Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM). - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Integration of Security Information and Event
Management (SIEM) and Identity and Access
Management (IAM).
Reed Harrison, CTO, Security & Compliance Solutions, Novell
Reed@novell.com
2
Compliance Defined
Compliance: in management, the act of adhering to, and demonstrating adherence to, laws, regulations or policies.
(Source: www.wikipedia.org)
3
Sarbanes Oxley Act (SOX)
  • Section 404
  • Annual Reports are required to contain an
    internal control report, which shall
  • (1) state the responsibility of management for
    establishing and maintaining an adequate internal
    control structure and procedures for financial
    reporting and
  • (2) contain an assessment ... of the
    effectiveness of the internal control structure
    and procedures.

4
PCI-DSS
Payment Card Industry Data Security Standard
  • PCI Executive Committee: American Express, Visa, MasterCard, JCB, Discover
  • A set of comprehensive requirements for enhancing payment account data security

5
The Organizational Problem: Multitude of Regulations (Extract)
  • Privacy Act
  • FERC
  • HIPAA
  • SEC Regulation S-P
  • Gramm-Leach-Bliley
  • Network Advertising Initiative
  • Homeland Security Act
  • European Data Protection Directive
  • Children's Internet Protection Act
  • Family Educational Rights and Privacy Act
  • Government Information Security Reform Act
  • Cyber Security Research and Development Act
  • Insurance Information and Privacy Protection Model Act
6
The Organizational Relief
7
Pareto Principle: 80% Overlaps, 20% Specific
  • SOX
  • PCI-DSS
  • BASEL II
  • European Data Protection Directive
  • EURO-SOX
  • ...
8
IT General Controls and Identity Security Management
IT general control domains:
  • program development
  • program change
  • IT control environment
  • access to programs and data
  • computer operations
Identity security management activities that support those domains:
  • access to productive systems by authorized staff only
  • monitoring and reporting
  • user provisioning, security administration
  • data processing, backup and problem management


10
PCI-DSS and Identity Security Management
  1. Install and maintain a firewall configuration to
    protect cardholder data
  2. Do not use vendor-supplied defaults for system
    passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across
    open, public networks
  5. Use and regularly update anti-virus software or
    programs
  6. Develop and maintain secure systems and
    applications
  7. Restrict access to cardholder data by business
    need-to-know
  8. Assign a unique ID to each person with computer
    access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources
    and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information
    security for employees and contractors

11
Top 10 Compliance Control Deficiencies: 7 are Identity Management related
  • Unidentified or unresolved segregation of duties issues
  • Operating system access controls supporting financial applications or portal not secure
  • Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, PeopleSoft, JDE) not secure
  • Development staff can run business transactions in production
  • Large number of users with access to "super user" transactions in production
  • Terminated employees or departed consultants still have access
  • Posting periods not restricted within GL application
  • Custom programs, tables and interfaces are not secured
  • Procedures for manual processes do not exist or are not followed
  • System documentation does not match actual process

12
The Technology Problem
13
Silos of Data, Manual Processes, So Little
Insight
14
Automation is Key
Automate IT controls monitoring and reporting, including for the mainframe access control systems:
  • RACF
  • ACF2
  • Top Secret

15
Aggregation increases Manageability
Layers of the aggregation pyramid, from raw data up to action:
  • Data: collection, filtering, normalization
  • Information: correlation, consolidation, pattern discovery
  • Knowledge: incident, threat assessment, situation assessment
  • Action: reporting, remediation, alerting
16
Bringing it All Together
17
Organisational Framework: ISMS (ISO 27001)
  • Plan: security policy
  • Do: IT-security control points
  • Check: monitor control points, compliance reporting, remediation
  • Act: continuous improvement
IT policy controls
19
Enabling Compliance Through Common Policy
  1. A user accesses a resource.
  2. Relevant events are collected by Sentinel.
  3. The policy engine determines whether the access was in compliance with policy.
  4. If the access was out of compliance with policy, an incident is generated and the remediation process begins.
  5. The remediation process is triggered in the identity management system, which consults the policy engine.
  6. Identity Manager modifies the user's access to systems to bring the system back into compliance with policy.
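The closed loop that slides 15 and 19 describe (collect and normalize events, correlate them with identity data, raise an incident when an access is out of policy, let the identity system remediate), with the policies taken from the deficiencies on slide 11 (terminated accounts still active, developers running production transactions, segregation of duties, super-user transactions), as an added example in Python. This is illustrative code written for this page, not Sentinel or Identity Manager code: the two log formats, the identity-store snapshot, the account names, the policy names and the remediation actions are all constructed for the example.

```python
import re
from collections import defaultdict
from copy import deepcopy

# Constructed identity-store snapshot: what the identity system holds per account.
IDENTITY_STORE = {
    "jdoe":   {"status": "active",     "roles": {"developer"},
               "entitlements": {"dev-erp", "prod-erp"}},
    "asmith": {"status": "active",     "roles": {"ap_clerk", "ap_approver"},
               "entitlements": {"fin-app"}},
    "bwong":  {"status": "terminated", "roles": {"finance"},
               "entitlements": {"prod-erp"}},
    "root01": {"status": "active",     "roles": {"sysadmin"},
               "entitlements": {"prod-erp"}},
}

# Constructed raw events from three sources with different formats.
RAW_EVENTS = [
    "syslog|2024-03-01T09:00:01|prod-erp|user=jdoe action=RUN_TXN txn=POST_JE env=prod",
    "syslog|2024-03-01T09:01:12|prod-erp|user=bwong action=LOGIN env=prod",
    "win|2024-03-01T09:02:00|fin-app|User: asmith Action: CREATE_VENDOR Env: prod",
    "win|2024-03-01T09:05:30|fin-app|User: asmith Action: APPROVE_PAYMENT Env: prod",
    "syslog|2024-03-01T09:06:00|prod-erp|user=root01 action=RUN_TXN txn=SU01 env=prod",
    "syslog|2024-03-01T09:07:00|dev-erp|user=jdoe action=RUN_TXN txn=POST_JE env=dev",
    "netflow|2024-03-01T09:08:00|fw01|src=10.0.0.5 dst=10.0.1.9",
]

SYSLOG_RE = re.compile(r"user=(\S+) action=(\S+)(?: txn=(\S+))? env=(\S+)")
WIN_RE = re.compile(r"User: (\S+) Action: (\S+) Env: (\S+)")

# Policy data (hypothetical): toxic action pairs for segregation of duties,
# the role behind each action, and transactions reserved for administrators.
SOD_PAIRS = [("CREATE_VENDOR", "APPROVE_PAYMENT")]
ACTION_ROLE = {"CREATE_VENDOR": "ap_clerk", "APPROVE_PAYMENT": "ap_approver"}
SUPERUSER_TXNS = {"SU01"}


def normalize(raw_lines):
    """Data layer: collect, filter out events that carry no identity,
    and normalize the rest into one common event schema."""
    events = []
    for line in raw_lines:
        source, ts, host, payload = line.split("|", 3)
        if source == "syslog":
            user, action, txn, env = SYSLOG_RE.search(payload).groups()
        elif source == "win":
            user, action, env = WIN_RE.search(payload).groups()
            txn = None
        else:
            continue  # no user in the event: filtered out before correlation
        events.append({"ts": ts, "host": host, "user": user,
                       "action": action, "txn": txn, "env": env})
    return events


def evaluate(events, store):
    """Information and knowledge layers: correlate events per user with the
    identity store and decide which accesses were out of policy."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    incidents = {}  # keyed by (user, policy): one incident per violation
    for user, evs in by_user.items():
        ident = store.get(user)
        if ident is None or ident["status"] == "terminated":
            incidents[(user, "TERMINATED_ACCESS")] = {"user": user}
            continue
        actions = {e["action"] for e in evs}
        for a, b in SOD_PAIRS:  # same person did both halves of a toxic pair
            if a in actions and b in actions:
                incidents[(user, "SOD_VIOLATION")] = {"user": user, "revoke_role": ACTION_ROLE[b]}
        for e in evs:
            if e["env"] != "prod" or e["action"] != "RUN_TXN":
                continue
            if "developer" in ident["roles"]:
                incidents[(user, "DEV_IN_PROD")] = {"user": user, "host": e["host"]}
            if e["txn"] in SUPERUSER_TXNS and "sysadmin" not in ident["roles"]:
                incidents[(user, "SUPERUSER_TXN")] = {"user": user, "host": e["host"]}
    return [dict(policy=p, **d) for (u, p), d in incidents.items()]


def remediate(incidents, store):
    """Action layer: the change the identity system applies per incident,
    returned as a new store plus an audit trail of what was done."""
    store = deepcopy(store)
    trail = []
    for inc in incidents:
        u, p = inc["user"], inc["policy"]
        if u not in store:
            trail.append((u, p, "OPEN_CASE_UNKNOWN_ACCOUNT"))
        elif p == "TERMINATED_ACCESS":
            store[u]["status"] = "disabled"
            store[u]["entitlements"].clear()
            trail.append((u, p, "DISABLE_ACCOUNT"))
        elif p == "SOD_VIOLATION":
            store[u]["roles"].discard(inc["revoke_role"])
            trail.append((u, p, "REVOKE_ROLE:" + inc["revoke_role"]))
        else:  # DEV_IN_PROD, SUPERUSER_TXN: pull the production entitlement
            store[u]["entitlements"].discard(inc["host"])
            trail.append((u, p, "REVOKE_ENTITLEMENT:" + inc["host"]))
    return store, trail


def run(raw_lines=RAW_EVENTS, store=IDENTITY_STORE):
    incidents = evaluate(normalize(raw_lines), store)
    new_store, trail = remediate(incidents, store)
    return incidents, new_store, trail


if __name__ == "__main__":
    for entry in run()[2]:
        print(entry)
```

On the sample data the loop raises three incidents (bwong's login after termination, asmith creating and approving within one session, jdoe running a transaction in production) and leaves root01 alone because the super-user transaction came from an account that holds the sysadmin role. Disabling a terminated account automatically is safe; revoking a role on a segregation-of-duties hit is a policy decision (the correlation window and the action-to-role mapping are both assumptions here), so in practice that branch usually opens a case for a human rather than changing access unattended.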
20
Technology Framework: Compliance-Aware Architecture
21
Compliance Benefits
22
Drivers for Compliance Initiatives (University of Erlangen-Nuremberg)
Drivers:
  • Centralisation
  • Internal requirements
  • External requirements
Cost of compliance:
  • Processes
  • Automation
  • Consultants / auditors
  • Tools
23
Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
PwC: 6 percent of the IT budget goes to compliance. Forrester: 8% of the budget goes to IT security.
  • Managers tend to focus on cost instead of benefits and savings.
  • Well thought out compliance strategies are less expensive than assumed.

Ongoing studies of the FAU Erlangen-Nuremberg will investigate the real figures.
25
Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
Cost of internal and external compliance:
  • Labor cost
  • Internal communication, training
  • Software (licensing, maintenance)
  • Monitoring (KPIs, audits, risk assessment, ...)
  • External / internal consultants
  • Identification and coordination of requirements
  • Compliance hot-line
  • Communication to public authorities
  • Certification (ISO 21000, ...)
Cost of non-compliance:
  • Cost of reworking measures
  • Risk of losing information
  • Loss of image > opportunity costs of lost profit
  • Fines, contractual penalties
  • Non-compliance forces a big-bang approach with high failure frequency and fall-back scenarios
  • Cost of business discontinuity


26
Cost and Benefits of Compliance (University of Erlangen-Nuremberg)
General benefits:
  • Process optimisation, transparency, standardisation, clearly defined process owners, higher maturity level, fewer redundancies
  • Competitive advantage (secure use of personal client data)
  • Security
  • Improvement of internal control
  • Risk assessment of specific business requirements and projects
  • Continuous improvement
  • Higher flexibility
Benefits from the use of software tools:
  • Reduction of service cost
  • Cost reduction of reports
  • Early awareness of incidents
  • Information and data security
  • Reduction of redundancies
  • Centralisation of data
  • Consistent data update
  • Risk assessment of specific business requirements
  • Synergies in required staff
  • Faster implementation of further tools

27
RoI of Compliance
  • Integrated approach to assess compliance activities quantitatively (three-year approach)
  • Shrinking costs of compliance activities
  • To save cost it is important to know the requirements at an early stage, then address and implement them
28
Chart: implementation complexity plotted against business benefit (no further transcript)
29
Conclusion
  • Compliance needs to be embedded into an overarching security and risk management system
  • Continuous monitoring of compliance with policies and documentation needs to be ensured
  • ISMS-compatible monitoring and reporting cannot be done manually at reasonable cost anymore
31
  • Unpublished Work of Novell, Inc. All Rights
    Reserved.
  • This work is an unpublished work and contains
    confidential, proprietary, and trade secret
    information of Novell, Inc. Access to this work
    is restricted to Novell employees who have a need
    to know to perform tasks within the scope of
    their assignments. No part of this work may be
    practiced, performed, copied, distributed,
    revised, modified, translated, abridged,
    condensed, expanded, collected, or adapted
    without the prior written consent of Novell, Inc.
    Any use or exploitation of this work without
    authorization could subject the perpetrator to
    criminal and civil liability.
  • General Disclaimer
  • This document is not to be construed as a promise
    by any participating company to develop, deliver,
    or market a product. It is not a commitment to
    deliver any material, code, or functionality, and
    should not be relied upon in making purchasing
    decisions. Novell, Inc. makes no representations
    or warranties with respect to the contents of
    this document, and specifically disclaims any
    express or implied warranties of merchantability
    or fitness for any particular purpose. The
    development, release, and timing of features or
    functionality described for Novell products
    remains at the sole discretion of Novell.
    Further, Novell, Inc. reserves the right to
    revise this document and to make changes to its
    content, at any time, without obligation to
    notify any person or entity of such revisions or
    changes. All Novell marks referenced in this
    presentation are trademarks or registered
    trademarks of Novell, Inc. in the United States
    and other countries. All third-party trademarks
    are the property of their respective owners.