Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM). - PowerPoint PPT Presentation

Loading...

PPT – Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM). PowerPoint presentation | free to view - id: 446f63-YjYwM



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM).

Description:

Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM). Reed Harrison CTO, Security & Compliance Solutions – PowerPoint PPT presentation

Number of Views:732
Avg rating:3.0/5.0
Slides: 24
Provided by: networkwo9
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Integration of Security Information and Event Management (SIEM) and Identity and Access Management (IAM).


1
Integration of Security Information and Event
Management (SIEM) and Identity and Access
Management (IAM).
Reed HarrisonCTO, Security Compliance
SolutionsReed_at_novell.com
2
Compliance Defined
Compliance In management, the actof adhering
to, and demonstrating adherence to laws,
regulations or policies source
www.wikipedia.org
3
Sarbanes Oxley Act (SOX)
  • Section 404
  • Annual Reports are required to contain an
    internal control report, which shall
  • (1) state the responsibility of management for
    establishing and maintaining an adequate internal
    control structure and procedures for financial
    reporting and
  • (2) contain an assessment ... of the
    effectiveness of the internal control structure
    and procedures.

4
PCI-DSS
Payment Card Industry Data Security Standard
  • PCI Executive Committee Amex, Visa, Mastercard,
    JCB, Discover
  • A set of comprehensive requirements for enhancing
    payment account data security

5
The Organizational Problem Multitude of
Regulations (Extract)
Privacy Act
FERC
HIPAA
SEC Regulation SP
Gramm-Leach-Bliley
Network Advising Initiative
Homeland Security Act
European Data Protection Directive
Children's Internet Protection Act
Family Educational Rights and Privacy Act
Government Information Security Reform Act
Cyber Security Research and Development Act
Insurance Information and Privacy Protection
Model Act
6
The Organizational Relief
7
Pareto Principle 80 Overlaps, 20 Specific
SOX
PCI-DSS
BASEL II
European Data Protection Directive
EURO-SOX
...
8
IT General Controls and Identity Security
Management
  • program change
  • IT control environment
  • access to programs and data
  • program development
  • computer operations
  • by authorized staff only
  • monitoring and reporting
  • access to productive system
  • user provisioning, security administration
  • data processing, backup problem management

9
IT General Controls and Identity Security
Management
  • program development
  • program change
  • IT control environment
  • access to programs and data
  • computer operations
  • access to productive system
  • by authorized staff only
  • monitoring and reporting
  • user provisioning, security administration
  • data processing, backup problem management

10
PCI-DSS and Identity Security Management
  1. Install and maintain a firewall configuration to
    protect card-holder data
  2. Do not use vendor-supplied defaults for system
    passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across
    open, public networks
  5. Use and regularly update anti-virus software or
    programs
  6. Develop and maintain secure systems and
    applications
  7. Restrict Access to cardholder data by business
    need-to-know
  8. Assign a unique ID to each person with computer
    access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources
    and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information
    security for employees and contractors

11
Top10 Compliance Control Deficiencies 7 are
Identity Management related
  • Unidentified or unresolved segregation of duties
    issues
  • Operating System access controls supporting
    financial applications or Portal not secure
  • Database (e.g. Oracle) access controls supporting
    financial applications (e.g. SAP, Oracle,
    Peoplesoft, JDE) not secure
  • Development staff can run business transactions
    in production
  • Large number of users with access to super user"
    transactions in production
  • Terminated employees or departed consultants
    still have access
  • Posting periods not restricted within GL
    application
  • Custom programs, tables interfaces are not
    secured
  • Procedures for manual processes do not exist or
    are not followed
  • System documentation does not match actual
    process

12
The Technology Problem
13
Silos of Data, Manual Processes, So Little
Insight
14
Automation is Key
Automate IT Controls Monitoring and Reporting
  • RACF
  • ACF 2
  • Top Secret

15
Aggregation increases Manageability
Action
Reporting
Remediation
Alerting
Knowledge
Incident
Threat Assessment
Situation Assessment
Information
Correlation
Consolidation
Pattern Discovery
Data
Collection
Filtering
Normalization
16
Bringing it All Together
17
Organisational Framework ISMS (ISO 27001)
Plan Security Policy
Do IT-Security Control Points
Act Continuous Improvement
IT Policy Controls
Check Monitor Control Points
Check Compliance-Reporting
Check Remediation
18
Organisational Framework
Plan Security Policy
Do IT-Security Control Points
Act Continuous Improvement
IT Policy Controls
Check Monitor Control Points
Check Compliance-Reporting
Check Remediation
19
Enabling Compliance Through Common Policy
User accesses a resource
Relevant events are collected by Sentinel
Policy engine determines if the access was in
compliance with policy
Identity Manager modifies the user's access to
systems to bring the system into compliance with
policy
Policy Engine
If the access was out of compliance with policy
an incident is generated and the remediation
process begins
Remediation process is triggered in Identity
Management System, which consults the policy
engine
20
Technology FrameworkCompliance-Aware
Architecture
21
Compliance Benefits
22
Drivers for Compliance InitiativesUniversity of
Erlangen-Nuremberg
Drivers
Centralisation
Internal Requirements
External Requirements
Cost of Compliance
Processes
Automation
Compliance
Consultants / Auditors
Tools
23
Cost and Benefits of ComplianceUniversity of
Erlangen-Nuremberg
of Rev
PWC 6 percent of IT budget for
compliance Forrester 8 of budget for IT
security
  • Managers tend to focus on cost instead of
    benefits and savings.
  • Well thought out compliance strategies are less
    expensive than assumed.

Ongoing studies of the FAU Erlangen-Nuremberg
will investigate the real figures.
24
Cost and Benefits of ComplianceUniversity of
Erlangen-Nuremberg
  • Reduction of service cost
  • Cost reduction of reports
  • Early awareness of incidents
  • Information and data security
  • Reduction of redundancies
  • Centralisation of data
  • Consistent data update
  • Risk assessment of specific business requirements
  • Synergies in required staff
  • Faster implementation of further tools

Ongoing studies of the FAU Erlangen-Nuremberg
will investigate the real figures.
25
Cost and Benefits of ComplianceUniversity of
Erlangen-Nuremberg
Cost of internal and external compliance
Cost of non-compliance
  • Labor cost
  • Internal communication, training
  • Software(licensing maintenance)
  • Monitoring (KPIs, audits, risk assessment, )
  • External / internal consultants
  • Identification and coordination of requirements
  • Compliance hot-line
  • Communication to public authorities
  • Certification (ISO 21000, )
  • Cost of reworking measures
  • Risk to loose information
  • Loss of image gt opportunity costs of lost
    profit
  • Fines, contractual penalties
  • Non-compliance causes big-bang-method with high
  • Failure frequency and fall-back-scenarios
  • Cost of business discontinuity

26
Cost and Benefits of ComplianceUniversity of
Erlangen-Nuremberg
General benefits
Benefits by usage of software tools
  • Processes optimisation, transparency,
    standardisation, process owners clearly defined,
    higher maturity level, less redundancies
  • Competitive advantage (secure use of personal
    client data)
  • Security
  • Improvement of internal control
  • Risk assessment of specific business
    requirements, projects
  • Continuous improvement
  • Higher flexibility
  • Reduction of service cost
  • Cost reduction of reports
  • Early awareness of incidents
  • Information and data security
  • Reduction of redundancies
  • Centralisation of data
  • Consistent data update
  • Risk assessment of specific business requirements
  • Synergies in required staff
  • Faster implementation of further tools

27
RoI of Compliance
Integrated approach to asses compliance
activities quantitatively (three-year approach)
Shrinking costs of compliance activities
To save cost its important to know the
requirements at an early stage, address and
implement them
28
Implementation Complexity
Business Benefit
29
Conclusion
  • Compliance needs to be embedded into an
    overarching security and risk management system

Continuous monitoring of compliance with policies
and documentation needs to be ensured
ISMS-compatible monitoring and reporting cannot
be done manually at reasonable cost anymore
30
(No Transcript)
31
  • Unpublished Work of Novell, Inc. All Rights
    Reserved.
  • This work is an unpublished work and contains
    confidential, proprietary, and trade secret
    information of Novell, Inc. Access to this work
    is restricted to Novell employees who have a need
    to know to perform tasks within the scope of
    their assignments. No part of this work may be
    practiced, performed, copied, distributed,
    revised, modified, translated, abridged,
    condensed, expanded, collected, or adapted
    without the prior written consent of Novell, Inc.
    Any use or exploitation of this work without
    authorization could subject the perpetrator to
    criminal and civil liability.
  • General Disclaimer
  • This document is not to be construed as a promise
    by any participating company to develop, deliver,
    or market a product. It is not a commitment to
    deliver any material, code, or functionality, and
    should not be relied upon in making purchasing
    decisions. Novell, Inc. makes no representations
    or warranties with respect to the contents of
    this document, and specifically disclaims any
    express or implied warranties of merchantability
    or fitness for any particular purpose. The
    development, release, and timing of features or
    functionality described for Novell products
    remains at the sole discretion of Novell.
    Further, Novell, Inc. reserves the right to
    revise this document and to make changes to its
    content, at any time, without obligation to
    notify any person or entity of such revisions or
    changes. All Novell marks referenced in this
    presentation are trademarks or registered
    trademarks of Novell, Inc. in the United States
    and other countries. All third-party trademarks
    are the property of their respective owners.
About PowerShow.com