Gartner Hype Cycle for Identity and Access Management by hyo57994

identity

  isolated privilege        elevated privilege          elevated privilege
  end user                  administrator               embedded
  individual                local administrator         database
                            network devices             batch jobs
                            server o/s                  ftp
                            dba
                            mainframe

  Experience shows that there are 3 to 5 times more elevated privilege
  accounts than end user accounts.

identity (same three columns as above)

  End user identity management solutions address one third of your
  identity needs!

identity

  isolated privilege        elevated privilege          elevated privilege
  end user                  administrator               embedded
  individual                shared                      shared
  regular changes           irregular changes           irregular changes
  self-reset                no self-reset               no self-reset
  revocable                 irrevocable                 irrevocable
  memorized                 spreadsheet                 hard-coded

  When was the last time that you changed all of your database passwords
  and modified all of the applications that use those passwords?

  When was the last time that you changed all of your server and device
  administrative passwords?
sapm ~ shared/service account password management

sapm analysts

  "Shared/Service accounts risk significant exposure, especially in the
  context of regulatory compliance; auditors will continue to target them
  aggressively during the next two to three years, driving adoption of
  SAPM tools."

  Password management tools provide direct benefit to personnel cost
  reductions.

  Shared account/service account password management (SAPM) is new on the
  Hype Cycle.

  Source: Gartner Hype Cycle for Identity and Access Management
  Technologies, 2007
sapm drivers

  Driver                                         Section                        Effective
  Payment Card Industry Data Security Standard   2, 3, 6, 7, 8, 10, 12          Q406
  1.1 (PCI-DSS)
  Sarbanes-Oxley                                 302, 404                       2002
  HIPAA                                          164.308(a)(1,3,4,5,7)          April 2005
  FISMA                                          NIST SP 800-53 AC-2, 3, 13     2002
                                                 NIST SP 800-53 IA-2, 3, 5
                                                 NIST SP 800-53 SI-7, 9
  …

  It's being regulated/legislated and it's the law!
what might it cost you to begin managing these passwords?

  large commercial bank with 4800 passwords = $14.5m over 5 years
    (now licensed for 28,000 passwords)

  large consumer bank with 625 passwords = $2.4m over 5 years
    (now licensed for 575,000 passwords)

  small managed services provider with 100 passwords = $360k over 5 years

  (cost comparison chart, three series: do nothing / manual intervention /
  automation)
sapm threats

  Question                                                  Control
  How do you know that the application in production        Integrity Verification / Tamper detection
  is the same one that was originally deployed?
  How do you know that Keys/Passwords have not been         Key protection / Key Renewal
  stolen/misused?
  How do you know that your script is running on the        Machine fingerprinting
  correct machine?
  How do you protect information at rest and while          Data and Session protection
  it travels?
  How do you resist a rogue administrator?                  Strong authentication, dual authorization,
                                                            password renewals, on-demand access

  Performing a Threat / Risk Assessment of your internal network will
  identify numerous areas for security improvements!
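The first and third rows of the threats table (tamper detection of the deployed application, and checking that a script runs on the registered machine) as a worked example. This is added code, not Cloakware's product code: the file contents, host identifiers and the manifest-signing key are all constructed, and the hardware identifiers used for the fingerprint are an assumption about what a deployment would register.

```python
"""Integrity verification and machine-fingerprint checks for a deployed agent.

Added example (not from the slide deck or Cloakware). The repository records a
signed manifest of the agent's files and the registered host; before the agent
is trusted to fetch a shared-account password, both are re-checked.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumption: this key is held by the credential repository, never by the agent,
# so an attacker who modifies the agent cannot also re-sign its manifest.
MANIFEST_KEY = b"constructed-manifest-signing-key"


def machine_fingerprint(hostname: str, mac_address: str, disk_serial: str) -> str:
    """Stable fingerprint from hardware identifiers (normalised so case differences
    in hostname or MAC do not produce a spurious mismatch)."""
    material = "|".join([hostname.lower(), mac_address.lower(), disk_serial])
    return hashlib.sha256(material.encode()).hexdigest()


def _sign(body: dict) -> str:
    encoded = json.dumps(body, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, encoded, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], fingerprint: str) -> dict:
    """Record SHA-256 per file plus the registered fingerprint, then MAC the record."""
    body = {
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())},
        "fingerprint": fingerprint,
    }
    return {"body": body, "mac": _sign(body)}


def verify(manifest: dict, files: Dict[str, bytes], fingerprint: str) -> List[str]:
    """Return findings; an empty list means the agent is intact and on the right host."""
    if not hmac.compare_digest(_sign(manifest["body"]), manifest["mac"]):
        return ["manifest signature invalid: refuse to run"]
    findings = []
    recorded = manifest["body"]["files"]
    for name, digest in recorded.items():
        if name not in files:
            findings.append(f"missing file: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            findings.append(f"modified file: {name}")
    for name in sorted(files):
        if name not in recorded:
            findings.append(f"unexpected file: {name}")
    if not hmac.compare_digest(manifest["body"]["fingerprint"], fingerprint):
        findings.append("machine fingerprint mismatch: not the registered host")
    return findings


# Constructed sample deployment: a two-file agent and two hosts.
SAMPLE_FILES: Dict[str, bytes] = {
    "fetch_password.py": b"print('fetch shared-account password')\n",
    "agent.ini": b"target=db01\nusername=app_svc\n",
}
REGISTERED_HOST: Tuple[str, str, str] = ("app01", "AA:BB:CC:DD:EE:FF", "SN-CONSTRUCTED-1")
OTHER_HOST: Tuple[str, str, str] = ("app02", "11:22:33:44:55:66", "SN-CONSTRUCTED-2")


def run_scenarios() -> Dict[str, List[str]]:
    """Clean agent, modified script, agent copied to another host, and a forged manifest."""
    fp = machine_fingerprint(*REGISTERED_HOST)
    manifest = build_manifest(SAMPLE_FILES, fp)
    tampered = dict(SAMPLE_FILES, **{"fetch_password.py": b"print('modified')\n"})
    moved_fp = machine_fingerprint(*OTHER_HOST)
    # A copied agent that rewrites the fingerprint in the manifest still fails the MAC.
    forged = {"body": dict(manifest["body"], fingerprint=moved_fp), "mac": manifest["mac"]}
    return {
        "clean": verify(manifest, SAMPLE_FILES, fp),
        "tampered": verify(manifest, tampered, fp),
        "moved": verify(manifest, SAMPLE_FILES, moved_fp),
        "forged_manifest": verify(forged, SAMPLE_FILES, moved_fp),
    }


if __name__ == "__main__":
    for scenario, findings in run_scenarios().items():
        print(f"{scenario}: {findings or 'ok'}")
```

Two design points carry over to a real deployment: the manifest is signed with a key the agent never holds, so tampering with the agent and its manifest together is still detected, and the check reports every deviation rather than stopping at the first, which is what an auditor reviewing the event wants to see.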
sapm approach

  (architecture diagram) Privileged User -> GUI Interface -> Web Server ->
  Application Server -> Secure Credential Repository; the Application Server
  also connects to the Target Server / Device / Appl'n.

sapm approach (threat callouts placed on the same diagram)

  GUI Interface / Web Server:        Man in Middle?  Rogue Admin?
  Secure Credential Repository:      Key Copy?  Data Copy?  Data Integrity?
                                     Denial of Service?
  Application Server:                Key Copy?  Software copy?  Tampering?
                                     Spoofed?
  Application Server -> Target:      Man in Middle?
risk mitigation

  (mitigations placed on the same diagram)

  near the Privileged User / GUI:
    Remote attestation
    Strong Authentication: RSA SecurID, Certificates, SmartCards, LDAP/AD
    Dual Authorization
  near the Web Server / Application Server:
    Endorsement Keys, Memory partitioning, Secure I/O, SSL/TLS, RBAC,
    Integrity Verification, IP Filtering
  near the Secure Credential Repository:
    Endorsement Keys, Sealed Storage, Data Encryption, Key Renewals,
    Key Protection, Access Management, AutoStart, Recovery/History

risk mitigation (second diagram, three groups of mitigations)

  upper right:
    Secure I/O, SSL/TLS, Key Renewals, Key Protection
  left:
    Remote attestation, Memory partitioning, Sealed storage
    Unique Keys, Key Protection, Key Renewals, Data Transforms,
    Control Flow Transforms, Hardware Fingerprinting, Integrity Verification,
    Agent Diversity
  lower right:
    Remote attestation, Integrity Verification, Storage location detection,
    Execution location detection, Executing ID detection

evaluation criteria

  Security and Risk Mitigation
  Standards
  Performance and Scalability
  High Availability & Uptime
  Manageability
  Integration Support
  Auditing & Reporting
how it works

shared/service account registration
  (diagram: Secure Credential Repository <-> Target Server / Device / Appl'n)
  automated/manual account discovery
  multiple d/b choices
  customer defined fault tolerance
  AES encryption
  managed keys
  managed connection
  tamper resistance
  server groupings

administrator interaction
  (diagram: Privileged User -> Secure Credential Repository)
  2nd factor authentication
  role-based access control
  user groupings
  break-glass accounts
  gui or api-based interaction

script/application interaction
  (diagram: Application Server -> Secure Credential Repository and
  Target Server / Device / Appl'n)
  certificate-based SSL/TLS
  client managed private keys
  static/dynamic analysis protected
  "application biometric"
  authorization mapping
  unique payload keys
  password revocation
  no password left behind
  software node-locking
  secure local cache

shared/service account updating
  (diagram: Application Server -> Secure Credential Repository and
  Target Server / Device / Appl'n)
  policy-driven password rules
  scheduled, ad-hoc updates
  grouped updates
  clear cache event
  extensive target support
  connector based framework
  client / clientless
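The four "how it works" slides (registration, administrator and script interaction, updating) as one worked example of the data flow: an account is discovered and registered, a role is mapped to its server grouping, an application checks the password out into a local cache, a grouped update rotates it under a password policy, and the clear-cache event invalidates the stale copy. This is an added, in-memory model and not Cloakware's product code; the account, roles, policy and old password are constructed, and real deployments would back the repository with encrypted storage and push the cache-clear event over the network rather than a Python list.

```python
"""In-memory model of shared/service account registration, checkout, rotation
and cache clearing. Added example; every account, role and policy is constructed."""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PasswordPolicy:
    """Policy-driven password rules: minimum length and required character classes."""
    length: int = 20
    classes: Tuple[str, ...] = (string.ascii_lowercase, string.ascii_uppercase,
                                string.digits, "!@#$%^&*")

    def generate(self) -> str:
        # One character from each required class, the rest from the union, CSPRNG-shuffled.
        chars = [secrets.choice(cls) for cls in self.classes]
        alphabet = "".join(self.classes)
        chars += [secrets.choice(alphabet) for _ in range(self.length - len(chars))]
        secrets.SystemRandom().shuffle(chars)
        return "".join(chars)

    def complies(self, password: str) -> bool:
        return len(password) >= self.length and all(
            any(ch in cls for ch in password) for cls in self.classes)


@dataclass
class Account:
    target: str
    username: str
    group: str        # server grouping used for grouped updates
    password: str
    version: int = 1  # bumped on every rotation; clients cache by version


class CredentialRepository:
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts: Dict[Tuple[str, str], Account] = {}
        self.authz: Dict[str, set] = {}                  # role -> groups it may check out
        self.audit: List[tuple] = []
        self.cache_clear_events: List[Tuple[str, str, int]] = []

    def register(self, target, username, group, discovered_password) -> int:
        """Registration: a discovered account enters the repository and its group is
        rotated at once, so the spreadsheet or hard-coded value stops working."""
        self.accounts[(target, username)] = Account(target, username, group, discovered_password)
        self.audit.append(("register", target, username))
        self.rotate(group)
        return self.accounts[(target, username)].version

    def grant(self, role: str, group: str) -> None:
        self.authz.setdefault(role, set()).add(group)    # authorization mapping

    def checkout(self, caller, role, target, username):
        """Role-based checkout; every attempt, allowed or denied, is audited."""
        acct = self.accounts.get((target, username))
        if acct is None or acct.group not in self.authz.get(role, set()):
            self.audit.append(("denied", caller, target, username))
            return None
        self.audit.append(("checkout", caller, target, username, acct.version))
        return acct.password, acct.version

    def rotate(self, group: str) -> List[Tuple[str, str]]:
        """Grouped update: a new policy-compliant password per account, plus a
        clear-cache event so application servers drop the old value."""
        rotated = []
        for acct in self.accounts.values():
            if acct.group != group:
                continue
            acct.password, acct.version = self.policy.generate(), acct.version + 1
            rotated.append((acct.target, acct.username))
            self.cache_clear_events.append((acct.target, acct.username, acct.version))
        self.audit.append(("rotate", group, len(rotated)))
        return rotated


class ClientCache:
    """Secure local cache on the application server, keyed by (target, username)."""
    def __init__(self):
        self.entries: Dict[Tuple[str, str], Tuple[str, int]] = {}

    def put(self, key, password, version):
        self.entries[key] = (password, version)

    def get(self, key):
        return self.entries.get(key)

    def apply_clear_events(self, events) -> int:
        """Drop any cached password older than the version the repository announced."""
        dropped = 0
        for target, username, new_version in events:
            cached = self.entries.get((target, username))
            if cached is not None and cached[1] < new_version:
                del self.entries[(target, username)]
                dropped += 1
        return dropped


def run_scenario() -> dict:
    """Walk one constructed account through discovery, checkout, denial, rotation and cache clearing."""
    repo = CredentialRepository(PasswordPolicy())
    key = ("db01", "app_svc")
    repo.register("db01", "app_svc", "databases", "OldPassword1!")  # constructed old value
    repo.grant("billing-app", "databases")
    cache = ClientCache()
    password, version = repo.checkout("billing-node1", "billing-app", *key)
    cache.put(key, password, version)
    denied = repo.checkout("helpdesk-user", "helpdesk", *key)      # no mapping for this role
    repo.rotate("databases")                                       # scheduled or ad-hoc update
    dropped = cache.apply_clear_events(repo.cache_clear_events)
    new_password, new_version = repo.checkout("billing-node1", "billing-app", *key)
    return {
        "version_after_register": version,
        "denied_without_role": denied is None,
        "cache_entries_dropped": dropped,
        "cache_miss_after_clear": cache.get(key) is None,
        "version_after_rotate": new_version,
        "password_changed": new_password != password,
        "old_value_gone": repo.accounts[key].password != "OldPassword1!",
        "policy_compliant": repo.policy.complies(new_password),
        "audit_events": [entry[0] for entry in repo.audit],
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The version number on each account is what makes "no password left behind" enforceable: a cached copy is only honoured while its version matches the repository, so a rotation that the application server missed is still caught on the next clear-cache event rather than silently producing failed logins against the target.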
sapm benefits

  Improve operational efficiencies by reducing maintenance windows, service
  outages and errors due to password changes.

  Reduce costs by eliminating the reliance on human interaction to effect
  password changes.

  Assist with legislative compliance by achieving security and privacy goals
  that were previously unattainable due to the costs of password changes.

  Improve security by reducing human knowledge of business critical
  information like passwords.
     contact


  cloakware, inc.
www.cloakware.com

								