
Mike Thomas

Erie Insurance

ACCESS CONTROL FOR IT ASSETS

CONTENTS

Identity Management
Foundations and basics
What needs to be protected
IT Risk perspective

WHAT'S ACCESS CONTROL?

Well, it's pretty obvious. But the more important IT becomes, as we continue to put our most trusted assets into an IT context, as we rely more and more on IT to do critical work and services for us, and as the risk of loss or interruption of our IT assets becomes more critical, Access Control becomes part of the foundation of a viable IT infrastructure. Without it you might lose your time, money, and identity.

ACCESS CONTROL BASIC COMPONENTS

Asset: the target, data or an application
User: a person or a system object
Policy sets: the Need to Know principle
Reference Monitor
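As an added illustration of the four components above (example code, not from the slides): a minimal reference monitor that mediates every request against a policy set, the asset's classification, and the user's need to know, and records each decision. Role names, classification levels, and the sample assets and users are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:            # the target: data or an application
    name: str
    kind: str           # "data" or "application"
    level: str          # classification: "public", "internal", "confidential"
    areas: frozenset    # business areas that have a need to know this asset

@dataclass(frozen=True)
class User:             # a person or a system object
    name: str
    kind: str           # "person" or "system"
    roles: frozenset
    areas: frozenset    # business areas the user actually works in

LEVELS = {"public": 0, "internal": 1, "confidential": 2}
# Policy set (constructed): role -> (highest classification it may touch,
# permitted (asset kind, action) pairs). Anything not listed is denied.
POLICY = {
    "claims_adjuster": ("confidential", {("data", "read"), ("application", "execute")}),
    "nightly_batch":   ("internal",     {("data", "read"), ("data", "write")}),
}
AUDIT = []   # every decision is recorded: a reference monitor must be auditable

def reference_monitor(user: User, asset: Asset, action: str) -> bool:
    """Mediate one request, default deny: some role of the user must permit the
    action, cover the asset's classification, and the user must have need to know."""
    reasons = []
    for role in sorted(r for r in user.roles if r in POLICY):
        max_level, allowed = POLICY[role]
        if (asset.kind, action) not in allowed:
            reasons.append(f"{role}: {action} on {asset.kind} not permitted")
        elif LEVELS[asset.level] > LEVELS[max_level]:
            reasons.append(f"{role}: cleared to {max_level}, asset is {asset.level}")
        elif not (user.areas & asset.areas):
            reasons.append(f"{role}: no need to know for {sorted(asset.areas)}")
        else:
            AUDIT.append((user.name, asset.name, action, "ALLOW", role))
            return True
    AUDIT.append((user.name, asset.name, action, "DENY", "; ".join(reasons) or "no role"))
    return False

# Constructed sample: an adjuster (person) and an ETL job (system object)
CLAIMS_DB = Asset("claims_db", "data", "confidential", frozenset({"claims"}))
HR_DB = Asset("hr_db", "data", "confidential", frozenset({"hr"}))
ALICE = User("alice", "person", frozenset({"claims_adjuster"}), frozenset({"claims"}))
ETL = User("etl", "system", frozenset({"nightly_batch"}), frozenset({"claims"}))
```

The ETL job is denied the confidential claims database even though its role may read data, and the adjuster is denied HR data she has no need to know; both denials land in the audit trail with the reason.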

DETERMINE WHAT NEEDS TO BE PROTECTED

An inventory of IT assets would be a good place to start
ITIL based inventories are very good if you have them
I like to break them down using Westerman's Risk Pyramid

(Pyramid, top to bottom: Business Requirements, Applications, Data, Infrastructure)

THE IT RISK PYRAMID (WESTERMAN AND HUNTER, MIT 2007)

BUSINESS STRATEGY (AGILITY)

This is where Policies, Standards, and Guidelines come from
Laws and Regulations, public and private: GLBA, SOX, PCI
Access controls have to fit what the organization wants and support its mission

APPLICATIONS

Business and organization processes: programs that sell something, manufacture something, offer a service, do something useful
The really important programs that don't monitor or manage processes deal with making and managing data.
Programs often reflect the mission, activities, and major purposes of an organization.
People need programs to get things done
Programs need to be secured

DATA

Data is the second biggest problem for security professionals today. Complexity is the biggest.
Electronic data is growing faster than any other aspect of the IT universe. We are making data at a ridiculous pace. It needs to be managed and secured.
People need access to data, usually through programs and applications
Need to Know is more important than ever.
Data should be able to stand on its own regardless of what application needs or uses it (James Martin)
In the Pyramid context, Data should be a prerequisite to the application.

INFRASTRUCTURE

Infrastructure is at the bottom of the Pyramid
All other things run on it
If it is not done well, or not secured and controlled properly, things will not go well
Poor implementation at the infrastructure level will ripple through all other layers
Access Control applies to infrastructure targets as well

THE HUMAN TARGETS

At the end of the day the majority of the access control purpose is focused on people.
People make and use data to do their work.
This is the hardest part of access controls.

IT RISK

THE 4A FRAMEWORK FOR MANAGING IT RISK

Availability: Keep the systems running and recover from interruptions.
Access: Ensure appropriate access to data and systems so the right people have the access they need and the wrong people don't.
Accuracy: Provide correct, timely, and complete information.
Agility: The capability to change with managed cost and speed.

IT RISK MECHANICS

(Diagram: IT risk mechanics flow. Inputs: IT and Business Manager Knowledge, Executive Team Knowledge, External Forces. Steps: Assess Strategic IT Risks, IT Risk Management Strategies, Assess IT Risk Management Program, Strategic Initiatives. Outputs: Risk Governance Plans, Foundation Plans, Awareness Plans. The 4A Framework (Agility, Accuracy, Access, Availability) is shown alongside the Risk Disciplines (Process, Awareness, Foundation).)

IT RISK DRIVES ACCESS CONTROL

Access control is needed for business assets that are at the highest risk of loss, misuse, or exposure
Risk analysis allows you to prioritize the need for access control: what needs to be protected and controlled
Resources are always limited, so prioritization is a good idea (biggest bang for the buck)

THE ACCESS CONTROL PROGRAM

THE IT SECURITY PROGRAM

This is the development, implementation, and maintenance of all of the components that comprise IT Security at an organization. It organizes these components into Tactical, Operational, and Strategic activities.
The IT Security Program document details all of the IT Security related activities. It shows management or a trusted third party how the organization conducts its IT Security programs and activities.
The IT Security Program will operate a life cycle that includes planning and organization, implementation, operations and maintenance, and monitoring and evaluation.
It includes Access Control and IT Risk

IT PROGRAM OBJECTIVES

The Information Security Program (ISP) is designed to:
Ensure the security and confidentiality of confidential information and IT resources;
Protect against any anticipated threats or hazards to the security or integrity of the information or IT infrastructure; and
Protect against unauthorized access to or use of the information or IT infrastructure that could result in substantial harm or inconvenience to any customer.

ACCESS CONTROL ARCHITECTURE

IT ARCHITECTURE

If you are going to build an IT organization that fits the business mission and all of the associated complexities, you will need architecture
Plan and design before you build
IT Security is an integral component of IT Architecture

THE ARCHITECTURE PROCESS

(Diagram: Architecture principle organization and process. Elements: Enterprise Architecture, Business Model, IT Guiding Principles, Business Drivers, Technical Feedback, IT Governance, EA Project Approval Process, Approved Projects.)
Business formulates its needs. Engages EA for fit and feasibility.
EA ensures that IT Architecture requirements will be applied. If changes are in order due to project requirements, EA will manage any modifications to the Architecture.
(Diagram, continued: Architectural Fit Assessment based on Architecture Principles; Guidelines and Checklists; New Technology Approval Process; Enterprise Architects with Architecture Patterns (Bricks & Patterns); Business Platform Architects with Architecture Standards (Bricks & Patterns); Technical Standards and Process Standards; Business, Application, Data and Technology Architecture; Infrastructure Architects; New System Infrastructure Implementation.)
IT SECURITY ARCHITECTURE

(Diagram: Enterprise IT Security Architecture Program. Security Service Map and Current State; Annual Risk Forecast, Total Risk Cost, Risk Assessment, Security Effectiveness, Total Security Cost; IT Security Roadmap; Risk Position and Risk Measure feeding the EA Risk Program, IT Security Governance and the IT Risk Program; Risk Principles and EA Principles; Annual Loss Rate; Business Drivers; IT Security Processes and IT Security Life Cycle; IT Security Program Policy, IT Security Architecture, Standards, Procedures and Security Strategy.)
ACCESS CONTROL ARCHITECTURE

(Diagram: IAM case study architecture, organized around a High Level Programming Project Cycle with Security Sub Projects, Security Data and Other Security Projects, with Suppliers and Customers at the edges. Platforms: Windows, Unix / Linux, z/OS. Identity components: LDAP Meta Directory, Kerberos, eTrust, SiteMinder, PeopleSoft, Centrify, CA-RCM; User Models, Role Based Security, Security Models, Security Dictionary, Data Classification, Model Admin; Automated Provisioning, User Provisioning, ID Request Web, Security Administration, Programming Interfaces. Credentials and channels: Public CA, Private CA, Smart Cards, SSO, Secure E-Mail, E-Mail Signing, Physical Access. Governance, Compliance and Privacy: SOX, PCI, Quarterly Tests, Annual Compliance, States Audit, Security Policy, 3rd Party Audits. Control areas: Secure Code, Non-Public Info, Application Scan, Prod Isolation, Key Management, Secure Network, Account Mgmt, Firewall Mgmt, Vendor Access, Field Crypto, HIPS, Wireless, Two Factor. Each box is owned by IT Security or the Company.)

IAM CASE STUDY

IAM CASE STUDY POINTS

This shows the complexity of the problem
There are a lot of components in this case study
The components cover all layers from the network up
This is a large organization with tens of thousands of users and millions of customers
It is dispersed over a continent
You must have an architecture to get a handle on this
This also applies to smaller companies and less complex infrastructures
Some of the technology components shown help organize and implement Access Control
Some of these components, such as operating systems (z/OS, ACF2, Top Secret) and AD, have to be managed whether you like it or not
I like LDAP
I like one copy of the Identity Master that all Access Control components use
I like federated Identity and authorization claims
I like Roles

HOW TO DO ACCESS CONTROL

A process and plan to implement Access Control (IREC 2007)
Getting the business partners and even customers involved

ASSESSING RISKS AND ROLES

DEFINING ACCESS RIGHTS

ACCESS CONTROL BIGGER PICTURE

Do we really have to do this? (outsource it)
The dating game case study

DATING AND SINGLES SITES ARE HAVING BIG PROBLEMS

Social media and sites for singles and dating have grown dramatically in the last ten years
There are over 14,000 singles dating sites in the US alone
The top European site has over 17 million active users
SCAMS is the name given to con artist scenarios where site customers are subjected to a staged ploy on their interests, up to and including marriage
These are elaborate deceptions designed to elicit money and information out of unsuspecting targets
The cons are far more likely to originate in Eastern Europe, where most of the complaints have been lodged.
The targets are worldwide, many of them in North and South America.
Complaints from unhappy customers and the theft of PI data, including cash, are causing credit card companies to shut down many site operators' ability to take a credit or debit card
They have to solve the Identity and Access Control problem to stay successful

DATING GAME IDENTITY AND ACCESS CONTROL

We approached the problem by looking for a way to assign a trusted value, unique to an individual, to their account and to access control into a site's services
Account creation was necessary, and post validation was required independent of the account set up
But things like fingerprints, voiceprints, and social security numbers were not practical to use as an access control mechanism
We hit on using the cell phone
People are more attached to their cell phones than to any other thing they carry
Most people under 40 will go home from work to get their cell phones but not their wallets
The cell phone number is not a bad way to assist in identifying a person
A call back validation, an email, or a text can be used to confirm the identity, and the security management process can be tailored for monitoring the owners of the numbers
Cooperation with the service providers is essential
It must be in conjunction with additional factors like E-Mail addresses and other publicly available information
It is not perfect, but considering the scale of the numbers of users it was deemed viable, and several solutions using this venue are in the works
The real trick, though, is wrapping an Access Control process around this particular problem
Mobile devices are becoming very personal to people, especially cell phones
Digital certificates and private key systems like PGP are starting to appear for mobile devices
Certificates are not easy to use on mobile devices and the manufacturers have a long way to go
I think it is inevitable
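An added example, not code from the presentation, of the post-validation step described above: a one-time code is delivered out of band to the claimed phone number and e-mail address, and the account is trusted only after both channels have confirmed. The code lifetime, the attempt limit, and the requirement that both SMS and e-mail confirm are assumptions for the example; only a keyed hash of each code is stored, bound to the account, channel and address.

```python
import hashlib
import hmac
import secrets
CODE_TTL = 300               # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3             # wrong guesses before a code is burned (assumed value)
REQUIRED = ("sms", "email")  # every channel here must confirm before the account is trusted

class OutOfBandVerifier:
    """Post-validation independent of account set-up: a one-time code is sent to
    the claimed phone number and e-mail address, and the account is only trusted
    once each required channel has confirmed."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending = {}       # (account, channel) -> [code_mac, address, issued_at, attempts]
        self._confirmed = set()  # (account, channel) pairs already verified

    def _mac(self, account, channel, address, code):
        # Only a keyed hash of the code is kept, bound to account, channel and address
        msg = f"{account}|{channel}|{address}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, account, channel, address, now):
        """Create the code the SMS or e-mail gateway would deliver to `address`."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account, channel)] = [self._mac(account, channel, address, code), address, now, 0]
        return code

    def confirm(self, account, channel, code, now):
        key = (account, channel)
        entry = self._pending.get(key)
        if entry is None:
            return False, "nothing pending"
        mac, address, issued, attempts = entry
        if now - issued > CODE_TTL:          # stale code is burned, never accepted
            del self._pending[key]
            return False, "expired"
        if attempts >= MAX_ATTEMPTS:         # guess limit: burn the code, re-issue needed
            del self._pending[key]
            return False, "too many attempts"
        entry[3] += 1
        if not hmac.compare_digest(mac, self._mac(account, channel, address, code)):
            return False, "code mismatch"
        del self._pending[key]               # a code confirms exactly once
        self._confirmed.add(key)
        return True, "confirmed"

    def is_validated(self, account):
        return all((account, ch) in self._confirmed for ch in REQUIRED)
```

Monitoring the owners of the numbers, as the slide suggests, would hang off the same (account, channel, address) binding that the stored hash already commits to.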

SOLUTIONS

There are a lot of Identity Management and Access Control solutions available on the market today. A lot of the operating security system vendors, IBM and SUN/Oracle and others, have decent products that complement their core security products.
I know that a lot of research and study should go into looking at a solution before you buy.
Getting a solution that works for you is half the work. The other half is good security governance and user provisioning. Without that it is not going to sustain itself over time.
It is a big job, and your identity and data depend on it being done well

QUESTIONS?
