Erie Insurance
CONTENTS
Identity Management: Foundations and basics
What needs to be protected
IT Risk perspective
Business Requirements
Applications
Data
Infrastructure
APPLICATIONS
Business and organization processes: programs that sell something, manufacture something, offer a service, do something useful.
The really important programs that don't monitor or manage processes deal with creating and managing data.
Programs often reflect the mission, activities, and major purposes of an organization.
People need programs to get things done.
Programs need to be secured.
DATA
INFRASTRUCTURE
Infrastructure is at the bottom of the pyramid; all other layers run on it.
If it is not built well, or not secured and controlled properly, nothing above it will go well.
Poor implementation at the infrastructure level ripples through all other layers.
Access control applies to infrastructure targets as well, not only to applications and data.
IT RISK
IT RISK MECHANICS
[Diagram: inputs (IT and business manager knowledge, executive team knowledge, external forces) feed "Assess Strategic IT Risks", which produces IT risk management strategies; "Assess IT Risk Management Program" produces strategic initiatives, risk governance plans, foundation plans and awareness plans.]
[Diagram: the 4A Framework (Agility, Accuracy, Access, Availability) and the three risk disciplines (Foundation, Process, Awareness).]
IT PROGRAM OBJECTIVES
IT ARCHITECTURE
If you are going to build an IT organization that fits the business mission and all of its associated complexities, you will need architecture.
Plan and design before you build.
IT security is an integral component of IT architecture.
[Diagram: enterprise architecture process. The business formulates its needs and engages EA for fit and feasibility. IT guiding principles and business drivers feed IT governance and the EA project approval process; approved projects go through an architectural fit assessment against architecture principles, guidelines and checklists, and a new technology approval process. Enterprise architects own architecture patterns (bricks and patterns); business platform architects own architecture standards; technical and process standards cover business, application, data and technology architecture; infrastructure architects deliver new system infrastructure implementation, with technical feedback returning to governance.]
IT SECURITY ARCHITECTURE
Enterprise IT Security Architecture Program
[Diagram: the security service map and current IT state feed an annual risk forecast (total risk cost, annual loss rate) and a risk assessment (security effectiveness, total security cost), which produce the IT security roadmap. Risk position and risk measures flow between the EA risk program, IT security governance, risk principles / EA principles and the IT risk program. Business drivers, IT security processes and the IT security life cycle drive the IT security program: policy, IT security architecture, standards, procedures and the security strategy cycle.]
[Diagram: security service map. Platforms: Windows, Unix/Linux, ZOS. Identity and access services: LDAP, meta directory, eTrust SiteMinder, Kerberos, CA-RCM, Centrify, role-based security, security models, user models, automated user provisioning (PeopleSoft as a source), ID request, security administration, web security, single sign-on, two factor, smart cards, public and private CA, key management, physical access, e-mail signing, secure e-mail. Data: data classification model, security dictionary, non-public information. Governance, compliance and privacy: SOX, PCI, state regulations, quarterly tests, annual compliance, audit, security policy, 3rd party audits. Controls: secure code, application scan, production isolation, secure network, account management, firewall management, vendor access, field crypto, HIPS, wireless. Participants: suppliers, customers, sub projects, security projects, programming interfaces, people, the company.]
Social media and singles/dating sites have grown dramatically in the last ten years.
There are over 14,000 singles dating sites in the US alone.
The top European site has over 17 million active users.
SCAMS is the name given to con artist scenarios in which site customers are subjected to a staged ploy that plays on their interests, up to and including marriage.
These are elaborate deceptions designed to extract money and information from unsuspecting targets.
The cons are far more likely to originate in Eastern Europe, where most of the complaints have been lodged.
The targets are worldwide, many of them in North and South America.
Complaints from unhappy customers, and the theft of PI data and cash, are causing credit card companies to shut down many site operators' ability to accept credit or debit cards.
The operators have to solve the identity and access control problem to stay successful.
We approached the problem by looking for a way to assign a trusted value, unique to an individual, to their account and to the access control into a site's services.
Account creation was necessary, and post-validation was required independently of the account set-up.
But things like fingerprints, voiceprints, and social security numbers were not practical to use as an access control mechanism.
We hit on using the cell phone.
People are more attached to their cell phones than to any other thing they carry.
Most people under 40 will go home from work to get their cell phone but not their wallet.
The cell phone number is not a bad way to assist in identifying a person.
A call-back validation, an e-mail or a text can be used to confirm the identity, and the security management process can be tailored for monitoring the owners of the numbers.
Cooperation with the service providers is essential.
It must be used in conjunction with additional factors like e-mail addresses and other publicly available information.
It is not perfect, but considering the scale of the number of users it was deemed viable, and several solutions using this approach are in the works.
The real trick, though, is wrapping an access control process around this particular problem.
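The account-creation-then-post-validation flow described above, as an added example that is not the deck's own code: an account is created first, a separate challenge delivers a short code to the claimed phone number (standing in for the text or call-back), and the account is only marked phone-verified when the correct code comes back before the challenge expires and within a small attempt budget. The time-to-live, attempt limit, and the cap on how many accounts one number may anchor (so a single burner number cannot back a fleet of scam profiles) are assumed policy values; the "outbox" list stands in for a real SMS or voice gateway, and the phone numbers in the usage are constructed.

```python
"""Phone-number post-validation for a site account (added example, assumed design)."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6
CHALLENGE_TTL_SECONDS = 300      # assumed: code is good for five minutes
MAX_ATTEMPTS = 3                 # assumed: guesses allowed per challenge
MAX_ACCOUNTS_PER_NUMBER = 2      # assumed: how many accounts one number may verify


@dataclass
class Challenge:
    account_id: str
    phone: str
    code: str
    created_at: float
    attempts: int = 0


class PhoneVerifier:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges = {}   # challenge_id -> Challenge (one live challenge per account)
        self.verified = {}     # account_id -> digits of the verified phone number
        self.outbox = []       # (phone, message) pairs; stands in for the SMS/voice gateway

    @staticmethod
    def normalize(phone: str) -> str:
        # Keep digits only; a production system would use a proper E.164 parser.
        digits = "".join(ch for ch in phone if ch.isdigit())
        if not 10 <= len(digits) <= 15:
            raise ValueError("phone number must contain 10 to 15 digits")
        return digits

    def start(self, account_id: str, phone: str) -> str:
        """Issue a challenge for an existing account; returns the challenge id."""
        phone = self.normalize(phone)
        others = [a for a, p in self.verified.items() if p == phone and a != account_id]
        if len(others) >= MAX_ACCOUNTS_PER_NUMBER:
            raise PermissionError("phone number is already bound to too many accounts")
        # Invalidate any outstanding challenge so only one code is live per account.
        for cid in [c for c, ch in self.challenges.items() if ch.account_id == account_id]:
            del self.challenges[cid]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = Challenge(account_id, phone, code, self.clock())
        self.outbox.append((phone, f"Your verification code is {code}"))
        return cid

    def confirm(self, account_id: str, challenge_id: str, submitted: str) -> bool:
        """Check a submitted code; bind the number to the account on success."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.account_id != account_id:
            return False                       # unknown challenge or wrong account
        if self.clock() - ch.created_at > CHALLENGE_TTL_SECONDS:
            del self.challenges[challenge_id]  # expired: caller must start over
            return False
        ch.attempts += 1
        # Constant-time comparison so a wrong guess does not leak matching prefixes.
        if hmac.compare_digest(ch.code.encode(), submitted.strip().encode()):
            del self.challenges[challenge_id]
            self.verified[account_id] = ch.phone
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[challenge_id]  # budget exhausted: burn the challenge
        return False

    def is_verified(self, account_id: str) -> bool:
        return account_id in self.verified


if __name__ == "__main__":
    v = PhoneVerifier()
    cid = v.start("alice", "(814) 555-0100")     # constructed account and number
    phone, message = v.outbox[-1]                # what the gateway would have sent
    code = message.split()[-1]
    print("verified:", v.confirm("alice", cid, code), v.is_verified("alice"))
```

The verified number is what the deck calls the trusted value: it is bound to the account only after a challenge the account creation flow did not control, and the same number cannot be reused indefinitely. Pair the result with the additional factors the deck names (e-mail, other public information) before granting access to the site's services.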
Mobile devices, especially cell phones, are becoming very personal to people.
Digital certificates and private key systems like PGP are starting to appear on mobile devices.
Certificates are not easy to use on mobile devices, and the manufacturers have a long way to go.
I think it is inevitable.
SOLUTIONS
QUESTIONS?