1 / 30

Providence Health & Services

Identity Management: Tools to govern system access Michael Fornal, Security Analyst Providence Health & Services ISSA International Conference 10.10.13. Providence Health & Services. Very large Catholic healthcare system 33 hospitals in AK, CA, MT, OR, WA 65,000 employees. ATTENTION:.

zanna
Download Presentation

Providence Health & Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Identity Management: Tools to govern system accessMichael Fornal, Security AnalystProvidence Health & ServicesISSA International Conference 10.10.13

  2. Providence Health & Services • Very large Catholic healthcare system • 33 hospitals in AK, CA, MT, OR, WA • 65,000 employees

  3. ATTENTION: The information you are about to hear is from a Newbie in the InfoSec community who is still learning to manage his own Identity. If you disagree with any of the information that you hear here todayPLEASE DON’T REMOVE HIS ACCESS to the InfoSec community or ISSA!

  4. Topics of Discussion • Capabilities IAM tools can bring. • Challenges of implementing an IAM tool in the enterprise. • How you can improve your security program with an IAM tool.

  5. What is Identity Management • In short it’s the ability to provide provisioning and governance of users within your environment. This includes: • Password Management • Access Requests • Enforcement of role based policies

  6. Capabilities IAM tools can bring to bear around Identity & Access Governance: • Management of employee life cycle from beginning to end. • Provides an overall view of how effective yourpolicies are. • Centralize authentication and authorization of applications across an enterprise. • Gives greater transparency into who has access to what. • Reduce the fears that Executives and IT Managers have around Identity and Access Governance.

  7. Management of employee life cycle • Add an employee • Move an employee • Employee leaves

  8. Provides an overall view of how effective your polices are by: • Providing reports that show employee violations of polices. • Showing you where there could be potential conflicts with a role or group that could limit an employee’s productivity.

  9. Centralize authentication and authorization of applications across an enterprise • One piece of software can control access to all applications in an enterprise reducing redundancy. • Provides accountability • Allows for the burden of account management to be taken off a department like applications support.

  10. Allows for greater transparency • Gives a high level of who has access and to what based on role or group. • Shows who your super users are and where your areas of high risk are.

  11. High Privilege Group

  12. Reduce managements fears around Identity and Access Governance • Executives fear that account management is being done incorrectly. • IT Managers fear for integrity of their data and applications. • Providing leadership with tangible results that allow them thenecessary transparency to see that the IAM program is working.

  13. Report Summary

  14. Privilege group membership report

  15. Challenges Implementing an IAM tool within the enterprise: • Connecting to different environments, how do they look? • Knowledge of required skills and resources to be successful. • Scoping what you are going to handle and what you are not. (eg. Cloud applications) • Getting buy in and cooperation from other departments.

  16. Know your environments • What infrastructure are you connecting to (AD, SharePoint, database) and how does it look? • How does that connection work (flat file, database connection etc.)?

  17. Knowledge of required skills and resources to be successful • Understanding different environments. • Prog languages & OSs • Support from the vendor • Trouble shooting

  18. Rule to add multiple groups to a certification(Java beans)

  19. Scoping what you are going to handle and what you are not? • What is going to be the goal of your IAM program? • Provisioning or governance? • Hosted & non-hosted applications?

  20. Getting buy in • Show how this is beneficial to the company. • Show you need it even if you haven’t had a problem. • What resources from other depts. are going to be required to make this • Successful?

  21. Manager certification

  22. Manager Certification cont.

  23. How you can improve your security program with an IAM tool: • Allows for better creation of company security polices. • Used as a provisioning tool allows for better management of employee life cycle. • Reduce your attack surfaces.

  24. Allows for better creation of company security polices by: • Giving you the information that you need to make better informed decisions. • Where to use least privilege andwhere not to use. • Performing audits and reports.

  25. Used as a provisioning tool allows for better management of employee life cycle Setup everything from: • Password Management • Application Access • Closing of Accounts

  26. Reduction in attack surface. • Able to clean up old accounts that could be used to access sensitive information. • High privilege accounts can be monitored • Mitigates the insider threat especially in a dynamic environment • Reduces the risk of super user accounts beingcreated by having it approved by another dept.

  27. High Privilege Account Certification

  28. Today’s Takeaways • An IAM tool in your enterprise gives you the benefits of a detective tool and a prevention tool. • IDM needs to be a cornerstone of a security programwithout it everything else will break down.

  29. Thank you! Thanks for attending my talk today onIdentity Management: Tools to govern system access Questions…?

  30. Contact On Twitter:@fornalm Security blog: Fighting In.Security http://fightinginsecurity.wordpress.com/

More Related