Shirief Nosseir, Marketing Manager, CA Technologies
April 17, 2012 16:50
Thank you. Well, next up we have Shirief.
No, who was on our panel earlier? Is he here?
No, no, here you are, you're taking me from behind here. Shirief is marketing manager at CA Technologies, and his title is "Cloud, consumerization and identity: time to transform the security model". You have a little less than 20 minutes, and I'll give you a five-minute warning.
Thank you very much. So for the next 20 minutes, basically, I'll focus on two things. First is why cloud, consumerization of IT and other emerging trends and technologies are demanding that we change the current traditional security and identity and access models that we have.
And the second thing is how we need to change the identity and access management models. So without further ado, in order to speak about cloud and consumerization and the effects that they have, there are many analogies that one can use.
But on a lighter note, I would like to use Star Trek, and I would like to use the Borg from Star Trek. The Borg is a sued race that is a major threat to the United Federation of Planets.
Basically, they are a major threat to the good guys like us, and the Borg coined a phrase that became one of the greatest TV catchphrases. They said: strength is irrelevant, resistance is futile, your culture will adapt to service us. Business supporters of cloud and consumerization today can say the same thing about security. They can say: security is irrelevant, resistance is futile, your culture will adapt to service us.
Basically, as far as business decision makers are concerned, the business benefits of cloud and consumerization are so compelling that whether or not the services and products they need to use have been vetted enough for security will often not stop them from going ahead and consuming them. We recently did a survey.
We sponsored the survey, CA Technologies sponsored the survey, where we interviewed over 900 IT practitioners that are already using cloud computing. These were from Europe as well as the US, from large organizations. 49% of the respondents said that the cloud services they use today in their organization have not been vetted enough for security, in their view. Also, 68% of the respondents said that the IT organization, the IT security organization, is not the most responsible for securing these services.
Also, it's important to remember that the business supporters of cloud and consumerization often highlight as a benefit the ability of the business to go out and buy IT services themselves while bypassing IT altogether. It is now abundantly clear that IT organizations that are going to resist the move to cloud and consumerization are going to be either bypassed or replaced altogether. So resistance is not an option, really.
So if business users are going to be going out and adopting cloud and consumerization regardless, what can we do to avoid the mayhem that happened in the eighties and nineties, when the lines of business would go out and buy PCs and servers and spread them like wildfire without involving IT, with very little control and coordination from IT? Blocking everything is not going to work, because we're not going to be enabling the use of IT and technology.
Actually, preventing everything from happening today would result in more risk, because our users now are a lot more sophisticated and they'll be able to find ways around it. However, they will often not be well aware of the security implications involved in doing that. So the question then becomes: how can we protect to enable? How can we design for the loss of control?
If we look at the traditional identity and access management models that we have, they've originally been developed when we had our computing resources and our data located on premise. We also had the main bulk of our users operating from within our office building. Basically, as far as we were concerned, as long as the buildings were secure, our IT assets were secure. Now, the security controls in these models will neither be able to keep up with emerging trends and technologies, nor with the threats that are going after them.
So if we start to look at virtualization, cloud and consumerization, and the way that our environments are evolving, we see that our systems and data often are not going to be located on premise anymore. For example, with public clouds, users will be able to access applications like salesforce.com even from outside the firewall; they don't even have to be within the firewall at all.
Also, the level of trust that we have in our users is changing. Users no longer physically come into the office building. They are still able to access our applications and data, but they're doing it on the move and from all different kinds of devices. Also from a trust perspective, it is becoming critically important from a business perspective to be able to enable collaboration and innovation, to be able to be more competitive in the market.
And in order to do this, businesses must be able to open up their systems and data to their business partners and customers. So if we look at the existing security models that we have today, the traditional security models, they've originally been developed to try to prevent everything from happening, just because we hope to prevent breaches. We have to acknowledge that we cannot do this anymore. We have to live with the fact that compromise is inevitable.
We have to assume that someone who has enough means and enough motivation to compromise our systems will succeed to some level. So what we then need to do is to be able to identify an attack as soon as it happens and to minimize its impact once we discover it. In order to do this, we need to be able to look at a new security model, and the new security model basically needs to look at three layers. The new security perimeter that we need to be thinking about needs to be looking at three layers.
The first layer is looking at the data throughout its life cycle, whether it's at rest, in use or in motion. We need to look at the users and how they're using this data. And the third thing is to look at the context of how a user is using this data.
Also, in order to enable all of this to happen, we need to look at the trust model that we have today. The security models that we use have a binary trust model: we either trust something or we do not trust it at all. What we need to do, to create new policies and procedures that are more dynamic and more agile, is to create a more granular trust model that allows us to have different variations and to be able to capture the different kinds of risk variations that we have. And in order to do this, we need to have multiple layers in our trust model.
The first layer, as you've seen earlier here, is basically the identity layer. Whenever a user is trying to access an application or a system, what we typically, traditionally do today is to look at the identity and the entitlements that this user has. This is what we've been using for quite a while.
Just to be more specific on definitions: from an identity management perspective, we're talking about things like entitlement certification, role management and user provisioning, and from the point of view of access management, we're talking about things like multifactor authentication, single sign-on and web access management. However, there are a few limitations, and one of them is major: once a user is able to legitimately access an application,
we're not able to control what happens once this person accesses data and information from this application. We're not able to control what this user is then able to do with this information. Just to give you an example: if I have a person working in finance who legitimately has access to the financial accounting module in SAP, they can log in and access sensitive financial information, export it into an Excel sheet and download it to their laptop.
Identity and access management will stop at this point and will not be able to control what this user will then be able to do with the Excel sheet. However, if this Excel sheet falls into the wrong hands, obviously it can cause a lot of harm. Also, traditional identity and access management models typically do not look at the risk perspective, the contextual risk that is involved in the transaction, or what the user is trying to do. And this is a really important layer.
If we need to be adopting the new emerging trends and technologies, here we look at things like the user behavior: what is the user trying to do? By looking at the behavior of the user and what they're trying to do, we are able to give a risk score, to be able to take the appropriate action.
What I'm talking about here is looking at things like: where is this user located right now, as they're doing the transaction, versus where are they usually located? If they are usually located in Germany, but now they're doing a transaction from Azerbaijan, where we know that a common attack is coming out of there, then obviously we need to give this a higher risk. Another thing is looking at user velocity.
So if someone logs in from Munich, then 10 minutes later logs in from New York City, then five minutes later from Beijing, obviously this should raise alarm bells. We can look at a number of different things like that: the time of the day,
what day of the week it is. Is it usual user behavior? Is it out of pattern? We look at whether this is a device that they typically use when they're doing transactions or not. And we can get down to the level of the transaction and how risky the transaction itself is, to control what the user is doing.
From all of these different things we get a score between zero and a hundred. Zero means that we trust this user and what they're trying to do as much as we can; a hundred means that we're certain, as much as we can be, that there's something risky here, something wrong here, and we should abort this transaction. And we can get scores in between to allow us to take different kinds of actions, rather than just a binary black and white. Thanks.
The last layer that we have here, the third layer, is the content sensitivity. What we're looking at is how sensitive the information is that the user is trying to access. And also, from a contextual perspective again, who is this user and how is this user trying to use this information?
Basically, this would then allow us to take the appropriate action, whether it's to stop the user from doing a risky transaction or, more likely, to educate our users on the risks that are involved in what they're trying to do, and update them on our policies and procedures and the best practices that we have. To highlight what I'm talking about here, I'll continue the same example that I gave about SAP and the person that is working in finance.
So let's assume the person that worked in finance, that downloaded that spreadsheet to their laptop, has now moved from the finance department to the sales department. In order to ensure segregation of duties, we now need to deprovision them from accessing that financial accounting module. But wait a minute, what about the spreadsheet that they just downloaded to their laptop? What should happen to this spreadsheet?
It's got a lot of sensitive information that, now that they're working in sales, they shouldn't have access to. What I'm talking about here is that once the HR department changes the role of this person from finance to sales, as part of the deprovisioning process that needs to happen, and as it's happening, we would automatically go and scan the laptop of this person and identify all of the sensitive information that this user should not be able to have access to anymore.
We would move it to a secure location and replace these documents with stubs that, if they open them, would explain what happened and say: contact your service desk to find out more details. From this, we're basically reducing the amount of risk that is involved in what is happening here. So just to summarize the point that I'm making here: information protection and control, or as it's commonly known in the market today, data loss prevention, often does not take an identity-centric perspective.
It doesn't look at the bigger picture and what users are able to access as a whole. Quite often data loss prevention is viewed as a technical, excuse me, as a tactical solution, as part of the threat protection capabilities, with things like firewalls and anti-malware. This means that we're not able to granularly map information control policies down to the variations of the business processes that we have. What we end up with is that we're neither able to truly prevent data leakage from happening,
nor, quite often, able to avoid preventing the business users from doing things that they should legitimately be able to do, because we're applying generic information protection policies that do not allow for flexibility. This is starting to change as organizations have learned from the early deployments and from what has been happening in the market.
Basically, what we are starting to see today, and this is what we really need to keep in mind, is that data loss prevention technology shouldn't be a threat protection element. It is a capability that needs to be an integral part of our access management stack, because this would allow us to give access control down to the level of the data, rather than at the level of the application. Doing all of this then provides us with better insight and visibility into what we're doing and what is happening, and allows us to have more agile and more dynamic policies.
In CA, at CA Technologies, we call this content-aware identity and access management.
We see a lot of organizations that have all of these three different layers that I'm talking about, but very few cutting-edge organizations have used them and are using them in an integrated fashion as I'm describing here. So just to summarize what is happening here: this would then allow us to have different tiers of trust, and depending on the different tiers that we have, we will assign different security policies to the corresponding tiers.
Depending on the action that a person is doing, we will be able to find a score and then, at runtime, be able to enforce the policies that correspond to the right tier that they fall into, to allow us better flexibility. I'm not going to cover this because of time, but one last example that I want to give here is with regards to SharePoint, carrying on from the same example of the finance person that moved from finance to sales.
What about all of the financial documents that are stored on SharePoint? SharePoint today is very pervasive in many organizations, and often SharePoint sites are managed by someone that is sitting in the department, so it becomes a lot more difficult to manage who should access what, down at the document level.
So what we're talking about here is that when this person tries to access the spreadsheet that they used to be able to access when they were working in finance, now that they're working in sales, without changing anything manually, the system is automatically going to classify this document, this Excel sheet, at runtime, and from that be able to decide, because of the policies that we've set, that this person now works in sales and shouldn't have access to this document anymore.
They will not be able to have access to it; it is going to be rejected. And obviously we can capture all of this, for all the purposes, and be able to improve our systems. Okay.
I'll stop at that. Thank you very much. Thanks.
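The contextual risk layer the talk describes (usual location, known device, time-of-day pattern, user velocity such as Munich then New York ten minutes later, a score from zero to a hundred mapped onto trust tiers), as an added Python example that is not part of the talk or of any CA Technologies product. The signal weights, tier thresholds, city coordinates and sample logins are constructed assumptions.

```python
"""Context-based risk scoring for the tiered trust model described in the talk.
Added example, not CA code: weights, thresholds, coordinates are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
from typing import Optional

# Constructed (lat, lon) for the cities used in the talk's velocity example.
CITY = {"Munich": (48.14, 11.58), "New York": (40.71, -74.01), "Beijing": (39.91, 116.40)}
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner is impossible travel

@dataclass
class Login:
    user: str
    city: str
    device_id: str
    at: datetime

def distance_km(a, b):
    """Great-circle distance between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev: Login, cur: Login) -> bool:
    """User velocity: distance between consecutive logins versus elapsed time."""
    hours = (cur.at - prev.at).total_seconds() / 3600
    if hours <= 0:
        return cur.city != prev.city  # two cities at the same instant is not plausible
    return distance_km(CITY[prev.city], CITY[cur.city]) / hours > MAX_PLAUSIBLE_KMH

def risk_score(cur: Login, prev: Optional[Login], profile: dict) -> int:
    """Combine the talk's context signals into a 0..100 score (0 = fully trusted)."""
    score = 0
    if cur.city != profile["usual_city"]:
        score += 25  # not where this user is usually located
    if cur.device_id not in profile["known_devices"]:
        score += 20  # a device the user does not typically use
    if not (7 <= cur.at.hour < 20) or cur.at.weekday() >= 5:
        score += 10  # outside the usual time-of-day / day-of-week pattern
    if prev is not None and impossible_travel(prev, cur):
        score += 45  # e.g. Munich, then New York ten minutes later
    return min(score, 100)

def decide(score: int) -> str:
    """Map the score onto trust tiers rather than a binary allow/deny."""
    if score < 30:
        return "allow"
    if score < 70:
        return "educate-and-step-up"  # explain the risk, require extra authentication
    return "abort"

def demo():
    """Constructed sample: the talk's Munich -> New York -> Beijing sequence."""
    profile = {"usual_city": "Munich", "known_devices": {"laptop-1"}}
    t0 = datetime(2012, 4, 16, 9, 0)  # a Monday morning, constructed
    logins = [Login("alice", "Munich", "laptop-1", t0),
              Login("alice", "New York", "laptop-1", t0 + timedelta(minutes=10)),
              Login("alice", "Beijing", "laptop-1", t0 + timedelta(minutes=15))]
    out, prev = [], None
    for cur in logins:
        s = risk_score(cur, prev, profile)
        out.append((cur.city, s, decide(s)))
        prev = cur
    return out
```

In a real deployment the score feeds the policy tier at runtime, so the middle tier can trigger the user education step the talk prefers over a hard block.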