Today I'm here to talk about security strategy in general. I have more than 20 years of experience, mainly with enterprise architecture and system development. I'm a book author and an identity and access management specialist. I have worked at companies like CA and others, and nowadays I work in Portugal at Farfetch on its digital initiatives. What is the access channel of your project? The access channel is so important because you have mobile access, web access and other ways to get in.
The first strategy concerns partners and applications in general. Application by application, you log in with the user's credentials, and those credentials are the target of the hackers. On the other side we have the user experience as a focus, and we need to talk a little bit about security. You have mobile manipulation: there may be malware in your mobile, and that malware can work as you when you are talking with your bank. For example, someone tries to work as you, tries to simulate your mobile.
We have the mobile device, we have the application, which is not directly associated with the device, and we have the access itself. These are the main challenges of the access channels. We have a lot of channels to control, and your development teams need to think about security.
We have a lot of mobile operating systems and user setups. Some, like Apple's, are more controlled. The versions of iOS and Android, with all their variations, are a huge challenge and make things more complex. You have another challenge: user experience versus security. And we'll talk about how we should improve this.
Do you have customer identity management? The tools normally work with the internal users, and in most companies these tools are not working together, and development is not thinking about the channels. The first frontier here is that your mobile application needs to connect to an API.
You probably don't know this, but I will take an example from Brazil. We had a bank whose customers started to use a mobile application that they thought was the bank's, but it was a fake, and it stole the customers' credentials. That application was not authentic. When you use an authentic application, the mobile trusts the application and the application trusts the mobile, so you need to create a process to certify applications; otherwise a simulated application becomes possible.
Now you have device DNA, location and access behavior. For device DNA, you need to collect the DNA from the mobile: the model, the operating system version, the application version and other points. You need to store this and check it every time, to analyze whether it is the correct mobile application and the correct phone. Then you need to collect and analyze the location.
For example, I'm in Portugal, and within a short time period I try to execute a task from Germany.
This is a problem, and you need to check this, or consider the last point, access behavior. If I executed transactions from Portugal and then I execute a transaction from Germany, I need to check whether this is correct, whether I am traveling to Germany or not, and you can analyze this with specific tools. Continuing, you need to check the user's local behavior for each transaction.
You need to collect how the user uses the phone: what kind of transaction is normal, at what times they use the phone, how the user touches the phone, how they move the phone, because maybe a remote access trojan is working as the user and taking over the connection inside the session. For this, specific tools are necessary. Look at the other side: you have the gateway, and you need to consider an API gateway with security features.
You need to check the payload of the API and check whether the payload is an attack or some other kind of behavior. We can have a tool that signals behaviors to be checked. Another important point is to include machine learning analyzing the API data and the API behavior. The point here is to check whether it is an attack or, for example, a data leak incident; for GDPR this is a good approach. Normally the solution for this is cloud-based and collects the payloads of your connections to analyze them in real time.
You need to consider API features like authentication, authorization and accounting.
So register the log of the access. We will talk more about authentication and authorization here, but we need to consider the standards of the market, like OAuth, and consider multi-factor authentication. But we have a strategy for this. This is the point of the strategy: considering multi-factor authentication, access orchestration. This point is good because it helps the developers; the developers can now focus on the business and get security through the orchestration. The orchestration is a tool where you connect all the security tools related to access.
We can include a risk analysis tool and other kinds of data related to this, and the orchestration analyzes the conditions of that moment. The orchestration connects to the multi-factor solutions, in our example OTP and biometrics, and based on the risk it can show the OTP or the biometrics when there is strange behavior.
In our example, if I travel to Germany, I'm in a different condition and the orchestration may show me the OTP. But maybe a bad user is trying to work as me; the orchestration shows the OTP, the bad user doesn't have it, and doesn't get access.
The gist is: if the risk is good, green, it is possible to enable passwordless, considering the user experience, and passwordless gives this user experience with no multi-factor, because I'm okay: I'm working in Portugal with my mobile, with the correct DNA, the correct location and the correct behavior. But if I travel to Germany and I'm a good user, the orchestration shows me the OTP, I succeed with the OTP, and then I can use this information. I give access to the user, but I keep this information, and we enter the monitoring aspect.
I have access, the risk analysis knows I'm in Germany, and I'm a yellow user because I needed to provide an OTP. My OTP is okay, but I'm yellow, and then I pass the yellow to the user behavior analytics. Considering what we talk about in this presentation, this is the gap, and we solve the gap if we connect the risk analysis with the user behavior analytics. The user behavior analytics then continues to monitor me because I'm yellow: I'm okay with the multi-factor, but I can still be a bad user, just not for now.
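The orchestration described above, as an added example (not the speaker's code or any product): device DNA and location/time are compared against what is stored for the user, and the outcome is green (passwordless), yellow (OTP step-up plus continued monitoring) or red (deny). The DNA fields, the sample user, the 900 km/h and 500 km thresholds and the rule that a DNA mismatch or impossible travel is red are all assumptions.

```python
from collections import namedtuple
from math import asin, cos, radians, sin, sqrt

# Device DNA = the points collected from the phone; an AccessEvent = one access attempt.
DeviceDNA = namedtuple("DeviceDNA", "model os_version app_version")
AccessEvent = namedtuple("AccessEvent", "user dna lat lon ts")  # ts in epoch seconds

# Constructed sample data: alice's enrolled device and her last access, from Lisbon.
ENROLLED = {"alice": DeviceDNA("Pixel 7", "Android 14", "3.2.1")}
LAST_SEEN = {"alice": AccessEvent("alice", ENROLLED["alice"], 38.72, -9.14, 1_700_000_000)}
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner counts as impossible travel
NEW_LOCATION_KM = 500.0    # assumption: further than this from the last access is a new location

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine, Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))

def risk_signals(event, enrolled, last_seen):
    """Compare the device DNA and the location/time against what is stored for the user."""
    signals = []
    known = enrolled.get(event.user)
    if known is None or (known.model, known.os_version) != (event.dna.model, event.dna.os_version):
        signals.append("device_dna_mismatch")      # not the certified phone/app we enrolled
    elif known.app_version != event.dna.app_version:
        signals.append("app_version_changed")      # same phone, but worth a second factor
    prev = last_seen.get(event.user)
    if prev is not None:
        km = distance_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = max(event.ts - prev.ts, 1) / 3600.0
        if km / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")    # Portugal, then Germany minutes later
        elif km > NEW_LOCATION_KM:
            signals.append("new_location")         # plausible trip: step up, don't block
    return signals

def orchestrate(event, enrolled=ENROLLED, last_seen=LAST_SEEN):
    """Green -> passwordless; yellow -> OTP step-up and keep monitoring; red -> deny."""
    signals = risk_signals(event, enrolled, last_seen)
    if "device_dna_mismatch" in signals or "impossible_travel" in signals:
        return {"risk": "red", "decision": "deny", "monitor": False, "signals": signals}
    if signals:
        return {"risk": "yellow", "decision": "step_up", "factor": "otp", "monitor": True, "signals": signals}
    return {"risk": "green", "decision": "allow", "factor": "passwordless", "monitor": False, "signals": signals}
```

The "monitor" flag is what the orchestration hands to the user behavior analytics so that a yellow user keeps being watched for the rest of the session.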
I can be a bad user, and the user behavior analysis continues to check my behavior for the rest of my session, and can stop me if necessary. Talking now about privileged access management, we need to consider multi-factor authentication for a privileged user accessing privileged assets. You need to limit the assets: don't show more than the user needs to see. You need to limit the commands: the user may work as a privileged user, for example, but not have all the commands enabled. You need to control the commands, and you need to know everything they type. You need to record the screen to see the user in action.
For example, the user may use a graphical screen with clicks and that kind of thing, and only with a recording of the screen can you see what the user is doing. But we can combine this with the list of commands that are not allowed: it is not necessary to record everything, but if the user tries to execute commands that are not allowed, you start to record the user. At this point you also have the credentials in scripts and apps: you need to remove credentials from scripts and include those credentials in the access manager too.
And then the script checks out the credentials to use them in memory only, with encryption. With these six points we have a good strategy for PAM, and PAM is so important to your security strategy. Thank you. This is my LinkedIn and my email if you want to talk with me. Thank you so much.
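The privileged-access controls from the last part of the talk, as an added example (not the speaker's code or any product): MFA before a privileged session opens, only the role's assets are reachable, only allowed commands run, everything typed is kept, screen recording starts the moment a not-allowed command is attempted, and a script checks a credential out of the access manager into memory instead of embedding it. The role policy, the vault entry and the account names are constructed assumptions.

```python
from contextlib import contextmanager
from dataclasses import dataclass, field

# Constructed policy: the assets each privileged role may see and the commands it may run.
POLICY = {"dba": {"assets": {"db-prod-01"}, "commands": {"psql", "pg_dump", "ls", "cat"}}}
# Constructed vault entry: the credential lives in the access manager, never in a script.
VAULT = {"db-prod-01/postgres": b"constructed-not-a-real-password"}

@dataclass
class PrivilegedSession:
    user: str
    role: str
    asset: str
    recording: bool = False                         # screen recording is off until it is needed
    typed: list = field(default_factory=list)       # everything the user types is kept
    recorded: list = field(default_factory=list)    # what the screen recording captured

def open_session(user, role, asset, mfa_verified):
    """MFA for the privileged user, and only the assets the role needs are reachable."""
    if not mfa_verified:
        raise PermissionError("multi-factor authentication required for privileged access")
    if asset not in POLICY[role]["assets"]:
        raise PermissionError(f"{asset} is not visible to role {role}")
    return PrivilegedSession(user, role, asset)

def run_command(session, line):
    """Limit commands; log everything typed; start recording when a not-allowed command is tried."""
    session.typed.append(line)
    cmd = line.split()[0] if line.strip() else ""
    if cmd not in POLICY[session.role]["commands"]:
        session.recording = True                    # from here on the whole session is recorded
        session.recorded.append(f"DENIED {line}")
        return False
    if session.recording:
        session.recorded.append(line)
    return True

@contextmanager
def checkout(account, vault=VAULT):
    """Check a credential out for use in memory only and wipe it when the caller is done."""
    secret = bytearray(vault[account])
    try:
        yield secret
    finally:
        for i in range(len(secret)):
            secret[i] = 0
```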