UX with Security in Corporate and Customer Access, but including a huge monitoring approach to have the effect of Zero Trust for the users. I will mix CIAM, Access Management, IAG and UEBA.
I have 25 years of experience with security architecture and assisting development. I started with system development, but I moved to security at the beginning of my career. I'm a book writer about security and development too. I'm a university teacher as well, and I have worked at CA, IBM, Micro Focus, Novell and with customers in telcos, chemicals and a lot of industries, and nowadays I'm working at Farfetch. This is my LinkedIn, and I'm very much hoping to talk with you, share a bit more experience, understand your challenges and learn more about this topic. Let's start with the risk context.
Customers can have a lot of channels for access, like mobile, websites, APIs, IoT and other things. Here we have the new challenges for workforce access, like remote access, remote hiring and onboarding of persons, and a lot of risks at this point. With a true API-first strategy in companies, you have a lot of APIs working, and we also have a lot of projects with user connections; I think this is one of the main points here.
On one side we have the user experience and the damage to the experience, and on the other side security, trying to provide this in a secure way, and we have a lot of user types with different conditions to manage here. A bit about the security risks: you have mobile manipulation, where you have risks from malware for example, and the remote Trojan simulations, where someone simulates your device. A lot of risks with APIs in general, credentials and sessions.
This is the main thing again, in my point of view: application security, because you can have strong identity management, but if the application has a vulnerability, this can bypass everything. Privileged access in general is another great security risk here, and user lifecycle management, and we will talk a bit about these two. Talking about the challenges again, about the access channels: the context of each user enables a lot of channels for this user to interact with one company, maybe as a customer, maybe as a partner or an employee, and you need to take care of this.
Thousands of mobile operating systems and user setups increase the risk, because for example some Androids may have a good setup, for example from Sony or other devices, and a generic Android setup may increase the risk of having malware or other manipulations like root or jailbreak, for example. User experience versus security: we talked about this a bit here, but the challenge is how. How can you provide the user experience for the user?
We'll talk about user monitoring, which is another challenge, but I have some ideas to share with you here too. And development: the concept is to educate your developers not to try to invent their own identity management, and to use what you define in your architecture, your framework or a vendor solution. It doesn't matter which, but the developer must follow the standards defined by you in the proposed strategy. I have a lot of points here to share. I start with the point that I love, which is about onboarding. Maybe the customer, maybe the employee, it doesn't matter; you adapt the flow to your conditions.
I start with data collection. Device DNA data collection: the main information of the person is pushed, the name and the ID of the person, and the DNA is collected from the device of the person. You can collect a photo of the documents of the person to use in some minutes. You can collect the biometric information, like a photo of the person at this moment, and you can have proof of life.
Some regulations, like for Brazilian banks, need proof of life, and you can provide a live video of the person, and because of this you have the risk of the deepfake, and some AI tech cloud providers have solutions to analyze the videos, check if it is a deepfake and show you if it is fake. After this you can activate the device of the person to have the device in a whitelist.
You can, and in this case you must, use another ID tech to validate all the information. You share the data collected, you share the documents and you share the biometrics, and the ID tech validates this to check if we have some misinformation, something strange, or if the biometrics do not match the documents. After all this is set, you activate the OTP of the person to be used in critical transactions, but the idea is not to use the OTP for everything.
Thinking about the user experience, and we will talk about this for the remote workforce for example, you can adapt this workflow and use it. Talking about mobile: mobile versus API integration. I suggest you include mutual authentication. You can authenticate the mobile app, which can trust the API gateway.
The API gateway can trust the mobile apps as well, because I know some cases where, for example, a fake bank has received a lot of connections from mobile apps and collected the PII data of the persons and a lot of data, and mutual authentication avoids this. Other points for mobile are device DNA, geolocation and access behavior. Device DNA is to check the DNA collected at the onboarding of the person. Geolocation is to analyze if the person, for example, is working from Lisbon and now is working from Berlin: if there was enough time to arrive in Berlin to work, it is okay.
Or, for example, the person is working from Lisbon and at the same time, or in a short gap of time, is working from New York. Something is strange. And access behavior is the way that the person accesses the system, and you need to check this, and some tools can analyze this in real time.
Another point for mobile is the user behavior per transaction, where in some cases, for example with a remote access Trojan, after you authenticate very well, the remote access Trojan can use your safe channel to execute frauds, and the idea is to validate each transaction and authenticate thinking about behavior, thinking about other kinds of analysis, and avoid the Trojan connection. In this case we can find some vendors with this feature available too. About the API: I suggest an API gateway with security features. This can help you with a lot of kinds of attacks.
A web application firewall in some cases can help here, but in some cases the API gateway is enough to have this kind of control. Another point here is machine learning analyzing the API data, where you can control data leaks of PII information or other modern kinds of attacks, maybe analyzing with this. Normally this is provided by cloud vendors with this feature, and you connect your API gateways to the cloud vendor. Another point is the AAA features. I strongly suggest that your API gateway supports them.
With this you can authenticate against an IdP, you can control everything about the user lifecycle over this IdP, and you can control the authentication and authorization using modern protocols. Here is the idea, and you can have the information about the user access and use it inside your orchestration. Talking about your orchestration, the idea here is to externalize this logic from the development. The development has its focus on the business side of the work.
Your orchestration, normally with a no-code approach, can connect you, in some cases, to your legacy tools or modern tools to orchestrate the access. It starts with the risk analysis, and all the information collected here in real time is compared, if you are onboarding, in some cases using an AI approach, and in other cases with some logic inside these tools.
After this, if something is strange, for example the New York case, go to block the access, no access in this case; or in the case of Berlin, for example, you can request the OTP at the first moment, and at the second moment you can work with passwordless, and for the day-by-day of the user, if it is all set, why not passwordless for the user. This is the idea of the orchestration. We can talk more after the presentation; send me a message and we can talk about this. About workforce identity, I suggest you start your identity management program with three main points here.
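The Lisbon / Berlin / New York decision described above, written out as an added example by the editor (it is not the speaker's code or any vendor's product). The city coordinates, the 900 km/h plausible-travel ceiling and the 100 km "same place" radius are assumptions chosen for the illustration; an orchestration engine would take the previous event from the session store and the current one from the access request.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed coordinates (decimal degrees) for the cities used in the talk.
CITY_COORDS = {
    "Lisbon": (38.7223, -9.1393),
    "Berlin": (52.5200, 13.4050),
    "New York": (40.7128, -74.0060),
}

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly a commercial flight
LOCAL_RADIUS_KM = 100.0          # assumption: inside this radius is "same place"


@dataclass
class AccessEvent:
    """One authenticated access, reduced to what the geolocation check needs."""
    user: str
    city: str
    at: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def decide(previous: AccessEvent, current: AccessEvent) -> str:
    """Orchestration outcome for the current access, given the previous one.

    'passwordless' - same place as last time, keep the day-by-day experience
    'step_up'      - far away but reachable in the elapsed time (Berlin case):
                     ask for the OTP this first time, raise a yellow flag
    'block'        - not reachable in the elapsed time (New York case)
    """
    distance = haversine_km(CITY_COORDS[previous.city], CITY_COORDS[current.city])
    hours = (current.at - previous.at).total_seconds() / 3600.0
    if distance <= LOCAL_RADIUS_KM:
        return "passwordless"
    if hours <= 0 or distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
        return "block"
    return "step_up"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    lisbon = AccessEvent("ana", "Lisbon", t0)
    print(decide(lisbon, AccessEvent("ana", "Berlin", t0 + timedelta(hours=12))))    # step_up
    print(decide(lisbon, AccessEvent("ana", "New York", t0 + timedelta(minutes=30)))) # block
    berlin = AccessEvent("ana", "Berlin", t0 + timedelta(hours=12))
    print(decide(berlin, AccessEvent("ana", "Berlin", t0 + timedelta(days=1))))       # passwordless
```

The third call shows the "second moment" from the talk: once the step-up in Berlin has succeeded, the next login from the same place falls back to the passwordless path without any further rule.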
One is the IdP of your SSO solution, because this covers a lot of applications controlled by SSO. If you have an internal IdP you can connect to it; normally the internal IdP is to control VPN and other kinds of access in a context. And another point to connect is the email system, because it may have a lot of business information, and email can be used to recover an access and may be the first point of attack on your environment. More about workforce identity: we have the externals.
The externals are persons working for some time in your company, and we need to control the start date and end date with the contract of this person. I suggest you link this person with an employee. If you link with an employee, the employee may be in charge of the person, maybe controlling the end date of the contract, and if this employee leaves the company, we can delegate to the line manager of this employee to control this. About partners: partners are more complex, because you can have a partner, and the partner has employees not controlled by you.
I suggest you have a good contract with the partner and delegate the access management of this kind of externals to one or more focal points inside the partner. This is the idea. About cloud entitlements and the related access, I suggest you analyze solutions with a focus on cloud access management, because with acquisitions or with your contracts you probably have a lot of cloud contracts and access, and you can cross-check this. If your company does a lot of acquisitions, I think you may have five to ten cloud contracts in place, and you can control this.
Another point is service accounts: each service account must have a focal point, and the focal point can help as the owner and help with the documentation of the service accounts. Another point is the movers review, where you need to control the movement of users inside the company and validate the access when the HR data of the person changes.
Okay, and to close here, the quarterly access review, where you validate the critical access of the persons. Another point, about monitoring now: monitoring is when you grant the access for the person in Berlin, the person is okay, provides the OTP, it is all set, but you can share a yellow flag with the user behavior tools too in general, and the tools can monitor the person, because it is a bit different from the day-by-day of the user.
And the idea here is to connect the access management tool, with real-time information, to this kind of tools, or use modern solutions like ITDR, and see this kind of behavior through them. Another point for monitoring is the evaluation of user entitlement risks and monitoring. What's the point here? The user has a lot of entitlements with the access, and the entitlement may have a level of risk; for example, an entitlement with access can have more risk than another kind of simple access.
And with this we have a list of critical business users of the company. And these critical business users may be used inside the monitoring tools to have a real view of the high-risk users. This is the main idea here. Another point for monitoring is similar, but with the focus on technical privileged access, and the privileged access management solution may provide a lot of information for the monitoring tools.
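The entitlement-risk evaluation that produces the "critical business users" list, as an added example by the editor (not the speaker's code and not any IGA product's API). The entitlement catalogue, the user assignments, the risk weights (write and export weigh more than read, as the talk describes) and the threshold of 5 are all constructed assumptions; the output is the feed that the monitoring or UEBA tool would consume.

```python
from typing import Dict, List, Tuple

# Constructed entitlement catalogue: entitlement -> (application, risk weight).
# Weights are an assumption: simple read access carries less risk than write,
# export or payment-approval access.
ENTITLEMENTS: Dict[str, Tuple[str, int]] = {
    "erp.read":        ("erp", 1),
    "erp.write":       ("erp", 3),
    "erp.approve_pay": ("erp", 5),
    "crm.read":        ("crm", 1),
    "crm.export":      ("crm", 4),
}

# Constructed user -> entitlement assignments, as an IGA export would give them.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["erp.read", "crm.read"],
    "bob":   ["erp.write", "erp.approve_pay"],
    "carol": ["crm.read", "crm.export", "erp.read"],
}

CRITICAL_THRESHOLD = 5   # assumption: aggregate score at or above this is critical
HIGH_RISK_WEIGHT = 4     # assumption: any single entitlement at/above this is flagged


def score_user(entitlements: List[str]) -> Tuple[int, List[str]]:
    """Aggregate risk score for one user plus the individual high-risk entitlements."""
    total = 0
    high_risk = []
    for name in entitlements:
        _app, weight = ENTITLEMENTS[name]
        total += weight
        if weight >= HIGH_RISK_WEIGHT:
            high_risk.append(name)
    return total, high_risk


def critical_business_users(assignments=ASSIGNMENTS, threshold=CRITICAL_THRESHOLD):
    """Build the list handed to the monitoring tool: (user, score, high-risk entitlements).

    A user is critical when the aggregate score reaches the threshold or when any
    single entitlement is high-risk on its own; the list is ordered by score so the
    monitoring tool can prioritise the highest-risk users first.
    """
    result = []
    for user, entitlements in assignments.items():
        total, high_risk = score_user(entitlements)
        if total >= threshold or high_risk:
            result.append((user, total, high_risk))
    return sorted(result, key=lambda row: -row[1])


if __name__ == "__main__":
    for user, score, high_risk in critical_business_users():
        print(f"{user}: score={score} high_risk={high_risk}")
```

Re-running this after every provisioning change (or on the quarterly access review) keeps the monitoring tool's view of high-risk users aligned with what the identity solution actually granted.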
For example, it may provide the list of privileged users with the related assets and a lot of information about the access, and with this the monitoring tools can map the critical assets with or without the critical privileged users and understand if something is strange with the use of privileged access. This is the idea about monitoring. About actions: monitoring tools can connect with the identity solutions to lock a user and remove the access or start a certification of the user, and can connect with the privileged access management solution.
And it is a similar thing: locking the access of the user with the critical credentials. This is the main idea here. And if you have this automation, you can avoid a complex attack on the company.
Okay, and about the privileged access management solutions, I bring here some important features for you to know. MFA is very important; you need this to control the first access to the solution. You can also include the network access, for example, to authenticate to the solution, and then you limit the assets shown, for example only the Oracle databases for one person, and maybe only the production database or only the development database. This kind of control: you can control commands, for example the user can switch user but can only stop and start one service. This is possible.
Another thing is to integrate the identity solution with the privileged solution to validate the access of the person. For example, I need to have access to the development databases, or not anymore; the owner of this may validate it and send it to the monitoring tools. You can record the session of the people working, but you can correlate this with the commands, and if the person tries a different command or tries to do something beyond the controlled commands, that is a trigger to record the session of that person.
And then you can include scripts and application credentials inside your privileged solution, and the scripts and apps delegate this control to the solution, and you can update the credentials, et cetera. Okay, and that's it. Again, my LinkedIn; we can talk about anything about these topics. This is my personal email, and thank you so much for your time. And that's it. Bye-bye.