Heavily Regulated Industries

Wednesday, 18.04.2012
08:30-09:00 Leveraging Identity to Manage Enterprise Change and Complexity
Jim Taylor, NetIQ

Jim Taylor, Vice President Identity and Security Management at NetIQ, will discuss how identity, identity management and governance serve as the foundation for coping with an ever-changing IT environment, new business models, cloud models and more.

Auditorium
09:00-09:30 Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks

The threat is real and in the news every day: stolen customer information, system downtime caused by denial-of-service attacks, industry espionage, governments involved in something we eventually might need to call cyber warfare, or just any type of cybercrime motivated by money. All this happens every day and is getting worse.

For the financial industry, just recovering from the worldwide financial crisis, cybercrime is creating a new quality of risk, which has to be addressed. Dr. Waldemar Grudzien will describe those risks and propose mitigation strategies.

Auditorium
09:30-10:00 Information Security Governance in Banks: Delivering Actionable Recommendation to Management
Berthold Kerl, Deutsche Bank AG

  • What are the new threats?
  • Are the old threats already under control?
  • Is 100% protection necessary – is it even possible?
  • What do regulators expect?
  • What to do and at what cost?
  • Who decides on remediating actions and how is this done?
  • How could the decision-making process be supported?
  • What is IT’s and what is Business’s role?
  • Identifying the ‘important’ risks and getting rid of them!
Auditorium
10:30-11:30 Cyber Crime
Cyber Crime, Cloud, Social Media... - IS Threats for Banks are Constantly Increasing: What should we be doing?
Berthold Kerl, Deutsche Bank AG

Cyber Crime is the threat we are all facing. The finance industry is high on the target list of attackers, but what this session provides is relevant to all industries. Learn how the situation has changed during the past years. Understand what really is behind the buzzword of APTs (Advanced Persistent Threats). See how to map what happens in Cyber Crime to a standardized risk rating. Look at what to do to mitigate these risks – on the organizational side and technology-wise. Cyber Crime is a big issue these days. However, starting with applying good sense and standard approaches for Risk Management helps to move from uncertainty towards a controlled risk – and that is what you need.

Facing the Online Threats against Retail and Banking Customers - What are the Future Perspectives?
Prof. Dr. Sachar Paulus, KuppingerCole

When looking at the risk surface around online threats against retail and banking customers, the question is: What will we do next to mitigate these risks? Some of the approaches like out-of-band are not always as secure as they should be, especially when they end up as in-band authentication. Others are tied to tools like Flash which aren’t supported on all devices. And there is the question of how to deal with that in the backend. How to best implement a risk- and context-based authentication and authorization? This session will look at the status, what comes up in the solution space and what should come up there.

Auditorium
11:30-12:30 The Future IT Organization
Winds of Change in your IT Organization: Get ready for the Future
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

IT Organizations are on the move. The Cloud requires new skills in procurement, service orchestration and service management. An increasing number of CEOs nowadays aren’t IT veterans anymore but young managers who understand the CIO role as an important career step. And the demand for more Business/IT alignment drives the change of IT organizations as well. In this session, you will learn how to fundamentally restructure your IT, following the KuppingerCole IT Model. This results in an IT organization which is business-driven and focused. This also supports efficiency gains in IT production. It is about an agile organization, ready for the future.

The Future of Identity & Access Management: Embrace, Extend - and don't Replace?
Niels von der Hude, Beta Systems Software
Hassan Maad, Evidian
Mike Neuenschwander, Oracle
Alberto Ocello, Crossideas
Darran Rolls, SailPoint
Jonathan Sander, Quest Software
Jim Taylor, NetIQ

Most organizations have made considerable investments in IAM and Access Governance. But they need much more. They need to integrate, they need to extend what they have done, and they need to leverage developments like geographically dispersed infrastructures, mobile computing and cloud. Thus good solutions should add value to what these organizations have instead of putting most effort into redoing things which cost a lot of money. In this panel, we will discuss strategies for IAM and Access Governance which focus on adding value, enhancing what customers have and filling the gaps they might have, without ending in vendor clashes.

Ammersee 1
14:00-15:00 Cloud Information Security
The Cornerstones of Information Security in the Cloud
Craig Burton, KuppingerCole

Information Security in the Cloud - that's in fact moving towards a location-independent and provider-independent approach for information security. In the days of on-premise only IT (plus maybe an outsourcer), the focus could be on securing the network and the device. In these days where IT services are a mix of on-premise, private and public cloud services - i.e. in days where things become hybrid - we can't rely on network or system security. We don't really know where our data remains and where services are run. The cloud sprawl, with chains of providers like your SaaS provider relying for example on Amazon Web Services, leads to a situation where we have to re-think the approach in Information Security.

The most important cornerstone is to move from system, network, device security towards information-centric security, which we might name "real Information Security". Another one is understanding Information Security as an initiative which isn't focused on technologies first of all, but on understanding risks, contracts and other aspects. Another important cornerstone is, without any doubt, the identity. We have to deal with more identities and with persons using different identities. Identity and Access Management is a key element in Information Security in, for, and with the Cloud.

There are many other aspects. In this session, we will provide our view on the future of Information Security - an approach that works seamlessly for the hybrid world of today and tomorrow, from classical on-premise IT to the public Clouds.

Extending your Identity & Access Management into the Cloud
Gerry Gebel, Axiomatics Americas
Bruce Macdonald, Hitachi ID Systems
Dr. Barbara Mandl, Daimler AG
Prabath Siriwardena, WSO2
Jim Taylor, NetIQ

Identity management across multiple SaaS (software-as-a-service) applications as well as on-premise systems is a challenge for most enterprises. The challenges of identity management in the cloud go well beyond getting authentication, authorization and auditing right. Cross-domain authentication, provisioning, interoperability, multi-tenancy, delegation and security are a few of the challenges to name. The best way to preserve interoperability is to adhere to open standards. Many proprietary standards came a long way, but once a larger audience and interaction with other systems were needed, they became open standards. SAML2 Web SSO, OpenID and OAuth are some popular open standards, widely used across many cloud providers for authenticating users while facilitating identity portability. WS-Trust and WS-Federation cater to the same aspect when dealing with systems. XACML is another open standard, which is considered to be the de-facto standard for authorization. It facilitates fine-grained authorization in a policy-driven manner. Provisioning is also an important aspect of a cloud identity management system. SPML failed to become the de-facto standard for provisioning due to its heavyweight nature and its bias towards SOAP. The latest emerging standard for provisioning is SCIM, which is still in progress at the specification level, but looks promising.

Alpsee
15:00-16:00 Privileged Access
PCI-DSS, SOX, Basel: How to Manage Privileged Access and Pass the Audit
Sharon Farber, CA Technologies
Fulup Ar Foll, KuppingerCole
Jochen Koehler, Cyber-Ark

Privileged accounts like root, sysadmin or Oracle system, are necessary to run and manage databases, middleware and operating systems. These accounts are the most powerful within an organisation as they allow access to any type of business and in most cases ‘critical’ information. So if somebody wanted to severely damage your business, attacks targeting these privileged accounts would be the way to do it.

This leads us to the question: Would you at least find out if a privileged account is being misused? In other words: Do you actually know who is using such accounts and whether this usage is necessary and allowed? If this is a question you are asking yourself from time to time - the auditor would dive much deeper and also ask, ‘Exactly what was done during a certain session?’ Considering that, according to the Ponemon Institute 2012 Cybercrime Survey, 62% of respondents reported malicious insider breaches, we can assume that the auditor’s questions are reasonable and it would be good to have an answer.

In this panel discussion, we will look into the reliability of currently available solutions and talk about the different approaches to reach compliance with PCI-DSS, SOX, Basel and comparable regulations.

Ammersee 1
17:00-18:00 One IT, One IAM
Why you should not believe in Cloud-only Solutions
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

Years ago, when the cloud became popular, KuppingerCole published a Cloud Roadmap with a simple target: One IT, not a separation of Cloud IT and On-Premise IT. However, there are still many offerings which are cloud-only, even while it is obvious that the reality for most organizations will remain hybrid. That’s true for many areas of IT, including IAM. There are also offerings for that. But is there really a value in solutions which only support the cloud? When do you need them, if at all? Which integration should cloud-based IAM solutions provide? And what might your future look like if you focus on the One IT/One IAM approach but still have to rely on cloud-based solutions, for example for an easier integration of external users like your customers and for using different types of SaaS? That’s what you’ll learn in this session.

Cloud Identity Services - Models and Challenges
Martin Kuppinger, KuppingerCole
Andy Thurai, Intel

As the software-as-a-service (SaaS) market explodes, more and more organizations struggle to gain control over their users’ identities in the cloud. Some are also exploring outsourcing their identity and access management (IAM) functions to the cloud.

There are three architectural models for implementing cloud identity services:

  • In the cloud – identity and access management as an on-demand service
  • To the cloud – IAM from an on-premise platform
  • Hybrid – a model that includes elements of both on-demand and on-premise solutions.

In this session, we will discuss the key architectural, platform, integration, security, scalability and reliability issues which organizations seeking to adopt cloud-based identity need to consider, including the increasingly significant role that Cloud Identity Broker/Cloud Security Broker technology is playing. The discussion will also assess current and evolving technology and industry standards available for managing SaaS account provisioning/de-provisioning, single sign-on, strong authentication, and other identity operations.

Objective:

When you finish this session, you will have a framework for analyzing the state of today’s technology options and selecting the most appropriate architectural platform to meet your business’s identity requirements in the cloud.

Alpsee
18:00-18:20 How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API
André Durand, Ping Identity

Cloud computing and the increasingly mobile workforce are causing enterprises to rethink established IT security norms in new, revolutionary ways. Companies are seeing that latent data and internal resources can be exposed as new cloud APIs that scale as demand increases. This use of the cloud allows organizations to address the need for mobility and Internet-scale consumption. This sea change to service-driven architecture is resulting in novel ways that data and processes are accessed and monetized, one that cannot be ignored or avoided. Cloud APIs are a disruptive technology that will transform how IT delivers value and are a natural follow-on to SOA, Web 2.0, and early uses of cloud computing. Understanding the central role that identity plays in forming the new perimeter around these APIs is critical.

In his keynote, André Durand, CEO of Ping Identity, will provide insights and examples of how innovative customers of his are leading the way in this Cloud API revolution.

Auditorium
18:20-18:40 Top Challenges and Threats Security Managers Should Watch Out For
Prof. Dr. Eberhard von Faber, T-Systems
Auditorium
18:40-19:00 How to build a Secure and Open Cloud
Stephan Bohnengel, VMware

See how to build a complete cloud, starting small and secure in your own datacenter and how you can leverage new security approaches to build even a hybrid cloud without compromising compliance and IT-control.

Auditorium

Thursday, 19.04.2012
08:30-09:00 How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH

Identity and access management has evolved from the needs of large organizations and internationally operating enterprises. Automated user and entitlement management enabled IT organizations to reduce costs and increase efficiency.

Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk taking of the business owners. Identity and access governance with comprehensive analysis and reporting functionalities ensure transparency of rights, roles and entitlements.

Customers demand modular and service-oriented offerings managing identity and access for on-premise environments and cloud infrastructures.

Enterprise customers and service providers benefit from perimeter-less security services like cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will present a look at existing and future scenarios.

Auditorium
09:00-09:30 The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt

Internet applications become more and more personal, which raises major privacy problems. One example is the quest for more and more identification for the use of Internet resources such as social networks or participation platforms. Anonymous access can address the privacy issues, but in many applications some reputation management is needed. The question is then who can assure which claims, properties or attributes, and which information is given to the relying party to enable the assurance.

Classical trustworthy credentials normally do not respect privacy. They often reveal the identity of the holder even though the respective application often needs much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials allow a holder to reveal just the minimal information required by the application, without giving away a full identity. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-preserving digital society.

However, the main existing implementations of ABCs, U-Prove and Idemix, are not really compatible, which makes interoperation and interchangeability difficult. Consequently, concerns about lock-in can hinder the uptake of ABC technologies.

This presentation will give an introduction to ABC4Trust (https://abc4trust.eu), a European Union funded Integrated Project to achieve the federation and interchangeability of ABC technologies. Its objectives are:

(1) a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms

(2) open reference implementations of selected ABC systems and

(3) actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members.

The first pilot application at a Swedish school will involve pseudonymous community access and social networking for school students (pupils). The second pilot application at Patras University (Greece) will involve polling, especially anonymous collection of feedback from authorized students about the courses they took and the respective lecturers.

Auditorium
09:30-10:00 Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum

The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.

Auditorium
10:30-11:30 Maturing GRC
How to Mature GRC Processes Before you Buy a GRC Tool
Berthold Kerl, Deutsche Bank AG
Prof. Dr. Sachar Paulus, KuppingerCole

GRC projects quickly tend to struggle once it becomes obvious that there is a lack of clearly defined processes and responsibilities. Unfortunately, that still happens in a large number of these projects. The session will focus on what you need to define beforehand without ending up in endless organizational projects. It is about the balance between moving forward quickly (and moving in the right direction) without failing to build the organizational foundation for a successful GRC implementation.

Best Practice: IAM in a Complex and Security-Driven Environment
Alexander Kuehnemann, T-Systems International GmbH

T-Systems standardizes Identity and Account Management processes and thereby reduces costs. With this motto, T-Systems has established secure and optimum process handling by means of a new and integrated Identity and Access Management solution. This slot will show the background and success of the project.

T-Systems employees now have the option of requesting access to applications online via a Web front-end in a user management tool based on syscovery Savvy Suite. The introduced standard software structures the internal request process transparently and thereby helps to maintain Security and IT-Compliance requirements in Identity and Access Management and to reduce costs.

T-Systems was posed with the challenge of finding a uniform solution for the wide-ranging request and management processes for access to applications. In a company of this magnitude, distribution of applications is naturally very complex. With the launch of new security guidelines, a new solution was sought that would not only guarantee data protection and SOX-compliant ordering processes, but also standardize the entire process landscape for access to applications, present expenses according to cost centers, and help make license costs for access to applications transparent.

Today, optimized and automated request processes help to cope with the increasing effort and expenses. Approval applications no longer have to be processed by hand, but get to the authorizing agency responsible for them by means of an automated workflow. After corresponding testing and approval, further processing happens automatically. The orderer can trace the status in the approval process at all times. The users' satisfaction with the now fast and transparent ordering process increased significantly.

The new solution makes application ordering processes transparent, accelerates their handling, and makes them traceable for the long-term. An employee in need of access to an application can order it in a personalized catalog via the corporate Intranet. Then an automated approval process begins, which is geared towards the stored hierarchical, organizational, and approval structures of T-Systems.

The application to be managed is captured and assigned to a cost center even as it is being provided. The integrated reporting solution informs decision-makers about the respective order processes, but also about the applications being used.

The new solution fulfills SOX/BilMoG and data security requirements. Only authorized data owners can grant concretely described access rights. Each employee has to clearly identify him or herself to the authorization system to make use of his or her rights. The assignment of authorizations is checked regularly and ensures that only authorized persons have the corresponding access rights. Unauthorized or inactive users will have their existing rights revoked. If applications are no longer used or employees have left the company, the associated access used to have to be deleted manually. Now this happens automatically.

The needs-based assignment of accounts reduces the total demand and thereby the costs. During the initial load of applications and their accesses, several thousand accesses could already be deleted. Depending on the applications, reductions of up to 63% were possible. Regular inventory audits also provide cost savings in the ongoing process.

Currently, employees of T-Systems can order authorization for up to 77 applications. In the process, a total of more than 350,000 accounts are set up. More than 5000 business managers and 50 so-called specialist approvers can check and approve these access authorizations in the workflow. On average, this means more than 400 business transactions per week.

Galerie
14:00-15:00 Access Intelligence
Beyond the Pioneer Approaches - The next Level in Access Governance and Risk
Niels von der Hude, Beta Systems Software
Kurt Johnson, Courion Corporation
Alberto Ocello, Crossideas
Prof. Dr. Sachar Paulus, KuppingerCole
Darran Rolls, SailPoint
Rudolf Wildgruber, Atos IT Solutions and Services GmbH

Access Governance right now is a well-established technology, playing a central role in many Identity and Access Management environments. But despite its increased use, it is still an emerging market, with a lot of innovation. There are five major trends in the market:

  • adding provisioning technology or improving interfaces to provisioning systems and Enterprise Service Bus systems for connectivity to target systems
  • improved analytical capabilities, using advanced business intelligence technology to go beyond traditional and limited reporting
  • real-time capabilities allowing not only scheduled re-certifications but also analysis of real-time access
  • cloud features
  • business focus, evaluating risks and mapping access issues to business controls for quick and focused answers to the questions of the business people

In this session, Prof. Dr. Sachar Paulus of KuppingerCole will first give a quick overview of the trends in the Access Governance market, leading to real-time, cloud-ready Access Governance and Intelligence. Following Sachar’s introduction there will be a panel discussion between Access Governance vendors and technology users.

Galerie
15:00-16:00 Access & Entitlements
Best Practice: Telecom Italia
Giovanni Ciminari, Telecom Italia

In order to comply with internal and external regulatory requirements, Telecom Italia has built a "Traceability & Secure Logging Framework."

During this session we will cover this framework as a basis for a ‘best practice’ approach on how to implement a good Identity and Access solution.

Access & Entitlements - More than just Role Management
Gerry Gebel, Axiomatics Americas
Martin Kuppinger, KuppingerCole
Marco Venuti, CrossIdeas

Access Management is a hot topic. It is about controlling who has access to what or, in other terms, who is entitled. Entitlements are what we need to manage. A common approach to that is Role Management. Role Management is established, and there is a lot of experience with it. However, this experience has led to two important lessons:
1) You need more than roles - you need to understand competencies, context, and the business processes.
2) Role Management approaches are typically too coarse-grained for complete access management down to the system level. The result is that the high-level management is done by roles. The lowest level of this role model (which typically is 2- or 3-tiered) is then mapped to the highest level within the different systems: SAP roles, Active Directory groups or whatever else.
A better Access Management, really and fully managing the entitlements, needs to go beyond roles and beyond a static assignment of entitlements. It is about moving forward to a Dynamic Authorization Management that integrates with what you have. That is a longer journey, but you should start now. The session will provide best practices, experiences and advice on how to move forward to real entitlement management.

Ammersee 1
17:30-18:00 Closing Keynote
Dave Kearns, KuppingerCole
Prof. Dr. Sachar Paulus, KuppingerCole
Auditorium

© 2013 KuppingerCole