Information Security Leadership
| Wednesday, 18.04.2012 |
| 08:30-09:00 |
Leveraging Identity to Manage Enterprise Change and Complexity
Jim Taylor, NetIQ
Jim Taylor, Vice President Identity and Security Management at NetIQ, will discuss how identity, identity management and governance serve as the foundation for coping with an ever-changing IT environment, new business models, cloud models and more.
|
Auditorium |
| 09:00-09:30 |
Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks
The threat is real and in the news every day: stolen customer information, system downtime caused by denial-of-service attacks, industrial espionage, governments involved in something we may eventually need to call cyber warfare, or simply any type of cybercrime motivated by money. All of this happens every day and is getting worse.
For the financial industry, just recovering from the worldwide financial crisis, cybercrime is creating a new quality of risk which has to be addressed. Dr. Waldemar Grudzien will describe those risks and propose mitigation strategies.
|
Auditorium |
| 09:30-10:00 |
Information Security Governance in Banks: Delivering Actionable Recommendation to Management
Berthold Kerl, Deutsche Bank AG
- What are the new threats?
- Are the old threats already under control?
- Is 100% protection necessary – is it even possible?
- What do regulators expect?
- What to do and at what cost?
- Who decides on remediating actions and how is this done?
- How can the decision-making process be supported?
- What is IT’s and what is Business’s role?
- Identifying the ‘important’ risks and getting rid of them!
|
Auditorium |
| 10:30-11:30 |
The Business Value of IT
Increase Value to the Business: The KuppingerCole IT Model
Martin Kuppinger, KuppingerCole
KuppingerCole has recently unveiled its view of IT: the KuppingerCole IT Model. The model focuses on fulfilling business needs: providing the services the business really needs, and ensuring that corporate information is adequately protected. Based on these targets, the model segments IT into three layers and allows virtually anything to be mapped onto them. It supports increasing the agility of IT in quickly fulfilling business service requests. It explains how to build both the IT infrastructure and the governance framework. It answers how best to deal with the hybrid environments organizations have today, which mix different cloud environments with existing on-premise IT, and thus provides the logical basis for strategic use of the cloud as well as the cornerstones for building efficient on-premise environments. The model is a lean concept on which you can base a future-proof, business-driven IT.
How IAM can Catalyze the Secure Enterprise
Craig Burton, KuppingerCole
Gerry Gebel, Axiomatics Americas
Martin Kuppinger, KuppingerCole
Mike Neuenschwander, Oracle
IAM (Identity & Access Management) is one of the cornerstones of information security. Thinking in terms of identities, and putting the security of information and the access to it at the center of attention, is the foundation for improving information security. Moving away from device-centric and network-centric security towards information-centric security makes it possible to better understand information risks and the actions required to mitigate them, and so to better secure the enterprise. In this panel, leading industry experts, all with an analyst background, and KuppingerCole analysts discuss the role IAM plays for information security and the future of IT security in general.
|
Ammersee 1 |
| 11:30-12:30 |
The Future IT Organization
Winds of Change in your IT Organization: Get ready for the Future
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole
IT organizations are on the move. The cloud requires new skills in procurement, service orchestration and service management. An increasing number of CIOs are no longer IT veterans but younger managers who see the CIO role as an important career step. The demand for more business/IT alignment drives the change of IT organizations as well. In this session you will learn how to fundamentally restructure your IT following the KuppingerCole IT Model. The result is an IT organization that is business-driven and focused, which also supports efficiency gains in IT production: an agile organization, ready for the future.
The Future of Identity & Access Management: Embrace, Extend - and don't Replace?
Niels von der Hude, Beta Systems Software
Hassan Maad, Evidian
Mike Neuenschwander, Oracle
Alberto Ocello, Crossideas
Darran Rolls, SailPoint
Jonathan Sander, Quest Software
Jim Taylor, NetIQ
Most organizations have already invested considerably in IAM and Access Governance, but they need much more: they need to integrate and extend what they have built, and they need to take advantage of developments such as geographically dispersed infrastructures, mobile computing and the cloud. Good solutions should therefore add value to what these organizations already have, rather than putting most of the effort into redoing things that cost a lot of money. In this panel we discuss strategies for IAM and Access Governance that focus on adding value, enhancing what customers have and filling the gaps they might have, without ending in vendor clashes.
|
Ammersee 1 |
| 14:00-15:00 |
Identity Federation
Identity Federation Challenges and how to approach them
Thomas Gundel, IT Crew
Travis Spencer, Ping Identity
Colin Wallis, New Zealand Government
At a time when the term "federation" is slipped into conversation as if it were a straightforward, hassle-free process, a multitude of technical challenges lurk beneath it. Chief amongst these are the "session state" issues of single logout (SLO) and idle time-out: the identity provider and each service provider keep their own session with their own timeout, and logout at one party has to be propagated to all the others. This panel session will unpick the problem and touch on the various approaches being used to solve it, manage it, or avoid it.
Best Practice in Out-sourced Federation: WAYF
David Simonsen, WAYF
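The federation panel above names the session-state problem without showing it. The following Python model, added here as an illustration and not part of the EIC agenda or of any vendor's product, simulates one identity provider (IdP) and two service providers (SPs) that each keep their own session with their own idle timeout (the timeout values are assumed), plus a best-effort SAML-style single logout. It shows a service provider session outliving the IdP session because the timeouts are not coordinated, and an SLO that cannot confirm termination at a service provider whose logout endpoint is unreachable.

```python
"""Toy model of federated session state (added illustration, not EIC/vendor code).
An IdP and several SPs each keep their own session with their own idle timeout;
SLO is best-effort: the IdP ends its session and then tries to notify each SP."""


class Session:
    def __init__(self, idle_timeout, now):
        self.idle_timeout = idle_timeout   # seconds of inactivity before expiry
        self.last_activity = now
        self.terminated = False

    def is_active(self, now):
        return not self.terminated and (now - self.last_activity) < self.idle_timeout

    def touch(self, now):
        """Extend the session on activity; returns False if it had already expired."""
        if not self.is_active(now):
            return False
        self.last_activity = now
        return True


class ServiceProvider:
    def __init__(self, name, idle_timeout, reachable=True):
        self.name = name
        self.idle_timeout = idle_timeout
        self.reachable = reachable         # simulates an SP whose SLO endpoint is down
        self.sessions = {}                 # user -> Session

    def login(self, user, now):
        self.sessions[user] = Session(self.idle_timeout, now)

    def logout(self, user):
        if not self.reachable:
            raise ConnectionError(f"{self.name}: SLO endpoint unreachable")
        if user in self.sessions:
            self.sessions[user].terminated = True


class IdentityProvider:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.sessions = {}
        self.sps = []

    def register(self, sp):
        self.sps.append(sp)

    def sso(self, user, sp, now):
        """SSO to an SP: reuse the IdP session if still active, else re-authenticate."""
        s = self.sessions.get(user)
        if s is None or not s.touch(now):
            self.sessions[user] = Session(self.idle_timeout, now)
        sp.login(user, now)

    def single_logout(self, user):
        """Terminate the IdP session and notify every SP that has one for this user.
        Returns (terminated_at, failed_at) SP names; SLO cannot be confirmed for failed_at."""
        if user in self.sessions:
            self.sessions[user].terminated = True
        done, failed = [], []
        for sp in self.sps:
            if user not in sp.sessions:
                continue
            try:
                sp.logout(user)
                done.append(sp.name)
            except ConnectionError:
                failed.append(sp.name)
        return done, failed


def demo():
    """Timeouts are assumed values: IdP 10 min, mail SP 60 min, HR SP 15 min."""
    idp = IdentityProvider(idle_timeout=600)
    mail = ServiceProvider("mail", idle_timeout=3600)
    hr = ServiceProvider("hr", idle_timeout=900, reachable=False)
    idp.register(mail)
    idp.register(hr)
    idp.sso("alice", mail, now=0)
    idp.sso("alice", hr, now=60)
    t = 1200   # 20 minutes after the last IdP interaction
    state = {
        "idp": idp.sessions["alice"].is_active(t),
        "mail": mail.sessions["alice"].is_active(t),   # SP session outlives the IdP session
        "hr": hr.sessions["alice"].is_active(t),
    }
    done, failed = idp.single_logout("alice")
    return state, done, failed
```

`demo()` returns the session state at 20 minutes (IdP expired, mail SP still active) together with the SLO outcome (`["mail"]` terminated, `["hr"]` unconfirmed). The practical consequence is the one the panel is about: neither side can treat "the IdP session is gone" as "the user is logged out everywhere", and an SLO response must report partial failure rather than success.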
|
Ammersee 1 |
| 15:00-16:00 |
Privileged Access
PCI-DSS, SOX, Basel: How to Manage Privileged Access and Pass the Audit
Sharon Farber, CA Technologies
Fulup Ar Foll, KuppingerCole
Jochen Koehler, Cyber-Ark
Privileged accounts such as root, sysadmin or the Oracle SYSTEM account are necessary to run and manage databases, middleware and operating systems. These accounts are the most powerful within an organisation: they allow access to any type of business information, in most cases including 'critical' information. So if somebody wanted to severely damage your business, attacks targeting these privileged accounts would be the way to do it.
This leads to the question: would you at least find out if a privileged account were being misused? In other words: do you actually know who is using such accounts, and whether this usage is necessary and allowed? If this is a question you ask yourself from time to time, an auditor would dive much deeper and also ask, 'Exactly what was done during a given session?' Considering that, according to the Ponemon Institute 2012 Cybercrime Survey, 62% of respondents reported malicious insider breaches, we can assume that the auditor's questions are reasonable and that it would be good to have an answer.
In this panel discussion we look at the reliability of currently available solutions and discuss the different approaches to reaching compliance with PCI-DSS, SOX, Basel and comparable regulations.
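The two questions in the abstract above, who is using a privileged account and what was done with it, can be answered only if the logs tie each use to a named person. The following Python snippet, added here as an illustration and not code from the panelists or any product, runs that attribution over a handful of constructed auth-log lines in the style of OpenSSH, su and sudo syslog output. The set of privileged accounts and the internal network range are assumptions; the point is that a direct login to a shared account is unattributable, an `su` is attributable but leaves no command record, and only `sudo` answers the auditor's "what was done" question.

```python
"""Attribution of privileged-account use from auth-log lines (added illustration).
Sample lines are constructed in the style of OpenSSH, su and sudo syslog output."""
import ipaddress
import re

# Assumptions for this example: which accounts count as privileged, which networks are internal.
PRIVILEGED = {"root", "sysadmin", "oracle"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port")
SU_RE = re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

SAMPLE_LOG = [  # constructed sample, not real data
    "Apr 18 09:12:01 db01 sshd[2211]: Accepted publickey for root from 10.0.5.17 port 51022 ssh2",
    "Apr 18 09:15:44 db01 su[2290]: (to oracle) bob on pts/1",
    "Apr 18 09:16:02 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql",
    "Apr 18 09:20:10 db01 sshd[2300]: Accepted password for sysadmin from 203.0.113.9 port 40110 ssh2",
    "Apr 18 09:21:00 db01 sshd[2311]: Accepted publickey for carol from 10.0.5.20 port 51100 ssh2",
]


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyse(line):
    """Classify one line; returns a finding for privileged-account use, else None.
    'actor' is the named human the use can be attributed to (None = unattributable)."""
    m = SSH_RE.search(line)
    if m:
        if m["user"] not in PRIVILEGED:
            return None
        # Direct login to a shared account: nobody is named. Worse over password or from outside.
        sev = "high" if m["method"] == "password" or not is_internal(m["ip"]) else "medium"
        return {"kind": "direct_login", "account": m["user"], "actor": None,
                "severity": sev, "detail": f"{m['method']} from {m['ip']}"}
    m = SU_RE.search(line)
    if m and m["target"] in PRIVILEGED:
        # Attributable, but the resulting shell leaves no record of the commands run.
        return {"kind": "su", "account": m["target"], "actor": m["user"],
                "severity": "low", "detail": f"interactive shell on {m['tty']}, commands not recorded"}
    m = SUDO_RE.search(line)
    if m and m["target"] in PRIVILEGED:
        # Attributable and the command itself is logged: this answers the auditor's question.
        return {"kind": "sudo", "account": m["target"], "actor": m["user"],
                "severity": "info", "detail": m["cmd"].strip()}
    return None


def analyse_log(lines):
    return [f for f in map(analyse, lines) if f is not None]


def unattributed(findings):
    """Findings where no named person can be tied to the privileged account."""
    return [f for f in findings if f["actor"] is None]
```

On the sample, `unattributed(analyse_log(SAMPLE_LOG))` yields the two direct logins (root and sysadmin); those are the events a session-recording or privileged-access solution has to eliminate or wrap before the audit question "who, and what exactly" can be answered.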
|
Ammersee 1 |
| 17:00-18:00 |
Directories
Single Point of Access: The IAM Strategy at Teleflex
Nick Sabinske, Teleflex
Working across six continents, Teleflex provides medical devices used in critical care and surgery across the globe. Their products help protect patients from infections and enable surgeons to perform safer, less invasive procedures, ranging from vascular access to anesthesia and airway management, among many others.
Teleflex Incorporated (www.teleflex.com) has a core identity management strategy: one point of access. What began as a temporary fix to decommission the company's Sun LDAP directory became Teleflex's use of a virtual directory. The virtual directory allowed the company to link all of its separate directory information into one enterprise directory. Using directory virtualization, Teleflex was able to eliminate custom scripting, serving employee data from SQL databases to the receiving applications without scheduling synchronization tasks.
The enterprise directory has now become a significant part of Teleflex's identity management strategy: it eases the integration of acquisitions, eliminates custom scripting to obtain employee data from Teleflex's HR Vista system, and unifies and simplifies both application access and the end-user experience.
One Identity Service, Many Initiatives: Exploring Use Cases for Identity Virtualization
Fulup Ar Foll, KuppingerCole
Nick Sabinske, Teleflex
Ulrich Schulz, Radiant Logic
Modern identity infrastructures are a tangled web of identity sources, protocols and various security mechanisms. This panel discussion focuses on the challenges of unifying a disparate identity infrastructure for identity management and federation initiatives. The panel will explore how an identity service, enabled by virtualization, can be used to tackle many kinds of identity management challenges and to facilitate the addition of new identity stores and populations. Nick Sabinske's experience at Teleflex will serve as a catalyst for the discussion, Ulrich Schulz of Radiant Logic will extend it with other real-life deployments, and Fulup Ar Foll of KuppingerCole will provide an objective, third-party view of the industry.
Some of the points to discuss:
- Integrating identities stored in Active Directory with the rest of the identity infrastructure, including multiple directories, databases, and web-based applications
- Why a single access point is an essential starting point for many identity management and federation initiatives
- When to choose an on-premise identity management solution compared to a hosted solution
- Achieving single sign on across disparate identity sources and federated systems
- Improving user experience by minimizing credentials and providing uniformity
|
Ammersee 1 |
| 18:00-18:20 |
How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API
André Durand, Ping Identity
Cloud computing and the increasingly mobile workforce are causing enterprises to rethink established IT security norms in new, revolutionary ways. Companies are seeing that latent data and internal resources can be exposed as new cloud APIs that scale as demand increases. This use of the cloud allows organizations to address the need for mobility and Internet-scale consumption. The sea change towards service-driven architecture is producing novel ways in which data and processes are accessed and monetized, and it cannot be ignored or avoided. Cloud APIs are a disruptive technology that will transform how IT delivers value and are a natural follow-on to SOA, Web 2.0 and early uses of cloud computing. Understanding the central role that identity plays in forming the new perimeter around these APIs is critical.
In his keynote, Andre Durand, CEO of Ping Identity, will provide insights and examples of how innovative customers of his are leading the way in this Cloud API revolution.
|
Auditorium |
| 18:20-18:40 |
Top Challenges and Threats Security Managers Should Watch Out For
Prof. Dr. Eberhard von Faber, T-Systems
|
Auditorium |
| 18:40-19:00 |
How to build a Secure and Open Cloud
Stephan Bohnengel, VMware
See how to build a complete cloud, starting small and secure in your own datacenter, and how you can leverage new security approaches to build even a hybrid cloud without compromising compliance and IT control.
|
Auditorium |
| Thursday, 19.04.2012 |
| 08:30-09:00 |
How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH
Identity and access management evolved from the needs of large organizations and internationally operating enterprises. Automated user and entitlement management enabled IT organizations to reduce costs and increase efficiency.
Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk-taking of the business owners. Identity and access governance with comprehensive analysis and reporting functions ensures transparency of rights, roles and entitlements.
Customers demand modular and service-oriented offerings that manage identity and access for on-premise environments and cloud infrastructures alike.
Enterprise customers and service providers benefit from perimeter-less security services such as cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will present a look at existing and future scenarios.
|
Auditorium |
| 09:00-09:30 |
The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt
Internet applications are becoming more and more personal, which raises major privacy problems. One example is the demand for more and more identification for the use of Internet resources such as social networks or participation platforms. Anonymous access can address the privacy issues, but in many applications some reputation management is needed. The question is then who can assure which claims, properties or attributes, and which information is given to the relying party to enable that assurance.
Classical trustworthy credentials normally do not respect privacy. They often reveal the identity of the holder even though the respective application often needs only much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials allow a holder to reveal just the minimal information required by the application, without giving away a full identity. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-preserving digital society.
However, the main existing implementations of ABCs, U-Prove and Idemix, are not really compatible, which makes interoperation and interchangeability difficult. Consequently, concerns about lock-in can hinder the uptake of ABC technologies.
This presentation will give an introduction to ABC4Trust (https://abc4trust.eu), a European Union funded Integrated Project to achieve the federation and interchangeability of ABC technologies. Its objectives are:
(1) a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms
(2) open reference implementations of selected ABC systems and
(3) actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members.
The first pilot application, at a Swedish school, will involve pseudonymous community access and social networking for school students (pupils). The second pilot application, at Patras University (Greece), will involve polling, in particular the anonymous collection of feedback from authorized students about the courses they took and the respective lecturers.
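The abstract above describes the minimal-disclosure property of ABCs ("only confirmation that the holder is a teenager") and the pilots that rely on it. The following Python example, added here as an illustration and not code from ABC4Trust, U-Prove or Idemix, shows the simplest construction with that property using only the standard library: the issuer commits to each attribute separately with a salted hash, signs only the list of commitments, and the holder opens just the commitments it chooses to disclose. The issuer's signature scheme is stood in for by a Lamport one-time signature so that nothing outside the standard library is needed, and the "teenager" predicate is handled by having the issuer certify a derived attribute. The attribute names and sample values are constructed. Two caveats: every presentation carries the same commitment list and signature, so presentations from one credential are linkable, and the predicate has to be fixed at issuance; the zero-knowledge proofs in U-Prove and Idemix remove both limitations, which is exactly what makes them harder to make interoperable.

```python
"""Minimal-disclosure credential (added illustration, not ABC4Trust/U-Prove/Idemix code).
Each attribute is committed to separately (salted hash); the issuer signs only the list of
commitments; the holder opens just the commitments it chooses to disclose. The issuer's
signature scheme is stood in for by a Lamport one-time signature so that the example
needs only the standard library."""
import hashlib
import json
import os


def H(*parts):
    """SHA-256 over length-prefixed parts (prefixing avoids ambiguity between fields)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


# ---- Lamport one-time signature (stand-in for the issuer's real signature scheme) ----
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg):
    d = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


# ---- Issuer ----
def issue(sk, attributes):
    """Commit to every attribute with its own salt; sign the sorted commitment list.
    Sorting hides the original attribute order from the verifier."""
    salts = {k: os.urandom(16) for k in attributes}
    commitments = sorted(H(salts[k], k.encode(), str(v).encode()).hex() for k, v in attributes.items())
    signature = lamport_sign(sk, json.dumps(commitments).encode())
    return {"commitments": commitments, "signature": signature}, salts


# ---- Holder ----
def present(credential, attributes, salts, disclose):
    """Reveal only the named attributes (value + salt); the rest stay hidden behind their hashes."""
    return {"commitments": credential["commitments"], "signature": credential["signature"],
            "disclosed": {k: (attributes[k], salts[k].hex()) for k in disclose}}


# ---- Verifier ----
def verify(pk, presentation):
    """Return the disclosed attributes if the issuer signature and every opened commitment check out, else None."""
    if not lamport_verify(pk, json.dumps(presentation["commitments"]).encode(), presentation["signature"]):
        return None
    accepted = {}
    for k, (v, salt_hex) in presentation["disclosed"].items():
        if H(bytes.fromhex(salt_hex), k.encode(), str(v).encode()).hex() not in presentation["commitments"]:
            return None
        accepted[k] = v
    return accepted


def demo():
    """Issuer knows the birth date; it also certifies the derived fact the application needs."""
    sk, pk = lamport_keygen()
    attributes = {"name": "Eva Example", "birthdate": "1997-06-01", "is_teenager": True,
                  "school": "Example Gymnasium"}   # constructed sample data
    credential, salts = issue(sk, attributes)
    presentation = present(credential, attributes, salts, disclose=["is_teenager"])
    return verify(pk, presentation)
```

`demo()` returns `{"is_teenager": True}`: the verifier learns that one certified fact and nothing else, and any attempt to open a commitment to a different value, or to present under a key the verifier does not trust, is rejected.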
|
Auditorium |
| 09:30-10:00 |
Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum
The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.
|
Auditorium |
| 10:30-11:30 |
Intention Economy
VRM and the Intention Economy: Now What?
Craig Burton, KuppingerCole
Scott David, K&L Gates LLP
Marcel van Galen, Qiy Foundation
Drummond Reed, Connect.Me
Doc Searls, Berkman Center for Internet and Society at Harvard University
Phil Windley, Kynetx
Doc Searls' vision of VRM just rings true. The common reaction is "Of course that's how things ought to work!" Now with his new book out—The Intention Economy: When Customers Take Charge—the vision is even stronger and clearer.
How do we build the intention economy? What infrastructure will undergird it? How will our understanding of identity, privacy, and rights change to support it?
This session will explore the infrastructure for the intention economy and the role of identity in that infrastructure.
|
Auditorium |
| 11:30-12:30 |
Best Practice
Identity & Access Governance (IAG): Building the Business Case & Implementation
Jethro Cornelissen, Rabobank International
Many companies are making IAG projects a high priority because of the business benefits the governance-based approach delivers. In this session, Rabobank International's Global Head of Security Operations, Jethro Cornelissen, presents an IAG case study and discusses best practices for demonstrating business value in each phase of an IAG implementation.
Deployment of a Role Based Access Identity Management System in a University Hospital
Pierre François Regamey, CHUV Centre Hospitalier Universitaire Vaudois
François-Pierre Regamey, CIO of CHUV, a large Swiss university hospital, will describe how Identity Management takes a central part in CHUV's strategic drive toward digital healthcare.
The presentation will cover the strategic and practical aspects of Identity management deployment in a hospital. It will present the lessons learned, main recommendations and key success factors.
CHUV's strategic plan calls for strong development and integration of the hospital's health information through the deployment of a hospital-wide electronic patient record. Health personnel, including 1,400 MDs, must access 200 applications from CHUV's 8,000 workstations. The growing role of IT in the quality of care creates confidentiality risks; efficient identity management is therefore mandatory to strike a balance between security and ease of access.
The project required a technical implementation, but also a streamlining of the hospital's authorization procedures. An important aspect was an inventory and redefinition of stakeholders, roles, authorization rules and procedures. As a guideline, identity management must target the simplicity and speed of the hospital's most common and critical processes, such as patient arrival, temporary health practitioner authorization and personnel moves.
Based in Lausanne, Centre Hospitalier Universitaire Vaudois (CHUV) is one of Switzerland's largest university hospitals, with over 1,400 beds, 10,300 employees and 4,000 external consultants.
|
Ammersee 1 |
| 14:00-16:00 |
Mobile Privacy and Security
Privacy in the age of BYOD and Enterprise Mobility
Alexei Balaganski, KuppingerCole
BYOD, or Bring Your Own Device, is a trend in which corporate IT may no longer control which devices employees use to connect to corporate applications. In this new environment, employees use iPads and smartphones for work and expect to use enterprise applications anytime and anywhere. This presents significant challenges, including the fact that such devices may not interface directly with corporate identity management systems. In this track we examine the implications of BYOD for the enterprise. What challenges do firms encounter when trying to use products like CA SiteMinder and Oracle Access Manager to secure mobile access? Are current policies and authentication schemes suitable? How promising are opportunities such as location-based authentication and the mobile device as a means of authentication? Users now come from multiple clients: can these policies and authentication schemes properly handle the different combinations of user identity, client identity and trust scenarios?
Mobile Data Security and Privacy
Eric Fulton, Lake Missoula Group
Physical security of mobile devices is poor. It is good practice to enforce stronger data security and privacy policies for data bound for mobile clients, and to have mandatory remote-wipe functionality. How can you implement tiered data security and privacy policies that are mobile-aware? For example, when a REST API is called by a web app from an internal IP, enforce minimum restrictions, whereas if the caller is an iPhone application, enforce maximum restrictions.
Securing the Mobile API Ecosystem
Axel Grosse, Vordel
Many organisations are deploying APIs, using REST and JSON, so that mobile application developers can build apps on top of their services. In this way an organisation can quickly create an ecosystem of developers creating apps for its services. But how can these APIs be secured, and how is their usage controlled? This session focuses on API management in the age of mobile.
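The tiered, mobile-aware policy sketched in the "Mobile Data Security and Privacy" abstract (minimum restrictions for an internal web app, maximum for an iPhone app) and the usage-control question in the API-management abstract above can be shown in one small gateway. The following Python example is added here as an illustration and is not code from either speaker or from any product. It assumes the gateway has already authenticated the caller and established a context (client id, source IP, client kind, MDM enrolment); the internal network ranges, the sensitive field names and the per-tier limits are assumptions. Each tier fixes the allowed HTTP methods, a per-client rate limit and whether sensitive fields are masked in responses.

```python
"""Mobile-aware tiered API policy with per-client rate limiting (added illustration).
The caller context is assumed to be established by the gateway before this runs:
authenticated client_id, source IP, client kind (web/mobile) and MDM enrolment."""
import ipaddress
from collections import defaultdict

# Assumptions for this example
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_FIELDS = {"ssn", "account_number"}

# Restriction tiers: minimum for a web app on the internal network, maximum for an
# unmanaged mobile client; each tier fixes allowed methods, a rate limit and field masking.
TIERS = {
    "minimum":  {"rpm": 600, "methods": {"GET", "POST", "PUT", "DELETE"}, "mask": False},
    "standard": {"rpm": 120, "methods": {"GET", "POST"},                 "mask": True},
    "maximum":  {"rpm": 30,  "methods": {"GET"},                         "mask": True},
}


def classify(ctx):
    """Map caller context to a restriction tier."""
    ip = ipaddress.ip_address(ctx["ip"])
    internal = any(ip in net for net in INTERNAL_NETS)
    if ctx["client_kind"] == "web" and internal:
        return "minimum"
    if ctx["client_kind"] == "mobile" and ctx.get("mdm_enrolled", False):
        return "standard"
    return "maximum"            # unmanaged mobile device, or anything arriving from outside


class RateLimiter:
    """Fixed one-minute window counter per client id (in-memory; a real gateway would share state)."""
    def __init__(self):
        self.counts = defaultdict(int)

    def allow(self, key, limit, now):
        window = (key, int(now // 60))
        self.counts[window] += 1
        return self.counts[window] <= limit


class Gateway:
    def __init__(self):
        self.limiter = RateLimiter()

    def handle(self, ctx, method, record, now):
        """Apply the caller's tier to one request for `record`; returns an HTTP-like result dict."""
        tier = classify(ctx)
        policy = TIERS[tier]
        if method not in policy["methods"]:
            return {"status": 403, "tier": tier, "reason": "method not permitted for this client tier"}
        if not self.limiter.allow(ctx["client_id"], policy["rpm"], now):
            return {"status": 429, "tier": tier, "reason": "rate limit exceeded"}
        body = {k: ("***" if policy["mask"] and k in SENSITIVE_FIELDS else v) for k, v in record.items()}
        return {"status": 200, "tier": tier, "body": body}
```

The design choice worth noting is that the tier is derived from what the gateway can actually verify (authenticated client id, source network, enrolment status), not from a self-declared User-Agent; a mobile client can claim to be anything, so the default for an unknown combination is the most restrictive tier.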
|
Ammersee 2 |
| 17:30-18:00 |
Closing Keynote
Dave Kearns, KuppingerCole
Prof. Dr. Sachar Paulus, KuppingerCole
|
Auditorium |