2 hours 41 minutes
I and welcome back
to the next session off cybersecurity, architectural fundamentals,
enterprise security areas, Part two.
In this session, I would go to too many areas, which is the identity and excess management
and data protection,
identity and excess management.
It's a very important part off any system.
It covers the authentication and authorization, a speck off a system
and how we manage privilege uses.
And it's much more complex than most people think
for identity and excess management,
therefore, phases of concern
first being identify,
which is simply getting someone to supply some credentials.
Second is to authenticate.
This is where we ensure that the
this accurate all riel.
Then I will pass on to authorize, which is to allow the actions for that identity, which has been very fired.
And lastly, there needs to be an audit function which keeps track off the activities performed with the identity.
This four phases and sometimes known as the I triple A phase is off identity management.
Now there are many ways to view identity and excess management today. I'll just quickly brief on one view of it, which is from the IBM Book Off Enterprise Security, Architecture using I be emptively secure solution.
In this view, identity and excess management
is broken into five subsistence,
which is the management of identity in credentials, management of access controls, management of information flows, management, off solution, integrity and the management off security audit.
Each of thes subsystems can be fairly complex. Let me go to an example.
taking a look at one subsystem, which is the identity management subsystem.
As you can see from the picture there many components that make up identity management.
We have to take into account how an identity is and brought into the system. How is it verified?
How is it authenticated? How do we deal with rejected credentials? And how do we pass it on to an other subsystems, like the audit subsystems,
to design a good identity system? There are many things to work on.
To further illustrate,
I take a look at another subsystem, which is the excess management.
Once a credential has been verified,
we have to decide what can they excess?
This is about the rights management to the system. What are they authorized to do, and what systems can they have access to?
Looking at an excess management. We have to worry about the session. How long is a person granted access
and by which means can they access the system?
Yes, you can see it's not so straightforward. And it's not a simple lists most people see under surface.
To learn more about this, I would highly encourage you to get the Red Book
showing below enterprise security architecture using IBM Tivoli Security Systems. It's a fairly old book, but the principles are still song today.
The sights, the technical implementation from the subsystem view.
It is also important to pay attention to the implementation procedures for any access system.
In this example from IBM Red Paper
on identity, excess management, architectural patterns,
we can see how implementing a row base access control has a lot more sub steps that most people realize
well, this is not the only way to do it, but I encourage you to learn more about design patterns and architectural patterns so you do not have to reinvent the wheel.
But point is to pay close attention to procedures as well s technical implementation or technical solutions.
The treads around identity and excess management
can beefs view from identity treads and access traits
in identity treads that could be spoofing.
I did the details
and key logging. These are our threats to stealing identity
in terms of excess treads. We always worry about escalation of privileges and also about information leak
he controls to implement. To mitigate this risk would depend very much on the system.
It is implemented on
some of the more common tools and techniques used to mitigate threats in this space would be the use of identity manager,
employ for and never the fix.
Employ good provisioning processes
and the use off multi factor authentication.
In the case of excess management. Do pay attention to single sign on systems and how you configure them.
Employ the use of a privileged access management,
which can not only keep the secrets off the password but also do session recording for audit purposes,
behavior and athletics.
It's also a novel way to look at excess management. Do people normally excess systems from certain locations? Seven time of the day and so on
and a roll base approach? It's a very good way
to manage all the different rights.
Now let's take a look at data protection.
Data protection is increasingly becoming much more important to the management into your boards. The Eater protection covers the collection, storage and dissemination of data
and beyond the technical. We need to consider legal regulations and restrictions off the data and where it recites
some off the key questions. Tow us when dealing with data protection.
what does the system administrator needs to see
who administers the administrator?
What if the administrator's account is compromise?
How do you limit or reduce the damage and so on?
Most organizations would have achieved data officer off Chief Data Protection Officer.
It is good to work with these people. Toe. Understand the legal requirements on securing the data,
some off the more common threats to data protection in crude
regulatory compliance. Like Judy Pio for Europe
Data Residency law can date Herbie move across borders,
Privileged users, which includes database administrators,
the right to erase your
and data possibility. The right to be able to move data out off the hosting provider, for example,
Only when you understand the legal requirements or regulatory requirements, then can you have the right level
off control measures to be put in place.
There are many tools around data protection. Some of the more common or more newer ones include the use off the Lt technology. Like Blockchain,
Anonima izing technology liked organizations off a database
encryption algorithm, standards and home offic. Encryption is increasingly popular in data sharing systems,
the EU's off multiparty trust computation. It's also increasing, with a lot more collaboration between various organizations, like some banks working together
old fashioned technology like database activities, monitoring and prevention. It's also very useful to ensure that data is only seen by those who need to see it.
we have gone true identity and excess management,
and hopefully you'll understand it's lot more complex than it seems.
And some of the things to consider when thinking about data protection strategies.
Some good reading materials are. Then this page on idea in excess munition with a lot of resource is there
and then this guy to protecting confidential a T on personal identifying information.
These papers are freely available, and I highly encourage you to download them to take a read.
In the next session, we were wrap up the enterprise security areas covering vulnerability and patch management,
availability, management and supplies and security. So if you have the time,
I'll see you in the next lecture