

These materials are 2016 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Securing Enterprise Identities
Centrify Special Edition
by David Seidl

Securing Enterprise Identities For Dummies, Centrify Special Edition

Published by John Wiley & Sons, Inc., 111 River St., Hoboken, NJ 07030‐5774, www.wiley.com

Copyright 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT.
NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978‐1‐119‐22478‐5 (pbk); ISBN 978‐1‐119‐22479‐2 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877‐409‐4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Development Editor: Elizabeth Kuball
Copy Editor: Elizabeth Kuball
Acquisitions Editor: Amy Fandrei
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan
Production Editor: Antony Sami

Introduction

For years, companies have designed networks around a traditional security model meant to protect local systems. This “network perimeter” included layers of firewalls, intrusion detection systems, and other network security devices and systems intended to keep data safe against attack. But today, attackers are focusing on a specific type of threat — compromised credentials. In fact, the leading point of attack used in data breaches is compromised credentials and the privileges that go with them.

Attackers know that with the right credentials, they no longer have to fight through the old “perimeter” defenses. They now use stolen credentials to gain access to your critical data, just like an employee. Your traditional security perimeter is no longer the strong wall that you once envisioned it to be.

This new world of advanced threats that leverage deep expertise to maintain long‐term access to networks and systems means that you need to move your first line of defense to the user accounts and privileges that they have — the same things that make them attractive to attackers. Architecting security using identity can allow you to create a new security perimeter to keep your identities and, thus, your organization secure.

Of course, your organization is changing in other ways, too: Linux and virtualization have invaded the datacenter, and cloud infrastructure, SaaS apps, mobile devices, and a mobile workforce mean that traditional ways of securing and managing organizational assets just don’t work anymore. The same identity platform that enables you to redefine your security perimeter can also allow you to secure access to on‐premises and hosted infrastructure and apps from mobile devices, including device management, access monitoring, compliance, and reporting, all without leaving behind your existing infrastructure and systems.

About This Book

This book explores the role of identity in cybersecurity. I explain how the traditional datacenter defenses are no longer sufficient and how they need to change to protect against evolving threats. I show you how an identity platform is a critical part of a modern security perimeter, and how you can leverage your existing investments in identity to secure privileged access, enterprise mobility, and remote access. Lastly, I discuss how identity‐based policy can enhance your monitoring, compliance, and operational capabilities across today’s hybrid IT environment of cloud, mobile, and on‐premises resources.

Icons Used in This Book

The margins of this book use several helpful icons that can help guide you through the content:

- This icon marks tips that can save you time and effort.
- This icon is for the technical types who are reading the book. The information marked by this icon may be geeky, but it can be useful, too.
- If you see this icon, make sure to pay attention — you’ll want this knowledge at hand later.
- This icon marks something that you’ll want to take note of because it can cause problems.

Beyond the Book

You can find additional information about Centrify’s identity solutions, including single sign‐on, multifactor authentication, mobile and Mac management, privileged access security, and session monitoring at www.centrify.com.

Chapter 1
Understanding the Current Anatomy of Enterprise IT

In This Chapter
- Looking at the infrastructure of enterprise IT
- Seeing how mobile differs from traditional desktop computing
- Considering users and access requirements

The best way to understand how new threats are changing where security perimeters have to be defined is to explore how most organizations currently implement their datacenter and infrastructure security. In this chapter, I explain traditional and software‐defined datacenters, new models for cloud operations, user and access requirements, and how those elements interact.

Looking at Traditional and Software‐Defined Datacenters

You probably have a picture in your head of what a traditional datacenter looks like: a large room filled with rack‐mounted servers with hundreds or thousands of LEDs blinking while the room’s heavy‐duty cooling system blows cold air to keep everything from overheating. That traditional datacenter model has been the standard in one form or another for most organizations for decades. In fact, most organizations are still using a traditional datacenter — or at least a closet with some servers stuffed into it somewhere in their building!

Many organizations have also made significant investments in software‐defined datacenters based on virtualization. This is typically done using a product like VMware, Microsoft’s Hyper‐V, KVM, Xen, or Docker. Using these tools, various applications, systems, and network devices can be created in virtual environments, allowing them to share underlying hardware and network resources while being centrally managed by the virtualization platform.

Both traditional and software‐defined datacenters are typically designed with a layered security approach like the design shown in Figure 1‐1. This design is intended to protect the organization’s critical information and computational assets from outside attackers. It’s built from layers of routers, firewalls, intrusion detection systems, and other security and network devices that provide concentric layers of security.

Figure 1‐1: The traditional datacenter security model.

All these security tools are like locked doors: They’re only as strong as the key that unlocks them. Hackers know that trying to break down the door is very hard. But if you have the key to the lock, walking in couldn’t be easier. That means that there is always a way past this layered security: the accounts and remote access systems that administrators use to manage the systems they protect. Of course, that also means that the protective devices themselves can be a route in if administrative credentials are compromised. As organizations move to the cloud and hosted infrastructure, this gets harder because your boundaries are in many places.

When you consider identity as part of your organizational security, two terms are very important to remember: AuthZ and AuthN. These stand for authorization (AuthZ), which is the set of rights and roles you are provided, and authentication (AuthN), which is the verification of who you are. Both are needed to ensure security and usability!

Moving to the Cloud

The past few years have seen the advent of broadly accessible cloud computing. The cloud provides you with the ability to outsource software, platforms, or even IT infrastructure itself to another organization, which typically has a much larger IT footprint, specialist knowledge, and more staff to handle the environment than you might. Cloud computing offers some significant advantages that are driving many companies away from traditional datacenters, including the following:

- Cost savings on physical datacenter facilities (cheaper space, power, and cooling costs)
- Scalability to fit actual usage, rather than in large chunks by adding a server, storage array, or other large piece of IT infrastructure
- Redundancy and disaster recovery capabilities beyond a single building or datacenter
- Greater reliability without having to build it in‐house
- Faster upgrade and update cycles for software and systems

These benefits are usually delivered in one of three common models that you might encounter: Software as a Service, Platform as a Service, and Infrastructure as a Service. Each offers a different approach to computing outside of a traditional on‐site datacenter, with different benefits and considerations to keep in mind as you consider cloud services:

- Software as a Service (SaaS): SaaS is a model that provides software via the Internet, as a service. SaaS typically has the least operational overhead because it relies on the vendor to run all the underlying tools, systems, and services that make the software function. Security for SaaS is primarily in the vendor’s hands because they control the underlying hardware, software, and infrastructure, leaving you to provide user‐account‐based security and integration with your own systems and data. Because SaaS leaves accounts as your primary means of control, integrating SaaS tools with your central identity management system can provide both security control and usability benefits by leveraging centrally managed credentials and access controls.
- Platform as a Service (PaaS): PaaS describes a range of services that underlie a technology platform or service. It provides your organization with the platform but requires more support because you receive the platform and must configure and support it. Here, the security model relies more on your organization’s configuration of and use of the platform, as well as how you handle and integrate identity and access management.
- Infrastructure as a Service (IaaS): IaaS provides outsourced systems, networks, storage, and other components. These are typically provided much like they would be in a virtualized or software‐defined environment, but at a much larger scale by the IaaS provider. Because this is much more like running your own datacenter in the cloud, you’ll have most of the same operational and security requirements as you would in a traditional datacenter, with the caveat that they may need to integrate with your IaaS provider’s systems.

If your organization finds that cloud services are a good fit, it probably won’t just jump directly to the cloud all at once, which means you’ll be partially in a traditional datacenter or software‐defined datacenter model while also using cloud services. These split models are known as hybrid operating models, with a split between on‐premises and off‐premises software and services.

Looking at the Major Models for Applications

Whether you run a traditional or software‐defined datacenter, or whether you use cloud services, the reason that your datacenter exists is to run the applications that you need to conduct your business. As you may expect, there are a few major models for applications, and each of them has implications for your security perimeter and operations.

On‐premises applications

For years, most of the applications that your organization used were likely on‐premises, with local servers and infrastructure to keep them running. Both traditional and software‐defined datacenters host on‐premises applications, and even organizations that have moved a lot of their infrastructure and applications to the cloud still use on‐premises applications. This means that security operations still need to account for how existing systems that use Active Directory, LDAP, or other local accounts can integrate into a hybrid environment.

Cloud applications

Cloud applications change your identity needs because they require integration with AuthN (authentication) and AuthZ (authorization) services. Many cloud applications rely on technologies like SAML, OpenID, OAuth, or SCIM. Integrating these with existing on‐premises systems can be a challenge if your current systems aren’t built to work with the cloud!

These standards can be confusing, so here’s a quick overview of what they are:

- SAML is the Security Assertion Markup Language, an XML‐based protocol for authorization and authentication, and is frequently used to eliminate the need for text‐based passwords, and to provide single sign‐on.
- OpenID is often used along with OAuth, where it provides the authentication layer for integrations.
- OAuth is a widely used authorization technology, with similar benefits to SAML, but a different implementation.
- SCIM is the System for Cross‐domain Identity Management. It helps with user management in the cloud by providing ways to represent users and groups, amongst other features.

Big data

There’s a lot of information in really large datasets, and analyzing them using big data tools can provide a major competitive advantage. The same treasure trove of data and the analysis tools that you need to deal with it can also create new security challenges. Big data tools like Hadoop are often run in a nonsecure mode, particularly during development, and locking them down by requiring AuthZ and AuthN controls can be challenging. Making big data part of your identity infrastructure is key to keeping your big data environment secure.

Mobile applications

Mobile applications add yet another layer of complexity. Some are native applications for mobile platforms like Apple iOS or Android, while others are built to work on both traditional PCs via a web browser and on mobile devices. Making the applications work with your infrastructure can be an adventure in much the same way that cloud application integration can be challenging.

Comparing Mobile and Desktop Computing

In addition to the move to cloud computing, the growth of mobile computing has been a major driver for enterprise IT change. The changes driven by laptops, and now by smartphones and tablets, have resulted in a desire to be able to work anywhere, from any device, at any time.

Traditional desktop computing

Traditional enterprise computing has been built around desktop computers and laptops that were often standardized, centrally managed, and which were in predictable locations on a network owned and managed by the organization. There are still a lot of enterprise computing platforms that use this model, but mobile computing is growing quickly, and that growth means that the old model of providing security by controlling your organizationally controlled desktops is changing.

Mobile computing

Mobile computing covers a broad variety of computing that isn’t conducted at a user’s desk. In very broad terms, mobile computing is composed of two major groups of devices:

- Smartphones and tablets: Smartphones and tablets typically don’t run typical enterprise applications — they’re used to access web and native iOS and Android applications. In addition, they typically don’t provide the same security controls and visibility that a traditional desktop does. To make things even more challenging, many of them are personally owned and yet are still used to conduct organizational business.
- Laptops: Mac and PC laptops, whether they’re personally owned or are the property of your organization, make up the other half of the mobile computing movement. The need to handle personally owned devices in a variety of locations — from the office down the hall to a Starbucks in another country — means that identity, rather than the computing platform, is likely to be your first line of defense.

VPN and identity

Offsite access can be a security challenge because it’s hard to prove that the user who is logged in is actually who they claim to be. In fact, in 2013, the Verizon Risk team reported that they investigated a software developer in the United States who had outsourced his own job to China! During a normal security audit, a user’s account was discovered to be logging in from China every day, despite the user being at his desk. Further investigation showed that he was paying a Chinese contractor to do his work at a discounted rate while he himself surfed the web all day from his desk. It turned out that he was also employed elsewhere and had contracted those jobs out as well!

This story is just one example of how identity is an important part of security management. In this case, matching identity to location data and access logs would’ve helped catch the issue far sooner.

If you’d like to read the whole story, you can find it here: https://securityblog.verizonenterprise.com/?p=1626.

Defining Users and Access Requirements

As computing environments have become more complex, the number and types of users have increased. At the same time, the set of rights, roles, and policies that control access have become even harder to maintain, making automation and centralization key to success.

The final major element of enterprise IT is the set of users who use and maintain the IT infrastructure, applications, and data that it exists to support. There are many types of users in a typical enterprise, including the following:

- Administrators and power users: The most trusted users, and those who have the most power granted to them, are administrative and power users. Their accounts give them greater rights, so they’re likely targets for attackers.

- Privileged accounts: IT administrators have access to a special type of shared system or application accounts, which provide access to sensitive data, to change or grant access, or provide the ability to delete or damage critical systems. These so‐called “privileged accounts,” such as the root account or local administrator account, are the digital equivalent to a master key. Special care needs to be taken in order to protect these accounts and their associated privileges, including auditing, monitoring, and logging.
- Employees: Typical employees make up the bulk of your users for enterprise IT systems, and they can create complexity due to the variety of roles and positions they can hold. Over time, many employees end up accumulating a broad range of rights if they aren’t carefully managed, and even a normal employee account can be useful to attackers as a way into your systems and applications.
- Contractors and outsourced IT: Contractors can create a unique set of requirements because they’re typically time limited, but they can require special access to do what you’ve hired them to do. A contractor like a developer or outsourced IT staff member may need system access or rights and privileges unique to their role, but may not have the rest of the access that a normal employee does. In addition, they may work for a period of time and then stop when their contracts end. Later, they may be rehired, or be asked to perform further services. This makes traditional account lifecycles challenging to follow. In addition, many contractors work from a remote location, making their identity hard to verify. That means that using identity management services to audit, monitor, and manage contractor accounts is particularly important.
- Partners: Business partners, both as individuals and as organizations, often need accounts and rights to access data and applications that your organizations share to work together. Partner accounts may require interorganizational coordination and oversight, and may need to support trust relationships or federation.

Federation allows a user to log in to various unrelated systems or applications, using credentials from his own organization. It’s accomplished by having a shared set of policies and practices, as well as supporting technologies that establish delegated or trusted authentication between members of the “federation.”

- Customers: Customer account management is sometimes an entirely separate process from managing internal accounts and privileges, but many of the challenges are the same. Customer accounts need to have a lifecycle and management process that allows them to be easily handled in a customer‐friendly way that also meets your organizational needs, and supports customer accounts in an effective way.
- Third‐party vendors: Third‐party vendors create different identity issues than contractors and outsourced IT. Instead of requiring access to your systems, the challenge is usually how you can integrate with them. Fortunately, open standards like SAML, OAuth, and others can help you build bridges between your identity management system and standards‐compliant vendors, changing what used to be custom integrations taking days or weeks to a matter of a few hours of configuration work.

You may find that some (or many!) of your users fit into multiple categories and roles. That can add a lot of complexity to your identity management process as you try to track what access rights they should have. Remember that accumulated access can be a major risk as your users move around the organization and acquire rights and roles!

A key part of both the security and usability of enterprise IT is how you provide and control access. Traditional IT environments have often relied on access controls that were built and managed at each individual server or application, resulting in a massive amount of overhead, as well as a major challenge when you try to monitor or validate access rights.

Centralization, identity consolidation, privileged access security and shared account management, as well as the growth of single sign‐on and security standards like SAML and multifactor authentication, have resulted in the ability to use identity management services to control, monitor, audit, and report on access rights and access usage across all your enterprise resources.
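The "VPN and identity" sidebar earlier in this chapter notes that matching identity to location data and access logs would have caught the outsourced-job case far sooner. As an added example (not code from the book or from Centrify), the following Python script shows that correlation over a few constructed VPN log lines: it flags a login from a country other than the user's home office and, more generally, "impossible travel", where two logins by the same account are farther apart than anyone could have traveled in the elapsed time. The log format, the home-country table, the coordinates, and the 900 km/h speed threshold are all assumptions made for the illustration; a real deployment would feed the script from the VPN concentrator's logs and a GeoIP lookup.

```python
"""
Added example (not from the book): correlate VPN logins with each user's
expected work location. Reports (1) logins from a country other than the
user's home office and (2) "impossible travel" between two logins by the
same account. Every log line, location, and threshold here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed: user -> home office country (would normally come from HR/AD).
HOME_COUNTRY = {"bob": "US", "alice": "US"}

# Constructed VPN log: timestamp, user, source IP, geolocated country,
# latitude, longitude. A real VPN log would need a GeoIP step to add the
# last three fields; the IPs are documentation ranges, not real hosts.
VPN_LOG = """\
2013-01-14T08:02:11Z bob 203.0.113.7 CN 39.90 116.40
2013-01-14T08:55:40Z bob 198.51.100.12 US 40.71 -74.01
2013-01-14T09:10:02Z alice 198.51.100.20 US 40.71 -74.01
2013-01-14T17:30:00Z alice 198.51.100.20 US 40.71 -74.01
"""


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    country: str
    lat: float
    lon: float


def parse_log(text):
    """Parse the constructed whitespace-separated log format into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, lat, lon = line.split()
        logins.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, ip, country, float(lat), float(lon)))
    return logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_anomalies(logins, home_country, max_speed_kmh=900.0):
    """Return (user, finding, detail) tuples in chronological order.

    max_speed_kmh is an assumed ceiling on plausible travel speed; anything
    faster between consecutive logins of one account is reported.
    """
    findings = []
    last_seen = {}  # user -> most recent Login
    for login in sorted(logins, key=lambda l: l.ts):
        if login.country != home_country.get(login.user):
            findings.append((login.user, "foreign-country-login",
                             f"{login.country} from {login.ip} at {login.ts.isoformat()}"))
        prev = last_seen.get(login.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = (login.ts - prev.ts).total_seconds() / 3600.0
            # Same place (km ~ 0) is never suspicious; otherwise compare speed.
            if km > 1.0 and (hours <= 0 or km / hours > max_speed_kmh):
                findings.append((login.user, "impossible-travel",
                                 f"{km:.0f} km in {hours:.2f} h"))
        last_seen[login.user] = login
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(parse_log(VPN_LOG), HOME_COUNTRY):
        print(f"{user}: {kind} ({detail})")
```

With the constructed log, bob is reported twice: once for the morning login from China, and again when a login from the New York office follows it less than an hour later (roughly 11,000 km apart). alice's two logins from the same office produce nothing. In practice the home-country table would be joined from the HR system and the alert routed to whoever owns identity monitoring, so that the case the sidebar describes surfaces on the first day rather than during a later audit.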
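The paragraphs above warn that accumulated access is a major risk as users move around the organization, and that centralized identity management makes it possible to audit and report on access rights. As an added example (not code from the book or from Centrify), this Python access review compares each account's actual entitlements with the baseline for its current role(s) and reports whatever it holds beyond that baseline, singling out privileged rights. The role baselines, account names, and entitlement names are constructed for the illustration; in a real review they would be pulled from the HR system and the directory or IAM platform.

```python
"""
Added example (not from the book): a role-baseline access review that
surfaces rights an account has accumulated beyond what its current role(s)
need. All roles, accounts, and entitlement names below are constructed.
"""

# Constructed role baselines: the rights each role is expected to need.
ROLE_BASELINE = {
    "developer": {"git-push", "ci-run", "dev-db-read"},
    "dba": {"prod-db-admin", "dev-db-read"},
    "helpdesk": {"reset-user-password", "ticket-system"},
}

# Constructed set of entitlements treated as privileged; excess here is the
# "master key" case the chapter describes and should be reviewed first.
PRIVILEGED = {"prod-db-admin", "reset-user-password", "domain-admin"}

# Constructed accounts: current roles plus the rights actually held.
# carol moved from the DBA team to development but kept prod-db-admin;
# erin holds two roles legitimately but also a domain-admin right that
# neither role calls for.
ACCOUNTS = {
    "carol": {"roles": ["developer"],
              "rights": {"git-push", "ci-run", "dev-db-read", "prod-db-admin"}},
    "dave": {"roles": ["helpdesk"],
             "rights": {"reset-user-password", "ticket-system"}},
    "erin": {"roles": ["developer", "dba"],
             "rights": {"git-push", "prod-db-admin", "dev-db-read", "domain-admin"}},
}


def expected_rights(roles, baseline=ROLE_BASELINE):
    """Union of the baseline rights for every role the account currently holds.

    Unknown roles contribute nothing, so a typo in HR data shows up as excess
    rights rather than silently authorising them.
    """
    rights = set()
    for role in roles:
        rights |= baseline.get(role, set())
    return rights


def review_access(accounts, baseline=ROLE_BASELINE, privileged=PRIVILEGED):
    """Per account: rights held beyond the role baseline, and the privileged subset."""
    report = {}
    for name, acct in accounts.items():
        excess = set(acct["rights"]) - expected_rights(acct["roles"], baseline)
        report[name] = {
            "excess": excess,
            "privileged_excess": excess & privileged,
        }
    return report


def accounts_needing_attention(report):
    """Accounts whose excess includes at least one privileged entitlement."""
    return sorted(name for name, r in report.items() if r["privileged_excess"])


if __name__ == "__main__":
    result = review_access(ACCOUNTS)
    for name, r in result.items():
        print(f"{name}: excess={sorted(r['excess'])} privileged={sorted(r['privileged_excess'])}")
    print("review first:", accounts_needing_attention(result))
```

The review is deliberately one-directional: it lists rights an account holds that no current role explains, which is exactly what builds up when people change jobs and nobody removes the old grants. Run against a live directory export it becomes the input to the recertification step the chapter calls for, with the privileged subset going to the owners of those systems first.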

Chapter 2
Exploring the Role of Identity in Cyber Security

In This Chapter
- Identifying today’s cyber security challenges
- Protecting on‐premises and cloud infrastructure
- Securing external and mobile users and systems
- Expanding your security perimeter when data is everywhere

Keeping your network, systems, and data secure probably seems like it has become harder over time. New threats appear daily, and organized attackers are defeating the security of major organizations despite their best efforts to stop them.

In this chapter, I discuss current cyber threats and explain what a breach can mean to your organization. I also explain how you can use identity as a key element in your strategy to secure your systems, applications, and data, including how to address new trends like mobile devices, big data, cloud computing, and open networks.

Understanding Current Cyber Security Challenges

There are many current cyber security challenges, such as cyber threats, breaches, hackers, attackers, and advanced persistent threats. Many of these challenges start because of compromised credentials and poor security around how user accounts and rights are created, monitored, and maintained.

Cyber threats

Today’s organizations must be protected against a broad range of cyber threats. These can include things like

- Directed attacks focused on your organization, its operations, and data
- Indirect cyber threats like drive‐by downloads, which install malware on your PCs and devices
- Insider threats, including purposeful attacks, as well as honest mistakes

If you’re thinking about how user credentials play a role in each of those attacks, you’re already ahead of the game: Privileged credentials often play a big part in cyber attacks like these.

Breaches

It seems like nearly every day you hear news of a new breach. In fact, large‐ and small‐scale breaches have become so common that they’re a topic of discussion in our daily lives — even for people outside of IT. That doesn’t mean that the impact of a breach isn’t significant.

The average cost of a breach — according to research conducted by the Ponemon Institute — is $3.8 million, a number that has gone up by 23 percent since 2013. The same study says that the average cost per individual affected is $154, meaning that even a small breach can quickly add up to significant costs.

Want to know more about the risks you face? Check out Centrify’s State of the Corporate Perimeter Survey. It includes data on how employees treat credentials, what other organizations are facing, and how leaders are dealing with issues. You can find it at ter‐survey.

The leading cause of breaches is compromised credentials. The 2015 Data Breach Investigation Report from Verizon concludes that over half of all breaches are caused by compromised credentials. And Mandiant states that close to 100 percent of breaches it investigates involve compromised credentials. Clearly, enterprise identities have become a leading area of risk that needs to be managed and mitigated.

Hackers, attackers, and advanced persistent threats

The biggest change in cyber security in recent years has been the appearance of advanced persistent threats (APTs). Attacker groups use adva
