CPA - Introduction to Digital Identity - rev20171102

Identity and Access Management
Governance handbook

12 years of expertise in IAM
35+ projects:
 Strong Authentication,
 Identity Management,
 Access Governance,
 Information Protection.
Proud member of a versatile team of 25+ expert
consultants ready for innovation To keep in touch
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
Proud employer of 500+
consultants
Located in
Montréal (HQ), Québec City,
Ottawa, Toronto, Boston, Paris
Facilité was created in 1992
Acts in different modes:
• Risk sharing
• Turn key services
• Advisory
6 practices of expertise
(Dev., Arch., Sec., Agile, Data, Log.)

Information on an entity used by digital systems to
represent an external agent.
That agent may be a person, organization, application,
or device
Identity

or device
Identification
AuthenticationAuthorization
Identity
Information on an entity used by computer systems to
represent an external agent. That agent may be a
person, organisation, application, or device
Process of determining if a
user has the right to access a
service or perform an action.
An extra security step that
allows or denies access
privileges to company
resources
Process of validating that
external agent are who they
say they are.

or device
Identification
AuthenticationAuthorization
IdentityProcess of determining if a
user has the right to access a
service or perform an action.
An extra security step that
allows or denies access
privileges to company
resources
Process of validating that
external agent are who they
say they are.
Information on an entity used by computer systems to
represent an external agent. That agent may be a
person, organisation, application, or device
Provide capabilities such as
segregation of duties, access
certification, role engineering, role
management, logging, analytics,
and reporting.

End of Identity
/Deactivation
Identity
Onboarding
/Reactivation
Identity
Attribute
change
Role
Model
Policies
Role
assignation
Role
revocation
Account creation
/activation
Account
update
Account deletion
/deactivation
Account
update
Inbound
Policy
evaluation
Outbound
policy
evaluation

Identity
& Credential
Management
Role
Model
Role
assignation
Role
revocation
Account creation
/activation
Account
update
Account deletion
/deactivation
Account
update
Application
Access
Management
External agent
Want to use
Get authenticated
Get entitled
Check if authorized

B2E B2B B2C B2TBusiness
A complexity of contexts…

B2E B2B B2C B2TBusiness
Privileged
Devices
Applications
…and dimensions

Corporate
Services &
Applications
with siloed
Access,
Credential
and Identity
Management
SSO is not
possible
More than one
place to know who
accesses what
Application
on-boarding is
specific and costly
How
were we
used to
do it?

Employee Identity
& Credential
Management
Employee Access
Management
Corporate
Services &
Applications
How did
we
solve
this?
Enabling SSO
Enabling unique
identification

Employee Identity
& Credential
Management
Corporate
Services &
Applications
Partner Identity
& Credential
Management
Employee and Partner
Access Management
How did
we
solve
this?
Extending SSO
Extending unique
identification

Employee Identity
& Credential
Management
Employee and Partner
Access Management
Corporate
Services &
Applications
Partner Identity
& Credential
Management
Customer
Services &
Applications
Siloed Customer
Access Management
Siloed Identity
& Credential
Management

More than one set
of credentials
SSO is difficult
SSO is not
possible
More than one
place to know who
accesses what
Application
on-boarding is
specific and costly
Integration costs
are repeated
Still not
a good solution

No difference
between
applications and
services
Identity chaining
Only one
recipe for
integration
Use standards
and APIs
One Access
Manager acts as
Access Broker
Only one place
to know who
accesses what
One role model
to control access
to applications
and permissions
Each population
has one set of
credentials
Specific
integration is
on the last
mile
Use standards
according to
context

Identity Chaining (Meshed)
My individual
customers through
Social Login
My strategic
customer
through delegation
My strategic
partner
through delegation
Partners of my
strategic partner
integration
Bi-directional
relationship

Synchronized
identities
Centralized
identites
Federated
authentications
Silos of
identities
Silos of
authentication
Dynamic
authentications
Social
identities
Federated
identities
Centralized
authentications
Silos of
Role based
authorization
Centralized
Role based
authorizations
Dynamic
Role based
authorizations
Social
Authentication
Centralized
fine grained
authorization
Dynamic
fine grained
authorizations
Silos of
fine grained
authorization
Federated
role based
authorizations
Silos of
fine grained
authorization
80%
16%
4%
<1%
Centralized
high privileged
authorizations
Maturity matrix

NIST-800-63-3 (A,B,C)
ISO, NIST, COBIT, ITIL, BS7799
ISO 27001, Jericho
SSAE16/70, SOC x type y, CSA CCM
Safe Harbor, Privacy Shield
PCI-DSS
NERC
HIPAA
PIPEDA, CASTLE
SOX
Data specific Governance
General Risk Governance
Security Governance
IAM specific Governance
Cloud Security Governance
Cloud Privacy Governance
Governance landscape

 Regulation lays down rules relating to the protection of natural
persons with regard to the processing of personal data and
rules relating to the free movement of personal data.
 Goes in effect May 25th 2018
 Companies can be fined if not compliant (20M€ or 4% turnout,
depending which one is larger)
 Protection of EU resident (different that EU citizen) personal data
 Companies doing business with EU data subject (offering goods
or services irrespective of whether connected to a payment)
 Companies processing EU data subject, even if companies are
located outside the EU borders
EU citizen
Non EU resident
EU citizen
EU resident
2+ citizen (incl. EU)
EU resident
?
!
!
2+ citizen (incl. EU)
Non EU resident?
Non EU citizen
EU resident
!
Non EU citizen
Non EU resident

Subject
Personal
Data
Data shall be exportable
in portable format
(Art. 20)
Data Collection shall
enforce subject’s consent
(Art. 6/7)
Controller shall comply
with Breach Notification rules (Art. 33)
Controller shall comply with
right to be forgotten
(Art. 17)
Controller shall implement
organizational/procedural/technical
means to protect Data
Risk assessment and Governance
of Data shall be implemented
(Art. 35/42)
Digital Privacy Officer shall
be elected in large company
(Art. 37)
Controller shall comply with
cross border processing rules
(Art. 3)
• Name (first, last, second);
• Identification number (permanent
or transient);
• Location data (physical but also
transient like GPS);
• Genetic (characteristics which give
unique information about the
physiology/health with or without
analysis)
• Biometric (issues for technical
processing of physical,
physiological or behavioral
characteristics);
• Mental, cultural, economic;
• Social Identity and activity;
• Online activity (IP address, cookie,
etc.)
(re) definition of Subject Personal Data
 ‘controller ’ who determines the purposes and means of the
processing of personal data;
 ‘ processor’ who processes personal data on behalf of the
controller;
 ‘recipient’ who to which the personal data are disclosed
 ‘third party’ who, under the direct authority of the controller or
processor, are authorized to process personal data.
Key points to handle
Global implications of GDPR
https://gdpr-info.eu/
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• ISO 27K1-like means:
• Ongoing confidentiality/integrity/
availability/resilience of systems
• Ability to restore the availability and
access to data in a timely manner
• Regularly testing/assessing/evaluating
effectiveness of technical/organizational
measures
• Additional means:
 Pseudonymisation and encryption;
 Code of conduct (Art. 40);
 Approved certification mechanism (Art. 42)
Proposed solutions (Art. 32)
Governing
the Data
What types
are owned
Where it
is stored
Who has access
to what
How it is
managed

Be ready for ripples
GDPR is just a first step…
Russia Data Privacy Laws are operational
Australia Data Privacy Laws are operational
<Insert your country> Data Laws
are coming
China Data Privacy Laws are drafted

Centralized
Federated
Christopher Allen, stages of online identity
http://www.lifewithalacrity.com
User Centric
Self Sovereign
User control
Low
High
LowHigh Portability

Centralized
Federated
User Centric
Self Sovereign
User control
Low
High
LowHigh Portability
Based on Christopher Allen, stages of online identity
What you
considered too obsolete
and did not capitalize on
What you hoped to see and
what Blockchain hopes to solve

User control
Low
High
LowHigh Portability
User Centric
Self Sovereign
Centralized
Federated
Need Decentralization
What you
Need Trust

David Birch, Director of Consult Hyperion:
• Blockchain is not for storing digital ID
• Still an issue for managing the private key
• Should be managed by trusted party (e.g. Banks)
http://dutchblockchainconference.com/2016/06/20/david-birch-hyperion/
Steve Wilson, VP Constellation Research
• There is no ID in the blockchain
• An intermediary is still needed
• See project MDAV for CCICADA
https://www.youtube.com/watch?v=dzetCrresXM

User control
Low
High
LowHigh Portability
User Centric
Self Sovereign
Centralized
Federated
Need Decentralization
What you
Need Trust
Meshed
Controlled via:
Linking of accounts
Consent to share
Portable through the
Trust framework
…

CPA - Introduction to Digital Identity - rev20171102

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie CPA - Introduction to Digital Identity - rev20171102

Ähnlich wie CPA - Introduction to Digital Identity - rev20171102 (20)

Mehr von Jean-François LOMBARDO

Mehr von Jean-François LOMBARDO (10)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

CPA - Introduction to Digital Identity - rev20171102

Hinweis der Redaktion