2. 12 years of expertise in IAM
35+ projects: Strong Authentication, Identity Management, Access Governance, Information Protection.
Proud member of a versatile team of 25+ expert consultants ready for innovation.
To keep in touch:
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
Facilité was created in 1992
Proud employer of 500+ consultants
Located in Montréal (HQ), Québec City, Ottawa, Toronto, Boston, Paris
Acts in different modes:
• Risk sharing
• Turn key services
• Advisory
6 practices of expertise (Dev., Arch., Sec., Agile, Data, Log.)
3. Identity
Information on an entity used by digital systems to represent an external agent. That agent may be a person, organization, application, or device.
4. Identity, Identification, Authentication, Authorization
Identity: information on an entity used by computer systems to represent an external agent. That agent may be a person, organisation, application, or device.
Identification: an extra security step that allows or denies access privileges to company resources.
Authentication: process of validating that external agents are who they say they are.
Authorization: process of determining if a user has the right to access a service or perform an action.
5. Same diagram, adding governance: provide capabilities such as segregation of duties, access certification, role engineering, role management, logging, analytics, and reporting.
15. Still not a good solution
• More than one set of credentials
• SSO is difficult
• SSO is not possible
• More than one place to know who accesses what
• Application on-boarding is specific and costly
• Integration costs are repeated
16. Identity chaining
• No difference between applications and services
• Only one recipe for integration
• Use standards and APIs
• One Access Manager acts as Access Broker
• Only one place to know who accesses what
• One role model to control access to applications and permissions
• Each population has one set of credentials
• Specific integration is on the last mile
• Use standards according to context
17. Identity Chaining (Meshed)
• My individual customers through Social Login
• My strategic customer through delegation
• My strategic partner through delegation
• Partners of my strategic partner: integration
• Bi-directional relationship
19. Governance landscape
Standards and regulations on the map:
• NIST 800-63-3 (A, B, C)
• ISO, NIST, COBIT, ITIL, BS7799
• ISO 27001, Jericho
• SSAE16/70, SOC x type y, CSA CCM
• Safe Harbor, Privacy Shield
• PCI-DSS
• NERC
• HIPAA
• PIPEDA, CASTLE
• SOX
Governance areas: Data specific Governance, General Risk Governance, Security Governance, IAM specific Governance, Cloud Security Governance, Cloud Privacy Governance.
20. The Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Comes into effect May 25th 2018.
Companies can be fined if not compliant (20M€ or 4% of turnover, whichever is larger).
Protection of EU residents' (different from EU citizens') personal data.
Applies to companies doing business with EU data subjects (offering goods or services, irrespective of whether connected to a payment).
Applies to companies processing EU data subjects' data, even if the companies are located outside the EU borders.
(Diagram: GDPR scope by subject, combining citizenship and residence)
• EU citizen, non-EU resident: ?
• EU citizen, EU resident: !
• 2+ citizenships (incl. EU), EU resident: !
• 2+ citizenships (incl. EU), non-EU resident: ?
• Non-EU citizen, EU resident: !
• Non-EU citizen, non-EU resident: not marked
Subject's personal data: obligations on the controller
• Data shall be exportable in portable format (Art. 20)
• Data collection shall enforce the subject's consent (Art. 6/7)
• Controller shall comply with breach notification rules (Art. 33)
• Controller shall comply with the right to be forgotten (Art. 17)
• Controller shall implement organizational/procedural/technical means to protect data
• Risk assessment and governance of data shall be implemented (Art. 35/42)
• Digital Privacy Officer shall be elected in large companies (Art. 37)
• Controller shall comply with cross-border processing rules (Art. 3)
(re)definition of Subject Personal Data:
• Name (first, last, second);
• Identification number (permanent or transient);
• Location data (physical but also transient, like GPS);
• Genetic (characteristics which give unique information about physiology/health, with or without analysis);
• Biometric (issued from technical processing of physical, physiological or behavioral characteristics);
• Mental, cultural, economic;
• Social identity and activity;
• Online activity (IP address, cookie, etc.)
Roles under GDPR:
• 'controller': who determines the purposes and means of the processing of personal data;
• 'processor': who processes personal data on behalf of the controller;
• 'recipient': to whom the personal data are disclosed;
• 'third party': who, under the direct authority of the controller or processor, is authorized to process personal data.
Key points to handle: global implications of GDPR
https://gdpr-info.eu/
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Proposed solutions (Art. 32):
• ISO 27K1-like means:
  • Ongoing confidentiality/integrity/availability/resilience of systems
  • Ability to restore the availability of and access to data in a timely manner
  • Regularly testing/assessing/evaluating the effectiveness of technical/organizational measures
• Additional means:
  • Pseudonymisation and encryption;
  • Code of conduct (Art. 40);
  • Approved certification mechanism (Art. 42)
Governing the data: what types are owned, where it is stored, who has access to what, how it is managed.
21. Be ready for ripples
GDPR is just a first step…
• Russia Data Privacy Laws are operational
• Australia Data Privacy Laws are operational
• <Insert your country> Data Laws are coming
• China Data Privacy Laws are drafted
23. Stages of online identity (based on Christopher Allen, http://www.lifewithalacrity.com)
Axes: User control (low to high) and Portability (low to high).
Stages: Centralized, Federated, User Centric, Self Sovereign.
Annotations on the diagram:
• What you considered too obsolete and did not capitalize on
• What you hoped to see and what Blockchain hopes to solve
24. Same diagram, adding: Need Decentralization; Need Trust.
25. David Birch, Director of Consult Hyperion:
• Blockchain is not for storing digital ID
• Still an issue for managing the private key
• Should be managed by trusted party (e.g. Banks)
http://dutchblockchainconference.com/2016/06/20/david-birch-hyperion/
Steve Wilson, VP Constellation Research
• There is no ID in the blockchain
• An intermediary is still needed
• See project MDAV for CCICADA
https://www.youtube.com/watch?v=dzetCrresXM
26. Same diagram as slides 23-24, adding Meshed:
• Controlled via: linking of accounts, consent to share
• Portable through the Trust framework
…
Editor's notes
So the solution is Identity Chaining: 3 points definition, 1 recipe solution. Let's explain what it is.
So in order to be an archipelago of Trust, we must be meshed.
We are in a company (blue), we have partners (green), we have customers: organizations and individuals (purple).
We have a Circle of Authority for each one of them.
We can establish a Trust link.