Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Identity as the Perimeter
Ähnlich wie Identity as the Perimeter (20)
Mehr von scoopnewsgroup
Mehr von scoopnewsgroup (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Identity as the Perimeter
- 1. Chris Niggel | Okta Director Security & Compliance Identity as the Perimeter October 2017
- 2. © Okta and/or its affiliates. All rights reserved. Okta Confidential Or: How I Learned To Stop Worrying And Love The Cloud
- 3. © Okta and/or its affiliates. All rights reserved. Okta Confidential
- 4. © Okta and/or its affiliates. All rights reserved. Okta Confidential 4 Set UngaDasOutlook = CreateObject("Outlook.Application") Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI") For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) Mail.Subject = "Important Message From " & Application.UserName Mail.Body = "Here is that document you asked for” Mail.Attachments.Add ActiveDocument.FullName Mail.Send
- 5. © Okta and/or its affiliates. All rights reserved. Okta Confidential
- 6. © Okta and/or its affiliates. All rights reserved. Okta Confidential Photo Credit: https://upload.wikimedia.org/wikipedia/commons/2/22/Bodiam_Castle_south.jpg
- 7. © Okta and/or its affiliates. All rights reserved. Okta Confidential
- 8. © Okta and/or its affiliates. All rights reserved. Okta Confidential Image: http://thedailywtf.com/images/remy/robotguys.png
- 9. © Okta and/or its affiliates. All rights reserved. Okta Confidential Source: Okta Businesses @ Work Report, Jan 2017
- 10. © Okta and/or its affiliates. All rights reserved. Okta Confidential
- 11. © Okta and/or its affiliates. All rights reserved. Okta Confidential I can’t control what applications employees use, but I can make the approved applications more attractive than the alternatives
- 12. © Okta and/or its affiliates. All rights reserved. Okta Confidential IDENTITY Partners Employees Contractors Customers Cloud Platforms On-Premises Systems Applications Devices
- 13. © Okta and/or its affiliates. All rights reserved. Okta Confidential Context Adaptive Access Allow Step-up Restrict Deny
- 15. © Okta and/or its affiliates. All rights reserved. Okta Confidential
- 16. © Okta and/or its affiliates. All rights reserved. Okta Confidential
- 17. 1
Hinweis der Redaktion
- There is a fundamental problem in the way we promote and treat system security. For 15 years I was a “network administrator” for businesses across the country. My primary metric was uptime. Was the system up. How quickly could the system be up. Why is the system down?
- This used to be relatively easy. My biggest concern was my users causing problems, for example when the office manager at my first job decided to re-organize all of the files on her computer by file type. At least I was able to recover her files from backup.
- Then came along internet viruses and worms, with now infamous names: Code Red, Nimda, and Melissa This is Melissa, one of the first internet-scale viruses. It took mere hours for this to circle the globe, infecting tens of thousands of computers. A mere 6 lines of code.
- As we relied on more and more systems connected to the internet, the attacks also got larger. One day, I had an attacker guess a user’s password and use my mail server to send tens of thousands of email messages. I had phone servers taken over and used against Taiwan, the attacks got more brazen, and more damaging
- Our solution to the problem was to build walls and secrets. We viewed information security like building a castle. Moat to cross in the form of a firewall, with a VPN forming our drawbridge. Secret passwords to open the gate through our 3-foot-thick stone walls, and we moved all of our corporate data inside of this fortress Soon, we were trapped within our network. Sure, things were secure, but all this security was painful for employees. Mobile devices became a force of change against us
- So, as we forced users to have complex passwords, with multiple letters, numbers, symbols, our users put them on post-it notes, and re-used the same password across personal and corporate sites. So when Google lost 5 million passwords, and linkedin lost 110 million in 2012, we had to reset corporate accounts, too
- When we found passwords were not strong enough, we deployed multifactor tokens, that had to be carried around everywhere we went. Of course, if you left your token on your desk, and the boss wanted that critical report done by the morning, you were stuck. So users put their multifactor token in front of a webcam!
- As technology progressed, and cloud services took off,I struggled to keep our data within the castle walls, implementing filtering at the firewall. But it was a losing battle - employees just used different services.
- Employees not graded on security, they have other tasks to do. Therefore, they are always going to follow the path of least resistance. A recent report by SkyHigh finds that Federal agencies currently use over 900 unique cloud applications. You are here because cloud is here. We must embrace how it can enable your business. We need a fundamental shift in IT.
- I realized that the days of placing walls around our networks are over. Software-as-a-Service means that the traditional financial and network controls we could use were no longer effective. As a system administrator, the ease of procuring new applications meant that I had to get out of managing tools the business wanted, and into enabling employees to use the tools they needed. I realized that I could no longer control what applications employees used, I had to shift and make the applications the business offered faster and easier than the alternatives
- The first step was to deploy single sign-on to move identity to the center of the experience. You don’t want to remember 100 different passwords, or have 100 bookmarks for applications all over the internet. By tying applications to their corporate identity, I created a single sign-on experience that put key tools at employee fingertips. Single Sign-On is just the start, however. Business customers don’t want to manage their own cloud applications, having to create accounts, move accounts, manage permissions, and deprovision when employees leave. By tying corporate applications to a single sign-in platform, I automated all of the account creation and deletion, so when employees started, they already had access to everything they need
- The second challenge is secure MFA. Remember finding out tokens broadcast on a webcam? With traditional approaches, Those RSA tokens were placed at the perimeter, requiring tokens all the time and encouraging abuse. Risk-based MFA eliminates all-or-nothing approaches and encourages the use of strong authentication but putting it where it is needed, and removing friction where it’s not
- Once departments started seeing the value, they began to approach me for solutions. The application library grew quickly. By supporting the applications people wanted to use, IT was no longer the “no” team, we were a business partner We knew what cloud applications were being used, and by whom, reducing license costs and saving money But I was still unable to keep up with the speed of business, and the shadow IT problem persisted.
- The only solution was to hand over the keys to our business customers. IT is not prepared to own all account provisioning, we don’t have the staff or the knowledge. When we move the perimeter to the identity, we are now able to split responsibilities. Sales understands how they use their tools, so they should be responsible for the accounts. Implementing application assignment workflows keeps ownership with other departments, while giving IT and security the visibility and control they need. It’s the best of both worlds, and enabled me to turn Shadow IT into Distributed IT.
- Before embracing the cloud This used to be my job – keeping the castle walls tall and strong meant endless patching and progress bars I was tied to my desk adding uptime instead of adding value
- With cloud services controlled by a risk-based identity management system, I’m able to work wherever and whenever I’m most productive. By making identity the perimeter, I’m no longer watching progress bars, I’m making progress.
- Thank you!