11 Info Sec Trends I

Uploaded by

arshasmoos83
Information Security Trends I

Dr David Chapman

1
Introduction

• Context
• Main concepts
• Practical implications
• Conclusions

2
Context: 1 of 2

3
Source: www.OCEG.org
Context: 2 of 2

4
Main Concepts

• Information security governance trends
• Identity and access management trends

5
Information security governance trends section

6
Information security governance: introduction: 1 of 3

7
Information security governance: introduction: 2 of 3

8
Information security governance: introduction: 3 of 3

Governance                    Management
Oversight                     Implementation
Authorises decision rights    Authorised to make decisions
Enact policy                  Enforce policy
Accountability                Responsibility
Strategic planning            Project planning
Resource allocation           Resource utilisation

9
Source: Allen & Westby, 2007
ISO/IEC 38500 vs. ISO/IEC 27014: 1 of 2

10
Source: modulo.com
ISO/IEC 38500 vs. ISO/IEC 27014: 2 of 2

11
ISO/IEC 27014:2013: 1 of 2

12
ISO/IEC 27014:2013: 2 of 2

13
Source: modulo.com
Information security governance trends: 1 of 8

14
Information security governance trends: 2 of 8

15
Information security governance trends: 3 of 8

16
Information security governance trends: 4 of 8

17
Source: modernsystems.com
Information security governance trends: 5 of 8

18
Information security governance trends: 6 of 8

19
Information security governance trends: 7 of 8

20
Information security governance trends: 8 of 8

21
Source: www.tracesecurity.com
Identity and access management trends section

22
The access management problem: 1 of 6

23
The access management problem: 2 of 6

User authentication has morphed … customers assemble digital products and services to meet their needs

24
Source: Forrester
The access management problem: 3 of 6

Digital business requirements present IAM challenges in three dimensions

25
Source: Forrester
The access management problem: 4 of 6

IBM

26
The access management problem: 5 of 6

27
The access management problem: 6 of 6

28
Source: Microsoft
Current IAM weaknesses

Three IAM disconnect problems

1. Stumbling blocks and lack of standardisation in cross-domain user provisioning
2. Weakened control of authentication and authorisation
3. Siloed IAM approaches to different purposes and populations

29
Source: Forrester
Stumbling blocks and lack of standardisation

Four pillars of identity management

30
Source: Microsoft
Problem 1: cross-domain user provisioning: 1 of 4

31
Source: RadiantLogic
Problem 1: cross-domain user provisioning: 2 of 4

32
Problem 1: cross-domain user provisioning: 3 of 4

33
Problem 1: cross-domain user provisioning: 4 of 4

34
Problem 2: weakened authentication and authorisation: 1 of 3

35
Problem 2: weakened authentication and authorisation: 2 of 3

36
Problem 2: weakened authentication and authorisation: 3 of 3

37
JumpCloud: a Directory-as-a-Service example
Source: JumpCloud.com
Problem 3: IAM silos for different purposes and populations: 1 of 3

38
Problem 3: IAM silos for different purposes and populations: 2 of 3

Typical social sign-in

39
Google’s federated login flow
Problem 3: IAM silos for different purposes and populations: 3 of 3

Some well known cloud service providers

40
Zero trust identity: introduction: 1 of 6

41
Sources: jhbaars & f5.com
Zero trust identity: introduction: 2 of 6

42
Zero trust identity: introduction: 3 of 6

43
Zero trust identity: introduction: 4 of 6

44
Source: Cisco
Zero trust identity: introduction: 5 of 6

45
Zero trust identity: introduction: 6 of 6

46
Zero trust identity: 3 rules

• Rule 1 – plan for secure, both outward and inward, identity propagation
• Rule 2 – formalise and robustly protect the interfaces for IAM functions
• Rule 3 – use and advocate standards for IAM interfaces

47
Source: Forrester
Zero trust identity: rule 1: 1 of 2
Many scenarios require two-way flows of identity and access information

48 Rule 1 – plan for secure, both outward and inward, identity propagation
Source: Forrester
Zero trust identity: rule 1: 2 of 2

49 Rule 1 – plan for secure, both outward and inward, identity propagation
Zero trust identity: rule 2: 1 of 5

50 Rule 2 – formalise and robustly protect the interfaces for IAM functions
Zero trust identity: rule 2: 2 of 5

51 Rule 2 – formalise and robustly protect the interfaces for IAM functions
Zero trust identity: rule 2: 3 of 5

52 Rule 2 – formalise and robustly protect the interfaces for IAM functions
Zero trust identity: rule 2: 4 of 5

Role based provisioning

53 Rule 2 – formalise and robustly protect the interfaces for IAM functions
Zero trust identity: rule 2: 5 of 5

54 Rule 2 – formalise and robustly protect the interfaces for IAM functions
Zero trust identity: rule 3: 1 of 6

55 Rule 3 – use and advocate standards for IAM interfaces


Source: Rakesh R
Zero trust identity: rule 3: 2 of 6

56 Rule 3 – use and advocate standards for IAM interfaces


Zero trust identity: rule 3: 3 of 6

57 Rule 3 – use and advocate standards for IAM interfaces


Zero trust identity: rule 3: 4 of 6

RadiantOne – use of OpenID connect

58 Rule 3 – use and advocate standards for IAM interfaces


Zero trust identity: rule 3: 5 of 6

59 Rule 3 – use and advocate standards for IAM interfaces


Zero trust identity: rule 3: 6 of 6

UMA entity spiral


60 Rule 3 – use and advocate standards for IAM interfaces
Enabling zero trust identity

61
Step 1: Map identity and context to your data

62
Step 2: Federation-enable the organisation and applications

63
Step 3: Create communities of developers to increase attraction of
IAM services

64
Step 4: Push the edge of the envelope in externalising authorisation

65
Practical implications section

• Why it matters
• Where might this lead?

66
Practical implications: Information security governance

67
Source: IBM
Practical implications: Zero Trust

68
Source: Van Driel, 2015
Conclusions section

69
Conclusions: 1 of 2

70
Source: www.OCEG.org
Context: 2 of 2

71
Bibliography

72
Bibliography: 1 of 11
Allen, J. & Westby, J., 2007. Governing for Enterprise Security (GES) Implementation Guide. [Online] Available at: http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8251
Assche, W., 2012. Identity and Access Management and electronic Identities _ Belgian Federal Government. [Online] Available at: http://www.slideshare.net/E-Gov_Center_Moldova/iam-belgian-federal-government
Binwal, P., 2015. Creating a Cybersecurity Governance Framework: The Necessity of Time. [Online] Available at: https://securityintelligence.com/creating-a-cybersecurity-governance-framework-the-necessity-of-time/
Bloomberg, 2016. 5 information security trends that will dominate 2016. [Online] Available at: https://www.bloomberg.com/enterprise/blog/5-information-security-trends-that-will-dominate-2016/
Confluence, 2014. Information Security Governance. [Online] Available at: https://spaces.internet2.edu/display/2014infosecurityguide/Information+Security+Governance
73
Bibliography: 2 of 11
Cser, A. & Maler, E., 2012. The Forrester Wave: Risk-Based Authentication, Q1 2012. [Online] Available at: https://www.landsbankinn.is/library/Documents/Frettir/The_Forrester_Wave_Risk-B1.pdf
Cser, A., Maxim, M. & Maler, E., 2015. Navigate The Future Of Identity And Access Management. [Online] Available at: http://www.infosecurityeurope.com/__novadocuments/235770?v=635973654839800000
Degges, R., 2015. What the Heck is OAuth? [Online] Available at: https://stormpath.com/blog/what-the-heck-is-oauth
European Commission, 2016. European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows. [Online] Available at: http://europa.eu/rapid/press-release_IP-16-2461_en.htm
F5, 2014. The Expectations of SSL Everywhere. [Online] Available at: https://f5.com/Portals/1/Cache/Pdfs/2421/the-expectation-of-ssl-everywhere.pdf

74
Bibliography: 3 of 11
Forrester Research, Inc., 2013. Developing a Framework to Improve Critical Infrastructure Cybersecurity. [Online] Available at: http://csrc.nist.gov/cyberframework/rfi_comments/040813_forrester_research.pdf
Gates, S., 2005. Accelerate Without Fear. [Online] Available at: https://blogs.oracle.com/saragates/entry/accelerate_without_fear
Glick, B., 2014. The business challenges and benefits of identity and access management. [Online] Available at: http://www.computerweekly.com/feature/The-business-challenges-and-benefits-of-identity-and-access-management
Global IDs, 2014. Data Governance 2.0. [Online] Available at: https://www.youtube.com/watch?v=mQ_5IX9fv1s
Google, 2016. Sign-in flow. [Online] Available at: https://developers.google.com/identity/toolkit/web/federated-login

75
Bibliography: 4 of 11
Harmer, G., 2015. Updated edition of ISO/IEC 38500:2015. [Online] Available at: http://www.itwnet.com/columns/updated-edition-isoiec-385002015
Hillam, J., 2014. What is Data Governance? [Online] Available at: https://www.youtube.com/watch?v=sHPY8zIhy60
Hitachi ID Systems, Inc, 2016. Defining Enterprise Identity Management. [Online] Available at: http://hitachi-id.com/password-manager/docs/defining-enterprise-identity-management.pdf
IBM, 2013. Form 8-K. [Online] Available at: https://www.sec.gov/Archives/edgar/data/51143/000110465913015897/a13-6155_28k.htm
ISO, 2013. Information technology — Security techniques — Governance of information security. [Online] Available at: https://www.iso.org/obp/ui/#iso:std:iso-iec:27014:ed-1:v1:en

76
Bibliography: 5 of 11
IT Governance Institute, 2006. Information Security Governance: Guidance for Boards of Directors and Executive Management. 2nd ed. [Online] Available at: http://www.isaca.org/Knowledge-Center/Research/Documents/Information-Security-Govenance-for-Board-of-Directors-and-Executive-Management_res_Eng_0510.pdf
Jain, A., 2014. CIS14: Mobile SSO using NAPPS: OpenID Connect Profile for Native Apps. [Online] Available at: http://www.slideshare.net/CloudIDSummit/cis14-modern-identity-protocol-landscape-3vfinalmobile-sso-using-nappsjain
Jain, R., 2015. Bringing Context-Aware Security to Applications. [Online] Available at: http://blogs.cisco.com/ciscoit/b-s-11162015-bringing-context-aware-security-to-applications
JumpCloud, n.d. Home page. [Online] Available at: https://jumpcloud.com/
Kindervag, J. & Reichenberg, N., 2015. 5 Steps to a Zero Trust Network - From Theory to Practice. [Online] Available at: http://www.slideshare.net/AlgoSec/5-steps-to-a-zero-trust-network-from-theory-to-practice

77
Bibliography: 6 of 11
Mahncke, R., 2013. The Applicability of ISO/IEC 27014:2013 For Use Within General Medical Practice. [Online] Available at: http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1011&context=aeis
Maler, E., 2014. UMA Frequently Asked Questions. [Online] Available at: https://kantarainitiative.org/confluence/display/uma/UMA+FAQ
Maler, E. & Drummond, R., 2008. The Venn of Identity. [Online] Available at: https://css.csail.mit.edu/6.858/2012/readings/identity.pdf
Michalsky, R., 2015. Zero Trust Cyber Security Model Explained. [Online] Available at: http://www.njvc.com/blog/cyber-security/zero-trust-cyber-security-model-understanding
Microsoft, 2013. Designing an attestation campaign. [Online] Available at: https://technet.microsoft.com/en-us/library/dn155883(v=ws.10).aspx
Microsoft, 2013. The Four Pillars of Identity - Identity Management in the Age of Hybrid IT. [Online] Available at: https://social.technet.microsoft.com/wiki/contents/articles/15530.the-four-pillars-of-identity-identity-management-in-the-age-of-hybrid-it.aspx

78
Bibliography: 7 of 11
MSDN, n.d. Federated Identity Pattern. [Online] Available at: https://msdn.microsoft.com/en-us/library/dn589790.aspx
Ng, F., 2015. Trust No One? How Far Forrester's "Zero Trust" Model Should Go. [Online] Available at: https://www.linkedin.com/pulse/trust-one-how-far-forresters-zero-model-should-go-freeman-ng
OCEG, n.d. Home page. [Online] Available at: http://www.oceg.org/
Palo Alto Networks, 2012. Zero Trust Network Architecture with John Kindervag. [Online] Available at: https://www.youtube.com/watch?v=SSUUg38lFg0
Panetta, K., 2016. Gartner’s Top 10 Security Predictions 2016. [Online] Available at: http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/
PatecCo, n.d. 5 Practical Tips for Access Attestation. [Online] Available at: http://www.patecco.com/blog/attestation-blog-post

79
Bibliography: 8 of 11
Power, C., 2011. Security Zone: The ISO/IEC 38500 IT governance standard. [Online] Available at: http://www.computerweekly.com/opinion/Security-Zone-The-ISO-IEC-38500-IT-governance-standard
Powers, A., 2012. Network Segmentation, Segregation, and Zero-Trust Design. [Online] Available at: https://www.plixer.com/blog/netflow/network-segmentation-zero-trust/
Preimesberger, C., 2016. 10 Emerging Compliance and Information Governance Trends. [Online] Available at: http://www.eweek.com/it-management/slideshows/10-emerging-compliance-and-information-governance-trends.html
PWC, 2014. The value of an information governance strategy. [Online] Available at: https://www.pwc.co.uk/forensic-services/assets/fts-ig-info-gov-white-paper-april-2014.pdf
Radiant Logic, Inc., n.d. OpenID Connect. [Online] Available at: http://www.radiantlogic.com/docs/docs/configuration/openidconnect.html

80
Bibliography: 9 of 11
Radiant Logic, n.d. RadiantOne VDS. [Online] Available at: http://www.radiantlogic.com/products/radiantone-vds/
Rakesh, n.d. Identity Driven Enterprise (Security) Architecture (IDEAs!). [Online] Available at: http://identity-centric-architecture.blogspot.co.uk/
RSA, n.d. RSA SecurID Access. [Online] Available at: https://www.rsa.com/en-us/products-services/identity-access-management/securid
Scholtz, T., 2015. Gartner Survey Shows Information Security Governance Practices Are Maturing. [Online] Available at: http://www.gartner.com/newsroom/id/3098118
Seiner, R., 2015. Real-World Data Governance Webinar: Data Governance Framework Components. [Online] Available at: https://www.youtube.com/watch?v=cYuRu6P8ugI
Sharmila, M., 2015. The Rise of Data Governance Comes With the Age of Data 2.0. [Online] Available at: http://insights.wired.com/profiles/blogs/data-governance-rises-in-importance-for-data-2-0-age#axzz3SbFPOYc4

81
Bibliography: 10 of 11
SMMT, 2015. The Society of Motor Manufacturers and Traders Motor Industry Facts 2015. [Online] Available at: https://www.smmt.co.uk/wp-content/uploads/sites/2/100049_SMMT-Facts-Guide-2015.pdf
Sylvester, D., 2011. ISO 38500—Why Another Standard? [Online] Available at: https://www.isaca.org/Knowledge-Center/Documents/COBIT-Focus-ISO-38500-Why-Another-Standard.pdf
Tracesecurity, n.d. TraceCSO simplifies information security and compliance management. [Online] Available at: https://www.tracesecurity.com/solutions/tracecso
UL.com, 2014. Ten things you need to know about tokenization. [Online] Available at: https://www.ul-ts.com/about/newsroom/ten-things-you-need-to-know-about-tokenization/
Van Driel, R., 2015. Zero Trust and APT. [Online] Available at: https://www.linkedin.com/pulse/zero-trust-apt-ruud-van-driel-cissp
Vigneron, A., 2014. ISO 27014 et 38500. [Online] Available at: http://www.slideshare.net/AntoineVigneron/iso-27014-38500
82
Bibliography: 11 of 11
Vormetric, n.d. Compliance Overview. [Online] Available at: https://www.vormetric.co.uk/compliance/overview
Whitman, M. & Mattord, H., 2015. Principles of Information Security. 5th ed. Cengage.
Wikipedia, n.d. Identity Provider. [Online] Available at: https://en.wikipedia.org/wiki/Identity_provider
Wikipedia, n.d. Integrated Windows Authentication. [Online] Available at: https://en.wikipedia.org/wiki/Integrated_Windows_Authentication
Wikipedia, n.d. ISO/IEC 38500. [Online] Available at: https://en.wikipedia.org/wiki/ISO/IEC_38500
Yegge, S., 2011. Stevey's Google Platforms Rant. [Online] Available at: https://plus.google.com/+RipRowan/posts/eVeouesvaVX

-oo000oo-
83
