Time
2 hours 41 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hi and welcome back
00:02
to the next session of Cybersecurity Architectural Fundamentals,
00:07
Enterprise Security Areas, Part Two.
00:11
In this session, I will go through two main areas, which are identity and access management
00:18
and data protection.
00:21
Identity and access management.
00:24
It's a very important part of any system.
00:28
It covers the authentication and authorization aspect of a system
00:33
and how we manage privileged users.
00:36
And it's much more complex than most people think.
00:42
For identity and access management,
00:45
there are four phases of concern,
00:48
the first being identify,
00:51
which is simply getting someone to supply some credentials.
00:55
Second is to authenticate.
00:58
This is where we ensure that the
01:00
identification presented
01:03
is accurate or real.
01:06
Then I will pass on to authorize, which is to allow the actions for that identity which has been verified.
01:15
And lastly, there needs to be an audit function which keeps track of the activities performed with the identity.
01:26
These four phases are sometimes known as the IAAA phases of identity management.
01:34
Now there are many ways to view identity and access management today. I'll just quickly brief on one view of it, which is from the IBM Redbook Enterprise Security Architecture Using IBM Tivoli Security Solutions.
01:51
In this view, identity and access management
01:53
is broken into five subsystems,
01:57
which are the management of identity and credentials, management of access controls, management of information flows, management of solution integrity and the management of security audit.
02:13
Each of these subsystems can be fairly complex. Let me go to an example.
02:20
Now,
02:21
taking a look at one subsystem, which is the identity management subsystem.
02:25
As you can see from the picture, there are many components that make up identity management.
02:31
We have to take into account how an identity is brought into the system. How is it verified?
02:39
How is it authenticated? How do we deal with rejected credentials? And how do we pass it on to other subsystems, like the audit subsystem?
02:51
To design a good identity system, there are many things to work on.
02:57
To further illustrate,
02:59
I take a look at another subsystem, which is the access management.
03:04
Once a credential has been verified,
03:07
we have to decide what can they access.
03:10
This is about the rights management to the system. What are they authorized to do, and what systems can they have access to?
03:20
Looking at access management, we have to worry about the session. How long is a person granted access
03:27
and by which means can they access the system?
03:30
As you can see, it's not so straightforward. And it's not as simple as most people see on the surface.
03:38
To learn more about this, I would highly encourage you to get the Redbook
03:43
shown below, Enterprise Security Architecture Using IBM Tivoli Security Solutions. It's a fairly old book, but the principles are still sound today.
03:54
Besides the technical implementation from the subsystem view,
04:00
it is also important to pay attention to the implementation procedures for any access system.
04:08
In this example from the IBM Redpaper
04:13
on identity and access management architectural patterns,
04:16
we can see how implementing a role-based access control has a lot more sub-steps than most people realize.
04:25
Well, this is not the only way to do it, but I encourage you to learn more about design patterns and architectural patterns so you do not have to reinvent the wheel.
04:35
The point is to pay close attention to procedures as well as technical implementation or technical solutions.
04:46
The threats around identity and access management
04:49
can be viewed from identity threats and access threats.
04:55
In identity threats, there could be spoofing,
04:58
identity theft
05:00
and key logging. These are all threats to stealing identity.
05:03
In terms of access threats, we always worry about escalation of privileges and also about information leaks.
05:13
The controls to implement to mitigate this risk would depend very much on the system
05:19
it is implemented on.
05:21
Some of the more common tools and techniques used to mitigate threats in this space would be the use of an identity manager,
05:31
employ for and never the fix.
05:35
Employ good provisioning processes
05:39
and the use of multi-factor authentication.
05:43
In the case of access management, do pay attention to single sign-on systems and how you configure them.
05:49
Employ the use of privileged access management,
05:55
which can not only keep the password secret but also do session recording for audit purposes.
06:04
Behavior analytics
06:06
is also a novel way to look at access management. Do people normally access systems from certain locations, certain times of the day and so on?
06:16
And a role-based approach is a very good way
06:20
to manage all the different rights.
06:26
Now let's take a look at data protection.
06:29
Data protection is increasingly becoming much more important to the management and to your boards. Data protection covers the collection, storage and dissemination of data,
06:41
and beyond the technical, we need to consider legal regulations and restrictions of the data and where it resides.
06:50
Some of the key questions to ask when dealing with data protection:
06:57
what does the system administrator need to see?
07:00
Who administers the administrator?
07:01
What if the administrator's account is compromised?
07:04
How do you limit or reduce the damage, and so on?
07:10
Most organizations would have a Chief Data Officer or Chief Data Protection Officer.
07:15
It is good to work with these people to understand the legal requirements on securing the data.
07:24
Some of the more common threats to data protection include
07:29
regulatory compliance, like GDPR for Europe,
07:32
data residency law: can data be moved across borders,
07:38
encryption standards,
07:40
privileged users, which includes database administrators,
07:43
the right to erasure
07:45
and data portability, the right to be able to move data out of the hosting provider, for example.
07:53
Only when you understand the legal requirements or regulatory requirements, then can you have the right level
08:00
of control measures to be put in place.
08:03
There are many tools around data protection. Some of the more common or newer ones include the use of DLT technology, like blockchain,
08:15
anonymizing technology like tokenization of a database,
08:20
encryption algorithm standards, and homomorphic encryption is increasingly popular in data sharing systems.
08:31
The use of multiparty trust computation is also increasing, with a lot more collaboration between various organizations, like some banks working together,
08:43
and old fashioned technology like database activity monitoring and prevention is also very useful to ensure that data is only seen by those who need to see it.
08:56
In summary,
08:58
we have gone through identity and access management,
09:01
and hopefully you'll understand it's a lot more complex than it seems,
09:07
and some of the things to consider when thinking about data protection strategies.
09:13
Some good reading materials are the NIST page on identity and access management, with a lot of resources there,
09:20
and this guide to protecting the confidentiality of personally identifiable information.
09:28
These papers are freely available, and I highly encourage you to download them to take a read.
09:37
In the next session, we will wrap up the enterprise security areas covering vulnerability and patch management,
09:46
availability management and supply chain security. So if you have the time,
09:50
I'll see you in the next lecture.

Fundamentals of Cybersecurity Architecture

This cyber security architecture class aims to give an appreciation of the various aspects of consideration that goes into a proper security architecture.

Instructed By

Ian Loe
Sr. Vice President at NTUC Enterprise Co-operative Limited