Cómo la gestión de identidades y accesos me ayuda con el

Transcripción

1 Security & Compliance Cómo la gestión de identidades y accesos me ayuda con el cumplimiento regulatorio? é Henry Pérez Senior Solution Strategist

2 Agenda Algunas cifras asociadas al cumplimiento regulatorio Un paralelo entre ISO/IEC y NTP ISO/IEC Ley para la protección de datos personales La estrategia de cumplimiento Cómo IAM apoya transversalmente su estrategia de cumplimiento Comentarios y Conclusiones 2 Copyright 2013 CA. All rights reserved.

3 El cumplimiento regulatorio en cifras globales Información personalo o corporativa confidencial o sensible El costopromediode un brecha de seguridad, por registro comprometido, es de USD $214. La principal causa es La actividades relacionadas con el la negligencia1 cumplimiento regulatorio cuestan cuestan a las compañías en promedio USD La compañía promedio debe cumplir con45 diferentres regulaciones 3 $5,400 Por empleado 2 Sources: 1. Ponemon Institute 2. Competitive Enterprise Institute, 3. CA sponsored survey, 4. Industry studies 3 Copyright 2013 CA. All rights reserved.

4 Un paralelo entre la ISO/IEC y la NTP ISO/IEC Código de Páti Práctica para la Gestión Norma Técnica Peruana de la Seguridad de la Información Aplicación obligatoria para Estándarbritánico quese conviritió Entidades del Estado en estándar onternacional Sistema de Gestión de Seguridad de Aplicación de buenas prácticas de Informacion (SGSI) Seguridad de la Información Instituto nacional de defensa de la Objetivos de control competencia y de la protección de la propiedad intelectual 4 Copyright 2013 CA. All rights reserved.

5 Controles de Seguridad donde CA lo apoya ISO/IEC 27001:2005 Anexo A Objetivos de Control Gobierno A5. Política de seguridad A6. Seguridad organizacional Cumpli- miento Gobierno ISO Anexo A Operaciones Activos Usuarios y Accesos Activos A7. Gestión de activos Usuarios y Accesos A8. Seguridad en recursos humanos A9. Seguridad física y del entorno A11. Control de accesos Operaciones A10. Gestión de comunicaciones y operaciones A12. Adquisición de sistemas, desarrollo y mantenimiento A13. Gestión de incidentes en seguridad de información A14. Gestión de la continuidad del negocio 5 Copyright 2013 CA. All rights reserved. 5 Cumplimiento A15. Cumplimiento

6 Objetivos de Control ISO Administración de Activos 7. Asset management Control CA Solution Support 7.1 RESPONSIBILITY FOR ASSETS Control objective: To achieve and maintain i appropriate protection of organizational i assets Inventory of assets. CA GovernanceMinder can help to identify & manage current access rights to resources (DB s s, apps, transactions, flies, folders) Ownership of Assets CA GovernanceMinder. can assign an owner to every logical resource Acceptable use of assets Usage of assets can be monitored by CA UARM & CA GovernanceMinder to check acceptable use of assets. 7.2 INFORMATION CLASSIFICATION Control Objectives: To ensure that information receives an appropriate level of protection Classification Guidelines CA DataMinder can assist in the classification of information. Classification of resources (DB s, files, folders, transactions, apps, etc) can be managed by CA GovernanceMinder, which can then be used for allocation of access rights to users Information labeling and handling CA Dataminder can contribute to the process of information labeling and enforcement of how labeled information is controlled. Access rights can be handled based on classification and information labeling with CA GovernanceMinder. 6 Copyright 2013 CA. All rights reserved.

7 ISO : Sección 8 Seguridad sobre el Recurso Humano 8. Control CA Solution Support 8.1 PRIOR TO EMPLOYMENT Control Objective: To ensure that employees, contractors and third party users understand d their responsibilities, i and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities Roles and responsibilities CA GovernanceMinder can assist in this process by discovering the existing role model based on the org chart, responsibilities and business needs. 8.2 DURING EMPLOYMENT Control Objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error Management responsibilities CA IdentityMinder allows the assignment of roles, access rights, groups thru Services, that could be predefined thru workflows. 8.3 TERMINATION OR CHANGE OF EMPLOYMENT Control objectives: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner Termination responsibilities CA IdentityMinder could be use to predefine the workflow sequence to assign responsibilities for performing employment termination or changes. 832Removalof of access rights CA IdentityMinder can automate the removal of access rights from all IT users to information and IT facilities on termination Copyright 2013 CA. All rights reserved. 7

8 ISO : Section 11.2 Gestión de accesos de los usuarios Control CA Solution Support 11.2 USER ACCESS MANAGEMENT Control objective: :To ensure authorised user access and dto prevent unauthorised access to information systems User registration CA Identity Minder provides identity creation and management services through delegated user administration, user self-service, integrated workflow, and a structured administrative model to enable role based access control. It is designed specifically to address the challenges of user management (requesting, establishing, issuing, suspending, and closing of user accounts). CA GovernanceMinder will enable you to quickly build and manage a role model to more efficiently support the management of identities and their IT access. CA CloudMinder/CA d SiteMinder allows for Just in time provisioning i i via SAML Privilege CA Identity Management & Access Governance can manage the allocation, change and management revocation of privileges for each user. CA ControlMinder can manage and enforce the allocation and use of high privilege access to distributed IT systems. CA SiteMinder provides rule and role based access privilege management for web access to information and resources User password management CA IdentityMinder /CA SiteMinder can support the process of password management. Password Services also enable password self-service and forgotten password services for end users Review of user CA Identity Management & Access Governance provides a means of formally reviewing access access rights rights across the organization at regular intervals through its robust audit and reporting capabilities 8 Copyright 2013 CA. All rights reserved.

9 ISO : Sección 11.5 Operación de sistemas de control de acceso 11.5 OPERATING SYSTEM ACCESS CONTROL Control objectives: To prevent unauthorized access to operating systems Secure log-on procedures CA ControlMinder and CA SiteMinder provide secure log on methods and can support third party strong authentication mechanisms such as CA AuthMinder/ CA RiskMinder User identification and authentication Password management system CA IdentityMinder, CA ControlMinder & CA SiteMinder can provide the means of managing and authenticating unique identifiers for user log on under a variety of conditions. CA IdentityMinder provides an interactive means of managing passwords and ensuring password quality. As described in Use of system utilities CA ControlMinder can control the use of system utilities by unauthorized users; including fine grained control of what operations (such as termination) may be performed on those utilities Session time out CA SiteMinder provides session and idle timeouts to protect business and system applications when accessed via the Web Limitation of connection time CA ControlMinder & CA SiteMinder can control the times at which access to high risk systems can be allowed and disallowed. 9 Copyright 2013 CA. All rights reserved.

10 ISO : Sección 10 Gestión de comunicaciones y operaciones Control CA Solution Support 10.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES Control objectives: To ensure the correct and secure operation of information processing facilities Change Management CA Change Manager capability solution set will provide an automated change control system Segregation of duties This can be enforced through rules in CA IdentityMinder and CA GovernanceMinder as they can implement, document and help enforce segregation of duties rules Separation of development and test The separate test and development facilities can each use CA ControlMinder operational facilities to reduce the risks of unauthorized changes to the operational system MEDIA HANDLING Control objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruptions to business activities Information handling procedures CA ControlMinder can enforce access restrictions to prevent access from unauthorized personnel. CA DataMinder can assist in the classification of the information and can control its movement even by authorized personnel if it is against policy Security of system documentation For documentation held electronically, CA ControlMinder and/or CA SiteMinder Sharepoint can control access to and help pprevent damage to the information. CA DataMinder can also protect system documentation and help prevent it from being distributed to unauthorized personnel. 10 Copyright 2013 CA. All rights reserved.

11 ISO27002 : Sección 10.9 Servicios de Comercio Electrónico 10.9 ELECTRONIC COMMERCE SERVICES Control objective: To ensure the security of electronic commerce services, and their secure use Electronic commerce CA SiteMinder and CA DataMinder contribute to the protection of information in electronic commerce and protect the integrity and confidentiality of that information. CA AuthMinder/CA RiskMinder a llows the use of PKI OTP, digital certificates and Adaptative Authentication can also contribute to this control On line transactions CA SiteMinder can contribute to the protection of online transactions. CA AuthMinder &CARi RiskMinder allows the use of digital it certificates t and PKI should also be considered to help meet the requirements of this control Publicly available information CA SiteMinder, CA DataMinder & CA ControlMinder can help to protect publicly available information from unauthorized modification. 11 Copyright 2013 CA. All rights reserved.

12 ISO27001 Sección 12 Adquisición de sistemas, desarrollo y mantenimiento Control CA Solution Support 12.3 CRYPTOGRAPHIC CONTROLS Control objectives: To protect t the confidentiality, authenticity ti it or integrity it of information by cryptographic means Policy on the use of cryptographic controls 12.4 SECURITY OF SYSTEM FILES Control objectives: To ensure the security of system files Control of operational software Protection of system test data Access control to source code Consultancy services can assist in the development of such a policy. CA DataMinder can be used to help enforce the use of encryption in some communication channels. CA Change and Configuration Management capability solutions can help control the installation of software on operational systems. CA ControlMinder can provide the protection of the software in operation. CA ControlMinder can provide protection for system test data, controlling who has access to the information on systems. CA DataMinder can apply rules to the movement of test data even for those people who have the access rights to the data. CA ControlMinder can help protect source libraries. CA GovernanceMinder can confirm that access rights to source codes and library are granted only to approved users, based on roles, responsibilities and business needs SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES Control objectives: To maintain the security of application system software and information Information leakage CA DataMinder can help provide control of information across multiple leak points in the organization, such as , Instant Messaging, FTP, printing and saving to USB. 12 Copyright 2013 CA. All rights reserved.

13 ISO27001 : Sección 13 Gestión de incidentes en seguridad de información Control CA Solution Support 13.1 REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES Control objectives: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken Reporting information security events CA Service Desk Manager provides a means of receiving and managing reports of security incidents Reporting security weaknesses Consultancy services can provide advice on the processes and employee education needs for reporting of security weaknesses. CA Service Desk Manager can be used as a central place to make, record and manage those reports MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS Control objectives: To ensure a consistent and effective approach is applied to the management of information security incidents learning from information security incidents CA User Activity Reporting Module provides a view of enterprise wide security activity and incidents Collection of evidence Consultancy services can provide advice on the procedures for evidence gathering and handling. CA User Activity Reporting Module provides a means to collect and report on logs and security activity and can support follow up action on security incidents. 13 Copyright 2013 CA. All rights reserved.

14 ISO27001 : Sección 15 Cumplimiento Control CA Solution Support 15.1 COMPLIANCE WITH LEGAL REQUIREMENTS Control objectives: To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements Data protection and. Where personal information is held on IT systems it can be protected with CA ControlMinder. privacy of personal CA DataMinder can help control the use and movement of personal information to maintain its information privacy, even when access rights to the data are granted. Access to protected data and private information can be limited, managed and controlled with CA GovernanceMinder, based on the user s business needs, role, responsibilities, etc Prevention of Inappropriate use of information processing facilities can be controlled by CA ControlMinder misuse of information for servers and CA SiteMinder for web applications. CA IdentityMinder provides facilities to processing facilities manage the identity of people authorized to use information processing facilities of IT systems. CA GovernanceMinder can prevent logical access to information processing facilities by unauthorized users COMPLIANCE WITH SECURITY POLICIES AND STANDARDS AND TECHNICAL COMPLIANCE Control objectives: To ensure compliance of systems with organizational security policies and standards Compliance with security policy and standards Technical compliance checking CA UARM provides a view of CA IAM enterprise-wide security activity and incidents that can be used to review the adherence to the organization s security policies and standards. CA GovernanceMinder can be used in order to define rule and restrictions that are based on the security policy. Once defined monitoring of violations can be done with provided dashboards and reports. A preventive policy checks can be used, during requests and adm processes. CA GovernanceMinder can be used to define rules and restrictions that are based on the security policy. Once defined, monitoring of violations can be done with provided dashboards 14 Copyright 2013 CA. All rights reserved.

15 LEY N Ley de Protección de Datos Personales Consta de 6Títulos, 131 Artículos Definiciones Datos Personales, Datos Personales de Salud,Datos Sensibles Ambitos de aplicacióny ió excepciones Tratamiento de datos personales Procedimientos Custodia, accesos, utilización Capitulo V: Medidas de seguridad: Articulo 39 Control de accesos a la información, gestión de privilegios Generar y mantener registros sobre las interacciones Capitulo V: Articulo 40 Conservación, respaldoy recuperación de dt datos personales (NTP 17799) Capitulo V: Articulo 44 Acceso a la documentación personal se limitará exclusivamente a personal autorizado 15 Copyright 2013 CA. All rights reserved.

16 Por donde empezar: Establecer un plan de respuesta Definir un equipo de trabajo responsable del proceso Realizar un análisis de la situación actual con respecto al cumplimiento de la ley Definir la política de privacidad de la organización Levantamiento de información de todos los datos de tipo personal dentro y fuera de la organización. Identificación ió de riesgos y definición i ió de un plan en cuanto a mecanismos de protección Establecer plan de respuesta a incidentes 16 Copyright 2013 CA. All rights reserved.

17 Los frentes de ataque Procedimientos dentro de la empresa Tecnologías de apoyo 17 Copyright 2013 CA. All rights reserved.

18 Las políticas de seguridad como parte de los procesos de negocio Políticas de seguridad Política de protección de datos confidenciales o sensibles Política de acceso para la retención de la información Procedimientos i dentro de la empresa Sistema de clasificación De la información basado en roles Procedimiento de registro de actividades de usuario 18 Copyright 2013 CA. All rights reserved.

19 La responsabilidad de la tecnología Evitar el robo de información Evitar la fuga de información Tecnologías de apoyo 19 Copyright 2013 CA. All rights reserved.

20 La tecnología me ayuda a automatizar los controles Automatización de controles Accesos basados en roles a las aplicaciones de negocio Segregación g de usuarios privilegiados Tecnologías de apoyo Prevención de fuga de información ió Monitoreo y registro de actividades de usuario 20 Copyright 2013 CA. All rights reserved.

21 Acceso seguro basado en roles a las aplicaciones de negocio 4 Facilidades Partner Website 3 5 Applications 1. Autenticación 2. Autogestión de Contraseñas 3. Single sign on 4. Federación 5. Autorización basada en Politicas 6. Aprovisionamento de Cuentas 7. Certificación y reportes de privilegios Customer 1 7 Use Logs Employee Partner 2 Self Service 6 Endpoint Directories Beneficios Mejor experiencia al usuario Reducción de riesgos Aumento de eficiencia operativa Agilidad para lanzamiento de nuevos servicios 21 Copyright 2013 CA. All rights reserved.

22 Acceso seguro basado en roles a las aplicaciones de negocio Gestión de Acceso Web Partner Website Applications CA SiteMinder CA SiteMinder Federation CA AuthMinder (Autenticación avanzada) RiskMinder (Análisis de Riesgo sobre transacciones) Customer Employee Use Logs Administración & Gobierno de Identidades CA IdentityMinder CA GovernanceMinder Partner Self Service Endpoint Directories 22 Copyright 2013 CA. All rights reserved.

23 Control de acceso de usuarios privilegiados El entorno del centro de cómputos evoluciona.. VM VM VM Hypervisor Trusted insiders or business partners are responsible for 43% of security breaches * Your Data Protection Strategy Will Fail Without Strong Identity Context ; Forrester Research, Inc., June 27, 2011 Virtualización ió Ataques dirigidosi id AmenazasInternas crea nuevos desafíos para la seguridad Password Admin Auditor Systems Admin VM VM VM Hypervisor Virtualization Mgmt Control Cuentas Compartidas Complejidad 23 Copyright 2013 CA. All rights reserved.

24 CA ControlMinder ofrece una completa solución para la segregación de usuarios privilegiados Seguridad para virutalización VM VM Hypervisor VM CA ControlMinder Gestión de cuentas compartidas Control de acceso granular Reportes Autenticación ti ió de integrada actividad UNIX usuarios 24 Copyright 2013 CA. All rights reserved.

25 Prevención de fuga de información CA IdentityMinder & CA GovernanceMinder ActiveDirectory / Enterprise LDAP Security Administrator Policy Management User Identity & Roles CA DataMinder Central Management Server CA DataMinder Content Classification Service CA SiteMinder MS SharePoint Content Protection Endpoints MS Outlook Lotus Notes Internet Explorer Local File Scanning USB /CD DVD Print Application Control File Shares & Data Repositories File Scanning Agent SharePoint MS Exchange Public Folders Databases Reviewer Incident Review, Reports & Dashboards iconsole Message Servers & MTAs MS Exchange Lotus Domino MS IIS SendMail PostFix Quarantine Classifications Native & 3 rd Party Encryption & DRM/IRM Integration 3 rd Party Archives Network Devices Network Boundary Appliance Planned Integration 25 Copyright 2013 CA. All rights reserved.

26 Monitoreo y registro de actividad de usuarios Security Operations PCI OS Applications Auth Systems Prov Systems SOX HIPAA FISMA NERC Network Operations Report Investigate IAM Systems SAS70 ISO27.. COSO COBIT BASEL II Auditor / Governance JSOX User Activity Reporting Module Databases Directories Firewalls Proxy Auth Systems Routers Switches VPN Proof Points Qué hace Reportesde compliance para verificar controles de seguridad Análisis Drill down de actividades de usuarios y acceso a recursos Facilidades Reportes predefinidos y customizables de compliance Análisis e Investigación interactivo y multidimensional de logs Reportesde Tendencias Actualización automática de Reportes Integración IAM, Spectrum, MF, Help Desk 26 Copyright 2013 CA. All rights reserved.

27 Soluciones de Seguridad de CA 27 Copyright 2013 CA. All rights reserved.

28 Comentarios y conclusiones La tecnología junto con los procedimientos se complementan para dar respuesta a los requerimientos regulatorios La seguridad d basadaen la identidad d juega un papel fundamental en la mitigación de riesgos El cumplimiento debe darse como un proceso transversal que cubre varios controles, de esto depende fundamentalmente la efeciencia i de mi plan El establecimiento de un modelo de madurez dentro del cumplimiento es la clave de las mediciones, así como auditorías internas para que no se pierda validez en el tiempo. 28 Copyright 2013 CA. All rights reserved.

29 FOR INFORMATION PURPOSES ONLY Terms of this presentation This presentation was based on current information that may outline CA s general product direction as of April 2013 and is subject to change by CA at any time without notice. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA will make such release available (i) for sale to new licensees of such product; and (ii) to existing licensees of such product on a when and if available basis as part of CA maintenance and support, and in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if available il basis. In the event of a conflict between the terms of this paragraph and any other information contained in this presentation, the terms of this paragraph shall govern. All information in this presentation is for your informational purposes only and is provided as is without warranty of any kind. In no event will CA be liable from this presentation. No unauthorized copying or distribution permitted. 29 Copyright 2013 CA. All rights reserved.

30 Q&A