Security & Compliance
How does identity and access management help me with regulatory compliance?
Henry Pérez, Senior Solution Strategist

Agenda
- Some figures associated with regulatory compliance
- A parallel between ISO/IEC 27001 and NTP ISO/IEC 27001
- Law 29733 on the protection of personal data
- The compliance strategy
- How IAM supports your compliance strategy across the board
- Comments and conclusions
Copyright © 2013 CA. All rights reserved.

Regulatory compliance in global figures
- Confidential or sensitive personal or corporate information: the average cost of a security breach, per compromised record, is USD $214. The main cause is negligence (1).
- Activities related to regulatory compliance cost companies on average USD $5,400 per employee (2).
- The average company must comply with 45 different regulations (3).
Sources: 1. Ponemon Institute; 2. Competitive Enterprise Institute; 3. CA-sponsored survey; 4. Industry studies.

A parallel between ISO/IEC 27001 and NTP ISO/IEC 27001
ISO/IEC 27001:
- Code of practice for information security management
- A British standard that became an international standard
- Application of good information security practices
- Control objectives
NTP ISO/IEC 27001 (Norma Técnica Peruana):
- Mandatory application for state entities
- Information Security Management System (ISMS)
- Issued by the Instituto Nacional de Defensa de la Competencia y de la Protección de la Propiedad Intelectual

Security controls where CA supports you: ISO/IEC 27001:2005 Annex A, control objectives
- Governance: A5 Security policy; A6 Organizational security
- Assets: A7 Asset management
- Users and access: A8 Human resources security; A9 Physical and environmental security; A11 Access control
- Operations: A10 Communications and operations management; A12 Systems acquisition, development and maintenance; A13 Information security incident management; A14 Business continuity management
- Compliance: A15 Compliance

ISO 27002 control objectives: asset management (7). Control / CA solution support
7.1 Responsibility for assets. Control objective: To achieve and maintain appropriate protection of organizational assets.
7.1.1 Inventory of assets: CA GovernanceMinder can help to identify and manage current access rights to resources (DBs, apps, transactions, files, folders).
7.1.2 Ownership of assets: CA GovernanceMinder can assign an owner to every logical resource.
7.1.3 Acceptable use of assets: Usage of assets can be monitored by CA UARM and CA GovernanceMinder to check acceptable use of assets.
7.2 Information classification. Control objective: To ensure that information receives an appropriate level of protection.
7.2.1 Classification guidelines: CA DataMinder can assist in the classification of information. Classification of resources (DBs, files, folders, transactions, apps, etc.) can be managed by CA GovernanceMinder, which can then be used for allocation of access rights to users.
7.2.2 Information labeling and handling: CA DataMinder can contribute to the process of information labeling and enforcement of how labeled information is controlled. Access rights can be handled based on classification and information labeling with CA GovernanceMinder.
ISO 27001 Section 8: Human resources security. Control / CA solution support
8.1 Prior to employment. Control objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
8.1.1 Roles and responsibilities: CA GovernanceMinder can assist in this process by discovering the existing role model based on the org chart, responsibilities and business needs.
8.2 During employment. Control objective: To ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.
8.2.1 Management responsibilities: CA IdentityMinder allows the assignment of roles, access rights and groups through Services, which can be predefined through workflows.
8.3 Termination or change of employment. Control objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
8.3.1 Termination responsibilities: CA IdentityMinder can be used to predefine the workflow sequence that assigns responsibilities for performing employment termination or changes.
8.3.2 Removal of access rights: CA IdentityMinder can automate the removal of access rights from all IT users to information and IT facilities on termination.

ISO 27001 Section 11.2: User access management. Control / CA solution support
11.2 User access management. Control objective: To ensure authorised user access and to prevent unauthorised access to information systems.
11.2.1 User registration: CA IdentityMinder provides identity creation and management services through delegated user administration, user self-service, integrated workflow, and a structured administrative model to enable role based access control. It is designed specifically to address the challenges of user management (requesting, establishing, issuing, suspending, and closing of user accounts). CA GovernanceMinder will enable you to quickly build and manage a role model to more efficiently support the management of identities and their IT access. CA CloudMinder/CA SiteMinder allow for just-in-time provisioning via SAML.
11.2.2 Privilege management: CA Identity Management & Access Governance can manage the allocation, change and revocation of privileges for each user. CA ControlMinder can manage and enforce the allocation and use of high privilege access to distributed IT systems. CA SiteMinder provides rule and role based access privilege management for web access to information and resources.
11.2.3 User password management: CA IdentityMinder/CA SiteMinder can support the process of password management. Password Services also enable password self-service and forgotten password services for end users.
11.2.4 Review of user access rights: CA Identity Management & Access Governance provides a means of formally reviewing access rights across the organization at regular intervals through its robust audit and reporting capabilities.

ISO 27002 Section 11.5: Operating system access control
11.5 Operating system access control. Control objective: To prevent unauthorized access to operating systems.
11.5.1 Secure log-on procedures: CA ControlMinder and CA SiteMinder provide secure log-on methods and can support third party strong authentication mechanisms such as CA AuthMinder/CA RiskMinder.
11.5.2 User identification and authentication: CA IdentityMinder, CA ControlMinder and CA SiteMinder can provide the means of managing and authenticating unique identifiers for user log-on under a variety of conditions.
11.5.3 Password management system: CA IdentityMinder provides an interactive means of managing passwords and ensuring password quality, as described in 11.3.1.
11.5.4 Use of system utilities: CA ControlMinder can control the use of system utilities by unauthorized users, including fine-grained control of what operations (such as termination) may be performed on those utilities.
11.5.5 Session time-out: CA SiteMinder provides session and idle timeouts to protect business and system applications when accessed via the Web.
11.5.6 Limitation of connection time: CA ControlMinder and CA SiteMinder can control the times at which access to high risk systems can be allowed and disallowed.

ISO 27001 Section 10: Communications and operations management. Control / CA solution support
10.1 Operational procedures and responsibilities. Control objective: To ensure the correct and secure operation of information processing facilities.
10.1.2 Change management: The CA Change Manager capability solution set will provide an automated change control system.
10.1.3 Segregation of duties: This can be enforced through rules in CA IdentityMinder and CA GovernanceMinder, as they can implement, document and help enforce segregation of duties rules.
10.1.4 Separation of development and test: The separate test and development facilities can each use CA ControlMinder operational facilities to reduce the risks of unauthorized changes to the operational system.
10.7 Media handling. Control objective: To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruptions to business activities.
10.7.3 Information handling procedures: CA ControlMinder can enforce access restrictions to prevent access from unauthorized personnel. CA DataMinder can assist in the classification of the information and can control its movement, even by authorized personnel, if it is against policy.
10.7.4 Security of system documentation: For documentation held electronically, CA ControlMinder and/or CA SiteMinder can control access to and help prevent damage to the information. CA DataMinder can also protect system documentation, including in SharePoint, and help prevent it from being distributed to unauthorized personnel.

ISO 27002 Section 10.9: Electronic commerce services
10.9 Electronic commerce services. Control objective: To ensure the security of electronic commerce services, and their secure use.
10.9.1 Electronic commerce: CA SiteMinder and CA DataMinder contribute to the protection of information in electronic commerce and protect the integrity and confidentiality of that information. CA AuthMinder/CA RiskMinder allow the use of PKI, OTP, digital certificates and adaptive authentication, which can also contribute to this control.
10.9.2 On-line transactions: CA SiteMinder can contribute to the protection of online transactions. CA AuthMinder and CA RiskMinder allow the use of digital certificates and PKI, which should also be considered to help meet the requirements of this control.
10.9.3 Publicly available information: CA SiteMinder, CA DataMinder and CA ControlMinder can help to protect publicly available information from unauthorized modification.
ISO 27001 Section 12: Systems acquisition, development and maintenance. Control / CA solution support
12.3 Cryptographic controls. Control objective: To protect the confidentiality, authenticity or integrity of information by cryptographic means.
12.3.1 Policy on the use of cryptographic controls: Consultancy services can assist in the development of such a policy. CA DataMinder can be used to help enforce the use of encryption in some communication channels.
12.4 Security of system files. Control objective: To ensure the security of system files.
12.4.1 Control of operational software: CA Change and Configuration Management capability solutions can help control the installation of software on operational systems. CA ControlMinder can provide the protection of the software in operation.
12.4.2 Protection of system test data: CA ControlMinder can provide protection for system test data, controlling who has access to the information on systems. CA DataMinder can apply rules to the movement of test data even for those people who have the access rights to the data.
12.4.3 Access control to source code: CA ControlMinder can help protect source libraries. CA GovernanceMinder can confirm that access rights to source code and libraries are granted only to approved users, based on roles, responsibilities and business needs.
12.5 Security in development and support processes. Control objective: To maintain the security of application system software and information.
12.5.4 Information leakage: CA DataMinder can help provide control of information across multiple leak points in the organization, such as email, instant messaging, FTP, printing and saving to USB.
ISO 27001 Section 13: Information security incident management. Control / CA solution support
13.1 Reporting information security events and weaknesses. Control objective: To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
13.1.1 Reporting information security events: CA Service Desk Manager provides a means of receiving and managing reports of security incidents.
13.1.2 Reporting security weaknesses: Consultancy services can provide advice on the processes and employee education needs for reporting of security weaknesses. CA Service Desk Manager can be used as a central place to make, record and manage those reports.
13.2 Management of information security incidents and improvements. Control objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
13.2.2 Learning from information security incidents: CA User Activity Reporting Module provides a view of enterprise-wide security activity and incidents.
13.2.3 Collection of evidence: Consultancy services can provide advice on the procedures for evidence gathering and handling. CA User Activity Reporting Module provides a means to collect and report on logs and security activity and can support follow-up action on security incidents.

ISO 27001 Section 15: Compliance. Control / CA solution support
15.1 Compliance with legal requirements. Control objective: To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements.
15.1.4 Data protection and privacy of personal information: Where personal information is held on IT systems it can be protected with CA ControlMinder. CA DataMinder can help control the use and movement of personal information to maintain its privacy, even when access rights to the data are granted. Access to protected data and private information can be limited, managed and controlled with CA GovernanceMinder, based on the user's business needs, role, responsibilities, etc.
15.1.5 Prevention of misuse of information processing facilities: Inappropriate use of information processing facilities can be controlled by CA ControlMinder for servers and CA SiteMinder for web applications. CA IdentityMinder provides facilities to manage the identity of people authorized to use information processing facilities of IT systems. CA GovernanceMinder can prevent logical access to information processing facilities by unauthorized users.
15.2 Compliance with security policies and standards and technical compliance. Control objective: To ensure compliance of systems with organizational security policies and standards.
15.2.1 Compliance with security policy and standards: CA UARM provides a view of CA IAM enterprise-wide security activity and incidents that can be used to review adherence to the organization's security policies and standards. CA GovernanceMinder can be used to define rules and restrictions that are based on the security policy. Once defined, monitoring of violations can be done with the provided dashboards and reports. Preventive policy checks can be used during requests and administration processes.
15.2.2 Technical compliance checking: CA GovernanceMinder can be used to define rules and restrictions that are based on the security policy. Once defined, monitoring of violations can be done with the provided dashboards.

Law N° 29733: Personal Data Protection Law
- Consists of 6 Titles, 131 Articles
  - Definitions: personal data, personal health data, sensitive data
  - Scope of application and exceptions
  - Processing of personal data: procedures; custody, access, use
- Chapter V, Security measures, Article 39: Access control
  - Control of access to information, management of privileges
  - Generate and maintain records of the interactions
- Chapter V, Article 40: Conservation, backup and recovery of personal data (NTP 17799)
- Chapter V, Article 44: Access to personal documentation shall be limited exclusively to authorized personnel

Where to start
- Establish a response plan
- Define a work team responsible for the process
- Analyze the current situation with respect to compliance with the law
- Define the organization's privacy policy
- Gather information on all personal data held inside and outside the organization
- Identify risks and define a plan for protection mechanisms
- Establish an incident response plan

The fronts of attack
- Procedures within the company
- Supporting technologies

Security policies as part of business processes (procedures within the company)
- Security policies
- Policy for the protection of confidential or sensitive data
- Access policy for the retention of information
- Role-based information classification system
- User activity logging procedure
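The ISO 27001 mapping earlier in the deck describes three IAM behaviours without showing them: segregation-of-duties rules (10.1.3), periodic review of access rights (11.2.4) and preventive policy checks at request time (15.2.1). The following is an added illustration written for this page, not CA product code; the accounts-payable roles, entitlements, SOD-xx rule ids and user names are constructed sample data.

```python
# Added illustration: preventive (request-time) and detective (review-time)
# segregation-of-duties checks over a role model. Sample code for this page,
# not CA product code; all roles, entitlements, rules and users are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    """A pair of entitlements that no single identity may hold at once."""
    rule_id: str
    left: str
    right: str


class RoleModel:
    def __init__(self, roles, rules):
        self.roles = roles          # role name -> set of entitlements
        self.rules = rules          # list of SodRule
        self.assignments = {}       # user -> set of role names

    def entitlements(self, user, extra_roles=()):
        """Effective entitlements of a user, optionally with roles not yet granted."""
        names = self.assignments.get(user, set()) | set(extra_roles)
        ents = set()
        for name in names:
            ents |= self.roles[name]
        return ents

    def violations(self, user, extra_roles=()):
        """Ids of the SoD rules that the user's (prospective) entitlements break."""
        ents = self.entitlements(user, extra_roles)
        return sorted(r.rule_id for r in self.rules
                      if r.left in ents and r.right in ents)

    def grant(self, user, role):
        # Unchecked grant, e.g. a legacy assignment imported from a target system.
        self.assignments.setdefault(user, set()).add(role)

    def request_role(self, user, role):
        """Preventive check (15.2.1): evaluate the request before provisioning.
        Returns (approved, conflicting rule ids)."""
        conflicts = self.violations(user, [role])
        if conflicts:
            return False, conflicts
        self.grant(user, role)
        return True, []

    def access_review(self):
        """Detective check (11.2.4): periodic report of users holding conflicts."""
        report = {}
        for user in sorted(self.assignments):
            found = self.violations(user)
            if found:
                report[user] = found
        return report


def build_sample():
    """Constructed sample: an accounts-payable role model with three SoD rules."""
    roles = {
        "ap_clerk": {"create_vendor", "enter_invoice"},
        "ap_manager": {"approve_payment"},
        "treasury": {"release_payment"},
    }
    rules = [
        SodRule("SOD-01", "create_vendor", "approve_payment"),
        SodRule("SOD-02", "enter_invoice", "approve_payment"),
        SodRule("SOD-03", "approve_payment", "release_payment"),
    ]
    model = RoleModel(roles, rules)
    model.grant("alice", "ap_clerk")
    model.grant("bob", "ap_clerk")
    model.grant("bob", "ap_manager")   # legacy conflict the review should surface
    model.grant("carol", "treasury")
    return model
```

With the sample data, alice's request for ap_manager is rejected at request time (SOD-01, SOD-02), while bob's pre-existing clerk plus manager combination is only caught by the periodic access review.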
The responsibility of technology (supporting technologies)
- Prevent information theft
- Prevent information leakage

Technology helps me automate the controls (control automation, supporting technologies)
- Role-based access to business applications
- Segregation of privileged users
- Prevention of information leakage
- Monitoring and logging of user activity

Secure role-based access to business applications
Facilities (diagram: customers, employees and partners reaching partner websites, applications, endpoints, directories, self-service and usage logs):
1. Authentication
2. Password self-service
3. Single sign-on
4. Federation
5. Policy-based authorization
6. Account provisioning
7. Certification and reporting of privileges
Benefits:
- Better user experience
- Risk reduction
- Increased operational efficiency
- Agility to launch new services

Secure role-based access to business applications
- Web access management: CA SiteMinder; CA SiteMinder Federation; CA AuthMinder (advanced authentication); CA RiskMinder (risk analysis of transactions)
- Identity administration and governance: CA IdentityMinder; CA GovernanceMinder

Privileged user access control
The data center environment is evolving (virtualization, targeted attacks, insider threats), which creates new security challenges: shared accounts and complexity. (Diagram: VMs on a hypervisor accessed by a password admin, an auditor, a systems admin and virtualization management.)
"Trusted insiders or business partners are responsible for 43% of security breaches." Source: "Your Data Protection Strategy Will Fail Without Strong Identity Context", Forrester Research, Inc., June 27, 2011.

CA ControlMinder offers a complete solution for the segregation of privileged users
- Shared account management
- Security for virtualization
- User activity reports
- Integrated UNIX authentication
- Granular access control

Prevention of information leakage (architecture diagram)
- CA SiteMinder: MS SharePoint content protection
- CA IdentityMinder & CA GovernanceMinder with Active Directory / Enterprise LDAP: user identity and roles
- CA DataMinder content classification service
- CA DataMinder endpoints: MS Outlook, Lotus Notes, Internet Explorer, local file scanning, USB/CD-DVD, print, application control
- Central management server: policy management by the security administrator
- File scanning agent: SharePoint, MS Exchange public folders, databases, file shares and data repositories
- Message servers and MTAs: MS Exchange, Lotus Domino, MS IIS, Sendmail, Postfix, with quarantine and classifications
- iConsole reviewer: incident review, reports and dashboards
- Network boundary appliance and network devices
- Native and third-party encryption and DRM/IRM integration; third-party archives (planned integration)

Monitoring and logging of user activity
What it does: the User Activity Reporting Module collects from operating systems, applications, authentication systems, provisioning systems, databases, directories, firewalls, proxies, routers, switches and VPNs, and supports reporting and investigation for network operations, security operations and auditors/governance against regulations and frameworks such as PCI, SOX, HIPAA, SAS70, FISMA, NERC, ISO 27000 series, JSOX, COBIT, COSO and BASEL II.
Facilities:
• Compliance reports to verify security controls
• Drill-down analysis of user activities and access to resources
• Predefined and customizable compliance reports
• Interactive, multidimensional log analysis and investigation
• Trend reports
• Automatic report updates
• Integration with IAM, Spectrum, MF and Help Desk
Proof points

CA security solutions

Comments and conclusions
- Technology and procedures complement each other to respond to regulatory requirements.
- Identity-based security plays a fundamental role in risk mitigation.
- Compliance must be a cross-cutting process that covers several controls; the efficiency of my plan depends fundamentally on this.
- Establishing a maturity model within compliance is the key to measurement, as are internal audits, so that it does not lose validity over time.

FOR INFORMATION PURPOSES ONLY
Terms of this presentation
This presentation was based on current information that may outline CA's general product direction as of April 2013 and is subject to change by CA at any time without notice. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA will make such release available (i) for sale to new licensees of such product; and (ii) to existing licensees of such product on a when and if-available basis as part of CA maintenance and support, and in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis. In the event of a conflict between the terms of this paragraph and any other information contained in this presentation, the terms of this paragraph shall govern. All information in this presentation is for your informational purposes only and is provided "as is" without warranty of any kind. In no event will CA be liable from this presentation. No unauthorized copying or distribution permitted.

Q&A