How to merge SIM and IAM systems to reduce enterprise risks (1)

Source: Internet
Author: User

In general, an IT organization manages user access and authorization through its identity management processes and technologies. At the same time, the IT security organization has adopted its own policies, processes, and technologies to reduce risk. Combining the two functions makes an organization more effective than either is alone: 1 + 1 > 2.

IT security departments have begun to deploy security information and event management (SIM) systems to monitor and report on the vulnerability of information assets. The SIM collects information about violations of information policy from scanners distributed across the organization, then uses scoring software to rate and report the overall exposure so that the risks can be addressed. Although these tools are becoming more effective, they are mostly used as an early-warning radar: they flag a serious rule violation when it occurs, and a triage process then verifies and remediates the problem.

Currently, most SIM systems are configured only to identify events, typically cases where sensitive information attempts to leave the company's domain through an unauthorized channel. Such reports matter to any organization, but managers expect the SIM to provide more proactive vulnerability management and control over information assets, not just event reports aimed at reducing fraud. That capability only becomes possible once identity and authorization information is combined with the data the SIM already collects.

When security managers look for useful information about user authorizations and roles to combine with their SIM data, they find that the most complete source is not the traditional human resources (HR) system but the identity and access management (IAM) system run by the IT department. Unlike HR tools, an IAM system records the roles and responsibilities each user holds in the organization, so that users receive exactly the system and information access they need to do their jobs.

In the past, such access was granted by managing a long series of individual permissions and broad access rights, but the current trend is to consolidate many permissions into a single role under role-based access control (RBAC), which makes them consistent and easy to manage. For example, if every web developer needs the same 20 permissions in each of the same 10 systems to do the job, that is 200 permissions to manage per person. If all of them are attached to one RBAC object, say a role called "web engineer", the account provisioning process needs only that single value to grant or remove the whole set. Managing user identities and access under an RBAC model lets IT staff handle joiners, movers, and leavers much faster, which greatly simplifies the process and makes it more effective.
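To make the RBAC consolidation concrete, here is an added example (not code from the article or from any IAM product) of a minimal role store with joiner, mover and leaver operations. The role names, the ten systems and the 20 permissions per system are invented to match the arithmetic above; the mover diff is the part the paragraph does not show, since it tells the provisioning system exactly which permissions to grant and which to revoke when a user changes role.

```python
"""Role-based provisioning: bundle the permissions a job function needs into one role.

Added example, not from the original article. The role, system and
permission names below are invented for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    system: str   # e.g. "git", "ci"
    action: str   # e.g. "read", "deploy"


@dataclass
class Directory:
    """Minimal RBAC store: roles -> permissions, users -> roles."""
    roles: dict[str, frozenset[Permission]] = field(default_factory=dict)
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, name: str, perms: list[tuple[str, str]]) -> None:
        self.roles[name] = frozenset(Permission(s, a) for s, a in perms)

    def effective(self, user: str) -> frozenset[Permission]:
        """Union of every permission reachable through the user's roles."""
        out: set[Permission] = set()
        for role in self.assignments.get(user, set()):
            out |= self.roles[role]
        return frozenset(out)

    def joiner(self, user: str, role: str) -> int:
        """One role assignment replaces hundreds of individual grants."""
        self.assignments[user] = {role}
        return len(self.effective(user))

    def mover(self, user: str, old: str, new: str) -> tuple[frozenset, frozenset]:
        """Swap roles and return (permissions to grant, permissions to revoke)."""
        before = self.effective(user)
        self.assignments[user].discard(old)
        self.assignments[user].add(new)
        after = self.effective(user)
        return after - before, before - after

    def leaver(self, user: str) -> int:
        """Dropping the role list revokes everything at once; returns the count."""
        revoked = len(self.effective(user))
        self.assignments.pop(user, None)
        return revoked


def build_directory() -> Directory:
    """Constructed data: 10 systems x 20 permissions = 200 permissions per web engineer."""
    d = Directory()
    systems = [f"system-{i:02d}" for i in range(10)]
    web_perms = [(s, f"perm-{j:02d}") for s in systems for j in range(20)]
    d.define_role("web-engineer", web_perms)
    # A second, narrower role so that a move has something to keep and something to drop.
    d.define_role("dba", [(systems[0], "perm-00"), (systems[0], "db-admin")])
    return d


def individual_grants(d: Directory) -> int:
    """How many per-user permission entries the old model would have to manage."""
    return sum(len(d.effective(u)) for u in d.assignments)


if __name__ == "__main__":
    d = build_directory()
    for u in ("alice", "bob", "carol"):
        d.joiner(u, "web-engineer")
    print(len(d.assignments), "role assignments vs", individual_grants(d), "individual grants")
    grant, revoke = d.mover("bob", "web-engineer", "dba")
    print("bob moves to dba: grant", len(grant), "revoke", len(revoke))
    print("carol leaves, revoking", d.leaver("carol"), "permissions")
```

The mover case is where ad hoc permission management usually fails: the new role's permissions get added, but the old ones are rarely all removed. Computing the diff from role definitions makes the revocation list explicit.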

Integrate SIM and IAM to Reduce Risks

How can two such different technologies work together to reduce organizational risk? A SIM is the centralized tool security managers use to identify policy violations. To fix a detected problem, however, the event must first be triaged, then verified and remediated. This usually requires an IT security analyst to dig into the information provided and determine the impact of the activity.

This process generally works, but SIM tools are built to process information and systems, not people. In many cases the IT security staff who must remediate a problem know nothing about the people behind it: was anyone involved, when were they involved, and who caused it? If people are involved, a further series of questions follows. Is this fraud by a disgruntled insider? Is an unauthorized outsider gaining access to internal systems? Was it done by an authorized user performing an action that most users have no permission for, such as a colleague in the personnel department sending a tax identification number to an external benefits partner? Or did a developer's programming error send sensitive data from one system to another as input? Because none of this information exists natively in the SIM, IT security staff must spend time tracking it down, which delays the decision on whether the incident poses a serious risk to the organization.

Consider a data loss prevention (DLP) tool that identifies a security event and reports it to the SIM: credit card numbers were found in a packet addressed outside the organization, and the packet was intercepted. The SIM records the date, time, destination IP address, source IP address, user name, and severity of the event, but it cannot determine who initiated it or whether that person is authorized to send this type of information. With access to the organization's IAM data, the SIM can map the IP address or user name in the event to a person and, by checking that person's roles, decide whether the transfer was authorized.

The IAM system therefore acts as a data source for the SIM, supplementing each event with the context the SIM lacks. With this more reliable information, events can be remediated faster. The SIM is useful to IAM in turn, because it can detect violations that are not obvious from the directory alone, such as separation of duties (SoD) conflicts: a user accessing information that they themselves administer, or a system administrator manually bypassing authorization controls in a system they manage.
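The DLP scenario above and the SoD check can both be expressed as one enrichment step placed in front of triage. The following is an added example, not code from the article or from any SIM, DLP or IAM product; the key=value log format, the directory records, the role export policy and the self-authorization rule are all constructed for illustration. It resolves the account from the user name or, failing that, from the source IP, checks whether any of the user's roles permits exporting that data class, and flags an administrator who grants themselves access on a system they administer.

```python
"""Enrich SIM events with IAM context and flag separation-of-duties anomalies.

Added example, not code from the article or from any SIM/IAM product. The
log format, directory records, role policy and SoD rule are all constructed.
"""
from __future__ import annotations

# Constructed IAM directory as a SIM might cache it: account -> department, roles.
IAM_USERS = {
    "jdoe":     {"dept": "Finance",     "roles": {"payments-analyst"}},
    "asmith":   {"dept": "Engineering", "roles": {"web-engineer"}},
    "root-ops": {"dept": "IT",          "roles": {"sysadmin:billing-db"}},
}

# Assumed policy: data classes each role may send outside the organization.
ROLE_EXPORT_ALLOWED = {
    "payments-analyst": {"PAN"},     # e.g. settlement files to the card acquirer
    "web-engineer": set(),
    "sysadmin:billing-db": set(),
}

# Constructed IP-to-account mapping (in practice built from VPN/DHCP/auth logs).
IP_TO_USER = {"10.1.4.22": "jdoe", "10.1.9.7": "asmith", "10.1.2.2": "root-ops"}

# Constructed sample events; "user=-" means the sensor saw no authenticated
# user, so the SIM has only the source IP to go on.
SAMPLE_LOG = """\
2024-03-05T10:22:11Z dlp sev=6 src=10.1.4.22 dst=203.0.113.9 user=jdoe class=PAN action=send sys=mail
2024-03-05T10:25:40Z dlp sev=6 src=10.1.9.7 dst=198.51.100.5 user=- class=PAN action=send sys=mail
2024-03-05T10:31:02Z dlp sev=6 src=192.0.2.77 dst=203.0.113.9 user=- class=PAN action=send sys=sftp
2024-03-05T11:02:13Z audit sev=4 src=10.1.2.2 user=root-ops action=grant-access sys=billing-db target=root-ops
"""

PRIORITY = {"authorized-by-role": "low", "needs-triage": "medium",
            "unknown-identity": "high", "sod-self-authorization": "high"}


def parse(line: str) -> dict[str, str]:
    """Split one event line into a dict of its fields."""
    ts, source, *pairs = line.split()
    ev = {"ts": ts, "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        ev[key] = value
    return ev


def resolve_user(ev: dict[str, str]) -> str | None:
    """Prefer the user name in the event; fall back to the source IP mapping."""
    user = ev.get("user", "-")
    return user if user != "-" else IP_TO_USER.get(ev.get("src", ""))


def sod_violation(ev: dict[str, str], user: str, roles: set[str]) -> bool:
    """An administrator granting access on the system they administer to themselves."""
    return (ev.get("action") == "grant-access"
            and f"sysadmin:{ev.get('sys')}" in roles
            and ev.get("target") == user)


def enrich(line: str) -> dict:
    """Attach IAM context to an event and decide what the analyst should do with it."""
    ev = parse(line)
    user = resolve_user(ev)
    rec = IAM_USERS.get(user) if user else None
    out = {"ts": ev["ts"], "src": ev.get("src"), "user": user, "dept": None, "roles": set()}
    if rec is None:
        # No identity behind the event: possibly an outsider or an unmanaged host.
        out["verdict"] = "unknown-identity"
    else:
        out["dept"], out["roles"] = rec["dept"], set(rec["roles"])
        if sod_violation(ev, user, rec["roles"]):
            out["verdict"] = "sod-self-authorization"
        elif ev.get("action") == "send":
            allowed = any(ev.get("class") in ROLE_EXPORT_ALLOWED.get(r, set())
                          for r in rec["roles"])
            out["verdict"] = "authorized-by-role" if allowed else "needs-triage"
        else:
            out["verdict"] = "needs-triage"
    out["priority"] = PRIORITY[out["verdict"]]
    return out


def triage(log: str) -> list[dict]:
    """Run enrichment over every non-empty line of a log."""
    return [enrich(line) for line in log.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['ts']} {r['priority']:6} {r['verdict']:24} user={r['user']} dept={r['dept']}")
```

Note that an authorized transfer is still recorded, only at a lower priority; the IAM lookup changes the ordering of the analyst's queue, not whether the event is kept. The unknown-identity branch is what turns a bare source IP into the "outsider?" question the text raises.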

In addition, through its monitoring of information channels, SIM technology helps an organization keep watching what employees do even after applications have moved to the cloud. The information and activities of particular external personnel working inside the organization can likewise be singled out for special attention through the roles assigned to them in the IAM system.

A bank with three SIM systems, over 100,000 nodes, and tens of millions of events per day

If you are looking for a test ground for new SIM capabilities such as identity management integration, you would be hard pressed to find a better one than the Bank of New York Mellon.

This global financial services company uses three different SIM products, including ArcSight, to monitor over 100,000 nodes, spanning endpoints, server infrastructure, network access control, data loss prevention, and anti-malware systems. Daniel Conroy, the company's vice president of global security architecture, said he wants to integrate the SIM system with IAM and other technologies. Fraud monitoring, for example, is a must for a SIM, but it depends on those other technologies, and identity management in particular, being integrated with it.

The challenges for IAM are not limited to integration and implementation: any large organization has a great diversity of roles and constant change in user permissions and access controls.

"Integrated identity management is the way it has to go," Conroy said. "I am happy to see SIM systems finally becoming more interactive and self-aware with these tools. Imagine having to do this manually, or simply opening the asset management system and pulling the data directly."

Given the scale of BNY Mellon's global infrastructure, it is undoubtedly a major SIM customer. Conroy said the company's SIM systems handle more than 10 million events every day, and he expects that number to triple once they start monitoring external connections. For now, Conroy wants to see his SIM systems keep working properly in terms of scale and in the quality of correlation, analysis, and reporting as new features are added.

"You want to push the number of events per second you can process up to a certain level. If some products receive more events per second than they can handle, they crash, and that leads to a new problem," Conroy said. "Events per second is the number the SIM system chases."

