CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas

Wendy Nather (@451wendy)
Research Director, Enterprise Security Practice
Slide 2: The backdrop

Custom-written single sign-on portal (10+ years old)
Provides SSO for ~60-75 apps
External user base of ~50,000
Internal user base of ~800

The challenge: drag it kicking and screaming into some part of the 21st century
Slide 3: Other complicating factors

Family Educational Rights and Privacy Act (FERPA) compliance

~1300 school districts
~8,000 campuses
~20 regional educational service centers (ESCs)

Other partners/stakeholders: other Texas state agencies, higher education, contractors of all kinds, nonprofits, educators, certification bodies … roughly 2500 different organizations
Slide 4: Multiple roles and contexts

TEA employee of some division or cost center, at some position level
Contractors pretending to be TEA employees
Personnel at ESCs, districts, campuses
Administrators, educators, auditors, researchers
People using different applications in different capacities on behalf of multiple organizations
Differing levels of delegation, both organizational and legal
Slides 5-9: Getting a clue

A tree diagram built up over five slides; the text of each build is shown below. Slide 5:

Professor Plum
  in the kitchen
    with a lead pipe
    with a candlestick
  in the library
    with a lead pipe
    with a rope

Slide 6 adds the action (killing / being killed) between the subject and the place:

Professor Plum
  killing
    in the kitchen
      with a lead pipe
      with a candlestick
  being killed
    in the library
      with a lead pipe
      with a rope

Slide 7 shows the full tree (slides 8 and 9 repeat the same text):

Professor Plum
  killing
    in the kitchen
      with a lead pipe
      with a candlestick
    in the library
      with a lead pipe
      with a rope
  being killed
    in the kitchen
      with a lead pipe
      with a rope
    in the library
      with a lead pipe
      with a candlestick
Slide 10: Context plus governance = …

Identity authority / Access authority
Who you are + why you should have access
What you may access
Entitlements

Slide 11: Example
Slide 12: Workflow example (diagram)

TEA, ESC, District1, User, District2, App owner, App owner, Delegate
Slides 13-16: Constraints (built up one line per slide; the final build is shown)

Can’t be full federation due to compliance requirements
Principle of least privilege means scoping down wherever possible
Separation of duties requires discrete roles and entitlements

And remember …

Most of the users don’t really want to be there.
They are not at all technical.
And you can’t fire them.
Slide 17: Moral of the story

Need to be granular with identity, authorization and entitlements for risk and compliance management
Be careful with RBAC – keep it out of your code
IAM is not a project, it’s an ongoing journey
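The deck's prescription (slide 10's split between an identity authority and an access authority, slide 12's delegation chain, the least-privilege and separation-of-duties constraints, and "keep RBAC out of your code") can be shown in working code. What follows is an added example written for this page, not code from the talk or from the TEA portal it describes. The application asks a policy function whether an attribute tuple (app, action, organisational scope) is permitted instead of testing for a role name; a delegation can only narrow the grantor's scope; and separation-of-duties conflicts are declared as data. The organisation tree (tea, esc-01, district-100, district-200, campus-100-a), the application name "grants", the action names and the conflict pair are all constructed for illustration. The tuple is the same idea as the Clue tree on slides 5-9: subject, action, place, instrument.

```python
"""Attribute-driven entitlements with scoped delegation and separation of duties.
Added example, not from the deck; every org, app, action and conflict pair is constructed."""
from dataclasses import dataclass

# Constructed organisation tree (child -> parent); "tea" is the root. The tiers
# mirror the deck's TEA / ESC / district / campus hierarchy.
ORG_PARENT = {
    "esc-01": "tea",
    "district-100": "esc-01",
    "district-200": "esc-01",
    "campus-100-a": "district-100",
}


def org_chain(org):
    """[org, parent, grandparent, ..., root]."""
    chain = [org]
    while chain[-1] in ORG_PARENT:
        chain.append(ORG_PARENT[chain[-1]])
    return chain


def within_scope(org, scope_org):
    """True when org is scope_org itself or lies beneath it in the tree."""
    return scope_org in org_chain(org)


@dataclass(frozen=True)
class Entitlement:
    """What a subject may do: (app, action) over an organisational scope.
    This is data handed over by the access authority, not a role name in code."""
    app: str
    action: str
    scope_org: str
    can_delegate: bool = False


@dataclass(frozen=True)
class Subject:
    """Who the user is (identity authority) plus the entitlements granted to them."""
    user_id: str
    home_org: str
    entitlements: frozenset


def is_authorized(subject, app, action, resource_org, acting_for_org):
    """Policy decision for one request. Every test compares attributes; the
    application never asks "is this user an administrator?"."""
    for e in subject.entitlements:
        if e.app != app or e.action != action:
            continue
        # Least privilege: the resource's org and the org the user is acting
        # on behalf of must both sit inside the grant's scope.
        if within_scope(resource_org, e.scope_org) and within_scope(acting_for_org, e.scope_org):
            return True
    return False


def delegate(grantor, grantee, app, action, scope_org):
    """Delegation step of the workflow: the grantor may pass on (app, action) only
    if they hold it with can_delegate, and only for a scope at or below their own.
    The new grant cannot be re-delegated, so scope can only narrow down the chain."""
    for e in grantor.entitlements:
        if (e.app, e.action) == (app, action) and e.can_delegate and within_scope(scope_org, e.scope_org):
            granted = Entitlement(app, action, scope_org)
            return Subject(grantee.user_id, grantee.home_org, grantee.entitlements | {granted})
    raise PermissionError(f"{grantor.user_id} cannot delegate {app}:{action} for {scope_org}")


# Separation of duties declared as data: (app, action) pairs one subject must not
# hold over overlapping scope. Constructed example pair.
SOD_CONFLICTS = [(("grants", "submit"), ("grants", "approve"))]


def sod_violations(subject, conflicts=SOD_CONFLICTS):
    """Every pair of held entitlements matching a declared conflict whose scopes
    overlap (one scope lies inside the other)."""
    found = []
    for first, second in conflicts:
        for ea in subject.entitlements:
            for eb in subject.entitlements:
                if (ea.app, ea.action) == first and (eb.app, eb.action) == second:
                    if within_scope(ea.scope_org, eb.scope_org) or within_scope(eb.scope_org, ea.scope_org):
                        found.append((ea, eb))
    return found


def demo():
    """Walk the deck's workflow: an ESC delegate scopes a grant down to one district."""
    esc_delegate = Subject("esc-delegate", "esc-01",
                           frozenset({Entitlement("grants", "approve", "esc-01", can_delegate=True)}))
    district_user = delegate(esc_delegate, Subject("d100-user", "district-100", frozenset()),
                             "grants", "approve", "district-100")
    results = {
        "own campus": is_authorized(district_user, "grants", "approve", "campus-100-a", "district-100"),
        "other district": is_authorized(district_user, "grants", "approve", "district-200", "district-100"),
        "acting for the ESC": is_authorized(district_user, "grants", "approve", "campus-100-a", "esc-01"),
    }
    for label, allowed in results.items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
    return results


if __name__ == "__main__":
    demo()
```

Adding a new application or a new tier of delegation changes the data handed to these functions, not the functions themselves; that separation is what keeps the RBAC out of the code while still letting auditors answer "who may do what, where, and who granted it".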
  
Slide 18: Questions? Comments?

wendy.nather@451research.com
