INFORMATION RISK MANAGEMENT
e-ID: are you (proven) in control?
DENNIS VAN HAM
Introduction and setting the scene
• Identity: who are you? And how can we be sure it’s you?
• Access: what are you allowed to do?
• Business: protection of information is important, but please don’t bother me.
• Technology: lots of it is available, but how reliable is it really?
• Audit and compliance management: proven in control?
Impact on people – changing threats, and fast
Threat timeline shown on the slide, 2003 to 2006:
• “Classic” phishing
• Spyware
• Man-in-the-middle attacks
• Botnets
• Keylogging
• Pharming
• Trojan horses
• Malware
• And more …
People are different and have many e-IDs
Tentative mother of grown children
• Learning to navigate the Net
• Considering banking online, but hasn’t taken the leap yet
• Afraid of hackers after a news story about ID theft victims
• Her motto: The Web is complicated! Better to be safe than sorry.
Young, travelling businessman with a family
• Juggles 30 passwords
• Uses two-factor authentication at work
• Wonders if it’s available for his personal accounts
• His motto: Internet security is key, but I can’t carry one more thing.
Hip, 20-something male
• Thinks he’s immune to online fraud
• Freely gives away his personal information
• Has a firewall and antivirus
• Clicks on any link
• His motto: I grew up with the Internet. I’m not afraid of it.
Source: RSA Security
Impact on business
• Compliance
  • SOX, HIPAA, privacy legislation, Basel II, FDIC, etc.
• Corporate or IT governance
  • Lack of a clear strategy
  • Timely implementation of policies or resolutions
  • Policy enforcement and reporting
• Security
  • Protection of intellectual property
  • Rising administration and helpdesk costs
  • Complex technologies and application infrastructure
IT security survey: six important signals
• Technology remains very dynamic; proper risk analysis is key, but it is not applied on a large scale.
• Insufficient in-house expertise is the most important motive for outsourcing IT security.
• Hacking, viruses and worms are significant threats, yet companies have little insight into the quality of their protection.
• Authorisation management is structured ineffectively and inefficiently.
• Continuity management is often organised on paper, but it is usually not certain whether it also works in practice.
• The growing use of mobile devices requires attention.
Reality bites – ‘identity and access’ information everywhere
Identity & Access Management – in a nutshell
Cross-platform IAM services (shown spanning all three stacks on the slide):
• Provisioning
• Authorization
• Authentication
• Federation
• Meta-directory
• Audit management
Platform stacks, each with its own layers: J2SE/J2EE, Windows/.NET, UNIX/LAMP
• APIs and protocols
• Frameworks
• OS and infrastructure
• Security
• Networking
• Storage
• Processing
Significant integration effort required.
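The slide above lists provisioning, authorization and audit management as cross-platform services, and the survey slide notes that authorisation management is usually structured ineffectively. The following is an added example, not part of the original KPMG presentation, of what a minimal cross-platform authorisation review looks like in practice: account exports from three platforms are reconciled against an HR master to find orphaned accounts, accounts of leavers, dormant privileged accounts and segregation-of-duties conflicts. All identities, logins, platform names, roles and the rule set are constructed for illustration.

```python
"""Authorisation review: reconcile platform accounts against an HR master.

Added example; not code from the original presentation. Every record below is
constructed, and the platform names, role names and rules are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR master: who is employed, and in which function.
HR = {
    "u1001": {"name": "A. Jansen", "status": "active", "function": "finance"},
    "u1002": {"name": "B. de Vries", "status": "active", "function": "it-ops"},
    "u1003": {"name": "C. Bakker", "status": "left", "function": "finance"},
}

# Constructed account exports from three platforms (the three stacks on the
# slide). Each platform has its own login names and its own notion of a role.
PLATFORM_ACCOUNTS = {
    "erp": [  # Windows/.NET application
        {"login": "ajansen", "hr_id": "u1001", "roles": {"ap_create", "ap_approve"},
         "last_login": date(2006, 3, 1)},
        {"login": "cbakker", "hr_id": "u1003", "roles": {"ap_create"},
         "last_login": date(2005, 11, 2)},
    ],
    "unix": [  # UNIX/LAMP hosts
        {"login": "bdevries", "hr_id": "u1002", "roles": {"wheel"},
         "last_login": date(2006, 3, 5)},
        {"login": "oracle_admin", "hr_id": None, "roles": {"wheel"},
         "last_login": date(2004, 6, 1)},
    ],
    "portal": [  # J2EE portal
        {"login": "ajansen", "hr_id": "u1001", "roles": {"user"},
         "last_login": date(2006, 2, 20)},
    ],
}

# Assumed rule set: no single identity may both create and approve payments,
# and a privileged account unused for more than 90 days is flagged.
SOD_CONFLICTS = [({"ap_create", "ap_approve"}, "create and approve payments")]
PRIVILEGED_ROLES = {"wheel", "ap_approve"}
DORMANT_DAYS = 90


@dataclass(frozen=True)
class Finding:
    kind: str       # orphan | leaver | dormant_privileged | sod
    platform: str   # "*" for findings that span platforms
    login: str      # platform login, or HR id for cross-platform findings
    detail: str


def review(hr, platforms, today):
    """Return the list of control findings for the given account exports."""
    findings = []
    roles_per_identity = {}
    for platform, accounts in platforms.items():
        for acct in accounts:
            hr_id = acct["hr_id"]
            person = hr.get(hr_id) if hr_id else None
            if person is None:
                findings.append(Finding("orphan", platform, acct["login"],
                                        "no owner in HR master"))
            elif person["status"] != "active":
                findings.append(Finding("leaver", platform, acct["login"],
                                        f"{person['name']} has left"))
            idle = (today - acct["last_login"]).days
            if acct["roles"] & PRIVILEGED_ROLES and idle > DORMANT_DAYS:
                findings.append(Finding("dormant_privileged", platform,
                                        acct["login"], f"unused for {idle} days"))
            if hr_id:
                roles_per_identity.setdefault(hr_id, set()).update(acct["roles"])
    # Segregation of duties is judged per identity across all platforms, which
    # is exactly what a per-platform admin screen cannot show.
    for hr_id, roles in roles_per_identity.items():
        for conflict, label in SOD_CONFLICTS:
            if conflict <= roles:
                findings.append(Finding("sod", "*", hr_id, label))
    return findings


def run_review():
    """Run the review over the constructed data as of a fixed review date."""
    return review(HR, PLATFORM_ACCOUNTS, date(2006, 4, 1))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:20} {f.platform:8} {f.login:14} {f.detail}")
```

On the constructed data the review yields four findings: the leaver C. Bakker still has an ERP account, the UNIX account oracle_admin has no HR owner and has not been used for almost two years despite holding wheel, and A. Jansen can both create and approve payments in the ERP. The last one only appears because roles are aggregated per HR identity across platforms; the "proven in control" question on the title slide is answered by running such a reconciliation periodically and keeping its output as audit evidence.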
More information?
KPMG Information Risk Management
Dennis van Ham, Consultant, KPMG Information Risk Management
Burgemeester Rijnderslaan 20, 1185 MC Amstelveen
P.O. Box 74105, 1070 BC Amsterdam
Telephone +31 (0)20 6568103, Fax +31 (0)20 6568388
E-mail: vanham.dennis@kpmg.nl
Internet: www.kpmg.nl/irm