Event Recording

Identity Security Implementation and Deployment in KONE

Name: Identity Security Implementation and Deployment in KONE
Uploaded: 2023-05-11T12:00:00+02:00
Duration: 19 min 13 s

Posted on May 11, 2023

In this talk, Krishna Balan Kannappan will describe Kone´s path to a holistic and integrated Identity Security infrastructure.

IDM Deployment in KONE includes Lifecycle management of KONE Internal Users and non person accounts. Automated Processes in IDM ensures that minimum accesses required for Internal Users are granted automatically based on User Attributes and all accesses are removed automatically when user leaves the organization. Non Person accounts are hardened automatically based on the usage.
Applications authorization is managed by IDM using various provisioning mechanisms.
Applications authentication is controlled by Azure AD, MFA enabled is mandated for all applications and end users.
Admin Accounts used for Accessing KONE Infrastructure and Workstations are managed in IDM(Microsoft recommended Tier based model is used).
Self Service allows Role Owners and Account Owners to Create Access Reviews, Manage Passwords, Manage Access.
KONE SOC team uses IDM for performing emergency actions to disable/enable/reset Password of AD Accounts.

Privilege Access Management:

KONE uses PRIVX as the PAM Solution for allowing access to Infrastructure. PAM is integrated with IDM for authorizations. PAM Solution ensures KONE Infratructure cannot be accessed outside PAM by access controls and continuous monitoring.
PAM Uses Separate MFA for added Security.
Automations are implemented to onboard/offboard Application servers into PAM

DevSecops model is used for Development, automated deployments, Security Scans and automated Testing.

Show description

In this talk, Krishna Balan Kannappan will describe Kone´s path to a holistic and integrated Identity Security infrastructure.

IDM Deployment in KONE includes Lifecycle management of KONE Internal Users and non person accounts. Automated Processes in IDM ensures that minimum accesses required for Internal Users are granted automatically based on User Attributes and all accesses are removed automatically when user leaves the organization. Non Person accounts are hardened automatically based on the usage.
Applications authorization is managed by IDM using various provisioning mechanisms.
Applications authentication is controlled by Azure AD, MFA enabled is mandated for all applications and end users.
Admin Accounts used for Accessing KONE Infrastructure and Workstations are managed in IDM(Microsoft recommended Tier based model is used).
Self Service allows Role Owners and Account Owners to Create Access Reviews, Manage Passwords, Manage Access.
KONE SOC team uses IDM for performing emergency actions to disable/enable/reset Password of AD Accounts.

Privilege Access Management:

KONE uses PRIVX as the PAM Solution for allowing access to Infrastructure. PAM is integrated with IDM for authorizations. PAM Solution ensures KONE Infratructure cannot be accessed outside PAM by access controls and continuous monitoring.
PAM Uses Separate MFA for added Security.
Automations are implemented to onboard/offboard Application servers into PAM

DevSecops model is used for Development, automated deployments, Security Scans and automated Testing.

Speakers

Solution Design Owner - IAM
KONE

Krishna Balan Kannappan

16+ years of experience in Information Technology and worked on various technology frameworks and domains. Have extensive experience in Identity Access management domain. Having worked with many international organizations, specialized in SailPoint Identity IQ and PRIVX SSH tools, CyberArk....

View profile

Security Engineer
KONE

Akarshi Rastogi

Akarshi Rastogi ia a Code-savvy security engineer seeking to build secure, scalable solutions, with a passion for cybersecurity. Unlocking the possibilities of technology with 7+ years of experience in Identity and Access Management at KONE as a Configuration Owner. Prior to KONE, she was a...

View profile

Show Transcript

Hello everyone, I'm ato. I'm security engineer slash configuration owner for Kona and he's Krishna Ballen, solution design owner for identity and access management at Coney. I'll just give you brief history or a short introduction about what Kona is and then we can move forward with the presentation. COE is more than a hundred year old elevator company. We are based out of Helsinki, Finland and I couldn't agree on what the last presentation was that you have to be matured enough into the system to realize how you have to make your way forward with security. We have been sorting out a lot of legacy stuff and we are into a mature state right now in that journey. With that, the today's topic would be how IBM supports cybersecurity at Kune and how we are leveraging it.
Basic footprint about Coney IBM is we have 65,000 plus users, more than thousand plus application and more over 12,000 non-person accounts in the system that we have to manage today. Considering this footprint, you can calculate how IBM is managing the volume of those system right now. We'll be discussing in today's session that how IBM is supporting identity security, endpoint security, application security and detection and recovery and all these components are equally important in cybersecurity to take care of focusing on identity security. Every organization has a user identity and we have classified all the identity accounts here as user considering regular account tier zero account for the user, tier one and tier two. These tier accounts are Microsoft's suggested privilege access accounts which are categorized in this system. We also have a tier three account, which is COE system custom account and has the least level of access. So when you see the approach flowing from top to down regular ad accounts as general account that we have, tier zero one and two, our Microsoft model accounts, tier two being the highest privileged accounts tier one, the moderate privilege account, which will not have the complete access to the infrastructure tier two account being slightly leased, privileged account of all the Microsoft model tiered account that we have. Tier three will allow you to elevate access to your own workstation.
We'll be focusing about how regular ad account works in general and when we consider identity security. I believe identity management goes hand in hand and we, we have a lot of other things as well that we focus authorization being the first part and Martin was discussing about how this airbag and segregation of duties and policy violations play an important role for any IDM system. So I couldn't agree more than that. Suppose I am an outside user, I'm into the system and I want to just trick into the system and I'm playing around the organization. These factor will definitely help me to stop gaining the extra access that I should not be having right now. So there are role-based access controls along with attribute access controls in place and if I anyhow tries to gain access to the system, there's always notification system in place which will send notifications to your manager, the request you or the requester.
We have strong auditing and monitoring in place. For example, I work in Helsinki and I'm requesting something at really odd time for a longer period of time. It'll generate lot of logs, audit evens and fil send it out to the monitoring system so it's smart enough to understand that something is going wrong and generates alert to the security team to take the further actions. We also have periodic access review and segregation of duties in place to make sure that the user has right level of access at right time. Moving next, we have authentication in place. We have been hearing a lot about authentication in all these three days that we have been here. It is a very generic thing that every organization or enterprise should follow. So authentication comes hand in hand. Any application that we own at Coney is lying at the backend of single sign on.
So if you have to access the application, you have to log into the application which will ask you to authenticate password goodness is being the equal important component for it. You log in to the application, it'll show you to the authenticator being the push services available in this system that you have to enter the pin which is being displayed on your application along with the application name so that you are sure that you are into the right application and it is you. It also validates the user geolocation and if it is correct and user validates it, it allows you to log into this session.
We also moved now to detection and recovery, which I believe is the most important phase how you can utilize your IBM tool, any user request access to the IBM and is granted in ad. But what if any access is modified in active directory. So we have utilized our IBM system in such a way that it reconcile, it reconciled the accesses from active directory to DM system. Along with that it generates all the logs, all the events status being done in active directory and we automatically the access correction from our IBM system, which means if any outsider has access to their active directory or trying to do any modifications to any of these four things that I've listed to the attribute to groups. By creating new attributes, accounts or members, it flows to the IBM system and IBM's detected and automatically corrects it
Whenever there's any event which is generated and anybody tries to get into this system. We have configured SIM system in such a place that it is configured on the IDM side as well as on the active directory side. So any events which are generated generates the event which is being received on the security operation team and security operation team has access to the IDM system both through ui, also through APIs to perform any emergency action that they want to. I just want to have a look with audience as well. How many of you are doing emergency actions on the accounts through your I DM systems That's so great to see or all right so they can emergency disable the account, enable the account and also the password reset in case of emergency situations and whenever any action is taken we generate the audit event also notify the manager of the identity that something was wrong and the action was taken
Now let's see how I am is supporting endpoint security and application security. So as mentioned there are a lot of tiring models in place and we follow a custom tiring model as well. Now let's see how this Tire Zero is supporting to access all the privilege accesses within Connet. So as Akashi mentions, we already have a multifactor authentication in place but for privilege accesses we have a separate MFA infrastructure in place and it is a kind of a step up MFA which decides what kind of MFA is required based on the type of account the end user is using. And all these tiering accounts are managed lifecycle managed by IM system. So if I need a tier zero account, I come to the IM system and then request for access and once it is approved, tier zero account is created for the user and the password is shared.
And let's see how the user is accessing these C zero resources in connet. So for TA zero, the MFA is basically a hard PA key which needs to be entered while logging into the system. So user enters C zero credentials and it asks for PA key. So once the PA key is entered, you'll be presented with the list of resources which you can access. So basically taser is high privileged account which you can use for accessing your 80 resources and whenever I want to connect to an 80 server, the pan system creates a short-lived certificate or an FAL certificate for added security and it allows you to log into the system and when you go to the tier one, so tier one is less privileged when compared to tier zero and even it has a separate MFA infrastructure. So whenever I want to log in using a tier one account, so you log into the system and it presents a normal mfa which is basically a key based and you can use any authenticator app for authenticating yourself.
And Tier zero is basically for accessing all these application related infrastructures like an application server or a database or any proxy servers. So based on your accesses you have within the IAM system, the PAM system allows you to see the list of resources you can access using this access and again it generates a shortly certificate which enables you to log into the required infrastructure. And all these logins are fed into a CM system for activity monitoring and which ensures that if I am logging into the server outside this SPAN systems, it creates a security event and based on the critical of the security event, the CM system decides whether the account needs to be disabled or what should be done for that kind of account. So that is actually handled in the CM system. And when it comes to tier two, so tier two is actually an admin of all the workstations. So basically the operations team have helped this team who wants to perform many admin activities will use this tier two accounts and it is again lifecycle management tier two IBM system. And when it comes to tier three, it is basically an admin access to your own workstation. So if you need to have an admin access for a short period or for permanently, so based on the business need, you'll request for a permanent access or a temporary access and once it is approved you'll get this admin access for your own workstation.
Okay. And let's see how this application security is supported for by the IBM system and other infrastructures which we have in connet. So CMDB hits a configuration management database which is owned by the application owners of coe. So application owners are responsible for updating the CMDB with the proper status of an application. For example, if a new application is created then I say a new application is created and that needs to have an authentication complaints and an authorization complaint. And there are set of standards which are defined within Coney to ensure that a specific application is authentication complaint and authorization complaint based on the usage of the application are from where these applications are being accessed. So if I'm accessing an application from internet, then definitely should have an SSO enabled and there should be an MFA supported to ensure that it is an authentication complaint and if it is an internal net application it can be accessed only using an internal network.
It is fine to have a user M and password based login, but you should definitely have an MFA supported. So those are the standards which are set within Connet to ensure that the application is protected. And there are other features which are supported by using for authentication compliance within Azure, like the user activity monitoring to ensure that the user is logging in from the same IP are from the same dual locations and what should happen if it is a certain login at the midnight or from a different geo location, what should happen in that and should I have a conditional access policy for the application based on the risk of the application and for authorization compliance. IBM system ensures that these applications are onboarded into the IBM system for access request management, access reviews, and we embrace lot of self-service within the IBM system. So basically self-services for managing roles, application owners will have the capability to manage roles within the IBM system. So you don't need to contact a help desk or an operational team to create roles or manage roles. You can do it yourself.
Alright, thank you Krishna. We all have been discussing about how identity and the security is very important, but nonpersonal accounts play equal and important role in any organizational enterprise that we work in. We'll be seeing how Kona is managing Nonpersonal accounts from I DM system. We have four categories of accounts that we manage at Kona, test account, shared account, robot account and service account. So these all accounts are lifecycle management and owned by somebody because it's really critical to own these account otherwise people le leave the company and these account remain active in the system which open a door for attackers to come. So it is really critical and important for any enterprise that we have. I would also like to ask that, how many of you are doing account hardening from your IDM for these accounts? Anyone good to see one?
So two important confidence that play important role for these non-personal accounts are account hardening as well as password management. IBM system generally generates password for any account which comes into the system or any identity which comes into the system. But all these components are really important to be managed. So by default we make sure that all the RDPs and all the interactive logins are blocked for all the non-personal accounts. And if you have any purpose to do it, you'd come into the I DM system and temporarily remove access for it. When I say temporarily remove access, it removes access for the account for 24 Rs and it'll be reapplied by I D M system. It'll also generate logs and events for the same event which has been performed. There's also delegation block and which is available again for the account owner, which is by default blocked that you cannot delegate your account to perform any activity as such.
Then we have log on machines, so you have to define that for example, there's a service account which connects to to our server. So you have to define that to which log on machine you need this account to be enabled. So whatever log on machines are defined will be allowed by that service account to log into the system. We also generate complex password by defaults, but it also gives us password management capabilities to account owner to manage and generate the critical password through IBM system. Once this password is generated, it is never stored in IBM system and the events and the notifications are also generated to the account owner and also to the deputy account owners to make sure that something has happened and it's valid. I think that was all that we try to implement at Coney with all the red teaming and proper teaming exercise that we conduct every year. So we make sure that we improvise and implement things including identity and access management.
So that
Leaves for questions I would say. Any questions from the audience in the room? Otherwise I started with the online questions. Okay, so I start with the online questions. Do you have a common IBM system for all target provisioning or is this a distributed system in different with different tools? So an example would be one for Azure and the cloud and one for on-premise applications. For example sap.
Okay, I can answer that. So we have a common system that manages all the provisioning from our IDM system. We connect to on-prem as well as to cloud system. So we have connection with all the SAP active directory disconnected applications as well as Azure waste applications.
Good. Next question. Okay. Isn't it a bit dangerous to manage tier zero accounts with the DM system? If the DM system is compromised? The tier zero is also compromised. A very
Good question and sorry that I did not mention it earlier. We do not manage tier zero through ibm. It's separately managed, but there's a pan system involved, which Krishna was talking about that allows you to log in using your tier zero account. But we have a lot of hard tokens available and a separate login mechanism for two zero in place.
So creation is not through idm but lifecycle management is through idm, like levers 40 zero through IDM manually.
Okay. Meanwhile, any questions from the audience in the room? Good. So I continue with the online questions. So you have explained your PAM strategy question would be how would would it adopt to emerging threats and technologies?
So it uses ephemeral or short lived certificates, which is which leave only for three minutes of the session. And then once the session is established, you cannot reuse the same certificate for logging into the same server. So that's the technology which we're using right now and we feel that it is most secured right now and the even the MFA used as a separate infrastructure, it is not the Azure MFA infrastructure and our teaming exercises shows that no one is able to log into gain access to PAM till now. So that's benefit we have right now.
Okay. Process wise, are you taking a look at that once a year or twice a year to, to see if that is still a valid strategy for to encounter those emerging threats?
Once a year.
Once a year. We
Do have blue tubing exercises twice a year.
Good. So those are all the questions that I have from the online audience, so that would be the last chance for you to ask more questions if that's not the case. We're done with your presentation. Thank you. Thank you so
Much. Thank you. Thank you.

Playlist

European Identity and Cloud Conference 2023

Event Recording

Covering Your Customer Identity Needs - The Way Forward

May 12, 2023

The Art of CIAM is to converge user Experience (UX) , security and privacy in a way that is seamless and unobtrusive for the user. In this panel session we will discuss the role of decentralized technologies, biometrics, and AI in Digtal ID, allowing for more secure and efficient authentication processes.

Watch

Event Recording

From A (ACLs) to Z (Zanzibar): Standardizing Access Policies with IDQL/Hexa

May 10, 2023

The adoption of multiple clouds is accelerating across all industries. While multi-cloud brings many benefits, it also results in new challenges. Organizations must manage platform-specific access policies in the bespoke policy syntax of each cloud.
Security and risk gaps arise between cloud identity systems due to the increased policy fragmentation and technical complexity that can obscure visibility and make it difficult to determine who has access to what.
These challenges grow exponentially when you consider the various access policies (and system languages) associated with each data, network, and platform layer (and vendor) in an organization’s tech stack.
This session will describe an open-source solution to multi-cloud access policy fragmentation: Identity Query Language (IDQL) and Hexa Orchestration. IDQL and Hexa are two sides of the same coin that together perform policy orchestration across incompatible cloud platforms.
IDQL is the universal declarative policy language that can be translated into a target system's proprietary or bespoke access policy format. Hexa is the open-source reference software that brings IDQL to life and makes it operational in the real world by connecting to target systems and performing the three main functions of discovery, translation, and orchestration.
Hexa Policy Orchestration was recently accepted as a Cloud Native Computing Foundation (CNCF) sandbox project. The session will include a technical review of Hexa plus a demonstration of current capabilities.

Watch

Event Recording

Leveraging Decentralized Identity Approaches in the Enterprise

May 11, 2023

In this session, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts look at the potential of utilizing DID approaches within the enterprise. This session will look at the business benefits, the steps involved, important considerations, challenges, pitfalls, and recommendations for implementing decentralized identity. Martin will explain the potential and look at how this will impact existing technologies such as IGA, PAM, and Access Management, and how this relates to other trends such as WfA, BYOD, Policy-based Access, and more. He also will outline where interoperability and standards must further evolve to enable organizations in re-inventing their IAM, without ripping everything apart. He will discuss the steps involved, important considerations, challenges, pitfalls, and recommendations for implementing decentralized identity in the enterprise.

Watch

Event Recording

Preparations for Smoother PAM Flight

May 11, 2023

The short abstract of this topic would be "How we can make a proper business case and ROI(Return on Investment) for PAM". Below are some of the preparations we need for a smoother PAM flight:

Business Use Case
Technical Use Case draft and definition
Vendor selection & Role of research organisations like KuppingerCole
POC
ROI for management and their approval
Vision, Mission & Use case selection and prioritizations

Watch

Event Recording

Adam Cooper: Centralised or decentralised - what’s the real question?

May 11, 2023

There are clear battle lines drawn between the centralised and decentralised worlds, but how much of this is ideology and how much is simply a misunderstanding of how services are delivered, rights protected, and trust established? Both models have advantages and disadvantages but that doesn’t mean that one should simply replace the other.

Governments need data about us to plan services such as where schools and hospitals should be built or where the most vulnerable in society are so that they can be supported. That data can also be used to cause harm, but technology alone will not solve the problems of control, protection of basic rights, and the delivery of fair and fraud resistant services.

In this session Adam Cooper seeks to identify the real questions we should be asking and provides his own insights based on over a decade of working with governments, citizens, and the private sector to deliver better outcomes for all of us.

Watch

Event Recording

Automated Serverless Security Testing: Delivering Secure Apps Continuously

May 10, 2023

Serverless technology eliminates the need for development teams to provision servers, and it also results in some security threats being passed to the cloud provider. This frees up developers to concentrate on building logic and producing value quickly. But cloud functions still execute code. If the software is written poorly, it can lead to a cloud disaster.

How can developers ensure that their code is secure enough? They can scan for common vulnerabilities and exposures (CVEs) in open-source code. They can even scan their Infrastructure-as-Code (IaC) tool to identify insecure configurations. But what about custom code? At many organizations, the application security team struggles to keep up with the speed of development in a serverless environment. Traditional testing tools not only provide very limited coverage, but also slow development cycles unacceptably. Serverless code contains a mixture of cloud configurations and application programming interfaces (API) calls. As a result, legacy solutions lack the context that is necessary in a serverless environment, and the consequence is a lack of observability and slower response times.

Fortunately, it does not have to be this way. Organizations can leverage robust security during serverless development, automatically—if it is done properly. In this talk, we will discuss common risks in serverless environments. We will then cover existing testing methodologies and why they do not work well for serverless. Finally, we will present a new, completely frictionles

Watch

Event Recording

Managing your Code-to-Cloud Security Risks in a Multi-Cloud Environment

May 10, 2023

The shift to multi-cloud introduces a wide range of cloud security risks that remain unaddressed due to the siloed approach and limited focus of existing cloud security tools. Most cloud security tools offer highly focused solutions that are limited in scope and capabilities to address the growing spectrum of multi-cloud security risks. The convergence of IAM and multi-cloud security tools (CSPM, CWP and CIEM) offer a cloud security platform that takes an integrated approach to securely manage identities and their access entitlements to cloud resources for cloud-native application development, deployment and operations in the cloud. In this session, we will discuss:

What are the emerging archetypes of IAM and multi-cloud security tools convergence?
What are the essential building blocks to effectively address your code-to-cloud security risks in a multi-cloud environment?
What are the industry best practices and recommendations to deploy and operationalize multi-cloud security tools for best results?

Watch

Event Recording

The Future of IAM & Cybersecurity is Policy-Based

May 12, 2023

There are several sessions at this year’s EIC looking at the roles of policies in IAM, for modernizing and efficiency gains in IGA, for authentication and fraud detection, and for authorization. In his keynote, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will take a broader perspective and look at why the future of IAM and cybersecurity must and will be policy-based. This involves policies in IGA, policies in cybersecurity, hierarchies of policies, policies for application developers and IaaS administrators, policies in Zero Trust, overcoming static entitlements, policies in the context of DID (decentralized identities), and other topics. He also will discuss what needs to be done where, such as Policy Governance, Data Governance, and Policy Lifecycle Management, and why the shift to policy-based approaches requires a multi-speed approach, with policies in new digital services coming faster than policies for modernizing legacy IAM.

Watch

Event Recording

Passwordless For the Masses

May 10, 2023

Watch

Event Recording

Machine Learning in IAM & IGA

May 11, 2023

This presentation will provide an overview of the terminology and basics of AI and ML in the context of Identity and Access Management (IAM) and Identity Governance and Administration (IGA). It will explore a number of current use cases for leveraging ML in IAM, demonstrating the benefits of automation and enhanced security that ML can bring to identity management. The presentation will conclude with strategic considerations for using ML in IAM, highlighting the importance of considering business value, available data, and existing technologies when implementing ML-based solutions for identity management.

Watch

Event Recording

Lessons Learned from Implementing PBAC Solutions with OPA

May 10, 2023

During the last 3 years we have seen a significant uptake on decoupled authorizations solutions, the main drivers behind this is a move to the cloud, micros services and ZT implementations. In this speech Gustaf Kaijser will walk you through the feedback he has been getting from the organisations that have implemented OPA based solutions the last years, and the significant gains that they have seen in:

Automation of policy checks
Application development
Consistent policies across applications and infrastructure
Troubleshooting / Time to repairs
Cost of change
and audit

Watch

Event Recording

Passwordless Primer

May 10, 2023

Passwordless authentication counts amongst the hot topics in IAM. In this session, the variants of passwordless authentication will be explained. Phishing resistance, device binding, secure elements, and many of the other technical aspects will be explained, put into context, and rated regarding their relevance for different use cases. The session also will discuss use cases and their specific needs, from simplified access to office solutions to a unified passwordless authentication for the entire IT environment.

Watch