A Study in Borderless over Perimeter

Uploaded by: forgerock

Posted on 10-May-2015

DESCRIPTION

A Breakout Session by Amit Saha, COO at Saviynt. Presented at the 2014 IRM Summit in Phoenix, Arizona.

TRANSCRIPT

Page 1: A Study in Borderless Over Perimeter

A study in Borderless over Perimeter

Page 2: A Study in Borderless Over Perimeter

Evolution of IAM at a US financial services major

• Increased adoption of Cloud & Big Data – Workday, Office 365, SaaS, Hadoop,…
• Adoption of BYOD is diluting the traditional perimeter
• Growing security concerns on critical platforms
• Expanding compliance mandates
• Increased collaboration with business partners
• End users did not find IAM processes intuitive enough
• Existing Sun IAM platform was challenged to scale and deliver
• Extremely long turnaround to onboard new applications to the IAM platform
• No single view of employees and contingent workers
• Different service windows for logical and physical access

Page 3: A Study in Borderless Over Perimeter

Saviynt elevates traditional IAM with fine-grained access management and usage analytics

[Diagram: Saviynt capability stack; only the box labels survive extraction]

Capabilities: Access / Usage Logs; Roles; Workflow; SOD Controls; Life-cycle Management; Self-service; Fine-grained Access

Target systems:
• Critical applications
• Infrastructure platforms, e.g. AD, RACF, AS/400, LDAP, Identity Management platforms,…

Fine-grained access objects, by application:
• Epic: templates, classes, security points
• SAP HANA: roles, privileges, usage logs,…
• Oracle EBS: responsibilities, menus, functions
• Office 365: groups, sites, folders, files,…

Page 4: A Study in Borderless Over Perimeter

(Saviynt + ForgeRock) provided the next generation IAM architecture. Core architecture deployed in 2 months.

[Diagram: next generation IAM architecture; only the box labels survive extraction, grouped below by the headers that are recoverable]

Managed Systems: Big Data; Cloud; Enterprise

Platform components:
• Enterprise IAM
• Identity Warehouse
• Fine-grained Roles and SOD
• Collection engines for user access and usage logs
• Audit and Control
• SSO / Authentication
• Password Management
• REST APIs
• Coarse-grained Provisioning, Synchronization

Business View: End-users, Managers, IT Security, Auditors, Platform owners

Saviynt AppSec Manager:
• Fine-grained SOD Management & Remediation
• Enterprise / Application Role Engineering & Management
• Controls Library (200+ security & SOD controls)
• Access Simulation & Version Mgmt.
• Collectors
• Access Request System
• Access Review
• Security & Compliance Reporting

Identity Stores / Authoritative Sources: Custom Apps; AD; LDAP; RACF; Badging

Page 5: A Study in Borderless Over Perimeter

Step 1 – Introduced an intuitive web and mobile UI for access request and certification

• Simple grid layout for easy navigation
• Supports personalization

Mobile app available on iOS and Android

Single window to request logical and physical access

Page 6: A Study in Borderless Over Perimeter

Step 1 – Introduced an intuitive web and mobile UI for access request and certification (same slide as Page 5, with callouts from the Page 2 problem list)

Callouts:
• End users did not find IAM processes intuitive enough
• Different service windows for logical and physical access

Page 7: A Study in Borderless Over Perimeter

Step 2 – Single best-practice enterprise workflow and pre-built modules to accelerate application onboarding

• Out-of-box single enterprise workflow drives access request behavior
• Enhanced with access recommendations
• Met requirements of more than 90% of enterprise apps and platforms
• Promoted configuration instead of coding to onboard applications
• Reduced customization and # of workflows, accelerated application onboarding
• Based on industry best practices

Integrated 182 applications with the new IAM platform in just 4.5 months
• Integration varied from automated to semi-automated provisioning
• Usage logs were fed in for critical applications, Cloud and Big Data platforms

Pre-built modules: Privileged User Management; Badge Management; Contingent Worker Onboarding; Service Account Management

Page 8: A Study in Borderless Over Perimeter

Step 2 – Single best-practice enterprise workflow and pre-built modules to accelerate application onboarding (same slide as Page 7, with callouts from the Page 2 problem list)

Callouts:
• Extremely long turnaround to onboard new applications to the IAM platform
• No single view of employees and contingent workers

Page 9: A Study in Borderless Over Perimeter

Step 3 – Implemented over 200 security, process and SOD controls ingrained in the security platform, and actionable usage analytics

Financial platforms (180 SOD rules):
o Core banking
o Investment management
o Life insurance
o Property and casualty
o Treasury
o Core financials
o Fraud management
o Information technology

Compliance mandates covered: SOX; Privacy; FFIEC

Analytics Engine (input: Access Logs; output: Access Recommendations):
• Access Request – Peer recommendations
• Access Approval – Outlier analysis
• Access Certification – Outlier & Usage analysis

Page 10: A Study in Borderless Over Perimeter

Step 3 – Implemented over 200 security, process and SOD controls ingrained in the security platform, and actionable usage analytics (same slide as Page 9, with callouts from the Page 2 problem list)

Callouts:
• Growing security concerns on critical platforms
• Expanding compliance mandates

Page 11: A Study in Borderless Over Perimeter

Step 4 – Implemented fine-grained entitlement management for critical apps, cloud and big data platforms

[Diagram: fine-grained entitlement management layer of the Page 4 architecture; only the box labels survive extraction]

Managed Systems: Big Data; Cloud; Enterprise

Platform components:
• Fine-grained Roles and SOD
• Collection engines for user access and usage logs
• Audit and Control

Business View: IT Security, Auditors, IAM Admins

Saviynt AppSec Manager:
• Fine-grained SOD Management & Remediation
• Enterprise / Application Role Engineering & Management
• Controls Library (200+ security & SOD controls)
• Access Simulation & Version Mgmt.
• Collectors
• Access Request System
• Access Review
• Security & Compliance Reporting

Custom Critical Apps: Workday Admins, Big Data Admins, Platform Owners

Page 12: A Study in Borderless Over Perimeter

Step 4 – Implemented fine-grained entitlement management for critical apps, cloud and big data platforms (same slide as Page 11, with callouts from the Page 2 problem list)

Callouts:
• Increased adoption of Cloud & Big Data – Workday, Office 365, SaaS, Hadoop,…
• Adoption of BYOD is diluting the traditional perimeter
• Growing security concerns on critical platforms

Page 13: A Study in Borderless Over Perimeter

Step 5 – We are now implementing advanced behavioral analytics

[Diagram: behavior profiling pipeline; only the labels survive extraction]

Event attributes collected: User; Amount; Transactions; Date & Time; IP Address

Profile dimensions per user:
• Time Slices – Daily, Weekly, Monthly, Day of the Week, Time of Day, Holidays, Weekend
• Activity frequency
• Network Sources

Output: Behavior Profile, from which Suspicious Activities are flagged

Sample event record: John Doe, 10/10/2011, 12:03:20, 10.12.132.1, John Doe, Email sent
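The slide names the profile dimensions (time slices, activity frequency, network sources) and shows one event record, but not how a profile is built or scored. The block below is an added illustration, not Saviynt code: it parses records in the slide's field order (user, date, time, IP address, activity), builds a per-user baseline from a constructed week of history, and reports which dimensions a new event deviates on. The four time slices, the /24 network grouping and the 3x frequency multiplier are assumptions chosen for the example.

```python
"""Per-user behavior profile and deviation scoring over activity records in
the slide's field order (user, date, time, IP address, activity).

Added illustration, not Saviynt code. The history lines, the time-slice
boundaries, the /24 grouping and the spike multiplier are all constructed
choices for this example."""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed history: one ordinary working week for one user.
HISTORY = """\
John Doe, 10/03/2011, 09:12:41, 10.12.132.1, Email sent
John Doe, 10/03/2011, 11:47:03, 10.12.132.1, File downloaded
John Doe, 10/04/2011, 08:58:19, 10.12.132.7, Email sent
John Doe, 10/05/2011, 10:21:55, 10.12.132.1, Email sent
John Doe, 10/06/2011, 14:05:30, 10.12.132.1, File downloaded
John Doe, 10/07/2011, 16:40:02, 10.12.132.9, Email sent
"""

SPIKE_MULTIPLIER = 3  # assumed: flag a day with > 3x the user's mean event count


def time_slice(hour):
    """Assumed four-way time-of-day slicing (the slide lists 'Time of Day')."""
    if hour < 6:
        return "night"
    if hour < 12:
        return "morning"
    if hour < 18:
        return "afternoon"
    return "evening"


def network_of(ip):
    """Group source addresses by /24 so one office subnet counts as one source."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def parse(line):
    user, date, time, ip, activity = [f.strip() for f in line.split(",", 4)]
    ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    return {"user": user, "ts": ts, "ip": ip, "activity": activity}


def build_profiles(lines):
    """Baseline per user: time slices, weekdays and networks seen, plus mean
    events per active day (the slide's 'activity frequency' dimension)."""
    profiles = defaultdict(lambda: {"slices": set(), "weekdays": set(),
                                    "networks": set(), "per_day": Counter()})
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        p = profiles[ev["user"]]
        p["slices"].add(time_slice(ev["ts"].hour))
        p["weekdays"].add(ev["ts"].weekday())
        p["networks"].add(network_of(ev["ip"]))
        p["per_day"][ev["ts"].date()] += 1
    for p in profiles.values():
        p["mean_per_day"] = sum(p["per_day"].values()) / len(p["per_day"])
    return profiles


def score_line(profiles, line, todays_count=1):
    """Deviations of one new record from its user's profile; [] means it fits.
    `todays_count` is the user's running event count for that day."""
    ev = parse(line)
    p = profiles.get(ev["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if time_slice(ev["ts"].hour) not in p["slices"]:
        reasons.append("unusual time of day")
    if ev["ts"].weekday() not in p["weekdays"]:
        reasons.append("unusual day of week")
    if network_of(ev["ip"]) not in p["networks"]:
        reasons.append("new network source")
    if todays_count > SPIKE_MULTIPLIER * p["mean_per_day"]:
        reasons.append("activity spike")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # The slide's own sample record falls on a weekday afternoon from the usual subnet.
    print(score_line(profiles, "John Doe, 10/10/2011, 12:03:20, 10.12.132.1, Email sent"))
    # Constructed: a Sunday 02:15 download from an address outside the office /24.
    print(score_line(profiles, "John Doe, 10/09/2011, 02:15:00, 203.0.113.5, File downloaded"))
```

Set membership on coarse slices is deliberately forgiving: a 12:03 event matches the "afternoon" slice the user already occupies, so a slightly later lunch does not become an alert, while a night-time event from an unseen network accumulates several independent reasons that a risk ranking can weigh.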

Page 14: A Study in Borderless Over Perimeter

Step 5 – …and activating various insider threat management use cases

Insider Threat Intelligence
• Data theft detection and prevention
• Fraud detection and prevention
• VIP snooping
• Sabotage detection and prevention

Data Exfiltration Analytics
• Data theft detection/prevention
• Signature-less and correlation analysis of network and host DLP
• Risk ranking of incidents and case management

Fraud Intelligence
• Enterprise fraud detection
• Web fraud detection
• Customer service rep fraud detection

Identity & Access Intelligence
• Global Identity Warehouse
• Access risk monitoring & cleanup
• Risk-based access requests
• Risk-based access certifications

Big Data Analytics
• Data mining for security intelligence
• Purpose-built security analytics on Hadoop, Greenplum and other Big Data stores
• Visualization of linkages in large datasets

Cyber Threat Detection
• Targeted attack detection
• Low and slow attacks
• Advanced malware detection
• Investigation & response

Application Security Intelligence
• Privilege misuse
• Unusual view/download of sensitive information
• Account takeover
• Off-the-shelf and custom apps

Security Risk Monitoring
• Continuous risk monitoring
• Organization Risk Scorecard
• User Risk Scorecard
• System Risk Scorecard

Case Management
• Graphical link analysis using investigation workbench
• Case management
• Fully configurable workflow
• Reporting

Page 15: A Study in Borderless Over Perimeter

We helped realize tangible benefits for the client…

1. Uniform risk and security management
• Consistent security model using roles, SOD policies, rules, templates, etc. across various critical / enterprise applications, Big Data and Cloud providers
• 200+ security and SOD controls library and compliance dashboards provide visibility into security posture
• Automated security life-cycle management combined with actionable usage analytics
• REST APIs enable easy integration with enterprise applications

2. Faster time to value
• Saves >70% time in implementing security vis-à-vis traditional methods
• Pre-built life-cycle management modules and best-practice workflow
• Rapid application integration promotes a factory model

3. Lower TCO
• Subscription-based pricing model
• Cloud-based deployment option available, lowers hardware footprint
• Reduced administrative overhead for audit reporting and user access management
• Improved end user satisfaction with intuitive and mobile-ready security tools

Page 16: A Study in Borderless Over Perimeter

Visit us at www.saviynt.com or our booth at IRM Summit

Thank You

Questions?