An Identity-focused Approach to Compliance
DESCRIPTION
Come to this session to learn how Novell Compliance Management Platform addresses risk management, access management, and continuous controls testing and monitoring using an identity management based approach. See how Novell Identity Manager and Novell Sentinel provide an end-to-end solution for preventative and detective controls. We'll show you how the Role Mapping Administrator can manage roles-based access to authorizations in enterprise applications. We'll also show how Identity Tracking can not only report on user activity across enterprise applications, but also blend multi-source technical events with business-relevant data to provide identity-based dashboards and reports.
TRANSCRIPT
An Identity-focused Approach to Compliance
Mark Worwetz, Senior Engineering Manager, Novell Inc.
Volker Scheuber, Senior Engineering Manager, Novell Inc.
© Novell, Inc. All rights reserved.
Novell® Compliance Management Platform
• Integrated Identity and Security Management Platform
  – Software Components
    > Identity Vault
    > Novell® Identity Manager with Roles Based Provisioning Module
    > Novell® Sentinel™
    > Novell® Access Manager™
  – Tools
    > Designer for Novell Identity Manager
    > Analyzer for Novell Identity Manager
  – Solution Content
    > Integrated Provisioning and Access Control Policies and Workflows
    > Identity Tracking
    > Identity and Security Monitoring and Reporting
Novell® Compliance Management Platform (cont.)
• CMP 1.x Value Proposition
  – To which systems do people have access?
    > Identity Tracking
  – How did people get access to systems?
    > Automated provisioning events
    > Workflow provisioning events
  – What are people doing with their access?
    > Identity-based Reporting
Role Provisioning
System Assets, Accounts, and Authorizations
Monitoring and Reporting
IT Compliance Lifecycle
Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
Real time risk response
Allow business to determine best long-term response
Monitor and detect risk
Analyze risk versus thresholds
Evaluate processes and business objectives to identify and qualify risks
Role Provisioning
System Assets, Accounts, and Authorizations
Monitoring and Reporting
What's Next?
Role Provisioning
System Assets, Accounts, and Authorizations
What Is My IT Risk?
IT Risk = ???
Monitoring and Reporting
IT Risk Calculation Enablers
• Asset Valuation Criteria Workflow
  – $$$ High Value
  – $$ Medium Value
  – $ Low Value
• Identify and Assign Asset Owners Workflow
  – John Smith – System Owner, GroupWise®
  – Abby Spencer – System Owner, Financials Database
  – Chip Nano – System Owner, Golf Tournament Database
IT Risk Calculation Enablers (cont.)
• Asset Valuation Workflows
  – GroupWise® =
  – Financials =
  – Golf Tournament Database =
• Authorizations Threat Assessment Workflows
  – High Threat
  – Medium Threat
  – Low Threat
IT Risk Calculation Enablers (cont.)
• Identify Unmanaged/Privileged Accounts Workflows
  – SAP*, DDIC
  – Administrator
  – Root
• Customized Risk Analysis
  – Allows partners and customers to add additional criteria for calculating IT risk
    > Threat Communities and Capabilities
    > Locale-Specific Threats
    > Industry-Specific Threats
    > Compliance Regulation Concerns
Role Provisioning
System Assets, Accounts, and Authorizations
Monitoring and Reporting
System and Authorization Assessment
IT Risk Calculation and Monitoring Tools
• Threat-Enabled Role Mapping Administrator
  – Bubble up system authorization threat level to business roles
  – Approval workflows for role mappings
• Risk Analysis Tools
  – Monitor authorization entitlement grants
  – Monitor activities of User communities
  – Risk-related Reports and Dashboards
Role Provisioning
System Assets, Accounts, and Authorizations
Monitoring and Reporting
Risk Calculation Enabled
IT Risk =
Role Provisioning
System Assets, Accounts, and Authorizations
Monitoring and Reporting
How Can I Mitigate these Risks?
IT Risk =
IT Risk Control Tools
• Threat-Enabled Role-based Provisioning Module
  – Allow Business Owners to recognize and mitigate risk in provisioning activities
• Impact Reports and Dashboards
  – Did Risk turn into Damage? What was the cost?
  – Risk Heat Maps
  – Should Controls be added, modified, removed?
• Controls Content
  – Packaged policy, monitoring, and reporting content to apply controls to areas of risk
Provisioning Controls Enabled
Multiple Approvals based on Role Level
System Asset Values and Authorization Threats
Valued by Asset Owner
IT Risk =
Automated Approvals based on Role Level
Monitoring and Reporting
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.