Adam Evans, Senior Identity & Access Specialist, 21 March 2017
Innovation In Action
Supporting Security Through Next Generation Identity Governance
#MFSummit2017
Agenda
• The Origins of Identity Governance
• Identity Governance 1.x
  • Pros
  • Cons
• Identity Governance.NextGen
• Five Steps to Efficient ID Governance
• Questions & Answers
Identity Governance: The Origins…
Identity Repositories
The Evolution of Identity Governance? Phase One: The Proliferation of Identity Repositories
Identity Repository
Presenter
Presentation Notes
Identity management started with a single repository, e.g. Mainframe, AS/400 (iSeries) etc. Then came others: UNIX, file & print, email, client-server applications. The result was an administration nightmare in terms of account maintenance and password resets, and users had lots of credentials to remember. Offboarding wasn’t so much of an issue, as external connectivity was limited at best.
The Evolution of Identity Governance? Phase Two: The Directory Services “Silver Bullet”
Identity Repositories
Directory Services…plus Identity Repositories
…or NOT!
Presenter
Presentation Notes
Directory Services were the industry response: a single central identity repository that can be leveraged by applications and services, e.g. X.500 (LDAP), NDS (eDirectory), Active Directory. They met with limited success, as full integration was hard to achieve, and administration overhead did not significantly fall. Also, in a time of greater connectivity, identity lifecycle was gaining in prominence.
The Evolution of Identity Governance? Phase Three: Provisioning, Password Sync & SSO
Identity Repositories
Directory Services…plus Identity Repositories
Provisioning/Pwd Sync
Single-Sign On
Presenter
Presentation Notes
The next evolution was a dual-pronged approach. The first prong concentrated on centralised provisioning, where identities are created once in an authoritative system (e.g. an HR application) and synchronised to a central identity vault and subsequently to all connected systems. The really clever provisioning solutions delivered a high degree of identity integrity by allowing authoritative attributes to be defined on the source systems (as opposed to a single authoritative application), e.g. email or telephone extension, and by tightly controlling change propagation such that only changes made to authoritative attribute values are synchronised to connected systems.

The challenges around re-provisioning (change) and de-provisioning were also addressed at this time by synchronising changes to authoritative attribute values that drive wholesale change, such as job role changes, secondment and ending the relationship (leaving the organisation). This did, however, depend on a system being connected to the provisioning solution. Provisioning has evolved over the years, delivering key capabilities such as role-based provisioning, an end-user UI, a request engine, workflow etc., and now delivers comprehensive identity lifecycle through identity management.

The second prong concentrated on reducing administration and lost productivity by reducing the number of credentials that a user has to remember: synchronising passwords across connected systems and delivering SSO via enterprise (fat application) SSO, web SSO and later federation, which is beyond the scope of this presentation.
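The attribute-level control described in these notes (each attribute owned by one authoritative source, only authoritative changes propagated, role and status changes driving re-provisioning and de-provisioning) is easiest to see in code. The following is an added example written for this page, not the presenter's or any vendor's code; the systems (HR, EMAIL, PBX, AD, ERP, WMS), the attribute-ownership rules, the role-to-system mapping and the identity values are all constructed for illustration.

```python
"""Attribute-level authoritative provisioning, as sketched in the Phase Three notes.

Added example, not the presenter's or any vendor's code.  The systems (HR, EMAIL,
PBX, AD, ERP, WMS), the attribute ownership rules and the identity values are
all constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed policy: which source system is authoritative for which attribute.
AUTHORITY = {
    "full_name": "HR", "job_role": "HR", "status": "HR",
    "email": "EMAIL", "extension": "PBX",
}
# Constructed role-based provisioning rule: job role -> systems that get an account.
ROLE_SYSTEMS = {
    "Accounts Clerk": {"AD", "ERP"},
    "Warehouse Operative": {"AD", "WMS"},
}
# Constructed: attributes each connected system consumes from the vault.
CONSUMED = {
    "AD": {"full_name", "email", "extension"},
    "ERP": {"full_name", "email"},
    "WMS": {"full_name"},
}


@dataclass
class Vault:
    """The central identity vault plus a mirror of each connected system's accounts."""
    identities: dict = field(default_factory=dict)   # identity id -> attributes
    accounts: dict = field(default_factory=lambda: {s: {} for s in CONSUMED})
    log: list = field(default_factory=list)


def _reconcile(vault, iid):
    """Create or remove accounts so connected systems match the identity's role and status."""
    ident = vault.identities[iid]
    wanted = set() if ident.get("status") == "LEAVER" else ROLE_SYSTEMS.get(ident.get("job_role"), set())
    for system, accts in vault.accounts.items():
        if system in wanted and iid not in accts:
            accts[iid] = {a: ident[a] for a in CONSUMED[system] if a in ident}
            vault.log.append(f"PROVISION {iid} -> {system}")
        elif system not in wanted and iid in accts:
            del accts[iid]
            vault.log.append(f"DEPROVISION {iid} <- {system}")


def apply_change(vault, source, iid, attr, value):
    """Accept a change only from the system authoritative for `attr`, then propagate it.

    Returns True if the change was accepted, False if it was rejected."""
    if AUTHORITY.get(attr) != source:
        vault.log.append(f"REJECT {source} is not authoritative for {attr}")
        return False
    ident = vault.identities.setdefault(iid, {})
    ident[attr] = value
    if attr in ("job_role", "status"):
        _reconcile(vault, iid)   # wholesale change: joiner, mover or leaver
    for system, accts in vault.accounts.items():
        if iid in accts and attr in CONSUMED[system]:
            accts[iid][attr] = value   # attribute sync to a connected system
            vault.log.append(f"SYNC {attr} -> {system}")
    return True


def joiner_mover_leaver_demo():
    """Run a joiner / mover / leaver lifecycle for one constructed identity."""
    v = Vault()
    apply_change(v, "HR", "e1001", "full_name", "Jane Doe")
    apply_change(v, "HR", "e1001", "job_role", "Accounts Clerk")        # joiner: AD + ERP
    apply_change(v, "EMAIL", "e1001", "email", "jane.doe@example.com")  # synced to AD and ERP
    apply_change(v, "AD", "e1001", "job_role", "Finance Manager")       # rejected: AD not authoritative
    apply_change(v, "HR", "e1001", "job_role", "Warehouse Operative")   # mover: ERP removed, WMS added
    apply_change(v, "HR", "e1001", "status", "LEAVER")                  # leaver: everything removed
    return v


if __name__ == "__main__":
    for line in joiner_mover_leaver_demo().log:
        print(line)
```

The log produced by the demo shows the point of the design: a role change from HR re-provisions the identity, a change attempted from a non-authoritative system is refused rather than pushed out to every connected system, and the leaver status from HR is the one event that removes all accounts.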
What Does This Have To Do With ID Governance? Sarbanes-Oxley Act 2002, Section 404
Assessment of Internal Control: requires management & external auditor to report on the adequacy of the company's internal control on financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
Presenter
Presentation Notes
Through all of this evolution, along came SoX, which included a section (404) that places greater scrutiny on the internal controls placed on identities. Key areas are as follows:
- Regular review of all access in the organization.
- Controls in place to detect and manage toxic combinations of entitlements (SoD).
- Timely removal of access when it is no longer required (orphaned/unmapped accounts).
- Privileged account management (including business justification).
- Ability to demonstrate compliance to auditors.
Unfortunately, SoX 404 is aimed at the business, and identity management doesn’t really deliver the necessary controls in order to gain, maintain and demonstrate compliance. The initial approach was to fire up Excel and email in order to demonstrate compliance using manual processes. Everyone quickly realised that manual processes didn’t work, as they placed a huge burden on the business and were very cumbersome and error prone. This led to what Gartner terms Identity Governance 1.x, which was later rolled into identity lifecycle and Identity Governance & Administration.
What Does This Have To Do With ID Governance? Sarbanes-Oxley Act 2002, Section 404
• Ability to Collect Accounts & Permissions from Apps
  • Central Repository of All Access
  • Automatically Link Accounts to Identities
  • Configure & Forget
  • Scheduled
• Policy
  • Create & Apply Consistent Policies
  • SoD, Risk, High Privileged Access, Unmapped/Orphaned
  • Easily Identify Policy Violations from the “Noise”
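The collection and policy capabilities listed on this slide, together with the SoX 404 key areas in the notes above (SoD, orphaned/unmapped accounts, privileged access), are shown end to end in the following added example. It is not the presenter's or any product's code: the HR identity record, the two application extracts, the correlation rules, the SoD policy and the set of privileged permissions are all constructed for illustration, and the split of "unmapped" (no identity matches) from "orphaned" (the owner has left) is this example's own labelling of what the slides call unmapped/orphaned.

```python
"""Collect accounts from applications, link them to identities and apply policy.

Added example, not the presenter's or any product's code.  The identity
record, the two application extracts, the SoD policy and the list of
privileged permissions are all constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed authoritative identity source (e.g. an HR feed).
IDENTITIES_CSV = """employee_id,name,email,status
1001,Jane Doe,jane.doe@example.com,ACTIVE
1002,Sam Roe,sam.roe@example.com,ACTIVE
1003,Alex Poe,alex.poe@example.com,LEAVER
"""
# Constructed collections from two applications.  ERP carries an employee id on
# each account; AD only carries a mail attribute, so it is linked by email.
ERP_CSV = """account,employee_id,permissions
jdoe,1001,AP_CREATE_VENDOR;AP_APPROVE_PAYMENT
sroe,1002,AP_CREATE_VENDOR
apoe,1003,GL_VIEW
svc_batch,,AP_APPROVE_PAYMENT
"""
AD_CSV = """account,mail,permissions
jane.doe,jane.doe@example.com,Domain Users;Domain Admins
sam.roe,sam.roe@example.com,Domain Users
old.admin,,Domain Admins
"""

# Constructed policies: toxic combinations and permissions that count as privileged.
SOD_POLICIES = [("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "Vendor creation vs payment approval")]
PRIVILEGED = {"Domain Admins", "AP_APPROVE_PAYMENT"}


def load_identities(text=IDENTITIES_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def collect(app, text, link_attr, identity_key, identities):
    """Parse one application's extract and link each account to an identity.

    link_attr is the column on the account, identity_key the matching identity column."""
    index = {i[identity_key]: i["employee_id"] for i in identities if i[identity_key]}
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "app": app,
            "account": row["account"],
            "identity": index.get(row[link_attr]),          # None when no identity matches
            "permissions": {p for p in row["permissions"].split(";") if p},
        })
    return accounts


def evaluate(identities, accounts):
    """Return (kind, app, subject, detail) findings: UNMAPPED, ORPHANED, PRIVILEGED, SOD."""
    findings = []
    active = {i["employee_id"] for i in identities if i["status"] == "ACTIVE"}
    perms_by_identity = defaultdict(set)
    for a in accounts:
        if a["identity"] is None:
            findings.append(("UNMAPPED", a["app"], a["account"], "no owning identity"))
        elif a["identity"] not in active:
            findings.append(("ORPHANED", a["app"], a["account"], f"owner {a['identity']} is not active"))
        else:
            perms_by_identity[a["identity"]].update(a["permissions"])
        for p in sorted(a["permissions"] & PRIVILEGED):
            findings.append(("PRIVILEGED", a["app"], a["account"], p))
    # SoD is evaluated per identity, across all of that identity's linked accounts.
    for iid, perms in sorted(perms_by_identity.items()):
        for left, right, name in SOD_POLICIES:
            if left in perms and right in perms:
                findings.append(("SOD", "identity", iid, name))
    return findings


def run(identities_csv=IDENTITIES_CSV, erp_csv=ERP_CSV, ad_csv=AD_CSV):
    identities = load_identities(identities_csv)
    accounts = (collect("ERP", erp_csv, "employee_id", "employee_id", identities)
                + collect("AD", ad_csv, "mail", "email", identities))
    return evaluate(identities, accounts)


if __name__ == "__main__":
    for finding in run():
        print(*finding, sep="\t")
```

Two design points matter here: linking is done per application with whatever attribute that application actually carries (employee id where available, email where not), and SoD is evaluated on the identity after all of its accounts have been linked, so a toxic combination split across two applications is still caught.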
Identity Governance & Administration 1.x: Pros…
• Review Management
  • Create Targeted Review Campaigns
  • Run Review on a Schedule and/or Ad-Hoc
  • Track Completion & Escalate
• Persistent Information Overload
  • Little or No Reduction In Number of Review Items
  • Lack of Business Context
  • Automation of Controls, Not The Review
Identity Governance & Administration 1.x: Cons…
[Slide mock-up of a 1.x review screen: a long list of review items (Permission #1 … #7, #21 … #27, #x1 … #x7) with the buttons “Select All” (1), “Keep” (2) and “Next” (3) highlighted in that order]
Presenter
Presentation Notes
IGA 1.x concentrated on delivering automation and tracking around the review process, but didn’t do much to reduce the burden on the business, as 1.x simply carried forward the manual process where each account and entitlement was reviewed individually. Additionally, the review items were in IT language and had little meaning to the business. The result was information overload, which inevitably led the person completing the review to select all, click keep, followed by next. While this technically meets the requirement, it falls way short of addressing the intent of the requirement and achieves little more than shifting the blame around the business.
• No Decision Support
  • Requires Manual Intelligence Gathering
Identity Governance & Administration 1.x: Cons…
[Slide mock-up of the same review list (Permission #1 … #x7), annotated with the questions the reviewer has to answer without decision support:]
• Who Approved These Permissions?
• When Did This Person Get These Permissions?
• Are These Direct Assignments, or Part of a Role?
• Are These Permissions Normal?
• What Do These Permissions Mean?
• Do These Permissions Violate Any SoD Policies?
• Is This Person a Privileged User?
• How Did The Person Get These Permissions?
Presenter
Presentation Notes
The lack of decision support placed a large burden on the business, as the person completing the review had to carry out their own investigation for each review item in order to ascertain whether it was authorised and appropriate. Also, as the investigation was manual, there was usually nearly zero audit trail.
• It Does Not Significantly Reduce Risk
Identity Governance & Administration 1.x: Cons…
[Timeline diagram: Review Campaign #1 (Collect → Review → Sign Off → Certified) followed by Review Campaign #2 (Collect → Review); a Change made after certification opens a Risk Window (~6 Months?) that stays open until the next campaign]
• The Role Mining Myth
  • It Looks Good in Demos
  • But…
Identity Governance & Administration 1.x: Cons…
• Are All The Permission Assignments:
  • Correct?
  • Appropriate?
  • Accurate (Point in Time)?
• Are The New Roles Appropriate?
  • Do They Reflect The Business?
  • Are They Close To Existing Roles?
• Will Risk Be Accurately Represented?
• Delivers Automation & Review Oversight
• No Significant Reduction in Review Effort
• Lack of Decision Support
• No Reduction in Risk
• Review Items Usually Out Of Date
• Select All, Keep, Next!
• Can be Authorised at the role, or More Granular with Time Limits
Step Two – Reduce the Noise: Business Roles…
• Capability Centric
• Review at Macro Level
• Assignment is based on Permissions Assigned
Step Two – Reduce the Noise: Technical Roles…
Step Two – Reduce the Noise: Working with Roles…
Step Two – Reduce Noise Without Increasing Risk: Risk-Based Reviews…
• Concentrate on High Risk Access
• Review Everything Else Less Often… If At All… Or On Change
Step Three – Make Informed Decisions: Context-Based Decision Support…
[Slide mock-up of a NextGen review item with context panels: Usage Guidance, Permission Relationship, Person Details, Permission Details]
Step Four – Close the Risk Windows: Event-Based Reviews – High Risk Group Example…
Person Added to High Risk AD Group (e.g. Domain Admins) → Detected by Change Guardian → Alert Raised → Alert Event Triggers a Review of the User → Complete Fulfilment (If Required) → Store Decision (for Audit)
Window of Risk: Near Real-Time
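Steps Two to Four on the preceding slides (collapse role-granted permissions into one review item, review by risk rather than everything every time, carry context on each item, and trigger a review from a high-risk change event instead of waiting for the next campaign) are pulled together in the following added example. It is written for this page and is not the presenter's or any product's code: the business role, the risk classification, the review intervals and the alert line are constructed, and the alert format in particular is invented here and is not Change Guardian's.

```python
"""Review items built from roles and risk (Step Two) with context (Step Three),
plus an event-triggered review that closes the risk window (Step Four).

Added example, not the presenter's or any product's code.  The role model,
risk classification, review intervals and the alert line format are
constructed; the alert format in particular is invented and is not Change
Guardian's.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed business role model: role -> technical permissions it grants.
ROLES = {"Finance Clerk": {"ERP:GL_VIEW", "ERP:AP_CREATE_VENDOR", "AD:Finance-Share"}}
# Constructed risk classification; any permission not listed is LOW risk.
HIGH_RISK = {"AD:Domain Admins", "ERP:AP_APPROVE_PAYMENT"}
# Constructed review cadence: high-risk access is reviewed often, the rest rarely.
REVIEW_INTERVAL = {"HIGH": timedelta(days=90), "LOW": timedelta(days=365)}


def build_review_items(user, roles, permissions, last_reviewed, now):
    """Collapse role-granted permissions into one item per role, then keep only
    items that are due according to their risk level.  last_reviewed maps a
    review subject to the datetime it was last certified."""
    items, covered = [], set()
    for role in roles:
        covered |= ROLES[role]
        items.append({"user": user, "subject": f"role:{role}", "via": "role",
                      "risk": "HIGH" if ROLES[role] & HIGH_RISK else "LOW"})
    for perm in sorted(permissions - covered):          # direct assignments only
        items.append({"user": user, "subject": perm, "via": "direct",
                      "risk": "HIGH" if perm in HIGH_RISK else "LOW"})
    due = []
    for item in items:
        last = last_reviewed.get(item["subject"])
        if last is None or now - last >= REVIEW_INTERVAL[item["risk"]]:
            due.append(item)
    return due


# Constructed alert line from a change-monitoring tool (format invented here).
ALERT = "2017-03-21T09:15:02Z AD GROUP_MEMBER_ADDED group='Domain Admins' member='jdoe' by='svc_helpdesk'"


def parse_alert(line):
    ts, source, kind, rest = line.split(" ", 3)
    fields = dict(re.findall(r"(\w+)='([^']*)'", rest))
    return {"time": ts, "source": source, "kind": kind, **fields}


def event_review(alert):
    """Raise an immediate review item when a user is added to a high-risk group."""
    subject = f"{alert['source']}:{alert.get('group', '')}"
    if alert["kind"] == "GROUP_MEMBER_ADDED" and subject in HIGH_RISK:
        return {"user": alert["member"], "subject": subject, "via": "direct", "risk": "HIGH",
                "trigger": alert["time"], "changed_by": alert["by"]}
    return None


def decide(item, reviewer, decision, now):
    """Store the decision for audit; a REVOKE also yields the fulfilment action."""
    record = {**item, "reviewer": reviewer, "decision": decision, "decided_at": now.isoformat()}
    record["fulfilment"] = (f"remove {item['subject']} from {item['user']}"
                            if decision == "REVOKE" else None)
    return record


def scheduled_demo():
    """Constructed user: one role, two direct grants, a recent and a stale certification."""
    now = datetime(2017, 3, 21, 10, 0, tzinfo=timezone.utc)
    perms = {"ERP:GL_VIEW", "ERP:AP_CREATE_VENDOR", "AD:Finance-Share",
             "ERP:AP_APPROVE_PAYMENT", "AD:Printers"}
    history = {"role:Finance Clerk": now - timedelta(days=30), "AD:Printers": now - timedelta(days=400)}
    return build_review_items("jdoe", ["Finance Clerk"], perms, history, now)


def event_demo(decision="REVOKE"):
    """Parse the constructed alert, raise the review and record the decision."""
    now = datetime(2017, 3, 21, 10, 0, tzinfo=timezone.utc)
    item = event_review(parse_alert(ALERT))
    return decide(item, "line.manager", decision, now) if item else None


if __name__ == "__main__":
    for item in scheduled_demo():
        print("scheduled:", item)
    print("event-driven:", event_demo())
```

In the constructed case five permissions become three review items, of which only the two direct grants are due (one high risk and never certified, one low risk but stale); the group addition in the alert produces its own item within the same run rather than six months later, and the stored record carries who changed what, who reviewed it and what fulfilment followed.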
Step Five – Demonstrating Governance: Tracking…
Step Five – Demonstrating Governance: Reporting…
Presenter
Presentation Notes
There’s no point in being compliant unless you can demonstrate it! Reporting is often the Achilles heel, not just of governance offerings, but generally across the board. Identity Governance.NextGen addresses these shortcomings in subtle ways which have proven rather effective. IG.NextGen delivers reporting via a centralised reporting capability, which brings a number of benefits:
- Standardised reporting across the IGA portfolio.
- Report updates are delivered by a different channel than solution updates, reducing time to fix.
- Reporting is delivered on a mature, proven platform.
Here we can see a few reports that are typically asked for by auditors:
- Access Review report, showing what decision was made, when it was made and by whom. It also shows any decision overrides and comments.
- Collection Overview. This shows the last collection of identities and application sources and demonstrates that the review was carried out using current information.
- SoD open violations overview, which shows the current status of any open SoD violations. You can see from the report that there is currently one violation that is approved, which means that a compensating control has been applied, and a second violation that has not been reviewed.
Step Five – Demonstrating Governance: Analytics…
Presenter
Presentation Notes
Analytics is at the heart of demonstrating governance. We have already seen analytics used to support the decision-making process by showing how a review item is currently being used by the business. Analytics can also be used to provide a dashboard, “compliance at a glance”, view. There are many metrics that can be placed on the dashboard; here is an example of a few.

The first one shows information about data collection. An important part of demonstrating compliance is working with current data. Here we can see an overview of the identities, applications and permissions collected, including the last publication date.

The next one shows the number of unmapped (orphaned) accounts by application. There seem to be a lot of unmapped accounts, which is not good, so I may want to take a look at that and work out why this is the way it is.

Finally, we have a view of how many unmapped accounts there are, the number of accounts per user and the percentage of unmapped accounts. This actually sheds some light on the previous view, as I can see a sudden spike in unmapped accounts, which could be the result of a new application being onboarded that has a problem with the account mapping.

So, we can see how analytics can firstly, quickly identify when there is a problem and secondly, help identify the cause of a problem, all from one dashboard. This is yet another example of how Identity Governance.NextGen delivers unprecedented insight without increasing the burden on the organisation.
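The three dashboard views described in these notes (collection overview, unmapped accounts by application, and the accounts-per-user / percentage-unmapped trend that reveals the spike) reduce to a small amount of arithmetic over collection history, which the following added example carries out. It is written for this page and is not the presenter's or any product's code; the collection history (three publication dates, an application onboarded in the last one) and the identity count are constructed so that the spike and its cause are reproducible.

```python
"""Dashboard analytics over collection history: unmapped-account metrics and
spike attribution.  Added example, not the presenter's or any product's code;
the collection history and identity count are constructed for illustration.
"""

# Constructed collection history: publication date -> {application: (accounts, unmapped)}.
COLLECTIONS = [
    ("2017-01-07", {"AD": (1200, 12), "ERP": (640, 8)}),
    ("2017-02-04", {"AD": (1210, 14), "ERP": (645, 9)}),
    ("2017-03-04", {"AD": (1215, 13), "ERP": (650, 9), "CRM": (480, 210)}),  # CRM newly onboarded
]
IDENTITY_COUNT = 1150  # constructed number of identities in the vault


def metrics(collections=COLLECTIONS, identities=IDENTITY_COUNT):
    """One dashboard row per collection: accounts, unmapped, % unmapped, accounts per user."""
    rows = []
    for date, apps in collections:
        accounts = sum(total for total, _ in apps.values())
        unmapped = sum(u for _, u in apps.values())
        rows.append({
            "date": date,
            "accounts": accounts,
            "unmapped": unmapped,
            "pct_unmapped": round(100.0 * unmapped / accounts, 1),
            "accounts_per_user": round((accounts - unmapped) / identities, 2),
        })
    return rows


def find_spikes(collections=COLLECTIONS, factor=2.0):
    """Flag collections whose unmapped total grew by `factor` or more since the
    previous collection, and name the application that drove the increase."""
    spikes = []
    for (_, prev), (date, cur) in zip(collections, collections[1:]):
        before = sum(u for _, u in prev.values())
        after = sum(u for _, u in cur.values())
        if before and after >= factor * before:
            growth = {app: cur[app][1] - prev.get(app, (0, 0))[1] for app in cur}
            driver = max(growth, key=growth.get)
            spikes.append({"date": date, "unmapped_before": before, "unmapped_after": after,
                           "driver": driver, "driver_growth": growth[driver],
                           "driver_new_to_collection": driver not in prev})
    return spikes


if __name__ == "__main__":
    for row in metrics():
        print(row)
    for spike in find_spikes():
        print("SPIKE", spike)
```

The spike check deliberately compares totals between consecutive collections rather than against a fixed threshold, so it reacts to a change in the organisation's own baseline, and the attribution step reports whether the driving application was absent from the previous collection, which is exactly the "new application onboarded with a mapping problem" case the notes describe.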
• Automates the Entire Review Process
  • Efficiency Without Compromise
• Curation, Roles, Risk-Based Review
  • Enables the Business to Make Informed Decisions