Getting to an RBAC Model Easily · 2016-11-13 · slide transcript

Page 1: Getting to an RBAC Model Easily · 2016-11-13

VANGUARD SECURITY & COMPLIANCE 2016

Carla A. Flores

CA Technologies

ATM09

Getting to an RBAC Model Easily

SECURITY & COMPLIANCE CONFERENCE 2016

Page 2

Terms of this Presentation

For Informational Purposes Only

© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA Technologies presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Page 3

Abstract

Cost, effort and time are the biggest challenges customers face when it comes to mainframe security.

This session will provide an overview of how CA Cleanup reduces the effort and pressures associated with maintaining current regulatory, statutory and audit requirements.

We’ll cover how simple it is to use CA Cleanup as the first step to getting to a role-based access control implementation that reduces the cost of administering mainframe security.

Carla Flores, CA Technologies, Sr. Principal Consultant

John Pinkowski, CA Technologies, Product Owner

Page 4

Agenda

1. BUSINESS CHALLENGE & NEED

2. EFFECTIVE CLEANUP AS YOUR #1 TASK

3. IDENTITY GOVERNANCE AND ROLE MINING

4. PHASED IMPLEMENTATION APPROACH & BEST PRACTICE

5. ROLE BASED ACCESS CONTROL BEST PRACTICES

6. OPEN DISCUSSION / Q&A

Page 5

Business Challenges: What do you want to do?

MITIGATE RISK · SUPPORT THE BUSINESS · REDUCE COST OF COMPLIANCE

• Automate for efficiency (e.g. certification)

• Centralized visibility

• Reduce exception processing

• Least-privileged access; detect and remove SoD violations

• Enable the business to be accountable (while minimizing its effort)

• Enable quick and secure access

• Improve security, not just pass the audit

• On-going remediation and improvement of compliance

• Eliminate terminated users and orphan accounts

• Reduce excessive entitlements

• Delete inactive accounts

• Improve role quality (remove redundancy)

• Automate HR changes related to role assignments

Page 6

Quick Assessment

REDUCE RISK OF OVER-PRIVILEGED USERS

Do I have Segregation of Duties violations right now? Do all my users have the correct access for their role(s)?

AUTOMATE IDENTITY PROCESSES

Are my processes too manual? Are they inefficient? Do I have inconsistent security policies due to human error?

SIMPLIFY COMPLIANCE AUDITS

Can I reduce the time & effort it takes to submit audit reports? Can I easily show “who has access to what”?

IMPROVE EMPLOYEE PRODUCTIVITY

How much time do my managers spend in access certifications? How long does it take a new employee to have ALL their access and accounts available?

INCREASE USER PARTICIPATION

Can I provide a one-stop-shop where my users can easily access all identity services in one place? Can I reduce the need for IT to manage identity processes?

PROVIDE OUTSTANDING USER EXPERIENCE

Can the system interact with my users in business terms that they understand? Can I improve my user productivity and satisfaction?

Page 7

Opportunities for Improvement

Reduce Risk

Devastating losses in the event of unauthorized access. There is a need to establish unique preventive and detective controls to reduce the likelihood of unauthorized access and limit the impact of such an event.

Improve Compliance

Growing regulatory concerns stemming from recent security breaches are driving new security requirements. Discovering and cleaning access is the first step to better manage both current and future compliance requirements.

Improve Operational Efficiency

Errors and mistakes made by administrators can lead to system outages and SLA violations and are costly to triage. Enhanced auditing and session recording capabilities can solve the attribution problem and help the engagement team address issues before they negatively impact operations.

Increase Productivity

Too many manual or ad-hoc processes to grant and manage access on the Mainframe. This leads to administrators either spending more time than necessary to grant access or taking shortcuts that weaken the security posture of the entire organization. A consolidated platform to simplify administrator access can also enforce accountability and compliance.

Page 8

Where Does Your Organization Stand?

Manual

• Reacting to audits with spreadsheets

• Compliance teams in silos with overlap

• Best effort security policy enforcement

Integrated and Automated

• Continuous compliance

• Systematic identification of access risk

• Streamlining existing processes

• Repeatable security practice

Business Optimized

• Incorporated business relevance

• Intelligent decision support

• Identity intelligence

• Content-aware

• Security in the Cloud

Page 9

Cleanup & Identity Governance A winning combination…

Page 10

Governing Access on the Mainframe (Cleanup + Identity Governance): Reduce time and cost of compliance, mitigate risk and support the business

50%+ of mainframe security databases contain orphaned, obsolete or redundant identities and entitlements.

Cleanup Access · Consolidate Entitlements · Repeatable Processes

• Automated removal of redundant or orphaned entitlements and access groups

• Least privileged access rights

• Gain rapid insight: who has access to what

• Identify exposures: wrong entitlements, inactive accounts, etc.

• Continuously monitor system usage over time

• Automate and streamline compliance processes and establish detective controls

Page 11

Governing Access on the Mainframe (Cleanup + Identity Governance): Reduce time and cost of compliance, mitigate risk and support the business

UNDERSTAND ACCESS AT OUTSET · ESTABLISH REPEATABLE PROCESSES · CREATE FOUNDATION FOR SUCCESS

Identity Governance

• Correlate access from all systems

• Gain rapid insight: who has access to what

• Identify exposures: privilege, role and resource exceptions

• Privilege clean-up: remove incorrect access rights

• Establish business rules to enforce proper segregation of duties

• Define the effective role model going forward

• Automate provisioning and codify SoD rules

• Create certification campaigns to automate and streamline the compliance process and establish detective controls to mitigate risk going forward

Cleanup

• Identify exposures: inactive, unreferenced accounts (based on usage)

• Privilege clean-up: remove entitlements and access groups no longer used

• Continuously monitor system usage over time to identify access that might no longer be needed going forward

Page 12

“Who has access to what?” Example assessment in a CA ACF2 shop

[Diagram: access matrix of people against systems. Systems: Email, Mainframe, Customer Database, Directory, HR, UNIX, Corporate Network. People: Sally Brown (Finance), Bob Thomas (Payments), Hiroki Shimada (IT), Harold Fletcher (Finance), Jane Coors (Payments), Morgan Smith (IT), Carlos Bayez (IT), Laura Dempsey (Payments).]

Scale: 1,000,000’s of entitlements, 15,000+ people, 100’s of applications.

Finance: 1,123 combinations of UID string values, minus the LID. (In CA ACF2 the UID string is assembled from fields of the logonid record, such as site, department and job function, with the logonid itself at the end; access rules are written against UID masks, so the UID string minus the LID is the de facto role key that groups people.)

443 of these combinations refer to only 1 LID, 76 refer to 2, 42 refer to 3, 32 refer to 4 and 29 refer to 5.

622 unique combinations (443 + 76 + 42 + 32 + 29), or a little more than half, refer to 5 or fewer LIDs: most of the existing de facto roles cover only a handful of people.
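The UID-string counts above are a role-mining measurement. As an added example that is not the deck’s tooling or CA ACF2 output, the Python below reproduces that measurement over constructed logonid records: it builds each UID string from a hypothetical field layout, strips the LID, counts how many LIDs share each remaining combination, and also resolves an ACF2-style UID mask (`*` matches one position, `-` matches the remainder) to the LIDs it covers, which is the “who has access to what” question for a single rule line. The field layout, sample records and the candidate-role threshold are my assumptions.

```python
"""UID-string assessment for role mining over CA ACF2-style logonids.

Added example, not the deck's tooling. Assumptions (mine): the UID string is
the concatenation of logonid fields in a site-defined order with the LID last
(ACF2 builds UIDs from logonid fields; the field layout here is hypothetical),
and a rule's UID mask uses '*' for one position and '-' for the remainder.
Records are constructed.
"""
from collections import Counter, defaultdict

UID_FIELDS = ("site", "dept", "jobfunc", "lid")  # hypothetical UID layout

# Constructed logonid records (names echo the deck's example matrix).
SAMPLE_LOGONIDS = [
    {"lid": "SBROWN",  "site": "NY", "dept": "FIN", "jobfunc": "ACCT"},
    {"lid": "HFLETCH", "site": "NY", "dept": "FIN", "jobfunc": "ACCT"},
    {"lid": "AWONG",   "site": "CH", "dept": "FIN", "jobfunc": "ACCT"},
    {"lid": "BTHOMAS", "site": "NY", "dept": "PAY", "jobfunc": "CLRK"},
    {"lid": "JCOORS",  "site": "NY", "dept": "PAY", "jobfunc": "CLRK"},
    {"lid": "LDEMPSY", "site": "NY", "dept": "PAY", "jobfunc": "CLRK"},
    {"lid": "PKUMAR",  "site": "CH", "dept": "PAY", "jobfunc": "SUPV"},
    {"lid": "HSHIMAD", "site": "NY", "dept": "IT",  "jobfunc": "SYSP"},
    {"lid": "MSMITH",  "site": "NY", "dept": "IT",  "jobfunc": "SYSP"},
    {"lid": "CBAYEZ",  "site": "CH", "dept": "IT",  "jobfunc": "SYSP"},
]


def uid_string(record, fields=UID_FIELDS):
    """Full UID string, LID included, as a rule line would see it."""
    return "".join(record[f] for f in fields)


def uid_prefix(record, fields=UID_FIELDS):
    """UID string minus the LID: the part shared by everyone in the same job."""
    return "".join(record[f] for f in fields if f != "lid")


def lids_per_combination(records):
    """Map each UID prefix (candidate role) to the set of LIDs carrying it."""
    combos = defaultdict(set)
    for r in records:
        combos[uid_prefix(r)].add(r["lid"])
    return combos


def coverage_histogram(combos):
    """{n: number of prefixes shared by exactly n LIDs}, the deck's 443/76/42... figures."""
    return Counter(len(lids) for lids in combos.values())


def small_combinations(combos, max_lids=5):
    """(prefixes covering max_lids or fewer LIDs, total prefixes)."""
    small = sum(1 for lids in combos.values() if len(lids) <= max_lids)
    return small, len(combos)


def role_candidates(combos, min_lids=3):
    """Prefixes broad enough to be worth defining as roles (threshold is mine)."""
    return {p: sorted(lids) for p, lids in combos.items() if len(lids) >= min_lids}


def uid_matches(uid, mask):
    """ACF2-style masking: '*' matches one character, '-' matches the rest."""
    for i, m in enumerate(mask):
        if m == "-":
            return True
        if i >= len(uid) or (m != "*" and m != uid[i]):
            return False
    return len(uid) == len(mask)


def lids_matching(records, mask):
    """Who a rule line written against this UID mask actually grants access to."""
    return sorted(r["lid"] for r in records if uid_matches(uid_string(r), mask))


if __name__ == "__main__":
    combos = lids_per_combination(SAMPLE_LOGONIDS)
    print("LIDs per combination:", dict(coverage_histogram(combos)))
    print("combinations covering <= 5 LIDs / total:", small_combinations(combos))
    print("role candidates:", role_candidates(combos))
    print("mask **IT- covers:", lids_matching(SAMPLE_LOGONIDS, "**IT-"))
```

Run against a real logonid extract, the histogram tells you how many de facto roles are really one-person roles, and `lids_matching` on each rule line’s UID mask gives the per-rule population that an access review has to certify.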

Page 13

[Chart: level of privilege against time. The employee is hired and an ID is provisioned; new entitlements accumulate over time; the employee leaves and the ID is de-provisioned, but not all entitlements are removed, leaving orphan accounts and entitlements.]

Orphaned IDs and entitlements cause problems: not all entitlements are removed when a person leaves, and this creates a security risk!

Page 14

Recommended Best Practice for Clean-up

• Run the cleanup process for initial data collection

  • Best practice = 400 days of collection (a full year plus margin, so that every annual job has run at least once before any entitlement is judged unused)

  • Or at least through all critical processing periods:

    • Month-end

    • Quarter-end

    • Year-end

    • Special processing (e.g. 1099)

• Run cleanup to meet the SLA for account/entitlement removals

• Maintain delete/recovery command files via GDG (a generation data group, so each cycle’s delete commands and the matching recovery commands are retained for audit and rollback)

Page 15

Phased Clean-up Steps

• Run cleanup for unref=999

• Review summary report

• Start with 100% non-use

• Cleanup based on selected resource types

• Review output

• Schedule cleanup cycle

• Execute deletes via batch

• Maintain delete/recovery command files as GDG(s) for audit and reference purposes

Page 16

Phased Clean-up Steps

• Re-run cleanup for unref=999

• Review summary report

• Now with 80-99% non-use

• Run cleanup with selected resource types

• Review output

• Schedule cleanup cycle

• Execute deletes via batch

• Maintain delete/recovery command files as GDG(s) for audit and reference purposes
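Pages 14 to 16 describe one procedure: collect usage for a full cycle, take the 100% non-use entitlements first, then the 80-99% band for selected resource types, execute the deletes in batch, and keep paired delete/recovery files per generation. As an added example that is not CA Cleanup’s logic and not ACF2 command syntax, the Python below runs that procedure over constructed usage records. Assumptions of mine: an entitlement’s non-use percentage is the share of its holders who never referenced it in the window; no delete is proposed until the window spans 400 days; the command records are illustrative text, and the generation suffix mimics GDG naming.

```python
"""Phased, usage-based entitlement cleanup.

Added example; not CA Cleanup's own logic and not ACF2 command syntax.
Assumptions (mine): the collection window must span 400 days before any
delete is proposed; an entitlement's non-use % is the share of its holders
that never referenced it in the window; every proposed delete gets a paired
recovery record, and both files carry a generation suffix that mimics GDG
naming so each cycle is retained for audit. Records are constructed.
"""
from collections import defaultdict
from datetime import date

MIN_WINDOW_DAYS = 400
COLLECTION_START = date(2015, 10, 1)   # constructed: a 409-day window
COLLECTION_END = date(2016, 11, 13)

# Constructed usage: (entitlement, resource type, holder LID, references seen)
SAMPLE_USAGE = [
    ("PAYROLL.MASTER", "DATASET", "HSHIMAD", 0),
    ("PAYROLL.MASTER", "DATASET", "SBROWN",  0),
    ("PAYROLL.MASTER", "DATASET", "BTHOMAS", 0),
    ("GL.POSTING",     "DATASET", "SBROWN",  412),
    ("GL.POSTING",     "DATASET", "HFLETCH", 0),
    ("GL.POSTING",     "DATASET", "JCOORS",  0),
    ("GL.POSTING",     "DATASET", "MSMITH",  0),
    ("GL.POSTING",     "DATASET", "CBAYEZ",  0),
    ("PAYTRAN",        "CICS",    "BTHOMAS", 88),
    ("PAYTRAN",        "CICS",    "LDEMPSY", 91),
    ("PAYTRAN",        "CICS",    "MSMITH",  0),
    ("OPER.CONSOLE",   "OPER",    "HSHIMAD", 0),
    ("OPER.CONSOLE",   "OPER",    "CBAYEZ",  0),
]


def window_is_sufficient(start, end, minimum=MIN_WINDOW_DAYS):
    """A year-end or 1099 job that runs once a year still counts as used, so
    refuse to judge anything until a full cycle has been observed."""
    return (end - start).days >= minimum


def summarize(usage):
    """Per entitlement: resource type, holders, unused holders, non-use %."""
    holders, unused, rtype = defaultdict(set), defaultdict(set), {}
    for ent, rt, lid, refs in usage:
        rtype[ent] = rt
        holders[ent].add(lid)
        if refs == 0:
            unused[ent].add(lid)
    return {
        ent: {"rtype": rtype[ent], "holders": holders[ent], "unused": unused[ent],
              "nonuse_pct": 100 * len(unused[ent]) // len(holders[ent])}
        for ent in holders
    }


def select_for_phase(summary, low_pct, high_pct, resource_types=None):
    """Entitlements in the non-use band (phase 1: 100-100, phase 2: 80-99),
    optionally restricted to the resource types chosen for this cycle."""
    return sorted(
        ent for ent, s in summary.items()
        if low_pct <= s["nonuse_pct"] <= high_pct
        and (resource_types is None or s["rtype"] in resource_types)
    )


def build_command_files(summary, selected, generation):
    """One delete record per unused holder plus the matching recovery record."""
    delete_name = f"CLEANUP.DELETE.G{generation:04d}V00"
    recover_name = f"CLEANUP.RECOVER.G{generation:04d}V00"
    deletes, recovers = [], []
    for ent in selected:
        s = summary[ent]
        for lid in sorted(s["unused"]):
            deletes.append(f"REMOVE {s['rtype']} {ent} FROM {lid}")
            recovers.append(f"GRANT  {s['rtype']} {ent} TO {lid}")
    return {delete_name: deletes, recover_name: recovers}


def run_phase(usage, start, end, low_pct, high_pct, resource_types=None, generation=1):
    """One cleanup cycle: check the window, summarize, select, emit command files."""
    if not window_is_sufficient(start, end):
        raise ValueError("collection window shorter than 400 days; keep collecting")
    summary = summarize(usage)
    selected = select_for_phase(summary, low_pct, high_pct, resource_types)
    return selected, build_command_files(summary, selected, generation)


if __name__ == "__main__":
    sel1, files1 = run_phase(SAMPLE_USAGE, COLLECTION_START, COLLECTION_END, 100, 100)
    sel2, files2 = run_phase(SAMPLE_USAGE, COLLECTION_START, COLLECTION_END, 80, 99,
                             {"DATASET"}, generation=2)
    for name, lines in {**files1, **files2}.items():
        print(name, *lines, sep="\n  ")
```

The recovery file is the part worth keeping: a delete that turns out to have removed a once-a-year entitlement is reversed from the matching generation rather than reconstructed from memory, which is why the deck wants both files retained per cycle.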

Page 17

Gap Analysis: High Level Process

Objective:

• Identify risks, estimate time and effort

• Define and quantify objectives

Steps Involved:

1. Collect access rights from key systems

   a) Active Directory

   b) ACF2, RACF, Top Secret

2. Add HR information

3. Produce analysis report

   • Quality assessment: users and access rights

   • Exceptions & policy violations (e.g. SoD)

   • Role modeling recommendations

[Diagram: the HR System and the collected Access Rights feed Identity Governance, which performs Clean-Up, Compliance Testing, Role Modeling and Analysis.]
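The three steps above (collect access rights, add HR information, produce the report) are what a gap analysis actually computes. As an added example that is not CA Identity Governance’s logic, the Python below joins constructed access rights from two systems with a constructed HR feed and produces the report items the deck lists: quality figures, orphan accounts, SoD violations against a hypothetical toxic-combination policy, and people holding access that none of their active department peers hold (the “outside the normal access structure” check that later feeds role modeling). Data, policy names and the peer-comparison rule are my assumptions.

```python
"""Gap-analysis report: collected access rights joined with HR data.

Added example; not CA Identity Governance's logic. The HR feed, access
rights, SoD policy names and the outlier rule are constructed/hypothetical.
"""
from collections import defaultdict

# Constructed HR feed: LID -> (department, employment status).
HR = {
    "SBROWN": ("Finance", "active"), "HFLETCH": ("Finance", "active"),
    "AWONG": ("Finance", "active"),
    "BTHOMAS": ("Payments", "active"), "JCOORS": ("Payments", "active"),
    "LDEMPSY": ("Payments", "terminated"),
    "HSHIMAD": ("IT", "active"), "MSMITH": ("IT", "active"), "CBAYEZ": ("IT", "active"),
}

# Constructed access rights collected from several systems: (system, LID, entitlement).
ACCESS = [
    ("ACF2", "SBROWN",  "GL.POSTING"),
    ("ACF2", "HFLETCH", "GL.POSTING"),
    ("ACF2", "HFLETCH", "GL.APPROVE"),
    ("ACF2", "AWONG",   "GL.APPROVE"),
    ("ACF2", "BTHOMAS", "PAY.CREATE"),
    ("ACF2", "JCOORS",  "PAY.CREATE"),
    ("ACF2", "BTHOMAS", "PAY.RELEASE"),
    ("ACF2", "LDEMPSY", "PAY.CREATE"),        # terminated, still entitled
    ("AD",   "LDEMPSY", "CN=Payments-Ops"),
    ("AD",   "SBROWN",  "CN=Finance-Users"),
    ("AD",   "HFLETCH", "CN=Finance-Users"),
    ("AD",   "AWONG",   "CN=Finance-Users"),
    ("ACF2", "HSHIMAD", "SYS1.PARMLIB"),
    ("ACF2", "MSMITH",  "SYS1.PARMLIB"),
    ("ACF2", "CBAYEZ",  "SYS1.PARMLIB"),
    ("ACF2", "SBROWN",  "SYS1.PARMLIB"),      # finance user with a sysprog right
    ("ACF2", "XTEMP01", "PAY.RELEASE"),       # no HR record at all
]

# Hypothetical SoD policy: nobody may hold both entitlements of a pair.
SOD_POLICIES = {
    "create-and-release-payment": ("PAY.CREATE", "PAY.RELEASE"),
    "post-and-approve-journal": ("GL.POSTING", "GL.APPROVE"),
}


def entitlements_by_lid(access):
    """Correlate rights from all systems into one set per LID."""
    held = defaultdict(set)
    for _system, lid, ent in access:
        held[lid].add(ent)
    return held


def orphan_accounts(access, hr):
    """{lid: reason} for accounts without an active HR owner."""
    reasons = {}
    for lid in entitlements_by_lid(access):
        if lid not in hr:
            reasons[lid] = "no HR record"
        elif hr[lid][1] != "active":
            reasons[lid] = hr[lid][1]
    return reasons


def sod_violations(access, policies):
    """Sorted (lid, policy) pairs where one person holds a toxic combination."""
    held = entitlements_by_lid(access)
    return sorted((lid, name) for lid, ents in held.items()
                  for name, (a, b) in policies.items() if a in ents and b in ents)


def outliers(access, hr):
    """Entitlements that no other active member of the holder's department has;
    departments with fewer than two active members are skipped (no peers)."""
    held = entitlements_by_lid(access)
    members = defaultdict(list)
    for lid, (dept, status) in hr.items():
        if status == "active":
            members[dept].append(lid)
    flagged = []
    for lids in members.values():
        if len(lids) < 2:
            continue
        for lid in lids:
            peers = set().union(*(held[p] for p in lids if p != lid))
            flagged.extend((lid, ent) for ent in held[lid] - peers)
    return sorted(flagged)


def gap_report(access, hr, policies):
    """Quality figures, exceptions and policy violations, role-modeling hints."""
    held = entitlements_by_lid(access)
    return {
        "accounts": len(held),
        "entitlements": sum(len(e) for e in held.values()),
        "orphans": orphan_accounts(access, hr),
        "sod_violations": sod_violations(access, policies),
        "outliers": outliers(access, hr),
    }


if __name__ == "__main__":
    for key, value in gap_report(ACCESS, HR, SOD_POLICIES).items():
        print(f"{key}: {value}")
```

The outlier list is a review queue, not a delete list: a lone approver in a small department is legitimately unusual, which is why the deck pairs this analysis with attestation before roles are cut over.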

Page 18

CA Identity Governance

[Diagram: Identity Governance at the centre, connected to Enterprise Apps, Windows/UNIX, Virtualized Apps, Active Directory and the Mainframe. The Role Analyst works on Role Modeling/Management, the Business Manager on Entitlements Certification, and the IT Audit & Compliance Team on Reports & Dashboards and Segregation of Duties Policies.]

Identity Governance

– Central warehouse for visibility

– Automate entitlements certification

– Dashboard and entitlement reports

– Verify identity policies (e.g. SoD)

– Role management

Designed for Rapid Time-To-Value

– Role analytics to business context

– Audits to identify excessive and inconsistent access rights

Page 19

Case Study: Large Retailer Streamlining Mainframe Access

[Diagram: contractors, partners and employees all needing mainframe access.]

Challenges:

• Fragmented entitlements: lack of visibility of access, un-optimized group access, orphan accounts, overlapping access

• Manual entitlement reviews

• No standardized role definitions

Proven highly scalable solution: analyzed 250,000 accounts and 66 million access rights and discovered 200 roles within 3 minutes.

“CA Identity Governance provided the most rapid TTV of any IAM product I’ve ever used…” - VP of IT

Page 20

Implementation Steps and Timeline

Durations shown on the timeline: 8-12 weeks, 6-8 weeks, 10-12 weeks and 1-x weeks.

Cleanup

Findings:
- Cleanup is currently running
- Needs to run through year-end processing for confidence

Steps:
- (ACF2) Nextkey merge/cleanup
- Purge obsolete rule lines, either phased or all at once
- Ongoing cleanup

Role Survey

Finding: the current mix of entitlements typically makes automated role mining impractical

Steps:
- Manually assess business functions and roles

Role Mining

Finding: leverage Identity Governance role mining recommendations and attestation

Steps:
- Determine the acceptable level of role matching
- Identify SoD violations
- Identify where people fall outside the normal access structure
- Define role groupings in CA ACF2

Roll-out

- Big Bang: convert everything over a single weekend
- Phased implementation: define everyone based on the new role, then migrate based on business tolerance

This could be done in tandem with Cleanup and/or during the year-end freeze.

Page 21

Role Based Access Control - Best Practice Approach

Executive Sponsorship & Business Acceptance

Phase 1: Planning

Phase 2: Foundation

Phase 3: Automation

Phase 4: Optimization

Activities mapped across the four phases on the slide: Data Discovery, Gap Analysis, Business Case Development, Project Planning, Entitlements Certification, Visibility, Audit & Clean-Up, Segregation of Duties Policies, Role Modeling, Role Management, User Provisioning, User Activity Monitoring, Ongoing Refinement.

Page 22

THE VALUE

Summary

• Protects against both external and internal threats

• Enables compliance for privileged identity and administrative access across the Mainframe

• Reduces costs and improves efficiency through automated security controls

• Reduces the burden of security administration and lessens confusion for less skilled staff

Questions/Open Discussion: What are your challenges?

Page 23

Thank you!

SECURITY & COMPLIANCE CONFERENCE 2016