Getting to an RBAC Model Easily · 2016-11-13
TRANSCRIPT
VANGUARD SECURITY & COMPLIANCE 2016
ATM09: Getting to an RBAC Model Easily
Carla A. Flores, CA Technologies
SECURITY & COMPLIANCE CONFERENCE 2016

Terms of this Presentation (For Informational Purposes Only)
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA Technologies presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Cost, effort and time are the biggest challenges customers face when it comes to mainframe security.
This session will provide an overview of how CA Cleanup reduces the effort and pressures associated with maintaining current regulatory, statutory and audit requirements.
We’ll cover how simple it is to use CA Cleanup as the first step to getting to a role-based access control implementation that reduces the cost of administering mainframe security.
Presenters:
Carla Flores, Sr. Principal Consultant, CA Technologies
John Pinkowski, Product Owner, CA Technologies
Agenda
1. BUSINESS CHALLENGE & NEED
2. EFFECTIVE CLEANUP AS YOUR #1 TASK
3. IDENTITY GOVERNANCE AND ROLE MINING
4. PHASED IMPLEMENTATION APPROACH & BEST PRACTICE
5. ROLE BASED ACCESS CONTROL BEST PRACTICES
6. OPEN DISCUSSION / Q&A
Business Challenges: What do you want to do?
Goals: MITIGATE RISK · SUPPORT THE BUSINESS · REDUCE COST OF COMPLIANCE
• Automate for efficiency (e.g. certification)
• Centralized visibility
• Reduce exception processing
• Least privileged access and SOD violations
• Enable business to be accountable (while minimizing their effort)
• Enable quick and secure access
• Improve security, not just pass the audit
• On-going remediation and improvement of compliance
• Eliminate terminated users, orphan accounts
• Reduce excessive entitlements
• Delete inactive accounts
• Improve role quality (redundancy)
• Automate HR changes related to role assignments
Quick Assessment
REDUCE RISK OF OVER-PRIVILEGED USERS
• Do I have Segregation of Duties violations right now?
• Do all my users have the correct access for their role(s)?
AUTOMATE IDENTITY PROCESSES
• Are my processes too manual? Are they inefficient?
• Do I have inconsistent security policies due to human error?
SIMPLIFY COMPLIANCE AUDITS
• Can I reduce the time & effort it takes to submit audit reports?
• Can I easily show “who has access to what”?
IMPROVE EMPLOYEE PRODUCTIVITY
• How much time do my managers spend in access certifications?
• How long does it take a new employee to have ALL their access and accounts available?
INCREASE USER PARTICIPATION
• Can I provide a one-stop-shop where my users can easily access all identity services in one place?
• Can I reduce the need for IT to manage identity processes?
PROVIDE OUTSTANDING USER EXPERIENCE
• Can the system interact with my users in business terms that they understand?
• Can I improve my user productivity and satisfaction?
Opportunities for Improvement
Reduce Risk: Devastating losses in the event of unauthorized access. There is a need to establish unique preventive and detective controls to reduce the likelihood of unauthorized access and limit the impact of such an event.
Improve Compliance: Growing regulatory concerns stemming from recent security breaches are driving new security requirements. Discovering and cleaning access is the first step to better manage both current and future compliance requirements.
Improve Operational Efficiency: Errors and mistakes made by administrators can lead to system outages and SLA violations and are costly to triage. Enhanced auditing and session recording capabilities can solve the attribution problem and help the engagement team address issues before they negatively impact operations.
Increase Productivity: Too many manual or ad-hoc processes to grant and manage access on the Mainframe. This leads to administrators either spending more time than necessary to grant access or taking shortcuts that impact the security posture of the entire organization. A consolidated platform to simplify administrator access can also enforce accountability and compliance.
Where Does Your Organization Stand?
Maturity stages: Manual → Integrated and Automated → Business Optimized
Manual:
• Reacting to audits with spreadsheets
• Compliance teams in silos with overlap
• Best effort security policy enforcement
Integrated and Automated / Business Optimized:
• Continuous compliance
• Systematic identification of access risk
• Streamlining existing processes
• Repeatable security practice
• Incorporated business relevance
• Intelligent decision support
• Identity intelligence
• Content-aware
• Security in the Cloud
Cleanup & Identity Governance: a winning combination…
Governing Access on the Mainframe (Cleanup + Identity Governance): Reduce time and cost of compliance, mitigate risk and support the business
50%+ of mainframe security databases contain orphaned, obsolete or redundant identities and entitlements.
Cleanup Access · Consolidate Entitlements · Repeatable Processes
• Automated removal of redundant or orphaned entitlements and access groups
• Least privileged access rights
• Gain rapid insight: who has access to what
• Identify exposures: wrong entitlements, inactive accounts, etc.
• Continuously monitor system usage over time
• Automate and streamline compliance processes and establish detective controls
Governing Access on the Mainframe (Cleanup + Identity Governance): Reduce time and cost of compliance, mitigate risk and support the business
UNDERSTAND ACCESS AT OUTSET → ESTABLISH REPEATABLE PROCESSES → CREATE FOUNDATION FOR SUCCESS
Identity Governance
• Correlate access from all systems
• Gain rapid insight: who has access to what
• Identify exposures: privilege, role and resource exceptions
• Privilege clean-up: remove incorrect access rights
• Establish business rules to enforce proper segregation of duties
• Define effective role model going forward
• Automate provisioning and codify SoD rules
• Create certification campaigns to automate and streamline the compliance process and establish detective controls to mitigate risk going forward
Cleanup
• Identify exposures: inactive, unreferenced accounts (based on usage)
• Privilege clean-up: remove entitlements and access groups no longer used
• Continuously monitor system usage over time to identify access that might no longer be needed going forward
“Who has access to what?” Example assessment in a CA ACF2 shop
[Figure: entitlements spread across Mainframe, Customer Database, Directory, HR, UNIX and Corporate Network for example users Sally Brown (Finance), Bob Thomas (Payments), Hiroki Shimada (IT), Harold Fletcher (Finance), Jane Coors (Payments), Morgan Smith (IT), Carlos Bayez (IT) and Laura Dempsey (Payments). Scale: 1,000,000’s entitlements, 15,000+ people, 100’s applications.]
1,123 combinations of UID string values, minus the LID.
443 refer to only 1 LID, 76 refer to 2, 42 refer to 3, 32 refer to 4 and 29 refer to 5.
662 unique combinations, or a little more than half, refer to 5 or fewer LIDs.
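The UID-string tallies above can be reproduced with a short script. The following is an added example, not CA's own tooling: it assumes a made-up UID layout (company, dept, job, then the LID) and constructed logonid records, groups UID strings by their value with the LID stripped off, and reports how many LIDs each combination covers. Combinations that cover a single LID are in effect per-person access rather than shared roles.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed UID-string layout for this example: ACF2 builds the UID by
# concatenating site-defined logonid fields, ending with the LID itself.
# The field names and widths here are made up; real layouts are site-specific.
UID_LAYOUT: List[Tuple[str, int]] = [("company", 3), ("dept", 4), ("job", 3), ("lid", 8)]
LID_WIDTH = UID_LAYOUT[-1][1]

# Constructed logonid records (company, dept, job, lid), using the slide's example people.
SAMPLE_LOGONIDS: List[Tuple[str, ...]] = [
    ("ACM", "FIN", "AP", "SBROWN"),     # Sally Brown, Finance
    ("ACM", "FIN", "AP", "HFLETCH"),    # Harold Fletcher, Finance
    ("ACM", "PAY", "CLK", "BTHOMAS"),   # Bob Thomas, Payments
    ("ACM", "PAY", "CLK", "JCOORS"),    # Jane Coors, Payments
    ("ACM", "PAY", "CLK", "LDEMPSEY"),  # Laura Dempsey, Payments
    ("ACM", "IT", "SYS", "HSHIMADA"),   # Hiroki Shimada, IT
    ("ACM", "IT", "OPS", "MSMITH"),     # Morgan Smith, IT
    ("ACM", "IT", "DBA", "CBAYEZ"),     # Carlos Bayez, IT
]

def build_uid(fields: Sequence[str]) -> str:
    """Concatenate the fields, space-padded to their layout widths."""
    return "".join(value.ljust(width) for value, (_, width) in zip(fields, UID_LAYOUT))

def strip_lid(uid: str) -> str:
    """The UID string 'minus the LID': everything before the trailing LID field."""
    return uid[:-LID_WIDTH]

def lids_per_combination(uids: Sequence[str]) -> Dict[str, List[str]]:
    """Group LIDs by the UID-string value they share once the LID is removed."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for uid in uids:
        groups[strip_lid(uid)].append(uid[-LID_WIDTH:].strip())
    return groups

def analyze(records: Sequence[Sequence[str]], small: int = 5) -> dict:
    """Reproduce the slide's tallies: distinct combinations, how many LIDs each
    covers, how many cover at most `small` LIDs, and the single-LID cases
    (access that is effectively per person rather than a role)."""
    groups = lids_per_combination([build_uid(r) for r in records])
    sizes = [len(lids) for lids in groups.values()]
    return {
        "combinations": len(groups),
        "histogram": dict(sorted(Counter(sizes).items())),
        "at_most_small": sum(1 for n in sizes if n <= small),
        "singletons": sorted(lids[0] for lids in groups.values() if len(lids) == 1),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOGONIDS))
```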
[Figure: level of privilege over time. An employee is hired and an ID is provisioned; new entitlements accumulate; when the employee leaves and the ID is de-provisioned, not all entitlements are removed, leaving orphan accounts and entitlements.]
Orphaned IDs and entitlements cause problems: not all entitlements are removed, and this creates a security risk!
Recommended Best Practice for Clean-up
• Run cleanup process for initial data collection
  • Best practice = 400 days
  • Or through all critical processing periods:
    • Month-end
    • Quarter-end
    • Year-end
    • Special Processing (i.e. 1099)
• Run cleanup to meet SLA for account/entitlement removals
• Maintain delete/recovery command files via GDG
Phased Clean-up Steps
• Run cleanup for unref=999
• Review summary report
  • Start with 100% non-use
• Cleanup based on selected resource types
• Review output
• Schedule cleanup cycle
• Execute deletes via batch
• Maintain delete/recovery command files as GDG(s) for audit and reference purposes
Phased Clean-up Steps
• Re-run cleanup for unref=999
• Review summary report
  • Now with 80-99% non-use
• Run cleanup with selected resource types*
• Review output
• Schedule cleanup cycle
• Execute deletes via batch
• Maintain delete/recovery command files as GDG(s) for audit and reference purposes
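One way to model the two passes above in code (an added example, not CA Cleanup's own logic or output format): constructed rule lines carry the days since they were last referenced, the non-use % of a rule set is taken as the share of its lines left unreferenced under unref=999 (a simplification of what the summary report shows), and each pass selects only the resource types chosen for it, writing paired delete and recovery records. The rule-set names, type labels and the DELETE/RESTORE record syntax are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
UNREF_DAYS = 999  # "unref=999": a line is unused if not referenced within 999 days
@dataclass
class RuleLine:
    """One permit in an access rule set (constructed model, not CA Cleanup's record format)."""
    rule_set: str                     # rule set key, e.g. a dataset high-level qualifier
    resource_type: str                # constructed type labels ("DSN", "FAC")
    text: str                         # the line as written, kept verbatim for recovery
    last_ref_days_ago: Optional[int]  # None = never referenced during the 400-day collection

# Constructed sample of collected usage; the rule-line text only mimics ACF2 style.
SAMPLE: List[RuleLine] = [
    RuleLine("PAYROLL", "DSN", "UID(ACMPAYCLK-) READ(A)", None),
    RuleLine("PAYROLL", "DSN", "UID(ACMFINAP-) WRITE(A)", 1200),  # older than unref: unused
    RuleLine("FINANCE", "DSN", "UID(ACMFINAP-) READ(A)", 12),     # used recently
    RuleLine("FINANCE", "DSN", "UID(ACMPAYCLK-) READ(A)", None),
    RuleLine("FINANCE", "DSN", "UID(ACMITDBA-) WRITE(A)", None),
    RuleLine("FINANCE", "DSN", "UID(ACMITSYS-) READ(A)", None),
    RuleLine("FINANCE", "DSN", "UID(ACMITOPS-) READ(A)", None),
    RuleLine("CICSADM", "FAC", "UID(ACMITSYS-) SERVICE(READ) ALLOW", None),
    RuleLine("SYSTEM", "DSN", "UID(ACMITSYS-) READ(A) WRITE(A)", 950),  # within unref: used
]

def is_unreferenced(line: RuleLine, unref_days: int = UNREF_DAYS) -> bool:
    return line.last_ref_days_ago is None or line.last_ref_days_ago > unref_days

def nonuse_percent(lines: List[RuleLine]) -> float:
    """Summary-report figure: share of a rule set's lines that went unreferenced."""
    return 100.0 * sum(is_unreferenced(l) for l in lines) / len(lines)

def select_for_phase(lines: List[RuleLine], low: float, high: float,
                     resource_types: Set[str]) -> List[RuleLine]:
    """Unreferenced lines of selected types in rule sets whose non-use % is within [low, high]."""
    by_set: Dict[str, List[RuleLine]] = {}
    for line in lines:
        by_set.setdefault(line.rule_set, []).append(line)
    chosen: List[RuleLine] = []
    for rule_lines in by_set.values():
        if low <= nonuse_percent(rule_lines) <= high:   # (100,100) first pass, (80,99) second
            chosen += [l for l in rule_lines
                       if is_unreferenced(l) and l.resource_type in resource_types]
    return chosen

def command_files(chosen: List[RuleLine]) -> Tuple[List[str], List[str]]:
    """Paired delete/recovery records (placeholder syntax); keeping both as GDG generations
    is what lets a batch delete be reversed."""
    deletes = [f"DELETE {l.rule_set}: {l.text}" for l in chosen]
    recovery = [f"RESTORE {l.rule_set}: {l.text}" for l in chosen]
    return deletes, recovery
```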
Gap Analysis – High Level Process
Objective:
• Identify risks, estimate time and effort
• Define and quantify objectives
Steps Involved:
1. Collect access rights from key systems
   a) Active Directory
   b) ACF2, RACF, Top Secret
2. Add HR information
3. Produce analysis report
   • Quality assessment: users and access rights
   • Exceptions & policy violations (e.g. SoD)
   • Role modeling recommendations
[Figure: the HR system and collected access rights feed Identity Governance, which performs clean-up, compliance testing, role modeling and analysis.]
CA Identity Governance
[Figure: Identity Governance collects entitlements from Enterprise Apps, Windows/UNIX, Virtualized Apps, Active Directory and Mainframe, and serves the Role Analyst, Business Manager and IT Audit & Compliance Team through Segregation of Duties Policies, Entitlements Certification, Role Modeling/Management, and Reports & Dashboards.]
Identity Governance
– Central warehouse for visibility
– Automate entitlements certification
– Dashboard and entitlement reports
– Verify identity policies (e.g. SoD)
– Role management
Designed for Rapid Time-To-Value
– Role analytics to business context
– Audits to identify excessive and inconsistent access rights
Case Study: Large Retailer Streamlining Mainframe Access
Population: employees, contractors and partners
Challenges:
• Fragmented entitlements
• Lack of visibility of access
• Un-optimized group access
• Orphan accounts
• Overlapping access
• Manual entitlement reviews
• No standardized role definitions
Proven highly scalable solution: analyzed 250,000 accounts and 66 million access rights, and discovered 200 roles within 3 minutes
“CA Identity Governance provided the most rapid TTV of any IAM product I’ve ever used…” - VP of IT
Implementation Steps and Timeline
Cleanup
• Findings: Cleanup is currently running; it needs to run through year-end processing for confidence
• Steps: (ACF2) Nextkey merge/cleanup; purge obsolete rule lines either phased or all at once; ongoing Cleanup
Role Survey
• Finding: Current mix of entitlements typically makes automated role mining impractical
• Steps: Manually assess business functions and roles
Role Mining
• Finding: Leverage Identity Governance role mining recommendations and attestation
• Steps: Determine acceptable level of role matching; identify SoD violations; identify where people fall outside the normal access structure; define role groupings in CA ACF2
Roll-out
• Big Bang: convert everything over a single weekend
• Phased implementation: define everyone based on new role; migrate based on business tolerance
Timeline figures shown on the slide: 8-12 weeks, 6-8 weeks, 10-12 weeks, 1-x weeks.
This could be done in tandem with Cleanup and/or during year-end freeze.
Role Based Access Control - Best Practice Approach
Phase 1: Planning → Phase 2: Foundation → Phase 3: Automation → Phase 4: Optimization
Activities across the phases:
• Data Discovery
• Entitlements Certification
• Role Management
• User Provisioning
• Gap Analysis
• Visibility, Audit & Clean-Up
• Role Modeling
• Business Case Development
• Project Planning
• Ongoing Refinement
• Segregation of Duties Policies
• User Activity Monitoring
Underpinned by Executive Sponsorship & Business Acceptance
Summary: The Value
• Protects against both external and internal threats
• Enables compliance for privileged identity and administrative access across the Mainframe
• Reduces costs and improves efficiency through automated security controls
• Reduces the burden of security administration and lessens confusion for less skilled staff
Questions/Open Discussion
What are your challenges?
Thank you!