implementing process controls and risk management with novell compliance management platform...
DESCRIPTION
Managing processes, automatically testing controls within processes, and proactively managing risk through key performance/risk indicators are significant challenges to establishing GRC/IT-GRC practices and an effective compliance framework. This session will focus on the current and future capabilities of Novell Compliance Management Platform that can assist organizations with implementing process controls and risk management throughout the enterprise. We will provide specific examples with SAP GRC Access Control, Process Control and Risk Management.
TRANSCRIPT
Implementing Process Controls and Risk Management with Novell® Compliance Management Platform extension for SAP Environments
Mark Worwetz, Senior Engineering Manager, Novell Inc., [email protected]
Volker Scheuber, Consulting Engineer, Novell Inc., [email protected]
© Novell, Inc. All rights reserved.
Novell® Compliance Management Platform
• Integrated Identity and Security Management Platform
  – Software Components
    > Identity Vault
    > Novell® Identity Manager with Roles Based Provisioning Module (RBPM)
    > Novell® Sentinel™
    > Novell® Access Manager™
  – Tools
    > Designer for Novell Identity Manager
    > Analyzer for Novell Identity Manager
  – Solution Content
    > Integrated Provisioning and Access Control Policies and Workflows
    > Identity Tracking
    > Identity and Security Monitoring and Reporting
Extension for SAP Environments
• Role Mapping Administrator
  – Tool for mapping SAP-specific authorizations to RBPM Business Roles
• SAP Drivers – New or Enhanced
  – SAP User Management Fanout Driver
  – SAP Business Logic Driver
  – SAP Portal (UME) Driver
  – SAP BusinessObjects Access Control Driver
• SAP Solution Pack
  – SAP-specific Sentinel Content
• SAP-specific Identity Manager Content
  – Driver Configurations, Policies, Workflows
Technical Integration Goals
• Develop SAP-Oriented Solution Synergies
  – Allow Identity Manager customers to utilize the advanced Segregation of Duties and Risk Analysis/Remediation capabilities of SAP BusinessObjects Access Control
  – Extend the reach of SAP BusinessObjects Access Control to other Enterprise Systems via Identity Manager
  – Integrate Sentinel™ with the SAP Computing Center Management System (CCMS)
  – Provide an SAP Solution Pack for Sentinel
• Extend Existing Integrations with SAP Products
  – SAP ERP Human Capital Management (HCM)
  – SAP User Management
  – SAP User Management Engine (UME)
• Provide a Roles-based Entitlement Content Framework
Scenario 1: SAP User Provisioning
IDM Provisioning of SAP Users
[Diagram, built up over three slides: IDM Provisioning of SAP Users, with Monitoring and Reporting. Elements shown: SAP HCM (ABAP; later SAP HCM Self-Service), Abby Spencer – Sales Rep, SAP CRM (ABAP) – Sales Rep, SAP Portal – Sales Rep, Mtn Region Sales Rep.]
Role to Authorization Mapping
Role “IT Specialist”
• SAP System N4S (CRM) Client 100
  – Single Role: SAP_ALM_ADMINISTRATOR
  – Single Role: SAP_BC_BASIS_ADMIN
  – Single Role: SAP_BC_DB_ADMIN
  – Composite Role: SAP_BC_MID_ALE_ADMIN
• SAP System S7H (HR - SAPABAP) Client 300
  – Profile: SAP_ALL
• SAP Portal (CRM Portal)
  – Group: /VIRSA/VFAT_ADMINISTRATOR
  – Role: Administrator
Role Mapping Administrator
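The mapping on the previous slide, worked through as an added example (Python written for this page, not Novell's or SAP's own code): the "IT Specialist" entitlements are resolved to per-system authorizations and diffed against what a user currently holds, which is the set of grants and revokes each fan-out driver would push. The second business role, the current-state records and the high-risk list are constructed assumptions; the "IT Specialist" entries are the slide's.

```python
"""Resolve RBPM business roles to per-system SAP authorizations and compute
the fan-out provisioning delta for one user.

Added example, not Novell or SAP code. The "IT Specialist" mapping is taken
from the slide; the second business role, the current-state records and the
high-risk list are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One SAP-side entitlement as the Role Mapping Administrator records it."""
    system: str   # "N4S" (CRM ABAP), "S7H" (HR ABAP) or "CRM Portal" (UME)
    client: str   # ABAP client number; "" for the portal
    kind: str     # single_role | composite_role | profile | group | role
    name: str


# Business role -> SAP authorizations (slide content for "IT Specialist").
BUSINESS_ROLES = {
    "IT Specialist": frozenset({
        Authorization("N4S", "100", "single_role", "SAP_ALM_ADMINISTRATOR"),
        Authorization("N4S", "100", "single_role", "SAP_BC_BASIS_ADMIN"),
        Authorization("N4S", "100", "single_role", "SAP_BC_DB_ADMIN"),
        Authorization("N4S", "100", "composite_role", "SAP_BC_MID_ALE_ADMIN"),
        Authorization("S7H", "300", "profile", "SAP_ALL"),
        Authorization("CRM Portal", "", "group", "/VIRSA/VFAT_ADMINISTRATOR"),
        Authorization("CRM Portal", "", "role", "Administrator"),
    }),
    # Constructed role that overlaps with the one above.
    "Basis Operator": frozenset({
        Authorization("N4S", "100", "single_role", "SAP_BC_BASIS_ADMIN"),
    }),
}

# Entitlements that must be surfaced to the approver / risk analysis rather
# than granted silently (constructed list; SAP_ALL is the obvious member).
HIGH_RISK = {("profile", "SAP_ALL")}


def resolve(business_roles):
    """Union of SAP authorizations implied by a user's business roles."""
    target = set()
    for role in business_roles:
        target |= BUSINESS_ROLES[role]
    return target


def provisioning_delta(current, business_roles):
    """Compare what the user holds with what the roles imply.

    Returns per-system grant/revoke lists (what each fan-out driver would
    push) and the high-risk grants that need explicit approval.
    """
    target = resolve(business_roles)
    plan = defaultdict(lambda: {"grant": [], "revoke": []})
    for auth in sorted(target - current, key=lambda a: (a.system, a.name)):
        plan[auth.system]["grant"].append(auth)
    for auth in sorted(current - target, key=lambda a: (a.system, a.name)):
        plan[auth.system]["revoke"].append(auth)
    flagged = [a for a in target - current if (a.kind, a.name) in HIGH_RISK]
    return dict(plan), flagged


# Constructed current state: one correct role plus one stale role that no
# business role maps to any more.
CURRENT_STATE = {
    Authorization("N4S", "100", "single_role", "SAP_BC_BASIS_ADMIN"),
    Authorization("N4S", "100", "single_role", "Z_LEGACY_REPORTING"),
}

if __name__ == "__main__":
    plan, flagged = provisioning_delta(CURRENT_STATE, ["IT Specialist", "Basis Operator"])
    for system, actions in plan.items():
        print(system, "grant:", [a.name for a in actions["grant"]],
              "revoke:", [a.name for a in actions["revoke"]])
    print("needs explicit approval:", [(a.system, a.name) for a in flagged])
```

Overlapping business roles collapse to a single grant per authorization, stale entitlements that no role explains become revokes (the reconciliation half of provisioning), and the SAP_ALL profile is returned separately so the workflow can route it to a risk analysis or approver instead of pushing it as a routine grant.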
Scenario 2: SAP User Provisioning using SAP BusinessObjects Access Control
IDM Provisioning to Access Control
[Diagram: IDM Provisioning to Access Control, with Monitoring and Reporting.]
Additional Security Benefits
• Roles for all SAP systems are aggregated in Access Control
• Risk Analysis can be run for all SAP role assignment requests
• Risk Mitigation can be performed prior to approval of role assignments
• IDM exposes the results of SAP Risk Analysis in Provisioning Workflow
  – Provides critical risk information to Role Approver
  – Provides information to guide tuning of Enterprise Role Model and Process Controls
• Leaves the ultimate decision on SAP Provisioning Security in the domain of the SAP System and Business Owners
SAP Risk Analysis Results
IDM Provisioning Request Results
Scenario 3: IDM User Provisioning using SAP BusinessObjects Access Control
Access Control Provisioning to IDM
[Diagram: Access Control Provisioning to IDM, with Monitoring and Reporting.]
Scenario Characteristics
• Roles for non-SAP systems are imported to Access Control
• Risk Analysis Rules can be implemented for non-SAP systems
• Risk Mitigation can be performed prior to requesting provisioning of role assignments to non-SAP systems
• IDM can act as a Provisioning Agent to non-SAP systems
Where Are We Going From Here?
Value Proposition
Provide the Platform for a Comprehensive IT Compliance LifeCycle!
IT Compliance Lifecycle
[Cycle diagram with the following stages:]
– Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
– Real time risk response
– Allow business to determine best long-term response
– Monitor and detect risk
– Analyze risk versus thresholds
– Evaluate processes and business objectives to identify and qualify risks
Typical IT Concerns Never Stop
for(;;) {
    Are the Business Service Level Agreements being met?
    Are my Employees as Productive as Possible?
    Is My Infrastructure Compliant?
    Are my IT System and Application Administrators following established processes?
    Are my Controls Adequate and Efficient?
    Are my Control Policies Protected?
    Can I Verify all of this?
}
Data Gathering... Plus Risk Management...
SAP BusinessObjects Risk Management Integration
• Novell® Compliance Management Platform ability to deliver a great deal of data related to IT Systems, Users, Provisioning, Access, etc.
• SAP BusinessObjects Risk Management ability to Identify and Calculate Risk based on data from Key Risk Indicator (KRI) data providers
Enterprise IT Risk Management Solutions!
Novell® IT Key Risk Indicators (KRI)
• Gather Information about Risky Behaviors
  – Bad Login Attempts
  – Password Changes
  – Authorization Changes
• Gather IT Performance Values
  – Metrics for System Availability
  – Workflow Run-Times
  – Provisioning / Deprovisioning Statistics
• Monitor the Need for, and Effectiveness of, Controls
  – Identify Out-of-Policy Administration Activity
  – Verification of Performance of Control Tasks
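The three risky-behaviour KRIs named above, computed from security events and compared against thresholds (the "Analyze risk versus thresholds" stage of the lifecycle), as an added Python example written for this page rather than Novell or SAP code. The key=value event format, the windows, the thresholds and the sample events are all constructed assumptions; a Sentinel deployment would feed the same counts from its own event schema.

```python
"""Key Risk Indicators from security events, checked against thresholds.

Added example, not Novell or SAP code. The three behaviours counted (bad
login attempts, password changes, authorization changes) are the ones the
slide names; the event format, the windows, the thresholds and the sample
events are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed events, one per line: ISO timestamp followed by key=value pairs.
SAMPLE_EVENTS = """\
2009-06-03T09:40:05 src=SAP_CRM evt=LOGIN_FAIL user=jim
2009-06-03T09:40:19 src=SAP_CRM evt=LOGIN_FAIL user=jim
2009-06-03T09:40:41 src=SAP_CRM evt=LOGIN_FAIL user=jim
2009-06-03T09:41:02 src=SAP_CRM evt=LOGIN_FAIL user=jim
2009-06-03T09:41:30 src=SAP_CRM evt=LOGIN_FAIL user=jim
2009-06-03T09:42:11 src=SAP_CRM evt=LOGIN_FAIL user=jim
2009-06-03T09:50:00 src=SAP_HCM evt=LOGIN_FAIL user=abby
2009-06-03T10:00:00 src=SAP_CRM evt=PWD_CHANGE user=abby
2009-06-03T10:20:00 src=SAP_CRM evt=AUTH_CHANGE user=jim obj=SAP_ALL by=natasha
2009-06-03T10:25:00 src=SAP_CRM evt=AUTH_CHANGE user=bob obj=SAP_BC_DB_ADMIN by=natasha
"""

# KRI definitions (constructed): name -> (event type, grouping field, window, threshold)
KRIS = {
    "bad_logins_per_user": ("LOGIN_FAIL", "user", timedelta(hours=1), 5),
    "password_changes_per_user": ("PWD_CHANGE", "user", timedelta(days=1), 2),
    "auth_changes_per_system": ("AUTH_CHANGE", "src", timedelta(days=1), 2),
}


def parse_events(text):
    """Turn the constructed key=value lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(stamp)
        events.append(ev)
    return events


def evaluate_kris(events, kris=KRIS, now=None):
    """Count each KRI's events inside its window and rate it green/amber/red.

    red: threshold reached; amber: at least half of it; green otherwise.
    Only keys with at least one event in the window are reported. 'now'
    defaults to the newest event so the sample is reproducible offline.
    """
    now = now or max(e["ts"] for e in events)
    report = []
    for name, (evt, key, window, threshold) in kris.items():
        counts = Counter(e[key] for e in events
                         if e["evt"] == evt and now - e["ts"] <= window)
        for k, value in sorted(counts.items()):
            status = ("red" if value >= threshold
                      else "amber" if value * 2 >= threshold else "green")
            report.append({"kri": name, "key": k, "value": value,
                           "threshold": threshold, "status": status})
    return report


if __name__ == "__main__":
    for row in evaluate_kris(parse_events(SAMPLE_EVENTS)):
        print(f"{row['status']:5} {row['kri']} [{row['key']}] = "
              f"{row['value']}/{row['threshold']}")
```

Each KRI carries its own time window, so a burst of failed logins inside an hour rates red while the same count spread over a day would not; the amber band gives a dashboard something to show before a threshold is actually crossed.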
Risk Management Integration
• Development of Key Risk Indicator Components
  – CMP KRI Gateway Driver
  – IT-related KRIs
  – KRI Dashboards
  – KRI Reports
• Integration with SAP BusinessObjects Risk Management
  – Implementation of Event-Based KRI Interfaces
  – Scenario Development and Documentation
IT Risk Management Integration
IT Risk Management Integration (cont.)
Process Control Integration
• Integration with SAP BusinessObjects Process Control
  – Development of Process Control Alert Adapters
    > Occurrence of High-Risk Activities
    > Occurrence of Process Violations
    > Occurrence of Critical System Outages
  – Development of Automated Mitigation Controls
    > Restart Identity Services
    > Roll-back of Improper Data Changes
    > Account Locking
  – Scenario Development and Documentation
Use Case Scenarios
Scenario 1: Workflow Efficiency
• Process Policies:
  – All Access Approvals are granted via IDM Workflows
  – All Access Workflows must be completed within 24 hours
• Business Problems:
  – How Long do Workflows really take to complete?
  – Are there any Bottlenecks in Approval Chains?
  – What is the current state of my Workflows?
  – Are my current Policies optimal for the Business?
  – Are my current Policies meeting my Security Needs?
Scenario 1: Current View
[Diagram: Role Provisioning against System Assets, Accounts, and Authorizations; request split 80% / 15% / 5%; Average Time = 36 Hours.]
Scenario 1: Workflow Efficiency
• Process Policies:
  – All Access Approvals are Processed via IDM Workflows
  – All Access Workflows must be completed within 24 hours
  – All Low Threat Access will have Automated Approval
  – All Medium Threat Access must have 1 Approval
  – All High Threat Access must have 2 Approvals
Scenario 1: Revised Policies
[Diagram: Automated Approvals based on Role Level; Multiple Approvals based on Role Level; System Asset Values and Authorization Threats Valued by Asset Owner; request split 80% (12 mins), 15% (8 hours), 5% (24 hours); Average Time = 2.56 Hours.]
Scenario 1: Workflow Efficiency
• Process Policies:
  – All Access Approvals are Processed via IDM Workflows
  – All Access Workflows must be completed within 24 hours
  – All Low Threat Access will have Automated Approval
  – All Medium Threat Access must have 1 Approval
  – All High Threat Access must have 2 Approvals
• Process Improvements:
  – All Access Approvals are completed faster!
  – Security Posture Improved!
  – Bottlenecks Removed!
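The revised Scenario 1 policy, as an added Python example written for this page (not Novell's workflow engine or its policy format): requests are routed to zero, one or two approvers by threat tier, the expected cycle time is derived from the slide's 80% / 15% / 5% mix with 12-minute / 8-hour / 24-hour completion times, and completed workflows are checked against the 24-hour SLA and for the step that accumulates the most waiting time. The approver names and the completed-workflow records are constructed assumptions; the tiers, the SLA and the mix are the slide's numbers.

```python
"""Threat-tiered approval routing for access requests and the cycle-time
metrics behind the Scenario 1 slides.

Added example, not Novell code. The policy tiers (Low: automated, Medium: one
approval, High: two approvals), the 24-hour SLA and the 80 % / 15 % / 5 % mix
with 12-minute / 8-hour / 24-hour completion times are the slide's numbers;
the request records and approver names are constructed.
"""
SLA_HOURS = 24
TIERS = ["low", "medium", "high"]
APPROVALS_REQUIRED = {"low": 0, "medium": 1, "high": 2}
# Approval chain used when human approvals are required (constructed names).
APPROVER_CHAIN = ["resource owner", "security officer"]

# Share of requests and average completion time (hours) per tier after the
# revised policy, as read from the "Revised Policies" slide.
REVISED_MIX = {"low": (0.80, 12 / 60), "medium": (0.15, 8.0), "high": (0.05, 24.0)}


def route(request):
    """Derive the approval chain for one request.

    The asset owner values the system asset and the authorization threat
    (each 'low' | 'medium' | 'high'); the request is routed on the higher
    of the two so a high-threat right on a low-value asset is still reviewed.
    """
    tier = max(request["asset_value"], request["auth_threat"], key=TIERS.index)
    needed = APPROVALS_REQUIRED[tier]
    return {
        "tier": tier,
        "auto_approve": needed == 0,
        "approvers": APPROVER_CHAIN[:needed],
    }


def expected_hours(mix):
    """Weighted average completion time for a request mix."""
    return round(sum(share * hours for share, hours in mix.values()), 2)


def sla_breaches(completions, sla=SLA_HOURS):
    """IDs of completed workflows whose total elapsed time exceeded the SLA."""
    return [c["id"] for c in completions if sum(c["steps"].values()) > sla]


def bottleneck(completions):
    """Approval step that accumulated the most waiting time across workflows."""
    totals = {}
    for c in completions:
        for step, hours in c["steps"].items():
            totals[step] = totals.get(step, 0.0) + hours
    return max(totals, key=totals.get) if totals else None


# Constructed completed workflows: waiting time in hours at each step.
COMPLETED = [
    {"id": "req-1001", "steps": {"automated": 0.2}},
    {"id": "req-1002", "steps": {"resource owner": 6.0}},
    {"id": "req-1003", "steps": {"resource owner": 4.0, "security officer": 30.0}},
    {"id": "req-1004", "steps": {"resource owner": 20.0, "security officer": 3.0}},
]

if __name__ == "__main__":
    print(route({"asset_value": "low", "auth_threat": "high"}))
    print("expected cycle time:", expected_hours(REVISED_MIX), "hours")
    print("SLA breaches:", sla_breaches(COMPLETED))
    print("bottleneck step:", bottleneck(COMPLETED))
```

The weighted average reproduces the slide's 2.56 hours (0.8 × 0.2 h + 0.15 × 8 h + 0.05 × 24 h), which shows where the improvement comes from: the 80% of low-threat requests no longer wait on a person at all. Routing on the higher of asset value and authorization threat is the conservative reading of "valued by asset owner"; a deployment could weight the two differently.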
Scenario 2: Rogue Administration
• Process Policies:
  – All Access Approvals are granted via IDM Workflows
  – All Access Rights changes are performed via IDM Drivers after approval
• Business Problems:
  – Can I detect if these policies are violated?
  – Can I remediate violations at an IT level?
  – Can Process Owners receive notification of violations?
Scenario 2: Process Control
[Flow diagram; the steps shown:]
– Jim requests IT to temporarily give him access rights to perform a task
– Violating Policy, Natasha grants Jim SAP_ALL rights in the SAP CRM system.
– Novell® CMP receives event and begins IT and Process remediation
– “Rogue Administration” work flow is started to remediate IT security
– GRC Process Control forwards the item to Glen to review the effect on SAP applications
– Jim's Access is reset in the SAP CRM system
– A notification is sent to Process administrators to remediate controls violation
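The detection behind Scenario 2, as an added Python example written for this page (not Novell's driver or Sentinel correlation rule): SAP authorization-change events are reconciled against approved IDM workflow requests, a grant with no valid approval or one made by someone other than the IDM driver account is a policy violation, and the remediation steps from the slide are derived per finding. The record formats, the driver service-account name, the 48-hour approval validity window and the timestamps are constructed assumptions; the Jim / Natasha / SAP_ALL storyline is the slide's.

```python
"""Detect out-of-band ("rogue") authorization changes by reconciling SAP
authorization-change events with approved IDM workflow requests, and derive
the remediation steps Scenario 2 describes.

Added example, not Novell or SAP code. The two process policies (approvals
only via IDM workflows; rights changed only by IDM drivers after approval)
and the Jim / Natasha / SAP_ALL storyline are from the slides; the record
formats, the service-account name, the validity window and the timestamps
are constructed.
"""
from datetime import datetime, timedelta

# Account the IDM SAP driver uses when it pushes approved changes (constructed).
IDM_DRIVER_ACCOUNT = "IDM_SVC"
# Authorizations whose grant is always treated as critical (constructed list).
CRITICAL = {"SAP_ALL"}
# An approval only covers a change made within this long after it (constructed).
APPROVAL_VALIDITY = timedelta(hours=48)

# Approved requests as the RBPM workflow history would expose them (constructed).
APPROVED_REQUESTS = [
    {"id": "req-2001", "user": "abby", "system": "SAP_CRM", "auth": "SAP_CRM_SALES_REP",
     "approved": datetime(2009, 6, 3, 9, 0)},
    {"id": "req-2002", "user": "jim", "system": "SAP_CRM", "auth": "SAP_BC_DB_ADMIN",
     "approved": datetime(2009, 6, 1, 9, 0)},   # stale: older than 48 h by the change
]

# Authorization-change events from the SAP system's change documents (constructed).
AUTH_CHANGES = [
    {"ts": datetime(2009, 6, 3, 9, 5), "user": "abby", "system": "SAP_CRM",
     "auth": "SAP_CRM_SALES_REP", "action": "grant", "by": IDM_DRIVER_ACCOUNT},
    {"ts": datetime(2009, 6, 3, 10, 20), "user": "jim", "system": "SAP_CRM",
     "auth": "SAP_ALL", "action": "grant", "by": "natasha"},
    {"ts": datetime(2009, 6, 3, 11, 0), "user": "jim", "system": "SAP_CRM",
     "auth": "SAP_BC_DB_ADMIN", "action": "grant", "by": IDM_DRIVER_ACCOUNT},
]


def matching_approval(change, approvals, validity=APPROVAL_VALIDITY):
    """Approved request covering this change, or None."""
    for a in approvals:
        same_target = (a["user"], a["system"], a["auth"]) == (
            change["user"], change["system"], change["auth"])
        in_window = a["approved"] <= change["ts"] <= a["approved"] + validity
        if same_target and in_window:
            return a
    return None


def remediation_plan(change, severity):
    """Steps the "Rogue Administration" workflow would drive (slide sequence)."""
    steps = [
        f"IDM driver resets {change['user']}'s {change['auth']} in {change['system']}",
        "notify process administrators of the controls violation",
        "forward the item to process control for review of the effect on SAP applications",
    ]
    if severity == "critical":
        steps.insert(1, f"lock account {change['user']} in {change['system']} pending review")
    return steps


def find_violations(changes, approvals):
    """Flag grants that violate either process policy."""
    findings = []
    for ch in changes:
        if ch["action"] != "grant":
            continue
        reasons = []
        if matching_approval(ch, approvals) is None:
            reasons.append("no valid IDM approval for this grant")
        if ch["by"] != IDM_DRIVER_ACCOUNT:
            reasons.append(f"granted directly by {ch['by']}, not by the IDM driver")
        if not reasons:
            continue
        severity = "critical" if ch["auth"] in CRITICAL else "high"
        findings.append({"change": ch, "severity": severity, "reasons": reasons,
                         "remediation": remediation_plan(ch, severity)})
    return findings


if __name__ == "__main__":
    for f in find_violations(AUTH_CHANGES, APPROVED_REQUESTS):
        ch = f["change"]
        print(f"[{f['severity']}] {ch['ts']} {ch['system']} {ch['user']} {ch['auth']} by {ch['by']}")
        for r in f["reasons"]:
            print("   reason:", r)
        for s in f["remediation"]:
            print("   action:", s)
```

Two findings come out of the sample: Natasha's direct SAP_ALL grant to Jim trips both policies and is critical, and the driver's own grant of SAP_BC_DB_ADMIN is flagged because its approval is older than the validity window, which is the case a check that only asks "was it ever approved?" would miss. Revokes are deliberately not flagged here; a deployment would reconcile those against deprovisioning events separately.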
Questions and Answers
Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.