Preventing Entitlements Creep: How Identity Governance Can Help
Nick Oropall and Matt Ward
IBM Security
© 2015 IBM Corporation
What is ‘entitlements creep’?
As organizations grow and change, and as users change roles, user access changes with them.
Users are constantly gaining access and entitlements; those entitlements are rarely taken away.
Management doesn’t understand its users’ access and doesn’t want to take away entitlements that might be important.
How does it affect your organization?
It can make your organization less secure.
Users can accumulate entitlements that together constitute a separation of duties (SoD) violation.
If not properly managed, this can lead to an accidental or intentional internal security breach.
Identity Intelligence: Collect and Analyze Identity Data
Organizations are seeking a business-driven approach to Identity Governance and Intelligence.
Identity and Governance Evolution (three areas shown on the slide):
1. Administration: cost savings, automation, user lifecycle; scope: key on-premise applications and employees.
2. Analytics: application usage, privileged activity, risk-based control, baseline normal behavior; scope: employees, partners, consumers – anywhere.
3. Governance: role management, access certification; scope: extended enterprise and business partners, on- and off-premise applications.
Questions this approach answers: How to gain visibility into user access? How to prioritize compliance actions? How to make better business decisions?
The dependencies of traditional identity governance
Business activities vs. Entitlements (diagram: IT Security Manager, Auditor and Business Manager around the application entitlements of ERP, CRM, Mainframe and HR)
IT Security Manager: provides information regarding who has which entitlements. Open question: who SHOULD have which entitlements?
Auditor: identifies what business activities cause SoD violations (toxic combinations). Open question: which entitlements cause toxic combinations?
Business Manager: understands what business activities employees need. Open question: which entitlements grant access to which business activities?
Request flow: the Business Manager requests employee IT entitlements from the IT Security Manager; a list of entitlements is then received based on the IT Security Manager’s request.
The Pain Chain
Roles in the diagram: CFO, CEO, COO; Auditors; IT Security; Application Managers; Business Manager.
Numbered exchanges as shown on the slide:
1. To IT Security: “Could you prove that John Smith has ‘appropriate’ permissions for his job?”
2. CFO, CEO, COO: “Are we properly managing user access? Will our security controls pass the next audit?”
3. To the Application Managers: “Can you confirm that John Smith has the proper access?”
4. Application Managers: “I can tell you what access John has – I can’t tell if it’s appropriate.”
5. To the Business Manager: “Can you confirm that John Smith has the proper entitlements?”
6. Business Manager: “I could… If I was technical enough to understand all these IT details…”
Bridging Business, Auditor and IT points of view
Business-Centric SoD mapping to simplify access request and certification
IT Roles and Entitlements (from Mainframe, CRM, ERP and HR applications) are mapped to Business Activities such as:
– View Accounts Payable
– Create Sales Record
– Create Purchase Order
– Update Payroll
Map business activities to IT roles and entitlements.
Introducing IBM Security Identity Governance and Administration
Delivering actionable identity intelligence
Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
In-depth SAP and RACF Governance with Segregation of Duties (SoD), access risk and fine-grained entitlements reviews
Easy to deploy virtual appliances for multiple customer adoptions
– Standalone Identity Governance
– Integrate and modernize legacy Identity management with integrated governance and administration
Platform diagram: the Identity Governance and Administration Platform (virtual appliance) provides Access Fulfillment, a Self Service Portal, Risk/Access Visibility and Access Certification to the IT Security Team, Auditors/Risk Managers and LoB Managers/Employees, and connects through Common Integration Adapters to Cloud Computing, Mobile Applications, Desktop and Server, Data and Mainframe targets.
Activity driven access request management
Simplify self-service access request for managers and employees
Self-service, shopping cart interface
“Speaks” business language but also understands the IT and application roles
Automatically detects segregation of duties (SoD) conflicts
Saves time, while ensuring proper and compliant user access
Example flow shown on the slide:
End User: “I have a new assignment, I need to be able to Approve Orders.”
Business Manager: “Jane Doe is now on my team and needs to be able to Approve Orders.”
SoD check: “Jane Doe can also Create Orders and that is a segregation of duties violation.”
Outcome: APPROVED or DENIED
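The business-activity mapping of the “Bridging Business, Auditor and IT points of view” slide and the request-time SoD check of the “Activity driven access request management” slide, as an added Python example (not IBM’s code or product logic): the entitlement ids, the sample users and the Purchase Order rule are constructed for illustration; only “Create Orders / Approve Orders” comes from the slides.

```python
from typing import Dict, List, Set, Tuple

# Business activity -> IT entitlements that grant it (the slide's mapping step).
# Entitlement ids are constructed for this example, not real SAP/CRM/ERP values.
ACTIVITY_MAP: Dict[str, Set[str]] = {
    "Create Orders": {"SAP:ZSD_ORDER_CREATE", "CRM:order_editor"},
    "Approve Orders": {"SAP:ZSD_ORDER_APPROVE"},
    "Create Purchase Order": {"SAP:ZMM_PO_CREATE"},
    "Approve Purchase Order": {"SAP:ZMM_PO_RELEASE"},
    "View Accounts Payable": {"ERP:ap_viewer"},
    "Update Payroll": {"HR:payroll_admin"},
}
# Toxic combinations in business terms (the auditor's view): a few rules cover many entitlements.
SOD_RULES: List[Tuple[str, str]] = [
    ("Create Orders", "Approve Orders"),
    ("Create Purchase Order", "Approve Purchase Order"),  # constructed rule
]

def activities_for(entitlements: Set[str]) -> Set[str]:
    """Translate raw IT entitlements into the business activities they grant."""
    return {act for act, ents in ACTIVITY_MAP.items() if ents & entitlements}

def sod_violations(entitlements: Set[str]) -> List[Tuple[str, str]]:
    """Return every SoD rule whose two activities are both granted by this access."""
    acts = activities_for(entitlements)
    return [(a, b) for a, b in SOD_RULES if a in acts and b in acts]

def evaluate_request(current: Set[str], activity: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Request flow: a user asks for a business activity, not an entitlement.
    Deny if granting it would introduce a toxic combination the user lacks today."""
    proposed = current | ACTIVITY_MAP[activity]
    new_conflicts = [v for v in sod_violations(proposed) if v not in sod_violations(current)]
    return ("DENIED" if new_conflicts else "APPROVED"), new_conflicts

# Constructed sample users for a certification campaign.
USERS: Dict[str, Set[str]] = {
    "jane.doe": {"CRM:order_editor", "ERP:ap_viewer"},
    "john.smith": {"SAP:ZMM_PO_CREATE", "SAP:ZMM_PO_RELEASE", "HR:payroll_admin"},
}

def review_campaign(users: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Certification view: users who already hold a toxic combination, with the
    conflict stated as business activities a manager can read."""
    return {u: sod_violations(e) for u, e in users.items() if sod_violations(e)}

if __name__ == "__main__":
    print(evaluate_request(USERS["jane.doe"], "Approve Orders"))  # DENIED
    print(evaluate_request(USERS["jane.doe"], "Update Payroll"))  # APPROVED
    print(review_campaign(USERS))
```

Because the rules are written against activities rather than entitlement ids, adding a new application only requires extending ACTIVITY_MAP; the SoD rule set stays unchanged.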
Review Access with Risk Identification
Easily identify risk
Review and remediate toxic combinations
Business readable access risk
Highly usable end user interface for easy user recertification
LOB Review Access
Support business managers in requesting & certifying their own staff’s access
Focused, risk-driven campaigns
Managers can understand exactly what access they are certifying and why
Same simple look and feel regardless of role within the organization
Ability to execute multi-step approval workflows
Business centric access certification
Enables business managers to quickly review employee access and take action
Certification item presented to the Business Manager: “Does John Smith still need to open Sales Opportunities? SalesConnect is a CRM tool used by the sales team to effectively communicate with clients and track ongoing projects.”
Review options shown on the slide:
– NO: John is no longer on the Sales team
– NOT SURE: Please delegate to Jane Doe
– YES: John still needs access
Identity and Access Intelligence – Identifying outliers
Risk driven access certification using ‘Heat maps’
Visual analytics – Risk Scoring
Model and Measure Operational Risk
Model, measure and trend risks across several datasets (OU, applications)
Allows for ‘risk driven’ access certification using ‘heat maps’
CLIENT EXAMPLES
Identity Governance and Administration Results
SoD Simplification: a multinational manufacturer manages over 430M potential entitlement conflicts with only a few hundred segregation of duty rules.
Governance: a large European insurance and financial services firm governs access for 75,000 employees, agents and privileged users by identifying access risks and segregation of duty conflicts and certifying access for SAP, AD, mainframe and custom-built apps.
Audit Access: a large European designer found almost 80% of users had unnecessary access after leveraging the “last usage” information in their automated controls set.
Visual Analytics – Role Mining
Discover & Build Roles
Visual Role Mining
Create new Roles or optimize existing ones
Segregation of Duties Management for SAP
Extends fine-grained SoD controls to SAP (users and roles).
One governance platform for SAP and non-SAP applications
Segregation of Duties for SAP
Identity Governance on the Mainframe
Extends fine-grained SoD controls to the mainframe-specific data model
Provides Access Review and Request Management capabilities
Governance on the Mainframe
Integrated Governance and Identity Lifecycle Management:
4 Key Use Cases are a) Access Review and Reporting Visibility, b) Access Request
Management, c) Segregation of Duty Controls and d) Role Management and Intelligence
IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration
Source: Gartner (January 2015)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)
“The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”
Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015, Report #G00261633
IBM Security offers a comprehensive product portfolio
• QRadar Log Manager
• QRadar Security Intelligence
• QRadar Risk Manager
• QRadar Vulnerability Manager
• QRadar Incident Forensics
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security