Security management
White paper

Develop effective user management to demonstrate compliance efforts and achieve business value.

September 2008

Contents

Overview
Understand the challenges of user management
Develop a strategic approach that delivers quick value
Expand user management and bridge IT with lines of business
Discover enterprise-wide security and compliance solutions from IBM
Alcatel-Lucent customer experience
Conclusion
For more information
About Tivoli software from IBM

Overview

Organizations are faced with the challenge of demonstrating compliance while providing accurate, timely information to more users across more environments than ever before — and to do all this while reducing overhead, increasing productivity and expanding the number and variety of information services across the enterprise.

Supporting a strategic approach, IBM solutions can help organizations successfully develop and expand user management solutions from the departmental level to enterprise-wide implementations. In support of their specific compliance, business and technical requirements, organizations can use IBM Tivoli® Identity Manager software and other IBM offerings to:

• Automate, manage and audit the life cycle of user access rights across the IT infrastructure.

• Define and manage centralized authentication, access and audit policies.

• Enable single sign-on (SSO) across security domains.

• Provide centralized log management and event correlation.

With IBM, organizations can develop comprehensive solutions to help gain visibility into business continuity risks, achieve control over utilization of sensitive business assets and automate a variety of processes for managing access to critical assets and data.


Understand the challenges of user management

Doing two things at once is hard enough. For today’s organizations, the challenge is to accomplish three, four or more things — any one of which might appear to be in conflict with the others.

On the one hand, organizations need to demonstrate compliance by controlling and monitoring access to sensitive information. On the other hand, they need to stay competitive by providing access to more information than ever before to more users and different types of users, including employees, customers, business partners and suppliers. At the same time, they need to find new and better ways to reduce administrative costs and improve productivity through automation, user self-service and other innovative capabilities.


Compliance remains a critical issue for many organizations. To help demonstrate compliance, organizations should develop a common user management solution implemented across the enterprise. This solution should include authentication, authorization and network traffic monitoring, backed by comprehensive audit and reporting capabilities. User management should also support the full life cycle of user identity, from the efficient onboarding of new users to their final retirement and the elimination of unidentified or “orphan” accounts.


A user management solution should be implemented to provide timely updates for each user life-cycle event. Organizations should create user accounts efficiently to allow new hires — or employees with new roles — to be productive as soon as possible without waiting days for their accounts to be created. Conversely, when users are offboarded, their accounts and privileges should be retired immediately to help avoid potential security exposures from disgruntled employees who were terminated. And when an employee changes jobs or takes on new duties, account access should be reviewed and privileges that are no longer required should be removed.

Organizations also have to deal with the rising cost of user management administration, including account provisioning and deprovisioning, recertification of access rights, help-desk calls, password resets and other administrative tasks, many of which are still performed manually. These costs can add up quickly and will only increase as the number of users and services continues to grow and IT infrastructures become larger and more complex.

Develop a strategic approach that delivers quick value

Proven strategies can help organizations address the challenges of deploying user management solutions that are compliant, efficient, scalable and cost-effective. The perception that user provisioning deployments are long and cumbersome holds merit when they are not planned carefully. However, what is often missed is that quick, significant value can be derived without the need to provision users. With compliance as the critical business driver behind user management deployments, a quick first step to value can be achieved through reconciliation, recertification and reporting.


By centrally reconciling accounts on target systems, organizations can quickly identify orphan and/or dormant accounts. This gives organizations an immediate view of potential security exposures. After cleaning up the accounts to ensure that they match valid users, the next step is to establish a recertification policy to validate the need for the accounts on an ongoing basis. This recertification policy will also mitigate the proliferation of orphan and dormant accounts in the future. For example, if a user has moved on to another position and no longer needs access to their account(s), then that user’s manager would reject the recertification request and the user’s account(s) would be automatically suspended or deleted. Finally, organizations should provide an auditable trail that can help demonstrate compliance efforts. Delivering reports on each service, orphan accounts, dormant accounts and a recertification history will enable organizations to show auditors reports that describe who has access to what and how they got that access.

Reconciliation, recertification and reporting can deliver a tremendous amount of value before introducing the need to provision user accounts. A critical factor in delivering value, however, is the ability to integrate with target systems so that reconciliation, recertification and reporting can occur. Tivoli Identity Manager is uniquely positioned to deliver this value for several reasons. First, Tivoli Identity Manager provides reconciliation, recertification and reporting, as well as a substantial number of target system adapters available out of the box. Second, should an organization have a custom application, Tivoli Identity Manager provides a rapid adapter toolkit specifically designed to help organizations create custom adapters. Third, Tivoli Identity Manager has the ability to create and manage “manual services” for target systems whose user accounts may be managed via a spreadsheet. Manual services can be reconciled from a comma-separated values (CSV) file so they can be subject to approval workflows, recertification policies and reporting. Together these Tivoli Identity Manager capabilities offer both small-to-midsize and large enterprises the opportunity to retrieve quick value while establishing a footprint for user provisioning and role management.
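As an added example (not code from the paper or from Tivoli Identity Manager), the following Python script walks through the three steps described above: it reconciles a CSV account export from a manually managed target system against an HR identity feed to find orphan and dormant accounts, applies managers' recertification decisions (a rejection suspends the account), and produces the per-service report lines an auditor would ask for. The CSV layouts, the identities, the 90-day dormancy threshold and the recorded decisions are all constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inputs (not from the paper): an HR feed of identities and a
# CSV export of accounts from a target system whose accounts are tracked by hand,
# the kind of "manual service" the paper describes being reconciled from a CSV file.
HR_FEED = """employee_id,name,manager_id,status
E100,Alice Adams,E001,active
E101,Bob Brown,E001,active
E102,Carol Chen,E002,terminated
"""

ACCOUNT_EXPORT = """account,owner_id,last_login
aadams,E100,2008-09-01
bbrown,E101,2008-03-15
cchen,E102,2008-08-20
svc_backup,,2008-09-02
"""

AS_OF = date(2008, 9, 15)           # reconciliation date assumed for the sample
DORMANT_AFTER = timedelta(days=90)  # inactivity threshold; a policy choice, not a product default


def load_csv(text):
    """Parse a CSV export into a list of row dicts (empty fields stay '')."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(accounts, identities, today=AS_OF, dormant_after=DORMANT_AFTER):
    """Match each target-system account to an active identity.

    Returns the three views an auditor asks for:
      orphan  - accounts with no owner, or whose owner is not an active identity
      dormant - owned accounts that have not logged in within dormant_after
      valid   - account -> owner row; the population fed into recertification
    """
    active = {row["employee_id"]: row for row in identities if row["status"] == "active"}
    orphan, dormant, valid = [], [], {}
    for acct in accounts:
        owner = active.get(acct["owner_id"])
        if owner is None:
            orphan.append(acct["account"])   # no valid owner: an orphan account
            continue
        if today - date.fromisoformat(acct["last_login"]) > dormant_after:
            dormant.append(acct["account"])  # owned but unused: a dormant account
        valid[acct["account"]] = owner
    return {"orphan": orphan, "dormant": dormant, "valid": valid}


def recertify(valid, decisions):
    """Apply managers' recertification decisions to owned accounts.

    decisions maps account -> "approve" or "reject". A rejection suspends the
    account; an account with no decision is reported as pending rather than
    silently kept, so the gap shows up in the recertification history.
    """
    outcome = {"approve": "keep", "reject": "suspend"}
    return {acct: outcome.get(decisions.get(acct), "pending") for acct in valid}


def audit_report(recon, actions):
    """Produce the per-service lines that answer 'who has access and why'."""
    lines = [f"orphan accounts: {', '.join(recon['orphan']) or 'none'}",
             f"dormant accounts: {', '.join(recon['dormant']) or 'none'}"]
    for acct, owner in recon["valid"].items():
        lines.append(f"{acct}: owner {owner['name']} (manager {owner['manager_id']}), "
                     f"recertification -> {actions[acct]}")
    return lines


if __name__ == "__main__":
    recon = reconcile(load_csv(ACCOUNT_EXPORT), load_csv(HR_FEED))
    # Constructed decisions: Bob's manager rejects his dormant account.
    actions = recertify(recon["valid"], {"aadams": "approve", "bbrown": "reject"})
    print("\n".join(audit_report(recon, actions)))
```

Two design points are worth noting. An account whose owner exists in HR but is terminated is treated exactly like an account with no owner at all, because from an auditor's perspective both are accounts nobody is accountable for. And a missing recertification decision is surfaced as "pending" rather than defaulting to "keep", so an incomplete campaign cannot quietly leave access in place.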


[Figure: the user management life cycle, shown as five stages — Define controls; Enroll and proof users; Issue and manage user rights; Enforce access control; Monitor, audit, report. Annotations: support identity governance, role and user rights, recertification and reporting; enroll users and provide user self-service; issue credentials, automate access rights and retire accounts.]

Tivoli Identity Manager and Tivoli Access Manager solutions provide key capabilities ranging from initial user onboarding to final account retirement.

Expand user management and bridge IT with lines of business

As organizations expand their user management plans to include user provisioning, it is imperative that they understand the context of an identity in their own business environment. A cross-functional team made up of IT and business stakeholders should evaluate an organization’s existing business processes and the management of their users and access rights. Particular attention should be paid to the frequency and volume of changes to user roles and access rights. This can help organizations assess the relative benefits of role-based and request-based user provisioning for their organization.


Request-based provisioning becomes more commonplace for organizations that have a more knowledge-based workforce, such as a law firm or business consultancy. In these types of organizations, user access rights can change frequently. Therefore, it is better to have users request new access than to constantly change their role to reflect a new set of access permissions. Tivoli Identity Manager has a simple self-service user interface that facilitates request-based provisioning — for both the end user requesting access and the approver allowing access. Behind the scenes, Tivoli Identity Manager evaluates the provisioning policy, and it provisions user access to the business resource.


The Tivoli Identity Manager self-service console lets users manage their passwords and access to corporate resources.


Tivoli Identity Manager also helps bridge IT with lines of business by allowing end users to request access to one business entitlement (for example, a sales portal) rather than individual technical permissions (such as “Active Directory group — UK3g8saleww_R”). These access entitlements streamline the administrative effort by grouping technical permissions into a reusable asset that is pluggable into workflows and policies. At the same time, auditing becomes much more intuitive as access entitlements represent meaningful assets rather than cryptic technical permissions.

Role-based provisioning, where users are assigned access permissions by their organizational role, is typically better for organizations where business roles, and their access rights, do not frequently change — as with bank tellers. The use of roles can also bridge IT with lines of business as organizational roles (such as an insurance claims administrator) become tied to application roles (for example, “ClaimsApplicationCaseWorker”). Together this linkage can provide visibility into the business, effective control of user access permissions and automation of user management business processes throughout the organization.


Tivoli Identity Manager can provide organizations with role-based access control for provisioning and attestation, provisioning policy simulation to determine the impact of role changes, and a delegated administration system for the creation and management of roles. Specifically, Tivoli Identity Manager offers the ability to define roles statically (where roles are defined for a set of people) and dynamically (where roles are defined for a set of people based on attribute information about them, such as employees or contractors). These roles are often used for automated provisioning workflows. Reduced administration can also be achieved by having entitlements for multiple accesses or accounts embodied in a single role.


To give an example of role-based access control, a user joins a new project and needs an account on the test system, access to documentation on a file server and access to the project management database — each with different access rights based on the user’s role. When the project is completed, access to these systems can be quickly revoked by removing the person from the role. If users change jobs, their new roles can automatically remove them from systems they no longer require. Tivoli Identity Manager also enables organizations to recertify a user’s need to be a member of a role. This recertification process enhances security and compliance by revalidating a user’s membership in a particular role.
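The following Python model is added here to tie together the three ideas above; it is not taken from Tivoli Identity Manager or from the paper. It shows access entitlements that bundle technical permissions behind a business name (the sales portal example), static roles with explicit members and dynamic roles computed from identity attributes, and the grant/revoke plan that results when a person is removed from the project role or changes department. Apart from the Active Directory group name quoted in the text, every entitlement, role, system and person name is constructed for the example.

```python
# Constructed model (not the product's data model). An access entitlement maps a
# business-level name to the technical permissions it implies on target systems,
# expressed here as (system, permission) pairs.
ENTITLEMENTS = {
    "Project test system account": {("testsys", "account:developer")},
    "Project documentation": {("fileserver", "group:PROJ_DOCS_R")},
    "Project management database": {("projdb", "role:pm_reader")},
    # The AD group name is the one quoted in the paper; the portal role is made up.
    "Sales portal": {("ad", "group:UK3g8saleww_R"), ("portal", "role:sales_user")},
}

# Static roles: membership is an explicit set of people.
STATIC_ROLES = {
    "Project member": {
        "entitlements": {"Project test system account", "Project documentation",
                         "Project management database"},
        "members": {"E100", "E101"},
    },
}

# Dynamic roles: membership is derived from attributes of the person, so a
# department change or a contractor status changes access without manual edits.
DYNAMIC_ROLES = {
    "Sales employee": {
        "entitlements": {"Sales portal"},
        "rule": lambda person: person["type"] == "employee" and person["dept"] == "sales",
    },
}


def roles_for(person, static_roles=STATIC_ROLES, dynamic_roles=DYNAMIC_ROLES):
    """Resolve the roles a person holds: static by membership, dynamic by rule."""
    held = {name for name, role in static_roles.items() if person["id"] in role["members"]}
    held |= {name for name, role in dynamic_roles.items() if role["rule"](person)}
    return held


def effective_access(person, static_roles=STATIC_ROLES, dynamic_roles=DYNAMIC_ROLES):
    """Expand roles -> entitlements -> technical permissions on target systems."""
    access = set()
    for name in roles_for(person, static_roles, dynamic_roles):
        role = static_roles.get(name) or dynamic_roles[name]
        for entitlement in role["entitlements"]:
            access |= ENTITLEMENTS[entitlement]
    return access


def plan_changes(person, current_access, static_roles=STATIC_ROLES,
                 dynamic_roles=DYNAMIC_ROLES):
    """Diff what the person should have against what the targets currently hold.

    Returns (to_grant, to_revoke). Anything present on a target system that is no
    longer implied by a role is revoked, which is how leaving a project or changing
    jobs removes access automatically.
    """
    wanted = effective_access(person, static_roles, dynamic_roles)
    return wanted - current_access, current_access - wanted


def remove_from_role(static_roles, role_name, person_id):
    """Return a copy of the static role table with one person removed from a role."""
    updated = {name: dict(role, members=set(role["members"])) for name, role in static_roles.items()}
    updated[role_name]["members"].discard(person_id)
    return updated


if __name__ == "__main__":
    alice = {"id": "E100", "type": "employee", "dept": "sales"}   # constructed person
    granted = effective_access(alice)
    print("onboarding grants:", sorted(granted))
    # Project completed: removing Alice from the role yields the revocation list.
    after_project = remove_from_role(STATIC_ROLES, "Project member", "E100")
    print("revoke after project:", sorted(plan_changes(alice, granted, after_project)[1]))
    # Job change: the dynamic rule no longer matches, so sales access is revoked.
    moved = dict(alice, dept="engineering")
    print("revoke after move:", sorted(plan_changes(moved, granted)[1]))
```

The revocation half of `plan_changes` is the part that matters for compliance: it is computed from the role model, not from a ticket, so an account that should have disappeared with a role change shows up as a pending revoke rather than being forgotten.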

For organizations seeking extended role administration, role mining and segregation of duties, Tivoli Identity Manager offers integration with several strategic Ready for Tivoli partners (visit http://catalog.lotus.com/wps/portal/topal).

Ready for Tivoli partners

| Name | Product | Solution |
|---|---|---|
| SecurIT | RoleManager | Extended role-based access control capabilities for Tivoli Identity Manager |
| SailPoint | Compliance IQ | Identity risk management |
| Aveksa | Aveksa Compliance Manager and Role Manager | Enterprise access governance |
| Eurekify | Enterprise Role and Compliance Management Suite | Role and policy life-cycle management |
| Approva | BizRights | Intelligent business controls |
| SAP | SAP GRC | Intelligent business controls |


In summary, most organizations fall somewhere between role-based and request-based provisioning, and they take a hybrid approach to leverage the benefits of both models. At one end, the ongoing operational labor associated with request-based provisioning can be too cumbersome for some organizations — yet it is quick to implement. At the other end, the time and effort required to set up a fully developed organizational role structure and associated policies for role-based provisioning can be too difficult to effectively execute. However, tremendous value is provided through automation once it is deployed. There is no right or wrong answer. Rather, an organization should evaluate what approach works best for them and then establish a phased approach to deliver value.

When it comes to actual deployment, the best strategy typically is to start with a small user management solution and then grow larger incrementally. For example, a single, departmental application can be used as the foundation for more complex cross-system and cross-application implementations. In the same way, request-driven user provisioning can be implemented first and then replaced with role-based provisioning.


Discover enterprise-wide security and compliance solutions from IBM

Every organization should have a complete, end-to-end security and compliance strategy in place. That’s where IBM can help, providing an unparalleled range of products, services and other offerings designed to:

• Identify gaps in existing capabilities across people, processes, applications and data.

• Prioritize security initiatives according to business goals and technology requirements.

• Select technology based on specific budgetary goals and ROI requirements.

• Simplify and speed the planning and execution of enterprise-wide security programs.

• Provide repeatable, measurable planning processes.

• Achieve a desired security posture that meets business and compliance requirements.


A complete description of IBM security and compliance offerings is well beyond the scope of this white paper, but the following examples indicate how organizations can easily increase the depth and breadth of their Tivoli Identity Manager solution.

IBM Tivoli Security Information and Event Manager can help demonstrate compliance and enhance security by providing log management, real-time event correlation and user activity monitoring. This helps to streamline management, control costs and increase IT productivity across a large, heterogeneous IT infrastructure.

For centralized authentication and authorization, IBM Tivoli Access Manager for e-business provides an integrated solution for defining and managing authentication, access and audit policy across a broad range of business initiatives. Tivoli Access Manager for e-business can help organizations control management costs and streamline the execution of security policies across multiple Web and application resources.


IBM Tivoli Access Manager for Operating Systems is designed to block illegal access to business-critical applications, files and platforms. Unmanaged access to super-user or “root” accounts presents organizations with a significant security risk. A policy-based access control solution like Tivoli Access Manager for Operating Systems helps address these security risks by providing centralized policy management, enforcement and comprehensive auditing.


IBM Tivoli Access Manager for Enterprise Single Sign-On provides simple authentication capability across diverse applications, data stores and environments. The product helps automate SSO, enhance security with automatic password management, and extend audit and reporting capabilities in a quick, simple-to-deploy solution.

Alcatel-Lucent customer experience

Alcatel-Lucent selected Tivoli identity management software to help support its efforts to increase security measures, improve employee efficiency, reduce help-desk costs and support compliance initiatives.

“Expectations for real-time access, regulatory compliance, operational cost optimization and mobility of the workforce are key drivers for streamlining our user account provisioning processes,” said Elizabeth Hackenson, Alcatel-Lucent CIO. “IBM’s expertise and software have helped us develop a global user identity management program, providing us an automated tool to manage our user accounts while reducing costs.”

The initiative replaces various user provisioning processes with one integrated, standardized user management system. It provides Alcatel-Lucent with greater visibility into system-wide user identities, and it also uses automated software to streamline processes and tasks, thereby lowering IT support costs.


Tivoli Identity Manager includes a password self-reset feature that allows users to reset and synchronize their passwords online. With this one feature alone, Alcatel-Lucent expects to reduce password-related calls to the IT service desk by 70 percent and provide increased productivity for both system users and support staff. Additionally, the new system can automatically close accounts of employees who have left the company, helping to eliminate related security risks and improve the data quality of the company directories.

Conclusion

As a recognized leader in identity and access management, Tivoli security solutions can also be used with a large number of non-IBM enterprise software solutions. Providing a broad, scalable solution for centralized security management, Tivoli Identity Manager software can help:

• Demonstrate compliance across the entire user life cycle with comprehensive auditing and reports on user access rights and activities.

• Increase ROI by quickly integrating new users and applications.

• Efficiently manage user accounts, access rights and privacy preferences through automation.

• Simplify complexity with consistent security policies and centralized administration.

• Support fully integrated, strategic security across the enterprise.


[Figure: three panels — Visibility: see your business; Control: manage your business; Automation: improve your business.]

With IBM, organizations can develop comprehensive solutions to help gain visibility into business continuity risks, achieve control over utilization of sen- sitive business assets and automate a variety of processes for managing access to critical assets and data.

For more information

To learn more about Tivoli Identity Manager and other IBM solutions for optimizing security and compliance efforts, contact your IBM representative or IBM Business Partner, or visit ibm.com/tivoli


About Tivoli software from IBM

Tivoli software offers a service management platform for organizations to deliver quality service by providing visibility, control and automation — visibility to see and understand the workings of their business; control to effectively manage their business, and help minimize risk and protect their brand; and automation to help optimize their business, reduce the cost of operations and deliver new services more rapidly. Unlike IT-centric service management, Tivoli software delivers a common foundation for managing, integrating and aligning both business and technology requirements. Tivoli software is designed to quickly address an organization’s most pressing service management needs and help proactively respond to changing business demands. The Tivoli portfolio is backed by world-class IBM Services, IBM Support and an active ecosystem of IBM Business Partners. Tivoli clients and Business Partners can also leverage each other’s best practices by participating in independently run IBM Tivoli User Groups around the world — visit www.tivoli-ug.org


© Copyright IBM Corporation 2008

IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America September 2008 All Rights Reserved

IBM, the IBM logo, ibm.com and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

Disclaimer: The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.


TIW14013-USEN-00