
C21 - Leveraging an Identity Management Foundation to Sustain Compliance
Mick Coady

Leveraging an Identity Management Foundation to Sustain Compliance
Michael Coady
Vice President, Solution Strategy
Security Business Unit

Agenda
• Some Pertinent Data
• The challenge of managing multiple users and entitlements
• Identity Lifecycle Management defined
• Three components
– Identity Management
– Security Compliance Management
– Role Management and Role Engineering
• CA customer perspectives

Security Attacks and Breaches
(bar chart; percentage of respondents reporting each type of security challenge, 2008 vs 2006)
Virus attack: 59.4 (2008) / 67.7 (2006)
Network attack: 40.0 (2008) / 49.5 (2006)
Denial-of-service attack: 26.4 (2008) / 39.6 (2006)
Internal breach of security: 43.6 (2008) / 42.3 (2006)
None: 13.8 (2008) / 10.7 (2006)
Callout: Only increase – the first time security attack/breach incidence has declined, except for Internal Breach incidence, which has more than doubled compared to five years ago (15%-20%).

N=500. Q13. What types of security challenges has your organization dealt with over the past 12 months?
Source: The Strategic Counsel, 2008

Strictly Privileged and Confidential

Security Attack/Breach Costs
(bar chart; percentage of respondents reporting each impact, 2008 vs 2006)
Lost productivity: 61.3 (2008) / 51.7 (2006)
Loss of trust/confidence: 34.9 (2008) / 29.6 (2006)
Embarrassment: 32.7 (2008) / 28.1 (2006)
Damage to reputation: 23.2 (2008) / 27.6 (2006)
Loss of business/revenue/customers: 20.8 (2008) / 26.1 (2006)
Loss of confidential information: 34.1 (2008) / 22.4 (2006)
Loss of intellectual property: 18.4 (2008) / 20.4 (2006)
Reduced customer satisfaction: 32.7 (2008) / 20.1 (2006)
Callouts: "Most significant increases"; "Significantly increasing Internal Breach incidence, and significantly increasing Loss of Confidential Information and Reduced Customer Satisfaction – a co-incidence? Perhaps not."

N=500. Q14. What impact have these security challenges had on your organization?
Source: The Strategic Counsel, 2008

Security Compliance Costs - Budget
(bar chart; percentage of respondents whose IT budget share spent on IT security compliance is at or above each threshold; TOTAL)
10% or more: 81.4
20% or more: 56.0
30% or more: 34.0
40% or more: 22.4
50% or more: 15.6
Callout: Security compliance is a huge IT budget eater – organizations need this to be more effective/efficient: 56% of U.S. enterprise-class firms spend 20% or more of their IT budget on IT security compliance.

N=500. Q104. What percent of your organization’s IT budget is spent specifically to ensure IT security compliance with various regulations?
Source: The Strategic Counsel, 2008

Security Compliance Costs - Time
(bar chart; percentage of respondents whose IT time share spent on IT security compliance is at or above each threshold; TOTAL)
10% or more: 81.4
20% or more: 57.0
30% or more: 30.4
40% or more: 19.8
50% or more: 15.6
Callout: Security compliance is a huge IT time eater – organizations need this to be more effective/efficient: 57% of U.S. enterprise-class firms spend 20% or more of their IT time on IT security compliance.

N=500. Q105. What percent of your organization’s IT time is spent specifically to ensure IT security compliance with various regulations?
Source: The Strategic Counsel, 2008

IAM Issues and Problems
(bar chart; percentage of respondents calling each area "A Problem")
Automated review and approval of user access privileges: 62.0
Tracking and reporting on user activity that may pose a risk to the organization: 60.4
Central management and enforcement of policies that ensure audit and legal requirements: 60.0
The creation, enforcement and verification of role-based access across diverse enterprise applications: 59.4
Callouts: Respondents feel there are several areas where IAM can be more efficient or better managed; the majority of respondents say these are problem areas.

N=500. Q101. Are any of the following problem areas for your organization…?
Source: The Strategic Counsel, 2008

What Users Expect IAM To Deliver – 2008 Top Deliverables
(stacked bar chart; percentage of respondents, columns in order: Very Important / Important / Neither Important nor Not-Important / Not Important / Not at All Important)
Improved security: 56.6 / 29.2 / 11.6 / 1.6 / 1.0
Web services security: 47.2 / 31.0 / 17.6 / 3.0 / 1.2
Improved audit capability/transparency: 40.0 / 37.8 / 18.8 / 2.8 / 0.6
Improved risk management: 40.0 / 37.6 / 18.2 / 3.6 / 0.6
Better IT dept efficiency/cost reductions: 39.8 / 36.8 / 18.4 / 4.2 / 0.8
Centralized control w/ distributed enforcement of role-based access to server resources: 39.6 / 38.8 / 18.2 / 2.4 / 1.0
Centralized web access management: 38.2 / 38.6 / 19.4 / 2.8 / 1.0
Better user account management: 38.0 / 38.8 / 20.0 / 2.2 / 1.0
Automated identity management services across all platforms used: 38.0 / 37.0 / 20.8 / 2.8 / 1.4
Improved regulatory compliance: 37.8 / 33.2 / 19.6 / 7.2 / 2.2
Callout: Emphasis is currently on utilizing IAM to deliver improved security.

N=500. Q7. How important is it for your current or planned IT Identity and Access Management solution to deliver the following?
Source: The Strategic Counsel, 2008

What Users Expect IAM To Deliver – 2006 Top Deliverables
(stacked bar chart; percentage of respondents; the legend lists Very Important / Important / Neither Important nor Not-Important / Not Important / Not at All Important, and four values per row are shown, in that order)
Improved security: 50.2 / 34.8 / 9.2 / 5.7
Improved regulatory compliance: 46.0 / 31.8 / 12.9 / 9.2
Better IT dept efficiency/cost reductions: 44.8 / 36.8 / 11.9 / 6.5
Improved risk management: 41.8 / 35.8 / 14.4 / 8.0
Improved audit capability/transparency: 40.0 / 39.1 / 14.7 / 6.2
Better user account management: 39.6 / 38.8 / 14.4 / 7.2
Improved facilitation of secure e-business: 38.1 / 37.3 / 14.4 / 10.2
Improved customer/end-user self-service: 37.1 / 41.5 / 13.4 / 8.0
Single sign-on: 33.6 / 40.3 / 18.9 / 7.2
Callout: In 2006 there was more emphasis on utilizing IAM to improve compliance and achieve IT efficiencies / cost reductions.

N=500. Q7. How important is it for your current or planned IT Identity and Access Management solution to deliver the following?
Source: The Strategic Counsel, 2006

Consumer and IAM Decision-Maker Security and Privacy Confidence
(bar chart; percentage of respondents naming each impact, Consumers vs IAM Decision-Makers)
Reduced customer satisfaction: 82.4 (Consumers) / 82.4 (IAM Decision-Makers)
Loss of customer/public trust and confidence: 78.8 (Consumers) / 76.8 (IAM Decision-Makers)
Reputation of organization damaged: 76.8 (Consumers) / 76.4 (IAM Decision-Makers)
Callout: Breaches/losses have big consequences – consumers and IAM Pros agree.

N=400. Q6. What is the impact of major security or privacy breaches for you?
N=500. Q17. If your organization suffered a loss of customer or transaction data, what impact would it have?
Source: The Strategic Counsel, 2008

Consumer and IAM Decision-Maker Security and Privacy Confidence
(bar chart; percentage of respondents, Consumers vs IAM Decision-Makers)
Retailers do not spend enough: 72.5 (Consumers) / 34.0 (IAM Decision-Makers)
Government does not spend enough: 68.5 (Consumers) / 38.0 (IAM Decision-Makers)
Big Banks do not spend enough: 57.8 (Consumers) / 24.0 (IAM Decision-Makers)
Callout: A large majority of consumers thinks spending isn’t high enough – a significant percentage of IAM Pros agree.

N=400. Q8-Q10. Do you think ________ spends enough on on-line security and privacy?
N=100 Retail; N=100 Federal/State Government; N=100 Financial Services. Q20. Thinking in percentage terms, do you think the percentage of your organization’s total IT budget devoted to security is too low, adequate or too high?
Source: The Strategic Counsel, 2008

Consumer Security and Privacy Confidence
(bar chart; percentage of consumers "very confident" each sector can protect on-line personal and private information)
Retailers: 4.8
Government: 11.0
Financial Services: 8.5
Callout: Consumers aren’t very confident their on-line personal and private information is protected.

N=500. Q3a-b-c. How confident are you that the banking industry is properly protecting your on-line personal and private information? How confident are you that retailers are properly protecting your on-line personal and private information? How confident are you that the Government is properly protecting your on-line personal and private information?
Source: The Strategic Counsel, 2008

IAM Decision-Maker Security and Privacy Confidence
(bar chart; percentage of IAM Decision-Makers)
Very confident: 28.0
Somewhat confident: 58.2
Not confident: 11.8
Not confident at all: 2.0
Callout: Only 28% of IAM Pros are very confident their firm/organization can protect itself against losing customer or transaction data.

N=500. Q15. How confident are you that your organization can protect itself against losing customer or transaction data?
Source: The Strategic Counsel, 2008

Consumer Personal Information Theft Victimization
(bar chart; percentage of consumers)
Have personally suffered a personal information theft: Yes 22.5 / No 77.5
Know someone who has suffered a personal information theft: Yes 48.0 / No 52.0
Callout: More than one-fifth of U.S. consumers have suffered a personal information theft; almost half know someone who has been a victim.

N=400. Q7-Q8. Have you ever suffered a personal information theft? Do you know someone who has been the victim of personal information theft?
Source: The Strategic Counsel, 2008

The Regulatory Environment
Global and Growing
(slide shows a cloud of regulations and standards:) SOX; HIPAA; EU Privacy Directive; FIPS 200; CobiT 3rd Edition DS5.5; ACSI33; OGC ITIL: Security Management 4.3; FFIEC Information Security; FFIEC Operations; ISO 27001; NIST SP 800-53

Compliance: The Early Days
(diagram: External Requirements feed Internal Auditing; Reporting Systems; departments shown: Accounting, Internal Audit, Human Resources, Sales and Marketing, Manufacturing, Finance, Legal Counsel, IT)

Enter SOX
(same diagram with SOX added: External Requirements, SOX Audits, Internal Auditing, Reporting Systems and Test Results; departments: Accounting, Internal Audit, Human Resources, Sales and Marketing, Manufacturing, Finance, Legal Counsel, IT)

Next Come PCI, EU Privacy Directive, Internal Policies (as well as Compliance Management)
(same diagram: External Requirements, Internal Auditing, Reporting Systems, SOX; departments: Accounting, Internal Audit, Human Resources, Sales and Marketing, Manufacturing, Finance, Legal Counsel, IT)

The Challenge of Managing Multiple Users and their Entitlements
> Security “Silos”
> Inconsistent enforcement

Many policies
> External regulations
– Legislative
– Industry-specific
> Best practices
> Internal

The Challenge of Managing Multiple Users and their Entitlements
> High admin cost
> Inconsistent enforcement
> Increased risks

Many policies
> External regulations
– Legislative
– Industry specific
> Best practices
> Internal

Many manual compliance processes
> Access reviews
> User entitlements
> Certification

The Challenge of Managing Multiple Users and their Entitlements
> Difficult administration
> Difficult compliance
> Reduced security

Many policies
> External regulations
– Legislative
– Industry specific
> Best practices
> Internal

Many manual compliance processes
> Access reviews
> User entitlements
> Certification

Many entitlements
> Mainframe
> RDBMS
> LDAP
> NOS
> ERP…

The Challenge of Managing Multiple Users and their Entitlements
> Difficult to administer access rights
> High help desk costs

Many policies
> External regulations
– Legislative
– Industry specific
> Best practices
> Internal

Many manual compliance processes
> Access reviews
> User entitlements
> Certification

Many entitlements
> Mainframe
> RDBMS
> LDAP
> NOS
> ERP…

Many roles
> Many user types
> Poor role mapping
> Privilege accumulation

Identity Lifecycle Management: The Solution

Centralized policies
> Consistent security & enforcement

Security compliance automation
> Reduced admin costs
> Risk reduction
> Improved auditing for easier compliance

Reduced entitlements
> Easier administration
> Reduced costs

Reduced roles
> Increased efficiency
> Appropriate entitlements

(overlaid on the remaining problem columns: Many manual compliance processes – Access reviews, User entitlements, Certification; Many entitlements – Mainframe, RDBMS, LDAP, NOS, ERP…; Many roles – Many user types, Poor role mapping, Privilege accumulation)

Solution to Managing Multiple Users and Entitlements
Identity Lifecycle Management

Centralized policies
> Consistent security & enforcement

Security compliance automation
> Reduced admin costs
> Risk reduction
> Improved auditing for easier compliance

Reduced entitlements
> Easier administration
> Reduced costs

Reduced roles
> Increased efficiency
> Appropriate entitlements

Identity Lifecycle Management

Identity Lifecycle Management Defined

Goal: Automating identity-related processes that span the entire enterprise

• What are “identity-related” processes?
– On-boarding/Off-boarding an employee
– Users managing their own profiles
– Executing proper provisioning approval processes
– Ensuring user entitlements match functional responsibilities
– Validating company is in compliance
– And more…

Identity Lifecycle Management: IT Needs
(diagram: Identity Lifecycle Management rests on three components)

Role Management
– Understand what roles exist in the enterprise
– Establish role model that fits organization
– Analyze and maintain role model as business evolves

Identity Management
– Assign users to roles
– Apply role-based controls
– Provision users with approved accounts and privileges
– Manage change requests and approvals over time

Security Compliance Management
– Understand security policy
– Import audit/log data
– Import identity information
– Compare, then initiate and verify remediation
– Streamline security compliance processes

Role Mining/Management
Enables efficient and accurate identity and entitlement
management
• Role Mining
– Automates discovery of roles and access patterns
– Enables gap analysis, cleanup and role modeling
• Ongoing Role Management
– Processes role approval/adaptation, self service requests
– Detects business changes that affect role structure
• Auditing and Reporting
– Assesses role exceptions, cleanup and repair
– Provides executive reporting and audit trail
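The compare-then-remediate loop from the IT Needs slide (import identity information, import system extracts, compare, initiate remediation) and the role-mining step above, as an added example that is not CA's code: the HR feed, system extracts, role model, separation-of-duties rule and all names are constructed for illustration.

```python
"""Reconcile identities and entitlements against a role model. Added example with
constructed data: compare, produce remediation findings, and mine candidate roles."""
from collections import defaultdict

# Constructed authoritative identity source (HR feed): user -> job function.
HR_FEED = {"alice": "AP-clerk", "bob": "AP-clerk", "carol": "AP-clerk", "dave": "DBA"}

# Constructed entitlement extracts from target systems: (system, account) -> entitlements.
EXTRACTS = {
    ("ERP", "alice"): {"AP.invoice.enter", "AP.invoice.view"},
    ("ERP", "bob"): {"AP.invoice.enter", "AP.invoice.view"},
    ("ERP", "carol"): {"AP.invoice.enter", "AP.invoice.view", "AP.payment.approve"},
    ("RDBMS", "dave"): {"db.admin"},
    ("RDBMS", "erin"): {"db.admin"},  # no HR record behind it: an orphan account
}

# Approved role model: job function -> {(system, entitlement)}.
ROLE_MODEL = {
    "AP-clerk": {("ERP", "AP.invoice.enter"), ("ERP", "AP.invoice.view")},
    "DBA": {("RDBMS", "db.admin")},
}

# Constructed separation-of-duties rule: nobody may both enter and approve.
SOD_RULES = [(("ERP", "AP.invoice.enter"), ("ERP", "AP.payment.approve"))]


def actual_entitlements(extracts):
    """Flatten per-system extracts into user -> {(system, entitlement)}."""
    held = defaultdict(set)
    for (system, account), ents in extracts.items():
        held[account].update((system, e) for e in ents)
    return held


def reconcile(hr, extracts, role_model, sod_rules):
    """Compare held entitlements with the role model. Returns findings per type,
    each naming the account and the exact (system, entitlement) to remediate."""
    findings = {"orphan": [], "excess": [], "sod": []}
    for user, ents in sorted(actual_entitlements(extracts).items()):
        if user not in hr:  # account with no authoritative identity
            findings["orphan"].append((user, sorted(ents)))
            continue
        excess = ents - role_model.get(hr[user], set())  # privilege accumulation
        findings["excess"].extend((user, e) for e in sorted(excess))
        for a, b in sod_rules:
            if a in ents and b in ents:
                findings["sod"].append((user, a, b))
    return findings


def mine_roles(hr, extracts, min_users=2):
    """Role mining: propose a candidate role for each entitlement pattern shared
    by at least min_users known identities (exceptional users fall out)."""
    by_pattern = defaultdict(list)
    for user, ents in actual_entitlements(extracts).items():
        if user in hr:
            by_pattern[frozenset(ents)].append(user)
    return sorted((sorted(p), sorted(u)) for p, u in by_pattern.items() if len(u) >= min_users)
```

Each finding carries the owning system and the exact entitlement, which is what a change request raised against that system needs; the follow-up "verify remediation" step is a re-run of reconcile() after the change.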

Role Management Key Capabilities
(diagram of capabilities, as labelled on the slide)
> Audit/Gap Analysis – assess and audit systems for exceptions
> Data Cleanup and Remediation – clean and match user IDs; identify out-of-pattern and exceptional users
> Role Modeling – reveal methodology; define roles top-down/bottom-up
> Model Management and Reporting – detect changes and exceptions; adapt role-based model
> Validation, Policy Modeling, Integration – verify, certify, and report; enriches provisioning processes
The Secret Ingredient – Pattern Recognition Analysis

Identity Management
Central engine for identity-related processes

• Provisioning/De-Provisioning
– Quickly assigns and removes access privileges
– Automates consistent workflow processes
• User Self Service
– Empowers end users to resolve issues
– Reduces burden on IT and help desk
• Identity Administration
– Centralizes data/policy for consistency across
enterprise
– Delegates decision-making to application owners

Identity Management Key Capabilities
The Secret Ingredient: Modular yet Integrated
(diagram of capabilities, as labelled on the slide)
> Role-based Provisioning/De-Provisioning – ensure timely access and protect sensitive resources
> User Self-Service – decrease help desk costs and improve user satisfaction
> Integration – from web applications to the mainframe
> Workflow – enforce consistent and automated approval processes
> Auditing and Reporting – event and entitlements tracking
> Centralized Administration – establish authoritative identity source
> Security Policies – enforce identity controls, separation of duties

Security Compliance
Meet compliance objectives on a continuous basis

• Compliance Reporting and Dashboards
– Generates access, entitlement and audit reports
– Cross-system compliance reporting
• User and Role Entitlement Certification
– Validates users’ access is appropriate for their role
– Ensures access to applications is appropriate
• Change Management and Validation
– Initiates change management requests in other
systems
– Enables timely follow-up on remediation requests

Security Compliance Key Capabilities
The Secret Ingredient: Process-centric Platform
(diagram of capabilities, as labelled on the slide)
> Entitlement Certification – periodic reviews of users’ access, roles and applications
> Validation and Remediation – automatically follows up on requests to verify fixes are complete
> Compliance Warehouse – centralized compliance evidence warehouse
> Integration – IAM, GRC and Help-Desk integrations
> Change Certification and Attestation – dynamically commence approval process for any identified change
> Reporting and Dashboards – cross-system compliance reports and dashboards

Identity Lifecycle Management Payoff


• Increased security and reduced risk
– Eliminate unauthorized access and orphan accounts
– Easier to prove compliance
• Reduced cost/increased productivity
– Automation, delegation and self-service
• Overcome idle users requesting help desk support
– Consolidation of roles accelerates provisioning
• Improved user experience/satisfaction
– Faster & easier access to applications and data
• Centralized hub for storing all security
compliance info
– Provides ongoing visibility and project
management over access review processes

Customer Successes: Identity Lifecycle Management
• Problems
– Organizations with more roles than users
– 10+ days to provision new employees
– Very complex IT environments:
• 100+ target systems, 150K roles, 200K identities
– Multiple man-weeks to complete compliance processes such as access reviews
• Solutions
– Reduce 150K roles to <5K roles
– Provision new employees in <1 day to multiple systems
– Complete access reviews in hours, not days

Summary
• You need to streamline and automate your existing identity
lifecycle management processes for:
– Identity management
– Role mining and management
– Security compliance
• You need to find vendors who have a complete, integrated
solution to manage the entire identity lifecycle across your
enterprise

Q&A

