Leveraging an Identity
Management Foundation
to Sustain Compliance
Michael Coady
Vice President, Solution Strategy
Security Business Unit
Agenda
• Some Pertinent Data
• The challenge of managing multiple users and entitlements
• Identity Lifecycle Management defined
• Three components
– Identity Management
– Security Compliance Management
– Role Management and Role Engineering
• CA customer perspectives
Security Attacks and Breaches

[Chart: Q13, "What types of security challenges has your organization dealt with over the past 12 months?" N=500, 2006 and 2008 series, percentage of respondents. Bar pairs recoverable from the extraction: Virus attack 59.4 / 67.7; Network attack 40.0 / 49.5; Denial-of-service attack 26.4 / 39.6. Which value belongs to which year is not recoverable. Callout: "Only Increase".]
Source: The Strategic Counsel, 2008

[Chart: Q14, "What impact have these security challenges had on your organization?" N=500, 2006 and 2008 series, percentage of respondents. Bar pairs: Embarrassment 32.7 / 28.1; Damage to reputation 23.2 / 27.6; Loss of business/revenue/customers 20.8 / 26.1; Loss of confidential information 34.1 / 22.4; Loss of intellectual property 18.4 / 20.4; Reduced customer satisfaction 32.7 / 20.1. Callouts: "Most significant increases"; "Significantly increasing internal breach incidence, and significantly increasing loss of confidential information and reduced customer satisfaction: a coincidence? Perhaps not."]
Source: The Strategic Counsel, 2008
Security Compliance Costs - Budget

[Chart: Q104, "What percent of your organization's IT budget is spent specifically to ensure IT security compliance with various regulations?" N=500, percentage. Bar values not recoverable from the extraction.]
Source: The Strategic Counsel, 2008

Strictly Privileged and Confidential

[Chart: Q105, "What percent of your organization's IT time is spent specifically to ensure IT security compliance with various regulations?" N=500, percentage. Bar values not recoverable from the extraction.]
Source: The Strategic Counsel, 2008
IAM Issues and Problems

[Chart: Q101, "Are any of the following problem areas for your organization…?" N=500, percentage answering "A Problem". Individual bar values not recoverable from the extraction. Callout: "Majority of respondents say these are problem areas".]
Source: The Strategic Counsel, 2008

What Users Expect IAM To Deliver

[Chart: Q7, "How important is it for your current or planned IT Identity and Access Management solution to deliver the following?" N=500, percentage. Response bands, in order: Very Important / Important / Neither Important nor Not-Important / Not Important / Not at All Important.]
Improved security: values not recoverable from the extraction
Improved risk management: 40.0 / 37.6 / 18.2 / 3.6 / 0.6
Better IT dept efficiency/cost reductions: 39.8 / 36.8 / 18.4 / 4.2 / 0.8
Automated identity management services across all platforms used: 38.0 / 37.0 / 20.8 / 2.8 / 1.4
Source: The Strategic Counsel, 2008
What Users Expect IAM To Deliver – 2006 Top Deliverables

[Chart, percentage; four response bands survive the extraction for each row, listed from most to least important:]
Improved security: 50.2 / 34.8 / 9.2 / 5.7
Improved regulatory compliance: 46.0 / 31.8 / 12.9 / 9.2
Improved audit capability/transparency: 40.0 / 39.1 / 14.7 / 6.2

[Chart: consumers (Q6, N=400, "What is the impact of major security or privacy breaches for you?") and IAM decision-makers (Q17, N=500, "If your organization suffered a loss of customer or transaction data, what impact would it have?"), percentage. Reduced customer satisfaction: 82.4 / 82.4. Reputation of organization damaged: 76.8 / 76.4. Callout: "Breaches/losses have big consequences: consumers and IAM Pros agree".]
Source: The Strategic Counsel, 2008
Consumer and IAM Decision-Maker Security and Privacy Confidence

[Chart: consumers Q8-Q10, N=400, "Do you think ________ spends enough on on-line security and privacy?"; IAM decision-makers Q20, N=100 Retail, N=100 Federal/State Government, N=100 Financial Services, "Thinking in percentage terms, do you think the percentage of your organization's total IT budget devoted to security is too low, adequate or too high?" Percentage; bar values not recoverable from the extraction.]
Source: The Strategic Counsel, 2008

[Chart: Q3a-b-c, N=500, "How confident are you that the banking industry is properly protecting your on-line personal and private information? How confident are you that retailers are properly protecting your on-line personal and private information? How confident are you that the Government is properly protecting your on-line personal and private information?" Percentage; only a Financial Services value of 8.5 survives the extraction.]
Source: The Strategic Counsel, 2008

IAM Decision-Maker Security and Privacy Confidence

[Chart: Q15, N=500, "How confident are you that your organization can protect itself against losing customer or transaction data?" Percentage; bar values not recoverable from the extraction.]
Source: The Strategic Counsel, 2008

[Chart: Q7-Q8, N=400, "Have you ever suffered a personal information theft? Do you know someone who has been the victim of personal information theft?" Yes/No, percentage; bar values not recoverable from the extraction.]
Source: The Strategic Counsel, 2008
The Regulatory Environment
Global and Growing

[Diagram: regulations and frameworks surrounding the enterprise]
Regulations and frameworks shown: SOX; EU Privacy Directive; HIPAA; CobiT 3rd Edition DS5.5; ACSI33; OGC ITIL: Security Management 4.3; FFIEC Information Security; FFIEC Operations; ISO 27001; NIST SP 800-53
Business functions they touch: Reporting Systems, Accounting, Internal Audit, Human Resources, Sales and Marketing, Manufacturing, Finance, Legal Counsel, IT
Enter SOX

[Diagram: External Requirements feed SOX Audits, which drive Internal Auditing across every business function (Reporting Systems, Accounting, Internal Audit, Human Resources, Sales and Marketing, Manufacturing, Finance, Legal Counsel, IT) and produce Test Results for the same set of functions.]
The Challenge of Managing Multiple Users and their Entitlements
> Security "Silos"
> Inconsistent enforcement
> Many policies
  > External regulations (legislative, industry-specific)
  > Best practices
  > Internal
> Difficult administration
> Difficult compliance
> Reduced security
Identity Lifecycle Management
The Solution

[Diagram: three outcomes, security compliance automation, reduced entitlements and reduced roles, with the benefits listed around them:]
> Reduced admin costs
> Risk reduction
> Easier administration
> Reduced costs
> Improved auditing for easier compliance
> Increased efficiency
> Appropriate entitlements

Identity Lifecycle Management
Identity Lifecycle Management: IT Needs

Role Management
Understand what roles exist in the enterprise
Establish a role model that fits the organization
Analyze and maintain the role model as the business evolves

Identity Management
Assign users to roles
Apply role-based controls
Provision users with approved accounts and privileges
Manage change requests and approvals over time

Security Compliance Management
Understand security policy
Import audit/log data
Import identity information
Compare, then initiate and verify remediation
Streamline security compliance processes
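The "import audit/log data, import identity information, compare, then initiate and verify remediation" loop above, as an added Python example. This is not CA code; the identity records, the account export from the two target systems and every entitlement name are constructed for the illustration. The comparison raises three kinds of finding (orphan account, active account of a terminated person, entitlement beyond what the role model approves), maps each to a remediation work item, and re-runs the comparison on a later export to verify which items were actually fixed.

```python
"""Reconcile an authoritative identity source against target-system
account exports, then plan and verify remediation.
Added example; all identities, accounts and entitlements are constructed."""
from dataclasses import dataclass


# Constructed authoritative identity source (an HR feed, say).
# "approved" is the entitlement set the person's role model grants.
IDENTITIES = {
    "u1001": {"status": "active", "approved": {"erp:ap_clerk", "ad:staff"}},
    "u1002": {"status": "terminated", "approved": set()},
    "u1003": {"status": "active", "approved": {"ad:staff"}},
}

# Constructed account export from two target systems (the audit/log side):
# (system, account, owning identity or None, entitlements held).
ACCOUNTS = [
    ("erp", "jdoe", "u1001", {"erp:ap_clerk"}),
    ("ad", "jdoe", "u1001", {"ad:staff", "ad:domain_admins"}),
    ("erp", "asmith", "u1002", {"erp:ap_clerk"}),
    ("ad", "svc_backup", None, {"ad:backup_operators"}),
    ("ad", "bkim", "u1003", {"ad:staff"}),
]

# Remediation action per finding type: what the workflow ticket asks for.
ACTIONS = {
    "orphan": "disable account until an owner is assigned",
    "terminated_active": "disable account",
    "excess_entitlement": "revoke entitlement",
}


@dataclass(frozen=True)
class Finding:
    kind: str      # one of the ACTIONS keys
    system: str
    account: str
    detail: str    # owner status or the offending entitlement


def reconcile(identities, accounts):
    """Compare every exported account with the identity source."""
    findings = []
    for system, account, owner, entitlements in accounts:
        if owner is None or owner not in identities:
            findings.append(Finding("orphan", system, account, "no matching identity"))
            continue
        identity = identities[owner]
        if identity["status"] != "active":
            findings.append(Finding("terminated_active", system, account,
                                    f"owner {owner} is {identity['status']}"))
            continue
        # Anything held on the target beyond what the role model approves.
        for entitlement in sorted(entitlements - identity["approved"]):
            findings.append(Finding("excess_entitlement", system, account, entitlement))
    return findings


def remediation_plan(findings):
    """Turn findings into (system, account, action, detail) work items."""
    return [(f.system, f.account, ACTIONS[f.kind], f.detail) for f in findings]


def still_open(findings, identities, accounts_after):
    """Verification: re-run the comparison on a fresh export and return the
    earlier findings that are still present."""
    current = set(reconcile(identities, accounts_after))
    return [f for f in findings if f in current]


if __name__ == "__main__":
    found = reconcile(IDENTITIES, ACCOUNTS)
    for item in remediation_plan(found):
        print(item)
```

The verification step deliberately reuses the same comparison rather than trusting the ticket system's "closed" status: a finding is only gone when the next export no longer shows it.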
Role Mining/Management
Enables efficient and accurate identity and entitlement
management
• Role Mining
– Automates discovery of roles and access patterns
– Enables gap analysis, cleanup and role modeling
• Ongoing Role Management
– Processes role approval/adaptation, self service requests
– Detects business changes that affect role structure
• Auditing and Reporting
– Assesses role exceptions, cleanup and repair
– Provides executive reporting and audit trail
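Bottom-up role mining of the kind the bullets describe, as an added Python example. It is not the CA product's algorithm, and the users and entitlement names are constructed. Candidate roles are entitlement patterns held by several users (each user's full set plus pairwise intersections), the best-scoring patterns are kept only where they explain access not already covered by an earlier role, and whatever the resulting role model cannot explain is reported as an exception for cleanup. On the constructed data six distinct entitlement profiles collapse to three roles and one user is left as an exception, which is the same role-reduction effect the customer figures later in the deck describe at scale.

```python
"""Bottom-up role mining over a user-to-entitlement matrix.
Added example; users and entitlement names are constructed."""
from itertools import combinations

# Constructed access data: user -> entitlements currently held.
USERS = {
    "alice": {"crm:read", "crm:write", "mail"},
    "bob":   {"crm:read", "crm:write", "mail"},
    "carol": {"crm:read", "crm:write", "mail", "fin:post"},
    "dave":  {"fin:post", "fin:approve", "mail"},
    "erin":  {"fin:post", "fin:approve", "mail"},
    "frank": {"mail", "vpn"},
}


def candidate_roles(users, min_support=2, min_size=2):
    """Entitlement patterns (each user's full set and every pairwise
    intersection) held in full by at least min_support users.
    Returns {pattern: frozenset of users holding all of it}."""
    sets = [frozenset(e) for e in users.values()]
    patterns = {s for s in sets if len(s) >= min_size}
    patterns |= {a & b for a, b in combinations(sets, 2) if len(a & b) >= min_size}
    supported = {}
    for pattern in patterns:
        members = frozenset(u for u, e in users.items() if pattern <= e)
        if len(members) >= min_support:
            supported[pattern] = members
    return supported


def mine_roles(users, min_support=2, min_size=2):
    """Greedy role selection: rank candidates by assignments explained
    (support x size), keep a role only where it covers access no earlier
    role covered, then report leftover direct assignments as exceptions."""
    cands = candidate_roles(users, min_support, min_size)
    ranked = sorted(cands, key=lambda p: (-len(cands[p]) * len(p), -len(p), sorted(p)))
    uncovered = {u: set(e) for u, e in users.items()}
    roles, assignments = [], {u: [] for u in users}
    for pattern in ranked:
        takers = [u for u in sorted(cands[pattern]) if uncovered[u] & pattern]
        if not takers:
            continue                       # explains nothing new; drop it
        name = f"R{len(roles) + 1}"
        roles.append((name, pattern))
        for u in takers:
            assignments[u].append(name)
            uncovered[u] -= pattern
    exceptions = {u: e for u, e in uncovered.items() if e}
    return roles, assignments, exceptions


if __name__ == "__main__":
    roles, assignments, exceptions = mine_roles(USERS)
    for name, pattern in roles:
        print(name, sorted(pattern))
    print(assignments)
    print("exceptions:", exceptions)
```

The two thresholds are the knobs a role engineer tunes: raising min_support produces fewer, broader roles and more exceptions; lowering it reproduces the "more roles than users" problem the deck warns about.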
Role Management Key Capabilities

Role Modeling
> Reveal methodology
> Define roles: top-down / bottom-up
> Policy modeling

Model Management and Reporting
> Detect changes and exceptions
> Adapt role-based model
> Verify, certify, and report

Integration
> Enriches provisioning processes

The Secret Ingredient: Pattern Recognition Analysis
Identity Management
Central engine for identity-related processes
• Provisioning/De-Provisioning
– Quickly assigns and removes access privileges
– Automates consistent workflow processes
• User Self Service
– Empowers end users to resolve issues
– Reduces burden on IT and help desk
• Identity Administration
– Centralizes data/policy for consistency across
enterprise
– Delegates decision-making to application owners
Identity Management Key Capabilities
The Secret Ingredient: Modular yet Integrated

Role-based Provisioning/De-Provisioning: ensure timely access and protect sensitive resources
User Self-Service: decrease help desk costs and improve user satisfaction
Integration: from web applications to the mainframe
Workflow: enforce consistent and automated approval processes
Auditing and Reporting: event and entitlements tracking
Centralized Administration: establish authoritative identity source
Security Policies: enforce identity controls, separation of duties
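Separation-of-duties enforcement inside the provisioning workflow, as an added Python example (not CA code; the role catalogue, entitlements and toxic-combination rules are constructed). The point it adds to the slide is the edge case that matters in practice: roles nest other roles, so a request has to be evaluated on the user's effective entitlements after full role expansion, otherwise a violation can hide one level down the hierarchy. The expansion is cycle-safe so a mis-modelled role catalogue cannot hang the check.

```python
"""Preventive separation-of-duties check on a provisioning request.
Added example; roles, entitlements and rules are constructed."""

# Constructed role catalogue: direct entitlements plus nested child roles.
ROLES = {
    "erp_user":   {"ents": {"erp:login"}, "includes": set()},
    "ap_clerk":   {"ents": {"ap:create_vendor"}, "includes": {"erp_user"}},
    "ap_payer":   {"ents": {"ap:pay_vendor"}, "includes": {"erp_user"}},
    "ap_manager": {"ents": {"ap:report"}, "includes": {"ap_payer"}},
    "helpdesk":   {"ents": {"ad:reset_password"}, "includes": set()},
}

# Constructed toxic combinations: holding every entitlement in a set is a violation.
SOD_RULES = [
    (frozenset({"ap:create_vendor", "ap:pay_vendor"}),
     "vendor creation and vendor payment must be held by different people"),
    (frozenset({"ad:reset_password", "ad:domain_admins"}),
     "password-reset staff may not be domain admins"),
]


def expand_role(name, roles, seen=None):
    """Every entitlement a role grants, following nested roles; cycle-safe."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    granted = set(roles[name]["ents"])
    for child in roles[name]["includes"]:
        granted |= expand_role(child, roles, seen)
    return granted


def effective_entitlements(role_names, direct, roles=ROLES):
    """Role-granted entitlements plus direct (out-of-role) assignments."""
    ents = set(direct)
    for r in role_names:
        ents |= expand_role(r, roles)
    return ents


def sod_violations(entitlements, rules=SOD_RULES):
    return [text for combo, text in rules if combo <= entitlements]


def evaluate_request(current_roles, current_direct, add_roles=(), add_direct=()):
    """Decide a request on the access the user would hold after it is granted."""
    after = effective_entitlements(set(current_roles) | set(add_roles),
                                   set(current_direct) | set(add_direct))
    violations = sod_violations(after)
    return ("deny" if violations else "approve", violations)


if __name__ == "__main__":
    # An AP clerk asks for ap_manager: the conflict sits in the nested ap_payer role.
    print(evaluate_request({"ap_clerk"}, set(), add_roles={"ap_manager"}))
    print(evaluate_request({"ap_clerk"}, set(), add_roles={"helpdesk"}))
```

The same sod_violations function run over every user's effective entitlements gives the detective check that an access review would use; the preventive check above is what keeps new violations from being created between reviews.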
Security Compliance
Meet compliance objectives on a continuous basis
Security Compliance Key Capabilities
The Secret Ingredient: Process-centric Platform

Entitlement Certification: periodic reviews of users' access, roles and applications
Validation and Remediation: automatically follows up on requests to verify fixes are complete
Compliance Warehouse: centralized compliance evidence warehouse
Integration: IAM, GRC and Help-Desk integrations
Customer Successes: Identity Lifecycle
Management
• Problems
– Organizations with more roles than users
– 10+ days to provision new employees
– Very complex IT environments:
• 100+ target systems, 150K roles, 200K identities
– Multiple man-weeks to complete compliance
processes such as access reviews
• Solutions
– Reduce 150K roles to <5K roles
– Provision new employees in <1 day to
multiple systems
– Complete access reviews in hours, not days
Summary
• You need to streamline and automate your existing identity
lifecycle management processes for:
– Identity management
– Role mining and management
– Security compliance
• You need to find vendors who have a complete, integrated
solution to manage the entire identity lifecycle across your
enterprise
Q&A