This action might not be possible to undo. Are you sure you want to continue?
Leveraging an Identity Management Foundation to Sustain Compliance
Michael Coady Vice President, Solution Strategy Security Business Unit
• Some Pertinent Data • The challenge of managing multiple users and entitlements d il • Identity Lifecycle Management defined • Three components
– Identity Management – S Security Compliance Management it C li M t – Role Management and Role Engineering
• CA customer perspectives
6 42.1 23. and significantly increasing d i ifi tl i i Loss of Confidential Information and Reduced Customer Satisfaction – a co60 70 80 90 100 incidence? Perhaps not Percentage N=500.4 20.3 13.0 30.3 Most significant increases 2008 2006 40 50 Significantly Increasing Internal Breach incidence.0 50.8 26.7 34.0 49.1 20 30 32. Q13.7 61. 2008 S trIc tly P rIv Ile g e d an d C o n fId e ntIal S e cu rity A tta ck/B re a ch C o sts Lost productivity Loss of trust/confidence Embarassment Damage to reputation Loss of business/revenue/customers Loss of confidential information Loss of intellectual property Reduced customer satisfaction 0 10 34.0 Network attack Only Increase 2008 2006 Denial-of-service attack Internal breach of security None The first time security attack/breach incidence has declined – except for Internal Breach incidence which has B h i id hi h h more than doubled compared to five years ago (15%-20%) 70.0 40.6 20.0 80. 2008 S trIc tly P rIv Ileged a nd C o nfIde ntIa l 2 .0 100.7 40.0 60.4 20.1 22.0 10.2 27.4 18.0 20. Q14.7 0.0 Percentage N=500.8 10.0 90.4 67.S e cu rity A ttacks and B reaches Virus attack 59.6 29 6 32. What types of security challenges has your organization dealt with over the past 12 months? Source: The Strategic Counsel.7 28.5 26. What impact have these security challenges had on your organization? Source: The Strategic Counsel.6 43.1 51.9 29.4 39.
8 50% or more 15. enterprise-class firms spend 20% or more of their IT budget on IT security compliance 40 50 Percentage 60 70 80 90 100 0 10 20 30 N=500.0 30% or more 30.T im e 10% or more 81.S. Q105. 2008 S trIctly P rIvIleged and C onfIdentIal 3 .S.0 30% or more 34. Q104. What percent of your organization’s IT budget is spent specifically to ensure IT security compliance with various regulations? Source: The Strategic Counsel. 2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal S ecurity C om plia nce C o sts .4 TOTAL 40% or more 19.4 50% or more 15.6 Security compliance is a huge IT time eater – organizations need this to be more effective/efficient: 57% of U.6 Security compliance is a huge IT budget eater – organizations need this to be more effective/efficient: 56% of p p U. enterprise-class firms spend 20% or more t i l fi d of their IT time on IT security compliance 0 10 20 30 40 50 Percentage 60 70 80 90 100 N=500.0 TOTAL 40% or more 22.4 20% or more 56. What percent of your organization’s IT time is spent specifically to ensure IT security compliance with various regulations? Source: The Strategic Counsel.S e cu rity C o m p lia n ce C o sts .4 20% or more 57.B u d ge t 10% or more 81.
2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal 4 .2 19.2 0.2 38.8 1.6 4.0 38. How important is it for your current or planned IT Identity and Access Management solution to deliver the following? Source: The Strategic Counsel.4 0 10 20 30 40 50 Percentage 60 70 80 90 100 Majority of respondents say these are problem areas N=500. Are any of the following problem areas for your organization…? Source: The Strategic Counsel.2 18.2 40.2 2.8 38.2 17.2 2.8 37. Q7.6 31.IA M Issue s an d P ro b lem s Autom ated review and approval of user access privileges 62.0 20.8 0.6 3.6 36.4 7.0 Respondents feel there are several areas where IAM can be more efficient or better managed The creation.8 18.4 18. Q101.2 1.8 37.6 1.6 0.8 11.0 37.4 Central m anagem ent and enforcem ent of policies that ensure audit and legal requirem ents 60.0 1.0 3.8 1.4 20.6 1.0 40.0 2.8 37 8 56. 2008 A Problem S trIc tly P rIv Ile g e d a n d C o n fId en tIal W hat U se rs E xp e ct IA M T o D e live r – 2 0 0 8 T o p D e live ra b le s Emphasis is currently on utilizing IAM to deliver improved i d security Im proved security Web services security Im proved audit capability/transparency Im proved risk m anagem ent Better IT dept efficiency/cost reductions Centralized control w / distributed enforcem ent of role-based access to server resources Centralized w eb access m anagem ent Better user account m anagem ent Autom ated identity m anagem ent services across all platform s used Im proved regulatory com pliance 47.6 38. enforcem ent and verification of role-based access across diverse enterprise applications 59.0 Tracking and reporting on user activity that m ay pose a risk to the organization 60.8 39.2 72 22 0 10 20 30 40 50 Percentage 60 70 80 90 100 Very Important Neither Important nor Not-Important Not at All Important Important Not Important N=500.0 33.2 33 2 19.8 2.6 19 6 29.0 37.0 39.4 1.6 38.8 38.0 2.0 2.6 18.
What is the impact of major security or privacy breaches for you? N=500 Q17.4 82.2 44.8 76. 2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal 5 . How important is it for your current or planned IT Identity and Access Management solution to deliver the following? reductions Source: The Strategic Counsel.9 9.0 60.0 40. If your organization suffered a loss of customer or transaction data.1 41.0 20.0 10.2 72 90 100 C onsum er and IA M D ecision-M aker S ecurity and P rivacy C onfidence Breaches/losses have big consequences – consumers and IAM Pros agree Reduced customer satisfaction 82.8 9.4 8.4 82 4 Loss of customer/public trust and confidence 78.8 36.8 11.2 38.0 39.5 13.9 6.2 34.0 30.7 6.6 38.0 90.0 70.7 46.8 12.5 41.4 8.2 39.9 18 9 was more emphasis on 0 10 20 30 40 50 60 70 80 utilizing IAM to Pe rcentage improve Very Important Important compliance Neither Important nor Not-Important Not Important Not at All Important and achieve IT efficiencies / cost N=500.0 In 2006 there Single s ign on ign-on 33.8 76. 2006 S trIctly P rIv Ileged and C on fIden tIal 7. Q6.8 14.4 7.0 Percentage N=400. Q7.8 Consumers IAM Decision-Makers Reputation of organization damaged 76.4 0.8 35.4 10.0 50.0 40.2 5. what impact would it have? Source: The Strategic Counsel.3 14.2 37.0 31.8 14.1 14.0 80.3 40 3 18.W hat U se rs E xp e ct IA M T o D elive r – 2 0 0 6 To p D elivera b le s Im proved s ecurity Im prove d regulatory com pliance Better IT dept efficiency/cost reductions d ti Im proved ris k m anagem ent Im proved audit capability/transpare ncy Bette r use r account m anagem ent Im prove d facilitation of s ecure e-bus iness Im proved custom er/end-user self-s ervice 50.1 37.0 100.6 33 6 40.
How confident are you that the banking industry is properly protecting your on-line personal and private information? How confident are you that retailers are properly protecting your on-line personal and private information? How confident are you that the Government is properly protecting your on-line personal and private information? Source: The Strategic Counsel.0 90.8 24. Thinking in percentage terms.0 40.5 38.0 30. Do you think ________ spends enough on on-line security and privacy? N=100 Retail.0 34 0 Government does not spend enough 68.0 50. N=100 Financial Services Q20. 2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal C onsum er S ecurity and P rivacy C onfidence Retailers 4.0 100.0 Very confident can protect on-line personal and private information Financial Services 8.5 0 10 20 30 40 50 Percentage N=500.0 20.5 34. Q3a-b-c. Q8-Q10. 2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal 6 .8 Consumers’ aren’t very confident their on-line personal and private l d i t information is protected Government 11. N=100 Federal/State Government.0 60.0 Percentage N=400.0 80.0 10. adequate or too high? Source: The Strategic Counsel. do you think the percentage of your organization’s total IT budget devoted to security is too low.0 Large majority of consumers thinks spending isn’t high g g enough – a significant percentage of IAM Pros agree 70.C onsum er and IA M D ecision-M aker S ecurity and P rivacy C onfidence Retailers do not spend enough 72.0 0.0 Consumers IAM Decision-Makers Big Banks do not spend enough 57.
0 90.0 52. Q7-Q8.0 90.0 Percentage N=400.0 10.0 30.5 Yes No Know someone who has suffered a personal information theft 48.0 50.0 40.0 100. almost h lf know someone l t half k who has been a victim 70.S consumers have suffered a personal information theft.0 Somewhat confident Not confident at all 2.0 80. 2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal C onsum er P ersonal Inform ation T heft V ictim ization Have personally suffered a personal information theft 22.0 10. 2008 S trIc tly P rIv Ile g e d a n d C o n fId en tIal 7 . Have you ever suffered a personal information theft? Do you know someone who has been the victim of personal information theft? Source: The Strategic Counsel.0 20.IA M D ecision-M aker S ecurity and P rivacy C onfidence Only 28% of IAM Pros are very confident their firm/organization can protect itself against losing g g customer or transaction data 58.0 80.0 0.0 20.8 Very confident 28.5 77.2 IAM Decision-Makers Not confident 11.0 60.0 0.0 50.0 30.0 100.0 40.0 70.0 60. How confident are you that your organization can protect itself against losing customer or transaction data? Source: The Strategic Counsel.0 52 0 More than one-fifth of U.0 Percentage N=500 Q15.
The Regulatory Environment Global and Growing EU Privacy Directive SOX HIPAA FIPS 200 EU Privacy Directive CobiT 3rd Edition DS5.5 ACSI33 OGC ITIL: Security Management 4.3 FFIEC Information Secu y Security ISO 27001 FFIEC Operation s NIST SP 800-53 Compliance: External Requirements Reporting The Early Days Internal Auditing Systems Accounting Internal Audit Human Resources Sales and Marketing Manufacturing Finance i Legal Counsel IT 8 .
External Requirements Reporting SOX Audits Enter SOX Internal Auditing Systems Accounting Internal Audit Human Resources Sales and Marketing SOX Manufacturing Finance Legal Counsel IT Test Results Next Come PCI. EU Privacy Directive. Internal Policies (as well as Compliance Management) External Requirements Reporting Internal Auditing Systems Accounting Internal Audit Human Resources Sales and Marketing SOX Manufacturing Finance i Legal Counsel IT 9 .
The Challenge of Managing Multiple Users and their Entitlements >Security “Silos” >Inconsistent enforcement > External regulations Legislative Industry-specific > Best practices > Internal Many policies The Challenge of Managing Multiple Users and their Entitlements > High admin cost > Inconsistent enforcement > Increased risks > External regulations Legislative Industry specific > Best practices > Internal Many policies > Access reviews > User entitlements > Certification Many manual compliance processes 10 .
The Challenge of Managing Multiple Users and their Entitlements > Difficult administration > Difficult compliance > Reduced security > External regulations Legislative Industry specific > Best practices > Internal Many policies > Access reviews > User entitlements > Certification Many manual compliance processes > > > > > Many entitlements Mainframe RDBMS LDAP NOS ERP… 21 The Challenge of Managing Multiple Users and their Entitlements > Difficult to administer access rights > Hi h h l d k costs High help desk t > External regulations Legislative Industry specific > Best practices > Internal Many policies > Access reviews > User entitlements > Certification Many manual compliance processes > > > > > Many entitlements Mainframe RDBMS LDAP NOS ERP… > Many user types > Poor role mapping > Privilege accumulation Many roles 11 .
Identity Lifecycle Management The Solution > Easier administration > Reduced costs > Improved auditing for easier compliance Reduced entitlements > Reduced admin costs > Risk reduction Security compliance automation > Increased efficiency > Appropriate entitlements Reduced roles > Consistent security & enforcement Centralized policies > Access reviews > User entitlements > Certification Many manual compliance processes > > > > > Many entitlements Mainframe RDBMS LDAP NOS ERP… > Many user types > Poor role mapping > Privilege accumulation Many roles Solution to Managing Multiple Users and Entitlements Identity Lifecycle Management > Consistent security & enforcement Centralized policies Security compliance automation > Reduced admin costs > Risk reduction > Easier administration > Reduced costs > Improved auditing for easier compliance Reduced entitlements > Increased efficiency > Appropriate entitlements Reduced roles 12 .
Identity Lif Id i Lifecycle l Management Identity Lifecycle Management Defined Goal: Automating identity-related processes that span the entire enterprise • What are “identity-related” processes? – On-boarding/Off-boarding an employee – Users managing their own profiles – Executing proper provisioning approval processes – Ensuring user entitlements match functional responsibilities – Validating company is in compliance – And more… 13 .
Identity Lifecycle Management: IT Needs Role Management Understand what roles exist in the enterprise Establish role model that fits organization Analyze and maintain role model as business evolves Identity Management Identity Lifecycle Management Assign users to roles Apply role-based controls Provision users with approved accounts and privileges Manage change requests and approvals over time Security Compliance Management Security Compliance Management Understand security policy Import audit/log data Import identity information Compare. cleanup and role modeling • Ongoing Role Management – Processes role approval/adaptation. self service requests – Detects business changes that affect role structure • Auditing and Reporting – Assesses role exceptions. then initiate and verify remediation Streamline security compliance processes Role Mining/Management Enables efficient and accurate identity and entitlement management • Role Mining – Automates discovery of roles and access patterns – Enables gap analysis. cleanup and repair – Provides executive reporting and audit trail 14 .
and report >Enriches provisioning processes The Secret Ingredient – Pattern Recognition Analysis Identity Management Central engine for identity-related processes • Provisioning/De-Provisioning o so g/ e o so g – Quickly assigns and removes access privileges – Automates consistent workflow processes • User Self Service – Empowers end users to resolve issues – Reduces burden on IT and help desk • Identity Administration – Centralizes data/policy for consistency across enterprise – Delegates decision-making to application owners 15 . certify.Role Management Key Capabilities Audit/Gap Analysis Assess and audit systems for exceptions Data Cleanup Validation and Remediation >Clean and match user IDs >Identify out of pattern and exceptional users Model Management and Reporting Integration >Detect changes and exceptions >Adapt role based model Role Modeling > Reveal methodology > Define roles – top down/ bottom-up Policy Modeling >Verify.
separation of duties Security Compliance Meet compliance objectives on a continuous basis • Compliance Reporting and Dashboards – G Generates access.Role-based Provisioning/ De Provisioning De-Provisioning Ensure timely access and protect sensitive resources Workflow Enforce consistent and automated approval p processes Centralized Administration Establish authoritative identity source Identity Management Key Capabilities The Secret Ingredient: Modular yet Integrated User Self-Service Decrease help desk costs and improve user satisfaction Integration From web applications to the mainframe Auditing and Reporting Event and entitlements tracking Security Policies Enforce identity controls. entitlement and audit reports il d di – Cross-system compliance reporting • User and Role Entitlement Certification – Validates users’ access is appropriate for their role – Ensures access to applications is appropriate • Change Management and Validation – Initiates change management requests in other systems – Enables timely follow-up on remediation requests 16 .
Security Compliance Key Capabilities The Secret Ingredient: Process-centric Platform Entitlement Certification Periodic reviews of users’ access. roles pp and applications Validation and Remediation Automatically follows up on requests to verify fixes are complete Compliance Warehouse Centralized compliance evidence warehouse Integration IAM. GRC and Help. delegation and self-service • Overcome idle users requesting help desk support Consolidation of roles accelerates provisioning Faster & easier access to applications and data Reduced cost/increased productivity Improved user experience/satisfaction Centralized hub for storing all security compliance info – Provides ongoing visibility and project management over access review processes 17 .Desk integrations Security Compliance Change Certification and Attestation Dynamically commence approval process for any identified change Reporting and Dashboards Cross-system compliance reports and dashboards Identity Lifecycle Management Payoff • Increased security and reduced risk – – • – – • • – Eliminate unauthorized access and orphan accounts Easier to prove compliance Automation.
200K identities Complete access reviews in hours not days Provision new employees in <1 day to multiple systems Summary • You need to streamline and automate your existing identity lifecycle management processes for: – Identity management – Role mining and management – Security compliance • You need to find vendors who have a complete.Customer Successes: Identity Lifecycle Management • Problems – – – – Organizations with more roles than users 10+ days to provision new employees • Very complex IT environments: • Solutions – – – Man weeks to complete compliance processes such as access reviews (multiple man-weeks) Reduce 150K roles to <5K roles 100+ target systems. integrated solution to manage the entire identity lifecycle across your enterprise 18 . 150K roles.
Q&A 19 .
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.