AGENDA
Introduction: Setting the scene: Personal, Disclaimer, RSA products at Daimler
Concepts: Identity & Access Management in IGL and Archer
Requirements to be implemented
Implementation / Deployment
Summary
Questions / Discussion
RSA Archer Summit | Aug 2018 |
INTRODUCTION
SETTING THE SCENE
PERSONAL
Dieter Hüll from Stuttgart, Germany
More than 20 years professional experience working as System Engineer, IT Security Analyst,
Trainer, Consultant, System Architect, Information Security Policy Framework Responsible
Current job: Cyber Risk Analyst in the staff of Daimler’s CISO, Michael Schrank,
Responsible for Cyber Risk Management and Daimler’s Archer eGRC platform
DISCLAIMER
I am not affiliated with RSA.
I am an employee of Daimler AG, not authorized to speak for Daimler (you may find a Daimler contact here: https://www.daimler.com/kontakt).
Please be aware that content of the presentation might contain errors or might not be
applicable in your environment.
References in the deck to trademarked items and commercial software are fair use and for
information purposes.
ARCHER & IGL AT DAIMLER
Daimler’s implementation of IGL is called GIAG (Global Identity Access Governance) and that of Archer eGRC is called AGP (Archer Governance Platform), to indicate its utilization as an “ecosystem” for GRCS applications.
7 RSA Use Cases:
− RSA Archer Issues Management
− RSA Archer IT Security Vulnerabilities Program
− RSA Archer IT Risk Management
− RSA Archer Security Incident Management
− RSA Archer Security Operations and Breach Management
− RSA Archer Policy Program Management
− RSA Archer Key Indicator Management
Large installation, on premise, enterprise license
Started end of 2016
Versions: Archer 6.4; IGL 7.2
SETTING THE SCENE
Typical Archer setup:
User management based on Active Directory or local user management
Access typically managed based on groups
This session presents a different approach: using the capabilities of IGL to manage the identities, accounts and entitlements of Archer eGRC.
CONCEPTS
ACCESS MANAGEMENT – WHAT IS IT ABOUT?
All Identity & Access Governance related processes like Access Review, Access Rules and Access Request require the following information:
− Granular Entitlements
− Non-privileged Access
− Application Roles
− Group Membership
ACCESS REQUEST - WHAT IS IT ABOUT?
The Access Request process supports compliance with the requirements of IT Account Management, statutory requirements and policies through audit-proof access request processes.
Change requests can be initiated by authorized requestors for predefined users and are validated against defined access rules (Access Rules). Mitigation controls need to be defined for rule breaches. Access rights which need to be changed can be (de)-provisioned by a change request workflow.
Provisioning options shown in the diagram: direct de-provisioning; ticketing system; e-mail plus manual activity.
ACCESS REVIEW – WHAT IS IT ABOUT?
The Access Review process supports compliance with statutory requirements and the least privilege principle through an audit-proof, recurrent recertification of granted access rights.
Reviewers regularly decide if the granted privileges of users are still adequate or need to be revoked. Access rights which need to be revoked are de-provisioned by a revocation workflow.
Revocation options shown in the diagram (decisions): direct de-provisioning; ticketing system; e-mail plus manual activity.
ACCESS RULES - WHAT IS IT ABOUT?
The Access Rules process supports compliance with statutory requirements and policies through audit-proof, recurrent controls of segregation of duties (SoD) and other access control rules as well as joiner, mover, leaver rules.
Granted privileges of users are regularly validated against defined access rules. Possible actions for detected rule violations: generation of a report, remediator decision (compensating control / revocation) or initiation of an Access Review.
Remediation options shown in the diagram (decisions): direct de-provisioning; ticketing system; e-mail plus manual activity; Access Review.
IGL - ROLE BASED ACCESS CONTROL
Diagram: two scopes.
− Scope Business Area (responsible: Business Owner): a Business Role Set of Business Roles, each with a Business Role Owner (department or BU area). Users can be assigned to Business Roles.
− Scope Application (responsible: Technical Owner = Application Owner): one Technical Role Set per application, e.g. Technical Role Set A (Technical Roles A) for Application A such as Archer, and Technical Role Set B (Technical Roles B) for Application B such as a Travel Management System; each Technical Role has a Technical Role Owner.
Business roles:
− Business roles for corporate functions or processes, e.g. CISO, Information Owner, Assessor.
− Only technical roles are assigned as entitlement to a business role.
− Users are assigned to the business role only via the Access Request Management Module.
− A membership rule was created for users and technical roles assigned to the Business Role. The rule then is enforced.
− Global Roles: we do not use Global Roles.
Technical roles:
− Technical roles are created PER application (Archer, SAP). Entitlements of different applications must not be mixed together in a technical role.
− A technical role should not contain SoD conflicts.
− The least privilege principle must always apply.
− Application Owners will get access rights to add or remove entitlements from the technical role.
− An entitlement rule must be created for entitlements. The rule then is enforced.
ARCHER ACCESS MANAGEMENT EXAMPLE
USERS ARE GRANTED ACCESS TO VARIOUS ARCHER FUNCTIONALITIES. ACCESS RIGHTS CAN BE COMBINED ACCORDING TO CURRENT REQUIREMENTS.
Business Role: Assessor
• Conduct the assessment and identify weaknesses.
• Document findings and address them to the persons in charge.
Access rights: Conduct Assessment, Create Finding
Business Role: Manager
• Take ownership for findings and risks in his/her domain.
• Plan the implementation of mitigating measures and track their status.
• Set up exception requests.
Access rights: Own Finding, Own Risk, Create Rem. Plan, Own Rem. Plan, Request Exception
ACCESS MANAGEMENT APPROACH FOR THE AGP
USERS OWN DIFFERENT BUSINESS ROLES AND NEED APPROPRIATE ACCESS RIGHTS TO FULFILL THEIR TASKS AND RESPONSIBILITIES.
Diagram columns: User | Daimler Business Role | Applications | Record Access | Access Rights (depending on the record status: CRUD)
Example rows: the Daimler Business Roles IT-Employee and Information Security Officer (ISO) are each mapped to the Finding and Risk applications.
REQUIREMENTS
PROTECTION OF SENSITIVE INFORMATION FROM UNAUTHORIZED ACCESS
DUE TO THE NATURE OF THE SENSITIVE INFORMATION STORED IN ARCHER, EFFECTIVE MEASURES ARE IN PLACE TO PROTECT IT.
Requirements:
• Formal processes for joiners, movers and leavers are defined with the necessary authorization checkpoints, and these processes are system enforced.
• An authentication mechanism is in place to protect the access to Archer eGRC.
• A fine-grained access rights system ensures that rights are only granted on a need-to-know basis and are revoked once no longer required.
• Access rights are decided on a record level (e.g. per finding within the Findings application).
• Definition of deputies for key roles to ensure processing in case of holidays and sickness.
Measures:
The IDM tool IGL is connected to Archer eGRC:
• In IGL a defined joiner, mover and leaver process is implemented, enforced and monitored.
• IGL has monitoring capabilities (SoD check).
• Accounts & authentication are managed by IGL.
Archer eGRC internal measures:
• Record access is only granted for users directly assigned (e.g. risk owner) to the record.
• Writing rights on records are immediately revoked once the user has no related tasks requiring writing rights (within Archer workflows).
• Deputies can be announced per record.
GENERAL/FURTHER REQUIREMENTS
Enhance User Convenience
Complete digital process to improve the processing time until an access request gets fulfilled
Requestors must be able to trace the status of their access request
Information Security
Lock dead accounts and unnecessary privileges for security, system stability and performance
Define who is able to request which access rights for which set of beneficial users, to prevent attackers from easily obtaining new access rights
Reduce authorizations of accounts to only the required privileges in order to make them less attractive for attackers
Prevent new un-remediated rule violations in order to prevent fraud
Identity Access Management
Direct provisioning of access rights into target systems
Recertification of granted access rights
Audit-proof workflows for access revocation decisions
Role mining, dashboards and reports
IMPLEMENTATION
ACCESS MANAGEMENT FROM A CONCEPTUAL POINT OF VIEW
User
In the Archer eGRC context, users are all persons that work or potentially could work (at any point) with the tool. Even persons that hold an “inactive” role related to an asset stored in Archer eGRC (e.g. Device Owner) are considered users.
Daimler Business Roles (DBR) group together a defined set of business tasks and responsibilities, related to a person's job description and not limited to the Archer eGRC context. DBRs are implemented as IGL business roles.
For each DBR there exists exactly one corresponding Archer Business Role (ABR). Each ABR represents the subset of DBR tasks which have to be performed within the Archer eGRC platform. ABRs are implemented as Technical Roles in IGL having mapped groups and roles as entitlements. In Daimler we map only groups as entitlements to technical roles.
CONCEPTUAL RELATIONSHIPS
DIFFERENT LEVELS CAN BE COMBINED IN SEVERAL WAYS, OUTSIDE OF ARCHER, TO ENABLE A HIGH DEGREE OF FLEXIBILITY.
User | Business Role (Daimler Business Role) | Technical Role IGL (Archer Business Role) | Archer Group (Archer Entitlement Group)
(user) | Assessor | ABR Assessor | Assessment Submitter, Assessment Reviewer
(user) | ISO | ABR ISO | Finding Submitter, Finding Owner
(user) | Accountant | (no Archer technical role shown in the diagram) |
Record Permission
Record Permissions limit, on a record level, the access rights a user got from the ABR. Depending on the record information (e.g. the status), a user can only see a subset of all records.
Field Permission
Fine-grained access restriction within a record is realized by Field Permissions. Field Permissions restrict the access to certain fields within a record.
TECHNICAL RELATIONSHIPS
USERS ARE MAINTAINED WITHIN ARCHER (ENTITLEMENT) GROUPS AND ARE THEREBY GRANTED THEIR INDIVIDUAL ACCESS RIGHTS.
Diagram: the L1, L2 & L3 mappings lead from users to Archer groups; the groups then govern access to Risk records, Findings and Assessments through Record & Field Permissions.
IGL USE CASES FOR ARCHER EGRC
Use Case Area | IGL Use Case | Approval process? | Requestor(s) | Beneficial | Approver1 | Approver2 | Reviewer
Account Mgmt | Create User Account | yes | Employee | Same as Requestor | Supervisor if Beneficial | Role Owner | Supervisor of Beneficial
Account Mgmt | Enable User Account | yes | Employee | Owner of disabled account | Supervisor if Employee | Role Owner | not applicable
Account Mgmt | Disable User Account | yes | Employee | Employee other than Requestor | Supervisor if Employee | Role Owner | not applicable
Access Mgmt | Add Business Role to User | yes | Employee | Employee other than Requestor | Supervisor if Beneficial | Role Owner | Supervisor of Beneficial
Access Mgmt | Remove Business Role from User | yes | Role owner for his roles | | self-approved | self-approved | Supervisor of Beneficial
Role Mgmt | Create Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Role Mgmt | Delete Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Role Mgmt | Add group to Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Role Mgmt | Remove group from Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Special Tasks | Reassign Archer to successor | yes | AGP System Administrator | Supervisor of Employee | AGP CAB | Role Owner | not applicable
LEVEL 2 MAPPING: BUSINESS ROLE TO TECHNICAL ROLE
Example: Business Role "Manager" is mapped to Technical Role "AGP_Manager".
BUSINESS ROLE MAPPING
LEVEL 3 MAPPING: ENTITLEMENT TO TECH. ROLE
Matrix columns: Archer Business Roles (ABR) | Description | Access | Archer Entitlement Groups (AGP_CISO_Staff, AGP_CISO, AGP_Employee, AGP_Information Owner, AGP_IS_Risk_Analyst). An x marks the groups each ABR is mapped to; the individual marks are not recoverable from the extracted slide.
CAS: Conduct Assessment
− CAS-Submitter (Access: CRU): Individuals that are allowed and mandated to create an assessment and collect data on the results of the questionnaire.
− CAS-Reviewer (Access: RU): Specific group of individuals that are allowed to review an assessment and have the authority to decide if the assessment was done correctly and the result is quality assured. The reviewer does not judge the content but is allowed to request evidence that the assessment has been conducted properly by the assessor.
− MFN-Submitter (Access: CRU): Individual that creates the finding and initially fills out the basic data, and also suggests the owner of the finding. This could be the assessor that has recently completed an assessment or some individual supporting the assessor, for example an “analyst” or more junior person. In any case, s(he) needs access to the AGP to create the record.
− MFN-Owner (Access: RU): Individual that was assigned to the finding to ensure that the finding gets adequate treatment. In case the treatment decision is to create a remediation plan or to assign the finding to an existing remediation plan, the owner of the remediation plan ensures that the finding is closed.
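The following is an added example, not code from the deck, from Daimler or from RSA: a small Python model of the chain that the RBAC slide and the Level 2 / Level 3 mapping slides describe (user → Daimler Business Role → Archer Business Role as IGL technical role → Archer entitlement group → CRUD on records), together with the checks the deck asks for: no mixing of target systems inside a technical role, no SoD conflict, membership-rule reconciliation of desired versus actual group membership, and narrowing by record permissions. The Assessor and ISO rows and the Manager → AGP_Manager mapping come from the slides; the AGP_Manager groups, the Risk Owner and SAP groups, the SoD rule and the read-only-when-closed behaviour are constructed assumptions for the example.

```python
"""Toy model of the IGL -> Archer role chain from the deck.

Added example (not Daimler's or RSA's code). Level 2 / Level 3 mappings are
taken from the slides where they appear; everything marked "constructed" is
an assumption made for this example.
"""
from dataclasses import dataclass, field

# Level 2: Daimler Business Role (IGL business role) -> Archer Business Role
# (IGL technical role). Manager -> AGP_Manager is the deck's Level 2 example.
BUSINESS_TO_TECHNICAL = {
    "Assessor": "ABR Assessor",
    "ISO": "ABR ISO",
    "Manager": "AGP_Manager",
}

# Level 3: technical role -> Archer entitlement groups. Assessor and ISO rows
# follow the conceptual-relationships slide; AGP_Manager's groups are
# constructed from the "Own Finding / Own Risk" rights on the example slide.
TECHNICAL_TO_GROUPS = {
    "ABR Assessor": {"Assessment Submitter", "Assessment Reviewer"},
    "ABR ISO": {"Finding Submitter", "Finding Owner"},
    "AGP_Manager": {"Finding Owner", "Risk Owner"},
}

# Group -> (target system, Archer application, CRUD letters granted on records
# of that application). CRU/RU values mirror the Level 3 matrix; Risk Owner
# and the SAP group are constructed.
GROUP_RIGHTS = {
    "Assessment Submitter": ("Archer", "Assessment", "CRU"),
    "Assessment Reviewer": ("Archer", "Assessment", "RU"),
    "Finding Submitter": ("Archer", "Finding", "CRU"),
    "Finding Owner": ("Archer", "Finding", "RU"),
    "Risk Owner": ("Archer", "Risk", "RU"),
    "SAP_FI_Poster": ("SAP", "FI", "RU"),
}

# Constructed SoD rule: whoever submits assessments must not also own the
# findings derived from them. Evaluated over a user's complete group set.
SOD_RULES = [("Assessment Submitter", "Finding Owner")]


@dataclass
class Record:
    application: str
    status: str                      # e.g. "Open" or "Closed"
    assignees: set = field(default_factory=set)


def resolve_groups(business_roles):
    """Level 1 -> 2 -> 3: expand a user's business roles into Archer groups."""
    groups = set()
    for dbr in business_roles:
        groups |= TECHNICAL_TO_GROUPS[BUSINESS_TO_TECHNICAL[dbr]]
    return groups


def validate_technical_roles(mapping=TECHNICAL_TO_GROUPS):
    """Checks from the RBAC slide: a technical role must not mix target
    systems and must not contain an SoD conflict by itself. Returns offenders."""
    problems = []
    for role, groups in mapping.items():
        systems = {GROUP_RIGHTS[g][0] for g in groups}
        if len(systems) > 1:
            problems.append((role, "mixes target systems"))
        for a, b in SOD_RULES:
            if a in groups and b in groups:
                problems.append((role, f"SoD conflict {a} / {b}"))
    return problems


def sod_violations(business_roles):
    """Access Rules check: which SoD pairs does this user's role set trigger?"""
    groups = resolve_groups(business_roles)
    return [(a, b) for a, b in SOD_RULES if a in groups and b in groups]


def reconcile(desired, actual):
    """Membership-rule enforcement: (groups to add, groups to remove) so that
    the Archer group membership matches what the role chain says it should be."""
    return desired - actual, actual - desired


def effective_rights(user, business_roles, record):
    """Group rights narrowed by record permissions. Rule from the deck: only
    users directly assigned to a record get access to it. Constructed
    assumption: once a record is Closed, write rights are withdrawn."""
    rights = set()
    for g in resolve_groups(business_roles):
        _system, app, crud = GROUP_RIGHTS[g]
        if app == record.application:
            rights.update(crud)
    if not rights or user not in record.assignees:
        return ""
    if record.status == "Closed":
        rights &= {"R"}
    return "".join(c for c in "CRUD" if c in rights)
```

Running `sod_violations(["Assessor", "Manager"])` shows the kind of cross-role conflict the Access Rules process is meant to surface: each technical role passes `validate_technical_roles()` on its own, yet a user holding both business roles still collects a conflicting group pair, which is why the deck checks SoD at the user level as well as at role design time.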
IGL: ENTITLEMENT TO TECHNICAL ROLE
MAPPING TO ARCHER GROUP
Archer Group ID
PREREQUISITES AND LIMITATIONS
Minimum software versions:
− Archer 5.5 SP3
− IGL 7.0.1 (see RSA_Via_L-G_RSA_Archer_GRC_AppGuide.pdf)
In IGL there is no out-of-the-box functionality to set a randomized password; this may be a security problem if no action is taken.
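As an added example of the compensating action the limitation above calls for (not IGL or Archer functionality, and not code from the deck): generate the initial password from the operating system's CSPRNG at account-creation time, check it against a constructed password policy, and hand it over with a must-change flag. How the value is delivered to Archer or to the user is outside this snippet and is an assumption of the surrounding provisioning flow.

```python
"""Random initial password for newly provisioned accounts.

Added example; the policy (length 16+, four character classes) and the
payload shape are constructed for illustration, not taken from IGL.
"""
import secrets
import string

SPECIALS = "!#%+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def meets_policy(pw, min_len=16):
    """Constructed policy: minimum length and all four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    )
    return len(pw) >= min_len and all(classes)


def random_initial_password(length=20):
    """Draw from the OS CSPRNG (secrets) until the policy is met; with a
    20-character draw this normally succeeds on the first attempt."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def provisioning_payload(username):
    """What a connector step would hand to the target system: the random
    password plus a must-change flag so the value is single-use. The caller
    delivers it to the user out of band and never logs it."""
    return {
        "username": username,
        "password": random_initial_password(),
        "must_change_at_first_login": True,
    }
```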
SUMMARY
SUMMARY
The connector works, with some limitations on the IGL side
Seamless integration is possible
Benefit from the strengths of two RSA products
No need for Active Directory as group management
CREDITS
Isaac Newton, 1675: "If I have seen further it is by standing on the shoulders of giants."
Michael Schrank, Daimler AG
Michael Zenleser, Daimler AG
Jasmin Naber, Daimler AG
Dr. Markus Böhm, PricewaterhouseCoopers
Daniel Speth, PricewaterhouseCoopers
Patrick Schleiter, PricewaterhouseCoopers
Dennis Heickhaus, PricewaterhouseCoopers
James Griffith, RSA
QUESTIONS / DISCUSSION
THANK YOU / CONTACT
Dieter Hüll,
IT Cross Functions & Services
Global Cyber Security
Daimler AG
Stuttgart, Germany
dieter.huell@daimler.com