IDENTITY & ACCESS MANAGEMENT FOR RSA ARCHER BASED ON RSA IDENTITY GOVERNANCE LIFECYCLE

Dieter Hüll, CISA, CISM, CRISC, Dipl. Ing.
Daimler AG
Stuttgart, Germany

AGENDA
• Introduction: Setting the scene: Personal, Disclaimer, RSA products at Daimler
• Concepts: Identity & Access Management in IGL and Archer
• Requirements to be implemented
• Implementation / Deployment
• Summary
• Questions / Discussion

RSA Archer Summit | Aug 2018
INTRODUCTION
SETTING THE SCENE

PERSONAL
• Dieter Hüll from Stuttgart, Germany
• Graduated in Computer Engineering at University of Applied Science, Esslingen, Germany
• Certified Information Systems Auditor (CISA - ISACA.org)
• Certified Information Security Manager (CISM - ISACA.org)
• Certified in Risk and Information Systems Control (CRISC - ISACA.org)
• ITIL Foundation v3
• More than 20 years of professional experience working as System Engineer, IT Security Analyst, Trainer, Consultant, System Architect, Information Security Policy Framework Responsible
• Current job: Cyber Risk Analyst in the staff of Daimler's CISO, Michael Schrank
• Responsible for Cyber Risk Management and Daimler's Archer eGRC platform

DISCLAIMER
• I am not affiliated with RSA.
• I am an employee of Daimler AG, not authorized to speak for Daimler (you may find a Daimler contact here: https://www.daimler.com/kontakt)
• Thus, I express my personal opinion and share my knowledge.
• Please be aware that the content of the presentation might contain errors or might not be applicable in your environment.
• References in the deck to trademarked items and commercial software are fair use and for information purposes.

ARCHER & IGL AT DAIMLER
• Daimler's implementation of IGL is called GIAG (Global Identity Access Governance) and that of Archer eGRC is called AGP (Archer Governance Platform) to indicate its utilization as an "ecosystem" for GRCS applications
• 7 RSA Use Cases:
− RSA Archer Issues Management
− RSA Archer IT Security Vulnerabilities Program
− RSA Archer IT Risk Management
− RSA Archer Security Incident Management
− RSA Archer Security Operations and Breach Management
− RSA Archer Policy Program Management
− RSA Archer Key Indicator Management
• Large installation on premise, enterprise license
• Started end of 2016
• Versions: Archer 6.4; IGL 7.2

SETTING THE SCENE
Typical Archer setup:
• User management based on Active Directory or local user management
• Access typically managed based on groups

This session presents a different approach: using the capabilities of IGL to manage the identities, accounts and entitlements of Archer eGRC.

• RSA provides the Archer Connector for IGL, see https://community.rsa.com/docs/DOC-59067

CONCEPTS
ACCESS MANAGEMENT – WHAT IS IT ABOUT?
• All Identity & Access Governance related processes like Access Review, Access Rules and Access Request require the information … which identity … has what kind of access … to which resource.

[Figure: kinds of access, from Privileged Access, Granular Entitlements and Non-privileged Access down to Application Roles and Group Membership]

ACCESS REQUEST - WHAT IS IT ABOUT?
• Access Request process supports compliance with requirements of IT Account Management, statutory requirements and policies through audit-proof access request processes

[Figure: access request flow. Change requests can be initiated by authorized requestors for predefined users and are validated against defined access rules. Mitigation controls need to be defined for rule breaches. Access rights which need to be changed can be (de-)provisioned by a change request workflow: by direct de-provisioning, via a ticketing system, or via e-mail plus manual activity.]


ACCESS REVIEW – WHAT IS IT ABOUT?
• Access Review process supports compliance with statutory requirements and the least privilege principle through an audit-proof, recurrent recertification of granted access rights

[Figure: access review flow. Reviewers regularly decide if granted privileges of users are still adequate or need to be revoked. Access rights which need to get revoked are de-provisioned by a revocation workflow: by direct de-provisioning, via a ticketing system, or via e-mail plus manual activity.]

ACCESS RULES - WHAT IS IT ABOUT?
• Access Rules process supports compliance with statutory requirements and policies through audit-proof, recurrent controls of segregation of duties (SoD) and other access control rules as well as joiner, mover, leaver rules

[Figure: access rules flow. Granted privileges of users are regularly validated against defined access rules. Possible actions for detected rule violations: generation of a report, remediator decision (Compensating Control / Revocation) or initiation of an Access Review. Revocation decisions are executed by direct de-provisioning, via a ticketing system, or via e-mail plus manual activity.]

IGL - ROLE BASED ACCESS CONTROL

[Figure: Scope "Business Area" (responsible: Business Owner; Business Role Owner per department or BU area) holds the Business Role Set; users can be assigned to Business Roles. Scope "Application" (responsible: Technical Owner = Application Owner; Technical Role Owner) holds Technical Role Set A for Application A (e.g. Archer) and Technical Role Set B for Application B (e.g. Travel Management System). Entitlements of target applications are assigned to Technical Roles.]

GIAG (IGL) ROLE MANAGEMENT CONCEPT

Business Roles
• Business roles for corporate functions or processes, e.g. CISO, Information Owner, Assessor
• Only technical roles are assigned as entitlement to a business role.
• Users are assigned to the business role only via the Access Request Management Module. A membership rule was created for users and technical roles assigned to the Business role. The rule then is enforced.

Technical Roles
• Technical roles are created PER application (Archer, SAP). Entitlements of different applications must not be mixed together in a technical role.
• A technical role should not contain SoD conflicts.
• Least privilege principle must always apply.
• Application Owners will get access rights to add or remove entitlements from the technical role.
• An entitlement rule must be created for entitlements. The rule then is enforced.

Global Roles
• We do not use Global Roles.

ARCHER ACCESS MANAGEMENT EXAMPLE
USERS ARE GRANTED ACCESS TO VARIOUS ARCHER FUNCTIONALITIES. ACCESS RIGHTS CAN BE COMBINED ACCORDING TO CURRENT REQUIREMENTS.

Users (3 business roles) and their entitlements in Archer:

Assessor
• Conduct the assessment and identify weaknesses.
• Document findings and address them to the persons in charge.
Entitlements: Conduct Assessment, Create Finding

Manager
• Take ownership for findings and risks in his/her domain.
• Plan the implementation of mitigating measures and track their status.
• Set up exception requests.
Entitlements: Own Finding, Own Risk, Create Rem. Plan, Own Rem. Plan, Request Exception

Information Security Officer
• Ensure and review the required quality of documentation.
• Take care of risk processing and exception handling.
• Supervise and review actions and measures taken.
Entitlements: Review Assessment, Review Finding, Review Rem. Plan, Grant Exception, Create Risk, Process Risk

IGL AS ACCESS MANAGEMENT TOOL FOR ARCHER EGRC
ACCESS REQUEST, CHANGE AND REVOCATION PROCESSES ARE IMPLEMENTED, ENFORCED AND MONITORED USING IGL

[Figure: swim lanes User, Business Role, IGL, Archer eGRC. Access Request: add, change or revoke a business role; IGL approves & executes the change in Archer eGRC. Access Review: review, initiate change, review & report. Access Rule Definition: govern.]

ACCESS MANAGEMENT APPROACH FOR THE AGP
USERS OWN DIFFERENT BUSINESS ROLES AND NEED APPROPRIATE ACCESS RIGHTS TO FULFILL THEIR TASKS AND RESPONSIBILITIES.

[Figure: User → Daimler Business Role → Applications → Record Access → Access Rights (depending on the record status: CRUD). Example business roles: IT-Employee and Information Security Officer (ISO), each with access to Finding and Risk records.]

REQUIREMENTS

PROTECTION OF SENSITIVE INFORMATION FROM UNAUTHORIZED ACCESS
DUE TO THE NATURE OF THE SENSITIVE INFORMATION STORED IN ARCHER, EFFECTIVE MEASURES ARE IN PLACE TO PROTECT IT.

Requirements
• Formal processes for joiners, movers and leavers are defined with the necessary authorization checkpoints, and these processes are system enforced.
• An authentication mechanism is in place to protect the access to Archer eGRC.
• A fine-grained access rights system ensures that rights are only granted on a need-to-know basis and are revoked once no longer required.
• Access rights are decided on a record level (e.g. per finding within the Findings application).
• Definition of deputies for key roles to ensure processing in case of holidays and sickness.

Measures
The IDM tool IGL is connected to Archer eGRC:
• In IGL a defined joiner, mover and leaver process is implemented, enforced and monitored
• IGL has monitoring capabilities (SoD check)
• Accounts & authentication are managed by IGL.
Archer eGRC internal measures:
• Record access is only granted for users directly assigned (e.g. risk owner) to the record.
• Writing rights on records are immediately revoked once the user has no related tasks requiring writing rights (within Archer workflows)
• Deputies can be announced per record.

GENERAL/FURTHER REQUIREMENTS
Enhance User Convenience
• Complete digital process to improve the processing time until an access request gets fulfilled
• Requestors must be able to trace the status of their access request
Information Security
• Lock dead accounts and unnecessary privileges for security, system stability and performance
• Define who is able to request which access rights for which set of beneficial users, to prevent attackers from getting new access rights easily
• Reduce authorizations of accounts to only the required privileges in order to make them less attractive for attackers
• Prevent new un-remediated rule violations in order to prevent fraud
Identity & Access Management
• Direct provisioning of access rights into target systems
• Recertification of granted access rights
• Audit-proof workflows for access revocation decisions
• Role mining, dashboards and reports

IMPLEMENTATION

ACCESS MANAGEMENT FROM A CONCEPTUAL POINT OF VIEW

User
In the Archer eGRC context, users are all persons that work or potentially could work (at any point) with the tool. Even persons that hold an "inactive" role related to an asset stored in Archer eGRC (e.g. Device Owner) are considered as users.

Daimler Business Role
Daimler Business Roles (DBR) group together a defined set of business tasks and responsibilities, related to a person's job description and not limited to the Archer eGRC context. DBRs are implemented as IGL business roles.

Archer Business Role
For each DBR there exists exactly one corresponding Archer Business Role (ABR). Each ABR represents the subset of DBR tasks which have to be performed within the Archer eGRC platform. ABRs are implemented as Technical Roles in IGL having mapped groups and roles as entitlements. In Daimler we map only groups as entitlements to technical roles.

CONCEPTUAL RELATIONSHIPS
DIFFERENT LEVELS CAN BE COMBINED IN SEVERAL WAYS, OUTSIDE OF ARCHER, TO ENABLE A HIGH DEGREE OF FLEXIBILITY.

[Figure: mapping chain in three columns. User (Daimler Business Role): Assessor, ISO, Accountant, Application Owner, Information Owner. Level 1 Mapping. Technical Role in IGL (Archer Business Role): ABR Assessor, ABR ISO, ABR Manager, ABR Info Owner. Level 2 Mapping. Archer Group (Archer Entitlement Group): Assessment Submitter, Assessment Reviewer, Finding Submitter, Finding Owner, Finding Reviewer, AEG-ISO, AEG-Manager. Level 3 Mapping. The technical roles also cover further IGL-managed applications.]

ACCESS MANAGEMENT (TECHNICAL POINT OF VIEW)
WITHIN ARCHER DIFFERENT COMPONENTS ARE USED TO ENABLE A VERY FINE-GRAINED ACCESS MANAGEMENT.

Archer Entitlement Group
In Archer each user is assigned to Archer Entitlement Groups (AEG) according to the defined Level 1 to Level 3 Mappings. The mapping information has to be maintained outside of Archer (IGL, Excel).

Archer Access Role
Archer Access Roles (AAR) are a set of individual rights within Archer (e.g. the right to create, read, update or delete findings). AARs are mapped to an AEG and thereby entitle the users in this AEG with these rights.

Record Permission
Record Permissions limit the access rights a user got from the AAR on a record level. Depending on the record information (e.g. the status), a user can only see a subset of all records.

Field Permission
Fine-grained access restrictions within a record are realized by Field Permissions. Field Permissions restrict the access to certain fields within a record.

TECHNICAL RELATIONSHIPS
USERS ARE MAINTAINED WITHIN ARCHER (ENTITLEMENT) GROUPS AND ARE THEREBY GRANTED THEIR INDIVIDUAL ACCESS RIGHTS

[Figure: in IGL, a User is assigned to a Tech. Role; via the L1, L2 & L3 Mappings the user is placed in an Archer Entitlement Group (AEG) in Archer; the AEG is mapped to an Archer Access Role (AAR); Record & Field Permissions then restrict access to the Risk records, Findings and Assessments.]

IGL USE CASES FOR ARCHER EGRC

Use Case Area | IGL Use Case | Approval process? | Requestor(s) | Beneficial | Approver 1 | Approver 2 | Reviewer
Account Mgmt | Create User Account | yes | Employee | Same as Requestor | Supervisor if Beneficial | Role Owner | Supervisor of Beneficial
Account Mgmt | Enable User Account | yes | Employee | Owner of disabled account | Supervisor if Employee | Role Owner | not applicable
Account Mgmt | Disable User Account | yes | Employee | Employee other than Requestor | Supervisor if Employee | Role Owner | not applicable
Access Mgmt | Add Business Role to User | yes | Employee | Employee other than Requestor | Supervisor if Beneficial | Role Owner | Supervisor of Beneficial
Access Mgmt | Remove Business Role from User | yes | Role owner for his roles | | self-approved | self-approved | Supervisor of Beneficial
Role Mgmt | Create Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Role Mgmt | Delete Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Role Mgmt | Add group to Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Role Mgmt | Remove group from Business Role | yes | AGP System Administrator | not applicable | AGP CAB | Role Owner | not applicable
Special Tasks | Reassign Archer to successor | yes | AGP System Administrator | Supervisor of Employee | AGP CAB | Role Owner | not applicable

LEVEL 2 MAPPING: BUSINESS ROLE TO TECHNICAL ROLE

Daimler Business Role | Archer Business Role
Chief Information Security Officer | AGP_CISO
Chief Information Security Officer - Deputy | AGP_CISO
Chief Information Security Officer - Staff | AGP_CISO_Staff
Employee | AGP_Employee
Manager | AGP_Manager

BUSINESS ROLE MAPPING
• Each business role is mapped to exactly one technical role
• Multiple business roles may be mapped to the same technical role, e.g. deputies

LEVEL 3 MAPPING: ENTITLEMENT TO TECH. ROLE

Rows: Archer Entitlement Groups. Columns: Archer Business Roles (ABR) AGP_CISO, AGP_CISO_Staff, AGP_Employee, AGP_Information Owner, AGP_IS_Risk_Analyst. "Access" gives the CRUD rights of the group; an x marks each ABR the group is mapped to.

CAS: Conduct Assessment
• CAS-Submitter (Access: CRU; ABR columns marked: x x x): Individuals that are allowed and mandated to create an assessment and collect data on the results of the questionnaire.
• CAS-Reviewer (Access: RU; ABR columns marked: x x): Specific group of individuals that are allowed to review an assessment and have the authority to decide if the assessment was done correctly and the result is quality assured. The reviewer does not judge the content but he is allowed to request evidence that the assessment has been conducted properly by the assessor.

MFN: Manage Findings
• MFN-Reader (Access: R; ABR columns marked: x x): Individuals that can read all findings that were submitted.
• MFN-Submitter (Access: CRU; ABR columns marked: x x): Individual that creates the finding and initially fills out the basic data, and he also suggests the owner of the finding. This could be the assessor that has recently completed an assessment or some individual supporting the assessor, for example an "analyst" or more junior person. In any case, s(he) needs access to the AGP to create the record.
• MFN-Owner (Access: RU; ABR columns marked: x x): Individual that was assigned to the finding to ensure that the finding gets adequate treatment. In case the treatment decision is to create a remediation plan or to assign the finding to an existing remediation plan, the owner of the remediation plan ensures that the finding is closed.

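The mapping chain from the role management concept, the business role mapping and this Level 3 table (each business role to exactly one technical role, technical roles per application without SoD conflicts, entitlement groups carrying CRUD rights, then record-level restriction) worked through as a small Python model. This is an added example, not code from Daimler's GIAG/AGP or from RSA IGL; the user names, the sample record and the SoD pair are constructed, the role, group and rights names are taken from the slides.

```python
"""Toy model of the Level 1/2/3 mapping chain and the rules the deck sets for it
(constructed example, not Daimler's GIAG/AGP or RSA IGL code). Role, group and
rights names come from the slides; users, record and SoD pair are constructed."""

# Level 1: user -> Daimler Business Roles (IGL business roles); constructed users
LEVEL1 = {"alice": ["Assessor"], "bob": ["Manager", "ISO"]}
# Level 2: each business role -> exactly one technical role (Archer Business Role);
# several business roles may share one technical role (e.g. deputies)
LEVEL2 = {"Assessor": "ABR Assessor", "Manager": "ABR Manager",
          "ISO": "ABR ISO", "ISO - Deputy": "ABR ISO"}
# Level 3: technical role -> (application, Archer Entitlement Group) entitlements
LEVEL3 = {"ABR Assessor": [("Archer", "CAS-Submitter"), ("Archer", "MFN-Submitter")],
          "ABR Manager": [("Archer", "MFN-Owner")],
          "ABR ISO": [("Archer", "CAS-Reviewer"), ("Archer", "MFN-Reader")]}
# Archer Access Roles: CRUD rights per entitlement group, as on the Level 3 slide
AAR = {"CAS-Submitter": "CRU", "CAS-Reviewer": "RU", "MFN-Reader": "R",
       "MFN-Submitter": "CRU", "MFN-Owner": "RU"}
# Constructed SoD rule: submitting and reviewing assessments must not sit in one role
SOD_PAIRS = [frozenset({"CAS-Submitter", "CAS-Reviewer"})]


def validate_mappings(level2=LEVEL2, level3=LEVEL3):
    """Return violations of the deck's role rules: a business role whose technical
    role is undefined, a technical role mixing applications, or a technical role
    carrying an SoD conflict. An empty list means the mappings are clean."""
    problems = []
    for brole, trole in level2.items():
        if trole not in level3:
            problems.append(f"{brole}: technical role {trole} is undefined")
    for trole, ents in level3.items():
        apps = {app for app, _ in ents}
        if len(apps) > 1:
            problems.append(f"{trole}: mixes applications {sorted(apps)}")
        groups = {grp for _, grp in ents}
        for pair in SOD_PAIRS:
            if pair <= groups:
                problems.append(f"{trole}: SoD conflict {sorted(pair)}")
    return problems


def effective_groups(user):
    """Resolve user -> business roles -> technical roles -> Archer groups."""
    groups = set()
    for brole in LEVEL1.get(user, []):
        groups.update(grp for _, grp in LEVEL3[LEVEL2[brole]])
    return groups


def effective_rights(user, record):
    """AAR rights of the user's groups, filtered by the record permission rules of
    the requirements slide: only users directly assigned to the record get access
    (the read-all-findings group is the constructed exception) and write rights
    fall away once the record's workflow has closed."""
    groups = effective_groups(user)
    rights = set().union(*(AAR[grp] for grp in groups))   # e.g. "CRU" -> {C,R,U}
    if user not in record["assigned"]:
        return {"R"} if "MFN-Reader" in groups else set()
    if record["status"] == "Closed":
        rights -= {"C", "U", "D"}
    return rights
```

Running `validate_mappings()` before each IGL role change is the check the "Application Owners will get access rights to add or remove entitlements" rule calls for, since an owner could otherwise combine conflicting groups in one technical role.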
IGL: ENTITLEMENT TO TECHNICAL ROLE
[Screenshot: assigning an entitlement to a technical role in IGL]

MAPPING TO ARCHER GROUP
[Screenshot: the mapping shows the Archer Group name and the Archer Group ID]

PREREQUISITES AND LIMITATIONS
• Minimum software versions:
− Archer 5.5sp3
− IGL 7.0.1, see RSA_Via_L-G_RSA_Archer_GRC_AppGuide.pdf
• In IGL: no out-of-the-box functionality to set a randomized password, which may be a security problem if no action is taken

SUMMARY

SUMMARY
• Connector works with some limitations on the IGL side
• Seamless integration is possible
• Benefit from the strengths of two RSA products
• No need for Active Directory as group management

CREDITS
• Michael Schrank, Daimler AG
• Michael Zenleser, Daimler AG
• Jasmin Naber, Daimler AG
• Dr. Markus Böhm, PricewaterhouseCoopers
• Daniel Speth, PricewaterhouseCoopers
• Patrick Schleiter, PricewaterhouseCoopers
• Dennis Heickhaus, PricewaterhouseCoopers
• James Griffith, RSA
• To my beloved wife and children

"If I have seen further it is by standing on the shoulders of giants." Isaac Newton, 1675

QUESTIONS / DISCUSSION

THANK YOU / CONTACT
Dieter Hüll
IT Cross Functions & Services
Global Cyber Security
Daimler AG
Stuttgart, Germany
dieter.huell@daimler.com