Page 1

A Governance-based Approach to Identity Management

Darran Rolls – CTO – SailPoint Technologies

2010 - Zurich

Page 2

About SailPoint

Our Focus: Identity and Access Governance

Our Marquee Customers
• 5 of top 10 global banks
• 3 of top 4 U.S. managed healthcare companies
• 3 of top 4 global P&C casualty insurers
• Top telecom, manufacturing, energy companies

Our Heritage
• 10 years of Identity Management leadership and experience (Waveset/Sun/SailPoint)
• Founded 2005; headquartered in Austin, TX

BMC Strategic Partnership
• Validated MarketZone partner
• Strategic component of ITGRC Initiative

Cool Vendor in Identity and Access Management

Page 3

Setting the Stage for Identity Management
Why Do We Care About Identity Controls?

Let's start with poor old TJ Maxx again…
• 2007 breach and loss of over 40-100M cards & related data
• Big embarrassment & even bigger cost ($200M ?)
• Settled with 41 states for <$10M (+ probation)
• Settled with Mastercard for $24M
• Settled with coalition of banks for $40M
• 15% Customer Appreciation Discount Day in all stores

Breach was discovered in December 2006 but likely started with basic textbook wardriving at the perimeter as early as 2004
• Extensive systems compromise over an 18+ month period
• Prolonged internal privileged account access!!

Speculation: the TJX breach could have been prevented, slowed, or at least detected earlier with basic Identity Management controls

Page 4

Identity Management Reality
State of IAM Within Most Organizations…

• Hundreds of user add, change, deletes every day…
• Inconsistent, ad-hoc and manual processes – platform dependent…
• Disparate provisioning tools and workflows…
• Many human touch points: business managers, help desk, IT, etc…

• No consistent policy enforcement
• No common controls or audit trail
• Very difficult to ensure compliance and assess risk

(Diagram: access-request channels – Portal, Email, Help Desk, Provisioning, Paper form, IT Admin)

Page 5

The Growing Identity Management Divide
The Business & IT Disconnect

(Diagram: the Business side – risk mgmt, business policy – versus the IT side)

• Inability to translate corporate governance into actionable IT policy
• Auditing, controls still highly manual: email or spreadsheet-based; human error, inconsistencies; data is hard to obtain, missing
• No ability to manage identity through a business lens
• Lack of transparency: IT / Identity data not understood by the business

Are we protecting our assets?? Do we conform to policy?? Are we at risk??

Page 6

But This Isn’t My Company/Organization?

SailPoint independent survey of Fortune 1000 companies, 2008/2009

Respondents: Security/IT/Audit professionals

Focus: What are the top-of-mind identity and access management issues?

Page 7

Survey Results

In the last 5 years, has your company failed an IT or security audit because of a lack of control around user access?

Yes: 46%   No: 54%

46% of companies surveyed have failed an IT or security audit because of a lack of control around user access.

Page 8

Survey Results

If your company’s CIO asked you to present a complete record of user access privileges for each employee that same day, could you?

Yes: 34%   No: 66%

66% of companies lack on-demand visibility to “who has access to what?”

Page 9

Survey Results

If your organization downsized significantly next month, could you immediately remove all access privileges for terminated employees?

Yes   No
56%   44%

56% of companies struggle to promptly deprovision terminated workers.

Page 10

Identity – Common Source of Internal Abuse
A Top Focus for IT Audits

• Identity & Access Management: #1 area requiring remedial action
• Gartner survey: 44% of IT audit deficiencies are IAM-related
• Ernst & Young: 7 of Top 10 control deficiencies relate to user access control

(Diagram: Protected Assets surrounded by the four account-risk categories below)

Entitlement Creep
• Accumulated privileges
• Potential toxic combinations
• Increased risk of fraud

Privileged Users
• Users with “keys to kingdom”
• Poor visibility due to shared accounts

Rogue Accounts
• Fake accounts created by criminals
• Undetected access and activity
• Data theft, fraud, and abuse

Orphan Accounts
• Poor de-provisioning
• High risk of sabotage, theft, fraud

Page 11

What’s Not Working?

• Data is everywhere, but getting access to the right information at the right time is very difficult
  – Multiple, fragmented identity stores, AuthN/AuthZ

• Huge gaps between business and IT groups
  – Inconsistent, ad-hoc processes for access change
  – Difficulty translating policy to IT implementation
  – IT data not understood by the business

• Heavy reliance on manual compliance processes
  – Email or spreadsheet-based
  – Human error, inconsistencies
  – Data is hard to obtain, missing

Page 12

An Identity Governance Approach

Move from fragmented approaches to centralized visibility and control

Automate identity controls and business processes

A business-friendly layer linking business users and processes to underlying technology and technical users

Actively measures and monitors risk associated with users and resources

An integrated approach that embeds risk management and compliance into core identity infrastructure and business processes

Page 13

Manage Lifecycle
Make Identity Management a Business Process

(Diagram: Business, IT Sec, Help Desk and Users working through a shared Risk Model, Provisioning & Directory)

• Visibility
• Business oversight & transparency
• Auditing & tracking
• Control of entire IAM process

Page 14

What is an IAG Model?

• People Grouping • Entitlement Bundling • Assignment Controls

• Defined Process • Compliance Proof • Sustainable Controls

• Clear Ownership • Defined Approvals • Tracked Actions

• SoD Rules • Value Change Controls • Checks & Balances

• Rate & Rank Risk • Assessment of Process • Trending & Analysis

Page 15

Governance Model Driven Processes

(Diagram: two linked cycles, an Operational Provisioning Process and an Identity Compliance Process, sharing one governance foundation)

Process steps shown: Request Access, Define Controls, Approve, Collect Data, Implement Controls, Review/Certify, Analyze/Audit, Grant/Remove, Remediate

Executed through: Provisioning Engine, Help Desk, IT Admin

Shared foundation: Centralized ID Data, Governance Metadata, Policy & Roles, Closed Loop Audit

Page 16

The Three Steps To Identity Governance

(Diagram: three paired stages)

Detective / Preventative

Reactive / Scheduled

Remediation / Mitigation
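The risk categories on slide 10 (orphan accounts, toxic entitlement combinations), the SoD rules and risk ranking on slide 14, and the detective-versus-preventative split on this slide can be made concrete in a few dozen lines. The following is an added example written for this transcript; it is not SailPoint's code, not IdentityIQ's policy engine, and not taken from the presentation. Every identity, system, entitlement name, SoD rule and risk weight in it is constructed for illustration. It runs a scheduled detective scan over an account snapshot and a request-time preventative check, which is the distinction the slide draws.

```python
"""Toy identity-governance checks over constructed identity and account data.

Added example, not SailPoint's or the presentation's code. Demonstrates a
detective scan (orphan accounts, accounts owned by terminated people, SoD
toxic combinations, ranked by risk) and a preventative check applied to an
access request before it is granted. All data, rule names and weights are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed authoritative source (think of an HR feed): identity -> status.
HR_IDENTITIES: Dict[str, str] = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",  # has left; any account she still owns is a de-provisioning gap
}


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: Optional[str]          # None = could not be correlated to any identity (orphan)
    entitlements: FrozenSet[str]


# Constructed account snapshot aggregated from two target systems.
ACCOUNTS: List[Account] = [
    Account("erp", "alice", "alice", frozenset({"ap_create_vendor", "ap_approve_payment"})),
    Account("erp", "bob", "bob", frozenset({"ap_create_vendor"})),
    Account("erp", "carol", "carol", frozenset({"gl_post"})),
    Account("ad", "svc_backup2", None, frozenset({"domain_admin"})),
]

# Constructed SoD rules: entitlement pairs one person must never hold together.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "AP-01 create vendor + approve payment": ("ap_create_vendor", "ap_approve_payment"),
}

# Constructed weights, used only to rank findings for remediation.
RISK_WEIGHTS = {"terminated_owner": 9, "orphan": 8, "sod": 7}


@dataclass(frozen=True)
class Finding:
    kind: str      # "orphan", "terminated_owner" or "sod"
    subject: str   # "system/account" for account findings, identity name for SoD findings
    detail: str
    risk: int


def entitlements_by_identity(accounts: List[Account]) -> Dict[str, Set[str]]:
    """Union each identity's entitlements across all correlated accounts.

    SoD is evaluated per person, not per account: a toxic pair split across
    two systems is still a toxic pair.
    """
    held: Dict[str, Set[str]] = {}
    for acct in accounts:
        if acct.owner is not None:
            held.setdefault(acct.owner, set()).update(acct.entitlements)
    return held


def sod_violations(entitlements: Set[str], rules: Dict[str, Tuple[str, str]]) -> List[str]:
    """Names of rules whose two entitlements both appear in `entitlements`."""
    return [name for name, (a, b) in rules.items() if a in entitlements and b in entitlements]


def detective_scan(accounts: List[Account], identities: Dict[str, str],
                   rules: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Scheduled, after-the-fact review of the whole snapshot, highest risk first."""
    findings: List[Finding] = []
    for acct in accounts:
        subject = f"{acct.system}/{acct.name}"
        if acct.owner is None:
            findings.append(Finding("orphan", subject, "no correlated identity",
                                    RISK_WEIGHTS["orphan"]))
        elif identities.get(acct.owner) != "active":
            status = identities.get(acct.owner, "unknown")
            findings.append(Finding("terminated_owner", subject,
                                    f"owner {acct.owner} is {status}",
                                    RISK_WEIGHTS["terminated_owner"]))
    for identity, held in entitlements_by_identity(accounts).items():
        for rule in sod_violations(held, rules):
            findings.append(Finding("sod", identity, rule, RISK_WEIGHTS["sod"]))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def preventative_check(identity: str, requested: str, accounts: List[Account],
                       rules: Dict[str, Tuple[str, str]]) -> List[str]:
    """Rules that granting `requested` to `identity` would newly violate.

    Runs at request time, before provisioning; an empty list lets the request
    proceed to approval. Pre-existing violations are the detective scan's job.
    """
    held = entitlements_by_identity(accounts).get(identity, set())
    before = set(sod_violations(held, rules))
    after = sod_violations(held | {requested}, rules)
    return [rule for rule in after if rule not in before]


if __name__ == "__main__":
    for f in detective_scan(ACCOUNTS, HR_IDENTITIES, SOD_RULES):
        print(f"[risk {f.risk}] {f.kind:<16} {f.subject:<16} {f.detail}")
    print("bob -> ap_approve_payment blocked by:",
          preventative_check("bob", "ap_approve_payment", ACCOUNTS, SOD_RULES))
```

The two entry points correspond to the two columns on this slide: `detective_scan` is the scheduled, reactive control that produces a ranked remediation list, while `preventative_check` mitigates at request time so the toxic combination is never provisioned. Evaluating SoD per identity rather than per account matters because the entitlement-creep problem on slide 10 accumulates across systems.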

Page 17

An Integrated Solution

IdentityIQ
• Compliance Manager: Certification | Policy Evaluation
• Lifecycle Manager: Access Request | Business Event Triggers
• Governance Platform: Role Management | Policy Engine | Risk Model | Provisioning Broker
• Integration Module | Provisioning Engine | Integration Module

External systems: 3rd Party Provisioning Engine, 3rd Party Service Desk