A Governance-based Approach to Identity Management
Darran Rolls – CTO – SailPoint Technologies
2010 - Zurich

About SailPoint

Our Focus: Identity and Access Governance

Our Marquee Customers: 5 of the top 10 global banks; 3 of the top 4 U.S. managed healthcare companies; 3 of the top 4 global P&C insurers; top telecom, manufacturing and energy companies

Our Heritage: 10 years of Identity Management leadership and experience (Waveset/Sun/SailPoint); founded 2005; headquartered in Austin, TX

BMC Strategic Partnership: validated MarketZone partner; strategic component of the ITGRC initiative

Cool Vendor in Identity and Access Management

Setting the Stage for Identity Management: Why Do We Care About Identity Controls?

Let's start with poor old TJ Maxx again... the 2007 breach and loss of over 40-100M cards and related data. Big embarrassment and an even bigger cost ($200M?)
• Settled with 41 states for <$10M (+ probation)
• Settled with MasterCard for $24M
• Settled with a coalition of banks for $40M
• 15% Customer Appreciation Discount Day in all stores

The breach was discovered in December 2006 but likely started with basic textbook wardriving at the perimeter as early as 2004
• Extensive systems compromise over an 18+ month period
• Prolonged internal privileged account access!!

Speculation: the TJX breach would have been prevented, slowed, or at least detected earlier via basic Identity Management controls

Identity Management Reality: State of IAM Within Most Organizations

Hundreds of user adds, changes and deletes every day
Inconsistent, ad hoc and manual processes, platform dependent
Disparate provisioning tools and workflows
Many human touch points: business managers, help desk, IT, etc.

Result: no consistent policy enforcement, no common controls or audit trail, and it is very difficult to ensure compliance and assess risk

(Diagram: access changes arrive through a portal, the help desk, a provisioning tool, paper forms and IT admins.)

The Growing Identity Management Divide: The Business & IT Disconnect

Business side (risk management, business policy):
• Inability to translate corporate governance into actionable IT policy
• Auditing and controls still highly manual: email or spreadsheet based, human error, inconsistencies, data hard to obtain or missing
• No ability to manage identity through a business lens

IT side:
• Lack of transparency: IT / identity data not understood by the business

Questions left open on both sides: Are we protecting our assets? Do we conform to policy? Are we at risk?

But This Isn't My Company/Organization?

SailPoint independent survey of Fortune 1000 companies, 2008/2009
Respondents: security, IT and audit professionals
Focus: what are the top-of-mind identity and access management issues?

Survey Results

Q: In the last 5 years, has your company failed an IT or security audit because of a lack of control around user access?
Yes: 46%   No: 54%

46% of companies surveyed have failed an IT or security audit because of a lack of control around user access.

Survey Results

Q: If your company's CIO asked you to present a complete record of user access privileges for each employee that same day, could you?
Yes: 34%   No: 66%

66% of companies lack on-demand visibility to "who has access to what?"

Survey Results

Q: If your organization downsized significantly next month, could you immediately remove all access privileges for terminated employees?
Split shown on the slide: 56% / 44%

56% of companies struggle to promptly deprovision terminated workers.

Identity: a Common Source of Internal Abuse and a Top Focus for IT Audits

Identity & Access Management: #1 area requiring remedial action
• Gartner survey: 44% of IT audit deficiencies are IAM-related
• Ernst & Young: 7 of the top 10 control deficiencies relate to user access control

Four ways identities become a threat to protected assets:

Entitlement Creep
• Accumulated privileges
• Potential toxic combinations
• Increased risk of fraud

Privileged Users
• Users with "keys to the kingdom"
• Poor visibility due to shared accounts

Rogue Accounts
• Fake accounts created by criminals
• Undetected access and activity
• Data theft, fraud, and abuse

Orphan Accounts
• Poor de-provisioning
• High risk of sabotage, theft, fraud

What's Not Working?

Data is everywhere, but getting access to the right information at the right time is very difficult
• Multiple, fragmented identity stores, AuthN/AuthZ

Huge gaps between business and IT groups
• Inconsistent, ad hoc processes for access change
• Difficulty translating policy to IT implementation
• IT data not understood by the business

Heavy reliance on manual compliance processes
• Email or spreadsheet based
• Human error, inconsistencies
• Data is hard to obtain, missing

An Identity Governance Approach

Move from fragmented approaches to centralized visibility and control
Automate identity controls and business processes
Provide a business-friendly layer linking business users and processes to the underlying technology and technical users
Actively measure and monitor the risk associated with users and resources
Take an integrated approach that embeds risk management and compliance into core identity infrastructure and business processes

Manage Lifecycle: Make Identity Management a Business Process

(Diagram: business, IT security, help desk and users interact through one governance layer, backed by a risk model and the provisioning and directory services underneath.)
• Visibility
• Business oversight and transparency
• Auditing and tracking
• Control of the entire IAM process

What is an IAG Model?

• People grouping; entitlement bundling; assignment controls
• Defined process; compliance proof; sustainable controls
• Clear ownership; defined approvals; tracked actions
• SoD rules; value change controls; checks & balances
• Rate & rank risk; assessment of process; trending & analysis
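The four abuse patterns on slide 10 (entitlement creep, privileged users, rogue accounts, orphan accounts) and the SoD rules and entitlement bundling of slide 14 are what a detective control run actually evaluates. The Python below is an added example, not SailPoint or IdentityIQ code, and every identity, system, role, entitlement name and SoD rule in it is constructed for illustration. It reconciles an HR feed against an account snapshot from two target systems, reports orphan accounts, SoD conflicts, entitlement creep against a role model and privileged holdings, and emits one remediation line per finding.

```python
"""Detective identity controls over a constructed snapshot of HR and account data.

Added example, not SailPoint or IdentityIQ code. All identities, systems, roles,
entitlement names and SoD rules below are constructed for illustration.
"""
from collections import defaultdict

# Constructed HR feed: identity id -> record (the authoritative "who should exist")
HR = {
    "u100": {"name": "A. Lee", "status": "active", "role": "AP Clerk"},
    "u101": {"name": "B. Kim", "status": "active", "role": "AP Clerk"},
    "u102": {"name": "C. Ng", "status": "terminated", "role": "DBA"},
}

# Constructed account snapshot collected from two target systems:
# (system, account name, linked HR identity or None, entitlements held)
ACCOUNTS = [
    ("erp", "alee", "u100", {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    ("erp", "bkim", "u101", {"AP_CREATE_VENDOR"}),
    ("erp", "cng", "u102", {"DB_ADMIN"}),
    ("ad", "svc_backup", None, {"Domain Admins"}),
    ("ad", "alee", "u100", {"Domain Users", "Domain Admins"}),
]

# Role model ("entitlement bundling"): role -> system -> entitlements the role carries
ROLE_MODEL = {
    "AP Clerk": {"erp": {"AP_CREATE_VENDOR"}, "ad": {"Domain Users"}},
    "DBA": {"erp": {"DB_ADMIN"}, "ad": {"Domain Users"}},
}

# SoD rules: two (system, entitlement) pairs one identity must never hold together
SOD_RULES = [(("erp", "AP_CREATE_VENDOR"), ("erp", "AP_APPROVE_PAYMENT"))]

# "Keys to the kingdom" entitlements that need extra scrutiny
PRIVILEGED = {("ad", "Domain Admins"), ("erp", "DB_ADMIN")}


def entitlements_by_identity(accounts):
    """Aggregate (system, entitlement) pairs per linked identity across every system,
    so a toxic combination split across two accounts is still seen as one person's."""
    held = defaultdict(set)
    for system, _account, owner, ents in accounts:
        if owner is not None:
            held[owner].update((system, e) for e in ents)
    return held


def find_orphan_accounts(hr, accounts):
    """Orphans: no HR link, an identity unknown to HR, or an identity HR says is gone."""
    findings = []
    for system, account, owner, _ents in accounts:
        if owner is None:
            findings.append((system, account, "no linked HR identity"))
        elif owner not in hr:
            findings.append((system, account, f"linked identity {owner} unknown to HR"))
        elif hr[owner]["status"] != "active":
            findings.append((system, account, f"owner {owner} is {hr[owner]['status']}"))
    return findings


def find_sod_violations(accounts, rules):
    """Toxic combinations, evaluated per identity rather than per account."""
    held = entitlements_by_identity(accounts)
    return [(identity, a, b) for identity, ents in held.items()
            for a, b in rules if a in ents and b in ents]


def find_entitlement_creep(hr, accounts, role_model):
    """Entitlements an identity holds beyond what its HR role bundles."""
    held = entitlements_by_identity(accounts)
    creep = {}
    for identity, ents in held.items():
        role = hr.get(identity, {}).get("role")
        allowed = {(s, e) for s, es in role_model.get(role, {}).items() for e in es}
        extra = ents - allowed
        if extra:
            creep[identity] = extra
    return creep


def find_privileged_accounts(accounts, privileged):
    """Every account holding a privileged entitlement, with its owner (None if unowned)."""
    return [(system, account, owner, e)
            for system, account, owner, ents in accounts
            for e in sorted(ents) if (system, e) in privileged]


def remediation_plan(hr, accounts, role_model, rules):
    """Closed-loop output: one actionable line per finding for the Grant/Remove step."""
    plan = []
    for system, account, reason in find_orphan_accounts(hr, accounts):
        plan.append(f"DISABLE {system}:{account} ({reason})")
    for identity, (s1, e1), (s2, e2) in find_sod_violations(accounts, rules):
        plan.append(f"REVIEW {identity}: SoD conflict {s1}:{e1} with {s2}:{e2}")
    for identity, extra in find_entitlement_creep(hr, accounts, role_model).items():
        role = hr.get(identity, {}).get("role", "unknown")
        for system, e in sorted(extra):
            plan.append(f"REMOVE {system}:{e} from {identity} (not bundled by role {role})")
    return plan


if __name__ == "__main__":
    for line in remediation_plan(HR, ACCOUNTS, ROLE_MODEL, SOD_RULES):
        print(line)
    for system, account, owner, e in find_privileged_accounts(ACCOUNTS, PRIVILEGED):
        print(f"PRIVILEGED {system}:{account} holds {e} (owner {owner})")
```

Two design points matter more than the data. SoD is evaluated per identity, not per account: the constructed ERP user holds both sides of the vendor-create / payment-approve rule on one account here, but the same aggregation would catch the pair if it were split across systems. And the terminated-owner case is the survey question from slide 9 turned into a check that runs on every collection, rather than something answered from memory when the CIO asks.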

Governance Model Driven Processes

Operational Provisioning Process: Request Access → Approve → Grant/Remove
Identity Compliance Process: Define Controls → Collect Data → Implement Controls → Review/Certify → Analyze/Audit → Remediate

Both processes are driven from a shared governance model: centralized identity data, governance metadata, policy and roles, and a closed-loop audit. Fulfilment runs through a provisioning engine, the help desk, or IT admins.

The Three Steps To Identity Governance

Detective → Preventative
Reactive → Scheduled
Remediation → Mitigation

An Integrated Solution

IdentityIQ
• Compliance Manager: Certification | Policy Evaluation
• Lifecycle Manager: Access Request | Business Event Triggers
• Governance Platform: Role Management | Policy Engine | Risk Model | Provisioning Broker
• Integration Modules connecting to the Provisioning Engine, a 3rd Party Provisioning Engine, or a 3rd Party Service Desk