Identity, Governance and Administration as forefront of IT Security model: European and North American Experience Vladislav Shapiro Director of Identity Practice – IGA Dell/Immersion Consulting


Established in 1995, Orient Logic is a leading IT company and system integrator in Georgia.


Discussion points

• Current state of affairs in IT Security

• Basics of Identity Governance Administration

• Connecting the dots: agile I-G-A

• Use cases – Government of Austria, Bayern Department of Justice and State of Alabama


Current State of Affairs in IT Security


IT Security realities of today

• Change of focus: from protecting the perimeter (external only) to the governance of the whole infrastructure (internal and external)

• Change of mentality: from “castle under siege” to “enemy is already here”

• Main external goal: advanced threat protection

• Main internal goal: IGA – Identity Governance and Administration

• Shift from purely technical solutions to solutions focused on business and the human factor


WHO ARE THE “BAD GUYS”?


ATTACKS ALWAYS RELY ON INTERNAL PROCESS FLAWS

• No established business process for granting rights to individuals

• Lack of governance, access controls and monitoring

• No actionable reporting

IGA SHOULD BE READY FOR ADVANCED THREATS


Best response practice: ATR + IGA

[Diagram: an incident (point-in-time or ongoing) enters the ATR response cycle with the stages Pre-Incident Preparation, Detect, Triage, Collect Data (Volatile Data, Forensic Dup., Network Traffic), Perform Analysis, Take Action: Admin and Legal Reporting, Remediation: Technical Recovery from the Incident, and Status Reporting. The stages exchange data feeds with the Identity Governance and Administration central authority, which acts on Targets/Applications/Devices through account checks, access freeze and risk-based provisioning, followed by notifications, access restore and provisioning, and Identity Data Sync.]


Basics of Identity Governance and Administration (IGA)


Three dimensions of IGA

• I - Identity Management

• G - Governance, Risk and Compliance (GRC)

• A – Administration – Access Management and Provisioning

Main challenge: connect all three components so that they work as one


Three forces of IGA in your enterprise

• Identity owners (HR, Identity suppliers) - I
– Responsibilities: manage identities, organization charts
– Goal: make sure that identity and organization information is up to date

• Business owners (C-level managers, PM, compliance officers) - G
– Responsibilities: manage all business-related matters, including governance, risk and compliance
– Goal: make business successful and customers happy

• Technology owners (System admins, DB admins, etc.) - A
– Responsibilities: support business with technology
– Goal: All systems should be up and running 24-7 with no downtime


Identity Posture - how to evaluate

• Identity Posture is about how connected and in sync the three forces are
– Collaboration of the three forces
– Maturity of each force

• Identity Posture is about measuring the maturity of the
– Identity model
– Governance model
– Administration model

• Identity Posture is about how the enterprise can handle CHANGES
– Identity updates
– Governance process restructuring
– Administration redesign


Connecting the dots – agile IGA


Connected I-G-A goal – be agile

• All elements are connected into one solution where each responsible person is a contributor to the system

• Each contributor has the means to configure his/her own IGA elements within his/her area of knowledge

• An IGA project should have short phases with clear, achievable milestones

[Diagram: Identity, Governance and Administration shown as connected I-G-A elements]


Identity goal – enterprise visibility

Managers should easily see all the entitlements of an employee in one clear view

• Actionable

• All logical, physical systems, resources and assets.


Identity goal – separate business and technical views

• Business view

• Technical view


Governance goal – give dashboard views for current status visibility

Managers should easily find the overall and specific status of requests and processes in the system


Governance goal - Access granting history audit

People responsible for auditing should be able to see the history of access and entitlements assigned to individuals


Governance goal – Approval Workflow builder

Approval workflows should be built by the same people who are responsible for the granting process using regular tools, not scripts


Use Cases


Government of Austria

• Central portal for Austrian citizens' requests

• Central business workflow engine for handling requests

• Monitoring automation and actionable reports


Bayern Department of Justice

• Internal personnel IGA: access control, governance and attestation

• Centralized Policy engine

• Advanced threat protection: external and internal

• Constant activity monitoring and actionable reports


State of Alabama

• State of Alabama was breached in 2012

– Millions of data records were stolen
– State Web site was disabled
– IT operations were paralyzed

• IT Security and IGA solution
– Advanced threat detection software
– IGA full suite solution
– Privileged access manager

• Security and IGA education of the personnel