Path to effective & achievable Identity Governance
Matthew Ulery
VP of Product Management
Identities have evolved, beyond heartbeats…
Internal Employees
External Partners/Contractors
Applications/Services
Devices: Servers, Mobile & BYOD
Things (IoT)
Customers
Growing complexity and velocity
[Diagram: IDENTITY at the center of each group]
Employees: Users, Devices, Things, Services, Relationships, Roles…
Customers: Users, Devices, Things, Services, Relationship, Experience
Partners: Tech Support, Financial, Delivery, Development, Services…. etc.
Mobile
An Identity-Centric Approach
[Diagram: Identity Powered Security]
Internal: Employees, Data, Services, Applications
Employees
Customers: B2C
Partners: B2B
Evolution of Information Security
Transforming Approach
[Diagram labels: Organizational Scale, Organizational Complexity]
IAM 1.0: Productivity, Operational Efficiency
IAM 2.0: Risk & Compliance
IAM 3.0: Identity-centric Security
To Drive Perimeter Controls; To Drive Identity Insight; To Leverage Intelligence
Losing track of the goal… what is yours?
Avoid compliance audit findings?
Business enablement?
Risk reduction?
Breach avoidance?
Enable business while managing risk, with compliance as a by-product
Where this began…
Automated Provisioning
“… let’s automate all our manual processes and SoD policies…”
“… cost per application is high, is there a simpler approach…”
Automated Provisioning Challenges
Automated existing manual processes – were they the right processes?
Balance of focus on business enablement over risk management
High cost of maintenance due to over-customization
Too often started with technology without business & risk assessment
Where we are…
Automated Provisioning
Access Governance
“… why automate provisioning, why not address with requests and certification…”
“… but certification is not addressing risk & I still have my manual processes…”
Identity Governance is about involving the business in your access and entitlement decisions – an expansion of, not a replacement for, Identity Management
Access Governance Centric Challenges
Ineffective, “rubber-stamp” certifications
Greater workload for business manager
Cost of manual processes remains
Risk blind-spots between certification cycles
Simpler, but less capable is not effective
“I need insight into who really needs their access, and who has it but isn’t even using it.”
Decision Support
“I need assistance when making decisions. Is this a regular request? Do other people in this role have similar access?”
Risk blind-spots from point in time certification
[Timeline, JAN through APR of the following year: Access certification completed! / Bob’s access added / BLIND UNTIL NEXT REVIEW / Bob’s access removed]
“How can we close these blind-spots while still lowering costs?”
When needs evolve, you must adapt…
Beyond point in time governance
Automated Provisioning
Access Governance
Adaptive Access Governance
Achieving Adaptive Governance
1. Change Driven: Reduce the cost and annoyance of certifications, with micro-certifications based on changes as they occur
2. Outlier Focused: Lower certification workload by focusing on high risk and special cases – feed back lessons learned
3. Pragmatic Automation: Right level of automation or orchestration based on risk and business need
Adaptive Governance
[Timeline, JAN 2017 through APR 2018]
Automatically approved based on role definition
Hired with initial entitlements
Entitlement request
End of year certification supported by micro-certifications throughout the year
Changed Dept
New Roles assigned – mgr approval
Transition window begins with SoD checks
Transition window ends triggering micro-certification
Employee attempts to access previous entitlements: micro-certification?
Employee granted entitlement outside process: micro-certification!
2. Focus on outliers, exceptions
Entitlements granted outside approved roles
High cost and/or high risk entitlements
Automate decisions based on previous activity and policy
Detect and respond to anomalous activity
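An added example (not from the original slides) of change-driven micro-certification with an outlier focus: each access change is evaluated when it happens, and only grants outside approved roles, high-risk entitlements and access kept past a transition window reach a reviewer. The role names, entitlements, 30-day window and event format are assumptions made for illustration.

```python
from datetime import date, timedelta

# All roles, entitlements and events here are constructed for illustration.
ROLE_ENTITLEMENTS = {"sales": {"crm.read", "crm.write"},
                     "finance": {"ledger.read", "ledger.post"}}
HIGH_RISK = {"ledger.post"}             # always goes to a human reviewer
TRANSITION_WINDOW = timedelta(days=30)  # grace period after a role change

def allowed(roles):
    """Entitlements implied by the currently approved roles."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))

def run(events):
    """Replay change events for one identity; return micro-certifications."""
    roles, held, window_ends, tasks = set(), set(), None, []
    for kind, day, value in events:
        if kind == "grant":
            held.add(value)
            if value not in allowed(roles):
                tasks.append((value, "granted outside approved roles"))
            elif value in HIGH_RISK:
                tasks.append((value, "high-risk entitlement"))
            # anything else is automatically approved based on role definition
        elif kind == "role_change":
            roles, window_ends = set(value), day + TRANSITION_WINDOW
        elif kind == "tick" and window_ends and day >= window_ends:
            window_ends = None          # window closed: review what is left over
            for ent in sorted(held - allowed(roles)):
                tasks.append((ent, "kept past transition window"))
    return tasks

EVENTS = [
    ("role_change", date(2017, 1, 9), ["sales"]),    # hired
    ("grant", date(2017, 1, 9), "crm.read"),         # within role: auto-approved
    ("role_change", date(2017, 6, 1), ["finance"]),  # changed department
    ("grant", date(2017, 6, 5), "ledger.post"),      # in role, but high risk
    ("tick", date(2017, 7, 1), None),                # transition window ends
    ("grant", date(2017, 9, 1), "hr.payroll"),       # granted outside process
]

if __name__ == "__main__":
    for task in run(EVENTS):
        print(task)
```

Of the four grants in the sample, only two need a reviewer at grant time; the third review is raised when the transition window closes with the old department's access still held.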
3. Automation vs Orchestration: The right balance
Adaptive Governance: A Living Practice
[Diagram labels: Response, Control, Policy, Monitor]
Take Aways
Holistic view of identity – beyond the carbon-based life form.
Go beyond point in time to real-time.
Demonstrate value to the business with intelligence-driven decision support.
Flexibility to adapt to how your organization works.
Actively enhance risk management while improving efficiency.
Define success as more than just an audit pass – that is the by-product.
Micro Focus Confidential