Path to effective & achievable Identity Governance

Matthew Ulery, VP of Product Management


Page 1: Path to effective & achievable Identity Governance...Identity Governance is about involving the business in your access and entitlement decisions –an expansion, not a replacement

Path to effective & achievable Identity Governance

Matthew Ulery

VP of Product Management

Page 2:

Identities have evolved, beyond heartbeats…

Internal Employees

External Partners/Contractors

Applications/Services

Devices: Servers, Mobile & BYOD

Things (IoT)

Customers

Page 3:

Growing complexity and velocity

[Figure: the label IDENTITY repeated around the following groups]

Mobile

Employees: Users, Devices, Things, Services, Relationships, Roles…

Customers: Users, Devices, Things, Services, Relationship, Experience

Partners: Tech Support, Financial, Delivery, Development, Services…. etc.

Internal: Employees, Data, Services, Applications

Page 4:

An Identity-Centric Approach

Identity Powered Security

Employees

Customers B2C

Partners B2B

IDENTITY

Page 5:

Evolution of Information Security

Organizational Scale

Organizational Complexity

Productivity, Operational Efficiency

IAM 1.0

Risk & Compliance

IAM 2.0

To Drive Perimeter Controls

To Drive Identity Insight

To Leverage Intelligence

Transforming Approach

Identity-centric Security

IAM 3.0

Page 6:

Losing track of the goal… what is yours?

Avoid compliance audit finding?

Business enablement?

Risk reduction?

Breach avoidance?

Enable business while managing risk, with compliance as a by-product

Page 7:

Where this began…

Automated Provisioning

“ … let’s automate all our manual processes and SoD policies…”

“ …cost per application is high, is there a simpler approach…”

Page 8:

Automated Provisioning Challenges

Automated existing manual process – were they the right processes?

Balance of focus on business enablement over risk management

High cost of maintenance due to over-customization

Too often started with technology without business & risk assessment

Page 9:

Where we are…

Automated Provisioning

Access Governance

“ … why automate provisioning, why not address with requests and certification…”

“ …but certification is not addressing risk & I still have my manual processes…”

Page 10:

Identity Governance is about involving the business in your access and entitlement decisions – an expansion, not a replacement for Identity Management

Page 11:

Access Governance Centric Challenges

Ineffective, “rubber-stamp” certifications

Greater workload for business manager

Cost of manual processes remains

Risk blind-spots between certification cycles

Simpler, but less capable is not effective

Page 12:

“I need insight into who really needs their access, and who has it but isn’t even using it.”

Page 13:

Decision Support

“I need assistance when making decisions. Is this a regular request? Do other people in this role have similar access?”

Page 14:

Risk blind-spots from point in time certification

[Timeline figure: JAN through DEC, then JAN through APR. The following sequence repeats three times along the timeline:]

Access certification completed!

Bob’s access added

BLIND UNTIL NEXT REVIEW

Bob’s access removed

Page 15:

“How can we close these blind-spots while still lowering costs?”

Page 16:

When needs evolve, you must adapt…

Page 17:

Beyond point in time governance

Automated Provisioning

Access Governance

Adaptive Access Governance

Page 18:

Achieving Adaptive Governance

1. Change Driven: Reduce the cost and annoyance of certifications, with micro-certifications based on changes as they occur

2. Outlier Focused: Lower certification workload by focusing on high risk and special cases – feedback lessons learned

3. Pragmatic Automation: Right level of automation or orchestration based on risk and business need

Page 19:

Adaptive Governance

[Timeline figure: JAN through DEC, then JAN through APR; year labels 2017 and 2018]

Automatically approved based on role definition

Hired with initial entitlements

Entitlement request

End of year certification supported by micro-certifications throughout the year

Changed Dept

New Roles assigned – mgr approval

Transition window begins with SoD checks

Transition window ends triggering micro-certification

Employee attempts to access previous entitlements: micro-certification?

Employee granted entitlement outside process: micro-certification!

Page 20:

2. Focus on outliers, exceptions

Entitlements granted outside approved roles

High cost and/or high risk entitlements

Automate decisions based on previous activity and policy

Detect and respond to anomalous activity
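
The change-driven and outlier-focused triggers on pages 18 to 20, sketched as an added example (not from the slides or any vendor product). The role model, entitlement names, event kinds and the sample timeline are all constructed assumptions, and the slide's open question about attempts to use previous entitlements is treated here as a trigger.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role model (hypothetical names): entitlements each role grants.
ROLE_ENTITLEMENTS = {"sales": {"crm_read", "crm_write"},
                     "finance": {"ledger_read", "ledger_post"}}
HIGH_RISK = {"ledger_post"}  # assumed "high cost and/or high risk" entitlement

@dataclass
class Event:
    day: date
    user: str
    kind: str   # "grant", "role_change", "window_end" or "access_attempt"
    value: str  # entitlement name, or the new role for role_change

def review_events(events, roles):
    """Split events into auto-approved grants and micro-certification triggers.

    roles maps user -> current role and is updated on role_change events.
    """
    auto, micro, previous = [], [], {}
    for ev in sorted(events, key=lambda e: e.day):
        allowed = ROLE_ENTITLEMENTS.get(roles.get(ev.user), set())
        if ev.kind == "role_change":
            previous[ev.user] = allowed  # remember what the old role granted
            roles[ev.user] = ev.value
        elif ev.kind == "window_end":
            # Transition window over: old-role access has to be re-justified.
            micro.append((ev.day, ev.user, "transition window ended"))
        elif ev.kind == "access_attempt" and ev.value in previous.get(ev.user, set()) - allowed:
            micro.append((ev.day, ev.user, f"{ev.value} used from previous role"))
        elif ev.kind == "grant" and ev.value not in allowed:
            micro.append((ev.day, ev.user, f"{ev.value} granted outside role"))
        elif ev.kind == "grant" and ev.value in HIGH_RISK:
            micro.append((ev.day, ev.user, f"{ev.value} is high risk"))
        elif ev.kind == "grant":
            auto.append((ev.day, ev.user, ev.value))  # matches role definition
    return auto, micro

# Constructed sample timeline for one employee who changes department.
EVENTS = [
    Event(date(2017, 2, 1), "bob", "grant", "crm_read"),
    Event(date(2017, 6, 1), "bob", "role_change", "finance"),
    Event(date(2017, 7, 1), "bob", "window_end", ""),
    Event(date(2017, 8, 1), "bob", "access_attempt", "crm_write"),
    Event(date(2017, 9, 1), "bob", "grant", "ledger_read"),
    Event(date(2017, 10, 1), "bob", "grant", "ledger_post"),
    Event(date(2017, 11, 1), "bob", "grant", "crm_write"),
]
```

Calling `review_events(EVENTS, {"bob": "sales"})` leaves two grants auto-approved and raises four micro-certifications, so the reviewer sees only the exceptions rather than every entitlement.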

Page 21:

3. Automation vs Orchestration: The right balance

Automation -VS- Orchestration

Page 22:

Adaptive Governance: A Living Practice

Response

Control

Policy

Monitor

Page 23:

Take Aways

Holistic view of identity – beyond the carbon based life form.

Go beyond point in time to real-time.

Demonstrate value to the business with intelligence driven decision support.

Flexibility to adapt to how your organization works.

Actively enhance risk management while improving efficiency.

Define success as more than just an audit pass - that is the by-product.

Page 24:

Micro Focus Confidential
