Preventing Entitlements Creep with Identity Governance


Transcript of Preventing Entitlements Creep with Identity Governance

© 2015 IBM Corporation

Slide 1: Preventing Entitlements Creep: How Identity Governance Can Help

Nick Oropall and Matt Ward, IBM Security

Slide 2: What is 'entitlements creep'?

• As organizations grow and change, and as users change roles, user access changes.
• Users are constantly accumulating access and entitlements; entitlements are rarely taken away.
• Management does not understand its users' access and does not want to remove entitlements that might be important.

How does it affect your organization?

• It can make your organization less secure.
• Users can accumulate entitlements that together constitute a separation of duties (SoD) violation.
• If not properly managed, this can lead to an accidental or intentional internal security breach.

Slide 3: Identity Intelligence: Collect and Analyze Identity Data

Organizations are seeking a business-driven approach to Identity Governance and Intelligence.

[Figure: Identity and Governance Evolution, three stages]

1. Administration: cost savings; automation; user lifecycle; key on-premise applications and employees
2. Governance: role management; access certification; extended enterprise and business partners; on- and off-premise applications
3. Analytics: application usage; privileged activity; risk-based control; baseline normal behavior; employees, partners, consumers, anywhere

Questions the figure poses:
• How to gain visibility into user access?
• How to prioritize compliance actions?
• How to make better business decisions?

Slide 4: The dependencies of traditional identity governance: business activities vs. entitlements

[Figure: application entitlements for ERP, CRM, Mainframe and HR, with three personas around them]

• IT Security Manager: provides information regarding who has which entitlements. Open question: who SHOULD have which entitlements?
• Auditor: identifies what business activities cause SoD violations (toxic combinations). Open question: which entitlements cause toxic combinations?
• Business Manager: understands what business activities employees need. Open question: which entitlements grant access to which business activities? Requests employee IT entitlements from the IT Security Manager and receives a list of entitlements based on the IT Security Manager's request.

Slide 5: The Pain Chain

[Figure: the question "is John Smith's access appropriate?" passed along a chain of six steps; nobody in the chain can answer it]

1. To IT Security: "Could you prove that John Smith has 'appropriate' permissions for his job?"
2. CFO, CEO, COO: "Are we properly managing user access? Will our security controls pass the next audit?"
3. To Application Managers: "Can you confirm that John Smith has the proper access?"
4. Application Managers: "I can tell you what access John has. I can't tell if it's appropriate."
5. To the Business Manager: "Can you confirm that John Smith has the proper entitlements?"
6. Business Manager: "I could... if I was technical enough to understand all these IT details..."
7. Auditors

Slide 6: Bridging Business, Auditor and IT points of view

Business-centric SoD mapping to simplify access request and certification: map business activities to IT roles and entitlements.

[Figure: business activities on one side, IT roles and entitlements in Mainframe, CRM, ERP and HR on the other]

Business activities:
• View Accounts Payable
• Create Sales Record
• Create Purchase Order
• Update Payroll

Slide 7: Introducing IBM Security Identity Governance and Administration

Delivering actionable identity intelligence:

• Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
• Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
• Enhanced Role Mining and Separation of Duties reviews using a visualization dashboard and business-activity mapping
• In-depth SAP and RACF governance with Segregation of Duties (SoD), access risk and fine-grained entitlements reviews
• Easy-to-deploy virtual appliances for multiple customer adoptions:
  – Standalone Identity Governance
  – Integrate and modernize legacy Identity Management with integrated governance and administration

[Figure: the Identity Governance and Administration Platform delivered as a virtual appliance. Users: IT Security Team, Auditors / Risk Managers, LoB Managers / Employees. Capabilities: Self-Service Portal, Access Fulfillment, Risk / Access Visibility, Access Certification. Common Integration Adapters connect to cloud computing, mobile applications, desktop and server, data, and mainframe targets.]

Slide 8: Key Use Cases

Slide 9: Activity driven access request management

Simplify self-service access request for managers and employees:

• Self-service, shopping-cart interface
• "Speaks" business language but also understands the IT and application roles
• Automatically detects segregation of duties (SoD) conflicts
• Saves time, while ensuring proper and compliant user access

[Figure: request flow]

End User: "I have a new assignment, I need to be able to Approve Orders."
Business Manager: "Jane Doe is now on my team and needs to be able to Approve Orders."
SoD check: "Jane Doe can also Create Orders and that is a segregation of duties violation."
Outcome: APPROVED or DENIED
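The business-activity mapping of slide 6 and the SoD check on the request in slide 9, worked through in code. This is an added example, not code from the deck or from IBM's product: the entitlement codes, the SoD rules and Jane Doe's current access are constructed sample data, and the "any one entitlement grants the activity" rule is a simplifying assumption.

```python
# Added example: map IT entitlements to business activities and check access
# requests against segregation-of-duties (SoD) rules expressed between activities.
# All mappings, rule texts, entitlement codes and user data are constructed.

# Business activity -> IT entitlements that grant it (assumption: any one is enough).
# Activity names follow the deck's examples; the entitlement codes are invented.
ACTIVITY_ENTITLEMENTS = {
    "Create Orders":         {"CRM:ORDER_ENTRY", "ERP:SO01_CREATE"},
    "Approve Orders":        {"ERP:SO02_APPROVE"},
    "Create Purchase Order": {"ERP:ME21N"},
    "View Accounts Payable": {"ERP:FB03_DISPLAY"},
    "Update Payroll":        {"HR:PA30_MAINTAIN"},
    "Release Payment":       {"ERP:F110_RUN"},
}

# Toxic combinations, written by the auditor in business language, not IT codes.
SOD_RULES = [
    ({"Create Orders", "Approve Orders"}, "self-approval of sales orders"),
    ({"Create Purchase Order", "Release Payment"}, "order goods and pay for them alone"),
    ({"Update Payroll", "Release Payment"}, "create and pay a fictitious employee"),
]

# Reverse index: entitlement -> activities it grants.
ENTITLEMENT_ACTIVITIES = {}
for _activity, _ents in ACTIVITY_ENTITLEMENTS.items():
    for _e in _ents:
        ENTITLEMENT_ACTIVITIES.setdefault(_e, set()).add(_activity)


def activities_of(entitlements):
    """Business activities a user can perform given their IT entitlements."""
    acts = set()
    for e in entitlements:
        acts |= ENTITLEMENT_ACTIVITIES.get(e, set())
    return acts


def unmapped_entitlements(entitlements):
    """Entitlements with no business meaning in the catalogue: these are exactly
    the ones a business manager cannot certify and that SoD rules cannot see."""
    return {e for e in entitlements if e not in ENTITLEMENT_ACTIVITIES}


def sod_violations(entitlements):
    """Every toxic combination the given entitlements already realise."""
    acts = activities_of(entitlements)
    return [(frozenset(pair), why) for pair, why in SOD_RULES if pair <= acts]


def evaluate_request(user, current, requested_activity):
    """Resolve a request phrased as a business activity to one entitlement and
    decide it against the SoD rules. The result is readable by the approver."""
    if requested_activity not in ACTIVITY_ENTITLEMENTS:
        raise KeyError(f"no entitlement mapping for activity {requested_activity!r}")
    current = set(current)
    if requested_activity in activities_of(current):
        return {"user": user, "decision": "ALREADY_GRANTED", "grant": None,
                "new_violations": [], "explanations": []}
    grant = sorted(ACTIVITY_ENTITLEMENTS[requested_activity])[0]  # deterministic pick
    before = {pair for pair, _ in sod_violations(current)}
    new = [(pair, why) for pair, why in sod_violations(current | {grant})
           if pair not in before]
    explanations = [
        f"{user} can also {' and '.join(sorted(pair - {requested_activity}))} "
        f"and that is a segregation of duties violation ({why})"
        for pair, why in new
    ]
    return {"user": user, "decision": "DENIED" if new else "APPROVED", "grant": grant,
            "new_violations": new, "explanations": explanations}


if __name__ == "__main__":
    # Jane Doe already holds CRM order entry (constructed) and asks to Approve Orders.
    result = evaluate_request("Jane Doe", {"CRM:ORDER_ENTRY"}, "Approve Orders")
    print(result["decision"], result["grant"])
    for line in result["explanations"]:
        print(" ", line)
```

The check compares the violations that exist before and after the grant, so a request is denied only for the conflict it would create; pre-existing conflicts are left for the certification process rather than blocking unrelated requests. `unmapped_entitlements` is the governance gap from slide 4 made concrete: an entitlement nobody has mapped to a business activity is invisible to both the SoD rules and the business reviewer.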

Slide 10: Review Access with Risk Identification

• Easily identify risk
• Review and remediate toxic combinations
• Business-readable access risk

Slide 11: LOB Review Access

Highly usable end-user interface for easy user recertification. Support business managers in requesting and certifying their own staff's access.

Slide 12: Business centric access certification

Enables business managers to quickly review employee access and take action:

• Focused, risk-driven campaigns
• Managers can understand exactly what access they are certifying and why
• Same simple look and feel regardless of role within the organization
• Ability to execute multi-step approval workflows

[Figure: a certification item as the Business Manager sees it]

"Does John Smith still need to open Sales Opportunities? SalesConnect is a CRM tool used by the sales team to effectively communicate with clients and track ongoing projects."

• NO: John is no longer on the Sales team
• NOT SURE: Please delegate to Jane Doe
• YES: John still needs access

Slide 13: Identity and Access Intelligence: identifying outliers

Risk-driven access certification using 'heat maps'.

Slide 14: Visual analytics: Risk Scoring

Model and measure operational risk:
• Model, measure and trend risks across several data sets (OU, applications)
• Allows for 'risk-driven' access certification using 'heat maps'
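Slides 13 and 14 describe outlier identification and risk scoring feeding a heat map, but not how the score is built. The following is an added example, not IBM's scoring model: it scores each user/entitlement grant by how rare the entitlement is within the user's organizational unit (the peer baseline), whether it is stale by "last usage", and a sensitivity weight, then rolls the scores up per OU and application and selects the grants worth a reviewer's time. The identity data, the 90-day threshold, the 0.5 rarity cut-off and the sensitivity weights are all constructed.

```python
from collections import Counter, defaultdict
from datetime import date

# Added example: score every user/entitlement grant by peer-group rarity,
# staleness and sensitivity, then aggregate into a heat map and a risk-driven
# certification campaign. Everything below is constructed sample data.

TODAY = date(2015, 6, 1)          # fixed "now" so the example is reproducible
STALE_AFTER_DAYS = 90             # assumption: unused for 90 days counts as stale

# (user, organizational unit, entitlement, last use; None = never used)
GRANTS = [
    ("alice", "Sales",   "CRM:OPPORTUNITY_OPEN", date(2015, 5, 28)),
    ("bob",   "Sales",   "CRM:OPPORTUNITY_OPEN", date(2015, 5, 30)),
    ("carol", "Sales",   "CRM:OPPORTUNITY_OPEN", date(2015, 5, 20)),
    ("dave",  "Sales",   "CRM:OPPORTUNITY_OPEN", date(2015, 5, 29)),
    ("dave",  "Sales",   "ERP:F110_RUN",         None),               # rare in Sales, never used
    ("john",  "Finance", "CRM:OPPORTUNITY_OPEN", date(2015, 1, 10)),  # kept after moving from Sales
    ("john",  "Finance", "ERP:F110_RUN",         date(2015, 5, 31)),
    ("john",  "Finance", "ERP:FB03_DISPLAY",     date(2015, 5, 31)),
    ("erin",  "Finance", "ERP:F110_RUN",         date(2015, 5, 25)),
    ("erin",  "Finance", "ERP:FB03_DISPLAY",     date(2015, 5, 25)),
    ("frank", "Finance", "ERP:F110_RUN",         date(2015, 5, 26)),
    ("frank", "Finance", "ERP:FB03_DISPLAY",     date(2015, 5, 26)),
]

# Constructed sensitivity weights; anything not listed weighs 1.0.
SENSITIVITY = {"ERP:F110_RUN": 3.0}   # payment run: high impact


def peer_prevalence(grants):
    """Fraction of each OU's users that hold each entitlement (the peer baseline)."""
    members = defaultdict(set)
    holders = defaultdict(set)
    for user, ou, ent, _ in grants:
        members[ou].add(user)
        holders[(ou, ent)].add(user)
    return {key: len(users) / len(members[key[0]]) for key, users in holders.items()}


def score_grants(grants, today=TODAY, outlier_below=0.5):
    """One risk record per grant: rarity in the peer group, staleness, sensitivity.
    risk = sensitivity * ((1 - prevalence) + 1 if stale), highest first."""
    prevalence = peer_prevalence(grants)
    scored = []
    for user, ou, ent, last_used in grants:
        p = prevalence[(ou, ent)]
        age = None if last_used is None else (today - last_used).days
        stale = age is None or age > STALE_AFTER_DAYS
        reasons = []
        if p < outlier_below:
            reasons.append(f"only {p:.0%} of {ou} hold it")
        if stale:
            reasons.append("never used" if age is None else f"last used {age} days ago")
        risk = SENSITIVITY.get(ent, 1.0) * ((1.0 - p) + (1.0 if stale else 0.0))
        scored.append({"user": user, "ou": ou, "entitlement": ent,
                       "risk": round(risk, 2), "reasons": reasons})
    return sorted(scored, key=lambda r: -r["risk"])


def heat_map(scored):
    """Risk summed per (OU, application) cell, the table behind a heat-map view."""
    cells = Counter()
    for r in scored:
        cells[(r["ou"], r["entitlement"].split(":")[0])] += r["risk"]
    return dict(cells)


def certification_campaign(scored, min_risk=1.0):
    """Risk-driven campaign: only grants at or above the threshold go to a reviewer."""
    return [r for r in scored if r["risk"] >= min_risk]


if __name__ == "__main__":
    scored = score_grants(GRANTS)
    for cell, risk in sorted(heat_map(scored).items()):
        print(f"{cell[0]:8} {cell[1]:4} {risk:5.2f}")
    for r in certification_campaign(scored):
        print(r["user"], r["entitlement"], r["risk"], "; ".join(r["reasons"]))
```

With the constructed data the campaign contains two items: dave's never-used payment-run entitlement (rare in Sales and high-sensitivity) and john's leftover CRM access from his old team, which is both rare in Finance and stale. The four Sales users' CRM grants score zero and are never sent to a reviewer, which is the point of a focused campaign rather than a blanket recertification.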

Slide 15: Client Examples: Identity Governance and Administration Results

• SoD simplification: a multinational manufacturer manages over 430M potential entitlement conflicts with only a few hundred segregation of duty rules.
• Governance: a large European insurance and financial services firm governs access for 75,000 employees, agents and privileged users by identifying access risks and segregation of duty conflicts and certifying access for SAP, AD, mainframe and custom-built apps.
• Audit access: a large European designer found almost 80% of users had unnecessary access after leveraging the "last usage" information in their automated controls set.

Slide 16: Other Solution Highlights

Slide 17: Visual Analytics: Role Mining

Discover and build roles: visual role mining to create new roles or optimize existing ones.
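Slide 17 names role mining without saying how candidate roles are found. The block below is an added example of one common bottom-up approach, not the algorithm inside IBM's product (which the deck does not describe): repeatedly take the bundle of entitlements that explains the most user/entitlement assignments, turn it into a candidate role, strip what it covers, and stop when no bundle is shared widely enough. What is left over after mining is the set of assignments that no role explains, which is a useful input to a certification campaign. The users, entitlement codes and thresholds are constructed.

```python
from itertools import combinations

# Added example: greedy bottom-up role mining over constructed assignments.
# Candidate bundles are each user's remaining entitlement set and every pairwise
# intersection of those sets; the bundle with the largest (size x holders) wins.
ASSIGNMENTS = {
    "alice": {"CRM:OPPORTUNITY_OPEN", "CRM:ACCOUNT_VIEW", "ERP:SO01_CREATE"},
    "bob":   {"CRM:OPPORTUNITY_OPEN", "CRM:ACCOUNT_VIEW", "ERP:SO01_CREATE"},
    "carol": {"CRM:OPPORTUNITY_OPEN", "CRM:ACCOUNT_VIEW", "ERP:SO01_CREATE",
              "ERP:SO02_APPROVE"},                        # extra: approve + create
    "erin":  {"ERP:FB03_DISPLAY", "ERP:F110_RUN", "HR:PA20_DISPLAY"},
    "frank": {"ERP:FB03_DISPLAY", "ERP:F110_RUN", "HR:PA20_DISPLAY"},
    "john":  {"ERP:FB03_DISPLAY", "ERP:F110_RUN", "HR:PA20_DISPLAY",
              "CRM:OPPORTUNITY_OPEN"},                    # extra: kept from old team
    "grace": {"CRM:ACCOUNT_VIEW"},
}


def mine_roles(assignments, min_users=2, min_ents=2):
    """Return (roles, leftovers). Each role is a dict with the entitlement bundle
    and its members; leftovers are assignments no mined role explains.
    min_users / min_ents (assumptions) stop one-off bundles becoming roles."""
    remaining = {u: set(es) for u, es in assignments.items()}   # never mutate input
    roles = []
    while True:
        live = [frozenset(es) for es in remaining.values() if es]
        candidates = set(live)
        for a, b in combinations(live, 2):
            candidates.add(a & b)
        best, best_gain = None, 0
        for cand in candidates:
            if len(cand) < min_ents:
                continue
            holders = [u for u, es in remaining.items() if cand <= es]
            if len(holders) < min_users:
                continue
            gain = len(cand) * len(holders)           # assignments this role explains
            if gain > best_gain or (gain == best_gain and best is not None
                                    and sorted(cand) < sorted(best)):
                best, best_gain = cand, gain          # lexicographic tie-break: deterministic
        if best is None:
            break
        members = sorted(u for u, es in remaining.items() if best <= es)
        for u in members:
            remaining[u] -= best
        roles.append({"entitlements": sorted(best), "members": members})
    leftovers = {u: sorted(es) for u, es in remaining.items() if es}
    return roles, leftovers


def role_coverage(assignments, leftovers):
    """Share of the original assignments explained by the mined roles."""
    total = sum(len(es) for es in assignments.values())
    uncovered = sum(len(es) for es in leftovers.values())
    return (total - uncovered) / total


if __name__ == "__main__":
    roles, leftovers = mine_roles(ASSIGNMENTS)
    for i, role in enumerate(roles, 1):
        print(f"candidate role {i}: {role['entitlements']} -> {role['members']}")
    print("coverage:", round(role_coverage(ASSIGNMENTS, leftovers), 3))
    print("unexplained assignments to review:", leftovers)
```

On the constructed data the miner proposes a sales role and a finance role, and the leftovers are carol's approval entitlement (create plus approve is the toxic combination from slide 9), john's CRM access carried over from his previous team, and grace's single entitlement. Those three unexplained assignments are where a reviewer should look first; the rest of the access is now described in business terms as role membership.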

Slide 18: Segregation of Duties Management for SAP

• Extends fine-grained SoD controls to SAP (users and roles)
• One governance platform for SAP and non-SAP applications

Slide 19: Identity Governance on the Mainframe

• Extends fine-grained SoD controls to the mainframe-specific data model
• Provides Access Review and Request Management capabilities

Slide 20: Extend SIM with SIG Governance Capabilities

Slide 21: Integrated Governance and Identity Lifecycle Management

Four key use cases: a) Access Review and Reporting Visibility, b) Access Request Management, c) Segregation of Duty Controls, and d) Role Management and Intelligence.

Slide 22: IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration

Gartner, Inc. positions IBM as a LEADER in Identity Governance and Administration (IGA).

"The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate."

Gartner, Inc. "Magic Quadrant for Identity Governance and Administration" by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015, Report #G00261633.

Source: Gartner (January 2015). This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Slide 23: IBM Security offers a comprehensive product portfolio

• QRadar Log Manager
• QRadar Security Intelligence
• QRadar Risk Manager
• QRadar Vulnerability Manager
• QRadar Incident Forensics

Slide 24

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security