SEARCHSECURITY.COM Technical Guide on Managing Identities and Access Control

Source: media.techtarget.com/Syndication/SECURITY/IdentityAccessManage…

Contents

4 Making the Case for Enterprise IAM Centralized Access Control

7 Content-Aware IAM: Uniting User Access and Data Rights

10 Best Practices for a Privileged Access Policy to Secure User Accounts

12 How to Implement and Maintain Enterprise User Roles


Database security and compliance made simple. More Global 1000 companies trust Guardium, an IBM company, to secure their critical enterprise data than any other technology provider. We provide the simplest, most robust solution for preventing information leaks from your data center and ensuring the integrity of corporate data.

• Gain 100% visibility and control over your entire DBMS infrastructure.

• Reduce complexity with a single set of cross-DBMS auditing and access control policies.

• Enforce separation of duties and eliminate overhead of native DBMS logs.

• Monitor privileged users, detect insider fraud and prevent cyberattacks.

• Automate vulnerability assessment, data discovery, compliance reporting and sign-offs.

Copyright © 2010 Guardium, an IBM company. All rights reserved. Information is subject to change without notice. IBM, and the IBM logo are trademarks of International Business Machines Corporation in the United States, other countries or both.

For more information, visit www.guardium.com/SearchSecurity

Managing Identities and Access Control

SEARCHSECURITY.COM presents a comprehensive guide to managing user identities and access control within the enterprise. Our experts cover all the angles with authoritative technical advice on: centralized identity management; the importance of uniting IAM and data protection; how to develop policies for privileged users; and how to implement and maintain user roles.

Control over user identities, roles and the access users have to assets is quickly becoming a critical security and compliance strategy.

Contents

4 Making the Case for Enterprise IAM Centralized Access Control (Centralized IAM). Central access to multiple applications and systems can raise the level of security while getting rid of red tape. BY DAVID GRIFFETH

7 Content-aware IAM: Uniting User Access and Data Rights (IAM and Data Protection). IAM and data protection have generally kept to their separate corners. That trend may be shifting. BY RANDALL GAMBY

10 Best Practices for a Privileged Access Policy to Secure User Accounts (Privileged Account Policies). Enterprises need to secure accounts belonging to actual users by reviewing and monitoring their privileged access. BY MARK DIODATI

12 Best Practices: How to Implement and Maintain Enterprise User Roles (Role Management). Effective enterprise role management is essential for properly managing user access rights and enforcing access policies, but the implementation process can be challenging. BY ANDRAS CSER

16 Vendor Resources

Making the Case for Enterprise IAM Centralized Access Control

Central access to multiple applications and systems can raise the level of security while getting rid of red tape.

BY DAVID GRIFFETH

WITHIN TODAY’S enterprises, it’s common for organizations of all sizes to rely on many different applications to fulfill a variety of business needs. In smaller corporations, the access administration model tends to be distributed across many business lines or system owners. This model does not allow for a functional identity and access management program, meaning it’s virtually impossible to manage user access, privilege levels and revocation when necessary.

Eventually, these organizations reach a maturation point where the access administration model must be assessed to determine if it’s more efficient to centralize. This article lays out many of the process and security benefits of a centralized model.

The lifecycle of access for employees and temporary workers has three major phases:

• New access creation: requiring new accounts on various systems.

• Access modification: necessary when employees move from one job to another within the organization, requiring account access and privilege modifications, deletions and/or new accounts.

• Termination: removal of all access.

For new access requests in a distributed access administration model, users who need access to multiple applications must make requests to multiple application owners. This often means filling out and submitting a variety of forms, which usually ask for the same data, depending on the system owner’s governance process and interpretation of policy. As the system owners receive request forms, they provision the access and notify the end user. Unfortunately, the system owners won’t grant access on the same day, so the end user will not have the complete set of access needed to do his or her job until the slowest system owner completes the request.

When an existing user is terminated or moves within the organization to a different job, the old manager must remember or figure out what systems the user had access to and request the accounts be disabled. The new manager must also fill out all the required forms for access appropriate to the user’s new job.


The process inefficiencies are obvious: multiple forms with similar information going to multiple system owners, who each provide access according to their own rules and requirements. If access reviews are required, this means a slew of uncoordinated emails to managers asking for access reviews and approvals.

The security concerns are worse. Each time an employee or contractor moves within the organization or is terminated, the old manager is expected to fill out a variety of forms requesting access modification, making each manager a potential failure point. If there is a process failure, there will most likely be accounts on systems that are inappropriate, or worse, belong to terminated employees.

In a centralized model, all system access is granted according to one interpretation of policy. It also streamlines new user creation, modification and termination processes, which can be based on one feed from human resources.

For example, when an individual joins the organization there is one request made for all access. The centralized provisioning team will be able to verify the new user is employed and who his or her manager is based on the HR feed. All access is granted at the same time as a single request and the user is ready to work when that request is complete.

When a user moves, there is only one group to notify for access changes and there is no need for a notification for planned termination because the HR feed will notify the centralized provisioning group of all the day’s terminations. In the case of termination with prejudice (being fired), there is only one group to call to have all access shut down immediately.

Other advantages include the ability to have a single system access review generated across all systems, the beginnings of automated provisioning, fewer resources required to provision access and quicker turnaround time for requests.
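The joiner/mover/leaver lifecycle driven by a single HR feed, as an added worked example that is not part of the original article: the feed is reconciled against the accounts that actually exist on each system, producing the day's create and disable actions, including shutting down orphan accounts whose owner HR does not know. The job-to-system mapping, system names and all sample records are constructed assumptions.

```python
"""Joiner/mover/leaver reconciliation driven by one HR feed.

Added example, not from the guide: one HR feed says who is employed, in what
job and whether they were terminated; it is compared with the accounts that
actually exist on each system.  The HR feed, the account inventory and the
job-to-system mapping are constructed sample data; names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    job_code: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    system: str
    employee_id: str
    enabled: bool = True


# Which systems each job needs: the single interpretation of policy that the
# central provisioning team applies to every request (assumed mapping).
JOB_SYSTEMS = {
    "TELLER": {"ad", "core-banking"},
    "LOAN_OFFICER": {"ad", "core-banking", "loan-origination"},
    "HR_ANALYST": {"ad", "hris"},
}


def reconcile(hr_feed, accounts):
    """Return the provisioning actions implied by today's HR feed.

    Each action is a (verb, system, employee_id) tuple:
      create  - a joiner or mover needs an account on this system
      disable - a leaver, a mover who no longer needs the system, or an
                orphan account whose owner is unknown to HR
    """
    hr = {r.employee_id: r for r in hr_feed}
    by_emp = {}
    for acct in accounts:
        by_emp.setdefault(acct.employee_id, {})[acct.system] = acct

    actions = []
    # Every existing account must belong to an active employee whose job
    # still requires that system; anything else is disabled.
    for emp_id, systems in by_emp.items():
        rec = hr.get(emp_id)
        if rec is None or rec.status != "active":
            needed = set()  # leaver or orphan: shut down all access at once
        else:
            needed = JOB_SYSTEMS.get(rec.job_code, set())
        for sys_name, acct in systems.items():
            if acct.enabled and sys_name not in needed:
                actions.append(("disable", sys_name, emp_id))
    # Every active employee must hold the accounts their job requires.
    for emp_id, rec in hr.items():
        if rec.status != "active":
            continue
        have = {s for s, a in by_emp.get(emp_id, {}).items() if a.enabled}
        for sys_name in JOB_SYSTEMS.get(rec.job_code, set()) - have:
            actions.append(("create", sys_name, emp_id))
    return sorted(actions)


# Constructed sample data for one day's feed.
SAMPLE_HR_FEED = [
    HrRecord("e100", "TELLER", "active"),        # unchanged
    HrRecord("e101", "LOAN_OFFICER", "active"),  # mover: was an HR analyst
    HrRecord("e102", "HR_ANALYST", "active"),    # joiner: no accounts yet
    HrRecord("e103", "TELLER", "terminated"),    # leaver
]
SAMPLE_ACCOUNTS = [
    Account("ad", "e100"), Account("core-banking", "e100"),
    Account("ad", "e101"), Account("hris", "e101"),
    Account("ad", "e103"), Account("core-banking", "e103"),
    Account("ad", "e999"),  # orphan: no HR record at all
]

if __name__ == "__main__":
    for verb, system, emp in reconcile(SAMPLE_HR_FEED, SAMPLE_ACCOUNTS):
        print(f"{verb:8} {system:16} {emp}")
```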

I recommend moving toward a centralized provisioning model around the same time it’s determined the company needs a helpdesk function. Moving towards this model will provide sounder information security practices, more efficient provisioning processes and will reduce the risk associated with managers as failure points. It will also put an organization on the road to a full-blown identity and access management program, which is essential to the information security program success of all midsized and large enterprises.

David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank’s growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor’s degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.



DATA BREACHES UP 47%

60% ATTRIBUTED TO INSIDER FRAUD

KEY WEAKNESS: Controlling access to privileged accounts

Enterprise Access Management

FoxT provides Enterprise Access Management solutions that will enable you to control access to privileged accounts and data across your diverse servers and business applications.

In addition to protecting corporate value, centralized access management will also help you achieve compliance with HIPAA, SOX, PCI, NERC/FERC, Massachusetts Privacy Law, and other regulations.

FOR MORE INFORMATION: www.foxt.com

Content-Aware IAM: Uniting User Access and Data Rights

IAM and data protection have generally kept to their separate corners. That trend may be shifting.

BY RANDALL GAMBY

RECENTLY THERE’S been a new development in the information security world: content-aware identity and access management (CA-IAM). CA-IAM is the integration of two established, usually separately administered security domains—identity and access management (IAM) and data protection.

The first domain, IAM, is used to administer user rights. When security personnel think of tools in the IAM domain, they picture Web access management systems, provisioning systems, portals, Web-based applications and federation technologies. The common theme among these technologies is the configuration of data access based on the adage “the right people, getting the right access to the right information.”

However, within enterprises there’s another, sometimes darker, domain: data protection. The goal of data protection is to correctly configure data rights for information. The people interested in data protection talk about classification of information (i.e. company confidential, secret, top secret, etc.), data loss prevention (DLP), meta-directories, security information and event management (SIEM), event logging, firewalls, secure communications and encryption. The common theme within this domain is “the right data, getting to the right place securely, by means of the right services.” While IAM’s focus is to secure communications channels to applications and services for users, data protection’s focus is to establish secure communications channels to applications and services for data: the yin to IAM’s yang.

So why does the concept of combining these two domains make sense? There are three reasons: compliance, data transformation and intelligent user rights.

Regarding compliance, combining the user access rights of identity and access management with the information protection rights of data protection solves the overarching business issue of compliance. Under the cover of existing regulations around privacy and protection—whether government (i.e. SOX, HIPAA, GLBA, Basel II) or industry driven (i.e. PCI DSS)—the auditors expect companies to have implemented controls around authorized user access and data protection. Since the tools that implement these controls have been traditionally separated, it makes sense to combine their functionality for the common good of compliance.

Data transformation involves scenarios in which new data sets are added, data is manipulated, and old data sets are expunged. Managing the sensitivity and value of information during these transformations is becoming increasingly more difficult due to the volume of data a typical enterprise manages and the fact that external organizations are often managing key pieces of data via outsourcing and SaaS to enhance a company’s data management capabilities. Determining access to the newly updated and created data can be a nightmare. CA-IAM promises to identify how these transformations have affected the data and, if warranted, automatically map new protections to the data, and then go on to assign new access rights to the information based on corporate policies. An example of how this can be used is the December 2008 announcement of an alliance between Microsoft and EMC Corp.’s RSA unit in which the vendors plan to develop a tight integration between RSA’s DLP suite and Microsoft’s digital rights management technology. The goal of this alliance is to take the best features of RSA’s DLP automated data classification services and map them to Microsoft’s file management technology to ensure data classifications and rights automatically follow the data.

With intelligent user rights, it has become important to understand the roles and responsibilities of an individual when determining his or her access to applications and services. After determining an individual’s rights, CA-IAM can be used to give proper access to the data, providing fine-grained access controls beyond the application down to the actual data itself.
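The two CA-IAM ideas above (protections that follow the data through a transformation, and a user's role deciding access down to the data itself) as an added worked example, not code from the article or from any vendor named in it: a small catalog where a derived dataset inherits the most sensitive source classification and only the roles common to all its sources, and an access check that requires both the IAM role and the data-protection clearance. The classification order follows the article's list; the roles, users and datasets are constructed assumptions.

```python
"""Content-aware IAM (CA-IAM) policy check: IAM user rights joined with data
protection's classification labels, re-deriving protections when data is
transformed.  Added example, not from the guide; the classification scheme
follows the guide's "company confidential, secret, top secret" list, and the
roles, users and datasets are constructed sample values.
"""
from dataclasses import dataclass

# Ordered classification scheme; list index is the sensitivity rank.
LEVELS = ["public", "company confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str       # enterprise role, from the IAM side
    clearance: str  # highest classification the user may read (data protection side)


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str
    roles: frozenset     # roles the data owner allows at all
    sources: tuple = ()  # datasets this one was derived from, if any


class Catalog:
    """Registry of datasets whose protections follow the data."""

    def __init__(self):
        self.datasets = {}

    def add(self, name, classification, roles):
        if classification not in RANK:
            raise ValueError(f"unknown classification: {classification!r}")
        self.datasets[name] = Dataset(name, classification, frozenset(roles))

    def derive(self, name, sources):
        """Register a dataset produced by transforming existing ones.

        The result inherits the most sensitive source classification, and
        only roles allowed on every source are allowed on the result, so a
        join or extract never widens access beyond what its inputs permit.
        """
        srcs = [self.datasets[s] for s in sources]
        if not srcs:
            raise ValueError("a derived dataset needs at least one source")
        level = max(srcs, key=lambda d: RANK[d.classification]).classification
        roles = frozenset.intersection(*(d.roles for d in srcs))
        self.datasets[name] = Dataset(name, level, roles, tuple(sources))

    def can_access(self, user, name):
        """Grant only if both the IAM check (role) and the data-protection
        check (clearance against classification) pass."""
        d = self.datasets[name]
        return user.role in d.roles and RANK[user.clearance] >= RANK[d.classification]

    def access_list(self, users, name):
        return sorted(u.user_id for u in users if self.can_access(u, name))


# Constructed sample users and datasets for an insurer.
USERS = [
    User("alice", "claims_adjuster", "company confidential"),
    User("bob", "fraud_analyst", "secret"),
    User("carol", "marketing", "company confidential"),
    User("dave", "claims_adjuster", "top secret"),  # cleared high, but wrong role
]


def build_sample_catalog():
    cat = Catalog()
    cat.add("claims", "company confidential", {"claims_adjuster", "fraud_analyst"})
    cat.add("customer_contacts", "public", {"claims_adjuster", "fraud_analyst", "marketing"})
    cat.add("fraud_cases", "secret", {"fraud_analyst"})
    # Transformations: an analytics job joins claims with fraud cases, and a
    # marketing extract is built from the contact list alone.
    cat.derive("claims_fraud_joined", ["claims", "fraud_cases"])
    cat.derive("contact_extract", ["customer_contacts"])
    return cat


if __name__ == "__main__":
    cat = build_sample_catalog()
    for name, d in cat.datasets.items():
        print(f"{name:20} {d.classification:21} {cat.access_list(USERS, name)}")
```

Dave is cleared to read "top secret" data yet is denied the joined dataset, because the role check fails independently of the clearance check.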

So if CA-IAM provides such great benefits, why haven’t more enterprises implemented it? There are several reasons. First, both IAM and data protection had their start in different parts of the enterprise. IT traditionally started managing user access as part of its infrastructure provisioning projects. As users joined the company, IT added their accounts to the systems they needed to do their jobs. Subsequently, as users’ roles or employment statuses changed, IT was responsible for managing and updating their permissions, eventually taking away all rights when users left the company.

Data protection started in the traditional risk management and IT security departments. The responsibility of the data protection pros was to safeguard sensitive data and ensure it didn’t leave the organization through unauthorized channels. While these two groups usually work well together, they’ve each traditionally reported up to different parts of the organization. The prospect of integrating these two disciplines presents, if not a managerial problem, at least a serious managerial project.

Also, in order to even consider implementing CA-IAM, an organization must understand its user and data classifications and have defined processes for managing them. Many organizations are still in the throes of doing role-based access definitions, finding and classifying data based upon existing policies, and aligning risks across the organization. In addition, DLP and IAM tools are still being implemented. Without a level technology playing field, integration of IAM and data protection technologies will involve a lot of time, effort and money, and probably a few costly mistakes along the way.

Something else to consider is that CA-IAM is a concept, not a product. Today’s organizations are working to solve business problems through technology; tomorrow’s technologies are still in the hands of enterprise architects and risk managers. Full enterprise deployments of CA-IAM, and the standards and experience they bring, are still years off. So does this mean companies can’t do CA-IAM today? Not necessarily. While a formal deployment is not yet possible, an enterprise that already understands its data and access requirements, has classified its data, user roles and responsibilities, and has strong political clout, should be able, through policies and processes, to begin to create a common framework, even if the tools aren’t integrated. This is how traditional IAM technologies started and it’s the way that CA-IAM will begin.

Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.

Best Practices for a Privileged Access Policy to Secure User Accounts

Enterprises need to secure accounts belonging to actual users by reviewing and monitoring their privileged access.

BY MARK DIODATI

THE PROCESS of securing accounts includes a variety of factors, one of the most important being ensuring employees have the minimum access necessary to target platforms. In addition, employees’ job functions and related access should be reviewed to ensure there are no separation of duties issues. Case in point: A person who creates a vendor account should not be able to approve payment to that vendor.

The access-review process includes understanding workflow: A baseline of access policies must be reviewed and approved by application owners. Additionally, subsequent changes to access rights should be reviewed and approved. Access certification tools, including those embedded in identity management provisioning systems from various vendors, can assist with the review process.

In some cases, a third-party security tool like CA Inc.’s Access Control or Symark International Inc.’s PowerBroker is required to limit privileged user access. For example, rather than giving the UNIX database administrator access to the root account for the purpose of restarting the server, the security tool can delegate the privilege of system restart to a real user.

Assuming you have locked down privileged user access, you should be all set, right? Not quite; you need to ensure privileged users do not abuse their access rights. One common use case concerns the customer support supervisor who appropriately has access to confidential customer data. If the supervisor accesses an excessive number of customer records on a given day, it may be an indication of a problem. A security information management (SIM) system would not likely detect this anomaly. Increasingly, enterprises are looking to deploy risk-based consumer authentication techniques to detect this level of access, but for the most part, these risk-based tools aren’t ready for enterprise use because they are oriented toward financial transactions. Consumer authentication vendors with risk-based authentication include Hagel Technologies Ltd.’s AdmitOne, Arcot Systems Inc., Entrust, Oracle Corp., RSA Security and VeriSign Inc.
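The supervisor scenario above needs a per-user volume baseline rather than a single-event rule, which is why a plain SIM correlation tends to miss it. The following is an added example, not code from the article or from any vendor it names: it counts customer-record views per user per day from a constructed audit log and flags a day that is far above that user's own median, while skipping users with no history to compare against. The log format, thresholds and sample lines are assumptions.

```python
"""Volume baseline for a privileged user who legitimately reads customer
records, such as the support supervisor described above.  Added example, not
from the guide; the audit-log format and the sample lines are constructed.
"""
from collections import defaultdict
from statistics import median


def parse_log(text):
    """Yield (day, user, action) from 'YYYY-MM-DD HH:MM:SS,user,action,record' lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        timestamp, user, action, _record = line.split(",")
        yield timestamp.split(" ")[0], user, action


def daily_counts(text, action="view_customer"):
    """user -> day -> number of `action` events on that day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, act in parse_log(text):
        if act == action:
            counts[user][day] += 1
    return counts


def flag_excessive(counts, day, factor=3.0, min_count=20):
    """Users whose count on `day` exceeds `factor` times the median of their
    earlier days and is at least `min_count` (so a jump from 1 to 4 records
    is not flagged).  Users with no earlier days are skipped: there is no
    baseline to judge them against.  Returns {user: (today, baseline)}."""
    flagged = {}
    for user, per_day in counts.items():
        prior = [n for d, n in per_day.items() if d < day]  # ISO dates sort as text
        if not prior:
            continue
        today = per_day.get(day, 0)
        baseline = median(prior)
        if today >= min_count and today > factor * baseline:
            flagged[user] = (today, baseline)
    return flagged


def _day_of_views(user, day, n):
    """Constructed log lines: `n` customer-record views by `user` on `day`."""
    return "\n".join(f"{day} 09:{i % 60:02d}:00,{user},view_customer,c-{1000 + i}"
                     for i in range(n))


# Constructed sample: the supervisor normally views 7-10 records a day, then
# 60 on the last day; an agent is steady; a new user has no history yet.
SAMPLE_LOG = "\n".join([
    "# timestamp,user,action,record",
    _day_of_views("supervisor1", "2010-03-01", 8),
    _day_of_views("supervisor1", "2010-03-02", 9),
    _day_of_views("supervisor1", "2010-03-03", 7),
    _day_of_views("supervisor1", "2010-03-04", 10),
    _day_of_views("supervisor1", "2010-03-05", 60),
    _day_of_views("agent2", "2010-03-01", 3),
    _day_of_views("agent2", "2010-03-02", 3),
    _day_of_views("agent2", "2010-03-03", 3),
    _day_of_views("agent2", "2010-03-04", 3),
    _day_of_views("agent2", "2010-03-05", 4),
    _day_of_views("temp9", "2010-03-05", 25),
    "2010-03-05 17:00:00,supervisor1,update_customer,c-1001",  # other action, not counted
])

if __name__ == "__main__":
    for user, (today, base) in flag_excessive(daily_counts(SAMPLE_LOG), "2010-03-05").items():
        print(f"{user}: {today} records today vs. median {base} on earlier days")
```

The new user with 25 views and no history is deliberately left unjudged; a first day is a case for a review queue, not for a baseline comparison.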

Some organizations consider the use of two separate accounts to address excessive user privilege. The first one is the “everyday” account for use in routine activities such as logging onto Windows workstations and checking email. The second account is only used for administrative tasks that require high privilege, including working with high-risk production systems. The high privilege account is not used during everyday tasks, which limits exposure to malware. However, the use of two accounts will not address the issue of excessive privileges granted to the user.

Balancing user access between the too lenient and the overly strict can be a challenge, but with these best practices, it can be a bit less daunting.

Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 18 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM for CA Inc., as well as senior product manager for RSA Security’s smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.

How to Implement, Maintain Enterprise User Roles

Effective enterprise role management is essential for managing user access rights and enforcing access policies, but the implementation process can be challenging.

BY ANDRAS CSER

ENTERPRISE ROLE management is key in efficiently managing user access rights and enforcing access policies such as segregation of duties. Roles help companies group coarse- and fine-grained access rights (such as access to and functionality within a financial accounts application) into groups, called enterprise roles. These enterprise roles map to job functions and are only allowed access rights that don’t violate segregation of duties. For instance, a financial clerk role can’t contain fine-grained access rights that allow someone in the role to access the accounts receivable and accounts payable parts of the financial application.

The processes and tools necessary for effective role management consist of role mining and design (automatic discovery and management of roles based on existing access rights and entitlements data), role recertification (a process performed typically every six months when a business role custodian certifies what access rights should belong to a role), and access recertification (a process performed typically every 3-6 months to ensure all user access is understood and was granted in an audited way).

To be successful, organizations should implement and maintain enterprise roles by:

1. Establishing a closed-loop process. If the organization wants to gain value from enterprise roles, it needs to use a closed-loop process to ensure roles are periodically updated based on current business requirements. (This is especially important after reorganizations; there may have been changes to a business process after a reorganization, and roles need to reflect those changes.) Forrester Research Inc. learned that enterprises iterate at least twice through a role-design cycle before they can build a solid foundation for role-based access control (RBAC). This cycle consists of seven phases:

• Develop or update an RBAC vision—Based on Forrester’s initial discovery conversations, successful organizations define, refine and communicate widely why they are implementing RBAC and what their long-term RBAC plans are.

• Gather requirements—Interview executives and business leaders to understand their expectations and explain how it’s to their benefit to support the process.

• Onboard applications and organizations—Organizations need to approach the owners and business users of the applications and conduct detailed interviews on how access is stored, granted and revoked, as well as what application-level roles exist.

• Mine roles—Mining roles (the automatic discovery of roles based on existing access rights and entitlements data) is the bottom-up discovery process of looking at what application access and entitlements within those applications an organization’s employees have. The results are used to make recommendations for role adjustments. Role mining usually takes about two weeks per application.

• Adjust roles—Once the mining process has determined role suggestions, these roles need to be adjusted. This adjustment is essentially comparing the as-is situation for access with what the newly defined roles would yield.

• Certify roles—Once roles are adjusted and measures are taken to ensure excessive permissions aren’t granted, the roles need to be certified by a role custodian. This is usually a member of the relevant business unit and not IT security. The role custodian has ongoing responsibility for ensuring the roles remain up to date and reflect realistic groupings of access rights and entitlements that map to business processes.

• Certify access—After the role structure goes live, the role management or user account-provisioning system sends email notifications to managers or application owners to request approval of their employees’ and users’ access rights and entitlements and the assignment of employees to roles.

2. Pitfalls to avoid during enterprise role design. Enterprise role design doesn’t emerge based solely on results of role mining. There are existing repositories of information in the organization that RBAC should examine, reuse and extend:

• Waiting for HR repository data quality to improve—Some organizations will have to accept that data quality and quantity in their HR databases is insufficient to create roles. Many times HR records lack or do not carefully record enough critical user attributes, such as geographic location, job code, department code, reporting structure, floor location, etc. Sometimes RBAC can’t be built on them because there is no unified HR database, or because HR databases are updated long after an actual event (especially transfer) takes place.

• Automatically equating an application role with an enterprise role—Those application roles that describe fine-grained sub-application level entitlements cannot be automatically rolled into a job role. Many application roles are too granular or defined too cryptically to be equated directly with an enterprise role. A complicated Active Directory group name or an SAP collection of entitlements does not map to the financial clerk role.

• Using technology-heavy terms in role descriptions—One message has been made resoundingly clear in our interviews: The purpose of an enterprise role system is to expose IT access management to business people in business-friendly terms (creating “telling” descriptions in tools that clearly describe the job functions of the employees that the roles are granted to).

• Listening only to “onboarding” clerks and managers—Interviews with employees and managers who participate in requesting and revoking access rights for newly hired and terminated employees provided a wealth of information about how application access is granted.


3. Target simple areas that yield high return. Almost all of the organizations that Forrester interviewed in regard to role management (including banks, healthcare providers, transportation companies, energy and utility companies, colleges, etc.) followed a combination of these best practices when they identified the initial area for implementing enterprise RBAC:

• Areas with high employee turnover—These job responsibility areas require a lot of traditional IT administration effort and pose higher security risk. Ensuring that employees in these areas are provisioned quickly, but only given minimal access, and then de-provisioned just as promptly when appropriate, will resonate well with senior management.

• Areas with relatively simple and standardized functions—The fewer differences there are in people’s access in that environment, the easier RBAC definition and implementation will be. In these organizations, you can expect to have hundreds or thousands of people in the same role.

• Newly acquired organizations—Sometimes it’s easier to lead an IT integration and clean-up activity when focusing on a newly acquired company. Implementing enterprise roles in a pilot project at a newly acquired organization is an easier sell with senior management than impacting a legacy organization at the acquiring company.
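The two selection criteria above that can be measured from data (uniform access across people in an area, and HR records complete enough to derive a role, the gap the first pitfall describes) can be scored before a pilot is chosen. The script below is an added example, not code from the guide or from Forrester; the department names, attribute list, entitlement names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# HR attributes the guide lists as often missing; a role cannot be derived
# for a user whose HR record lacks any of them (list is an assumption).
REQUIRED_HR_ATTRS = ("job_code", "department", "location", "manager")

def user(uid, job_code, department, location, manager, *entitlements):
    # One constructed HR record joined with the user's raw application groups.
    return {"id": uid, "job_code": job_code, "department": department,
            "location": location, "manager": manager, "entitlements": set(entitlements)}

# Constructed sample (not from the guide); group names are deliberately cryptic,
# as real Active Directory and SAP entitlement names tend to be.
USERS = [
    user("u1", "TLR", "Branch Ops", "NYC", "m1", "CN=APP-TLR-RW", "SAP:Z_CASH_01"),
    user("u2", "TLR", "Branch Ops", "NYC", "m1", "CN=APP-TLR-RW", "SAP:Z_CASH_01"),
    user("u3", "TLR", "Branch Ops", "BOS", "m1", "CN=APP-TLR-RW", "SAP:Z_CASH_01"),
    user("u4", "TRD", "Trading", "LDN", "m2", "CN=APP-TRD-ADM", "SAP:Z_FX_07", "CN=APP-TLR-RW"),
    user("u5", "TRD", "Trading", "", "m2", "CN=APP-TRD-RO"),  # location never recorded by HR
    user("u6", "TRD", "Trading", "LDN", "m2", "CN=APP-TRD-ADM", "SAP:Z_FX_07"),
]

def hr_record_complete(u):
    return all(u.get(attr) for attr in REQUIRED_HR_ATTRS)

def access_uniformity(entitlement_sets):
    """Mean pairwise Jaccard similarity; 1.0 means everyone holds identical access."""
    pairs = list(combinations(entitlement_sets, 2))
    if not pairs:
        return 1.0
    return sum(len(a & b) / len(a | b) if a | b else 1.0 for a, b in pairs) / len(pairs)

def score_departments(users):
    """Per department: headcount, share of usable HR records, access uniformity."""
    by_dept = defaultdict(list)
    for u in users:
        by_dept[u["department"] or "<no department>"].append(u)
    report = {}
    for dept, members in by_dept.items():
        report[dept] = {
            "headcount": len(members),
            "hr_complete_ratio": sum(map(hr_record_complete, members)) / len(members),
            "access_uniformity": round(access_uniformity([u["entitlements"] for u in members]), 2),
        }
    return report

def pilot_candidates(report, min_uniformity=0.8, min_hr_complete=0.9):
    # Departments clearing both hurdles, most uniform (then largest) first.
    ok = [d for d, s in report.items()
          if s["access_uniformity"] >= min_uniformity and s["hr_complete_ratio"] >= min_hr_complete]
    return sorted(ok, key=lambda d: (-report[d]["access_uniformity"], -report[d]["headcount"]))
```

On the sample data, Branch Ops (identical access, complete HR data) is the only pilot candidate; Trading fails both hurdles because its traders hold divergent access and one record is missing a required attribute.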

Defining enterprise roles, even with automated mining, is not easy. To ease the burden, follow these best practices, and remember to work one-on-one with your business representatives, gain their support, and implement a carefully phased role implementation process.

Andras Cser is a principal analyst at Forrester Research, where he serves security & risk professionals and is a leading expert on identity management and access controls.


TECHTARGET SECURITY MEDIA GROUP

VICE PRESIDENT/GROUP PUBLISHER Doug Olender

PUBLISHER Josh Garland

DIRECTOR OF PRODUCT MANAGEMENT Susan Shaver

DIRECTOR OF MARKETING Kristin Hadley

SALES DIRECTOR Dara Such

CIRCULATION MANAGER Kate Sullivan

ASSOCIATE PROJECT MANAGER Suzanne Jackson

PRODUCT MANAGEMENT & MARKETING Corey Strader, Jennifer Labelle, Andrew McHugh

SALES REPRESENTATIVES Eric Belcher [email protected]

Patrick [email protected]

Jason Olson [email protected]

Jeff Tonello [email protected]

Nikki Wise [email protected]

TECHTARGET INC. CHIEF EXECUTIVE OFFICER Greg Strakosch

PRESIDENT Don Hawk

EXECUTIVE VICE PRESIDENT Kevin Beam

CHIEF FINANCIAL OFFICER Eric Sockol

EUROPEAN DISTRIBUTION Parkway Gordon Phone 44-1491-875-386 www.parkway.co.uk

LIST RENTAL SERVICES Julie Brown Phone 781-657-1336 Fax 781-657-1100

REPRINTS FosteReprints Rhonda Brown Phone 866-879-9144 x194 [email protected]

“Technical Guide on Managing Identities and Access Control” is published by TechTarget, 117 Kendrick St., Suite 800, Needham, MA 02494 U.S.A.; Phone 781-657-1000; Fax 781-657-1100.

All rights reserved. Entire contents, Copyright © 2010 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or SearchSecurity.com.

EDITORIAL DIRECTOR Michael S. Mimoso

SEARCHSECURITY.COM SENIOR SITE EDITOR Eric Parizo

NEWS EDITOR Robert Westervelt

SITE EDITOR William Hurley

ASSISTANT EDITOR Maggie Wright

ASSISTANT EDITOR Carolyn Gibney

ART & DESIGN CREATIVE DIRECTOR Maureen Joyce


SPONSOR RESOURCES

Guardium, an IBM Company (see ad page 1)

• Oracle Account Security Techniques

• Database Security and Auditing: Getting Started

• Your Enterprise Database Security Strategy 2010 (Forrester Research)

Centrify Corporation (see ad page 3)

• Implement a least-privilege security model for Linux and UNIX

• Video chalktalk library of in-depth IAM technology discussions

• White paper: integrate your Unix, Linux, Mac, Java and web platforms with Active Directory

FoxT (see ad page 6)

• Top Ten Essentials for Privileged Account Management

• Role-Based Access Control (RBAC): The Next Generation of Access Management

• Proactively Controlling Access to Patient Data