The Good, the Bad and the Ugly: A Different Perspective on Identity Governance

Transcript of The Good, the Bad and the Ugly: A Different Perspective on Identity Governance

© 2015 IBM Corporation

IBM Security

1

The Good, the Bad and the Ugly

On stage today

– Good #2 – Carsten Mielke, Head of Service Management at E.ON Global Commodities
– The Bad and the Ugly – Andrea Rossi, WW Sales Leader – Identity Governance @ IBM

Why Identity Governance? What is Identity Governance?

Identity Governance solutions help to resolve Security Risks and Audit findings related to logical access controls on business critical applications:

– Lack of (policy) violation detection: “Sensitive/Privileged access has been assigned to ordinary employees”, “Separation of Duty policies are not enforced, toxic combinations occur”.

Identity Governance solutions detect and prevent the risk of improper access to business applications. This ‘Security Posture’ is achieved through a combination of IT controls:

– Separation of Duties policy management
– Access Risk scoring
– Access Review and Certification
– Access Request management with central auditability

How did we get here today?

– 2003-2008 c.e.: The “Big Provisioning Brother” age
– 2009-2013 c.e.: The 1st Compliance ice age
– 2014-2018 c.e.: The IGAge (the Identity Governance and Administration age)

Identity Governance comprises 3 lifecycles

– Identity Lifecycle: Create, Change, Delete
– Entitlement/Role Lifecycle: Discover, Create, Review, Change
– Risk Lifecycle: Model, Measure, Mitigate, Detect

Business activities: Separation of Duties Management

– Separation of Duty modeling based on business processes eliminates the need for Role-to-Role SoD
– Speaks the Auditor’s language

The CRO dashboard: Access Risk scoring

– Model and measure Operational Risk
– Model, measure and trend risks across several datasets (OUs, Applications)
– Allows for ‘Risk driven’ access certification using ‘Heat maps’

IBM Security Identity Governance and Administration

Delivering actionable identity intelligence

– Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
– Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
– Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
– In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews
– Easy to deploy virtual appliances for multiple customer adoptions
  – Standalone Identity Governance
  – Integrate with existing Identity Management
  – Modernize legacy Identity management with integrated governance and administration

[Architecture diagram: Identity Governance and Administration Platform (VIRTUAL APPLIANCE) with Common Integration Adapters to Cloud Computing, Mobile Applications, Desktop and Server, Data, Mainframe; functions: Access Fulfillment, Self Service Portal, Risk/Access Visibility, Access Certification; audiences: IT Security Team, Auditors/Risk Managers, LoB Managers/Employees]

IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration

Source: Gartner (January 2015)

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)

“The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”

Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015, Report #G00261633

IBM’s ‘Augmented Governance’ scenario

[Diagram components: SIEM; IBM zSecure; Enterprise GRC (e.g. IBM Open P, RSA Archer); User Provisioning (e.g. IBM SIM/NetIQ IDM); SAP Security]

– The User Provisioning layer enforces access policies driven by ISIG
– ISIG feeds the GRC processes with Access-related risks (e.g. SoD).
– ISIG embraces and extends SAP and Mainframe Security
– ISIG injects ‘Identity and Access Intelligence’ to Security Incidents.

A Successful Implementation of a User Access Management System at E.ON Global Commodities (EGC)

Dr. Carsten Mielke

Head of Service Management

E.ON

Agenda

E.ON Global Commodities SE

Motivation/Drivers

Pre-Requisites

Vendor Selection process

Added Value

Lessons Learned

Challenges Ahead

E.ON Global Commodities SE

E.ON Global Commodities SE (EGC)

The energy trading business of E.ON, one of the world's largest investor-owned power and gas companies.

As the expert interface between the E.ON Group and international wholesale energy markets, we create value by managing the commodity price risks faced by E.ON and its customers, while optimizing the Group's broad and diverse power and gas portfolio.

• over 1000 professionals from more than 40 countries, based in headquarters in Düsseldorf
• one of the most active traders in the international wholesale energy markets
• 2011 volumes: Gas 2480 billion kWh, Power 1967 billion kWh, Carbon 598 million metric tons, Coal 269 million metric tons, Oil 89 million metric tons (~ 600 million barrels)
• active on more than 20 exchanges and in over 40 countries
• executed more than 850,000 trades in 2011

The drivers for a professional User Access Management

• Audits (according to Audit standards IDW RS FAIT 1, IDW PS330) showed strong need for improvement of evidence for legal demands on authorization and authentication.
• Capabilities required
  • record the granting, amending and revoking of access rights to applications in scope of the EGC application access processes;
  • enable control on whether internal control process requirements are working effectively at all times

“Nothing is more powerful than an idea whose time has come” – Victor Hugo

Expected benefits

• Harmonisation and standardization of user access related processes
• From different user application templates down to one, later to a workflow in the Intranet
• Better control of users, roles and privileges in the target systems
• Reducing the risk of abuse of non-intended status
• Quicker access, changes and termination of accounts in target systems
• User accounts and licenses can be better controlled
• Cost reduction possible
• Auditing control functions of SoD (Segregation of Duties) and sensitive access rights will be available in a more sophisticated way
• Reducing effort in providing audit evidence

Prerequisites for UAM at E.ON Global Commodities

• IT Solution
• HR Data Cleanup
• Process Setup
• Organizational Implementation

[Diagram labels: Starter / Mover / Leaver; CEO, CIO, HR, Risk, CFO; Clean Data; Traders, Internals, Externals]

Introduction of an IT Solution – Vendor Selection

Initial Analysis
• Detailed requirement definition of ~500 requirements
• Initial design of the Proof of Concept (PoC)

Market Analysis
• Request for Information (RfI) sent out to ~20 vendors

Evaluation of the feedback
• Rated regarding their coverage of the four defined functional areas
• Invitation of all 6 valid replies to provide a live demo of the solution approach

Evaluation of the presentation
• Selection of PoC candidates
• Finalization of the PoC design

Proof of Concept
• 6 use cases
• Both remaining vendors performing in parallel

Selection of the vendor
• Final selection of strategic partner

The Software Partner

• The CrossIdeas/IBM Identity & Access Governance platform (IDEAS) was selected
• Why did EGC choose CrossIdeas/IBM?
  • Risk/SoD modelling paradigm: 1-to-1 fit with Auditor requirements
  • Proximity
  • Consultative approach rather than product sale

Project roadmap (high level)

• Phase 1 (June-Dec 2012): ‘Understand the risk’
  • Detective approach, no changes to existing user provisioning processes
  • Implementation of User and SoD controls on 8 top critical applications
• Phase 2 (2013): ‘Reduce the risk’
  • Onboarding of additional applications (including Ruhrgas)
  • Access Certification
• Phase 3 (2014+): ‘Avoid the risk’
  • Implementation of more mature SoD controls
  • Streamline access request management

Logical architecture

[Diagram labels: IDEAS (Inform, Model, Detect, Mitigate); HR; Applications; Sync; Reports and Alerts; application names: Power UK, Cont. Power, Gas UK, Coal, Risk, Gas Trading, Backb. etc.]

Benefits

EGC is now in control

• One single view on ‘who could do what’
• Real-time detection of several types of access risks:
  • On User: SoD, Sensitive Access, orphan/service accounts;
  • On Application Roles: intrinsic SoD violation.
• Ability to immediately react by appropriate counter-measures such as periodical review processes, revoking accounts, etc.

‘Audit Ready, M&A Ready’
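The following Python sketch is an added illustration (not code from IBM, CrossIdeas or E.ON, and not the logic of the IDEAS product) of how the controls listed on the "Why Identity Governance?" slide, the business-activity SoD modeling slide and the detections named in the benefits above fit together: technical entitlements are mapped to business activities, the SoD policy is written as toxic activity pairs rather than a role-to-role matrix, and the user-level (SoD, sensitive access, orphan/service accounts), role-level (intrinsic SoD) and risk-scoring checks are run over a small constructed dataset. Every identity, account, entitlement, activity name and severity below is a constructed assumption.

```python
"""Business-activity SoD and access-risk checks over constructed data.

Added example; not IBM, CrossIdeas or E.ON code. All identities, accounts,
entitlements, activities and severities are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# --- Constructed sample data -------------------------------------------------
# Active employees as delivered by the HR feed (identity id -> name).
HR_IDENTITIES = {"u100": "alice", "u101": "bob", "u102": "carol"}

# Application accounts, keyed (application, account name) -> owning identity.
# None means no active HR owner could be matched (service account or leaver).
ACCOUNTS = {
    ("trading", "alice"): "u100",
    ("trading", "bob"): "u101",
    ("settlement", "alice"): "u100",
    ("settlement", "svc_batch"): None,   # service account
    ("trading", "dave"): None,           # leaver whose account survived
}

# Entitlements currently assigned to each account.
ASSIGNMENTS = {
    ("trading", "alice"): {"TRD_ENTER"},
    ("trading", "bob"): {"TRD_ENTER", "TRD_APPROVE"},
    ("settlement", "alice"): {"STL_PAY"},
    ("settlement", "svc_batch"): {"STL_ADMIN"},
    ("trading", "dave"): {"TRD_APPROVE"},
}

# Application roles and the entitlements they bundle.
ROLES = {
    ("trading", "TraderRole"): {"TRD_ENTER"},
    ("trading", "DeskHeadRole"): {"TRD_ENTER", "TRD_APPROVE"},
}

# Technical entitlement -> business activity: the auditor's vocabulary.
ENTITLEMENT_ACTIVITY = {
    ("trading", "TRD_ENTER"): "Enter trade",
    ("trading", "TRD_APPROVE"): "Approve trade",
    ("settlement", "STL_PAY"): "Release payment",
    ("settlement", "STL_ADMIN"): "Administer settlement system",
}

# SoD policy as toxic activity pairs with a severity; no role-to-role matrix.
SOD_POLICY = {
    frozenset({"Enter trade", "Approve trade"}): 8,
    frozenset({"Enter trade", "Release payment"}): 10,
}
# Activities that are sensitive on their own, with a severity.
SENSITIVE_ACTIVITIES = {"Administer settlement system": 5}


# --- Checks ------------------------------------------------------------------
def activities_for(app, entitlements):
    """Translate one application's technical entitlements into business activities."""
    return {ENTITLEMENT_ACTIVITY[(app, e)] for e in entitlements
            if (app, e) in ENTITLEMENT_ACTIVITY}


def sod_violations(activities):
    """Return [((activity_a, activity_b), severity)] for each toxic pair present."""
    found = []
    for a, b in combinations(sorted(activities), 2):
        severity = SOD_POLICY.get(frozenset({a, b}))
        if severity is not None:
            found.append(((a, b), severity))
    return found


def orphan_accounts():
    """Accounts with no active HR identity behind them (service accounts, leavers)."""
    return sorted(acct for acct, owner in ACCOUNTS.items()
                  if owner not in HR_IDENTITIES)


def user_risks():
    """Aggregate each identity's activities across applications and score them.

    Working on activities rather than roles makes the cross-application SoD
    case (enter a trade in one system, release payment in another) visible.
    """
    per_identity = defaultdict(set)
    for acct, owner in ACCOUNTS.items():
        if owner in HR_IDENTITIES:
            per_identity[owner] |= activities_for(acct[0], ASSIGNMENTS.get(acct, set()))
    report = {}
    for ident, name in HR_IDENTITIES.items():
        acts = per_identity.get(ident, set())
        sod = sod_violations(acts)
        sensitive = sorted(a for a in acts if a in SENSITIVE_ACTIVITIES)
        score = sum(s for _, s in sod) + sum(SENSITIVE_ACTIVITIES[a] for a in sensitive)
        report[ident] = {"name": name, "activities": sorted(acts), "sod": sod,
                         "sensitive": sensitive, "score": score}
    return report


def role_intrinsic_violations():
    """Roles whose own entitlement bundle violates SoD: every holder violates."""
    return [(role, pair, sev)
            for (app, role), ents in ROLES.items()
            for pair, sev in sod_violations(activities_for(app, ents))]


def certification_queue(report, threshold=8):
    """Risk-driven certification: highest-scoring identities first, at or above threshold."""
    ranked = sorted(report, key=lambda ident: -report[ident]["score"])
    return [ident for ident in ranked if report[ident]["score"] >= threshold]


if __name__ == "__main__":
    report = user_risks()
    for ident, r in report.items():
        print(ident, r["name"], "score", r["score"], "SoD", r["sod"], "sensitive", r["sensitive"])
    print("orphan accounts:", orphan_accounts())
    print("intrinsic role SoD:", role_intrinsic_violations())
    print("review first:", certification_queue(report))
```

Run as a script, the sketch flags alice for a cross-application SoD conflict (trade entry in one system, payment release in another) that a per-application or role-to-role check would not see, flags bob and the DeskHeadRole bundle for the enter/approve combination, lists the service account and the leaver's surviving account as orphans, and orders the certification queue by score so reviewers start with the highest risk.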

Lessons learned

Supportive
• Project staffing incl. project management and business representation;
• Selected vendor of the supporting IAM System represented an optimal fit to company IT and their “getting things done”-culture. Remarkably short implementation time of 4 months;
• Development of Segregation of Duties (SoD) model and vendor selection was carried out simultaneously.

Recommendations
• Implementing SoD is an organisational task, project should have been primarily driven by central business function;
• Carefully consider a tight time schedule from the very beginning and have it reflected in appropriate staffing;
• Internal Knowledge of security models of the selected applications should be robust enough to build a rigorous SoD implementation on top of it.

Challenges ahead