The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
Transcript of The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
© 2015 IBM Corporation
IBM Security
2
On stage today
Good#2 – Carsten Mielke
Head of Service Management
at E.ON Global Commodities
The Bad and the Ugly –
Andrea Rossi
WW Sales Leader – Identity
Governance @ IBM
3
Why Identity Governance? What is Identity Governance?
Identity Governance solutions help to resolve Security Risks and Audit findings related to logical access controls on business critical applications:
– Lack of (policy) violation detection: “Sensitive/Privileged access has been assigned to ordinary employees”, “Separation of Duty policies are not enforced, toxic combinations occur”.
Identity Governance solutions detect and prevent the risk of improper access to business applications. This ‘Security Posture’ is achieved through a combination of IT controls:
– Separation of Duties policy management
– Access Risk scoring
– Access Review and Certification
– Access Request management with central auditability
4
How did we get here today?
2003-2008 c.e.: The “Big Provisioning Brother” age
2009-2013 c.e.: The 1st Compliance ice age
2014-2018 c.e.: The IGAge (the Identity Governance and Administration age)
5
Identity Governance comprises 3 lifecycles
Identity Lifecycle: Create, Change, Delete
Entitlement/Role Lifecycle: Discover, Create, Review, Change
Risk Lifecycle: Model, Measure, Mitigate, Detect
6
Business activities Separation of Duties Management
Separation of Duty modeling on business processes eliminates the need for Role-to-Role SoD
Speaks the Auditor’s language
7
The CRO dashboard: Access Risk scoring
Model and Measure Operational Risk
Models, measures and trends risks across several datasets (OUs, Applications)
Allows for ‘Risk driven’ access certification using ‘Heat maps’
8
IBM Security Identity Governance and Administration
Delivering actionable identity intelligence
Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews
Easy to deploy virtual appliances for multiple customer adoptions
– Standalone Identity Governance
– Integrate with existing Identity Management
– Modernize legacy Identity management with integrated governance and administration
[Architecture diagram: the Identity Governance and Administration Platform (virtual appliance) connects through Common Integration Adapters to Cloud Computing, Mobile Applications, Desktop and Server, Data and Mainframe, and serves the IT Security Team, Auditors / Risk Managers and LoB Managers / Employees through Access Fulfillment, a Self Service Portal, Risk / Access Visibility and Access Certification]
9
IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration
Source: Gartner (January 2015)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)
"The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”
Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015 Report #G00261633
10
IBM’s ‘Augmented Governance’ scenario
[Diagram: ISIG at the centre, connected to SIEM, IBM zSecure, Enterprise GRC (e.g. IBM Open P, RSA Archer), User Provisioning (e.g. IBM SIM/NetIQ IDM) and SAP Security]
The User Provisioning layer enforces access policies driven by ISIG.
ISIG feeds the GRC processes with access-related risks (e.g. SoD).
ISIG embraces and extends SAP and Mainframe Security.
ISIG injects ‘Identity and Access Intelligence’ into Security Incidents.
A Successful Implementation of a User Access Management System at E.ON Global Commodities (EGC)
Dr. Carsten Mielke
Head of Service Management
E.ON
12
Agenda
E.ON Global Commodities SE
Motivation/Drivers
Pre-Requisites
Vendor Selection process
Added Value
Lessons Learned
Challenges Ahead
14
E.ON Global Commodities SE (EGC)
• The energy trading business of E.ON, one of the world's largest investor-owned power and gas companies.
• As the expert interface between the E.ON Group and international wholesale energy markets, we create value by managing the commodity price risks faced by E.ON and its customers, while optimizing the Group's broad and diverse power and gas portfolio.
• over 1000 professionals from more than 40 countries, based in headquarters in Düsseldorf
• one of the most active traders in the international wholesale energy markets
• 2011 volumes: Gas 2480 billion kWh, Power 1967 billion kWh, Carbon 598 million metric tons, Coal 269 million metric tons, Oil 89 million metric tons (~ 600 million barrels);
• active on more than 20 exchanges and in over 40 countries
• executed more than 850,000 trades in 2011
15
The drivers for a professional User Access Management
• Audits (according to Audit standards IDW RS FAIT 1, IDW PS330) showed strong need for improvement of evidence for legal demands on authorization and authentication.
• Capabilities required:
• record the granting, amending and revoking of access rights to applications in scope of the EGC application access processes;
• enable control on whether internal control process requirements are working effectively at all times
“Nothing is more powerful than an idea whose time has come” – Victor Hugo
16
Expected benefits
• Harmonisation and standardization of user access related processes
• From different user application templates down to one, later to a workflow in the Intranet
• Better control of users, roles and privileges in the target systems
• Reducing the risk of abuse of non-intended status
• Quicker access, changes and termination of accounts in target systems
• User accounts and licenses can be better controlled
• Cost reduction possible
• Auditing control functions of SoD (Segregation of Duties) and sensitive access rights will be available in a more sophisticated way
• Reducing effort in providing audit evidence
17
Prerequisites for UAM at E.ON Global Commodities
[Diagram: four prerequisites, IT Solution, HR Data Cleanup (Clean Data), Process Setup (Starter / Mover / Leaver) and Organizational Implementation, with stakeholders CEO, CIO, CFO, HR and Risk, and user populations Traders, Internals and Externals]
18
Introduction of an IT Solution – Vendor Selection
Initial Analysis
• Detailed requirement definition of ~500 requirements
• Initial design of the Proof of Concept (PoC)
Market Analysis
• Request for Information (RfI) sent out to ~20 vendors
Evaluation of the feedback
• Rated regarding their coverage of the four defined functional areas
• Invitation of all 6 valid replies to provide a live demo of the solution approach
Evaluation of the presentation
• Selection of PoC candidates
• Finalization of the PoC design
Proof of Concept
• 6 use cases
• Both remaining vendors performing in parallel
Selection of the vendor
• Final selection of strategic partner
19
The Software Partner
• The CrossIdeas/IBM Identity & Access Governance platform (IDEAS) was selected
• Why did EGC choose CrossIdeas/IBM?
• Risk/SoD modelling paradigm: 1-to-1 fit with Auditor requirements
• Proximity
• Consultative approach rather than product sale
20
Project roadmap (high level)
• Phase 1 (June-Dec 2012): ‘Understand the risk’
• Detective approach, no changes to existing user provisioning processes
• Implementation of User and SoD controls on 8 top critical applications
• Phase 2 (2013): ‘Reduce the risk’
• Onboarding of additional applications (including Ruhrgas)
• Access Certification
• Phase 3 (2014+): ‘Avoid the risk’
• Implementation of more mature SoD controls
• Streamline access request management
21
Logical architecture
[Diagram: IDEAS (Inform, Model, Detect, Mitigate) synchronises with HR and the onboarded applications (Power UK, Cont. Power, Gas, UK Coal, Risk, Gas Trading, Backb. etc.) and produces Reports and Alerts]
22
Benefits
EGC is now in control
• One single view on ‘who could do what’
• Real-time detection of several types of access risks:
• On User: SoD, Sensitive Access, orphan/service accounts;
• On Application Roles: intrinsic SoD violation.
• Ability to immediately react by appropriate counter-measures such as periodical review processes, revoking accounts, etc.
‘Audit Ready, M&A Ready’
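Added example, not code from the deck or from the IDEAS product: a small Python model of the business-activity SoD approach from the “Business activities Separation of Duties Management” slide, run over the detection types listed on the Benefits slide (user SoD across roles, intrinsic SoD inside a single role, orphan/service accounts checked against the HR feed). Every entitlement, rule, role and user name is constructed for the example.

```python
"""Business-activity Separation of Duties checks over a constructed snapshot.
Entitlements map to business activities; an SoD rule is a pair of activities
that must not be held together, so a new role needs only its mapping, not a
role-to-role rule against every other role."""

# Constructed sample data: hypothetical entitlements, rules, roles, HR feed.
ENTITLEMENT_ACTIVITY = {
    "sap:trade_entry":   "Enter Trade",
    "sap:trade_approve": "Approve Trade",
    "sap:vendor_master": "Maintain Vendor",
    "sap:pay_release":   "Release Payment",
    "sap:report_view":   "View Reports",
}
SOD_RULES = [
    frozenset({"Enter Trade", "Approve Trade"}),
    frozenset({"Maintain Vendor", "Release Payment"}),
]
ROLES = {
    "FrontOffice": ["sap:trade_entry", "sap:report_view"],
    "RiskControl": ["sap:trade_approve", "sap:report_view"],
    "DealDesk":    ["sap:trade_entry", "sap:trade_approve"],  # toxic on its own
    "Payables":    ["sap:vendor_master"],
    "Treasury":    ["sap:pay_release"],
}
HR_ACTIVE = {"cmielke", "arossi"}             # current employees per the HR feed
USER_ROLES = {
    "cmielke":   ["FrontOffice"],
    "arossi":    ["FrontOffice", "RiskControl"],  # violation across two roles
    "svc_batch": ["Payables", "Treasury"],        # no HR record: orphan/service
}

def activities_of(entitlements):
    """Translate entitlements into the business activities they enable."""
    return {ENTITLEMENT_ACTIVITY[e] for e in entitlements if e in ENTITLEMENT_ACTIVITY}

def sod_violations(activity_set):
    """Rules whose both activities are present, as sorted activity pairs."""
    return sorted(tuple(sorted(r)) for r in SOD_RULES if r <= activity_set)

def intrinsic_role_violations(roles=ROLES):
    """Roles that by themselves grant a toxic combination ('On Application Roles')."""
    found = {n: sod_violations(activities_of(e)) for n, e in roles.items()}
    return {n: v for n, v in found.items() if v}

def review_user(user, user_roles=USER_ROLES, roles=ROLES, hr_active=HR_ACTIVE):
    """Per-user findings: SoD over all assigned roles plus orphan check vs HR."""
    ents = [e for r in user_roles.get(user, []) for e in roles[r]]
    return {"sod": sod_violations(activities_of(ents)), "orphan": user not in hr_active}
```

Calling `intrinsic_role_violations()` flags DealDesk on its own, while `review_user("arossi")` flags the same toxic pair reached through two individually clean roles, and `review_user("svc_batch")` reports both an SoD hit and a missing HR record.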
23
Lessons learned
Supportive
• Project staffing incl. project management and business representation;
• Selected vendor of the supporting IAM System represented an optimal fit to company IT and their “getting things done” culture. Remarkably short implementation time of 4 months;
• Development of Segregation of Duties (SoD) model and vendor selection was carried out simultaneously.
Recommendations
• Implementing SoD is an organisational task; the project should have been primarily driven by a central business function;
• Carefully consider a tight time schedule from the very beginning and have it reflected in appropriate staffing;
• Internal knowledge of the security models of the selected applications should be robust enough to build a rigorous SoD implementation on top of it.