3.1 Security and Compliance Portfolio Strategy.ppt (2006-08-06)

© 2006 IBM Corporation

Slide 1: IT Service Management – Security and Compliance Portfolio and Roadmap

Venkat Raghavan, Program Director – Security & Compliance, IBM Software Group, Tivoli Software

Slide 2: A Comprehensive Approach to IT Service Management

[Diagram of the IBM IT Service Management stack. Best Practices: Open Process Automation Library (OPAL), IBM Tivoli Unified Process (ITUP), IBM Global Technology Services, ecosystem of System Integrators and Business Partners. IT Process Management Products: Service Delivery & Support, Service Deployment, Information Management, Business Resilience, IT CRM & Business Management. IT Service Management Platform: Change and Configuration Management Database (CCMDB). IT Operational Management Products: Server, Network & Device Management; Storage Management; Security Management; Business Application Management.]

Slide 3: IT Service Management: Security & Compliance

[Diagram mapping the security and compliance portfolio onto the same stack: Compliance & Governance Processes; IT Compliance Automation Console; Change and Configuration Management Database (CCMDB); Security and Compliance Products: Identity & Access Mgmt, Directory, SOA Security Management, Security Event Mgmt (Micromuse), Federated Identity Mgmt, Single Sign On, Server, Network Compliance.]

Slide 4: Marketplace insight – Traditional views on models are changing

Trends:
• Corporate governance/regulatory compliance has C-level exec visibility
• Anytime, anywhere access required for many services and information
• New threats motivated by financial gains: phishing, ID theft, spam
• Attackers exploiting vulnerabilities at the IT service or business process level (e.g., ChoicePoint)

Customer Requirements:
• Emerging need to secure composite & SOA applications – Private Label, Joint Ventures, M&A, Software-As-Services
• Reduce cost of Audit, Compliance & Governance – Automation of IT Controls
• Strong Authentication & Data Protection

Slide 5: ITSM Portfolio Focus Areas – Security & Compliance

• Governance, Risk and Compliance
• Change Integrity
• Identity & Access Management
• SOA Security and Federated Identity Management
• Security Information Event Management

User populations in scope: Employees, Contractors, Suppliers, Partners, Brokers

Slide 6 (section divider): Governance and Compliance

Slide 7: Governance is top of mind for CIOs

Governance-related topics rank high: in the first three weeks, more than 300 members used the CIO Executive Board's IT Governance (ITG) competency diagnostic to assess functional capabilities.

Slide 8: Control Objectives for Compliance Initiatives

[Chart of control objectives per compliance initiative; red = most often required control objective.]

Slide 9: Governance, Risk and Compliance

[Diagram: Business Governance Objectives drive the IT governance cycle (Set Objectives, Provide Direction, IT Activities, Measure Performance, Verify & Improve); the Risk & Compliance Posture feeds the Selection & Testing of Controls.]

Slide 10: Compliance is a big part of IT Governance – Establish Controls and Measurement

[Diagram: the IT Governance cycle (Set Objectives, Provide Direction, IT Activities, Measure Performance, Verify & Improve); Compliance (Establish Metrics and Controls, Verify Controls); Audit (Audit Change, Monitor Status).]

• Compliance is the proactive implementation of IT process controls
• Audit is the reactive analysis of implemented IT process controls

Slide 11: Compliance Architecture

Compliance Architecture Elements: Control objectives; Policies; Rules; Standards; Business Process (Application Controls); IT Data Model (IT Controls); Processes and Workflow; IT and Application Controls Monitoring Tasks; CCMDB; various IT tools, products and "bespoke" applications.

Slide 12: Compliance Automation Strategy – Platform for management and enforcement of IT Controls

• Helps clients manage IT controls using COBIT and ISO 17799 to address regulations. Generic IT compliance technology that can be used with a number of external (SOX, Basel II, HIPAA, etc.) and internal regulations
• COBIT controls tie together security, change, data/storage, threat management and other domains
• Value is focused on integrated reporting and compliance data management across OMPs
• Open platform for connecting third-party applications
• Target: the CIO's office "compliance designee". Key influencers: auditors, LOB, CFO office

[Diagram: the Compliance Process Manager (roadmap) cycle – Identify Compliance Requirements, Define Compliance Controls Plan, Test Compliance Controls, Assess & Report on Compliance, Implement Remediation activities – running over COBIT IT Compliance Controls Automation and Compliance Task Automation on the ITSM platform (CCMDB; define and instantiate best practices), with the Security OMP and the Storage OMP implementing the IT controls.]

Slide 13 (section divider)

Slide 14: Challenges with Managing IT Changes

• Fewer than 1% of IT organizations perform configuration management beyond simple desktop and server network configurations, making change management risk and impact assessment extremely difficult [1]
• Hundreds of changes are made every week without a change ticket or authorization [2]
• 40% of unplanned downtime is caused by operations failures, typically people and process issues related to infrastructure changes, as well as configuration and problem management [3]
• "The #1 predictor of a security event is a change"

Source: Gartner reports

Callout: 85% of problems are caused by changes

Slide 15: Unauthorized Change Scenario – 4 Steps

[Diagram: (1) TADDM (part of CCMDB) discovers the financial applications and populates the CMDB, which manages the CIs; the "applications" that need to be under "unauthorized change" control are published from the Policy DB to Tivoli Access Manager (TAM); administrators act on those applications through Access Manager; the output is Unauthorized Change Reports. Only step 1 is labelled in the captured text; steps 2 to 4 survive only as bare numbers.]
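The reconciliation that the four-step scenario above and the "changes without a change ticket" point on slide 14 call for, as an added Python example (not IBM or Tivoli code): observed changes to CIs under change control are checked against approved change tickets, and a change is reported when no ticket covers it or when the ticket was approved by the person who made the change. All CI names, tickets, changes and field names are constructed assumptions.

```python
"""Reconcile observed configuration changes against approved change tickets.
Added illustration of the slides' unauthorized-change scenario, not IBM/Tivoli
code; all CIs, tickets, changes and field names below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    ci: str                 # configuration item the ticket authorizes changes to
    approved_by: str
    window_start: datetime  # approved change window
    window_end: datetime

@dataclass(frozen=True)
class ObservedChange:
    ci: str
    attribute: str
    changed_by: str
    at: datetime

# CIs published from the policy DB as under "unauthorized change" control (constructed)
CONTROLLED_CIS = {"fin-app-01", "fin-db-01"}

# Approved change tickets (constructed)
TICKETS = [
    ChangeTicket("CHG-1001", "fin-app-01", "cab-manager",
                 datetime(2006, 8, 1, 22, 0), datetime(2006, 8, 2, 2, 0)),
    ChangeTicket("CHG-1002", "fin-db-01", "dba1",
                 datetime(2006, 8, 3, 8, 0), datetime(2006, 8, 3, 10, 0)),
]

# Changes as discovery/monitoring would report them (constructed)
OBSERVED = [
    ObservedChange("fin-app-01", "jvm.heap", "admin1", datetime(2006, 8, 1, 23, 10)),
    ObservedChange("fin-app-01", "datasource.url", "admin2", datetime(2006, 8, 3, 14, 5)),
    ObservedChange("fin-db-01", "listener.port", "dba1", datetime(2006, 8, 3, 9, 0)),
    ObservedChange("web-proxy-01", "cache.size", "ops", datetime(2006, 8, 3, 10, 0)),
]

def authorizing_ticket(change, tickets):
    """Return the ticket whose CI and approved window cover the change, else None."""
    for t in tickets:
        if t.ci == change.ci and t.window_start <= change.at <= t.window_end:
            return t
    return None

def reconcile(observed, tickets, controlled_cis):
    """Return (change, reason) pairs for changes to controlled CIs that are not
    properly authorized: no covering ticket, or a ticket approved by the same
    person who made the change (a separation-of-duties violation)."""
    findings = []
    for c in observed:
        if c.ci not in controlled_cis:
            continue  # not under change control, so out of scope for this report
        t = authorizing_ticket(c, tickets)
        if t is None:
            findings.append((c, "no approved change ticket covers this change"))
        elif t.approved_by == c.changed_by:
            findings.append((c, f"{t.ticket_id} approved by the person who made the change"))
    return findings

def unauthorized_change_report(findings):
    """Render the findings, one line per change, for the unauthorized change report."""
    return "\n".join(
        f"{c.at:%Y-%m-%d %H:%M} {c.ci} {c.attribute} by {c.changed_by}: {reason}"
        for c, reason in findings
    )
```

Running `unauthorized_change_report(reconcile(OBSERVED, TICKETS, CONTROLLED_CIS))` on the sample data reports the out-of-window change to fin-app-01 and the self-approved change to fin-db-01, and ignores web-proxy-01 because it is not under change control.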

Slide 16: IT – Challenges to Compliance

• Can IT processes tell you "which users are authorized to access what applications?"
• Can IT processes prevent unauthorized changes?
• Can IT processes tell you "which" applications are dealing with "client data"?

• Controls to mitigate "privileged administrator abuse"
• Controls that implement role-based access to critical apps
• Controls to reduce risk of customer data disclosure

Slide 17 (section divider): SOA Security Management / Federated Identity Management

Slide 18: The Vertical Silo Problem

[Diagram: Division "A", Division "B", Division "C", Division "D" and Division "E" shown as separate vertical silos.]

Slide 19: Service Composition – Security Challenges in composing Services

[Diagram: a Retail Insurance Product Portal composed from several parties (Clients; an Outsourced Provider offering a White Label service; an Internal Service Provider; an Acquisition), each with its own security layer over XML/WSDL/SOAP, its own Identity Management and its own Access Management/Rules.]

Pain points (Identity Mgmt for Brokers, Customers):
• User Authentication
• User Access Control
• User Provisioning
• Federated Audit
• Single Sign On
• Fine-grained access control to Business Applications

Constraint: has to work with Web Services, HTTP, SMS, MMS and various intermediaries

Slide 20: Where Are We Heading – Service Oriented Architecture

[Diagram: an SOA layering of Process, Services, Components (Business Component) and Resources, with the relationships <<compose>>, <<choreograph>>, <<interface>> and <<implement>> between the layers; the participants shown are Outsourced Supplier, Shared Services, Division(s) and Customer.]

Slide 21: Common Security Questions in an SOA context

• How do we provision access rights and entitlements to SOA services?
• How do services "identify" and "authenticate" users?
• How do services enforce access control – Gold vs. Platinum?
• How do services associate user or identity context?
• How do services enforce user-specific rules to services across multiple channels?
• How do we implement role-based access to services? (Portal context)
• How can we protect service integrity by detecting & preventing unauthorized changes?
• How do we integrate security with new application components: Message Broker, Process Servers across vendor solutions?
• How can we deliver end-to-end security, transactional audit and compliance for services?
• How do we identify users of service metadata?

Slide 22: SOA and Federated Identity Buying Occasions

Business Drivers: Business Transformation; Outsourcing; Software-As-Services; Web Services SSO; Intra-Enterprise Integration; System Z Integration

Technical Drivers: User Strong Authentication; User & Business Access Control; User Application Security; User Federated Audit; Federated Access to z-based Web Services; Centralized Policy Management

Related Products: WebSphere Process Server; Portal; ITCAM; DataPower

Slide 23: Security Services for SOA – Application Pattern

[Diagram of an Insurance Portal. Tiers: Portal/Presentation; Business Tier (Application Server) running the Insurance Process; an ESB; and the Data/Legacy Tier (WebSphere, .NET, SAP). Users reaching it over the Internet: client-users with direct authentication access, client-users with federated access from a local portal, admin users, and third-party credit scorers. A Federation & Access Gateway (FIM, with DataPower; SAML/Liberty/WS-Security) is the first line of defense, the identity verification & authentication layer. Security services across the tiers: Identification & Authentication, Authorization & Privacy, Audit, Policy Services, Identity Provisioning, Identity Federation, SOA Security Management.]

Slide 24: Identity Integration Challenges – Federation Gateway

[Diagram: a Multi-Protocol Federation Gateway in front of the SAP, WebSphere and MS .NET platforms, receiving an "identity" from partners using WS-Federation, partners using Liberty, partners using SAML in their portal or web, and partners using WS-Security.]

How to share information with trusted providers?
• Identity Management as a business process for cross-enterprise collaboration
• A way to associate "identities" to "services" in an SOA
• Identities can be "external" or "internal"

Slide 25: TFIM on System Z – Enabling System Z as a first class security platform for Applications

[Diagram: the z/OS platform (mainframe integrity; z/OS security admin & management; CICS, IMS, DB2, WAS, CTS, RACF, Vanguard (RACF mgr), TIM on Z, Federated ID on System Z) connected to distributed platforms (Federated ID, WAS, CTG, IAM, Active Directory).]

• Support for RACF Passtickets
• Identification of scenarios leveraging TFIM to integrate with WebSphere
• Working on CICS Transaction Gateway (CTG), CICS Transaction Server (CTS), HATS

Position System Z as first class platform for Application Security – Hub for Applications

Slide 26: Application Enabler

[Diagram: an Enterprise Hub whose FIM Business Gateways connect Strategic Partners (partner users), an Application Service Provider, Employees, White Label Services users and SAML direct users.]

A large service provider integrating their business processes with a number of their smaller clients:
• Easier to integrate Application Services – "Software-As-Services", M&A, Private Labels, Partnerships, Resells
• Federated Identity Lifecycle Management

Slide 27: FIM Business Gateway

Application Enabler for connecting clients to Enterprise Providers: a solution targeted at enabling our enterprise customers to quickly and securely integrate their "clients".

Key differences:
– Does not include TAMeb (Tivoli Access Manager for e-business)
– Focus on SSO for Web and Web Services
– Optimized for Business Applications: MS .NET, WebSphere, …

Focus:
– Process Transformation: Supply chain, Financial Services, Healthcare, Government
– ISVs

Simpler solution that replaces "home-grown" Web SSO and Access Control solutions. Turnkey solution with best practices and GTM focus.

Slide 28 (section divider): Identity & Access Management

Slide 29: Portfolio: Identity, Access and Security Event Monitoring

[Diagram: Users & Applications served by Identity Management, Authentication & Access Management, Enterprise Single Sign On and user-centric SOA & Federated Identity Management, built on Directory Server and Directory Integrator, with Server, Network Compliance and Security Information Event Management alongside.]

Slide 30: Tivoli Approach – Tivoli IdM is foundation for Strong Auth

[Diagram: the Tivoli Security Platform with the strong-authentication options it supports: Soft Certificate and Soft OTP; All-in-one Token (OTP & USB Smart Card); PKI-USB Token; Mobile Devices; Smart Card for Physical & Network Access; OTP Only; All-in-one Token with secure storage; Biometric; Operating System Based.]

Slide 31: Tivoli Identity Manager – Product & Roadmap

Product:
• Role-based, self-service, and hybrid user account provisioning and deactivation
• Centralized, pre-built and customizable access rights reports to efficiently support IT governance and compliance audits
• Challenge/response self-care password reset reduces help desk calls
• Risk-based compliance issue remediation: automatically detects violations and applies risk-appropriate corrective actions
• Policy simulation provides "what-if" analysis of automated management policies
• Powerful workflow builder and custom adapter toolkit supports virtually any business process

Roadmap:
User Experience Adaptable to Corporate Branding Needs
– Business-friendly provisioning requests and approvals
– Tailored, configurable user interface views for different user personas
– Look and feel customizable via style sheets and custom text
– Section 508 Accessibility compliance
Simplified Deployment Options
– Supported auto-upgrade paths between TIM Express and TIM (middleware upgrade a prerequisite)
– Simplified post-install configuration and fixpack application
Automated Compliance Lifecycle
– Auditor-centric UI view and reports
– Business-friendly revalidation of granular user access rights
– Additional compliance-related reports
– Integration with compliance & reporting systems/processes

Automated identity and user access rights lifecycle management

Slide 32: Access Control – Tivoli Access Manager Strategy & Roadmap

Tivoli Access Manager Family (EAL-3 certified)

Strong Authentication Platform: flexible choice among diverse authentication mechanisms; step-up; forced re-authentication

Single Sign-On: native desktop and Web SSO; integrate w/TFIM for federated SSO; integrate w/partner products for client/server SSO

Policy-driven; resource "agnostic"; standards-based (Java, .NET, C/C++)

Compliance: unauthorized change management; reporting; COBIT Controls support

SOA Security Management: XACML Policy Management engine; integration with Process Server and Service Registry

Slide 33: Tivoli Access Manager for Enterprise Single Sign On

• Simplify user experience and increase security by eliminating the need to remember and manage passwords
• Logon and password change support for almost any Windows, Web, Java and host-based application
• Single secure strong authentication for initial authentication, re-authentication and forced authentication
• Automatic password generation and policy support
• Integrated with Tivoli Identity Manager to provision and remove credentials
• Integrated with Tivoli Access Manager to enable fine-grained authorization and entitlements to web applications

Reduce help desk costs and extend audit capabilities

Slide 34: Tivoli Security Operations Manager (NeuSecure)

Security incident management and policy monitoring
– Real-time correlation
– Broad device support
– Added TAM and TIM monitoring in 2006

Automate regulatory compliance reporting
– Sarbanes-Oxley, GLBA, HIPAA, FISMA etc.

New integrations to support ITSM strategy in 2006
– Escalate critical security events to TEC and Netcool
– Common data collection with Netcool

Slide 35: Tivoli Security Operations Manager (NeuSecure)

Customers are increasingly seeking solutions integrated with network & systems operations, and with identity & access management.

Focus Areas:
• Security Operations Center (SOC) automation (real-time event correlation, incident management)
• Compliance-focused log aggregation, monitoring, and reporting
• TSOM 3.1 integration: Netcool, TEC, TIM and TAM

Slide 36: Tivoli Security Compliance Manager

[Diagram: the IT Environment (Operating Systems, Applications, Workstations, Databases, Users) as seen by IT, Security and the CxO, driven by Business Issues, Regulations and Standards; IT concerns shown: Slammer, MSBlaster, OS patches, password violations.]

Server Compliance: a security policy compliance product that checks systems and applications for vulnerabilities and identifies violations against security policies.

Key benefits:
• Helps to secure corporate data and integrity
• Identifies software security vulnerabilities
• Decreases IT costs through automation, centralization, and separation of duties
• Assists in complying with legislative and governmental standards

Slide 37: Tivoli Product Portfolio – Available TODAY!

Security Management products include:
• Tivoli Access Manager for e-business
• Tivoli Access Manager for Operating Systems
• Tivoli Access Manager for E-SSO
• Tivoli Identity Manager Family
• Tivoli Federated Identity Manager
• Tivoli Directory Server
• Tivoli Directory Integrator
• Security Compliance Manager
• Tivoli Security Operations Manager (NeuSecure)

Storage Management products include:
• Tivoli Storage Manager
• Tivoli Continuous Data Protection for Files
• TotalStorage Productivity Center

Server, Network & Device Management products include:
• Tivoli Enterprise Console
• Tivoli Monitoring
• Tivoli OMEGAMON
• Tivoli NetView
• Tivoli Remote Control
• Tivoli Systems Automation
• Tivoli Workload Scheduler
• Tivoli Provisioning Manager
• Tivoli Configuration Manager
• Tivoli Decision Support for z/OS
• Netcool/OMNIbus
• Netcool/Proviso
• Netcool/Precision
• Netcool/Monitors

Business Application Management products include:
• Tivoli Composite Application Manager
• Tivoli Business Systems Manager
• Tivoli Intelligent Orchestrator
• Tivoli Service Level Advisor
• Tivoli License Manager
• Tivoli License Compliance Manager
• Netcool/Impact

[Diagram: the IBM IT Service Management stack (Best Practices; IT Process Management Products; IT Service Management Platform; IT Operational Management Products) with the four product groups above as the operational management layer.]

Integrated across silos through the ITSM platform to the IT process management products

Slide 38: Disclaimers and Trademarks

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Torvalds in the United States and other countries. Other company, product, or service names may be trademarks or service marks of others. ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office. IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

