C21 - Leveraging an Identity Management Foundation to Sustain Compliance

Date post: 09-Apr-2018

Transcript
  • 8/8/2019 C21 - Leveraging an Identity Management Foundation to Sustain Compliance

    1/20

    C21 - Leveraging an Identity Management Foundation to Sustain Compliance

    Mick Coady
    2/20

    Leveraging an Identity Management Foundation to Sustain Compliance
    Michael Coady, Vice President, Solution Strategy, Security Business Unit

    Agenda
    Some pertinent data
    The challenge of managing multiple users and entitlements
    Identity Lifecycle Management defined
    Three components: Identity Management, Security Compliance Management, Role Management and Role Engineering
    CA customer perspectives

    3/20

    Security Attacks and Breaches

    [Chart: percentage of organizations reporting each security challenge, 2008 vs 2006. Categories: Virus attack, Internal breach of security, Denial-of-service attack, Network attack, None. X-axis: Percentage, 0-100.]
    Only increase: the first time security attack/breach incidence has declined, except for internal breach incidence, which has more than doubled compared to five years ago (15%-20%).
    N=500. Q13. What types of security challenges has your organization dealt with over the past 12 months? Source: The Strategic Counsel, 2008

    Strictly Privileged and Confidential

    Security Attack/Breach Costs

    [Chart: percentage of organizations reporting each impact, 2008 vs 2006. Categories: Loss of trust/confidence, Lost productivity, Loss of confidential information, Loss of business/revenue/customers, Damage to reputation, Embarrassment, Reduced customer satisfaction, Loss of intellectual property. X-axis: Percentage, 0-100.]
    Most significant increases: significantly increasing internal breach incidence, and significantly increasing loss of confidential information and reduced customer satisfaction. A coincidence? Perhaps not.
    N=500. Q14. What impact have these security challenges had on your organization? Source: The Strategic Counsel, 2008

    4/20

    Security Compliance Costs - Budget

    [Chart: percentage of firms spending at least the given share of their IT budget on IT security compliance. Categories: 10% or more, 20% or more, 30% or more, 40% or more, 50% or more, TOTAL. X-axis: Percentage, 0-100.]
    Security compliance is a huge IT budget eater; organizations need this to be more effective/efficient: 56% of U.S. enterprise-class firms spend 20% or more of their IT budget on IT security compliance.
    N=500. Q104. What percent of your organization's IT budget is spent specifically to ensure IT security compliance with various regulations? Source: The Strategic Counsel, 2008

    Security Compliance Costs - Time

    [Chart: percentage of firms spending at least the given share of their IT time on IT security compliance. Categories: 10% or more, 20% or more, 30% or more, 40% or more, 50% or more, TOTAL. X-axis: Percentage, 0-100.]
    Security compliance is a huge IT time eater; organizations need this to be more effective/efficient: 57% of U.S. enterprise-class firms spend 20% or more of their IT time on IT security compliance.
    N=500. Q105. What percent of your organization's IT time is spent specifically to ensure IT security compliance with various regulations? Source: The Strategic Counsel, 2008

    5/20

    IAM Issues and Problems

    [Chart: percentage of respondents naming each area a problem. Categories: Automated review and approval of user access privileges; Tracking and reporting on user activity that may pose a risk to the organization; Central management and enforcement of policies that ensure audit and legal requirements; The creation, enforcement and verification of role-based access across diverse enterprise applications. X-axis: Percentage, 0-100.]
    Respondents feel there are several areas where IAM can be more efficient or better managed. A majority of respondents say these are problem areas.
    N=500. Q101. Are any of the following problem areas for your organization? Source: The Strategic Counsel, 2008

    What Users Expect IAM To Deliver: 2008 Top Deliverables

    [Chart: stacked bars of Very Important / Important / Neither Important nor Not-Important / Not Important / Not at All Important. Categories: Improved security; Web services security; Improved audit capability/transparency; Improved risk management; Better IT dept efficiency/cost reductions; Centralized control w/ distributed enforcement of role-based access to server resources; Centralized web access management; Better user account management; Automated identity management services across all platforms used; Improved regulatory compliance. X-axis: Percentage, 0-100.]
    Emphasis is currently on utilizing IAM to deliver improved security.
    N=500. Q7. How important is it for your current or planned IT Identity and Access Management solution to deliver the following? Source: The Strategic Counsel, 2008

    6/20

    What Users Expect IAM To Deliver: 2006 Top Deliverables

    [Chart: stacked bars of Very Important / Important / Neither Important nor Not-Important / Not Important / Not at All Important. Categories: Improved security; Improved regulatory compliance; Better IT dept efficiency/cost reductions; Improved risk management; Improved audit capability/transparency; Better user account management; Improved facilitation of secure e-business; Improved customer/end-user self-service; Single sign-on. X-axis: Percentage, 0-100.]
    In 2006 there was more emphasis on utilizing IAM to improve compliance and achieve IT efficiencies / cost reductions.
    N=500. Q7. How important is it for your current or planned IT Identity and Access Management solution to deliver the following? Source: The Strategic Counsel, 2006

    Consumer and IAM Decision-Maker Security and Privacy Confidence

    [Chart: percentage of Consumers vs IAM Decision-Makers citing each impact of a breach. Categories: Reduced customer satisfaction; Reputation of organization damaged; Loss of customer/public trust and confidence. X-axis: Percentage, 0-100.]
    Breaches/losses have big consequences; consumers and IAM Pros agree.
    N=400. Q6. What is the impact of major security or privacy breaches for you?
    N=500. Q17. If your organization suffered a loss of customer or transaction data, what impact would it have? Source: The Strategic Counsel, 2008

    7/20

    Consumer and IAM Decision-Maker Security and Privacy Confidence

    [Chart: percentage of Consumers vs IAM Decision-Makers agreeing that each sector does not spend enough. Categories: Retailers do not spend enough; Banks do not spend enough; Government does not spend enough. X-axis: Percentage, 0-100.]
    A large majority of consumers thinks spending isn't high enough; a significant percentage of IAM Pros agree.
    N=400. Q8-Q10. Do you think ________ spends enough on on-line security and privacy?
    N=100 Retail; N=100 Federal/State Government; N=100 Financial Services. Q20. Thinking in percentage terms, do you think the percentage of your organization's total IT budget devoted to security is too low, adequate or too high? Source: The Strategic Counsel, 2008

    Consumer Security and Privacy Confidence

    [Chart: percentage of consumers very confident the sector can protect on-line personal and private information. Categories: Financial Services, Government, Retailers. X-axis: Percentage, 0-50.]
    Consumers aren't very confident their on-line personal and private information is protected.
    N=500. Q3a-b-c. How confident are you that the banking industry is properly protecting your on-line personal and private information? How confident are you that retailers are properly protecting your on-line personal and private information? How confident are you that the Government is properly protecting your on-line personal and private information? Source: The Strategic Counsel, 2008

    8/20

    IAM Decision-Maker Security and Privacy Confidence

    [Chart: percentage of IAM Decision-Makers at each confidence level. Categories: Very confident, Somewhat confident, Not confident, Not confident at all. X-axis: Percentage, 0-100.]
    Only 28% of IAM Pros are very confident their firm/organization can protect itself against losing customer or transaction data.
    N=500. Q15. How confident are you that your organization can protect itself against losing customer or transaction data? Source: The Strategic Counsel, 2008

    Consumer Personal Information Theft Victimization

    [Chart: Yes/No percentages. Categories: Have personally suffered a personal information theft; Know someone who has suffered a personal information theft. X-axis: Percentage, 0-100.]
    More than one-fifth of U.S. consumers have suffered a personal information theft; almost half know someone who has been a victim.
    N=400. Q7-Q8. Have you ever suffered a personal information theft? Do you know someone who has been the victim of personal information theft? Source: The Strategic Counsel, 2008

    9/20

    The Regulatory Environment: Global and Growing

    SOX
    HIPAA
    FIPS 200
    EU Privacy Directive
    ACSI33
    FFIEC Information Security
    CobiT 3rd Edition DS5.5
    OGC ITIL: Security Management 4.3
    NIST SP 800-53
    FFIEC Operations
    ISO 27001

    Compliance: The Early Days

    [Diagram: Internal Auditing linking Accounting Systems, External Requirements and Reporting to the business functions Human Resources, Sales and Marketing, Manufacturing, Internal Audit, Finance, IT and Legal Counsel.]

    10/20

    Enter SOX

    [Diagram: the same Internal Auditing picture with SOX added: SOX Audits and Test Results feed Reporting alongside Accounting Systems and External Requirements, across Human Resources, Sales and Marketing, Manufacturing, Internal Audit, Finance, IT and Legal Counsel.]

    Next Come PCI, EU Privacy Directive, Internal Policies (as well as Compliance Management)

    [Diagram: the same picture again, now with PCI, the EU Privacy Directive and Internal Policies added beside SOX.]

    11/20

    The Challenge of Managing Multiple Users and their Entitlements

    > Security silos
    > Inconsistent enforcement
    > High admin cost
    > Increased risks

    Many policies
    > External regulations: legislative, industry-specific
    > Best practices
    > Internal

    Many manual compliance processes
    > Access reviews
    > User entitlements
    > Certification

    12/20

    The Challenge of Managing Multiple Users and their Entitlements

    > Difficult administration (difficult to administer access rights)
    > Difficult compliance
    > Reduced security
    > High help desk costs

    Many manual compliance processes
    > Access reviews
    > User entitlements
    > Certification

    Many entitlements
    > Mainframe
    > RDBMS
    > LDAP
    > NOS
    > ERP

    Many policies
    > External regulations: legislative, industry-specific
    > Best practices
    > Internal

    Many roles
    > Many user types
    > Poor role mapping
    > Privilege accumulation

    13/20

    Identity Lifecycle Management: The Solution

    Solution to Managing Multiple Users and Entitlements: Identity Lifecycle Management replaces the problem areas of the previous slide (many roles, many manual compliance processes, many entitlements, many policies) with:

    Reduced roles
    > Increased efficiency
    > Appropriate entitlements

    Security compliance automation
    > Reduced admin costs
    > Risk reduction

    Reduced entitlements
    > Easier administration
    > Reduced costs
    > Improved auditing for easier compliance

    Centralized policies
    > Consistent security & enforcement

    14/20

    Identity Lifecycle Management Defined

    Goal: Automating identity-related processes that span the entire enterprise

    What are identity-related processes?
    On-boarding/off-boarding an employee
    Users managing their own profiles
    Executing proper provisioning approval processes
    Ensuring user entitlements match functional responsibilities
    Validating the company is in compliance
    And more

    15/20

    Identity Lifecycle Management: IT Needs

    Role Management
    Understand what roles exist in the enterprise
    Establish a role model that fits the organization
    Analyze and maintain the role model as the business evolves

    Identity Management
    Assign users to roles
    Apply role-based controls
    Provision users with approved accounts and privileges
    Manage change requests and approvals over time

    Security Compliance Management
    Understand security policy
    Import audit/log data
    Import identity information
    Compare, then initiate and verify remediation
    Streamline security compliance processes

    Role Mining/Management
    Enables efficient and accurate identity and entitlement management

    Role Mining
    Enables gap analysis, cleanup and role modeling

    Ongoing Role Management
    Processes role approval/adaptation and self-service requests
    Detects business changes that affect the role structure

    Auditing and Reporting
    Assesses role exceptions, cleanup and repair
    Provides executive reporting and an audit trail

    16/20

    Role Management Key Capabilities
    The Secret Ingredient: Pattern Recognition Analysis

    Data Cleanup, Validation and Remediation
    > Clean and match user IDs
    > Identify out-of-pattern and exceptional users

    Audit/Gap Analysis
    > Assess and audit systems for exceptions

    Role Modeling
    > Reveal methodology
    > Define roles top-down/bottom-up
    > Policy modeling

    Model Management and Reporting
    > Detect changes and exceptions
    > Adapt role-based model
    > Verify, certify, and report

    Integration
    > Enriches provisioning processes

    Identity Management: Central engine for identity-related processes

    Provisioning/De-Provisioning
    Quickly assigns and removes access privileges
    Automates consistent workflow processes

    User Self Service
    Empowers end users to resolve issues
    Reduces burden on IT and help desk

    Identity Administration
    Centralizes data/policy for consistency across the enterprise
    Delegates decision-making to application owners

    17/20

    Identity Management Key Capabilities
    The Secret Ingredient: Modular yet Integrated

    Role-based Provisioning/De-Provisioning
    Ensure timely access and protect sensitive resources

    User Self-Service
    Decrease help
    improve user satisfaction

    Workflow
    Enforce consistent and automated approval processes

    Integration
    From web applications to the mainframe

    Auditing and Reporting
    Entitlements tracking

    Centralized Administration
    Establish an authoritative identity source

    Security Policies
    Enforce identity controls, separation of duties

    Security Compliance: Meet compliance objectives on a continuous basis

    Compliance Reporting and Dashboards
    Generates access, entitlement and audit reports
    Cross-system compliance reporting

    User and Role Entitlement Certification
    Validates users' access is appropriate for their role
    Ensures access to applications is appropriate

    Change Management and Validation
    systems
    Enables timely follow-up on remediation requests

    18/20

    Security Compliance Key Capabilities
    The Secret Ingredient: Process-centric Platform

    Entitlement Certification
    Periodic reviews of users' access, roles and applications

    Validation and Remediation
    Automatically follows up on requests to verify fixes are complete

    Integration
    IAM, GRC and Help-Desk integrations

    Change Certification and Attestation
    Dynamically commence an approval process for any identified change

    Compliance Warehouse
    Centralized compliance evidence warehouse

    Security Compliance Reporting and Dashboards
    Cross-system compliance reports and dashboards

    Identity Lifecycle Management Payoff

    Increased security and reduced risk
    Eliminate unauthorized access and orphan accounts
    Easier to prove compliance

    Reduced cost, increased productivity
    Automation, delegation and self-service
    Overcome idle users requesting help desk support
    Consolidation of roles accelerates provisioning

    Improved user experience/satisfaction
    Faster & easier access to applications and data

    Centralized hub for storing all security
    Provides ongoing visibility and project management over access review processes
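    The "compare, then initiate and verify remediation" step of Security Compliance Management (slide 15) and the entitlement certification, orphan-account and separation-of-duties controls above, as an added Python example that is not code from the CA deck: it reconciles constructed target-system account exports against a constructed authoritative identity source and role model and raises the remediation items a certification review would work through. The identity records, role model, SoD rule, system names and function names are all my own assumptions.

```python
# Added example, not code from the CA deck: the "compare" step of Security
# Compliance Management (import identity information and account/audit data,
# compare against the role model, raise remediation items). All data constructed.
from collections import defaultdict

# Constructed authoritative identity source (e.g. an HR feed)
IDENTITIES = {
    "u1001": {"status": "active", "role": "ap_clerk"},
    "u1002": {"status": "active", "role": "ap_approver"},
    "u1003": {"status": "terminated", "role": "dba"},
}

# Constructed role model: role -> entitlements approved on each target system
ROLE_MODEL = {
    "ap_clerk": {"erp": {"ap_invoice_entry"}, "ldap": {"staff"}},
    "ap_approver": {"erp": {"ap_invoice_approve"}, "ldap": {"staff"}},
    "dba": {"rdbms": {"sysadmin"}, "ldap": {"staff"}},
}

# Constructed separation-of-duties rule: entitlements one person must not combine
SOD_RULES = [({"ap_invoice_entry", "ap_invoice_approve"}, "enter and approve invoices")]

# Constructed account exports from target systems: (system, account owner, entitlements)
ACCOUNTS = [
    ("erp", "u1001", {"ap_invoice_entry", "ap_invoice_approve"}),  # privilege accumulation
    ("ldap", "u1001", {"staff"}),
    ("erp", "u1002", {"ap_invoice_approve"}),
    ("ldap", "u1002", {"staff"}),
    ("rdbms", "u1003", {"sysadmin"}),  # leaver whose account was never de-provisioned
    ("ldap", "svc_old", {"staff"}),  # no identity in the authoritative source
]


def reconcile(identities, role_model, sod_rules, accounts):
    """Return remediation items as (severity, owner, system, detail) tuples."""
    findings = []
    held = defaultdict(set)  # owner -> entitlements held across all systems
    for system, owner, ents in accounts:
        ident = identities.get(owner)
        if ident is None:
            findings.append(("high", owner, system, "orphan account: no matching identity"))
            continue
        if ident["status"] != "active":
            findings.append(("high", owner, system, "orphan account: owner terminated"))
            continue
        held[owner] |= ents
        approved = role_model.get(ident["role"], {}).get(system, set())
        for extra in sorted(ents - approved):  # gap between held and role-approved access
            findings.append(("medium", owner, system, f"entitlement outside role: {extra}"))
    for owner, ents in held.items():  # SoD is checked across systems, not per account
        for pair, why in sod_rules:
            if pair <= ents:
                findings.append(("high", owner, "*", f"SoD conflict: {why}"))
    return findings


def certification_summary(findings):
    """Per-severity counts, the figure a compliance dashboard would show."""
    counts = defaultdict(int)
    for severity, *_ in findings:
        counts[severity] += 1
    return dict(counts)


if __name__ == "__main__":
    items = reconcile(IDENTITIES, ROLE_MODEL, SOD_RULES, ACCOUNTS)
    print(certification_summary(items), items)
```

    Each finding is a ticket for the remediation workflow; re-running reconcile after the fixes is the "verify remediation" step, which should return an empty list for the same inputs.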

    19/20

    Customer Successes: Identity Lifecycle Management

    Problems
    Organizations with more roles than users
    10+ days to provision new employees
    Very complex IT environments: 100+ target systems, 150K roles, 200K identities
    Many weeks to complete compliance processes such as access reviews (multiple man-weeks)

    Solutions
    Reduce 150K roles to
