Kuppinger Cole Virtual Conference
The Three Elements of Access Governance
Martin Kuppinger, Kuppinger Cole
December 8th, 2009
This virtual conference is sponsored by Axiomatics and Oracle
© Kuppinger Cole 2009
www.id-conf.com/eic2010
• MARKET MATURITY
• REGULATION, PRIVACY, INFORMATION SECURITY
• GOVERNANCE, MITIGATING RISK
• CLOUD COMPUTING & TRUST
• ROLES AND ATTRIBUTES
• AUTHENTICATION & AUTHORIZATION
CREATING MORE VALUE FOR LESS THROUGH IDENTITY MANAGEMENT & GRC
Call for Speakers: http://www.id-conf.com/events/eic2010/callforspeakers
Sponsors/Exhibitors:
http://www.id-conf.com/events/eic2010/sponsorinfo
Virtual Conference
Enterprise Access Governance: Controlling Access, Ensuring Information Security
www.kuppingercole.com/webinars
DECEMBER 8-9, 2009
• How to efficiently mitigate your "access risks"
• Full Access Governance – combining access certification, role management, provisioning, and privileged access management
• RBAC vs. ABAC: Comparing Role Based and Attribute based Access
• The business view – Enterprise GRC vs. IT-GRC and where they should be linked
• Mitigating application security risks
• How does Access Governance fit into your GRC roadmap?
Kuppinger Cole Reports
Some of the current reports:
•Market Report Cloud Computing
•Product Report Radiant Logic Virtual Directory Server
•Vendor Report Arcot Systems
•Product Report Sun Identity Manager
•Vendor Report ActivIdentity
•Trend Report Enterprise Role Management
•Vendor Report Quest Software
•Product Report SailPoint IdentityIQ
•Vendor Report BHOLD 2009
•Vendor Report Entrust 2009
•Vendor Report Oracle 2009
•Vendor Report Evidian
•Business Report Key Risk Indicators
http://www.kuppingercole.com/reports
Some guidelines for the Webinar
You will be muted centrally. You don't have to mute/unmute yourself – we can control the mute/unmute features
We will record the Webinar
Q+A will be at the end – you can ask questions using the Q+A tool anytime which we will pick at the end or, if appropriate, during the Webinar
Agenda
Part 1, Martin Kuppinger:
• The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access Management
Part 2:
• Q+A
Access Governance defined
Access Governance
• Access: managing access to systems and information – who is allowed to do what?
• Governance: enforcing a good practice of management – in this case particularly for IT
Context: IAM
• Identity and Access Management: the management of identities and their access
• It's mainly about access – but identities are needed for that
Context: GRC
• Governance, Risk Management, and Compliance
• Governance as the basic concept
• Risk Management and Compliance as elements of Governance
Context: Information Security
• Information Security is the business term
• That's why we mainly deal with topics like IAM and Access Governance
The three elements of Access Governance (figure: two groups, Analysis and Management)
The main elements (figure)
Analysis: Attestation/Recertification; Auditing
Management: Authorization Management; Privileged Account Management
Types of accounts: "Standard" user; Admin user
Attestation and Recertification: Analyzing the situation
Attestation/Recertification: the (manual) process of having responsible persons going through existing access controls (authorizations, entitlements) and attesting or revoking them
• Manual control process
• Regularly performed at the departmental manager level (but be careful on that)
• Supported by escalations and other procedures
The need for attestation: 5 good reasons
• Attestation is a first step to clean up access controls
• Attestation is (if done right) a continuous audit mechanism
• Attestation can show issues in identity and access lifecycle management
• Attestation educates users about the need for security
• Attestation can decrease access control-related IT security risks and the operational risks that depend on them
Approaches to attestation
Example of vendor rating (worse | good):
One-way, audit-oriented | Two-way, actionable
Single-layered | Multi-layered
Point-of-time | Continuous
Undifferentiated | Risk-based
Technical approaches
Path 1: Attestation as singular solution → Attestation as part of IAM-GRC platforms → Attestation as part of overall GRC platforms
Path 2: Identity Provisioning w/ reconciliation → Attestation features in Provisioning → Expand/integrate/move to IAM-GRC platforms
Threat: Multi-layered attestation
Layer | Objects | Managed by | Attestation question | Attested by
System Security | Access Control | System Administration | Correct Access Controls? | Identity Management + System Administration
System Roles | Groups, Roles, Profiles | Identity Management | Correct Assignments? | Business IT + Identity Management
Business Roles | Job, Hierarchy, Location, Project, … | Business IT | Correct Business Roles? | Management + Business IT
Employees | Tasks, Projects, … | Management | |
More Analysis: Adding Automated Controls
• Automated Controls support the ongoing analysis and (potentially) the real-time detection of issues
• Advanced analysis mechanisms support ad hoc analysis
• Specific attestation/recertification solutions typically support at least ad hoc controls
• Relevant as well for typical day-by-day IT operations
The situation
• Increasing pressure on IT management and operations
• Growing number of compliance regulations
• Increasing awareness of the need of IT Governance
• Increasing complexity of IT environments – breadth and depth
• Changing role of IT – less autonomy, more focus on efficient fulfillment
• More fear and awareness of security breaches
The result
More requests
More answers to provide
Less time to deliver
Higher workload for fewer people
Operational work is heavily affected
The real world of core systems
• Many servers
• Different systems
• Different operators, frequently some inconsistency in operations
• Large amount of data
• Large amount of controls
The answers to questions like "what has Mr. X done when" require:
• access to different systems at a detailed level
• strong capabilities in mapping and normalizing data
• strong analytic capabilities
• good reporting tools
The Reality: Missing auditability
• Which systems are out there? – Few enterprises know them all
• Which users have access to which systems? – Sometimes known for central systems, if there is a provisioning tool deployed (sometimes even via E-SSO)
• Which granular entitlements do they have? – Usually insufficiently solved even for core systems like Active Directory and SAP
Auditing, SIEM, Operations Management
Aspect | System-level Auditing | SIEM | Operations Management
Data | Current state and historical data | Current events, sometimes historical | Current events
Timing | Ex post | Real time | Real time
Focus | Security-focused | Security-focused | Operations-focused, all types of operational aspects
Scope | Mainly access controls | All types of security events, frequently more "classical security" than access controls | All types of events
Approaches to audit optimization
Integration
• Define the required elements – less is more
• Platforms help – few platforms are better than many point solutions
• Integrate these elements to support drill-down
Automation
• Focus on automated collection and strong analytical capabilities
Authorization Management: Closing the loop
The different terms – all about the same
• Access Control
• Authorization Management
• Entitlement Management
Authorization Management
• Actively managing access
• Not detective, but preventive
Authorization Management: Closing the loop (figure: a loop between Managing Authorizations and Analysis and Recertification)
Authorization Management: Beyond Attestation (figure)
Business Policies, Business Roles | IT Management, IT Controls
Policies | Roles, Groups | Entitlements
Attestation
Multi-layered Authorization Management
• Business Policies
• Assignment of Users to Groups, Roles, Profiles (Provisioning)
• Management of detailed Entitlements (System and App level, might be XACML based, …)
The Reality: Missing consistency
Consistent, centralized Authorization Management for heterogeneous environments?
• Windows, Active Directory, Exchange, SharePoint, …
• SAP, Enterprise Portals, other Business Applications, …
• Host, own applications, …
The Reality: Missing management (figure)
Controls layer: Status analysis
System layer: Authorization Management
Privileged Account Management: Focus on sensitive accounts
Adding privileged accounts
How to control the access of users using these accounts?
Emerging field, not fully covered by existing approaches (neither detective nor preventive)
Many terms, one target
The terms:
• PAM: Privileged Account Management
• PIM: Privileged Identity Management
• PUM: Privileged User Management
• Root Account Management
The target:
• Controlling privileged accounts and how they are used
Privileged Accounts: Beyond "root"
Administrators:
• root
• Windows Administrators (Domain and local)
• Database Administrators
• …
Technical users
System accounts
Service accounts
Why are these accounts that critical?
• Not necessarily associated with a single physical person
• Elevated privileges
• High risk
• Missing lifecycle management
• Missing auditability
PAM: The approaches
• Differentiated auditing of administrative activities
• Integration with Lifecycle Management approaches – no orphaned privileged accounts
• One-time passwords for privileged accounts
• Reduced entitlements of privileged accounts, for example using specialized shells
• Organizational actions
• Automatic generation of passwords for accounts without interactive logon
• Avoiding technical users
• SSO for privileged accounts
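The automated controls described above (ongoing analysis across the business-role, system-role and entitlement layers) and the PAM goal of no orphaned privileged accounts can be run as a script over an account snapshot. The following is an added example, not part of the deck or of any vendor's product; the role, group and entitlement names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (not from the deck): business roles -> system groups they justify.
BUSINESS_ROLE_TO_GROUPS: Dict[str, Set[str]] = {
    "accountant": {"FIN_Readers", "SAP_FI_Post"},
    "sysadmin": {"Domain Admins"},
}
# System groups -> the detailed entitlements they actually grant on the target systems.
GROUP_TO_ENTITLEMENTS: Dict[str, Set[str]] = {
    "FIN_Readers": {"fin:read"},
    "SAP_FI_Post": {"sap:fi:post"},
    "Domain Admins": {"ad:admin"},
}
# Entitlements treated as privileged by the orphaned-account control.
PRIVILEGED_ENTITLEMENTS = {"ad:admin", "sap:fi:post"}


@dataclass
class Account:
    name: str
    owner: Optional[str]       # None = technical/service account with no responsible person
    business_roles: Set[str]   # business layer (from HR / management)
    groups: Set[str]           # system layer, as observed on the target system
    interactive_logon: bool    # whether the account may log on interactively


def run_controls(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs a recertification campaign would route to an owner."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        expected = set().union(*(BUSINESS_ROLE_TO_GROUPS.get(r, set()) for r in a.business_roles))
        # Layer check: every observed group must be justified by a business role, and vice versa.
        for g in sorted(a.groups - expected):
            findings.append((a.name, f"group {g} not justified by a business role"))
        for g in sorted(expected - a.groups):
            findings.append((a.name, f"missing group {g} required by business role"))
        # PAM controls: no orphaned privileged accounts, no interactive logon for technical accounts.
        granted = set().union(*(GROUP_TO_ENTITLEMENTS.get(g, set()) for g in a.groups))
        if a.owner is None and granted & PRIVILEGED_ENTITLEMENTS:
            findings.append((a.name, "orphaned privileged account: no responsible owner"))
        if a.owner is None and a.interactive_logon:
            findings.append((a.name, "technical account allows interactive logon"))
    return findings


SAMPLE_ACCOUNTS = [  # constructed snapshot: one clean user, one drifted user, one orphaned service account
    Account("alice", "alice", {"accountant"}, {"FIN_Readers", "SAP_FI_Post"}, True),
    Account("bob", "bob", {"accountant"}, {"FIN_Readers", "Domain Admins"}, True),
    Account("svc_backup", None, set(), {"Domain Admins"}, True),
]
```

Calling `run_controls(SAMPLE_ACCOUNTS)` yields nothing for alice, two layer findings for bob and three findings for svc_backup; in practice the snapshot would be collected from the provisioning system and the target systems rather than embedded.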
PAM market: Evolution
• Point solutions
• PAM suites
• Integration with Identity Lifecycle Management
• Application Security Infrastructures
• Identity Federation, End-to-End Security
• Changing Security Models at the System Level (OS, Business Apps, …)
Maturity Levels of PAM approaches
Level | Status | Tools | Risk
Missing | No PAM at all | None | Very high
Ad hoc | Point solutions, typically for UNIX/Linux | Mainly sudo | Very high
Unplanned | Non-coordinated use of point solutions | PAM tools for specific system environments | Still high
Isolated | Coordinated use of PAM tools, but not integrated with other security approaches | Cross-platform PAM solutions | Reduced
Integrated | Integration of PAM with provisioning, Access Governance, and Application Architectures | Cross-platform PAM, Provisioning, Access Governance, Application Security Infrastructures | Minimized
Putting it all together: Consistent strategies
• Define a strategy – go beyond tactics
• Understand the relationship between different GRC layers
• Combine reactive and preventive approaches
• Combine analysis/attestation and active management
• Focus on a small set of tools – keep it simple
Information Security and Access Governance (figure)
Access Governance, within Information Security, consists of:
• Attestation and Recertification
• Advanced Analysis and Auditing
• Authorization Management
• Privileged Account Management