Post on 09-Apr-2018
8/8/2019 C21 - Leveraging an Identity Management Foundation to Sustain Compliance

C21 - Leveraging an Identity Management Foundation to Sustain Compliance
Michael (Mick) Coady
Vice President, Solution Strategy, Security Business Unit
Agenda
Some pertinent data
The challenge of managing multiple users and entitlements
Identity Lifecycle Management defined
Three components: Identity Management, Security Compliance Management, Role Management and Role Engineering
CA customer perspectives
Security Attacks and Breaches
[Chart: percentage of organizations reporting each type of security challenge in the past 12 months, 2008 vs 2006. Categories: Virus attack, Internal breach of security, Denial-of-service attack, Network attack, None.]
Callout: the first time security attack/breach incidence has declined, except for Internal Breach incidence, the only increase, which has more than doubled compared to five years ago (15%-20%).
Strictly Privileged and Confidential
N=500. Q13. What types of security challenges has your organization dealt with over the past 12 months? Source: The Strategic Counsel, 2008
Security Attack/Breach Costs
[Chart: percentage of organizations reporting each impact, 2008 vs 2006. Impacts: Loss of trust/confidence, Lost productivity, Loss of confidential information, Loss of business/revenue/customers, Damage to reputation, Embarrassment, Reduced customer satisfaction, Loss of intellectual property. Loss of confidential information and reduced customer satisfaction are marked as the most significant increases.]
Callout: significantly increasing Internal Breach incidence, and significantly increasing Loss of Confidential Information and Reduced Customer Satisfaction; a coincidence? Perhaps not.
N=500. Q14. What impact have these security challenges had on your organization? Source: The Strategic Counsel, 2008
Security Compliance Costs - Budget
Percentage of U.S. enterprise-class firms spending the given share of their IT budget on IT security compliance (cumulative):
10% or more: 81.4
20% or more: 56.0
30% or more: 34.0
40% or more: 22.4
50% or more: 15.6
Callout: security compliance is a huge IT budget eater; organizations need this to be more effective/efficient. 56% of U.S. enterprise-class firms spend 20% or more of their IT budget on IT security compliance.
N=500. Q104. What percent of your organization's IT budget is spent specifically to ensure IT security compliance with various regulations? Source: The Strategic Counsel, 2008
Security Compliance Costs - Time
Percentage of U.S. enterprise-class firms spending the given share of their IT time on IT security compliance (cumulative):
10% or more: 81.4
20% or more: 57.0
30% or more: 30.4
40% or more: 19.8
50% or more: 15.6
Callout: security compliance is a huge IT time eater; organizations need this to be more effective/efficient. 57% of U.S. enterprise-class firms spend 20% or more of their IT time on IT security compliance.
N=500. Q105. What percent of your organization's IT time is spent specifically to ensure IT security compliance with various regulations? Source: The Strategic Counsel, 2008
IAM Issues and Problems
Percentage of respondents saying each is a problem area (a majority in every case):
Automated review and approval of user access privileges: 62.0
Tracking and reporting on user activity that may pose a risk to the organization: 60.4
Central management and enforcement of policies that ensure audit and legal requirements: 60.0
The creation, enforcement and verification of role-based access across diverse enterprise applications: 59.4
Callout: respondents feel there are several areas where IAM can be more efficient or better managed.
N=500. Q101. Are any of the following problem areas for your organization? Source: The Strategic Counsel, 2008
What Users Expect IAM To Deliver: 2008 Top Deliverables
[Chart: importance of each deliverable for the current or planned IAM solution, on the scale Very Important / Important / Neither Important nor Not Important / Not Important / Not at All Important. Deliverables: Improved security, Improved regulatory compliance, Web services security, Improved audit capability/transparency, Improved risk management, Better IT dept efficiency/cost reductions, Centralized control with distributed enforcement of role-based access to server resources, Centralized web access management, Better user account management, Automated identity management services across all platforms used. Improved security leads, with 56.6% rating it very important.]
Callout: emphasis is currently on utilizing IAM to deliver improved security.
N=500. Q7. How important is it for your current or planned IT Identity and Access Management solution to deliver the following? Source: The Strategic Counsel, 2008
What Users Expect IAM To Deliver: 2006 Top Deliverables
[Chart: same question and scale as the 2008 chart. Deliverables: Improved security, Improved regulatory compliance, Better IT dept efficiency/cost reductions, Improved risk management, Improved audit capability/transparency, Better user account management, Improved facilitation of secure e-business, Improved customer/end-user self-service, Single sign-on. Rated very important: Improved security 50.2%, Improved regulatory compliance 46.0%, Better IT dept efficiency/cost reductions 44.8%.]
Callout: in 2006 there was more emphasis on utilizing IAM to improve compliance and achieve IT efficiencies / cost reductions.
N=500. Q7. How important is it for your current or planned IT Identity and Access Management solution to deliver the following? Source: The Strategic Counsel, 2006
Consumer and IAM Decision-Maker Security and Privacy Confidence
[Chart: percentage citing each impact of a major security or privacy breach, consumers vs IAM decision-makers. Impacts: Reduced customer satisfaction, Reputation of organization damaged, Loss of customer/public trust and confidence. Values range from 76.4% to 82.4%.]
Callout: breaches/losses have big consequences; consumers and IAM pros agree.
N=400. Q6. What is the impact of major security or privacy breaches for you?
N=500. Q17. If your organization suffered a loss of customer or transaction data, what impact would it have? Source: The Strategic Counsel, 2008
Consumer and IAM Decision-Maker Security and Privacy Confidence
[Chart: percentage saying retailers, banks and government do not spend enough on on-line security and privacy, consumers vs IAM decision-makers. "Retailers do not spend enough" is the top consumer response at 72.5%.]
Callout: a large majority of consumers thinks spending isn't high enough; a significant percentage of IAM pros agree.
N=400. Q8-Q10. Do you think ________ spends enough on on-line security and privacy?
N=100 Retail; N=100 Federal/State Government; N=100 Financial Services. Q20. Thinking in percentage terms, do you think the percentage of your organization's total IT budget devoted to security is too low, adequate or too high? Source: The Strategic Counsel, 2008
Consumer Security and Privacy Confidence
[Chart: percentage of consumers very confident that financial services, government and retailers can protect their on-line personal and private information; under 12% in every sector.]
Callout: consumers aren't very confident their on-line personal and private information is protected.
N=500. Q3a-b-c. How confident are you that the banking industry is properly protecting your on-line personal and private information? How confident are you that retailers are properly protecting your on-line personal and private information? How confident are you that the Government is properly protecting your on-line personal and private information? Source: The Strategic Counsel, 2008
IAM Decision-Maker Security and Privacy Confidence
Confidence of IAM decision-makers that their organization can protect itself against losing customer or transaction data (percentage):
Very confident: 28.0
Somewhat confident: 58.2
Not confident: 11.8
Not confident at all: 2.0
Callout: only 28% of IAM pros are very confident their firm/organization can protect itself against losing customer or transaction data.
N=500. Q15. How confident are you that your organization can protect itself against losing customer or transaction data? Source: The Strategic Counsel, 2008
Consumer Personal Information Theft Victimization
Have personally suffered a personal information theft: Yes 22.5, No 77.5
Know someone who has suffered a personal information theft: Yes 48.0
Callout: more than one-fifth of U.S. consumers have suffered a personal information theft; almost half know someone who has been a victim.
N=400. Q7-Q8. Have you ever suffered a personal information theft? Do you know someone who has been the victim of personal information theft? Source: The Strategic Counsel, 2008
The Regulatory Environment: Global and Growing
SOX, HIPAA, FIPS 200, EU Privacy Directive, ACSI 33, FFIEC Information Security, CobiT 3rd Edition DS5.5, OGC ITIL: Security Management 4.3, NIST SP 800-53, FFIEC Operations, ISO 27001

Compliance: The Early Days
[Diagram: Internal Auditing (Accounting Systems, External Requirements, Reporting) at the centre, connected to the functions it touches: Human Resources, Sales and Marketing, Manufacturing, Internal Audit, Finance, IT, Legal Counsel.]
Enter SOX
[Diagram: the same Internal Auditing hub and functions, with SOX, SOX Audits and Test Results added between the hub and each function.]

Next Come PCI, EU Privacy Directive, Internal Policies (as well as Compliance Management)
[Diagram: the same hub and functions, now subject to SOX plus the additional external and internal requirements.]
The Challenge of Managing Multiple Users and their Entitlements

Many policies
> External regulations: legislative, industry-specific
> Best practices
> Internal
Result: security silos, inconsistent enforcement

Many manual compliance processes
> Access reviews
> User entitlements
> Certification
Result: high admin cost, inconsistent enforcement, increased risks

Many entitlements
> Mainframe
> RDBMS
> LDAP
> NOS
> ERP
Result: difficult administration, difficult compliance, reduced security

Many roles
> Many user types
> Poor role mapping
> Privilege accumulation
Result: difficult to administer access rights, high help desk costs
Identity Lifecycle Management: The Solution to Managing Multiple Users and Entitlements

Many policies -> Centralized policies
> Consistent security and enforcement

Many manual compliance processes -> Security compliance automation
> Reduced admin costs
> Risk reduction

Many entitlements -> Reduced entitlements
> Easier administration
> Reduced costs
> Improved auditing for easier compliance

Many roles -> Reduced roles
> Increased efficiency
> Appropriate entitlements
Identity Lifecycle Management Defined
Goal: automating identity-related processes that span the entire enterprise
What are identity-related processes?
On-boarding/off-boarding an employee
Users managing their own profiles
Executing proper provisioning approval processes
Ensuring user entitlements match functional responsibilities
Validating the company is in compliance
And more
Identity Lifecycle Management: IT Needs
Role Management
Understand what roles exist in the enterprise
Establish a role model that fits the organization
Analyze and maintain the role model as the business evolves
Identity Management
Assign users to roles
Apply role-based controls
Provision users with approved accounts and privileges
Manage change requests and approvals over time
Security Compliance Management
Understand security policy
Import audit/log data; import identity information
Compare, then initiate and verify remediation
Streamline security compliance processes

Role Mining/Management
Enables efficient and accurate identity and entitlement management
Role Mining: enables gap analysis, cleanup and role modeling
Ongoing Role Management: processes role approval/adaptation and self-service requests; detects business changes that affect role structure
Auditing and Reporting: assesses role exceptions, cleanup and repair; provides executive reporting and an audit trail
Role Management Key Capabilities
The Secret Ingredient: Pattern Recognition Analysis
Data Cleanup, Validation and Remediation
> Clean and match user IDs
> Identify out-of-pattern and exceptional users
Audit/Gap Analysis
> Assess and audit systems for exceptions
Role Modeling
> Reveal methodology
> Define roles top-down/bottom-up
Policy Modeling
Model Management and Reporting
> Detect changes and exceptions
> Adapt role-based model
> Verify, certify, and report
Integration
> Enriches provisioning processes
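The pattern-recognition step this slide describes (define roles top-down from business attributes and bottom-up from the entitlements people already hold, then flag out-of-pattern users and provisioning gaps) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the presentation or from CA's product; the users, their entitlements, the (dept, title) grouping key and the 70% support threshold are constructed assumptions.

```python
"""Bottom-up role mining with out-of-pattern detection.

Added example, not code from the presentation or from CA. Sample users and
entitlements are constructed; the (dept, title) grouping key and the 70%
support threshold are assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample: each user's business attributes and the entitlements
# currently held across several target systems (system:entitlement).
USERS = {
    "alice": {"dept": "finance", "title": "analyst",
              "ents": {"ERP:GL_VIEW", "RDBMS:FIN_RO", "LDAP:staff"}},
    "bob":   {"dept": "finance", "title": "analyst",
              "ents": {"ERP:GL_VIEW", "RDBMS:FIN_RO", "LDAP:staff"}},
    "carol": {"dept": "finance", "title": "analyst",   # accumulated an extra privilege
              "ents": {"ERP:GL_VIEW", "RDBMS:FIN_RO", "LDAP:staff", "ERP:GL_POST"}},
    "dave":  {"dept": "finance", "title": "analyst",   # never fully provisioned
              "ents": {"ERP:GL_VIEW", "LDAP:staff"}},
    "erin":  {"dept": "it", "title": "dba",
              "ents": {"RDBMS:DBA", "LDAP:staff", "Mainframe:TSO"}},
    "frank": {"dept": "it", "title": "dba",
              "ents": {"RDBMS:DBA", "LDAP:staff", "Mainframe:TSO"}},
    "grace": {"dept": "it", "title": "dba",            # missing the mainframe ID
              "ents": {"RDBMS:DBA", "LDAP:staff"}},
    "heidi": {"dept": "it", "title": "dba",
              "ents": {"RDBMS:DBA", "LDAP:staff", "Mainframe:TSO"}},
}


def distinct_profiles(users):
    """Number of distinct entitlement combinations in use: the size of the
    'role' set an organisation effectively has before any mining."""
    return len({frozenset(u["ents"]) for u in users.values()})


def mine_roles(users, key=("dept", "title"), support=0.7):
    """Group users by business attributes (top-down key) and propose one role
    per group holding every entitlement that at least `support` of the
    group's members already have (bottom-up pattern)."""
    groups = defaultdict(list)
    for name, u in users.items():
        groups[tuple(u[k] for k in key)].append(name)
    roles = {}
    for attrs, members in groups.items():
        counts = Counter(e for m in members for e in users[m]["ents"])
        threshold = support * len(members)
        roles["_".join(attrs)] = {
            "members": sorted(members),
            "ents": {e for e, c in counts.items() if c >= threshold},
        }
    return roles


def find_exceptions(users, roles):
    """Gap analysis: entitlements a member holds beyond the mined role
    (privilege accumulation, candidate for removal) or lacks (provisioning gap)."""
    exceptions = []
    for rname, role in roles.items():
        for m in role["members"]:
            for e in sorted(users[m]["ents"] - role["ents"]):
                exceptions.append((m, rname, "OUT_OF_PATTERN", e))
            for e in sorted(role["ents"] - users[m]["ents"]):
                exceptions.append((m, rname, "MISSING", e))
    return exceptions


if __name__ == "__main__":
    model = mine_roles(USERS)
    print(f"{distinct_profiles(USERS)} distinct entitlement profiles -> {len(model)} mined roles")
    for name, role in model.items():
        print(name, sorted(role["ents"]))
    for exc in find_exceptions(USERS, model):
        print(*exc)
```

On the constructed data the eight users hold five distinct entitlement profiles, which the miner collapses to two roles; carol's extra ERP:GL_POST surfaces as an out-of-pattern entitlement to review, while dave and grace surface as provisioning gaps. The support threshold is the tuning knob: set it too high and every legitimate variation becomes an exception, too low and accumulated privileges get baked into the role.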
Identity Management: Central Engine for Identity-Related Processes
Provisioning/De-Provisioning
Quickly assigns and removes access privileges
Automates consistent workflow processes
User Self Service
Empowers end users to resolve issues
Reduces burden on IT and help desk
Identity Administration
Centralizes data/policy for consistency across the enterprise
Delegates decision-making to application owners
Identity Management Key Capabilities
The Secret Ingredient: Modular yet Integrated
Role-based Provisioning/De-Provisioning: ensure timely access and protect sensitive resources
User Self-Service: decrease help desk burden, improve user satisfaction
Workflow: enforce consistent and automated approval processes
Integration: from web applications to the mainframe
Auditing and Reporting: entitlements tracking
Centralized Administration: establish an authoritative identity source
Security Policies: enforce identity controls, separation of duties

Security Compliance: Meet Compliance Objectives on a Continuous Basis
Compliance Reporting and Dashboards
Generates access, entitlement and audit reports
Cross-system compliance reporting
User and Role Entitlement Certification
Validates that users' access is appropriate for their role
Ensures access to applications is appropriate
Change Management and Validation
systems
Enables timely follow-up on remediation requests
Security Compliance Key Capabilities
The Secret Ingredient: Process-centric Platform
Entitlement Certification: periodic reviews of users' access, roles and applications
Validation and Remediation: automatically follows up on requests to verify fixes are complete
Change Certification and Attestation: dynamically commence the approval process for any identified change
Compliance Warehouse: centralized compliance evidence warehouse
Security Compliance Reporting and Dashboards: cross-system compliance reports and dashboards
Integration: IAM, GRC and Help-Desk integrations
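Entitlement certification and validation/remediation as described on this slide reduce to a reconciliation loop: compare target-system accounts against the authoritative identity source, apply the separation-of-duties rules listed under Security Policies on the previous slide, hand each manager a review work list, and re-run the check after remediation to confirm the fixes are actually complete. The following added example, which is not the presentation's or CA's code, does exactly that over a constructed HR feed and account export; the field names, the finding codes and the vendor-create/payment-release SoD rule are assumptions.

```python
"""Access reconciliation against the authoritative identity source.

Added example, not code from the presentation or from CA. The HR feed,
target-system account export and SoD rule below are constructed; field
names and finding codes are assumptions for illustration.
"""
from collections import defaultdict

# Constructed authoritative identity source (what an HR system would feed).
HR = {
    "alice": {"status": "active", "manager": "mallory"},
    "bob":   {"status": "terminated", "manager": "mallory"},   # left, never de-provisioned
    "carol": {"status": "active", "manager": "mallory"},
}

# Constructed account export from target systems:
# (system, account name, owning identity or None, entitlements on that system)
ACCOUNTS = [
    ("ERP", "alice", "alice", {"AP_VENDOR_CREATE"}),
    ("ERP", "bob", "bob", {"AP_VENDOR_CREATE", "AP_PAYMENT_RELEASE"}),
    ("ERP", "carol", "carol", {"AP_VENDOR_CREATE", "AP_PAYMENT_RELEASE"}),
    ("RDBMS", "svc_report", None, {"FIN_RO"}),         # no recorded owner
    ("LDAP", "alice", "alice", {"staff"}),
    ("Mainframe", "ZXK001", "zed", {"TSO"}),           # owner unknown to HR
]

# Separation-of-duties rule: no single identity may hold both sides.
SOD_RULES = [
    (frozenset({"AP_VENDOR_CREATE", "AP_PAYMENT_RELEASE"}),
     "create a vendor and release payment to it"),
]


def reconcile(hr, accounts, sod_rules):
    """Return findings: orphan accounts, accounts of leavers still active,
    and identities whose combined entitlements violate an SoD rule."""
    findings = []
    held = defaultdict(set)   # identity -> entitlements across all systems
    for system, account, owner, ents in accounts:
        if owner is None or owner not in hr:
            findings.append(("ORPHAN", system, account, owner))
            continue
        if hr[owner]["status"] != "active":
            findings.append(("LEAVER_ACTIVE", system, account, owner))
        held[owner] |= ents
    for owner, ents in held.items():
        for toxic, why in sod_rules:
            if toxic <= ents:   # SoD is checked across systems, not per account
                findings.append(("SOD", "*", owner, why))
    return findings


def certification_worklist(hr, accounts):
    """Group each active identity's entitlements under its manager: the unit
    of work a periodic access review hands to a reviewer."""
    work = defaultdict(dict)
    for system, _account, owner, ents in accounts:
        if owner in hr and hr[owner]["status"] == "active":
            bucket = work[hr[owner]["manager"]].setdefault(owner, set())
            bucket.update(f"{system}:{e}" for e in ents)
    return {mgr: {u: sorted(e) for u, e in users.items()} for mgr, users in work.items()}


def still_open(previous_findings, hr, accounts, sod_rules):
    """Validation step: re-run the reconciliation after remediation and report
    which earlier findings have not actually been fixed."""
    current = set(reconcile(hr, accounts, sod_rules))
    return [f for f in previous_findings if f in current]


if __name__ == "__main__":
    before = reconcile(HR, ACCOUNTS, SOD_RULES)
    for f in before:
        print(*f)
    print(certification_worklist(HR, ACCOUNTS))
    # Simulated remediation: bob's ERP account removed, carol loses payment release.
    fixed = [a for a in ACCOUNTS if a[1] != "bob"]
    fixed = [(s, a, o, e - {"AP_PAYMENT_RELEASE"} if o == "carol" else e)
             for s, a, o, e in fixed]
    print("still open:", still_open(before, HR, fixed, SOD_RULES))
```

Two design points matter in practice. SoD is evaluated on the union of an identity's entitlements across every system, because the toxic combination is rarely visible from inside a single application. And the validation step does not trust the remediation ticket's "closed" status; it re-reads the target systems and reports only findings that reappear, which is what "verify fixes are complete" has to mean if the evidence is going into a compliance warehouse.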
Identity Lifecycle Management Payoff
Increased security and reduced risk
Eliminate unauthorized access and orphan accounts
Easier to prove compliance
Reduce costs / increase productivity
Automation, delegation and self-service
Overcome idle users requesting help desk support
Consolidation of roles accelerates provisioning
Improved user experience/satisfaction
Faster and easier access to applications and data
Centralized hub for storing all security
Provides ongoing visibility and project management over access review processes
Customer Successes: Identity Lifecycle Management
Problems
Organizations with more roles than users
10+ days to provision new employees
Very complex IT environments: 100+ target systems, 150K roles, 200K identities
Many weeks to complete compliance processes such as access reviews (multiple man-weeks)
Solutions
Reduce 150K roles to