Transcript of "Role-Based Privileges Management" - IBM - United States
The Enterprise Role Management Company
Role-Based Privileges Management
How to Quickly and Effectively Implement Compliance
June 2007
Dr. Ron Rymon, Founder, Eurekify, [email protected]
Eurekify at a Glance
• Leading provider of role-based management solutions
  ► Privileges Quality Management
  ► Role Management
  ► Identity Management
  ► Compliance Management
• Eurekify did not invent RBAC, but our unique & patented pattern recognition technology makes it a lot easier to implement
• History and current presence
  ► Since 2002, with more than 50 customers worldwide
  ► Partners include consultants, integrators, vendors, and auditors
  ► Based in Israel, with offices in NY and CA, and worldwide partners
Examples of Eurekify Projects
• Clean-up Privileges
• Role Engineering
• Role Mgmt Business Processes
• IdM Preparation
• Privileges Attestation
• Verify Compliance (SoD & more…)
• Privileges Archiving
• Review & Query Privileges
Customers
IBM Partnership
• Eurekify works as an independent solution or as a complement to any Identity Management system
• Special partnership with IBM – “Optimized Partner”
• Integrated interface with Tivoli Identity Manager (ITIM)
• Working closely with ITIM lab in Irvine, CA
• Certified as “Ready for Tivoli”
• More than 20 joint customers worldwide
What is Role-based Management
Privileges Quality is the Source of All Evil
• Currently: Many Systems, Many People, Many Changes
  ► Hundreds or even thousands of applications
  ► Many people came, many changed positions, many left
  ► Many privileges were granted ad hoc
• The Result: Poor & Unmanageable Privileges
  ► 1 million privileges for 20,000 users, many of them granted ad hoc
  ► 50% more accounts than people in the average system
  ► 30% out-of-pattern privileges
  ► 20-50% of groups are redundant or unnecessary
  ► No central view of privileges
• The Immediate Impact:
  ► Serious security holes abound
  ► Administration costs and productivity losses
• Other Impact
  ► Difficult to implement Identity Management
  ► Difficult to achieve and demonstrate compliance
Solution: Role-based Management
• Role-based Access Control ties IT privileges management practices to BUSINESS concepts, processes, and culture
• Role-based access control (RBAC) is intended to simplify and strengthen security administration:
  ► Attach the relevant privileges to each role
  ► Associate users with the relevant roles
  ► Avoid managing individual privileges
• Instead of 50 privileges/person, manage 3-5 roles/person
• Roles can be expressed based on membership, or as rules
  ► e.g., "Marketing users, in division X, that work out of CA, shall have access to A, B, and C".
  ► e.g., "All the members of project X", and the rights to the project materials
• Roles and rules, combined, constitute a privileges model. Role engineering is the construction of the privileges model.
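The privileges model described above, as an added worked example in Python (not code from the original presentation, and not Eurekify's product): a rule role over HR attributes, a membership role and a catch-all rule role are resolved to each user's effective privileges, and that prediction is reconciled with what the systems actually grant, so excess grants (explained by no role) and missing grants fall out as the exceptions to review. Users, HR attributes, role names and privilege names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

HRRecord = Dict[str, str]  # e.g. {"dept": "Marketing", "division": "X", "site": "CA"}


@dataclass(frozen=True)
class Role:
    """A role grants a fixed privilege set and is defined either by explicit
    membership (a user list) or by a rule (a predicate over HR attributes)."""
    name: str
    privileges: FrozenSet[str]
    members: FrozenSet[str] = frozenset()
    rule: Optional[Callable[[HRRecord], bool]] = None

    def applies_to(self, user: str, hr: HRRecord) -> bool:
        if self.rule is not None:
            return self.rule(hr)
        return user in self.members


def resolve(users: Dict[str, HRRecord], roles: List[Role]) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """For every user: the roles that apply and the union of their privileges."""
    model = {}
    for user, hr in users.items():
        applicable = [r for r in roles if r.applies_to(user, hr)]
        privs: FrozenSet[str] = frozenset()
        for r in applicable:
            privs = privs | r.privileges
        model[user] = {"roles": frozenset(r.name for r in applicable), "privileges": privs}
    return model


def deviations(model: Dict[str, Dict[str, FrozenSet[str]]],
               actual: Dict[str, FrozenSet[str]]) -> Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]]:
    """Per user, (excess, missing): excess is granted but explained by no role
    (an exception to review or revoke); missing is predicted but never granted."""
    out = {}
    for user, granted in actual.items():
        predicted = model.get(user, {"privileges": frozenset()})["privileges"]
        out[user] = (granted - predicted, predicted - granted)
    return out


# Constructed sample data: hypothetical users, HR attributes, roles and privileges.
HR: Dict[str, HRRecord] = {
    "jim":  {"dept": "Marketing", "division": "X", "site": "CA"},
    "kim":  {"dept": "Marketing", "division": "X", "site": "NY"},
    "sara": {"dept": "Finance",   "division": "X", "site": "CA"},
    "dave": {"dept": "Marketing", "division": "Y", "site": "CA"},
}

ROLES = [
    # rule role: "Marketing users, in division X, that work out of CA, get A, B and C"
    Role("mkt-x-ca", frozenset({"A", "B", "C"}),
         rule=lambda h: h["dept"] == "Marketing" and h["division"] == "X" and h["site"] == "CA"),
    # membership role: "all the members of project X" and the project materials
    Role("project-x", frozenset({"projx-docs", "projx-wiki"}), members=frozenset({"jim", "sara"})),
    # rule role that matches everyone
    Role("all-staff", frozenset({"email", "intranet"}), rule=lambda h: True),
]

# What the systems actually grant today (constructed), to be reconciled with the model.
ACTUAL: Dict[str, FrozenSet[str]] = {
    "jim":  frozenset({"A", "B", "C", "projx-docs", "projx-wiki", "email", "intranet"}),
    "kim":  frozenset({"email", "intranet", "A"}),          # A: ad-hoc grant, no role explains it
    "sara": frozenset({"projx-docs", "email", "intranet"}),  # projx-wiki was never provisioned
    "dave": frozenset({"email", "intranet"}),
}

if __name__ == "__main__":
    model = resolve(HR, ROLES)
    for user, info in model.items():
        print(f"{user}: roles={sorted(info['roles'])} privileges={sorted(info['privileges'])}")
    for user, (excess, missing) in deviations(model, ACTUAL).items():
        if excess or missing:
            print(f"{user}: excess={sorted(excess)} missing={sorted(missing)}")
```

The point of keeping rule roles as predicates over the HR record is that a change of department or site re-evaluates membership automatically; the excess set is where the "out-of-pattern" privileges the deck talks about end up, and the missing set is what provisioning should fix.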
Eurekify’s Approach
Eurekify Pattern Recognition Analytics
• We did not invent Role-based Access Control (RBAC)
• But we made it a lot easier with our pattern recognition technology
[Diagram: individual users (Jim, Kim, Sara, Dave, Mike) and their privileges, grouped by pattern recognition into roles]
• Discover business structure and define role model
• Detect and remove out-of-pattern exceptions
• Identify and adapt to business changes
Privileges Quality Management
Compliance Management
Role Management
Five Steps to Privileges Quality Management
Starting point: initial assessment
I. Visually review privileges, to ensure valid HR and account information across systems
II. Systematically detect and clean up pattern-based exceptions
III. Correct groups/profiles on individual systems and applications
IV. Review of privileges and exceptions by business managers (online)
V. Implement a full role-based privileges model across platforms (incrementally)
Current Statistics
• Users, Groups, Access rights, Access levels
• Individual system or application
• Cross system (IdM view)
• Any level of granularity
Privileges Querying
• Who has which privileges? Who else? What else? What do they have in common? Through which roles? Who or what is the exception? What is the overlap? What other role is similar?
Privileges Quality Assessment
• HR mismatches
• Out-of-pattern privileges
• Suspected users, groups
• Redundant groups/roles
• Dual links
• Much more…
Privileges Cleanup
• Each system, cross systems
• Orphan users, groups
• Privileges collectors
• All levels of granularity
• Out-of-pattern alerts
• Rule violation alerts
• Easy review/fixing
• User/Manager review workflow
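An added example (Python; not Eurekify's product or any code from the presentation) of the assessment and cleanup checks listed above: HR mismatches (orphan accounts with no person behind them, and accounts whose person is no longer active), the accounts-per-person ratio, groups with identical membership, and group memberships that are out of pattern relative to the account's department peers. The HR feed, accounts and groups are constructed sample data, and the 50% peer threshold is an illustrative choice rather than a figure from the presentation.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (hypothetical): an HR feed plus one application's
# account and group dump, joined on HR id as a cleanup run would ingest them.
HR: Dict[str, Dict[str, str]] = {
    "u100": {"name": "Jim",  "dept": "Marketing", "status": "active"},
    "u101": {"name": "Kim",  "dept": "Marketing", "status": "active"},
    "u102": {"name": "Sara", "dept": "Marketing", "status": "active"},
    "u103": {"name": "Dave", "dept": "Finance",   "status": "active"},
    "u104": {"name": "Mike", "dept": "Finance",   "status": "terminated"},
}

# account -> HR id, or None when the join found no person behind the account
ACCOUNTS: Dict[str, Optional[str]] = {
    "jim": "u100", "kim": "u101", "sara": "u102", "dave": "u103",
    "mike": "u104",        # HR says terminated, the account still exists
    "svc_batch": None,     # no HR record at all
    "dave_admin": "u103",  # a second account for the same person
}

# group (or profile) -> member accounts
GROUPS: Dict[str, Set[str]] = {
    "mkt_users":  {"jim", "kim", "sara"},
    "mkt_legacy": {"jim", "kim", "sara"},      # identical membership to mkt_users
    "fin_users":  {"dave", "dave_admin", "mike"},
    "gl_post":    {"dave_admin"},
    "crm_export": {"sara"},
}


def hr_mismatches(accounts, hr) -> Dict[str, List[str]]:
    """Accounts with no HR record (orphans) and accounts whose person is not active."""
    orphans, inactive = [], []
    for acct, hr_id in sorted(accounts.items()):
        if hr_id is None or hr_id not in hr:
            orphans.append(acct)
        elif hr[hr_id]["status"] != "active":
            inactive.append(acct)
    return {"orphans": orphans, "inactive": inactive}


def account_to_person_ratio(accounts, hr) -> float:
    """Accounts per distinct person behind them; 1.0 means one account each."""
    people = {hr_id for hr_id in accounts.values() if hr_id in hr}
    return len(accounts) / len(people)


def redundant_groups(groups) -> List[Tuple[str, str]]:
    """Pairs of groups with identical membership; one of each pair is redundant."""
    return [(a, b) for a, b in combinations(sorted(groups), 2) if groups[a] == groups[b]]


def out_of_pattern(groups, accounts, hr, threshold=0.5) -> List[Tuple[str, str, float]]:
    """Memberships held by an account but by fewer than `threshold` of the accounts
    in the same department (its peers). The threshold is an illustrative choice."""
    dept_of = {a: hr[h]["dept"] for a, h in accounts.items() if h in hr}
    peers: Dict[str, Set[str]] = defaultdict(set)
    for acct, dept in dept_of.items():
        peers[dept].add(acct)
    flagged = []
    for group, members in sorted(groups.items()):
        for acct in sorted(members):
            if acct not in dept_of:
                continue  # orphan accounts are reported by hr_mismatches instead
            dept_peers = peers[dept_of[acct]]
            ratio = len(members & dept_peers) / len(dept_peers)
            if ratio < threshold:
                flagged.append((acct, group, round(ratio, 3)))
    return flagged


if __name__ == "__main__":
    print(hr_mismatches(ACCOUNTS, HR))
    print(f"accounts per person: {account_to_person_ratio(ACCOUNTS, HR):.2f}")
    print("redundant groups:", redundant_groups(GROUPS))
    print("out of pattern:", out_of_pattern(GROUPS, ACCOUNTS, HR))
```

Each finding is a different cleanup action: orphans and inactive accounts are candidates for disablement, a redundant group can be collapsed into its twin, and an out-of-pattern membership goes to the manager review workflow rather than being revoked blindly, since it may be a legitimate one-off grant.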
Analytics-Assisted Privileges Verification
Privileges Quality Management
• Detect
  ► Automatically detect inconsistencies
• Critique
  ► Collaborative analysis and review
  ► Set and review quality targets
• Adapt
  ► Analyze & update role model
  ► Fix privileges
• Approve
  ► Approve changes
[Diagram: Detect → Critique → Fix → Approve cycle run by the Business Role Manager / Administrator; inputs are the initial privileges cleanup and ongoing privilege changes; approved changes flow to IdM provisioning or other systems]
Five Steps to Compliance Management
Starting point: initial assessment
I. Review & query privileges across multiple systems
II. Detect pattern-based exceptions systematically
III. Review and certify privileges by business managers (online)
IV. Verify Segregation of Duty and business policies (automatically)
V. Implement full role-based privileges management and compliance
Privileges Recertification/Attestation
• Quick setup of recertification processes
  ► User-initiated via portal
  ► E-mail campaigns
• Users certified by their managers
• Resource owners certify access
  ► Roles
  ► Individual privileges
Business Process Rules (including SoD)
• Easily specified into a portable catalog
• Can be specified by business and/or IT people and/or auditors
• Segregation of duty (SoD)
• Business process rules and constraints
• Restricted relationships between HR attributes and allowed privileges
• All levels of granularity
Policy and Compliance Verification
• Automated compliance reverification, periodically via batch processes
• Compliance reporting and dashboard
• Easy review/fixing by business owners and administrators
• Easy integration with external reporting, workflow, and IdM tools
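An added example (Python; not Eurekify Sage and not code from the presentation) of how a small catalog of business process rules of the kinds listed above is verified against users: SoD pairs are evaluated over each user's effective privileges, whether held through a role or as a direct grant; an HR-attribute restriction is checked; and every finding records through which roles the offending privileges arrived, which is what a business owner needs in order to fix the right thing. A second check flags roles whose own definition already contains an SoD pair. Roles, privileges, users and rule IDs are constructed for illustration.

```python
from typing import Dict, List, Set

# Constructed sample data: hypothetical roles, privileges, users and rule IDs.
ROLES: Dict[str, Set[str]] = {
    "ap_clerk":      {"ap.enter_invoice", "ap.create_vendor"},
    "ap_manager":    {"ap.approve_payment", "ap.view"},
    "gl_accountant": {"gl.post", "gl.close_period"},
    "ap_super":      {"ap.create_vendor", "ap.approve_payment"},  # conflicting by definition
}

USERS = {
    "dave": {"roles": {"ap_clerk", "ap_manager"}, "direct": set(), "emp_type": "employee"},
    "sara": {"roles": {"ap_clerk"}, "direct": {"ap.approve_payment"}, "emp_type": "employee"},
    "kim":  {"roles": {"gl_accountant"}, "direct": set(), "emp_type": "contractor"},
    "jim":  {"roles": {"ap_manager"}, "direct": set(), "emp_type": "employee"},
}

# The rule catalog: SoD pairs, and a restriction tying an HR attribute to privileges.
RULES = [
    {"id": "BPR-AP-01", "kind": "sod", "privileges": {"ap.create_vendor", "ap.approve_payment"}},
    {"id": "BPR-AP-02", "kind": "sod", "privileges": {"ap.enter_invoice", "ap.approve_payment"}},
    {"id": "BPR-HR-01", "kind": "attribute", "when": {"emp_type": "contractor"},
     "forbid": {"gl.close_period"}},
]


def effective_privileges(user: dict, roles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """privilege -> the roles (or 'direct') through which this user holds it."""
    sources: Dict[str, Set[str]] = {}
    for role in user["roles"]:
        for priv in roles[role]:
            sources.setdefault(priv, set()).add(role)
    for priv in user["direct"]:
        sources.setdefault(priv, set()).add("direct")
    return sources


def check_user(name: str, user: dict, roles, rules) -> List[dict]:
    """Every rule this user violates, with the path each offending privilege took."""
    held = effective_privileges(user, roles)
    findings = []
    for rule in rules:
        if rule["kind"] == "sod":
            offending = rule["privileges"]
            hit = offending <= set(held)
        else:  # "attribute": applies only when the user's HR attributes match
            applies = all(user.get(k) == v for k, v in rule["when"].items())
            offending = rule["forbid"] & set(held)
            hit = applies and bool(offending)
        if hit:
            findings.append({"user": name, "rule": rule["id"],
                             "via": {p: sorted(held[p]) for p in sorted(offending)}})
    return findings


def check_all(users, roles, rules) -> List[dict]:
    return [f for name in sorted(users) for f in check_user(name, users[name], roles, rules)]


def conflicting_roles(roles, rules) -> List[tuple]:
    """Roles whose own definition already contains an SoD pair: no assignment of
    such a role can ever be compliant, so the role model is what needs fixing."""
    return [(role, rule["id"]) for role in sorted(roles) for rule in rules
            if rule["kind"] == "sod" and rule["privileges"] <= roles[role]]


if __name__ == "__main__":
    for f in check_all(USERS, ROLES, RULES):
        print(f"{f['user']}: {f['rule']} via {f['via']}")
    print("roles that violate SoD by definition:", conflicting_roles(ROLES, RULES))
```

Running the catalog on the role model itself (conflicting_roles) before running it on users is the cheap way to keep a newly engineered role from introducing a violation for everyone assigned to it; the per-user "via" map is what lets the reviewer distinguish a direct ad-hoc grant from a role that was badly designed.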
Compliance Management
• Detect
  ► Automatically detect policy violations & inconsistencies
• Critique
  ► Collaborative analysis and review
• Adapt
  ► Analyze & update role model
  ► Fix privileges
• Approve
  ► Approve changes
[Diagram: Detect → Critique session → Adapt → Approve/Attest cycle run by the Business Role Manager / Administrator and the Auditor; inputs are the initial identification of policies and regulations, ongoing privilege changes and ongoing policy changes; approved changes flow to IdM provisioning or other systems]
Five Steps to Role Management
Starting point: initial assessment
I. Clean up privileges
II. Identify and test the fitness of alternative role engineering methods
III. Iteratively define & review a deeper and broader role model (to reach ~80% coverage)
IV. Define & deploy the role model and role management processes (administrative & analytical)
V. Define and implement administrative provisioning processes (IT, HR)
Eurekify Role Engineering Methodology
• Combined RE (role engineering) methodologies
  ► Target coverage: 80% of privileges
• Comparison of alternative role engineering methodologies
• Critiquing of new/existing roles
• Multitude of role engineering methods
  ► Top-down
  ► Analytics-assisted top-down
  ► Bottom-up (role/rule mining)
  ► Automatic discovery of HR-based as well as project-based provisioning patterns
  ► Other methods: obvious, modeled-after, …
Eurekify Role Management Processes
• Role Model Management processes
  ► Detect and adapt to business changes
  ► Consistency and compliance tests
  ► Review and approval processes
• Role Administration processes (for customers that do not deploy a strong IdM system)
  ► Add/change/request role definitions
  ► Add/change/remove privileges
• Eurekify analytics are key to effective processes
• Independent processes that can also be integrated into any external workflow
• Role provisioning is usually done by the IdM system or meta-directory
Easy Integration with Other Systems
• Quick import/export (asynchronous)
  ► Privileges data and role definitions
  ► File-based or API-based exchange
• Easy real-time synchronization
  ► Real-time exchange of roles & privileges data (snapshot/delta)
  ► Real-time analytics available via web services calls
  ► All levels of granularity
  ► Web services integration
• Flexible web services for third-party workflow
  ► Identity Management, Help Desk, company-standard workflow
  ► All are empowered with Eurekify's analytics
Role Management
• Detect
  ► Exceptions
  ► Inconsistencies
  ► Policy violations
  ► Business changes that affect roles
• Critique
  ► Collaborative analysis & review
• Adapt
  ► Analyze & update role model
  ► Fix privileges
• Approve
  ► Approve changes
• Synch it
[Diagram: Detect → Critique → Adapt → Approve cycle run by the Business Role Manager / Administrator; inputs are role engineering and ongoing privilege changes; approved changes are synchronized to IdM provisioning or other systems]
Customer Case
KPN – The Dutch National Telecom
• The scenario
  ► Multiple business units: "fixed", mobile, cable, IPTV
  ► 28,000 people
  ► 48 systems subject to SOX + 19 subject to National Competition Regulation
    ▼ Very diverse, including mainframe, SAP, and many homegrown systems
• The approach and project
  ► Performed jointly by PwC and KPMG
  ► Used Eurekify Sage to code BPRs (business process rules)
  ► Analyzed 80 business processes, creating one policy for each
  ► A total of over 1000 BPRs (10-15 per policy)
  ► 3 layers of controls: commonly accepted principles, organizational structure and processes, time and location
• The result
  ► Project completed in under 4 months!
  ► Several thousand violations were removed or rationalized
  ► Passed SOX review
How to Start
How to Start?
• A Eurekify "Survey" is the best way to start
  ► Only 5 days!
  ► Lots of immediate value
    ▼ Qualitative and quantitative assessment
    ▼ Privileges review
    ▼ Piloting compliance tests
    ▼ Role engineering tryouts
• You will then know
  ► What you need, and how to justify your needs
  ► How to best start a successful project
• Call Eurekify or a local partner, or email [email protected]