© Copyright 2014 EMC Corporation. All rights reserved.
RSA Identity Management & Governance (Aveksa)
RSA IAM Enabling trusted interactions between identities and information
Applications/Data/Resources
Identity Lifecycle
Compliance
Access Platform Governance Platform
Federation/SSO
Authentication
Employees/Partners/Customers
Provisioning
Identity Intelligence
RSA’s Governance Platform
Applications/Data/Resources
Access Platform
Federation/SSO
Authentication
Employees/Partners/Customers
Identity Intelligence Identity Lifecycle
Compliance
Governance Platform
Provisioning
Governance Platform
Compliance
• Supervisor Reviews
• App Owner Reviews
• Data Ownership Reviews
• Segregation of Duties Policies
• Data Compliance Policies
Identity Lifecycle
• Joiner, Mover, Leaver
• Access Request Portal
• Policy-Based Change Management
• Password Management
Provisioning
• Task Notification
• Service Desk Integration
• Automated Provisioning
• Purpose-Built for Governance
– Lowest Cost of Ownership
– Fastest Time to Value
• Compliance
– Reduce Compliance Efforts
– Improve Compliance Effectiveness
– Applications and Data Resources
• Identity Lifecycle
– Automate Joiner, Mover, Leavers
– Access Request with policy enforcement
• Provisioning
– Simple architecture streamlines deployment
– Business-driven provisioning
RSA’s Identity Intelligence
Applications/Data/Resources
Identity Lifecycle
Compliance
Access Platform Governance Platform
Federation/SSO
Authentication
Employees/Partners/Customers
Provisioning
Identity Intelligence
• Unified view of Business Context
– “One Brain” for Better Access Decisions
– Complete Picture of User Access Rights, Job Roles, Business Attributes
• Role Management
– Simplify Access Reviews and Policies
– Achieve Role-based Access Control
• Connection to Business-level Goals
– Corporate and Application Risk
• Integration with Security Ecosystem
– Enforce and Validate Authentication Policies
– Leverage Context for Better Threat Analysis and Triage
Identity Intelligence
• Accounts & Entitlements
• Rich User Context
• Business Roles
• Risk Analytics
• Authentication Policies
User Context and Activity
RSA Takes a Business Driven Approach to IAM
Shift Decision Making and Accountability to the Business
– Governed by Info Security constraints
Centralized Identity & Business Context
– “One Brain” for intelligence and operational efficiency
Process-Driven
– Discrete, Measurable, Efficient Business Processes
Policy-Based Automation
– Automated Policy Enforcement
IT Security
Information Security
Line of Business
Ensure Compliance and Manage Risk
Audit, Risk & Compliance
Enterprise, Mobile & Cloud Applications and Data, DLP, SIEM, GRC
Enable the Business: Ownership & Accountability Business
Processes
A Business Process Perspective
Customer Case Study
Overview & Business Drivers Profile
– Fortune 100 Investment and Retirement Planning Services:
▪ $500B USD under management
– 11,000 Users, 900 Managers
– 130 Critical Applications (Audited, High-Risk)
IAM Program Shortcomings
– No Unified Visibility of Access Across Applications
– Manual and Inefficient Access Review processes
– Inefficient and Error-Prone Paper-Based Access Request Process
– Poor Business User Experience
– Inability to Define and Enforce Access Policies
– 12,000+ Orphan Accounts – Unowned and Unmanaged
Result: Audit Findings and Unhappy Line-of-Business
IAM Project Focus
Governance Platform
Compliance
• Supervisor Reviews
• App Owner Reviews
• Data Ownership Reviews
• Segregation of Duties Policies
• Data Compliance Policies
Identity Lifecycle
• Joiner, Mover, Leaver
• Access Request Portal
• Policy-Based Change Management
• Password Management
Provisioning
• Task Notification
• Service Desk Integration
• Automated Provisioning
Identity Intelligence
• Accounts & Entitlements
• Rich User Context
• Business Roles
• Risk Analytics
• Authentication Policies
User Context and Activity
IAM Project Overview Audit Findings
– Manual Access Review Process
– Poor Controls Around Access Request & Provisioning
– Uncontrolled Direct Access to Application Databases
Deployed RSA Aveksa Solution
– Collaboration with Line-of-Business was Key to Success
New Access Reviews
– Supervisor, Application Owner, Platform Owner
New Access Request Portal
– Simple Web-Based UI
– Enforcement of Policies and Approval Processes
Before and After: Access Reviews
Supervisor Access Reviews: Before RSA
Collection
Review
Remediation
Manual import & reconciliation
Applications
Review Results & Change Requests
Security Administrators
Run Reports
Database Administrators
Run DB Extracts
Desktop Database
Manual creation of spreadsheets
Emailed to Reviewers
Reminders & Harassment
!
Manual Logging of Results
App Owner & System Administrators
Manual Ticket Creation and Change Validation
Execution of Changes in Systems
Duration: 36 weeks
Managers Delegate to Admin or team
Supervisor Access Reviews: With RSA
Scheduled & Automated
Entitlement Collection
Applications
Review Results & Change Requests
Centralized IAM System
Web-Based UI
Automated Reminders
!
App Owner & System Administrators
Manual Ticket Creation
Execution of Changes in Systems
Duration: 9 weeks
Reviews Initiated
Managers perform reviews directly
Automated System
Results automatically stored in centralized DB
Automated validation of change completion
Collection
Review
Remediation
Before and After: Access Request
Access Request: Before RSA
Access Request
Approval Flow
Provisioning
Provisioning Request Email Sent to Help Desk
User Fills Out Entitlements Access Request Form (Word Document)
Manual Approval Request Email to Business Process Owner
Manual Reminder & Harassment
!
Help Desk Administrators
Manual Ticket Creation
Manual Provisioning
Duration: ~ 10 days
End Users
Manual Approval Request Email to LOB Manager
Access Request: With RSA
Approval Flow
Provisioning
Provisioning Request Email Sent to Help Desk
User Submits Access Request
Approval Request Emailed To Business Process Owner
Automated Reminders
!
Help Desk Administrators
Manual Ticket Creation
Duration: 3 Days
End Users
Approval Notification Emailed to LOB Manager
Web-Based UI
Web-Based Approval UI
Access Request
Manual Provisioning
Benefits Realized
Metric | Before | After | Improvement
Time to complete User Entitlement Reviews | 36 weeks | 9 weeks | 75%
FTEs to manage Review Process | 5 FTEs | 2.5 during; 1 off-cycle | 50%+
Orphan accounts | 12,000+ | 0 | 100%
SoD Rules Defined & Enforced | 0 | 150+ |
Unified Access Request Portal | No | Yes |
Automated Routing to Correct Approvers | No | Yes |
Application Owner Reviews | No | Yes |
Validation of Access Changes | No | Yes |
Improved Business and IT Efficiency
Elimination of Audit Exceptions
Earned Trust of Business Managers and Audit Group
Why RSA Aveksa?
• Purpose-Built for Identity Management & Governance
• Scalability and Performance Architectural Superiority
• Configuration vs. Customization
• Business-Logic Driven not IT-provisioning Driven
Lowest TCO and Fastest Time-To-Value
• Integrated IAM Platform: Governance, Authentication, Intelligence
• Unified management of on-premise and cloud, Apps and Data
Completeness of Solution
Q&A
Thank You
RSA’s Platform Architecture
Integration Logic
Business-Friendly UI
Business Logic for Policy-based Governance
Business Agility
Operational Efficiency
Access Lifecycle Policy Lifecycle Resource Lifecycle
Provisioning Remediation Monitoring
Audit and Review Exception Handling Risk Analytics
Reduced Risk
Compliance Assurance
Cloud Applications
Directory Systems
HR Systems
Data On-premise Applications
Shared Files
GRC DLP SIEM
Identity, Resource, Policy
Security Integration Fabric Collection Provisioning
Events Data Query
App Access Portal
Authentication / SSO Process Orchestration Integrated
Workflow
Aveksa Functionality by Module
Compliance Manager
• Automated, Agentless Collection
• User Access Certification
• Group Reviews
• Configurable Workflow
• Controls Automation (Rules)
• Reporting and Dashboards
• SaaS Version Available
Role Manager
• Role Mining and Design
• Role Life Cycle Management
• Role Synchronization
• Flexible, Hierarchical Role Model
• Role Membership and Entitlement Policies
Self-Service Access Request
• Business Friendly Access Request Self-Service
• Attribute and Policy Based Form Generation
• Proactive Policy Enforcement
• Orchestration Across Provisioning Endpoints
• SaaS Version Available
Data Access Governance
• Access Governance for Unstructured Data
• File Shares and SharePoint
• Data Ownership Identification
• Data Access Reviews
• DLP Integration
Provisioning and Fulfillment
• Automated User Access Changes
• Password Management
• Attribute Synchronization
• Configuration-Based Connector Development
• Integration with Existing Provisioning and Ticketing Systems
Single Sign On
• Cloud-Based Service
• Desktop and Tablet Application Launchpad
• Pre-built SSO integration with over 2,700 SaaS applications.
• Multi-factor authentication and one-time password support.
• Integrated with Governance and Provisioning