SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017

Adam Evans, Senior Identity & Access Specialist, 21 March 2017
Innovation In Action: Supporting Security Through Next Generation Identity Governance

Agenda

• The Origins of Identity Governance
• Identity Governance 1.x
  • Pros
  • Cons
• Identity Governance.NextGen
• Five Steps to Efficient ID Governance
• Questions & Answers

Identity Governance: The Origins…

The Evolution of Identity Governance? Phase One: The Proliferation of Identity Repositories

(Diagram: a single identity repository, then several identity repositories side by side)

Presenter Notes
It started with a single repository, e.g. a mainframe or AS/400 (iSeries). Then came others: UNIX, file & print, email, client-server applications. The result was an administration nightmare in terms of account maintenance and password resets, and users had lots of credentials to remember. Offboarding wasn’t so much of an issue, as external connectivity was limited at best.

The Evolution of Identity Governance? Phase Two: The Directory Services “Silver Bullet”

(Diagram: directory services placed in front of the identity repositories… or NOT!)

Presenter Notes
Directory services were the industry response: a single, central identity repository that applications and services can leverage. Examples are X.500/LDAP, NDS (eDirectory) and Active Directory. They had limited success, as full integration was hard to achieve and the administration overhead did not significantly fall. Also, in a time of greater connectivity, identity lifecycle was gaining in prominence.

The Evolution of Identity Governance? Phase Three: Provisioning, Password Sync & SSO

(Diagram: provisioning/password sync and single sign-on layered over the directory services and identity repositories)

Presenter Notes
The next evolution was a dual-pronged approach.

The first prong concentrated on centralised provisioning: identities are created once in an authoritative system (e.g. the HR application) and synchronised to a central identity vault, and from there to all connected systems. The really clever provisioning solutions delivered a high degree of identity integrity by allowing authoritative attributes to be defined on the source systems (as opposed to a single authoritative application), e.g. email or telephone extension, and by tightly controlling change propagation so that only changes to authoritative attribute values are synchronised to connected systems. The challenges around re-provisioning (change) and de-provisioning were also addressed at this time, by synchronising changes to authoritative attribute values that drive wholesale change, such as job role changes, secondments and ending the relationship (leaving the organisation). This did, however, depend on the system being connected to the provisioning solution. Provisioning has evolved over the years, delivering key capabilities such as role-based provisioning, an end-user UI, a request engine, workflow, etc., and now delivers comprehensive identity lifecycle through identity management.

The second prong concentrated on reducing administration and lost productivity by reducing the number of credentials a user has to remember: synchronising passwords across connected systems and delivering SSO, first for enterprise (fat) applications, then web SSO and later federation, which is beyond the scope of this presentation.
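The attribute-level authority and controlled change propagation described in the notes above, as an added example that is not code from the presentation or from any product: the authoritative-source table, the subscriber filters, the identity record and the attribute names are all constructed for illustration, and a `leaver` status value is assumed as the lifecycle trigger that drives de-provisioning.

```python
# Which source is authoritative for each attribute (constructed for this example).
AUTHORITY = {"givenName": "HR", "sn": "HR", "jobTitle": "HR", "status": "HR",
             "mail": "Email", "telephoneNumber": "PBX"}

# Attributes each connected system subscribes to (its subscriber filter). HR only publishes.
SUBSCRIBES = {
    "AD":    {"givenName", "sn", "mail", "telephoneNumber", "status"},
    "SAP":   {"givenName", "sn", "jobTitle", "status"},
    "Email": {"givenName", "sn", "status"},
    "PBX":   {"givenName", "sn"},
    "HR":    set(),
}
CONNECTED = sorted(SUBSCRIBES)

# The identity vault: one record per identity, keyed by a stable id (constructed data).
VAULT = {"e10001": {"givenName": "Alice", "sn": "Adams", "jobTitle": "AP Clerk",
                    "status": "active", "mail": "alice@example.com",
                    "telephoneNumber": "1234"}}


def apply_change(vault, source, uid, attr, value):
    """Process one attribute change reported by a connected system.

    Returns the operations to send onward. A change to an attribute the source
    is not authoritative for is never propagated; instead the source is reset
    to the vault's value, so a direct edit in AD cannot leak into other systems.
    A change of HR status to 'leaver' (assumed value) also disables every
    connected account, i.e. de-provisioning driven by the authoritative source.
    """
    record = vault[uid]
    if AUTHORITY.get(attr) != source:
        return [{"system": source, "op": "reset", "uid": uid,
                 "attr": attr, "value": record.get(attr)}]
    if record.get(attr) == value:
        return []                          # no-op: stops publish/subscribe loops
    record[attr] = value
    ops = [{"system": s, "op": "modify", "uid": uid, "attr": attr, "value": value}
           for s in CONNECTED if s != source and attr in SUBSCRIBES[s]]
    if attr == "status" and value == "leaver":
        ops += [{"system": s, "op": "disable", "uid": uid}
                for s in CONNECTED if s != source and SUBSCRIBES[s]]
    return ops


if __name__ == "__main__":
    import json
    for change in [("AD", "e10001", "telephoneNumber", "9999"),    # rejected: PBX owns it
                   ("PBX", "e10001", "telephoneNumber", "9999"),   # accepted, sent to AD
                   ("HR", "e10001", "status", "leaver")]:          # de-provision everywhere
        print(json.dumps(apply_change(VAULT, *change)))
```

The reset operation is the integrity point: without it, a value typed directly into a connected system would either silently diverge from the vault or, worse, be synchronised everywhere as if it were authoritative.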

What Does This Have To Do With ID Governance? Sarbanes-Oxley Act 2002, Section 404

SoX Section 404 to Identity Governance & Administration 1.x
(Diagram: arrow from IT-centric to business-centric)

Assessment of Internal Control: requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.

Presenter Notes
Through all of this evolution, along came SoX, which included a section (404) that places greater scrutiny on the internal controls placed on identities. The key areas are as follows:
• Regular review of all access in the organisation.
• Controls in place to detect and manage toxic combinations of entitlements (SoD).
• Timely removal of access when it is no longer required (orphaned/unmapped accounts).
• Privileged account management (including business justification).
• Ability to demonstrate compliance to auditors.
Unfortunately, SoX 404 is aimed at the business, and identity management doesn’t really deliver the necessary controls in order to gain, maintain and demonstrate compliance. The initial approach was to fire up Excel and email in order to demonstrate compliance using manual processes. Everyone quickly realised that manual processes didn’t work, as they placed a huge burden on the business and were cumbersome and error prone. This led to what Gartner terms Identity Governance 1.x, which was later rolled into identity lifecycle and Identity Governance & Administration.

Identity Governance & Administration 1.x: Pros…

• Collection
  • Ability to Collect Accounts & Permissions from Apps
  • Central Repository of All Access
  • Automatically Link Accounts to Identities
  • Configure & Forget
  • Scheduled
• Policy
  • Create & Apply Consistent Policies
  • SoD, Risk, High Privileged Access, Unmapped/Orphaned
  • Easily Identify Policy Violations from the “Noise”
• Review Management
  • Create Targeted Review Campaigns
  • Run Reviews on a Schedule and/or Ad Hoc
  • Track Completion & Escalate
• Transparency
  • Capture Access Decisions
  • Review Sign-Off
  • Audit Reporting
• Fulfilment
  • Automated
  • Manual
  • Closed-Loop Verification

That All Sounds Great, Right? However…

Identity Governance & Administration 1.x: Cons…
• Persistent Information Overload
• Little or No Reduction In Number of Review Items
• Lack of Business Context
• Automation of Controls, Not The Review

(Slide mock-up: a review screen listing Permission #1 … #7, Permission #21 … #27 and Permission #x1 … #x7 for one user, with a “Select All” checkbox, “Keep” and “Next” buttons, and pages 1, 2, 3)

Presenter Notes
IGA 1.x concentrated on delivering automation and tracking around the review process, but didn’t do much to reduce the burden on the business, as 1.x simply carried forward the manual process in which each account and entitlement is reviewed individually. Additionally, the review items were in IT language and had little meaning to the business. The result was information overload, which inevitably led the person completing the review to select all, click Keep, then Next. While this technically meets the requirement, it falls way short of addressing its intent and achieves little more than shifting the blame around the business.

Identity Governance & Administration 1.x: Cons…
• No Decision Support
• Requires Manual Intelligence Gathering

(Slide mock-up: the same list of Permission #1 … #x7, surrounded by the questions a reviewer has to answer for each item)
• Who approved these permissions?
• When did this person get these permissions?
• Are these direct assignments, or part of a role?
• Are these permissions normal?
• What do these permissions mean?
• Do these permissions violate any SoD policies?
• Is this person a privileged user?
• How did the person get these permissions?

Presenter Notes
The lack of decision support placed a large burden on the business, as the person completing the review had to carry out their own investigation for each review item in order to ascertain whether it was authorised and appropriate. Also, as the investigation was manual, there was usually nearly zero audit trail.

Identity Governance & Administration 1.x: Cons…
• It Does Not Significantly Reduce Risk

(Timeline: Review Campaign #1 – Collect, Review, Sign Off, Certified; a Change occurs; Review Campaign #2 – Collect, Review. The Risk Window between the change and the next review: ~6 months?)

Identity Governance & Administration 1.x: Cons…
• The Role Mining Myth
  • It Looks Good in Demos
  • But…
    • Are All The Permission Assignments Correct? Appropriate? Accurate (Point in Time)?
    • Are The New Roles Appropriate? Do They Reflect The Business? Are They Close To Existing Roles?
    • Will Risk Be Accurately Represented?

Identity Governance & Administration 1.x: In Summary
• Delivers Automation & Review Oversight
• No Significant Reduction in Review Effort
• Lack of Decision Support
• No Reduction in Risk
• Review Items Usually Out Of Date
• Select All, Keep, Next!
• Role Mining Is Not The Answer

Identity Governance.NextGen: Five Steps to Efficient Identity Governance

Step One – Curation: Make Sense of What You Have…
• Identity Centric
• Review at Macro Level
• Authorised Roles Can Be Excluded From Reviews
• Concentrate on Exceptions (White Listing)

Step Two – Reduce the Noise: Business Roles…
• Membership Expression Automates Assignment
• Contains Permissions, Technical Roles & Applications
• Role Items Are Mandatory / Optional
• Can Be Authorised at the Role, or More Granular with Time Limits

Step Two – Reduce the Noise: Technical Roles…
• Capability Centric
• Review at Macro Level
• Assignment Is Based on Permissions Assigned

Step Two – Reduce the Noise: Working with Roles…
(Screenshot slide)

Step Two – Reduce Noise Without Increasing Risk: Risk-Based Reviews…
• Concentrate on High Risk Access
• Review Everything Else Less Often… If At All… Or On Change
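Steps One and Two above, as an added example that is not part of the presentation: the identities, the business roles with their membership expressions, the SoD policy and the risk rating table are constructed sample data, and the review-item model is a deliberate simplification of what an IGA product stores. It goes slightly beyond the slides by also reporting mandatory role access an identity is missing (a provisioning gap) next to the curated review items, and by never letting a role whitelist a permission that takes part in an SoD violation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessRole:
    """A business role: a membership expression plus the access it authorises."""
    name: str
    membership: dict                    # attribute -> required value (membership expression)
    mandatory: frozenset                # access every member must hold
    optional: frozenset = frozenset()   # access a member may hold without an exception


@dataclass
class Identity:
    uid: str
    attrs: dict          # HR attributes the membership expression is evaluated against
    permissions: set     # access collected from connected applications


# Constructed sample data (not taken from the presentation).
ROLES = [
    BusinessRole("AP Clerk", {"dept": "Finance", "job": "AP Clerk"},
                 frozenset({"SAP:Create_Vendor", "SAP:View_Invoice"}),
                 frozenset({"Wiki:Read"})),
    BusinessRole("Engineer", {"dept": "Engineering"},
                 frozenset({"Git:Push"}), frozenset({"Wiki:Read"})),
]
SOD_POLICIES = [("SAP:Create_Vendor", "SAP:Pay_Vendor")]   # a toxic combination
RISK = {"AD:Domain Admins": "high", "SAP:Pay_Vendor": "high",
        "SAP:Create_Vendor": "medium", "Git:Push": "medium",
        "SAP:View_Invoice": "low", "Wiki:Read": "low", "Jira:Browse": "low"}
IDENTITIES = [
    Identity("alice", {"dept": "Finance", "job": "AP Clerk"},
             {"SAP:Create_Vendor", "SAP:View_Invoice", "Wiki:Read"}),
    Identity("bob", {"dept": "Finance", "job": "AP Clerk"},
             {"SAP:Create_Vendor", "SAP:View_Invoice", "SAP:Pay_Vendor"}),
    Identity("carol", {"dept": "Engineering"},
             {"Git:Push", "AD:Domain Admins", "Wiki:Read"}),
    Identity("dave", {"dept": "Engineering"}, {"Wiki:Read", "Jira:Browse"}),
]


def member_of(role, ident):
    """Evaluate the role's membership expression against the identity's attributes."""
    return all(ident.attrs.get(k) == v for k, v in role.membership.items())


def role_authorised(ident, roles):
    """Access explained by the identity's roles, and mandatory access it lacks."""
    auth, missing = set(), set()
    for role in roles:
        if member_of(role, ident):
            auth |= role.mandatory | role.optional
            missing |= role.mandatory - ident.permissions
    return auth, missing


def sod_violations(permissions, policies):
    return [(a, b) for a, b in policies if a in permissions and b in permissions]


def review_items(ident, roles=ROLES, policies=SOD_POLICIES, risk=RISK, include_low=False):
    """Curated review items for one identity.

    Role-authorised access is whitelisted and excluded; the reviewer only sees
    exceptions. Low-risk exceptions are deferred unless include_low is set.
    Anything that is part of an SoD violation is always reviewed, even when a
    role authorises it (a role must never silently approve a toxic pair).
    """
    auth, missing = role_authorised(ident, roles)
    in_violation = {p for pair in sod_violations(ident.permissions, policies) for p in pair}
    items = []
    for perm in sorted(ident.permissions):
        reasons = []
        if perm in in_violation:
            reasons.append("sod")
        if perm not in auth:
            reasons.append("exception")
        if not reasons:
            continue                       # explained by an authorised role
        level = risk.get(perm, "medium")   # unrated permissions default to medium (assumption)
        if level == "low" and "sod" not in reasons and not include_low:
            continue                       # risk-based: low-risk access reviewed less often
        items.append({"permission": perm, "risk": level, "reasons": reasons})
    return {"uid": ident.uid, "items": items, "missing_mandatory": sorted(missing)}


def campaign(identities, **kwargs):
    """Run the curation over a population; report raw vs. curated item counts."""
    results = {i.uid: review_items(i, **kwargs) for i in identities}
    return {
        "raw_items": sum(len(i.permissions) for i in identities),    # 1.x: every assignment
        "review_items": sum(len(r["items"]) for r in results.values()),
        "per_identity": results,
    }


if __name__ == "__main__":
    summary = campaign(IDENTITIES)
    print(f"{summary['raw_items']} raw assignments -> {summary['review_items']} review items")
    for uid, r in summary["per_identity"].items():
        print(uid, r["items"], "missing:", r["missing_mandatory"])
```

On this sample the eleven raw assignments a 1.x review would list collapse to three items: Bob's toxic pair and Carol's direct Domain Admins membership. Dave's low-risk direct Jira access only surfaces when `include_low=True`, which is how the "less often, if at all, or on change" cadence is expressed.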

Step Three – Make Informed Decisions: Context-Based Decision Support…

(Screenshot: a review item with panels for Person Details, Permission Details, Permission Relationship and Usage Guidance)

Step Four – Close the Risk Windows: Event-Based Reviews – High Risk Group Example…

• Person Added to High Risk AD Group (e.g. Domain Admins)
• Detected by Change Guardian
• Alert Raised
• Alert Event Triggers a Review of the User
• Complete Fulfilment (If Required)
• Store Decision (for Audit)

Near Real-Time Window of Risk: the exposure lasts from the alert to the decision, rather than until the next scheduled campaign.
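The event-based flow above, as an added example that is not the presentation's or Change Guardian's code: the events are constructed records shaped like the fields of Windows Security log entries. Event IDs 4728 and 4756 (a member was added to a security-enabled global or universal group) and their removal counterparts 4729 and 4757 are real; the high-risk group list, the review record, the reviewer names and the decision timestamps are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Groups whose membership changes open a review immediately (assumption; tune per estate).
HIGH_RISK_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Windows Security event IDs for a member added to a security-enabled group:
# 4728 = global group, 4756 = universal group. 4729/4757 are the matching removals.
GROUP_ADD_EVENTS = {4728, 4756}

# Constructed sample events, shaped like the fields of the real Security log records.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2017-03-21T09:15:02Z", "SubjectUserName": "svc_hrsync",
     "TargetUserName": "Finance-Share-RW",
     "MemberName": "CN=Alice Adams,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2017-03-21T09:16:40Z", "SubjectUserName": "jdoe-adm",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=Bob Smith,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4756, "TimeCreated": "2017-03-21T09:17:05Z", "SubjectUserName": "jdoe-adm",
     "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=Carol Jones,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4729, "TimeCreated": "2017-03-21T09:18:00Z", "SubjectUserName": "jdoe-adm",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=Bob Smith,OU=Staff,DC=corp,DC=example"},   # a removal: no review
]


@dataclass
class Review:
    review_id: str
    member: str
    group: str
    added_by: str
    occurred: datetime
    status: str = "open"
    decision: Optional[str] = None
    decided_by: Optional[str] = None
    decided_at: Optional[datetime] = None
    audit: list = field(default_factory=list)   # (event, timestamp, detail) for auditors


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def common_name(dn):
    m = re.match(r"^CN=([^,]+)", dn)
    return m.group(1) if m else dn


def is_high_risk_add(event):
    return event["EventID"] in GROUP_ADD_EVENTS and event["TargetUserName"] in HIGH_RISK_GROUPS


def open_reviews(events):
    """Turn each high-risk group addition into a review of that member."""
    reviews = []
    for n, ev in enumerate(filter(is_high_risk_add, events), start=1):
        r = Review(f"EVT-{n:04d}", common_name(ev["MemberName"]), ev["TargetUserName"],
                   ev["SubjectUserName"], parse_time(ev["TimeCreated"]))
        r.audit.append(("opened", r.occurred.isoformat(), f"added by {r.added_by}"))
        reviews.append(r)
    return reviews


def record_decision(review, decision, reviewer, when, comment=""):
    """Store the reviewer's decision (for audit) and return any fulfilment action."""
    if decision not in {"keep", "revoke"}:
        raise ValueError("decision must be keep or revoke")
    review.decision, review.decided_by, review.decided_at = decision, reviewer, when
    review.status = "closed"
    review.audit.append((decision, when.isoformat(), f"{reviewer}: {comment}"))
    if decision == "revoke":
        return {"action": "remove_member", "member": review.member, "group": review.group}
    return None


def risk_window_seconds(review):
    """How long the access existed before a decision was recorded."""
    end = review.decided_at or datetime.now(timezone.utc)
    return (end - review.occurred).total_seconds()


if __name__ == "__main__":
    for r in open_reviews(SAMPLE_EVENTS):
        action = record_decision(r, "revoke", "it.security",
                                 parse_time("2017-03-21T10:16:40Z"), "no change ticket")
        print(r.review_id, r.member, r.group, action, risk_window_seconds(r) / 60, "min")
```

Two details matter in practice: the removal event (4729) must not open a review, or the workflow would page a reviewer for the very revocation it just requested, and the audit list has to capture who decided, when and why, because that is exactly what the Access Review report in Step Five is built from.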

Step Five – Demonstrating Governance: Tracking…

Step Five – Demonstrating Governance: Reporting…

Presenter Notes
There’s no point in being compliant unless you can demonstrate it! Reporting is often the Achilles heel, not just of governance offerings but generally across the board. Identity Governance.NextGen addresses these shortcomings in subtle ways which have proven rather effective. IG.NextGen delivers reporting via a centralised reporting capability. This delivers a number of benefits, such as:
• Standardised reporting across the IGA portfolio.
• Report updates are delivered by a different channel than solution updates, reducing time to fix.
• Reporting is delivered on a mature, proven platform.
Here we can see a few reports that are typically asked for by auditors:
• Access Review report, showing what decision was made, when it was made and by whom. It also shows any decision overrides and comments.
• Collection Overview. This shows the last collection of identities and application sources and demonstrates that the review was carried out using current information.
• SoD Open Violations Overview, which shows the current status of any open SoD violations. You can see from the report that there is currently one violation that is approved, which means that a compensating control has been applied, and a second violation that has not been reviewed.

Step Five – Demonstrating Governance: Analytics…

Presenter Notes
Analytics is at the heart of demonstrating governance. We have already seen analytics used to support the decision-making process by showing how a review item is currently being used by the business. Analytics can also be used to provide a dashboard “compliance at a glance” view. There are many metrics that can be placed on the dashboard; here is an example of a few.
• The first one shows information about data collection. An important part of demonstrating compliance is working with current data. Here we can see an overview of the identities, applications and permissions collected, including the last publication date.
• The next one shows the number of unmapped (orphaned) accounts by application. There seem to be a lot of unmapped accounts, which is not good, so I may want to take a look at that and work out why this is the way it is.
• Finally, we have a view of the number of unmapped accounts, the number of accounts per user and the percentage of unmapped accounts. This actually sheds some light on the previous view, as I can see a sudden spike in unmapped accounts, which could be the result of a new application being onboarded that has a problem with its account mapping.
So we can see how analytics can, firstly, quickly identify when there is a problem and, secondly, help identify the cause of a problem, all from one dashboard. This is yet another example of how Identity Governance.NextGen delivers unprecedented insight without increasing the burden on the organisation.
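The unmapped-account analytics described above, as an added example that is not from the presentation: the identities, the two monthly collections and the per-application correlation rules are constructed, and the 50% per-application threshold and the "more than doubled since the last collection" rule are assumptions a practitioner would tune. The scenario reproduces the case in the notes: a newly onboarded application (CRM) whose usernames do not match the identity attribute the rule expects.

```python
from collections import Counter

# Constructed sample data (not from the presentation).
IDENTITIES = [
    {"employeeId": "10001", "email": "alice@example.com", "sam": "alice"},
    {"employeeId": "10002", "email": "bob@example.com", "sam": "bob"},
    {"employeeId": "10003", "email": "carol@example.com", "sam": "carol"},
]

# Correlation rule per application: (account attribute, identity attribute, normaliser).
# Accounts that match no identity are "unmapped" (orphaned) accounts.
MAPPING_RULES = {
    "AD":  ("sAMAccountName", "sam",        str.lower),
    "SAP": ("PERNR",          "employeeId", str.strip),
    "CRM": ("Username",       "email",      str.lower),
}

# Two collections one month apart; CRM is onboarded in the second one.
COLLECTIONS = {
    "2017-02-20": {
        "AD":  [{"sAMAccountName": "alice"}, {"sAMAccountName": "bob"},
                {"sAMAccountName": "carol"}, {"sAMAccountName": "svc_backup"}],
        "SAP": [{"PERNR": "10001"}, {"PERNR": "10002"}],
    },
    "2017-03-20": {
        "AD":  [{"sAMAccountName": "alice"}, {"sAMAccountName": "bob"},
                {"sAMAccountName": "carol"}, {"sAMAccountName": "svc_backup"},
                {"sAMAccountName": "adm-bob"}],
        "SAP": [{"PERNR": "10001"}, {"PERNR": "10002"}, {"PERNR": "10004"}],
        "CRM": [{"Username": "ALICE@EXAMPLE.COM"}, {"Username": "bob.smith@example.com"},
                {"Username": "carol.j@example.com"}, {"Username": "dave@example.com"}],
    },
}


def map_accounts(snapshot, identities=IDENTITIES, rules=MAPPING_RULES):
    """Link each collected account to an identity; return per-app mapped/unmapped lists."""
    result = {}
    for app, accounts in snapshot.items():
        acct_attr, id_attr, norm = rules[app]
        index = {norm(i[id_attr]): i["employeeId"] for i in identities}
        mapped, unmapped = [], []
        for acct in accounts:
            key = acct[acct_attr]
            owner = index.get(norm(key))
            if owner:
                mapped.append((key, owner))
            else:
                unmapped.append(key)
        result[app] = {"total": len(accounts), "mapped": mapped, "unmapped": unmapped}
    return result


def app_stats(mapping):
    return {app: {"total": m["total"], "unmapped": len(m["unmapped"]),
                  "pct_unmapped": round(len(m["unmapped"]) / m["total"], 2)}
            for app, m in mapping.items()}


def dashboard(collections=COLLECTIONS, spike_ratio=0.5, **kwargs):
    """Compliance-at-a-glance: latest collection vs. the previous one, with spike flags."""
    dates = sorted(collections)
    latest = dates[-1]
    previous = dates[-2] if len(dates) > 1 else None
    cur = map_accounts(collections[latest], **kwargs)
    prev = map_accounts(collections[previous], **kwargs) if previous else {}
    cur_stats, prev_stats = app_stats(cur), app_stats(prev)
    per_identity = Counter(owner for m in cur.values() for _, owner in m["mapped"])
    flags = []
    for app, s in cur_stats.items():                      # per-application view
        if s["pct_unmapped"] >= spike_ratio:
            why = ("newly onboarded" if app not in prev_stats
                   else f"was {prev_stats[app]['unmapped']} last time")
            flags.append(f"{app}: {s['unmapped']}/{s['total']} accounts unmapped "
                         f"({why}); check the correlation rule")
    total_unmapped = sum(s["unmapped"] for s in cur_stats.values())
    prev_unmapped = sum(s["unmapped"] for s in prev_stats.values())
    if total_unmapped > 2 * max(prev_unmapped, 1):        # trend view: sudden spike
        flags.append(f"unmapped accounts jumped from {prev_unmapped} to {total_unmapped} since {previous}")
    return {"collected": latest, "previous": previous, "apps": cur_stats,
            "accounts_per_identity": dict(per_identity),
            "total_unmapped": total_unmapped, "flags": flags}


if __name__ == "__main__":
    import json
    print(json.dumps(dashboard(), indent=2))
```

The CRM flag is the useful one: three of four CRM accounts are orphaned not because they belong to leavers but because the rule matches on `email` while the application stores `firstname.lastname` style usernames, so the fix is to the correlation rule, not to the accounts. Genuine orphans (the SAP `10004` record, the `svc_backup` and `adm-bob` AD accounts) stay visible in the per-application counts for the review.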

Identity Governance.NextGen: In Summary
• Automates the Entire Review Process
• Efficiency Without Compromise: Curation, Roles, Risk-Based Review
• Enables the Business to Make Informed Decisions: Context-Based Decision Support
• Reduces Risk Exposure: Event-Based Reviews
• Easily Demonstrate Governance

Fundamentally… it delivers the promises made by Identity Governance & Administration 1.x.

www.microfocus.com