Think. Transform. Making the possible practical


Think. Transform. Integrated Identity Management and its Impact on Governance, Audit, and Security

October 2012

A forward look at the evolution of identity & access management and governance

Copyright © 2012 Deloitte Development LLC. All rights reserved. 2

Abstract

As audit, compliance, and regulatory requirements continue to drive organizational directives, organizations are looking for ways to increase the effectiveness of their business through a combination of security compliance initiatives and technology. In this session, Deloitte & Touche LLP discusses the evolution of Identity & Access Management (IAM). The focus of this session is to highlight the intersection of IAM and governance, and how IAM enables organizations to incorporate the management of risk and cost, while at the same time improving service and aligning IT investments to business requirements, all with the end goal of improving security compliance and the management of the identity within the organization.


Biography

John Lu, Senior Manager, Deloitte & Touche LLP

John is a Life Sciences Senior Manager in Deloitte & Touche LLP’s Enterprise Risk Services practice, specializing in the area of Security & Privacy Services. He has over twelve years of experience in information technology, information security, data privacy, and risk management, with a focus on Identity & Access Management. John’s experience encompasses a broad spectrum of engagement types, ranging from project management, policy development, current state assessment, strategy and roadmap development, requirements analysis and definition, vendor evaluation and selection, architecture and design, installation and configuration, testing, and knowledge transfer. In addition to his technical skills, John possesses strong technical writing, leadership, project management, and interpersonal skills.


Today’s agenda

Marketplace challenges

Evolution of IAM

Summary


Polling question

Which industry below best describes your organization’s primary focus?

• Financial Services

• Consumer Products

• Healthcare & Life Sciences

• Technology, Media & Telecommunications

• Oil & Energy

• Other

Marketplace challenges


Organizations continue to face a myriad of challenges

(Diagram: the Enterprise at the centre, surrounded by five challenge areas.)

Business Facilitation
• Mergers and acquisitions impact organizational technology strategies
• Technology and regulatory challenges due to globalization initiatives

Operational Efficiency
• There is a need to manage user accounts and passwords centrally to reduce operational overheads
• Organizations have issues with respect to provisioning access to users in a timely fashion to increase productivity

Cost Containment
• Cost cutting measures cause difficulty in maintaining current performance levels and SLAs
• Increased management skepticism associated with IT spending

Risk Management
• No single view exists of the organization’s control, security, and privacy requirements and operating framework
• Challenges in responding to and addressing audit and regulatory issues

Compliance
• Changes in existing regulations and an increase in new regulations are creating compliance challenges
• Cross-boundary regulatory needs are causing organizations to rethink compliance strategies


Including the struggle to manage access rights, both within and across applications

(Diagram: Directors, Business Analysts and Technical Analysts each go through a separate Manual Request Process to obtain access to Application 1, Platform A, Application 2, System X and Application 3.)


Resulting in issues that are prevalent across various industries

“On average, workers receive 35% more access rights than needed” – Insider Threat

Insider threat categories: Sabotage; Espionage; Abuse of privileges; Theft of proprietary data; Data altering / deletion; Financial fraud

Examples:
• Global Financial Services Organization: System administrator sabotages corporate network, then made financial bets that the company's stock would tank as a result
• Healthcare Provider: Employee accused of selling 2,000 patients' data & accessing nearly 50,000 records illegitimately
• Chemical Manufacturer: Employee gains access to R&D documents unrelated to job – compromises multiple millions in trade secrets
• National Grocery Chain: Regional manager steals millions of dollars by manipulating the accounting system with dummy accounts
• Global Financial Services Organization: Former contractor steals Social Security numbers and other personal information from regional customers
• Government Agency: Disgruntled contractor sabotages several government agency servers

Contributing trends: Hacking as a business; Proliferation of data via mobile platforms; Abuse of privileges; Theft of proprietary data; Changing regulatory environment


These issues have resulted in a steadily increasing risk gap

Information security risks increase as the organization and technology evolve. Necessary changes will help close the current gap, as well as position Merck to respond to future risks in a practical, cost-effective way.

(Chart: Risks versus Time; the gap between typical organization capabilities and the risk level widens over time.)

Trends in the market
• Proliferation of data through the use of mobile devices
• Excessive access rights and management of privileged accounts
• Externalization and sharing of data with individuals, organizations, etc.
• Move to cloud-based solutions (salesforce.com; Workday)
• Advanced persistent threats and other advanced cyber attacks (hacking as a business; cyber espionage)
• Attacks via social networks
• Shortened product development lifecycles and rush to market
• Difficult global economic environment


As a result, organizations have shifted towards enabling technology to meet these challenges

Business Drivers
‒ Regulatory compliance
‒ Customer demands and new product sets
‒ Ever-changing business requirements
‒ Mergers, acquisitions, divestitures
‒ Globalization
‒ Intellectual property

Technology Drivers
‒ Number of internal and external users
‒ Distributed enterprise
‒ IT investment ROI
‒ Disparate applications and devices
‒ Rapid expansion
‒ Outsourced IT

Modern Enterprise: Contain Costs; Manage Risk; Improve Service; Align IT Investments

Evolution of IAM


Polling question

How many digital identities do you have? (*Hint: Think about business identities

AND personal identities)

• 0

• 1 - 3

• 4 - 7

• 8 - 10

• More than 10

• Don’t know / Not applicable


What is an identity?

An “identity” is both a real world concept and a digital artifact.

(Diagram: a User and the User’s Digital ID, made up of the elements below.)

User Identity:
• First Name, Last Name, Unique Identifier, Date of Birth

Account Credentials:
• Login ID and password
• SecurID card, other strong authentication factors

Common Profiles:
• Job Functional Roles
• Business Unit
• Office Location
• Manager/Supervisor

Application Profiles:
• Permission levels
• Access control items

(Screenshot: a Windows SharePoint Services (version 3) permission-level matrix showing which permissions – View Items, Open Items, Delete Items, View Versions, Delete Versions, Cancel Checkout, Approve Items, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts – belong to the Limited Access, Read, Contribute, Design and Full Control levels, and which are new in that version.)

Identity populations:
• Internal employees
• Third-parties/vendors
• External resource collaboration


Identity & access management utilizes a combination of process and technology to protect those identities

(Diagram: Identities → Role → Functions / Privileges → Systems)
• Roles: Supervisor; Manager; Administrator; Base access
• Functions / Privileges: Application access; System resources; Database tables; Approve invoices; Monitor transactions
• Systems: ERP; Directories; Mainframes; Email; Portals


Streamlining the administration of users and their corresponding access rights

(Diagram: Contractors, Business Partners and Customers are assigned the Supervisor Role, Business Analyst Role or Technical Analyst Role through an Integrated IAM Solution, which in turn provisions access to Application 1, Platform A, Application 2, System X and Application 3.)


Providing a standards-based framework for managing digital identities throughout the identity lifecycle

Relationship begins → Request System Access → Provision Access → Maintain & Control Access → Terminate Access → Relationship ends

Request System Access
• Identity is created as the first step of on-boarding employees, contractors or business partners
• Identity is created in Authoritative Sources such as PeopleSoft HR

Provision Access
• User accounts are set up for each of the resources the user will access
• Initial access permissions and rules are set up on each resource
• Self-Service Registration

Maintain & Control Access
• User Life Cycle Management:
– Access Request
– Promotion/Transfer
– Status change
– Approvals
• Role Life Cycle Management
– Role Approval
– Role Assignment
• Access Management
– User Authentication
– User Authorization
• Audit
– User Access Review
– User Access Recertification
– Approver Actions
– Administrator Actions

Terminate Access
• Removing user access permissions from all managed resources
• Scheduled User Termination
• Unscheduled User Termination
• Archive user identity



Polling question

Does your organization utilize an IAM solution?

• Um… what is IAM?

• No, and we do not plan to

• No, but we are going to implement one in the future

• Yes, but it is not effective

• Yes, and it is great!


IAM has been a key enabling technology for many years

Governance and Business Processes
• User and role lifecycle management
• IAM organization, roles & responsibilities

Information and Data Protection
• Risk management policies and controls
• Digital IDs, data flow, and reporting

Technology and Infrastructure
• Administration and audit tools
• Provisioning, access management, and repositories


During that time IAM has been a core component to securing the enterprise

Integrated IAM has become a business requirement. Technology enables business to access applications and data in more ways than ever before.

Security is localized (“Exposures are limited and controllable”)
• Security is contained within the geographical location of the organization
• Employees don’t change jobs as often and there is job loyalty
• Scope is limited to the organization

Security viewed as a cost (“Security is viewed as a risk mitigation cost”)
• Risk mitigation techniques are used to reduce risk
• Network security is viewed as “the silver bullet”
• Attacks increase as channels of access to data increase
• Scope is broader than the organization; it reaches the globe, including business partners, customers, employees, etc.

Security is a business requirement (“People expect security”)
• Security breaches most commonly occur due to inappropriate user access
• Integrated IAM becomes the focal point for controlling the technologies that enable business
• People don’t do business with insecure organizations
• Security breaches are now top news stories

(Chart: Business Value of Application Security, rising over the timeline Late 80s, Early 90s, Mid 90s, Late 90s, Early 00s, Now.)

Timeline milestones, in order:
• Host based access control and OS and file system level security controls
• Distributed systems and access control and cryptography
• Regulations (escrow, etc.)
• Internet as a channel
• Security is perceived as a cost
• Network security is expected from organizations
• Privacy legislation such as HIPAA standards for health records, and the Gramm-Leach-Bliley Act for FIs
• Lack of security is a legal exposure
• Identity Solutions begin to gain market attention
• Fines and security incidents around Identity and access management begin to gain media attention
• Integrated IAM concept is born to encompass the protection of assets across the enterprise


Evolving to not only protect, but also enable the business

(Diagram: integrated IAM capability areas – Identity Lifecycle Management (IdLM), Enterprise Role Lifecycle Management (ERLM), Identity federation, SOA security, Cloud computing, and Integrated identity & access management.)

• Improves efficiency of privilege management
• Improves security and compliance
• Supports seamless integration with identity & access management solutions
• Supports single sign-on of traditional web application and web services technologies
• Provides improved alliances and cooperation between organizations
• Helps reduce cost and comply with regulations
• Encompasses the integration between cloud computing and IAM
• Enables management and provisioning of user accounts
• Provides workflow based approval
• Enables management of user privileges
• Enables seamless single sign-on to the web services
• Provides centralized authentication and authorization decisions
• Encompasses privacy and other data protection requirements
• Incorporates data leakage prevention/protection
• Integrates privacy requirements with IAM


Resulting in organizations relying on integrated IAM solutions to address business challenges

Integrated IAM Solution
• Current manual, fragmented approaches are not sustainable
• Existing technology is not adequately used to support governance, risk, and compliance
• Executives lack a complete picture of risks and costs – a situation exacerbated by fragmented approaches to compliance, risk and performance management
• Leaders are looking to comprehensive, integrated IT solutions to improve the efficiency and effectiveness of compliance
• Leaders are expecting technology to reduce cost and improve effectiveness

(Diagram: various organizational challenges – Regulatory Compliance, Strategic Initiatives, Legal Requirements, ORM, Information Security, Internal Policies and Business Unit Requirements – each spanning People, Process, Governance and IT & Data, feeding into the Integrated IAM Solution.)

Summary


Integrated IAM continues to evolve – Future trends for consideration

As business strategies and organizational directives continue to change, integrated IAM solutions will evolve and expand to enable the business.

• Consolidated move towards IAM suites

• Externalization of identities/Identity-as-a-Service (e.g., Verizon, Google, Facebook, Apple, Microsoft)

• Adoption of cloud based solutions raises the importance of integrated IAM

• Mobile security/mobilization (e.g., bring your own device, iPads/iPhones, Android devices)

• Finer-grain entitlement management (i.e., taking into account location, type of resource, type of access, amount of access, time of access, etc.)

• Expansion of consumer solutions for proofing and verification


Impact to Audit and Compliance

As integrated IAM continues to evolve and expand within the enterprise, the impact to audit and

compliance increases:

• Automated provisioning, modifications, and de-provisioning

• Trigger and/or risk-based reviews

• Closed loop provisioning with workflow to enable audit trails

• Access governance – Quickly and easily understand who has access to what

• Privileged account management

• Metrics, metrics, metrics…
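The identity lifecycle described earlier (request, provision, maintain & control, terminate) and the closed-loop provisioning and "who has access to what" points in the list above, worked through as an added Python example that is not part of the Deloitte deck. The role-to-entitlement mapping, the class names and the permission strings are constructed for illustration; the role and resource names follow the slides.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Constructed role model: role -> (resource, permission) pairs. Role and resource
# names follow the slides; the permission strings are assumptions.
ROLE_ENTITLEMENTS = {
    "Business Analyst": {("ERP", "approve invoices"), ("Portal", "read")},
    "Technical Analyst": {("Mainframe", "system resources"), ("ERP", "database tables")},
    "Supervisor": {("ERP", "approve invoices"), ("ERP", "monitor transactions")},
}
BASE_ACCESS = {("Directory", "login"), ("Email", "mailbox")}  # held by every active identity

@dataclass
class Identity:
    uid: str
    roles: set
    status: str = "active"  # mirrors the authoritative (HR) source
    entitlements: set = field(default_factory=set)  # what is actually provisioned

class IntegratedIAM:
    """Closed-loop provisioning: every grant and revoke is derived from roles and logged."""
    def __init__(self):
        self.identities = {}
        self.audit_log = []  # the audit trail that access reviews and auditors read

    def _log(self, action, uid, detail, actor):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                               "uid": uid, "detail": detail, "actor": actor})

    def expected(self, ident):
        """Base access plus the union of the identity's roles; nothing once terminated."""
        if ident.status != "active":
            return set()
        return BASE_ACCESS | set().union(*(ROLE_ENTITLEMENTS[r] for r in ident.roles))

    def reconcile(self, uid, actor="iam-engine"):
        """Grant what the roles require, revoke what they do not; returns (granted, revoked)."""
        ident = self.identities[uid]
        want = self.expected(ident)
        granted, revoked = want - ident.entitlements, ident.entitlements - want
        for action, ents in (("grant", granted), ("revoke", revoked)):
            for ent in sorted(ents):
                self._log(action, uid, ent, actor)
        ident.entitlements = want
        return granted, revoked

    def onboard(self, uid, roles, actor="hr-feed"):
        """Request + Provision: identity created from the authoritative source, then provisioned."""
        self.identities[uid] = Identity(uid, set(roles))
        self._log("create", uid, sorted(roles), actor)
        return self.reconcile(uid, actor)

    def change_roles(self, uid, roles, actor):
        """Maintain & Control: a promotion or transfer updates roles and re-reconciles access."""
        self.identities[uid].roles = set(roles)
        self._log("role-change", uid, sorted(roles), actor)
        return self.reconcile(uid, actor)

    def terminate(self, uid, actor="hr-feed"):
        """Terminate: status flips and reconcile strips access from every managed resource."""
        self.identities[uid].status = "terminated"
        self._log("terminate", uid, None, actor)
        return self.reconcile(uid, actor)

    def access_review(self):
        """Audit: access no current role justifies (excess rights, out-of-band grants)."""
        return {i.uid: sorted(i.entitlements - self.expected(i))
                for i in self.identities.values() if i.entitlements - self.expected(i)}
```

An entitlement added directly on a target system (bypassing the engine) shows up in `access_review()` as excess until a role change justifies it or reconciliation revokes it; every step is visible in `audit_log`.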


Recommended Practices

Successful integrated IAM implementations are dependent on the ability to get the project moving, effectively completing foundational elements, and institutionalizing the solution throughout the enterprise.

Executive Sponsorship
• Integrated IAM projects cross organizational boundaries and require strong sponsorship to set direction and priorities
• Governance function with engaged stakeholders from management, business, Information Technology is challenging to establish, but vital for the long-term

Business Focus
• Achieve clarity on the business challenges being addressed by the Integrated IAM solution
• Identify business drivers – Compliance, Risk Management, Cost Control, Business Facilitation – based upon enterprise needs and determine priority with stakeholders

Change Leadership
• Obtaining organizational buy-in for moving to enterprise Integrated IAM is an exercise in diplomacy
• Integrated IAM implementations are about people and organizations, about re-engineering processes for managing user access to business information resources


Recommended Practices (continued)

Value Delivery
• Initial Integrated IAM projects should deliver "quick wins" to build business support for continuing the Integrated IAM program
• The “big-bang” implementation approach is unlikely to build the stakeholder trust and involvement required for continuing Integrated IAM maturity

Identity Definition
• Define identity populations (such as employees, contractors, business associates, and customers)
• Establish required identity characteristics and required data attributes
• Establish authoritative sources for identity information
• Define requirements associated with role-based access controls

Technology Integration
• Determine point of diminishing returns for automated and manual processes
• Pilot the implementation to prove the solution
• Implement the solution by delivering in phases (top value first)
• Test performance and functionality

Integrated IAM Experience
• Integrated IAM projects have unique characteristics, so domain experience is vital
• Integrated IAM projects are complex, and demand effective managers who can not only track schedule and budget, but effectively communicate with a diverse set of stakeholders and make sure everyone is pulling in the same direction.


Integrated IAM solutions address strategic business challenges utilizing a holistic approach

Integrated IAM addresses business-focused challenges, enabling organizations to efficiently and effectively support the enterprise.

(Diagram: benefits grouped under Business Facilitation, Risk Management, Regulatory Compliance, Operational Efficiency and Cost Containment.)

• Efficient processes and lower administrative overheads
• Reduced cost of audits through automated processes and technical controls
• Flexibility to enforce compliance with new and changing regulations
• Implement automated controls and review them periodically
• Centralized management of risk leveraging consistent technologies and processes
• Enforce enterprise risk management policies and protect sensitive assets
• Enable collaboration with business partners securely
• Improved user experience for customers and employees alike
• Consistent, repeatable processes used throughout the organization for user management
• Extensive automation that reduces the amount of manually intensive activities

About Deloitte

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2012 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited