
Preventing Entitlements Creep with Identity Governance

View on-demand webinar: https://securityintelligence.com/events/preventing-entitlements-creep-with-identity-governance/#.VcyoPVNViko

What happens when an employee transfers to a new role within your organization? In almost every case, the employee will get access to new systems and applications as part of their new role. But are you removing access to systems that employees no longer need? When someone moves from finance to HR, do they still need access to financial systems? Are you proactively ensuring your employees are not aggregating unnecessary entitlements? This is known as entitlements creep, and it is a growing problem. When users have unnecessary access, attackers can more easily gain access to sensitive systems. One of the simplest ways to secure your environment is to prevent entitlements creep. During this presentation, you will learn how you can automate the process of auditing user access and discovering unnecessary access in your organization.
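An added example, not taken from the presentation or from any IBM product: a sketch of the access audit described above, which flags business activities left over after a role change and rejects a request that would complete a toxic combination. The entitlement strings, role names and sample user are constructed; the business activity names are the ones used in the slides.

```python
# Added illustration: all entitlement strings, roles and users are constructed.

# Business activity -> IT entitlements that grant it (hypothetical mapping).
ACTIVITY_ENTITLEMENTS = {
    "Create Orders": {"ERP:PO_CREATE"},
    "Approve Orders": {"ERP:PO_APPROVE"},
    "View Accounts Payable": {"ERP:AP_READ"},
    "Update Payroll": {"HR:PAYROLL_WRITE"},
}
# SoD rules are written on business activities, not on raw entitlements.
SOD_RULES = {frozenset({"Create Orders", "Approve Orders"})}
# Activities each role is expected to perform (hypothetical baseline).
ROLE_ACTIVITIES = {
    "finance_clerk": {"Create Orders", "View Accounts Payable"},
    "hr_specialist": {"Update Payroll"},
}

def activities_for(entitlements):
    """Business activities that a set of entitlements fully grants."""
    return {a for a, needed in ACTIVITY_ENTITLEMENTS.items()
            if needed <= entitlements}

def review_user(current_role, entitlements):
    """Report access that no longer matches the user's current role."""
    held = activities_for(entitlements)
    known = set().union(*ACTIVITY_ENTITLEMENTS.values())
    return {
        # Activities still held but not part of the current role.
        "creep": sorted(held - ROLE_ACTIVITIES[current_role]),
        # Entitlements no business activity explains; need manual review.
        "unmapped": sorted(entitlements - known),
        # Toxic combinations the user already holds.
        "sod_violations": sorted(tuple(sorted(r)) for r in SOD_RULES
                                 if r <= held),
    }

def check_request(entitlements, requested_activity):
    """Deny a request that would complete a toxic combination."""
    after = activities_for(entitlements) | {requested_activity}
    conflicts = sorted(tuple(sorted(r)) for r in SOD_RULES
                       if requested_activity in r and r <= after)
    return ("DENIED", conflicts) if conflicts else ("APPROVED", [])

if __name__ == "__main__":
    # Constructed user: moved from finance to HR, finance access never removed.
    moved = {"ERP:PO_CREATE", "ERP:AP_READ", "HR:PAYROLL_WRITE",
             "CRM:LEGACY_EXPORT"}
    print(review_user("hr_specialist", moved))
    print(check_request({"ERP:PO_CREATE"}, "Approve Orders"))
```

Because the rules are expressed per business activity, one rule covers every entitlement combination that grants the two activities.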
Published on: Mar 4, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Preventing Entitlements Creep with Identity Governance

  • 1. Preventing Entitlements Creep: How Identity Governance Can Help. Nick Oropall and Matt Ward, IBM Security. © 2015 IBM Corporation
  • 2. What is ‘entitlements creep’?
      - As organizations grow/change and as users change roles, user access will change
      - Users are constantly adding access and entitlements; they are rarely being taken away
      - Management doesn’t understand their users’ access and doesn’t want to take away important entitlements
    How does it affect your organization?
      - Can make your organization less secure
      - Users can begin to gain entitlements that constitute a separation of duties violation
      - If not properly managed, this could lead to an accidental or intentional internal security breach
  • 3. Identity Intelligence: Collect and Analyze Identity Data. Organizations are seeking a business-driven approach to Identity Governance and Intelligence.
      - Administration: Cost savings; Automation; User lifecycle; Key on premise applications and employees
      - Analytics: Application usage; Privileged activity; Risk-based control; Baseline normal behavior; Employees, partners, consumers – anywhere
      - Governance: Role management; Access certification; Extended enterprise and business partners; On and off-premise applications
    How to gain visibility into user access? How to prioritize compliance actions? How to make better business decisions?
    Identity and Governance Evolution (1, 2, 3)
  • 4. The dependencies of traditional identity governance: Business activities vs. Entitlements
      - Application Entitlements: ERP, CRM, Mainframe, HR
      - IT Security Manager: Provides information regarding who has which entitlements. Who SHOULD have which entitlements?
      - Auditor: Identifies what business activities cause SoD violations (toxic combinations). Which entitlements cause toxic combinations?
      - Business Manager: Understands what business activities employees need. Which entitlements grant access to which business activities? Requests employee IT entitlements from IT Security Manager. Receives list of entitlements based on IT Security Manager’s request.
  • 5. The Pain Chain (diagram with six numbered steps)
      - Roles: CFO, CEO, COO; Auditors; IT Security; Application Managers; Business Manager
      - “Are we properly managing user access? Will our security controls pass the next audit?”
      - “Could you prove that John Smith has ‘appropriate’ permissions for his job?”
      - “Can you confirm that John Smith has the proper access?”
      - “I can tell you what access John has – I can’t tell if it’s appropriate”
      - “Can you confirm that John Smith has the proper entitlements?”
      - “I could… If I was technical enough to understand all these IT details…”
  • 6. Bridging Business, Auditor and IT points of view. Business-Centric SoD mapping to simplify access request and certification.
      - Business Activities: View Accounts Payable; Create Sales Record; Create Purchase Order; Update Payroll
      - IT Roles and Entitlements: Mainframe, CRM, ERP, HR
      - Map business activities to IT roles and entitlements
  • 7. Introducing IBM Security Identity Governance and Administration. Delivering actionable identity intelligence.
      - Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
      - Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
      - Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
      - In-depth SAP and RACF Governance with Segregation of Duties (SoD), access risk and fine-grained entitlements reviews
      - Easy to deploy virtual appliances for multiple customer adoptions: Standalone Identity Governance; Integrate and modernize legacy Identity management with integrated governance and administration
    Diagram labels: Identity Governance and Administration Platform (VIRTUAL APPLIANCE); Common Integration Adapters; IT Security Team; Auditors / Risk Managers; LoB Managers / Employees; Cloud Computing; Mobile; Applications; Desktop and Server; Data; Mainframe; Access Fulfillment; Self Service Portal; Risk/Access Visibility; Access Certification
  • 8. Key Use Cases
  • 9. Activity driven access request management. Simplify self-service access request for managers and employees.
      - Self-service, shopping cart interface
      - “Speaks” business language but also understands the IT and application roles
      - Automatically detects segregation of duties (SoD) conflicts
      - Saves time, while ensuring proper and compliant user access
    End User: “I have a new assignment, I need to be able to Approve Orders.”
    Business Manager: “Jane Doe is now on my team and needs to be able to Approve Orders”
    “Jane Doe can also Create Orders and that is a segregation of duties violation”
    APPROVED / DENIED
  • 10. Review Access with Risk Identification
      - Easily identify risk
      - Review and remediate toxic combinations
    Business readable access risk
  • 11. Highly usable end user interface for easy user recertification. LOB Review Access.
      - Support business managers in requesting & certifying their own staff’s access
  • 12. Business centric access certification. Enables business managers to quickly review employee access and take action.
      - Focused, risk-driven campaigns
      - Managers can understand exactly what access they are certifying and why
      - Same simple look and feel regardless of role within the organization
      - Ability to execute multi-step approval workflows
    Business Manager: “Does John Smith still need to open Sales Opportunities? SalesConnect is a CRM tool used by the sales team to effectively communicate with clients and track ongoing projects.”
      - NO: John is no longer on the Sales team
      - NOT SURE: Please delegate to Jane Doe
      - YES: John still needs access
  • 13. Identity and Access Intelligence – Identifying outliers. Risk driven access certification using ‘Heat maps’.
  • 14. Visual analytics – Risk Scoring. Model and Measure Operational Risk.
      - Model, measure and trend risks across several datasets (OU, Applications)
      - Allows for ‘Risk driven’ access certification using ‘Heat maps’
  • 15. CLIENT EXAMPLES: Identity Governance and Administration Results
      - SoD Simplification: Multinational manufacturer manages over 430M potential entitlement conflicts with only a few hundred segregation of duty rules
      - Governance: Large European insurance and financial services firm governs access to 75,000 employees, agents, privileged users by identifying access risks, segregation of duty, and certifying access for SAP, AD, mainframe, and custom-built apps
      - Audit Access: Large European designer found almost 80% of users had unnecessary access after leveraging the “last usage” information in their automated controls set
  • 16. Other Solution Highlights
  • 17. Visual Analytics – Role Mining. Discover & Build Roles.
      - Visual Role Mining
      - Create new Roles or optimize existing ones
  • 18. Segregation of Duties Management for SAP
      - Extends fine-grained SoD controls to SAP (users and roles)
      - One governance platform for SAP and non-SAP applications
  • 19. Identity Governance on the Mainframe
      - Extends fine-grained SoD controls to the mainframe-specific data model
      - Provides Access Review and Request Management capabilities
  • 20. Extend SIM with SIG Governance Capabilities
  • 21. Integrated Governance and Identity Lifecycle Management: 4 Key Use Cases are a) Access Review and Reporting Visibility, b) Access Request Management, c) Segregation of Duty Controls and d) Role Management and Intelligence
  • 22. IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration. Source: Gartner (January 2015).
    Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA): “The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.” Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015, Report #G00261633.
    This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • 23. IBM Security offers a comprehensive product portfolio
      - QRadar Log Manager
      - QRadar Security Intelligence
      - QRadar Risk Manager
      - QRadar Vulnerability Manager
      - QRadar Incident Forensics
  • 24. © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. 
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. THANK YOU www.ibm.com/security
