myths, failures and the future of identity governance
TRANSCRIPT
© 2015 IBM Corporation
IBM Security
Myths, Failures and the Future of Identity Governance
Andy Land
Director of Products
Myth #1: Identity Governance projects are long and painful
In the past, identity governance projects have been categorized as a long, painful process
– Weeks/months of meetings and 3rd party consulting fees
Long implementations that rarely get 100% complete
Lots of time spent turning the information into actionable items
Inability to determine “who approved what and when”
A Business-Centric Approach Can Have Governance in Place in a Matter of Months Rather Than Years
Business-centric activity based roles can speed up the processes
The right governance solution can bring intelligence out of the box
Bridging the communication gap facilitates collaboration between necessary parties
Ability to translate audit rules into actionable controls
When implemented, automation and repeatability speed up the processes
Myth #2: IT and the Audit Team Speak the Same Language
IT and audit are often speaking very different languages
– Auditors speak in business-centric language
– IT staff speak in terms of specific IT entitlements
Who “owns” Identity Governance? C-level executives are often not aware of the language barriers and need answers to seemingly basic questions
– Do our employees have access to the proper applications?
CISO, CRO, Application Managers, IT Managers, Auditors and LOB Managers often hold one piece of the puzzle but not the entire picture
– “The Pain Chain”
Lack of insight to guide user access approval and recertification decisions
The Right Identity Governance Solution Can Transform IT Lingo into Business Language
The “Rosetta Stone”
Identity Governance can help Business users and IT Staff communicate on the same terms
Business Activities provide layman’s terms for entitlements
– Critical for Separation of Duties
Helps management and end users to definitively certify access
Myth 3: Everyone Loves Spreadsheets
Identity Governance is normally a maddening array of spreadsheets created by auditors
Spreadsheets get lost, are hard to keep consistent and make life difficult for those using the data
Role analytics and optimization are much more difficult on a spreadsheet than a dynamic visual map
One centralized solution would save significant time and energy
The Right Identity Governance Solution Can Transform These Spreadsheets Into Actionable Processes and Controls
Decreased time from information to action
Makes the auditor and IT staff lives easier
Dynamic role mapping capabilities provide the necessary information for role optimization
End users can now “see” SoD violations and make educated decisions
Capability to tie business activities to enterprise risk
Myth #4: You Need Roles to Define Separation of Duties
[Diagram: role-based SoD flow, Entitlement Collection → Role Modeling → Define SoD on Roles, plotted against an “Anxiety level” axis]
Role Based SoD: design roles, then set SoD rules
Requires IT and Business to agree
Where did it work?
A New Activity Based SoD
[Diagram: activity-based SoD flow, Entitlement Collection → Activity Based SoD, with Role Modeling shown as a separate track, plotted against an “Anxiety level” axis]
Activity Based SoD: roles are only for granting access
SoD design does not require Roles
IT and Business do not need to agree
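The following is an added example, not code from the deck or from the IBM product, showing the activity-based SoD idea in practice: raw IT entitlements are translated into business activities (the “Rosetta Stone” of Myth #2), SoD rules are written on activities only, and a user's entitlement collection is checked for toxic combinations without any role model. All entitlement names, activities and rules are constructed samples.

```python
# Added example (not from the IBM deck): activity-based Separation of Duties check.
# Entitlements are raw IT-level identifiers; business activities are the
# translation layer; SoD rules are written on activities only, so no role
# model is needed to find toxic combinations. All names are constructed samples.
from itertools import combinations

# Constructed mapping: IT entitlement -> business activity it grants.
ENTITLEMENT_TO_ACTIVITY = {
    "SAP:FK01": "Create Vendor",
    "SAP:FK02": "Create Vendor",
    "SAP:F110": "Pay Vendor",
    "AD:grp-ap-payments": "Pay Vendor",
    "AD:grp-sales-crm": "Manage Sales Opportunities",
    "AD:grp-marketing-cms": "Publish Campaigns",
}

# Constructed SoD rules as unordered pairs of business activities.
TOXIC_ACTIVITY_PAIRS = {
    frozenset({"Create Vendor", "Pay Vendor"}),
}

def activities_for(entitlements):
    """Translate a user's entitlement collection into business activities."""
    mapped = {}
    for ent in entitlements:
        act = ENTITLEMENT_TO_ACTIVITY.get(ent)
        if act is None:
            continue  # unmapped entitlement: reported separately as a coverage gap
        mapped.setdefault(act, []).append(ent)
    return mapped

def unmapped_entitlements(entitlements):
    """Entitlements that no business activity explains yet (auditor cannot certify them)."""
    return sorted(e for e in entitlements if e not in ENTITLEMENT_TO_ACTIVITY)

def sod_violations(entitlements):
    """Return toxic activity pairs the user holds, with the entitlements behind each."""
    acts = activities_for(entitlements)
    violations = []
    for a, b in combinations(sorted(acts), 2):
        if frozenset({a, b}) in TOXIC_ACTIVITY_PAIRS:
            violations.append({"activities": (a, b),
                               "entitlements": sorted(acts[a] + acts[b])})
    return violations

if __name__ == "__main__":
    user = ["SAP:FK01", "AD:grp-ap-payments", "AD:grp-sales-crm", "LEGACY:xyz"]
    for v in sod_violations(user):
        print("SoD violation:", " + ".join(v["activities"]), "via", v["entitlements"])
    print("Entitlements with no business activity:", unmapped_entitlements(user))
```

The violation is reported in business terms (the activity pair) together with the exact entitlements that cause it, which is what a manager needs to decide a recertification.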
Myth #5: Compliance is the Only Reason for Identity Governance
Identity governance has been traditionally viewed as a check mark
– Pass Audits
– Remain regulation compliant
This mindset ignores the fact that the “identity” can be the gateway into an organization and can leave businesses susceptible to breaches if not properly governed
Identity Governance Should Provide Controls Against Insider Threats
Improper levels of access have been involved in many breaches
– Intentional malicious activity (Insider threat)
– Accidental (Well intentioned users doing the wrong things)
Orphan accounts are the perfect target for hackers
With mobile employees, contractors, business partners and consultants, it has become increasingly important that users have access to the proper applications and entitlements
Failure #1: The 91 Day Audit Cycle
Repeating 90 day audit cycles
– No chance to catch breath
Manual spreadsheets and non-integrated Identity Management solutions can lead to confusion and elongate the audit cycle
Constant communication back and forth between the business/auditors and IT
Long audit processes hinder the possibility to optimize roles and governance
Costly and time consuming
Identity Governance Should Provide Automation and Repeatability
Rather than using spreadsheets, automated processes are put into place with one unified solution
Speeds up the audit process and provides time to analyze identity data and to optimize roles/processes
These processes are repeatable
Helps regulatory compliance as well as fortifying the security posture
Integration with Identity Management and other solutions can greatly improve visibility
[Diagram: Identity Governance and Administration lifecycles]
Identity Lifecycle
• Access request
• Access enforcement
Entitlement Lifecycle
• Role / entitlement management
• Access request
• Access certification
Risk Lifecycle
• Compliance / access risk / SoD
Failure #2: The Law of Herding Cats
Arguably the most difficult part of Identity Governance is the coordination and cooperation of multiple groups, processes and organizations
Each is responsible for a piece of the puzzle
– Cooperation and data sharing are necessary in order to facilitate the total picture of identity governance
Not only does each group have different information, but they are also speaking different languages
Identity Governance Solutions Should Be The Universal Translator
Managers can understand exactly what access they are certifying/re-certifying
– Ex. An employee who has moved from sales to marketing should not continue to have access to sales applications
IT Staff, Auditors, Application owners and CISOs now know which users have access to which applications AND whether or not these are the proper applications
Business-Centric terms make it easy to find “Toxic” SoD combinations
Identity Intelligence: Collect and Analyze Identity Data
The Future is Now: A business-driven approach to Identity Governance
[Diagram: Identity and Governance Evolution in three stages]
1. Administration: cost savings, automation, user lifecycle (key on-premise applications and employees)
2. Analytics: application usage, privileged activity, risk-based control, baseline normal behavior (employees, partners, consumers – anywhere)
3. Governance: role management, access certification (extended enterprise and business partners; on and off-premise applications)
Questions the evolution answers:
How to gain visibility into user access?
How to prioritize compliance actions?
How to make better business decisions?
IBM Security Identity Governance and Administration
Delivering actionable identity intelligence
Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews
Easy to deploy virtual appliances for multiple customer adoptions
– Standalone Identity Governance
– Integrate with existing Identity Management
– Modernize legacy Identity management with integrated governance and administration
[Diagram: Identity Governance and Administration Platform delivered as a virtual appliance, with Common Integration Adapters to Cloud Computing, Mobile Applications, Desktop and Server, Data and Mainframe; serving IT Security Team, Auditors / Risk Managers and LoB Managers / Employees through Access Fulfillment, Self Service Portal, Risk / Access Visibility and Access Certification]
IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration
Source: Gartner (January 2015)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)
"The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”
Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015 Report #G00261633
Learn more about IBM Security Identity Governance and Administration
2015 Gartner Identity Governance and Administration Magic Quadrant
IBM Security: Intelligence. Integration. Expertise.
Watch IBM Security Identity Governance DEMOS
Access Request Management (part 1) (part 2)
Access Recertification
Role Mining and Modeling
Policy Modeling
Visit our website to view solution briefs, whitepapers, and other assets
IBM Security Identity Governance and Management Website
Follow our blogs (SecurityIntelligence.com)
IBM Security Is a Leader, Again, in the New 2015 Gartner IGA Magic Quadrant
What Leading Analysts are Saying About IBM’s Acquisition of CrossIdeas
IBM Security @ Interconnect will feature today’s hottest security topics including Cloud & Mobile Security, Security Analytics & Fraud Protection, Identity & Access Management, Application & Data Security Strategies, Advanced Threat Detection & Prevention and more
IBM Security @ Interconnect delivers:
– Three Days of keynotes and general sessions featuring industry thought leaders
– 100+ Security Sessions including hands-on labs and certification testing
– Solution Expo featuring demonstrations of the latest products and services from IBM Security and our partners
– More Networking Events than ever to expand and strengthen your sphere of influence
Register at ibm.com/interconnect today!
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY