ed mccarthy, director of global security sales ca

1

www.hcca-info.org | 888-580-8373

Identity & Access Management – Enabling e-Government

Ed McCarthy,

Director of Global Security Sales

CA

www.hcca-info.org | 888-580-8373 2

Identity & Access Management (IAM) Defined

Delivers answers to key questions:

– Who has access to what resources?

– When did they access those resources?

– What are our access policies?

– What did they do while they were there?

– Who authorized that access?

2


3 April 8, 2008 Improve Compliance and Enable Business Copyright © 2007 CA

What CIOs, CSOs and CFOs Are Telling Us

“It’s too expensive and manual to make sure we’re addressing all the necessary

regulations. And then we have to do it all over again for the

next time.”

ContinuousCompliance

Negative Security-Related

Publicity

Help Desk Overload

Escalating Administration

Costs

Ghost User Accounts

Accumulating& Inappropriate

Privileges

Auditors’Requirements

Leverage-able It Infrastructure






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“25% of my help desk calls are related to resetting forgotten

passwords!”

3






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“There is just no budget to hire more IT administrators, but our

user population is growing, particularly as

we bring more customers/partners

online.”






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“I still have accounts in my systems for users that are long gone!”

4






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“As employees and partners change responsibilities they keep acquiring new system privileges with us while none are removed. How do I fix that?”






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“Internal and external auditors need to see if you have sufficient control over your IT systems and access to private data. Auditors don’t care generally how much it costs.”

5






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“Enterprise architects hate to see the IT ‘wheel’ continually

reinvented. IAM should be deployed and managed as part of enterprise architecture.”






Publicity

Help Desk Overload


Costs

Ghost User Accounts


Privileges



“I don’t want to see my organization in the news.”

6



Identity & Access Management The Challenge

MANY USERS>Customers >Employees>Partners

>Difficult to admin access rights

>High Help Desk costs





MANY APPLICATIONS>Logistics>Financial >Service>Production>CRM>ERP

> Security “Silos”

> Inconsistent enforcement

7






MANY IDENTITIES>Mainframe>RDBMS>LDAP>NOS>ERP…

> Difficult administration

> Difficult compliance

> Reduced security






MANY ADMINS>Many tactical issues>Managing users, passwords, etc.

>High Admin cost

> Manual IT Processes

MANY IDENTITIES>Mainframe>RDBMS>LDAP>NOS>ERP…

8



The Business Value of IAM

• Reduced IT Security Risk– Protect your critical IT resources

– Centrally manage all identities and access policies

• Reduced Operational Expenses– Lower your IT Admin and Help Desk expenses

– Automate existing manual IT processes

• Enhanced Compliance– Audit your complete security environment

– Achieve sustainable compliance

• Enhanced Business Enablement– Deploy new online services quickly

– Strengthen your existing customer relationships



REDUCED IDENTITIES>Easier administration>Reduced Costs>Improved auditing for easier compliance

MANY USERSMANY IDENTITIES

Identity & Access Management The Solution

CENTRALIZED ADMINISTRATION

>Reduced admin costs

>Consistent admin across platforms

>Automation of IT processes

MANY ADMINS

> Single Sign-on

> User self-service

>Centralized Security

>Easier app dev

SecurityPolicy

MANY APPLICATIONS

9



CENTRALIZED ADMINISTRATION

• Reduced admin costs

• Consistent admin across platforms

• Automation of IT processes

Identity & Access Management The Solution

MANY USERS MANY APPLICATIONS

• Single Sign-on

• User self-service

• Centralized Security

• Easier app dev

SecurityPolicy

REDUCED IDENTITIES• Easier administration

• Reduced Costs

• Improved auditing for easier compliance


Maturity Model for

Provisioning to

Identity Management

10


What is Identity Management?

– User Credentials

– Password Management

– Grouping and Roles to rules

– Application function entitlements

– Separation of Duties (Segregation of Duties)

– Enrollment (provisioning)

– Termination (de-Provisioning)


The ROI Model

• Situational Analysis

• Mapping your success

• Incremental wins

• Leveraging the future

11


STAGE 1 - Password Management

• Increased User Productivity

• Reduced Helpdesk Costs

AC

TIV

E

Incremental WinBlueprint

Matu

rity

Gap

Password Mgmt To Be As Is

ROI

Time


• On-boarding new employees

• MAC for functional assignments

• Automated Integration

EFFIC

IEN

T

AC

TIV

E

Matu

rity

Gap

Password Mgmt Id Mgmt To Be As Is

ROI

ROI

EstablishedProcess


Time

STAGE 2 - Consolidated Identity Mgmt

12


STAGE 3 - Roles and Entitlement Mgmt

• Business Application on-boarding

• Automated reporting for Governance

• Established Standards for new applications

• Reduced entitlements administration

EFFIC

IEN

T

RE

SP

ON

SIV

E

AC

TIV

E

Matu

rity

TimeG

ap

Password Mgmt ID Mgmt Entitlements To Be

ROI

ROI

ROI


EstablishedProcess

EstablishedProcess


• Authoritative Credentials

• Applications as a Service

• Intranet and Extranet SLA’s

• Standards Compliant

EFFIC

IEN

T

RE

SP

ON

SIV

E

AC

TIV

E

Matu

rity

Time

ROI

ROI

ROI

EstablishedProcess

EstablishedProcess

EstablishedProcess

Password Mgmt ID Mgmt Entitlements

Federation

BU

SIN

ES

S

DR

IVE

N

STAGE 4 - Federated Identity Mgmt

13


Provisioning to Identity Management - Maturity Model

Federated Identity Management

4

• Provisioning is extended to support non-IT environments• Asset management integration with provisioning is supported• Web services are used for integration between business applications• Federated trust is implemented to enable external SPML requests• CMDB changes automatically opens workflow requests into

provisioning

Integrated Role and Entitlement Management

3

• Common Directory Infrastructure• Role-based provisioning is now supported for most critical systems

and applications • Automated generation of entitlement exception reports• Business workflows are defined Development uses an externalized

security framework

Password Management 1 • Self Service Password Management which allow users to reset their own passwords without calling the helpdesk

ConsolidatedIdentity Management 2

• Automate Basic User Management and Provisioning which mostly extends to mostly infrastructure platforms and applications (AD, MF, UNIX, Email, etc)

• Basic Entitlement Reporting on user access is enabled• Delegated administration is offered to business units and helpdesk


SUMMARY - ID Mgmt Checklist

• Authoritative Directory(ies)

– What is my best source for User information?

• Critical Applications

– Which Applications have the highest Exposure?

– Which Applications create the most HelpDesk issues?

– Which Applications provide the Highest Productivity?

– Which Applications contain or connect to high value data?

• Segregation of Duties

– Who are the critical IT Administrators?

– Who are the key Security Administrators?

– Which business unit(s) benefit most from an automated approach?

• Business Agreements

– Business Units that deal with other departments and other companies

14


What CA’s IAM Solution Will Do For You

• Secure user identities and access policies across your enterprise

• Provide repeatable, defendable and sustainable compliance

• Reduce IT expenses through automation

• Protect IT resources to reduce risk

• Enable business securely with faster time to market

• Manage centrally, and flexibly, to distribute across your business


28April 8, 2008 Improve Compliance and Enable Business Copyright © 2007 CA

“CA has one of the broadest and most integrated set of identity management solutions on the market today. Few vendors have enterprise single sign-on (eTrust SSO), host access control (eTrust Access Control) or Web services security (eTrust TransactionMinder), and CA stands alone with all three.”

Forrester Research, January 2006*

IDC, IAM 2005 Vendor Shares

“Even before the acquisition of Netegrity in 2004, CA had a very broad identity management (IdM) product suite. With the acquisition of Netegrity, CA’s IdM suite now includes provisioning, web access management (WAM), federation, enterprise single sign-on (SSO), Web services security, operating systems security (for mainframes, UNIX, and Windows) and directory products.”

Burton Group, March 2006*

Sources:•“CA Provisioning Delivers Strong Auditing and Administration Atop A robust Architecture,” Forrester Research, Jan 30, 2006• IDC, “WW Identity and Access Management 2005 Vendor Shares,” Sally Hudson, Doc #203296, Sept 2006 • Burton Group, “CA Identity Manager r8.1”, Mark Diodati, March 2006.

Broadest & most integrated

suite

#1 for 6 consecutive years

Best of Breed

0.6%

0.9%

1.2%

2.7%

6.3%

8.7%

10.9%

17.1%

HP

BMC

Sun

Novell

VeriSign

RSA

IBM

CA

CA is the Right Choice

15


Thank You.

ed mccarthy, director of global security sales ca

Documents