Identity Governance: Not Just for Compliance

Brandon Whichard & Diana Kelley, IBM Security

© 2015 IBM Corporation


Identity governance and management can help you reduce risk

Identity Management and Identity Governance: govern and administer users and their access.

- Control unauthorized access and prevent "entitlement creep"
- Ability to quickly deprovision and identify who has access to what

1. What does the user have access to?
2. What business activity does the user want to do with that access?
3. What access does that user need to do their job?


According to Ponemon Institute, the cost of a data breach to global organizations is on the rise

- $154: average cost per record compromised
- $3.79 million: average total cost per data breach
- 23% increase: total cost of a data breach, net change over two years

Chart: average cost per record compromised across three consecutive studies: $136, $145, $154 (year-over-year labels on the chart: up 6%, up 7%; net change over 1 year = 6%, net change over 2 years = 12%).

Source: Ponemon Institute Cost of Data Breach Study


Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches

Reason cited (percentage of respondents):
- Evaded existing preventive security controls: 65%
- Insufficient funding: 37%
- Lack of in-house expertise: 35%
- Third-party vetting failure: 20%
- Poor leadership: 15%
- Incomplete knowledge of where sensitive data exists: 12%
- Lack of data classification: 7%
- Lack of accountability: 6%
- Other: 3%

Source: Ponemon Institute Cost of Data Breach Study. Two responses permitted.


Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors

Source: IBM 2015 Cyber Security Intelligence Index, Figure 5


New classifications of insider threats

Traditionally, "insider threats" meant disgruntled or negligent employees inflicting harm on the company's assets; today many different classifications have come forward:
- Disgruntled employees
- Malicious insiders
- Inadvertent insiders
- Quasi-insiders


People can be the weakest link in securing valuable data


Using identity and access management solutions can help mitigate risks

- Strong authentication that relies on sound policy for identity assurance
- Use identity governance solutions to help classify users by roles and access requirements
- Privileged IDs are growing, so control the associated risk
- Grant user entitlements appropriately and keep them updated
- Manage and monitor users for both security and compliance


Business activities vs. roles and entitlements: the dependencies of traditional identity management

Application entitlements live in the ERP, CRM, mainframe and HR systems. Three points of view depend on each other:

- IT Security Manager: provides information regarding who has which entitlements. Open question: who SHOULD have which entitlements?
- Auditor: identifies what business activities cause SoD violations (toxic combinations). Open question: which entitlements cause toxic combinations?
- Business Manager: understands what business activities employees do. Open question: which entitlements grant access to which business activities?

In the traditional flow, the business manager requests employee IT entitlements from the IT Security Manager, and the list of entitlements that comes back is based on the IT Security Manager's request.


Bridging business, auditor and IT points of view

Business-centric SoD mapping to simplify access request and certification: map business activities to IT roles and entitlements.

- Business activities: View Accounts Payable, Create Sales Record, Create Purchase Order, Update Payroll
- IT roles and entitlements: held in the mainframe, CRM, ERP and HR applications


Role-based SoD vs. activity-based SoD

Diagram: one logical constraint between two roles; a user assigned both roles is a detected violation.


Undetected violations with roles

But alternative assignment patterns may lead to false negatives:
- Same access rights
- Different assignment
- Undetected violations

Diagram: the same one logical constraint, but the user receives the conflicting access through a different assignment path, and the violation goes undetected.


FAQ: Couldn't we just use roles?

Role-based SoD enforcement implies high configuration complexity:
- A combinatorial explosion of constraints is required to cover every assignment pattern

Diagram: 1 logical constraint = 6 manually managed constraints before the violation is detected.

Roles are not designed for effective SoD management.


Roles inherit, activities propagate

The business activity model is designed specifically for SoD management:
- Works regardless of the assignment style (direct, role based, mixed)
- Full enforcement does not require additional constraint definition

Diagram: 1 logical constraint = 1 manually managed constraint (9 automatically propagated); the violation is detected.


Roles inherit, activities propagate (comparison)

The business activity model is designed specifically for SoD management:
- Works regardless of the assignment style (direct, role based, mixed)
- Full enforcement does not require additional constraint definition

- Activity-based SoD: 1 logical constraint = 1 manually managed constraint (9 automatically propagated)
- Role-based SoD: 1 logical constraint = 6 manually managed constraints

In the diagram the violation is detected in both models; the difference is how many constraints had to be defined by hand.


Role-based SoD versus activity-based SoD

Role-based SoD sequence: entitlements collection, then role mining / modeling, then define SoD on roles.
- Role needs to come first
- Access review to allow role mining is further delaying the SoD introduction

Activity-based SoD sequence: entitlements collection, then activity-based SoD, with role mining / modeling as an optional parallel step.
- SoD analysis can be the first, or the only, objective
- Side effect: delivers business-level readability of entitlements regardless of role introduction


1. Activity-driven access request management

Simplify self-service access request for managers and employees:
- Self-service, shopping-cart interface
- "Speaks" business language but also understands the IT and application roles
- Automatically detects segregation of duties (SoD) conflicts
- Saves time, while ensuring proper and compliant user access

Example: a business manager requests "Jane Doe is now on my team and needs to be able to Approve Orders"; an end user requests "I have a new assignment, I need to be able to Approve Orders." The request is checked against SoD policy before anything is provisioned: "Jane Doe can also Create Orders and that is a segregation of duties violation." Each request is then either APPROVED or DENIED.
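As an added example (not code from the original deck or from any IBM product), the following Python script works through the argument of the role-based versus activity-based SoD slides and the request-time check from the access-request slide above. One logical constraint is expressed twice: as a role pair, which only fires when a user holds both roles, and as an activity pair, which is evaluated on the user's effective access whatever the assignment path (direct grant, role, inherited role, or a second application realising the same activity). It also counts how many role-level constraints the single activity constraint expands to in this model. All entitlement, role, user and application names are hypothetical.

```python
"""Role-based vs. activity-based segregation-of-duties (SoD) checks.

All entitlements, roles, users and constraints below are hypothetical data
constructed for this example; the application prefixes are placeholders.
"""

# Business activity model: entitlement -> the business activity it enables.
# Several entitlements in different applications can realise the same activity.
ACTIVITY_OF = {
    "crm:SalesOrder.Create":  "Create Orders",
    "crm:SalesOrder.Approve": "Approve Orders",
    "mf:ORDAPPR":             "Approve Orders",      # mainframe profile, same activity
    "erp:PO.Create":          "Create Purchase Order",
    "hr:Payroll.Update":      "Update Payroll",
}

# Roles: name -> (parent roles inherited from, entitlements granted directly).
ROLES = {
    "SalesRep":        ([], {"crm:SalesOrder.Create"}),
    "SalesApprover":   ([], {"crm:SalesOrder.Approve"}),
    "LegacyOrderDesk": ([], {"mf:ORDAPPR"}),
    "SalesLead":       (["SalesRep"], set()),        # inherits Create Orders
    "Buyer":           ([], {"erp:PO.Create"}),
}

# Users: name -> (assigned roles, directly assigned entitlements); mixed styles.
USERS = {
    "alice": ({"SalesRep", "SalesApprover"}, set()),      # conflict via two roles
    "bob":   ({"SalesRep"}, {"crm:SalesOrder.Approve"}),  # role + direct grant
    "carol": ({"SalesLead", "LegacyOrderDesk"}, set()),   # inheritance + other app
    "dave":  ({"Buyer"}, {"hr:Payroll.Update"}),          # no conflict
    "jane":  ({"SalesRep"}, set()),                       # will request Approve Orders
}

# The same logical constraint, expressed on roles and on business activities.
ROLE_SOD = {frozenset({"SalesRep", "SalesApprover"})}
ACTIVITY_SOD = {frozenset({"Create Orders", "Approve Orders"})}


def role_closure(roles):
    """All roles reachable through inheritance from the given roles."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLES[role][0])
    return seen


def role_entitlements(role):
    """Entitlements a single role grants, including inherited ones."""
    return set().union(*(ROLES[r][1] for r in role_closure([role])))


def effective_entitlements(user):
    """Everything the user can actually do: direct grants plus all role grants."""
    roles, direct = USERS[user]
    return set(direct).union(*(ROLES[r][1] for r in role_closure(roles)))


def activities_of(user):
    return {ACTIVITY_OF[e] for e in effective_entitlements(user)}


def role_based_violations(user):
    """Role-pair constraints only see conflicts between roles the user holds."""
    held = role_closure(USERS[user][0])
    return {c for c in ROLE_SOD if c <= held}


def activity_based_violations(user):
    """Activity constraints are evaluated on effective access, so the
    assignment path (direct, role-based or mixed) cannot hide a conflict."""
    acts = activities_of(user)
    return {c for c in ACTIVITY_SOD if c <= acts}


def grantors(activity):
    """Every role or directly assignable entitlement that realises an activity."""
    ents = {e for e, a in ACTIVITY_OF.items() if a == activity}
    roles = {r for r in ROLES
             if any(ACTIVITY_OF[e] == activity for e in role_entitlements(r))}
    return ents | roles


def role_constraints_needed(activity_constraint):
    """Role/entitlement pair constraints one activity constraint expands to."""
    a, b = tuple(activity_constraint)
    return len(grantors(a)) * len(grantors(b))


def evaluate_request(user, requested_activity):
    """Request-time check: would granting the activity create an SoD conflict?"""
    acts = activities_of(user) | {requested_activity}
    for c in ACTIVITY_SOD:
        if requested_activity in c and c <= acts:
            (conflicting,) = c - {requested_activity}
            return "DENIED", conflicting
    return "APPROVED", None


if __name__ == "__main__":
    for u in USERS:
        print(f"{u:6} role-based: {len(role_based_violations(u))}  "
              f"activity-based: {len(activity_based_violations(u))}")
    one = next(iter(ACTIVITY_SOD))
    print("one activity constraint =", role_constraints_needed(one), "role-level constraints")
    print("jane requests Approve Orders:", evaluate_request("jane", "Approve Orders"))
```

Run it and alice is the only user the role constraint catches; bob and carol hold the same Create Orders plus Approve Orders access and are flagged only by the activity constraint, which is exactly the false negative the "undetected violations with roles" slide describes. The count returned by role_constraints_needed (3 grantors times 4 grantors in this constructed model) is what "constraint combinatorial explosion" means in practice; the slide's figure of 6 comes from its own, different diagram.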


2. Business-centric access certification

Enables business managers to quickly review employee access and take action:
- Focused, risk-driven campaigns
- Managers can understand exactly what access they are certifying and why
- Same simple look and feel regardless of role within the organization
- Ability to execute multi-step approval workflows

Example: the business manager is asked "Does John Smith still need to open Sales Opportunities? SalesConnect is a CRM used by the sales team to effectively communicate with clients and track ongoing projects." The possible answers:
- NO: John is no longer on the Sales team
- NOT SURE: please delegate to Jane Doe
- YES: John still needs access


Identity governance and administration results: client examples

- Audit access: a large European designer found almost 80% of users had unnecessary access after leveraging the "last usage" information in their automated controls set.
- Governance: a large European insurance and financial services firm governs access for 75,000 employees, agents and privileged users by identifying access risks and separation of duty, and certifying access for SAP, AD, mainframe and custom-built apps.
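An added example (hypothetical, not code from the deck or from any product) of how "last usage" evidence turns a certification into the focused, risk-driven campaign described on the two previous slides: stale or never-used entitlements are put in front of the reviewer with a REVOKE recommendation, high-risk access is always reviewed even when in use, recently used non-privileged access is left out of scope, and the reviewer's YES / NO / NOT SURE answer is mapped to the provisioning action. The users, entitlements, risk classes, dates and the 90-day staleness threshold are all constructed sample data.

```python
"""Risk-driven access certification scoped by last-usage data.

Constructed sample data: users, entitlements, risk classes, last-usage dates
and the review date are hypothetical.
"""
from datetime import date

RISK_RANK = {"high": 0, "medium": 1, "low": 2}
DECISION_ACTIONS = {"YES": "keep", "NO": "revoke", "NOT SURE": "delegate"}
AS_OF = date(2015, 6, 1)   # the day the campaign is generated (constructed)

# One row per (user, entitlement) assignment, as an IGA tool would collect it.
ASSIGNMENTS = [
    {"user": "john.smith", "entitlement": "SalesConnect:Opportunity.Create",
     "risk": "medium", "last_used": date(2015, 1, 10)},
    {"user": "john.smith", "entitlement": "AD:Domain Admins",
     "risk": "high", "last_used": date(2015, 5, 30)},
    {"user": "jane.doe", "entitlement": "SAP:FI_AP_CLERK",
     "risk": "medium", "last_used": date(2015, 5, 20)},
    {"user": "jane.doe", "entitlement": "Mainframe:PAYROLL_UPD",
     "risk": "high", "last_used": None},                 # granted, never used
    {"user": "dave.lee", "entitlement": "SalesConnect:Opportunity.Create",
     "risk": "medium", "last_used": date(2014, 12, 1)},
]


def idle_days(assignment, today):
    """Days since last use; None when the entitlement has never been used."""
    last = assignment["last_used"]
    return None if last is None else (today - last).days


def is_stale(assignment, today, stale_days=90):
    idle = idle_days(assignment, today)
    return idle is None or idle >= stale_days


def build_campaign(assignments, today, stale_days=90):
    """Select what the reviewer sees: stale access (recommend REVOKE) and all
    high-risk access (REVIEW even if in use), riskiest and longest idle first."""
    items = []
    for a in assignments:
        stale = is_stale(a, today, stale_days)
        if not (stale or a["risk"] == "high"):
            continue            # recently used, non-privileged: out of scope
        idle = idle_days(a, today)
        items.append({
            "user": a["user"], "entitlement": a["entitlement"], "risk": a["risk"],
            "idle_days": idle,
            "recommendation": "REVOKE" if stale else "REVIEW",
            "reason": "never used" if idle is None else f"last used {idle} days ago",
        })
    # never-used sorts as "idle forever" within its risk class
    items.sort(key=lambda i: (RISK_RANK[i["risk"]],
                              -(10**6 if i["idle_days"] is None else i["idle_days"])))
    return items


def stale_fraction(assignments, today, stale_days=90):
    """Share of assignments that look unnecessary on last-usage evidence."""
    return sum(is_stale(a, today, stale_days) for a in assignments) / len(assignments)


def decide(item, decision, delegate_to=None):
    """Map the reviewer's YES / NO / NOT SURE answer to the provisioning action."""
    action = DECISION_ACTIONS[decision]
    if action == "delegate" and not delegate_to:
        raise ValueError("NOT SURE requires a delegate reviewer")
    return {"user": item["user"], "entitlement": item["entitlement"],
            "action": action,
            "delegate_to": delegate_to if action == "delegate" else None}


if __name__ == "__main__":
    campaign = build_campaign(ASSIGNMENTS, AS_OF)
    for item in campaign:
        print(f'{item["user"]:11} {item["entitlement"]:34} '
              f'{item["recommendation"]:6} ({item["reason"]})')
    print(f"{stale_fraction(ASSIGNMENTS, AS_OF):.0%} of assignments are stale")
    print(decide(campaign[-1], "NO"))
```

Only the two privileged entitlements and the three stale ones reach the campaign; jane.doe's actively used SAP access is not shown, which is what keeps a risk-driven campaign short enough that managers read each item. The stale_fraction figure is the kind of number behind the "almost 80% of users had unnecessary access" result on the slide.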


Identity and Access Management

Capabilities to help organizations secure the enterprise identity as a new perimeter, across datacenter, web, social, mobile and cloud, on top of directory services.

IBM Identity and Access Management Solutions and IBM Security Services are delivered as cloud managed / hosted services, software-as-a-service, and on-premise appliances.

Identity Management
• Identity Governance and Intelligence
• User Lifecycle Management
• Privileged Identity Control

Access Management
• Adaptive Access Control and Federation
• Application Content Protection
• Authentication and Single Sign On


Learn more about IBM Security

- Visit our website: IBM Security Website
- Watch our videos: IBM Security YouTube Channel
- Read new blog posts: SecurityIntelligence.com
- Follow us on Twitter: @ibmsecurity

IBM Security: Intelligence. Integration. Expertise.


www.ibm.com/security

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.