Identity Governance: Not Just for Compliance
TRANSCRIPT
© 2015 IBM Corporation
IBM Security
Brandon Whichard & Diana Kelley

Identity Management and Identity Governance
- Control unauthorized access and prevent “entitlement creep”
- Ability to quickly deprovision and identify who has access to what
Identity governance and management can help you reduce risk
Govern and administer users and their access:
1. What does the user have access to?
2. What business activity does the user want to do with that access?
3. What access does that user need to do their job?

According to Ponemon Institute, the cost of a data breach to global organizations is on the rise
- $154: average cost per record compromised
- 23% increase: total cost of a data breach, net change over two years
- $3.79 million: average total cost per data breach
Chart: average cost per record compromised rose from $136 to $145 to $154 over three consecutive years (steps labelled up 6% and up 7%). Net change over 1 year = 6%; net change over 2 years = 12%.
Source: Ponemon Institute Cost of Data Breach Study

Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches
- Evaded existing preventive security controls: 65%
- Insufficient funding: 37%
- Lack of in-house expertise: 35%
- Third-party vetting failure: 20%
- Poor leadership: 15%
- Incomplete knowledge of where sensitive data exists: 12%
- Lack of data classification: 7%
- Lack of accountability: 6%
- Other: 3%
Source: Ponemon Institute Cost of Data Breach Study. Two responses permitted.
Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors
Source: IBM 2015 Cyber Security Intelligence Index, Figure 5

New classifications of Insider Threats
Traditionally, “insider threats” meant disgruntled or negligent employees were inflicting harm to the company’s assets; today many different classifications have come forward:
- Disgruntled employees
- Malicious insiders
- Inadvertent insiders
- Quasi-insiders

Using Identity and Access Management solutions can help mitigate risks
- Strong authentication that relies on sound policy for identity assurance
- Use identity governance solutions to help classify users by roles and access requirements
- Privileged IDs are growing, so control the associated risk
- Grant user entitlements appropriately and keep them updated
- Manage and monitor users for both security and compliance

Business Activities vs. Roles and Entitlements
The dependencies of traditional identity management
Application entitlements: ERP, CRM, Mainframe, HR
- IT Security Manager: provides information regarding who has which entitlements. Open question: who SHOULD have which entitlements?
- Auditor: identifies what business activities cause SoD violations (toxic combinations). Open question: which entitlements cause toxic combinations?
- Business Manager: understands what business activities employees do. Open question: which entitlements grant access to which business activities?
Request flow shown in the diagram: employee IT entitlements are requested from the IT Security Manager, and a list of entitlements is received based on the IT Security Manager’s request.

Bridging Business, Auditor and IT points of view
Business-centric SoD mapping to simplify access request and certification
Business Activities: View Accounts Payable; Create Sales Record; Create Purchase Order; Update Payroll
IT Roles and Entitlements, per application: Mainframe, CRM, ERP, HR
Map business activities to IT roles and entitlements

Role-based SoD vs. Activity-based SoD
Diagram: one logical constraint; the violation is detected.

Undetected Violations with Roles
But ... alternative assignment patterns may lead to false negatives:
- Same access rights
- Different assignment
- Undetected violations
Diagram: one logical constraint expressed on roles; the violation goes undetected.

FAQ: Couldn’t we just use Roles?
Role-based SoD enforcement implies high configuration complexity
- A combinatorial explosion of constraints is required
- 1 logical constraint = 6 manually managed constraints
Diagram: violation detected
Roles are not designed for effective SoD management

Roles inherit – Activities propagate
The business activity model is designed specifically for SoD management
- Works regardless of the assignment style (direct, role-based, mixed)
- Full enforcement does not require additional constraint definitions
- 1 logical constraint = 1 manually managed constraint (9 automatically propagated)
Diagram: violation detected

Roles inherit – Activities propagate (comparison)
- Role-based SoD: 1 logical constraint = 6 manually managed constraints
- Activity-based SoD: 1 logical constraint = 1 manually managed constraint (9 automatically propagated)
Diagram: violation detected

Role-based SoD versus Activity-based SoD
Role Based SoD: Entitlements Collection, then Role Mining / Modeling, then Define SoD on Roles
- Roles need to come first
- The access review needed to allow role mining further delays the SoD introduction
Activity Based SoD: Entitlements Collection, then Activity Based SoD, with Role Mining / Modeling as a separate step
- SoD analysis can be the first, or the only, objective
- Side effect: delivers business-level readability of entitlements regardless of role introduction

1. Activity driven access request management
Simplify self-service access request for managers and employees
- Self-service, shopping cart interface
- “Speaks” business language but also understands the IT and application roles
- Automatically detects segregation of duties (SoD) conflicts
- Saves time, while ensuring proper and compliant user access
Example request flow:
- Business Manager: “Jane Doe is now on my team and needs to be able to Approve Orders.”
- End User: “I have a new assignment, I need to be able to Approve Orders.”
- SoD check: “Jane Doe can also Create Orders and that is a segregation of duties violation.”
- Outcome: APPROVED or DENIED
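As an added example, not code from the deck or from IBM, the following Python models the contrast drawn in the role-based versus activity-based SoD slides and the Jane Doe access request above: one logical constraint stated once on two business activities, the same rule spelled out by hand as role pairs, and a user whose identical access rights arrive through a different assignment pattern (a role plus a direct grant). All names are constructed (the erp:/crm:/mf: entitlements, the roles, Jane Doe and Bob), and the rule that a user can perform an activity if they hold any entitlement mapped to it is a modelling assumption.

```python
"""Toy model of role-based versus activity-based segregation-of-duties (SoD) checks.

Added illustration, not IBM code. All entitlement, role, activity and user names are
constructed sample data. Modelling assumption: a user can perform a business activity
if they hold any one of the entitlements mapped to it, by whatever path it was granted.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import product

# Business activities mapped to the application entitlements that grant them (constructed).
ACTIVITY_ENTITLEMENTS: dict[str, set[str]] = {
    "Create Orders": {"erp:po_create", "crm:order_entry", "mf:ord_submit"},
    "Approve Orders": {"erp:po_approve", "mf:ord_release", "erp:wf_approve"},
}

# Roles bundle entitlements; one entitlement may appear in several roles (constructed).
ROLES: dict[str, set[str]] = {
    "Buyer": {"erp:po_create", "crm:order_entry"},
    "Sales Clerk": {"crm:order_entry", "mf:ord_submit"},
    "Purchasing Lead": {"erp:po_approve", "mf:ord_release"},
    "Workflow Approver": {"erp:wf_approve"},
}

# The single logical constraint, stated once on business activities.
ACTIVITY_SOD: list[tuple[str, str]] = [("Create Orders", "Approve Orders")]

# The same rule expressed on roles: every creating/approving role pair must be
# listed by hand, and a new role or a direct grant silently falls outside the list.
ROLE_SOD: list[tuple[str, str]] = [
    ("Buyer", "Purchasing Lead"),
    ("Buyer", "Workflow Approver"),
    ("Sales Clerk", "Purchasing Lead"),
    ("Sales Clerk", "Workflow Approver"),
]


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    direct: set[str] = field(default_factory=set)  # entitlements granted outside any role

    def entitlements(self) -> set[str]:
        """Effective access: direct grants plus everything inherited through roles."""
        ents = set(self.direct)
        for role in self.roles:
            ents |= ROLES[role]
        return ents


def role_based_violations(user: User) -> list[tuple[str, str]]:
    """Role-pair check: sees only role assignments, never direct or mixed grants."""
    return [(a, b) for a, b in ROLE_SOD if a in user.roles and b in user.roles]


def activities_of(user: User) -> set[str]:
    """Propagate effective entitlements up to the business activities they enable."""
    ents = user.entitlements()
    return {act for act, grants in ACTIVITY_ENTITLEMENTS.items() if ents & grants}


def activity_based_violations(user: User) -> list[tuple[str, str]]:
    """Evaluate the logical constraint on what the user can actually do."""
    acts = activities_of(user)
    return [(a, b) for a, b in ACTIVITY_SOD if a in acts and b in acts]


def propagated_constraints() -> list[tuple[str, str]]:
    """Entitlement pairs the activity rule covers automatically (no manual upkeep)."""
    pairs: list[tuple[str, str]] = []
    for a, b in ACTIVITY_SOD:
        pairs.extend(product(sorted(ACTIVITY_ENTITLEMENTS[a]), sorted(ACTIVITY_ENTITLEMENTS[b])))
    return pairs


def request_role(user: User, role: str) -> tuple[str, list[tuple[str, str]]]:
    """Activity-driven access request: simulate the grant and deny on a toxic combination."""
    trial = User(user.name, user.roles | {role}, set(user.direct))
    found = activity_based_violations(trial)
    return ("DENIED" if found else "APPROVED", found)


if __name__ == "__main__":
    # Jane already creates orders through the Buyer role and asks for approval rights.
    jane = User("Jane Doe", {"Buyer"})
    print("Jane requests Purchasing Lead:", request_role(jane, "Purchasing Lead"))

    # Bob holds the same creation rights via a role but approval rights via a direct
    # grant: the role-pair check is blind to this, the activity check is not.
    bob = User("Bob", {"Buyer"}, {"erp:po_approve"})
    print("Bob, role-based:", role_based_violations(bob))
    print("Bob, activity-based:", activity_based_violations(bob))
    print("Pairs propagated from one activity rule:", len(propagated_constraints()))
```

With three entitlements on each side, the one activity-level rule expands to nine entitlement pairs without anyone maintaining them, while the role-based list needs an entry for every creating/approving role pair and still misses Bob, whose approval right was granted directly rather than through a role. The request check evaluates the trial assignment the same way, so Jane's request for approval rights is denied because she can already create orders.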

2. Business centric access certification
Enables business managers to quickly review employee access and take action
- Focused, risk-driven campaigns
- Managers can understand exactly what access they are certifying and why
- Same simple look and feel regardless of role within the organization
- Ability to execute multi-step approval workflows
Example certification prompt shown to a Business Manager: “Does John Smith still need to open Sales Opportunities? SalesConnect is a CRM used by the sales team to effectively communicate with clients and track ongoing projects.”
- NO: John is no longer on the Sales team
- NOT SURE: Please delegate to Jane Doe
- YES: John still needs access

Identity Governance and Administration Results
CLIENT EXAMPLES
- Audit Access: a large European designer found almost 80% of users had unnecessary access after leveraging the “last usage” information in their automated controls set
- Governance: a large European insurance and financial services firm governs access for 75,000 employees, agents and privileged users by identifying access risks and separation of duty, and certifying access for SAP, AD, mainframe, and custom-built apps

Identity and Access Management
Capabilities to help organizations secure the enterprise identity as a new perimeter
Environments: Datacenter, Web, Social, Mobile, Cloud
Directory Services
IBM Identity and Access Management Solutions and IBM Security Services
Delivery options: Cloud Managed / Hosted Services; Software-as-a-Service; On Premise Appliances
Identity Management
• Identity Governance and Intelligence
• User Lifecycle Management
• Privileged Identity Control
Access Management
• Adaptive Access Control and Federation
• Application Content Protection
• Authentication and Single Sign On

Learn more about IBM Security
- Visit our website: IBM Security Website
- Watch our videos: IBM Security YouTube Channel
- Read new blog posts: SecurityIntelligence.com
- Follow us on Twitter: @ibmsecurity
IBM Security: Intelligence. Integration. Expertise.
www.ibm.com/security
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use
or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.