© 2015 IBM Corporation
IBM Security
Myths, Failures and the Future of Identity Governance
Andy Land
Director of Products

Myth #1: Identity Governance projects are long and painful
In the past, identity governance projects have been categorized as a long painful process
– Weeks/months of meetings and 3rd party consulting fees
Long implementations that rarely get 100% complete
Lots of time spent turning the information into actionable items
Inability to determine “who approved what and when”

A Business-Centric Approach Can Have Governance in Place in a Matter of Months Rather Than Years
Business-centric activity based roles can speed up the processes
The right governance solution can bring intelligence out of the box
Bridging the communication gap facilitates collaboration between necessary parties
Ability to translate audit rules into actionable controls
When implemented, automation and repeatability speed up the processes

Myth #2: IT and the Audit Team Speak the Same Language
IT and audit often speak very different languages
– Auditors speak in business-centric language
– IT staff speak in terms of specific IT entitlements
Who “owns” Identity Governance?
C-level executives are often not aware of the language barriers and need answers to seemingly basic questions
– Do our employees have access to the proper applications?
CISO, CRO, Application Managers, IT Managers, Auditors and LOB Managers often hold one piece of the puzzle but not the entire picture
– “The Pain Chain”
Lack of insight to guide user access approval and recertification decisions

The Right Identity Governance Solution Can Transform IT Lingo into Business Language
The “Rosetta Stone”
Identity Governance can help Business users and IT Staff communicate on the same terms
Business Activities provide layman’s terms for entitlements
– Critical for Separation of Duties
Helps management and end users to definitively certify access

Myth #3: Everyone Loves Spreadsheets
Identity Governance is normally a maddening array of spreadsheets created by auditors
Spreadsheets get lost, are hard to keep consistent and make life difficult for those using the data
Role analytics and optimization are much more difficult on a spreadsheet than a dynamic visual map
One centralized solution would save significant time and energy

The Right Identity Governance Solution Can Transform These Spreadsheets Into Actionable Processes and Controls
Decreased time from information to action
Makes the lives of auditors and IT staff easier
Dynamic role mapping capabilities provide the necessary information for role optimization
End users can now “see” SoD violations and make educated decisions
Capability to tie business activities to enterprise risk

Myth #4: You Need Roles to Define Separation of Duties
Role Based SoD
Design Roles, then set SoD rules
Requires IT and Business to agree
Where did it work?
[Diagram labels: Role Modeling; Define SoD on Roles; Entitlement Collection; Anxiety level]

A New Activity Based SoD
Activity Based SoD
Roles are only for granting access
SoD design does not require Roles
IT and Business do not need to agree
[Diagram labels: Role Modeling; Entitlement Collection; Activity Based SoD; Anxiety level]

Myth #5: Compliance is the Only Reason for Identity Governance
Identity governance has been traditionally viewed as a check mark
– Pass Audits
– Remain regulation compliant
This mindset ignores the fact that the “identity” can be the gateway into an organization and can leave businesses susceptible to breaches if not properly governed

Identity Governance Should Provide Controls Against Insider Threats
Improper levels of access have been involved in many breaches
– Intentional malicious activity (Insider threat)
– Accidental (Well intentioned users doing the wrong things)
Orphan accounts are the perfect target for hackers
With mobile employees, contractors, business partners and consultants, it has become increasingly important that users have access to the proper applications and entitlements

Failure #1: The 91 Day Audit Cycle
Repeating 90 day audit cycles
– No chance to catch breath
Manual spreadsheets and non-integrated Identity Management solutions can lead to confusion and elongate the audit cycle
Constant communication back and forth between the business/auditors and IT
Long audit processes hinder the possibility to optimize roles and governance
Costly and time consuming

Identity Governance Should Provide Automation and Repeatability
Rather than using spreadsheets, automated processes are put into place with one unified solution
Speeds up the audit process and provides time to analyze identity data and to optimize roles/processes
These processes are repeatable
Helps regulatory compliance as well as fortifying the security posture
Integration with Identity Management and other solutions can greatly improve visibility
[Diagram: Identity Governance and Administration]
Identity Lifecycle
• Access request
• Access enforcement
Entitlement Lifecycle
• Role / entitlement management
• Access request
• Access certification
Risk Lifecycle
• Compliance / access risk / SoD

Failure #2: The Law of Herding Cats
Arguably the most difficult part of Identity Governance is the coordination and cooperation of multiple groups, processes and organizations
Each is responsible for a piece of the puzzle
– Cooperation and data sharing are necessary in order to facilitate the total picture of identity governance
Not only does each group have different information, but they are also speaking different languages

Identity Governance Solutions Should Be The Universal Translator
Managers can understand exactly what access they are certifying/re-certifying
– Ex. An employee who has moved from sales to marketing should not continue to have access to sales applications
IT Staff, Auditors, Application owners and CISOs now know which users have access to which applications AND whether or not these are the proper applications
Business-Centric terms make it easy to find “Toxic” SoD combinations

The Future is Now: A business-driven approach to Identity Governance
Identity Intelligence: Collect and Analyze Identity Data
[Diagram: Identity and Governance Evolution]
Administration
– Cost savings
– Automation
– User lifecycle
– Key on premise applications and employees
Analytics
– Application usage
– Privileged activity
– Risk-based control
– Baseline normal behavior
– Employees, partners, consumers – anywhere
Governance
– Role management
– Access certification
– Extended enterprise and business partners
– On and off-premise applications
How to gain visibility into user access?
How to prioritize compliance actions?
How to make better business decisions?

IBM Security Identity Governance and Administration
Delivering actionable identity intelligence
Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews
Easy to deploy virtual appliances for multiple customer adoptions
– Standalone Identity Governance
– Integrate with existing Identity Management
– Modernize legacy Identity management with integrated governance and administration
[Diagram labels: Identity Governance and Administration Platform (virtual appliance); Common Integration Adapters; IT Security Team; Auditors / Risk Managers; LoB Managers / Employees; Access Fulfillment; Self Service Portal; Risk/Access Visibility; Access Certification; Cloud Computing; Mobile; Applications; Desktop and Server; Data; Mainframe]

IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration
Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)
“The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”
Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015 Report #G00261633
Source: Gartner (January 2015)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Learn more about IBM Security Identity Governance and Administration
2015 Gartner Identity Governance and Administration Magic Quadrant
IBM Security
Intelligence. Integration. Expertise.
Watch IBM Security Identity Governance DEMOS
Access Request Management (part 1) (part 2)
Access Recertification
Role Mining and Modeling
Policy Modeling
Visit our website to view solution briefs, whitepapers, and other assets
IBM Security Identity Governance and Management Website
Follow our blogs (SecurityIntelligence.com)
IBM Security Is a Leader, Again, in the New 2015 Gartner IGA Magic Quadrant
What Leading Analysts are Saying About IBM’s Acquisition of CrossIdeas

IBM Security @ Interconnect will feature today’s hottest security topics including Cloud & Mobile Security, Security Analytics & Fraud Protection, Identity & Access Management, Application & Data Security Strategies, Advanced Threat Detection & Prevention and more
IBM Security @ Interconnect delivers:
– Three Days of keynotes and general sessions featuring industry thought leaders
– 100+ Security Sessions including hands-on labs and certification testing
– Solution Expo featuring demonstrations of the latest products and services from IBM Security and our partners
– More Networking Events than ever to expand and strengthen your sphere of influence
Register at ibm.com/interconnect today!

www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper
use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY