Technical Marketecture Slides - internationalcybercenter.org


A Governance-based Approach to
Identity Management
Darran Rolls – CTO – SailPoint Technologies
2010 - Zurich
About SailPoint
Our Focus
• Identity and Access Governance
Our Heritage
• 10 years of Identity Management leadership and experience (Waveset/Sun/SailPoint)
• Founded 2005; headquartered in Austin, TX
Our Marquee Customers
• 5 of top 10 global banks
• 3 of top 4 U.S. managed healthcare companies
• 3 of top 4 global P&C casualty insurers
• Top telecom, manufacturing, energy companies
BMC Strategic Partnership
• Validated MarketZone partner
• Strategic component of ITGRC Initiative
Cool Vendor in Identity and Access Management
Setting the Stage for Identity Management
Why Do We Care About Identity Controls?
• We start with poor old TJ Maxx again…
  - 2007 breach and loss of over 40-100M cards & related data
  - Big embarrassment & even bigger cost ($200M ?)
    - Settled with 41 states for <$10M (+ probation)
    - Settled with Mastercard for $24M
    - Settled with coalition of banks for $40M
    - 15% Customer Appreciation Discount Day in all stores :-)
  - Breach was discovered in December 2006 but likely started with basic textbook wardriving at the perimeter as early as 2004
    - Extensive systems compromise over an 18+ month period
    - Prolonged internal privileged account access!!
• Speculation: the TJX breach could have been prevented, slowed or at least detected earlier via basic Identity Management controls
Identity Management Reality
State of IAM Within Most Organizations…
• Hundreds of user adds, changes, deletes every day…
• Inconsistent, ad-hoc and manual processes – platform dependent…
• Disparate provisioning tools and workflows…
• Many human touch points: business managers, help desk, IT, etc…
• No consistent policy enforcement
• No common controls or audit trail
• Very difficult to ensure compliance and assess risk
[Diagram: requests arriving via Portal, Email, Help Desk and Paper form, handled by IT Admin, feeding Provisioning]
The Growing Identity Management Divide
The Business & IT Disconnect
• Inability to translate corporate governance into actionable IT policy
  - Risk mgmt, business policy
• Auditing, controls still highly manual
  - Email or spreadsheet-based
  - Human error, inconsistencies
  - Data is hard to obtain, missing
• Are we protecting our assets??
• Do we conform to policy??
• Are we at risk??
IT
• No ability to manage identity through a business lens
• Lack of transparency
• IT / Identity data not understood by the business
But This Isn’t My Company/Organization?
• SailPoint independent survey of Fortune 1000 companies, 2008/2009
  - Security/IT/Audit professionals
• Focus: What are the top-of-mind identity and access management issues?
Survey Results
46% of companies surveyed have failed an IT or security audit because of a lack of control around user access.
Question: In the last 5 years, has your company failed an IT or security audit because of a lack of control around user access?
Yes: 46% | No: 54%

Survey Results
66% of companies lack on-demand visibility to “who has access to what?”
Question: If your company’s CIO asked you to present a complete record of user access privileges for each employee that same day, could you?
Yes: 34% | No: 66%

Survey Results
56% of companies struggle to promptly deprovision terminated workers.
Question: If your organization downsized significantly next month, could you immediately remove all access privileges for terminated employees?
Yes: 56% | No: 44%
Identity – Common Source of Internal Abuse
A Top Focus for IT Audits
[Diagram: four threat categories surrounding PROTECTED ASSETS]
Entitlement Creep
• Accumulated privileges
• Potential toxic combinations
• Increased risk of fraud
Orphan Accounts
• Poor de-provisioning
• High risk of sabotage, theft, fraud
Rogue Accounts
• Fake accounts created by criminals
• Undetected access and activity
• Data theft, fraud, and abuse
Privileged Users
• Users with “keys to the kingdom”
• Poor visibility due to shared accounts
• Identity & Access Management: #1 area requiring remedial action
  - Gartner survey: 44% of IT audit deficiencies are IAM-related
  - Ernst & Young: 7 of the Top 10 control deficiencies relate to user access control
What’s Not Working?
• Data is everywhere, but getting access to the right information at the right time is very difficult
  - Multiple, fragmented identity stores, AuthN/AuthZ
• Huge gaps between business and IT groups
  - Inconsistent, ad-hoc processes for access change
  - Difficulty translating policy to IT implementation
  - IT data not understood by the business
• Heavy reliance on manual compliance processes
  - Email or spreadsheet-based
  - Human error, inconsistencies
  - Data is hard to obtain, missing
An Identity Governance Approach
An integrated approach that embeds risk management and compliance into core identity infrastructure and business processes
• Move from fragmented approaches to centralized visibility and control
• Automate identity controls and business processes
• A business-friendly layer linking business users and processes to underlying technology and technical users
• Actively measures and monitors risk associated with users and resources
Manage Lifecycle
Make Identity Management a Business Process
• Visibility & transparency
• Business oversight
• Provisioning, auditing & tracking
• Control of the entire IAM process
[Diagram: identity lifecycle hub linking Users, Business, Help Desk, Directory, Regulatory Reporting, Provisioning, Self Service Actions, IT Sec Policy Evaluation, Risk Model, and Tracking & Reporting]
What is an IAG Model?
Controls Model
• Defined Process
• Compliance Proof
• Sustainable Controls
Role Model
• People Grouping
• Entitlement Bundling
• Assignment Controls
Audit Model
• Clear Ownership
• Defined Approvals
• Tracked Actions
Policy Model
• SoD Rules
• Value Change Controls
• Checks & Balances
Risk Model
• Rate & Rank Risk
• Assessment of Process
• Trending & Analysis
Governance Model Driven Processes
[Diagram: two process loops driven by shared Governance Metadata (Policy, Roles) and Centralized ID Data]
Operational Provisioning Process
• Request Access
• Approve
• Grant/Remove
• Provisioning Engine (Help Desk, IT Admin)
• Closed Loop Audit
Identity Compliance Process
• Define Controls
• Collect Data
• Analyze/Audit
• Review/Certify
• Remediate
• Implement Controls
• Closed Loop Audit
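The compliance loop above (collect data, analyze/audit, review/certify, remediate) and the IAG policy and risk models from the previous slide can be illustrated with a minimal entitlement-warehouse pass. This is an added example, not SailPoint or IdentityIQ code: the HR feed, account feed, SoD rule and risk scores are constructed sample data, and the scoring weights are an assumption.

```python
# Added illustration (not SailPoint's code): apply an SoD policy model and a simple
# risk model over collected account data, producing findings for review/certify.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    app: str
    account: str
    owner: Optional[str]                 # HR identity id, or None if unlinked
    entitlements: set = field(default_factory=set)
    shared: bool = False                 # account used by more than one person

# Constructed sample feeds; real data would come from HR and application collectors.
HR = {"u100": "active", "u200": "active", "u300": "terminated"}
ACCOUNTS = [
    Account("erp", "jdoe", "u100", {"create_vendor", "approve_payment"}),
    Account("erp", "jsmith", "u200", {"approve_payment"}),
    Account("ad", "svc_backup", None, {"domain_admin"}, shared=True),
    Account("erp", "bjones", "u300", {"read_reports"}),
]
# Policy model: a toxic combination (SoD rule); risk model: privileged entitlements.
SOD_RULES = [({"create_vendor", "approve_payment"}, "vendor fraud")]
PRIVILEGED = {"domain_admin", "approve_payment"}

def analyze(hr, accounts, sod_rules, privileged):
    """Analyze/Audit stage: (finding type, app, account, assumed risk score)."""
    findings = []
    for acct in accounts:
        owner_state = hr.get(acct.owner)
        if owner_state is None or owner_state == "terminated":
            findings.append(("orphan_account", acct.app, acct.account, 40))
        for combo, _label in sod_rules:
            if combo <= acct.entitlements:          # entitlement creep hit an SoD rule
                findings.append(("sod_violation", acct.app, acct.account, 50))
        if acct.shared and acct.entitlements & privileged:
            findings.append(("shared_privileged", acct.app, acct.account, 30))
    return findings

def rank_risk(findings):
    """Rate & rank: total score per account, highest first, to order remediation."""
    scores = {}
    for _kind, app, account, score in findings:
        scores[(app, account)] = scores.get((app, account), 0) + score
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (app, account), score in rank_risk(analyze(HR, ACCOUNTS, SOD_RULES, PRIVILEGED)):
        print(f"{app}/{account}: risk {score}")
```

The ranked output is what a reviewer would certify or send back through the provisioning loop as a remediation request.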
The Three Steps To Identity Governance
Step 1: Understand Current State (Current State Checkpoint)
• Build Entitlement Warehouse
• Establish Responsibility
• Critical Remediation
Step 2: Plan Desired State (Governance Model)
• Automate Controls
• Model Policies & Roles
• Change Management Models
Step 3: Manage Delta (Operational Provisioning)
• Automate High Value Apps
• Enhance Existing Procedures
• Closed Loop Execution
Progression across the steps: Detective to Preventative; Reactive to Scheduled; Remediation to Mitigation
An Integrated Solution
Compliance Manager: Certification | Policy Evaluation
Lifecycle Manager: Access Request | Business Event Triggers
Governance Platform: Role Management | Policy Engine | Risk Model | Provisioning Broker
Integration Module: 3rd Party Service Desk
IdentityIQ Provisioning Engine
Integration Module: 3rd Party Provisioning Engine
[email protected]
QUESTIONS