Technical Marketecture Slides

A Governance-based Approach to Identity Management
Darran Rolls – CTO – SailPoint Technologies
Tariq Jan – Program Manager – JPMorganChase
Confabulations, 2010 - Zurich
Examples of IAM Lifecycle Breaks
2
Identity Lifecycle Management
3
User Access Recertification
Beware The Big Bad Rubber Stamp…
[Diagram; labels only survive: Business Context; Reliable Results]
"Methods currently employed to manage compliance and governance are predominantly paper-based, including spreadsheets, folders, and manual systems." (Source: Aberdeen Group 2008)
4
PROBLEM STATEMENT
• Audit deficiencies; no LOB ownership of the process.
• Lack of ownership of privileged accounts.
• Lines of Business within the firm proceeding down different paths and making separate investments in certification procedures & tools.
• User experience: variations in certification tools, processes, and methods.
• Scalability of current recertification tools and processes, and the manual effort required to manage the end-to-end process.
• Movers and Leavers are not managed appropriately.
5
Project Approach (Vendor Selection - 2008 → Implementation - 2009 → Next Steps - 2010)
Vendor Selection - 2008
• 6 tools evaluated – 3 JPMC internal tools and 3 vendor tools.
• Tech POC requirements were best met by SailPoint at 72%, versus 36% for the other tools.
• Cost – cheaper to buy than to build / maintain current tools when also considering future requirements.
• Steering Committee approval of the IdentityIQ tool.
• Contract issued to vendor for enterprise license and Professional Services in August '08.
• Offshore P.S. resource model selected for IB to reduce the cost of implementation.
6
Project Approach
Implementation - 2009
• 365 application instances, with infrastructure where appropriate, delivered for recertification in 2009.
• July '09 – Heritage Bear merger. IIQ used to provide role-based access certification for 6 applications.
• Deletes raised for more than 104k user entitlements certified as revoked.
• Training on IIQ delivered in 2009 – approx. 3,000 out of 17k certifying managers attended training sessions.
• Positive feedback on UI – 40% drop in support calls compared to 2008 using other tools.
• Policy violations and rules implemented.
• Implementation of Toxic Combo functionality.
• IBID (Sun) – IIQ integration and strategy formulated.
• Transfer and Leaver handling process and additional functionality identified for implementation in 2010.
7
Project Approach
Next Steps - 2010
• 800 new applications and infrastructure onboarded to IIQ.
• 1,200 applications and infrastructure recertified, including external vendor applications.
• Implementation and go-live of Toxic Combination functionality.
• Improve user experience by implementing certification by exception.
• Continue investigating RBAC opportunities.
• Decommissioning of other LOB recertification tools within the firm and migration to IIQ.
8
User Access Recertification Maturity
[Maturity chart; labels only survive.] Axes: "Type of Review" (from Review of Actual Data to Review of Policy Compliance Effectiveness) and "Degree of Automation" (from Static Data to Real-time Review). Stages plotted: Manual (Spreadsheets & Email); Periodic (System Based Reporting); Event Based (Triggers); Continuous (Dynamic Review).
9
User Access Recertification – End State
Reviewers:
• Consolidated view of user access privileges
  – Review and certify entitlements, business roles and policy violations
  – Highlight accounts of interest – privileged user, service, dormant
• Business-focused certification process
  – Cascading application certifications
  – Easy-to-understand entitlement descriptions
  – Highlight identity risk metrics within certification reports
• Closed-loop integration with existing provisioning systems
  – Automatically generates revocation requests
  – Validates changes were completed
[Process diagram; labels only survive.] Reviewers (App Owner, Manager, Ad-hoc) → Automated Certification Process over Policy, Role and Entitlement, with reviewer decisions: Approve access; Allow exceptions; Revoke access; Delegate decision → Identity Cubes → IT Resources.
10
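The end-state slide above describes a closed-loop certification cycle (flag accounts of interest and policy violations, collect reviewer decisions, generate revocation requests, then validate that the changes actually landed), and the earlier "Big Bad Rubber Stamp" slide warns what the loop is protecting against. The following is an added illustration of that cycle; it is not SailPoint's or JPMC's code. Every identity, entitlement, toxic-combination policy, reviewer decision and the simulated provisioning system are constructed sample data, and all function names are assumptions made for this example.

```python
"""Added illustration of a closed-loop access-certification cycle with
separation-of-duty ("toxic combination") checks. Not vendor or JPMC code;
all data below is constructed and every function name is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

# Entitlement data model (constructed): identity -> {(application, entitlement)}
IDENTITIES = {
    "alice": {("payments", "create_wire"), ("payments", "approve_wire"), ("hr", "read")},
    "bob":   {("payments", "create_wire"), ("unix-prod", "root")},
    "carol": {("hr", "read")},
    "dave":  {("unix-prod", "sudo_all")},
}
# Separation-of-duty policies: entitlement sets no single identity may hold together.
TOXIC_COMBOS = [frozenset({("payments", "create_wire"), ("payments", "approve_wire")})]
# Entitlements highlighted to the reviewer as accounts of interest.
PRIVILEGED = {("unix-prod", "root"), ("unix-prod", "sudo_all")}
DECISIONS = {"approve", "exception", "revoke", "delegate"}


@dataclass
class CertItem:
    identity: str
    entitlement: tuple
    flags: list = field(default_factory=list)   # "privileged", "policy-violation"
    decision: Optional[str] = None
    delegate_to: Optional[str] = None


def find_policy_violations(identities):
    """Return {identity: [toxic combo, ...]} for every combination fully held."""
    return {who: [c for c in TOXIC_COMBOS if c <= ents]
            for who, ents in identities.items() if any(c <= ents for c in TOXIC_COMBOS)}


def build_certification(identities):
    """Consolidated review list: one item per entitlement, flagged for the reviewer."""
    violations = find_policy_violations(identities)
    items = []
    for who, ents in sorted(identities.items()):
        for ent in sorted(ents):
            flags = []
            if ent in PRIVILEGED:
                flags.append("privileged")
            if any(ent in combo for combo in violations.get(who, [])):
                flags.append("policy-violation")
            items.append(CertItem(who, ent, flags))
    return items


def record_decision(item, decision, delegate_to=None):
    """The four reviewer actions on the slide: approve, exception, revoke, delegate."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    if decision == "delegate" and not delegate_to:
        raise ValueError("delegation needs a named delegate")
    item.decision, item.delegate_to = decision, delegate_to


def rubber_stamp_signals(items):
    """Flagged items approved outright (not as a recorded exception) are the
    simplest rubber-stamp signal and should be routed back for a second look."""
    return [i for i in items if i.flags and i.decision == "approve"]


def revocation_requests(items):
    """Closed loop, step 1: every revoke decision becomes a provisioning request."""
    return [(i.identity, i.entitlement) for i in items if i.decision == "revoke"]


def simulated_provisioning(state, requests):
    """Constructed stand-in for the provisioning system. It silently drops
    requests for 'unix-prod' to show why the loop must be closed by re-reading."""
    for who, ent in requests:
        if ent[0] != "unix-prod":
            state[who].discard(ent)
    return state


def validate_revocations(requests, current_state):
    """Closed loop, step 2: re-read the target systems; anything still present is
    an open finding, not an entitlement that can be reported as revoked."""
    return [(who, ent) for who, ent in requests if ent in current_state.get(who, set())]


def run_campaign():
    """Full cycle on the sample data; returns the figures a campaign report needs."""
    items = build_certification(IDENTITIES)
    by_key = {(i.identity, i.entitlement): i for i in items}
    record_decision(by_key[("alice", ("payments", "approve_wire"))], "revoke")   # clears the SoD break
    record_decision(by_key[("alice", ("payments", "create_wire"))], "exception")
    record_decision(by_key[("alice", ("hr", "read"))], "approve")
    record_decision(by_key[("bob", ("payments", "create_wire"))], "approve")
    record_decision(by_key[("bob", ("unix-prod", "root"))], "revoke")
    record_decision(by_key[("carol", ("hr", "read"))], "delegate", delegate_to="erin")
    record_decision(by_key[("dave", ("unix-prod", "sudo_all"))], "approve")      # privileged, waved through
    requests = revocation_requests(items)
    state = simulated_provisioning({k: set(v) for k, v in IDENTITIES.items()}, requests)
    return {
        "items": len(items),
        "violations_before": len(find_policy_violations(IDENTITIES)),
        "violations_after": len(find_policy_violations(state)),
        "revocations_requested": len(requests),
        "revocations_open": validate_revocations(requests, state),
        "rubber_stamps": len(rubber_stamp_signals(items)),
    }


if __name__ == "__main__":
    print(run_campaign())
```

The point of the second pass in `validate_revocations` is the one the slide makes with "validates changes were completed": a revoke decision only counts once the target system no longer shows the entitlement, which is why the constructed provisioning stand-in deliberately fails for one system and the report lists that request as still open rather than certified.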
Summary - IAM Convergence Framework
[Architecture diagram; labels only survive.] Identity sources: HR; Clients; Non Employee. Core components: Request Mgmt; Identity Store (Sailpoint IIQ / Other); Provisioning; Entitlement Data Model (SailPoint IIQ); Entitlement Store; Event Mgmt Tool. Functional Policy Store: Access Approval Policies; Leaver Transfer Policies (SailPoint IIQ); Separation Of Duty Policies; Other Access Ctrl Policies. Governance processes (Sailpoint IIQ): Recertification; Leaver Transfer; Policy Reviews. Targets: Application; Infrastructure; Privileged Access.
11