Beyond the Password: Business Enablement Through IAM
Ken Williams, CISSP, CFE, Vice President, Technology Services, CA, Inc.
About Ken Williams
25 years in the risk management domain:
Ken is Vice President for CA, Inc. in Canada with over 25 years of experience in enterprise risk services, specializing in enterprise security architectures, information security operations, and regulatory compliance solutions globally within the banking, healthcare, government and telecommunications sectors.
Ken manages CA’s Technology Services within the sectors below:
Banking & Finance
Gas & Oil
Electricity & Power
Local, State, Federal
Ken has authored technical security standards for State and Federal Government Agencies, Regional Banks and Regional Telecommunications carriers, and has authored technology white papers in the areas of information security and regulatory compliance.
Prior to CA, Ken was a manager in the KPMG LLP Information Risk Management practice, Chief Security Officer of an international telecommunications provider, and founder of META Security Group.
Extensive past / present credentials:
Certified Fraud Examiner (CFE)
Certified Homeland Security Consultant (CHS)
Certified Information Systems Security Professional (CISSP)
Certified Protection Professional (CPP)
Certified IT Infrastructure Library (ITIL)
Defense Security Services – Active T/S Clearance
Enterprise security is a quality that must be embedded into all corporate functions.
We are experiencing a convergence of the need for reliability, privacy and accountability.
Commerce and IT are interconnected in ways that could not have been envisioned a generation ago.
Data security and privacy concerns are pervasive, while the threats are often intentional and, at the same time, difficult to quantify and anticipate.
The only logical response to the requirement to maintain financial integrity, investor confidence and sustainable operations is a program that takes a comprehensive approach to corporate governance as it relates to information management, security and availability.
What CSOs and CIOs are Telling Us
Costly to manage user accounts
Vulnerabilities are expensive
Security data overload is real
Must reduce corporate liability
Need to demonstrate regulatory compliance
(PIPEDA, HIPAA, Sarbanes-Oxley)
On-Demand Security Challenges…
Provision users automatically
Assess and fix vulnerabilities
Deliver instant security for regulatory compliance
Securely manage events and take action
Today’s Business Challenges
Governance: lack of transparency into business processes, business data and IT operations leads to a lack of required corporate oversight
Compliance: fines and/or sanctions for non-compliance
Operating Costs: inefficient and labor-intensive operations; insufficient information for budgeting and planning
Capital Costs: uninformed procurement; unnecessary hardware and software
Losses/Risk: security breaches; loss of critical business data; inconsistent processes
Downtime: unavailable business-critical applications and processes
Agility and Time to Market: slow and costly change, inflexible business processes
These issues have been top-of-mind for the last several years, and remain so today
Today’s IT Challenges
IT organizations are still grappling with solving
Lack of transparency
Compliance and IT governance
The result is a lack of alignment between IT and business needs
To Meet These Challenges, IT Must Evolve
“95% of IT organizations still create IT strategic plans without fully understanding the business benefits … It is these plans that fall by the wayside … CIOs must create more focused, business-friendly, and actionable plans.” -- Meta (March 2005)
To date, CIOs have not had the tools available to:
Create a business-driven IT organization
Solve business challenges, and
Manage IT operations like a business
This is the mandate for the next phase of IT evolution
Business Benefits of IAM Functionality
Reducing calls to help desk
Enabling easy access with one account and one password
Reducing account management time
Improving help-desk services
Delivering a better client web experience
Increasing user satisfaction
Reducing account management time
Streamlining business processes
Delivering better web services
Increasing productivity of help-desk and IT services
Increasing satisfaction of both internal and external users
Securing the company’s reputation
Attracting prospective customers to do business online
Securing important corporate data such as branding info
Complying with regulations such as HIPAA, the Gramm-Leach-Bliley Act, 21 CFR Part 11 and the Sarbanes-Oxley Act
Scaling organizational security
Enabling a comprehensive picture of the entire organizational data
Facilitating an easy implementation of future applications
Managing resources more effectively
Eliminating redundancy in data management
The benefits above fall under four functional areas: Single Sign-On; Registration & Enrollment; Authentication & Authorization; Information Consolidation
Business Benefits of IAM Functionality
Maintaining security through de-provisioning on termination, user clean-up and robust auditing capabilities
Managing access rights through centralized user management and delegated administration
Providing automated workflow
Addressing e-business initiatives promptly and efficiently to gain and maintain market share
Leveraging the system across the value chain and strengthening commitment
Complying with regulations
Increasing control and management of information flow
Increasing user satisfaction
Reducing account management time
Increasing IT & help desk productivity
Decentralizing organizational control
Increasing organizational security
Eliminating calls to help-desk regarding password reset
Business Impact of IAM Functionality
IAM functions: Provisioning & Federated Identity; Audit; Delegated Administration & Self-Service; Password Management; Single Sign-On; Registration & Enrollment; Authentication and Authorization; Information Consolidation
Business impact areas: User Satisfaction; Regulatory Compliance; Risk Management; Operational Efficiency; Cost Containment; Business Facilitation
Where Do Savings Come From?
IAM facilitates repeat business by improving online business.
IAM attracts new business by improving the organizational image.
IAM facilitates new business by enabling federated identity and convenient web access.
IAM streamlines business processes.
IAM reduces future costs by spending less on new capabilities.
IAM scales organizational security.
IAM is doing more with less.
IAM increases organizational productivity.
Where Do Savings Come From?
Complying with regulation
IAM helps avoid fines related to non-compliance with regulation.
IAM supports business opportunities by enabling the organization to work with existing or prospective customers and suppliers who have already achieved a certain security level.
IAM keeps the organization competitive by matching the regulatory compliance your competitors have already achieved.
Where Do Savings Come From? (p2)
IAM prevents loss resulting from damage to the supply chain.
IAM prevents monetary loss resulting from an accounting system breach.
IAM keeps intellectual property and competitive information safe.
IAM provides legal protection to the organization.
Key Questions Every Organization Must Consider
What is the maximum capacity of your current system?
What is the average growth in application development?
What is the average impact of a reorganization?
How often does a reorganization occur?
What is the average turnover?
What menial tasks would you like to eliminate?
How long does it take to set up a new user in the current system?
Key Questions Every Organization Must Consider (p2)
What is the cost associated with this process?
How many users (customers, partners) will be given access?
What is your annual application management cost?
What is the cost of new user management?
What is the annual cost of existing user management?
What is the cost by security feature, per application?
What is the financial impact of faster access to applications?
Aligning To Needs
Enterprise IT Management Vision: To Manage & Secure It All
What is managed: Application Environments; Assets; Users; Business Processes; IT Services; IT Processes & Best Practices
Management disciplines: Security Management; Enterprise Systems Management; Business Service Optimization; Storage Management
Enterprise IT Management
Enterprise IT Management (EITM) is CA’s vision and strategy for integrated IT management across traditionally distinct IT disciplines
Optimizes and automates the performance, reliability, high-availability and efficiency of enterprise IT environments.
Enables our customers to deliver IT seamlessly as a service and reduces TCO
Leverages common services and a central management database that provides a unified view of all aspects of the enterprise
EITM is supported by CA and partners and is based on industry best practices
Step 1: Define Your Business Operations and Needs
Business Enablement and protection
Protect the entity’s IT assets in open global network environment
Secure current infrastructure
Include security in ongoing development
Include security in ongoing implementation
Effective deployment of security technology to increase effectiveness and efficiency of security processes
Protect intellectual property
The strategic business objectives should be mapped to the strategic vision, mission and service objectives for the security organization. Business objectives, each of which has an impact on the security objectives:
Increase sales and expand to new markets
Extend the enterprise
Technology enable the organization
Increase Customer satisfaction
Enhance business processes
Step 2: Determine Overall Maturity Level
Information delivery maturity levels (value rises with each level, and so does cost):
Level 1, Data: centralized access to data content & applications
Level 2, Information: refine, analyze & sort data, delivering security information (security monitoring)
Level 3, Knowledge: apply business relevance to information to determine business priorities (security management)
Level 4, Action: act on real business knowledge in a single place according to business need (security command center, providing situational awareness)
Step 3: Align Business and IT Strategy
Focus on producing a baseline blueprint, developing a high level target state, and IS strategy alignment.
Where are we today? Existing baseline: Organization and Core Competencies; Technology Environment; Information and Process Support; Applications; Communications Networks
What should we look like? Target state: Process State; Information State; Organization State; IT Technology State
How should we get there? Migration Plan; Architecture Documentation; Resource Plan; Project Planning and Management
Inputs to the alignment: Business Operations & Needs; Security Vision & Mission; Information Technology Architecture & Processes. The IS strategy is aligned between IS and the business units (BU).
Step 4: Define IT Processes
An Integrated IT Flow (IIF) consists of a set of IT processes
An IIF represents people, technology, and processes required to achieve a desired outcome
The desired outcome should be measurable and auditable
Example IIF: identity management provisioning flow
Standards and policies: define self-registration policy; define delegated managers; define federated trust; define authoritative sources
Triggers: HR feed (new hire, transfer, termination); delegated management; self management; SPML request
Open service request workflow
Attributes received from authoritative source
Unique identifier established or checked
Policy verification
Workflow process followed
Separation of duties checked
Service request approved (if required) by multiple approvers (0 or many for some request types, 1 or many for others)
Provisioning through the business rules engine / roles engine: create, modify or delete the identity; add, change or remove access rights
Close request
Log events
Roles in the flow: Applications Developer; End User; Internal Audit Manager; Security Manager; Application Manager; HR; IT Operations Manager; Business Manager
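The provisioning flow above, reduced to runnable code as an added example (this is not CA’s software and not code from the slides): HR-feed events and service requests pass through the roles engine, a separation-of-duties check, an approval gate and an entitlement change, and every decision, including rejections and pending states, is written to the event log. The department-to-role rules, the conflicting role pair, the roles that need an approver and the u<employee number> identifier scheme are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field

# Constructed business rules: the roles engine (department -> default roles),
# role combinations that violate separation of duties, and roles that need an approver.
ROLE_RULES = {
    "finance": {"ap_clerk"},
    "treasury": {"payment_approver"},
    "it": {"sysadmin"},
}
SOD_CONFLICTS = [frozenset({"ap_clerk", "payment_approver"})]
ROLES_REQUIRING_APPROVAL = {"sysadmin", "payment_approver"}


@dataclass
class Identity:
    uid: str
    department: str
    roles: set = field(default_factory=set)
    active: bool = True


def sod_violations(roles):
    """Conflicting role pairs fully contained in `roles` (empty list means clean)."""
    return [sorted(c) for c in SOD_CONFLICTS if c <= roles]


class ProvisioningWorkflow:
    def __init__(self):
        self.identities = {}
        self.events = []  # audit trail: rejections and pending states are logged, not only grants

    def _log(self, kind, uid, **detail):
        self.events.append({"event": kind, "uid": uid, **detail})

    @staticmethod
    def unique_id(employee_number):
        # Assumption: the HR employee number from the authoritative source anchors the identifier.
        return f"u{employee_number}"

    def _apply(self, ident, target, approved_by):
        """Policy verification, approval gate and entitlement change for a target role set."""
        conflicts = sod_violations(target)
        if conflicts:
            self._log("rejected_sod", ident.uid, conflicts=conflicts)
            return {"status": "rejected_sod", "conflicts": conflicts}
        to_add, to_remove = target - ident.roles, ident.roles - target
        needs_approval = to_add & ROLES_REQUIRING_APPROVAL
        approvers = [a for a in approved_by if a != ident.uid]  # nobody approves their own access
        if needs_approval and not approvers:
            self._log("pending_approval", ident.uid, roles=sorted(needs_approval))
            return {"status": "pending_approval", "roles": sorted(needs_approval)}
        ident.roles = set(target)
        self._log("entitlements_changed", ident.uid, added=sorted(to_add),
                  removed=sorted(to_remove), approvers=approvers)
        return {"status": "completed", "added": sorted(to_add), "removed": sorted(to_remove)}

    def handle_hr_event(self, record, approved_by=()):
        """Process one HR-feed record: new_hire, transfer or termination."""
        uid, action = self.unique_id(record["employee_number"]), record["action"]
        if action == "new_hire":
            if uid in self.identities:
                return {"status": "rejected_duplicate"}  # unique identifier check failed
            ident = self.identities[uid] = Identity(uid, record["department"])
            self._log("identity_created", uid, department=record["department"])
            return self._apply(ident, ROLE_RULES.get(record["department"], set()), approved_by)
        ident = self.identities[uid]
        if action == "transfer":
            ident.department = record["department"]
            # The new department's roles replace the old ones; nothing is accumulated.
            return self._apply(ident, ROLE_RULES.get(record["department"], set()), approved_by)
        if action == "termination":
            ident.active = False
            result = self._apply(ident, set(), approved_by)  # de-provision every entitlement
            self._log("identity_disabled", uid)
            return result
        raise ValueError(f"unknown HR action {action!r}")

    def service_request(self, uid, requested_roles, approved_by=()):
        """Self-service or delegated request for extra roles, checked against current roles."""
        ident = self.identities[uid]
        if not ident.active:
            return {"status": "rejected_inactive"}
        return self._apply(ident, ident.roles | set(requested_roles), approved_by)
```

A transfer is handled as a full replacement of the target role set rather than an addition, so a user moved from finance to treasury loses ap_clerk in the same change that grants payment_approver. Checking separation of duties on the resulting set (not only on the roles being added), refusing self-approval, and stripping all roles on termination rather than merely disabling the login are the three places where a naive implementation of this flow usually goes wrong.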
Step 6: Develop a Blueprint
The blueprint maps each maturity stage to IT organizational characteristics, component-level technical capabilities and ROI.
Stage 1 (baseline)
Organizational characteristics: Focused on Traditional Services; Slow to Handle Change; Informal and Reactive Processes
Technical capabilities: Virtual Identity Directory; Active Enterprise Identity Inventory; Password Policy Enforcement; Centralized Password Management; Self-serve Password Reset; Password Management System; System/App Level Mgt of Users; Consistent Cross-platform Web Interface; Manual User Export from HR System
ROI: Reduced helpdesk costs with automated password management
Stage 2: Efficient
Organizational characteristics: Change in Business Priorities; IT Change Driven by Cost / Regulatory Pressure; Commitment to Centralization and Automation; Adopts ITIL Svc Mgt to Formalize Processes
Technical capabilities: Automated Identity Provisioning; Workflow Process Automation; Correlation with Authoritative Source (i.e. HR); Entitlement & Change Report Generation; Web/Desktop Password Reset; Identity Management System; Workflow Engine (Web forms, Rules); Identity Reporting System; Delegated User Administration; Feeds from HR Authoritative Source; Integration With Key Identity Systems
ROI: Administrative cost savings due to automation of processes for identity management
Stage 3: Responsive
Organizational characteristics: IT Now Involved in Business Change Planning; Manages to SLA and Controls; Integrated Enterprise-wide IT Management; Tracks Performance of Processes
Technical capabilities: Automated Identity & Role Processing; Entitlements Exception Reporting; Syncs Multiple Authoritative Srcs (e.g. Contractors); Self-serve Registration Process; Role Management System; Feeds from All Authoritative Sources; Business Application Provisioning; Workflow for Application Security Review; Role-based Entitlements Management; Application Directory Integration; Integration With Business Apps & Infrastructure; Entitlement Synchronization System
ROI: Reduced cost in business application and compliance due to automation of role and entitlement management
Stage 4: Business-Driven
Organizational characteristics: Ready for Business-Driven Change; Rapidly Support New Services and Customers; Enables Support for Growing Partner Ecosystem; Automated Process Improvement
Technical capabilities: Web Services Security; Interoperability w/SPML & Enabling SAML; Automated Resource Provisioning; Federated Trust Management; Provisioning Authentication Technologies; Web Services Business Integration; Integration With Building Access Systems; Partner Identity Management; Integrated Business Processes; CMDB Integration
ROI: Reduced cost in partner access and change management
Step 7: Initiate Transition To Next Level Of Maturity
Step 8: Integrate Within The Enterprise
Sustaining the Program…
Once you have built the security program you must maintain it at an appropriate level while continuing to evolve it for the next business generation.
A security communication process and regular plan
“ Ease of Use” and practical solutions and approaches
Process based capabilities focus versus technology/project/initiative focus
Architectural models with reusable, scalable components
Foundation built on principles
Business Units actively involved in self assessment, risk assessment and awareness
Funding and resource levels appropriate with business risk profile, with differentiation between maintaining current capabilities (IS budget) and new capabilities for new changes in BU operations (BU or IT budget)
Connection to the business units and alignment of strategies and priorities
Monitoring and feedback loop with enforcement
Measurement system focused on performance management not statistics
Executive focus, sponsorship and reinforcement
BU ownership of security and requirements with IT delivering the services
BU leadership evaluated on security performance through individual and BU results (charge units for failure to comply)
Interfaces and formalized communications among the related parties (audit, legal, compliance, technology)
With Best Practices Across The Enterprise
Focusing Across Key Areas of IT Security: Privacy; Identity and Access Management; Threat Management; Intelligent Security Management
Provides Sustainable Security Management
Alerts (IDS sensors, AV alerts, FW messages, host logs) are correlated, then aligned to the business by checking assets & vulnerabilities and prioritizing to business level; remediation actions are initiated and the resolution is remediated. The loop runs from discovery to resolution for known attacks (Netsky, Bagle, Mydoom) as well as new attacks, with data feeding every step.
Security needs to help organizations understand what is happening and how it relates to the business
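To make the alerts-to-remediation loop concrete, the following added example (not part of the slides and not a CA product) correlates constructed IDS, AV, firewall and host-log lines by affected host, checks each host against a constructed asset inventory for platform applicability and patch state, scores it by signature severity times business priority, and picks a remediation action. The sensor line format, signature names and platforms, scoring weights, the default priority for hosts missing from the inventory and the action thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sensor lines (IDS, AV, firewall, host log); not real logs.
RAW_EVENTS = [
    "ids src=203.0.113.7 dst=10.0.1.20 sig=Mydoom-propagation",
    "av host=10.0.1.20 detect=Netsky action=quarantined",
    "fw src=10.0.1.20 dst=198.51.100.9 dport=25 action=deny",
    "ids src=203.0.113.7 dst=10.0.2.5 sig=Mydoom-propagation",
    "host host=10.0.2.5 msg='service smtp started'",
    "ids src=203.0.113.9 dst=10.0.3.9 sig=Mydoom-propagation",
    "ids src=203.0.113.7 dst=10.0.9.99 sig=Mydoom-propagation",
]
# Constructed asset inventory: business priority 1 (low) to 5 (critical), platform, patch state.
ASSETS = {
    "10.0.1.20": {"name": "payroll-app", "business_priority": 5, "platform": "windows", "patched": False},
    "10.0.2.5": {"name": "mail-relay", "business_priority": 3, "platform": "windows", "patched": True},
    "10.0.3.9": {"name": "build-box", "business_priority": 1, "platform": "linux", "patched": False},
}
# Constructed, simplified signature knowledge: affected platform and severity 1-5.
SIGNATURES = {
    "Mydoom-propagation": {"platform": "windows", "severity": 4},
    "Netsky": {"platform": "windows", "severity": 3},
}
EXPOSURE_WEIGHT = {"exposed": 1.0, "unknown_asset": 1.0, "mitigated": 0.25, "not_applicable": 0.0}
UNKNOWN_ASSET_PRIORITY = 2  # assumption: mid priority until the host is inventoried
KV = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_event(line):
    """Split '<sensor> k=v k=v ...' into sensor type, affected host and fields."""
    source, _, rest = line.partition(" ")
    fields = {k: v.strip("'") for k, v in KV.findall(rest)}
    # The field naming the affected asset depends on the sensor: IDS reports the
    # target (dst), AV and host logs report host, the firewall sees the host as src.
    host = fields.get("dst") if source == "ids" else (fields.get("host") or fields.get("src"))
    return {"source": source, "host": host, "fields": fields}


def exposure_of(asset, sig_platforms):
    """Is this host actually at risk from the signatures seen against it?"""
    if asset is None:
        return "unknown_asset"
    if asset["platform"] not in sig_platforms:
        return "not_applicable"
    return "mitigated" if asset["patched"] else "exposed"


def action_for(exposure, score):
    """Remediation action chosen from exposure and business-weighted score (thresholds assumed)."""
    if exposure == "unknown_asset":
        return "add host to asset inventory; treat as exposed until assessed"
    if exposure == "exposed":
        return "isolate host and patch" if score >= 10 else "patch within SLA"
    if exposure == "mitigated":
        return "confirm patch level and AV quarantine, then close"
    return "tune IDS signature (platform mismatch, likely false positive)"


def prioritize(raw_events, assets, signatures):
    """Correlate events per host, check assets and vulnerabilities, rank by business impact."""
    per_host = defaultdict(lambda: {"sources": set(), "sigs": set(), "attributed": set()})
    for line in raw_events:
        ev = parse_event(line)
        if ev["host"] is None:
            continue
        agg = per_host[ev["host"]]
        agg["sources"].add(ev["source"])
        sig = ev["fields"].get("sig") or ev["fields"].get("detect")
        if sig in signatures:
            agg["sigs"].add(sig)
            agg["attributed"].add(ev["source"])  # sensor types that named a known signature
    results = []
    for host, agg in per_host.items():
        if not agg["sigs"]:
            continue  # noise with no attributable attack signature
        asset = assets.get(host)
        exposure = exposure_of(asset, {signatures[s]["platform"] for s in agg["sigs"]})
        severity = max(signatures[s]["severity"] for s in agg["sigs"])
        priority = asset["business_priority"] if asset else UNKNOWN_ASSET_PRIORITY
        score = round(severity * priority * EXPOSURE_WEIGHT[exposure], 1)
        results.append({
            "host": host,
            "asset": asset["name"] if asset else None,
            "signatures": sorted(agg["sigs"]),
            "corroborated": len(agg["attributed"]) >= 2,  # seen by more than one sensor type
            "exposure": exposure,
            "score": score,
            "action": action_for(exposure, score),
        })
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(RAW_EVENTS, ASSETS, SIGNATURES):
        print(f"{r['score']:5} {r['host']:<10} {r['exposure']:<15} {r['action']}")
```

The ordering is the point of the slide: the same Mydoom signature lands at the top of the queue for the unpatched, business-critical payroll host, drops to a low-effort verification for the patched mail relay, and becomes a tuning task for the Linux build box where the signature cannot apply. A host that is absent from the inventory is kept in the queue as an inventory gap rather than silently scored at zero, which is the discovery step of the loop.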
Need: Identity and Access Management Analysis
Organization requires an analysis of external audit results.
Provide a gap analysis utilizing EDM - Maturity Model tools.
Develop a solution blueprint for Identity and Access Management based upon Integrated Information Technology Flows (IIF).
Develop Solution Architecture Overview (SAO).
Current risk summary, each item rated L/M/H for probability of occurrence and for impact factor: Regulatory Non-Compliance; Loss of Reputation; Downtime; Overall Current Risk
Current maturity with respect to leading practices, scored per control (aggregated with impact and probability):
0: Control is not in place with no current plans to implement.
1: Control is not in place with approved plans to implement.
2: Control is partially in place with no current plans to implement.
3: Control is partially in place with approved plans to implement.
4: Control is in place with exceptions.
5: Control is in place without exceptions.
Solution Blueprint
Progression of the blueprint, from point solutions to integrated corporate management:
Enterprise Repository (point solution focused)
Centralized Security Reporting (enterprise solution focused)
Centralized Process Controls (controls solution focused)
Integrated Process Management with a Risk Management View (value solution focused)
Integrated Corporate Management (Operations, Risk Management & Security) with a Dynamic Entitlement Management View
Component-level technical capabilities and organizational characteristics are laid out by phase (Operational Auditing & Compliance Phase; Identity Management; Access Entitlements Management; Business Enhancement Phase) and by organizational maturity (Active; Efficient; Responsive; Business-Driven). Capabilities listed on the slide: Audit Aggregation Tools; Platform Access Control; Perimeter Access Control; Application Access Control; Centralized Audit Management; Data & Storage Access Control; Centralized Monitoring; Component Provisioning; Enterprise-wide Provisioning; Transactional Access Control; Integrated Compliance Management; Self-Service Entitlements; User Multi Factor Authentication; Centralized Authoritative Sources; Transactional Value Approval Control; Integration with Asset Mgt; Anti-Money Laundering Capabilities; Interactive Privilege Management; Platform & App Security Controls; Provisioning Solutions; Enterprise Reporting Systems; Secure Common Services; Correlation & Analysis Tools; Self-Service Tools; Workflow Engine; Transactional Engine; Integrated Provisioning Platforms; Biometric, Token and/or PKI Solutions; Privilege Management Tools; Compliance Management Tools; SAML Solution Platform; Forensics Tools; Process Monitoring Tools; Secure Transactional Repository; Reporting Systems; Enterprise User IDs; Operational Processing Engine; Knowledge Based Engine; Risk Management Engine; Business Reporting Engine; Personalization; Integrated Workflow Management; Federated Identity Management; Automated Forensics Capabilities; Behavioral Pattern Analysis; Process Management; On-Demand Resource Management; Integrated Regulatory Management; Productivity Management; Knowledge Based Authentication; Business Process Cost Value Reporting; Integrated Business Risk Management; Integrated Operations Center; External User & 3rd Party Value Reporting; Resource Optimization Tools
To Summarize, Integrated IT Flows (IIFs) are Key
Process-centric approach to IT management
Both the means and a framework for advancing an organization’s IT maturity level
Industry best-practices instantiated in automated workflows that invoke management and security functions
Comprehensive management and security solutions
Solutions integrated at the data, UI and process levels
Blueprints and assessment services to identify an organization’s starting points and next steps in the IT maturity model