Aberdeen ppt-iam integrated-db-06 20120412
Derek Brink's Presentation

Aberdeen ppt-iam integrated-db-06 20120412 Presentation Transcript

  • 1. IAM Integrated: Analyzing the “Platform” versus “Point Solution” Approach. Spring 2012. Derek E. Brink, BS, MBA, CISSP, Vice President & Research Fellow, IT Security / IT GRC. Derek.Brink@aberdeen.com
  • 2. Outline
    • Introductions
      • Myself
      • Research methodology
      • Benchmark study on IAM
    • Business context
    • Aberdeen’s research findings
    • Summary and recommendations
    • Additional resources
  • 3. Introductions: Derek E. Brink, CISSP – www.linkedin.com/in/derekbrink
    • VP & Research Fellow covering topics in IT Security and IT GRC at Aberdeen Group, a Harte-Hanks Company
      • I help organizations to improve their security and compliance initiatives by researching, writing about and speaking about the people, processes and technologies that correspond most strongly with the top performers
    • Adjunct Professor in Graduate Professional Studies at Brandeis University
      • I help individuals to improve their critical thinking, leadership skills and communication skills by teaching graduate courses in information assurance
    • Senior high-tech executive experienced in strategy development and execution, corporate / business development, product management and product marketing
      • RSA Security, IBM, Gradient, Sun Microsystems, Hewlett-Packard
    • MBA – Harvard Business School
    • BS Applied Mathematics – Rochester Institute of Technology
  • 4. Aberdeen’s Unique Research Methodology
    • Fact-based, “benchmarking” style
      • Pressures
      • Actions
      • Capabilities
      • Enabling Technologies
    • Respondents are differentiated based on key performance indicators (leading, average, lagging)
    • Correlation of “people, process and technologies” with results
  • 5. Benchmark Study on Identity and Access Management (IAM). Business Context: Increased Complexity of the Enterprise Computing Environment
    • [Diagram of the enterprise computing environment, annotated with the study's dimensions and metrics]
    • Study dimensions: Drivers, Inhibitors for investment; Strategies; Capabilities (people, process); Enabling Technologies
    • End-Users: Employees; Temporary employees / contractors; Mobile / remote users; Business Partners; Customers; Privileged Users
    • Diagram elements: Identities; Access; Provisioning; Applications; Data; Hosts; Endpoints; Intelligence; Repositories
    • Metrics labelled on the diagram: time to provision; % orphans; time to ∆ # roles; time to de-provision; #, type; # applications; time to integrate apps, roles; % customization vs. % configuration; # FTE admins; unauthorized access; “platform” vs. “best of breed”; audit deficiencies; total annual cost; data loss or exposure
  • 6. Outline
    • Introductions
    • Business context
      • End-users
      • Endpoints
      • Applications and data
      • The cost complexity and compliance
    • Aberdeen’s research findings
    • Summary and recommendations
    • Additional resources
  • 7. Business Context: Evolving End-User Populations
    • The days of enterprise end-users being largely synonymous with internal employees are over
    • In Aberdeen’s 2011 study on managing identities and access:
      • For every 100 employees there are another 27 temporary employees or contractors
      • Of this combined population, about 2 out of 5 (39%) are supported as mobile / remote users
      • Externally, support for business partners adds still another 20% to the total end-user count –
      • And this updated figure is then more than doubled when adding in support for the organization’s external customers
    • Effects of changing end-user populations
      • Increased security- and compliance-related risks
      • Pressure on the necessary supporting infrastructure (e.g., including all people, process, technology, hardware, software, services, training and support)
  • 8. Business Context: Evolving Endpoint Complexity
    • Momentum behind greater diversity and complexity of the enterprise IT infrastructure continues to mount
    • Enterprise end-users increasingly have an expectation of access to enterprise resources from any place, at any time, from any mobile platform
      • 94% support access to enterprise email
      • 89% support access to enterprise contacts
      • 89% support access to enterprise calendar
      • 87% support access to enterprise web-based apps
      • 45% support access to corporate network or Wi-Fi
    • Of particular note is the growing population of mobile endpoint devices that are not provisioned and managed by the enterprise
      • 72% of respondents in Aberdeen’s study on enterprise mobility support corporate-owned devices
      • 62% support employee-owned devices
    • Greater diversity and complexity of the enterprise IT infrastructure creates corresponding challenges to the enterprise’s ability to maintain some semblance of visibility and control
  • 9. Business Context: Evolving Characteristics of Enterprise Applications and Data
    • Enterprise data is generally not created to be hidden away – it is generally created to be shared
    • This naturally increases the need for the means to access enterprise resources, securely and reliably
    • Data volume and type
      • More data
      • Larger files
      • More file types
    • Applications / services
      • Currently supported: 215
      • Routinely accessed by typical enterprise end-users: 56 (26%)
      • Routinely accessed using strong authentication: 8 (14%)
    • Data flow
      • Increased collaboration, both within and across organizational boundaries
      • Greater pressure to provide faster access to information, any time, any location, any device
    • Greater complexity for access
      • More users
      • Diverse populations
      • More user-managed devices
  • 10. Business Context: The cost of Complexity also amplifies the cost of Compliance
    • In the context of their identity and access management initiatives, many organizations struggle with implementing repeatable approaches to demonstrating compliance with regulatory requirements such as attestation and separation of duties (SoD) … and this is consuming more and more of their IT budgets
    • Attestation refers to the periodic validation that end-users have appropriate access rights, i.e., as part of providing assurance that the right end-users have the right access to the right resources at the right times.
    • Separation of duties (or segregation of duties) refers to dividing tasks and associated privileges for certain business processes among more than one individual, to help prevent potential abuse or fraud.
  • 11. Outline
    • Introductions
    • Business context
    • Aberdeen’s research findings
      • Vendor-integrated “platform” approach vs. enterprise-integrated “point solution” approach
      • Quantification of benefits
    • Summary and recommendations
    • Additional resources
  • 12. Aberdeen’s Research Findings: Approach to Selecting and Deploying IAM Solutions (all respondents)
    • Across all respondents, a discernable shift from integration of point solutions to a “platform” approach
    • Average number of individual / point solutions currently deployed: between 4 and 5
    • [Stacked bar chart: Percentage of Respondents (N=155), Current vs. Planned]
      • Vendor-integrated / "Platform" approach: Current 47%; Planned 53%
      • Enterprise-integrated / "Point Solution" approach: Current 53%; Planned 47%
  • 13. Analysis: “Platform” vs. “Point Solution”
    • Aberdeen’s research shows a discernable shift from enterprise self-integration of point solutions for IAM toward more of a vendor-integrated approach
      • Some solution providers refer to this as an IAM "platform"
      • Others emphasize vendor integration, but feel that the term "platform" implies a lack of flexibility and choice
    • Aberdeen’s perspective
      • Any approach that shifts the burden of integration from the enterprise to the solution provider is a welcome trend
      • Analysis of organizations adopting each approach provides additional insights
        • Platform approach (N=32)
        • Point Solution approach (N=39)
  • 14. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Increased end-user productivity
    • Description and derivation of benefit: Timely provisioning and modification of end-user access to existing applications or services can save companies hundreds of dollars per end-user per year in terms of convenience, productivity and downtime, and significantly enhance the overall end-user experience.
    • Platform vs. Point Solution advantage: Platform approach
  • 15. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Increased end-user productivity
    • Description and derivation of benefit: Timely provisioning and modification of end-user access to existing applications or services can save companies hundreds of dollars per end-user per year in terms of convenience, productivity and downtime, and significantly enhance the overall end-user experience.
    • Platform vs. Point Solution advantage: Platform approach
    • Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric; Platform N=32, Point Solution N=39)
      • Provide emergency access (e.g., forgotten username or password): Platform 2.0 hours; Point Solution 2.3 hours; Platform advantage 11% faster
      • Reset a password or PIN (e.g., help desk or end-user self-service): Platform 1.1 hours; Point Solution 1.6 hours; Platform advantage 30% faster
  • 16. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Reduced risk
    • Description and derivation of benefit: Rapid de-provisioning of end-user access, on the other hand, is more about cost avoidance than it is about cost savings – e.g., by reducing the window of vulnerability from orphaned accounts and minimizing the potential for downstream misuse. Periodic attestation of access privileges and enforcement for separation of duties are also critical elements of reducing risk.
    • Platform vs. Point Solution advantage: Platform approach
  • 17. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Reduced risk
    • Description and derivation of benefit: Rapid de-provisioning of end-user access, on the other hand, is more about cost avoidance than it is about cost savings – e.g., by reducing the window of vulnerability from orphaned accounts and minimizing the potential for downstream misuse. Periodic attestation of access privileges and enforcement for separation of duties are also critical elements of reducing risk.
    • Platform vs. Point Solution advantage: Platform approach
    • Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric; Platform N=32, Point Solution N=39)
      • Suspend / revoke / de-provision an existing end-user identity: Platform 4.9 hours; Point Solution 5.8 hours; Platform advantage 14% faster
      • Suspend / revoke / de-provision end-user access to an existing app: Platform 3.7 hours; Point Solution 6.8 hours; Platform advantage 46% faster
      • Average dormant / orphaned accounts found (as a % of total number of accounts): Platform 3.7%; Point Solution 6.5%; Platform advantage 44% faster
      • Average dormant / orphaned accounts found = none: Platform 13%; Point Solution 3%; Platform advantage 4.3-times higher
  • 18. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Increased agility
    • Description and derivation of benefit: Given the dynamic changes in enterprise end-user populations and application portfolios, faster time to integrate a new application or integrate a new end-user role with the enterprise’s IAM infrastructure translates to flexibility and agility to compete more effectively. Pre-integration and workflow spanning IAM components cuts out the complexity and overhead of synchronization.
    • Platform vs. Point Solution advantage: Platform approach
  • 19. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Increased agility
    • Description and derivation of benefit: Given the dynamic changes in enterprise end-user populations and application portfolios, faster time to integrate a new application or integrate a new end-user role with the enterprise’s IAM infrastructure translates to flexibility and agility to compete more effectively. Pre-integration and workflow spanning IAM components cuts out the complexity and overhead of synchronization.
    • Platform vs. Point Solution advantage: Platform approach
    • Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric; Platform N=32, Point Solution N=39)
      • Integrate a new application with the enterprise’s IAM solution: Platform 43 hours; Point Solution 118 hours; Platform advantage 64% faster
      • Integrate a new end-user role into the enterprise’s IAM solution: Platform 19 hours; Point Solution 70 hours; Platform advantage 73% faster
  • 20. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Enhanced security and compliance
    • Description and derivation of benefit: Fewer incidents of unauthorized access to enterprise resources related to IAM translates to a huge benefit in terms of cost avoidance, particularly given the high average cost per incident found in Aberdeen’s studies. Consistent enforcement of policies and consistent, consolidated reporting for compliance translates to fewer audit deficiencies related to IAM, and the liberation of IT resources for more strategic projects.
    • Platform vs. Point Solution advantage: Platform approach
  • 21. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Enhanced security and compliance
    • Description and derivation of benefit: Fewer incidents of unauthorized access to enterprise resources related to IAM translates to a huge benefit in terms of cost avoidance, particularly given the high average cost per incident found in Aberdeen’s studies. Consistent enforcement of policies and consistent, consolidated reporting for compliance translates to fewer audit deficiencies related to IAM, and the liberation of IT resources for more strategic projects.
    • Platform vs. Point Solution advantage: Platform approach
    • Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric; Platform N=32, Point Solution N=39)
      • Unauthorized access to enterprise resources (per 10K users): Platform 0.64; Point Solution 0.74; Platform advantage 14% fewer
      • Audit deficiencies related to IAM (per 10K users): Platform 0.56; Point Solution 0.87; Platform advantage 35% fewer
  • 22. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Reduced total cost
    • Description and derivation of benefit: Efficiency of the vendor-integrated approach translates to support for higher scale with fewer FTE admin resources, at lower total annual cost per end-user per year. Common management interfaces across components enable policies which are consistent and easier to administer. Both "internal" and "external" end-users are managed by the same system.
    • Platform vs. Point Solution advantage: Platform approach
  • 23. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Benefit: Reduced total cost
    • Description and derivation of benefit: Efficiency of the vendor-integrated approach translates to support for higher scale with fewer FTE admin resources, at lower total annual cost per end-user per year. Common management interfaces across components enable policies which are consistent and easier to administer. Both "internal" and "external" end-users are managed by the same system.
    • Platform vs. Point Solution advantage: Platform approach
    • Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric; Platform N=32, Point Solution N=39)
      • Total annual cost related to IAM initiatives (e.g., including all people, process, technology, hardware, software, services, training, support): Platform $8.90 per end-user per year; Point Solution $17.10 per end-user per year; Platform advantage 48% lower
      • Total end-users per FTE IAM administrator: Platform 5,500; Point Solution 2,000; Platform advantage 2.75-times more
  • 24. Summary of Findings: Analysis of Organizations Adopting “Platform” vs. “Point Solution” Approach to IAM
    • Platform vs. Point Solution advantage: Platform approach
    • Increased end-user productivity: Timely provisioning and modification of end-user access to existing applications or services can save companies hundreds of dollars per end-user per year in terms of convenience, productivity and downtime, and significantly enhance the overall end-user experience.
    • Reduced risk: Rapid de-provisioning of end-user access, on the other hand, is more about cost avoidance than it is about cost savings – e.g., by reducing the window of vulnerability from orphaned accounts and minimizing the potential for downstream misuse. Periodic attestation of access privileges and enforcement for separation of duties are also critical elements of reducing risk.
    • Increased agility: Given the dynamic changes in enterprise end-user populations and application portfolios, faster time to integrate a new application or integrate a new end-user role with the enterprise’s IAM infrastructure translates to flexibility and agility to compete more effectively. Pre-integration and workflow spanning IAM components cuts out the complexity and overhead of synchronization.
    • Enhanced security and compliance: Fewer incidents of unauthorized access to enterprise resources related to IAM translates to a huge benefit in terms of cost avoidance, particularly given the high average cost per incident found in Aberdeen’s studies. Consistent enforcement of policies and consistent, consolidated reporting for compliance translates to fewer audit deficiencies related to IAM, and the liberation of IT resources for more strategic projects.
    • Reduced: Efficiency of the vendor-integrated approach translates to support for higher scale with fewer FTE admin resources, at lower total annual cost per end-user per year. Common management interfaces across components
  • 25. Details of Analysis: Adoption of the Platform Approach to IAM Translates to Tangible Business Value
    • Adoption of the Platform Approach to Managing Identities and Access Translates to Tangible Business Value (average for each respective metric; Platform N=32, Point Solution N=39)
    • Increased end-user productivity
      • Provide emergency access (e.g., forgotten username or password): Platform 2.0 hours; Point Solution 2.3 hours; Platform advantage 11% faster
      • Reset a password or PIN (e.g., help desk or end-user self-service): Platform 1.1 hours; Point Solution 1.6 hours; Platform advantage 30% faster
    • Reduced risk
      • Suspend / revoke / de-provision an existing end-user identity: Platform 4.9 hours; Point Solution 5.8 hours; Platform advantage 14% faster
      • Suspend / revoke / de-provision end-user access to an existing application: Platform 3.7 hours; Point Solution 6.8 hours; Platform advantage 46% faster
      • Average dormant / orphaned accounts found (as a % of total number of accounts): Platform 3.7%; Point Solution 6.5%; Platform advantage 44% faster
      • Average dormant / orphaned accounts found = none: Platform 13%; Point Solution 3%; Platform advantage 4.3-times higher
    • Increased agility
      • Integrate a new application with the enterprise’s IAM solution: Platform 43 hours; Point Solution 118 hours; Platform advantage 64% faster
      • Integrate a new end-user role into the enterprise’s IAM solution: Platform 19 hours; Point Solution 70 hours; Platform advantage 73% faster
    • Enhanced security and compliance
      • Unauthorized access to enterprise resources (per 10K users): Platform 0.64; Point Solution 0.74; Platform advantage 14% fewer
      • Audit deficiencies related to IAM (per 10K users): Platform 0.56; Point Solution 0.87; Platform advantage 35% fewer
    • Reduced total cost
      • Total annual cost related to IAM initiatives (e.g., including all people, process, technology, hardware, software, services, training, support): Platform $8.90 per end-user per year; Point Solution $17.10 per end-user per year; Platform advantage 48% lower
      • Total end-users per FTE IAM administrator: Platform 5,500; Point Solution 2,000; Platform advantage 2.75-times more
  • 26. Current Capabilities: Knowledge Management, by Maturity Class and by Approach
    • Workflow for IAM lifecycle; workflow-based approval for exceptions; standardized audit and reporting
    • Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard
    • [Bar chart: Percentage of Respondents (N=155) for Best-in-Class (Top 20%), Industry Average (Middle 50%), Laggards (Bottom 30%), Platform Approach (N=32) and Point Solution (N=39), across three capabilities: Workflow-based approval for exceptions; Standardized workflow for the IAM lifecycle; Standardized audit, analysis and reporting]
  • 27. Current Capabilities: Performance Management, by Maturity Class and by Approach
    • Effective audit and reporting, attestation, and enforcement for separation of duties
    • Platform approach is closest to Best-in-Class; Point Solution approach is between Average and Laggard
    • [Bar chart: Percentage of Respondents (N=155) for Best-in-Class (Top 20%), Industry Average (Middle 50%), Laggards (Bottom 30%), Platform Approach (N=32) and Point Solution (N=39), across three capabilities: Audit and reporting for who approved access privileges and when; Periodic validation that end-users have appropriate access rights; Enforcement for separation of duties]
  • 28. How IAM Capabilities Are Achieved: Configuration (out-of-the-box) vs. Customization (coding)
    • Leaders are slightly more able than all others to achieve IAM capabilities by configuration than by coding
    • Adopters of the Platform approach have pushed this advantage a bit further; no impact for Point Solution
    • Cost implications are obvious; vendor enhancements in this area would receive strong market welcome
    • [Stacked bar chart: Percentage of Respondents (N=155)]
      • Platform Approach (N=32): Configuration 58%; Customization 42%
      • Best-in-Class (Top 20%): Configuration 56%; Customization 44%
      • Point Solution Approach (N=39): Configuration 53%; Customization 47%
      • All Others (Other 80%): Configuration 53%; Customization 47%
  • 29. Outline
    • Introductions
    • Business context
    • Aberdeen’s research findings
    • Summary and recommendations
    • Additional resources
  • 30. Summary
    • Based on a study of more than 160 respondents, Aberdeen’s analysis of 32 enterprises which have adopted the vendor-integrated (Platform) approach to identity and access management, and 39 organizations which have adopted the enterprise-integrated (Point Solution) approach, showed that the vendor-integrated approach correlates with the realization of significant advantages – including
      • Increased end-user productivity
      • Reduced risk
      • Increased agility
      • Enhanced security and compliance
      • Reduced total cost.
  • 31. Recommendations: Crawl / Walk / Run (1 of 3)
    • Aberdeen’s research consistently confirms the merits of a pragmatic "Crawl, Walk, Run" approach as the basic template for successful enterprise-wide initiatives
    • Adopt a primary strategic focus. Which of the following strategies supports the most compelling business case for your organization’s investments in IAM: convenience and productivity for end-users? Compliance and security requirements? Consistency of policies for managing identities and access to corporate resources? Cost savings and cost avoidance through greater efficiency and effectiveness? The essential first step is to identify the strategy that is most compelling for your organization to get started, and begin.
    • Put someone in charge. Having a responsible executive or team with primary ownership for important enterprise-wide initiatives is consistently correlated with the achievement of top results. IAM initiatives are consistent with this pattern.
    • Prioritize security control objectives as a function of requirements for risk, audit and compliance. Emphasizing security before compliance, rather than the other way around, reduces the probability of overlaps in controls (which waste resources) or gaps (which increase vulnerabilities).
  • 32. Recommendations: Crawl / Walk / Run (2 of 3)
    • Establish consistent policies for end-user identities and end-user access to enterprise resources. As the expression of management’s intent for the business, consistent policies are the foundation for any successful IAM initiative.
    • Standardize the workflow for the IAM lifecycle, including workflow-based approval for exceptions. Standardization and automation of workflow should not mean automatic approval, however – on the contrary, increased involvement and accountability for approvals puts a greater responsibility on the business owners rather than on the IT staff.
    • Standardize audit, analysis and reporting for IAM projects, including reporting for who approved access and when, periodic validation that end-users have appropriate access, and enforcement for separation of duties. Quarterly attestation reviews, for example, are common to address requirements for regulatory compliance.
  • 33. Recommendations: Crawl / Walk / Run (3 of 3)
    • Evaluate and select IAM solutions. Pay special attention to the level of integration and intelligence provided by the IAM solution provider(s), versus the degree of integration that remains to be completed by the enterprise. Another critical consideration is the proportion of capabilities that can be achieved by configuration (i.e., out-of-the-box) versus customization (i.e., coding and services). Proposals which are disproportionately heavy with professional services from vendors or their third-party business partners do not move a given solution from the enterprise-integrated category to the vendor-integrated category.
  • 34. Recommendations – Additional Considerations
    • New approaches
      • Organizational (vs. departmental)
      • Lifecycle
      • Vendor integrated / interoperable
      • Higher scale at lower total cost
    • New identity-enabled opportunities
      • Social
      • Mobile
      • Cloud
    • [Graphic: SoMoClo™ Evolution. Social + Mobile + Cloud = Business Transformation. © 2011 Aberdeen Group, all rights reserved]
  • 35. Outline
    • Introductions
    • Business context
    • Aberdeen’s research findings
    • Summary and recommendations
    • Additional resources
  • 36. Aberdeen Online Identity Assessment: Benchmark your own organization against those in the report. www.oracle.com/Identity