Meeting the Provisioning Needs of Both IT and Business Users at Vanguard

Security Management
SA202SN
Abstract

> Vanguard, one of the world's largest investment management companies, needs to provision timely access to all of their employees. However, like many organizations, their IT and business users have distinct provisioning needs. This access must be granted quickly to enable the business, but audited and removed as soon as possible to protect customers' confidential data. Senior Manager at Vanguard, Phil Taddeo, will share their experiences for implementing CA Identity Manager. Robyn Fisher, officer of Business Access Management, will share an executive perspective on identity management, including the success metrics that help gain corporate support.

November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

Biography

> Philip Taddeo, Sr. Manager, Business Access Management, Security and Contingency Services, Planning and Development Division.
  ! 16-year Vanguard veteran holding various leadership positions in multiple business lines.
  ! Responsible for supporting the provisioning needs of Vanguard internal users and the systems which provision them.
  ! Supported Vanguard's various role based access control solutions for the past 8 years.
  ! Involved in deploying and supporting CA Identity Manager at Vanguard from 2004 to current.
> Robyn Fisher, Principal, Business Access Management, Security and Contingency Services, Planning and Development Division.
  ! 20+ year background in IT operations management.
  ! Responsible for all business access to data at Vanguard.

Agenda

> Company Overview
> Differentiation of Business vs. IT Users
> Provisioning Challenges
> Managing your IT Users
> Value of Metrics in this process
> Questions

Vanguard Company Overview

> Founded in 1975 and headquartered in Valley Forge, PA.
> Vanguard's mission is to help clients reach their financial goals by being the world's highest-value provider of investment products and services.
> World's largest pure no-load mutual fund company and the second largest fund firm in the U.S.
> Offer a wide array of financial products to individuals, institutions and financial advisors.
> As of 12/31/2007 we managed approximately 1.3 trillion dollars in U.S. Mutual Funds.
> Approximately 12,000 U.S. based crewmembers.

Technical Deployment Overview

> Utilize CA Identity Manager to provision access
> All crew have access to the CA Identity Manager self-service front end
> We role and rule base all platform entitlements for our crew. We manage fine grain entitlements for:
  – ACF2
  – AD
  – CA Access
  – DB2
  – Sybase Control
  – Unix / Linux
  – Oracle
  – Siebel
  – Kerberos
  – MS SQL
  – Lotus Notes
  – AS400
  – UPO
> CA Identity Manager manages over 350,000 accounts

Technical Deployment Overview

> Platforms (endpoints) managed in strong synchronization: Active Directory, DB2, Kerberos, MS-SQL, OS400, Oracle, Sybase, UNIX/LINUX, ACF2
> System of Record
  ! PeopleSoft HR
  ! Nightly feed of any changes to demographics
  ! Configurable fields that warrant access changes
    – Department
    – Job Code

Business User Characteristics

> What are common characteristics of business users?
  ! Limited number of accounts, usually 4-7 accounts
  ! Static level of access based on business need
  ! Generally access data and resources through applications
  ! Do not have direct access to enterprise data stores
  ! For compliance reasons, the systems they use usually have segregation of duties and controls coded within the application

Example Business User

Common Business User (Customer Service)
> Fully automated rule-driven role-based access based on HR feed
> 4 accounts created:
  ! LAN Account: domain user access, company intranet access, shared drive access
  ! E-Mail
  ! CRM System: customer service role, access company profile, look at company contacts
  ! Recordkeeping / Trading System Account: customer service role, lookup account, process trade, modify account options

Example IT User

Common IT Support User
> Some access automated
> Ad-hoc requested access
> Also has standard LAN and e-mail access
> Little application level access
> Has significant number of accounts across many platforms
(Diagram: the IT support user requires server access to Server-1 through Server-4 across Data Center 1 and Data Center 2, hardware access, and database access to Database 1 through Database 4.)

IT User Characteristics

> What are common characteristics of IT users?
  ! Large number of accounts ranging from 100 to over 1000
  ! Dynamic need to access highly sensitive data and functions
  ! Need access to production and development resources
  ! Have little application level access
  ! Require direct access to enterprise data stores
  ! Require access quickly to support critical system outages

Pre-Implementation Environment

> What security looked like prior to our CA Identity Manager implementation
  1. Managers rarely knew what roles to request for new employees.
  2. Turnover could result in loss of knowledge of security requirements.
  3. Security was sometimes requested after an employee started within a department.
  4. Since inappropriate roles might have been assigned, maintenance was frequent and roles were redundant.
  5. Security related help desk calls for user access were many.

Audit and Control Considerations

> Common control themes for logical access to systems and data
  1. Requests for new or modified access must be documented and authorized by management prior to production activation.
  2. Logical access is removed in a timely fashion, upon HR notification and/or system availability events.
  3. Appropriateness of users with access to sensitive data.
  4. Appropriateness of users with access to perform system administrative functions.

Business Operations Considerations

> Common themes of IT user security provisioning
  1. Administration of access must be timely, especially during system troubleshooting events.
  2. Access to production resources, data and systems, must be restricted and tightly controlled.
  3. "Don't grant anything unless I authorize it".
  4. Sometimes people outside of production support may require production access, but not full time.
  5. I know we are technical but... I really don't understand security.

Project Goals

> Provide the IT users with a self-provisioning system using intuitive naming conventions.
> Establish easy to understand access guidelines.
> Certify user access to the platform level.
> Create reusable roles for all types of user access to reduce security maintenance activities.
> Apply rules in order to provision access automatically whenever possible.
> Reduce overall access of IT personnel to production data and systems without impacting operations.

Project Timeline

> Phase I (2006)
  ! Install CA Identity Manager to enhance current capabilities
  ! Rollout users into new roles (implementation of role design)
> Phase II (2007-2008)
  ! Communications to Business
  ! Role Design in cooperation with business
> Phase III (2009-X)
  ! Extend CA Identity Manager to additional systems and connectors administered manually

The Solution

People, Process, Technology

In order to achieve the desired reduction in Audit findings/observations and increase efficiency and client satisfaction, three key areas needed to be addressed. Focus on one area, without the other two, will not result in the desired outcomes.

People - Communications

Training (diagram: four tiers of management communication, from Awareness at the base to Behavior at the top)
> Awareness ("I hear the message"; one-way communication): All levels of management must be aware of their open Audit observations. In addition, they need to know the applications and level of access used by their crew.
> Understanding ("I understand the message"): All levels of management must understand the on-boarding, transfer and off-boarding processes and the security implications of each process.
> Commitment ("I am committed to participating"; two-way communication): All levels of management must be committed to "Secure the Organization".
> Behavior ("I know what to do and will change my behavior"): All levels of management will actively participate in security awareness and perform the necessary steps to "Secure the Organization".

People – Engagement of Key Personnel

> Engaged employees from all levels of the IT organization to develop role content and access guidelines.
  ! Production Access Steering Committee – officers and senior managers from IT and Internal Audit.
  ! Production Access Core Team – managers, auditors and support level personnel.
  ! Departmental Change Agents – management and non-management subject matter experts.
> Work from the above teams reported to the IT Risk Council.
> Overall program progress reported to senior executive levels throughout the organization.

Process - Establish Simple Guidelines

Goal: IT crewmembers have the proper access to perform their job functions while reasonably limiting access to the production environment.
> Guideline A: Require prod access averaging at least 3 out of 5 days every week to perform their primary duties.
> Guideline B: Read access unless associated to an Administrative Privilege such as Root access on Unix.
> Guideline C: Application level access for IT Personnel must adhere to Guideline A.
Note: Exceptions will require both sub-division senior management & IT Security Office approval.

Blending Process with Technology

• All roles below use the same children role and policies underneath the parent role.
• Each parent role has a different scoping and approval chain.

> Permanent Full Time Access
  ! Reason to have access: You meet the IT production access guidelines
  ! How quick is access granted: NA – users who have this access carry it full time
  ! Duration of use: 24x7
  ! Who authorizes: IT Divisional Designee
  ! Who administers access: Self service
> On-Demand CRISIS Access
  ! Reason to have access: You do not have full time access and need to support a system issue
  ! How quick is access granted: <15 minutes
  ! Duration of use: 24 hours
  ! Who authorizes: IT Divisional Designee
  ! Who administers access: Production Support Managers
> On-Demand Temporary Production Access
  ! Reason to have access: You need to perform a non-critical function that the production support group cannot do for you (i.e. research)
  ! How quick is access granted: Within 24 hours of submission
  ! Duration of use: 24 hours
  ! Who authorizes: Requestor's manager and IT Divisional Designee
  ! Who administers access: Self service
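As an added example (not Vanguard's or CA Identity Manager's own code), the three access types in the table above and the Guideline A test from the previous slide can be encoded as a small policy check: each grant must carry the approvals its type requires, on-demand grants expire after 24 hours, and permanent holders who no longer average 3 of 5 days of use are flagged for recertification. Approver labels, role names, user names and timestamps are constructed.

```python
"""Time-boxed production access grants modelled on the three access types
(permanent, on-demand crisis, on-demand temporary) plus the Guideline A test.
Added example; approver labels, roles, users and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy table read off the slide: required approver types and grant lifetime.
ACCESS_TYPES = {
    "permanent": {"approvers": {"it_divisional_designee"}, "ttl": None},
    "crisis": {"approvers": {"production_support_manager"},
               "ttl": timedelta(hours=24)},
    "temporary": {"approvers": {"requestor_manager", "it_divisional_designee"},
                  "ttl": timedelta(hours=24)},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    access_type: str
    granted_at: datetime
    approved_by: frozenset  # approver types that actually signed off

    def expires_at(self):
        ttl = ACCESS_TYPES[self.access_type]["ttl"]
        return None if ttl is None else self.granted_at + ttl

def validate_grant(grant):
    """True only if every approver the access type requires has signed off;
    temporary access needs both the requestor's manager and the designee."""
    required = ACCESS_TYPES[grant.access_type]["approvers"]
    return required <= grant.approved_by

def due_for_removal(grants, now):
    """Grants whose 24-hour window has closed as of `now`. Permanent grants
    never appear here; they are reviewed through Guideline A instead."""
    return [g for g in grants
            if g.expires_at() is not None and g.expires_at() <= now]

def meets_guideline_a(weekly_prod_days):
    """Guideline A: full-time access is justified only when production access
    is used on average at least 3 of 5 days per week (per-week day counts)."""
    if not weekly_prod_days:
        return False
    return sum(weekly_prod_days) / len(weekly_prod_days) >= 3

def recertify_permanent(grants, usage_by_user):
    """Holders of permanent access who fail Guideline A: candidates to move
    to on-demand access at the next recertification."""
    return sorted(g.user for g in grants if g.access_type == "permanent"
                  and not meets_guideline_a(usage_by_user.get(g.user, [])))

def demo():
    """Constructed scenario: one grant of each type, evaluated 25 hours later."""
    t0 = datetime(2008, 11, 17, 9, 0)
    grants = [
        Grant("alice", "prod_db_read", "permanent", t0,
              frozenset({"it_divisional_designee"})),
        Grant("bob", "prod_unix_crisis", "crisis", t0,
              frozenset({"production_support_manager"})),
        Grant("carol", "prod_research", "temporary", t0,
              frozenset({"requestor_manager"})),  # missing second approver
    ]
    valid = [validate_grant(g) for g in grants]
    removed = [g.user for g in due_for_removal(grants, t0 + timedelta(hours=25))]
    recert = recertify_permanent(grants, {"alice": [2, 3, 1, 2]})
    return valid, removed, recert  # ([True, True, False], ['bob', 'carol'], ['alice'])

if __name__ == "__main__":
    print(demo())
```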
Blending Process with Technology: On-Demand Crisis Access

(Screenshot of the crisis access task; no text recoverable.)

Blending Process with Technology: On-Demand Temporary Access

(Screenshot of the temporary access task; no text recoverable.)

Process: New Role Methodologies

• Role content was defined by the IT business areas
• Role diagrams were turned over to the IT business areas
• Management knows what will automatically happen and what they need to request

(Sr. Developer Role Diagram: the parent role Retail IT Senior Developer (developer) is assigned by rule when Dept = 1124 and job code = 1741, and carries child roles for Vanguard.com DB2, ACF2 and Unix development regions, Retail IT share drives, Performance Group performance access, Mid-Tier crisis access for Retail Unix, a VTS hard token, and Vanguard.com production Mid-Tier support.)
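The rule in the diagram (Dept = 1124 and job code = 1741 assigns the parent role, child roles and platform entitlements hang underneath) and the nightly HR feed from the System of Record slide can be exercised together, as an added example that is not Vanguard's or CA Identity Manager's code: the feed row selects a parent role, the parent expands to reusable child roles and fine-grained entitlements, and a diff against current state yields both the adds for a new hire and the removals for a transfer. All rule values other than 1124/1741, and every role and entitlement name, are constructed.

```python
"""Rule-driven role assignment from an HR feed, modelled on the Sr. Developer
role diagram (parent role by department and job code, child roles beneath it).
Added example; the 1124/1741 rule is from the slide, everything else is constructed."""

# Parent-role rules keyed on the configurable HR fields (department, job code).
# Rules are checked in order; the first match wins. A rule may omit job_code
# when a whole department maps to one role.
PARENT_ROLE_RULES = [
    ({"dept": "1124", "job_code": "1741"}, "retail_it_senior_developer"),
    ({"dept": "1124", "job_code": "1742"}, "retail_it_developer"),
    ({"dept": "1300"}, "customer_service_rep"),
]

# Child roles under each parent; the same child role is reused by several parents.
CHILD_ROLES = {
    "retail_it_senior_developer": ["vanguard_com_dev_regions", "retail_it_share_drives",
                                   "performance_group_access", "vts_hard_token"],
    "retail_it_developer": ["vanguard_com_dev_regions", "retail_it_share_drives"],
    "customer_service_rep": ["lan_account", "email", "crm_cs_role", "recordkeeping_cs_role"],
}

# Fine-grained (platform, entitlement) pairs behind each child role (constructed).
ENTITLEMENTS = {
    "vanguard_com_dev_regions": {("DB2", "VGDEV1_READ"), ("ACF2", "VGDEV2"), ("Unix", "vgdev")},
    "retail_it_share_drives": {("AD", "GRP-RetailIT-Shares")},
    "performance_group_access": {("AD", "GRP-Perf-Access")},
    "vts_hard_token": {("Kerberos", "hard-token")},
    "lan_account": {("AD", "Domain Users"), ("AD", "GRP-Intranet")},
    "email": {("Lotus Notes", "mailbox")},
    "crm_cs_role": {("Siebel", "CS_ROLE")},
    "recordkeeping_cs_role": {("AS400", "CS_TRADE")},
}

def match_rule(hr_row):
    """Return the parent role whose rule fields all equal the HR row's values,
    or None when no rule matches (the user then gets access only on request)."""
    for fields, role in PARENT_ROLE_RULES:
        if all(hr_row.get(k) == v for k, v in fields.items()):
            return role
    return None

def target_entitlements(hr_row):
    """Expand HR row -> parent role -> child roles -> platform entitlements."""
    parent = match_rule(hr_row)
    if parent is None:
        return set()
    ents = set()
    for child in CHILD_ROLES[parent]:
        ents |= ENTITLEMENTS[child]
    return ents

def nightly_diff(current, hr_feed):
    """Compare what each user holds now with what tonight's feed says they
    should hold. Returns {user: (to_add, to_remove)}. A department or job-code
    change therefore grants the new role and removes the old entitlements in
    the same run, which is the timely-removal control the audit slide asks for."""
    changes = {}
    for user, row in hr_feed.items():
        want = target_entitlements(row)
        have = current.get(user, set())
        if want != have:
            changes[user] = (want - have, have - want)
    return changes

if __name__ == "__main__":
    # Constructed feed: alice is a new hire; bob transferred from dept 1124 to 1300.
    current = {"bob": target_entitlements({"dept": "1124", "job_code": "1741"})}
    feed = {"alice": {"dept": "1124", "job_code": "1741"},
            "bob": {"dept": "1300", "job_code": "2001"}}
    for user, (add, remove) in sorted(nightly_diff(current, feed).items()):
        print(user, "add", sorted(add), "remove", sorted(remove))
```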
Technology: Identity Manager End Product

> This task is available to all IT crew to request full time and temporary access through a standard self-service workflow.
> Role descriptions are easily understandable.

Technology: Identity Manager End Product

> This task is available only to production support managers within a particular sub-division.
> This task is scoped so that the production support managers can only administer their sub-division's crisis access roles.

Technology: End Product – UPO Initiated Workflow Form

> Crisis and temporary roles will both initiate UPO initiated workflow forms.

End Results

> IT crew have a majority of their access Day 1 when starting their job without their managers needing to request it.
> IT managers understand the access their crew have.
> All access is approved by managers and the respective data stewards prior to assignment.
> IT can evidence authorizations to various auditors.
> Access is removed from users in a timely fashion.
> Full time access to production data and systems can be dramatically reduced, yet be available in a timely fashion for production support events and development projects.

Considerations

> If CA Identity Manager is unavailable for IT Divisional Administrators and Availability Managers, you need to have a solid plan B.
> High availability design of your CA Identity Manager infrastructure is a must.
> CA Identity Manager must sustain its performance as you increase the number of crew, roles, and end points. Build your solution with scalability in mind.

Helpful Hints for Planning

> Set realistic expectations of deliverables for senior management.
> Communicate, train, and communicate again.
> Aggressive timeframes often are good on paper but unrealistic – plan, then add 33% to your timelines.
> Define users' access to least privilege. Less is easier to maintain and better for audit controls.
> Managing all platforms is very difficult and time consuming – decide carefully before automating.
> Heavy customization is time consuming, costly and difficult to maintain – offset it by process change.

Value of Metrics

Robyn Fisher

Dashboards Drive Change

> Dashboards/metrics are a standard communication tool used by Vanguard management in accordance with our 6 Sigma philosophy.
> Metrics focus on tracking IT's access to production data.
> Compliance support requires reports to facilitate recertification processes that validate only authorized crew have production access.
> Our metrics lend themselves to a friendly atmosphere of competitiveness across peer organizations.

Divisional Level Reports

(Chart: IT Division Production Access, % of IT users with production access by month, Jul-2008 through Jun-2009. Jul-2008: 37%; Aug-2008: 39%; the remaining months, Sep-2008 through Jun-2009, show 0%.)

Departmental Examples

(Chart: % Full Time Production Access By Department, August 2008, against the IT average of 39%.)
> Dept A: 48%
> Dept B: 96%
> Dept C: 100%
> Dept D: 81%
> Dept E: 1%
> Dept F: 79%
> Dept G: 96%
> Dept H: 100%
> Dept I: 29%
> Dept J: 37%
> Dept K: 90%
> Dept L: 83%
> Dept M: 20%

Departmental Detail Examples

(Report screenshot; no text recoverable.)

Q&A

Related Sessions

> SA103SN – CA Identity Manager Product Update and Roadmap Discussion – 11/18/2008 at 2:45 p.m.
> SA711SN – How to Deploy Identity Management on a Fixed Budget – 11/19/2008 at 8:30 a.m.
> SG112SN – Balancing Timely Provisioning with Security Requirements in a Changing Environment – 11/19/2008 at 2:45 p.m.

Please Complete a Session Evaluation Form

> The number for this session is SA202SN
> After completing your session evaluation form, place it in the basket at the back of the room
  ! Please left-justify the session number