Security health check access governance kpmg
    Presentation Transcript

    • Security Health Check: Access Governance
    • Content
      Access governance (3)
      Challenges (4)
      Digital identity life cycle and access (5)
      Key questions (6)
      Our approach (7)
      Phases (8)
      Assisting technology (9)
      Example reports (10)
      KPMG's track-record on access governance (11)
      Identity & access of today and beyond (12)
      Contact (13)
      © 2013 KPMG in the Netherlands, registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ('KPMG International'), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and 'cutting through complexity' are registered trademarks of KPMG International.
    • Access governance
      Definition
      Access governance stands for governing who has access to which applications, services and data, in order to maintain security (integrity and confidentiality of data), to ensure compliance with laws and regulations, and to provide business intelligence on access control.
      Importance
      The integrity and confidentiality of corporate data, structured as well as unstructured, is vital to an organisation's success. If the data is stolen and/or its integrity is compromised in any way, the damage to the organisation's reputation and revenue stream could be irreparable.
      Due to increasing pressure to reduce costs, while adhering to regulatory pressure and responding rapidly to changing business needs such as cloud computing and the consumerisation of mobile devices, professionalised access governance is a precondition for meeting business requirements.
      Access governance is a business responsibility and should therefore be approached from a business perspective, facilitated by effective technology and processes.
      [Diagram: Users (business users; system administrators, i.e. privileged accounts; external users) -> Access governance (policies, security requirements, laws and regulations, segregation of duties; access permission control; monitoring and reporting) -> IT resources (directories and repositories; applications and data; cloud services)]
    • Challenges
      Despite the attention on security in general, and on access to valuable data in particular, access governance still poses tremendous challenges for many organisations. Why?
      Complexity: the complexity of identities and access permissions to various IT resources and data types is often high. With the ongoing adoption of cloud services, federations with partner organisations and the proliferation of mobile devices, the complexity is steadily increasing.
      Lack of information: many organisations have insufficient information to efficiently manage their identities and access.
      Technology-focused: while access governance is in principle a business responsibility, many organisations have limited its implementation to a deployment of software only.
      Hence the issues remain, with a growing risk of security breaches and incidents. Typical vulnerabilities are:
      • Obsolete accounts of employees who have left the organisation;
      • Excessive permissions that breach segregation of duties or give system administrators access to confidential data;
      • Access granted to employees without authorisation from management;
      • Unmonitored access that lets unauthorised users, such as hackers, steal valuable data;
      • Insufficient reporting that leaves responsible managers without any insight.
      [Diagram: Users (business users; system administrators, i.e. privileged accounts; external users) -> obsolete accounts, excessive permissions, access without authorisation, unmonitored access, insufficient reporting -> IT resources (directories and repositories; applications and data; cloud services)]
    • Digital identity life cycle and access: issues in practice
      User account creation
        User account: discrepancies with HR data
        Authorisation of access permissions: no formal authorisation from management or data owner; access permissions copied from similar users (who themselves have excessive permissions)
        Provisioning: manual provisioning, susceptible to errors
        Monitoring and reporting: limited monitoring and logging of access; lack of data for reporting
      User account change
        Authorisation of access permissions: additional access permissions granted on top of existing ones
        Provisioning: provisioning of excessive permissions
        Monitoring and reporting: limited monitoring of privileged accounts; inadequate reporting on the desired state versus the actual state of access permissions
      User account removal
        User account: obsolete user accounts
        Authorisation of removal: no formal authorisation from management or data owner
        Deprovisioning: no deprovisioning of obsolete accounts and access permissions
        Monitoring and reporting: limited monitoring of unauthorised use of access permissions
    • Key questions
      Concerning the maturity/health of access governance, the following questions need to be addressed:
      • Which accounts on the applications/systems are obsolete, i.e. which accounts belong to people who are no longer members of the organisation?
      • Which users have excessive access rights, and which accounts are privileged?
      • How are these privileged accounts being monitored?
      • Which permissions have been authorised, and what are the actual access permissions of users to sensitive data?
      • Which key items regarding access are being reported to responsible management?
      • Do the access permission control measures reflect the access governance policies?
      • How is access to unstructured data (shares, cloud repositories) being controlled?
      • How are access permissions being implemented on IT resources?
      [Diagram: three layers, with the questions mapped onto them. Access governance policies: what are the key items being reported? Access permission control: does permission control align with access policies? How are access permissions being implemented? How is user access being monitored? Access permissions on IT resources: what are the actual access permissions? Which accounts are obsolete? Which accounts are privileged? How is unstructured data being controlled?]
    • Our approach
      We will provide you with clear and decisive insight into your organisation's state of access governance.
      Our approach is simple yet efficient and effective. By gathering HR data enriched with access permission/business rules data, the desired state of access will be defined: how the access permissions should be implemented.
      By gathering access permission data from the IT resources in scope (structured data, unstructured data, data in the cloud), the actual state of access will be defined: what the access permissions are in reality.
      We will load these data sets into our specialised software, compare and verify them, which results in an access governance health check report.
      This report, which answers the key questions, comprises the following parts:
      • Outline of the desired state of access permissions;
      • Outline of the actual state of access permissions on IT resources (applications/systems, directories, services);
      • Delta: the deviations/deficiencies;
      • Risks involved;
      • Comparison with industry peers (benchmark);
      • Recommendations.
      [Diagram: Desired state (HR data + access permissions/business rules data) and Actual state (access permission data on IT resources: structured data, unstructured data, data in the cloud) -> data transformation, comparison and verification -> Health Check Report (delta, risks and recommendations)]
    • Phases
      Phase 1: Scope definition
      During this step the scope of applications/systems, directories and (if applicable) services will be defined, as well as the scope of users and processes. The key questions that need to be answered will also be defined.
      Phase 2: Planning
      During this step all stakeholders will be informed and system engineers will be contacted to request technical assistance where needed.
      Phase 3: Collection of data extractions
      During this step KPMG will collect data extractions. Typically these are:
      • Active Directory data (users, security groups, share settings);
      • Databases (user/group and privilege correlations);
      • Data on file servers and cloud-based data repositories;
      • Applications (roles and privilege correlations);
      • Data extractions from HR system(s);
      • If available, data extractions from business rules engines.
      Phase 4: Analysis
      During this step KPMG will analyse the data using specialised software (Quest): data transformation, comparison and verification.
      Phase 5: Reporting and presentation
      Reporting and management presentation.
    • Assisting technology
      We use the Quest One Identity Manager application by Dell Software Group to facilitate our research during phases 3 to 5. The collection as well as the analysis of the data are automated where applicable and possible.
      The value of this automated approach lies in the far greater amount of data that can be analysed, much more efficiently and effectively.
      As a rule, the application itself will not be installed on the customer's premises but is only used as a collection/analysis application on a KPMG computer.
      Steps
      1. Import of available corporate data (HR data, directory data, access permission data): the data (.csv files or other formats) can be imported easily via the wizard.
      2. Definition of business rules: via a special function of the application, business rules on various aggregation levels can be defined.
      3. Data mapping and matching: the gathered data can be mapped and matched.
      4. Correlation of gathered data: the gathered data can be correlated and analysed.
      5. Reporting of findings: the analysed data can be displayed in a user-friendly manner to the analyst or business user.
      [Diagram: Quest One IM application: data import -> rules definition -> mapping & matching -> correlation -> reporting]
    • Example reports
      [Report screenshots: orphaned accounts; risk index; multiple accounts on the same system; compliance violations; data quality]
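      The desired-versus-actual comparison described under "Our approach" and "Phases", and the orphaned-accounts, multiple-accounts and compliance-violation reports named above, as an added example in Python. This is not KPMG's or Quest One Identity Manager's code. The CSV layouts (an HR extract, an Active Directory extract with a semicolon-separated group list), the role model per department, the segregation-of-duties pair and the privileged group names are all constructed assumptions for the example; a real engagement would take these from the HR system, the directory export and the business rules engine.

```python
"""Added example: reconcile the desired state of access (HR data plus business
rules) against the actual state (a directory extract). Not KPMG's or Quest's
code; all file layouts, names and rules below are constructed assumptions."""
import csv
import io
from collections import defaultdict

# Constructed HR extract: who is employed today and in which department.
HR_CSV = """employee_id,name,department,status
1001,Alice,Finance,active
1002,Bob,Finance,active
1003,Carol,IT,active
1004,Dave,Sales,left
"""

# Constructed Active Directory extract: account, owner (employee id), groups.
# svc-backup has no owner; carol-adm is a second account for employee 1003.
AD_CSV = """sam_account,employee_id,enabled,groups
alice,1001,true,FIN-Payables;FIN-Approvers
bob,1002,true,FIN-Payables
carol,1003,true,IT-Helpdesk;Domain Admins
carol-adm,1003,true,Domain Admins
dave,1004,true,SALES-CRM
svc-backup,,true,Backup Operators
"""

# Constructed business rules: the groups each department should hold (desired
# state), group pairs that violate segregation of duties, and privileged groups.
ROLE_MODEL = {
    "Finance": {"FIN-Payables"},
    "IT": {"IT-Helpdesk"},
    "Sales": {"SALES-CRM"},
}
SOD_RULES = [("FIN-Payables", "FIN-Approvers")]
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}


def load(csv_text):
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def health_check(hr_csv=HR_CSV, ad_csv=AD_CSV, role_model=ROLE_MODEL,
                 sod_rules=SOD_RULES, privileged=PRIVILEGED_GROUPS):
    """Return the delta between desired and actual state as a dict of findings."""
    hr = {r["employee_id"]: r for r in load(hr_csv)}
    findings = {
        "orphaned": [],          # no owner in HR, or owner no longer employed
        "excessive": {},         # account -> groups beyond its role model
        "sod_violations": [],    # (account, group1, group2)
        "privileged": [],        # accounts holding a privileged group
        "multiple_accounts": {}, # employee_id -> accounts on the same system
    }
    per_owner = defaultdict(list)
    for acct in load(ad_csv):
        name = acct["sam_account"]
        groups = set(filter(None, acct["groups"].split(";")))
        owner = hr.get(acct["employee_id"])
        active = owner is not None and owner["status"] == "active"
        if not active:
            findings["orphaned"].append(name)
        else:
            per_owner[acct["employee_id"]].append(name)
            # Desired state comes from HR + rules, never from current membership.
            extra = groups - role_model.get(owner["department"], set())
            if extra:
                findings["excessive"][name] = sorted(extra)
        for g1, g2 in sod_rules:
            if g1 in groups and g2 in groups:
                findings["sod_violations"].append((name, g1, g2))
        if groups & privileged:
            findings["privileged"].append(name)
    for emp, names in per_owner.items():
        if len(names) > 1:
            findings["multiple_accounts"][emp] = sorted(names)
    return findings


if __name__ == "__main__":
    for section, rows in health_check().items():
        print(f"{section}: {rows}")
```

      The point of deriving the desired state from HR plus rules, rather than from what similar users currently hold, is that the latter silently legitimises the "access permissions copied from similar users" failure on the life cycle slide. Running the block as written flags dave and svc-backup as orphaned, alice's FIN-Approvers membership both as excessive and as a segregation-of-duties violation, carol's two accounts as multiple accounts on the same system, and the three Domain Admins/Backup Operators holders as privileged accounts to be reviewed.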
    • KPMG's track-record on access governance
      Public and healthcare | Industry & food | Finance
      Dutch university | Global oil company | Dutch pension fund | Nationalised Dutch bank
      Dutch organisation in the financial-legal sector | Large public railway organisation | Global energy company | International banking co-operation
      Dutch college of advanced education | Dutch container carrier | Independent Dutch bank | Dutch insurance company
      Dutch secondary education organisation | International electricity company | Dutch payment services organisation | International insurance company
      Hospital in Rotterdam | Dutch/Italian food manufacturer | Dutch bank focused on sustainability | KPMG
    • Identity & access of today and beyond
    • Contact
      ing. John Hermans RE | Partner
      Telephone: +31 (0)6 5136 6389
      E-mail: hermans.john@kpmg.nl
      drs. Mike Chung RE | Senior manager
      Telephone: +31 (0)6 1455 9916
      E-mail: chung.mike@kpmg.nl