Crossideas Segregation of Duty Approach
Transcript of "Crossideas Segregation of Duty Approach"

  1. CrossIdeas: IDEAS for Identity & Access Governance. Our Unique SOD (Segregation of Duties) approach. crossideas.com
  2. Company overview
     • CrossIdeas is a leading innovator in Identity & Access Governance solutions, enabling organizations to achieve their compliance, audit and risk management goals.
     • CrossIdeas is the result of the MBO (management buy-out) of Engiweb Security, originally founded in 2001, from the Engineering Group, one of the largest system integrators in Europe.
     • CrossIdeas is the only vendor in the market to offer Access Governance and Entitlement Management on a single platform.
     • 90 customers in energy, banking, manufacturing, public administration and law enforcement.
     • Key clients are ENEL (energy), Piaggio (manufacturing), the Italian Tax Enforcement Police (government), the Italian Health Care Ministry, Regione Veneto and the Ministry of Internal Affairs.
  3. IDEAS Capabilities
     • IDEAS addresses all areas of Identity & Access Governance.
     • IDEAS is “IAM agnostic”, integrating with your existing Identity Management layer.
     • IDEAS offers Entitlement Management capability as part of the IAG platform (unique in the market).
     [Capability map shown on the slide: Audit and Compliance Reporting; Access Certification; Risk Intelligence; Authorization Workflow; Role Life Cycle; Segregation of Duties; Role Mining; Entitlement Management; Compliance Control for SAP; Compliant User Provisioning; Entitlement Server; Application Connectivity (SOA Integration, SPML Processing, Connectors).]
  4. IDEAS Segregation of Duties: Key Strengths
     • Both detection and prevention of SoD conflicts
     • Centralized SoD policies enforced across the whole enterprise
     • Real-time SoD checks for all new authorizations
     • Automatic assignment of compensating controls
     • Business-oriented SoD model simplifies administration
     • Platform-independent model supports heterogeneous environments
     • Native support for SAP roles and authorization objects
     • Data-domain concept reduces false-positive SoD conflicts
     • “Dry-run” feature tests changes to SoD policies before deploying to production
  5. IDEAS covers SOD as part of the full Access Lifecycle
     [Architecture diagram shown on the slide. Labels: Access Governance; Identity Intelligence; Segregation of Duties; SAP; Identity Risk; Compliance Reporting & Dashboards; Access Certification; Roles; Entitlements; IDEAS Core; Access Policies; Identity Events; Role Life-Cycle; Audit; Access Request Workflow; Role Mining; Compliant User Provisioning; Entitlement Server; Entitlement Management.]
  6. IDEAS SOD: demo agenda
     Business-oriented SoD model; SoD Detection; Compensating Controls; Real-time SoD Prevention; SoD Domains reduce false positives; SoD “Dry-Run” tests changes to SoD rules; Summary
  7. Business-Oriented SoD Model
     The business-oriented SoD model is easily managed by business specialists.
     • Business processes are broken down into “activities”.
     • SoD rules define conflicts among these activities.
     Example (from the diagram): Purchase Order Creation conflicts with Purchase Order Approval and two other activities, Receive Supplier Shipment and Verify Supplier Shipment.
  8. Business-Oriented SoD Model
     Business and IT aspects of the SoD rules can be managed independently:
     • Business specialists define processes and conflicting activities.
     • IT specialists map activities to technical permissions.
     ✓ This reduces management overhead and improves scalability.
     [Diagram: Process → Activity 1, Activity 2, Activity 3 (business specialists); Activity → Permission → Application (IT specialists).]
  9. SoD Demo – Activities and Conflicts
     Navigate the activity hierarchy and select an activity to inspect it. Business specialists manage this part.
     [Screenshot callouts: “Associate conflicting activities”; “Conflicting activities”.]
  10. SoD Demo – Activities and Permissions
     IT specialists manage this part.
     [Screenshot callouts: “Associate profiles”; “Associated permissions”.]
  11. Segregation of Duties – Demo Agenda: ✓ Business-oriented SoD model; SoD Detection; Compensating Controls; Real-time SoD Prevention; SoD Domains reduce false positives; SoD “Dry-Run” tests changes to SoD rules; Summary
  12. SoD Demo – SoD Detection
     A full scan of users and roles detects existing SoD risks.
     [Screenshot callout: five different SoD analyses, typically run nightly or on demand.]
  13. SoD Demo – SoD Detection
     Full details of detected SoD conflicts facilitate analysis and remediation.
     [Screenshot callouts: “Users with SoD conflicts listed here”; “SoD conflict details for a specific user”.]
  14. Segregation of Duties – Demo Agenda: ✓ Business-oriented SoD model; ✓ SoD Detection; Compensating Controls; Real-time SoD Prevention; SoD Domains reduce false positives; SoD “Dry-Run” tests changes to SoD rules; Summary
  15. SoD Demo – Compensating Controls
     A pair of conflicting activities can have one or more associated “compensating controls”.
     • A compensating control allows the conflicting activities to be safely assigned to a user.
     • IDEAS SoD automatically requires that at least one of the compensating controls be assigned.
  16. SoD Demo – Defining a Compensating Control
     Pre-define compensating controls, such as periodic reviews, or automated or manual checks.
  17. SoD Demo – Associating a Compensating Control
     Associate one or more suitable compensating controls with each pair of conflicting activities.
     [Screenshot callouts: “Select activity”; “Select conflicting activity”; “List of suitable compensating controls”; “Add more suitable compensating controls here”.]
  18. Segregation of Duties – Demo Agenda: ✓ Business-oriented SoD model; ✓ SoD Detection; ✓ Compensating Controls; Real-time SoD Prevention; SoD Domains reduce false positives; SoD “Dry-Run” tests changes to SoD rules; Summary
  19. SoD Demo – Real-time SoD Prevention
     IDEAS automatically identifies SoD conflicts in real time when they arise in the access request workflow:
     • Displays the conflict details
     • Automatically proposes appropriate compensating controls according to the conflict or risk level
     • The workflow for escalation and compensation is very flexible and configurable.
  20. SoD Demo – Workflow Example
     We will demo real-time SoD prevention using this workflow example (four steps, each with its actor):
     1) Informal request (User or Manager): the user or manager enters the request in free text; no technical knowledge is required.
     2) Request formalization (Application Manager): the application manager translates the request into specific roles; SoD detection happens here.
     3) Risk analysis (Risk Officer): if there is a conflict, the risk officer reviews the authorization and assigns a risk-mitigating control.
     4) Approval (Business Process Owner): the business process owner approves or denies the request.
  21. SoD Demo – Informal Access Request
     The user or manager makes an access request in simple text; no technical application knowledge is required.
     [Screenshot callouts: “UI skinnable with company branding”; “Role-based menu”; “Enter ‘informal’ access request here in free text”; “Self-service functions”.]
  22. SoD Demo – Informal Access Request
     The SoD conflict is detected as soon as the access request is formalized.
     [Screenshot callout: “Conflict details here”.]
  23. SoD Demo – Risk Analysis
     The SoD conflict is escalated to the Risk Officer for analysis and compensation.
     [Screenshot callouts: “Select compensating control”; “Approve SoD conflict with compensating control”.]
  24. Segregation of Duties – Demo Agenda: ✓ Business-oriented SoD model; ✓ SoD Detection; ✓ Compensating Controls; ✓ Real-time SoD Prevention; SoD Domains reduce false positives; SoD “Dry-Run” tests changes to SoD rules; Summary
  25. SoD Demo – SoD Domains
     SoD Domains separate independent business units:
     • SoD conflicts do not cross domains.
     • SoD Domains reduce false-positive SoD conflicts.
     Without the SoD Domain concept, the example on the slide would generate a false-positive SoD conflict between “Create purchase order” and “Approve purchase order”: the user creates orders in the Order office (Corporate Services domain) and approves generator materials orders in the Operations domain. Because the two activities fall in different domains, there is no conflict.
     SoD conflicts require follow-up analysis by a person, so too many false-positive results are time-consuming and wasteful. If false positives are too common, the system cannot be considered reliable.
  26. SoD Demo – SoD Domains
     Domains are easy to define because they typically correspond to groups of applications. A domain is defined as the set of applications that manage the data in the domain.
     [Screenshot callout: “These are the defined domains.”]
  27. SoD Demo – SoD Domains
     SoD conflicts are always within a single domain.
     [Screenshot callout: “This is the domain.”]
  28. Segregation of Duties – Demo Agenda: ✓ Business-oriented SoD model; ✓ SoD Detection; ✓ Compensating Controls; ✓ Real-time SoD Prevention; ✓ SoD Domains reduce false positives; SoD “Dry-Run” tests changes to SoD rules; Summary
  29. SoD Demo – “Dry-Run” Tests Changes to SoD Rules
     SoD “dry-run” tests changes to SoD policies before deploying them to production:
     • Multiple SoD environments can be created or copied to test alternative sets of SoD rules.
     • After dry-run testing, changes can be promoted to production.
  30. SoD Demo – “Dry-Run” with SoD Environments
     Create as many SoD environments as required to test alternate SoD rule sets. At any time, an environment can be switched into or out of production, so deployment and fallback are predictable.
     [Screenshot callouts: “Create new environment”; “Copy environment”; “Specify which parts of the environment to copy”; “Promote environment to production”.]
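The SoD model walked through in slides 7 to 30 (activities, conflicting activity pairs, activity-to-permission mapping, batch detection, compensating controls, the real-time check on a requested role, SoD domains as sets of applications, and a dry run of a changed rule set) reduces to a small engine. The Python below is an added example written for this page; it is not IDEAS code, and every application, role, activity, domain, control and user in it is constructed for illustration. It goes slightly beyond the slides in that one detector serves batch detection, the pre-provisioning check and the dry run.

```python
"""Toy SoD engine following the slides: activities, conflicting activity pairs,
activity -> permission mapping, SoD domains as sets of applications, compensating
controls, a pre-provisioning check and a dry run of candidate rules.  Every name
and value below is constructed for this example; none of it comes from IDEAS."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]   # (application, permission), as mapped by IT specialists
Rule = FrozenSet[str]          # unordered pair of conflicting activities

# SoD domain = the set of applications that manage that business unit's data.
DOMAINS: Dict[str, Set[str]] = {"Corporate Services": {"ERP-CORP"}, "Operations": {"ERP-OPS"}}

# Business activities (defined by business specialists) mapped to permissions (by IT).
ACTIVITIES: Dict[str, Set[Permission]] = {
    "Purchase Order Creation":   {("ERP-CORP", "PO_CREATE"),  ("ERP-OPS", "PO_CREATE")},
    "Purchase Order Approval":   {("ERP-CORP", "PO_APPROVE"), ("ERP-OPS", "PO_APPROVE")},
    "Receive Supplier Shipment": {("ERP-CORP", "GR_POST"),    ("ERP-OPS", "GR_POST")},
    "Verify Supplier Shipment":  {("ERP-CORP", "GR_VERIFY"),  ("ERP-OPS", "GR_VERIFY")},
}

PO_CREATE_VS_APPROVE: Rule = frozenset({"Purchase Order Creation", "Purchase Order Approval"})
SOD_RULES: Set[Rule] = {
    PO_CREATE_VS_APPROVE,
    frozenset({"Purchase Order Creation", "Receive Supplier Shipment"}),
    frozenset({"Purchase Order Creation", "Verify Supplier Shipment"}),
}

# Compensating controls pre-defined per conflicting pair; only these may be assigned.
COMPENSATING_CONTROLS: Dict[Rule, Set[str]] = {
    PO_CREATE_VS_APPROVE: {"Monthly PO review by finance controller", "Automated 4-eyes check on PO value"},
}

# Technical roles, i.e. what the application manager turns an informal request into.
ROLES: Dict[str, Set[Permission]] = {
    "corp-buyer":     {("ERP-CORP", "PO_CREATE")},
    "corp-approver":  {("ERP-CORP", "PO_APPROVE")},
    "corp-receiving": {("ERP-CORP", "GR_POST")},
    "ops-approver":   {("ERP-OPS", "PO_APPROVE")},
}

@dataclass
class User:
    uid: str
    roles: Set[str]
    mitigations: Dict[Rule, str] = field(default_factory=dict)  # control approved per conflict

@dataclass(frozen=True)
class Conflict:
    user: str
    domain: str
    pair: Rule
    mitigated_by: Optional[str]

def activities_held(roles: Set[str], domain: str) -> Set[str]:
    """Activities granted inside one domain: only permissions of the domain's own
    applications count, which is what stops a conflict from crossing domains."""
    perms = {p for r in roles for p in ROLES[r]}
    apps = DOMAINS[domain]
    return {a for a, needed in ACTIVITIES.items() if any(p[0] in apps and p in perms for p in needed)}

def detect(user: User, roles: Optional[Set[str]] = None, rules: Set[Rule] = SOD_RULES) -> List[Conflict]:
    """Batch detection: evaluate every rule once per domain for the given role set."""
    roles = user.roles if roles is None else roles
    found = []
    for domain in DOMAINS:
        held = activities_held(roles, domain)
        for pair in rules:
            if pair <= held:
                found.append(Conflict(user.uid, domain, pair, user.mitigations.get(pair)))
    return found

def unmitigated(conflicts: List[Conflict]) -> List[Conflict]:
    return [c for c in conflicts if c.mitigated_by is None]

def check_request(user: User, new_role: str) -> List[Conflict]:
    """Real-time prevention: conflicts the requested role would newly introduce,
    computed before provisioning so the request can be escalated to the risk officer."""
    new = set(detect(user, user.roles | {new_role})) - set(detect(user))
    return sorted(new, key=lambda c: (c.domain, sorted(c.pair)))

def approve_with_control(user: User, pair: Rule, control: str) -> bool:
    """Risk-officer step: a conflict is accepted only with a control pre-defined for that pair."""
    if control not in COMPENSATING_CONTROLS.get(pair, set()):
        return False
    user.mitigations[pair] = control
    return True

def dry_run(users: List[User], candidate: Set[Rule]) -> Dict[str, int]:
    """Unmitigated conflicts per user under a candidate rule set, leaving SOD_RULES untouched."""
    return {u.uid: len(unmitigated(detect(u, rules=candidate))) for u in users}

# Constructed sample population.
alice = User("alice", {"corp-buyer", "ops-approver"})   # creates in Corporate, approves in Operations
bob = User("bob", {"corp-buyer", "corp-approver"})      # creates and approves in the same domain

if __name__ == "__main__":
    print("alice:", detect(alice))                        # cross-domain pair, so no conflict
    print("bob:", unmitigated(detect(bob)))               # one conflict in Corporate Services
    print("alice + corp-receiving:", check_request(alice, "corp-receiving"))
    print("approved:", approve_with_control(bob, PO_CREATE_VS_APPROVE, "Monthly PO review by finance controller"))
    print("bob after approval:", unmitigated(detect(bob)))
```

The point to notice when running it: alice holds both activities of a conflicting pair, which a flat rule evaluation would flag, but the detector is scoped per domain and her creation and approval rights sit in different domains, so nothing fires. bob holds the same pair inside one domain and stays flagged until the risk officer approves it with a control from the list pre-defined for that pair; a control not on the list is refused. Because `detect` takes the rule set as a parameter, a candidate rule set can be dry-run over the whole population without touching the production rules.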
  31. Segregation of Duties – Demo Agenda: ✓ Business-oriented SoD model; ✓ SoD Detection; ✓ Compensating Controls; ✓ Real-time SoD Prevention; ✓ SoD Domains reduce false positives; ✓ SoD “Dry-Run” tests changes to SoD rules; Summary
  32. IDEAS SoD: Value and Benefits
     • Reduce the risk of fraud, conflicts of interest and human error in business processes
     • Detect and remediate existing SoD conflicts, including in SAP
     • Prevent new SoD conflicts before they arise
     • Consolidate SoD controls under business oversight
     • Assure a transparent and auditable authorization process
     • Promote a clean separation between business-oriented access policies and technical administration
     • Promote best-practice processes in change management for SoD rules
  33. Any IDEAS? For more information: Andrea.rossi@crossideas.com, +39 335 1435578
