Crossideas Segregation of Duty Approach
Published in Technology , Business
Transcript

  • 1. CrossIdeas: IDEAS for Identity & Access Governance. Our unique SOD (Segregation of Duties) approach. crossideas.com
  • 2. Company overview
    • CrossIdeas is a leading innovator in Identity & Access Governance Solutions, enabling organizations to achieve their Compliance, Audit and Risk Management goals
    • CrossIdeas is the result of the MBO of Engiweb Security (originally founded in 2001) from the Engineering Group, one of the largest SIs in Europe
    • CrossIdeas is the only vendor in the market to offer Access Governance and Entitlement Management on a single platform
    • 90 customers in Energy, Banking, Manufacturing, Public Administration and Law Enforcement
    • Key clients are ENEL (Energy), Piaggio (Manufacturing), Italian Tax Enforcement Police (Govt), Italian Health Care Ministry, Regione Veneto, Ministry of Internal Affairs
  • 3. IDEAS Capabilities
    • IDEAS addresses all areas of Identity & Access Governance
    • IDEAS is “IAM agnostic”, integrating with your existing Identity Management layer
    • IDEAS offers Entitlement Server capability as part of the IAG platform (unique in the market)
    (Capability diagram; module labels recovered from the slide: Audit and Compliance Reporting, Access Certification, Risk Intelligence, Authorization Workflow, Role Life Cycle, Segregation of Duties, Entitlement Server, Role Mining, Entitlement Management, Compliance Control for SAP, Compliant User Provisioning, Processing, Application Connectivity, SOA, SPML, Connectors, Integration.)
  • 4. IDEAS Segregation of Duties: Key Strengths
    • Both detection and prevention of SoD conflicts
    • Centralized SoD policies enforced across the whole enterprise
    • Real-time SoD checks for all new authorizations
    • Automatic assignment of compensating controls
    • Business-oriented SoD model simplifies administration
    • Platform-independent model supports heterogeneous environments
    • Native support for SAP roles and authorization objects
    • Data-domain concept reduces false-positive SoD conflicts
    • “Dry-run” feature tests changes to SoD policies before deploying to production
  • 5. IDEAS covers SOD as part of the full Access Lifecycle
    (Architecture diagram; labels recovered from the slide: Access Governance; Identity Intelligence; Segregation of Duties; SAP Risk Compliance; Reporting & Dashboards; Identity Access Certification; IDEAS Core with Roles, Entitlements, Access Policies and Identity Events; Role Life-Cycle; Audit; Access Request Workflow; Role Mining; Compliant User Provisioning; Entitlement Server; Entitlement Management.)
  • 6. IDEAS SOD: demo agenda
    • Business-oriented SoD model
    • SoD Detection
    • Compensating Controls
    • Real-time SoD Prevention
    • SoD Domains reduce false positives
    • SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 7. Business-Oriented SoD Model
    Business-oriented SoD model is easily managed by business specialists.
    • Business processes broken down into “activities”
    • SoD rules define conflicts among these activities
    (Diagram: Purchase Order Creation conflicts with Purchase Order Approval, Receive Supplier Shipment and Verify Supplier Shipment.)
    Example: Purchase Order Creation conflicts with Purchase Order Approval and 2 other activities.
  • 8. Business-Oriented SoD Model
    Business and IT aspects of the SoD rules can be managed independently:
    • Business specialists define processes and conflicting activities.
    • IT specialists map activities to technical permissions.
    ✓ This reduces management overhead and improves scalability.
    (Diagram: Process → Activity 1, Activity 2, Activity 3 (Business Specialists) → Permissions → Applications (IT Specialists).)
  • 9. SoD Demo – Activities and Conflicts
    Navigate activity hierarchy – select activity to inspect it. Business specialists manage this part.
    (Screenshot callouts: Associate conflicting activities; Conflicting activities.)
  • 10. SoD Demo – Activities and Permissions
    IT specialists manage this part.
    (Screenshot callouts: Associate profiles; Associated permissions.)
  • 11. Segregation of Duties – Demo Agenda
    ✓ Business-oriented SoD model
    • SoD Detection
    • Compensating Controls
    • Real-time SoD Prevention
    • SoD Domains reduce false positives
    • SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 12. SoD Demo – SoD Detection
    5 different SoD analyses, typically run nightly, or on demand.
    A full scan of users and roles detects existing SoD risks.
  • 13. SoD Demo – SoD Detection
    Full details of detected SoD conflicts facilitate analysis and remediation.
    (Screenshot callouts: SoD conflict details for a specific user; Users with SoD conflicts listed here.)
  • 14. Segregation of Duties – Demo Agenda
    ✓ Business-oriented SoD model
    ✓ SoD Detection
    • Compensating Controls
    • Real-time SoD Prevention
    • SoD Domains reduce false positives
    • SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 15. SoD Demo – Compensating Controls
    A pair of conflicting activities can have one or more associated “compensating controls”.
    • The compensating control allows the conflicting activities to be safely assigned to a user.
    • IDEAS SoD automatically requires that at least one of the compensating controls be assigned.
  • 16. SoD Demo – Defining a Compensating Control
    Pre-define compensating controls, such as periodic reviews, or automated or manual checks.
  • 17. SoD Demo – Associating a Compensating Control
    Associate one or more suitable compensating controls with each pair of conflicting activities.
    (Screenshot callouts: Select activity; Select conflicting activity; List of suitable compensating controls; Add more suitable compensating controls here.)
  • 18. Segregation of Duties – Demo Agenda
    ✓ Business-oriented SoD model
    ✓ SoD Detection
    ✓ Compensating Controls
    • Real-time SoD Prevention
    • SoD Domains reduce false positives
    • SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 19. SoD Demo – Real-time SoD Prevention
    IDEAS automatically identifies SoD conflicts in real-time when they arise in access request workflow:
    • Displays the conflict details
    • Automatically proposes appropriate compensating controls according to the conflict or risk level
    • Workflow for escalation and compensation is very flexible and configurable.
  • 20. SoD Demo – Workflow Example
    We will demo real-time SoD prevention using this workflow example:
    • Informal Request (User or Manager): User or Manager enters request in free text; no technical knowledge required
    • Request formalization (Application Manager): Application Manager translates the request into specific roles; SoD detection here
    • Risk Analysis (Risk Officer): if there is a conflict, Risk Officer reviews the authorization and assigns a risk-mitigating control
    • Approval (Business Process Owner): Business process owner approves or denies the request
  • 21. SoD Demo – Informal Access Request
    Enter “informal” access request here in free text. User or Manager makes an access request in simple text – no technical application knowledge required.
    (Screenshot callouts: UI skinnable with company branding; Role-based menu; Self-service functions.)
  • 22. SoD Demo – Informal Access Request
    SoD conflict is detected as soon as the access request is formalized.
    (Screenshot callout: Conflict details here.)
  • 23. SoD Demo – Risk Analysis
    SoD conflict escalated to Risk Officer for analysis and compensation.
    (Screenshot callouts: Select Compensating Control; Approve SoD conflict with compensating control.)
  • 24. Segregation of Duties – Demo Agenda
    ✓ Business-oriented SoD model
    ✓ SoD Detection
    ✓ Compensating Controls
    ✓ Real-time SoD Prevention
    • SoD Domains reduce false positives
    • SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 25. SoD Demo – SoD Domains
    Without the SoD Domain concept, this example would generate a false positive SoD conflict: Create purchase order ⊗ Approve purchase order.
    SoD Domains separate independent business units. (Diagram: Order office in the Corporate Services Domain; Approve generator materials order in the Operations Domain; No conflict!)
    • SoD conflicts do not cross domains.
    • SoD Domains reduce false positive SoD conflicts.
    SoD conflicts require follow-up analysis by a person, so too many false-positive results are time-consuming and wasteful. If false positives are too common, then the system cannot be considered reliable.
  • 26. SoD Demo – SoD Domains
    Domains are easy to define because they typically correspond to groups of applications.
    (Screenshot callouts: These are the defined domains; A domain is defined as a set of applications that manage the data in the domain.)
  • 27. SoD Demo – SoD Domains
    SoD conflicts are always within a single domain.
    (Screenshot callout: This is the domain.)
  • 28. Segregation of Duties – Demo Agenda
    ✓ Business-oriented SoD model
    ✓ SoD Detection
    ✓ Compensating Controls
    ✓ Real-time SoD Prevention
    ✓ SoD Domains reduce false positives
    • SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 29. SoD Demo – “Dry-Run” Tests Changes to SoD Rules
    SoD “dry-run” tests changes to SoD policies before deploying to production:
    • Multiple SoD environments can be created or copied to test alternative sets of SoD rules
    • After dry-run testing, changes can be promoted to production
  • 30. SoD Demo – “Dry-Run” with SoD Environments
    Create as many SoD environments as required to test alternate SoD rule sets. At any time, an environment can be switched into or out of production, so deployment and fallback are predictable.
    (Screenshot callouts: Create new environment; Copy environment; Specify which parts of the environment to copy; Promote environment to production.)
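The slides on the two-layer SoD model (7–8), detection (12–13), compensating controls (15–17), real-time prevention (19–23), SoD domains (25–27) and dry-run environments (29–30) describe one evaluation procedure without showing it. The following is an added, self-contained Python example written for this page; it is not CrossIdeas code and does not reflect how IDEAS is implemented. Activity names follow the deck's purchase-order example, while the application names, permission names, domain assignments, the control name `monthly-po-review` and the users are constructed assumptions. The example generalizes the single case on the slides to arbitrary conflict pairs and domains: a conflict is raised only when a user holds both activities through applications in the same domain, an assigned compensating control marks the finding as mitigated rather than open, a request check reports only the conflicts a new permission would introduce, and a dry run diffs a candidate rule set against production over a user population.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """A technical permission in one application (the IT specialists' layer)."""
    application: str
    name: str


@dataclass(frozen=True)
class Finding:
    """One SoD conflict for a user; an empty mitigated_by means the conflict is open."""
    user: str
    activities: FrozenSet[str]
    domain: str
    mitigated_by: FrozenSet[str]


@dataclass
class SodPolicy:
    conflicts: Set[FrozenSet[str]]                    # business layer: conflicting activity pairs
    activity_permissions: Dict[str, Set[Permission]]  # IT layer: activity -> permissions granting it
    controls: Dict[FrozenSet[str], Set[str]]          # pair -> acceptable compensating controls
    app_domain: Dict[str, str]                        # application -> SoD domain (set of apps)

    def activities_held(self, perms: Set[Permission]) -> Dict[str, Set[str]]:
        """For each activity the permissions grant, the domains it is granted in."""
        held: Dict[str, Set[str]] = {}
        for activity, grants in self.activity_permissions.items():
            for p in perms & grants:
                held.setdefault(activity, set()).add(self.app_domain[p.application])
        return held


def detect(policy: SodPolicy, user: str, perms: Set[Permission],
           assigned_controls: Set[str]) -> List[Finding]:
    """Full scan of one user: a conflict exists only where both activities sit in the same domain."""
    held = policy.activities_held(perms)
    findings: List[Finding] = []
    for pair in sorted(policy.conflicts, key=sorted):
        a, b = sorted(pair)
        if a not in held or b not in held:
            continue
        for domain in sorted(held[a] & held[b]):  # conflicts never cross domains
            mitigated = policy.controls.get(pair, set()) & assigned_controls
            findings.append(Finding(user, pair, domain, frozenset(mitigated)))
    return findings


def check_request(policy: SodPolicy, user: str, perms: Set[Permission],
                  assigned_controls: Set[str], requested: Permission) -> List[Finding]:
    """Real-time prevention: only the conflicts that granting `requested` would introduce."""
    before = set(detect(policy, user, perms, assigned_controls))
    after = set(detect(policy, user, perms | {requested}, assigned_controls))
    return sorted(after - before, key=lambda f: (sorted(f.activities), f.domain))


def dry_run(production: SodPolicy, candidate: SodPolicy,
            population: Dict[str, Tuple[Set[Permission], Set[str]]]) -> Dict[str, Tuple[int, int]]:
    """Dry-run a candidate rule set: per user, (conflicts added, conflicts removed) vs production."""
    report: Dict[str, Tuple[int, int]] = {}
    for user, (perms, ctrls) in population.items():
        prod = set(detect(production, user, perms, ctrls))
        cand = set(detect(candidate, user, perms, ctrls))
        report[user] = (len(cand - prod), len(prod - cand))
    return report


# --- Constructed sample data (assumed names), modelled on the deck's purchase-order example ---
PO_CREATE, PO_APPROVE = "Purchase Order Creation", "Purchase Order Approval"
RECEIVE, VERIFY = "Receive Supplier Shipment", "Verify Supplier Shipment"
CREATE_APPROVE = frozenset({PO_CREATE, PO_APPROVE})

POLICY = SodPolicy(
    conflicts={CREATE_APPROVE, frozenset({PO_CREATE, RECEIVE}), frozenset({PO_CREATE, VERIFY})},
    activity_permissions={
        PO_CREATE: {Permission("erp-purchasing", "PO_CREATE")},
        PO_APPROVE: {Permission("erp-purchasing", "PO_RELEASE"),
                     Permission("plant-mro", "MATERIALS_ORDER_APPROVE")},
        RECEIVE: {Permission("warehouse", "GOODS_RECEIPT")},
        VERIFY: {Permission("warehouse", "GOODS_INSPECT")},
    },
    controls={CREATE_APPROVE: {"monthly-po-review"}},  # a periodic review, as on slide 16
    app_domain={"erp-purchasing": "Corporate Services", "warehouse": "Corporate Services",
                "plant-mro": "Operations"},
)

# alice creates POs in Corporate Services but approves only in Operations: no conflict (slide 25)
ALICE = {Permission("erp-purchasing", "PO_CREATE"), Permission("plant-mro", "MATERIALS_ORDER_APPROVE")}
# bob creates and releases POs in the same application: a real conflict
BOB = {Permission("erp-purchasing", "PO_CREATE"), Permission("erp-purchasing", "PO_RELEASE")}


def demo() -> Dict[str, object]:
    """Runs the deck's scenarios and returns the results for inspection."""
    candidate = replace(POLICY, conflicts=POLICY.conflicts - {CREATE_APPROVE})  # proposed rule change
    return {
        "alice_scan": detect(POLICY, "alice", ALICE, set()),
        "bob_scan": detect(POLICY, "bob", BOB, set()),
        "bob_with_control": detect(POLICY, "bob", BOB, {"monthly-po-review"}),
        "alice_request": check_request(POLICY, "alice", ALICE, set(),
                                       Permission("erp-purchasing", "PO_RELEASE")),
        "dry_run": dry_run(POLICY, candidate, {"alice": (ALICE, set()), "bob": (BOB, set())}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The domain check is what removes the false positive from slide 25: alice holds both conflicting activities, but in different domains, so `detect` returns nothing for her until she requests `PO_RELEASE` in the same domain as her `PO_CREATE`, at which point `check_request` reports exactly that one new conflict for the Risk Officer to compensate. The dry run shows the effect of dropping a rule before it reaches production, which is the property slide 30 describes as predictable deployment and fallback.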
  • 31. Segregation of Duties – Demo Agenda
    ✓ Business-oriented SoD model
    ✓ SoD Detection
    ✓ Compensating Controls
    ✓ Real-time SoD Prevention
    ✓ SoD Domains reduce false positives
    ✓ SoD “Dry-Run” tests changes to SoD rules
    • Summary
  • 32. IDEAS SoD: Value and Benefits
    • Reduce the risk of fraud, conflicts of interest and human error in business processes
    • Detect and remediate existing SoD conflicts, including SAP
    • Prevent new SoD conflicts before they arise
    • Consolidate SoD controls under business oversight
    • Assure a transparent and auditable authorization process
    • Promote a clean separation between business-oriented access policies and technical administration
    • Promote best-practice processes in change management for SoD rules
  • 33. Any IDEAS? For more information: Andrea.rossi@crossideas.com, +39 335 1435578