Hitachi ID Access Certifier: Find and remove stale privileges with periodic reviews


Hitachi ID Access Certifier: Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications. Periodic review and cleanup of security entitlements.

Published in: Technology, Business

Slide 1: Hitachi ID Access Certifier
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications. Periodic review and cleanup of security entitlements.

Slide 2: Agenda
• Hitachi ID corporate overview.
• ID Management Suite overview.
• The regulatory environment.
• The Access Certifier solution.

© 2012 Hitachi ID Systems, Inc. All rights reserved.
Slide 3: Hitachi ID Corporate Overview
Hitachi ID is a leading provider of identity and access management solutions.
• Founded as M-Tech in 1992.
• A division of Hitachi, Ltd. since 2008.
• Over 900 customers.
• More than 11M licensed users.
• Offices in North America, Europe and APAC.
• Partners globally.

Slide 4: Representative Hitachi ID Customers
Slide 5: ID Management Suite
Slide 6: Regulatory Environment
Legislation requiring effective corporate governance and privacy protection is impacting organizations world-wide.
• Sarbanes-Oxley: Requires that publicly traded companies comply with the proper reporting of financial information and control access to this information.
• SAS 70: Allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.
• HIPAA: The Health Insurance Portability and Accountability Act of 1996.
• 21CFR11: Electronic signature and system protection regulations by the FDA.
• GLB: Applies to financial institutions and securities firms, aimed at protecting the privacy of customer data.
• PIPEDA: The Canadian Personal Information Protection and Electronic Documents Act.
• 2002/58/EC: European Union Privacy Protection Directive.
These regulations call for better internal controls and a policy of least privilege.

Slide 7: IAM is Linked to Regulations
• Many regulations, in many jurisdictions, call for internal controls:
  – This implies effective AAA: Authentication, Authorization and Audit.
• Every system already has AAA.
  – The weakness is bad user/access data.
• The missing link is business process:
  – Appropriate access rights.
  – Timely access termination.
  – Effective authentication.
• Identity and access management process and technology are needed to bridge the gap between business requirements and AAA infrastructure.
Slide 8: Compliance Architecture
Build a common architecture to address multiple regulatory requirements:
• Externalize administration of users and entitlements from applications.
• Administration process should be user-focused, not application-focused.

Control layer and the IAM processes that support it:
• Authentication: Password management.
• Authorization: Automatic access termination; SoD policy enforcement.
• Audit: Login ID reconciliation; periodic review of user rights.
• Infrastructure: Firewalls, virus scanners, etc.

Slide 9: Problem: Users Accumulate Rights
Over time, users change roles/responsibilities:
• Users change jobs, departments and locations.
• There are many users, each with access to many systems.
With each transition, users accumulate entitlements:
• From what? There is no record of every right a user had before, so old rights are not removed.
• To what? Without a role model, it is impossible to say which of a user's old rights should stay and which should go.
• When? A reassigned user may back up his replacement for a while, so must retain old rights for an undefined period of time.

Slide 10: Access Certification
Access Certifier automates periodic review and cleanup of entitlements:
• Leverages org-chart data.
• Delegates access review, cleanup and certification to managers.
• Automated e-mail reminders to managers and other stake-holders.
• Stake-holders review entitlements on a web form.
• Entitlements are either certified or flagged for removal.
• Stake-holders must sign off on completed reviews.
Slide 11: Access Certifier Features
Access Certifier automates periodic audits of all users and their access rights:
• Orgchart integration:
  – Managers are reminded to review their direct subordinates.
• Certification:
  – Each manager's review is completed by an electronic signature, to certify that remaining entitlements are appropriate.
• Completion:
  – Managers are motivated to complete the audit, since failure to do so prevents their superiors' own audits.
• Roll-up:
  – At the end of the process, executives can attest to appropriate entitlements enterprise-wide.

Slide 12: Accountability Up the Org Chart
• Managers cannot sign off until all subordinate managers have signed off.
  – Creates a chain of accountability, flowing up the org-chart.
• Managers are blocked from sign-off until their subordinate managers finish their own reviews.
  – Creates downward pressure throughout the organization to complete the review process.
  – Effective, low cost manager motivation.

Slide 13: Unique Advantages of Access Certifier
• Executive assurance: When the CEO or CFO signs off, they are assured that the process has been completed globally. They can then attest to this aspect of internal controls in a SOX compliance statement.
• Proactive: Managers are automatically asked to review the rights of their subordinates. Non-response triggers reminders and escalation.
• Full coverage: Management pressure down the org-chart ensures that the process is actually completed globally.
• Rapid deployment: The only requirement is org-chart data. No role definition or user classification.
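As an added illustration of the certification and sign-off workflow described on slides 10 to 12 (example code written for this page, not Hitachi ID's product code), the following Python models an org chart in which each manager certifies or flags their subordinates' entitlements and cannot sign off until every unreviewed right is decided and every subordinate manager has signed off; the org chart, system names and entitlements are constructed sample data.

```python
from dataclasses import dataclass, field
@dataclass
class Manager:
    name: str
    subordinate_managers: list = field(default_factory=list)  # direct reports who are themselves managers
    reviews: dict = field(default_factory=dict)  # (user, system, right) -> "pending" | "certified" | "remove"
    signed_off: bool = False

class CertificationCampaign:
    def __init__(self, managers):
        self.managers = {m.name: m for m in managers}

    def decide(self, manager, entitlement, decision):
        """The reviewing manager certifies one right or flags it for removal."""
        reviews = self.managers[manager].reviews
        if entitlement not in reviews:
            raise KeyError(f"{manager} does not review {entitlement}")
        if decision not in ("certified", "remove"):
            raise ValueError("decision must be 'certified' or 'remove'")
        reviews[entitlement] = decision

    def blockers(self, manager):
        """Everything still preventing sign-off: unreviewed rights, then unsigned subordinate managers."""
        m = self.managers[manager]
        pending = [f"pending:{'/'.join(e)}" for e, d in m.reviews.items() if d == "pending"]
        pending += [f"unsigned:{s}" for s in m.subordinate_managers if not self.managers[s].signed_off]
        return pending

    def sign_off(self, manager):
        """Electronic sign-off is refused while anything blocks it, so accountability rolls up the org chart."""
        if self.blockers(manager):
            return False
        self.managers[manager].signed_off = True
        return True

    def removal_list(self):
        """Rights flagged for removal across the whole campaign: the cleanup work list."""
        return sorted(e for m in self.managers.values() for e, d in m.reviews.items() if d == "remove")

def build_campaign():
    """Constructed org chart (ceo -> vp -> mgr) and sample entitlements; not real Hitachi ID data."""
    mgr = Manager("mgr", reviews={
        ("alice", "erp", "ap_approver"): "pending",
        ("alice", "erp", "ap_clerk"): "pending",  # constructed leftover from alice's previous job
        ("bob", "crm", "sales_rep"): "pending",
    })
    vp = Manager("vp", subordinate_managers=["mgr"])
    ceo = Manager("ceo", subordinate_managers=["vp"])
    return CertificationCampaign([mgr, vp, ceo])
```

Running `build_campaign()` and calling `sign_off("ceo")` before the lower levels have finished returns False with `blockers("ceo")` naming the unsigned VP, which is the downward pressure the slides describe; `removal_list()` then yields the cleanup work list once reviews are complete.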
Slide 14: Summary
Access Certifier gives CFOs and CEOs assurance of compliance with privacy and governance regulations:
• Internal controls require clean data about users.
• Improve security by finding and removing orphan and dormant accounts.
• Eliminate unneeded login IDs and security rights left over after users changed jobs.
• Actively engage all managers in a periodic review process.
• Motivate managers to complete the process.
• This is accomplished quickly, without resorting to role engineering.

Learn more at ... or ... E-mail access-certifier@Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740 Fax: 1.403.233.0725
Date: March 1, 2012