Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler

IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM)

Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can use the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM have enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the Identity Provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.

Speaker notes
  • Separation of duty ensures that the same user cannot have conflicting roles that would provide them with an unacceptable level of authority. Constraints can be applied to user/role assignments (static constraints), to session/role assignments (dynamic constraints), or to role hierarchies.
  • To conclude, I would like to summarize that IBM has shown leadership in the RBAC space for a long time. We have made these role management capabilities available in an integrated solution for Identity Management. And we have targeted our delivery of strong functionality to what enterprises need today. Our IAM Governance strategy and vision also encompasses a broader perspective that goes beyond role management. While we are completing this vision with role modeling and lifecycle management, we are also well prepared to make the next evolutionary step into identity analytics. Thanks for your time and attention. I would like to answer any questions you may have.
  • Win deals:
      • Arla Foods: originally acquired TIM to have a handle over the 10+% of orphan accounts in their SAP applications that caused them to fail ISO 17799 audit. MN Security helped them reduce the number of roles by 95% using TIM's SOD, certification, approval workflow, and UP. 50% reduction in service desk calls.
      • GameStop: game retailer with 3000 employees. Got TIM because it was failing audits due to churn and lack of access tracking. Orphan accounts, obsolete accounts. They needed to understand their access and clean it.
      • CommonWealth Bank (Australia): TIM 4.6 customer that bought Sailpoint, and then changed by Sun RM because TIM did not cover roles. Now wants to get TIM 5.1. (48K users, 125 apps)
  • Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
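The three constraint types in the separation-of-duty note above (static constraints on user/role assignments, dynamic constraints on session/role activation, and constraints on the role hierarchy) can be checked mechanically over a role model. The following Python is an added example, not code from the presentation or from IBM Role and Policy Modeler; the RoleModel and Session classes, the role and permission names and the user assignments are constructed for illustration. It also detects the "inevitable conflict" case that the SOD slide mentions, where a role inherits both sides of a static constraint so that anyone holding it violates the policy.

```python
"""Separation-of-duty checks over a small RBAC model with a role hierarchy.

Added example, not code from the presentation or from IBM RaPM. Role,
permission and user names below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RoleModel:
    permissions: dict[str, set[str]] = field(default_factory=dict)  # role -> its own permissions
    inherits: dict[str, set[str]] = field(default_factory=dict)     # role -> junior roles it inherits
    static_sod: set[frozenset[str]] = field(default_factory=set)    # pairs never held together
    dynamic_sod: set[frozenset[str]] = field(default_factory=set)   # pairs never active in one session

    def add_role(self, name: str, perms=(), inherits=()) -> None:
        self.permissions[name] = set(perms)
        self.inherits[name] = set(inherits)

    def effective_roles(self, roles) -> set[str]:
        """Close a role set under the hierarchy: a senior role carries all of its juniors."""
        seen: set[str] = set()
        todo = list(roles)
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.inherits.get(r, ()))
        return seen

    def effective_permissions(self, roles) -> set[str]:
        return set().union(*(self.permissions.get(r, set()) for r in self.effective_roles(roles)))

    def conflicts(self, roles, constraints) -> set[frozenset[str]]:
        """Constraints whose two roles are both present once the hierarchy is expanded."""
        eff = self.effective_roles(roles)
        return {c for c in constraints if c <= eff}

    def hierarchy_conflicts(self) -> dict[str, set[frozenset[str]]]:
        """Roles that inherit both sides of a static constraint: a defect in the model
        itself, since every holder of such a role is in violation."""
        found = {r: self.conflicts({r}, self.static_sod) for r in self.permissions}
        return {r: c for r, c in found.items() if c}

    def static_violations(self, assignments) -> dict[str, set[frozenset[str]]]:
        """Users whose assigned roles (directly or through the hierarchy) break a static constraint."""
        found = {u: self.conflicts(rs, self.static_sod) for u, rs in assignments.items()}
        return {u: c for u, c in found.items() if c}


class Session:
    """Dynamic SoD: a user may hold both roles but must not activate both in one session."""

    def __init__(self, model: RoleModel, user: str, assigned: set[str]):
        self.model, self.user, self.assigned = model, user, set(assigned)
        self.active: set[str] = set()

    def activate(self, role: str) -> str:
        if role not in self.assigned:
            return "not assigned"
        candidate = self.active | {role}
        if self.model.conflicts(candidate, self.model.static_sod | self.model.dynamic_sod):
            return "SoD conflict"
        self.active.add(role)
        return "activated"


def build_sample_model() -> RoleModel:
    m = RoleModel()
    m.add_role("ap_clerk", ["invoice.create"])
    m.add_role("ap_approver", ["invoice.approve"])
    m.add_role("payments", ["payment.release"])
    m.add_role("auditor", ["ledger.read"])
    # Deliberately misconfigured: ap_lead inherits both halves of a static constraint.
    m.add_role("ap_lead", ["team.report"], inherits=["ap_clerk", "ap_approver"])
    m.static_sod.add(frozenset({"ap_clerk", "ap_approver"}))  # cannot create and approve invoices
    m.dynamic_sod.add(frozenset({"payments", "auditor"}))     # may hold both, never in one session
    return m


MODEL = build_sample_model()
ASSIGNMENTS = {  # constructed user -> role assignments
    "alice": {"ap_clerk"},
    "bob": {"ap_approver", "payments", "auditor"},
    "carol": {"ap_clerk", "ap_approver"},  # direct static violation
    "dave": {"ap_lead"},                   # violation inherited through the hierarchy
}

if __name__ == "__main__":
    print("inevitable conflicts:", MODEL.hierarchy_conflicts())
    print("static violations:", MODEL.static_violations(ASSIGNMENTS))
    s = Session(MODEL, "bob", ASSIGNMENTS["bob"])
    print([s.activate(r) for r in ("payments", "auditor", "ap_clerk")])
```

Expanding the hierarchy before testing a constraint is the part that is easy to get wrong: dave holds only ap_lead, so a check on direct assignments alone would report him clean, while the effective role set shows the conflict.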

    1. Role Discovery and RBAC Design: A Case Study with IBM RaPM. Alex Ivkin, Prolifics; Grey Thrasher, IBM. March 19, 2012
    2. Agenda
       Speakers: Alex Ivkin, CISSP, Practice Director, Security Line of Business, Prolifics; Grey Thrasher, Senior Software Engineer, L2 Technical Team Lead, IBM SWG Client Support – Software.
       • Introductions
       • Role Based Access Control
       • Reality Check
       • Process and Technology Discussion
       • Results and Q&A
    3. Prolifics at a Glance
       Who are we? A corporate group of 1200 employees worldwide specializing in the expert delivery of end-to-end IBM solutions. Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies.
       Locations: New York, Orlando, Boston, San Francisco, Philadelphia, London, Washington DC, Hamburg, Santa Clara (CA, USA); Application Testing; Off-Shore Development Center in Hyderabad, India.
       (Chart: Stability, Longevity & Growth – gross revenue in millions, $0 to $70, 2004 through 2011)
       Solution Leadership:
       • Serviced over 1600 IBM software accounts in the past 11 years
       • Prolifics boasts over 110 Security certifications for architecture, development, administration
       • IBM Tivoli “AAA Accredited” – first for Security worldwide
       • IBM Cloud Certification – first of 5 partners
       • Authorized for SVP in 5 industry capabilities – first in Utilities
       • Also in SOA, Information Management and BPM solutions and appliances for Business Process Management and Integration
    4. Business challenges
       • Difficulty in the business understanding of security information, causing a rubber-stamp process, or simply too much data to sort through for the business
       • Challenges in the quarterly attestation cycle
       • Challenges for supervisory personnel understanding how "least privilege" works in their business unit
       • Onboarding (new hire user adds) requests requiring additional time and effort because access requests are submitted on a case-by-case basis using individual forms
       • Challenges in managing the access of persons who transfer between jobs, creating complex modification requests for access on a case-by-case basis
       • Risk due to inappropriate access, which could be misuse or simply audit findings. This is due to mirrored access (make John's access look like Mary's) that may grant too much permission, or to job transfers where old access is not removed properly
    5. Role Based Access Control
       RBAC is a methodology to align security entitlements to persons through an abstraction of organizational responsibilities using job function and relationship to the organization. The idea is to use roles to represent common access rights for users as sets of privileges on different systems.
       Before: direct access assignments today are complex, difficult to track and change when needed.
       After: Role Based Access Control (RBAC) offers an effective operational model to drive IAM Governance.
       • Simplify roles and access assignments
       • Ability to handle growth and scale
       • Facilitate accountability and compliance
    6. Business Benefits of RBAC
       • Reduce risk by ensuring people are limited to the required access dictated by their job function
       • Reduce dormant time for new hires during onboarding because their well-defined access can be instantiated automatically
       • Simplify the attestation and audit process by reviewing privileges that are exceptions to the roles instead of reviewing every entitlement
       • Increase accuracy in the attestation process due to an easier-to-understand business interface to information security data
       • Simplify the cross-boarding process and reduce the risk of personnel dragging inappropriate entitlements to their new job function
       • Address compliance requirements through the inherent linkage to organizational definitions of least privilege and separation of duty
    7. Reality check
       • How many companies want to do RBAC?
       • How many companies are doing RBAC?
       • How many companies successfully completed RBAC in 2011?
       Our study showed:
       • 97% of IdM customers in 2011 agreed that Role Based Access Control is a solid approach to tackle problems of compliance and security control
       • A third have engaged in RBAC design and implementation, internally and externally
       • Less than a tenth achieved the goals
       Why?
    8. Challenges
       • Time consuming: correlating massive data
       • High skill required: not business-user friendly
       • Inaccurate results
       • Requires business change – the 60/40 mix
       • Requires proper tooling: an Identity and Access Management platform, a modeling tool, a role life-cycle tool
       • Requires understanding, communication and motivation
       • It’s a process, not a state
    9. How it is done (the secret recipe)
       • Strong business processes
       • Clever technical instrumentation
       • Effective review procedures
       • Tight enforcement and integration
    10. Introducing Role and Policy Modeler
       (Diagram) Business view – CIO, CSO, Compliance Officers, Lines of Business, Business Owners – supplies governance goals, scope, business policies and interview data. Modeling tools: approvals/certification, risk analysis, collaboration, compliance reports. Role and Policy Modeler validates the business view against the technical view, with an extensible data layer, exceptional analytics, an intuitive UI and in-depth reports. Technical view – IT Systems and Applications Owners, IT Management – supplies resources, identities, entitlements, role and policy templates, roles and policies, and reports.
    11. The beginning
       Sizing: scoping and size control.
       • Focusing on stable business units: customer service, financial department
       • Focusing on well understood applications: core business applications
       • Product targeted at the business analyst
       • Engaging the sponsors and LoB managers
       • Involving IT asset custodians
       • Aggregating existing data
       (Diagram: Business View, Role Lifecycle, Role and Policy Modeler, Technical Integration View)
    12. RaPM: Home Page
       Designed for the business analyst. Simple view model: Projects, Role Mining/Modeling, Reports, Import.
    13. Modeling
       Top-down: business interviews and the existing model (governance goals, scope, business policies, interview data from the CIO, CSO, Compliance Officers and Business Owners) feed the business view.
       Bottom-up: data aggregation, system state and existing knowledge (resources, identities, entitlements, roles and policies from IT Systems and Applications Owners) feed the technical view.
       Role and Policy Modeler sits between the two, with an extensible data layer, exceptional analytics, an intuitive UI and in-depth reports.
    14. RaPM: Model Roles and Policies
       Project creation: user selection, permission selection.
    15. RaPM: Generating roles
       • Artificial intelligence algorithms: poor performance vs. over-fitting
       • Analytics from IBM Research
       • Parameters: hierarchy, ownership, compatibility constraints
       • Modeling flexibility
    16. RaPM: Role Generation
       IBM Research-created algorithms automatically generate roles and hierarchies. Options affect the number of roles and the depth of the hierarchy.
    17. RBAC Modeling
       (Diagram) Combine roles: Role A + Role B → Role Z. Split roles: Role A → Role B + Role C. Rules for roles: Role X, Role Y.
       • Role definition processes
       • Role management review for HR updates (reorg, new job codes, etc.)
       • Role review for application changes (new system, retired system, new features)
       • Iterative approach and instant feedback
    18. Role Quality: RBAC Definition Lifecycle
       Role definition iterations – organizational role definition (business view) and application role definition (system view): structured steps of interviews, data gathering, engineering, and tests to produce roles – Examine, Cleanup, Define, Test, Publish – with empowerment and knowledge transfer.
    19. RaPM: Role Analysis
       • The Analysis Catalog provides different analyses to help determine potential role members and permissions
       • Ensure membership and permissions are accurate
       • Ability to view granular user/permission details in analysis results
    20. Analytics Engine: Dynamic and Adaptive Access Control
       (Diagram: Business Role → Dynamic Role → Roles → Application/System Entitlements, e.g. VPN access, access to GL)
       A single RBAC statically assigned role can be associated to a specific set of entitlements (permissions). An RBAC dynamic role can inherit a collection of roles that can relate to a job family, which can be organization-wide, divisional, or location-based – represented by person type.
    21. RaPM: Membership Qualifier
       • Configure multiple conditions
       • Automatically associates users with the role
       • Use analysis results to help build out qualifiers
       • The Membership View indicates members assigned directly or by qualifier
    22. Separation of Duties
       Separation of duty constraints and policies, both static and dynamic, in a role model. (Diagram: Users – Roles – Permissions, with Sessions, Role Hierarchy and SOD Constraints)
    23. RaPM: Separation of Duties (SOD)
       • Alert when users are in a disallowed combination of roles
       • Indicates SOD configuration problems (inevitable conflicts)
       • Details users and roles in conflict
    24. Role-Based Access Control: RBAC Administration Lifecycles – Attestation (tactical), Request Based (mid range), IdM Integrated (strategic)
       (Diagram) Triggers from HR: a re-org, new data such as org type, physical location, job title, cost center, or the retirement of any of these… Triggers from IT: a new application or system, a new group is added, a group or system is consolidated or retired. Roles are analyzed, changes are proposed, and a draft is circulated for Audit Review, the Business Owner, Info. Sec. and the Role Approver; roles are then published and ready for use.
    25. RaPM: Reports
       TCR/Cognos based reports: Operations report, Permissions report, Roles report, User Access report.
    26. RaPM: Role Lifecycle Manager
       Business Process Manager: approval request sent to role owner(s); attach role reports to the approval request for more details.
    27. Real World Role Automation
       (Diagram) HR feeds the Role and Policy Modeler; roles flow into Identity Management, where a profile with its roles drives the user accounts. Automatic permission assignment comes through the roles; manual permission assignment goes through Security Administration.
       Relationship between RBAC and Identity Provisioning – mature integration.
    28. RaPM: Export Project
       Generates XML containing: roles; separation of duty constraints; user-to-role assignments (optional). Immediately consumable by the ITIM Load utility.
    29. RaPM: ITIM Load
       Utility to load exported roles, SODs and user-to-role assignments. The preview option shows the number of:
       • New or modified roles
       • Modified hierarchies
       • New or modified separation of duty constraints
       • User-to-role assignments to be added or deleted
    30. Role and Policy Modeler Highlights
       • Role management capabilities are integral to the Security Identity Manager: integrated built-in functionality in one package, rather than 2 or 3 from competitors; costs less than comparable solutions in the market; integration and automation provide immediately effective operations
       • Simple and yet sophisticated role modeling helps accelerate results: a business-user centric Web UI ensures faster adoption and easy deployment; powerful built-in analytics guide the role analyst in generating a timely role structure; IBM’s solid technology and experience with roles built into a product
       • Flexibility to adapt to the client-specific IT processes: handles scale and large access data sources with a project-based approach; extensible policy and graphical role model to analyze particular enterprise scenarios; offers a business process automation platform to quickly get stakeholder validation
       • Ability to drive IAM Governance – beyond role management: customers can easily deploy and integrate run-time enforcement (entitlement management) with IBM’s Identity and Access Management Governance strategy; Security Intelligence: identity analytics in role modeling provide valuable business insight, helping customers achieve the next level of security alignment with the business
    31. Summing up
       Role Based Access Management improves compliance postures and reduces the cost of administration in an evolving IT environment… but there are still challenges achieving this goal.
       • The traditional solution for role modeling generates results that are obsolete by the time they are ready
       • ABAC, RuBAC, ZBAC …
       • This is about 60% business process consulting and 40% tool. You need both to be strong to get to the 100%
       (Diagram: the traditional manual process – face-to-face consult, collect written report, manual data, collect spreadsheet, written reports, evaluation, face-to-face approvals (reject/certify), manual enforcement)
    32. RBAC Change Control and Notification Processes
       Foundational processes will allow the business to keep organizational structure up to date on systems, and to keep system entitlements clean and up to date. After foundational processes are implemented, and RBAC is in place, these processes can be leveraged and integrated with RBAC Management Processes.
    33. (Diagram: Business View, Role Lifecycle, Role and Policy Modeler, Technical Integration View)
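Two of the RaPM functions in the deck, membership qualifiers (slide 21) and the ITIM load preview (slide 29), fit together in one small model: conditions over HR attributes compute a role's members, the membership view distinguishes qualifier-derived members from directly assigned exceptions, and a diff against the provisioning system's current state yields the user-to-role additions and deletions the preview reports. The Python below is an added example, not code from the presentation or from IBM RaPM/ITIM; the Condition and Role classes, the operator names, the HR records and the CURRENT_IDM map are constructed assumptions, and RaPM's export XML format is not reproduced.

```python
"""Membership qualifiers and a load preview for a role model.

Added example, not code from the presentation or from IBM RaPM/ITIM. The
condition syntax, role names, HR records and current-state map are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
import operator

# Operators a qualifier condition may use (assumed set, not RaPM's own).
OPS = {"eq": operator.eq, "ne": operator.ne, "in": lambda a, b: a in b}


@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str
    value: object

    def matches(self, person: dict) -> bool:
        # A missing attribute never satisfies a condition: fail closed.
        return self.attribute in person and OPS[self.op](person[self.attribute], self.value)


@dataclass(frozen=True)
class Role:
    name: str
    qualifier: tuple[Condition, ...] = ()         # all conditions must hold (AND)
    direct_members: frozenset[str] = frozenset()  # explicit, reviewed exceptions


def membership(role: Role, people: dict[str, dict]) -> dict[str, str]:
    """Membership view: each member tagged 'qualifier', 'direct' or 'both'."""
    view: dict[str, str] = {}
    for uid, attrs in people.items():
        by_qualifier = bool(role.qualifier) and all(c.matches(attrs) for c in role.qualifier)
        direct = uid in role.direct_members
        if by_qualifier and direct:
            view[uid] = "both"
        elif by_qualifier:
            view[uid] = "qualifier"
        elif direct:
            view[uid] = "direct"
    return view


def preview_load(roles: list[Role], people: dict[str, dict],
                 current: dict[str, set[str]]) -> dict:
    """Compare modeled user-to-role assignments with what the IdM holds today.

    `current` is the provisioning system's present role -> members map. Roles
    the model does not cover are left untouched, as a load should not guess.
    """
    target = {r.name: set(membership(r, people)) for r in roles}
    to_add = {(u, r) for r, us in target.items() for u in us - current.get(r, set())}
    to_delete = {(u, r) for r, us in current.items() if r in target for u in us - target[r]}
    return {
        "new_roles": sorted(n for n in target if n not in current),
        "assignments_to_add": sorted(to_add),
        "assignments_to_delete": sorted(to_delete),
    }


PEOPLE = {  # constructed HR feed
    "alice": {"department": "Finance", "job_code": "AP01", "status": "active"},
    "bob":   {"department": "Finance", "job_code": "AP02", "status": "active"},
    "carol": {"department": "Customer Service", "job_code": "CS01", "status": "active"},
    "dave":  {"department": "Finance", "job_code": "AP01", "status": "terminated"},
}

AP_CLERK = Role(
    "ap_clerk",
    qualifier=(Condition("department", "eq", "Finance"),
               Condition("job_code", "in", ("AP01",)),
               Condition("status", "eq", "active")),
    direct_members=frozenset({"carol"}),  # approved exception outside the qualifier
)
CS_AGENT = Role("cs_agent", qualifier=(Condition("department", "eq", "Customer Service"),))

# Constructed snapshot of the IdM: erin has no HR record, i.e. an orphan account.
CURRENT_IDM = {"ap_clerk": {"alice", "dave", "erin"}}

if __name__ == "__main__":
    print(membership(AP_CLERK, PEOPLE))
    print(preview_load([AP_CLERK, CS_AGENT], PEOPLE, CURRENT_IDM))
```

The preview is where the cleanup value shows: dave drops out of ap_clerk because his HR status changed, and erin drops out because no HR record qualifies her at all, which is exactly the orphan-account class of finding the speaker notes describe. Reviewing those two deletions before loading is cheaper than attesting every entitlement.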