SlideShare a Scribd company logo

Addressing Excess Privileges using Hitachi ID Access Certifier

Hitachi ID Systems, Inc.
Hitachi ID Systems, Inc.

This document describes the business problem of privilege accumulation and the impact of this IT problem on organizations in the context of a growing set of regulatory requirements. Having defined the business problem, this document then describes the process of access certification, used to respond to privilege accumulation in a manner consistent with regulations such as Sarbanes-Oxley, HIPAA, 21CFR11 and GLB.

TechnologyBusiness
1 of 9
Download to read offline
Addressing Excess Privileges using Hitachi ID Access Certifier © 2014 Hitachi ID Systems, Inc. All rights reserved.
Addressing Excess Privileges using Hitachi ID Access Certifier 1 Introduction This document describes the business problem of privilege accumulation and the impact of this IT problem on organizations in the context of a growing set of regulatory requirements. Having defined the business problem, this document then describes the process of access certification, used to respond to privilege accumulation in a manner consistent with regulations such as Sarbanes-Oxley, HIPAA, 21CFR11 and GLB. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
Addressing Excess Privileges using Hitachi ID Access Certifier 2 The Challenge 2.1 The Regulatory Environment Two common threads running through many regulations are privacy protection (e.g., HIPAA, GLB, PIPEDA, EU Privacy Directive) and corporate governance (e.g., Sarbanes-Oxley, 21-CFR-11). Privacy applies to customers, patients, investors, employees and so forth. Good governance applies to financial data, clinical processes, safety procedures, etc. 2.2 Compliance Requires AAA Privacy protection and corporate governance both depend on effective internal controls. The challenge is to answer the questions: Who can access sensitive data? How are these users authenticated? What can they see and modify? Are users held accountable for their actions? These requirements can be restated as AAA: authentication, authorization and audit. 2.3 Problems with AAA AAA infrastructure is nothing new and has been built into every multi-user application for decades. The problem is that a growing number of systems and applications, combined with high staff mobility, have made it much harder to the manage passwords and entitlements on which AAA rests. With weak passwords, unreliable caller identification at the help desk, orphan accounts, inappropriate se- curity entitlements and mismatched login IDs, AAA systems often wind up enforcing the wrong rules. The weakness is not in the authentication or authorization technology – it’s in the business process for managing security entitlements and credentials. 2.4 Addressing Problems with AAA Requires Identity Management To address problems with AAA data, it is essential to implement robust processes to manage security, so that only the right users get access to the right data, at the right time. This is accomplished with: • Better control over how users acquire new entitlements and when entitlements are revoked. • Correlating user IDs between systems and applications, so that audit logs can be related to real people. • Periodic audits of entitlements, to verify that they remain business-appropriate. • Logging of both current and historical entitlements, to support forensic audits. • Stronger passwords and more robust authentication in general. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
Addressing Excess Privileges using Access Certifier 3 Access Certification Hitachi ID Access Certifier enables organizations to review and clean up security entitlements with: • Certification of users: Access Certifier can invite managers to review a list of their direct subordinates and for each one – certify that the subordinate still works for them, transfer the subordinate to their new manager or indicate that the user in question has left the organization and their access should be terminated. • Certification of entitlements: Access Certifier can invite both managers and the owners of roles, applications and security groups to review the entitlements which have been assigned to users and either certify that they remain appropriate or ask that they be revoked. • Certification of exceptions to policy: Hitachi ID Identity Manager supports enforcement of two types of policy – role based access control (RBAC) and segregation of duties (SoD). Access Certifier can be used to review approved exceptions to these policies and either certify that they remain appropriate or ask for the user in question to be brought back into compliance. • Electronic signatures: Access Certifier requires certifiers to sign off on their work. Signatures form a chain of accountability, acting as evidence that entitlements are still needed. The sign-off process also triggers workflow requests to revoke entitlements which certifiers indicated are no longer required. • Certification by entitlement owners: Application, group and role owners can be invited by Access Certifier to review lists of users with access to their entitlements. • Certification by managers: Access Certifier can be configured to invite every manager to review his direct subordinates and their entitlements. Managers are prevented from signing-off until managers that report to them have completed their own certification. This process creates downwards pressure on managers to complete their reviews. • Authorization workflow: Every user deactivation or access revocation request processed by Access Certifier is subject to an authorization process before being completed. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports: – Concurrent invitations to multiple users to review a request. – Approval by N of M authorizers (N is fewer than M). – Automatic reminders to non-responsive authorizers. – Escalation from non-responsive authorizers to their alternates. – Scheduled delegation of approval responsibility from unavailable to alternate approvers. • Reports: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
Addressing Excess Privileges using Hitachi ID Access Certifier Access Certifier includes a rich set of built-in reports, designed to answer a variety of questions, such as: – Who certified user X getting entitlement Y and when? – What users have entitlement Z? – What entitlements does user W have? – Which certifiers respond quickly and which procrastinate? – What accounts have no known owner (orphaned)? – What users have no accounts (empty profiles)? – What accounts have recent login activity (dormant)? – What users have no active accounts (dormant)? • Automated connectors and human implementers: Access Certifier can be integrated with existing systems and applications using a rich set of over 110 included connectors. This allows it to automatically detect and deprovision entitlements across commonly available systems and applications. Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternately, the built-in “implementers” workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems. 3.1 Benefits of Access Certification Access certification offers substantial benefits over previous approaches: Hitachi ID Access Certifier strengthens security by helping organizations to find and remove inappropriate security entitlements. It makes business stake-holders take direct responsibility for ensuring that users within their scope of authority have appropriate security rights for their jobs. 3.2 Previous Approaches Previous attempts to address the problem of finding and removing excess access rights have focused on policy-enforcement in general, and policy-based provisioning in particular: Policy-based provisioning is defined as follows: • Define a set of roles, detailed enough to capture the full access requirements of every user, on every target system. • Classify users into roles, such that their access requirements are fully specified by role membership. • Reconcile access privileges predicted by the policy model against the access privileges users actually have on target systems. • Correct actual privileges to match those predicted by roles, either automatically or after human review and approval. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
Addressing Excess Privileges using Access Certifier On an enterprise scale, where there are (tens of) thousands of users, employees, contractors and other principals are constantly hired, moved and terminated. This makes user classification difficult. Role definition, where user responsibilities are subtly different and where infrastructure is ever changing, is similarly difficult, because the target (a role model) is complex and moving. Access privilege reconciliation may also be hard to implement, as it can flag more exceptions than human authorizers can realistically review. The policy-based provisioning approach is challenging in complex organizations, because defining a com- prehensive and appropriate policy is time consuming, difficult and expensive. These challenges apply equally to initial deployment and ongoing system sustainment. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
Addressing Excess Privileges using Hitachi ID Access Certifier 4 Motivating Managers to Participate In a large organization, there will be many managers, application owners and data owners who must perform periodic audits of user access privileges. It follows that some mechanism is required to ensure that these audits are in fact carried out and performed diligently. Audits by application and data owners are straightforward – this can be made a core part of the responsibility of these stakeholders and since there are relatively few such stake-holders, ensuring that they complete periodic user privilege audits. Audits of users by their direct supervisors can be more difficult, since there may be thousands of such supervisors and it is hard to make them all comply with any single directive. One approach to motivating managers to review the access rights of their direct subordinates is to require a signature at the end of every such review, but to block such signatures until subordinate managers have completed their own reviews. This signature underlies a legal statement by each manager, certifying that the remaining list of that manager’s direct subordinates and their privileges, are appropriate. With this process, an executive such as the CEO or CFO, who wishes to implement strong controls to sup- port a regulatory compliance program, will pressure his direct subordinates to complete their own reviews. They will be unable to sign off until their own subordinates have finished and so a downward pressure through the organization to complete the audit is created. Whereas pressure to perform the user privilege reviews flows downwards from the top of the organization, results of the audit, including cleaned up user rights, flow back up from the lowest-level managers right to the CEO or CFO. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 6
Addressing Excess Privileges using Access Certifier 5 Advantages of the Access Certification Approach The Hitachi ID Access Certifier process has several advantages that organizations can leverage: • Simple to deploy – This is a practical approach to addressing an important business problem: finding and eliminating obsolete user privileges. Organizations can deploy Access Certifier in just a few weeks, without getting bogged down in role definition or user classification projects, which tend to be lengthy and expensive. • Accurate and up-to-date – The information about who should have what access to what systems is drawn from managers with contextual knowledge, not IT staff far removed from day to day application usage. • Auditable – The process is 100% traceable, providing complete confidence to senior executives about the validity of the cleaned privileges and of the process itself. Please contact Hitachi ID to learn more about the Hitachi ID Access Certification Process and Hitachi ID’s complete line of Identity Management Solutions. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 7
Addressing Excess Privileges using Hitachi ID Access Certifier 6 About Hitachi ID Systems, Inc. Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Management Suite is a fully inte- grated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premise and in the cloud. The Management Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID Systems is recognized by customers and analysts for industry leading customer service. Originally founded in 1992 as M-Tech Information Technology, Inc. and acquired by Hitachi, Ltd. in 2008, Hitachi ID Systems, Inc. is a leading provider of identity management and access governance solutions. Hitachi ID Systems first identity management and access governance product, Hitachi ID Password Manager, has been commercially available since 1995. Today, Hitachi ID Systems is the leading password manage- ment vendor world-wide and a leading provider of identity and privileged access management solutions. Hitachi ID Systems currently has 140 employees. Hitachi ID Systems has enjoyed strong financial perfor- mance, with 76 consecutive quarters of growth and profitability. Hitachi ID Systems is headquartered in Calgary, Canada and has regional offices in: Canada: Vancouver, Ottawa and Montréal; United States: Denver and New York. Europe: Amsterdam. Australia: Brisbane. Hitachi ID’s customers include Avon, Bank of America, Bristol-Myers Squibb, Cisco, eBay, Ford Motor Com- pany, Intel, Kimberly-Clark Corporation, Merck MetLife, NCR Corporation, Pfizer, Pitney Bowes, Sears, Shell, Symantec, Wells Fargo and many more. For more information on Hitachi ID and its products, please visit http://Hitachi-ID.com/ or call 1.403.233.0740. www.Hitachi-ID.com 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com File: /pub/wp/documents/idcert-short/idcert-3.tex Date: Jun 16, 2008

Recommended

Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged PasswordsHitachi ID Systems, Inc.
 
Hitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Systems, Inc.
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Systems, Inc.
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Maximizing Value
Maximizing ValueMaximizing Value
Maximizing ValueHitachi ID Systems, Inc.
 

Recommended

Secure Management of Privileged Passwords
Secure Management of Privileged PasswordsSecure Management of Privileged Passwords
Secure Management of Privileged PasswordsHitachi ID Systems, Inc.
 
Hitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Password Manager Security Analysis
Hitachi ID Password Manager Security AnalysisHitachi ID Systems, Inc.
 
Hitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Password Manager Brochure
Hitachi ID Password Manager BrochureHitachi ID Systems, Inc.
 
Hitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Suite 9.0 Features and Technology
Hitachi ID Suite 9.0 Features and TechnologyHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Maximizing Value
Maximizing ValueMaximizing Value
Maximizing ValueHitachi ID Systems, Inc.
 
Authentication Management
Authentication ManagementAuthentication Management
Authentication ManagementHitachi ID Systems, Inc.
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity ManagementHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Systems, Inc.
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access ManagementHitachi ID Systems, Inc.
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Systems, Inc.
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Systems, Inc.
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Systems, Inc.
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Systems, Inc.
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile UsersHitachi ID Systems, Inc.
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

More Related Content

More from Hitachi ID Systems, Inc.

Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Systems, Inc.
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?Hitachi ID Systems, Inc.
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Systems, Inc.
 

More from Hitachi ID Systems, Inc. (20)

Authentication Management
Authentication ManagementAuthentication Management
Authentication Management
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management SuiteHitachi ID Identity and Access Management Suite
Hitachi ID Identity and Access Management Suite
 
Identity and Access Lifecycle Automation
Identity and Access Lifecycle AutomationIdentity and Access Lifecycle Automation
Identity and Access Lifecycle Automation
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Privileged Access Management
Privileged Access ManagementPrivileged Access Management
Privileged Access Management
 
Hitachi ID Access Certifier
Hitachi ID Access CertifierHitachi ID Access Certifier
Hitachi ID Access Certifier
 
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?How Well is Your Organization Protecting its Real Crown Jewels - Identities?
How Well is Your Organization Protecting its Real Crown Jewels - Identities?
 
Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access ManagerHitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager
 
Hitachi ID Identity Manager
Hitachi ID Identity ManagerHitachi ID Identity Manager
Hitachi ID Identity Manager
 
Hitachi ID Password Manager
Hitachi ID Password ManagerHitachi ID Password Manager
Hitachi ID Password Manager
 
Hitachi ID Management Suite
Hitachi ID Management SuiteHitachi ID Management Suite
Hitachi ID Management Suite
 
Hitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate EditionHitachi ID Identity Express™ - Corporate Edition
Hitachi ID Identity Express™ - Corporate Edition
 
Hitachi ID Group Manager
Hitachi ID Group ManagerHitachi ID Group Manager
Hitachi ID Group Manager
 
Managing Passwords for Mobile Users
Managing Passwords for Mobile UsersManaging Passwords for Mobile Users
Managing Passwords for Mobile Users
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Addressing Excess Privileges using Hitachi ID Access Certifier

  • 1. Addressing Excess Privileges using Hitachi ID Access Certifier © 2014 Hitachi ID Systems, Inc. All rights reserved.
  • 2. Addressing Excess Privileges using Hitachi ID Access Certifier 1 Introduction This document describes the business problem of privilege accumulation and the impact of this IT problem on organizations in the context of a growing set of regulatory requirements. Having defined the business problem, this document then describes the process of access certification, used to respond to privilege accumulation in a manner consistent with regulations such as Sarbanes-Oxley, HIPAA, 21CFR11 and GLB. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 1
  • 3. Addressing Excess Privileges using Hitachi ID Access Certifier 2 The Challenge 2.1 The Regulatory Environment Two common threads running through many regulations are privacy protection (e.g., HIPAA, GLB, PIPEDA, EU Privacy Directive) and corporate governance (e.g., Sarbanes-Oxley, 21-CFR-11). Privacy applies to customers, patients, investors, employees and so forth. Good governance applies to financial data, clinical processes, safety procedures, etc. 2.2 Compliance Requires AAA Privacy protection and corporate governance both depend on effective internal controls. The challenge is to answer the questions: Who can access sensitive data? How are these users authenticated? What can they see and modify? Are users held accountable for their actions? These requirements can be restated as AAA: authentication, authorization and audit. 2.3 Problems with AAA AAA infrastructure is nothing new and has been built into every multi-user application for decades. The problem is that a growing number of systems and applications, combined with high staff mobility, have made it much harder to the manage passwords and entitlements on which AAA rests. With weak passwords, unreliable caller identification at the help desk, orphan accounts, inappropriate se- curity entitlements and mismatched login IDs, AAA systems often wind up enforcing the wrong rules. The weakness is not in the authentication or authorization technology – it’s in the business process for managing security entitlements and credentials. 2.4 Addressing Problems with AAA Requires Identity Management To address problems with AAA data, it is essential to implement robust processes to manage security, so that only the right users get access to the right data, at the right time. This is accomplished with: • Better control over how users acquire new entitlements and when entitlements are revoked. • Correlating user IDs between systems and applications, so that audit logs can be related to real people. • Periodic audits of entitlements, to verify that they remain business-appropriate. • Logging of both current and historical entitlements, to support forensic audits. • Stronger passwords and more robust authentication in general. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 2
  • 4. Addressing Excess Privileges using Access Certifier 3 Access Certification Hitachi ID Access Certifier enables organizations to review and clean up security entitlements with: • Certification of users: Access Certifier can invite managers to review a list of their direct subordinates and for each one – certify that the subordinate still works for them, transfer the subordinate to their new manager or indicate that the user in question has left the organization and their access should be terminated. • Certification of entitlements: Access Certifier can invite both managers and the owners of roles, applications and security groups to review the entitlements which have been assigned to users and either certify that they remain appropriate or ask that they be revoked. • Certification of exceptions to policy: Hitachi ID Identity Manager supports enforcement of two types of policy – role based access control (RBAC) and segregation of duties (SoD). Access Certifier can be used to review approved exceptions to these policies and either certify that they remain appropriate or ask for the user in question to be brought back into compliance. • Electronic signatures: Access Certifier requires certifiers to sign off on their work. Signatures form a chain of accountability, acting as evidence that entitlements are still needed. The sign-off process also triggers workflow requests to revoke entitlements which certifiers indicated are no longer required. • Certification by entitlement owners: Application, group and role owners can be invited by Access Certifier to review lists of users with access to their entitlements. • Certification by managers: Access Certifier can be configured to invite every manager to review his direct subordinates and their entitlements. Managers are prevented from signing-off until managers that report to them have completed their own certification. This process creates downwards pressure on managers to complete their reviews. • Authorization workflow: Every user deactivation or access revocation request processed by Access Certifier is subject to an authorization process before being completed. The built-in workflow engine is designed to get quick and reliable feedback from groups of business users, who may be individually unreliable. It supports: – Concurrent invitations to multiple users to review a request. – Approval by N of M authorizers (N is fewer than M). – Automatic reminders to non-responsive authorizers. – Escalation from non-responsive authorizers to their alternates. – Scheduled delegation of approval responsibility from unavailable to alternate approvers. • Reports: © 2014 Hitachi ID Systems, Inc.. All rights reserved. 3
  • 5. Addressing Excess Privileges using Hitachi ID Access Certifier Access Certifier includes a rich set of built-in reports, designed to answer a variety of questions, such as: – Who certified user X getting entitlement Y and when? – What users have entitlement Z? – What entitlements does user W have? – Which certifiers respond quickly and which procrastinate? – What accounts have no known owner (orphaned)? – What users have no accounts (empty profiles)? – What accounts have recent login activity (dormant)? – What users have no active accounts (dormant)? • Automated connectors and human implementers: Access Certifier can be integrated with existing systems and applications using a rich set of over 110 included connectors. This allows it to automatically detect and deprovision entitlements across commonly available systems and applications. Organizations may opt to integrate custom and vertical-market applications with Identity Manager by using the included flexible connectors. Alternately, the built-in “implementers” workflow can be used to invite human administrators to make approved changes to users and entitlements on those systems. 3.1 Benefits of Access Certification Access certification offers substantial benefits over previous approaches: Hitachi ID Access Certifier strengthens security by helping organizations to find and remove inappropriate security entitlements. It makes business stake-holders take direct responsibility for ensuring that users within their scope of authority have appropriate security rights for their jobs. 3.2 Previous Approaches Previous attempts to address the problem of finding and removing excess access rights have focused on policy-enforcement in general, and policy-based provisioning in particular: Policy-based provisioning is defined as follows: • Define a set of roles, detailed enough to capture the full access requirements of every user, on every target system. • Classify users into roles, such that their access requirements are fully specified by role membership. • Reconcile access privileges predicted by the policy model against the access privileges users actually have on target systems. • Correct actual privileges to match those predicted by roles, either automatically or after human review and approval. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 4
  • 6. Addressing Excess Privileges using Access Certifier On an enterprise scale, where there are (tens of) thousands of users, employees, contractors and other principals are constantly hired, moved and terminated. This makes user classification difficult. Role definition, where user responsibilities are subtly different and where infrastructure is ever changing, is similarly difficult, because the target (a role model) is complex and moving. Access privilege reconciliation may also be hard to implement, as it can flag more exceptions than human authorizers can realistically review. The policy-based provisioning approach is challenging in complex organizations, because defining a com- prehensive and appropriate policy is time consuming, difficult and expensive. These challenges apply equally to initial deployment and ongoing system sustainment. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 5
  • 7. Addressing Excess Privileges using Hitachi ID Access Certifier 4 Motivating Managers to Participate In a large organization, there will be many managers, application owners and data owners who must perform periodic audits of user access privileges. It follows that some mechanism is required to ensure that these audits are in fact carried out and performed diligently. Audits by application and data owners are straightforward – this can be made a core part of the responsibility of these stakeholders and since there are relatively few such stake-holders, ensuring that they complete periodic user privilege audits. Audits of users by their direct supervisors can be more difficult, since there may be thousands of such supervisors and it is hard to make them all comply with any single directive. One approach to motivating managers to review the access rights of their direct subordinates is to require a signature at the end of every such review, but to block such signatures until subordinate managers have completed their own reviews. This signature underlies a legal statement by each manager, certifying that the remaining list of that manager’s direct subordinates and their privileges, are appropriate. With this process, an executive such as the CEO or CFO, who wishes to implement strong controls to sup- port a regulatory compliance program, will pressure his direct subordinates to complete their own reviews. They will be unable to sign off until their own subordinates have finished and so a downward pressure through the organization to complete the audit is created. Whereas pressure to perform the user privilege reviews flows downwards from the top of the organization, results of the audit, including cleaned up user rights, flow back up from the lowest-level managers right to the CEO or CFO. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 6
  • 8. Addressing Excess Privileges using Access Certifier 5 Advantages of the Access Certification Approach The Hitachi ID Access Certifier process has several advantages that organizations can leverage: • Simple to deploy – This is a practical approach to addressing an important business problem: finding and eliminating obsolete user privileges. Organizations can deploy Access Certifier in just a few weeks, without getting bogged down in role definition or user classification projects, which tend to be lengthy and expensive. • Accurate and up-to-date – The information about who should have what access to what systems is drawn from managers with contextual knowledge, not IT staff far removed from day to day application usage. • Auditable – The process is 100% traceable, providing complete confidence to senior executives about the validity of the cleaned privileges and of the process itself. Please contact Hitachi ID to learn more about the Hitachi ID Access Certification Process and Hitachi ID’s complete line of Identity Management Solutions. © 2014 Hitachi ID Systems, Inc.. All rights reserved. 7
  • 9. Addressing Excess Privileges using Hitachi ID Access Certifier 6 About Hitachi ID Systems, Inc. Hitachi ID Systems, Inc. delivers access governance and identity administration solutions to organizations globally, including many of the Fortune 500 companies. The Hitachi ID Management Suite is a fully inte- grated solution for managing identities, security entitlements and credentials, for both business users and shared/privileged accounts, on-premise and in the cloud. The Management Suite is well known in the marketplace for high scalability, fault tolerance, a pragmatic design and low total cost of ownership (TCO). Hitachi ID Systems is recognized by customers and analysts for industry leading customer service. Originally founded in 1992 as M-Tech Information Technology, Inc. and acquired by Hitachi, Ltd. in 2008, Hitachi ID Systems, Inc. is a leading provider of identity management and access governance solutions. Hitachi ID Systems first identity management and access governance product, Hitachi ID Password Manager, has been commercially available since 1995. Today, Hitachi ID Systems is the leading password manage- ment vendor world-wide and a leading provider of identity and privileged access management solutions. Hitachi ID Systems currently has 140 employees. Hitachi ID Systems has enjoyed strong financial perfor- mance, with 76 consecutive quarters of growth and profitability. Hitachi ID Systems is headquartered in Calgary, Canada and has regional offices in: Canada: Vancouver, Ottawa and Montréal; United States: Denver and New York. Europe: Amsterdam. Australia: Brisbane. Hitachi ID’s customers include Avon, Bank of America, Bristol-Myers Squibb, Cisco, eBay, Ford Motor Com- pany, Intel, Kimberly-Clark Corporation, Merck MetLife, NCR Corporation, Pfizer, Pitney Bowes, Sears, Shell, Symantec, Wells Fargo and many more. For more information on Hitachi ID and its products, please visit http://Hitachi-ID.com/ or call 1.403.233.0740. www.Hitachi-ID.com 500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com File: /pub/wp/documents/idcert-short/idcert-3.tex Date: Jun 16, 2008