© Copyright 2012 Axis Technology, LLC
Entitlements and Access Management
Entitlement and Access Management
Regulatory control functions, such as Operational Risk, Compliance and Audit, increasingly raise questions around the scope, management, and clarity of entitlements within distributed and mainframe application environments.
• Entitlements are used to determine what a user is allowed to do once they are in a network or application.
• Often implemented as a shared service within specific technology stacks.
• Typically includes query-able metadata repository for Compliance, Management, Auditing and Reporting.
• Entitlement Management tools externalize and centralize fine-grained authorization policies for enterprise applications, web services, and data.
Entitlement management can be used to strengthen the security of Web services, Web applications, legacy applications, documents and files, and physical security systems.
Implementation of a metric-driven policy that is consistent across all applications is becoming more important in the face of regulatory pressures from Sarbanes-Oxley, HIPAA, PCI and the like.
Enterprise Entitlement Solutions typically include separate mainframe, application specific and LDAP based solutions
Regulatory Change
• Requirements for improved Entitlement Management capabilities are increasing due to challenges with legacy processes and regulation
• Regulators changed and Auditors are focusing on legacy controls and processes put in place in response to SOX and GLBA that are under renewed scrutiny due to regulatory focus
• Significant operational and reputational risk exposure with entitlements that do not conform to security policies, regulations, and/or best practices.
• Typical entitlement systems do not provide business friendly information for required management reviews of user access.
Entitlement Management - Approach
Phases: Analyze Current State | Determine Target State Options | Design Implementation Plan | Execute Plan
Work with security administration, business teams and application owners to:
• Identify the applications in scope and their responsible business and technology organizations
• Document current state of user’s profiles and entitlements grouped by organizations:
– Inventory of the existing job functions, profile details and corresponding entitlements.
– Determine overlap and uniqueness of resource entitlements across groups.
• Work with security administration teams to analyze existing entitlements to determine the applications associated with job roles and functional usage of each entitlement
• Validate understanding of existing entitlements and determine their alignment to existing business roles and the applications used to carry out business function.
• Document gaps within existing Entitlements Management structure
Deliverables
• Inventory of Entitlement Types, Processes and Categories
• Remediation criteria and functional requirements
• Development of remediation rules and approach for each category
Benefits
• Provides a comprehensive understanding of the types of entitlements in the environments (unreferenced, obsolete, valid, override)
• Creates understanding of current state Entitlement Management processes
Entitlement Management - Approach
• Work with application and business management to recommend valid target job role definitions with associated business functions and required resource entitlements.
– Establish existing business role definitions and entitlements expected for each role.
– Align functional groupings of entitlements into corresponding Job Roles.
• Recommend possible cleanup of obsolete, redundant and unused entitlements
• Rationalize Entitlement usage within the existing user base by recommending enhanced descriptions and definitions of roles, profiles and entitlements in a way that clearly:
– Shows what a user’s entitlements are,
– Shows that a user does not have more entitlements than they need,
– Allows reviewers to understand what entitlements are being granted and identify any potential conflicting entitlements
Deliverables
• Documenting procedures for the remediation of entitlements by category
• Analyzing business and technical impact
• Reviewing and documenting end-to-end remediation process
Benefits
• Remediation steps are designed at a holistic level to ensure that impacts are minimized and efficiencies are realized.
Entitlement Management - Approach
Determine Implementation Options and Target Design for Entitlements Provisioning:
• Map profiles and entitlements between Current and Target State.
– Develop design options for entitlements provisioning based upon target state role definitions.
– Identify procedures for migration of existing entitlements to target entitlements.
– Identify potential and implied impacts, business and technical support dependencies and rank conversion procedures based upon risk and effort estimates.
• Select design direction and create high-level design documentation.
• Develop implementation plan for required provisioning components.
– Develop new compliance and control process and procedures to ensure the integrity of the implemented solutions going forward.
– Coordinate provisioning component definition and options selection.
Deliverables
• Implementation
• Communication plan
• Selection of Pilot remediation activities
Benefits
• Milestone based plan to ensure effective communication and awareness.
Entitlement Management - Approach
• Coordinate implementation efforts with administrative and operation groups that carry out the transition from current to target state:
– Review of risk mitigation strategies and back out procedures
– Phased rollout strategies
– SLAs, points of contact, escalation procedures and progress reporting strategies
• Phased rollout of the Target State implementation:
– Initial Pilot Implementation (with learning used to adjust implementation plan)
– Multi-phase rollout across business units and divisions with validation, progress reports and implementation plan adjustments based on outcomes and learning
• Post Implementation review:
– Implementation result assessments
– Learning and inputs to future Integrity Maintenance
Deliverables
• Remediation of selected entitlement scenarios
• Revising process documentation and plans including lessons learned and post remediation audit steps
Benefits
• Piloting allows for the process and effort assumptions to be validated and improved prior to full engagement
Entitlement Management - Expertise
• Technical
– Comprehensive understanding of the existing entitlement management frameworks and their implementations.
– Technical knowledge required to extract entitlement sources and verify entitlement usage.
• Analytical
– Analyze current state and its integration with the Enterprise Entitlement strategy.
– Technical and business SME and stakeholder interactions:
  • Business Operations
  • Entitlement Administration
  • Compliance
  • Audit
  • Application Development
  • Information Security Officers
– Articulate the rules that will need to be enforced to secure the solution and align with business functions.
– Identification of control gaps in accordance with security and audit compliance policies and standards.
– Identification of business and technical conversion impacts and risks.
• Implementation
– Modification of Control routines based on the analysis.
– Clean up and realignment of the existing entitlements configurations
– Review and development of new procedures and processes around the provisioning process that implement and check these new rules so that the integrity of the solutions will be maintained going forward.
Entitlement Management
Case Study
Mainframe Entitlement Remediation
• Project Drivers stem from audit findings related to access management including:
– General presence of excessive entitlements across the enterprise due to the complexity of User IDs, roles and profiles
– Poor quality of manager entitlement reviews due to awareness, information availability and process gaps
– Lack of a risk based scoring process and approach to the management of entitlements
• Within Mainframe environments, issues manifest themselves by:
– Overly complex IDs and profiles that include obsolete and extinct entitlements
– Improper toxic combinations and excessive entitlements within and across assigned profiles
– Weak or non-existent definitions of entitlements and profiles designating functionality and/or usage
– Inconsistent functional implementations of RACF & Top Secret that have become institutionalized within LOBs
– Deficiencies in the procedures to manage and maintain the integrity of user access controls and entitlements
– Complex entitlement provisioning being understood by a limited number of individuals
• Remediation is hampered by legacy mainframe technology constraints:
– Lack of formal Role Based Access Control (RBAC)
– Mainframe entitlements structures that do not allow for people to define their usage
– Legacy custom developed methods that extend entitlement capabilities
– Unique access controls embedded within application code leading to additional layers of management complexity
Stakeholder Integration
This effort was a key part of multiple Access Management Audit Response workstreams that required Axis to create strong integration among multiple constituents
• The goal is to remediate roles and profiles so that managers performing entitlement reviews understand what they are reviewing and can ensure that the entitlements are appropriate
• The Axis Project Team brought together key stakeholders to interface and cooperate to effect the changes
[Figure: stakeholder integration diagram. Labels: Business/User; Entitlement Administration; Axis Project Team; Profiles, Roles, IDs; Definitions & Realignment; Processes & Entitlement Management; Quality Assurance & Data Integrity; Interpret and transform; Implements; Functional Knowledge]
Current State Analysis Artifacts
• The complexity of the current state environment was captured through Axis analysis artifacts that allowed for consistent comparison of existing capabilities for gaps, overlaps and critical requirements
• Risk prioritization and impact analysis of potential solutions provided objective measures for identifying target solutions and the activities required to achieve the biggest benefit
Target State Analysis Artifacts
• The target state model simplifies understanding and effectiveness of Role Based Entitlements
• Gap Analysis of Processes and Controls leads to identification and implementation of changes that improve long term ownership and maintenance of Entitlements

[Figure: Profile Provisioning Construction and Review Procedures, Process Flow Diagram - TARGET. Legend: Key Controls; New Key Controls Added]

Key Controls:
KC-1 Audit Logging of Profile Changes
KC-2 Monitoring / Logging of Entitlement Reviews
KC-3 Review for Compliance with Construction Standards
KC-4 Segregation of Duties - Maker / Checker
KC-5 Approval of Authorized Signer(s) or Resource Owners(s)
KC-6 Periodic Review of Entitlements
KC-7 Documented Process or Procedure to Implement Standards

RULES CHECK:
1. Number of Mode Profiles
2. Authorized signers and Managers
3. Submitter cannot be approver
4. No toxic combinations
5. Glossary naming convention
6. Enforce Application-centric Profiles (one application per Profile)
7. Define(s) a Job Role
8. Quality and efficiency of resources check

LIST OF APPROVERS:
1. Authorized signers of request
2. Manager approval
3. Resource owner
4. Role owner
5. LOB ISO

COMPLIANCE WITH STANDARDS, PROCESSES & PROCEDURES:
1. Profile Provisioning & Compliance Process
2. … a UserID Process
3. Data Warehouse Feed Synchronization Process
4. Profile Reconfiguration Process
5. IDatabase Refresh Process into Change Management
6. Periodic Process to Maintain Clean-up Rules for Top Secret
7. Operator Role Selection Procedure
8. System/Application Level Logging & Auditing Procedure
9. Profile Review Procedure
10. Separation of Duties Procedure
11. IAM Top Secret Procedure
12. UserIDs Determination and Activation Procedure

[Figure: target state role model]
Job Function*: GUID
Job Roles*: ROLE 1, ROLE 2
Profiles: APPLICATION 1, APPLICATION 2, APPLICATION 3, APPLICATION 4
Resources: OTRANS, DATA, SYSTEMS, PROCESSES
* Defined logically within Mainframe Environments

[Chart: Current State entitlements by category. Valid 48; Obsolete 293; Redundant 388]
Benefits of Profile Realignment
• Business benefits
  • Reconfigured profiles have fewer entitlements and are logically grouped by application
  • Enhanced definitions allow Business to understand what the profiles manage when reviewing and approving
  • Reduced dependence on Single Point of Failure SMEs with profile configuration knowledge across business and Entitlement Administration
  • Ownership of profile and entitlement definition is established at the business operation management level
• Technical benefits
  • Dramatic reduction in the overall number of entitlements assigned to each user and role (i.e. decreased over 75% in some cases)
  • Documentation of security processing and its relationship to Top Secret / RACF entitlements and application source code
  • Systematic identification of obsolete business entitlements
• In current state User Group had 7 profiles with intermixed access to 9 applications and 681 entitlements.
• Post remediation, only 48 entitlements remain which are directly aligned to user role and associated application functions
www.axistechnologyllc.com
70 Federal Street
Boston, MA 02110
(857) 445-0110