© 2015 IBM Corporation
IBM Security
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
On stage today
• Good#2 – Carsten Mielke, Head of Service Management at E.ON Global Commodities
• The Bad and the Ugly – Andrea Rossi, WW Sales Leader – Identity Governance @ IBM
Why Identity Governance? What is Identity Governance?
• Identity Governance solutions help to resolve Security Risks and Audit findings related to logical access controls on business critical applications:
  – Lack of (policy) violation detection: “Sensitive/Privileged access has been assigned to ordinary employees”, “Separation of Duty policies are not enforced, toxic combinations occur”.
• Identity Governance solutions detect and prevent the risk of improper access to business applications. This ‘Security Posture’ is achieved through a combination of IT controls:
  – Separation of Duties policy management
  – Access Risk scoring
  – Access Review and Certification
  – Access Request management with central auditability
How did we get here today?
• 2003-2008 c.e.: The “Big Provisioning Brother” age
• 2009-2013 c.e.: The 1st Compliance ice age
• 2014-2018 c.e.: The IGAge (the Identity Governance and Administration age)
Identity Governance comprises 3 lifecycles
• Identity Lifecycle: Create, Change, Delete
• Entitlement/Role Lifecycle: Discover, Create, Review, Change
• Risk Lifecycle: Model, Measure, Mitigate, Detect
Business activities: Separation of Duties Management
Separation of Duty modeling
• Based on business processes; eliminates the need for Role-to-Role SoD
• Speaks the Auditor’s language
The CRO dashboard: Access Risk scoring
Model and Measure Operational Risk
• Models, measures and trends risks across several datasets (OUs, Applications)
• Allows for ‘Risk driven’ access certification using ‘Heat maps’
IBM Security Identity Governance and Administration
Delivering actionable identity intelligence
• Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
• Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
• Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
• In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews
• Easy to deploy virtual appliances for multiple customer adoptions
  – Standalone Identity Governance
  – Integrate with existing Identity Management
  – Modernize legacy Identity management with integrated governance and administration
Architecture diagram (labels): Identity Governance and Administration Platform (VIRTUAL APPLIANCE) with Common Integration Adapters; IT Security Team; Auditors / Risk Managers; LoB Managers / Employees; Cloud Computing; Mobile; Applications; Desktop and Server; Data; Mainframe; Access Fulfillment; Self Service Portal; Risk / Access Visibility; Access Certification.
IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration
Source: Gartner (January 2015)
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner, Inc. positions IBM as a LEADER in Identity Governance and Administration (IGA)
“The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”
Gartner, Inc., “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015, Report #G00261633
IBM’s ‘Augmented Governance’ scenario
Diagram labels: SIEM; IBM zSecure; Enterprise GRC (e.g. IBM Open P, RSA Archer); User Provisioning (e.g. IBM SIM/NetIQ IDM); SAP Security.
• The User Provisioning layer enforces access policies driven by ISIG.
• ISIG feeds the GRC processes with Access-related risks (e.g. SoD).
• ISIG embraces and extends SAP and Mainframe Security.
• ISIG injects ‘Identity and Access Intelligence’ into Security Incidents.
A Successful Implementation of a User Access Management System at E.ON Global Commodities (EGC)
Dr. Carsten Mielke, Head of Service Management, E.ON
Agenda
• E.ON Global Commodities SE
• Motivation/Drivers
• Pre-Requisites
• Vendor Selection process
• Added Value
• Lessons Learned
• Challenges Ahead
E.ON Global Commodities SE
E.ON Global Commodities SE (EGC)
The energy trading business of E.ON, one of the world's largest investor-owned power and gas companies.
As the expert interface between the E.ON Group and international wholesale energy markets, we create value by managing the commodity price risks faced by E.ON and its customers, while optimizing the Group's broad and diverse power and gas portfolio.
• over 1000 professionals from more than 40 countries, based in headquarters in Düsseldorf
• one of the most active traders in the international wholesale energy markets
  – 2011 volumes: Gas 2480 billion kWh, Power 1967 billion kWh, Carbon 598 million metric tons, Coal 269 million metric tons, Oil 89 million metric tons (~600 million barrels)
• active on more than 20 exchanges and in over 40 countries
• executed more than 850,000 trades in 2011
The drivers for a professional User Access Management
• Audits (according to Audit standards IDW RS FAIT 1, IDW PS330) showed a strong need for improvement of evidence for legal demands on authorization and authentication.
• Capabilities required:
  – record the granting, amending and revoking of access rights to applications in scope of the EGC application access processes;
  – enable control on whether internal control process requirements are working effectively at all times.
“Nothing is more powerful than an idea whose time has come” – Victor Hugo
Expected benefits
• Harmonisation and standardization of user access related processes
  – From different user application templates down to one, later to a workflow in the Intranet
• Better control of users, roles and privileges in the target systems
  – Reducing the risk of abuse of non-intended status
• Quicker access, changes and termination of accounts in target systems
• User accounts and licenses can be better controlled
  – Cost reduction possible
• Auditing control functions of SoD (Segregation of Duties) and sensitive access rights will be available in a more sophisticated way
  – Reducing effort in providing audit evidence
Prerequisites for UAM at E.ON Global Commodities
Diagram labels: IT Solution; HR Data Cleanup; Process Setup; Organizational Implementation; Starter, Mover, Leaver; CEO, CIO, HR, Risk, CFO; Clean Data; Traders, Internals, Externals.
Introduction of an IT Solution – Vendor Selection
• Initial Analysis
  – Detailed requirement definition of ~500 requirements
  – Initial design of the Proof of Concept (PoC)
• Market Analysis
  – Request for Information (RfI) sent out to ~20 vendors
• Evaluation of the feedback
  – Rated regarding their coverage of the four defined functional areas
  – Invitation of all 6 valid replies to provide a live demo of the solution approach
• Evaluation of the presentation
  – Selection of PoC candidates
  – Finalization of the PoC design
• Proof of Concept
  – 6 use cases
  – Both remaining vendors performing in parallel
• Selection of the vendor
  – Final selection of strategic partner
The Software Partner
• The CrossIdeas/IBM Identity & Access Governance platform (IDEAS) was selected
• Why did EGC choose CrossIdeas/IBM?
  – Risk/SoD modelling paradigm: 1-to-1 fit with Auditor requirements
  – Proximity
  – Consultative approach rather than product sale
Project roadmap (high level)
• Phase 1 (June-Dec 2012): ‘Understand the risk’
  – Detective approach, no changes to existing user provisioning processes
  – Implementation of User and SoD controls on 8 top critical applications
• Phase 2 (2013): ‘Reduce the risk’
  – Onboarding of additional applications (including Ruhrgas)
  – Access Certification
• Phase 3 (2014+): ‘Avoid the risk’
  – Implementation of more mature SoD controls
  – Streamline access request management
Logical architecture
Diagram labels: IDEAS (Inform, Model, Detect, Mitigate); HR (Sync); Applications: Power UK, Cont. Power, Gas UK, Coal, Risk, Gas Trading, Backb., etc.; Reports and Alerts.
Benefits
EGC is now in control
• One single view on ‘who could do what’
• Real-time detection of several types of access risks:
  – On User: SoD, Sensitive Access, orphan/service accounts;
  – On Application Roles: intrinsic SoD violation.
• Ability to immediately react by appropriate counter-measures such as periodical review processes, revoking accounts, etc.
‘Audit Ready, M&A Ready’
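As an added illustration (not IBM, CrossIdeas or E.ON code; every identifier, role and account below is constructed sample data), the following Python shows the activity-based SoD modelling from slide 6 together with the risk types listed above: user-level SoD and sensitive access aggregated across all of a user's accounts, role-intrinsic SoD, orphan/service accounts, and a per-OU finding count of the kind a risk heat map is built from.

```python
# Entitlement -> business activity (constructed). Mapping technical entitlements
# onto business activities lets SoD be modelled activity-to-activity instead of
# role-to-role: a new role needs only an activity mapping, not new SoD rules.
ACTIVITY_OF = {
    "SAP:POST_INVOICE": "Post vendor invoice",
    "SAP:RELEASE_PAYMENT": "Release payment",
    "SAP:DISPLAY_LEDGER": "View ledger",
    "ETRM:ENTER_TRADE": "Enter trade",
    "ETRM:CONFIRM_TRADE": "Confirm trade",
    "AD:DOMAIN_ADMIN": "Administer directory",
}
# Toxic combinations, expressed on activities (the auditor's language).
SOD_POLICIES = [
    frozenset({"Post vendor invoice", "Release payment"}),
    frozenset({"Enter trade", "Confirm trade"}),
]
SENSITIVE_ACTIVITIES = {"Administer directory"}

# Application roles and the entitlements they bundle (constructed).
ROLES = {
    "AP_CLERK": ["SAP:POST_INVOICE", "SAP:DISPLAY_LEDGER"],
    "TREASURY": ["SAP:RELEASE_PAYMENT", "SAP:DISPLAY_LEDGER"],
    "TRADER": ["ETRM:ENTER_TRADE"],
    "BACK_OFFICE": ["ETRM:CONFIRM_TRADE"],
    "SUPER_USER": ["ETRM:ENTER_TRADE", "ETRM:CONFIRM_TRADE"],  # toxic by itself
    "IT_ADMIN": ["AD:DOMAIN_ADMIN"],
}
# HR feed: active employee id -> organisational unit (constructed).
HR = {"u100": "Finance", "u200": "Trading", "u300": "IT"}
# Accounts discovered in the target systems (constructed).
ACCOUNTS = [
    {"id": "SAP/jdoe", "owner": "u100", "roles": ["AP_CLERK", "TREASURY"], "direct": []},
    {"id": "ETRM/asmith", "owner": "u200", "roles": ["TRADER"], "direct": []},
    {"id": "AD/bwong", "owner": "u300", "roles": ["IT_ADMIN"], "direct": []},
    {"id": "ETRM/svc_batch", "owner": None, "roles": ["SUPER_USER"], "direct": []},
    {"id": "SAP/olduser", "owner": "u999", "roles": [], "direct": ["SAP:POST_INVOICE"]},
]

def entitlements_of(account):
    """Effective entitlements of one account: role-derived plus direct grants."""
    ents = set(account["direct"])
    for role in account["roles"]:
        ents.update(ROLES[role])
    return ents

def activities_of(entitlements):
    """Translate entitlements to business activities; unmapped ones are skipped."""
    return {ACTIVITY_OF[e] for e in entitlements if e in ACTIVITY_OF}

def sod_violations(activities):
    """Every SoD policy whose two activities are both present, as sorted pairs."""
    return [tuple(sorted(p)) for p in SOD_POLICIES if p <= activities]

def role_intrinsic_violations():
    """Role-level finding: roles that breach an SoD policy on their own."""
    findings = {}
    for role, ents in ROLES.items():
        hits = sod_violations(activities_of(set(ents)))
        if hits:
            findings[role] = hits
    return findings

def user_findings():
    """User-level findings across all accounts of a user: 'who could do what'."""
    per_user = {}
    for acc in ACCOUNTS:
        if acc["owner"] in HR:
            per_user.setdefault(acc["owner"], set()).update(entitlements_of(acc))
    findings = {}
    for user, ents in per_user.items():
        acts = activities_of(ents)
        result = {"sod": sod_violations(acts),
                  "sensitive": sorted(acts & SENSITIVE_ACTIVITIES)}
        if result["sod"] or result["sensitive"]:
            findings[user] = result
    return findings

def orphan_accounts():
    """Accounts with no active HR owner: orphan or service accounts to review."""
    return [acc["id"] for acc in ACCOUNTS if acc["owner"] not in HR]

def risk_by_ou():
    """Finding counts per organisational unit, the data behind a risk heat map."""
    heat = {}
    for user, result in user_findings().items():
        ou = HR[user]
        heat[ou] = heat.get(ou, 0) + len(result["sod"]) + len(result["sensitive"])
    return heat

if __name__ == "__main__":
    print("Role-intrinsic SoD:", role_intrinsic_violations())
    print("User findings:", user_findings())
    print("Orphan/service accounts:", orphan_accounts())
    print("Risk by OU:", risk_by_ou())
```

Note that the user-level check aggregates entitlements across applications, so a toxic combination split over two systems is still caught, while the role-level check flags a role that can never be assigned cleanly.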
Lessons learned
Supportive
• Project staffing incl. project management and business representation;
• Selected vendor of the supporting IAM System represented an optimal fit to company IT and their “getting things done”-culture. Remarkably short implementation time of 4 months;
• Development of Segregation of Duties (SoD) model and vendor selection was carried out simultaneously.
Recommendations
• Implementing SoD is an organisational task; the project should have been primarily driven by a central business function;
• Carefully consider a tight time schedule from the very beginning and have it reflected in appropriate staffing;
• Internal knowledge of the security models of the selected applications should be robust enough to build a rigorous SoD implementation on top of it.
Challenges ahead

More Related Content

What's hot

What's hot (20)

IDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENT
 
Mt26 identity management as a service
Mt26 identity management as a serviceMt26 identity management as a service
Mt26 identity management as a service
 
Building Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access ManagementBuilding Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access Management
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
 
Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise3 Steps to Security Intelligence - How to Build a More Secure Enterprise
3 Steps to Security Intelligence - How to Build a More Secure Enterprise
 
Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices 
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - Portfolio
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Tuebora Self Driven IAM
Tuebora Self Driven IAMTuebora Self Driven IAM
Tuebora Self Driven IAM
 
IBM Security Portfolio - 2015
IBM Security Portfolio - 2015IBM Security Portfolio - 2015
IBM Security Portfolio - 2015
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
The Future of Enterprise Identity Management
The Future of Enterprise Identity ManagementThe Future of Enterprise Identity Management
The Future of Enterprise Identity Management
 
Secure Identity: The Future is Now
Secure Identity: The Future is NowSecure Identity: The Future is Now
Secure Identity: The Future is Now
 
Union Bank Slashes Onboarding Times with Analytics
Union Bank Slashes Onboarding Times with Analytics Union Bank Slashes Onboarding Times with Analytics
Union Bank Slashes Onboarding Times with Analytics
 
Privileged Access Manager Product Q&A
Privileged Access Manager Product Q&APrivileged Access Manager Product Q&A
Privileged Access Manager Product Q&A
 
Digital documents & e-discovery
Digital documents & e-discovery Digital documents & e-discovery
Digital documents & e-discovery
 

Viewers also liked

Landscape of Web Identity Management
Landscape of Web Identity ManagementLandscape of Web Identity Management
Landscape of Web Identity Management
Fraunhofer AISEC
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introduction
wardell henley
 
Values, Assumptions, and Beliefs in Organization Development
Values, Assumptions, and Beliefs in Organization DevelopmentValues, Assumptions, and Beliefs in Organization Development
Values, Assumptions, and Beliefs in Organization Development
Charisse Macalalag - Hernan
 
Leadership (principles of Management)
Leadership (principles of Management)Leadership (principles of Management)
Leadership (principles of Management)
Maha H
 

Viewers also liked (12)

CIS14: Identity Souffle: Creating a Well-baked Identity Lifecycle
CIS14: Identity Souffle: Creating a Well-baked Identity LifecycleCIS14: Identity Souffle: Creating a Well-baked Identity Lifecycle
CIS14: Identity Souffle: Creating a Well-baked Identity Lifecycle
 
Workshop on Identity & Access Management.
Workshop on Identity & Access Management.Workshop on Identity & Access Management.
Workshop on Identity & Access Management.
 
Landscape of Web Identity Management
Landscape of Web Identity ManagementLandscape of Web Identity Management
Landscape of Web Identity Management
 
Iam suite introduction
Iam suite introductionIam suite introduction
Iam suite introduction
 
Evolution of Management Theory
Evolution of Management TheoryEvolution of Management Theory
Evolution of Management Theory
 
An introduction to management and evolution of management
An introduction to management and evolution of managementAn introduction to management and evolution of management
An introduction to management and evolution of management
 
Evolution of management theory
Evolution of management theoryEvolution of management theory
Evolution of management theory
 
Values, Assumptions, and Beliefs in Organization Development
Values, Assumptions, and Beliefs in Organization DevelopmentValues, Assumptions, and Beliefs in Organization Development
Values, Assumptions, and Beliefs in Organization Development
 
Evolution of management
Evolution of managementEvolution of management
Evolution of management
 
Leadership (principles of Management)
Leadership (principles of Management)Leadership (principles of Management)
Leadership (principles of Management)
 
IBM Security Identity & Access Manager
IBM Security Identity & Access ManagerIBM Security Identity & Access Manager
IBM Security Identity & Access Manager
 
Dell Quest TPAM Privileged Access Control
Dell Quest TPAM Privileged Access ControlDell Quest TPAM Privileged Access Control
Dell Quest TPAM Privileged Access Control
 

Similar to The Good, the Bad and the Ugly: A Different Perspective on Identity Governance

Paradigmo specialised in Identity & Access Management
Paradigmo specialised in Identity & Access ManagementParadigmo specialised in Identity & Access Management
Paradigmo specialised in Identity & Access Management
Julie Beuselinck
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
Mohan M
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
Oracle
 

Similar to The Good, the Bad and the Ugly: A Different Perspective on Identity Governance (20)

Modern Architectures
Modern ArchitecturesModern Architectures
Modern Architectures
 
ING webcast platform
ING webcast platformING webcast platform
ING webcast platform
 
[EIC 2021] The Rise of the Developer in IAM
[EIC 2021] The Rise of the Developer in IAM[EIC 2021] The Rise of the Developer in IAM
[EIC 2021] The Rise of the Developer in IAM
 
Uid101 intro preso
Uid101 intro presoUid101 intro preso
Uid101 intro preso
 
G05.2013 gartner top security trends
G05.2013 gartner top security trendsG05.2013 gartner top security trends
G05.2013 gartner top security trends
 
Paradigmo specialised in Identity & Access Management
Paradigmo specialised in Identity & Access ManagementParadigmo specialised in Identity & Access Management
Paradigmo specialised in Identity & Access Management
 
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
VMworld 2013: Create a Key Metrics-based Actionable Roadmap to Deliver IT as ...
 
[2021 Somos Summit] - Rethinking Identity Access Management and The Rise of t...
[2021 Somos Summit] - Rethinking Identity Access Management and The Rise of t...[2021 Somos Summit] - Rethinking Identity Access Management and The Rise of t...
[2021 Somos Summit] - Rethinking Identity Access Management and The Rise of t...
 
FulcrumWay GRC Solutions
FulcrumWay GRC SolutionsFulcrumWay GRC Solutions
FulcrumWay GRC Solutions
 
ScaleFocus Insurance portfolio
ScaleFocus Insurance portfolioScaleFocus Insurance portfolio
ScaleFocus Insurance portfolio
 
Moving Enterprise Applications to the Cloud
Moving Enterprise Applications to the CloudMoving Enterprise Applications to the Cloud
Moving Enterprise Applications to the Cloud
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 
The Digital Innovation Award - Ignatica
The Digital Innovation Award - IgnaticaThe Digital Innovation Award - Ignatica
The Digital Innovation Award - Ignatica
 
Responsible Consumer Identity and Access Management (CIAM): Architecting High...
Responsible Consumer Identity and Access Management (CIAM): Architecting High...Responsible Consumer Identity and Access Management (CIAM): Architecting High...
Responsible Consumer Identity and Access Management (CIAM): Architecting High...
 
Compliance & Identity access management
Compliance & Identity access management Compliance & Identity access management
Compliance & Identity access management
 
CV of Mohan M
CV of Mohan MCV of Mohan M
CV of Mohan M
 
Streamlining Identity and Access Management through Unified Identity and Acce...
Streamlining Identity and Access Management through Unified Identity and Acce...Streamlining Identity and Access Management through Unified Identity and Acce...
Streamlining Identity and Access Management through Unified Identity and Acce...
 
How to Deliver Closed-Loop Compliance
How to Deliver Closed-Loop ComplianceHow to Deliver Closed-Loop Compliance
How to Deliver Closed-Loop Compliance
 
Con8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controlsCon8154 controlling for multiple erp systems with oracle advanced controls
Con8154 controlling for multiple erp systems with oracle advanced controls
 
Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...Customers talk about controlling access for multiple erp systems with oracle ...
Customers talk about controlling access for multiple erp systems with oracle ...
 

More from IBM Security

Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
IBM Security
 

More from IBM Security (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 

Recently uploaded

Recently uploaded (20)

ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 

The Good, the Bad and the Ugly: A Different Perspective on Identity Governance

  • 1. The Good, the Bad and the Ugly
  • 2. On stage today
    – Good#2 – Carsten Mielke, Head of Service Management at E.ON Global Commodities
    – The Bad and the Ugly – Andrea Rossi, WW Sales Leader – Identity Governance @ IBM
  • 3. Why Identity Governance? What is Identity Governance?
    – Identity Governance solutions help to resolve Security Risks and Audit findings related to logical access controls on business critical applications:
      · Lack of (policy) violation detection: “Sensitive/Privileged access has been assigned to ordinary employees”, “Separation of Duty policies are not enforced, toxic combinations occur”.
    – Identity Governance solutions detect and prevent the risk of improper access to business applications. This ‘Security Posture’ is achieved through a combination of IT controls:
      · Separation of Duties policy management
      · Access Risk scoring
      · Access Review and Certification
      · Access Request management with central auditability
  • 4. How did we get here today?
    – 2003-2008 c.e.: The “Big Provisioning Brother” age
    – 2009-2013 c.e.: The 1st Compliance ice age
    – 2014-2018 c.e.: The IGAge (the Identity Governance and Administration age)
  • 5. Identity Governance comprises 3 lifecycles
    – Identity Lifecycle: Create, Change, Delete
    – Entitlement/Role Lifecycle: Discover, Create, Review, Change
    – Risk Lifecycle: Model, Measure, Mitigate, Detect
  • 6. Business activities: Separation of Duties Management
    Separation of Duty modeling
    – Modeled on business processes, which eliminates the need for Role-to-Role SoD
    – Speaks the Auditor’s language
  • 7. The CRO dashboard: Access Risk scoring
    Model and Measure Operational Risk
    – Model, Measure and trend risks across several datasets (OUs, Applications)
    – Allows for ‘Risk driven’ access certification using ‘Heat maps’
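Slides 5 to 7 describe the model behind activity-based SoD and risk scoring without showing how the pieces fit together. The Python below is an added illustration, not IBM code and not part of the deck: it maps constructed application entitlements to business activities, declares each SoD conflict once per activity pair, derives every user's violations and an additive risk score, rolls the scores up per organisational unit the way a heat map would, and counts how many entitlement-pair (role-to-role style) rules the activity-level policy stands in for. The entitlement names, activity names, conflict weights, users and OUs are constructed sample data, and the scoring rule (sum of conflict weights plus sensitive-access weights) is an assumption chosen for illustration, not the product's formula.

```python
"""Business-activity SoD modelling and access risk scoring (added example, constructed data)."""
from collections import defaultdict

# Constructed sample: application entitlement -> business activity it enables.
# Two entitlements may enable the same activity (e.g. two ways to maintain vendors).
ENTITLEMENT_ACTIVITY = {
    "FIN:VENDOR_CREATE":   "vendor_master_maintain",
    "FIN:VENDOR_CHANGE":   "vendor_master_maintain",
    "FIN:INVOICE_ENTER":   "invoice_enter",
    "FIN:PAYMENT_RUN":     "payment_run",
    "FIN:PAYMENT_RELEASE": "payment_run",
    "ETRM:DEAL_CAPTURE":   "trade_capture",
    "ETRM:DEAL_CONFIRM":   "trade_confirm",
    "ETRM:SETTLEMENT":     "trade_settle",
    "HR:RECORD_VIEW":      "hr_read",
}

# Constructed SoD policy: declared once per pair of business activities, with a
# severity weight. frozenset makes the pair order-independent.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_run"}): 10,
    frozenset({"invoice_enter", "payment_run"}): 7,
    frozenset({"trade_capture", "trade_confirm"}): 9,
    frozenset({"trade_capture", "trade_settle"}): 8,
}

# Constructed: activities that are sensitive on their own, with a weight.
SENSITIVE_ACTIVITIES = {"payment_run": 3, "trade_settle": 3}

# Constructed user population with organisational units (OUs).
USERS = [
    {"user": "alice", "ou": "Treasury", "entitlements": {"FIN:VENDOR_CREATE", "FIN:PAYMENT_RUN"}},
    {"user": "bob",   "ou": "Trading",  "entitlements": {"ETRM:DEAL_CAPTURE", "ETRM:DEAL_CONFIRM"}},
    {"user": "carol", "ou": "Trading",  "entitlements": {"ETRM:DEAL_CAPTURE", "HR:RECORD_VIEW", "LEGACY:ADMIN"}},
    {"user": "dave",  "ou": "Treasury", "entitlements": {"FIN:INVOICE_ENTER"}},
    {"user": "erin",  "ou": "Trading",  "entitlements": {"ETRM:SETTLEMENT"}},
]


def activities_of(entitlements):
    """Effective business activities enabled by a set of entitlements."""
    return {ENTITLEMENT_ACTIVITY[e] for e in entitlements if e in ENTITLEMENT_ACTIVITY}


def sod_violations(entitlements):
    """SoD conflicts a user actually holds, as sorted (activity_a, activity_b, weight) tuples."""
    acts = activities_of(entitlements)
    return sorted((*sorted(pair), weight) for pair, weight in SOD_CONFLICTS.items() if pair <= acts)


def risk_score(entitlements):
    """Additive access risk (assumed scoring rule): SoD weights plus sensitive-access weights."""
    acts = activities_of(entitlements)
    return (sum(w for *_, w in sod_violations(entitlements))
            + sum(SENSITIVE_ACTIVITIES.get(a, 0) for a in acts))


def heat_map(users):
    """Roll risk up per OU, highest-risk OU first: {ou: {users, violators, score}}."""
    cells = defaultdict(lambda: {"users": 0, "violators": 0, "score": 0})
    for u in users:
        cell = cells[u["ou"]]
        cell["users"] += 1
        cell["score"] += risk_score(u["entitlements"])
        if sod_violations(u["entitlements"]):
            cell["violators"] += 1
    return dict(sorted(cells.items(), key=lambda kv: kv[1]["score"], reverse=True))


def unmapped_entitlements(users):
    """Entitlements nobody has mapped to an activity: a governance gap for the 'Discover' step."""
    return sorted({e for u in users for e in u["entitlements"] if e not in ENTITLEMENT_ACTIVITY})


def equivalent_entitlement_rules():
    """How many entitlement-pair (role-to-role style) rules the activity-level policy replaces."""
    by_activity = defaultdict(set)
    for ent, act in ENTITLEMENT_ACTIVITY.items():
        by_activity[act].add(ent)
    return sum(len(by_activity[a]) * len(by_activity[b])
               for a, b in (tuple(pair) for pair in SOD_CONFLICTS))


if __name__ == "__main__":
    for u in USERS:
        print(f'{u["user"]:6} {u["ou"]:9} score={risk_score(u["entitlements"]):2} '
              f'violations={sod_violations(u["entitlements"])}')
    print("heat map:", heat_map(USERS))
    print("unmapped:", unmapped_entitlements(USERS))
    print(f"{len(SOD_CONFLICTS)} activity-level rules replace "
          f"{equivalent_entitlement_rules()} entitlement-pair rules")
```

The point of declaring conflicts between activities rather than between roles or entitlements shows up in the last function: with two entitlements each for vendor maintenance and payment runs, four activity-level rules already cover eight entitlement pairs, and the gap grows with every additional entitlement that enables an existing activity. The `unmapped_entitlements` check is what keeps the model honest: an entitlement nobody has mapped is invisible to every SoD rule and every risk score.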
  • 8. IBM Security Identity Governance and Administration: Delivering actionable identity intelligence
    – Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering
    – Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement
    – Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping
    – In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews
    – Easy to deploy virtual appliances for multiple customer adoptions
      · Standalone Identity Governance
      · Integrate with existing Identity Management
      · Modernize legacy Identity management with integrated governance and administration
    Architecture diagram labels: Identity Governance and Administration Platform (VIRTUAL APPLIANCE); Common Integration Adapters; target systems: Cloud Computing, Mobile Applications, Desktop and Server, Data, Mainframe; stakeholders: IT Security Team, Auditors / Risk Managers, LoB Managers / Employees; functions: Access Fulfillment, Self Service Portal, Risk/Access Visibility, Access Certification
  • 9. IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration
    Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)
    “The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.” – Gartner, Inc., “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015, Report #G00261633
    Source: Gartner (January 2015). This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • 10. IBM’s ‘Augmented Governance’ scenario
    – SIEM: ISIG injects ‘Identity and Access Intelligence’ into Security Incidents.
    – Enterprise GRC (e.g. IBM Open P, RSA Archer): ISIG feeds the GRC processes with Access-related risks (e.g. SoD).
    – User Provisioning (e.g. IBM SIM/NetIQ IDM): The User Provisioning layer enforces access policies driven by ISIG.
    – SAP Security and IBM zSecure: ISIG embraces and extends SAP and Mainframe Security.
  • 11. A Successful Implementation of a User Access Management System at E.ON Global Commodities (EGC) – Dr. Carsten Mielke, Head of Service Management, E.ON
  • 12. Agenda
    – E.ON Global Commodities SE
    – Motivation/Drivers
    – Pre-Requisites
    – Vendor Selection process
    – Added Value
    – Lessons Learned
    – Challenges Ahead
  • 14. E.ON Global Commodities SE (EGC)
    The energy trading business of E.ON, one of the world's largest investor-owned power and gas companies. As the expert interface between the E.ON Group and international wholesale energy markets, we create value by managing the commodity price risks faced by E.ON and its customers, while optimizing the Group's broad and diverse power and gas portfolio.
    – over 1000 professionals from more than 40 countries, based in headquarters in Düsseldorf
    – one of the most active traders in the international wholesale energy markets; 2011 volumes: Gas 2480 billion kWh, Power 1967 billion kWh, Carbon 598 million metric tons, Coal 269 million metric tons, Oil 89 million metric tons (~ 600 million barrels)
    – active on more than 20 exchanges and in over 40 countries
    – executed more than 850,000 trades in 2011
  • 15. The drivers for a professional User Access Management
    – Audits (according to Audit standards IDW RS FAIT 1, IDW PS 330) showed a strong need for improvement of evidence for legal demands on authorization and authentication.
    – Capabilities required:
      · record the granting, amending and revoking of access rights to applications in scope of the EGC application access processes;
      · enable control on whether internal control process requirements are working effectively at all times.
    “Nothing is more powerful than an idea whose time has come” – Victor Hugo
  • 16. Expected benefits
    – Harmonisation and standardization of user access related processes
      · From different user application templates down to one, later to a workflow in the Intranet
    – Better control of users, roles and privileges in the target systems
      · Reducing the risk of abuse of non-intended status
    – Quicker access, changes and termination of accounts in target systems
    – User accounts and licenses can be better controlled
      · Cost reduction possible
    – Auditing control functions of SoD (Segregation of Duties) and sensitive access rights will be available in a more sophisticated way
      · Reducing effort in providing audit evidence
  • 17. Prerequisites for UAM at E.ON Global Commodities
    Diagram labels: IT Solution; HR Data Cleanup (Clean Data: Traders, Internals, Externals); Process Setup (Starter, Mover, Leaver); Organizational Implementation (CEO, CIO, HR, Risk, CFO)
  • 18. Introduction of an IT Solution – Vendor Selection
    – Initial Analysis: Detailed requirement definition of ~500 requirements; Initial design of the Proof of Concept (PoC)
    – Market Analysis: Request for Information (RfI) sent out to ~20 vendors
    – Evaluation of the feedback: Rated regarding their coverage of the four defined functional areas; Invitation of all 6 valid replies to provide a live demo of the solution approach
    – Evaluation of the presentation: Selection of PoC candidates; Finalization of the PoC design
    – Proof of Concept: 6 use cases; Both remaining vendors performing in parallel
    – Selection of the vendor: Final selection of strategic partner
  • 19. The Software Partner
    – The CrossIdeas/IBM Identity & Access Governance platform (IDEAS) was selected
    – Why did EGC choose CrossIdeas/IBM?
      · Risk/SoD modelling paradigm: 1-to-1 fit with Auditor requirements
      · Proximity
      · Consultative approach rather than product sale
  • 20. Project roadmap (high level)
    – Phase 1 (June-Dec 2012): ‘Understand the risk’
      · Detective approach, no changes to existing user provisioning processes
      · Implementation of User and SoD controls on 8 top critical applications
    – Phase 2 (2013): ‘Reduce the risk’
      · Onboarding of additional applications (including Ruhrgas)
      · Access Certification
    – Phase 3 (2014+): ‘Avoid the risk’
      · Implementation of more mature SoD controls
      · Streamline access request management
  • 22. Benefits: EGC is now in control
    – One single view on ‘who could do what’
    – Real-time detection of several types of access risks:
      · On User: SoD, Sensitive Access, orphan/service accounts;
      · On Application Roles: intrinsic SoD violation.
    – Ability to immediately react by appropriate counter-measures such as periodical review processes, revoking accounts, etc.
    ‘Audit Ready, M&A Ready’
  • 23. 23 Lessons learned Supportive • Project staffing incl. project management and business representation; • Selected vendor of the supporting IAM System represented an optimal fit to company IT and their “getting things done”-culture. Remarkably short implementation time of 4 months; • Development of Segregation of Duties (SoD) model and vendor selection was carried out simultaneously. Recommendations • Implementing SoD is an organisational task, project should have been primarily driven by central business function; • Carefully consider a tight time schedule from the very beginning and have it reflected in appropriate staffing; • Internal Knowledge of security models of the selected applications should be robust enough to build a rigorous SoD implementation on top of it.