Identity Governance: Not Just For Compliance
•
2 likes•1,483 views
View on-demand presentation: http://securityintelligence.com/events/identity-governance-not-just-for-compliance/ Did you know that proper identity governance will make your organization more secure? Between Separation of Duty violations, entitlement creep and insider threats, user IDs are the doorway to your organization and identity governance can be the deadbolt. Join this webinar to learn how you can employ identity governance to not only simplify your audit process, but to safeguard your entire organization.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Identity Governance: Not Just For Compliance
Similar to Identity Governance: Not Just For Compliance (20)
More from IBM Security
More from IBM Security (20)
Recently uploaded
Recently uploaded (20)
Identity Governance: Not Just For Compliance
- 1. © 2015 IBM Corporation IBM Security 1© 2015 IBM Corporation Identity Governance: Not Just for Compliance Brandon Whichard & Diana Kelley IBM Security
- 2. © 2015 IBM Corporation IBM Security 2 <Identity Management> <Identity Governance> Control unauthorized access and prevent “entitlement creep” Ability to quickly deprovision and identify who has access to what Identity governance and management can help you reduce risk Govern and administer users and their access 1. What does the user have access to? 2. What business activity does the user want to do with that access? 3. What access does that user need to do their job?
- 3. © 2015 IBM Corporation IBM Security 3 According to Ponemon Institute, the cost of a data breach to global organizations is on the rise Source: Ponemon Institute Cost of Data Breach Study $154 Average cost per record compromised 23% increase Total cost of a data breach net change over two years $3.79 million Average total cost per data breach up 6% up 7% $136 $145 $154 1 2 3 Series1 Net change over 1 year = 6% Net change over 2 years = 12%
- 4. © 2015 IBM Corporation IBM Security 4 Overwhelmingly, survey respondents identify evasion of existing security controls as a key reason for breaches 3% 6% 7% 12% 15% 20% 35% 37% 65% Other Lack of accountability Lack of data classification Incomplete knowledge of where sensitive data exists Poor leadership Third-party vetting failure Lack of in-house expertise Insufficient funding Evaded existing preventive security controls Source: Ponemon Institute Cost of Data Breach Study. Two responses permitted.
- 5. © 2015 IBM Corporation IBM Security 5 Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors Source: IBM 2015 Cyber Security Intelligence Index, Figure 5
- 6. © 2015 IBM Corporation IBM Security 6 New classifications of Insider Threats Disgruntled employees Malicious insiders Inadvertent insiders Quasi-insiders Traditionally, “insider threats” meant disgruntled or negligent employees were inflicting harm to the company’s assets; today many different classifications have come forward
- 7. © 2015 IBM Corporation IBM Security 7 People can be the weakest link in securing valuable data
- 8. © 2015 IBM Corporation IBM Security 8 Using Identity and Access management solutions can help mitigate risks Strong authentication that relies on sound policy for identity assurance Use identity governance solutions to help classify users by roles and access requirements Privileged IDs are growing, so control the associated risk. Grant user entitlements appropriately and keep them updated Manage and monitor users for both security and compliance.
- 9. © 2015 IBM Corporation IBM Security 9 IT Security Manager ERPCRM Mainframe HR Application Entitlements Business Activities vs. Roles and Entitlements Provides information regarding who has which entitlements Who SHOULD have which entitlements? Auditor Identifies what business activities cause SoD violations (toxic combinations) Which entitlements cause toxic combinations? Business Manager Understands what business activities employees do Which entitlements grant access to which business activities? The dependencies of traditional identity management Requests employee IT entitlements from IT Security Manager Receives list of entitlements based on IT Security Manager’s request
- 10. © 2015 IBM Corporation IBM Security 10 MainframeCRM ERP HR Bridging Business, Auditor and IT points of view Business-Centric SoD mapping to simplify access request and certification IT Roles and Entitlements Business Activities View Accounts Payable Create Sales Record Create Purchase Order Update Payroll Map business activities to IT roles and entitlements
- 11. © 2015 IBM Corporation IBM Security 11 Role-based SoD vs. Activity-based SoD Detected Violation 1 Logical Constraint
- 12. © 2015 IBM Corporation IBM Security 12 Undetected Violations with Roles But ... alternative assignment patterns may lead to false negative - Same access rights - Different assignment - Undetected violations Undetected Violation 1 Logical Constraint
- 13. © 2015 IBM Corporation IBM Security 13 1 Logical Constraint = 6 Manually managed FAQ: Couldn’t we just use Roles? Role based SoD enforcement imply high configuration complexity - Constraint combinatorial explosion required Detected Violation Roles are not designed for effective SoD management
- 14. © 2015 IBM Corporation IBM Security 14 Roles inherit – Activities propagate Business activity model is designed specifically for SoD Management - Works regardless the assignment style (direct, role based, mixed) - Full enforcement does not require additional constraint definition 1 Logical Constraint = 1 Manually managed (9 automatically propagated) Detected Violation
- 15. © 2015 IBM Corporation IBM Security 15 Roles inherit – Activities propagate Business activity model is designed specifically for SoD Management - Works regardless the assignment style (direct, role based, mixed) - Full enforcement does not require additional constraint definition 1 Logical Constraint = 1 Manually managed (9 automatically propagated) 1 Logical Constraint = 6 Manually managed Detected Violation
- 16. © 2015 IBM Corporation IBM Security 16 Role-based SoD versus Activity-based SoD Role Mining / Modeling Define SoD on Roles Entitlements Collection Role Mining / Modeling Entitlements Collection Activity Based SoD Activity Based SoD Role Based SoD Role needs to come first Access Review to allow Role Mining is further delaying the SoD Introduction SoD Analysis can be the first, or the only, objective Side effect – Deliver Business level readability of Entitlements regardless of Role introduction
- 17. © 2015 IBM Corporation IBM Security 17 1. Activity driven access request management Simplify self-service access request for managers and employees Self-service, shopping cart interface “Speaks” business language but also understands the IT and application roles Automatically detects segregation of duties (SoD) conflicts Saves time, while ensuring proper and compliant user access Jane Doe is now on my team and needs to be able to Approve Orders I have a new assignment, I need to be able to Approve Orders. End User Business Manager Jane Doe can also Create Orders and that is a segregation of duties violation APPROVED DENIED
- 18. © 2015 IBM Corporation IBM Security 18 Focused, risk-driven campaigns Managers can understand exactly what access they are certifying and why Same simple look and feel regardless of role within the organization Ability to execute multi-step approval workflows 2. Business centric access certification Enables business managers to quickly review employee access and take action Business Manager “Does John Smith still need to open Sales Opportunities? SalesConnect is a CRM used by the sales team to effectively communicate with clients and track ongoing projects.” NO John is no longer on the Sales team NOT SURE Please delegate to Jane Doe YES John still needs access
- 19. © 2015 IBM Corporation IBM Security 19 Identity Governance and Administration Results CLIENT EXAMPLES Audit Access Large European designer found almost 80% of users had unnecessary access after leveraging the “last usage” information in their automated controls set Governance Large European insurance and financial services firm governs access to 75,000 employees, agents, privileged users by identifying access risks, separation of duty and certify access for SAP, AD, mainframe, and custom-built apps
- 20. © 2015 IBM Corporation IBM Security 20 Identity and Access Management Capabilities to help organizations secure the enterprise identity as a new perimeter Datacenter Web Social Mobile Cloud Directory Services IBM Identity and Access Management Solutions and IBM Security Services Cloud Managed / Hosted Services Software-as-a- Service On Premise Appliances Identity Management • Identity Governance and Intelligence • User Lifecycle Management • Privileged Identity Control Access Management • Adaptive Access Control and Federation • Application Content Protection • Authentication and Single Sign On
- 21. © 2015 IBM Corporation IBM Security 21 Learn more about IBM Security Visit our website IBM Security Website Watch our videos IBM Security YouTube Channel Read new blog posts SecurityIntelligence.com Follow us on Twitter @ibmsecurity IBM Security Intelligence. Integration. Expertise.
- 22. © 2015 IBM Corporation IBM Security 22 www.ibm.com/security © Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.