The document discusses Vanguard's use of CA Identity Manager to provision access for both IT and business users. It describes how business users typically have a limited number of static accounts while IT users often require dynamic access across many systems. The presentation outlines how CA Identity Manager helps automate provisioning for business users while also granting necessary access more quickly for IT users to resolve outages. It provides insights into Vanguard's deployment and how their environment improved by gaining control and auditability of access requests after implementing CA Identity Manager.

1. Meeting the
Provisioning Needs of
Both IT and Business
Users at Vanguard
Security Management
SA202SN

2. Abstract
> Vanguard, one of the world's largest investment
management companies, needs to provision timely access
to all of their employees. However, like many organizations,
their IT and business users have distinct provisioning
needs. This access must be granted quickly to enable the
business, but audited and removed as soon as possible to
, p
protect customers' confidential data.
Senior Manager at Vanguard, Phil Taddeo, will share their
experiences for implementing CA Identity Manager. Robyn
Fisher, officer of Business Access Management, will share
an executive perspective on identity management,
including the success metrics that help gain corporate
support.
2 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

3. Biography
> Philip Taddeo
Sr. Manager, Business Access Management, Security and
Contingency Services, Planning and Development Division.
! 16 Year Vanguard veteran holding various leadership positions in
multiple business lines.
! Responsible for supporting the provisioning needs of Vanguard
internal users and the systems which provision them.
! Supported Vanguard’s various role based access control solutions
for the past 8 years.
! Involved in deploying and supporting CA Identity Manager at
Vanguard from 2004 to current.
> Robyn Fisher
Principal, Business Access Management, Security and
Contingency Services, Planning and Development Division.
! 20+ year background in IT operations management.
! Responsible for all business access to data at Vanguard.
3 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

4. Agenda
> Company Overview
> Differentiation of Business vs. IT Users
> Provisioning Challenges
> M
Managing your IT U
i Users
> Value of Metrics in this process
> Questions
4 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

5. Vanguard Company Overview
> Founded in 1975 and headquartered in Valley Forge, PA.
> Vanguard’s mission is to is to help clients reach their
financial goals by being the world's highest-value
provider of investment products and services.
> World’s largest pure no load mutual fund company and
World s no-load
the second largest fund firm in the U.S.
> Offer a wide array of financial products to individuals,
institutions and financial advisors.
> As of 12/31/2007 we managed approximately 1.3 trillion
dollars in U.S. Mutual Funds.
> Approximately 12,000 U.S. based crewmembers.
5 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

6. Technical Deployment Overview
> Utilize CA Identity Manager to provision access
> All crew have access to CA Identity Manager self-service
front end
> We role and rule base all platform entitlements for our
crew. We manage fine grain entitlements for:
– ACF2 – AD – CA Access
– DB2 – Sybase Control
– Unix / Linux – Oracle – Siebel
– Kerberos – MS SQL – Lotus Notes
– AS400 – UPO
> CA Identity Manager manages over 350,000 accounts
6 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

7. Technical Deployment Overview
> Platforms (endpoints)
Endpoint
managed in strong
Active Directory
synchronization
DB2
> System of Record Kerberos
! PeopleSoft HR MS-SQL
! Nightly feed of any
OS400
changes to Oracle
demographics Sybase
! Configurable fields UNIX/LINUX
that warrant access ACF2
changes
– Department
– Job Code
7 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

8. Business User Characteristics
> What are common characteristics of business users?
! Limited number of accounts, usually 4-7 accounts
! Static level of access based on business need
! Generally access data and resources through
applications
! Do not have direct access to enterprise data stores
! For compliance reasons systems they use usually
have segregation of duties and controls coded within
the application
8 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

9. Example Business User
Common Business User (Customer Service)
• Fully automated rule
driven role based access
based on HR feed
• 4 accounts created
Recordkeeping / Trading LAN Account E-Mail CRM System
System Account
• Domain user access • Customer service role
• Customer service role • Company intranet access • Access company
• Lookup account • Shared drive access profile
• Process trade • Look at company
• Modify account options contacts
9 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

10. Example IT User
• Some access automated
Common IT Support • Ad-hoc requested access
User • Also has standard LAN
and e-mail access
• Little application level
access
• Has significant number
Data Center1 Data Center 2 of accounts across many
Requires Server-1 Server-2 platforms
Server
Server-3 Server-4
Access
Requires
Hardware R R R R
Access
Database Database Database
1 2 3 Database
Requires 4
Database
Access
10 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

11. IT User Characteristics
> What are common characteristics of IT users?
! Large number of accounts ranging from 100 to
over a 1000
! Dynamic need to access highly sensitive data and
functions
! Need access to production and development
resources
! Have little application level access
! Require direct access to enterprise data stores
! Require access quickly to support critical system
outages
11 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

12. Pre-Implementation Environment
> What security looked like prior to our CA Identity
Manager implementation
1. Managers rarely knew what roles to request for
new employees.
2. Turnover could result in loss of knowledge of
security requirements.
it i t
3. Security was sometimes requested after an
employee started within a department.
4. Since inappropriate roles might have been
assigned, maintenance was frequent and roles
were redundant.
5. Security related help desk calls for user access
were many.
12 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

13. Audit and Control Considerations
> Common control themes for logical access to
systems and data
1. Requests for new or modified access must be
documented and authorized by management prior
to production activation.
2. Logical access is removed in a timely fashion, upon
HR notification and/or system availability events.
3. Appropriateness of users with access to sensitive
data.
4. Appropriateness of users with access to perform
system administrative functions.
13 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

14. Business Operations Considerations
> Common themes of IT user security provisioning
1. Administration of access must be timely especially
during system troubleshooting events.
2. Access to production resources, data and systems,
must be restricted and tightly controlled.
g y
3. “Don’t grant anything unless I authorize it”.
4. Sometimes people outside of production support
may require production access, but not full time.
5. I know we are technical but… I really don’t
understand security.
14 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

15. Project Goals
> Provide the IT users with a self-provisioning
system using intuitive naming conventions.
> Establish easy to understand access guidelines.
> Certify user access to the platform level.
> C
Create reusable roles f all types of user access
bl l for ll f
to reduce security maintenance activities.
> Apply rules in order to provision access
automatically whenever possible.
> Reduce overall access of IT personnel to
production data and systems without impacting
operations.
15 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

16. Project Timeline
Phase I Phase II Phase III
2006 2007-2008 2009- X
" Install CA Identity " Communications to " Extend CA Identity
Manager to enhance Business Manager to additional
current capabilities " Rollout users into new systems and connectors
" Role Design in roles (implementation administered manually
cooperation with of role design)
business
16 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

17. The Solution
People Process
Technology
In order to achieve the desired reduction in Audit
findings/observations and increase efficiency and client satisfaction,
three key areas needed to be addressed. Focus on one area,
without the other two will not result in the desired outcomes.
17 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

18. People - Communications
Training
All levels of management will actively
participate in security awareness and
“ I know what to do and will change perform the necessary steps to
my behavior” Behavior “Secure the Organization”.
All levels of management be committed
“ I am committed to to “Secure the Organization”.
participating” Commitment
Two-way
communication All levels of management must
understand the on-boarding,
transfer and off-boarding
“ I understand the Understanding processes and the security
message” implications of each process.
All levels of management
must be aware of their open
“ I hear the
Audit observations. In
message” Awareness addition, they need to
One-way know the applications
communication and level of access
used by their crew.
18 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

19. People – Engagement of Key Personnel
> Engaged employees from all levels of the IT organization
to develop role content and access guidelines.
! Production Access Steering Committee – officers and senior
managers from IT and Internal Audit.
! Production Access Core Team – managers, auditors and
support level personnel.
! Departmental Change Agents – management and non-
management subject matter experts.
> Work from the above teams reported to the IT Risk
Council.
> Overall program progress reported to senior executive
levels throughout the organization.
19 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

20. Process - Establish Simple Guidelines
Goal: IT crewmembers have the proper access to perform their job
functions while reasonably limiting access to the production environment.
Require prod access averaging at least 3 out of 5 days every
A
week to perform their primary duties
Read access unless associated to an Administrative Privilege
B
such as Root access on Unix
Application level access for IT Personnel must adhere to
C
Guideline A
Note: Exceptions will require both sub-division senior management & IT Security Office approval.
20 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

21. Blending Process with Technology
• All roles below use the same children role and policies underneath the parent role.
• Each parent role has a different scoping and approval chain.
Access Type Reason to Have How Quick is Duration of Who Who
Access Access Authorizes Administers
Granted Use Access
Permanent You meet the IT NA – users 24 x7 IT Divisional Self service
Full Time production access who have this Designee
Access guidelines access carry it
full time
On-Demand You do not have <15 minutes 24 hours IT Divisional Production
CRISIS full time access Designee Support
Access and need to Managers
support a system
issue
On-Demand You need to Within 24 24 hours Requestors Self service
Temporary perform a non- hours of manager and
Production critical function submission IT Divisional
Access that the production Designee
support group
cannot do for you.
(i.e. research)
21 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

22. Blending Process with Technology:
On-Demand Crisis Access
22 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

23. Blending Process with Technology:
On-Demand Temporary Access
23 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

24. Process: New Role Methodologies
• Role content was defined by the
IT business areas
• Role diagrams were turned over
Sr. Developer Role Diagram the IT business areas
• Management knows what will
Department 1124 automatically happen and what
they need to request
Retail IT Senior
Dept = 1124 and job code = 1741
Developer
(developer)
Vanguard.com Vanguard.com Vanguard.com DB2 Auth ACF2 Unix
Retail IT Share
Performance Developement Developement Group Deveolpment Development
Drives
region Region 1 Region 2 Performance 1 Access Mid-Tier
C risisR R ETA IL U N IX
VTS H A R D
Vanguard.com Production
TOKEN
Production M id-Tier
Support
24 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

25. Technology: Identity Manager End Product
This task is available to
all IT crew to request full
time and temporary
access through a standard
self- service workflow
lf i kfl
Role descriptions are
easily understandable
25 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

26. Technology: Identity Manager End Product
This task is available
only to production
support managers
within a particular
ithi ti l
sub-division.
This task is scoped so
that the production
support managers can
only administer their
sub divisions crisis
access roles.
26 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

27. Technology: End Product – UPO Initiated
Workflow Form
Crisis and temporary roles will
both initiate UPO initiated
workflow forms.
27 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

28. End Results
> IT crew have a majority of their access Day 1 when
starting their job without their managers needing to
request it.
> IT managers understand the access their crew have.
> All access is approved by managers and the respective
pp y g p
data stewards prior to assignment.
> IT can evidence authorizations to various auditors.
> Access is removed from users in a timely fashion.
> Full time access to production data and systems can be
dramatically reduced, yet be available in a timely fashion
for production support event and development projects.
28 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

29. Considerations
> If CA Identity Manager is unavailable for IT Divisional
Administrators and Availability Managers. You need to
have a solid plan B.
> High availability design of your CA Identity Manager
infrastructure is a must.
> CA Identity Manager must sustain its performance as you
increase the number of crew, roles, and end points. Build
your solution with scalability in mind.
29 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

30. Helpful Hints for Planning
> Set realistic expectations of deliverables for senior
management.
> Communicate, train, and communicate again.
> Aggressive timeframes often are good on paper but
unrealistic – plan than add 33% to y
p your timelines.
> Define users access to least privilege. Less is easier to
maintain and better for audit controls.
> Managing all platforms is very difficult and time
consuming – decide carefully before automating.
> Heavy customization is time consuming, costly and
difficult to maintain – offset it by process change.
30 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

31. Value of Metrics
Robyn Fisher

32. Dashboards Drive Change
> Dashboards/metrics are a standard communication tool
used by Vanguard management in accordance with our 6
Sigma philosophy.
> Metrics focus on tracking IT's access to production data.
> Compliance support requires reports to facilitate
recertification processes that validate only authorized
crew have production access.
> Our metrics lend themselves to a friendly atmosphere of
competitiveness across peer organizations.
32 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

33. Divisional Level Reports
IT Division Production Access
45%
39%
40%
37%
35%
30%
Users
% of IT U
25%
20%
15%
10%
5%
0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0%
Jul-08 Aug-08 Sep-08 Oct-08 Nov-08 Dec-08 Jan-09 Feb-09 Mar-09 Apr-09 May-09 Jun-09
Jul-2008 Aug-2008 Sep-2008 Oct-2008 Nov-2008 Dec-2008 Jan-2009 Feb-2009 Mar-2009 Apr-2009 May-2009 Jun-2009
%of Prod Access 37% 39% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
33 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

34. Departmental Examples
% Full Time Production Access By Department
August 2008
120%
100% 100%
100% 96% 96%
90%
83%
81%
79%
80%
60%
48%
37%
40%
29%
20%
20%
1%
0%
Dept A Dept B Dept C Dept D Dept E Dept F Dept G Dept H Dept I Dept J Dept K Dept L Dept M
%of Prod Access 48% 96% 100% 81% 1% 79% 96% 100% 29% 37% 90% 83% 20%
IT Avg 39% 39% 39% 39% 39% 39% 39% 39% 39% 39% 39% 39% 39%
34 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

35. Departmental Detail Examples
35 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

36. Q&A

37. Related Sessions
SESSION # TITLE Date / Time
SA103SN CA Identity Manager Product Update 11/18/2008
and Roadmap Discussion at 2:45 p.m.
SA711SN How to Deploy Identity Management 11/19/2008
on a Fi d B d t
Fixed Budget at 8 30 a.m.
t 8:30
SG112SN Balancing Timely Provisioning with 11/19/2008
Security Requirements in a Changing at 2:45 p.m.
Environment
37 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.

38. Please Complete a Session Evaluation Form
> The number for this session
is SA202SN
> After completing your
session evaluation form,
place it in the basket at the
back of the room
! Please left-justify the
session number
38 November 16-20, 2008 Copyright © 2008 CA. All rights reserved.