Identity governance has traditionally been seen as a
compliance activity. However, that has changed and
effective identity governance now has an additional,
vital role in reducing information security risk. So
what does this mean for you? In this session we’ll
take a look at how identity analytics and real-time
identity governance can ensure compliance, while
simultaneously increasing your security profile.
5. The Evolution of Identity Governance?
Phase Two: The Directory Services “Silver Bullet”
[Diagram: Identity Repositories → Directory Services “…plus Identity Repositories” → “…or NOT!”]
6. The Evolution of Identity Governance?
Phase Three: Provisioning, Password Sync & SSO
[Diagram: Identity Repositories → Directory Services “…plus Identity Repositories” → Provisioning/Pwd Sync → Single-Sign On]
7. What Does This Have To Do With ID Governance?
Sarbanes-Oxley Act 2002, Section 404
[Diagram: SoX Section 404 → Identity Governance & Administration 1.x; IT Centric → Business Centric]
Assessment of Internal Control: requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, as documenting and testing important financial manual and automated controls requires enormous effort.
9. Identity Governance & Administration 1.x
Pros…
• Ability to Collect Accounts & Permissions from Apps
• Central Repository of All Access
• Automatically Link Accounts to Identities
• Configure & Forget
• Scheduled
• Policy
• Create & Apply Consistent Policies
• SoD, Risk, High Privileged Access, Unmapped/Orphaned
• Easily Identify Policy Violations from the “Noise”
13. Identity Governance & Administration 1.x
Cons…
• Persistent Information Overload
• Little or No Reduction In Number of Review Items
• Lack of Business Context
• Automation of Controls, Not The Review
[Screenshot mock-up: a review page listing Permission #1…#7, #21…#27 and #x1…#x7 with a “Select All” checkbox, “Keep” and “Next” buttons, paginated 1, 2, 3]
14. Identity Governance & Administration 1.x
Cons…
• No Decision Support
• Requires Manual Intelligence Gathering
[Screenshot mock-up: the same permission list (Permission #1…#7, #21…#27, #x1…#x7), annotated with the questions the reviewer has to answer by hand:]
• Who Approved These Permissions?
• When Did This Person Get These Permissions?
• Are These Direct Assignments, or Part of a Role?
• Are These Permissions Normal?
• What Do These Permissions Mean?
• Do These Permissions Violate Any SoD Policies?
• Is This Person a Privileged User?
• How Did The Person Get These Permissions?
15. Identity Governance & Administration 1.x
Cons…
• It Does Not Significantly Reduce Risk
[Timeline: Review Campaign #1 (Collect → Review → Sign Off → Certified) followed by Review Campaign #2 (Collect → Review); a Change made between the campaigns sits in a Risk Window of ~6 Months?]
16. Identity Governance & Administration 1.x
Cons…
• The Role Mining Myth
• It Looks Good in Demos
• But…
• Are All The Permission Assignments:
  • Correct?
  • Appropriate?
  • Accurate (Point in Time)?
• Are The New Roles Appropriate?
  • Do They Reflect The Business?
  • Are They Close To Existing Roles?
  • Will Risk Be Accurately Represented?
17. Identity Governance & Administration 1.x
In Summary
• Delivers Automation & Review Oversight
• No Significant Reduction in Review Effort
• Lack of Decision Support
• No Reduction in Risk
• Review Items Usually Out Of Date
• Select All, Keep, Next!
• Role Mining Is Not The Answer
19. Step One – Curation
Make Sense of What You Have…
20. Step Two – Reduce the Noise
Business Roles…
• Identity Centric
• Review at Macro Level
• Authorised Roles Can Be Excluded From Reviews
• Concentrate Exceptions (White listing)
21. Step Two – Reduce the Noise
Business Roles…
• Membership Expression Automates Assignment
• Contains Permissions, Technical Roles & Applications
• Role Items Are Mandatory / Optional
• Can be Authorised at the Role, or More Granular with Time Limits
22. Step Two – Reduce the Noise
Technical Roles…
• Capability Centric
• Review at Macro Level
• Assignment is Based on Permissions Assigned
23. Step Two – Reduce the Noise
Working with Roles…
24. Step Two – Reduce Noise Without Increasing Risk
Risk-Based Reviews…
• Concentrate on High Risk Access
• Review Everything Else Less Often… …If At All …Or On Change
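The noise reduction of Steps Two and the risk-based review above, as an added illustration (not code from the deck or from any product it names): a business role with a membership expression and mandatory/optional items explains away the permissions it grants, whitelisted exceptions drop out, and only what remains is split by risk into “review now” and “review less often”. The role, people, permission names and the HIGH_RISK catalogue are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet

# Added illustration, not code from the deck: a business role whose membership
# expression automates assignment; authorised roles are excluded from review.
@dataclass
class BusinessRole:
    name: str
    membership: Callable[[dict], bool]       # evaluated on the person's HR attributes
    mandatory: FrozenSet[str] = frozenset()  # role items the member must hold
    optional: FrozenSet[str] = frozenset()   # role items the member may hold
    authorised: bool = False

@dataclass
class Person:
    name: str
    attrs: dict                              # HR attributes (constructed)
    permissions: FrozenSet[str]              # accounts/permissions collected from apps

# Constructed risk catalogue; a real deployment rates permissions in its governance data.
HIGH_RISK = frozenset({"AD:Domain Admins", "SAP:Release Payments"})

FINANCE_ANALYST = BusinessRole(
    name="Finance Analyst",
    membership=lambda a: a.get("department") == "Finance",
    mandatory=frozenset({"SAP:View Ledger", "Share:FinanceReports"}),
    optional=frozenset({"SAP:Post Journal"}),
    authorised=True,
)

def review_items(person, roles, exceptions=frozenset()):
    """Split permissions into (review now, review less often, not reviewed).
    Anything explained by an authorised role whose expression the person
    satisfies, or whitelisted as an exception, drops out of the review; what
    remains is reviewed now if high risk and deferred otherwise."""
    explained = set(exceptions)
    for role in roles:
        if role.authorised and role.membership(person.attrs):
            explained |= role.mandatory | role.optional
    unexplained = person.permissions - explained
    now = {p for p in unexplained if p in HIGH_RISK}
    return sorted(now), sorted(unexplained - now), sorted(person.permissions & explained)

if __name__ == "__main__":
    alice = Person("alice", {"department": "Finance"}, frozenset({
        "SAP:View Ledger", "Share:FinanceReports", "SAP:Post Journal",
        "AD:Domain Admins", "Jira:Developer", "Wiki:Editor"}))
    now, later, skipped = review_items(alice, [FINANCE_ANALYST], {"Jira:Developer"})
    print(f"{len(alice.permissions)} permissions -> {len(now)} to review now: {now}")
```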
25. Step Three – Make Informed Decisions
Context-Based Decision Support…
[Screenshot: review screen with panels for Usage Guidance, Permission Relationship, Person Details and Permission Details]
26. Step Four – Close the Risk Windows
Event-Based Reviews – High Risk Group Example…
[Flow: Person Added to High Risk AD Group (e.g. Domain Admins) → Detected by Change Guardian → Alert Raised → Alert Event Triggers a Review of the User → Complete Fulfilment (If Required) → Store Decision (for Audit); Window of Risk: Near Real-Time]
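The event-based review flow above, as an added illustration rather than Change Guardian's own output or API: a change-monitoring feed is filtered for additions to a high-risk AD group, each hit opens a review of the user with a near-real-time target, and the reviewer's decision (plus any fulfilment) is stored for audit. The JSON event format, field names, group list and REVIEW_SLA are assumptions; the events are constructed.

```python
import json
from datetime import datetime, timedelta

# Added illustration, not Change Guardian output: event format and field names
# are assumptions, and the events below are constructed.
HIGH_RISK_GROUPS = frozenset({"Domain Admins", "Enterprise Admins"})
REVIEW_SLA = timedelta(hours=4)          # assumed near-real-time review target
CAMPAIGN_WINDOW = timedelta(days=182)    # ~6 months between periodic campaigns (per the deck)

EVENTS = [  # constructed change-monitoring events, one JSON object per line
    '{"ts":"2024-03-04T09:12:00","type":"group_member_added","group":"Domain Admins","member":"jsmith","actor":"svc-prov"}',
    '{"ts":"2024-03-04T09:15:00","type":"group_member_added","group":"Marketing","member":"jsmith","actor":"hr-sync"}',
    '{"ts":"2024-03-04T09:20:00","type":"group_member_removed","group":"Domain Admins","member":"old-admin","actor":"svc-prov"}',
]

def raise_reviews(lines):
    """Alert event -> review: only additions to a high-risk group trigger a review."""
    reviews = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] != "group_member_added" or ev["group"] not in HIGH_RISK_GROUPS:
            continue
        detected = datetime.fromisoformat(ev["ts"])
        reviews.append({"member": ev["member"], "group": ev["group"], "actor": ev["actor"],
                        "detected": detected, "due": detected + REVIEW_SLA,
                        "decision": None})
    return reviews

def record_decision(review, reviewer, keep, decided_at):
    """Store the decision for audit, queue fulfilment if access is revoked, and
    return the window of risk in hours (time the access went unreviewed)."""
    review["decision"] = "keep" if keep else "remove"
    review["reviewer"] = reviewer
    review["decided_at"] = decided_at
    review["fulfilment"] = None if keep else f"remove {review['member']} from {review['group']}"
    return (decided_at - review["detected"]).total_seconds() / 3600

def periodic_window_hours():
    """Worst-case exposure if the same change waited for the next review campaign."""
    return CAMPAIGN_WINDOW.total_seconds() / 3600

if __name__ == "__main__":
    for r in raise_reviews(EVENTS):
        hours = record_decision(r, "line-manager", keep=False,
                                decided_at=r["detected"] + timedelta(hours=2))
        print(f"{r['member']} added to {r['group']} by {r['actor']}: {r['decision']}, "
              f"risk window {hours:.0f}h vs ~{periodic_window_hours():.0f}h for a campaign")
```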
27. Step Five – Demonstrating Governance
Tracking…
28. Step Five – Demonstrating Governance
Reporting…
29. Step Five – Demonstrating Governance
Analytics…
30. Identity Governance.NextGen
In Summary
• Automates the Entire Review Process
• Efficiency Without Compromise
• Curation, Roles, Risk-Based Review
• Enables the Business to Make Informed Decisions
• Context-Based Decision Support
• Reduces Risk Exposure
• Event-Based Reviews
• Easily Demonstrate Governance
31. Identity Governance.NextGen
In Summary
Fundamentally… It Delivers the Promises Made by Identity Governance & Administration 1.x