Kuppinger Cole Virtual Conference
The Three Elements of Access
Governance
Martin Kuppinger, Kuppinger Cole
[email protected]
December 8th, 2009
www.id-conf.com/eic2010
• Market Maturity
• Regulation, Privacy, Information Security
• Governance, Mitigating Risk
• Cloud Computing & Trust
• Roles and Attributes
• Authentication & Authorization
Creating more value for less through Identity Management & GRC
Call for Speakers:
Virtual Conference
Enterprise Access Governance
Controlling Access, Ensuring Information Security
www.kuppingercole.com/webinars
December 8-9, 2009
• How to efficiently mitigate your "access risks"
• Full Access Governance – combining access certification, role management, provisioning, and privileged access management
• RBAC vs. ABAC: comparing role-based and attribute-based access
• The business view – Enterprise GRC vs. IT-GRC and where they should be linked
• Mitigating application security risks
Kuppinger Cole Reports
Some of the current reports:
• Market Report Cloud Computing
• Product Report Radiant Logic Virtual Directory Server
• Vendor Report Arcot Systems
• Product Report Sun Identity Manager
• Vendor Report ActivIdentity
• Trend Report Enterprise Role Management
• Vendor Report Quest Software
• Product Report SailPoint IdentityIQ
• Vendor Report BHOLD 2009
• Vendor Report Entrust 2009
• Vendor Report Oracle 2009
• Vendor Report Evidian
• Business Report Key Risk Indicators
Some guidelines for the Webinar
You will be muted centrally. You don't have to mute/unmute yourself – we can control the mute/unmute features.
We will record the Webinar.
Agenda
• The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access
Access Governance defined
Access Governance
• Access: managing access to systems and information – who is allowed to do what?
• Governance: enforcing a good practice of management – in that case particularly for IT
Context: IAM
• Identity and Access Management: the management of identities and their access
• It's mainly about access – but we need identities therefore
Context: GRC
• Governance, Risk Management, and Compliance: Governance as the basic concept
• Risk Management and Compliance as elements of Governance
• Information Security is the business term
• That's why we mainly deal with topics like IAM and Access Governance
The three elements of Access Governance
The main elements: Management, Analysis
Types of accounts: "Standard" user, admin user
Attestation and Recertification
Analyzing the situation
The (manual) process of having responsible persons go through existing access controls (authorizations, entitlements) and attest or revoke them
Manual control process
Regularly performed at the departmental manager level (but be careful on that)
Supported by escalations and other procedures
The need for attestation
5 good reasons
Attestation is a first step to clean up access controls
Attestation is (if done right) a continuous audit mechanism
Attestation can show issues in identity and access lifecycle management
Attestation educates users about the need for security
Approaches to attestation
One-way, audit-oriented – Two-way, actionable
Single-layered – Multi-layered
Point-of-time – Continuous
Undifferentiated – Risk-based
Threat:
Multi-layered attestation
Layers (bottom to top) and the check performed between each pair of layers:
System (System Security, Access Control Administration): system roles – groups, roles, profiles
  Correct access controls? – attested by Identity Management + System Administration
Identity Management: business roles – job, hierarchy, location, project, …
  Correct assignments? – attested by Identity Management + Business IT
Business IT: employees – tasks, projects, …
  Correct business roles? – attested by Management + Business IT
Management
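The two slides above (two-way, risk-based attestation and the three attestation layers) as a small working model. This is an added example, not code from the presentation; employees, roles, system names and risk ratings are constructed, and the reviewer per layer is assigned as the slide describes.

```python
from collections import namedtuple

# Constructed sample data (hypothetical employees, roles and risk ratings), one dict per layer.
EMPLOYEE_ROLES = {       # layer 1: employee -> business roles, attested by management
    "alice": ["AP Clerk"],
    "bob": ["AP Clerk", "Vendor Master Admin"],
}
BUSINESS_TO_SYSTEM = {   # layer 2: business role -> system roles, attested by business IT
    "AP Clerk": ["SAP:AP_POST"],
    "Vendor Master Admin": ["SAP:VENDOR_MAINT"],
}
SYSTEM_ENTITLEMENTS = {  # layer 3: system role -> (entitlement, risk), attested by system admin
    "SAP:AP_POST": [("post supplier invoice", "medium")],
    "SAP:VENDOR_MAINT": [("change vendor bank data", "high")],
}
REVIEWER = {1: "line manager", 2: "business IT", 3: "system administration"}
RISK_RANK = {"high": 0, "medium": 1, "low": 2}  # lower rank = reviewed first

# subject = employee / business role / system role; assigned = what the reviewer attests or revokes
Item = namedtuple("Item", "layer subject assigned reviewer risk")

def worst(risks):
    """A role is as risky as its riskiest entitlement (no entitlements at all counts as low)."""
    return min(risks, key=RISK_RANK.__getitem__, default="low")
def system_role_risk(sr):
    return worst([r for _, r in SYSTEM_ENTITLEMENTS[sr]])
def business_role_risk(br):
    return worst([system_role_risk(sr) for sr in BUSINESS_TO_SYSTEM[br]])

def campaign():
    """Attestation items for all three layers, ordered highest risk first (risk-based)."""
    items = [Item(1, e, br, REVIEWER[1], business_role_risk(br))
             for e, roles in EMPLOYEE_ROLES.items() for br in roles]
    items += [Item(2, br, sr, REVIEWER[2], system_role_risk(sr))
              for br, srs in BUSINESS_TO_SYSTEM.items() for sr in srs]
    items += [Item(3, sr, ent, REVIEWER[3], risk)
              for sr, ents in SYSTEM_ENTITLEMENTS.items() for ent, risk in ents]
    return sorted(items, key=lambda i: (RISK_RANK[i.risk], i.layer, i.subject))

def apply_decisions(items, decisions):
    """Two-way, actionable: a 'revoke' decision removes the assignment at its own layer."""
    revoked = []
    for it in items:
        if decisions.get((it.layer, it.subject, it.assigned)) != "revoke":
            continue
        if it.layer == 3:
            SYSTEM_ENTITLEMENTS[it.subject] = [e for e in SYSTEM_ENTITLEMENTS[it.subject] if e[0] != it.assigned]
        else:
            {1: EMPLOYEE_ROLES, 2: BUSINESS_TO_SYSTEM}[it.layer][it.subject].remove(it.assigned)
        revoked.append(it)
    return revoked
```

Because risk is inherited upwards through the layers, the line manager sees Bob's "Vendor Master Admin" role first, since it leads to a high-risk entitlement.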
More Analysis
Adding Automated Controls
Automated controls support the ongoing analysis and (potentially) the real-time detection of issues.
Advanced analysis mechanisms support the ad hoc analysis.
Specific attestation/recertification solutions typically support at least ad hoc controls.
The situation
Increasing pressure on IT management and operations
Growing number of compliance regulations
Increasing awareness of the need for IT Governance
Increasing complexity of IT environments – breadth and depth
Changing role of IT – less autonomy, more focus on efficient fulfillment
The result
More requests
More answers to provide
Less time to deliver
Higher workload for fewer people
The real world of core systems
Many servers, different systems
Different operators, frequently some inconsistency in operations
Large amount of data
Large amount of controls
The answers to questions like "what has Mr. X done when" require access to different systems at a detailed level, strong capabilities in mapping and normalizing data, and strong analytic
The Reality
Missing auditability
Which systems are out there?
• Few enterprises know them all
Which users have access to which systems?
• Sometimes known for central systems, if there is a provisioning tool deployed (sometimes even via E-SSO)
Which granular entitlements do
• Usually even for core systems like Active Directory and SAP insufficiently solved
Auditing, SIEM, Operations Management
System-level Auditing              | SIEM                                                   | Operations Management
Current state and historical data  | Current events, sometimes historical                   | Current events
Ex post                            | Real time                                              | Real time
Security-focused                   | Security-focused                                       | Operations-focused, all types of operational aspects
Mainly access controls             | All types of security events, frequently more "classical security" than access controls |
Approaches to audit optimization
Integration
• Define the required elements – less is more
• Platforms help – few platforms are better than many point solutions
• Integrate these elements to support drill-down
Automation
• Focus on automated collection and
Authorization Management
Closing the loop
The different terms – all about the same
• Access Control
• Authorization Management
• Entitlement Management
Authorization Management
• Actively managing access
Authorization Management
Closing the loop
Managing Authorizations
Analysis and
Multi-layered Authorization Management
Management of detailed entitlements (system and app level, might be XACML based, …)
Assignment of users to groups, roles, profiles (provisioning)
The Reality
Missing consistency
Consistent, centralized Authorization Management for heterogeneous environments?
Privileged Account Management
Focus on sensitive accounts
Adding privileged accounts
How to control the access of users using these accounts?
Many terms – one target
The terms
• PAM: Privileged Account Management
• PIM: Privileged Identity Management
• PUM: Privileged User Management
• Root Account Management
• Controlling privileged accounts and how they are used
Privileged Accounts
Beyond "root"
• root
PAM
The approaches
Differentiated auditing of administrative activities
Integration with Lifecycle Management approaches – no orphaned privileged accounts
One-time passwords for privileged accounts
Reduced entitlements of privileged accounts, for example using specialized shells
Organizational actions
Automatic generation of passwords for accounts without interactive logon
Avoiding technical
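The lifecycle-integration and password controls on the slide above, turned into a check a PAM or IAM team could run over an inventory of privileged accounts. This is an added example, not code from the presentation; the systems, account names, owner ids, password ages and the status values of the lifecycle feed are all constructed.

```python
# Constructed sample data: hostnames, accounts, owner ids, kinds and password ages are hypothetical.
LIFECYCLE = {"e100": "active", "e200": "left"}   # identity lifecycle feed: owner id -> HR status

PRIVILEGED_ACCOUNTS = [  # what a discovery scan of the managed systems reported
    {"system": "db01", "account": "root", "kind": "shared", "owner": None,
     "interactive": True, "pw_age_days": 400},
    {"system": "db01", "account": "oracle", "kind": "service", "owner": "e100",
     "interactive": False, "pw_age_days": 20},
    {"system": "app02", "account": "adm_bob", "kind": "personal", "owner": "e200",
     "interactive": True, "pw_age_days": 30},
    {"system": "app02", "account": "svc_backup", "kind": "service", "owner": "e100",
     "interactive": True, "pw_age_days": 900},
]

def check_privileged(accounts, lifecycle, max_pw_age_days=90):
    """Return (system, account, finding) triples for accounts violating the PAM controls."""
    findings = []
    for a in accounts:
        key = (a["system"], a["account"])
        if a["owner"] is None:
            # no responsible person: nobody can attest the account or its use
            findings.append(key + ("NO_OWNER",))
        elif lifecycle.get(a["owner"]) != "active":
            # owner has left, or is unknown to HR: an orphaned privileged account
            findings.append(key + ("ORPHANED",))
        if a["kind"] == "service" and a["interactive"]:
            # accounts without a human behind them should not allow interactive logon
            findings.append(key + ("SERVICE_INTERACTIVE",))
        if a["pw_age_days"] > max_pw_age_days:
            # privileged passwords should be one-time or generated automatically, not static
            findings.append(key + ("STALE_PASSWORD",))
    return findings

def by_account(findings):
    """Group finding codes per (system, account) for a report to the account owners."""
    report = {}
    for system, account, code in findings:
        report.setdefault((system, account), []).append(code)
    return report
```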
PAM market
Evolution
Point solutions
PAM suites
Integration with Identity Lifecycle Management
Application Security Infrastructures
Identity Federation, End-to-End Security
Changing Security Models at the System Level (OS,
Maturity Levels of PAM approaches
Missing
• Status: No PAM at all
• Tools: None
• Risk: Very high
Ad hoc
• Status: Point solutions, typically for UNIX/Linux
• Tools: Mainly sudo
• Risk: Very high
Unplanned
• Status: Non-coordinated use of point solutions
• Tools