Is Identity Governance as exciting as buying car Insurance?

Transcription

1 Is Identity Governance as exciting as buying car Insurance? History, myths, facts and lessons learned Andrea Rossi Co-founder & EVP Sales, CrossIdeas European IBM Security User Group Zurich May reality

2 Agenda What problem are we trying to solve? The Darwinian evolution of the art of Identity and Access Is Identity Governance as exciting as buying a car Insurance? Whatisaheadofus? 2

3 About Crossideas CrossIdeas is a leading player of Identity Governance Solutions, enabling organizations to achieve their Compliance, Audit and Access Risk Management objectives 3 Founded in 2011, product originates in 2005 HQ in Italy (Rome) Rated as visionaire in the Gartner IAG MQ 2011/2012 and IGA Fortune 500 companies run CrossIdeas (Generali, ENEL, Helvetia, EON, SocGen, etc) CrossIdeas is an IBM Business Partner. We add Identity Governance and Intelligence capabilities to ISIM and QRadar

4 Acronyms today What problem are we trying to solve? 4

5 The pain chain 1 Could you prove that John Doe has appropriate permissions as defined by the books? 2 Could you verify if John Doe is appropriately profiled? Auditors 4 Could you verify if John Doe is correctly profiled? IT Security 3 I can just tell you what John has I can t tell about appropriateness Application Managers 0 Are we compliant under xyz regulation? How do we manage and mitigate risks? 5 I could If I was techy enough to understand all these tech details.. CFO, CRO Business Manager

6 External forces drive Identity Governance adoption Financial Reporting SOX, CA , Turnbull, LSF, Transparency Directive, JSOX, MAR Industry Mandated Initiatives Basel II, Solvency II, GLBA, FERC/NERC, FFIEC, FISMA, HIPAA/HITECH, ITAR, Smart Grid Privacy Mandates PCI, State Based (CA 1386, MA Privacy 201), Country Based, EU Data Protection CxO/Senior Executives take individual responsibility for the accuracy and completeness Auditors require certified information to approve Accounts / Risk Mgt reports 6

7 Yes but What is the difference? Between Identity Management and Governance

8 Acronyms today The Darwinian evolution of the artof IdentityandAccess 8

9 It all started with giant projects a.c. The User Provisioning days Budgets well above 1 ml Results to be achieved within 18 months Myths Facts Automatic Provisioning of the right profile on each application is Role-based Compliance controls are enforced Operational efficiency is achieved, but with little business value On avg.less than 20% of applications are connected No real Compliance controls, no Roles

10 Then early mammals emerged a.c. The Access Governance days Budgets below0.5 ml Results to be achieved within 6 months Myths Facts Compliance clean-upof 90%+ of the audit relevant applications Business will help a lot as the UI is nice Visibility is achieved, no automation Business does not understand jargon of IT permissions even with a nice UI Certification is a one-off effort

11 Now we are in the age of Bipeds a.c. This is where we are today The Identity Governance days Budgets back again above1 ml Phased, short terms results (6 months milestones) Myths Facts Protect any existing investment (Provisioning, Service Desk) Add Risk controls (SoD) Streamline all end user facing processes (not just attestation, access request management too) with an Amazon-like UI Let s touch base in 2 years time

12 Governance has a different maturity path Access Request Role Mngmt Can we speed up access delivery with a business friendly UI? Segregation of Duty Can we define, discover, validate and maintain roles? Certification How do we design auditor friendly SoD policies? Access Visibility Should they have access? Who has access to what?

13 Acronyms today Is Identity Governance as exciting as buying car Insurance? 13

14 Lesson learned #1 Keep IT to Business Translation/information readability as yourconstant1 st priority 14

15 Lesson learned #2 Identity Governance is a highly-visible business application, not hidden infrastructure: IT usability is key, get the buy-in of business users before you roll it out Ferrari 15

16 Lesson learned #3 Make automated provisioning no longer an obsession, just fit for purpose. Re-use whatyouhaveasmuchaspossible 16

17 Summary of findings Keep IT to Business Translation/information readability as your constant top priority Identity Governance is a highly visible business application, not hidden infrastructure: IT usability is key, make it visible to business users Make automated provisioning no longer an obsession, just fit for purpose and re-use what you have (e.g. Service Desk) as much as possible 17

18 Acronyms today What saheadofus? 18

19 Will the risk connection take-off? a.c. The GRC days Budgets back again in L/VL mode? Myths Access & Identity Risks will be incorporated in Corporate Risk Management processes? Cautions The story looks nice on paper, but requires wise minds to keep it down to earth

20 Understanding the word Risk Risk = probability of a vulnerability being exploited times the cost/impact of the consequences Granting access always creates a vulnerability Access Risk Management seeks to measure and reduce this probability through risk mitigation Enterprise Risk Operational Risk IT Risk Access Risk 20

21 Risk is visual too What is the risk DNA? What is the most effective mitigation measure?

22 Could Gamification help with Risk Management? Maybe maybe not 22

23 Acronyms today? Questions? 23

24 Unpublished Work of CrossIdeas, All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of CrossIdeas. Access to this work is restricted to CrossIdeas employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of CrossIdeas. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. CrossIdeas makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for CrossIdeas products remains at the sole discretion of CrossIdeas. Further, CrossIdeas, reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All CrossIdeas marks referenced in this presentation are trademarks or registered trademarks of CrossIdeas. in the Italy and other countries. All third-party trademarks are the property of their respective owners. 24