IBM Security Identity Governance Update Session (ISIG, the new name for CrossIdeas)

Transcription

1 IBM Security Identity Governance Update Session (ISIG, the new name for CrossIdeas) Business Partner Enablement Derrick Hodnett. European Sales Lead

2 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 2

3 Background IBM Security Identity Governance (ISIG) is part of the IBM Security Division and Product Set. IBM acquired CrossIdeas in Q3 2014, the first version of ISIG was released in Dec Integrated within the IBM Security framework - the Identity Manager (ISIM) product. ISIG enables organisations to achieve their Compliance and Audit objectives for Access Risk Management. Recognised as a Leader in the latest Gartner Identity Governance and Administration Magic Quadrant, Jan

4 How Did We Get Here? IBM Security invests in best-of-breed technologies Security intelligence IBM Security is created Incident forensics Advanced fraud protection Secure mobile management Cloud-enabled identity management Identity governance Mainframe and server security Identity management Directory integration Security services and network security Enterprise single-sign-on Endpoint management and security Information and analytics management IBM Security Investment 6,000+ IBM Security experts worldwide 1,700+ IBM security patents Access management SOA management and security Application security Risk management Data management Database monitoring and protection Application security 4,000+ IBM managed security services clients worldwide 25 IBM Security labs worldwide 4

5 IBM Security offers a comprehensive product portfolio 5

6 A Quick Refresh on the IAM Products ISAM (Access Manager) Single Sign On Federation Less Passwords Easier access, but more secure PIM (Privileged Identity Manager) Controlled Admin Access What exactly is that user doing? IT Super User Accounts Policing the Police ISIM (Identity Manager) User Life Cycle Joiner / Mover / Leaver Automates manual processes Operational Effectiveness ISIG Identity Governance Reviewing Enterprise Access Business Applications Retrospective Business Compliance 6

7 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing 7 Q&A

8 Difference between compliance and security? Compliant Secure 8

9 Segregation of Duties Also known as SoD Separation of Duties These are toxic combinations i.e. individual activities which by themselves might be safe, but pose a business risk when one person has access to multiple capabilities An Example being I could place an order for goods/services. I could then authorize payment. If I were a criminal I could use this to commit fraud. Generating real payments (to me!) for goods/services never delivered. These could be combinations of accounts, roles, entitlements, privileges, permissions across multiple systems. Most organisations do have SoD risk, the problem is finding them and then removing or mitigating the risk, and proving it to an auditor The SoD controls would usually be defined by specialist consulting 9 firms such as the big 4.

10 Regulation & Compliance If a company is in a regulated industry then they must demonstrate that they control and review who has access to key applications. This is time consuming, and therefore IT solutions are required Many regulations exist, a common one is Sarbanes-Oxley (SOX). Set up in the US as a result of corporate scandals such as Enron. This applies to any company doing business in the US. One of the overriding principles is accountability. SOX increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements. Regulations of this type apply to most companies. Leaving regulation aside it is also about Reputational Risk. Regulation and Audit though are key drivers in many organisations. They often do this simply because they have to. 10

11 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 11

12 Cheat Sheet Do you have regulatory controls over access to your key corporate applications? Like Sarbanes-Oxley (SOX) for example? Are you audited to demonstrate you control this? For example Segregation of Duties or re-certifying access? Do you have any audit issues in this area? If so what are they? When do you have to fix them? Do you have concerns over users having access to too much sensitive information in your key applications? I.e. Insider Threat Our Solution Provides customers with governance over access to their key applications. Addresses regulatory compliance / audit issues in this area. Business-friendly interfaces (since this is a business problem). Can be standalone or integrated into your existing IAM platform. 12

13 Follow Up Questions for Consideration Are you a SAP user? SAP requires a specialist approach due to the complexities involved. Do you have explicit Segregation of Duties controls? If so how onerous are these? If so have they already deployed an IT solution? How well is it received? Does it apply to all the business? Do you currently have any IAM products deployed. Try and find out the existing IAM landscape, competitive products. It is also common for companies to have home grown solutions. Who owns the Compliance Problem. Is there a business sponsor? If there is an issue(s), is there budget approved to solve it? If not then how will they address the issue and how important is it? 13

14 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 14

15 Latest Gartner Magic Quadrant Identity Governance & Administration. Jan 2015 Main Competitors Sailpoint EMC/RSA Aveksa Oracle Dell Quest NetIQ Novell CA Just completed. Gartner IAM Conference London 16 th /17 th March IBM Platinum Sponsor KuppingerCole EIC Munich 5 th -8 th May IBM Platinum Sponsor 15

16 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 16

17 Legislation / Regulation. This is a business problem. Financial Reporting SOX, Turnbull, LSF, Transparency Directive, JSOX, MAR, L.262 Industry Mandated Initiatives Basel III, Solvency II, GLBA, FERC/NERC, FFIEC, FISMA, HIPAA/HITECH, ITAR, Smart Grid, Compliance Privacy Mandates PCI, State Based (CA 1386, MA Privacy 201), Country Based, EU Data Protection CxO/Senior Executives Take individual responsibility for the accuracy and completeness Auditors Require certified information to approve Accounts / Risk Mgt reports This is an Issue for Every Business across Every Industry 17

18 The pain chain. An Example 1 Can you prove that John Doe has appropriate permissions as defined by your business processes? 2 Could you verify if John Doe has appropriate access? Auditors 0 Is our business compliant to regulation? How do we manage and mitigate risks? 4 Could you verify if John Doe has the appropriate access? IT Security 5 3 I can tell you what John has. I can t tell if it is appropriate or not. I could If I was techy enough to understand all this IT and application stuff.... Application Managers 18 The Board Business Manager

19 Typical Audit findings to Board Level CEO/CFO Manual efforts to retrieve data: Delays, Error Prone, 3 rd party consulting fees. Not secure and not sustainable. Inability to detect existing toxic combinations : privileged application accounts assigned to standard employees, conflicting permissions creating SoD violations. Inability to determine Who approved what and when? : many approval processes, difficult to demonstrate. 19

20 Example Screen Shot : Access Certification Screenshot here 20

21 Example Screen Shot : Segregation of Duty 21

22 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 22

23 Integration with Other IBM Products Very, very, briefly... ISIG integrates with ISIM (Identity Manager). For a customer of ISIM, ISIG can read the information on people / roles / entitlements to perform the governance functions not in ISIM. ISIG integrates with z/os IBM Mainframe ISIG can read information on mainframe users/ roles / entitlements to include business-critical mainframe applications in company-wide governance programs. ISIG will integrate with qradar ISIG will publish information on SoD violations or risky access privileges that can be processed by qradar. 23

24 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 24

25 Licensing UVU Pricing. Same as ISIM, using the same UVU calculations. Some PVU pricing exists but unlikely to be competitive. Usual pricing, approval and order fulfillment process for partners. Services this product needs services to become a solution. License $000 s to $000000s 3 Part Numbers D1B41LL ISIG Foundation. Core Product D1B36LL ISIG Access Request. Optional Extra. Only make optional if the customer has an alternative solution. D1B3ZLL ISIGA Identity Governance & Administration. Combination of base ISIM + ISIG. Cheaper than buying separately. ISIG is a J2EE application and is supplied as an appliance. 25

26 Further Information Available via the usual channels / partner teams Offer Demo Mondays as a follow up? Partner training is available and publicised via the usual channels Public web site If you are struggling contact me. 26

27 References and Customers I N S U R A N C E F I N A N C I A L S E R V I C E S E N E R G Y & U T I L I T I E S M A N U F A C T U R I N G Ferrari P U B L I C S E C T O R 27

28 Leading global insurance and financial company simplifies identity intelligence by moving away from manual processes Security Identity Governance Business role management, separation of duties analysis and flexible access certification for more than 75,000 users on SAP and mainframe technologies Business Challenge Recertification using a custom built tool that was arduous and difficult to track Access recertification was based on technical entitlements which led to confusion between the auditors and the IT department Extremely expensive to add applications to custom built solution IBM Security Identity Governance and Administration Solution Benefits It is now simple and inexpensive to add new applications and certify access Able to use one solution for SAP and non-sap applications Recertification is now an automatic process with shopping cart-like functionality for management Out of the box integration with their Identity Management solution (NetIQ) 28

29 A top 5 energy trading company worldwide delivers actionable identity intelligence Security Identity Governance Separation of duties (SoD) analysis and access certification for more than 2,500 users across 40 countries Business Challenge Told by auditors that they were unable to provide substantial separation of duties analysis from the front office to back office applications Recertification was a manual process (via spreadsheets) with no audit trail IBM Security Identity Governance Solution Benefits Client is now automatically informed if there is a potential SoD conflict; they can choose to remove or monitor the offense Client can use their auditor s spreadsheet directly into the solution for real time business activity based SoD Recertification is now an automatic process with shopping cart-like functionality for management 29

30 Agenda A Quick Recap on where ISIG fits into IAM and Security Some Background and Terminology that you may find useful Some Cheat Sheet basic questions to consider opening a conversation with a prospect. Some words on the competition. A few slides from the standard slide deck Current/Planned Integration with other IBM products Information on licensing Q&A 30

31 31