IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Transcription

1 IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business are putting pressure on many organizations, to reduce their overall risk exposure The foundation of any risk management program is the ability to monitor, identify, assess and treat risks consistently across the organization. The systems and processes utilized by the Identity and Access Management (IAM) team can reduce risks associated with regulatory / corporate compliance and security incidents. From a compliance perspective, IAM systems and processes can attest to access controls, to restrict access to authorized users and to manage access based on business roles. Additionally, these systems can help security analysts answer questions around appropriateness of user access during the investigation process with identity context and intelligence. This white paper explores scenarios in which RSA Archer and RSA Via Lifecycle and Governance (RSA Via L&G) solutions can be used together to provide higher levels of visibility and analysis, to effectively investigate security incidents and to manage the identity lifecycle based on risk. June 2015 RSA PERSPECTIVE

2 TABLE OF CONTENTS ABSTRACT... 1 EXECUTIVE SUMMARY... 3 GRC MARKET LANDSCAPE... 3 IAM MARKET LANDSCAPE... 4 RSA ARCHER AND RSA VIA L&G: DELIVERING MORE VALUE TOGETHER... 4 Monitor and Attest to Identity Controls to Minimize Compliance Risk... 5 What if you could take this to the next level by mapping control procedures in Archer to an actionable solution?... 5 Improve Effectiveness of Security Investigations with Business and Identity Context... 6 Visibility and Governance of RSA Archer Accounts, Groups and Roles... 7 Managing Identity Lifecycle and Access Decisions Based on Application Risk... 6 Provide a View of identity Risk with Intuitive Dashboards and Reports... 7 CONCLUSION... 8

3 EXECUTIVE SUMMARY Many organizations have a team responsible for Governance, Risk & Compliance (GRC), and another team that manages their Identity and Access Management (IAM) program. However, these teams often work in silos with limited communication or sharing of intelligence across and between the domains. Forward-thinking organizations recognize that today s risk and compliance landscape demands that these silos be connected. Bridging the gap between GRC and IAM teams can deliver considerable value by reducing risk, more efficiently meeting compliance and audit needs, and improving security posture. With integrated GRC and IAM solutions, an organization can prioritize business decisions and align risk objectives by using business and identity context. By integrating industry leading-solutions such as RSA Archer and RSA Via Lifecycle and Governance (RSA Via L&G), an organization can harness and exploit risk with advanced levels of context. This paper explores the integration use cases between Archer and RSA Via L&G as follows: Monitor and attest to identity controls to minimize compliance risk Improve effectiveness of security investigations with business and identity context Collection and Governance of RSA Archer Accounts, Groups and Roles Manage identity lifecycle and access decisions based on application risk Provide visibility into identity risk with intuitive dashboards and reports GRC MARKET LANDSCAPE The GRC market space began by focusing primarily on meeting compliance needs. Organizations in the early days were narrowly focused on compliance initiatives and typically used elementary approaches to attack individual risk and compliance initiatives with an isolated strategy. To use an analogy, this isolated strategy relied on constant fire-fighting by front-line and functional employees. Early days of GRC took Compliance off the table and helped organizations deal with the rapidly changing regulatory and industry trends in the most efficient and effective manner. In this early stage, GRC solutions helped organizations, for the first time, to effectively managed compliance and built a cohesive strategy to deal with meeting regulatory and compliance requirements. As organizations learned and navigated their way through the compliance maze, they matured and began modeling and managing enterprise risk. In the risk-managed state, organizations have common policies, standards and controls, an effective control infrastructure and efficient methods to measure, monitor and report on risk posture. Companies at this level of maturity are aware of various risks and can put in place plans to manage these risks within the context of a broader strategy. This progress is often fueled by increased visibility into risk through metrics and analysis capabilities. The next phase of GRC is for companies to harness and exploit risk for competitive advantage. Companies in this stage speak and think about GRC in the language of business. They are able to identify and respond to emerging risk ahead of the curve using common taxonomies, common approaches and finely-tuned decision-making process supported by integration of GRC with solutions that provide visibility into various aspects of the company (such as identities, threats and vulnerabilities). See Figure 1 below, for a depiction of the GRC market transformation: 3

4 e 1. Figure 1: GRC Market Transformation IAM MARKET LANDSCAPE The Identity and Access Management (IAM) market segment has followed a similar pattern of growth. What began as IT-centric tools (focused on automating administrative tasks around account provisioning and password management) have grown into businessuser focused solutions providing governance and management of the complete user lifecycle. By automating user activities such as granting new users with their initial access, or adding new access for existing users these IAM solutions can deliver business agility while ensuring that organizations meet their corporate risk and compliance requirements. Today s IAM solutions help organizations move from an IT-centric perspective to a business driven approach, shifting accountability and responsibility for making access decision to the Line-of-Business, while ensuring that compliance and regulatory policies are met. Throughout the entire identity lifecycle, policies and risks are incorporated into business processes - spanning initial access grants for new users, additional access requests & approvals, and access de-provisioning upon termination through a simple, easy-to-manage user interface, backed by a powerful workflow and rules engines. e 2. Figure 2: IAM Market Landscape RSA ARCHER AND RSA VIA L&G: DELIVERING MORE VALUE TOGETHER However, as noted above, GRC and IAM teams often work in silos with limited communication or sharing of intelligence across and between the domains. By leveraging the power of both teams and the respective processes and systems, organizations can be more effective and efficient with their GRC and IAM programs. Conceptually, what if an organization is able to:

5 Map GRC control procedures to identity policies in an IAM solution as it relates to financial controls legislation, data protection and privacy, industry mandates and corporate security policies Improve security investigations with better insight into the business roles of people and application entitlements Leverage application risk information from the GRC team to plan access reviews and approval levels of access entitlements Provide a view of identity risk to stakeholders through intuitive dashboards and reports By integrating RSA Archer and RSA Via L&G, an organization can effectively bridge the gap between the GRC and IAM teams. Visibility with enhanced analysis and improved metrics enables the business to move quickly and predictably, without compromising risk. Leveraging the risk intelligence from the GRC solution, the IAM team can design access request and approval workflows, and access review frequency to be aligned with application risk levels. And conversely, the identity intelligence available through the RSA Via L&G solution can be leveraged by the GRC team to automate attestation of regulatory and corporate policies and to drive more effective security investigations with identity context. MONITOR AND ATTEST TO IDENTITY CONTROLS TO MINIMIZE COMPLIANCE RISK The effort required for monitoring, reporting, and testing against regulatory and corporate compliance can become a barrier to effective compliance. Organizations that maintain a siloed compliance approach, using disconnected tools and manual processes, will be at a competitive disadvantage. These organizations will likely see reductions in productivity and market effectiveness, as well as increased risk of regulatory or audit findings. As a result, organizations recognize that they must proactively create efficiencies in their compliance programs. Focusing on prioritizing, making risk actionable, and automating/sharing compliance processes and data will lead a company to achieve the competitive advantage that s possible. RSA Archer is the preferred solution of choice when managing regulatory and corporate compliance. RSA Archer drives efficiencies across the organization with prebuilt, out-of-the-box regulatory content, which provides an intuitive mapping to help to test once and use the results across many requirements. WHAT IF YOU COULD TAKE THIS TO THE NEXT LEVEL BY MAPPING CONTROL PROCEDURES IN ARCHER TO AN ACTIONABLE SOLUTION? In the case of identity controls, RSA Archer control procedures can be mapped to reports and processes in the RSA Via L&G solution. The results of access reviews, reports on business and technical roles, enforced access policies, Segregation of Duties results, and orphaned account reviews can serve as attestation of the control objectives. e 3. Figure 3: Mapping of Archer Control Procedure to RSA Via L&G An American Action Forum (AAF) Study dated January 2014 stated that regulations in 2013 introduced $112B in cost and 10B hours of effort for organizations. The constant influx of new and changing regulations and limited budgets often tie up an organization s resources on compliance activities. The combination and the ability to leverage RSA Archer and RSA Via L&G can transform compliance by automating the compliance process with respect to identity controls and make the overall organizational compliance process more effective.

6 IMPROVE EFFECTIVENESS OF SECURITY INVESTIGATIONS WITH BUSINESS AND IDENTITY CONTEXT Visibility, analysis and action are the three pillars that enable effective detection, investigation and response to security incidents. RSA Archer Security Operations Management (SecOps) provides the framework and alignment for customers building out their security incident response teams. SecOps provides a workflow-driven incident response process with business context so security analysts can prioritize incidents. For example, when an event happens, a security analyst can prioritize investigation of an event that is occurring on a business-critical asset. This prioritization is accomplished through business context. Identity intelligence is another aspect of context that can drastically improve the effectiveness of security investigations. In this case, a security analyst can use identity context to see if the user s access is appropriate, and how the user relates to the application in question. What if you could provide another level of context with identity intelligence for the security analyst? The security analyst in this case would be able to: Improve the overall investigation process with better insight into who people are Translate cryptic user IDs into understandable user names, departments and roles Drill down into a user s role and capabilities during an investigation process Visibility into Segregation of Duties (SoD) violations or number of orphaned accounts indicators to take action on reducing the attack surface for inappropriate access The combination of RSA Archer SecOps and RSA Via L&G solution enables that next level of context with Identity intelligence. Through this integration, a security analyst will have the ability to investigate appropriate and inappropriate access for business critical applications. e 4. Figure 4: Business and Identity Context for Security Analysis MANAGING IDENTITY LIFECYCLE AND ACCESS DECISIONS BASED ON APPLICATION RISK For information security professionals, context is key when managing user access to resources and understanding enterprise risk levels. There are two types of context that can make a big difference for information security, these are identity context and business context. Identity context is focused on users, while business context is more about application risk. Combining these two types of context can create immediate and tangible benefits for information security professionals. RSA Archer is a solution that can help organizations catalog applications and determine the risk and criticality of those applications. This is a foundational process to manage the overall risk and compliance of those applications with respect to regulatory and corporate compliance. Application risk information from Archer can drive the access governance processes in the RSA Via L&G solution.

7 With the integration of Archer and RSA Via L&G, business owners can tailor IAM business processes based on an application's risk rating, and with a clear understanding of the overall risk context. For example, in the case of high risk applications, requests for new access could be easily configured to require a multi-step approval process that includes the supervisor, application owner, and risk team. Requests for access to low-risk applications may only require supervisor approval. This is a great example of how integrating risk information can balance the efficiency that the business demands, with the compliance and risk requirements that the organization needs. Another example is the frequency of access reviews a business process where managers review who has access to what, validating that it s appropriate for each user s role and job function. With this integration, the organization can prioritize their efforts and review high-risk applications frequently, while placing low-risk applications on a slower review cadence. Figure 5, below, shows an example of application risk information imported from RSA Archer into RSA Via L&G. e 5. Figure 5: Risk Information from RSA Archer within RSA Via L&G VISIBILITY AND GOVERNANCE OF RSA ARCHER ACCOUNTS, GROUPS AND ROLES RSA Archer accounts, groups and roles can be imported into RSA Via L&G solution. Once this information is available, the overall Archer Access Governance process such as reporting, reviewing and requesting access is managed through the RSA Via L&G solution. PROVIDE A VIEW OF IDENTITY RISK WITH INTUITIVE DASHBOARDS AND REPORTS RSA Archer enables an organization to better understand, prioritize and manage risk. By using the capabilities of RSA Archer, organizations can reduce the likelihood of negative events, lost opportunities, and surprises so that an organization is able to maximize performance. Take the case of a CISO where the overall IT Security Risk Management resides in his/her direct line of responsibility. The 1st step for the CISO s organization is to have a clear understanding of the business hierarchy, products and services, business processes, supporting IT infrastructure, physical facilities and personnel. This central repository or catalog provides a view into business context. The next step is to have visibility into the risks associated with IT security. The combination of business context and visibility into the risks enables the CISO organization to effectively prioritize issues that posed the biggest risk to their organization. IT Security risks can be categorized into 5 different buckets as follows: Security Incidents and Breaches Vulnerabilities IT Compliance Sensitive Information

8 Identities A holistic view of the risks and business context will help the CISO team prioritize issues. RSA Via L&G solution is the source of the Identity Risk Dashboard in RSA Archer. The combination of RSA Via L&G and Archer can quickly flag risks associated with user entitlements, user roles, application entitlements, orphaned accounts and SoD violations. e 6. Figure 6: CISO Dashboard for IT Security Risk Management CONCLUSION Organizations have made tremendous progress improving the maturity and efficiency of both their GRC and IAM programs. As a result, they ve reduced their risk, improved compliance with regulatory guidelines, and obtained significant business value. And yet, there s untapped potential for even more value by breaking down the barriers and connecting GRC and IAM systems and processes. Integration between RSA Archer and RSA Via Lifecycle and Governance solutions can help organizations develop a common, consistent, and highly effective risk and compliance model across the enterprise. EMC 2, EMC, the EMC logo, RSA, the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. VMware is a registered trademark or trademark of VMware, Inc., in the United States and other jurisdictions. Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. 06/15 White Paper H13191 RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice.