Identity and Access Management The road to sustained compliance
Identity and Access Management: an overview
1. On-boarding is the process of establishing an identity for a person, device, or system account in an enterprise. Identity information can be populated via self-registration or via one or more business processes.
2. Identity source systems contain the authoritative data elements that collectively comprise each individual identity.
3. Identity stores contain enterprise identities linked dynamically to the identity source systems, eliminating data duplication across the enterprise.
4. Workflow management automates provisioning processes (e.g., approvals, rejections, re-certifications) to enforce preventative access controls and to maintain audit and compliance of the identity life cycle that provides users with access to protected resources.
5. Lifecycle management is the process of managing the digital identity and its attributes, including any updates or changes to attributes, from the creation of the identity to its removal from the IAM system during off-boarding.
6. Access management enables authentication of identities for use with Single Sign-on to enterprise resources by validating identity information (e.g., roles, attributes) against resource-specific access control policies. Access control policies can incorporate separation of duties, repudiation and reconciliation.
7. Policies incorporate business rules and logic, defining them in IAM as controls for granting access to resources based on attributes (e.g., title, application) or roles (e.g., system administrator, human resources specialist).
8. Physical access control systems can be integrated with IAM to leverage identity information provisioned to local data stores. Identity information can be used for granting access to sites, buildings or areas in conjunction with authentication mechanisms such as smart cards, PINs, biometrics and Public Key Infrastructure (PKI).
9. Logical access to information technology resources (e.g., networks, computers, applications, data, etc.) is provided by integrating with the IAM solution in an organization's enterprise. The IAM solution performs identity authentication based on the level of assurance required by an individual resource, including the use of strong authentication mechanisms like PKI and secure hard tokens. The solution then authorizes or denies access based on resource-specific policies that can be defined to accommodate mixed populations (i.e., internal and external users) and credential types (e.g., passwords, smart cards, Personal Identity Verification cards, VPN tokens).
10. Auditing and reporting are IAM capabilities that can provide an enterprise-wide view (i.e., a dashboard view) of detected access policy violations (e.g., SoD conflicts, rogue accounts), security, compliance, system monitoring, system notifications and warnings, performance indicators and data integrity. Auditing capabilities can automatically enforce access policies by mitigating detected violations.
11. Federation enables trusted, cross-domain single sign-on authentication among internal or external organizations and trusted partners by establishing trust models for vetting identities and enforcing security policies.
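Points 3, 6 and 10 above (identity store linkage, separation of duties, and auditing that detects and mitigates violations) can be made concrete with a small reconciliation audit. The following is an added example, not code from the deck or from any IAM product; the role names, systems, SoD rules and accounts are all constructed for illustration.

```python
"""Toy access-governance audit (constructed example): reconcile accounts in
target systems against the identity store, flag rogue accounts and
separation-of-duties (SoD) conflicts, and list the mitigations to apply."""
from dataclasses import dataclass, field
from typing import Optional

# Toxic role combinations no single identity may hold (constructed rules).
SOD_RULES = {frozenset({"create_vendor", "approve_payment"}),
             frozenset({"developer", "prod_deployer"})}

@dataclass
class Account:
    system: str
    login: str
    uid: Optional[str]                # link to identity store; None = unlinked
    roles: set = field(default_factory=set)

def audit(identity_store, accounts):
    """identity_store maps uid -> active flag (False once off-boarded).
    Returns rogue accounts, SoD conflicts and the mitigation actions."""
    rogue, sod, actions = [], [], []
    effective = {}                    # uid -> union of roles across systems
    for acc in accounts:
        if not identity_store.get(acc.uid):     # no live identity behind it
            rogue.append(f"{acc.system}:{acc.login}")
            actions.append(("disable", acc.system, acc.login))
        else:
            effective.setdefault(acc.uid, set()).update(acc.roles)
    # SoD is checked per identity across all systems, not per account.
    for uid, roles in effective.items():
        for rule in SOD_RULES:
            if rule <= roles:
                conflict = tuple(sorted(rule))
                sod.append((uid, conflict))
                actions.append(("revoke_one_of", uid, conflict))
    return {"rogue": rogue, "sod": sod, "actions": actions}

# Constructed sample data: identity store fed from HR, plus provisioned accounts.
IDENTITY_STORE = {"u1": True, "u2": True, "u3": False}
ACCOUNTS = [
    Account("erp", "alice", "u1", {"create_vendor"}),
    Account("bank", "alice.p", "u1", {"approve_payment"}),  # toxic with ERP role
    Account("erp", "bob", "u2", {"approve_payment"}),
    Account("erp", "carol", "u3", {"viewer"}),              # owner off-boarded
    Account("ci", "svc-deploy", None, {"prod_deployer"}),   # never linked
]

def run_audit():
    return audit(IDENTITY_STORE, ACCOUNTS)
```

Note that the SoD conflict is only visible once roles are aggregated per identity: neither of alice's accounts violates a rule on its own.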
Overview: IAM disciplines and subdisciplines, a complex matter
Project phases: Inception, Elaboration, Construction, Transition
Disciplines and their activities (spread across the phases above):
- Project Management: Project Planning; Manage Project; Close Project
- Quality Management: Quality Planning; Perform Quality Assurance; Perform Quality Control; Perform Quality Support
- Business Modeling: Define vision & strategy; Define Policies; Define Process Model; Define Organization Model; Design Processes; Develop Organizational Design
- Requirements: Define Requirements
- Analysis & Design: Develop Conceptual Architecture; Develop Solution Design; Develop Roadmap; Develop Solution Architecture; Update Solution Design
- Solution Build: Build Configuration Environment; Configure IAM Solution; Install IAM Solution; Build Development Environment; Build User Acceptance Environment; Build Production Environment
- Test: Develop Test Approach; Conduct Testing
- Deployment: Develop Deployment Approach; Update Deployment Approach; Deploy Solution; Develop Operations Documentation; Conduct Knowledge Transfer
- Change Management: Develop IAM Change and Configuration Management Approach; Manage Change
2012 Deloitte
Identity and Access Management: what are the drivers?
Statements typically seen in white papers, proposals and marketing material:
- Increased efficiency through business process automation
- Increased user/customer satisfaction
- Reduction in help desk costs (e.g., password resets)
- Secure information sharing and collaboration
- Enabled transparency
- Privacy protection
- Enhanced data protection and integrity
- Improved and automated reporting
- Compliance with relevant laws and regulations
Identity and Access Management: grouping of drivers
- Increased Security
- Increased Compliance
- Increased Efficiency
- Increased Satisfaction
Deloitte, Dubex and Dell decided to conduct a small survey in Denmark encompassing public (14) and private (16) organisations, to map out how the above drivers weighed against each other for
- the initiation of an IAM project, and
- how the organisations assessed the achieved results,
and to obtain interesting facts in general (see the following slides).
Whom we asked or were directed to (chart of respondents' position): CIO; IT manager
Do they have a project? Have you completed, or are you currently undergoing, a project within Identity & Access Management? (chart) Answer options: Yes, completed; Yes, undergoing; No, not yet
Project ownership: where was the project ownership in your organisation? (chart) Answer options: IT; The business organisation
Degree of ownership within the business organisation (chart, one panel for public companies and one for private companies)
Question: To what extent is the ownership of user administration and access management with the business organisation?
Answer options:
- The business organisation is demanding and IDM is an integrated part of the business processes, which are audited continuously
- The business organisation is demanding towards IT, which implements, tests and delivers
- IT involves the business organisation in IDM if it is necessary
- IDM is an almost 100% IT-driven project
Pre-analysis (chart: number of respondents per rating)
Question: To what extent was a pre-analysis of challenges and needs with respect to user administration and access management conducted? (rating 1-4, 1 = Not at all, 4 = To a high extent)
To what extent were users involved in the project? (chart, one panel for public and one for private organisations)
Question: To what extent were the intended users/owners of the IDM system involved in the project?
Answer options:
- Owners/users were consulted in regard to design/architecture
- Owners/users were involved in the test phase of already planned solutions
- Owners/users were not involved before the training phase
- Owners/users were not involved, as it is an IT project
Success criteria in relation to the start-up (chart, average rating on a 0-4 scale)
Question: What was the weighting of the following success criteria in relation to the start-up of the project? (Please indicate a rating 1-4, 1 = least, 4 = highest)
Criteria: Increased user satisfaction; Increased efficiency or financial savings; Increased compliance; Increased security
Success criteria in relation to the results (chart, average rating on a 0-4 scale)
Question: What was the weighting of the following success criteria in relation to what was achieved? (Please indicate a rating 1-4, 1 = least, 4 = highest)
Criteria: Increased user satisfaction; Increased efficiency or financial savings; Increased compliance; Increased security
Overview: initiation criteria vs. realised (average rating 1-4; Difference = Realized minus Initiation)
Factor                  Initiation  Realized  Difference
Increased Security      3,63        3,45      -0,18
Increased Compliance    3,26        3,32      +0,06
Increased Efficiency    3,22        3,05      -0,17
Increased Satisfaction  2,44        2,73      +0,29
Overview: success rate vs. ownership of processes (chart)
Success rating in combination with the extent of ownership of user administration and access management with the business organisation (rating 1-4, 1 = least, 4 = highest; plotted on a 0-4 scale)
Success criteria plotted: Increased user satisfaction; Increased efficiency or financial savings; Increased compliance; Increased security
Ownership categories:
- IDM is an almost 100% IT-driven project
- IT involves the business organisation in IDM if it is necessary
- The business organisation is demanding towards IT, which implements, tests and delivers
- The business organisation is demanding and IDM is an integrated part of the business processes, which are audited continuously
What would you do differently? (respondents' answers)
- Management ownership as well as involving the business organization. Also a deeper and more thorough pre-analysis and critical choice of supplier is important.
- Send more money!
- There has been a lack of central coordination (top management); it has been fragmented in regards to different system owners.
- Supplier management is essential; we trusted the suppliers too much.
- Users should be involved early in the process, and time should be spent in the training system.
- Make managers aware of the importance of security.
- Management's authorization of employees as well as strengthening of the control environment.
- Municipalities must know each individual employee; compliance is important.
- The public sector is not capable of rolling out systems as fast as the private sector.
- Involve users earlier.
- Have decisions in place early.
- It must be owned in the business organization.
Conclusion
As this is the very first time we have asked such questions of a broader audience, we have no data with which to compare the weighting of the groups of drivers against earlier periods. It is, however, our impression that Danish organizations have in the past focused on increased efficiency, rationalizations and savings as the most important factors when deciding whether or not to embark on an IAM project. The answers in our survey indicate a tendency to focus more on Security and Compliance than we would have expected. The differences are, however, not significant (but note the low emphasis on User Satisfaction: this is clearly not driving much).
We're not alone
Gartner's report on User Administration & Provisioning (UAP) of December 27th 2012 describes a similar change in the IAM market as a whole. Gartner notes that in the period 2010-2012 it saw a shift from efficiency to responsibility, transparency and control: a shift from Identity & Access Management to Identity & Access Governance, providing information about who has access to what, for use in the business to comply with internal and external audits, compliance and regulatory needs, forensic investigations, risk and control assessments, etc. Gartner also notes that the need for an efficient and controlled provisioning process will not disappear, but that organizations seem to focus more on using existing knowledge about users' access to fulfil business needs.
IAM in a governance perspective
Access Governance: main building blocks and enablers (diagram)
Goal: Access Governance leading to Compliance
- People: Security policies, standards and strategies (enabling Effective Controls)
- Processes: Identity lifecycle processes; Access management and administration processes; Security management processes (enabling Automation)
- Technology: IAM technologies
Identity & Access Management is a foundation for effective control compliance. It supports policy change and enforcement and helps accelerate the adoption of adequate and effective controls. To ensure sustained compliance, Identity & Access Management projects should focus on all three dimensions: People, Process and Technology.
Access Governance The road to sustained compliance
Questions to consider (roundtable)
- Is focus shifting due to increased regulatory requirements?
- Have organizations realized the automation potential, and are they now moving towards further benefits in the shape of Security/Compliance?
- How do we build a business case for IAG in a time of economic crisis?
- Will IAG projects extend to encompass more systems/applications, or focus more on role development and fine-grained access management for a limited number of end-points?
- Will IAG be, or continue to be, the responsibility of the IT department?
Deloitte Touche Tohmatsu Limited Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Statsautoriseret Revisionspartnerselskab. Member of Deloitte Touche Tohmatsu Limited