Identity and Access Management: the road to sustained compliance


Identity and Access Management: an overview

1. On-boarding is the process of establishing an identity for a person, device or system account in the enterprise. Identity information can be populated through self-registration or through one or more business processes.
2. Identity source systems contain the authoritative data elements that collectively make up each individual identity.
3. The identity store holds the enterprise identities, linked dynamically to the identity source systems so that identity data is not duplicated across the enterprise.
4. Workflow management automates the provisioning processes (e.g., approvals, rejections, re-certifications). It enforces preventive access controls and keeps an audit trail of the identity life cycle, so that users obtain access to protected resources only through the defined process.
5. Lifecycle management covers the digital identity and its attributes from the creation of the identity, through every update or change of attributes, to the removal of the identity from the IAM system at off-boarding.
6. Access management authenticates identities for single sign-on to enterprise resources, validating identity information (e.g., roles, attributes) against resource-specific access control policies. Access control policies can incorporate separation of duties, non-repudiation and reconciliation.
7. Policies capture business rules and logic, defined in IAM as controls that grant access to resources based on attributes (e.g., title, application) or roles (e.g., system administrator, human resources specialist).
8. Physical access control systems can be integrated with IAM, using identity information provisioned to their local data stores to grant access to sites, buildings or areas, in conjunction with authentication mechanisms such as smart cards, PINs, biometrics and Public Key Infrastructure (PKI).
9. Logical access to IT resources (e.g., networks, computers, applications, data) is provided by integrating the resources with the organisation's IAM solution. The IAM solution authenticates the identity at the level of assurance required by the individual resource, including strong authentication mechanisms such as PKI and secure hardware tokens, and then grants or denies access based on resource-specific policies. These policies can be defined to accommodate mixed populations (i.e., internal and external users) and credential types (e.g., passwords, smart cards, Personal Identity Verification (PIV) cards, VPN tokens).
10. Auditing and reporting give an enterprise-wide (dashboard) view of detected access policy violations (e.g., SoD conflicts, rogue accounts), together with security, compliance, system monitoring, notifications and warnings, performance indicators and data integrity. Detected violations can be fed back into the provisioning workflow so that they are remediated automatically (e.g., by revoking the offending access).
11. Federation enables trusted, cross-domain single sign-on among internal or external organisations and trusted partners by establishing trust models for vetting identities and enforcing security policies.
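The policy, assurance-level, separation-of-duties and reconciliation capabilities in items 6, 7, 9 and 10 above can be made concrete with a small script. The following is an added example written for this page; it is not code from the original deck or from any IAM product. The identity store, resource policies, SoD rule, credential-to-assurance mapping and target-system account list are all constructed for illustration.

```python
"""Added example (not from the original deck): deny-by-default access decisions
over a small identity store, with role/attribute policies, a credential
assurance-level (LoA) check, a separation-of-duties (SoD) rule, and
reconciliation of a target system's accounts against the store to flag rogue
accounts. All identities, policies and account lists are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Identity:
    uid: str
    title: str
    roles: frozenset
    active: bool = True  # False once off-boarded (lifecycle management, item 5)


# Constructed identity store (item 3).
IDENTITY_STORE = {
    "alice": Identity("alice", "Accounts Payable Clerk", frozenset({"ap_create_invoice"})),
    "bob":   Identity("bob", "Finance Manager", frozenset({"ap_approve_invoice"})),
    "carol": Identity("carol", "Contractor",
                      frozenset({"ap_create_invoice", "ap_approve_invoice"})),
    "dave":  Identity("dave", "System Administrator", frozenset({"sysadmin"}), active=False),
}

# Constructed resource policies (item 7): access by role or by attribute (title),
# plus the minimum level of assurance the resource requires (item 9).
RESOURCE_POLICIES = {
    "ap_system:create":  {"roles": {"ap_create_invoice"}, "min_loa": 1},
    "ap_system:approve": {"roles": {"ap_approve_invoice"}, "min_loa": 2},
    "hr_portal:admin":   {"titles": {"Human Resources Specialist"}, "min_loa": 3},
}

# Constructed (hypothetical) mapping from credential type to assurance level.
CREDENTIAL_LOA = {"password": 1, "vpn_token": 2, "smart_card": 3}

# Constructed SoD rule (item 6): holding every role in the set is a toxic combination.
SOD_RULES = [(frozenset({"ap_create_invoice", "ap_approve_invoice"}), "create+approve invoices")]


def sod_violations(identity):
    """Names of the SoD rules whose toxic role set is fully held by the identity."""
    return [name for toxic, name in SOD_RULES if toxic <= identity.roles]


def authorize(uid, resource, credential):
    """Return (granted, reason). Every path that does not match a policy denies."""
    identity = IDENTITY_STORE.get(uid)
    if identity is None or not identity.active:
        return False, "unknown or inactive identity"
    policy = RESOURCE_POLICIES.get(resource)
    if policy is None:
        return False, "no policy defined for resource"
    if CREDENTIAL_LOA.get(credential, 0) < policy["min_loa"]:
        return False, "credential assurance level too low"
    violations = sod_violations(identity)
    if violations:
        # Preventive control: a toxic combination blocks access until it is recertified.
        return False, "SoD violation: " + ", ".join(violations)
    if identity.roles & policy.get("roles", set()) or identity.title in policy.get("titles", set()):
        return True, "granted"
    return False, "no matching role or attribute"


def reconcile(target_accounts):
    """Accounts on a target system that have no active identity in the store are
    rogue accounts (orphaned after off-boarding, or created locally) and belong
    on the auditing dashboard (item 10)."""
    return [acct for acct in target_accounts
            if acct not in IDENTITY_STORE or not IDENTITY_STORE[acct].active]


# Constructed snapshot of the accounts present on one target system.
TARGET_ACCOUNTS = ["alice", "bob", "carol", "dave", "svc_backup_old"]

if __name__ == "__main__":
    for uid, res, cred in [("alice", "ap_system:create", "password"),
                           ("bob", "ap_system:approve", "password"),
                           ("bob", "ap_system:approve", "smart_card"),
                           ("carol", "ap_system:approve", "smart_card")]:
        print(uid, res, cred, authorize(uid, res, cred))
    print("rogue accounts:", reconcile(TARGET_ACCOUNTS))
```

Two design points matter here. The decision function denies on every path except an explicit policy match, and it checks the SoD rule at request time, so a toxic role combination that slipped through provisioning is still blocked (a preventive control) while also being reportable (a detective one). Reconciliation treats an off-boarded identity's leftover account exactly like a locally created one: both are rogue from the point of view of the identity store.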

Overview: IAM disciplines and sub-disciplines, a complex matter

Phases: Inception, Elaboration, Construction, Transition (the activities below are spread across these four phases).

Disciplines and their activities:
- Project Management: Project Planning; Manage Project; Close Project
- Quality Management: Quality Planning; Perform Quality Assurance; Perform Quality Control; Perform Quality Support
- Business Modeling: Define Vision & Strategy; Define Policies; Define Process Model; Define Organization Model; Design Processes; Develop Organizational Design
- Requirements: Define Requirements
- Analysis & Design: Develop Conceptual Architecture; Develop Solution Design; Develop Roadmap; Develop Solution Architecture; Update Solution Design
- Solution Build: Build Configuration Environment; Configure IAM Solution; Install IAM Solution; Build Development Environment; Build User Acceptance Environment; Build Production Environment
- Test: Develop Test Approach; Conduct Testing
- Deployment: Develop Deployment Approach; Update Deployment Approach; Deploy Solution; Develop Operations Documentation; Conduct Knowledge Transfer
- Change Management: Develop IAM Change and Configuration Management Approach; Manage Change

© 2012 Deloitte

Identity and Access Management: what are the drivers? Statements typically seen in white papers, proposals and marketing material:
- Increased efficiency through business process automation
- Increased user/customer satisfaction
- Reduction in help desk costs (e.g., password resets)
- Secure information sharing and collaboration
- Enabled transparency
- Privacy protection
- Enhanced data protection and integrity
- Improved and automated reporting
- Compliance with relevant laws and regulations

Identity and Access Management: grouping of drivers. The drivers above fall into four groups: Increased Security, Increased Compliance, Increased Efficiency and Increased Satisfaction. Deloitte, Dubex and Dell conducted a small survey in Denmark covering 14 public and 16 private organisations, to map how these driver groups weighed against each other (a) when an IAM project was initiated and (b) when the organisations assessed the results achieved, and to collect interesting facts in general (see the following slides).

Respondents. We asked, or were directed to, people in the following positions (chart): CIO; IT manager.

Do they have a project? Question: Have you completed, or are you currently undergoing, a project within Identity & Access Management? Answer options (chart): Yes, completed; Yes, undergoing; No, not yet.

Project ownership. Question: Where was the project ownership in your organisation? Answer options (chart): IT; The business organisation.

Degree of ownership within the business organisation (charts for public companies and for private companies). Question: To what extent is the ownership of user administration and access management with the business organisation? Answer options:
- The business organisation is demanding, and IDM is an integrated part of the business processes, which are audited continuously
- The business organisation is demanding towards IT, which implements, tests and delivers
- IT involves the business organisation in IDM if necessary
- IDM is almost 100% an IT-driven project

Pre-analysis. Question: To what extent was a pre-analysis of challenges and needs with respect to user administration and access management conducted? (rating 1-4, 1 = not at all, 4 = to a high extent). Chart: number of respondents (0-14) per rating 1 to 4.

User involvement (charts for public and for private organisations). Question: To what extent were the intended users/owners of the IDM system involved in the project? Answer options:
- Owners/users were consulted on design/architecture
- Owners/users were involved in the test phase of already planned solutions
- Owners/users were not involved before the training phase
- Owners/users were not involved, as it was an IT project

Success criteria at project start-up. Question: How were the following success criteria weighted at the start-up of the project? (rating 1-4, 1 = least, 4 = highest). Chart: average rating (scale 0.00-4.00) for Increased user satisfaction; Increased efficiency or financial savings; Increased compliance; Increased security.

Success criteria in relation to the results. Question: How were the following success criteria weighted in relation to what was achieved? (rating 1-4, 1 = least, 4 = highest). Chart: average rating (scale 0.00-4.00) for Increased user satisfaction; Increased efficiency or financial savings; Increased compliance; Increased security.

Overview: initiation criteria vs. realised (average rating, 1-4)

Factor                  Initiation   Realised   Difference (initiation minus realised)
Increased Security      3.63         3.22       0.41
Increased Compliance    3.45         3.05       0.40
Increased Efficiency    3.26         2.44       0.82
Increased Satisfaction  3.32         2.73       0.59

Overview: success rating vs. ownership of processes. Chart: success rating (1-4, 1 = least, 4 = highest) for Increased user satisfaction, Increased efficiency or financial savings, Increased compliance and Increased security, broken down by the extent of business ownership of user administration and access management:
- IDM is almost 100% an IT-driven project
- IT involves the business organisation in IDM if necessary
- The business organisation is demanding towards IT, which implements, tests and delivers
- The business organisation is demanding, and IDM is an integrated part of the business processes, which are audited continuously

What would you do differently? (respondents' answers)
- Management ownership as well as involving the business organisation. Also a deeper and more thorough pre-analysis and a critical choice of supplier are important.
- Send more money!
- There has been a lack of central coordination (top management); it has been fragmented in regards to different system owners.
- Supplier management is essential; we trusted the suppliers too much.
- Users should be involved early in the process, and time should be spent in the training system.
- Make managers aware of the importance of security.
- Management's authorisation of employees, as well as strengthening of the control environment.
- Municipalities must know each individual employee; compliance is important.
- The public sector is not capable of rolling out systems as fast as the private sector.
- Involve users earlier.
- Have decisions in place early.
- It must be owned by the business organisation.

Conclusion. As this is the first time we have put such questions to a broader audience, we have no data against which to compare the weighting of the driver groups with earlier periods. It is however our impression that Danish organisations have in the past focused on increased efficiency, rationalisation and savings as the most important factors when deciding whether or not to embark on an IAM project. The answers in our survey indicate a tendency to focus more on security and compliance than we would have expected. The differences are however not significant (but note the low emphasis on user satisfaction; this is clearly not driving much).

We're not alone. Gartner's report on User Administration & Provisioning (UAP) of 27 December 2012 describes a similar change in the IAM market as a whole. Gartner notes that in the period 2010-2012 it sees a shift from efficiency to responsibility, transparency and control: a shift from Identity & Access Management to Identity & Access Governance, providing information about who has access to what, for use by the business in meeting internal and external audit, compliance and regulatory needs, forensic investigations, risk and control assessments, etc. Gartner also notes that the need for an efficient and controlled provisioning process will not disappear, but that organisations seem to focus more on using the existing knowledge about users' access to fulfil business needs.

IAM in a governance perspective: Access Governance, main building blocks and enablers

Access Governance and Compliance sit at the top of the model. Building blocks and enablers: Security policies, standards and strategies; Effective controls; Identity lifecycle processes; Access management and administration processes; Security management processes; Automation; IAM technologies. Dimensions: People, Processes, Technology.

Identity & Access Management is a foundation for effective control compliance. It supports policy change and enforcement and helps accelerate the adoption of adequate and effective controls. To ensure sustained compliance, Identity & Access Management projects should address all three dimensions: People, Process and Technology.

Access Governance The road to sustained compliance

Questions to consider (roundtable):
- Is focus shifting due to increased regulatory requirements?
- Have organisations realised the automation potential, and are they now moving towards further benefits in the shape of security and compliance?
- How do we build a business case for IAG in a time of economic crisis?
- Will IAG projects extend to encompass more systems/applications, or focus more on role development and fine-grained access management for a limited number of end-points?
- Will IAG be, or continue to be, the responsibility of the IT department?

Deloitte Touche Tohmatsu Limited Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Statsautoriseret Revisionspartnerselskab. Member of Deloitte Touche Tohmatsu Limited