IT Advisory
Identity & Access Management: new, complex, so don't start?
Ing. John A.M. Hermans RE, Associate Partner
March 2009
Agenda
1. KPMG's view on IAM
2. KPMG's IAM Survey 2008
3. Best approach for IAM
4. Questions & Answers

2009 KPMG Advisory N.V., the Dutch member firm of KPMG. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG.
Changing operating environment for companies
Company X: a medium to large entity with diverse operations and (a) complex compliance mandates and (b) aggressive financial goals. It consists of Business Unit A, Overseas Affiliate B and Trusted 3rd Party C. Each business unit, affiliate and trusted third party utilizes numerous, sometimes disparate, information systems and repositories, each using unique processes and information assets to manage their business objectives.
This leads to:
- exploding data populations
- control deficiencies (i.e. access and SoD)
- redundant data
- lack of data integrity
- limited query capability
- information inaccessibility
- data leakage
A Typical Business Access Management Environment Today
Stakeholders: system administrators, security administrators, business managers, employees, suppliers, clients, third parties.
Scale: 1,000+ users, 100+ applications, 100,000+ possible functions, short user life cycles.
Requirements and drivers: provisioning, immediate access requirements, SSO, employee self service, mergers and acquisitions, consolidation, privacy legislation, data protection acts, Sarbanes-Oxley, Basel II, segregation of duties, outstanding audit issues.
Platforms: SAP, Windows, PeopleSoft, Mainframe.
How do you manage and control who has access to what in an efficient and effective way?
Definition of Identity & Access Management
The policies, processes and systems for efficiently and effectively governing and managing who has access to which resources within an organisation.
The processes covered by IAM are:
- User management
- Authentication management
- Authorisation management
- Access management
- Provisioning
- Monitoring & audit
KPMG's view on the envisioned end-state of IAM
Governance spans all components. The envisioned end-state consists of six components:
(1) Authentication Management: authentication management services for employees, suppliers, partners, customers, etc.
(2) User Management: user lifecycle, automated trigger, approve user authorizations based on roles/rules; user management services.
(3) Authorization Management: authorization model, usage contract.
(4) Access Management: access management services, federation, systems and applications.
(5) Data Management & Provisioning: provisioning services (manual / automated), data management services, authoritative sources.
(6) Monitoring & Audit: monitoring services, auditing services, reporting services; compares the desired state with the actual state.
IAM process model (simplified) and problem statement
- User Management: user lifecycle, automated trigger, authoritative source.
- Authorisation Management: approve user authorisations based on standard roles; authorisation model.
- IAM Administration: manage, self service; provisioning via the provisioning service (desired state).
- End-users: use systems (actual state).
- Monitoring & Audit: monitoring services, auditing services, reporting services comparing desired state and actual state.
IT Advisory
KPMG's 2008 European Identity & Access Management Survey: main findings
Current status and IAM projects
- All participants started one or more IAM projects in the last three years
- Two-thirds of participants have separate IAM budgets
- The financial sector has the highest budgets, the government sector the lowest
All respondents initiated an IAM journey: IAM is here to stay!
Scope of IAM projects
- IAM projects focus on employees/contractors and internal systems/information
- Federated Identity Management, the cross-boundary connection of IAM environments with business partners, is not yet broadly used
Most projects are focused on employees and contractors. The main reason appears to be the obligation to comply with internal and external regulations.
Drivers & benefits
- Significant benefits are expected for regulatory compliance and risk management, especially in the Financial Services sector and the Information, Communication & Entertainment sector
- For the Infrastructure, Government and Healthcare sectors, significant gains are expected from process improvements
- Cost containment and competitive advantage are the least important drivers of IAM
Improving compliance and reducing risk are the main drivers behind IAM projects.
Satisfaction
- More than half of the IAM projects did not achieve the intended goals
- There is a clear gap between expected and actual benefits of IAM projects
- Most organisations lack insight into the benefits of IAM projects
A confirmed strategy, business case and expectations management are essential for a successful IAM project.
Project failures
- The biggest challenges for a successful IAM project are not the technical issues
- The main cause of project failure is that the business is not ready
How to approach IAM
KPMG's IAM Methodology
Phases: Plan, Insight, Design, Implement, Monitor.

Objective per phase:
- Plan: effective and efficient project kick-off
- Insight: assess current state and envision future state
- Design: help design the IAM process and infrastructure solution
- Implement: help implement the IAM solution
- Monitor: help assess and enhance the operation of the solution

Activities (from Plan through Monitor):
- Define the project approach
- Facilitate the planning activities for the overall IAM engagement
- Gain an understanding of the client's issues and objectives related to the engagement
- Assist with the understanding of the current state and future state vision and areas of improvement
- Transition into designing the IAM solution
- Clarify IAM solution business requirements and KPIs
- Assist with IAM strategy, roadmap and conceptual architecture
- Obtain business case approval
- Assist the client to design the IAM PMO and governance model
- Facilitate the establishment of the PMO and governance model
- Assist the client with designing the IAM solution
- Assist the client with solution selection
- Provide project advisory and risk / control support throughout the implementation process
- Conduct post-implementation review
- Audit the IAM program
- Assist with ongoing compliance auditing and performance monitoring

Tools deployed (from Plan through Monitor):
- KPMG Identity and Access Management methodology
- KPMG Project Management methodology
- KPMG Change Management methodology
- KPMG Business Performance Improvement methodology
- ISO 27001 questionnaire and mapping tool
- Current state workshop guidance
- Stakeholder matrix and portfolio template
- IAM interview questionnaire
- Industry practices
- Business case template
- Roadmap template
- Future state strategy sample
- ROI calculator
- Implementation tools and templates
- Implementation plan
- Use case examples
- RFI and RFP templates
- Infrastructure design examples
- Interface development guidance
- IAM assessment programs
- Assessment work plans
- Segregation of Duties tools
- Remediation and improvement templates

Deliverables (from Plan through Monitor):
- Project plan
- Stakeholder matrix
- Current state assessment report
- High-level future state model
- Gap analysis and remediation recommendations
- Defined CSFs and KPIs
- Future state strategy
- Future state roadmap
- IAM conceptual architecture
- IAM business case
- IAM PMO design
- IAM governance design
- IAM use cases
- RFI and RFP
- Pilot testing program
- Implementation program
- IAM assessment status report
- Benefits realization report
- Remediation and enhancement report
- Performance scorecard
Step 1: Build your strategy and business case
Who to involve?
- Business: responsible for management / controlling of business activities
- HR: responsible for management of employee information
- IT Architecture & Ops: responsible for IT architecture and IT operations
- Identity & Access Management
- Audit: responsible for internal audit
- Programs & Projects: responsible for updating the IT of the business environment of the enterprise
- Security: responsible for the organisation's security processes
Step 1: Build your strategy and business case
What are you aiming for? Overall ambition level, from minimum to maximum scenario:
1. Common security principles and policies; separate IAM solutions per organizational unit
2. Common security principles and policies, common processes, but separate IAM solutions per organizational unit
3. One IAM solution as Shared Service for all organizational units, but limited to core and critical business applications
4. One IAM solution as Shared Service for all organizational units and all business applications
The ambition level is based on the IAM governance model.
Step 1: Build your strategy and business case
Identity & Access Management business value: managing risks efficiently.
Core benefits: automation, repeatability, consistency, accountability.
Drives results: reduced cost, better service, increased compliance.
Metrics:
- Avg access request turn-around time
- Avg time between user termination and the disablement of the user's IDs
- Avg time between a user's role change and the access rights update
- Avg time to obtain approval for a request
- Time interval to re-notify an approver about unfulfilled access requests
- % of requests initiated through the proper channel
- % of requests that are fully processed through roles
- % of requests that do not require re-work
- % of changes done through the tool
- % of requests processed with management approval
- % of residual active accounts belonging to employees who were terminated
- % of requests processed with an audit trail
- % of privileges covered by periodic access reviews
- % of privileges that can be reviewed through audit reports
- % of audit findings associated with security administration lapses
- % of access requests processed in compliance with the policies and procedures
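The metrics above only become useful once they are actually computed from the HR feed, the account store and the access-request log. The script below is an added example, not part of the KPMG deck or any KPMG tool: it computes the termination-to-disablement lag, the residual-active-account rate and several of the request-quality percentages over a small constructed data set (the record layout and the field names are assumptions).

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from the deck): an HR extract joined with the
# account store, plus a log of access requests with their handling attributes.
USERS = [
    {"uid": "u1", "terminated": date(2009, 1, 5),  "disabled": date(2009, 1, 6)},
    {"uid": "u2", "terminated": date(2009, 1, 10), "disabled": None},  # residual active account
    {"uid": "u3", "terminated": None,              "disabled": None},  # still employed
    {"uid": "u4", "terminated": date(2009, 2, 1),  "disabled": date(2009, 2, 15)},
]
REQUESTS = [
    {"id": 1, "via_tool": True,  "role_based": True,  "mgt_approved": True,  "rework": False},
    {"id": 2, "via_tool": True,  "role_based": False, "mgt_approved": True,  "rework": True},
    {"id": 3, "via_tool": False, "role_based": False, "mgt_approved": False, "rework": False},
    {"id": 4, "via_tool": True,  "role_based": True,  "mgt_approved": True,  "rework": False},
]


def pct(hits, total):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * hits / total, 1) if total else 0.0


def residual_active_accounts(users, as_of):
    """Terminated users whose account is still enabled (the orphan-account KPI).

    Returns the offending user ids and their share of all terminated users.
    """
    termed = [u for u in users if u["terminated"] and u["terminated"] <= as_of]
    orphans = [u["uid"] for u in termed if u["disabled"] is None]
    return orphans, pct(len(orphans), len(termed))


def avg_termination_to_disable_days(users):
    """Average lag (days) between termination and disablement, over closed cases only.

    Still-active accounts are excluded here; they are reported by residual_active_accounts.
    """
    lags = [(u["disabled"] - u["terminated"]).days
            for u in users if u["terminated"] and u["disabled"]]
    return mean(lags) if lags else None


def request_metrics(requests):
    """Request-quality percentages from the metrics list (proper channel, roles, approval, re-work)."""
    n = len(requests)
    return {
        "pct_via_proper_channel": pct(sum(r["via_tool"] for r in requests), n),
        "pct_fully_role_based": pct(sum(r["role_based"] for r in requests), n),
        "pct_with_mgt_approval": pct(sum(r["mgt_approved"] for r in requests), n),
        "pct_no_rework": pct(sum(not r["rework"] for r in requests), n),
    }


if __name__ == "__main__":
    print(residual_active_accounts(USERS, date(2009, 3, 1)))
    print(avg_termination_to_disable_days(USERS))
    print(request_metrics(REQUESTS))
```

A residual-active-account rate above zero is the one figure that should trigger an immediate ticket rather than wait for the periodic review.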
And then there was the CRISIS...
Consequences of the crisis:
- Budget cuts, resulting in reassessing the project portfolio
- Search for cost optimization opportunities
- Increased need for adequate risk management, leading to an increase in compliance obligations
Most IAM initiatives are currently being reassessed:
- Is there still a business case / business need? Or has it changed?
- Does the original approach still meet the requirements of the business?
- Can we cut the budget for IAM or delay the program?
- Are there different options? Re-scoping of the original scope? From corporate-wide to departmental or application domain specific (i.e. focus on the crown jewels)?
The current economic slow-down requires organizations to reformulate their IAM strategy.
Costs related to Identity & Access Management
Project costs:
- PMO-related, such as project management and quality assurance
- Design, build, integration and test of the IAM environment (including building of connectors)
Investments (CAPEX):
- IAM software & hardware
Cost of operations (OPEX):
- Activities of security administration (IT)
- Activities related to the authorization request process (Business)
- Activities related to authorization definitions (e.g. SoD matrices, business rules, etc.)
Cost of control (OPEX):
- Periodical reviews by management and application / business owner (process control costs)
- Periodical audits
Reformulating the IAM strategy requires more focus on potential cost savings
Direct cost savings:
- Operational excellence (see next slides): Business / IT / Audit
Indirect cost savings:
- License management
- Limiting costs through the use of new technologies such as SaaS
- Sourcing fee
In the current climate there is no one size fits all - circumstances vary
Three horizons, with an increasing time horizon for planning and choices:
Strategic
- Examples: outsourcing; strategic divestiture; location rationalization; fundamental shift in technology architecture
- Long-term view to generating sustainable performance improvements consistent with strategic goals and long-term value creation. Performance improvements may reflect a high degree of improvement and shifts of fundamental technology.
Tactical
- Examples: discretionary spend reduction; de-layering; process optimisation (Lean/6σ); contract renegotiation
- Opportunistic response to improve performance of the existing technology function, taking account of emerging competitive pressures, deteriorating cost control or other margin pressures, and stakeholder pressure for short-term performance improvement.
Survival
- Examples: stopping all non-essential spend; sale of assets for cash, technology carve-outs; rapid cessation of non-core services
- Rapid cost reduction to stay in business; speed is of the essence. Cash is usually paramount. Most options are 'non-discretionary'. Immediate divestment or closure of business lines may form part of the approach.
Cost optimization opportunities related to IAM (some examples)
Cost categories: project, investments, cost of operations, cost of control.
Strategic:
- Use of well-known methodology / best practices
- Use of an experienced IAM team
- Align IAM initiatives across the organization
- Consolidation of IAM platforms (HW / SW)
- Establish IAM as a consolidated online service to be used for all key apps
- Use of Federated Identity Management (for business partners)
- Role based authorization
- Automation of the Authorization Request Management process
- Single Sign On
- Integrate IAM controls with GRC controls
- Automating periodical control (attestation)
Tactical:
- Redefine IAM strategy and focus on key concerns/areas
- Off-shoring development and testing of connectors
- Renting of / pay per use for IAM software
- Use of Open Source products
- Introduction of password reset/synchronization
- Automation of provisioning
- Off-shoring of IdM services
- Automating fact-finding audits
Survival:
- STOP the IAM initiative
- Sale / lease back of equipment
Step 2: IAM Solution Design (1) - Need for one confirmed architecture
The starting point for the deployment of IAM is a confirmed architecture, consisting of:
- Governance (in terms of a RACI model)
- Processes and procedures
- Functional components of IAM
Attention point: as IAM is a multiyear program, it is recommended to start with a high-level conceptual architecture and detail the architecture into a physical architecture (consisting of the technology choices) per stage of the program.
Step 2: IAM Solution Design (2) - Single vendor / multiple vendor strategy
Most IdM solutions provide almost identical functionalities for user management and provisioning:
- Workflows
- Connectivity to authoritative sources
- Connectivity to target systems & applications
- Limited authorization management capabilities
- Limited reporting capabilities
Most IdM solutions provide only limited capabilities for access certification / role engineering / role management.
Most of our clients implement a best-of-breed solution, since no single solution is seen to be complete.
Step 2: IAM Solution Design (3) - Outsourcing
Outsourcing of technical management of the IAM solution:
- Various multinationals outsource the technical management of (parts of) their IAM solution
- As-is is sourced, most of the time organised per client
- Key for success: linkage to the client's HR and contract management processes; linkage to authorization management processes
Identity Management as a service is still in the early stages of development.
Step 3: Define high-level IAM roadmap (maturity model)
Levels: Level 1 Performed Informally; Level 2 Planned and Tracked; Level 3 Well Defined; Level 4 Mature; Level 5 Industry Leading. The organisation's current state (2007 / 2008) and target state (end of 2010) are plotted against these levels.
Characteristics, from least to most mature:
- Manual account management; disparate application security models; native user stores
- Manual account management; limited auditing capabilities; limited password management; disparate application security models adhering to standards; multiple directory stores with duplicative data; simple RBAC capabilities; limited SSO capabilities
- Consolidated directories; self-service password management; limited automated provisioning; auditing capabilities; limited RBAC capabilities
- Centralized directory infrastructure; fully automated provisioning and SSO; automated auditing capabilities; enterprise monitoring; automated compliance tracking; advanced RBAC capabilities
- Federated identity management; fully integrated provisioning; advanced auditing capabilities; enterprise metrics; enterprise compliance tracking
Step 3: Example of a roadmap
Plateau 1: Basic provisioning for employees (estimated timeline Q4 2007)
(1) Introduction of the IAM solution infrastructure
(2) User management is linked with (aggregated) HR
(3) Automated provisioning of generic IT services
Plateau 2: Limited Role Based Access Control for the organization's portal (Q3 2008)
- IAM solution manages SAP Portal accounts and authorizations
Plateau 3: Extensive Role Based Access Control for the organization's business systems (2009, management decision)
- IAM solution manages the organization's business systems
Plateau 4: Extensive Role Based Access Control for other systems (TBD)
- IAM solution manages other (legacy) systems
To conclude
- Identity & Access Management is here to stay!
- Drivers for Identity & Access Management (compliance, operational excellence and business agility) are still valid, despite the current economic climate
- Research shows that the risk management function needs to improve, resulting in more compliance obligations
- The economic crisis requires organizations to reformulate their Identity & Access Management strategy: what to do? In what order? To what extent? Within current budget restrictions!
KPMG Key Contact Details
John Hermans, Associate Partner, KPMG Advisory N.V.
Tel: +31 6 51 366 389
Email: hermans.john@kpmg.nl