The Principles of Audit Automation for Access Control
Redmond Identity Summit 2014: Directories, Devices, Identity
Marvin Tansley
Agenda
- The Role of Identity and Roles in Access Control
- What Does an Auditor Want?
- Okay, how do I automate?
- Q&A
The Role of Identity
Identity spans the environment:
- Users & Devices to Infrastructure
- Infrastructure to Apps & Services
- Users & Devices to Apps & Services
(Diagram: Users & Devices, Infrastructure and Apps & Services, with Identity at the centre.)

Identity is Essential for Cloud Computing
Identity spans Traditional IT, Private Cloud, Public Cloud and Hybrid Cloud across Users & Devices, Infrastructure and Apps & Services, and provides governance and control of the end-to-end user lifecycle.
User Identity Lifecycle Methodology
Lifecycle stages: Provisioning, Authentication, Authorization, Self Service, Password Management, De-Provisioning, Compliance.
Events that drive the lifecycle: relationship begins; new project; change of location, roles, etc.; forgotten password; relationship ends.

Centralized Identity Management
Locate the logic in one place and connect to many systems.
- Sources: Users, HR Systems, Application Owners & Managers, Administrators
- Functions: Automated Provisioning; Automated De-provisioning; Account, Group and Mailbox Management; Self Service Group Management; Self Service Password Reset; Workflow (Notifications, Approvals); Attestation and Reporting
- Targets: Cloud (Office 365, Salesforce, ADP); On Premise (Database, Directories & Applications, Active Directory, Exchange)
- Outcome: Improved Productivity
What does an Auditor want?
As presented by KPMG at OCG summits and webinars.
Access Governance and Automation
Main objective of the auditor during the testing of IT General Controls, by control area:
- Information security policy / user awareness: availability of an information security policy within the organisation, including the awareness of employees of this policy. The responsibility for information security should be allocated to a designated employee.
- Physical access: not tested using access governance (out-of-scope).
- Configuration of access rules: authorization matrices are available and are approved by the process/application owner. These matrices are used to validate authorization requests and are implemented in the applications.
- Access administration: authorization requests are submitted by an authorized manager in hardcopy or electronically; other authorization requests are not accepted. Changes of job function or employment status are communicated, resulting in the modification of authorizations.
- Identification and authentication: the user gains access with an account that can be traced back to a person. The organization uses an adequate password policy.
- Monitoring and reporting: the responsible management periodically validates that the implemented authorizations are correct. Incorrect authorizations are modified immediately.
- Super users: administrators use individual accounts to perform their administrative actions. The actions performed using administrative accounts are validated.
Access Governance and Automation: Audit innovation phases
Phase 1: Preparation
- Collection of data (HR + application)
- Setting up rules
- Account matching
Phase 2: Rules validation
- Comparison of authorization matrices
- Segregation of Duty policy checks
- Super users
Phase 3: Reporting of results to management
- Discuss the results
- Determine the risks taken
- Suggestions for client improvements
(Diagram: the control areas from the previous slide, from information security policy through super users, are assigned to Phase 1 or Phase 2.)
MANAGING ROLES AND ENTITLEMENTS

Incremental Approach to Entitlements Management
- Stage 1: Use raw entitlements for requests, provisioning, and access certification
- Stage 2: Definition of application roles for use with access certification
- Stage 3: Publish application roles through the request framework for provisioning
- Stage 4: Establish policy (rules) for mapping application roles to users
- Stage 5: Functional roles for use in policy
Historical Perspective: Evolution Toward Roles
Historically the focus of Identity and Access Management has been on managing users (provisioning) and enforcing access policies (access management). The focus of Identity and Access Management needs to evolve from managing identities to managing entitlements.

The natural state of identity is chaos, as accounts are managed individually across separate systems, each with its own mechanisms for authentication and access control. It is hard to know whether a person has the right access. It is hard to know who owns a specific account. Orphan accounts are a chronic problem.

Identity Management innovations:
- A people-oriented perspective on accounts and access
- Information about people is more available to applications for access decisions
- Answers the question: who has access to what?
- Applications individually mine people data
Even though we now know who owns individual accounts, we still treat accounts individually from an access perspective. It is still hard to know whether a person or account has the correct access.

Entitlements management is a natural evolution from application management through identity management. Roles increase the power of entitlements management by providing higher-quality information to enhance decision-making and policy enforcement. Roles present logical groupings of users or entitlements to improve visibility, provide clarity, enable comprehensibility, and enhance control. They enhance governance by institutionalizing the accountability of the business for access to business information and provide tools for the effective exercise of authority.
Okay, how do I automate?

Access Governance and Automation
Roles, profiles and groups: a communication mechanism.
Role Based Access Control in FIM 2010 R2
Knowing who really has access to what systems is vital for regulatory compliance and for safeguarding security. In many cases manual processes leave fundamental vulnerabilities unnoticed and make audit and reporting difficult. This 60-minute webinar will explore the subject of Access Governance and showcase the BHOLD Suite. Please join us to find out how the BHOLD Suite can help automate the process.
Solutions for Access Governance and Automation will:
- Reduce account administration costs
- Provide insight into your current status regarding accounts and authorizations
- Expose compliance and security policy violations
- Help you prove compliance with laws, rules, and regulations (e.g. SOX, FSA, PCI DSS)
- Give you confidence in the quality of your data
Identity and Access Management (data flow example)
- HR System record: FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr Melissa Meyers; EmplID 123
- Metadata in FIM 2010 (fed by HR, Self Service and Workflow): FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr Melissa Meyers; Username Tadams; Email Tadams@litware.com; Phone 555-1212
- On Premises and Private Cloud access control groups: Melissa's Directs; All in Sales
- Public Cloud roles: Sales App Owners; Sales Cloud Users
- LDAP entry: Givenname Terry; Surname Adams; Phone 555-1212; LoginID Tadams; Email tadams@litware.com
Role Based Access
A. Business Roles contain System Roles and correspond to business functions or business roles.
B. System Roles contain Permissions and correspond to business tasks.
C. Permissions correspond to groups or profiles in managed systems.
(Diagram: hierarchy of Business Role A containing System Role B containing Permission C, with BHOLD mapping each permission to a group, profile or resource in the target applications, Application A and System B.)
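To show how the audit phases above (account matching, authorization-matrix comparison, Segregation of Duty checks, super users) fit together with the A/B/C role hierarchy on this slide, here is an added example in Python. It is not BHOLD or FIM code; the role model, SoD pair, HR feed and account dump are all constructed sample data.

```python
# Constructed RBAC model in the page's A/B/C shape:
# business role -> system roles -> permissions (groups in managed systems).
BUSINESS_ROLES = {"Sales Manager": ["CRM-Manager", "Mail-User"],
                  "AP Clerk": ["ERP-AP-Entry", "Mail-User"]}
SYSTEM_ROLES = {"CRM-Manager": ["CRM/Approvers", "CRM/Users"],
                "Mail-User": ["Exchange/Mailbox"],
                "ERP-AP-Entry": ["ERP/AP-Entry"],
                "ERP-AP-Approve": ["ERP/AP-Approve"]}
SOD_PAIRS = [("ERP/AP-Entry", "ERP/AP-Approve")]  # constructed SoD policy
SUPER_USER_GROUPS = {"AD/Domain Admins"}

# Constructed Phase 1 inputs: HR feed keyed by EmplID, and an account dump.
HR = {"123": {"name": "Terry Adams", "role": "Sales Manager"},
      "124": {"name": "Pat Lee", "role": "AP Clerk"}}
ACCOUNTS = {
    "tadams": {"emplid": "123", "groups": {"CRM/Approvers", "CRM/Users", "AD/Domain Admins"}},
    "plee": {"emplid": "124", "groups": {"ERP/AP-Entry", "ERP/AP-Approve", "Exchange/Mailbox"}},
    "svc_old": {"emplid": None, "groups": {"CRM/Users"}},  # no HR match
}

def expected_permissions(business_role):
    """Resolve the hierarchy: business role -> system roles -> permissions."""
    perms = set()
    for sys_role in BUSINESS_ROLES.get(business_role, []):
        perms.update(SYSTEM_ROLES.get(sys_role, []))
    return perms

def audit(hr, accounts):
    """Phase 2 rule validation; returns (account, finding, detail) tuples."""
    findings = []
    for acct, data in accounts.items():
        person = hr.get(data["emplid"])
        if person is None:  # account cannot be traced back to a person
            findings.append((acct, "orphan", None))
            continue
        expected, held = expected_permissions(person["role"]), data["groups"]
        for extra in sorted(held - expected - SUPER_USER_GROUPS):
            findings.append((acct, "excess", extra))  # not in the matrix
        for missing in sorted(expected - held):
            findings.append((acct, "missing", missing))
        for a, b in SOD_PAIRS:
            if a in held and b in held:
                findings.append((acct, "sod", f"{a}+{b}"))
        for su in sorted(held & SUPER_USER_GROUPS):
            findings.append((acct, "superuser", su))  # reviewed separately
    return findings
```

Running `audit(HR, ACCOUNTS)` on the constructed data yields one orphan account, one missing and one excess group, one SoD violation and one super-user membership, which is the Phase 3 input for management.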
Microsoft BHOLD Suite Modules
- BHOLD Core, backed by the BHOLD DB (SQL)
- Reporting
- Analytics
- Model generator
- Attestation
- FIM integration: FIM provisioning, FIM Sync, FIM Service, FIM Portal

BHOLD Core Module
Manages the central store for the RBAC model, which contains:
- Users
- Organizational units
- Roles
- Permissions
Calculates user access rights based on role membership. Required by all other BHOLD Suite modules.
Attestation Module
Implements a repeatable process to review and clean up access rights. Allows managers and application owners to review and approve the existing access rights of users across the organisation.
- Campaign Managers define attestation campaigns
- Stewards receive emailed requests to approve employees' existing access rights
- Dashboards provide visibility into the progress of a campaign
- Attestation can be done on accounts or group memberships
- Denied access rights can automatically be removed from users, through FIM
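The attestation flow on this slide (campaign per steward, dashboard progress, denied rights handed off for removal) as an added Python example. It is not BHOLD code; the access rights, steward assignments and replies are constructed, and the rule that only the assigned steward's verdict counts is an assumption drawn from the auditor's requirement that requests from anyone other than an authorized manager are not accepted.

```python
# Constructed access rights; 'steward' is the manager or app owner who attests.
ACCESS = [
    {"user": "tadams", "group": "CRM/Approvers", "steward": "mmeyers"},
    {"user": "tadams", "group": "Exchange/Mailbox", "steward": "mmeyers"},
    {"user": "plee", "group": "ERP/AP-Approve", "steward": "jdoe"},
    {"user": "plee", "group": "ERP/AP-Entry", "steward": "jdoe"},
]
# Constructed replies: (decider, user, group, verdict). The third one is a user
# attesting their own access, which the assigned steward did not submit.
DECISIONS = [
    ("mmeyers", "tadams", "CRM/Approvers", "approve"),
    ("jdoe", "plee", "ERP/AP-Approve", "deny"),
    ("tadams", "tadams", "Exchange/Mailbox", "approve"),
]

def build_campaign(access):
    """One review request per steward, listing the (user, group) pairs to attest."""
    requests = {}
    for row in access:
        requests.setdefault(row["steward"], []).append((row["user"], row["group"]))
    return requests

def apply_decisions(campaign, decisions):
    """Only the assigned steward's verdict on an item counts; anything else is
    rejected. Returns (dashboard counts, rights to remove, rejected replies)."""
    valid = {(s, u, g) for s, items in campaign.items() for u, g in items}
    verdicts, rejected = {}, []
    for decider, user, group, verdict in decisions:
        if (decider, user, group) in valid and verdict in ("approve", "deny"):
            verdicts[(user, group)] = verdict
        else:
            rejected.append((decider, user, group))
    total = len(valid)
    removals = sorted(k for k, v in verdicts.items() if v == "deny")  # to FIM
    dashboard = {"total": total, "decided": len(verdicts), "pending": total - len(verdicts)}
    return dashboard, removals, rejected
```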
Attestation
Next Steps
- Have OCG do an Active Directory Assessment
- Sign up for the Windows Azure Active Directory Premium Preview: http://www.windowsazure.com/en-us/services/preview/
  - Self service password reset
  - User provisioning and de-provisioning to SaaS apps
  - Group management
  - Advanced security reports
  - More to come!
My contact info: marvin.tansley@oxfordcomputergroup.com
Q&A