Kuppinger Cole Virtual Conference
The Three Elements of Access Governance
Martin Kuppinger, Kuppinger Cole, mk@kuppingercole.com
December 8th, 2009
This virtual conference is sponsored by Axiomatics and Oracle
Creating more value for less through Identity Management & GRC
Topics:
- Market Maturity
- Regulation, Privacy, Information Security
- Governance, Mitigating Risk
- Cloud Computing & Trust
- Roles and Attributes
- Authentication & Authorization
Call for Speakers: http://www.idconf.com/events/eic2010/callforspeakers
Sponsors/Exhibitors: http://www.idconf.com/events/eic2010/sponsorinfo
www.id-conf.com/eic2010
Page 2
Virtual Conference: Enterprise Access Governance
Controlling Access, Ensuring Information Security
December 8-9, 2009
- How to efficiently mitigate your access risks
- Full Access Governance: combining access certification, role management, provisioning, and privileged access management
- RBAC vs. ABAC: Comparing Role Based and Attribute Based Access
- The business view: Enterprise GRC vs. IT-GRC and where they should be linked
- Mitigating application security risks
- How does Access Governance fit into your GRC roadmap?
www.kuppingercole.com/webinars
Page 3
Kuppinger Cole Reports
Some of the current reports:
- Market Report: Cloud Computing
- Product Report: Radiant Logic Virtual Directory Server
- Vendor Report: Arcot Systems
- Product Report: Sun Identity Manager
- Vendor Report: ActivIdentity
- Trend Report: Enterprise Role Management
- Vendor Report: Quest Software
- Product Report: SailPoint IdentityIQ
- Vendor Report: BHOLD 2009
- Vendor Report: Entrust 2009
- Vendor Report: Oracle 2009
- Vendor Report: Evidian
- Business Report: Key Risk Indicators
http://www.kuppingercole.com/reports
Page 4
Some guidelines for the Webinar
- You will be muted centrally. You don't have to mute/unmute yourself; we control the mute/unmute features.
- We will record the Webinar.
- Q+A will be at the end. You can ask questions using the Q+A tool at any time; we will pick them up at the end or, if appropriate, during the Webinar.
Page 5
Agenda
Part 1, Martin Kuppinger: The Three Elements of Access Governance
- Recertification/Attestation
- Access Control
- Privileged Access Management
Part 2: Q+A
Page 6
Access Governance defined
Access Governance
- Access: managing access to systems and information. Who is allowed to do what?
- Governance: enforcing a good practice of management, in this case particularly for IT
Context: IAM (Identity and Access Management)
- The management of identities and their access
- It's mainly about access, but we need identities for that
Context: GRC (Governance, Risk Management, and Compliance)
- Governance as the basic concept
- Risk Management and Compliance as elements of Governance
Context: Information Security
- Information Security is the business term
- That's why we mainly deal with topics like IAM and Access Governance
Page 7
The three elements of Access Governance
(Diagram) The main elements:
- Authorization Management
- Privileged Account Management
- Attestation/Recertification
- Auditing
The diagram arranges them along two axes: Analysis vs. Management, and the types of accounts covered: Standard User vs. Admin User.
Page 8
Attestation and Recertification: Analyzing the situation
- The (manual) process of having responsible persons go through existing access controls (authorizations, entitlements) and attest or revoke them
- Manual control process
- Regularly performed at the departmental manager level (but be careful on that)
- Supported by escalations and other procedures
Page 9
The need for attestation: 5 good reasons
- Attestation is a first step to clean up access controls
- Attestation is (if done right) a continuous audit mechanism
- Attestation can show issues in identity and access lifecycle management
- Attestation educates users about the need for security
- Attestation can decrease access control-related IT security risks and the operational risks that depend on them
Page 10
Approaches to attestation (example of vendor rating, from worse to good)
- One-way, audit-oriented (worse) vs. two-way, actionable (good)
- Single-layered vs. multi-layered
- Point-of-time vs. continuous
- Undifferentiated vs. risk-based
Page 11
Technical approaches
- Attestation as a singular solution
- Attestation as part of overall GRC platforms
- Attestation as part of IAM-GRC platforms
- Identity Provisioning with reconciliation
- Attestation features in Provisioning
Direction: expand/integrate/move to IAM-GRC platforms
Page 12
Threat: Multi-layered attestation
(Diagram) Three attestation layers, each with its own question and its own responsible parties:
- Employees (tasks, projects, management) -> Business Roles, derived from job, hierarchy, location, project, ...: "Correct Business Roles?" Responsibility: Management + Business; Business IT
- Business Roles -> System Roles: "Correct Assignments?" Responsibility: Business IT + Identity Management; Identity Management
- System Roles -> Groups, Roles, Profiles (System Security, Access Control): "Correct Access Controls?" Responsibility: Identity Management + System Administration; System Administration
Page 13
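The attestation process described on the previous slides (responsible persons attest or revoke, escalations catch non-response) and the layered model above, worked through as an added example. This is not code from the presentation or from any product it mentions; the layer names, reviewer identities, roles and the campaign dates are constructed sample data.

```python
"""Multi-layered attestation campaign (added example; constructed data).

Each assignment lives on one layer of the model and is reviewed by the party
responsible for that layer. A reviewer either attests or revokes; an item nobody
decided on by its due date is escalated, never silently treated as attested.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Layer -> responsible reviewer role (follows the slide; the keys are our naming)
LAYERS = {
    "user_to_business_role": "line manager",
    "business_role_to_system_role": "IT / identity management",
    "system_role_to_entitlement": "system administration",
}


@dataclass
class Item:
    layer: str
    subject: str                     # who/what holds the assignment
    target: str                      # the role/entitlement assigned
    reviewer: str
    escalate_to: str
    due: date
    decision: Optional[str] = None   # "attest", "revoke" or None (still open)


def build_campaign(assignments, escalation_path, start, days=14):
    """One review item per assignment; all items are due `days` after `start`."""
    items = []
    for layer, subject, target, reviewer in assignments:
        if layer not in LAYERS:
            raise ValueError(f"unknown attestation layer: {layer}")
        if reviewer not in escalation_path:
            raise ValueError(f"no escalation path defined for reviewer {reviewer}")
        items.append(Item(layer, subject, target, reviewer,
                          escalation_path[reviewer], start + timedelta(days=days)))
    return items


def record_decision(items, reviewer, subject, target, decision):
    """Apply a reviewer's decision to the matching open item."""
    if decision not in ("attest", "revoke"):
        raise ValueError("decision must be 'attest' or 'revoke'")
    for it in items:
        if (it.reviewer, it.subject, it.target, it.decision) == (reviewer, subject, target, None):
            it.decision = decision
            return it
    raise LookupError(f"no open item for {reviewer}: {subject} -> {target}")


def close_campaign(items, today, extension_days=7):
    """Collect revocations to execute and escalate overdue open items.

    Returns (revocations, escalations). Escalated items are reassigned to the
    escalation reviewer with a new due date and stay open.
    """
    revocations, escalations = [], []
    for it in items:
        if it.decision == "revoke":
            revocations.append((it.layer, it.subject, it.target))
        elif it.decision is None and today > it.due:
            it.reviewer = it.escalate_to
            it.due = today + timedelta(days=extension_days)
            escalations.append((it.layer, it.subject, it.target, it.reviewer))
    return revocations, escalations


# --- constructed sample data (not from the presentation) -------------------
START = date(2009, 12, 8)
ASSIGNMENTS = [
    ("user_to_business_role", "alice", "AP-Clerk", "mgr.finance"),
    ("user_to_business_role", "bob", "AP-Approver", "mgr.finance"),
    ("user_to_business_role", "bob", "AP-Clerk", "mgr.finance"),
    ("business_role_to_system_role", "AP-Clerk", "SAP:Z_AP_POST", "it.sap.owner"),
    ("system_role_to_entitlement", "SAP:Z_AP_POST", "SAP:TX_AP_POST", "sap.basis"),
]
ESCALATION = {"mgr.finance": "head.finance", "it.sap.owner": "head.it", "sap.basis": "head.it"}


def run_demo():
    items = build_campaign(ASSIGNMENTS, ESCALATION, START)
    record_decision(items, "mgr.finance", "alice", "AP-Clerk", "attest")
    record_decision(items, "mgr.finance", "bob", "AP-Approver", "attest")
    # bob holding both the clerk and the approver role is the kind of issue attestation surfaces
    record_decision(items, "mgr.finance", "bob", "AP-Clerk", "revoke")
    record_decision(items, "it.sap.owner", "AP-Clerk", "SAP:Z_AP_POST", "attest")
    # sap.basis never answers: the item is escalated, not attested by default
    return close_campaign(items, START + timedelta(days=15))


if __name__ == "__main__":
    revocations, escalations = run_demo()
    print("revoke:", revocations)
    print("escalate:", escalations)
```

The point of the design is the default: an open item is never counted as attested. A campaign that treats silence as approval is the "one-way, audit-oriented" kind from the rating slide; making revoke and escalate explicit outcomes is what makes it actionable.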
More Analysis: Adding Automated Controls
- Automated controls support the ongoing analysis and (potentially) the real-time detection of issues
- Advanced analysis mechanisms support the ad hoc analysis
- Specific attestation/recertification solutions typically support at least ad hoc controls
- Relevant as well for typical day-by-day IT operations
Page 14
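An added example of what "automated controls" look like in practice: a batch analysis over an entitlement snapshot (segregation-of-duties conflicts, orphaned accounts) and a real-time check that evaluates a single role-grant event before it is applied. This is not code from the presentation; the rule set, role names and the snapshot are constructed sample data.

```python
"""Automated controls over an entitlement snapshot (added example; constructed data).

Two control types: an ongoing (batch) analysis that runs over the whole
snapshot, and a real-time check that evaluates one change event before it is
applied. Both use the same rule set, so findings are consistent.
"""
from collections import defaultdict

# Segregation-of-duties rules: pairs of roles one person must not hold together (constructed).
SOD_RULES = [
    ("AP-Clerk", "AP-Approver"),
    ("Payroll-Edit", "Payroll-Approve"),
]


def sod_violations(entitlements, rules=SOD_RULES):
    """Ongoing analysis: every user who holds both roles of a toxic pair."""
    roles_of = defaultdict(set)
    for user, role in entitlements:
        roles_of[user].add(role)
    found = []
    for user, roles in sorted(roles_of.items()):
        for a, b in rules:
            if a in roles and b in roles:
                found.append((user, a, b))
    return found


def orphaned_accounts(entitlements, active_users):
    """Ongoing analysis: accounts that still hold access but belong to no active person."""
    holders = {user for user, _ in entitlements}
    return sorted(holders - set(active_users))


def check_assignment_event(entitlements, event, rules=SOD_RULES):
    """Real-time control: would applying `event` create an SoD conflict?

    `event` is a dict {"user": ..., "role": ...} describing a role grant about
    to happen. Returns the conflicting roles the user already holds; an empty
    list means the grant is allowed.
    """
    user, new_role = event["user"], event["role"]
    current = {role for u, role in entitlements if u == user}
    conflicts = []
    for a, b in rules:
        if new_role == a and b in current:
            conflicts.append(b)
        elif new_role == b and a in current:
            conflicts.append(a)
    return conflicts


# --- constructed sample snapshot (not from the presentation) ----------------
ENTITLEMENTS = [
    ("alice", "AP-Clerk"),
    ("bob", "AP-Clerk"),
    ("bob", "AP-Approver"),
    ("carol", "Payroll-Edit"),
    ("dave", "Payroll-Approve"),   # dave left the company; HR no longer lists him
]
ACTIVE_USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    print("SoD:", sod_violations(ENTITLEMENTS))
    print("orphans:", orphaned_accounts(ENTITLEMENTS, ACTIVE_USERS))
    print("grant carol Payroll-Approve?",
          check_assignment_event(ENTITLEMENTS, {"user": "carol", "role": "Payroll-Approve"}))
```

The batch functions are what a scheduled control or an ad hoc query runs; `check_assignment_event` is the same rule evaluated at provisioning time, which is what turns a detective control into a preventive one.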
The situation
- Increasing awareness of the need for IT Governance
- Increasing complexity of IT environments: breadth and depth
- Changing role of IT: less autonomy, more focus on efficient fulfillment
- Growing number of compliance regulations
- Increasing pressure on IT management and operations
- More fear and awareness of security breaches
Page 15
The result
- More requests
- More answers to provide
- Less time to deliver
- Higher workload for fewer people
- Operational work is heavily affected
Page 16
The real world of core systems
- Many servers
- Different systems
- Different operators, frequently with some inconsistency in operations
- Large amount of data
- Large amount of controls
Answering questions like "what has Mr. X done, and when?" requires:
- access to different systems at a detailed level
- strong capabilities in mapping and normalizing data
- strong analytic capabilities
- good reporting tools
Page 17
The Reality: Missing auditability
- Which systems are out there? Few enterprises know them all.
- Which users have access to which systems? Which granular entitlements do they have?
  - Sometimes known for central systems, if there is a provisioning tool deployed (sometimes even via E-SSO)
  - Usually insufficiently solved, even for core systems like Active Directory and SAP
Page 18
Auditing, SIEM, Operations Management
System-level Auditing:
- Data: current state and historical data
- Timing: ex post
- Focus: security-focused
- Scope: mainly access controls
SIEM:
- Data: current events, sometimes historical
- Timing: real time
- Focus: security-focused
- Scope: all types of security events, frequently more classical security than access controls
Operations Management:
- Data: current events
- Timing: real time
- Focus: operations-focused, all types of operational aspects
- Scope: all types of events
Page 19
Approaches to audit optimization
Integration
- Define the required elements: less is more
- Platforms help: few platforms are better than many point solutions
- Integrate these elements to support drill-down
Automation
- Focus on automated collection and strong analytical capabilities
Page 20
Authorization Management: Closing the loop
The different terms, all about the same thing:
- Access Control
- Authorization Management
- Entitlement Management
Authorization Management means actively managing access: not detective, but preventive.
Page 21
Authorization Management: Closing the loop
(Diagram) A loop between Analysis and Recertification on one side and Managing Authorizations on the other.
Page 22
Authorization Management: Beyond Attestation
(Diagram, labels only) Business Policies; IT Controls; Business Roles; Policies; IT Management; Attestation; Roles, Groups; Entitlements
Page 23
Multi-layered Authorization Management
- Business Policies
- Assignment of users to groups, roles, profiles (Provisioning)
- Management of detailed entitlements (system and application level, might be XACML based, ...)
Page 24
The Reality: Missing consistency
- Consistent, centralized Authorization Management for heterogeneous environments?
- Windows, Active Directory, Exchange, SharePoint, SAP, Enterprise Portals, other business applications, host, own applications, ...
Page 25
The Reality: Missing management
(Diagram) Controls layer: Authorization Management; Status analysis; System layer
Page 26
Privileged Account Management: Focus on sensitive accounts
- Adding privileged accounts: how to control the access of users using these accounts?
- Emerging field, not fully covered by existing approaches (neither detective nor preventive)
Page 27
Many terms, one target
The terms:
- PAM: Privileged Account Management
- PIM: Privileged Identity Management
- PUM: Privileged User Management
- Root Account Management
The target: controlling privileged accounts and how they are used
Page 28
Privileged Accounts: Beyond root
Administrators:
- root
- Windows Administrators (domain and local)
- Database Administrators
Technical users:
- System accounts
- Service accounts
Page 29
Why are these accounts that critical?
- Missing auditability
- Not necessarily associated with a single physical person
- Elevated privileges
- Missing lifecycle management
=> High risk
Page 30
PAM: The approaches
- Differentiated auditing of administrative activities
- Integration with lifecycle management approaches: no orphaned privileged accounts
- One-time passwords for privileged accounts
- Reduced entitlements of privileged accounts, for example using specialized shells
- Organizational actions
- Automatic generation of passwords for accounts without interactive logon
- Avoiding technical users
- SSO for privileged accounts
Page 31
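An added example that turns several of the approaches above (lifecycle integration against orphaned privileged accounts, a named owner per account for auditability, generated passwords for accounts without interactive logon, one-time or rotated passwords for interactive ones) into a hygiene check over a privileged-account inventory. This is not code from the presentation or from any PAM product; the inventory, the HR list, the dates and the rotation thresholds are constructed sample data.

```python
"""Privileged account hygiene checks (added example; constructed data).

Runs over an inventory of privileged accounts joined with the list of active
people from HR and reports, per account, which of the PAM practices it violates.
"""
from datetime import date

# Constructed policy thresholds; real values come from the organisation's PAM policy.
MAX_INTERACTIVE_PASSWORD_AGE_DAYS = 1     # checkout/one-time password: rotated per use, at least daily
MAX_SERVICE_PASSWORD_AGE_DAYS = 90        # non-interactive accounts: generated and rotated regularly


def audit_privileged_accounts(accounts, active_people, today):
    """Return {account_name: [findings]} for every account with at least one finding.

    Each account is a dict with keys: name, owner (person or None),
    interactive_logon (bool), password_set (date), password_generated (bool).
    """
    active = set(active_people)
    report = {}
    for acct in accounts:
        findings = []
        owner = acct.get("owner")
        if owner is None:
            findings.append("no named owner: activity cannot be attributed to a person")
        elif owner not in active:
            findings.append(f"orphaned: owner {owner} is no longer active")

        age = (today - acct["password_set"]).days
        if acct["interactive_logon"]:
            if age > MAX_INTERACTIVE_PASSWORD_AGE_DAYS:
                findings.append(f"password {age} days old; expected one-time/checkout password")
        else:
            if not acct["password_generated"]:
                findings.append("non-interactive account with manually set password")
            if age > MAX_SERVICE_PASSWORD_AGE_DAYS:
                findings.append(f"service password {age} days old; rotation overdue")

        if findings:
            report[acct["name"]] = findings
    return report


# --- constructed sample inventory (not from the presentation) ---------------
TODAY = date(2009, 12, 8)
ACCOUNTS = [
    {"name": "root@db01", "owner": "alice", "interactive_logon": True,
     "password_set": date(2009, 12, 8), "password_generated": True},
    {"name": "DOMAIN\\Administrator", "owner": "bob", "interactive_logon": True,
     "password_set": date(2009, 6, 1), "password_generated": False},
    {"name": "svc_backup", "owner": None, "interactive_logon": False,
     "password_set": date(2009, 1, 15), "password_generated": False},
    {"name": "oracle", "owner": "dave", "interactive_logon": False,
     "password_set": date(2009, 11, 1), "password_generated": True},
]
ACTIVE_PEOPLE = ["alice", "bob", "carol"]   # dave has left; HR no longer lists him


def run_demo():
    return audit_privileged_accounts(ACCOUNTS, ACTIVE_PEOPLE, TODAY)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name)
        for f in findings:
            print("  -", f)
```

Joining the account inventory with the HR feed is the "integration with lifecycle management" step: without it, `oracle` looks perfectly healthy, because nothing in the system itself records that its owner has left.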
PAM market: Evolution
- Point solutions
- Integration with Identity Lifecycle Management
- PAM suites
- Application Security Infrastructures
- Changing security models at the system level (OS, business apps, ...)
- Identity Federation, End-to-End Security
Page 32
Maturity Levels of PAM approaches
Missing
- Status: No PAM at all
- Tools: None
- Risk: Very high
Ad hoc
- Status: Point solutions, typically for UNIX/Linux
- Tools: Mainly sudo
- Risk: Very high
Unplanned
- Status: Non-coordinated use of point solutions
- Tools: PAM tools for specific system environments
- Risk: Still high
Isolated
- Status: Coordinated use of PAM tools, but not integrated with other security approaches
- Tools: Cross-platform PAM solutions
- Risk: Reduced
Integrated
- Status: Integration of PAM with provisioning, Access Governance, and application architectures
- Tools: Cross-platform PAM, Provisioning, Access Governance, Application Security Infrastructures
- Risk: Minimized
Page 33
Putting it all together: Consistent strategies
- Define a strategy: go beyond tactics
- Understand the relationship between different GRC layers
- Combine reactive and preventive approaches
- Combine analysis/attestation and active management
- Focus on a small set of tools: keep it simple
Page 34
Information Security and Access Governance
(Diagram) Information Security contains Access Governance, which consists of:
- Attestation and Recertification
- Advanced Analysis and Auditing
- Authorization Management
- Privileged Account Management
Page 35