Kuppinger Cole Virtual Conference The Three Elements of Access Governance

Kuppinger Cole Virtual Conference: The Three Elements of Access Governance
Martin Kuppinger, Kuppinger Cole, mk@kuppingercole.com
December 8th, 2009
This virtual conference is sponsored by Axiomatics and Oracle

Creating More Value for Less Through Identity Management & GRC
Topics: market maturity; regulation, privacy, information security; governance, mitigating risk; cloud computing & trust; roles and attributes; authentication & authorization
Call for Speakers: http://www.idconf.com/events/eic2010/callforspeakers
Sponsors/Exhibitors: http://www.idconf.com/events/eic2010/sponsorinfo
www.id-conf.com/eic2010

Virtual Conference: Enterprise Access Governance. Controlling Access, Ensuring Information Security. December 8-9, 2009
- How to efficiently mitigate your access risks
- Full Access Governance: combining access certification, role management, provisioning, and privileged access management
- RBAC vs. ABAC: comparing role-based and attribute-based access control
- The business view: Enterprise GRC vs. IT-GRC, and where they should be linked
- Mitigating application security risks
- How does Access Governance fit into your GRC roadmap?
www.kuppingercole.com/webinars

Kuppinger Cole Reports. Some of the current reports:
- Market Report: Cloud Computing
- Product Report: Radiant Logic Virtual Directory Server
- Vendor Report: Arcot Systems
- Product Report: Sun Identity Manager
- Vendor Report: ActivIdentity
- Trend Report: Enterprise Role Management
- Vendor Report: Quest Software
- Product Report: SailPoint IdentityIQ
- Vendor Report: BHOLD 2009
- Vendor Report: Entrust 2009
- Vendor Report: Oracle 2009
- Vendor Report: Evidian
- Business Report: Key Risk Indicators
http://www.kuppingercole.com/reports

Some guidelines for the webinar
- You will be muted centrally; you don't have to mute/unmute yourself, we control the mute/unmute features.
- We will record the webinar.
- Q+A will be at the end. You can ask questions using the Q+A tool at any time; we will pick them up at the end or, if appropriate, during the webinar.

Agenda
Part 1, Martin Kuppinger: The Three Elements of Access Governance
- Recertification/Attestation
- Access Control
- Privileged Access Management
Part 2: Q+A

Access Governance defined
- Access: managing access to systems and information. Who is allowed to do what?
- Governance: enforcing a good practice of management, in this case particularly for IT.
Context: IAM (Identity and Access Management), the management of identities and their access. It is mainly about access, but access needs identities.
Context: GRC (Governance, Risk Management, and Compliance). Governance is the basic concept; risk management and compliance are elements of governance.
Context: Information Security. Information security is the business term; that is why we mainly deal with topics like IAM and Access Governance.

The three elements of Access Governance (diagram). The main elements are Attestation/Recertification and Auditing on the analysis side, Authorization Management on the management side, and Privileged Account Management. The diagram distinguishes two types of accounts, standard users and admin users; both need analysis and management.

Attestation and Recertification: analyzing the situation
- The (manual) process of having responsible persons go through existing access controls (authorizations, entitlements) and attest or revoke them
- A manual control process
- Regularly performed at the departmental manager level (but be careful with that)
- Supported by escalations and other procedures

The need for attestation: five good reasons
- Attestation is a first step to clean up access controls
- Attestation is (if done right) a continuous audit mechanism
- Attestation can reveal issues in identity and access lifecycle management
- Attestation educates users about the need for security
- Attestation can decrease access control-related IT security risks and the operational risks that depend on them

Approaches to attestation, from worse to good (example of a vendor rating):
- One-way, audit-oriented (worse) vs. two-way, actionable (good)
- Single-layered (worse) vs. multi-layered (good)
- Point-of-time (worse) vs. continuous (good)
- Undifferentiated (worse) vs. risk-based (good)

Technical approaches
- Attestation as a singular solution
- Attestation as part of an overall GRC platform
- Attestation as part of an IAM-GRC platform
- Identity provisioning with reconciliation
- Attestation features in provisioning
The direction is to expand, integrate, or move to IAM-GRC platforms.

Multi-layered attestation (diagram). Three layers are attested, each by different parties:
- Employees (tasks, projects, management) to business roles. Question: correct business roles? Attested by management and business.
- Business roles (job, hierarchy, location, project) to system roles. Question: correct assignments? Attested by business and IT (Identity Management).
- System roles to groups, roles, profiles in the systems. Question: correct access controls? Attested by IT (Identity Management) and system administration (system security, access control).

More analysis: adding automated controls
- Automated controls support the ongoing analysis and (potentially) the real-time detection of issues
- Advanced analysis mechanisms support ad hoc analysis
- Specific attestation/recertification solutions typically support at least ad hoc controls
- Relevant as well for typical day-by-day IT operations
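The two preceding slides describe multi-layered attestation and automated controls in the abstract. The following is an added worked example, not code from the webinar or from any vendor: it models the layers (employee, business role, system role, entitlement) over a small constructed data set, computes which entitlements a reviewer actually has to attest (those not explained by the role model), and runs two automated controls on top, orphaned accounts and segregation-of-duties conflicts. All employee names, roles and transaction identifiers are invented.

```python
"""Multi-layered attestation plus automated controls (added example; not
part of the webinar or any vendor's product). Models the three layers of
the preceding slides (employee -> business role -> system role ->
entitlement) over a small constructed data set, computes what a reviewer
must attest, and runs two automated controls on top: orphaned accounts
and segregation-of-duties (SoD) conflicts. All names, roles and
transaction identifiers are invented for illustration."""

# Constructed HR/identity source: employee -> business role
EMPLOYEES = {"alice": "Finance", "bob": "Finance", "carol": "Sales"}

# Constructed role model: business role -> system roles -> entitlements
BUSINESS_ROLES = {"Finance": ["AP_Clerk"], "Sales": ["CRM_User"]}
SYSTEM_ROLES = {
    "AP_Clerk": ["SAP:create_vendor_invoice"],
    "AP_Approver": ["SAP:post_payment"],
    "CRM_User": ["CRM:read_accounts"],
}

# Constructed reconciliation result: what the target systems actually grant.
# 'svc_batch' has no matching employee record.
ACCOUNTS = {
    "alice": ["SAP:create_vendor_invoice", "SAP:post_payment"],
    "bob": ["SAP:create_vendor_invoice"],
    "carol": ["CRM:read_accounts", "SAP:create_vendor_invoice"],
    "svc_batch": ["SAP:post_payment"],
}

# Toxic combination: one person may not both create and pay vendor invoices.
SOD_RULES = [("SAP:create_vendor_invoice", "SAP:post_payment")]


def expected_entitlements(employee):
    """Layers 1 and 2: entitlements explained by the employee's role model."""
    ents = set()
    for system_role in BUSINESS_ROLES.get(EMPLOYEES[employee], []):
        ents.update(SYSTEM_ROLES.get(system_role, []))
    return ents


def attestation_items():
    """Layer 3: entitlements NOT explained by the role model, i.e. direct
    assignments a reviewer must attest or revoke. {account: [entitlement]}"""
    items = {}
    for account, ents in ACCOUNTS.items():
        if account not in EMPLOYEES:
            continue  # reported by the orphan control instead
        extra = sorted(set(ents) - expected_entitlements(account))
        if extra:
            items[account] = extra
    return items


def orphaned_accounts():
    """Automated control: accounts with no owner in the identity source."""
    return sorted(a for a in ACCOUNTS if a not in EMPLOYEES)


def sod_violations():
    """Automated control: accounts holding both sides of an SoD rule."""
    hits = []
    for account, ents in ACCOUNTS.items():
        for left, right in SOD_RULES:
            if left in ents and right in ents:
                hits.append((account, left, right))
    return hits


def remediation(decisions):
    """Two-way (actionable) attestation: reviewer decisions
    {(account, entitlement): 'keep' | 'revoke'} become a revocation list
    for the provisioning system, not merely an audit record."""
    return sorted(key for key, verdict in decisions.items() if verdict == "revoke")


if __name__ == "__main__":
    print("to attest:", attestation_items())
    print("orphans:", orphaned_accounts())
    print("SoD:", sod_violations())
```

The point of separating `attestation_items()` from the two automated controls is the slide's distinction between manual and automated: a manager only sees the small residue the role model cannot explain, while orphaned accounts and SoD conflicts are detected without anyone having to click through a list.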

The situation
- Increasing awareness of the need for IT governance
- Increasing complexity of IT environments, in breadth and depth
- Changing role of IT: less autonomy, more focus on efficient fulfillment
- Growing number of compliance regulations
- Increasing pressure on IT management and operations
- More fear of, and awareness of, security breaches

The result
- More requests
- More answers to provide
- Less time to deliver
- Higher workload for fewer people
- Operational work is heavily affected

The real world of core systems
- Many servers
- Different systems
- Different operators, frequently with some inconsistency in operations
- Large amounts of data
- Large numbers of controls
Answering questions like "what has Mr. X done, and when?" requires access to different systems at a detailed level, strong capabilities in mapping and normalizing data, strong analytic capabilities, and good reporting tools.
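What "mapping and normalizing data" means in practice is easiest to see on real-looking input. The following is an added example, not from the webinar: three constructed log lines in the style of a Linux syslog auth message, a Windows Security event exported as CSV, and an application audit log are parsed into one schema, timestamps are converted to UTC, and per-system account names are mapped to a physical person so that one timeline can be produced. The account-to-identity map, the syslog year and the host timezone are assumptions (classic syslog carries neither year nor zone), and "erp-app" is an assumed source system name.

```python
"""Normalizing audit data from heterogeneous systems to answer "what has
Mr. X done, and when?" (added example; not from the webinar). The log
lines are constructed samples in the style of a Linux syslog auth line,
a Windows Security event exported as CSV, and an application audit log.
The account-to-identity map is an assumption standing in for an
identity store; the syslog year and host timezone are assumptions too."""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_LINES = [  # constructed
    "Dec  8 09:12:01 fin-db01 sshd[2231]: Accepted publickey for jdoe from 10.1.2.3 port 50022 ssh2",
    "Dec  8 09:40:17 fin-db01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Dec  8 11:00:00 fin-db01 sshd[2300]: Accepted password for svc_backup from 10.1.2.9 port 40000 ssh2",
]
WINDOWS_CSV = [  # constructed: timestamp,event_id,account,host,detail
    "2009-12-08T08:15:44Z,4624,CORP\\jdoe,WS-0042,Interactive logon",
    "2009-12-08T10:02:09Z,4720,CORP\\jdoe,DC01,Account created: svc_tmp",
]
APP_AUDIT = [  # constructed
    "2009-12-08 10:30:00 +0100 user=JDOE action=POST_PAYMENT doc=4711 amount=250000",
]

# Assumed identity map (lower-cased account name -> person).
IDENTITY_MAP = {"jdoe": "John Doe", "corp\\jdoe": "John Doe"}

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
SYSLOG_YEAR = 2009                         # assumption: syslog has no year
SYSLOG_TZ = timezone(timedelta(hours=1))   # assumption: host clock is UTC+1


def record(ts, system, account, action):
    """Common schema. Timestamps are converted to UTC here so that events
    from differently configured systems sort correctly."""
    return {
        "ts": ts.astimezone(timezone.utc),
        "system": system,
        "account": account,
        "identity": IDENTITY_MAP.get(account.lower()),
        "action": action,
    }


def parse_syslog(line):
    mon, day, clock, host, prog, msg = SYSLOG_RE.match(line).groups()
    ts = datetime.strptime(f"{mon} {day} {clock} {SYSLOG_YEAR}", "%b %d %H:%M:%S %Y")
    ts = ts.replace(tzinfo=SYSLOG_TZ)
    msg = msg.strip()
    if prog == "sshd":
        user = re.search(r" for (\S+) from ", msg).group(1)
        action = "ssh_login"
    elif prog == "sudo":
        user = msg.split(" : ", 1)[0]
        action = "sudo " + re.search(r"COMMAND=(.*)$", msg).group(1)
    else:
        user, action = "", msg
    return record(ts, host, user, action)


def parse_windows(line):
    ts, event_id, account, host, detail = line.split(",", 4)
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record(ts, host, account, f"event {event_id}: {detail}")


def parse_app(line, system="erp-app"):  # system name assumed; the line has none
    m = re.match(r"^(\S+ \S+ \S+) user=(\S+) action=(\S+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z")
    return record(ts, system, m.group(2), m.group(3))


def all_events():
    events = [parse_syslog(l) for l in SYSLOG_LINES]
    events += [parse_windows(l) for l in WINDOWS_CSV]
    events += [parse_app(l) for l in APP_AUDIT]
    return sorted(events, key=lambda e: e["ts"])


def timeline(person):
    """Everything attributed to one physical person, across systems, in UTC order."""
    return [(e["ts"].isoformat(), e["system"], e["action"])
            for e in all_events() if e["identity"] == person]


def unmapped_accounts():
    """Accounts that cannot be tied to a person: a gap in auditability."""
    return sorted({e["account"] for e in all_events() if e["identity"] is None})


if __name__ == "__main__":
    for row in timeline("John Doe"):
        print(*row)
    print("unmapped:", unmapped_accounts())
```

Note what the timezone handling changes: the SSH login on fin-db01 (09:12 local) actually precedes the Windows logon (08:15Z) once both are in UTC, which is the opposite of what the raw timestamps suggest. The `unmapped_accounts()` result is the auditability gap the later slides on privileged accounts describe: activity that cannot be attributed to a person.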

The reality: missing auditability
- Which systems are out there? Few enterprises know them all.
- Which users have access to which systems?
- Which granular entitlements do they have?
Sometimes known for central systems, if a provisioning tool is deployed (sometimes even via E-SSO). Usually insufficiently solved even for core systems like Active Directory and SAP.

Auditing, SIEM, and Operations Management compared
- System-level Auditing: current state and historical data; ex post; security-focused; mainly access controls
- SIEM: current events, sometimes historical; real time; security-focused; all types of security events, frequently more classical security than access controls
- Operations Management: current events; real time; operations-focused, covering all types of operational aspects; all types of events

Approaches to audit optimization
Integration:
- Define the required elements: less is more
- Platforms help: few platforms are better than many point solutions
- Integrate these elements to support drill-down
Automation:
- Focus on automated collection and strong analytical capabilities

Authorization Management: closing the loop
The different terms are all about the same thing: Access Control, Authorization Management, Entitlement Management.
Authorization Management means actively managing access: not detective, but preventive.

Closing the loop (diagram): analysis and recertification on one side, managing authorizations on the other, each feeding the other.

Authorization Management beyond attestation (diagram). Elements shown: business policies, IT controls, business roles, policies, IT management, attestation, roles and groups, entitlements.

Multi-layered Authorization Management
- Business policies
- Assignment of users to groups, roles, profiles (provisioning)
- Management of detailed entitlements (system and application level, possibly XACML-based, ...)

The reality: missing consistency
Consistent, centralized Authorization Management for heterogeneous environments? Windows, Active Directory, Exchange, SharePoint, SAP, enterprise portals, other business applications, host systems, own applications, ...

The reality: missing management (diagram). A controls layer, with Authorization Management and status analysis, sits above the system layer.

Privileged Account Management: focus on sensitive accounts
- Adding privileged accounts
- How to control the access of users using these accounts?
- An emerging field, not fully covered by existing approaches (neither detective nor preventive)

Many terms, one target
The terms: PAM (Privileged Account Management), PIM (Privileged Identity Management), PUM (Privileged User Management), Root Account Management.
The target: controlling privileged accounts and how they are used.

Privileged accounts: beyond root
- Administrators: root, Windows Administrators (domain and local), database administrators
- Technical users
- System accounts
- Service accounts

Why are these accounts that critical?
- Missing auditability: not necessarily associated with a single physical person
- Elevated privileges
- Missing lifecycle management
- High risk

PAM: the approaches
- Differentiated auditing of administrative activities
- Integration with lifecycle management approaches: no orphaned privileged accounts
- One-time passwords for privileged accounts
- Reduced entitlements of privileged accounts, for example using specialized shells
- Organizational actions
- Automatic generation of passwords for accounts without interactive logon
- Avoiding technical users
- SSO for privileged accounts
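Several of the approaches on this slide (one-time passwords, auditing of administrative activity against a named person, lifecycle integration to catch orphaned privileged accounts) fit into one small mechanism. The following is an added example, not from the webinar and not any vendor's product: a minimal check-out vault for shared privileged accounts. A named person checks an account out against a ticket and receives the current password; on check-in the password is rotated, so what was handed out is effectively one-time; every step is recorded with the real person's identity; and a lifecycle control reports privileged or service accounts whose named owner is no longer in the HR feed. The HR feed, account names and tickets are constructed.

```python
"""Privileged account check-out with one-time passwords and a personal
audit trail (added example; not from the webinar and not any vendor's
product). A minimal vault in the spirit of the approaches listed above:
a named person checks out a shared privileged account against a ticket,
receives a freshly generated password, and the password is rotated on
check-in so the one handed out cannot be reused; every step is logged
with the real person's identity; a lifecycle control reports privileged
accounts whose owner is no longer in the (assumed) HR feed."""
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@"


def generate_password(length=24):
    """CSPRNG-generated password; never derived from time, counters or names."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PrivilegedVault:
    def __init__(self, accounts, active_people):
        # accounts: shared privileged account names, e.g. "root@fin-db01"
        # active_people: persons currently active according to HR (assumed feed)
        self.accounts = {a: {"password": generate_password(), "holder": None}
                         for a in accounts}
        self.active_people = set(active_people)
        self.audit = []  # (timestamp, person, account, event, detail)

    def _log(self, person, account, event, detail=""):
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           person, account, event, detail))

    def checkout(self, person, account, ticket):
        """Hand the current password to exactly one identified person."""
        if person not in self.active_people:
            self._log(person, account, "DENIED", "person not active in HR")
            raise PermissionError(f"{person} is not an active person")
        if not ticket:
            self._log(person, account, "DENIED", "no ticket or reason given")
            raise ValueError("a ticket or reason is required")
        acct = self.accounts[account]
        if acct["holder"] is not None:
            self._log(person, account, "DENIED", f"held by {acct['holder']}")
            raise RuntimeError(f"{account} is already checked out")
        acct["holder"] = person
        self._log(person, account, "CHECKOUT", f"ticket={ticket}")
        return acct["password"]

    def checkin(self, person, account):
        """Return the account and rotate its password: the old one is now useless."""
        acct = self.accounts[account]
        if acct["holder"] != person:
            self._log(person, account, "DENIED", "not the current holder")
            raise RuntimeError(f"{person} does not hold {account}")
        acct["password"] = generate_password()
        acct["holder"] = None
        self._log(person, account, "CHECKIN", "password rotated")

    def orphaned_accounts(self, owners):
        """Lifecycle control: privileged or service accounts whose named
        owner has left. owners: {account: person}."""
        return sorted(a for a, p in owners.items() if p not in self.active_people)


if __name__ == "__main__":
    vault = PrivilegedVault(["root@fin-db01"], {"alice", "bob"})
    pw = vault.checkout("alice", "root@fin-db01", "CHG-1234")
    vault.checkin("alice", "root@fin-db01")
    print("orphans:", vault.orphaned_accounts({"svc_batch": "eve"}))
    for entry in vault.audit:
        print(*entry)
```

Two design points carry the weight here. The audit record is keyed by the person, not by the shared account, which is what closes the "not associated with a single physical person" gap from the previous slide. And rotation on check-in, rather than on a schedule, is what makes the disclosed password one-time: the next person gets a different secret, and a password copied out of a terminal session stops working as soon as the session is closed.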

PAM market evolution
- Point solutions
- Integration with identity lifecycle management
- PAM suites
- Application security infrastructures
- Changing security models at the system level (OS, business apps, ...)
- Identity federation, end-to-end security

Maturity levels of PAM approaches
- Missing: no PAM at all. Tools: none. Risk: very high.
- Ad hoc: point solutions, typically for UNIX/Linux. Tools: mainly sudo. Risk: very high.
- Unplanned: non-coordinated use of point solutions. Tools: PAM tools for specific system environments. Risk: still high.
- Isolated: coordinated use of PAM tools, but not integrated with other security approaches. Tools: cross-platform PAM solutions. Risk: reduced.
- Integrated: integration of PAM with provisioning, Access Governance, and application architectures. Tools: cross-platform PAM, provisioning, Access Governance, application security infrastructures. Risk: minimized.

Putting it all together: consistent strategies
- Define a strategy; go beyond tactics
- Understand the relationship between different GRC layers
- Combine reactive and preventive approaches
- Combine analysis/attestation and active management
- Focus on a small set of tools; keep it simple

Information Security and Access Governance (diagram): Access Governance, as part of Information Security, comprises Attestation and Recertification, Advanced Analysis and Auditing, Authorization Management, and Privileged Account Management.
