Customizing Identity Management to fit complex ecosystems


Advisory Services PwC Security - Identity Management 12 July 2011

Client's challenge

One of the world's largest aerospace and defense corporations was spending far too much time and money on provisioning and user-account accreditation. And it's easy to see why: the global company's ecosystem comprised a complex tangle of 1.7 million user accounts on more than 1,500 target systems. Under its existing procedures, account management, certification, and provisioning were performed manually, a resource-intensive process. At the same time, a challenging business environment demanded that the company trim costs by reducing its provisioning systems by over 50%.

The company had identified Oracle Identity Manager (OIM) as the best solution to automate these tasks and enable more efficient use of resources. In-house attempts to implement OIM had stalled because the company lacked expertise in the processes and underlying technology architecture necessary to implement a mature Identity Management solution.

PwC's Advisory solution

The company engaged PwC to assist with the design and deployment of OIM. Drawing upon hours of hands-on experience in Identity Management architecture and implementation, PwC worked with the company to refine its original deployment plan by taking a step back and re-architecting the entire solution, including design, test, and deployment of an infrastructure that addressed the aerospace company's complex needs.

We worked with the company to assess its current security infrastructure to develop access control and user-administration policies, modified connectors for integrated provisioning, and established business procedures for access certification across platforms and systems.

Taking advantage of our large, skilled team of OIM specialists and proprietary knowledge of Identity Management architecture, we built and deployed a custom front end to OIM that met the company's complex needs. The easy-to-use front end, a Role-Based Access Control (RBAC) Web interface, sits on top of OIM and allows target systems to limit the number of discrete connectors required, thereby greatly reducing the amount of system memory necessary to deploy the solution and enabling customization of each connector.

The Java-based Role Administration User Interface allows data owners or administrators to develop customized, application-level roles with settings that include fine-grained entitlements, role requestor and approver groups, template accounts, and notification emails.

Once the initial implementation was deployed and tested, we helped the company add target systems and platforms, as well as extend functionality for existing platforms. PwC also drew upon its change-management expertise to help overcome cultural obstacles that could derail the success of the implementation.

Impact on client's business

Today, the aerospace company's implementation is the single largest use of OIM in terms of user base. The company continues to follow the roadmap drafted by PwC for building out the connector framework and adding target systems.

Once the solution is fully deployed, OIM will enable onboarding of employees and contractors to client applications in hours rather than the days and weeks it took with the legacy provisioning systems that required additional manual processes. Additionally, the automated user access and provisioning system has enabled the company to meet reduction in workforce goals, although many of the provisioning staff have been shifted to more strategic analytic roles. The implementation also enabled the aerospace company to more cost-effectively manage regulatory requirements and internal security policies.

For more information, please visit http://www.pwc.com/us/en/it-risk-security/identity-management.jhtml or contact:

Thomas Phelps IV, Director, (213) 217-3577, thomas.phelps@us.pwc.com
Rex Thexton, Managing Director, (973) 236-5470, rex.thexton@us.pwc.com
Gary Loveland, Principal, (973) 236-5470, gary.loveland@us.pwc.com

"This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors."

Improving compliance with user access controls

PwC helps a healthcare services provider improve key user access controls to enhance compliance

Advisory Services PwC Security - Identity Management 12 July 2011

Client's challenge

A large nonprofit provider of healthcare services, which serves several million members in nine states and Washington DC, had challenges with its Identity and Access Management (IAM) systems. The company needed to implement significant enhancements to its user access controls to improve compliance with Sarbanes-Oxley (SOX). The healthcare organization targeted three controls to improve: quarterly access reviews, provisioning, and termination.

Quarterly Access Review: The organization employed a manual process for its quarterly review of user access to 150 applications. Review of each application typically required 45 days, resulting in lost productivity, compliance and security risks, and inefficient and costly back-office processes.

Provisioning: The healthcare organization's provisioning process for new hires was very slow: it took approximately 45 days from date of hire to provision all required resources and systems access. This manual process also contributed to lost productivity, increased risks, and inefficient back-office processes.

Termination: The healthcare provider had deployed a solution that would notify the appropriate application team when an employee had been terminated in order to remove that employee's access to applications subject to SOX regulations. Yet the application addressed only 15 applications and was largely ineffective; often users who had left the company maintained access to resources and systems beyond the mandated timeframe.

PwC's Advisory solution

The healthcare provider engaged PwC to help improve its SOX controls and develop an IAM strategy that would be aligned with investments and resources for compliance mandates. Our team of Identity Management experts worked with multiple stakeholder groups to develop and build consensus on a compliance-centric IAM strategy and roadmap.

For quarterly access review, we helped the healthcare organization select and implement a tool that automates the compliance monitoring, reporting, certification, remediation, and change validation of user entitlements. As part of this initiative, we onboarded more than 30 applications, four database platforms, and the UNIX host environment into the centralized tool.

PwC helped the healthcare organization design a self-service web application to streamline its provisioning system for new hires. Our team of experts examined the root cause of system access issues and addressed overarching strategic issues, rather than simply approaching the project as a compliance issue. We then held focus groups with several regional units to identify and agree upon requirements of the new tool. Leveraging our expertise in Identity Management architecture, we designed and implemented a web services tool that sits on top of the existing Identity Manager system to deliver a flexible interface for provisioning.

To improve the termination system, we enhanced the existing termination notification service and helped the company increase the number of integrated applications from 15 to 93. The system now notifies the application team in a timely manner when an employee is terminated, enabling the company to better meet SOX compliance.

Impact on client's business

Our engagement with the healthcare services provider has resulted in dramatically reduced time and costs for access reviews and access termination. Quarterly access reviews now require hundreds of hours less effort for managers and system owners. Notification of terminated employees is now achieved within hours.

We assisted the client in implementing systems that clearly document provisioning and de-provisioning processes and preserve all audit trails, which enable the healthcare provider to better meet compliance and security objectives. As a result of the initiative, the healthcare services company now has consistent processes across divisions, and that will help reduce costs and inefficiencies over the long term.

For more information, please visit http://www.pwc.com/us/en/it-risk-security/identity-management.jhtml or contact:

Sohail Siddiqi, Principal, (408) 817-5844, sohail.siddiqi@us.pwc.com
Matthew D. Lawson, Director, (415) 515-0276, matthew.d.lawson@us.pwc.com

Mending a pharmacy chain's security strategy

How PwC helped a large pharmacy company bring its security system into compliance

Advisory Services PwC Security - Identity Management 12 July 2011

Client's challenge

A large US pharmacy chain was hit with regulatory charges that it did not adequately protect personally identifiable information (PII) of customers and employees. To resolve the issue, the company needed to establish a comprehensive enterprise-wide information security program that would protect the security, confidentiality, and integrity of information across its enterprise and over 5,000 retail locations and enable it to meet Federal Trade Commission (FTC) compliance requirements.

The design and implementation of an enterprise security program, as well as remediation of information security practices as prescribed by the FTC, were too time consuming and laborious for the pharmacy company to resolve on its own.

PwC's Advisory solution

The pharmacy company engaged PwC to assist with planning, design, and implementation of a comprehensive Information Security program that would protect customer and employee data as well as remediate regulatory compliance gaps.

As a first step, our team of security specialists assessed the company's security posture and identified ISO/IEC 27001 as an overall security framework upon which to build an information security program. Drawing upon our expertise in information security and identity management, we helped the company align its information security policies, objectives, and processes with its business objectives, compliance mandates, and industry leading practices.

The scope of the initiative, which comprised more than 50 projects, required a meticulously designed process plan and roadmap that would enable a simultaneous implementation of security initiatives prioritized according to business needs. As a part of this process, PwC helped the company identify and select software products that would best meet its information security needs.

We organized the project into five key initiatives:

Quality and assurance standards: PwC helped the company design and deploy a comprehensive set of policies, standards, and controls to ensure an industry-leading information security program. Key components included implementation of an enterprise Governance, Risk, and Compliance (eGRC) tool and automated user account provisioning, de-provisioning, and access-management. We also helped the pharmacy chain develop a PII methodology for prioritizing application compliance control enhancement and/or remediation activities associated with federal compliance mandates such as Payment Card Industry (PCI) and Sarbanes-Oxley (SOX), as well as create enterprise-wide standards to meet other compliance requirements.

Incident management: We helped the pharmacy chain design and implement a central security incident and event management system to proactively correlate, track, and address information security-related anomalies and incidents. We also assisted in enhancing processes for effective log monitoring.

Network security: PwC helped the company assess and enhance its network security by upgrading its wireless security standard as well as designing and configuring dual firewall architecture to better manage Internet security.

Data security: We helped the company identify and deploy a Data Loss Prevention (DLP) tool that would enable it to manage compliance of sensitive data throughout the information lifecycle (collection, transmission, storage, and archive). We also guided the company in standardizing encryption of desktops and laptops across the enterprise.

Identity and access management: A centralized identity management strategy that would automate various manual processes such as user access, provisioning and de-provisioning, and access request processes across the enterprise was a key missing component of the pharmacy chain's information security system. We helped the company enhance its existing processes and plan a centralized request-management strategy to automate and streamline access request processes and provisioning/de-provisioning. In addition, we automated the User Access Review (UAR) process.

Given the comprehensive scope of this security initiative, PwC also provided expertise in change management processes to help ensure that the project was successfully and efficiently implemented. Additionally, we helped design employee training to streamline the transition of existing work streams supported by third-party providers to internal resources.

Impact on client's business

The implementation of an enterprise security strategy has enabled the pharmacy chain to provide a world-class security platform that addresses the concerns of regulatory agencies and customers. The company has an organizational structure that is tightly aligned with its business objectives and information security needs.

PwC has helped the company identify future opportunities for enhancements to management reporting and visibility of operating effectiveness, and the pharmacy company is set to further enhance the efficiency, effectiveness, and maturity of its information security program.

For more information, please visit http://www.pwc.com/us/en/it-risk-security/identity-management.jhtml or contact:

Prakash Venkata, Director, (617) 530-7622, Prakash.Venkata@us.pwc.com
Ankur Sheth, Manager, (646) 471-0224, Ankur.Sheth@us.pwc.com

Gaining efficiencies with Identity Management

PwC helps a large retailer cut costs with an updated provisioning and user-entitlement system

Advisory Services PwC Security - Identity Management 12 July 2011

Client's challenge

A large retail and consumer products company needed to update its employee provisioning and user-entitlement certification systems to better ensure accuracy and regulatory compliance. Under its existing system, provisioning and quarterly user-entitlement certification were manual processes that were time-consuming, inefficient, and prone to inaccuracies.

The retailer, which operates more than a thousand stores in the United States, understood that it needed to lower its costs and strengthen regulatory and internal compliance through the use of a centralized Identity Management solution. Yet it lacked expertise in the processes and underlying technology architecture necessary to efficiently implement a mature Identity Management solution.

PwC's Advisory solution

The retailer decided to build upon its foundation of Oracle solutions and selected Oracle Identity Manager (OIM) 11g and Oracle Identity Analytics (OIA) 11g to build a complete Identity Management system. It engaged PwC to assist with the design and deployment of OIM 11g and OIA 11g, and architect an Identity Management infrastructure that would be fully integrated with its Enterprise Resource Planning (ERP) system.

Drawing upon more than 100,000 hours of hands-on experience in Identity Management architecture and implementation, PwC designed, tested, and deployed a shared infrastructure that addressed the retailer's complex needs. We carefully examined the company's current security infrastructure to develop access control and user-administration policies based on future growth projections. We also redefined and standardized the business processes for creation of accounts based on best practices.

We then designed the technical architecture of the Identity Management infrastructure, carefully modified connectors for integrated provisioning, and set up business procedures for access certification across a variety of platforms and systems.

Taking advantage of our large, skilled team of OIM specialists and proprietary knowledge of Identity Management architecture, we built and deployed an award-winning front end to OIM that was easy to use and precisely met the retailer's needs. We also developed processes for testing the implementation and trained the company's staff in best practices for deployment and operational support.

Impact on client's business

The new shared Identity Management infrastructure has enabled the retail and consumer products company to automate 80% of user access requests, a substantial improvement over its previous 100% manual processes. To date, PwC has on-boarded 150 applications and systems across multiple data systems, and enabled automated recertification for more than 1 million user accounts.

As a result, the retailer now has state-of-the-art automated control over user access and certification, while the costs to provide access control, user management, and provisions have been reduced significantly. The implementation also enabled the retailer to more cost-effectively manage regulatory requirements and internal security policies.

For more information, please visit http://www.pwc.com/us/en/it-risk-security/identity-management.jhtml or contact:

Rex Thexton, Managing Director, (908) 868-1386, rex.thexton@us.pwc.com
Rich Kneeley, Managing Director, (610) 662-2972, richard.j.kneeley@us.pwc.com
Scott L. MacDonald, Manager, (248) 379-7465, scott.l.macdonald@us.pwc.com

Identity management that makes the grade

Helping a student testing firm reduce costs with automated provisioning and user account management

Advisory Services PwC Security - Identity Management July 2011

Client's challenge

A global educational assessment service, which administers and scores more than 50 million student tests annually, was deeply challenged by its inefficient identity management processes. The non-profit organization onboarded several thousand employees and contractors each year using a manual provisioning process that typically required a week to complete.

The testing organization also wanted to update its manual system for certification of user accounts, a cumbersome and inefficient process that could take weeks or even months to conclude. And the high number of calls to its help desk for user password management and provisioning was becoming increasingly costly as the company relied on outsourcing to provide more operational support services.

In short, the testing organization knew it needed to deploy an Identity Management solution that would enable it to lower costs and boost efficiencies through automated user access, provisioning, and password management. The company identified and purchased Oracle Identity Manager (OIM) to achieve these goals, and sought out PwC as an implementation partner, given the firm's deep technical knowledge of the OIM product and the implementation process expertise needed for success.

PwC's Advisory solution

The testing organization engaged PwC to help design and deploy an Identity Management strategy that would be aligned with its IT infrastructure, work streams, and business goals. Leveraging more than 100,000 hours of hands-on experience in Identity Management architecture and implementation, PwC carefully assessed the company's business processes and IT architecture to develop a strategy and roadmap. We helped the company identify gaps in source data and software capabilities, and delivered guidance on streamlining provisioning processes that would increase efficiencies and generate cost savings.

Once an architecture for target systems and an authoritative source was in place, we installed and configured the basic components of OIM. We leveraged our experience in OIM deployment to integrate and customize connectors for a wide range of software and systems, including Microsoft Active Directory, Microsoft Exchange, Resource Access Control Facility (RACF), and enterprise LDAP, as well as several non-mainframe business applications.

To ensure that the OIM solution would support the company's unique provisioning processes, PwC's team of Identity Management experts also enhanced the user interface to optimize usability and functionality. Thorough testing of the OIM solution and all configured connectors and systems proved accuracy and eliminated gaps before the solution was released into production. We also delivered initial training and support services to the company's outsource providers and internal staff, including documentation and support knowledge.

Impact on client's business

The OIM deployment has enabled the testing organization to decrease provisioning time for new employees from two or more weeks to a single day, an efficiency that has resulted in enhanced employee productivity and lower costs. What's more, automated provisioning and self-service password management have greatly reduced the number of calls to the organization's IT help desk.

The company is now building upon these gains by expanding the use of OIM to automate the provisioning of many more types of accounts. As they head into next year, the company plans to begin using the solution for the automated certification of user accounts.

Based on the success of the OIM implementation, the testing organization engaged PwC to help implement Oracle Access Manager, Oracle Identity Federation, and another instance of OIM to provide a shared service platform for its application developers to use for external-facing business partners and customers. This shared service will provide provisioning, authentication, and authorization functionality so that developers will no longer have to construct their own identity services on an application-by-application basis. This will dramatically lower development time and cost, enable the organization to work with business partners using open standards, and leverage one support team to handle identity services for all applications.

For more information, please visit http://www.pwc.com/us/en/it-risk-security/identity-management.jhtml or contact:

Robert House, Director, PwC Advisory, (973) 236-5457, robert.house@us.pwc.com
Mark Lobel, Partner, PwC Advisory, (646) 471-5731, mark.a.lobel@us.pwc.com