SearchSecurity.com Technical Guide on Managing Identities and Access Control
Managing Identities and Access Control

Control over user identities, roles and the access users have to assets is quickly becoming a critical security and compliance strategy. This technical guide presents comprehensive advice on managing user identities and access control within the enterprise. Our experts cover all the angles with authoritative technical advice on: centralized identity management; the importance of uniting IAM and data protection; how to develop policies for privileged users; and how to implement and maintain user roles.

Contents

Making the Case for Enterprise IAM Centralized Access Control
Central access to multiple applications and systems can raise the level of security while getting rid of red tape. By David Griffeth

Content-Aware IAM: Uniting User Access and Data Rights
IAM and data protection have generally kept to their separate corners. That trend may be shifting. By Randall Gamby

Best Practices for a Privileged Access Policy to Secure User Accounts
Enterprises need to secure accounts belonging to actual users by reviewing and monitoring their privileged access. By Mark Diodati

Best Practices: How to Implement and Maintain Enterprise User Roles
Effective enterprise role management is essential for properly managing user access rights and enforcing access policies, but the implementation process can be challenging. By Andras Cser
Making the Case for Enterprise IAM Centralized Access Control

Central access to multiple applications and systems can raise the level of security while getting rid of red tape. By David Griffeth

Within today's enterprises, it's common for organizations of all sizes to rely on many different applications to fulfill a variety of business needs. In smaller corporations, the access administration model tends to be distributed across many business lines or system owners. This model does not allow for a functional identity and access management program, meaning it's virtually impossible to manage user access, privilege levels and revocation when necessary. Eventually, these organizations reach a maturation point where the access administration model must be assessed to determine if it's more efficient to centralize. This article lays out many of the process and security benefits of a centralized model.

The lifecycle of access for employees and temporary workers has three major phases:

- New access creation: requiring new accounts on various systems.
- Access modification: necessary when employees move from one job to another within the organization, requiring account access and privilege modifications, deletions and/or new accounts.
- Termination: removal of all access.

For new access requests in a distributed access administration model, users that need access to multiple applications must make requests to multiple application owners. This often means filling out and submitting a variety of forms, which usually ask for the same data, depending on the system owner's governance process and interpretation of policy. As the system owners receive request forms, they provision the access and notify the end user. Unfortunately, the system owners won't all grant access on the same day, so the end user will not have the complete set of access needed to do his or her job until the slowest system owner completes the request.
When an existing user is terminated or moves within the organization to a different job, the old manager must remember or figure out what systems the user had access to and request that the accounts be disabled. The new manager must also fill out all the required forms for access appropriate to the user's new job.
The process inefficiencies are obvious: multiple forms with similar information going to multiple system owners, who each provide access according to their own rules and requirements. If access reviews are required, this means a slew of uncoordinated emails to managers asking for access reviews and approvals.

The security concerns are worse. Each time an employee or contractor moves within the organization or is terminated, the old manager is expected to fill out a variety of forms requesting access modification, making each manager a potential failure point. If there is a process failure, there will most likely be accounts on systems that are inappropriate, or worse, belong to terminated employees.

In a centralized model, all system access is granted according to one interpretation of policy. It also streamlines new user creation, modification and termination processes, which can be based on one feed from human resources. For example, when an individual joins the organization there is one request made for all access. The centralized provisioning team will be able to verify that the new user is employed, and who his or her manager is, based on the HR feed. All access is granted at the same time as a single request, and the user is ready to work when that request is complete. When a user moves, there is only one group to notify for access changes, and there is no need for a notification of planned termination because the HR feed will notify the centralized provisioning group of all the day's terminations. In the case of termination with prejudice (being fired), there is only one group to call to have all access shut down immediately. Other advantages include the ability to have a single system access review generated across all systems, the beginnings of automated provisioning, fewer resources required to provision access and quicker turnaround time for requests.
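The HR-feed-driven model described above, worked through as an added example that is not code from the article or from any product it mentions: a single reconciliation pass compares the day's HR feed against the account lists of every system and produces the joiner, mover, leaver and orphan actions the centralized group would handle. The feed columns, status values and system names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed daily HR feed, as the centralized provisioning team would receive
# it: one row per worker. The column names and status values are assumptions.
HR_FEED = [
    {"emp_id": "E100", "manager": "M1", "dept": "Finance", "status": "active"},
    {"emp_id": "E101", "manager": "M2", "dept": "Support", "status": "active"},
    {"emp_id": "E102", "manager": "M1", "dept": "Finance", "status": "terminated"},
    {"emp_id": "E103", "manager": "M3", "dept": "Sales",   "status": "active"},
    {"emp_id": "E104", "manager": "M2", "dept": "Support", "status": "active"},
]

# Constructed snapshot of accounts pulled from several systems; "dept" is what
# each system recorded when the account was provisioned.
ACCOUNTS = [
    {"system": "ERP", "emp_id": "E100", "dept": "Finance"},
    {"system": "CRM", "emp_id": "E101", "dept": "Support"},
    {"system": "ERP", "emp_id": "E102", "dept": "Finance"},   # terminated in HR
    {"system": "CRM", "emp_id": "E102", "dept": "Finance"},   # terminated in HR
    {"system": "CRM", "emp_id": "E103", "dept": "Support"},   # mover: HR now says Sales
    {"system": "VPN", "emp_id": "E999", "dept": "IT"},        # no HR record at all
]

@dataclass
class Actions:
    disable: list = field(default_factory=list)  # (system, emp_id): shut down today
    review: list = field(default_factory=list)   # (system, emp_id, old_dept, new_dept)
    orphans: list = field(default_factory=list)  # (system, emp_id): no HR owner
    create: list = field(default_factory=list)   # emp_id active in HR, no account yet

def reconcile(hr_feed, accounts):
    """One pass over every system's accounts against the HR feed, producing the
    actions a centralized provisioning group would work through in a day:
    leavers are disabled everywhere, movers are queued for their new manager's
    review, ownerless accounts are surfaced, and joiners get a single request."""
    hr = {row["emp_id"]: row for row in hr_feed}
    seen = set()
    out = Actions()
    for acct in accounts:
        key = (acct["system"], acct["emp_id"])
        emp = hr.get(acct["emp_id"])
        if emp is None:
            out.orphans.append(key)         # nobody in HR owns this account
            continue
        seen.add(acct["emp_id"])
        if emp["status"] != "active":
            out.disable.append(key)         # termination: all access goes, same day
        elif emp["dept"] != acct["dept"]:
            out.review.append(key + (acct["dept"], emp["dept"]))  # mover
    for emp_id, row in hr.items():
        if row["status"] == "active" and emp_id not in seen:
            out.create.append(emp_id)       # joiner with no accounts anywhere
    return out
```

The orphan bucket is the one a distributed model never produces: no system owner is asked "who owns this?", so ownerless accounts simply persist.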
I recommend moving toward a centralized provisioning model around the same time it's determined the company needs a helpdesk function. Moving toward this model will provide sounder information security practices and more efficient provisioning processes, and will reduce the risk associated with managers as failure points. It will also put an organization on the road to a full-blown identity and access management program, which is essential to the success of the information security program of all midsized and large enterprises.

David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank's growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor's degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.
Content-Aware IAM: Uniting User Access and Data Rights

IAM and data protection have generally kept to their separate corners. That trend may be shifting. By Randall Gamby

Recently there's been a new development in the information security world: content-aware identity and access management (CA-IAM). CA-IAM is the integration of two established, usually separately administered security domains: identity and access management (IAM) and data protection.

The first domain, IAM, is used to administer user rights. When security personnel think of tools in the IAM domain, they picture Web access management systems, provisioning systems, portals, Web-based applications and federation technologies. The common theme among these technologies is the configuration of data access based on the adage "the right people, getting the right access to the right information."

However, within enterprises there's another, sometimes darker, domain: data protection. The goal of data protection is to correctly configure data rights for information. The people interested in data protection talk about classification of information (i.e. company confidential, secret, top secret, etc.), data loss prevention (DLP), meta-directories, security information and event management (SIEM), event logging, firewalls, secure communications and encryption. The common theme within this domain is the right data, getting to the right place securely, by means of the right services. While IAM's focus is to secure communications channels to applications and services for users, data protection's focus is to establish secure communications channels to applications and services for data: the yin to IAM's yang.

So why does the concept of combining these two domains make sense? There are three reasons: compliance, data transformation and intelligent user rights.
Regarding compliance, combining the user access rights of identity and access management with the information protection rights of data protection solves the overarching business issue of compliance. Under the cover of existing regulations around privacy and protection, whether government (i.e. SOX, HIPAA, GLBA, Basel II) or industry driven (i.e. PCI DSS), auditors expect companies to have implemented controls around authorized user access and data protection. Since the tools that implement these controls have traditionally been separate, it makes sense to combine their functionality for the common good of compliance.

Data transformation involves scenarios in which new data sets are added, data is manipulated, and old data sets are expunged. Managing the sensitivity and value of information during these transformations is becoming increasingly difficult due to the volume of data a typical enterprise manages and the fact that external organizations are often managing key pieces of data via outsourcing and SaaS to enhance a company's data management capabilities. Determining access to the newly updated and created data can be a nightmare. CA-IAM promises to identify how these transformations have affected the data and, if warranted, automatically map new protections to the data, and then go on to assign new access rights to the information based on corporate policies. An example of how this can be used is the December 2008 announcement of an alliance between Microsoft and EMC Corp.'s RSA unit, in which the vendors plan to develop a tight integration between RSA's DLP suite and Microsoft's digital rights management technology. The goal of this alliance is to take the best features of RSA's DLP automated data classification services and map them to Microsoft's file management technology to ensure data classifications and rights automatically follow the data.

With intelligent user rights, it has become important to understand the roles and responsibilities of an individual when determining his or her access to applications and services. After determining an individual's rights, CA-IAM can be used to give proper access to the data, providing fine-grained access controls beyond the application down to the actual data itself.

So if CA-IAM provides such great benefits, why haven't more enterprises implemented it? There are several reasons.
First, both IAM and data protection had their start in different parts of the enterprise. IT traditionally started managing user access as part of its infrastructure provisioning projects. As users joined the company, IT added their accounts to the systems they needed to do their jobs. Subsequently, as users' roles or employment statuses changed, IT was responsible for managing and updating their permissions, eventually taking away all rights when users left the company. Data protection started in the traditional risk management and IT security departments. The responsibility of the data protection pros was to safeguard sensitive data and ensure it didn't leave the organization through unauthorized channels. While these two groups usually work well together, they've each traditionally reported up to different parts of the organization. The prospect of integrating these two disciplines presents, if not a managerial problem, at least a serious managerial project.

Also, in order to even consider implementing CA-IAM, an organization must understand its user and data classifications and have defined processes for managing them. Many organizations are still in the throes of doing role-based access definitions, finding and classifying data based upon existing policies, and aligning risks across the organization. In addition, DLP and IAM tools are still being implemented. Without a level technology playing field, integration of IAM and data protection technologies will involve a lot of time, effort and money, and probably a few costly mistakes along the way.

Something else to consider is that CA-IAM is a concept, not a product. Today's organizations are working to solve business problems through technology; tomorrow's technologies are still in the hands of enterprise architects and risk managers. Full enterprise deployments of CA-IAM, and the standards and experience they bring, are still years off.

So does this mean companies can't do CA-IAM today? Not necessarily. While a formal deployment is not yet possible, an enterprise that already understands its data and access requirements, has classified its data, user roles and responsibilities, and has strong political clout, should be able, through policies and processes, to begin to create a common framework, even if the tools aren't integrated. This is how traditional IAM technologies started and it's the way that CA-IAM will begin.

Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.
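The "data transformation" and "intelligent user rights" reasons above, as an added example that is not the article's own code or any vendor's product: a derived data set inherits the highest classification of its sources so protections follow the data, and an access decision requires both the IAM side (the user's enterprise role scopes which departments' data they may touch) and the data-protection side (clearance versus classification) to agree. The classification ladder is the article's; the roles, the role-to-department policy and the sample documents are constructed.

```python
from dataclasses import dataclass

# Classification ladder from the article; a higher index is more sensitive.
LEVELS = ["public", "company confidential", "secret", "top secret"]

@dataclass(frozen=True)
class Document:
    name: str
    classification: str
    owner_dept: str

@dataclass(frozen=True)
class User:
    name: str
    role: str            # enterprise role, e.g. "financial clerk"
    clearance: str       # highest classification the user may read
    dept: str

# Assumed role policy: which departments' data each role may touch. A real
# deployment would read this from the IAM system rather than a literal.
ROLE_POLICY = {
    "financial clerk":  {"Finance"},
    "claims adjuster":  {"Claims"},
    "security analyst": {"Finance", "Claims", "IT"},
}

def rank(level):
    return LEVELS.index(level)

def derive(name, sources, owner_dept):
    """Data transformation: a data set built from several sources inherits the
    highest classification among them, so the label follows the data."""
    top = max(sources, key=lambda d: rank(d.classification))
    return Document(name, top.classification, owner_dept)

def decide(user, doc):
    """Content-aware decision. Role scope (IAM) is checked first, then the
    clearance-versus-classification rule (data protection); both must pass."""
    scope = ROLE_POLICY.get(user.role, set())
    if doc.owner_dept not in scope:
        return (False, "role %r not entitled to %s data" % (user.role, doc.owner_dept))
    if rank(user.clearance) < rank(doc.classification):
        return (False, "clearance %r below %r" % (user.clearance, doc.classification))
    return (True, "allowed")

# Constructed sample data: a confidential ledger and a secret memo are combined
# into a summary, which therefore becomes secret.
LEDGER   = Document("gl-2010.csv", "company confidential", "Finance")
MERGER   = Document("acquisition-memo.docx", "secret", "Finance")
REPORT   = derive("q4-summary.xlsx", [LEDGER, MERGER], "Finance")

CLERK    = User("Ana", "financial clerk", "company confidential", "Finance")
ANALYST  = User("Ben", "security analyst", "top secret", "IT")
ADJUSTER = User("Cy", "claims adjuster", "top secret", "Claims")
```

The clerk who can read the ledger loses access to the summary derived from it, which is exactly the case an application-level permission alone would miss.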
Best Practices for a Privileged Access Policy to Secure User Accounts

Enterprises need to secure accounts belonging to actual users by reviewing and monitoring their privileged access. By Mark Diodati

The process of securing accounts includes a variety of factors, one of the most important being ensuring employees have the minimum access necessary to target platforms. In addition, employees' job functions and related access should be reviewed to ensure there are no separation of duties issues. Case in point: A person who creates a vendor account should not be able to approve payment to that vendor.

The access-review process includes understanding workflow: A baseline of access policies must be reviewed and approved by application owners. Additionally, subsequent changes to access rights should be reviewed and approved. Access certification tools, including those embedded in identity management provisioning systems from various vendors, can assist with the review process. In some cases, a third-party security tool like CA Inc.'s Access Control or Symark International Inc.'s PowerBroker is required to limit privileged user access. For example, rather than giving the UNIX database administrator access to the root account for the purpose of restarting the server, the security tool can delegate the privilege of system restart to a real user.

Assuming you have locked down privileged user access, you should be all set, right? Not quite; you need to ensure privileged users do not abuse their access rights. One common use case concerns the customer support supervisor who appropriately has access to confidential customer data. If the supervisor accesses an excessive number of customer records on a given day, it may be an indication of a problem. A security information management (SIM) system would not likely detect this anomaly.
Increasingly, enterprises are looking to deploy risk-based consumer authentication techniques to detect this level of access, but for the most part, these risk-based tools aren't ready for enterprise use because they are oriented toward financial transactions. Consumer authentication vendors with risk-based authentication include Hagel Technologies Ltd.'s AdmitOne, Arcot Systems Inc., Entrust, Oracle Corp., RSA Security and VeriSign Inc.

Some organizations consider the use of two separate accounts to address excessive user privilege. The first one is the everyday account for use in routine activities such as logging onto Windows workstations and checking email. The second account is only used for administrative tasks that require high privilege, including working with high-risk production systems. The high privilege account is not used during everyday tasks, which limits exposure to malware. However, the use of two accounts will not address the issue of excessive privileges granted to the user.

Balancing user access between the too lenient and the overly strict can be a challenge, but with these best practices, it can be a bit less daunting.

Mark Diodati, CPA, CISA, CISSP, MCP, CISM, has more than 18 years of experience in the development and deployment of information security technologies. He has served as vice president of worldwide IAM for CA Inc., as well as senior product manager for RSA Security's smart card, SSO, UNIX security, mobile PKI and file encryption products. He has had extensive experience implementing information security systems for the financial services industry since starting his career at Arthur Andersen & Co. He is a frequent speaker at information security conferences, a contributor to numerous publications, and has been referenced as an authority on IAM in a number of academic and industry research publications.
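The supervisor case above (legitimately entitled, but touching far more customer records in a day than usual) is what a per-user baseline over the application's own audit trail catches where a generic SIM rule does not. This is an added example, not code from the article or any vendor it names; the log format, user names and thresholds are constructed, and the check is deliberately conservative (distinct records, not raw views, and a minimum history before anything is flagged).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit trail of a customer-data application: "date user action record".
# Four ordinary days for supervisor sup_ana, then a fifth day with a burst of views;
# agent_ben has too little history to baseline.
BASELINE_LINES = """\
2010-03-01 sup_ana view cust:1001
2010-03-01 sup_ana view cust:1002
2010-03-01 sup_ana view cust:1003
2010-03-01 sup_ana view cust:1003
2010-03-02 sup_ana view cust:1004
2010-03-02 sup_ana view cust:1005
2010-03-03 sup_ana view cust:1006
2010-03-03 sup_ana view cust:1007
2010-03-03 sup_ana view cust:1008
2010-03-04 sup_ana view cust:1009
2010-03-04 sup_ana view cust:1010
2010-03-04 sup_ana view cust:1011
2010-03-01 agent_ben view cust:2001
2010-03-05 agent_ben view cust:2002
""".splitlines()
BURST_LINES = ["2010-03-05 sup_ana view cust:%d" % (3000 + i) for i in range(40)]
LOG_LINES = BASELINE_LINES + BURST_LINES

def daily_distinct(lines, action="view"):
    """Count the distinct records each user touched per day. Re-opening the same
    record is not counted again: the concern is breadth of access, not clicks."""
    touched = defaultdict(set)               # (user, date) -> {record ids}
    for line in lines:
        date, user, act, record = line.split()
        if act == action:
            touched[(user, date)].add(record)
    counts = defaultdict(dict)               # user -> {date: distinct count}
    for (user, date), recs in touched.items():
        counts[user][date] = len(recs)
    return counts

def flag_excessive(counts, k=3.0, min_days=3, floor=10.0):
    """Flag a user/day whose distinct-record count exceeds both the user's own
    prior baseline (mean + k * stdev of earlier days) and an absolute floor.
    Users with fewer than min_days of history are skipped rather than guessed at."""
    alerts = []
    for user, per_day in counts.items():
        history = []
        for date in sorted(per_day):         # ISO dates sort chronologically
            n = per_day[date]
            if len(history) >= min_days:
                threshold = max(floor, mean(history) + k * pstdev(history))
                if n > threshold:
                    alerts.append((user, date, n, round(threshold, 1)))
            history.append(n)                # today becomes part of tomorrow's baseline
    return alerts
```

The absolute floor keeps a user whose baseline is two or three records a day from being flagged for a fourth; tune it to the team's normal caseload.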
How to Implement and Maintain Enterprise User Roles

Effective enterprise role management is essential for managing user access rights and enforcing access policies, but the implementation process can be challenging. By Andras Cser

Enterprise role management is key to efficiently managing user access rights and enforcing access policies such as segregation of duties. Roles help companies group coarse- and fine-grained access rights (such as access to, and functionality within, a financial accounts application) into groups, called enterprise roles. These enterprise roles map to job functions and are only allowed access rights that don't violate segregation of duties. For instance, a financial clerk role can't contain fine-grained access rights that allow someone in the role to access both the accounts receivable and accounts payable parts of the financial application.

The processes and tools necessary for effective role management consist of role mining and design (automatic discovery and management of roles based on existing access rights and entitlements data), role recertification (a process performed typically every six months, when a business role custodian certifies what access rights should belong to a role), and access recertification (a process performed typically every 3-6 months to ensure all user access is understood and was granted in an audited way).

To be successful, organizations should implement and maintain enterprise roles by:

1. Establishing a closed-loop process. If the organization wants to gain value from enterprise roles, it needs to use a closed-loop process to ensure roles are periodically updated based on current business requirements. (This is especially important after reorganizations; there may have been changes to a business process after a reorganization, and roles need to reflect those changes.) Forrester Research Inc. learned that enterprises iterate at least twice through a role-design cycle before they can build a solid foundation for role-based access control (RBAC). This cycle consists of seven phases:

- Develop or update an RBAC vision. Based on Forrester's initial discovery conversations, successful organizations define, refine and communicate widely why they are implementing RBAC and what their long-term RBAC plans are.
- Gather requirements. Interview executives and business leaders to understand their expectations and explain how it's to their benefit to support the process.
- Onboard applications and organizations. Organizations need to approach the owners and business users of the applications and conduct detailed interviews on how access is stored, granted and revoked, as well as what application-level roles exist.
- Mine roles. Mining roles (the automatic discovery of roles based on existing access rights and entitlements data) is the bottom-up discovery process of looking at what application access, and what entitlements within those applications, an organization's employees have. The results are used to make recommendations for role adjustments. Role mining usually takes about two weeks per application.
- Adjust roles. Once the mining process has determined role suggestions, these roles need to be adjusted. This adjustment is essentially comparing the as-is situation for access with what the newly defined roles would yield.
- Certify roles. Once roles are adjusted and measures are taken to ensure excessive permissions aren't granted, the roles need to be certified by a role custodian. This is usually a member of the relevant business unit and not IT security. The role custodian has ongoing responsibility for ensuring the roles remain up to date and reflect realistic groupings of access rights and entitlements that map to business processes.
- Certify access. After the role structure goes live, the role management or user account-provisioning system sends email notifications to managers or application owners to request approval of their employees' and users' access rights and entitlements and the assignment of employees to roles.

2. Avoiding pitfalls during enterprise role design. Enterprise role design doesn't emerge based solely on results of role mining. There are existing repositories of information in the organization that RBAC should examine, reuse and extend. Pitfalls to avoid:

- Waiting for HR repository data quality to improve. Some organizations will have to accept that data quality and quantity in their HR databases is insufficient to create roles. Many times HR records lack, or do not carefully record, enough critical user attributes, such as geographic location, job code, department code, reporting structure, floor location, etc. Sometimes RBAC can't be built on them because there is no unified HR database, or because HR databases are updated long after an actual event (especially a transfer) takes place.
- Automatically equating an application role with an enterprise role. Application roles that describe fine-grained, sub-application-level entitlements cannot be automatically rolled into a job role. Many application roles are too granular or defined too cryptically to be equated directly with an enterprise role. A complicated Active Directory group name or an SAP collection of entitlements does not map to the financial clerk role.
- Using technology-heavy terms in role descriptions. One message has been made resoundingly clear in our interviews: The purpose of an enterprise role system is to expose IT access management to business people in business-friendly terms (creating telling descriptions in tools that clearly describe the job functions of the employees that the roles are granted to).
- Listening only to onboarding clerks and managers. Interviews with employees and managers who participate in requesting and revoking access rights for newly hired and terminated employees provided a wealth of information about how application access is granted.
3. Targeting simple areas that yield high return. Almost all of the organizations that Forrester interviewed in regard to role management (including banks, healthcare providers, transportation companies, energy and utility companies, colleges, etc.) followed a combination of these best practices when they identified the initial area for implementing enterprise RBAC:

- Areas with high employee turnover. These job responsibility areas require a lot of traditional IT administration effort and pose higher security risk. Ensuring that employees in these areas are provisioned quickly, but only given minimal access, and then de-provisioned just as promptly when appropriate, will resonate well with senior management.
- Areas with relatively simple and standardized functions. The fewer differences there are in people's access in that environment, the easier RBAC definition and implementation will be. In these organizations, you can expect to have hundreds or thousands of people in the same role.
- Newly acquired organizations. Sometimes it's easier to lead an IT integration and clean-up activity when focusing on a newly acquired company. Implementing enterprise roles in a pilot project at a newly acquired organization is an easier sell with senior management than impacting a legacy organization at the acquiring company.

Defining enterprise roles, even with automated mining, is not easy. To ease the burden, follow these best practices, and remember to work one-on-one with your business representatives, gain their support, and implement a carefully phased role implementation process.

Andras Cser is a principal analyst at Forrester Research, where he serves security & risk professionals and is a leading expert on identity management and access controls.
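Bottom-up role mining from the "Mine roles" phase above, combined with the segregation-of-duties rules this article (accounts receivable versus accounts payable in one role) and Mark Diodati's article (creating a vendor versus approving its payment) both give, as an added example that is not code from either article or from any role-mining product. Users holding an identical entitlement set become a candidate role; small clusters are left as exceptions for the "Adjust roles" step; every candidate and exception is checked against the SoD rules for the role custodian's review. Entitlement names and user ids are constructed.

```python
from collections import defaultdict

# Constructed user -> entitlement data as exported from a financial application,
# the raw material role mining works from. Entitlement names are assumptions.
ENTITLEMENTS = {
    "u01": {"fin:login", "fin:ar.view", "fin:ar.post"},
    "u02": {"fin:login", "fin:ar.view", "fin:ar.post"},
    "u03": {"fin:login", "fin:ar.view", "fin:ar.post"},
    "u04": {"fin:login", "fin:ap.view", "fin:ap.pay"},
    "u05": {"fin:login", "fin:ap.view", "fin:ap.pay"},
    "u06": {"fin:login", "fin:ar.view", "fin:ar.post", "fin:ap.pay"},  # AR + AP
    "u07": {"fin:login", "fin:vendor.create", "fin:ap.pay"},           # creates and pays
}

# Segregation-of-duties rules from the articles: entitlement pairs that must not
# coexist in one role (or, as here, in one user's accumulated access).
SOD_RULES = [
    ({"fin:ar.post"}, {"fin:ap.pay"}),          # accounts receivable and payable
    ({"fin:vendor.create"}, {"fin:ap.pay"}),    # create a vendor and pay that vendor
]

def mine_roles(entitlements, min_members=2):
    """Bottom-up mining: users with an identical entitlement set form one
    candidate role. Sets held by fewer than min_members users are returned as
    exceptions to be adjusted by a person, not silently turned into roles."""
    groups = defaultdict(list)
    for user, ents in entitlements.items():
        groups[frozenset(ents)].append(user)
    roles, exceptions = {}, {}
    for ents, users in groups.items():
        if len(users) >= min_members:
            name = "role_%d" % (len(roles) + 1)
            roles[name] = {"entitlements": set(ents), "members": sorted(users)}
        else:
            for u in users:
                exceptions[u] = set(ents)
    return roles, exceptions

def sod_violations(ents, rules=SOD_RULES):
    """Return every rule an entitlement set breaks (both sides present)."""
    return [(a, b) for a, b in rules if a & ents and b & ents]

def audit(entitlements):
    """Mine candidate roles, then check each proposed role and each exception
    user against the SoD rules. The result is what a role custodian certifies."""
    roles, exceptions = mine_roles(entitlements)
    report = {"roles": {}, "exceptions": {}}
    for name, r in roles.items():
        report["roles"][name] = {
            "members": r["members"],
            "entitlements": sorted(r["entitlements"]),
            "violations": sod_violations(r["entitlements"]),
        }
    for user, ents in exceptions.items():
        report["exceptions"][user] = sod_violations(ents)
    return report
```

The two exception users are precisely the accumulated-access cases the article warns about: neither maps to a clean job function, and both would be rejected at the "Certify roles" step if rolled into one.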
Published by TechTarget, 117 Kendrick St., Suite 800, Needham, MA 02494 U.S.A.; Phone 781-657-1000; Fax 781-657-1100. All rights reserved. Entire contents, Copyright 2010 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or SearchSecurity.com.