RSA enables rapid transformation of Identity and Access Governance processes

Sean Peasley, Principal
Laxman Tathireddy, Senior Manager
Deloitte & Touche LLP, Cyber Risk Services
Identity and Access Governance (IAG): Where it stands today
IAG: Current State

- Securing access to cloud services
- Intersecting consumer and enterprise IDs
- Cross-platform SOD violations
- Role proliferation; many user contexts
- Automation without intelligence
- Cumbersome user experience
- Advanced identity compromise threats
- Massive expansion in number of users
- Inadequate audit trail for access requests
- Increased security breaches
- High Total Cost of Ownership, inflexible to business requirements
Information Security Challenges (diagram; labels recovered from the slide)

Drivers: Increasing Compliance Requirements; Business Efficiency and Agility; Increasing Complexity and Scale of Infrastructure
Stakeholders: Audit, Risk & Compliance; Line of Business; Information Security Team
Estate: IT Infrastructure; Cloud & Applications; Mobile; Data
A business- and process-driven approach to IAG
The RSA Identity Management & Governance (IMG) approach

- Shift decision making and accountability to the business, governed by information security constraints
- Centralized identity and business context: "One Brain" for intelligence and operational efficiency
- Process-driven approach: discrete, measurable, efficient business processes
- Policy-based automation: automated policy enforcement

Diagram labels: Join/Move/Leave; Account Management; Governance; Business Ownership; Applications; Access Certification; Role Management
IAG Evolution: IAG Processes (lifecycle diagram)

Request System Access
- HR system integration
- Create identity
- Synchronize user accounts and passwords
- Self-service access request
- Segregation of duties violations check

Provision Access
- User accounts set up on premise/cloud
- Initial access permissions and rules
- Approvals, escalations and delegations
- Policy-based and compliant user access provisioning

Maintain & Control Access
- User life cycle management
- Role life cycle management
- Reconcile user access
- Access management
- Audit and reporting

Terminate Access
- Time-based and ad-hoc user access deprovisioning
- Scheduled user termination
- Hostile termination
- Archive user identity
- Recycle user identity
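To make three of the lifecycle processes above concrete (the SOD violations check, time-based deprovisioning, and reconciling user access against the HR system), here is an added example in Python. It is not code from the slides or from RSA IMG; the HR feed, account inventory, entitlement names and SOD rule are all constructed for illustration, and a real deployment would read them from the governance platform's collectors.

```python
"""Added example (not from the slides or RSA IMG): minimal governance checks
over a constructed identity/entitlement snapshot.

Demonstrates three IAG lifecycle processes from the diagram:
  - Segregation of duties (SOD) violation check
  - Time-based access deprovisioning (expired entitlements)
  - Reconcile user access against the HR system (orphaned / terminated)
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Identity:
    user_id: str
    status: str                                  # account status as seen in the target system
    entitlements: set = field(default_factory=set)
    expiries: dict = field(default_factory=dict)  # entitlement -> expiry date (time-based access)


# Constructed sample data: a tiny HR feed (source of truth for joiners/leavers)
# and the account inventory collected from target applications.
HR_FEED = {"alice": "active", "bob": "active", "carol": "terminated"}
ACCOUNTS = [
    Identity("alice", "active", {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    Identity("bob", "active", {"ERP_READ"}, {"ERP_READ": date(2014, 1, 31)}),
    Identity("carol", "active", {"ERP_READ"}),          # leaver still holding access
    Identity("dave", "active", {"AD_DOMAIN_ADMINS"}),   # no HR record at all
]

# Constructed SOD rule: two entitlements one person should never hold together.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
]


def sod_violations(accounts, rules):
    """Return (user, rule) pairs where a user holds both sides of a rule."""
    return [(a.user_id, r) for a in accounts for r in rules
            if r[0] in a.entitlements and r[1] in a.entitlements]


def expired_access(accounts, today):
    """Entitlements whose time-based grant has lapsed and should be deprovisioned."""
    return [(a.user_id, e) for a in accounts
            for e, d in a.expiries.items() if d < today]


def reconcile(accounts, hr_feed):
    """Accounts whose owner has no HR record (orphaned) or is terminated in HR."""
    orphaned, terminated = [], []
    for a in accounts:
        status = hr_feed.get(a.user_id)
        if status is None:
            orphaned.append(a.user_id)
        elif status == "terminated":
            terminated.append(a.user_id)
    return orphaned, terminated


def run_checks(accounts=ACCOUNTS, hr_feed=HR_FEED, rules=SOD_RULES,
               today=date(2014, 6, 1)):
    """Run all three checks and return the findings as a dict."""
    orphaned, terminated = reconcile(accounts, hr_feed)
    return {
        "sod": sod_violations(accounts, rules),
        "expired": expired_access(accounts, today),
        "orphaned": orphaned,
        "terminated_with_access": terminated,
    }


if __name__ == "__main__":
    for finding, items in run_checks().items():
        print(f"{finding}: {items}")
```

Each finding maps to a remediation step on the diagram: SOD hits go to the approver or business owner for an exception decision, expired grants and terminated users feed the deprovisioning process, and orphaned accounts need an owner assigned before they can be certified.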
The Art of Role Engineering

A demonstrated process around role engineering results in better investment from the business.

Phases: Initial Activities -> Role Methodology Jumpstart -> Role Validation & Approval -> Deployment

Activities (as listed on the slide):
- Acquire and analyze business community system access information and statistics
- Start with a pilot business community
- Initiate education on the role definition model
- Initiate education on role governance processes
- Review intelligence gathered during the initial activities phase
- Conduct role engineering for selected business communities
- Educate the business community on the role processes and role definitions
- Identify exceptions
- Finalize roles with appropriate individuals and groups
- Obtain approval on roles, worker types, and exceptions
- Test roles, processes, and technology
- Perform access remediation
- Deploy and store enterprise roles
- Deploy role governance processes, procedures, and guidelines
- Finalize business community role management implementation
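The "acquire and analyze access statistics" and "identify exceptions" steps are where a bottom-up (data-driven) role definition starts. The following added example, not from the slides or from RSA IMG, shows one simple form of that analysis over a constructed access snapshot for a pilot business community: entitlement sets held by several users become candidate roles, and whatever a user holds beyond the best-fitting role is surfaced as an exception for the validation and approval phase.

```python
"""Added example (not from the slides or RSA IMG): a bottom-up role-mining
pass over a constructed access snapshot for one pilot business community."""
from collections import Counter

# Constructed sample: user -> entitlements held, for a pilot community.
ACCESS = {
    "u1": {"ERP_READ", "TIMESHEET", "VPN"},
    "u2": {"ERP_READ", "TIMESHEET", "VPN"},
    "u3": {"ERP_READ", "TIMESHEET", "VPN", "ERP_ADMIN"},
    "u4": {"TIMESHEET", "VPN"},
    "u5": {"TIMESHEET", "VPN"},
    "u6": {"TIMESHEET", "VPN", "CRM_READ"},
}


def mine_roles(access, min_users=2):
    """Candidate roles: exact entitlement sets held by at least min_users people.

    Returned most-common first; ties broken by entitlement names so the
    output is deterministic for review meetings.
    """
    counts = Counter(frozenset(ents) for ents in access.values())
    candidates = [s for s, n in counts.items() if n >= min_users]
    return sorted(candidates, key=lambda s: (-counts[s], sorted(s)))


def assign(access, roles):
    """Map each user to the largest candidate role contained in their access.

    Returns user -> (role, exceptions), where exceptions are entitlements
    not explained by the role and need individual review/approval.
    """
    result = {}
    for user, ents in access.items():
        fits = [r for r in roles if r <= ents]
        best = max(fits, key=len) if fits else frozenset()
        result[user] = (best, set(ents) - best)
    return result


def exception_report(access, min_users=2):
    """Summary a role owner can sign off: roles found and per-user exceptions."""
    roles = mine_roles(access, min_users)
    assignments = assign(access, roles)
    exceptions = {u: exc for u, (_, exc) in assignments.items() if exc}
    return {"roles": roles, "assignments": assignments, "exceptions": exceptions}


if __name__ == "__main__":
    report = exception_report(ACCESS)
    for i, role in enumerate(report["roles"], 1):
        print(f"ROLE_{i}: {sorted(role)}")
    for user, exc in report["exceptions"].items():
        print(f"exception for {user}: {sorted(exc)}")
```

Exact-match clustering is deliberately the simplest form of role mining; in practice the candidate roles are then reviewed top-down against job functions and worker types, which is the "finalize roles with appropriate individuals and groups" step on the slide.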
Case Study: How did RSA IMG help rapidly transform IAG processes?
Case Study: Global Fortune 1000 Airline Services Organization, RSA IMG v6 implementation

Objective: Reengineer the existing Identity and Access Management (IAM) program to manage enterprise user access in a more secure and user-friendly manner. Establish a centralized IAG platform with consistent processes for access request, access certification and user lifecycle activities; better integration/automation with the existing provisioning solution and ticketing systems; advanced reporting; and role engineering and management.
Current State: User Access Challenges

Challenges fall into three areas on the slide (Operational Efficiency, Stability, Security and Compliance):
- Personnel must contact multiple teams to request access, creating confusion and delays
- Undocumented and manual routing of approvals
- Manually adding or removing user accounts and access delays access to applications
- Current approval process lacks business owner review
- Extensive use of "pattern-after" requests (copying another user's access), resulting in excess access
- No ability to monitor access provisioned across the enterprise
- Inappropriate removal of access resulting in an outage
- Inability to adequately certify access
- Accumulation of inappropriate access over time
- Rubber-stamping of approvals
- Limited enforcement of policies (Segregation of Duties [SOD]) through automation

This has resulted in a disjointed environment, causing pain for the business users and IT. The client's environment is subject to increased risk due to lack of visibility and efficiencies in the processes set forth to provision and govern access.
Solution Architecture using RSA IMG (architecture diagram; no text recovered)
Implementation Strategy

Release One
  Tasks:
  - Central Access Request and Approval Portal for users
  - Ability to track access requests through to completion
  - Current-state Active Directory (AD)/LDAP group analysis and planning
  Result: Centralized Access Request Management

Release Two
  Tasks:
  - Enhanced access request process through data collection
  - Quarterly access certifications within the portal
  - Visibility into system access
  - Define and establish the Access Governance process
  Result: Data Collection and Access Certification Process

Release Three
  Tasks:
  - Implement AD/LDAP group management
  - Role engineering pilot for two business groups
  - Improve time to productivity for joiners and movers
  - Move towards exception-based compliance
  - Provisioning using the AFX platform
  Result: User Lifecycle Enhancements and Role Engineering

Release Four
  Tasks:
  - Policy-based provisioning and certification
  - Onboard additional applications (e.g. ERP)
  - Role engineering for three business groups
  - Cross-application SOD analysis
  Result: Continue role engineering; enhance/extend existing functionality
A Closer Look at Challenges

- Choosing a tool that provides flexibility to leverage the existing Identity Management infrastructure while providing a long-term strategy for considering a provisioning alternative
- Identifying a suitable and scalable data collection approach
- Flexibility in defining the mapping between business/application roles and entitlements
- Identifying a suitable approach for role definition: top-down or bottom-up, big-bang or small-bites?
- Understanding legacy AD/LDAP group data
- Identifying the resource owners and assigning them responsibility to review and approve access
Success factors

- Phased approach to implementation
- Business-oriented architecture
- Intuitive development interface
- Executive-level buy-in from the Lines of Business early in the project
- Consensus among stakeholders: operations, engineering, application owners, end users, etc.
- Maintain regular communication with project stakeholders: steering committee, PMO, etc.
- Establish a common understanding of product terminology
RSA & Deloitte Alliance

- RSA & Deloitte have a 10+ year strategic alliance. We've jointly delivered projects in the areas of IAM, GRC, Data Protection, Security Management and Security Operations.
- Deloitte has a nine-year relationship with Aveksa, including a strong working relationship with the engineering and services teams.
- Deloitte has implemented each major release of Aveksa Governance and has joint qualifications in the Financial Services, Healthcare, Life Sciences, Travel, Retail and Telecom industries and State Government sectors.
- Deloitte has 30+ practitioners at various levels with certifications and multiple project/implementation experience.

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
THANK YOU