Discussion Overview
- Company Background
- IAM Inertia
- IAM Value Proposition
- IAM at Chase
- IAM Team Scope and Mission
- IAM Program Functional Structure
- IAM Team Functional Structure
- IAM Program Progress
- IAM Case Study
- IAM Tools Integration
- Request Tools
- Meta Data Management Program
- Lessons Learned
- IAM Target State
- Questions
JP Morgan Chase Overview
JPMorgan Chase (NYSE: JPM) is one of the oldest financial institutions in the United States. With a history dating back over 200 years, here's where we stand today:
- JPMorgan Chase is a leading global financial services firm with assets of $2.3 trillion.
- Operates in more than 60 countries.
- Has more than 240,000 employees.
- Serves millions of consumers, small businesses and many of the world's most prominent corporate, institutional and government clients.
- Leader in investment banking, financial services for consumers, small business and commercial banking, financial transaction processing, asset management and private equity.

Chase Bank: Consumer and Business Banking; Commercial Banking; Mortgage Banking; Auto and Student Lending; Card Services
JP Morgan: Investment Banking; Asset Management; Private Banking; Treasury and Security Services
Centralized Services: Retail Technology Services; Central Technology Operations; Enterprise Systems; Global Technology and Infrastructure
IAM Inertia
- Automation is scary: the real power of IAM is realized when there is widespread integration and automation. However, automation scares people, because when you break, you break big!
- Legacy applications: every organization is challenged with servicing high-value legacy applications. They often require specialized integration for even basic technology improvements. In some organizations, like Chase, legacy applications dominate the technology landscape.
- Integration challenges in a distributed environment: integration across support organizations and assets can be a significant barrier to effective IAM integration.
- The IAM Program must focus on adding value to the business and application owners:
  - Address high-impact/high-visibility access issues.
  - Reactively address issues; strategically add value as the program matures.
The Value Proposition for an IAM Program
Knowing who has access to what is critical to successful business operations. Having this information supports:
- Fraud detection and prevention
- Least privilege access (see first bullet)
- Customer information protection (see first bullet)
- Licensing and system management
- User productivity: having the right access to perform job duties
IAM At Chase
How did we get it to work?
- Organizational structure and support
- Taking small successes and building on those for strategic value
- Metrics and tools
IAM Governance Scope
Mission: Ensure all in-scope applications leverage the strategic IAM tools and that all IAM controls are actively monitored and enforced. Additionally, provide strategic and architectural direction for increased controls compliance and operational efficiency. Represent the Line of Business interests in policy management and corporate tools operation and functionality.
Scope: All applications and infrastructure assets owned or supported by:
- Consumer and Business Banking
- Commercial Banking
- Retail Technology Services
- Central Technology Operations
- Enterprise Systems
This includes:
- About 1000 applications
- Thousands of databases and servers
- Over 2.1M non-unique users
- Over 1.4M distinct levels of access
IAM Governance Scope: Controls
- Access On/Off-Boarding and Certification: User or functional access is properly requested or removed, reviewed, and is appropriate for the job function. User access to all applications is recertified at least annually to validate that user access is appropriate.
- Role Based Authorization: User access is granted via application profiles or job function roles. Access is requested using the strategic request tool (RSAM) and provisioned by a centralized access administration group to ensure consistent and timely provisioning process execution.
- Access Profile Management: Entitlements or roles granted to application profiles are appropriate for the job function. Any changes to application profiles are documented and reviewed by Sr. Management.
- Privileged: Privileged user or functional access is managed through a centralized password vault to support compliance with password change policy and management approval of non-business-as-usual activity.
Program Functional Structure
Every company is different, but it is important that the IAM Program have both business and IT representation. More importantly, both the business and IT sponsors and stakeholders must hold the information owners and application developers accountable for the program deliverables. The IAM Program, in its current structure, is about 5 years old.
Team Functional Structure (organization chart not reproduced)
IAM Program - Infrastructure (risk heat map, Impact [Low to Critical] vs. Likelihood [Low to High]; figure not reproduced)
Control areas plotted: Access Control, Documentation and Oversight; Profile Management; Consistent On-Boarding & User Admin (CAA); Emergency Access; Profile Certification
Legend:
- Initial Risk Rating: No controls OR remediation in place
- Intermediate Risk Rating: Partial controls deployed OR intermediate remediation plan
- Final Risk Rating: Comprehensive controls deployed OR full remediation plan in place
IAM Program - Application (risk heat map, Impact [Low to Critical] vs. Likelihood [Low to High]; figure not reproduced)
Control areas plotted: Consistent On-Boarding & User Admin (CAA); Profile Management; Access Control, Documentation and Oversight; Emergency Access; Profile Certification
Legend:
- Initial Risk Rating: No controls OR remediation in place
- Intermediate Risk Rating: Partial controls deployed OR intermediate remediation plan
- Final Risk Rating: Comprehensive controls deployed OR full remediation plan in place
Case Study of Success
Large business-critical application:
- 100K+ users, 70+ access profiles, multiple lines of business, internal and external facing customers
- Shared profiles, unstructured profile ownership, access granted by job code and cost center
- Several access-related audit findings: people who did not need access were granted access. Significant business risk.
- No way to remove access except by groups defined by job code/cost center
Step 1: get on the tools and monitor IAM metrics
- Onboarded application to strategic IAM tools for reporting user access, review and approval of user requests, and centralized access provisioning
- Information owner highly engaged with IAM processes and monitoring
Step 2: mature profile management
- Completed profile certification and rationalization with bi-annual certifications
- Complete access management strategy and documentation
- Completed DCR QA to validate that 100% of IDs, ID ownership, and system access is being reported
- Implement automated profile modification request review and approval process
- Integration with request tool and demand management model (for code releases)
Result: 18 months after IAM implementation, a follow-up audit resulted in no reported access-related issues. Improved transparency and efficiency of user access and profile modification.
IAM Tools Integration Overview (diagram not reproduced)
Request Tool Integration
1. The Enterprise UID Repository contains employee and contractor user IDs and relevant employee meta data that triggers downstream request activity.
2. The Enterprise UID Meta Data Repository contains meta data for user access reported by applications and infrastructure assets; this data triggers downstream request activity.
3. Technology Assets report user details to the Enterprise UID Meta Data Repository (push approach).
4. Request Tools process end-user submitted requests, automated rules-based requests from the enterprise repositories, as well as compliance requests generated by the Risk team. The access admin team and auto-provisioning tools process requests generated by the request tools.
5. Static job functions have Auto Provision Rules defined based on HR attributes. Impacted users are tracked in the Auto Provisioned UID Store for future rules analysis triggered by HR events.
6. The Access Certification Tool services both quarterly access certification and HR-triggered (transfers) certification. Access recertification is based on data reported to the Enterprise UID Meta Data Repository.
7. For infrastructure assets, an intermediate Infrastructure Access Collection and Normalization Repository is leveraged for both access management and compliance reporting and remediation (pull approach).
8. The Access Compliance Manager uses white-list rules to identify non-compliant access. Delete requests can be generated for non-compliant access without valid exceptions.
Meta Data Collection
1. The Enterprise UID Repository contains employee and contractor user IDs and relevant employee meta data (employee status, type, hire/term dates, etc.).
2. The Enterprise UID Meta Data Repository contains meta data for user access reported by applications and infrastructure assets (ID type, access level, owner, source system, priv, etc.).
3. Technology Assets report user details to the Enterprise UID Meta Data Repository.
7. For infrastructure assets, an intermediate Infrastructure Access Collection and Normalization Repository is leveraged for both access management and compliance reporting and remediation.
9. The Privileged Access Vault manages access to passwords for privileged IDs.
10. Enterprise Application and Infrastructure Meta Data Repositories contain application and infrastructure ownership and supporting attributes (architecture, support teams, configuration data, etc.).
11. The Application Meta Data and Profile Repository contains additional application meta data specific to access (requestable profiles, descriptions, associated entitlements, etc.).
IAM Program Lessons Learned
- IAM tools and initiatives: incremental/phased approach; risk-based scoping and scheduling
- Combination of firm-wide efforts, focus, support, and reporting
- Firm-wide effort in concert with Line of Business (LOB) specific IAM strategies
- Strong risk model (Information Risk Managers [IT Risk], Operational Risk Managers [Business Risk], Line of Business Centers of Excellence for information sharing)
- Partnership with internal and external auditors
- IAM Metrics, metrics, metrics
IAM Target State: Strategically Add Value
- Toxic Combos: enable the ability to identify access combinations across applications that represent significant risks. Toxic combinations would allow a single user to commit fraud without collusion.
- Automated Profile Management: enable application owners to request, track, and formally document changes to application profiles in a central location. This will support profile certification and other role-based access controls.
- Job Function and Role based auto-provisioning: enable access to be (de)provisioned according to employee job functions using application and infrastructure roles.
- Complete transparency and self service (users, owners, auditors): support end-user and application owner self service. This includes profile management, access control and certification, and non-compliance monitoring and remediation.
- Real-time metrics and service: provide real-time, or near real-time, metrics for IT or business risk and security managers, internal audit, and information owners to assess the current state of IAM control effectiveness.
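As an added example (not from the presentation or Chase's tooling), the Python below models two of the checks described on this slide and on the Request Tool Integration slide: white-list compliance that generates delete requests for access lacking a valid exception (item 8), and toxic-combination detection across applications. All records, job functions, rule sets and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed access records in the shape of what an application would report
# to the meta data repository: (user_id, application, access_level).
ACCESS_RECORDS = [
    ("u100", "payments", "initiate_wire"),
    ("u100", "payments", "approve_wire"),   # same user can initiate and approve
    ("u200", "payments", "initiate_wire"),
    ("u200", "ledger", "post_journal"),     # covered by an approved exception below
    ("u300", "ledger", "read_only"),
    ("u300", "hr_portal", "admin"),         # not white-listed, no exception
]

# Constructed HR attribute: job function per user id.
JOB_FUNCTION = {"u100": "ops_clerk", "u200": "ops_clerk", "u300": "analyst"}

# White-list rules: (application, access_level) a job function may hold.
WHITE_LIST = {
    "ops_clerk": {("payments", "initiate_wire"), ("payments", "approve_wire")},
    "analyst": {("ledger", "read_only")},
}

# Approved exceptions: access allowed for a user despite the white-list.
EXCEPTIONS = {("u200", "ledger", "post_journal")}

# Toxic combinations: access a single user must never hold together, even
# when each entry is individually white-listed for the job function.
TOXIC_COMBOS = [
    frozenset({("payments", "initiate_wire"), ("payments", "approve_wire")}),
    frozenset({("payments", "initiate_wire"), ("ledger", "post_journal")}),
]


def non_compliant_access(records, job_function, white_list, exceptions):
    """Delete requests for access neither white-listed for the user's job nor covered by a valid exception."""
    deletes = []
    for user, app, level in records:
        allowed = white_list.get(job_function.get(user), set())
        if (app, level) not in allowed and (user, app, level) not in exceptions:
            deletes.append({"action": "delete", "user": user, "application": app, "access_level": level})
    return deletes


def toxic_combinations(records, combos):
    """(user, combo) pairs where one user holds every access in a toxic combination; exceptions do not exempt."""
    held = defaultdict(set)
    for user, app, level in records:
        held[user].add((app, level))
    return [(user, combo) for user, access in sorted(held.items()) for combo in combos if combo <= access]
```

Note that u200's exception keeps the ledger access out of the delete queue but does not clear the toxic combination, which is why the two checks are run independently.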
Questions
For more information: Kwame Fields, JPMorgan Chase Consumer & Business Banking IT Risk Management, kwame.a.fields@chase.com