Published by Louisa Chapman. Modified over 9 years ago.
1
A Governance-based Approach to Identity Management
Darran Rolls – CTO – SailPoint Technologies Zurich
2
Cool Vendor in Identity and Access Management
About SailPoint
Our Focus: Identity and Access Governance
Our Heritage: 10 years of Identity Management leadership and experience (Waveset/Sun/SailPoint); founded 2005; headquartered in Austin, TX
Our Marquee Customers: 5 of top 10 global banks; 3 of top 4 U.S. managed healthcare companies; 3 of top 4 global P&C casualty insurers; top telecom, manufacturing and energy companies
BMC Strategic Partnership: validated MarketZone partner; strategic component of ITGRC Initiative
Cool Vendor in Identity and Access Management
3
Setting the Stage for Identity Management Why Do We Care About Identity Controls?
We start with poor old TJ Maxx again…
2007 breach and loss of over M cards & related data
Big embarrassment & even bigger cost ($200M?)
Settled with 41 states for <$10M (+ probation)
Settled with Mastercard for $24M
Settled with a coalition of banks for $40M
15% Customer Appreciation Discount Day in all stores
Breach was discovered in December 2006 but likely started with basic textbook wardriving at the perimeter as early as 2004
Extensive systems compromise over an 18+ month period
Prolonged internal privileged account access!!
Speculation: the TJX breach could have been prevented, slowed, or at least detected earlier via basic Identity Management controls
4
Identity Management Reality State of IAM Within Most Organizations…
Hundreds of user adds, changes and deletes every day…
Inconsistent, ad-hoc and manual processes, platform dependent…
Disparate provisioning tools and workflows…
Many human touch points: business managers, help desk, IT, etc… (portal, help desk, provisioning, paper form, IT admin)
No consistent policy enforcement
No common controls or audit trail
Very difficult to ensure compliance and assess risk
5
The Growing Identity Management Divide The Business & IT Disconnect
Business side:
Inability to translate corporate governance into actionable IT policy (risk management, business policy)
Auditing and controls still highly manual or spreadsheet-based (human error, inconsistencies; data is hard to obtain or missing)
No ability to manage identity through a business lens
IT side:
Lack of transparency: IT / identity data not understood by the business
Are we protecting our assets?? Do we conform to policy?? Are we at risk??
6
But This Isn’t My Company/Organization?
SailPoint independent survey of Fortune 1000 companies, 2008/2009
Respondents: Security/IT/Audit professionals
Focus: What are the top-of-mind identity and access management issues?
7
Survey Results: 46% of companies surveyed have failed an IT or security audit because of a lack of control around user access.
Q: In the last 5 years, has your company failed an IT or security audit because of a lack of control around user access?
Yes: 46%. No: 54%.
8
Survey Results: 66% of companies lack on-demand visibility into “who has access to what?”
Q: If your company’s CIO asked you to present a complete record of user access privileges for each employee that same day, could you?
Yes: 34%. No: 66%.
9
Survey Results: 56% of companies struggle to promptly deprovision terminated workers.
Q: If your organization downsized significantly next month, could you immediately remove all access privileges for terminated employees?
No: 56%. Yes: 44%.
10
Identity – Common Source of Internal Abuse A Top Focus for IT Audits
Entitlement Creep: accumulated privileges; potential toxic combinations; increased risk of fraud
Orphan Accounts: poor de-provisioning; high risk of sabotage, theft, fraud
Privileged Users: users with “keys to the kingdom”; poor visibility due to shared accounts
Rogue Accounts: fake accounts created by criminals; undetected access and activity; data theft, fraud and abuse
All four threaten the protected assets.
Identity & Access Management: #1 area requiring remedial action
Gartner survey: 44% of IT audit deficiencies are IAM-related
Ernst & Young: 7 of the top 10 control deficiencies relate to user access control
11
What’s Not Working?
Data is everywhere, but getting access to the right information at the right time is very difficult
Multiple, fragmented identity stores, AuthN/AuthZ
Huge gaps between business and IT groups
Inconsistent, ad-hoc processes for access change
Difficulty translating policy to IT implementation; IT data not understood by the business
Heavy reliance on manual or spreadsheet-based compliance processes: human error, inconsistencies; data is hard to obtain or missing
12
An Identity Governance Approach
An integrated approach that embeds risk management and compliance into core identity infrastructure and business processes
Moves from fragmented approaches to centralized visibility and control
Automates identity controls and business processes
Provides a business-friendly layer linking business users and processes to the underlying technology and technical users
Actively measures and monitors risk associated with users and resources
13
Manage Lifecycle Make Identity Management a Business Process
Provisioning life-cycle: self-service actions, policy evaluation, tracking & reporting, regulatory reporting
Visibility: business oversight & transparency; auditing & tracking; control of the entire IAM process
(Diagram: Business, Help Desk, IT Sec and Users around a Risk Model sitting over Provisioning & Directory)
14
What is an IAG Model? Role Model Policy Model Risk Model Audit Model
Outcomes: Defined Process, Compliance Proof, Sustainable Controls
Role Model: people grouping; entitlement bundling; assignment controls
Policy Model (controls model): SoD rules; value change controls; checks & balances
Audit Model: clear ownership; defined approvals; tracked actions
Risk Model: rate & rank; risk assessment of process; trending & analysis
15
Operational Provisioning Process Identity Compliance Process
Governance-Model-Driven Processes
Operational Provisioning Process: Request Access → Approve → Grant/Remove (via Provisioning Engine, Help Desk, IT Admin)
Identity Compliance Process: Define Controls → Collect Data → Analyze/Audit → Review/Certify → Remediate → Implement Controls (closed-loop audit)
Both draw on Centralized ID Data: governance metadata, policy, roles
16
The Three Steps To Identity Governance
Step 1, Current State Checkpoint: understand current state; build entitlement warehouse; establish responsibility; critical remediation
Step 2, Governance Model: plan desired state; automate controls; model policies & roles; change management models
Step 3, Operational Provisioning: manage delta; automate high-value apps; enhance existing procedures; closed-loop execution (detective, preventative, reactive; scheduled remediation, mitigation)
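The abuse patterns of slide 10 (orphan accounts, entitlement creep, privileged users), the policy and risk models of slide 14 and the entitlement warehouse of slide 16 can be made concrete with a small detective control. The following is an added example, not code from the presentation or from SailPoint's products: it correlates a constructed HR feed with constructed application account exports into a warehouse, then flags uncorrelated (orphan) accounts, terminated workers who still hold access, separation-of-duties violations from a toxic-combination rule list, and an illustrative risk score per identity. The data, the SoD rule and the risk weights are all assumptions made up for the example.

```python
"""Constructed identity-governance checks over a tiny entitlement warehouse."""
from collections import defaultdict

# Constructed sample data (not from the presentation): an HR feed and two
# application account exports with their entitlements.
HR_FEED = [
    {"id": "e100", "name": "Alice", "status": "active", "dept": "Finance"},
    {"id": "e101", "name": "Bob", "status": "terminated", "dept": "Finance"},
    {"id": "e102", "name": "Carol", "status": "active", "dept": "IT"},
]

APP_ACCOUNTS = [
    {"app": "ERP", "account": "alice", "owner": "e100",
     "entitlements": ["AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"]},
    {"app": "ERP", "account": "bob", "owner": "e101",
     "entitlements": ["AP_APPROVE_PAYMENT"]},
    {"app": "ERP", "account": "jdoe2", "owner": "e999",   # owner not in HR
     "entitlements": ["AP_VIEW"]},
    {"app": "AD", "account": "carol", "owner": "e102",
     "entitlements": ["Domain Admins"]},
    {"app": "AD", "account": "svc_backup", "owner": None,  # never correlated
     "entitlements": ["Domain Admins"]},
]

# Policy model: SoD rules as (entitlement A, entitlement B, label) toxic pairs.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "vendor-create vs payment-approve"),
]
# Entitlements treated as "keys to the kingdom" by the risk model.
PRIVILEGED_ENTITLEMENTS = {"Domain Admins"}
# Illustrative risk weights (an assumption of this example, not a vendor model).
RISK_WEIGHTS = {"per_entitlement": 5, "sod_violation": 50,
                "privileged": 30, "terminated_with_access": 100}


def build_warehouse(hr_feed, accounts):
    """Correlate accounts to HR identities.

    Returns (identities by id, identity id -> set of entitlements,
    list of (app, account) that could not be correlated = orphan accounts).
    """
    identities = {p["id"]: p for p in hr_feed}
    warehouse = defaultdict(set)
    orphans = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in identities:
            orphans.append((acct["app"], acct["account"]))
            continue
        warehouse[owner].update(acct["entitlements"])
    return identities, dict(warehouse), orphans


def sod_violations(warehouse, rules=SOD_RULES):
    """Identities holding both halves of a toxic combination."""
    hits = []
    for ident in sorted(warehouse):
        ents = warehouse[ident]
        for a, b, label in rules:
            if a in ents and b in ents:
                hits.append((ident, label))
    return hits


def terminated_with_access(identities, warehouse):
    """Terminated workers who still hold at least one entitlement."""
    return sorted(i for i, ents in warehouse.items()
                  if identities[i]["status"] == "terminated" and ents)


def risk_scores(identities, warehouse, rules=SOD_RULES):
    """Rate & rank each correlated identity with the illustrative weights."""
    sod_count = defaultdict(int)
    for ident, _ in sod_violations(warehouse, rules):
        sod_count[ident] += 1
    scores = {}
    for ident, ents in warehouse.items():
        score = RISK_WEIGHTS["per_entitlement"] * len(ents)
        score += RISK_WEIGHTS["sod_violation"] * sod_count[ident]
        if ents & PRIVILEGED_ENTITLEMENTS:
            score += RISK_WEIGHTS["privileged"]
        if identities[ident]["status"] == "terminated":
            score += RISK_WEIGHTS["terminated_with_access"]
        scores[ident] = score
    return scores


def run_audit(hr_feed=HR_FEED, accounts=APP_ACCOUNTS):
    """One detective pass; the findings feed a review/certify and remediate loop."""
    identities, warehouse, orphans = build_warehouse(hr_feed, accounts)
    return {
        "orphan_accounts": orphans,
        "sod_violations": sod_violations(warehouse),
        "terminated_with_access": terminated_with_access(identities, warehouse),
        "risk_scores": risk_scores(identities, warehouse),
    }


if __name__ == "__main__":
    for finding, value in run_audit().items():
        print(f"{finding}: {value}")
```

Running the audit on the constructed data reports the two uncorrelated accounts, Bob as a terminated worker with live access, Alice's vendor-create/payment-approve combination, and the highest risk score for the terminated identity; in a real deployment the same three checks would run on a schedule against the live warehouse and open remediation tickets for each finding.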
17
An Integrated Solution
Compliance Manager: certification | policy evaluation
Lifecycle Manager: access request | business event triggers
Governance Platform: role management | policy engine | risk model | provisioning broker
Integration modules connect the IdentityIQ Provisioning Engine, a 3rd-party service desk and a 3rd-party provisioning engine
18
QUESTIONS