A Governance-based Approach to Identity Management
Darran Rolls – CTO – SailPoint Technologies
Tariq Jan – Program Manager – JPMorganChase
Confabulations, Zurich
Examples of IAM Lifecycle Breaks
Identity Lifecycle Management
User Access Recertification – Beware The Big Bad Rubber Stamp…
[Chart: Business Context vs. Reliable Results]
"Methods currently employed to manage compliance and governance are predominantly paper-based, including spreadsheets, folders, and manual systems." Source: Aberdeen Group 2008
PROBLEM STATEMENT
- Audit deficiencies; no LOB ownership of process.
- Lack of ownership of privileged accounts.
- Lines of Business within the firm proceeding down different paths and making their own investments in certification procedures and tools.
- User experience: variations in certification tools, processes, and methods.
- Scalability of current recertification tools and processes, and the manual effort required to manage the end-to-end process.
- Movers and Leavers are not managed appropriately.
Project Approach: Vendor Selection - 2008
- 6 tools evaluated – 3 JPMC internal tools and 3 vendor tools
- Tech POC requirements were best met by SailPoint at 72% versus 36% for the other tools
- Cost – cheaper to buy than to build and maintain the current tools, also considering future requirements
- Steering Committee approval of the IdentityIQ tool
- Contract issued to the vendor for an enterprise license and Professional Services in August '08
- Offshore P.S. resource model selected for IB to reduce the cost of implementation
Key stakeholder reviews:
- F&BM – Larry Holodak, Lizzie Wilson, Matthew King
- Asia – Martin Reeves
- IB Architecture – David Laurance, Bruce Horner
- Audit – Gayatri Kanakaratnam, Sean Aitken
- TSS – Richard Pyall, Andy Wells, Terry Buckley
- GTI – Doug Sizemore
Project Approach: Implementation - 2009
- 365 application instances, with infrastructure where appropriate, delivered for recertification in 2009
- July '09 – Heritage Bear merger: IIQ used to provide role-based access certification for 6 applications
- Deletes raised for more than 104k user entitlements certified as revoked
- Training on IIQ delivered in 2009 – approx. 3,000 out of 17k certifying managers attended training sessions
- Positive feedback on UI – 40% drop in support calls compared to using other tools
- Policy Violations and Rules implemented
- Implementation of Toxic Combo functionality
- IBID (Sun) – IIQ integration and strategy formulated
- Transfer and Leaver handling process and additional functionality identified for implementation in 2010
Key stakeholder reviews: the same reviewers as listed under Vendor Selection.
Project Approach: Next Steps - 2010
- 800 new applications and infrastructure onboarded to IIQ
- 1,200 applications and infrastructure recertified, including external vendor applications
- Implementation and go-live of Toxic Combination functionality
- Improve user experience by implementing certification by exception
- Continue investigating RBAC opportunities
- Decommissioning of other LOB recertification tools within the firm and migration to IIQ
Key stakeholder reviews: the same reviewers as listed under Vendor Selection.
User Access Recertification Maturity
[Chart: recertification maturity model. Degree of Automation, from low to high: Manual (Spreadsheets & ), Periodic (System Based Reporting), Event Based (Triggers), Continuous (Dynamic Review). Type of Review, from Review of Actual Data to Review of Policy Compliance Effectiveness; data moves from Static Data to Real-time Review.]
User Access Recertification – End State
Reviewers: App Owner, Manager, Ad-hoc
- Consolidated view of user access privileges
- Review and certify entitlements, business roles and policy violations
- Highlight accounts of interest – privileged user, service, dormant
- Business-focused certification process
- Cascading application certifications
- Easy-to-understand entitlement descriptions
- Highlight identity risk metrics within certification reports
- Closed-loop integration with existing provisioning systems: automatically generates revocation requests and validates that changes were completed
Automated Certification Process decisions: Approve access, Allow exceptions, Revoke access, Delegate decision
Entitlement model: Policy, Role, Entitlement, Identity Cubes, IT Resources
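The end state above describes a closed loop: reviewers highlight accounts of interest and policy violations, "revoke" decisions become provisioning requests, and the target system is re-read to confirm the change landed. The following is an added example, not code from the deck, JPMC or SailPoint IdentityIQ; the entitlement names, the toxic-combination rule and the two identities are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample policy data; names are hypothetical, not JPMC's or IIQ's.
TOXIC_COMBOS = [({"payments:create", "payments:approve"}, "SoD-001")]
PRIVILEGED = {"prod:root"}
DORMANT_DAYS = 90

@dataclass
class Identity:
    name: str
    entitlements: set
    last_login: date

def flag_accounts_of_interest(ident, today):
    """Highlight privileged and dormant accounts so they are not rubber-stamped."""
    flags = []
    if ident.entitlements & PRIVILEGED:
        flags.append("privileged")
    if (today - ident.last_login).days > DORMANT_DAYS:
        flags.append("dormant")
    return flags

def policy_violations(ident):
    """Ids of toxic combinations (SoD rules) the identity currently holds."""
    return [rid for combo, rid in TOXIC_COMBOS if combo <= ident.entitlements]

def build_revocations(identities, decisions):
    """Closed loop, step 1: turn 'revoke' decisions into provisioning requests.
    decisions maps (identity, entitlement) -> approve | exception | revoke."""
    return {(i.name, e) for i in identities for e in i.entitlements
            if decisions.get((i.name, e)) == "revoke"}

def validate_revocations(revocations, re_aggregated):
    """Closed loop, step 2: re-read the target system and report revocations
    that were raised but are still present (the change was not completed)."""
    return {(n, e) for n, e in revocations if e in re_aggregated.get(n, set())}

# Constructed sample campaign: two identities, reviewer decisions, and the
# entitlement snapshot re-aggregated after provisioning ran.
TODAY = date(2009, 6, 1)
PEOPLE = [Identity("alice", {"payments:create", "payments:approve"}, date(2009, 1, 10)),
          Identity("bob", {"prod:root", "hr:view"}, date(2009, 5, 20))]
DECISIONS = {("alice", "payments:approve"): "revoke",
             ("bob", "prod:root"): "approve", ("bob", "hr:view"): "exception"}
AFTER = {"alice": {"payments:create", "payments:approve"}, "bob": {"prod:root", "hr:view"}}

if __name__ == "__main__":
    raised = build_revocations(PEOPLE, DECISIONS)
    print("raised:", raised, "not completed:", validate_revocations(raised, AFTER))
```

In the sample, alice's revocation is raised but the re-aggregated snapshot still shows the entitlement, which is exactly the gap a rubber-stamp process never catches.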
Summary - IAM Convergence Framework
[Diagram: IAM Convergence Framework]
Identity sources: HR, Clients, Non Employee
Request Mgmt (SailPoint IIQ / Other), governed by Functional Access Approval Policies
Identity Store and Provisioning
Policy Store: Leaver/Transfer Policies (SailPoint IIQ), Separation of Duty Policies (SailPoint IIQ), Other Access Ctrl Policies
Entitlement Data Model (SailPoint IIQ) and Entitlement Store
Event Mgmt Tool feeding Leaver/Transfer handling (SailPoint IIQ)
Recertification (SailPoint IIQ) and Policy Reviews (SailPoint IIQ)
Targets: Application, Infrastructure, Privileged Access