Page 1: Role-Based Privileges Management (3.1MB) - IBM - United States

The Enterprise Role Management Company

Role-Based Privileges Management

How to Quickly and Effectively Implement Compliance

June 2007

Dr. Ron Rymon
Founder, Eurekify Ltd.
[email protected]

Page 2

Eurekify at a Glance

• Leading provider of role-based management solutions
  ► Privileges Quality Management
  ► Role Management
  ► Identity Management
  ► Compliance Management

• Eurekify did not invent RBAC, but our unique & patented pattern recognition technology makes it a lot easier to implement

• History and current presence
  ► Since 2002, with more than 50 customers worldwide
  ► Partners include Consultants, Integrators, Vendors, and Auditors
  ► Based in Israel, with offices in NY and CA, and Worldwide partners

Page 3

Examples of Eurekify Projects

• Clean-up Privileges
• Role Engineering
• Role Mgmt Business Processes
• IdM Preparation
• Privileges Attestation
• Verify Compliance (SoD & more…)
• Privileges Archiving
• Review & Query Privileges

Page 4

Customers

Page 5

IBM Partnership

• Eurekify works as an independent solution and/or complementing any Identity Management system

• Special partnership with IBM – “Optimized Partner”

• Integrated interface with Tivoli Identity Manager (ITIM)

• Working closely with ITIM lab in Irvine, CA

• Certified as “Ready for Tivoli”

• More than 20 joint customers worldwide

Page 6

The Enterprise Role Management Company

What is Role-based Management

Page 7

Privileges Quality is the Source of All Evil

• Currently: Many Systems, Many People, Many Changes
  ► Hundreds or even thousands of applications
  ► Many people came, many changed positions, many left
  ► Many privileges were granted ad-hoc

• The Result: Poor & Unmanageable Privileges
  ► 1MM privileges for 20,000 users, many are ad-hoc
  ► 50% more accounts than people in average system
  ► 30% out-of-pattern privileges
  ► 20-50% of groups are redundant or unnecessary
  ► No central view of privileges

• The Immediate Impact:
  ► Serious security holes abound
  ► Administration costs and productivity losses

• Other Impact
  ► Difficult to implement Identity Management
  ► Difficult to achieve and demonstrate compliance

Page 8

Solution: Role-based Management

• Role-Based Access Control ties IT privileges management practices to BUSINESS concepts, processes, and culture

• Role-based access control (RBAC) is intended to simplify and strengthen security administration:
  ► Attach relevant privileges to roles
  ► Associate users with relevant roles
  ► Avoid managing individual privileges

• Instead of 50 privileges/person, manage 3-5 roles/person

• Roles can be expressed based on membership, or as rules
  ► e.g., “Marketing users, in division X, that work out of CA, shall have access to A, B, and C”.
  ► e.g., “All the members of project X”, and the rights to the project materials

• Roles and rules, combined, constitute a privileges model. Role engineering is the construction of the privileges model.
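The privileges model described on this slide, as an added example (not Eurekify's code or data): membership-based roles and attribute-based rules together define what each user should hold, and the snapshot of what the systems actually grant is compared against that model. Everything unexplained by a role or rule is an out-of-pattern privilege, and everything the model grants that is absent is a missing one. The users, roles, the "Marketing / division X / CA" rule and the granted privileges are all constructed for illustration.

```python
"""Privileges model = membership roles + attribute rules (added example,
not Eurekify's code). A user's modeled privileges come from the roles they
are a member of and the rules whose condition they satisfy; the privileges
actually found in the systems are then audited against the model.
All users, roles, rules and assignments below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    name: str
    dept: str
    division: str
    location: str


@dataclass(frozen=True)
class Role:
    """Membership-based role: an explicit list of members."""
    name: str
    privileges: FrozenSet[str]
    members: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Rule-based role: applies to every user matching the condition."""
    name: str
    condition: Callable[[User], bool]
    privileges: FrozenSet[str]


USERS = [
    User("jim", "Marketing", "X", "CA"),
    User("kim", "Marketing", "X", "CA"),
    User("sara", "Marketing", "Y", "CA"),
    User("dave", "Finance", "X", "NY"),
    User("mike", "Engineering", "X", "CA"),
]

ROLES = [
    Role("project-apollo", frozenset({"apollo_repo", "apollo_wiki"}), frozenset({"sara", "mike"})),
    Role("finance-staff", frozenset({"gl_read", "ap_entry"}), frozenset({"dave"})),
]

RULES = [
    # The slide's own example: Marketing users in division X working out of CA get A, B and C.
    Rule("marketing-div-x-ca",
         lambda u: u.dept == "Marketing" and u.division == "X" and u.location == "CA",
         frozenset({"A", "B", "C"})),
    Rule("all-staff", lambda u: True, frozenset({"email", "intranet"})),
]

# Constructed snapshot of what the systems actually grant today.
ACTUAL = {
    "jim": {"email", "intranet", "A", "B", "C"},
    "kim": {"email", "intranet", "A", "B", "C", "payroll_admin"},
    "sara": {"email", "intranet", "apollo_repo", "apollo_wiki", "A"},
    "dave": {"email", "intranet", "gl_read", "ap_entry"},
    "mike": {"email", "apollo_repo"},
}


def modeled_privileges(user, roles, rules):
    """Return {privilege: [roles/rules that grant it]} for one user."""
    via: Dict[str, List[str]] = {}
    for role in roles:
        if user.name in role.members:
            for p in role.privileges:
                via.setdefault(p, []).append(role.name)
    for rule in rules:
        if rule.condition(user):
            for p in rule.privileges:
                via.setdefault(p, []).append(rule.name)
    return via


def audit_privileges(users, roles, rules, actual):
    """Per user: granted privileges the model does not explain (out-of-pattern),
    modeled privileges that are not granted (missing), and the role/rule that
    explains every granted privilege the model does cover."""
    report = {}
    for u in users:
        via = modeled_privileges(u, roles, rules)
        expected = set(via)
        have = set(actual.get(u.name, ()))
        report[u.name] = {
            "out_of_pattern": sorted(have - expected),
            "missing": sorted(expected - have),
            "explained": {p: via[p] for p in sorted(have & expected)},
        }
    return report


if __name__ == "__main__":
    for name, r in audit_privileges(USERS, ROLES, RULES, ACTUAL).items():
        print(name, "out-of-pattern:", r["out_of_pattern"], "missing:", r["missing"])
```

Kim's `payroll_admin` and Sara's `A` (she is in division Y, so the rule does not apply) surface as out-of-pattern, while Mike's missing `intranet` and `apollo_wiki` show the same comparison catching under-provisioning. The `explained` map is what a reviewer needs to see "through which role" a privilege is held.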

Page 9

The Enterprise Role Management Company

Eurekify’s Approach

Page 10

Eurekify Pattern Recognition Analytics

• We did not invent Role-based Access Control (RBAC)

• But we made it a lot easier with our pattern recognition technology

[Figure: sample users (Jim, Kim, Sara, Dave, Mike) grouped by their privilege patterns into roles]

• Discover business structure and define role model

• Detect and remove out-of-pattern exceptions

• Identify and adapt to business changes

Page 11

The Enterprise Role Management Company

Privileges Quality Management

Compliance Management

Role Management

Page 12

Five Steps to Privileges Quality Management

Initial assessment

I. Visually review privileges, to ensure valid HR and account information across systems

II. Systematically detect & clean up pattern-based exceptions

III. Correct groups/profiles on individual systems and applications

IV. Review of privileges and exceptions by business managers (online)

V. Implement full role-based privileges model across platforms (incrementally)

Page 13

Current Statistics

• Users, Groups, Access rights, Access levels

• Individual system or application

• Cross system (IdM view)

• Any level of granularity

Page 14

Privileges Querying

• Who has which privileges? who else? what else? what’s in common? through which roles? who/what is the exception? what is the overlap? what other role is similar?

Page 15

Privileges Quality Assessment

• HR mismatches

• Out-of-pattern privileges

• Suspected users, groups

• Redundant groups/roles

• Dual links

• Much more…

Page 16

Privileges Cleanup

• Each system, cross systems
• Orphan users, groups
• Privileges collectors
• All levels of granularity
• Out-of-pattern alerts
• Rule violation alerts
• Easy review/fixing
• User/Manager review workflow

Page 17

Analytics-Assisted Privileges Verification

Page 18

Privileges Quality Management

• Detect
  ► Automatically detect inconsistencies

• Critique
  ► Collaborative analysis and review
  ► Set and review quality targets

• Adapt
  ► Analyze & update role model
  ► Fix privileges

• Approve
  ► Approve changes

[Figure: Detect → Critique → Fix → Approve cycle, fed by the Initial Privileges Cleanup and Ongoing Privilege Changes, run by the Business Role Manager / Administrator, with approved changes passed to IdM Provisioning or Other Systems]

Page 19

The Enterprise Role Management Company

Privileges Quality Management

Compliance Management

Role Management

Page 20

Five Steps to Compliance Management

Initial assessment

I. Review & query privileges across multiple systems

II. Detect pattern-based exceptions systematically

III. Review and certify privileges by business managers (online)

IV. Verify Segregation of Duty and business policies (automatically)

V. Implement full role-based privileges management and compliance

Page 21

Privileges Recertification/Attestation

• Quick setup of recertification processes
  ► User initiated via portal
  ► E-mail campaigns

• Users certified by their managers

• Resource owners certify access
  ► Roles
  ► Individual privileges

Page 22

Business Process Rules (including SoD)

• Easily specified into a portable catalog

• Can be specified by business and/or IT people and/or auditors

• Segregation of duty (SoD)

• Business process rules and constraints

• Restricted relationships between HR attributes and allowed privileges

• All levels of granularity
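A portable rule catalog of the kind this slide describes, as an added example (not Eurekify's rule format, Sage, or any customer's catalog): SoD rules between conflicting privileges, an exclusive-roles constraint, and a rule restricting a privilege to an HR attribute, all held as plain data so they serialize to JSON and can be maintained by business, IT or audit staff. The rules are evaluated at role level and at individual-privilege level, which is why Bob's directly granted `payment_run` is caught even though he does not hold the conflicting role. Role definitions, users and rule ids are constructed.

```python
"""Business-process rule catalog (SoD, exclusive roles, HR-attribute
restrictions) verified against effective privileges. Added example, not
Eurekify's engine or catalog format; all roles, users and rules are
constructed for illustration.
"""
import json

# Constructed role definitions: role -> privileges granted by the role.
ROLE_DEFS = {
    "ap-clerk": {"ap_entry"},
    "ap-manager": {"ap_approve"},
    "vendor-master": {"vendor_create", "vendor_edit"},
    "payments-run": {"payment_run"},
}

# Plain-data catalog, so it can be exported/imported as JSON.
CATALOG = [
    {"id": "SOD-01", "type": "sod",
     "description": "Entering and approving AP invoices must be separated",
     "left": ["ap_entry"], "right": ["ap_approve"]},
    {"id": "SOD-02", "type": "sod",
     "description": "Creating vendors and running payments must be separated",
     "left": ["vendor_create"], "right": ["payment_run"]},
    {"id": "BPR-01", "type": "exclusive_roles",
     "description": "Vendor master and payment run roles are never co-held",
     "roles": ["vendor-master", "payments-run"]},
    {"id": "HR-01", "type": "attribute",
     "description": "Only Finance staff may post to the general ledger",
     "privilege": "gl_post", "require": {"dept": "Finance"}},
]

# Constructed users: HR attributes, role memberships and direct privileges.
USERS = {
    "alice": {"attrs": {"dept": "Finance"}, "roles": ["ap-clerk", "ap-manager"], "privileges": []},
    "bob":   {"attrs": {"dept": "Finance"}, "roles": ["vendor-master"], "privileges": ["payment_run"]},
    "carol": {"attrs": {"dept": "Marketing"}, "roles": [], "privileges": ["gl_post"]},
    "dave":  {"attrs": {"dept": "Finance"}, "roles": ["ap-clerk"], "privileges": ["gl_post"]},
    "eve":   {"attrs": {"dept": "Finance"}, "roles": ["vendor-master", "payments-run"], "privileges": []},
}


def effective_privileges(user, role_defs):
    """Privileges granted through roles plus those granted directly."""
    privs = set(user["privileges"])
    for role in user["roles"]:
        privs |= role_defs.get(role, set())
    return privs


def check_rule(name, user, rule, role_defs):
    """Return a violation record for one user/rule pair, or None."""
    privs = effective_privileges(user, role_defs)
    if rule["type"] == "sod":
        # Privilege-level SoD: conflicting privileges held together, however granted.
        left, right = privs & set(rule["left"]), privs & set(rule["right"])
        if left and right:
            return {"user": name, "rule": rule["id"], "evidence": sorted(left | right)}
    elif rule["type"] == "exclusive_roles":
        # Role-level constraint: more than one of the listed roles held.
        held = set(user["roles"]) & set(rule["roles"])
        if len(held) > 1:
            return {"user": name, "rule": rule["id"], "evidence": sorted(held)}
    elif rule["type"] == "attribute":
        # HR-attribute restriction: privilege allowed only with the required attributes.
        if rule["privilege"] in privs:
            bad = [f"{k}={user['attrs'].get(k)!r}" for k, v in rule["require"].items()
                   if user["attrs"].get(k) != v]
            if bad:
                return {"user": name, "rule": rule["id"], "evidence": [rule["privilege"]] + bad}
    return None


def verify(users, catalog, role_defs=ROLE_DEFS):
    """Run the whole catalog over all users; sorted list of violations."""
    violations = []
    for name, user in users.items():
        for rule in catalog:
            v = check_rule(name, user, rule, role_defs)
            if v:
                violations.append(v)
    return sorted(violations, key=lambda v: (v["user"], v["rule"]))


if __name__ == "__main__":
    for v in verify(USERS, CATALOG):
        print(v["user"], v["rule"], v["evidence"])
    print(json.dumps(CATALOG, indent=2))  # the portable form of the catalog
```

Running this as a periodic batch over a fresh privileges snapshot is the "automated compliance reverification" the next slide refers to; the sorted violation list is the input to the review and fixing step.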

Page 23

Policy and Compliance Verification

• Automated compliance reverification, periodically via batch processes

• Compliance reporting and dashboard

• Easy review/fixing by business owners and administrators

• Easy integration with external reporting, workflow, and IdM tools

Page 24

Compliance Management

• Detect
  ► Automatically detect policy violations & inconsistencies

• Critique
  ► Collaborative analysis and review

• Adapt
  ► Analyze & update role model
  ► Fix privileges

• Approve
  ► Approve changes

[Figure: Detect → Critique Session → Adapt → Approve/Attest cycle, fed by the Initial Identification of Policies and Regulations, Ongoing Privilege Changes and Ongoing Policy Changes, run by the Business Role Manager / Administrator and the Auditor, with approved changes passed to IdM Provisioning or Other Systems]

Page 25

The Enterprise Role Management Company

Privileges Quality Management

Compliance Management

Role Management

Page 26

Five Steps to Role Management

Initial assessment

I. Cleanup privileges

II. Identify and test fitness of alternative role engineering methods

III. Iteratively define & review deeper and broader role model (to reach ~80% coverage)

IV. Define & deploy role model and role management processes (administrative & analytical)

V. Define and implement administrative provisioning processes (IT, HR)

Page 27

Eurekify Role Engineering Methodology

• Combined RE methodologies
  ► Target coverage: 80% of privileges

• Comparison of alternative role engineering methodologies

• Critiquing of new/existing roles

• Top-down
• Analytics-assisted Top-Down
• Bottom-up (role/rule mining)
• Multitude of role engineering methods
  ► Automatic discovery of HR-based as well as project-based provisioning patterns
  ► Other methods: obvious, modeled-after, …
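Bottom-up role mining with a coverage target, as an added example (not Eurekify's patented pattern-recognition engine, whose algorithm the slides do not describe): candidate roles are privilege sets held in full by at least a minimum number of users, and a greedy pass keeps selecting the candidate that explains the most still-unexplained user/privilege cells until the coverage target is reached. Whatever remains unexplained is listed as an exception for review. The user/privilege matrix, the support threshold and the greedy selection are all constructed choices for illustration; the 80% target is the one stated on the slide.

```python
"""Bottom-up role mining over a user/privilege matrix with a coverage
target. Added example, not Eurekify's engine; the matrix below and the
greedy candidate selection are constructed for illustration.
"""
from itertools import combinations

# Constructed snapshot: user -> privileges actually granted.
MATRIX = {
    "u1": {"email", "intranet", "crm_read", "crm_write"},
    "u2": {"email", "intranet", "crm_read", "crm_write"},
    "u3": {"email", "intranet", "crm_read", "crm_write"},
    "u4": {"email", "intranet", "crm_read"},
    "u5": {"email", "intranet", "crm_read"},
    "u6": {"email", "intranet", "gl_read", "ap_entry"},
    "u7": {"email", "intranet", "gl_read", "ap_entry"},
    "u8": {"email", "intranet", "gl_read", "ap_entry", "sysadmin"},
}


def candidate_roles(matrix, min_support=2):
    """Privilege sets held in full by at least min_support users.
    Candidates are each user's own set plus all pairwise intersections;
    returns {candidate: [supporting users]}."""
    sets = [frozenset(p) for p in matrix.values()]
    cands = set(sets)
    for a, b in combinations(sets, 2):
        if a & b:
            cands.add(a & b)
    result = {}
    for c in cands:
        support = [u for u, p in matrix.items() if c <= p]
        if len(support) >= min_support:
            result[c] = support
    return result


def mine_roles(matrix, target_coverage=0.8, min_support=2):
    """Greedy set-cover style selection of roles.
    Returns (roles, coverage, exceptions): roles as frozensets in the order
    picked, coverage as the fraction of user/privilege cells explained, and
    exceptions as sorted (user, privilege) cells no selected role explains."""
    total = sum(len(p) for p in matrix.values())
    covered = {u: set() for u in matrix}
    cands = candidate_roles(matrix, min_support)
    roles, covered_cells = [], 0
    while covered_cells / total < target_coverage:
        best, best_gain = None, 0
        # Deterministic order: larger support first, then privilege names.
        for c, users in sorted(cands.items(), key=lambda kv: (-len(kv[1]), tuple(sorted(kv[0])))):
            gain = sum(len(c - covered[u]) for u in users)  # newly explained cells
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:  # nothing left that explains anything new
            break
        for u in cands[best]:
            covered[u] |= best
        covered_cells += best_gain
        roles.append(best)
        del cands[best]
    exceptions = sorted((u, p) for u, privs in matrix.items() for p in privs - covered[u])
    return roles, covered_cells / total, exceptions


if __name__ == "__main__":
    roles, coverage, exceptions = mine_roles(MATRIX, target_coverage=0.8)
    for r in roles:
        print("role:", sorted(r))
    print(f"coverage: {coverage:.0%}")
    print("exceptions:", exceptions)
```

With the 80% target the miner stops after three roles (a base role, a CRM role and a GL/AP role) and reports `u4`/`u5`'s `crm_read` alongside `u8`'s lone `sysadmin` as exceptions; raising the target to 100% adds a fourth, narrower CRM role and leaves only the `sysadmin` grant unexplained. That is the trade-off the slide's "target coverage" expresses: the coverage target decides how much of the long tail becomes roles and how much is handled as exceptions.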

Page 28

Eurekify Role Management Processes

• Role Model Management processes
  ► Detect and adapt to business changes
  ► Consistency and compliance tests
  ► Review and approval processes

• Role Administration processes (for customers that do not deploy a strong IdM system)
  ► Add/change/request role definitions
  ► Add/change/remove privileges

• Eurekify analytics are key for effective processes

• Independent processes that can also be integrated into any external workflow

• Role provisioning usually done by IdM or Meta-Directory

Page 29

Easy Integration with Other Systems

• Quick import/export (asynchronous)
  ► Privileges data and role definitions
  ► File-based or API-based exchange

• Easy real-time synchronization
  ► Real-time exchange of roles & privileges data (snapshot/delta)
  ► Real-time analytics available via web services calls
  ► All levels of granularity
  ► Web services integration

• Flexible web services for third-party workflow
  ► Identity Management, Help Desk, company standard workflow
  ► All are empowered with Eurekify’s analytics

Page 30

Role Management

[Figure: Role Engineering and Ongoing Privilege Changes feed a Detect → Critique → Adapt → Approve cycle run by the Business Role Manager / Administrator, with approved changes passed to IdM Provisioning or Other Systems]

• Detect
  ► Exceptions
  ► Inconsistencies
  ► Policy violations
  ► Business changes that affect roles

• Critique
  ► Collaborative analysis & review

• Adapt
  ► Analyze & update role model
  ► Fix privileges

• Approve
  ► Approve changes

• Synch it

Page 31

The Enterprise Role Management Company

Customer Case

Page 32

KPN – The Dutch National Telecom

• The scenario
  ► Multiple business units: “fixed”, mobile, cable, IPTV
  ► 28,000 people
  ► 48 systems subject to SOX + 19 to National Competition Regulation
    ▼ Very diverse, including mainframe, SAP, and many homegrown systems

• The approach and project
  ► Performed jointly by PwC and KPMG
  ► Used Eurekify Sage to code BPRs
  ► Analyzed 80 business processes, creating one policy for each
  ► A total of over 1000 BPRs (10-15 per policy)
  ► 3 Layers of controls: commonly accepted principles, organizational structure and processes, time and location

• The result
  ► Project completed in under 4 months!
  ► Several thousand violations were removed or rationalized
  ► Passed SOX review

Page 33

The Enterprise Role Management Company

How to Start

Page 34

How to Start?

• A Eurekify “Survey” is the best way to start
  ► Only 5 days!
  ► Lots of immediate value
    ▼ Qualitative and quantitative assessment
    ▼ Privileges review
    ▼ Piloting compliance tests
    ▼ Role engineering tryouts

• You will then know
  ► What you need, and how to justify your needs
  ► How to best start a successful project

• Call Eurekify or a local partner, or email [email protected]

Page 35

The Enterprise Role Management Company

END