The Enterprise Role Management Company
Role-Based Privileges Management
How to Quickly and Effectively Implement Compliance
June 2007
Dr. Ron Rymon, Founder, Eurekify [email protected]
Eurekify at a Glance
• Leading provider of role-based management solutions
► Privileges Quality Management
► Role Management
► Identity Management
► Compliance Management
• Eurekify did not invent RBAC, but our unique & patented pattern recognition technology makes it a lot easier to implement
• History and current presence
► Since 2002, with more than 50 customers worldwide
► Partners include Consultants, Integrators, Vendors, and Auditors
► Based in Israel, with offices in NY and CA, and Worldwide partners
Examples of Eurekify Projects
• Clean-up Privileges
• Role Engineering
• Role Mgmt Business Processes
• IdM Preparation
• Privileges Attestation
• Verify Compliance (SoD & more…)
• Privileges Archiving
• Review & Query Privileges
Customers
IBM Partnership
• Eurekify works as an independent solution and/or complementing any Identity Management system
• Special partnership with IBM – “Optimized Partner”
• Integrated interface with Tivoli Identity Manager (ITIM)
• Working closely with ITIM lab in Irvine, CA
• Certified as “Ready for Tivoli”
• More than 20 joint customers worldwide
What is Role-based Management
Privileges Quality is the Source of All Evil
• Currently: Many Systems, Many People, Many Changes
► Hundreds or even thousands of applications
► Many people came, many changed positions, many left
► Many privileges were granted ad-hoc
• The Result: Poor & Unmanageable Privileges
► 1MM privileges for 20,000 users, many are ad-hoc
► 50% more accounts than people in the average system
► 30% out-of-pattern privileges
► 20-50% of groups are redundant or unnecessary
► No central view of privileges
• The Immediate Impact:
► Serious security holes abound
► Administration costs and productivity losses
• Other Impact
► Difficult to implement Identity Management
► Difficult to achieve and demonstrate compliance
Solution: Role-based Management
• Role-based Access Control ties IT privileges management practices to BUSINESS concepts, processes, and culture
• Role based access control (RBAC) is intended to simplify and strengthen security administration:
► Attach relevant privileges
► Associate users with relevant roles
► Avoid managing individual privileges
• Instead of 50 privileges/person, manage 3-5 roles/person
• Roles can be expressed based on membership, or as rules
► e.g., “Marketing users, in division X, that work out of CA, shall have access to A, B, and C”.
► e.g., “All the members of project X”, and the rights to the project materials
• Roles and rules, combined, constitute a privileges model. Role engineering is the construction of the privileges model.
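The privileges model just described, as an added example (not Eurekify's code): a role is defined either by explicit membership or by a rule over HR attributes, and the model is then used to flag out-of-pattern privileges (the exceptions counted on the "Source of All Evil" slide) and to measure role coverage. Users, HR records, privileges and roles are constructed sample data.

```python
# Added example (not Eurekify's code): roles as membership lists or HR-attribute rules,
# used to compute expected privileges, out-of-pattern exceptions and role coverage.
# Users, HR records, privileges and roles below are constructed sample data.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set

@dataclass
class Role:
    name: str
    privileges: FrozenSet[str]
    members: Set[str] = field(default_factory=set)            # membership-based role
    rule: Callable[[Dict[str, str]], bool] = lambda a: False  # rule-based role

    def applies_to(self, user: str, attrs: Dict[str, str]) -> bool:
        return user in self.members or self.rule(attrs)

HR = {  # constructed HR records
    "jim":  {"dept": "marketing", "division": "X", "site": "CA"},
    "kim":  {"dept": "marketing", "division": "X", "site": "CA"},
    "sara": {"dept": "finance",   "division": "X", "site": "NY"},
    "dave": {"dept": "marketing", "division": "Y", "site": "CA"},
}
GRANTED = {  # privileges each account actually holds today
    "jim":  {"A", "B", "C"},
    "kim":  {"A", "B", "C", "PAYROLL_ADMIN"},  # ad-hoc grant outside any role
    "sara": {"GL_POST"},
    "dave": {"A"},                             # not explained by the marketing rule (division Y)
}
ROLES = [  # the slide's rule-based example, plus a membership-based project role
    Role("mkt_x_ca", frozenset({"A", "B", "C"}),
         rule=lambda a: a["dept"] == "marketing" and a["division"] == "X" and a["site"] == "CA"),
    Role("project_x", frozenset({"GL_POST"}), members={"sara"}),
]

def expected_privileges(user: str) -> Set[str]:
    """Privileges the role model says the user should hold (union over applicable roles)."""
    out: Set[str] = set()
    for r in ROLES:
        if r.applies_to(user, HR[user]):
            out |= r.privileges
    return out

def out_of_pattern(user: str) -> Set[str]:
    """Granted privileges no role explains: the exceptions to review or remove."""
    return GRANTED[user] - expected_privileges(user)

def role_coverage() -> float:
    """Share of all granted privileges explained by roles (role engineering aims at ~80%)."""
    total = sum(len(p) for p in GRANTED.values())
    return sum(len(GRANTED[u] & expected_privileges(u)) for u in GRANTED) / total
```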
Eurekify’s Approach
Eurekify Pattern Recognition Analytics
• We did not invent Role-based Access Control (RBAC)
• But we made it a lot easier with our pattern recognition technology
Diagram: example users (Jim, Kim, Sara, Dave, Mike) grouped into discovered roles
• Discover business structure and define role model
• Detect and remove out-of-pattern exceptions
• Identify and adapt to business changes
Privileges Quality Management
Compliance Management
Role Management
Five Steps to Privileges Quality Management
Initial assessment
I. Visually review privileges, to ensure valid HR and account information across systems
II. Systematically detect & cleanup pattern-based exceptions
III. Correct groups/profiles on individual systems and applications
IV. Review of privileges and exceptions by business managers (online)
V. Implement full role-based privileges model across platforms (incrementally)
Current Statistics
• Users, Groups, Access rights, Access levels
• Individual system or application
• Cross system (IdM view)
• Any level of granularity
Privileges Querying
• Who has which privileges? Who else? What else? What’s in common? Through which roles? Who/what is the exception? What is the overlap? What other role is similar?
Privileges Quality Assessment
• HR mismatches
• Out-of-pattern privileges
• Suspected users, groups
• Redundant groups/roles
• Dual links
• Much more…
Privileges Cleanup
• Each system, cross systems
• Orphan users, groups
• Privileges collectors
• All levels of granularity
• Out-of-pattern alerts
• Rule violation alerts
• Easy review/fixing
• User/Manager review workflow
Analytics-Assisted Privileges Verification
Privileges Quality Management
• Detect
► Automatically detect inconsistencies
• Critique
► Collaborative analysis and review
► Set and review quality targets
• Adapt
► Analyze & update role model
► Fix privileges
• Approve
► Approve changes
Diagram: Detect, Critique, Fix, Approve cycle; inputs: Initial Privileges Cleanup and Ongoing Privilege Changes; actor: Business Role Manager / Administrator; output: IdM Provisioning or Other Systems
Compliance Management
Five Steps to Compliance Management
Initial assessment
I. Review & query privileges across multiple systems
II. Detect pattern-based exceptions systematically
III. Review and certify privileges by business managers (online)
IV. Verify Segregation of Duty and business policies (automatically)
V. Implement full role-based privileges management and compliance
Privileges Recertification/Attestation
• Quick setup of recertification processes
► User initiated via portal
► E-mail campaigns
• Users certified by their managers
• Resource owners certify access
► Roles
► Individual privileges
Business Process Rules (including SoD)
• Easily specified into a portable catalog
• Can be specified by business and/or IT people and/or auditors
• Segregation of duty (SoD)
• Business process rules and constraints
• Restricted relationships between HR attributes and allowed privileges
• All levels of granularity
Policy and Compliance Verification
• Automated compliance reverification, periodically via batch processes
• Compliance reporting and dashboard
• Easy review/fixing by business owners and administrators
• Easy integration with external reporting, workflow, and IdM tools
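The business process rules catalog from the previous slide and its automated batch re-verification, as an added example (not Eurekify's code and not the Sage rule syntax): two of the rule kinds the slides name, segregation of duty and restricted relationships between HR attributes and privileges, checked against every user's privileges. HR records, privileges and catalog entries are constructed sample data.

```python
# Added example (not Eurekify's code): a small portable catalog of business process
# rules (segregation of duty, and HR-attribute-to-privilege restrictions) verified in
# batch against each user's privileges. All users, privileges and rules are constructed.
from typing import Dict, List, Set, Tuple

# Catalog entries: ("sod", {conflicting privileges}) or
#                  ("restrict", hr_attribute, {allowed values}, privilege)
CATALOG: List[Tuple] = [
    ("sod", {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),   # payables SoD
    ("sod", {"GL_POST", "GL_APPROVE"}),                    # ledger SoD
    ("restrict", "dept", {"finance"}, "GL_POST"),          # only Finance posts to the GL
    ("restrict", "site", {"NL"}, "TELECOM_REG_REPORT"),    # location-bound privilege
]
HR = {
    "sara": {"dept": "finance", "site": "NY"},
    "mike": {"dept": "ops", "site": "NL"},
    "kim":  {"dept": "marketing", "site": "CA"},
}
GRANTED: Dict[str, Set[str]] = {
    "sara": {"GL_POST", "GL_APPROVE"},                               # SoD violation
    "mike": {"AP_CREATE_VENDOR", "TELECOM_REG_REPORT"},              # clean
    "kim":  {"GL_POST", "AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},   # SoD + restriction
}

def check_user(user: str) -> List[str]:
    """Return one finding per catalog rule the user violates, in catalog order."""
    privs, attrs, findings = GRANTED[user], HR[user], []
    for rule in CATALOG:
        if rule[0] == "sod" and rule[1] <= privs:        # holds every side of the conflict
            findings.append(f"SoD: {user} holds all of {sorted(rule[1])}")
        elif rule[0] == "restrict":
            _, attr, allowed, priv = rule
            if priv in privs and attrs.get(attr) not in allowed:
                findings.append(f"Restricted: {user} has {priv} but {attr}={attrs.get(attr)!r}")
    return findings

def verify_all() -> Dict[str, List[str]]:
    """Periodic batch re-verification: users with no findings are omitted from the report."""
    report = {}
    for user in GRANTED:
        findings = check_user(user)
        if findings:
            report[user] = findings
    return report
```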
Compliance Management
• Detect
► Automatically detect policy violations & inconsistencies
• Critique
► Collaborative analysis and review
• Adapt
► Analyze & update role model
► Fix privileges
• Approve
► Approve changes
Diagram: Detect, Adapt, Approve/Attest cycle with a Critique Session; inputs: Initial Identification of Policies and Regulations, Ongoing Privilege Changes and Ongoing Policy Changes; actors: Business Role Manager / Administrator, Auditor; output: IdM Provisioning or Other Systems
Role Management
Five Steps to Role Management
Initial assessment
I. Cleanup privileges
II. Identify and test fitness of alternative role engineering methods
III. Iteratively define & review deeper and broader role model (to reach ~80% coverage)
IV. Define & deploy role model and role management processes (administrative & analytical)
V. Define and implement administrative provisioning processes (IT, HR)
Eurekify Role Engineering Methodology
• Combined RE methodologies
► Target coverage: 80% of privileges
• Comparison of alternative role engineering methodologies
• Critiquing of new/existing roles
• Multitude of role engineering methods
► Top-down
► Analytics-assisted Top-Down
► Bottom-up (role/rule mining)
► Automatic discovery of HR-based as well as project-based provisioning patterns
► Other methods: obvious, modeled-after, …
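The bottom-up (role mining) method with the 80% coverage target, as an added example (not Eurekify's patented analytics): candidate roles are privilege sets several users hold in full, and a greedy set cover then picks the candidates that explain the most user/privilege assignments until the target is reached. The user-privilege matrix is constructed sample data.

```python
# Added example (not Eurekify's code): a minimal bottom-up role-mining pass. Candidate
# roles are privilege sets that several users hold in full; a greedy set cover then
# picks the candidates that explain the most user/privilege assignments until the
# coverage target is met. The user-privilege matrix is constructed sample data.
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

GRANTED: Dict[str, Set[str]] = {
    "u1": {"A", "B", "C"}, "u2": {"A", "B", "C"}, "u3": {"A", "B", "C", "D"},
    "u4": {"D", "E"}, "u5": {"D", "E"}, "u6": {"A", "Z"},   # u6's Z is an outlier
}

def candidates(granted: Dict[str, Set[str]], min_users: int) -> List[FrozenSet[str]]:
    """Each user's own privilege set plus pairwise intersections (shared cores such as
    {A, B, C}), kept only if at least min_users users hold the whole set."""
    seen: Set[FrozenSet[str]] = {frozenset(p) for p in granted.values()}
    for p, q in combinations(granted.values(), 2):
        if p & q:
            seen.add(frozenset(p & q))
    keep = [c for c in seen if sum(c <= p for p in granted.values()) >= min_users]
    return sorted(keep, key=lambda c: (len(c), sorted(c)))   # deterministic tie-breaks

def mine_roles(granted: Dict[str, Set[str]], target: float = 0.8, min_users: int = 2
               ) -> Tuple[List[Tuple[FrozenSet[str], List[str]]], float]:
    """Greedy cover of (user, privilege) pairs; returns the (role, members) list and coverage."""
    uncovered = {(u, p) for u, privs in granted.items() for p in privs}
    total, roles, pool = len(uncovered), [], candidates(granted, min_users)

    def gain(c: FrozenSet[str]) -> int:   # assignments this candidate would newly explain
        return sum((u, p) in uncovered for u, privs in granted.items() if c <= privs for p in c)

    while pool and 1 - len(uncovered) / total < target:
        best = max(pool, key=gain)
        if gain(best) == 0:
            break
        members = sorted(u for u, privs in granted.items() if best <= privs)
        roles.append((best, members))
        uncovered -= {(u, p) for u in members for p in best}   # in-place set update
        pool.remove(best)
    return roles, 1 - len(uncovered) / total
```

What the greedy pass leaves uncovered (here u3's extra D and u6's A and Z) is exactly the out-of-pattern remainder the cleanup steps review by hand.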
Eurekify Role Management Processes
• Role Model Management processes
► Detect and adapt to business changes
► Consistency and compliance tests
► Review and approval processes
• Role Administration processes (for customers that do not deploy a strong IdM system)
► Add/change/request role definitions
► Add/change/remove privileges
• Eurekify analytics are key for effective processes
• Independent processes that can also be integrated into any external workflow
• Role provisioning usually done by IdM or Meta-Directory
Easy Integration with Other Systems
• Quick import/export (asynchronous)
► Privileges data and role definitions
► File-based or API-based exchange
• Easy real-time synchronization
► Real-time exchange of roles & privileges data (snapshot/delta)
► Real-time analytics available via web services calls
► All levels of granularity
► Web services integration
• Flexible web services for third-party workflow
► Identity Management, Help Desk, company standard workflow
► All are empowered with Eurekify’s analytics
Role Management
• Detect
► Exceptions
► Inconsistencies
► Policy violations
► Business changes that affect roles
• Critique
► Collaborative analysis & review
• Adapt
► Analyze & update role model
► Fix privileges
• Approve
► Approve changes
• Synch it
Diagram: Detect, Critique, Adapt, Approve cycle; inputs: Role Engineering and Ongoing Privilege Changes; actor: Business Role Manager / Administrator; output: IdM Provisioning or Other Systems
Customer Case
KPN – The Dutch National Telecom
• The scenario
► Multiple business units: “fixed”, mobile, cable, IPTV
► 28,000 people
► 48 systems subject to SOX + 19 to National Competition Regulation
▼ Very diverse, including mainframe, SAP, and many homegrown systems
• The approach and project
► Performed jointly by PwC and KPMG
► Used Eurekify Sage to code BPRs
► Analyzed 80 business processes, creating one policy for each
► A total of over 1000 BPRs (10-15 per policy)
► 3 layers of controls: commonly accepted principles, organizational structure and processes, time and location
• The result
► Project completed in under 4 months!
► Several thousand violations were removed or rationalized
► Passed SOX review
How to Start?
• A Eurekify “Survey” is the best way to start
► Only 5 days!
► Lots of immediate value
▼ Qualitative and quantitative assessment
▼ Privileges review
▼ Piloting compliance tests
▼ Role engineering tryouts
• You will then know
► What you need, and how to justify your needs
► How to best start a successful project
• Call Eurekify or a local partner, or email [email protected]