Embed Size (px)
Citation preview
IDENTITY AND ACCESS GOVERNANCE
Buyer’s Guide
Purpose of this Guide ..............................................................................................1
Identity and Access Governance.............................................................................2
IAG as Part of Identity & Access Management .......................................................4
Feature Tables:
RoleDefinition .....................................................................................................7
AccessRequests ...............................................................................................11
Access Approvals ...............................................................................................15
AccessCertifications .........................................................................................18
AuditsandComplianceAnalysis .........................................................................21
IdentityandAccessIntelligence:MonitoringandAnalysis ...................................24
SolutionDeploymentandIntegration ..................................................................29
SummaryofTables ............................................................................................32
Appendix ................................................................................................................33
For More Information .............................................................................................34
TABLE OF CONTENTS
1
WelcometotheCourionIdentityandAccessGovernanceBuyer’sGuide.
ThisguideisdesignedtohelpyoudefinerequirementsforanIdentityandAccessGovernancesolutionfor yourenterprise.
Itcanalsohelpyouselectashortlistofvendorsforevaluation,andcompareIdentityandAccessGovernanceproductsduringanevaluationprocess.
Our ApproachThematerialinthisguideisorganizedaroundthecoretasksofIdentityandAccessGovernance(IAG)andthepeoplewhoperformthem.ItexaminesthefeaturesandfunctionsofIAGsolutionsneededto:
• Define roles and the access permissions associated with them, atasktypicallyperformedbyIAM analysts,resourceownersandbusinessmanagers.(Inthisguidewewilluse“IAManalysts”asshorthandforIAMprojectleadersandsecurityprofessionalsresponsibleformanagingIAMactivities.“Resource owners”willrefertoline-of-businessandITstaffresponsibleformanagingaccesstoapplications, databasesandotherresources.)
• Request access to applications, systems and resources,anactivitycarriedoutbybusinessmanagersonbehalfoftheirreports,andbyawidevarietyofemployeesandothersystemusersforthemselves.
• Approve access requests,typicallyperformedbybusinessmanagers andresourceowners.
• Certify the appropriateness of accesstosensitivesystems,applications anddata,tasksperformedby businessmanagers,resourceownersandauditors.
• Manage risk and verify compliance with government, industry and corporate policies,tasksbelongingtoauditorsandcomplianceofficers.
• Use Identity and Access Intelligence tools to analyze usage, uncover vulnerabilities, identify policy violations, respond to attacks, remediate problems and reduce risks.
• Deploy IAG solutionsandintegratethemwithotheridentitymanagementandsecurityproducts.
TheopeningsectionsprovideabriefoverviewofIdentityandAccessGovernance(IAG),andplaceIAGsolutionsinthecontextofIdentityandAccessManagementasawhole.
PURPOSE OF THIS GUIDE
1ExamplesfromrealIdentityandAccessManagementbuyer’sguides.
2
Theremainingsectionsaredesignedsothatevaluationteammemberscanworkwithrepresentative“subjectmatterexperts(SMEs)”ineachcategory(businessmanagers,systemusers,complianceofficers,etc.)toassesshowanIAGsolutioncanhelpthemdotheirjobsbetterandmeetorganizationalgoals.
Thefeaturetablescanbeusedtocaptureassessmentdataduringfeaturereviews,vendordemonstrations, proof-of-concepttests,referencecalls,andotherevaluationactivities.Thetablesarelaidoutsoyoucanusetheratingsystemofyourchoice,andtherearespacesforcommentsandassessmentsbysection.Ifyouwanttomodifyorexpandthetables,youcandownloadtheminPDForExcelformatfromtheCourionwebsiteResourcessectionatwww.courion.com.
Inthisguidewetrytoapplythesamepractical,business-friendlydesignprinciplesusedinCourion’sproducts,avoidingplatitudes(“Today’sbusinessworldischangingrapidly,andsoareyourIAMrequirements”)anddensefeaturedescriptions(“HasaworkflowthatseamlesslyintegrateswithSAPandOracleERP,andfine-grained separation-of-dutiescheckingwithflexibleexception-handlingmethods[Yes/No]”).1
Talk with UsOurconsultingteamandpartnerscanansweryourquestions,demonstrateCourion’ssolutions,helpyouconductaproof-of-concept,generateabusinesscase,orassessaccessrisk.Wewouldalsolikeyourfeedbackonthisguide.Pleasecontactusatinfo@courion.com
IDENTITY AND ACCESS GOVERNANCE
Functions of Identity and Access GovernanceToday,thefieldofIdentityandAccessGovernancecoversfourmaincomponents:
1.Processestocertifythatexistingpermissionsareappropriateandinconformancewithcorporatepolicies.
2.Processestoauditidentityandaccessprocessesandresults,demonstratecontrols,definepoliciesaboutwhoshouldhaveaccesstowhatresources(governance),provecompliancewithregulatoryrequirementsandcompanystandards,andremediateanyissuesuncovered.
3.Processestodefinerolesandtorequestandapproveaccesstodata,applicationsandotherinformation technologyresources.
4.Monitoringandanalysistoolstodetectvulnerabilities,assessrisk,andimprovecompliancewith requirementsandstandards.
3
TheoriginalfocusofIAGwasonthefirsttwocomponents,especiallyontoolstocertifypermissionsandtohelpauditorsandcomplianceofficersreduceauditcostsanddocumentcompliance.
However,itwassoonrecognizedthatthesefourareasarereinforcing.Organizationsthathavereliableprocessestorequestandapproveaccessmakefewererrors,andthereforeexpendlesseffortoncertification,auditingandremediation.Organizationswithidentityandaccessintelligencetoolscanmonitorchangesforpolicyviolations,tracktrendsandidentifyvulnerabilities,allowingthemtorespondtoproblemsfaster.
Infact,comprehensiveIAGsolutionsprovidevalueinmanyareasby:
•Improvingtheproductivityofmanagersbysimplifyingidentityandaccesscertificationprocesses
•Savingtimeforemployeesbyspeedinguptheprocesstorequestandreceiveaccesstoresources (especiallywhentherequestsystemisintegratedwithautomatedprovisioning)
•Providingmoredatatospeedupauditsandreducethehighcostofregulatorycompliance
•Reducingvulnerabilitiesanddecreasingtheriskofdatabreachesandthelossofcustomerandemployeeinformationandintellectualandfinancialproperty
•Improvingriskmanagement
•Deterringpolicyviolationsbyemployeesandotherinsiders
Atthesametime,IAGsolutionshelpenterprisesaddresssomeoftheirmostpressinghumanandtechnology challenges:increasingnumbersandtypesoftechnologyusers(employees,contractors,businesspartners,customers),multiplyingapplicationsanddevices(includingemployee-sourceddevicesencouragedby“BYOD”policies),growingregulatoryrequirements,pressuresforbetterriskmanagementandsecurity,andtightlimits onbudgetsandstaffing.
Tasks and PeopleFigure1showssomeofthemajortasksinvolvedinIdentityandAccessGovernance,andthepeoplewhotypicallyperformthem.
Thefeaturetablessectionofthisguideusesthesetaskareastoorganizeitslistofdesirablefeaturesand functions,tomakeitclearhowthosefeaturesandfunctionsrelatetospecificpeopledoingspecificjobs.
4
Figure 1: IAGtasks,andthepeoplewhoperformthem
IAG AS PART OF IDENTITY & ACCESS MANAGEMENT
Broadlyspeaking,today’sstate-of-the-artIdentityandAccessManagementsystemscoverthreeprimaryareasoffunctionality:Governance,Provisioning,andIntelligence.
Governancesystemsprovideprocessestorequest,approveandcertifyaccesstoapplicationsandITresources,andtoolstodocumentcompliancewithgovernmentregulations,industrystandardsandcorporatepolicies.
Provisioningsystemsautomatetheprovisioningandde-provisioningofaccesstoapplicationsandITresources,andmanageaccessthroughusers’lifecyclewiththeorganization.KeyIAMfunctionssuchaspassword management,advancedauthenticationandsinglesign-onaresometimesconsideredaspartofprovisioningandlife-cyclemanagement,andsometimesasseparateentities(butareinanycaseoutsideofthescopeofthisguide).
Identity and Access Intelligencesystemsprovidetoolstocontinuouslycollect,monitorandanalyzelargevolumesofidentityandaccess-relatedinformation,combiningdatanotonlyfromGovernanceandProvisioningsystems,butalsofromsecurityproductsandotherexternalsystems.IdentityandAccessIntelligenceproductsareoftendesignedsotheycanbeusedwitheitheragovernancesystem,oraprovisioningsystem,orwithboth.
5
Infact,IdentityandAccessIntelligencetoolsshouldbeseenasanintegralpartofanyIdentityandAccess Governanceimplementation.ThisguidediscussesfunctionalitythatistypicallyavailableingovernancesystemsandinIdentityandAccessIntelligencetoolswhentheyworktogether.Figure2illustratesthisapproach,andliststheproductsfromCourionthatfallintothoseareas.
AbriefoverviewoftheCourionproductsisprovidedintheappendix.
Figure 2: ThethreemainareasofIdentityandAccessManagement,withproductsfromCourion.TheCourionproductsaremodularandcanbeimplementedinanycombination.
6
Feature Tables
7
ROLE DEFINITION
Primary participants: IAM analysts, resource owners and business managersAnIdentityandAccessGovernancesolutionshouldmakeitassimpleaspossibleforIAManalysts,resource ownersandbusinessmanagerstodefinerolesandtheaccesspermissionsthatareassociatedwiththem.
Peopleshouldbeabletousebusinessterminology,nottechnicaljargon,toidentifyrolesandpermissions.Thisallowsbusinessmanagersandbusinessuserstoparticipatefullyindefiningroles,andlaterinrequesting,approvingandcertifyingaccess.
Itshouldbeeasytocreatesimplerolesatfirst,thenrefine,enhanceandexpandthemovertime.Thatallows organizationstostartusingthesystemquicklywhilecontinuouslyimprovingefficiencyandaccuracy.
Itshouldbepossibletodefinepermissionsthat(a)accuratelyreflectthelegitimateneedsofsystemusers,and (b)donotprovideunnecessaryentitlementsthatcouldjeopardizesecurityandprivacy.Toachievetheseobjectives,analysts,resourceownersandbusinessmanagersshouldbeableto:
•Createverygranularentitlements,forexamplepermissiontomakeAPinquiriesagainstaspecific accountingpackage,touseaspecificcomputingresourcelikeSharePointorInternetaccess,ortoacquireanassetlikealaptopwitha17”screen.
•Createrolesthatincludecombinationsofpermissions,suchasan“Accountant”rolethatincludes permissionstomakedeposits,reconcilebankstatements,createpurchaseorders,makeAPinquiries,etc.
•Creategroupingsthatcombineroles,forexamplea“SeniorAccountant”rolethatincludespermissions assignedtothe“Accountant”and“Level2Manager”roles.
•Modelnewrolesbycomparingspecificpermissionsfromexistingroles(Courioncallsthis“intelligentmodeling”).
Rolescancombinepermissionstoperformspecificactionsontargetresources
8
Mostindividualswillhavediverseaccessrequirements,basedontheirfunction,location,managementlevel,andapplicationneeds.Thereforepeopleshouldbeabletofindappropriateentitlementsandrolesbyusingsearchandfilteringtechniqueswithacatalogofroles.Theyalsoshouldbeabletoclassifyandtagrolessopeoplemakingaccessrequestscanfindtherightonestorequest,andsoapproverscandeterminethemostappropriaterolesforspecificsystemusers.
Thesystemshouldbeabletoaccommodateboth:
•A“bottomup”approach:Seewhatpermissionspeoplehavetodayandassemblerolesbasedon thoseobservations.
•A“topdown”approach:Createrolesbasedonananalysisofwhatislikelytoworkbestintheenvironment,andtestthose.
Systemusersshouldbeabletodefinepolicies,forexampleSeparationofDuties(SoD)policiesthatprevent thesamepersonfromtakingpotentiallydamagingactionslikecreatingvendoraccountsandauthorizing vendorpayments.
Roledefinitionandrefinementcaninvolvemanypeople,includingIAManalystswhoknowbestpracticesfordesigningroles,“resourceowners”responsibleforapplications,databases,andotherITservices,andbusinessmanagerswhounderstandtheresponsibilitiesofemployeesperformingspecificjobs.Thereforethesystemshouldhavemechanismstomanagewhocandefine,change,disableanddeletespecificroles.
Thesystemsshouldcreateacompleteaudittrailofeveryactionrelatedtodefining,modifyinganddeletingroles.
Thereshouldbe“outofthebox”oreasilymanagedintegrationwithprovisioningsystems,directoriesand applications,sorole-relatedinformationfromthosesystemsisavailable.
ThereshouldbeintegrationwithIdentityandAccessIntelligencetoolssoanalystscanassessrolesafterthey havebeencreated.Forexample,ifareportorqueryshowsmanyuserswiththesamerolerequestinganadditionalaccountorentitlement,thenthataccountorentitlementcanbeaddedtotherole.Conversely,ifthereare entitlementsthatnobodywiththeroleuses,theseshouldberemovedfromtheroledefinition.
IntegrationwithIdentityandAccessIntelligencetoolsalsoallowsrole-relatedinformationtobeanalyzedandusedforgovernance,compliance,incidentresponseandotherpurposes.
9
Role DefinitionScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Useasingleinterfacetomanageaccesstoawidearrayofbusinessresources,includingapplications,networks,ITaccounts,local,remoteandcloud-basedsystems,locallyinstalled,client/serverandcloud-basedapplications,LAN, wirelessandInternetconnectivityservices,physicalassetssuchaslaptopsandsmartphones,andsoftwarelicenses.
Definerolesusingbusinessterminology(nottechnicaljargon)
Assignauserfriendlynametoroles (forsearchingandfiltering)
Addauserfriendlydescriptiontoroles
Definerolesbasedonindividual,granularentitlements (e.g.read-onlyaccesstoaspecificdatabase)
Definerolesbasedongroupingsofexistingrolesandentitlements
Definerolesbasedontitlesordepartments(e.g.Accountant,VicePresident,ITContractor,Sales,CustomerService)
DefinerolesbasedonapplicationsorITresources (e.g.MicrosoftOffice,Salesforce.com,NetworkAccess,LaptopUser)
Clonerolesfromexistingroles
Modelnewrolesbasedonexistingroles(add/subtract)
Modelnewrolesbasedonexistinguseraccess (add/subtract)
Createanentitlements“catalog”ofavailableentitlementsandroles
Usesearchingandfilteringtoidentifyrelevantrolesin thecatalog
Assigntagstoroles,andusetagsforsearchingandfilteringinthecatalog
Allowuserstousethecatalogtodefinenewrolescombininggroupingsofexistingentitlementsandroles
9
10
Overall assessment for Role Definition
Comments:
Role DefinitionScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
DefineSeparationofDuties(SOD)andotheraccess-relatedpolicies(e.g.thesameusercannothavepermissionstomakedepositsandreconcilebankstatements)
Runnewpolicesagainstexistingrolesandpoliciestoflagpolicyviolations
Setadministrativepoliciesaboutwhoisallowedtodefineroles(e.g.,anyone,onlymanagers,onlyHumanResourcesstaff,onlydesignatedindividualsforeachdepartment)
Limitpermissiontochangearoledefinitiontoadesignated“roleowner”or“resourceowner”
Requirethatchangestoaroledefinitionbeapprovedbyoneormorespecifiedindividualsinadditiontotheroleowner
Displayroleusagestatistics,suchaswhenarolewaslastmodifiedandthenumberoftimesithasbeenassigned tousers
Disablerolestemporarily
Obtainroleanduserinformationfromprovisioningsystems(integration)
Exportroleanduserinformationtodirectories,applications,analytictoolsandotherexternalsystems(integration)
Createacompleteaudittrailofallactionsrelatedtorolecreation,definition,modification,deletionandapprovals.
10
11
ACCESS REQUESTS
Primary participants: Business managers, employees, contractors and other system usersAnIdentityandAccessGovernancesolutionshouldmakeitassimpleaspossibleformanagerstorequest accesspermissionsfordirectreports,andforemployees,contractorsandothersystemuserstorequestaccess forthemselves.
Peopleshouldbeabletousebusinessterminology,nottechnicaljargon,tofindrelevantrolesandunderstandtherelatedentitlements.Peopleshouldfindappropriateentitlementsandrolesbyusingarolecatalogwithsearchandfilteringtechniques,andbyusingtagsforsearchingandfiltering.
Itshouldbepossibletoallowsomepeopletorequestpermissionsforeveryoneintheorganization,andtolimitotherpeopletomakingrequestsforspecificgroups,oronlyforthemselves.
Itshouldbepossibletorestrictrequestsbasedonpolicy,andtofilterrolesandentitlementsbasedonrelated criteria.Forexample,amemberofthefinancestaffmightberestrictedtorequestingentitlementsrelatedtofinance,andwouldbeabletoapplyafilterintherolecatalogsothatitwoulddisplayonlythoseentitlements.
Someapplicationsandresourcesmayinvolveoptionsthatdonotaffectsecurityorgovernance;thereshouldbeamechanismtoallowpeopletorequesttheseoptionswithoutcreatingmanyseparateroles.Forexample,itshouldbepossibletohaveasinglerolecalled“Laptop”withachoiceofmemoryandscreensizeoptions.Thatismoreefficientthancreatingseparateresourcescalled“Laptop,8MBmemory,13inscreen,”“Laptop,8MBmemory, 15inscreen,”“Laptop,16MBmemory,13inscreen,”etc.
Thesystemsshouldcreateacompleteaudittrailofeveryactionrelatedtorequesting,approvingand grantingaccess.
Thisfunctionalityiscomplementarytoprovisioning.Provisioningsystemsautomatetheprocessofrequesting andgrantingaccess,especiallywhenpeopleenterandleavetheorganization.Someprovisioningsystemshave front-endinterfaceswiththesamefeaturesdescribedhere.ButanaccessrequesttoolcanbeusedaspartofanIdentityandAccessGovernancesolutionwithoutaprovisioningsystem.Itcanbeusedinconjunctionwithone,especiallyiftheprovisioningsystemfrontendlackskeyfeaturesorishardtouse.
12
Thereshouldbeamechanismtorequestoptionswithoutcreatingseparaterolesforeverycombination
13
Access RequestsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Requestpermissionsfordirectreports
Requestpermissionsforself(self-service)
Requestpermissionsforaspecificlistofusers
Requestaccesstoaspecificlistofresources,suchas applications
Usearolecatalogwithsearchingandfilteringtoquicklyfindandrequestrelevantrolesandentitlements
Requestpermissionsbasedonexistingrolesandgroupingsofrolesandentitlements
Usetagsforsearchingandfilteringinthecatalog
Selectoptionsrelevanttoaspecificresource(e.g.haveoneresourcecalled“SalesLaptop”withadynamicformtochoosememoryandscreensizeoptions)
Abilitytodelegateaccessrequests(e.g.,thedirectorofadepartmentcandelegatetoamanagertherighttomakeaccessrequestsforallmembersofthedepartment)
Use“bulkprovisioning”torequestonesetofrolesandentitlementsformultipledirectreports,orforalistofusers
Validateaccessrequestsagainstdefinedbusinesspoliciesandflagviolations
Whenpolicyviolationsareflagged,allowrequesterstooverridethepolicythroughanexemptionrequest
Shareaccessrequestinformationwithprovisioning systems(integration)
13
14
Access RequestsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
ExportaccessrequestinformationtoIdentityandAccessIntelligencetoolssotheycanidentifysuspiciousactivitiesandpolicyviolations(integration)
Createacompleteaudittrailofallactionsrelatedto accessrequests
Overall assessment for Access Requests
Comments:
14
15
ACCESS APPROVALS
Primary participants: Business managers and resource ownersAnIdentityandAccessGovernancesolutionshouldprovidesimple,efficientprocessesforbusinessmanagersandresourceownerstoprocessaccessrequests.
Inthiscontext“resourceowners”areline-of-businessorITstaffresponsibleforcontrollingaccesstoapplications, databasesandITservices.Theyarethepeoplewho,alongwithbusinessmanagers,understandwhattypesof accessusersneedtoperformtheirjobs,andwhatentitlementscanbegivenwithoutcompromisingsecurity, privacyrulesandcorporatepolicies.
Businesspoliciesmayrequiremultipleapprovalsforsomerequests.Thesolutionshouldenforcethesepolicies,forexamplebyrequiringapprovalfromtherequester’simmediatemanageranddepartmenthead,orfromamanagerandthe“owner”oftherequestedresource.
Thesolutionshouldprovideanintuitiveinterface,soapproverscanassessindividualrequestsefficientlyand managedozensofrequestseachday.
Thesolutionshouldalertapproverstopotentialpolicyviolations.
Busyorabsentapproverscanbeabottleneck,preventingusersfromaccessingresourcesneededfortheirwork.Toaddressthisissue,thesolutionshouldprovidereminderandescalationprocedurestoalertapproversandtoallowhigher-levelmanagersorappropriatecolleaguestostepin.
Thesystemshouldcreateacompleteaudittrailofeveryactionrelatedtoapprovingaccessrequests.
Thesolutionshouldalertapproverstopotentialpolicyviolations
16
Access ApprovalsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Assignapprovalstobusinessmanagersandresourceowners
Requiremultipleapprovals(e.g.,amanagerandaresourceowner,ortwolevelsofmanagement)
Provideapproverswithalistorinboxshowingallwaitingapprovalrequests
Approveorrejectindividuallineitemsineachrequest
Provideapproverswithadetailedviewofnew accessrequests
Optiontorequireacommentforeachlineitemrejected
Alertapproverstopotentialpolicyviolations(e.g.the sameusercannothavepermissionstomakedepositsandreconcilebankstatements)
Delegateallrequeststoanothermanagerorresourceownerforaspecifiedtimeperiod
Sendemailnotificationsofapprovalsandrejections torequesters
Optionallysendemailnotificationsofapprovalsandrejectionstorequesters’managersandotherinterestedparties
Sendemailremindersofpendingrequeststoapprovers
Sendemailnotificationstoapprovers’managerifnoactiontakenafteraspecifiedtime(e.g.noaction2daysafter therequest)
16
17
Access ApprovalsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Createacompleteaudittrailofallactionsrelatedto accessrequests
Overall assessment for Access Approvals
Comments:
Escalateapprovaltoapprovers’managerifnoactiontakenafteraspecifiedtime(e.g.noaction3daysaftertherequest)
17
18
ACCESS CERTIFICATIONS
Primary participants: Business managers, resource owners and auditorsAnIdentityandAccessGovernancesolutionshouldmakeiteasytoinitiatecertifications,andshouldprovide simple,efficientprocessesforbusinessmanagersandresourceownerstoperformthem.
Inthiscontext“resourceowners”areline-of-businessandITstaffresponsibleformanagingaccessto applications,databasesandITservices.
Thesolutionshouldbeabletosupportbothcomprehensivecertificationefforts(e.g.,certifyingaccessforall membersofadepartment)andmicro-certifications(certifyingaccessforasingleemployeeafterapolicyviolationisdetected).
Certifiersshouldbeabletoassessexactlywhataccessisavailabletocurrentusers.Theyshouldbeabletoacceptandrejectindividualinstancesofaccessrights,performadditionalresearch,andreassigncertificationstoanotherappropriatemanagerorresourceowner.
Thesystemshouldgivecertifiersvisibilityintoissueslikeexcessiveaccessrightsandtheviolationofseparationofdutiesandotherpolicies.
Toallowcertifierstoprocessdozensorhundredsofdecisionsefficiently,thesolutionshouldprovideanintuitiveinterfaceandfeaturestoallowdecisionstobeappliedtomultiplerequestsinonestep.
Thesolutionshouldprovidereminder,escalationanddelegationprocedurestoalertcertifiersandtoallow higher-levelmanagersorappropriatecolleaguestostepin.
Thesystemshouldcreateacompleteaudittrailofeveryactionrelatedtocertificationprocesses.
Certifiersshouldbeabletoacceptandrejectpermissions,performadditionalresearch,andreassigncertificationstoothers
19
Access CertificationsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Initiatecertificationreviewsmanually
Initiatecertificationreviewsbasedonevents (e.g.identificationofpolicyviolations)
Providecertifierswithalistorinboxshowingallwaitingcertificationrequests
Providecertifierswithadetailedviewofcurrentlevelsofaccessforeachuser
Alertcertifierstopotentialpolicyviolations(e.g.thesameusercannothavepermissionstomakedepositsandreconcilebankstatements)
Approveorrejectindividuallineitemsineachcertification
Optiontorequireacommentforeachlineitemrejected
Givecertificationsa“Research”statusifinvestigation isrequired
Reassignindividualcertificationstoanothermanagerorresourceowner
Delegateallcertificationstoanothermanagerorresourceownerforaspecifiedtimeperiod
Giveeachcertifieradashboardshowingtotalnumberofcertificationscompletedandoutstanding,intotalandbrokendownbycertificationtype
Showeachcertifierthetotalnumberofcertificationsheorshehasacceptedandrejected,andthenumberaccepted andrejectedforeachuser,eachrole,andeachapplication or resource
Sendemailnotificationsofcertificationresultstousers
Optionallysendemailnotificationsofcertificationresultstomanagersandotherinterestedparties
19
20
Sendemailnotificationstocertifiers’managerifnoactiontakenafteraspecifiedtime
Escalateapprovaltocertifiers’managerifnoactiontakenafteraspecifiedtime
Createacompleteaudittrailofallactionsrelated tocertifications
Sendemailreminderstocertifiersofincompletecertifications
Access CertificationsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Overall assessment for Access Certifications
Comments:
20
21
AUDITS AND COMPLIANCE ANALYSIS
Primary participants: Auditors, compliance officers and risk managersAnIdentityandAccessGovernancesolutionshouldcaptureeveryactionrelatedtocreating,defining,modifyinganddeletingroles,torequestingandapprovingaccess,andtocertifyingpermissions.
Standardreportsshouldshowactionsrelatedtoaccessrequestsandapprovalsandcertificationreviews.
Itshouldbeeasytoexportallofthisdatatospreadsheets,databases,reportingtoolsandothersystemsso thatauditorsandcomplianceofficerscanusetheinformationtoverifycompliancewithregulationsand corporatepolicies.
AnIdentityandAccessGovernancesolutionshouldalsogobeyondbasicreportingbyincorporatingintelligentanalytics.Forexample,anorganizationshouldbeabletolookatactivityforaccountsthatarecertifiedbuthavenolog-insoractivity.Theyshouldbeabletoimproveriskassessment,forexamplebydeterminingwhichorphanaccountsrepresentthehighestriskandneedtobeaddressedfirst.Analyticscanalsobeusedforbettertrendanalysis,foruncoveringsubtlepolicyviolations,andfortrackingtheorganization’soverallcomplianceposture.Capabilitieslikethesearecoveredinthe“IdentityandAccessIntelligence”sectionofthisguide.
22
Audits and Compliance Analysis
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Captureallactionsrelatedtocreating,defining,modifyinganddeletingroles,andforapprovingmodificationstoroles
Captureallactionsrelatedtorequestingaccessandapprovingaccessrequests,includingreassigninganddelegatingapprovals
Captureallidentifiedpolicyviolations
Captureallactionsrelatedtocertifications,includinginitiatingcertificationsandapprovingandrejectingpermissions
CapturealldataneededtosupportauditsrelatedtoSOX,GLBA,HIPAA,PCIDSS,UKDataProtectionActandothergovernmentregulationsandindustrystandards
Capturedatashowingperformanceagainstkeymetrics (e.g.timetodisableaccountsofterminatedemployees, percentageofpermissionscertifiedquarterly)
Reportsshowingaccessrequestandapprovalactions
Reportsshowingaccessrequestsandapprovalsbytargetsystemandbyresource
Reportsshowingaccessrequestsandapprovalsby useraccounts
Reportsshowingcertificationreviewactionsandresults
Exportdatatospreadsheets,databasesandreportingtoolsforanalysisandreporting
ExportdatatoIdentityandAccessIntelligencetoolsfordataminingandsophisticatedanalyses
21
23
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Overall assessment for Audits and Compliance Analysis
Comments:
Audits and Compliance Analysis
22
24
Primary participants: IAM analysts, resource owners, business managers, auditors, compliance officers and IT staffIdentityandAccessIntelligence(IAI)goesbeyondreportingtoaddtwocriticalcapabilitiestoIdentityandAccessGovernancesolutions:
1.Continuousmonitoring,todetectaccessissuesandpolicyviolationsquickly(ratherthanwaitingweeksor monthsforcertificationreviews).
2. “Bigdata”andadvancedanalytictoolstoprocessandinterpretmassivevolumesofidentityandaccessdata, toidentifyvulnerabilitiesandsubtlepolicyviolations.2
IdentityandAccessIntelligencetoolscanbeusedbyalmostalloftheindividualsdiscussedinthisdocument.
ThebasiccomponentsofanIdentityandAccessIntelligencesystemareshowninthediagrambelow.
2Enterprisestodaycaneasilygeneratebillionsofdatapointsrelatedtoidentitymanagement.Theseincludedataaboutidentities,resources,rights,policies,andidentityandaccess-relatedactivities.Anorganizationwith1,000systemusers,5,000useraccountsand1,000entitlementswouldneedtokeeptrackof5billioncombinations(1,000x5,000x1,000),andthatfiguredoesn’tincludeactionsperformedbythoseusers.IdentityandAccessIntelligencesolutionsneeddatawarehousingtoolstoprocessthosevolumesofinformation,andbusinessintelligenceanddatavisualizationtoolstohelppinpointmeaningfuldetails.FormoreinformationseetheCourionwhitepaperIdentity and Access Intelligence: How Big Data and Risk Analytics Will Revolutionize IAM.
IDENTITY AND ACCESS INTELLIGENCE: MONITORING AND ANALYSIS
OverviewofanIdentityandAccessIntelligenceSystem
25
Manytypesofidentityandaccess-relateddatafrommanytypesofsystemsanddevicesarecollectedcontinuouslyinadatawarehouse.Thisdataisanalyzedwithreferencetopolicies,compliancerules,threatdefinitions,and riskindicators.
Whenissuesandpolicyviolationsareidentified,eithertheyare automaticallyremediated,orrelevantmanagersandresourceownersarealertedsotheycantakeaction.
Sophisticateddatavisualizationandriskanalytictoolscanbeusedtofindpatternsincomplexdata,identify vulnerabilities,andpinpointpolicyviolations.Withconventionalreportingtools,manyofthesewouldremain hidden,orwouldhavebeendetectedonlyafterincidentshadalreadyoccurred.
AnIdentityandAccessIntelligencesystemcanmakeitmucheasiertouncovervulnerabilitiesandriskfactorslike:
•Orphanaccounts
•Rightsgrantedviainheritedpermissionsandnestedgroups
•Individualswhoseaccessrightssignificantlyexceednormsforpeopleintheirjobs
•Abnormalnumbersofrightsgrantedbyexception,oroutsidetheapprovedcorporateworkflow
Advancedanalytictoolslikeheatmapshelpusersuncoversubtlepolicyviolationsandcorrectlyprioritizerisks
26
Datavisualizationtoolscanhelpviewersassesswhatissuesshouldbethehighestprioritybasedonmultiple criteria.Inthe“heatmap”exampleonthispage,anautomatedanalysisshowsthatorphanaccountsBandCshouldbeaddressedbeforeorphanaccountA.AlthoughaccountAinvolvesthehighest-riskapplication,accountsBandCinvolvehigher-riskentitlementsandmoreactivity,andthereforerepresentmoreseriousrisksthatshouldbeaddressedfirst.Itwouldbeextremelydifficult,ifnotimpossible,toattainthisinsightwithconventionalreports.
AdditionalusesofIdentityandAccessIntelligencetoolsinclude:
•Alertingsecurityanalysts,anti-fraudgroupsandincidentresponseteamsto“privilegeescalation”andothersymptomsofpersistentthreatsandotherattacks.
•Trackingpositiveandnegativetrends.
•Analyzingmassiveamountsofidentityandaccessdataagainstpoliciesandcompany-definedmodelsof activitypatterns.
•Performing“what-if”analysisoftheimpactofpolicychanges.
IdentityandAccessIntelligencetoolscanbeacriticalpartofprovisioningaswellasIdentityandAccess Governancesolutions,butherewewillfocusonusesforgovernance.
27
Identity and Access Intelligence
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Provideoutoftheboxconnectorsandcollectorstogatherdatacontinuouslyfromenterprisedirectories,governancesolutions,policycreationtools,securityproductsandotherdatasources
Gatherinformationfromsourcesofunstructureddata(e.g.fileshares)aswellassourcesofstructureddata(databases)
ProvideETL(extract,transformandload)anddata warehousetoolstotransforminformationfromdisparatesystemsintoacommonformatsoitcanbecorrelated andanalyzed
Provide“Bigdata”businessanalysiscapabilitiestocorrelatemillionsorbillionsofidentity-resource-permissionrelationships
Detectorphanaccounts
DetectviolationsofSeparationofDuties(SoD)policies
Detectindividualswithpermissionsassociatedwith formerpositions
Detectfactorsassociatedwithvulnerabilities,suchassharedpasswords,weakpasswordsandveryoldaccounts
Detectrightsgrantedthroughexceptionsoroutsidetheapprovedworkflow(“outofband”)andtriggerreviewsbyresourceowners
Detectexcessivenumbersofaccountsorpermissions grantedbyanadministratororotherprivilegeduser
Detectrightsgrantedviainheritedpermissionsand nestedgroups
Detectindividualswithrightsinexcessofthoseinthesamedepartmentorwithsimilarroles
Detectriskindicators,suchasprivilegedaccountscreatedanddeletedwithinashortperiod,ormultiplefailedloginsfollowedbyasuccessfullogin
27
28
Overall assessment for Identity and Access Intelligence
Comments:
Identity and Access Intelligence
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Provideheatmapsandotheranalysisandvisualizationtoolstoidentifyhigh-riskandrecurringpolicyviolations
Automaticallyinitiatede-provisioningactionswhendangerousactivitiesaredetected
Automaticallyinitiatecertificationswhensuspiciousactivitiesorpermissionsaredetected
Automaticallyinitiatecertificationswhenrisklevelschange
Alertadministrators,managersandcomplianceofficersto“privilegeescalation”andothersymptomsofpersistentthreatsandotherattacks
Trackpositiveandnegativetrendsinaccessrequestsandpolicyviolations
Alertadministrators,managersandcomplianceofficerswhenpolicyviolationsaredetected
Providegraphsandreportstohighlightsourcesofrisk (e.g.individualswhodeviatefromgroupnormsorcausethemostpolicyviolations)
Performing“what-if”analysesoftheimpactofchanges (e.g.thenumberofpeopleoraccountsthatwouldbeaffectedbymodifyingapolicy)
28
29
SOLUTION DEPLOYMENT AND INTEGRATION
Primary participants: IT Staff (administrators, operations, applications, etc.)AnITorganizationshouldbeabletodeployanIdentityandAccessGovernancesolutioninashorttimeframe, withoutneedingtoinstallcomplexnewinfrastructureoracquirenewskills.Fastdeploymentlowersimplementationcostsandstartsgeneratingvaluefortheenterprisesooner.
Ongoingadministrationshouldbestraightforward,tominimizetheburdenontheITstaff.
IdentityandAccessManagementsystemsneedtointeractwithawidevarietyofexternalsystems,toshare informationaboutusers,roles,accessactivities,securityeventsandotherdata.Do-it-yourselfintegrationswiththesesystemscanbeverycostlytocodeandmaintain,andworkingonthemcandelayimplementation.Thereforeitisveryadvantageousifthesolutioncanbeintegratedwithaverywiderangeofsystemsandapplicationsusingout-of-the-boxconnectorssupportedbythevendor.
Thereshouldalsobetoolstofacilitatetherapiddevelopmentofcustomconnectorswhenout-of-the-boxsolutionsarenotavailable.
30
Solution Deployment and Integration
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Intuitivetoolsforinstallationandconfiguration
Littleornorequirementforprogrammingskillstoinstall andconfigure
Runonindustry-standardwebandapplicationserverssonospecializedinstallationormanagementskillsarerequired
Lightweightinfrastructure(e.g.noneedtoinstall middlewareoranenterprisedirectory)
Modulardesign–solutionmodulescanbedeployedin whateverorderprovidesthequickestbenefittothebusiness
Abilitytoextendthedatabaseschemaofthesolutiontoholdadditionaltypesofinformationfromintegratedsystemssuchasbusinessapplicationsandsecurityproducts
Out-of-theboxconnectorstoenterprisedirectoriesandaccesscontrolsystems(e.g.MicrosoftActiveDirectory,LDAP,OpenLDAP,IBMRACF,SunDirectoryServer,CA-ACF2)
Out-of-theboxconnectorstosystemswithindustrystandardoperatingsystems(e.g.RedHatLinux,SUSELinux,IBMAIX,IBMz/OS,HP-UX,Solaris)
Out-of-theboxconnectorstobusinessapplications(e.g.SAP,PeopleSoft,OracleE-BusinessSuite)
Out-of-theboxconnectorstodatabasesandcollaborationproducts(e.g.SQL,MySQL,OracleDatabase,Microsoft Exchange,NovellGroupWise,IBMLotus)
Out-of-theboxconnectorstoSIEM,DLPandothersecurityproducts(e.g.RSAAuthenticationManager,RSASecurID,CitrixSSO,ImprivataOneSign,RSADLPSuite,RSAenVision,McAfeeePO,SymantecDataLossPrevention)
30
31
Overall assessment for Deployment and Integration
Comments:
Solution Deployment and Integration
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Rapiddevelopmentkit(RDK)tointegratethesolutionwithothersystemswhenout-of-the-boxconnectorsare notavailable.
31
32
Summary of Assessments by Section
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Role Definition
Access Requests
Access Approvals
Access Certifications
Audits and Compliance Analysis
Identity and Access Intelligence: Monitoring and Analysis
Solution Deployment and Integration
Overall assessment
Comments:
32
33
APPENDIX: OVERVIEW OF COURION PRODUCTS
GovernanceAccess Request ManagerCourion’saccessrequestsolutionprovidesintuitive,easytouseprocessesfor authorizeduserstocreate,reviewandapproveaccessrequests.
ComplianceCourier® Courion’saccesscertificationandcompliancemanagementsolutionprovidesorganizationstheabilitytoautomatetheverificationandremediationofaccessrights.Itextendstheresponsibilityand accountabilityforcompliancetothemostappropriateresources,enablingbusinessuserstomonitorandenforceaccesstosensitivedataandothervitalcorporateassets.Powerfulanalysistoolsprovideavisuallyrichinterfacethatmakesiteasiertomonitorcomplianceandreduceenterpriserisk.
RoleCourier®Courion’srolelifecyclemanagementsolutionautomatesrolecreationandongoingrolemanagement, enablingorganizationstoeffectivelyalignbusinessroleswithITaccountsandaccessrights.RoleCourier’suniquehybridapproachcombines“top-down”roledesignand“bottom-up”roleminingtocreateaplatformforrobustlong-termrolelifecyclemanagementthatflexiblyadaptstotoday’schangingbusinessenvironment.
Identity and Access IntelligenceAccess Insight®Courion’sIdentityandAccessIntelligencesolutionappliespredictiveanalyticstomanage business,people,assetandsecurityrisks,automaticallycreatingnear-real-timegraphicalprofilesofthemostcriticalsecurityriskstoinformation,aspartofatotalIdentityandAccessManagementstrategy.
ProvisioningAccountCourier®Courion’suserprovisioningsolutionenablesenterprisestofullyautomatenewhire,promotion/transferandterminationprocesses.Withitsflexibleworkflowengineandabilitytoconnecttomultipleauthoritativesources,AccountCourierprovidesacommonaccessmanagementenvironmentforbothITaccountsand physicalassets.
PasswordCourier®Courion’spasswordmanagementsolutionenforcesconsistentlystrongpasswordpolicies andenablesuserstoinstantlyandsecurelyresettheirownpasswordsonenterprisesystems,applications,andWebportals.Transparentsynchronizationletsusersuseonepasswordtoaccessmultiplesystems,improving convenience,enhancingsecurity,andincreasingadoption.Multipleself-serviceentrypointsareavailable,such asWeb,desktopPC,voiceauthentication,IVR,orviasupportstaff.
34
ForinformationontheseCourionproducts,pleasevisitwww.courion.comorcontactyourCourionrepresentative or reseller.
About CourionWithdeepexperienceandmorethan600customersmanagingover10millionidentities,CourionisthemarketleaderinIdentityandAccessManagement(IAM),fromprovisioningtogovernancetoIdentityandAccessIntelligence(IAI).Courionprovidesinsightfromanalyzingthebigdatageneratedfromanorganization’sidentityandaccessrelationshipssouserscanefficientlyandaccuratelyprovision,identifyandminimizerisks,andmaintaincontinuouscompliance.Asaresult,ITcostsarereducedandauditsexpedited.WithCourion,youcanconfidentlyprovideopenandcompliantaccesstoallwhilealsoprotectingcriticalcompanydataandassetsfromunauthorizedaccess.Formoreinformation,pleasevisitwww.courion.comorreadhttp://blog.courion.com.
World Headquarters COURIONCORPORATION 1900WestParkDrive Westborough,MAUSA01581 Phone:+1508-879-8400 Toll-free:1-866-COURION
APAC COURIONITPRIVATELTD 305,PridePurpleAccord, S.N.3/6/1BanerRoad, Pune,Maharashtra,India411045 Phone:+91(20)6687-9100
FOR MORE INFORMATION
Copyright©1996-2014CourionCorporation.Courion,theCourionlogo,AccessInsight,AccountCourier,CertificateCourier,PasswordCourier,ProfileCourier,RoleCourierareregisteredtrademarksofCourionCorporation.AccessAssuranceSuite,ComplianceCourier,andEnterpriseProvisioningSuitearetrademarksofCourionCorporation.Allrightsreserved.Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.
Anyrightsnotexpresslygrantedhereinarereserved.
