
© 2015 IBM Corporation

IBM Security


Myths, Failures and the Future of Identity Governance

Andy Land

Director of Products


Myth #1: Identity Governance projects are long and painful

In the past, identity governance projects have been categorized as a long, painful process:

– Weeks or months of meetings and third-party consulting fees

– Long implementations that rarely reach 100% completion

– Lots of time spent turning the information into actionable items

– Inability to determine "who approved what and when"


A Business-Centric Approach Can Have Governance in Place in a Matter of Months Rather Than Years

Business-centric, activity-based roles can speed up the process

The right governance solution can bring intelligence out of the box

Bridging the communication gap facilitates collaboration between the necessary parties

Ability to translate audit rules into actionable controls

Once implemented, automation and repeatability speed up the process


Myth #2: IT and the Audit Team Speak the Same Language

IT and audit are often speaking very different languages:

– Auditors speak in business-centric terms

– IT staff speaks in specific IT entitlements

Who "owns" Identity Governance? C-level executives are often not aware of the language barrier and need answers to seemingly basic questions:

– Do our employees have access to the proper applications?

CISO, CRO, Application Managers, IT Managers, Auditors and LOB Managers often hold one piece of the puzzle but not the entire picture

– "The Pain Chain"

Lack of insight to guide user access approval and recertification decisions


The Right Identity Governance Solution Can Transform IT Lingo into Business Language

The “Rosetta Stone”

Identity Governance can help business users and IT staff communicate on the same terms

Business Activities provide layman's terms for entitlements

– Critical for Separation of Duties

Helps management and end users to definitively certify access


Myth #3: Everyone Loves Spreadsheets

Identity Governance is normally a maddening array of spreadsheets created by auditors

Spreadsheets get lost, are hard to keep consistent and make life difficult for those using the data

Role analytics and optimization are much more difficult on a spreadsheet than a dynamic visual map

One centralized solution would save significant time and energy


The Right Identity Governance Solution Can Transform These Spreadsheets Into Actionable Processes and Controls

Decreased time from information to action

Makes the auditor and IT staff lives easier

Dynamic role mapping capabilities provide the necessary information for role optimization

End users can now “see” SoD violations and make educated decisions

Capability to tie business activities to enterprise risk


Myth #4: You Need Roles to Define Separation of Duties

Role Based SoD (diagram: Entitlement Collection, then Role Modeling, then Define SoD on Roles; vertical axis labelled "Anxiety level")

– Design roles, then set SoD rules

– Requires IT and Business to agree

– Where did it work?


A New Activity Based SoD (diagram: Entitlement Collection, with Role Modeling and Activity Based SoD shown as separate tracks; vertical axis labelled "Anxiety level")

– Roles are only for granting access

– SoD design does not require Roles

– IT and Business do not need to agree
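The point of the two slides above is that SoD can be evaluated on business activities that entitlements map to, with roles left purely as a grant mechanism. The following is an added example, not IBM code or part of the original deck, that shows the mechanics: every entitlement name, activity name and toxic pair below is constructed for illustration. Raw entitlements from several systems are first translated into business activities, then checked pairwise against a business-defined list of toxic activity combinations; no role name is consulted at any point, so a violation spread across two roles or two applications is still caught.

```python
"""Activity-based Separation of Duties check (added example, not IBM code).

All entitlement names, activity names and toxic pairs are constructed.
"""
from itertools import combinations

# Constructed "Rosetta Stone": raw IT entitlement -> business activities it enables.
# Several entitlements (even from different systems) can map to the same activity.
ENTITLEMENT_TO_ACTIVITIES = {
    "ERP:AP_INVOICE_POST": {"Post vendor invoice"},
    "ERP:PAYMENT_RUN_RELEASE": {"Release payment run"},
    "ERP:VENDOR_MASTER_CREATE": {"Create vendor master"},
    "AD:Grp-AP-Clerks": {"Post vendor invoice"},
    "AD:Grp-Treasury": {"Release payment run"},
    "AD:Grp-Marketing": {"Edit marketing campaign"},
}

# Constructed toxic combinations, written by the business in activity terms.
# Roles are never mentioned here: this is what lets IT and Business work independently.
TOXIC_PAIRS = {
    frozenset({"Post vendor invoice", "Release payment run"}),
    frozenset({"Create vendor master", "Release payment run"}),
}


def activities_for(entitlements):
    """Translate a user's entitlements into {activity: set of granting entitlements}.

    Keeping the granting entitlements lets the reviewer see *why* an activity
    is present, which is what a manager needs to make an educated decision.
    """
    acts = {}
    for ent in entitlements:
        for act in ENTITLEMENT_TO_ACTIVITIES.get(ent, ()):
            acts.setdefault(act, set()).add(ent)
    return acts


def sod_violations(entitlements):
    """Return [(activity_a, activity_b, sorted granting entitlements)] for each toxic pair held."""
    acts = activities_for(entitlements)
    violations = []
    for a, b in combinations(sorted(acts), 2):
        if frozenset((a, b)) in TOXIC_PAIRS:
            violations.append((a, b, sorted(acts[a] | acts[b])))
    return violations


def unmapped_entitlements(entitlements):
    """Entitlements with no activity mapping: blind spots the SoD check cannot reason about."""
    return sorted(e for e in entitlements if e not in ENTITLEMENT_TO_ACTIVITIES)


def review_lines(user, entitlements):
    """Human-readable findings for a certification campaign."""
    lines = []
    for a, b, ents in sod_violations(entitlements):
        lines.append(f"{user}: toxic combination '{a}' + '{b}' via {', '.join(ents)}")
    for ent in unmapped_entitlements(entitlements):
        lines.append(f"{user}: entitlement {ent} has no business-activity mapping")
    return lines


# Constructed sample users. Note that "alice" has one ERP entitlement and one AD group;
# a role-based rule defined inside a single application would not see this combination.
USERS = {
    "alice": ["ERP:AP_INVOICE_POST", "AD:Grp-Treasury"],
    "bob": ["AD:Grp-Marketing"],
    "carol": ["AD:Grp-Marketing", "Legacy:ACL-42"],
    "dave": ["ERP:VENDOR_MASTER_CREATE", "ERP:PAYMENT_RUN_RELEASE", "ERP:AP_INVOICE_POST"],
}

if __name__ == "__main__":
    for user, ents in USERS.items():
        for line in review_lines(user, ents):
            print(line)
```

The unmapped-entitlement report matters as much as the violation list: an activity-based SoD check is only as complete as the entitlement-to-activity mapping, so anything left unmapped should be treated as an open item for the application owner rather than silently passed.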


Myth #5: Compliance is the Only Reason for Identity Governance

Identity governance has traditionally been viewed as a check mark:

– Pass audits

– Remain compliant with regulation

This mindset ignores the fact that an identity can be the gateway into an organization and, if not properly governed, leaves the business susceptible to breaches


Identity Governance Should Provide Controls Against Insider Threats

Improper levels of access have been involved in many breaches:

– Intentional malicious activity (insider threat)

– Accidental (well-intentioned users doing the wrong things)

Orphan accounts are the perfect target for attackers

With mobile employees, contractors, business partners and consultants, it has become increasingly important that users hold only the applications and entitlements that are proper for them


Failure #1: The 91 Day Audit Cycle

Repeating 90-day audit cycles

– No chance to catch breath

Manual spreadsheets and non-integrated Identity Management solutions can lead to confusion and lengthen the audit cycle

Constant communication back and forth between the business/auditors and IT

Long audit processes hinder any opportunity to optimize roles and governance

Costly and time consuming


Identity Governance Should Provide Automation and Repeatability

Rather than spreadsheets, automated processes are put in place within one unified solution

Speeds up the audit process and frees time to analyze identity data and optimize roles and processes

These processes are repeatable

Helps regulatory compliance and fortifies the security posture

Integration with Identity Management and other solutions can greatly improve visibility

Identity Governance and Administration (diagram of three lifecycles)

Identity Lifecycle: access request; access enforcement

Entitlement Lifecycle: role / entitlement management; access request; access certification

Risk Lifecycle: compliance / access risk / SoD


Failure #2: The Law of Herding Cats

Arguably the most difficult part of Identity Governance is the coordination and cooperation of multiple groups, processes and organizations

Each is responsible for a piece of the puzzle

– Cooperation and data sharing are necessary to assemble the total picture of identity governance

Not only does each group hold different information, they are also speaking different languages


Identity Governance Solutions Should Be The Universal Translator

Managers can understand exactly what access they are certifying or re-certifying

– Example: an employee who has moved from sales to marketing should not continue to have access to sales applications

IT staff, auditors, application owners and CISOs now know which users have access to which applications AND whether these are the proper applications

Business-centric terms make it easy to find "toxic" SoD combinations
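Two of the concrete controls named in this deck are the orphan-account problem (slide 11) and the mover who keeps old access after changing departments (the sales-to-marketing example above). Both come down to reconciling collected application accounts against an authoritative identity feed. The following is an added example, not IBM code or part of the original deck; the HR feed, the account export and the department-to-application table are all constructed for illustration. It flags three kinds of orphan (no recorded owner, owner unknown to HR, owner no longer active) and separately flags active users holding accounts in applications their current department does not use, which is the input a manager needs for a targeted recertification.

```python
"""Account reconciliation: orphan accounts and mover access drift (added example, not IBM code).

The HR feed, account export and department/application table are constructed.
"""

# Constructed authoritative identity feed (HR is the source of truth for who exists).
HR_IDENTITIES = {
    "e1001": {"name": "A. Rivera", "dept": "Marketing", "status": "active"},   # moved from Sales
    "e1002": {"name": "B. Chen", "dept": "Sales", "status": "active"},
    "e1003": {"name": "C. Okafor", "dept": "Sales", "status": "terminated"},
}

# Constructed account export collected from target applications: (application, account, owner id).
ACCOUNTS = [
    ("CRM", "arivera", "e1001"),          # retained after the Sales -> Marketing move
    ("MarketingHub", "arivera", "e1001"),
    ("CRM", "bchen", "e1002"),
    ("CRM", "cokafor", "e1003"),          # owner has left
    ("CRM", "svc_batch", None),           # nobody recorded as owner
    ("MarketingHub", "ghost", "e9999"),   # owner id that HR has never heard of
]

# Constructed business rule: which applications each department legitimately uses.
DEPT_APPS = {
    "Sales": {"CRM"},
    "Marketing": {"MarketingHub"},
}


def find_orphans(accounts, identities):
    """Accounts with no owner, an owner unknown to HR, or an owner who is no longer active.

    Returns [(application, account, reason)] so each finding can be routed to the
    application owner for disablement or ownership assignment.
    """
    orphans = []
    for app, acct, owner in accounts:
        if owner is None:
            orphans.append((app, acct, "no owner recorded"))
        elif owner not in identities:
            orphans.append((app, acct, f"owner {owner} not in HR feed"))
        elif identities[owner]["status"] != "active":
            orphans.append((app, acct, f"owner {owner} is {identities[owner]['status']}"))
    return orphans


def find_mover_drift(accounts, identities, dept_apps):
    """Active users holding accounts in applications outside their current department.

    Returns [(owner id, current department, application, account)]. Orphans are
    skipped here because find_orphans() already reports them.
    """
    drift = []
    for app, acct, owner in accounts:
        rec = identities.get(owner) if owner else None
        if rec is None or rec["status"] != "active":
            continue
        if app not in dept_apps.get(rec["dept"], set()):
            drift.append((owner, rec["dept"], app, acct))
    return drift


def certification_worklist(accounts, identities, dept_apps):
    """Group findings by application so each application owner gets one list to act on."""
    worklist = {}
    for app, acct, reason in find_orphans(accounts, identities):
        worklist.setdefault(app, []).append(f"orphan account {acct}: {reason}")
    for owner, dept, app, acct in find_mover_drift(accounts, identities, dept_apps):
        worklist.setdefault(app, []).append(
            f"account {acct} owned by {owner} ({dept}) is outside the department's applications"
        )
    return worklist


if __name__ == "__main__":
    for app, items in sorted(certification_worklist(ACCOUNTS, HR_IDENTITIES, DEPT_APPS).items()):
        print(app)
        for item in items:
            print("  -", item)
```

The split between "orphan" and "drift" is deliberate: an orphan is a disable-or-assign-owner decision for the application owner, while drift is a keep-or-revoke decision that only the user's current manager can make, which is exactly the distinction a certification campaign needs to route each item to the right reviewer.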


The Future is Now: A business-driven approach to Identity Governance

Identity and Governance Evolution (diagram with three columns)

Administration: cost savings; automation; user lifecycle. Scope: key on-premise applications and employees

Analytics: application usage; privileged activity; risk-based control; baseline normal behavior. Scope: employees, partners, consumers, anywhere

Governance: role management; access certification. Scope: extended enterprise and business partners; on- and off-premise applications

Questions the evolution answers:

– How to gain visibility into user access?

– How to prioritize compliance actions?

– How to make better business decisions?

Identity Intelligence: Collect and Analyze Identity Data


IBM Security Identity Governance and Administration: Delivering actionable identity intelligence

Align Auditors, LoB and IT perspectives in one consolidated Governance and Administration offering

Easy to launch Access Certification and Access Request to meet compliance goals with minimal IT involvement

Enhanced Role Mining and Separation of Duties Reviews using visualization dashboard and business-activity mapping

In-depth SAP Governance with Separation of Duties (SoD), access risk and fine-grained entitlements reviews

Easy to deploy virtual appliances for multiple customer adoptions

– Standalone Identity Governance

– Integrate with existing Identity Management

– Modernize legacy Identity management with integrated governance and administration

Common Integration Adapters

Identity Governance and Administration Platform (virtual appliance) diagram

Stakeholders: IT Security Team; Auditors / Risk Managers; LoB Managers / Employees

Functions: Access Fulfillment; Self Service Portal; Risk / Access Visibility; Access Certification

Common Integration Adapters to: Cloud Computing; Mobile Applications; Desktop and Server; Data; Mainframe


IBM is a Leader in the 2015 Gartner Magic Quadrant for Identity Governance and Administration

Source: Gartner (January 2015). This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from http://www.gartner.com/technology/reprints.do?id=1-27CNZU9&ct=150112&st=sb.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Inc. Positions IBM as a LEADER in Identity Governance and

Administration (IGA)

"The IGA market is transforming legacy, on-premises IAM products. IGA vendors are investing heavily to meet client needs in ease of use, mobility, business agility, and lower total cost of ownership. User provisioning and access governance functions continue to consolidate.”

Gartner, Inc. “Magic Quadrant for Identity Governance and Administration” by Felix Gaehtgens, Brian Iverson, Steve Krapes, January 2015 Report #G00261633


Learn more about IBM Security Identity Governance and Administration

2015 Gartner Identity Governance and Administration Magic Quadrant


Watch IBM Security Identity Governance DEMOS

Access Request Management (part 1) (part 2)

Access Recertification

Role Mining and Modeling

Policy Modeling

Visit our website to view solution briefs, whitepapers, and other assets

IBM Security Identity Governance and Management Website

Follow our blogs (SecurityIntelligence.com)

IBM Security Is a Leader, Again, in the New 2015 Gartner IGA Magic Quadrant

What Leading Analysts are Saying About IBM’s Acquisition of CrossIdeas


IBM Security @ Interconnect will feature today's hottest security topics including Cloud & Mobile Security, Security Analytics & Fraud Protection, Identity & Access Management, Application & Data Security Strategies, Advanced Threat Detection & Prevention and more

IBM Security @ Interconnect delivers:

– Three days of keynotes and general sessions featuring industry thought leaders

– 100+ security sessions including hands-on labs and certification testing

– Solution Expo featuring demonstrations of the latest products and services from IBM Security and our partners

– More networking events than ever to expand and strengthen your sphere of influence

Register at ibm.com/interconnect today!


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY