
The Cross-Examination of Identity Governance and Intelligence

Page 1: The Cross-Examination of Identity Governance and Intelligence

© 2015 IBM Corporation

David Tyrrell IBM Identity Governance Specialist IBM Security Nick Oropall Market Segment Manager – Identity Governance IBM Security

The Cross-Examination of Identity Governance and Intelligence

Page 2

Who Has the Proper Access? Can You Prove it?

IBM and Business Partner internal use only

Source: WIRED

Page 3

Why is it important to understand who has what access?


55% of all attacks are caused by insider threats**

60% of all users have unnecessary access

**Source: 2Q15 X-Force Report

Page 4

Roles: We're here to help?

Example roles (figure):
- Accounting – New York
- Sales – New York
- Sales Managers – New York
- Sales – Austin
- HR – Austin

Roles are great for provisioning but cause problems when trying to find risk!

Page 5

The Pain Chain

Actors in the chain (figure): CFO, CEO, COO; Application Manager; IT Security; Business Manager; Internal Auditor.

Questions and answers passed along the chain:
- "Are we properly managing user access? Will our security controls pass the next audit?"
- "Could you prove that John Smith has 'appropriate' permissions for his job?"
- "Can you confirm that John Smith has the proper access?"
- "I can tell you what access John has – I can't tell if it's appropriate."
- "I could… if I was technical enough to understand all these IT details…"
- "Can you confirm that John Smith has the proper entitlements?"

Page 6

Bridging Business, Auditor and IT points of view

Business-centric activity mapping to better engage with the Business.

Business Activities (examples from the figure):
- View Accounts Payable
- Create Sales Record
- Create Purchase Order
- Update Payroll

IT Roles and Entitlements live in the applications (Mainframe, CRM, ERP, HR).

Map business activities to IT roles and entitlements.

Page 7

IGI – User access and business activities view

- Who are the users that I can manage?
- What is their assigned access?
- Which business activities can they perform?

Page 8

What is a role?

Example roles (figure):
- Accounting – New York
- Sales – New York
- Sales Managers – New York
- Sales – Austin
- HR – Austin

Page 9

How do we provide it?

Business Activity Mapping:
- Linking application permissions to a unified business process taxonomy
- An application-owner-driven task

Page 10

Audit findings are not the only driver

Page 11

APQC Process Classification Framework

Industry Specific Activity Trees:
- High-level enterprise process model that allows organizations to see their business processes in a structured taxonomy
- Open standard administered by APQC
- The most used process framework in the world
- Easily extended to support specific audit and risk goals
- Industry-specific trees developed in conjunction with IBM industry experts since 2008:
  Aerospace and Defence, Airline, Automotive, Banking, Broadcasting, City Government*, Consumer Electronics*, Consumer Products, Cross-Industry, Health Insurance Payer*, Healthcare Provider*, Life Sciences, Petroleum Downstream, Petroleum Upstream, Pharmaceutical, Property and Casualty Insurance, Retail*, Telco, Utilities

*Content from other contributors

Page 12

What Value Do Business Activities Bring to Customers?

1. Business-centric view versus technology-centric view
   - "Raise Purchase Orders" vs "Z3-PRCH-1"
   - "Business View" in Access Request and Review
   - Revocation of a Business Activity rather than of raw Access

2. Sensitive/Privileged Access Risk
   - Highlighting users who carry risk due to the activities they are able to perform

3. Business-centric SoD
   - Speaks the language of the auditor: 1:1 mapping with the auditor-provided SoD rules
   - Removes any reliance on roles
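The three points above describe one mechanism: translate raw entitlements into business activities, then evaluate sensitive-activity and SoD rules at the activity level so that role design no longer matters. The following is an added illustration, not IGI's code; the mapping table, the "Approve Purchase Orders" activity, the SoD rule, the user and all entitlement codes other than "Z3-PRCH-1" are constructed.

```python
# Added example (not IBM's code): entitlement-to-activity mapping plus
# activity-level SoD and sensitive-access checks. Codes other than
# "Z3-PRCH-1" and the activity names on the slides are constructed.

# Constructed mapping of (application, entitlement) to a business activity.
# Several technical entitlements may grant the same activity.
ACTIVITY_MAP = {
    ("ERP", "Z3-PRCH-1"): "Raise Purchase Orders",
    ("ERP", "Z3-PRCH-9"): "Approve Purchase Orders",   # constructed
    ("Mainframe", "APVIEW"): "View Accounts Payable",  # constructed code
    ("CRM", "SALES_CREATE"): "Create Sales Record",    # constructed code
    ("HR", "PAYROLL_UPD"): "Update Payroll",           # constructed code
}

# SoD rules in auditor language: activity pairs one person must not hold
# together (constructed rule, written as the auditor would phrase it).
SOD_RULES = [frozenset({"Raise Purchase Orders", "Approve Purchase Orders"})]

# Activities treated as sensitive/privileged on their own (constructed).
SENSITIVE = {"Update Payroll"}

def activities_for(entitlements):
    """Translate raw entitlements into business activities.
    Unmapped entitlements are reported, not ignored: they are a gap in the
    mapping and therefore invisible to every activity-level rule."""
    mapped, unmapped = set(), []
    for ent in entitlements:
        act = ACTIVITY_MAP.get(ent)
        if act:
            mapped.add(act)
        else:
            unmapped.append(ent)
    return mapped, unmapped

def assess_user(entitlements):
    """Evaluate SoD and sensitive-access rules directly on the activities a
    user's entitlements grant, regardless of which roles granted them."""
    acts, unmapped = activities_for(entitlements)
    violations = [sorted(rule) for rule in SOD_RULES if rule <= acts]
    return {
        "activities": sorted(acts),
        "sod_violations": violations,
        "sensitive": sorted(acts & SENSITIVE),
        "unmapped": unmapped,
    }

# Constructed user: each entitlement looks harmless inside its own role, but
# together they form an SoD conflict plus an unmapped entitlement.
JOHN = [("ERP", "Z3-PRCH-1"), ("ERP", "Z3-PRCH-9"),
        ("HR", "PAYROLL_UPD"), ("ERP", "ZZ-UNKNOWN")]

if __name__ == "__main__":
    print(assess_user(JOHN))
```

The `unmapped` list is the operational check a reviewer would want: an activity-level SoD report is only as complete as the application owners' mapping.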

Page 13

How wide is Access Risk?

(Figure: Access Risk spans all Users, not only Privileged Users.)

Page 14

Global Threat Intelligence | Consulting Services | Managed Services

Expand the value of security solutions through integration

Security domains in the figure: Endpoint, Identity and Access, Applications, Data, Mobile, Network, Advanced Fraud, Cloud, Security Intelligence.

Products shown in the figure: QRadar Risk Manager, QRadar Incident Forensics, QRadar SIEM, QRadar Vulnerability Manager, QRadar Log Manager, SiteProtector, Network Protection XGS, Key Lifecycle Manager, Guardium, zSecure, BigFix, Trusteer Apex, IBM MaaS360, Trusteer Mobile, Trusteer Rapport, Trusteer Pinpoint, IBM Security Research, Identity Manager, Access Manager, Identity Governance and Intelligence, Privileged Identity Manager, DataPower Web Security Gateway, AppScan, Cloud Security Enforcer.

Page 15

IBM is a Leader in the 2016 Gartner Magic Quadrant for Identity Governance and Administration

Source: Gartner (February 2016). This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from the 2016 Gartner IGA Magic Quadrant. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Inc. Positions IBM as a LEADER in Identity Governance and Administration (IGA)

"An increased focus on threat protection, including insider threats, is driving integration of IGA products with overall threat detection and analysis tools, specifically with SIEM and user and entity behavioral analytics (UEBA) products. IGA can provide identity context to SIEM and UEBA tools, and, in the opposite direction, UEBA can provide risk scores and activity data to IGA."

Gartner, Inc., "Magic Quadrant for Identity Governance and Administration", Felix Gaehtgens, Brian Iverson, Perry Carpenter, February 2016, Report #G00274258.

Page 16

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU www.ibm.com/security