An Identity-focused Approach to Compliance

Mark Worwetz, Senior Engineering Manager, Novell Inc. / [email protected]
Volker Scheuber, Senior Engineering Manager, Novell Inc. / [email protected]

Nov 07, 2014

Come to this session to learn how Novell Compliance Management Platform addresses risk management, access management, and continuous controls testing and monitoring using an identity management based approach. See how Novell Identity Manager and Novell Sentinel provide an end-to-end solution for preventative and detective controls. We'll show you how the Role Mapping Administrator can manage roles-based access to authorizations in enterprise applications. We'll also show how Identity Tracking can not only report on user activity across enterprise applications, but also blend multi-source technical events with business-relevant data to provide identity-based dashboards and reports.
Transcript
Page 1: An Identity-focused Approach to Compliance

An Identity-focused Approach to Compliance

Mark Worwetz, Senior Engineering Manager, Novell Inc. / [email protected]

Volker Scheuber, Senior Engineering Manager, Novell Inc. / [email protected]

Page 2: An Identity-focused Approach to Compliance

© Novell, Inc. All rights reserved.

Novell® Compliance Management Platform

• Integrated Identity and Security Management Platform
  – Software Components
    > Identity Vault
    > Novell® Identity Manager with Roles Based Provisioning Module
    > Novell® Sentinel™
    > Novell® Access Manager™
  – Tools
    > Designer for Novell Identity Manager
    > Analyzer for Novell Identity Manager
  – Solution Content
    > Integrated Provisioning and Access Control Policies and Workflows
    > Identity Tracking
    > Identity and Security Monitoring and Reporting

Page 3: An Identity-focused Approach to Compliance

Novell® Compliance Management Platform (cont.)

• CMP 1.x Value Proposition
  – To which systems do people have access?
    > Identity Tracking
  – How did people get access to systems?
    > Automated provisioning events
    > Workflow provisioning events
  – What are people doing with their access?
    > Identity-based Reporting

Page 4: An Identity-focused Approach to Compliance

Role Provisioning

System Assets, Accounts, and Authorizations

Monitoring and Reporting

Page 5: An Identity-focused Approach to Compliance

Identity Browser – Accounts

Page 6: An Identity-focused Approach to Compliance

Identity Browser – Recent Activity

Page 7: An Identity-focused Approach to Compliance

Per-Identity Provisioning Report

Page 8: An Identity-focused Approach to Compliance

Per-Identity Account Management

Page 9: An Identity-focused Approach to Compliance

Role Mapping Administrator

Page 10: An Identity-focused Approach to Compliance

Where Are We Going From Here?

Page 11: An Identity-focused Approach to Compliance

The Path to Compliance: A Risk Management and Controls Lifecycle

Page 12: An Identity-focused Approach to Compliance

IT Compliance Lifecycle

• Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
• Real time risk response
• Allow business to determine best long-term response
• Monitor and detect risk
• Analyze risk versus thresholds
• Evaluate processes and business objectives to identify and qualify risks

Page 13: An Identity-focused Approach to Compliance

Role Provisioning

System Assets, Accounts, and Authorizations

Monitoring and Reporting

What's Next?

Page 14: An Identity-focused Approach to Compliance

Role Provisioning

System Assets, Accounts, and Authorizations

What Is My IT Risk?

IT Risk = ???

Monitoring and Reporting

Page 15: An Identity-focused Approach to Compliance

IT Risk Calculation Enablers

• Asset Valuation Criteria Workflow
  – $$$ High Value
  – $$ Medium Value
  – $ Low Value
• Identify and Assign Asset Owners Workflow
  – John Smith – System Owner, GroupWise®
  – Abby Spencer – System Owner, Financials Database
  – Chip Nano – System Owner, Golf Tournament Database

Page 16: An Identity-focused Approach to Compliance

IT Risk Calculation Enablers (cont.)

• Asset Valuation Workflows
  – GroupWise® =
  – Financials =
  – Golf Tournament Database =
• Authorizations Threat Assessment Workflows
  – High Threat
  – Medium Threat
  – Low Threat

Page 17: An Identity-focused Approach to Compliance

IT Risk Calculation Enablers (cont.)

• Identify Unmanaged/Privileged Accounts Workflows
  – SAP*, DDIC
  – Administrator
  – Root
• Customized Risk Analysis
  – Allows partners and customers to add additional criteria for calculating IT risk
    > Threat Communities and Capabilities
    > Locale-Specific Threats
    > Industry-Specific Threats
    > Compliance Regulation Concerns

Page 18: An Identity-focused Approach to Compliance

Role Provisioning

System Assets, Accounts, and Authorizations

Monitoring and Reporting

System and Authorization Assessment

Page 19: An Identity-focused Approach to Compliance

IT Risk Calculation and Monitoring Tools

• Threat-Enabled Role Mapping Administrator
  – Bubble up system authorization threat level to business roles
  – Approval workflows for role mappings
• Risk Analysis Tools
  – Monitor authorization entitlement grants
  – Monitor activities of User communities
  – Risk-related Reports and Dashboards

Page 20: An Identity-focused Approach to Compliance

Role Mapping Administrator + Risk

Page 21: An Identity-focused Approach to Compliance

Risk Overview Dashboard

Page 22: An Identity-focused Approach to Compliance

Role Provisioning

System Assets, Accounts, and Authorizations

Monitoring and Reporting

Risk Calculation Enabled

IT Risk =

Page 23: An Identity-focused Approach to Compliance

Role Provisioning

System Assets, Accounts, and Authorizations

Monitoring and Reporting

How Can I Mitigate these Risks?

IT Risk =

Page 24: An Identity-focused Approach to Compliance

IT Risk Control Tools

• Threat-Enabled Role-based Provisioning Module
  – Allow Business Owners to recognize and mitigate risk in provisioning activities
• Impact Reports and Dashboards
  – Did Risk turn into Damage? What was the cost?
  – Risk Heat Maps
  – Should Controls be added, modified, removed?
• Controls Content
  – Packaged policy, monitoring, and reporting content to apply controls to areas of risk

Page 25: An Identity-focused Approach to Compliance

Provisioning Controls Enabled

Multiple Approvals based on Role Level

System Asset Values and Authorization Threats

Valued by Asset Owner

IT Risk =

Automated Approvals based on Role Level

Monitoring and Reporting

Page 26: An Identity-focused Approach to Compliance

Identity Risk Dashboard

Page 27: An Identity-focused Approach to Compliance
Page 28: An Identity-focused Approach to Compliance

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.