IDENTITY AND ACCESS GOVERNANCE Buyer’s Guide
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
IDENTITY AND ACCESS GOVERNANCE
Buyer’s Guide
Purpose of this Guide ..............................................................................................1
Identity and Access Governance.............................................................................2
IAG as Part of Identity & Access Management .......................................................4
Feature Tables:
RoleDefinition .....................................................................................................7
AccessRequests ...............................................................................................11
Access Approvals ...............................................................................................15
AccessCertifications .........................................................................................18
AuditsandComplianceAnalysis .........................................................................21
IdentityandAccessIntelligence:MonitoringandAnalysis ...................................24
SolutionDeploymentandIntegration ..................................................................29
SummaryofTables ............................................................................................32
Appendix ................................................................................................................33
For More Information .............................................................................................34
TABLE OF CONTENTS
1
WelcometotheCourionIdentityandAccessGovernanceBuyer’sGuide.
ThisguideisdesignedtohelpyoudefinerequirementsforanIdentityandAccessGovernancesolutionfor yourenterprise.
Itcanalsohelpyouselectashortlistofvendorsforevaluation,andcompareIdentityandAccessGovernanceproductsduringanevaluationprocess.
Our ApproachThematerialinthisguideisorganizedaroundthecoretasksofIdentityandAccessGovernance(IAG)andthepeoplewhoperformthem.ItexaminesthefeaturesandfunctionsofIAGsolutionsneededto:
• Define roles and the access permissions associated with them, atasktypicallyperformedbyIAM analysts,resourceownersandbusinessmanagers.(Inthisguidewewilluse“IAManalysts”asshorthandforIAMprojectleadersandsecurityprofessionalsresponsibleformanagingIAMactivities.“Resource owners”willrefertoline-of-businessandITstaffresponsibleformanagingaccesstoapplications, databasesandotherresources.)
• Request access to applications, systems and resources,anactivitycarriedoutbybusinessmanagersonbehalfoftheirreports,andbyawidevarietyofemployeesandothersystemusersforthemselves.
• Approve access requests,typicallyperformedbybusinessmanagers andresourceowners.
• Certify the appropriateness of accesstosensitivesystems,applications anddata,tasksperformedby businessmanagers,resourceownersandauditors.
• Manage risk and verify compliance with government, industry and corporate policies,tasksbelongingtoauditorsandcomplianceofficers.
• Use Identity and Access Intelligence tools to analyze usage, uncover vulnerabilities, identify policy violations, respond to attacks, remediate problems and reduce risks.
• Deploy IAG solutionsandintegratethemwithotheridentitymanagementandsecurityproducts.
TheopeningsectionsprovideabriefoverviewofIdentityandAccessGovernance(IAG),andplaceIAGsolutionsinthecontextofIdentityandAccessManagementasawhole.
PURPOSE OF THIS GUIDE
1ExamplesfromrealIdentityandAccessManagementbuyer’sguides.
2
Theremainingsectionsaredesignedsothatevaluationteammemberscanworkwithrepresentative“subjectmatterexperts(SMEs)”ineachcategory(businessmanagers,systemusers,complianceofficers,etc.)toassesshowanIAGsolutioncanhelpthemdotheirjobsbetterandmeetorganizationalgoals.
Thefeaturetablescanbeusedtocaptureassessmentdataduringfeaturereviews,vendordemonstrations, proof-of-concepttests,referencecalls,andotherevaluationactivities.Thetablesarelaidoutsoyoucanusetheratingsystemofyourchoice,andtherearespacesforcommentsandassessmentsbysection.Ifyouwanttomodifyorexpandthetables,youcandownloadtheminPDForExcelformatfromtheCourionwebsiteResourcessectionatwww.courion.com.
Inthisguidewetrytoapplythesamepractical,business-friendlydesignprinciplesusedinCourion’sproducts,avoidingplatitudes(“Today’sbusinessworldischangingrapidly,andsoareyourIAMrequirements”)anddensefeaturedescriptions(“HasaworkflowthatseamlesslyintegrateswithSAPandOracleERP,andfine-grained separation-of-dutiescheckingwithflexibleexception-handlingmethods[Yes/No]”).1
Talk with UsOurconsultingteamandpartnerscanansweryourquestions,demonstrateCourion’ssolutions,helpyouconductaproof-of-concept,generateabusinesscase,orassessaccessrisk.Wewouldalsolikeyourfeedbackonthisguide.Pleasecontactusatinfo@courion.com
IDENTITY AND ACCESS GOVERNANCE
Functions of Identity and Access GovernanceToday,thefieldofIdentityandAccessGovernancecoversfourmaincomponents:
1.Processestocertifythatexistingpermissionsareappropriateandinconformancewithcorporatepolicies.
2.Processestoauditidentityandaccessprocessesandresults,demonstratecontrols,definepoliciesaboutwhoshouldhaveaccesstowhatresources(governance),provecompliancewithregulatoryrequirementsandcompanystandards,andremediateanyissuesuncovered.
3.Processestodefinerolesandtorequestandapproveaccesstodata,applicationsandotherinformation technologyresources.
4.Monitoringandanalysistoolstodetectvulnerabilities,assessrisk,andimprovecompliancewith requirementsandstandards.
3
TheoriginalfocusofIAGwasonthefirsttwocomponents,especiallyontoolstocertifypermissionsandtohelpauditorsandcomplianceofficersreduceauditcostsanddocumentcompliance.
However,itwassoonrecognizedthatthesefourareasarereinforcing.Organizationsthathavereliableprocessestorequestandapproveaccessmakefewererrors,andthereforeexpendlesseffortoncertification,auditingandremediation.Organizationswithidentityandaccessintelligencetoolscanmonitorchangesforpolicyviolations,tracktrendsandidentifyvulnerabilities,allowingthemtorespondtoproblemsfaster.
Infact,comprehensiveIAGsolutionsprovidevalueinmanyareasby:
•Improvingtheproductivityofmanagersbysimplifyingidentityandaccesscertificationprocesses
•Savingtimeforemployeesbyspeedinguptheprocesstorequestandreceiveaccesstoresources (especiallywhentherequestsystemisintegratedwithautomatedprovisioning)
•Providingmoredatatospeedupauditsandreducethehighcostofregulatorycompliance
•Reducingvulnerabilitiesanddecreasingtheriskofdatabreachesandthelossofcustomerandemployeeinformationandintellectualandfinancialproperty
•Improvingriskmanagement
•Deterringpolicyviolationsbyemployeesandotherinsiders
Atthesametime,IAGsolutionshelpenterprisesaddresssomeoftheirmostpressinghumanandtechnology challenges:increasingnumbersandtypesoftechnologyusers(employees,contractors,businesspartners,customers),multiplyingapplicationsanddevices(includingemployee-sourceddevicesencouragedby“BYOD”policies),growingregulatoryrequirements,pressuresforbetterriskmanagementandsecurity,andtightlimits onbudgetsandstaffing.
Tasks and PeopleFigure1showssomeofthemajortasksinvolvedinIdentityandAccessGovernance,andthepeoplewhotypicallyperformthem.
Thefeaturetablessectionofthisguideusesthesetaskareastoorganizeitslistofdesirablefeaturesand functions,tomakeitclearhowthosefeaturesandfunctionsrelatetospecificpeopledoingspecificjobs.
4
Figure 1: IAGtasks,andthepeoplewhoperformthem
IAG AS PART OF IDENTITY & ACCESS MANAGEMENT
Broadlyspeaking,today’sstate-of-the-artIdentityandAccessManagementsystemscoverthreeprimaryareasoffunctionality:Governance,Provisioning,andIntelligence.
Governancesystemsprovideprocessestorequest,approveandcertifyaccesstoapplicationsandITresources,andtoolstodocumentcompliancewithgovernmentregulations,industrystandardsandcorporatepolicies.
Provisioningsystemsautomatetheprovisioningandde-provisioningofaccesstoapplicationsandITresources,andmanageaccessthroughusers’lifecyclewiththeorganization.KeyIAMfunctionssuchaspassword management,advancedauthenticationandsinglesign-onaresometimesconsideredaspartofprovisioningandlife-cyclemanagement,andsometimesasseparateentities(butareinanycaseoutsideofthescopeofthisguide).
Identity and Access Intelligencesystemsprovidetoolstocontinuouslycollect,monitorandanalyzelargevolumesofidentityandaccess-relatedinformation,combiningdatanotonlyfromGovernanceandProvisioningsystems,butalsofromsecurityproductsandotherexternalsystems.IdentityandAccessIntelligenceproductsareoftendesignedsotheycanbeusedwitheitheragovernancesystem,oraprovisioningsystem,orwithboth.
5
Infact,IdentityandAccessIntelligencetoolsshouldbeseenasanintegralpartofanyIdentityandAccess Governanceimplementation.ThisguidediscussesfunctionalitythatistypicallyavailableingovernancesystemsandinIdentityandAccessIntelligencetoolswhentheyworktogether.Figure2illustratesthisapproach,andliststheproductsfromCourionthatfallintothoseareas.
AbriefoverviewoftheCourionproductsisprovidedintheappendix.
Figure 2: ThethreemainareasofIdentityandAccessManagement,withproductsfromCourion.TheCourionproductsaremodularandcanbeimplementedinanycombination.
6
Feature Tables
7
ROLE DEFINITION
Primary participants: IAM analysts, resource owners and business managersAnIdentityandAccessGovernancesolutionshouldmakeitassimpleaspossibleforIAManalysts,resource ownersandbusinessmanagerstodefinerolesandtheaccesspermissionsthatareassociatedwiththem.
Peopleshouldbeabletousebusinessterminology,nottechnicaljargon,toidentifyrolesandpermissions.Thisallowsbusinessmanagersandbusinessuserstoparticipatefullyindefiningroles,andlaterinrequesting,approvingandcertifyingaccess.
Itshouldbeeasytocreatesimplerolesatfirst,thenrefine,enhanceandexpandthemovertime.Thatallows organizationstostartusingthesystemquicklywhilecontinuouslyimprovingefficiencyandaccuracy.
Itshouldbepossibletodefinepermissionsthat(a)accuratelyreflectthelegitimateneedsofsystemusers,and (b)donotprovideunnecessaryentitlementsthatcouldjeopardizesecurityandprivacy.Toachievetheseobjectives,analysts,resourceownersandbusinessmanagersshouldbeableto:
•Createverygranularentitlements,forexamplepermissiontomakeAPinquiriesagainstaspecific accountingpackage,touseaspecificcomputingresourcelikeSharePointorInternetaccess,ortoacquireanassetlikealaptopwitha17”screen.
•Createrolesthatincludecombinationsofpermissions,suchasan“Accountant”rolethatincludes permissionstomakedeposits,reconcilebankstatements,createpurchaseorders,makeAPinquiries,etc.
•Creategroupingsthatcombineroles,forexamplea“SeniorAccountant”rolethatincludespermissions assignedtothe“Accountant”and“Level2Manager”roles.
•Modelnewrolesbycomparingspecificpermissionsfromexistingroles(Courioncallsthis“intelligentmodeling”).
Rolescancombinepermissionstoperformspecificactionsontargetresources
8
Mostindividualswillhavediverseaccessrequirements,basedontheirfunction,location,managementlevel,andapplicationneeds.Thereforepeopleshouldbeabletofindappropriateentitlementsandrolesbyusingsearchandfilteringtechniqueswithacatalogofroles.Theyalsoshouldbeabletoclassifyandtagrolessopeoplemakingaccessrequestscanfindtherightonestorequest,andsoapproverscandeterminethemostappropriaterolesforspecificsystemusers.
Thesystemshouldbeabletoaccommodateboth:
•A“bottomup”approach:Seewhatpermissionspeoplehavetodayandassemblerolesbasedon thoseobservations.
•A“topdown”approach:Createrolesbasedonananalysisofwhatislikelytoworkbestintheenvironment,andtestthose.
Systemusersshouldbeabletodefinepolicies,forexampleSeparationofDuties(SoD)policiesthatprevent thesamepersonfromtakingpotentiallydamagingactionslikecreatingvendoraccountsandauthorizing vendorpayments.
Roledefinitionandrefinementcaninvolvemanypeople,includingIAManalystswhoknowbestpracticesfordesigningroles,“resourceowners”responsibleforapplications,databases,andotherITservices,andbusinessmanagerswhounderstandtheresponsibilitiesofemployeesperformingspecificjobs.Thereforethesystemshouldhavemechanismstomanagewhocandefine,change,disableanddeletespecificroles.
Thesystemsshouldcreateacompleteaudittrailofeveryactionrelatedtodefining,modifyinganddeletingroles.
Thereshouldbe“outofthebox”oreasilymanagedintegrationwithprovisioningsystems,directoriesand applications,sorole-relatedinformationfromthosesystemsisavailable.
ThereshouldbeintegrationwithIdentityandAccessIntelligencetoolssoanalystscanassessrolesafterthey havebeencreated.Forexample,ifareportorqueryshowsmanyuserswiththesamerolerequestinganadditionalaccountorentitlement,thenthataccountorentitlementcanbeaddedtotherole.Conversely,ifthereare entitlementsthatnobodywiththeroleuses,theseshouldberemovedfromtheroledefinition.
IntegrationwithIdentityandAccessIntelligencetoolsalsoallowsrole-relatedinformationtobeanalyzedandusedforgovernance,compliance,incidentresponseandotherpurposes.
9
Role DefinitionScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Useasingleinterfacetomanageaccesstoawidearrayofbusinessresources,includingapplications,networks,ITaccounts,local,remoteandcloud-basedsystems,locallyinstalled,client/serverandcloud-basedapplications,LAN, wirelessandInternetconnectivityservices,physicalassetssuchaslaptopsandsmartphones,andsoftwarelicenses.
Definerolesusingbusinessterminology(nottechnicaljargon)
Assignauserfriendlynametoroles (forsearchingandfiltering)
Addauserfriendlydescriptiontoroles
Definerolesbasedonindividual,granularentitlements (e.g.read-onlyaccesstoaspecificdatabase)
Definerolesbasedongroupingsofexistingrolesandentitlements
Definerolesbasedontitlesordepartments(e.g.Accountant,VicePresident,ITContractor,Sales,CustomerService)
DefinerolesbasedonapplicationsorITresources (e.g.MicrosoftOffice,Salesforce.com,NetworkAccess,LaptopUser)
Clonerolesfromexistingroles
Modelnewrolesbasedonexistingroles(add/subtract)
Modelnewrolesbasedonexistinguseraccess (add/subtract)
Createanentitlements“catalog”ofavailableentitlementsandroles
Usesearchingandfilteringtoidentifyrelevantrolesin thecatalog
Assigntagstoroles,andusetagsforsearchingandfilteringinthecatalog
Allowuserstousethecatalogtodefinenewrolescombininggroupingsofexistingentitlementsandroles
9
10
Overall assessment for Role Definition
Comments:
Role DefinitionScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
DefineSeparationofDuties(SOD)andotheraccess-relatedpolicies(e.g.thesameusercannothavepermissionstomakedepositsandreconcilebankstatements)
Runnewpolicesagainstexistingrolesandpoliciestoflagpolicyviolations
Setadministrativepoliciesaboutwhoisallowedtodefineroles(e.g.,anyone,onlymanagers,onlyHumanResourcesstaff,onlydesignatedindividualsforeachdepartment)
Limitpermissiontochangearoledefinitiontoadesignated“roleowner”or“resourceowner”
Requirethatchangestoaroledefinitionbeapprovedbyoneormorespecifiedindividualsinadditiontotheroleowner
Displayroleusagestatistics,suchaswhenarolewaslastmodifiedandthenumberoftimesithasbeenassigned tousers
Disablerolestemporarily
Obtainroleanduserinformationfromprovisioningsystems(integration)
Exportroleanduserinformationtodirectories,applications,analytictoolsandotherexternalsystems(integration)
Createacompleteaudittrailofallactionsrelatedtorolecreation,definition,modification,deletionandapprovals.
10
11
ACCESS REQUESTS
Primary participants: Business managers, employees, contractors and other system usersAnIdentityandAccessGovernancesolutionshouldmakeitassimpleaspossibleformanagerstorequest accesspermissionsfordirectreports,andforemployees,contractorsandothersystemuserstorequestaccess forthemselves.
Peopleshouldbeabletousebusinessterminology,nottechnicaljargon,tofindrelevantrolesandunderstandtherelatedentitlements.Peopleshouldfindappropriateentitlementsandrolesbyusingarolecatalogwithsearchandfilteringtechniques,andbyusingtagsforsearchingandfiltering.
Itshouldbepossibletoallowsomepeopletorequestpermissionsforeveryoneintheorganization,andtolimitotherpeopletomakingrequestsforspecificgroups,oronlyforthemselves.
Itshouldbepossibletorestrictrequestsbasedonpolicy,andtofilterrolesandentitlementsbasedonrelated criteria.Forexample,amemberofthefinancestaffmightberestrictedtorequestingentitlementsrelatedtofinance,andwouldbeabletoapplyafilterintherolecatalogsothatitwoulddisplayonlythoseentitlements.
Someapplicationsandresourcesmayinvolveoptionsthatdonotaffectsecurityorgovernance;thereshouldbeamechanismtoallowpeopletorequesttheseoptionswithoutcreatingmanyseparateroles.Forexample,itshouldbepossibletohaveasinglerolecalled“Laptop”withachoiceofmemoryandscreensizeoptions.Thatismoreefficientthancreatingseparateresourcescalled“Laptop,8MBmemory,13inscreen,”“Laptop,8MBmemory, 15inscreen,”“Laptop,16MBmemory,13inscreen,”etc.
Thesystemsshouldcreateacompleteaudittrailofeveryactionrelatedtorequesting,approvingand grantingaccess.
Thisfunctionalityiscomplementarytoprovisioning.Provisioningsystemsautomatetheprocessofrequesting andgrantingaccess,especiallywhenpeopleenterandleavetheorganization.Someprovisioningsystemshave front-endinterfaceswiththesamefeaturesdescribedhere.ButanaccessrequesttoolcanbeusedaspartofanIdentityandAccessGovernancesolutionwithoutaprovisioningsystem.Itcanbeusedinconjunctionwithone,especiallyiftheprovisioningsystemfrontendlackskeyfeaturesorishardtouse.
12
Thereshouldbeamechanismtorequestoptionswithoutcreatingseparaterolesforeverycombination
13
Access RequestsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Requestpermissionsfordirectreports
Requestpermissionsforself(self-service)
Requestpermissionsforaspecificlistofusers
Requestaccesstoaspecificlistofresources,suchas applications
Usearolecatalogwithsearchingandfilteringtoquicklyfindandrequestrelevantrolesandentitlements
Requestpermissionsbasedonexistingrolesandgroupingsofrolesandentitlements
Usetagsforsearchingandfilteringinthecatalog
Selectoptionsrelevanttoaspecificresource(e.g.haveoneresourcecalled“SalesLaptop”withadynamicformtochoosememoryandscreensizeoptions)
Abilitytodelegateaccessrequests(e.g.,thedirectorofadepartmentcandelegatetoamanagertherighttomakeaccessrequestsforallmembersofthedepartment)
Use“bulkprovisioning”torequestonesetofrolesandentitlementsformultipledirectreports,orforalistofusers
Validateaccessrequestsagainstdefinedbusinesspoliciesandflagviolations
Whenpolicyviolationsareflagged,allowrequesterstooverridethepolicythroughanexemptionrequest
Shareaccessrequestinformationwithprovisioning systems(integration)
13
14
Access RequestsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
ExportaccessrequestinformationtoIdentityandAccessIntelligencetoolssotheycanidentifysuspiciousactivitiesandpolicyviolations(integration)
Createacompleteaudittrailofallactionsrelatedto accessrequests
Overall assessment for Access Requests
Comments:
14
15
ACCESS APPROVALS
Primary participants: Business managers and resource ownersAnIdentityandAccessGovernancesolutionshouldprovidesimple,efficientprocessesforbusinessmanagersandresourceownerstoprocessaccessrequests.
Inthiscontext“resourceowners”areline-of-businessorITstaffresponsibleforcontrollingaccesstoapplications, databasesandITservices.Theyarethepeoplewho,alongwithbusinessmanagers,understandwhattypesof accessusersneedtoperformtheirjobs,andwhatentitlementscanbegivenwithoutcompromisingsecurity, privacyrulesandcorporatepolicies.
Businesspoliciesmayrequiremultipleapprovalsforsomerequests.Thesolutionshouldenforcethesepolicies,forexamplebyrequiringapprovalfromtherequester’simmediatemanageranddepartmenthead,orfromamanagerandthe“owner”oftherequestedresource.
Thesolutionshouldprovideanintuitiveinterface,soapproverscanassessindividualrequestsefficientlyand managedozensofrequestseachday.
Thesolutionshouldalertapproverstopotentialpolicyviolations.
Busyorabsentapproverscanbeabottleneck,preventingusersfromaccessingresourcesneededfortheirwork.Toaddressthisissue,thesolutionshouldprovidereminderandescalationprocedurestoalertapproversandtoallowhigher-levelmanagersorappropriatecolleaguestostepin.
Thesystemshouldcreateacompleteaudittrailofeveryactionrelatedtoapprovingaccessrequests.
Thesolutionshouldalertapproverstopotentialpolicyviolations
16
Access ApprovalsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Assignapprovalstobusinessmanagersandresourceowners
Requiremultipleapprovals(e.g.,amanagerandaresourceowner,ortwolevelsofmanagement)
Provideapproverswithalistorinboxshowingallwaitingapprovalrequests
Approveorrejectindividuallineitemsineachrequest
Provideapproverswithadetailedviewofnew accessrequests
Optiontorequireacommentforeachlineitemrejected
Alertapproverstopotentialpolicyviolations(e.g.the sameusercannothavepermissionstomakedepositsandreconcilebankstatements)
Delegateallrequeststoanothermanagerorresourceownerforaspecifiedtimeperiod
Sendemailnotificationsofapprovalsandrejections torequesters
Optionallysendemailnotificationsofapprovalsandrejectionstorequesters’managersandotherinterestedparties
Sendemailremindersofpendingrequeststoapprovers
Sendemailnotificationstoapprovers’managerifnoactiontakenafteraspecifiedtime(e.g.noaction2daysafter therequest)
16
17
Access ApprovalsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Createacompleteaudittrailofallactionsrelatedto accessrequests
Overall assessment for Access Approvals
Comments:
Escalateapprovaltoapprovers’managerifnoactiontakenafteraspecifiedtime(e.g.noaction3daysaftertherequest)
17
18
ACCESS CERTIFICATIONS
Primary participants: Business managers, resource owners and auditorsAnIdentityandAccessGovernancesolutionshouldmakeiteasytoinitiatecertifications,andshouldprovide simple,efficientprocessesforbusinessmanagersandresourceownerstoperformthem.
Inthiscontext“resourceowners”areline-of-businessandITstaffresponsibleformanagingaccessto applications,databasesandITservices.
Thesolutionshouldbeabletosupportbothcomprehensivecertificationefforts(e.g.,certifyingaccessforall membersofadepartment)andmicro-certifications(certifyingaccessforasingleemployeeafterapolicyviolationisdetected).
Certifiersshouldbeabletoassessexactlywhataccessisavailabletocurrentusers.Theyshouldbeabletoacceptandrejectindividualinstancesofaccessrights,performadditionalresearch,andreassigncertificationstoanotherappropriatemanagerorresourceowner.
Thesystemshouldgivecertifiersvisibilityintoissueslikeexcessiveaccessrightsandtheviolationofseparationofdutiesandotherpolicies.
Toallowcertifierstoprocessdozensorhundredsofdecisionsefficiently,thesolutionshouldprovideanintuitiveinterfaceandfeaturestoallowdecisionstobeappliedtomultiplerequestsinonestep.
Thesolutionshouldprovidereminder,escalationanddelegationprocedurestoalertcertifiersandtoallow higher-levelmanagersorappropriatecolleaguestostepin.
Thesystemshouldcreateacompleteaudittrailofeveryactionrelatedtocertificationprocesses.
Certifiersshouldbeabletoacceptandrejectpermissions,performadditionalresearch,andreassigncertificationstoothers
19
Access CertificationsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Initiatecertificationreviewsmanually
Initiatecertificationreviewsbasedonevents (e.g.identificationofpolicyviolations)
Providecertifierswithalistorinboxshowingallwaitingcertificationrequests
Providecertifierswithadetailedviewofcurrentlevelsofaccessforeachuser
Alertcertifierstopotentialpolicyviolations(e.g.thesameusercannothavepermissionstomakedepositsandreconcilebankstatements)
Approveorrejectindividuallineitemsineachcertification
Optiontorequireacommentforeachlineitemrejected
Givecertificationsa“Research”statusifinvestigation isrequired
Reassignindividualcertificationstoanothermanagerorresourceowner
Delegateallcertificationstoanothermanagerorresourceownerforaspecifiedtimeperiod
Giveeachcertifieradashboardshowingtotalnumberofcertificationscompletedandoutstanding,intotalandbrokendownbycertificationtype
Showeachcertifierthetotalnumberofcertificationsheorshehasacceptedandrejected,andthenumberaccepted andrejectedforeachuser,eachrole,andeachapplication or resource
Sendemailnotificationsofcertificationresultstousers
Optionallysendemailnotificationsofcertificationresultstomanagersandotherinterestedparties
19
20
Sendemailnotificationstocertifiers’managerifnoactiontakenafteraspecifiedtime
Escalateapprovaltocertifiers’managerifnoactiontakenafteraspecifiedtime
Createacompleteaudittrailofallactionsrelated tocertifications
Sendemailreminderstocertifiersofincompletecertifications
Access CertificationsScoring
(Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Overall assessment for Access Certifications
Comments:
20
21
AUDITS AND COMPLIANCE ANALYSIS
Primary participants: Auditors, compliance officers and risk managersAnIdentityandAccessGovernancesolutionshouldcaptureeveryactionrelatedtocreating,defining,modifyinganddeletingroles,torequestingandapprovingaccess,andtocertifyingpermissions.
Standardreportsshouldshowactionsrelatedtoaccessrequestsandapprovalsandcertificationreviews.
Itshouldbeeasytoexportallofthisdatatospreadsheets,databases,reportingtoolsandothersystemsso thatauditorsandcomplianceofficerscanusetheinformationtoverifycompliancewithregulationsand corporatepolicies.
AnIdentityandAccessGovernancesolutionshouldalsogobeyondbasicreportingbyincorporatingintelligentanalytics.Forexample,anorganizationshouldbeabletolookatactivityforaccountsthatarecertifiedbuthavenolog-insoractivity.Theyshouldbeabletoimproveriskassessment,forexamplebydeterminingwhichorphanaccountsrepresentthehighestriskandneedtobeaddressedfirst.Analyticscanalsobeusedforbettertrendanalysis,foruncoveringsubtlepolicyviolations,andfortrackingtheorganization’soverallcomplianceposture.Capabilitieslikethesearecoveredinthe“IdentityandAccessIntelligence”sectionofthisguide.
22
Audits and Compliance Analysis
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Captureallactionsrelatedtocreating,defining,modifyinganddeletingroles,andforapprovingmodificationstoroles
Captureallactionsrelatedtorequestingaccessandapprovingaccessrequests,includingreassigninganddelegatingapprovals
Captureallidentifiedpolicyviolations
Captureallactionsrelatedtocertifications,includinginitiatingcertificationsandapprovingandrejectingpermissions
CapturealldataneededtosupportauditsrelatedtoSOX,GLBA,HIPAA,PCIDSS,UKDataProtectionActandothergovernmentregulationsandindustrystandards
Capturedatashowingperformanceagainstkeymetrics (e.g.timetodisableaccountsofterminatedemployees, percentageofpermissionscertifiedquarterly)
Reportsshowingaccessrequestandapprovalactions
Reportsshowingaccessrequestsandapprovalsbytargetsystemandbyresource
Reportsshowingaccessrequestsandapprovalsby useraccounts
Reportsshowingcertificationreviewactionsandresults
Exportdatatospreadsheets,databasesandreportingtoolsforanalysisandreporting
ExportdatatoIdentityandAccessIntelligencetoolsfordataminingandsophisticatedanalyses
21
23
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Overall assessment for Audits and Compliance Analysis
Comments:
Audits and Compliance Analysis
22
24
Primary participants: IAM analysts, resource owners, business managers, auditors, compliance officers and IT staffIdentityandAccessIntelligence(IAI)goesbeyondreportingtoaddtwocriticalcapabilitiestoIdentityandAccessGovernancesolutions:
1.Continuousmonitoring,todetectaccessissuesandpolicyviolationsquickly(ratherthanwaitingweeksor monthsforcertificationreviews).
2. “Bigdata”andadvancedanalytictoolstoprocessandinterpretmassivevolumesofidentityandaccessdata, toidentifyvulnerabilitiesandsubtlepolicyviolations.2
IdentityandAccessIntelligencetoolscanbeusedbyalmostalloftheindividualsdiscussedinthisdocument.
ThebasiccomponentsofanIdentityandAccessIntelligencesystemareshowninthediagrambelow.
2Enterprisestodaycaneasilygeneratebillionsofdatapointsrelatedtoidentitymanagement.Theseincludedataaboutidentities,resources,rights,policies,andidentityandaccess-relatedactivities.Anorganizationwith1,000systemusers,5,000useraccountsand1,000entitlementswouldneedtokeeptrackof5billioncombinations(1,000x5,000x1,000),andthatfiguredoesn’tincludeactionsperformedbythoseusers.IdentityandAccessIntelligencesolutionsneeddatawarehousingtoolstoprocessthosevolumesofinformation,andbusinessintelligenceanddatavisualizationtoolstohelppinpointmeaningfuldetails.FormoreinformationseetheCourionwhitepaperIdentity and Access Intelligence: How Big Data and Risk Analytics Will Revolutionize IAM.
IDENTITY AND ACCESS INTELLIGENCE: MONITORING AND ANALYSIS
OverviewofanIdentityandAccessIntelligenceSystem
25
Manytypesofidentityandaccess-relateddatafrommanytypesofsystemsanddevicesarecollectedcontinuouslyinadatawarehouse.Thisdataisanalyzedwithreferencetopolicies,compliancerules,threatdefinitions,and riskindicators.
Whenissuesandpolicyviolationsareidentified,eithertheyare automaticallyremediated,orrelevantmanagersandresourceownersarealertedsotheycantakeaction.
Sophisticateddatavisualizationandriskanalytictoolscanbeusedtofindpatternsincomplexdata,identify vulnerabilities,andpinpointpolicyviolations.Withconventionalreportingtools,manyofthesewouldremain hidden,orwouldhavebeendetectedonlyafterincidentshadalreadyoccurred.
AnIdentityandAccessIntelligencesystemcanmakeitmucheasiertouncovervulnerabilitiesandriskfactorslike:
•Orphanaccounts
•Rightsgrantedviainheritedpermissionsandnestedgroups
•Individualswhoseaccessrightssignificantlyexceednormsforpeopleintheirjobs
•Abnormalnumbersofrightsgrantedbyexception,oroutsidetheapprovedcorporateworkflow
Advancedanalytictoolslikeheatmapshelpusersuncoversubtlepolicyviolationsandcorrectlyprioritizerisks
26
Datavisualizationtoolscanhelpviewersassesswhatissuesshouldbethehighestprioritybasedonmultiple criteria.Inthe“heatmap”exampleonthispage,anautomatedanalysisshowsthatorphanaccountsBandCshouldbeaddressedbeforeorphanaccountA.AlthoughaccountAinvolvesthehighest-riskapplication,accountsBandCinvolvehigher-riskentitlementsandmoreactivity,andthereforerepresentmoreseriousrisksthatshouldbeaddressedfirst.Itwouldbeextremelydifficult,ifnotimpossible,toattainthisinsightwithconventionalreports.
AdditionalusesofIdentityandAccessIntelligencetoolsinclude:
•Alertingsecurityanalysts,anti-fraudgroupsandincidentresponseteamsto“privilegeescalation”andothersymptomsofpersistentthreatsandotherattacks.
•Trackingpositiveandnegativetrends.
•Analyzingmassiveamountsofidentityandaccessdataagainstpoliciesandcompany-definedmodelsof activitypatterns.
•Performing“what-if”analysisoftheimpactofpolicychanges.
IdentityandAccessIntelligencetoolscanbeacriticalpartofprovisioningaswellasIdentityandAccess Governancesolutions,butherewewillfocusonusesforgovernance.
27
Identity and Access Intelligence
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Provideoutoftheboxconnectorsandcollectorstogatherdatacontinuouslyfromenterprisedirectories,governancesolutions,policycreationtools,securityproductsandotherdatasources
Gatherinformationfromsourcesofunstructureddata(e.g.fileshares)aswellassourcesofstructureddata(databases)
ProvideETL(extract,transformandload)anddata warehousetoolstotransforminformationfromdisparatesystemsintoacommonformatsoitcanbecorrelated andanalyzed
Provide“Bigdata”businessanalysiscapabilitiestocorrelatemillionsorbillionsofidentity-resource-permissionrelationships
Detectorphanaccounts
DetectviolationsofSeparationofDuties(SoD)policies
Detectindividualswithpermissionsassociatedwith formerpositions
Detectfactorsassociatedwithvulnerabilities,suchassharedpasswords,weakpasswordsandveryoldaccounts
Detectrightsgrantedthroughexceptionsoroutsidetheapprovedworkflow(“outofband”)andtriggerreviewsbyresourceowners
Detectexcessivenumbersofaccountsorpermissions grantedbyanadministratororotherprivilegeduser
Detectrightsgrantedviainheritedpermissionsand nestedgroups
Detectindividualswithrightsinexcessofthoseinthesamedepartmentorwithsimilarroles
Detectriskindicators,suchasprivilegedaccountscreatedanddeletedwithinashortperiod,ormultiplefailedloginsfollowedbyasuccessfullogin
27
28
Overall assessment for Identity and Access Intelligence
Comments:
Identity and Access Intelligence
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Provideheatmapsandotheranalysisandvisualizationtoolstoidentifyhigh-riskandrecurringpolicyviolations
Automaticallyinitiatede-provisioningactionswhendangerousactivitiesaredetected
Automaticallyinitiatecertificationswhensuspiciousactivitiesorpermissionsaredetected
Automaticallyinitiatecertificationswhenrisklevelschange
Alertadministrators,managersandcomplianceofficersto“privilegeescalation”andothersymptomsofpersistentthreatsandotherattacks
Trackpositiveandnegativetrendsinaccessrequestsandpolicyviolations
Alertadministrators,managersandcomplianceofficerswhenpolicyviolationsaredetected
Providegraphsandreportstohighlightsourcesofrisk (e.g.individualswhodeviatefromgroupnormsorcausethemostpolicyviolations)
Performing“what-if”analysesoftheimpactofchanges (e.g.thenumberofpeopleoraccountsthatwouldbeaffectedbymodifyingapolicy)
28
29
SOLUTION DEPLOYMENT AND INTEGRATION
Primary participants: IT Staff (administrators, operations, applications, etc.)AnITorganizationshouldbeabletodeployanIdentityandAccessGovernancesolutioninashorttimeframe, withoutneedingtoinstallcomplexnewinfrastructureoracquirenewskills.Fastdeploymentlowersimplementationcostsandstartsgeneratingvaluefortheenterprisesooner.
Ongoingadministrationshouldbestraightforward,tominimizetheburdenontheITstaff.
IdentityandAccessManagementsystemsneedtointeractwithawidevarietyofexternalsystems,toshare informationaboutusers,roles,accessactivities,securityeventsandotherdata.Do-it-yourselfintegrationswiththesesystemscanbeverycostlytocodeandmaintain,andworkingonthemcandelayimplementation.Thereforeitisveryadvantageousifthesolutioncanbeintegratedwithaverywiderangeofsystemsandapplicationsusingout-of-the-boxconnectorssupportedbythevendor.
Thereshouldalsobetoolstofacilitatetherapiddevelopmentofcustomconnectorswhenout-of-the-boxsolutionsarenotavailable.
30
Solution Deployment and Integration
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Intuitivetoolsforinstallationandconfiguration
Littleornorequirementforprogrammingskillstoinstall andconfigure
Runonindustry-standardwebandapplicationserverssonospecializedinstallationormanagementskillsarerequired
Lightweightinfrastructure(e.g.noneedtoinstall middlewareoranenterprisedirectory)
Modulardesign–solutionmodulescanbedeployedin whateverorderprovidesthequickestbenefittothebusiness
Abilitytoextendthedatabaseschemaofthesolutiontoholdadditionaltypesofinformationfromintegratedsystemssuchasbusinessapplicationsandsecurityproducts
Out-of-theboxconnectorstoenterprisedirectoriesandaccesscontrolsystems(e.g.MicrosoftActiveDirectory,LDAP,OpenLDAP,IBMRACF,SunDirectoryServer,CA-ACF2)
Out-of-theboxconnectorstosystemswithindustrystandardoperatingsystems(e.g.RedHatLinux,SUSELinux,IBMAIX,IBMz/OS,HP-UX,Solaris)
Out-of-theboxconnectorstobusinessapplications(e.g.SAP,PeopleSoft,OracleE-BusinessSuite)
Out-of-theboxconnectorstodatabasesandcollaborationproducts(e.g.SQL,MySQL,OracleDatabase,Microsoft Exchange,NovellGroupWise,IBMLotus)
Out-of-theboxconnectorstoSIEM,DLPandothersecurityproducts(e.g.RSAAuthenticationManager,RSASecurID,CitrixSSO,ImprivataOneSign,RSADLPSuite,RSAenVision,McAfeeePO,SymantecDataLossPrevention)
30
31
Overall assessment for Deployment and Integration
Comments:
Solution Deployment and Integration
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Rapiddevelopmentkit(RDK)tointegratethesolutionwithothersystemswhenout-of-the-boxconnectorsare notavailable.
31
32
Summary of Assessments by Section
Scoring (Yes/No,High/Med/Low,1-5scale,other)
Courion Option X
Role Definition
Access Requests
Access Approvals
Access Certifications
Audits and Compliance Analysis
Identity and Access Intelligence: Monitoring and Analysis
Solution Deployment and Integration
Overall assessment
Comments:
32
33
APPENDIX: OVERVIEW OF COURION PRODUCTS
GovernanceAccess Request ManagerCourion’saccessrequestsolutionprovidesintuitive,easytouseprocessesfor authorizeduserstocreate,reviewandapproveaccessrequests.
ComplianceCourier® Courion’saccesscertificationandcompliancemanagementsolutionprovidesorganizationstheabilitytoautomatetheverificationandremediationofaccessrights.Itextendstheresponsibilityand accountabilityforcompliancetothemostappropriateresources,enablingbusinessuserstomonitorandenforceaccesstosensitivedataandothervitalcorporateassets.Powerfulanalysistoolsprovideavisuallyrichinterfacethatmakesiteasiertomonitorcomplianceandreduceenterpriserisk.
RoleCourier®Courion’srolelifecyclemanagementsolutionautomatesrolecreationandongoingrolemanagement, enablingorganizationstoeffectivelyalignbusinessroleswithITaccountsandaccessrights.RoleCourier’suniquehybridapproachcombines“top-down”roledesignand“bottom-up”roleminingtocreateaplatformforrobustlong-termrolelifecyclemanagementthatflexiblyadaptstotoday’schangingbusinessenvironment.
Identity and Access IntelligenceAccess Insight®Courion’sIdentityandAccessIntelligencesolutionappliespredictiveanalyticstomanage business,people,assetandsecurityrisks,automaticallycreatingnear-real-timegraphicalprofilesofthemostcriticalsecurityriskstoinformation,aspartofatotalIdentityandAccessManagementstrategy.
ProvisioningAccountCourier®Courion’suserprovisioningsolutionenablesenterprisestofullyautomatenewhire,promotion/transferandterminationprocesses.Withitsflexibleworkflowengineandabilitytoconnecttomultipleauthoritativesources,AccountCourierprovidesacommonaccessmanagementenvironmentforbothITaccountsand physicalassets.
PasswordCourier®Courion’spasswordmanagementsolutionenforcesconsistentlystrongpasswordpolicies andenablesuserstoinstantlyandsecurelyresettheirownpasswordsonenterprisesystems,applications,andWebportals.Transparentsynchronizationletsusersuseonepasswordtoaccessmultiplesystems,improving convenience,enhancingsecurity,andincreasingadoption.Multipleself-serviceentrypointsareavailable,such asWeb,desktopPC,voiceauthentication,IVR,orviasupportstaff.
34
ForinformationontheseCourionproducts,pleasevisitwww.courion.comorcontactyourCourionrepresentative or reseller.
About CourionWithdeepexperienceandmorethan600customersmanagingover10millionidentities,CourionisthemarketleaderinIdentityandAccessManagement(IAM),fromprovisioningtogovernancetoIdentityandAccessIntelligence(IAI).Courionprovidesinsightfromanalyzingthebigdatageneratedfromanorganization’sidentityandaccessrelationshipssouserscanefficientlyandaccuratelyprovision,identifyandminimizerisks,andmaintaincontinuouscompliance.Asaresult,ITcostsarereducedandauditsexpedited.WithCourion,youcanconfidentlyprovideopenandcompliantaccesstoallwhilealsoprotectingcriticalcompanydataandassetsfromunauthorizedaccess.Formoreinformation,pleasevisitwww.courion.comorreadhttp://blog.courion.com.
World Headquarters COURIONCORPORATION 1900WestParkDrive Westborough,MAUSA01581 Phone:+1508-879-8400 Toll-free:1-866-COURION
APAC COURIONITPRIVATELTD 305,PridePurpleAccord, S.N.3/6/1BanerRoad, Pune,Maharashtra,India411045 Phone:+91(20)6687-9100
FOR MORE INFORMATION
Copyright©1996-2014CourionCorporation.Courion,theCourionlogo,AccessInsight,AccountCourier,CertificateCourier,PasswordCourier,ProfileCourier,RoleCourierareregisteredtrademarksofCourionCorporation.AccessAssuranceSuite,ComplianceCourier,andEnterpriseProvisioningSuitearetrademarksofCourionCorporation.Allrightsreserved.Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.
Anyrightsnotexpresslygrantedhereinarereserved.
Related Documents
