Page 1
© 2008 KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Germany. KPMG and the KPMG logo are registered trademarks of KPMG International. 1
IT ADVISORY
How to assess the maturity of Identity Management
Marko Vogel, 23.04.2008
Page 2
Agenda
1 KPMG's view on IAM
2 KPMG's IAM Maturity Assessment
3 Assessment Results
4 Next steps
Page 3
Agenda: 1 KPMG's view on IAM
Page 4
Definition IAM
The policies, processes and systems for governing and managing efficiently and effectively who has access to which resources within an organization.
IAM is the process of creating value and addressing IT governance and compliance through effectively and efficiently:
• Managing users
• Authenticating the identity of users
• Managing users’ access to IT resources
• Monitoring what users are doing with that access
Page 5
IAM Governance Framework
(Figure: a governance cycle between a Desired State and a Current State, each described in terms of People, Processes and Technology. The annotations on the cycle read:)
• Consideration of "Regulatory Compliance", Risk Management and Information Security.
• Adjustment to changing business requirements.
• Effective, efficient and secure implementation of the desired state.
• Auditing, monitoring and reporting to ensure that the Current State is in accordance with the Desired State.
Page 6
IAM Domains
Authentication Management
• Activities for effectively governing and managing the process for determining that an entity is who or what they claim to be.
User Management
• Activities for effectively governing and managing the lifecycle of identities.
Authorization Management
• Activities for effectively governing and managing the process for determining entitlement rights that determine what resources an entity is permitted to access in accordance with the organisation’s policies.
Access Management
• Enforcing policies for access control in response to a request from an entity wanting to access an IT resource within the organisation.
Data Management & Provisioning
• Propagation of identity and authorization data to IT resources via automated or manual processes.
Monitoring and Audit
• Monitoring, auditing and reporting compliance of users' access to resources within the organization based on the defined policies.
Page 7
Blueprint IAM
(Figure: the six IAM domains arranged around the user lifecycle, from the authoritative sources down to the systems and applications. Components recovered from the diagram:)
• Authoritative Sources: Employees, Suppliers, Partners, Customers, etc.
• User Lifecycle (Contract, Usage) with an automated trigger into the User Management Services
• Authentication Management (1): Authentication Management Services
• User Management (2): User Management Services
• Authorization Management (3): Authorization model; approve user authorizations based on roles/rules
• Access Management (4): Access Management Services
• Data Management & Provisioning (5): Data Management Services and Provisioning Services (manual / automated) feeding the Systems and Applications
• Monitoring & Audit (6): Monitoring Services, Auditing Services, Reporting Services
• Current state and Desired state are marked as annotations on the diagram
Page 8
Agenda: 2 KPMG's IAM Maturity Assessment
Page 9
IAM Maturity Model
• KPMG's IAM Maturity Model follows existing standards like CMMI and COBIT.
• The IAM Maturity Model provides independent assessment criteria.
• The IAM Maturity Model can be used to measure where the organisation is, to decide efficiently where to go, and to measure progress against the goal.
Page 10
Overview of maturity level elements
(Figure: the 35 elements of the maturity model, grouped by IAM domain and arranged around the Systems and Applications.)
1 Authentication Management
  1.1 Authentication Management Policy
  1.2 PW Policy
  1.3 Classification of Assets
  1.4 Original Identification Process
  1.5 Registration Process
  1.6 Credential Lifecycle Management
2 User Management
  2.1 User Management Policy
  2.2 User Lifecycle Management
  2.3 Request and approval Workflow
  2.4 Review of Users
  2.5 Account Mapping
  2.6 Administration Model
3 Authorization Management
  3.1 Authorization Management Policy
  3.2 Authorization Management
  3.3 Review of Authorizations
  3.4 Segregation of Duties
  3.5 Privileged Users
4 Access Management
  4.1 Access Management Policy
  4.2 Physical Access
  4.3 Authentication
  4.4 Access Control
  4.5 Single Sign On
  4.6 Password Self Service
  4.7 Federation
5 Data Management & Provisioning
  5.1 Data Management & Provisioning Policy
  5.2 Provisioning
  5.3 Data Management
  5.4 Identity Data Inventory
6 Monitoring & Audit
  6.1 Monitoring & Audit Policy
  6.2 Monitoring
  6.3 Reporting
  6.4 Audit
  6.5 Audit Logging
  6.6 Privileged User Access
  6.7 Collection of Evidence
Page 11
Assessment: Comprehensive element description
• A comprehensive description for every single element is available concerning Capability, Consistency, Management and Performance.
Page 12
Assessment: Example process "Review of users"
• At irregular intervals a review of users takes place. The review of the authorisations is based on single (technical) authorisations.
• The review of persons, user accounts and authorisations is based on internal best practices. The review of the authorisations is based on business rules instead of on single authorisations. SLAs, goals and key figures are defined.
Page 13
Assessment: Example process "Review of users"
• A review of users takes place only for some applications, based on a case-by-case decision.
• The review of persons, user accounts and authorisations is performed at defined intervals. The process is applied for all business units and applications. Consistent responsibilities are defined across the organisation.
Page 14
Assessment: Example process "Review of users"
• Informal management – There is no formal review by management. However, the process is monitored where required. Responsibilities exist but they are not formally assigned.
• Reactive management – All parts of the process are reviewed by management. Deviations are recorded, traced and corrected. Accountability and responsibility are clearly defined and accepted.
Page 15
Assessment: Example process "Review of users"
• The process is performed manually.
• Tools are used to automate, but they are not fully integrated.
Page 16
Agenda: 3 Assessment Results
Page 17
Assessment results: Average Maturity Level
(Figure: the current state (SOX*), the current state overall and the target state plotted against the five maturity levels.)
Maturity Level / Characteristics:
1 Ad Hoc: Ad hoc processes. Success depends on the authority and the commitment of individual employees.
2 Repeatable: Same tasks are similarly solved by different persons. Responsibility and knowledge remains with a single person. Errors are probable.
3 Defined: Processes are documented and standardized. Processes are to be observed, however deviations are probably not recognized.
4 Managed: The management monitors the adherence to the processes and takes measures, if processes are not effective. Tools are used in the main areas.
5 Optimised: Processes are improved constantly and have reached a good practice level. IT is used integrated for workflow automation and provides tools for the improvement of quality and effectiveness.
* SOX relevant processes and systems
Page 18
Assessment results: Average value of the single results per domain
(Figure: maturity of IAM domains for >200 European organisations. Source: KPMG IAM Survey, 2008.)
• Current and desired maturity level of IAM domains (arithmetic mean of all elements)
• Priority per domain (arithmetic mean of all elements)
Page 19
Assessment results: Detailed results per element
(Figure: results chart.)
• Current maturity level of all 35 elements
• Desired maturity level of all 35 elements
• Current and desired maturity level of IAM domains (arithmetic mean of all elements)
• Priority per domain (arithmetic mean of all elements)
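The two result slides above describe the domain scores as the arithmetic mean of the element scores, with a current and a desired level and a priority per domain. The following Python script is an added example, not KPMG's assessment tooling and not survey data: it performs that aggregation over constructed sample scores for three of the six domains. The domain and element numbering is the deck's; the 1-to-3 priority scale, the score values and the ranking rule (priority first, gap as tie-break) are assumptions made for the example.

```python
"""Aggregate element-level maturity scores into domain-level results.

Added example, not KPMG's tooling. Domain and element numbering follows the
deck's overview of the 35 maturity-level elements; scores and priorities are
constructed sample data, not survey results.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

DOMAINS = {
    1: "Authentication Management",
    2: "User Management",
    3: "Authorization Management",
    4: "Access Management",
    5: "Data Management & Provisioning",
    6: "Monitoring & Audit",
}

# The five maturity levels from the "Average Maturity Level" slide.
LEVELS = {1: "Ad Hoc", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimised"}

# element id -> (current level, desired level, priority). Constructed sample for
# three domains; a real assessment scores all 35 elements. The priority scale
# 1 (low) to 3 (high) per element is an assumption.
SAMPLE_SCORES: Dict[str, Tuple[int, int, int]] = {
    "2.1": (1, 3, 3), "2.2": (2, 3, 3), "2.3": (1, 3, 2),
    "2.4": (1, 3, 3), "2.5": (2, 3, 1), "2.6": (2, 3, 1),
    "3.1": (2, 4, 2), "3.2": (2, 3, 2), "3.3": (1, 3, 3),
    "3.4": (1, 4, 3), "3.5": (2, 3, 2),
    "6.1": (1, 3, 2), "6.2": (2, 3, 3), "6.3": (2, 3, 2), "6.4": (2, 3, 2),
    "6.5": (1, 3, 3), "6.6": (1, 3, 3), "6.7": (2, 3, 2),
}


def domain_of(element_id: str) -> int:
    """'3.4' -> 3; rejects ids outside the six domains."""
    dom = int(element_id.split(".", 1)[0])
    if dom not in DOMAINS:
        raise ValueError(f"unknown domain in element id {element_id!r}")
    return dom


def validate_scores(scores: Dict[str, Tuple[int, int, int]]) -> None:
    """Reject scores outside the model before averaging hides them."""
    for eid, (cur, des, prio) in scores.items():
        domain_of(eid)
        if not (1 <= cur <= 5 and 1 <= des <= 5):
            raise ValueError(f"{eid}: maturity levels must be 1..5")
        if des < cur:
            raise ValueError(f"{eid}: desired level below current level")
        if not 1 <= prio <= 3:
            raise ValueError(f"{eid}: priority must be 1..3")


def nearest_level(score: float) -> str:
    """Map an averaged score back to the named level (half-up rounding)."""
    return LEVELS[max(1, min(5, int(score + 0.5)))]


def domain_results(scores: Dict[str, Tuple[int, int, int]]) -> Dict[int, dict]:
    """Arithmetic mean of all elements per domain for current, desired and priority."""
    validate_scores(scores)
    grouped = defaultdict(list)
    for eid, triple in scores.items():
        grouped[domain_of(eid)].append(triple)
    results: Dict[int, dict] = {}
    for dom, triples in grouped.items():
        cur = mean(t[0] for t in triples)
        des = mean(t[1] for t in triples)
        results[dom] = {
            "domain": DOMAINS[dom],
            "current": round(cur, 2),
            "desired": round(des, 2),
            "gap": round(des - cur, 2),
            "priority": round(mean(t[2] for t in triples), 2),
            "current_level": nearest_level(cur),
        }
    return results


def ranked_domains(scores: Dict[str, Tuple[int, int, int]]) -> List[int]:
    """Order for the activity program: highest priority first, largest gap as tie-break."""
    res = domain_results(scores)
    return sorted(res, key=lambda d: (-res[d]["priority"], -res[d]["gap"]))


if __name__ == "__main__":
    results = domain_results(SAMPLE_SCORES)
    for dom in ranked_domains(SAMPLE_SCORES):
        r = results[dom]
        print(f"{dom} {r['domain']:<32} current {r['current']:.2f} ({r['current_level']})"
              f" desired {r['desired']:.2f} gap {r['gap']:.2f} priority {r['priority']:.2f}")
```

The validation step matters in practice: a desired level below the current one, or an element number outside the six domains, usually indicates a data-entry error in the questionnaire, and averaging would silently absorb it.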
Page 20
Analysis User Management: Improvement areas
• No process for user lifecycle of external staff
• Process for account disabling is in place for leavers, but the process can be optimised (e.g. completeness).
• There is no policy for User Management in place including:
  • definition of (Process-) responsibilities
  • consideration of different user types
• No "SLA" for disabling / deleting accounts for leavers
• E-mail based, inconsistent request- & approval workflow in place:
  • No consistent standard process
  • Approval of asset or process owners not defined consistently
  • No consistent confirmation of implementation as requested
  • No efficient analysis and reporting possible
• Only for one application is a review process for users and their authorisations in place.
Page 21
Analysis User Management: Prioritised activity program
2.2 User Lifecycle Management
• Implement process for user lifecycle of external staff
• Optimise leaver process
2.1 User Management Policy
• Document policy for User Management including
  • (Process-) responsibilities
  • Handling of different user types (employees, service provider, etc.)
  • Relevant service level and metrics
2.3 Request and approval Workflow
• Define and implement standard process for request and approval
• Define and implement consistent governance for process (activities), e.g. according to RACI
• Define and implement confirmation of requests
• Implement needed analysis and reporting capabilities
2.4 Review of Users
• Implement a consistent review process for users and their authorisations
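Several items of the activity program above (the leaver process, the lifecycle of external staff, service levels and metrics, and a consistent review of users) come down to reconciling an application's accounts against the authoritative person source. The Python script below is an added example of such a review; it is not KPMG's method and not any product's code. The dataclasses, the one-day disabling SLA, the 90-day dormancy threshold and every person and account in it are constructed assumptions.

```python
"""Review of users: reconcile an application's account export against the
authoritative person source to find orphan, leaver, external-staff and dormant
accounts. Added example; thresholds and data are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DISABLE_SLA = timedelta(days=1)     # assumed SLA: leaver accounts disabled within one day
DORMANT_AFTER = timedelta(days=90)  # assumed: no login for 90 days counts as dormant


@dataclass
class Person:
    person_id: str
    user_type: str                       # "employee" or "external" (the deck's "different user types")
    status: str                          # "active" or "left"
    leave_date: Optional[date] = None
    contract_end: Optional[date] = None  # externals need a contract end to drive their lifecycle


@dataclass
class Account:
    system: str
    login: str
    owner_id: Optional[str]   # account mapping to a person; None if no owner is recorded
    enabled: bool
    last_login: Optional[date]


def review_users(persons: List[Person], accounts: List[Account],
                 today: date) -> List[Tuple[str, str, str]]:
    """Return (system, login, finding) for every enabled account that needs action."""
    by_id: Dict[str, Person] = {p.person_id: p for p in persons}
    findings: List[Tuple[str, str, str]] = []
    for acc in accounts:
        if not acc.enabled:
            continue  # already disabled: deleting obsolete accounts is a separate step
        owner = by_id.get(acc.owner_id) if acc.owner_id else None
        if owner is None:
            findings.append((acc.system, acc.login, "orphan_account"))
        elif owner.status == "left":
            overdue = owner.leave_date is None or today - owner.leave_date > DISABLE_SLA
            findings.append((acc.system, acc.login,
                             "leaver_enabled_past_sla" if overdue else "leaver_enabled_within_sla"))
        elif owner.user_type == "external" and owner.contract_end is None:
            findings.append((acc.system, acc.login, "external_without_contract_end"))
        elif acc.last_login is None or today - acc.last_login > DORMANT_AFTER:
            findings.append((acc.system, acc.login, "dormant_account"))
    return findings


def finding_counts(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Key figures for reporting: number of accounts per finding type."""
    return dict(Counter(f[2] for f in findings))


# Constructed sample data (no real persons or systems).
REVIEW_DATE = date(2008, 4, 23)
SAMPLE_PERSONS = [
    Person("P1", "employee", "active"),
    Person("P2", "employee", "left", leave_date=date(2008, 3, 1)),
    Person("P3", "external", "active"),                                  # no contract end recorded
    Person("P4", "external", "active", contract_end=date(2008, 6, 30)),
]
SAMPLE_ACCOUNTS = [
    Account("ERP", "p1", "P1", True, date(2008, 4, 20)),
    Account("ERP", "p2", "P2", True, date(2008, 2, 28)),   # leaver, still enabled 53 days later
    Account("AD", "p2", "P2", False, date(2008, 2, 28)),   # leaver, correctly disabled
    Account("AD", "p3", "P3", True, date(2008, 4, 22)),
    Account("AD", "p4", "P4", True, date(2008, 1, 10)),    # no login for 104 days
    Account("AD", "svc_old", None, True, None),            # no owner recorded
]

if __name__ == "__main__":
    found = review_users(SAMPLE_PERSONS, SAMPLE_ACCOUNTS, REVIEW_DATE)
    for system, login, finding in found:
        print(f"{system:<4} {login:<8} {finding}")
    print(finding_counts(found))
```

The order of the checks is deliberate: an account without a recorded owner cannot be judged against a leave date or contract end, so account mapping (element 2.5 in the deck) has to be in place before the leaver and external-staff checks produce reliable results.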
Page 22
Analysis Authorisation Management: Improvement areas
• A security concept is not in place for all systems.
• Recertification is not considered in policies (only SOX control).
• Business-oriented roles are only partly defined.
• SOD* is only partly defined.
• Check for SOD conflicts before assignment of authorisation is missing.
• Review of authorisation (e.g. unused authorisation) does not take place.
* SOD = Segregation of Duties
Page 23
Analysis Authorisation Management: Prioritised activity program
3.2 Authorization Management / 3.3 Review of Authorizations
• Expansion of business-oriented role concepts for critical systems/apps.
• Implementation of a process for "Review of Authorisations".
3.4 Segregation of Duties
• Definition of SOD as part of each authorisation concept.
• Review of compliance to SOD for substantial systems/apps.
3.1 Authorization Management Policy
• Amendment of existing policies with guidelines on minimum content for security concepts (e.g. recertification process).
• Definition of KPIs for the monitoring of compliance to the policies.
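The improvement areas and activity program above call for three controls: a SOD check before an authorisation is assigned, SOD defined as part of the authorisation concept and reviewed for compliance, and a review of unused authorisations. The Python script below is an added example of those controls at the level of business-oriented roles; it is not KPMG's or any product's code. The role definitions, the technical authorisation names, the SOD rules, the usage dates and the 180-day threshold are constructed assumptions.

```python
"""Segregation of duties (SOD): a preventive check before a role is assigned,
a detective review of existing assignments, and a review of unused roles.
Added example; roles, rules, dates and thresholds are constructed."""
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Business-oriented roles and the technical authorisations they bundle (constructed).
ROLES: Dict[str, Set[str]] = {
    "vendor_master_maintainer": {"vendor.create", "vendor.change"},
    "payment_approver": {"payment.approve", "payment.view"},
    "purchaser": {"po.create", "po.change"},
    "po_approver": {"po.approve", "po.view"},
    "reporting_viewer": {"report.view"},
}

# SOD rules are defined on technical authorisations, not on role names, so a
# conflict is found even when it arises from two roles that overlap only in part.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"vendor.create", "payment.approve"}): "create vendor and approve payment",
    frozenset({"po.create", "po.approve"}): "create and approve purchase order",
}


def effective_authorisations(roles: Iterable[str]) -> Set[str]:
    """Union of the technical authorisations behind a set of roles."""
    auths: Set[str] = set()
    for role in roles:
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        auths |= ROLES[role]
    return auths


def sod_violations(auths: Set[str]) -> List[str]:
    """Descriptions of every SOD rule whose authorisation pair is fully held."""
    return [desc for pair, desc in SOD_RULES.items() if pair <= auths]


def check_assignment(current_roles: Set[str], new_role: str) -> Tuple[bool, List[str]]:
    """Preventive check at request time: reports the conflicts the new role would introduce."""
    before = set(sod_violations(effective_authorisations(current_roles)))
    after = sod_violations(effective_authorisations(set(current_roles) | {new_role}))
    introduced = [v for v in after if v not in before]
    return (not introduced, introduced)


def review_sod(assignments: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Detective review: users whose current roles already violate a rule."""
    result: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        violations = sod_violations(effective_authorisations(roles))
        if violations:
            result[user] = violations
    return result


def unused_roles(assignments: Dict[str, Set[str]], last_used: Dict[Tuple[str, str], date],
                 today: date, threshold: timedelta = timedelta(days=180)) -> List[Tuple[str, str]]:
    """Review of unused authorisations: roles never used or not used within the threshold."""
    out: List[Tuple[str, str]] = []
    for user, roles in assignments.items():
        for role in sorted(roles):
            used = last_used.get((user, role))
            if used is None or today - used > threshold:
                out.append((user, role))
    return out


# Constructed sample assignments and usage records.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"vendor_master_maintainer", "reporting_viewer"},
    "bob": {"purchaser", "po_approver"},   # existing conflict, to be caught by review_sod
}
SAMPLE_LAST_USED: Dict[Tuple[str, str], date] = {
    ("alice", "vendor_master_maintainer"): date(2007, 9, 30),  # 206 days before the review
    ("alice", "reporting_viewer"): date(2008, 4, 1),
    ("bob", "purchaser"): date(2008, 4, 15),                   # po_approver never used
}
REVIEW_DATE = date(2008, 4, 23)

if __name__ == "__main__":
    print(check_assignment(SAMPLE_ASSIGNMENTS["alice"], "payment_approver"))
    print(review_sod(SAMPLE_ASSIGNMENTS))
    print(unused_roles(SAMPLE_ASSIGNMENTS, SAMPLE_LAST_USED, REVIEW_DATE))
```

The preventive check reports only the conflicts a request would newly introduce, so that a request for an unrelated role is not blocked by a pre-existing conflict; the pre-existing conflicts are the job of the periodic review, which is why both functions are needed.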
Page 24
Agenda: 4 Next steps
Page 25
Next steps
1 Definition of an overall IAM strategy and organisational responsibility for IAM.
2 Roll-out of the standardized processes from the SOX scope to substantial business applications and systems (e.g. recertification process).
3 Ensure revocation of access rights for movers (e.g. department change).
4 Standardized and automated monitoring of critical events and status (in particular administrative activities) for business critical applications.
5 Ensure compliance for segregation of duties for business critical applications.
6 Definition of KPIs and monitoring of compliance to the policies (management dashboard).
Page 26
Roadmap
(Figure: Gantt-style roadmap over six quarters, Q1 to Q4 of the first year and Q1 to Q2 of the second. It starts with the IAM strategy and a concept phase, followed by three streams: Stream 1: User Management, Stream 2: Monitoring, Stream 3: Privileged users. The activities shown on the chart are listed below, grouped by phase; the assignment of each bar to a stream and quarter is not recoverable from the extracted text.)
• Tool selection, Pilot (shown in two streams)
• Concept phase UM, Rollout Phase 1 UM, Rollout Phase 2
• Role-Definition Phase 1, Role-Definition Phase 2
• Recertification Phase 1, Recertification Phase 2
• 1. Milestone (Basic roles)
• Obsolete Accounts deleted
• Rollout systems phase 1, Rollout systems phase 2, …
• IDM monitoring
• Manual Controls, Concept phase Review**, (optional) Tool-Implementation
** Review performance of manual controls -> decision on tooling
Page 27
Marko Vogel
KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft
+49 (201) 455-8838
[email protected]
www.kpmg.com
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.