Page 1: IT ADVISORY How to assess the maturity of Identity Management

© 2008 KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Germany. KPMG and the KPMG logo are registered trademarks of KPMG International. 1

IT ADVISORY

How to assess the maturity of Identity Management

Marko Vogel, 23.04.2008

Page 2: IT ADVISORY How to assess the maturity of Identity Management


Agenda

1 KPMG's view on IAM

2 KPMG's IAM Maturity Assessment

3 Assessment Results

4 Next steps

Page 3: Agenda (section divider; repeats the agenda from page 2)

Page 4: IT ADVISORY How to assess the maturity of Identity Management


Definition IAM

The policies, processes and systems for governing and managing efficiently and effectively who has access to which resources within an organization.

IAM is the process of creating value and addressing IT governance and compliance through effectively and efficiently:

• Managing users

• Authenticating the identity of users

• Managing users’ access to IT resources

• Monitoring what users are doing with that access

Page 5: IT ADVISORY How to assess the maturity of Identity Management


IAM Governance Framework

(Diagram: the IAM Governance Framework as a cycle between a Desired State and a Current State, each made up of Processes, Technology and People.)

• Consideration of "Regulatory Compliance", Risk Management and Information Security.

• Adjustment to changing business requirements.

• Effective, efficient and secure implementation of the desired state.

• Auditing, monitoring and reporting to ensure that the Current State is in accordance with the Desired State.

Page 6: IT ADVISORY How to assess the maturity of Identity Management


IAM Domains

Authentication Management

• Activities for effectively governing and managing the process for determining that an entity is who or what they claim to be.

User Management

• Activities for effectively governing and managing the lifecycle of identities.

Authorization Management

• Activities for effectively governing and managing the process for determining entitlement rights that determine what resources an entity is permitted to access in accordance with the organisation’s policies.

Access Management

• Enforcing policies for access control in response to a request from an entity wanting to access an IT resource within the organisation.

Data Management & Provisioning

• Propagation of identity and authorization data to IT resources via automated or manual processes.

Monitoring and Audit

• Monitoring, auditing and reporting compliance of users access to resources within the organization based on the defined policies.

Page 7: IT ADVISORY How to assess the maturity of Identity Management


Blueprint IAM

(Diagram: the IAM blueprint, showing the six numbered domains between the authoritative sources and the target systems, with current state and desired state marked.)

• Authoritative Sources (Employees, Suppliers, Partners, Customers, etc.) drive the User Lifecycle (contract, usage) and act as the automated trigger.

• Authentication Management (1): Authentication Management Services.

• User Management (2): User Management Services; authorization model; approve user authorizations based on roles/rules.

• Authorization Management (3).

• Access Management (4): Access Management Services.

• Data Management & Provisioning (5): Provisioning Services and Data Management Services (manual / automated) feeding Systems and Applications.

• Monitoring & Audit (6): Monitoring Services, Auditing Services, Reporting Services.

Page 8: Agenda (section divider; repeats the agenda from page 2)

Page 9: IT ADVISORY How to assess the maturity of Identity Management


IAM Maturity Model

• KPMG's IAM Maturity Model follows existing standards such as CMMI and COBIT.

• The IAM Maturity Model provides independent assessment criteria.

• The IAM Maturity Model can be used to measure where the organisation is, to efficiently decide where to go and for measuring progress against the goal.

Page 10: IT ADVISORY How to assess the maturity of Identity Management


Overview of maturity level elements

(Diagram: the six IAM domains arranged around "Systems and Applications", each with its assessed elements; 35 elements in total.)

1 Authentication Management

1.1 Authentication Management Policy

1.2 PW (Password) Policy

1.3 Classification of Assets

1.4 Original Identification Process

1.5 Registration Process

1.6 Credential Lifecycle Management

2 User Management

2.1 User Management Policy

2.2 User Lifecycle Management

2.3 Request and approval Workflow

2.4 Review of Users

2.5 Account Mapping

2.6 Administration Model

3 Authorization Management

3.1 Authorization Management Policy

3.2 Authorization Management

3.3 Review of Authorizations

3.4 Segregation of Duties

3.5 Privileged Users

4 Access Management

4.1 Access Management Policy

4.2 Physical Access

4.3 Authentication

4.4 Access Control

4.5 Single Sign On

4.6 Password Self Service

4.7 Federation

5 Data Management & Provisioning

5.1 Data Management & Provisioning Policy

5.2 Provisioning

5.3 Data Management

5.4 Identity Data Inventory

6 Monitoring & Audit

6.1 Monitoring & Audit Policy

6.2 Monitoring

6.3 Reporting

6.4 Audit

6.5 Audit Logging

6.6 Privileged User Access

6.7 Collection of Evidence

Page 11: IT ADVISORY How to assess the maturity of Identity Management


Assessment: Comprehensive element description

• A comprehensive description for every single element is available concerning Capability, Consistency, Management and Performance.

Page 12: IT ADVISORY How to assess the maturity of Identity Management


Assessment: Example process: Review of users

• At irregular intervals a review of users takes place. The review of the authorisations is based on single (technical) authorisations.

• The review of persons, user accounts and authorisations is based on internal best practices. The review of the authorisations is based on business rules instead of on single authorisations. SLAs, goals and key figures are defined.

Page 13: IT ADVISORY How to assess the maturity of Identity Management


Assessment: Example process: Review of users

• A review of users takes place only for some applications, based on a case-by-case decision.

• The review of persons, user accounts and authorisations is performed at defined intervals. The process is applied for all business units and applications. Consistent responsibilities are defined across the organisation.

Page 14: IT ADVISORY How to assess the maturity of Identity Management


Assessment: Example process: Review of users

• Informal management: there is no formal review by management. However, the process is monitored where required. Responsibilities exist but they are not formally assigned.

• Reactive management: all parts of the process are reviewed by management. Deviations are recorded, traced and corrected. Accountability and responsibility are clearly defined and accepted.

Page 15: IT ADVISORY How to assess the maturity of Identity Management


Assessment: Example process: Review of users

• The process is performed manually.

• Tools are used to automate, but they are not fully integrated.

Page 16: Agenda (section divider; repeats the agenda from page 2)

Page 17: IT ADVISORY How to assess the maturity of Identity Management


Assessment results: Average Maturity Level

Maturity Level / Characteristics

1 Ad Hoc: Ad hoc processes. Success depends on the authority and the commitment of individual employees.

2 Repeatable: The same tasks are solved similarly by different persons. Responsibility and knowledge remain with a single person. Errors are probable.

3 Defined: Processes are documented and standardized. Processes are to be observed; however, deviations are probably not recognized.

4 Managed: Management monitors adherence to the processes and takes measures if processes are not effective. Tools are used in the main areas.

5 Optimised: Processes are improved constantly and have reached a good practice level. IT is used in an integrated way for workflow automation and provides tools for the improvement of quality and effectiveness.

(Chart: average maturity plotted on this scale for the Current State (SOX*), the Current state overall and the Target state; the plotted values are not recoverable from the transcript.)

* SOX relevant processes and systems

Page 18: IT ADVISORY How to assess the maturity of Identity Management


Assessment results: Average value of the single results per domain

(Chart: maturity of IAM domains for >200 European organisations. Source: KPMG IAM Survey, 2008.)

• Current and desired maturity level of IAM domains (arithmetic mean of all elements)

• Priority per domain (arithmetic mean of all elements)

Page 19: IT ADVISORY How to assess the maturity of Identity Management


Assessment results: Detailed results per element

(Chart: per-element results.)

• Current maturity level of all 35 elements

• Desired maturity level of all 35 elements

• Current and desired maturity level of IAM domains (arithmetic mean of all elements)

• Priority per domain (arithmetic mean of all elements)

Page 20: IT ADVISORY How to assess the maturity of Identity Management


Analysis User Management: Improvement areas

• No process for the user lifecycle of external staff.

• A process for account disabling is in place for leavers, but the process can be optimised (e.g. completeness).

• There is no policy for User Management in place, including:

  • definition of (process) responsibilities

  • consideration of different user types

• No "SLA" for disabling / deleting accounts of leavers.

• E-mail based, inconsistent request & approval workflow in place:

  • no consistent standard process

  • approval by asset or process owners not defined consistently

  • no consistent confirmation that the implementation matches the request

  • no efficient analysis and reporting possible

• Only for one application is a review process for users and their authorisations in place.
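The "Review of users" slides above describe the review maturing from irregular, per-application checks to a run at defined intervals across all systems, and the improvement areas just listed name the concrete gaps: accounts that cannot be mapped to a person, leavers whose accounts stay enabled with no SLA, and external staff outside any lifecycle. The following is an added example, not code from the KPMG deck, showing what one such review run looks like when the account inventory is joined against the authoritative HR source. All person and account identifiers, dates, the 7-day SLA and the data layout are constructed assumptions.

```python
"""Added example, not from the KPMG deck: a minimal 'Review of users' run.

It joins an account inventory against the authoritative HR source and reports
three findings named under User Management: accounts with no owner in the
authoritative source (account mapping), leaver accounts still enabled after
the disabling SLA, and active external staff without a contract end date.
All identifiers, dates and the SLA are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    user_type: str                        # "employee" or "external"
    status: str                           # "active" or "left"
    left_on: Optional[date] = None        # set when status == "left"
    contract_end: Optional[date] = None   # externals should always carry one


@dataclass(frozen=True)
class Account:
    account_id: str
    system: str
    owner_id: Optional[str]               # person_id in the HR source, None if unknown
    enabled: bool


AS_OF = date(2008, 4, 23)                 # constructed review date
LEAVER_SLA_DAYS = 7                       # constructed SLA: disable within 7 days

# Constructed authoritative source and account inventory (hypothetical data).
PEOPLE = [
    Person("P001", "employee", "active"),
    Person("P002", "employee", "left", left_on=date(2008, 3, 1)),
    Person("P003", "external", "active", contract_end=date(2008, 12, 31)),
    Person("P004", "external", "active"),                            # no end date
    Person("P005", "employee", "left", left_on=date(2008, 4, 20)),  # inside SLA
]
ACCOUNTS = [
    Account("A-sap-001", "SAP", "P001", True),
    Account("A-sap-002", "SAP", "P002", True),    # leaver, still enabled
    Account("A-ad-002", "AD", "P002", False),     # leaver, already disabled
    Account("A-ad-003", "AD", "P003", True),
    Account("A-ad-005", "AD", "P005", True),      # leaver, but within SLA
    Account("A-ad-099", "AD", None, True),        # no owner recorded at all
    Account("A-sap-777", "SAP", "P999", True),    # owner unknown to HR
]


def orphan_accounts(accounts, people):
    """Accounts that map to nobody in the authoritative source."""
    known = {p.person_id for p in people}
    return [a for a in accounts if a.owner_id not in known]


def overdue_leaver_accounts(accounts, people, today, sla_days):
    """Enabled accounts of leavers whose leaving date is older than the SLA."""
    by_id = {p.person_id: p for p in people}
    cutoff = today - timedelta(days=sla_days)
    overdue = []
    for acct in accounts:
        person = by_id.get(acct.owner_id)
        if person is None or person.status != "left" or not acct.enabled:
            continue
        if person.left_on is not None and person.left_on <= cutoff:
            overdue.append(acct)
    return overdue


def externals_without_end_date(people):
    """Active externals with no contract end: HR data cannot drive their lifecycle."""
    return [p for p in people
            if p.user_type == "external" and p.status == "active" and p.contract_end is None]


def review_report(accounts, people, today, sla_days):
    """Collect the findings as sorted identifier lists so a run is reproducible."""
    return {
        "orphans": sorted(a.account_id for a in orphan_accounts(accounts, people)),
        "overdue_leavers": sorted(a.account_id for a in
                                  overdue_leaver_accounts(accounts, people, today, sla_days)),
        "externals_no_end": sorted(p.person_id for p in externals_without_end_date(people)),
    }


if __name__ == "__main__":
    for finding, ids in review_report(ACCOUNTS, PEOPLE, AS_OF, LEAVER_SLA_DAYS).items():
        print(f"{finding}: {', '.join(ids) or '-'}")
```

The join is the whole point: a review that only lists an application's own accounts (the "single application" state in the improvement areas) cannot see orphans or leavers, because both are defined by what the authoritative source says about the owner, not by anything inside the application.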

Page 21: IT ADVISORY How to assess the maturity of Identity Management


Analysis User Management: Prioritised activity program

2.2 User Lifecycle Management

• Implement a process for the user lifecycle of external staff

• Optimise the leaver process

2.1 User Management Policy

• Document a policy for User Management including

  • (process) responsibilities

  • handling of different user types (employees, service providers, etc.)

  • relevant service levels and metrics

2.3 Request and approval Workflow

• Define and implement a standard process for request and approval

• Define and implement consistent governance for the process (activities), e.g. according to RACI

• Define and implement confirmation of requests

• Implement the needed analysis and reporting capabilities

2.4 Review of Users

• Implement a consistent review process for users and their authorisations

Page 22: IT ADVISORY How to assess the maturity of Identity Management


Analysis Authorisation Management: Improvement areas

• A security concept is not in place for all systems.

• Recertification is not considered in policies (only as a SOX control).

• Business-oriented roles are only partly defined.

• SOD* is only partly defined.

• A check for SOD conflicts before assignment of an authorisation is missing.

• Review of authorisations (e.g. unused authorisations) does not take place.

* SOD = Segregation of Duties
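Two of the gaps above are mechanical once roles and SoD rules are written down: the pre-assignment conflict check, and the review of unused authorisations. The following is an added example, not code from the KPMG deck, of both checks on a business-oriented role model. The role names, the two SoD rules, the user identifiers, the last-used dates and the 90-day idle threshold are constructed assumptions; a real SoD matrix is defined per authorisation concept, as the deck's activity program says.

```python
"""Added example, not from the KPMG deck: a pre-assignment segregation-of-duties
check and a review of unused authorisations on a business-oriented role model.
Roles, rules, users, dates and thresholds are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed business-oriented roles and the technical authorisations they bundle.
ROLES = {
    "AP_CLERK": {"AP_CREATE_INVOICE", "AP_VIEW"},
    "AP_APPROVER": {"AP_APPROVE_INVOICE", "AP_VIEW"},
    "VENDOR_MASTER": {"VENDOR_CREATE", "VENDOR_VIEW"},
    "AP_PAY": {"AP_RELEASE_PAYMENT"},
}

# Constructed SoD rules on technical authorisations; frozenset keys make a pair unordered.
SOD_RULES = {
    frozenset({"AP_CREATE_INVOICE", "AP_APPROVE_INVOICE"}): "create and approve the same invoice",
    frozenset({"VENDOR_CREATE", "AP_RELEASE_PAYMENT"}): "create a vendor and release payments to it",
}

AS_OF = date(2008, 4, 23)     # constructed review date
MAX_IDLE_DAYS = 90            # constructed threshold for "unused"


def effective_auths(role_names):
    """Union of the technical authorisations granted by a set of roles."""
    auths = set()
    for role in role_names:
        auths |= ROLES[role]
    return auths


def sod_conflicts(auths):
    """Every SoD rule whose pair is fully contained in the authorisation set."""
    return sorted(
        (tuple(sorted(pair)), reason)
        for pair, reason in SOD_RULES.items()
        if pair <= auths
    )


def check_assignment(current_roles, requested_role):
    """Pre-assignment check: which SoD conflicts would the requested role add?

    Returns (allowed, new_conflicts). Conflicts the user already carries are
    deliberately not re-raised here; they belong to the periodic review via
    sod_conflicts(), otherwise every request for an already-conflicted user
    is blocked regardless of what is being asked for.
    """
    before = set(sod_conflicts(effective_auths(current_roles)))
    after = set(sod_conflicts(effective_auths(set(current_roles) | {requested_role})))
    new = sorted(after - before)
    return (len(new) == 0, new)


def unused_authorisations(assignments, last_used, today, max_idle_days):
    """Authorisations never used, or idle longer than max_idle_days, per user."""
    cutoff = today - timedelta(days=max_idle_days)
    flagged = []
    for user, auths in assignments.items():
        for auth in auths:
            used = last_used.get((user, auth))
            if used is None or used < cutoff:
                flagged.append((user, auth))
    return sorted(flagged)


# Constructed current assignments and last-use dates taken from an audit log.
ASSIGNMENTS = {
    "u.alice": effective_auths({"AP_CLERK"}),
    "u.bob": effective_auths({"VENDOR_MASTER"}),
}
LAST_USED = {
    ("u.alice", "AP_CREATE_INVOICE"): date(2008, 4, 20),
    ("u.alice", "AP_VIEW"): date(2007, 10, 1),      # idle for months
    ("u.bob", "VENDOR_CREATE"): date(2008, 4, 1),
    # ("u.bob", "VENDOR_VIEW") has never been used
}


if __name__ == "__main__":
    print(check_assignment({"AP_CLERK"}, "AP_APPROVER"))
    print(check_assignment({"AP_CLERK"}, "VENDOR_MASTER"))
    print(unused_authorisations(ASSIGNMENTS, LAST_USED, AS_OF, MAX_IDLE_DAYS))
```

Note that the rules are written on technical authorisations, not on role names: a conflict hidden inside one role, or spread across two roles that were each harmless on their own, is caught the same way, which is what makes the check usable once roles are only "partly defined".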

Page 23: IT ADVISORY How to assess the maturity of Identity Management


Analysis Authorisation Management: Prioritised activity program

3.2 Authorization Management

• Expansion of business-oriented role concepts for critical systems/apps.

3.3 Review of Authorizations

• Implementation of a process for "Review of Authorisations".

3.4 Segregation of Duties

• Definition of SOD as part of each authorisation concept.

• Review of compliance with SOD for substantial systems/apps.

3.1 Authorization Management Policy

• Amendment of existing policies with guidelines on the minimum content of security concepts (e.g. recertification process).

• Definition of KPIs for monitoring compliance with the policies.

Page 24: Agenda (section divider; repeats the agenda from page 2)

Page 25: IT ADVISORY How to assess the maturity of Identity Management


Next steps

1 Definition of an overall IAM strategy and organisational responsibility for IAM.

2 Roll-out of the standardized processes from the SOX scope to substantial business applications and systems (e.g. recertification process).

3 Ensure revocation of access rights for movers (e.g. department change).

4 Standardized and automated monitoring of critical events and status (in particular administrative activities) for business critical applications.

5 Ensure compliance with segregation of duties for business critical applications.

6 Definition of KPIs and monitoring of compliance with the policies (management dashboard).

Page 26: IT ADVISORY How to assess the maturity of Identity Management


Roadmap

(Gantt chart over six quarters: Q1, Q2, Q3, Q4 of the first year and Q1, Q2 of the second. Lanes: IAM strategy; Stream 1: User Management; Stream 2: Monitoring; Stream 3: Privileged users. The exact lane assignment and quarter placement of the activities are not recoverable from the transcript.)

Activities shown on the chart:

• IAM strategy: Concept phase

• Tool selection, Pilot, Rollout systems phase 1, Rollout systems phase 2, IDM monitoring

• Concept phase UM, Tool selection, Pilot, Rollout Phase 1 UM, Rollout Phase 2

• Recertification Phase 1, Recertification Phase 2

• Role-Definition Phase 1, Role-Definition Phase 2, 1. Milestone (Basic roles)

• Obsolete Accounts deleted

• Manual Controls, Concept phase Review**, (optional) Tool-Implementation

** Review performance of manual controls -> decision on tooling

Page 27: IT ADVISORY How to assess the maturity of Identity Management



Marko Vogel

KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft

+49 (201) 455-8838

[email protected]

www.kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.