
Luis Casco-Arias IBM Tivoli Security WW Senior Product Manager

IBM Tivoli IAM Governance Trends, Updates and Roadmap EMEA Tivoli Security Users Group - May 2010. Luis Casco-Arias IBM Tivoli Security WW Senior Product Manager. Agenda. Addressing Security Challenges with IAM Governance IAM Governance Strategy and roadmap


Presentation Transcript


  1. IBM Tivoli IAM Governance Trends, Updates and Roadmap. EMEA Tivoli Security Users Group - May 2010. Luis Casco-Arias, IBM Tivoli Security WW Senior Product Manager

  2. Agenda
     • Addressing Security Challenges with IAM Governance
     • IAM Governance Strategy and roadmap
     • IBM Tivoli Identity Manager v5.1 – Operational Role Management
     • Role Management
     • Privileged Identity Management

  3. Controls have to be applied within a Business context - addressing trends in data center and cloud deployments
     • Policy driven governance: context aware access control (identity aware, content aware, transaction aware)
     • Business oriented governance (IAM governance): empower people, enable collaboration; business personas factored into the lifecycle; enable users, administrators, line of business owners and application owners
     • Security rendered as a service: integration with business applications; interoperability through open standards

  4. Drivers for Identity and Access Assurance have remained consistent
     Regulatory mandates shown: APRA, PCI-DSS, FISMA, GLBA, SOX, Basel II, ISO 27001, ITAR
     • Governance, risk and compliance
       • Driver: deliver accountability and an audit trail for external regulatory mandates and internal policies
       • Triggers: time/cost of compliance preparation; failed compliance audit; access certification requirements
     • Cost reduction (via automation)
       • Driver: streamline business and IT processes for user access to resources
       • Triggers: cost and time associated with manual administration of user access; stalled or expanding user provisioning project
     • Security
       • Driver: mitigate risk of fraud, theft of IP, loss of customer data, etc.
       • Triggers: prior incident/compromise; poor visibility of risk based on user access; stalled or expanding user provisioning project
     Quoted headline: "Nearly Two-Thirds of Ex-Employees Steal Data on the Way Out" - 59 percent of workers who left their positions took confidential information with them

  5. IAM Governance: Role Management and Entitlement Management
     Example mapping from business roles to IT access rights (healthcare setting; Business on the left, IT on the right):
     • User: Susan
     • Roles: Cardiologist, Radiology Chief Resident, Emergency Room Nurse, Radiologist, Lab Technician
     • Applications: Laboratory, Admission/Discharge/Transfer (ADT), Ambulatory Clinical System
     • Access rights by platform: RACF/ACF2/Top Secret - Execute, Read, Update, Alter; UNIX - Read, Write, Execute; SAP/Oracle - Alter, Delete, Execute, Index, Insert, Select; LDAP/Active Directory - Read, Write, Search
     Governance controls around the mapping:
     • Privileged Identity Management: administer, control and monitor privileged identities
     • Separation of Duties: a Nurse cannot have the role of Doctor; a Nurse admitting a patient cannot discharge on their own
     • Access Certification: certification triggers include SOX, HIPAA, SAS 70, Basel II, FISMA, etc.
     • User Activity Monitoring
     IAM Governance delivers a bridge between Business and IT, to meet the evolving access management customer requirements:
     • Handle user access growth and scale
     • Add business context
     • Resolve weak admin access controls
     • Handle business access conflict
     • Avoid access loopholes
     • Compliance and policy effectiveness

  6. Agenda
     • Addressing Security Challenges with IAM Governance
     • IAM Governance Strategy and roadmap
     • IBM Tivoli Identity Manager v5.1 – Operational Role Management
     • Role Management
     • Privileged Identity Management

  7. IBM's IAM Governance strategy and vision
     • Planning - Policy and Role Modeling: role and policy modeling & simulation; role and policy lifecycle management
     • Enforcing - Identity Management and Entitlement Management: identity lifecycle management; access certification; remediation of user access rights; privileged identity management; entitlement lifecycle management; context-based enforcement
     • Tracking - User Activity Monitoring: unified reporting and auditing; compliance reporting modules; feedback for policies and roles
     Cross-cutting themes: Policy Driven Governance, Process Integration

  8. IBM's IAM Governance Portfolio in 2010
     • Planning - Policy and Role Modeling: Role Modeling Assistant, Role Management Assistant, Policy Design Tool
     • Enforcing - Identity Management and Entitlement Management: IBM Tivoli Identity Manager, IBM Tivoli Privileged Identity Manager Service, IBM Tivoli Security Policy Manager
     • Tracking - User Activity Monitoring: IBM Tivoli Security Information and Event Manager
     Cross-cutting themes: Policy Driven Governance, Process Integration

  9. Agenda
     • Addressing Security Challenges with IAM Governance
     • IAM Governance Strategy and roadmap
     • IBM Tivoli Identity Manager v5.1 – Operational Role Management
     • Role Management
     • Privileged Identity Management

  10. IBM Tivoli Identity Manager v5.1 enhances enterprise IAM governance
     • C-level officers receive improved visibility, control and automation of critical resource access
     • Operational role management is now a fundamental, embedded capability within the TIM platform

  11. TIM provisioning model with role hierarchy
     Diagram elements: User, Business Role, Application Role, Group membership, Provisioning Policy, Service (Resource)
     • Inheritance flows to all objects that use roles
     • Provisioning policy
     • Role owners and approvals
     • Provisioning policies administer access to resources through user membership and access rights
     • Users can be assigned to roles based on their responsibilities
     • Roles, accounts and groups are then assigned as members of provisioning policies
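The provisioning model on slide 11 and the Separation of Duties rule on slide 5, worked as an added example that is not IBM or TIM code: roles sit in a hierarchy, provisioning policies grant access rights on services to roles, a user's effective access is the union over the roles they hold or inherit, and the SoD check is run over that same expanded role set. The role, service and access-right names are constructed sample data in the slides' healthcare setting.

```python
# Added example, not IBM or TIM code: a minimal model of a role hierarchy with
# inheritance, provisioning policies that grant service access rights to roles,
# and the slide 5 SoD rule "a Nurse cannot have the role of Doctor".
# All role, service and rights names are constructed sample data.

# Role hierarchy: child role -> parent role. Inheritance flows down the tree,
# so a member of a child role is also treated as a member of its parents.
ROLE_PARENT = {
    "Emergency Room Nurse": "Nurse",
    "Chief Resident": "Doctor",
    "Cardiologist": "Doctor",
}

# Provisioning policies: role -> {service: access rights granted on it}.
PROVISIONING_POLICIES = {
    "Nurse": {"ADT": {"Read"}},
    "Emergency Room Nurse": {"ADT": {"Update"}},
    "Doctor": {"Laboratory": {"Read"}, "ADT": {"Read", "Update"}},
    "Cardiologist": {"Laboratory": {"Update"}},
}

# Separation-of-duties rules: pairs of roles one person may not hold together.
SOD_RULES = [("Nurse", "Doctor")]


def expand_roles(roles):
    """Close the assigned role set under the parent relation."""
    held, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role in held:
            continue
        held.add(role)
        if role in ROLE_PARENT:
            todo.append(ROLE_PARENT[role])
    return held


def effective_access(roles):
    """Union of access rights the provisioning policies grant, per service."""
    access = {}
    for role in expand_roles(roles):
        for service, rights in PROVISIONING_POLICIES.get(role, {}).items():
            access.setdefault(service, set()).update(rights)
    return access


def sod_violations(roles):
    """SoD rules broken by this assignment; inherited roles count too."""
    held = expand_roles(roles)
    return [rule for rule in SOD_RULES if rule[0] in held and rule[1] in held]
```

Because the check runs on the expanded set, an Emergency Room Nurse who is also assigned Chief Resident violates the Nurse/Doctor rule even though neither assigned role is literally "Nurse" or "Doctor".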

  12. Roles can also be requested as part of self-service
     • Consolidate self-service access requests with roles
     • Example: the role of Product Tester is associated with a provisioning policy that provides access to 3 systems

  13. NEW: TIM access recertification facilitates compliance
     • Customer challenge
       • Compliance - enabling an access validation process for those who can responsibly and accurately make that decision
     • TIM capabilities - 3 types of recertification policies to validate the continued need for resources:
       • Account recertification policies target accounts on specific services
       • Access recertification policies target specific accesses (i.e. the business translation of a group - AD group UK3g8saleww_R = sales pipeline portlet)
       • User recertification policies present an approver with a single recertification approval activity for multiple resources associated with a given user: accounts, groups, role membership

  14. User recertification delivers consumable compliance
     • The recertifier specifies a separate decision for each resource and submits a consolidated response
     • The impact of recertification decisions can be previewed prior to submission
     • Incremental progress can be saved as a draft
     • A User Recertification Policy defines a user population, schedule, resource targets, and workflow
     • Workflow can be defined using either Simple or Advanced modes
     • Simple workflow options include approval participant, rejection notification recipient (if any), rejection action, due date, overdue behavior (new), and notification templates

  15. Achieve quick value and compliance without user provisioning in TIM today
     • Step 1 - Reconciliation: Who has access to what? Identify orphan and dormant accounts - big security exposures!
     • Step 2 - Recertification: Does this user still need this account or access entitlement? Establish an automated process for review and enforcement.
     • Step 3 - Reporting: Prove it. Show auditors who has access to what and how they got it.
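Steps 1 and 2 above and the user recertification policy of slides 13 and 14, as an added example that is not IBM or TIM code: accounts reconciled from managed services are matched against the identity repository, accounts with no owner are flagged as orphans and accounts with no recent login as dormant, and each remaining owner gets one consolidated recertification activity listing their accounts, groups and role membership. The people, accounts, dates and the 90-day dormancy window are constructed sample data.

```python
# Added example, not IBM or TIM code: reconciliation of service accounts against
# the identity repository (orphan and dormant detection), then one consolidated
# user-recertification activity per owner covering accounts, groups and roles.
# All records, dates and the dormancy window are constructed sample data.
from datetime import date, timedelta

AS_OF = date(2010, 5, 1)            # constructed reconciliation date
DORMANT_AFTER = timedelta(days=90)  # constructed dormancy window

# Identity repository: person id -> groups and roles held.
PEOPLE = {
    "susan": {"groups": {"UK3g8saleww_R"}, "roles": {"Radiologist"}},
    "jdoe": {"groups": set(), "roles": {"Lab Technician"}},
}

# Accounts reconciled from services: (service, account, owner or None, last login or None).
RECONCILED = [
    ("LDAP", "susan", "susan", date(2010, 4, 28)),
    ("UNIX", "susan", "susan", date(2009, 12, 1)),
    ("RACF", "jdoe", "jdoe", None),                # never logged in
    ("RACF", "svc_old", None, date(2009, 1, 15)),  # nobody in the repository owns it
]


def classify_accounts(accounts, people, as_of=AS_OF, dormant_after=DORMANT_AFTER):
    """Return (orphans, dormant) as lists of (service, account) tuples."""
    orphans, dormant = [], []
    cutoff = as_of - dormant_after
    for service, account, owner, last_login in accounts:
        if owner is None or owner not in people:
            orphans.append((service, account))  # remediate; nobody can recertify it
        elif last_login is None or last_login < cutoff:
            dormant.append((service, account))
    return orphans, dormant


def user_recertification_items(accounts, people):
    """One consolidated recertification activity per user: accounts, groups, roles."""
    items = {}
    for service, account, owner, _ in accounts:
        if owner not in people:
            continue  # orphans go to reconciliation clean-up, not to an approver
        item = items.setdefault(owner, {"accounts": [], "groups": set(), "roles": set()})
        item["accounts"].append((service, account))
        item["groups"] |= people[owner]["groups"]
        item["roles"] |= people[owner]["roles"]
    return items
```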

  16. Agenda
     • Addressing Security Challenges with IAM Governance
     • IAM Governance Strategy and roadmap
     • IBM Tivoli Identity Manager v5.1 – Operational Role Management
     • Role Management
     • Privileged Identity Management

  17. Role Management: modeling and lifecycle management of roles and policies (New!)
     Role Modeling Assistant and Role Management Assistant:
     • Import data from interviews and data sources
     • Analyze and engineer roles
     • Approve, edit or certify roles
     • Export roles into Tivoli Identity Manager for operational usage
     Collaborative Role and Policy Governance lifecycle:
     • Import - bottom-up import of identity, role and entitlement data; top-down import of human interview data
     • Build - analyze and query data; mine, map and model; engineer the policy and role structure
     • Edit/Approve/Certify - validate or edit roles and policies; submit roles and policies for approval or certification
     • Draft - save and retrieve the drafted role or policy
     • Export - export the approved roles and policies into operation

  18. Agenda
     • Addressing Security Challenges with IAM Governance
     • IAM Governance Strategy and roadmap
     • IBM Tivoli Identity Manager v5.1 – Operational Role Management
     • Role Management
     • Privileged Identity Management

  19. Privileged Identity Management - Traditional Thinking: "2 Approaches"
     The strategic Privileged Identity Management solution combines the best features of both approaches, without the disadvantages

  20. Privileged Identity Management
     (IAM Governance pillars: Entitlement Management, Role Management, Access Certification, Separation of Duties, Privileged Identity Management)
     • IBM offers 2 solutions:
       • TAMOS provides OS level enforcement of non-shared IDs
       • Privileged Identity Management provides centralized management of shared and privileged accounts to improve compliance, lower cost and reduce risk
     • Key PIM functions include:
       • Centralized management of privileged and shared identities: privileged identities can be centrally provisioned, de-provisioned, and shared
       • Secure access and storage of shared identities
       • Request, approve and re-validate privileged access
       • Single sign-on with automated check in and check out of shared and privileged IDs
       • End to end monitoring and reporting
     • Benefits
       • Centralized privileged ID management improves IT control and reduces risk
       • Automated sign on and check-in/out simplifies usage and reduces cost
       • Comprehensive tracking and reporting enhances accountability and compliance
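The check-out / check-in and monitoring functions on slide 20, as an added example that is not IBM or TIM code: a shared privileged ID is leased to one approved requester at a time, only the holder can check it back in, and every decision is appended to an audit trail that ties use of the shared ID back to the individual, which is what gives a shared account the accountability the slide describes. Account names, requesters, timestamps and the lease duration are constructed sample data; the `scenario` walk-through is a hypothetical helper.

```python
# Added example, not IBM or TIM code: a minimal shared-account vault with
# exclusive, expiring check-out, holder-only check-in, and an audit trail
# mapping each use of a shared ID to the person who requested it.
from datetime import datetime, timedelta

LEASE_DURATION = timedelta(hours=1)  # constructed lease length


class SharedAccountVault:
    def __init__(self):
        self.leases = {}  # shared account -> (requester, lease expiry)
        self.audit = []   # (timestamp, event, shared account, requester)

    def _log(self, now, event, account, requester):
        self.audit.append((now, event, account, requester))

    def check_out(self, account, requester, now, approved=True):
        """Lease the shared ID to requester; refuse if unapproved or in use."""
        if not approved:
            self._log(now, "denied-unapproved", account, requester)
            return False
        holder = self.leases.get(account)
        if holder and holder[1] > now and holder[0] != requester:
            self._log(now, "denied-in-use", account, requester)
            return False
        self.leases[account] = (requester, now + LEASE_DURATION)
        self._log(now, "check-out", account, requester)
        return True

    def check_in(self, account, requester, now):
        """Release the lease; only the current holder may check in."""
        holder = self.leases.get(account)
        if not holder or holder[0] != requester:
            self._log(now, "denied-not-holder", account, requester)
            return False
        del self.leases[account]
        self._log(now, "check-in", account, requester)
        return True


def scenario():
    """Constructed walk-through: bob is refused until alice checks in."""
    v = SharedAccountVault()
    t0 = datetime(2010, 5, 1, 9, 0)
    v.check_out("root@host1", "alice", t0)
    v.check_out("root@host1", "bob", t0 + timedelta(minutes=10))   # in use
    v.check_in("root@host1", "bob", t0 + timedelta(minutes=15))    # not holder
    v.check_in("root@host1", "alice", t0 + timedelta(minutes=30))
    v.check_out("root@host1", "bob", t0 + timedelta(minutes=35))
    return v
```

The audit list answers the "end to end monitoring and reporting" question directly: filtering it for "check-out" events on an account yields the ordered list of people who actually used that shared ID.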

  21. IAM Governance Discussion Topics
     • What type of IAM projects are being deployed in your organization?
     • How are they progressing?
     • What are some of the challenges?
     • What are the features that you would like to see?
     • What areas of IAM Governance are you using?
     • How are business policies that impact user access translated into IT requirements?
     • How are roles utilized today?
     • Do you do role mining?
     • Who is responsible for defining roles and maintaining them?
     • Once roles are defined, do you monitor for role degradation?
     • How are privileged identities handled?
     • How is user access certification handled today?
     • How is Separation of Duties addressed today?
     • What steps are taken to ensure compliance with business policy after entitlements are granted?
     • What best practices for implementing an IAM project would you recommend that have worked in your organization?
     • What products / IBM technologies are you using today and what feedback can you give us?

  22. Role Management Feedback Session
     • Role Management Goals and Directions
       • What are your goals for role management?
       • Where are you in the maturity curve for role management?
       • How are roles being used today?
       • How do you prove ROI? Is it enough?
       • How do you stage your identity and access governance project?
       • What is the process used in deploying a role management project (steps & timing)?
       • What is the main philosophy in creating the roles?
       • How are business policies that impact user access translated into IT requirements?
       • How are the roles strategic to your organization?
       • What is the scope of the roles you want to deploy (enterprise wide, department, applications)?
       • How do you leverage roles as an abstraction for access management? (complete change, restructuring, reflection of current structure, etc.)
       • What other insights do you usually mine from the user access data?
       • Is hierarchy something that helps in role definition? How do you manage the hierarchy?
       • What benefits do you see from implementing a role management strategy?
       • What do you need to do to manage access through roles as opposed to how you manage access today?
       • What changes in direction do you see in the next 12 months?

  23. Role Management Feedback Session
     • Customer Environments
       • How large is your access environment (users, applications, roles)?
       • What is the largest you have seen or expect to deploy?
       • Within your organization, how many people are involved in defining and maintaining roles? What are their functions?
     • Role Management Process
       • Who is responsible for defining roles and maintaining them?
       • Are business owners generally involved in defining roles? How are they engaged?
       • How do business role assignment requirements get communicated to IT for execution?
       • How do you approach partitioning the user access data?
       • How large do you like those partitions to be?
       • How is the validity of the user access checked?
       • Is user access data aggregated and cleaned on a regular basis?
       • How do you clean up data? Remove overprivilege, stale accounts, orphans, outliers, unique assignments, etc.
       • How are SoD checks done and when?
       • What process is used to check for Separation of Duties issues?
       • How do you generally use a tool for automatic role mining vs. manual role modeling?
       • What criteria do you use to create a role?
       • What role does access monitoring play in your identity and access management deployments?
       • What steps are taken to ensure compliance during access assignments and usage?
       • How are roles validated before implementation or provisioning?
       • How do you account for access changes while roles are being developed?
       • How do you transition a proposed role structure into the existing access structure?
       • How often are roles monitored and maintained? (automatic change, periodic certification and restructuring, all at once or in sections, etc.)

  24. Role Management Feedback Session
     • Features
       • How much would you use the identity repository for other business analytics uses?
       • Is weighting the impact of a resource something that is used in the creation or assessment of roles?
       • What is used to avoid proliferation of roles?
       • What is expected of a user interface that faces business people (non-technical)?
       • How do you train business owners on tool usage?
         • Assigning membership to roles?
         • Requesting roles?
         • Approval of roles?
         • Others?
       • How do you handle role requests on an existing role structure?
       • How do you handle large scale decisions or interactions?
       • How do you implement the provisioning of the roles once defined (into an existing environment)?
       • Is usage data required to generate a good role structure?
       • How do you handle versioning of role structures?

  25. Open Process Automation Library (OPAL) offers valuable IBM Service Management integration modules
     • OPAL has TIM integration modules for additional value add to your solution
     • http://www-01.ibm.com/software/brandcatalog/portal/opal
     • Popular TIM OPAL modules include the following:
       • Adapter Development Tool: graphical tool for building custom TIM adapters for legacy or homegrown applications
       • TIM Documentation Tool: documents TIM configurations into a single HTML output
       • Web Services Wrapper: exposes the TIM self-service API through a web services interface and includes an Eclipse-based reference UI to facilitate custom user interface development
