The two sides of managing Identity Risk

1 The two sides of managing Identity Risk
Enforcing segregation of duties by means of provisioning and attestation
2nd European Identity Conference
Dr. Martin Dehn, KOGIT GmbH

2 Agenda
- Introduction
- SoD
- The two approaches
- Case Study
- How to converge
- Q&A

3 Risk Factors in IDM Space
Security Risks:
- Identity Theft
- Unauthorized Access
- Theft of IP & Trade Secrets
- Sabotage
- Financial Fraud
- Data Altering/Deletion
- Privacy Breaches
Regulatory Risks:
- Sarbanes-Oxley
- HIPAA
- J-SOX
- PIPEDA
- FISMA
- California SB 1386
- EU Data Privacy
- PCI
- GLBA
- Basel II
Source: SailPoint Technologies

4 Causes of Risk: Examples
- Too many rights due to accumulation during a career in the company
- Too many rights remain after a holiday replacement
- Unsafe combination of rights due to missing SoD controls
- Identity theft due to weak passwords
- Free-to-use accounts due to a fragmentary leaver process

5 Segregation of Duties (SoD)
The target is to avoid users with conflicting business roles. E.g., one person/user is not allowed to be assigned to both of the two roles:
- request purchase orders
- approve purchase orders
However: at which level is SoD defined and controlled? Business role, IT role or transaction?

6 The Two Approaches

7 The two approaches
- User Provisioning / RBAC
- Resources & Permissions
- Attestation / Risk Management

8 Main priorities of the approaches
- Volume axis: Automation (mail system, directories)
- Criticality/Sensitivity axis: Focus on Risk (finance, ERP)

9 Components of Identity Risk Management

10 Components of User Provisioning
- Automation with Policies
- Audit-proof Provisioning
- IdM Roles for Provisioning
- Approved Requests

11 Identity Risk Management Case Study I

12 Case I: Bank Career
- add trainee rights
- add Backoffice rights (del trainee rights?)
- add Frontoffice rights (del Backoffice rights?)

13 The Perfect Transition
June 1st: Change from Backoffice to Frontoffice. IdM adds the frontoffice role and removes the backoffice role (June).
Regular attestation 1 month later (July) does not find violations.

14 The User Provisioning Task
Move request (Resources & Permissions):
- Get details of new function
- Get details of abandoned function
- Calculate new access rights
- Execute
- Write audit log

15 Risk Management/Attestation
- Scheduled regular attestation
- Or triggered by suspicion
Check for:
- Correct role
- Approved access rights
- SoD violations

16 Risk Management/Reconciliation
Provides a means for comparing the actual state ("reality") versus the "should be" state.
BUT, how do you define "should be" in the absence of a role model?

17 Which access is correct (should be)?
Measure | Comment
Derivable role | Useful for both user provisioning and attestation. Requires a living role model.
Approved request | Auditable in provisioning tools, neglected in Risk Management tools.
Attestation | Less time-consuming with roles. Hardly any automation for approved requests.

18 The Transition in Reality
June 1st: Change from Backoffice to Frontoffice. IdM adds frontoffice rights (no role defined); IdM does not know what to remove (no role defined).
Regular attestation 5 months later (Oct/Nov) does not find all violations:
- No roles defined
- Access rights chaotic
- Manual mapping to request

19 How to Converge

20 Clues for Convergence
User Provisioning:
- Preventive action
- Long-duration projects
- Requires a set of policies
- Often implemented without roles
- Sometimes with SoD rules
- Often with a focus on automation
Risk Management:
- Aftercare with time lag
- Faster to implement
- Requires a set of policies
- More efficiency with roles, especially SoD
- Focus on business

21 The Big Picture
- Executive = Provisioning
- Legislative = Policy/Roles
- Judicial = Attestation

22 Interaction Risk Mgmt. & Provisioning
Risk Management Tool (GRC Software) [SPML Interface] <-> [SPML Interface] User Provisioning Tool

23 Interaction Risk Mgmt. & Provisioning
Risk Management Tool (GRC Software) [SPML Interface] <-> [SPML Interface] User Provisioning Tool
Messages:
- Remediation Request / Remediation Response

24 Interaction Risk Mgmt. & Provisioning
Risk Management Tool (GRC Software) [SPML Interface] <-> [SPML Interface] User Provisioning Tool
Messages:
- Remediation Request / Remediation Response
- SOD Check / SOD Response

25 Interaction Risk Mgmt. & Provisioning
Risk Management Tool (GRC Software) [SPML Interface] <-> [SPML Interface] User Provisioning Tool
Messages:
- Remediation Request / Remediation Response
- SOD Check / SOD Response
- Request Role Set / Return Role Set

26 Interaction Risk Mgmt. & Provisioning
Risk Management Tool (GRC Software) [SPML Interface] <-> [SPML Interface] User Provisioning Tool
Messages:
- Remediation Request / Remediation Response
- SOD Check / SOD Response
- Request Role Set / Return Role Set
- Should Be Request / Should Be Response
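The following is an added example, not code from the slides or from KOGIT: it models the reconciliation of slide 16 and the SoD check of slides 5 and 15 on the bank career case (slides 12-18), producing the kind of SOD response, should-be response and remediation requests exchanged on slides 22-26. Role names, rights and the single SoD rule are constructed sample data.

```python
# Added example (constructed data): should-be derivation, SoD check and
# reconciliation for the Backoffice -> Frontoffice move of the case study.

# Role model (slide 17, "derivable role"): business role -> entailed rights.
ROLE_MODEL = {
    "trainee": {"read_manuals"},
    "backoffice": {"approve_purchase_order", "book_payment"},
    "frontoffice": {"request_purchase_order", "advise_customer"},
}
# SoD rules (slide 5): pairs of rights that must never meet in one identity.
SOD_RULES = [("request_purchase_order", "approve_purchase_order")]


def should_be(roles):
    """Should-be response: the target rights derived from the assigned roles."""
    return set().union(*(ROLE_MODEL[r] for r in roles)) if roles else set()


def sod_violations(rights):
    """SOD response (slide 15 check): which SoD rules does this right set break?"""
    return [pair for pair in SOD_RULES if set(pair) <= rights]


def reconcile(actual, roles=None):
    """Reconciliation (slide 16): compare reality with the should-be state.

    With a role model, excess and missing rights are computed exactly and
    become remediation requests. Without one, only the SoD rules can be
    checked and the conflicting rights are returned for manual review.
    """
    violations = sod_violations(actual)
    if roles is None:
        # No role model: should-be is undefined, so remediation cannot be
        # derived automatically (slide 18, "manual mapping to request").
        return {"sod": violations, "excess": None, "missing": None,
                "remediation": [("review", r) for pair in violations for r in pair]}
    target = should_be(roles)
    excess, missing = actual - target, target - actual
    remediation = ([("del", r) for r in sorted(excess)]
                   + [("add", r) for r in sorted(missing)])
    return {"sod": violations, "excess": excess, "missing": missing,
            "remediation": remediation}


# "The transition in reality" (slide 18): frontoffice rights were added on the
# move, but nobody knew what to remove, so the backoffice rights stayed.
ACTUAL_AFTER_MOVE = ROLE_MODEL["backoffice"] | ROLE_MODEL["frontoffice"]

if __name__ == "__main__":
    print(reconcile(ACTUAL_AFTER_MOVE, roles={"frontoffice"}))  # exact remediation
    print(reconcile(ACTUAL_AFTER_MOVE))                         # review only
```

The first call corresponds to the perfect transition of slide 13 being restored by attestation; the second shows why, without a role model, the reconciliation of slide 16 can flag the SoD conflict but not say which right is the wrong one.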

27 Contact: /

28 Case Study II Service Provider for Banking Industry

29 Case II: SP for Banking Industry
ISMS-controlled identity administration process (ISMS Controls apply at each step):
- Identity Administration: role concepts, technical audit
- SAP HR: roles and profiles, concepts of rights
- Workflow Application: user records, existing identities
- Owner of the rights authorises the request
- Manager confirms user and role
Source: Walter Kuron / IZB Informatik Zentrum