How to assess the maturity of Identity Management


1 IT ADVISORY. How to assess the maturity of Identity Management. Marko Vogel

2 Agenda
1 KPMG's view on IAM
2 KPMG's IAM Maturity Assessment
3 Assessment Results
4 Next steps

3 Section 1: KPMG's view on IAM

4 Definition of IAM
IAM: the policies, processes and systems for governing and managing efficiently and effectively who has access to which resources within an organisation.
IAM is the process of creating value and addressing IT governance and compliance through effectively and efficiently:
- managing users
- authenticating the identity of users
- managing users' access to IT resources
- monitoring what users are doing with that access

5 IAM Governance Framework
- Desired State (People, Processes, Technology): defined in consideration of regulatory compliance, risk management and information security, and adjusted to changing business requirements.
- Current State (People, Processes, Technology): the effective, efficient and secure implementation of the desired state.
- Auditing, monitoring and reporting ensure that the Current State is in accordance with the Desired State.

6 IAM Domains
- Authentication Management: activities for effectively governing and managing the process of determining that an entity is who or what it claims to be.
- User Management: activities for effectively governing and managing the lifecycle of identities.
- Authorization Management: activities for effectively governing and managing the process of determining the entitlement rights that decide which resources an entity is permitted to access, in accordance with the organisation's policies.
- Access Management: enforcing access control policies in response to a request from an entity wanting to access an IT resource within the organisation.
- Data Management & Provisioning: propagation of identity and authorization data to IT resources via automated or manual processes.
- Monitoring and Audit: monitoring, auditing and reporting compliance of users' access to resources within the organisation against the defined policies.

7 Usage Contract Blueprint IAM
The blueprint slide is a diagram; the elements recoverable from the transcription are:
- Users: employees, suppliers, partners, customers, etc.
- (1) Authentication Management: authentication management services.
- (2) User Management: user lifecycle, automated triggers from authoritative sources, user management services.
- (3) Authorization Management: authorization model; user authorizations approved based on roles/rules.
- (4) Access Management: access management services in front of systems and applications.
- (5) Data Management & Provisioning: provisioning services and data management services (manual / automated).
- (6) Monitoring & Audit: monitoring, auditing and reporting services.
The diagram labels the management side "Desired state" and the systems and applications side "Current state".

8 Section 2: KPMG's IAM Maturity Assessment

9 IAM Maturity Model
- KPMG's IAM Maturity Model follows existing standards such as CMMI and COBIT.
- The IAM Maturity Model provides independent assessment criteria.
- The IAM Maturity Model can be used to measure where the organisation is, to decide efficiently where to go, and to measure progress against the goal.

10 Overview of maturity level elements (35 elements in six domains)
1 Authentication Management: 1.1 Authentication Management Policy; 1.2 Password (PW) Policy; 1.3 Classification of Assets; 1.4 Original Identification Process; 1.5 Registration Process; 1.6 Credential Lifecycle Management
2 User Management: 2.1 User Management Policy; 2.2 User Lifecycle Management; 2.3 Request and Approval Workflow; 2.4 Review of Users; 2.5 Account Mapping; 2.6 Administration Model
3 Authorization Management: 3.1 Authorization Management Policy; 3.2 Authorization Management; 3.3 Review of Authorizations; 3.4 Segregation of Duties; 3.5 Privileged Users
4 Access Management: 4.1 Access Management Policy; 4.2 Physical Access; 4.3 Authentication; 4.4 Access Control; 4.5 Single Sign On; 4.6 Password Self Service; 4.7 Federation
5 Data Management & Provisioning: 5.1 Data Management & Provisioning Policy; 5.2 Provisioning; 5.3 Data Management; 5.4 Identity Data Inventory
6 Monitoring & Audit: 6.1 Monitoring & Audit Policy; 6.2 Monitoring; 6.3 Reporting; 6.4 Audit; 6.5 Audit Logging; 6.6 Privileged User Access; 6.7 Collection of Evidence
(The slide also shows the "Systems and Applications" box from the blueprint; it carries no elements of its own.)

11 Assessment: comprehensive element description
A comprehensive description of every single element is available for each of the four assessment dimensions: Capability, Consistency, Management and Performance.

12 Assessment example, process "Review of users" (level descriptions in ascending order of maturity)
- At irregular intervals a review of users takes place.
- The review of the authorisations is based on single (technical) authorisations.
- The review of persons, user accounts and authorisations is based on internal best practices.
- The review of the authorisations is based on business rules instead of on single authorisations.
- SLAs, goals and key figures are defined.

13 Assessment example, process "Review of users" (continued, ascending order)
- A review of users takes place only for some applications, based on a case-by-case decision.
- The review of persons, user accounts and authorisations is performed at defined intervals.
- The process is applied for all business units and applications.
- Consistent responsibilities are defined across the organisation.

14 Assessment example, process "Review of users" (continued, ascending order)
- Informal management: there is no formal review by management; however, the process is monitored where required. Responsibilities exist but they are not formally assigned.
- Reactive management: all parts of the process are reviewed by management. Deviations are recorded, traced and corrected. Accountability and responsibility are clearly defined and accepted.

15 Assessment example, process "Review of users" (continued, ascending order)
- The process is performed manually.
- Tools are used to automate the process, but they are not fully integrated.

16 Section 3: Assessment Results

17 Assessment results: average maturity level
Level 5, Optimised: Processes are improved constantly and have reached a good-practice level. IT is used in an integrated way for workflow automation and provides tools for improving quality and effectiveness.
Level 4, Managed: Management monitors adherence to the processes and takes measures if processes are not effective. Tools are used in the main areas.
Level 3, Defined: Processes are documented and standardised. Processes are meant to be followed, but deviations are probably not recognised.
Level 2, Repeatable: The same tasks are solved similarly by different persons. Responsibility and knowledge remain with a single person. Errors are probable.
Level 1, Ad hoc: Ad hoc processes. Success depends on the authority and commitment of individual employees.
In the chart, "Current State (SOX*)" and "Target state" are marked alongside level 4 (Managed) and "Current state" alongside level 3 (Defined).
* SOX-relevant processes and systems

18 Assessment results: average value of the single results per domain
Charts on this slide (titles only; the values are not in the transcription):
- Maturity of IAM domains for >200 European organisations (Source: KPMG IAM Survey)
- Current and desired maturity level of IAM domains (arithmetic mean of all elements)
- Priority per domain (arithmetic mean of all elements)

19 Assessment results: detailed results per element
Charts on this slide (titles only; the values are not in the transcription):
- Current maturity level of all 35 elements
- Desired maturity level of all 35 elements
- Current and desired maturity level of IAM domains (arithmetic mean of all elements)
- Priority per domain (arithmetic mean of all elements)

20 Analysis, User Management: improvement areas
- There is no policy for User Management in place covering the definition of (process) responsibilities, the consideration of different user types, and an SLA for disabling/deleting accounts of leavers.
- Only for one application is a review process for users and their authorisations in place.
- There is no process for the user lifecycle of external staff.
- A process for disabling the accounts of leavers is in place, but it can be optimised (e.g. completeness).
- based, inconsistent request and approval workflow in place: no consistent standard process; approval by asset or process owners not defined consistently; no consistent confirmation that the implementation matches the request; no efficient analysis and reporting possible.

21 Analysis, User Management: prioritised activity program
- Define and implement a standard process for request and approval: define and implement consistent governance for the process activities (e.g. according to RACI); define and implement confirmation of requests; implement the needed analysis and reporting capabilities.
- Implement a consistent review process for users and their authorisations.
- Document a policy for User Management covering (process) responsibilities, the handling of different user types (employees, service providers, etc.), and the relevant service levels and metrics.
- Implement a process for the user lifecycle of external staff.
- Optimise the leaver process.
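The leaver, mover and external-staff items above all come down to one control: reconciling the authoritative source (HR) against the accounts that actually exist in each target system, and acting on the differences within an SLA. The following Python script is an added example and not part of the KPMG deck; the HR records, the account export, the field names and the one-day leaver SLA are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the deck). HR is the authoritative source;
# ACCOUNTS is an export from one target system. Field names are assumptions.
HR_RECORDS = [
    # id, current department, termination date (None = still employed)
    {"id": "E100", "dept": "Finance", "left": None},
    {"id": "E101", "dept": "Sales",   "left": date(2024, 1, 10)},
    {"id": "E102", "dept": "IT",      "left": None},
    {"id": "E103", "dept": "Finance", "left": date(2024, 3, 1)},
]

ACCOUNTS = [
    # name, mapped HR id (None = unmapped), enabled flag, department at last
    # provisioning, entitlements held in the target system
    {"name": "jdoe",       "hr_id": "E100", "enabled": True,  "dept": "Finance", "groups": ["AP_CLERK"]},
    {"name": "asmith",     "hr_id": "E101", "enabled": True,  "dept": "Sales",   "groups": ["CRM_USER"]},
    {"name": "bwang",      "hr_id": "E102", "enabled": True,  "dept": "Finance", "groups": ["AP_APPROVER"]},
    {"name": "cmiller",    "hr_id": "E103", "enabled": False, "dept": "Finance", "groups": []},
    {"name": "svc_backup", "hr_id": None,   "enabled": True,  "dept": None,      "groups": ["BACKUP_OPS"]},
]

AS_OF = date(2024, 3, 15)   # assumed date of the reconciliation run
LEAVER_SLA_DAYS = 1         # assumed SLA: disable within one day of the termination date


def leaver_violations(hr, accounts, today=AS_OF, sla_days=LEAVER_SLA_DAYS):
    """Enabled accounts whose owner left more than sla_days ago (leaver SLA breach)."""
    left_by_id = {r["id"]: r["left"] for r in hr if r["left"] is not None}
    result = []
    for acct in accounts:
        left = left_by_id.get(acct["hr_id"])
        if left is None or not acct["enabled"]:
            continue
        overdue = (today - left).days - sla_days
        if overdue > 0:
            result.append({"account": acct["name"], "days_overdue": overdue})
    return result


def movers(hr, accounts):
    """Accounts provisioned for a department the owner no longer belongs to.
    They keep the old entitlements until someone re-reviews them, which is the
    usual privilege-accumulation path for movers."""
    dept_by_id = {r["id"]: r["dept"] for r in hr if r["left"] is None}
    result = []
    for acct in accounts:
        hr_dept = dept_by_id.get(acct["hr_id"])
        if hr_dept is not None and acct["dept"] != hr_dept:
            result.append({"account": acct["name"], "from": acct["dept"],
                           "to": hr_dept, "groups": list(acct["groups"])})
    return result


def orphans(hr, accounts):
    """Enabled accounts with no identity in the authoritative source, e.g.
    service accounts or external staff created outside the lifecycle process."""
    known = {r["id"] for r in hr}
    return [a["name"] for a in accounts if a["enabled"] and a["hr_id"] not in known]


def reconcile(hr, accounts, today=AS_OF, sla_days=LEAVER_SLA_DAYS):
    """One report per run: the three lists a user review would start from."""
    return {
        "leaver_violations": leaver_violations(hr, accounts, today, sla_days),
        "movers": movers(hr, accounts),
        "orphans": orphans(hr, accounts),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(HR_RECORDS, ACCOUNTS), indent=2, default=str))
```

Run against the constructed data, the report flags asmith (left in January, still enabled), bwang (moved from Finance to IT but still holds the AP_APPROVER group provisioned for Finance) and svc_backup (no owner in HR). The SLA figure and the "department at last provisioning" attribute are the two things a real deployment has to agree on first; without the second, movers are invisible to the reconciliation.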

22 Analysis, Authorisation Management: improvement areas
- A security concept is not in place for all systems.
- Recertification is not considered in the policies (only as a SOX control).
- Business-oriented roles are only partly defined.
- SoD (Segregation of Duties) is only partly defined.
- A check for SoD conflicts before assignment of an authorisation is missing.
- A review of authorisations (e.g. for unused authorisations) does not take place.

23 Analysis, Authorisation Management: prioritised activity program
- Amend the existing policies with guidelines on the minimum content of security concepts (e.g. the recertification process).
- Define KPIs for monitoring compliance with the policies.
- Define SoD as part of each authorisation concept.
- Review compliance with SoD for substantial systems/applications.
- Expand business-oriented role concepts for critical systems/applications.
- Implement a process for Review of Authorisations (element 3.3).
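The two controls missing above, a preventive SoD check before an authorisation is assigned and a detective review of unused authorisations, are shown here as an added Python example that is not from the KPMG deck. The role-to-permission mapping, the two SoD rules, the 90-day idle threshold and the usage records are constructed for illustration; SoD is defined on technical permissions rather than on role names so that the rule keeps holding when business roles are re-cut.

```python
from datetime import date

# Constructed example data (not from the deck). Business roles map to technical
# permissions; SoD rules are defined on permission pairs.
ROLE_PERMISSIONS = {
    "AP_CLERK":      {"vendor.create", "invoice.enter"},
    "AP_APPROVER":   {"invoice.approve", "payment.release"},
    "AP_AUDITOR":    {"invoice.read", "payment.read"},
    "SUPER_FINANCE": {"vendor.create", "payment.release"},  # toxic on its own
}

SOD_RULES = [
    # rule id, permission A, permission B, why the combination is toxic
    ("SOD-01", "vendor.create", "payment.release", "create a vendor and pay it"),
    ("SOD-02", "invoice.enter", "invoice.approve", "enter and approve the same invoice"),
]

AS_OF = date(2024, 3, 15)   # assumed review date
MAX_IDLE_DAYS = 90          # assumed threshold for "unused"


def effective_permissions(roles):
    """Expand business roles to the technical permissions they grant.
    An unknown role raises KeyError on purpose: silently treating it as
    an empty set would let an unmapped role bypass the check."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_conflicts(roles):
    """Rule ids violated by one person holding all of `roles` at once."""
    perms = effective_permissions(roles)
    return [rid for rid, a, b, _ in SOD_RULES if a in perms and b in perms]


def check_assignment(current_roles, new_role):
    """Preventive check for the request/approval workflow, run before
    provisioning. Returns (allowed, new_conflicts, pre_existing_conflicts).
    Pre-existing conflicts do not block the request but are reported so the
    approver sees them and can open a remediation."""
    before = set(sod_conflicts(current_roles))
    after = set(sod_conflicts(list(current_roles) + [new_role]))
    new = sorted(after - before)
    return (not new, new, sorted(before))


def unused_authorisations(assignments, last_used, today=AS_OF, max_idle_days=MAX_IDLE_DAYS):
    """Detective review: role assignments never used, or idle longer than
    max_idle_days. `assignments` maps user -> roles; `last_used` maps
    (user, role) -> date of last use, or None if never used."""
    stale = []
    for user, roles in assignments.items():
        for role in roles:
            used = last_used.get((user, role))
            if used is None or (today - used).days > max_idle_days:
                stale.append((user, role))
    return sorted(stale)


# Constructed review input: who holds what, and when it was last exercised
ASSIGNMENTS = {"jdoe": ["AP_CLERK", "AP_AUDITOR"], "bwang": ["AP_APPROVER"]}
LAST_USED = {
    ("jdoe", "AP_CLERK"):     date(2024, 3, 1),
    ("jdoe", "AP_AUDITOR"):   date(2023, 10, 1),
    ("bwang", "AP_APPROVER"): None,
}

if __name__ == "__main__":
    print(check_assignment(["AP_CLERK"], "AP_APPROVER"))  # blocked by SOD-01 and SOD-02
    print(check_assignment(["AP_CLERK"], "AP_AUDITOR"))   # allowed
    print(unused_authorisations(ASSIGNMENTS, LAST_USED))
```

Two design points worth keeping in a real implementation: the preventive check distinguishes conflicts the request would introduce from conflicts the person already has, because blocking a harmless request over an old, separately tracked finding trains approvers to override the tool; and the review treats "never used" the same as "idle too long", since an entitlement that was granted but never exercised is the cheapest one to remove in a recertification.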

24 Section 4: Next steps

25 Next steps
1 Define an overall IAM strategy and the organisational responsibility for IAM.
2 Roll out the standardised processes from the SOX scope (e.g. the recertification process) to substantial business applications and systems.
3 Ensure revocation of access rights for movers (e.g. on department change).
4 Standardised and automated monitoring of critical events and status (in particular administrative activities) for business-critical applications.
5 Ensure compliance with segregation of duties for business-critical applications.
6 Define KPIs and monitor compliance with the policies (management dashboard).

26 Roadmap
The roadmap slide is a Gantt chart over six quarters (Q1 to Q4, then Q1 to Q2) with three streams. The activities recoverable from the transcription, in the order they appear; exact timing per quarter is not in the transcription:
- Stream 1, User Management: concept phase; UM tool selection; pilot; 1st milestone (basic roles); role definition phase 1; role definition phase 2; UM rollout phase 1; rollout phase 2.
- Stream 2, Monitoring: recertification phase 1; recertification phase 2; concept phase; obsolete accounts deleted; rollout systems phase 1.
- Printed between the Stream 2 and Stream 3 labels (stream assignment not certain): IAM strategy; tool selection; pilot; rollout systems phase 2; IDM monitoring.
- Stream 3, Privileged users: concept phase; review of manual controls** (optional); tool implementation.
** Review the performance of the manual controls, then decide on tooling.

27 Marko Vogel, KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, +49 (201)

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG Deutsche Treuhand-Gesellschaft Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Germany. KPMG and the KPMG logo are registered trademarks of KPMG International.