Brainwave USER ACCESS REVIEW CERTIFICATION AND RECERTIFICATION IN A NUTSHELL

Transcription

1 Brainwave Identity Analytics USER ACCESS REVIEW CERTIFICATION AND RECERTIFICATION IN A NUTSHELL

2

3 NEXT-GENERATION IDENTITY ANALYTICS REDUCES THE COST AND BURDEN OF THE USER ACCESS REVIEW PROCESS FOR ACCESS CERTIFICATION AND RECERTIFICATION We recently conducted a survey among the CISO community, IT security practitioners and Auditors from Fortune 100 companies in Europe. As cyber security threats are an ever-growing concern for business, we wanted to understand how effective the Access Certification Process was in those companies, knowing that this particular process is highly critical to IT security and Governance. The results were eye-opening: Brainwave GRC - User Access Review Survey % 38% 15% 4% Think their process is fully operational of respondents run access reviews on a regular basis Find it collaborative and enterprise-wide Consider their access review process as effective WHAT IS USER ACCESS CERTIFICATION? Businesses must periodically perform user access certification for security and compliance purposes. The logic behind these requirements for continuous user access certification is that there is an endemic lack of trust in the processes applied to user access management across many enterprises. Organizations have to meet tightly-controlled security, compliance and audit requirements by regularly checking and certifying user access rights. Security governance concerns, as well as national, international or industry specific regulatory compliance requirements, motivate user access certification: Sarbanes-Oxley act, Solvency II, PCI, Basel II/III, CRBF, HIPAA ISO/IEC and 27002, ISAE 3402 User access certifications are typically labor-intensive tasks involving a huge number of people to collect, correlate and verify vast volumes of data and organize reporting to the reviewers. All this effort is expended yet the task is frequently only partially completed with poor quality results. Due to these limitations, it is nearly impossible to expand the frequency and scope of the access reviews. WHAT DO WE EXPECT OUT OF USER ACCESS CERTIFICATION? User Access Certification or Access Review is a process driven by individuals or group of authorized people in which they review and reaffirm user access to corporate IT resources. The goal is to revoke instances of inappropriate, excessive or illegitimate user access. At the end of the process, the reviewers certify that the so called remaining user access rights are legitimate and accurate. Detect accounts that are inactive, unused or inappropriate. Highlight orphaned and dormant accounts to let reviewers decide if the access is still needed. Assign risk ratings to support regular periodic reviews for higher risk users Proceed to revocation of access, which have been declared as incorrect.

4 Provide a full audit trail and reporting for actions that are performed. TOWARD A RISK-AWARE STRATEGY WITH IDENTITY ANALYTICS Organizations may have to manage thousands of users with millions of access rights across hundreds of applications on a daily basis. In such an environment, the enterprise needs more innovative ways to manage their user access related risks. Incumbent Identity and Access Management vendors have failed to provide the tools able to manage the scale and complexity of modern environments. For example, a provisioning system only does what it s been configured to do so, if the rules are wrong, the tool will provision accounts incorrectly. The only true way to verify that the system is operating to policy is to audit its functions - Recertification is the best process to do this. These solutions are lagging behind for a number of reasons: Lack of support of certifications correlated to organizational structureabsence of sophisticated access review scenarios like risk-aware micro certification Weaknesses in offering real enterprise-wide collaboration and distribution/delegation of reviews Light or no support of incremental access reviews No ability to process fine grained entitlement reviews Presentation of access review results are not adapted to a business audience INEFFICIENCY OF TRADITIONAL ACCESS REVIEWS When organizations have already implemented tools to manage access review, they may suffer from inefficiencies. Those are caused by what Gartner calls access certification fatigue. It means that when a reviewer has hundreds of users to review and no or too little contextual information to help him/her make decisions, rather than go through the process of reviewing each user account, he or she invokes the approve all feature. Subsequently, users are left with inappropriate or excessive access and the organization is vulnerable. TWO MAJOR TRAPS ARE OFTEN PENALIZING THE USER ACCESS REVIEW EFFICIENCY: ACCOUNTABILITY GAPS The responsibility for user access reviews is too often limited to IT teams who are lacking the necessary business context to know what level of access is needed for a particular job function or business responsibility. Therefore, it is essential that any access review function involves line of business. BLIND COMPLIANCE Blind Compliance results from the mistaken belief that to be compliant with user access-related regulatory recommendations ensures that adequate access risk management exists across the enterprise. If user access entitlements meet regulatory recommendations this does not automatically mean that they are consistent with the rule of least-privileged access and other access governance best practices. Legal compliance is a minimum standard it is necessary but not sufficient for the prudent operation of an enterprise.

5 The combination of these challenges are highlighting the need to improve user access certifications and is becoming a major business driver. The huge benefits of deploying dentity analytics solutions such as Brainwave Identity GRC can be seen to dramatically enhance the access certification process: Enriched information, by mapping information from the HR information system to classification meta-data (sensitivity, description and process). This provides a very comprehensive reference to auditors, internal control organization and lines of business managers, allowing them to understand the impact of the privileges granted. Identify the situations at risk by linking the information to be reviewed with the reference table of control. The gaps are emphasized, the impacts of the risks are explained and the root causes are clearly identified and underlined. Check and verify the legitimacy of the permissions granted based on the to the organization/department involved (i.e: peer group) whilst highlighting any abnormal situations: rogue access, residual access, and excessive access. Analyze the history and the evolutions to limit the review process to the changes since a given date or a previous review. It leads to dramatic gains in operating efficiency. Ability to switch from compliance to operational view and focus only on the risks or new situations at risk For improved accuracy, consistency and granularity, Brainwave Identity GRC allows fully automated user access reviews to be established on every single type of certification: Resource-based: resource owners review all the users who have entitlements. Organization-based: managers are asked to review the access assigned to their subordinates. HR-based: managers review the accuracy of the information related to their team members and duties IT Admin based: resource owners review privileged accounts, technical accounts and privileged entitlements Entitlements-catalog-based: resource owners review entitlements and associated policy and metadata that are maintained in a repository for accuracy. Unlike conventional IAM solutions, Brainwave Identity GRC manages, schedules, and distributes access reviews to the appropriate reviewers and constantly tracks progress through a very intuitive web interface. In addition, Brainwave Identity GRC offers a tight integration with IAM and other provisioning solutions, as well as ITSM solutions to allow reviewers to revoke inappropriate rights upon detection and make sure the changes have been granted in the systems to remediate access risks. Brainwave Identity GRC differs from other solutions by reducing the cost of security and compliance by automating labor-intensive access review processes while also strengthening controls to address audit insufficiencies or limitations. The solution unifies and centralizes access reviews across on-premise and cloud resources and applications. It streamlines the whole access review process, saving significant time and effort. WHAT DIFFERENTIATES BRAINWAVE IDENTITY GRC FROM OTHER SOLUTIONS? Presents analysis in an effective and meaningful way to IT, Audit and business people in charge of user access reviews, through dynamic and intuitive interfaces. Takes care of the processes of both simple and advanced review processes

6 Capable of managing reviews based on fine-grained data (i.g: transactions, SOD) or access rights to unstructured data (i.g: access to files or folders) Integrates built-in ready-to-use analysis and reports to make better decisions A seamless integration with IAM and ITSM solutions automates the required changes identified during the operations of recertification to make sure that there are no gaps SOLVE TIME AND COST ISSUES RELATED TO USER ACCESS RECERTIFICATION An unparalleled time-to-implement. You get actionable access reviews in just a couple of weeks! If you already have an IAM solution in place, it will be faster and more cost-effective to use Brainwave Identity GRC to manage your user access certification and leave your IAM to manage provisioning. If you don t have one, there is no hurry to deploy a costly IAM system! You can avoid the risk of shelfware (undeployed software due to the overwhelming project complexity). Brainwave Identity GRC mitigates risk through a proactive detection and prevention of improper access and security policy violations. More importantly, it fosters a collaborative governance process across lines of business and IT, while delivering any necessary proofs of compliance for internal and external auditors. IMPROVE REVIEW CAMPAIGNS FOR ACCESS CERTFICATION AND RECERTIFICATION WITH BRAINWAVE IDEN- TITY GRC Brainwave Identity GRC automates your access review campaigns. It fosters collaboration with CISO, CRO, IT security managers, application and technology owners, controllers and auditors. It eliminates the risks of fraud, data breach, and guarantees compliance whilst dramatically reducing Total Cost of Ownership. Access Review/Recertification Monitoring Account Classification Control Reporting Gap Analysis, inconsistency Detection Gap Mitigation Tracking exceptions Dashboard Who has access to what? Data Quality Analysis Known Risks Management Access Review Decision Support Governance process Automation month 3 months 6 months Brainwave Identity GRC is quick and easy to deploy and has proven to be more efficient to achieve enterprise-wide access reviews faster than other solutions for half the price. Do you want to know how much time and budget you can cut by using Brainwave GRC? Let s try our ROI calculator and get a personalized estimation.

7

8 Brainwave BRAINWAVE GRC UNITED KINGDOM 1 Fore Street Moorgate London EC2Y 9DT contact@brainwavegrc.com IDENTITY METHODS LIMITED Tower Point 44 North Road Brighton East Sussex BN1 1YR +44 (0) info@identitymethods.co.uk