Identity Governance and Administration

Background

In the early days of identity management, organizations implemented the technology to provision access to applications so that users could be productive from the first day on the job, and to reduce the risk of overprovisioned access. Regulatory compliance, it was believed, would follow as a side effect of automated provisioning. But automating identity and access provisioning turned out to be more costly than most organizations could bear, and the result was partial automation for only a handful of applications. Out of this came a need for a specialized approach to demonstrating access controls to auditors, in response to regulations requiring the application of the least-privilege principle. This approach became known as access governance. Organizations now expect both access provisioning and governance capabilities from an integrated product. Gartner refers to these combined disciplines as Identity Governance and Administration (IGA).

Governing Access to Information

Regulated organizations must demonstrate to auditors that they have a process in place to manage access, including adding new users appropriately and removing access when it is no longer needed. Governance also includes managing segregation of duties (SoD) and alerting when conflicting access is detected or granted. To address this, organizations routinely gather identity, account and entitlement information from their various systems and applications and provide it to line of business (LOB) managers or application owners, so they can certify whether each individual still needs the access. The challenge is that this is a manual process: error-prone, hard to document, and costly and time consuming for both IT and the LOB managers.

Although such a manual process might meet the letter of the regulatory compliance requirement, it does little to improve the risk posture of the organization, mostly because it ends up being a rubber-stamp operation on the part of the reviewers.

Identity Administration/Management

Identity Administration/Management is the process of implementing and maintaining the identity and access lifecycle of users: creating, updating and removing accounts in a consistent fashion. This gives users access to what they need to complete their job tasks and revokes access when someone leaves or changes roles. When an individual begins a relationship with the organization, an authoritative source such as an HR system triggers the automatic creation of accounts in the appropriate applications. As the individual's relationship with the organization changes, their accounts and access are changed accordingly, and when the relationship ends, all access is disabled. The process can be completely automated based on established policy, or manual where human intervention is required.

Market Segments

Any organization in a regulated industry, including (but not limited to) healthcare, finance, government, retail, manufacturing and energy. All public companies have regulatory compliance mandates as well. Non-regulated companies also implement identity governance and administration tools as a best practice for protecting intellectual property or other sensitive information, and to make their organizations more efficient.

How to Use This Document

This document has three primary sections. The first is a listing of market problems, their impact, and who cares about them, to help you understand the customer. The second section takes those same problems and matches them to the NetIQ capabilities, benefits and products that solve them, along with key questions designed to help sales uncover whether a pain is legitimate. The third section takes the capabilities from the second section and compares the Micro Focus capability to that of other vendors, and where possible lists a defensible differentiator. The remaining sections provide supporting information.
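The joiner/mover/leaver flow described above is, at its core, a diff between the access an authoritative source says a worker should have and the access the target systems actually hold. The following is an added example written for this page, not NetIQ product code: the role policy, the HR records and the target-system state are all constructed, and the job codes, system names and entitlement names are placeholders. It also handles the failure mode the text implies when it says the process is "manual where human intervention is required": a worker whose job code has no policy is routed to a human rather than provisioned by guesswork.

```python
"""HR-driven joiner/mover/leaver planning for target-system accounts.

Added example, not NetIQ code. The role policy, HR feed and target-system
state below are constructed for illustration; a real deployment reads them
from the HR system and from connectors (drivers) to each application.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role policy: HR job code -> entitlements per target system.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "AP_CLERK":   {"erp": {"AP_ENTER_INVOICE"}, "ad": {"Finance-RO"}},
    "AP_MANAGER": {"erp": {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}, "ad": {"Finance-RW"}},
    "HELPDESK":   {"ad": {"Helpdesk"}},
}
# Birthright access every active worker receives regardless of job code.
BASELINE: Dict[str, Set[str]] = {"ad": {"Domain Users"}}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    job_code: str
    status: str  # "active" or "terminated"


# One planned change: (employee_id, system, operation, entitlement-or-note).
Action = Tuple[str, str, str, str]


def desired_state(rec: HrRecord) -> Dict[str, Set[str]]:
    """Entitlements policy says this worker should hold, keyed by target system.
    A terminated worker should hold nothing. An unmapped job code raises KeyError
    instead of silently provisioning an empty or guessed set of access."""
    if rec.status != "active":
        return {}
    policy = ROLE_POLICY[rec.job_code]  # KeyError on an unmapped job code
    desired = {system: set(ents) for system, ents in BASELINE.items()}
    for system, ents in policy.items():
        desired.setdefault(system, set()).update(ents)
    return desired


def plan_actions(hr_records: List[HrRecord],
                 current: Dict[str, Dict[str, Set[str]]]) -> List[Action]:
    """Diff desired state against what the target systems currently hold.

    `current` maps employee_id -> system -> entitlements held; the presence of
    a system key means an account exists there. Joiners get accounts created,
    movers get the difference granted and revoked, leavers get every account
    disabled, and workers with no matching policy are routed to a human.
    """
    actions: List[Action] = []
    for rec in hr_records:
        have = current.get(rec.employee_id, {})
        try:
            want = desired_state(rec)
        except KeyError:
            actions.append((rec.employee_id, "*", "manual",
                            f"no role policy for job code {rec.job_code}"))
            continue
        for system in sorted(set(want) | set(have)):
            want_ents = want.get(system, set())
            have_ents = have.get(system)
            if not want_ents:
                # Nothing should remain here: a leaver, or a mover who left this app.
                if have_ents is not None:
                    actions.append((rec.employee_id, system, "disable", ""))
                continue
            if have_ents is None:
                actions.append((rec.employee_id, system, "create", ""))
                have_ents = set()
            for ent in sorted(want_ents - have_ents):
                actions.append((rec.employee_id, system, "grant", ent))
            for ent in sorted(have_ents - want_ents):
                actions.append((rec.employee_id, system, "revoke", ent))
    return actions


# Constructed sample: a mover (1001, clerk promoted to manager), a joiner (1002),
# a leaver (1003) and a worker whose job code has no policy (1004).
SAMPLE_HR = [
    HrRecord("1001", "AP_MANAGER", "active"),
    HrRecord("1002", "HELPDESK", "active"),
    HrRecord("1003", "AP_CLERK", "terminated"),
    HrRecord("1004", "CONTRACTOR", "active"),
]
SAMPLE_CURRENT = {
    "1001": {"erp": {"AP_ENTER_INVOICE"}, "ad": {"Domain Users", "Finance-RO"}},
    "1003": {"erp": {"AP_ENTER_INVOICE"}, "ad": {"Domain Users", "Finance-RO"}},
}


def run_example() -> List[Action]:
    return plan_actions(SAMPLE_HR, SAMPLE_CURRENT)


if __name__ == "__main__":
    for action in run_example():
        print(action)
```

The plan is deterministic (systems and entitlements are sorted) so two runs against the same input produce the same change list, which is what makes it auditable; the "revoke" and "disable" actions are the closed-loop fulfillment records that Section 1 complains are hard to prove.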

Section 1: Buyers, Their Problems and the Negative Impact

Each row lists the buyer or influencer, the market problem in the customer's words, and the negative impact to the organization.

1. Buyer: Risk and Compliance
   Problem: Lack of control over who has access to what. "I need to know, and control, who has access to what, but it's difficult to acquire the necessary data and certify it accurately."
   Impact: Manual entitlement collection is time consuming and error-prone, with a high potential for audit findings.

2. Buyer: Risk and Compliance
   Problem: Lack of historical access records. "It's challenging to maintain accurate historical records of when individuals had access to applications."
   Impact: Missing information makes compliance reporting, and researching incidents in order to put compensating controls in place, difficult.

3. Buyer: Risk and Compliance
   Problem: Lack of accountability for service accounts. "We have difficulty maintaining accountability for machine or service accounts, and identifying who is ultimately responsible for them."
   Impact: Once created, these accounts are often forgotten, leaving them vulnerable to attackers. Such orphaned or unmanaged accounts can also be compliance violations.

4. Buyer: Risk and Compliance
   Problem: Difficulty demonstrating policy controls, such as segregation of duties (SoD) enforcement. "How can we identify who approved the SoD conflict and what mitigating control has been put in place to prevent the individual from taking advantage of the additional access?"
   Impact: Inappropriate or extraneous access can lead to financial fraud and reputation loss through access abuse, and to compliance fines from audit findings around extraneous access.

5. Buyer: Risk and Compliance
   Problem: Lack of closed-loop fulfillment. "It's difficult to fulfill access requests and revocations consistently, or to prove that access has been revoked."
   Impact: Orphan accounts can be exploited by outside attackers or by employees who have left the organization, and can result in compliance fines.

6. Buyer: Security
   Problem: Challenging to define and enforce policy for who should have access to what, and when approval is necessary.
   Impact: Without controls, business users will rubber-stamp access approvals, potentially violating policy.

7. Buyer: IT Infrastructure and Operations
   Problem: Inefficient access provisioning. "Our processes for getting the right people the right access are too slow and/or consume too much staff time."
   Impact: When users cannot access needed apps, they either find another solution or become very vocal, distracting IT from more productive activities.

8. Buyer: IT Infrastructure and Operations
   Problem: Password resets are too costly. "We need to minimize calls to the help desk for routine password resets."
   Impact: It's expensive to maintain help desk staff 24x7; the more calls, the more staff needed.

9. Buyer: LOB Managers and Application Owners
   Problem: Bureaucratic access request and approval process. "Our process for access request and approval is bureaucratic, while managers lack visibility into the access their employees possess."
   Impact: Users can't access what they need, or don't use what they have, wasting application licenses and reducing organizational efficiency. This can drive managers to clone access or rubber-stamp approvals.

10. Buyer: LOB Managers and Application Owners
   Problem: Access certification and approval is rubber-stamped. "Our managers lack context when approving or certifying access, making the process administrative overhead."
   Impact: Too much access can lead to privilege abuse by insiders, or by outsiders who have obtained insider credentials.

Section 2: Qualification Questions, NetIQ Capabilities, Benefits and Products

This second section repeats each market problem, but is designed to give sales the specific information needed in a conversation with the customer. In some cases a capability may be aligned to multiple problems.

1. Lack of control over who has access to what
   Questions: How do you track access today? How do you demonstrate access certifications to auditors? How fast can you answer the question "What does Sally have access to?"
   Capabilities: a) Entitlement collection across on-prem and SaaS apps; b) Access certification; c) Event-driven change recognition
   Benefit/Value: Lower risk of excessive access with better controls. Reduced cost for compliance reporting. Visibility into who has access to what, for the business to use.

2. Lack of historical access records
   Questions: How far back in time do you have access records? Does that adequately address audit requirements?
   Capabilities: Entitlement reporting
   Benefit/Value: Reduced workload to gather accurate records for auditors.

3. Lack of accountability for service accounts
   Questions: How many machine or service accounts are in your environment? How do you govern their credentials?
   Capabilities: a) Entitlement collection; b) Unmanaged/orphan account controls
   Benefit/Value: Reduced risk of account abuse or hijacking.

4. Difficulty demonstrating policy controls
   Questions: How do you maintain SoD policies? How do you detect SoD policy violations? What controls are in place? Have you attempted cross-application SoD?
   Capabilities: Policy and role management
   Benefit/Value: Reduce or eliminate conflicts, including SoD violations, so that fraud is minimized.
   Product(s): Identity Manager

5. Lack of closed-loop fulfillment
   Questions: How do you ensure that access revocations are accomplished? Do you measure the amount of time it takes to revoke access?
   Capabilities: a) Adaptive fulfillment; b) Auditing
   Benefit/Value: More accurate and timely revocations reduce the risk of access abuse.
   Product(s): Identity Manager

6. Challenge to define and enforce access policy
   Questions: Who establishes the authority for approving access?
   Capabilities: Request and approval workflow engine
   Benefit/Value: IT operations defines the process once, making it repeatable. Reduced time for approval workflow.
   Product(s): Identity Manager

7. Inefficient access provisioning
   Questions: How much of your staff's time is spent manually provisioning access? How do you make sure that access is revoked when someone's role changes?
   Capabilities: a) Identity lifecycle automation; b) Automated provisioning via drivers (connectors) to applications
   Benefit/Value: Reduced time impact of manual provisioning on IT. Reduced risk with more accurate provisioning and faster deprovisioning.
   Product(s): Identity Manager with drivers

8. Password resets are too costly
   Questions: How are requests received today? How do users reset their passwords today? How many access requests does your IT staff have to process?
   Capabilities: User self-service password reset
   Benefit/Value: Business users have visibility to understand access request status. Reduced workload on IT.
   Product(s): Self-Service Password Reset

9. Bureaucratic access request and approval process
   Questions: How do users request access today? Can managers request for their staff or project teams? Are they happy with that process? How do users know what potential access they could have?
   Capabilities: User self-service access request and approval portal
   Benefit/Value: Users can see what access they have and what apps they can request access to, so they remain productive. Managers can easily request access on behalf of others.
   Product(s): Identity Manager Home

10. Access certification and approval is rubber-stamped
   Questions: How do you keep your line of business managers from rubber-stamping access certifications?
   Capabilities: Analytics-based decision support
   Benefit/Value: Higher access revocation rates that lead to reduced risk, not just governance for auditors.
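Problems 3, 4 and 5 above (unowned service accounts, cross-application SoD with approved exceptions, and proof that revoked access is really gone) all come down to one reconciliation pass: collect accounts from the managed resources, correlate each one to an identity, and then evaluate policy over everything an identity holds. The following is an added example written for this page, not NetIQ product code: the identity store, the collected account records, the per-system correlation rules, the SoD rules and the approved exception are constructed, and the system and entitlement names are placeholders.

```python
"""Reconciliation of collected accounts against the identity store.

Added example, not NetIQ code. The identity store, collected accounts,
correlation rules, SoD policy and approved exception are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed identity store: employee id -> attributes from the HR feed.
IDENTITIES: Dict[str, Dict[str, str]] = {
    "1001": {"mail": "alice@example.com", "status": "active"},
    "1003": {"mail": "carol@example.com", "status": "terminated"},
}

# Constructed entitlement collection from three managed resources: what a
# connector reads back per account, plus the attribute the correlation rule keys on.
ACCOUNTS: List[Dict] = [
    {"system": "ad", "account": "alice", "type": "user", "mail": "alice@example.com", "entitlements": {"Finance-RW"}},
    {"system": "erp", "account": "1001", "type": "user", "emp_no": "1001", "entitlements": {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}},
    {"system": "bank", "account": "alice.w", "type": "user", "mail": "alice@example.com", "entitlements": {"WIRE_RELEASE"}},
    {"system": "ad", "account": "carol", "type": "user", "mail": "carol@example.com", "entitlements": {"Finance-RO"}},
    {"system": "ad", "account": "svc-backup", "type": "service", "entitlements": {"Backup Operators"}},
    {"system": "ad", "account": "svc-etl", "type": "service", "owner": "1001", "entitlements": set()},
    {"system": "erp", "account": "xq7788", "type": "user", "emp_no": "9999", "entitlements": {"AP_ENTER_INVOICE"}},
]

# Correlation rule per system: (account attribute, identity attribute).
CORRELATION: Dict[str, Tuple[str, str]] = {
    "ad": ("mail", "mail"),
    "erp": ("emp_no", "employee_id"),
    "bank": ("mail", "mail"),
}

# SoD policy: pairs of system-qualified entitlements that must not be held
# together. The second rule spans two applications.
SOD_RULES: List[Tuple[str, str]] = [
    ("erp:AP_ENTER_INVOICE", "erp:AP_APPROVE_PAYMENT"),
    ("erp:AP_APPROVE_PAYMENT", "bank:WIRE_RELEASE"),
]
# Approved exceptions: (identity, rule) -> approver and mitigating control,
# which is exactly what an auditor asks for when a conflict is allowed to stand.
SOD_EXCEPTIONS: Dict[Tuple[str, Tuple[str, str]], str] = {
    ("1001", SOD_RULES[0]): "approved by CFO; invoices over 10k require dual signature",
}


def correlate(account: Dict, identities: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Apply the system's correlation rule; return the owning identity id or None."""
    acct_attr, id_attr = CORRELATION[account["system"]]
    key = account.get(acct_attr)
    if key is None:
        return None
    if id_attr == "employee_id":
        return key if key in identities else None
    for ident, attrs in identities.items():
        if attrs.get(id_attr) == key:
            return ident
    return None


def reconcile(identities, accounts, sod_rules, sod_exceptions) -> List[Tuple[str, str, str]]:
    """Correlate every collected account, flag orphans and unowned service
    accounts, then evaluate SoD across everything each identity holds.
    Returns (kind, subject, detail) findings in discovery order."""
    findings: List[Tuple[str, str, str]] = []
    held: Dict[str, Set[str]] = {}
    for acct in accounts:
        ref = f"{acct['system']}:{acct['account']}"
        if acct["type"] == "service":
            owner = acct.get("owner")
            if owner is None:
                findings.append(("unowned_service_account", ref, "no owner recorded"))
            elif identities.get(owner, {}).get("status") != "active":
                findings.append(("unowned_service_account", ref, f"owner {owner} is not active"))
            continue
        ident = correlate(acct, identities)
        if ident is None:
            findings.append(("orphan", ref, "no identity matches the correlation rule"))
            continue
        if identities[ident]["status"] != "active":
            # Access that should have been revoked at termination but was not.
            findings.append(("orphan", ref, f"owner {ident} is not active"))
            continue
        held.setdefault(ident, set()).update(f"{acct['system']}:{e}" for e in acct["entitlements"])
    for ident in sorted(held):
        for rule in sod_rules:
            if set(rule) <= held[ident]:
                pair = f"{rule[0]} + {rule[1]}"
                mitigation = sod_exceptions.get((ident, rule))
                if mitigation:
                    findings.append(("sod_exception", ident, f"{pair}: {mitigation}"))
                else:
                    findings.append(("sod_violation", ident, pair))
    return findings


def run_example() -> List[Tuple[str, str, str]]:
    return reconcile(IDENTITIES, ACCOUNTS, SOD_RULES, SOD_EXCEPTIONS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Two design points worth noting. Correlation is per system, because the attribute that ties an account to a person differs from application to application; an account that fails its system's rule is an orphan until someone claims it. And SoD is evaluated over the union of entitlements across all systems, which is the only way to catch the cross-application conflict (approving a payment in the ERP and releasing the wire at the bank) that single-application controls miss.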

Section 3: Competitive Comparisons and Differentiators

This section is designed to be an at-a-glance comparison of the capabilities listed in the previous section. If a capability is weak versus a competitor, that is expected to communicate to sales that they will be better off positioning a different capability or finding another opportunity. For a differentiator to be defensible, it has to be important to the customer and truly unique. Therefore, not every capability will have a defensible differentiator.

Vendors compared: Micro Focus, SailPoint, RSA/Dell, Oracle, CA, IBM. Rating scale: Leading Capability, Strong Capability, Partial Capability, Limited Capability, No Capability. (The per-vendor rating symbols are not reproduced in this text.)

1a. Entitlement collection across on-prem and SaaS apps
1b. Access certification
1c. Event-driven change recognition. Defensible differentiator: greater visibility into events on target systems allows you to see and react in near-real time, out of the box.
2/3a. Entitlement reporting
3b. Unmanaged/orphan account controls
4. Policy and role management
5a. Adaptive fulfillment
5b. Auditing
6. Request and approval workflow engine
7a. Identity lifecycle automation
7b. Automated provisioning via drivers (connectors) to applications
8. User self-service password reset
9. User self-service access request and approval portal
10. Analytics-based decision support

Section 4: Success Stories for Defensible Differentiators

KMD
Profile: KMD plays a key role in digitizing the Danish welfare state, helping make Denmark's public sector one of the best run, most efficient and highly digitized in the world. NetIQ investments: Identity Manager.
Issue: Many of KMD's 3,000 users are privileged users whose access to 1,000 applications needed to be reviewed and restricted. The customer also wanted to be prepared for when the European data privacy regulations go into effect.
Action: KMD selected NetIQ because it needed a focused solution to conduct access certifications.
Impact: The initial deployment stage focused on the mainframe; they now have a complete view of all mainframe users. The next stage is to deploy IDM and leverage Access Review to manage roles and SoD violations.

The Church of Jesus Christ of Latter-day Saints
Profile: 15M-member organization, 29,000+ branches, 406 missions, 85,000+ full-time missionaries, 30,000+ volunteers and the largest genealogy site in the world. NetIQ investments: Identity Manager, Sentinel.
Issue: Needed identity and access governance that could scale to millions. The existing Aveksa deployment did not have real-time IAM lifecycle management to support 100,000 new users and/or access changes per month.
Action: Maximize the NetIQ investment to support multiple identity and access lifecycle use cases such as employee, volunteer, member and ancestry-site users.
Impact: Real-time access request and revocation capabilities support future growth needs. Real-time access changes and revocations improved the ability to meet governance policies.

St. Joseph Health
Profile: St. Joseph Health is a Western U.S.-based healthcare provider with nearly 25,000 full-time employees in its environment. NetIQ investments: Identity Manager, Identity Tracking for Identity Manager.
Issue: The existing Oracle deployment was not flexible enough for changing business processes. Issues like orphan accounts and manual deprovisioning made proving compliance challenging.
Action: Liked how NetIQ identity management and access governance solutions worked together.
Impact: Pleased with the flexibility and seamless integration between products. Looking to expand into advanced authentication.

Section 5: Objection Handling

This section records the most common objections with ways to handle them.

1. "We already have a custom-built identity management solution. Why would we need this?"
   NetIQ Identity Manager is a comprehensive enterprise solution for managing identities and their access to any application in the enterprise as well as in the cloud. It integrates with Active Directory to take advantage of the information there, but applies consistent policy and automation to meet compliance and risk-reduction objectives. Ask: Are you meeting the enterprise SLAs with what you have now? How much manual effort are you spending to maintain it, adapt it to a changing environment and fulfill changes? In other words, would there be a benefit to reclaiming the time and talent spent on getting identity management tasks completed and using it to enhance the services you provide?

2. "We want a cloud-based solution for identity management."
   Ask: What is your plan to integrate with the apps you run on your own premises? Keep in mind that cloud identity management solutions tend to work best with cloud applications, and over the long term IDaaS may be more costly as well. NetIQ Identity Manager is designed to integrate with both enterprise and cloud applications to unify policies for meeting compliance and risk objectives, while making it easier for users to gain access to the resources they need regardless of where those resources are hosted.
   Follow-up objection: "But we want a turnkey solution that meets all our current needs, adapts to our changing environment and results in just a bill each month." For the newly created, simple enterprise, IDaaS can fulfill that promise. For the large organization that retains an on-premises data center or has a high velocity of change, IDaaS is unlikely to fully deliver, due to lack of integration and customization.

3. "We don't have to comply with any regulations."
   Ask: Do you enforce basic security controls such as least privilege? Identity governance and administration is as much about reducing the risk of access abuse as it is about compliance. Your CIO's job probably includes lowering the risk posture of the organization while offering the best services to the business that the budget can buy.

4. "We wrote our own scripts for running access certifications," or "We use spreadsheets."
   Ask: Tell me more. Is it business friendly? How long does it take? Who maintains it? Identity governance and administration reduces the manual burden of collecting entitlements and makes it easier for LOB managers to participate meaningfully in the process rather than rubber-stamping.

5. "We already have vendor XYZ."
   Ask: Does this vendor cover all your applications and systems? What do you wish you could automatically connect to for immediate fulfillment of access requests or revocations?

Section 6: Glossary

Access Certifications: The periodic review of entitlements to validate that access privileges align with a user's job function and conform to policy guidelines. Access certifications are commonly used as an internal control to ensure compliance with Sarbanes-Oxley and other regulations. They require a line of business (LOB) manager to review a list of entitlements and check off whether each entitlement is still valid. The review period can be monthly, quarterly, semi-annual or annual. Also known as attestation.

Access (or Identity) Governance: A discipline that includes the discovery of entitlements and the access certification process to control user access to critical applications and data. It is informed by risk scoring, policy and attributes such as roles that help to minimize the effort of reviewers. Identity governance allows organizations to know who has access to what, meet compliance mandates and better manage risk.

Attribute: A single piece of information associated with a digital identity. Examples of attributes are name, phone number and institution affiliation. Each piece of identifying information about a user can be thought of as an attribute of that user. Users have identity attributes, each of which may be stored on one or more target systems.

Delegation: A process by which a reviewer or approver passes their decision authority to another user, either temporarily or permanently.

Deprovisioning/Provisioning: A process (manual or automated) to delete or add a user account in a system. Also known as revocation or fulfillment.

Entitlement: A right or permission granted to a user to access some application, data or function. Also known as an account or privilege.

Identity and Access Management (IAM): Software that automates the business processes required to manage electronic identities and their related access permissions. This ensures that access privileges are granted according to a single interpretation of policy, and that all individuals and services are properly authenticated, authorized and audited.

IAM-as-a-Service (IDaaS): IAM software that is hosted in the cloud, delivered as a cloud service and managed by a third-party service provider.

Identity Store: A system that maintains identity information. An identity store is often an authoritative source for some of the information it contains.

Orphan Account: An account belonging to a user who has since left the organization. Orphan accounts are a direct result of failing to remove access privileges when workers terminate or transfer jobs, and are a frequent focus for IT auditors looking for security risks.

Reconciliation: A process that periodically compares identity data in an identity management solution with the data actually present on managed resources. Reconciliation correlates account data, highlights differences, and can invoke workflow to alert or to make changes to the data.

Role: A collection of entitlements or other roles that enables an identity to access resources and perform certain operations within an organization. A simple role is a collection of entitlements defined within the context of a single system. Roles simplify security administration on systems and applications by encapsulating common sets of entitlements and assigning them to users as packages rather than individually.

Role Management: Roles and role assignments are unlikely to remain static for any length of time. Because of this they must be managed: the entitlements associated with a role must be reviewed and updated, and the users assigned the role, implicitly or explicitly, must be reviewed and changed. Role management comprises the business processes used to effect these reviews and changes.

574-000001-001 Q 09/16 2016 NetIQ Corporation and its affiliates. All rights reserved.
NetIQ, the NetIQ logo and Sentinel are trademarks or registered trademarks of NetIQ Corporation in the USA. Micro Focus, among others, is a trademark or registered trademark of Micro Focus or its subsidiaries or affiliated companies in the United Kingdom, United States and other countries. All other company and product names may be trademarks of their respective companies.