identity and access governance buyer’s...
IDENTITY AND ACCESS GOVERNANCE
Buyer’s Guide
TABLE OF CONTENTS
Purpose of this Guide
Identity and Access Governance
IAG as Part of Identity & Access Management
Feature Tables:
  Role Definition
  Access Requests
  Access Approvals
  Access Certifications
  Audits and Compliance Analysis
  Identity and Access Intelligence: Monitoring and Analysis
  Solution Deployment and Integration
  Summary of Tables
Appendix
For More Information
PURPOSE OF THIS GUIDE
Welcome to the Courion Identity and Access Governance Buyer’s Guide.
This guide is designed to help you define requirements for an Identity and Access Governance solution for your enterprise.
It can also help you select a short list of vendors for evaluation, and compare Identity and Access Governance products during an evaluation process.
Our Approach
The material in this guide is organized around the core tasks of Identity and Access Governance (IAG) and the people who perform them. It examines the features and functions of IAG solutions needed to:
• Define roles and the access permissions associated with them, a task typically performed by IAM analysts, resource owners and business managers. (In this guide we will use “IAM analysts” as shorthand for IAM project leaders and security professionals responsible for managing IAM activities. “Resource owners” will refer to line-of-business and IT staff responsible for managing access to applications, databases and other resources.)
• Request access to applications, systems and resources, an activity carried out by business managers on behalf of their reports, and by a wide variety of employees and other system users for themselves.
• Approve access requests, typically performed by business managers and resource owners.
• Certify the appropriateness of access to sensitive systems, applications and data, tasks performed by business managers, resource owners and auditors.
• Manage risk and verify compliance with government, industry and corporate policies, tasks belonging to auditors and compliance officers.
• Use Identity and Access Intelligence tools to analyze usage, uncover vulnerabilities, identify policy violations, respond to attacks, remediate problems and reduce risks.
• Deploy IAG solutions and integrate them with other identity management and security products.
The opening sections provide a brief overview of Identity and Access Governance (IAG), and place IAG solutions in the context of Identity and Access Management as a whole.
The remaining sections are designed so that evaluation team members can work with representative “subject matter experts (SMEs)” in each category (business managers, system users, compliance officers, etc.) to assess how an IAG solution can help them do their jobs better and meet organizational goals.
The feature tables can be used to capture assessment data during feature reviews, vendor demonstrations, proof-of-concept tests, reference calls, and other evaluation activities. The tables are laid out so you can use the rating system of your choice, and there are spaces for comments and assessments by section. If you want to modify or expand the tables, you can download them in PDF or Excel format from the Courion website Resources section at www.courion.com.
In this guide we try to apply the same practical, business-friendly design principles used in Courion’s products, avoiding platitudes (“Today’s business world is changing rapidly, and so are your IAM requirements”) and dense feature descriptions (“Has a workflow that seamlessly integrates with SAP and Oracle ERP, and fine-grained separation-of-duties checking with flexible exception-handling methods [Yes/No]”).¹
¹ Examples from real Identity and Access Management buyer’s guides.
Talk with Us
Our consulting team and partners can answer your questions, demonstrate Courion’s solutions, help you conduct a proof-of-concept, generate a business case, or assess access risk. We would also like your feedback on this guide. Please contact us at info@courion.com
IDENTITY AND ACCESS GOVERNANCE
Functions of Identity and Access Governance
Today, the field of Identity and Access Governance covers four main components:
1. Processes to certify that existing permissions are appropriate and in conformance with corporate policies.
2. Processes to audit identity and access processes and results, demonstrate controls, define policies about who should have access to what resources (governance), prove compliance with regulatory requirements and company standards, and remediate any issues uncovered.
3. Processes to define roles and to request and approve access to data, applications and other information technology resources.
4. Monitoring and analysis tools to detect vulnerabilities, assess risk, and improve compliance with requirements and standards.
The original focus of IAG was on the first two components, especially on tools to certify permissions and to help auditors and compliance officers reduce audit costs and document compliance.
However, it was soon recognized that these four areas are reinforcing. Organizations that have reliable processes to request and approve access make fewer errors, and therefore expend less effort on certification, auditing and remediation. Organizations with identity and access intelligence tools can monitor changes for policy violations, track trends and identify vulnerabilities, allowing them to respond to problems faster.
In fact, comprehensive IAG solutions provide value in many areas by:
• Improving the productivity of managers by simplifying identity and access certification processes
• Saving time for employees by speeding up the process to request and receive access to resources (especially when the request system is integrated with automated provisioning)
• Providing more data to speed up audits and reduce the high cost of regulatory compliance
• Reducing vulnerabilities and decreasing the risk of data breaches and the loss of customer and employee information and intellectual and financial property
• Improving risk management
• Deterring policy violations by employees and other insiders
At the same time, IAG solutions help enterprises address some of their most pressing human and technology challenges: increasing numbers and types of technology users (employees, contractors, business partners, customers), multiplying applications and devices (including employee-sourced devices encouraged by “BYOD” policies), growing regulatory requirements, pressures for better risk management and security, and tight limits on budgets and staffing.
Tasks and People
Figure 1 shows some of the major tasks involved in Identity and Access Governance, and the people who typically perform them.
The feature tables section of this guide uses these task areas to organize its list of desirable features and functions, to make it clear how those features and functions relate to specific people doing specific jobs.
Figure 1: IAG tasks, and the people who perform them
IAG AS PART OF IDENTITY & ACCESS MANAGEMENT
Broadly speaking, today’s state-of-the-art Identity and Access Management systems cover three primary areas of functionality: Governance, Provisioning, and Intelligence.
Governance systems provide processes to request, approve and certify access to applications and IT resources, and tools to document compliance with government regulations, industry standards and corporate policies.
Provisioning systems automate the provisioning and de-provisioning of access to applications and IT resources, and manage access through users’ lifecycle with the organization. Key IAM functions such as password management, advanced authentication and single sign-on are sometimes considered as part of provisioning and life-cycle management, and sometimes as separate entities (but are in any case outside of the scope of this guide).
Identity and Access Intelligence systems provide tools to continuously collect, monitor and analyze large volumes of identity and access-related information, combining data not only from Governance and Provisioning systems, but also from security products and other external systems. Identity and Access Intelligence products are often designed so they can be used with either a governance system, or a provisioning system, or with both.
In fact, Identity and Access Intelligence tools should be seen as an integral part of any Identity and Access Governance implementation. This guide discusses functionality that is typically available in governance systems and in Identity and Access Intelligence tools when they work together. Figure 2 illustrates this approach, and lists the products from Courion that fall into those areas.
A brief overview of the Courion products is provided in the appendix.
Figure 2: The three main areas of Identity and Access Management, with products from Courion. The Courion products are modular and can be implemented in any combination.
Feature Tables
ROLE DEFINITION
Primary participants: IAM analysts, resource owners and business managers
An Identity and Access Governance solution should make it as simple as possible for IAM analysts, resource owners and business managers to define roles and the access permissions that are associated with them.
People should be able to use business terminology, not technical jargon, to identify roles and permissions. This allows business managers and business users to participate fully in defining roles, and later in requesting, approving and certifying access.
It should be easy to create simple roles at first, then refine, enhance and expand them over time. That allows organizations to start using the system quickly while continuously improving efficiency and accuracy.
It should be possible to define permissions that (a) accurately reflect the legitimate needs of system users, and (b) do not provide unnecessary entitlements that could jeopardize security and privacy. To achieve these objectives, analysts, resource owners and business managers should be able to:
• Create very granular entitlements, for example permission to make AP inquiries against a specific accounting package, to use a specific computing resource like SharePoint or Internet access, or to acquire an asset like a laptop with a 17” screen.
• Create roles that include combinations of permissions, such as an “Accountant” role that includes permissions to make deposits, reconcile bank statements, create purchase orders, make AP inquiries, etc.
• Create groupings that combine roles, for example a “Senior Accountant” role that includes permissions assigned to the “Accountant” and “Level 2 Manager” roles.
• Model new roles by comparing specific permissions from existing roles (Courion calls this “intelligent modeling”).
Roles can combine permissions to perform specific actions on target resources
Most individuals will have diverse access requirements, based on their function, location, management level, and application needs. Therefore people should be able to find appropriate entitlements and roles by using search and filtering techniques with a catalog of roles. They also should be able to classify and tag roles so people making access requests can find the right ones to request, and so approvers can determine the most appropriate roles for specific system users.
The system should be able to accommodate both:
• A “bottom up” approach: See what permissions people have today and assemble roles based on those observations.
• A “top down” approach: Create roles based on an analysis of what is likely to work best in the environment, and test those.
System users should be able to define policies, for example Separation of Duties (SoD) policies that prevent the same person from taking potentially damaging actions like creating vendor accounts and authorizing vendor payments.
Role definition and refinement can involve many people, including IAM analysts who know best practices for designing roles, “resource owners” responsible for applications, databases, and other IT services, and business managers who understand the responsibilities of employees performing specific jobs. Therefore the system should have mechanisms to manage who can define, change, disable and delete specific roles.
The systems should create a complete audit trail of every action related to defining, modifying and deleting roles.
There should be “out of the box” or easily managed integration with provisioning systems, directories and applications, so role-related information from those systems is available.
There should be integration with Identity and Access Intelligence tools so analysts can assess roles after they have been created. For example, if a report or query shows many users with the same role requesting an additional account or entitlement, then that account or entitlement can be added to the role. Conversely, if there are entitlements that nobody with the role uses, these should be removed from the role definition.
Integration with Identity and Access Intelligence tools also allows role-related information to be analyzed and used for governance, compliance, incident response and other purposes.
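The role groupings, Separation of Duties policies and usage-based role refinement described above can be modelled in a few lines. The following Python sketch is an added example, not Courion code: the `Role` data model, the function names, the 50% request threshold, the "Vendor Admin" and "AP Approver" roles, the "approve expense reports" entitlement and the user data are all assumptions constructed for illustration, while the "Accountant" and "Senior Accountant" roles and the two SoD pairs come from the guide's own examples.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)  # granular permissions
    includes: set = field(default_factory=set)      # roles grouped into this one

def effective_entitlements(name, catalog, _path=()):
    """Expand a role into every entitlement it grants, following groupings."""
    if name in _path:
        raise ValueError("role cycle: " + " -> ".join(_path + (name,)))
    role = catalog[name]
    granted = set(role.entitlements)
    for child in role.includes:
        granted |= effective_entitlements(child, catalog, _path + (name,))
    return granted

def sod_violations(granted, policies):
    """Names of SoD policies whose conflicting entitlements are all granted."""
    return sorted(p for p, conflict in policies.items() if conflict <= granted)

def check_catalog(catalog, policies):
    """Run every policy against every role: role name -> violated policies."""
    report = {}
    for name in catalog:
        hits = sod_violations(effective_entitlements(name, catalog), policies)
        if hits:
            report[name] = hits
    return report

def check_user(role_names, catalog, policies):
    """SoD check on the combined access of one user holding several roles."""
    granted = set()
    for name in role_names:
        granted |= effective_entitlements(name, catalog)
    return sod_violations(granted, policies)

def refine_role(name, catalog, holders, used, requested, threshold=0.5):
    """Suggest changes from usage data: drop entitlements no holder uses,
    add entitlements requested by at least `threshold` of the holders."""
    granted = effective_entitlements(name, catalog)
    exercised = set().union(*(used.get(u, set()) for u in holders))
    counts = {}
    for user in holders:
        for ent in requested.get(user, set()) - granted:
            counts[ent] = counts.get(ent, 0) + 1
    add = [e for e, c in counts.items() if c / len(holders) >= threshold]
    return {"remove": sorted(granted - exercised), "add": sorted(add)}

# Constructed sample catalog built around the guide's role examples.
CATALOG = {
    "Accountant": Role("Accountant", {
        "make deposits", "reconcile bank statements",
        "create purchase orders", "make AP inquiries"}),
    "Level 2 Manager": Role("Level 2 Manager", {"approve expense reports"}),
    "Senior Accountant": Role("Senior Accountant",
                              includes={"Accountant", "Level 2 Manager"}),
    "Vendor Admin": Role("Vendor Admin", {"create vendor accounts"}),
    "AP Approver": Role("AP Approver", {"authorize vendor payments"}),
}

# SoD pairs taken from the guide's examples; the policy names are assumptions.
POLICIES = {
    "deposits-vs-reconciliation": {"make deposits", "reconcile bank statements"},
    "vendor-setup-vs-payment": {"create vendor accounts",
                                "authorize vendor payments"},
}

# Constructed usage data for three holders of the "Accountant" role.
HOLDERS = ["ana", "ben", "cy"]
USED = {
    "ana": {"make deposits", "make AP inquiries"},
    "ben": {"make AP inquiries", "create purchase orders"},
    "cy": {"make AP inquiries"},
}
REQUESTED = {"ana": {"SharePoint access"}, "ben": {"SharePoint access"}}

if __name__ == "__main__":
    print(check_catalog(CATALOG, POLICIES))
    print(check_user(["Vendor Admin", "AP Approver"], CATALOG, POLICIES))
    print(refine_role("Accountant", CATALOG, HOLDERS, USED, REQUESTED))
```

Run against the guide's own examples, the catalog check flags the “Accountant” role (and “Senior Accountant”, which inherits it) because it bundles the permissions to make deposits and reconcile bank statements, the pair that the SoD example in the Role Definition feature table keeps apart. The per-user check catches a conflict that no single role contains.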
Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Role Definition | Courion | Option X |
|---|---|---|
| Use a single interface to manage access to a wide array of business resources, including applications, networks, IT accounts, local, remote and cloud-based systems, locally installed, client/server and cloud-based applications, LAN, wireless and Internet connectivity services, physical assets such as laptops and smartphones, and software licenses. | | |
| Define roles using business terminology (not technical jargon) | | |
| Assign a user friendly name to roles (for searching and filtering) | | |
| Add a user friendly description to roles | | |
| Define roles based on individual, granular entitlements (e.g. read-only access to a specific database) | | |
| Define roles based on groupings of existing roles and entitlements | | |
| Define roles based on titles or departments (e.g. Accountant, Vice President, IT Contractor, Sales, Customer Service) | | |
| Define roles based on applications or IT resources (e.g. Microsoft Office, Salesforce.com, Network Access, Laptop User) | | |
| Clone roles from existing roles | | |
| Model new roles based on existing roles (add/subtract) | | |
| Model new roles based on existing user access (add/subtract) | | |
| Create an entitlements “catalog” of available entitlements and roles | | |
| Use searching and filtering to identify relevant roles in the catalog | | |
| Assign tags to roles, and use tags for searching and filtering in the catalog | | |
| Allow users to use the catalog to define new roles combining groupings of existing entitlements and roles | | |
| Define Separation of Duties (SOD) and other access-related policies (e.g. the same user cannot have permissions to make deposits and reconcile bank statements) | | |
| Run new policies against existing roles and policies to flag policy violations | | |
| Set administrative policies about who is allowed to define roles (e.g., anyone, only managers, only Human Resources staff, only designated individuals for each department) | | |
| Limit permission to change a role definition to a designated “role owner” or “resource owner” | | |
| Require that changes to a role definition be approved by one or more specified individuals in addition to the role owner | | |
| Display role usage statistics, such as when a role was last modified and the number of times it has been assigned to users | | |
| Disable roles temporarily | | |
| Obtain role and user information from provisioning systems (integration) | | |
| Export role and user information to directories, applications, analytic tools and other external systems (integration) | | |
| Create a complete audit trail of all actions related to role creation, definition, modification, deletion and approvals. | | |
| Overall assessment for Role Definition | | |

Comments:
ACCESS REQUESTS
Primary participants: Business managers, employees, contractors and other system users
An Identity and Access Governance solution should make it as simple as possible for managers to request access permissions for direct reports, and for employees, contractors and other system users to request access for themselves.
People should be able to use business terminology, not technical jargon, to find relevant roles and understand the related entitlements. People should find appropriate entitlements and roles by using a role catalog with search and filtering techniques, and by using tags for searching and filtering.
It should be possible to allow some people to request permissions for everyone in the organization, and to limit other people to making requests for specific groups, or only for themselves.
It should be possible to restrict requests based on policy, and to filter roles and entitlements based on related criteria. For example, a member of the finance staff might be restricted to requesting entitlements related to finance, and would be able to apply a filter in the role catalog so that it would display only those entitlements.
Some applications and resources may involve options that do not affect security or governance; there should be a mechanism to allow people to request these options without creating many separate roles. For example, it should be possible to have a single role called “Laptop” with a choice of memory and screen size options. That is more efficient than creating separate resources called “Laptop, 8 MB memory, 13 in screen,” “Laptop, 8 MB memory, 15 in screen,” “Laptop, 16 MB memory, 13 in screen,” etc.
The systems should create a complete audit trail of every action related to requesting, approving and granting access.
This functionality is complementary to provisioning. Provisioning systems automate the process of requesting and granting access, especially when people enter and leave the organization. Some provisioning systems have front-end interfaces with the same features described here. But an access request tool can be used as part of an Identity and Access Governance solution without a provisioning system. It can be used in conjunction with one, especially if the provisioning system front end lacks key features or is hard to use.
There should be a mechanism to request options without creating separate roles for every combination
Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Access Requests | Courion | Option X |
|---|---|---|
| Request permissions for direct reports | | |
| Request permissions for self (self-service) | | |
| Request permissions for a specific list of users | | |
| Request access to a specific list of resources, such as applications | | |
| Use a role catalog with searching and filtering to quickly find and request relevant roles and entitlements | | |
| Request permissions based on existing roles and groupings of roles and entitlements | | |
| Use tags for searching and filtering in the catalog | | |
| Select options relevant to a specific resource (e.g. have one resource called “Sales Laptop” with a dynamic form to choose memory and screen size options) | | |
| Ability to delegate access requests (e.g., the director of a department can delegate to a manager the right to make access requests for all members of the department) | | |
| Use “bulk provisioning” to request one set of roles and entitlements for multiple direct reports, or for a list of users | | |
| Validate access requests against defined business policies and flag violations | | |
| When policy violations are flagged, allow requesters to override the policy through an exemption request | | |
| Share access request information with provisioning systems (integration) | | |
| Export access request information to Identity and Access Intelligence tools so they can identify suspicious activities and policy violations (integration) | | |
| Create a complete audit trail of all actions related to access requests | | |
| Overall assessment for Access Requests | | |

Comments:
ACCESS APPROVALS
Primary participants: Business managers and resource owners
An Identity and Access Governance solution should provide simple, efficient processes for business managers and resource owners to process access requests.
In this context “resource owners” are line-of-business or IT staff responsible for controlling access to applications, databases and IT services. They are the people who, along with business managers, understand what types of access users need to perform their jobs, and what entitlements can be given without compromising security, privacy rules and corporate policies.
Business policies may require multiple approvals for some requests. The solution should enforce these policies, for example by requiring approval from the requester’s immediate manager and department head, or from a manager and the “owner” of the requested resource.
The solution should provide an intuitive interface, so approvers can assess individual requests efficiently and manage dozens of requests each day.
The solution should alert approvers to potential policy violations.
Busy or absent approvers can be a bottleneck, preventing users from accessing resources needed for their work. To address this issue, the solution should provide reminder and escalation procedures to alert approvers and to allow higher-level managers or appropriate colleagues to step in.
The system should create a complete audit trail of every action related to approving access requests.
The solution should alert approvers to potential policy violations
Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Access Approvals | Courion | Option X |
|---|---|---|
| Assign approvals to business managers and resource owners | | |
| Require multiple approvals (e.g., a manager and a resource owner, or two levels of management) | | |
| Provide approvers with a list or inbox showing all waiting approval requests | | |
| Approve or reject individual line items in each request | | |
| Provide approvers with a detailed view of new access requests | | |
| Option to require a comment for each line item rejected | | |
| Alert approvers to potential policy violations (e.g. the same user cannot have permissions to make deposits and reconcile bank statements) | | |
| Delegate all requests to another manager or resource owner for a specified time period | | |
| Send email notifications of approvals and rejections to requesters | | |
| Optionally send email notifications of approvals and rejections to requesters’ managers and other interested parties | | |
| Send email reminders of pending requests to approvers | | |
| Send email notifications to approvers’ manager if no action taken after a specified time (e.g. no action 2 days after the request) | | |
| Create a complete audit trail of all actions related to access requests | | |
| Escalate approval to approvers’ manager if no action taken after a specified time (e.g. no action 3 days after the request) | | |
| Overall assessment for Access Approvals | | |

Comments:
ACCESS CERTIFICATIONS
Primary participants: Business managers, resource owners and auditors
An Identity and Access Governance solution should make it easy to initiate certifications, and should provide simple, efficient processes for business managers and resource owners to perform them.
In this context “resource owners” are line-of-business and IT staff responsible for managing access to applications, databases and IT services.
The solution should be able to support both comprehensive certification efforts (e.g., certifying access for all members of a department) and micro-certifications (certifying access for a single employee after a policy violation is detected).
Certifiers should be able to assess exactly what access is available to current users. They should be able to accept and reject individual instances of access rights, perform additional research, and reassign certifications to another appropriate manager or resource owner.
The system should give certifiers visibility into issues like excessive access rights and the violation of separation of duties and other policies.
To allow certifiers to process dozens or hundreds of decisions efficiently, the solution should provide an intuitive interface and features to allow decisions to be applied to multiple requests in one step.
The solution should provide reminder, escalation and delegation procedures to alert certifiers and to allow higher-level managers or appropriate colleagues to step in.
The system should create a complete audit trail of every action related to certification processes.
Certifiers should be able to accept and reject permissions, perform additional research, and reassign certifications to others
Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Access Certifications | Courion | Option X |
|---|---|---|
| Initiate certification reviews manually | | |
| Initiate certification reviews based on events (e.g. identification of policy violations) | | |
| Provide certifiers with a list or inbox showing all waiting certification requests | | |
| Provide certifiers with a detailed view of current levels of access for each user | | |
| Alert certifiers to potential policy violations (e.g. the same user cannot have permissions to make deposits and reconcile bank statements) | | |
| Approve or reject individual line items in each certification | | |
| Option to require a comment for each line item rejected | | |
| Give certifications a “Research” status if investigation is required | | |
| Reassign individual certifications to another manager or resource owner | | |
| Delegate all certifications to another manager or resource owner for a specified time period | | |
| Give each certifier a dashboard showing total number of certifications completed and outstanding, in total and broken down by certification type | | |
| Show each certifier the total number of certifications he or she has accepted and rejected, and the number accepted and rejected for each user, each role, and each application or resource | | |
| Send email notifications of certification results to users | | |
| Optionally send email notifications of certification results to managers and other interested parties | | |
| Send email notifications to certifiers’ manager if no action taken after a specified time | | |
| Escalate approval to certifiers’ manager if no action taken after a specified time | | |
| Create a complete audit trail of all actions related to certifications | | |
| Send email reminders to certifiers of incomplete certifications | | |
| Overall assessment for Access Certifications | | |

Comments:
AUDITS AND COMPLIANCE ANALYSIS
Primary participants: Auditors, compliance officers and risk managers
An Identity and Access Governance solution should capture every action related to creating, defining, modifying and deleting roles, to requesting and approving access, and to certifying permissions.
Standard reports should show actions related to access requests and approvals and certification reviews.
It should be easy to export all of this data to spreadsheets, databases, reporting tools and other systems so that auditors and compliance officers can use the information to verify compliance with regulations and corporate policies.
An Identity and Access Governance solution should also go beyond basic reporting by incorporating intelligent analytics. For example, an organization should be able to look at activity for accounts that are certified but have no log-ins or activity. They should be able to improve risk assessment, for example by determining which orphan accounts represent the highest risk and need to be addressed first. Analytics can also be used for better trend analysis, for uncovering subtle policy violations, and for tracking the organization’s overall compliance posture. Capabilities like these are covered in the “Identity and Access Intelligence” section of this guide.

Audits and Compliance Analysis

Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Audits and Compliance Analysis | Courion | Option X |
|---|---|---|
| Capture all actions related to creating, defining, modifying and deleting roles, and for approving modifications to roles | | |
| Capture all actions related to requesting access and approving access requests, including reassigning and delegating approvals | | |
| Capture all identified policy violations | | |
| Capture all actions related to certifications, including initiating certifications and approving and rejecting permissions | | |
| Capture all data needed to support audits related to SOX, GLBA, HIPAA, PCI DSS, UK Data Protection Act and other government regulations and industry standards | | |
| Capture data showing performance against key metrics (e.g. time to disable accounts of terminated employees, percentage of permissions certified quarterly) | | |
| Reports showing access request and approval actions | | |
| Reports showing access requests and approvals by target system and by resource | | |
| Reports showing access requests and approvals by user accounts | | |
| Reports showing certification review actions and results | | |
| Export data to spreadsheets, databases and reporting tools for analysis and reporting | | |
| Export data to Identity and Access Intelligence tools for data mining and sophisticated analyses | | |
| Overall assessment for Audits and Compliance Analysis | | |

Comments:

IDENTITY AND ACCESS INTELLIGENCE: MONITORING AND ANALYSIS
Primary participants: IAM analysts, resource owners, business managers, auditors, compliance officers and IT staff

Identity and Access Intelligence (IAI) goes beyond reporting to add two critical capabilities to Identity and Access Governance solutions:

1. Continuous monitoring, to detect access issues and policy violations quickly (rather than waiting weeks or months for certification reviews).
2. “Big data” and advanced analytic tools to process and interpret massive volumes of identity and access data, to identify vulnerabilities and subtle policy violations. [2]

Identity and Access Intelligence tools can be used by almost all of the individuals discussed in this document.

The basic components of an Identity and Access Intelligence system are shown in the diagram below.

[Figure: Overview of an Identity and Access Intelligence System]

[2] Enterprises today can easily generate billions of data points related to identity management. These include data about identities, resources, rights, policies, and identity and access-related activities. An organization with 1,000 system users, 5,000 user accounts and 1,000 entitlements would need to keep track of 5 billion combinations (1,000 x 5,000 x 1,000), and that figure doesn’t include actions performed by those users. Identity and Access Intelligence solutions need data warehousing tools to process those volumes of information, and business intelligence and data visualization tools to help pinpoint meaningful details. For more information see the Courion white paper Identity and Access Intelligence: How Big Data and Risk Analytics Will Revolutionize IAM.

Many types of identity and access-related data from many types of systems and devices are collected continuously in a data warehouse. This data is analyzed with reference to policies, compliance rules, threat definitions, and risk indicators.

When issues and policy violations are identified, either they are automatically remediated, or relevant managers and resource owners are alerted so they can take action.

Sophisticated data visualization and risk analytic tools can be used to find patterns in complex data, identify vulnerabilities, and pinpoint policy violations. With conventional reporting tools, many of these would remain hidden, or would have been detected only after incidents had already occurred.

An Identity and Access Intelligence system can make it much easier to uncover vulnerabilities and risk factors like:
• Orphan accounts
• Rights granted via inherited permissions and nested groups
• Individuals whose access rights significantly exceed norms for people in their jobs
• Abnormal numbers of rights granted by exception, or outside the approved corporate workflow

[Figure: Advanced analytic tools like heat maps help users uncover subtle policy violations and correctly prioritize risks]

Data visualization tools can help viewers assess what issues should be the highest priority based on multiple criteria. In the “heat map” example on this page, an automated analysis shows that orphan accounts B and C should be addressed before orphan account A. Although account A involves the highest-risk application, accounts B and C involve higher-risk entitlements and more activity, and therefore represent more serious risks that should be addressed first. It would be extremely difficult, if not impossible, to attain this insight with conventional reports.
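
The multi-criteria prioritization described above can be sketched in a few lines; this is an added example, not code from the guide or from any Courion product. The account records, the 1-5 risk scales, the activity bands and the weights are all constructed assumptions chosen to mirror the A/B/C heat map scenario.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: identities currently active in the HR source.
ACTIVE_IDENTITIES = {"e1001", "e1002"}

@dataclass(frozen=True)
class Account:
    name: str
    owner_id: Optional[str]   # linked identity, None if never linked
    app_risk: int             # 1 (low) .. 5 (high): risk of the application
    entitlement_risk: int     # 1 .. 5: highest-risk entitlement held
    actions_last_30d: int     # observed activity on the account

# Constructed accounts mirroring the heat map: A sits on the riskiest
# application, B and C hold riskier entitlements and are more active.
ACCOUNTS = [
    Account("A", None, app_risk=5, entitlement_risk=1, actions_last_30d=0),
    Account("B", "e0417", app_risk=3, entitlement_risk=5, actions_last_30d=140),
    Account("C", None, app_risk=3, entitlement_risk=4, actions_last_30d=60),
    Account("svc-hr", "e1001", app_risk=4, entitlement_risk=4, actions_last_30d=300),
]

# Assumed weights; a real deployment would take these from its risk policy.
WEIGHTS = {"app": 1.0, "entitlement": 2.0, "activity": 1.5}

def is_orphan(acct, active_ids):
    """An account is orphaned when no active identity owns it."""
    return acct.owner_id is None or acct.owner_id not in active_ids

def activity_band(actions):
    """Map raw activity onto the same 1..5 scale as the other criteria."""
    for band, ceiling in enumerate((0, 10, 50, 100), start=1):
        if actions <= ceiling:
            return band
    return 5

def risk_score(acct):
    """Weighted sum across the three heat map criteria."""
    return (WEIGHTS["app"] * acct.app_risk
            + WEIGHTS["entitlement"] * acct.entitlement_risk
            + WEIGHTS["activity"] * activity_band(acct.actions_last_30d))

def prioritize_orphans(accounts, active_ids):
    """Orphan accounts, highest combined risk first."""
    orphans = [a for a in accounts if is_orphan(a, active_ids)]
    return sorted(orphans, key=risk_score, reverse=True)

def rank_by_app_only(accounts, active_ids):
    """What a single-column report sorted on application risk would show."""
    orphans = [a for a in accounts if is_orphan(a, active_ids)]
    return sorted(orphans, key=lambda a: a.app_risk, reverse=True)

if __name__ == "__main__":
    for acct in prioritize_orphans(ACCOUNTS, ACTIVE_IDENTITIES):
        print(acct.name, risk_score(acct))
```

Sorting on application risk alone puts account A first, while the combined score ranks B and C ahead of it, which is the difference between a conventional report and the heat map view.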

Additional uses of Identity and Access Intelligence tools include:
• Alerting security analysts, anti-fraud groups and incident response teams to “privilege escalation” and other symptoms of persistent threats and other attacks.
• Tracking positive and negative trends.
• Analyzing massive amounts of identity and access data against policies and company-defined models of activity patterns.
• Performing “what-if” analysis of the impact of policy changes.

Identity and Access Intelligence tools can be a critical part of provisioning as well as Identity and Access Governance solutions, but here we will focus on uses for governance.

Identity and Access Intelligence

Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Identity and Access Intelligence | Courion | Option X |
|---|---|---|
| Provide out of the box connectors and collectors to gather data continuously from enterprise directories, governance solutions, policy creation tools, security products and other data sources | | |
| Gather information from sources of unstructured data (e.g. file shares) as well as sources of structured data (databases) | | |
| Provide ETL (extract, transform and load) and data warehouse tools to transform information from disparate systems into a common format so it can be correlated and analyzed | | |
| Provide “Big data” business analysis capabilities to correlate millions or billions of identity-resource-permission relationships | | |
| Detect orphan accounts | | |
| Detect violations of Separation of Duties (SoD) policies | | |
| Detect individuals with permissions associated with former positions | | |
| Detect factors associated with vulnerabilities, such as shared passwords, weak passwords and very old accounts | | |
| Detect rights granted through exceptions or outside the approved workflow (“out of band”) and trigger reviews by resource owners | | |
| Detect excessive numbers of accounts or permissions granted by an administrator or other privileged user | | |
| Detect rights granted via inherited permissions and nested groups | | |
| Detect individuals with rights in excess of those in the same department or with similar roles | | |
| Detect risk indicators, such as privileged accounts created and deleted within a short period, or multiple failed logins followed by a successful login | | |
| Provide heat maps and other analysis and visualization tools to identify high-risk and recurring policy violations | | |
| Automatically initiate de-provisioning actions when dangerous activities are detected | | |
| Automatically initiate certifications when suspicious activities or permissions are detected | | |
| Automatically initiate certifications when risk levels change | | |
| Alert administrators, managers and compliance officers to “privilege escalation” and other symptoms of persistent threats and other attacks | | |
| Track positive and negative trends in access requests and policy violations | | |
| Alert administrators, managers and compliance officers when policy violations are detected | | |
| Provide graphs and reports to highlight sources of risk (e.g. individuals who deviate from group norms or cause the most policy violations) | | |
| Performing “what-if” analyses of the impact of changes (e.g. the number of people or accounts that would be affected by modifying a policy) | | |
| Overall assessment for Identity and Access Intelligence | | |

Comments:

SOLUTION DEPLOYMENT AND INTEGRATION
Primary participants: IT Staff (administrators, operations, applications, etc.)

An IT organization should be able to deploy an Identity and Access Governance solution in a short timeframe, without needing to install complex new infrastructure or acquire new skills. Fast deployment lowers implementation costs and starts generating value for the enterprise sooner.

Ongoing administration should be straightforward, to minimize the burden on the IT staff.

Identity and Access Management systems need to interact with a wide variety of external systems, to share information about users, roles, access activities, security events and other data. Do-it-yourself integrations with these systems can be very costly to code and maintain, and working on them can delay implementation. Therefore it is very advantageous if the solution can be integrated with a very wide range of systems and applications using out-of-the-box connectors supported by the vendor.

There should also be tools to facilitate the rapid development of custom connectors when out-of-the-box solutions are not available.

Solution Deployment and Integration

Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Solution Deployment and Integration | Courion | Option X |
|---|---|---|
| Intuitive tools for installation and configuration | | |
| Little or no requirement for programming skills to install and configure | | |
| Run on industry-standard web and application servers so no specialized installation or management skills are required | | |
| Lightweight infrastructure (e.g. no need to install middleware or an enterprise directory) | | |
| Modular design – solution modules can be deployed in whatever order provides the quickest benefit to the business | | |
| Ability to extend the database schema of the solution to hold additional types of information from integrated systems such as business applications and security products | | |
| Out-of-the-box connectors to enterprise directories and access control systems (e.g. Microsoft Active Directory, LDAP, OpenLDAP, IBM RACF, Sun Directory Server, CA-ACF2) | | |
| Out-of-the-box connectors to systems with industry standard operating systems (e.g. Red Hat Linux, SUSE Linux, IBM AIX, IBM z/OS, HP-UX, Solaris) | | |
| Out-of-the-box connectors to business applications (e.g. SAP, PeopleSoft, Oracle E-Business Suite) | | |
| Out-of-the-box connectors to databases and collaboration products (e.g. SQL, MySQL, Oracle Database, Microsoft Exchange, Novell GroupWise, IBM Lotus) | | |
| Out-of-the-box connectors to SIEM, DLP and other security products (e.g. RSA Authentication Manager, RSA SecurID, Citrix SSO, Imprivata OneSign, RSA DLP Suite, RSA enVision, McAfee ePO, Symantec Data Loss Prevention) | | |
| Rapid development kit (RDK) to integrate the solution with other systems when out-of-the-box connectors are not available. | | |
| Overall assessment for Deployment and Integration | | |

Comments:

Summary of Assessments by Section

Scoring (Yes/No, High/Med/Low, 1-5 scale, other)

| Summary of Assessments by Section | Courion | Option X |
|---|---|---|
| Role Definition | | |
| Access Requests | | |
| Access Approvals | | |
| Access Certifications | | |
| Audits and Compliance Analysis | | |
| Identity and Access Intelligence: Monitoring and Analysis | | |
| Solution Deployment and Integration | | |
| Overall assessment | | |

Comments:

APPENDIX: OVERVIEW OF COURION PRODUCTS

Governance

Access Request Manager
Courion’s access request solution provides intuitive, easy to use processes for authorized users to create, review and approve access requests.

ComplianceCourier®
Courion’s access certification and compliance management solution provides organizations the ability to automate the verification and remediation of access rights. It extends the responsibility and accountability for compliance to the most appropriate resources, enabling business users to monitor and enforce access to sensitive data and other vital corporate assets. Powerful analysis tools provide a visually rich interface that makes it easier to monitor compliance and reduce enterprise risk.

RoleCourier®
Courion’s role lifecycle management solution automates role creation and ongoing role management, enabling organizations to effectively align business roles with IT accounts and access rights. RoleCourier’s unique hybrid approach combines “top-down” role design and “bottom-up” role mining to create a platform for robust long-term role lifecycle management that flexibly adapts to today’s changing business environment.

Identity and Access Intelligence

Access Insight®
Courion’s Identity and Access Intelligence solution applies predictive analytics to manage business, people, asset and security risks, automatically creating near-real-time graphical profiles of the most critical security risks to information, as part of a total Identity and Access Management strategy.

Provisioning

AccountCourier®
Courion’s user provisioning solution enables enterprises to fully automate new hire, promotion/transfer and termination processes. With its flexible workflow engine and ability to connect to multiple authoritative sources, AccountCourier provides a common access management environment for both IT accounts and physical assets.

PasswordCourier®
Courion’s password management solution enforces consistently strong password policies and enables users to instantly and securely reset their own passwords on enterprise systems, applications, and Web portals. Transparent synchronization lets users use one password to access multiple systems, improving convenience, enhancing security, and increasing adoption. Multiple self-service entry points are available, such as Web, desktop PC, voice authentication, IVR, or via support staff.

For information on these Courion products, please visit www.courion.com or contact your Courion representative or reseller.

About Courion

With deep experience and more than 600 customers managing over 10 million identities, Courion is the market leader in Identity and Access Management (IAM), from provisioning to governance to Identity and Access Intelligence (IAI). Courion provides insight from analyzing the big data generated from an organization’s identity and access relationships so users can efficiently and accurately provision, identify and minimize risks, and maintain continuous compliance. As a result, IT costs are reduced and audits expedited. With Courion, you can confidently provide open and compliant access to all while also protecting critical company data and assets from unauthorized access. For more information, please visit www.courion.com or read http://blog.courion.com.

FOR MORE INFORMATION

World Headquarters
COURION CORPORATION
1900 West Park Drive
Westborough, MA USA 01581
Phone: +1 508-879-8400
Toll-free: 1-866-COURION

APAC
COURION IT PRIVATE LTD
305, Pride Purple Accord,
S.N. 3/6/1 Baner Road,
Pune, Maharashtra, India 411045
Phone: +91 (20) 6687-9100

Copyright © 1996-2014 Courion Corporation. Courion, the Courion logo, Access Insight, AccountCourier, CertificateCourier, PasswordCourier, ProfileCourier, RoleCourier are registered trademarks of Courion Corporation. Access Assurance Suite, ComplianceCourier, and Enterprise Provisioning Suite are trademarks of Courion Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Any rights not expressly granted herein are reserved.