Kuppinger Cole Virtual Conference: The Three Elements of Access Governance
Martin Kuppinger, Kuppinger Cole
December 8th, 2009
This virtual conference is sponsored by Axiomatics and Oracle
© Kuppinger Cole 2009, Page 2
www.id-conf.com/eic2010
• MARKET MATURITY
• REGULATION, PRIVACY, INFORMATION SECURITY
• GOVERNANCE, MITIGATING RISK
• CLOUD COMPUTING & TRUST
• ROLES AND ATTRIBUTES
• AUTHENTICATION & AUTHORIZATION
CREATING MORE VALUE FOR LESS THROUGH IDENTITY MANAGEMENT & GRC
Call for Speakers: http://www.id-conf.com/events/eic2010/callforspeakers
Sponsors/Exhibitors:
http://www.id-conf.com/events/eic2010/sponsorinfo
Virtual Conference
Enterprise Access Governance: Controlling Access, Ensuring Information Security
www.kuppingercole.com/webinars
DECEMBER 8-9, 2009
• How to efficiently mitigate your “access risks”
• Full Access Governance – combining access certification, role management, provisioning, and privileged access management
• RBAC vs. ABAC: Comparing Role Based and Attribute based Access
• The business view – Enterprise GRC vs. IT-GRC and where they should be linked
• Mitigating application security risks
• How does Access Governance fit into your GRC roadmap?
Kuppinger Cole Reports
Some of the current reports:
•Market Report Cloud Computing
•Product Report Radiant Logic Virtual Directory Server
•Vendor Report Arcot Systems
•Product Report Sun Identity Manager
•Vendor Report ActivIdentity
•Trend Report Enterprise Role Management
•Vendor Report Quest Software
•Product Report SailPoint IdentityIQ
•Vendor Report BHOLD 2009
•Vendor Report Entrust 2009
•Vendor Report Oracle 2009
•Vendor Report Evidian
•Business Report Key Risk Indicators
http://www.kuppingercole.com/reports
Some guidelines for the Webinar
You will be muted centrally. You don't have to mute/unmute yourself – we control the mute/unmute features
We will record the Webinar
Q+A will be at the end – you can ask questions using the Q+A tool at any time; we will pick them up at the end or, if appropriate, during the Webinar
Agenda
Part 1, Martin Kuppinger:
• The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access Management
Part 2:
• Q+A
Access Governance defined
Access Governance
• Access: managing access to systems and information – who is allowed to do what?
• Governance: enforcing a good practice of management – in this case particularly for IT
Context: IAM
• Identity and Access Management: the management of identities and their access
• It's mainly about access – but we need identities for that
Context: GRC
• Governance, Risk Management, and Compliance
• Governance as the basic concept
• Risk Management and Compliance as elements of Governance
Context: Information Security
• Information Security is the business term
• That's why we mainly deal with topics like IAM and Access Governance
The three elements of Access Governance
[Figure: the main elements, arranged by Analysis vs. Management and by type of account („Standard“ user vs. Admin user)]
• Analysis: Attestation/Recertification, Auditing
• Management: Authorization Management, Privileged Account Management (for admin users)
Attestation and Recertification: Analyzing the situation
Attestation/Recertification: the (manual) process of having responsible persons go through existing access controls (authorizations, entitlements) and attest or revoke them
• Manual control process
• Regularly performed at the departmental manager level (but be careful on that)
• Supported by escalations and other procedures
The need for attestation: 5 good reasons
• Attestation is a first step to clean up access controls
• Attestation is (if done right) a continuous audit mechanism
• Attestation can show issues in identity and access lifecycle management
• Attestation educates users about the need for security
• Attestation can decrease access control-related IT security risks and the operational risks that depend on them
Approaches to attestation
Example of vendor rating, from worse to good:
• One-way, audit-oriented → Two-way, actionable
• Single-layered → Multi-layered
• Point-of-time → Continuous
• Undifferentiated → Risk-based
Technical approaches
• Attestation as singular solution
• Attestation as part of IAM-GRC platforms
• Attestation as part of overall GRC platforms
• Identity Provisioning with reconciliation
• Attestation features in Provisioning
• Expand/integrate/move to IAM-GRC platforms
Multi-layered attestation
[Figure: four layers, each with its objects, the party that owns it, the attestation question and who attests]
• System Security: Access Controls, owned by System Administration. Question: Correct Access Controls? Attested by Identity Management + System Administration
• System Roles: Groups, Roles, Profiles, owned by Identity Management. Question: Correct Assignments? Attested by Business IT + Identity Management
• Business Roles: Job, Hierarchy, Location, Project,…, owned by Business IT. Question: Correct Business Roles? Attested by Management + Business IT
• Employees: Tasks, Projects,…, owned by Management
More Analysis: Adding Automated Controls
Automated Controls support the ongoing analysis and (potentially) the real-time detection of issues
Advanced analysis mechanisms support the ad hoc analysis
Specific attestation/recertification solutions typically support at least ad hoc controls
Relevant as well for typical day-by-day IT operations
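How such automated controls and a risk-based, two-way attestation run can look in code, as an added example that is not part of the deck (it also illustrates the rating dimensions on the "Approaches to attestation" slide: two-way/actionable, continuous, risk-based). Everything in it is constructed for illustration: the HR feed, the systems, the entitlement risk scores and the segregation-of-duties rule. Routing each item to the owner's line manager from HR is one possible design, not a feature of any product named here:

```python
"""Automated access controls and a risk-based, two-way attestation campaign.

Added example (not from the Kuppinger Cole deck): all users, systems,
entitlements, risk scores and SoD rules below are constructed. It models the
entitlement data an Access Governance tool collects and shows (a) continuous
automated controls (orphaned accounts, segregation-of-duties conflicts) and
(b) an attestation run that is risk-based (only high-risk or stale items
reach a reviewer) and actionable (reviewer decisions become revocations).
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2009, 12, 8)

# Constructed HR feed: is the identity still active, and who is the line manager?
HR = {
    "alice": {"manager": "carol", "active": True},
    "bob":   {"manager": "carol", "active": False},   # left the company
    "carol": {"manager": "dave",  "active": True},
}

# Constructed entitlement catalogue with a risk score per entitlement (1..5).
RISK = {
    "sap:FI_POST": 3,        # post journal entries
    "sap:FI_APPROVE": 3,     # approve journal entries
    "ad:Domain Admins": 5,
    "ad:Sales Share": 1,
}

# Segregation-of-duties rules: entitlement sets no single person may hold.
SOD = {frozenset({"sap:FI_POST", "sap:FI_APPROVE"})}


@dataclass
class Account:
    user: str
    system: str
    entitlements: set
    last_attested: date


ACCOUNTS = [
    Account("alice", "sap", {"sap:FI_POST", "sap:FI_APPROVE"}, date(2009, 1, 15)),
    Account("alice", "ad", {"ad:Sales Share"}, date(2009, 11, 1)),
    Account("bob", "ad", {"ad:Domain Admins"}, date(2008, 6, 1)),
    Account("carol", "ad", {"ad:Domain Admins"}, date(2009, 10, 1)),
]


def orphaned_accounts(accounts, hr):
    """Automated control: accounts whose owner is unknown to HR or inactive."""
    return [(a.user, a.system) for a in accounts
            if not hr.get(a.user, {}).get("active", False)]


def sod_violations(accounts, rules):
    """Automated control: SoD conflicts, evaluated across all of a user's accounts
    (a per-system check would miss a conflict spread over two systems)."""
    held = {}
    for a in accounts:
        held.setdefault(a.user, set()).update(a.entitlements)
    return sorted((user, tuple(sorted(rule)))
                  for user, ents in held.items()
                  for rule in rules if rule <= ents)


def risk_score(account):
    """An account is as risky as its most sensitive entitlement."""
    return max((RISK.get(e, 1) for e in account.entitlements), default=0)


def build_campaign(accounts, hr, today, max_age_days=90, min_risk=3):
    """Risk-based attestation: route high-risk or stale accounts to the owner's
    line manager from HR; fall back to a security admin when HR has no manager."""
    items = []
    for a in accounts:
        stale = (today - a.last_attested).days > max_age_days
        if risk_score(a) >= min_risk or stale:
            reviewer = hr.get(a.user, {}).get("manager", "security-admin")
            items.append({"reviewer": reviewer, "user": a.user, "system": a.system,
                          "entitlements": sorted(a.entitlements), "risk": risk_score(a)})
    return sorted(items, key=lambda item: -item["risk"])   # most risky first


def apply_decisions(accounts, decisions):
    """Two-way attestation: each (user, system, entitlement, keep) decision with
    keep=False becomes a revocation; the list is returned so provisioning can
    execute it instead of the result ending up only in an audit report."""
    revoked = []
    for user, system, ent, keep in decisions:
        if keep:
            continue
        for a in accounts:
            if a.user == user and a.system == system and ent in a.entitlements:
                a.entitlements.discard(ent)
                revoked.append((user, system, ent))
    return revoked
```

Running the two automated controls against the constructed data flags bob's Domain Admins account (owner inactive) and alice's SAP post/approve conflict; the campaign then contains only the three risky or stale accounts, so alice's low-risk, recently attested file-share access never reaches her manager. A decision to revoke one side of the conflict clears the SoD finding, which is what "closing the loop" between analysis and management means.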
The situation: increasing pressure on IT management and operations
• Growing number of compliance regulations
• Increasing awareness of the need for IT Governance
• Increasing complexity of IT environments – breadth and depth
• Changing role of IT – less autonomy, more focus on efficient fulfillment
• More fear and awareness of security breaches
The result
More requests
More answers to provide
Less time to deliver
Higher workload for fewer people
Operational work is heavily affected
The real world of core systems
• Many servers, different systems
• Different operators, frequently some inconsistency in operations
• Large amount of data
• Large amount of controls
Answering questions like „what has Mr. X done, and when“ requires:
• access to different systems at a detailed level
• strong capabilities in mapping and normalizing data
• strong analytic capabilities
• good reporting tools
The Reality: Missing auditability
• Which systems are out there? Few enterprises know them all
• Which users have access to which systems? Sometimes known for central systems, if a provisioning tool is deployed (sometimes even via E-SSO)
• Which granular entitlements do they have? Usually insufficiently solved, even for core systems like Active Directory and SAP
Auditing, SIEM, Operations Management
System-level Auditing:
• Data: current state and historical data
• Timing: ex post
• Focus: security-focused
• Scope: mainly access controls
SIEM:
• Data: current events, sometimes historical
• Timing: real time
• Focus: security-focused
• Scope: all types of security events, frequently more „classical security“ than access controls
Operations Management:
• Data: current events
• Timing: real time
• Focus: operations-focused, all types of operational aspects
• Scope: all types of events
Approaches to audit optimization
Integration
• Define the required elements – less is more
• Platforms help – few platforms are better than many point solutions
• Integrate these elements to support drill-down
Automation
• Focus on automated collection and strong analytical capabilities
Authorization Management: Closing the loop
The different terms – all about the same
• Access Control
• Authorization Management
• Entitlement Management
Authorization Management
• Actively managing access
• Not detective, but preventive
Authorization Management: Closing the loop
[Figure: a closed loop between Managing Authorizations and Analysis and Recertification]
Authorization Management: Beyond Attestation
[Figure: business and IT layers above the objects that attestation covers]
• Business side: Business Policies, Business Roles
• IT side: IT Management, IT Controls
• Objects: Policies; Roles, Groups; Entitlements; Attestation
Multi-layered Authorization Management
• Business Policies
• Assignment of Users to Groups, Roles, Profiles (Provisioning)
• Management of detailed Entitlements (System and App level, might be XACML based,…)
The Reality: Missing consistency
Consistent, centralized Authorization Management for heterogeneous environments?
• Windows, Active Directory, Exchange, SharePoint,…
• SAP, Enterprise Portals, other Business Applications,…
• Host, own applications,…
The Reality: Missing management
[Figure: two layers]
• Controls layer: Status analysis
• System layer: Authorization Management
Privileged Account Management: Focus on sensitive accounts
Adding privileged accounts
How to control the access of users using these accounts?
Emerging field, not fully covered by existing approaches (neither detective nor preventive)
Many terms, one target
The terms:
• PAM: Privileged Account Management
• PIM: Privileged Identity Management
• PUM: Privileged User Management
• Root Account Management
The target:
• Controlling privileged accounts and how they are used
Privileged Accounts: Beyond „root“
Administrators:
• root
• Windows Administrators (Domain and local)
• Database Administrators
• …
Technical users:
• System accounts
• Service accounts
Why are these accounts that critical?
• Not necessarily associated with a single physical person
• Elevated privileges
• High risk
• Missing lifecycle management
• Missing auditability
PAM: The approaches
• Differentiated auditing of administrative activities
• Integration with Lifecycle Management approaches – no orphaned privileged accounts
• One-time passwords for privileged accounts
• Reduced entitlements of privileged accounts, for example using specialized shells
• Organizational actions
• Automatic generation of passwords for accounts without interactive logon
• Avoiding technical users
• SSO for privileged accounts
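A minimal model of several of these approaches, as an added example that is not from the deck or from any PAM product: one-time passwords for a shared privileged account, automatic generation of the secret, rotation on check-in or lease expiry, a lifecycle check for orphaned privileged accounts, and an audit trail that ties each use of root to a named person (the "not associated with a single physical person" problem from the previous slide). Account names, user names, the HR set and the lease length are constructed; a real vault would push the rotated password to the target system, which is modelled here by the vault's own hash check:

```python
"""Privileged credential check-out with one-time passwords and attribution.

Added example, not from the deck or any PAM product: a minimal vault that
(1) issues a freshly generated, single-use password for a shared privileged
account only to a named identity that is still active in HR,
(2) rotates the password on check-in or lease expiry so the person no longer
holds a valid secret, (3) flags privileged accounts whose owner has left, and
(4) records who used which account, when and why. Account names, user names
and the HR set are constructed; pushing the new password to the target system
is modelled by the vault's own hash check.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

T0 = datetime(2009, 12, 8, 9, 0)    # constructed reference time
LEASE = timedelta(hours=1)          # constructed maximum check-out duration


class PrivilegedVault:
    def __init__(self, hr_active, lease=LEASE):
        self.hr_active = set(hr_active)   # fed from identity lifecycle management
        self.lease = lease
        self.accounts = {}                # account -> {"owner": str, "hash": str}
        self.leases = {}                  # (account, requester) -> expiry
        self.audit = []                   # append-only: (time, action, account, who, reason)

    @staticmethod
    def _new_secret():
        """Generated, never chosen: 24 random bytes, stored only as a digest.
        A plain hash is acceptable here because the secret is high-entropy
        and single-use, not a human-chosen password."""
        pw = secrets.token_urlsafe(24)
        return pw, hashlib.sha256(pw.encode()).hexdigest()

    def register(self, account, owner):
        """Every privileged account gets a responsible owner and a secret that
        nobody knows until it is checked out."""
        _, digest = self._new_secret()
        self.accounts[account] = {"owner": owner, "hash": digest}

    def orphaned(self):
        """Lifecycle control: privileged accounts whose owner is no longer active."""
        return sorted(a for a, meta in self.accounts.items()
                      if meta["owner"] not in self.hr_active)

    def checkout(self, account, requester, reason, now):
        """Hand out a one-time password for `account` to a named person."""
        if account not in self.accounts:
            raise KeyError(account)
        if requester not in self.hr_active:
            self._log(now, "DENY", account, requester, reason)
            raise PermissionError(f"{requester} is not an active identity")
        pw, digest = self._new_secret()
        self.accounts[account]["hash"] = digest
        self.leases[(account, requester)] = now + self.lease
        self._log(now, "CHECKOUT", account, requester, reason)
        return pw

    def checkin(self, account, requester, now):
        """Rotate the secret so the returned password stops working."""
        self.leases.pop((account, requester), None)
        _, self.accounts[account]["hash"] = self._new_secret()
        self._log(now, "CHECKIN", account, requester, "")

    def expire(self, now):
        """Rotate every account whose lease lapsed without a check-in."""
        lapsed = [key for key, expiry in self.leases.items() if expiry <= now]
        for account, requester in lapsed:
            self.checkin(account, requester, now)
            self._log(now, "EXPIRED", account, requester, "")
        return lapsed

    def verify(self, account, pw):
        """What the target system would check against the pushed secret."""
        digest = hashlib.sha256(pw.encode()).hexdigest()
        return secrets.compare_digest(digest, self.accounts[account]["hash"])

    def _log(self, now, action, account, requester, reason):
        self.audit.append((now.isoformat(), action, account, requester, reason))


def demo():
    """Walk through one lease lifecycle; returns (orphans, audit actions in order)."""
    vault = PrivilegedVault(hr_active={"alice", "carol"})
    vault.register("root@db01", owner="carol")
    vault.register("root@web01", owner="bob")       # bob has left: orphaned
    pw = vault.checkout("root@db01", "alice", "INC-1234 disk full", T0)
    assert vault.verify("root@db01", pw)
    vault.checkin("root@db01", "alice", T0 + timedelta(minutes=10))
    assert not vault.verify("root@db01", pw)        # password was single-use
    try:
        vault.checkout("root@db01", "bob", "cleanup", T0)
    except PermissionError:
        pass                                        # denied and logged
    pw2 = vault.checkout("root@db01", "alice", "CHG-42 patching", T0)
    vault.expire(T0 + 2 * LEASE)                    # alice forgot to check in
    assert not vault.verify("root@db01", pw2)
    return vault.orphaned(), [entry[1] for entry in vault.audit]
```

`demo()` walks one lease lifecycle: the audit trail reads CHECKOUT, CHECKIN, DENY, CHECKOUT, CHECKIN, EXPIRED, every entry naming a person rather than just "root", and the orphan check reports the account whose owner is no longer in HR. The "reduced entitlements" and "specialized shells" points on the slide are outside this model; they are enforced on the target system, not in the vault.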
PAM market: Evolution
• Point solutions
• PAM suites
• Integration with Identity Lifecycle Management
• Application Security Infrastructures
• Identity Federation, End-to-End Security
• Changing Security Models at the System Level (OS, Business Apps,…)
Maturity Levels of PAM approaches
• Missing. Status: no PAM at all. Tools: none. Risk: very high.
• Ad hoc. Status: point solutions, typically for UNIX/Linux. Tools: mainly sudo. Risk: very high.
• Unplanned. Status: non-coordinated use of point solutions. Tools: PAM tools for specific system environments. Risk: still high.
• Isolated. Status: coordinated use of PAM tools, but not integrated with other security approaches. Tools: cross-platform PAM solutions. Risk: reduced.
• Integrated. Status: integration of PAM with provisioning, Access Governance, and application architectures. Tools: cross-platform PAM, provisioning, Access Governance, application security infrastructures. Risk: minimized.
Putting it all together: Consistent strategies
• Define a strategy – go beyond tactics
• Understand the relationship between different GRC layers
• Combine reactive and preventive approaches
• Combine analysis/attestation and active management
• Focus on a small set of tools – keep it simple
Information Security and Access Governance
[Figure: Access Governance as part of Information Security]
Access Governance comprises:
• Attestation and Recertification
• Advanced Analysis and Auditing
• Authorization Management
• Privileged Account Management