© 2015 IBM Corporation
The Cross-Examination of Identity Governance and Intelligence
David Tyrrell, IBM Identity Governance Specialist, IBM Security
Nick Oropall, Market Segment Manager – Identity Governance, IBM Security
Slide 2: Who Has the Proper Access? Can You Prove it?
IBM and Business Partner internal use only
(Image source: WIRED)
Slide 3: Why is it important to understand who has what access?
• 55% of all attacks are caused by insider threats**
• 60% of all users have unnecessary access
**Source: 2Q15 X-Force Report
Slide 4: Roles – We're here to help?
Example roles: Accounting – New York; Sales – New York; Sales Managers – New York; Sales – Austin; HR – Austin
Roles are great for provisioning but cause problems when trying to find risk!
Slide 5: The Pain Chain
Participants in the chain (numbered 1–6 on the slide): CFO, CEO, COO; Internal Auditor; IT Security; Application Manager; Business Manager.
Questions and answers passed along the chain (from the slide's speech bubbles):
• Are we properly managing user access? Will our security controls pass the next audit?
• Could you prove that John Smith has "appropriate" permissions for his job?
• Can you confirm that John Smith has the proper access?
• Can you confirm that John Smith has the proper entitlements?
• I can tell you what access John has – I can't tell if it's appropriate.
• I could… if I was technical enough to understand all these IT details…
Slide 6: Bridging Business, Auditor and IT points of view
Business-centric activity mapping to better engage with the Business.
Systems shown: Mainframe, CRM, ERP, HR
IT Roles and Entitlements are mapped to Business Activities, for example: View Accounts Payable, Create Sales Record, Create Purchase Order, Update Payroll
Map business activities to IT roles and entitlements.
Slide 7: IGI – User access and business activities view
• Who are the users that I can manage?
• What is the assigned access?
• Which business activities can they perform?
Slide 8: What is a role?
Example roles: Accounting – New York; Sales – New York; Sales Managers – New York; Sales – Austin; HR – Austin
Slide 9: How do we provide it?
Business Activity Mapping
• Linking application permissions to a unified business process taxonomy
• Application owner driven task
(Figure label: Application Permissions)
Slide 10: Audit findings are not the only driver
Slide 11: APQC Process Classification Framework
Industry Specific Activity Trees
• High-level enterprise process model that allows organizations to see their business processes in a structured taxonomy
• Open standard administered by APQC
• The most used process framework in the world
• Easily extended to support specific audit & risk goals
• Industry specific trees developed in conjunction with IBM industry experts since 2008:
Aerospace and Defence, Airline, Automotive, Banking, Broadcasting, City Government*, Consumer Electronics*, Consumer Products, Cross-Industry, Health Insurance Payer*, Healthcare Provider*, Life Sciences, Petroleum Downstream, Petroleum Upstream, Pharmaceutical, Property and Casualty Insurance, Retail*, Telco, Utilities
*Content from other contributors
Slide 12: What Value Do Business Activities Bring to Customers?
1. Business-centric view versus technology-centric view
• "Raise Purchase Orders" vs "Z3-PRCH-1"
• "Business View" in Access Request and Review
• Revocation of Business Activity rather than Access
2. Sensitive/Privileged Access Risk
• Highlighting users who carry risk due to the activities they are able to perform
3. Business-centric SoD
• Speaks the language of the auditor – 1:1 mapping with the auditor provided SoD rules
• Removes any reliance on roles
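Added example (not from the deck or from IBM's product) of what business-centric SoD looks like in code: technical entitlements are mapped to business activities, a user's access is flattened across org-unit roles and direct grants, and auditor rules written in activity terms are checked against the result, so a conflict split across two roles is still found. Only the deck's "Z3-PRCH-1" / "Raise Purchase Orders" pair and its activity names are taken from the slides; every other entitlement code, role content and rule is constructed for illustration.

```python
"""Constructed example: business-activity mapping and activity-level SoD."""
from dataclasses import dataclass, field

# Constructed mapping of technical entitlements to business activities
# (the deck's own example is "Z3-PRCH-1" -> "Raise Purchase Orders").
ACTIVITY_OF = {
    "Z3-PRCH-1": "Raise Purchase Orders",
    "Z3-PRCH-9": "Approve Purchase Orders",   # hypothetical entitlement
    "SAP-AP-VIEW": "View Accounts Payable",
    "CRM-SALES-CRT": "Create Sales Record",
    "HR-PAY-UPD": "Update Payroll",
}

# Org-unit roles bundle entitlements but say nothing about risk:
# the two conflicting purchasing activities sit in different roles.
ROLES = {
    "Accounting - New York": {"SAP-AP-VIEW", "Z3-PRCH-9"},
    "Sales - New York": {"CRM-SALES-CRT", "Z3-PRCH-1"},
    "HR - Austin": {"HR-PAY-UPD"},
}

# Auditor-provided SoD rules, expressed 1:1 in business-activity terms.
SOD_RULES = [
    ("Raise Purchase Orders", "Approve Purchase Orders"),
    ("Update Payroll", "View Accounts Payable"),
]

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    direct_entitlements: set = field(default_factory=set)

def entitlements(user, roles=ROLES):
    """Flatten everything the user holds, via roles or directly."""
    ents = set(user.direct_entitlements)
    for r in user.roles:
        ents |= roles[r]
    return ents

def activities(user, roles=ROLES, mapping=ACTIVITY_OF):
    """Business view of a user: activity -> entitlements granting it.
    Entitlements with no mapping are surfaced, not silently dropped."""
    view = {}
    for e in entitlements(user, roles):
        view.setdefault(mapping.get(e, f"UNMAPPED:{e}"), set()).add(e)
    return view

def sod_violations(user, rules=SOD_RULES, roles=ROLES):
    """Return (rule, entitlements to revoke) for each violated rule;
    revocation targets the second activity, whichever role granted it."""
    view = activities(user, roles)
    return [((a, b), sorted(view[b])) for a, b in rules if a in view and b in view]
```

Role names alone ("Accounting - New York" plus "Sales - New York") reveal nothing; the activity view shows the Raise/Approve conflict and names the exact entitlements to revoke.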
Slide 13: How wide is Access Risk?
(Figure: Users, Privileged Users, Access Risk)
Slide 14: Expand the value of security solutions through integration
Global Threat Intelligence; Consulting Services | Managed Services; IBM Security Research
Security domains shown: Endpoint, Identity and Access, Applications, Data, Mobile, Network, Advanced Fraud, Security Intelligence, Cloud
Products shown: QRadar Risk Manager, QRadar Incident Forensics, SiteProtector, Network Protection XGS, Key Lifecycle Manager, Guardium, zSecure, BigFix, Trusteer Apex, IBM MaaS360, Trusteer Mobile, Trusteer Rapport, Trusteer Pinpoint, Identity Manager, Access Manager, Identity Governance and Intelligence, Privileged Identity Manager, DataPower Web Security Gateway, AppScan, Cloud Security Enforcer, QRadar SIEM, QRadar Vulnerability Manager, QRadar Log Manager
Slide 15: IBM is a Leader in the 2016 Gartner Magic Quadrant for Identity Governance and Administration
Gartner, Inc. positions IBM as a LEADER in Identity Governance and Administration (IGA).
"An increased focus on threat protection, including insider threats, is driving integration of IGA products with overall threat detection and analysis tools, specifically with SIEM and user and entity behavioral analytics (UEBA) products. IGA can provide identity context to SIEM and UEBA tools, and, in the opposite direction, UEBA can provide risk scores and activity data to IGA."
Gartner, Inc., "Magic Quadrant for Identity Governance and Administration" by Felix Gaehtgens, Brian Iverson, Perry Carpenter, February 2016, Report #G00274258.
Source: Gartner (February 2016). This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from 2016 Gartner IGA Magic Quadrant. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU www.ibm.com/security