Beyond the Password: Business Enablement Through IAM Ken Williams, CISSP, CFE Vice President, Technology Services CA, Inc.


Page 1: Beyond the Password: Business Enablement Through Identity

Beyond the Password: Business Enablement Through IAM

Ken Williams, CISSP, CFE
Vice President, Technology Services
CA, Inc.

Page 2

2 © 2006, CA, Inc.  Confidential and proprietary information. Do not copy or distribute without permission

About Ken Williams

25 years in the risk management domain: Ken is Vice President for CA, Inc. in Canada with over 25 years of experience in enterprise risk services, specializing in enterprise security architectures, information security operations, and regulatory compliance solutions globally within the banking, healthcare, government and telecommunications sectors.

Ken manages CA's Technology Services within the following sectors:
• Healthcare
• Banking & Finance
• Gas & Oil
• Electricity & Power
• Transportation
• Telecommunications
• Local, State, Federal
• Emergency Services

Ken has authored technical security standards for State and Federal Government Agencies, Regional Banks and Regional Telecommunications carriers, and has authored technology white papers in the area of information security and regulatory compliance.

Prior to CA, Ken was a manager in the KPMG LLP Information Risk Management practice, Chief Security Officer of an international telecommunications provider, and founder of META Security Group.

Extensive past / present credentials:
• Certified Fraud Examiner (CFE)
• Certified Homeland Security Consultant (CHS)
• Certified Information Systems Security Professional (CISSP)
• Certified Protection Professional (CPP)
• Certified IT Infrastructure Library (ITIL)
• Defense Security Services – Active T/S Clearance

Page 3

Abstract

Enterprise security is a quality that must be embedded into all corporate functions.

We are experiencing a convergence of the need for reliability, privacy and accountability.

Commerce and IT are interconnected in ways that could not have been envisioned a generation ago.

Data security and privacy concerns are pervasive, while threats include situations that are simultaneously intentional and difficult to quantify and anticipate.

The only logical response to the requirement to maintain financial integrity, investor confidence and sustainable operations is a program that takes a comprehensive approach to corporate governance as it relates to information management, security and availability.

Page 4

What CSOs and CIOs are Telling Us

Costly to manage user accounts

Vulnerabilities are expensive

Security data overload is real

Must reduce corporate liability

Need to demonstrate regulatory compliance (PIPEDA, HIPAA, Sarbanes-Oxley)

Page 5

On-Demand Security Challenges…

Provision users automatically

Assess and fix vulnerabilities

Deliver instant security for regulatory compliance

Securely manage events and take action

Page 6

Today's Business Challenges

• Governance: lack of transparency into business processes, business data and IT operations leads to a lack of required corporate oversight
• Compliance: fines and/or sanctions for non-compliance
• Operating Costs: inefficient and labor-intensive operations; insufficient information for budgeting and planning
• Capital Costs: uninformed procurement; unnecessary hardware and software
• Losses/Risk: security breaches; loss of critical business data; inconsistent processes
• Downtime: unavailable business-critical applications and processes
• Agility and Time to Market: slow and costly change, inflexible business processes

These issues have been top-of-mind for the last several years, and remain so today.

Page 7

Today’s IT Challenges

IT organizations are still grappling with:
• Increasing complexity
• Labor-intensive operations
• Underutilized assets
• Security incidents
• Lack of transparency
• The extended enterprise
• Compliance and IT governance

The result is a lack of alignment between IT and business needs.

Page 8

To Meet These Challenges, IT Must Evolve

"95% of IT organizations still create IT strategic plans without fully understanding the business benefits … It is these plans that fall by the wayside … CIOs must create more focused, business-friendly, and actionable plans."

-- Meta (March 2005)

To date, CIOs have not had the tools available to:
• Create a business-driven IT organization
• Solve business challenges, and
• Manage IT operations like a business

This is the mandate for the next phase of IT evolution.

Page 9

Business Benefits of IAM Functionality

Functions covered on this slide: Information Consolidation; Authentication & Authorization; Registration & Enrollment; Single Sign-On

Benefits listed across those functions:
• Enabling a comprehensive picture of the entire organizational data
• Facilitating an easy implementation of future applications
• Managing resources more effectively
• Scaling security
• Increasing control
• Eliminating redundancy in data management
• Securing the company's reputation
• Attracting prospective customers to do business online
• Securing important corporate data such as branding info
• Complying with regulations such as HIPAA, the Gramm-Leach-Bliley Act, 21 CFR Part 11 and the Sarbanes-Oxley Act
• Scaling organizational security
• Reducing account management time
• Streamlining business processes
• Delivering better web services
• Increasing productivity of help-desk and IT services
• Increasing satisfaction of both internal and external users
• Reducing calls to the help desk
• Enabling easy access with one account and one password
• Reducing account management time
• Improving help-desk services
• Delivering a better client web experience
• Increasing user satisfaction

Page 10

Business Benefits of IAM Functionality

Functions covered on this slide: Password Management; Delegated Administration & Self-Services; Audit; Provisioning & Federated Identity

Benefits listed across those functions:
• Increasing organizational security
• Eliminating calls to the help-desk regarding password reset
• Closing security gaps
• Reducing account management time
• Increasing user satisfaction
• Reducing account management time
• Increasing IT & help desk productivity
• Decentralizing organizational control
• Complying with regulations
• Increasing control and management of information flow
• Maintaining security through de-provisioning on termination, user clean-up and robust auditing capabilities
• Managing access rights through centralized user management and delegated administration
• Providing automated workflow
• Addressing e-business initiatives promptly and efficiently to gain and maintain market share
• Leveraging the system across the value chain and strengthening commitment

Page 11

Business Impact of IAM Functionality

Impact areas (matrix columns): Business Facilitation; Cost Containment; Operational Efficiency; Risk Management; User Satisfaction; Regulatory Compliance

IAM functions (matrix rows): Information Consolidation; Authentication and Authorization; Registration & Enrollment; Single Sign-On; Password Management; Delegated Administration & Self-Service; Audit; Provisioning & Federated Identity

Page 12

Where Do Savings Come From?

Increasing revenue
• IAM facilitates repeat business by improving online business.
• IAM attracts new business by improving the organizational image.
• IAM facilitates new business by enabling federated identity and convenient web access.

Cutting costs
• IAM streamlines business processes.
• IAM reduces future costs by spending less on new capabilities.
• IAM scales organizational security.
• IAM is doing more with less.
• IAM increases organizational productivity.

Page 13

Where Do Savings Come From?

Complying with regulation
• IAM helps avoid fines related to non-compliance with regulation.
• IAM supports business opportunities by enabling the organization to work with existing or prospective customers and suppliers who have already achieved a certain security level.
• IAM makes the organization competitive by matching your competitors' existing regulation compliance.

Page 14

Where Do Savings Come From? (p2)

Reducing risk
• IAM prevents loss resulting from damage to the supply chain.
• IAM prevents monetary loss resulting from an accounting system breach.
• IAM keeps intellectual property and competitive information safe.
• IAM provides legal protection for the organization.

Page 15

Key Questions Every Organization Must Consider

What is the maximum capacity of your current system?

What is the average growth in application development?

What is the average impact of a reorganization?

How often does a reorganization occur?

What is the average turnover?

What menial tasks would you like to eliminate?

How long does it take to set up a new user in the current system?

Page 16

Key Questions Every Organization Must Consider (p2)

What is the cost associated with this process?

How many users (customers, partners) will be given access?

What is your annual application management cost?

What is the cost of new user management?

What is the annual cost of existing user management?

What is the cost by security feature, per application?

What is the financial impact of faster access to applications?

Page 17

Aligning To Needs

Page 18

Enterprise IT Management Vision: To Manage & Secure It All

[Figure: layered view of the enterprise, labelled Application Environments, Assets, Users, Business Processes, IT Services, and IT Processes & Best Practices, surrounded by the four EITM disciplines: Security Management, Enterprise Systems Management, Business Service Optimization, and Storage Management.]

Page 19

Enterprise IT Management

Enterprise IT Management (EITM) is CA’s vision and strategy for integrated IT management across traditionally distinct IT disciplines

Optimizes and automates the performance, reliability, high-availability and efficiency of enterprise IT environments.

Enables our customers to deliver IT seamlessly as a service and reduces TCO

Leverages common services and a central management database that provides a unified view of all aspects of the enterprise

EITM is supported by CA and partners and is based on industry best practices

Page 20

Step 1: Define Your Business Operations and Needs

Business Objectives:
• Increase sales and expand to new markets
• Extend the enterprise
• Technology-enable the organization
• Reduce cost
• Increase customer satisfaction
• Enhance business processes

Impact on Security Objectives:
• Business enablement and protection
• Protect the entity's IT assets in an open global network environment
• Secure current infrastructure
• Include security in ongoing development
• Include security in ongoing implementation
• Effective deployment of security technology to increase effectiveness and efficiency of security processes
• Enable privacy
• Protect intellectual property

The strategic business objectives should be mapped to the strategic vision, mission and service objectives for the security organization.

Page 21

Step 2: Determine Overall Maturity

Information Delivery Maturity Level (the chart's vertical axis is Value, with the note "Cost too!"):
• Level 1 – Data: centralized access to data, content & applications
• Level 2 – Information: refine, analyze & sort data, delivering security information
• Level 3 – Knowledge: apply business relevance to information to determine business priorities!
• Level 4 – Action: act on real business knowledge in a single place according to business need

The lower levels are labelled Security Monitoring and the upper levels Security Management, culminating in a Security Command Center providing situational awareness.

Page 22

Step 3: Align Business and IT Strategy

Focus on producing a baseline blueprint, developing a high-level target state, and IS strategy alignment.

[Figure: IS strategy alignment between the business unit (BU) and information security (IS), driven by Business Operations & Needs and the Security Vision & Mission, and covering IT Architecture & Processes:
• Existing Baseline – "Where are we today?": Organization and Core Competencies; Technology Environment; Information and Process Support; Applications; Communications Networks
• Target State – "What should we look like?": Process State; Information State; Organization State; Technology State
• Alignment – "How should we get there?": Migration Plan; Architecture Documentation; Resource Plan
All three stages sit on Project Planning and Management.]

Page 23

Step 4: Define IT Processes

• An IIF consists of a set of IT processes
• An IIF represents the people, technology, and processes required to achieve a desired outcome
• The desired outcome should be measurable and auditable

Notes on the process diagram:
• An IIF consists of one or more stages involving different departments, roles and responsibilities.
• Every IIF has distinct stages, and each stage represents a desired result that serves as input to the next stage. Every activity may involve one or multiple roles. It is important to understand the specific roles so that Sales can position to the right audience. Secondly, it is important to understand the people required to achieve the desired outcome.
• Each IIF results in desired outcomes (e.g., cost reduced because software licenses are re-harvested or available assets are located and redeployed).
• Each box represents an activity in a business process. An activity can be manual or automated.
• The diagram also shows an external event that triggers an IT process.

Page 24

Step 5: Align Process & Roles

[Process diagram, transcribed as swimlanes. Roles legend: Applications Developer; End User; Internal Audit Manager; Security Manager; Application Manager; HR; IT Operations Manager; Business Manager.]

Internal/External Identity Mgt Processes: Request → Approval → Enterprise Identity Management
• Standards and policies: define self-registration policy; define delegated managers; define federated trust
• Request sources:
  – HR Feed (New Hire, Transfer, Termination) → SPML Request: attributes received from authoritative source; unique identifier established or checked
  – Delegated mgt / Self management → Open Service Request Workflow → Delegated Service: delegated request; password reset
• Approval:
  – Multiple Approvers (0 or many): service request approved (if required); workflow process followed
  – Multiple Approvers (1 or many): separation of duties checked; function/project approved; workflow process followed

Internal Identity Mgt Processes: Identity Management and Role Management
• Standards and policies: define authoritative sources; map attributes
• Provisioning Business Rules Engine – Roles Engine: Get Request → Policy Verification → Create / Modify / Delete → Add Access Rights / Change Access Rights / Remove Access Rights → Log Events → Close Request
• Identity and access managed: LAN, Email, Corporate Directory, Authentication Technology, Security Web Services, Security Infrastructure, Federated Services

New Application Request: Develop/Acquire → Review → Manage → Implement Change Request → Verify → Deliver and Support (supporting systems: IAM SDK – Directory; Workflow Provisioning System; Incident/Service Metrics; Central Logging)
• Develop/Acquire: develop/acquire new application; validate with security standards; integrate with common security
• Review: security review; check compliance to security standards
• Manage: acceptance tests; manage users via Provisioning system
• Outcomes: reduce application identity management costs; reduce application cycle times; enhance application security

Compliance Management and Reporting: Audit Resources → Generate Reports → Support Audit (Central Audit Collector and Report Generator)
• Audit questions: How many incidents have occurred? How many requests were self service? Who approved access? Who has access to what resources?
• Audit activities: monitor usage against security policies; application usage; identify invalid accounts; recertify users; review evidence of controls; document exceptions
• Outcomes: sustained compliance; improved automation; reduced costs
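As an added illustration of the Step 5 flow (Get Request → Policy Verification → Create/Modify/Delete → Add/Change/Remove Access Rights → Log Events → Close Request, fed by HR events and audited afterwards), the following Python models an identity lifecycle engine with a separation-of-duties check at policy verification, the "1 or many" approver requirement, de-provisioning on termination, and the audit questions "who has access to what resources" and "identify invalid accounts". This is example code written for this page, not CA's provisioning product; the role catalogue, the SoD rule, the HR events and the target-system account snapshot are all constructed sample data, and the delegated "0 or many" approval path is not modelled.

```python
from dataclasses import dataclass

# Constructed role catalogue: role -> entitlements on managed resources
ROLES = {
    "engineer": {"lan", "email", "source-repo"},
    "ap-clerk": {"lan", "email", "ap-system:enter-invoice"},
    "ap-approver": {"lan", "email", "ap-system:approve-payment"},
}
# Constructed separation-of-duties rule: one person may not hold both roles
SOD_CONFLICTS = [frozenset({"ap-clerk", "ap-approver"})]


@dataclass
class Identity:
    uid: str      # unique identifier established from the authoritative source
    roles: set
    active: bool = True


class ProvisioningEngine:
    """Minimal rules engine: request -> policy verification -> access-right
    changes -> log events; plus the audit queries from the compliance lane."""

    def __init__(self):
        self.identities = {}   # uid -> Identity
        self.accounts = {}     # resource -> set of uids holding an account
        self.log = []          # central audit log of events

    def policy_check(self, roles):
        """Policy verification: reject unknown roles and SoD conflicts.
        Returns None when the request is acceptable, else the reason."""
        unknown = sorted(r for r in roles if r not in ROLES)
        if unknown:
            return f"unknown role(s): {unknown}"
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                return f"separation-of-duties conflict: {sorted(pair)}"
        return None

    def _reconcile(self, ident):
        """Add/remove access rights so accounts match the identity's roles;
        an inactive identity is entitled to nothing (de-provisioning)."""
        target = set().union(*(ROLES[r] for r in ident.roles)) if ident.active else set()
        for res in sorted(set(self.accounts) | target):
            holders = self.accounts.setdefault(res, set())
            if res in target and ident.uid not in holders:
                holders.add(ident.uid)
                self.log.append(("add-access", ident.uid, res))
            elif res not in target and ident.uid in holders:
                holders.discard(ident.uid)
                self.log.append(("remove-access", ident.uid, res))

    def hr_event(self, kind, uid, roles=(), approvers=()):
        """Handle a New Hire / Transfer / Termination from the HR feed.
        Access changes need at least one approver ('1 or many')."""
        roles = set(roles)
        if kind in ("new-hire", "transfer"):
            if not approvers:
                self.log.append(("rejected", uid, "no approver"))
                return "rejected: no approver"
            problem = self.policy_check(roles)
            if problem:
                self.log.append(("rejected", uid, problem))
                return f"rejected: {problem}"
            ident = self.identities.setdefault(uid, Identity(uid, set()))
            ident.roles, ident.active = roles, True
            self.log.append((kind, uid, sorted(roles), list(approvers)))
        elif kind == "termination":
            if uid not in self.identities:
                return "rejected: unknown identity"
            ident = self.identities[uid]
            ident.active = False   # roles are kept for the audit trail
            self.log.append(("termination", uid))
        else:
            raise ValueError(f"unknown HR event: {kind}")
        self._reconcile(ident)
        self.log.append(("close-request", uid))
        return "ok"

    def who_has_access(self):
        """Audit question: who has access to what resources?"""
        return {res: sorted(uids) for res, uids in self.accounts.items() if uids}

    def invalid_accounts(self, system_snapshot):
        """Audit question: identify invalid accounts, i.e. accounts on a target
        system whose owner is unknown to the identity store or no longer active."""
        return sorted(
            (res, uid)
            for res, uids in system_snapshot.items()
            for uid in uids
            if uid not in self.identities or not self.identities[uid].active
        )


def run_demo():
    """Drive the engine with constructed HR events; returns (engine, results, snapshot)."""
    eng = ProvisioningEngine()
    results = [
        eng.hr_event("new-hire", "u1001", {"engineer"}, approvers=["mgr-eng"]),
        eng.hr_event("new-hire", "u1002", {"ap-clerk"}, approvers=["mgr-fin"]),
        # transfer that would let one person both enter and approve payments
        eng.hr_event("transfer", "u1002", {"ap-clerk", "ap-approver"}, approvers=["mgr-fin"]),
        eng.hr_event("transfer", "u1002", {"ap-approver"}, approvers=["mgr-fin"]),
        eng.hr_event("termination", "u1001"),
    ]
    # Constructed account list pulled from the email system: u1001 was terminated
    # and u9999 never came from HR, so both should be flagged for clean-up.
    snapshot = {"email": {"u1001", "u1002", "u9999"}, "lan": {"u1002"}}
    return eng, results, snapshot
```

Calling `run_demo()` and then `who_has_access()` and `invalid_accounts(snapshot)` on the returned engine gives the two audit reports a recertification review would start from.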

Page 25

Step 6: Develop a Blueprint

[Maturity blueprint, transcribed by maturity level. Rows in the original chart: IT Organizational Characteristics, Technical Capabilities, Component Level, ROI.]

Active
• Organizational characteristics: Focused on Traditional Services; Slow to Handle Change; Silo-ed Administration; Informal and Reactive Processes
• Technical capabilities and components: Virtual Identity Directory; Enterprise Identity Inventory; Password Policy Enforcement; Centralized Password Management; Self-serve Password Reset; System/App Level Mgt of Users; Consistent Cross-platform Web Interface; Manual User Export from HR System; Password Management System
• ROI: reduced helpdesk costs with automated password management

Efficient
• Organizational characteristics: Change in Business Priorities; IT Change Driven by Cost / Regulatory Pressure; Commitment to Centralization and Automation; Adopts ITIL Svc Mgt to Formalize Processes
• Technical capabilities and components: Automated Identity Provisioning; Workflow Process Automation; Correlation with Authoritative Source (i.e. HR); Entitlement & Change Report Generation; Web/Desktop Password Reset; Delegated User Administration; Feeds from HR Authoritative Source; Integration With Key Identity Systems; Identity Management System; Workflow Engine, Web forms, Rules; Identity Reporting System
• ROI: administrative cost savings due to automation of processes for identity management

Responsive
• Organizational characteristics: IT Now Involved in Business Change Planning; Manages to SLA and Controls; Integrated Enterprise-wide IT Management; Tracks Performance of Processes
• Technical capabilities and components: Automated Identity & Role Processing; Entitlements Exception Reporting; Syncs Multiple Authoritative Srcs (e.g. Contractors); Self-serve Registration Process; Feeds from All Authoritative Sources; Business Application Provisioning; Workflow for Application Security Review; Role-based Entitlements Management; Application Directory Integration; Integration With Business Apps & Infrastructure; Role Management System; Entitlement Synchronization System
• ROI: reduced cost in business application and compliance due to automation of role and entitlement management

Business-Driven
• Organizational characteristics: Ready for Business-Driven Change; Rapidly Support New Services and Customers; Enables Support for Growing Partner Ecosystem; Automated Process Improvement
• Technical capabilities and components: Web Services Security; Interoperability w/SPML & Enabling SAML; Automated Resource Provisioning; Federated Trust Management; Provisioning Authentication Technologies; Web Services Business Integration; Integration With Building Access Systems; Integrated Business Processes; CMDB Integration; Partner Identity Management
• ROI: reduced cost in partner access and change management

Page 26

Step 7: Initiate Transition To Next Level Of Maturity

• EIM Components: Security
• IIF: Administration to Identity & Access Management
• ROI Components & Metrics: Administration Reduction, Enhanced Productivity
• Maturity Capability Blueprint: Active to Efficient

[Figure: "Conduct Solution-Leading Assessment to Determine Current State & Create GAP Analysis" leads from the Active maturity level, through the additional capabilities needed to advance to the next level, to the Efficient maturity level; "SAO-Defined Roadmap and Associated ROI Delivered to Client to Move from Active to Efficient Maturity Level".]

Maturity Level: Active
• People: CISO accountable; end-users can reset passwords; password administration can now be performed by the helpdesk rather than sysadmins; IT Operations (sysadmins) and Application Managers still perform ID/account administration
• Process: processes defined for password reset; manual processes (e.g. email/fax) for new hire and access entitlement change; password reset requires requests to system administration; manual process for generating change and entitlement reports; informal process for de-provisioning users; no defined standards for application development to integrate identity management
• Technology: technology standards for ID formats and password quality; password management system in place; virtual directory of users established

Additional Capabilities Needed to Advance to Next Level
• People: Workflow Training (Employee); CISSP Certification (Security Mgt Staff); ID Provisioning Training (Sec Mgt Staff)
• Technology: Automated Identity Provisioning; Workflow Process Automation; Correlation with Authoritative Source (i.e. HR); Entitlement & Change Report Generation; Delegated User Administration
• CA Offerings to Satisfy Need: Technology Design, Implementation, and Integration; Identity Management Architecture

Maturity Level: Efficient
• People: CISO accountable; dedicated security management staff; CISSP-certified security management staff; ID administration role separated from IT Operations (either automated or handled by security management staff)
• Process: processes, workflows and owners defined for new hire, password reset, terminations, delegated identity administration, automated ID management and privilege/group management (manual); process defined for security management; use of HR authoritative source; change report generation; entitlement report review (manual); informal security review of applications for conformance to Identity Mgt standards
• Technology: technology standards for ID formats and password quality, application use of the directory for identity management, and interchange format with the HR system; virtual directory of users established; workflow engine, web forms, and rules; policy distribution infrastructure for identity provisioning; reporting toolset

Page 27

Step 8: Integrate Within The Enterprise

Page 28

Building Sustainability

Page 29

Sustaining the Program…

Once you have built the security program you must maintain it at an appropriate level while continuing to evolve it for the next business generation.

A security communication process and regular plan

“Ease of Use” and practical solutions and approaches

Process based capabilities focus versus technology/project/initiative focus

Architectural models with reusable, scalable components

Foundation built on principles

Business Units actively involved in self-assessment, risk assessment and awareness

Funding and resource levels appropriate to the business risk profile, with differentiation between maintaining current capabilities (IS budget) and new capabilities for new changes in BU operations (BU or IT budget)

Connection to the business units and alignment of strategies and priorities

Monitoring and feedback loop with enforcement

Measurement system focused on performance management not statistics

Executive focus, sponsorship and reinforcement

BU ownership of security and requirements with IT delivering the services

BU leadership evaluated on security performance through individual and BU results (charge units for failure to comply)

Interfaces and formalized communications among the related parties (audit, legal, compliance, technology)

Page 30

With Best Practices Across The Enterprise

ISO17799: Security Policy; Organizational Security; Asset Classification and Control; Personnel Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Systems Development and Maintenance; Business Continuity Management; Compliance

COBiT: Plan and Organize; Acquire and Implement; Define and Support; Monitor and Support

COSO: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information and Communications; Monitoring

ITIL: Business Perspective; Planning to Implement Service Management; Service Delivery / Support; ICT Infrastructure Management; Application Management; Security Management

Page 31

Focusing Across Key Areas of IT Security …

Privacy

Identity and Access Management

Threat Management

Intelligent Security Management

Page 32

Provides Sustainable Security Management

[Figure: event-handling flow from Discovery to Resolution: Attack (new attack; examples shown: Netsky, Bagle, Mydoom) → Alerts (IDS sensors, AV alerts, FW messages, host logs) → Correlate (check assets & vulnerabilities) → Align to Business (prioritize to business level) → Remediate (initiate remediation actions).]

Page 33


Security needs to help organizations understand what is happening and how it relates to the business.

Page 34

Case Study

Page 35

Need: Identity and Access Management Analysis
• Organization requires an analysis of external audit results.
• Provide a gap analysis utilizing EDM - Maturity Model tools.
• Develop a solution blueprint for Identity and Access Management based upon Integrated Information Technology Flows (IIF).
• Develop Solution Architecture Overview (SAO).

Description: Current Maturity With Respect to Leading Practices (Impact and Probability Maturity Aggregate)

Risk factors (each rated L/M/H for Impact and for Probability of Occurrence in the original chart): Downtime; Loss of Reputation; Regulatory Non-Compliance; Overall Current Risk

Maturity rating scale:
5 Control is in place without exceptions.
4 Control is in place with exceptions.
3 Control is partially in place with approved plans to implement.
2 Control is partially in place with no current plans to implement.
1 Control is not in place with approved plans to implement.
0 Control is not in place with no current plans to implement.

Current maturity scores (0–5 scale):
• Application Access Management: 1.75
• Operating System Access Management: 2.25
• Network Access Management: 2.5
• Identity Management: 1.75
• Entitlement Management: 1.5

Page 36

Solution Blueprint…

[Maturity blueprint (rows: Organizational Characteristics, Technical Capabilities, Component Level), transcribed by maturity level; phases across the chart: Identity Management → Access Entitlements Management → Operational Auditing & Compliance Phase → Business Enhancement Phase.]

Organizational characteristics by level:
• Active: Technology Orientated; Point Solution Focused; Centralized Security Reporting; Security View
• Efficient: Transaction Orientated; Enterprise Solution Focused; Centralized Process Controls; Operations View
• Responsive: Regulatory Orientated; Controls Solution Focused; Integrated Process Management; Risk Management View
• Business-Driven: Business Orientated; Value Solution Focused; Integrated Corporate Management (Operations, Risk Management & Security); Dynamic Entitlement Management View

Technical capabilities and components shown across the levels: Enterprise Repository; Audit Aggregation Tools; Platform Access Control; Perimeter Access Control; Application Access Control; Centralized Audit Management; Data & Storage Access Control; Centralized Monitoring; Component Provisioning; Enterprise-wide Provisioning; Transactional Access Control; Integrated Compliance Management; Self-Service Entitlements; User Multi Factor Authentication; Centralized Authoritative Sources; Transactional Value Approval Control; Integration with Asset Mgt; Anti-Money Laundering Capabilities; Interactive Privilege Management; Platform & App Security Controls; Provisioning Solutions; Enterprise Reporting Systems; Secure Common Services; Correlation & Analysis Tools; Self-Service Tools; Workflow Engine; Transactional Engine; Integrated Provisioning Platforms; Biometric, Token and/or PKI Solutions; Privilege Management Tools; Compliance Management Tools; SAML Solution Platform; Forensics Tools; Process Monitoring Tools; Secure Transactional Repository; Reporting Systems; Enterprise User IDs; Operational Processing Engine; Knowledge Based Engine; Risk Management Engine; Business Reporting Engine; Personalization; Integrated Workflow Management; Federated Identity Management; Automated Forensics Capabilities; Behavioral Pattern Analysis; Process Management; On-Demand Resource Management; Integrated Regulatory Management; Productivity Management; Knowledge Based Authentication; Business Process Cost Value Reporting; Integrated Business Risk Management; Integrated Operations Center; External User & 3rd Party Value Reporting; Resource Optimization Tools

Page 37

To Summarize, Integrated IT Flows (IIFs) are Key

• Process-centric approach to IT management
• Both the means and a framework for advancing an organization's IT maturity level
• Implemented through:
  – Industry best-practices instantiated in automated workflows that invoke management and security functions
  – Comprehensive management and security solutions
  – Solutions integrated at the data, UI and process levels
  – Blueprints and assessment services to identify an organization's starting points and next steps in the IT maturity model

Page 38

Questions

Discussion