Identity and Access Management — at the Core of Business Andrew A. Afifi, M.Sc. Network Security, CISSP Technology Strategist


Identity and Access Management — at the Core of Business

Andrew A. Afifi, M.Sc. Network Security, CISSP
Technology Strategist

Security Management - Challenges

Do you:
– Control who has access to which resources
– Know what is happening in your environment
– Know what to do about it
– Have the tools necessary to take action

Information Technology Evolution (chart)

Timeline 1960 to 2000 plotted against Time, with Complexity and Flexibility rising: Centralized Infrastructure, then Client/Server, then Web, then On-Demand Computing and Web Services

Evolution of Information Security (chart)

Plotted over Time against Management, up to Security Today:
– 1st Generation: Gates, Guns, Guards
– 2nd Generation: Reactive Security
– 3rd Generation: Security as an Enabler
– 4th Generation: Proactive Security and Accountability

Business Challenges

Optimize business
– Eliminate inefficiencies
– Reduce menial tasks

Reduce costs
– Allow companies to do more with less
– Enable on-demand capabilities

Mitigate risks
– Manage identities — active and inactive

Enable compliance with industry regulations
– Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and others

Identity is at the Core of Business

Identities must be managed– Manage who is in your

environment

– Control what they can access and do

– Know what users have done

Identity and access management is critical to total security management

IAM Defined - Gartner

Analysts Input ... (diagram: Partners, Customers, Employees)

What Analysts are Saying
– Complex
– Integration is key
– Trend towards suites

Research Results: Business Challenges

– Costly to manage users and access to assets
– Difficult to know who has access to what
– Helpdesk costs continue to grow
– Difficult to manage users across different systems and applications
– Compliance for various regulations – Basel II, EU Directive, GLB, HIPAA, Sarbanes-Oxley

Research Results: Costs

– Investing in point products to create a total solution is expensive
– Complexity of: technology, organization structure, consolidation of identity stores
– The cost of doing nothing is not recognized

Research Results: Technology Needs

– Better integration
– Common UI
– More automation
– Standards
– Mainframe: becoming more critical for web services; new uses – expanded role

Success Factors

– Understand and quantify the cost of doing nothing
– Implement as you go — start small, then scale
– Support a heterogeneous environment: help ensure broad platform and target system support
– Protect your investments
– Accommodate and correlate multiple data repositories
– Help ensure you’re ready on-demand

Success Factors (cont’d)

– Must contain end-to-end audit of all components
– Couple provisioning, enforcement and audit
– Proactive — discovery
– Unified GUI — one touch provision/de-provision
– Completeness — enterprise, customers and partners
– Flexible platform or suite — best of both worlds

IAM Strategy

Integrated Provisioning, Enforcement and Audit Across Enterprise and Federated Environments

Identity and Access Management

“By 2005, the complexity of integrating the components of IAM solutions will cause 60 percent of enterprises to choose product suites that are owned or licensed by, and supported through, one vendor (0.7 probability).”

Source: Gartner Group — The Identity & Access Market Landscape, November 2003

Cost of Doing Nothing

RONTM – Return on Negligence– What is the true cost of status quo?

Calculating costs (define simple formula)

– Sum of

– What is your cost?

Annual turnover X cost of users managementplus

Annual reorganization X cost of users managementplus

Percentage of access growth (customers, partners) X costs of access management

plusCost of help desk support for password management

plusUsers lost productivity X annual turnover

Turning RON Into ROI

Identify costs leveraging the RON calculator

Provision users, resources and privileges
– Reduce costs — eliminate inefficiencies
– Enable compliance — adhere to regulatory requirements
– Increase productivity — do more with less

<Customer Name>

eTrust Return On Negligence (RoN) Calculator
It's easy for businesses to quantify mistakes. But the bigger financial risk is the hidden cost of doing nothing.

Annual Potential for Cost Avoidance Related to eTrust Solutions

eTrust Admin
  Potential IT Cost Avoidance Related to User Provisioning ......................... $290,649
  Potential Lost Productivity Costs Avoidance Related to User Provisioning ......... $220,027
  Total Potential for Cost Avoidance Related to eTrust Admin ....................... $510,676

eTrust SSO
  Potential Lost Productivity (Due to Multiple Login Sessions) Costs Avoidance ..... $673,828
  Potential Lost Productivity (Due to Trial & Error) Costs Avoidance ............... $485,156
  Potential Help Desk Costs Avoidance ............................................. $156,148
  Total Potential for Cost Avoidance Related to eTrust SSO ....................... $1,315,133

eTrust Web Access Control
  Potential Application Development Costs Avoidance ............................... $135,000
  Potential Security Audits Costs Avoidance ........................................ $20,000
  Potential Extranets Help Desk Costs Avoidance ................................... $195,186
  Potential Downtime Costs Avoidance ............................................... $30,000
  Total Potential for Cost Avoidance Related to eTrust Web Access Control .......... $380,186

Total Cost of Negligence per Year ................................................ $2,205,995
Total Cost of Negligence for 3 Years ............................................. $6,617,984

“There can be a great temptation to do nothing and put off the deployment of an Identity and Access Management solution, however, this approach can store up problems for the future.”

Source: Butler Group — Identity and Access Management, September 2003

Identity and Access Management

IAM Goals

Control and manage all enterprise and federated identities with a single, modular, integrated solution
– Complete integration
– Breadth and depth of the solution
– Investment protection
– Total security management

On-Demand Provisioning

– Provisions users, enforcement rights and resources
– Provides user access — when new services become available — such as servers, applications and systems
– Enables users to be automatically created while the correct access is granted to the right resources

The Foundation for Total Identity and Access Management

Identity across the enterprise, partner and customer environments
– Complete Identity Visualization
– User Management
– Role Management
– Policy-based Management
– Self-Service Password Management
– Workflow-based Approvals

Business Benefits

Business optimization
– Eliminate inefficiencies
– Reduce menial tasks

Cost reduction
– Allow companies to do more with less
– Enable on-demand capabilities

Risk mitigation
– Manage identities — active and inactive

Regulatory compliance
– HIPAA, Sarbanes-Oxley Act and others

How CA Uses IAM

16,000+ employees worldwide

On the first day of employment:
– Users have access to applications and systems (no delay in productivity)
– Users who change roles at CA automatically get new access rights (role-based management)
– Upon departure, users are immediately removed (reduces risks)

Customer and partner access to service
– Provisioning of users, access and privileges (streamlines business processes)

Case Study

– Marge Greene, Director, Human Resources
– Robert Stone, EVP, Sales, New Division
– Mary Rivers, Sr. VP, Product, New Division
– Bill Waltham, Strategic Consultant (“Hired Gun”), eNEX Consulting, Inc.
– Plus 24 other new hires — globally — this week

Case Study – Cont.

WORK FLOW PROCESS (diagram)

– Marge Greene (Director, Human Resources) enters the new hire, Robert Stone (EVP, Sales, New Division), in the HR System
– HR data is passed to eTrust Admin
– Admin maps the job to roles; the manager gives the OK
– Access and accounts are created on the target systems: Legacy eTrust™ CA-ACF2® Security, Oracle, SAP, NT, MS Exchange, Sun Solaris and eTrust™ Web Access Control
– The new-hire workflow also involves Procurement and the Facilities Department
– Audit and Access Control span the whole process

Enterprise Critical Reliability, Unlimited Scalability and more
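The joiner/mover/leaver flow shown in the workflow diagram, as an added example that is not CA's or eTrust's code: the HR feed is treated as the source of truth, job titles are mapped to roles and roles to target systems (both maps are constructed assumptions), new grants wait for the manager's OK, while revocations for departures, role changes and orphaned accounts are applied immediately, and every decision lands in an audit trail.

```python
from dataclasses import dataclass, field

# Constructed job-to-role and role-to-system maps (assumptions, not from the deck).
JOB_ROLES = {"EVP, Sales": {"sales-leader", "employee"},
             "Sr. VP, Product": {"product-leader", "employee"},
             "Strategic Consultant": {"contractor"}}
ROLE_SYSTEMS = {"employee": {"NT", "MS Exchange"}, "sales-leader": {"SAP", "Oracle"},
                "product-leader": {"Oracle", "Sun Solaris"}, "contractor": {"Web Access Control"}}

@dataclass
class Account:
    systems: set = field(default_factory=set)   # target systems the user holds an account on

def reconcile(hr_feed, accounts, approvals):
    """Drive target-system access from the HR feed; return (actions, audit trail).
    hr_feed:   {user: {"job": str, "status": "active" | "terminated"}}  (source of truth)
    accounts:  {user: Account} current state in the target systems (updated in place)
    approvals: users whose manager has given the OK for new grants
    """
    actions, audit = [], []
    for user, rec in hr_feed.items():
        current = accounts.setdefault(user, Account()).systems
        roles = JOB_ROLES.get(rec["job"], set()) if rec["status"] == "active" else set()
        wanted = set().union(*(ROLE_SYSTEMS[r] for r in roles))   # leaver -> empty set
        for system in sorted(wanted - current):                   # joiner / mover grants
            if user not in approvals:
                audit.append(f"HOLD grant {system} to {user}: awaiting manager OK")
                continue
            actions.append(("grant", user, system)); current.add(system)
            audit.append(f"GRANT {system} to {user} (job: {rec['job']})")
        for system in sorted(current - wanted):                   # revocations never wait
            actions.append(("revoke", user, system)); current.discard(system)
            audit.append(f"REVOKE {system} from {user}")
    for user in sorted(set(accounts) - set(hr_feed)):             # orphans: no HR record
        for system in sorted(accounts[user].systems):
            actions.append(("revoke", user, system))
            audit.append(f"REVOKE {system} from {user}: no HR record")
        accounts[user].systems.clear()
    return actions, audit

def demo():
    """Constructed HR feed and starting state (sample data, not from the deck)."""
    hr = {"rstone": {"job": "EVP, Sales", "status": "active"},                  # joiner
          "mrivers": {"job": "Sr. VP, Product", "status": "active"},            # mover from sales
          "bwaltham": {"job": "Strategic Consultant", "status": "terminated"}}  # leaver
    accounts = {"mrivers": Account({"NT", "MS Exchange", "SAP", "Oracle"}),
                "bwaltham": Account({"Web Access Control"}),
                "ghost": Account({"NT"})}                                       # orphan account
    return reconcile(hr, accounts, approvals={"rstone", "mrivers"})
```

Running `demo()` grants the joiner his four systems, swaps the mover's SAP access for Sun Solaris, and strips the leaver and the orphan account without waiting for anyone.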

Questions?

Q & A