Identity and Access Management — at the Core of Business
Andrew A. Afifi, M.Sc. Network Security, CISSP, Technology Strategist
Security Management - Challenges
Do you:
– Control who has access to which resources?
– Know what is happening in your environment?
– Know what to do about it?
– Have the tools necessary to take action?
Information Technology Evolution (chart): a timeline from 1960 to 2000 running through Centralized Infrastructure, Client/Server, Web, and On-Demand Computing and Web Services, with both complexity and flexibility increasing over time.
Evolution of Information Security (chart): four generations plotted against management effort and time, with "Security Today" marked on the chart:
– 1st Generation: Gates, Guns, Guards
– 2nd Generation: Reactive Security
– 3rd Generation: Security as an Enabler
– 4th Generation: Proactive Security and Accountability
Business Challenges
Optimize business
– Eliminate inefficiencies
– Reduce menial tasks
Reduce costs
– Allow companies to do more with less
– Enable on-demand capabilities
Mitigate risks
– Manage identities — active and inactive
Enable compliance with industry regulations
– Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, Gramm-Leach-Bliley Act and others
Identity is at the Core of Business
Identities must be managed
– Manage who is in your environment
– Control what they can access and do
– Know what users have done
Identity and access management is critical to total security management
Analysts' Input
What Analysts Are Saying (research across partners, customers and employees):
– Complex
– Integration is key
– Trend towards suites
Research Results – Business Challenges (partners, customers, employees)
– Costly to manage users and access to assets
– Difficult to know who has access to what
– Helpdesk costs continue to grow
– Difficult to manage users across different systems and applications
– Compliance for various regulations: Basel II, EU Directive, GLB, HIPAA, Sarbanes-Oxley
Research Results – Costs (partners, customers, employees)
– Investing in point products to create a total solution is expensive
– Complexity of: technology, organization structure, consolidation of identity stores
– The cost of doing nothing is not recognized
Research Results – Technology Needs (partners, customers, employees)
– Better integration
– Common UI
– More automation
– Standards
Mainframe
– Becoming more critical for web services
– New uses, expanded role
Success Factors
– Understand and quantify the cost of doing nothing
– Implement as you go — start small, then scale
– Support a heterogeneous environment: help ensure broad platform and target system support
– Protect your investments
– Accommodate and correlate multiple data repositories
– Help ensure you're ready on-demand
Success Factors (cont'd)
– Must contain end-to-end audit of all components
– Couple provisioning, enforcement and audit
– Proactive — discovery
– Unified GUI — one-touch provision/de-provision
– Completeness — enterprise, customers and partners
– Flexible platform or suite — best of both worlds
IAM Strategy
Integrated Provisioning, Enforcement and Audit Across Enterprise and Federated Environments
Identity and Access Management
“By 2005, the complexity of integrating the components of IAM solutions will cause 60 percent
of enterprises to choose product suites that are owned or licensed by, and supported through, one
vendor (0.7 probability).”
Source: Gartner Group — The Identity & Access Market Landscape, November 2003
Cost of Doing Nothing
RON™ – Return on Negligence: what is the true cost of the status quo?
Calculating costs (define a simple formula). RON per year is the sum of:
– annual turnover × cost of user management, plus
– annual reorganization × cost of user management, plus
– percentage of access growth (customers, partners) × cost of access management, plus
– cost of help desk support for password management, plus
– users' lost productivity × annual turnover
What is your cost?
Turning RON Into ROI
– Identify costs leveraging the RON calculator
– Provision users, resources and privileges
– Reduce costs — eliminate inefficiencies
– Enable compliance — adhere to regulatory requirements
– Increase productivity — do more with less
<Customer Name>
eTrust Return On Negligence (RoN) Calculator
It's easy for businesses to quantify mistakes. But the bigger financial risk is the hidden cost of doing nothing.

Annual Potential for Cost Avoidance Related to eTrust Solutions (figures as shown on the slide; subtotals are rounded)

eTrust Admin (user provisioning)
  Potential IT cost avoidance related to user provisioning                         $290,649
  Potential lost-productivity cost avoidance related to user provisioning          $220,027
  Total potential for cost avoidance related to eTrust Admin                       $510,676

eTrust SSO
  Potential lost-productivity (multiple login sessions) cost avoidance             $673,828
  Potential lost-productivity (trial and error) cost avoidance                     $485,156
  Potential help desk cost avoidance related to SSO                                $156,148
  Total potential for cost avoidance related to eTrust SSO                       $1,315,133

eTrust Web Access Control
  Potential application development cost avoidance                                 $135,000
  Potential security audit cost avoidance                                           $20,000
  Potential extranet help desk cost avoidance                                      $195,186
  Potential downtime cost avoidance                                                 $30,000
  Total potential for cost avoidance related to eTrust Web Access Control          $380,186

Total cost of negligence per year                                                $2,205,995
Total cost of negligence for 3 years                                             $6,617,984
“There can be a great temptation to do nothing and put off the deployment of an Identity and Access Management solution, however, this approach
can store up problems for the future.”
Source: Butler Group — Identity and Access Management, September 2003
Identity and Access Management
IAM Goals
Control and manage all enterprise and federated identities with a single, modular, integrated solution
– Complete integration
– Breadth and depth of the solution
– Investment protection
– Total security management
On-Demand Provisioning
– Provisions users, enforcement rights and resources
– Provides user access when new services become available, such as servers, applications and systems
– Enables users to be created automatically while the correct access is granted to the right resources
Business Benefits
Business optimization
– Eliminate inefficiencies
– Reduce menial tasks
Cost reduction
– Allow companies to do more with less
– Enable on-demand capabilities
Risk mitigation
– Manage identities — active and inactive
Regulatory compliance
– HIPAA, Sarbanes-Oxley Act and others
How CA Uses IAM
16,000+ employees worldwide
On the first day of employment:
– Users have access to applications and systems (no delay in productivity)
– Users who change roles at CA automatically get new access rights (role-based management)
– Upon departure, users are immediately removed (reduces risks)
Customer and partner access to service
– Provisioning of users, access and privileges (streamlines business processes)
Case Study
Marge Greene, Director, Human Resources
Robert Stone, EVP, Sales, New Division
Mary Rivers, Sr. VP, Product, New Division
Bill Waltham, Strategic Consultant ("Hired Gun"), eNEX Consulting, Inc.
Plus 24 other new hires — globally — this week
Workflow Process
Enterprise Critical Reliability, Unlimited Scalability and more
Case Study – Cont.
Workflow as shown in the diagram:
– Marge Greene (Director, Human Resources) → HR System
– HR data passed to eTrust Admin
– eTrust Admin maps the job to roles
– Manager gives the OK
– Access and accounts created on the target systems: Legacy eTrust™ CA-ACF2® Security, Oracle, SAP, NT, MS Exchange, Sun Solaris and eTrust™ Web Access Control
– Audit and access control applied across the targets
– New hire: Robert Stone (EVP, Sales, New Division); Procurement and the Facilities Department also appear in the workflow
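The joiner/mover/leaver flow described under "How CA Uses IAM" and in the case-study workflow (HR data passed to the provisioning engine, job mapped to roles, accounts created on the targets, access changed on role change, removal on departure) can be expressed as a small reconciliation engine. The following is an added example, not code from CA, eTrust Admin or this deck; the job codes, role names, entitlements, HR records and the leftover account are constructed, and only the target-system names are taken from the slide.

```python
"""HR-driven, role-based provisioning: joiner / mover / leaver reconciliation.

Added example, not code from CA or from this deck. The job codes, role
names, entitlements, HR records and the leftover account below are all
constructed; only the target-system names come from the case-study slide.
"""
from dataclasses import dataclass, field

# Constructed policy: HR job code -> roles, role -> (target system, entitlement).
JOB_TO_ROLES = {
    "SALES-EXEC": {"employee", "sales"},
    "PRODUCT-EXEC": {"employee", "product"},
    "CONSULTANT": {"contractor"},
}
ROLE_TO_ENTITLEMENTS = {
    "employee": {("NT", "domain-user"), ("MS Exchange", "mailbox")},
    "sales": {("SAP", "sd-sales"), ("Web Access Control", "crm")},
    "product": {("Oracle", "product-db"), ("Sun Solaris", "build-host")},
    "contractor": {("Web Access Control", "partner-portal")},
}


@dataclass(frozen=True)
class HRRecord:
    """One row of the authoritative HR feed (constructed)."""
    user: str
    job: str
    active: bool


@dataclass
class ProvisioningEngine:
    # Entitlements currently held per user on the target systems.
    state: dict = field(default_factory=dict)
    # Audit trail: (event, user, job, number of actions taken for that record).
    audit: list = field(default_factory=list)

    def desired(self, rec):
        """Entitlements the HR record entitles the user to; leavers get none."""
        if not rec.active:
            return set()
        roles = JOB_TO_ROLES.get(rec.job)
        if roles is None:
            # Fail closed: an unmapped job code is an error for a person to fix,
            # not a user to be silently provisioned with a guess.
            raise ValueError(f"no role mapping for job code {rec.job!r}")
        return set().union(*(ROLE_TO_ENTITLEMENTS[r] for r in roles))

    def reconcile(self, feed):
        """Apply an authoritative HR feed; return (action, user, target, entitlement) tuples.

        Desired state comes from roles only, so a mover loses the old role's
        access instead of accumulating it, and a terminated record revokes
        everything in the same run.
        """
        actions = []
        for rec in feed:
            have = self.state.get(rec.user, set())
            want = self.desired(rec)
            event = ("leaver" if not rec.active
                     else "joiner" if rec.user not in self.state
                     else "mover" if have != want
                     else "unchanged")
            before = len(actions)
            for target, ent in sorted(want - have):
                actions.append(("grant", rec.user, target, ent))
            for target, ent in sorted(have - want):
                actions.append(("revoke", rec.user, target, ent))
            if want:
                self.state[rec.user] = want
            else:
                self.state.pop(rec.user, None)
            self.audit.append((event, rec.user, rec.job, len(actions) - before))
        return actions

    def orphans(self, feed):
        """Discovery: accounts on the targets with no identity behind them in HR."""
        known = {rec.user for rec in feed}
        return sorted(user for user in self.state if user not in known)


if __name__ == "__main__":
    # A leftover account nobody in HR owns, to show orphan discovery (constructed).
    engine = ProvisioningEngine(state={"j.doe": {("NT", "domain-user")}})
    week1 = [HRRecord("r.stone", "SALES-EXEC", True),
             HRRecord("m.rivers", "PRODUCT-EXEC", True),
             HRRecord("b.waltham", "CONSULTANT", True)]
    week2 = [HRRecord("r.stone", "PRODUCT-EXEC", True),   # mover
             HRRecord("m.rivers", "PRODUCT-EXEC", True),  # unchanged
             HRRecord("b.waltham", "CONSULTANT", False)]  # leaver
    for feed in (week1, week2):
        for action in engine.reconcile(feed):
            print(*action)
        print("audit:", engine.audit[-len(feed):])
    print("orphans:", engine.orphans(week2))
```

Two properties of this engine map directly to the risks the deck lists: desired access is derived only from the role mapping, so a user who changes division loses the old division's entitlements rather than accumulating them, and both a terminated record and an unmapped job code fail closed. The orphan check is the "proactive discovery" success factor: a target account with no HR identity behind it is an inactive identity that still needs managing.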