IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM). Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can utilize the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM has enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the Identity Provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.
Role Discovery and RBAC Design: A Case Study with IBM RaPM
Alex Ivkin, Prolifics; Grey Thrasher, IBM
April 10, 2023
Agenda
Introductions
Role Based Access Control
Reality Check
Process and Technology
Results and Discussion Q&A
Alex Ivkin, CISSP, Practice Director, Security Line of Business, Prolifics
Grey Thrasher, Senior Software Engineer, L2 Technical Team Lead, IBM SWG Client Support – Software
Prolifics at a Glance
Who Are We?
[Chart: Prolifics gross revenue (millions), $0 to $70, by year from 2004 through 2011]
Off-Shore Development Center: Hyderabad, India
Application Testing: Santa Clara, CA, USA
A corporate group of 1200 employees worldwide specializing in the expert delivery of end-to-end IBM solutions
Offices: New York, Boston, Philadelphia, Washington DC, Orlando, San Francisco, London, Hamburg
Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies
Solution Leadership
• Serviced over 1600 IBM software accounts in the past 11 years
• Prolifics boasts over 110 security certifications for architecture, development and administration
• IBM Tivoli "AAA Accredited" – first for Security worldwide
• IBM Cloud Certification – first of 5 partners
• Authorized for SVP in 5 industry capabilities – first in Utilities
• Also in SOA, Information Management and BPM solutions and appliances for Business Process Management and Integration
Stability, Longevity & Growth
Business challenges
• Difficulty in the business understanding of security information, causing a rubber-stamp process, or simply too much data for the business to sort through
• Challenges in the quarterly attestation cycle
• Challenges for supervisory personnel understanding how "least privilege" works in their business unit
• Onboarding (new-hire user add) requests requiring additional time and effort because access requests are submitted case by case using individual forms
• Challenges in managing the access of persons who transfer between jobs, creating complex modification requests for access on a case-by-case basis
• Risk due to inappropriate access, which could be misuse or simply audit findings; this comes from mirrored access ("make John's access look like Mary's") that may grant too much permission, or from job transfers where old access is not removed properly
Role Based Access Control
• RBAC is a methodology to align security entitlements to persons through an abstraction of organizational responsibilities using job function and relationship to the organization. The idea is to use roles to represent common access rights for users as sets of privileges on different systems.
[Diagram: Before / After]
Role Based Access Control (RBAC) offers an effective operational model to drive IAM Governance
• Simplify roles and access assignments
• Ability to handle growth and scale
• Facilitate accountability and compliance
Direct access assignments today are complex, difficult to track and change when needed
Business Benefits of RBAC
• Reduce risk by ensuring people are limited to the access required by their job function
• Reduce dormant time for new hires during onboarding because their well-defined access can be instantiated automatically
• Simplify the attestation and audit process by reviewing privileges that are exceptions to the roles instead of reviewing every entitlement
• Increase accuracy in the attestation process due to an easier-to-understand business interface to information security data
• Simplify the cross-boarding process and reduce the risk of personnel dragging inappropriate entitlements to their new job function
• Address compliance requirements through the inherent linkage to organizational definitions of least privilege and separation of duty
Reality check
How many companies want to do RBAC? How many companies are doing RBAC? How many companies successfully completed RBAC in 2011?
Our study showed:
• 97% of IdM customers in 2011 agreed that Role Based Access Control is a solid approach to tackle problems of compliance and security control
• A third had engaged in RBAC design and implementation, internally and externally
• Less than a tenth achieved the goals
Why?
Challenges
• Time consuming
• Correlating massive data
• High skill required
• Not business-user friendly
• Inaccurate results
• Requires business change – the 60/40 mix
• Requires proper tooling: Identity and Access Management platform, modeling tool, role life-cycle tool
• Requires understanding, communication and motivation
• It's a process, not a state
How it is done (the secret recipe)
• Strong business processes
• Clever technical instrumentation
• Effective review procedures
• Tight enforcement and integration
[Diagram: RBAC at the center of Business, IT, Review Process and Integration]
Introducing Role and Policy Modeler
[Diagram: Role and Policy Modeler architecture]
• Business view (CIO, CSO, Compliance Officers, Business Owners; Lines of Business): governance goals, scope, business policies, interview data, approvals/certification, risk analysis, collaboration, compliance reports
• Technical view (IT Management; IT Systems and Applications Owners): resources, identities, entitlements, roles and policies, modeling tools, role and policy templates, reports
• Validate against ISIM (ITIM); deploy to ISIM (ITIM), TSPM and enterprise systems
• Role and Policy Modeler: in-depth reports, intuitive UI, extensible data layer, exceptional analytics
Integration | Role Lifecycle | Business View | Technical View | Role and Policy Modeler
The beginning
• Sizing: scoping and size control
• Focusing on stable business units: customer service, financial department
• Focusing on well-understood applications: core business applications
• Product targeted at the business analyst: engaging the sponsors and LoB managers, involving IT asset custodians
• Aggregating existing data: Business View and Technical View
RaPM: Home Page
Designed for the business analyst
Simple view model: Projects, Role Mining/Modeling, Reports, Import
RaPM: Modeling
• Top-down: business interviews, existing model
• Bottom-up: data aggregation, system state, existing knowledge
RaPM: Model Roles and Policies
Project creation: user selection, permission selection
RaPM: Generating roles
• Artificial intelligence algorithms (analytics from IBM Research)
• Poor performance vs. over-fitting
• Parameters: hierarchy, ownership, compatibility constraints
• Modeling flexibility
RaPM: Role Generation
IBM Research-created algorithms automatically generate roles and hierarchies; the options chosen affect the number of roles and the depth of the hierarchy.
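The slides above describe bottom-up role generation and the trade-off between poor coverage and over-fitting, but not how a miner arrives at candidate roles. The example below is added here and is not RaPM's algorithm or any IBM code: it is the simplest bottom-up approach, grouping users who hold identical entitlement sets into candidate roles, deriving a hierarchy from strict-subset relationships, and exposing one tuning parameter (`min_members`) that shows the over-fitting effect the slide warns about. The user and entitlement names are constructed sample data.

```python
from collections import defaultdict
from itertools import permutations

# Constructed sample (not from any real system): user -> entitlements held today
ASSIGNMENTS = {
    "hank":  {"vpn"},
    "ivy":   {"vpn"},
    "alice": {"vpn", "gl_read"},
    "bob":   {"vpn", "gl_read"},
    "carol": {"vpn", "gl_read", "gl_post"},
    "dave":  {"vpn", "gl_read", "gl_post"},
    "erin":  {"vpn", "crm_read"},
    "frank": {"vpn", "crm_read"},
    "grace": {"vpn", "crm_read", "crm_admin"},  # only one person holds this combination
}


def mine_roles(assignments, min_members=2):
    """Bottom-up candidate roles: users holding an identical entitlement set share a role.
    Combinations held by fewer than min_members users stay as per-user exceptions
    instead of becoming single-member roles (the over-fitting case)."""
    groups = defaultdict(set)
    for user, perms in assignments.items():
        groups[frozenset(perms)].add(user)
    roles, exceptions = {}, {}
    # Deterministic naming: smaller entitlement sets are numbered first
    for perms, users in sorted(groups.items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        if len(users) >= min_members:
            roles[f"R{len(roles) + 1}"] = {"permissions": set(perms), "members": set(users)}
        else:
            for user in users:
                exceptions[user] = set(perms)
    return roles, exceptions


def build_hierarchy(roles):
    """A senior role inherits a junior role when the junior's permissions are a strict
    subset of the senior's. Returns only direct links (transitive ones are dropped)."""
    inherits = {name: set() for name in roles}
    for junior, senior in permutations(roles, 2):
        if roles[junior]["permissions"] < roles[senior]["permissions"]:
            inherits[senior].add(junior)
    direct = {}
    for senior, juniors in inherits.items():
        direct[senior] = {
            j for j in juniors
            if not any(j in inherits[k] for k in juniors if k != j)
        }
    return direct


def coverage(assignments, roles):
    """Share of (user, entitlement) pairs explained by role membership."""
    total = sum(len(perms) for perms in assignments.values())
    explained = sum(len(r["permissions"]) * len(r["members"]) for r in roles.values())
    return explained / total


if __name__ == "__main__":
    for min_members in (2, 1):
        roles, exceptions = mine_roles(ASSIGNMENTS, min_members)
        hierarchy = build_hierarchy(roles)
        print(f"min_members={min_members}: {len(roles)} roles, "
              f"{len(exceptions)} exceptions, coverage={coverage(ASSIGNMENTS, roles):.0%}")
        for name, role in roles.items():
            print(f"  {name} perms={sorted(role['permissions'])} "
                  f"members={sorted(role['members'])} inherits={sorted(hierarchy[name])}")
```

With `min_members=2` the sample yields four roles, a hierarchy in which the GL posting role inherits the GL viewing role, and one user left as an exception; with `min_members=1` coverage reaches 100% but only because every unique combination has become its own role, which is exactly the over-fitted model that is obsolete as soon as one person changes jobs.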
RBAC Modeling
• Role definition processes
• Role management review for HR updates (reorg, new job codes, etc.)
• Role review for application changes (new system, retired system, new features)
• Iterative approach and instant feedback
[Diagram: Split Roles, Combine Roles and Rules for Roles, illustrated with Roles A, B, C, X, Y and Z]
RBAC Definition Lifecycle
• Role definition iterations: organizational role definition (business view); application role definition (system view)
• Cycle: Cleanup, Define, Test, Publish, Examine
• Empowerment and knowledge transfer
• Structured steps of interviews, data gathering, engineering, and tests to produce roles
• Role quality
RaPM: Role Analysis
• The Analysis Catalog provides different analyses to help determine potential role members/permissions
• Ensure membership/permissions are accurate
• Ability to view granular user/permission details in analysis results
A single, statically assigned RBAC role can be associated with a specific set of entitlements (permissions), e.g. VPN access, access to GL.
A dynamic RBAC role can inherit a collection of roles that relate to a job family, which can be organization-wide, divisional, or location-based, represented by person type.
[Diagram: a Business Role (dynamic role) composed of several Roles, each mapped to Application/System Entitlements; Dynamic and Adaptive Access Control driven by an Analytics Engine]
RaPM: Membership Qualifier
• Configure multiple conditions
• Automatically associates users with a role
• Use analysis results to help build out qualifiers
• Membership view indicates members assigned directly or by qualifier
Separation of Duties
Separation of duty constraints and policies, both static and dynamic, in a role model
[Diagram: Users, Roles, Permissions, Role Hierarchy, Sessions and SOD Constraints]
RaPM: Separation of Duties (SOD)
• Alert when users are in a disallowed combination of roles
• Indicates SOD configuration problems (inevitable conflicts)
• Details users/roles in conflict
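The static/dynamic role slide, the membership-qualifier slide and the SOD slides above each describe one piece of a role model without showing how the pieces interact. The example below is added here and is not RaPM or ISIM code: it is a minimal RBAC model in which static roles are assigned explicitly, a dynamic role gains members through a qualifier evaluated against HR attributes, a role hierarchy makes senior roles inherit junior ones, static SoD constraints are detected on the effective (inherited) role set, and dynamic SoD constraints are enforced when roles are activated in a session. All role, permission and person names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Role:
    name: str
    permissions: Set[str] = field(default_factory=set)
    juniors: Set[str] = field(default_factory=set)          # roles inherited by this role
    qualifier: Optional[Callable[[dict], bool]] = None      # present => dynamic role


@dataclass
class Person:
    uid: str
    attrs: dict                                             # HR-fed attributes
    static_roles: Set[str] = field(default_factory=set)     # explicit assignments


class RbacModel:
    def __init__(self):
        self.roles: Dict[str, Role] = {}
        self.static_sod: Set[frozenset] = set()   # may never be held together
        self.dynamic_sod: Set[frozenset] = set()  # may be held, never activated together

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def assigned_roles(self, person: Person) -> Set[str]:
        """Static assignments plus every dynamic role whose qualifier matches."""
        dynamic = {r.name for r in self.roles.values()
                   if r.qualifier is not None and r.qualifier(person.attrs)}
        return set(person.static_roles) | dynamic

    def effective_roles(self, names) -> Set[str]:
        """Close a role set over the hierarchy (senior roles pull in their juniors)."""
        seen, stack = set(), list(names)
        while stack:
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                stack.extend(self.roles[name].juniors)
        return seen

    def permissions(self, person: Person) -> Set[str]:
        return set().union(*(self.roles[r].permissions
                             for r in self.effective_roles(self.assigned_roles(person))))

    def static_sod_conflicts(self, person: Person) -> Set[frozenset]:
        """Static SoD is checked on effective roles, so inherited roles count too."""
        effective = self.effective_roles(self.assigned_roles(person))
        return {pair for pair in self.static_sod if pair <= effective}

    def open_session(self, person: Person, activate: Set[str]) -> Set[str]:
        """Dynamic SoD: refuse to activate a conflicting combination in one session.
        Returns the permissions active in the session."""
        not_held = set(activate) - self.assigned_roles(person)
        if not_held:
            raise PermissionError(f"{person.uid} does not hold {sorted(not_held)}")
        effective = self.effective_roles(activate)
        conflicts = {pair for pair in self.dynamic_sod if pair <= effective}
        if conflicts:
            raise PermissionError(f"dynamic SoD conflict: {[sorted(p) for p in conflicts]}")
        return set().union(*(self.roles[r].permissions for r in effective))


def build_sample_model() -> RbacModel:
    """Constructed example model; names are illustrative only."""
    m = RbacModel()
    m.add_role(Role("employee", {"vpn"}))
    m.add_role(Role("gl_viewer", {"gl_read"}, juniors={"employee"}))
    m.add_role(Role("gl_poster", {"gl_post"}, juniors={"gl_viewer"}))
    m.add_role(Role("gl_approver", {"gl_approve"}, juniors={"gl_viewer"}))
    m.add_role(Role("helpdesk", {"pw_reset"}, juniors={"employee"}))
    m.add_role(Role("security_admin", {"policy_edit"}, juniors={"employee"}))
    # Dynamic role: membership comes from the HR attribute, not from a request
    m.add_role(Role("finance_staff", {"expense_submit"}, juniors={"gl_viewer"},
                    qualifier=lambda a: a.get("department") == "finance"))
    m.static_sod.add(frozenset({"gl_poster", "gl_approver"}))
    m.dynamic_sod.add(frozenset({"helpdesk", "security_admin"}))
    return m


ALICE = Person("alice", {"department": "finance"}, {"gl_poster"})
BOB = Person("bob", {"department": "finance"}, {"gl_poster", "gl_approver"})
CAROL = Person("carol", {"department": "it"}, {"helpdesk", "security_admin"})

if __name__ == "__main__":
    model = build_sample_model()
    for person in (ALICE, BOB, CAROL):
        print(person.uid, sorted(model.assigned_roles(person)),
              sorted(model.permissions(person)), model.static_sod_conflicts(person))
```

Two design points are worth noting when reviewing a model like this. Checking static SoD on the effective rather than the directly assigned roles catches conflicts introduced by inheritance, which a review of direct assignments alone would miss. And a dynamic constraint deliberately lets a person hold both roles; what it forbids is using them in the same session, so the check belongs at activation time and not at assignment time.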
RBAC Administration Lifecycles
[Diagram: HR, IT and Info. Sec. feeding RBAC roles, with Role Approver, Business Owner and Audit Review in the loop]
• HR: a re-org, new data such as org type, physical location, job title, cost center, or the retirement of any of these…
• IT: a new application or system, a new group is added, a group or system is consolidated or retired
• Roles are analyzed, changes are proposed, and a draft is circulated
• Roles are published and ready for use
Attestation (tactical); Request Based (mid range); IdM Integrated (strategic)
Role-Based Access Control
RaPM: Reports
TCR/Cognos-based reports: Operations report, Permissions report, Roles report, User Access report
Role Lifecycle Manager
Business Process Manager: approval request sent to role owner(s); attach role reports to the approval request for more details
Relationship between RBAC and Identity Provisioning - Mature
[Diagram: an HR data feed drives a Role Profile made up of Roles; Identity Management performs automatic permission assignment to user accounts, while Security Administration performs manual permission assignment]
Integration: Role and Policy Modeler
Real World Role Automation
RaPM: Export Project
Generates XML containing: roles, separation of duty constraints, user-to-role assignments (optional). Immediately consumable by the ITIM Load utility.
RaPM: ITIM Load Utility
Loads the exported roles/SODs/user-to-role assignments. The preview option shows the number of: new or modified roles, modified hierarchies, new or modified separation of duty constraints, user-to-role assignments to be added or deleted.
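The export and load slides describe a dry-run preview that counts what a load would change before anything is provisioned. The example below is added here and uses a hypothetical XML layout of its own, not the RaPM export format or the ITIM Load utility: it serializes a role model (roles, hierarchy, SoD constraints, optional user-to-role assignments) to XML, parses it back, and diffs it against the current provisioning state to produce the same kind of counts the slide lists. Both models are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Hypothetical export schema for this example only (not the RaPM/ITIM file format).
# A model is: roles {name: permissions}, hierarchy {name: inherited roles},
# sod {constraint name: conflicting roles}, assignments {uid: roles}.

CURRENT_STATE = {   # constructed: what the provisioning system holds today
    "roles": {"employee": {"vpn"}, "gl_viewer": {"gl_read"}, "gl_approver": {"gl_approve"}},
    "hierarchy": {"employee": set(), "gl_viewer": {"employee"}, "gl_approver": {"gl_viewer"}},
    "sod": {},
    "assignments": {"alice": {"gl_viewer"}, "bob": {"gl_viewer"}, "carol": {"employee"}},
}

EXPORTED_MODEL = {  # constructed: the model produced by a modeling project
    "roles": {"employee": {"vpn"}, "gl_viewer": {"gl_read", "gl_report"},
              "gl_approver": {"gl_approve"}, "gl_poster": {"gl_post"}},
    "hierarchy": {"employee": set(), "gl_viewer": {"employee"},
                  "gl_approver": {"gl_viewer"}, "gl_poster": {"gl_viewer"}},
    "sod": {"post_vs_approve": {"gl_poster", "gl_approver"}},
    "assignments": {"alice": {"gl_poster"}, "bob": {"gl_viewer"}, "dave": {"employee"}},
}


def model_to_xml(model):
    """Serialize a model to the hypothetical XML export."""
    root = ET.Element("roleModel")
    for name, perms in sorted(model["roles"].items()):
        role = ET.SubElement(root, "role", name=name)
        for junior in sorted(model["hierarchy"].get(name, ())):
            ET.SubElement(role, "inherits", role=junior)
        for perm in sorted(perms):
            ET.SubElement(role, "permission", name=perm)
    for name, roles in sorted(model["sod"].items()):
        sod = ET.SubElement(root, "sod", name=name)
        for rn in sorted(roles):
            ET.SubElement(sod, "role", name=rn)
    for uid, roles in sorted(model["assignments"].items()):
        user = ET.SubElement(root, "user", uid=uid)
        for rn in sorted(roles):
            ET.SubElement(user, "role", name=rn)
    return ET.tostring(root, encoding="unicode")


def xml_to_model(text):
    """Parse the hypothetical XML export back into a model."""
    root = ET.fromstring(text)
    model = {"roles": {}, "hierarchy": {}, "sod": {}, "assignments": {}}
    for role in root.findall("role"):
        name = role.get("name")
        model["roles"][name] = {p.get("name") for p in role.findall("permission")}
        model["hierarchy"][name] = {i.get("role") for i in role.findall("inherits")}
    for sod in root.findall("sod"):
        model["sod"][sod.get("name")] = {r.get("name") for r in sod.findall("role")}
    for user in root.findall("user"):
        model["assignments"][user.get("uid")] = {r.get("name") for r in user.findall("role")}
    return model


def preview_load(current, incoming):
    """Dry run: count what loading `incoming` into `current` would change.
    Users not mentioned in the export keep their assignments (the export's
    user-to-role section is optional), so only listed users can lose roles."""
    counts = {"new_roles": 0, "modified_roles": 0, "modified_hierarchies": 0,
              "new_sod": 0, "modified_sod": 0, "assignments_added": 0, "assignments_deleted": 0}
    for name, perms in incoming["roles"].items():
        if name not in current["roles"]:
            counts["new_roles"] += 1
        elif perms != current["roles"][name]:
            counts["modified_roles"] += 1
    for name, juniors in incoming["hierarchy"].items():
        if juniors != current["hierarchy"].get(name, set()):
            counts["modified_hierarchies"] += 1
    for name, roles in incoming["sod"].items():
        if name not in current["sod"]:
            counts["new_sod"] += 1
        elif roles != current["sod"][name]:
            counts["modified_sod"] += 1
    for uid, roles in incoming["assignments"].items():
        held = current["assignments"].get(uid, set())
        counts["assignments_added"] += len(roles - held)
        counts["assignments_deleted"] += len(held - roles)
    return counts


if __name__ == "__main__":
    xml_text = model_to_xml(EXPORTED_MODEL)
    print(preview_load(CURRENT_STATE, xml_to_model(xml_text)))
```

The preview is where a reviewer catches a model that would silently strip access: in the sample, alice's move from `gl_viewer` to `gl_poster` shows up as one addition and one deletion, which is the kind of change that deserves a look before the load runs. The choice to leave users absent from the export untouched is a design decision of this example, made because the assignments section is optional; an export intended to be authoritative would treat missing users as deletions instead.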
Role and Policy Modeler Highlights
• Role management capabilities are integral to the Security Identity Manager: integrated built-in functionality in one package, rather than 2 or 3 from competitors; costs less than comparable solutions in the market
• Integration and automation provide immediately effective operations
• Simple yet sophisticated role modeling helps accelerate results: a business-user-centric web UI ensures faster adoption and easy deployment; powerful built-in analytics guide the role analyst in generating a timely role structure; IBM's solid technology and experience with roles built into a product
• Flexibility to adapt to client-specific IT processes: handles scale and large access data sources with a project-based approach; extensible policy and graphical role model to analyze particular enterprise scenarios; offers a business process automation platform to quickly get stakeholder validation
• Ability to drive IAM Governance beyond role management: customers can easily deploy and integrate run-time enforcement (entitlement management) with IBM's Identity and Access Management Governance strategy; Security Intelligence: identity analytics in role modeling provide valuable business insight, helping customers achieve the next level of security alignment with the business
Role Based Access Management improves compliance postures and reduces the cost of administration in an evolving IT environment… but there are still challenges achieving this goal
The traditional solution for role modeling generates results that are obsolete by the time they are ready
ABAC, RuBAC, ZBAC …
This is about 60% business process consulting and 40% tool. You need both to be strong to get to the 100%.
[Diagram: the traditional manual cycle: written report, manual data collection, face-to-face collection, consult, reject, written reports, certify, manual enforcement, spreadsheet evaluation, face-to-face approvals]
Summing up
RBAC Change Control and Notification Processes
• Foundational processes will allow the business to keep the organizational structure up to date on systems
• Foundational processes will allow the business to keep system entitlements clean and up to date
• After foundational processes are implemented and RBAC is in place, these processes can be leveraged and integrated with RBAC management processes