Page 1:

Kuppinger Cole Virtual Conference: The Three Elements of Access Governance

Martin Kuppinger, Kuppinger Cole

[email protected]

December 8th, 2009

This virtual conference is sponsored by Axiomatics and Oracle

Page 2:

© Kuppinger Cole 2009 Page 2

www.id-conf.com/eic2010

• MARKET MATURITY

• REGULATION, PRIVACY, INFORMATION SECURITY

• GOVERNANCE, MITIGATING RISK

• CLOUD COMPUTING & TRUST

• ROLES AND ATTRIBUTES

• AUTHENTICATION & AUTHORIZATION

CREATING MORE VALUE FOR LESS THROUGH IDENTITY MANAGEMENT & GRC

Call for Speakers: http://www.id-conf.com/events/eic2010/callforspeakers

Sponsors/Exhibitors:

http://www.id-conf.com/events/eic2010/sponsorinfo

Page 3:

Virtual Conference

Enterprise Access Governance: Controlling Access, Ensuring Information Security

www.kuppingercole.com/webinars

DECEMBER 8-9, 2009

• How to efficiently mitigate your “access risks”

• Full Access Governance – combining access certification, role management, provisioning, and privileged access management

• RBAC vs. ABAC: Comparing Role Based and Attribute based Access

• The business view – Enterprise GRC vs. IT-GRC and where they should be linked

• Mitigating application security risks

• How does Access Governance fit into your GRC roadmap?

Page 4:

Kuppinger Cole Reports

Some of the current reports:

• Market Report Cloud Computing

• Product Report Radiant Logic Virtual Directory Server

• Vendor Report Arcot Systems

• Product Report Sun Identity Manager

• Vendor Report ActivIdentity

• Trend Report Enterprise Role Management

• Vendor Report Quest Software

• Product Report SailPoint IdentityIQ

• Vendor Report BHOLD 2009

• Vendor Report Entrust 2009

• Vendor Report Oracle 2009

• Vendor Report Evidian

• Business Report Key Risk Indicators

http://www.kuppingercole.com/reports

Page 5:

Some guidelines for the Webinar

You will be muted centrally. You don't have to mute/unmute yourself – we can control the mute/unmute features

We will record the Webinar

Q+A will be at the end – you can ask questions using the Q+A tool anytime which we will pick at the end or, if appropriate, during the Webinar

Page 6:

Agenda

Part 1, Martin Kuppinger:

• The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access Management

Part 2:

• Q+A

Page 7:

Access Governance defined

Access Governance

• Access: managing access to systems and information – who is allowed to do what?

• Governance: enforcing a good practice of management – in that case particularly for IT

Context: IAM

• Identity and Access Management: the management of identities and their access

• It's mainly about access – but we need identities for that

Context: GRC

• Governance, Risk Management, and Compliance

• Governance as the basic concept

• Risk Management and Compliance as elements of Governance

Context: Information Security

• Information Security is the business term

• That's why we mainly deal with topics like IAM and Access Governance

Page 8:

The three elements of Access Governance

The main elements (diagram, recovered labels): two dimensions, Analysis and Management, across the types of accounts, "Standard" user and admin user.

• Analysis: Attestation/Recertification, Auditing

• Management: Authorization Management, Privileged Account Management

Page 9:

Attestation and Recertification: Analyzing the situation

Attestation/Recertification: the (manual) process of having responsible persons going through existing access controls (authorizations, entitlements) and attesting or revoking them

• Manual control process

• Regularly performed at the departmental manager level (but be careful on that)

• Supported by escalations and other procedures

Page 10:

The need for attestation: 5 good reasons

• Attestation is a first step to clean up access controls

• Attestation is (if done right) a continuous audit mechanism

• Attestation can show issues in identity and access lifecycle management

• Attestation educates users about the need for security

• Attestation can decrease access-control-related IT security risks and the operational risks that depend on them

Page 11:

Approaches to attestation

Example of vendor rating, from worse to good:

• One-way, audit-oriented → Two-way, actionable

• Single-layered → Multi-layered

• Point-of-time → Continuous

• Undifferentiated → Risk-based

Page 12:

Technical approaches

• Attestation as singular solution

• Attestation as part of IAM-GRC platforms

• Attestation as part of overall GRC platforms

• Identity Provisioning w/ reconciliation

• Attestation features in Provisioning

• Expand/integrate/move to IAM-GRC platforms

Page 13:

Threat: Multi-layered attestation

Multi-layered attestation (diagram, recovered labels, top layer first):

• Layer: System Security / Access Control; responsible: System Administration

• Attestation question: Correct Access Controls? (Identity Management + System Administration)

• Layer: System Roles (Groups, Roles, Profiles); responsible: Identity Management

• Attestation question: Correct Assignments? (Business IT + Identity Management)

• Layer: Business Roles (Job, Hierarchy, Location, Project, …); responsible: Business IT

• Attestation question: Correct Business Roles? (Management + Business IT)

• Layer: Employees (Tasks, Projects, …); responsible: Management
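The attestation process described on slides 9 to 13 (responsible persons attest or revoke, risk-based scoping, two-way actionable output instead of a read-only report, continuous rather than point-of-time, and one responsible party per layer) can be modelled as a small campaign engine. The Python below is an added example written for this page; it is not code from Kuppinger Cole or from any vendor named in the deck. The layer names, the risk scores, the re-review intervals, the escalation map and the sample items are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed mapping of the four attestation layers on the slide to the party
# responsible at that layer. The layer identifiers are this example's own.
LAYERS = {
    "access_control": "system_administration",  # Correct access controls on the system?
    "assignment":     "identity_management",    # Correct group/role/profile assignments?
    "business_role":  "business_it",            # Correct business roles?
    "employee_task":  "management",             # Do the employee's tasks justify the role?
}


@dataclass
class Item:
    item_id: str
    layer: str
    subject: str                      # user, role or system the item is about
    entitlement: str
    reviewer: str                     # responsible person at this layer
    risk: int                         # 1 (low) .. 5 (high), constructed score
    decision: Optional[str] = None    # "attest" or "revoke"
    decided_on: Optional[date] = None


@dataclass
class Campaign:
    started: date
    deadline_days: int
    min_risk: int                     # risk-based: review only items at or above this risk
    escalation_of: dict               # reviewer -> escalation target
    items: list = field(default_factory=list)

    def add(self, item: Item) -> None:
        if item.layer not in LAYERS:
            raise ValueError(f"unknown layer {item.layer!r}")
        self.items.append(item)

    def in_scope(self) -> list:
        """Risk-based scoping: low-risk items are not pushed to a human reviewer."""
        return [i for i in self.items if i.risk >= self.min_risk]

    def record(self, item_id: str, decision: str, on: date) -> None:
        if decision not in ("attest", "revoke"):
            raise ValueError("decision must be 'attest' or 'revoke'")
        for it in self.items:
            if it.item_id == item_id:
                it.decision, it.decided_on = decision, on
                return
        raise KeyError(item_id)

    def actions(self, today: date):
        """Two-way, actionable output: revocations to hand to provisioning and
        overdue reviews to escalate, instead of a report nobody acts on."""
        due = self.started + timedelta(days=self.deadline_days)
        revocations, escalations = [], []
        for it in self.in_scope():
            if it.decision == "revoke":
                revocations.append((it.subject, it.entitlement))
            elif it.decision is None and today > due:
                target = self.escalation_of.get(it.reviewer, "ciso")
                escalations.append((it.item_id, it.reviewer, target))
        return revocations, escalations

    def rereview_due(self, today: date) -> list:
        """Continuous rather than point-of-time: attested high-risk items come
        back sooner. The 30/180 day intervals are constructed values."""
        out = []
        for it in self.in_scope():
            if it.decision != "attest":
                continue
            interval = 30 if it.risk >= 5 else 180
            if today >= it.decided_on + timedelta(days=interval):
                out.append(it.item_id)
        return out

    def layer_status(self) -> dict:
        """Per-layer progress, so each responsible party can be tracked separately."""
        status = {}
        for layer, owner in LAYERS.items():
            scoped = [i for i in self.in_scope() if i.layer == layer]
            done = sum(1 for i in scoped if i.decision is not None)
            status[layer] = {"owner": owner, "open": len(scoped) - done, "done": done}
        return status


def build_demo_campaign() -> Campaign:
    """Constructed sample data: one item per layer plus a low-risk item out of scope."""
    c = Campaign(started=date(2009, 12, 1), deadline_days=14, min_risk=3,
                 escalation_of={"mgr.sales": "head.sales", "admin.unix": "it.ops.lead"})
    c.add(Item("i1", "access_control", "srv-erp-01", "local_admin_group", "admin.unix", risk=5))
    c.add(Item("i2", "assignment", "user.x", "SAP_FI_PAYMENTS", "idm.team", risk=4))
    c.add(Item("i3", "business_role", "Role:AP_Clerk", "includes SAP_FI_PAYMENTS", "bizit.fin", risk=3))
    c.add(Item("i4", "employee_task", "user.x", "Role:AP_Clerk", "mgr.sales", risk=4))
    c.add(Item("i5", "assignment", "user.y", "INTRANET_READ", "idm.team", risk=1))  # below min_risk
    c.record("i1", "attest", date(2009, 12, 3))
    c.record("i2", "revoke", date(2009, 12, 5))
    c.record("i3", "attest", date(2009, 12, 5))
    # i4 stays undecided: the departmental manager never answered
    return c


if __name__ == "__main__":
    c = build_demo_campaign()
    print(c.actions(date(2009, 12, 20)))
    print(c.rereview_due(date(2010, 1, 5)))
    print(c.layer_status())
```

Run past the deadline, the undecided management-layer item is escalated rather than silently left open, and the revocation is returned as a concrete (subject, entitlement) pair that a provisioning system can execute, which is what makes the campaign "two-way" in the sense of slide 11.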

Page 14:

More Analysis: Adding Automated Controls

Automated Controls support the ongoing analysis and (potentially) the realtime detection of issues

Advanced analysis mechanisms support the ad hoc analysis

Specific attestation/recertification solutions typically support at least ad hoc controls

Relevant as well for typical day-by-day IT operations

Page 15:

The situation

• Increasing pressure on IT management and operations

• Growing number of compliance regulations

• Increasing awareness of the need for IT Governance

• Increasing complexity of IT environments – breadth and depth

• Changing role of IT – less autonomy, more focus on efficient fulfillment

• More fear and awareness of security breaches

Page 16:

The result

More requests

More answers to provide

Less time to deliver

Higher workload for fewer people

Operational work is heavily affected


Page 17:

The real world of core systems

• Many servers, different systems

• Different operators, frequently some inconsistency in operations

• Large amount of data

• Large amount of controls

Answering questions like "what has Mr. X done when" requires:

• access to different systems at a detailed level

• strong capabilities in mapping and normalizing data

• strong analytic capabilities

• good reporting tools

Page 18:

The Reality: Missing auditability

Which systems are out there? – Few enterprises know them all

Which users have access to which systems? – Sometimes known for central systems, if there is a provisioning tool deployed (sometimes even via E-SSO)

Which granular entitlements do they have? – Usually insufficiently solved, even for core systems like Active Directory and SAP
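Slides 17 and 18 name the practical obstacles: many different systems, each with its own export format and account naming, so the data has to be mapped and normalized before "which users have access to which systems, with which granular entitlements" and "what has Mr. X done when" can be answered at all. The Python below is an added example for this page, not code from Kuppinger Cole or from any product. The two export layouts (loosely modelled on a directory export and an ERP user export), the HR file, the audit lines and the list of critical entitlements are constructed; no real vendor format is implied.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample exports; the field names only serve to show the mapping step.
AD_EXPORT = """\
sAMAccountName,memberOf,employeeID
jdoe,"CN=Domain Admins,OU=Groups,DC=corp,DC=example;CN=Finance,OU=Groups,DC=corp,DC=example",E1001
svc_backup,"CN=Backup Operators,OU=Groups,DC=corp,DC=example",
msmith,"CN=Finance,OU=Groups,DC=corp,DC=example",E1002
"""
SAP_EXPORT = """\
BNAME|PROFILE|PERSNO
JDOE|SAP_ALL|E1001
MSMITH|Z_FI_DISPLAY|E1002
OLDUSER|Z_FI_PAYMENT|E0999
"""
HR_EXPORT = """\
employee_id,name,status
E1001,Jane Doe,active
E1002,Mark Smith,active
E0999,Former Employee,left
"""
# Constructed audit lines as (system, raw line); both systems are assumed to log in UTC.
AUDIT_LINES = [
    ("AD", "2009-12-08T09:15:02Z jdoe LOGON WS-042"),
    ("SAP", "08.12.2009 10:41:30 JDOE F110 PAYMENT_RUN"),
    ("AD", "2009-12-08T11:02:11Z msmith LOGON WS-017"),
]
HIGH_RISK = {"Domain Admins", "SAP_ALL"}   # constructed list of critical entitlements


def parse_ad(text):
    """Directory-style export: one row per account, group DNs joined with ';'."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for dn in r["memberOf"].split(";"):
            rdn = dn.split(",")[0]
            name = rdn[3:] if rdn.startswith("CN=") else rdn
            rows.append({"system": "AD", "account": r["sAMAccountName"].lower(),
                         "entitlement": name, "employee_id": r["employeeID"] or None})
    return rows


def parse_sap(text):
    """ERP-style export: pipe-separated, one row per user and profile."""
    return [{"system": "SAP", "account": r["BNAME"].lower(),
             "entitlement": r["PROFILE"], "employee_id": r["PERSNO"] or None}
            for r in csv.DictReader(io.StringIO(text), delimiter="|")]


def load_hr(text):
    return {r["employee_id"]: r["status"] for r in csv.DictReader(io.StringIO(text))}


def access_by_identity(records):
    """Which users have access to which systems, with which granular entitlements?
    Accounts that map to no identity stay visible under an UNMAPPED key."""
    view = defaultdict(lambda: defaultdict(set))
    for r in records:
        key = r["employee_id"] or f"UNMAPPED:{r['system']}:{r['account']}"
        view[key][r["system"]].add(r["entitlement"])
    return {k: {s: sorted(e) for s, e in v.items()} for k, v in view.items()}


def findings(records, hr):
    """Automated controls over the normalized data: unmapped accounts, accounts whose
    owner has left (orphans) and critical entitlements that deserve a closer look."""
    out = []
    for r in records:
        eid = r["employee_id"]
        if eid is None:
            out.append(("unmapped_account", r["system"], r["account"]))
        elif hr.get(eid) != "active":
            out.append(("orphaned_account", r["system"], r["account"]))
        if r["entitlement"] in HIGH_RISK:
            out.append(("high_risk_entitlement", r["system"], r["account"]))
    return out


def parse_event(system, line):
    """Each system has its own timestamp format and account naming; normalize both."""
    if system == "AD":
        ts, account, action = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    else:
        day, clock, account, action = line.split(" ", 3)
        when = datetime.strptime(f"{day} {clock}", "%d.%m.%Y %H:%M:%S")
    return when, account.lower(), action


def timeline(employee_id, records, lines):
    """'What has Mr. X done when': collect the person's accounts across systems,
    then merge the matching events into one time-ordered list."""
    accounts = {(r["system"], r["account"]) for r in records if r["employee_id"] == employee_id}
    events = []
    for system, line in lines:
        when, account, action = parse_event(system, line)
        if (system, account) in accounts:
            events.append((when, system, action))
    return sorted(events)


if __name__ == "__main__":
    recs = parse_ad(AD_EXPORT) + parse_sap(SAP_EXPORT)
    for f in findings(recs, load_hr(HR_EXPORT)):
        print(f)
    for ev in timeline("E1001", recs, AUDIT_LINES):
        print(ev)
```

The value of the normalization step shows in the last function: once every account is tied to an employee id, the same person's activity in the directory and in the ERP system can be merged into one timeline, which is not possible while the two logs still speak of "jdoe" and "JDOE" in different timestamp formats.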

Page 19:

Auditing, SIEM, Operations Management

System-level Auditing: current state and historical data; ex post; security-focused; mainly access controls

SIEM: current events, sometimes historical; real time; security-focused; all types of security events, frequently more "classical security" than access controls

Operations Management: current events; real time; operations-focused, all types of operational aspects; all types of events

Page 20:

Approaches to audit optimization

Integration

• Define the required elements – less is more

• Platforms help – few platforms are better than many point solutions

• Integrate these elements to support drill-down

Automation

• Focus on automated collection and strong analytical capabilities

Page 21:

Authorization Management: Closing the loop

The different terms – all about the same

• Access Control

• Authorization Management

• Entitlement Management

Authorization Management

• Actively managing access

• Not detective, but preventive


Page 22:

Authorization Management: Closing the loop

Diagram (recovered labels): a loop between Managing Authorizations and Analysis and Recertification

Page 23:

Authorization Management: Beyond Attestation

Business Policies

Business Roles

IT Management

IT Controls

Policies

Roles, Groups

Entitlements

Attestation


Page 24:

Multi-layered Authorization Management

• Management of detailed Entitlements (System and App level, might be XACML based, …)

• Assignment of Users to Groups, Roles, Profiles (Provisioning)

• Business Policies
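Slides 21 to 24 separate detective analysis from preventive authorization management and spread the latter over three layers: business policies, assignment of users to roles (provisioning) and the detailed entitlements each role resolves to. The Python below is an added example for this page, not Kuppinger Cole's code or any vendor's; the roles, the segregation-of-duties rules, the role-to-entitlement mapping and the legacy state are constructed. It evaluates the same business policy preventively, at request time, and detectively, over what is already provisioned, which is the "closing the loop" of slide 22.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SodRule:
    """Business policy: one person must not hold both roles (segregation of duties)."""
    rule_id: str
    left: str
    right: str
    reason: str


@dataclass
class AuthorizationStore:
    """The three layers from the slide: business policies, assignment of users to
    roles (provisioning), and the detailed entitlements each role resolves to."""
    policies: List[SodRule]
    role_entitlements: Dict[str, Set[str]]                          # role -> system-level entitlements
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles
    exceptions: Set[Tuple[str, str]] = field(default_factory=set)   # approved (user, rule_id)

    def effective_entitlements(self, user: str) -> Set[str]:
        """Resolve the role layer down to the granular, system-level layer."""
        ents: Set[str] = set()
        for role in self.assignments.get(user, set()):
            ents |= self.role_entitlements.get(role, set())
        return ents

    def violations(self, user: str, roles: Set[str]) -> List[SodRule]:
        """Evaluate every policy against a role set, honouring approved exceptions."""
        return [p for p in self.policies
                if p.left in roles and p.right in roles
                and (user, p.rule_id) not in self.exceptions]

    def request_role(self, user: str, role: str) -> Tuple[bool, List[str]]:
        """Preventive control: the policy is evaluated before anything is provisioned."""
        if role not in self.role_entitlements:
            raise KeyError(f"unknown role {role!r}")
        would_hold = self.assignments.get(user, set()) | {role}
        bad = self.violations(user, would_hold)
        if bad:
            return False, [b.rule_id for b in bad]
        self.assignments.setdefault(user, set()).add(role)
        return True, []

    def detective_scan(self) -> Dict[str, List[str]]:
        """Detective control over what is already provisioned; its output is the
        kind of finding an attestation campaign would put in front of a reviewer."""
        result = {}
        for user, roles in self.assignments.items():
            bad = self.violations(user, roles)
            if bad:
                result[user] = [b.rule_id for b in bad]
        return result


def build_demo() -> AuthorizationStore:
    """Constructed policies, roles and a legacy state that already violates SOD-02."""
    store = AuthorizationStore(
        policies=[
            SodRule("SOD-01", "Role:Vendor_Maintain", "Role:Payment_Run",
                    "could create a vendor and pay it"),
            SodRule("SOD-02", "Role:Payment_Run", "Role:Payment_Approve",
                    "could run and approve the same payment"),
        ],
        role_entitlements={
            "Role:Vendor_Maintain": {"SAP:Z_FI_VENDOR_CHANGE", "AD:Finance"},
            "Role:Payment_Run": {"SAP:Z_FI_PAYMENT", "AD:Finance"},
            "Role:Payment_Approve": {"SAP:Z_FI_APPROVE"},
            "Role:Reporting": {"SAP:Z_FI_DISPLAY"},
        },
    )
    # State as loaded from the target systems, before any preventive control existed
    store.assignments = {"legacy.user": {"Role:Payment_Run", "Role:Payment_Approve"}}
    return store


if __name__ == "__main__":
    s = build_demo()
    print(s.request_role("alice", "Role:Vendor_Maintain"))   # granted
    print(s.request_role("alice", "Role:Payment_Run"))       # denied by SOD-01
    print(s.detective_scan())                                # legacy.user violates SOD-02
```

The denied request never reaches provisioning, so the conflicting entitlement is not created in the first place; the legacy violation, which a preventive check alone can never see, is only found by the detective scan, which is why the slide deck insists on combining both.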

Page 25:

The Reality: Missing consistency

Consistent, centralized Authorization Management for heterogeneous environments?

• Windows, Active Directory, Exchange, SharePoint, …

• SAP, Enterprise Portals, other Business Applications, …

• Host, own applications, …

Page 26:

The Reality: Missing management

Diagram (recovered labels): Controls layer; Status analysis; System layer; Authorization Management

Page 27:

Privileged Account Management: Focus on sensitive accounts

Adding privileged accounts

How to control the access of users using these accounts?

Emerging field, not fully covered by existing approaches (neither detective nor preventive)


Page 28:

Many terms, one target

The terms:

• PAM: Privileged Account Management

• PIM: Privileged Identity Management

• PUM: Privileged User Management

• Root Account Management

The target:

• Controlling privileged accounts and how they are used

Page 29:

Privileged Accounts: Beyond "root"

Administrators:

• root

• Windows Administrators (Domain and local)

• Database Administrators

• …

Technical users:

• System accounts

• Service accounts

Page 30:

Why are these accounts that critical?

• Not necessarily associated with a single physical person

• Elevated Privileges

• High risk

• Missing Lifecycle Management

• Missing Auditability

Page 31:

PAM: The approaches

• Differentiated auditing of administrative activities

• Integration with Lifecycle Management approaches – no orphaned privileged accounts

• One-time passwords for privileged accounts

• Reduced entitlements of privileged accounts, for example using specialized shells

• Organizational actions

• Automatic generation of passwords for accounts without interactive logon

• Avoiding technical users

• SSO for privileged accounts
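Several of the approaches listed above (no orphaned privileged accounts, one-time passwords, generated passwords for accounts without interactive logon, differentiated auditing of administrative activities) translate directly into checks over a privileged-account inventory and the checkout log of a password vault. The Python below is an added example written for this page, not code from Kuppinger Cole or from any PAM product; the inventory, the 90-day password age, the HR statuses, the audit events and the checkout records are constructed, and the vault itself is hypothetical.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE = timedelta(days=90)              # constructed policy value
HR_STATUS = {"E1001": "active", "E0999": "left"}   # constructed lifecycle data


@dataclass
class PrivilegedAccount:
    system: str
    name: str
    kind: str                 # "admin", "service" or "system"
    owner: Optional[str]      # responsible person (employee id), None if nobody owns it
    shared: bool              # used by more than one person, e.g. root or Administrator
    interactive_logon: bool   # may the account log on interactively?
    checkout: bool            # password handed out one-time through a vault checkout
    password_set_on: date


def check_account(acc: PrivilegedAccount, today: date, hr=HR_STATUS) -> List[str]:
    """Controls derived from the PAM approaches on the slide; one string per finding."""
    issues = []
    if acc.owner is None or hr.get(acc.owner) != "active":
        issues.append("orphaned: no active owner in lifecycle management")
    if acc.kind in ("service", "system") and acc.interactive_logon:
        issues.append("technical account allows interactive logon")
    if acc.shared and not acc.checkout:
        issues.append("shared account without one-time/checkout password")
    if not acc.checkout and today - acc.password_set_on > MAX_PASSWORD_AGE:
        issues.append("password older than policy and not automatically rotated")
    return issues


def inventory_report(accounts, today):
    """(system, account) -> list of findings, empty when the account passes."""
    return {(a.system, a.name): check_account(a, today) for a in accounts}


# Checkout records from the hypothetical vault: (system, account, person, start, end)
Checkout = Tuple[str, str, str, datetime, datetime]


def attribute(audit_events, checkouts: List[Checkout]):
    """Differentiated auditing: tie activity of a shared account back to the person
    who had it checked out at that moment; anything else stays UNATTRIBUTED."""
    out = []
    for when, system, account, action in audit_events:
        person = "UNATTRIBUTED"
        for c_sys, c_acc, c_person, start, end in checkouts:
            if (c_sys, c_acc) == (system, account) and start <= when <= end:
                person = c_person
                break
        out.append((when, person, system, account, action))
    return out


def demo():
    """Constructed inventory, audit events and one checkout window."""
    today = date(2009, 12, 8)
    accounts = [
        PrivilegedAccount("srv-erp-01", "root", "admin", "E1001", True, True, False, date(2009, 1, 15)),
        PrivilegedAccount("srv-erp-01", "svc_backup", "service", "E0999", False, True, False, date(2009, 11, 1)),
        PrivilegedAccount("ad.corp", "Administrator", "admin", "E1001", True, True, True, date(2008, 6, 1)),
    ]
    events = [
        (datetime(2009, 12, 8, 10, 0), "srv-erp-01", "root", "restart backupd"),
        (datetime(2009, 12, 8, 14, 0), "srv-erp-01", "root", "edit crontab"),
    ]
    checkouts = [("srv-erp-01", "root", "jdoe",
                  datetime(2009, 12, 8, 9, 30), datetime(2009, 12, 8, 11, 0))]
    return inventory_report(accounts, today), attribute(events, checkouts)


if __name__ == "__main__":
    report, attributed = demo()
    for key, issues in report.items():
        print(key, issues)
    for row in attributed:
        print(row)
```

The shared domain Administrator account passes only because its password is handed out per checkout; the same account with a static password would be flagged twice. The second root session has no matching checkout and therefore stays unattributed, which is exactly the gap that "differentiated auditing" is meant to close.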

Page 32:

PAM market: Evolution

• Point solutions

• PAM suites

• Integration with Identity Lifecycle Management

• Application Security Infrastructures

• Identity Federation, End-to-End Security

• Changing Security Models at the System Level (OS, Business Apps, …)

Page 33:

Maturity Levels of PAM approaches

Missing. Status: No PAM at all. Tools: None. Risk: Very high.

Ad hoc. Status: Point solutions, typically for UNIX/Linux. Tools: Mainly sudo. Risk: Very high.

Unplanned. Status: Non-coordinated use of point solutions. Tools: PAM tools for specific system environments. Risk: Still high.

Isolated. Status: Coordinated use of PAM tools, but not integrated with other security approaches. Tools: Cross-platform PAM solutions. Risk: Reduced.

Integrated. Status: Integration of PAM with provisioning, Access Governance, and application architectures. Tools: Cross-platform PAM, provisioning, Access Governance, application security infrastructures. Risk: Minimized.

Page 34:

Putting it all together: Consistent strategies

• Define a strategy – go beyond tactics

• Understand the relationship between different GRC layers

• Combine reactive and preventive approaches

• Combine analysis/attestation and active management

• Focus on a small set of tools – keep it simple

Page 35:

Information Security and Access Governance

Access Governance (diagram, recovered labels):

• Attestation and Recertification

• Advanced Analysis and Auditing

• Authorization Management

• Privileged Account Management

Context: Information Security
