Access governance services from IBM and Aveksa

IBM Global Technology Services Thought Leadership White Paper

Access governance services from IBM and Aveksa
Ensure that only the right people can access their critical applications and data based on informed and reliable decisions

Business Analytics


Executive summary

Enterprise access governance is a fundamental business challenge facing every organization today. Enabling efficient and reliable user access to enterprise information resources, while also managing access-related business risk, is a key objective not only for information security teams but also for every senior executive and board of directors.

Enterprise access governance is the organizational approach that ensures only the right people can access their critical applications and data, based on informed and reliable decisions that are defensible to auditors and that meet internal and external security guidelines.

The operational imperative: efficiency versus security, compliance and risk

Since every facet of a business depends on information technology, organizations must provide access to information resources for an ever-increasing number of employees, consultants, partners and customers. The pace of business dictates that these users must get access quickly. Business users need access to do their jobs effectively, and delays translate directly into lost productivity.

And yet, giving users access to enterprise applications and data can carry significant risks: security risks such as fraud and the theft of intellectual property, and regulatory risks such as fines for being out of compliance with HIPAA, SOX or PCI. These security and regulatory risks translate into business risk, since the potential impact of an incident could cause grievous harm to an enterprise's brand, revenue or profitability.

The challenge facing most security teams, therefore, is to provide line-of-business (LOB) users with the access they need while ensuring that the access is appropriate and does not expose the enterprise to unnecessary business risk. Carefully choosing and deploying an enterprise access governance platform is the best way for security teams to balance the requirement for fast, flexible access delivery with the need to manage and mitigate access-related business risk.

The complexities of access management and governance: silos, scale and change

There are several issues that make access governance a complex endeavor in most organizations.

First, the last few decades have seen application infrastructure and applications evolve into security silos. While many applications use external directories (such as Microsoft Active Directory) as user account repositories, thereby externalizing authentication and sign-on, they continue to use their own entitlement store and authorization model, which makes obtaining a single view of "who has access to what" difficult.

The second key issue contributing to complexity is scale. An organization with 10,000 users may have as many as 10 million user entitlements. That is a lot of user entitlements for a security team to track! What makes the scale issue even harder to deal with is the pace of change: joiners, movers and leavers, mergers, acquisitions and reorganizations, and the on-boarding of applications or new compliance policies all change what is appropriate and what is not. A dynamic environment therefore leads to an ever-changing risk posture, unless there is a way to proactively manage changes and the risks that accompany them.

The emergence of cloud computing adds even more complexity, with a new silo for every new cloud service provider. There is also a new dimension to scale, since privileged access by an unknown community of service provider administrators becomes a requirement, and the pace of change is quicker since LOBs are asking for and obtaining new services on demand. All of this introduces even greater risk, and can make an enterprise's risk posture even more uncertain.

Enabling the business: the lines of business have the context

Providing LOB users with the access they need, efficiently dealing with access management and all of its complexities, and also managing business risk is a responsibility that has traditionally fallen on the security team in an organization. The leader of this team, whether a CIO, CISO, VP of Security or Director of Security, shoulders this burden despite the fact that IT security and operations teams have very little of the context needed for enterprise-wide access management. Most of this context lies within the LOBs: supervisors and other business managers understand what functional responsibilities people have, and business owners of specific applications or data resources understand how their applications are used and what policies are appropriate for them. Context relating to policy requirements lies either with risk, audit and compliance teams or with LOB managers. And yet, it is indeed IT security's job to "get access management done"!

That leads to the inescapable conclusion that the only way IT security can deliver on its own job responsibilities is to enable the LOBs to do what they are uniquely qualified to do. What is needed is a way for audit, risk and compliance teams to drive access-related policy requirements as they understand them, and for IT to translate those requirements into a set of operational activities that are, for the most part, fulfilled by LOB decisions and driven by business processes.

Many organizations choose to start with an Identity Management program, which is an excellent first step. But sometimes the project stalls and falls short of expectations, usually when trying to connect the provisioning process of creating and managing user access with business rules and policies. Integration is key to success, and Henrique Teixeira, Security Product Offering Manager and Advisory Identity and Access Management Architect at IBM Canada, states that access governance projects that succeed do so in most cases because of partnering with a major services integrator that has broad portfolio capabilities (software, hardware, and both professional and managed services) and a globally diversified resource culture.

Some customers still have experienced pains with current IAM solutions

• User provisioning products deliver value, but deployments can stall without scalable administration
• Web access management solutions fail when not integrated to offer business context
• Inability to manage business conflicts that arise from the granting of user access
• Lack of flexible and continuous validation of user access and remediation
• Poor integration with security information and event management for user activity monitoring
• Desire for more policy-based governance around IAM, but market fragmentation makes it difficult

The journey: a phased approach (or why Identity and Access Management alone is not enough)

The business process automation approach to access governance clearly has tremendous potential. But how do organizations put it into practice? Where do they start? How do they combine people, process and technology to chart a course for access governance nirvana?

The answer to these problems lies in an integrated, phased strategy that delivers step-by-step results. It starts with getting visibility into the reality of access within the enterprise and establishing business ownership and accountability; it then shifts to developing higher-level business abstractions to provide simplification and automation; and it ends with creating a business self-service and access change management process that delivers both operational efficiency and built-in security and compliance policy management.

Figure 2 below illustrates this pathway and outlines the capabilities required at each stage of the access governance journey.

[Figure 2: Access Governance Pathway. Four stages in order of increasing maturity: Visibility & Certification, Policy Management, Role Management, Request Management.]

Phase 1: Visibility & Certification

Having an accurate picture of the access reality of an organization is central to a sound access governance strategy. In the first phase, therefore, an organization should focus on two key capabilities.

First, organizations need to deploy systems that automatically capture the reality of their user access: collecting access (entitlement) data, cleaning up the captured data, and obtaining a single unified and normalized view of that reality. This process delivers data cleanup, access visibility and full transparency. Second, organizations need to be able to transform the technical view of access into a business view of access, so that LOB managers become accountable for reviewing who has access to what and so that access certifications can be automated and performed by the LOBs. Access certifications (reviews) are a critical compliance control for most organizations, and implementing an automated certification process is an excellent way to begin shifting ownership of access decisions to the business.

Phase 2: Policy Management

The second phase in our access governance roadmap is about capturing decision-making context and logic into a set of policies that are defined in terms of business rules, so that an access governance platform can automate much of the decision-making. When the rules trigger, one or more actions may be taken automatically. Organizations typically require the ability to define policies to detect and respond to Segregation-of-Duties (SOD) violations, as well as to handle the events that occur when an employee joins the organization, moves around within it, or leaves the organization (Joiner-Mover-Leaver rules).

In this access governance phase, organizations usually establish a process for defining and maintaining rules, evaluating rules against entitlements, triaging the resulting violations, and establishing robust Joiner-Mover-Leaver business processes.

Phase 3: Role Management

The next phase of the access governance journey tackles roles: abstractions that have huge potential to deliver simplification, but that can be somewhat harder to define and maintain. Roles are coarse-grained entitlements that provide a bridge between users and entitlements in order to achieve simplification. With roles in place, a pre-approved framework of access ensures that managers assigning, approving or reviewing access rarely deal with granular entitlements; they work at a more abstract level, reducing the number of interactions between people and software. That is how roles deliver the desired simplification and efficiency.

There are two key challenges with roles: first, defining them so that they deliver optimum value in terms of efficiency and simplification as described above, and second, maintaining them so that they continue to provide that business value despite all the changes occurring in the organization.

Phase 4: Request Management

An organization that has worked through the first three phases of the access governance roadmap has established both a business view of access and the abstractions to simplify and automate access management. The fourth and last phase of the roadmap leverages this business view and these abstractions to provide a self-service access request front-end for the business and an auditable, policy-compliant change management engine for IT on the back end. In this phase, an access change management process is put in place so that LOBs are fully enabled to invoke access requests without any knowledge of the infrastructure and details involved in servicing the requests.

Further, policy-based compliance is embedded into the end-to-end change management process, and the organization's stance shifts from detective compliance to proactive compliance, since access policies can be checked and enforced before access is granted.
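The Phase 1 and Phase 2 capabilities described above (collecting entitlement data from several application silos into one normalized "who has access to what" view, turning it into a business-level certification view, and evaluating Segregation-of-Duties and Joiner-Mover-Leaver rules against it) can be shown end to end in a small script. The following Python is an added illustration written for this page, not code from IBM, Aveksa or the platform the paper describes; the HR feed, the Active Directory, ERP and CRM exports, the account-to-person correlation table and the single SOD rule are all constructed sample data, and every function name is hypothetical.

```python
"""Constructed example: build a normalized "who has access to what" view from
several application silos, then evaluate Segregation-of-Duties (SOD) and
Joiner-Mover-Leaver policies against it.  All feeds, accounts, entitlement
names and the policy below are constructed for illustration only."""
from collections import defaultdict

# Authoritative identity source (constructed HR feed): person id -> attributes.
HR_FEED = {
    "p100": {"name": "Ana", "manager": "p900", "status": "active",     "dept": "finance"},
    "p101": {"name": "Ben", "manager": "p900", "status": "active",     "dept": "finance"},
    "p102": {"name": "Cy",  "manager": "p901", "status": "terminated", "dept": "sales"},
    "p900": {"name": "Dee", "manager": None,   "status": "active",     "dept": "finance"},
    "p901": {"name": "Eli", "manager": None,   "status": "active",     "dept": "sales"},
}

# Each silo keeps its own account naming and its own entitlement model
# (directory groups, ERP roles, CRM permissions).  Constructed exports.
AD_GROUPS = {"ana.f": ["Finance-Users"], "ben.f": ["Finance-Users"],
             "cy.s": ["Sales-Users"], "svc_old": ["Finance-Users"]}
ERP_ROLES = {"ANA": ["AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"], "BEN": ["AP_CREATE_VENDOR"]}
CRM_PERMS = {"cy@corp": ["crm.export_all"], "eli@corp": ["crm.admin"]}

# Account-to-person correlation (the "cleanup" step of Phase 1).  Accounts with
# no owner here surface as orphans in the unified view.
ACCOUNT_OWNER = {"ana.f": "p100", "ben.f": "p101", "cy.s": "p102", "ANA": "p100",
                 "BEN": "p101", "cy@corp": "p102", "eli@corp": "p901"}


def build_unified_view():
    """Return (entitlements, orphans).  entitlements is a list of
    (person_id, app, entitlement) triples; orphans is a list of (app, account)."""
    entitlements, orphans = [], []
    for app, accounts in (("AD", AD_GROUPS), ("ERP", ERP_ROLES), ("CRM", CRM_PERMS)):
        for account, ents in accounts.items():
            owner = ACCOUNT_OWNER.get(account)
            if owner is None:
                orphans.append((app, account))
                continue
            entitlements.extend((owner, app, e) for e in ents)
    return entitlements, orphans


# Phase 2 policy expressed as data: (rule name, app, pair no one person may hold).
SOD_RULES = [
    ("vendor-and-payment", "ERP", ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")),
]


def find_sod_violations(entitlements):
    """Evaluate every SOD rule against the unified view; return (rule, person)."""
    held = defaultdict(set)
    for person, app, ent in entitlements:
        held[(person, app)].add(ent)
    violations = []
    for name, app, (first, second) in SOD_RULES:
        for (person, held_app), ents in held.items():
            if held_app == app and {first, second} <= ents:
                violations.append((name, person))
    return sorted(violations)


def find_leaver_violations(entitlements, hr=HR_FEED):
    """Leaver rule: a person whose HR status is terminated must hold nothing."""
    return sorted({(p, app, e) for p, app, e in entitlements
                   if hr.get(p, {}).get("status") == "terminated"})


def certification_view(entitlements, hr=HR_FEED):
    """Group each person's access under their manager, so the LOB manager
    reviews a business-level list instead of raw per-application dumps."""
    view = defaultdict(lambda: defaultdict(list))
    for person, app, ent in entitlements:
        manager = hr[person]["manager"] or "no-manager"
        view[manager][hr[person]["name"]].append(f"{app}:{ent}")
    return {m: {n: sorted(v) for n, v in people.items()} for m, people in view.items()}


if __name__ == "__main__":
    ents, orphans = build_unified_view()
    print("orphan accounts:", orphans)
    print("SOD violations:", find_sod_violations(ents))
    print("leaver violations:", find_leaver_violations(ents))
    for manager, people in certification_view(ents).items():
        label = HR_FEED.get(manager, {}).get("name", manager)
        print(f"review for manager {label}: {people}")
```

Running the script surfaces one orphan account (svc_old has no owner in the HR feed), one SOD violation (Ana holds both vendor creation and payment approval in the ERP), the terminated user's leftover directory and CRM access, and a per-manager review list. In a deployed platform the correlation rules and policies are maintained as data rather than as constants in a script, but the evaluation that triages violations for the business is the same.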

Is access governance for you?

Access governance is relevant to every modern organization. Ask yourself this question: do I need to ensure that only the right people can access their critical applications and data, based on informed and reliable decisions? The Ponemon Institute conducted a survey, the 2010 Access Governance Trends Survey (http://pages.aveksa.com/201Access GovernanceTrendsSurvey.html), whose respondents included multinational corporations and governmental organizations. The overall objective of the study is to track the perspectives of IT security and compliance practitioners on how well they are achieving access governance within their organizations. These are the top trends:

• User access rights poorly managed: eighty-seven percent of respondents believe that individuals have too much access to information resources that are not pertinent to their job description, up nine percent from the 2008 study.
• Not able to keep pace with changes in users' job responsibilities: nearly three out of four organizations (72 percent) said they cannot quickly respond to changes in employee access requirements, and more than half (52 percent) reported that they are unable to keep pace with the number of access change requests that come in on a regular basis.
• Policies not regularly checked and enforced: fifty-nine percent of organizations do not have, or do not strictly enforce, access governance policies, and 61 percent do not immediately check user access requests against security policies before the access is approved and assigned.
• Organizations lack budget, resources and staff for effective access governance: nearly two-thirds (65 percent) of respondents said that a lack of IT staff was a key problem in enforcing access compliance policies. Fifty-seven percent of organizations reported that they do not have enough technologies to manage and govern end-user access to information resources. Further, with organizations struggling to contain costs in a recessionary climate, 63 percent say they do not have enough resources to do so.
• Cloud computing is expected to impact access governance processes: nearly three out of four (73 percent) respondents said that adoption of cloud-based applications will have a very significant or significant impact on users' ability to circumvent existing access policies.

Conclusion

All modern organizations need visibility and control of who has access to which applications and data in their enterprise. This has led to the creation of a segment of the software industry called Access Governance. Aveksa is the leader in this segment, according to The Forrester Wave™: Role Management And Access Recertification, Q3 2011. That was one of the indicators that led IBM to choose Aveksa's software solution to create the Access Governance Services solution offering. Together with IBM's extensive Identity and Access Assurance experience and leadership, the broad reach of IBM's datacenters, and IBM's strategic outsourcing and cloud business, the Access Governance Services solution offering becomes a unique and definitive response to access governance needs.

The four-phase roadmap presented by IBM and Aveksa is being used by organizations worldwide to make access governance operational. The approach has been leveraged with great success in multiple industry verticals, and has consistently delivered concrete business value while enabling organizations to meet their compliance and security goals.

The next step, or the first step, complementary to Identity and Access Management

• Role and entitlement management can deliver an abstraction to manage administration and access
• Entitlement management can provide business context (e.g. location, data classification, time of day, etc.) for access control policies
• Separation-of-duty policies can manage access conflicts
• Access certification tightly integrated with user provisioning can deliver validation and remediation of user access
• Log collection is good; integrated suspension of access based on abnormal activity is better

Case Study: One Enterprise's Journey

One global financial institution was facing significant compliance challenges. With over $500B USD in assets under management, it faced stringent new compliance requirements due to several audit findings, coupled with negative feedback from its 11,000 users. With over 130 high-risk applications, it needed a better access governance solution. The institution implemented the Aveksa solution, integrating it with its IBM Tivoli Identity Manager system, and obtained significant, quantifiable benefits, including:

• Elimination of audit findings
• Reduction in application certification time from 36 weeks to 9 weeks
• Reduction in orphan accounts from 12,000 to zero
• Positive user experience for system users
• Over 50% labor savings for the review process

Value Proposition

• Automation of the entire access, entitlement and role certification process
• Phased implementation approach allowing for quick wins
• Reduce the cost of managing access
• Reduce the risk caused by inappropriate access
• Improve readiness and achieve continuous compliance
• Empower the business to make accurate and timely access decisions
• IT auditors are driving for proof of process

The IBM + Aveksa Differentiation

• Closed-loop remediation with IBM's Tivoli Identity Manager and Aveksa Access Governance
• Many successful IBM Identity and Access Assurance references, together with many Aveksa Access Governance references, allow a logical progression into both areas as compliance maturity evolves
• The IBM + Aveksa solution allows an integrated, phased implementation approach allowing for quick wins
• The best software for role management and access recertification (according to The Forrester Wave™)
• Integrated and flexible services offering: professional services, managed services and outsourcing from IBM + Aveksa
• Integrated solution, one point of contact: software, hardware, services

For more information

About IBM





IBM software and services manage more than seven billion security events daily. The IBM X-Force research and development database tracks more than 48,000 vulnerabilities and advises clients and the general public on how to respond to emerging and critical threats. 15,000 IBM researchers, developers and subject matter experts from around the world are committed to security initiatives.

IBM monitors and manages the security infrastructures of more than 4,000 customers at IBM Security Operations Centres around the world. IBM holds more than 3,000 patented inventions that enable clients to secure their business information and processes.

Globally, IBM is one of the largest technology providers. IBM provides strategic outsourcing, consulting services and best-in-class software and hardware products globally to 85% of the world's leading corporations on the Forbes 1000 list. IBM is best equipped to be the strategic provider of Access Governance and Identity and Access Management products and associated services. This excellence has been recognized globally, including by Gartner, which placed IBM's Identity Management solution in the Leader Quadrant, and by SC Magazine, which named IBM the Best Security Company in 2010, recognizing IBM's leadership in IT and our outstanding security solutions. IBM is the only security vendor in the market with end-to-end coverage of the security foundation, including 15,000 researchers, developers and SMEs on security initiatives; over 3,000 security and risk management patents; more than 2,000 security customers; and scores of published case studies. As a managed security provider, IBM manages 7 billion+ security events per day for clients. IBM offers the most comprehensive security operations and capabilities with:

• 8 security operations centers (SOCs) around the world
• 7 security research centers
• 133 monitored countries
• 20,000+ devices under contract
• 3,700+ managed security services (MSS) clients worldwide
• 2.5 billion+ monitored events per day
• 15,000 researchers, developers and SMEs on security initiatives, including IBM X-Force
• 3,000+ security and risk management patents
• 40+ years of proven IT security success securing the z-Series environment

To learn more about IBM Security Services Identity and Access Management Services, please contact your IBM representative or IBM Business Partner, or visit the following Web site: ibm.com/services/security/

About Aveksa

Aveksa provides the most comprehensive, enterprise-class access governance, risk management and compliance solution. Aveksa automates the on-boarding, change management, monitoring, reporting, certification and remediation of user entitlements and roles; enables role discovery and lifecycle management; and delivers unmatched visibility into the true state of user access rights. With Aveksa, business, security and compliance teams can effectively collaborate and enforce accountability. Our growing customer base includes leading Global 2000 organizations in financial services, healthcare, retail, energy/utility, transportation and manufacturing. For more information, go to www.aveksa.com.

About the Aveksa Access Governance Platform

The Aveksa Access Governance Platform is the industry's first comprehensive solution for access governance, risk and compliance management, and delivers unmatched visibility into the true state of user access rights. The Access Governance Platform is comprised of Aveksa Compliance Manager, which automates the monitoring, reporting, certification and remediation of user entitlements; Aveksa Role Manager, which enables role discovery, modeling and maintenance; and Aveksa Access Request and Change Manager, which combines a business-centric interface and an automated, streamlined request process with policy controls to ensure that access is always appropriate.

© Copyright IBM Corporation 2011
IBM Global Services, Route 100, Somers, NY 10589, U.S.A.
Produced in the United States of America, October 2011. All Rights Reserved.

IBM, the IBM logo, ibm.com and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries or both. These and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), indicating US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at ibm.com/legal/copytrade.shtml. Other company, product and service names may be trademarks or service marks of others. Use of the information herein is at the recipient's own risk. Information herein may be changed or updated without notice. IBM may also make improvements and/or changes in the products and/or the programs described herein at any time without notice. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

P27000