New Challenges for Identity Management
Assessing Identity Risk

Mark McClain
CEO & Founder, SailPoint
Agenda

• Today’s Environment: Pressures and
  Business Drivers
• State of Identity & Access Management
  (IAM) Compliance
• What’s Needed: A New Approach
• Identity Risk Management: A Next-
  Generation Solution
Increasing Security and Compliance Pressure

Security Risks
• Identity Theft
• Unauthorized Access
• Theft of IP & Trade Secrets
• Financial Fraud
• Sabotage
• Data Altering/Deletion
• Privacy Breaches

Regulatory Risks
• Sarbanes-Oxley
• FISMA
• HIPAA
• GLBA
• EU Data Privacy
• California SB 1386
• PIPEDA
• PCI
• Basel II
The Cost Burden of Compliance

• Estimated that IT budgets dedicated to compliance would increase from < 4% to 15% of IT budget over a 3-year period.
• 2006: Estimated $6B was spent on compliance – 68% on labor costs.
• 76% of finance executives: “Automating compliance and control is a priority.”

2006 compliance spend by category:
  Internal Labor   $2.3B   39%
  External Labor   $1.8B   29%
  Technology       $1.9B   32%
The Insider Threat

• 70% of security incidents that cause monetary loss involve insiders.
  – Gartner
• 33% of information security attacks originate from internal employees, while 28% came from ex-employees and partners.
  – PricewaterhouseCoopers, The Global State of Information Security
• On average, workers receive 35% more access rights than needed.
  – Insider Threat
• Malicious insiders used simple, legitimate user commands 87% of the time.
  – U.S. Secret Service and Carnegie Mellon
• After a material data breach, 50% of public companies lost more than 20% of stock value.
  – Deloitte
Insider Threat Examples

Threat categories:
• Sabotage
• Espionage
• Abuse of privileges
• Unauthorized access
• Theft of proprietary data
• Data altering/deletion
• Financial fraud

Examples:
• IRS – a disgruntled contractor sabotages three servers and is sentenced to 15 months in prison and ordered to pay $108,800 in restitution.
• FBI – BAE contractor hacks into systems to gain access to employee records.
• Wachovia – bank employees sell customer data to collection agencies.
• Prudential – IT staffer steals records on 60,000 employees and is caught trying to sell identities for credit card fraud.
• Bank of America – former contractor steals Social Security numbers and other personal information from Charleston customers.
• UBS – sys admin sabotages corporate network, then makes financial bets that the company's stock would tank as a result.
• DuPont – employee gains access to R&D documents unrelated to job – compromises $400M in trade secrets.
Agenda (continued): State of Identity & Access Management (IAM) Compliance
Importance of IAM Compliance

Importance of IAM Compliance in large organizations is high for both compliance and IT security practitioners.

[Chart: “How important is IAM compliance compared to other IT compliance requirements?” Bars for Compliance Practitioners and IT Security Practitioners, split into “Important” and “Very Important”, on a 0–45% axis. The bar values are not legible in this copy.]

Source: Ponemon Institute Survey Report: Audit & Compliance Professionals: Survey on Identity Compliance, 2007
Barriers to IAM Compliance

Four main barriers to identity compliance were revealed in both groups.

[Chart: “Barriers to IAM Compliance”. Bars for Compliance Practitioners and IT Security Practitioners, on a 0–100% axis, for four barriers: Manual Processes, Decentralized Strategy, Little or no collaboration, Lack of information. The bar values are not legible in this copy.]

Source: Ponemon Institute Survey Report: Audit & Compliance Professionals: Survey on Identity Compliance, 2007
Lack of Focus on Risk

The majority of respondents do not take a risk-based approach to IAM policies and controls.

[Chart: “Does your organization effectively focus its IAM policies and controls on the greatest areas of business risk?” Share answering “No”: IT Security Practitioners 59%, Compliance Practitioners 50%.]

Source: Ponemon Institute Survey Report: Audit & Compliance Professionals: Survey on Identity Compliance, 2007
Why Is Identity Risk Management So Difficult?

Identity Data Challenges
• Identity and access info is fragmented in application silos (web apps, databases, mainframe, directories, ERP apps, custom apps, file shares, identity management)
• + High amount of employee and contractor churn
• + No central archive of user activity or historical entitlement data
• = Automation of policy compliance is nearly impossible!
Why Is Identity Risk Management So Difficult?

Business & IT Disconnect

Compliance is intensifying the need for business and IT collaboration. Unfortunately, IT and business groups lack a common vocabulary.

• Executive Management: corporate governance, risk management, audit & compliance
• Business Units: business processes, business job functions, business policies
• Corporate IT: users, entitlements, applications, logic/rules

The gap (shown as “?” in the original diagram) sits between the business layers and Corporate IT’s view of users and entitlements.
Why Is Identity Risk Management So Difficult?

Organizations Lack Tools & Expertise
• Don’t have the right tools to assess risk
• Lack appropriate staff resources
• Can’t assign risk to technical resources
• IT staff lacks understanding of risk management and compliance

Source: Ponemon Institute Survey Report: Audit & Compliance Professionals: Survey on Identity Compliance, 2007
Agenda (continued): What’s Needed: A New Approach
Identity Risk Management

Identity Risk Management combines identity analytics and automated controls in order to measure and manage the business risk associated with user access to critical applications and data.

Identity Risk Management delivers business-level insight into technical data, significantly reducing the complexity and frustration associated with compliance and other control objectives.
Gartner

"Managing risk is an inherent part of every business. When it comes to understanding the risks associated with user access privileges and activities on sensitive information systems, enterprises will need to augment traditional provisioning tools with products that provide:

• sophisticated reporting
• data analytics
• decision support capabilities

These will help organizations achieve new business efficiencies associated with their identity and access management compliance initiatives."

Roberta Witty, Research VP, Gartner, Inc. | January 30, 2007
The Burton Group

"The cost and complexity of complying with various federal and state compliance regulations continues to drive corporate investments in identity management deployments.

"The challenge lies in how to help organizations identify and prioritize critical risks and remediation activities across the enterprise.

"Solutions that offer rich identity analytics and controls automation capabilities will help companies better detect the 'signal from the noise' associated with their identity compliance initiatives."

Lori Rowland, Analyst, Burton Group | January 30, 2007
Agenda (continued): Identity Risk Management: A Next-Generation Solution
Identity Risk Management Lifecycle

A continuous cycle of three stages, with the audit stage feeding back into risk assessment:

Identify and Assess Risk
• Model business roles and policies
• Model risk
• Identify unacceptable risk

Apply Automated Controls
• Apply automated controls to reduce or mitigate unacceptable risk
• Remove inappropriate access
• Use monitoring as a compensating control

Audit and Monitor
• Measure effectiveness of controls
• Refine risk model based on feedback
Key Elements of Identity Risk Management

  Define what users can do    Role Management
  Control what users can do   Policy Enforcement
  Verify what users can do    Access Certification
  Monitor what users do       Activity Monitoring
  Identify high-risk users    Risk Analytics
Where Does Identity Risk Management Fit?

Compliance/Control Frameworks: SOX, PCI, GLBA, COBiT, COSO

Identity Risk Management
• Control & policy definition
• Audit & verification
• Risk modeling

Provisioning
• Administration & operations
• Integrated workflow

Access Management (SSO/Federation, Directory Services)
• Identity infrastructure services
• Authentication & authorization
Power of Risk-Based Analytics

• Identify key areas of identity risk to better focus compliance efforts
• Combine user information into a profile “risk score”
• Measure reductions in risk achieved through automated controls/monitoring

Identity Risk Scoring (illustrative: each factor is rated Low to High and contributes a score; the composite is the sum)
  Access to systems-at-risk               160
  No. of super-user access privileges     230
  SOD policy violations detected           80
  Days since last management review       180
  Composite identity risk score           650
Power of Risk-Based Analytics

Example queries across the dimensions of the identity data:
• User Access: All entitlements for John Smith on Feb. 1, 2006; all users who had access to files containing sensitive financial data over past two years
• Risk: All employees with risk scores greater than 700
• Job Function: All business roles that have three or more entitlements in common
• User Activity: All super-user transactions on General Ledger system in the last 30 days
• Policy: All SOD violations detected in 10/30 scan
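The two slides above describe a composite identity risk score built from four factors and a set of queries over the resulting identity data (high-risk users, SOD violations, overlapping roles). The following is an added example, not code from the deck or from SailPoint's product, that implements a minimal version of both in Python. The scoring model (points per unit and caps per factor), the list of systems-at-risk, the super-user rights, the SOD rules and all user and role data are constructed assumptions; the weights were chosen so that the first sample user reproduces the deck's illustrative 160/230/80/180 = 650 breakdown.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# ---- Assumed scoring model (illustration only, not SailPoint's) ----
# Entitlements are "system:right" strings, e.g. "general_ledger:admin".
AT_RISK_SYSTEMS = {"general_ledger", "payroll"}      # assumed systems-at-risk
SUPERUSER_RIGHTS = {"admin", "dba", "root"}           # assumed super-user rights
SOD_RULES = [                                         # assumed toxic combinations
    ("ap:create_vendor", "ap:approve_payment"),
    ("general_ledger:post", "general_ledger:approve"),
]
# (points per unit, cap) per factor; chosen so the sample user below
# reproduces the deck's illustrative 160 + 230 + 80 + 180 = 650.
WEIGHTS = {
    "systems_at_risk": (80, 240),
    "superuser_privileges": (115, 230),
    "sod_violations": (80, 240),
    "days_since_review": (1, 250),
}


@dataclass(frozen=True)
class User:
    name: str
    entitlements: frozenset
    last_review: date  # date of the last management review of this user's access


def sod_violations(entitlements):
    """Return every SOD rule whose entitlements are all held by one identity."""
    held = set(entitlements)
    return [rule for rule in SOD_RULES if set(rule) <= held]


def factor_counts(user, today):
    """Raw counts behind each risk factor for one user."""
    systems = {e.split(":", 1)[0] for e in user.entitlements}
    rights = [e.split(":", 1)[1] for e in user.entitlements]
    return {
        "systems_at_risk": len(systems & AT_RISK_SYSTEMS),
        "superuser_privileges": sum(r in SUPERUSER_RIGHTS for r in rights),
        "sod_violations": len(sod_violations(user.entitlements)),
        "days_since_review": max((today - user.last_review).days, 0),
    }


def factor_scores(user, today):
    """Scale each count by its weight and cap it, as in the deck's Low..High bars."""
    counts = factor_counts(user, today)
    return {k: min(counts[k] * per_unit, cap) for k, (per_unit, cap) in WEIGHTS.items()}


def composite_score(user, today):
    return sum(factor_scores(user, today).values())


def high_risk_users(users, today, threshold=700):
    """Deck query: all employees with risk scores greater than the threshold."""
    return sorted(u.name for u in users if composite_score(u, today) > threshold)


def roles_sharing_entitlements(roles, min_common=3):
    """Deck query: pairs of business roles with >= min_common entitlements in common."""
    return [(a, b) for (a, ra), (b, rb) in combinations(sorted(roles.items()), 2)
            if len(set(ra) & set(rb)) >= min_common]


# ---- Constructed sample data ----
TODAY = date(2006, 3, 1)
USERS = [
    # jsmith: 2 at-risk systems, 2 admin rights, 1 SOD violation, reviewed 180 days ago
    User("jsmith", frozenset({"general_ledger:post", "general_ledger:approve",
                              "general_ledger:admin", "payroll:admin", "hr:read"}),
         date(2005, 9, 2)),
    User("adoe", frozenset({"hr:read", "crm:read"}), date(2006, 2, 1)),
    # bking: over-privileged and never reviewed; caps keep individual factors bounded
    User("bking", frozenset({"general_ledger:admin", "payroll:admin", "payroll:post",
                             "ap:create_vendor", "ap:approve_payment", "hr:dba"}),
         date(2004, 1, 1)),
]
ROLES = {
    "ap_clerk": {"ap:create_vendor", "ap:enter_invoice", "ap:view", "crm:read"},
    "ap_manager": {"ap:approve_payment", "ap:enter_invoice", "ap:view", "crm:read"},
    "hr_analyst": {"hr:read", "hr:report"},
}

if __name__ == "__main__":
    for u in USERS:
        print(u.name, factor_scores(u, TODAY), "composite =", composite_score(u, TODAY))
    print("risk > 700:", high_risk_users(USERS, TODAY))
    print("roles sharing 3+ entitlements:", roles_sharing_entitlements(ROLES))
```

Two design points carry over to a real deployment: every factor is capped, so one runaway count (years without a review) cannot drown out the others, and the SOD check runs over the user's effective entitlements rather than role names, which is what catches combinations assembled from several roles.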
Benefits of Identity Risk Management

• Focus governance activities where they matter the most
• Gain multi-dimensional insight and analysis of identities
• Minimize cost/burden of governance-related activities
Questions?

Click on the questions tab on your screen, type in your question (and name if you wish) and hit send.