achieving compliance with iam and client cases - eema conference 20120306 (english)
Achieving compliance with Identity & Access Management
EEMA meeting, Amstelveen, March 6th 2012
Thomas van Vooren, Principal Consultant IAM, thomas at everett dot nl
The shifting business case for IAM
▶ Risk and compliance increasingly driving IT spending:
  § Increased pressure on compliance from:
    § Regulatory bodies (law and regulation);
    § Key stakeholders such as shareholders (concerns over fraud and brand exposure), clients and the general public (concerns over privacy).
  § Intrinsic motivation to reduce risk:
    § Think of R&D industries and protection of intellectual property (IP), for instance.
▶ So the IAM business case is shifting:
  § More focus on information security;
  § Increased need for transparency.
IAM and the relationship with compliance
▶ The bottom line:
  § Be in control: adhere to regulation and policy and be able to demonstrate it;
  § But still in a cost-effective way, and balanced with business opportunity & needs.
▶ Challenges with regard to identity and access management: how do I …
  § … define authorisations in line with policy and administer them?
  § … roll out the resulting access rights to ICT assets (applications, systems and services)?
  § … check and report on policy versus practice?
  § … adjust authorisations and rights where necessary?
IAM capabilities
Overview diagram; the three capability groups read as follows.
Identity (preventive controls):
• (Delegated) Identity Administration
• Self Service
• Entitlement management
• Authorisation management (role/context/risk/claims based)
• Other preventive controls

Access:
• Provisioning
• Single Sign On
• Access enforcement on systems, (web)services & information objects

Detective controls:
• Compliance dashboards
• Security Incident & Event Monitoring
• Reporting (such as soll-ist comparison of target versus actual access rights)
• Access attestation / certification
• Other detective controls
Case: VGZ
▶ Organisation profile:
  § Health insurance company;
  § 4.2 million clients in the Netherlands serviced by a 3,000 FTE workforce;
  § Formed through a series of mergers during the consolidation wave of the Dutch health insurance market.
▶ Issue:
  § Main issue: lack of transparency in the authorisation management process and in the effective authorisations in IT systems;
  § But also: long time-to-service and substantial operational costs due to disparate and manual administration processes.
Case: VGZ
▶ Solution driven by compliance, but it contains capabilities that address all business drivers for a balanced approach;
▶ Selected capabilities:
  § Authorisation management:
    § Performed by business line management, putting them in control (enables the business, secures responsibility);
  § Provisioning:
    § Reduction of manual administration saves cost and reduces time to service;
  § Reporting:
    § Periodic evaluation of access rights by line management, increasing control.
▶ (A)Typical Identity Management project (chart: position between Governance & Compliance, Cost efficiency and Business Enablement)
Case: VGZ
Architecture diagram (components as labelled in the figure):
  § Oracle Identity Manager, Identity & Access Management Service: Identity Admin, Workflow, Authorisation Management, Role Management, Provisioning, Data Layer (SOLL);
  § SAP Business Objects: Datawarehouse, Reporting (IST);
  § Sources: HR (Internals, Externals), AD, Applications (App ×5);
  § Legend: Read/retrieve; Data exchange/flow.
Rabobank International
▶ Organisation profile:
  § Global wholesale and retail bank;
  § Present in 29 countries, employing 15,600 FTE.
▶ Issue:
  § Over 100 systems are subject to access review (most as required by a regulatory body);
  § Review of access to systems is a manual process;
  § This makes it a very time-consuming and costly exercise.
Rabobank International
▶ Solution driven by compliance, but the capability was selected out of the need for cost effectiveness.
▶ Selected capabilities:
  § Access certification (attestation):
    § Automatic aggregation of authorisation data from applications;
    § Periodic evaluation of access rights by business owners and system owners;
  § Reporting:
    § Ability to produce ad-hoc management reports on collected authorisation data.
▶ Typical Identity & Access Governance project (chart: position between Governance & Compliance, Cost efficiency and Business Enablement)
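The soll-ist comparison named under reporting in the IAM capabilities overview, and the aggregation of authorisation data from applications that feeds the periodic evaluation by business and system owners in the Rabobank case, come down to one reconciliation: derive the target state (SOLL) from HR and the role model, collect the actual state (IST) from application exports, correlate accounts to identities, and hand the differences to the owners who must attest. The following Python is an added example and not code from Everett, VGZ or Rabobank; the HR feed, role model, application exports, account mapping and owner assignments are constructed sample data.

```python
"""SOLL/IST reconciliation of access rights (added example; constructed data)."""
from collections import defaultdict

# Constructed HR feed: identity -> role (stands in for the HR "Internals/Externals" source).
HR = {
    "u1001": {"name": "A. Jansen", "role": "claims-handler"},
    "u1002": {"name": "B. de Vries", "role": "claims-manager"},
    "u1003": {"name": "C. Bakker", "role": "finance-clerk"},
}

# Constructed role model: role -> set of (application, entitlement) the role should hold.
ROLE_MODEL = {
    "claims-handler": {("claims-app", "read"), ("claims-app", "process")},
    "claims-manager": {("claims-app", "read"), ("claims-app", "process"),
                       ("claims-app", "approve"), ("reporting", "view")},
    "finance-clerk": {("finance-app", "post"), ("reporting", "view")},
}

# Constructed application exports (the IST side): application -> (account, entitlement) rows.
APP_EXPORTS = {
    "claims-app": [("ajansen", "read"), ("ajansen", "process"), ("ajansen", "approve"),
                   ("bdevries", "read"), ("bdevries", "process"), ("bdevries", "approve"),
                   ("tmp_admin", "approve")],          # account with no HR identity behind it
    "finance-app": [("cbakker", "post")],
    "reporting": [("bdevries", "view")],
}

# Constructed identity correlation table: application account -> HR identity.
ACCOUNT_MAP = {"ajansen": "u1001", "bdevries": "u1002", "cbakker": "u1003"}

# Constructed owner assignment used to route attestation work.
APP_OWNER = {"claims-app": "claims-business-owner", "finance-app": "finance-owner",
             "reporting": "bi-owner"}


def build_soll(hr, role_model):
    """Target state: identity -> set of (app, entitlement) derived from the HR role."""
    return {uid: set(role_model.get(rec["role"], set())) for uid, rec in hr.items()}


def aggregate_ist(app_exports, account_map):
    """Actual state: correlate exported accounts to identities.

    Accounts that cannot be correlated are returned separately as orphans;
    they are a finding in their own right, not silently dropped."""
    ist = defaultdict(set)
    orphans = []
    for app, rows in app_exports.items():
        for account, ent in rows:
            uid = account_map.get(account)
            if uid is None:
                orphans.append((app, account, ent))
            else:
                ist[uid].add((app, ent))
    return dict(ist), orphans


def reconcile(soll, ist):
    """Per identity: excess rights (IST minus SOLL) and missing rights (SOLL minus IST)."""
    findings = {}
    for uid in set(soll) | set(ist):
        have, should = ist.get(uid, set()), soll.get(uid, set())
        excess, missing = have - should, should - have
        if excess or missing:
            findings[uid] = {"excess": excess, "missing": missing}
    return findings


def certification_worklist(findings, orphans, app_owner):
    """Route excess rights and orphan accounts to the owner who must attest or revoke them."""
    work = defaultdict(list)
    for uid, f in findings.items():
        for app, ent in sorted(f["excess"]):
            work[app_owner[app]].append(("review-excess", uid, app, ent))
    for app, account, ent in orphans:
        work[app_owner[app]].append(("orphan-account", account, app, ent))
    return dict(work)


if __name__ == "__main__":
    soll = build_soll(HR, ROLE_MODEL)
    ist, orphans = aggregate_ist(APP_EXPORTS, ACCOUNT_MAP)
    findings = reconcile(soll, ist)
    for uid, f in sorted(findings.items()):
        print(uid, HR[uid]["name"], "excess:", sorted(f["excess"]), "missing:", sorted(f["missing"]))
    for owner, items in certification_worklist(findings, orphans, APP_OWNER).items():
        print(owner, "->", items)
```

Excess rights and orphan accounts go to an attestation worklist because only the business or system owner can decide whether they are legitimate; missing rights are a provisioning gap and would normally be fed back into the provisioning flow rather than to certification.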
Rabobank International
Architecture diagram (components as labelled in the figure):
  § Sailpoint IdentityIQ, Access Certification and Reporting: Role Mining, Certification workflow and Reporting, Data aggregation, Identity Correlation, Identities, Business Glossary, Change Management (remediation);
  § Servicedesk Ticketing System;
  § Sources feeding the IST data: AD, Applications (App ×5), OS, Database.
Take-aways
▶ Identify key (compliance) problems and select relevant IAM capabilities;
  § The right horse for your next course.
▶ Capability is a combination of process, organisation and technology;
  § Not all spreadsheets are bad; organising it right is key.
▶ Lay out the target IAM architecture & define a roadmap to address business value;
  § … and build just-in-time solutions along the roadmap to deliver the value timely.
Questions
References
▶ Everett is online at www.everett.nl for more information on our services and to get a copy of our complimentary whitepapers.
▶ Gartner Magic Quadrant for Identity & Access Governance (December 2011) is available at http://www.gartner.com/technology/reprints.do?id=1-18D0O87&ct=111216 (reprint)