Achieving Compliance with IAM and Client Cases - EEMA Conference 20120306 (English)

Title slide (www.everett.nl): Achieving compliance with Identity & Access Management. EEMA meeting, Amstelveen, March 6th 2012. Thomas van Vooren, Principal Consultant IAM, thomas at everett dot nl.

Uploaded by thomas-van-vooren, posted on 08-Jul-2015. Category: Technology.
TRANSCRIPT

Page 2

The shifting business case for IAM

▶ Risk and compliance increasingly driving IT spending:
  § Increased pressure on compliance from:
    § regulatory bodies (law and regulation);
    § key stakeholders such as shareholders (concerns over fraud and brand exposure), clients and the general public (concerns over privacy).
  § Intrinsic motivation to reduce risk: think of R&D industries and the protection of intellectual property (IP), for instance.
▶ So the IAM business case is shifting:
  § more focus on information security;
  § increased need for transparency.

Page 3

IAM and the relationship with compliance

▶ The bottom line:
  § Be in control: adhere to regulation and policy, and be able to demonstrate it;
  § but still in a cost-effective way, balanced with business opportunity and needs.
▶ Challenges with regard to identity and access management. How do I ...
  § ... define authorisations in line with policy and administer them?
  § ... roll out the resulting access rights to ICT assets (applications, systems and services)?
  § ... check and report on policy versus practice?
  § ... adjust authorisations and rights where necessary?

Page 4

IAM capabilities (slide diagram, reconstructed as lists)

Identity (preventive controls):
• (Delegated) identity administration
• Self service
• Entitlement management
• Authorisation management (role/context/risk/claims based)
• Other preventive controls

Provisioning and access enforcement:
• Provisioning
• Single Sign-On
• Access enforcement on systems, (web) services and information objects

Monitoring and reporting (detective controls):
• Compliance dashboards
• Security Incident & Event Monitoring
• Reporting (such as the soll-ist comparison: target access rights versus actual access rights in the systems)
• Access attestation / certification
• Other detective controls

Page 5

Case: VGZ

▶ Organisation profile:
  § Health insurance company;
  § 4.2 million clients in the Netherlands, serviced by a 3,000 FTE workforce;
  § formed through a series of mergers during the consolidation wave of the Dutch health insurance market.
▶ Issue:
  § Main issue: lack of transparency in the authorisation management process and in the effective authorisations in IT systems;
  § but also: long time-to-service and substantial operational costs due to disparate and manual administration processes.

Page 6

Case: VGZ

▶ Solution driven by compliance, but it contains capabilities that address all business drivers, for a balanced approach.
▶ Selected capabilities:
  § Authorisation management:
    § performed by business line management, putting them in control (enables the business, secures responsibility);
  § Provisioning:
    § reduction of manual administration saves cost and reduces time to service;
  § Reporting:
    § periodic evaluation of access rights by line management, increasing control.
▶ (A)Typical Identity Management project

Figure: the project positioned against the three business drivers Governance & Compliance, Cost efficiency and Business Enablement.

Page 7

Case: VGZ

Figure: VGZ solution architecture. Oracle Identity Manager delivers the Identity & Access Management Service: identity administration, role management, authorisation management (workflow) and provisioning on a shared data layer that holds the SOLL (target access rights). HR sources for internals and externals feed identities; provisioning pushes access rights to the applications (AD and several applications). A data warehouse (SAP Business Objects) holds the IST (actual access rights) read/retrieved from the applications and feeds reporting. Legend: read/retrieve; data exchange/flow.

Page 8

Rabobank International

▶ Organisation profile:
  § Global wholesale and retail bank;
  § present in 29 countries, employing 15,600 FTE.
▶ Issue:
  § Over 100 systems are subject to access review (most as required by a regulatory body);
  § review of access to systems is a manual process;
  § this makes it a very time-consuming and costly exercise.

Page 9

Rabobank International

▶ Solution driven by compliance, but the capability was selected out of the need for cost effectiveness.
▶ Selected capabilities:
  § Access certification (attestation):
    § automatic aggregation of authorisation data from applications;
    § periodic evaluation of access rights by business owners and system owners;
  § Reporting:
    § ability to produce ad-hoc management reports on the collected authorisation data.
▶ Typical Identity & Access Governance project

Figure: the project positioned against the three business drivers Governance & Compliance, Cost efficiency and Business Enablement.

Page 10

Rabobank International

Figure: Rabobank International solution architecture. SailPoint IdentityIQ performs data aggregation of account and authorisation data (the IST) from AD, applications, operating systems and databases, identity correlation of those accounts to identities, and role mining; a business glossary gives the collected entitlements business-readable descriptions. Access certification and reporting run as a certification workflow with reporting; the resulting changes (remediation) go through change management via the servicedesk ticketing system.
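Both cases come down to the same mechanics: correlate aggregated accounts (IST) to HR identities, compare them with the target state derived from the role model (SOLL), and hand the delta to business line management or system owners for certification. The following Python example is added here to show that reconciliation end to end; it is not code from the slides, from Everett, or from either product. All identities, role definitions, accounts and attribute names (`employeeID`, `mail`) are constructed sample data and assumptions, not VGZ or Rabobank data.

```python
"""SOLL/IST reconciliation and certification items (constructed sample data)."""

# Constructed HR feed: the authoritative identities. 'terminated' models a leaver.
HR = {
    "E001": {"name": "A. Jansen", "dept": "Claims", "status": "active", "mail": "a.jansen@example.test"},
    "E002": {"name": "B. de Vries", "dept": "Finance", "status": "active", "mail": "b.devries@example.test"},
    "E003": {"name": "C. Bakker", "dept": "Claims", "status": "terminated", "mail": "c.bakker@example.test"},
}

# Constructed role model: department -> application -> entitlements. This is the SOLL
# (target state); an identity's target access follows from its HR attributes.
ROLE_MODEL = {
    "Claims": {"AD": {"GRP_Claims_Users"}, "ClaimsApp": {"claims.read", "claims.approve"}},
    "Finance": {"AD": {"GRP_Finance_Users"}, "GL": {"gl.post"}},
}

# Constructed aggregated account data from target systems: the IST (actual state).
# Each account carries whatever correlation attribute its system exposes (assumed names).
ACCOUNTS = [
    {"app": "AD", "account": "ajansen", "employeeID": "E001", "mail": None,
     "entitlements": {"GRP_Claims_Users", "GRP_Domain_Admins"}},     # excess group
    {"app": "ClaimsApp", "account": "a.jansen", "employeeID": None, "mail": "a.jansen@example.test",
     "entitlements": {"claims.read"}},                               # missing claims.approve
    {"app": "AD", "account": "bdevries", "employeeID": "E002", "mail": None,
     "entitlements": {"GRP_Finance_Users"}},
    {"app": "GL", "account": "bdevries", "employeeID": "E002", "mail": None,
     "entitlements": {"gl.post"}},                                   # fully compliant identity
    {"app": "GL", "account": "cbakker", "employeeID": "E003", "mail": None,
     "entitlements": {"gl.post"}},                                   # account of a leaver
    {"app": "AD", "account": "svc_backup", "employeeID": None, "mail": None,
     "entitlements": {"GRP_Backup_Operators"}},                      # orphan account
]


def correlate(account, hr):
    """Identity correlation: employeeID first, e-mail as fallback. None means orphan."""
    if account["employeeID"] in hr:
        return account["employeeID"]
    if account["mail"]:
        for eid, rec in hr.items():
            if rec["mail"].lower() == account["mail"].lower():
                return eid
    return None


def soll_for(eid, hr, role_model):
    """Target entitlements for an identity. A terminated identity should hold nothing."""
    rec = hr[eid]
    if rec["status"] != "active":
        return {}
    return role_model.get(rec["dept"], {})


def reconcile(hr, role_model, accounts):
    """Compare IST with SOLL. Returns orphan accounts, leaver accounts, excess and missing rights."""
    findings = {"orphan": [], "terminated": [], "excess": [], "missing": []}
    ist = {}  # eid -> app -> set of entitlements actually held
    for acct in accounts:
        eid = correlate(acct, hr)
        if eid is None:
            findings["orphan"].append((acct["app"], acct["account"]))
            continue
        if hr[eid]["status"] != "active":
            findings["terminated"].append((acct["app"], acct["account"], eid))
        ist.setdefault(eid, {}).setdefault(acct["app"], set()).update(acct["entitlements"])
    for eid in hr:
        soll, have = soll_for(eid, hr, role_model), ist.get(eid, {})
        for app in sorted(set(soll) | set(have)):   # sorted for deterministic reports
            for ent in sorted(have.get(app, set()) - soll.get(app, set())):
                findings["excess"].append((eid, app, ent))
            for ent in sorted(soll.get(app, set()) - have.get(app, set())):
                findings["missing"].append((eid, app, ent))
    return findings


def certification_items(findings, hr):
    """Route each finding to a reviewer: identity-related items to the line manager of the
    identity's department, orphan accounts to the system owner of the application."""
    items = []
    for eid, app, ent in findings["excess"]:
        items.append({"reviewer": f"line-manager:{hr[eid]['dept']}", "subject": f"{eid}/{app}",
                      "item": ent, "action": "confirm or revoke"})
    for app, account, eid in findings["terminated"]:
        items.append({"reviewer": f"line-manager:{hr[eid]['dept']}", "subject": f"{eid}/{app}",
                      "item": account, "action": "revoke (leaver)"})
    for app, account in findings["orphan"]:
        items.append({"reviewer": f"system-owner:{app}", "subject": account,
                      "item": "uncorrelated account", "action": "assign owner or disable"})
    for eid, app, ent in findings["missing"]:
        items.append({"reviewer": f"line-manager:{hr[eid]['dept']}", "subject": f"{eid}/{app}",
                      "item": ent, "action": "provision if still required"})
    return items


if __name__ == "__main__":
    result = reconcile(HR, ROLE_MODEL, ACCOUNTS)
    for kind, entries in result.items():
        print(kind, entries)
    for item in certification_items(result, HR):
        print(item)
```

Two design points matter in practice. Correlation must be deterministic and auditable, which is why the primary key (`employeeID`) wins over a fuzzy attribute such as e-mail, and anything that matches nothing is reported as an orphan rather than silently dropped: orphans are exactly what a manual review tends to miss. And a leaver's SOLL is empty by construction, so residual access of terminated identities surfaces as excess rights without a separate rule.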

Page 11

Takeaways

▶ Identify the key (compliance) problems and select the relevant IAM capabilities;
  § the right horse for your next course.
▶ A capability is a combination of process, organisation and technology;
  § not all spreadsheets are bad, and organising it right is key.
▶ Lay out the target IAM architecture and define a roadmap to address business value;
  § ... and build just-in-time solutions along the roadmap to deliver that value timely.

Page 12

Questions
