![Page 1: CrossIdeas Roadshow IAM Governance IBM Marco Venuti](https://reader037.vdocuments.site/reader037/viewer/2022103001/5580beced8b42ac6088b527c/html5/thumbnails/1.jpg)
© 2014 IBM Corporation
IBM Security
Page 1
IBM Security Identity Governance (CrossIdeas)
Technical presentation & Demo
Marco Venuti
VP Technical Sales
CrossIdeas – an IBM Company
Page 2
IBM sellers and business partners use only
Agenda
• ISIM + ISIG Integration scenario
• Integration roadmap
• Live demo
• Q&A
Page 3
ISIM + ISIG Integration Scenario
Page 4
ISIM + ISIG for existing ISIM customers
• Existing ISIM customer with Access Request Management exposed to business users
• Introducing ISIG to deliver Recertification campaign and Analytics capabilities
[Architecture diagram: IBM Security Identity Governance and Administration. Components: Security Identity Manager (ISIM Identity Store) and Security Identity Governance (CrossIdeas Warehouse), connected through the ISIM Adapter. Capability labels shown: Access Review/Recertification; Compliance Controls/SoD; Role Management; Access Request Mgmt.; Password Management/Self Service; Provisioning, Fulfillment; Reconciliation.]
Page 5
ISIM – ISIG Integration
Entity mapping, ISIM entity → ISIG entity:
• Person → User
• Org Unit → Org Unit
• Service → Application
• Account → Account
• <Permission>* → Permission
• Role → Role
• Available now, developed as a TDI adapter
• TDI Assembly line for full and delta synchronization
• Developed on TDI version 7.1, ISIM 6.1 – TDI 7.0 and ITIM 5.1 are supported
• IDEAS API based integration
* Connector Specific (e.g. “Group” for AD)
For IBM and business partner use only
Page 6
ISIM → ISIG: Supported Events
• Org Unit: Add / Modify / Delete; Add / Remove Member
• Permission: Add / Remove; Add / Remove Member
• User: Add / Modify / Delete; Suspend / Restore
• Service: Add / Modify / Delete
• Account: Add / Modify / Delete; Suspend / Restore
• Role: Add / Remove; Add / Remove Member
Bulk Sync + Incremental
Page 7
ISIG → ISIM: Supported Events
• User: Add / Modify / Delete; Suspend / Restore
• Account: Add / Modify / Delete; Suspend / Restore
• Role: Add / Remove; Add / Remove Member
• Permission: Add / Remove; Add / Remove Member
• Org Unit: Add / Modify / Delete; Add / Remove Member
• Service: Add / Modify / Delete
Write Back
Page 8
Integration Roadmap
Page 9
ISC – Single, Common Portal for SIG+SIM
Scenario-based, easy-to-use interface for line-of-business personas and do-it-yourself administrators. Options on ISC are controlled via user permissions.
[Screenshot: ISC portal for IBM Security Identity Governance and Administration; visible labels: Govern Access, Open, Enhance, Launch]
Page 10
Integrated IGA vision
[Diagram: Identity Governance & Administration, spanning On/Off Premises Applications and Enterprise Resources]
• Identity Administration – IBM Security Identity Manager: User Provisioning, Password Management, Access Request
• Identity Governance – IBM Security Identity Governance (CrossIdeas): Access Certification, Role Modelling, Identity Warehouse
• Access Enforcement – IBM Security Access Manager: Web, Federated SSO, Strong Authentication, Context-based Access
• IBM Security Directory Integrator
Page 11
Live Demo
Page 12
ISIG… to answer common IGA questions
• IT Security: How do I model policies and then detect and manage violations?
• Application Managers: How can I build meaningful roles?
• Business Manager: What does an attestation campaign or an access request look like?
• CFO / CRO Office: How do I measure access risk and monitor progress?
Page 13
IDEAS Glossary - Entitlement Hierarchy
[Diagram: Entitlements, layered from Business Roles down to IT Roles and Application Permissions (Application 1, Application 2)]
Page 14
Role Deployment
How do I deal with existing users?
✓ Identify users whose access matches role content
✓ New role assignment
✓ Fine grain assignments removal
Upshifting applicable assignments – from permission to role:
– Reduction of user assigned items in the IDEAS perspective
– No impact on user access
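The three deployment steps above, as an added example that is not CrossIdeas or ISIG code: find users whose direct permissions already cover the whole role, assign the role, remove the now-redundant fine-grained assignments, and check that each user's effective access is unchanged. User, role and permission names are constructed sample data.

```python
"""Role deployment over an existing user population (added example, not product code)."""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    permissions: frozenset  # application permissions the role grants


@dataclass
class User:
    name: str
    direct_permissions: set = field(default_factory=set)  # fine-grained assignments
    roles: set = field(default_factory=set)               # role names assigned


def effective_permissions(user, roles_by_name):
    """Access the user actually holds: direct assignments plus the content of each role."""
    perms = set(user.direct_permissions)
    for role_name in user.roles:
        perms |= roles_by_name[role_name].permissions
    return perms


def matching_users(users, role):
    """Step 1: users whose direct permissions already contain the whole role content.
    Partial matches are deliberately left alone; they would need a separate decision."""
    return [u for u in users if role.permissions <= u.direct_permissions]


def upshift(user, role):
    """Steps 2 and 3: assign the role, then drop the direct permissions it now covers.
    Returns the number of fine-grained assignments removed (the 'reduction of assigned items')."""
    user.roles.add(role.name)
    removed = user.direct_permissions & role.permissions
    user.direct_permissions -= removed
    return len(removed)


def deploy_role(users, role, roles_by_name):
    """Run the deployment and verify 'no impact on user access' for every touched user."""
    report = {}
    for u in matching_users(users, role):
        before = effective_permissions(u, roles_by_name)
        removed = upshift(u, role)
        after = effective_permissions(u, roles_by_name)
        if before != after:
            raise RuntimeError(f"access changed for {u.name}: {before ^ after}")
        report[u.name] = removed
    return report


# Constructed sample data: one candidate role and three users with direct assignments.
ROLES = {"AP_Clerk": Role("AP_Clerk", frozenset({"ERP:CreateInvoice", "ERP:ViewInvoice"}))}
USERS = [
    User("alice", {"ERP:CreateInvoice", "ERP:ViewInvoice", "AD:VPN-Users"}),
    User("bob", {"ERP:ViewInvoice", "AD:VPN-Users"}),  # partial match, not upshifted
    User("carol", {"ERP:CreateInvoice", "ERP:ViewInvoice"}),
]

if __name__ == "__main__":
    print(deploy_role(USERS, ROLES["AP_Clerk"], ROLES))
```

Running it reports two removed assignments each for alice and carol; bob keeps his direct permissions because the role content is only partly present.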
Page 15
Managing Segregation of Duties
Page 16
About Roles…
The company invested in Roles to better model ‘who-could-do-what’
Page 17
About Roles…
The company invested in Roles to better model ‘who-could-do-what’
They started implementing SoD on Roles
e.g. Role A should not be jointly delivered with Role B
Page 18
About Roles…
The company invested in Roles to better model ‘who-could-do-what’
They started implementing SoD on Roles
e.g. Role A should not be jointly delivered with Role B
[Diagram: Detected Violation]
But… auditors do not “trust” roles
Page 19
IT Thinks in Terms of Roles – Auditors Don’t
Auditor: “Let me ignore roles and look directly at user permissions assignments”
“By the way… roles should be subject to the audit too”
Page 20
SoD Rules = Business Rules
Auditors do think of SoD in terms of conflicting business activities
[Table extract, columns: Activity A | Activity B | Conflict details]
Source: xls deliverable by a major auditor firm – extract
Page 21
IDEAS Glossary – Activity Tree
The xls based activity list can be converted in IDEAS into a tree-like representation
Pure business level description of a company’s tasks
• Derived from Auditor / Advisor recommendations
• OR Extracted from company existing GRC/PM systems
• OR Created from industry specific templates
[Diagram: Activity A and Activity B placed in the activity tree]
Page 22
IDEAS Glossary – SoD Constraints
SoD constraints are links among activities, also coming from the xls version
Pure business level description of a Risk - no IT details
• Derived from Auditor / Advisor recommendations
• OR Extracted from company existing GRC/PM systems
• OR Created from industry specific templates
[Diagram: SoD constraint linking two activities, carrying the Conflict details]
Page 23
IDEAS Glossary – Technical Transformation
Business activities mapping onto required Application Entitlements
– Making IT Entitlement names understandable to business users
– Provided by the application owners
Page 24
IDEAS Glossary – SoD Modeling
Two complementary ways to look at the application estate…
• Activities and SoD rules – best practices or business-owner defined
• Technical Transformation – application-owner defined
• User and Roles – subject of the violation analysis
Page 25
IDEAS Glossary - User Analysis
User Violation
User assigned to entitlements linked to conflicting activities, either through conflicting roles…
Page 26
IDEAS Glossary - User Analysis
User Violation
User assigned to entitlements linked to conflicting activities, either through conflicting roles… or directly
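The glossary elements on the preceding pages (activity tree, SoD constraints as links between activities, technical transformation, and the user analysis through roles or direct assignments) put together as an added example; this is not CrossIdeas or ISIG code and it also runs the same check over roles themselves, as the auditor on the earlier page asks. Activity, entitlement, role and user names are constructed sample data.

```python
"""Activity-based SoD analysis (added example, not product code)."""

# Activity tree: activity -> parent activity (None for the root).
ACTIVITY_TREE = {
    "Finance": None,
    "Finance/Vendor Master Maintenance": "Finance",
    "Finance/Invoice Entry": "Finance",
    "Finance/Payment Release": "Finance",
}

# SoD constraints: a link between two activities plus the business-level conflict details.
SOD_CONSTRAINTS = [
    (frozenset({"Finance/Vendor Master Maintenance", "Finance/Payment Release"}),
     "Could create a fictitious vendor and pay it"),
    (frozenset({"Finance/Invoice Entry", "Finance/Payment Release"}),
     "Could enter and release a fraudulent invoice"),
]

# Technical transformation (application-owner provided): entitlement -> activities it enables.
TECHNICAL_TRANSFORMATION = {
    "ERP:VendorEdit": {"Finance/Vendor Master Maintenance"},
    "ERP:InvoiceCreate": {"Finance/Invoice Entry"},
    "ERP:PaymentApprove": {"Finance/Payment Release"},
    "AD:VPN-Users": set(),  # no business activity behind it
}

# Roles as delivered by provisioning: role -> entitlements.
ROLES = {
    "AP_Clerk": {"ERP:InvoiceCreate"},
    "AP_Manager": {"ERP:PaymentApprove"},
    "Vendor_Admin_And_Payer": {"ERP:VendorEdit", "ERP:PaymentApprove"},  # conflicting by design
}

# Users: role assignments plus direct (fine-grained) entitlement assignments.
USERS = {
    "alice": {"roles": {"AP_Clerk", "AP_Manager"}, "direct": {"AD:VPN-Users"}},
    "bob": {"roles": {"AP_Clerk"}, "direct": {"ERP:PaymentApprove"}},
    "carol": {"roles": {"AP_Clerk"}, "direct": {"AD:VPN-Users"}},
}


def activity_path(activity):
    """Root-to-leaf path in the activity tree, e.g. for reporting which branch a violation sits in."""
    path = []
    while activity is not None:
        path.append(activity)
        activity = ACTIVITY_TREE[activity]
    return list(reversed(path))


def activities_of(entitlements):
    """Apply the technical transformation: activity -> entitlements that enable it."""
    result = {}
    for ent in entitlements:
        for act in TECHNICAL_TRANSFORMATION.get(ent, ()):
            result.setdefault(act, set()).add(ent)
    return result


def user_activities(user):
    """Activities a user can perform, with the path that grants each: 'role:<name>' or 'direct'."""
    paths = {}
    for role in user["roles"]:
        for act in activities_of(ROLES[role]):
            paths.setdefault(act, set()).add(f"role:{role}")
    for act in activities_of(user["direct"]):
        paths.setdefault(act, set()).add("direct")
    return paths


def violations(paths):
    """Every constraint whose two activities are both reachable, with the granting path per side."""
    found = []
    for pair, details in SOD_CONSTRAINTS:
        if pair <= set(paths):
            a, b = sorted(pair)
            found.append({"activities": (a, b), "via": (sorted(paths[a]), sorted(paths[b])),
                          "details": details})
    return found


def analyse_users():
    """User analysis: violations reached through conflicting roles, or directly."""
    return {name: violations(user_activities(u)) for name, u in USERS.items()}


def analyse_roles():
    """Roles are subject to the analysis too: one role spanning a constraint is a violation by design."""
    return {r: violations({a: {f"role:{r}"} for a in activities_of(perms)}) for r, perms in ROLES.items()}


if __name__ == "__main__":
    for name, found in analyse_users().items():
        print(name, found)
    print(analyse_roles())
```

alice violates the invoice/payment constraint through two roles, bob through a role plus a direct assignment, carol not at all; the role analysis flags Vendor_Admin_And_Payer before it is ever assigned.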
Page 27
Roles Vs Activities
• Roles: Best approach for effective Provisioning
• Activities: Best approach for effective SoD modeling
Clean distinction between Access delivery Vs. Access control
Page 28
Activity vs. Role Based SoD
[Diagram comparing the two sequences]
Role Based SoD: Entitlements Collection → Role Mining / Modeling → Define SoD on Roles
• Role needs to come first
• Access Review to allow Role Mining is further delaying the SoD Introduction
Activity Based SoD: Entitlements Collection → Activity Based SoD, with Role Mining / Modeling alongside
• SoD Analysis can be the first, or the only, objective
• Roles can be the subject of the SoD Analysis