RSA Identity Management & Governance (Aveksa)

© Copyright 2014 EMC Corporation. All rights reserved.

Upload: phungdan

Post on 22-Jul-2018




RSA IAM: Enabling trusted interactions between identities and information

[Diagram labels: Employees/Partners/Customers; Access Platform; Federation/SSO; Authentication; Governance Platform; Compliance; Identity Lifecycle; Provisioning; Identity Intelligence; Applications/Data/Resources]


RSA’s Governance Platform

[Diagram labels: Employees/Partners/Customers; Access Platform; Federation/SSO; Authentication; Governance Platform; Compliance; Identity Lifecycle; Provisioning; Identity Intelligence; Applications/Data/Resources]

Governance Platform

Compliance
• Supervisor Reviews
• App Owner Reviews
• Data Ownership Reviews
• Segregation of Duties Policies
• Data Compliance Policies

Identity Lifecycle
• Joiner, Mover, Leaver
• Access Request Portal
• Policy-Based Change Management
• Password Management

Provisioning
• Task Notification
• Service Desk Integration
• Automated Provisioning

• Purpose-Built for Governance
  – Lowest Cost of Ownership
  – Fastest Time to Value
• Compliance
  – Reduce Compliance Efforts
  – Improve Compliance Effectiveness
  – Applications and Data Resources
• Identity Lifecycle
  – Automate Joiner, Mover, Leavers
  – Access Request with policy enforcement
• Provisioning
  – Simple architecture streamlines deployment
  – Business-driven provisioning


RSA’s Identity Intelligence

[Diagram labels: Employees/Partners/Customers; Access Platform; Federation/SSO; Authentication; Governance Platform; Compliance; Identity Lifecycle; Provisioning; Identity Intelligence; Applications/Data/Resources]

• Unified view of Business Context
  – “One Brain” for Better Access Decisions
  – Complete Picture of User Access Rights, Job Roles, Business Attributes
• Role Management
  – Simplify Access Reviews and Policies
  – Achieve Role-based Access Control
• Connection to Business-level Goals
  – Corporate and Application Risk
• Integration with Security Ecosystem
  – Enforce and Validate Authentication Policies
  – Leverage Context for Better Threat Analysis and Triage

Identity Intelligence
• Accounts & Entitlements
• Rich User Context
• Business Roles
• Risk Analytics
• Authentication Policies

User Context and Activity


RSA Takes a Business Driven Approach to IAM

Shift Decision Making and Accountability to the Business

– Governed by Info Security constraints

Centralized Identity & Business Context

– “One Brain” for intelligence and operational efficiency

Process-Driven

– Discrete, Measurable, Efficient Business Processes

Policy-Based Automation

– Automated Policy Enforcement


A Business Process Perspective

[Diagram labels: IT Security; Information Security; Line of Business; Audit, Risk & Compliance; Ensure Compliance and Manage Risk; Enable the Business: Ownership & Accountability; Business Processes; Enterprise, Mobile & Cloud Applications and Data, DLP, SIEM, GRC]


Customer Case Study


Overview & Business Drivers

Profile

– Fortune 100 Investment and Retirement Planning Services:

▪ $500B USD under management

– 11,000 Users, 900 Managers

– 130 Critical Applications (Audited, High-Risk)

IAM Program Shortcomings

– No Unified Visibility of Access Across Applications

– Manual and Inefficient Access Review processes

– Inefficient and Error-Prone Paper-Based Access Request Process

– Poor Business User Experience

– Inability to Define and Enforce Access Policies

– 12,000+ Orphan Accounts – Unowned and Unmanaged

Result: Audit Findings and Unhappy Line-of-Business


IAM Project Focus

Governance Platform

Compliance
• Supervisor Reviews
• App Owner Reviews
• Data Ownership Reviews
• Segregation of Duties Policies
• Data Compliance Policies

Identity Lifecycle
• Joiner, Mover, Leaver
• Access Request Portal
• Policy-Based Change Management
• Password Management

Provisioning
• Task Notification
• Service Desk Integration
• Automated Provisioning

Identity Intelligence
• Accounts & Entitlements
• Rich User Context
• Business Roles
• Risk Analytics
• Authentication Policies

User Context and Activity


IAM Project Overview

Audit Findings

– Manual Access Review Process

– Poor Controls Around Access Request & Provisioning

– Uncontrolled Direct Access to Application Databases

Deployed RSA Aveksa Solution

– Collaboration with Line-of-Business was Key to Success

New Access Reviews

– Supervisor, Application Owner, Platform Owner

New Access Request Portal

– Simple Web-Based UI

– Enforcement of Policies and Approval Processes


Before and After: Access Reviews


Supervisor Access Reviews: Before RSA

Process diagram (phases: Collection, Review, Remediation):

• Applications
• Security Administrators: Run Reports
• Database Administrators: Run DB Extracts
• Manual import & reconciliation
• Desktop Database
• Manual creation of spreadsheets
• Emailed to Reviewers
• Managers Delegate to Admin or team
• Reminders & Harassment
• Manual Logging of Results
• Review Results & Change Requests
• App Owner & System Administrators
• Manual Ticket Creation and Change Validation
• Execution of Changes in Systems

Duration: 36 weeks


Supervisor Access Reviews: With RSA

Process diagram (phases: Collection, Review, Remediation):

• Applications
• Scheduled & Automated Entitlement Collection
• Centralized IAM System
• Reviews Initiated
• Web-Based UI
• Managers perform reviews directly
• Automated Reminders
• Automated System
• Results automatically stored in centralized DB
• Review Results & Change Requests
• App Owner & System Administrators
• Manual Ticket Creation
• Execution of Changes in Systems
• Automated validation of change completion

Duration: 9 weeks


Before and After: Access Request


Access Request: Before RSA

Process diagram (phases: Access Request, Approval Flow, Provisioning):

• End Users
• User Fills Out Entitlements Access Request Form (Word Document)
• Manual Approval Request Email to LOB Manager
• Manual Approval Request Email to Business Process Owner
• Manual Reminder & Harassment
• Provisioning Request Email Sent to Help Desk
• Help Desk Administrators
• Manual Ticket Creation
• Manual Provisioning

Duration: ~ 10 days


Access Request: With RSA

Process diagram (phases: Access Request, Approval Flow, Provisioning):

• End Users
• User Submits Access Request
• Web-Based UI
• Approval Notification Emailed to LOB Manager
• Approval Request Emailed To Business Process Owner
• Web-Based Approval UI
• Automated Reminders
• Provisioning Request Email Sent to Help Desk
• Help Desk Administrators
• Manual Ticket Creation
• Manual Provisioning

Duration: 3 Days


Benefits Realized

Metric | Before | After | Improvement
Time to complete User Entitlement Reviews | 36 weeks | 9 weeks | 75%
FTEs to manage Review Process | 5 FTEs | 2.5 during; 1 off-cycle | 50%+
Orphan accounts | 12,000+ | 0 | 100%
SoD Rules Defined & Enforced | 0 | 150+ |
Unified Access Request Portal | No | Yes |
Automated Routing to Correct Approvers | No | Yes |
Application Owner Reviews | No | Yes |
Validation of Access Changes | No | Yes |

Improved Business and IT Efficiency

Elimination of Audit Exceptions

Earned Trust of Business Managers and Audit Group


Why RSA Aveksa?

Architectural Superiority
• Purpose-Built for Identity Management & Governance
• Scalability and Performance

Lowest TCO and Fastest Time-To-Value
• Configuration vs. Customization
• Business-Logic Driven not IT-provisioning Driven

Completeness of Solution
• Integrated IAM Platform: Governance, Authentication, Intelligence
• Unified management of on-premise and cloud, Apps and Data


Q&A


Thank You


RSA’s Platform Architecture

[Architecture diagram labels: Business-Friendly UI; Business Logic for Policy-based Governance; Integration Logic; Business Agility; Operational Efficiency; Reduced Risk; Compliance Assurance; Access Lifecycle; Policy Lifecycle; Resource Lifecycle; Provisioning; Remediation; Monitoring; Audit and Review; Exception Handling; Risk Analytics; Identity, Resource, Policy; Security Integration Fabric; Collection; Provisioning; Events Data Query; App Access Portal; Authentication / SSO; Process Orchestration; Integrated Workflow; Cloud Applications; Directory Systems; HR Systems; Data; On-premise Applications; Shared Files; GRC; DLP; SIEM]


Aveksa Functionality by Module

Compliance Manager
• Automated, Agentless Collection
• User Access Certification
• Group Reviews
• Configurable Workflow
• Controls Automation (Rules)
• Reporting and Dashboards
• SaaS Version Available

Role Manager
• Role Mining and Design
• Role Life Cycle Management
• Role Synchronization
• Flexible, Hierarchical Role Model
• Role Membership and Entitlement Policies

Self-Service Access Request
• Business Friendly Access Request Self-Service
• Attribute and Policy Based Form Generation
• Proactive Policy Enforcement
• Orchestration Across Provisioning Endpoints
• SaaS Version Available

Data Access Governance
• Access Governance for Unstructured Data
• File Shares and SharePoint
• Data Ownership Identification
• Data Access Reviews
• DLP Integration

Provisioning and Fulfillment
• Automated User Access Changes
• Password Management
• Attribute Synchronization
• Configuration-Based Connector Development
• Integration with Existing Provisioning and Ticketing Systems

Single Sign On
• Cloud-Based Service
• Desktop and Tablet Application Launchpad
• Pre-built SSO integration with over 2,700 SaaS applications
• Multi-factor authentication and one-time password support
• Integrated with Governance and Provisioning