A Study in Borderless Over Perimeter
1 like2,340 views
The document outlines the evolution of Identity and Access Management (IAM) at a major U.S. financial service, emphasizing challenges with scalability, integration, and user intuitiveness in existing systems. It introduces Saviynt's IAM solutions, which provide fine-grained access management and improved onboarding processes, resulting in the integration of 182 applications within 4.5 months and significant compliance and security enhancements. Furthermore, the implementation of advanced analytics and insider threat management aims to address growing security concerns and improve operational efficiency.
A Study in Borderless Over Perimeter
- 1. A study in Borderless over Perimeter
- 2. Evolution of IAM at a US financial services major • Increased adoption of Cloud & Big Data – Workday, Office 365, SaaS, Hadoop,… • Adoption of BYOD is diluting traditional perimeter • Growing security concerns on critical platforms • Expanding compliance mandates • Increased collaboration with business partners • End users did not find IAM processes intuitive enough • Existing Sun IAM platform was challenged to scale and deliver • Extremely long turn around to onboard new applications to IAM platform • No single view of employees and contingent workers • Different service windows for logical and physical access 2
- 3. Saviynt elevates traditional IAM with fine-grained access management and usage analytics 3 Access / Usage Logs Roles Workflow SOD Controls Life-cycle Management Self-service Critical applications Infrastructure platforms E.g. AD, RACF, AS/400, LDAP, Identity Management platforms,… Fine- grained Access Epic: templates, classes, security points SAP HANA: roles, privileges, usage logs,.. Oracle EBS: Responsibilities, Menus, Functions Office 365: groups, sites, folders, files,…
- 4. (Saviynt + ForgeRock) provided the next generation IAM architecture Core architecture deployed in 2 months 4 Managed Systems BigDataCloudEnterprise Enterprise IAM Identity Warehouse Fine-grained Roles and SOD Collection engines for user access and usage logs Audit and Control SSO / Authentication Password Management REST APIs BusinessView Coarse-grained Provisioning, Synchronization End-users, Managers, IT Security, Auditors, Platform owners Fine-grained SOD Management & Remediation Enterprise / Application Role Engineering & Management Controls Library (200+ security & SOD controls) Access Simulation & Version Mgmt. Collectors Access Request System Access Review Security & Compliance Reporting Saviynt AppSec Manager Identity Stores / Authoritative Sources Custom AppsAD LDAP RACF Badging
- 5. Step 1 – Introduced an intuitive web and mobile UI for access request and certification 5 • Simple grid layout for easy navigation • Supports personalization Mobile app available on iOS and Android Single window to request logical and physical access
- 6. Step 1 – Introduced an intuitive web and mobile UI for access request and certification 6 • Simple grid layout for easy navigation • Supports personalization Mobile app available on iOS and Android Single window to request logical and physical access • End users did not find IAM processes intuitive enough • Different service windows for logical and physical access
- 7. Step 2 – Single best-practice enterprise workflow and pre-built modules to accelerate application onboarding 7 • Out-of-box single enterprise workflow drives access request behavior • Enhanced with access recommendations • Met requirements of more than 90% of enterprise apps and platforms • Promoted configuration instead of coding to onboard applications • Reduced customization and # of workflows, accelerated application onboarding • Based on industry based practices Integrated 182 applications with new IAM platform in just 4.5 months • Integration varied from automated to semi-automated provisioning • Usage logs were fed in for critical applications, Cloud and Big Data platforms Privilege User Management Badge Management Contingent Worker Onboarding Service Account Management
- 8. Step 2 – Single best-practice enterprise workflow and pre-built modules to accelerate application onboarding 8 • Out-of-box single enterprise workflow drives access request behavior • Enhanced with access recommendations • Met requirements of more than 90% of enterprise apps and platforms • Promoted configuration instead of coding to onboard applications • Reduced customization and # of workflows, accelerated application onboarding • Based on industry based practices Integrated 182 applications with new IAM platform in just 4.5 months • Integration varied from automated to semi-automated provisioning • Usage logs were fed in for critical applications, Cloud and Big Data platforms Privilege User Management Badge Management Contingent Worker Onboarding Service Account Management • Extremely long turn around to onboard new applications to IAM platform • No single view of employees and contingent workers
- 9. Step 3 – Implemented over 200+ security, process and SOD controls ingrained in security platform, and actionable usage analytics 9 Financial platforms (180 SOD rules) o Core banking o Investment management o Life insurance o Property and casualty o Treasury o Core financials o Fraud management o Information technology SOX Privacy FFIEC Access Logs Analytics Engine Access Recommendations Access Request – Peer recommendations Access Approval – Outlier analysis Access Certification – Outlier & Usage analysis
- 10. Step 3 – Implemented over 200+ security, process and SOD controls ingrained in security platform, and actionable usage analytics 10 Financial platforms (180 SOD rules) o Core banking o Investment management o Life insurance o Property and casualty o Treasury o Core financials o Fraud management o Information technology SOX Privacy FFIEC Access Logs Analytics Engine Access Recommendations Access Request – Peer recommendations Access Approval – Outlier analysis Access Certification – Outlier & Usage analysis • Growing security concerns on critical platforms • Expanding compliance mandates
- 11. Step 4 – Implemented fine-grained entitlement management for critical apps, cloud and big data platforms 11 Managed Systems BigDataCloudEnterprise Fine-grained Roles and SOD Collection engines for user access and usage logs Audit and Control BusinessView IT Security, Auditors, IAM Admins Fine-grained SOD Management & Remediation Enterprise / Application Role Engineering & Management Controls Library (200+ security & SOD controls) Access Simulation & Version Mgmt. Collectors Access Request System Access Review Security & Compliance Reporting Saviynt AppSec Manager Custom Critical Apps Workday Admins, Big Data Admins, Platform Owners
- 12. Step 4 – Implemented fine-grained entitlement management for critical apps, cloud and big data platforms 12 Managed Systems BigDataCloudEnterprise Fine-grained Roles and SOD Collection engines for user access and usage logs Audit and Control BusinessView IT Security, Auditors, IAM Admins Fine-grained SOD Management & Remediation Enterprise / Application Role Engineering & Management Controls Library (200+ security & SOD controls) Access Simulation & Version Mgmt. Collectors Access Request System Access Review Security & Compliance Reporting Saviynt AppSec Manager Custom Critical Apps Workday Admins, Big Data Admins, Platform Owners • Increased adoption of Cloud & Big Data – Workday, Office 365, SaaS, Hadoop,… • Adoption of BYOD is diluting traditional perimeter • Growing security concerns on critical platforms
- 13. Step 5 – We are now implementing advanced behavioral analytics 13 User Amount transactions Date & Time IP Address User Time Slices Activity frequency Network Sources Daily, Weekly, Monthly, Day of the Week, Time of Day, Holidays, Weekend Behavior Profile Suspicious Activities John. Doe 10/10/2011, 12:03:20, 10.12.132.1, John Doe, Email sent
- 14. Step 5 – …and activating various insider threat management use cases 14 Insider Threat Intelligence • Data theft detection and prevention • Fraud detection and prevention • VIP Snooping • Sabotage detection and prevention Data Exfiltration Analytics • Data theft detection/prevention • Signature less and correlation analysis of Network and Host DLP • Risk ranking of incidents and case management Fraud Intelligence • Enterprise Fraud detection • Web Fraud detection • Customer Service Rep Fraud detection Identity & Access Intelligence • Global Identity Warehouse • Access risk monitoring & cleanup • Risk-based access requests • Risk-based access certifications Big Data Analytics • Data Mining for security intelligence • Purpose-built Security Analytics on Hadoop, Greenplum and other Big Data stores • Visualization of linkages in large datasets Cyber Threat Detection • Targeted attack detection • Low and slow attacks • Advanced malware detection • Investigation & Response Application Security Intelligence • Privilege Misuse • Unusual view/download of sensitive information • Account Takeover • Off the shelf and Custom Apps Security Risk Monitoring • Continuous risk monitoring • Organization Risk Scorecard • User Risk Scorecard • System Risk Scorecard Case Management • Graphical Link analysis using investigation workbench • Case management • Fully configurable workflow • Reporting
- 15. We helped realize tangible benefits for the client… 15 Uniform risk and security management • Consistent security model using roles, SOD policies, rules, templates, etc. across various critical / enterprise applications, Big Data and Cloud providers • Over 200+ security and SOD controls library, compliance dashboards provide visibility to security posture • Automated security life-cycle management combined with actionable usage analytics • REST APIs enable easy integration with enterprise applications Faster time to value • Saves >70% time in implementing security vis-à-vis traditional methods • Pre-built life-cycle management modules and best practice workflow • Rapid application integration promotes factory model Lower TCO • Subscription-based pricing model • Cloud-based deployment option available, lowers hardware footprint • Reduce administrative overhead for audit reporting and user access management • Improve end user satisfaction with intuitive and mobile ready security tools 1 2 3
- 16. Visit us at www.saviynt.com or our booth at IRM Summit Thank You Questions?