Scaling Analytics to Thousands of Applications
Naresh Persaud
Director, Identity Management, Oracle
This document is for informational purposes. It is not a commitment
to deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions. The
development, release, and timing of any features or functionality
described in this document remains at the sole discretion of
Oracle. This document in any form, software or printed
matter, contains proprietary information that is the exclusive property
of Oracle. This document and information contained herein may not
be disclosed, copied, reproduced or distributed to anyone outside
Oracle without prior written consent of Oracle. This document is not
part of your license agreement nor can it be incorporated into any
contractual agreement with Oracle or its subsidiaries or affiliates.
Agenda

• Enterprise Certification Requirements

• The Scale Challenge

• How to Adapt

• Learning Experience
Enterprise Certification Requirements
Who’s who & what can they do?
• Extract Entitlements: Ad Hoc
• Review Entitlements: Complex
• Correlate Results: Un-auditable
• Remediate Access: Non-verifiable
The Challenge is Scale
• A Few Administrators
• Handful of Help Desk Staff
Organizations Have to Adapt
• Optimize The Data ETL
• Simplify User Experience
• Prioritize Based on Risk
• Automate Remediation
• Sustainable Role Management
• Reduce Audit Findings
Optimize and Streamline ETL Process
10K Resources, 50K Certs per Campaign, 250K Business Units, 2M Users, 10M Entitlements
• Focus on Large Scale
• Quick Extract Transform Load
• Flexible Data Mapping
• Rolling Data Import
• Large Volume Remediation
Simplify User Experience
Easily Available Identity Forensics and Business Views
• Risk Based Reporting
• Historical Data
• Persona Dashboards
• Business Glossary
• Approval Notes
• Delegation
Automate The Remediation
Diagram labels: Entitlement Report, Entitlement Review, Auto-Remediate
• Focus on Large Scale
  Close Loop Remediation
• Quick Extract Transform Load
  Reduce Help Desk Volume
• Rolling Certifications
  Close Loop Reporting
• Rolling Data Import
  Complete Audit Trail
• Large Volume Remediation
  Increase Throughput
Sustain With Role Management
Diagram labels: Enterprise Roles, Identity Warehouse
• Reduce Workload
• Simplify Certification
• Model Roles
• Improve Audits
• Accurate Reporting
Reduce Audit Exposure
Diagram labels: User On-boarding, User Access Change, User Off-board, SOD Checking, Aggregate Risk Score
• Active Conflict Analysis
• Simulation
• Risk Aggregation
• 360 Degree Visibility
• On-going Reconciliation
Identity Management Evolves
• Identity: Authoritative ID with Massive Scale
• Authentication: Access Via Mobile & Social Channels
• Administration: User Lifecycle In Hybrid/Cloud Environments
• Audit: Certify Access for Millions of Users & Entitlements
• Risk Management: Monitor Behavior & Detect Improper Access
Diagram labels: Enterprise, Extranet, Cloud/Mobile
Diagram labels: Tools, Point Solutions, Platform, Intelligence
Oracle Identity Management Stack
Complete, Innovative and Integrated
Identity Governance
• Password Management
• Self-Service Request & Approval
• Roles based User Provisioning
• Analytics, Policy Monitoring
• Risk-based Access Certification
Access Management
• Single Sign-On & Federation
• Web Services Security
• Authentication & Fraud Prevention
• Authorization & Entitlements
• Access from Mobile Devices
Directory Services
• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
• Next Generation (Java) Directory
Platform Security Services
Identity Services for Developers
Platform Reduces Cost vs. Point Solutions
• 48% Cost Savings
• 46% More Responsive
• 35% Fewer Audit Deficiencies
Benefits and Oracle IAM Suite Advantage:
Increased End-User Productivity
• Emergency Access: 11% faster
• End-user Self Service: 30% faster
Reduced Risk
• Suspend/revoke/de-provision end user access: 46% faster
Enhanced Agility
• Integrate a new app faster with the IAM infrastructure: 64% faster
• Integrate a new end user role faster into the solution: 73% faster
Enhanced Security and Compliance
• Reduces unauthorized access: 14% fewer
• Reduces audit deficiencies: 35% fewer
Reduced Total Cost
• Reduces total cost of IAM initiatives: 48% lower
Source: Aberdeen “Analyzing point solutions vs. platform” 2011
Learning Experience

• Scale By Adapting
• Focus on Risk and Benchmark for Scale
• Closed Loop Remediation
• Prevent Exposure


Editor's Notes

  • #2: Overview: Today the process of certifying applications and managing enterprise roles is largely spreadsheet driven, and most companies are able to manage entitlement certification for a handful of applications. The question everyone is asking is: how do we scale to thousands of apps? This presentation is about how Oracle can enable businesses to make the process repeatable and sustainable and, more importantly, orchestrate certification review campaigns and measure progress.
  • #5: Notes: To start with, here is the process that companies conduct to perform access certification:
      1. Extract Entitlements: This is typically scripted to pull from systems like mainframes, databases and ERP systems. The challenge is that it is ad hoc; this process is done by each application owner. Because it is largely human dependent, it takes lots of time and is not repeatable.
      2. Review Entitlements: After these entitlements are extracted into spreadsheets, the data gets passed to each manager to certify their direct reports. The spreadsheets are complex, and because there is often no built-in data dictionary they are difficult to understand. Often this is error prone; there have been cases where people have certified users who are no longer with the company.
      3. Correlate Results: After the results are returned, a central audit group typically has to take the data and correlate it. It's difficult to figure out historical information, etc., and it's not auditable.
      4. Remediate: The last step is to fix any audit findings or changes that managers have, and typically this is driven by an internal help desk. It is hard to verify what changes have been made, and the delay in making changes makes this prohibitive.
  • #6: The reason this is challenging is scale. The audit requirements are becoming more intrusive. Where we were looking at a handful of systems, we now need to look at thousands of systems and applications. If you are an organization that only needed to look at your ERP system alone, that would be easy, but what about your UNIX systems? What about the home-grown apps sitting on relational databases? Where we were primarily looking at financial apps, we are now looking at the extended applications that provide data to the financial apps. In many regulated industries like healthcare and financial services we have the line-of-business apps to contend with. As we leverage more apps in the cloud, the number of total applications that are being scrutinized is increasing. At the same time, we have hundreds of thousands of users; because we are letting more people in, we have more access to scrutinize. At the end of this is millions of entitlements. Many organizations today that have managed access via hierarchical groups and roles have witnessed the role explosion. This feeds the number of entitlements we need to certify.
  • #7: The process of adapting means scaling, and by focusing on the humanly challenging problems and simplifying the user experience we can address the problem.
      • Optimize the ETL: Instead of running scripts, we need a scheduled, automated way of handling this and making it repeatable.
      • Simplify the user experience: We need to put ourselves in the perspective of the end user and minimize the workload that the end user has to do in order to finish a review.
      • It has to be risk based: There are thousands of reviews to do, so which ones should come first?
      • Remediation: It should not sit on a help desk; it should be automatically fixed.
      • Aggregate your entitlements into roles: Instead of certifying each entitlement, we need a managed way to produce roles which can be certified and change controlled to make sure we don't get role explosion.
      • Preventively reduce the number of audit findings: This means looking at the user lifecycle to prevent violations from happening. Most of these audit violations could be prevented if they were caught in the provisioning cycle.
  • #8: To optimize the process we have benchmarked for scale and looked at the largest deployments. To scale we look at a few things: the number of resources, the number of certs per campaign, and the number of business units, users and entitlements. We have benchmarked these internally and focused on how you make this repeatable on a quarterly basis. This process runs on a quarterly or rolling basis, with the ability to remediate all of this in large volume automatically. All of this produces a warehouse which provides greater intelligence than the ad hoc process we started with.
  • #9: Scale requires prioritization and focus. Simplifying the user experience and providing analytics at their fingertips is another way OIA optimizes the process.
      • Risk based reporting: When access is granted or changed during the provisioning process, OIA can aggregate the risk and recognize high-risk access rights. At the same time, OIA can recognize excessive access and separation of duties conflicts and flag these circumstances as high risk.
      • Historical data: Users need historical data, so with OIA the reviewer can get a complete history of access reviews. This makes the reviewer's job easy.
      • Dashboards: To make the process of measuring results easier, we have incorporated dashboards, so that for a department or business unit we get a cumulative progress report for the entire department. Similarly, an application owner can view the progress report on a per-application basis.
      • Approval notes: To provide greater transparency of end users across certification reviews, we have incorporated approval notes to act as a journal across reviews, so the semantics of a decision do not get lost between reviewers.
      • Delegation: Lastly, delegation allows a manager to delegate the review to another manager or subordinate.
  • #10: Most of the security risk due to orphaned accounts happens within a couple of weeks of employees separating from the company. The media is replete with stories of employees who have separated and logged back in to perform malicious activity. Most of this happens within a short time after separation, so automated remediation is critical. We can debate the merit of starting with certification or provisioning, and many of our customers start with one or the other; what they will all agree on is that combined provisioning and certification review are critical to a complete solution. In fact these two things reinforce one another. Remediation needs to be closed loop. If we do certification review alone we end up with large help desk volumes, which only shifts the workload to the help desk. The reporting needs to be closed loop: we need to be able to assure administrators and managers that the remediation is complete. It has to be integrated.
  • #11: To make it work, it has to be sustainable. As we are certifying, Oracle Identity Analytics can help build roles which aggregate entitlements to simplify the process, and because OIA has a complete role lifecycle process we can avoid the role explosion problem. Once we have streamlined the ETL process and the data is loaded into a warehouse, OIA can perform role mining on the warehouse to provide guidance on possible roles. From here the roles can be refactored and refined. OIA also lets the security group model roles free form and do what-if analysis. The result is:
      • A simpler certification review process, because instead of certifying millions of entitlements the manager only has to certify individual roles.
      • Improved audit results, because instead of scrutinizing millions of entitlements the auditors can focus on roles.
      • Better, more accurate reporting: since the roles tie more closely to job roles, auditors and managers can look at reporting at the role level instead of the system or entitlement level.
  • #12: To reduce the audit exposure, OIA is both preventive and detective. OIA combines with OIM so that as privileges are granted OIM can capture a risk score that is visible to OIA. For example, emergency access increases the risk, and the reviewer needs to know that the access was granted temporarily; OIM tracks this and sends it to OIA. This is also an example of being preventive. At the same time, OIA and OIM combine to check SOD conflicts while access is being granted, so if a conflicting privilege is being selected in OIM the requester can see a form validation error and the system can route the request to a reviewer for approval. Additionally, OIA provides 360 degree visibility: instead of looking at reporting on a single application at a time, a reviewer gets a complete view of the user's access across systems. This allows the reviewer to look at potential risks across several applications. And to provide on-going monitoring, OIA provides regular reconciliations to check for changes that are made out of band.
  • #13: Analytics is part of a larger Identity Value Chain, which drives the compliance and audit lifecycle. In order to be effective, the solutions have to move from being a series of tools to a platform that provides intelligence and risk management.
      • At the foundation, we have to know who's who across all of our applications.
      • Providing secure authentication is next; typically this is user name and password or strong authentication.
      • Slightly more sophisticated is administration, because it has to be flexible to handle all of the nuances of moves, adds and changes.
      • Providing compliance reporting is next in the ladder, because this requires intelligence of SOD.
      • At the highest level is understanding risk: understanding patterns of behavior so we can step up authentication and authorization, and understanding what access may be risky during a certification review.
    Finally, it has to scale to address the opportunity.
      • At the identity level, this means massive scale for numbers of users, because we not only have to manage our enterprise users, we have to manage our subscribers and customers. NOTE: China Mobile has over 600 million subscribers. Vodafone in the UK has about 341 million subscribers. If we want to take advantage of opportunities in China we have to more than double our scale. So imagine if you are AT&T with 100 million subscribers and you have to merge with T-Mobile at 34 million subscribers and you have to integrate.
      • At the authentication level, the scale is also increasing because of mobile use and social networking. With social networking I am referring to services that allow users to authenticate to get access to applications or data resources via their social networking login. Interesting stat: if Facebook were a country it would be the 3rd largest, with double the population of the US. At the mobile level, many customers are building internal application stores to provide applications to their employees. They have to be able to provide single sign-on across applications.
      • The administration has to scale to the cloud. To take advantage of the cloud, organizations have to bridge the gap between the security in the enterprise and the security in the cloud. This means delegated administration and managing moves, adds and changes directly to the cloud.
      • The audit has to scale. Many customers have done their initial projects on certification review but now need to scale the process to more applications; the volume of entitlements is only increasing.
    Identity management has to evolve to provide
  • #15: Certification review is one part of a complete identity and access management strategy. A recent study by Aberdeen of 160 companies worldwide found that companies who adopt integrated IAM products from a single vendor as part of a strategy had better economies of scale. They saved 48% overall, were 46% more responsive and had 35% fewer audit deficiencies. Read paper: http://www.oracle.com/go/?&Src=7319991&Act=11&pcode=WWMK11053701MPP015
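
The certification loop described in notes #5, #10 and #12 (extract, correlate against HR, rank by risk, remediate, then reconcile to confirm the fix), as an added Python example; it is not Oracle Identity Analytics code and not part of the presentation. The roster, extract, SoD rule, risk weights and reviewer decisions are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the presentation).
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated"}
EXTRACT = [  # (user, application, entitlement), as pulled from each system
    ("alice", "erp", "create_vendor"),
    ("alice", "erp", "approve_payment"),
    ("bob", "unix", "sudo_all"),
    ("bob", "erp", "view_ledger"),
    ("carol", "erp", "approve_payment"),   # leaver who still has access
    ("dave", "crm", "export_contacts"),    # account with no HR record
]
# Hypothetical separation-of-duties rules: pairs one user must not hold.
SOD_RULES = [(("erp", "create_vendor"), ("erp", "approve_payment"))]
# Hypothetical base risk per entitlement; anything unlisted scores 1.
BASE_RISK = {"sudo_all": 5, "approve_payment": 3, "create_vendor": 2}
# Constructed reviewer decisions; bob's view_ledger was never reviewed.
DECISIONS = {
    ("alice", "erp", "create_vendor"): "revoke",
    ("alice", "erp", "approve_payment"): "certify",
    ("bob", "unix", "sudo_all"): "certify",
}


def build_review_items(roster, extract, sod_rules, base_risk):
    """Correlate the extract with HR and rank grants by aggregate risk."""
    held = defaultdict(set)
    for user, app, ent in extract:
        held[user].add((app, ent))
    items = []
    for user, app, ent in extract:
        flags = []
        if roster.get(user) != "active":      # terminated or unknown to HR
            flags.append("ORPHANED")
        for left, right in sod_rules:         # checked across all of a user's access
            if (app, ent) in (left, right) and {left, right} <= held[user]:
                flags.append("SOD")
        risk = base_risk.get(ent, 1)
        risk += 10 * ("ORPHANED" in flags) + 5 * ("SOD" in flags)
        items.append({"grant": (user, app, ent), "flags": flags, "risk": risk})
    # Highest risk first, so reviewers see the riskiest grants at the top.
    return sorted(items, key=lambda i: (-i["risk"], i["grant"]))


def decide_revocations(items, decisions):
    """Orphaned grants are revoked automatically; the rest follow the reviewer.

    A grant with no recorded decision is reported as unreviewed so that it is
    never silently treated as certified.
    """
    revoke, unreviewed = set(), []
    for item in items:
        grant = item["grant"]
        if "ORPHANED" in item["flags"]:
            revoke.add(grant)
        elif grant not in decisions:
            unreviewed.append(grant)
        elif decisions[grant] == "revoke":
            revoke.add(grant)
    return revoke, unreviewed


def verify_remediation(revoke, fresh_extract):
    """Close the loop: a revoked grant still present in a fresh extract is open."""
    return sorted(revoke & set(fresh_extract))


def run_campaign():
    items = build_review_items(HR_ROSTER, EXTRACT, SOD_RULES, BASE_RISK)
    revoke, unreviewed = decide_revocations(items, DECISIONS)
    # Constructed post-remediation extract in which dave's account was missed.
    fresh = [g for g in EXTRACT if g not in revoke or g[0] == "dave"]
    return items, revoke, unreviewed, verify_remediation(revoke, fresh)


if __name__ == "__main__":
    items, revoke, unreviewed, still_open = run_campaign()
    for item in items:
        print(item["risk"], item["grant"], item["flags"])
    print("unreviewed:", unreviewed)
    print("revoked but still present:", still_open)
```
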