RoleBased Privileges Management

1
Role-Based Privileges Management How to Quickly
and Effectively Implement Compliance June 2007
Dr. Ron Rymon Founder, Eurekify
Ltd. rrymon_at_Eurekify.com
2
Eurekify at a Glance

• Leading provider of role-based management
  solutions
• Privileges Quality Management
• Role Management
• Identity Management
• Compliance Management
• Eurekify did not invent RBAC, but our unique
  patented pattern recognition technology makes it
  a lot easier to implement
• History and current presence
• Since 2002, with more than 50 customers worldwide
• Partners include Consultants, Integrators,
  Vendors, and Auditors
• Based in Israel, with offices in NY and CA, and
  Worldwide partners

3
Examples of Eurekify Projects
4
Customers
5
IBM Partnership

• Eurekify works as an independent solution and/or
  complementing any Identity Management system
• Special partnership with IBM Optimized
  Partner
• Integrated interface with Tivoli Identity Manager
  (ITIM)
• Working closely with ITIM lab in Irvine, CA
• Certified as Ready for Tivoli
• More than 20 joint customers worldwide

6
What is Role-based Management
7
Privileges Quality is the Source of All Evil

• Currently Many Systems, Many People, Many
  Changes
• Hundreds of even thousands of applications
• Many people came, many changed positions, many
  left
• Many privileges were granted ad-hoc
• The Result Poor Unmanageable Privileges
• 1MM privileges for 20,000 users, many are ad-hoc
• 50 more accounts than people in average system
• 30 out-of-pattern privileges
• 20-50 of groups are redundant or unnecessary
• No central view of privileges
• The Immediate Impact
• ... Serious security holes abound
• Administration costs and productivity losses
• Other Impact
• Difficult to implement Identity Management
• Difficult to achieve and demonstrate compliance

8
Solution Role-based Management

• Role-based Access Control ties IT privileges
  management practices to BUSINESS concepts,
  processes, and culture
• Role based access control (RBAC) is intended to
  simplify and strengthen security administration
• Attach relevant privileges
• Associate users with relevant roles
• Avoid managing individual privileges
• Instead of 50 privileges/person, manage 3-5
  roles/person
• Roles can be expressed based on membership, or as
  rules
• e.g., Marketing users, in division X, that work
  out of CA, shall have access to A, B, and C.
• e.g. All the members of project X, and the
  rights to the project materials
• Roles and rules, combined, constitute a
  privileges model. Role engineering is the
  construction of the privileges model.

9

• Eurekifys Approach

10
Eurekify Pattern Recognition Analytics

• We did not invent Role-based Access Control
  (RBAC)
• But we made it a lot easier with our pattern
  recognition technology

Role

• Discover business structure and define role model

• Detect and remove out-of-pattern exceptions

• Identify and adapt to business changes

11

• Privileges Quality Management
• Compliance Management
• Role Management

12
Five Steps to Privileges Quality Management

• Implement full role-based privileges model across
  platforms (incrementally)

• Review of privileges and exceptions by business
  managers (online)

• Correct groups/profiles on individual systems and
  applications

• Systematically detect cleanup pattern-based
  exceptions

• Visually review privileges, to ensure valid HR
  and account information across systems

Initial assessment
13
Current Statistics

• Users, Groups, Access rights, Access levels
• Individual system or application
• Cross system (IdM view)
• Any level of granularity

14
Privileges Querying

• Who has which privileges? who else? what else?
  whats in common? through which roles? who/what
  is the exception? what is the overlap? what other
  role is similar?

15
Privileges Quality Assessment

• HR mismatches
• Out-of-pattern privileges
• Suspected users, groups
• Redundant groups/roles
• Dual links
• Much more

16
Privileges Cleanup

• Each system, cross systems
• Orphan users, groups
• Privileges collectors
• All levels of granularity
• Out-of-pattern alerts
• Rule violation alerts
• Easy review/fixing
• User/Manager review workflow

17
Analytics-Assisted Privileges Verification
18
Privileges Quality Management

• Detect
• Automatically detect inconsistencies
• Critique
• Collaborative analysis and review
• Set and review quality targets
• Adapt
• Analyze update role model
• Fix privileges
• Approve
• Approve changes

19

• Privileges Quality Management
• Compliance Management
• Role Management

20
Five Steps to Compliance Management

• Implement full role-based privileges management
  and compliance

• Verify Segregation of Duty and business policies
  (automatically)

• Review and certify privileges by business
  managers (online)

• Detect pattern-based exceptions systematically

• Review query privileges across multiple systems

Initial assessment
21
Privileges Recertification/Attestation

• Quick setup of recertification processes
• User initiated via portal
• E-mail campaigns

• Users certified by their managers
• Resource owners certify access
• Roles
• Individual privileges

22
Business Process Rules (including SoD)

• Easily specified into a portable catalog
• Can be specified by business and/or IT people
  and/or auditors
• Segregation of duty (SoD)
• Business process rules and constraints
• Restricted relationships between HR attributes
  and allowed privileges
• All levels of granularity

23
Policy and Compliance Verification

• Automated compliance reverification, periodically
  via batch processes
• Compliance reporting and dashboard
• Easy review/fixing by business owners and
  administrators
• Easy integration with external reporting,
  workflow, and IdM tools

24
Compliance Management

• Detect
• Automatically detect policy violations
  inconsistencies
• Critique
• Collaborative analysis and review
• Adapt
• Analyze update role model
• Fix privileges
• Approve
• Approve changes

25

• Privileges Quality Management
• Compliance Management
• Role Management

26
Five Steps to Role Management

• Define and implement administrative provisioning
  processes (IT, HR)

• Define deploy role model and role management
  processes (administrative analytical)

• Iteratively define review deeper and broader
  role model (to reach 80 coverage)

• Identify and test fitness of alternative role
  engineering methods

• Cleanup privileges

Initial assessment
27
Eurekify Role Engineering Methodology

• Top-down
• Analytics-assisted Top-Down
• Bottom-up (role/rule mining)
• Multitude of role engineering methods
• Automatic discovery of HR-based as well as
  project-based provisioning patterns
• Other methods obvious, modeled-after,

• Combined RE methodologies
• Target coverage 80 of privileges
• Comparison of alternative role engineering
  methodologies
• Critiquing of new/existing roles

28
Eurekify Role Management Processes

• Role Model Management processes
• Detect and adapt to business changes
• Consistency and compliance tests
• Review and approval processes
• Role Administration processes (for customers that
  do not deploy a strong IdM system)
• Add/change/request role definitions
• Add/change/remove privileges
• Eurekify analytics are key for effective
  processes
• Independent processes that can also be integrated
  into any external workflow
• Role provisioning usually done by IdM or
  Meta-Directory

29
Easy Integration with Other Systems

• Quick import/export (asynchronous)
• Privileges data and role definitions
• File-based or API-based exchange
• Easy real-time synchronization
• Real-time exchange of roles privileges data
  (snapshot/delta)
• Real-time analytics available via web services
  calls
• All levels of granularity
• Web services integration
• Flexible web services for third-party workflow
• Identity Management, Help Desk, company standard
  workflow
• All are empowered with Eurekifys analytics

30
Role Management

• Detect
• Exceptions
• Inconsistencies
• Policy violations
• Business changes that affect roles
• Critique
• Collaborative analysis review
• Adapt
• Analyze update role model
• Fix privileges
• Approve
• Approve changes
• Synch it

31

• Customer Case

32
KPN The Dutch National Telecom

• The scenario
• Multiple business units fixed, mobile, cable,
  IPTV
• 28,000 people
• 48 systems subject to SOX 19 to National
  Competition Regulation
• Very diverse, including mainframe, SAP, and many
  homegrown systems
• The approach and project
• Performed jointly by PwC and KPMG
• Used Eurekify Sage to code BPRs
• Analyzed 80 business processes, creating one
  policy for each
• A total of over 1000 BPRs (10-15 per policy)
• 3 Layers of controls commonly accepted
  principles, organizational structure and
  processes, time and location
• The result
• Project completed in under 4 months !
• Several thousand violations were removed or
  rationalized
• Passed SOX review

33

• How to Start

34
How to Start?

• A Eurekify Survey is the best way to start
• Only 5 days !
• Lots of immediate value
• Qualitative and quantitative assessment
• Privileges review
• Piloting compliance tests
• Role engineering tryouts
• You will then know
• What you need, and how to justify your needs
• How to best start a successful project
• Call Eurekify or a local partner, or email
  sales_at_eurekify.com

35

• END