IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM) Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can utilize the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM has enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the Identity Provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.

1. Role Discovery and RBAC Design
A Case study with IBM RaPM
Alex Ivkin, Prolifics
Grey Thrasher, IBM
March 19, 2012

2. Agenda
Alex Ivkin, CISSP Grey Thrasher
Practice Director Senior Software Engineer
Security Line of Business L2 Technical Team Lead
Prolifics IBM SWG Client Support – Software
Role Based
Process and Results and
Introductions Access Reality Check Q&A
Technology Discussion
Control

3. Prolifics at a Glance
Who Are We?
A Corporate Group of 1200 Employees Worldwide specializing in the expert delivery of end-to-end IBM Solutions
Over 30 years in business, Prolifics
is an end-to-end systems integrator
specializing in IBM technologies
New York Orlando
Boston San Francisco
Philadelphia London Application Testing
Washington DC Hamburg Santa Clara, CA USA
Off-Shore Development Center
Hyderabad, India
S t a b i l i t y, L o n g e v i t y & G r o w t h Solution Leadership
 Serviced over 1600 IBM software accounts in the past 11 years
$70
 Prolifics boasts over 110 Security certifications for architecture,
$60
Gross Revenue
development, administration.
$50
(millions)
$40  IBM Tivoli “AAA Accredited” – First For Security WW
$30  IBM Cloud Certification – First of 5 Partners
$20
 Authorized for SVP in 5 Industry Capabilities – First in Utilities
$10
$0  Also in SOA, Information Management and BPM solutions and
2004 2005 2006 2007 2008 2009 2010 2011 appliances for Business Process Management and Integration

4. Business challenges
• Difficulty in the business understanding of security information
causing a rubber stamp process, or simply too much data to sort
through for the business
• Challenges in the quarterly attestation cycle
• Challenges for supervisory personnel understanding how "least
privilege" works in their business unit
• Onboarding (new hire user adds) requests requiring additional
time and effort becuase access requests are submitted on a case
by case basis using individual forms
• Challenges in managing the access of persons who transfer
between jobs, creating complex modification requests for access
on a case by case basis
• Risk due to inappropriate access, which could be misuse or
simply audit findings - this is due to mirrored access (make
John's access look like Mary's) that may grant too much
permission, or through job transfers where old access is not
removed properly

5. Role Based Access Control
• RBAC is a methodology to align security entitlements to persons
through an abstraction of organizational responsibilities using job
function and relationship to the organization. The idea is to use roles to
represent common access rights for users as sets of privileges on different
systems.
Direct access assignments
Before today are complex,
difficult to track and
change when needed
• Simplify roles and access assignments
• Ability to handle growth and scale
• Facilitate accountability and compliance
Role Based Access Control
After (RBAC) offers an
effective operational
model to drive IAM
Governance

6. Business Benefits of RBAC
• Reduce risk by ensuring people are limited to the required access
dictated by their job function
• Reduce dormant time for new hires during onboarding because their
well defined access can be instantiated automatically
• Simplify the attestation and audit process by reviewing privileges
that are exceptions to the roles instead of reviewing every
entitlement
• Increase accuracy in the attestation process due to an easier to
understand business interface to information security data
• Simplify the cross boarding process and reduce the risk of personnel
dragging inappropriate entitlements to their new job function
• Address compliance requirements through the inherent linkage to
organizational definitions of least privilege and separation of duty

7. Reality check
 How many companies want to do RBAC?
 How many companies are doing RBAC?
 How many companies successfully completed RBAC in 2011?
 Our study showed:
 97% of IdM customers in 2011 agreed that Role Based Access Control
is a solid approach to tackle problems of compliance and security
control
 A third has engaged in RBAC design and implementation, internally
and externally
 Less than a tenth achieved the goals
 Why?
7

8. Challenges
 Time consuming
 Correlating massive data
 High skill required
 Not business user friendly
 Inaccurate results
 Requires business change – the 60/40 mix
 Requires proper tooling
 Identity and Access management platform
 Modeling Tool
 Role life-cycle tool
 Requires understanding, communication and motivation
 It’s a process, not a state

9. How it is done (the secret recipe)
 Strong business processes
 Clever technical instrumentation
 Effective review procedures
 Tight enforcement and integration

10. Introducing Role and Policy Modeler
CIO, CSO, Compliance Lines of Business
Officers, Business Owners
•Governance Goals Modeling
•Scope
Tools
•Business Policies •Approvals/certification
•Interview data
•Risk Analysis
•Collaboration
ROLE AND POLICY MODELER •Compliance Reports
BUSINESS VIEW
VALIDATE
TECHNICAL VIEW Extensible Exceptional
Data Layer Analytics
Intuitive UI Indepth report
•Resources
•Identities
•Entitlements •Role and Policy Templates
•Roles and policies •Reports
IT Systems and
Applications Owners IT Management

11. The beginning
Sizing
Scoping and size control
Focusing on stable business units
•Customer service
•Financial department
Focusing on well understood applications
•Core business applications
Product targeted at the business analyst
Engaging the sponsors and LoB managers
Involving IT Asset custodians
Aggregating existing data Business
View Role
Lifecycl
e
Role and
Policy
Modeler
Technical Integration
View

12. RaPM
RaPM: Home Page
 Designed for Business Analyst
 Simple View
 Model:
 Projects
 Role Mining/Modeling
 Reports
 Import

13. Modeling
CIO, CSO, Compliance
Officers, Business Owners Top-down:
•Governance Goals
•Scope
Modeling Business interviews
Tools
•Business Policies
•Interview data
Existing model
ROLE AND POLICY MODELER
BUSINESS VIEW
TECHNICAL VIEW Extensible Exceptional
Data Layer Analytics
Intuitive UI Indepth report
Bottom-up:
•Resources
•Identities Data aggregation
•Entitlements
•Roles and policies
System state
IT Systems and
Existing knowledge
Applications Owners

14. RaPM
RaPM: Model Roles and Policies
 Project Creation
 User selection
 Permission selection

15. RaPM: Generating roles
 Artificial intelligence algorithms
 Poor performance vs over-fitting
 Analytics
 IBM Research
 Parameters:
 Hierarchy
 Ownership
 Compatibility constraints
 Modeling flexibility
Business
View Role
Lifecycl
e
Role and
Policy
Modeler
Technical Integration
View
18

16. RaPM
RaPM: Role Generation
 IBM Research-created algorithms automatically generate
Roles/Hierarchies
 Options affect number of roles and depth of hierarchy

17. RBAC Modeling
Combine Roles Split Roles Rules for Roles
ROLE A ROLE B ROLE Z ROLE A ROLE B
ROLE C ROLE X ROLE Y
 Role Definition processes
 Role Management Review for HR Updates (Reorg, New job codes, etc)
 Role Review for Application changes (New system, retire system, new
features)
 Iterative approach and instant feedback Business
View Role
Lifecycl
e
Role and
Policy
Modeler
Technical Integration
View

18. Role Quality
RBAC Definition Lifecycle
Role Definition Iterations
Organizational Role
Definition -Business Structured steps of interviews,
View data gathering, engineering,
and tests to produce roles
Examine Cleanup Define Test Publish
Application Role
Definition – System
Empowerment and
View
Knowledge Transfer

19. RaPM
RaPM: Role Analysis
 Analysis Catalog provide different analyses to help determine potential
role members/permissions
 Ensure Membership/Permissions are accurate
 Ability to view granular user/permission details in analysis results

20. Analytics Engine
Dynamic and Adaptive Access Control
BUSINESS ROLE
Dynamic Role
Application / System
Entitlements
ROLE
Application / System
ROLE Entitlements
ROLE
Application / System
Entitlements
ROLE
A single RBAC statically assigned
role can be associated to a
specific specific set of
entitlements (permissions)
An RBAC dynamic role can inherit - VPN Access
collection of Roles that can relate - Access to GL Business
to a Job Family, which can be View Role
Lifecycl
Organization wide, Divisional, or Role and
e
Policy
Location – represented by person Modeler
type
Technical Integration
View

21. RaPM
RaPM: Membership Qualifier
 Configure multiple Conditions
 Automatically associated users with Role
 Use analysis results to help build out Qualifiers
 Membership View indicates members assigned directly or by qualifier

22. Separation of Duties
 Separation of duty constraints and policies, both static
and dynamic in a role model
SOD
Constraints
Role Hierarchy
users Roles Permissions
Business
View Role
Lifecycl
e
Sessions Role and
Policy
Modeler
Technical Integration
View

23. RaPM
RaPM: Separation of Duties (SOD)
 Alert when users are in disallowed combination of Roles
 Indicates SOD configuration problems (inevitable conflicts)
 Details Users/Roles in conflict

24. Role-Based Access Control
RBAC Administration Lifecycles
Attestation (tactical)
Request Based (mid range)
IdM Integrated (strategic)
HR RBAC
ROLE ROLE
Audit Review
A re-org, new data such as org ROLE ROLE
type, physical location, job title,
cost center, or the retirement ROLE ROLE
of any of these…
Business Owner
A new application or Info. Sec.
system, a new group is
added, a group or system
is consolidated or retired Roles are analyzed,
changes are proposed,
and a draft is circulated
Role Approver
Roles are published and ready for use
IT

25. RaPM
RaPM: Reports
 TCR/Cognos based reports
 Operations report
 Permissions report
 Roles report
 User Access report

26. RaPM
Role Lifecycle Manager
 Business Process Manager
 Approval request sent to Role Owner(s)
 Attach Role Reports to Approval request for more details

27. Real World Role Automation
User Account
HR
Role and Policy Modeler
User Account
ROLE PROFILE
ROLE
Identity Management User Account
ROLE
User Account
ROLE
Automatic Permission Assignment User Account
Manual Permission Assignment Security Administration
Business
View Role
Lifecycl
e
Role and
Relationship between RBAC and Policy
Modeler
Identity Provisioning - Mature Technical Integratio
Integration
View n

28. RaPM
RaPM: Export Project
 Generates XML containing:
 Roles
 Separation of Duty constraints
 User to Role assignments (optional)
 Immediately consumable by ITIM Load utility

29. RaPM
RaPM: ITIM Load
 Utility to load exported Roles/SODs/User-to-Role assignments
 Preview option shows number of:
 New or Modified Roles
 Modified Hierarchies
 New or Modified Separation of Duty Constraints
 User-to-Role assignments to be added or deleted

30. Role and Policy Modeler Highlights
Role Management capabilities are integral to
the Security Identity Manager
Integrated built-in functionality in one package, rather than 2 or 3 from
competitors. Costs less than comparable solutions in the market.
Integration and automation provide immediately effective operations
Simple and yet sophisticated role modeling helps accelerate results
Business-user centric Web UI ensures faster adoption and easy to deploy. Powerful, built-in
analytics guide role analyst in generating a timely role structure. IBM’s solid technology
and experience with roles built-into a product
Flexibility to adapt to the client-specific IT processes
Handles scale and large access data sources with project based approach. Extensible policy
& graphical role model to analyze particular enterprise scenarios. Offer business process
automation platform to quickly get stakeholder validation
Ability to drive IAM Governance – beyond role Business
View Role
management Lifecycl
e
Customers can easily deploy and integrate run-time enforcement Role and
Policy
(entitlement management) with IBM’s Identity and Access Management Modeler
Governance strategy. Security Intelligence: Identity Analytics in role
modeling provide valuable business insight, helping customers achieve Technical Integration
the next level of security alignment with the business View

32. Summing up
Role Based Access Management improves compliance postures and reduces cost of
administration in an evolving IT environment,…….
… but there are still challenges achieving this goal
Face to face
Approvals The traditional solution for Role Modeling
Reject
Certify
generates results that are obsolete by the
Face to
Face Collect
Written time they are ready
Report
Consult
ABAC, RuBAC, ZBAC …
Manual
This is about 60% business process
Data consulting and 40% tool.
Collect
Spreadsheet
Written You need both to be strong to get to the
Reports
Evaluation 100%
Manual
Enforcemen Business
View Role
t Lifecycle
Role and
Policy
Modeler
Technical Integration
View
37

33. RBAC Change Control and Notification Processes
Foundational processes will Foundational processes will
allow business to keep allow business to keep system
organizational structure up to entitlements clean up to date
date on systems.
After foundational processes are implemented, and RBAC is in place, these processes can be
leveraged and integrated with RBAC Management Processes

34. Business
View Role
Lifecycle
Role and
Policy
Modeler
Technical Integration
View
39