IBM Pulse 2012 presentation by Alex Ivkin (Prolifics) and Grey Thrasher (IBM)
Synthesizing the business view of IT resources with the technical implementation of Role Based Access Control remains one of the toughest challenges in Identity Management today. We will walk through a real-world use case to understand how organizations can utilize the new IBM Role and Policy Modeler (RaPM) tool to discover essential business relationships and map them to IT access permissions, creating the schema for a comprehensive RBAC system. We will explain how the design criteria provided by RaPM have enabled the foundation of a comprehensive Identity and Role Lifecycle Management structure. The follow-on implementation of an RBAC system in the Identity Provisioning platform, IBM Tivoli Identity Manager, will be explored, as well as how this organization is automating access privileges, simplifying internal security controls and reducing the complexity of audit and compliance enforcement.
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
1. Role Discovery and RBAC Design
A Case study with IBM RaPM
Alex Ivkin, Prolifics
Grey Thrasher, IBM
March 19, 2012
2. Agenda
Alex Ivkin, CISSP: Practice Director, Security Line of Business, Prolifics
Grey Thrasher: Senior Software Engineer, L2 Technical Team Lead, IBM SWG Client Support – Software
Agenda: Introductions; Role Based Access Control; Process and Technology; Results and Reality Check Discussion; Q&A
3. Prolifics at a Glance
Who Are We?
A Corporate Group of 1200 Employees Worldwide specializing in the expert delivery of end-to-end IBM Solutions
Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies
Offices: New York, Boston, Philadelphia, Washington DC, Orlando, San Francisco, London, Hamburg
Application Testing: Santa Clara, CA USA
Off-Shore Development Center: Hyderabad, India
Stability, Longevity & Growth
[Chart: Gross Revenue (millions), $0 to $70 scale, 2004 through 2011]
Solution Leadership
Serviced over 1600 IBM software accounts in the past 11 years
Prolifics boasts over 110 Security certifications for architecture, development, administration.
IBM Tivoli “AAA Accredited” – First For Security WW
IBM Cloud Certification – First of 5 Partners
Authorized for SVP in 5 Industry Capabilities – First in Utilities
Also in SOA, Information Management and BPM solutions and appliances for Business Process Management and Integration
4. Business challenges
• Difficulty in the business understanding of security information, causing a rubber stamp process, or simply too much data to sort through for the business
• Challenges in the quarterly attestation cycle
• Challenges for supervisory personnel understanding how "least privilege" works in their business unit
• Onboarding (new hire user adds) requests requiring additional time and effort because access requests are submitted on a case by case basis using individual forms
• Challenges in managing the access of persons who transfer between jobs, creating complex modification requests for access on a case by case basis
• Risk due to inappropriate access, which could be misuse or simply audit findings - this is due to mirrored access (make John's access look like Mary's) that may grant too much permission, or through job transfers where old access is not removed properly
5. Role Based Access Control
• RBAC is a methodology to align security entitlements to persons through an abstraction of organizational responsibilities using job function and relationship to the organization. The idea is to use roles to represent common access rights for users as sets of privileges on different systems.
Before: Direct access assignments are complex, difficult to track and change when needed
• Simplify roles and access assignments
• Ability to handle growth and scale
• Facilitate accountability and compliance
After: Role Based Access Control (RBAC) offers an effective operational model to drive IAM Governance
6. Business Benefits of RBAC
• Reduce risk by ensuring people are limited to the required access dictated by their job function
• Reduce dormant time for new hires during onboarding because their well defined access can be instantiated automatically
• Simplify the attestation and audit process by reviewing privileges that are exceptions to the roles instead of reviewing every entitlement
• Increase accuracy in the attestation process due to an easier to understand business interface to information security data
• Simplify the cross boarding process and reduce the risk of personnel dragging inappropriate entitlements to their new job function
• Address compliance requirements through the inherent linkage to organizational definitions of least privilege and separation of duty
7. Reality check
How many companies want to do RBAC?
How many companies are doing RBAC?
How many companies successfully completed RBAC in 2011?
Our study showed:
97% of IdM customers in 2011 agreed that Role Based Access Control is a solid approach to tackle problems of compliance and security control
A third have engaged in RBAC design and implementation, internally and externally
Less than a tenth achieved the goals
Why?
8. Challenges
• Time consuming
• Correlating massive data
• High skill required
• Not business user friendly
• Inaccurate results
• Requires business change – the 60/40 mix
• Requires proper tooling: Identity and Access management platform, Modeling Tool, Role life-cycle tool
• Requires understanding, communication and motivation
• It’s a process, not a state
9. How it is done (the secret recipe)
• Strong business processes
• Clever technical instrumentation
• Effective review procedures
• Tight enforcement and integration
10. Introducing Role and Policy Modeler
[Diagram: Role and Policy Modeler, with the Business View above the Technical View and a Validate step between them]
Business View inputs from the CIO, CSO, Compliance Officers and Business Owners: Governance Goals, Scope, Business Policies, Interview data
Modeling Tools outputs to the Lines of Business: Approvals/certification, Risk Analysis, Collaboration, Compliance Reports
Technical View inputs from IT Systems and Applications Owners: Resources, Identities, Entitlements, Roles and policies
Outputs to IT Management: Role and Policy Templates, Reports
Product characteristics: Extensible Data Layer, Exceptional Analytics, Intuitive UI, In-depth report
11. The beginning
Sizing
Scoping and size control
Focusing on stable business units
• Customer service
• Financial department
Focusing on well understood applications
• Core business applications
Product targeted at the business analyst
Engaging the sponsors and LoB managers
Involving IT Asset custodians
Aggregating existing data
[Diagram: Business View, Role Lifecycle, Role and Policy Modeler, Technical View, Integration]
12. RaPM
RaPM: Home Page
Designed for Business Analyst
Simple View
Model:
Projects
Role Mining/Modeling
Reports
Import
13. Modeling
[Diagram: the Role and Policy Modeler architecture from slide 10, annotated with the two modeling directions]
Top-down (Business View): Business interviews; Existing model. Inputs from the CIO, CSO, Compliance Officers and Business Owners: Governance Goals, Scope, Business Policies, Interview data
Bottom-up (Technical View): Data aggregation; System state; Existing knowledge. Inputs from IT Systems and Applications Owners: Resources, Identities, Entitlements, Roles and policies
14. RaPM
RaPM: Model Roles and Policies
Project Creation
User selection
Permission selection
15. RaPM: Generating roles
Artificial intelligence algorithms
Poor performance vs over-fitting
Analytics
IBM Research
Parameters: Hierarchy, Ownership, Compatibility constraints
Modeling flexibility
16. RaPM
RaPM: Role Generation
IBM Research-created algorithms automatically generate
Roles/Hierarchies
Options affect number of roles and depth of hierarchy
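As an added illustration of the bottom-up role generation described on this slide (constructed data and a deliberately simple grouping pass, not IBM Research's algorithm or RaPM's code): users with identical permission sets become candidate roles, a minimum-support option decides how many roles survive, and strict subset inclusion between permission sets builds the hierarchy, so changing the option changes both the role count and the hierarchy depth.

```python
from collections import defaultdict

# Constructed sample entitlement data (user -> permissions held); not from the deck.
ASSIGNMENTS = {
    "alice": {"vpn", "email", "gl_read"},
    "bob":   {"vpn", "email", "gl_read"},
    "carol": {"vpn", "email", "gl_read", "gl_post"},
    "dave":  {"vpn", "email"},
    "erin":  {"vpn", "email"},
    "frank": {"vpn", "email", "crm_read"},
}

def mine_roles(assignments, min_users=2):
    """Group users with identical permission sets into candidate roles.
    min_users is the support threshold: raising it yields fewer roles and
    pushes rare permission sets out as exceptions that would have to be
    assigned directly rather than through a role."""
    by_perms = defaultdict(set)
    for user, perms in assignments.items():
        by_perms[frozenset(perms)].add(user)
    roles, exceptions = {}, set()
    # Smaller permission sets first, so junior roles get the lower numbers.
    for perms, users in sorted(by_perms.items(),
                               key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        if len(users) >= min_users:
            name = f"R{len(roles) + 1}"
            roles[name] = {"permissions": set(perms), "members": users}
        else:
            exceptions |= users
    return roles, exceptions

def build_hierarchy(roles):
    """A role inherits every role whose permission set is a strict subset of
    its own. Only direct parents are kept, so transitive edges are dropped and
    the depth of the result is meaningful."""
    parents = {}
    for name, data in roles.items():
        juniors = [j for j, d in roles.items() if d["permissions"] < data["permissions"]]
        parents[name] = sorted(j for j in juniors
                               if not any(roles[j]["permissions"] < roles[k]["permissions"]
                                          for k in juniors))
    return parents

def depth(parents, role):
    """Longest inheritance chain under the role; a role with no juniors has depth 1."""
    return 1 + max((depth(parents, j) for j in parents[role]), default=0)
```

With the constructed data, min_users=2 yields two roles in a two-level hierarchy and leaves carol and frank as exceptions, while min_users=1 yields four roles and a three-level hierarchy.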
17. RBAC Modeling
[Diagram panels: Combine Roles, Split Roles, Rules for Roles, illustrated with Roles A, B, C, X, Y and Z]
Role Definition processes
Role Management Review for HR Updates (Reorg, New job codes, etc)
Role Review for Application changes (New system, retire system, new features)
Iterative approach and instant feedback
18. Role Quality
RBAC Definition Lifecycle
Organizational Role Definition - Business View
Application Role Definition – System View
Role Definition Iterations: Structured steps of interviews, data gathering, engineering, and tests to produce roles
Examine, Cleanup, Define, Test, Publish
Empowerment and Knowledge Transfer
19. RaPM
RaPM: Role Analysis
Analysis Catalog provides different analyses to help determine potential role members/permissions
Ensure Membership/Permissions are accurate
Ability to view granular user/permission details in analysis results
20. Analytics Engine
Dynamic and Adaptive Access Control
[Diagram: a Business Role (Dynamic Role) inheriting several Roles, each mapped to Application / System Entitlements]
A single RBAC statically assigned role can be associated to a specific set of entitlements (permissions)
An RBAC dynamic role can inherit a collection of Roles that can relate to a Job Family, which can be Organization wide, Divisional, or Location – represented by person type
Example entitlements: VPN Access; Access to GL
21. RaPM
RaPM: Membership Qualifier
Configure multiple Conditions
Automatically associates users with Role
Use analysis results to help build out Qualifiers
Membership View indicates members assigned directly or by qualifier
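A membership qualifier and its membership view as an added example (constructed identity records and a made-up condition syntax, not RaPM's own qualifier format or code): the conditions are ANDed over identity attributes, the view distinguishes direct members from qualifier members, and the direct members the qualifier does not cover become the exceptions that an attestation review would look at.

```python
# Constructed sample identity records and qualifier; not RaPM's syntax or data.
USERS = {
    "u1": {"dept": "Finance", "title": "AP Clerk", "location": "NYC"},
    "u2": {"dept": "Finance", "title": "AP Clerk", "location": "London"},
    "u3": {"dept": "Finance", "title": "Controller", "location": "NYC"},
    "u4": {"dept": "Sales", "title": "AP Clerk", "location": "NYC"},
    "u5": {"dept": "Finance", "location": "NYC"},   # title attribute missing
}
# A qualifier is a list of (attribute, operator, value) conditions; all must hold.
AP_CLERK_QUALIFIER = [("dept", "==", "Finance"),
                      ("title", "in", {"AP Clerk", "AP Specialist"})]
# Users who were given the role directly, e.g. migrated from a legacy group.
AP_CLERK_DIRECT = {"u1", "u3"}

OPERATORS = {
    "==": lambda actual, wanted: actual == wanted,
    "!=": lambda actual, wanted: actual is not None and actual != wanted,
    "in": lambda actual, wanted: actual in wanted,
}

def matches(attrs, qualifier):
    """True only if every condition holds; a missing attribute never matches."""
    return all(OPERATORS[op](attrs.get(attr), value) for attr, op, value in qualifier)

def membership_view(users, qualifier, direct):
    """Map each member to how the role was obtained: 'qualifier', 'direct' or 'both'.
    Non-members are left out of the view."""
    view = {}
    for uid, attrs in users.items():
        by_rule, by_hand = matches(attrs, qualifier), uid in direct
        if by_rule and by_hand:
            view[uid] = "both"
        elif by_rule:
            view[uid] = "qualifier"
        elif by_hand:
            view[uid] = "direct"
    return view

def review_exceptions(view):
    """Direct members the qualifier does not justify: the short list that an
    attestation reviews instead of every entitlement."""
    return sorted(uid for uid, how in view.items() if how == "direct")
```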
22. Separation of Duties
Separation of duty constraints and policies, both static and dynamic in a role model
[Diagram: the RBAC reference model with Users, Roles, Permissions, Sessions and the Role Hierarchy, with SOD Constraints overlaid]
23. RaPM
RaPM: Separation of Duties (SOD)
Alert when users are in disallowed combination of Roles
Indicates SOD configuration problems (inevitable conflicts)
Details Users/Roles in conflict
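The checks described on slides 22 and 23, as an added example over a constructed role model (not RaPM's code or its data format): a static SoD check over each user's inherited roles, a dynamic check evaluated against the roles active in one session, and a configuration check that flags roles whose own hierarchy already breaks a constraint, so every member of that role will conflict no matter what else is assigned (the slide's inevitable conflicts).

```python
# Constructed sample role model; not from the deck. A role is authorized for
# every junior listed under it, transitively.
HIERARCHY = {
    "AP_Clerk": [],
    "AP_Approver": [],
    "AP_Manager": ["AP_Clerk", "AP_Approver"],   # conflicts by itself, see below
    "Auditor": [],
}
# Each constraint: (mutually exclusive role set, max number of them one user may hold).
STATIC_SOD = [({"AP_Clerk", "AP_Approver"}, 1), ({"AP_Manager", "Auditor"}, 1)]
# Dynamic SoD: both roles may be held, but never active in the same session.
DYNAMIC_SOD = [({"AP_Clerk", "Auditor"}, 1)]
USER_ROLES = {
    "alice": {"AP_Clerk", "Auditor"},      # fine statically, restricted per session
    "bob": {"AP_Clerk", "AP_Approver"},    # direct static violation
    "carol": {"AP_Manager"},               # violation purely through inheritance
}

def authorized_roles(role, hierarchy):
    """Transitive closure: the role plus every junior it inherits."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, []))
    return seen

def closure(roles, hierarchy):
    return set().union(*(authorized_roles(r, hierarchy) for r in roles))

def violations(held, constraints):
    """Exclusive sets of which more roles are present than the limit allows."""
    return [tuple(sorted(held & ex)) for ex, limit in constraints if len(held & ex) > limit]

def static_violations(user_roles, hierarchy, constraints):
    """Users in a disallowed combination of roles, counting inherited roles."""
    return [(u, v) for u, r in user_roles.items()
            for v in violations(closure(r, hierarchy), constraints)]

def inevitable_conflicts(hierarchy, constraints):
    """Configuration problem: a role whose own juniors already violate a
    constraint, so every member of it is in conflict regardless of other roles."""
    return [(role, v) for role in hierarchy
            for v in violations(authorized_roles(role, hierarchy), constraints)]

def session_violations(active, hierarchy, constraints):
    """Dynamic SoD, evaluated against the roles activated in one session."""
    return violations(closure(active, hierarchy), constraints)
```

The output lists the users and the exact roles in conflict, which is the detail the slide says the product surfaces; the inevitable-conflict check is what tells a modeler that AP_Manager, not any particular user, is the thing to fix.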
24. Role-Based Access Control
RBAC Administration Lifecycles: Attestation (tactical); Request Based (mid range); IdM Integrated (strategic)
[Diagram: the role lifecycle with the actors HR, Business Owner, Info. Sec., Role Approver and IT around the RBAC role set, with an Audit Review]
Triggers: A re-org, new data such as org type, physical location, job title, cost center, or the retirement of any of these…; A new application or system, a new group is added, a group or system is consolidated or retired
Roles are analyzed, changes are proposed, and a draft is circulated
Roles are published and ready for use
26. RaPM
Role Lifecycle Manager
Business Process Manager
Approval request sent to Role Owner(s)
Attach Role Reports to Approval request for more details
27. Real World Role Automation
[Diagram: HR, Role and Policy Modeler, Role Profile, Roles, Identity Management and User Accounts, contrasting Automatic Permission Assignment with Manual Permission Assignment by Security Administration]
Relationship between RBAC and Identity Provisioning - Mature Integration
28. RaPM
RaPM: Export Project
Generates XML containing:
Roles
Separation of Duty constraints
User to Role assignments (optional)
Immediately consumable by ITIM Load utility
29. RaPM
RaPM: ITIM Load
Utility to load exported Roles/SODs/User-to-Role assignments
Preview option shows number of:
New or Modified Roles
Modified Hierarchies
New or Modified Separation of Duty Constraints
User-to-Role assignments to be added or deleted
30. Role and Policy Modeler Highlights
Role Management capabilities are integral to the Security Identity Manager
Integrated built-in functionality in one package, rather than 2 or 3 from competitors. Costs less than comparable solutions in the market.
Integration and automation provide immediately effective operations
Simple and yet sophisticated role modeling helps accelerate results
Business-user centric Web UI ensures faster adoption and easy to deploy. Powerful, built-in analytics guide role analyst in generating a timely role structure. IBM’s solid technology and experience with roles built-into a product
Flexibility to adapt to the client-specific IT processes
Handles scale and large access data sources with project based approach. Extensible policy & graphical role model to analyze particular enterprise scenarios. Offer business process automation platform to quickly get stakeholder validation
Ability to drive IAM Governance – beyond role management
Customers can easily deploy and integrate run-time enforcement (entitlement management) with IBM’s Identity and Access Management Governance strategy. Security Intelligence: Identity Analytics in role modeling provide valuable business insight, helping customers achieve the next level of security alignment with the business
32. Summing up
Role Based Access Management improves compliance postures and reduces cost of administration in an evolving IT environment,…
… but there are still challenges achieving this goal
[Diagram: the traditional role modeling process: Face to face Approvals (Reject / Certify), Face to Face Collect, Written Report, Consult, Manual Data Collect, Spreadsheet, Written Reports, Evaluation, Manual Enforcement]
The traditional solution for Role Modeling generates results that are obsolete by the time they are ready
ABAC, RuBAC, ZBAC …
This is about 60% business process consulting and 40% tool. You need both to be strong to get to the 100%
33. RBAC Change Control and Notification Processes
Foundational processes will allow business to keep organizational structure up to date on systems.
Foundational processes will allow business to keep system entitlements clean and up to date.
After foundational processes are implemented, and RBAC is in place, these processes can be leveraged and integrated with RBAC Management Processes
Editor's notes
Separation of duty ensures that the same user cannot have conflicting roles that would provide them with an unacceptable level of authority. Constraints can be applied to user/role assignments (static constraints), to session/role assignments (dynamic constraints), or to role hierarchies.
To conclude, I would like to summarize that IBM has shown leadership in the RBAC space for a long time. We have made these role management capabilities available in an integrated solution for Identity Management. And we have targeted our delivery of strong functionality to what enterprises need today. Our IAM Governance strategy and vision also encompasses a broader perspective that goes beyond role management. While we are completing this vision with role modeling and lifecycle management, we are also well prepared to make the next evolutionary step into identity analytics. Thanks for your time and attention. I would like to answer any questions you may have.
Win deal
Arla Foods: Originally acquired TIM to have a handle over the 10+% of orphan accounts in their SAP applications that cause them to fail ISO 17799 audit. MN Security helped them reduce the number of roles by 95% using TIM's SOD, certification, approval workflow, and UP. 50% reduction in service desk calls.
GameStop - game retailer with 3000 employees. Got TIM because it was failing audits due to churn and lack of access tracking. Orphan accounts, obsolete accounts. They needed to understand their access and clean it.
CommonWealth Bank (Australia) - TIM 4.6 customer that bought Sailpoint, and then changed by Sun RM because TIM did not cover roles. Now wants to get TIM 5.1. (48K users, 125 apps)