Crossideas Segregation of Duty Approach
1. CrossIdeas: IDEAS for Identity & Access Governance. Our unique SOD (Segregation of Duties) approach
crossideas.com
2. Company overview
• CrossIdeas is a leading innovator in Identity & Access Governance solutions, enabling organizations to achieve their compliance, audit and risk management goals
• CrossIdeas is the result of the MBO of Engiweb Security, originally founded in 2001, from the Engineering Group, one of the largest SIs in Europe.
• CrossIdeas is the only vendor in the market to offer Access Governance and Entitlement Management on a single platform
• 90 customers in Energy, Banking, Manufacturing, Public Administration and Law Enforcement
• Key clients are ENEL (Energy), Piaggio (Manufacturing), Italian Tax Enforcement Police (Govt), Italian Health Care Ministry, Regione Veneto, Ministry of Internal Affairs
3. IDEAS Capabilities
• IDEAS addresses all areas of Audit and Access Compliance
• IDEAS is "IAM agnostic", integrating with your existing Identity Management layer
• IDEAS offers Entitlement Server Management capability as part of the IAG platform (unique in the market)
(Capability diagram labels: Identity & Access Governance; Reporting; Certification and Risk Intelligence; Authorization Workflow; Role Life Cycle; Segregation of Duties; Role Mining; Entitlement Management; Compliance Control for SAP; Compliant User Provisioning; Application Processing; SOA; SPML; Connectivity; Connectors; Integration)
4. IDEAS Segregation of Duties: Key Strengths
• Both detection and prevention of SoD conflicts
• Centralized SoD policies enforced across the whole enterprise
• Real-time SoD checks for all new authorizations
• Automatic assignment of compensating controls
• Business-oriented SoD model simplifies administration
• Platform-independent model supports heterogeneous environments
• Native support for SAP roles and authorization objects
• Data-domain concept reduces false-positive SoD conflicts
• “Dry-run” feature tests changes to SoD policies before deploying to
production
5. IDEAS covers SOD as part of the full Access Lifecycle
(Diagram: IDEAS Core, holding Identity, Access, Policies, Events and Audit Life-Cycle, surrounded by Access Governance, Segregation of Duties, Identity Intelligence, SAP Risk Compliance, Reporting & Dashboards, Access Certification, Roles, Entitlements, Access Request Workflow, Role Mining, Compliant User Provisioning, Entitlement Server and Entitlement Management)
7. Business-Oriented SoD Model
The business-oriented SoD model is easily managed by business specialists.
• Business processes are broken down into "activities"
• SoD rules define conflicts among these activities
(Diagram activities: Purchase Order Creation; Purchase Order Approval; Receive Supplier Shipment; Verify Supplier Shipment)
Example: Purchase Order Creation conflicts with Purchase Order Approval and 2 other activities.
8. Business-Oriented SoD Model
Business and IT aspects of the SoD rules can be managed independently:
• Business specialists define processes and conflicting activities.
• IT specialists map activities to technical permissions.
(Diagram: Process → Activity 1, Activity 2, Activity 3 → Permissions → Applications; business specialists own the process and activity layers, IT specialists the permission and application layers)
✓ This reduces management overhead and improves scalability.
9. SoD Demo – Activities and Conflicts
(Screenshot callouts: associate conflicting activities; conflicting activities)
Navigate the activity hierarchy and select an activity to inspect it.
Business specialists manage this part.
10. SoD Demo – Activities and Permissions
(Screenshot callouts: associate profiles; associated permissions)
IT specialists manage this part.
12. SoD Demo – SoD Detection
5 different SoD analyses, typically run nightly, or on demand.
A full scan of users and roles detects existing SoD risks.
13. SoD Demo – SoD Detection
(Screenshot callouts: SoD conflict details for a specific user; users with SoD conflicts listed here)
Full details of detected SoD conflicts facilitate analysis and remediation.
15. SoD Demo – Compensating Controls
A pair of conflicting activities can have one or
more associated “compensating controls”.
• The compensating control allows the conflicting
activities to be safely assigned to a user.
• IDEAS SoD automatically requires that at least one
of the compensating controls be assigned.
16. SoD Demo – Defining a Compensating Control
Pre-define compensating controls, such as periodic reviews, or automated or manual checks.
17. SoD Demo – Associating a Compensating Control
(Screenshot callouts: select activity; select conflicting activity; list of suitable compensating controls; add more suitable compensating controls here)
Associate one or more suitable compensating controls with each pair of conflicting activities.
19. SoD Demo – Real-time SoD Prevention
IDEAS automatically identifies SoD conflicts in real time when they arise in the access request workflow:
• Displays the conflict details
• Automatically proposes appropriate compensating controls according to the conflict or risk level
• Workflow for escalation and compensation is very flexible and configurable.
20. SoD Demo – Workflow Example
We will demo real-time SoD prevention using this workflow example:
Informal Request (User or Manager) → Request formalization (Application Manager) → Risk Analysis (Risk Officer) → Approval (Business Process Owner)
• Informal Request: the User or Manager enters the request in free text. No technical knowledge required.
• Request formalization: the Application Manager translates the request into specific roles. SoD detection happens here.
• Risk Analysis: if there is a conflict, the Risk Officer reviews the authorization request and assigns a specific risk-mitigating control.
• Approval: the Business Process Owner approves or denies the request.
21. SoD Demo – Informal Access Request
(Screenshot callouts: UI skinnable with company branding; role-based menu; self-service functions; enter "informal" access request here in free text)
The User or Manager makes an access request in simple text; no technical application knowledge is required.
22. SoD Demo – Informal Access Request
(Screenshot callout: conflict details here)
The SoD conflict is detected as soon as the access request is formalized.
23. SoD Demo – Risk Analysis
(Screenshot callouts: select compensating control; approve SoD conflict with compensating control)
The SoD conflict is escalated to the Risk Officer for analysis and compensation.
25. SoD Demo – SoD Domains
Without the SoD Domain concept, this example would generate a false-positive SoD conflict: Create purchase order ⊗ Approve purchase order.
SoD Domains separate independent business units: "Order office materials" belongs to the Corporate Services Domain, "Approve generator order" to the Operations Domain. No conflict!
• SoD conflicts do not cross domains.
• SoD Domains reduce false-positive SoD conflicts.
SoD conflicts require follow-up analysis by a person, so too many false-positive results are time-consuming and wasteful. If false positives are too common, then the system cannot be considered reliable.
26. SoD Demo – SoD Domains
Domains are easy to define because they typically correspond to groups of applications.
(Screenshot callouts: these are the defined domains; a domain is defined as a set of applications that manage the data in the domain)
27. SoD Demo – SoD Domains
(Screenshot callout: this is the domain)
SoD conflicts are always within a single domain.
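The mechanics behind slides 7 through 27 (activities mapped to technical permissions, SoD rules as conflicting activity pairs, compensating controls that must be assigned before a conflicting pair may be held, and domains that keep a conflict from being raised across business units) can be exercised in a small engine. The following is an added example written for this page, not CrossIdeas or IDEAS code; every application, permission, activity and control name is constructed sample data, and the decision rule in `check_request` (a request is allowed only when each conflict it introduces is already covered by an assigned compensating control) is this example's reading of slides 15 and 19, not a documented product behaviour.

```python
"""Toy segregation-of-duties engine: added example, not CrossIdeas/IDEAS code.

Business specialists own SOD_RULES (conflicting activity pairs and the
compensating controls that may cover each pair). IT specialists own
ACTIVITY_PERMISSIONS (activity -> technical permissions per application).
APP_DOMAIN groups applications into SoD domains; a conflict only counts when
a user can perform both activities inside the same domain.
All identifiers below are hypothetical sample data.
"""
from dataclasses import dataclass
from itertools import combinations

SOD_RULES = {
    frozenset({"Purchase Order Creation", "Purchase Order Approval"}):
        ["Monthly PO sample review by Finance"],
    frozenset({"Purchase Order Creation", "Receive Supplier Shipment"}):
        [],  # no compensating control defined: this pair can never be held together
    frozenset({"Purchase Order Creation", "Verify Supplier Shipment"}):
        ["Four-eyes check on shipment verification"],
}

ACTIVITY_PERMISSIONS = {
    "Purchase Order Creation": {("ERP-CorpServices", "PO_CREATE"),
                                ("ERP-Operations", "PO_CREATE")},
    "Purchase Order Approval": {("ERP-CorpServices", "PO_RELEASE"),
                                ("ERP-Operations", "PO_RELEASE")},
    "Receive Supplier Shipment": {("WMS", "GOODS_RECEIPT")},
    "Verify Supplier Shipment": {("WMS", "GOODS_VERIFY")},
}

# A domain is the set of applications that manage the data in that domain.
APP_DOMAIN = {
    "ERP-CorpServices": "Corporate Services",
    "ERP-Operations": "Operations",
    "WMS": "Operations",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    domain: str
    activities: frozenset        # the conflicting activity pair
    compensated: bool            # True if an assigned control covers the pair
    available_controls: tuple    # controls the Risk Officer may assign


def activities_by_domain(permissions):
    """Map domain -> activities the given (application, permission) set enables there."""
    out = {}
    for activity, needed in ACTIVITY_PERMISSIONS.items():
        for app, perm in needed:
            if (app, perm) in permissions:
                out.setdefault(APP_DOMAIN[app], set()).add(activity)
    return out


def detect_conflicts(user, permissions, assigned_controls=()):
    """Detection (the nightly full scan): every rule the user violates within one domain."""
    found = []
    for domain, activities in sorted(activities_by_domain(permissions).items()):
        for a, b in combinations(sorted(activities), 2):
            pair = frozenset({a, b})
            if pair not in SOD_RULES:
                continue  # no rule, or the pair spans two domains and was never grouped
            controls = tuple(SOD_RULES[pair])
            found.append(Conflict(user, domain, pair,
                                  compensated=any(c in assigned_controls for c in controls),
                                  available_controls=controls))
    return found


def check_request(user, current, requested, assigned_controls=()):
    """Prevention (real-time check at request formalization).

    Returns (allowed, new_conflicts): the conflicts that granting `requested`
    would introduce on top of `current`. The request is allowed only when each
    new conflict is already covered by an assigned compensating control.
    """
    before = set(detect_conflicts(user, current, assigned_controls))
    after = detect_conflicts(user, set(current) | set(requested), assigned_controls)
    new_conflicts = [c for c in after if c not in before]
    return all(c.compensated for c in new_conflicts), new_conflicts


if __name__ == "__main__":
    # The deck's domain example: creating in Corporate Services and approving in
    # Operations is not a conflict, because SoD conflicts never cross domains.
    alice = {("ERP-CorpServices", "PO_CREATE"), ("ERP-Operations", "PO_RELEASE")}
    print("alice:", detect_conflicts("alice", alice))  # []
    # Same two activities inside one domain: blocked, unless a control is assigned.
    bob_has = {("ERP-Operations", "PO_CREATE")}
    print(check_request("bob", bob_has, {("ERP-Operations", "PO_RELEASE")}))
    print(check_request("bob", bob_has, {("ERP-Operations", "PO_RELEASE")},
                        assigned_controls=("Monthly PO sample review by Finance",)))
```

Two properties of the model fall out of the code. First, the domain check is not a filter applied after detection: permissions are projected onto activities per domain, so a cross-domain pair never becomes a candidate and never needs a human to dismiss it, which is the false-positive reduction the deck argues for. Second, a pair with an empty control list is a hard block, so the business specialists' choice to define (or not define) a compensating control is what decides whether the Risk Officer can ever approve that combination.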
29. SoD Demo – "Dry-Run" Tests Changes to SoD Rules
SoD "dry-run" tests changes to SoD policies before deploying to production:
• Multiple SoD environments can be created or copied to test alternative sets of SoD rules
• After dry-run testing, changes can be promoted to production
30. SoD Demo – "Dry-Run" with SoD Environments
(Screenshot callouts: create new environment; copy environment; specify which parts of the environment to copy; promote environment to production)
Create as many SoD environments as required to test alternate SoD rule sets. At any time, an environment can be switched into or out of production, so deployment and fallback are predictable.
32. IDEAS SoD: Value and Benefits
• Reduce the risk of fraud, conflicts of interest and human error in business processes
• Detect and remediate existing SoD conflicts, including SAP
• Prevent new SoD conflicts before they arise
• Consolidate SoD controls under business oversight
• Assure a transparent and auditable authorization process
• Promote a clean separation between business-oriented access policies and technical administration
• Promote best-practice processes in change management for SoD rules
33. Any IDEAS?
For more information: Andrea.rossi@crossideas.com, +39 335 1435578