
    Technical White Paper
    COMPLIANCE MANAGEMENT

    www.novell.com

    Integrated Identity, Access and Security Management
    Novell® Compliance Management Platform


    Integrated Identity, Access and Security Management

    Table of Contents

    2 . . . . . Identity, Access and Security: How Do I Manage All of This?
    8 . . . . . Access Management
    9 . . . . . Security Information and Event Management
    12 . . . . . Conclusion

    IT has become the cornerstone of most organizations’ efforts to achieve compliance. With the never-ending requirements to cut costs, maintain business agility and mitigate risk, IT departments are finding ways to automate the enforcement of policies originally developed on paper. To achieve this goal, they are relying on identity and access management (IAM) and security information and event management (SIEM) technologies. IAM products determine users’ identities, and then grant and revoke appropriate access to corporate applications. SIEM software provides an enterprise-wide view of what is being accessed and by whom. In short, IAM defines who should have access to corporate resources, and SIEM identifies who is accessing corporate resources. Both are integral components of policy and regulatory compliance.

    Compliance continues to be the main business driver for deploying identity and access management solutions. In fact, IDC expects the identity and access management market alone to reach US$5 billion by 2011 as companies attempt to make sustainable compliance a reality.† But why? The answer, as it turns out, is a simple matter of communication.

    † IDC, “Worldwide Identity and Access Management 2008–2012 Forecast and 2007 Vendor Shares.” Sally Hudson, August 2008

    Modern IAM products are extremely adept at validating identities, provisioning resources and enforcing access roles. SIEM solutions do an excellent job of aggregating security data from across the enterprise; however, in most cases, these two technologies are not very good at talking to each other. What exists in most organizations is two information silos—one that holds IAM policies (who gets access to corporate applications) and another that contains security data (who is accessing corporate applications).

    Bridging the gap between identity and security, the Novell® Compliance Management Platform provides a real-time, holistic view of the enterprise and its compliance posture. The platform cross-validates identity, access and policy information in real time, so the business always knows who is accessing what, when they are doing it and if they are authorized. In turn, if situations arise that are out of the norm, the platform takes appropriate action in real time, including sending simple notifications, initiating full remediation (e.g., revoking user access) or both. The actual “remedy” for the violation is determined by the policy of the organization and how it wants to manage a given situation.

    By combining user provisioning, access control and security monitoring, the Novell Compliance Management Platform delivers business process automation that gives users the appropriate resources, validated in real time, to ensure compliance with company policies. This eliminates the gaps that have left so many companies at risk. Rather than a piecemeal solution made up of complex (and expensive) product silos, Compliance Management Platform delivers an enterprise-wide view and enforcement of policy as defined by corporate governance.

    Identity, Access and Security: How Do I Manage All of This?


    Who has access to what? Why? Who granted that access? When was the access granted? These are just a few standard questions posed to IT administrators and security personnel during any audit process. Identity management is intended to resolve the complexities of provisioning, automate the process and electronically maintain the policies that determine how users are provisioned to resources. As the cornerstone of the Novell Compliance Management Platform, Novell Identity Manager addresses the complexities of provisioning. Identity Manager has a real-time component that’s unique in the industry—it automates provisioning processes in real time, ensuring that as changes occur throughout the enterprise, those changes are synchronized across the authoritative sources that house identity data. The result: systems consistently and correctly provision access to corporate resources.

    Business Policies and Processes

    Figure 1. Real-time enterprise visibility and compliance management


    Figure 2. Novell Identity Manager high-level architecture

    Figure 3. Novell Identity Manager high-level architecture with a focus on Identity Manager components


    The Components of an Identity Infrastructure

    One of the most critical components of an identity management deployment is the ability to connect to the disparate identity stores throughout the enterprise. To achieve this, you need a robust policy definition engine that can be easily configured to stringently maintain the integrity of identities and their attributes, yet can be flexible enough to match the nuances of company policy.

    The Identity Vault and Integration Modules

    At the center of Novell Identity Manager is the Identity Vault, which maintains all of the rules, roles and workflow request definitions that determine how users are provisioned to applications through the enterprise. The core of this technology is an industry-unique event bus, patented replication technology and rich ACL support for ease of management and execution. The event bus allows for distributed management and authoritative control while providing centralized governance of policy and process.

    Each application is connected by an Identity Manager Integration Module which allows bi-directional communication between the Identity Vault and the remote identity store (see Figure 4). The Integration Module consists of the policies that determine the management of user accounts on the target system as well as various entitlements (e.g., group memberships). Managing the data flow from the remote identity store to the Identity Vault and the various attributes of the user throughout the systems ensures that only the proper sources can initiate a provisioning activity, and that the proper systems maintain authority over the user attributes (see Figure 2).

    An HR system, such as one built on SAP* software, stores basic employee information, and therefore generally acts as the authoritative source for initiating the provisioning process. Since the HR department is usually responsible for knowing when a new user is hired and when existing users change (move departments, physical location, etc.) or leave the organization, the HR system becomes the default source for basic provisioning actions.

    As users are provisioned to corporate resources, additional information is appended to their identity. For example, when a user’s e-mail account is created, a new component of their identity—Internet e-mail address—is added to their identity profile. This additional piece of information would most likely be shared with the HR system. However, a challenge of bi-directionally synchronizing identity data stores is maintaining authority for each individual attribute so that a non-authoritative source cannot inadvertently update the identity. What if this shared data is modified by an HR employee in SAP? Having this bad data propagated to the e-mail system could cause a serious issue. Similarly, if a directory administrator changed the user’s department—which was stored in the corporate directory—this change would propagate the data back to the HR system, causing more problems.

    These problems can be avoided. Through a policy on each connected system, Novell Identity Manager allows administrators to define which systems are authoritative for each shared attribute, and to react when an attribute is changed. When identity attributes are changed, determining how to handle the change is the job of the Filter Policy. The Filter Policy (shown in Figure 5 on the following page) enforces how the data will be shared. If a non-authoritative source initiates the change, the data is automatically reset back to the value in the Identity Vault, which is populated from the authoritative source.
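To make the attribute-authority rule concrete, here is an added example (not code from the white paper or from Novell Identity Manager) that models such a filter policy in Python. The system names, attribute names and the authority mapping are assumptions; a change from the owning system is stored in the vault and published to the other connected systems, while a change from any other system is answered with a reset to the vault's value.

```python
"""Per-attribute authority filter, modelled after the Filter Policy
described in the text. Constructed illustration; not Novell's DirXML policy
language or Identity Manager code. System names, attribute names and the
authority mapping are assumptions made for the example."""
from dataclasses import dataclass, field

# Connected systems that share identity data through the Identity Vault
# (constructed for the example).
CONNECTED = ("HR", "EMAIL", "DIRECTORY")

# Filter: which connected system is authoritative for each shared attribute.
# Attributes absent from the filter are never synchronized at all.
AUTHORITY = {
    "employeeStatus": "HR",
    "department": "HR",
    "manager": "HR",
    "mail": "EMAIL",   # the e-mail system creates the address, so it owns it
}


@dataclass
class Vault:
    """Identity Vault: the agreed value of every shared attribute per user."""
    users: dict = field(default_factory=dict)


@dataclass
class Decision:
    action: str          # "publish", "reset" or "drop"
    attribute: str
    value: object        # value written out (publish) or pushed back (reset)
    targets: tuple = ()  # systems that receive `value`


def filter_policy(vault, user, source, attribute, new_value):
    """Decide what happens when `source` reports a change to `attribute`."""
    owner = AUTHORITY.get(attribute)
    if owner is None:
        # Not a shared attribute: the filter drops the event silently.
        return Decision("drop", attribute, new_value)
    record = vault.users.setdefault(user, {})
    if source == owner:
        # Authoritative change: store it and fan it out to every other system.
        record[attribute] = new_value
        targets = tuple(s for s in CONNECTED if s != source)
        return Decision("publish", attribute, new_value, targets)
    # Non-authoritative change: push the vault's value back to the source so
    # the stray edit is undone. A None value means the authoritative system
    # has not populated the attribute yet, so the source is cleared.
    return Decision("reset", attribute, record.get(attribute), (source,))


def replay(vault, changes):
    """Apply a sequence of (user, source, attribute, value) changes in order."""
    return [filter_policy(vault, *change) for change in changes]
```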


    The Identity Manager Development Environment

    Novell Identity Manager ships with a set of tools to help administrators simplify the configuration and management of their identity infrastructure. These tools include Designer, Analyzer and the Resource Kit for Identity Manager.

    Designer for Novell Identity Manager is the primary administration tool for creating connections to the various identity stores, defining workflow definitions, roles and all other tasks. Designer is an industry-unique architectural tool for designing, debugging, deploying and documenting the Identity Manager deployment. Designer includes capabilities for provisioning policy creation and simulation, version control for change management, and automated documentation.

    Analyzer for Novell Identity Manager, an extension of the Designer framework, provides tools for completing the analysis, cleansing, reconciliation and reporting of identity-related data throughout the enterprise. One of the most challenging aspects of identity integration is the state of the data in the various identity stores, also known as “dirty data.” Analyzer allows administrators to gather identity attributes from the systems being integrated and to discover anomalies and inconsistencies. This helps pinpoint potential data integrity issues before a live integration.

    The Resource Kit for Novell Identity Manager is a set of components (policies, documentation, best practices and solution deployment guides) that accelerate deployments based on best practices from real-world implementations (see Figure 6). A ready-to-deploy virtual machine provides configuration templates and test cases that can greatly accelerate the time-to-value for your organization. Preconfigured policies can be exported from the virtual machine and imported directly into your production environment. Utilizing predefined and deployment-tested scenarios provides Identity Manager administrators with a launch pad from which to begin the architecture, testing and deployment of the Novell Compliance Management Platform.

    Figure 4. Novell Identity Manager integration module architecture

    Figure 5. Novell Identity Manager filter—enforcing attribute authority

    Figure 6. Components of the Resource Kit for Novell Identity Manager

    Rules, Roles and Requests

    Rules, roles and requests underpin most provisioning deployments, but dependence on any one of these by itself can lead to an ineffective or incomplete provisioning solution. However, the ability to seamlessly intermix the capabilities of rules-, roles- or request-based provisioning enables organizations to use the right methodology for the right job.

    Figure 7. Finding the provisioning sweet spot


    Rules allow users to seamlessly and easily access appropriate applications with automated provisioning, based on predefined criteria. When proper conditions are met, provisioning processes occur automatically.

    However, some business processes require human interaction to provision access. At times, it may be necessary for application owners or managers to approve access to resources. Defining how workflow and approval requests function in provisioning processes is easy with Novell Identity Manager. It includes a graphically driven development environment, which allows administrators to easily define the flow, approvals and audit components of the workflow processes. The same flexibility for defining workflow processes (see Figure 8) is available for defining approval processes. Novell Identity Manager includes the capability of serial, parallel, individual, group and quorum approvals in addition to digital signatures.

    Roles-based provisioning can be very effective when a subsection of users needs similar entitlements to applications. The Roles Based Provisioning Module for Novell Identity Manager allows organizations to define:

    • Roles
    • Segregation of duties (SoD) violations between roles
    • Attestation processes for a user’s identity attributes
    • Possible roles for a particular user
    • Possible roles and members that can be used for validation, certification or recertification

    Novell Identity Manager can provision users based on one or more of these methodologies using a single, intuitive, policy-based engine. By incorporating rules, roles and requests into a common provisioning engine, Identity Manager reduces administrative burden and end-user confusion by eliminating multiple, potentially overlapping or conflicting products, and consolidating multiple product interfaces into one.

    Figure 8. Novell Identity Manager workflow definition

    Access Management

    Granting users access to resources should be automatic and seamless. Identity-enabled access management fulfills this requirement by dynamically provisioning users with access to needed corporate resources. This capability is available through the Novell Compliance Management Platform.

    Under ideal circumstances, access policies are automatically updated as users are provisioned to resources. Once users have been provisioned, the Compliance Management Platform integrates identity management with access management to immediately grant the appropriate rights to resources. However, there are circumstances in which users attempt to access resources that fall outside of their defined roles. When this happens, the user generally receives a very IT-centric “access denied” error message and is left wondering what to do next. By integrating access management with identity management, the Novell Compliance Management Platform removes the guesswork for the user.

    The following scenario depicts the ability of Novell Compliance Management Platform to integrate identity and access management.


    Josh, an employee in the finance department, has been provisioned to basic corporate applications and some financial applications. In the course of his daily work activities, Josh attempts to access the accounts payable system. As defined in Novell Access Manager™ policy, Josh is a finance employee and, based on his role, does not have the appropriate rights to access this system. So, when Josh attempts to access the resource, he is presented with an “access denied” message. However, since Access Manager understands the identity context of Josh’s request, it delivers the necessary instructions for being provisioned to the system. By clicking the link within the message, Access Manager seamlessly links Josh to the Identity Manager request tool, where he can request approval to access the accounts payable system from his manager and the system owner.

    Figure 9. Novell Identity and Access Management integration

    If Allison, a marketing employee, attempts to access the same accounts payable resource, Novell Access Manager determines that she is not in the finance department and, therefore, should not have access. Instead of the typical “access denied” message, Allison is informed that, based on her role in the marketing department, she cannot access this resource.

    Figure 11. Novell Identity and Access Management integration

    Security Information and Event Management

    Performing IT audits and meeting standards and regulatory requirements is now a fact of life for most enterprises. In fact, organizations are spending significant time and energy scrutinizing their security and event logs to track which systems have been accessed by whom, what activity took place and whether it was appropriate. Organizations are increasingly looking towards data-driven automation to help ease the burden. As a result, the SIEM category has taken shape and provided focused solutions to the problem.

    SIEM automates the analysis process of security, network and applications logs. When coupled with identity and access management, a SIEM solution provides the ability to link system access to individual users. According to most of today’s regulations, tracking and reviewing access is a primary audit requirement, especially concerning access granted with administrative privileges.

    The combination of these two technologies—identity and access management and SIEM—provides a framework that enables business policies to drive IT policy, and to deliver the evidence needed to demonstrate compliance with internal policies, industry standards and government regulations—including Sarbanes-Oxley, PCI DSS, HIPAA, GLBA, FISMA and others.

    Figure 10. Novell Identity and Access Management integration

    The following is an example of how the IAM and SIEM integration works:

    1. Security events are gathered from applications and systems spread across the enterprise. Analysis and correlation of events occurs in the iScale™ Message Bus for potential policy violations and is then stored in a central data repository for historical analysis.

    2. As security events are identified in the various applications, network devices and other stores, Novell Identity Manager provides identity context, inserting user-specific information into the security events.

    3. Operational events are collected and stored in Novell Identity Manager, Novell Access Manager and the Identity Vault.

    4. All events are analyzed. If event correlation detects suspicious activities or a policy violation, the system triggers remediation activities to protect the organization from the potential security threat. This can take the form of provisioning activities or approval workflow processes automated by Novell Identity Manager.

    Figure 12. Integration between IAM and SIEM capabilities

    By mapping security information to identity profiles, Novell Compliance Management Platform enables organizations to improve the identification and investigation of security breaches. Without this integration, if a user attempted to access a sensitive customer database by overriding security protocols, database administrators would only know that someone tried to break in. With identity-enabled security information, those same administrators could refer to an easy-to-read, real-time dashboard showing who attempted the security breach, what else he or she has been doing recently and what other accounts that user has across the enterprise. This clear graphical overview of identity and security throughout the organization enables administrators to make sense of mountains of security data, identifying legitimate threats while eliminating false positives.

    Identity management systems can identify which users are provisioned to which applications. But are those employees actually using the applications? That’s a question that can only be answered when identity management and security management are integrated—as they are with Novell Compliance Management Platform. Administrators gain an additional level of inspection and validation—they get visibility into not only which users have access to corporate applications, but also how often those employees log in to and use those applications. Tracking application usage is an excellent way to gauge whether corporate policies and role definitions actually line up with day-to-day operations.

    Providing identity context to security events significantly enhances the ability to act on security data. For example, using the identity data provided by the Identity Manager Integration Module for Novell Sentinel™, administrators can review user-specific security records that provide real-time and historical identity information.

    Figures 13a and 13b. Identity-enriched Security Data

    The automation of identity-driven policy and process together with the continuous monitoring of the IT environment allows for immediate notification of out-of-policy or non-compliant behavior. Further, being able to correlate device-based event logs with the activities of individual users allows administrators to take action in a timely manner.


    To illustrate, take the example of an IT administrator who provisions an employee with access to the accounts receivable invoicing system. Security personnel soon detect that, unbeknownst to the IT department, the employee is attempting to generate payments, a clear violation of the segregation of duties policy. The ability to correlate the authorization attempts in the context of the user’s identity provides the information needed to manage the risk. Once risks are uncovered, organizations can remediate the problem based on policies and processes. The actual “remedy” can range from a simple notification to the appropriate individuals alerting them of the violation, to removing a user’s access rights to all systems. Tightly coupling identity and access management and SIEM capabilities makes a range of responses possible. Turning to a more proactive approach, imagine the same user is attempting to access an application to complete a job assignment. However, this time the system requires approval, which has not been granted. The integration of security events and identity information automates the interpretation of the user and his or her identity profile, and then enables the user to request access. This represents a much more user-friendly, proactive approach, instead of merely telling users they’ve been denied access.
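The four IAM/SIEM integration steps listed earlier and the invoicing/payments scenario above, as an added example in Python that is not Sentinel, iScale or Identity Manager code. The log format, account names, entitlements and the SoD rule are constructed assumptions; raw events are parsed, given identity context from a vault extract, and correlated against a segregation-of-duties rule, with each finding carrying the remedy a policy would select.

```python
"""Identity-enriched event correlation with a segregation-of-duties check.
Constructed illustration of the integration steps and the invoicing/payments
scenario; not Novell Sentinel, iScale or Identity Manager code. The log
format, account mappings, entitlements and SoD rule are all made up."""
import re

# Identity Vault extract (constructed). Raw events only carry the account
# name on one system; the vault ties accounts to people and entitlements.
IDENTITY_VAULT = {
    "josh": {"department": "Finance", "entitlements": {"AR_INVOICING"}},
    "allison": {"department": "Marketing", "entitlements": set()},
}
ACCOUNT_MAP = {  # (connected system, account on that system) -> identity
    ("arapp", "jsmith"): "josh",
    ("payapp", "smithj"): "josh",
    ("payapp", "allison.k"): "allison",
}

# SoD policy: a holder of the entitlement must never perform the action
# (constructed rule mirroring the accounts receivable vs. payments example).
SOD_RULES = [("AR_INVOICING", "payment.create")]

# Constructed sample log lines as step 1 would collect them.
RAW_EVENTS = [
    "2009-02-10T09:01:02 arapp user=jsmith action=invoice.create result=success",
    "2009-02-10T09:05:44 payapp user=smithj action=payment.create result=denied",
    "2009-02-10T09:06:10 payapp user=smithj action=payment.create result=success",
    "2009-02-10T09:07:30 payapp user=allison.k action=payment.view result=denied",
    "2009-02-10T09:08:00 payapp user=ghost action=payment.view result=success",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\w+) user=(?P<account>[\w.]+) "
    r"action=(?P<action>[\w.]+) result=(?P<result>\w+)$")

def parse_event(line):
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def enrich(event):
    """Step 2: attach identity context to an account-centric event."""
    who = ACCOUNT_MAP.get((event["system"], event["account"]))
    enriched = dict(event, identity=who)
    if who is not None:
        enriched.update(IDENTITY_VAULT[who])
    return enriched

def finding(event, reason, remedy):
    return {"identity": event["identity"], "system": event["system"],
            "action": event["action"], "reason": reason, "remedy": remedy}

def correlate(events):
    """Step 4: evaluate policy over enriched events and pick a remedy label
    that a downstream provisioning or approval workflow would act on."""
    findings = []
    for e in events:
        if e["identity"] is None:
            # Account with no owner in the vault: cannot be attributed.
            findings.append(finding(e, "orphan account", "notify"))
            continue
        sod = [r for r in SOD_RULES
               if r[0] in e["entitlements"] and e["action"] == r[1]]
        if sod:
            # The attempt alone is a violation; a successful action escalates
            # to revoking the entitlement, a blocked one to notification.
            remedy = "revoke" if e["result"] == "success" else "notify"
            findings.append(finding(e, "SoD violation: %s" % sod[0][0], remedy))
        elif e["result"] == "denied":
            # Outside the user's role: route them to an access request
            # instead of leaving them with a bare "access denied".
            findings.append(finding(e, "denied outside role", "offer_access_request"))
    return findings

def run(lines):
    parsed = (parse_event(l) for l in lines)
    return correlate(enrich(p) for p in parsed if p is not None)
```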

    Conclusion

    Companies around the world continue to struggle with issues of policy compliance. Security and business policy violations continue to multiply and evolve, even as spending increases—leaving many organizations with a feeling that they have little recourse but to spend more. That’s what makes Novell Compliance Management Platform different from other piecemeal offerings. By blending its award-winning identity, access and security management technology, Novell has delivered the ultimate governance solution: a platform that provides a real-time, holistic view of the enterprise to mitigate the risk posed by internal and external threats, and ultimately, to ensure an organization’s image, brand and reputation are safe.

    Novell expertise in compliance-related solutions is second to none. The company is not only an established leader in identity and security management, but is also a solution provider to thousands of organizations around the globe. That deployment experience allows Novell to go beyond just installing a patchwork of products. Novell Compliance Management Platform combines powerful technology with preconfigured policies and documented best practices to provide a comprehensive approach to policy compliance—plus the most impressive return on investment available anywhere.


    www.novell.com

    Contact your local Novell Solutions Provider, or call Novell at:

    1 800 714 3400 U.S./Canada
    1 801 861 1349 Worldwide
    1 801 861 8473 Facsimile

    Novell, Inc., 404 Wyman Street, Waltham, MA 02451 USA

    462-002107-001 | 02/09 | © 2009 Novell, Inc. All rights reserved. Novell, the Novell logo and the N logo are registered trademarks, and Access Manager, iScale, iTrac and Sentinel are trademarks of Novell, Inc. in the United States and other countries.

    *All third-party trademarks are the property of their respective owners.
