A presentation on RBAC


BPM Center of Excellence

Role Discovery and RBAC Design
A Case Study with IBM RaPM
Alex Ivkin, Prolifics
Grey Thrasher, IBM
March 3, 2012

Agenda

Alex Ivkin, CISSP
Practice Director, Security Line of Business, Prolifics

Grey Thrasher
Senior Software Engineer, L2 Technical Team Lead, IBM SWG Client Support Software

Prolifics at a Glance

Who Are We?
A corporate group of 1200 employees worldwide specializing in the expert delivery of end-to-end IBM solutions
Offices: New York, Boston, Philadelphia, Washington DC, Orlando, San Francisco, London, Hamburg
Off-Shore Development Center: Hyderabad, India
Application Testing: Santa Clara, CA USA
Over 30 years in business, Prolifics is an end-to-end systems integrator specializing in IBM technologies

Solution Leadership
Serviced over 1600 IBM software accounts in the past 11 years
Prolifics boasts over 110 security certifications for architecture, development and administration
IBM Tivoli AAA Accredited: first for Security worldwide
IBM Cloud Certification: first of 5 partners
Authorized for SVP in 5 industry capabilities: first in Utilities
Also in SOA, Information Management and BPM solutions and appliances for Business Process Management and Integration

Stability, Longevity & Growth

Business challenges
Difficulty in the business understanding of security information, causing a rubber-stamp process, or simply too much data for the business to sort through
Challenges in the quarterly attestation cycle
Challenges for supervisory personnel understanding how "least privilege" works in their business unit
Onboarding (new hire user adds) requests requiring additional time and effort because access requests are submitted on a case-by-case basis using individual forms
Challenges in managing the access of persons who transfer between jobs, creating complex modification requests for access on a case-by-case basis
Risk due to inappropriate access, which could be misuse or simply audit findings: this is due to mirrored access (make John's access look like Mary's) that may grant too much permission, or to job transfers where old access is not removed properly

Role Based Access Control
RBAC is a methodology to align security entitlements to persons through an abstraction of organizational responsibilities, using job function and relationship to the organization. The idea is to use roles to represent common access rights for users as sets of privileges on different systems.

Before / After
Before: direct access assignments today are complex, difficult to track and change when needed
After: Role Based Access Control (RBAC) offers an effective operational model to drive IAM governance
Simplify roles and access assignments
Ability to handle growth and scale
Facilitate accountability and compliance

Business Benefits of RBAC
Reduce risk by ensuring people are limited to the required access dictated by their job function
Reduce dormant time for new hires during onboarding because their well-defined access can be instantiated automatically
Simplify the attestation and audit process by reviewing privileges that are exceptions to the roles instead of reviewing every entitlement
Increase accuracy in the attestation process due to an easier-to-understand business interface to information security data
Simplify the cross-boarding process and reduce the risk of personnel dragging inappropriate entitlements to their new job function
Address compliance requirements through the inherent linkage to organizational definitions of least privilege and separation of duty

Reality check
How many companies want to do RBAC?
How many companies are doing RBAC?
How many companies successfully completed RBAC in 2011?

Our study showed:
97% of IdM customers in 2011 agreed that Role Based Access Control is a solid approach to tackle problems of compliance and security control
A third had engaged in RBAC design and implementation, internally and externally
Less than a tenth achieved the goals

Why?

Challenges
Time consuming
Correlating massive data
High skill required
Not business-user friendly
Inaccurate results
Requires business change (the 60/40 mix)
Requires proper tooling: an Identity and Access Management platform, a modeling tool, a role life-cycle tool
Requires understanding, communication and motivation
It's a process, not a state

How it is done (the secret recipe)
Strong business processes
Clever technical instrumentation
Effective review procedures
Tight enforcement and integration

Introducing Role and Policy Modeler

[Architecture diagram: Business View on one side, Technical View on the other, Role and Policy Modeler in between]
Business View: Lines of Business; CIO, CSO, Compliance Officers, Business Owners
Business-side inputs and outputs: Governance Goals, Scope, Business Policies, Interview data, Approvals/certification, Risk Analysis, Collaboration, Compliance Reports
Technical View: IT Management; IT Systems and Applications Owners
Technical-side inputs and outputs: Resources, Identities, Entitlements, Roles and policies, Modeling Tools, Role and Policy Templates, Reports
Flows labelled VALIDATE (ISIM (ITIM)) and DEPLOY (TSPM, Enterprise Systems)
Highlights: In-depth report, Intuitive UI, Extensible Data Layer, Exceptional Analytics


Organizational Structure to Roles and Policies
Operational structures to roles
Business structures to roles

Questions to answer for input into interviews
What are the organizational structures? What is the structure for the subset of the organization?
What are the job functions of the organizations? Who owns review?
Which roles should persons not have at the same time?
What are the applications and application scenarios? For example, CRM transactions: Change Client Profile (preferences), Change Name, Change Payment Method, Change Credit Limit

Questions to answer to develop roles based on interview output
What attributes of the organization correlate to application scenarios (the business abstraction of a permission, i.e. a business role)?
To create a quality membership selection for a role, for a job code, department, set of departments (or other key attribute), which application scenarios are in common? What is the percentage of overlap?
Percentage of people with the key attribute who also currently have the permission?
Percentage of people without the key attribute who have the permission?
Percentage of people with the key attribute currently without the permission assignment?
For a role I created, percentage of people who are members of this role?
Percentage of people who are not members of this role who also currently have the permission because of some other role or an out-of-role assignment?
For a set of users, percentage of people who have a permission because of a role assignment?
Percentage of people who have the permission because of an out-of-role assignment?
Suggest roles
SoD: will a new role, or a change to a role, create SoD exceptions?
Metrics in the answers to combine, split, and reuse existing roles
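The percentage questions above are the core of role mining from interview output. The Python below is an added example, not code from the presentation or from IBM RaPM: it computes those overlap metrics and a role suggestion with its exceptions over a constructed set of users, HR attributes and CRM permissions. The users, attribute names and permission names are constructed sample data, and the 50% threshold for "in common" is an arbitrary choice.

```python
"""Role-mining overlap metrics over a small constructed identity dataset.

Added example (not code from the presentation or from IBM RaPM). The user
records, attributes and permissions are constructed sample data; the metric
names follow the questions on the slide.
"""
from collections import defaultdict

# Constructed sample: user -> (HR attributes, set of permissions currently held)
USERS = {
    "u1": ({"job_code": "TELLER", "dept": "BRANCH"}, {"CRM:ChangeClientProfile", "CRM:ChangeName"}),
    "u2": ({"job_code": "TELLER", "dept": "BRANCH"}, {"CRM:ChangeClientProfile", "CRM:ChangeName", "CRM:ChangeCreditLimit"}),
    "u3": ({"job_code": "TELLER", "dept": "BRANCH"}, {"CRM:ChangeClientProfile"}),
    "u4": ({"job_code": "TELLER", "dept": "CALLCENTER"}, {"CRM:ChangeClientProfile", "CRM:ChangeName"}),
    "u5": ({"job_code": "ANALYST", "dept": "RISK"}, {"CRM:ChangeCreditLimit"}),
    "u6": ({"job_code": "ANALYST", "dept": "RISK"}, {"CRM:ChangeCreditLimit", "CRM:ChangeName"}),
}


def select(attr, value):
    """Users whose key attribute has the given value: the candidate role membership."""
    return {u for u, (attrs, _) in USERS.items() if attrs.get(attr) == value}


def holders(permission):
    """Users who currently hold the permission, by whatever path."""
    return {u for u, (_, perms) in USERS.items() if permission in perms}


def common_permissions(members, threshold=0.5):
    """Permissions held by at least `threshold` of the members, with their overlap ratio."""
    counts = defaultdict(int)
    for u in members:
        for p in USERS[u][1]:
            counts[p] += 1
    n = len(members)
    return {p: c / n for p, c in counts.items() if n and c / n >= threshold}


def overlap_metrics(attr, value, permission):
    """The three percentages asked on the slide, as fractions between 0 and 1."""
    members = select(attr, value)
    non_members = set(USERS) - members
    has = holders(permission)
    return {
        # with the key attribute and holding the permission
        "with_key_with_perm": len(members & has) / len(members) if members else 0.0,
        # without the key attribute but holding it: over-assignment / out-of-role access
        "without_key_with_perm": len(non_members & has) / len(non_members) if non_members else 0.0,
        # with the key attribute but lacking it: under-assignment
        "with_key_without_perm": len(members - has) / len(members) if members else 0.0,
    }


def suggest_role(attr, value, threshold=0.5):
    """Propose a role for the key attribute: the permissions most members share, plus
    the exceptions a reviewer looks at (members lacking them, non-members holding them)."""
    members = select(attr, value)
    perms = common_permissions(members, threshold)
    exceptions = {}
    for p in perms:
        has = holders(p)
        exceptions[p] = {
            "members_missing": sorted(members - has),
            "non_members_holding": sorted(has - members),
        }
    return {"members": sorted(members), "permissions": sorted(perms), "exceptions": exceptions}


if __name__ == "__main__":
    print(overlap_metrics("job_code", "TELLER", "CRM:ChangeName"))
    print(suggest_role("job_code", "TELLER"))
```

On this sample the TELLER job code yields a role with CRM:ChangeClientProfile and CRM:ChangeName; CRM:ChangeCreditLimit is held by only one teller and by every non-teller, so it stays out of the role and the single teller holding it shows up as an out-of-role exception to review.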

ACL to RBAC
Existing ACL groups are converted to roles. Roles are created based on the existing access users have attained on various systems.

Questions to answer to develop roles based on access
What are the application groups?
What users are not in those groups?
What are the groups with similar or the same membership?
Are there direct permissions? Can these be covered by existing groups?
Suggest roles based on these groups? Can the roles cover a job code?
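The access-based questions above can be answered mechanically from group data. The Python below is an added example, not code from the presentation or from IBM RaPM: it finds users outside every group, groups with identical or near-identical membership (Jaccard similarity), direct permissions that an existing group already grants, and how well a group lines up with a job code. The groups, their permissions, the direct assignments, the job codes and the 0.75 similarity threshold are all constructed for illustration.

```python
"""ACL-to-RBAC candidate analysis over constructed application groups.

Added example, not from the presentation or from IBM RaPM. Groups, members,
group permissions, direct permissions and job codes are constructed sample data.
"""
from itertools import combinations

GROUPS = {  # application group -> member user ids (constructed)
    "GL_Readers": {"u1", "u2", "u3"},
    "GL_Viewers": {"u1", "u2", "u3"},        # identical membership to GL_Readers
    "GL_Posters": {"u1", "u2", "u3", "u4"},  # near-duplicate of GL_Readers
    "VPN_Users": {"u1", "u4", "u5"},
}
GROUP_PERMS = {  # what each group grants (constructed)
    "GL_Readers": {"GL:read"},
    "GL_Viewers": {"GL:view"},
    "GL_Posters": {"GL:read", "GL:post"},
    "VPN_Users": {"VPN:connect"},
}
DIRECT_PERMS = {  # permissions assigned to users outside any group (constructed)
    "u5": {"GL:read"},
    "u6": {"VPN:connect"},
    "u2": {"GL:post"},   # u2 is already in GL_Posters, so this is redundant
}
JOB_CODE = {"u1": "ACCT", "u2": "ACCT", "u3": "ACCT", "u4": "ACCT", "u5": "AUDIT", "u6": "AUDIT"}


def users_not_in_any_group():
    """The user population (everyone with a job code) minus everyone in some group."""
    grouped = set().union(*GROUPS.values())
    return set(JOB_CODE) - grouped


def jaccard(a, b):
    """Membership similarity: |A and B| / |A or B|; 1.0 means identical."""
    return len(a & b) / len(a | b) if a | b else 1.0


def similar_groups(min_similarity=0.75):
    """Group pairs with identical or strongly overlapping membership: merge candidates.
    Returns (group1, group2, similarity, identical) tuples in sorted group order."""
    found = []
    for g1, g2 in combinations(sorted(GROUPS), 2):
        sim = jaccard(GROUPS[g1], GROUPS[g2])
        if sim >= min_similarity:
            found.append((g1, g2, sim, GROUPS[g1] == GROUPS[g2]))
    return found


def direct_permission_coverage():
    """For every direct permission: which existing groups would grant it, and whether
    the user is already in one of them (a redundant direct assignment to clean up)."""
    coverage = {}
    for user, perms in DIRECT_PERMS.items():
        for p in perms:
            covering = sorted(g for g, gp in GROUP_PERMS.items() if p in gp)
            coverage[(user, p)] = {
                "groups": covering,
                "already_member": any(user in GROUPS[g] for g in covering),
            }
    return coverage


def group_covers_job_code(group, job_code):
    """(share of the job code's users that are in the group,
        share of the group's members that have the job code)."""
    members = GROUPS[group]
    jc_users = {u for u, j in JOB_CODE.items() if j == job_code}
    hit = len(members & jc_users)
    return (hit / len(jc_users) if jc_users else 0.0, hit / len(members) if members else 0.0)


if __name__ == "__main__":
    print("ungrouped:", users_not_in_any_group())
    print("similar:", similar_groups())
    print("direct coverage:", direct_permission_coverage())
    print("GL_Posters vs ACCT:", group_covers_job_code("GL_Posters", "ACCT"))
```

A pair reported with identical membership is a straightforward merge; a pair at 0.75 needs a person to decide whether the odd member out is an exception or a sign the groups serve different purposes. A (1.0, 1.0) job-code coverage means the group can become the role for that job code with no exceptions.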

Compare Organizational Roles with IT Access Assignment
Comparing IT bottom-up and actuals with top-down
Organizational results can be compared to IT data
Connecting business roles to IT roles and optimizing the model
A paper exercise

[Section tabs used on the following slides: Integration | Role Lifecycle | Business View | Technical View | Role and Policy Modeler]

The beginning
Sizing: scoping and size control
Focusing on stable business units: customer service, financial department
Focusing on well understood applications: core business applications
Product targeted at the business analyst
Engaging the sponsors and LoB managers
Involving IT asset custodians
Aggregating existing data

RaPM: Home Page
Designed for the business analyst
Simple view
Model: Projects, Role Mining/Modeling, Reports, Import

RaPM: Import
Load schema and data
Validate schema/data
Import session status/details
Multiple import sessions

RaPM: Model Roles and Policies
Project management
Role mining/modeling
Role analysis
Export roles / Separation of Duty policies / user-to-role assignments

RaPM: Modeling
Top-down: business interviews, existing model
Bottom-up: data aggregation, system state, existing knowledge


RaPM: Model Roles and Policies
Project creation
User selection
Permission selection

RaPM: Manual Role Creation
Top-down approach. Manually assign:
Parent/child roles (hierarchy)
Members / member qualifiers
Permissions
Separation of Duty constraints
Additional information

RaPM: Generating roles
Artificial intelligence algorithms
Poor performance vs over-fitting
Analytics from IBM Research
Parameters: hierarchy, ownership, compatibility constraints, modeling flexibility

RaPM: Role Generation
IBM Research-created algorithms automatically generate roles/hierarchies
Options affect the number of roles and the depth of the hierarchy

RaPM: Copy Roles into Project
Imported roles can be copied into projects
Search by extended attributes (template, etc.)
Modify existing roles or use them to create new roles
Can include membership, permissions, SOD constraints

RaPM: Undo
Changes are automatically committed
Undo feature allows for rollback of changes
Changes/undo are project specific

RBAC Modeling
Role definition processes
Role management review for HR updates (reorg, new job codes, etc.)
Role review for application changes (new system, retire system, new features)
Iterative approach and instant feedback
Split roles
Combine roles
Rules for roles

RBAC Definition Lifecycle
Role definition iterations
Organizational role definition: business view
Application role definition: system view
Cleanup, Define, Test, Publish, Examine
Empowerment and knowledge transfer
Structured steps of interviews, data gathering, engineering, and tests to produce roles
Role quality

RaPM: Role Analysis
The Analysis Catalog provides different analyses to help determine potential role members/permissions
Ensure membership/permissions are accurate
Ability to view granular user/permission details in analysis results

A single, statically assigned RBAC role can be associated with a specific set of entitlements (permissions), e.g. VPN Access, Access to GL
A dynamic RBAC role can inherit a collection of roles that relate to a Job Family, which can be organization-wide, divisional, or location-based, represented by person type

Dynamic Role
Dynamic and Adaptive Access Control
Analytics Engine

RaPM: Membership Qualifier
Configure multiple conditions
Automatically associate users with a role
Use analysis results to help build out qualifiers
Membership view indicates members assigned directly or by qualifier
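What a membership qualifier does in practice, as an added example that is not code from the presentation or from IBM RaPM: a rule of several attribute conditions selects members automatically, the membership view says whether each person is a member directly, by qualifier, or both, and two review helpers surface the direct members the rule would not select and the people whose record lacks an attribute the rule needs. The people, attribute names, (attribute, operator, value) qualifier syntax and the "all"/"any" match mode are constructed for illustration.

```python
"""Membership qualifiers: rule-based role membership alongside direct assignment.

Added example, not code from the presentation or from IBM RaPM. The people,
attribute names, qualifier syntax and match modes are constructed.
"""
import operator

# Constructed HR feed: person -> attributes. p5 has no location attribute at all.
PEOPLE = {
    "p1": {"dept": "ACCOUNTING", "location": "NYC", "status": "active"},
    "p2": {"dept": "ACCOUNTING", "location": "BOSTON", "status": "active"},
    "p3": {"dept": "ACCOUNTING", "location": "NYC", "status": "terminated"},
    "p4": {"dept": "HR", "location": "NYC", "status": "active"},
    "p5": {"dept": "ACCOUNTING", "status": "active"},
}

OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "in": lambda actual, allowed: actual in allowed,
}

# Constructed role with both direct members and a multi-condition qualifier.
GL_ACCESS = {
    "name": "GL_Access",
    "direct_members": {"p1", "p4"},
    "match": "all",   # every condition must hold; "any" would OR them
    "qualifier": [
        ("dept", "==", "ACCOUNTING"),
        ("status", "==", "active"),
        ("location", "in", {"NYC", "BOSTON"}),
    ],
}


def evaluate(conditions, attrs, match="all"):
    """Evaluate a qualifier against one person's attributes. A missing attribute
    compares as None, so it never satisfies == or in."""
    results = [OPERATORS[op](attrs.get(attr), value) for attr, op, value in conditions]
    return all(results) if match == "all" else any(results)


def qualified_members(role):
    """Everyone the qualifier selects, independent of direct assignment."""
    return {p for p, attrs in PEOPLE.items() if evaluate(role["qualifier"], attrs, role["match"])}


def membership_view(role):
    """Who is a member and why: directly assigned, matched by the qualifier, or both."""
    direct, qualified = set(role["direct_members"]), qualified_members(role)
    view = {}
    for person in direct | qualified:
        if person in direct and person in qualified:
            view[person] = "direct+qualifier"
        elif person in direct:
            view[person] = "direct"
        else:
            view[person] = "qualifier"
    return view


def direct_not_qualified(role):
    """Direct members the rule would not select: the exceptions a reviewer should examine."""
    return sorted(set(role["direct_members"]) - qualified_members(role))


def missing_attributes(role):
    """People lacking an attribute the qualifier references. They are silently
    excluded by the rule, so report them rather than assume the feed is complete."""
    needed = {attr for attr, _, _ in role["qualifier"]}
    return sorted(p for p, attrs in PEOPLE.items() if needed - set(attrs))


if __name__ == "__main__":
    print(membership_view(GL_ACCESS))
    print("direct but not qualified:", direct_not_qualified(GL_ACCESS))
    print("missing attributes:", missing_attributes(GL_ACCESS))
```

Here p4 (HR) is a direct member the rule would never pick, which is exactly the kind of exception the attestation reviewer should see, and p5 is an accounting employee the rule skips only because the HR feed has no location for them.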

Separation of Duties
Separation of duty constraints and policies, both static and dynamic, in a role model
[Diagram of the role model: Users, Roles, Permissions, Role Hierarchy, Sessions, SOD Constraints]

Separation of duty ensures that the same user cannot have conflicting roles that would provide them with an unacceptable level of authority. Constraints can be applied to user/role assignments (static constraints), to session/role assignments (dynamic constraints), or to role hierarchies.

RaPM: Separation of Duties (SOD)
Alert when users are in a disallowed combination of roles
Indicates SOD configuration problems (inevitable conflicts)
Details users/roles in conflict
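The three constraint kinds above, worked through in code as an added example that is not from the presentation or from IBM RaPM: a static check over user-to-role assignments, a dynamic check at session activation, and, because constraints are evaluated over the role hierarchy, detection of "inevitable conflicts" where one role inherits both sides of a constraint and therefore every member of it violates the policy. The roles, hierarchy, assignments and constraints are constructed sample data.

```python
"""Static and dynamic separation-of-duty checks over an RBAC model with a role hierarchy.

Added example, not code from the presentation or from IBM RaPM. Roles,
hierarchy, user assignments and SoD constraints are constructed sample data.
"""

# Constructed hierarchy: role -> the roles it inherits from (its parents).
PARENTS = {
    "Finance_Staff": set(),
    "AP_Clerk": {"Finance_Staff"},
    "AP_Approver": {"Finance_Staff"},
    "Finance_Manager": {"AP_Clerk", "AP_Approver"},  # inherits both sides of a constraint
    "Auditor": set(),
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Clerk", "AP_Approver"},   # direct static violation
    "carol": {"Finance_Manager"},         # violation through inheritance only
    "dave": {"Auditor"},
    "erin": {"AP_Clerk", "Auditor"},      # may hold both, may not use both in one session
}

# Static constraints apply to assignments; dynamic ones to what is active in a session.
STATIC_SOD = [({"AP_Clerk", "AP_Approver"}, "create and approve the same payment")]
DYNAMIC_SOD = [({"AP_Clerk", "Auditor"}, "audit own postings")]


def effective_roles(roles):
    """Transitive closure over the hierarchy: the given roles plus everything they inherit."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(PARENTS.get(role, ()))
    return seen


def static_violations():
    """Users whose assigned or inherited roles form a disallowed combination."""
    found = []
    for user, roles in USER_ROLES.items():
        effective = effective_roles(roles)
        for pair, reason in STATIC_SOD:
            if pair <= effective:
                found.append((user, tuple(sorted(pair)), reason))
    return found


def inevitable_conflicts():
    """Roles that inherit both sides of a constraint: every member will violate it,
    so the defect is in the model configuration, not in any single assignment."""
    found = []
    for role in PARENTS:
        effective = effective_roles({role})
        for pair, _ in STATIC_SOD + DYNAMIC_SOD:
            if pair <= effective:
                found.append((role, tuple(sorted(pair))))
    return found


def activate(user, session, role):
    """Dynamic SoD: refuse to activate a role that conflicts with one already active
    in this session. `session` is the set of activated roles and is updated in place."""
    if role not in effective_roles(USER_ROLES[user]):
        raise PermissionError(f"{user} is not assigned {role}")
    would_be_active = effective_roles(session | {role})
    for pair, reason in DYNAMIC_SOD:
        if pair <= would_be_active:
            raise PermissionError(f"dynamic SoD violation for {user}: {reason}")
    session.add(role)
    return session


if __name__ == "__main__":
    print("static violations:", static_violations())
    print("inevitable conflicts:", inevitable_conflicts())
    session = activate("erin", set(), "AP_Clerk")
    try:
        activate("erin", session, "Auditor")
    except PermissionError as exc:
        print(exc)
```

Carol never received AP_Clerk or AP_Approver directly, yet she is reported, and Finance_Manager itself is reported as an inevitable conflict: removing Carol's assignment would not fix the model, which is why the tool flags the configuration rather than only the users.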

RBAC Administration Lifecycles

Events that start a cycle: a re-org, new data such as org type, physical location, job title, cost center, or the retirement of any of these; a new application or system, a new group is added, a group or system is consolidated or retired

Roles are analyzed, changes are proposed, and a draft is circulated

Roles are published and ready for use

Maturity levels: Attestation (tactical), Request Based (mid range), IdM Integrated (strategic), Role-Based Access Control

RaPM: Reports
TCR/Cognos based reports
Operations report
Permissions report
Roles report
User Access report

Role Lifecycle Manager
Business Process Manager
Approval request sent to role owner(s)
Attach role reports to the approval request for more details

Relationship between RBAC and Identity Provisioning - Mature
Real World Role Automation
[Diagram labels: Data Feed; Role and Policy Modeler; Automatic Permission Assignment; Manual Permission Assignment; Integration]

RaPM: Export Project
Generates XML containing: roles; Separation of Duty constraints; user-to-role assignments (optional)
Immediately consumable by the ITIM Load utility

RaPM: ITIM Load
Utility to load exported roles/SODs/user-to-role assignments
Preview option shows the number of: new or modified roles; modified hierarchies; new or modified Separation of Duty constraints; user-to-role assignments to be added or deleted
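The export and load-preview steps above, as an added example that is not the presentation's, RaPM's or the ITIM Load utility's code: parse an exported project, validate that it references only roles it defines, and diff it against the current state to produce the preview counts. The XML layout is a constructed stand-in (not ITIM's real export schema), the current-state data is constructed, and the user-to-role assignments in the export are treated as the complete intended set when they are present.

```python
"""Load preview: diff an exported role-model project against the current state.

Added example, not from the presentation, IBM RaPM or the ITIM Load utility.
The XML layout is a constructed stand-in, not ITIM's real export schema; the
current-state data is constructed as well.
"""
import xml.etree.ElementTree as ET

EXPORT_XML = """<project name="finance-rbac">
  <role name="AP_Clerk"><parent>Finance_Staff</parent><permission>AP:create</permission></role>
  <role name="AP_Approver"><parent>Finance_Staff</parent><permission>AP:approve</permission></role>
  <role name="Finance_Staff"><permission>Intranet:read</permission></role>
  <sod name="create-vs-approve"><role>AP_Clerk</role><role>AP_Approver</role></sod>
  <assignment user="alice" role="AP_Clerk"/>
  <assignment user="bob" role="AP_Approver"/>
</project>"""

CURRENT = {  # what the identity manager holds today (constructed)
    "roles": {
        "AP_Clerk": {"parents": set(), "permissions": {"AP:create"}},
        "Finance_Staff": {"parents": set(), "permissions": {"Intranet:read"}},
        "Old_Role": {"parents": set(), "permissions": set()},
    },
    "sod": {},
    "assignments": {("alice", "AP_Clerk"), ("bob", "AP_Clerk"), ("carol", "Old_Role")},
}


def parse_export(xml_text):
    """Read roles (with parents and permissions), SoD constraints and assignments."""
    root = ET.fromstring(xml_text)
    roles = {
        r.get("name"): {
            "parents": {p.text for p in r.findall("parent")},
            "permissions": {p.text for p in r.findall("permission")},
        }
        for r in root.findall("role")
    }
    sod = {s.get("name"): frozenset(r.text for r in s.findall("role")) for s in root.findall("sod")}
    assignments = {(a.get("user"), a.get("role")) for a in root.findall("assignment")}
    return roles, sod, assignments


def validate_export(roles, sod, assignments):
    """Schema/data validation before load: every referenced role must be defined."""
    problems = []
    for name, role in roles.items():
        for parent in role["parents"] - set(roles):
            problems.append(f"role {name} has unknown parent {parent}")
    for name, members in sod.items():
        for missing in members - set(roles):
            problems.append(f"SoD {name} references unknown role {missing}")
    for user, role in assignments:
        if role not in roles:
            problems.append(f"assignment {user} -> unknown role {role}")
    return problems


def preview(xml_text, current):
    """The load preview: what would be created, changed, added or deleted."""
    roles, sod, assignments = parse_export(xml_text)
    cur_roles = current["roles"]
    known = [r for r in roles if r in cur_roles]
    return {
        "new_roles": sorted(set(roles) - set(cur_roles)),
        "modified_roles": sorted(r for r in known if roles[r]["permissions"] != cur_roles[r]["permissions"]),
        "modified_hierarchies": sorted(r for r in known if roles[r]["parents"] != cur_roles[r]["parents"]),
        "new_or_modified_sod": sorted(n for n, m in sod.items() if current["sod"].get(n) != m),
        "assignments_to_add": sorted(assignments - current["assignments"]),
        "assignments_to_delete": sorted(current["assignments"] - assignments),
    }


def preview_counts(xml_text, current):
    """The numbers the preview screen shows."""
    return {key: len(items) for key, items in preview(xml_text, current).items()}


if __name__ == "__main__":
    roles, sod, assignments = parse_export(EXPORT_XML)
    print("validation:", validate_export(roles, sod, assignments) or "ok")
    print(preview(EXPORT_XML, CURRENT))
    print(preview_counts(EXPORT_XML, CURRENT))
```

The deletion list is the part worth reading before pressing load: Carol loses Old_Role and Bob loses AP_Clerk because the export does not mention them, which is correct if the project was meant to be authoritative and a mistake if the analyst scoped the project to a subset of users.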

Role and Policy Modeler Highlights

Role management capabilities are integral to the Security Identity Manager
Integrated built-in functionality in one package, rather than 2 or 3 from competitors. Costs less than comparable solutions in the market. Integration and automation provide immediately effective operations

Simple and yet sophisticated role modeling helps accelerate results
Business-user centric Web UI ensures faster adoption and easy deployment. Powerful, built-in analytics guide the role analyst in generating a timely role structure. IBM's solid technology and experience with roles built into a product

Flexibility to adapt to the client-specific IT processes
Handles scale and large access data sources with a project-based approach. Extensible policy & graphical role model to analyze particular enterprise scenarios. Offers a business process automation platform to quickly get stakeholder validation

Ability to drive IAM Governance beyond role management
Customers can easily deploy and integrate run-time enforcement (entitlement management) with IBM's Identity and Access Management Governance strategy. Security Intelligence: identity analytics in role modeling provide valuable business insight, helping customers achieve the next level of security alignment with the business

To conclude, I would like to summarize that IBM has shown leadership in the RBAC space for a long time. We have made these role management capabilities available in an integrated solution for Identity Management. And we have targeted our delivery of strong functionality to what enterprises need today. Our IAM Governance strategy and vision also encompasses a broader perspective that goes beyond role management. While we are completing this vision with role modeling and lifecycle management, we are also well prepared to make the next evolutionary step into identity analytics.

Thanks for your time and attention. I would like to answer any questions you may have.

Win deal

Arla Foods: Originally acquired TIM to have a handle over the 10+% of orphan accounts in their SAP applications that caused them to fail an ISO 17799 audit. MN Security helped them reduce the number of roles by 95% using TIM's SOD, certification, approval workflow, and UP. 50% reduction in service desk calls.

GameStop: game retailer with 3000 employees. Got TIM because it was failing audits due to churn and lack of access tracking. Orphan accounts, obsolete accounts. They needed to understand their access and clean it.

CommonWealth Bank (Australia): TIM 4.6 customer that bought Sailpoint, and then changed to Sun RM because TIM did not cover roles. Now wants to get TIM 5.1. (48K users, 125 apps)

Role Based Access Management improves compliance postures and reduces the cost of administration in an evolving IT environment.
The traditional solution for role modeling generates results that are obsolete by the time they are ready

ABAC, RuBAC, ZBAC
This is about 60% business process consulting and 40% tool. You need both to be strong to get to the 100%

... but there are still challenges achieving this goal
[Diagram of the manual role lifecycle: Written Report, Manual Data Collect, Face to Face Collect, Consult, Reject, Written Reports, Certify, Manual Enforcement, Spreadsheet Evaluation, Face to Face Approvals]

Summing up

Pain Points addressed with IBM's Role Management

Role management solutions are difficult to install, hard to use, and not integrated with Identity Management
Difficult to migrate from IT request-based access to business role-based access
Long process. Projects abandoned due to scope and slow roll-out
Massive amounts of data can be daunting
No business-level insight into roles and security
Need business definitions of security roles
Difficult to map business functions to application roles
Difficult to visualize relationships between permissions, users, and roles
Need business-based analytical tools to understand the impact of organizational structure and changes on roles and access
Business people need a business-oriented UI to understand, create, and manage roles

RBAC Change Control and Notification Processes

Foundational processes will allow the business to keep the organizational structure up to date on systems
Foundational processes will allow the business to keep system entitlements clean and up to date
After foundational processes are implemented, and RBAC is in place, these processes can be leveraged and integrated with RBAC management processes

[Chart: Gross Revenue (millions) by year]
2004: 21.2
2005: 25.7
2006: 30
2007: 52.2
2008: 54
2009: 55
2010: 61
2011: 70

[Diagram labels left over from the slide figures: role hierarchies (ROLE A, ROLE B, ROLE C; ROLE X, ROLE Y, ROLE Z); a BUSINESS ROLE composed of ROLEs mapped to Application / System Entitlements under RBAC; a ROLE PROFILE; Users and their User Accounts; organizational units Board of Directors, Info. Sec., Accounting (Role Approver, Business Owner, Audit Review), Personnel/HR, Information Systems/IT, Reception, Security Administration]