Security Health Check: Access Governance
2 © 2013 KPMG in the Netherlands, registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.
Content
• Access governance (p. 3)
• Challenges (p. 4)
• Digital identity life cycle and access (p. 5)
• Key questions (p. 6)
• Our approach (p. 7)
• Phases (p. 8)
• Assisting technology (p. 9)
• Example reports (p. 10)
• KPMG’s track-record on access governance (p. 11)
• Identity & access of today and beyond (p. 12)
• Contact (p. 13)
Access governance
Definition – Access governance stands for governing who has access to which applications, services and data, in order to maintain security (integrity and confidentiality of data), to ensure compliance with laws and regulations, and to provide business intelligence on access control.
Importance – The integrity and confidentiality of corporate data, structured as well as unstructured, is vital to an organisation's success. If the data is stolen and/or its integrity is compromised in any way, the damage to the organisation's reputation and revenue stream could be irreparable.
Under increasing pressure to reduce costs while adhering to regulatory requirements and responding rapidly to changing business needs such as cloud computing and the consumerisation of mobile devices, professionalised access governance is a precondition for meeting business requirements.
Access governance is a business responsibility and should therefore be approached from a business perspective, facilitated by effective technology and processes.
[Figure: access governance model – users (business users, system administrators with privileged accounts, external users) are granted access to IT resources (directories and repositories, applications and data, cloud services); access governance consists of policies (security requirements, laws and regulations, segregation of duties), access permission control, and monitoring and reporting.]
Challenges
Despite the attention on security in general and access to valuable data in particular, access governance still poses tremendous challenges for many organisations. Why?
Complexity – The complexity of identities and access permissions to various IT resources and data types is often high. With the ongoing adoption of cloud services, federations with partner organisations and the proliferation of mobile devices, the complexity is steadily increasing.
Lack of information – Many organisations have insufficient information to efficiently manage their identities and access.
Technology-focused – While access governance is in principle a business responsibility, many organisations have limited its implementation to the deployment of software only.
Hence, the issues remain, with a growing risk of security breaches and incidents. Typical vulnerabilities are:
• Obsolete accounts of employees who have left the organisation;
• Excessive permissions breaching segregation of duties or giving system administrators access to confidential data;
• Access granted to employees without authorisation from management;
• Unmonitored access allowing unauthorised users such as hackers to steal valuable data;
• Insufficient reporting, leaving responsible managers without insight.
[Figure: the access governance model of the previous slide (business users, system administrators with privileged accounts, external users; directories and repositories, applications and data, cloud services), annotated with the typical vulnerabilities: obsolete accounts, excessive permissions, access without authorisation, unmonitored access and insufficient reporting.]
Digital identity life cycle and access: issues in practice
Each stage of the life cycle runs through the same three steps (authorisation, provisioning or deprovisioning, monitoring and reporting); the issues observed in practice are listed per stage.
User account creation – authorisation of access permissions, provisioning, monitoring and reporting:
• No formal authorisation from management or data owner
• Access permissions based on similar users (with excessive permissions)
• Manual provisioning susceptible to errors
• Limited monitoring and logging of access
• Lack of data for reporting
User account change – authorisation of access permissions, provisioning, monitoring and reporting:
• Discrepancies with HR data
• Additional access permissions on top of existing access permissions
• Provisioning of excessive permissions
• Limited monitoring on privileged accounts
• Inadequate reporting on desired state and actual state of access permissions
User account removal – authorisation of removal, deprovisioning, monitoring and reporting:
• Obsolete user accounts
• No deprovisioning of obsolete accounts and access permissions
• No formal authorisation from management or data owner
• Limited monitoring on unauthorised use of access permissions
Key questions
Concerning the maturity/health of access governance, the following questions need to be addressed:
• Which accounts on the applications/systems are obsolete – which accounts belong to employees who are no longer members of the organisation?
• What are the users with excessive access rights – what are the privileged accounts?
• How are these privileged accounts being monitored?
• What permissions have been authorised and what are the actual access permissions of users to sensitive data?
• What are the key items regarding access being reported to the responsible management?
• Do the access permission control measures reflect access governance policies?
• How is unstructured data being controlled on access (shares, cloud repositories)?
• How are the access permissions being implemented on IT resources?
[Figure: the key questions positioned on the access governance model – access governance policies, access permission control, and access permissions on IT resources.]
Our approach
We will provide you with clear and decisive insight into your organisation’s state concerning access governance.
Our approach is simple yet efficient and effective. By gathering HR data enriched with access permission/business rules data, the desired state of access will be defined – how the access permissions should be implemented.
By gathering access permission data from the IT resources in scope (structured data, unstructured data, data in the cloud), the actual state of access will be defined – what the access permissions are in reality.
We will load these data sets into our specialised software and compare and verify them, which will result in an access governance health check report.
This report, which answers the key questions, comprises the following parts:
• Outline of the desired state of access permissions;
• Outline of the actual state of access permissions on IT resources (applications/systems, directories, services);
• Delta – the deviations/deficiencies;
• Risks involved;
• Comparison with industry peers (benchmark);
• Recommendations.
[Figure: desired state (HR data plus access permissions/business rules data) and actual state (access permission data on IT resources: structured data, unstructured data, data in the cloud) feed into data transformation, comparison and verification, producing the Health Check Report with delta, risks and recommendations.]
Phases
Phase 1: Scope definition – During this step, the scope of applications/systems, directories and (if applicable) services will be defined, as well as the scope of users and processes. The key questions that need to be answered will also be defined.
Phase 2: Planning – During this step, all stakeholders will be informed and system engineers will be contacted to request technical assistance where needed.
Phase 3: Collection of data extractions – During this step, KPMG will collect data extractions. Typically these are:
• Active Directory data (users, security groups, share settings);
• Databases (User/group and privilege correlations);
• Data on file servers and cloud-based data repositories;
• Applications (Roles and privilege correlations);
• Data extractions from HR system(s);
• If available, data extractions from business rules engines.
Phase 4: Analysis – During this step, KPMG will analyse the data using specialised software (Quest).
Phase 5: Reporting and presentation – During this step, KPMG will deliver the report and present the findings to management.
[Figure: the five phases – 1. Scope definition (IT resources: applications/systems, directories, services; users and processes; key questions); 2. Planning (stakeholder involvement; technical engineers involvement); 3. Collection of data extractions (collection of business data; collection of IT data); 4. Analysis (data transformation; comparison; verification); 5. Reporting & presentation (reporting; management presentation).]
Assisting technology
Quest One IM application – We use the Quest One Identity Manager application by Dell Software Group to facilitate our research during phases 3 to 5. The collection as well as the analysis of the data are automated where applicable and possible.
The value of this automated approach lies in the far greater amount of data that can be analysed, much more efficiently and effectively. As a rule, the application itself will not be installed on the customer’s premises but only used as a collection/analysis application on a KPMG computer.
Steps
1. Import of available corporate data (HR data, directory data, access permission data) – the data (.csv files or other formats) can be imported easily via the wizard.
2. Definition of business rules – via a special function of the application, business rules on various aggregation levels can be defined.
3. Data mapping and matching – the gathered data can be mapped and matched.
4. Correlation of gathered data – the gathered data can be correlated and analysed.
5. Reporting of findings – the analysed data can be displayed in a user-friendly manner to the analyst or business user.
[Figure: the five steps – data import, rules definition, mapping & matching, correlation, reporting.]
Example reports
The following example reports are shown:
• Orphaned accounts
• Risk index
• Multiple accounts on the same system
• Compliance violations
• Data quality
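The desired-versus-actual comparison described under "Our approach" (HR data plus business rules on one side, an access permission extract on the other, the delta in between), carried through to the report types listed above, as an added example that is not part of the original KPMG deck and does not use Quest One Identity Manager. The HR and Active Directory extracts, the department-to-group rules and the segregation-of-duties pair are constructed; the reason recorded for an orphaned account separates a data quality gap (no HR record) from a leaver whose account was never deprovisioned.

```python
import csv, io
from collections import defaultdict

# Constructed sample extracts (not real customer data): an HR export and an
# Active Directory group-membership export, in the .csv form the check imports.
HR_CSV = """employee_id,name,department,status
1001,Anna,Finance,active
1002,Bram,Finance,active
1003,Chen,IT,left
"""
AD_CSV = """account,employee_id,group
anna.f,1001,FIN_AP_ENTRY
anna.f,1001,FIN_AP_APPROVE
bram.f,1002,FIN_AP_ENTRY
chen.it,1003,DOMAIN_ADMINS
svc_backup,,DOMAIN_ADMINS
bram2,1002,FIN_AP_ENTRY
"""
# Desired state (constructed business rules): groups permitted per department,
# plus one segregation-of-duties rule naming a toxic combination of groups.
DESIRED = {"Finance": {"FIN_AP_ENTRY"}, "IT": {"DOMAIN_ADMINS"}}
SOD_PAIRS = [("FIN_AP_ENTRY", "FIN_AP_APPROVE")]


def health_check(hr_csv, ad_csv):
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    groups_of = defaultdict(set)  # account -> set of groups (actual state)
    owner_of = {}                 # account -> employee_id claimed in AD
    for r in csv.DictReader(io.StringIO(ad_csv)):
        groups_of[r["account"]].add(r["group"])
        owner_of[r["account"]] = r["employee_id"]
    findings = defaultdict(list)
    accounts_of = defaultdict(list)  # employee_id -> accounts on this system
    for acct, groups in groups_of.items():
        emp = hr.get(owner_of[acct])
        if emp is None or emp["status"] != "active":
            # Orphaned account: no HR record at all, or the employee has left.
            findings["orphaned"].append((acct, "no HR record" if emp is None else "employee left"))
            continue
        accounts_of[emp["employee_id"]].append(acct)
        excess = groups - DESIRED.get(emp["department"], set())  # the delta
        if excess:
            findings["excessive"].append((acct, sorted(excess)))
        for a, b in SOD_PAIRS:  # compliance violation: toxic combination held
            if a in groups and b in groups:
                findings["sod_violation"].append((acct, a, b))
    for emp_id, accts in accounts_of.items():
        if len(accts) > 1:  # multiple accounts on the same system
            findings["multiple_accounts"].append((emp_id, sorted(accts)))
    return dict(findings)
```

Calling `health_check(HR_CSV, AD_CSV)` on the constructed extracts flags the leaver's admin account and the unowned service account as orphaned, the approval group as excess for the Finance user, that same user's entry/approve combination as a segregation-of-duties violation, and the second Finance account as a duplicate.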
KPMG’s track-record on access governance
Public and healthcare:
• Dutch university
• Large public railway organisation
• Dutch college of advanced education
• Dutch secondary education organisation
• Hospital in Rotterdam
Industry & food:
• Global oil company
• Global energy company
• Dutch container carrier
• International electricity company
• Dutch/Italian food manufacturer
Finance:
• Nationalised Dutch bank
• International banking co-operation
• Independent Dutch bank
• Dutch payment services organisation
• Dutch pension fund
• Dutch organisation in the financial-legal sector
• Dutch insurance company
• International insurance company
• Dutch bank focused on sustainability
Identity & access of today and beyond
Contact
ing. John Hermans RE | Partner
Telephone: +31 (0)6 5136 6389
E-mail: [email protected]
drs. Mike Chung RE | Senior manager
Telephone: +31 (0)6 1455 9916
E-mail: [email protected]