Security Health Check: Access Governance

2 © 2013 KPMG in the Netherlands, registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International.

Content

• Access governance (page 3)

• Challenges (page 4)

• Digital identity life cycle and access (page 5)

• Key questions (page 6)

• Our approach (page 7)

• Phases (page 8)

• Assisting technology (page 9)

• Example reports (page 10)

• KPMG’s track-record on access governance (page 11)

• Identity & access of today and beyond (page 12)

• Contact (page 13)


Access governance

Definition: Access governance stands for governing who has access to which applications, services and data, in order to maintain security (integrity and confidentiality of data), to ensure compliance with laws and regulations, and to provide business intelligence on access control.

Importance: The integrity and confidentiality of corporate data, structured as well as unstructured, is vital to an organisation's success. If the data is stolen and/or its integrity is compromised in any way, the damage to the organisation's reputation and revenue stream could be irreparable.

Given the increasing pressure to reduce costs while adhering to regulatory requirements and responding rapidly to changing business needs such as cloud computing and the consumerisation of mobile devices, professionalised access governance is a precondition for meeting business requirements.

Access governance is a business responsibility and should therefore be approached from a business perspective, facilitated by effective technology and processes.

[Figure: access governance overview. Users (business users, system administrators with privileged accounts, external users) access IT resources (cloud services, applications and data, directories and repositories). Access governance consists of policies, access permission control, and monitoring and reporting, driven by security requirements, laws and regulations, and segregation of duties.]


Challenges

Despite the attention on security in general and on access to valuable data in particular, access governance still poses tremendous challenges for many organisations. Why?

Complexity – The complexity of identities and access permissions across various IT resources and data types is often high. With the ongoing adoption of cloud services, federations with partner organisations and the proliferation of mobile devices, the complexity is steadily increasing.

Lack of information – Many organisations have insufficient information to efficiently manage their identities and access.

Technology-focused – While access governance is in principle a business responsibility, many organisations have limited its implementation to the deployment of software only.

Hence the issues remain, with a growing risk of security breaches and incidents. Typical vulnerabilities are:

• Obsolete accounts of employees who have left the organisation;

• Excessive permissions that breach segregation of duties or give system administrators access to confidential data;

• Access granted to employees without authorisation from management;

• Unmonitored access, allowing unauthorised users such as hackers to steal valuable data;

• Insufficient reporting, leaving responsible managers without insight into the actual state of access.

[Figure: the same overview of users (business users, system administrators with privileged accounts, external users) and IT resources (cloud services, applications and data, directories and repositories), annotated with the typical vulnerabilities: obsolete accounts, excessive permissions, access without authorisation, unmonitored access, insufficient reporting.]


Digital identity life cycle and access: issues in practice

Each step of the life cycle passes through the same stages: authorisation of access permissions (or of removal), provisioning (or deprovisioning), and monitoring and reporting. The issues observed in practice per step are:

User account creation (authorisation of access permissions, provisioning, monitoring and reporting)

• No formal authorisation from management or data owner

• Access permissions based on similar users (with excessive permissions)

• Manual provisioning susceptible to errors

• Limited monitoring and logging of access

• Lack of data for reporting

User account change (authorisation of access permissions, provisioning, monitoring and reporting)

• Discrepancies with HR data

• Additional access permissions on top of existing access permissions

• Provisioning of excessive permissions

• Limited monitoring on privileged accounts

• Inadequate reporting on desired state and actual state of access permissions

User account removal (authorisation of removal, deprovisioning, monitoring and reporting)

• Obsolete user accounts

• No deprovisioning of obsolete accounts and access permissions

• No formal authorisation from management or data owner

• Limited monitoring on unauthorised use of access permissions


Key questions

Concerning the maturity/health of access governance, the following questions need to be addressed:

• Which accounts on the applications/systems are obsolete – which accounts belong to employees who are no longer members of the organisation?

• Which users have excessive access rights – which are the privileged accounts?

• How are these privileged accounts being monitored?

• Which permissions have been authorised, and what are the actual access permissions of users to sensitive data?

• What are the key items regarding access being reported to the responsible management?

• Do the access permission control measures reflect the access governance policies?

• How is access to unstructured data being controlled (shares, cloud repositories)?

• How are the access permissions being implemented on IT resources?

[Figure: the key questions mapped onto three layers: access governance policies; access permission control (does permission control align with access policies?); and access permissions on IT resources (what accounts are obsolete? what are privileged accounts? how is user access being monitored? what are the actual access permissions? what are the key items being reported? how are access permissions being implemented? how is unstructured data being controlled?).]


Our approach

We will provide you with clear and decisive insight into your organisation’s state of access governance.

Our approach is simple yet efficient and effective. By gathering HR data enriched with access permission/business rules data, the desired state of access will be defined – how the access permissions should be implemented.

By gathering access permission data from the IT resources in scope (structured data, unstructured data, data in the cloud), the actual state of access will be defined – what the access permissions are in reality.

We will load these data sets into our specialised software, then compare and verify them, which results in an access governance health check report.

This report, which answers the key questions, comprises the following parts:

• Outline of the desired state of access permissions;

• Outline of the actual state of access permissions on IT resources (applications/systems, directories, services);

• Delta – the deviations/deficiencies;

• Risks involved;

• Comparison with industry peers (benchmark);

• Recommendations.

[Figure: approach overview. Desired state is derived from HR data and access permissions/business rules data; actual state is derived from access permission data on IT resources (structured data, unstructured data, data in the cloud). Data transformation, comparison and verification produce the Health Check Report: delta, risks and recommendations.]
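The desired-state versus actual-state comparison described above, worked through in Python as an added example; this is not KPMG's software or the Quest tooling the slides mention. The HR extract, the department-to-entitlement rules, the segregation-of-duties pairs, the privileged-entitlement set and the per-system access extract are all constructed sample data, and the finding categories follow the report parts listed above and the example report types named later in the deck (orphaned accounts, multiple accounts on the same system, compliance violations, data quality).

```python
"""Desired-state vs actual-state access reconciliation (added example).

Desired state = active employees from the HR extract plus the entitlements
their department is allowed to hold (business rules).
Actual state  = account/entitlement rows extracted per system.
The delta is reported as a dict of finding categories.
All data below is constructed sample data; the rule tables are assumptions.
"""
from collections import defaultdict

# Constructed HR extract: employee id -> record.
HR = {
    "e100": {"name": "A. Jansen", "dept": "finance", "status": "active"},
    "e101": {"name": "B. de Vries", "dept": "finance", "status": "active"},
    "e102": {"name": "C. Bakker", "dept": "it", "status": "active"},
    "e103": {"name": "D. Visser", "dept": "sales", "status": "left"},  # has left
}

# Constructed business rules: entitlements a department may hold.
DEPT_ENTITLEMENTS = {
    "finance": {"erp.ap_clerk", "erp.reporting"},
    "it": {"erp.reporting", "ad.server_admin"},
    "sales": {"crm.user"},
}
# Segregation-of-duties pairs that one person must never hold together.
SOD_CONFLICTS = [("erp.ap_clerk", "erp.ap_approver")]
# Entitlements treated as privileged (system-administrator level).
PRIVILEGED = {"ad.server_admin", "erp.sysadmin"}

# Constructed per-system access extract: (system, account, owner id or None, entitlements).
ACTUAL = [
    ("erp", "ajansen", "e100", {"erp.ap_clerk", "erp.ap_approver", "erp.reporting"}),
    ("erp", "bdevries", "e101", {"erp.ap_clerk", "erp.reporting"}),
    ("erp", "bdevries2", "e101", {"erp.reporting"}),
    ("erp", "dvisser", "e103", {"crm.user", "erp.reporting"}),
    ("ad", "cbakker", "e102", {"ad.server_admin"}),
    ("ad", "svc_backup", None, {"ad.server_admin"}),
]


def desired_state(hr=HR):
    """Desired state: active employees mapped to the entitlements their department allows."""
    return {eid: DEPT_ENTITLEMENTS[rec["dept"]]
            for eid, rec in hr.items() if rec["status"] == "active"}


def reconcile(hr=HR, actual=ACTUAL):
    """Compare the actual state with the desired state and return the delta as findings."""
    desired = desired_state(hr)
    findings = defaultdict(list)
    accounts_per_owner = defaultdict(list)   # (system, owner) -> account names
    held_by_person = defaultdict(set)        # owner -> union of entitlements across accounts

    for system, account, owner, ents in actual:
        if owner is None or owner not in hr:
            # No HR owner at all: orphaned account (also a data-quality issue).
            findings["orphaned_accounts"].append((system, account))
        elif hr[owner]["status"] != "active":
            # Owner has left but the account still exists: not deprovisioned.
            findings["obsolete_accounts"].append((system, account, owner))
        else:
            excess = ents - desired[owner]
            if excess:
                findings["excess_permissions"].append((system, account, sorted(excess)))
            held_by_person[owner] |= ents
        accounts_per_owner[(system, owner)].append(account)
        if ents & PRIVILEGED:
            # Privileged accounts are listed so they can be put under monitoring.
            findings["privileged_accounts"].append((system, account))

    for (system, owner), names in accounts_per_owner.items():
        if owner is not None and len(names) > 1:
            findings["multiple_accounts"].append((system, owner, sorted(names)))

    # SoD is checked per person, across all of that person's accounts.
    for owner, ents in held_by_person.items():
        for a, b in SOD_CONFLICTS:
            if a in ents and b in ents:
                findings["sod_violations"].append((owner, a, b))

    # Active employees with no account anywhere are a data-quality signal.
    owners_seen = {owner for _, _, owner, _ in actual}
    findings["employees_without_account"] = sorted(e for e in desired if e not in owners_seen)
    return dict(findings)


if __name__ == "__main__":
    for category, items in reconcile().items():
        print(f"{category}: {items}")
```

On the sample data the run flags one SoD violation and one excess permission for e100, an obsolete ERP account for the employee who has left, an orphaned service account on AD, two ERP accounts for e101, and two privileged accounts. The SoD check deliberately unions entitlements across all of a person's accounts, since splitting a conflicting pair over two accounts on the same system is a common way a violation hides from a per-account check.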


Phases

Phase 1: Scope definition. During this step, the scope of applications/systems, directories and (if applicable) services will be defined, as well as the scope of users and processes. The key questions that need to be answered will also be defined.

Phase 2: Planning. During this step, all stakeholders will be informed and system engineers will be contacted to request technical assistance where needed.

Phase 3: Collection of data extractions. During this step, KPMG will collect data extractions. Typically these are:

• Active Directory data (users, security groups, share settings);

• Databases (user/group and privilege correlations);

• Data on file servers and cloud-based data repositories;

• Applications (roles and privilege correlations);

• Data extractions from HR system(s);

• If available, data extractions from business rules engines.

Phase 4: Analysis. During this step, KPMG will analyse the data using specialised software (Quest).

Phase 5: Reporting and presentation.

[Figure: phase overview]

1. Scope definition: IT resources (applications/systems, directories, services); users and processes; key questions

2. Planning: stakeholder involvement; technical engineers involvement

3. Collection of data extractions: collection of business data; collection of IT data

4. Analysis: data transformation; comparison; verification

5. Reporting & presentation: reporting; management presentation


Assisting technology

Quest One IM application: We use the Quest One Identity Manager application by Dell Software Group to facilitate our research during phases 3 to 5. The collection as well as the analysis of the data are automated where applicable and possible.

The value of this automated approach lies in the far greater amount of data that can be analysed, much more efficiently and effectively. As a rule, the application itself will not be installed on the customer’s premises but is only used as a collection/analysis application on a KPMG computer.

Steps:

1. Import of available corporate data (HR data, directory data, access permission data) – the data (.csv files or other formats) can be imported easily via the wizard.

2. Definition of business rules – via a special function of the application, business rules on various aggregation levels can be defined.

3. Data mapping and matching – the gathered data can be mapped and matched.

4. Correlation of gathered data – the gathered data can be correlated and analysed.

5. Reporting of findings – the analysed data can be displayed in a user-friendly manner to the analyst or business user.

[Figure: workflow of data import, rules definition, mapping & matching, correlation and reporting.]


Example reports

Example report types shown on the slide:

• Orphaned accounts

• Risk index

• Multiple accounts on the same system

• Compliance violations

• Data quality


KPMG’s track-record on access governance

Public and healthcare

• Dutch university

• Large public railway organisation

• Dutch college of advanced education

• Dutch secondary education organisation

• Hospital in Rotterdam

Industry & food

• Global oil company

• Global energy company

• Dutch container carrier

• International electricity company

• Dutch/Italian food manufacturer

Finance

• Nationalised Dutch bank

• International banking co-operation

• Independent Dutch bank

• Dutch payment services organisation

• Dutch pension fund

• Dutch organisation in the financial-legal sector

• Dutch insurance company

• International insurance company

• Dutch bank focused on sustainability


Identity & access of today and beyond


Contact

ing. John Hermans RE | Partner

Telephone: +31 (0)6 5136 6389

E-mail: [email protected]

drs. Mike Chung RE | Senior manager

Telephone: +31 (0)6 1455 9916

E-mail: [email protected]