NetworkingPS Role-Based Access Control ...
Background
In an end-to-end Identity Management framework, the span of the provisioning
process can extend beyond basic user provisioning activities and can incorporate
greater access control mechanisms over each provisioned user. This is the
concept of Role-Based Access Control, more commonly known as RBAC. With an RBAC
IdM initiative, users are grouped into business roles that correspond to their
IT functions, thus giving them the minimum required access to the resources they
are entitled to use. NetworkingPS supports a complete RBAC solution through its
partnership with CA Technologies using the Eurekify product suite.

A role-based approach to privileges management is widely considered a best
practice in the deployment of an effective provisioning system. Most
organizations believe RBAC is necessary to unlock the full benefits of Identity
Management, and that without this change in paradigm, mismanaged user roles will
be amplified by the new privileges automation systems. Yet, 81% of IdM project
managers find that existing IdM solutions do not provide adequate tools for the
creation and ongoing management of a role-based privileges model.

NetworkingPS' Role Management Offer provides an integrated approach by
incorporating the CA Eurekify Role and Compliance Manager (formerly known as
Eurekify Sage), which complements and extends the functionality of any existing
IdM solution with these new and powerful capabilities. Eurekify is the only
solution that provides for the full lifecycle of Enterprise Role Management,
making many of the difficult processes feasible through the assistance of unique
and patented analytics. Eurekify reflects business needs and ongoing changes
into IdM provisioning policies and processes.


Sage Survey
The Sage Survey is a service offering that leverages the entire Eurekify product
suite to help customers gain a better understanding of the complexity of their
organization’s systems and general requirements for an IdM rollout.

The Sage Survey includes an analysis of the existing privileges that reside
within an organization’s various systems, a process that provides the following
benefits:
- Evaluating the current user environment
- Assessing and ranking needs/building a solid business case for an IdM
- Using Sage to explore privileges and run various investigative queries
- Identifying and quantifying excessive and out-of-pattern privileges
- Identifying and quantifying duplicate and overlapping group definitions, etc.
- Discovering privileges that result from flawed provisioning processes
- "Reverse engineering" role definitions from patterns in existing privileges
- Reviewing, refining, and optimizing existing role definitions (if existing)
- Identifying key systems and assessing the complexity of the full IdM project
- Automating verification of compliance with policies and regulations, such as
  SOX, HIPAA, GLBA, etc.

A typical Sage Survey project lasts 5-10 days. NetworkingPS will review the
relevant platforms and privileges with the client, identifying the systems that
are key for IdM deployment.

Based on privileges data for a select part of the organization, from 1-2
platforms of choice, we will perform a standard Survey analysis. The analysis is
performed offline, so as not to interfere with any production systems. The
analysis will identify dead accounts, excessive privileges, and duplicate user
groups. We will then map organizational privileges into common business roles
across applications, and will demonstrate how they can be used to automate your
day-to-day management. We will also try to quantify the complexity of the
systems and of the required role engineering project, in order to provide a
factual foundation and ROI analysis for your IdM deployment plans.

Quantifies the quality of privileges assigned to users:
No Privileges - users that do not have any resources (possibly dead accounts, or
accounts of users that no longer work for the company).
Suspected Collectors - users that have many suspected resources, possibly
associated with a past role.
Suspected Privileges - users that do not seem to fit the overall pattern of
other users with the same resources.

INPUTS
- A complete set of users, resources, and privileges, for a subset of up to
  10,000 users, in a specified flat file format.
- A reference, usually a local administrator, to help review and decipher the
  results of analysis and audit alerts.

Quantifies the number of role definitions that have twins in terms of their
assigned privileges (100% overlap), or almost twins (90% and 70% respectively).
Such role definitions are likely redundant and could possibly be merged.

DELIVERABLES
- Identification of a few exceptions and deviations.
- Analysis of existing role definitions.
- Role definitions for a few identified roles.
- A partial Sage AuditCard report.
- Some estimates of the complexity of IdM deployment and the role engineering
  project.
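
The privilege-quality and twin-role measures described above can be reproduced on a small export. This is an added example, not NetworkingPS or Eurekify code: the `kind,name,resources` flat-file layout, the sample data and the use of Jaccard overlap as the twin metric are assumptions, and it covers only the "No Privileges" category and the 100%/90%/70% twin bands.

```python
import csv
import io
from itertools import combinations

# Constructed sample export. Assumed layout (not the vendor's format):
#   kind,name,semicolon-separated resources
SAMPLE = """\
user,alice,r1;r2;r3
user,bob,r1;r2
user,carol,
user,dave,h1
role,FIN_A,r1;r2;r3;r4;r5;r6;r7;r8;r9;r10
role,FIN_B,r10;r9;r8;r7;r6;r5;r4;r3;r2;r1
role,FIN_C,r1;r2;r3;r4;r5;r6;r7;r8;r9
role,FIN_D,r1;r2;r3;r4;r5;r6;r7
role,HR,h1;h2
"""

def parse(text):
    """Return ({user: resources}, {role: resources}) from the flat file."""
    tables = {"user": {}, "role": {}}
    for kind, name, items in csv.reader(io.StringIO(text)):
        resources = {r.strip() for r in items.split(";") if r.strip()}
        tables[kind.strip()].setdefault(name.strip(), set()).update(resources)
    return tables["user"], tables["role"]

def no_privilege_users(users):
    """Accounts holding no resources at all (possible dead accounts)."""
    return sorted(u for u, res in users.items() if not res)

def role_twins(roles, bands=(100, 90, 70)):
    """Role pairs whose overlap |A & B| / |A | B| reaches a band (highest first)."""
    # Jaccard overlap is an assumption; integer math avoids float edge errors.
    found = []
    for (a, ra), (b, rb) in combinations(sorted(roles.items()), 2):
        union = len(ra | rb)
        if not union:
            continue  # two empty roles carry no evidence of overlap
        shared = len(ra & rb)
        band = next((p for p in bands if 100 * shared >= p * union), None)
        if band is not None:
            found.append((a, b, band))
    return found

if __name__ == "__main__":
    users, roles = parse(SAMPLE)
    print("no privileges:", no_privilege_users(users))
    print("twin roles:", role_twins(roles))
```

Pairs in the 100% band are candidates for merging outright; the 90% and 70% bands need a reviewer to decide whether the differing resources are intentional.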

Sage ERM Product Suite
Eurekify's Sage ERM Product Suite is designed to manage the lifecycle of role
definitions for role-based management environments. Sage ERM’s functionality
includes:
- Bottom-up role engineering, referring to the process of "reverse engineering"
  an existing set of privileges in order to arrive at role definitions that
  reflect the current privileges assignment practices
- Top-down role engineering, referring to the process of defining roles from
  scratch, e.g., based on analysis of business processes, or based on roles
  that are defined for a part of the organization, e.g., in a specific platform
  or application
- Role-based auditing, referring to the process of identifying exceptions and
  deviations in an existing set of privileges (and role definitions, if
  existing)
- Compliance, referring to the process of identifying violations of pre-defined
  policies, each of which is defined as a set of rules and constraints on top of
  the role-based privileges structure.

Sage is applicable to all Identity Management systems, as well as other
privileges management systems, e.g., mainframe security systems, enterprise
directories, and other enterprise applications.


Compliance Manager
Eurekify Compliance Manager is used to help enterprises create and maintain a
role-based privileges model. For several years, role-based privileges management
has been considered best practice within systems and applications, as well as
across platforms and in Identity Management systems. Role-based privileges
management is also mandated in several regulations and company policies and best
practices. With Eurekify, you can leverage proven analytical capabilities to
quickly create a role model that best fits your organization's needs and
practices. The same technology also provides invaluable support to the
analytical and business processes that will keep your role model up to date and
in sync with business changes. Eurekify can also be applied to individual
systems to create and maintain a well-managed user group structure.

Eurekify Compliance Manager is simple to deploy and quick to master, allowing
you to:
- Easily browse and click-query privileges and role definitions across systems
  and applications
- Effectively construct an enterprise role-based privileges model
- Use analytics to easily review and adapt the role model to ongoing business
  and IT changes
- Quickly set up a web-based collaborative environment for role definition,
  role approval, and role management processes, supported by Eurekify’s
  pattern-based analytics
- Establish real-time analytical decision support for privileges management
  processes that take place in an Identity Management system and in other
  corporate workflow systems
- Integrate role management with virtually any Identity Management suite, and
  any target system
- Utilize role management at any level of privileges granularity

When to use Compliance Manager:
- Use to define a role model for Identity Management and automated Provisioning
- Use to review an existing role model within a platform or application
- Use to periodically review and adapt a role model to business changes
- Use to provide real-time analytical support to privileges management
  processes that occur in Identity Management and other corporate workflow
  systems
- Use to implement role approval and privileges recertification campaigns
- Use to implement effective ongoing role management business processes


Quality Manager
Eurekify Quality Manager is used to help enterprises improve and ultimately
maintain the quality of privileges across systems and applications. Recent
research among large enterprise users has shown that one in three or four
privileges is typically incorrect. The same research has also shown that 20-50%
of user groups are redundant, outdated, or otherwise unnecessary. With Eurekify
Quality Manager, you can harness Eurekify’s outstanding analytical capabilities
to audit, review, and correct privileges in virtually any system, and at
virtually all levels of granularity.

Eurekify Compliance Manager is simple to deploy and quick to master, allowing
you to:
- Easily browse and click-query privileges and role definitions across systems
  and applications
- Quickly audit, review, and correct privileges in any and all systems
- Apply quality management to any computing platform, enterprise application
  or identity management system (including homegrown and legacy applications)

When to use Quality Manager:
- Use to periodically assess and quantify the current quality of privileges
- Use in privileges cleanup projects
- Use to prepare for Identity Management deployment
- Use regularly to address audit points related to privileges quality
- Use periodically in privileges attestation projects
- Use in compliance efforts, together with Eurekify Compliance Manager
- Use in role engineering and role management efforts, with Eurekify Role
  Manager


Single Platform Solutions
Organizations need to manage privileges and access rights according to their
business needs while making sure they are aligned with security requirements as
well as internal policies and external regulations. The challenge is enormous
when addressing frequent business changes and piles of wrong assignments that
have accumulated over the years. Eurekify also offers many out-of-the-box single
platform modules to implement role-based management on virtually all major
enterprise platforms and applications.

Sage Single Platform provides out-of-the-box solutions for the following
systems:
- RACF, ACF2, Top Secret, ERP, Unix, MS Active Directory, LDAP, DB2, Lotus
  Notes, Oracle, Novell eDirectory, iPlanet (Sun One)
- OS 400, Linux, Adabas, Sybase, SQL Server, Siebel, Billing systems, SAP,
  PeopleSoft
*Custom platform solutions are also available

Access data cleanup
Eurekify identifies exceptions and deviations in privileges, allowing rapid
cleanup of wrong assignment data. Sage identifies group duplications and
overlaps and optimizes group definitions.

Role-based privileges management
Eurekify creates group definitions that reflect business practices, and updates
and optimizes existing group definitions, easing privileges administration and
improving IT responsiveness.

Role-based compliance
Eurekify provides automated verification of IT controls and segregation of duty
rules as well as automated privileges certification by business managers. This
facilitates demonstrating compliance with policies and regulations, e.g.,
Sarbanes-Oxley, HIPAA, FERC and Basel II.
