NetworkingPS Role-Based Access Control ...


Background


In an end-to-end Identity Management framework, the span of the provisioning process can extend beyond basic user provisioning activities and can incorporate greater access control mechanisms over each provisioned user. This is the concept of Role-Based Access Control, more commonly known as RBAC. With an RBAC IdM initiative, users are grouped into business roles that correspond to their IT functions, thus giving them the minimum required access to the resources they are entitled to use. NetworkingPS supports a complete RBAC solution through its partnership with CA Technologies using the Eurekify product suite.


A role-based approach to privileges management is widely considered a best practice in the deployment of an effective provisioning system. Most organizations believe RBAC is necessary to unlock the full benefits of Identity Management, and that without this change in paradigm, mismanaged user roles will be amplified by the new privileges automation systems. Yet, 81% of IdM project managers find that existing IdM solutions do not provide adequate tools for the creation and ongoing management of a role-based privileges model.

NetworkingPS' Role Management Offer provides an integrated approach by incorporating the CA Eurekify Role and Compliance Manager (formerly known as Eurekify Sage), which complements and extends the functionality of any existing IdM solution with these new and powerful capabilities. Eurekify is the only solution that provides for the full lifecycle of Enterprise Role Management, making many of the difficult processes feasible through the assistance of unique and patented analytics. Eurekify reflects business needs and ongoing changes into IdM provisioning policies and processes.


Sage Survey

The Sage Survey is a service offering that leverages the entire Eurekify product suite to help customers gain a better understanding of the complexity of their organization’s systems and general requirements for an IdM rollout.

The Sage Survey includes an analysis of the existing privileges that reside within an organization’s various systems; a process that provides the following benefits: 

  • Evaluating the current user environment

  • Assessing and ranking needs/building a solid business case for an IdM

  • Using Sage to explore privileges and run various investigative queries

  • Identifying and quantifying excessive and out-of-pattern privileges

  • Identifying and quantifying duplicate and overlapping group definitions, etc.

  • Discovering privileges that result from flawed provisioning processes

  • "Reverse engineering" role definitions from patterns in existing privileges

  • Reviewing, refining, and optimizing existing role definitions (if existing)

  • Identifying key systems and assessing the complexity of the full IdM project

  • Automating verification of compliance with policies and regulations, such as SOX, HIPAA, GLBA, etc.

A typical Sage Survey project lasts 5-10 days. NetworkingPS will review the relevant platforms and privileges with the client, identifying the systems that are key for IdM deployment.

Based on privileges data for a select part of the organization, from 1-2 platforms of choice, we will perform a standard Survey analysis. The analysis is performed offline, so as not to interfere with any production systems. The analysis will identify dead accounts, excessive privileges, and duplicate user groups. We will then map organizational privileges into common business roles across applications and will demonstrate how they can be used to automate your day-to-day management. We will also try to quantify the complexity of the systems and of the required role engineering project, in order to provide a factual foundation and ROI analysis for your IdM deployment plans.

Quantifies the quality of privileges assigned to users:

No Privileges - users that do not have any resources (possibly dead accounts, or accounts of users that no longer work for the company).

Suspected Collectors - users that have many suspected resources, possibly associated with a past role.

Suspected Privileges - users that do not seem to fit the overall pattern of other users with the same resources.

INPUTS

  • A complete set of users, resources, and privileges, for a subset of up to 10,000 users, in a specified flat file format.

  • A reference, usually a local administrator, to help review and decipher the results of analysis and audit alerts.



Quantifies the number of role definitions that have twins in terms of their assigned privileges (100% overlap), or almost twins (90% and 70% respectively).

Such role definitions are likely redundant and could possibly be merged.
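The privilege-quality and role-twin checks described above, as an added example that is not NetworkingPS or Eurekify code: it runs over a constructed user/resource table and constructed role definitions; the flat-file layout, the peer-based "suspected privilege" rule and the Jaccard overlap measure are assumptions.

```python
from itertools import combinations

# Constructed "user,resource" lines (assumed flat-file layout); erin has no resources.
PRIVILEGES = """\
alice,hr_db
alice,payroll_app
dave,hr_db
dave,payroll_app
dave,fw_admin
erin,
"""
ROLES = {  # constructed role definitions (role -> set of privileges) for the twin check
    "hr_clerk": {"hr_db", "payroll_app"},
    "hr_clerk_old": {"hr_db", "payroll_app"},           # identical: 100% overlap
    "finance": {f"fin_{i}" for i in range(10)},
    "finance_legacy": {f"fin_{i}" for i in range(9)},   # 9 of 10 shared: 90% overlap
}

def load_privileges(text):
    """Parse 'user,resource' lines into {user: set(resources)}; keep users with none."""
    privs = {}
    for line in text.strip().splitlines():
        user, _, res = line.partition(",")
        privs.setdefault(user, set())
        if res:
            privs[user].add(res)
    return privs

def no_privileges(privs):
    """Users holding no resources at all (candidate dead accounts)."""
    return sorted(u for u, r in privs.items() if not r)

def suspected_privileges(privs, min_peer_share=0.5):
    """Flag (user, resource) pairs held by under min_peer_share of the user's peers (assumed rule)."""
    flagged = []
    for user, res in privs.items():
        # peers: other users sharing at least one resource with this user
        peers = [p for p, pr in privs.items() if p != user and pr & res]
        for r in res:
            if peers and sum(r in privs[p] for p in peers) / len(peers) < min_peer_share:
                flagged.append((user, r))
    return sorted(flagged)

def role_twins(roles, thresholds=(1.0, 0.9, 0.7)):
    """Bucket role pairs by privilege overlap (Jaccard) at the 100/90/70% levels."""
    buckets = {t: [] for t in thresholds}
    for a, b in combinations(sorted(roles), 2):
        overlap = len(roles[a] & roles[b]) / max(len(roles[a] | roles[b]), 1)
        for t in thresholds:
            if overlap >= t:
                buckets[t].append((a, b))
                break
    return buckets
```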


DELIVERABLES

  • Identification of a few exceptions and deviations.

  • Analysis of existing role definitions.

  • Role definitions for a few identified roles.

  • A partial Sage AuditCard report.

  • Some estimates of the complexity of IdM deployment and the role engineering project.


Sage ERM Product Suite

Eurekify's Sage ERM Product Suite is designed to manage the lifecycle of role definitions for role-based management environments. Sage ERM’s functionality includes:

  • Bottom-up role engineering, referring to the process of "reverse engineering" an existing set of privileges in order to arrive at role definitions that reflect the current privileges assignment practices

  • Top-down role engineering, referring to the process of defining roles from scratch, e.g., based on analysis of business processes, or based on roles that are defined for a part of the organization, e.g., in a specific platform or application

  • Role-based auditing, referring to the process of identifying exceptions and deviations in an existing set of privileges (and role definitions, if existing)

  • Compliance, referring to the process of identifying violations of pre-defined policies, each of which is defined as a set of rules and constraints on top of the role-based privileges structure.

Sage is applicable to all Identity Management systems, as well as other privileges management systems, e.g., mainframe security systems, enterprise directories, and other enterprise applications.


Compliance Manager

Eurekify Compliance Manager is used to help enterprises create and maintain a role-based privileges model. For several years, role-based privileges management has been considered best practice within systems and applications, as well as across platforms and in Identity Management systems. Role-based privileges management is also mandated in several regulations, company policies, and best practices. With Eurekify, you can leverage proven analytical capabilities to quickly create a role model that best fits your organization's needs and practices. The same technology also provides invaluable support to the analytical and business processes that will keep your role model up to date and in sync with business changes. Eurekify can also be applied to individual systems to create and maintain a well-managed user group structure.

Eurekify Compliance Manager is simple to deploy and quick to master, allowing you to:

  • Easily browse and click-query privileges and role definitions across systems and applications

  • Effectively construct an enterprise role-based privileges model

  • Use analytics to easily review and adapt the role model to ongoing business and IT changes

  • Quickly set up a web-based collaborative environment for role definition, role approval, and role management processes, supported by Eurekify’s pattern-based analytics

  • Establish real-time analytical decision support for privileges management processes that take place in an Identity Management system and in other corporate workflow systems

  • Integrate role management with virtually any Identity Management suite, and any target system

  • Utilize role management at any level of privileges granularity

When to use Compliance Manager:

  • Use to define a role model for Identity Management and automated Provisioning

  • Use to review an existing role model within a platform or application

  • Use to periodically review and adapt a role model to business changes

  • Use to provide real-time analytical support to privileges management processes that occur in Identity Management and other corporate workflow systems.

  • Use to implement role approval and privileges recertification campaigns

  • Use to implement effective ongoing role management business processes



Quality Manager

Eurekify Quality Manager is used to help enterprises improve and ultimately maintain the quality of privileges across systems and applications. Recent research among large enterprise users has shown that one of three or four privileges is typically incorrect. The same research has also shown that 20-50% of user groups are redundant, outdated, or otherwise unnecessary. With Eurekify Quality Manager, you can harness Eurekify’s outstanding analytical capabilities to audit, review, and correct privileges in virtually any system, and at virtually all levels of granularity.

Eurekify Quality Manager is simple to deploy and quick to master, allowing you to:

  • Easily browse and click-query privileges and role definitions across systems and applications

  • Quickly audit, review, and correct privileges in any and all systems

  • Apply quality management to any computing platform, enterprise application or identity management system (including homegrown and legacy applications)

When to use Quality Manager:

  • Use to periodically assess and quantify the current quality of privileges

  • Use in privileges cleanup projects

  • Use to prepare for Identity Management deployment

  • Use regularly to address audit points related to privileges quality

  • Use periodically in privileges attestation projects

  • Use in compliance efforts, together with Eurekify Compliance Manager

  • Use in role engineering and role management efforts, with Eurekify Role Manager



Single Platform Solutions

Organizations need to manage privileges and access rights according to their business needs while making sure they are aligned with security requirements as well as internal policies and external regulations. The challenge is enormous when addressing frequent business changes and piles of wrong assignments that have been gathered through the years. Eurekify also offers many out-of-the-box single platform modules to implement role-based management on virtually all major enterprise platforms and applications.

Sage Single Platform provides out-of-the-box solutions for the following systems:

  • RACF, ACF2, Top Secret, ERP, Unix, MS Active Directory, LDAP, DB2, Lotus Notes, Oracle, Novell eDirectory, iPlanet (Sun One)

  • OS 400, Linux, Adabas, Sybase, SQL Server, Siebel, Billing systems, SAP, PeopleSoft

  * Custom platform solutions are also available.

Access data cleanup

Eurekify identifies exceptions and deviations in privileges, allowing rapid cleanup of wrong assignment data. Sage identifies group duplications and overlaps and optimizes group definitions.

Role-based privileges management

Eurekify creates group definitions that reflect business practices, and updates and optimizes existing group definitions, easing privileges administration and improving IT responsiveness.

Role-based compliance

Eurekify provides automated verification of IT controls and segregation of duty rules as well as automated privileges certification by business managers. This facilitates demonstrating compliance with policies and regulations, e.g., Sarbanes-Oxley, HIPAA, FERC and Basel II.
