DTT RBAC Presentation 20080724


Transcript of DTT RBAC Presentation 20080724

  • 8/14/2019 DTT RBAC Presentation 20080724

    1/41

    "The Time Has Come".Identity & Access Management, Role Management& Role-Based Access Control

    Matthew Collinson

  • Slide 2/41

    2 "The Time Has Come" 2008 Deloitte Touche Tohmatsu

    Why are we here today?

    Traditional models of access control consist of point or application-specific solutions that make management, reporting and compliance extremely costly and unwieldy.

    Moving to Identity & Access Management, Role Management (RM) and Role-Based Access Control (RBAC) brings the focus back to the business by defining access purely in terms of business requirements.

    It streamlines the user access lifecycle, simplifies the enforcement of Segregation of Duties (SoD) and supports the organisation's reporting and compliance activities.

  • Slide 3/41

    This Session's Agenda

    Identity & Access Management: an overview

    IAM Business Case Example

    Access control: today's business challenges

    What are RM & RBAC?

    Who are the stakeholders?

    What are the benefits?

    Dos & Don'ts

    Deloitte Methodologies: a snapshot

  • Slide 4/41

    Identity & Access Management: an overview

  • Slide 5/41

    Definitions: Identity

    Identity (Digital Identity): the digital representation of a user, including a unique identifier, credentials, common profiles and entitlements.

    The complete digital identity of an individual may be scattered across multiple repositories within an enterprise, with no hard links between the various pieces.

    Person:
    - Core Identity Attributes: First Name, Last Name, Unique Identifier
    - Account Credentials: Login ID and password, SecurID card, other strong authentication factors
    - Common Profiles: Job, Functional Roles, Business Unit, Office Location, Manager/Supervisor
    - Entitlements: Permission levels, access rights, access control items

    [Diagram: User's Digital ID, with an example entitlement matrix of SharePoint Services (version 3) permission levels (Limited Access, Read, Contribute, Design, Full Control) against access control items such as View Items, Open Items, Delete Items, Approve Items, View Versions, Delete Versions, Cancel Checkout and Manage Personal Views]

  • Slide 6/41

    Definitions: Authentication, Authorization

    Authentication: the process of establishing the validity of an identity claim

    Gets you in the front door

    Authorization: the process of determining the appropriate rights and privileges for a given identity

    Determines what you are allowed to touch/see, once inside

    Multi-factor authentication: using a combination of two or more factors (something you know/have/are) to authenticate a user to achieve a higher level of authentication assurance

    Note: Username and password does not count as two-factor authentication!

  • Slide 7/41

    Definitions: SSO, Federation

    SSO (Single Sign On, a.k.a. Reduced Sign-On, Simplified Sign-On)

    Access control method which enables a user to authenticate once to gain access to multiple systems

    Identity Federation

    Standards-based method of exchanging identity information across autonomous security domains (organizations)

    Facilitates SSO across separate enterprises or security domains

    [Diagram: federation between the enterprise and a Vendor security domain]

  • Slide 8/41

    Definition: Identity and Access Management

    Identity and Access Management (IAM) is a set of business processes, information, and technology for the creation, maintenance and use of people's digital identities within the bank and eventual termination of that identity in a controlled and secure manner.

  • Slide 9/41

    IAM Services Conceptual View

  • Slide 10/41

    IAM: Business value perspective

    Security & Risk Management
    - Consistent security policy enforcement and automated controls (protection of customer data)
    - Identity lifecycle administration (accurate and timely terminations and access management)
    - Improved privacy and regulatory compliance
    - Effective logging, comprehensive auditing and timely reporting
    - Managing business risks through effective and demonstrable controls

    Business Facilitation
    - Reduced Sign-On, registration and password self-services for internal users
    - Consistent and streamlined user provisioning processes with automated workflow (escalation and approval points)
    - Business integration and large technology roll-outs
    - Improved user experience and business integration capabilities: build once, deploy often

    Operational Efficiency
    - Improved service levels (user management and provisioning) and good quality of service
    - Streamlined security administration & reporting
    - Flexible infrastructure for rapid deployment of applications (enablement of shared services and Service-Oriented Architecture)
    - Efficient operations, high quality services: better, faster, cheaper

    Cost
    - User productivity cost savings due to quicker provisioning processes, reduced time for password re-sets and Single Sign-On
    - Reduced cost of user administration and provisioning, helpdesk (password management) and security administration (auditing, reporting)
    - Avoiding uncoordinated and overlapping application development efforts
    - Cost and productivity impacts: deliver more for less

  • Slide 11/41

    IAM Program - Key Success Factors

    Recognize business ownership of IAM

    Recognize the size of the problem:
    - Inventory of identity objects
    - High ratio of accounts to individuals

    Build a clearly defined, realistic roadmap which:
    - Leads towards the target architecture: common/re-usable services
    - Leverages good work already done, or in flight
    - Allows for better decision making
    - Results in cross pollination of strategies allowing for more enterprise-focused, scalable solutions

  • Slide 12/41

    IAM Business Case Example

  • Slide 13/41

    Our analysis of business needs indicated that Identity and Access Management problems need to be addressed and the time is right now.

    Business Problems: Observations

    User Experience
    - Delay in onboarding (user access provisioning) causes unacceptable loss of productivity.
    - BUs are constantly asking for the ability to manage groups and roles for their users.
    - Too many IDs and passwords to remember.
    - Users are frustrated with login and password issues when dealing with externally hosted applications.

    Application Delivery
    - Many applications require user profile/group management capabilities. In the absence of an enterprise solution, they develop tactical solutions.
    - Tactical solutions increase overall spend and complicate the existing IT challenges.
    - Simplified Sign-On is a common requirement for applications, but there is no enterprise solution.

    Risk and Compliance
    - Audit finding: current user administration processes are not consistent and lack effective controls.
    - Lack of automated role/group assignment for users results in excessive privileges (accumulated access).
    - Access control mechanisms developed by individual applications are inconsistent, difficult to manage and report on (to demonstrate compliance).

    Enterprise Solution
    - Provisioning Service: automated creation, modification and deletion of user accounts and related access attributes.
    - Federated Sign-On: provides seamless authentication across organizations, where a 3rd party application relies on Client credentials.
    - Web Access Management: provides Simplified Sign-On and policy-based access control to Intranet or web resources.
    - User Management Service: allows end users to manage their profile/access information via self-service or delegated administration (i.e. designated managers) interfaces.

  • Slide 14/41

    Detailed review and analysis of needs enabled us to prioritize the IAM services based on cost benefit analysis and available alternatives. The Provisioning and User Management Services were identified as a high priority.

    IAM Services: Key Findings and Priorities

    Identity Management

    User Management Service (Priority: High)
    - Large potential for cost savings
    - Significant contribution to efficient application delivery (as a key shared service in the SOA framework)
    - No existing solutions or viable alternatives.

    Provisioning Service (Priority: High)
    - Large potential for cost savings
    - Significant contribution to risk management & compliance
    - No existing solutions or viable alternatives.

    Access Management

    Federated Sign-On (Priority: Medium)
    - Some potential for cost savings, mostly in application delivery
    - Enterprise-wide adoption could be challenging due to difficulties with external application integration (multiple vendors).
    - Point solutions are being considered to address immediate needs.

    Web Access Management (Priority: Low)
    - Low potential for cost savings.
    - There are alternative (low cost) solutions to address SSO.
    - The Intranet Strategy makes the need for this service less compelling.

  • Slide 15/41

    The implementation of the Provisioning and User Management services will require $13.1M of investment over 5 years, which includes $2M of one-time process/application integration costs and $0.9M of annual run costs.

    Incremental Solution Costs over 5 years (Value in $M)

    One-time:
    - Hardware (Capital): 0.5
    - Software (Capital): 1.3
    - External Consulting (Non-Capital Expenses): 2.2
    - Internal FTE Expenses (Non-Capital Expenses): 1.0
    - Integration Costs (Non-Capital Expenses): 2.0
    - One-time Total: 7.0

    Annual:
    - Hardware & Software Maintenance: 0.3
    - Operational Run Costs: 0.9
    - Annual Total: 1.2

    Total Notional Costs (over 5 years): 13.1
    Annual Costs (over 5 years): 6.2
    One-time Total (year 0): 7.0

    Assumptions
    - 24 Intel/Linux servers costing $20,000 will be used as a hardware/OS platform to run all core components of the solution.
    - Annual hardware capitalization and overhead are estimated at 55% of total hardware costs, plus 4 FTEs at $150K/year for ongoing support.
    - Provisioning software will be required for 50,000 users at $25 per user (based on industry average price).
    - Approximately 3 external consultants for 55 weeks will be required.
    - Internal project team will include Project Manager, Architect and implementation/testing specialists at an average cost of $100/hr.
    - Application integration and process integration will require involvement of internal staff outside of the project team, estimated at 8 FTEs.
    - Hardware maintenance cost is estimated at 10% of Hardware Cost and Software maintenance cost is estimated at 20% of Software Cost.

  • Slide 16/41

    Cost benefits, which are estimated at $4.3M/year, result from productivity cost savings and reduction of Vendor costs, due to the automation in access provisioning, password management and access administration.

    Annual Incremental Benefits (Value in $M, low - high estimate)

    Provisioning:
    - User Productivity Cost Savings (faster on-boarding): 1.5 - 4.5
    - Reduction of Vendor FTEs (Access Provisioning): 0.6

    User Management:
    - Reduction of Vendor Workload (Password Management): 2.0 - 2.2
    - Reduction of Vendor FTEs (Access Administration): 0.2

    Total Annual Benefits: 4.3 - 7.6
    Total Benefits (over 5 years): 19.1 - 33.9

    Benefits Calculations / Assumptions
    - At a minimum, 1 day of delay can be eliminated by implementing an automated provisioning system, resulting in an on-going productivity savings of $1.5M/year.
    - Approximately 13,475 non-retail employees are transferred or hired every year and on-boarding takes approximately 5-21 days. While 50% of the time spent by new employees and transferees is on reviewing manuals, training, orientation, etc., the remaining 50% are assumed to be unproductive. Average employee salary is assumed to be $30 per hour.
    - With the implementation of the provisioning solution, services provided by 4 FTEs (access services at Vendor, including login ID creation) would not be required. Currently, the access provisioning team at Vendor includes 18-20 FTEs. Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 p.a.
    - With the implementation of Delegated Administration, services provided by 1 FTE (access administration at Vendor) would not be required. Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 per annum.
    - Using self-service password reset functionality, the request volume for help desk password resets would reduce by 90%. This will yield approximately $2M/year in cash flow savings.
    - Approximately 168,000 password reset requests per year are processed by Vendor for Active Directory, Email, Host, Novell, RLAN and Web Based Applications. Average cost of processing one password request is $15. It is assumed that the benefit realization will be 50% for the first year and 75% for the second year. From year 3 the benefit realization is assumed to be 100%.

    Notes:
    1. For most benefits, the benefit realization for first year is assumed to be less than 100%.
    2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a more optimistic calculation.

  • Slide 17/41

    The implementation of the Provisioning and User Management services forms a compelling business case: 3.5 years pay back and Net Present Value of cash flow is estimated at $3.4M, as the most conservative estimate.

    Incremental Costs and Benefits over 5 years (Value in $000)
    - Total Notional Costs: $13,137
    - Total Discounted Costs (1): $12,026
    - Total Benefits (2): $19,139 - $33,854
    - Total Discounted Benefits (1, 2): $15,466 - $27,341
    - Net Present Value of Cash Flow (1, 2): $3,439 - $15,315
    - Return on Investment: 22% - 62%
    - Discounted Cash Flow Payback (1, 2): 3.5 yrs - 1.75 yrs

    Notes:
    1. The Weighted Cost of Capital is assumed to be 7%.
    2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a more optimistic calculation.

    [Chart: Cumulative Costs and Benefits, 2007-2012, plotting Cumulative Discounted Investment, Cumulative Discounted Benefits and Cumulative Net Value on a scale from (15,000,000) to 20,000,000]

  • Slide 18/41

    In addition to significant financial returns, the implementation of the Provisioning and User Management services will contribute to better business facilitation, enhance application delivery capabilities and improve compliance and risk management posture of Client.

    Qualitative Benefits

    User Experience
    - Faster on-boarding process leading to improved user experience and productivity.
    - Increased end-user productivity and better user experience (due to delegation and self-service).

    Application Delivery
    - Reduced cost of tactical solutions development and avoiding unnecessary support costs.
    - Flexible SOA infrastructure for rapid deployment of applications.

    Risk and Compliance
    - Improved compliance and risk management posture due to automated and effective controls for identity life cycle administration (timely de-provisioning).
    - Streamlined security administration and audit/compliance reporting.
    - Improved data quality and integrity for identity information.
    - Improved application access controls due to more accurate and timely role/group assignment in applications.

  • Slide 19/41

    In order to maximize business benefits and achieve quick wins, our recommendation is to start with the Provisioning Service, then proceed with the Password Self-service and continue with the Role-based Access Provisioning and Delegated Administration.

    Implementation Roadmap

    1. Provisioning: Core User Provisioning
       Scope: Integration with (connectors to) ACF2, AD, ED, Novell; feed from PeopleSoft (events); basic workflows, basic roles; UI only for Administrators.
       Benefits: Faster on-boarding process, productivity gain $1.5M/yr; increased productivity and employee satisfaction.

    2. User Management: Password & Identity Self-Service
       Scope: Password synchronization for all connected platforms, initiated from the provisioning engine; password change self-service; password re-set self-service (forgotten password function); identity self-service to update basic attributes (contact info).
       Benefits (cumulative): Reduced FTE (Vendor costs) for Password Management, $0.5M/yr; improved user experience; plus the benefits of step 1.

    3. Provisioning: Role-based Access Provisioning
       Scope: Job codes from PeopleSoft are mapped to enterprise roles; multiple BU-specific roles are defined and mapped to specific access entitlements (e.g. AD groups, ED groups, etc.); complex workflows for approval, RFI and notification.
       Benefits (cumulative): Reduced FTE (Vendor costs) for Access Provisioning, $0.5M/yr; automated controls for identity lifecycle administration; streamlined reporting and improved regulatory compliance posture; plus the benefits of steps 1 and 2.

    4. User Management: Delegated Administration
       Scope: Administrative roles are defined to allow for multiple tiers of administration; Delegated Administration UI; access controls are defined so that delegated administrators manage only users (and attributes) in their scope.
       Benefits (cumulative): Reduced FTE (Vendor costs) for Access Administration, $0.2M/yr; reduced cost of application development (SOA services); plus the benefits of steps 1 to 3.

  • Slide 20/41

    It was identified that many projects and initiatives across Client are asking for Identity Management and Access Management capabilities.

    IAM Business Needs

    IAM services:
    - Identity Management: User Management Service (Delegated Administration, Identity Self-service, Password Self-Service); Provisioning Service (Role-based access provisioning, Workflow, Core User Provisioning, Auditing & Reporting)
    - Access Management: Web Access Management (Authorization, Authentication, Secure Token Svc); Federated Sign-On (Authentication, Secure Token Svc, Monitoring & Reporting)

    Specific Business Needs
    - Multiple applications require User Profile & Group Management capabilities. Role-based Access Control is the strategic vision at Client.
    - Business units want to control assignment of roles/groups to their users, hence require delegated administration.
    - Current provisioning & de-provisioning processes are not consistent, not timely and lack automation, as reported in audit findings.
    - Access provisioning processes require automation to eliminate manual steps and the resulting high set-up costs.
    - Business units are asking for a faster on-boarding process for their employees.
    - Over 150 external applications deliver some sensitive data that can be accessed from home without involving Client authentication. Robust authentication controls are required.
    - Risk and audit concerns related to gaps in de-provisioning processes for externally hosted applications (e.g. Iron Mountain).
    - Users are frustrated with numerous credentials required for externally-hosted applications.
    - Seamless authentication and access control mechanisms are required to provide granular and selective access to Intranet and web resources.
    - Intranet Portal roadmap requires SSO and Access Management.
    - Simplified Sign-On from desktop is a business requirement for many application projects.

  • Slide 21/41

    The Identity and Access Management services have various sets of associated benefits; however some services have less compelling cost benefits and already have alternative strategies in place to address the priority needs.

    IAM Services: Analysis of Benefit Drivers and Alternatives

    Drivers / Benefit Categories rated for each service: Cost Savings, User Productivity, Risk / Compliance. Legend: Low, Medium or High degree of compelling benefits. [The per-service ratings were colour-coded on the original slide and are not recoverable from the transcript.]

    Identity Management

    User Management Service
    - Solution Costs: One Time = Provisioning + $1.6M; Annual Run = Provisioning + $0.4M; Application Integration $0.9M
    - Alternatives: Some tactical solutions in Retail, Wealth and Intranet Portal to manage user profiles and group information. No alternatives at the Enterprise level.

    Provisioning Service
    - Solution Costs: One Time $3.4M; Annual Run $0.8M; Process Integration $1.1M
    - Alternatives: No viable alternatives to perform automated identity lifecycle.

    Access Management

    Federated Sign-On
    - Solution Costs: One Time $2.5M; Annual Run $0.7M; Application Integration $0.7M
    - Alternatives: Some proprietary mechanisms are currently in use to achieve SSO across external domains. Point solutions are being considered to address immediate needs.

    Web Access Management
    - Solution Costs: One Time $2.7M; Annual Run $0.6M; Application Integration $1.1M
    - Alternatives: The current strategy is to use Kerberos/SPNEGO. The Intranet Portal strategy will be able to provide access control to Web applications and resources at the portal level.

  • Slide 22/41

    Access Control: Today's Business Challenges

  • Slide 23/41

    Today's Business Challenges

    Operational Inefficiencies
    - Delay in getting required and correct access, leading to loss of productivity
    - Complex approval processes requiring multiple personnel and manual workarounds: increased cost of operations

    Compliance Management
    - Challenges in establishing the right access to the right people
    - Resource intensive attestation process
    - Challenges in identifying job functions and enforcement of SoD
    - Multiple reporting systems

    IT & Business Alignment
    - Inconsistency in application of Enterprise Security policies and processes across disparate systems
    - Effective Change Management

  • Slide 24/41

    What are RM and RBAC?

  • Slide 25/41

    How do we define role?

    A role defines functions performed by and access privileges granted to a group of users sharing the same job, position or performing the same tasks.

    [Diagram] Employee's Role: Supervisor
    - Functions: Approve Invoices, Monitor Staff
    - Access Privileges (Base Access): System, Directory, Database, E-mail, Internet

  • Slide 26/41

    Types of Roles: Job vs. Function

    Job Roles
    - Roles based on Job Title, e.g. Supervisor Role, Service Associate Role, Analyst Role
    - Example: Many Users to One Job Role (User 1, User 2, User 3 -> Supervisor)

    Function Roles
    - Roles based on Job Function, e.g. Approve Invoices Role, Monitor Staff Role, Report Status Role
    - Example: Many Users to Many Function Roles (User A, User B, User C -> Approve Invoices, Monitor Staff, Report Status)

  • Slide 27/41

    Role-Based Access Control (1)

    A method of defining, managing and enforcing access control privileges through the use of roles between end user and permission assignments.

    Today's Access Control: by process
    - User(s) -> Request -> Process 1 / Process 2 / Process 3 -> Permissions (direct assignment)

    Tomorrow's Access Control: RBAC
    - User(s) -> Request -> Role(s) -> Permissions

  • Slide 28/41

    Role-Based Access Control (2)

    RBAC is a mechanism which limits resource access (system, application etc.) based on a user's job functions.

    Users do not own objects for which they are allowed access.

    Access rights are granted via roles, which serve as a layer of abstraction between users and IT objects.

    Protection policies are unavoidably imposed on all users: there is no concept of a superuser.

    Users (n:n) Roles (n:n) Privileges (n:n) Operations on Resources
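    As an added worked example (not part of the Deloitte deck), the following Python models the user -> role -> privilege -> operation/resource chain described on this and the preceding slides, and applies it the way the roadmap's Role-based Access Provisioning step does: an HR job-code event selects the enterprise role, entitlements are derived only through roles (no direct grants, no superuser), a job change revokes the old job's access instead of accumulating it, and a delegated-administration grant is refused when it would break a Segregation of Duties pair. The job codes J100-J300, the user names, the operation/resource pairs and the extra function role "Submit Invoices" are constructed for illustration; the job and function role names otherwise follow slides 25 and 26.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A privilege is an operation on a resource: users -> roles -> privileges -> operations/resources.
Permission = Tuple[str, str]

# Function roles carry the concrete entitlements (constructed operation/resource pairs).
FUNCTION_ROLE_PERMS: Dict[str, Set[Permission]] = {
    "Base Access":      {("logon", "directory"), ("read", "e-mail"), ("browse", "internet")},
    "Approve Invoices": {("approve", "invoices")},
    "Submit Invoices":  {("create", "invoices")},   # constructed, not on the slides
    "Monitor Staff":    {("read", "staff-reports")},
    "Report Status":    {("create", "status-reports")},
}

# Job roles (many users to one job role) are composed of function roles.
JOB_ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Supervisor":        {"Base Access", "Approve Invoices", "Monitor Staff"},
    "Service Associate": {"Base Access", "Submit Invoices", "Report Status"},
    "Analyst":           {"Base Access", "Report Status"},
}

# Hypothetical HR job codes (the PeopleSoft feed in the roadmap) mapped to enterprise roles.
JOB_CODE_TO_ROLE: Dict[str, str] = {"J100": "Supervisor", "J200": "Service Associate", "J300": "Analyst"}

# Static Segregation of Duties: no user may hold both function roles of a pair.
SOD_PAIRS: List[Tuple[str, str]] = [("Submit Invoices", "Approve Invoices")]


@dataclass
class RoleStore:
    """User -> job roles (n:n). There are no direct user -> permission grants and no superuser."""
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)


def functions_of(job_roles: Set[str]) -> Set[str]:
    return set().union(*(JOB_ROLE_FUNCTIONS[r] for r in job_roles))


def permissions_of(job_roles: Set[str]) -> Set[Permission]:
    return set().union(*(FUNCTION_ROLE_PERMS[f] for f in functions_of(job_roles)))


def sod_violations(job_roles: Set[str]) -> List[Tuple[str, str]]:
    funcs = functions_of(job_roles)
    return [pair for pair in SOD_PAIRS if pair[0] in funcs and pair[1] in funcs]


def is_permitted(store: RoleStore, user: str, operation: str, resource: str) -> bool:
    """Authorization decision made only through roles; an unknown or terminated user gets nothing."""
    return (operation, resource) in permissions_of(store.user_roles.get(user, set()))


def apply_hr_event(store: RoleStore, user: str, job_code: Optional[str]) -> Dict[str, Set[Permission]]:
    """Role-based provisioning from an HR event (job_code None means termination).
    The user's roles are replaced by the role for the new job code, so access from the old job
    is revoked rather than accumulated. Returns the entitlement diff for the audit trail."""
    old_roles = store.user_roles.get(user, set())
    new_roles: Set[str] = set() if job_code is None else {JOB_CODE_TO_ROLE[job_code]}
    old_perms, new_perms = permissions_of(old_roles), permissions_of(new_roles)
    if new_roles:
        store.user_roles[user] = new_roles
    else:
        store.user_roles.pop(user, None)
    store.audit_log.append(f"hr-event {user}: {sorted(old_roles)} -> {sorted(new_roles)}")
    return {"granted": new_perms - old_perms, "revoked": old_perms - new_perms}


def grant_role(store: RoleStore, user: str, job_role: str) -> bool:
    """Delegated-administration grant of an additional job role, refused when the combined
    function roles would violate an SoD pair. Returns True only if the role was granted."""
    candidate = store.user_roles.get(user, set()) | {job_role}
    conflicts = sod_violations(candidate)
    if conflicts:
        store.audit_log.append(f"refused {job_role} for {user}: SoD conflict {conflicts}")
        return False
    store.user_roles[user] = candidate
    store.audit_log.append(f"granted {job_role} to {user}")
    return True


if __name__ == "__main__":
    store = RoleStore()
    print(apply_hr_event(store, "alice", "J200"))   # hired as Service Associate
    print(grant_role(store, "alice", "Supervisor"))  # False: would combine submit and approve
    print(apply_hr_event(store, "alice", "J100"))   # promoted: invoice creation is revoked
    print(apply_hr_event(store, "alice", None))     # termination: everything revoked
    print("\n".join(store.audit_log))
```

    Running the file replays one user's lifecycle (hire, refused SoD grant, promotion, termination) and prints the entitlement diff each event produces; those diffs are the same information an attestation or audit report would show, and the termination diff is what "timely de-provisioning" on slide 18 refers to.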

  • Slide 29/41

    Who are the stakeholders?

  • Slide 30/41

    Stakeholder Groups

    - User Administration
    - IT Operations
    - CXO
    - End Users
    - Application Owners
    - Business Owners
    - IT Audit
    - Enterprise Architecture
    - Human Resources
    - Risk Management
    - Help Desk

    Assessors, Maintainers, Users, Acquirers, Support Staff, Administrators

  • Slide 31/41

    What are the benefits?

  • Slide 32/41

    In the Board Room

    Allows the enterprise to address Pain Points and business initiatives from the IT Manager to the CxO

    Regulatory Compliance
    - SOD requirements
    - Role-based access
    - Least privilege access
    - Real-time visibility and disclosure
    - Basic compliance reporting

    Governance & Security
    - Consistent security policy
    - Immediate system-wide access updates
    - Consistent identity data
    - Automated risk mitigation
    - Enterprise SoD

    Increased Productivity & Cost Reduction
    - Eliminate redundant administration tasks
    - Reduce helpdesk burden
    - Fast employee ramp-up

    Increased Service Level
    - User self service
    - Focused, personalized content
    - Delegated Administration
    - Comprehensive profile view
    - Password management

    Business Facilitation
    - Reach global customers
    - Tighter supplier relationships
    - More productive partnerships

  • Slide 33/41

    At the coal face

    Before:
    - Request for one user, one application at a time
    - Model role after access provided
    - Multiple options to select from to provide user access
    - SOD between applications

    After:
    - Reduced set of access, but approved
    - Role pre-approved: easier to use, streamlined process for access
    - Access defined in business terms
    - Easier reporting

  • Slide 34/41

    Dos & Don'ts

  • Slide 35/41

    Dos & Don'ts

    The effectiveness of an RM / RBAC implementation is dependent upon your ability to get the project moving, successfully completing development, and institutionalising RBAC in your culture.

    - Accept the fact that all the information may not be there to start
    - Plan up front with as much detail as you can
    - Implementing RBAC requires the convergence of business and technology, with the emphasis on business
    - Take advantage of communication opportunities with various groups in the organisation
    - Implementing RBAC is a culture-changing event
    - Maintain management support throughout the project

    and finally...

    It's a Journey: you'll learn along the way!

  • Slide 36/41

    Deloitte Methodologies: a snapshot

  • Slide 37/41

    IAMethods™ overview

    IAMethods™ is an iterative, architecture-centric and use case-driven set of processes, procedures, and accelerators for transforming business requirements into delivered solutions. The methodology defines a project lifecycle with phases, threads, work packages and milestones with decision points for aligning the delivered solution with business needs. Emphasis is placed on collaborative definition and validation of stakeholder requirements via early delivery of working prototypes which are developed through iterative steps into the deployed IAM solution.

  • Slide 38/41

    The IAMethods™ Framework

  • Slide 39/41

    Role Management for Enterprise (RM4E) Methodology

    Phases: Inception, Elaboration, Construction, Transition

    Solution Design
    - Define RM4E Vision
    - Design RM4E Conceptual Architecture
    - Establish RM4E Governance Model
    - RM4E Process and Role Design
    - Pilot Group selection
    - Develop enterprise roles for the business units
    - Deploy roles, processes and technology
    - RM4E Pilot Results Summary
    - RM4E Organization Deployment roadmap

    Solution Delivery
    - Evaluate/Select Technology
    - Build Development environment
    - Develop RM4E Deployment framework
    - Develop Knowledge transfer plan
    - Test Processes and technology
    - Prepare Test Report
    - Prepare deployment design
    - Conduct Knowledge transfer
    - Deploy roles, processes and technology in production environment

    Project/Change Management Framework
    - Project Management Framework
    - Change Management Strategy
    - Project & Change Management
    - Detailed Schedule
    - Project closure

  • Slide 40/41

    RM4E Implementation Methodology

    1. Jumpstart
    - Set stage for RBAC implementation
    - Gather and review LOB information
    - Gather, review & assess LOB system access information
    - Begin RM4E implementation

    2. Initial Activities
    - Understand LOB functions and system access
    - Initiate role design
    - Select technology (Role Engineering, Role Lifecycle Management)

    3. Development
    - Conduct detailed role development
    - Design RM4E processes
    - Design technology solution
    - Provide training
    - Test roles, processes and technology

    4. Role Validation & Approval
    - Identify exceptions
    - Finalize roles with all appropriate individuals and groups
    - Obtain approval on roles

    5. Deployment
    - Deploy enterprise roles
    - Deploy RBAC processes, procedures, and guidelines
    - Deploy technology
    - Finalize LOB RBAC implementation

    Key activities: Build roles for organizational groups (standard, repeatable process)

  • Slide 41/41

    Deloitte Touche Tohmatsu, 2008. All rights reserved.

    Liability limited by a scheme approved under Professional Standards Legislation.

    Confidential: This document and the information contained in it are confidential and should not be used or disclosed in any way without our prior consent.