Dell One Identity Manager - True Identity Governance Administration

Identity, Governance and Administration as forefront of IT Security model: European and North American Experience
Vladislav Shapiro
Director of Identity Practice – IGA
Dell/Immersion Consulting
Established in 1995, Orient Logic is a leading IT company and system integrator in Georgia.
Discussion points
• Current state of affairs in IT Security
• Basics of Identity Governance Administration
• Connecting the dots: agile I-G-A
• Use cases – Government of Austria, Bayern Department of Justice and State of Alabama
Current State of Affairs in IT Security
IT Security realities of today
• Change of focus: from protecting the perimeter (external only) to the governance of the whole infrastructure (internal and external)
• Change of mentality: from “castle under siege” to “enemy is already here”
• Main external goal: advanced threat protection
• Main internal goal: IGA – Identity Governance and Administration
• Shift from purely technical solutions to solutions focused on business and human factors
WHO ARE THE “BAD GUYS”?
ATTACKS ALWAYS RELY ON INTERNAL PROCESS FLAWS
• No established business process for granting rights to individuals
• Lack of governance, access controls and monitoring
• No actionable reporting
IGA SHOULD BE READY FOR ADVANCED THREATS
Best response practice: ATR + IGA
[Diagram: ATR incident response flow with the stages Pre-Incident Preparation, Detect, Triage, Collect Data (Volatile Data, Forensic Dup., Network Traffic), Perform Analysis, Take Action: Admin and Legal, Reporting, and Remediation: Technical Recovery from the Incident; labels: Incident Occurs: Point-In-Time or Ongoing, Status Reporting. The stages send data feeds to the Identity Governance and Administration central authority. IGA side: Identity Data Sync, Account checks, Access freeze, Risk-based provisioning, Notifications, access restore and provisioning, acting on Targets/Applications/Devices.]
Basics of Identity Governance and Administration (IGA)
Three dimensions of IGA
• I - Identity Management
• G - Governance, Risk and Compliance (GRC)
• A – Administration – Access Management and Provisioning
Main challenge: connect all three components so that they work as one
Three forces of IGA in your enterprise
• Identity owners (HR, Identity suppliers) - I
– Responsibilities: manage identities, organization charts
– Goal: make sure that identity and organization information is up to date
• Business owners (C-level managers, PM, compliance officers) - G
– Responsibilities: manage all business-related matters, including governance, risk and compliance
– Goal: make business successful and customers happy
• Technology owners (System admins, DB admins, etc.) - A
– Responsibilities: support business with technology
– Goal: All systems should be up and running 24-7 with no downtime
Identity Posture - how to evaluate
• Identity Posture is about how connected and in sync the three forces are
– Three forces collaboration
– Maturity of each force
• Identity Posture is about measuring the maturity of
– Identity model
– Governance model
– Administration model
• Identity Posture is about how the enterprise can handle CHANGES
– Identity updates
– Governance processes restructuring
– Administration redesigning
Connecting the dots – agile IGA
Connected I-G-A goal – be agile
• All elements are connected into one solution where each responsible person is a contributor to the system
• Each contributor has the means to configure his/her own IGA elements within his/her knowledge
• An IGA project should have short phases with clear, achievable milestones
[Diagram: Identity (I), Governance (G) and Administration (A) shown as connected elements]
Identity goal – enterprise visibility
Managers should easily see all the entitlements of an employee in one clear view
• Actionable
• All logical, physical systems, resources and assets.
Identity goal – separate business and technical views
• Business view
• Technical view
Governance goal – give dashboard views for current status visibility
Managers should easily find the overall and specific status of requests and processes in the system
Governance goal – access granting history audit
People responsible for auditing should be able to see the history of assigning access and entitlements to individuals
Governance goal – approval workflow builder
Approval workflows should be built by the same people who are responsible for the granting process using regular tools, not scripts
Use Cases
Government of Austria
• Central portal for Austrian citizens' requests
• Central business workflow engine for handling requests
• Monitoring automation and actionable reports
Bayern Department of Justice
• Internal personnel IGA: access control, governance and attestation
• Centralized policy engine
• Advanced threat protection: external and internal
• Constant activity monitoring and actionable reports
State of Alabama
• State of Alabama was breached in 2012
– Millions of data records were stolen
– State Web site was disabled
– IT operations were paralyzed
• IT Security and IGA solution
– Advanced threat detection software
– IGA full suite solution
– Privileged access manager
• Security and IGA education of the personnel