How to successfully implement Identity and Access Governance
Frank Schubert
Senior Product Strategist, RSA Aveksa
©EMC Corporation. All rights reserved.
Step 1: Ask Why? - Assure the right value drivers
Identity & Access Management:
• Increase Visibility and Control of User Access
• Enable Business Users to Make Accurate & Timely Access Decisions
• Reduce Cost of Identity and Access Management
• Reduce Risk caused by Inappropriate User Access
• Improve Audit Readiness & Continuous Compliance
• Enable Rapid and Secure Access to Applications
Step 2: Prioritize - Processes
Governance

| Visibility and Certification | Policy Management | Role and Group Management |
|---|---|---|
| Entitlement Collection and Analysis | Segregation of Duties | Role Discovery and Definition |
| Data Ownership Identification | Compliance Controls | Group Analysis and Cleanup |
| Access Reviews | | |
Provisioning
Task Notification
Joiners, Movers, and Leavers
Lifecycle Management
Service Desk Integration
Request Management
Access Request Portal
Policy-Based Change Management
Automated Provisioning
Step 2: Prioritize - Assets
• Applications and/or unstructured data?
• Where do I have audit findings?
• What is causing too much acceptable risk?
• What costs me a lot of time & money?
Step 3: Let’s go and don’t get distracted
75% of new customers are in production within the first 4 months
Examples
Supervisor Access Certification – Before Aveksa
Collection
Applications
Security Administrators
Database Administrators
Run Reports
Manual import & reconciliation
Run DB Extracts
MS Access DB
Review
Managers
Delegate to Admin or team
Emailed to Reviewers
Manual creation of spreadsheets
Reminder & Harassment
Integration Logic
Remediation
Manual Logging of Results into Database
Review Results & Change Requests
App Owner & System Administrators
Manual Change Validation & Ticket Creation
Execution of Changes in Systems
Duration: 36 weeks
Supervisor Access Certification – with Aveksa
Collection
Applications
Centralized Access Governance System
Scheduled & Automated Entitlement Collection
Review
Managers perform reviews directly
Reviews Initiated
Web-Based UI
Automated System, Automated Reminders
Integration Logic
Automated validation of change completion
Results automatically stored in centralized DB
Execution of Changes in Systems
Automatic Change Validation & Ticket Creation
Remediation
Duration: 9 weeks
Customer Benefits Realized
• Elimination of Audit Exceptions for Access Management
• Earned Trust of Business Managers and Audit Group
| Metric | Before | After | Improvement |
|---|---|---|---|
| Time to complete User Entitlement Reviews | 36 weeks | 9 weeks | 75% |
| FTEs to manage Review Process | 5 FTEs | 2.5 during; 1 off-cycle | 50%+ |
| Orphan accounts | 12,000+ | 0 | 100% |
| SoD Rules Defined & Enforced | 0 | 150+ | |
| Mid-stream entitlement visibility | No | Yes | |
| Mid-stream actions on access changes | No | Yes | |
| Application Owner Reviews | No | Yes | |
| Platform Access Reviews | No | Yes | |
| Validation of Access Changes | No | Yes | |
Case Study: Enterprise Class Architecture
| | Before Aveksa | Aveksa Phase 1 | Aveksa Phase 2 |
|---|---|---|---|
| Total number of accounts reviewed | 51,815 | 211,072 | ~1,600,000 |
| Total number of entitlements reviewed | 322,985 | 2,031,270 | ~9,500,000 |
| Total number of applications reviewed | 28 | 84 | 589 |
| Total number of reviewers | 2,417 | 17,815 | 49,500 |
| Peak number of concurrent reviewers | Unknown | 430 | 500+ |
Aveksa Customers – EMEA
Thank You