2009 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative.
Example organisation used throughout (diagram): Company X, with Business Unit A, Overseas Affiliate B and Trusted 3rd Party C.
Drivers and stakeholders for IAM (slide word cloud):
- Stakeholders: system administrators, security administrators, business managers, employees, suppliers, clients, third parties
- Regulation and audit: privacy legislation, data protection acts, Sarbanes-Oxley, Basel II, segregation of duties, outstanding audit issues
- Scale and change: 1,000+ users, 100+ applications, 100,000+ possible functions, short user life cycles, mergers and acquisitions, consolidation
- Requirements: provisioning, immediate access, SSO, employee self service, third-party requirements
- Platforms: SAP, Windows, PeopleSoft, mainframe

How do you manage and control who has access to what in an efficient and effective way?
IAM reference architecture (diagram):
- Governance: authorization model, contract, authoritative sources for employees, suppliers, partners, customers, etc.; changes in an authoritative source act as an automated trigger
- Authentication Management (1): Authentication Management Services
- User Management Services: approve user authorizations based on roles/rules; this defines the desired state
- Provisioning Services and Data Management Services (manual / automated)
- Access Management (4): Access Management Services, Federation, usage
- Monitoring Services, Auditing Services, Reporting Services: report the actual state against the desired state
User Management (diagram):
- User lifecycle: automated trigger from the authoritative source; approve user authorisations based on standard roles taken from the authorisation model; manage end-users; self service
- Authorisation Management and IAM Administration: define the desired state
- Provisioning: Provisioning Service
- Monitoring & Audit: Monitoring Services, Auditing Services, Reporting Services; record use and the actual state
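The two diagrams above turn on one mechanism: the authoritative source plus the authorisation model define a desired state, target systems expose an actual state, and provisioning, monitoring and auditing work off the difference between them. The following is an added example, not KPMG tooling or code from the original deck; it assumes an HR feed as the authoritative source, a role model mapping job codes to (system, entitlement) pairs, per-system account exports, and a small SoD matrix. All records are constructed.

```python
"""Desired-state versus actual-state reconciliation for role-based IAM.

Added example, not KPMG tooling. Assumptions: the HR feed is the authoritative
source, a role model maps job codes to (system, entitlement) pairs, target
systems export their current accounts, and an SoD matrix lists entitlement
pairs that one person must not hold. All records below are constructed.
"""

# Constructed authoritative source (HR feed): status "A" = active, "T" = terminated.
HR_FEED = [
    {"uid": "u100", "job": "AP_CLERK", "status": "A"},
    {"uid": "u101", "job": "AP_MANAGER", "status": "A"},
    {"uid": "u102", "job": "AP_CLERK", "status": "T"},  # has left: the automated trigger
    {"uid": "u103", "job": "AUDITOR", "status": "A"},
]

# Constructed authorisation model: job code -> entitlements granted by that role.
ROLE_MODEL = {
    "AP_CLERK": {("SAP", "AP_INVOICE_ENTRY"), ("WIN", "DOMAIN_USER")},
    "AP_MANAGER": {("SAP", "AP_INVOICE_APPROVE"), ("SAP", "AP_PAYMENT_RELEASE"),
                   ("WIN", "DOMAIN_USER")},
    "AUDITOR": {("SAP", "AP_DISPLAY"), ("WIN", "DOMAIN_USER")},
}

# Constructed SoD matrix: entering an invoice and releasing its payment is a toxic combination.
SOD_RULES = [
    (("SAP", "AP_INVOICE_ENTRY"), ("SAP", "AP_PAYMENT_RELEASE")),
]

# Constructed actual state as exported from the target systems (SAP, Windows).
ACTUAL_STATE = {
    "u100": {("SAP", "AP_INVOICE_ENTRY"), ("SAP", "AP_PAYMENT_RELEASE"),
             ("WIN", "DOMAIN_USER")},                                  # right granted outside the role
    "u101": {("SAP", "AP_INVOICE_APPROVE"), ("WIN", "DOMAIN_USER")},   # one role right never provisioned
    "u102": {("SAP", "AP_INVOICE_ENTRY"), ("WIN", "DOMAIN_USER")},     # terminated but still active
    "u103": {("SAP", "AP_DISPLAY"), ("WIN", "DOMAIN_USER")},           # matches the role exactly
    "u999": {("SAP", "AP_DISPLAY")},                                   # unknown to HR: orphan account
}


def desired_state(hr_feed, role_model):
    """Derive the desired state: active users get exactly their role's
    entitlements, terminated users get an empty set (i.e. must be disabled)."""
    desired = {}
    for rec in hr_feed:
        if rec["status"] == "A":
            desired[rec["uid"]] = set(role_model.get(rec["job"], ()))
        else:
            desired[rec["uid"]] = set()
    return desired


def reconcile(desired, actual):
    """Compare desired with actual state and return the provisioning work:
    grants to issue, revokes to issue, and orphan accounts (no HR record)."""
    grants, revokes, orphans = [], [], []
    for uid in sorted(set(desired) | set(actual)):
        have = actual.get(uid, set())
        if uid not in desired:
            orphans.append(uid)
            revokes.extend((uid, e) for e in sorted(have))
            continue
        want = desired[uid]
        grants.extend((uid, e) for e in sorted(want - have))
        revokes.extend((uid, e) for e in sorted(have - want))
    return grants, revokes, orphans


def sod_violations(state, rules):
    """Report every user holding both halves of a segregation-of-duties rule."""
    found = []
    for uid, ents in sorted(state.items()):
        for a, b in rules:
            if a in ents and b in ents:
                found.append((uid, a, b))
    return found


if __name__ == "__main__":
    desired = desired_state(HR_FEED, ROLE_MODEL)
    grants, revokes, orphans = reconcile(desired, ACTUAL_STATE)
    print("grant:", grants)
    print("revoke:", revokes)
    print("orphans:", orphans)
    print("SoD violations in desired state:", sod_violations(desired, SOD_RULES))
    print("SoD violations in actual state:", sod_violations(ACTUAL_STATE, SOD_RULES))
```

Running the SoD check against both states is the point: the role model itself is SoD-clean, so the only violation comes from the right that was granted outside the role, which is exactly what the monitoring and auditing services are there to surface.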
IT ADVISORY

Survey results
- All participants started one or more IAM projects in the last three years
- Two-thirds
- Financial
- IAM
- Federated
Significant benefits are expected for regulatory compliance and risk management, especially in the Financial Services sector and the Information, Communication & Entertainment sector.

Satisfaction
- More than half of the IAM projects did not achieve the intended goals
- There is a clear gap between the expected and the actual benefits of IAM projects
- Most organisations lack insight into the benefits of IAM projects
Project failures
- The biggest challenges for a successful IAM project are not the technical issues
- The
IAM program approach (phases: Plan, Insight, Design, Implement, Monitor; each phase is described by its objective, activities, tools deployed and deliverables)

Tools and deliverables listed:
- Project Plan
- Stakeholder matrix
- Industry practices
- Business case template
- Roadmap template
- Future state strategy sample
- ROI calculator

Monitor phase activities:
- Conduct post-implementation review
- Audit IAM Program
- Assist with ongoing compliance auditing and performance monitoring
Stakeholders around Identity & Access Management (diagram): Business, HR, Audit and Security, the last being responsible for the organisation's security processes.
Organisational scenarios for IAM:
- Maximum scenario: common security principles and policies
- Separate IAM solutions per organizational unit
- Common security principles and policies and common processes, but separate IAM solutions per organizational unit
Core Benefits -> Drives Results
- Automation & Repeatability -> Reduced Cost
- Consistency -> Better Service
- Accountability -> Increased Compliance
Metrics

Timing metrics:
- Average access request turn-around time
- Average time between user termination and the disablement of the user's IDs
- Average time between a user's role change and the access rights update
- Average time to obtain approval for a request
- Time interval before an approver is re-notified about unfulfilled access requests

Coverage and quality metrics:
- % of requests initiated through the proper channel
- % of requests that are fully processed through roles
- % of requests that do not require re-work
- % of changes done through the tool
- % of requests processed with management approval
- % of residual active accounts belonging to employees who were terminated
- % of requests processed with an audit trail
- % of privileges covered by periodic access reviews
- % of privileges that can be reviewed through audit reports
- % of audit findings attributable to security administration lapses
- % of access requests processed in compliance with the policies and procedures
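Several of these metrics can be computed directly from the provisioning records an IAM tool already keeps. The block below is an added example, not a KPMG calculator or code from the deck; it assumes two constructed record sets (HR terminations paired with the time the account was disabled, and access requests with their approval, channel and fulfilment details) and treats the self-service portal as the sanctioned request channel. Timestamps are ISO 8601 strings; a missing disablement time marks a residual active account.

```python
"""Computing a few of the IAM metrics listed above from provisioning records.

Added example, not a KPMG calculator. Assumes two constructed record sets: HR
terminations paired with the time the target system disabled the account, and
access requests with their approval, channel and fulfilment details. Timestamps
are ISO 8601 strings; a missing "disabled" time means the account is still live.
"""
from datetime import datetime
from statistics import mean

# Constructed termination records (HR termination time vs. account disablement time).
TERMINATIONS = [
    {"uid": "u102", "terminated": "2009-03-02T09:00", "disabled": "2009-03-02T17:30"},
    {"uid": "u105", "terminated": "2009-03-03T09:00", "disabled": "2009-03-05T09:00"},
    {"uid": "u107", "terminated": "2009-03-04T09:00", "disabled": None},  # residual active account
]

# Constructed access-request records from the request workflow.
REQUESTS = [
    {"id": 1, "requested": "2009-03-01T10:00", "fulfilled": "2009-03-01T16:00",
     "mgt_approved": True, "via_role": True, "channel": "portal"},
    {"id": 2, "requested": "2009-03-02T10:00", "fulfilled": "2009-03-03T10:00",
     "mgt_approved": True, "via_role": False, "channel": "portal"},
    {"id": 3, "requested": "2009-03-03T10:00", "fulfilled": "2009-03-03T12:00",
     "mgt_approved": False, "via_role": False, "channel": "email"},  # bypassed the tool
    {"id": 4, "requested": "2009-03-04T10:00", "fulfilled": "2009-03-05T22:00",
     "mgt_approved": True, "via_role": True, "channel": "portal"},
]

PROPER_CHANNEL = "portal"  # assumption: the self-service portal is the sanctioned channel


def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def avg_hours_to_disable(terminations):
    """Average time between user termination and disablement of the user's IDs,
    over the accounts that have actually been disabled."""
    done = [hours_between(t["terminated"], t["disabled"]) for t in terminations if t["disabled"]]
    return mean(done) if done else 0.0


def pct_residual_active(terminations):
    """% of terminated employees whose accounts are still active."""
    return pct(sum(1 for t in terminations if not t["disabled"]), len(terminations))


def avg_turnaround_hours(requests):
    """Average access request turn-around time from request to fulfilment."""
    return mean([hours_between(r["requested"], r["fulfilled"]) for r in requests])


def pct_with_mgt_approval(requests):
    """% of requests processed with management approval."""
    return pct(sum(1 for r in requests if r["mgt_approved"]), len(requests))


def pct_via_roles(requests):
    """% of requests that are fully processed through roles."""
    return pct(sum(1 for r in requests if r["via_role"]), len(requests))


def pct_proper_channel(requests, proper=PROPER_CHANNEL):
    """% of requests initiated through the proper channel."""
    return pct(sum(1 for r in requests if r["channel"] == proper), len(requests))


def iam_metrics(terminations=TERMINATIONS, requests=REQUESTS):
    """Collect the metrics into one report dictionary."""
    return {
        "avg_hours_to_disable": avg_hours_to_disable(terminations),
        "pct_residual_active_accounts": pct_residual_active(terminations),
        "avg_request_turnaround_hours": avg_turnaround_hours(requests),
        "pct_requests_with_mgt_approval": pct_with_mgt_approval(requests),
        "pct_requests_via_roles": pct_via_roles(requests),
        "pct_requests_proper_channel": pct_proper_channel(requests),
    }


if __name__ == "__main__":
    for name, value in iam_metrics().items():
        print(f"{name}: {value}")
```

Note that the termination metric deliberately averages only over accounts that were disabled; the accounts that never were are reported separately as the residual-active percentage, otherwise the worst cases would silently drop out of the average.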
jewels)?
Cost model of IAM:
- Project costs
  - PMO-related, such as project management and quality assurance
  - Design, build, integration and test of the IAM environment (including building of connectors)
- Investments (CAPEX)
  - IAM software & hardware
- Cost of operations (OPEX)
  - Activities of security administration (IT)
  - Activities related to the authorization request process (Business)
  - Activities related to authorization definitions (e.g. SoD matrices, business rules, etc.)
- Cost of control (OPEX)
  - Periodical reviews by management and application / business owners (process control costs)
  - Periodical audits
Business / IT / Audit management
- Limiting
- Sourcing fee
Cost-reduction postures
- Strategic (increasing time horizon for planning and choices). Examples: outsourcing; strategic divestiture; location rationalization; fundamental shift in technology architecture
- Tactical. Examples: discretionary spend reduction; de-layering; contract renegotiation
- Survival (improvement). Examples: stopping all non-essential spend; sale of assets for cash, technology carve-outs; rapid cease of non-core services
IAM cost-reduction levers (matrix of Strategic / Tactical / Survival postures against the cost categories)

Project investments:
- Strategic: consolidation of IAM platforms (HW / SW); establish IAM as a consolidated online service to be used for all key apps; use of an experienced IAM team
- Tactical: redefine IAM strategy and focus on key concerns/areas
- Survival: off-shoring development and testing of connectors

Cost of operations:
- Use of Federated Identity management (for business partners)
- Role based authorization
- Automation of the Authorization Request Management process

Cost of control:
- Integrate IAM controls with GRC controls
- Automating periodical control (attestation)

Further levers on the slide:
- Single Sign On
- Introduction of password reset/synchronization
- Renting of / pay per use for IAM software
- Automation of provisioning
- Off-shoring of IdM services
the architecture into a physical architecture (consisting of the technology choices) per stage of the program
management
Most of our clients implement a best-of-breed solution, since no single solution is seen to be complete.
IAM maturity model
- Level 1, Performed Informally: disparate application security models; native user stores
- Level 2, Planned and Tracked: limited password management capabilities
- Level 3, Well Defined: simple RBAC capabilities; limited SSO capabilities; consolidated directories; self-service password management; limited automated provisioning
- Level 4, Mature, and Level 5, Industry Leading: centralized directory infrastructure; fully automated capabilities; enterprise monitoring and tracking; auditing capabilities; compliance tracking; automated compliance tracking

Organisations' current state (2007 / 2008) sits at the lower levels; the target for the end of 2010 is the higher levels.
Estimated timeline
- Plateau 1 (Q4 2007): introduction of IAM solution infrastructure
- Plateau 2 (Q3 2008): limited Role Based Access Control for the organization's Portal
- Plateau 3 (2009): extensive Role Based Access Control for the organization's Business Systems
- Management decision
- Plateau 4 (TBD): extensive Role Based Access Control for other systems
To conclude
- Identity
- Drivers
  - Research shows that the risk management function needs to improve, resulting in more compliance obligations
- The

What to do? In what order? To what extent?
John Hermans
Associate Partner
KPMG Advisory N.V.
Tel: +31 6 51 366 389
Email: hermans.john@kpmg.nl