
IT Advisory

Identity & Access Management: new, complex, so don't start?

Ing. John A.M. Hermans RE, Associate Partner
March 2009

Agenda

- KPMG's view on IAM
- KPMG's IAM Survey 2008
- Best approach for IAM
- Questions & Answers

© 2009 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Changing operating environment for companies

A medium to large entity with diverse operations and (a) complex compliance mandates and (b) aggressive financial goals.

[Figure: Company X with Business Unit A, Overseas Affiliate B and Trusted 3rd Party C]

- Each business unit, affiliate and trusted third party utilizes numerous, sometimes disparate, information systems and repositories,
- each utilizing unique processes and information assets to manage their business objectives,
- which leads to: exploding data populations; control deficiencies (i.e. access and SoD); redundant data; lack of data integrity; limited query capability; information inaccessibility; data leakage.


A Typical Business Access Management Environment Today

[Figure: the elements competing for attention in a typical environment]
- Stakeholders: system administrators, security administrators, business managers, employees, suppliers, clients, third parties
- Scale: 1,000+ users, 100+ applications, 100,000+ possible functions
- Regulation: privacy legislation, data protection acts, Sarbanes-Oxley, Basel II
- Pressures: short user life cycles, immediate access requirements, employee self service, mergers and acquisitions, consolidation, segregation of duties, outstanding audit issues
- Technology: provisioning, SSO, SAP, Windows, PeopleSoft, mainframe

How do you manage and control who has access to what in an efficient and effective way?

Definition of Identity & Access Management

The policies, processes and systems for efficiently and effectively governing and managing who has access to which resources within an organisation.

The processes covered by IAM are:
- User management
- Authentication management
- Authorisation management
- Access management
- Provisioning
- Monitoring & audit


KPMG's view on the envisioned end-state of IAM

[Figure: six functional areas and their services, under overall Governance]

1. Authentication Management: Authentication Management Services
2. User Management: User Lifecycle; Authoritative Sources; Contract; User Management Services; automated trigger from the identity population (employees, suppliers, partners, customers, etc.)
3. Authorization Management: Authorization model; approve user authorizations based on roles/rules; produces the Desired state
4. Access Management: Access Management Services; Federation; usage of Systems and Applications
5. Data Management & Provisioning: Provisioning Services; Data Management Services (manual / automated)
6. Monitoring & Audit: Monitoring Services; Auditing Services; Reporting Services; the Actual state as found on the Systems and Applications


IAM process model (simplified): problem statement

[Figure: the simplified process model]
- User Management: User Lifecycle, with an automated trigger from the Authoritative source
- Authorisation Management: Authorisation model; approve user authorisations based on standard roles; end-users manage requests via Self Service
- IAM Administration: the Desired state
- Provisioning: Provisioning Service; the Actual state in use on the systems
- Monitoring & Audit: Monitoring Services, Auditing Services, Reporting Services
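The Desired state / Actual state pair in the model is what Monitoring & Audit has to reconcile. The Python below is added here as an illustration and is not taken from the deck: it derives the desired state from a constructed HR extract and a job-to-role authorisation model, compares it with constructed account dumps from two target systems, and reports orphan accounts of leavers, accounts with no identity behind them, excess or missing entitlements, and segregation-of-duties violations. The system names (ERP, AD), entitlement names, job codes and user ids are all assumptions made for the example.

```python
"""Desired-state vs actual-state reconciliation over the IAM process model.

Added example; not from the KPMG deck. The HR extract, the job/role
authorisation model, the SoD conflict pair and the target-system account
dumps are constructed inline; system and entitlement names are assumptions.
"""

# Authoritative source (HR): the automated trigger for the user lifecycle
HR = {
    "u001": {"name": "Alice", "status": "active",     "jobcode": "AP_CLERK"},
    "u002": {"name": "Bob",   "status": "active",     "jobcode": "AP_MANAGER"},
    "u003": {"name": "Carol", "status": "terminated", "jobcode": "AP_CLERK"},
    "u004": {"name": "Dave",  "status": "active",     "jobcode": "AP_CLERK"},  # joiner, not yet provisioned
}

# Authorisation model: job code -> roles -> (system, entitlement) pairs
JOB_TO_ROLES = {
    "AP_CLERK":   {"ap_entry"},
    "AP_MANAGER": {"ap_approve"},
}
ROLE_TO_ENTITLEMENTS = {
    "ap_entry":   {("ERP", "INVOICE_ENTRY"),   ("AD", "grp_finance")},
    "ap_approve": {("ERP", "PAYMENT_RELEASE"), ("AD", "grp_finance")},
}
# Segregation-of-duties rule: nobody may both enter invoices and release payments
SOD_CONFLICTS = [(("ERP", "INVOICE_ENTRY"), ("ERP", "PAYMENT_RELEASE"))]

# Actual state: account extracts pulled from the target systems (constructed)
ACTUAL = {
    "ERP": {
        "u001": {"INVOICE_ENTRY"},
        "u002": {"INVOICE_ENTRY", "PAYMENT_RELEASE"},   # kept clerk rights after promotion
        "u003": {"INVOICE_ENTRY"},                      # leaver, account never disabled
        "svc_batch": {"INVOICE_ENTRY"},                 # no HR identity behind it
    },
    "AD": {
        "u001": {"grp_finance"},
        "u002": {"grp_finance", "grp_domain_admins"},   # not granted through any role
    },
}


def desired_state(hr, job_to_roles, role_to_ents):
    """Who *should* hold which entitlement, from HR plus the authorisation model.
    Terminated users get no desired state, so every account they keep is an orphan."""
    desired = {}  # (system, user) -> set of entitlements
    for uid, rec in hr.items():
        if rec["status"] != "active":
            continue
        for role in job_to_roles.get(rec["jobcode"], ()):
            for system, ent in role_to_ents.get(role, ()):
                desired.setdefault((system, uid), set()).add(ent)
    return desired


def reconcile(desired, actual, hr):
    """Compare the desired state with the account extracts; return (kind, system, user, entitlement) findings."""
    findings = []
    for system, accounts in actual.items():
        for uid, ents in accounts.items():
            if uid not in hr:
                findings.append(("unknown_account", system, uid, None))
                continue
            if hr[uid]["status"] != "active":
                findings.append(("orphan_account", system, uid, None))
                continue
            want = desired.get((system, uid), set())
            for ent in sorted(ents - want):
                findings.append(("excess_entitlement", system, uid, ent))
    for (system, uid), want in desired.items():
        have = actual.get(system, {}).get(uid, set())
        for ent in sorted(want - have):
            findings.append(("missing_entitlement", system, uid, ent))
    return findings


def sod_violations(actual, conflicts):
    """Users holding both sides of a conflicting pair in the actual state."""
    hits = []
    for (sys_a, ent_a), (sys_b, ent_b) in conflicts:
        users_a = {u for u, e in actual.get(sys_a, {}).items() if ent_a in e}
        users_b = {u for u, e in actual.get(sys_b, {}).items() if ent_b in e}
        for uid in sorted(users_a & users_b):
            hits.append((uid, (sys_a, ent_a), (sys_b, ent_b)))
    return hits


def summarise(findings, violations):
    """Counts per finding type: the numbers a reporting service would put on a dashboard."""
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    counts["sod_violation"] = len(violations)
    return counts


if __name__ == "__main__":
    found = reconcile(desired_state(HR, JOB_TO_ROLES, ROLE_TO_ENTITLEMENTS), ACTUAL, HR)
    for f in found:
        print(*f)
    for v in sod_violations(ACTUAL, SOD_CONFLICTS):
        print("SoD violation:", *v)
    print(summarise(found, sod_violations(ACTUAL, SOD_CONFLICTS)))
```

Run as-is, it lists the orphan account of the leaver, the service account without an HR identity, the promoted user's retained clerk rights (which are also the SoD hit), the domain-admin membership nobody granted through a role, and the joiner who has no accounts yet. The point of the design is that only HR and the authorisation model define "desired"; the target systems are never trusted as their own reference.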


IT Advisory

KPMG's 2008 European Identity & Access Management Survey: main findings

Current status and IAM projects

- All participants started one or more IAM projects in the last three years
- Two-thirds of participants have separate IAM budgets
- The financial sector has the highest budgets, the government sector the lowest

All respondents initiated an IAM journey: IAM is here to stay!


Scope of IAM projects

- IAM projects focus on employees/contractors and internal systems/information
- Federated Identity Management, the cross-boundary connection of IAM environments with business partners, is not yet broadly used

Most projects are focused on employees and contractors. The main reason appears to be the obligation to comply with internal and external regulations.


Drivers & benefits

- Significant benefits are expected for regulatory compliance and risk management, especially in the Financial Services sector and the Information, Communication & Entertainment sector
- For the Infrastructure, Government and Healthcare sectors, significant gains are expected from process improvements
- Cost containment and competitive advantage are the least important drivers of IAM

Improving compliance and reducing risk are the main drivers behind IAM projects.

Satisfaction

- More than half of the IAM projects did not achieve the intended goals
- There is a clear gap between expected and actual benefits of IAM projects
- Most organisations lack insight into the benefits of IAM projects

A confirmed strategy, business case and expectations management are essential for a successful IAM project.

Project failures

- The biggest challenges for a successful IAM project are not the technical issues
- The main cause of project failure is that the business is not ready


How to approach IAM: KPMG's IAM Methodology

The methodology has five phases: Plan, Insight, Design, Implement and Monitor. For each phase the slide lists the objective, the activities, the tools deployed and the deliverables.

Plan
  Objective: effective and efficient project kick-off
  Activities:
  - Define the project approach
  - Facilitate the planning activities for the overall IAM engagement
  - Gain an understanding of the client's issues and objectives related to the engagement
  Tools deployed:
  - KPMG Identity and Access Management methodology
  - KPMG Project Management methodology
  - KPMG Change Management methodology
  - KPMG Business Performance Improvement methodology
  Deliverables:
  - Project plan
  - Stakeholder matrix

Insight
  Objective: assess current state and envision future state
  Activities:
  - Assist with the understanding of the current state, the future state vision and areas of improvement
  - Transition into designing the IAM solution
  Tools deployed:
  - ISO 27001 questionnaire and mapping tool
  - Current state workshop guidance
  - Stakeholder matrix and portfolio template
  - IAM interview questionnaire
  Deliverables:
  - Current state assessment report
  - High-level future state model
  - Gap analysis and remediation recommendations
  - Defined CSFs and KPIs

Design
  Objective: help design the IAM process and infrastructure solution
  Activities:
  - Clarify IAM solution business requirements and KPIs
  - Assist with IAM strategy, roadmap and conceptual architecture
  - Obtain business case approval
  - Assist the client to design the IAM PMO and governance model
  Tools deployed:
  - Industry practices
  - Business case template
  - Roadmap template
  - Future state strategy sample
  - ROI calculator
  Deliverables:
  - Future state strategy
  - Future state roadmap
  - IAM conceptual architecture
  - IAM business case
  - IAM PMO design
  - IAM governance design

Implement
  Objective: help implement the IAM solution
  Activities:
  - Facilitate the establishment of the PMO and governance model
  - Assist the client with designing the IAM solution
  - Assist the client with solution selection
  - Provide project advisory and risk / control support throughout the implementation process
  Tools deployed:
  - Implementation tools and templates
  - Implementation plan
  - Use case examples
  - RFI and RFP templates
  - Infrastructure design examples
  - Interface development guidance
  Deliverables:
  - IAM use cases
  - RFI and RFP
  - Pilot testing program
  - Implementation program

Monitor
  Objective: help assess and enhance the operation of the solution
  Activities:
  - Conduct post-implementation review
  - Audit the IAM program
  - Assist with ongoing compliance auditing and performance monitoring
  Tools deployed:
  - IAM assessment programs
  - Assessment work plans
  - Segregation of Duties tools
  - Remediation and improvement templates
  Deliverables:
  - IAM assessment status report
  - Benefits realization report
  - Remediation and enhancement report
  - Performance scorecard

Step 1: Build your strategy and business case. Who to involve?

[Figure: stakeholders around Identity & Access Management]
- Business: responsible for management / controlling of business activities
- HR: responsible for management of employee information
- IT Architecture & Ops: responsible for IT architecture and IT operations
- Programs & Projects: responsible for updating the IT of the business environment of the enterprise
- Audit: responsible for Internal Audit
- Security: responsible for the organisation's security processes


Step 1: Build your strategy and business case. What are you aiming for?

Overall ambition level, from the minimum to the maximum scenario (based on the IAM governance model):
1. Common security principles and policies; separate IAM solutions per organizational unit
2. Common security principles and policies, common processes, but separate IAM solutions per organizational unit
3. One IAM solution as a Shared Service for all organizational units, but limited to core and critical business applications
4. One IAM solution as a Shared Service for all organizational units and all business applications


Step 1: Build your strategy and business case. Identity & Access Management Business Value

Core benefits and the results they drive:
- Automation & Repeatability → Reduced cost
- Consistency → Better service
- Accountability → Increased compliance

Metrics:
- Avg access request turn-around time
- Avg time between user termination and the disablement of the user's IDs
- Avg time between a user's role change and the access rights update
- Avg time to obtain approval for a request
- Time interval to re-notify an approver about unfulfilled access requests
- % of requests initiated through the proper channel
- % of requests that are fully processed through roles
- % of requests that do not require re-work
- % of changes done through the tool
- % of requests processed with management approval
- % of residual active accounts belonging to employees who were terminated
- % of requests processed with an audit trail
- % of privileges covered by periodic access reviews
- % of privileges that can be reviewed through audit reports
- % of audit findings associated with security administration lapses
- % of access requests processed in compliance with the policies and procedures

Managing risks efficiently
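These metrics are only comparable over time if they are computed the same way from the request and lifecycle records every period. The Python below is an added example, not part of the KPMG deck: it computes the turn-around, approval and termination-to-disablement averages, the percentage measures, and the re-notification check for approvals that are still outstanding, over a small set of constructed records. The record fields (submitted, approved, fulfilled, channel, via_role, rework, audit_trail, policy_compliant, terminated, disabled) and the privilege counts are assumptions made for the example, not the schema of any IAM product.

```python
"""IAM performance metrics computed from request and leaver records.

Added example; not from the KPMG deck. All records are constructed for the
example and the field names are assumptions, not a product's schema.
"""
from datetime import datetime

# Constructed access-request records. 'approved'/'fulfilled' are None while
# that step is still outstanding. Timestamps are ISO 8601 local times.
REQUESTS = [
    {"id": "R1", "submitted": "2009-03-02T09:00", "approved": "2009-03-02T13:00",
     "fulfilled": "2009-03-03T10:00", "channel": "portal", "via_role": True,
     "rework": False, "audit_trail": True, "policy_compliant": True},
    {"id": "R2", "submitted": "2009-03-03T08:00", "approved": "2009-03-04T08:00",
     "fulfilled": "2009-03-05T08:00", "channel": "portal", "via_role": False,
     "rework": True, "audit_trail": True, "policy_compliant": True},
    # R3 went straight to an administrator by e-mail: no approval, no audit trail
    {"id": "R3", "submitted": "2009-03-04T10:00", "approved": None,
     "fulfilled": "2009-03-04T12:00", "channel": "email", "via_role": False,
     "rework": False, "audit_trail": False, "policy_compliant": False},
    {"id": "R4", "submitted": "2009-03-05T09:00", "approved": "2009-03-05T11:00",
     "fulfilled": "2009-03-05T13:00", "channel": "portal", "via_role": True,
     "rework": False, "audit_trail": True, "policy_compliant": True},
    # R5 is still waiting for its approver
    {"id": "R5", "submitted": "2009-03-06T09:00", "approved": None,
     "fulfilled": None, "channel": "portal", "via_role": True,
     "rework": False, "audit_trail": True, "policy_compliant": True},
]

# Constructed leaver records: 'disabled' is None while the account is still live
TERMINATIONS = [
    {"user": "u003", "terminated": "2009-02-27T17:00", "disabled": "2009-03-01T09:00"},
    {"user": "u007", "terminated": "2009-03-02T17:00", "disabled": "2009-03-02T23:00"},
    {"user": "u009", "terminated": "2009-03-03T17:00", "disabled": None},
    {"user": "u011", "terminated": "2009-03-04T12:00", "disabled": "2009-03-04T14:00"},
]

PRIVILEGES_TOTAL = 200      # constructed: entitlements in scope
PRIVILEGES_REVIEWED = 160   # constructed: covered by the last periodic access review


def hours_between(start, end):
    """Elapsed hours between two ISO timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def avg_hours(records, start_key, end_key):
    """Mean elapsed hours over the records where both timestamps are present."""
    spans = [hours_between(r[start_key], r[end_key]) for r in records if r[start_key] and r[end_key]]
    return round(sum(spans) / len(spans), 2) if spans else 0.0


def overdue_approvals(requests, now, sla_hours):
    """Ids of requests still awaiting approval for longer than the re-notification interval."""
    return [r["id"] for r in requests
            if r["approved"] is None and r["fulfilled"] is None
            and hours_between(r["submitted"], now) > sla_hours]


def kpi_report(requests, terminations, priv_total, priv_reviewed):
    """The metrics from the business-value slide, computed over the records."""
    n = len(requests)
    return {
        "avg_turnaround_h": avg_hours(requests, "submitted", "fulfilled"),
        "avg_approval_h": avg_hours(requests, "submitted", "approved"),
        "avg_termination_to_disable_h": avg_hours(terminations, "terminated", "disabled"),
        "pct_residual_active_leavers": pct(sum(t["disabled"] is None for t in terminations), len(terminations)),
        "pct_proper_channel": pct(sum(r["channel"] == "portal" for r in requests), n),
        "pct_via_roles": pct(sum(r["via_role"] for r in requests), n),
        "pct_no_rework": pct(sum(not r["rework"] for r in requests), n),
        "pct_mgt_approved": pct(sum(r["approved"] is not None for r in requests), n),
        "pct_audit_trail": pct(sum(r["audit_trail"] for r in requests), n),
        "pct_policy_compliant": pct(sum(r["policy_compliant"] for r in requests), n),
        "pct_privileges_reviewed": pct(priv_reviewed, priv_total),
    }


if __name__ == "__main__":
    for key, value in kpi_report(REQUESTS, TERMINATIONS, PRIVILEGES_TOTAL, PRIVILEGES_REVIEWED).items():
        print(f"{key:32s} {value}")
    print("overdue approvals:", overdue_approvals(REQUESTS, "2009-03-07T09:00", sla_hours=12))
```

Two choices matter for a defender reading the numbers: a request that was fulfilled without ever being approved (R3) counts against the approval and audit-trail percentages rather than being silently excluded, and a leaver whose account is still live (u009) is excluded from the termination-to-disablement average but surfaces in the residual-active-accounts percentage, so a slow disablement cannot hide behind a small average.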



And then there was the CRISIS...

- Consequences of the crisis
  - Budget cuts, resulting in a reassessment of the project portfolio
  - Search for cost optimization opportunities
  - Increased need for adequate risk management, leading to an increase in compliance obligations
- Most IAM initiatives are currently being reassessed
  - Is there still a business case / business need? Or has it changed?
  - Does the original approach still meet the requirements of the business?
  - Can we cut the budget for IAM or delay the program?
- Are there different options?
- Re-scoping of the original scope? From corporate-wide to departmental or application-domain specific (i.e. focus on the crown jewels)?

The current economic slow-down requires organizations to reformulate their IAM strategy.

Costs related to Identity & Access Management

- Project costs
  - PMO-related, such as project management and quality assurance
  - Design, build, integration and test of the IAM environment (including building of connectors)
- Investments (CAPEX)
  - IAM software & hardware
- Cost of operations (OPEX)
  - Activities of security administration (IT)
  - Activities related to the authorization request process (Business)
  - Activities related to authorization definitions (e.g. SoD matrices, business rules, etc.)
- Cost of control (OPEX)
  - Periodical reviews by management and application / business owners (process control costs)
  - Periodical audits


Reformulating the IAM strategy requires more focus on potential cost savings

Direct cost savings
- Operational excellence (see next slides): Business / IT / Audit

Indirect cost savings
- License management
- Limiting costs through the use of new technologies such as SaaS
- Sourcing fee


In the current climate there is no one-size-fits-all: circumstances vary

Strategic
  Long-term view to generating sustainable performance improvements consistent with strategic goals and long-term value creation. Performance improvements may reflect a high degree of improvement and shifts of fundamental technology.
  Examples: outsourcing; increasing the time horizon for planning and choices; strategic divestiture; location rationalization; fundamental shift in technology architecture

Tactical
  Opportunistic response to improve the performance of the existing technology function, taking account of: emerging competitive pressures; deteriorating cost control or other margin pressures; stakeholder pressure for short-term performance improvement.
  Examples: discretionary spend reduction; de-layering; process optimisation (Lean / Six Sigma); contract renegotiation

Survival
  Rapid cost reduction to stay in business: speed is of the essence. Cash is usually paramount; most options are 'non-discretionary'; immediate divestment or closure of business lines may form part of the approach.
  Examples: stopping all non-essential spend; sale of assets for cash, technology carve-outs; rapid cessation of non-core services


Cost optimization opportunities related to IAM (some examples)

Strategic
  Project: use of a well-known methodology / best practices; use of an experienced IAM team
  Investments: consolidation of IAM platforms (HW / SW); establish IAM as a consolidated online service to be used for all key apps
  Cost of operations: use of Federated Identity Management (for business partners); role-based authorization; automation of the authorization request management process
  Cost of control: integrate IAM controls with GRC controls; automating periodical control (attestation)

Tactical
  Project: align IAM initiatives across the organization; redefine the IAM strategy and focus on key concerns/areas
  Investments: renting of / pay-per-use for IAM software; use of open source products
  Cost of operations: Single Sign On; introduction of password reset/synchronization; automation of provisioning
  Cost of control: automating fact-finding audits

Survival
  Project: off-shoring development and testing of connectors; STOP the IAM initiative
  Investments: sale / lease-back of equipment
  Cost of operations: off-shoring of IdM services


Step 2: IAM Solution Design (1)

- Need for one confirmed architecture
  The starting point for the deployment of IAM is a confirmed architecture, consisting of:
  - Governance (in terms of a RACI model)
  - Processes and procedures
  - Functional components of IAM
- Attention point: as IAM is a multi-year program, it is recommended to start with a high-level conceptual architecture and detail the architecture into a physical architecture (consisting of the technology choices) per stage of the program


Step 2: IAM Solution Design (2)

- Single vendor / multiple vendor strategy
  Most IdM solutions provide almost identical functionality for user management and provisioning:
  - Workflows
  - Connectivity to authoritative sources
  - Connectivity to target systems & applications
  - Limited authorization management capabilities
  - Limited reporting capabilities
  Most IdM solutions provide only limited capabilities for access certification / role engineering / role management.
  Most of our clients implement a best-of-breed solution, since no single solution is seen to be complete.


Step 2: IAM Solution Design (3)

- Outsourcing of the technical management of the IAM solution
  - Various multinationals do outsource the technical management of (parts of) their IAM solution
  - The as-is is sourced, most times organised per client
  - Key for success: linkage to the client's HR and contract management processes; linkage to authorization management processes
- Identity Management as a service is still in the early stages of development


Step 3: Define a high-level IAM roadmap (Maturity Model)

Level 1, Performed Informally
- Manual account management
- Disparate application security models
- Native user stores

Level 2, Planned and Tracked (the organisation's current state, 2007 / 2008)
- Manual account management
- Limited auditing capabilities
- Limited password management
- Disparate application security models adhering to standards
- Multiple directory stores with duplicative data

Level 3, Well Defined (target: end of 2010)
- Simple RBAC capabilities
- Limited SSO capabilities
- Consolidated directories
- Self-service password management
- Limited automated provisioning
- Auditing capabilities
- Compliance tracking

Level 4, Mature
- Limited RBAC capabilities
- Centralized directory
- Fully automated provisioning and SSO
- Automated auditing capabilities
- Enterprise monitoring
- Automated compliance tracking

Level 5, Industry Leading
- Advanced RBAC capabilities
- Federated Identity Management infrastructure
- Fully integrated provisioning
- Advanced auditing capabilities
- Enterprise metrics
- Enterprise compliance tracking


Step 3: Example of roadmap (estimated timeline)

Plateau 1 (Q4 2007): Basic provisioning for employees
  (1) Introduction of the IAM solution infrastructure
  (2) User management is linked with (aggregated) HR
  (3) Automated provisioning of generic IT services

Plateau 2 (Q3 2008): Limited Role Based Access Control for the organization's Portal
  IAM solution manages SAP Portal accounts and authorizations

Plateau 3 (2009): Extensive Role Based Access Control for the organization's Business Systems
  IAM solution manages the organization's Business Systems

Plateau 4 (TBD, subject to management decision): Extensive Role Based Access Control for other systems
  IAM solution manages other (legacy) systems


To conclude

- Identity & Access Management is here to stay!
- The drivers for Identity & Access Management (compliance, operational excellence and business agility) are still valid, despite the current economic climate
  Research shows that the risk management function needs to improve, resulting in more compliance obligations
- The economic crisis requires organizations to reformulate their Identity & Access Management strategy:
  What to do? In what order? To what extent? Within current budget restrictions!


KPMG Key Contact Details

John Hermans
Associate Partner
KPMG Advisory N.V.
Tel: +31 6 51 366 389
Email: hermans.john@kpmg.nl
