Risk Based Identity Governance
Ken Willén, Senior System Engineer, NetIQ
© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
Identity governance is often a time-consuming necessity whose business value can be hard to prove. With Risk Based Governance, the required re-certifications are based on the risk the different entitlements pose to the business and on the employees' actual use or misuse of them.
All types of attacks misuse Identities!
– Insider attacks
– Accidental disclosures
– Hackers
– Advanced Persistent Threats
Identity is the key
Focus on the basics
Identity, Access & Security together
– Enforce access controls
– Monitor user activity
– Minimize rights
Minimize rights - Re-Certification
The Burden of Re-certification
Cost: Static re-certification schema:
– Re-certification of users with no change
Security: Re-certification according to potential risk
– Re-certification schema does not follow increased/decreased actual company risk
– Re-certification is done with no insight into real use or potential misuse of entitlements
– Too many re-certifications lead to bulk execution
Risk Based Re-Certification - Identity, Access and Security Together
– Has he logged on to the application in the last 6 months?
– Does he show suspicious behavior on high risk applications?
– Have his entitlements changed since the last full review?
Context Enrichment
Summary
– Identities pose a threat to our business
– Re-certification can minimize risk - but is costly
– Risk Based Re-certification improves security and reduces costs