1. PRESENTATION TITLE Presented by: Xxxx Xxxxx

2. Providence Health & Services Very large Catholic healthcare system 33 hospitals in AK, CA, MT, OR, WA 65,000 employees

3. Topics of Discussion Capabilities IAM tools can bring. Challenges of implementing an IAM tool in the enterprise. How you can improve your security program with an IAM tool.

4. What is Identity Management  In short it’s the ability to provide provisioning and governance of users within your environment. This includes:  Password Management  Access Requests  Enforcement of role based policies

5. Capabilities IAM tools can bring to bear around Identity & Access Governance:  Management of employee life cycle from beginning to end.  Provides an overall view of how effective your policies are.  Centralize authentication and authorization of applications across an enterprise.  Gives greater transparency into who has access to what.  Reduce the fears that management has around Identity and Access Governance.

6. Management of employee life cycle  Add an employee  Move an employee  Employee leaves

7. Provides an overall view of how effective your polices are by:  Providing reports that show employee violations of polices.  Showing you where there could be potential conflicts with a role or group that could limit an employee’s productivity.

8. Centralize authentication and authorization of applications across an enterprise  Provides accountability  Allows for the burden of account management to be taken off a department like applications support.  One piece of software can control access to all applications in an enterprise reducing redundancy.

9. Allows for greater transparency  Gives a high level of who has access and to what based on role or group.  Shows who your super users are and where your areas of high risk are.

10. High Privilege Group

11. Reduce managements fears around Identity and Access Governance  Executives and Mangers both fear  Providing leadership with tangible results that allow them the necessary transparency to see that the IAM program is working. Account management is being done incorrectly For the integrity of their data and applications

12. Report Summary

13. Privilege group membership report

14. Challenges Implementing an IAM tool within the enterprise:  Required skills and resources to be successful.  Scoping what you are going to handle and what you are not. (eg. Cloud applications)  Getting buy in and cooperation from other departments.

15. Required skills and resources to be successful  Understanding different environments.  How does the software work?  Support from the vendor  Trouble shooting

16. Understanding different environments  What infrastructure are you connecting to (AD, SharePoint, database) and how does it look?  How does that connection work (flat file, database connection etc.)?

17. How does the software work?  What OS does the software run on?  Needed programming skills  What upkeep skills are needed to keep the machine happy (eg.patching, upgrades)

18. Rule to add multiple groups to a certification (Java beans)

19. Support from the vendor  Monthly and Weekly meeting with account manager Discuss projects Discuss milestones Discuss outstanding objectives

20. Trouble shooting  Who can you call?  What resources are available? Expert Services Customer Portal Google etc.

21. Scoping what you are going to handle and what you are not?  Hosted & non-hosted applications?  Provisioning or governance?  What is going to be the goal of your IAM program?

22. How to get buy in from:  Your Leadership.  Your Managers

23. Getting buy in from Leadership  Show how this is beneficial to the company.  Show you need it even if you haven’t had a problem.

24. Getting buy in from Managers  Setting up a relationship with our managers.  Straight forward and easy for mangers.

25. Manager certification

26. Manager Certification cont.

27. How you can improve your security program with an IAM tool :  Allows for better creation of role based polices.  Used as a provisioning tool allows for better management of employee life cycle.  Reduce your attack surfaces.

28. Allows for better creation of role based policies:  Clarity around when to use least privilege.  Performing audits and reports.  High level view allows you to make more informed decisions when setting up rules.

29. Used as a provisioning tool allows for better management of employee life cycle Setup includes:  Password Management  Application Access  Closing of Accounts

30. Reduction in attack surface.  Able to clean up old accounts that could be used to access sensitive information.  Mitigates the insider threat.  High privilege accounts can be monitored.  Reduces the risk of super user accounts being created by having it approved by another dept.  Forrester study showed “insiders” were the top source of breaches in the last 12 months. 36% of breaches were due to insiders” (Forrester)

31. High Privilege Account Certification

32. Today’s Takeaways  An IAM tool in your enterprise gives you the benefits of a detective tool and a prevention tool.  IAM needs to be a cornerstone of a security program without there is the potential for other controls to break down.  Having an IAM tool gives the business confidence that process of governance and access is being monitored and performed correctly.

33. Thank you! Thanks for attending my talk today on Identity Management: Tools to govern system access Questions…?

34. Contact On Twitter: @fornalm Security blog: Fighting In.Security http://fightinginsecurity.wordpress.com/