2. Eurekify at a Glance
Leading provider of role-based management solutions
Privileges Quality Management
Role Management
Identity Management
Compliance Management
Eurekify did not invent RBAC, but our unique & patented pattern recognition technology makes it a lot easier to implement
History and current presence
Since 2002, with more than 50 customers worldwide
Partners include Consultants, Integrators, Vendors, and Auditors
Based in Israel, with offices in NY and CA, and Worldwide partners
3. Examples of Eurekify Projects
4. Customers
5. IBM Partnership
Eurekify works as an independent solution and/or complements any Identity Management system
Special partnership with IBM – “Optimized Partner”
Integrated interface with Tivoli Identity Manager (ITIM)
Working closely with ITIM lab in Irvine, CA
Certified as “Ready for Tivoli”
More than 20 joint customers worldwide
7. Privileges Quality is the Source of All Evil
Currently: many systems, many people, many changes
Hundreds or even thousands of applications
Many people came, many changed positions, many left
Many privileges were granted ad-hoc
The Result: Poor & Unmanageable Privileges
1MM privileges for 20,000 users, many are ad-hoc
50% more accounts than people in the average system
30% out-of-pattern privileges
20-50% of groups are redundant or unnecessary
No central view of privileges
The Immediate Impact:
Serious security holes abound
Administration costs and productivity losses
Other Impact
Difficult to implement Identity Management
Difficult to achieve and demonstrate compliance
8. Solution: Role-based Management
Role-based Access Control ties IT privileges management practices to BUSINESS concepts, processes, and culture
Role-based access control (RBAC) is intended to simplify and strengthen security administration:
Attach the relevant privileges to roles
Associate users with the relevant roles
Avoid managing individual privileges
Instead of 50 privileges/person, manage 3-5 roles/person
Roles can be expressed based on membership, or as rules
e.g., “Marketing users, in division X, that work out of CA, shall have access to A, B, and C”
e.g., “All the members of project X” get the rights to the project materials
Roles and rules, combined, constitute a privileges model. Role engineering is the construction of the privileges model.
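The privileges model described above, as an added example that is not Eurekify's code or data model: roles are defined either by an explicit membership list or by a rule over HR attributes, the model yields the privileges each user is expected to hold, and comparing that with what the systems actually grant gives the out-of-pattern privileges, the missing ones, and the coverage and assignment figures cited on the "Privileges Quality" slides. All users, attributes, roles and privilege names are constructed sample data.

```python
"""Toy role-based privileges model: roles defined by explicit membership or
by a rule over HR attributes, the privileges each user is expected to hold,
and the gap between that and what the systems actually grant.

Added illustration with constructed sample data; not Eurekify's code or
data model."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed HR feed: user -> attributes.
USERS: Dict[str, Dict[str, object]] = {
    "alice": {"dept": "marketing", "division": "X", "location": "CA", "projects": {"P1"}},
    "bob":   {"dept": "marketing", "division": "X", "location": "NY", "projects": set()},
    "carol": {"dept": "finance",   "division": "Y", "location": "CA", "projects": {"P1"}},
    "dave":  {"dept": "marketing", "division": "X", "location": "CA", "projects": set()},
}

# Constructed snapshot of privileges actually granted on the target systems.
ACTUAL: Dict[str, Set[str]] = {
    "alice": {"A", "B", "C", "P1_docs"},
    "bob":   {"A", "B"},                                   # granted ad hoc
    "carol": {"P1_docs", "ledger_read", "payroll_write"},  # payroll_write is ad hoc
    "dave":  {"A", "B"},                                   # C was never provisioned
}


@dataclass
class Role:
    name: str
    privileges: Set[str]
    # A role is either an explicit membership list ...
    members: Set[str] = field(default_factory=set)
    # ... or a rule over HR attributes that decides membership.
    rule: Optional[Callable[[Dict[str, object]], bool]] = None

    def applies_to(self, user: str, attrs: Dict[str, object]) -> bool:
        if self.rule is not None:
            return self.rule(attrs)
        return user in self.members


# The privileges model: roles and rules combined.
ROLES: List[Role] = [
    # Rule-based: "Marketing users in division X working out of CA get A, B and C"
    Role("marketing-X-CA", {"A", "B", "C"},
         rule=lambda a: a["dept"] == "marketing" and a["division"] == "X" and a["location"] == "CA"),
    # Rule-based: finance staff may read the ledger
    Role("finance", {"ledger_read"}, rule=lambda a: a["dept"] == "finance"),
    # Membership-based: "all members of project P1" get the project materials
    Role("project-P1", {"P1_docs"}, members={"alice", "carol"}),
]


def user_roles(user: str) -> List[str]:
    """Names of the roles whose membership list or rule covers this user."""
    return [r.name for r in ROLES if r.applies_to(user, USERS[user])]


def expected_privileges(user: str) -> Set[str]:
    """Privileges the model says the user should hold: the union over their roles."""
    names = set(user_roles(user))
    return set().union(*(r.privileges for r in ROLES if r.name in names))


def out_of_pattern(user: str) -> Set[str]:
    """Granted privileges that no role explains: the ad hoc exceptions to review."""
    return ACTUAL[user] - expected_privileges(user)


def missing(user: str) -> Set[str]:
    """Privileges the model grants but the systems never provisioned."""
    return expected_privileges(user) - ACTUAL[user]


def coverage() -> float:
    """Share of granted privileges that the role model explains."""
    total = sum(len(p) for p in ACTUAL.values())
    explained = sum(len(ACTUAL[u] & expected_privileges(u)) for u in ACTUAL)
    return explained / total


def assignment_counts() -> Tuple[int, int]:
    """(individual privilege assignments, role assignments): what admins would manage."""
    direct = sum(len(p) for p in ACTUAL.values())
    via_roles = sum(len(user_roles(u)) for u in USERS)
    return direct, via_roles


if __name__ == "__main__":
    for u in USERS:
        print(f"{u:6} roles={user_roles(u)} out-of-pattern={sorted(out_of_pattern(u))} "
              f"missing={sorted(missing(u))}")
    print(f"coverage={coverage():.0%}  assignments(direct, via roles)={assignment_counts()}")
```

Running it shows bob's two privileges as out-of-pattern (he is in NY, so the CA rule does not cover him), carol's payroll_write as an exception, dave's C as unprovisioned, and 11 direct assignments collapsing to 5 role assignments. In a real deployment the HR feed and the privilege snapshot would come from the identity store and the target systems; the comparison logic stays the same.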
9. Eurekify’s Approach
10. Eurekify Pattern Recognition Analytics
We did not invent Role-based Access Control (RBAC)
But we made it a lot easier with our pattern recognition technology
11. Privileges Quality Management
Compliance Management
Role Management
12. Five Steps to Privileges Quality Management
Implement full role-based privileges model across platforms (incrementally)
13. Current Statistics
Users, Groups, Access rights, Access levels
Individual system or application
Cross system (IdM view)
Any level of granularity
14. Privileges Querying
Who has which privileges? Who else? What else? What is in common? Through which roles? Who or what is the exception? What is the overlap? What other role is similar?
15. Privileges Quality Assessment
HR mismatches
Out-of-pattern privileges
Suspected users, groups
Redundant groups/roles
Dual links
Much more…
16. Privileges Cleanup
Each system, cross systems
Orphan users, groups
Privileges collectors
All levels of granularity
Out-of-pattern alerts
Rule violation alerts
Easy review/fixing
User/Manager review workflow
17. Analytics-Assisted Privileges Verification
18. Privileges Quality Management
Detect
Automatically detect inconsistencies
Critique
Collaborative analysis and review
Set and review quality targets
Adapt
Analyze & update role model
Fix privileges
Approve
Approve changes
19. Privileges Quality Management
Compliance Management
Role Management
20. Five Steps to Compliance Management
Implement full role-based privileges management and compliance
21. Privileges Recertification/Attestation
Quick setup of recertification processes
User initiated via portal
E-mail campaigns
22. Business Process Rules (including SoD)
Easily specified into a portable catalog
Can be specified by business and/or IT people and/or auditors
Segregation of duty (SoD)
Business process rules and constraints
Restricted relationships between HR attributes and allowed privileges
All levels of granularity
23. Policy and Compliance Verification
Automated compliance re-verification, periodically via batch processes
Compliance reporting and dashboard
Easy review/fixing by business owners and administrators
Easy integration with external reporting, workflow, and IdM tools
24. Compliance Management
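The rule catalog and batch verification described on the last two slides, as an added example that is not Eurekify's Sage or its catalog format: a portable JSON catalog holding segregation-of-duty rules and restrictions between an HR attribute and the privileges it permits, a verification pass that checks a privileges snapshot against every rule, a per-rule count for a dashboard, and a JSON-lines export for an external workflow tool. The rule ids, users, attributes and privilege names are constructed sample data.

```python
"""A portable catalog of business process rules (segregation of duties and
HR-attribute constraints) and a batch verification pass that checks a
privileges snapshot against it, yielding violations for review.

Added illustration with constructed rules and data; it is not Eurekify's
Sage or its rule catalog format."""
import json
from collections import Counter
from typing import Dict, List, Set

# Portable catalog: plain JSON so business owners, IT and auditors can all read and edit it.
RULE_CATALOG_JSON = """
[
  {"id": "SOD-01", "kind": "sod",
   "description": "Nobody may both create vendors and approve payments",
   "conflict": ["vendor_create", "payment_approve"]},
  {"id": "SOD-02", "kind": "sod",
   "description": "Developers may not also deploy to production",
   "conflict": ["code_commit", "prod_deploy"]},
  {"id": "ATTR-01", "kind": "attribute",
   "description": "Payroll privileges are restricted to the HR department",
   "privilege_prefix": "payroll_", "attribute": "dept", "allowed": ["hr"]},
  {"id": "ATTR-02", "kind": "attribute",
   "description": "Ledger write access is restricted to permanent staff",
   "privilege_prefix": "ledger_write", "attribute": "employment", "allowed": ["permanent"]}
]
"""

# Constructed HR attributes and granted privileges for the batch run.
USERS: Dict[str, Dict[str, str]] = {
    "erin":  {"dept": "finance", "employment": "permanent"},
    "frank": {"dept": "eng",     "employment": "contractor"},
    "grace": {"dept": "finance", "employment": "contractor"},
    "heidi": {"dept": "hr",      "employment": "permanent"},
}
PRIVILEGES: Dict[str, Set[str]] = {
    "erin":  {"vendor_create", "payment_approve", "ledger_write"},
    "frank": {"code_commit", "prod_deploy"},
    "grace": {"payroll_write", "ledger_write"},
    "heidi": {"payroll_read", "payroll_write"},
}


def load_catalog(text: str) -> List[dict]:
    """Parse the catalog and reject rules of unknown kind before they are trusted."""
    rules = json.loads(text)
    for r in rules:
        if r["kind"] not in ("sod", "attribute"):
            raise ValueError(f"rule {r['id']}: unknown kind {r['kind']!r}")
    return rules


def check_rule(rule: dict, user: str, attrs: Dict[str, str], privs: Set[str]) -> List[dict]:
    """Evaluate one rule for one user; return zero or more violation records."""
    if rule["kind"] == "sod":
        held = set(rule["conflict"]) & privs
        # A SoD conflict needs the whole toxic combination in one pair of hands.
        if held == set(rule["conflict"]):
            return [{"rule": rule["id"], "user": user, "evidence": sorted(held)}]
        return []
    # Attribute rule: any privilege with the prefix requires an allowed attribute value.
    offending = sorted(p for p in privs if p.startswith(rule["privilege_prefix"]))
    if offending and attrs.get(rule["attribute"]) not in rule["allowed"]:
        return [{"rule": rule["id"], "user": user, "evidence": offending}]
    return []


def verify(catalog: List[dict]) -> List[dict]:
    """Batch pass: every rule against every user in the snapshot."""
    violations: List[dict] = []
    for user, attrs in USERS.items():
        for rule in catalog:
            violations.extend(check_rule(rule, user, attrs, PRIVILEGES.get(user, set())))
    return violations


def dashboard(violations: List[dict]) -> Dict[str, int]:
    """Violation count per rule, the figure a compliance dashboard would plot."""
    return dict(Counter(v["rule"] for v in violations))


def export_jsonl(violations: List[dict]) -> str:
    """One JSON record per line, a shape an external workflow or IdM tool can ingest."""
    return "\n".join(json.dumps(v, sort_keys=True) for v in violations)


if __name__ == "__main__":
    found = verify(load_catalog(RULE_CATALOG_JSON))
    print(export_jsonl(found))
    print(dashboard(found))
```

The pass flags erin for holding both sides of the vendor/payment conflict, frank for commit plus production deploy, and grace twice: payroll access outside HR and ledger write as a contractor. Because the rules are data rather than code, the same verification runs unchanged when the catalog is extended, and the scheduled batch simply re-runs it against a fresh snapshot and exports whatever is new for review.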
25. Privileges Quality Management
Compliance Management
Role Management
26. Five Steps to Role Management
Define and implement administrative provisioning processes (IT, HR)
27. Eurekify Role Engineering Methodology
Combined role engineering (RE) methodologies
Target coverage: 80% of privileges
Comparison of alternative role engineering methodologies
Critiquing of new/existing roles
28. Eurekify Role Management Processes
Role Model Management processes
Detect and adapt to business changes
Consistency and compliance tests
Review and approval processes
Role Administration processes (for customers that do not deploy a strong IdM system)
Add/change/request role definitions
Add/change/remove privileges
Eurekify analytics are key for effective processes
Independent processes that can also be integrated into any external workflow
Role provisioning usually done by IdM or Meta-Directory
29. Easy Integration with Other Systems
Quick import/export (asynchronous)
Privileges data and role definitions
File-based or API-based exchange
Easy real-time synchronization
Real-time exchange of roles & privileges data (snapshot/delta)
Real-time analytics available via web services calls
All levels of granularity
Web services integration
Flexible web services for third-party workflow
Identity Management, Help Desk, company standard workflow
All are empowered with Eurekify’s analytics
30. Role Management
Detect
Exceptions
Inconsistencies
Policy violations
Business changes that affect roles
Critique
Collaborative analysis & review
Adapt
Analyze & update role model
Fix privileges
Approve
Approve changes
Synch it
31. Customer Case
32. KPN – The Dutch National Telecom
The scenario
Multiple business units: “fixed”, mobile, cable, IPTV
28,000 people
48 systems subject to SOX + 19 to National Competition Regulation
Very diverse, including mainframe, SAP, and many homegrown systems
The approach and project
Performed jointly by PwC and KPMG
Used Eurekify Sage to code BPRs
Analyzed 80 business processes, creating one policy for each
A total of over 1000 BPRs (10-15 per policy)
3 Layers of controls: commonly accepted principles, organizational structure and processes, time and location
The result
Project completed in under 4 months!
Several thousand violations were removed or rationalized
Passed SOX review
33. How to Start
34. How to Start?
A Eurekify “Survey” is the best way to start
Only 5 days!
Lots of immediate value
Qualitative and quantitative assessment
Privileges review
Piloting compliance tests
Role engineering tryouts
You will then know
What you need, and how to justify your needs
How to best start a successful project
Call Eurekify or a local partner, or email sales@eurekify.com
35. END