Enterprises have always struggled with keeping privileges to their IT systems in good order. With millions of access rights, this has been very difficult, especially during periods of restructuring and whenever new applications are introduced. A recent survey shows that most organizations believe that at least 20% of their privileges are incorrect. As a result, organizations experience:
- Lack of control over privileges – it is difficult to respond to simple questions such as who is allowed to do what, and why
- Significant security issues – wrong privileges are an open door to improper use
- High costs of privileges administration – it is very difficult to manage up to 50 privileges per user, on a variety of systems and platforms
- Lower level of service to business users – it takes more time to provide accurate access to legitimate users
Most enterprises today consider Role-based Access Control (RBAC) -- the management of IT privileges in accordance with business roles -- as best practice and as a solution to the privileges quality and control issues. In a role-based environment, 500 roles may replace a million individual access rights, making privileges easier to manage and maintain. Furthermore, roles correspond to business practices, and as such enhance collaboration between business and IT.
Since 2002, Eurekify has pioneered the use of role management as an independent enterprise paradigm, for Identity Management and Compliance projects, and for the management of privileges in various enterprise platforms.
Enterprises wish to align IT privileges with Business Roles
- To gain control over privileges and ensure that they are granted based on business needs
- To respond to regulatory requirements (such as Sarbanes-Oxley, HIPAA, Basel II, Gramm-Leach-Bliley, etc.)
- To enable effective deployment of Identity Management and Automated Provisioning systems
- To reduce exposure to misuse and other security risks
- To increase productivity and responsiveness of security administration teams
The 5Cs of Role Management
Customers and analysts have defined the 5 main capabilities (5Cs) that are required from an Enterprise Role Management solution:
- Control – Quickly gain enterprise-wide view of “who’s doing what and why”
- Create – Rapidly build a role based model according to business needs, and then continuously adapt it as the business changes
- Comply – Promptly comply with policies and regulations, prepare for audits, and obtain certification from auditors and business managers, even as those policies and regulations change
- Correlate – Continuously correlate privileges to detect inconsistencies, exceptions, or changes in the model, assisting all stakeholders all the time
- Collaborate – Provide IT and business managers a collaborative environment to review, certify, and manage violations and conflicts between existing privileges and stated policies, and to analyze risks
Key Deliverables of Eurekify Sage ERM
- Review and query privileges immediately, covering any and all systems and applications at any level of granularity.
- Create and/or critique a role-based privileges model more quickly than with any other tool or methodology.
- Use Eurekify pattern recognition technology to automatically discover business and IT roles and rules, or to design and refine roles based on business analysis.
- Top-down and bottom-up. Role-based and rule-based. Organizational, functional, project-oriented, applicative roles, and more.
- Automate periodical privileges review and cleanup processes. Identify, review, and track exceptional access based on a variety of pattern-oriented analyses.
- Automate periodical verification and demonstration of compliance with segregation of duty (SoD) rules and other IT controls.
- Automate periodical privileges certification/attestation processes quickly and easily. Business line managers can easily review and make requests over privileges of subordinates and/or privileges to resources they own.
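The three mechanisms in the list above (bottom-up role discovery, review of exceptional access, and segregation-of-duty verification) are easiest to understand on a concrete user/privilege matrix. The following is an added, self-contained illustration written for this page; it is not Eurekify Sage ERM's own code, model or API. The users, departments, privilege names and SoD rules are constructed, and the function names (`discover_roles`, `find_exceptions`, `check_sod`, `role_coverage`) are assumptions for the example. It mines one candidate role per department as the privileges all members share, reports each user's privileges beyond that role as the exceptions a certification campaign should surface, and checks SoD rules both against role definitions (a design defect) and against each user's effective privileges (an assignment defect).

```python
"""Bottom-up role discovery, exception review and segregation-of-duty (SoD)
checking over a user/privilege matrix.
Added illustration: data, privilege names and functions are constructed for this
example and are not Eurekify Sage ERM's own model or API."""
from collections import defaultdict

# Constructed sample: the business attribute used to seed roles (department).
USER_DEPARTMENT = {
    "alice": "accounts_payable", "bob": "accounts_payable", "carol": "accounts_payable",
    "dave": "general_ledger", "erin": "general_ledger",
}

# Constructed sample: raw privileges per user, as collected from target systems.
USER_PRIVILEGES = {
    "alice": {"erp.ap.invoice.create", "erp.ap.vendor.maintain", "hr.timesheet.submit"},
    "bob": {"erp.ap.invoice.create", "erp.ap.vendor.maintain", "hr.timesheet.submit"},
    "carol": {"erp.ap.invoice.create", "erp.ap.vendor.maintain", "hr.timesheet.submit",
              "erp.ap.payment.approve"},
    "dave": {"erp.gl.journal.post", "erp.gl.period.close", "erp.gl.report.view",
             "hr.timesheet.submit"},
    "erin": {"erp.gl.journal.post", "erp.gl.period.close", "erp.gl.report.view",
             "hr.timesheet.submit", "erp.ap.vendor.maintain"},
}

# Constructed SoD rules: pairs of privileges a single person must not combine.
SOD_RULES = [
    ("erp.ap.invoice.create", "erp.ap.payment.approve"),
    ("erp.ap.vendor.maintain", "erp.ap.payment.approve"),
    ("erp.gl.journal.post", "erp.gl.period.close"),
]


def discover_roles(user_privs, user_attr):
    """Bottom-up role mining keyed on one business attribute.
    The candidate role for each attribute value is the set of privileges that
    every member holds; privileges held by only some members are left out and
    surface later as exceptions."""
    members = defaultdict(list)
    for user, value in user_attr.items():
        members[value].append(user)
    return {value: frozenset(set.intersection(*(set(user_privs[u]) for u in users)))
            for value, users in members.items()}


def organizational_role(user_privs):
    """Privileges held by everyone: the enterprise-wide 'all staff' role."""
    return frozenset(set.intersection(*(set(p) for p in user_privs.values())))


def find_exceptions(user_privs, user_attr, roles):
    """Privileges a user holds beyond their role: the short list a periodic
    review or certification should put in front of the responsible manager."""
    exceptions = {}
    for user, privs in user_privs.items():
        extra = set(privs) - roles[user_attr[user]]
        if extra:
            exceptions[user] = sorted(extra)
    return exceptions


def sod_violations(privs, rules):
    """Rules whose two privileges are both present in `privs`, in rule order."""
    return [rule for rule in rules if rule[0] in privs and rule[1] in privs]


def check_sod(user_privs, roles, rules):
    """SoD at two levels: a hit on a role definition is a design defect (the
    role grants a toxic combination and must be split); a hit on a user's
    effective privileges is an assignment defect to remove or formally approve."""
    def hits(mapping):
        found = {name: sod_violations(privs, rules) for name, privs in mapping.items()}
        return {name: h for name, h in found.items() if h}
    return hits(roles), hits(user_privs)


def role_coverage(user_privs, user_attr, roles):
    """Share of all individual privilege assignments explained by the roles;
    the remainder still has to be managed one right at a time."""
    total = sum(len(p) for p in user_privs.values())
    explained = sum(len(set(p) & roles[user_attr[u]]) for u, p in user_privs.items())
    return explained / total


if __name__ == "__main__":
    roles = discover_roles(USER_PRIVILEGES, USER_DEPARTMENT)
    for name, privs in roles.items():
        print(f"role {name}: {sorted(privs)}")
    print("organizational role:", sorted(organizational_role(USER_PRIVILEGES)))
    print("exceptions to review:", find_exceptions(USER_PRIVILEGES, USER_DEPARTMENT, roles))
    role_hits, user_hits = check_sod(USER_PRIVILEGES, roles, SOD_RULES)
    print("SoD hits in role definitions:", role_hits)
    print("SoD hits in user privileges:", user_hits)
    print(f"assignments explained by roles: {role_coverage(USER_PRIVILEGES, USER_DEPARTMENT, roles):.0%}")
```

On the constructed data the general_ledger role itself combines journal posting with period close, so the SoD hit for dave and erin cannot be fixed by removing an exception; the role has to be redesigned, which is the distinction between the role-level and user-level reports. Carol's hits, by contrast, come only from her exceptional `erp.ap.payment.approve` right, which is exactly what the exception list surfaces for her manager. Keying the mining on a single attribute keeps the example readable; a real role-engineering run would combine several attributes and a minimum-membership threshold before proposing a role.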
Eurekify Approach to Enterprise Role Management
Eurekify Sage ERM is an analytical enterprise platform that enables collaboration between role managers and security administrators, business managers, and auditors.
Eurekify uses a classical IT management cycle consisting of "assess, adapt, and approve" actions to create, and then to continuously maintain and approve the role-based privileges model. As part of this cycle, Eurekify's pattern recognition technology is first used to assess the current situation, then to assist in the construction of role definitions and/or ongoing adaptation of roles and of individual privileges, and finally to involve the relevant stakeholders in the approval and certification of relevant changes. This role management cycle is repeated continuously to assure that the role-based privileges model remains in sync with the business on one hand and with the IT systems on the other hand.
Analytics are Critical to Effective Role Management
Eurekify's advanced analytical technology was developed from our experience in order to substantially improve the role management processes required to address the 5Cs. Without sophisticated analytics, many role management processes are very difficult, and may even be infeasible:
- Control – Without clearly mapping privileges, commonalities, and exceptions, one cannot be sure to gain control
- Create – Without automated discovery of role candidates, role engineering is extremely laborious and error prone
- Comply – Without automated identification of exceptions and violations, one cannot demonstrate compliance
- Correlate – Without automated detection of changing patterns, as well as new inconsistencies, one cannot adapt to business changes, and cannot balance business and security needs
- Collaborate – Without automated detection and highlighting of the most pertinent changes and exceptions, one is not empowering business managers, but merely setting them up with an impossible certification task