IBM Identity Management Solution Update European User Group -
IBM Security Systems
IBM Identity Management Solution Update
European User Group
May 2014
© 2014 IBM Corporation

Recap: IBM’s Threat-Aware Identity and Access Management
Capabilities to help organizations secure enterprise identity as a new perimeter

Safeguard mobile, cloud and social access
• Validate “who is who” especially when users connect from outside the enterprise
• Proactively enforce access policies on web, social and mobile collaboration channels

Deliver actionable identity intelligence
• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence

Prevent advanced insider threats
• Manage and audit privileged access across the enterprise
• Defend applications and data against unauthorized access

Simplify cloud integrations and identity silos
• Provide federated access to enable secure online business collaboration
• Unify “Universe of Identities” for efficient directory management

Identity Management Update
(Roadmap timeline figure covering 2012, 2013 and 2014 for ISAM ESSO, ISPIM and ISIM)

ISPIM 1.0
• Automated, secure checkout/in of shared IDs
• Session recording option

ISPIM 1.0.1 and 1.0.1.1
• PIM virtual appliance
• Full Cognos reporting
• Time to value: v. appliance w/ HA
• Misc. governance enhancements
• Enhanced session recording

ISIM 6
• Web Services
• Role management enhancements
• Admin/management enhancements
• Cognos custom reports

ISIM 6.0.0.2 and 6.0.0.3
• Service Center UI Introduction
• Full Cognos reporting
• WAS 8.0 support
• Usability – Service Center UI Ph 2
• Customer-sponsored enhancements
• Platform updates

Ongoing: Quarterly ISIM Adapter updates

Deliver actionable Identity intelligence
Identity Service Center today
Launch pad for all your Identity tasks
IBM Security Identity Manager

Key v6.0.0.3 Capabilities
• Request access – self and manager
• View status of request – self and manager
• View current entitlements – self or my employee
• Approve access request
• Password management via launch to Self Service UI
• Cognos reporting via launch from ISC home page
• Other Self Service UI functions – via launch in context from ISC home page
• Delegation via launch of Admin Console home page
• Custom links
• Other functions in Admin Console – launch from ISC home page to Admin Console home

DEMO

Prevent advanced insider threats
IBM Security Privileged Identity Manager: Delivers effective privileged identity control with a secure vault and automated sign-on

1. Configure Privileged Account (diagram label: Admin ID)
2. User’s credential is automatically checked out of the vault and used to log user into privileged account. Credential is automatically checked in to vault upon logout
3. User activity is logged

Built on proven IBM Security Identity and Enterprise Single Sign-On capabilities and supports integrated deployment

Prevent advanced insider threats
Audit Privileged User Activity and Sensitive Data Access

Privileged User Activity Monitoring with Privileged Session Recorder option:
• Recording and logging of user activity in sessions accessed through a shared ID
• Discourage users with privilege from abusing their rights

Control and audit shared and privileged Identity activity

Prevent advanced insider threats
Easy to deploy, use and extend appliance based solution

Improved User Experience
• PIM UI provides a specific PIM user interface for customers focused on PIM-only use cases
• Allows PIM administrators to easily perform privileged management tasks
• Faster loading of PIM credential vault with bulk loading tool
• Citrix user support

Virtual Appliance improves TTV from days to hours (NEW)
• PIM capabilities in a virtual appliance form factor with pre-installed components & middleware, configured through VA panels.
• HA configurations supported
• Reduces the skills requirements for IT admins, i.e. install/config, patch/upgrade efforts, etc.

Prevent advanced insider threats
ISPIM Virtual Appliance - Management dashboard

Risk analytics - usage and threat:
Identity enriched security intelligence: ISIM and QRadar Integration

(Diagram labels: Security Identity Manager; Applications; Databases; Operating Systems; Networks & Physical Access; Identity Repository)
• Identity mapping data and user attributes
• SIM Server logs
• Application logs

QRadar Device Support Module for Identity Manager (including PIM vault functions)
• Centrally reports in QRadar the activities of the ISIM admin users

Collect identity attribute info from ISIM registry. Use data in conjunction with log events and network flow data in rules to provide “identity context aware” security intelligence
• Map ISIM identities and groups to activities in QRadar-monitored applications. Help correlate enterprise-wide user activities. Generated reports can assist with ISIM user recertification or role planning

User ID Mappings: multiple user IDs from systems are mapped to a common ID, e.g. SKumar and SureshKumar are the same person, for comprehensive activity correlation

Prevent advanced insider threats
Example: Detect Privileged User Activity Threats
Consolidated view of User/System Activities of a Typical Privileged User Logon via PIM
SEE THE VIDEO: http://w3.tap.ibm.com/medialibrary/media_view?id=225130
Implement closed-loop IAM integration with Security Intelligence

Governance: more tomorrow!
Integrations - Broader Access Governance: CrossIdeas “IDEAS” product
– Strong attestation/recertification and SoD capabilities, SAP specific controls, innovative Risk Scoring
– Provides bidirectional synchronization between ISIM and IDEAS
– Helps ISIM customers rapidly introduce Access Governance capabilities with no changes in their existing ISIM environment

Enables Access Governance on top of ISIM infrastructure and data; deployed and configured as an ordinary ISIM Adapter; API based integration

More to come tomorrow!

Deliver actionable Identity intelligence
Three Waves of Identity Governance and Administration

Wave 1: Administration
• Cost savings
• Automation
• User lifecycle
• Key on premise apps & employees

Wave 2: Governance
• Role management
• Access certification
• Extended enterprise – business partners
• On and off-premise apps

Wave 3: Analytics
• Application usage
• Privileged activity
• Risk-based control
• Baseline normal behavior
• Employees, partners, consumers – anywhere

IAM Analytics – Collect and Analyze Identity Data
• Improved visibility into how access is being utilized
• Risk-based insights for prioritized compliance actions
• Clear actionable dashboards for better business decision making

IBM Security Access Manager for Enterprise Single Sign-On

Prevent advanced insider threats
IBM ISAM for Enterprise Single Sign-on v8.2.1.3: improved profiling, broader platform support and enhanced performance

Improved Profile capturing, maintenance and debugging
• Increase coverage for auto-learn profile
• Playback and trace the Observer log files on the AccessStudio Real-Time Logs pane
• Easy to maintain multiple versions of profiles
• Enhanced troubleshooting by using more meaningful labels in scripts

Broader Platform support
• Citrix XenDesktop 7.0 and 7.1 support
• Windows 8.1 32 bit and 64 bit support (does not support Windows Store Apps)

Support for Host on Demand
• Introducing IBM Host on Demand support for providing mainframe coverage

Improved Performance
• Enhancement for start up and loading time for AccessAgent
• Loading time improvement for Credential Provider

Enhanced Monitoring
• Ensuring recovery of the system using System Health Monitoring in case of AccessAgent crashes

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.