PCI compliance: What it is and why it matters (Q&A) | InSecurity Complex - CNET News

PCI compliance: What it is and why it matters (Q&A) | InSecurity Complex - CNET News.

Role Manager 5.0 and Directory Server 7.0 Product Updates

Check out the webinar replay done by Nick Wooler and me on the latest product offerings (Sun Role Manager 5.0 and Directory Server 7.0):

The presentation can be downloaded below:

Download RM5_DSEE7_Customer_Webinar_Presentation_v5

BTQ Podcast - Real World Role Management

Check out the podcast by Matt Modica from ESI and Nick Crown, PLM for Sun Role Manager & Identity Manager on here. 

The discussion is centered around the Identity & Access Mgmt. project undertaken by ESI, their architecture, challenges faced and lessons learned.

On glossary management...

Last week, I discussed a very interesting requirement posed by a customer where they were looking for complete glossary management for entitlements being managed in their warehouse of user identities. A major problem for them today is most entitlements, especially for mainframes, is not clearly understood by the business when they perform their quarterly attestation reviews. To add to that, there are no tools available in the market today that provide a centralized view for managing glossary definitions and security features that allow multiple owners to complete glossary definitions, that can later be leveraged by not just an attestation solution, but also by provisioning solutions and other downstream applications that require lines of business to thoroughly understand the meaning of cryptic entitlements (such as a RACF group membership or the true meaning of an SAP role).

According to them, this solution would truly provide an enterprise wide capability to effectively manage glossary definitions across applications and target systems, at the same time providing a means to attest to the validity of the entitlements themselves. According to another large banking customer, there is an entitlement creep that happens to an organization across time, and these entitlements are never cleaned up in the target systems. A mechanism to truly understand the meaning and whether the entitlement is indeed needed or not, is called for.

This begs for another question, in addition to regular glossary management capabilities (CRUD) do glossaries need to be approved before being defined or modified, for all entitlements? This would require workflow capabilities in order for designated for "glossary owners" to approve any changes being made to glossaries. Moreover, glossary owners would then be required to attest glossaries, and most importantly, the need for all entitlements pertaining to a target system or application on a regular basis, to provide comprehensive evidence to auditors that unwanted entitlements are actually being revoked from the target systems on a regular basis, furthermore, moving towards least privilege. 

PCI Compliance Only the Start of Security

PCI Compliance Only the Start of Security.

Is all the PCI DSS compliance whining and complaining justified?

Is all the PCI DSS compliance whining and complaining justified? .

How can we make User Attestations easier for Managers?

Its that time of the quarter again! Lets do some User Access Reviews! Its pretty much the case with most organizations, its one task managers do not look forward to. And I wouldn't blame them. Certifying a users access on a mainframe or Active Directory is not a manager's dream job. As a vendor and product manager, some questions related to this problem arise:

1. How do we make it easier for managers to perform their access reviews? 

2. How do we ensure that access reviews are a breeze, enabling our managers to move on to more important tasks? 

3. How do we provide managers with sufficient information that allows them to make educated decisions on certifying a users access? As Mat Hamlin writes, they can't, they won't, if they don't understand what they are attesting to.

From a product perspective, a few solutions come to mind (in addition to the ones Mat talks about in his blog entry), that make it easier for managers to quickly and accurately get through their attestations:

1. User Interface! User Interface! Make it a seamless, easy to use, UI that allows Managers flexible options to certify hundreds of user entitlements with fewer clicks, while presenting the information they need to see (no cryptic entitlements! use glossary!).

2. Flag High Privileged, High Risk Entitlements. Red Alert!

3. Display the type of account a manager is certifying to, is it a System Account, is it an Email Account, etc.

4. Was the account a part of a Segregation of Duties violation? Is the violation still open? Was the account a part of a Segregation of Duties violation and was accepted as a risk for a particular time period?

5. Flag access that was previously revoked in a prior certification. Red Alert! The users access was not cleaned up in Q1, IT sucks!

6. For ongoing attestations, display user access that was changed (added/modified) since the last attestation. Maybe grey out the access that was constant so the manager does not have to attest it again, unless they really want to. Makes it faster for a manager to go through a larger attestation, spanning multiple departments or cost centers.

7. Move towards Role based access control! Isn't it easier for a manager to certify his employee accessing the "Accountant" role with access to underlying applications, that certifying on each individual application itself? 

8. Display any role assignment rules that were used to assign Roles to a user. Provides validation on why a user has access to them.

9. Integrate with your Provisioning solution (assuming it uses a self service interface and has approvals and workflow set up). Extract Workflow approval logs from the solution and display 1) Who Approved What? 2) When was it approved? 3) Approval Comments. This informs managers that the users entitlements went through a legitimate approval process and are a no-brainer to approve during the attestation.

 

10. Integrate with an SIEM Solution. How cool would it be for managers to not only see what entitlements a user has access to, but whether those entitlements were being put to good use or not? If a user has not logged into an accounting application for the past one year, but still has access to it, maybe he or she does not need it anymore. This would prove to be extremely valuable for managers to make quick decisions and move their users towards least privilege.

Lets make life easier for our managers...they have more important work to do!