General Motors Corporation 2008
Identity and Access Identity and Access ManagementManagement
Stuart McCubbreyStuart McCubbreyDirector, Information Director, Information
Technology AuditTechnology AuditGeneral Motors CorporationGeneral Motors Corporation
IIA Detroit Chapter Dinner MeetingIIA Detroit Chapter Dinner MeetingVis Ta Tech Conference CenterVis Ta Tech Conference Center
January 8, 2008January 8, 2008
Sajai RaiSajai RaiPartner, Advisory Solutions Partner, Advisory Solutions
PracticePracticeErnst & Young LLPErnst & Young LLP
2General Motors Corporation 2008
Agenda
• Introduction– Business Drivers– Identity and Access Management Background
• Key Concepts– Identity Management vs Entitlement Management– Identity Components– Access Rights and Entitlements– Provisioning Process– Administration of Identities and Access Rights Process– Enforcement Process– Use of Technology
• The Role of Internal Auditors– Identifying Key Risks and Controls
3General Motors Corporation 2008
Business Drivers
• Identity and Access Management– Touches entire business– Mix of Technology and Process
• Key Drivers– Reduced information security risks– Reduced IT operating and development costs– Improved operating efficiencies and transparency– Improved user satisfaction– Increased effectiveness of key business initiatives– Improved regulatory compliance
4General Motors Corporation 2008
Identity and Access Management Background
• Three Key Questions– Define who has access to what information?– Is access appropriate?– Is access and activity logged and appropriately
monitored?
• Adoption Risks– Organization complacency– Participation– Planning– Communication– Incorporation of all systems into the process– Process complexity– Weak process– Lack of enforcement
5General Motors Corporation 2008
Key Concepts
• Identity Management vs. Entitlement Management– Identity and Access Management Process– Entitlement Management
Identity and Access Management
Identity Access
Provision
· Request· Validate· Approve· Propagate· Communicate
Administer
· Monitor· Manage passwords· Audit and reconcile· Administer policies· Strategize· Manage systems
Enforce
· Authenticate· Authorize· Log activity
Information Systems and Data
Activities
Com
pone
ntsP
rocesses
6General Motors Corporation 2008
Key Concepts
• Identity Components– Identity Types– Identity Onboarding– Identity Offboarding
Approve Payment
RequestPayment
SegregationOf Duties
• Access Rights And Entitlements– Entitlement Changes– Privileged Account
Management– Segregation of Duties
IndividualUser
User Groups
User Groups
`
MachineAccounts
`Access needed for job?
7General Motors Corporation 2008
User Provisioning Process
• Request • Approve • Propagate•
Com
mu
nic
ate
• Log
``
PreventiveSegregation of Duties
Check
Route to Primary Approver
Route to Additional Approvers
Automatically Grant Access
Any person or system
Submit request
Manager orsecurity administrator
Approve request
Application owner
Approve request
Target application
Entitlement Repository
Segregation of Duties Rules
Ap
pro
val H
iera
rch
y
Ap
pro
val H
iera
rch
yEntitlement Configuration Rules
Application maintains responsibility for enforcing
access control.
8General Motors Corporation 2008
Administration
• Periodic Audit– Segregation of Duties– Entitlement Review
• Policy Administration– Creation of IAM Policy if non-existant– Periodic update of IAM Policies
• IAM Strategy– Components– Process– Activities
• IAM System Administration– Manage processes & systems
• End-user Password Administration– Creation and communication of initial passwords– Resetting lost or stolen passwords– Managing complexity of passwords
• Reporting– Lists of identities and accesses for review– Approval lists– Lists of group and supervisory accounts
9General Motors Corporation 2008
Enforcement Process
`
Access Logging
Authorization
AuthenticateWho are you? I am jsmith123. Yes, your credentials support that claim.
AuthorizeWhat can jsmith123 do on this system? Jsmith123 can issue purchase orders for…
Log Activity What did jsmith123 do during this session?
10General Motors Corporation 2008
Use of Technology in Identity and Access Management
• Provisioning Process– Request forms & Workflow capabilities– Communication of changes– Generate initial passwords– Perform Segregation of Duties Analysis
• Enforcement Process– Authentication– Authorization
• Logging and Reporting– Create logs of use– Generate reports of users with access
• Single-Sign On• Remote Access
General Motors Corporation 2008
The Role Of Internal Audit In Assessing IAM
12General Motors Corporation 2008
Assessing Inherent Risk – Four Foundational Questions
• Can all users accessing any system be uniquely identified?
• As a supervisor, do you know all systems your employees have access to?
• Are all roles that create segregation of duties conflicts identified and do you know who can use them?
• When Human Resources exits employees from the organization, is all system access terminated?
Show of hands – Who can confidently answer “Yes” to Show of hands – Who can confidently answer “Yes” to all four questions? Yes = Apply your Audit Resources all four questions? Yes = Apply your Audit Resources
elsewhere; No = There is risk to assesselsewhere; No = There is risk to assess
13General Motors Corporation 2008
Assessing Inherent Risk – Why is IAM important?
• Central to Confidentiality & Integrity of Business Information– Information Security is commonly defined as
protecting the Confidentiality, Integrity & Availability of Business Information
– IAM directly covers the “C” and the “I” and even indirectly the “A”
– Applies to:• The Information element itself• Credentials to access the information• System software that hosts the information• Application transactions that can allow access
Do you care who can view and change your business Do you care who can view and change your business information? Of course you do…… Your Company’s information? Of course you do…… Your Company’s
success depends on itsuccess depends on it
14General Motors Corporation 2008
Assessing Inherent Risk – Why is IAM important?
• Regulatory Compliance– If IAM is linked to Information Security,
then multiple laws and regulations apply: Sarbanes Oxley, HIPAA, Gramm-Leach-Bliley, various privacy laws etc., etc., etc.
– Companies have received SOX Significant Deficiencies for Access Control deficiencies (STATS ??)
10 years ago – A Big Collective Yawn from Management10 years ago – A Big Collective Yawn from ManagementToday – Public disclosure of control weaknessesToday – Public disclosure of control weaknesses
15General Motors Corporation 2008
Assessing Inherent Risk – Why is IAM so problematic?
• Proliferation of Identities Required– # of applications (GM has over 2,500)– # of different platforms hosting applications &
devices: Mainframe, Windows, UNIX, Cisco, VPN etc.– # of non-employee users: Suppliers, Dealers, Joint
Ventures, Consumers, Outsourced Providers etc.– Human beings & programs– Varying levels of access required, from limited view
access to full administrative control– Bigger risk issue for larger, de-centralized companies
In 1989, I had one ID & password to log onto the In 1989, I had one ID & password to log onto the mainframe – That changed with PC & Server platformsmainframe – That changed with PC & Server platforms
16General Motors Corporation 2008
Assessing Inherent Risk – Why is IAM so problematic?
(CHART – LAYERS OF IT CIRCLE DIAGRAM)
17General Motors Corporation 2008
Assessing Inherent Risk – The Big Picture
• Assess IAM risk in terms of People, Process & Technology:– People: Any process or technology is going
to be executed by human beings– Are people aware of policies & processes?– Are those policies & processes clear and
effectively communicated?– Are there specific management control
expectations?– Are there consequences for non-compliance?
• Accountability without consequences is meaningless
The “problem” is rarely access change requests not The “problem” is rarely access change requests not being processed, its more they were never submittedbeing processed, its more they were never submitted
18General Motors Corporation 2008
Assessing Inherent Risk – The Big Picture
• Assess IAM risk in terms of People, Process & Technology:– Process: Is everybody on the same page?– Is there a common understanding of how to
add/change/delete Identities and Access levels? If not, execution will be all over the map
– Are the processes documented?– Are the processes manual-intensive? If so,
they are very people-dependent and prone to error and/or non-performance
How global, common, standard are the processes?How global, common, standard are the processes?
19General Motors Corporation 2008
Assessing Inherent Risk – The Big Picture
• Assess IAM risk in terms of People, Process & Technology:– Technology: Is it there?– Are there multiple directories holding access
data (identities, authentication credentials, authorization levels)? Are they at all linked?
– Is there any automated workflow in the various access add/change/delete processes? All manual?
– Are their usable reports for data owners to conduct periodic access reviews?
You can’t control what you don’t knowYou can’t control what you don’t know
20General Motors Corporation 2008
Assessing Controls – Key Control Themes
• Prevention vs. Detection– Sure, you need periodic access reviews – But
they are after-the-fact, typically manually intensive and resisted by system owners
– Focus on controls at the front-end of the “Add-Change-Delete” access process:• Are SOD conflicts and business need truly assessed
before access is granted?• Are their links between Human Resource processes
and systems and down-stream systems to revoke access?
A controlled process at the start should mean cleaner A controlled process at the start should mean cleaner access reviews later onaccess reviews later on
21General Motors Corporation 2008
Assessing Controls – Key Control Themes
• Use layers to your advantage– When users leave, ensure the front doors are
shut off first: Network, e-Mail, VPN– Helps mitigate the risk of unauthorized
external access, can work on internal application access revocation next
– With internal application access, the risk is narrowed to users with existing access using inactive accounts
22General Motors Corporation 2008
Assessing Controls – Key Control Themes
• Data Cleansing– Is Management addressing dirty data?– Identify and remediate duplicate IDs: How
can you have accountability if you can’t link access activity to a specific human being or program?
– Identify and remove application segregation of duties conflicts
23General Motors Corporation 2008
Assessing Controls – Key Control Themes
• Reduced Signon (let’s not call it “Single Signon” just yet…)– As you reduce the distinct numbers of
identities required, you reduce potential points of control failure
– Have applications use central authentication sources (e.g., LDAP Directories, Active Directory)
– Synchronize passwords between applications
Start to unwind the complexityStart to unwind the complexity
24General Motors Corporation 2008
Assessing Controls – Key Control Themes
• User Education & Awareness– Usually the most cost-effective control– Do employees know the true cost of
uncontrolled access? Can you make them care?
– Do they want to do the right thing, but just don’t know how?
– Does an existing Information Security Awareness Program exist and does it address access risks?
25General Motors Corporation 2008
GTAG 9 – Identity and Access Management
General Motors Corporation 2008
Questions and Answers