dtt rbac presentation 20080724
TRANSCRIPT
-
8/14/2019 DTT RBAC Presentation 20080724
1/41
"The Time Has Come".Identity & Access Management, Role Management& Role-Based Access Control
Matthew Collinson
-
2 "The Time Has Come" 2008 Deloitte Touche Tohmatsu
Why are we here today?
Traditional models of access control consist of point or application-specific solutions that make management, reporting and compliance extremely costly and unwieldy.
Moving to Identity & Access Management, Role Management (RM) and Role-Based Access Control (RBAC) brings the focus back to the business by defining access purely in terms of business requirements.
It streamlines the user access lifecycle, simplifies the enforcement of Segregation of Duties (SoD) and supports the organisation's reporting and compliance activities.
-
This Session's Agenda
- Identity & Access Management: an overview
- IAM Business Case Example
- Access control: today's business challenges
- What are RM & RBAC?
- Who are the stakeholders?
- What are the benefits?
- Dos & Don'ts
- Deloitte Methodologies: a snapshot
-
Identity & Access Management: an overview
-
Definitions: Identity
Identity (Digital Identity): the digital representation of a user, including a unique identifier, credentials, common profiles and entitlements.
The complete digital identity of an individual may be scattered across multiple repositories within an enterprise, with no hard links between the various pieces.
A user's digital ID (Person):
- Core Identity Attributes: First Name, Last Name, Unique Identifier
- Account Credentials: Login ID and password, SecurID card, other strong authentication factors
- Common Profiles: Job, Functional Roles, Business Unit, Office Location, Manager/Supervisor
- Entitlements: Permission levels, access rights, access control items
[Figure: entitlements illustrated with a SharePoint Services (version 3) permission-level matrix: Limited Access, Read, Contribute, Design and Full Control against items such as View Items, Open Items, Delete Items, Approve Items, View Versions, Delete Versions, Cancel Checkout, Manage Personal Views and Add/Remove/Update Personal Web Parts]
-
Definitions: Authentication, Authorization
Authentication: the process of establishing the validity of an identity claim.
- Gets you in the front door.
Authorization: the process of determining the appropriate rights and privileges for a given identity.
- Determines what you are allowed to touch/see, once inside.
Multi-factor authentication: using a combination of two or more factors (something you know/have/are) to authenticate a user, to achieve a higher level of authentication assurance.
Note: Username and password does not count as two-factor authentication!
-
Definitions: SSO, Federation
SSO (Single Sign-On, a.k.a. Reduced Sign-On, Simplified Sign-On): access control method which enables a user to authenticate once to gain access to multiple systems.
Identity Federation: standards-based method of exchanging identity information across autonomous security domains (organizations).
- Facilitates SSO across separate enterprises or security domains.
[Figure: federation between the organisation's security domain and a Vendor domain]
-
Definition: Identity and Access Management
Identity and Access Management (IAM) is a set of business processes, information, and technology for the creation, maintenance and use of people's digital identities within the bank, and the eventual termination of that identity in a controlled and secure manner.
-
IAM Services Conceptual View
-
IAM: Business value perspective
Security & Risk Management
- Consistent security policy enforcement and automated controls (protection of customer data)
- Identity lifecycle administration (accurate and timely terminations and access management)
- Improved privacy and regulatory compliance
- Effective logging, comprehensive auditing and timely reporting
Managing business risks through effective and demonstrable controls.
Business Facilitation
- Reduced Sign-On, registration and password self-services for internal users
- Consistent and streamlined user provisioning processes with automated workflow (escalation and approval points)
- Business integration and large technology roll-outs
- Improved user experience and business integration capabilities
Build once, deploy often.
Operational Efficiency
- Improved service levels (user management and provisioning) and good quality of service
- Streamlined security administration & reporting
- Flexible infrastructure for rapid deployment of applications (enablement of shared services and Service-Oriented Architecture)
Efficient operations, high quality services: better, faster, cheaper.
Cost
- User productivity cost savings due to: quicker provisioning processes, reduced time for password re-sets, Single Sign-On
- Reduced cost of: User Administration and Provisioning, Helpdesk (password management), Security Administration (auditing, reporting)
- Avoiding uncoordinated and overlapping application development efforts
Cost and productivity impacts: deliver more for less.
-
IAM Program - Key Success Factors
- Recognize business ownership of IAM
- Recognize the size of the problem: inventory of identity objects; high ratio of accounts to individuals
- Build a clearly defined, realistic roadmap which:
  - Leads towards the target architecture: common/re-usable services
  - Leverages good work already done, or in flight
  - Allows for better decision making
  - Results in cross-pollination of strategies, allowing for more enterprise-focused, scalable solutions
-
IAM Business Case Example
-
Our analysis of business needs indicated that Identity and Access Management problems need to be addressed, and the time is right now.
Business Problems: Observations
User Experience
- Delay in onboarding (user access provisioning) causes unacceptable loss of productivity.
- BUs are constantly asking for the ability to manage groups and roles for their users.
- Too many IDs and passwords to remember.
- Users are frustrated with login and password issues when dealing with externally hosted applications.
Application Delivery
- Many applications require user profile/group management capabilities. In the absence of an enterprise solution, they develop tactical solutions.
- Tactical solutions increase overall spend and complicate the existing IT challenges.
- Simplified Sign-On is a common requirement for applications, but there is no enterprise solution.
Risk and Compliance
- Audit finding: current user administration processes are not consistent and lack effective controls.
- Lack of automated role/group assignment for users results in excessive privileges (accumulated access).
- Access control mechanisms developed by individual applications are inconsistent, difficult to manage and report on (to demonstrate compliance).
Enterprise Solution
- Provisioning Service: automated creation, modification and deletion of user accounts and related access attributes.
- User Management Service: allows end users to manage their profile/access information via self-service or delegated administration (i.e. designated managers) interfaces.
- Federated Sign-On: provides seamless authentication across organizations, where a 3rd-party application relies on Client credentials.
- Web Access Management: provides Simplified Sign-On and policy-based access control to Intranet or web resources.
-
Detailed review and analysis of needs enabled us to prioritize the IAM services based on cost benefit analysis and available alternatives. The Provisioning and User Management Services were identified as a high priority.
IAM Services: Key Findings and Priorities
Identity Management
- User Management Service (Priority: High)
  - Large potential for cost savings
  - Significant contribution to efficient application delivery (as a key shared service in the SOA framework)
  - No existing solutions or viable alternatives
- Provisioning Service (Priority: High)
  - Large potential for cost savings
  - Significant contribution to risk management & compliance
  - No existing solutions or viable alternatives
Access Management
- Federated Sign-On (Priority: Medium)
  - Some potential for cost savings, mostly in application delivery
  - Enterprise-wide adoption could be challenging due to difficulties with external application integration (multiple vendors)
  - Point solutions are being considered to address immediate needs
- Web Access Management (Priority: Low)
  - Low potential for cost savings
  - There are alternative (low cost) solutions to address SSO
  - The Intranet Strategy makes the need for this service less compelling
-
The implementation of the Provisioning and User Management services will require $13.1M of investment over 5 years, which includes $2M of one-time process/application integration costs and $0.9M of annual run costs.
Incremental Solution Costs over 5 years
One-time components (year 0), value in $M:
- Hardware: 0.5
- Software: 1.3
- External Consulting: 2.2
- Internal FTE Expenses: 1.0
- Integration Costs: 2.0
- One-time Total: 7.0
Annual components, value in $M:
- Hardware & Software Maintenance: 0.3
- Operational Run Costs: 0.9
- Annual Total: 1.2
Totals, value in $M:
- One-time Total (year 0): 7.0
- Annual Costs (over 5 years): 6.2
- Total Notional Costs (over 5 years): 13.1
(The original table also classes each component as Capital, Non-Capital or Expenses.)
Assumptions
- 24 Intel/Linux servers costing $20,000 will be used as a hardware/OS platform to run all core components of the solution.
- Annual hardware capitalization and overhead are estimated at 55% of total hardware costs, plus 4 FTEs at $150K/year for ongoing support.
- Provisioning software will be required for 50,000 users at $25 per user (based on industry average price).
- Approximately 3 external consultants for 55 weeks will be required.
- Internal project team will include Project Manager, Architect and implementation/testing specialists at an average cost of $100/hr.
- Application integration and process integration will require involvement of internal staff outside of the project team, estimated at 8 FTEs.
- Hardware maintenance cost is estimated at 10% of Hardware Cost and Software maintenance cost is estimated at 20% of Software Cost.
-
Cost benefits, estimated at $4.3M/year, result from productivity cost savings and reduction of Vendor costs, due to the automation in access provisioning, password management and access administration.
Annual Incremental Benefits
Cost component (service): low / high estimate, value in $M:
- User Productivity Cost Savings, faster on-boarding (Provisioning): 1.5 / 4.5
- Reduction of Vendor FTEs, Access Provisioning (Provisioning): 0.6
- Reduction of Vendor Workload, Password Management (User Management): 2.0 / 2.2
- Reduction of Vendor FTEs, Access Administration (User Management): 0.2
- Total Annual Benefits: 4.3 / 7.6
- Total Benefits (over 5 years): 19.1 / 33.9
Benefits Calculations / Assumptions
User productivity:
- At a minimum, 1 day of delay can be eliminated by implementing an automated provisioning system, resulting in an on-going productivity saving of $1.5M/year.
- Approximately 13,475 non-retail employees are transferred or hired every year and on-boarding takes approximately 5-21 days. While 50% of the time spent by new employees and transferees is on reviewing manuals, training, orientation, etc., the remaining 50% is assumed to be unproductive. Average employee salary is assumed to be $30 per hour.
Access provisioning:
- With the implementation of the provisioning solution, services provided by 4 FTEs (access services at Vendor, including login ID creation) would not be required.
- Currently, the access provisioning team at Vendor includes 18-20 FTEs.
- Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 p.a.
Access administration:
- With the implementation of Delegated Administration, services provided by 1 FTE (access administration at Vendor) would not be required.
- Average fully loaded salary of Vendor staff (if billed to Client directly) is $150,000 per annum.
Password management:
- Using self-service password reset functionality, the request volume for help desk password resets would reduce by 90%. This will yield approximately $2M/year in cash flow savings.
- Approximately 168,000 password reset requests per year are processed by Vendor for Active Directory, Email, Host, Novell, RLAN and Web Based Applications. Average cost of processing one password request is $15.
- It is assumed that the benefit realization will be 50% for the first year and 75% for the second year. From year 3 the benefit realization is assumed to be 100%.
Notes:
1. For most benefits, the benefit realization for the first year is assumed to be less than 100%.
2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a more optimistic calculation.
-
The implementation of the Provisioning and User Management services forms a compelling business case: 3.5 years payback, and Net Present Value of cash flow is estimated at $3.4M, as the most conservative estimate.
Incremental Costs and Benefits over 5 years
Component: value in $000
- Total Notional Costs: $13,137
- Total Discounted Costs (1): $12,026
- Total Benefits (2): $19,139 - $33,854
- Total Discounted Benefits (1, 2): $15,466 - $27,341
- Net Present Value of Cash Flow (1, 2): $3,439 - $15,315
- Return on Investment: 22% - 62%
- Discounted Cash Flow Payback (1, 2): 3.5 yrs - 1.75 yrs
Notes:
1. The Weighted Cost of Capital is assumed to be 7%.
2. Ranges are based on low and high estimate projections. The lower end represents a conservative approach and the higher end represents a more optimistic calculation.
[Chart: Cumulative Costs and Benefits, 2007-2012, plotting Cumulative Discounted Investment, Cumulative Discounted Benefits and Cumulative Net Value on a scale from (15,000,000) to 20,000,000]
-
In addition to significant financial returns, the implementation of the Provisioning and User Management services will contribute to better business facilitation, enhance application delivery capabilities and improve the compliance and risk management posture of Client.
Qualitative Benefits
User Experience
- Faster on-boarding process leading to improved user experience and productivity.
- Increased end-user productivity and better user experience (due to delegation and self-service).
Application Delivery
- Improved application access controls due to more accurate and timely role/group assignment in applications.
- Reduced cost of tactical solutions development and avoiding unnecessary support costs.
- Flexible SOA infrastructure for rapid deployment of applications.
Risk and Compliance
- Improved compliance and risk management posture due to automated and effective controls for identity life cycle administration (timely de-provisioning).
- Streamlined security administration and audit/compliance reporting.
- Improved data quality and integrity for identity information.
-
In order to maximize business benefits and achieve quick wins, our recommendation is to start with the Provisioning Service, then proceed with the Password Self-service and continue with the Role-based Access Provisioning and Delegated Administration.
Implementation Roadmap
Benefits accumulate from phase to phase; each phase lists only the benefits it adds.
1. Provisioning: Core User Provisioning
Scope:
- Integration with (connectors to): ACF2, AD, ED, Novell
- Feed from PeopleSoft (events)
- Basic workflows, basic roles
- UI only for Administrators
Benefits:
- Faster on-boarding process: Productivity Gain $1.5M/yr
- Increased productivity and employee satisfaction
2. User Management: Password & Identity Self-Service
Scope:
- Password synchronization for all connected platforms, initiated from the provisioning engine
- Password change self-service
- Password re-set self-service (forgotten password function)
- Identity self-service to update basic attributes (contact info)
Additional benefits:
- Reduced FTE (Vendor costs) for Password Management: $0.5M/yr
- Improved User Experience
3. Provisioning: Role-based Access Provisioning
Scope:
- Job codes from PeopleSoft are mapped to enterprise roles
- Multiple BU-specific roles are defined and mapped to specific access entitlements (e.g. AD groups, ED groups, etc.)
- Complex workflows for approval, RFI and notification
Additional benefits:
- Reduced FTE (Vendor costs) for Access Provisioning: $0.5M/yr
- Automated controls for Identity Lifecycle administration
- Streamlined reporting; improved regulatory compliance posture
4. User Management: Delegated Administration
Scope:
- Administrative roles are defined to allow for multiple tiers of administration
- Delegated Administration UI
- Access controls are defined to allow delegated administrators to manage only users (and attributes) in their scope
Additional benefits:
- Reduced FTE (Vendor costs) for Access Administration: $0.2M/yr
- Reduced cost of application development (SOA services)
-
It was identified that many projects and initiatives across Client are asking for Identity Management and Access Management capabilities.
IAM Business Needs
Services
- Identity Management
  - User Management Service: Delegated Administration, Identity Self-service, Password Self-Service
  - Provisioning Service: Role-based access provisioning, Workflow, Core User Provisioning, Auditing & Reporting
- Access Management
  - Web Access Management: Authorization, Authentication, Secure Token Svc
  - Federated Sign-On: Authentication, Secure Token Svc, Monitoring & Reporting
Specific Business Needs
- Multiple applications require User Profile & Group Management capabilities. Role-based Access Control is the strategic vision at Client.
- Business units want to control assignment of roles/groups to their users, hence require delegated administration.
- Current provisioning & de-provisioning processes are not consistent, not timely and lack automation, as reported in audit findings.
- Access provisioning processes require automation to eliminate manual steps and the resulting high set-up costs.
- Business units are asking for a faster on-boarding process for their employees.
- Over 150 external applications deliver some sensitive data that can be accessed from home without involving Client authentication. Robust authentication controls are required.
- Risk and audit concerns related to gaps in de-provisioning processes for externally hosted applications (e.g. Iron Mountain).
- Users are frustrated with the numerous credentials required for externally-hosted applications.
- Seamless authentication and access control mechanisms are required to provide granular and selective access to Intranet and web resources.
- Intranet Portal roadmap requires SSO and Access Management.
- Simplified Sign-On from desktop is a business requirement for many application projects.
-
The Identity and Access Management services have various sets of associated benefits; however, some services have less compelling cost benefits and already have alternative strategies in place to address the priority needs.
IAM Services: Analysis of Benefit Drivers and Alternatives
Each service was rated on three benefit categories (Cost Savings, User Productivity, Risk / Compliance) against a legend of Low, Medium or High degree of compelling benefits; the ratings were colour-coded on the original slide.
Identity Management
- User Management Service
  - Solution costs: One Time = Provisioning + $1.6M; Annual Run = Provisioning + $0.4M; Application Integration $0.9M
  - Alternatives: Some tactical solutions in Retail, Wealth and Intranet Portal to manage user profiles and group information. No alternatives at the Enterprise level.
- Provisioning Service
  - Solution costs: One Time $3.4M; Annual Run $0.8M; Process Integration $1.1M
  - Alternatives: No viable alternatives to perform automated identity lifecycle.
Access Management
- Federated Sign-On
  - Solution costs: One Time $2.5M; Annual Run $0.7M; Application Integration $0.7M
  - Alternatives: Some proprietary mechanisms are currently in use to achieve SSO across external domains. Point solutions are being considered to address immediate needs.
- Web Access Management
  - Solution costs: One Time $2.7M; Annual Run $0.6M; Application Integration $1.1M
  - Alternatives: The current strategy is to use Kerberos/SPNEGO. The Intranet Portal strategy will be able to provide access control to Web applications and resources at the portal level.
(Service components are as listed on the IAM Business Needs slide.)
-
Access Control: Today's Business Challenges
-
Today's Business Challenges
Operational Inefficiencies
- Delay in getting required and correct access, leading to loss of productivity
- Complex approval processes requiring multiple personnel and manual workarounds: increased cost of operations
- Challenges in establishing the right access to the right people
Compliance Management
- Resource-intensive attestation process
- Challenges in identifying job functions and enforcement of SoD
- Multiple reporting systems
IT & Business Alignment
- Inconsistency in application of Enterprise Security policies and processes across disparate systems
- Effective Change Management
-
What are RM and RBAC?
-
How do we define role?
A role defines the functions performed by, and the access privileges granted to, a group of users sharing the same job or position, or performing the same tasks.
[Figure: an employee's role (Supervisor) maps to functions (Approve Invoices, Monitor Staff) and to access privileges (System, Directory, Database, E-mail, Internet), on top of Base Access]
-
Types of Roles: Job vs. Function
Job Roles
- Roles based on Job Title, e.g. Supervisor Role, Service Associate Role, Analyst Role
- Example: Many Users to One Job Role (User 1, User 2 and User 3 all hold the Supervisor role)
Function Roles
- Roles based on Job Function, e.g. Approve Invoices Role, Monitor Staff Role, Report Status Role
- Example: Many Users to Many Function Roles (User A, User B and User C each hold some combination of Approve Invoices, Monitor Staff and Report Status)
-
Role-Based Access Control (1)
A method of defining, managing and enforcing access control privileges through the use of roles between end user and permission assignments.
Today's Access Control: by process. User(s) raise a Request, which goes through Process 1, Process 2 or Process 3 to a Direct assignment of Permissions.
Tomorrow's Access Control: RBAC. User(s) raise a Request, which is fulfilled by assigning Role(s); the Role(s) carry the Permissions.
-
Role-Based Access Control (2)
- RBAC is a mechanism which limits resource access (system, application, etc.) based on a user's job functions.
- Users do not own the objects to which they are allowed access.
- Access rights are granted via roles, which serve as a layer of abstraction between users and IT objects.
- Protection policies are unavoidably imposed on all users: there is no concept of a superuser.
[Figure: Users n:n Roles n:n Privileges, where a Privilege is an Operation n:n Resource]
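The users n:n roles n:n privileges structure above, together with the job-role / function-role split from the previous slide and the SoD enforcement the deck keeps returning to, as an added Python illustration (not the presentation's material): the role names follow the Supervisor example, while the Submit Invoices role, the users alice and bob and the concrete privileges are constructed for the demo.

```python
"""Minimal RBAC model in the shape the slides describe: users n:n roles n:n
privileges, a privilege being an operation on a resource. Job roles bundle
function roles, a static Segregation-of-Duties (SoD) rule blocks conflicting
assignments, and there is no superuser path around the role check.
Added illustration; not code from the presentation."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Privilege = Tuple[str, str]   # (operation, resource), e.g. ("approve", "invoices")


class SoDViolation(Exception):
    """An assignment would give one user two conflicting roles."""


@dataclass
class Role:
    name: str
    privileges: Set[Privilege] = field(default_factory=set)
    includes: Set[str] = field(default_factory=set)   # bundled function roles


class RBAC:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}   # user -> directly assigned roles
        self.sod: Set[FrozenSet[str]] = set()        # unordered conflicting role pairs

    def add_role(self, name: str, privileges=(), includes=()) -> None:
        self.roles[name] = Role(name, set(privileges), set(includes))

    def declare_sod(self, role_a: str, role_b: str) -> None:
        """Static SoD: nobody may hold both roles, directly or via a job role."""
        self.sod.add(frozenset({role_a, role_b}))

    def expand(self, role_name: str) -> Set[str]:
        """A role plus, transitively, every function role it bundles."""
        seen: Set[str] = set()
        todo = [role_name]
        while todo:
            name = todo.pop()
            if name not in seen:
                seen.add(name)
                todo.extend(self.roles[name].includes)
        return seen

    def effective_roles(self, user: str) -> Set[str]:
        out: Set[str] = set()
        for name in self.assignments.get(user, ()):
            out |= self.expand(name)
        return out

    def sod_conflicts(self, user: str, role_name: str) -> Set[FrozenSet[str]]:
        """SoD pairs the user would hold in full after receiving role_name."""
        combined = self.effective_roles(user) | self.expand(role_name)
        return {pair for pair in self.sod if pair <= combined}

    def assign(self, user: str, role_name: str) -> None:
        """User-to-role assignment; the SoD check runs before the grant."""
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        conflicts = self.sod_conflicts(user, role_name)
        if conflicts:
            raise SoDViolation(f"{user}: {[sorted(p) for p in conflicts]}")
        self.assignments.setdefault(user, set()).add(role_name)

    def privileges_of(self, user: str) -> Set[Privilege]:
        out: Set[Privilege] = set()
        for name in self.effective_roles(user):
            out |= self.roles[name].privileges
        return out

    def check(self, user: str, operation: str, resource: str) -> bool:
        """The only authorization path: a privilege must arrive through a role."""
        return (operation, resource) in self.privileges_of(user)

    def entitlement_report(self) -> Dict[str, Dict[str, list]]:
        """Access in business terms (roles) and IT terms, for attestation."""
        return {u: {"roles": sorted(self.effective_roles(u)),
                    "privileges": sorted(self.privileges_of(u))}
                for u in sorted(self.assignments)}


def build_demo() -> RBAC:
    """Constructed sample modelled on the slide's Supervisor example."""
    rbac = RBAC()
    rbac.add_role("Base Access", {("read", "directory"), ("use", "e-mail"), ("browse", "internet")})
    rbac.add_role("Approve Invoices", {("approve", "invoices")})
    rbac.add_role("Monitor Staff", {("read", "staff-reports")})
    rbac.add_role("Submit Invoices", {("create", "invoices")})   # constructed for the SoD demo
    rbac.add_role("Supervisor", includes={"Base Access", "Approve Invoices", "Monitor Staff"})
    rbac.declare_sod("Submit Invoices", "Approve Invoices")     # submitter must not approve
    rbac.assign("alice", "Supervisor")        # job role: one assignment, many functions
    rbac.assign("bob", "Base Access")
    rbac.assign("bob", "Submit Invoices")     # function roles assigned one by one
    return rbac
```

build_demo() returns the populated model; sod_conflicts("bob", "Approve Invoices") is non-empty, so assign() refuses to make bob both submitter and approver, and check() has no bypass for an administrator.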
-
Who are the stakeholders?
-
Stakeholder Groups
- User Administration
- IT Operations
- CXO
- End Users
- Application Owners
- Business Owners
- IT Audit
- Enterprise Architecture
- Human Resources
- Risk Management
- Help Desk
Stakeholder categories: Assessors, Maintainers, Users, Acquirers, Support Staff, Administrators
-
What are the benefits?
-
In the Board Room
Allows the enterprise to address Pain Points and business initiatives, from the IT Manager to the CxO.
Regulatory Compliance
- SoD requirements
- Role-based access
- Least privilege access
- Real-time visibility and disclosure
- Basic compliance reporting
Governance & Security
- Consistent security policy
- Immediate system-wide access updates
- Consistent identity data
- Automated risk mitigation
- Enterprise SoD
Increased Productivity & Cost Reduction
- Eliminate redundant administration tasks
- Reduce helpdesk burden
- Fast employee ramp-up
Increased Service Level
- User self-service
- Focused, personalized content
- Delegated Administration
- Comprehensive profile view
- Password management
Business Facilitation
- Reach global customers
- Tighter supplier relationships
- More productive partnerships
-
At the coal face
Before:
- Request for one user, one application at a time
- Reduced set of access, but approved
- Model role after access provided
- Multiple options to select from to provide user access
- SoD between applications
After:
- Role pre-approved: easier to use, streamlined process for access
- Access defined in business terms
- Easier reporting
-
Dos & Don'ts
-
Dos & Don'ts
The effectiveness of an RM / RBAC implementation is dependent upon your ability to get the project moving, successfully completing development, and institutionalising RBAC in your culture.
- Accept the fact that all the information may not be there to start
- Plan up front with as much detail as you can
- Implementing RBAC requires the convergence of business and technology, with the emphasis on business
- Take advantage of communication opportunities with various groups in the organisation
- Implementing RBAC is a culture-changing event
- Maintain management support throughout the project
and finally...
It's a Journey: you'll learn along the way!
-
Deloitte Methodologies: a snapshot
-
IAMethods™ overview
IAMethods™ is an iterative, architecture-centric and use case-driven set of processes, procedures, and accelerators for transforming business requirements into delivered solutions. The methodology defines a project lifecycle with phases, threads, work packages and milestones, with decision points for aligning the delivered solution with business needs. Emphasis is placed on collaborative definition and validation of stakeholder requirements via early delivery of working prototypes, which are developed through iterative steps into the deployed IAM solution.
-
The IAMethods™ Framework
-
Role Management for Enterprise (RM4E) Methodology
Phases: Inception, Elaboration, Construction, Transition
Threads: Solution Design; Solution Delivery; Project/Change Management Framework (Project & Change Management)
Activities shown across the phases:
- Define RM4E Vision
- Design RM4E Conceptual Architecture
- Establish RM4E Governance Model
- Project Management Framework
- Change Management Strategy
- Evaluate/Select Technology
- RM4E Process and Role Design
- Pilot Group selection
- Build Development environment
- Detailed Schedule
- Develop enterprise roles for the business units
- Develop RM4E Deployment framework
- Develop Knowledge transfer plan
- Test Processes and technology
- Prepare Test Report
- Prepare deployment design
- Deploy roles, processes and technology
- RM4E Pilot Results Summary
- RM4E Organization Deployment roadmap
- Deploy roles, processes and technology in production environment
- Conduct Knowledge transfer
- Project closure
-
RM4E Implementation
Key activities: Build roles for organizational groups (standard, repeatable process)
1. Jumpstart
- Set stage for RBAC implementation
- Gather and review LOB information
- Gather, review & assess LOB system access information
2. Initial Activities
- Begin RM4E implementation
- Understand LOB functions and system access
- Initiate role design
- Select technology (Role Engineering, Role Lifecycle Management)
3. Development
- Conduct detailed role development
- Design RM4E processes
- Design technology solution
- Provide training
- Test roles, processes and technology
4. Role Validation & Approval
- Identify exceptions
- Finalize roles with all appropriate individuals and groups
- Obtain approval on roles
5. Deployment
- Deploy enterprise roles
- Deploy RBAC processes, procedures, and guidelines
- Deploy technology
- Finalize LOB RBAC implementation
-
Deloitte Touche Tohmatsu, 2008. All rights reserved.
Liability limited by a scheme approved under Professional Standards Legislation.
Confidential: This document and the information contained in it are confidential and should not be used or disclosed in any way without our prior consent.