Financials

The first wave of massive regulatory pressure after the Financial Crisis has now passed through the Finance Industry. Many organizations have achieved significant improvements in their Access Governance deployments or are on the way. However, this is not the time to rest for the next years. The pressure on IAM and IAG, as well as on GRC in general, remains high. And beyond tackling the initial findings, organizations need to extend their deployments so that they are audit-proof for the future. Working to the business instead of working to the audit: that is today's challenge. Beyond that, the Extended Enterprise increasingly becomes a challenge for the Finance Industry as well. New sales models and external sales organizations in the insurance industry and closer collaboration with the customer stand for this. IAM and IAG are the foundation for enabling that change. IAM/IAG has long moved from being an administration-only technology towards becoming a business-enabling technology.

The Finance Virtual Track is a guideline through the high-priority topics for the Finance Industry. GRC and Access Governance, Identity Federation and the Extended Enterprise, Life Management Platforms and the API Economy as enablers for new forms of collaboration, and the Finance Industry Roundtable itself: all these sessions deliver what you need for future-proof IAM, IAG, and GRC in the Finance Industry.

Wednesday, 15.05.2013
08:30-09:00 Access Governance: A pragmatic Approach on how to deal with almost Unmanageable Complexity
Berthold Kerl, Deutsche Bank AG

  • Access Governance: Why is it so difficult?
  • There is no easy way out!
  • Does Access Governance have a business case?
  • It's a multi-dimensional challenge, therefore many stakeholders need to contribute (e.g. HR, IT, Business, Legal, Data protection)
  • How to define priorities?
  • Strong program governance is key
  • Deutsche Bank's roadmap forward
AUDITORIUM
09:00-09:30 European Cloud Partnership - Shaping a Competitive Strategy
Prof. Dr. Reinhard Posch, Republic of Austria

The European Cloud Partnership (ECP), a European Commission Initiative, is aiming at bringing together industry and the public sector to establish a Digital Single Market for cloud computing in Europe. Prof. Dr. Reinhard Posch, who is a member of the ECP Steering Board, will talk about the objectives of this initiative and his thoughts on eID within this context.

09:30-10:00 Post-Privacy: Yet to come or has it already arrived?
Dr. Karsten Kinast, LL.M., KuppingerCole

Google's Goggles and augmented reality, remote medical diagnosis and eHealth, superdrones and your phone: the number and the evil potential of technologies undermining your privacy needs are increasing fast and strongly. KuppingerCole Fellow Analyst and Privacy Expert Dr. Karsten Kinast will talk about the question whether the worst is yet to come, and will interview Austria's CIO Prof. Dr. Reinhard Posch and Deutsche Bank Head of Information & Technology Risk Berthold Kerl.

10:30-11:30 The Business Case of Access Governance
Access Governance as a Multiyear and Multidimensional Program
Berthold Kerl, Deutsche Bank AG

  • Access Governance: Why is it so difficult?
  • There is no easy way out!
  • Does Access Governance have a business case?
  • It's a multi-dimensional challenge, therefore many stakeholders need to contribute (e.g. HR, IT, Business, Legal, Data protection)
  • How to define priorities?
  • Strong program governance is key
Access Governance & Intelligence at Deutsche Bank AG
Carolin Pfeil, Deutsche Bank AG

Following the worldwide financial crisis all Financial Institutions are facing increasing regulatory requirements globally. A major focus is put on the evidence for having implemented a consistent approach to the “Segregation of Duties” (SoD) principle.

A key challenge is not only to achieve this within a specific application or organizational unit, but to continuously check and monitor the implementation across applications, business processes or entire departments in a complex, heterogeneous and global environment. Typical examples are the segregation of Front and Back Office or of Development and Production.

To address this problem, in January 2012 Deutsche Bank launched the "Global SoD Program", involving all divisions and functions in designing and implementing SoD rules to cover all relevant scenarios. These rules are executed automatically, detecting any SoD conflict or critical access right within the applications in scope. The designated SoD Managers are tasked with resolving these non-compliances by either revoking access or granting temporary exceptions, e.g. if such a critical access right combination is required for a handover period. Carolin Pfeil will describe the highlights of this project, which was finished in 2012.

AUDITORIUM
11:30-12:30 Going beyond static Assignments
Redefining Access Governance: Going well beyond Recertification
Martin Kuppinger, KuppingerCole

Looking back at the evolution of Access Governance, it is a history of change and rapid innovation. From the days of "Enterprise Role Management", before the term Access Governance was even known, to common marketing terms like IAG (Identity and Access Governance) or Access Intelligence, a lot has happened. Virtually all major players have entered this market. Products have become more mature. Access Governance has replaced Identity Provisioning as the typical starting point for IAM (Identity and Access Management) initiatives. It has at least partially delivered on the promise of being a business tool instead of an IT tool. Advanced analytics are on the rise.

Nevertheless, Access Governance still hasn't reached its final maturity level. It is still a relatively new segment, and KuppingerCole expects to see massive innovation over the course of the next few years. Information Security is facing new challenges in these days of the Computing Troika (Cloud, Mobile, Social Computing); more and more access is based on system-to-system communication (the API Economy); and as a result Dynamic Authorization Management and risk-/context-based authentication and authorization must and will gain massive momentum. Access Governance is therefore facing new challenges as well. It is about going beyond traditional, static role-based approaches. It is about integration with other GRC products. It is about integration with Service Catalogs. And there are far more challenges Access Governance is facing.

Martin Kuppinger will define and prioritize these challenges and show how Access Governance can and should mature. He will talk about maturity levels for Access Governance. He will provide criteria for picking the Access Governance solution of choice, depending on the short-term priorities but with a longer-term evolution in mind. And he will certainly also have a look at the brand new KuppingerCole Leadership Compass on Access Governance. This will be the session which gives you the information you need to make sustainable investments while also achieving some quick wins. It is a must-attend session for all: customers planning to start with Access Governance, customers rethinking their Access Governance investments, system integrators, and vendors thinking about their product roadmap.

Access Governance: How to Govern all Access
Dr. Martin Kuhlmann, Omada
Christian Patrascu, Oracle
Darran Rolls, SailPoint
Jackson Shaw, Quest Software, now part of Dell
Deepak Taneja, Aveksa
Marco Venuti, CrossIdeas

Access Governance is a key building block in IAM (Identity and Access Management) deployments and as part of IT GRC. However, traditionally Access Governance focuses on managing access based on roles and thus on static assignments. It frequently lacks tight integration with Privilege Management for highly critical IT users like root, system accounts, or shared accounts. It also typically lacks support for managing business and security rules within Dynamic Authorization Management, for instance for XACML-based systems. However, managing not only roles but also rules consistently, with well-defined workflows for definition and approval, and managing all types of accounts appears to be increasingly important for customers. Other major trends are around Data Governance, i.e. a deeper view on systems holding less structured information like file systems or Microsoft SharePoint. And there is still the discussion about the level of integration with target systems: Shall Access Governance fully include Identity Provisioning? This panel will look at the future trends in the market around expanding Access Governance to all types of access and to support for direct reconciliation.

AUDITORIUM
14:00-15:00 A Success Story Introducing User Access Management for an Energy Trading Company
Dr. Carsten Mielke, E.ON Energy Trading SE

  • Background and Motivation for introducing User Access Management
  • Project challenges
  • Critical success factors
  • Obstacles and how to overcome them
  • Recommendations and Lessons learned
IAM Governance Outside IT
Ulrich Haumann, HypoVereinsbank

For organizations that are under strong governance control and deal with sensitive information on a daily basis, it is essential to know who has access to which data. One of the most important topics is to know this along the business process. Before access to data or applications is granted, several reviews must be carried out to assure compliance. In the classical approach this is done in the organization mainly with paperwork and organizational processes, and only then ends in the IT process.

The approach is now to do this in a central system before any access is granted in the IT system. This ensures traceability, segregation of duties and the need-to-know principle: ordered access has to be checked before any action is taken in the IT system. Building a user-friendly interface with online tracking and reporting, including historical data, of all access rights across all the different systems without touching the target systems is a challenge.

AUDITORIUM
15:00-16:00 Access Intelligence: The New Standard Feature of Access Governance?
Olivier Bandle, Cambridge Technology Partners
Niels von der Hude, Beta Systems Software
Darran Rolls, SailPoint
Rick Wagner, NetIQ
Thierry Winter, Evidian
Abhimanyu Yadav, Simeio Solutions

Access Intelligence is a hot new topic within the discipline of Access Governance. But what is this really about? Is it just better reporting? Or is it about applying advanced Data Warehouse capabilities to analyze existing access rights, the use of them, the access risks etc.? Should it be built based on standard BI tools or should it become more tightly integrated? What is the real benefit compared to standard reporting of Access Governance tools? These are questions customers are raising – and these will be answered within this session.

Risk-based Access Management @Swiss Re
Daniel Frei, Swiss Reinsurance Company Ltd

The objective of the Enhanced Access Management @Swiss Re is to improve and simplify access management. It shifts Swiss Re's access rights philosophy from the "need-to-know" approach, where only the information one needs to know is accessible, to the "need-to-protect" approach, a risk-based focus on the protection of critical information. Strong business support and rule-based automation enabled this change.

AUDITORIUM
17:00-18:00 Access Risk Management: Continuously Identifying and Tracking Access Risks
Stefan Dodel, Oracle
Henk van der Heijden, CA Technologies
Andrea Rossi, CrossIdeas
Sabrina Weimer, G+H Netzwerk-Design

Ever since the big financial scandals, checking and reviewing of access rights and access rights concepts, as well as compliance with the separation of functions in a company, have been gaining more and more significance. We all know sensitive data in the wrong hands could cause substantial damage. Especially with growing IT landscapes and systems from multiple manufacturers, it is important to keep an overview of the access rights situation continuously.

Let's talk about segregation of duties (SoD), statutory requirements, MaRisk, continuous auditing and all those little changes that just happen within a company's life cycle, always and every day:

  • The systems of international and national subsidiaries may need to be linked to each other.
  • Employees switch departments or they may leave the company.
  • Employees work together in different teams.
  • They may also work with external staff who have access to systems for a certain project.
  • Interns pass through all departments and thus collect numerous access rights, irrespective of regulations.

How is it possible to keep the overview of all those potential risks? The answer will be given within the discussion.

AUDITORIUM
18:00-18:20 The Internet of Me and My Things
Doc Searls, Berkman Center for Internet and Society at Harvard University

The history of computing and communications has seen a series of leaps forward in personal empowerment: first with the PC, then with the Internet and then with smartphones and tablets. The next step will be life management platforms, which will give individuals independence and power through their own means — notably personal clouds. With these, individuals will have the power to create and control interactions between their own "Internet of things," using their own data, their own logic and their own APIs, in real time. These will not make big API services obsolete, but rather give all APIs much more to do, much more effectively.

AUDITORIUM
18:20-18:40 Life Management Platforms – Examples, Prototypes, Best Practices
Marcel van Galen, Qiy Foundation

The Dutch Qiy foundation has been working on the concept of Life Management Platforms since 2005, with quite a few services and apps already in production or just being produced. Qiy's founder and president Marcel van Galen will lead the audience in his keynote through some of these services and apps to make the value of Life Management Platforms better understandable.

18:40-19:00 Life Management Platforms Evolution
Craig Burton, KuppingerCole

Life Management Platform evolution is increasing in pace and significance. With the advent of new technologies like personal data stores, cloud-based OS platforms, and trust frameworks, the evolutionary state also gets complicated. This session will look at the current state of things, new innovations and what to expect for LMPs in the future.


Thursday, 16.05.2013
08:30-09:00 If Your Customers Don't Feel Safe, They Will Leave You
Peter Boyle, BT

More than 559 million adults have been victims of cyber-crime; that's more than the population of the European Union. More businesses are trying to connect with customers on social and mobile, but 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don't miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services online, British Telecom identity-enabled their applications to secure their customer data and transactions. In this session, Peter Boyle, Head of Identity Services for BT, will discuss how to keep your customers safe, loyal to your brand and coming back for more.

AUDITORIUM
09:00-09:30 ONE Identity – Heaven or Hell? Do we need more than one "ME"?
Ralf Knöringer, Atos IT Solutions and Services GmbH

In the era of social media, smart mobile devices and worldwide eBusiness, the idea of ONE unique electronic identity no longer seems to be the holy grail, long yearned for but never to be gained.

Today, users of internet services increasingly accept this concept as a necessity to make the mobile internet experience convenient, secure and effective.

Has the world finally understood that what is good for the enterprise is good for everybody? (The long-term shared wisdom of enterprise identity management always starts with the idea of creating ONE ID.)

Will our world become more secure when there is only ONE "me" out there? In this keynote we will have a look at several aspects of the ONE ID paradigm and the role of classical enterprise IAM.

09:30-10:00 Can "App" Phones Help Users to Manage their Identity and Privacy?
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt

The many credentials needed on the Internet pose the question of where to store them and how to use them in a secure fashion. Smart Cards are the classic device; however, they usually lack the user interface needed for secure interactions, e.g. choosing or customizing the right attribute-based credential for a given situation and relying party.

Mobile (smart) phones could be the platform of choice given their now very rich user interfaces. However, their downside is their insecurity, caused e.g. by the complexity of their operating systems, the difficulty for users to control the data flows on the systems and the risks posed by the flood of applications ("Apps") that can be installed quickly and easily.

This presentation will discuss opportunities and risks of storing sensitive information on a smart phone and also approaches to help users to judge Apps based on their privacy properties.

14:00-15:00 Cloud Governance, Risk, Compliance
The Upcoming Cybersecurity Strategy for the European Union - What does it mean for your Enterprise?
Dr. Jörg Hladjk, Hunton & Williams LLP

On February 7, 2013, the European Commission launched its cybersecurity strategy for the European Union (“Strategy”). As part of this Strategy, the European Commission also proposed a draft directive on measures to ensure a common level of network and information security (“NIS”) across the EU. The proposed Directive is a key component of this Strategy. It introduces a number of measures to enhance cybersecurity, including:

  • The requirement for EU Member States to adopt a NIS strategy and to designate national NIS authorities to prevent, handle and respond to NIS risks and incidents;
  • The creation of a cooperation network to enable the national NIS authorities, the European Commission and, in certain cases, the European Network and Information Security Agency (“ENISA”) and the Europol Cybercrime Center, to share early warnings on risks and incidents and cooperate on further steps;
  • The obligation for (1) operators of “critical” infrastructures in certain sectors (financial services, transport, energy and health), (2) providers of information society services and (3) public administrations to implement appropriate security measures and to report incidents having a “significant” impact on the services they provide (e.g., the unavailability of a cloud computing service as a result of which users cannot access their data). Such incidents would have to be reported to the national NIS authorities, who may then decide to inform the public or require companies and public administrations to do so.

The FAQs that accompany the proposed NIS Directive include examples of companies that would be obliged to report cyber incidents, such as cloud computing service providers, search engines, e-Commerce platform providers, Internet payment service providers, providers of VoIP and other communications services, social network providers, platforms enabling the provision and sharing of videos, platforms enabling the provision and sharing of music, major online computer games, and application stores.

Compliance in Hybrid Clouds - Integrated Process Management Despite Regulatory Requirements?
Wolfgang Schmidt, Cloud-EcoSystem e.V.

How can hybrid clouds be joined together so that a user company can run each workload in the deployment option its compliance requirements demand, while still ensuring consistent and legally compliant process execution? Hybrid cloud connectivity capabilities are a key enabler of the near- and long-term usage of cloud services. During this session we will show which different hybrid scenarios we see as applicable today at our members, what the detailed challenges and key obstacles are from their point of view, and how they assessed the different approaches.

AUDITORIUM
15:00-16:00 Cloud Best Practice
Fast Tracking your Risk Strategy for the Cloud
Nikita Reva, MARS Inc.

Will your Cloud fail the next audit? Do you have a handle on your risk strategy for the Cloud? Is this level of maturity only suited for Enterprises? Can smaller businesses do this effectively? This session will outline how to build a scalable Cloud risk strategy based on ISO 27005 and CSA Guidance. This talk will set the tone and enable delegates to go home and fast-track a Cloud risk strategy.

Cloud Security is only valuable if you have a robust process to identify risk. Managing risk for consuming Cloud services is often overlooked. Many organizations feel that only the largest Enterprises can afford to understand and assess the potential or future risks. Instead of security, they focus on the perceived outcome of utilizing the Cloud, the supposed silver lining. In this session, we will describe how to fast-track a Cloud risk strategy, discussing how we built an effective toolkit based on trusted industry tools: ISO/IEC 27005, the Cloud Security Alliance (CSA) Guidance and CCM.

We will bring two true-to-life examples with case studies showing how this was done at a $34B enterprise and then scaled to an e-commerce SMB. We will explain how CSA and ISO 27005 set the tone for our Cloud risk assessment strategy. We will show how these were complemented by external attestations such as SOC 1/2/3 reports, penetration testing and vulnerability testing. We will expand on the areas of concern that differ between SMBs and Enterprises.

We will discuss how to get started by providing a checklist-driven road-map to fast-track a Cloud risk strategy. We will start with identifying assets and their overall value to your organization. We will jump into the deep end on asset classification and explore the particular importance of understanding implementation models and mapping out your data flow. We will identify how this feeds into a holistic questionnaire to establish a baseline. We will educate delegates on how to assess responses through real-world examples that illustrate how to poke holes.

The Reason why RLB Moved to the Cloud
Mark Evans, Rider Levett Bucknall

The presentation details how insecure RLB's IT systems and infrastructure once were: the server infrastructure was held in a local government building with open public access, the building was classified by the British security services as being a terrorist target, and there were periods where we couldn't enter the building safely in case of an emergency because the building is often used for filming TV series (I walked past Robert Vaughn from "The Magnificent Seven" once!) and for holding outdoor pop concerts.

AUDITORIUM
16:30-17:30 Trust, Assurance
Top Ten Tips for Negotiating and Assuring Cloud Services
Mike Small, KuppingerCole

How can an organization safely adopt cloud services to gain the benefits they provide? The easy availability of cloud services has sometimes led to line-of-business managers bypassing the normal procurement processes to obtain cloud services directly, without any consideration of the governance and risks involved. There is a confusing jungle of advice on the risks of cloud computing and how to manage these risks. This talk considers the advice available and the practical approaches to negotiating and assuring cloud services.

AUDITORIUM
17:30-18:00 Software Integrity and Active Defense - The Future of Information Security
Prof. Dr. Sachar Paulus, KuppingerCole

The development of Information Technology, specifically cloud, mobile and social computing, has led to an environment that has become really open. Moreover, the integration with the real world (smart devices, SCADA systems and the like) significantly raises the potential impact of attacks, and of failures. Activities managing the risk in these environments are identity management, security information management and network security. But will these be enough? Sachar Paulus will explain that more is needed to realize adequate protection, and will focus on elements for software (and hardware) integrity, so that processes work as designed, and active defense, so that deviations become visible.

AUDITORIUM


© 2013 KuppingerCole