Accelerating Identity Governance & Administration (IGA) ROI using Saviynt

Leader in 2018, 2019 Gartner’s Magic Quadrant for Identity Governance and Administration (IGA)

Dawn Kongvongsay, IAM Architect

How does saving 2,000,000 annually for maturing your IGA program sound?

Implementing Saviynt, we reduced our core application connector spend 90% from 2.5M to 257,000 for 25 applications. This includes user IDs provisioned two hours after HR updates new hire status to “Active” and automation of 25 of your most risky and prized applications for compliance, security and provisioning. It also manages IGA for cloud infrastructure and data. More importantly, your ROI increases exponentially the more applications and platforms you manage with Saviynt.

Let’s examine the ROI of using Saviynt for an IGA program to speed automation, access security and compliance.

When I first looked into Saviynt, I thought this thing can cook dinner for us! It is several levels up in the IAM maturity model. Why is that? Saviynt has a built-in front end and out-of-the-box connectors, is very loosely coupled, and uses the power of access risk analytics and intelligence to drive big increases in productivity, including:

- Continuous controls monitoring
- Intelligent access Request / Review
- Application SOD Management
- Role / Privilege / Policy Design Management
The advantage is that the Saviynt platform converges Identity Governance and Administration (IGA), Data Access Governance (DAG), IaaS Governance, Segregation of Duties (SoD), Consumer Identity and Access Management (CIAM), Cloud PAM, Cloud Security and Hybrid IT. Saviynt's forward thinking takes tremendous advantage of the Amazon Web Services platform to help build its product sets into a single dashboard.
Customers often asked, “How do we get started and which tools should we use for our Identity & Access Management program to be compliant? We are paying a lot of money to hire auditors as they work with our internal compliance team taking time away from their daily tasks for compliance, and we are assessed fines for noncompliance.”

The systematic value of IAM portfolio programs is to Increase Security, Process Automation, and Compliance. The IAM Lifecycle and Services illustration below (Figure 1) shows Onboarding, Transfers and Termination. The Saviynt IGA platform covers 70% of the functionalities needed:

Figure 1: Saviynt provides UI and automates 70% of functionalities listed here.

a. Access Requests System
b. Access Governance and Intelligence for cloud and enterprise applications
c. Data Access Governance
d. Segregation of Duties
   - Assessment
   - Out of the box rulebook
   - Import / update Custom Rules
   - Automated recommendations
e. Custom controls
   - Create or use our out of box IT security, risk and threat controls mapped to specific applications access and usage
f. Access Certification
g. Role and rule mining and design engine
h. Compliance
i. Usage/Behavioral Analytics
j. Certification of Fire Fighter Usage
k. License Management
l. Cloud Privilege Access Management
Enabling these functionalities by 1) making them requirements in your IAM portfolio program and 2) executing these components gives Saviynt the transactional data needed for analytics. These analytics create the reports that Audit/Compliance and other Information Security personnel require.

A high-level map of the IAM Lifecycle & Services to Saviynt:

Identity Lifecycle & Services | Saviynt
1. Request | a. Access Requests System
2. Approve | a. Access Requests System
3. Provision | d. Segregation of Duties – a rules check during Provisioning
4. Deprovision; 5. Reconcile | a. Access Requests System; a. Access Requests System; g. Role and Rule mining and design engine
6. Password Management; 7. PKI; 8. MFA; 9. SSO; 10. Identity Federation; 11. Shared Authentication Service (OAuth, OIDC) | Saviynt connects to multiple Domains for Active Directory or Azure AD and provides the lift needed to pass data for an Authentication Tool which typically comes with Password Management such as Okta, Ping, and OneLogin
12. Entitlement Management; 13. Policy Management | a. Access Requests System; d. Segregation of Duties; c. Data Access Governance; l. Cloud-Privilege Access Governance
14. Role Management | g. Role and Rule mining and design engine
15. Privilege Access Management | b. Access Governance and Intelligence for cloud and enterprise applications
16. Reporting | j. Certification of Fire Fighter Usage; i. Usage/Behavioral Analytics; c. Data Access Governance
17. Privilege Access Monitoring | b. Access Governance and Intelligence for cloud and enterprise applications; i. Usage/Behavioral Analytics; j. Certification of Fire Fighter Usage
18. SIEM; 19. Log Consolidation & Analysis | Export to AWS S3 buckets for Rapid7 or QRadar to consume or Connect to Splunk; i. Usage/Behavioral Analytics
20. Policy Compliance Monitoring | e. Custom controls; h. Compliance; j. Certification of Fire Fighter Usage
21. Identity Audit; *Additional Compliance | f. Access Certification; a. Access Requests System - Saviynt Workflow Campaign for Revaluation; Data Access Governance
*Costing | k. License Management
The ROI

Examine Saviynt IGA platform ROI calculations using these factors:

1. current user provisioning management and provisioning costs - access for joiners, leavers and transfers
2. administration costs
3. compliance reporting and audit costs
4. overall rapid employee productivity due to automated access
5. *costs of security breach, risk, damages - these are not factored in, in the illustration shown in Table 1 below

For example: assuming an average salary of 65,000, every day of lost work due to slow provisioning could cost an enterprise, school, or governmental agency nearly 260 a day. A large company with 500 new hires a year could easily lose 130,000 to 2M per year.

Below is a typical organizational setup with before and after costs showing ROI. Implementing Saviynt generates an immediate 11% resource and cost utilization savings. This frees organizational resources to restructure as needed.
Annual Cost: 2,584,400 | After w/ Saviynt, New Annual Cost: 259,400

Typical Medium-Large Organization Setup for Access, Security, Compliance | Before: % | Salaries | Annual Costs | After w/ Saviynt: % Time Spent | New Annual Cost
Managers' work w/ New Hires and Transfers for Access | 10% | avg 105,000 | 105,000 | 3% | 3,150
External Auditors
Auditor 1 (Ernst & Young) | 100% | 250,000 | 250,000 | 15% | 37,500
Auditor 2 (Ernst & Young) | 100% | 250,000 | 250,000 | 0 | 0
Organization Compliance
Compliance Resource | 50% | 90,000 | 45,000 | 10% | 9,000
SR Compliance Resource | 50% | 100,000 | 50,000 | 10% | 10,000
Audit and Compliance Director | 50% | 180,000 | 90,000 | 5% | 9,000
Application Owner Access Reviews X 25 resources | 16% * 25 | avg 112,000 | 448,000 | 1% * 25 | 28,000
AWS
Access (IAM Users, Groups, Roles, Policies) | 25% | 135,000 | 33,750 | 0 | 0
Governance Work | 3% | 140,000 | 4,200 | 3% | 4,200
CI/CD, Jenkins, GitHub DevSecOps | 25% | 140,000 | 35,000 | 3% | 4,200
Application & Network Security (Sec Groups, NACL, Routing tables), Solutions Architect | 30% | 140,000 | 42,000 | 5% | 7,000

*25 Main & Legacy Applications to automate
** if more applications are connected to Saviynt, the savings grow exponentially
Annual Cost: 1,231,450 | After w/ Saviynt, New Annual Cost: 147,350

Typical Medium-Large Organization Setup for Access, Security, Compliance | Before: % | Salaries | Annual Costs | After w/ Saviynt: % Time Spent | New Annual Cost
Azure
Access (IAM, Groups, Roles, Policies) | 25% | 140,000 | 35,000 | 0% | 0
Governance Work | 3% | 140,000 | 4,200 | 3% | 4,200
CI/CD, TFS-DevSecOps | 25% | 140,000 | 35,000 | 3% | 4,200
Application & Network Security, Solutions Architect | 30% | 140,000 | 42,000 | 3% | 4,200
IAM & Active Directory Team (Info Sec)
IAM to Update AD on Group name | 90% | 50,000 | 45,000 | 0% | 0
IAM to Update AD on Application Group Info | 90% | 50,000 | 45,000 | 5% | 2,500
IAM for Contractors 1 | 90% | 65,000 | 58,500 | 25% | 16,250
IAM for Contractors 2 | 75% | 75,000 | 56,250 | 5% | 3,750
IAM for Password and Roles Management | 50% | 65,000 | 32,500 | 1% | 650
Director of Info Security | 25% | 175,000 | 43,750 | 5% | 8,750
Manager of Infrastructure | 25% | 135,000 | 33,750 | 10% | 13,500
O365
Email creations | 75% | 50,000 | 37,500 | 0% | 0
SharePoint (Data Access Governance) | 10% | 85,000 | 8,500 | 1% | 850

*25 Main & Legacy Applications to automate
** if more applications are connected to Saviynt, the savings grow exponentially
Annual Cost: 738,500 | After w/ Saviynt, New Annual Cost: 87,650

Typical Medium-Large Organization Setup for Access, Security, Compliance | Before: % | Salaries | Annual Costs | After w/ Saviynt: % Time Spent | New Annual Cost
IAM placement in O365 Group | 15% | 50,000 | 7,500 | 0% | 0
Collaborations (Data Access Governance) | 10% | 85,000 | 8,500 | 1% | 850
Salesforce CRM
Administrator/Architects | 15% | 125,000 | 18,750 | 5% | 6,250
Module Custodian | 50% | 75,000 | 37,500 | 0 | 0
Salesforce Marketing
Administrator | 15% | 95,000 | 14,250 | 5% | 4,750
Module Custodian | 50% | 75,000 | 37,500 | 0 | 0
Workday HCM
Administrator/Architects | 15% | 125,000 | 18,750 | 10% | 12,500
Module Recruiting | 20% | 75,000 | 15,000 | 0 | 0
Module T&A, Benefits | 20% | 75,000 | 15,000 | 0 | 0
Module Compensation, Payroll | 40% | 85,000 | 34,000 | 0 | 0
Day-1 HR for New Hires | 75% | 75,000 | 56,250 | 3% | 2,250
Oracle Financials
Responsibility Custodian with SOD analysis | 75% | 85,000 | 63,750 | 10% | 8,500
Module GL | 15% | 75,000 | 11,250 | 0% | 0
Module FA | 15% | 75,000 | 11,250 | 0% | 0
Module AP, AR | 15% | 75,000 | 11,250 | 0% | 0
Module PO | 15% | 75,000 | 11,250 | 0% | 0
Annual Cost: 382,750 | After w/ Saviynt, New Annual Cost: 53,400

Typical Medium-Large Organization Setup for Access, Security, Compliance | Before: % | Salaries | Annual Costs | After w/ Saviynt: % Time Spent | New Annual Cost
SaaS Level 1 (10 Apps) | 15% | 75,000 | 11,250 | 3% | 2,250
SaaS Level 2 (20 Apps) | 15% | 60,000 | 9,000 | 3% | 1,800
Legacy and Other Applications
Legacy Data Visualization Tool | 25% | 85,000 | 21,250 | 3% | 2,550
Legacy 11 BI | 25% | 70,000 | 17,500 | 3% | 2,100
Legacy 12 - Enterprise Service Bus (MuleSoft, Oracle SOA, IBM WebSphere, JBoss SOA Platform) | 25% | 115,000 | 28,750 | 3% | 3,450
Legacy 13 | 25% | 55,000 | 13,750 | 3% | 1,650
Legacy 14 | 25% | 50,000 | 12,500 | 3% | 1,500
Legacy 15 | 25% | 65,000 | 16,250 | 3% | 1,950
Legacy 16 | 25% | 65,000 | 16,250 | 3% | 1,950
Legacy 17 | 25% | 50,000 | 12,500 | 3% | 1,500
Legacy 18 | 25% | 55,000 | 13,750 | 3% | 1,650
Legacy 19 | 25% | 65,000 | 16,250 | 3% | 1,950
Legacy 20 | 25% | 55,000 | 13,750 | 3% | 1,650
Legacy 21 | 25% | 65,000 | 16,250 | 3% | 1,950
Legacy 22 | 25% | 55,000 | 13,750 | 3% | 1,650
Legacy 23 | 25% | 60,000 | 15,000 | 3% | 1,800
Annual Cost: 135,000 | After w/ Saviynt, New Annual Cost: 22,050

Typical Medium-Large Organization Setup for Access, Security, Compliance | Before: Salaries | Annual Costs | After w/ Saviynt: % Time Spent | New Annual Cost
SAP
Analytics | 90,000 | 18,000 | 5% | 4,500
Financials | 95,000 | 19,000 | 3% | 2,850
Human Capital Management | 100,000 | 20,000 | 3% | 3,000
Procurement and Logistics Execution | 100,000 | 20,000 | 3% | 3,000
Product Development and Manufacturing | 100,000 | 20,000 | 3% | 3,000
Sales and Service | 95,000 | 19,000 | 3% | 2,850
Corporate Services | 95,000 | 19,000 | 3% | 2,850

More on Saviynt

Saviynt’s built-in intelligence derives governance details and mashes them up with the out-of-the-box controls that auditors are looking for. On compliance, internal and external auditors typically work year-round to catch up with monthly and quarterly access reviews, capture evidence and sit with any of the application owners to pull access details, orphan accounts, and privilege access reports, among others. There is additional risk of error in manual reporting for audit reports.

If you look into integration you will see that technologies such as connectivity through database, flat-file, web services, and Java are loosely coupled, with credentials such as client IDs, secret IDs and connection parameters entered directly into the Saviynt configuration platform. These configurations can be exported for deployment to the next environment or a new tool. Governance and security controls are in place from the start.
A. Infrastructure Access Governance

400 infrastructure and security controls for your cloud assets for AWS and Azure which make migration to the cloud faster with cloud standards security on infrastructure, network, database, storage

- EC2 instances with missing IAM Roles
- High Privileged IAM Users
- Open Ports (SSH, RDP, DNS, MySQL, FTP, etc.)
- Instances deployed outside VPC
- Root MFA Disabled
- S3 Buckets with Versioning Disabled
- Validate PAM, Rogue Workloads, HPA users against CloudTrail
- Expired Certificates
- RDS with high last restorable time

Provides a detailed audit trail of all privileged actions performed during the duration for further review

B. Out of the box preintegrated Connectors for common applications and platforms such as

- MS O365
- Salesforce
- MuleSoft
- AWS, Azure
- Active Directory
- Mainframe
- Box, Dropbox
- Google Apps
- Workday
- Oracle EBS
- Peoplesoft
- SAP
- Epic
- many others

C. Data Access Governance

Content inspection and data classification, near real-time data protection during upload, share, access modifications, content-aware data access policies

D. Hundreds of additional technologies used for Integration to onboard Applications, Entitlements, Profiles, Permissions, Roles into Saviynt
On Cloud and SaaS (Oracle EBS, Workday, Salesforce)

AWS and Azure call to mind an on-premise resource pool of developers, DBAs, testers, system admins, and release management who check out code from a repository to build. These resources have a duty to perform and they cannot step all over each other. Through Saviynt’s integration with AWS and Azure you eliminate the guesswork of where to apply security.

For the still relevant Oracle HCM and Financials, Saviynt has out of the box controls to catch separation of duties for access.

In summary Saviynt is:

-Identity Access Governance
Discover, design and manage roles and rules. Manage delegated administration of users with integrated audit and traceability. Leverage risk profiling as a trigger for adaptive authentication. Policy and Group Management.

-Application Access Governance
Application level separation of duties. Management usage analytics and transaction monitoring. Role and privilege access design, mining and governance. Continuous controls monitoring.
-Infrastructure Access Governance
Robust controls library for visibility and actionable remediation. Near real time workload security policy enforcement. Integration tools to enable DevOps with less risk. Privileged account management and monitoring.

-Data Access Governance
See who and what data is saved and shared in Box, DropBox, O365, SharePoint, GSuite, and Hadoop

-Privilege Access Management
Cloud Privileged Access Management

Maintaining Effective Security Across IT Environments
Continuous Controls Monitoring, Visibility & Compliance
Infrastructure & Identity Lifecycle Governance
Automation Eases Compliance Burdens