ECS provides IT Security Consulting, specifically targeting IT Security Access Provisioning using an Identity Management System to deploy Roles Based Security Management (RBSM). Security entitlement management is the No. 1 sore spot in most IT organizations. Does the following description sound familiar? "User interfaces are out of date, poor manual workflows contribute to audit deficiencies, and chronic security access request backlogs result in frequent expediting and customer dissatisfaction. Specific issues include excessive lead time to obtain management and data owner approvals for security requests, lack of a centralized user access 'roles' repository, overly labor-intensive security request provisioning, lack of integration with existing infrastructure, and inability to support IT request self-service."

End user access provisioning is an absolute necessity, but from an ITIL perspective it is just another IT service. ECS provides security consulting based on hands-on experience implementing Roles Based Security Management (RBSM). Our specialty is integration with Self Service solutions, so end users benefit from one-stop shopping for all assets and services provided by IT.

Security Access Management - What It Should Look Like:

[Figure: RBSMOverviewv1.jpg]

While complex, driving a RBSM project can be organized into four logical phases:

  • Identity Mapping
  • Role Template Identification and Development
  • Provisioning Automation
  • Compliance

Security Access Management Implementation - What It Should Look Like:

[Figure: RolesBasedSecurityFlowv2.jpg]

  1. Identity mapping and utilization of standard role templates eliminate end user request provisioning guesswork. Identity mapping is the process of going department to department and identifying the key systems and security entitlements required by staff in that area. Identity mapping - the process of programmatically mining end user entitlement attributes from target applications and storing this data in a centralized entitlement profile database - is complex and time-consuming. Once completed, however, the business has a single repository that provides all entitlements for each employee in the organization, rather than having them locked within dozens or hundreds of individual application security tables.
  2. Entitlements are segregated by the "roles" various employees play to perform essential job functions. Role mining within an organizational unit is performed to identify high-percentage logical groupings of access requirements, which are then translated into templates. For instance, a Call Center Representative II may need LAN access and inclusion in several shares, Email, Customer Information System rights to perform their specific CSR II role, and the Call Center SharePoint portal. Every CSR II is the same.
  3. A manager hiring five new CSR IIs need only identify the individuals and then select the "CSR II role template", and that's it. Because manager and data owner approvals were certified in advance as part of the template certification process, there is no approval lead time. Coupled with automated target system "connectors" provided by an Identity Management system, total lead time from request to final provisioning can be reduced from weeks to minutes, and the labor component can be reduced to zero.
  4. Annual entitlement attestation by Data Owners can now be accomplished without time-consuming application extract evaluations, Segregation of Duty checks and approval cycles. Instead, the centralized entitlement profile database, which has been continuously updated with the latest identity mapping extracts, supports a self-service web approval process.
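To make the role mining in step 2 and the attestation and Segregation of Duty review in step 4 concrete, here is an added example (not ECS's code or tooling) that works over a constructed entitlement extract for one Call Center unit: it derives the "CSR II" template from the entitlements most staff share, lists per-user deviations for data owner review, and flags SoD conflicts. All user names, entitlement labels, the 80% threshold and the SoD rule are made up for illustration.

```python
from collections import Counter

# Constructed sample: entitlements per user in one organizational unit, in
# the shape identity mapping would produce from the target applications.
# Labels are invented; "system:right" is just a readable naming convention.
CSR_II_BASE = {"LAN", "share:callcenter", "Email", "CIS:read", "CIS:update",
               "SharePoint:callcenter"}
CSR_II_UNIT = {
    "alice": set(CSR_II_BASE),
    "bob":   set(CSR_II_BASE),
    "carol": set(CSR_II_BASE),
    "dave":  CSR_II_BASE | {"CIS:approve_refund"},   # stray extra entitlement
    "erin":  (CSR_II_BASE - {"share:callcenter"}) | {"Finance:GL"},  # gap + stray
}

# Constructed Segregation of Duty rule: nobody may both update customer
# records and approve refunds against them.
SOD_CONFLICTS = [({"CIS:update"}, {"CIS:approve_refund"})]


def mine_role_template(unit, threshold=0.8):
    """Role mining: keep entitlements held by at least `threshold` of the unit.

    The result is the candidate role template (e.g. "CSR II") that a data
    owner certifies once, so later requests need no per-user approval.
    """
    counts = Counter(e for ents in unit.values() for e in ents)
    return {e for e, c in counts.items() if c / len(unit) >= threshold}


def attestation_exceptions(unit, template):
    """Attestation view: per user, entitlements outside the template (for
    data owner review) and template entitlements missing (provisioning gap).
    Users matching the template exactly are omitted."""
    report = {}
    for user, ents in unit.items():
        extra, missing = ents - template, template - ents
        if extra or missing:
            report[user] = {"extra": extra, "missing": missing}
    return report


def sod_violations(unit, conflicts=SOD_CONFLICTS):
    """Users holding entitlements from both sides of any conflict pair."""
    return sorted(u for u, ents in unit.items()
                  for a, b in conflicts if ents & a and ents & b)


if __name__ == "__main__":
    template = mine_role_template(CSR_II_UNIT)
    print("CSR II template:", sorted(template))
    print("Exceptions:", attestation_exceptions(CSR_II_UNIT, template))
    print("SoD violations:", sod_violations(CSR_II_UNIT))
```

Raising the threshold tightens the template: at 90% the share that only four of five staff hold drops out and shows up as an exception instead, which is the trade-off a role certification review has to settle.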

Case Study: For a case study documenting a recent ECS success story implementing RBSM, click here.