(Authored by Steve Schlarman, Portfolio Strategist, RSA)
It was Mark’s big shot. He finally had a meeting with Sharon, the CIO. Her schedule was so busy it was legendary, and for her to spend time with a risk analyst was a clear indicator she recognized the new challenges facing their company. Although he only had 15 minutes, Mark was prepared - notepad at the ready, brimming with nervous energy. After some brief chit-chat he got down to business – ready to drill into a conversation about their company’s biggest obstacles; the most impactful concerns; the top-of-mind issues; the coup de grâce that could spell disaster for the organization. He took a deep breath and went to his big money question… ‘So, what keeps you up at night? What are you worried about?’
Sharon beamed. She spun around to her white board and spewed a litany of projects fueling their company’s digital transformation – an IoT project, the SalesForce.com implementation, a massive VMWare migration and their hybrid cloud, the new employee work-at-home program, the impending customer mobile portal…
While that question got Sharon started, let’s think about this a bit differently.
With all the benefits the new digital world offers, there are a host of risks that must be managed. The major areas of risk remain the ‘usual suspects’ such as security, compliance, resiliency, inherited risks from third parties and operational risk. However, digital business amplifies uncertainty for organizations today. For example:
Factors such as these are why digital initiatives are forcing organizations to rethink and increasingly integrate their risk and security strategies.
The objective for today’s risk professional is not just about defending against the bad. Just like Mark discussing the parade of initiatives with Sharon that clearly impact their company’s future, you must be ready to help usher in a new age of digital operations. Merely riding the buzzword wave - IoT, social media, big data analytics, augmented reality… - is not enough.
You must look at opportunities to enable innovation in your business while building trust with your customers and throughout your enterprise. Your business must be comfortable with embracing risk and aggressively pursuing market opportunities offered by new technology. To do that, risk associated with the use of emerging or disruptive technology in transforming traditional business processes needs to be identified and assessed in the context of fueling innovation. You also must keep focus on the negative side of risk. Your business today demands an open, yet controlled, blend of traditional and emerging business tactics. You must help manage the ongoing risk as these transformed business operations are absorbed into the organization fully, i.e. the new model becomes the normal model of doing business.
Risk is, by definition, uncertainty. Everyone is concerned about uncertainty in today’s world. However, if we go back to the simple equation (risk = likelihood * impact), risk should be something we can dissect, understand, and maybe even calculate. While you are helping your organization embrace the advantages (positive risk) of technologies like IoT, data analytics, machine learning and other emerging digital enablers, the volatile, hyperconnected nature of digital business amplifies the negative side of risk. It is anxiety about the unknown that leads us into that executive conversation, but it shouldn’t lead to worry.
Worry is about fear. Your executives shouldn’t be afraid in today’s world. They should have informed concerns. And you – as the security or risk person in the room – should be feeding insights to raise their visibility of the likelihood of events and diminish their distress on the negative impacts. Risk is part of riding the waves of business opportunities.
Risk is not something you should WORRY about… it is something you should ACT on.
To learn more about digital risk management, click on our new Solutions Banners located in the right-hand column of each RSA product page: Third Party Risk, Cloud Transformation, Dynamic Workforce, and Cyber Attack Risk.
Our 7.1.1 release continues to build on many of the areas of improvement we have made across the 7.x releases, including enhancing the user experience, delivering analytics to support informed decisions, and reducing the complexity of Identity Governance and Administration.
As we look at our recent releases, we have provided innovations such as the new user access review, which makes it easier to understand whether access is appropriate, quick start deployments, and analytics that make your processes easier to manage, while making some of the screens in the product simpler and easier to use.
So, what about 7.1.1?
Segregation of Duties, made simple
Management of Segregation of Duties (SoD) rules and processes can be hard; when you try to scale it to hundreds or thousands of applications it can feel impossible. To meet the ever-increasing risk and compliance requirements of many organizations, SoD management at this scale is being demanded by audit and the business. To achieve this, businesses are defining an SoD matrix: a set of access classifications that cannot be held in combination. These organizations then classify their access, and in this way are able to perform simple, dynamic SoD detection based on access classification.
To help our customers, RSA has provided a SOD solution including a recommended practice and two new product capabilities in this area.
New SoD Remediator Experience
Working with our customer design partners, RSA has significantly enhanced the remediator experience to reduce the level of effort needed to make decisions when a violation occurs. The experience provides more analytics and data while also allowing bulk actions and reassignments to take place when needed.
SoD Recommended Practice
This recommended practice talks you through our solution for implementing SoD detection, including building the classifications matrix and implementing it within our platform.
Advanced SoD Analysis rules
The new advanced rule process allows a third data element to be considered when detecting SoD violations. This is needed when using a classification model to detect true violations and remove false positives. For example, you could say that having front office access together with back office access is a violation, but if the user holds that access in two different applications or countries, it might not be. The advanced rule capabilities allow you to make these correlations.
Continued evolution of the New Reviewer Experience
After RSA released the new Access Reviews experience in 7.1, we wanted to continue to enhance reviews based on the feedback from our customers. In 7.1.1 we have added several changes based on your input.
Give your reviewers more insight into the access they review: build your own custom views of data to highlight areas of risk or to provide important context to reviewers, such as critical or privileged entitlements.
Give your reviewers the time to complete their review successfully: take weekends and holidays into account when setting the amount of time they have to complete a review. All review types now allow you to specify the calendar used when setting the timing of the review.
Pending Revoke, Automatically Marked Revoke
Reviewers are always frustrated when things don’t make sense. In 7.1 when we added categories into the review we provided a category called “Pending Revoke”. This means the items in this category are already in the process of being removed. Then reviewers asked “Why do we have to mark them as revoke again?” The default now is that everything in this category is immediately marked as revoked in the review.
Diagnostics & Heuristics
Collecting and testing key performance indicators
How successful am I being? How many applications have I onboarded? How many requests have I processed? What are the trends on my system? Is the way I configured the system the best way?
These are the types of questions we want to answer with this feature, which collects over 130 data points daily to give you a better understanding of the successes and trends in your system.
These are things like the number of users, applications, entitlements, and orphan accounts, or the time it takes to collect the data, approve a request, or complete a review. You can also provide the data to RSA, where we can give you deeper insights based on best practice and your status compared with other similar customers.
7.1.1 provides a number of new trending dashboards allowing you to visualize the trends in key areas such as reviews, requests, rules, and roles. Customers can create their own as well, leveraging a new public view against the diagnostics and heuristics data.
So, as you can see, there are some great innovations in this release and these are just some of the highlights. Check out the release notes for full details and look out for the RSA Identity Governance and Lifecycle quarterly webinar series here where we will give more insights into what’s coming in the future!
In the recent RSA Identity Governance and Lifecycle 7.1.1 Service Pack Release we have added some new web services. In previous releases you could use the findApprovals, getApprovalDetails, and performApproval web services to interact with approvals. In this release the following web services have been introduced to interact with any type of work item, including approvals: getWorkItemsForUser, getWorkItemDetails, and performWorkItem.
The getWorkItemsForUser web service returns high-level details for the work items, including the work item IDs. The getWorkItemDetails web service takes a work item ID and returns more details, including what actions can be taken. The actions that are returned are based on the transitions modeled in the workflow. The performWorkItem web service is used to complete the work item using the provided action and comment.
The approval-specific web services will be deprecated in a future release. Any implementations based on this should be updated to use the more generic work item web services.
Lastly, the new web service findReviews has been introduced in this release. This allows you to search for reviews by name or other search criteria. The web service returns details about the reviews based on the requested columns. In particular, the review ID is returned, which is needed for other calls like getReviewStatus, refreshReview, setReviewState, and updateUnreviewedItems.
As part of the release we are excited to introduce advanced Segregation of Duty (SOD) violation analysis capabilities that make it even easier for global organizations to identify and remediate where this risky access truly exists in their organization.
To scale at the enterprise level, across thousands of applications and hundreds of millions of entitlements, Segregation of Duty policy analysis needs not only to examine whether access on one side of the equation is in violation with access on the other side (for example, the ability to submit a check request and the ability to approve a check) but also to inspect deeper and across business processes to determine whether a detected violation is a false positive or truly represents inappropriate access.
In this example, a user should not have the ability to both submit a check and approve a check in the payroll expense system and accounting system. However, they may legitimately have the ability to approve a check request in the contractor management and vendor management systems. If organizations treat just the combination of submitting and approving checks as a violation, false positives would be detected. This leads to cleanup overhead before violations are sent to business users or policy managers, or even to having to create thousands of rules – which is unmanageable!
With this new and advanced SOD detection and correlation analysis, organizations can create a small number of rules that look across the enterprise and evaluate whether the access is truly a violation. This advanced analysis can look across the entire global set of applications and entitlements and determine not only whether there is access that is truly in violation (based on a common business interface / application relationship), but also reduce and virtually eliminate the false positives that are typically presented when looking only at the two sides of the equation.
This analysis is performed at the business application level and determines whether entitlements across both sides are in violation based on a “correlation” between the applications. That correlation exists where the applications are considered part of the same business process, such as when they interface with each other. Following the example, instead of creating hundreds of rules to look for submit-and-approve toxic access combinations, organizations can create a single rule that looks for these access types, using a correlation to identify where access should be considered a violation; access that is found on one side with no correlating access on the other is not a violation.
Without the correlation of the business applications, the potential for many false positive violations surfaces. This creates a burden on the team to clean up before sending out violations to be addressed or, if not cleaned up beforehand, creates a mess of inaccurate information and the potential for appropriate access to be inadvertently removed.
Organizations can effectively analyze across their enterprise applications where risky access exists and truly represents a SOD policy violation; therefore, reducing risk by quickly getting access violations in-front of the right people for review and remediation. In concert with this advanced analysis, a simplified and streamlined new policy violation review and remediation user experience has also been added.
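The correlation-aware check described above, as an added example that is not RSA's code: entitlements are classified against a two-sided SoD matrix (submit check / approve check), and a pair is reported as a true violation only when the two applications holding it are correlated, i.e. belong to the same business process. The matrix, the application correlation map and the sample entitlements are all constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Entitlement:
    user: str
    application: str
    classification: str  # access classification from the SoD matrix

# Constructed SoD matrix: classification pairs that must not be held in combination.
SOD_MATRIX = {("submit_check", "approve_check")}

# Constructed application correlation: applications that interface with each other
# and therefore form one business process. Stored as undirected pairs.
CORRELATED_APPS = {
    frozenset({"payroll_expense", "accounting"}),
}

def correlated(app_a: str, app_b: str) -> bool:
    """Two applications are correlated if they are the same application or
    are declared part of the same business process."""
    return app_a == app_b or frozenset({app_a, app_b}) in CORRELATED_APPS

def find_violations(entitlements, use_correlation=True):
    """Return sorted (user, left_app, right_app) tuples that violate the matrix.
    With use_correlation=False this is the naive two-sided check, which is what
    produces the false positives the text describes."""
    by_user = {}
    for e in entitlements:
        by_user.setdefault(e.user, []).append(e)
    hits = set()
    for user, ents in by_user.items():
        for left_cls, right_cls in SOD_MATRIX:
            lefts = [e for e in ents if e.classification == left_cls]
            rights = [e for e in ents if e.classification == right_cls]
            for left, right in product(lefts, rights):
                if not use_correlation or correlated(left.application, right.application):
                    hits.add((user, left.application, right.application))
    return sorted(hits)

# Constructed sample: alice holds both sides inside one business process
# (payroll expense interfaces with accounting) -> true violation.
# bob can submit in payroll expense but only approve in contractor and vendor
# management, which are not correlated -> flagged by the naive check only.
SAMPLE = [
    Entitlement("alice", "payroll_expense", "submit_check"),
    Entitlement("alice", "accounting", "approve_check"),
    Entitlement("bob", "payroll_expense", "submit_check"),
    Entitlement("bob", "contractor_mgmt", "approve_check"),
    Entitlement("bob", "vendor_mgmt", "approve_check"),
    Entitlement("carol", "vendor_mgmt", "approve_check"),
]

if __name__ == "__main__":
    print("naive two-sided check:", find_violations(SAMPLE, use_correlation=False))
    print("correlation analysis: ", find_violations(SAMPLE))
```

Running the block shows three hits from the naive check and a single true violation once correlation is applied, which is the false-positive reduction the passage describes.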
Have you ever wanted to be able to review and remediate multiple access violations at once? Have you ever wanted to be able to see how widespread access violations were across a grouping of users, business units, or applications? Have you ever wanted a streamlined, intuitive, single screen to review and remediate access violations in your organization?
As part of the release we have introduced a new streamlined, intuitive, and simple policy remediation experience that addresses the above questions. This new remediation experience follows the streamlined design of the Risk Based Reviewer Experience, which, based on customer feedback, delivers a very successful and intuitive user review experience that has reduced risk in customers' organizations.
Some notable highlights for this new remediation experience
The log artifact is a new feature in RSA Identity Governance and Lifecycle Version 7.1.1 that aids in gathering log information when a support ticket is created. It is an administrator-only feature that gathers the most widely used log files for troubleshooting problems in the application, thereby reducing the time to identify the root cause of an issue. It is designed to work on a node-by-node basis and works for different architectures such as Hard Appliance, Software Bundle with remote database, and Clusters, along with the different application servers we support. The page can be found under the Admin > Diagnostics menu.
It is located on the Log Artifact tab.
The following is a description of the different areas of the page:
When in progress, the Current Status shows the current step.
Once completed, the zip file is available for download.
Upon completion of the process the status section will show the pertinent information about what was chosen for this invocation. As detailed in the picture we will store the zipped file on the server and it will stay there until the next invocation of the process. To store the file locally just press the Download button.
RSA Identity Governance and Lifecycle Release 7.1 introduced a new interface for user access reviews, to provide a better user experience and improve efficiency in performing reviews with the help of analytics-based prioritization and identification of high-risk access and violations.
To continue enhancing the enriched user experience, the Display Views feature for the new user interface (for user access and rule remediation reviews) is introduced in Identity Governance and Lifecycle Service Pack Release v 7.1.1.
With the introduction of Display Views, you now have the ability to organize review items in multiple ways to meet your requirements.
Here are some of the capabilities added to support Display Views in version 7.1.1.
Select multiple display views in review definition
The system now supports using display views in the legacy as well as the new user interface (for user access and rule remediation reviews). When more than one display view is selected in the review definition, the resulting review in the new user interface lists the display views in the left panel above Guidance and Analysis.
Custom display views
You can now define custom display views that can be used for the legacy user interface as well as the new user interface. The process to create custom display views is the same as that for the legacy user interface. When custom display view definitions are used with the new user interface:
For additional information, follow the online help pages.
This blog describes what diagnostic data is collected in RSA Identity Governance and Lifecycle V7.1.1 and how it can be useful to customers.
The diagnostic data collection in RSA Identity Governance and Lifecycle is turned on by default and collects system information daily. The frequency of data collection is configurable (see Admin > Diagnostics in the product help). Customers should review the schedule for diagnostic gathering to ensure it does not conflict with or delay nightly collections. With this feature enabled, statistical information is gathered about product components like reviews, rules, access requests, AFX, roles, and reports, as well as information related to the deployed environment and the applications that are configured.
Trends in application configuration can be assessed by looking at application parameters such as the number of accounts, users, orphan accounts, users with multiple accounts, roles, and entitlements over time. A sudden increase in data volume or a spike can be tied to symptoms like application slowness and performance degradation. Admins can use the historical data to explain such anomalous behavior, or to trace and rein in rogue jobs that could be the cause.
Deployment-related information can similarly be used to get the big picture of the deployment: the type of database configured (remote/local), the number of “Remote Agents” deployed, the number of AFX servers, and the number of nodes in the cluster. This information can be used to identify any deviations from the configuration recommended by RSA so that corrective actions can be taken.
AFX-related information includes the number of connectors, their daily status, the number of active running connectors, and the count of fulfillment requests sent in a day, including failures. These can be used to understand the trend and make necessary changes, including tuning of the endpoints to adjust the overall performance.
The health of collectors can be learned from the trend in the time taken for collections to complete, the frequency of collection, and the number of collection failures. This information helps in tuning the collection schedule and avoiding redundant collections.
Out of the box Reports/Charts in 7.1.1 are provided for the following components:
Weekly and Monthly views are available for customers to include in their dashboards to get their statistics.
The public view PV_TELEMETRY_DATA is also provided so customers can develop their own reports and charts against the diagnostic information gathered.
Diagnostics data use for troubleshooting:
The complete set of data collected can be downloaded from the UI as a zip file containing a set of JSON files, which can be shared with RSA while reporting issues on the product. This data will be used by RSA to diagnose the reported issues and troubleshoot and fix them. The data will also help RSA understand how customers are using the product and whether the scale of objects defined differs from other customers. This will improve the time to resolve issues while reducing the number of meetings with customers. The likelihood of identifying the root cause of a problem at the first level of support (CS) increases because the data is more intuitive.
For larger enterprises, creating a clustered environment for RSA Identity Governance and Lifecycle helps to scale the product. The RSA Identity Governance and Lifecycle 7.1 Configuring WildFly Clustering document (RSA Identity Governance and Lifecycle 7.1: Configuring WildFly Clustering) describes how to configure a cluster using multicast/UDP for communication between the nodes of the cluster.
RSA Identity Governance and Lifecycle 7.1 now allows communication between the nodes in a cluster to use TCP, rather than multicast/UDP, because TCP is highly reliable and key to a more stable cluster. The new document, Configure WildFly Cluster to Use TCP (RSA Identity Governance and Lifecycle 7.1 Configure WildFly Cluster to Use TCP), describes how to change current UDP/multicast clusters to use TCP-based communication.
RSA recommends that clusters use TCP rather than multicast/UDP because of some of the key differences between UDP and TCP:
1. TCP is connection-oriented, unlike UDP, which is a connectionless protocol.
2. TCP is highly reliable for transferring data because it uses the acknowledgment of sent information and automatically resends any lost packets. UDP does not request retransmission if the packet is lost.
3. TCP is slower than UDP, because TCP establishes the connection before transmitting data and ensures the proper delivery of packets.
4. The header size of UDP is 8 bytes, while the header size of TCP is more than 16 bytes.
Releases higher than 7.1 deprecate the UDP/multicast setup in favor of the TCP protocol.