
Saturday, January 13, 2007

Role Engineering & Auditing: Proof of Concept / Survey

Many security administrators and managers are required to meet industry security standards, along with compliance guidance from external or internal auditors.

Before you decide on your approach and on the tools or solutions you plan to purchase to address this challenge, it is highly recommended that you consult with experts who have been involved in many Identity Auditing & RBAC projects and learn from their experience.

Once you have done that research, test the solution in your own lab to get a true feel for how it addresses your business needs and how it performs, with both short- and long-term planning in mind.

This engagement should take 5-10 working days. From my experience, if your business has up to 40,000 employees, 5 days will be enough.

I prefer to call this POC a Survey, because during these 5 days you will actually be testing the product on your real data: you survey your data and experience how the product will work in production.

As part of the Survey, you should analyze one or two of the major systems (e.g., mainframe, directory, ERP) over a period of 5-10 days, and plan to check the following:

  1. Get an enterprise view of user-privilege and/or user-group-privilege relationships.
  2. Identify some simple exceptions and interesting findings through visual exploration.
  3. Auditing - Perform high-level analysis of the following entities:
    a. User privilege analysis
    b. Resource privilege analysis
    c. Link analysis (direct and dual links)
    d. Overlapping roles (same users and same resources)
  4. Audit - Generate auditing reports for the above entities, and other auditing reports.
  5. Role Engineering - Perform a bottom-up role search based on various search methods and techniques. (I will elaborate on this topic in a future article.)
  6. Create a few examples of business constraints, such as segregation of duties, and review privileges for compliance (based on SOX, HIPAA, etc.).
  7. Execute business workflows such as user certification workflows, role approval workflows and others.
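
The checks in items 1 through 6 above, as an added example that is not part of the original post and is not Eurekify's product or the author's method: a small Python script over constructed role, user and direct-grant data that builds the user-privilege view, flags a department-level exception, separates direct from dual links (this example's own reading of those two terms), finds a pair of overlapping roles, runs the simplest possible bottom-up role search (users with identical effective privilege sets), and checks one hypothetical segregation-of-duties rule. Every user, role, privilege and rule name is made up; item 7 (workflows) is a process step and is not shown.

```python
"""Survey-style checks over a constructed identity export (added example,
not Eurekify's product or the author's method; every name and rule is
hypothetical)."""
from collections import defaultdict
from itertools import combinations

# Constructed data. Privileges are "resource:action" so the resource
# can be recovered for the resource-centred view.
ROLE_PRIVS = {
    "AP-Clerk":    {"ap:create_vendor", "ap:enter_invoice"},
    "AP-Entry":    {"ap:create_vendor", "ap:enter_invoice"},  # twin of AP-Clerk
    "AP-Approver": {"ap:approve_payment", "ap:view_invoice"},
    "HR-Staff":    {"hr:view_employee", "hr:edit_salary"},
}
USER_ROLES = {
    "alice": {"AP-Clerk", "AP-Entry"}, "bob": {"AP-Clerk", "AP-Entry"},
    "carol": {"AP-Approver"}, "dave": {"AP-Clerk", "AP-Entry", "AP-Approver"},
    "erin": {"HR-Staff"}, "frank": {"HR-Staff"},
}
DIRECT_PRIVS = {  # grants made straight to the user, bypassing roles
    "dave":  {"ap:enter_invoice"},   # also held via AP-Clerk
    "frank": {"mainframe:sysprog"},  # nobody else in HR has this
    "grace": {"ap:create_vendor", "ap:enter_invoice"},
}
USER_DEPT = {"alice": "finance", "bob": "finance", "carol": "finance",
             "dave": "finance", "grace": "finance", "erin": "hr", "frank": "hr"}
# Hypothetical toxic pair: whoever can create a vendor must not also be
# able to approve a payment to it.
SOD_RULES = [("ap:create_vendor", "ap:approve_payment")]


def role_privileges(user):
    """Privileges a user holds through roles only."""
    return set().union(*(ROLE_PRIVS[r] for r in USER_ROLES.get(user, ())))


def effective_privileges():
    """1. Enterprise view: user -> every privilege, via roles or direct."""
    return {u: role_privileges(u) | DIRECT_PRIVS.get(u, set()) for u in USER_DEPT}


def resource_view(privs):
    """3b. Resource view: resource -> users holding any privilege on it."""
    out = defaultdict(set)
    for user, ps in privs.items():
        for p in ps:
            out[p.split(":", 1)[0]].add(user)
    return dict(out)


def link_analysis():
    """3c. Direct links (user-privilege grants that bypass roles) and dual
    links (the same privilege granted both directly and via a role).
    These two definitions are this example's own interpretation."""
    direct, dual = set(), set()
    for user, ps in DIRECT_PRIVS.items():
        via_role = role_privileges(user)
        for p in ps:
            (dual if p in via_role else direct).add((user, p))
    return direct, dual


def overlapping_roles():
    """3d. Pairs of roles with identical members and identical privileges."""
    members = defaultdict(set)
    for user, roles in USER_ROLES.items():
        for r in roles:
            members[r].add(user)
    return [(a, b) for a, b in combinations(sorted(ROLE_PRIVS), 2)
            if members[a] == members[b] and ROLE_PRIVS[a] == ROLE_PRIVS[b]]


def department_exceptions(privs):
    """2. Simple exception: a privilege held by exactly one person in a department."""
    holders = defaultdict(set)
    for user, ps in privs.items():
        for p in ps:
            holders[(USER_DEPT[user], p)].add(user)
    return sorted((next(iter(us)), p) for (_, p), us in holders.items() if len(us) == 1)


def mine_candidate_roles(privs, min_users=2):
    """5. Simplest bottom-up role search: users with identical effective
    privilege sets form a candidate role (a frequent-itemset pass over
    partial overlaps would be the next refinement; not shown here)."""
    clusters = defaultdict(set)
    for user, ps in privs.items():
        clusters[frozenset(ps)].add(user)
    return sorted(((ps, frozenset(us)) for ps, us in clusters.items()
                   if len(us) >= min_users), key=lambda c: -len(c[1]))


def sod_violations(privs):
    """6. Users holding both halves of a toxic privilege pair."""
    return sorted((u, rule) for u, ps in privs.items()
                  for rule in SOD_RULES if set(rule) <= ps)
```

Calling `effective_privileges()` and feeding the result to the other functions yields the kind of findings the Survey is meant to surface: AP-Clerk and AP-Entry are twins, frank is the only person in HR with a mainframe privilege, dave holds ap:enter_invoice twice, and dave can both create a vendor and approve a payment. On a real engagement the three data dictionaries would come from the export of the directory, ERP or mainframe being surveyed, which is exactly the point of running the POC on your own data rather than on a vendor demo set.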

In my next article, I will address other best practices.
Let me know if you have any questions and I will try to address them as soon as possible.

Ilan Sharoni

http://www.eurekify.com/