Aspiring Future State| - Access Management System

Information Security
November 2016

1. Introduction
1.1. Outline:
This document outlines an Access Management system that is capable of supporting a programmatic approach to manage user
access. The future state design leverage several concepts that are not fully developed or mature at State Farm today.
1.2. General Overview:
The design strive to automatically provision pre-defined roles for associates, but also to de-provision those same users if an
associates job change or they leave the company. To ensure the RBAC roles repository remain accurate the workflow pull
together role owners, application stewards and managers to keep roles up to date and systems secure from unauthorized
access.
The concept of an Entitlement Filter and Segregation of Duties (SoD) Engine are also incorporated in the design, this
provides the ability to place additional restrictions on granted access. For instance, an associate with access to sales account
data at 3 p.m. may be restricted by the Entitlement Filter to the same data at 3 a.m. And an associate allowed to get into a
database could be cut short if he tried to download amounts of data that exceeded pre-set thresholds. The SoD Engine users
both a set of pre-defined SoD rules and AI based algorithms to identify toxic combinations of user access and provide real-
time enforcement of access control policies.

2. Design Considerations:
2.1. Design Leverages:
Access Management concepts that are not fully developed or mature at State Farm the design leverages:
2.1.1. Comprehensive Associate Code a code which reflect the department and job role an associate is aligned with. The
ultimate solution would accommodate internal, external and agency associates.
2.1.2. Role Based Access Control (RBAC) a method of regulating access to system resources based on the roles of individual
users within the enterprise.
2.1.3. Separation of Duties (SoD) Engine an automated SoD analysis tool which interegates system access an associate has
and flags existing toxic combinations.
2.1.4. Entitlement Filter the capability to provide refined restrictions on granted access, such as time of day.
2.1.5. Associate User Access Database a signal respository which documents all user access that an associate is assigned.
2.1.6. Entitlement Catalog a comprehensive reposity of enterprise entitlements.
2.1.7. Access Tracking Report System - track and report access to applications and systems to provide data for audit purposes

2.2. Systematic Strategy:

Senario: An onboard associate move from Underwriting to Claims
2.2.1. RBAC System A comprehensive system in which all user access in management via access role which provides a
grouping or package of access that provides the minium access for an associate to do their job. Perodic Role Reviews are
conducted by managers, team leads and qualified staff to ensure access within roles are adjusted to remain accurate and
current.
2.2.2. Provisioning and User Access adjustment When an onboard associate changes jobs Human Resources (HR) will trigger
a change in the employee code. The employee code change triggers an automated RBAC system that will take away all user
roles associated with their previous job. The system will also assign the associate the user roles that align with their new job.
2.2.3. Entitlement Filter An associates manager has the ability to apply a pre-defined entitlement filter or request a new filter
which provides specific restrictions on granted access such as the time of day which access is available.

FOR INTERNAL STATE FARM USE ONLY

Contains information that may not be disclosed outside State Farm without authorization
1
 2.2.4. SoD Engine To ensure SoD controls are enforced the SoD Engine monitors the combination of granted user access to
identify toxic combinations in real-time. The engine utilize an Associate User Access Database which is a repository that
documents all user access associated with an associate. The engine utilize pre-defined rules and it also evaluate access
combinations utilizing algorithms that flag potential toxic combinations.
2.2.5. Access Tracking Report System - track and report access to applications and systems to provide data for audit purposes.
2.2.6. De-provision When the associate changes jobs or leave the company the HR. while initiate an employee code change
which in turns triggers deactivations of their previous access. The appropriate new access will be granted automatically by
the RBAC system.

3. Detailed Design
3.1. Data Flow Diagram:
Following is the data flow diagram of future state:

Associate
Access Assigned
Code Assign Access Roles Filter Access Role
Includes:
Job Role
Database
Apply
RBAC System selected
Access Roles
restrictions to
granted access

System Resources Acces

User Access s
SoD Logs
Engine

3.2. Functioning:
1. The RBAC System determines the appropriate pre-defined access roles to grant to associates.
2. Apply pre-defined Access Filter if applicable and update the Assigned Access Role Database.
3. The SoD Engine applies SoD rules and evaluate user access combinations for toxic
combinations.
4. Associate access system resources permitted by their assigned assess roles.
5. The Access Tracking Report Systems generates logs which provides audit trail of access

STATE FARM CONFIDENTIAL INFORMATION

Distribution on a Business Need to Know Basis Only
2