Add to collection(s) Add to saved
  1. Business

The Evolution of Identity Management and It`s

Taking Control of Your User Accounts
Identity Management Basics
Dustin Puryear
Puryear IT, LLC
© Puryear IT, LLC. 2010 All Rights Reserved.
Who Are We?
Puryear IT, LLC
http://www.puryear-it.com/
Automating audit and compliance with solutions for user
and privilege management and reporting.
Contact us for a free consultation
contact-us@puryear-it.com
© Puryear IT, LLC. 2010 All Rights Reserved.
What is Identity Management?
•
•
•
•
Is it about users?
It is about passwords?
Authentication?
Three perspectives!
Identity
Management
Pure Identity
Paradigm
© Puryear IT, LLC. 2010 All Rights Reserved.
User Access
Paradigm
Service
Paradigm
Pure Identity Paradigm
•
•
•
•
•
Focus on Identity only
Creation of Identities
Management of Identities
Deletion of Identities
Notice that
Access/Entitlements are not
defined
Update Identity
Create Identity
Delete Identity
© Puryear IT, LLC. 2010 All Rights Reserved.
User Access Paradigm
•
•
•
Focus on use of the digital
identity
The digital identity is typically
unique
The unique identity simplifies
monitoring and verification
User
Identity
Authentication
(authn)
© Puryear IT, LLC. 2010 All Rights Reserved.
Authorization
(authz)
Logging, Audit,
Reporting
Service Paradigm
•
•
•
•
Focus on resources used to
deploy services
Examples include servers,
applications, network
devices, VPN
Broader, more
comprehensive view
This is often the view of the
audit/compliance team
© Puryear IT, LLC. 2010 All Rights Reserved.
Employee
User
Accounts
Applications
Issues Addressed by Identity Management
© Puryear IT, LLC. 2010 All Rights Reserved.
Management of Identities
Create, Modify,
Delete
Password
Synchronization
Workflow
Identities
Self-Service
Password
Reset (SSPR)
Delegation
© Puryear IT, LLC. 2010 All Rights Reserved.
“Breaches of identity and access
management (IAM) lead to
billions of dollars of losses
each year, both reported and
unreported.”
- Gartner
Directory Services
•
Directories are a critical
infrastructure component
–
–
–
© Puryear IT, LLC. 2010 All Rights Reserved.
Identity repositories
Metadata
replication/synchronization
services
Directory virtualization
Access Control
•
•
•
•
•
•
Role-based Access Control
Policy-based Access Control
Enterprise Single Sign On
(ESSO)
Web Single Sign On
(WebSSO)
Reduced Sign On
Federation
© Puryear IT, LLC. 2010 All Rights Reserved.
Protected
Data
Authorization
Authentication
Separation of Duties
•
•
•
•
•
•
Critical for internal controls
Implements checks and
balances on individuals
Reduces danger/risk of
individual actions
Can be difficult and
expensive to implement
Separate or Compensate
Bread and butter of
audit/compliance
© Puryear IT, LLC. 2010 All Rights Reserved.
Example: SOX, SoD, and IT
•
•
•
SOX places a large burden on IT
IT relies on RBAC for SoD and compliance
SoD items include
–
–
–
–
–
•
Identification of a requirement (business)
Authorization and approval (governance)
Design and development (developer)
Review, inspection, and approval (separate developer)
Implementation (systems administrators/operations)
Successful SoD implementation includes
–
–
–
Align authorization rights with organizational role
Align authentication method with value of data
Watch the watchers
© Puryear IT, LLC. 2010 All Rights Reserved.
Developing an Identity Management Roadmap
•
Several steps involved:
–
–
–
–
–
–
–
Needs Analysis
Management Involvement
Team Involvement
Selecting Best Solution
Technical Design Decisions
Roll Out
Monitor/ROI
© Puryear IT, LLC. 2010 All Rights Reserved.
Needs Analysis
•
•
•
•
Map existing processes into a set of business problems
Map business problems into requirements
Map requirements into technical specification
Map technical specification into:
–
–
Technical selection
Implementation design
© Puryear IT, LLC. 2010 All Rights Reserved.
Issue: New Hires
•
Business Problem
– New hires require new
accounts
– Accounts must get proper
access rights
– How do we maintain SoD?
– New hires must wait for
process to complete!
•
Business Solution
– Automate on-boarding that
relies on business rules and
workflow/approvals
© Puryear IT, LLC. 2010 All Rights Reserved.
•
Technical Solution
– Define HR system as System
of Record (SoR)
– Creation of “minimum
privileged” accounts based on
HR data
– Use of workflow to increase
privileges
Issue: Costly User Administration
•
Business Problem
–
–
–
–
–
•
Each application is a silo
Helpdesk can’t easily change
passwords
Lacks consistent audit trail
Inconsistent end-user information
in databases
Security administrators perform
user management activities
Business Solution
–
–
Develop consistent user
management process for
administrators and helpdesk
Use SoR to define/update user
information
© Puryear IT, LLC. 2010 All Rights Reserved.
•
Technical Solution
–
–
–
–
Develop single interface to user
management
Develop single interface for
password management/changes
Develop automation of updates
for “most critical” data
Identify SoD violations and
eliminateXX
Issue: Inconsistent Login IDs and Passwords
•
Business Problem
–
–
–
•
Users have different Login IDs for
applications
Users have too many passwords
Lack of consistency in password
policy across the enterprise
Business Solution
–
–
–
–
Develop enterprise Login ID
convention
Migrate existing Login IDs to new
convention
Develop enterprise password
policy
Migrate existing passwords to
new policy
© Puryear IT, LLC. 2010 All Rights Reserved.
•
Technical Solution
–
–
–
Reconcile Login IDs to new
convention using batch and
manual methods
Implement consistent password
policy
Implement password
synchronization, reduced sign-on,
single sign-on
Issue: Security Vulnerabilities
•
Business Problem
–
–
–
–
–
•
Delayed terminations result in
critical vulnerabilities
Disgruntled terminated staff
Unused/dormant accounts
Access rights increase over time
Access rights incorrectly granted:
“Set the new guy up just like
Susan in HR”
Business Solution
–
–
–
Develop process/workflow to
handle terminations
Periodically review/audit user
access rights
Develop request and
authorization process for
increasing user access rights
© Puryear IT, LLC. 2010 All Rights Reserved.
•
Technical Solution
–
–
–
Automate user account
terminations via SoR
Develop automated reports for
user access rights, focusing on
exception reporting for elevated
rights
Implement workflow solution for
user access rights
Issue: Audit, Reporting
•
Business Problem
–
–
–
–
•
Lack of audit trails within
application silos
Many enterprise applications lack
administrative logging
For those that have it, those
applications don’t have a
consistent log format
Difficult to monitor and enforce
SoD policies
Business Solution
–
–
Require enterprise-wide logging
of accounts changes and use
Develop process to use account
change and use logging for SoD
reporting
© Puryear IT, LLC. 2010 All Rights Reserved.
•
Technical Solution
–
–
Replace manual account
management with software
solutions that include logging
capabilities
Enable SoD rules within user
management solution to require
workflow for SoD-sensitive
positions
Management Involvement
•
A mandate is crucial!
–
–
•
Develop a clear mandate
Outline likely
issues/problems
Budget
–
–
–
–
–
–
Software license
Support
Training
Hardware and support
software
Professional Services
Internal Resources
© Puryear IT, LLC. 2010 All Rights Reserved.
Team Involvement
•
•
•
•
•
Security Administrators
Security Managers
Audit/Compliance
Systems Administrators
Human Resources
© Puryear IT, LLC. 2010 All Rights Reserved.
Selecting Best Solution
Define
Business Needs
Define Technical
Needs
Develop RFP
Identify Vendors
Issue RFP
To Vendors
Compare
Lab Results
Evaluate
Products
In Lab
Compare
Vendor Proposals
Decision
© Puryear IT, LLC. 2010 All Rights Reserved.
Identify Feature Requirements
Core
Capabilities
Local
Integration
Product
Scalability
Technical
Features
Ease of
Deployment
Product
Security
Product
Flexibility
© Puryear IT, LLC. 2010 All Rights Reserved.
Core Capabilities
Product
Capabilities
Automation
Auto-Discovery
Of Resources
SoD
Workflow
Login ID
Reconciliation
Admin
Usage
Consolidated
View
Passwords
Delegation
Logging
© Puryear IT, LLC. 2010 All Rights Reserved.
Policies
Synchronization
Local Integration
•
•
•
•
•
•
•
•
•
Localization is key to end-user acceptance!
Local language support
Logo
Corporate look&feel
Customization of request forms
Integration into helpdesk
Ability to send emails
Accessible for performance & availability monitoring
Support for local network and application, e.g., AD,
RSA
© Puryear IT, LLC. 2010 All Rights Reserved.
Ease of Deployment
Auto-Discovery
Of Resources
Login ID
Reconciliation
Web-based
Access
Deployment
Characteristics
Non-local
Agents
Support
Existing Directories
Support
Existing
Databases
© Puryear IT, LLC. 2010 All Rights Reserved.
• Deployment is the stumbling
block for many organizations.
• Be sure to map your needs to
the technical capabilities of the
product!
Product Security
•
Encryption
–
–
•
Authentication
–
–
–
•
Local data
Remote access
Admin users
End-users/SSPR
Web Services
Accountability
–
–
Logging
Reporting
© Puryear IT, LLC. 2010 All Rights Reserved.
Product Scalability
•
•
•
•
Can it handle your current organization?
Can your organization handle it?
Can it handle your organization in the future?
Calculating scalability requirements
–
–
–
–
Servers
Service layer
Network
Target systems
© Puryear IT, LLC. 2010 All Rights Reserved.
Product Flexibility
•
Organization specific data
elements
–
–
–
–
•
Handle wide-range of
applications
–
–
•
HR#
Student#
Job code
Facility
Network OS (NOS): AD, Novell,
Linux/UNIX
Applications: Exchange,
GroupWise, Mainframe apps
Handle custom applications
–
Many enterprises have more
custom applications than COTS
applications
© Puryear IT, LLC. 2010 All Rights Reserved.
Octopus = Flexible
Get it?
Customization for Custom Applications
•
•
Pre-built agents for common applications
SDK for new custom agents
–
–
–
•
•
•
C++, Java is most common
Java: Oracle, Sun, CA
C#: Microsoft
Developer documentation
SDK should be free or low-cost
ODBC Wizard!
© Puryear IT, LLC. 2010 All Rights Reserved.
Password Management
•
•
Deserves its own slide!
Must support your password
policies
–
–
•
•
Password complexity
Password expiration
Think about password
synchronization
WebSSO, SSO, reduced
sign-on!
© Puryear IT, LLC. 2010 All Rights Reserved.
Roll Out/Deployment
•
Design and pilot stages are critical
–
–
•
Pilot stage will identify internal technical weaknesses
Failure to do a pilot can kill the project
Pilot stage can help determine
–
–
–
Features to enable
User population that will access IdM solution
Security policies
•
•
•
–
•
•
•
Password policies
Authentication
Account configuration policies
Types of roles needed
Develop SoR and IdM integration
Develop request and workflow rules
Helpdesk integration
–
–
Email only
Application-level integration
© Puryear IT, LLC. 2010 All Rights Reserved.
Request & Workflow Rules
•
This is where the power
really is!
–
–
–
–
–
What can be requested
What data must be
included in request
Request validation
Request authorization
Request escalation
New
Hire
Is In
Finance?
No
Yes
Escalate
To CFO
Approved?
No
© Puryear IT, LLC. 2010 All Rights Reserved.
Create
Account
Yes
Return Error
Training
•
Update users about changes
– Angry users translate to non-conforming users
•
Train HR staff on SoR updates
– The SoR is critical to accuracy
– Bad data in the SoR may trigger inappropriate workflow rules
•
Train Security Administrators
– Local app management should be a no-no
– Only available in “break-the-glass” situation
•
Train Security Officers and Auditors
– Develop consistent reporting procedures
– Automate reports
© Puryear IT, LLC. 2010 All Rights Reserved.
Monitor and ROI
•
Track helpdesk time before and after deployment
– Without hard numbers, how do you justify?
•
Track audit time before and after deployment
– Typically a fast return
– Easy win!
•
Integrate into app deployment process
– They will leave you behind
– Create a standing meeting every six months or more
•
Don’t become a new silo!
© Puryear IT, LLC. 2010 All Rights Reserved.
Q&A
• Questions!
Puryear IT, LLC
http://www.puryear-it.com/
Automating audit and compliance with solutions for user
and privilege management and reporting.
* Portions of this presentation were taken from
Wikipedia, Sun, Oracle, Microsoft, Novell,
Hitachi ID, and other resources.
© Puryear IT, LLC. 2010 All Rights Reserved.
Related documents
Business Plan Basics - The Controllership Group
Business Plan Basics - The Controllership Group
So You Don`t Want CM?
So You Don`t Want CM?
View Presentation - FloorPlanOnline
View Presentation - FloorPlanOnline
mutual fund - American Bar Association
mutual fund - American Bar Association
Period 5: 1750-1900 - Financial Reactions to Industrialization Aim
Period 5: 1750-1900 - Financial Reactions to Industrialization Aim
How to Make Money Blogging
How to Make Money Blogging
Lesson 4.1 - Slides
Lesson 4.1 - Slides
Download