Identity and Access Management Dustin Puryear Sr. Consultant, Puryear IT, LLC dustin@puryear-it.com http://www.puryear-it.com/ Objectives Find a common background for discussing IAM Discuss problems and opportunities in the field Introduce terminology Highlight a possible future direction Session Agenda Today’s Problems Making It All Better Now What? Viva La Resistance! Puryear IT This Presentation This presentation was written with audit/compliance in mind. Contact dustin@puryear-it.com to have Dustin Puryear present this topic to your organization or company. Today’s Problems Who am I? Who are you? Networks use multiple identity systems The Internet is no better Users get confused with all of these IDs Management and audit has difficulty keeping track of all these IDs The bad guys are quite happy So many IDs! Person Active Directory Account Online HR Info Account PeopleSoft User Account … Multiple Contexts Remote Employees Employees Customers Suppliers Partners Trends Regulation and Compliance SOX, HIPAA, GLB Increasing Threats Identity theft Exposure of confidential info Maintenance Costs The average employee needs access to 16 applications Companies spend an estimated $20-30 user/year for password resets The Real Impact End-users Too many IDs Too many passwords Must wait for access to applications Administrators Too many IDs Too many end-user requests Difficult or unreliable ways to syncs all the accounts Audit/Compliance Orphaned accounts Limited or no audit capability Where are the audit trails? Making It All Better Identity and Access Management Password Management Role Management User Provisioning IAM Authorization Directories Audits & Reporting The Benefits of IAM Save money Improve operational efficiency Reduce time to deliver applications and services Enhance security Enhance regulatory compliance Give more power to audit Let’s Define IAM Terms Authentication (AuthN) Verify that a person is who they claim to be This is where multi-factor authentication comes into play Identification and authentication are related but not the same Authorization (AuthZ) Deciding what resources can be accessed/used by a user Accounting Charges you for what you do IAM is a Foundation Identity Management Administration Account Provisioning & Deprovisioning Synchronisation User Management Password Management Workflow Delegation Audit and Reporting Access Management AuthN AuthZ Now What? Implement IAM! Start Slow! Define your Single Source of Truth (SSOT) Unfortunately, there may be more than one, if that makes sense.. Implement the “big wins” User provisioning to Active Directory Password resets But How? SSOT Work with your team, IT, and management to determine the true source of user information User Provisioning to AD It’s already happening! Solutions Microsoft ILM CA eTrust Admin Sun IM … The Results! User provisioning can be automated Password resets can be delegated to the helpdesk And the big one: You can now audit both the user provisioning and password resets The Next Step Extend User Provisioning To PeopleSoft Lawson Oracle Custom/in-house applications Begin consolidating user directories Can you point some or all of your applications at AD or LDAP? Authorization This is the hard one! Applications define their AuthZ rules differently Try to consolidate to an AD/LDAP authz landscape Tackle this one application at a time! The Power is Yours You can now audit/review: Who has what accounts? Why do they have those accounts? Who approved those accounts? Are there any orphaned accounts? Who has access to what? For how long have they had that access? And there is more.. You can control access to your webenabled applications using a Web Access Manager (WAM) Don’t forget about SSO! What about federated identities and your partners and suppliers? Viva La Resistance! IT Resistence Sometimes IT resist a formalized IAM process because: “We are too busy” “We can’t afford it” “We don’t want to give up control!” “We are Too Busy” This is a common response IT is too busy.. Because they are resetting passwords all day Working too hard to create accounts Learning too late that orphaned accounts are being misused/attacked “We Can’t Afford It” There are small and big solutions to this problem If you are an AD-only shop with minimal applications, then you can start small Larger enterprises have no choice, they can’t afford not to! “We Don’t Want to Give Up Control!” This is usually the root of the disagreement. They are responsible for IT They don’t want problems in IAM to reflect poorly on them They are used to the control, even if it’s not necessary A Compromise Take control without giving up control! A middle-ground: IAM solutions can be used to explore user directories/databases Reports can be generated IT can still do the provisioning itself Summary Summary It’s becoming impossible to manage all of these accounts and rights by hand You can automate controls You can automate audit reports You can control THE PROCESS! Who We Are? Puryear IT is THE IAM specialist in Louisiana We help small and large companies, ranging from 100 users to well over 20,000+ users We are vendor-agnostic, and have worked with everyone, including: Microsoft CA Sun We Can Help IT to.. Help you tackle your IAM needs Integrate Linux, UNIX, and J2EE into Active Directory Build out AAA solutions Deploy Microsoft ILM, Sun IM, Novell IM, and CA IM Deploy small and large solutions We Can Help Audit/Compliance to.. Build an automated user account and access rights tracking solution Log changes to user accounts and access rights Ensure passwords are changed as policies and regulations require Help you communicate your needs to IT Automate your manual tasks Doing IAM Right Puryear uses a methodical approach to: Identify organization pain points Identify organization audit requirements Work with IT and audit to prioritize needs Develop an initial pilot deployment Roll out the final solution Help you manage and extend the solution Dustin Puryear Sr. Consultant, Puryear IT, LLC dustin@puryear-it.com http://www.puryear-it.com/