Identity and Access Management

Dustin Puryear
Sr. Consultant, Puryear IT, LLC
dustin@puryear-it.com
http://www.puryear-it.com/
Objectives
• Find a common background for discussing IAM
• Discuss problems and opportunities in the field
• Introduce terminology
• Highlight a possible future direction
Session Agenda
• Today’s Problems
• Making It All Better
• Now What?
• Viva La Resistance!
• Puryear IT
This Presentation
• This presentation was written with audit/compliance in mind.
• Contact dustin@puryear-it.com to have Dustin Puryear present this topic to your organization or company.
Today’s Problems
Who am I? Who are you?
• Networks use multiple identity systems
• The Internet is no better
• Users get confused by all of these IDs
• Management and audit have difficulty keeping track of all these IDs
• The bad guys are quite happy
So many IDs!
One person, many accounts:
• Active Directory account
• Online HR Info account
• PeopleSoft user account
• …
Multiple Contexts
Remote Employees
Employees
Customers
Suppliers
Partners
Trends
• Regulation and Compliance
  - SOX, HIPAA, GLB
• Increasing Threats
  - Identity theft
  - Exposure of confidential info
• Maintenance Costs
  - The average employee needs access to 16 applications
  - Companies spend an estimated $20-30 per user per year on password resets
The Real Impact
End-users
• Too many IDs
• Too many passwords
• Must wait for access to applications
Administrators
• Too many IDs
• Too many end-user requests
• Difficult or unreliable ways to sync all the accounts
Audit/Compliance
• Orphaned accounts
• Limited or no audit capability
• Where are the audit trails?
Making It All Better
Identity and Access Management
IAM brings together:
• Password Management
• Role Management
• User Provisioning
• Authorization
• Directories
• Audits & Reporting
The Benefits of IAM
• Save money
• Improve operational efficiency
• Reduce time to deliver applications and services
• Enhance security
• Enhance regulatory compliance
• Give more power to audit
Let’s Define IAM Terms
• Authentication (AuthN)
  - Verify that a person is who they claim to be
  - This is where multi-factor authentication comes into play
  - Identification and authentication are related but not the same: identification is the claim of an identity (a username), authentication is the proof of that claim
• Authorization (AuthZ)
  - Deciding what resources can be accessed/used by an authenticated user
• Accounting
  - Records what a user did and which resources were used, so that activity can be audited (and, where needed, charged back)
IAM is a Foundation
Identity Management
• Administration
• Account Provisioning & Deprovisioning
• Synchronisation
• User Management
• Password Management
• Workflow
• Delegation
• Audit and Reporting
Access Management
• AuthN
• AuthZ
Now What?
Implement IAM!
• Start slow!
• Define your Single Source of Truth (SSOT)
  - Unfortunately, there may be more than one (for example, one authoritative source per population: employees, customers, partners)
• Implement the “big wins”
  - User provisioning to Active Directory
  - Password resets
But How?
• SSOT
  - Work with your team, IT, and management to determine the true source of user information
• User Provisioning to AD
  - It’s already happening (by hand today), so automate it
  - Solutions: Microsoft ILM, CA eTrust Admin, Sun IM, …
The Results!
• User provisioning can be automated
• Password resets can be delegated to the helpdesk
• And the big one:
  - You can now audit both the user provisioning and the password resets
The Next Step
• Extend User Provisioning to:
  - PeopleSoft
  - Lawson
  - Oracle
  - Custom/in-house applications
• Begin consolidating user directories
  - Can you point some or all of your applications at AD or LDAP?
Authorization
• This is the hard one!
• Applications define their AuthZ rules differently
• Try to consolidate to an AD/LDAP AuthZ landscape (grant application roles through directory groups)
• Tackle this one application at a time!
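What “consolidating to an AD/LDAP AuthZ landscape” looks like in practice, as an added example (not code from the presentation or from any product named in it): two applications keep their own role and permission names, but a role is held only through membership of a directory group, and anything not granted is denied. All group, user, application and role names are constructed for the example; the group table stands in for what an LDAP search of member/memberOf would return. The example also resolves nested groups, because a check that only looks at direct membership misses access that is really there.

```python
"""Group-based authorization against a single directory.

Added example, not from the presentation. Two applications that used to
define their own authorization rules are re-pointed at one directory:
each keeps its own role and permission vocabulary, but a role is held
only through membership of a directory group. Anything not granted is
denied. All names and data below are constructed; the group table
stands in for what an LDAP search of member/memberOf would return.
"""
from collections import deque

# Constructed directory: group -> direct members (user names or nested groups).
DIRECTORY_GROUPS = {
    "CN=All-Staff": {"alice", "bob", "carol", "CN=Finance"},
    "CN=Finance": {"dave", "CN=Finance-Managers"},
    "CN=Finance-Managers": {"erin"},
    "CN=HR-Admins": {"carol"},
    "CN=Helpdesk": {"bob"},
}

# Per-application mapping: directory group -> role name inside that application.
# The applications keep their own role names; only the source of the grant
# (the directory group) is consolidated.
APP_ROLE_MAPS = {
    "peoplesoft": {
        "CN=Finance": "gl_viewer",
        "CN=Finance-Managers": "gl_approver",
        "CN=HR-Admins": "hr_admin",
    },
    "helpdesk-portal": {
        "CN=All-Staff": "requester",
        "CN=Helpdesk": "agent",
    },
}

# Per-application permission matrix: role -> actions it allows.
APP_PERMISSIONS = {
    "peoplesoft": {
        "gl_viewer": {"ledger:read"},
        "gl_approver": {"ledger:read", "ledger:approve"},
        "hr_admin": {"employee:read", "employee:write"},
    },
    "helpdesk-portal": {
        "requester": {"ticket:create", "ticket:read_own"},
        "agent": {"ticket:create", "ticket:read_all", "ticket:close"},
    },
}


def effective_groups(user, groups=DIRECTORY_GROUPS):
    """Every group the user is in, directly or through nested groups.

    Breadth-first walk from the user's direct groups up to the groups that
    contain them; the visited set stops circular nesting (which AD allows)
    from looping forever.
    """
    direct = {g for g, members in groups.items() if user in members}
    result, queue = set(direct), deque(direct)
    while queue:
        child = queue.popleft()
        for parent, members in groups.items():
            if child in members and parent not in result:
                result.add(parent)
                queue.append(parent)
    return result


def roles_for(user, app):
    """Roles the user holds in `app`, derived only from directory groups."""
    role_map = APP_ROLE_MAPS.get(app, {})
    return {role_map[g] for g in effective_groups(user) if g in role_map}


def is_authorized(user, app, action):
    """Deny by default: allow only if some role the user holds grants `action`."""
    perms = APP_PERMISSIONS.get(app, {})
    return any(action in perms.get(role, set()) for role in roles_for(user, app))


def access_matrix(app):
    """Answer 'who has access to what?' for one application: user -> actions."""
    perms = APP_PERMISSIONS.get(app, {})
    users = {m for members in DIRECTORY_GROUPS.values() for m in members
             if not m.startswith("CN=")}
    matrix = {}
    for user in sorted(users):
        actions = set()
        for role in roles_for(user, app):
            actions |= perms.get(role, set())
        if actions:
            matrix[user] = actions
    return matrix


if __name__ == "__main__":
    for app in APP_PERMISSIONS:
        print(app)
        for user, actions in access_matrix(app).items():
            print(f"  {user}: {', '.join(sorted(actions))}")
```

Moving an application onto this model is the “one application at a time” step: its existing role list becomes an entry in the group-to-role map, and its own user table stops being a source of grants. The same `access_matrix` report then answers the audit question of who has access to what, from the directory alone.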
The Power is Yours
• You can now audit/review:
  - Who has what accounts?
  - Why do they have those accounts?
  - Who approved those accounts?
  - Are there any orphaned accounts?
  - Who has access to what?
  - For how long have they had that access?
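The SSOT, provisioning and audit steps described above (define the Single Source of Truth, automate provisioning to AD, then review orphaned and unapproved accounts) as one worked example. This is added code, not from the presentation or from any of the products it names: an HR export plays the SSOT and a directory export stands in for Active Directory. Both data sets, every account name and the `approved_by` field are constructed; the assumed join key is the HR employee ID carried in the directory’s employeeID attribute.

```python
"""Reconciling directory accounts against a Single Source of Truth (SSOT).

Added example, not from the presentation. An HR export plays the SSOT and a
directory export stands in for Active Directory; both data sets are
constructed. The join key is the HR employee ID carried in the directory's
employeeID attribute. Without a stable key like that, reconciliation falls
back to matching names, which is neither unique nor auditable.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    department: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class DirectoryAccount:
    sam: str                    # sAMAccountName
    employee_id: Optional[str]  # employeeID attribute; None if never linked
    department: str
    enabled: bool
    approved_by: Optional[str]  # approver recorded by the provisioning workflow


# Constructed HR export (the SSOT).
HR = [
    HrRecord("1001", "Alice Adams", "Finance", "active"),
    HrRecord("1002", "Bob Brown", "IT", "active"),
    HrRecord("1003", "Carol Clark", "HR", "terminated"),
    HrRecord("1004", "Dave Diaz", "Sales", "active"),
]

# Constructed directory export. Each row illustrates one finding.
DIRECTORY = [
    DirectoryAccount("aadams", "1001", "Finance", True, "mgr-finance"),  # in sync
    DirectoryAccount("bbrown", "1002", "Helpdesk", True, "mgr-it"),      # department drifted
    DirectoryAccount("cclark", "1003", "HR", True, "mgr-hr"),            # terminated, still enabled
    DirectoryAccount("svc-backup", None, "IT", True, None),              # no identity, no approver
    DirectoryAccount("jdoe", "9999", "Sales", True, "mgr-sales"),        # ID unknown to HR
    DirectoryAccount("old-temp", "1003", "HR", False, "mgr-hr"),         # already disabled: skipped
]


def reconcile(hr=HR, directory=DIRECTORY):
    """Compare enabled directory accounts with the SSOT and report findings."""
    active = {r.employee_id: r for r in hr if r.status == "active"}
    all_ids = {a.employee_id for a in directory if a.employee_id}
    enabled_ids = {a.employee_id for a in directory if a.enabled and a.employee_id}
    report = {
        "orphaned": [],      # (sam, reason): enabled, but no active HR record behind it
        "unlinked": [],      # enabled, no employee ID at all (typical of service accounts)
        "drift": [],         # (sam, directory value, HR value) for out-of-sync attributes
        "unapproved": [],    # no approver recorded: "who approved this?" has no answer
        "to_provision": [],  # active in HR, no account at all
        "to_enable": [],     # active in HR, only a disabled account exists
    }
    for acct in directory:
        if not acct.enabled:
            continue
        if acct.employee_id is None:
            report["unlinked"].append(acct.sam)
        elif acct.employee_id not in active:
            known = any(r.employee_id == acct.employee_id for r in hr)
            report["orphaned"].append((acct.sam, "terminated in HR" if known else "no HR record"))
        else:
            rec = active[acct.employee_id]
            if rec.department != acct.department:
                report["drift"].append((acct.sam, acct.department, rec.department))
        if acct.approved_by is None:
            report["unapproved"].append(acct.sam)
    for emp_id in active:
        if emp_id not in all_ids:
            report["to_provision"].append(emp_id)
        elif emp_id not in enabled_ids:
            report["to_enable"].append(emp_id)
    return report


def plan_actions(report):
    """Turn findings into provisioning actions, most security-relevant first.

    Orphans are disabled, not deleted: disabling removes the access while
    keeping the SID and the audit trail. Unlinked accounts are only flagged,
    because a service account needs an owner assigned by a person.
    """
    actions = [("disable", sam) for sam, _ in report["orphaned"]]
    actions += [("set-department", sam, hr_value) for sam, _, hr_value in report["drift"]]
    actions += [("enable", emp_id) for emp_id in report["to_enable"]]
    actions += [("create", emp_id) for emp_id in report["to_provision"]]
    actions += [("review", sam) for sam in report["unlinked"]]
    return actions


if __name__ == "__main__":
    findings = reconcile()
    for category, items in findings.items():
        print(f"{category}: {items}")
    for action in plan_actions(findings):
        print("action:", *action)
```

Run on a schedule, the `reconcile` output is the audit report (orphaned, unapproved and drifted accounts, with the SSOT record that justifies each live account) and the `plan_actions` output is what a provisioning connector would execute against the directory. Keeping both as data rather than side effects is what makes the process reviewable.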
And there is more...
• You can control access to your web-enabled applications using a Web Access Manager (WAM)
• Don’t forget about SSO!
• What about federated identities for your partners and suppliers?
Viva La Resistance!
IT Resistance
• Sometimes IT resists a formalized IAM process because:
  - “We are too busy”
  - “We can’t afford it”
  - “We don’t want to give up control!”
“We are Too Busy”
• This is a common response
• IT is too busy...
  - because they are resetting passwords all day
  - working too hard to create accounts
  - learning too late that orphaned accounts are being misused/attacked
“We Can’t Afford It”
• There are small and big solutions to this problem
• If you are an AD-only shop with minimal applications, then you can start small
• Larger enterprises have no choice: they can’t afford not to!
“We Don’t Want to Give Up Control!”
• This is usually the root of the disagreement.
  - They are responsible for IT
  - They don’t want problems in IAM to reflect poorly on them
  - They are used to the control, even if it’s not necessary
A Compromise
• Take control without giving up control!
• A middle ground:
  - IAM solutions can be used to explore user directories/databases
  - Reports can be generated
  - IT can still do the provisioning itself
Summary
• It’s becoming impossible to manage all of these accounts and rights by hand
• You can automate controls
• You can automate audit reports
• You can control THE PROCESS!
Who We Are
• Puryear IT is THE IAM specialist in Louisiana
• We help small and large companies, ranging from 100 users to well over 20,000 users
• We are vendor-agnostic, and have worked with everyone, including:
  - Microsoft
  - CA
  - Sun
We Can Help IT to...
• Tackle your IAM needs
• Integrate Linux, UNIX, and J2EE into Active Directory
• Build out AAA solutions
• Deploy Microsoft ILM, Sun IM, Novell IM, and CA IM
• Deploy small and large solutions
We Can Help Audit/Compliance to...
• Build an automated user account and access rights tracking solution
• Log changes to user accounts and access rights
• Ensure passwords are changed as policies and regulations require
• Communicate your needs to IT
• Automate your manual tasks
Doing IAM Right
• Puryear uses a methodical approach to:
  - Identify organization pain points
  - Identify organization audit requirements
  - Work with IT and audit to prioritize needs
  - Develop an initial pilot deployment
  - Roll out the final solution
  - Help you manage and extend the solution
Dustin Puryear
Sr. Consultant, Puryear IT, LLC
dustin@puryear-it.com
http://www.puryear-it.com/