Building an Effective Identity Management Program Gino Levine

Post on 24-Apr-2018


Agenda

• Identity Management Concepts

• Identity Strategy and Roadmap

• Roles and Provisioning

• IDM Operational Model

• Governance and Success Factors

• Technical Best Practices and Customer Stories

Concepts

Identity

The representation of an entity. Each entity has a finite set of attributes.

Identity Management

The ability to securely grant or deny users access to applications, services, data, assets and physical locations as a fully auditable, enterprise service.

Identity Services

A common, standards-based infrastructure and set of identity-related capabilities that are shared and leveraged across the enterprise to provide secure access, provisioning and auditing services that enable multiple applications, systems and user constituencies.

Concepts

Challenges (diagram)

Applications: SAP/GHRT, Oracle, Physical Security, Phone Switches, Exchange, Office 365, Databases, Directories, AD / Azure, SaaS, PaaS

User constituencies: Employees, Retirees, IT Staff, Suppliers, Partners, Contractors, Consumers, IoT

Gartner IDM IGA (Identity, Governance, Administration)

• UAP: User administration and provisioning

• IGA: Identity governance and administration

• IAG: Identity and access governance

Capability areas: Entitlements, Administration, Access, Identity Intelligence

Strategy and Roadmap

Assessment Phase

• Stakeholders

• Business drivers

• Current state

• Identity stores and data

• Processes

Analysis Phase

• Gaps

• Business and technology capabilities

• Integration points and strategies

• IAM initiatives

• Recommendations

Planning Phase

• Prioritize initiatives

• Future-state identity architecture

• Implementation roadmap

• Final recommendations

• Business value

Business Justification

• Productivity

• Development

• Assets

• Help Desk

• IT Administration

• Manager Administration

• Business Agility

• Revenue

• Risk

• Compliance

Deliverables

• Assessment and gap analysis

• Future-state

• Prioritized roadmap

• Implementation plan

• Value justification

• Success factors and best practices

• Focus areas

Proprietary NetIQ Inc, ©

“Before” – Provisioning (diagram)

• No auditing, notification, delegation or reassignment of tasks

• New hire provisioning cycle time: 3-4 weeks

• Actors: Server Admin, Data Owner / Custodian

• Requesting folder & application access is not based on standard profiles

• Cumbersome and unreliable process

• Business processes, manually provisioned systems and batch provisioned systems

• No notification or auditing

Roadmap (diagram)

Columns: Foundational and "Quick Win" Initiatives; Medium-term Initiatives; Longer-term Initiatives

Rows: Identity and Access Management Foundation; Provisioning Process Automation; User Self Service; Identity Application Integration; Compliance / Auditing Enhancements; Enabling Activities

Initiatives, in slide order:

• Integrate HR with IDV

• ISM Governance, policy development and deployment

• Program Management

• Sponsorship, communications, training

• Automate provisioning of core requirements

• Password Self Service

• Corporate White Pages

• Automate Certification Process

• Federated IDM with Partners

• Financially Significant Application Integration

• Integrate Highly Requested Applications

• RBAC Role Engineering

• Badging System Integration

• Migrate off XYZ

• ISM Event Correlation

• RBAC Provisioning

• RBAC Role Management

• Password Self Service for Agents

• Password Self Service for Customers

• Integrate with Oracle HR

• Modify AD Driver

• Extend ID Vault

• Upgrade RBPM

• Gather requirements for provisioning workflows

• Integrate apps for core entitlements: Exchange, eLearning, Service Desk

• Data definition and mapping

• Implement Base Auditing & Reporting

• Migrate ABC to Oracle

• BOS, Clue, Directed Sends, Express Payments, Profile Editor, SSO

• Identity Profiles for Customers

• Ongoing Application Integration: Oracle Fin, Mainframe

• Ongoing Provisioning Workflow

• Replace InfoSec Request Form

• Implement ISM event auditing

• Compliance Dashboard

• Define Compliance Reporting Requirements

• Password Policy Enforcement

Roadmap Capabilities (diagram)

• Compliance Dashboard / Reporting

• Enterprise Authentication Service

• Identity Synchronization with AD

• Role Based Access Control

• Entitlement Attestation and Recertification

• Identity Synchronization with HR

• Identity Vault

• Corporate White Pages with Self-Service

• Automated Provisioning of Ubiquitous Entitlements

• Provisioning Workflow with Proxy / Delegation

• Integration of Financially Significant Systems with ID Vault

• Help Desk Integration with ISM

• Enterprise Reduced Sign-on

• Password Self Service

• ISM Auditing and Reporting

• Identity Governance Processes and Structure

• Integration of Additional Applications with ID Vault

• Basic IDM Event Logging

• IDM for Contractors / Partners

• IDM for Customers

• Role Life Cycle Management

• Physical Security Integration

• Identity Federation with Partners

• Advanced Authentication Methods

• Asset Management Integration

• Identity-Related Security Event Correlation and Alerts

• Fine-Grained Access Control

• Identity-based Storage

• Privileged User Management

What Are Your Priorities?

Roles and Provisioning

“Hi, I'm Dr. Smith”

“Hello, it's Sally in finance”

Roles

• A role is a collection of permissions to access resources required to perform all or part of a job function

• Users are given memberships to one or many roles, based upon the requirements of their job(s)

• Coarse-grained and fine-grained roles

Diagram: Users & Groups → (Memberships) → Roles → (Permissions) → Resources (Objects, Operations)

Roles Model (diagram)

Business Roles: Physician, Accountant, Employee

Functional Roles: E-mail User, Computer User

Technical Roles / Resources: E-mail Account, Distribution List ABC, Network Account, Desktop Account, Acct Pay Screen

Role Life-Cycle

• Engineer roles (discovery, definition, hierarchy)

• Assign roles (onboard, transfer, change, terminate)

• Manage roles (analyze, refine, and retire)

• Manage exceptions (request, approve, delegate)

• Recertify roles (review, renewal, expiration)

Provisioning (diagram)

Three provisioning patterns: Rule-Based, Role-Based and Request-Based. Each ends in automated fulfilment or manual fulfilment, followed by logging / auditing.

Role-Based: role entitlements are defined by role engineering. (1) A person fills a role; (2) workflow or driver configuration; automated fulfilment or manual fulfilment; logging / auditing.

Request-Based: (1) A manager or user initiates a request; the request / approval workflow asks "Approved?"; NO leads to Denied, YES leads to (2) workflow or driver configuration; (3) automated fulfilment or manual fulfilment; logging / auditing.

Rule-Based: (1) The authoritative source is updated; (2) workflow or driver configuration; automated fulfilment or manual fulfilment; logging / auditing.
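A minimal working model of the Roles Model, Role Life-Cycle and Provisioning slides above, added here as an illustration; this is editor-written code, not code from the presentation or any NetIQ product. The role and resource names are from the Roles Model slide, while the data layout, the Provisioner class, the "Travel Site" exception and the assumed "Acct Pay User" functional role are this example's own.

```python
# Added example (not from the slides): three-tier role model with role-based
# and request-based provisioning, each change written to an audit trail.
# Business roles -> functional roles -> technical roles / resources, as on
# the Roles Model slide. "Acct Pay User" is an assumed functional role.
BUSINESS_ROLES = {
    "Employee":   ["E-mail User", "Computer User"],
    "Physician":  ["E-mail User", "Computer User"],
    "Accountant": ["E-mail User", "Computer User", "Acct Pay User"],
}
FUNCTIONAL_ROLES = {
    "E-mail User":   ["E-mail Account", "Distribution List ABC"],
    "Computer User": ["Network Account", "Desktop Account"],
    "Acct Pay User": ["Acct Pay Screen"],
}

def resolve_entitlements(business_roles):
    """Expand a person's business roles to the set of technical resources."""
    resources = set()
    for brole in business_roles:
        for frole in BUSINESS_ROLES[brole]:
            resources.update(FUNCTIONAL_ROLES[frole])
    return resources

class Provisioner:
    def __init__(self):
        self.granted = {}     # user -> resources currently held
        self.exceptions = {}  # user -> approved request-based extras
        self.audit = []       # (user, action, resource) events

    def sync(self, user, business_roles):
        """Role-based flow: the authoritative source changed (onboard, transfer,
        terminate); recompute the target set and fulfil the delta. A terminate
        (no roles left) also drops approved exceptions."""
        if not business_roles:
            self.exceptions.pop(user, None)
        target = resolve_entitlements(business_roles) | self.exceptions.get(user, set())
        current = self.granted.get(user, set())
        for r in sorted(target - current):
            self.audit.append((user, "grant", r))
        for r in sorted(current - target):
            self.audit.append((user, "revoke", r))
        self.granted[user] = target
        return target

    def request(self, user, resource, approved):
        """Request-based flow: a manager or user asks for an exception; the
        decision is logged either way and only an approved request is fulfilled."""
        if not approved:
            self.audit.append((user, "denied", resource))
            return False
        self.exceptions.setdefault(user, set()).add(resource)
        self.granted.setdefault(user, set()).add(resource)
        self.audit.append((user, "grant", resource))
        return True
```

Every grant, revoke and denial lands in the audit list, which is the notification and auditing the "Before" slide says was missing; a transfer revokes only what the new role set no longer justifies, and a terminate revokes everything including exceptions.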

Foundation

• Identity

• Role Model

• Exceptions

• Automation

• Applications

• Visibility

• Compliance

Diagram: Identity → Business Role → Functional Role → Technical Role; Automation; Provisioning; Exception Request; Logging and Reporting; App1, App2, App3

Operational Model

Functions shown on the diagram: Security Operations, Legal & HR, Governance, Selling, Risk Management, Identity Management, Compliance & Audits, Architecture, Project Delivery, Business Enablement, Budget, Leadership

Roles and Resources

Assumes individuals may have multiple roles.

Operational Roles: Directory Specialist, Workflow Specialist, IDM Architect, IDM Administrator, Audit System Specialist, Business Analyst

Role                     FTEs
IDM Architect            0.2
IDM Administrator        0.7
Directory Specialist     0.2
Workflow Specialist      0.5
Audit System Specialist  0.5
Business Analyst         0.2
Total FTE                2.3

Operational Team (diagram)

Business Stakeholders

Managed systems: Databases, Applications, AD, Windows, Web Services, Unix, Virtualization

Team: Directory Specialist, Workflow Specialist, IDM Architect, IDM Administrator, Audit System Specialist, Business Analyst

Governance

Governance Model (diagram)

Identity ownership

• Employees

• Contractors

• Customers

• Partners

Policy: scope, functionality, requirements; logic, rules, access

Process: role engineering, attributes, security policy

Architecture: infrastructure, policy, standards

Data strategy

• Data management

• Data flows

• Data synchronization

• Data structures

Further labels on the diagram: Scope, Functionality, Requirements, Business to Code, Process, Operations

Structure

Leadership Level: IDM Executive Sponsor(s); IDM Steering Committee with representatives from Information Security, HR, IT Infrastructure, Applications, Sales etc.

Implementation Management Level: Program Management Office, IDM implementation focus

Ongoing Operations Level: IDM Operations Team; operate, maintain, and extend

Sub Group Task Teams as needed; subject matter input as needed

Success Factors

Why IDM Programs Fail

“Too much focus on technology and a lack of organizational

understanding and support”

• Many IDM project failures are attributable to poor governance

• Lack of executive sponsorship: IT and business sponsorship

• Slow deployment, failure to show rapid value or benefit capture

• Unclear roadmap for moving forward

• Technology, people and process

• Insufficient levels of cross-functional consensus

• Technical complexity, integration issues

• Project vs. Program View

Implementation

Strategy and Goals

• Clear and well-understood strategic intent

• Linked to high-priority organizational strategies

• Supported with well-defined goals and objectives

• Unambiguous scope

Technology

• Appropriate architecture, infrastructure, and tools

• Clear technology roadmap

Business Processes and Organization

• Effective and efficient processes

• Appropriate organization structures needed to achieve goals

People and Change Management

• Sufficient sponsorship and communication

• Adequate resources and skills

Project Management and Governance

• Visible oversight and review

• Processes and systems for ongoing guidance and decision-making

Success Factors Going Forward

Executives understand IDM enables strategic goals

• Understand how IDM enables high-priority business goals

• Set clear direction and expectations

Active business and IT executive sponsorship

• Define accountability and ownership

• Establish governance mechanisms for decision-making

Business stakeholders involved in implementation

• Create roadmap driven by business demand

• Focus efforts on pressing business problems

• Establish strong business and IT partnership

Detailed communications, adoption strategies

• What is it? What will change? Why?

Identity Governance & Administration

Challenges with IGA

# 1 Business Doesn’t Care

• Business users feel governance is inflicted on them

• Lack of guidance and decision support info leads to certification fatigue

• Rubber stamping and poor participation

# 2 Compliance Tunnel Vision

• Compliance for compliance’s sake does not reduce risk

• Compliance is an outcome of good practices, not a means to an end

# 3 Blind Spots

• How, when and from where are applications being utilized?

• Business users need current information to make decisions

• Periodic access review only provides periodic security

Achieving Adaptive Identity Governance

1. Establish an Identity and Entitlement Catalog

2. Build a Maintainable IGA Model

3. Employ Business Driven IGA

4. Leverage Analytics

Access (diagram): Internal Applications & Services, Cloud-Based Services, Partners, Employees and Contractors, Customers / Citizens; Right Access Everywhere

Access Management

Access – Mobile & Consumers

“Please create an account”

Consumerization: The specific impact that consumer technologies can have on enterprises. It reflects how enterprises will be affected by new technologies that originate in the consumer space, rather than in the enterprise IT sector. *Gartner

Risk Based & Step Up Authentication (diagram)

Risk Engine inputs (external parameters): Geolocation, User Cookies, User History, HTTP Headers, IP Address, Device ID, User Profile

Calculated Level of Risk: Low risk, Medium Risk, High Risk

Outcome: Allow Access or Deny Access, depending on the calculated risk and the resource or application requested

Resource or Application: Financials, HR, Salesforce, Travel Site, Café Menu
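An illustrative risk engine for the step-up authentication flow above, added here as an example and not taken from the presentation or any vendor product; the input parameters and resource names are from the slide, while the weights, thresholds, the assumed corporate network range and the resource sensitivity tiers are this example's assumptions.

```python
# Added example (not from the slides): a risk engine scoring the slide's
# parameters and mapping the calculated level of risk to allow / step-up / deny.
# Weights, thresholds, the corporate range and sensitivity tiers are assumed.
import ipaddress
from dataclasses import dataclass, field

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range

# Assumed sensitivity tiers for the resources shown on the slide (0 = public).
RESOURCE_SENSITIVITY = {"Café Menu": 0, "Travel Site": 1, "Salesforce": 2, "HR": 3, "Financials": 3}

@dataclass
class Context:            # what the request itself tells us
    ip: str
    geo: str
    device_id: str
    has_cookie: bool
    user_agent: str       # stands in for the HTTP headers

@dataclass
class UserProfile:        # what we already know: user profile + history
    name: str
    known_devices: set = field(default_factory=set)
    seen_geos: list = field(default_factory=list)   # login history
    usual_agents: set = field(default_factory=set)

def risk_score(ctx, profile):
    """Sum weighted anomalies; a request from the corporate network lowers it."""
    score = 0
    if ctx.device_id not in profile.known_devices:
        score += 30
    if ctx.geo not in profile.seen_geos:
        score += 30
    if not ctx.has_cookie:
        score += 15
    if ctx.user_agent not in profile.usual_agents:
        score += 10
    if ipaddress.ip_address(ctx.ip) in CORPORATE_NET:
        score -= 15
    return max(score, 0)

def risk_level(score):
    return "low" if score < 30 else "medium" if score < 60 else "high"

def decide(ctx, profile, resource):
    """Low: allow. Medium: step up on non-public. High: step up or deny."""
    level = risk_level(risk_score(ctx, profile))
    sens = RESOURCE_SENSITIVITY[resource]
    if level == "high":
        return "deny" if sens >= 2 else "step-up"
    if level == "medium" and sens >= 1:
        return "step-up"
    return "allow"
```

The decision depends on both the computed risk and the sensitivity of the resource, so the same session from a new country can be allowed on the café menu and stepped up on Salesforce; the weights and thresholds would be tuned against real login history before use.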

Privileged Identity Management


• Spear phishing: Using emails from known users to target other users.

• Social engineering: Tricking insiders into breaking normal security procedures.

• Custom malware: Creating hostile software to steal your data.

Hunting for Insider Access

Network Engineer? IT Security Practitioner? IT Audit Practitioner? Super User? Database Admin? Systems Admin? Application Developer? Data Center Manager?

40% of breaches caused by insiders

Top 3 Risks

1. Looking for the obvious

2. Access rights are too broad

3. Privileged accounts aren’t just people anymore

Privileged Identity Management

You need to …

• Limit access

• Ensure appropriate use

• Minimize risks

… while still enabling the business!

IAM Solution Architecture (diagram)

Connected systems: Service Now, Badging, Mainframe, Linux/Unix, Peoplesoft, Database, SAP HR, Workday

Access: SaaS Access, Web SSO (Step Up Auth.), Remote Users, Federated Users, External Personalization, Mobile Access, Business Portal, Desktop SSO

Governance: Access Visibility, Certification, Request, Un-Managed Applications

User Activity Monitoring, Auditing and Reporting - File & Change Monitoring

Privileged and AD Administration

Cloud Apps: SaaS, AD / Azure, IntraNet-Portals, O365

Composite User: Self-Service, Automated provisioning

Technical Best Practices

Dos & Don’ts

• DON’T approach an IDM project as just another IT project

• DO seek executive sponsorship

• DON’T underestimate the effort of an IDM project

• DO set short and easy-to-achieve milestones, or phases

• DON’T assume all is good in your environment

• DO plan for various staged environments

• DON’T try to include everything

• DO define the proper identities to be managed

• DON’T assume you can accomplish everything in-house, but also…

• DON’T rely only on external help (contractors / vendors)

• DO get in-house resources involved

Customer Stories

Bell Canada

Bell Canada is a Canadian telecommunications and media company headquartered in Montreal, Quebec. Its subsidiaries include Bell Aliant, Northwestel, Télébec, and NorthernTel.

Issue

• The Canadian federal government, with 63 email systems to support 600,000 employees in over 40 departments, needed to outsource the management of its email infrastructure.

• Exchange 2013 was a hard requirement, to be deployed in an Exchange resource forest scenario

• Requirements for provisioning users/mailboxes and ongoing mailbox management delegation in a secure manner

• Timeline very aggressive: “within 90 days after award, start implementation”

Action

• Provided granular delegation of mailbox management

• Workflows for provisioning of user access and mailboxes in the Exchange resource forest

• Provided the ability to properly delegate “just enough” authority for people to get their jobs done

Impact

• Reduced number of domain administrators

• Can demonstrate compliance with various regulations, and reduce risks of improper administrative activity

• Saved thousands of hours a month in IT administration work

• Improved efficiencies, increased security, and lowered the costs of administering Exchange access

Canada Post

Canada Post is responsible for postal delivery in Canada

Ontario Telemedicine Network

OTN has become a global leader in telemedicine and connected care. They reduce hospital readmissions, transform primary care, and expand home and community care across Ontario. They’re helping Ontario build a sustainable, reliable, and responsive virtual healthcare delivery system.

Saskatchewan Government Insurance

SGI is the province's compulsory auto insurance program, operating the driver licensing and vehicle registration system. It also provides property and casualty insurance products in Saskatchewan, Alberta, Manitoba, British Columbia, and Ontario. Products are sold through a network of independent insurance brokers.

Issue

• Silos of identity information in multiple directories and applications

• High app dev costs of coding security into web-exposed applications

• Difficult to provide a single view into all of a user’s access privileges

• The user experience for employees, business partners and citizens was cumbersome and frustrating

• Lack of easy user self-service capabilities

• Losing insurance business because independent agents were going to competitors

• Current access systems negatively impacted business agility

Action

• Implemented a web access solution to provide web SSO, secure remote, social and mobile access, and self-service capabilities

• Implemented a central authentication and authorization system to provide secure, auditable access to a diverse user population

Impact

• Automated provisioning and de-provisioning of user access

• Improved the user experience by providing SSO to employees, business partners, brokers, agents and 200,000 citizens

• Centralized authentication

• Self-registration of identities

• Self-service password resets and access requests

• Reduced risks of providing access to a diverse and mobile user population

• Improved auditing and reporting

• Increased revenues

• Improved user satisfaction

Husky Energy

Husky Energy is one of Canada’s largest integrated energy companies and is traded on the Toronto Stock Exchange. It has operations in Canada, the United States, and the Asia Pacific region. It operates upstream and downstream businesses with an emphasis on heavy oil in Western Canada and growth in Asia Pacific.

Issue

• Increasing demands on provisioning users and their access to corporate resources

• Escalating requirements to prove sound corporate governance

• Growing operational demands regarding compliance requirements, including a range of Segregation of Duty (SoD) policies

Action

• Automated user provisioning from SAP to enterprise applications

• Real-time inspection and validation of business policies and controls with Novell Sentinel

• Extending SAP roles and policies to the enterprise, including legacy systems, applications and resources

Impact

• Automating compliance-related activities

• Improving transparency across the enterprise

• Ability to leverage existing SAP investments

• Faster and lower-cost implementation

www.microfocus.com