Evolveum: IdM story for a growing company
TRANSCRIPT
Simple and easy start
Keeping access rights matrix in spreadsheet
Some manual work but still quite OK
It gets quite complex very soon ...
Login Nightmares
Shippin' DeLuxe v99.02
Login: mjones
Password:
NaviGATE+
Username: p0054358
Password:
Forgot password?
CrashSoft Woknous
Login: jones3
Password:
Realm: PIRACY
Login: marry
Password:
versus
# LDAPv3
# base with scope subtree
# filter: (entryUUID=48b2295e-c131-4300-835a-fa85c863233e)
# requesting: ALL
#
# jack, people, example.com
dn: uid=jack,ou=people,dc=example,dc=com
mail: [email protected]: Jack
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: jack
cn: cpt. Jack Sparrow
sn: Sparrow
Policy
What the spreadsheet says
Reality
This is what really matters
no feedback
manual synchronization (unreliable, slow, costly)
untracked changes
The only way to compare policy and reality
VERY COSTLY
And it will be repeated every year
Call Center Goes Crazy
Password reset
Password reset
Password reset
Password reset
Password reset
Password reset
Password reset
Access request
Access request
IAM To The Rescue
Identity and Access Management
Saves money
Cheaper audits, less sysadmin overhead, lower call center load
Improves efficiency
Faster time to market, minimizes employee wait time
Enhances security
Visibility, faster incident responses, cheaper investigation
Chaos is reduced
Identity Management
Managing user accounts
Create, update, delete, rename, password reset, ...
User self-service
Password reset, requesting access, ...
Driving business processes
Approving access requests, ...
Auditing and Reporting
Who approved this account, and when?
Whose is this B1gH4x0r account?
Who can benefit from IAM?
Measurable Benefits (selection)
Time to get new access rights: 3 weeks → 1 day
Time to reset a password: 4 hours → 10 minutes
Call center load reduction: 10-50%
If you have any questions,
please feel free to ask
Thank you for your attention