Identity and Access Positioning of Paradgimo

Transcription

1 1 1 Identity and Access Positioning of Paradgimo Olivier Naveau Managing Director assisted by Bruno Guillaume, CISSP

2 IAM in 4D 1. Data Model 2. Functions & Processes 3. Key Components 4. Business Values 2 2

3 1. Data Model IAM can be viewed as a set of complex func7ons or processes that manipulate three kinds of data: ü Iden&ty data ü Access data ü Ac&vity data Users' digital identities Identity Attributes Accounts Profiles Data Model Entitlements Permissions Roles Rules Policies Success & failed login Success & failed access Changes to Identity data Changes to Access data 3

4 2. Functions & Processes Create, Maintain & Retire IAM Data Use IAM Data Log Correlate Analyze Report 4

5 2. Functions & Processes is the construc7on phase of iden7ty, and subsequently providing it with a "personality" by assigning abributes, en7tlements, creden7als It provides the create/maintain/re7re capabili7es of IAM. Administra7on also provides the plaeorm for intelligence: a means to make sense of the iden7ty and access events. serves as a founda7onal plaeorm to facilitate authen7ca7on and authoriza7on, and the capabili7es within them, from single sign- on to en7tlements resolu7on and enforcement of access decisions. Access is the "engine" of IAM that takes iden77es and their informa7on and uses them to effect. generates reports for auditors, provides real- 7me monitoring for opera7ons and delivers the analy7cs necessary for analysts and business stakeholders to make intelligent, ac7onable decisions in the business and in IT. 5 5

6 3. Key Components Policies & Practices instantiation Formal sets of Actions & Information Flows Optimal organizational structure Optimal human resources allocation All products, services, open-source software and in-house developments 6 6

7 4. Business Values ü Improve Operational Level ü Improve Service Level ü Reduce Costs ü Governance ü Risk Management ü Compliance ü Business Agility ü Business Decisions 7

8 IAM in a Users' digital identities Identity Attributes Accounts Profiles Policies & Practices instantiation Formal sets of Actions & Information Flows Optimal organizational structure Data Model Optimal human resources allocation All products, services, open-source software and in-house developments Entitlements Permissions Roles Rules Policies Succes & failed login Success & failed access Changes to Identity & Access data! Improve Operational Level! Improve Service Level! Reduce Costs! Governance! Risk Management! Compliance! Business Agility! Business Decisions 8 8

9 Why IAM often fails? Efficiency ü No vision / No strategy ü No feedback loop / No measurements (KPI s) ü Efficiency? ü Effec7veness? Business ü Business Improvement? Enablement ü Lack of execu7ve sponsorship ü No quick win à Tunnel effect ü Lack of true IAM Governance ü Lack of con7nuous improvement process ü Insufficient involvement from the business ü Technology focus instead of Process focus (à 7 P s model) ü Poor data model Doesn t match reality ü Effec&veness 9 9

10 IAM 7 P s Model Complexity Time to Deliver Proper planning direc&on Killing Added Complexity I A M 10

11 New trends in IAM Iden&ty & Access Governance (IAG) & Iden&ty & Access Intelligence (IAI) 11

12 From User Provisioning to IAG & IAI «Identity Life Cycle» Basic Changes Advanced Changes Data Model «Role Life cycle management» Basic Business Intelligence Governance Compliance Performance Business Decisions «Intelligent» Reports «Bulk» Reports Advanced Refined Data Model Who had this access? Who? Access Rights? Assets? Rules? Policies? Discover Mine Engineer Monitor & Report Analysis Model Correlate Report Who did what? «Bulk» Reports Potential Enrichment SIEM 12 Authentications Autorizations Security Incident & Event Monitoring DLP Data Loss Prevention NAC Network Access Control

13 IAM challenges for the coming years? Mobile Crisis Cloud Crisis Governed Crisis Intelligence Collect Correlate Analytics Reporting Compliance Business improvement Social Networks 13

14 IAM at 14 14

15 Gartner s Hype Cycle for IAM Technologies, 07/2011 s expertise 15 15

16 Major references 16 16

17 Web Access Management ü Defini&on : Web access management (WAM) tools provide control of users' iden77es and Web en7tlements, authen7ca7on and authoriza7on to Web- based applica7ons and to some non Web- based resources. ü Maturity : Mature mainstream ü Technology: AM OpenSSO OAM 11g 17 17

18 User Provisioning ü Defini&on : User- provisioning or account- provisioning technology creates, modifies, disables and deletes user accounts and their profiles across IT infrastructure and business applica7ons. Provisioning tools use approaches such as cloning, roles and business rules so businesses can automate on- boarding, off- boarding and other administra7on workforce processes (for example, new hires, transfers, promo7ons and termina7ons). Provisioning tools also automa7cally aggregate and correlate iden7ty data from HR, CRM, systems and other iden7ty stores. ü Maturity : Mature mainstream IDM OIM 11g Custom scripts 18 18

19 Federated Identity Management ü Defini&on : Federated iden7ty management enables iden7ty informa7on to be shared among several en77es and across trust domains. Tools and standards permit iden7ty abributes to be transferred from one trusted iden7fying and authen7ca7ng en7ty to another for authen7ca7on, authoriza7on and other purposes. ü Maturity : Early mainstream ü Technology : OpenSSO OIF SAML

20 IAM Services Consulting & Integration IAM Managed Services ü Defini&on : Iden7ty and Access management (IAM) consul7ng and integra7on providers deliver specific presales and implementa7on services for clients seeking to select, install, configure and customize IAM products and services. Managed iden7ty and access management (IAM) services are IAM product implementa7ons whose opera7ons and maintenance responsibili7es are handled by IAM service providers. Thus, the customers of those IAM products can handle IAM via outsourcing. ü Maturity : Early mainstream ü Technology : see other slides 20

21 «Identity Life Cycle» Basic Changes Who? Access Rights? Assets? Rules? Policies? Data Model Discover Mine Engineer «Role Life cycle management» Refined Data Model Business Intelligence Governance Compliance Performance Business Decisions «Intelligent» Reports Analysis Model Correlate Report Authentications Autorizations Who did what? «Bulk» Reports Potential Enrichment SIEM ü Defini&on : «Bulk» Reports Advanced Basic Monitor & Report Who had this access? Identity & Access Governance Changes Advanced Security Incident & Event Monitoring DLP Data Loss Prevention NAC Network Access Control Iden7ty and Access Governance (IAG) is a broad discipline that ul7mately delivers a life cycle of control and decision making to the management of iden77es and how they are used to access systems, applica7ons and data. Role life cycle management is part of IAG, and is replaced on the Hype Cycle with IAG. ü Maturity : Adolescent ü Technology : IDM OIM 11g Oracle Iden&ty Analy&cs (OIA) 21 21

22 «Identity Life Cycle» Basic Changes Who? Access Rights? Assets? Rules? Policies? Data Model Discover Mine Engineer «Role Life cycle management» Refined Data Model Business Intelligence Governance Compliance Performance Business Decisions «Intelligent» Reports «Bulk» Reports Advanced Basic Monitor & Report Who had this access? Identity & Access Intelligence Changes Advanced Analysis Model Correlate Report Who did what? «Bulk» Reports Potential Enrichment SIEM ü Defini&on : Security Incident & Event Monitoring DLP Data Loss Prevention NAC Network Access Control Iden7ty and Access Intelligence (IAI) is the output derived from: Collec7ng iden7ty and access ac7vity and event data Correla7ng that data with iden7ty and access repositories Applying formal (BI) analy7cs to the collected informa7on in search of paberns and other useful knowledge for IT and the business Then using that output for: Repor7ng for compliance and IAM performance management Providing modeling and simula7on func7onality for applying en7tlements Providing the means to improve IAM and business decisions ü Maturity : Emerging ü Technology : Iden&ty GRC 22 Authentications Autorizations

23 Maturity Levels Maturity Level Status Products/Vendors Embryonic Emerging s presence Identity & Access Intelligence Adolescent Maturing technology capabilities and process understanding Uptake beyond early adopters Second generation Less customization Identity & Access Governance Early mainstream Proven technology Vendors, technology and adoption rapidly evolving Third generation More out of box Methodologies Public Key Operations IAM Services Consulting & Integration IAM Managed Services Federated Identity Management Mature mainstream Robust technology Not much evolution in vendors or technology Several dominant vendors User Provisioning Web Access Management Privilege Account Activity Management Legacy Obsolete 23