Identity Lifecycle Management. Lessons Learned

Transcription

1 Identity Lifecycle Management Lessons Learned

2 Who is Advancive Pasadena, CA Bangalore, India Established in May 2009 Headquartered in Southern California, with additional delivery center in Bangalore and serving clients globally Consulting and systems integration firm with core competency in Identity & Access Management Solutions Design & Implementation Serving clients in several key verticals, such as Financial, Healthcare, Telecom, High-Tech and Manufacturing RSA Service Partner 2

3 Enterprise Identity Life Cycle Management Defined ILM Stages Hire Onboard Transfer Terminate Fulfillment Request & Approval The process of requesting and approving access (new, transfer, termination) to a target system, application, or resource for a user (person, system or applications) Review & Certification The process of identifying the responsible person to review and certify access, and initiating remedial actions for inappropriate access Leavers Joiners Request & Approval Fulfillment Enforcement Review & Certification Movers Accounts Entitlements Resources Special Permissions Privileged Rights The process of granting or removing access on a target system or application to a user (person, service, or application). Enforcement The process of enforcing coarse and fine-grained access decisions within systems and applications for a user (person, system, or application). 3

4 Enterprise Identity Life Cycle Management Defined People, processes and technology required to manage digital identities and their access to enterprise resources Typically covers an entire spectrum of identities within organization: employees, contractors, customers, partners, etc Manages identities throughout the entire relationship with the organization: acquisition, modification, termination Different processes for workforce vs customers 4

5 Case Study: Multinational Banking Institution Over 15,000 users worldwide Major branches in North America, Europe and Asia Highly manual, complex ILM processes that differ from region to region Some level of automation via several in-house built tools Purchased RSA IMG platform for their IAM initiative 5

6 Analysis: Organizational Readiness We bought the tool, now what do we do? Enterprise security (project owner) fully onboard However clear lack of communication or buy-in from other major stakeholders, especially HR and application owners Requirements were poorly defined, the team had trouble articulating AS-IS and TO-BE system requirements Significant portion of project budget was spent on helping the client define basic use cases for the project, which wasn t planned for 6

7 Analysis: Organizational Readiness The client was not prepared to streamline or adjust existing business processes with expectation that the tool will be able to solve existing problems 7

8 Analysis: Project Execution Scope creep. As the project progressed, new requirements were constantly added without much thought given to criticality or prioritization Best practices and recommendations were frequently discarded, because that s not going to work for us 8

9 Analysis: Project Execution Client s original intent to avoid any customization was quickly abandoned in order to implement complex requirement X Inadequate skillset of resources assigned by client to the project, as well as poor understanding of product capabilities and limitations 9

10 Analysis: Identity Lifecycle Process No good idea of where user identities were coming from or who was responsible for managing them Especially true for non-employee identities, such as contractors and temp workers No standards governing quality of identity data Lack of global unique identifier across different types of users Some contingent workers did not have unique identifier at all. Those that did would sometimes conflict with employee IDs Mainly manual user onboarding and access request process that differs across locations 10

11 Analysis: Identity Lifecycle Process Review and removal of access for people changing job functions or business units (transfers) has not been performed Removal of access for terminated people was ad-hoc and inconsistent No clear understanding or process definition for terminating or extending access for contingent workers No standard account naming convention across applications and lack of account correlation attributes, for example B12345 with little additional information nobody knows who this account belongs to 11

12 Lessons Learned: Governance & Delivery Ensure strong executive project sponsorship with authority to affect change Communication, communication, communication Engage IT AND business stakeholders early in the process Do your homework BEFORE jumping on product implementation Define existing state, future state and a clear roadmap Define use cases and requirements 12

13 Lessons Learned: Governance & Delivery Build IAM architecture IAM Governance (oversight, policies and procedures, processes and compliance) Identity Architecture Access Architecture Authoritative Sources Business process reengineering is as much part of the process. Not all manual processes can be effectively automated NOR SHOULD THEY BE Good project management Incorporate agile development techniques, such as sprints and timeboxing Manage scope and prioritize requirements 13

14 Lessons Learned: Governance & Delivery Follow best practices, even if it means changing certain business processes. It may cause some pain now, but will make life easier down the road Take the IAM project as an opportunity to streamline and simplify processes and technology architecture Invest in the right talent and training 14

15 Lessons Learned: Identity Lifecycle Management Establish an authoritative source of identity data for ALL in-scope users Establish identity data governance framework. Understand user onboarding and off-boarding processes and establish data and process ownership Standardize identity lifecycle and access provisioning/de-provisioning process across different locations and business units Focus on lifecycle process automation using authoritative source attributes and role and rule based access provisioning/de-provisioning and access review/certification 15

16 Lessons Learned: Identity Lifecycle Management Create globally unique identifiers for ALL classes of users Provisioned accounts follow standard naming conventions and maintain account correlation attributes 16

17 Key Contacts Advancive Technology Solutions Headquarters 201 South Lake Avenue Suite 703 Pasadena, CA Art Poghosyan, Managing Director E: T: Alex Gudanis, CTO E: T: Sameer Hiremath, Director (India Operations) E: T:

18 THANK YOU