Identity and Access Management for the Real World: The Fundamentals

Transcription

1 Identity and Access Management for the Real World: The Fundamentals By Todd Peterson IAM evangelist, Dell Software

2 Introduction In an ideal world, we'd have the budget and time we need to get things done. And tomorrow would be predictable. But that's simply not the case, especially in the IT universe. As you well know, the world of identity and access management (IAM) is one of constant change, shrinking deadlines, minuscule budgets, overtaxed staff and unmerciful regulations. Unfortunately, the historical approach to IAM involves piecing together half solutions, in hope that tomorrow s solutions will address real-world needs. This short e-book evaluates what IAM for the real world would, should and can look like. It delves into the most pressing IAM issues faced by virtually every organization and offers actionable, affordable and sustainable approaches to the IAM challenges you face. At Dell, we help you achieve your IAM objectives for your real world (not ours), in a way that moves you and your business towards your goals. We hope you find value in Identity and Access Management for the Real World. ii

3 Conventions Throughout this e-book, we've used a number of conventions to help highlight important points, provide supporting evidence, or advise you of our obvious bias. Look for the following conventions: Real-world example Stories of real organizations, facing real challenges, and really solving their problems (often the names have been changed to protect the innocent) Facts & figures Research-based information that supports principles discussed throughout the e-book Techie alert Definitions and terms used in the identity and access management industry that may not be familiar to you (Then again they might.) Useful tip Information that will help you easily achieve things discussed throughout the e-book Blatant sales pitch Where we get to why we actually wrote this e-book. It may be a little biased, but we suspect that the reason you re reading this e-book is to find solutions to your challenges. This is where we give them to you. iii

4 Well, we know where we're goin' But we don't know where we've been And we know what we're knowin' But we can't say what we've seen And we're not little children And we know what we want And the future is certain Give us time to work it out Talking Heads, Road to Nowhere,

5 Identity and access management for your world not someone else s The words of David Byrne in this mid-80 s anthem perfectly capture the sentiment of many organizations trying to keep up with the ever-changing IT security landscape. The more we try to keep up with the latest threat, or apply security to the latest technology, the more it seems like an elusive destination. While the Talking Heads try to strike an optimistic tone in an increasing complex world, the future is definitely not certain. There s the proliferation of new operating systems. Then there s the explosion of an increasingly mobile workforce and new devices outside of the comfortable control of the organization. We have our old friends stifling regulations such as SOX, HIPAA, PCI, and many more likely to come. And, of course, there s the next mega trend that everyone seems to be talking about, such as cloud, BYOD, big data, and the Internet of things. It seems the only constant is change. We long for the days when security was as simple as a password change every 90 days, following a few complexity rules. User access? That was easy. All you had to do was grant the secure access users needed to do their jobs on a handful of applications and one, maybe two, platforms. But password management, user access and security are far, far more complex in today s IT reality. The Talking Heads lyrics seem to echo the desire of many IT pros in dealing with these complex issues Give us time to work it out. IAM fundamental concepts There are many major aspects of IT security worth discussing. But we d like to focus on just one identity and access management (IAM). IAM is concerned with some fundamental concepts that can be summed up as the four A s: Authentication Entails ensuring that the person logging on to a system is who they say they are. This is usually done with usernames and passwords that, when combined, give you some assurance of the authenticity of the person logging on. Authorization Involves the parameters placed around what a user is allowed to do once they are authenticated. Authorization is concerned not with who you are, but why you are logging on and what you are allowed to do. Authorization can be influenced by a range of variables. These can include everything from file and application permission and sharing, to very finely defined access rules based on role, location and even circumstance. Administration In order to enable someone to authenticate and to be correctly 2

6 authorized, there are many managerial tasks that must be performed on an account, often called provisioning. Provisioning can literally be thousands of tasks designed to achieve a very elusive balance between security and user productivity. Administration also includes role management or defining and managing the roles that place the right people (or accounts and identities) in the right position to be correctly authorized. Finally, administration includes managing passwords for complexity, frequency of change and ease of reset. Audit Includes those activities that help prove that authentication, authorization and administration are done at a sufficient level of security, measured by a set of standards. Audit may be concerned with ensuring PCI compliance, or it may be concerned with satisfying a best practice framework, such as ITIL. Or it may simply be designed to conform to internally developed security standards or policies. All of the A s assume there is an identity established for each user. This identity or account resides somewhere (typically in a directory) so it can be authenticated, authorized, managed and audited. And typically the directory is tied specifically and exclusively to the application or system that controls user access. If all this is done correctly, the four A s are easily satisfied. But we all know that easily satisfied is an elusive target. That classic retro pop song rings true today And we know what we're knowin', but we can't say what we've seen. Today s IT security complexity is illustrated very effectively by statistics gathered by The Aberdeen Group when surveying thousands of companies on their IAM strategy, success and challenges. The real world The problem comes when diverse technologies are introduced. Almost everyone has Microsoft Active Directory (AD) in their organization acting as the single point of control for Windows-based resources. However non-microsoft platforms Unix or Linux, Macs or mainframes each require their own directories and their own authentication, authorization, administration and auditing. And we haven t even mentioned the 3

7 applications that add to this complexity in the first place. Most applications also require a directory and application-specific ways to satisfy the four A s. Inevitably, each A is executed independently on dozens, hundreds or even thousands of systems. It s not uncommon for a single user to have multiple passwords. Each password represents another system where authentication, authorization, administration and audit are performed with no regard for the other systems in the enterprise. Analysts estimate a typical user can have as many as 14 passwords. Today s IT security complexity is illustrated very effectively by statistics gathered by The Aberdeen Group when surveying thousands of companies on their IAM strategy, success and challenges. (Average company size = 21,100 employees) The average IAM initiative has been ongoing for six years. On average, four point solutions are deployed for IAM. 57 percent cite complexity of IT environment as an inhibitor to achieving IAM objectives. But logging on, or authentication, is the least of our worries. While each system or application may have its own way to authenticate with its own password rules, each must also have its own authorization structure. It is not uncommon for IT to define roles for each access scenario, on each application. The result is role bloat. Every time a new authorization need arises, a new role is defined in the application affected. This is repeated across the entire range of applications. Many organizations end up with more roles than users. The real world sure can be a mess. And, unfortunately, the administrative responsibility for ensuring that authentication is set up right and authorization is adequate often falls squarely on IT. That means highly paid and specialized IT professionals often find themselves bogged down in the most mundane of identity administration tasks. Because they have the correct rights and expertise of the inner workings of the application or system, IT specialists end up acting as a highly specialized (and very expensive) help desk. The real issue is that critical IT initiatives are not getting done while these experts are helping end users with access. Audit is not much better. When it comes time to prove that authentication, authorization and administration are playing by the rules, IT specialists are often the only reliable source for the required audit information. It s enough to make you want to call in sick at audit time. Reducing complexity is the key to creating an IAM strategy for the real world. 4

8 The Dell One Identity family of IAM solutions is entirely focused on reducing complexity. These solutions can help you consolidate disparate identities into a single existing directory, unify authentication across a diverse mix of applications and access scenarios, marry governance with provisioning, or cover the complete range of privileged account management needs. Dell One Identity gives you the simplest, most affordable real world solutions. Who s running the show anyway? There s a real efficiency issue with specialized IT resources being so heavily involved in IAM operations. The fact is that the job of IT professionals is to keep the systems running and users productive, not to be involved in the day-to-day use of specific applications by a specific user. Is the IT specialist responsible for an accounting system really the right person to make decisions on user access and permissions? Obviously not. So who is responsible for ensuring that those decisions are made correctly? Put simply, it s the business that has the most at stake for IAM. Decisions on what roles are required in an accounting system and what they represent, who needs to approve actions, and how strongly the data and functions should be secured is ideally the responsibility of the line-of-business personnel and managers. These are the folks that use the application every day, so they have a more complete and holistic understanding of its implications. But the reality is that specialized IT pros are often those who know how to get things done, so it s mistakenly assumed they also understand why they need to happen. Have you ever overheard a line-of-business manager instructing IT to set up Bill s access just like Mary s? Access is then duplicated, but there is no guarantee that Mary even has the right access in the first place. And what was Mary s access originally based on? Somebody else? How many obsolete rights exist? Are there exceptions that have crept into the authorization that have never been revoked? There are simply too many unknowns in this common scenario that can put your organization s security at risk. But the reality is that specialized IT pros are often those who know how to get things done, so it s mistakenly assumed they also understand why they need to happen. 5

9 The same holds true for audits. IT pros know how to get the information, but do not need to understand it. On the other hand, the business knows what they need, but rarely understands what IT delivers. It s an endless cycle where all the parties make very risky assumptions: I m sure it s right. Usually that actually means, I think it s right and hope this doesn t come back to bite me later. Unfortunately, the auditor s teeth can be sharp and the animal is hungry. Growth takes place when the next step forward is subjectively more delightful, more joyous, more intrinsically satisfying than the previous gratification with which we have become familiar and even bored. Abraham Maslow A hierarchy of IAM needs You might think equating something as mundane as identity and access management with something as important as self-actualization is an overreach, but there are parallels between Maslow s Hierarchy of Needs and IAM. If you remember Psychology 101, Abraham Maslow developed a widely accepted theory that human needs can be defined as a pyramid, with each level attainable only if the one below it has been satisfied. According to Maslow, until physiological needs are met, such as food, water and air, the need for safety cannot be addressed. And until you have safety in the form of shelter and protection, your social needs cannot be met. Satisfying social needs is the foundation for self-esteem, which must be satisfied before self-actualization, or reaching one s full potential, can be realized. By no means are we implying that deep philosophical theory and IAM technology are in the same ballpark in terms of weight and significance to humankind. But it is a useful analogy that all of us can easily and quickly understand. There are similarities between this hierarchical approach to human development and the progression we all go through with technology, and specifically with IAM. Achieving higher levels of self-actualization demands that lower levels be satisfied. IAM is no different. 6

10 According to our IT hierarchy of IAM needs (Figure 1) and in the real world: The foundation for everything is access. If users cannot access systems, or if it is difficult to even create access, nothing else matters. Once that access has been enabled, ensuring that it is done securely becomes paramount. When security is established control can be added in the form of policies, standards, guidelines, and procedures the rules that influence and improve security. With control in place, management can be added or the ability to audit and report on all lower levels of the hierarchy. Finally self-actualization is achieved as the organization is able to undertake risk management and adhere to external standards. Selfactualization Governance Esteem Management Social Control Safety Security Physiological Access Figure 1: Maslow's pyramid and the hierarchy of IAM needs When all effort is being expended to maintain the foundational levels of the pyramid (access, security, and control) management and governance cannot be achieved. Organizations are challenged as they attempt to navigate the conflict between individuals who know how to do the various tasks that move them up the hierarchy, and those who know why, and are held accountable for success or failure. IT typically knows how, and the business knows why, with the most at stake. The pyramid is relevant to the how and why discussion. The narrower a level is, or the higher it ascends the hierarchy, the less IT can or should be driving the bus, and the more holistically the solution must address needs. As the four A s are 7

11 addressed in silos, individual systems may be placed anywhere on the hierarchy, but at the governance level, individual systems become irrelevant when compared to the unified whole of the business and the enterprise. Governance does not give a pass to systems still struggling to climb out of access. The narrower a level is, or the higher it ascends the hierarchy, the less IT can or should be driving the bus, and the more holistically the solution must address needs. So why is it all so hard? The vast majority of organizations spend most of their time on the day-to-day tasks associated with granting access or securing individual systems. Their never-ending focus seems to be on making IAM processes as efficient as possible. But, once again, the challenge is complexity and diversity. You know that with every system, a point of authentication and an account must be set up or provisioned for user access, including a password that must be maintained. These tasks usually fall on IT because they have the rights and tools to set up accounts and enforce password security rules, as well as reset passwords, when necessary. This complexity is well illustrated by data from The Aberdeen Group, who surveyed thousands of companies with an average size of 21,000 employees on the current state of their IAM approach. Results show a tangled web of complexity that traps organizations in the lower tiers of the pyramid. On average, surveyed companies supported 198 applications. That s potentially 198 places where accounts must be set up and managed, 198 different passwords and password policies, and dozens of IT professionals just to support users on this wide range of applications. On average the typical end user must access 27 different applications. Even if only half of those require unique passwords, how many of your users can remember 13 different passwords? And who has to help them when they forget? On average it takes 12 hours to provision a new user. That s a full day and a half 8

12 where users are being paid, but don t have the access they need to do their jobs. And who is responsible for setting up those accounts? How many IT teams must be involved to fully provision a user? On average it takes 4.9 hours to de-provision a user. That s more than half a day, giving a disgruntled former employee plenty of time to do damage. For these reasons, IAM has often been considered the realm of provisioning and single sign-on. After all, setting up an account and giving a user only one password should eliminate the need for IT-assisted password resets, at least in theory. But let s not forget what should be the top self-actualization level in our IAM version of Maslow s pyramid governance. Ultimately IAM exists to help organizations achieve business agility. That means the ability to better achieve business objectives such as generating revenue, serving constituents or changing the world through innovation. Agility is dependent on governance the ability to enforce and know that activities being performed are done according to the rules. And governance cannot be achieved without each of the lower levels of the hierarchy. You can address each level of the hierarchy for each system in an ad-hoc manner. Or you can seek a unified approach and cohesive product set that grants access, enables security, delivers control, puts management in the hands of the right people, and ultimately helps you achieve governance across the entire range of systems, user populations, and real-world needs. The Dell One Identity family of IAM solutions does all this and more. Working things out I can hear the chorus of IT professionals grappling with complexity There are too many identities. I don t want role bloat. This is so inefficient. But these concerns are simply no match for technologies available today that can address these complex IAM issues effectively. Diversity is the norm. Dealing with that diversity is the challenge. And it s up to us to do it in a way that makes life easier for end users, saves money, improves security and helps achieve compliance. Diversity is the norm. Dealing with that diversity is the challenge. 9

13 Ever since workplace IT technology emerged and evolved into the highly complex and diverse core capability it is today, organizations have grappled with these challenges. A few options have emerged: Do nothing. Many organizations have simply pretended the problem doesn t exist. They re content to continue to address complexity through specialized IT teams, doing the best they can with the tools they have, hoping it all works out in the end. Inevitably though, a breach will occur, an auditor will find a material weakness that demands action, or maintaining the IAM status quo will become too expensive. Put a bandage on it. When the breach occurs, the auditor comes calling or the accountants raise a red flag, many organizations shop for solutions to address the specific source of the problem. For example, if account management on a single system is the problem, a solution is tailored and implemented to solve it. Unfortunately when the same challenge comes up on another system, the incumbent solution cannot help. So another solution is bought. This bandage approach is extremely common and, while it automates tasks, typically it only preserves the underlying complexity. And specialized IT personnel are still tasked with dealing with the problems. Build a framework on top of everything. The traditional approach to the problem is to custom-build a framework that provides a centralized administration point, and satisfies the authentication and authorization needs of a highly diverse enterprise. Typically these solutions are expensive and take years to build. Consequently only the largest and most well-funded organizations have been able to tackle IAM in this way. But these solutions do nothing to reduce the complexity that lies at the core of the problem. They synchronize disparate identity stores and administrative tasks, yet they introduce additional layers of complexity. Plus, they re so rigid that by the time they are rolled out and things have changed, it s too late. Unfortunately, these technology-heavy solutions drag IT even deeper into the day-to-day activities associated with IAM. Modular and integrated, business-focused IAM. Recently the next wave of IAM technologies has combined the urgency of addressing point problems within a more holistic IAM framework. Because these technologies rely much less on customization favoring a configurable modeled approach instead they can be implemented quicker and at a lower cost than traditional solutions. And they don t stand in the way of addressing the next challenge. Wherever you start, adding the next layer is affordable and effective. But the biggest benefit of this IAM approach is that it places power, visibility and control where it should be firmly in the hands of the business. 10

14 The real-world approach to IAM The last option above is obviously preferred, but what about all of the attempts you ve already made using the other approaches? You can t simply pull the plug on your existing investments, retrain your entire staff and start fresh. But what you can do is use a business-centric, real-world approach the next time you are compelled to take action. For example, if you already have an IAM framework in place, reducing complexity by consolidating Unix, Linux and Mac OS X identities and authentication into Active Directory can dramatically improve efficiency. If you have several point solutions for specific needs, addressing the next need with a modular and integrated solution will yield large benefits down the road and might just solve those nagging inadequacies of existing solutions. And don t forget, compliance will always uncover the next thing for you to worry about. Most initial compliance findings are associated with non-secure authentication and administration practices. Inevitably authorization rises to the surface when the others are well covered. Implementing authorization capabilities that are business centered, modular and integrated for both end users and privileged users is prudent. Focus on IAM for the real world. Like every IT professional, you ve got a lot on your plate. But the choice to focus on IAM for the real world can reap significant rewards. Forwardthinking IAM can be achieved through a modular and integrated approach, and with visibility and control in the hands of the business, not solely IT. Three major areas of IAM, each with numerous sub-capabilities include: 1. Access management Simplifying account management, including popular IAM capabilities such as: Account creation, modification and termination (provisioning) Password management and resets Single sign-on (SSO) including Web SSO and federation Strong authentication Reducing the underlying complexity of diverse ad disparate systems 2. Privilege management Understanding and controlling administrator activities, including common capabilities such as: Least-privilege access Separation of Duties (SoD) Privilege safe technologies Session audit and keystroke logging 11

15 3. Identity governance Managing access to business-critical data and capabilities including: Access request and fulfillment Attestation and access certification Data access management Role engineering Governance of privileged accounts and administrative-level access Suffice it to say that every organization must be concerned with all three. Regardless of any organization s IAM maturity, none have everything perfectly executed. There is always room for improvements, and making them with an eye towards real-world IAM will increase security, facilitate better compliance and improve operational efficiency. That s IAM for today and tomorrow. One of the United States largest banks estimates that it was spending a million dollars a month on password resets alone. A million dollars for your passwords One of the United States largest banks estimates that it was spending a million dollars a month on password resets alone. This cost was largely due to the bank s many retail tellers frequently accessing several Unix-based applications to do their jobs. By its nature, Unix systems do not share identity data (such as username, password and unique identifiers or attributes) so each system required its own login. Consequently each teller had multiple passwords to remember and often forget. Add to this challenge the fact that the tasks of maintaining this access fell to the Unix IT team, which was a much more expensive resource than the bank s traditional help desk staff. When a teller forgot one of his or her 13 passwords, costly IT resources were required to help them get back to work. Unfortunately, this happened a lot. Adding to the inefficiency was the fact that maintaining the lifecycle of these myriad identities also fell to expensive IT resources. This usually resulted in delays in account setup, modification and, most importantly, termination. The bank was one of the early adopters of technology to consolidate Unix identities and authentication into the ubiquitous single identity offered by Microsoft Active Directory (AD) for Windows-based systems. Simply by eliminating these Unix 12

16 identities in favor of the single AD identity, each teller now had only one password to remember, and the Unix IT team no longer had to deal with identity lifecycle management. In addition, password resets and account management activities could be performed by the much less expensive Windows help desk. Upon rolling out this get to one password strategy, the bank experienced an immediate 35 percent decrease in help desk costs. This positive trend continued to improve as the strategy perpetuated itself through the retail teller organization and other areas of the bank. Dell One Identity The Dell One Identity family of solutions from Dell Software include each of the capabilities discussed above. But One Identity is different from all other IAM solutions. It includes the breadth to cover not only access management, but also identity governance and privilege management. One Identity is also different from IAM frameworks because it offers the business-centric, modular and integrated approach that has been so elusive in legacy solutions. One Identity can claim numerous accolades including: Designated as a leader in the Gartner Magic Quadrant for User Administration and Provisioning (2012) and the leading visionary in the 2013 Magic Quadrant for Identity Governance and Administration Named the Overall Leader by Kuppinger Cole in its 2013 Leadership Compass for Access Governance and a Leader for the Identity Provisioning market segment Named SC Magazine s Best Bet for Identity and Access Management Named Editor s Best Management Suite by Windows IT Pro in 2011 The fastest growing IAM offering as determined by IDC at nearly 40 percent growth Manages more than 6,000 customers representing more than 110 million identities Pioneered the Active Directory bridge, sudo privileged account management, Active Directory management, and access governance spaces Offers the most complete offerings for privileged account management and single sign-on For more information on One Identity, visit us at software.dell.com/solutions/identity-and-access-management/. 13

17 14

18 Identity and Access Management for the Real World Copyright 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ( Dell ). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. About Dell Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit If you have any questions regarding your potential use of this material, contact: Dell Software 5 Polaris Way Aliso Viejo, CA Refer to our Web site for regional and international office information. iam.askanexpert@software.dell.com 15