Managing Access for External Users with ARMS

Transcription

1 Managing Access for External Users with ARMS White Paper 27 th September 2015 ProofID Limited 1

2 Author: Version: Status: Reference: Creation Date: Revision Date: Reviewed by: Approved by: Tom Eggleston Disclaimer ProofID Limited makes no representations or warranties with respect to the contents or use of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Copyright Copyright 2014 ProofID Limited. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of Proof ID Limited. Contact Questions related to the information contained in this document should be directed to Tom Eggleston at teggleston@proofid.co.uk. Tel: +44 (0) Mob: +44 (0) ProofID Limited Lancastrian Office Centre Talbot Road Manchester M32 0FP ProofID Limited 2

3 TABLE OF CONTENTS 1 ABOUT PROOFID ARMS EXTERNAL USER LIFECYCLE MANAGEMENT Adoption of Cloud Services THE SOLUTION - ARMS BY PROOFID ARMS Highlights ARMS DETAILED DESCRIPTION Authoritative Source for External Identities Source of authentication for External Identities End-to-end management of external user lifecycle Devolved administration of external users Delegated approval workflows Easy to Use, Web Based Interface Role Based Architecture SCIM provisioning module Self-service request form for external users Flexible CSV Import facility Audit trail Integration with Commercial IAM Products CONCLUSION TABLE of FIGURES Figure 1: ARMS user interface Figure 2: Role Based Access Figure 3: Self Service Form Figure 4: ARMS Audit Log ProofID Limited 3

4 1 ABOUT PROOFID ProofID is a specialist provider of fully managed identity management (IDM) solutions, based in Manchester, United Kingdom. Trading since 2008, ProofID has unrivalled depth of experience of delivering identity management solutions across multiple industries and sectors, with major clients across the UK, Ireland and Asia. ProofID's philosophy is to provide fully managed solutions of the highest quality, enabling our customers to focus on what they do best, while we get on with providing the identity management services they need to run their business in a flexible, secure and resilient manner. We believe that because of its inherent complexity, regardless of vendor, the best way to maximise return on investment in identity management technology is to ensure that it is managed and maintained by experts. Identity management can offer so much to the modern organisation in the digital age, as identity management moves out of the enterprise and onto the internet, yet at ProofID we have seen too many instances of incomplete or poorly configured identity management systems which do not deliver the benefits that were expected. Our 'raison d'etre' is to help our customers get the most out of their investment in identity management, allowing them to offer a better service to employees and customers, and ultimately to ensure their investment has a positive impact on the bottom line. We offer a wide portfolio of services, ranging from expert consultancy to fully managed solutions, in on-premise, cloud or hybrid scenarios. We also have innovative solutions in the emerging areas of digital identity proofing and social identity management. ProofID Limited 4

5 2 ARMS EXTERNAL USER LIFECYCLE MANAGEMENT External users are a fact of life in modern business, as technology enables and drives more collaborative working practices. Business initiatives and projects typically involve a workforce made up of internal staff, contractors, third party partner organisations or suppliers, as well as customers, which may be individuals or other businesses. Whilst the majority of organisations have now deployed identity and access management technology to provide provisioning, authentication and compliance for internal staff, only 20% of organisations feel that their identity and access management system is fit for purpose for managing external users. 1 Managing identities and access for external users presents a difficult problem for businesses; deciding on a suitable repository to store the identities is only the beginning of the process beyond that, it is imperative both that external users are given prompt access to the resources and services they need to work effectively, but also that access can be removed automatically when the relationship with the organisation ends, ensuring that there is no unauthorised access to sensitive data. Additionally, external user management is frequently the responsibility of central IT; not only does this place a significant burden on IT to process external user requests, but additionally this approach can lead to serious risks around compliance and governance. Unless IT services are advised that an external user no longer requires access, often these accounts can be left active long after they are no longer required, with all the security and compliance risks that this entails. It would be preferable if this responsibility could be delegated out to the business units working with external users; not only would this relieve the burden on IT services but also place the responsibility for security and compliance with those in the organisation best placed to determine when access is no longer required. Whilst it might be possible to build a custom solution to address these challenges within an enterprise Identity and Access Management Suite, the amount of custom development work and licensing costs in many cases make this a non-viable approach. SINGLE PANE OF GLASS EXPERIENCE FOR BIOTECH CUSTOMERS A UK based Biotech Startup offers a number of different customer facing applications. Having been developed in isolation, each application was an identity silo with users having a different username and password for each application. Having decided to implement an enterprise SSO solution to provide a single pane of glass experience for its customers, an authentication source was required which had the flexibility to import the users from the various applications, including passwords hashed with a variety of algorithms, such that the SSO service could be introduced with zero disruption to the several thousand customers (e.g. no need to issue new credentials). 1 Getting to know you, Quocirca, June 2015 ProofID Limited 5

6 ARMS provides an ideal solution to these challenges: As commercial, off-the-shelf software designed specifically for managing external identities, ARMS is quick to deploy and start yielding benefits. ARMS s delegated administration framework means that the burden of managing external identities can be passed from IT to the relevant business units, empowering individuals within the organisation to provision access on-demand in a more efficient manner. With a role based architecture, ARMS ensures that external users gain access to the resources and services they need to do their job, quickly. ARMS delegated approval workflows and governance framework ensures that the organisation has the tools required to ensure that access is automatically removed from external users when their relationship with the organisation is finished. With built-in integration to major IAM vendors and standards based provisioning via SCIM, ARMS can easily be integrated into the enterprise, alongside existing enterprise IAM technology if necessary. ProofID Limited 6

7 3 THE SOLUTION ARMS BY PROOFID ARMS from ProofID is a web based application providing user lifecycle management and governance capabilities for external users which need to interact with the enterprise. Examples of such users include contractors, partners, suppliers or customers, who need to have access to online services or applications. Often, it is not desirable or practical for these identities to be stored in the central enterprise directory service (e.g. Active Directory), so ARMS provides an alternative identity store with many additional benefits. ARMS provides off the shelf workflow driven automation to ensure that not only can the enterprise quickly provision external access with minimal overhead on central IT services, but crucially that the lifecycle of these accounts can be properly managed, ensuring that access is cleanly removed when no longer required. Implemented alongside an enterprise Identity and Access Management solution, ARMS yields significant benefits: Productivity: Quickly enrol external users and provide access to the applications they need, via delegated administrators or self-service Security: Ensure that access is removed when it is no longer required, so there is no risk of external users accessing sensitive applications after their association with the enterprise is over Compliance: Role based approach ensures external users only have access to services they need, and attestation workflows make sure that levels of access are still appropriate A standalone application built around a specific use case, ARMS can be quickly deployed, enabling enterprises to start reaping the benefits immediately. IT Outsourcing Firm Home Valuation Application A large IT outsourcing firm is launching an on-demand application providing home valuation services to professionals in the property sector. Users of the service are very varied, ranging from internal administrators with Active Directory accounts to very large external organisations such as banks, who have their own SAML compliant Identity provider. Plus there are a large number of property valuers who need to access the service; these range from individuals to small businesses, who are too small to have their own IDP. ARMS provided the solution; user creation was made possible via delegated administration, bulk import and a workflow driven selfregistration portal. Each organisation was modeled within ARMS with the appropriate access privileges and expiry dates aligned to contractual arrangements, with delegated administrators within the organisation granted the ability to manage the accounts accordingly. ARMS also acted as an authentication source in its own right, removing the need to provision user accounts into the central Active Directory or alternative directory service. ProofID Limited 7

8 3.1 ARMS Highlights Authoritative source for external identities Source of authentication for external identities End-to-end management of external user lifecycle Devolved administration of external users Delegated approval workflows Easy to use, web based interface Role-based architecture SCIM provisioning module Self-service request form for external users Flexible CSV Import facility Audit trail Integration with commercial Identity and Access Management products including PingFederate, PingOne, Microsoft FIM and NetIQ Identity Manager. ProofID Limited 8

9 4 ARMS DETAILED DESCRIPTION This section provides a detailed description of ARMS core features. 4.1 Authoritative Source for External Identities ARMS provides an alternative location for storing external user identities, meaning there is no need to store external identities in the core directory service such as Active Directory. External identities can be created within ARMS via several methods including web UI, CSV upload and self-service form, with sophisticated rulesets available for username and initial password generation. With a highly flexible, role based data model, featuring the ability to add additional fields as required, ARMS can accommodate most external user scenarios. 4.2 Source of authentication for External Identities In addition to being an authoritative source of external identities, ARMS can also be used to authenticate users. Passwords are held securely using a variety of encryption policies, and password management rules can be used to govern password resets etc. In this model, ARMS can be used alongside SSO/Federation products to authenticate external users and provide access to applications. 4.3 End-to-end management of external user lifecycle ARMS provides a framework for the management of external users, from initial account creation through to removal of access at the end of the user s association with the enterprise. Designated administrators can process Creates, Updates and Deletions of user records as required, and can managed the applications and services each user has been granted access to. 4.4 Devolved administration of external users A key feature of ARMS is its delegated administrative architecture. Rather than requiring central IT to bear the burden of creating and managing external user access, ARMS allows the relevant administrative privileges to be delegated to whichever individuals in the organisation will have responsibility for the external users. This significantly reduces the burden on central IT, whilst empowering business users and increasing productivity. High Street Retailer Management of Seasonal Staff A major UK high street retailer faces high seasonal demand, which drives significant recruitment of temporary staff around the Christmas period. With staffing doubling over the period, provisioning access and then deprovisioning access to LOB applications for these users in a timely fashion was a significant challenge. The result was a highly labour intensive process which was prone to errors, and many orphaned accounts which were not properly cleaned up after the busy period, generating serious security and compliance risks. By deploying ARMS, the retailer was able to delegate recruitment of seasonal staff to local store managers, securing significant efficiency improvements by removing the reliance on central IT to perform this function. In addition, ARMS role based architecture enabled the seasonal accounts to be created with access to the appropriate systems, and access to be removed after the termination of the temporary contract after the seasonal rush. ProofID Limited 9

10 4.5 Delegated approval workflows Account creation within ARMS triggers approval workflows, whereby the relevant delegated adminstrator, determined by the role and department of the new user, must approve or deny the new account creation. Delegated administrators can be notified by when there is an approval workflow which requires their attention. 4.6 Easy to Use, Web Based Interface The ARMS interface has been designed to be intuitive and easy to use, recognising the fact that the delegated architecture means that it will be used by non-technical users. Figure 1: ARMS user interface 4.7 Role Based Architecture ARMS has a comprehensive and flexible role based architecture which makes it easy for administrators to grant external access to the applications and services they will need according to their interaction with the enterprise. Applications or services may be mapped to user roles (known as classes within ARMS), and access to applications can be marked as mandatory or optional. In turn, roles may be mapped to departments or units within the organisation, meaning that devolved administrators may only allocate new users into roles that are appropriate for that business function. The schematic below shows at a high level how departments, roles and applications relate to each other within ARMS. ProofID Limited 10

11 Figure 2: Role Based Access 4.8 SCIM provisioning module ARMS includes a user provisioning capability built upon the industry provisioning standard SCIM, or the System for Cross Domain Identity Management. SCIM provides a standardised framework for exchanging identity information between applications, and is gaining wide traction particularly with SaaS applications (e.g. PingOne, Salesforce). ARMS can provision users into any application which supports inbound provisioning via SCIM. Additionally, the SCIM module supports synchronisation of changes and de-provisioning. 4.9 Self-service request form for external users ARMS provides a self-service form allowing external users to request an account with the organisation. The form, which can be branded in line with organisational branding guidelines and incorporated into an Internet or Intranet site, has the following features: - Customisable form, allowing the organisation to choose which fields to include - Workflow driven, with requests routed to appropriate administrators from across the business to approve requests, depending on the role requested - Allows the user to select the desired role and department - Can require the user to provide comments to support their application ProofID Limited 11

12 Figure 3: Self Service Form 4.10 Flexible CSV Import facility ARMS supports the bulk upload of users via CSV file. This is particularly useful for an initial load of users into the system, or is a specific business initiative requires mass creation of many users. The CSV import facility is very flexible, and provides a means of mapping fields within the CSV file to fields within ARMS Audit trail ARMS maintains a comprehensive audit trail, recording every operation, including which user carried out the operation and when it took place. The audit log provides a key part of an organisation s compliance responsibilities around Identity and Access Management. Whilst the user interface provides a means of viewing the audit log (as shown below), for more advanced requirements, the audit database can be queried directly. ProofID Limited 12

13 Figure 4: ARMS Audit Log 4.12 Integration with Commercial IAM Products ARMS features modules for integration with the following commercial Identity and Access Management products. IAM Product Ping Identity PingFederate Ping Identity PingOne Microsoft FIM NetIQ Identity Manager Generic ARMS Integration ARMS Password Credential Validator allowing PingFederate to authenticate users against ARMS and return role information in SAML assertions Automated provisioning into PingOne via SCIM provisioning module ARMS Management Agent facilitating the synchronisation of users from ARMS into the FIM MetaVerse Identity Manager Driver to synchronise users from ARMS into the NetIQ Identity Vault Automated standards based provisioning into any SCIM compliant application ProofID Limited 13

14 5 CONCLUSION ARMS provides an ideal solution to enable modern businesses to manage external identities effectively. Commercial off-the-shelf software, specifically designed for the external user use case and with a proven track record across multiple sectors, ARMS is a much quicker and more cost-effective route to addressing the challenges of managing external users as compared to custom development of a bespoke solution within an enterprise Identity and Access Management solution. As commercial, off-the-shelf software designed specifically for managing external identities, ARMS is quick to deploy and quick to start yielding benefits. ARMS s delegated administration framework means that the burden of managing external identities can be passed from IT to the relevant business units, empowering individuals within the organisation to provision access on-demand in a more efficient manner. With a role based architecture, ARMS ensures that external users gain access to the resources and services they need to do their job, quickly ARMS delegated approval workflows and governance framework ensures that the organisation has the tools required to ensure that access is automatically removed from external users when their relationship with the organisation is finished. With built-in integration to major IAM vendors and standards based provisioning via SCIM, ARMS can easily be integrated into the enterprise, alongside existing enterprise IAM technology if necessary. ProofID Limited 14