Identity Management Presented by Richard Brown
Who is Cogito?
- Who are we? Why listen to us?
- Started as an information protection company working on the ADO PKI.
- Moved into IdM as a natural progression from information integrity and security work.
- Hard to see the linkage? IdM can be the point from which all other access protections are provisioned or derived.
- IdM systems with incorrect data are worse than useless. Keeping the information correct and relevant to organisational needs is key.
- We're an SI (systems integrator) all about ensuring information and identity integrity.
Overview
- What is Identity Management (IdM)?
- What does it do?
- Why do we need IdM?
- Challenges
- Benefits
- Approach
- Where is IdM headed?
What is IdM?
Definition: Identity Management is the collection of processes an organisation uses to manage the security lifecycle of resources for its entities.
What is IdM?
An entity is an identifiable user of enterprise resources and can include:
- Individuals
- Devices
- Processes
- Applications
- Generally anything that can interact in a network computing environment.
What is IdM?
An entity can also include users from outside the organisation:
- Customers
- Web services
An entity is not limited to a single user and can represent a group or role.
What is IdM?
An identity is the set of attributes that uniquely identify an entity. We distinguish between real and online identity (although they are linked). Pure identities are defined by a series of properties.
Diagram: entities correspond to identities; identities consist of attributes.
What does it do?
Identity management helps an organisation manage its:
- Entities
- Organisations
- Sub-organisations
- Resources
Why do we need IdM?
It allows an organisation to protect its data. It protects data by:
- Access and rights management for resources
- Policy enforcement (on accounts, entitlements, etc.)
- Avoiding errors and omissions
- Managing relationships between identities (more on this later)
Why do we need IdM?
An effective IdM suite can provide:
- Security: segregation of duties; multiple approval workflows
- Auditing: fraud detection; fault detection and rectification
- Metrics: reporting; analytics
Why do we need IdM?
Identity management integrates existing services:
- HR
- Directory services (LDAP, AD, etc.)
- Certificate authorities
- Smart-card issuance
- Physical access as well as logical access
Automation:
- Batch processing of thousands of users at once
- Workflows for resource access authorisation, software licence distribution, etc.
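As an added example (not from Cogito's deck or any product), here are the two data-integrity checks that integrating HR with the directory services makes possible: reconciling the authoritative HR feed against the accounts found in each silo, and detecting segregation-of-duties violations over the union of an identity's entitlements across systems rather than account by account. The HR records, system names, account names, entitlement names and toxic pairs are constructed sample data.

```python
"""Two data-integrity checks an IdM reconciliation job runs once HR and the
directories are integrated. Added example; the HR feed, account names,
entitlement names and toxic pairs below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str        # "active" or "terminated" (HR is the authoritative source)
    department: str

@dataclass(frozen=True)
class Account:
    system: str                  # which silo the account lives in ("AD", "ERP", ...)
    name: str
    employee_id: Optional[str]   # None: no link back to an HR identity
    enabled: bool
    department: str
    entitlements: frozenset[str] = field(default_factory=frozenset)

# Constructed HR feed.
HR_FEED = [
    HrRecord("E100", "active", "Finance"),
    HrRecord("E200", "terminated", "Finance"),
    HrRecord("E300", "active", "Ops"),
]

# Constructed accounts pulled from two silos.
DIRECTORY = [
    Account("AD", "alice", "E100", True, "Finance", frozenset({"ap_create_vendor"})),
    Account("ERP", "ALICE_F", "E100", True, "Finance", frozenset({"ap_approve_payment"})),
    Account("AD", "bob", "E200", True, "Finance", frozenset({"ap_approve_payment"})),
    Account("AD", "svc_backup", None, True, "IT"),
    Account("AD", "carol", "E300", True, "Logistics", frozenset({"payroll_run"})),
    Account("ERP", "CAROL_O", "E300", True, "Ops", frozenset({"inventory_adjust"})),
]

# Segregation of duties: no single identity may hold both entitlements of a pair.
TOXIC_PAIRS = [
    ("ap_create_vendor", "ap_approve_payment"),   # create a supplier and pay it
    ("hr_change_salary", "payroll_run"),          # change pay and run payroll
]

def reconcile(hr: list[HrRecord], accounts: list[Account]) -> list[tuple[str, str]]:
    """Compare every account with the HR record it claims to belong to.
    Returns (finding, account_name) pairs: orphan, terminated_but_enabled, department_drift."""
    by_id = {r.employee_id: r for r in hr}
    findings = []
    for acct in accounts:
        rec = by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            findings.append(("orphan", acct.name))       # nobody in HR owns this account
            continue
        if rec.status == "terminated" and acct.enabled:
            findings.append(("terminated_but_enabled", acct.name))   # de-provisioning missed
        if rec.department != acct.department:
            findings.append(("department_drift", acct.name))        # silo attribute out of sync
    return findings

def sod_violations(accounts: list[Account], toxic_pairs) -> list[tuple[str, tuple[str, str]]]:
    """Evaluate toxic pairs against the union of an identity's entitlements across
    all systems; a pair split between AD and ERP is still a violation."""
    held: dict[str, set[str]] = {}
    for acct in accounts:
        if acct.employee_id is None:
            continue                        # orphans are reported by reconcile()
        held.setdefault(acct.employee_id, set()).update(acct.entitlements)
    violations = []
    for emp, ents in sorted(held.items()):
        for pair in toxic_pairs:
            if pair[0] in ents and pair[1] in ents:
                violations.append((emp, pair))
    return violations

if __name__ == "__main__":
    for finding in reconcile(HR_FEED, DIRECTORY):
        print("reconcile:", *finding)
    for emp, pair in sod_violations(DIRECTORY, TOXIC_PAIRS):
        print("sod:", emp, "holds", pair[0], "and", pair[1])
```

Running the SoD check on the AD accounts alone finds nothing; only the merged view of E100 shows that Alice can both create a vendor (AD) and approve its payment (ERP), which is the "holistic view" argument for IdM in practice.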
Challenges: Complexity
- It can be difficult to see the full benefits, both prior to implementation and when reporting additional benefit after implementation.
- Integration challenges: data extraction, transformation, load and sync can be complex and time consuming.
- But this simplifies automation: spend 2 minutes once to save 1 every week going forward.
Challenges: Benefit vs Costs
- Hard to sell the need: complex back-end benefits can be hard to sell to the wider executive.
- Long-term nature of benefit vs up-front cost: large outlay prior to realising benefit; cost comes prior to implementation.
- Project definition to define benefits.
- Planning to realise as many outcomes as possible and to avoid exacerbating existing issues.
Challenges
- Hard to quantify all benefits: benefits are often spread widely across the organisation.
- Some benefits are small individually but large collectively, and cannot be measured.
- Defined ROI cycles: measured in the 1st year but not the 10th.
- Stakeholders: successful engagement of a large number of stakeholders (IdM touches many solutions); protection of turf.
Benefits
Cost savings:
- Prevention of losses through fraud, error or omission
- Rationalisation of effort: management of disparate processes and systems; silo data manipulation and sync; silo error rectification
- Rationalisation of systems: reduced storage; software, hardware and licensing; allows cheaper options in disparate systems; whole systems or processes can be retired
Benefits
Improved efficiencies through:
- Automation
- Reduced errors and omissions
- Streamlined secondary authorisation
- Reduced helpdesk calls
Compliance:
- Audit and reporting capabilities improve compliance with security policies and regulations
Benefits
Improved client experience through:
- Streamlined user interface with a single portal
- Simplified provisioning and de-provisioning of services
- Simplified access to applications
- Reduced training imposts
Benefits
Most important non-cost benefit to Government is information protection:
- Privacy
- National security
Note: NIST indicated that companies could save approx. $142 per user per annum in support costs ($14.2 million per annum for 100,000 users).
Approach: Project Approach
- Large project benefits: one large procurement exercise, but leads to less flexibility later.
- Achievements delivered faster, but more up-front costs; less ongoing costs, but does not grow with the organisation.
- A project-based approach delivers defined goals on defined timelines to indicate success or failure.
- Easier to tie payments to milestone achievements, but often leads to cost overruns for items not envisaged.
- Don't see all or most of the benefits until the end.
Approach: Program Approach
- Program of works controlled by an overarching roadmap.
- Can be seen as harder to judge success, but just needs defined timelines of delivery like a project.
- Longer time to deliver full capability, but less up-front cost and some milestones delivered sooner.
- Less chance of cost blowouts during implementation.
- More able to handle unexpected events or changes in an organisation's priorities. Does not assume a static environment; grows as needed.
- Can see failure earlier and at less cost.
Where is IdM headed? How did we get here (reminder)?
Identity Management:
- Traditional IdM is about management of an identity within an enterprise.
- Allows the bringing together of information about an identity from disparate systems to provide a holistic view.
- Allows the distribution of these details to disparate systems.
- Provides management of the lifecycle of an identity.
- Initially IdM within the enterprise was targeted at employees only but was later extended to include contractors/partners.
Where is IdM headed? How did we get here?
Access Management (AM) or Identity and Access Management (IAM):
- The management of access to applications within the enterprise.
- Traditional AM was for Single (or Simplified) Sign-On within the enterprise. Reducing the number of user names and passwords increased security, reduced the burden on individuals to remember passwords, and achieved a cost reduction on password resets etc.
- AM was extended to include access to applications outside the enterprise or between enterprises (federation).
Where is IdM headed? What have I become?
Identity Relationship Management (IRM):
- Growth of the internet and ever-increasing connectivity of people and devices.
- IdM has grown to now encompass customers of the enterprise.
- The definition of identity now extends to include devices.
- No longer just about managing the identity of people accessing services: the enterprise now needs to gain an understanding of the relationship it has with identities.
Pillars of IRM
IRM is a growing area within the arena of IdM. It moves identity from being a technical capability to include a business focus. It has two pillars: business and technical.
Pillars of IRM: Business
- Consumers and Things over Employees
- Adaptable over Predictable
- Top Line over Operating Expense
- Velocity over Process
Pillars of IRM: Technical
- Internet Scale over Enterprise Scale
- Dynamic Intelligence over Static Intelligence
- Borderless over Perimeter
- Modular over Monolithic
The laws of relationships
- The Kantara Initiative is an open organisation set up to share issues across the identity community. It works towards solving technical and interoperability issues.
- Work is currently being conducted to establish a set of Laws of Relationships akin to the existing Laws of Identity.
The laws of relationships
Currently a work in progress, but it provides the following axioms of relationships:
- Scalable: in the number of actors, relationships and attributes, and in administration
- Actionable: the need to authorise actions
The laws of relationships
Types of relationships:
- Immutable: e.g. the relationship between a product and its manufacturer
- Contextual: e.g. can't access a system from overseas
- Transferable: delegation (e.g. a watch keeper)
The laws of relationships
Laws of relationships:
- Provable: proving a relationship between parties
- Acknowledgeable: parties must acknowledge the relationship
- Revocable: revoking a relationship
- Constrainable: constraining the relationship
Military
How does this relate in a military context?
- Post Sept 11 the need for increased interoperability, sharing and collaboration was realised. There is still a need to maintain control over information and access.
- Provide adaptive access management: know the relationship between user and device; know when an identity is logging in from a different device/area/region and challenge for additional authentication.
- Provide flexible services to meet operational tempo: rapidly allow access to information/systems/collaborative tools; remove that access when no longer required.
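As an added example serving both the relationship types and laws listed on the preceding slides and the adaptive access management described for the military context, the following is a small relationship registry in which each law has a concrete behaviour (acknowledgeable: all parties must acknowledge before the relationship is provable; revocable: revoking a relationship also ends any delegation derived from it; constrainable/contextual: region and time constraints; transferable: a watch-keeper delegation that can never be broader than the delegator's own relationship) and an access decision that returns allow, step-up or deny depending on the relationship between the user, the device and the region. This is not Cogito's or the Kantara Initiative's code; the relationship kinds, party names, region codes and the three outcomes are assumptions, and the clock and scenarios are constructed.

```python
"""A relationship registry giving the relationship properties above concrete
behaviour, plus an adaptive access decision built on it. Added example, not
Cogito's or the Kantara Initiative's code; kinds, names and outcomes are assumed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock

@dataclass
class Relationship:
    subject: str                   # the actor the relationship is about
    obj: str                       # the resource or device it relates to
    kind: str                      # "member_of" or "owns_device" (assumed kinds)
    parties: frozenset[str]        # acknowledgeable: everyone who must agree
    ack: set[str] = field(default_factory=set)
    regions: Optional[frozenset[str]] = None   # constrainable/contextual: None = anywhere
    expires: Optional[datetime] = None         # constrainable: time window
    revoked: bool = False                      # revocable
    delegated_from: Optional[Relationship] = None   # transferable: parent link

    def acknowledge(self, party: str) -> None:
        if party not in self.parties:
            raise ValueError(f"{party} is not a party to this relationship")
        self.ack.add(party)

    def active(self, now: datetime) -> bool:
        """Provable: holds only if fully acknowledged, not revoked, not expired
        and, for a delegation, the parent relationship still holds."""
        if self.revoked or self.ack != set(self.parties):
            return False
        if self.expires is not None and now >= self.expires:
            return False
        return self.delegated_from is None or self.delegated_from.active(now)

    def permits_region(self, region: str) -> bool:
        return self.regions is None or region in self.regions

    def delegate(self, to: str, regions=None, expires: Optional[datetime] = None) -> Relationship:
        """Transferable: the delegate never gets more than the delegator has;
        regions are intersected and the earlier expiry wins."""
        if self.regions is not None:
            regions = self.regions if regions is None else self.regions & frozenset(regions)
        elif regions is not None:
            regions = frozenset(regions)
        if self.expires is not None:
            expires = self.expires if expires is None else min(expires, self.expires)
        return Relationship(to, self.obj, self.kind, frozenset({self.subject, to}),
                            regions=regions, expires=expires, delegated_from=self)

class Registry:
    def __init__(self) -> None:
        self.rels: list[Relationship] = []

    def register(self, rel: Relationship, *acks: str) -> Relationship:
        """Store a relationship after the listed parties acknowledge it."""
        for party in acks:
            rel.acknowledge(party)
        self.rels.append(rel)
        return rel

    def active(self, subject: str, obj: str, kind: str, now: datetime) -> list[Relationship]:
        return [r for r in self.rels
                if r.subject == subject and r.obj == obj and r.kind == kind and r.active(now)]

def bind(reg: Registry, subject: str, obj: str, kind: str, **kw) -> Relationship:
    """Two-party relationship acknowledged by both sides."""
    return reg.register(Relationship(subject, obj, kind, frozenset({subject, obj}), **kw), subject, obj)

def decide(reg: Registry, user: str, device: str, region: str, resource: str, now: datetime) -> str:
    """Adaptive access: deny without a provable membership valid in this region;
    step up when the device is unknown or is being used outside its usual region."""
    if not any(m.permits_region(region) for m in reg.active(user, resource, "member_of", now)):
        return "deny"
    if not any(d.permits_region(region) for d in reg.active(user, device, "owns_device", now)):
        return "step_up"
    return "allow"

def demo() -> dict[str, str]:
    reg = Registry()
    alice = bind(reg, "alice", "ops-portal", "member_of", regions=frozenset({"AU", "NZ"}))
    bind(reg, "alice", "laptop-1", "owns_device", regions=frozenset({"AU"}))   # usual region
    bind(reg, "bob", "desk-7", "owns_device")
    # Watch keeper: Bob asks for AU and US for 8 hours and gets AU only.
    reg.register(alice.delegate("bob", regions={"AU", "US"}, expires=NOW + timedelta(hours=8)), "alice", "bob")
    # Carol's membership was never acknowledged by the resource owner.
    reg.register(Relationship("carol", "ops-portal", "member_of", frozenset({"carol", "ops-portal"})), "carol")
    out = {
        "alice_usual": decide(reg, "alice", "laptop-1", "AU", "ops-portal", NOW),
        "alice_new_region": decide(reg, "alice", "laptop-1", "NZ", "ops-portal", NOW),
        "alice_overseas": decide(reg, "alice", "laptop-1", "US", "ops-portal", NOW),
        "alice_new_device": decide(reg, "alice", "tablet-9", "AU", "ops-portal", NOW),
        "bob_delegated": decide(reg, "bob", "desk-7", "AU", "ops-portal", NOW),
        "bob_us": decide(reg, "bob", "desk-7", "US", "ops-portal", NOW),
        "bob_expired": decide(reg, "bob", "desk-7", "AU", "ops-portal", NOW + timedelta(hours=9)),
        "carol_unacknowledged": decide(reg, "carol", "desk-7", "AU", "ops-portal", NOW),
    }
    alice.revoked = True   # revoking Alice's membership also ends Bob's delegation
    out["bob_after_revoke"] = decide(reg, "bob", "desk-7", "AU", "ops-portal", NOW)
    return out
```

Calling demo() gives allow for Alice on her usual laptop in AU, step-up when the same laptop appears in NZ or an unknown tablet appears in AU, and deny from the US because the membership itself is constrained to AU/NZ; Bob's delegated access works only within the narrowed region and time window and disappears the moment Alice's own relationship is revoked.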
Questions?
Thanks for listening. Please stop by our booth for:
- further discussion
- a demonstration of some IdM technologies
- a demonstration of other information protection solutions