Managing Access for External Users with ARMS


Managing Access for External Users with ARMS
White Paper, 27th September 2015
ProofID Limited 1

Author: Tom Eggleston
Version:
Status:
Reference:
Creation Date:
Revision Date:
Reviewed by:
Approved by:

Disclaimer
ProofID Limited makes no representations or warranties with respect to the contents or use of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.

Copyright
Copyright 2014 ProofID Limited. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of ProofID Limited.

Contact
Questions related to the information contained in this document should be directed to Tom Eggleston at teggleston@proofid.co.uk. Tel: +44 (0) 161 906 1002, Mob: +44 (0) 7722 595701.
ProofID Limited, Lancastrian Office Centre, Talbot Road, Manchester M32 0FP

TABLE OF CONTENTS
1 ABOUT PROOFID ... 4
2 ARMS EXTERNAL USER LIFECYCLE MANAGEMENT ... 5
2.1 Adoption of Cloud Services ... 6
3 THE SOLUTION - ARMS BY PROOFID ... 7
3.1 ARMS Highlights ... 8
4 ARMS DETAILED DESCRIPTION ... 9
4.1 Authoritative Source for External Identities ... 9
4.2 Source of authentication for External Identities ... 9
4.3 End-to-end management of external user lifecycle ... 9
4.4 Devolved administration of external users ... 9
4.5 Delegated approval workflows ... 10
4.6 Easy to Use, Web Based Interface ... 10
4.7 Role Based Architecture ... 10
4.8 SCIM provisioning module ... 11
4.9 Self-service request form for external users ... 11
4.10 Flexible CSV Import facility ... 12
4.11 Audit trail ... 12
4.12 Integration with Commercial IAM Products ... 13
5 CONCLUSION ... 14

TABLE OF FIGURES
Figure 1: ARMS user interface ... 10
Figure 2: Role Based Access ... 11
Figure 3: Self Service Form ... 12
Figure 4: ARMS Audit Log ... 13

1 ABOUT PROOFID

ProofID is a specialist provider of fully managed identity management (IDM) solutions, based in Manchester, United Kingdom. Trading since 2008, ProofID has unrivalled depth of experience of delivering identity management solutions across multiple industries and sectors, with major clients across the UK, Ireland and Asia.

ProofID's philosophy is to provide fully managed solutions of the highest quality, enabling our customers to focus on what they do best, while we get on with providing the identity management services they need to run their business in a flexible, secure and resilient manner. We believe that because of its inherent complexity, regardless of vendor, the best way to maximise return on investment in identity management technology is to ensure that it is managed and maintained by experts.

Identity management can offer so much to the modern organisation in the digital age, as identity management moves out of the enterprise and onto the internet, yet at ProofID we have seen too many instances of incomplete or poorly configured identity management systems which do not deliver the benefits that were expected. Our 'raison d'être' is to help our customers get the most out of their investment in identity management, allowing them to offer a better service to employees and customers, and ultimately to ensure their investment has a positive impact on the bottom line.

We offer a wide portfolio of services, ranging from expert consultancy to fully managed solutions, in on-premise, cloud or hybrid scenarios. We also have innovative solutions in the emerging areas of digital identity proofing and social identity management.

2 ARMS EXTERNAL USER LIFECYCLE MANAGEMENT

External users are a fact of life in modern business, as technology enables and drives more collaborative working practices. Business initiatives and projects typically involve a workforce made up of internal staff, contractors, third party partner organisations or suppliers, as well as customers, which may be individuals or other businesses. Whilst the majority of organisations have now deployed identity and access management technology to provide provisioning, authentication and compliance for internal staff, only 20% of organisations feel that their identity and access management system is fit for purpose for managing external users. [1]

Managing identities and access for external users presents a difficult problem for businesses; deciding on a suitable repository to store the identities is only the beginning of the process. Beyond that, it is imperative both that external users are given prompt access to the resources and services they need to work effectively, and that access can be removed automatically when the relationship with the organisation ends, ensuring that there is no unauthorised access to sensitive data.

Additionally, external user management is frequently the responsibility of central IT; not only does this place a significant burden on IT to process external user requests, but this approach can also lead to serious risks around compliance and governance. Unless IT services are advised that an external user no longer requires access, these accounts are often left active long after they are no longer required, with all the security and compliance risks that this entails. It would be preferable if this responsibility could be delegated out to the business units working with external users; not only would this relieve the burden on IT services, but it would also place the responsibility for security and compliance with those in the organisation best placed to determine when access is no longer required.

Whilst it might be possible to build a custom solution to address these challenges within an enterprise Identity and Access Management Suite, the amount of custom development work and licensing costs in many cases make this a non-viable approach.

SINGLE PANE OF GLASS EXPERIENCE FOR BIOTECH CUSTOMERS
A UK based Biotech Startup offers a number of different customer facing applications. Having been developed in isolation, each application was an identity silo, with users having a different username and password for each application. Having decided to implement an enterprise SSO solution to provide a single pane of glass experience for its customers, an authentication source was required which had the flexibility to import the users from the various applications, including passwords hashed with a variety of algorithms, such that the SSO service could be introduced with zero disruption to the several thousand customers (e.g. no need to issue new credentials).

[1] Getting to know you, Quocirca, June 2015

ARMS provides an ideal solution to these challenges:

- As commercial, off-the-shelf software designed specifically for managing external identities, ARMS is quick to deploy and start yielding benefits.
- ARMS's delegated administration framework means that the burden of managing external identities can be passed from IT to the relevant business units, empowering individuals within the organisation to provision access on-demand in a more efficient manner.
- With a role based architecture, ARMS ensures that external users gain access to the resources and services they need to do their job, quickly.
- ARMS's delegated approval workflows and governance framework ensure that the organisation has the tools required to ensure that access is automatically removed from external users when their relationship with the organisation is finished.
- With built-in integration to major IAM vendors and standards based provisioning via SCIM, ARMS can easily be integrated into the enterprise, alongside existing enterprise IAM technology if necessary.

3 THE SOLUTION - ARMS BY PROOFID

ARMS from ProofID is a web based application providing user lifecycle management and governance capabilities for external users which need to interact with the enterprise. Examples of such users include contractors, partners, suppliers or customers, who need to have access to online services or applications. Often, it is not desirable or practical for these identities to be stored in the central enterprise directory service (e.g. Active Directory), so ARMS provides an alternative identity store with many additional benefits.

ARMS provides off the shelf, workflow driven automation to ensure that not only can the enterprise quickly provision external access with minimal overhead on central IT services, but crucially that the lifecycle of these accounts can be properly managed, ensuring that access is cleanly removed when no longer required. Implemented alongside an enterprise Identity and Access Management solution, ARMS yields significant benefits:

- Productivity: Quickly enrol external users and provide access to the applications they need, via delegated administrators or self-service
- Security: Ensure that access is removed when it is no longer required, so there is no risk of external users accessing sensitive applications after their association with the enterprise is over
- Compliance: Role based approach ensures external users only have access to services they need, and attestation workflows make sure that levels of access are still appropriate

A standalone application built around a specific use case, ARMS can be quickly deployed, enabling enterprises to start reaping the benefits immediately.

IT OUTSOURCING FIRM HOME VALUATION APPLICATION
A large IT outsourcing firm is launching an on-demand application providing home valuation services to professionals in the property sector. Users of the service are very varied, ranging from internal administrators with Active Directory accounts to very large external organisations such as banks, who have their own SAML compliant Identity Provider. Plus there are a large number of property valuers who need to access the service; these range from individuals to small businesses, who are too small to have their own IdP. ARMS provided the solution; user creation was made possible via delegated administration, bulk import and a workflow driven self-registration portal. Each organisation was modelled within ARMS with the appropriate access privileges and expiry dates aligned to contractual arrangements, with delegated administrators within the organisation granted the ability to manage the accounts accordingly. ARMS also acted as an authentication source in its own right, removing the need to provision user accounts into the central Active Directory or alternative directory service.

3.1 ARMS Highlights

- Authoritative source for external identities
- Source of authentication for external identities
- End-to-end management of external user lifecycle
- Devolved administration of external users
- Delegated approval workflows
- Easy to use, web based interface
- Role-based architecture
- SCIM provisioning module
- Self-service request form for external users
- Flexible CSV Import facility
- Audit trail
- Integration with commercial Identity and Access Management products including PingFederate, PingOne, Microsoft FIM and NetIQ Identity Manager

4 ARMS DETAILED DESCRIPTION

This section provides a detailed description of ARMS's core features.

4.1 Authoritative Source for External Identities

ARMS provides an alternative location for storing external user identities, meaning there is no need to store external identities in the core directory service such as Active Directory. External identities can be created within ARMS via several methods including web UI, CSV upload and self-service form, with sophisticated rulesets available for username and initial password generation. With a highly flexible, role based data model, featuring the ability to add additional fields as required, ARMS can accommodate most external user scenarios.

4.2 Source of authentication for External Identities

In addition to being an authoritative source of external identities, ARMS can also be used to authenticate users. Passwords are held securely using a variety of encryption policies, and password management rules can be used to govern password resets etc. In this model, ARMS can be used alongside SSO/Federation products to authenticate external users and provide access to applications.

4.3 End-to-end management of external user lifecycle

ARMS provides a framework for the management of external users, from initial account creation through to removal of access at the end of the user's association with the enterprise. Designated administrators can process Creates, Updates and Deletions of user records as required, and can manage the applications and services each user has been granted access to.

4.4 Devolved administration of external users

A key feature of ARMS is its delegated administrative architecture. Rather than requiring central IT to bear the burden of creating and managing external user access, ARMS allows the relevant administrative privileges to be delegated to whichever individuals in the organisation will have responsibility for the external users. This significantly reduces the burden on central IT, whilst empowering business users and increasing productivity.

HIGH STREET RETAILER MANAGEMENT OF SEASONAL STAFF
A major UK high street retailer faces high seasonal demand, which drives significant recruitment of temporary staff around the Christmas period. With staffing doubling over the period, provisioning and then deprovisioning access to LOB applications for these users in a timely fashion was a significant challenge. The result was a highly labour intensive process which was prone to errors, and many orphaned accounts which were not properly cleaned up after the busy period, generating serious security and compliance risks. By deploying ARMS, the retailer was able to delegate recruitment of seasonal staff to local store managers, securing significant efficiency improvements by removing the reliance on central IT to perform this function. In addition, ARMS's role based architecture enabled the seasonal accounts to be created with access to the appropriate systems, and access to be removed after the termination of the temporary contract at the end of the seasonal rush.

4.5 Delegated approval workflows

Account creation within ARMS triggers approval workflows, whereby the relevant delegated administrator, determined by the role and department of the new user, must approve or deny the new account creation. Delegated administrators can be notified by email when there is an approval workflow which requires their attention.

4.6 Easy to Use, Web Based Interface

The ARMS interface has been designed to be intuitive and easy to use, recognising the fact that the delegated architecture means that it will be used by non-technical users.

Figure 1: ARMS user interface

4.7 Role Based Architecture

ARMS has a comprehensive and flexible role based architecture which makes it easy for administrators to grant external users access to the applications and services they will need according to their interaction with the enterprise. Applications or services may be mapped to user roles (known as classes within ARMS), and access to applications can be marked as mandatory or optional. In turn, roles may be mapped to departments or units within the organisation, meaning that devolved administrators may only allocate new users into roles that are appropriate for that business function. The schematic below shows at a high level how departments, roles and applications relate to each other within ARMS.
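To make the department, role and application relationships concrete, the following is an added example (not ARMS code; all role names, users and dates are constructed) of the same model: roles belong to departments and carry mandatory and optional applications, a devolved administrator can only allocate users into roles of the departments they administer, contract expiry removes all access, and each operation is written to an audit record.

```python
# Constructed model of the department -> role -> application structure in 4.7,
# with expiry-driven removal of access (sections 3 and 4.3) and an audit trail
# (4.11). Added example, not ProofID/ARMS code; names and dates are hypothetical.
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Role:
    name: str
    department: str
    mandatory_apps: frozenset  # always granted with the role
    optional_apps: frozenset   # may additionally be selected per user

ROLES = {
    "valuer": Role("valuer", "Valuations", frozenset({"valuation-portal"}),
                   frozenset({"reporting"})),
    "store-temp": Role("store-temp", "Retail", frozenset({"till", "rota"}),
                       frozenset({"stock-lookup"})),
}

@dataclass
class ExternalUser:
    username: str
    department: str
    role: str
    expires: date  # aligned to the contractual end date
    optional_apps: set = field(default_factory=set)
    active: bool = True

AUDIT = []  # (when, actor, operation, subject): who did what, and when

def _audit(when, actor, operation, subject):
    AUDIT.append((when.isoformat(), actor, operation, subject))

def assign_role(actor, admin_departments, user, role_name, today):
    """Refused unless the role's department is administered by the actor and matches the user's."""
    role = ROLES[role_name]
    if role.department not in admin_departments:
        raise PermissionError(f"{actor} may not assign {role.department} roles")
    if role.department != user.department:
        raise ValueError("role does not belong to the user's department")
    user.role = role_name
    _audit(today, actor, "assign_role", f"{user.username}:{role_name}")

def entitlements(user, today):
    """Effective access: nothing once expired or deactivated, otherwise the
    role's mandatory apps plus any selected optional apps the role offers."""
    if not user.active or today > user.expires:
        return frozenset()
    role = ROLES[user.role]
    return role.mandatory_apps | (user.optional_apps & role.optional_apps)

def expire_accounts(users, today):
    """Lifecycle sweep: deactivate every account whose contract has ended."""
    removed = []
    for user in users:
        if user.active and today > user.expires:
            user.active = False
            removed.append(user.username)
            _audit(today, "system", "deactivate", user.username)
    return removed

def run_demo():
    """Exercise the model on constructed users; returns values for checking."""
    AUDIT.clear()
    # "till" is not an optional app of the valuer role, so it is never granted
    alice = ExternalUser("alice", "Valuations", "valuer", date(2015, 12, 31),
                         {"reporting", "till"})
    bob = ExternalUser("bob", "Retail", "store-temp", date(2015, 12, 24))
    assign_role("mgr.retail", {"Retail"}, bob, "store-temp", date(2015, 11, 1))
    try:  # a Retail manager must not allocate a Valuations role
        assign_role("mgr.retail", {"Retail"}, alice, "valuer", date(2015, 11, 1))
        crossed = True
    except PermissionError:
        crossed = False
    before = sorted(entitlements(bob, date(2015, 12, 20)))
    removed = expire_accounts([alice, bob], date(2015, 12, 28))
    after = sorted(entitlements(bob, date(2015, 12, 28)))
    alice_apps = sorted(entitlements(alice, date(2015, 12, 28)))
    return crossed, before, removed, after, alice_apps, len(AUDIT)
```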

Figure 2: Role Based Access

4.8 SCIM provisioning module

ARMS includes a user provisioning capability built upon the industry provisioning standard SCIM, the System for Cross-domain Identity Management. SCIM provides a standardised framework for exchanging identity information between applications, and is gaining wide traction particularly with SaaS applications (e.g. PingOne, Salesforce). ARMS can provision users into any application which supports inbound provisioning via SCIM. Additionally, the SCIM module supports synchronisation of changes and de-provisioning.

4.9 Self-service request form for external users

ARMS provides a self-service form allowing external users to request an account with the organisation. The form, which can be branded in line with organisational branding guidelines and incorporated into an Internet or Intranet site, has the following features:

- Customisable form, allowing the organisation to choose which fields to include
- Workflow driven, with requests routed to appropriate administrators from across the business to approve requests, depending on the role requested
- Allows the user to select the desired role and department
- Can require the user to provide comments to support their application

Figure 3: Self Service Form

4.10 Flexible CSV Import facility

ARMS supports the bulk upload of users via CSV file. This is particularly useful for an initial load of users into the system, or if a specific business initiative requires mass creation of many users. The CSV import facility is very flexible, and provides a means of mapping fields within the CSV file to fields within ARMS.

4.11 Audit trail

ARMS maintains a comprehensive audit trail, recording every operation, including which user carried out the operation and when it took place. The audit log provides a key part of an organisation's compliance responsibilities around Identity and Access Management. Whilst the user interface provides a means of viewing the audit log (as shown below), for more advanced requirements the audit database can be queried directly.

Figure 4: ARMS Audit Log

4.12 Integration with Commercial IAM Products

ARMS features modules for integration with the following commercial Identity and Access Management products.

IAM Product | ARMS Integration
- Ping Identity PingFederate | ARMS Password Credential Validator, allowing PingFederate to authenticate users against ARMS and return role information in SAML assertions
- Ping Identity PingOne | Automated provisioning into PingOne via the SCIM provisioning module
- Microsoft FIM | ARMS Management Agent, facilitating the synchronisation of users from ARMS into the FIM MetaVerse
- NetIQ Identity Manager | Identity Manager Driver to synchronise users from ARMS into the NetIQ Identity Vault
- Generic | Automated standards based provisioning into any SCIM compliant application

5 CONCLUSION

ARMS provides an ideal solution to enable modern businesses to manage external identities effectively. Commercial off-the-shelf software, specifically designed for the external user use case and with a proven track record across multiple sectors, ARMS is a much quicker and more cost-effective route to addressing the challenges of managing external users as compared to custom development of a bespoke solution within an enterprise Identity and Access Management solution.

- As commercial, off-the-shelf software designed specifically for managing external identities, ARMS is quick to deploy and quick to start yielding benefits.
- ARMS's delegated administration framework means that the burden of managing external identities can be passed from IT to the relevant business units, empowering individuals within the organisation to provision access on-demand in a more efficient manner.
- With a role based architecture, ARMS ensures that external users gain access to the resources and services they need to do their job, quickly.
- ARMS's delegated approval workflows and governance framework ensure that the organisation has the tools required to ensure that access is automatically removed from external users when their relationship with the organisation is finished.
- With built-in integration to major IAM vendors and standards based provisioning via SCIM, ARMS can easily be integrated into the enterprise, alongside existing enterprise IAM technology if necessary.