Eight Best Practices for Identity and Access Management



Similar documents
An Introduction to Toad Extension for Visual Studio. Written By Thomas Klughardt Systems Consultant Quest Software, Inc.

10.2. Auditing Cisco PIX Firewall with Quest InTrust

Secure and Efficient Log Management with Quest OnDemand

Go Beyond Basic Up/Down Monitoring

Direct Migration from SharePoint 2003 to SharePoint 2010

Taking Unix Identity and Access Management to the Next Level

Migrating Your Applications to the Cloud

Six Steps to Achieving Data Access Governance. Written By Quest Software

Key Methods for Managing Complex Database Environments

Using Stat with Custom Applications

Quest ChangeAuditor 5.0. For Windows File Servers. Events Reference

Quest Management Agent for Forefront Identity Manager

Proactive Performance Management for Enterprise Databases

Foglight for SQL Server

Toad for Oracle Compatibility with Windows 7 Revealed

The Case for Quest One Identity Manager

An Innovative Approach to SOAP Monitoring. Written By Quest Software

Quest One Privileged Account Appliance

2007 Quest Software, Inc. ALL RIGHTS RESERVED. TRADEMARKS. Disclaimer

6.0. Planning for Capacity in Virtual Environments Reference Guide

Top Seven Tips and Tricks for Group Policy in Windows 7

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel

Enterprise Single Sign-On 8.0.3

Quest Application Performance Monitoring Implementation Methodology

The Active Directory Recycle Bin: The End of Third-Party Recovery Tools?

Are You Spending More than You Realize on Active Directory Management?

How to Use Custom Site Templates and Definitions supporting Corporate look-and-feel

Enterprise Single Sign-On Installation and Configuration Guide

Achieving ISO/IEC Compliance with Quest One Solutions for Privileged Access. Written By Quest Software, Inc.

6.5. Web Interface. User Guide

Exchange 2010 and Your Audit Strategy

Protecting and Auditing Active Directory with Quest Solutions

2009 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Disclaimer

The Quest Cloud Automation Platform

Quest Support: vworkspace Troubleshooting Guide. Version 1.0

Top Five Reasons to Choose Toad Over SQL Developer

Moving to the Cloud : Best Practices for Migrating from Novell GroupWise to Microsoft Exchange Online Standard

Best Practices for SharePoint Development and Customization

Unified and Intelligent Identity and Access Management

Foglight Foglight Experience Viewer (FxV) Upgrade Field Guide

Controlling & Managing Super User Access

formerly Help Desk Authority Quest Free Network Tools User Manual

Migrating Lotus Notes Applications to Microsoft Office 365 and SharePoint Online

Choosing the Right Active Directory Bridge Solution

Quest ActiveRoles Server

Data Center Consolidation Strategies for the Federal CIO

Quest Solutions for PCI Compliance

Benchmark Factory for Databases 6.5. User Guide

Authentication Services 4.1. Authentication Services Single Sign-on for SAP Integration Guide

Foglight. Managing Java EE Systems Supported Platforms and Servers Guide

4.0. Offline Folder Wizard. User Guide

Extending Native Active Directory Capabilities to Unix and Linux

Quest SQL Optimizer 6.5. for SQL Server. Installation Guide

for Oracle User Guide

ChangeAuditor 5.6. For Windows File Servers Event Reference Guide

Foglight Managing SQL Server Database Systems Getting Started Guide. for SQL Server

2010 Quest Software, Inc. ALL RIGHTS RESERVED. Trademarks. Third Party Contributions

Quest One Password Manager

ChangeAuditor 6.0 For Windows File Servers. Event Reference Guide

Data center and cloud management. Enabling data center modernization and IT transformation while simplifying IT management

FOR WINDOWS FILE SERVERS

System Requirements and Platform Support Guide

Quest ChangeAuditor 5.1 FOR ACTIVE DIRECTORY. User Guide

Foglight for Oracle. Managing Oracle Database Systems Getting Started Guide

Spotlight on SQL Server 7.0. Reporting and Trending Guide

Dell InTrust Preparing for Auditing Cisco PIX Firewall

Foglight. Dashboard Support Guide

Enterprise Single Sign-On Getting Started with SSOWatch

Top 10 Tips for Optimizing SQL Server Performance

Top 10 Most Popular Reports in Enterprise Reporter

Foglight Managing SQL Server Database Systems Getting Started Guide. for SQL Server

Quest vworkspace Virtual Desktop Extensions for Linux

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

2.0. Quick Start Guide

Web Portal Installation Guide 5.0

How to Use SQL Server s Extended Events and Notifications to Proactively Resolve Performance Issues. Written By Jason Strate

Quest Migration Manager 3.2

Transcription:

Eight Best Practices for Identity and Access Management BUSINESS BRIEF

2011 Quest Software, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. ( Quest ). The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656 www.quest.com Email: legal@quest.com Refer to our Web site for regional and international office information. Trademarks Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, itoken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vtoolkit, Quest vworkspace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vautomator, vcontrol, vconverter, vfoglight, voptimizer, vranger, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vbackup, Vizioncore vessentials, Vizioncore vmigrator, Vizioncore vreplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Business Brief: Eight Best Practices for Identity and Access Management 1

Contents Introduction... 3 Eight Best Practices for IAM... 4 Choosing the Right Tool... 6 Traditional Approaches... 6 Quest One Identity Manager... 6 Business Brief: Eight Best Practices for Identity and Access Management 2

Introduction Identity and access management (IAM) isn t something you do once and then forget about. It s an ongoing process, a critical part of your infrastructure that demands continuous management. Even if you have a fully implemented directory, it s never too late to take advantage of best practices to help continuously manage this crucial part of your environment. A key insight about identity and access management is beginning to emerge in our industry: contrary to common practice, IT should not be heavily involved in identity management. Too often, IT is placed in the role of gatekeeper simply because only IT has the tools needed to manage identity. With the right identity management tools in place, IT maintains the tools and infrastructure, and the business controls the actual identities. Here are eight key practices, gleaned from years of experience and informed by this key insight that will help you improve your identity management system to ensure better security, efficiency and compliance. Business Brief: Eight Best Practices for Identity and Access Management 3

Eight Best Practices for IAM 1. Define Your Workforce Your organization s workforce is managed by your personnel or human resources department. They also have to manage information about people who are not employees, such as contractors and consultants. Most of these people require access to company resources. The first best practice is to use your HR systems as much as possible as an authoritative source of data for your identity and access management system. This will help you avoid repetitive work, errors, inconsistencies and other problems as the IAM system grows. Ideally, you ll provide some kind of managed front-end, such as a web-based interface that can be used to verify the quality of the imported data, revise data as needed and so on. 2. Define Identities The next best practice is to implement a single, integrated system that provides end-to-end management of employee identities and that retires orphaned or unneeded identities at the appropriate time. This is where IT responsibility formally begins in the identity management lifecycle. Typically, you ll identify a primary directory service (often Active Directory), a messaging system (such as Exchange Server or Lotus Notes), and a primary Enterprise Resource Planning (ERP) system (such as SAP). Once identified, these crucial systems are integrated into the overall identity management architecture. Why focus on these three kinds of systems? Primarily because they deliver a quick win, providing identity integration across the most-visible and most-used resources that users interact with on a daily basis. More systems can be integrated later. In reality, each disparate system will continue to have its own user accounts. Your integrated system simply maps identities to these accounts, and you ll often use a web-based front-end to manage that mapping process. There will be invariably a few identities that can t be automatically mapped, and the front-end will allow those to be handled on an exception basis. 3. Provide Knowledge and Control to Business Owners You also need to regularly answer the question, Who has access to what? IT coordinates the inventory of identities and permissions and provides that information to business data owners and custodians. Again, a web-based frontend is ideal for this. The idea is to let business data owners manage access to their data and to provide central reporting and control over those permissions. 4. Implement Workflow Although technology is always about embracing change, unmanaged change causes problems. Implementing a request and approval workflow provides an efficient way to manage and document change. A self-service user interface (often web-based) enables users to request permission to resources they need. Data owners and custodians can respond to these requests, helping the business ensure appropriate access, while removing IT from the decision-making role in permissions management. You might begin by defining different kinds of permission sets, each with their own workflows. This enables different kinds of data and tasks to be treated appropriately, depending upon their sensitivity. Take the time to define who can control that list of services, and who is responsible for managing workflow designs, and so on. For example, financial data might require more extensive approvals when changing permissions than company-wide information (such as details about the next company picnic), which might be changed with relatively little workflow required. Business Brief: Eight Best Practices for Identity and Access Management 4

5. Automate Provisioning You need to manage new users, users who leave the organization, and users who move or are promoted or demoted within the organization. Provisioning, de-provisioning and re-provisioning are often time-consuming manual tasks, and automating them can not only reduce overhead but also reduce errors and improve consistency. These provisioning tasks typically involve connections to numerous systems, including e-mail, ERP and databases. Prioritize these systems so that the most important and visible ones can be automated first, and clearly define and document the flow of data between these systems and your identity management toolset. Focus first on automating the basic add/change/delete tasks for user accounts, and then integrate additional tasks such as unlocking accounts. 6. Become Compliant Many companies are now affected by one or more industry or governmental regulations, and your identity management system can play a central, beneficial role in helping you to become and remain compliant. You ll need to focus on clearly defining and documenting the job roles that have control over your data, as well as the job roles that should have access to auditing information. Define compliance rules step by step, and assign each step to a responsible job role. Integrate rule checking in your identity management system and workflow operations to help automate remediation of incorrect actions; this will help improve consistency and security as well as compliance. 7. Check and Recheck In a well-designed identity management system, permissions are typically assigned to job roles rather than to individuals, but organizations are still likely to simply assign permissions as needed and never review them again. This practice invites security risks. Permissions require periodic recertification, meaning you need to review who has access to what and determine whether or not they should still have those permissions. Define job roles within your organization that can recertify permissions, such as system owners, managers, information security officers and so forth. Recertification can be defined in a workflow in which data owners and custodians review a current permission set and verify the accuracy (or inaccuracy) of that set. The idea is to regularly make sure that the roles and people who have permissions to resources should continue to have those permissions. This process should also include recertification of job role membership to ensure that the users assigned a given job role are still performing that role within the organization. 8. Manage Roles Permissions are best assigned to job roles rather than to individuals. Making those roles correspond to real-life job tasks and job titles is a powerful way to manage identities and access over the long term. A certain amount of inventorying and mining will be needed to accurately identify the major roles within your organization, based at least, in part, on the resource permissions currently in force. Through user self-service interfaces, enable users to request the roles they need to access the appropriate resources and services. This way, a user can request access to nonpersonal human resources information (for example) without needing to understand the underlying technical details required to make that happen. Once a user places such a request, the owner or custodian of the affected data has the opportunity to review and either approve or deny the request taking IT out of the permissions management loop entirely. You ll also need to define who will manage these roles in order to ensure that roles are created, modified and deactivated only by authorized individuals following the proper workflow. Business Brief: Eight Best Practices for Identity and Access Management 5

Choosing the Right Tool Traditional Approaches Unfortunately, it s unlikely that your business can rely on native tools to effectively implement these eight best practices. You simply have to deal with too many native toolsets, such as Microsoft Active Directory, SAP, PeopleSoft, Unix or Mac. You need a central place to manage the identities used by all of these systems, and you need to do so in a consistent, secure, efficient and controlled fashion. Traditional IAM frameworks are often expensive and require extensive implementation, often making them impractical. Many companies instead opt for adhoc IAM, cobbling together home-grown and third-party tools into a disjointed workaround that basically gets the job done but at a high cost in efficiency and security. Ultimately, identity management becomes driven by what IT is capable of, and not by what the business needs. Quest One Identity Manager Quest One Identity Manager helps organizations achieve effective IAM for less money, and with markedly less effort, than previously possible. Employees enjoy full access to their applications, platforms, systems and data throughout their time with the organization, and your organization doesn t have to invest in long, expensive customizations or never-ending consulting engagements. You can even enable line-of-business employees to manage the identity lifecycle process through self-service, offloading IT overhead onto actual business data owners and custodians. Quest One Identity Manager also provides full workflow, including separation of duties that are often lacking in IAM solutions. With Quest One Identity Manager, identity management can finally be driven by the business needs, not simply by what IT can do. Quest One Identity Manager provides comprehensive yet simplified identity and access management, which enables organizations to follow the eight best practices for IAM outlined in this brief. Business Brief: Eight Best Practices for Identity and Access Management 6

BUSINESS BRIEF About Quest Software, Inc. Quest simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide. Our innovative solutions make solving the toughest IT management problems easier, enabling customers to save time and money across physical, virtual and cloud environments. For more information about Quest go to www.quest.com. Contacting Quest Software PHONE 800.306.9329 (United States and Canada) If you are located outside North America, you can find your local office information on our Web site. E-MAIL MAIL sales@quest.com Quest Software, Inc. World Headquarters 5 Polaris Way Aliso Viejo, CA 92656 USA Contacting Quest Support Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our Web self-service. Visit SupportLink at https://support.quest.com. SupportLink gives users of Quest Software products the ability to: Search Quest s online Knowledgebase Download the latest releases, documentation, and patches for Quest products Log support cases Manage existing support cases View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures. 5 Polaris Way, Aliso Viejo, CA 92656 PHONE 800.306.9329 WEB www.quest.com E-MAIL sales@quest.com If you are located outside North America, you can find local office information on our Web site. 2011 Quest Software, Inc. ALL RIGHTS RESERVED. Quest, Quest Software, the Quest Software logo are registered trademarks of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. BBW_8BestPractices4IAM_US_EC_20110208

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information