Developing an Identity Management Strategy




Developing an Identity Management Strategy
Yvonne Wilson, Technical Director, Identity Management, Oracle On Demand Risk Management, Oracle Corporation
Copyright 2011 Yvonne Wilson, Oracle Corporation

Agenda
- The Problem
- What NOT to do
- How to engage the business
- Identify the impact of business initiatives on identity
- Develop Functional Strategy
- Develop Technical Strategy
- Conduct Assessment
- Prioritization
- Solutioning
- Funding

Identity Management: A Perfect Storm
- More applications
- More accounts to provision and track
- More usernames and passwords
- More phishing/malware
- Less control over user devices
- More use of hosted and cloud-based services
- More internet exposure for applications
- Rising levels of fraud
- Increasing requirements for compliance/regulation
Where to BEGIN?
[Image: Rembrandt van Rijn, The Storm on the Sea of Galilee (1632), via en.wikipedia.org]

What NOT to do
You should talk to The Business, but don't:
- Overwhelm them with identity management jargon
- Ask "What are your current identity management needs?" (you'll get tactical issues you can't solve in time)
- Ask "Please rank the priority of the following: SPML provisioning? Dual-factor authentication? Federated single sign-on? Role model analytics?" (the business has no idea what these are)
- Ask "What should we focus on in 2-3 years?"
- Engage in security fear-mongering

Identity Management is like the wheel on a car (the car being the business). The car won't get very far without the wheel, but the wheel by itself isn't terribly useful. The wheel's purpose in life is to help the car reach its destination.
[Image from Wikimedia Commons, US public domain]

Identify Business Trends, and talk to the business about them
Examples (pick what applies to your business):
- Social networking
- Mob discounts (e.g. Groupon etc.)
- Cloud computing
- Mobile computing (mobile access, search, location-based services)
- Leveraged business models/partnerships (supply chain, etc.)
- IPv6
- The storing and mining of big data
- Virtualization, of everything
- The need to go green
- Increasing legislation and regulation (privacy, SOX)
- Tough economy
The list doesn't have to be perfect, just enough to start the discussion.
Inspiration: EAEC article by Toyota (resource #1)

What to do
Ask the business about business trends, e.g.:
- What are the top business initiatives in your org?
- What IT changes are needed to support them?
- What mobile platforms do you need to support?
- How do you want to use social networking?
- What cloud computing services are you considering?
- Are you working on collaborations with any partners?
- Are you opening self-service systems to customers?
- Do you need connections to customers/partners for anything?
Ask for explanations/details for each of the above.

Business Trend / Identity Impact Map
Translate business trends to their impact on identity management. The slide maps each business trend to an IT impact and then to identity management impacts:
- Business trends: Increased outsourcing, use of cloud services; Increased use of more powerful handheld devices; Leveraging business partners; The social enterprise; Virtualization and middleware.
- IT impacts: Business using applications outside IT control; Application access over insecure networks; New categories of users; New access routes; Blending of work and personal identity; More admin accounts.
- Identity management impacts: Provisioning challenge; Password proliferation; Password exposure; Loss of compliance info; Strong authentication challenge; Deprovisioning challenges; Login authorization; Persistent identifiers; Lack of account control; Shared account management; Password rotation challenges.

Ask About IDM-related Pain Points too
SSO and Identity Federation
- Are your users overwhelmed with too many usernames or passwords?
- Are your helpdesk costs too high for account setup and password resets?
- Would you like single sign-on across domains, such as to cloud services?
Provisioning
- Do you need better control over account provisioning?
- Does onboarding of users take longer than it should?
- Do you need faster or more automated approval of user accounts?
- Does deprovisioning for terminated employees need to be more timely?
- Do you need better visibility into who has what kind of access across applications?
- Is it getting costly to manually produce compliance reports?
Strong Authentication
- Are you concerned that user login credentials might be phished or stolen?
- Do you want a risk-based approach to stronger authentication (not a one-size-fits-all model)?

Ask About IDM-related Pain Points too
Role Analytics, Segregation of Duties and Attestation
- Do you know the definition of every role in your apps and what they allow?
- Is your org struggling to track the roles you use in a big Excel spreadsheet?
- Are you suffering from role proliferation?
- Are you challenged with tracking attestation efforts in emails and spreadsheets?
- Are you confident that you have effective segregation of duties, so that a given person doesn't have too much access, such as the role to create invoices and the role to approve them?

Functional Strategy
For each impact/pain point identified, categorize it (my categories below):
- Provisioning
- Authentication
- Authorization
- Self Service
- Audit/Compliance
For each category:
- Identify the starting/current state
- Identify best practices / target state
Have a parking lot for "flying cars" ideas (avoid distraction).
Review the Functional Strategy with business stakeholders; build a shared vision of the target state.

Functional Strategy (example)
Provisioning
  Original state: Who gives out the keys to the kingdom? Lengthy manual provisioning. Scattered email approvals. Many usernames and passwords.
  Target state: All approvers are known. Fast, centralized provisioning. Authenticated, logged approvals governed by automated workflows. Single username and password.
Authentication
  Original state: Many usernames/passwords. Many logins every day. Static password and OTP device. Poor support for handhelds.
  Target state: Single username/password. Single sign-on. Choice of strong authentication solutions. Strong authentication solution for handhelds.
Authorization
  Original state: Decentralized, local in apps. Scattered audit trail of grants. Spotty updates for job changes.
  Target state: Centralized grants of roles. Authentication and log of approvals. Access updated upon internal transfer.
Reviewed with business stakeholders: sanity check, judge interest.

Functional Strategy (example)
Self Service
  Original state: Forgotten password = helpdesk cost. Users call around to request accounts from different app owners.
  Target state: Self-service password reset (cheap). One place to make a self-service account/role request.
Compliance
  Original state: "Admin" created Bob's account. How many know the Admin password? Who was user 53782? What can role "Manager" do? Costly manual compliance reporting. Attestation managed in Excel and email.
  Target state: A named user approved Bob's account. We know who has Admin privilege. ID-to-person mapping forever. Reports show Manager role privileges. Automated compliance reporting. Delegation workflows for attestation.
Data Center
  Original state: Local accounts on each server. Roles for a pre-VM/partner world. Shared account passwords not rotated. Command logging for some systems.
  Target state: Accounts in a scalable directory. Updated role model accommodates partners, virtual machines etc. Password management for all shared accounts. Command logging for all systems.

Identity Management Target State (Example)
Provisioning / Reconciliation / Attestation
- Automate, authenticate and log all account/privilege requests and approvals
- Provide adequate context to approvers so they can make informed decisions
- Automate de-provisioning upon job termination or internal transfer
- Implement reconciliation to identify local/rogue accounts created outside the IDM system
- Implement Segregation of Duties to limit each individual person's access appropriately
- Conduct periodic account/privilege reviews and have owners attest that the access is OK
- Eliminate/prevent local/manual accounts (not governed by the IDM infrastructure)
- Use named accounts wherever possible (minimize use of generic accounts)
Self Service
- Self-service profile update for profile information not used by security decisions
- Self-service forgotten-password reset with previously registered security questions
- One place to go to reset a password (not done individually in a lot of applications)
Password Management
- Use Single Sign-On to reduce the number and location of passwords
- Periodic password expiry for all accounts
- Use of a Password Manager wherever generic accounts are needed
- Enforce password standards at time of set/reset

Identity Management Target State (Example)
Authentication
- Use single sign-on to centralize authentication policy and credential validation
- Use strong authentication for higher-risk environments (internet access, administration)
- Provide a choice of strong authentication if possible (no single perfect solution)
- Use Federation where cross-domain single sign-on is needed (outsourcing/cloud), to minimize exposure of the SSO credential and to keep control of the strong authentication mechanism
- Leverage context info (device fingerprint, location, time of day etc.) for security decisions
Access Control
- Ensure the integrity of the data used for access control decisions (it is current and approved)
- Centralize policy decisions where applications allow such externalization
- Track roles in use: their definition, where they are used, who grants them, who has them
- A person's access and privileges are reviewed/updated upon job transfer within the org
Logging
- Log activity to capture who did what when, and the data used for the policy decision
- Log unique identifiers that forever resolve to a specific person, even as time passes
- Retain a repository of identifiers that has info even on users who've left the company
- Implement tamper-evident log files
- Provide visibility and reporting to facilitate periodic and anomaly-based review of access, and ensure it is used by those who know what to look for
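The three Logging items above (identifiers that always resolve to a person, a registry that outlives the user, tamper-evident log files) fit in a few dozen lines. The following is an added example written for this page, not code from the talk or from Oracle Identity Management; the person registry, identifiers, key and timestamps are constructed sample data, and the HMAC chain stands in for whatever a real log host would use.

```python
"""Hash-chained identity audit log with persistent person identifiers.

Added example, not code from the talk or from any product. Each record names
actor and subject by a persistent identifier that is never reused, the person
registry keeps entries for users who have left, and every record carries an
HMAC over the previous record's digest, so editing or deleting a line breaks
the chain. Registry, key and timestamps are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed registry. Identifiers are never recycled, so "53782" still
# resolves to a person after that person has been terminated.
PERSON_REGISTRY = {
    "53782": {"name": "Bob Example", "status": "terminated"},
    "61004": {"name": "Alice Approver", "status": "active"},
    "70010": {"name": "Dan Lee", "status": "active"},
}

# Constructed key. In practice it lives on a write-only log host or an HSM,
# never on the systems whose activity is being logged.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def resolve(identifier: str) -> str:
    """Map a logged identifier back to a person, even after they have left."""
    person = PERSON_REGISTRY[identifier]
    return f"{person['name']} ({person['status']})"


def _digest(prev_digest: str, record: dict) -> str:
    # Canonical JSON so the same record always authenticates the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_digest.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, ts: str, actor_id: str, action: str, subject_id: str,
           decision_data: dict) -> dict:
    """Append who did what to whom, plus the data the policy decision used."""
    for ident in (actor_id, subject_id):
        if ident not in PERSON_REGISTRY:
            raise ValueError(f"unknown identifier {ident!r}; log only persistent IDs")
    prev = log[-1]["digest"] if log else GENESIS
    record = {
        "seq": len(log),
        "ts": ts,
        "actor": actor_id,
        "action": action,
        "subject": subject_id,
        "decision_data": decision_data,
        "prev": prev,
    }
    entry = dict(record, digest=_digest(prev, record))
    log.append(entry)
    return entry


def verify(log: list):
    """Return (True, None) if the chain is intact, else (False, index of the first bad record)."""
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "digest"}
        expected_prev = log[i - 1]["digest"] if i else GENESIS
        if (record.get("seq") != i
                or record.get("prev") != expected_prev
                or not hmac.compare_digest(entry.get("digest", ""), _digest(expected_prev, record))):
            return False, i
    return True, None


def build_sample_log() -> list:
    """Constructed sequence: Alice approves and grants Bob's role, Dan later revokes it."""
    log = []
    append(log, "2011-03-01T09:00:00Z", "61004", "approve_account", "53782",
           {"system": "erp", "role": "AP_CLERK", "manager_approval": True})
    append(log, "2011-03-01T09:05:00Z", "61004", "grant_role", "53782",
           {"system": "erp", "role": "AP_CLERK", "sod_check": "pass"})
    append(log, "2011-06-15T14:30:00Z", "70010", "revoke_role", "53782",
           {"system": "erp", "role": "AP_CLERK", "reason": "internal transfer"})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify(sample))
    print("user 53782 was", resolve("53782"))
    sample[2]["action"] = "grant_role"  # rewrite history
    print("after tampering:", verify(sample))
```

Verification walks the chain from the genesis value and stops at the first record whose sequence number, stored predecessor digest or HMAC no longer matches, so an edited line and a deleted line are both detected. The key must not live on the systems whose activity is logged; an attacker who can rewrite the log and also holds the key can simply re-sign it.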

Identity Management Target State (Example)
Compliance
- There is visibility of what accounts and access a specific person has or had
- There is visibility of who has or had a particular type of access at any point in time
- There is visibility of when accounts and privileges started and stopped
- There is visibility of who approved every account or role that requires approval
- All provisioning of roles/access is governed by a Segregation of Duties check, so one individual person doesn't have too much access
- Reports can be automatically generated to produce most of what is needed for compliance
Architecture
- There is a recognized, authoritative source for each type of user and each profile attribute:
  - For employees it is usually an HR system (some info, such as cellphone number, might be self-service maintained)
  - For customer users it is usually a self-registration system on a customer portal
  - For partner users it varies: some are self-registered, some are in a contractor database, some are treated like employees and entered into HR
- Security decisions use trusted identity information from authoritative sources
- Separate administrative access and access to business data where possible
- All repositories of identity and access information are protected with security best practices
You can't do this all at once; that's OK. Make steady progress.

Technical Strategy
For each category identified:
- Identify steps to achieve the target state
- Identify dependencies
- Identify foundational elements; these enable many projects, so prioritize them first
- Ensure interim steps deliver some benefit
You may need separate strategies for different environments, with a different constituency for each:
- Internal, employee-facing environment
- External, customer-facing environment
- Data center
Review the resulting Technical Strategy with the business; explain benefits in the context of the Functional Strategy.

Technical Strategy (Example)
Highlighted items on the slide are foundational/core elements. Each area runs from near term (yr 1) through midterm (yr 2) to long term (yr 3); the items below are listed in that roadmap order.
Provisioning: Deploy provisioning tool; Integrate HR as source; Integrate corporate directory; Integrate SOX apps; Integrate HR apps; Integrate data center; Integrate other apps.
Authentication: Deploy WW (worldwide) directory; Deploy single sign-on; Integrate SOX apps; Strong authentication pilots; Integrate HR apps; Integrate data center; Deploy federation; Strong authentication within HR; Integrate other apps; Federation for cloud services; Two or more strong authentication solutions.
Authorization: Role model design; Role request workflow; Role provisioning; SOD integration; Deploy role analytics; Automate attestation.
This gives you a high-level project roadmap.

Technical Strategy (Example)
Highlighted items on the slide are foundational/core elements. Items are listed in roadmap order from near term (yr 1) to long term (yr 3).
Self Service: Provisioning tool allows profile updates and password updates for employees; Provisioning tool allows self-service registration for partners and customers; Support for role requests; Custom workflows for other types of resources.
Compliance: Identify the reporting needed; Ensure adequate audit log levels/info; Automate compliance reporting for SOX apps; Integrate compliance reporting for HR apps.
Data Center: Account/role cleanup; LDAP replaces NIS; LDAP integration for OS-level authentication; Password manager for OS shared accounts; SSO integration for web console tools; Provisioning integration; Use attestation tools.
Modify as needed for your organization's state and needs.

Assessment
Good for identifying tactical issues.
- Create an inventory of applications/systems
- Highlight those critical to identity management; focus on systems which control accounts/access
- Conduct an assessment of current capability / gaps
- Use a clear scoring rubric to reduce subjectivity
- Include a notes area for respondents to comment/clarify
- Interview respondents if possible for the best understanding
- Track context/scope for each response if appropriate
- Analysis tools to slice and dice the data are helpful

Scorecard Assessment (Example)
Each identity area is scored against a clear rubric, with a notes column for the respondent.
Account Provisioning
  5 = All accounts and roles centrally provisioned and reconciled
  4 = All accounts and roles centrally provisioned
  3 = Internal accounts provisioned; roles local in applications
  2 = Some accounts centrally provisioned, some local
  1 = No central provisioning; all accounts local
Authentication
  5 = Federated single sign-on
  4 = Single sign-on with strong authentication
  3 = Single sign-on, static password
  2 = LDAP directory authentication, static password
  1 = Local username, local static password
Application Integration
  5 = Most applications integrated with SSO
  4 = HR applications integrated with SSO
  3 = SOX applications integrated with SSO
  2 = Most applications integrated with directory
  1 = Few applications integrated with directory or SSO
Inspired by the assessment from the Information Security Forum, securityforum.org (resource #2). Include items to assess against your target state, e.g. slides 13-17 in my example.

Prioritization
- Make a master list of initiatives:
  - Strategic projects: strategy team
  - Tactical/mitigation projects: security operations
  - Data center projects: data center team
- Each security team is allocated X points across initiatives (a variation of the 100-points prioritization scheme)
- Voting is informed by assessment results, and also by dependencies and foundational elements
- Team leads met to synthesize results across teams
- Result: a master list of ranked priorities
- Tactical items were fed back into the strategic/technical roadmaps

Prioritization by Business Initiatives?
A scheme I will try next time includes business initiative ranking in prioritization (see resource #5).
Business initiative ranking:
  1. Make Money
  2. Increase Market Share
  3. Supply chain partnership
  4. Web-enabled customer portal
Project                 Initiatives supported   Average rank supported (low wins)
Provisioning            1, 3                    2 = (1+3)/2
Data Retention          1, 3                    2 = (1+3)/2
New log mgmt system     none                    n/a
Implement SSO           1, 2, 3, 4              2.5 = (1+2+3+4)/4
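The average-of-rank calculation from the table, combined with the earlier point that voting should be informed by dependencies and foundational elements, as an added example written for this page (not from the talk): the four projects and their scores come from the table, while the "Directory service" project and every dependency edge are assumptions added for illustration. A foundational item that supports no business initiative directly inherits the best score of the projects that depend on it, so it is scheduled before them instead of sinking to the bottom as "n/a".

```python
"""Rank initiatives by the business initiatives they support, then order by dependencies.

Added example, not code from the talk. Project names and scores follow the
slide's table; "Directory service" and the depends_on edges are assumptions
added for illustration.
"""
BUSINESS_INITIATIVES = {
    "Make Money": 1,
    "Increase Market Share": 2,
    "Supply chain partnership": 3,
    "Web-enabled customer portal": 4,
}

PROJECTS = {
    "Provisioning": {"supports": ["Make Money", "Supply chain partnership"],
                     "depends_on": ["Directory service"]},  # edge assumed
    "Data Retention": {"supports": ["Make Money", "Supply chain partnership"],
                       "depends_on": []},
    "New log mgmt system": {"supports": [], "depends_on": []},
    "Implement SSO": {"supports": list(BUSINESS_INITIATIVES),
                      "depends_on": ["Directory service"]},  # edge assumed
    "Directory service": {"supports": [], "depends_on": []},  # assumed foundational element
}


def average_rank(supported):
    """Slide formula: mean rank of the business initiatives supported; None when none."""
    if not supported:
        return None
    return sum(BUSINESS_INITIATIVES[name] for name in supported) / len(supported)


def dependents(name, projects):
    """Projects that list `name` as a prerequisite."""
    return [p for p, spec in projects.items() if name in spec["depends_on"]]


def effective_score(name, projects, _seen=()):
    """Own score, or the best score among projects that (transitively) depend on this one."""
    if name in _seen:
        raise ValueError(f"dependency cycle through {name!r}")
    scores = [average_rank(projects[name]["supports"])]
    for d in dependents(name, projects):
        scores.append(effective_score(d, projects, _seen + (name,)))
    scores = [s for s in scores if s is not None]
    return min(scores) if scores else None


def schedule(projects):
    """Order projects: prerequisites first, then lowest effective score, then most dependents."""
    def sort_key(p):
        s = effective_score(p, projects)
        return (s is None, s if s is not None else 0, -len(dependents(p, projects)), p)

    done, order = set(), []
    while len(order) < len(projects):
        ready = [p for p in projects
                 if p not in done and set(projects[p]["depends_on"]) <= done]
        if not ready:
            raise ValueError("unsatisfiable dependencies")
        nxt = min(ready, key=sort_key)
        order.append(nxt)
        done.add(nxt)
    return order


if __name__ == "__main__":
    for p in schedule(PROJECTS):
        print(f"{p:22} score={effective_score(p, PROJECTS)}")
```

Projects that support no business initiative and that nothing depends on (the log management system in the table) still come out last, which is the slide's "n/a"; the difference is only that a prerequisite is pulled forward by whatever depends on it.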

Solutioning
For each item prioritized:
- Research potential solutions
- Evaluate against requirements
- Conduct POCs/trials as needed
- Involve business stakeholders in POCs and trials; keep the discussion going
- If the business says a solution is horrible, keep looking

Funding
Identify the owners of projects enabled by the initiatives (they should be the same stakeholders as before) and go over the initiative and the benefits to their projects.
Key:
- Timing: several months before the annual budget cycle
- Early discussion of business initiatives
- Explanation of how the strategy supports business initiatives
- Involvement in product reviews and pilots ("skin in the game")
- Several discussions before the ask
Goal: business teams include our projects in their roadmap, and business teams fund our initiatives.

Questions?

Resources
1. Enterprise Architecture Executive Council, http://www.eaec.executiveboard.com
2. Information Security Forum, http://securityforum.org (used their security assessment)
3. Description of several prioritization methods, https://buildsecurityin.us-cert.gov/bsi/articles/bestpractices/requirements/545-bsi.html
4. Prioritization as in the Capital Allocation Problem, http://www.prioritysystem.com/mathematics1.html
5. Priority modeling based on business initiatives, http://it.toolbox.com/blogs/irm-blog/priority-modeling-6079

Oracle Identity Management Products
Identity Administration: Identity Manager; Identity & Access Governance
Access Management*: Access Manager; Adaptive Access Manager; Enterprise Single Sign-On; Identity Federation; Entitlements Server
Identity Analytics
Directory Services: Directory Server EE; Internet Directory; Virtual Directory
Oracle Platform Security Services
Operational Manageability: Management Pack for Identity Management
*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet

Recommendations: Early projects
Directory service deployment (technology, DIT design, governance model, usage policy); avg 6 months
- Virtual/meta directory if you have many directories or repositories of identity info
- Address namespace overlap across directories/domains/environments
Single sign-on (focus on critical apps first: SOX, HR, Legal, PI etc.)
- Benefits: user convenience; the static password credential is exposed only to a single place; a single place to quickly shut off access; a central log of authentication activity; a single place to implement other services such as strong authentication and federation
- Deploying SSO avg 6 months; apps avg 2-3 months per app

Recommendations: Second projects
Provisioning
- Focus on the employee community first; use HR as the source
- You probably need to include internal partners (consultants etc.): find the best source, clean up the data, and put a process in place to ensure integrity
- Automatic workflows to apps: everybody gets efficiency
- Approval workflows for apps requiring approval for access; the default is two approvals, manager and resource owner
- Can show ROI from automating compliance reporting and reducing help desk costs with self-service features
- Single place to control roles/privileges
- Reconciliation features can find local/rogue accounts
- Break this deployment into several steps
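Reconciliation, recommended above and listed in the target state as the way to find local/rogue accounts, is a diff between what a target actually has, what the provisioning system believes it created there, and what HR says about the owner. The following is an added example written for this page, not code from the talk or from any product; the server name, passwd lines, person identifiers, HR statuses and the UID threshold are all constructed sample data.

```python
"""Reconcile accounts found on a target system against the provisioning record.

Added example, not code from the talk or from any product. It parses
constructed /etc/passwd-style lines collected from one server, compares the
logins with what the provisioning system believes it created there and with
the owner's HR status, and classifies every account so that local/rogue
accounts and stale accounts of departed users come out for review.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

SYSTEM_UID_MAX = 999  # constructed convention: UIDs at or below this are OS service accounts

# Constructed passwd lines as collected from the target "web01".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bsmith:x:1001:1001:Bob Smith:/home/bsmith:/bin/bash
ajones:x:1002:1002:Alice Jones:/home/ajones:/bin/bash
deploy:x:1003:1003:deploy tool:/home/deploy:/bin/bash
cwu:x:1004:1004:Carol Wu:/home/cwu:/bin/bash
"""

# What the provisioning system recorded (constructed): target -> login -> person id.
IDM_PROVISIONED = {
    "web01": {"bsmith": "53782", "ajones": "61004", "dlee": "70010"},
}

# Authoritative HR status per person id (constructed).
HR_STATUS = {"53782": "terminated", "61004": "active", "70010": "active"}


@dataclass(frozen=True)
class Finding:
    login: str
    category: str  # managed | rogue | orphaned | missing
    detail: str


def parse_passwd(text: str) -> Iterator[tuple[str, int]]:
    """Yield (login, uid) from passwd-format lines; a malformed line is an error, not silently skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        yield fields[0], int(fields[2])


def reconcile(target: str, passwd_text: str) -> list[Finding]:
    """Classify each human account on the target against IDM and HR."""
    on_target = {login: uid for login, uid in parse_passwd(passwd_text) if uid > SYSTEM_UID_MAX}
    provisioned = IDM_PROVISIONED.get(target, {})
    findings = []
    for login, uid in sorted(on_target.items()):
        if login not in provisioned:
            findings.append(Finding(login, "rogue",
                                    f"uid {uid} exists on {target} but IDM never provisioned it"))
            continue
        person = provisioned[login]
        status = HR_STATUS.get(person, "unknown")
        if status == "active":
            findings.append(Finding(login, "managed", f"owner {person} is active"))
        else:
            findings.append(Finding(login, "orphaned",
                                    f"owner {person} is {status}; account should have been deprovisioned"))
    # Accounts IDM believes exist but the host does not have: a connector or drift problem.
    for login in sorted(set(provisioned) - set(on_target)):
        findings.append(Finding(login, "missing",
                                f"IDM records {login} on {target} but the host has no such login"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group logins by category for the reconciliation report."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.category, []).append(f.login)
    return report


if __name__ == "__main__":
    for f in reconcile("web01", SAMPLE_PASSWD):
        print(f"{f.category:9} {f.login:8} {f.detail}")
```

The "orphaned" category is the one the deprovisioning recommendation is about: the account was legitimately provisioned, but HR now says the owner is gone. "Rogue" accounts are the local/manual accounts the target state wants eliminated; a real run would feed both lists into the provisioning tool's remediation workflow rather than deleting anything from the script.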

Recommendations: Second projects (continued)
Federation
- Good if you have outsourced/cloud apps (or many domains)
- Puts you in control of authentication (and of the ability to add strong authentication, and in what form)
- Avg 3 months per federation if the other side is experienced; avg 6 months per federation if it is the first time for either side
Strong Authentication
- Good if you have internet-facing apps
- There isn't really one perfect solution for all users and devices; plan for two if you can afford it
- Don't ignore mobile/handheld devices; your users use them
- Timeframe varies widely by type of solution (6 months to 1+ years): shortest is server-side device fingerprinting, longest is certificates

Recommendations: Third Wave
Segregation of Duties
- Incorporate SOD checks into your provisioning workflows (as opposed to just periodic checks) so violations are never provisioned
Attestation
- Use a provisioning or identity analytics tool to manage the periodic inventory of accounts; better than a lot of spreadsheets
Identity Analytics
- If you think your accounts/privileges are really out of control, you might consider deploying this early on to help with the analysis and cleanup
- Otherwise, these can be useful to analyze and streamline/refine role models and access
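The SOD recommendation above, and the target-state items about SOD-governed provisioning, come down to one check inside the request workflow. The block below is an added example written for this page, not code from the talk or from any product; the toxic pairs, role names and people are constructed sample data. It also covers the case a periodic review misses: a role that has been approved but not yet provisioned still counts when the next request arrives, so two requests in flight cannot slip past each other.

```python
"""Segregation-of-duties check inside the provisioning workflow.

Added example, not code from the talk or from any product. A role request is
checked against the requester's current roles *and* roles already approved but
not yet provisioned, so a toxic combination is blocked before anything is
provisioned instead of being found at the next periodic review. The toxic
pairs, role names and people are constructed; a real deployment would load the
policy from the governance tool.
"""
from dataclasses import dataclass, field

# Constructed policy: pairs of roles one person must not hold together.
TOXIC_PAIRS = {
    frozenset({"AP_CREATE_INVOICE", "AP_APPROVE_INVOICE"}): "create and approve the same invoices",
    frozenset({"HR_CHANGE_SALARY", "HR_APPROVE_PAYROLL"}): "change salaries and approve payroll",
    frozenset({"SYS_DEPLOY_PROD", "CHG_APPROVE_CHANGE"}): "approve and deploy own production changes",
}


@dataclass
class Identity:
    person_id: str
    roles: set = field(default_factory=set)    # provisioned on target systems
    pending: set = field(default_factory=set)  # approved, not yet provisioned


@dataclass
class Decision:
    allowed: bool
    conflicts: list  # (held_role, reason) pairs
    note: str


def sod_conflicts(requested: str, held: set) -> list:
    """Every role already held that forms a toxic pair with the requested one."""
    found = []
    for pair, reason in TOXIC_PAIRS.items():
        if requested in pair:
            other = next(iter(pair - {requested}))
            if other in held:
                found.append((other, reason))
    return sorted(found)


def request_role(identity: Identity, requested: str, exception_approved: bool = False) -> Decision:
    """Workflow step: evaluate the request and, if allowed, queue the role for provisioning."""
    if requested in identity.roles or requested in identity.pending:
        return Decision(True, [], "already held or queued; nothing to provision")
    # Pending roles count: two requests in flight must not slip past each other.
    held = identity.roles | identity.pending
    conflicts = sod_conflicts(requested, held)
    if conflicts and not exception_approved:
        return Decision(False, conflicts, "blocked: SoD violation must not be provisioned")
    identity.pending.add(requested)
    note = "queued with documented SoD exception" if conflicts else "queued for provisioning"
    return Decision(True, conflicts, note)


def provision_pending(identity: Identity) -> set:
    """Connector step: move approved roles into the provisioned set."""
    done = set(identity.pending)
    identity.roles |= done
    identity.pending.clear()
    return done


if __name__ == "__main__":
    bob = Identity("53782", roles={"AP_CREATE_INVOICE"})
    print(request_role(bob, "AP_APPROVE_INVOICE"))
```

A blocked request returns the conflicting role and the policy reason so the approver sees why, which is the "adequate context to approvers" item from the target state. The `exception_approved` path exists because some small teams cannot avoid a toxic pair; the point is that the exception is an explicit, logged decision rather than something the workflow lets through by default.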