IDENTITY MANAGEMENT AND WEB SECURITY: A Customer's Pragmatic Approach

AGENDA
What is Identity Management (IDM) or Identity and Access Management (IAM)?
Benefits of IDM
IDM Best Practices
Challenges to Implement
Wrapping Up
IDM VS. IAM
Identity Management (IDM) is a broad administrative area that deals with identifying individuals in a system (such as a country, a network, or an enterprise) and controlling their access to resources within that system by associating user rights and restrictions with the established identity. (TechTarget, http://searchunifiedcommunications.techtarget.com/definition/identitymanagement)
The Identity and Access Management (IAM) model provides a framework for simplifying the management of access to services, implementing policy, increasing transparency, and enabling operations to scale by integrating an enterprise identity management infrastructure with services provided by both central and distributed IT. (Internet2, Identity and Access Management)
IDENTITY AND ACCESS MANAGEMENT: What Is It?
Provisioning / De-provisioning process improvement
Life Cycle: User On-Boarding; Access Control and Management; Authentication (including multi-factor and physical security); User Termination / Disablement
Access Provisioning
Single Sign-On
Password Self Service
Access Management
Access Control
Provides a security framework to assist with compliance
ORGANIZATIONAL IDENTITY MANAGEMENT DREAMS
The Dream vs. The Reality:
Centralized authentication and authorization infrastructure -> Multiple authentication and authorization infrastructures
Common enterprise-wide constituent identifier -> Multiple identifiers
Strong authentication for all applications -> Variable authentication dependent on application
Centralized Identity Store -> Multiple Identity Stores / User repositories
Uniform and efficient provisioning workflow -> Disjointed workflows
Why Identity Management?
Solution: Web Single Sign-On (WebSSO)
  Business Problem: Multiple UserIDs & Passwords; Password Management; Security
  Value: Single UserID; Single Password; Strong Authentication; Audit Reports; Centralized Password
  Value for Organization: Single Password for Administrators / Developers / Non-standard Users; Eliminate need to log in multiple times; Elimination of Network Service Request Form
Solution: Provisioning & Governance
  Business Problem: Delayed On-boarding; Costly Password Resets; Error Prone; Orphan Accounts / De-Provisioning
  Value: Automated Hire-to-Retire Process; Self Service; Approval Workflows; Audit Reports
  Value for Organization: Access to view paystubs online; VPN for all; Self password reset
Solution: Role Based Access Control (RBAC)
  Business Problem: Manual Periodic Access Review; Hard to Detect Inappropriate Privileges; Difficult to Enforce Segregation of Duties Control
  Value: Automate Audit and Compliance Reporting; Detect and Eliminate Orphan Accounts; Streamline Periodic Access Review Process
  Value for Organization: Periodic Access Review of PeopleSoft Access; Fine-Grained Access Review; Web-Based Audit Report Dashboard
Solution: Federated Services
  Business Problem: High Cost of Project Integration for future Partner Site / Customer Integration; Burden of Identity Ownership
  Value: Improved Customer / Partner Relationship; Improved Customer Enrollment; New Services
  Value for Organization: eGovernance Compliant
BASIC CAPABILITIES
Automated account creation
Directory/AD integration and synchronization
Centralized authentication and authorization
Delegated Administration
Reduced/Single Sign-On
Event logging

ENHANCED CAPABILITIES
User Self-service
Automated provisioning
User interfaces ("My Identity")
Logging, auditing, and reporting
Automated workflow
IT User asset inventory
Automated notifications
Strong authentication

ADVANCED CAPABILITIES
Role Based Access Control (RBAC)
Advanced provisioning
Role-based self-service
Policy-based asset management
Customized compliance reports
Advanced auditing and reporting
Federated identity services
IDM/SIEM integration
Identity as a service (SOA)
Physical access card integration
CHALLENGES
Complexity of IAM software and product offerings
Lack of education and awareness
Poor understanding/communication of program benefits
Platform vs. Point Solutions
IT sponsorship vs. business sponsorship
Budget
Authoritative Sources
Data Integrity
Reluctance of system/data owners
Slow deployment; failure to show rapid value or benefit capture

BEST PRACTICES
Identity Strategy and Organizational Positioning
Define the Business Benefit
Planning and Effective Implementation
Future-Ready Architecture Today
Select Best Identity Services Technology and Functionality
Develop and communicate a Roadmap
Desired Future State (architecture diagram; labels recovered from the slide)
Capability areas: Reduced / Single Sign-On (PeopleSoft SSO Server, Trapeze SSO Server); Provisioning (PeopleSoft, Maximo, Portal); Compliance Automation and Role Based Access Control (Identity Analytics / RBAC); Federations and Strong AuthN; Virtual Directory; Reporting Engine; Workflow Engine
Connected systems: All Accounts, AD, Mail, PSFT, Maximo, VPN / Laptop, CRM, SharePoint, OWA; Internet Users / Customers / Partners
Goals: Reduce Password Reset; Reduced / Single Sign-On; Establish Unique Global IDs; Fraud Prevention; Initiate Role Based Access Control; Streamline Hire-to-Retire Process; Self Password Reset; Self Service Account Request; Delegated Administration; Approval-Based Provisioning; Periodic Access Review; Compliance Reporting; Segregation of Duties (SoD); Access Certifications / Attestation; Role Governance; Rogue Account Management; Multi-Factor AuthN; Partner On-Boarding; Authentication Security; Real-time Anomaly Detection; Proactive Fraud Prevention; Reporting and Forensics; Security and Identity Governance Framework
WEB SECURITY
Identity Federation
Services Oriented Architecture (SOA)
Centralized Account De/Provisioning
Integration with Physical Security
Attestation and Entitlements
Role Based Access Control (RBAC)

Federated Services: What is Identity Federation?
Identity: personal information used to identify a user
Federation: establish trust relationships among decentralized security and policy domains
Benefits:
Each domain shares its local identity and security information via a standard mechanism
Each domain retains its own internal directory, meta-directory, account provisioning and PKI services
No central identity repository
SSO to heterogeneous applications on federated sites
STREAMLINED PROVISIONING OF ACCOUNTS AND GROUPS (process diagram; labels recovered from the slide)
Authoritative sources: HR, CRM, ABC+ HR Application, EPM
New Employee: fed from HR into Maximo, Portal, PAR / SPAR, Trapeze, GIS, COGNOS
New Contractors: Manager enters new contractor details
Net New Customers, Partners, Delegated Administrators: Self Registration, then Approve or Reject
Targets: AD, Exchange, Directory; IT Infrastructure Systems; Physical Assets and IT Assets

Role Based Access Control

Advanced Security
WRAPPING UP
Research: Administrative / Programmatic
Business Sponsor / Stakeholder Acceptance
Communicate Plan
Communicate Technical
A well-defined, single, logical identity repository shall contain the gold copy of all identity information, which is in turn updated solely by trusted, authoritative sources.
The identity infrastructure shall provide meaningful reports on auditable identity events as required for compliance purposes.
The identity management infrastructure shall be sufficiently flexible and interoperable to support a heterogeneous environment.
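The three closing principles, together with the orphan-account and hire-to-retire items from the provisioning slides, can be shown in a small model. The code below is an added illustration, not WMATA's implementation or any vendor's product: it keeps one gold-copy store that accepts changes only from the source that is authoritative for a population (the mapping of HR to employees and a manager's entry to contractors is an assumption taken from the provisioning slide), records every accepted or rejected change as an auditable event, and reviews a constructed target system's account list for orphans.

```python
from datetime import datetime, timezone

# Constructed mapping (an assumption for this example): which feed is the trusted,
# authoritative source for each population. The slides name HR for new employees
# and a manager's entry for new contractors.
AUTHORITATIVE_SOURCES = {"employee": "HR", "contractor": "MANAGER_ENTRY"}


class IdentityStore:
    """Single logical identity repository (the 'gold copy'). Only the authoritative
    source for a population may create, update or disable a record, and every
    accepted or rejected change is written to an audit log for compliance reports."""

    def __init__(self):
        self.records = {}    # global_id -> {"population": ..., "active": bool}
        self.audit_log = []  # one dict per auditable identity event

    def _log(self, event, global_id, source, detail):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "id": global_id,
                               "source": source, "detail": detail})

    def upsert(self, global_id, population, source, active=True):
        """Create/update a record; returns False and logs a rejection if the
        caller is not the authoritative source for that population."""
        if AUTHORITATIVE_SOURCES.get(population) != source:
            self._log("REJECTED", global_id, source,
                      f"{source} is not authoritative for {population}")
            return False
        self.records[global_id] = {"population": population, "active": active}
        self._log("UPSERT" if active else "DISABLE", global_id, source,
                  f"population={population}")
        return True

    def terminate(self, global_id, source):
        """Hire-to-retire: disable the identity; the same source rule applies."""
        rec = self.records.get(global_id)
        if rec is None:
            return False
        return self.upsert(global_id, rec["population"], source, active=False)


def orphan_accounts(store, target_accounts):
    """Periodic access review over one target system (AD, Maximo, PeopleSoft ...):
    return accounts whose owner is absent from the gold copy or has been disabled,
    i.e. candidates for de-provisioning. target_accounts maps account -> global_id."""
    return sorted(acct for acct, gid in target_accounts.items()
                  if gid not in store.records or not store.records[gid]["active"])
```

A real deployment would replace the in-memory dictionaries with the directory and workflow engine, but the two checks (source authority on every write, and target accounts reconciled against the gold copy) are the controls the slides ask for.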
Victor Iwugo, Chief Information Security Officer, Washington Metropolitan Area Transit Authority (WMATA)