Id m what-why-how presentationv2.0

Transcript

  • 1. Identity Management: The What, Why and How? Airline Company. Presenting: John Bernhard, Enterprise Architect/Director, Bernhard Enterprise Architectures Pty Ltd. Dated: May 18, 2007
  • 2. Identity Management. Did you know?
    • IT costs x dollars per year to maintain user names and passwords
    • There have been x security breaches per year
    • Significant fraud instances per year
    • Cost and time for audits
    • New application: a simple set-up of user access appears to cost and take significant resources, and is very complex
    Date: May 18. BEA Pty Ltd - IdM: The What, Why and How?
  • 3. Identity Management. Thesis
    • Identity management (IdM) is a pervasive and federated infrastructure that transforms business relationships by managing access for the proper entities to the proper resources, both for the enterprise and for our customers.
    • The goal of an IdM service foundation is to consistently enforce business and security policies, regardless of network entry point, for employees, contractors, business partners and customers.
    • Enterprises need to map their IdM strategy and align it with their business goals.
    • IdM gives Airline Company a competitive advantage.
    • IdM enables an agile infrastructure for Airline Company.
    • IdM should be a service to the whole enterprise and its internet extension.
    • IdM is not a single product; it is everywhere in the organisation today.
  • 4. Identity Management. Agenda
    WHAT – What is IdM?
    • Introduction
    • What is Identity Management
    • Key Concepts and Principles
    • Overview of the current state of IdM within Airline Company
    • Conceptual Architecture – Current State
    WHY – Rationale, Drivers and Benefits
    • Business & Technical perspective
    • IdM case study
    HOW – IdM Services Architecture
    • Conceptual Architecture – Provisioning
    • Conceptual Architecture – Access Management
    • Compliancy (SOX 404, COBIT and ITIL)
    • Programme of Work – Identity Service
  • 5. Identity Management. WHAT – What is IdM? What is Identity Management?
    • A set of processes, and a supporting infrastructure, for the creation, maintenance and use of digital identities
    • Involves both technology and process
    • Involves managing unique IDs, attributes, credentials and entitlements
    • Must enable enterprises to create manageable identity lifecycles
    • Must scale from internally facing systems to externally facing applications and processes
    • Goal state: an Identity Service, infrastructure and authoritative sources, with clean integration across people, process and technology
  • 6. Identity Management. WHAT – What is IdM? The IdM process: managing the identity lifecycle
    Lifecycle (diagram): Registration / creation → Propagation → Accounts and policies → Maintenance / management → Termination
    • Today IdM is fragmented
    • Applications, databases and OSs lack a scalable, holistic means of managing identity, credentials and policy across boundaries
    • Overlapping repositories, inconsistent policy frameworks, process discontinuities
    • Error prone, creates security loopholes, expensive to manage
    • The focus on business process, Web services and networked applications has put identity on the front burner
    • In the current structure this is managed on an individual application and infrastructure basis
    • Infrastructure requirements: extend reach and range; increase scalability and lower costs; balance centralised and distributed management via loose coupling
  • 7. Identity Management. WHAT – What is IdM? Beyond directory: IdM requires integrated infrastructure
    These technologies represent the major lifecycle management processes involved with IdM. In addition, audit surrounds these services for accountability and control.
    IdM technologies (diagram): directory services at the centre, surrounded by the identity management services: provisioning services; authentication services; web-based access management services; authorisation services
  • 8. Identity Management. WHAT – What is IdM? Burton Group's view of IdM evolution (figure only)
  • 9. Identity Management. WHAT – What is IdM? Directory services are the first step toward IdM for Airline Company
    Directory services support the other IdM and federated technologies through:
    • Repository services for policies, authentication credentials, roles, groups and rules
    • Information integration, mapping and referral between the IdM applications and the enterprise "repositories of record"
    • Standardised LDAP authentication for applications
    • General-purpose storage for IdM applications
    • Virtual directory technology to provide a federated identity data service
    Once the directory services are in place, other IdM policies and technologies can be implemented depending on the business justification required.
  • 10. Identity Management. WHAT – What is IdM? Process integration is just as important as the technology
    Layered view (diagram, top to bottom):
    • Identity-based company access: business applications
    • Advanced business infrastructure: business process integration
    • Meta directory services
    • Basic business infrastructure: LDAP directories, databases, messaging, PBX / CTI / VoIP, security / PKI, management services, object services, web services
    • Enabling technology: network / basic infrastructure (network, servers, routers, OS, transport services)
  • 11. Identity Management. WHAT – What is IdM? Key Concepts and Principles
    The IdM Service Components Architecture provides an infrastructure that supports the key identity services:
    • Reconciliation / Audit / Compliancy
    • Provisioning
    • Workflow
    • Authentication, Authorisation and Auditing
    • Federation
    • Synchronisation
    • Delegation
    • Secure Self Service
    • Password Management
    A scalable, re-usable, integrated set of business processes supported by the IdM infrastructure. Develop an IdM Service foundation covering all IdM-related elements.
  • 12. Identity Management. WHAT – What is IdM? Current state of IdM within Airline Company
    (Speaker notes: talk about the current state; state current issues and problems)
    Problems:
    • Help desk: password resets
    • Provisioning and de-provisioning not really happening
    • Process complexity
    • Bullet points on current employee processes
    • Bullet points on current customer / business partner registration
    Admin overhead:
    • State the current overhead of maintaining employee details
    • State the current overhead of aligning current customer details with the various applications
  • 13. Identity Management. WHAT – What is IdM? Current state of IdM within Airline Company (continued)
    • Identity access not controlled
    • No current governance or policies in place in relation to IdM
    • "Coming on-board" business processes not well defined
    • Security issues: PCI non-compliancy; PCI issues related to IdM
    • Identity theft, related to Koru, Frequent Flyer Points and Travel card members
    • Security policy: compliance verification
    • Auditing (external auditors): state the auditing issues, specifically in relation to SOX 404 (manual vs automated)
    • Compliance problem: very difficult to audit who has access, in terms of PCI/SOX compliancy and due diligence
  • 14. Identity Management. WHAT – What is IdM? Conceptual Architecture: current state of identity-related apps / touch points (figure only)
  • 15. Identity Management. WHY – Rationale, Drivers and Benefits. Business drivers for an identity service
    From an executive's point of view, the most important business drivers to address via IdM include:
    Regulatory compliance:
    • Sarbanes-Oxley (SOX)
    • COBIT (ITIL framework)
    • Policy-based compliance
    • PCI policy
    • GAAP (third-party audit)
    Risk management:
    • Reporting (custom / automated)
    • Terminations (business best practices)
    • Adherence to policy
    • Audit management
    Business need:
    • External users' access
    • Employee personalisation
    • Outsourcing
    • New products and services (time to market)
    • Enhanced user experience
    • Need to tie into business strategy
    Cost containment (internal / external) and operational efficiency:
    • Cost reduction / avoidance
    • Common architecture
    • Productivity savings
    • Improved SLAs
  • 16. Identity Management. WHY – Rationale, Drivers and Benefits. IdM infrastructure benefits
    Improved user experience:
    • Improves employee efficiency
    • Strengthens customer retention
    • Minimises errors
    • Clarifies business processes
    • Improved user productivity
    Cost savings, hard-dollar (easily measured):
    • Helpdesk password resets
    • Avoids duplication of admin duties
    • Eliminates redundant software and solutions
    Cost savings, soft-dollar:
    • Avoids hidden administrative costs
    Security: lifecycle identity administration:
    • Partitions identity management
    • Eliminates dormant and orphan accounts
    • Facilitates auditing and accountability
    • Enables delegated and self-service account administration
    • Supports internal audits
    Security: policy enforcement:
    • Ensures regulatory compliance
    • Protects corporate information
    • Safeguards intellectual property
    • Assures stronger authorisation based on information value / sensitivity
    • Enables risk and liability management
    Competitive advantage:
    • Improves corporate image and employee relationships
    • Yields a flexible IdM infrastructure
    • Facilitates mergers / divestments
  • 17. Identity Management. WHY – Rationale, Drivers and Benefits. The challenge
    • Today's identity management systems are ad-hocracies, built one application or system at a time
    • Apps, databases and OSes lack a scalable, holistic means of managing identity, credentials and policy across boundaries
    • Fragmented identity infrastructure: overlapping repositories, inconsistent policy frameworks, process discontinuities
    • Error prone, creates security loopholes, expensive to manage
    • The disappearing perimeter has put identity on the front burner
    • Infrastructure requirements: extend reach and range; increased scalability and lower costs; a balance of centralised and distributed management
    • Infrastructure must be delivered as a service (an Identity Service) and be re-usable
  • 18. Identity Management. WHY – Rationale, Drivers and Benefits. Risks
    • Reduced risk of improper use of IT systems
    • Reduced risk of privacy or other regulatory violations
    • Substantial administration cost savings by reducing redundant security administration
    • Accelerated time to market for new products and services to customers (targeted audience), and reduced deployment costs
    • Reduced cost of internal and external auditing
    • Better customer experience and increased retention
  • 19. Identity Management. HOW – IdM Services Architecture. Objectives
    • Define the role of identity management in the context of business requirements
    • Develop an IdM framework and guidelines
    • Implement re-usable identity services
    • Develop and implement company-wide role management
    • Document and streamline current and new identity-related business processes
    • Provide a single view of employee, contractor, customer and business partner identity and entitlement
  • 20. Identity Management. HOW – IdM Services Architecture. Mapping drivers to benefits to services
    IdM business drivers: cost containment; operational efficiency; business need; regulatory compliance; risk management
    IdM benefits: improves user experience (quality of experience, QoE); provides cost savings; supports policy enforcement; adds to competitive advantage; provides lifecycle identity administration
    IdM services: identity and policy administration; directory services; access management; remote access; federation; provisioning; portals / self-service
    One of the key tasks is to understand how to map the executive's business drivers onto the benefits of IdM services, and then to map those onto the technologies selected for deployment. As illustrated here, there are many overlaps and disconnects that make the mapping difficult, though not impossible.
  • 21. Identity Management. HOW – IdM Services Architecture. Conceptual Architecture: Provisioning (figure only)
  • 22. Identity Management. HOW – IdM Services Architecture. Conceptual Architecture: Access Management (figure only)
  • 23. Identity Management. HOW – IdM Services Architecture. 7 of the top 10 control deficiencies focus on secure identity management
    1. Operating system (e.g. Unix) access controls supporting financial applications or the portal not secure
    2. Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, PeopleSoft, JDE) not secure
    3. Development staff can run business transactions in production
    4. Large number of users with access to "super user" transactions in production
    5. Terminated employees or departed consultants still have access
    6. Posting periods not restricted within the GL application
    7. Custom programs, tables and interfaces are not secured
    8. Unidentified or unresolved segregation-of-duties issues
    9. Procedures for manual processes do not exist or are not followed
    10. System documentation does not match the actual process
    Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04
  • 24. Identity Management. HOW – IdM Services Architecture. Compliancy: what is SOX (Sarbanes-Oxley) compliancy?
    Companies must regularly provide external auditors with proof of their compliance with laws and regulations. An example is the Sarbanes-Oxley (SOX) law, which applies to listed American companies and, generally, to non-US companies listed on a US stock exchange. These laws and regulations may aim at preserving the integrity of financial data (the case of SOX and the French Law on Financial Security).
    Generally, compliance requires identifying risks, defining control objectives in order to tackle them, and deciding on control activities to attain these objectives. Finally, in view of these activities, it is necessary to prepare adequate tests to ensure that these processes exist, are applied and are working effectively. These tests have two objectives. On the one hand, they are used to constantly improve the processes and to provide information to management and external auditors. On the other hand, they are used as evidence during certification to convince external auditors of the organisation's compliance with laws and regulations.
  • 25. Identity Management. HOW – IdM Services Architecture. Compliancy: why SOX (Sarbanes-Oxley) compliancy?
    In some organisations, a large part of the risk of non-conformity to those regulations is due to inadequate identity and access management. In fact, beyond the problem of identity theft, actions made possible by wrongly assigned rights are a major source of security breaches. Therefore, an Identity and Access Management (IAM) solution can be a significant help in the effort to comply with these laws and regulations. Moreover, such a solution can be used simply to upgrade a set of existing control procedures, so as to simplify them or adapt them to organisational changes.
    In addition to the functions it brings in, identity and access management must show evidence of its effectiveness. This evidence must be made available in writing and on demand to an auditor, for review and archiving.
  • 26. Identity Management. HOW – IdM Services Architecture. Compliancy: SOX reference framework
    Section 404 of SOX does not specify which set of formal evaluation categories, known as a "framework", must be used in the assessment of controls over financial reporting. A company may choose a specific IT control framework, as long as it can convince its external auditor that its controls satisfy the requirements for effectiveness. A framework of IT control objectives that is often used in the context of SOX is Control Objectives for Information and related Technology (COBIT), issued by the IT Governance Institute, ITGI (www.itgi.org).
    SOX created the Public Company Accounting Oversight Board (PCAOB), a non-profit organisation, to oversee the auditors of public companies. The PCAOB is charged with issuing guidelines for auditors on how to audit different aspects of reports, including those related to section 404. As long as the resulting controls satisfy the requirements set forth by the PCAOB's auditing standard, companies can conceivably use IT control frameworks other than COBIT, such as those included in the IT Infrastructure Library, ITIL (www.itil.co.uk), or ISO 17799. Companies may also choose a proprietary control framework developed by consulting and audit firms. It is important that companies work closely with their external auditors, especially in the first rounds of SOX section 404 implementation and certification.
  • 27. Identity Management. HOW – IdM Services Architecture. Compliancy: ITIL framework
    You can only maintain the ITIL framework once you have completed the Identity Services Foundation, which enables compliant ITIL operations support and services.
  • 28. Identity Management. HOW – IdM Services Architecture. Programme of Work – Identity Service
    1) Agree on the IdM Service strategy
    2) Agree on the programme and timeframe
    3) Agree on the first 12 months of projects
    Project 1: Service Foundation – Reconciliation process (months 1 to 4)
    A. Understand the problem: reconciliation of the main applications in relation to employees and contractors
    B. Understand the problem: reconciliation of our main customer / business partner applications (in light of a drive to a single view of the customer)
    This will identify the accounts related to business users, which in turn can be used, once completed, as input to Project 5.
    Project 2: Provisioning – Phase 1 (months 2 to 8)
    Project 3: Access Management – Phase 1 (months 3 to 9)
    Project 4: Active Directory clean-up / re-design of AD (months 1 to 6)
    Project 5: Profile-Based System Access (months 6 to 9): inception / validate approach; profile discovery / HR business role alignment; profile lifecycle management
    Governance framework development and technology road-mapping (months 9 to 18)
    Note: a business analyst needs to be assigned to this project to define the service elements from a business requirements perspective (an IdM-based BA).
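The reconciliation in Project 1 above, and the checks behind control deficiencies 3, 4, 5 and 8 on slide 23 (plus the dormant and orphan accounts that slide 16 says IdM eliminates), come down to one join: the HR feed is the source of record for people, and every account export from a target system is compared against it. The following Python script is an added example, not code from the presentation or from Bernhard Enterprise Architectures; the HR records, the AD and SAP account exports, the entitlement names (Domain Admins, SAP_ALL, FB60, F110), the development department name and every threshold are constructed for illustration and would be replaced by the airline's own exports and policy.

```python
"""Account reconciliation against the HR system of record.

Added example, not code from the presentation. The HR feed, the AD/SAP account
exports, the entitlement names and every threshold below are constructed for
illustration.
"""
from collections import Counter
from datetime import date, timedelta

AS_OF = date(2007, 5, 18)  # reconciliation run date (constructed)

# Constructed HR feed: the authoritative source for employees and contractors.
HR_FEED = [
    {"uid": "jdoe",   "type": "employee",   "status": "active",     "dept": "finance"},
    {"uid": "asmith", "type": "employee",   "status": "terminated", "dept": "finance"},
    {"uid": "bwong",  "type": "contractor", "status": "active",     "dept": "it-dev"},
    {"uid": "clee",   "type": "employee",   "status": "active",     "dept": "it-ops"},
]

# Constructed account exports from two target systems. Entitlement names are
# the systems' own group / profile / transaction identifiers.
ACCOUNTS = [
    {"system": "AD",  "uid": "jdoe",    "entitlements": ["Domain Users"],    "last_logon": date(2007, 5, 10)},
    {"system": "AD",  "uid": "asmith",  "entitlements": ["Domain Users"],    "last_logon": date(2007, 1, 3)},
    {"system": "AD",  "uid": "svc_old", "entitlements": ["Domain Admins"],   "last_logon": date(2006, 11, 20)},
    {"system": "SAP", "uid": "jdoe",    "entitlements": ["FB60", "F110"],    "last_logon": date(2007, 5, 15)},
    {"system": "SAP", "uid": "bwong",   "entitlements": ["SAP_ALL", "FB60"], "last_logon": date(2007, 5, 16)},
    {"system": "SAP", "uid": "clee",    "entitlements": ["SAP_ALL"],         "last_logon": date(2007, 5, 17)},
    {"system": "SAP", "uid": "asmith",  "entitlements": ["FB60"],            "last_logon": date(2007, 2, 1)},
]

# Illustrative policy (assumptions): which entitlements count as "super user",
# which are business transactions in production, which pairs conflict (SoD),
# which departments are development, and when an account counts as dormant.
SUPERUSER = {("AD", "Domain Admins"), ("SAP", "SAP_ALL")}
PROD_TXN = {("SAP", "FB60"), ("SAP", "F110")}
SOD_PAIRS = [frozenset({("SAP", "FB60"), ("SAP", "F110")})]  # enter invoice + run payments
DEV_DEPTS = {"it-dev"}
DORMANT_AFTER = timedelta(days=90)
MAX_SUPERUSERS_PER_SYSTEM = 1


def reconcile(hr_feed, accounts, as_of):
    """Return (kind, system, uid, detail) findings for every control exception."""
    people = {p["uid"]: p for p in hr_feed}
    superusers = Counter()
    findings = []
    for acct in accounts:
        system, uid = acct["system"], acct["uid"]
        ents = {(system, e) for e in acct["entitlements"]}
        person = people.get(uid)
        if person is None:                        # orphan: nobody in HR owns it
            findings.append(("orphan", system, uid, "no HR record"))
        else:
            if person["status"] == "terminated":  # deficiency 5
                findings.append(("terminated_active", system, uid, "HR status terminated"))
            if person["dept"] in DEV_DEPTS and ents & PROD_TXN:  # deficiency 3
                findings.append(("dev_in_production", system, uid,
                                 sorted(e for _, e in ents & PROD_TXN)))
        if ents & SUPERUSER:                      # deficiency 4, counted per system
            superusers[system] += 1
            findings.append(("superuser", system, uid, sorted(e for _, e in ents & SUPERUSER)))
        for pair in SOD_PAIRS:                    # deficiency 8
            if pair <= ents:
                findings.append(("sod_conflict", system, uid, sorted(e for _, e in pair)))
        idle = as_of - acct["last_logon"]
        if idle > DORMANT_AFTER:                  # dormant account
            findings.append(("dormant", system, uid, f"no logon for {idle.days} days"))
    for system, n in superusers.items():
        if n > MAX_SUPERUSERS_PER_SYSTEM:
            findings.append(("excess_superusers", system, "*", f"{n} > {MAX_SUPERUSERS_PER_SYSTEM}"))
    return findings


def by_kind(findings):
    """Group findings as {kind: sorted [(system, uid), ...]} for the audit report."""
    grouped = {}
    for kind, system, uid, _ in findings:
        grouped.setdefault(kind, []).append((system, uid))
    return {kind: sorted(v) for kind, v in grouped.items()}


def run_sample():
    """Reconcile the constructed sample data as of AS_OF."""
    return by_kind(reconcile(HR_FEED, ACCOUNTS, AS_OF))


if __name__ == "__main__":
    for kind, system, uid, detail in reconcile(HR_FEED, ACCOUNTS, AS_OF):
        print(f"{kind:20} {system:4} {uid:8} {detail}")
```

Two design points matter when this is run for real. The HR feed must be the only source that decides whether a person exists and whether they are active; an account that is "active" in AD but unknown to HR is reported as an orphan rather than silently trusted, which is exactly the class of account that deficiency 5 and slide 16 describe. And the super-user check is counted per target system after the loop, because the deficiency is about the number of such users in production, not about any single account.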