A Pragmatic Approach to Identity and Access Management
A Powerpoint file that presents my paper: "A Pragmatic Approach to Identity and Access Management"

  • Negative business value: missing something that adversely impacted the business (a resource, a role, etc.).
  • Project Paladin
  • IT has little control over aspects of access management for acquired products (structure, platform, etc.). Application delivery schedules are aggressive, and access management cannot be on the critical path. Environments evolve over time (an application that used Windows now has a Linux component). Directories vary in how entitlements are represented and maintained, with further issues related to referential integrity. Do not underestimate the issues concerning auto-provisioning or directory synchronization: how do you manage directory synchronization over 50+ data stores on different platforms, with the number still growing?
  • Applications are concerned only with their own A&A (authentication and authorization) requirements. Different IDs were assigned to the same individual. There was no authoritative source for non-employees. Human Resources was not concerned with A&A. How do you make terminations exhaustive and effective for all entitlements?
  • Enterprise requirements need a ‘top-down’ approach to the design, but the design must also work ‘bottom-up’, since disparate directories already exist. Understand the organization: HR functions, the resources to be managed, roles within resources, roles within departments. Who are the requestors, the resource owners (ROs) and the user administrators (UAs)? What are the policy, regulatory and security requirements?
  • Fixed deadline: how to meet it. Fixed objectives. Use automated processes where they can be easily implemented (i.e., with a minimum of interfaces). Build an access management capability from the enterprise perspective, as a foundation for further automation.
  • Two-phased approach: (1) a new workflow with governance, built on a meta-directory; (2) reconciliations.
  • Incorporate people, resources, entitlements, roles and support personnel into workflows. Define resources and roles. Define role prototypes.
  • The meta-directory drives all workflows. It is the authoritative source for non-employees, contains the downstream directories’ account IDs, holds the org chart for both employees and non-employees, holds employee data as provided by HR, schedules recertification of people and entitlements, and supports reconciliation using keys, not names.
  • What are the workflows? Request-Approval-Provision; Termination-De-provisioning; Recertify an employee; Recertify a non-employee; Recertify entitlements for a resource; Request a new resource; Reconciliation corrections; Trigger recertifications.
  • HR interface: HR cannot provide new hires until after they start, hence a Provisional Employee process.
  • Do you have to convert? Avoid converting bad data. Avoid converting non-employee entitlements.
  • Comparing the meta-directory (MD) against each downstream directory.
  • Assume that not all downstream directories are easily accessible; prioritize the low-hanging fruit.
  • Define processes to run on a schedule to extract downstream data, determine the differences between the directories, and generate corrections.
  • What is the trend of errors found? Are the manual processes error-prone? Which user admins are not doing a satisfactory job, or is it just a timing problem? Determine how the functions can be improved.

Presentation Transcript

  • A Pragmatic Solution For Identity & Access Management. Hank Gruenberg, CISM, CRISC, PMP, Information Security & IT Compliance, Tokio Marine Management, Inc. [email_address]
  • This presentation is based on the paper “A Pragmatic Solution for Identity and Access Management”, previously presented at various conferences. This paper is available on my LinkedIn page: http://www.linkedin.com/in/hankgruenberg For more information, contact me at [email_address] or USA: 917-626-8604. Hank Gruenberg, CISM, CRISC, PMP, Information Security & IT Compliance, Tokio Marine Management, Inc., New York, NY, U.S.A.
  • Situation: Regulatory Compliance
  • Goals: Compliance & Security
  • Solution: Custom Application
  • Why is Access Management Difficult?
  • Why Difficult… Many Varying Directories: Managing 80+ Directories; Varying Directory Formats; Adding New Applications; Aggressive Schedules
  • Why Difficult… Evolved Over Time (*A&A: Authentication & Authorization)
  • Why Difficult… Checking Entitlements
  • How Goals Were Achieved: Consider ‘Bottom Up’ Issues
  • Solved by… Guiding Principles; Identity Management Scope
  • Paladin Methodology
  • Phase 1
  • Phase 1 – Meta Directory… Establish the Meta-Directory (Key Point)
  • Phase 1 – Meta Directory… Paladin’s Meta Directory (Key Point)
  • Phase 1 – Meta Directory… What Paladin Isn’t. Results: No Impact On Applications
  • Phase 1 – Meta Directory… Establish objects and relationships
  • Phase 1 – Workflows… Define Workflows: Onboarding; Recertification; Governance: Request/Approve/Provision; Termination: De-provisioning
  • Phase 1 – Workflows… Incorporate Data & User Interfaces (Key Point). [Diagram: the Paladin Meta Directory at the center, fed by the Employee Roster (employee updates); actors Manager (Add Non-Employees, Request Entitlement), Resource Owner (Approve Entitlement) and Downstream Account Administrator (Work Order, Provision / De-provision Accounts, Account IDs); downstream Directory 1 … n]
  • Phase 1 – Data Conversion… Converting Existing Entitlements
  • Phase 2
  • Phase 2 – Reconciliation… Reconciling Directories. Paladin Meta Directory vs. Active Directory (Match?) and vs. the Customer Information System (Match? Problem):

        Name      App   Acct ID   Role
        Y Berra   CIS   BERRAY    User
        Mantle    CIS   MM7       User
        Maris     CIS   RM9       User
        T Kubek   CIS   xyz448    User

  • Phase 2 – Reconciliation… Which Directories To Automate? (*SSIS: SQL Server Integration Services)
  • Phase 2 – Reconciliation… Automated Reconciliation
  • Phase 2 – Reconciliation… Semi-Automated Reconciliation (Only Difference)
  • Phase 2 – Metrics: Effectiveness & Adjustments. Fixed the process; Conversion Issues. Numbers are illustrative.
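The reconciliation step described in the notes (extract downstream data on a schedule, diff it against the meta-directory, generate corrections) and in the Phase 2 slides, as an added example that is not code from the presentation or the Paladin project. It matches on the (app, account ID) key rather than on names, as the slides recommend; the case-folding of account IDs and the three correction types are assumptions made here, and the sample rows are constructed from the slide's illustrative CIS table.

```python
"""Reconcile a meta-directory (MD) against one downstream directory extract.

Added example, not the Paladin project's code. Keys are (app, account ID),
never person names; upper-casing account IDs is an assumption made here.
"""
from collections import Counter

# Constructed sample: MD rows (name, app, acct_id, role) mirror the slide's
# illustrative Customer Information System (CIS) table.
META_DIRECTORY = [
    {"name": "Y Berra", "app": "CIS", "acct_id": "BERRAY", "role": "User"},
    {"name": "Mantle", "app": "CIS", "acct_id": "MM7", "role": "User"},
    {"name": "Maris", "app": "CIS", "acct_id": "RM9", "role": "User"},
    {"name": "T Kubek", "app": "CIS", "acct_id": "xyz448", "role": "User"},
]

# Constructed extract of the CIS directory as a scheduled job would deliver it:
# RM9 is missing, MM7 has drifted to Admin, and TMP01 is unknown to the MD
# (an orphan, e.g. a termination that never reached this directory).
CIS_EXTRACT = [
    {"acct_id": "BERRAY", "role": "User"},
    {"acct_id": "MM7", "role": "Admin"},
    {"acct_id": "xyz448", "role": "User"},
    {"acct_id": "TMP01", "role": "User"},
]


def reconcile(md, extract, app):
    """Return correction work orders for one downstream directory."""
    expected = {r["acct_id"].upper(): r for r in md if r["app"] == app}
    actual = {r["acct_id"].upper(): r for r in extract}
    fixes = []
    for key in sorted(expected.keys() - actual.keys()):  # in MD only
        fixes.append({"acct_id": key, "action": "provision",
                      "detail": f"MD expects role {expected[key]['role']}"})
    for key in sorted(actual.keys() - expected.keys()):  # downstream only
        fixes.append({"acct_id": key, "action": "de-provision",
                      "detail": "orphan account with no MD entitlement"})
    for key in sorted(expected.keys() & actual.keys()):  # both: check role
        want, have = expected[key]["role"], actual[key]["role"]
        if want != have:
            fixes.append({"acct_id": key, "action": "fix-role",
                          "detail": f"MD says {want}, directory has {have}"})
    return fixes


def error_counts(fixes):
    """Per-action tallies: the raw material for the Phase 2 error trend."""
    return dict(Counter(f["action"] for f in fixes))


if __name__ == "__main__":
    orders = reconcile(META_DIRECTORY, CIS_EXTRACT, "CIS")
    print(orders, error_counts(orders))
```

Running the same job against each extract on a schedule and keeping the `error_counts` output per run gives the trend of errors the Metrics slide asks about.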
  • Key Points