A Pragmatic Approach to Identity and Access Management


A Powerpoint file that presents my paper: "A Pragmatic Approach to Identity and Access Management"

Speaker notes:
  • Negative business value: missing something that adversely impacts the business (a resource, a role, etc.)
  • Project Paladin
  • IT has little control over aspects of access management for acquired products (structure, platform, etc.)
    - Application delivery schedules are aggressive, and access management cannot be on the critical path
    - The estate evolves over time (e.g., started on Windows and now has a Linux application)
    - Products vary in how entitlements are represented and maintained, and in other issues related to referential integrity
    - Do not underestimate the issues around auto-provisioning and directory synchronization: how do you manage directory synch across 50+ data stores on different platforms, with the number still growing?
  • Applications are concerned only with their own A&A (authentication and authorization) requirements
    - Different IDs were assigned to the same individual
    - There was no authoritative source for non-employees
    - Human Resources was not concerned with A&A
    - How do you make terminations exhaustive and effective for all entitlements?
  • Enterprise requirements need a ‘top-down’ approach to the design
    - The design must also work ‘bottom-up’, since disparate directories already exist
    - Understand the organization: HR functions, the resources to be managed, roles within resources, roles within departments
    - Who are the requestors? The resource owners (ROs)? The user administrators (UAs)?
    - What are the policy, regulatory and security requirements?
  • Fixed deadline: how to meet it
    - Fixed objectives
    - Use automated processes where they can be easily implemented (i.e., a minimum of interfaces)
    - Deliver an access management capability from the enterprise perspective
    - Lay the foundation for further automation
  • Two-phased approach
    - Phase 1: a new workflow with governance, built on a meta-directory
    - Phase 2: reconciliations
  • Incorporate people, resources, entitlements, roles and support personnel into the workflows
    - Define resources and roles
    - Define role prototypes
  • The meta-directory drives all workflows
    - It is the authoritative source for non-employees
    - It contains the downstream directories’ account IDs
    - It holds the org chart for both employees and non-employees
    - Employee data is as provided by HR
    - It schedules recertification of people and entitlements
    - It supports reconciliation using keys, not names
  • What are the workflows?
    - Request, approval, provision
    - Termination and de-provisioning
    - Recertify an employee
    - Recertify a non-employee
    - Recertify the entitlements for a resource
    - Request a new resource
    - Reconciliation corrections
    - Trigger recertifications
  • HR interface: HR cannot provide new hires until after they start, hence a provisional employee process
  • Converting existing entitlements: do you have to? Avoid converting bad data, and avoid converting non-employee entitlements
  • Reconciliation: compare the meta-directory (MD) against each downstream directory
    - Assume that not all downstream directories are easily accessible; prioritize the low-hanging fruit
    - Define processes that run on a schedule to extract the downstream data
    - Determine the differences between the directories
    - Generate corrections
  • Metrics: what is the trend of errors found?
    - Are the manual processes error-prone?
    - Which user admins are not doing a satisfactory job? Or is it just a timing problem (a work order not yet actioned)?
    - Determine how the functions can be improved
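The reconciliation the notes describe (compare the MD against a downstream extract using keys rather than names, determine the differences, generate corrections, then count the errors per category and per user admin while separating timing problems from real gaps) as an added Python example. This is not Project Paladin’s own code (the slides mention SSIS-based processes); the record layouts, the category names, the five-day grace period, the correction texts and the sample rows are all assumptions constructed for this illustration. It also covers the termination case from the notes: an account that is still present downstream after the MD marks its owner terminated.

```python
"""Key-based reconciliation of a meta-directory (MD) against one downstream
directory, producing the corrections and error metrics the notes call for.

Added illustration, not Project Paladin's own code. The record shapes, category
names, grace period and sample rows are assumptions made for this example.
"""
from collections import Counter
from datetime import date
from typing import NamedTuple, Optional


class MdRow(NamedTuple):          # what the meta-directory asserts
    person_key: str               # HR / MD key, never the display name
    name: str
    app: str
    acct_id: str                  # downstream account ID recorded at provisioning
    role: str
    status: str                   # "active" or "terminated"
    approved: date                # when the entitlement request was approved


class DsRow(NamedTuple):          # one line of a scheduled downstream extract
    acct_id: str
    display_name: str
    role: str
    changed_by: str               # downstream account administrator


class Finding(NamedTuple):
    category: str
    acct_id: str
    admin: Optional[str]          # admin who last touched the account, if known
    detail: str
    correction: str


# Constructed sample data (assumed, not taken from any real system).
MD_ENTITLEMENTS = [
    MdRow("E1001", "Y Berra", "CIS", "BERRAY", "User", "active", date(2011, 1, 10)),
    MdRow("E1002", "Mantle", "CIS", "MM7", "User", "active", date(2011, 1, 10)),
    MdRow("E1003", "Maris", "CIS", "RM9", "User", "terminated", date(2011, 1, 10)),
    MdRow("E1004", "T Kubek", "CIS", "KUBEKT", "User", "active", date(2011, 3, 1)),
]
CIS_EXTRACT = [
    DsRow("BERRAY", "Y Berra", "User", "admin_a"),
    DsRow("MM7", "Mantle", "Admin", "admin_b"),     # role drifted from the MD
    DsRow("RM9", "Maris", "User", "admin_b"),       # owner terminated in the MD
    DsRow("xyz448", "T Kubek", "User", "admin_a"),  # ID the MD never issued
]
AS_OF_EARLY = date(2011, 3, 4)    # 3 days after Kubek's approval
AS_OF_LATE = date(2011, 3, 20)    # 19 days after Kubek's approval
GRACE_DAYS = 5                    # provisioning lag tolerated before MISSING


def reconcile(md_rows, extract, app, today, grace_days=GRACE_DAYS):
    """Diff the MD against a downstream extract, matching on account ID only."""
    md_by_id = {r.acct_id: r for r in md_rows if r.app == app}
    md_names = {r.name for r in md_by_id.values()}
    ds_by_id = {r.acct_id: r for r in extract}
    findings = []
    for ds in extract:
        md = md_by_id.get(ds.acct_id)
        if md is None:
            # A name-based match would quietly accept "T Kubek"; the key exposes it.
            why = ("display name matches an MD person but the ID is unknown"
                   if ds.display_name in md_names else "no MD record")
            findings.append(Finding("ORPHAN", ds.acct_id, ds.changed_by, why,
                                    "disable account; refer to resource owner"))
        elif md.status == "terminated":
            findings.append(Finding("TERMINATED_STILL_ACTIVE", ds.acct_id, ds.changed_by,
                                    f"{md.name} terminated in MD", "de-provision now"))
        elif md.role != ds.role:
            findings.append(Finding("ROLE_MISMATCH", ds.acct_id, ds.changed_by,
                                    f"MD={md.role} downstream={ds.role}",
                                    f"set role to {md.role}"))
    for md in md_by_id.values():
        if md.acct_id in ds_by_id or md.status == "terminated":
            continue                       # present, or correctly gone
        age = (today - md.approved).days
        if age <= grace_days:              # a timing problem, not an admin error
            findings.append(Finding("PENDING", md.acct_id, None,
                                    f"approved {age} days ago", "none yet"))
        else:
            findings.append(Finding("MISSING", md.acct_id, None,
                                    f"approved {age} days ago", "re-issue work order"))
    return findings


def error_metrics(findings):
    """Counts per category and per downstream admin; PENDING is not an error."""
    errors = [f for f in findings if f.category != "PENDING"]
    return (Counter(f.category for f in errors),
            Counter(f.admin for f in errors if f.admin))


if __name__ == "__main__":
    late = reconcile(MD_ENTITLEMENTS, CIS_EXTRACT, "CIS", AS_OF_LATE)
    for f in late:
        print(f"{f.category:24} {f.acct_id:8} {f.detail:55} -> {f.correction}")
    print(error_metrics(late))
```

Run against the same extract three days after Kubek’s approval, the unprovisioned KUBEKT account is reported as PENDING rather than MISSING, which is the timing distinction the metrics note asks for; per-admin counts only include real errors, so a slow but correct admin is not penalized.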
Slides:

    1. A Pragmatic Solution For Identity & Access Management. Hank Gruenberg, CISM, CRISC, PMP, Information Security & IT Compliance, Tokio Marine Management, Inc. [email_address]
    2. This presentation is based on the paper “A Pragmatic Solution for Identity and Access Management”, previously presented at various conferences. The paper is available on my LinkedIn page: http://www.linkedin.com/in/hankgruenberg. For more information, contact me at [email_address] or USA: 917-626-8604. Hank Gruenberg, CISM, CRISC, PMP, Information Security & IT Compliance, Tokio Marine Management, Inc., New York, NY, U.S.A.
    3. Situation: Regulatory Compliance
    4. Goals: Compliance & Security
    5. Solution: Custom Application
    6. Why is Access Management Difficult?
    7. Why Difficult… Managing 80+ Directories: Varying Directory Formats; Adding New Applications; Aggressive Schedules; Many Varying Directories
    8. Why Difficult… Evolved Over Time (*A&A: Authentication & Authorization)
    9. Why Difficult… Checking Entitlements
    10. How Goals Were Achieved: Consider ‘Bottom Up’ Issues
    11. Solved by… Guiding Principles; Identity Management Scope
    12. Paladin Methodology
    13. Phase 1
    14. Phase 1 – Meta Directory… Establish the Meta-Directory
    15. Phase 1 – Meta Directory… Paladin’s Meta Directory
    16. Phase 1 – Meta Directory… What Paladin Isn’t (Results: No Impact On Applications)
    17. Phase 1 – Meta Directory… Establish objects and relationships
    18. Phase 1 – Workflows… Define Workflows: Onboarding; Recertification; Governance: Request/Approve/Provision; Termination: De-provisioning
    19. Phase 1 – Workflows… Incorporate Data & User Interfaces (diagram elements: Employee Roster feed; Paladin Meta Directory; Manager: request entitlement; Resource Owner: approve entitlement; Downstream Account Administrator: work order, provision / de-provision accounts, update account IDs; add non-employees; employees; downstream directories)
    20. Phase 1 – Data Conversion… Converting Existing Entitlements
    21. Phase 2
    22. Phase 2 – Reconciliation… Reconciling Directories (example: Paladin Meta Directory entries matched against Active Directory and the Customer Information System by account ID; one row is flagged as a Problem)

        Name     App  Acct ID  Role
        Y Berra  CIS  BERRAY   User
        Mantle   CIS  MM7      User
        Maris    CIS  RM9      User
        T Kubek  CIS  xyz448   User   (Match? Problem)

    23. Phase 2 – Reconciliation… Which Directories To Automate? (*SSIS: SQL Server Integration Services)
    24. Phase 2 – Reconciliation… Automated Reconciliation
    25. Phase 2 – Reconciliation… Semi-Automated Reconciliation (Only Difference)
    26. Phase 2 – Metrics: Effectiveness & Adjustments (chart annotations: Fixed the process; Conversion Issues; numbers are illustrative)
    27. Key Points