A Pragmatic Approach to Identity and Access Management
A Powerpoint file that presents my paper: "A Pragmatic Approach to Identity and Access Management"

Notes
  • Negative business value: missing something that adversely impacted the business (a resource, a role, etc.).
  • Project Paladin.
  • Why access management is difficult:
      • IT has little control over access management for acquired products (structure, platform, etc.).
      • Application delivery schedules are aggressive, so access management cannot be on the critical path.
      • The estate evolves over time (an application that used Windows now runs on Linux).
      • Directories vary in how entitlements are represented and maintained, with further issues of referential integrity. Do not underestimate the problems of auto-provisioning or directory synchronization: how do you manage synchronization across 50+ data stores on different platforms, with the number still growing?
  • Each application is concerned only with its own A&A (authentication and authorization) requirements. Different IDs were assigned to the same individual. There was no authoritative source for non-employees. Human Resources was not concerned with A&A. How do you make terminations exhaustive and effective for all entitlements?
  • Enterprise requirements need a top-down approach to the design, but it must also work bottom-up, since disparate directories already exist. Understand the organization: HR functions, the resources to be managed, roles within resources, roles within departments, who the requestors, resource owners (ROs) and user admins (UAs) are, and what the policy, regulatory and security requirements are.
  • Fixed deadline and fixed objectives: how to meet them. Use automated processes where they can be easily implemented (i.e., a minimum of interfaces). Deliver an access management capability from the enterprise perspective and a foundation for further automation.
  • Two-phased approach: a new workflow with governance and a meta-directory, then reconciliations.
  • Incorporate people, resources, entitlements, roles and support personnel into workflows. Define resources and roles. Define role prototypes.
  • The meta-directory drives all workflows. It is the authoritative source for non-employees, contains the downstream directories' account IDs, holds the org chart for both employees and non-employees and the employee data provided by HR, schedules recertification of people and entitlements, and supports reconciliation using keys, not names.
  • What are the workflows? Request-Approval-Provision; Termination-De-provisioning; recertify an employee; recertify a non-employee; recertify entitlements for a resource; request a new resource; reconciliation corrections; trigger recertifications.
  • HR interface: HR cannot provide new hires until after they start, hence a provisional employee process.
  • Converting existing entitlements: do you have to? Avoid converting bad data. Avoid converting non-employee entitlements.
  • Reconciliation: compare the meta-directory (MD) against each downstream directory.
  • Assume that not all downstream directories are easily accessible; prioritize the low-hanging fruit.
  • Define processes to run on a schedule to extract downstream data, determine the differences between the directories, and generate corrections.
  • Metrics: what is the trend of errors found? Are the manual processes error-prone? Which user admins are not doing a satisfactory job, or is it just a timing problem? Determine how the functions can be improved.
  • Transcript

    • 1. A Pragmatic Solution For Identity & Access Management. Hank Gruenberg, CISM, CRISC, PMP, Information Security & IT Compliance, Tokio Marine Management, Inc. [email_address]
    • 2. This presentation is based on the paper "A Pragmatic Solution for Identity and Access Management", previously presented at various conferences. The paper is available on my LinkedIn page: http://www.linkedin.com/in/hankgruenberg. For more information, contact me at [email_address] or USA: 917-626-8604. Hank Gruenberg, CISM, CRISC, PMP, Information Security & IT Compliance, Tokio Marine Management, Inc., New York, NY, U.S.A.
    • 3. Situation: Regulatory Compliance
    • 4. Goals: Compliance & Security
    • 5. Solution: Custom Application
    • 6. Why is Access Management Difficult?
    • 7. Why Difficult… Managing 80+ Directories: varying directory formats; adding new applications; aggressive schedules; many varying directories.
    • 8. Why Difficult… Evolved Over Time (*A&A: Authentication & Authorization).
    • 9. Why Difficult… Checking Entitlements.
    • 10. How Goals Were Achieved: consider 'Bottom Up' issues.
    • 11. Solved by… Guiding Principles; Identity Management Scope.
    • 12. Paladin Methodology
    • 13. Phase 1
    • 14. Phase 1 – Meta Directory… Establish the Meta-Directory (Key Point).
    • 15. Phase 1 – Meta Directory… Paladin's Meta Directory (Key Point).
    • 16. Phase 1 – Meta Directory… What Paladin Isn't. Results: no impact on applications.
    • 17. Phase 1 – Meta Directory… Establish objects and relationships.
    • 18. Phase 1 – Workflows… Define Workflows: Onboarding; Recertification; Governance: Request/Approve/Provision; Termination: De-provisioning.
    • 19. Phase 1 – Workflows… Incorporate Data & User Interfaces (Key Point). [Diagram: the Employee Roster feed updates employees in the Paladin Meta Directory; non-employees are added to it directly. Actors: Manager, Resource Owner, Downstream Account Administrator. Labelled flows: Request Entitlement, Approve Entitlement, Work Order, Provision / De-provision Accounts, Account IDs. Downstream directories shown as Directory 1, Directory 1, Directory 1.]
    • 20. Phase 1 – Data Conversion… Converting Existing Entitlements.
    • 21. Phase 2
    • 22. Phase 2 – Reconciliation… Reconciling Directories. [Diagram: the Paladin Meta Directory is compared ("Match?") against Active Directory and against the Customer Information System (CIS); one row is flagged "Problem".] Illustrative meta-directory rows:

          Name      App   Acct ID   Role
          Y Berra   CIS   BERRAY    User
          Mantle    CIS   MM7       User
          Maris     CIS   RM9       User
          T Kubek   CIS   xyz448    User

    • 23. Phase 2 – Reconciliation… Which Directories To Automate? (*SSIS: SQL Server Integration Services)
    • 24. Phase 2 – Reconciliation… Automated Reconciliation.
    • 25. Phase 2 – Reconciliation… Semi-Automated Reconciliation ("Only Difference").
    • 26. Phase 2 – Metrics: Effectiveness & Adjustments. [Chart annotations: "Fixed the process", "Conversion Issues"; numbers are illustrative.]
    • 27. Key Points
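The reconciliation step described in the speaker notes (compare the meta-directory against each downstream directory, extract on a schedule, determine the differences, generate corrections, and watch the trend of errors) and on slides 22 to 26, as an added Python example. This is not Paladin's code or the author's: the record layout, the person-status field, the correction action names, and the constructed rows (names borrowed from the slide's illustrative table, account IDs and roles otherwise invented) are all assumptions made here. The one point it is built around is the one the notes stress: every comparison keys on the downstream account ID held in the meta-directory, never on a person's name.

```python
"""Key-based reconciliation of a meta-directory (MD) against one downstream directory.

Added illustration, not Paladin's implementation. All data below is constructed and the
schema (person status, entitlement fields, action names) is an assumption.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    person_key: str   # MD key for the person (employee or non-employee), never a display name
    resource: str     # downstream resource / application, e.g. "CIS"
    account_id: str   # account ID as it exists in that downstream directory
    role: str         # role approved through the request/approve/provision workflow


@dataclass(frozen=True)
class Correction:
    resource: str
    account_id: str
    action: str       # provision | deprovision | fix_role | orphan | retire_entitlement
    detail: str


# Constructed MD content. Names are carried for display only; matching uses keys.
META_PEOPLE = {
    "E1001": {"name": "Y Berra", "status": "active"},
    "E1002": {"name": "Mantle", "status": "active"},
    "E1003": {"name": "Maris", "status": "terminated"},
    "N2001": {"name": "T Kubek", "status": "active"},   # non-employee: the MD is authoritative
}
META_ENTITLEMENTS = [
    Entitlement("E1001", "CIS", "BERRAY", "User"),
    Entitlement("E1002", "CIS", "MM7", "User"),
    Entitlement("E1003", "CIS", "RM9", "User"),        # owner terminated; account must go
    Entitlement("E1003", "AD", "maris_r", "User"),     # second account for the same person
    Entitlement("N2001", "CIS", "xyz448", "User"),
]

# Constructed scheduled extract from the downstream "CIS" directory: (account_id, role).
CIS_EXTRACT = [
    ("BERRAY", "User"),
    ("MM7", "Admin"),    # role drifted: MD approved User
    ("RM9", "User"),     # still present although the owner is terminated
    ("jdoe", "User"),    # no MD record at all
    # xyz448 is absent: approved in the MD but never provisioned
]


def reconcile(resource, meta_people, meta_entitlements, extract):
    """Compare MD entitlements for one resource against that resource's extract.

    Returns the corrections a user admin or resource owner has to act on, keyed by
    account ID. The extract may come from an SSIS job or from a file supplied by hand;
    the comparison is the same either way.
    """
    downstream = dict(extract)                                        # account_id -> role
    expected = {e.account_id: e for e in meta_entitlements if e.resource == resource}
    corrections = []
    for acct, ent in expected.items():
        terminated = meta_people[ent.person_key]["status"] == "terminated"
        if acct not in downstream:
            if terminated:   # already gone downstream; the MD itself is stale
                corrections.append(Correction(resource, acct, "retire_entitlement",
                                              f"MD still lists entitlement for terminated {ent.person_key}"))
            else:
                corrections.append(Correction(resource, acct, "provision",
                                              f"approved {ent.role} for {ent.person_key} not present downstream"))
        elif terminated:
            corrections.append(Correction(resource, acct, "deprovision",
                                          f"owner {ent.person_key} is terminated"))
        elif downstream[acct] != ent.role:
            corrections.append(Correction(resource, acct, "fix_role",
                                          f"downstream {downstream[acct]}, approved {ent.role}"))
    for acct in downstream:
        if acct not in expected:   # account nobody approved: no MD owner at all
            corrections.append(Correction(resource, acct, "orphan", "account has no meta-directory owner"))
    return sorted(corrections, key=lambda c: (c.action, c.account_id))


def error_trend(corrections):
    """Counts per correction type: the per-run figure to trend across reconciliation runs."""
    return Counter(c.action for c in corrections)


def termination_work_orders(person_key, meta_entitlements):
    """Exhaustive de-provisioning: every downstream account the MD holds for one person.

    This is what storing downstream account IDs in the MD buys; HR's name alone cannot
    find accounts like "RM9" or "maris_r" across 80+ directories.
    """
    return sorted((e.resource, e.account_id) for e in meta_entitlements if e.person_key == person_key)


if __name__ == "__main__":
    result = reconcile("CIS", META_PEOPLE, META_ENTITLEMENTS, CIS_EXTRACT)
    for c in result:
        print(f"{c.resource} {c.account_id:8} {c.action:18} {c.detail}")
    print(dict(error_trend(result)))
    print(termination_work_orders("E1003", META_ENTITLEMENTS))
```

Because `reconcile()` only sees account IDs and roles, a downstream directory that spells the person's name differently (or not at all) changes nothing; that is the practical reason the notes insist on keys rather than names. Accounts with no owner in the MD are reported as orphans rather than silently removed, since the resource owner still has to decide whether to assign an owner or close the account.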