2 Iam C Gould


  1. IT Advisory – Identity and Access Management – 20 March 2008 (ADVISORY)
  2. IAM Defined
     “Identity Management is a comprehensive set of business processes, and a supporting infrastructure for the creation, maintenance and use of digital identities” – Burton Group*
     Put simply, IAM defines who you are, manages what you can and cannot do, and provides compliance audits and reports on this information – within the context of the enterprise systems it manages.
     * Source – Enterprise Identity Management: It’s About the Business, Burton Group
     © 2008 ZAO KPMG, the Russian member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia.
  3. IAM Overview
     • Identity Management deals with the creation and management of identities and user accounts – provisioning to the right applications, termination of expired accounts, etc.
     • Access Management deals with the enforcement of access controls and security policies across the enterprise. This is achieved through Web access management products for Web-based systems and specialized products for other enterprise platforms.
     • IAM helps manage:
       ─ Authentication: Who am I? How can I prove it? Do I have multiple identities across multiple systems?
       ─ Authorization: What do I have access to?
       ─ Policies: What do the enterprise’s business rules say I can do?
       ─ Profiles: What attributes and characteristics do I have?
       ─ Relationships: What role do I have? (Am I an employee, customer, supplier, or trading partner?) What organizational units and group(s) am I in?
  4. A Typical Business Access Management Environment Today…
     [Diagram: stakeholders (system administrators, security administrators, business managers, employees, suppliers, clients, third parties), pressures (provisioning, privacy legislation, data protection acts, Sarbanes-Oxley, Basel II, short user life cycles, segregation of duties, outstanding audit issues, mergers and acquisitions, consolidation, immediate access, employee self service, SSO), scale (100,000+ users, 100+ applications, 1,000+ possible functions) and platforms (SAP, PeopleSoft, Windows, mainframe)]
     How do you manage and control who has access to what in an efficient and effective way?
  5. Identity Management Lifecycle
     [Diagram: lifecycle events around the circle – Relationship Begins, New project, Change locations, roles, etc., Forget password, Relationship Ends]
     Authentication
     • Validate user identity
     • Determine user’s role
     • (Enterprise) Single Sign-on
     Provisioning
     • Create account and personalize services
     • Workflow approvals
     Authorization
     • Establish and continually monitor user access rights including segregation of duties
     • Procedures for treatment, processing and access to private information
     • Controls to recognize and resolve attempted breaches
     Self-Service
     • Users can self-resolve routine administrative issues
     • Updates to user information are synchronized with appropriate systems
     Password Management
     • Password rules established and enforced
     • Procedures for creating, managing, and changing user passwords
     • Self-service password reset
     De-Provisioning
     • Automated controls to identify and remove user access to applications & systems
     Compliance
     • Real-time ability to log and audit security events
     • Monitor user access
     • Ease of auditing and reporting
  6. Problems with Managing Users
     Business-related:
     • Workforce productivity loss due to delay in administrative tasks
     • Inconsistent view of who has access to what
     • Growing enterprise security concerns due to lack of comprehensive user life cycle management
     • Increasing need for business process collaboration with other enterprises
     • Growing concern for data privacy and breach of personally identifiable information
     Technology-related:
     • Several identity stores to be managed and synchronized
     • Plethora of user IDs and passwords for every user
     • Bloated help desk calls for forgotten passwords and user IDs
     • Manual practices for servicing administrative requests leading to unacceptable service levels and greater potential for errors
     • No clear documentation maintained for creation/deletion of digital identities
     • Unable to map digital identities to users leading to several orphan accounts
  7. Drivers for Identity and Access Management
     Increasing Business Value
     • Pressures: Merger and Acquisition Activities; Departmental Consolidation; Diverse Business Mixes; Off-Shoring / Outsourcing; Business Process Improvement; Administrative Process Improvement
     • IAM value proposition: Consistent Security; Quicker Rebranding of Services; Quicker Integration of New Users; Reduced Lost Productivity; Reduced Costs; Improved Workflow
     Improving Compliance
     • Pressures: Sarbanes Oxley; Anti-Money Laundering; Privacy; Basel II; Local corporate governance regulations
     • IAM value proposition: Compliance automation; Improved Auditing and Logging; Improved Monitoring; Flexibility to Adapt to New Regulations; Improved Reporting
     Reducing Risk
     • Pressures: Diverse Security Postures; Increased Likelihood of Fraud; Increased Security Risk
     • IAM value proposition: Reduce/Prevent Fraud; Increased segregation of duties; Better Enforcement of Policy
     Containing Cost
     • Pressures: Infrastructure Upgrades; Applications Architecture Upgrades; Consolidation of IT
     • IAM value proposition: Consistent Security; Reduced Costs, Resources; Reduced Licensing Fees; Quicker Time to Market with New Applications
  8. Potential Benefits of IAM
     • Centralized account management – creation, management, and terminations
     • Automated account provisioning and de-provisioning
     • Improved and enforceable business processes
     • Real-time views of a user’s account
     • Employee self-service
     • Tracking for audit information
     • Improved security
     • Delegated administration
  9. Provisioning Financial ROI
     There is tangible ROI that can be achieved by streamlining the identity management process:
     • The Gartner Group completed a study of a 10,000-employee company with 12 applications. They estimated an automated provisioning solution saves more than 14,000 hours in security administration time and 6,600 hours of help desk staff time.
       ─ The result: An ROI of 295% and savings of $3.5 million over three years.
     • The Giga Information Group found that improved IT efficiency from automated provisioning results in a savings of $70,000 annually for every 1,000 users and reduces help desk cost by $75,000 for 1,000 users.
     • Giga also found that faster access to Enterprise solutions through automated provisioning resulted in a savings of $1,000 per new employee. For existing employees, the savings were $350 per year.
     • These savings were derived from the user being able to access critical systems sooner, while responsibility for invoking business changes is pushed out to the business unit, reducing the time it takes to grant access, etc.
     • Automating provisioning reduces the cost of S-O 404 compliance.
     • However, ROI has been difficult to justify to management – data is not collected in an effective manner, is widespread in the enterprise, and is not calculated correctly to reflect true ROI.
  10. IAM Capability Stack
      [Diagram: IAM capability and complexity over time, stepping from Decentralized Administration to Centralized Administration, Centralized Management, Enterprise Administration and Enterprise Management; capabilities added in order: Integration of Controlled Systems, Password Management, Access and Authorization Management, Provisioning Automation, Advanced Auditing, Distributed Administration, Advanced Authorization Management (Role-Based Access)]
  11. KPMG’s vision on IAM
      • Identity and Access Management (IAM) is the process of creating value and addressing IT governance and compliance through effectively and efficiently:
        ─ Managing users
        ─ Authenticating the identity of users
        ─ Managing users’ access to IT resources
        ─ Monitoring what users are doing with that access.
      • Despite the hype surrounding IAM, there are four key “facts of life” that are often overlooked:
        ─ Organisations are already managing identity.
        ─ Proper IAM is fundamental to securing resources in organizations.
        ─ The management of identities and authorisations consists of processes, parts of which can be automated.
        ─ IAM aims to resolve business issues; IAM programs therefore require strong involvement from the business. IT can support this by providing efficient tools to the business.
  12. KPMG’s vision on how to approach IAM
      • Identity and Access Management should rest on the following foundations:
        ─ A clear and consistent vision and strategy with regard to identities, authentication management, authorisation management, user management, provisioning, monitoring and auditing.
        ─ An iterative approach that builds on successful steps towards meeting an overarching business vision and strategy.
        ─ A coordinated, multidisciplinary approach that takes all the different dimensions of IAM into account.
        ─ An approach that makes it possible to easily demonstrate compliance with relevant legislation and regulations.
  13. KPMG’s IAM Methodology
      Policies, processes and systems for effectively governing and managing who has access to what within an organization.
      Access Management
      • Enforcing policies for access control in response to a request from an entity wanting to access an IT resource within the organisation.
      Agility
      • The ability to adapt to the changing user environment and grow systems and applications to meet these demands without compromising their integrity.
      Authentication Management
      • Activities for effectively governing and managing the process for determining that an entity is who or what they claim to be.
      Authorization Management
      • Activities for effectively governing and managing the process for determining entitlement rights that determine what resources an entity is permitted to access in accordance with the organisation’s policies.
      Data Management
      • Data Management is the process and technologies that enable the management of a user’s identity.
      Governance
      • Development and management of consistent policies, processes, organizational structures and decision rights for IAM.
      Identity
      • The collection of the identifier and attributes for an entity (person, organization, device, resource, or service).
      Monitoring and Audit
      • Monitoring, auditing and reporting compliance of users’ access to resources within the organization based on the defined policies.
      Provisioning
      • Propagation of identity and authorization data to IT resources via automated or manual processes.
      User Management
      • Activities for effectively governing and managing the lifecycle of identities.
  14. KPMG’s IAM Methodology – Plan, Insight, Design, Implement, Monitor
      Plan
      • Objective: Effective and efficient project kick-off
      • Activities: Define the project approach; Facilitate the planning activities for the overall engagement; Gain an understanding of the client’s issues and objectives related to the engagement
      • Tools: KPMG Identity and Access Management methodology; KPMG Project Management methodology; KPMG Change Management methodology; KPMG Business Performance Improvement methodology
      • Deliverables: Project Plan; Stakeholder matrix; High-level future state model
      Insight
      • Objective: Assess current state and envision future state
      • Activities: Assist with the understanding of the current state and future state vision and areas of improvement; Transition into designing the IAM solution
      • Tools: ISO 27001 questionnaire and mapping tool; Current state workshop guidance; Stakeholder matrix and portfolio template; IAM interview questionnaire
      • Deliverables: Current state assessment report; Gap analysis and remediation recommendations
      Design
      • Objective: Help design the IAM process and solution infrastructure
      • Activities: Clarify IAM solution business requirements and KPIs; Assist with IAM strategy, roadmap and conceptual architecture; Obtain business case approval; Assist the client to design the IAM PMO and governance model
      • Tools: Industry practices; Business case template; Roadmap template; Future state strategy sample; RFI and RFP templates; ROI calculator
      • Deliverables: Future state strategy; Future state roadmap; IAM conceptual architecture; IAM Business case; IAM PMO design; IAM governance design; Defined CSFs and KPIs
      Implement
      • Objective: Help implement the IAM solution
      • Activities: Facilitate the establishment of PMO and governance model; Assist client with designing the IAM solution; Assist client with solution selection; Provide project advisory and risk / control support throughout the implementation process
      • Tools: Implementation tools and templates; Implementation plan; Use case examples; Infrastructure design examples; Interface development guidance
      • Deliverables: IAM use cases; RFI and RFP; Pilot testing program; Implementation program
      Monitor
      • Objective: Help assess and enhance the operation of the solution
      • Activities: Conduct post-implementation review; Assess IAM Program; Assist with ongoing IAM compliance auditing and performance monitoring
      • Tools: IAM Assessment programs deployed; Assessment work plans; Segregation of Duties tools; Remediation and Improvement templates
      • Deliverables: IAM assessment status report; Benefits realization report; Remediation and enhancement report; Performance scorecard
  15. User Management
  16. User Provisioning – Conceptual View
      Automation can decrease the cost of administration and increase the accuracy of access.
      [Diagram: the HR system feeds a User Identity Control component (resource, policies, work flow, audit trails); users submit access requests via intranet or e-mail (access requests, approvals, status, password management); agents provision accounts to LDAP/Directory, operating systems, CRM, ERP, databases, SCM and HR applications; user account reconciliation runs against the managed systems]
  17. User Services
      Directory Management
      • Profile Management – Management of an object’s (e.g., a user’s) attribute(s) (e.g., phone number) on the user store (e.g., directory server)
      • Password Management – Password Management includes tools that help users and administrators manage passwords, either by creating a universal password for all systems or by remembering stored passwords. Additionally, these tools provide user self-service capabilities.
      • Work Flow – The sequence of activities performed in accordance with the business processes of an enterprise
      Provisioning
      • Password Synchronization – A password synchronization system is any software or process used to help users maintain a single password value on multiple password-protected systems
      • Reconciliation of Users Across Systems – The process of synchronizing the accounts and supporting data on the central data repository with the accounts and supporting data on the managed resource
      • Work Flow – The sequence of activities performed in accordance with the business processes of an enterprise
  18. Conventional User Provisioning Work Flow
      Administration of users and user access proves more and more cumbersome as the organization grows. Cost of administration increases and accuracy of user access goes down.
      [Diagram: request for access generated → IT in-box → policy and role examined → approval routing → administrators → new users provisioned; problems marked along the way: backlogs, requests delayed, growing resources, missing audit trail, errors, incomplete request forms]
  19. Authorization Management
  20. What problem are we trying to address?
      Important issues in authorization management:
      • Manageability
      • Effectiveness
      • Verifiability
      • Responsibility
  21. Authorization Management – Manageability
      With regard to manageability, we have observed the following in practice:
      • When introducing authorizations, it is often the case that more than ten authorization registers are involved, with the same number of administrators.
      • Authorizations are formally requested in the form of “just like user xxx,” because no one knows which authorizations are needed to perform the activities.
      • There is no complete picture of a staff member’s authorizations.
      • The process of requesting and implementing all the necessary authorizations is time-consuming.
      • In-sourced staff members are not paid to wait a long time; business partners also do not want to wait.
      • There is ineffective internal control; this is experienced as labor intensive.
  22. Authorization Management – Effectiveness
      With regard to effectiveness, we have observed the following in practice:
      • Users often have more authorizations than necessary.
      • The number of authorizations often increases when a person changes jobs, because rights no longer needed are seldom completely withdrawn.
      • Staff members cannot perform all their tasks if they do not have all the authorizations needed for these activities.
      • External parties can demand adequate access rules for your system.
  23. Authorization Management – Verifiability
      With regard to verifiability, we have observed the following in practice:
      • Authorization matrices do not exist or are not updated; this interferes with the control process.
      • It is practically impossible to establish a breach in the segregation of duties because:
        ─ There are no authorization matrices
        ─ There is a lack of clarity surrounding a staff member’s authorizations
        ─ From the perspective of segregation of duties, there are no records of the authorizations which conflict
      • The auditors’ findings and recommendations generally lead to temporary improvements instead of structural improvements.
      • In practical terms, it is impossible to compare the actual authorizations with the approved authorization matrices by means of an automated process.
  24. Authorizations and Compliance – Key IT Control Issues for Compliance
      Segregation of Duties (SoD)
      • Root Cause: Disjointed “identity lifecycle processes” both within and across business cycles
        ─ Transfers not taken into account
        ─ Changes at the Business Process level not taken into account
      Excessive Access (Access Creep)
      • Root Cause: “identity lifecycle processes” incomplete or operated ineffectively
        ─ User authorizations not reviewed regularly for appropriateness
        ─ Transfers not taken into account
      Resulting Remediation Issues:
      • A number of authorizations and user assignment changes may be required
      • Broader authorization redesign (e.g., Role-Based Access Control (RBAC)) may be required
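The verifiability and compliance slides above say the hard part is comparing what users actually hold against an approved authorization matrix and spotting segregation-of-duties breaches and access creep. The script below is an added example written for this page, not KPMG's tooling or code; the role matrix, conflict pairs, role assignments and actual grants are all constructed sample data. It produces, per user, the excess authorizations (creep or direct grants outside any role), the missing ones (tasks the person cannot perform) and the conflicting pairs actually present, including a conflict that arises only from combining two roles after a transfer.

```python
"""Added example: review actual authorizations against an approved role matrix.
Flags segregation-of-duties (SoD) breaches and excessive access (access creep).
All data below is constructed for illustration."""

# Approved authorization matrix: role -> authorizations it grants (constructed)
ROLE_MATRIX = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "hr_admin":    {"employee.create", "salary.change"},
}

# Authorization pairs that conflict from an SoD perspective (constructed)
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
    frozenset({"employee.create", "salary.change"}),  # the hr_admin role itself conflicts
}

# Approved role assignment per user, the "to be" situation (constructed)
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_approver"},
    "carol": {"ap_clerk", "ap_approver"},  # transferred to approver; old role never removed
    "dave":  {"hr_admin"},
}

# Authorizations actually present on the target systems, the "actual" situation (constructed)
ACTUAL_AUTHS = {
    "alice": {"vendor.create", "invoice.enter"},
    "bob":   {"invoice.approve", "payment.release", "salary.change"},  # direct grant outside any role
    "carol": {"vendor.create", "invoice.enter", "invoice.approve", "payment.release"},
    "dave":  {"employee.create", "salary.change"},
    "erin":  {"invoice.enter"},  # no role assignment at all
}


def approved_auths(user):
    """Authorizations the matrix says this user should have, via assigned roles."""
    auths = set()
    for role in USER_ROLES.get(user, set()):
        auths |= ROLE_MATRIX[role]
    return auths


def sod_breaches(auths):
    """Conflicting pairs that are both present inside one set of authorizations."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= auths)


def review(actual=ACTUAL_AUTHS):
    """Compare actual vs approved for every user that appears on either side.

    Returns {user: {"excess": [...], "missing": [...], "sod": [...]}}.
    "excess" is access creep or a grant made outside the matrix, "missing" is
    access the role requires but the system lacks, "sod" is what a segregation
    of duties control would have to report on the real grants."""
    findings = {}
    for user in sorted(set(actual) | set(USER_ROLES)):
        have = actual.get(user, set())
        should = approved_auths(user)
        findings[user] = {
            "excess":  sorted(have - should),
            "missing": sorted(should - have),
            "sod":     sod_breaches(have),
        }
    return findings


if __name__ == "__main__":
    for user, finding in review().items():
        print(user, finding)
```

Note that dave's breach comes from the matrix itself, which is the "broader authorization redesign" case on the slide, whereas carol's comes from a transfer that left the old role in place; both show up only because the comparison is run against real grants rather than against the role assignment alone.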
  25. Roles and IAM
      [Diagram: User management (new user, e.g. employee/contractor/business partner/customer; change; resign) feeds the Authoritative Source; Authorization management holds the authorization model in the IAM tool (“To be” situation) and approves user authorizations based on roles and rules; an automated trigger drives Provisioning (automatic) and Authentication management; Monitoring and Auditing produces management reporting on the actual situation]
  26. Access Management
  27. Access Management
      • Access management solutions are the gatekeepers that help to determine which entities or users have the right to use enterprise systems and resources.
      • This component may intercept attempts to access protected Web resources.
      • The Access Management tool checks the Security Policy and the User & Entitlement store to authenticate the user and authorize (or reject) the user’s request to perform the desired transactions.
      • Additional discussions are required to determine if the Access Management tool should perform the authorization or pass the request to the application for authorization.
      • The Access Management tool should support multiple levels of user authentication.
  28. Access Management – Conceptual View
      Process:
      1. Is the resource protected?
      2. Is the user authenticated?
      3. Is the user authorized?
      4. Personalize the content
      5. Log the process
      [Diagram: employees, partners and customers connect over HTTP with an SSL encrypted connection to a Web Server running a Web Agent, which fronts Web Content and Data Management; the agent consults a Policy Server backed by the User & Entitlement Store, reached via ADSI, LDAP, ODBC, NT Domain or RACF]
  29. Access Controls
      • Determine rights and privileges using policy-based systems
      • Combine authentication and authorization by using Web-based access management products
      • Use role-based, group-based, rule-based systems for scalability
      • Integrate with applications and application servers
      • Identify objects by URL and operate at page, button, and field level
      • Integrate with identity repositories (e.g., directory, database)
      • Support multiple authentication systems
      • Include user management functions
      • Provide dynamic enforcement with variables (e.g., location, time)
      • Provide session management after authentication
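The five-step process on the conceptual-view slide and the control list above (objects identified by URL, role-based rules, dynamic variables such as location and time, logging) are easy to see end to end in a small policy-enforcement simulation. The code below is an added example written for this page; it is not a product's agent or policy server. The policy store, the user and entitlement store and the requests are constructed, and the "personalize" and "log" steps are reduced to a greeting and an in-memory audit list.

```python
"""Added example: the five-step Web access management decision
(protected? authenticated? authorized? personalize, log) over constructed
policies and users. Not from the original deck."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Policy store: URL prefix -> rule. URLs matching no prefix are unprotected. (constructed)
POLICIES = {
    "/payroll/":  {"roles": {"hr_admin"}, "hours": (8, 18), "locations": {"office"}},
    "/intranet/": {"roles": {"employee", "hr_admin"}, "hours": None, "locations": None},
}

# User & entitlement store (constructed)
USERS = {
    "alice": {"roles": {"employee"}, "display": "Alice"},
    "dave":  {"roles": {"employee", "hr_admin"}, "display": "Dave"},
}

AUDIT_LOG = []  # step 5: every decision is recorded here


@dataclass
class Request:
    url: str
    user: Optional[str]   # None means no session or credential was presented
    location: str
    when: datetime


def find_policy(url):
    """Step 1: longest-prefix match of the URL against protected resources."""
    matches = [prefix for prefix in POLICIES if url.startswith(prefix)]
    return POLICIES[max(matches, key=len)] if matches else None


def decide(req):
    """Return (decision, detail) and append an audit record."""
    policy = find_policy(req.url)
    if policy is None:
        outcome = ("allow", "unprotected")
    elif req.user not in USERS:                      # step 2: authenticated?
        outcome = ("challenge", "authentication required")
    else:                                            # step 3: authorized?
        roles = USERS[req.user]["roles"]
        hours = policy["hours"]
        if not roles & policy["roles"]:
            outcome = ("deny", "role not permitted")
        elif policy["locations"] and req.location not in policy["locations"]:
            outcome = ("deny", "location not permitted")
        elif hours and not (hours[0] <= req.when.hour < hours[1]):
            outcome = ("deny", "outside permitted hours")
        else:                                        # step 4: personalize
            outcome = ("allow", "welcome " + USERS[req.user]["display"])
    AUDIT_LOG.append((req.when.isoformat(), req.user, req.url, req.location, *outcome))
    return outcome


def check(url, user, location, hour):
    """Convenience wrapper: build a request for a constructed date and decide it."""
    return decide(Request(url, user, location, datetime(2008, 3, 20, hour, 0)))


if __name__ == "__main__":
    for args in [("/public/index.html", None, "internet", 10),
                 ("/payroll/run", None, "office", 10),
                 ("/payroll/run", "alice", "office", 10),
                 ("/payroll/run", "dave", "home", 10),
                 ("/payroll/run", "dave", "office", 22),
                 ("/payroll/run", "dave", "office", 10)]:
        print(args, "->", check(*args))
    for entry in AUDIT_LOG:
        print(entry)
```

The ordering matters: an unauthenticated request to a protected URL gets a challenge rather than a deny, so the agent never reveals whether the caller's role would have sufficed, and every branch, including the unprotected one, writes to the audit log.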
  30. Data Management
  31. Introduction
      • IAM is an integrated system of business processes, policies, and technologies that help enable clients to facilitate and control their users’ access to critical applications and resources, while protecting confidential personal and organizational information from unauthorized users.
      • Within the context of IAM, data management can be defined as follows:
        ─ Data management is the set of business processes and a supporting infrastructure for the creation, maintenance, and use of digital identities.
      • Data management is seen as the fundamental building block (foundation) for IAM solutions. Without effective “identities,” all other IAM-related initiatives will probably fail.
      • KPMG has experience in the field of identity data management. We can help you to define what a digital identity is and help identify authoritative sources of information, the approaches to address dirty data, and the building of a trusted identity store. Our ambition extends further than just defining what a digital identity is for your organization. We will design and assist in implementing a data model that you should be able to use and maintain in your organization for your future IAM initiatives.
  32. Data Management in Practice
      • From a technical perspective, a digital identity is a set of related electronic records that represent network subjects, including people, machines, devices, applications, and services.
      • A digital identity consists of multiple layers, including a relatively stable unique identifier attribute and value (e.g., badge or employee number for enterprise staff), along with the relatively transient profiles that add context to the identity (e.g., location attribute or department).
      • An Identity Repository is a storage area of several identity data items, typically from several resources, joined into one combined electronic record. This repository may be based on the LDAP standard (e.g., Oracle Internet Directory).
  33. Data Management in Practice
      Data modeling
      • This aspect of the integration deals with the rationalization of the data managed by each system, starting with the definition of the common data elements for these systems that need to be considered, as well as the appropriate authoritative source and the synchronization rule that should apply for each element. In most cases an enterprise Directory service will act as an authoritative source of identities feeding the IAM infrastructure.
      Authoritative Sources
      • Where do digital identities come from within an organization? Or perhaps more accurately, where are identities recorded/stored electronically within an organization? This is typically an HR system whereby an HR representative enters identity data into the system. However, it is important to understand that an HR system may not have accurate identity data, or the processes relating to maintaining identity data within the HR system may not be efficient.
      • A system where identities are recorded and “trusted” is often referred to as an authoritative source.
      • It is important to categorize the types of identity and their authoritative source (if possible) within an organization.
  34. Data Management in Practice
      Quality Matters
      • How strong a foundation the Identity Repository can provide for a client’s IAM depends in large part on the quality of the information it contains. Most organizations have multiple directories or identity repositories. The information in those directories is often redundant or incorrect.
      • An important first step toward getting one’s “identity house” in order, then, is to understand how and where identity information is stored. Understanding the underlying directory environment and evaluating how best to integrate that environment is an essential step in creating a more authoritative source for identity information.
      Privacy considerations and controls
      • Data minimization, authentication and authorization, encryption, and separation of data may all be techniques and controls required to help ensure any privacy requirements.
  35. Data Management in Practice
      Data Cleaning
      • Cleaning data can be a laborious and time-consuming task. What is important is how an organization identifies dirty data.
      Why clean data? There are several reasons why data cleaning is required:
      • User experience – users who see inaccurate data may get annoyed or upset that the information about them is inaccurate
      • Policy decisions – some IAM solutions rely on data to determine rules (e.g., provisioning rules, policy enforcement etc.)
      • Security – system accounts that no longer have an associated user (e.g., orphaned accounts or accounts that do not have an associated owner) may be considered a threat to security
      • Management – ongoing cleaning of data may take considerable time and effort and is often difficult to sustain
      • Regulations – some regulations (e.g., UK Data Protection Act, GLBA, Safe Harbor, etc.) hold an organization responsible and accountable, to help ensure that employee data is accurate in all electronic systems where information of the employee is held.
  36. Data Management in Practice
      Data Integrity and Synchronization
      • Clients should define the means by which identity data on identified systems can be kept up to date and in sync, by using a combination of centralized Directory, Meta Directory, and/or Virtual Directory.
      • Vendor IAM solutions provide a range of integration options that clients could leverage, including APIs, middleware integration such as EAI, Web services, or sharing a common database/directory repository. Therefore, in planning the integration, special attention should be paid to items such as the nature of the synchronization process:
        ─ Bidirectional or unidirectional
        ─ Real time
        ─ Work flow driven
        ─ Items of data to be synchronized
        ─ Reconciliation process
        ─ How to help ensure uniqueness
        ─ Conflicts and exception handling.
  37. Data Management in Practice
      Managing Multiple Directories
      • It is estimated that typical enterprises have approximately 120+ applications in which user management is required. Managing so many special purpose directories can cause the following general problems:
        ─ High cost of administration
        ─ Inconsistent data
        ─ Security issues
      • Directory synchronization is one leading practice approach to consolidating Identity information for client use. Directory synchronization provides a mechanism for copying select identities, attributes, and group information between two or more disparate identity repositories according to predefined rules. Directory synchronization is essential for many IAM-related applications.
      • The IAM technology that provides directory synchronization is typically defined as either a “Meta Directory” or “Virtual Directory.”
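The data cleaning, synchronization and multiple-directory slides above, together with the "Reconciliation of Users Across Systems" definition on the User Services slide, all come down to one recurring job: compare a managed resource's account store against the authoritative source and decide what to clean, update, remove or provision. The code below is an added example written for this page, not a meta-directory product or KPMG's tooling. It assumes a unidirectional HR-to-application synchronization of the attributes in SYNC_ATTRIBUTES, with the employee number as the stable identifier; the HR records and application accounts are constructed sample data covering each of the failure modes the slides list (orphan account, leaver still active, duplicate account for one person, stale attribute, active employee with no account).

```python
"""Added example: reconcile an application's account store against the HR
system as authoritative source. Unidirectional sync (HR -> application) of
the attributes in SYNC_ATTRIBUTES. All records are constructed samples."""

# Authoritative source: HR records keyed by the stable identifier (employee number)
HR = {
    "E1001": {"name": "Alice Smith", "dept": "Finance", "status": "active"},
    "E1002": {"name": "Bob Jones",   "dept": "HR",      "status": "active"},
    "E1003": {"name": "Carol White", "dept": "Finance", "status": "terminated"},
    "E1004": {"name": "Dan Brown",   "dept": "Sales",   "status": "active"},
}

# Managed resource: application accounts, each linked (or not) to an employee number
APP_ACCOUNTS = [
    {"login": "asmith",     "emp_no": "E1001", "name": "Alice Smith",    "dept": "Finance"},
    {"login": "bjones",     "emp_no": "E1002", "name": "Bob Jones",      "dept": "Sales"},    # stale dept
    {"login": "cwhite",     "emp_no": "E1003", "name": "Carol White",    "dept": "Finance"},  # leaver still active
    {"login": "cwhite2",    "emp_no": "E1003", "name": "C. White",       "dept": "Finance"},  # second account, same person
    {"login": "svc_backup", "emp_no": None,    "name": "Backup Service", "dept": None},       # no owner: orphan
]

# Attributes the authoritative source is allowed to overwrite on the application
SYNC_ATTRIBUTES = ("name", "dept")


def reconcile(hr=HR, accounts=APP_ACCOUNTS):
    """Classify every account and compute the changes the application store needs.

    Returns a dict with:
      orphans:     logins with no owner, or an owner unknown to HR (data cleaning)
      deprovision: logins whose owner HR says is not active (security)
      duplicates:  employee numbers owning more than one login (uniqueness)
      updates:     (login, attribute, old, new) for attributes out of sync
      missing:     active employees with no account at all (provisioning gap)
    """
    result = {"orphans": [], "deprovision": [], "duplicates": [], "updates": [], "missing": []}
    owners = {}  # employee number -> logins linked to it
    for acct in accounts:
        emp = acct["emp_no"]
        if emp is None or emp not in hr:
            result["orphans"].append(acct["login"])
            continue
        owners.setdefault(emp, []).append(acct["login"])
        if hr[emp]["status"] != "active":
            result["deprovision"].append(acct["login"])
            continue
        for attr in SYNC_ATTRIBUTES:
            if acct[attr] != hr[emp][attr]:
                result["updates"].append((acct["login"], attr, acct[attr], hr[emp][attr]))
    result["duplicates"] = sorted(e for e, logins in owners.items() if len(logins) > 1)
    result["missing"] = sorted(e for e, rec in hr.items()
                               if rec["status"] == "active" and e not in owners)
    return result


if __name__ == "__main__":
    for category, items in reconcile().items():
        print(category, items)
```

Two design points match the slides: the direction of synchronization is fixed (the application never writes name or department back to HR), and an exception such as an ownerless service account is reported rather than silently deleted, because the slide treats such accounts as a security question for a person to resolve, not as a sync rule to apply.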
  38. KPMG’s Vision
      The data model, processes and tools used make it possible to realize a manageable and efficient data management process that is:
      • Effective
      • Controlled
      • Accurate
      • Verifiable
      This helps enable management to take responsibility for the integrity of data for use in an IAM program.
      Data management:
      • Record the identity model
      • Clean and accurate identity data
      • Automatic “decision” points based on the identity
39. Our Approach
Agree the data model and synchronization requirements, deploy the identity data repository, and migrate from the current data model to the envisioned data model:
1. Analysis and agreement of current data models and authoritative sources
2. Create model and identify data synchronization and cleansing activities
3. Design and deploy data repository
Phases: Requirements gathering – Design – Build – Test – Deploy – Post production
Design, implementation, and deployment of data management infrastructure
40. Our Approach
The result of our approach is:
• Agreed identity data model
• Agreed authoritative sources aligned with data ownership
• A model that is extensible and supportable
• Transparency, maintainability, verifiability, and effectiveness
• Efficient and effective data management
• The foundation for all IAM program initiatives
• Data management that is clearly “under control”
41. Authentication Management
42. Authentication Management
• Authentication is the process of determining, to a specified level of confidence, that an entity is who or what it claims to be
• Authentication Management covers the policies, processes, and systems for effectively governing and managing the authentication of individuals and services
• Main activities:
  ─ Enrollment – identification and registration processes
  ─ Risk-based authentication framework
  ─ Credential lifecycle management – issuance, activation, support, revocation
  ─ Design and implementation of authentication infrastructure
43. Authentication Management – Conceptual View
Diagram elements: User and Access Management; Authentication and Access policies; Authentication engine; IAM system enforcement point; Applications; Users
44. Authentication Management – Terms Used and Related Activities
Technology areas:
• Strong authentication
• Two-factor authentication
• User name/password
• One Time Password (OTP)
• Smartcards/PKI
• Tokens
• Biometrics
• SMS authentication
• CardSpace
• Claims-based authentication
Policies, frameworks, and processes:
• Original identification
• Evidence of Identity (EOI)
• Enrollment policies and processes
• EOI capture and storage
• Authentication frameworks
• Risk assessment tool
• Authenticator selector tools
• Credential lifecycle management
• Support processes – password reset, PIN management, etc.
Industry standards:
• SAML
• WS-*
• OATH
• Liberty Alliance
45. Observations
46. KPMG’s Observations
Most IAM projects focus initially on improving user management and automating provisioning of accounts and basic authorizations, supported by workflows
• Driver: increasing operational excellence
• In most cases, basic employee roles are assigned
The second stage of most projects focuses on improving the quality of the authorizations
• Driver: increasing level of compliance
• Roles are currently seen as the way forward for managing fine-grained authorizations
In most software solutions of the suite vendors (such as IBM, SUN, HP, Oracle, Computer Associates) some role functionality exists, although it is too limited
• Only the administration of technical roles is included
• No real role management capabilities
• When organizations require extensive role management, most suite vendors are teaming with pure-play role management vendors such as VAAU, BHOLD Company, Bridgestream, Eurekify, and RMAN.
47. KPMG’s Observations when Organizations are Entering Role Modeling
Optimistic view on required starting points for role modeling, such as:
• Lack of clear job descriptions
• Lack of (up-to-date) authorization matrices for platforms and applications
• Lack of commitment of the organization to engage in role modeling
Theoretical/conceptual view on role modeling, leading to role explosion
• Top-down approach for role engineering takes too long and requires too much effort and interaction with the business
  ─ No short-term results
• No room for flexibility – SoD breach may occur, if documented
• Only attention for the “to be” situation
• How to keep the role model future-proof?
Too ambitious – revolution instead of evolution
• Big bang – scope is the entire organization and all applications?
• Phased approach is crucial
48. Next Steps
49. How to Proceed – User Management
• IAM should be considered a long-term strategy
• Define requirements for identity management within your enterprise
• Develop a strategic roadmap with realistic timelines that can be broken down into distinct work streams
• Develop a set of use cases for the management, creation, and deletion of users
• Develop workflows, processes, and roles that can be leveraged through an identity management solution
• Hold vendor bake-offs to determine the “best” fit for your environment
• Conduct Proofs of Concept (POC) with selected vendors
• Deploy a limited pilot to determine the validity and capabilities of the chosen solution
• Develop a phased rollout plan that incorporates an 80/20 rule for centralized user provisioning
50. How to Proceed – Authorization Management
Putting the foundation in place by:
• Implementing role management
• Providing infrastructure for analyzing, engineering, and maintaining roles (mostly as part of the enterprise IAM infrastructure)
Role engineering
• Using role mining tools will decrease role engineering efforts and will provide faster results
Implementing roles – evolution versus revolution
• Staged approach is required
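Slide 47 warns that theoretical role modeling leads to role explosion and that SoD breaches can slip into a rigid model, and slide 50 recommends role mining tools as the faster, bottom-up alternative. The block below is an added example (not the deck's material and not any vendor's tool) of what a minimal bottom-up role miner does: it takes an exported authorization matrix, proposes candidate roles only where a permission set is shared by at least a threshold number of users, and then checks both users and the proposed roles against a segregation-of-duties rule. The users, permission names, threshold and the SoD rule are constructed assumptions for the demo.

```python
"""Added example: bottom-up role mining over an exported authorization matrix,
with a segregation-of-duties (SoD) check on the result. Users, permissions and
rules below are constructed for the demo."""
from itertools import combinations

# Constructed sample: user -> set of granted permissions, as it might be
# exported from an application's authorization matrix.
USER_PERMS = {
    "alice": {"ap_create_invoice", "ap_view", "erp_login"},
    "bob":   {"ap_create_invoice", "ap_view", "erp_login"},
    "carol": {"ap_create_invoice", "ap_view", "erp_login", "ap_approve_payment"},
    "dave":  {"ap_approve_payment", "ap_view", "erp_login"},
    "erin":  {"hr_view_salary", "erp_login"},
    "frank": {"hr_view_salary", "erp_login"},
}

# Constructed SoD rule: a permission set that must not be held by one person.
SOD_RULES = [
    ({"ap_create_invoice", "ap_approve_payment"}, "create and approve the same payable"),
]


def mine_roles(user_perms, min_users=2):
    """Return candidate roles as (members, permissions) pairs.

    A candidate is a permission set held in full by at least `min_users` users.
    Candidates are every user's own set plus all pairwise intersections, so
    shared subsets (an 'everyone' base role, a departmental role) surface too.
    The threshold is what keeps the method from emitting one role per user,
    i.e. the role explosion the deck warns about.
    """
    candidates = {frozenset(p) for p in user_perms.values()}
    for a, b in combinations(list(user_perms.values()), 2):
        shared = frozenset(a & b)
        if shared:
            candidates.add(shared)

    # For each distinct group of members keep only the largest permission set
    # they all share (a "closed" set), so nested duplicates are dropped.
    best = {}
    for cand in candidates:
        members = frozenset(u for u, perms in user_perms.items() if cand <= perms)
        if len(members) >= min_users and len(cand) > len(best.get(members, ())):
            best[members] = cand

    roles = [(sorted(m), sorted(p)) for m, p in best.items()]
    return sorted(roles, key=lambda r: (-len(r[0]), r[1]))


def sod_violations(user_perms, rules):
    """Users whose effective permissions contain a full SoD conflict set."""
    return [(user, why) for user, perms in user_perms.items()
            for conflict, why in rules if conflict <= perms]


def role_sod_violations(roles, rules):
    """Candidate roles that would bake an SoD conflict into a single role."""
    return [(members, why) for members, perms in roles
            for conflict, why in rules if conflict <= set(perms)]


if __name__ == "__main__":
    mined = mine_roles(USER_PERMS)
    for members, perms in mined:
        print(f"role {perms} -> {members}")
    print("user SoD violations:", sod_violations(USER_PERMS, SOD_RULES))
    print("role SoD violations:", role_sod_violations(mined, SOD_RULES))
```

On the constructed matrix the miner proposes five roles: a base role (`erp_login`) for everyone, an accounts-payable viewer role, an invoice-creator role, a payment-approver role and an HR salary-viewer role. None of the proposed roles contains the toxic combination, but carol's current grants do, which is exactly the case the deck describes: a bottom-up model built from existing authorizations reproduces existing SoD breaches unless the cleansing step on slide 51 runs before roles are assigned.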
51. Authorization Management – Suggested Approach
Implementing the role management process:
• (Automated) analysis of current authorizations
• (Periodic) reporting on granted authorizations
• Cleansing of existing authorizations
• Automatic role mining / role engineering
Roadmap (diagram labels): Envision; Confirm vision; Select tools; IAM architecture; Develop authorization concept; Automating (parts of) management processes; operational
52. How to Proceed – Authentication Management
Putting the foundation in place by:
• Conducting a risk assessment to understand information asset classification and risk within the organization
• Developing a risk-based authentication framework
First phase:
• Developing policies and processes for different authentication mechanisms within the organization (including strong authentication)
• Implementing a first phase of infrastructure deployment for helping to enable and enforce access policies relating to authentication
Future phases:
• Iterating the authentication framework, policies, and procedures
• Implementing strong authentication, Enterprise Single/Simplified Sign On, Federation, etc.
53. Authentication Management
Design, implement, and deploy authentication management policies, standards and processes; implement the authentication management process.
Develop framework and processes:
1. Development of authentication framework
2. Development of enrollment policies and processes
3. Develop operational structures for credential life cycle management
4. ACCESS Management – Design and build authentication infrastructure
Phases: Requirements gathering – Design – Build – Test – Deploy – Post-production
54. KPMG’s View of Implementation Strategy – Preparing and Planning
Preparation and planning:
• Put foundation in place
• Determine scope
  ─ Are you really envisioning managing all authorizations by using roles? Maybe an 80/20 rule is more realistic.
• Setting priorities
  ─ Depending on business case
  ─ Deployment strategy: organizational entities versus processes versus applications – which deployment strategy to choose?
• Managing expectations and keeping commitment is key
55. Staged Approach is Required
Stage 1: Preparing and planning – reestablish identity life cycle processes
Stage 2: Implement role management for prioritized applications/systems
Stage 3: Optimize role model for prioritized applications/systems
End goal: Role management and assignment processes in place and effective
Migrate from project to process approach
56. Identity Management Reference Architecture
Users: External – Customers, Partners; Internal – IT Staff, Employees, Delegated Admin; Applications
Identity Management Service:
• Access Management: Authentication & SSO; Authorization & RBAC; Entitlement management
• Identity Administration: Delegated Administration; Self-registration and Self-service
• Auditing, Monitoring and Reporting; Workflow Management
• Directory Services: LDAP Directory; Meta-Directory; Virtual Directory
• Identity Provisioning: Who, what, when, where, why; Rules and access policies; Integration framework
Applications, Systems and Repositories, Physical Assets: ERP, CRM, OS (Unix), HR, Mainframe, NOS/Directories, Cell Phone, Physical Access
* Source – Oracle Enterprise IdM Reference Architecture
57. A Look at the Pieces when Fit Together
Access Management:
• Policies
• Workflow
• Audit trails
Directory Management:
• Authoritative Stores
• Directory Reconciliation
• User Account Databases
• Existing Directories
User Management:
• Self-service
• Workflow
• Provisioning
• Delegated administration
Other diagram elements: Portal; Applications; Authentication Directory; Policy Enforcement (Operating Systems, Databases, Applications); Real-time enforcement; Administration; Audit; Verification & Validation
58. Structured IAM Approach
59. Deployment Life Cycle
Planning:
• Project scope
• Stakeholder education/buy-in
• Executive support
• Definition of business drivers
• Management of expectations
• Organizational readiness
Requirements:
• Custom versus out-of-the-box
• Security and compliance req.
• Holistic view of people, processes, and technology
Design:
• Identify architecture risks
• Requirements tradeoffs
• Address non-functional req.
• Define suitable RBAC model
• Define reconciliation plan
Build and Test:
• Gap between test versus prod
• Test non-functional req.
• Knowledge transfer
• Change management
• Stakeholder involvement in testing
Deployment / Transition:
• Rollout communication
• Business process training
• Legacy platform readiness
Maintenance:
• Technical support help desk
• Assess usability
• Develop enhancement strategy
60. Methodology and Deliverables
Planning
Tasks:
• Identify stakeholders
• Inventory and review current state
• Develop: project plan, defect tracking, communication plan, change management, team roles, risk management
Deliverables:
• Stakeholder and KPMG team roles and responsibilities
• Project work plan
• Roles for IDM solution implementation
• Change management plan
• Defect tracking and prioritization guidelines
• Communications and issues management plan
• Risk log and mitigation plan
Requirements
Tasks:
• Define solution requirements
• Identify requirement GAPs
• Refine project plan
• Manage to plan
Deliverables:
• Functional requirements document
• Nonfunctional requirements
• Security and compliance requirements
• Legacy systems data cleansing requirements and strategy
Design
Tasks:
• Develop detailed design
• Develop solution metrics
• Build Dev environment
• Develop test plans
• Manage to project plan
• Develop cutover plan
• Develop user acceptance test scripts
• Develop reconciliation procedures
Deliverables:
• SRS document
• SDD document
• System architecture document
• Build document
• Baseline build of Dev environment for IDM solution
• Reconciliation plan for resources
• Test and training plan
Build and Test
Tasks:
• Configure and build IDM solution in Dev environment
• Load and stress testing
• Develop unit and integration test scripts
• Acceptance testing
• Develop user procedure documents
• Develop training materials
Deliverables:
• Configuration
• Unit and integration test scripts
• Training materials
• User documents
• Build documents for production environment
• User acceptance test scripts
• Production checklist
Rollout / Transition (Cutover)
Tasks:
• Deploy and configure production environment
• Develop production support procedures
• Develop incident response procedures
• Execute communication plan
Deliverables:
• Load and stress test results
• Acceptance test results
• Acceptance sign-off
• Documentation standard
• Cutover plan
• Production environment
• Reconciliation procedures
Maintenance
Tasks:
• Develop ongoing roles and responsibilities
Deliverables:
• Ongoing roles and responsibilities
• Production support procedures
• Incident response procedures
61. All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Christopher Gould
KPMG
+7 495 937 4477
cgould@kpmg.ru
www.kpmg.ru
KPMG in Russia refers to KPMG Limited, a company incorporated under the Guernsey Companies Act, and ZAO KPMG, a company registered under the Laws of the Russian Federation.
