IAM Role Management

2,687 views

Published on

Role management

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
2,687
On SlideShare
0
From Embeds
0
Number of Embeds
9
Actions
Shares
0
Downloads
44
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

IAM Role Management

  1. 1. Identity and Access Management 10 Steps to Role-based Access Control Steve Jensen Senior Director and Chief Information Security Officer Blue Cross Blue Shield of Minnesota
  2. 2. Identity Lifecycle Management Business Requirements > The ability to request and review access in terminology understood by the business. > Speed up the on boarding process. > Role based access control
  3. 3. Complexity of IT Security Directories Systems and Servers Applications and Tools Databases Software as a Service Active Directory Mainframe SAP DB2 MeDecisions Novell E-Directory z/Linux Lotus Notes IMS Salesforce.com Lotus Notes Directory Unix STAR Oracle Vurv SAP Employee Directory Microsoft Focus SQL Centreq 10+ 600+ 300+ 100+ 20+ Users  Groups  Permissions Resources
  4. 4. Terminology > Application Role – A functional role that a user plays when utilizing a business application or interfacing with an infrastructure component. – Specific to a single application – For example, roles for a HR recruiting application > Human resource recruiter > Human resource benefit’s specialist > Hiring Manager > Approver > Clerk > Enterprise Role – A combination of application roles that when combined, give a person the access required to do their job across all applications they access.
  5. 5. Our Solution: Identity Lifecycle Management Establish App. Role Management Establish Ent. Role Management Segregation of Duties Management Conduct Control Review New Request System New Request System Conduct Control Review Establish ID Warehouse
  6. 6. Step 1 – Create an identity warehouse > Leverage purchase by quick-win – password self- service functionality > Platform coverage should be a key purchasing decision > You will still need to build custom feeds – Legacy systems – Externally hosted systems – Proprietary security systems > Move to directory services whenever possible > Don’t just buy an IAM suite for “automated provisioning”. Focus on role management
  7. 7. Step 2 – Establish enterprise role management > Either design/build or purchase a role management product > Ensure product can meet business requirements > Include role management, role mining, and role attestation as bare-bones minimum requirements > Plenty of choices now on the market
  8. 8. Step 3 – Define application roles > Create application roles – Don’t attempt enterprise roles on day one – Don’t attempt to link roles to HR > Map one or more access groups into application roles. Leverage documentation, group comments, and group description fields > Add entitlements to provide flexibility > Combine like entitlements that have been applied on multiple platforms
  9. 9. Step 4 – Conduct online role attestation > Validate the assignments of application functionality to users > Must be in business terms – No acronyms – No technical terms – No security specific terms > Provide timely adjustments
  10. 10. Step 5 – Adjust request system > Change your request system to request via application roles instead of “IT technical lingo” > Immediate business value > Generate processes to keep role management in synch > Can show what access is in place, and they can add checks, or remove checks > My advice – do not make automated provisioning your goal just yet
  11. 11. Step 6 – Create enterprise roles > Go to each line of business with a plan > Assign role ownership – usually the manager > Allow for multiple enterprise roles per person > Advice – don’t try to align with HR job codes > KISS - Don’t focus on keeping roles to a minimum – you have role management software to deal with the complexity. > Adjust your role approval processes
  12. 12. Step 7 – Transparency - Conduct online role attestation > Validate the assignments of enterprise roles to users > Must be in business terms – No acronyms – No technical terms – No security specific terms > Provide drill-down capabilities to application roles
  13. 13. Step 8 - Adjust request system (again) > Change your request system to request a enterprise roles instead of application role > New request type – grant access of an enterprise role to an application role. > Tremendous business value > Generate processes to keep role management in synch > Again, show what access is in place, and they can add checks, or remove checks > Automation of provisioning is best done at this phase
  14. 14. Step 9 – Segregation of Duties Analysis > Solicit from internal audit > Solicit from risk management > Provide mutually exclusive application roles and do not allow a enterprise role to have both
  15. 15. Step 10 – Leverage and Measure > Apply role management from internal employees to address customers, suppliers, business partners, etc.
  16. 16. The transformation of access After STEP 1 (2007 - Obscure Technical Lingo) SA_ACCTRECCLK SAS_CML_GROUP_6 CARSVIEW … After STEP 3 (2008 - Application Roles) •Select Account (SAM) Accounts Receivable Clerk Access •Compliance Audit Review & Reporting System (CARS) - View Access •… After STEP 6 (2009 - Enterprise Roles) Select Account Receivable Clerk
  17. 17. Questions?

×