2019 | SailPoint Presents: Real-World Case Study - CSL IAM Journey | Identiverse | Day 1, June 25

Rebecca Daniels, Senior Identity and Access Management Architect at CSL Behring, is addressing their compliance and security challenges by tackling identity governance head on. Join this session as she discusses the business challenges that led to building an integrated identity program that secures the organization and enables the workforce. Rebecca will share their approach to governing all applications, data and users, as well as their successes and lessons learned along the way. She will also highlight the impact the program has had to date and her plans for growth using a governance-based approach.

Published in: Technology

  1. CSL IAM Journey: Past, Present, Future
  2. PRESENTATION OBJECTIVES
     • Overview CSL’s Identity & Access Management Journey
     • Where We Were: Highlight the original Business Case and Project Objectives
     • What We Accomplished: Highlight CSL’s first 24 months
     • Improvements & Changing with the Business
     • Single Sign-On Integrations
     • What We Learned: Lessons Learned & How we’ve Improved
     • Where We Are Going: Future Plans
     | Driven by Our Promise™
  3. Business Case / Project Objectives
     • Accomplishments
     • Lessons Learned
     • IAM Roadmap
     • Q&A / Discussion
  4. ORIGINAL BUSINESS CASE
     • Audit Finding to Improve Security of Offboarding
     • Introduce technology to improve efficiencies and minimize business technology personnel growth demand
     • Streamline off-boarding / onboarding
     • Support accelerated business growth (15K – 35K managed identities)
     • Ease Service Desk staff demand
     • Everything ready for a new starter Day 1
     • Deploy SailPoint IdentityIQ and initial services
     • Introduce Single Sign-On (IdentityNow) / Deploy platform
     • User experience improvements
  5. Business Case / Project Objectives
     • Accomplishments
     • Lessons Learned
     • IAM Roadmap
     • Q&A / Discussion
  6. LIFECYCLE EVENTS: End-to-End Digital Identity Lifecycle (Initial Services)
     • Relationship Begins: New Hire / ReHire (Creation / Provisioning)
       • Create / Re-enable identity and identifying data
       • Determine organization / department / job duty / role data
       • Provision Birthright access
     • Relationship Ends: Terminations / De-provisioning
       • Revoking permissions / authorizations
       • De-provisioning groups / access
       • Initiate 30/60/90 de-provisioning actions
     • LOA / Returns From LOA
  7. CSL IDENTITY & ACCESS MANAGEMENT PROGRAM
     • Identity & Access Management is a program that provides services around a defined framework to address a set of clear objectives
     • Programs emphasize ongoing improvement
     • IAM includes services to manage:
       • Identity Lifecycle
       • Access and Access Authorization
       • Credential & Authentication
       • Audit, Governance, and Risk Oversight
     [Diagram: IDENTITY AND ACCESS MANAGEMENT framework with four service areas (Identity Lifecycle Management; Authentication & Credential Management; Authorization & Access Management; Audit & Governance Management) and Policies, Processes, Infrastructure]
  8. [Diagram: IDENTITY AND ACCESS MANAGEMENT service map. Service areas: IDENTITY LIFECYCLE MANAGEMENT; AUTHORIZATION & ACCESS MANAGEMENT; AUTHENTICATION & CREDENTIAL MANAGEMENT; AUDIT & GOVERNANCE MANAGEMENT. Base: Policies, Processes, Infrastructure.]
     Services shown: ESTABLISH IDENTITY AGGREGATION; WITHDRAW IDENTITY AGGREGATION; AGGREGATE IDENTITIES; TERMINATE IDENTITY; UPDATE IDENTITY ATTRIBUTES; CREATE IDENTITY; AGGREGATE ACCOUNTS / ACCESS PERMISSIONS; MANAGE ENTITLEMENTS; MANAGE AUTOMATED IDENTITY LIFECYCLE; REQUEST IDENTITY; TERMINATE IDENTITY; UPDATE IDENTITY ATTRIBUTES; AUTHORIZE IDENTITY REQUEST; MANAGE MANUAL IDENTITY LIFECYCLE; ESTABLISH ACCESS AGGREGATION; WITHDRAW ACCESS AGGREGATION; MANAGE ACCESS LIFECYCLE; AUTHORIZE REQUEST; UPDATE ACCESS; APPLY ACCESS PERMISSIONS; REVOKE ACCESS; REQUEST ACCESS; MANAGE ACCESS CONTROL STRUCTURE; ENFORCE POLICY; GRANT ACCESS; DENY ACCESS; CREATE USER ACCOUNT; REVOKE USER ACCOUNT; AGGREGATE & CORRELATE ACCOUNTS / ACCESS PERMISSIONS; MANAGE ROLES; CONTROL ACCESS; UPDATE IDENTITY IN SOURCE; DISABLE ACCESS; RECERTIFY MANUAL CREATED IDENTITY; MANAGE RISK PROFILES; MANAGE POLICIES; RECERTIFY PRIVILEGED ACCESS; MITIGATE POLICY VIOLATIONS; RECERTIFY ACCESS; AUTHENTICATE USER [PASSWORD]; AUTHENTICATE USER [MULTIFACTOR]; MANAGE KBA; CREATE TEMPORARY PASSWORD; AUTHENTICATE USER [KBA]; LOCK OUT USER; RELEASE LOCK OUT; ENROLL MULTIFACTOR CREDENTIAL; PROVIDE CREDENTIAL; MANAGE CREDENTIAL; MANAGE AUTHENTICATION; REVOKE CREDENTIAL; CHANGE PASSWORD; SYNCHRONIZE PASSWORD; MANAGE PASSWORD POLICY; ESTABLISH KBA; VERIFY EMAIL; RESET FORGOTTEN PASSWORD; ENFORCE PASSWORD POLICY; REMIND UPCOMING PASSWORD EXPIRATION; FORCE RE-AUTHENTICATION; DEPROVISION ACCESS
  9. SERVICES AT WORK example: Certification
  10. SINGLE SIGN-ON INTEGRATIONS
      Initial Objectives:
      • Reduce Sign-On & Improve User Experience
      • Password Management from Anywhere
      Growth by year:
      • 2017: Sources 3, Clusters 1, Identities 18,000, Applications 5
      • 2018: Sources 3, Clusters 1, Identities 28,727, Applications 45
      • 2019: Sources 5, Clusters 2, Identities 32,144, Applications 72
  11. IAM SERVICES
  12. IDENTITY MANAGEMENT EVOLUTION
      [Roadmap timeline: 2016, 2017, 2018, 2019; axis label: Benefits; marker: We are Here]
      • Strengthen the foundation
        • Infrastructure & Software Upgrade
        • Workday integration data quality and process review
        • 50 SSO Applications
        • Multi-Factor Authentication
      • IAM Program Roadmap
        • Objectives
        • Timeline
        • Communication
      • Lay the foundation
        • Identity platform selection & implementation
        • IAM Operations services for incident resolution and service improvements
      • Identify the need
        • E&Y audit
      • IAM Roadmap Execution
        • Service expansion
        • Application onboarding
        • Manufacturing support
      • Broaden the foundation
        • Privileged account platform selection & implementation
        • Manage Wintel privileged accounts
      • IAM Operations
        • Monthly enhancements
        • Single sign on
        • Multi factor authentication
  13. Business Case / Project Objectives
      • Accomplishments
      • Lessons Learned
      • IAM Roadmap
      • Q&A / Discussion
  14. Lessons Learned (columns: CATEGORY; COLLABORATION / RESOURCES / ISSUES; IMPROVEMENTS)
      • Resource Management
        Issues:
        • CSL Internal IAM team onboarding delay (some roles after initial launch)
        • HR support was hard to obtain
        • Frequent resource turnover on the vendor side
        Improvements:
        • IAM Ops Team staffed in May 2017 and continued through Feb 2018
        • P2 execution was more streamlined
        • Ticket resolution improved significantly
      • Change Management
        Issues:
        • Uninformed HR changes impacted IAM projects - Acquisitions
        • Skype4B upgrade
        • AD improvement Project
        • Unclear O365 and DW changes
        Improvements:
        • Improved Coordination with HR and Applications
        • Streamlined SSO Onboarding
      • Environmental Challenges
        Issues:
        • Non-Prod environment was not available initially
        • Non-Prod environments were not built Prod-like; some of the components could only be tested in Prod
        • Non-Prod HR system weekly refresh caused test data issues
        • Still suffer with inadequate collaboration tools testing env.
        Improvements:
        • Non-Prod environment was deployed
        • HR system stabilized in Nov 2018 initial and continued improvement for P3
        • Separate QA AD Domain for P3
      • Test Management
        Issues:
        • Underestimated Testing time
        • Manual Testing Process/Documentation
        • Dedicated Infra/HR resource availability
        • Important stakeholders were not involved
        Improvements:
        • Improved Testing Plan
        • Dedicated Test and HR resources
        • Digitized Testing Process/Documentation for P3
  15. Business Case / Project Objectives
      • Accomplishments
      • Lessons Learned
      • IAM Roadmap
      • Q&A / Discussion
  16. IAM PROGRAM OBJECTIVES
      • Objective 1: Manage all identities
        • Standard, privileged, external, shared, service, manufacturing
        • Read-only connections used to collect accounts, identify and correlate permissions, and remove IdentityIQ unmanaged accounts
      • Objective 2: Provide a single and complete view of user application access across the enterprise
        • Applications selected based on prioritization criteria (next slide)
      • Objective 3: Generate periodic user access recertification to support compliance requirements
      • Objective 4: Process access requests to provide enterprise access control and enhanced user experience
        • Data Ownership and application participation are critical success factors
        • Centralized self-service access request with training validation checks, incorporate multiple fulfillment methods
      • Objective 5: Automate birthright provisioning and incorporate Role Based Access Control (RBAC) for Manufacturing and Applications
      • Objective 6: Facilitate provisioning and deprovisioning of user access
        • Achieved by completing Objectives 1-5
  17. [No slide text]
  18. IAM MESSAGE
      • Evolutionary program with Significant Business Benefit
      • Identity and access management program is more than meets the eye
      • Benefits the business, users, and IT
      • Simplifies the application access request process
      • Provides self-service password reset capabilities
      • Protects CSL assets
      • Simple user interface belies the complexity lurking below
      • New applications must include SSO
      • Multifactor authentication needed for internet facing hosted applications
  19. Question / Answer Segment
      Discussion – Learning from Others
      • Business Case / Project Objectives
      • Accomplishments
      • Lessons Learned
      • IAM Roadmap
      • Q&A / Discussion
  20. Thank You
