Presented by
Venkatesh Jambulingam
Cloud Security Expert
22-Jan-2022
Identity Management
| 22-Jan-2022 | Venkatesh Jambulingam |
Contents
▶Identity & Access Management Overview
▶Identity Management
– Types of Identities
– Identity Lifecycle / JML
– Provisioning/De-Provisioning
– Identity Mapping & Orphan accounts
▶Self Service
– Password reset
– Access Request
– Name / Profile Change
▶Consumer Identity & Access Management
IAM Overview
Identity & Access Management Overview
Ensuring that the right entities have the right access to the right resources at the right time for the right reasons, and thereby protecting the confidentiality of the data
▶Identity Management
▶Access Management
▶Identity Governance
▶Privileged Access Management
Identity & Access Management Components
▶Identity Management
– Self Service Access Request Management
– Self Service Password Management
– Policy, Role & Attribute based Access Control
– Application Onboarding & Integration
– Automated & On-Demand Provisioning
– Automated Lifecycle Management
▶Identity Governance
– Role Management
– Access Review
– Segregation of Duties
– Identity Analytics & Insights
– Compliance Controls & Certification
– Cloud & Data Access Governance
▶Access Management
– Authentication
– Multi-Factor Authentication
– Single Sign on
– Password less
– Authorization
– Federation
▶Privileged Access Management
– Password Vault
– Session Manager
– Access Manager
– Compliance Control
– Password manager
– Privileged Threat Analytics
Identity Management
Types of Identities
▶B2B Identities (managed in IAM system)
– Employees & Contractors
– Programs & Applications
– Servers & Network Devices
– APIs/Services
– Desktops, Laptops, Printers, Scanners
▶B2C Identities (managed in CIAM system)
– Consumer
– Smart Watch
– Connected Car
– AR/VR/MR Headsets
Identity Lifecycle
▶Create New Identity
– A new identity is created in the authoritative source system (HR, CRM, AD, Asset Inventory) based on a physical world identity (driving license, passport, serial number of device, etc.)
▶Create Accounts
– For human identities, an AD/LDAP account and a mailbox are created
– For non-human identities, service accounts are created in AD/LDAP
▶Provision Access & Birth Right Access
– Multiple apps could be given access by default based on role or attributes. This is called birth right access
– Additional access is granted based on request
▶Maintain Profile & Manage Access
– Email & phone number change
– Promotion & location change
– Department & project change
– Legal entity change
– Maintain access levels for each of these changes
▶De-Provision Access
– User account is deactivated immediately if the user is terminated
– User account is deactivated at midnight of LWD+1 if the user resigned/retired
Identity Lifecycle - Joiner
▶New person identity
– Govt issued identity is provided by the person to the organization, e.g. driving license, passport
– User identity is created in HRMS by the HR team based on the physical govt issued ID card
▶New non-person identity
– Device serial number, make, model or application identifiers are shared with the organization
– Application identity or device identity is created in CMDB/Asset Inventory
▶Provisioning system creates the necessary accounts needed for the given identity
– Person identity: HR (Employee ID), AD (Login ID), Mailbox (Email ID), Payroll (Employee ID), Collaboration (Email ID), Digital Certificate
– Non-person identity: Service account in AD, Digital certificates
Identity Lifecycle - Mover
Moves/changes for identity
▶Person identity
– User changes project, location or gets promoted
– HR team updates the location, designation, or project details in HRMS
– Profile details are updated in other downstream systems
– Old permissions are revoked
– New permissions are added
▶Non-person identity
– Device is allocated/moved for specific use in a specific environment
– Allocation details of the device/application are captured in CMDB/Asset Inventory
– Network / other access permission is granted
▶Provisioning system updates the necessary permission/access for the given identity
Identity Lifecycle - Leaver
Retire / Fire / Decommission
▶Person identity
– User retires or user is fired
– HR team updates the person’s employment status in HRMS as retired or fired, along with the last working day (LWD)
– User identity is deactivated on LWD+1 midnight in AD
– In case of firing, it is deactivated immediately
– All access permissions are revoked
▶Non-person identity
– Device is decommissioned as not fit for use
– Allocation details of the device/application are updated as decommissioned in CMDB/Asset Inventory
– Identity of the application/device is deactivated
▶Provisioning system updates the necessary permission/access for the given identity
Provisioning
▶Provisioning is a process, performed in an automated or semi-automated way, that involves creating user accounts and assigning and managing roles and permissions for these accounts in various target resources such as applications, systems and networks
▶The provisioning application reads user information from the identity system, reads application roles from the application onboarding information, and creates a role mapping based on the organization's policies
▶Role mapping information can be sent to the target application based on the provisioning configuration type
▶Authorization information can be sent by the provisioning application, or local authorization can be done by the application based on the role mapping data sent by the provisioning application
[Figure: Provisioning. Labels: Authoritative Identity System (User1, User2, User3); Provisioning app; Application #1 database with application roles and permissions (Role #1: App Owner, Role #2: Manager, Role #3: Analyst; Group 1: User 4, User 5); role mapping based on organization policy; role mapped database for each provisioning target application; identity token/roles]
Provisioning Types
▶Discretionary access provisioning
–Often used in small to mid-sized companies, this approach allows a network administrator to decide which applications and data end users can access.
▶Self-service access provisioning
–Typically, this approach is used to help reduce an administrator’s workload. It enables users to participate in some aspects of the provisioning process such as requesting an account and self-managing passwords.
▶Workflow-based account provisioning
–Approvals from designated approvers are required before granting user access to an application or data. For example, access to finances would require approval from the company’s chief financial officer.
▶Automated account provisioning
–With this method, every account is added in the same manner through a centralized management application interface
–This streamlines the process of adding and managing user credentials and provides administrators with the most accurate way to track who has access to specific applications and data sources
–Although provisioning and identity management processes are the same, the extent and type of provisioning varies greatly among different users (e.g. patients, clinicians, customers, and partners)
Identity Mapping & Orphan Accounts
▶Identity mapping is an activity that links the various accounts held across applications, in different formats, to a single authoritative identity in HRMS or Active Directory
▶Orphan accounts are identities in the applications that do not point to any authoritative identity
▶Orphan accounts represent two kinds of security risk:
–If the account actually has no owner, or the owner has left, it represents an elevated risk of misuse, since any unusual use of the account will not be detected by the account's (absent) owner.
–Orphan accounts cannot be reliably deactivated when their owner leaves, because of the missing linkage to that owner.
[Figure: Identity map. Labels: authoritative source HR (Employee ID) in HCM / AD, mapped to AD (Login ID), Mailbox (Email ID), Payroll (Employee ID) and Collaboration (Email ID); unmapped accounts shown as orphan accounts; mapping is performed using IDM/IGA tools or even without them, using data integration tools (e.g., SSIS or ODI) or rules and stored procedures]
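The mapping and orphan check described on this slide, combined with the leaver deactivation rule from the lifecycle slides, as an added Python example that is not part of the original deck. The record layouts, the normalization rules, the sample data and the reading of "midnight of LWD+1" as 00:00 on the day after the last working day are assumptions, and only HR is used as the authoritative source.

```python
"""Identity mapping, orphan accounts and overdue leaver accounts (all data constructed)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

# HR attribute that each target system keys its accounts on (per the identity map).
SYSTEM_KEY = {
    "AD": "login_id",
    "Mailbox": "email",
    "Payroll": "employee_id",
    "Collaboration": "email",
}


@dataclass(frozen=True)
class HrIdentity:
    employee_id: str
    login_id: str
    email: str
    status: str                              # active | resigned | retired | terminated
    last_working_day: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str
    key: str                                 # identifier in the system's own format
    enabled: bool = True


def normalize(attr: str, value: str) -> str:
    """Bring per-system formats to one comparable form (assumed rules)."""
    v = value.strip().casefold()
    if attr == "login_id" and "\\" in v:     # DOMAIN\user -> user
        v = v.split("\\", 1)[1]
    return v


def deactivation_due(identity: HrIdentity) -> Optional[datetime]:
    """When this identity's accounts must be disabled; None while employed."""
    if identity.status == "terminated":
        return datetime.min                  # deactivate immediately
    if identity.status in ("resigned", "retired") and identity.last_working_day:
        # Assumption: "midnight of LWD+1" is 00:00 on the day after the LWD.
        return datetime.combine(identity.last_working_day + timedelta(days=1), time.min)
    return None


def reconcile(hr: list, accounts: list, now: datetime) -> dict:
    """Link every account to its HR owner; report orphans and overdue leavers."""
    index = {}
    for ident in hr:
        for attr in set(SYSTEM_KEY.values()):
            index[(attr, normalize(attr, getattr(ident, attr)))] = ident

    report = {"mapped": {}, "orphans": [], "overdue": []}
    for acct in accounts:
        attr = SYSTEM_KEY.get(acct.system)
        owner = index.get((attr, normalize(attr, acct.key))) if attr else None
        if owner is None:                    # no authoritative identity: orphan
            report["orphans"].append(acct)
            continue
        report["mapped"].setdefault(owner.employee_id, []).append(acct)
        due = deactivation_due(owner)
        if acct.enabled and due is not None and now >= due:
            report["overdue"].append(acct)   # owner has left, account still live
    return report


# Constructed sample data.
HR = [
    HrIdentity("E1001", "asmith", "a.smith@example.com", "active"),
    HrIdentity("E1002", "bjones", "b.jones@example.com", "resigned", date(2022, 1, 20)),
    HrIdentity("E1003", "cwu", "c.wu@example.com", "terminated"),
]
ACCOUNTS = [
    Account("AD", "CORP\\ASmith"),
    Account("Mailbox", "A.Smith@example.com"),
    Account("Payroll", "e1001"),
    Account("AD", "corp\\bjones", enabled=False),      # disabled on time
    Account("Collaboration", "b.jones@example.com"),   # still enabled after LWD+1
    Account("Payroll", "E1003"),                       # terminated, still enabled
    Account("AD", "svc_backup"),                       # no HR owner
    Account("Mailbox", "old.intern@example.com"),      # no HR owner
]
NOW = datetime(2022, 1, 22, 9, 0)

if __name__ == "__main__":
    result = reconcile(HR, ACCOUNTS, NOW)
    for label in ("orphans", "overdue"):
        print(label, [(a.system, a.key) for a in result[label]])
```

A service account such as `svc_backup` is reported as an orphan here only because HR is the sole source; with the CMDB/Asset Inventory loaded as a second authoritative source it would map to its non-person identity.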
Self Service
Self Service Password Management
▶ Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk
▶ Self-service password reset solutions perform the reset and unlock functions by directly interacting with the user directory, typically Active Directory
▶ Process flow
– User account gets locked / password needs to be reset
– User opens the self service portal and requests a password reset or account unlock
– Self service portal challenges the user with security questions and asks for additional details to verify the identity
– User provides the correct response
– Password is reset / account is unlocked in AD / IDP by the self service portal and the user is notified
Self Service Access Request Management
▶ Workflow Automation refers to the design, execution, and automation of processes based on workflow rules where human tasks, data or files are routed between people or systems based on pre-defined business rules.
▶ Workflow allows business users and automated processes to request and authorize access changes.
▶ The changes are executed across the network according to predefined IAM rule sets.
▶ Process flow
– User raises a request in the self service portal for new access / change in access
– Approver(s) review requests based on needed approval levels
– Once approved, the request is forwarded to the IAM team or the automated provisioning system picks up the approved ticket for processing
– User is assigned the new access or the change in access is done as per the request
– User is notified and the ticket status is updated in the self service portal
Self Service Profile Change
▶ Self-service profile change is a process or technology that allows users to modify their name and other profile details like phone number, address and photo without needing to call the help desk or support team
▶ Process flow
– User wants to change their profile information like phone number, address, photo
– User logs in and makes the changes in the HR system or other authoritative system
– In case of a name change, the employee uploads a govt issued ID or marriage certificate
– In case of a name change, the human resources team verifies the physical ID / marriage certificate and approves the name change
– Updated information is replicated across other downstream systems automatically
– Downstream systems display the updated information
Consumer Identity &
Access Management
Consumer Identity & Access Management (CIAM)
▶ Customer identity and access management is a special type of IAM system that enables organizations to securely capture and manage end consumer or customer identity and profile data, and control customer access to applications and services in a B2C environment.
▶ CIAM solutions ensure a secure, seamless customer experience at extreme scale and performance, no matter which channels (web, mobile, etc.) customers use to engage with an organization's brand.
[Figure: CIAM features. Labels: Customer Registration, Social Registration, Self Service Account Management, SSO/MFA & Access Management, Consent Management; Registration, Authentication, Self Service Support, Personalization, Security & Privacy; Customer Onboarding & Engagement, Brand Loyalty & Customer Experience, Customer Trust]
IAM vs CIAM
IAM
▶ IAM solutions are designed to handle thousands of identities in a given organization
▶ Traditional IAM solutions have less capability to handle sudden spikes in authentication & authorization traffic
▶ Suitable for B2B setup
▶ Single identity per user
▶ Identities are created by an organization for their employees or contractors
▶ Primarily used for authentication & authorization with strict security policies for corporate and business applications
CIAM
▶ CIAM solutions are designed to support millions of customers or consumers of an organization
▶ CIAM solutions are built to handle rapid spikes in traffic volume and frequency.
▶ Built for B2C setup
▶ Consumers can have multiple identities
▶ Identities are self-registered & managed by customers themselves
▶ Provides a consistent login experience no matter where the end-user is or what device they’re using.
▶ Supports Social Authentication
▶ Enables Consent Management
▶ Allows organizations to create personalized user experience
Thank you
This document is shared under
CC BY-NC-SA 4.0 license
About me
Venkatesh Jambulingam
Cloud Security Expert
Email:
cybervattam@gmail.com
cybervattam@outlook.com
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Identity Management

  • 1. Presented by Venkatesh Jambulingam Cloud Security Expert 22-Jan-2022 Identity Management
  • 2. Contents | 22-Jan-2022 | Venkatesh Jambulingam | ▶ Identity & Access Management Overview ▶ Identity Management – Types of Identities – Identity Lifecycle / JML – Provisioning/De-Provisioning – Identity Mapping & Orphan accounts ▶ Self Service – Password reset – Access Request – Name / Profile Change ▶ Consumer Identity & Access Management
  • 4. Identity & Access Management Overview: Ensuring the right entities have the right access to the right resources at the right time for the right reasons, and hence protecting the confidentiality of the data. Diagram labels: Identity Management; Access Management; Identity Governance; Privileged Access Management
  • 5. Identity & Access Management Components. Diagram labels (in slide order): Self Service Access Request Management; Self Service Password Management; Policy, Role & Attribute based Access Control; Application Onboarding & Integration; Automated & On-Demand Provisioning; Identity Management; Automated Lifecycle Management; Role Management; Access Review; Segregation of Duties; Identity Governance; Identity Analytics & Insights; Compliance Controls & Certification; Cloud & Data Access Governance; Authentication; Multi-Factor Authentication; Single Sign on; Password less; Access Management; Authorization; Federation; Password Vault; Session Manager; Access Manager; Compliance Control; Privileged Access Management; Password manager; Privileged Threat Analytics
  • 7. Type of Identities. Diagram labels (in slide order): B2B Identities; B2C Identities; Consumer; Servers & Network Devices; APIs/Services; Smart Watch; Managed in IAM system; Managed in CIAM system; Employees & Contractors; Programs & Applications; Desktops, Laptops, Printers, Scanners; Connected Car; AR/VR/MR Headsets
  • 8. Identity Lifecycle: (1) Create New Identity: new identity is created in the authoritative source system (HR, CRM, AD, Asset Inventory) based on physical world identity (Driving License, Passport, Serial Number of device, etc.). (2) Create Accounts: for human identities, AD/LDAP account & mailbox are created; for non-human identities, service accounts are created in AD/LDAP. (3) Provision Access & Birth Right Access: multiple apps could be given access by default based on role or attributes; this is called birth right access. Additional access is granted based on request. (4) Maintain Profile & Manage Access: email & phone number change; promotion & location change; department & project change; legal entity change. Maintain access levels for each of these changes. (5) De-Provision Access: user account is deactivated immediately if user is terminated; user account is deactivated on midnight of LWD+1 if user resigned/retired.
  • 9. Identity Lifecycle - Joiner. New person identity: Govt issued identity is provided by the person to the organization (e.g. Driving License, Passport); user identity is created in HRMS by the HR team based on the physical govt issued ID card. New non-person identity: Device Serial Number, Make, Model or Application identifiers are shared with the organization; application identity or device identity is created in CMDB/Asset Inventory. Provisioning system creates the necessary accounts needed for the given identity. Account labels shown (in slide order): HR (Employee ID); AD (Login ID); Mailbox (Email ID); Payroll (Employee ID); Collaboration (Email ID); Digital Certificate; Service account in AD; Digital certificates
  • 10. Identity Lifecycle - Mover (Moves/Changes for identity). Person identity: user changes project, location or gets promoted; HR team updates the location, designation, or project details in HRMS. Non-person identity: device is allocated/moved for specific use in a specific environment; allocation details of device / application are captured in CMDB/Asset Inventory. Provisioning system updates the necessary permission/access for the given identity. Outcomes shown (in slide order): Profile details updated in other downstream systems; Old permissions are revoked; New permissions are added; Network / other Access permission granted
  • 11. Identity Lifecycle - Leaver (Retire / Fire / Decommission). Person identity: user retires or user is fired; HR team updates the person’s employment status in HRMS as retired or fired, along with the last working day. Non-person identity: device is decommissioned as not fit for use; allocation details of device / application are updated as decommissioned in CMDB/Asset Inventory. Provisioning system updates the necessary permission/access for the given identity. Outcomes shown (in slide order): User identity is deactivated on LWD +1 midnight in AD; In case of firing, it is deactivated immediately; All access permissions are revoked; Identity of the application / device is deactivated
  • 12. Provisioning: ▶ Provisioning is a process that involves creation of user accounts, and assigning & managing roles and permissions for these accounts in various target resources like applications, systems and networks, performed in an automated or semi-automated way ▶ Provisioning application will read user information from the identity system, read application roles from application onboarding information and will create a role mapping based on the organization policies ▶ Role mapping information can be sent to the target application based on the provisioning configuration type ▶ Authorization information can be sent by the provisioning application, or local authorization can be done by the application based on role mapping data sent by the provisioning application. Diagram labels (in slide order): User1 User2 Role #1: App Owner Role #2: Manager Authoritative Identity System Provisioning app Application Roles, Permissions Application #1 Database User 2 Role Mapped Database for each provisioning target application Identity Token/Roles User 4 User 5 Group 1 User 4 User 5 Group 1 User3 Role Mapping based on organization policy Role #3: Analyst
  • 13. Provisioning Types: ▶ Discretionary access provisioning – Often used in small to mid-sized companies, this approach allows a network administrator to decide which applications and data end users can access. ▶ Self-service access provisioning – Typically, this approach is used to help reduce an administrator’s workload. It enables users to participate in some aspects of the provisioning process such as requesting an account and self-managing passwords. ▶ Workflow-based account provisioning – Approvals from designated approvers are required before granting user access to an application or data. For example, access to finances would require approval from the company’s chief financial officer. ▶ Automated account provisioning – With this method, every account is added in the same manner through a centralized management application interface – This streamlines the process of adding and managing user credentials and provides administrators with the most accurate way to track who has access to specific applications and data sources – Although provisioning and identity management processes are the same, the extent and type of provisioning varies greatly among different users (e.g. patients, clinicians, customers, and partners)
  • 14. Identity Mapping & Orphan Accounts: ▶ Identity mapping is an activity that links various accounts across applications in different formats to a single authoritative identity in HRMS or Active Directory ▶ Orphan accounts are identities in the applications that do not point to any authoritative identity ▶ Orphan accounts represent two kinds of security risk: – If the account actually has no owner, or the owner has left, they represent an elevated risk of misuse, since any unusual use of the account will not be detected by the account's (absent) owner. – Orphan accounts cannot be reliably deactivated when their owner leaves, because of the missing linkage to that owner. Diagram labels (in slide order): Data Integration Tools; Rules and Stored Procedures; Performed using IDM/IGA tools or even without them; Orphan Accounts; HR (Employee ID); Authoritative Source; Identity Map; HCM; AD (Login ID); Mailbox (Email ID); Payroll (Employee ID); Collaboration (Email ID); AD; E.g., SSIS or ODI
  • 16. Self Service Password Management: ▶ Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk ▶ Self-service password reset solutions perform the reset and unlock functions by directly interacting with the user directory; typically this is Active Directory. Flow shown: (1) User account gets locked / password reset. (2) User opens the self service portal and requests password reset or account unlock. (3) Self service portal challenges the user with security questions and asks for additional details to verify the identity. (4) User provides the correct response. (5) Password reset / account unlocked in AD / IDP by self service portal and user is notified.
  • 17. Self Service Access Request Management: ▶ Workflow Automation refers to the design, execution, and automation of processes based on workflow rules where human tasks, data or files are routed between people or systems based on pre-defined business rules. ▶ Workflow allows business users and automated processes to request and authorize access changes. ▶ The changes are executed across the network according to predefined IAM rule sets. Flow shown: (1) User raises a request in the self service portal for new access / change in access. (2) Approver(s) review requests based on needed approval levels. (3) Approved: request forwarded to IAM team, or the automated provisioning system picks up the approved ticket for processing. (4) User assigned the new access, or change in access done as per request. (5) Notify user and update the ticket status in the self service portal.
  • 18. Self Service Profile Change: ▶ Self-service profile change is a process or technology that allows users to modify their name and other profile details like phone number, address and photo without a need for calling the help desk or support team. Flow shown: (1) User wants to change their profile information like phone number, address, photo. (2) User logs into and makes the changes in the HR system or other authoritative system. (3) In case of name change, employee uploads govt issued ID or marriage certificate. (4) In case of name change, human resources team will verify the physical ID / marriage certificate and approve the name change. (5) Updated information is replicated across other downstream systems automatically. (6) Downstream systems display the updated information.
  • 20. Consumer Identity & Access Management (CIAM): ▶ Customer identity and access management is a special type of IAM system that enables organizations to securely capture and manage end consumer or customer identity and profile data, and control customer access to applications and services in a B2C environment. ▶ CIAM solutions ensure a secure, seamless customer experience at extreme scale and performance, no matter which channels (web, mobile, etc.) customers use to engage with an organization brand. Diagram labels (in slide order): CIAM Features Social Registration Self Service Account Management SSO/MFA & Access Management Consent Management Customer Registration Registration Authentication Self Service Support Self Service Support Personalization Security & Privacy Customer Onboarding & Engagement Brand Loyalty & Customer Experience Customer Trust
  • 21. IAM vs CIAM. CIAM: ▶ CIAM solutions are designed to support millions of customers or consumers of an organization ▶ CIAM solutions are built to handle rapid spikes in traffic volume and frequency ▶ Built for B2C setup ▶ Consumers can have multiple identities ▶ Identities are self-registered & managed by customers themselves ▶ Provides a consistent login experience no matter where the end-user is or what device they’re using ▶ Supports Social Authentication ▶ Enables Consent Management ▶ Allows organizations to create personalized user experience. IAM: ▶ IAM solutions are designed to handle thousands of identities in a given organization ▶ Traditional IAM solutions have less capability to handle sudden spikes in authentication & authorization traffic ▶ Suitable for B2B setup ▶ Single identity per user ▶ Identities are created by an organization for their employees or contractors ▶ Primarily used for authentication & authorization with strict security policies for corporate and business applications
  • 22. Thank you Creative Commons By Non Commercial Share Alike This document is shared under CC BY-NC-SA 4.0 license
  • 23. About me: Venkatesh Jambulingam, Cloud Security Expert. Email: cybervattam@gmail.com, cybervattam@outlook.com
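
Slides 11 and 14 describe leaver deactivation and identity mapping with orphan accounts. The Python below is an added example, not part of the presentation: it links account exports from target systems to HR identities, reports accounts that map to no authoritative identity, and reports leaver accounts that are still enabled. The record layout, status values, sample data and the reading of "LWD+1 midnight" as 00:00 on the day after the last working day are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

@dataclass(frozen=True)
class HrIdentity:                  # record from the authoritative source (HRMS)
    employee_id: str
    login_id: str
    email: str
    status: str                    # active | resigned | retired | terminated
    last_working_day: Optional[date] = None

@dataclass(frozen=True)
class Account:                     # row from a target system's account export
    system: str
    key_type: str                  # identifier stored: employee_id | login_id | email
    key: str
    enabled: bool = True

def norm(value: str) -> str:
    # The same login or e-mail often differs in case and padding across systems.
    return value.strip().lower()

def must_be_disabled(person: HrIdentity, now: datetime) -> bool:
    if person.status == "terminated":
        return True                # fired: deactivated immediately
    if person.status in ("resigned", "retired") and person.last_working_day:
        # Assumption: "LWD+1 midnight" means 00:00 at the start of the day after LWD.
        cutoff = datetime.combine(person.last_working_day + timedelta(days=1), time.min)
        return now >= cutoff
    return False

def reconcile(people, accounts, now):
    """Map each account to an HR identity; return (identity_map, orphans, overdue)."""
    index = {}
    for person in people:
        for key_type in ("employee_id", "login_id", "email"):
            index[(key_type, norm(getattr(person, key_type)))] = person
    identity_map, orphans, overdue = {}, [], []
    for acct in accounts:
        owner = index.get((acct.key_type, norm(acct.key)))
        if owner is None:
            orphans.append(acct)   # points to no authoritative identity
            continue
        identity_map.setdefault(owner.employee_id, []).append(acct)
        if acct.enabled and must_be_disabled(owner, now):
            overdue.append(acct)   # leaver's account is still active
    return identity_map, orphans, overdue

# Constructed sample data (not from the slides).
PEOPLE = [
    HrIdentity("E1001", "asmith", "a.smith@example.com", "active"),
    HrIdentity("E1002", "bjones", "b.jones@example.com", "resigned", date(2022, 1, 20)),
    HrIdentity("E1003", "cwu", "c.wu@example.com", "terminated"),
]
ACCOUNTS = [
    Account("AD", "login_id", "ASmith"),
    Account("Mailbox", "email", "a.smith@example.com"),
    Account("Payroll", "employee_id", "E1002"),
    Account("AD", "login_id", "bjones", enabled=False),
    Account("Collaboration", "email", "C.Wu@example.com"),
    Account("AD", "login_id", "svc_backup"),
    Account("Payroll", "employee_id", "E0999"),
]

if __name__ == "__main__":
    id_map, orphans, overdue = reconcile(PEOPLE, ACCOUNTS, datetime(2022, 1, 21, 0, 5))
    print("orphans:", [(a.system, a.key) for a in orphans])
    print("still enabled after leaver cutoff:", [(a.system, a.key) for a in overdue])
```

Only HR records are loaded here, so the service account shows up as an orphan; non-person identities would be indexed the same way from CMDB/Asset Inventory records.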