SlideShare a Scribd company logo

20170912_Identity_and_Access_Management.pptx

Download as PPTX, PDF
Anand Dhouni
Anand Dhouni

IAM

Internet
1 of 32
1 Identity and Access Management PMI Westchester Quality SIG Presentation September 12th 2017
2 Identity and Access Management is Everyone’s Responsibility What is Identity & Access Management (IAM)? A set of tools & services used to manage access to systems or resources used by personnel as well as our customers Why is Managing Access Important? Controlling access = Controlling risk How Do We Manage Applications? Centrally-Managed applications – you ask IT to do it. • Use one or more centrally-managed IAM services Business-Managed applications – you ask some in business to do it. • Applications the business manages locally. The business owns and creates the access to application. The owner has responsibility for and the timely removal of access when someone terminates or transfers jobs. • Who Is Responsible for Managing Access? Everyone who manages employees or contractors in the organization
3 3 3 Request, Review, Remove Identity and Access Management is Everyone’s Responsibility 1. The IAM team can/will manage access on my behalf 2. Eventually all applications will be centrally managed 3. When someone leaves the company, HR makes sure their access is terminated What Do I Need To Do As A Manager? Request Access For Your Personnel • Contact your Role Profile Owner • Visit the IAM Support Central Site Review Access When Prompted • High-risk applications reviewed quarterly, all others annually Remove Access When People Leave • Submit requests within 24 hours of a job change • Go to Workday for full-time employees • Go to IAM Portal for contract workers Common Misperceptions 2 3 1
IAM Program – Strategic Goals Identity & Credentials: 1. Move towards a culturally aware business climate around IAM and enforce the use of a common identifier for all personnel utilizing Organization assets, both employee and non-employee. 2. Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve consistency, and minimize cost. 3. Implement a robust privileged user management program to identify, manage, and monitor access of privileged accounts on the Organization network. 4. Automate the provisioning and de-provisioning of core credentials and roles tied to identity events. Entitlements and Access Control: 1. Implement a business application on-boarding paradigm (aka “adoption”) that enables targeted applications to integrate to IAM and minimizes the amount of re-work as the maturity of the overall IAM solution grows. 2. Target high-risk applications (e.g. SOX/PCI), to be fully integrated to IAM with identity-event-driven workflow to ensure full lifecycle automation and management (request, grant, review, remove, term, transfer). 3. Integrate high-risk physical and logical assets into program that have weak IAM controls and present risk to firm (e.g. local admin, laptops, badging system, etc.). Audit and Compliance: 1. Enable the business to perform scheduled or ad-hoc access reviews of any group of assets on Organization across all users and the access they hold (i.e. “Who has access to what ?”). 2. Provide accurate and timely compliance / auditing reports as well as metrics to operational teams, business areas, and other interested parties. Identities Entitlements Access Control Audit & Compliance Credentials
5 Application Classification: Functional Service Characteristics Target Level Highest Functional Service Characteristics High Functional Service Characteristics Medium Functional Service Characteristics Low Functional Service Characteristics  Event-Driven Account Lifecycle  Event-Driven Certification  Entitlement integrity enforced through programmatic reconciliation  Birthright-based Account Lifecycle  Access request and fulfillment automated  Closed-loop Certification  Privileged Account usage tracked; Session Recorded; Active Discovery of Privileged Accounts  Access Request Centralized  Workflow Routing  Single or Reduced Sign-On  Assisted Certifications  Privileged Accounts inventoried quarterly  User populations identifiable  Logs sufficient to illustrate IAM transactions Highest 4 High 3 Medium 2 Low 1 Functional service characteristics are determined based upon maturity level and are cumulative. They will be implemented for each application where technically feasible. Evidence required is dependent on Service Characteristics
6  IAM Capability Overview Program Services: Technical Development: • Level 1 team to support the primary On/OffBoarding processes for core credentials and logical assets. • Primary support for provisioning and de-provisioning of any IAM- integrated applications (~80+) • Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory. • RSA/MFA & VPN support including SecurID hard/soft token deployment. • Project-based core technical support specific to both small (new app) and large (Blue, Orange) projects. • Design, Development, and Deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM program. • Technical leadership on all existing as well as new IAM projects. • SME of all existing and new IAM products, services, and tools. • External IS project support wherever IAM SME experience is needed. • Ownership and design of IAM- deployed architecture supporting all Organization internal and external customers. Technical Operations: • Role and Entitlement Engineering and the support of existing RBAC models. • Enterprise Business Support for existing services as well as new projects. • Oversight of Quarterly and Yearly reviews of end-user and privileged accounts. • IAM solution on-boarding and deployment. • User Acceptance Testing oversight and coordination with Testing COE. • Program communications, including metrics and reporting. Business Operations: To align Organization’s identity and access management capabilities closer to the industry and its peers by reengineering business processes, enabling the business with technology, and introducing automation wherever possible in a cost-effective and efficient manner. Programs: Department Mission: Technical Operations Identity and Access Management Business Operations Technical Developm ent
7 General IAM Services / Technical Portfolio IAM – Current Services Component Description Unix LDAP (Temporary) Unix User Store for UNIX Authentication and replicated with GE Unix LDAP Unix LDAP (Permanent) Unix User Store for UNIX Authentication/ Pre- populated with existing Synchrony Financials employees AS400, AD, Mainframe Critical care of core assets for account provisioning, PA mgmt., and Role Mgmt. SSO LDAP SSO LDAP Infrastructure for SSO Authentication, and VPN user configuration SSO Infrastructure to provide Single Sign On / Authorizations Ping Federation & CA Federation Federation infrastructure for External Federation partners – SAML2.0 Component Description Lifecycle Management Managing the lifecycle of user access (Joiner, Mover, Leaver, Converter, Rehire) Access Requests User interface to request access to systems for both normal and Privileged Access (PA) Access Provisioning Add, modify, remove user accounts on target applications through an (Resource Adapter/RA) or Admin notification (Virtual Resource Adapter/VRA) Role Lifecycle Management Manage the lifecycle of Roles (Role Profiles/RP and System Access Profiles/SAP) Access Review Review user access to applications, as well as privileged access, on a periodic basis. Component Description Privileged Identity Management PA Credential Management Solution for Vaulting and Managing Access Control for Windows and *NIX OS Server Shared Accounts and *NIX Super User Accounts RSA SecurID / RADIUS (Permanent Production Environment) Base Infrastructure Setup for Future Integration with IAM for User Creation, Self Service Features and integration with Active Directory and Ongoing User Migrations
8 Identity and Access Management Portal
9 IAM Portal Overview  The IAM Portal is the Identity & Access Management tool for Provisioning and Certifications  The main benefits include:  Automated access provisioning / deprovisioning  Requestor workflow transparency (“track my requests”)  Enhanced certification / attestation processes  Closed loop remediation  “SoD” prevention & detection  Centralized password reset  Contingent Worker creation / management  Delegation  VPN management  Distribution List management
10 Application Onboarding Onto Portal The application onboarding focuses on integrating business managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single-Sign-On, Privileged Access, and Logging capabilities.  Full Automation (wherever possible)  Eliminates manual provisioning errors  Nightly aggregations ensure the user base remains in sync and current  Terminations and removals are processed immediately  Centralized Certifications  Application access is certified within IAM Portal using current data  Multi-level review starting with user managers  Ability to delegate individual roles or users to another certifier  Transparency  Current user access (roles / entitlements)  User attributes (manager, dept., job function, etc.)  Ad hoc reporting & metrics
11 IAM Portal High Level Architecture (How it Works) (Employees) IAM Portal CW Management Lifecycle Manager Access Provisioning Compliance Manager VPN, DL, Delegation, etc. Man ual Auto Provisioning CSV Reporting & Metrics
12 Application Certifications and Attestations
13 User Access Management is an On-going Process throughout the entire User’s lifecycle
14 Attestation Landscape – How do we determine “who has access to what” in an application ? Centrally Managed Apps Business Managed Apps Connected Manual IAM automatically creates or modifies the access needed 1. IAM team manually creates or modifies the access needed 2. IAM team would load the file of “who has access to what” Manual Business Owner works with IT Owner to get a file of “who has access to what” for loading to the Excel Template Automated Attestations Manual Attestations • Evidence of Certification performed by Manager (new model) or RPO • Metrics: Revocations vs. Keeps, Time to Revoke, Time to Complete, etc. • Must complete process – only acceptable bar is 100% completion, every time Attestation principles are the same whether Centralized or Business Managed
15 IAM Attestations: The Attestation Lifecycle Assess Define Review Remediate Govern Assess • Certification Type & Scope: Regular, or targeted sub- group • Frequency: SOX/PCI and Privileged Access = Quarterly, all others Annually Define • Retrieve access information into Attestation Templates • Educate on Review & Remediation • Provide Training; Kick-off review cycle Review • Conduct user access reviews: Manager-based • Continuous Progress Reports weekly up to ELT • RPO support & assistance to Business where needed • 4 week cycle for reviews Remediate • Remediate user access where noted within 48 hours after closure of review • Ticket/Closure or Evidence of remediation required for Audit • Additional access pulls might be required to provide evidence of removals Govern • Establish enterprise standards/principles • Requirements & Controls for review • Set Roles & Responsibilities for user access review • Perform Quality Assurance / Spot Checking • Secure Sign-off’s from IT and Business Owners
16 Privileged Identity Management
17 Who Are Privileged Access Users Users who have access to do the following activities are considered to have privileged access: • Provision users • Reboot servers • System level administration access • System administrator level access within an application security module that allows individuals to override the controls of the application • IDs provided as part of third party software solutions used to complete installation of the software. • IDs that are used to run applications. • Administrators with the ability to grant access or elevate privileges on an in scope device
18 Account Administration Account Administration Procedures Exception & Violation Procedures PA Awareness Training PA Account Inventory PA Account Reduction Strategy Governance Reporting Criteria PA Metrics Criteria Policy, Standard and Procedures Roles and Responsibility Compliance Validation Efforts Monitoring Definition of Risk Criteria Alert Configuration Tool Configuration Reporting Metrics Operational Staffing Model Roles and Responsibility Enforcement Standard Operating Procedures Data Feed Inventory Technology On- boarding Procedures PA Logging Validation PA Program: Objectives
19 PA Program: Summary • Dedicated PA monitoring team • Daily alert reconciliation • Password vaulting for NPA accounts • Updated PA policies and Job Aid • Manual quarterly PA review • Alert tracking workflow • Violation tracking data form • Continuously working with teams to tune alerts • Manual IAM Feeds • Developed training for PA users • More robust Nix monitoring • Automation between IAM and Splunk • Real Time Monitoring • IAM quarterly PA reviews • Restricting of service account logon • Management of service accounts • Removal of PA from personal ids • Ability to discover PA accounts • Solution for root/super user access • Session recording • Access to IAM data to verify user access • CDI/SSO lookup tools • File level monitoring (Windows) • Technology not in place • Immaturity of IAM platform • Incorporation of PA requirements within IAM What needs to be done Whatis Needed Challenges
20 PIM Tool Rollout Strategy Privileged Identity Management (PIM) Project Overview: Release to Production and deployment of Enterprise Random Password Manager Include deployment to Applications, Databases, Appliances and Devices across Production environments that use non-personal accounts. ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems High-level Deployment Plan  Deployment of all in-scope Applications, Databases, Appliances and Devices in subsequent phases  Migrate Class PXX/SOX  Migration of accounts, LDAP and Local accounts  Migrate Unix/Linux accounts  IAM Portal and Help Desk Integrations with PIM Tool  Develop End User support models for Implementation and Ongoing BAU Impact  Technology:  Platforms, Appliances, Mainframe, AS 400,Unix (Solaris & RHEL),Windows Database, Accounts: Shared Service  People:  Enterprise Architecture, Security, Architecture, Security Ops,  Infrastructure Teams: Compute and Build teams, Servers Admins, DB & Run teams, Networking, Mainframe/AS 400Application Teams
21 Why IAM ? Improves operational efficiency and regulatory compliance management 1. User on-boarding and other repetitive tasks. – Self-service for users requesting password resets 2. To protect systems, applications and information from internal and external threats. – Deleting sensitive files. 3. To comply with various regulatory, privacy and data protection requirements
22 Use cases: 1. Employees and on-site contractors of an organization accessing SaaS service using identity federation. 2. IT administrators accessing CSP management console to provision resources and access for users using a corporate identity. 3. Developers creating accounts in a PaaS platform 4. End users accessing storage service in the cloud and sharing files and objects with users, within and outside the domain using access policy management features. 5. An application residing in a cloud service provider accessing storage from another cloud service
23 IAM Definitions: Authentication – Verifying the identity of a user, system or service. Authorization – Privileges that a user or system or service has after being authenticated (e.g., access control) – In some cases, there is no authorization; any user may be use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization. Auditing – Review and examine what the user, system or service has carried out – Check for compliance
24 IAM Architecture and Practice User management – Activities for the effective governance and management of identity life cycles. Authentication management – Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be. Authorization management – Activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organization’s policies
25 Identity life cycle
26 IAM process consists of the following: – User management (for managing identity life cycles), – Authentication management, – Authorization management, – Access management, – Data management and provisioning, – Monitoring and auditing – Provisioning, – Credential and attribute management, – Entitlement management, – Compliance management, – Identity federation management, – Centralization of authentication and authorization,
27 IAM Standards and Specifications for Organizations 1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience for my users? SAML. 2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning? SPML. 3. How can I provision user accounts with appropriate privileges and manage entitlements for my users? XACML. 4. How can I authorize cloud service X to access my data in cloud service Y without disclosing credentials? OAuth
28 Security Assertion Markup Language (SAML) • SAML is the most mature, detailed, and widely adopted specifications family for browserbased federated sign-on for cloud users.
29
30 The figure illustrates the following steps involved in the SSO process of a user who is federated to Google
31 Open Authentication (OAuth) • OAuth is an emerging authentication standard that allows consumers to share their private resources (e.g., photos, videos, contact lists, bank accounts) stored on one CSP with another CSP without having to disclose the authentication information (e.g., username and password). • OAuth is an open protocol and it was created with the goal of enabling authorization via a secure application programming interface (API)-a simple and standard method for desktop, mobile, and web applications
32

Recommended

Co p
Co pCo p
Co pAllyn McGillicuddy
 
IDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIdentity Defined Security Alliance
 
Co p
Co pCo p
Co pAllyn McGillicuddy
 
Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Identity Defined Security Alliance
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Resume
ResumeResume
ResumeKamran Suleman
 
IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...
IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...
IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...IBM Software India
 

Recommended

Co p
Co pCo p
Co pAllyn McGillicuddy
 
IDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIdentity Defined Security Alliance
 
Co p
Co pCo p
Co pAllyn McGillicuddy
 
Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Identity Defined Security Alliance
 
Evolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum: All you need to know about identity & access management
Evolveum: All you need to know about identity & access managementEvolveum
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
Resume
ResumeResume
ResumeKamran Suleman
 
IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...
IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...
IBM Solutions Connect 2013 - Increase Efficiency by Automating IT Asset & Ser...IBM Software India
 
Identity and Access Management (IAM) in Cloud Computing
Identity and Access Management (IAM) in Cloud ComputingIdentity and Access Management (IAM) in Cloud Computing
Identity and Access Management (IAM) in Cloud ComputingCiente
 
SAP GRC
SAP GRC SAP GRC
SAP GRC Kellton Tech Solutions Ltd
 
IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant Saravanan Purushothaman
 
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital TransformationWSO2
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the HourTechdemocracy
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access managementPiyush Jain
 
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceIBM Security
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Gord Reynolds
 
Need of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless EnterpriseNeed of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless Enterprisehardik soni
 
Saipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_VitaeSaipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_VitaeSaipraveen Gottuparthy
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access ManagementLance Peterman
 
IDM in telecom industry
IDM in telecom industryIDM in telecom industry
IDM in telecom industryAjit Dadresa
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
Identity and Access Management Solutions
Identity and Access Management SolutionsIdentity and Access Management Solutions
Identity and Access Management Solutionskiranrollingrock
 
Tuebora Self Driven IAM
Tuebora Self Driven IAMTuebora Self Driven IAM
Tuebora Self Driven IAMIranna Hurakadli
 
Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar Roddam
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT
 
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...manoharparakh
 
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...manoharparakh
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝9953056974 Low Rate Call Girls In Saket, Delhi NCR
 

More Related Content

Similar to 20170912_Identity_and_Access_Management.pptx

Identity and Access Management (IAM) in Cloud Computing
Identity and Access Management (IAM) in Cloud ComputingIdentity and Access Management (IAM) in Cloud Computing
Identity and Access Management (IAM) in Cloud ComputingCiente
 
IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant Saravanan Purushothaman
 
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital TransformationWSO2
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the HourTechdemocracy
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access managementPiyush Jain
 
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceIBM Security
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Gord Reynolds
 
Need of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless EnterpriseNeed of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless Enterprisehardik soni
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access ManagementLance Peterman
 
IDM in telecom industry
IDM in telecom industryIDM in telecom industry
IDM in telecom industryAjit Dadresa
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business CaseHitachi ID Systems, Inc.
 
Identity and Access Management Solutions
Identity and Access Management SolutionsIdentity and Access Management Solutions
Identity and Access Management Solutionskiranrollingrock
 
Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar Roddam
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT
 
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...manoharparakh
 
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...manoharparakh
 

Similar to 20170912_Identity_and_Access_Management.pptx (20)

Identity and Access Management (IAM) in Cloud Computing
Identity and Access Management (IAM) in Cloud ComputingIdentity and Access Management (IAM) in Cloud Computing
Identity and Access Management (IAM) in Cloud Computing
 
SAP GRC
SAP GRC SAP GRC
SAP GRC
 
IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant
 
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
 
Why IAM is the Need of the Hour
Why IAM is the Need of the HourWhy IAM is the Need of the Hour
Why IAM is the Need of the Hour
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
 
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity GovernanceThe Good, the Bad and the Ugly: A Different Perspective on Identity Governance
The Good, the Bad and the Ugly: A Different Perspective on Identity Governance
 
Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)Capgemini ses - security po v (gr)
Capgemini ses - security po v (gr)
 
Need of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless EnterpriseNeed of Adaptive Authentication in defending the borderless Enterprise
Need of Adaptive Authentication in defending the borderless Enterprise
 
Saipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_VitaeSaipraveen_Cirrculum_Vitae
Saipraveen_Cirrculum_Vitae
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access Management
 
IDM in telecom industry
IDM in telecom industryIDM in telecom industry
IDM in telecom industry
 
Building an Identity Management Business Case
Building an Identity Management Business CaseBuilding an Identity Management Business Case
Building an Identity Management Business Case
 
Identity and Access Management Solutions
Identity and Access Management SolutionsIdentity and Access Management Solutions
Identity and Access Management Solutions
 
Tuebora Self Driven IAM
Tuebora Self Driven IAMTuebora Self Driven IAM
Tuebora Self Driven IAM
 
Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management Sreedhar CV_PKI - Certificate Management
Sreedhar CV_PKI - Certificate Management
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity Management
 
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
 
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...Guarding Your Business's Core The Vital Role of Privileged Access Management ...
Guarding Your Business's Core The Vital Role of Privileged Access Management ...
 

Recently uploaded

Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
sasti delhi Call Girls in munirka 🔝 9953056974 🔝 escort Service-
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 

20170912_Identity_and_Access_Management.pptx

  • 1. 1 Identity and Access Management PMI Westchester Quality SIG Presentation September 12th 2017
  • 2. 2 Identity and Access Management is Everyone’s Responsibility What is Identity & Access Management (IAM)? A set of tools & services used to manage access to systems or resources used by personnel as well as our customers Why is Managing Access Important? Controlling access = Controlling risk How Do We Manage Applications? Centrally-Managed applications – you ask IT to do it. • Use one or more centrally-managed IAM services Business-Managed applications – you ask some in business to do it. • Applications the business manages locally. The business owns and creates the access to application. The owner has responsibility for and the timely removal of access when someone terminates or transfers jobs. • Who Is Responsible for Managing Access? Everyone who manages employees or contractors in the organization
  • 3. 3 3 3 Request, Review, Remove Identity and Access Management is Everyone’s Responsibility 1. The IAM team can/will manage access on my behalf 2. Eventually all applications will be centrally managed 3. When someone leaves the company, HR makes sure their access is terminated What Do I Need To Do As A Manager? Request Access For Your Personnel • Contact your Role Profile Owner • Visit the IAM Support Central Site Review Access When Prompted • High-risk applications reviewed quarterly, all others annually Remove Access When People Leave • Submit requests within 24 hours of a job change • Go to Workday for full-time employees • Go to IAM Portal for contract workers Common Misperceptions 2 3 1
  • 4. IAM Program – Strategic Goals Identity & Credentials: 1. Move towards a culturally aware business climate around IAM and enforce the use of a common identifier for all personnel utilizing Organization assets, both employee and non-employee. 2. Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve consistency, and minimize cost. 3. Implement a robust privileged user management program to identify, manage, and monitor access of privileged accounts on the Organization network. 4. Automate the provisioning and de-provisioning of core credentials and roles tied to identity events. Entitlements and Access Control: 1. Implement a business application on-boarding paradigm (aka “adoption”) that enables targeted applications to integrate to IAM and minimizes the amount of re-work as the maturity of the overall IAM solution grows. 2. Target high-risk applications (e.g. SOX/PCI), to be fully integrated to IAM with identity-event-driven workflow to ensure full lifecycle automation and management (request, grant, review, remove, term, transfer). 3. Integrate high-risk physical and logical assets into program that have weak IAM controls and present risk to firm (e.g. local admin, laptops, badging system, etc.). Audit and Compliance: 1. Enable the business to perform scheduled or ad-hoc access reviews of any group of assets on Organization across all users and the access they hold (i.e. “Who has access to what ?”). 2. Provide accurate and timely compliance / auditing reports as well as metrics to operational teams, business areas, and other interested parties. Identities Entitlements Access Control Audit & Compliance Credentials
  • 5. 5 Application Classification: Functional Service Characteristics Target Level Highest Functional Service Characteristics High Functional Service Characteristics Medium Functional Service Characteristics Low Functional Service Characteristics  Event-Driven Account Lifecycle  Event-Driven Certification  Entitlement integrity enforced through programmatic reconciliation  Birthright-based Account Lifecycle  Access request and fulfillment automated  Closed-loop Certification  Privileged Account usage tracked; Session Recorded; Active Discovery of Privileged Accounts  Access Request Centralized  Workflow Routing  Single or Reduced Sign-On  Assisted Certifications  Privileged Accounts inventoried quarterly  User populations identifiable  Logs sufficient to illustrate IAM transactions Highest 4 High 3 Medium 2 Low 1 Functional service characteristics are determined based upon maturity level and are cumulative. They will be implemented for each application where technically feasible. Evidence required is dependent on Service Characteristics
  • 6. 6  IAM Capability Overview Program Services: Technical Development: • Level 1 team to support the primary On/OffBoarding processes for core credentials and logical assets. • Primary support for provisioning and de-provisioning of any IAM- integrated applications (~80+) • Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory. • RSA/MFA & VPN support including SecurID hard/soft token deployment. • Project-based core technical support specific to both small (new app) and large (Blue, Orange) projects. • Design, Development, and Deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM program. • Technical leadership on all existing as well as new IAM projects. • SME of all existing and new IAM products, services, and tools. • External IS project support wherever IAM SME experience is needed. • Ownership and design of IAM- deployed architecture supporting all Organization internal and external customers. Technical Operations: • Role and Entitlement Engineering and the support of existing RBAC models. • Enterprise Business Support for existing services as well as new projects. • Oversight of Quarterly and Yearly reviews of end-user and privileged accounts. • IAM solution on-boarding and deployment. • User Acceptance Testing oversight and coordination with Testing COE. • Program communications, including metrics and reporting. Business Operations: To align Organization’s identity and access management capabilities closer to the industry and its peers by reengineering business processes, enabling the business with technology, and introducing automation wherever possible in a cost-effective and efficient manner. Programs: Department Mission: Technical Operations Identity and Access Management Business Operations Technical Developm ent
  • 7. 7 General IAM Services / Technical Portfolio IAM – Current Services Component Description Unix LDAP (Temporary) Unix User Store for UNIX Authentication and replicated with GE Unix LDAP Unix LDAP (Permanent) Unix User Store for UNIX Authentication/ Pre- populated with existing Synchrony Financials employees AS400, AD, Mainframe Critical care of core assets for account provisioning, PA mgmt., and Role Mgmt. SSO LDAP SSO LDAP Infrastructure for SSO Authentication, and VPN user configuration SSO Infrastructure to provide Single Sign On / Authorizations Ping Federation & CA Federation Federation infrastructure for External Federation partners – SAML2.0 Component Description Lifecycle Management Managing the lifecycle of user access (Joiner, Mover, Leaver, Converter, Rehire) Access Requests User interface to request access to systems for both normal and Privileged Access (PA) Access Provisioning Add, modify, remove user accounts on target applications through an (Resource Adapter/RA) or Admin notification (Virtual Resource Adapter/VRA) Role Lifecycle Management Manage the lifecycle of Roles (Role Profiles/RP and System Access Profiles/SAP) Access Review Review user access to applications, as well as privileged access, on a periodic basis. Component Description Privileged Identity Management PA Credential Management Solution for Vaulting and Managing Access Control for Windows and *NIX OS Server Shared Accounts and *NIX Super User Accounts RSA SecurID / RADIUS (Permanent Production Environment) Base Infrastructure Setup for Future Integration with IAM for User Creation, Self Service Features and integration with Active Directory and Ongoing User Migrations
  • 8. 8 Identity and Access Management Portal
  • 9. 9 IAM Portal Overview  The IAM Portal is the Identity & Access Management tool for Provisioning and Certifications  The main benefits include:  Automated access provisioning / deprovisioning  Requestor workflow transparency (“track my requests”)  Enhanced certification / attestation processes  Closed loop remediation  “SoD” prevention & detection  Centralized password reset  Contingent Worker creation / management  Delegation  VPN management  Distribution List management
  • 10. 10 Application Onboarding Onto Portal The application onboarding focuses on integrating business managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single-Sign-On, Privileged Access, and Logging capabilities.  Full Automation (wherever possible)  Eliminates manual provisioning errors  Nightly aggregations ensure the user base remains in sync and current  Terminations and removals are processed immediately  Centralized Certifications  Application access is certified within IAM Portal using current data  Multi-level review starting with user managers  Ability to delegate individual roles or users to another certifier  Transparency  Current user access (roles / entitlements)  User attributes (manager, dept., job function, etc.)  Ad hoc reporting & metrics
  • 11. 11 IAM Portal High Level Architecture (How it Works) (Employees) IAM Portal CW Management Lifecycle Manager Access Provisioning Compliance Manager VPN, DL, Delegation, etc. Man ual Auto Provisioning CSV Reporting & Metrics
  • 13. 13 User Access Management is an On-going Process throughout the entire User’s lifecycle
  • 14. 14 Attestation Landscape – How do we determine “who has access to what” in an application ? Centrally Managed Apps Business Managed Apps Connected Manual IAM automatically creates or modifies the access needed 1. IAM team manually creates or modifies the access needed 2. IAM team would load the file of “who has access to what” Manual Business Owner works with IT Owner to get a file of “who has access to what” for loading to the Excel Template Automated Attestations Manual Attestations • Evidence of Certification performed by Manager (new model) or RPO • Metrics: Revocations vs. Keeps, Time to Revoke, Time to Complete, etc. • Must complete process – only acceptable bar is 100% completion, every time Attestation principles are the same whether Centralized or Business Managed
  • 15. 15 IAM Attestations: The Attestation Lifecycle Assess Define Review Remediate Govern Assess • Certification Type & Scope: Regular, or targeted sub- group • Frequency: SOX/PCI and Privileged Access = Quarterly, all others Annually Define • Retrieve access information into Attestation Templates • Educate on Review & Remediation • Provide Training; Kick-off review cycle Review • Conduct user access reviews: Manager-based • Continuous Progress Reports weekly up to ELT • RPO support & assistance to Business where needed • 4 week cycle for reviews Remediate • Remediate user access where noted within 48 hours after closure of review • Ticket/Closure or Evidence of remediation required for Audit • Additional access pulls might be required to provide evidence of removals Govern • Establish enterprise standards/principles • Requirements & Controls for review • Set Roles & Responsibilities for user access review • Perform Quality Assurance / Spot Checking • Secure Sign-off’s from IT and Business Owners
  • 17. 17 Who Are Privileged Access Users Users who have access to do the following activities are considered to have privileged access: • Provision users • Reboot servers • System level administration access • System administrator level access within an application security module that allows individuals to override the controls of the application • IDs provided as part of third party software solutions used to complete installation of the software. • IDs that are used to run applications. • Administrators with the ability to grant access or elevate privileges on an in scope device
  • 18. 18 Account Administration Account Administration Procedures Exception & Violation Procedures PA Awareness Training PA Account Inventory PA Account Reduction Strategy Governance Reporting Criteria PA Metrics Criteria Policy, Standard and Procedures Roles and Responsibility Compliance Validation Efforts Monitoring Definition of Risk Criteria Alert Configuration Tool Configuration Reporting Metrics Operational Staffing Model Roles and Responsibility Enforcement Standard Operating Procedures Data Feed Inventory Technology On- boarding Procedures PA Logging Validation PA Program: Objectives
  • 19. 19 PA Program: Summary • Dedicated PA monitoring team • Daily alert reconciliation • Password vaulting for NPA accounts • Updated PA policies and Job Aid • Manual quarterly PA review • Alert tracking workflow • Violation tracking data form • Continuously working with teams to tune alerts • Manual IAM Feeds • Developed training for PA users • More robust Nix monitoring • Automation between IAM and Splunk • Real Time Monitoring • IAM quarterly PA reviews • Restricting of service account logon • Management of service accounts • Removal of PA from personal ids • Ability to discover PA accounts • Solution for root/super user access • Session recording • Access to IAM data to verify user access • CDI/SSO lookup tools • File level monitoring (Windows) • Technology not in place • Immaturity of IAM platform • Incorporation of PA requirements within IAM What needs to be done Whatis Needed Challenges
  • 20. 20 PIM Tool Rollout Strategy Privileged Identity Management (PIM) Project Overview: Release to Production and deployment of Enterprise Random Password Manager Include deployment to Applications, Databases, Appliances and Devices across Production environments that use non-personal accounts. ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems High-level Deployment Plan  Deployment of all in-scope Applications, Databases, Appliances and Devices in subsequent phases  Migrate Class PXX/SOX  Migration of accounts, LDAP and Local accounts  Migrate Unix/Linux accounts  IAM Portal and Help Desk Integrations with PIM Tool  Develop End User support models for Implementation and Ongoing BAU Impact  Technology:  Platforms, Appliances, Mainframe, AS 400,Unix (Solaris & RHEL),Windows Database, Accounts: Shared Service  People:  Enterprise Architecture, Security, Architecture, Security Ops,  Infrastructure Teams: Compute and Build teams, Servers Admins, DB & Run teams, Networking, Mainframe/AS 400Application Teams
  • 21. 21 Why IAM ? Improves operational efficiency and regulatory compliance management 1. User on-boarding and other repetitive tasks. – Self-service for users requesting password resets 2. To protect systems, applications and information from internal and external threats. – Deleting sensitive files. 3. To comply with various regulatory, privacy and data protection requirements
  • 22. 22 Use cases: 1. Employees and on-site contractors of an organization accessing SaaS service using identity federation. 2. IT administrators accessing CSP management console to provision resources and access for users using a corporate identity. 3. Developers creating accounts in a PaaS platform 4. End users accessing storage service in the cloud and sharing files and objects with users, within and outside the domain using access policy management features. 5. An application residing in a cloud service provider accessing storage from another cloud service
  • 23. 23 IAM Definitions: Authentication – Verifying the identity of a user, system or service. Authorization – Privileges that a user or system or service has after being authenticated (e.g., access control) – In some cases, there is no authorization; any user may be use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization. Auditing – Review and examine what the user, system or service has carried out – Check for compliance
  • 24. 24 IAM Architecture and Practice User management – Activities for the effective governance and management of identity life cycles. Authentication management – Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be. Authorization management – Activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organization’s policies
  • 26. 26 IAM process consists of the following: – User management (for managing identity life cycles), – Authentication management, – Authorization management, – Access management, – Data management and provisioning, – Monitoring and auditing – Provisioning, – Credential and attribute management, – Entitlement management, – Compliance management, – Identity federation management, – Centralization of authentication and authorization,
  • 27. 27 IAM Standards and Specifications for Organizations 1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience for my users? SAML. 2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning? SPML. 3. How can I provision user accounts with appropriate privileges and manage entitlements for my users? XACML. 4. How can I authorize cloud service X to access my data in cloud service Y without disclosing credentials? OAuth
  • 28. 28 Security Assertion Markup Language (SAML) • SAML is the most mature, detailed, and widely adopted specifications family for browserbased federated sign-on for cloud users.
  • 29. 29
  • 30. 30 The figure illustrates the following steps involved in the SSO process of a user who is federated to Google
  • 31. 31 Open Authentication (OAuth) • OAuth is an emerging authentication standard that allows consumers to share their private resources (e.g., photos, videos, contact lists, bank accounts) stored on one CSP with another CSP without having to disclose the authentication information (e.g., username and password). • OAuth is an open protocol and it was created with the goal of enabling authorization via a secure application programming interface (API)-a simple and standard method for desktop, mobile, and web applications
  • 32. 32

Editor's Notes

  1. Data Security – Must be compliant with our Data Security for the multitude of reasons Policy – We demonstrate and follow Data Policy for the OCC and the ability to show evidence of that adherence which ultimately reduces our overall risk. We tend to focus on the initial hire of an employee to ensure access is set correctly from the onset but really the larger issues comes when transfers and terminations occur. Initially – We want to have minimum amount of access for every employee. Job Changes – All access needs to be re “certified” and approved Temporary Exception access is time-bound and must be monitored closely and removed on expiration date. LOA require that all access be disabled. It is required by regulations and we need to work better on the ability to be able to “disable” vs “delete” across all our applications. – must be very closely monitored.. Terminations – 24 to 48 hours must be disabled and xx time we delete (which I not sure if 30,60 or 90 today?) LifeCycle Management is harder then initial setup so this is the area where we need to be Hyper focused going forward.. Good Access is from Start to Exit!! good, I think the key thing here is that they walk away understanding there are so many places "access" can be impacted...wheher new hire, job change, temp access, LOA, etc...and that is WHY we need to do regular certifications of access...