Securing Citizen Facing Applications
1. What personally have you seen as lessons learned to get the business on board with an
   EA Security Model?

   Edwin Lorenzana

   In the public sector space the EA security model is usually dictated by the constraints of
   independent agencies with decentralized business objectives, technical initiatives and separate
   reporting structures.

   This challenge requires a holistic textbook approach to decentralized federation that introduces
   governance and standards to reduce business risk and minimize security breaches.

   This governance initiative needs to be supported by technology that can enforce and report
   those controls while providing flexibility to the application owners to continue to deliver the
   expected service.

   Therefore I learned that you have to dedicate time to define not only the owners of each
   technology but also the owner of each governance section and current business process.

   Once you succeed in creating your ownership “org chart” then you need to provide that group
   with a realistic roadmap of the prerequisites, a laundry list of “soft” projects to achieve a
   federated circle of trust. The initial initiatives should focus on:

       •   Define governance

       •   Define/document the business process (the security lifecycle)

       •   Align the required data to be used to drive security (application security driven by HR
           Data)

   As you work through these projects you need to set goals that are a balance of the correct level
   of security controls, the required compliance and the needs of the individual owner.

   With that said I recommend that you dedicate a large amount of your time in the planning
   phases and work with your owners to kick off the internal “soft” projects to define the
   governance, document the business process and align the required data to automate those
   business processes.

   The key is that you drive the program and facilitate the projects, but work with them to define
   their own procedures as they will own the procedure behind the automation in the long term
   (post implementation).
– What are the initiatives that would help to define the required business process to correctly
proof an identity along with defining the correct attributes and data points to align the
identities across the various environments?

Eddie Lorenzana

As we discussed, our focus is to drive a holistic direction toward a decentralized federation model.

This approach needs to be supported by an effort to collect and document the account lifecycle in each
environment, the major ones being:

    •   The HR account Lifecycle

    •   The account Lifecycle of the various directories (Oracle Internet Directory, Active Directory, etc.)

    •   The application Lifecycle of the applications to be integrated.

As you define the account lifecycle for each of these, you will need to work with the environment owner
to analyze the state of the user stores. The goal of this analysis is to define a unique identifier that spans
all the user stores.

In most cases you will find that this will lead you to an initiative usually referred to as ID aggregation and
synchronization. To put it simply, you will need to lead an effort to implement a common unique
identifier across all the environments (emp ID for internal users and an assigned ID for citizens).

As you work through this, be sure to work with the environments to define secure communication options
across them; this is in support of future implementations of virtual directories, single sign-on
and password sync.

 Issue #4: Is a centralized or decentralized approach to authentication and authorization the more
feasible approach?

Eddie Lorenzana

As we have been discussing, in the public sector space the EA security model is usually dictated
by the constraints of independent agencies with decentralized business objectives, technical
initiatives and separate reporting structures, and therefore a decentralized federated approach
is the correct one.

Follow up questions

    1. What are the challenges of shared identity ownership?

The challenges of shared identity ownership are:

    •   Document the account lifecycle

    •   ID aggregation and synchronization

As you define the account lifecycle, you will need to work with the environment owner to analyze the
state of the user stores. The goal of this analysis is to define a unique identifier that spans all the
user stores. In most cases you will find that this will lead you to an initiative usually referred to as ID
aggregation and synchronization. To put it simply, you will need to lead an effort to implement a
common unique identifier across all the environments (emp ID for internal users and an assigned ID for
citizens).

As you work through this, be sure to work with the environments to define secure communication options
across them; this is in support of future implementations of virtual directories, single sign-on
and password sync.

To attain that, I like to work with a proven approach that clearly defines the “soft” initiatives
and maps out how they must be completed to ease the deployment of the technical implementations.
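The ID aggregation and synchronization step described in the two answers above, as an added example that is not part of the presentation notes: a Python script that correlates constructed HR, Active Directory and Oracle Internet Directory extracts onto one common identifier per person (the HR employee ID for internal users, an assigned ID for citizens). The store layouts, attribute names (employee_id, employeeNumber, mail, sAMAccountName, uid), the sample records and the citizen ID format are assumptions made for the illustration. It also surfaces what the matching rules cannot decide safely and should not merge on their own: a second account for the same person in one store, an employee number that contradicts the account's e-mail, accounts with no owner attribute, and directory accounts whose HR record is no longer active.

```python
# Added example, not part of the presentation notes: correlate accounts from
# several user stores onto one common identifier per person. All layouts,
# attribute names and records below are constructed for illustration.

# Constructed HR feed: the authoritative source for internal users.
HR_FEED = [
    {"employee_id": "E1001", "email": "Ana.Lopez@agency.example", "status": "active"},
    {"employee_id": "E1002", "email": "b.chen@agency.example", "status": "active"},
    {"employee_id": "E1003", "email": "c.diaz@agency.example", "status": "terminated"},
]

# Constructed Active Directory extract (employeeNumber is often blank in practice).
AD_ACCOUNTS = [
    {"sAMAccountName": "alopez", "mail": "ana.lopez@agency.example", "employeeNumber": "E1001"},
    {"sAMAccountName": "bchen", "mail": "B.Chen@Agency.example", "employeeNumber": ""},
    {"sAMAccountName": "bchen2", "mail": "b.chen@agency.example", "employeeNumber": ""},  # same person again
    {"sAMAccountName": "svc-backup", "mail": "", "employeeNumber": ""},  # nothing to correlate on
]

# Constructed Oracle Internet Directory extract, which also holds citizen accounts.
OID_ACCOUNTS = [
    {"uid": "ana.lopez", "mail": "ana.lopez@agency.example", "employeeNumber": "E1001"},
    {"uid": "cdiaz", "mail": "c.diaz@agency.example", "employeeNumber": "E1003"},
    {"uid": "citizen-7781", "mail": "pat.q@mail.example", "employeeNumber": ""},  # no HR record
]


def norm_email(value):
    """Case-fold and strip an e-mail so stores that differ only in casing still match."""
    return (value or "").strip().lower()


def build_hr_index(hr_feed):
    """Index the HR feed by employee ID and by normalised e-mail."""
    by_id = {r["employee_id"]: r for r in hr_feed}
    by_email = {norm_email(r["email"]): r for r in hr_feed}
    return by_id, by_email


def match_account(acct, hr_by_id, hr_by_email):
    """Return (employee_id or None, reason) for one directory account.

    The employee number is the stronger key, but one that contradicts the
    account's e-mail is reported as a conflict rather than trusted.
    """
    emp = (acct.get("employeeNumber") or "").strip()
    email = norm_email(acct.get("mail"))
    if emp:
        hr = hr_by_id.get(emp)
        if hr is None:
            return None, "unknown_employee_number"
        if email and norm_email(hr["email"]) != email:
            return None, "attribute_conflict"
        return emp, "matched_by_employee_number"
    if email in hr_by_email:
        return hr_by_email[email]["employee_id"], "matched_by_email"
    return None, "no_hr_match"


def aggregate(hr_feed, stores):
    """Map every account in `stores` ({name: (login_attribute, records)}) to a
    common identifier: the HR employee ID for internal users, an assigned
    citizen ID (format assumed here) for accounts with no HR record.

    Returns (identities, findings). Anything the rules cannot decide is not
    merged; it is listed as (severity, store, account, detail) for review.
    """
    hr_by_id, hr_by_email = build_hr_index(hr_feed)
    identities = {}        # common_id -> {"kind", "hr", "accounts"}
    findings = []
    citizen_by_email = {}  # normalised e-mail -> assigned citizen ID
    citizen_seq = 0

    def link(common_id, kind, hr, store, login):
        ident = identities.setdefault(common_id, {"kind": kind, "hr": hr, "accounts": []})
        if any(s == store for s, _ in ident["accounts"]):
            findings.append(("review", store, login, f"duplicate account for {common_id}"))
        ident["accounts"].append((store, login))

    for store, (login_attr, records) in stores.items():
        for acct in records:
            login = acct[login_attr]
            emp, reason = match_account(acct, hr_by_id, hr_by_email)
            if emp is not None:
                hr = hr_by_id[emp]
                link(emp, "internal", hr, store, login)
                if hr["status"] != "active":  # de-provisioning gap: HR says gone, directory says here
                    findings.append(("high", store, login,
                                     f"{emp} is {hr['status']} in HR but still has an account"))
            elif reason in ("unknown_employee_number", "attribute_conflict"):
                findings.append(("review", store, login, reason))
            else:
                email = norm_email(acct.get("mail"))
                if not email:
                    findings.append(("review", store, login, "no owner attribute; cannot correlate"))
                    continue
                if email not in citizen_by_email:
                    citizen_seq += 1
                    citizen_by_email[email] = f"C{citizen_seq:06d}"
                link(citizen_by_email[email], "citizen", None, store, login)

    for emp, hr in hr_by_id.items():  # active staff with no account at all are also worth a look
        if emp not in identities and hr["status"] == "active":
            findings.append(("info", "HR", emp, "active employee with no directory account"))
    return identities, findings


def run_sample():
    """Run the correlation over the constructed extracts."""
    return aggregate(HR_FEED, {"AD": ("sAMAccountName", AD_ACCOUNTS), "OID": ("uid", OID_ACCOUNTS)})


if __name__ == "__main__":
    identities, findings = run_sample()
    for common_id, ident in identities.items():
        print(common_id, ident["kind"], ident["accounts"])
    for finding in findings:
        print(*finding)
```

Conflicts are reported rather than auto-merged on purpose: linking two accounts on a contradictory attribute silently hands one person another person's access, so anything the rules cannot resolve goes to the owning line manager, which is the account matching and de-duplication sign-off the phased approach below asks for. Running the block prints the four resulting identities and three findings: a duplicate AD account for E1002, a service account with no owner, and a terminated employee (E1003) who still has an OID account.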

Follow up questions

    1. What sort of phased approach works for government agencies?

The Security Enterprise Architecture / Phased Approach model calls for the clear definition of
the Enterprise IT Security Business Service goals in the areas of:

    •   Enterprise Security Model

    •   Enterprise Directory Model

    •   Enterprise Access Control and User Management Model

The details of these goals should be defined by the executive sponsors from both the business
and IT of each independent agency. These details need to set a clear direction for a
federated decentralized model that provides secure access to resources while allowing
flexibility to the technology owners.

These goals should not only be clear, they need to be grounded and realistic. You need to
take special care to not be tempted to oversell goals in order to get the budget approved. As
you work through this process sell the goals but be sure to clearly define the requirements in
the next three phases.

Phase 1 focuses on fostering continued executive support and identifying and developing the
governance & standards teams that will provide the direction and political support to meet the
Enterprise IT Security Business Service goals by developing:
   •    Governance (CIOs, CISO, CFO, IT Director, HR Director, PS Mgr)

   •    Governance Standards

   •    Business & IT Policy (Policy writers for IT, Business, Compliance/Audit, IT Sec, Law dept)

   •    Data Standards & Procedures (Policy writers, user store owners, HR data entry, PS Mgr)

   •    Directory Standards & Procedures (user store owners, IT Sec, Compliance/Audit, Policy)

   •    Application Standards & Procedures (user store owners, IT Sec, Compliance/Audit,
        Policy)

During this phase you need to work on developing high level, industry best practices and get
the proper sign off from each of the members from each agency.

The risk here is that you will get push back to document the procedures before standards are
set. Or you could be asked to use professional services that have experience in this area; if the
budget allows it, do it.

If not, then use best-practice templates and get the sign off from the members. The reason is
that you will not succeed in getting the line managers to work with you if you do not have
support and written guidance from the executive sponsors.

Phase 2 focuses on getting the details from the line managers that are part of the user account
lifecycle. This phase should clearly show the step by step of the user account provisioning and
de-provisioning. This exercise is one of the most important phases as you cannot automate
unless the procedure is clearly defined. As you work through each account lifecycle you may
need to create two sets of documents: current state and future state as described by your
governance documentation.

As you create the future state you will need to clearly document and get sign off from the given
line manager on the requirements in the areas of:

    •   Composite Identity Management

    •   Account Matching and DeDuping

    •   Resource requirements for support & admin in phase 3

    •   Technical hurdles that will need to be tackled in phase 4

Phase 2 will be the longest and most difficult. As the line managers push back, be sure to sell the
cost savings that this will create during the implementation.

Once you have completed phase 2, check in with your implementation team and vendor to
confirm your implementation forecast and check in on the required internal support team.

I found that phase 3 is a good time to bring in your vendor's technical implementation team for
meetings as you work through defining your long term architecture and support.

Phase 3 should be your time to focus on creating your internal long term support system for
your Enterprise IT Security Business Service Goals. The challenge is that with a decentralized
model you will need to create a core IDM team that works with the individual environment
owners. This can be done by implementing delegated administration and IDW workflows.

In this phase you will need to work with the various environment owners to architect and
document the new virtual connections (OVD /Federation) and how to maintain them.

This will ease the implementation phases.

Phase 4 is where you can then implement the technology solutions that automate the previous
phases and create the “bridges” to join the various environments. These projects include the
implementation of:

    •   Virtual Directory

    •   Password Synchronization

    •   Role discovery (RBAC)

    •   Automated provisioning via IDM to directory target systems (OID, AD, etc.)

Once you have completed the integration of the directories this opens the doors to enterprise
application access in Phase 6.

If you are starting a new project, be sure to implement the early phases before spending the budget for
technical services.

If you are in the middle of this project you can still work through this approach to realign your
implementation.

As you do you will be challenged by the constant need to provide ROI for the selected t

To navigate through this balance you will need to carefully select the low-hanging fruit, like allowing a
single sign-on or password sync implementation in various environments that have met the data
requirements and only require minimal role definition. But be sure to go back and work through the
foundation phases as you work to improve your enterprise.

       •   Governance (CIOs, CSIO, CFO, IT Director, HR Director, PS Mgr)

       •   Governance Standards

       •   Business & IT Policy (policy writers for IT, Business, Compliance/Audit, IT Sec, Law dept)

       •   Data Standards & Procedures (policy writers, user store owners, HR data entry, PS Mgr)

       •   Directory Standards & Procedures (user store owners, IT Sec, Compliance/Audit, Policy)

       •   Application Standards & Procedures (user store owners, IT Sec, Compliance/Audit, Policy)

   During this phase you need to work on developing high-level, industry best practices and get the proper sign-off from each of the members from each agency. The risk here is that you will get push-back to document the procedures before standards are set. Or you could be asked to use professional services that have experience in this area; if the budget allows it, do it. If not, then use best practice templates and get the sign-off from the members. The reason is that you will not succeed in getting the line managers to work with you if you do not have support and written guidance from the executive sponsors.

   Phase 2 focuses on getting the details from the line managers that are part of the user account lifecycle. This phase should clearly show the step-by-step of user account provisioning and de-provisioning. This exercise is one of the most important phases, as you cannot automate unless the procedure is clearly defined. As you work through each account lifecycle you may need to create two sets of documents: current state, and future state as described by your governance documentation. As you create the future state you will need to clearly document and get sign-off from the given line manager on the requirements in the areas of:

       •   Composite Identity Management

       •   Account Matching and De-Duping

       •   Resource requirements for support & admin in phase 3

       •   Technical hurdles that will need to be tackled in phase 4

   Phase 2 will be the longest and most difficult.
As the line managers push back be sure to sell the cost savings that this will create during the implementation.
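   As an added illustration (not part of Eddie Lorenzana's deck) of the ID aggregation step and the Phase 2 account matching and de-duping requirement above: constructed HR, Active Directory and Oracle Internet Directory records are correlated to a common unique identifier (employee ID for internal users, an assigned ID for citizens) using a hypothetical employee-ID/email matching rule, with conflicts and duplicates reported for the line manager rather than merged silently.

```python
# Added example, not from the deck: constructed sample records for three user stores.
HR = [
    {"emp_id": "E1001", "email": "Ana.Ruiz@agency.example", "status": "active"},
    {"emp_id": "E1002", "email": "bob.lee@agency.example", "status": "terminated"},
]
AD = [
    {"sam": "aruiz", "mail": "ana.ruiz@agency.example", "employeeID": "E1001"},
    {"sam": "blee", "mail": "bob.lee@agency.example", "employeeID": ""},
    {"sam": "blee2", "mail": "b.lee@agency.example", "employeeID": "E1002"},
    {"sam": "svc-x", "mail": "bob.lee@agency.example", "employeeID": "E1001"},
]
OID = [
    {"uid": "ana.ruiz", "mail": "ana.ruiz@agency.example"},
    {"uid": "citizen77", "mail": "c.park@mail.example"},
]

def norm(email):
    """Normalize the matching attribute so case/whitespace do not split one person in two."""
    return email.strip().lower()

def aggregate(hr, ad, oid, first_citizen_id=1):
    """Link directory accounts to HR anchors and assign one common ID per person.
    Returns (identities, conflicts, duplicates): identities maps common_id to its HR status
    and linked accounts; conflicts are accounts whose attributes point at two HR anchors
    (never auto-merged); duplicates are second accounts in one store for the same person."""
    anchor = {norm(r["email"]): r["emp_id"] for r in hr}           # email -> employee ID
    identities = {r["emp_id"]: {"hr_status": r["status"], "accounts": []} for r in hr}
    conflicts, duplicates, next_citizen = [], [], first_citizen_id
    for store, records, key in (("AD", ad, "sam"), ("OID", oid, "uid")):
        for rec in records:
            hits = {c for c in (rec.get("employeeID"), anchor.get(norm(rec["mail"]))) if c}
            if len(hits) > 1:                  # attributes disagree: route to the line manager
                conflicts.append((store, rec[key], sorted(hits)))
                continue
            if hits:
                common_id = hits.pop()
            else:                              # no HR anchor: a citizen, so assign an ID
                common_id, next_citizen = f"C{next_citizen:04d}", next_citizen + 1
                identities[common_id] = {"hr_status": None, "accounts": []}
            label = f"{store}:{rec[key]}"
            if any(a.startswith(store + ":") for a in identities[common_id]["accounts"]):
                duplicates.append((common_id, label))   # de-duping candidate
            identities[common_id]["accounts"].append(label)
    return identities, conflicts, duplicates

def orphaned(identities):
    """Accounts still linked to a terminated HR record: a de-provisioning gap to close."""
    return sorted(a for i in identities.values() if i["hr_status"] == "terminated"
                  for a in i["accounts"])
```

   The orphaned list is the kind of current-state finding the Phase 2 lifecycle documentation should surface before any automated provisioning is built.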
   Once you have completed phase 2, check in with your implementation team and vendor to confirm your implementation forecast, and check in on the required internal support team. I found that phase 3 is a good time to bring in your vendor's technical implementation team for meetings as you work through defining your long-term architecture and support.

   Phase 3 should be your time to focus on creating your internal long-term support system for your Enterprise IT Security Business Service goals. The challenge is that with a decentralized model you will need to create a core IDM team that works with the individual environment owners. This can be done by implementing delegated administration and IDM workflows. In this phase you will need to work with the various environment owners to architect and document the new virtual connections (OVD / Federation) and how to maintain them. This will ease the implementation phases.

   Phase 4 is where you can then implement the technology solutions that automate the previous phases and create the “bridges” to join the various environments. These projects include the implementation of:

       •   Virtual Directory

       •   Password Synchronization

       •   Role discovery (RBAC)

       •   Automated provisioning via IDM to directory target systems (OID, AD etc.)

   Once you have completed the integration of the directories, this opens the doors to enterprise application access in Phase 6.

   If you are starting a new project, be sure to implement the early phases before spending the budget for tech services. If you are in the middle of this project you can still work through this approach to realign your implementation. As you do, you will be challenged by the constant need to provide ROI for the selected t To navigate this balance you will need to carefully select the low-hanging fruit, like allowing a single sign-on or password sync implementation in various environments that have met the data requirements and only require minimal role definition.
But be sure to go back and work through the foundation phases as you work to improve your enterprise.