Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Managing IdM In Uncertain Times - 2013 Edition


Published on

In this paper I address top five concerns that IT leaders, architects and managers of Identity & Access management would be concerned about when looking at managing and driving the enterprise IAM program. Many thanks to Rohit Gupta and Deepak Taneja for their reviewing and comments that helped me to create a much more interesting and valuable paper.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Managing IdM In Uncertain Times - 2013 Edition

  1. 1. A 5-step approach to managing Identity & Access Management Steve Tout July 2013 V002 Is now the time to hire a Director of IAM for your organization?
  3. 3. I coined the phrase “Managing IdM In Uncertain Times” for an assessment of Identity & Access Management I wrote for VMware in 2009. To me, it means running lean while minimizing risk to the business by ensuring higher levels of customer privacy and information assurance; operating efficiently while seeking ways to improve ROI and reduce costs through a holistic view of the IAM (Identity & Access Management) program. This paper identifies five key challenges we face today in IAM and the mindset required to achieve extraordinary success. Integrate Governance, Risk & Compliance – Most companies start out with an IAM program to improve manageability and streamline development by utilizing SSO and centralized administration. After some time, there can be significant gaps between GRC and Identity & Access Management that should be addressed for improved security and higher levels of assurance. Create organizational alignment – IdM is not fundamentally a development problem. It is not exclusively a security issue just as it is not intended to rest solely on the shoulders of operations. Create alignment of resources to avoid entropy from paralyzing the organization. Evolve the architecture – Technology changes quickly, but organizations often do not adapt as fast to the challenges. Creating and using an IAM reference architecture and 3-year roadmap will keep everyone focused on what matters, drive out redundancies, minimize risk and reduce TCO. Rethink the platform – Most companies have a significant investment in an IAM platform that is based on an outdated model for web access management. In rethinking the platform strategy, superior security and increased business competitiveness should top the list of priorities. Renew operational focus – An organization cannot move towards more efficient computing models like the cloud, reduce OpEx costs, increase operational efficiency or improve security without making some hard investment decisions. Manage This
  4. 4. 1. Integrate Governance, Risk & Compliance A GRC program provides critical controls and processes for any business. Governance aligns IT and the business and ensures continuing and consistent business value out of the IAM program. Supporting operational GRC within IT requires an integrated set of processes and solutions that should provide on-going and closed-loop monitoring, access certification, analytics, logging and alerting. At a minimum, an integrated GRC program should be able to answer the following questions:  Are you comfortable with data tampering or a customer/employee data breach due to compliant solutions not being consistently applied across the organization?  Are you comfortable with a disgruntled employee who has recently been terminated exploiting known vulnerabilities in our data and services without your knowledge?  Are you comfortable with the knowledge that security audits and dashboard reporting systems could have incomplete data, giving false confidence?  Are you comfortable with not knowing about partner/employee data being breached at SFDC and finding out about it days later?  With programs like PRISM undermining SaaS and CSPs on practically a daily basis, are you comfortable entrusting Salesforce as the system-of-record for identity & authentication data for more than 400M partner users?  Are you comfortable with knowing that policy audit and lifecycle management practices are not being followed, creating vulnerabilities exposed to the outside world?  Are you comfortable with the knowledge that there are inadequate and vulnerable authorization models in place as more of our compute goes to SaaS and Mobile platforms?  Are you comfortable with developers and admins accessing production outside of authorized window or with network admins or security engineers sniffing traffic unnoticed?  How do you feel about preparing your scorecard in context of how VMware ranks in each of these categories? The best response to the GRC challenges we face is to create better risk awareness and to drive convergence of security, GRC, IAM, SIEM and Big Data tools that do more inspection and that can correlate third-party intelligence. As a result, we achieve a more scalable and efficient model for threat management, security and identity management than before possible. Be Secure
  5. 5. Figure 1: Enterprise GRC should align and integrate more seamlessly and synergistically. Integrated GRC
  6. 6. 2. Create organizational alignment Without a leader whose sole focus is IAM & security concerns there will continue to be gaps in accountability and a constant feeling of under-achievement. (E.g. a feeling that we can and should be doing more!) Without a clear separation of duties, management and team members alike can spread themselves too thin as well as develop myopic vision from a too heavy emphasis on execution at the expense of valid strategy, architecture, planning and organization. With proper organizational structure, there will be excellent visibility both up and across the organization utilizing Joel Garfinkle’s PVI model for executive success. The barriers to collaboration must be demolished and a more effective approach to problem solving adopted for the greater good of the business, our shareholders value and customer privacy and security. Having one or more IAM veterans at the Director level reporting into a VP of Security or Operations will result in better visibility, streamlined accountability and reporting structure, improved collaboration in defining and executing IAM projects and significantly improved ability to deliver on the 3-year roadmap. As an industry benchmark, other companies in Silicon Valley have formed teams dedicated to this discipline, and VMware may learn from them as it continues to grow.  EBay - dedicated security & fraud division of over 80 people  Electronic Arts - security team responsible for internal and online assets with 20 people  BMC Software - internal security/compliance team of 5 experts and 3 directors of IAM Be Focused
  7. 7. 3. Evolve the architecture The requirements for Next-Gen Identity & Access Management are clear. Security, as well as IAM, must respond to growing business demands with solutions to address the need for scale, cloud, mobility and standards. IAM should not be viewed as merely a platform for providing security, SSO and provisioning solutions, but as a rich data source for delivering insights from big data and analytics platform that can spur increased conversion rates, improved customer engagement and satisfaction. IAM must continue to evolve as an enterprise shared service and continue to expand the scope of capabilities by driving adoption of next generation technologies to meet the needs of mobile and cloud-driven workforce – and the customers they serve. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies. With a focus on developing future-proof, standards based solutions, the following simple strategic roadmap demonstrates how one might deliver a Next-Generation IAM ecosystem. • Performance optimization • Multi-tenant scale & management (E.g. SDLC instances) • Elastic management Scale • Identity bridge for SaaS • Identity provider for IaaS/PaaS (E.g. vCHS, SFDC) • Hybrid cloud management Cloud • Mobile REST SDK • Mobile enterprise (BYOD, MDM, MAM, and EMM) • Mobile IAM toolkit (SDK, Gateway) Mobile • Common frameworks & reusable code libraries • SAML, SCIM, OAuth and OpenID Connect • Common STS • Cloud AuthZ Standards/API Be Elastic
  8. 8. 4. Rethink the platform The wisdom or insanity of ripping and replacing an enterprise IAM system such as the Oracle IdM Suite cannot be rationalized without diving into the details of how the product is being used or without examining Oracle’s roadmap and upgrade options and evaluating the alternatives out there. Web Access Management software is a mature category and has reached commodity status. As enterprise software goes, we should value it for what it is and pay accordingly. Oracle Access Manager has enjoyed a good run for over thirteen years but it is built on a bit outdated model that hinges on domain-centric policy management and an agent based architecture. There are alternative solutions that can provide equal - if not better - capabilities, for a fraction of the price. (Think open-source here) Based on experts and executives I have spoken with, potential savings in the range of 15% - 40% year over year looks to be possible. Also one must factor in the costs associated with migrating from 10g to 11g including architecture, infrastructure, operations, training and pro services just to name a few. In rethinking the platform, one really needs to understand the drivers and the rationale:  Are you comfortable knowing that only a fraction of the solution capabilities are used?  Are you comfortable with using it less as more of your applications turn to SaaS model, and yet you are still paying the same as you were before?  Are you comfortable with the costs to replace existing IAM growing exponentially year by year as the enterprise becomes more heavily invested in its use? Though Oracle Access Manager has proven to be very stable and predictable, it has remained relatively static as well, without realizing any security, performance or functionality advancements made since 2010. Then a fully rationalized architecture and quantitative analysis of expected TCO will yield insights into the financial model and help to identify potentially significant cost savings. At the same time, the world continues to adopt SaaS and BYOD thus the need for a modern, secure and scalable IAM platform cannot be underscored enough times. Be Open
  9. 9. 5. Renew operational focus "Unless you change how you are, you will always have what you've got." - Jim Rohn Achieving success with next generation of security and IAM infrastructure will not happen as the result of big bang upgrades. Much depends on understanding how new solutions impact existing applications, how new requirements impact architecture and how new systems and capabilities can be deployed within VMware’s cloud operating model. Success will be measured by the ease with which solutions achieve the most common coexistence and migration scenarios as well as the ability to realize value from the 3-year roadmap. Additionally, success could not be possible without training Sr. Managers and Tech Leads in Operations on how to monitor, maintain and support the new systems and processes that will be implemented as a result of executing against the 3-year roadmap. Installing a Leader or Director of IAM will add significant advantages in achieving success and for effectively managing all of the challenges mentioned in this paper. He or she would provide guidance to the Operations group while executing on the 3-year roadmap, such as:  Guidance on end-to-end SSO scenarios such as enterprise to cloud, cloud to enterprise, cloud to cloud, mobile enterprise and how to support the use cases  Guidance about how authentication, authorization, account provisioning and governance works in the web services world  Governance, analytics and audit for user/partner/employee identity and entitlements across on-prem, SaaS and mobile applications for privacy assurance and risk management  Guidance and support for leveraging CMDB and ITSM for managing IAM in a hybrid cloud environment for operational efficiency and scale  Integration of IAM and SIEM systems to improve user/role management, enable real-time risk and audit capabilities for threat and compliance management and prevent APTs Now is as good a time as ever to re-think VMware’s IAM platform and strategy to potentially realize cost savings of 15-40% and that would bring about the opportunity to modernize the platform with advanced technologies such as Identity Analytics, Big Data and Integrated GRC for superior security and competitive edge. Be Adaptable
  10. 10. Additional reading and list of references Do You Need An Identity Officer? Leadership, not Process, is the Keystone of Innovation Moving Towards Proactive & Holistic Security The Impact of Total Cost of Ownership in IAM Investment Decisions ITIL V3 and IAM Governance: the PBR Model The PVI Model Dismantling Your Legacy Identity Management Forrester Research: Navigate the Future of Identity and Access Management Be Curious