4. 4
Introduction
Dan Houser, CISSP-ISSAP, CISM, CISA, CSSLP, CGEIT
• Sr. Security & Identity Architect
• Cardinal Health
– $103 billion healthcare corporation, #19 on the Fortune 500
– 350+ facilities in 90 countries
• 20 years IT experience
– Banking, Financial Services, Education, Consulting,
Telecommunications, Healthcare
• (ISC)² Board Member
• RSA Conference Committee
5. 5
Level Set: Common Problems
• Too many identity repositories & identity islands
• Users want Single Sign-on, but no $$ to fund it
• Single Sign-on should be free, but requires capital
• You have identity problems that seem impossible to fix
• Identity gets no respect in your organization
• Reporting and compliance needs are getting more complex, not less
• eDiscovery & regulations causing headaches
• Heavy knowledge base among identity admins, but little documentation
• No cohesive identity strategy
• Authentication complexity is growing, but there is no appetite for addressing it with enterprise PKI
6. 6
Level Set: Common Problems
• Authentication risk management emerging
• Break-glass / privileged user access with accountability gaps
• Rapid move to Cloud / Outsourcing / etc., with identity a distant afterthought
• More Federation than ever before
• More AD domains than you want
• HR owns employee identity, but doesn’t know it
• Managing service/system accounts is a big problem
• More non-employees than ever with our data
• User context missing from security event processes
• More exceptions than rules?
7. 7
Forces of change affecting identity…
• Data Privacy & Invasive Technology
– Massive Consumer Info Aggregation
– Context Sensitive Computing with Consumerization
– Ubiquity of Mobile & Wearable Computing
– Highly mobile storage & capture devices
– Social networking & HTTP-based storage
• Degradation of Trust
– Spam & Phishing
– Credit card theft
– Malware Everywhere
– Identity Theft
• Reactionary Legislation
• The world has changed
8. 8
Laws and Regulations: eSecurity
• Sarbanes-Oxley Act of 2002
• Basel II Accord
• Privacy
– Gramm-Leach-Bliley Act
– HIPAA / HITECH
– FERPA
– EU Directive on Data Protection
– State, county & municipality privacy laws
• FTC Act
• Bank Secrecy Act
• General Negligence Law
• Electronic Communications Privacy Act
• Anti-Money Laundering
• FFIEC Auth-N Guidance I & II
• Nevada NRS-603A & Massachusetts 201 CMR 17.00
• PCI DSS
• California SB 1386
• OFAC / OCC Rules
• Negligence Law
• NDAA 2012
• SEC Regulations 10b-5
• FTC Do-Not-Call Law
• Digital Millennium Copyright Act
• Super-DMCA
• Foreign Corrupt Practices Act
• Know Your Customer
• eDiscovery Law and Spoliation
• PCI-DSS Codification
• Fractal Breach Notification Laws
• EU – Right to be Forgotten
…and the list goes on.
9. 9
Rapid Business Model Changes
Cloud Computing, Virtualization & SaaS change the game:
– Network inversion: our data everywhere
– Extranet access to core systems
– SOAP identity components
– Authentication & authorization challenges in a world without borders
– Dynamic workforce
– Autonomous systems
– Outsourced authentication through federated identity
– Shrinking time to market, change control, and presentation layer
– How is identity managed in an Enterprise Service Bus?
10. 10
eBusiness Trust
Unqualified trust cannot exist in eBusiness
• “Sure I trust you, but let me cut the cards” *
• “Trust but Verify” – Ronald Reagan
• Trust must be earned to be granted
• Fundamental “W” questions:
– What is being trusted?
– When, Who, Where, Why, in what context?
• Identity Management enables us to answer:
– Who are they?
– Why should they have access?
– Increasingly Where and What context are being added to identity
* Harry DeMaio, “B2B and Beyond”, 2003
11. 11
Increased Pressure for Identity Management
• Identity Theft, data theft and phishing
• Missing laptops, PDAs, backup tapes
• Organized crime
• Regulatory pressure
• Application Integration forces
• Identity silos slowing down business
• Due-diligence bar has been raised
“Identity is the New Perimeter” -Cisco
12. 12
Level-set
• Identity problems are not unique
• Common components – but no universal answers
• Different needs, starting points, drivers
– Industry, capital investment, risk tolerance, regulators
• Good news:
– Common patterns from which we might learn
– Learning opportunities might be sitting beside you
• Bad news:
– There is no silver bullet or checklist
13. 13
Why an Identity Architecture?
• Reduce operational costs
• Duty to the shareholders, employees
• Ensure fiduciary responsibility
• Create confidence and trust, which are vital to eBusiness
(c.f. HBGary, RSA, ChoicePoint, TJX, Heartland)
• Repeatable operations
• Reliable information
• Enabling customer/associate self-service
• Availability for revenue generating projects
• Potential for reduced time to market
14. 14
Why identity management?
Cost Reduction
– Drive down cost of managing identities
– Increase user and administrator efficiency
– Speeds up provisioning cycle
– Reduced password repositories = $avings
15. 15
Why identity management?
Increased Security
– At times, IAM is the most visible & effective control
– Reduction in stale accounts
– Visibility to, and reduction of excessive rights
– Sufficient controls over vital process
– Documented, consistent process for audit
– Without IAM, Defense in Depth is negated
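The security wins listed above (fewer stale accounts, visibility into excessive rights, a repeatable audit process) come from reconciling what HR says about people against what applications say about accounts. The following is an added example, not code from the deck or from Cardinal Health: a small joiner/mover/leaver reconciliation that flags accounts belonging to terminated staff, orphan accounts with no HR owner, entitlements beyond a role baseline, and accounts with no recent logon. The HR records, application accounts, role baselines and the 90-day inactivity threshold are all constructed for illustration.

```python
"""Joiner/mover/leaver reconciliation for an access review (added example).

Compares an HR feed against accounts exported from one application and
reports the conditions an IAM program is expected to catch. Every input
below is constructed sample data, not a real feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

INACTIVITY_DAYS = 90  # assumed threshold for "stale by last logon"


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    login: str
    emp_id: Optional[str]  # None when the application holds no owner mapping
    entitlements: FrozenSet[str]
    last_logon: date


# Constructed role baselines: the entitlements each job role is expected to hold.
ROLE_BASELINE: Dict[str, FrozenSet[str]] = {
    "pharmacy_tech": frozenset({"rx_read"}),
    "pharmacist": frozenset({"rx_read", "rx_dispense"}),
    "it_admin": frozenset({"rx_read", "rx_dispense", "user_admin"}),
}

# Constructed HR feed and application account export.
HR_FEED = [
    HrRecord("E100", "pharmacy_tech", "active"),
    HrRecord("E200", "pharmacist", "active"),
    HrRecord("E300", "it_admin", "terminated"),
]
APP_ACCOUNTS = [
    Account("jdoe", "E100", frozenset({"rx_read"}), date(2013, 6, 28)),
    # asmith is a pharmacist who also holds user_admin: beyond the role baseline
    Account("asmith", "E200", frozenset({"rx_read", "rx_dispense", "user_admin"}), date(2013, 6, 1)),
    # bjones left the company but the account survived (leaver not de-provisioned)
    Account("bjones", "E300", frozenset({"user_admin"}), date(2013, 1, 15)),
    # a service account nobody mapped to an owner
    Account("svc_backup", None, frozenset({"rx_read"}), date(2013, 6, 29)),
    # an emp_id that HR has never heard of
    Account("ctemp", "E999", frozenset({"rx_read"}), date(2013, 6, 29)),
]
REVIEW_DATE = date(2013, 6, 30)


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date,
              inactivity_days: int = INACTIVITY_DAYS) -> dict:
    """Return findings: sorted login lists for terminated/orphan/inactive,
    and a login -> extra-entitlements mapping for excessive rights."""
    by_emp = {r.emp_id: r for r in hr}
    cutoff = today - timedelta(days=inactivity_days)
    terminated, orphan, inactive = [], [], []
    excessive: Dict[str, List[str]] = {}
    for acct in accounts:
        rec = by_emp.get(acct.emp_id) if acct.emp_id else None
        if rec is None:
            orphan.append(acct.login)  # no accountable owner in HR
        elif rec.status == "terminated":
            terminated.append(acct.login)  # leaver whose access outlived employment
        else:
            extra = acct.entitlements - ROLE_BASELINE.get(rec.role, frozenset())
            if extra:
                excessive[acct.login] = sorted(extra)  # rights beyond the role
        if acct.last_logon < cutoff:
            inactive.append(acct.login)  # stale by usage, whatever its HR status
    return {
        "terminated": sorted(terminated),
        "orphan": sorted(orphan),
        "inactive": sorted(inactive),
        "excessive": excessive,
    }


def run_review() -> dict:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_FEED, APP_ACCOUNTS, REVIEW_DATE)


def format_report(findings: dict) -> str:
    """Render findings as the plain-text list an access reviewer would sign off."""
    lines = [f"Access review as of {REVIEW_DATE.isoformat()}"]
    for category in ("terminated", "orphan", "inactive"):
        lines.append(f"{category}: {', '.join(findings[category]) or 'none'}")
    for login, extra in sorted(findings["excessive"].items()):
        lines.append(f"excessive rights: {login} -> {', '.join(extra)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_review()))
```

The same account can appear in more than one category on purpose: a leaver's account that is also unused is worth seeing under both headings, because the two findings route to different owners (HR-driven de-provisioning versus application-owner review).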
16. 16
Why identity management?
Increased compliance
– Enables data security and privacy controls
– Reduces potential for privacy breaches
– Reduces risk of non-compliance
– Provides ability to demonstrate compliance
– Binding entitlements to authorization decision
17. 17
Why identity management?
Enables the business
– Customer identity mapping enables deeper selling and cross-selling
– Reduces time to market for new systems
– Enables private-label service offerings and seamless outsourcing through federation
– The business doesn’t have to worry about management of access to systems, freeing them to focus on the business
18. 18
Why identity management?
Improved user experience
– Easy to use interfaces
– Reduced provisioning & access frustration
– Enables reduced sign-on, reducing customer frustration
– Permits self-service, further enabling 24x7 customer access
– Customization of the user experience
19. 19
Selling Identity Management
Pain points of your organization:
– Reduction in password resets?
– Hundreds of identity repositories to manage?
– Rapid associate onboarding?
– Reduction in risk?
– Regulatory compliance?
Three primary considerations:
• ROI
• Management Commitment
• Prioritization of IAM tasks / roadmap
20. 20
Quantifiable ROI
If your company looks like this:
  Employees: 8k          Customers: 50k
  Turnover ratio: 10%    Job change: 8%
  Total apps: 200        Web apps: 15
  E-mail lists: 200      Audits per year: 16
21. 21
Quantifiable ROI
Then your ROI is estimated to be:
  Centralized LDAP   $11.6MM   €7.94MM   £5.9MM
  Provisioning       $561MM    €384MM    £286MM
  Web SSO            $17.7MM   €12.2MM   £9.8MM
Study by Giga Information Group
Source: Enterprise Identity Management, IT Governance Institute (no longer published by ITGI)
22. 22
Specific ROI Savings
• Improved IT efficiency
• Improved data management
• Reduced development of security features
• Reduced helpdesk costs
• Quicker access to applications
• Improved searching/updating user data
• Improved managerial tasks
• Improved e-mail list management
• Audit savings
• Elimination of paper costs
23. 23
Management Commitment
• Identity Management will touch every corner of the organization
• Along the way:
– Significant changes in infrastructure and process
– Corporate Politics
– IT turf wars
– Potential for outages
• Very long road
• Search for vocal, demonstrable early wins
– Enough to move you down the road
– Not so tough that you can’t demonstrate competency
24. 24
Typical Stakeholders
• CIO
• CISO/CSO
• Human Resources
• Infrastructure (Server/database/network)
• CFO
• Principal Lines of Business
25. 25
Obtaining Buy-in
• Focus on quick wins to demonstrate early success
• Establish executive sponsorship
– Identity Management Steering Committee
– Senior executive to own (e.g. CIO)
• Funding a program, not a project
– Realistic expectations
– Long-term funding model
– Changing how IT does business
• Sell a slow, gradual migration path of many small projects – NOT Big Bang
26. 26
Prioritization
• Critical to manage expectations and limit impact
• Long journey
• Many moving parts and dependencies
• Infrastructure build-out typically precedes procedural and workflow implementations
• Important to communicate and demonstrate progress and savings
27. 27
Roadmaps help sell and tell
[Chart: Directory Services product/technology roadmap on a 2Q12 – 4Q12 – 2Q13 – 4Q13 – 2Q14 timeline. Product rows: SunFUN v7, Identity Mangler 2.0, Gradient Chaos*, Active Refrectory 2004, AR 2009. Technology rows: Enterprise Directory, Meta-Directory, Virtual Directory.]
28. 28
IAM Program Roadmap
[Chart: three tracks (Infrastructure, Application Integration, Provisioning) laid out over time; the items below are the chart’s boxes grouped by track]
Provisioning track
– Provisioning Planning: Current/Future; Role Analysis; Provisioning Roadmap; Access Review Process; Process Automation
– Base Provisioning: Employee Joiners/Leavers; Temp Workers; PW Synch
– Provisioning Process Pilot: Self Service Request Process; HR Integration
– Provisioning Upgrade / Performance Tuning; Audit Integrations; Access Reporting; Paperless Provisioning; Automation
Infrastructure track
– Core Infrastructure (Infrastructure Implementation Project): Hardware Build; Prototype; Base Product Installation/Configuration; Performance Updates
– Federated Identity; Web Services Support; PKI; XML/SOAP Gateway; Service Bus
Application Integration track
– B2E Pilot: HR System; Employee File; AD Passwords; LDAP; Mail system; Asset management; Financial/accounting; Pilot App; WAM
– Extend B2E: B2E Apps; Associate Onboarding; Majority of Apps; Pilot App; WAM/SSO
– B2C/B2B Pilot; Federate
29. 29
Identity Management Program
• Running a successful IAM program is about PROCESS, not technology
• Every component of IAM is part of a larger plan: think strategically, then deliver components that align with the strategy
• Architecture & assessments are key to a successful IAM implementation
31. 31
IAM Program: Getting started
As with any architectural endeavour:
– What shall we build?
– What are the needs?
– What materials are available?
– What engineering/technical skills do we have?
– What does the environment look like?
32. 32
IAM Program: Getting started
• Gap analysis: missing skills, support, infrastructure, funding, sponsorship
• Needs assessment: what are the critical business drivers that are to be met?
• As-is assessment:
– Determine unique identity repositories
– Which IAM components need to be replaced?
• Map gaps to needs, and prioritize
• Develop a roadmap, including infrastructure, process and integration components
33. 33
IAM Program Roadmap (same chart as slide 28)
34. 34
IAM Program
• Identity Management requires a program office – much more than a project or series of projects
• IAM Program Office
– Metrics, reporting and demonstrable progress
– Coordination of identity initiatives: many projects
– Provisioning coordinator
– Visible agent for IAM in organization
– Single accountable party
– Visibility to senior management
– Coordination with Steering & Advisory Committees
35. 35
Identity Program Organization
[Org chart: Program Management and Architecture over the Infrastructure, Provisioning, Integration, Reporting, Testing and Deployment teams; the chart’s boxes are listed by team]
Program Management
· Program Measurement
· Program Monitoring
· Program Status
· Steering Committee Coordination
· Release Definition
· Program Finance
· Program Communications
· Issue Management & Resolution
Architecture
· Technical Architecture Vision
· Release Plans
· Requirements
· Use Case Definition
Infrastructure
· Network/Server Architecture
· Infrastructure Administration (System, Database, WebSphere)
· Core Product Specialists (Thor, Radiant, SunOne, ClearTrust)
· Operations Architecture
· Environment Design and Coordination (Development, Test, Staging, Production)
· Infrastructure Issue Resolution
Provisioning
· As-is Process
· To-be Process
· Thor configuration & customization (Workflows, Self Service, Delegated Admin, etc.)
· Thor adapter development
Integration
· Integration Analysis (Functional & Technical)
· Integration Support (Thor Adapter Configuration, Directory Integration Support, ClearTrust Agents)
Reporting
· Access Review Process
· Report Definition
· Report Development
· Warehousing Architecture
Testing
· System Test
· User Acceptance Test
· Performance Test
· Requirements Traceability
Deployment
· Build Coordination
· Code Configuration Management
36. 36
Advanced IdM
SSO Strategy: Critical Success Factors
• Strategic Staffing
• Evangelist with credibility
• Management commitment for 3+ years
• Demonstration of short-term success, but…
• Long view needed
• Examine offshore for integration
• MBOs / Performance Goals / KPIs
• HR, Procurement & Architecture on-board
• Communicate, communicate, communicate
37. 37
Recommendations
• Get executive sponsorship
• Sell business solution, not technology
• Ensure that the message is clear
• Solicit representation from all groups to be affected
• Get quick hits, show success
• Underpromise, overdeliver
• Be persistent
• Realize that deployment is easy; politics and money can get in the way
38. 38
Recommendations
• KISS – Keep it simple
• Avoid product focus where possible
• Focus on demonstrated CAPABILITIES, not products
• Document, document, document
• Get help – good consultant(s) with strong BUSINESS skills as well as IAM experience
• Make presentations of broad architectural concepts to senior management
• Run identity as a Program Office
39. 39
What Next?
• Intellectual horsepower & meditation required – study, research, network
• Long road – 3-5 years, don’t expect overnight results
• Publish all documents to all participants to facilitate understanding
• Join a peer group for fertile soil
– (ISC)² Chapter
– ISSA
– InfraGard
– ISACA
– ISF