Identity & Access Management
                  K. K. Mookhey
             CISA, CISSP, CISM
            Principal Consultant




                      www.niiconsulting.com
Agenda

 Introduction
 Ground Reality
     Cases
     Real-world impacts
     Vulnerabilities
   Building the Business Case
   What is IAM?
   Demystifying IAM
   Implementation Challenges


Speaker Introduction

 Founder & Principal Consultant, Network
  Intelligence
 Certified as CISA, CISSP and CISM
 Speaker at Blackhat 2004, Interop 2005, IT
  Underground 2005, OWASP Asia 2008,2009
 Co-author of book on Metasploit Framework
  (Syngress), Linux Security & Controls (ISACA)
 Author of numerous articles on SecurityFocus,
  IT Audit, IS Controls (ISACA)
 Conducted numerous pen-tests, application
  security assessments, forensics, etc.

Ground Reality




Strong passwords

 Written down




Shoulder surfing




Phishing




Password reset mechanism

 Vote for Cyber Security!




Problem Description




User Provisioning / De-provisioning

 Unique user IDs
 Providing access to applications
 Removing access across all applications &
  systems
 Ghost IDs
 Vendor/System IDs
 Logging & Auditing
 Reviewing User Access Rights
 Default Credentials
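
Most of the items on this slide are control failures an auditor finds by comparing each system's account export against the HR roster: IDs whose owner has left, IDs with no named owner, owners unknown to HR, dormant accounts, duplicates, and accounts still on default credentials. The reconciliation below is an added example and not code from the talk; the HR roster, the three account exports, the field layout and the 90-day dormancy threshold are all constructed for illustration.

```python
"""Reconcile account exports against the HR roster to find de-provisioning gaps.

Added example, not from the slides. Every record below is constructed; the
system names, field layout and thresholds are assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 5, 22)  # review date used by the demo and the checks

# Constructed HR roster: employee id -> (name, employment status)
HR_ROSTER = {
    "E1001": ("Asha Rao", "active"),
    "E1002": ("Ben Lee", "terminated"),
    "E1003": ("Cara Diaz", "active"),
}

# Constructed account exports from three systems:
# (system, user_id, owner employee id or None, privileged, last_login, on_default_password)
ACCOUNTS = [
    ("ActiveDirectory", "arao",     "E1001", False, date(2024, 5, 20), False),
    ("ActiveDirectory", "asha.rao", "E1001", False, date(2024, 5, 15), False),  # second ID, same person
    ("ActiveDirectory", "blee",     "E1002", False, date(2024, 4, 2),  False),  # owner terminated
    ("ActiveDirectory", "cdiaz",    "E1003", True,  date(2024, 5, 21), False),
    ("SAP",             "ARAO",     "E1001", False, date(2024, 5, 19), False),
    ("SAP",             "BLEE",     "E1002", True,  date(2024, 3, 30), False),  # owner terminated, privileged
    ("SAP",             "SAP*",     None,    True,  date(2024, 5, 1),  True),   # vendor ID, default password
    ("CoreBanking",     "cdiaz",    "E1003", False, date(2024, 5, 21), False),
    ("CoreBanking",     "batchsvc", None,    True,  date(2023, 9, 1),  False),  # functional ID, no owner
    ("CoreBanking",     "jsmith",   "E9999", False, date(2024, 5, 18), False),  # owner unknown to HR
]


@dataclass(frozen=True)
class Finding:
    system: str
    user_id: str
    issue: str


def reconcile(hr, accounts, today, dormant_days=90):
    """Return one Finding per control failure visible in the account exports."""
    findings = []
    # How many IDs each employee holds per system (for the "unique user ID" check).
    per_owner = Counter((system, owner) for system, _, owner, *_ in accounts if owner)

    for system, uid, owner, privileged, last_login, default_pw in accounts:
        tag = " (privileged)" if privileged else ""
        if default_pw:
            findings.append(Finding(system, uid, "default credentials" + tag))
        if owner is None:
            findings.append(Finding(system, uid, "no named owner: vendor/system/functional ID" + tag))
        elif owner not in hr:
            findings.append(Finding(system, uid, "ghost ID: owner not in HR roster" + tag))
        elif hr[owner][1] != "active":
            findings.append(Finding(system, uid, f"owner {owner} is {hr[owner][1]}: de-provision" + tag))
        elif per_owner[(system, owner)] > 1:
            findings.append(Finding(system, uid, f"owner {owner} has multiple IDs in {system}"))
        if (today - last_login).days > dormant_days:
            findings.append(Finding(system, uid, f"dormant > {dormant_days} days" + tag))
    return findings


def access_by_employee(accounts):
    """Per-employee view for the access-rights review: employee -> {system: privileged}."""
    view = defaultdict(dict)
    for system, uid, owner, privileged, *_ in accounts:
        if owner:
            view[owner][system] = view[owner].get(system, False) or privileged
    return dict(view)


def systems_to_deprovision(hr, accounts):
    """Every (system, user_id) still held by an employee who is no longer active."""
    return sorted(
        (system, uid)
        for system, uid, owner, *_ in accounts
        if owner in hr and hr[owner][1] != "active"
    )


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCOUNTS, TODAY):
        print(f"{f.system:16} {f.user_id:10} {f.issue}")
    print("Still to remove:", systems_to_deprovision(HR_ROSTER, ACCOUNTS))
```

The point of `systems_to_deprovision` is the "removing access across all applications & systems" bullet: an HR termination in one system is not enough, so the check is run per system against the single source of truth. Unowned IDs are not automatically wrong (batch and vendor accounts are legitimate), but each one needs a named custodian and a documented reason before the finding is closed.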


Password Management

 Password policies
     Complexity
     Aging
     Length
     History
     Account lockout
     Resetting passwords – 70% of helpdesk calls
 Universal implementation
   System & Network Administrator Passwords
   User Passwords
   Application / Functional ID Passwords
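
The policy items on this slide (length, complexity, aging, history, lockout) and the "universal implementation" point are easiest to see as one enforcement routine with a stricter tier for administrator and functional IDs. The code below is an added example and not from the talk; the tier thresholds, the account classes and the demo account are assumptions chosen for illustration, and PBKDF2 is used only because it is in the Python standard library.

```python
"""Password policy enforcement: length, complexity, history, aging and lockout,
with a stricter tier for administrator and functional (application) IDs.

Added example, not from the slides. Thresholds and account classes are
assumptions; a real deployment would take them from the organisation's policy.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

NOW = datetime(2024, 5, 22, 9, 0)  # fixed clock for the demo
PBKDF2_ROUNDS = 100_000            # kept modest so the demo runs quickly


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_age_days: int
    history_depth: int
    lockout_threshold: int
    lockout_minutes: int
    classes_required: int = 3  # of: lower, upper, digit, symbol


# One policy per account class, so admin and functional IDs are not exempt.
POLICIES = {
    "user":       PasswordPolicy(12, 90, 12, 5, 30),
    "admin":      PasswordPolicy(16, 60, 24, 3, 60, classes_required=4),
    "functional": PasswordPolicy(24, 365, 24, 3, 60, classes_required=4),
}

CLASS_PATTERNS = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_errors(policy: PasswordPolicy, password: str, username: str) -> list:
    errs = []
    if len(password) < policy.min_length:
        errs.append(f"shorter than {policy.min_length}")
    if sum(1 for p in CLASS_PATTERNS if re.search(p, password)) < policy.classes_required:
        errs.append(f"needs {policy.classes_required} character classes")
    if username.lower() in password.lower():
        errs.append("contains username")
    return errs


@dataclass
class Account:
    username: str
    kind: str
    history: list = field(default_factory=list)  # [(salt, hash)], newest first
    changed_at: Optional[datetime] = None
    failures: int = 0
    locked_until: Optional[datetime] = None

    @property
    def policy(self) -> PasswordPolicy:
        return POLICIES[self.kind]

    def set_password(self, new: str, now: datetime) -> list:
        """Apply the policy; return the list of violations (empty means accepted)."""
        errs = complexity_errors(self.policy, new, self.username)
        for salt, digest in self.history[: self.policy.history_depth]:
            if hmac.compare_digest(_hash(new, salt), digest):
                errs.append("reused from history")
                break
        if errs:
            return errs
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(new, salt)))
        del self.history[self.policy.history_depth:]
        self.changed_at = now
        return []

    def expired(self, now: datetime) -> bool:
        return self.changed_at is None or now - self.changed_at > timedelta(days=self.policy.max_age_days)

    def authenticate(self, attempt: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'bad password' or 'locked'."""
        if self.locked_until:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0  # lockout window has passed
        if not self.history:
            return "bad password"
        salt, digest = self.history[0]
        if hmac.compare_digest(_hash(attempt, salt), digest):
            self.failures = 0
            return "expired" if self.expired(now) else "ok"
        self.failures += 1
        if self.failures >= self.policy.lockout_threshold:
            self.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
            return "locked"
        return "bad password"


def demo() -> list:
    """Walk one user account through the policy; returns the outcome of each step."""
    acct = Account("alice", "user")
    out = [acct.set_password("alice-Summer2024!", NOW),       # rejected: contains username
           acct.set_password("Tr0ub4dor&3-correct", NOW),     # accepted
           acct.set_password("Tr0ub4dor&3-correct", NOW)]     # rejected: reused
    for _ in range(acct.policy.lockout_threshold):
        result = acct.authenticate("wrong", NOW)
    out.append(result)                                                        # locked on 5th failure
    out.append(acct.authenticate("Tr0ub4dor&3-correct", NOW))                 # still locked
    out.append(acct.authenticate("Tr0ub4dor&3-correct", NOW + timedelta(minutes=31)))  # ok
    out.append(acct.authenticate("Tr0ub4dor&3-correct", NOW + timedelta(days=91)))     # expired
    out.append(Account("root-admin", "admin").set_password("Correct!Horse1", NOW))    # admin tier: too short
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two design points worth noting: the history check compares against stored salted hashes rather than keeping old passwords, and the lockout counter is reset only when the window has passed, so a correct password entered during the window neither unlocks the account nor leaks whether it was correct.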

Access Management

 Cumbersome for users to remember
  multiple IDs
 Multiple access control matrices increase
  complexity
 Heterogeneous environments
 Deperimeterization




Demystifying IAM Solutions




What does it stand for?

 Identity & Access Management
  “Identity management is the set of business
  processes, and a supporting infrastructure, for the
  creation, maintenance, and use of digital identities.”
  The Burton Group


 But then what are Solutions for:
     User Provisioning
     Single Sign On
     Web Access Management
     Multi-Factor Authentication
     Identity Lifecycle Management


Basic Layout




IAM Solutions

 User Provisioning

 Enterprise Single
  Sign On

 Web Access
  Management




Features to look out for

   Critical Decision Criteria




Top 5 Critical Success Factors

1. Identify Business Unit Champions
   Foundation of IAM Project
   Enterprise Applications or BU’s most likely to improve
    (SAP, Core Banking, etc.) through IAM
   Business owner who has fully bought into the project
2. Perform Vendor Analysis
     Vendor’s Financial Stability
     Usability without Vendor Presence
     Revenue Growth
     Customer Base – Similar Size/Industry
     Strategic Partners
     Product Vision & Roadmap


Top 5 Critical Success Factors

3. Define project requirements
     Functional Requirements
         User administration
         Delegation of user administration
         Role-based access control
         User self-service
         Customization of user interface
         Workflow
         Auditing & reporting
         Extensibility
         Applications to interface with
         Security of the product itself
     Non-Functional Requirements
         Scalability & Performance (# of users per server)
         Fault Tolerance
         Disaster Recovery – Geographically Diversified
         Solution configuration
         Training – Administrator & End-User
Top 5 Critical Success Factors

4.   Thorough Knowledge of Technical Features
         Architecture –
          Does it fit with your architecture
           Is it a cohesive product or separate modules bolted together
         Ability to adapt and improve your business processes
         Integration with your technology – AS400, SAP, Core
          Banking Solution, Windows, Unix, etc.
         Password Management capabilities
         Policy Management – Canned policies, policy wizards
          TCO – money, FTEs to administer the product
         Tiered, delegated, self-serviced administration
         Deployability
         Reporting & Auditing – Regulatory/Privacy
         New Features – Virtual Directory Support, Web Access
          Management
Top 5 Critical Success Factors

5. Bring business into the picture centrally
     Did it meet the business requirements
     Can you quantify the benefits from the solution
     Constantly communicate project expectations
      and benefits to business units
     Not just another vendor/solution




Multi-factor authentication




User Provisioning




Integration with Physical Security




Extensive Reporting Capability




Key Benefits




5 Key Benefits

 Improved user experience
      Help users control their online identities
      Enables simplified sign-on
      Create a "circle of trust" in which participating organizations can
       verify the authenticity of users in a federated model.
 Enhanced integration
      Enable organizations to manage digital identities across their
       diverse and expanding infrastructure.
       A standards-based approach protects the investment and
        dramatically reduces the risk of custom integration.
 Multipurpose platform
      Manage multiple authentication options from a single platform,
       providing choice in any environment.
      Varying levels of authorization functionality




5 Key Benefits

 Centralized administration
      Simplify the management of digital identities and security policies
       with one administrative model.
      Delegated administration of users and user self-service across
       different identity and access management applications (i.e.,
       authentication and authorization).
      Lower administrative costs and a reduced resource burden.
 Enhanced security
      Ensure greater levels of security to match the growing risk of
       exposure and high stakes involved in e-business.
      Shift fluidly with an organization's perimeter, protecting the
       business at the application level.
      Be the cornerstone to security enforcement, providing a basis for
       consistent enforcement, audit and reporting of policies across the
       e-business environment.
      Ensure regulatory and legal compliance



Conclusion

 Benefits
     Improved user experience
     Enhanced integration
     Multipurpose platform
     Centralized administration
     Enhanced security
 Critical Success Factors
     Identify Business Unit Champions
     Thorough Vendor Analysis
     Well-defined Project Requirements
     Thorough Product Feature Understanding
     Taking Business On the Journey

Questions?
 Thank you!
 kkmookhey@niiconsulting.com

Information Security Consulting Services | Information Security Training Services




