Identity & Access Management for Securing DevOps Lifecycle
Eryk Budi Pratama
DevSecOps ID 4th Meetup | 14 Nov 2019
Start with problems
IT Audit as the primary driver
▪ Understanding the business, the entity, and the IT environment
▪ Identify accounts, significant accounts and processes
▪ Understand processes, including related applications
▪ Identify WCGW (what could go wrong) and relevant controls
▪ Manual control or application control
▪ IT General Control
▪ Test of Design (TOD) and Test of Effectiveness (TOE)
Figure: control matrix by type of control (manual, automated) and objective of control (prevent, detect), covering IT General Controls, IT-Dependent Manual Controls, Manual Controls and Application Controls, all aimed at misstatement in the financial statements.
Audit Process: IT Audit as part of Financial Audit
IT General Control as part of IT Audit
Access to Program and Data
▪ Policies and procedures
▪ User access provisioning and de-provisioning
▪ Periodic access reviews
▪ Password requirements
▪ Privileged user accounts
▪ Physical access
▪ Appropriateness of access / segregation of duties
▪ Encryption
▪ System authentication
▪ Audit logs
▪ Network security
Program Changes & Development
▪ Change management procedures and system development methodology
▪ Authorization, development, implementation, testing, approval, and documentation
▪ Migration to the production environment (separation of duties)
▪ Configuration changes
▪ Emergency changes
▪ Data migration and version controls
▪ Post change/implementation testing and reviews
Computer Operations
▪ Batch job processing
▪ Monitoring of jobs (success/failure)
▪ Backup and recovery procedures
▪ Incident handling and problem management
▪ Changes to the batch job schedules
▪ Environmental controls
▪ Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)
▪ Patch management
User and Access Management as primary concern
▪ User access provisioning and de-provisioning
▪ Periodic access reviews
▪ Privileged user accounts
▪ Segregation of duties
▪ System authentication
Two sides: User Management and Access Management
IAM Foundation
Identity and Access Management
Security Management: provides the overarching framework, policies, and procedures.
Identity Management: manages individual identities and their access to resources and services.
Access Management: manages the “who has access to what” question and allows access based on the individual's relationship with the resources and services.
Directory Services: maintains an identity repository that stores identity data and attributes, and provides access and authorization information.
“IAM grants authorized users the right to use a service, while preventing access to non-authorized users”
From Simply Managing Identities to Managing Complex Relationships
source: Forrester Research
Figure: the shift from Identity & Access Management to Identity Relationship Management.
IAM Business Value
Core Benefits: Automation & Repeatability, Consistency, Accountability
Drive Results: Reduce Cost, Better Service, Optimize Compliance
Managing Risk Efficiently
Sample Metrics
▪ % of access requests in compliance with policy
▪ % of privileges covered by periodic review
▪ % of changes done through the tool
▪ % of requests initiated through the proper channel / procedure
▪ Average time to obtain approval for an access request
▪ etc.
Major Drivers for IAM Investments
source: https://assets.kpmg/content/dam/kpmg/ch/pdf/ch-identity-and-access-management.pdf
IAM – NIST Cybersecurity Framework View
Identity Management and Access Control (PR.AC) is part of the Protect domain within the NIST Cybersecurity Framework. Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated
IAM – CIS Top 20 CSC View
▪ Deploy Port Level Access Control
▪ Utilize Client Certificates to Authenticate Hardware Assets
▪ Maintain Inventory of Administrative Accounts
▪ Change Default Passwords
▪ Ensure the Use of Dedicated Administrative Accounts
▪ Use Multifactor Authentication For All Administrative Access
▪ Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
▪ Manage Network Infrastructure Through a Dedicated Network
▪ Require All Remote Login to Use Multi-Factor Authentication
▪ Segment the Network Based on Sensitivity
▪ Enable Firewall Filtering Between VLANs
▪ Disable Workstation to Workstation Communication
▪ Protect Information through Access Control List
▪ Maintain an Inventory of Authentication Systems
▪ Require Multi-Factor Authentication
▪ Encrypt or Hash all Authentication Credentials
▪ Maintain an Inventory of Accounts
▪ Establish Process for Revoking Access
▪ Disable Any Unassociated Accounts
▪ Disable Dormant Accounts
▪ Ensure All Accounts Have An Expiration Date
▪ Manage All Devices Remotely Logging into Internal Network
Identity Management Basic Process
Authoritative/Trusted Source (HR Data) → Middleware / Identity Management Solution (IDM Solution) → Target Systems (Active Directory, Email Server, ERP, other applications)
Flows between the IDM solution and the target systems: Provisioning (Create, Update, Revoke) and Reconciliation
Access Management Basic Process
Receive Request → Verification → Provide Rights → Log and Track Access
Receive Request
▪ Change requests
▪ Service requests
▪ HR requests
▪ App / Script requests
Verification
▪ Valid user?
▪ Valid request?
▪ Request access?
▪ Remove access?
Provide Rights
▪ Provide access
▪ Remove access
▪ Restrict access
Log and Track Access
▪ Check and monitor identity status
▪ Violations to Incident Management Process
Underpinned by business rules, policies, procedures and controls (ISMS)
User Account & Access Lifecycle
Lifecycle triggers: change of location, role, etc.; forgotten password
Person Onboarding
• Zero Day Access Provisioning
• Rehire
• Reinstate Access
Access Request
• Self-Service Request
• Request on behalf of another user
Policy & Risk
• Segregation of Duties Policies
• Policy-violation scan
Periodic Access Review
• Application Periodic Access Review
• Role Periodic Access Review
• Privileged Account Periodic Access Review
Reporting
• Produce or Export Operational Metrics
• Configurable Auditing of all Identity-related events
User Access Change Events
• Job Transfer
• Authoritative System Attribute Change
• Temporary Leave
Termination
• Planned Exit
• Emergency Termination
• Third Party Resource Termination
Application Lifecycle
• Standardized On-boarding of Applications
• Application Change
• Role Lifecycle Management
Role Mining & Definition
source: https://home.kpmg/content/dam/kpmg/us/pdf/2018/10/kpmg-access-management-orchestration-suite.PDF
Common Challenges
source: EY – Identity and Access Management Beyond Compliance
Lifecycle stages: User access request and approve → Provision/de-provision → Enforce → Report and audit → Review and certify → Reconcile
▪ Processes differ by location, business unit and resource
▪ Approvers have insufficient context of user access needs: do users really need access to private or confidential data?
▪ Users find it difficult to request required access
▪ Timelines to grant/remove access are excessive
▪ Inefficient and error-prone manual provisioning processes are used
▪ Access profile cloning occurs inappropriately
▪ Inappropriate access may not be de-provisioned
▪ Applications do not support central access management
▪ Access management policies do not exist
▪ Segregation of duties is not enforced
▪ Role/rule-based access is used inconsistently
▪ Actual rights on systems exceed access levels that were originally approved/provisioned
▪ There is no single authoritative identity repository for employees/non-employees
▪ Processes are manual and differ by location, business unit and resource
▪ Reviewers must complete multiple, redundant and granular access reviews
▪ KPIs/metrics do not exist or do not align with business-driven success criteria (e.g., reduce risk by removing terminated user access on the day of termination)
▪ Audits are labor intensive
On Premise IAM
Disclaimer:
Because of the time limitation to present the material, and for example purposes, this section covers an overview of SailPoint IdentityIQ and ForgeRock OpenAM, as the speaker's team experience is on those platforms.
ForgeRock Architecture
source: https://backstage.forgerock.com/docs/openam/12/deployment-planning/
▪ OpenAM: Context-Based Access Management System. OpenAM is an all-in-one industry-leading access management solution, providing authentication, authorization, federation, Web services security, adaptive risk, and entitlements services among many other features.
▪ OpenIDM: Cloud-Focused Identity Administration. OpenIDM is a lightweight provisioning system, built on resource-oriented principles.
▪ OpenDJ: Internet Scale Directory Server. OpenDJ provides full LDAP protocol support, multi-protocol access, cross-domain replication, common REST framework, SCIM support, and many other features.
▪ OpenIG: No Touch Single Sign-On (SSO) to enterprise, legacy, and custom applications. OpenIG is a reverse proxy server with specialized session management and credential replay functionality.
▪ OpenICF: Enterprise and Cloud Identity Infrastructure Connectors.
OpenAM Architecture
source: https://backstage.forgerock.com/docs/openam/12/deployment-planning/
OpenAM Deployment Example
Figure: OpenAM behind a frontend load balancer and a reverse proxy layer.
SailPoint IdentityIQ Architecture
source: https://allaboutiam.com/2014/12/25/generic-identityiq-implementation-architecture/
SailPoint IdentityIQ – Sample Dashboard
Cloud IAM
Disclaimer:
Because of the time limitation to present the material, and for example purposes, this section covers an overview of Google cloud-based IAM, as the speaker's experience is on the GCP platform.
Cloud IAM Resource Hierarchy
source: https://cloud.google.com/iam/docs/overview
A policy is set on a resource, and each policy contains a set of:
▪ Roles
▪ Role members
Resources inherit policies from their parent:
▪ The effective policy of a resource is the union of the parent policy and the resource's own policy.
▪ If the parent policy is less restrictive, it overrides a more restrictive resource policy.
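As an added example (not from the slides or from the Google documentation cited above), the following Python models the inheritance rule: effective access on a resource is the union of its own policy and every ancestor's, so the only way to narrow access granted higher up is to change the ancestor's binding. Resource names, groups and the service account are constructed placeholders.

```python
"""Cloud IAM policy inheritance along the resource hierarchy (constructed example).

An organization contains a folder, a project and a storage bucket; each node
carries an IAM policy (role -> members). Effective access on a resource is the
union of its own bindings and every ancestor's, so a narrower policy on a child
can never take away what a parent granted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    # IAM policy: role -> members ("user:...", "group:...", "serviceAccount:...")
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

    def ancestry(self) -> List["Resource"]:
        """This resource first, then its parent, up to the organization."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain


def effective_policy(resource: Resource) -> Dict[str, Set[str]]:
    """Union of the resource's own bindings with every ancestor's bindings."""
    merged: Dict[str, Set[str]] = {}
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            merged.setdefault(role, set()).update(members)
    return merged


def has_role(resource: Resource, member: str, role: str) -> bool:
    return member in effective_policy(resource).get(role, set())


def explain_access(resource: Resource, member: str) -> Dict[str, List[str]]:
    """Audit view of "who has access to what, and why": role -> nodes whose policy grants it.
    To revoke a role, every listed node's binding has to change; the child alone cannot."""
    origins: Dict[str, List[str]] = {}
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if member in members:
                origins.setdefault(role, []).append(node.name)
    return origins


def build_hierarchy() -> Dict[str, Resource]:
    """Constructed hierarchy; names, groups and the service account are placeholders."""
    org = Resource("organizations/example-org")
    folder = Resource("folders/devops", parent=org)
    project = Resource("projects/ci-prod", parent=folder)
    bucket = Resource("buckets/ci-artifacts", parent=project)
    org.grant("roles/viewer", "group:security-audit@example.com")
    folder.grant("roles/editor", "group:devops@example.com")
    # Intent: only the release service account should administer this bucket.
    # The binding ADDS access; it does not remove the editor role inherited from the folder.
    bucket.grant("roles/storage.objectAdmin",
                 "serviceAccount:release@ci-prod.iam.gserviceaccount.com")
    return {"org": org, "folder": folder, "project": project, "bucket": bucket}
```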
Permissions Management in Cloud IAM
source: https://cloud.google.com/iam/docs/overview
Cloud IAM Policy
source: https://cloud.google.com/iam/docs/overview
IAM in DevOps
Cloud Access Security Broker (CASB) at a glance
source: https://www.skyhighnetworks.com/cloud-security-blog/how-to-deploy-a-casb-the-first-cloud-security-reference-architecture/
Integrate IDM to Jenkins (via SAML Plugin)
source: https://github.com/jenkinsci/saml-plugin/
Path in Jenkins: Configure Global Security → Enable Security → SAML 2.0 → Configure plugin settings
Basic SAML Transaction Steps (Sample)
source: https://github.com/jenkinsci/saml-plugin/
1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner's SSO service.
3. Google sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner's SSO service.
4. The partner decodes the SAML request and extracts the URL for both Google's ACS (Assertion Consumer Service) and the user's destination URL (RelayState parameter).
5. The partner generates a SAML response that contains the authenticated user's username.
6. The partner encodes the SAML response and the RelayState parameter and returns that information to the user's browser.
7. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, ACS redirects the user to the destination URL.
8. The user has been redirected to the destination URL and is logged in to Google.
Authorization Workflow between IDM and AM
source: https://forum.forgerock.com/2018/05/forgerock-identity-platform-version-6-integrating-idm-ds/
Integrate IDM to Kubernetes (via OIDC)
source: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Access Management Orchestration (sample)
source: https://home.kpmg/content/dam/kpmg/us/pdf/2018/10/kpmg-access-management-orchestration-suite.PDF
Figure layers: Policy, Lifecycle, Orch's (orchestrations).
Case Study
Disclaimer:
The case study has been sanitized to ensure the confidentiality of the speaker's team experience in delivering Identity & Access Management services.
Case Study – Identity Management Platform Deployment
Insurance Company
Challenge
▪ A leading global insurance company had a number of outstanding audit points arising from the lack of visibility into “who has access to what”. The client, in order to address these audit points, embarked on an Identity and Access Management programme in XXXX that saw the replacement of their existing legacy automated provisioning tool with a strategic Identity Management platform. This project involved the management of 5000 users and covered the on-boarding of 35 business critical applications.
Approach
▪ [Consultant] was selected to help the client deploy the strategic Identity Management platform.
▪ [Consultant] followed an access governance led approach to the deployment, i.e., authoritative source data was reconciled prior to applications being on-boarded. Entitlement review was conducted across all on-boarded applications.
▪ Once periodic entitlement reviews were instituted as a BAU process, the platform was further enhanced to support access requests and Joiners, Movers and Leavers policies.
▪ Business and IT roles were on-boarded to conduct role based certifications for specific applications.
▪ [Consultant] helped with the remediation of orphan and dormant accounts, including the establishment of unique identifiers for every identity record.
▪ The project was successfully transitioned to deployment support after the deployment of core functionality.
▪ [Consultant] put together a multi-location support team to help the client consolidate the functionality built and to support the continued roll-out of the platform across their application estate.
Deliverable
▪ Delivery of a comprehensive strategic user access programme that is supported by all divisions within the organization and satisfies the regulator.
▪ A clear vision of the target state and practical implementation phases for sustained growth.
▪ A multi-location support team to help consolidate the functionality built and to support the continued roll-out of the platform across the application estate.
Identity Management Platform Deployment – Holistic View
source: KPMG – Identity and Access Management the new Complex
Identity Management Platform Deployment (1/3)
Phases: Project Governance | Initiate | Infrastructure | Analysis & Design | Configure & Build | Test & Verify | Release | Close
Tasks
▪ Baseline [Tools] install in development environment
▪ Source repository configured with a standard build environment and tools
▪ Environment connection details captured and documented
▪ Developer and system accounts created
▪ Development, UAT, and Production environments in place
Deliverables
▪ Infrastructure Validation Host Instance Diagrams
▪ Baseline [Tools] Installation in Development Environment
▪ [Tools] environment ready for Test and Verification
Identity Management Platform Deployment (2/3)
Phases: Project Governance | Initiate | Infrastructure | Analysis & Design | Configure & Build | Test & Verify | Release | Close
Tasks
▪ Requirements definition and update to project planning
▪ Requirements stakeholder interviews
▪ Requirements Traceability Matrix approval
▪ Initial draft of Design Specification (developed iteratively throughout the engagement)
▪ High Level Architecture Specification approval
Deliverables
▪ Requirements Traceability Matrix
▪ High Level Architecture Specification
▪ Detailed Design document
Identity Management Platform Deployment (3/3)
Phases: Project Governance | Initiate | Infrastructure | Analysis & Design | Configure & Build | Test & Verify | Release | Close
Tasks
▪ Iterative updates to Design Specification
▪ Data loading: load authoritative source; load account and entitlement data; correlate accounts to identities; review orphans
▪ Workflow definition
▪ Policy modeling
▪ Create Build Guide (UAT)
▪ Configuration of access certifications
▪ Development of rule libraries
▪ General configuration of reporting and dashboard
▪ Pass-Through Authentication / SSO configuration
▪ Simple branding
▪ Preparation of UAT-ready system
Deliverables
▪ Identity cubes built and populated
▪ Models and policies defined in [Tools]
▪ Workflows implemented
▪ Simple Branded Pages
▪ Build Guide established
▪ All configurations complete
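As an added example covering both the reconciliation flow in the Identity Management Basic Process slide and the data-loading tasks above (correlate accounts to identities, review orphans): constructed HR records and account exports are correlated in Python, and the same correlated data yields dormant accounts, leavers whose accounts survive, and segregation-of-duties violations. This is not code from the slides or from any IAM product; identities, systems and entitlement names are constructed.

```python
"""Reconciliation of target-system accounts against the authoritative source.

Constructed example of the "correlate accounts to identities / review orphans" step:
HR records are the trusted source; account exports from Active Directory and an ERP
are correlated to identities by employee ID, with e-mail as fallback, and whatever
fails to correlate is reported as an orphan. Dormant accounts, leavers whose
accounts survive, and a segregation-of-duties scan use the same correlated data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Identity:                 # one record from the authoritative source (HR)
    employee_id: str
    email: str
    status: str                 # "active" or "leaver"


@dataclass
class Account:                  # one account exported from a target system
    system: str
    name: str
    employee_id: Optional[str] = None
    email: Optional[str] = None
    last_login: Optional[date] = None
    entitlements: Set[str] = field(default_factory=set)


# Constructed SoD policy: entitlement pairs one person must not hold together.
SOD_RULES = [("ERP.create_vendor", "ERP.approve_payment"),
             ("AD.domain_admin", "ERP.approve_payment")]


def correlate(identities: List[Identity],
              accounts: List[Account]) -> Tuple[Dict[str, List[Account]], List[Account]]:
    """Map each account to an identity (employee ID first, e-mail second); the rest are orphans."""
    by_emp = {i.employee_id: i for i in identities}
    by_mail = {i.email.lower(): i for i in identities}
    owned: Dict[str, List[Account]] = {}
    orphans: List[Account] = []
    for acct in accounts:
        ident = by_emp.get(acct.employee_id) or by_mail.get((acct.email or "").lower())
        if ident is None:
            orphans.append(acct)
        else:
            owned.setdefault(ident.employee_id, []).append(acct)
    return owned, orphans


def dormant(accounts: List[Account], today: date, max_idle_days: int = 90) -> List[Account]:
    """Accounts never used, or not used within the review window."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a for a in accounts if a.last_login is None or a.last_login < cutoff]


def leaver_accounts(identities: List[Identity], owned: Dict[str, List[Account]]) -> List[Account]:
    """De-provisioning gap: accounts still present for identities HR marks as left."""
    return [a for i in identities if i.status == "leaver" for a in owned.get(i.employee_id, [])]


def sod_violations(owned: Dict[str, List[Account]]) -> List[Tuple[str, str, str]]:
    """Toxic combinations across ALL of an identity's accounts, not per account."""
    found = []
    for emp, accts in owned.items():
        held = set().union(*(a.entitlements for a in accts))
        found += [(emp, a, b) for a, b in SOD_RULES if a in held and b in held]
    return found


def sample_data() -> Tuple[List[Identity], List[Account], date]:
    """Constructed HR feed and target-system exports."""
    today = date(2019, 11, 14)
    identities = [Identity("E001", "alice@example.com", "active"),
                  Identity("E002", "bob@example.com", "leaver"),
                  Identity("E003", "carol@example.com", "active")]
    accounts = [
        Account("AD", "alice", "E001", "alice@example.com", today - timedelta(days=1)),
        Account("ERP", "ALICE01", "E001", None, today - timedelta(days=3),
                {"ERP.create_vendor", "ERP.approve_payment"}),                        # SoD conflict
        Account("AD", "bob", "E002", "bob@example.com", today - timedelta(days=40)),   # leaver
        Account("ERP", "CAROL01", None, "carol@example.com", today - timedelta(days=200)),  # dormant
        Account("AD", "svc_backup", None, None, None, {"AD.domain_admin"}),           # orphan
    ]
    return identities, accounts, today


def reconcile() -> Dict[str, list]:
    """Run the review over the sample data and return the findings by category."""
    identities, accounts, today = sample_data()
    owned, orphans = correlate(identities, accounts)
    return {
        "orphans": sorted(a.name for a in orphans),
        "dormant": sorted(a.name for a in dormant(accounts, today)),
        "leaver_accounts": sorted(a.name for a in leaver_accounts(identities, owned)),
        "sod_violations": sod_violations(owned),
    }
```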
Key Success Factor – Who should be involved
Identity & Access Management stakeholders:
▪ Business: responsible for management / controlling of business activities
▪ IT Architecture & Ops: responsible for IT architecture & IT operations
▪ Programs & Projects: responsible for updating the IT of the business environment of the enterprise
▪ HR: responsible for management of employee information
▪ Audit: responsible for internal audit
▪ Security: responsible for the organization's security processes
Thank You
 
Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Eryk Budi Pratama
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyEryk Budi Pratama
 
Industry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsIndustry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsEryk Budi Pratama
 

More from Eryk Budi Pratama (20)

Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTIRingkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
Ringkasan Standar Kompetensi Data Protection Officer | Agustus 2023 | IODTI
 
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
Implikasi UU PDP terhadap Tata Kelola Data Sektor Kesehatan - Rangkuman UU Pe...
 
Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program ImplementationPrivacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
 
Cybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber SecurityCybersecurity 101 - Auditing Cyber Security
Cybersecurity 101 - Auditing Cyber Security
 
Personal Data Protection in Indonesia
Personal Data Protection in IndonesiaPersonal Data Protection in Indonesia
Personal Data Protection in Indonesia
 
Urgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data PribadiUrgensi RUU Perlindungan Data Pribadi
Urgensi RUU Perlindungan Data Pribadi
 
Modern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL IndonesiaModern IT Service Management Transformation - ITIL Indonesia
Modern IT Service Management Transformation - ITIL Indonesia
 
Common Practice in Data Privacy Program Management
Common Practice in Data Privacy Program ManagementCommon Practice in Data Privacy Program Management
Common Practice in Data Privacy Program Management
 
The Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI WebinarThe Rise of Data Ethics and Security - AIDI Webinar
The Rise of Data Ethics and Security - AIDI Webinar
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_ErykData Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
 
Cyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - ErykCyber Resilience - Welcoming New Normal - Eryk
Cyber Resilience - Welcoming New Normal - Eryk
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data QualityEnabling Data Governance - Data Trust, Data Ethics, Data Quality
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
 
Enterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating ModelEnterprise Cybersecurity: From Strategy to Operating Model
Enterprise Cybersecurity: From Strategy to Operating Model
 
Blockchain for Accounting & Assurance
Blockchain for Accounting & AssuranceBlockchain for Accounting & Assurance
Blockchain for Accounting & Assurance
 
Guardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & AnalyticsGuardians of Trust: Building Trust in Data & Analytics
Guardians of Trust: Building Trust in Data & Analytics
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0Cybersecurity Skills in Industry 4.0
Cybersecurity Skills in Industry 4.0
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas Company
 
Industry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT SkillsIndustry 4.0 : How to Build Relevant IT Skills
Industry 4.0 : How to Build Relevant IT Skills
 

Recently uploaded

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Identity & Access Management for Securing DevOps

  • 1. Identity & Access Management for Securing DevOps Lifecycle
    Eryk Budi Pratama
    DevSecOps ID 4th Meetup | 14 Nov 2019
  • 3. IT Audit as the primary driver
    Audit process (IT audit as part of the financial audit):
    ▪ Understanding the business, the entity, and the IT environment
    ▪ Identify accounts, significant accounts and processes
    ▪ Understand the process, including related applications
    ▪ Identify WCGW (what could go wrong) and relevant controls
    ▪ Manual control or application control
    ▪ IT General Control
    ▪ Test of Design (TOD) and Test of Effectiveness (TOE)
    Control matrix: type of control (manual / automated) against objective of control (prevent / detect), covering IT General Control, IT-Dependent Manual Controls, Manual Controls and Application Controls; the risk addressed is misstatement in the financial statements.
  • 4. IT General Control as part of IT Audit
    Access to Program and Data:
    ▪ Policies and procedures
    ▪ User access provisioning and de-provisioning
    ▪ Periodic access reviews
    ▪ Password requirements
    ▪ Privileged user accounts
    ▪ Physical access
    ▪ Appropriateness of access / segregation of duties
    ▪ Encryption
    ▪ System authentication
    ▪ Audit logs
    ▪ Network security
    Program Changes & Development:
    ▪ Change management procedures and system development methodology
    ▪ Authorization, development, implementation, testing, approval, and documentation
    ▪ Migration to the production environment (separation of duties)
    ▪ Configuration changes
    ▪ Emergency changes
    ▪ Data migration and version controls
    ▪ Post change/implementation testing and reviews
    Computer Operations:
    ▪ Batch job processing
    ▪ Monitoring of jobs (success/failure)
    ▪ Backup and recovery procedures
    ▪ Incident handling and problem management
    ▪ Changes to the batch job schedules
    ▪ Environmental controls
    ▪ Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)
    ▪ Patch management
  • 5. User and Access Management as primary concern
    ▪ User access provisioning and de-provisioning
    ▪ Periodic access reviews
    ▪ Privileged user accounts
    ▪ Segregation of duties
    ▪ System authentication
    (grouped on the slide under User Management and Access Management)
  • 7. Identity and Access Management
    ▪ Security Management: provides the overarching framework, policies, and procedures
    ▪ Identity Management: manages individual identities and their access to resources and services
    ▪ Access Management: manages the "who has access to what" question and allows access based on the individual's relationship with the resources and services
    ▪ Directory Services: maintains an identity repository that stores identity data and attributes, and provides access and authorization information
    "IAM grants authorized users the right to use a service, while preventing access to non-authorized users"
  • 8. From Simply Managing Identities to Managing Complex Relationships (source: Forrester Research)
    Identity Access Management → Identity Relationship Management
  • 9. IAM Business Value
    Core benefits and results: Automation & Repeatability, Consistency, Accountability, Reduce Cost, Better Service, Optimize Compliance; managing risk efficiently.
    Sample metrics:
    ▪ % of access requests in compliance with policy
    ▪ % of privileges covered by periodic review
    ▪ % of changes done through the tool
    ▪ % of requests initiated through the proper channel / procedure
    ▪ Average time to obtain approval for an access request
    ▪ etc.
  • 10. Major Drivers for IAM Investments (source: https://assets.kpmg/content/dam/kpmg/ch/pdf/ch-identity-and-access-management.pdf)
  • 11. IAM – NIST Cybersecurity Framework View
    Identity Management and Access Control (PR.AC) is part of the Protect domain within the NIST Cybersecurity Framework. Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
    ▪ PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
    ▪ PR.AC-2: Physical access to assets is managed and protected
    ▪ PR.AC-3: Remote access is managed
    ▪ PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    ▪ PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
    ▪ PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
    ▪ PR.AC-7: Users, devices, and other assets are authenticated
  • 12. IAM – CIS Top 20 CSC View
    ▪ Deploy Port Level Access Control
    ▪ Utilize Client Certificates to Authenticate Hardware Assets
    ▪ Maintain Inventory of Administrative Accounts
    ▪ Change Default Passwords
    ▪ Ensure the Use of Dedicated Administrative Accounts
    ▪ Use Multifactor Authentication For All Administrative Access
    ▪ Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
    ▪ Manage Network Infrastructure Through a Dedicated Network
    ▪ Require All Remote Login to Use Multi-Factor Authentication
    ▪ Segment the Network Based on Sensitivity
    ▪ Enable Firewall Filtering Between VLANs
    ▪ Disable Workstation to Workstation Communication
    ▪ Protect Information through Access Control List
    ▪ Maintain an Inventory of Authentication Systems
    ▪ Require Multi-Factor Authentication
    ▪ Encrypt or Hash all Authentication Credentials
    ▪ Maintain an Inventory of Accounts
    ▪ Establish Process for Revoking Access
    ▪ Disable Any Unassociated Accounts
    ▪ Disable Dormant Accounts
    ▪ Ensure All Accounts Have An Expiration Date
    ▪ Manage All Devices Remotely Logging into Internal Network
  • 13. Identity Management Basic Process
    Authoritative/trusted source (HR data) → middleware / identity management solution (IDM solution) → target systems (Active Directory, email server, ERP, other applications).
    Provisioning (create, update, revoke) and reconciliation run between the IDM solution and the target systems.
  • 14. Access Management Basic Process
    ▪ Receive request: change requests; service requests; HR requests; app / script requests
    ▪ Verification: valid user? valid request? request access? remove access?
    ▪ Provide rights: provide access; remove access; restrict access
    ▪ Log and track access: check and monitor identity status; violations go to the incident management process
    Underpinned by business rules, policies, procedures and controls (ISMS).
  • 15. User Account & Access Lifecycle (source: https://home.kpmg/content/dam/kpmg/us/pdf/2018/10/kpmg-access-management-orchestration-suite.PDF)
    ▪ Person Onboarding: zero day access provisioning; rehire; reinstate access
    ▪ Access Request: self-service request; request on behalf of another user
    ▪ Policy & Risk: segregation of duties policies; policy-violation scan
    ▪ Periodic Access Review: application periodic access review; role periodic access review; privileged account periodic access review
    ▪ Reporting: produce or export operational metrics; configurable auditing of all identity-related events
    ▪ User Access Change Events (change of location, role, etc.; forgotten password): job transfer; authoritative system attribute change; temporary leave
    ▪ Termination: planned exit; emergency termination; third party resource termination
    ▪ Application Lifecycle / Role Mining & Definition: standardized on-boarding of applications; application change; role lifecycle management
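As an added example (not from the slides or any vendor's code), here are the reconciliation step of slide 13 and the SoD policy-violation scan and orphan/dormant review of slide 15 as code; the HR records, target-system accounts, entitlement names and SoD rule are constructed:

```python
"""Added example, not from the slides: the reconciliation step of slide 13
(authoritative source vs. target-system accounts) and the SoD
policy-violation scan and dormant/orphan review of slide 15.
All identities, accounts, systems and rules below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    """Record from the authoritative source (HR data)."""
    employee_id: str
    status: str                     # "active" or "terminated"


@dataclass
class Account:
    """Record pulled from a target system (AD, ERP, ...)."""
    system: str
    username: str
    owner_id: Optional[str]         # correlation key to HR; None if unknown
    entitlements: Set[str] = field(default_factory=set)
    last_login: Optional[date] = None


# Constructed HR feed.
HR: Dict[str, Person] = {
    "E100": Person("E100", "active"),
    "E101": Person("E101", "active"),
    "E102": Person("E102", "terminated"),
}

# Constructed accounts as read back from the target systems.
ACCOUNTS: List[Account] = [
    Account("ERP", "asmith", "E100",
            {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}, date(2019, 11, 1)),
    Account("ERP", "bjones", "E101", {"AP_CREATE_VENDOR"}, date(2019, 5, 2)),
    Account("AD", "cwhite", "E102", {"Domain Users"}, date(2019, 10, 30)),
    Account("AD", "svc_legacy", None, {"Domain Admins"}, date(2018, 1, 15)),
]

# Constructed SoD rule: entitlement pairs one identity must never hold together.
SOD_RULES: Set[Tuple[str, str]] = {("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT")}

DORMANT_AFTER = timedelta(days=90)
REVIEW_DATE = date(2019, 11, 14)    # constructed "today" for the review run


def reconcile(hr: Dict[str, Person], accounts: List[Account],
              today: date) -> Dict[str, List[str]]:
    """Correlate each account to HR. Orphan: no HR record can be found.
    Terminated: the owner has left but the account still exists.
    Dormant: not used within DORMANT_AFTER (or never used)."""
    findings: Dict[str, List[str]] = {"orphan": [], "terminated": [], "dormant": []}
    for acct in accounts:
        key = f"{acct.system}/{acct.username}"
        person = hr.get(acct.owner_id) if acct.owner_id else None
        if person is None:
            findings["orphan"].append(key)
        elif person.status != "active":
            findings["terminated"].append(key)
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings["dormant"].append(key)
    return findings


def sod_violations(accounts: List[Account],
                   rules: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Aggregate entitlements per identity across all systems (a user may
    hold one half of a toxic pair in each system), then report every rule
    that is hit. Uncorrelated accounts are skipped; reconcile() reports those."""
    held: Dict[str, Set[str]] = {}
    for acct in accounts:
        if acct.owner_id:
            held.setdefault(acct.owner_id, set()).update(acct.entitlements)
    hits = [(owner, a, b) for owner, ents in held.items()
            for a, b in rules if a in ents and b in ents]
    return sorted(hits)


if __name__ == "__main__":
    print(reconcile(HR, ACCOUNTS, REVIEW_DATE))
    print(sod_violations(ACCOUNTS, SOD_RULES))
```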
  • 16. Common Challenges (source: EY – Identity and Access Management Beyond Compliance)
    Stages: user access request and approve; provision/de-provision; enforce; report and audit; review and certify; reconcile.
    ▪ Processes differ by location, business unit and resource
    ▪ Approvers have insufficient context of user access needs: do users really need access to private or confidential data?
    ▪ Users find it difficult to request required access
    ▪ Time lines to grant/remove access are excessive
    ▪ Inefficient and error-prone manual provisioning processes are used
    ▪ Access profile cloning occurs inappropriately
    ▪ Inappropriate access may not be de-provisioned
    ▪ Applications do not support central access management
    ▪ Access management policies do not exist
    ▪ Segregation of duties is not enforced
    ▪ Role/rule-based access is used inconsistently
    ▪ Actual rights on systems exceed access levels that were originally approved/provisioned
    ▪ There is no single authoritative identity repository for employees/non-employees
    ▪ Processes are manual and differ by location, business unit and resource
    ▪ Reviewers must complete multiple, redundant and granular access reviews
    ▪ KPIs/metrics do not exist or do not align with business-driven success criteria (e.g., reduce risk by removing terminated user access on the day of termination)
    ▪ Audits are labor intensive
  • 17. On Premise IAM
    Disclaimer: Because of the time limitation to present the material, for example purposes this section covers an overview of SailPoint IdentityIQ and ForgeRock OpenAM, as the speaker's team experience is on those platforms.
  • 18. ForgeRock Architecture (source: https://backstage.forgerock.com/docs/openam/12/deployment-planning/)
    ▪ OpenAM: context-based access management system. OpenAM is an all-in-one industry-leading access management solution, providing authentication, authorization, federation, web services security, adaptive risk, and entitlements services among many other features.
    ▪ OpenIDM: cloud-focused identity administration. OpenIDM is a lightweight provisioning system, built on resource-oriented principles.
    ▪ OpenDJ: internet-scale directory server. OpenDJ provides full LDAP protocol support, multi-protocol access, cross-domain replication, a common REST framework, SCIM support, and many other features.
    ▪ OpenIG: no-touch single sign-on (SSO) to enterprise, legacy, and custom applications. OpenIG is a reverse proxy server with specialized session management and credential replay functionality.
    ▪ OpenICF: enterprise and cloud identity infrastructure connectors.
  • 20. OpenAM Deployment Example (diagram: OpenAM frontend, load balancer, reverse proxy layer)
  • 21. SailPoint IdentityIQ Architecture (source: https://allaboutiam.com/2014/12/25/generic-identityiq-implementation-architecture/)
  • 22. SailPoint IdentityIQ – Sample Dashboard
  • 23. Cloud IAM
    Disclaimer: Because of the time limitation to present the material, for example purposes this section covers an overview of Google cloud-based IAM, as the speaker's experience is on the GCP platform.
  • 24. Cloud IAM Resource Hierarchy (source: https://cloud.google.com/iam/docs/overview)
    A policy is set on a resource, and each policy contains a set of:
    ▪ Roles
    ▪ Role members
    Resources inherit policies from their parent:
    ▪ The effective policy of a resource is the union of the parent's policy and the resource's own. If the parent policy is less restrictive, it overrides a more restrictive resource policy.
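As an added example (not from the slides or Google's code), the inheritance rule on slide 24 worked through: a role granted at the project level reaches a bucket underneath it even when the bucket's own policy does not mention the member, so an access review has to find where the binding actually lives. The hierarchy, resource names and members are constructed; the policy shape (bindings of role to members) follows the documented Cloud IAM policy format:

```python
"""Added example, not from the slides or Google's code: Cloud IAM policy
inheritance as described on slide 24. Hierarchy, resources and members are
constructed; the policy shape follows cloud.google.com/iam/docs/overview."""
from typing import Dict, List, Optional, Set

# Constructed hierarchy: child -> parent (None marks the root organization).
PARENT: Dict[str, Optional[str]] = {
    "organizations/123": None,
    "folders/dev": "organizations/123",
    "projects/app-dev": "folders/dev",
    "buckets/app-dev-secrets": "projects/app-dev",
}

# Constructed policies, one per resource, in the Cloud IAM policy shape.
POLICIES: Dict[str, dict] = {
    "organizations/123": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:cloud-admins@example.com"]}]},
    "folders/dev": {"bindings": [
        {"role": "roles/viewer", "members": ["group:developers@example.com"]}]},
    "projects/app-dev": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:developers@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:ops@example.com"]}]},
    # The bucket policy grants developers nothing. Because the effective
    # policy is a union with the parents', that does NOT restrict them.
    "buckets/app-dev-secrets": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:ci@app-dev.iam.gserviceaccount.com"]}]},
}


def ancestry(resource: str) -> List[str]:
    """The resource followed by its parents up to the root."""
    chain: List[str] = []
    node: Optional[str] = resource
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def effective_bindings(resource: str) -> Dict[str, Set[str]]:
    """Union of role -> members over the resource and all its ancestors.
    This union is why a parent grant cannot be narrowed at the child."""
    effective: Dict[str, Set[str]] = {}
    for node in ancestry(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            effective.setdefault(binding["role"], set()).update(binding["members"])
    return effective


def members_with_role(resource: str, role: str) -> Set[str]:
    """Who effectively holds `role` on `resource` (the review question)."""
    return effective_bindings(resource).get(role, set())


def where_granted(resource: str, role: str, member: str) -> List[str]:
    """Resources in the ancestry whose own policy grants this role to this
    member: the binding to remove lives there, not where the access was
    noticed."""
    hits: List[str] = []
    for node in ancestry(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if binding["role"] == role and member in binding["members"]:
                hits.append(node)
    return hits


if __name__ == "__main__":
    bucket = "buckets/app-dev-secrets"
    print(sorted(members_with_role(bucket, "roles/storage.objectViewer")))
    print(where_granted(bucket, "roles/storage.objectViewer",
                        "group:developers@example.com"))
```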
  • 25. Permissions Management in Cloud IAM (source: https://cloud.google.com/iam/docs/overview)
  • 26. Cloud IAM Policy (source: https://cloud.google.com/iam/docs/overview)
  • 28. Cloud Access Security Broker (CASB) at a glance (source: https://www.skyhighnetworks.com/cloud-security-blog/how-to-deploy-a-casb-the-first-cloud-security-reference-architecture/)
  • 29. Integrate IDM to Jenkins (via SAML Plugin) (source: https://github.com/jenkinsci/saml-plugin/)
    Configure Global Security > Enable Security > SAML 2.0, then configure the plugin settings.
  • 30. Basic SAML Transaction Steps (Sample) (source: https://github.com/jenkinsci/saml-plugin/)
    1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
    2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner's SSO service.
    3. Google sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner's SSO service.
    4. The partner decodes the SAML request and extracts the URL for both Google's ACS (Assertion Consumer Service) and the user's destination URL (RelayState parameter).
    5. The partner generates a SAML response that contains the authenticated user's username.
    6. The partner encodes the SAML response and the RelayState parameter and returns that information to the user's browser.
    7. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, ACS redirects the user to the destination URL.
    8. The user has been redirected to the destination URL and is logged in to Google.
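The eight steps above as an added, runnable example (not from the slides or the Jenkins plugin): the service provider builds the redirect of steps 2-3, the partner decodes it and answers (steps 4-6), and the ACS of step 7 accepts the response only after the checks a defender cares about (it answers a request we issued, is addressed to our ACS, names us as audience, and is within its validity window). Entity IDs and URLs are constructed; the XML carries only the elements those checks need; the XML-Signature verification with the partner's public key is assumed to be done by a SAML library and is passed in as the signature_ok flag:

```python
"""Added example, not from the slides or the Jenkins SAML plugin: the
SP-initiated exchange of slide 30 with the Python standard library only.
Entity IDs and URLs are constructed, the XML is trimmed to the elements
the checks need, and the XML-Signature verification of step 7 is assumed
to be done by a SAML library and arrives here as the signature_ok flag."""
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY = "https://sp.example.com"           # constructed SP entity ID
ACS_URL = "https://sp.example.com/saml/acs"    # constructed ACS endpoint
IDP_SSO_URL = "https://idp.example.org/sso"    # constructed partner SSO URL
ISO = "%Y-%m-%dT%H:%M:%SZ"


def build_redirect(relay_state, now, outstanding):
    """Steps 2-3 (SP side): create an AuthnRequest, raw-DEFLATE and
    base64 it as the HTTP-Redirect binding requires, and return the
    redirect URL carrying SAMLRequest and RelayState. The request ID is
    recorded so the Response can later be correlated to it."""
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{now.strftime(ISO)}" '
           f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no header
    deflated = comp.compress(xml.encode()) + comp.flush()
    outstanding[req_id] = now
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def idp_parse(url):
    """Step 4 (partner side): decode the request and extract the ACS URL,
    the requesting issuer and the RelayState to hand back unchanged."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {"id": root.get("ID"),
            "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "relay_state": qs["RelayState"][0]}


def idp_response(req, subject, now):
    """Steps 5-6 (partner side): a minimal Response naming the authenticated
    user, addressed to the ACS and bound to the request. A real IdP signs
    this; returns (base64 SAMLResponse, RelayState)."""
    not_after = (now + timedelta(minutes=5)).strftime(ISO)
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'InResponseTo="{req["id"]}" Destination="{req["acs"]}">'
           f'<saml:Assertion><saml:Subject><saml:NameID>{subject}</saml:NameID>'
           f'</saml:Subject><saml:Conditions NotBefore="{now.strftime(ISO)}" '
           f'NotOnOrAfter="{not_after}"><saml:AudienceRestriction>'
           f'<saml:Audience>{req["issuer"]}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
           f'</samlp:Response>')
    return base64.b64encode(xml.encode()).decode(), req["relay_state"]


def acs_consume(saml_response, relay_state, signature_ok, now, outstanding):
    """Step 7 (SP side): accept the Response only if the signature check
    passed AND it answers a request this SP issued, was sent to this ACS,
    names this SP as audience and is inside its validity window. Returns
    (subject, destination URL) for the final redirect, else None."""
    if not signature_ok:
        return None
    root = ET.fromstring(base64.b64decode(saml_response))
    req_id = root.get("InResponseTo")
    if req_id not in outstanding or root.get("Destination") != ACS_URL:
        return None                     # unsolicited, replayed or misdirected
    cond = root.find(f".//{{{SAML}}}Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), ISO).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cond.get("NotOnOrAfter"), ISO).replace(tzinfo=timezone.utc)
    if not (nb <= now < na):
        return None                     # expired or not yet valid
    if root.findtext(f".//{{{SAML}}}Audience") != SP_ENTITY:
        return None                     # assertion issued for another SP
    del outstanding[req_id]             # a request is answered exactly once
    return root.findtext(f".//{{{SAML}}}NameID"), relay_state


def demo(signature_ok=True, consume_after_minutes=0):
    """Run the whole exchange in-process and return acs_consume's result."""
    now = datetime(2019, 11, 14, 9, 0, tzinfo=timezone.utc)
    outstanding = {}
    url = build_redirect("https://sp.example.com/app/dashboard", now, outstanding)
    req = idp_parse(url)
    resp, relay = idp_response(req, "alice@example.com", now)
    later = now + timedelta(minutes=consume_after_minutes)
    return acs_consume(resp, relay, signature_ok, later, outstanding)
```

Calling demo() returns the subject and the RelayState destination; a failed signature check or a response consumed after its NotOnOrAfter returns None.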
  • 31. Authorization Workflow between IDM and AM (source: https://forum.forgerock.com/2018/05/forgerock-identity-platform-version-6-integrating-idm-ds/)
  • 32. Integrate IDM to Kubernetes (via OIDC) (source: https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
  • 33. Access Management Orchestration (sample) (source: https://home.kpmg/content/dam/kpmg/us/pdf/2018/10/kpmg-access-management-orchestration-suite.PDF; diagram labels: Policy Lifecycle, Orch's)
  • 34. Case Study
    Disclaimer: The case study has been sanitized to ensure the confidentiality of the speaker's team experience in delivering Identity & Access Management services.
  • 35. Case Study – Identity Management Platform Deployment (Insurance Company)
    Challenge / Approach / Deliverable:
    ▪ A leading global insurance company had a number of outstanding audit points arising from the lack of visibility into "who has access to what". To address these audit points, the client embarked on an Identity and Access Management programme in XXXX that saw the replacement of their existing legacy automated provisioning tool with a strategic Identity Management platform. The project involved the management of 5000 users and covered the on-boarding of 35 business-critical applications.
    ▪ [Consultant] was selected to help the client deploy the strategic Identity Management platform.
    ▪ [Consultant] followed an access-governance-led approach to the deployment, i.e., authoritative source data was reconciled prior to applications being on-boarded. Entitlement review was conducted across all on-boarded applications.
    ▪ Once periodic entitlement reviews were instituted as a BAU process, the platform was further enhanced to support access requests and Joiner, Mover and Leaver policies.
    ▪ Business and IT roles were on-boarded to conduct role-based certifications for specific applications.
    ▪ [Consultant] helped with the remediation of orphan and dormant accounts, including the establishment of unique identifiers for every identity record.
    ▪ The project was successfully transitioned to deployment support after the deployment of core functionality.
    ▪ [Consultant] put together a multi-location support team to help the client consolidate the functionality built and to support the continued roll-out of the platform across their application estate.
    ▪ Delivery of a comprehensive strategic user access programme that is supported by all divisions within the organization and satisfies the regulator.
    ▪ A clear vision of the target state and practical implementation phases for sustained growth.
    ▪ A multi-location support team to help consolidate the functionality built and to support the continued roll-out of the platform across the application estate.
  • 36. Identity Management Platform Deployment – Holistic View (source: KPMG – Identity and Access Management the new Complex)
  • 37. Identity Management Platform Deployment (1/3)
    Phases: Project Governance | Initiate | Infrastructure | Analysis & Design | Configure & Build | Test & Verify | Release | Close
    Tasks:
    ▪ Baseline [Tools] install in development environment
    ▪ Source repository configured with a standard build environment and tools
    ▪ Environment connection details captured and documented
    ▪ Developer and system accounts created
    ▪ Development, UAT, and Production environments in place
    Deliverables:
    ▪ Infrastructure Validation Host Instance Diagrams
    ▪ Baseline [Tools] Installation in Development Environment
    ▪ [Tools] environment ready for Test and Verification
  • 38. Identity Management Platform Deployment (2/3)
    Phases: Project Governance | Initiate | Infrastructure | Analysis & Design | Configure & Build | Test & Verify | Release | Close
    Tasks:
    ▪ Requirements definition and update to project planning
    ▪ Requirements stakeholder interviews
    ▪ Requirements Traceability Matrix approval
    ▪ Initial draft of Design Specification (developed iteratively throughout the engagement)
    ▪ High Level Architecture Specification approval
    Deliverables:
    ▪ Requirements Traceability Matrix
    ▪ High Level Architecture Specification
    ▪ Detailed Design document
  • 39. Identity Management Platform Deployment (3/3)
    Phases: Project Governance | Initiate | Infrastructure | Analysis & Design | Configure & Build | Test & Verify | Release | Close
    Tasks:
    ▪ Iterative updates to Design Specification
    ▪ Data loading: load authoritative source; load account and entitlement data; correlate accounts to identities; review orphans
    ▪ Workflow definition
    ▪ Policy modeling
    ▪ Create Build Guide (UAT)
    ▪ Configuration of access certifications
    ▪ Development of rule libraries
    ▪ General configuration of reporting and dashboard
    ▪ Pass-through authentication / SSO configuration
    ▪ Simple branding
    ▪ Preparation of UAT-ready system
    Deliverables:
    ▪ Identity cubes built and populated
    ▪ Models and policies defined in [Tools]
    ▪ Workflows implemented
    ▪ Simple branded pages
    ▪ Build Guide established
    ▪ All configurations complete
  • 40. Key Success Factor – Who should be involved in Identity & Access Management
    ▪ Business: responsible for management / controlling of business activities
    ▪ IT Architecture & Ops: responsible for IT architecture and IT operations
    ▪ Programs & Projects: responsible for updating the IT of the business environment of the enterprise
    ▪ HR: responsible for management of employee information
    ▪ Audit: responsible for internal audit
    ▪ Security: responsible for the organization's security processes