A Future-Ready Approach to IAM
Adrian Dumitrescu
Q-East Software
adrian.dumitrescu@qeast.ro
Quest’s “future-ready” approach to IAM
#1 Invest in simplicity
#2 Embrace open standards
#3 Think software first
#4 Build end-to-end security
#5 Modernize and automate
A modular and integrated approach with the end purpose of delivering one identity,
one set of policies, one set of access controls, and one set of rights to audit
True single sign-on that works across any technology standard, from the most modern
federated applications to legacy ones, and adoptable new functionalities in the future
Propose configuration as opposed to customization, open standards rather than
closed systems, and interoperability instead of solving one new problem a day
Deploy the entire range of security needs and unify as many disparate systems and
practices as possible.
Replace the cumbersome manual processes and non-integrated tools with one
integrated solution and put the IAM in the hands of the business – not IT.
Addressing the concern of context-aware security
The who, what, when, where and why of access
Context-aware security (or adaptive security) empowers
organizations to base real-time security decisions on the
total risk associated with multiple pieces of security
information
One Identity leverages a security analytics engine that is
configurable to weigh the who, what, when, where, and
why of access requests according to the organization’s
needs, user populations, threats, practices, applications
and infrastructure
Covering the four pillars of IAM
IAM is “Anything you do to make sure that people can get to the stuff they need to do their jobs”
Setting up user access to applications, data
and systems
Ensuring that the access given to that user is
the access, or privileges, that user is
supposed to have
Providing for oversight, or governance, to
ensure that the organization and those who
regulate it know what that access is and
agree that it is appropriate
One Identity – Recipe for success
What IAM is about:
• Setting up user access to applications, data and systems
• Ensuring that the access given to that user is the access, or privileges, that user is supposed to have
• Providing for oversight, or governance, to ensure that the organization and those who regulate it know what that access is and agree that it is appropriate
The value we add:
• Unify, unify, unify
• The ability to arrive at a single source of the truth and then implement it enterprise-wide
• Minimize customization as much as possible
• Adding configuration instead of customization
• Get provisioning right
• Unified, tailored provisioning, re-provisioning and deprovisioning
• Put the business in charge
• Let managers decide who should have access to what
• Automate and enable
• Don’t rely on manual processes
• Always look forward
• Approach the project with a “what if…” mindset and build on open standards
One Identity full stack of solutions
One Identity provides access management, identity governance and privileged management
for the widest range of user types and access scenarios
Identity intelligence at the center of One Identity
The One Identity family of IAM solutions offers
business-centric, modular and integrated, and
future-ready solutions for identity governance,
access management and privileged management.
# Access Governance
# Access Management
# Identity Governance
# Mobility
# Privileged Account Management
# Simplify complexity
# User Activity Monitoring
One Identity Advantage
Access Governance
Privileged Account Management
Identity Administration
User Activity Monitoring
Solution simplicity
Business driven
Rapid time-to-value
Broad portfolio that is modular & integrated
Granular access controls
Complete identity and access management
Access Governance
Manage access to business-critical information
• Access request and certification
• Fine-grained application security
• Data access management
• Role engineering
• Automated provisioning
Privileged Account Management
Understand and control administrator activity
• Granular delegation
• Enforce Separation of Duty
• Enterprise privilege safe
• Session management
• Keystroke logging
Identity Administration
Simplify account management
• Directory Consolidation
• AD Administration
• Virtual Directory Services
• Single Sign-on
• Strong Authentication
User Activity Monitoring
Audit user activity
• Granular AD auditing
• Permissions reporting
• Log management
• Event alerting
• Crisis resolution
#1: Identity Governance
A modular and integrated approach with the end purpose of delivering one identity,
one set of policies, one set of access controls, and one set of rights to audit
#2: Access Governance
Extensive management of identities, built as a
single modular, integrated solution
Aligns access governance through centralized
management of users and access control
#3: Privileged Account Management
Unix Delegation
Sessions
Passwords
AD Bridge
• Helps the business solve the shared password accountability challenge
• Enables the business to determine: “Who did what with their access?”
• Lets the business enable the least privilege model,
Solves the Unix “root” problem
• Extend the benefits of Active Directory in a heterogeneous environment
• Consolidate the number of identities
• Enforce Active Directory based security to Unix
Deploy the entire range of security needs and unify as many
disparate systems and practices as possible.
Business Challenges
There are simply too many identities in an enterprise, resulting in too many passwords and too many user
IDs to remember
#4: Common Single Sign-On Approaches
#5: Active Directory - The Foundation for ESSO
• AD is already there
• AD is scalable
• AD is reliable
• AD is an extensible technology platform
• AD already controls the access to a lot of resources
• AD is already used by all corporate users
• AD is already there
IAM is “Anything you do to make sure that people can get to the stuff they need to do their jobs”
The One Identity Solution
Replace the cumbersome manual processes
and non-integrated tools with one integrated
solution and put the IAM in the hands of the
business – not IT.
• Visionary architecture
• Identity repository
• Business process management
• Secure identity federation
• Secure single sign-on
• Adaptive security
• Multifactor authentication
• Simplified access control and auditing
• Codeless provisioning
• Scalable just-in-time cloud provisioning
All-in-one single sign-on, identity and access management, web
access management and identity federation solution that is both
modular and integrated to meet any customer expectations
The One Identity Solution
User landing page
User lifecycle overview
Self service requests
Access Governance
Heat map
Attestation snapshot
Unstructured data access management
Unstructured data access management
Ready for the cloud
Extending Kerberos authentication over non-Windows environment
… and providing a single administrative console for AD Bridge and
Unix delegation management
… including roles and permissions administration
… keystroke logging and replay
… & single source reporting for the whole Unix access
Securing external privileged access with a purpose-built appliance
Privileged Passwords
Privileged Sessions
Privileged Password Management
Privileged Session Management
Application Password Management
Privileged Command Management
AUDIT
ONE IDENTITY SAFEGUARD FOR PRIVILEGED PASSWORDS AND SESSIONS
… that covers fully and completely the PAM niche
Identity Management for the real world
Flexibility to address both current needs and future requirements
Single Sign-On
Provisioning
Role Management
Identity Intelligence
Multifactor Authentication
Password Management
Privileged Account Management
Optimizing an IAM Framework
https://www.quest.com/one-identity/

OneIdentity - A Future-Ready Approach to IAM

  • 1. A Future-Ready Approach to IAM Adrian Dumitrescu Q-East Software adrian.dumitrescu@qeast.ro
  • 2. Quest’s “future-ready” approach to IAM #1 Invest in simplicity #2 Embrace open standards #3 Think software first #4 Build end-to-end security #5 Modernize and automate A modular and integrated approach with the end purpose of delivering one identity, one set of policies, one set of access controls, and one set of rights to audit True single sign-on that works across any technology standard, from the most modern federated applications to legacy ones, and adoptable new functionalities in the future Propose configuration as opposed to customization, open standards rather than closed systems, and interoperability instead of solving one new problem a day Deploy the entire range of security needs and unify as many disparate systems and practices as possible. Replace the cumbersome manual processes and non-integrated tools with one integrated solution and put the IAM in the hands of the business – not IT.
  • 3. Addressing the concern of context-aware security The who, what, when, where and why of access Context-aware security (or adaptive security) empowers organizations to base real-time security decisions on the total risk associated with multiple pieces of security information One Identity leverages a security analytics engine that is configurable to weigh the who, what, when, where, and why of access requests according to the organization’s needs, user populations, threats, practices, applications and infrastructure
  • 4. Covering the four pillars of IAM IAM is “Anything you do to make sure that people can get to the stuff they need to do their jobs” Setting up user access to applications, data and systems Ensuring that the access given to that user is the access, or privileges, that user is supposed to have Providing for oversight, or governance, to ensure that the organization and those who regulate it know what that access is and agree that is appropriate
  • 5. One Identity – Recipe for success. What IAM is about: setting up user access to applications, data and systems; ensuring that the access given to that user is the access, or privileges, that user is supposed to have; providing for oversight, or governance, to ensure that the organization and those who regulate it know what that access is and agree that is appropriate. The value we add: Unify, unify, unify (the ability to arrive at a single source of the truth and then implement it enterprise-wide); Minimize customization as much as possible (adding configuration instead of customization); Get provisioning right (unified, tailored provisioning, re-provisioning and deprovisioning); Put the business in charge (let managers decide who should have access to what); Automate and enable (don’t rely on manual processes); Always look forward (approach the project with a “what if…” mindset and build on open standards).
  • 6. One Identity full stack of solutions One Identity provides access management, identity governance and privileged management for the widest range of user types and access scenarios
  • 7. Identity intelligence at the center of One Identity The One Identity family of IAM solutions offers business-centric, modular and integrated, and future-ready solutions for identity governance, access management and privileged management. # Access Governance # Access Management # Identity Governance # Mobility # Privileged Account Management # Simplify complexity # User Activity Monitoring
  • 9. Complete identity and access management Access Governance Manage access to business-critical information • Access request and certification • Fine-grained application security • Data access management • Role engineering • Automated provisioning Privileged Account Management Understand and control administrator activity • Granular delegation • Enforce Separation of Duty • Enterprise privilege safe • Session management • Keystroke logging Identity Administration Simplify account management • Directory Consolidation • AD Administration • Virtual Directory Services • Single Sign-on • Strong Authentication User Activity Monitoring Audit user activity • Granular AD auditing • Permissions reporting • Log management • Event alerting • Crisis resolution
  • 10. #1: Identity Governance A modular and integrated approach with the end purpose of delivering one identity, one set of policies, one set of access controls, and one set of rights to audit
  • 11. #2: Access Governance Extensive management of identities, built as a single modular, integrated solution. Aligns access governance through centralized management of users and access control
  • 12. #3: Privileged Account Management Unix Delegation Sessions Passwords AD Bridge • Helps the business solve the shared password accountability challenge • Enables the business to determine: “Who did what with their access?” • Lets the business enable the least privilege model, Solves the Unix “root” problem • Extend the benefits of Active Directory in a heterogeneous environment • Consolidate the number of identities • Enforce Active Directory based security to Unix Deploy the entire range of security needs and unify as many disparate systems and practices as possible.
  • 13. Business Challenges There are simply too many identities in an enterprise, resulting in too many passwords and too many user IDs to remember
  • 14. #4: Common Single Sign-On Approaches
  • 15. #5: Active Directory - The Foundation for ESSO: AD is already there; AD is scalable; AD is reliable; AD is an extensible technology platform; AD already controls the access to a lot of resources; AD is already used by all corporate users; AD is already there. IAM is “Anything you do to make sure that people can get to the stuff they need to do their jobs”
  • 16. The One Identity Solution: Replace the cumbersome manual processes and non-integrated tools with one integrated solution and put the IAM in the hands of the business – not IT. Visionary architecture; Identity repository; Business process management; Secure identity federation; Secure single sign-on; Adaptive security; Multifactor authentication; Simplified access control and auditing; Codeless provisioning; Scalable just-in-time cloud provisioning. All-in-one single sign-on, identity and access management, web access management and identity federation solution that is both modular and integrated to meet any customer expectations
  • 17. The One Identity Solution
  • 26. Ready for the cloud
  • 27. Extending Kerberos authentication over non-Windows environment
  • 28. … and providing a single administrative console for AD Bridge and Unix delegation management
  • 29. … including roles and permissions administration
  • 30. … keystroke logging and replay
  • 31. … & single source reporting for the whole Unix access
  • 32. Securing external privileged access with a purpose-built appliance Privileged Passwords Privileged Sessions Privileged Password Management Privileged Session Management Application Password Management Privileged Command Management AUDIT ONE IDENTITY SAFEGUARD FOR PRIVILEGED PASSWORDS AND SESSIONS
  • 33. … that covers fully and completely the PAM niche
  • 34. Identity Management for the real world
  • 35. Flexibility to address both current needs and future requirements Single Sign-On Provisioning Role Management Identity Intelligence Multifactor Authentication Password Management Privileged Account Management Optimizing an IAM Framework

Editor's Notes

  1. #1 Invest in Simplicity: One of the foundational concepts of the One Identity family of solutions is a modular and integrated approach that ensures that each IAM solution can strongly stand on its own, and the cumulative effect is greater than the sum of its parts. Even the name of One Identity’s IAM suite “One Identity” connotes the concept of simplicity. IAM through One Identity helps you to get to one identity, one set of policies, one set of access controls, and one set of rights to audit. Removing the need to define identities and controls each and every time a system is introduced, a new access scenario is necessary, or a new user population emerges is the ultimate manifestation of future-ready IAM. #2 Embrace Open Standards: Open standards allow for new functionality to flow into any organization, resulting in improved collaboration and interoperability – plus a competitive edge. One Identity’s single sign-on solutions work across everything from the most modern federated application to legacy applications that cannot support the latest thing. Or, a multifactor authentication solution can be implemented across virtually any system or user population. With One Identity, there is no proprietary secret sauce that is designed to “hook” a customer into our technology trap with no easy way out. Standards are the essence of future-ready IAM. #3 Think Software First: One Identity embraces the concept of configuration as opposed to customization, open standards rather than closed systems, and interoperability for universal utility instead of solving the problem-of-the-day at the expense of tomorrow’s challenge. For example, tackling the provisioning challenge with One Identity automatically puts you in a position to address governance needs, without additional investment or another project.
Overcoming the management and security challenges of Active Directory with One Identity IAM solutions easily expands to non-Windows systems with the simple addition of an AD bridge; addressing federation needs for the latest SaaS application can automatically tackle the single sign-on needs for legacy applications, the need for secure remote access, and the emerging requirement to deliver context-aware security – all from the same solution with no additional investment and no customization. #4 Build End-to-End Security: End-to-end security allows businesses to remain protected and compliant while building confidence to adopt new technologies – like cloud, mobile, and big data. A future-ready approach considers the entire range of security needs and unifies as many previously disparate systems and practices as possible. For example, typically a firewall is deployed to protect the perimeter and IAM solutions are implemented to control user access. Rarely do they communicate. In fact, they are rarely even mentioned in the same security breath or purchased in the same security project. Similarly, a typical IAM deployment addresses provisioning first (often with a rigid, entirely customized, and not future-ready IAM framework) and then adds governance after, with an entirely different solution from an entirely different vendor, along with all the integration headaches and retrofitting that prevent future-readiness. The same can be said for privileged account management. Implementing one type of solution (let’s say a Unix root delegation solution) from one vendor and another (perhaps a privilege safe) from another does not bode well for the future. #5 Modernize and Automate: A heavy reliance on IT—with its accompanying glut of manual processes, tribal knowledge, and doing the best you can with what you have—can derail even the most well-meaning IAM project.
One Identity solutions are all designed to remove the cumbersome manual processes (or the cumbersome collections of non-integrated tools) from the equation, freeing IT and the rest of the organization to focus on what matters most. But it doesn’t stop there: One Identity’s IAM portfolio also focuses on putting the visibility and power of IAM in the hands of the right people – not just the people that know how to use the tools.
  2. The static approach views security as a ring of keys, in which each new situation requires installing a new lock and issuing new keys. Eventually, though, the result is a jangling ring of keys that impedes access to every door. In that model, security is based on siloed yes/no decisions that ignore the many static security decisions being made elsewhere in the organization. The disadvantage of the ring-of-keys security approach is its limited view of each request for access. When the organization allows or denies access based on a series of unrelated yes/no decisions, the likely result is incorrectly denying access to too many users with legitimate needs. But if the organization can base security decisions on the who, what, where, when and why behind the user’s request, it can make access control more accurate and increase the ease of legitimate access. Contrary to the ring-of-keys approach, context-aware security is like a well-informed, completely ethical guard accompanying each user and unlocking the door only when appropriate. As an additional measure of security, the guard may ask the user for a second form of ID if he does not recognize the user or if he knows that the user rarely enters by that door. One context-aware model implements a security analytics engine (SAE) that returns a risk score based on multiple factors. Browser used: includes historical analysis of any browser use that falls outside of normal behavior for the user. Location pattern: detects any requests for access originating from an abnormal location. Specific location: prevents access initiated from specific locations or geographies known to foster malicious activity. Time: detects any requests for access that occur outside of customary times and days for the user. Blacklist: prohibits requests for access based on a list of forbidden networks or network addresses. Whitelist: authorizes requests for access based on a list of approved networks or network addresses.
  3. IAM is concerned with four fundamental concepts: 1. Authentication – ensuring that the person logging on to a system is who they say they are. 2. Authorization – the parameters placed around what a user is allowed to do (access) once they are authenticated. 3. Administration – in order to enable someone to authenticate and to be correctly authorized, there are managerial tasks that must be undertaken to set up the user account. 4. Audit (Compliance) – those activities that help “prove” that authentication, authorization and administration are done at a level of security sufficient to satisfy established standards. All of the “A”s assume there is an identity established for each user. This identity or account resides somewhere (typically in a directory) so it can be authenticated, authorized, managed and audited. And typically the directory is tied specifically and exclusively to the application or system that controls user access. If all this is done correctly, the four “A”s are easily satisfied. All systems include these requirements for authentication, authorization, administration and audit.
  4. IAM is concerned with four fundamental concepts: 1. Authentication – ensuring that the person logging on to a system is who they say they are. 2. Authorization – the parameters placed around what a user is allowed to do (access) once they are authenticated. 3. Administration – in order to enable someone to authenticate and to be correctly authorized, there are managerial tasks that must be undertaken to set up the user account. 4. Audit (Compliance) – those activities that help “prove” that authentication, authorization and administration are done at a level of security sufficient to satisfy established standards. All of the “A”s assume there is an identity established for each user. This identity or account resides somewhere (typically in a directory) so it can be authenticated, authorized, managed and audited. And typically the directory is tied specifically and exclusively to the application or system that controls user access. If all this is done correctly, the four “A”s are easily satisfied. All systems include these requirements for authentication, authorization, administration and audit.
  5. Access Governance: Improving visibility into who has access to business-critical information, automating provisioning and enforcing access controls. Privileged Account Management: Centralized management of privileged accounts and granular control over administrative access. Identity Administration: Simplifying the working environment and the user experience through centralized, automated account administration. User Activity Monitoring: Auditing compliance in the use of the access rights that have been granted to employees.
  6. One Identity solutions eliminate the complexities and time-consuming processes often required to govern identities, manage privileged accounts and control access. Our solutions enhance business agility while addressing your IAM challenges with on-premises, cloud and hybrid environments. See how you can: Define a clear path to governance, access control and privileged management Empower line-of-business managers to make access decisions Leverage modular, integrated components to start building from anywhere Deploy IAM solutions and achieve ROI in weeks – not months or years Say yes to IAM projects that accelerate business operations
  7. Access Governance: Improving visibility into who has access to business-critical information, automating provisioning and enforcing access controls. Privileged Account Management: Centralized management of privileged accounts and granular control over administrative access. Identity Administration: Simplifying the working environment and the user experience through centralized, automated account administration. User Activity Monitoring: Auditing compliance in the use of the access rights that have been granted to employees.
  8. Quest One Identity Solutions are focused on addressing the most common challenges that companies face regarding IdAM. We improve visibility into who has access to what and automate the provisioning with fine-grained access controls. This process can often be manual for the execution of access requests, and so can the ongoing auditing of access. We improve the user experience and reduce the cost of management. <click> Access Governance - How to provide the appropriate access effectively and efficiently? <click> Privileged Account Management - How do I make sure that administrators have least privileged access and monitor <click> Identity Administration – Simplify my environment, reduce manual administrative tasks and improve the user experience <click> User Activity Monitoring - How to ensure that access is within policy? Quest One addresses your enterprise needs for improved user experience for both the business user and the administrator while providing appropriate security access controls across the systems and applications. <click to go to next slide>
  9. How do we address these challenges Quest One provides simple, powerful, and easily implemented solutions that address the four main areas of concern for most organizations starting with Access Governance We Manage Access to Business Critical Information through: Access Request and Certification Fine Grained Application Security <click and the icons will start to go in the box, just one click is needed> Data Access Management Role Engineering Automated Provisioning <click to go to next slide>
  10. Privileged Account Management covers centralized privileged account management and providing granular control over administrative access Central Unix management Enforce separation of duty Enterprise password vault Session management Keystroke logging <click to go to next slide>
  11. How do we address these challenges Dell One provides simple, powerful, and easily implemented solutions that address the four main areas of concern for most organizations starting with Access Governance We Manage Access to Business Critical Information through: Access Request and Certification Fine Grained Application Security <click and the icons will start to go in the box, just one click is needed> Data Access Management Role Engineering Automated Provisioning <click to go to next slide>
  12. Single sign-on is a method of access control that allows a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again. There are three common approaches to SSO, and Dell is the only vendor covering all. Sync: multiple user accounts, but a single password (usually the least secure password). ESSO: multiple accounts, multiple passwords, but the ESSO remembers them all and automatically fills them in when entering the applications. Holy Grail: the identity is only in the AD, and a Kerberos ticket is issued to all other applications. The problem with ESSO is that there are different accounts in each application for a single person (multiply the number of applications by the number of users to get the sheer administrative burden). There are a few applications that cannot use the Holy Grail approach; that’s why Quest offers the full spectrum of single sign-on.
  13. Security challenges with Active Directory: protect critical data and enforce policies to eliminate non-compliant access; give users and administrators exactly the needed rights and permissions – nothing more, nothing less; know what changed, when and who made the change; overcome the reporting limitations in order to attain a certain level of visibility. Management challenges with Active Directory: overcome limits that come with native tools; improve efficiency in frequent creation and modification operations for users and groups; cut operational costs; improve native reporting capabilities.
  14. Users see only the actions and products that are approved for access
  15. Users see only the actions and products that are approved for access Users can easily review and edit their contact data on one page
  16. Free up IT resources with self-service tools and features
  17. Get an instant visual of potential risk by organizational entity
  18. Get an instant visual of potential risk by organizational entity
  19. One Identity Cloud Access Manager is an all-in-one SSO, web access management and identity federation solution. Single Sign-On (type a password once, get access to multiple applications): solutions include password management tools in browsers, client-side password replay solutions like our Enterprise Single Sign-On, and server-based solutions like CAM. Web Access Management provides centralized authentication and authorization services for web applications. The category was invented by Netegrity (now CA) SiteMinder, and focused primarily on integrating into homegrown applications. Identity Federation means cross-domain SSO using standardized protocols like Security Assertion Markup Language (SAML). Federation became popular in the early 2000s, and is now the de facto model for handling SSO in cloud-hosted application scenarios.
  20. Active Directory Bridge: Centralized authentication Authenticate through AD Consolidate identities Extend AD Kerberos SSO Unix, Linux and MacOS Standard applications and SAP Configuration and administration Migrate and manage NIS data Leverage GPOs for Unix and Mac Extend AD password capabilities Unix Delegation: Enhance or replace Sudo Central administration and management Centralized access reporting No need to update scripts and applications Advanced capabilities Restricts shells Restricts remote host command execution Removes escape out
  21. Privileged Password Management Dual or more release controls Automated change control Time based Last-use based Force change Apply complexity to groups Detect new systems and passwords Extensive integration Account auto discovery Conflict remediation Strong authentication solutions Ticketing systems Service Account Management Scheduled Task Management Privileged Sessions Management Fine grain access control Limits view based on role Full control over connections Dual authorization controls Session time limits Alarm notification session overrun Event logging & searching Remove passwords from the equation Users will never need to know the password to open a session Monitor sessions in real time
  22. Quest understands that every organization is unique and that you need the right IdAM solution for your environment, your challenges and your goals. That’s why the Quest One offering is designed with flexibility in mind. Use the solutions you need now to address your short-term challenges and rely on an unparalleled depth of capabilities to meet your needs down the road. Single Sign-on: Often considered the mythical “Holy Grail” of IAM, single sign-on (SSO) is a reality through Quest One. By removing identity from a high number of systems (Unix, Linux, Mac, Java and many applications) in favor of the ubiquitous Active Directory identity, Quest One provides true SSO for a major portion of your enterprise. But Quest One doesn’t stop there. For systems that cannot be integrated with Active Directory, Quest One delivers enterprise single sign-on that initiates non-Windows authentication from initial AD logon—and it’s transparent to the user. No other solution can offer world-class “true” SSO combined with enterprise SSO for complete coverage. Provisioning: The traditional first step in IdAM, provisioning is often one of the most time-consuming, error-prone and troublesome aspects of IdAM in complex environments. Quest One drives provisioning with a layer of identity intelligence that delivers automation, workflows and attestation based on your business objectives, not the limitations of your technologies or resources. Our solutions enable you to “codeless” provision, re-provision and de-provision users across the entire enterprise. We provide self-service for end users and line-of-business personnel that frees IT from the tedious burden of many provisioning tasks. The Quest One approach lets you realize benefits in a matter of months, not years, and at a fraction of the cost of traditional provisioning frameworks.
Role Management: A key to effective IdAM is establishing roles to associate your users with the appropriate policies, access rights and business processes that IAM should control. Quest One gives you the power to build a single set of roles and apply them across the enterprise. Our capabilities for consolidating identities and implementing identity intelligence make ad hoc role definition and enforcement things of the past. Quest One can even mine your existing role structure and provide you with the easy-to-use tools to normalize the roles enterprise-wide. Then, you can apply them according to the business-driven policies, rules and objectives you’ve established. Identity Intelligence: What makes IdAM especially tough is correlating the disparate components (identities, roles, rules, workflows, policies and approvals) with the systems and entitlements required for users to do their jobs. Quest One delivers the 360-degree visibility and enterprise-wide control necessary to actually achieve your IdAM objectives—based on your business needs, not the limitations of specific technologies. This intelligent approach (combined with key, unifying IdAM components) dramatically streamlines and secures IdAM, including provisioning, role management, compliance and access control. Multifactor Authentication: Chances are, you’re moving toward multifactor authentication to further secure user access and satisfy regulations. Quest One lets you affordably implement this important technology—without having to add infrastructure. Our multifactor authentication options rely on Active Directory—not a proprietary identity store—and allow you to manage authentication through interfaces you already use. When combined with Quest One’s identity consolidation capabilities, your single solution can be applied to the largest possible portion of your environment.
Password Management: Analysts report that as much as 35 percent of help desk workload is dedicated to helping users reset forgotten passwords. Quest One helps you address this productivity-killing burden by reducing the number of passwords for each user through identity consolidation. We also strengthen and standardize policy across systems and relieve IT of the password-reset burden entirely. With fewer passwords to forget and the power to securely help themselves, users have fewer interruptions and IT can focus on more critical work. Privileged Account Management: Let’s face it, in some IT departments today there are too many administrators who have too much power on too many systems. Native tools can’t address this issue of too many with “keys to the kingdom” because they rarely provide compliance visibility or the flexibility to manage privilege delegation or command control. Quest One gives you the power to granularly delegate administrative rights and execute command control on Windows-, AD- and Unix-based systems and devices, while providing a compliance-ready audit trail of administrative activities, rights and permissions that spans the entire enterprise. In addition, Quest One secures and automates the request, approval, release, use, return and changing of administrative credentials regardless of which system or which administrator account is required. Optimizing an IdAM Framework: Perhaps you have already invested heavily in an IdAM framework. Quest One can help you achieve more value from existing solutions by accelerating their deployment and reducing their complexity. By consolidating a high number of identities (from Unix, Linux, Mac, Java and other applications) into Active Directory, Quest One gives you the power to immediately secure and control those other systems without custom coding and dedicated synchronization points.
In addition, the Quest One approach perfectly complements an existing deployment with enhanced, business-driven identity intelligence. We also fill critical functionality gaps with capabilities such as single sign-on, strong authentication, efficient Active Directory administration and privileged account management.
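
The context-aware model in editor's note 2 (a risk score built from browser, location pattern, specific location, time, blacklist and whitelist factors, with the guard asking for a second form of ID when unsure) can be sketched as below. This is an added example, not One Identity's engine or code from the deck; the weights, thresholds, field names, the allow / step_up / deny outcomes and the blacklist-before-whitelist ordering are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed weights and thresholds (not from the deck); tune per organization.
WEIGHTS = {"browser": 15, "location_pattern": 35, "time": 20}
STEP_UP_AT, DENY_AT = 30, 70


@dataclass
class Baseline:
    """What is normal for one user, learned from history."""
    browsers: set
    countries: set
    hours: range      # customary hours of the day, local time
    weekdays: set     # customary days, 0 = Monday


@dataclass
class Policy:
    blacklist: list = field(default_factory=list)          # forbidden networks
    whitelist: list = field(default_factory=list)          # approved networks
    blocked_countries: set = field(default_factory=set)    # specific locations


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    country: str
    browser: str
    when: datetime    # naive local time, an assumption of this sketch


def in_any(ip, networks):
    """True if ip falls inside any of the CIDR networks."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)


def evaluate(req, baseline, policy):
    """Return (decision, score, reasons) for one access request."""
    # Hard factors decide on their own. Checking the blacklist before the
    # whitelist is a choice made here so an overlapping entry fails closed.
    if in_any(req.source_ip, policy.blacklist):
        return "deny", 100, ["blacklist"]
    if req.country in policy.blocked_countries:
        return "deny", 100, ["specific_location"]
    if in_any(req.source_ip, policy.whitelist):
        return "allow", 0, ["whitelist"]

    # Soft factors: each deviation from the user's baseline adds its weight.
    reasons = []
    if req.browser not in baseline.browsers:
        reasons.append("browser")
    if req.country not in baseline.countries:
        reasons.append("location_pattern")
    if req.when.hour not in baseline.hours or req.when.weekday() not in baseline.weekdays:
        reasons.append("time")
    score = sum(WEIGHTS[r] for r in reasons)

    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"   # the guard asks for a second form of ID
    else:
        decision = "allow"
    return decision, score, reasons


# Constructed sample data: documentation IP ranges and a made-up user.
ALICE = Baseline({"Firefox"}, {"RO"}, range(7, 20), {0, 1, 2, 3, 4})
POLICY = Policy(blacklist=["203.0.113.0/24"], whitelist=["10.0.0.0/8"],
                blocked_countries={"ZZ"})   # "ZZ" is a placeholder code

if __name__ == "__main__":
    samples = [
        AccessRequest("alice", "198.51.100.7", "RO", "Firefox", datetime(2024, 3, 5, 10, 0)),
        AccessRequest("alice", "198.51.100.7", "BR", "Firefox", datetime(2024, 3, 5, 10, 0)),
        AccessRequest("alice", "198.51.100.7", "BR", "Chrome", datetime(2024, 3, 9, 3, 0)),
        AccessRequest("alice", "203.0.113.9", "RO", "Firefox", datetime(2024, 3, 5, 10, 0)),
    ]
    for r in samples:
        print(r.source_ip, r.country, r.browser, r.when, "->", evaluate(r, ALICE, POLICY))
```

Returning the list of reasons alongside the score gives the audit trail something to record for each decision, which a bare yes/no check does not.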