© puryear it, llc. 2010 all rights reserved. taking control of your user accounts identity...
Post on 20-Dec-2015
214 views
TRANSCRIPT
© Puryear IT, LLC. 2010 All Rights Reserved.
Taking Control of Your User AccountsIdentity Management Basics
Dustin PuryearPuryear IT, LLC
© Puryear IT, LLC. 2010 All Rights Reserved.
Who Are We?
Puryear IT, LLC
http://www.puryear-it.com/
Automating audit and compliance with solutions for user and privilege management and reporting.
Contact us for a free consultation
© Puryear IT, LLC. 2010 All Rights Reserved.
What is Identity Management?
• Is it about users?• It is about passwords?• Authentication?• Three perspectives!
Identity Management
Pure Identity Paradigm
User AccessParadigm
ServiceParadigm
© Puryear IT, LLC. 2010 All Rights Reserved.
Pure Identity Paradigm
• Focus on Identity only• Creation of Identities• Management of Identities• Deletion of Identities• Notice that
Access/Entitlements are not defined
Update Identity
Delete Identity
Create Identity
© Puryear IT, LLC. 2010 All Rights Reserved.
User Access Paradigm
• Focus on use of the digital identity
• The digital identity is typically unique
• The unique identity simplifies monitoring and verification
UserIdentity
Authentication(authn)
Authorization(authz)
Logging, Audit, Reporting
© Puryear IT, LLC. 2010 All Rights Reserved.
Service Paradigm
• Focus on resources used to deploy services
• Examples include servers, applications, network devices, VPN
• Broader, more comprehensive view
• This is often the view of the audit/compliance team
Applications
User Accounts
Employee
© Puryear IT, LLC. 2010 All Rights Reserved.
Issues Addressed by Identity Management
DirectoryServices
AccessControl
SeparationOf Duties
Audit/ComplianceIdentities
© Puryear IT, LLC. 2010 All Rights Reserved.
Management of Identities
Password Synchronization
Self-ServicePassword
Reset (SSPR)Delegation
Workflow
Create, Modify,Delete
Identities
“Breaches of identity and access management (IAM) lead to billions of dollars of losses each year, both reported and unreported.”
- Gartner
© Puryear IT, LLC. 2010 All Rights Reserved.
Directory Services
Site A
DirectoryA
Directory B
Site B
Unified DirectoryView
Directory C
• Directories are a critical infrastructure component– Identity repositories
– Metadata replication/synchronization services
– Directory virtualization
© Puryear IT, LLC. 2010 All Rights Reserved.
Access Control
• Role-based Access Control• Policy-based Access Control• Enterprise Single Sign On
(ESSO)• Web Single Sign On
(WebSSO)• Reduced Sign On• Federation
Authentication
Authorization
ProtectedData
© Puryear IT, LLC. 2010 All Rights Reserved.
Separation of Duties
• Critical for internal controls• Implements checks and
balances on individuals• Reduces danger/risk of
individual actions• Can be difficult and
expensive to implement• Separate or Compensate• Bread and butter of
audit/compliance
SeparationOf Duties
© Puryear IT, LLC. 2010 All Rights Reserved.
Example: SOX, SoD, and IT
• SOX places a large burden on IT• IT relies on RBAC for SoD and compliance• SoD items include
– Identification of a requirement (business)– Authorization and approval (governance)– Design and development (developer)– Review, inspection, and approval (separate developer)– Implementation (systems administrators/operations)
• Successful SoD implementation includes– Align authorization rights with organizational role– Align authentication method with value of data– Watch the watchers
© Puryear IT, LLC. 2010 All Rights Reserved.
Developing an Identity Management Roadmap
• Several steps involved:– Needs Analysis– Management Involvement– Team Involvement– Selecting Best Solution– Technical Design Decisions– Roll Out– Monitor/ROI
© Puryear IT, LLC. 2010 All Rights Reserved.
Needs Analysis
• Map existing processes into a set of business problems• Map business problems into requirements• Map requirements into technical specification• Map technical specification into:
– Technical selection– Implementation design
© Puryear IT, LLC. 2010 All Rights Reserved.
Issue: New Hires
• Business Problem– New hires require new
accounts
– Accounts must get proper access rights
– How do we maintain SoD?
– New hires must wait for process to complete!
• Business Solution– Automate on-boarding that
relies on business rules and workflow/approvals
• Technical Solution– Define HR system as System
of Record (SoR)
– Creation of “minimum privileged” accounts based on HR data
– Use of workflow to increase privileges
© Puryear IT, LLC. 2010 All Rights Reserved.
Issue: Costly User Administration
• Business Problem– Each application is a silo– Helpdesk can’t easily change
passwords– Lacks consistent audit trail– Inconsistent end-user information
in databases– Security administrators perform
user management activities
• Business Solution– Develop consistent user
management process for administrators and helpdesk
– Use SoR to define/update user information
• Technical Solution– Develop single interface to user
management– Develop single interface for
password management/changes– Develop automation of updates
for “most critical” data – Identify SoD violations and
eliminateXX
© Puryear IT, LLC. 2010 All Rights Reserved.
Issue: Inconsistent Login IDs and Passwords
• Business Problem– Users have different Login IDs for
applications– Users have too many passwords– Lack of consistency in password
policy across the enterprise
• Business Solution– Develop enterprise Login ID
convention– Migrate existing Login IDs to new
convention– Develop enterprise password
policy– Migrate existing passwords to
new policy
• Technical Solution– Reconcile Login IDs to new
convention using batch and manual methods
– Implement consistent password policy
– Implement password synchronization, reduced sign-on, single sign-on
© Puryear IT, LLC. 2010 All Rights Reserved.
Issue: Security Vulnerabilities
• Business Problem– Delayed terminations result in
critical vulnerabilities– Disgruntled terminated staff– Unused/dormant accounts– Access rights increase over time– Access rights incorrectly granted:
“Set the new guy up just like Susan in HR”
• Business Solution– Develop process/workflow to
handle terminations– Periodically review/audit user
access rights– Develop request and
authorization process for increasing user access rights
• Technical Solution– Automate user account
terminations via SoR– Develop automated reports for
user access rights, focusing on exception reporting for elevated rights
– Implement workflow solution for user access rights
© Puryear IT, LLC. 2010 All Rights Reserved.
Issue: Audit, Reporting
• Business Problem– Lack of audit trails within
application silos– Many enterprise applications lack
administrative logging– For those that have it, those
applications don’t have a consistent log format
– Difficult to monitor and enforce SoD policies
• Business Solution– Require enterprise-wide logging
of accounts changes and use– Develop process to use account
change and use logging for SoD reporting
• Technical Solution– Replace manual account
management with software solutions that include logging capabilities
– Enable SoD rules within user management solution to require workflow for SoD-sensitive positions
© Puryear IT, LLC. 2010 All Rights Reserved.
Management Involvement
• A mandate is crucial!– Develop a clear mandate
– Outline likely issues/problems
• Budget– Software license
– Support
– Training
– Hardware and support software
– Professional Services
– Internal Resources
© Puryear IT, LLC. 2010 All Rights Reserved.
Team Involvement
• Security Administrators• Security Managers• Audit/Compliance• Systems Administrators• Human Resources
© Puryear IT, LLC. 2010 All Rights Reserved.
Selecting Best Solution
DefineBusiness Needs
Define Technical Needs
Develop RFP
Identify Vendors
Issue RFP To Vendors
EvaluateProducts
In Lab
Compare Lab Results
CompareVendor Proposals
Decision
© Puryear IT, LLC. 2010 All Rights Reserved.
Identify Feature Requirements
ProductScalability
ProductSecurity
ProductFlexibility
Ease ofDeployment
Local Integration
Core Capabilities
TechnicalFeatures
© Puryear IT, LLC. 2010 All Rights Reserved.
Core Capabilities
ProductCapabilities
Automation Workflow
AdminUsage
ConsolidatedView
Delegation
Passwords
Policies Synchronization
Auto-DiscoveryOf Resources
SoDLogin ID
Reconciliation
Logging
© Puryear IT, LLC. 2010 All Rights Reserved.
Local Integration
• Localization is key to end-user acceptance!• Local language support• Logo• Corporate look&feel• Customization of request forms• Integration into helpdesk• Ability to send emails• Accessible for performance & availability monitoring• Support for local network and application, e.g., AD,
RSA
© Puryear IT, LLC. 2010 All Rights Reserved.
Ease of Deployment
Web-basedAccess
SupportExisting Directories
SupportExisting
Databases
Non-localAgents
Login ID Reconciliation
Auto-DiscoveryOf Resources
DeploymentCharacteristics
• Deployment is the stumbling block for many organizations.
• Be sure to map your needs to the technical capabilities of the product!
© Puryear IT, LLC. 2010 All Rights Reserved.
Product Security
• Encryption– Local data
– Remote access
• Authentication– Admin users
– End-users/SSPR
– Web Services
• Accountability– Logging
– Reporting
© Puryear IT, LLC. 2010 All Rights Reserved.
Product Scalability
• Can it handle your current organization?• Can your organization handle it?• Can it handle your organization in the future?• Calculating scalability requirements
– Servers– Service layer– Network– Target systems
© Puryear IT, LLC. 2010 All Rights Reserved.
Product Flexibility
• Organization specific data elements– HR#– Student#– Job code– Facility
• Handle wide-range of applications– Network OS (NOS): AD, Novell,
Linux/UNIX– Applications: Exchange,
GroupWise, Mainframe apps
• Handle custom applications– Many enterprises have more
custom applications than COTS applications
Octopus = Flexible
Get it?
© Puryear IT, LLC. 2010 All Rights Reserved.
Customization for Custom Applications
• Pre-built agents for common applications• SDK for new custom agents
– C++, Java is most common– Java: Oracle, Sun, CA– C#: Microsoft
• Developer documentation• SDK should be free or low-cost• ODBC Wizard!
© Puryear IT, LLC. 2010 All Rights Reserved.
Password Management
• Deserves its own slide!• Must support your password
policies– Password complexity
– Password expiration
• Think about password synchronization
• WebSSO, SSO, reduced sign-on!
© Puryear IT, LLC. 2010 All Rights Reserved.
Roll Out/Deployment
• Design and pilot stages are critical– Pilot stage will identify internal technical weaknesses– Failure to do a pilot can kill the project
• Pilot stage can help determine– Features to enable– User population that will access IdM solution– Security policies
• Password policies• Authentication• Account configuration policies
– Types of roles needed• Develop SoR and IdM integration• Develop request and workflow rules• Helpdesk integration
– Email only– Application-level integration
© Puryear IT, LLC. 2010 All Rights Reserved.
Request & Workflow Rules
• This is where the power really is!– What can be requested
– What data must be included in request
– Request validation
– Request authorization
– Request escalation
NewHire
CreateAccount
Is InFinance?
No
EscalateTo CFO
Yes
Approved?
Return Error
Yes
No
© Puryear IT, LLC. 2010 All Rights Reserved.
Training
• Update users about changes– Angry users translate to non-conforming users
• Train HR staff on SoR updates– The SoR is critical to accuracy– Bad data in the SoR may trigger inappropriate workflow rules
• Train Security Administrators– Local app management should be a no-no– Only available in “break-the-glass” situation
• Train Security Officers and Auditors– Develop consistent reporting procedures– Automate reports
© Puryear IT, LLC. 2010 All Rights Reserved.
Monitor and ROI
• Track helpdesk time before and after deployment– Without hard numbers, how do you justify?
• Track audit time before and after deployment– Typically a fast return– Easy win!
• Integrate into app deployment process– They will leave you behind– Create a standing meeting every six months or more
• Don’t become a new silo!
© Puryear IT, LLC. 2010 All Rights Reserved.
Q&A
• Questions!
Puryear IT, LLC
http://www.puryear-it.com/
Automating audit and compliance with solutions for user and privilege management and reporting.
* Portions of this presentation were taken from
Wikipedia, Sun, Oracle, Microsoft, Novell,
Hitachi ID, and other resources.