
Identity Management: The What, Why and How? (Airline Company) - Presenting: John Bernhard, Enterprise Architect/Director, Bernhard Enterprise Architectures Pty Ltd. Dated: May 18, 2007

Uploaded by auckie99 on 01-Dec-2014



TRANSCRIPT

1. Identity Management: The What, Why and How?
Airline Company
Presenting: John Bernhard, Enterprise Architect/Director, Bernhard Enterprise Architectures Pty Ltd
Dated: May 18, 2007

2. Identity Management: Did you know?
- IT costs x dollars per year to maintain names and passwords
- There have been x security breaches per year
- Significant fraud instances per year
- Cost and time for audits
- New application: what looks like a simple set-up of user access costs and takes significant resources and is very complex
Date: May 18 BEA Pty Ltd - IdM : The What, Why and How? Page: 2

3. Identity Management: Thesis
- Identity management (IdM) is a pervasive and federated infrastructure that transforms business relationships by managing access for the proper entities to the proper resources, both for the enterprise and our customers
- The goal of an IdM service foundation is to consistently enforce business and security policies, regardless of network entry point, for employees, contractors, business partners and customers
- Enterprises need to map their IdM strategy and align it with their business goals
- IdM gives Airline Company a competitive advantage
- IdM enables an agile infrastructure for Airline Company
- IdM should be a service to the whole enterprise and its internet extension
- IdM is not a single product; it is everywhere in the organisation today

4. Identity Management: Agenda
WHAT - What is IdM?
- Introduction: what is Identity Management
- Key Concepts and Principles
- Overview of the current state of IdM within Airline Company
- Conceptual Architecture: Current State
WHY - Rationale, Drivers and Benefits
- Business and technical perspective
- IdM case study
HOW - IdM Services Architecture
- Conceptual Architecture: Provisioning
- Conceptual Architecture: Access Management
- Compliancy (SOX 404, COBIT and ITIL)
- Programme of Work: Identity Service

5. [WHAT: What is IdM?] What is Identity Management?
- A set of processes, and a supporting infrastructure, for the creation, maintenance and use of digital identities
- Involves both technology and process
- Involves managing unique IDs, attributes, credentials and entitlements
- Must enable enterprises to create manageable lifecycles
- Must scale from internally facing systems to externally facing applications and processes
- Goal state: an Identity Service, infrastructure and authoritative sources, with clean integration across people, process and technology

6. [WHAT: What is IdM?] The IdM process: managing the identity lifecycle
Lifecycle diagram: Registration / creation -> Propagation -> Accounts and policies -> Maintenance / management -> Termination
- Today IdM is fragmented
  - Applications, databases and OSs lack a scalable, holistic means of managing identity, credentials and policy across boundaries
  - Overlapping repositories, inconsistent policy frameworks, process discontinuities
  - Error prone, creates security loopholes, expensive to manage
- The focus on business process, Web services and networked applications has put identity on the front burner
- This is currently managed on an individual application and infrastructure basis
- Infrastructure requirements
  - Extend reach and range
  - Increase scalability, lower costs
  - Balance centralised and distributed management via loose coupling

7. [WHAT: What is IdM?] Beyond directory: IdM requires integrated infrastructure
- These technologies represent the major lifecycle management processes involved with IdM. In addition, audit surrounds these services for accountability and control
- IdM technologies (identity management services): Directory services, Provisioning services, Authentication services, Web-based access management services, Authorisation services

8. [WHAT: What is IdM?] Burton Group's View of IdM Evolution
(Diagram only.)
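The lifecycle on slide 6 (registration, propagation, maintenance, termination) and the provisioning service on slide 7 are normally implemented as a policy-driven engine: the identity service is the authoritative source, and a role policy decides which accounts each target system receives. The Python below is an added example written for this page, not code from the presentation or from Bernhard Enterprise Architectures; the role policy, the three target systems (hr_portal, rostering, erp) and the employee record e1001 are constructed stand-ins. It demonstrates the point the slides make about termination: de-provisioning must disable every account the user holds, including one created locally outside the policy.

```python
"""Identity lifecycle engine: register -> propagate -> maintain -> terminate.

Added example, not code from the presentation. The role policy, the three
target systems and the employee record are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed role policy: business role -> {target system: entitlements}.
ROLE_POLICY = {
    "cabin_crew": {"hr_portal": {"employee"}, "rostering": {"crew_view"}},
    "finance": {"hr_portal": {"employee"}, "erp": {"ap_clerk"}},
    "contractor": {"hr_portal": {"contractor"}},
}

@dataclass
class Identity:
    uid: str
    role: str
    state: str = "registered"   # registered -> active -> terminated

class TargetSystem:
    """Simulated application account store; None marks a disabled account."""

    def __init__(self, name: str):
        self.name = name
        self.accounts: Dict[str, Optional[Set[str]]] = {}

    def grant(self, uid: str, entitlements: Set[str]) -> None:
        self.accounts[uid] = set(entitlements)

    def disable(self, uid: str) -> None:
        if uid in self.accounts:
            self.accounts[uid] = None

class IdentityService:
    """Authoritative source of identities; pushes accounts to target systems."""

    def __init__(self, systems: List[TargetSystem]):
        self.systems = {s.name: s for s in systems}
        self.identities: Dict[str, Identity] = {}

    def register(self, uid: str, role: str) -> None:
        """Registration/creation: the identity exists before any account does."""
        if role not in ROLE_POLICY:
            raise ValueError(f"unknown role {role!r}")
        self.identities[uid] = Identity(uid, role)

    def propagate(self, uid: str) -> None:
        """Propagation: create the accounts the role policy calls for."""
        self._apply_policy(self.identities[uid])
        self.identities[uid].state = "active"

    def change_role(self, uid: str, new_role: str) -> None:
        """Maintenance: a role change re-applies policy, granting and revoking."""
        if new_role not in ROLE_POLICY:
            raise ValueError(f"unknown role {new_role!r}")
        self.identities[uid].role = new_role
        self._apply_policy(self.identities[uid])

    def _apply_policy(self, ident: Identity) -> None:
        wanted = ROLE_POLICY[ident.role]
        for name, system in self.systems.items():
            if name in wanted:
                system.grant(ident.uid, wanted[name])
            elif ident.uid in system.accounts:   # no longer entitled here
                system.accounts.pop(ident.uid)

    def terminate(self, uid: str) -> None:
        """Termination: disable every account the user holds, policy-driven or not."""
        for system in self.systems.values():
            system.disable(uid)
        self.identities[uid].state = "terminated"

    def accounts_for(self, uid: str) -> Dict[str, List[str]]:
        """Enabled entitlements per target system (disabled accounts omitted)."""
        return {name: sorted(system.accounts[uid])
                for name, system in self.systems.items()
                if system.accounts.get(uid) is not None}

def demo():
    """Join, move and leave for one constructed employee record."""
    idm = IdentityService([TargetSystem(n) for n in ("hr_portal", "rostering", "erp")])
    idm.register("e1001", "cabin_crew")
    idm.propagate("e1001")
    after_join = idm.accounts_for("e1001")
    idm.change_role("e1001", "finance")
    after_move = idm.accounts_for("e1001")
    # Constructed case: a local admin creates an account outside the IdM service.
    idm.systems["rostering"].grant("e1001", {"admin"})
    idm.terminate("e1001")
    return after_join, after_move, idm.accounts_for("e1001")
```

Running demo() returns the entitlements after the join, after the move to finance (rostering access revoked, erp access granted) and after termination (nothing left enabled, including the locally created rostering account). A real engine would additionally write each grant, revoke and disable to an audit trail, which is the "audit surrounds these services" point on slide 7.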
9. [WHAT: What is IdM?] Directory services are the first step toward IdM for Airline Company
- Directory services support the other IdM and federated technologies through:
  - Repository services for policies, authentication credentials, roles, groups and rules
  - Information integration, mapping and referral between the IdM applications and the enterprise repositories of record
  - Standardised LDAP authentication for applications
  - General purpose storage for IdM applications
  - Virtual directory technology to provide a federated identity data service
- Once the directory services are in place, other IdM policies and technologies can be implemented depending on the business justification required

10. [WHAT: What is IdM?] Process integration is just as important as the technology
Layered diagram, top to bottom:
- Identity-based company access
- Business applications
- Advanced business infrastructure: business process integration, Meta Directory services
- Basic business infrastructure: LDAP directories, Messaging, PBX / CTI / VoIP, Security / PKI, Management services, Object / Web services, Databases
- Enabling technology: network / basic network infrastructure (network, servers, routers, OS, transport services)

11. [WHAT: What is IdM?] Key Concepts and Principles
- The IdM Service Components Architecture provides an infrastructure that supports the key identity services: Reconciliation / Audit / Compliancy; Provisioning; Workflow; Authentication, Authorization and Auditing; Federation; Synchronization; Delegation; Secure Self Service; Password Management
- A scalable, re-usable, integrated set of business processes supported by the IdM infrastructure
- Develop an IdM Service foundation of all IdM-related elements

12. [WHAT: What is IdM?] Current state of IdM within Airline Company
- Talk about the current state; state current issues and problems
- Problems:
  - Help desk, password reset
  - Provisioning and de-provisioning not really happening
  - Process complexity
  - Bullet points on current employee processes
  - Bullet points on current customer/business partner registration
- Admin overhead:
  - State the current overhead in maintaining employee details
  - State the current overhead of aligning current customers' details with the various applications

13. [WHAT: What is IdM?] Current state of IdM within Airline Company (continued)
- Identity access not controlled
  - No current governance or policies in place in relation to IdM
  - On-boarding business processes not well defined
- Security issues, PCI non-compliancy
  - PCI issue related to IdM
  - Identity theft related to Koru, Frequent Flyer Points and Travel card members
  - Security policy compliance verification
- Auditing:
  - External auditors
  - State auditing issues specifically in relation to SOX 404, manual vs automated
  - Compliance problem: very difficult to audit who has access in terms of PCI
  - SOX compliancy, due diligence

14. [WHAT: What is IdM?] Conceptual Architecture: Current State of Identity-related Apps / Touch Points
(Diagram only.)
15. [WHY: Rationale, Drivers and Benefits] Business Drivers for Identity Service
From an executive's point of view, the most important business drivers to address via IdM include:
- Regulatory Compliance: Sarbanes-Oxley (SOX); COBIT (ITIL Framework); Policy-based compliance; PCI Policy; GAAP (third-party audit)
- Risk Management: Reporting (custom/automated); Terminations (business best practices); Adherence to policy; Audit management
- Business Need: External user access; Employee personalisation; Outsourcing; New products and services (time to market); Need to tie into business strategy; Enhanced user experience
- Cost Containment (internal/external): Operational cost reduction/avoidance; Efficiency; Common architecture; Productivity savings; Operational efficiency; Improved SLAs

16. [WHY: Rationale, Drivers and Benefits] IdM Infrastructure Benefits
- Improved user experience: Improves employee efficiency; Strengthens customer retention; Minimises errors; Clarifies business processes
- Cost savings
  - Hard-dollar savings: Helpdesk password resets easily measured; Avoids admin duty duplication; Eliminates redundant software and solutions
  - Soft-dollar savings: Improved user productivity; Avoids hidden administrative costs
- Security (lifecycle identity administration, policy enforcement): Partitions identity management; Eliminates dormant and orphan accounts; Ensures regulatory compliance; Facilitates auditing and accountability; Protects corporate information; Enables delegated and self-service account administration; Safeguards intellectual property; Supports internal audits; Assures stronger authorisation based on information value/sensitivity
- Competitive advantage: Enables risk and liability management; Improves corporate image and employee relationships; Yields a flexible IdM infrastructure; Facilitates mergers/divestments

17. [WHY: Rationale, Drivers and Benefits] The Challenge
- Today's identity management systems are ad-hocracies, built one application or system at a time
- Apps, databases and OSes lack a scalable, holistic means of managing identity, credentials and policy across boundaries
- Fragmented identity infrastructure: overlapping repositories, inconsistent policy frameworks, process discontinuities
- Error prone, creates security loopholes, expensive to manage
- The disappearing perimeter has put identity on the front burner
- Infrastructure requirements: extend reach and range; increased scalability, lower costs; balance of centralised and distributed management
- Infrastructure must be delivered as a service (Identity Service) and be re-usable

18. [WHY: Rationale, Drivers and Benefits] Risks
- Reduced risk of improper use of IT systems
- Reduced risk of privacy or other regulatory violations
- Substantial administration cost savings by reducing redundant security administration
- Accelerated time to market for new products and services to customers (targeted audience), reduced deployment costs
- Reduced cost of internal and external auditing
- Better customer experience and increased retention

19. [HOW: IdM Services Architecture] Objectives
- Define the role of identity management in the context of business requirements
- Develop an IdM framework and guidelines
- Implement re-usable identity services
- Develop and implement company-wide role management
- Document and streamline current and new identity-related business processes
- Provide a single view of Employee, Contractor, Customer and Business Partner identity and entitlement

20. [HOW: IdM Services Architecture] Mapping business drivers to benefits and services
- IdM business drivers: Cost containment; Operational efficiency; Business need; Regulatory compliance; Risk management
- IdM benefits: Improves user experience (Quality of Experience, QoE); Provides cost savings; Supports policy enforcement; Adds to competitive advantage; Provides lifecycle identity administration
- IdM services: Identity and policy administration; Directory services; Access management; Remote access; Federation; Provisioning; Portals / Self-service
One of the key tasks is to understand how to map the executives' business drivers onto the benefits of IdM services, and then to map those onto the technologies selected for deployment. As illustrated here, there are many overlaps and disconnects that make the mapping difficult, though not impossible.

21. [HOW: IdM Services Architecture] Conceptual Architecture: Provisioning
(Diagram only.)

22. [HOW: IdM Services Architecture] Conceptual Architecture: Access Management
(Diagram only.)

23. [HOW: IdM Services Architecture] 7 of the Top 10 Control Deficiencies focus on Secure Identity Management
  1. Operating system (e.g. Unix) access controls supporting financial applications or Portal not secure
  2. Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, PeopleSoft, JDE) not secure
  3. Development staff can run business transactions in production
  4. Large number of users with access to "super user" transactions in production
  5. Terminated employees or departed consultants still have access
  6. Posting periods not restricted within GL application
  7. Custom programs, tables and interfaces are not secured
  8. Unidentified or unresolved segregation of duties issues
  9. Procedures for manual processes do not exist or are not followed
  10. System documentation does not match actual process
Source: Ken Vander Wal, Partner, National Quality Leader, E&Y, ISACA Sarbanes Conference, 4/6/04

24. [HOW: IdM Services Architecture] Compliancy: What is SOX (Sarbanes-Oxley) Compliancy?
Companies must regularly provide external auditors with proof of their compliance with laws and regulations. An example is the Sarbanes-Oxley (SOX) law, which applies to listed American companies and, generally, to non-US companies listed on a US stock exchange. These laws and regulations may aim at preserving the integrity of financial data (the case of SOX and the French Law on Financial Security). Generally, compliance requires identifying risks, defining control objectives in order to tackle them, and deciding on control activities to attain these objectives. Finally, in view of these activities, it is necessary to prepare adequate tests to ensure that these processes exist, are applied and are working effectively. These tests have two objectives. On the one hand, they are used to constantly improve the processes and to provide information to management and external auditors. On the other hand, they will be used as evidence during certification to convince external auditors of the organisation's compliance with laws and regulations.
25. [HOW: IdM Services Architecture] Compliancy: Why SOX (Sarbanes-Oxley) Compliancy?
In some organisations, a large part of the risk of non-conformity to those regulations is due to inadequate identity and access management. In fact, beyond the problem of identity theft, actions made possible by wrongly assigned rights are a major source of security breaches. Therefore, an Identity and Access Management (IAM) solution can be a significant help in the effort to comply with these laws and regulations. Moreover, such a solution can be used simply to upgrade a set of existing control procedures so as to simplify them or adapt them to organisational changes. In addition to the functions it brings in, identity and access management must show evidence of its effectiveness. This evidence must be made available in writing and on demand to an auditor, for review and archiving.

26. [HOW: IdM Services Architecture] Compliancy: SOX Reference Framework
Section 404 of SOX does not specify which set of formal evaluation categories, known as a framework, must be used in the assessment of controls over financial reporting. Specific IT control frameworks may be chosen by a company, as long as the company can convince its external auditor that its controls satisfy the requirements for effectiveness. A framework of IT control objectives that is often used in the context of SOX is the Control Objectives for Information and related Technology (COBIT), issued by the IT Governance Institute (ITGI, www.itgi.org). SOX created the Public Company Accounting Oversight Board (PCAOB), a non-profit organisation, to oversee auditors of public companies. The PCAOB is charged with issuing guidelines for auditors on how to audit different aspects of reports, including the ones related to section 404. As long as the resulting controls satisfy the requirements set forth by the PCAOB's auditing standard, companies can conceivably use IT control frameworks other than COBIT. Such frameworks can be the ones included in the IT Infrastructure Library (ITIL, www.itil.co.uk) or ISO 17799. Companies may also choose a proprietary control framework developed by consulting and audit firms. It is important that companies work closely with their external auditors, especially in the first rounds of SOX section 404 implementation and certification.

27. [HOW: IdM Services Architecture] Compliancy: ITIL Framework
You can only maintain the ITIL Framework once you have completed the Identity Services Foundation to enable compliant ITIL operations support and services.

28. [HOW: IdM Services Architecture] Programme of Work: Identity Service
1) Agree on IdM Service strategy
2) Agree on programme/timeframe
3) Agree on the first 12 months' projects
- Project 1: Service Foundation Reconciliation Process (1 to 4 months)
  A. Understanding the problem: reconciliation of the main applications in relation to Employees and Contractors
  B. Understanding the problem: reconciliation of our main Customer/Business Partner applications (in light of a drive to a single view of Customer). This will identify the accounts related to business users, which in turn can be used, once completed, as input to Project 5
- Project 2: Provisioning Phase 1 (2 to 8 months)
- Project 3: Access Management Phase 1 (3 to 9 months)
- Project 4: Active Directory clean-up / re-design of AD (1 to 6 months)
- Project 5: Profile-Based System Access (6 to 9 months): Inception / validate approach; Profile discovery / HR business role alignment; Profile lifecycle management
- Governance Framework development and technology road-mapping (9 to 18 months)
Note: Business Analysts need to be assigned to this project to define the service elements from a business requirements perspective (IdM-based BA)
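Control deficiencies 5 (terminated staff still have access) and 8 (segregation of duties) on slide 23 and the Project 1 reconciliation in the Programme of Work are the same exercise seen from two sides: every application account is compared with the HR system of record, and anything HR cannot account for becomes an audit finding. The Python below is an added example written for this page, not code from the presentation or from Bernhard Enterprise Architectures. The HR roster, the erp and hr_portal account exports, the last-login dates and the single segregation-of-duties rule are constructed sample data, and the 90-day dormancy threshold is an assumed value; it flags orphan accounts, accounts of terminated staff, dormant accounts and SoD conflicts in one pass.

```python
"""Account reconciliation against the HR system of record.

Added example, not code from the presentation. The HR roster, account
exports, last-login dates and the SoD rule below are constructed sample data;
the 90-day dormancy threshold is an assumed value.
"""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple

AS_OF = date(2007, 5, 18)           # reconciliation run date
DORMANT_AFTER = timedelta(days=90)  # assumed threshold

# Constructed HR roster (authoritative source): uid -> (status, business role).
HR = {
    "e1001": ("active", "finance"),
    "e1002": ("terminated", "cabin_crew"),
    "e1003": ("active", "finance"),
    "c2001": ("active", "contractor"),
}

# Constructed account exports: system -> {uid: (entitlements, last login)}.
ACCOUNTS = {
    "erp": {
        "e1001": ({"ap_clerk"}, date(2007, 5, 15)),
        "e1002": ({"ap_clerk"}, date(2007, 1, 10)),                # left the company
        "e1003": ({"create_vendor", "approve_payment"}, date(2007, 5, 1)),
        "svc_batch": ({"ap_clerk"}, date(2006, 11, 2)),            # nobody in HR owns it
    },
    "hr_portal": {
        "e1001": ({"employee"}, date(2007, 5, 17)),
        "c2001": ({"contractor"}, None),                           # never logged in
    },
}

# Constructed segregation-of-duties rule: pairs no single account may hold.
SOD_CONFLICTS = [("create_vendor", "approve_payment")]

Finding = Tuple[str, str, str, str]   # (system, uid, finding type, detail)


def reconcile(hr=HR, accounts=ACCOUNTS, as_of=AS_OF) -> List[Finding]:
    """Compare every application account with HR and return the exceptions."""
    findings: List[Finding] = []
    for system, entries in accounts.items():
        for uid, (ents, last_login) in entries.items():
            record = hr.get(uid)
            if record is None:
                findings.append((system, uid, "orphan", "no HR record"))
            elif record[0] == "terminated":
                findings.append((system, uid, "terminated_active", "HR status terminated"))
            if last_login is None:
                findings.append((system, uid, "dormant", "never logged in"))
            elif as_of - last_login > DORMANT_AFTER:
                findings.append((system, uid, "dormant", f"last login {last_login}"))
            for a, b in SOD_CONFLICTS:
                if a in ents and b in ents:
                    findings.append((system, uid, "sod_conflict", f"{a}+{b}"))
    return sorted(findings)


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per finding type, the figures an auditor asks for first."""
    return dict(Counter(kind for _, _, kind, _ in findings))


if __name__ == "__main__":
    for f in reconcile():
        print("\t".join(f))
    print(summary(reconcile()))
```

On the constructed data the run reports one terminated-but-active account, one orphan service account, three dormant accounts and one SoD conflict, and nothing for e1001. The per-system loop means another application's export is just one more entry in ACCOUNTS, which is how the Project 1 output grows into the single view of business users that Project 5 takes as input.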