Identity and Access Management Dustin Puryear Sr. Consultant, Puryear IT, LLC dustin@puryear-it.com http://www.puryear-it.com/

Post on 24-Dec-2015

Identity and Access Management

Dustin Puryear
Sr. Consultant, Puryear IT, LLC
dustin@puryear-it.com
http://www.puryear-it.com/

Objectives

Find a common background for discussing IAM

Discuss problems and opportunities in the field

Introduce terminology

Highlight a possible future direction

Session Agenda

Today’s Problems
Making It All Better
Now What?
Viva La Resistance!
Puryear IT

This Presentation

This presentation was written with audit/compliance in mind.

Contact [email protected] to have Dustin Puryear present this topic to your organization or company.

Today’s Problems

Who am I? Who are you?

Networks use multiple identity systems
The Internet is no better
Users get confused with all of these IDs
Management and audit have difficulty keeping track of all these IDs
The bad guys are quite happy

So many IDs!

Person
    Active Directory Account
    Online HR Info Account
    PeopleSoft User Account

Multiple Contexts

Remote Employees

Suppliers

Partners

Customers

Employees

Trends

Regulation and Compliance
    SOX, HIPAA, GLB
Increasing Threats
    Identity theft
    Exposure of confidential info
Maintenance Costs
    The average employee needs access to 16 applications
    Companies spend an estimated $20-30 per user/year for password resets

The Real Impact

End-users
    Too many IDs
    Too many passwords
    Must wait for access to applications
Administrators
    Too many IDs
    Too many end-user requests
    Difficult or unreliable ways to sync all the accounts
Audit/Compliance
    Orphaned accounts
    Limited or no audit capability
    Where are the audit trails?

Making It All Better

Identity and Access Management

IAM
    Role Management
    Authorization
    Audits & Reporting
    Directories
    User Provisioning
    Password Management

The Benefits of IAM

Save money
Improve operational efficiency
Reduce time to deliver applications and services
Enhance security
Enhance regulatory compliance
Give more power to audit

Let’s Define IAM Terms

Authentication (AuthN)
    Verify that a person is who they claim to be
    This is where multi-factor authentication comes into play
    Identification and authentication are related but not the same
Authorization (AuthZ)
    Deciding what resources can be accessed/used by a user
Accounting
    Charges you for what you do

IAM is a Foundation

Identity Management
    Account Provisioning & Deprovisioning
    Synchronisation
Administration
    User Management
    Password Management
    Workflow
    Delegation
    Audit and Reporting
Access Management
    AuthN
    AuthZ

Now What?

Implement IAM!

Start Slow!
Define your Single Source of Truth (SSOT)
    Unfortunately, there may be more than one, if that makes sense..
Implement the “big wins”
    User provisioning to Active Directory
    Password resets

But How?

SSOT
    Work with your team, IT, and management to determine the true source of user information
User Provisioning to AD
    It’s already happening!
    Solutions
        Microsoft ILM
        CA eTrust Admin
        Sun IM
        …

The Results!

User provisioning can be automated
Password resets can be delegated to the helpdesk
And the big one:
    You can now audit both the user provisioning and password resets

The Next Step

Extend User Provisioning To
    PeopleSoft
    Lawson
    Oracle
    Custom/in-house applications
Begin consolidating user directories
    Can you point some or all of your applications at AD or LDAP?

Authorization

This is the hard one!
Applications define their AuthZ rules differently
Try to consolidate to an AD/LDAP authz landscape
Tackle this one application at a time!

The Power is Yours

You can now audit/review:
    Who has what accounts?
    Why do they have those accounts?
    Who approved those accounts?
    Are there any orphaned accounts?
    Who has access to what?
    For how long have they had that access?
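
The review questions on this slide can be answered by reconciling per-system account exports against the Single Source of Truth. The script below is an added example, not part of the original presentation; the CSV columns, sample rows and function names are assumptions constructed for illustration, with HR assumed to be the SSOT.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). HR is assumed to be the SSOT.
HR_CSV = """employee_id,name,status
1001,Alice Martin,active
1002,Bob Chen,terminated
1003,Carla Diaz,active
"""

ACCOUNTS_CSV = """system,account,employee_id,approved_by,created
ActiveDirectory,amartin,1001,jsmith,2014-03-01
PeopleSoft,AMARTIN,1001,,2015-01-15
ActiveDirectory,bchen,1002,jsmith,2013-06-10
ActiveDirectory,svc_backup,,,2012-02-02
PeopleSoft,CDIAZ,1003,jsmith,2015-11-30
"""


def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(hr_rows, account_rows, today):
    """Reconcile per-system accounts against the SSOT and return findings."""
    active = {r["employee_id"] for r in hr_rows if r["status"] == "active"}
    report = {"holdings": {}, "orphaned": [], "unapproved": []}
    for acct in account_rows:
        label = f'{acct["system"]}:{acct["account"]}'
        owner = acct["employee_id"]
        if owner not in active:
            # No owner recorded, or the owner is no longer active in the SSOT.
            report["orphaned"].append(label)
            continue
        # Who has what, and for how long have they had it?
        age_days = (today - date.fromisoformat(acct["created"])).days
        report["holdings"].setdefault(owner, []).append((label, age_days))
        if not acct["approved_by"]:
            # The account exists but no approval was ever recorded.
            report["unapproved"].append(label)
    return report


if __name__ == "__main__":
    findings = audit_accounts(load(HR_CSV), load(ACCOUNTS_CSV), date(2015, 12, 24))
    for key, value in findings.items():
        print(key, value)
```
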

And there is more..

You can control access to your web-enabled applications using a Web Access Manager (WAM)

Don’t forget about SSO!

What about federated identities and your partners and suppliers?

Viva La Resistance!

IT Resistance

Sometimes IT resists a formalized IAM process because:
    “We are too busy”
    “We can’t afford it”
    “We don’t want to give up control!”

“We are Too Busy”

This is a common response
IT is too busy..
    Because they are resetting passwords all day
    Working too hard to create accounts
    Learning too late that orphaned accounts are being misused/attacked

“We Can’t Afford It”

There are small and big solutions to this problem

If you are an AD-only shop with minimal applications, then you can start small

Larger enterprises have no choice, they can’t afford not to!

“We Don’t Want to Give Up Control!”

This is usually the root of the disagreement.

They are responsible for IT
They don’t want problems in IAM to reflect poorly on them
They are used to the control, even if it’s not necessary

A Compromise

Take control without giving up control!

A middle-ground:
    IAM solutions can be used to explore user directories/databases
    Reports can be generated
    IT can still do the provisioning itself

Summary

It’s becoming impossible to manage all of these accounts and rights by hand

You can automate controls
You can automate audit reports
You can control THE PROCESS!

Who We Are?

Puryear IT is THE IAM specialist in Louisiana
We help small and large companies, ranging from 100 users to well over 20,000+ users
We are vendor-agnostic, and have worked with everyone, including:
    Microsoft
    CA
    Sun

We Can Help IT to..

Help you tackle your IAM needs
Integrate Linux, UNIX, and J2EE into Active Directory
Build out AAA solutions
Deploy Microsoft ILM, Sun IM, Novell IM, and CA IM
Deploy small and large solutions

We Can Help Audit/Compliance to..

Build an automated user account and access rights tracking solution

Log changes to user accounts and access rights

Ensure passwords are changed as policies and regulations require

Help you communicate your needs to IT

Automate your manual tasks

Doing IAM Right

Puryear uses a methodical approach to:
    Identify organization pain points
    Identify organization audit requirements
    Work with IT and audit to prioritize needs
    Develop an initial pilot deployment
    Roll out the final solution
    Help you manage and extend the solution

Dustin Puryear
Sr. Consultant, Puryear IT, LLC
dustin@puryear-it.com
http://www.puryear-it.com/