Building an Effective Identity Management Strategy
A Dark Reading Webcast
Sponsored by
Today’s Presenters
Erik Sherman, Moderator
Adrian Lane, Analyst & CTO, Securosis
Rick Wagner, Director, Product Management, Identity and Access Governance, NetIQ
Presents
Building an IAM Management Strategy
Adrian Lane
Objectivity Disclaimer

This is a sponsored webcast, but all of the content is developed independently and represents Securosis objective research positions.

For more information about our Totally Transparent Research process, visit:
https://securosis.com/about/totally-transparent-research
Outline
• IAM in context
• Trends and Issues
• Deployment Strategies
• Key Questions & Recommendations
When IAM was easier
Proliferation

Identity & Access Management
Do more with less…
The Cloud…
…has many faces…
…and many characteristics
And let’s not forget mobile identity…
What’s changed?
•   External cloud services forever alter IAM – forcing changes

•   Both customers & employees use internal & external resources

•   Constant pressure to do more with less has IT ops looking for streamlined solutions

•   These changes make it very difficult to manage identity & authorization across the enterprise
Which is another way to say you have more to do, in a more complex environment, so you’d better automate!
Exactly Opposite



•   Need to distribute policy decisions & enforcement

•   Need to centralize management
Terms and Definitions
Concepts
Federation and Identity
Authorization and Access Management

Policy Decision Point (PDP): Determines the Rules
Policy Enforcement Point (PEP): Enforces the Rules
What is your strategy?
Deployment Strategies

•   Replication Model

•   Federation Model

•   Emerging Hybrids
Replication & Synchronization
[Diagram: Directory Services; in-house Web Services, HR and Financial Systems; remote Document Management, Partner Services and Off-site Backup]
Federation
[Diagram: Directory Services; in-house Internal User and Federation Extensions; remote Software as a Service, Approved User and Un-approved user]
Hybrids
[Diagram: Directory Services; in-house Web Services, HR, Financial Systems and Federation Extensions; cloud Identity As A Service (IaaS Provider); labelled SAML, XACML, SPML, Vendor API, SCIM]
Interfaces
[Diagram: Identity / Attribute Providers; Central Broker / Proxy or Repository; Service Providers]
Quick Word on IAM Standards
Key Identity Management Questions
•   How do we manage user accounts across multiple internal/external apps?

•   Do we replicate directory services?

•   How do we deal with cloud provider identity management & interfaces?

•   How do we link internal & external functions?
Key Access Management Questions
•   How do we integrate with internal apps? Cloud apps? Mobile apps?

•   How do we enforce policy?

•   Do we have granular controls?

•   Where do authorization maps reside?

•   Who initiates authorization requests?
Provisioning
Courtesy of Axiomatics
Key Provisioning Questions
  •   User registration & identity propagation

  •   Account revocation

  •   Identity Management

  •   De-provisioning

  •   Auditing
Recommendations
•   Centralized management framework

•   Leverage models that work for cloud and local

•   No one ‘right’ strategy for all customers

•   Select model that maximizes automation

•   Understand that management and storage is likely a shared responsibility
IAM Recommendations
•   Use Federated Identity to authenticate locally and authorize remotely

•   Define authoritative sources for policies – often HR instead of standard directory services

•   Determine if providers support roles and attributes
Adrian Lane
Securosis, L.L.C.
alane@securosis.com
Twitter: AdrianLane
Building an IAM Management Strategy
Using NetIQ Identity & Access Governance Products

Rick Wagner
Director, Product Management
rwagner@netiq.com
Key Elements of “Access” – the Verb
     Right People, Right Access, Right Time, Right Business Purpose


      Elements of Identity
            -   Who/What are you?
                  -   Name, location, etc.
            -   Roles/Privilege
                  -   Title, Manager, etc.
            -   Relationship to business
                  -   Employee, Contractor, etc.




      © 2012 NetIQ Corporation. All rights reserved.
Key Elements of “Access” – the Verb
     Right People, Right Access, Right Time, Right Business Purpose


      Access is a Relationship
            -   Applications
            -   Systems
            -   Data
            -   Resources
            -   Physical Facilities




Key Elements of “Access” – the Verb
     Right People, Right Access, Right Time, Right Business Purpose


      Access Utilization
            - Is activity aligned to roles and policy
                     - Orphans, dormant access and entitlement creep
                     - Privileged access control
            - Distinguish attacker from insider activity




Right Access Requires Proper Context
     What, Where, Why and When add critical value to the Who

            -   Who has access to what?
            -   What is being accessed?
            -   Where is the access originating from?
            -   When was the access granted?
            -   Why was the access granted?
            -   Is the access appropriate?
What is “Right” Varies By Organization
     Moving at the speed of business vs. mitigating business risks




     Flexible
     Manageable


What Are Your Priorities and Needs?
     Modular, Integrated Solutions – Start Where Your Need is Greatest

      Flexibility, Manageability

      Key Capabilities To Deliver Business Centric Access
            -   Access Fulfillment: Access Certification; Access Request; Access Administration; Delegated Administration
            -   Access Authorization: Single Sign-on; User Authentication; Authorization Enforcement; Privileged Access Management
            -   Access Monitoring: Dashboards, Risks & Trends; Security & Activity Intelligence; Forensic Analytics & Reporting; Log Management Reporting
Identity Management Market
Timeline: 2002, 2004, 2006, 2008, 2010, 2012, 2014

Driven by IT: Identity Management / User Provisioning
• Improve operational efficiency
    • Automated on boarding / off boarding
    • User management / self-service
• Security and Compliance
    • Automated policy enforcement
    • Reporting

Driven by the business: Access Governance
• Improved user interface
    • Simplified interface for non-IT business users
    • Quick time to value – aggregation vs. integration
• Access certification to achieve compliance objectives
    • Immediate business need

Identity Administration and Governance
Identity Administration & Governance
Timeline: 2012, 2013, 2014, 2015, 2016

Industry leading provisioning
• Manual
• Semi-automated
• Fully automated

Access governance
• Access certification
• Access request
• Role management
• Risk monitoring

On-demand Anomaly Detection
• Continuous compliance
• Dynamic transparency

Identity Intelligence
• Information you need, when you need it to make better business decisions
The Evolving Marketplace




                            Identity Intelligence and Business Visibility



Identity Intelligence




360° View of Identity and Access
Nearly 7,000 Customers




This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new
editions of this document. NetIQ Corporation may make improvements in or changes to the
software described in this document at any time.

Copyright © 2013 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the
cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration
Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy
Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit,
PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite,
Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ
Corporation or its subsidiaries in the United States and other countries.
Q&A
Erik Sherman, Moderator
Adrian Lane, Analyst & CTO, Securosis
Rick Wagner, Director, Product Management, Identity and Access Governance, NetIQ
Learn More at www.netiq.com

     •   Access informative white papers:
          –   “Navigate the Future of Identity and Access Management,” by Eve Maler, Forrester Research
               –   http://bit.ly/SPXWKI
          –   “Identity and Access Governance – Bringing IT and Business Together,” NetIQ
               –   http://bit.ly/VFWPv6
     •   Continue the conversation!
          –   Twitter.com/NetIQ
          –   Linkedin.com/company/NetIQ


Building an Effective Identity Management Strategy

  • 1. Building an Effective Identity Management Strategy   Webcast A Dark Reading Sponsored by
  • 2. Today’s Presenters Erik Sherman Moderator Adrian Lane Analyst & CTO  Securosis  Rick Wagner Director  Product Management  Identity and Access Governance  NetIQ
  • 4. Objectivity Disclaimer This is a sponsored webcast, but all of the content is developed  independently and represents Securosis  objective research  positions.  For more information about our Totally Transparent Research  process, visit: https://securosis.com/about/totally-transparent-research 
  • 5. Outline • IAM in context • Trends and Issues • Deployment Strategies • Key Questions & Recommendations
  • 13. What’s changed? • External cloud services forever alters  IAM – forces changes • Both customers & employees using  internal & external resources • Constant pressure to do more with less  has IT ops looking for streamlined  solutions • These changes make it very difficult to  manage identity & authorization across  the enterprise
  • 14. Which is another way to say you have more to do, in a more complex environment, so you’d better automate!
  • 15. Exactly Opposite • Need to distribute policy decisions & enforcement • Need to centralize management
  • 19. Authorization and Access Management Policy Decision Policy Decision Policy Policy Point Point Enforcement Point Enforcement Point (PDP) (PDP) (PEP) (PEP) Determines the Rules Determines the Rules Enforces the Rules Enforces the Rules
  • 20. What is your strategy?
  • 21. Deployment Strategies • Replication Model • Federation Model • Emerging Hybrids
  • 22. Replication & Synchronization Document Management Partner Services Off-site Backup Remote Web Services HR Financial Systems In-house Directory Services
  • 23. Federation Software as a Service Approved User Un-approved user Remote Internal User Federation Extensions In-house Directory Services
  • 24. Hybrids SAML Identity As A Service XACML IaaS Provider Cloud SPML Vendor API SCIM Web Services HR Financial Systems Federation Extensions In-house Directory Services
  • 25. Interfaces Identity / Attribute Providers Identity / Attribute Providers Central Broker Proxy or Repository Service Providers Service Providers
  • 26. Quick Word on IAM Standards
  • 27. Key Identity Management Questions • How do we manage user accounts across multiple internal/external apps? • Do we replicate directory services? • How do we deal with cloud provider identity management & interfaces? • How do we link internal & external functions?
  • 28. Key Access Management Questions • How do we integrate with internal apps? Cloud apps? Mobile apps? • How do we enforce policy? • Do we have granular controls? • Where do authorization maps reside? • Who initiates authorization requests?
  • 29. Provisioning Courtesy of Axiomatics
  • 30. Key Provisioning Questions • User registration & identity propagation • Account revocation • Identity Management • De-provisioning • Auditing
  • 31. Recommendations • Centralized management framework • Leverage models that work for cloud and local • No one ‘right’ strategy for all customers • Select model that maximizes automation • Understand that management and storage is likely shared responsibility
  • 32. IAM Recommendations • Use Federated Identity to authenticate locally and authorize remotely • Define authoritative sources for policies – often HR instead of standard directory services • Determine if providers supports roles and attributes
  • 33. Adrian Lane Securosis, L.L.C. alane@securosis.com Twitter: AdrianLane
  • 34. Building an IAM Management Strategy Using NetIQ Identity & Access Governance Products Rick Wagner Director, Product Management rwagner@netiq.com
  • 35. Key Elements of “Access” – the Verb Right People, Right Access, Right Time, Right Business Purpose Elements of Identity - Who/What are you? - Name, location, etc. - Roles/Privilege - Title, Manager, etc. - Relationship to business - Employee, Contractor, etc. 36 © 2012 NetIQ Corporation. All rights reserved.
  • 36. Key Elements of “Access” – the Verb Right People, Right Access, Right Time, Right Business Purpose Access is a Relationship - Applications - Systems - Data - Resources - Physical Facilities 37 © 2012 NetIQ Corporation. All rights reserved.
  • 37. Key Elements of “Access” – the Verb Right People, Right Access, Right Time, Right Business Purpose Access Utilization - Is activity aligned to roles and policy - Orphans, dormant access and entitlement creep - Privileged access control - Distinguish attacker from insider activity 38 © 2012 NetIQ Corporation. All rights reserved.
  • 38. Right Access Requires Proper Context What, Where, Why and When add critical value to the Who What is being Who has access to what? accessed? When was the Where is the access granted? access originating from? Is the access appropriate? Why was the access granted? 39 © 2012 NetIQ Corporation. All rights reserved.
  • 39. What is “Right” Varies By Organization Moving at the speed of business vs. mitigating business risks Flexible Manageable 40 © 2012 NetIQ Corporation. All rights reserved.
  • 40. What Are Your Priorities and Needs? Modular, Integrated Solutions – Start Where Your Need is Greatest Mana ibility geab Flex ility Key Capabilities To Deliver Business Centric Access Access Access Delegated Access Request Certification Administration Administration Access Fulfillment User Authorization Privileged Single Sign-on Access Authentication Enforcement Management Access Authorization Dashboards, Security & Activity Forensic Log Management Risks & Trends Intelligence Analytics & Reporting Reporting Access Monitoring 41 © 2012 NetIQ Corporation. All rights reserved.
  • 41. Identity Management Market Driven by IT Identity Management //User Provisioning Identity Management User Provisioning • Improve operational efficiency • Automated on boarding / off boarding • User management / self-service • Security and Compliance • Automated policy enforcement Identity • Reporting Administration 2002 2004 2006 2008 2010 2012 2014 and • Improved user interface Governance • Simplified interface for non-IT business users • Quick time to value – aggregation vs. integration • Access certification to achieve compliance objectives • Immediate business need Driven by the business Access Governance Access Governance 42 © 2012 NetIQ Corporation. All rights reserved.
  • 42. Identity Administration & Governance 2012 2013 2014 2015 2016 Industry leading provisioning •Manual •Semi-automated •Fully automated Access governance •Access certification •Access request Identity Administration & Identity Administration & •Role management Governance Governance •Risk monitoring On-demand Anomaly Detection •Continuous compliance •Dynamic transparency Identity Intelligence •Information you need, when you need it to make better business decisions 43 © 2012 NetIQ Corporation. All rights reserved.
  • 43. The Evolving Marketplace Identity Intelligence and Business Visibility 44 © 2012 NetIQ Corporation. All rights reserved.
  • 44. Identity Intelligence 3600 View of Identity and Access 45 © 2012 NetIQ Corporation. All rights reserved.
  • 45. Nearly 7,000 Customers 46 © 2012 NetIQ Corporation. All rights reserved.
  • 46. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright © 2013 NetIQ Corporation. All rights reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other countries.
  • 47. Q&A Erik Sherman Moderator Adrian Lane Analyst & CTO Securosis Rick Wagner Director Product Management Identity and Access Governance NetIQ
  • 48. Learn More at www.netiq.com • Access informative white papers: – “Navigate the Future of Identity and Access Management,” by Eve Maler, Forrester Research – http://bit.ly/SPXWKI – “Identity and Access Governance – Bringing IT and Business Together,” NetIQ – http://bit.ly/VFWPv6 • Continue the conversation! – Twitter.com/NetIQ – Linkedin.com/company/NetIQ

Editor's Notes

  • #7: With the client-server model, we worried about a single, central place to manage identities and privileges. Our biggest problem was password resets.
  • #14: Cloud and mobile have forced a re-examination of identity and authorization. Even if you’re not in the cloud, the products you use are evolving to use new concepts to promote efficiency. But most of you are in the cloud whether you like it or not. Mobile devices permeate every enterprise. Cloud services are too cheap and too compelling. Constant budgetary pressures both push us to better/faster/cheaper solutions and force us to automate more and more mundane tasks. The problem is that these changes, made in order to make IAM more efficient and effective, also make it more complex.
  • #18: Reduced Sign-on (RSO). The use of an account and/or credential synchronization tool to minimize the number of credentials (usually username and password) a user has to remember; most of these solutions result in some form of security compromise. Single Sign On (SSO). The ability to pass Identity and Attributes to a cloud service, securely, using secure standards such as SAML and OAuth. Federation. The connection of one Identity repository to another. Persona. Identity plus the particular Attributes that provide context to the environment the Entity is operating within. A Persona may be an aggregation of an individual Identity together with an Organizational Identity and Organization Attributes (e.g. a corporate Persona, Fred Smith as CEO of ACME Corp., or a Personal Computer belonging to ACME Corp.). Attributes. Facets of an Identity.
  • #19: Cloud as a forcing function – cloud services forced a fundamental rethink of how we propagate identity. Federation of identity is really the first step in this process.
  • #20: Also fundamental to this shift is the separation of policy and enforcement. PDP: internal for private apps, may be cloud for consumer/public apps. PEP: typically in the cloud provider, no matter if it is a public-facing or private app. Authorization and Access Management is the process by which the entitlement rules are translated (via the Authorization layer) into Access Management rules. In most cloud-based systems, the Authorization layer is likely to be a “Policy Decision Point” (PDP), the point that evaluates and issues authorization decisions, and the Access Management layer the “Policy Enforcement Point” (PEP), the point that enforces the PDP's decision.
  • #21: Automation is more important than
  • #24: Quite literally trucking your existing directory services in-house, and externally to the cloud. Makes things the same – but security of the directory, propagation delays and incompatibility with cloud and mobile services are all problems. IaaS is OK – PaaS maybe not. Management is more difficult depending upon synchronization capabilities.
  • #25: One way to manage access to a SaaS application is to rely on federated identity. Basically, the existing directory does the bulk of the work; SAML extends identity and – in some cases – provisioning to the cloud. Here’s how it works: Implement federation extensions to the internal directory server. Disable username/password login with the SaaS provider. When a user logs in, they are issued a federation (e.g. SAML) token. This token is accepted by the SaaS application to log the user in. The user is unable to log in to the SaaS application unless they are logged into the organization’s network, since that’s the only way to get the federation token.
  • #26: Quite literally trucking your existing directory services in-house, and externally to the cloud. Makes things the same – but security of the directory, propagation delays and incompatibility with cloud and mobile services are all problems. IaaS is OK – PaaS maybe not. Management is more difficult depending upon synchronization capabilities.
  • #27: There are three basic architectures for interfacing to Identity and Attribute providers: a “hub-and-spoke” model, where Identity and Attributes are centrally managed (coordinated) by the hub, which then interacts with the cloud service(s) or cloud application(s); the free-form model, where the cloud service and/or application can be configured to accept Identities and Attributes from multiple sources; and the hybrid solution, where the components are distributed, potentially using other cloud services. Each model has its merits, and the choice will be based on a number of factors, including: where the customers for the service have their identity; the capability of the cloud service chosen; and the capability of the enterprise to provide assertion-based Identity and Attributes.
  • #28: The enterprise must understand the choices in identity standards, what problems each solves and how, and finally the level of maturity of the standard. These are the most commonly used standards and align with what’s on the exam. This is part of the reason that the identity-as-a-service model is being adopted – cheaper to let someone else glue all the bits together.
  • #29: Identity and Access Management are separate but related concerns. Identity management is related to provisioning accounts; this includes registration in the system (such as a directory), propagation (synchronization or replication), managing attributes, de-provisioning (deactivation), and audit reporting. The provisioning process provides accounts that are used by the access management system. The access management system adjudicates access control decisions such as authentication and authorization.
  • #32: Identity and Access Management are separate but related concerns. Identity management is related to provisioning accounts; this includes registration in the system (such as a directory), propagation (synchronization or replication), managing attributes, de-provisioning (deactivation), and audit reporting. The provisioning process provides accounts that are used by the access management system. The access management system adjudicates access control decisions such as authentication and authorization.
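
The PDP/PEP split described in note #20, as an added example that is not part of the webcast: the PDP evaluates entitlement rules against a subject's attributes, and the PEP in front of the resource enforces that decision, denying by default and failing closed when no decision is available. The rule format, class names and sample attributes are assumptions made for illustration.

```python
# Constructed entitlement rules held by the PDP:
# (required attribute, required value, resource, action)
RULES = [
    ("department", "finance", "ledger", "read"),
    ("role", "controller", "ledger", "approve"),
]


class PolicyDecisionPoint:
    """Evaluates entitlement rules and issues Permit/Deny decisions."""

    def __init__(self, rules, available=True):
        self.rules = rules
        self.available = available  # lets the example simulate a PDP outage

    def decide(self, attributes, resource, action):
        if not self.available:
            raise ConnectionError("PDP unreachable")
        for attr, value, res, act in self.rules:
            if (res, act) == (resource, action) and attributes.get(attr) == value:
                return "Permit"
        return "Deny"  # no matching rule: default deny


class PolicyEnforcementPoint:
    """Sits in front of the resource and enforces the PDP's decision."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []  # every decision is recorded for audit reporting

    def request(self, subject, attributes, resource, action):
        try:
            decision = self.pdp.decide(attributes, resource, action)
        except ConnectionError:
            decision = "Deny"  # fail closed when no decision can be obtained
        self.audit.append((subject, resource, action, decision))
        return decision == "Permit"


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES))
    print(pep.request("fsmith", {"department": "finance"}, "ledger", "read"))
    print(pep.request("fsmith", {"department": "finance"}, "ledger", "approve"))
```

Because the PEP holds no rules of its own, changing policy means changing only the PDP, which is what allows enforcement to be distributed while management stays central.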
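
The federated login steps in note #25, as an added example that is not part of the webcast: the internal identity provider issues a token only after a directory login, and the SaaS side, with password login disabled, accepts only a token whose signature, audience and expiry check out. The token here is HMAC-signed JSON standing in for a SAML assertion (real SAML uses XML signatures made with the identity provider's private key); the key, audience URL and directory entry are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-demo-key"        # stand-in for the IdP signing key
SP_AUDIENCE = "https://saas.example/sp"  # hypothetical SaaS entity ID
DIRECTORY = {"fsmith": "correct horse"}  # constructed internal directory


def _sign(body: bytes) -> str:
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()


def idp_login(user, password, now=None, ttl=300):
    """Internal IdP: authenticate against the directory, then issue a token."""
    stored = DIRECTORY.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": SP_AUDIENCE, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)


def sp_login(token=None, password=None, now=None):
    """SaaS side: password login is disabled; only a valid token is accepted."""
    if password is not None or not token:
        return None  # local credentials are never accepted
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(_sign(body.encode()).encode(), sig.encode()):
        return None  # not issued by the trusted IdP, or altered in transit
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims.get("aud") != SP_AUDIENCE or claims.get("exp", 0) <= now:
        return None  # issued for another service, or expired
    return claims["sub"]
```

The signature is checked before the token body is parsed, so untrusted input never reaches the JSON decoder, and the short expiry is what ties SaaS access to a recent login on the organization's side.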