Securing Citizen Facing Applications
1. What have you personally seen as lessons learned for getting the business on board
   with an EA security model?

   Edwin Lorenzana

   In the public sector space the EA security model is usually dictated by the constraints of
   independent agencies with decentralized business objectives, technical initiatives and separate
   reporting structures.

   This challenge requires a holistic, textbook approach to decentralized federation that introduces
   governance and standards to reduce business risk and minimize security breaches.

   This governance initiative needs to be supported by technology that can enforce and report
   those controls while providing flexibility to the application owners to continue to deliver the
   expected service.

   Therefore I learned that you have to dedicate time to not only define the owners of each
   technology but also the owner of each governance section and current business process.

   Once you succeed in creating your ownership “org chart”, you need to provide that group
   with a realistic roadmap of the prerequisites: a laundry list of “soft” projects to achieve a
   federated circle of trust. The initial initiatives should focus on:

       •   Define governance

       •   Define/document the business process (the security lifecycle)

       •   Align the required data to be used to drive security (application security driven by HR
           data)

   As you work through these projects you need to set goals that balance the correct level
   of security controls, the required compliance and the needs of the individual owner.

   With that said, I recommend that you dedicate a large amount of your time to the planning
   phases and work with your owners to kick off the internal “soft” projects to define the
   governance, document the business process and align the required data to automate those
   business processes.

   The key is that you drive the program and facilitate the projects, but work with the owners to
   define their own procedures, as they will own the procedure behind the automation in the long
   term (post-implementation).
– What are the initiatives that would help define the required business process to correctly
proof an identity, along with defining the correct attributes and data points to align the
identities across the various environments?

Eddie Lorenzana

As we discussed, our focus is to drive a holistic direction toward a decentralized federation model.

This approach needs to be supported by an effort to collect and document the account lifecycle in each
environment, the major ones being:

    •   The HR account lifecycle

    •   The account lifecycle of the various directories (Oracle Internet Directory, Active Directory, etc.)

    •   The application lifecycle of the applications to be integrated

As you define the account lifecycle for each of these, you will need to work with the environment owner
to analyze the state of the user stores. The goal of this analysis is to define a unique identifier that spans
all the user stores.

In most cases you will find that this leads you to an initiative usually referred to as ID aggregation and
synchronization. To put it simply, you will need to lead an effort to implement a common unique
identifier across all the environments (employee ID for internal users and an assigned ID for citizens).

As you work through this, be sure to work with the environment owners to define secure communication
options across the environments; this supports future implementations of virtual directories, single
sign-on and password sync.

Issue #4: Is a centralized or decentralized approach to authentication and authorization the more
feasible approach?

Eddie Lorenzana

As we have been discussing, in the public sector space the EA security model is usually dictated
by the constraints of independent agencies with decentralized business objectives, technical
initiatives and separate reporting structures; therefore a decentralized, federated approach
is the correct one.

Follow up questions

    1. What are the challenges of shared identity ownership?

The challenges of shared identity ownership are:

    •   Document the account lifecycle

    •   ID aggregation and synchronization

As you define the account lifecycle, you will need to work with the environment owner to analyze the
state of the user stores. The goal of this analysis is to define a unique identifier that spans all the
user stores. In most cases you will find that this leads you to an initiative usually referred to as ID
aggregation and synchronization. To put it simply, you will need to lead an effort to implement a
common unique identifier across all the environments (employee ID for internal users and an assigned
ID for citizens).

As you work through this, be sure to work with the environment owners to define secure communication
options across the environments; this supports future implementations of virtual directories, single
sign-on and password sync.

To attain that approach, I like to work with a proven approach that clearly defines the “soft” initiatives
and maps out how they must be completed to ease the deployment of the technical implementations.

Follow up questions

    1. What sort of phased approach works for government agencies?

The Security Enterprise Architecture / Phased Approach model calls for the clear definition of
the Enterprise IT Security Business Service goals in the areas of:

    •   Enterprise Security Model

    •   Enterprise Directory Model

    •   Enterprise Access Control and User Management Model

The details of these goals should be defined by the executive sponsors from both the business
and IT of each independent agency. These details need to clearly set direction for a
federated, decentralized model that provides secure access to resources while allowing
flexibility to the technology owners.

These goals should not only be clear, they need to be grounded and realistic. Take special
care not to be tempted to oversell goals in order to get the budget approved. As you work
through this process, sell the goals, but be sure to clearly define the requirements in the
next three phases.

Phase 1 focuses on fostering continued executive support and identifying and developing the
governance & standards teams that will provide the direction and political support to meet the
Enterprise IT Security Business Service goals by developing:

   •    Governance (CIOs, CISO, CFO, IT Director, HR Director, PS Mgr)

   •    Governance Standards

   •    Business & IT Policy (policy writers for IT, Business, Compliance/Audit, IT Sec, Law dept)

   •    Data Standards & Procedures (policy writers, user store owners, HR data entry, PS Mgr)

   •    Directory Standards & Procedures (user store owners, IT Sec, Compliance/Audit, Policy)

   •    Application Standards & Procedures (user store owners, IT Sec, Compliance/Audit,
        Policy)

During this phase you need to work on developing high-level, industry best-practice standards
and get the proper sign-off from the members of each agency.

The risk here is that you will get push-back to document the procedures before standards are
set. Or you could be asked to use professional services that have experience in this area; if the
budget allows it, do it.

If not, then use best-practice templates and get the sign-off from the members. The reason is
that you will not succeed in getting the line managers to work with you if you do not have
support and written guidance from the executive sponsors.

Phase 2 focuses on getting the details from the line managers that are part of the user account
lifecycle. This phase should clearly show the step-by-step flow of user account provisioning and
de-provisioning. This exercise is one of the most important phases, as you cannot automate
unless the procedure is clearly defined. As you work through each account lifecycle you may
need to create two sets of documents: current state and future state as described by your
governance documentation.

As you create the future state you will need to clearly document and get sign off from the given
line manager on the requirements in the areas of:

    •   Composite Identity Management

    •   Account matching and de-duping

    •   Resource requirements for support & admin in phase 3

    •   Technical hurdles that will need to be tackled in phase 4

Phase 2 will be the longest and most difficult. As the line managers push back, be sure to sell the
cost savings that this will create during the implementation.
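The ID aggregation step described earlier (a common unique identifier across the HR, OID and AD user stores) and the Phase 2 requirement for account matching and de-duping are the same problem seen twice. The following is an added example, not code from the presentation notes or from any Oracle product: it treats HR as the authoritative source for internal users, matches each directory account to an employee ID (employee number first, e-mail as a fallback), and reports the three findings a future-state document has to cover: duplicate accounts for one person, orphan accounts with no HR owner, and accounts that survive a termination (a de-provisioning gap). The record layouts, attribute names and sample data are constructed for the example; citizen identities, which the notes say get an assigned ID rather than an employee ID, are out of scope here.

```python
"""Added example (not from the presentation notes): ID aggregation across
decentralized user stores.  HR is treated as the authoritative source; the
record layouts, attribute names and all sample data below are constructed."""
from collections import defaultdict

# Constructed sample exports, one record per account in each environment.
HR_RECORDS = [
    {"emp_id": "E1001", "email": "ana.ruiz@agency.example", "status": "active"},
    {"emp_id": "E1002", "email": "ben.okafor@agency.example", "status": "terminated"},
    {"emp_id": "E1003", "email": "chen.li@agency.example", "status": "active"},
]
OID_RECORDS = [  # Oracle Internet Directory style attributes (assumed)
    {"uid": "aruiz", "mail": "Ana.Ruiz@agency.example", "employeenumber": "E1001"},
    {"uid": "bokafor", "mail": "ben.okafor@agency.example", "employeenumber": ""},
    {"uid": "aruiz2", "mail": "ana.ruiz@agency.example", "employeenumber": "E1001"},  # duplicate
]
AD_RECORDS = [  # Active Directory style attributes (assumed)
    {"sAMAccountName": "ruiza", "mail": "ana.ruiz@agency.example", "employeeID": "E1001"},
    {"sAMAccountName": "lichen", "mail": "chen.li@agency.example", "employeeID": ""},
    {"sAMAccountName": "svc-backup", "mail": "", "employeeID": ""},  # no HR owner
]


def normalize_email(value):
    """Lower-case and strip so 'Ana.Ruiz@...' and 'ana.ruiz@...' compare equal."""
    return (value or "").strip().lower()


def build_hr_index(hr_records):
    """Index the authoritative HR feed by employee ID and by normalized e-mail."""
    by_emp = {r["emp_id"]: r for r in hr_records}
    by_mail = {normalize_email(r["email"]): r["emp_id"] for r in hr_records}
    return by_emp, by_mail


def match_to_hr(record, id_field, mail_field, hr_by_emp, hr_by_mail):
    """Return (emp_id, method).  A populated employee number wins; e-mail is
    the weaker fallback and is reported as such so reviewers can verify it."""
    emp = (record.get(id_field) or "").strip()
    if emp in hr_by_emp:
        return emp, "employee_number"
    mail = normalize_email(record.get(mail_field))
    if mail in hr_by_mail:
        return hr_by_mail[mail], "email"
    return None, "unmatched"


def aggregate(hr_records, oid_records, ad_records):
    """Map every directory account onto an HR employee ID and flag the gaps.

    Returns (identities, orphans, duplicates, deprovisioning_gaps):
      identities  emp_id -> {"oid": [(account, method)], "ad": [...]}
      orphans     (store, account) pairs with no HR owner
      duplicates  (emp_id, store) pairs where one person has >1 account
      deprovisioning_gaps  emp_ids not active in HR that still hold accounts
    """
    hr_by_emp, hr_by_mail = build_hr_index(hr_records)
    identities = defaultdict(lambda: {"oid": [], "ad": []})
    orphans = []
    stores = [
        ("oid", oid_records, "uid", "employeenumber", "mail"),
        ("ad", ad_records, "sAMAccountName", "employeeID", "mail"),
    ]
    for store, records, acct_field, id_field, mail_field in stores:
        for rec in records:
            emp_id, method = match_to_hr(rec, id_field, mail_field, hr_by_emp, hr_by_mail)
            if emp_id is None:
                orphans.append((store, rec[acct_field]))
            else:
                identities[emp_id][store].append((rec[acct_field], method))
    duplicates = [(emp, store) for emp, accts in identities.items()
                  for store in ("oid", "ad") if len(accts[store]) > 1]
    deprovisioning_gaps = [emp for emp, accts in identities.items()
                           if hr_by_emp[emp]["status"] != "active"
                           and (accts["oid"] or accts["ad"])]
    return dict(identities), orphans, duplicates, deprovisioning_gaps


if __name__ == "__main__":
    ids, orphans, dups, gaps = aggregate(HR_RECORDS, OID_RECORDS, AD_RECORDS)
    for emp, accts in ids.items():
        print(emp, accts)
    print("orphans:", orphans)
    print("duplicates:", dups)
    print("de-provisioning gaps:", gaps)
```

On the constructed data this links three directory accounts to E1001 and flags `aruiz2` as a duplicate in OID, reports `svc-backup` as an orphan with no HR owner, and lists E1002 as a de-provisioning gap because HR shows the person terminated while an OID account still exists. Matches made by e-mail rather than employee number are labelled so that the line manager signing off the future state can review them before they are used to seed the common identifier.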

Once you have completed phase 2, check in with your implementation team and vendor to
confirm your implementation forecast, and check in on the required internal support team.

I found that phase 3 is a good time to bring in your vendor's technical implementation team for
meetings as you work through defining your long-term architecture and support.

Phase 3 should be your time to focus on creating your internal long-term support system for
your Enterprise IT Security Business Service goals. The challenge is that with a decentralized
model you will need to create a core IDM team that works with the individual environment
owners. This can be done by implementing delegated administration and IDW workflows.

In this phase you will need to work with the various environment owners to architect and
document the new virtual connections (OVD/federation) and how to maintain them.

This will ease the implementation phases.

Phase 4 is where you can then implement the technology solutions that automate the previous
phases and create the “bridges” to join the various environments. These projects include the
implementation of:

    •   Virtual Directory

    •   Password Synchronization

    •   Role discovery (RBAC)

    •   Automated provisioning via IDM to directory target systems (OID, AD, etc.)

Once you have completed the integration of the directories this opens the doors to enterprise
application access in Phase 6.

If you are starting a new project, be sure to implement the early phases before spending the budget on
technical services.

If you are in the middle of this project you can still work through this approach to realign your
implementation.

As you do you will be challenged by the constant need to provide ROI for the selected t

To navigate this balance you will need to carefully select the low-hanging fruit, like allowing a
single sign-on or password-sync implementation in environments that have met the data
requirements and only require minimal role definition. But be sure to go back and work through the
foundation phases as you work to improve your enterprise.
