The Path to Identity Access Management Assessment
- 1. The Path to IAM Maturity Jerod Brennen, Security Architect
- 3. #GetIAMRight 3 A Decade of Data Breaches: Lessons Learned From https://www.f5.com/labs/articles/threat-intelligence/lessons-learned-from-a-decade-of-data-breaches-29035
- 5. IAM Fundamental s Maturity Models Getting From Here to There Next Steps
- 7. #GetIAMRight 7 Users Need “Things” Entitlements – The things tied to a user (hardware, licenses, access, etc.) Attributes – Flags that indicate which things a user should have Provisioning – Granting entitlements to a user account Deprovisioning – Removing entitlements from a user account
- 8. #GetIAMRight 8 Traditional IAM Lifecycle Image from https://www.kuppingercole.com/watch/consumer_focused_identity_management
- 10. Maturity Models
- 11. #GetIAMRight 11 Capability Maturity Model Level Description 5 - Efficient Process management includes deliberate process optimization/improvement. 4 – Capable The process is quantitatively managed in accordance with agreed- upon metrics. 3 – Defined The process is defined/confirmed as a standard business process. 2 – Repeatable The process is at least documented sufficiently such that repeating the same steps may be attempted. 1 – Initial Chaotic, ad hoc, individual heroics; the starting point for use of a new or undocumented repeat process. From https://en.wikipedia.org/wiki/Capability_Maturity_Model
- 14. Getting From Here to There
- 15. #GetIAMRight 15 1 – Initial • Chaotic, ad hoc, individual heroics; the starting point for use of a new or undocumented repeat process. • Getting from 1 to 2 • Perform an IAM program maturity assessment • Document manual procedures • Explore automation opportunities (provisioning, deprovisioning, self-service password resets)
- 16. #GetIAMRight 16 2 – Repeatable • The process is at least documented sufficiently such that repeating the same steps may be attempted. • Getting from 2 to 3 • Document IAM policies, procedures, and standards • Start consolidating identities (centralize directories, single sign-on, federated authentication) • Take inventory of privileged/service accounts • Take inventory of remote/cloud users and applications
- 17. #GetIAMRight 17 3 – Defined • The process is defined/confirmed as a standard business process. • Getting from 3 to 4 • Align provisioning/deprovisioning activities with business processes • Explore integration between IAM and security incident response • Improve privilege management (2FA) • Improve remote/cloud IAM (2FA) • Document IAM metrics
- 18. #GetIAMRight 18 4 – Capable • The process is quantitatively managed in accordance with agreed-upon metrics. • Getting from 4 to 5 • Improve IAM / business process integration • Measure and manage those improvements • Update IAM controls in conjunction with policies, procedures, and standards
- 19. #GetIAMRight 19 5 - Efficient • Process management includes deliberate process optimization / improvement.
- 20. #GetIAMRight 20 EY IAM Transformation Graph From https://www.ey.com/Publication/vwLUAssets/EY_-_Evolving_identity_and_access_management/$ FILE/EY-Evolving-identity-and-access-management.pdf
- 21. #GetIAMRight 21 Point Solution or Platform? • Feature set (want vs. need) • Architecture (open vs. closed) • IT resource availability • User experience • Total cost of ownership
- 22. Next Steps
- 23. #GetIAMRight 23 Ask Strategic Questions • Do you have an IAM strategy in place? • If so, what is that strategy? • Do you have executive/stakeholder support for your IAM initiatives? • How would you prioritize the following IAM benefits? • Governance • User & Administrator Experience (e.g., automation, efficiency) • Cost Avoidance / Cost Reduction • How widespread is current SaaS/PaaS/IaaS usage in your environment?
- 24. #GetIAMRight 24 People • Start talking to people (users, administrators, HR) • Identify your internal advocates (leadership, business, IT, etc.) • Engage (or assemble) your Information Security/Risk Governance Committee
- 25. #GetIAMRight 25 Process • Identify your IAM processes (manual and automated) • Sit down with those being provisioned to learn the process • Sit down with those doing the provisioning/deprovisioning to learn the process
- 27. #GetIAMRight 27 Resources Capability Maturity Model • https://en.wikipedia.org/wiki/Capability_Maturity_Model Gartner IAM Program Maturity Model • https://www.slideshare.net/smooregartner/the-gartner-iam-program-maturity-model EY - Identity and access management - Beyond compliance • http://www.ey.com/gl/en/services/advisory/identity-and-access-management--- beyond-compliance Using an IAM maturity model to hone identity and access management strategy • http:// searchsecurity.techtarget.com/tip/Using-an-IAM-maturity-model-to-hone-identity-and-acce ss-management-strategy
- 28. #GetIAMRight 28 Contact Info Email – Jerod.Brennen@OneIdentity.com LinkedIn - https://www.linkedin.com/in/slandail/ Twitter - https://twitter.com/slandail GitHub - https://github.com/slandail SlideShare - https://www.slideshare.net/JerodBrennenCISSP Speaker Deck - https://speakerdeck.com/slandail/
Editor's Notes
- #17: Streamline user identity management, privilege access, and security Integrate IAM with incident response SSO / federation for SaaS applications
- #18: Refine existing IAM controls, based on feedback from the business.
- #20: By understanding an individual organization’s drivers (business value vs. risk reduction), we can help them identify the solutions closely aligned with those drivers.