Identity and Access Management: Overview

Quality in Identity and Access Management Systems
IDM: Overview
Michele Brass, PMP
PMI Westchester Chapter
Program Manager – Collaboration Tools

Objectives
• Demonstrate how important data quality and data accuracy are with Identity and Access Management systems
• Discuss data flows and the problems and opportunities faced
• Build a good conceptual background
• Introduce terminology
• Promote future discussions

Session Agenda
• Identity Problem of Today
• Identity Laws and Metasystem
• Components and Terminology

Identity Problem of Today

Universal Identity?
• In-house networks use multiple, often mutually incompatible, proprietary identity systems
• Users are incapable of handling multiple identities
• Criminals love to exploit this mess

Explosion of IDs
(Chart: number of digital IDs plotted against time. The curve rises through the Mainframe era (pre 1980’s), Client Server (1980’s), Internet (1990’s) and Mobility (2000’s), as the population of identities grows from the Company (B2E) to Customers (B2C) to Business Partners and Automation (B2B).)

The Identity And Access Management Chaos
(Diagram: every system keeps its own •Authentication •Authorization •Identity Data. Systems shown: HR System, NOS, Enterprise Directory, Lotus Notes Apps, Infra Application, Kelly IT Consulting Feed, In-House Application, Other Applications.)

Multiple Contexts
(Diagram of the contexts an identity touches: your COMPANY and your EMPLOYEES, your CUSTOMERS, your SUPPLIERS, your PARTNERS, and your REMOTE and VIRTUAL EMPLOYEES. Drivers shown: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce.)

What is Identity Management?
(Diagram labels: Web Services, Security, Authorization.)

Identity And Access Management is
A system of procedures, policies and technologies to manage the lifecycle of entitlements of electronic credentials for your organization, business partners and customers.

Identity and Access Management Touches
• Directory Services: repositories for storing and managing accounts, identity information, and security credentials
• Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
• Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance

Trends Impacting Identity
• Rising Tide of Regulation and Compliance
  - SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
  - $15.5 billion spend in 2005 on compliance (analyst estimate)
• Deeper Line of Business Automation and Integration
  - One half of all enterprises have SOA under development
  - Web services spending growing 45% CAGR
• Increasing Threat Landscape
  - Identity theft costs banks and credit card issuers $1.2 billion in 1 year
  - $250 billion lost in 2004 from exposure of confidential info
• Maintenance Costs Dominate IT Budget
  - On average employees need access to 16 apps and systems
  - Companies spend $20-30 per user per year for PW resets
Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice

Pain Points
• IT Admin: too many user stores and account admin requests; unsafe sync scripts
• Developer: redundant code in each app; rework code too often
• End User: too many passwords; long waits for access to apps, resources
• Security/Compliance: too many orphaned accounts; limited auditing ability
• Business Owner: too expensive to reach new partners, channels; need for control

Simplify Enterprise Identity Management
(Diagram labels: NOS, LDAP, IDM, SQL, LOB Apps, Identity Data.)
• Directory Synchronization: Active Directory & ADAM; Sun/iPlanet Directory; Novell eDirectory; Microsoft SQL; Oracle; Lotus Notes; Microsoft Exchange; Microsoft NT; DSML, LDIF, CSV, fixed width; …others to follow
• Password Management: self-service password reset; helpdesk password reset
• User Provisioning: automate account create/delete

Who Are The Current Major Vendors?
• Microsoft Forefront Identity Management (FIM)
• Oracle Identity Manager
• Computer Associates Identity And Access Manager

Identity Management Concepts
• Connected directory: source and/or destination for synchronized attributes
• Connector space (CS): staging area for inbound or outbound synchronized attributes
• Metaverse (MV): central store of identity information. Matching CS entries to a single MV entry is called “join”
(Diagram labels: Connected Directories (iPlanet, Oracle, SQL, Exchange 5.5), User, Connector Space, Metaverse.)

Provisioning & de-provisioning
(Diagram: a Source record and several target records, each carrying Title, Tel No. and Email, connected through the Provisioning Engine.)

Provisioning & de-provisioning
(Diagram: the same flow, with a Join step added between the Source and the Provisioning Engine.)

Provisioning Types
• Simple Provisioning
• MA code modifies attributes as they flow
• MA config flows attributes intact
(Diagram: the HR MA Connector Space holds Surname = Hendrix and First Name = Jimi; the Metaverse holds the Constructed Attributes cn = Hendrix, Jimi and displayName = Jimi Hendrix; the Email MA Connector Space holds the Flowed Attributes cn = Hendrix, Jimi and MailboxName = Jimi Hendrix, the MA mapping attributes between the two.)

Provisioning Lifetime
Provisioning & de-provisioning: Provision → Join and synchronize → Password Synch → De-provision
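The three preceding slides (concepts, provisioning types, and the provisioning lifetime) describe one mechanism from different angles. The toy engine below is an added example written for this transcript; it is not code from the deck or from any vendor product named in it. It models the deck's vocabulary directly: an HR feed and an e-mail directory as connected directories, one connector space per management agent, a metaverse that joins connector-space entries into a single identity, attributes that flow intact versus attributes constructed by MA code (the deck's "Hendrix, Jimi" case), and provisioning and de-provisioning of the target account. All records, employee IDs and telephone numbers are constructed for the example; password synchronization is not modelled.

```python
"""Toy metaverse synchronization engine (added example, not the deck's own code)."""
from copy import deepcopy

# Constructed sample data. The first name follows the deck's example; the
# other records, IDs and numbers are made up for this illustration.
HR_FEED = [
    {"employeeID": "1001", "Surname": "Hendrix", "First Name": "Jimi",
     "Title": "Guitarist", "Tel No.": "555-0101"},
    {"employeeID": "1002", "Surname": "Joplin", "First Name": "Janis",
     "Title": "Vocalist", "Tel No.": "555-0102"},
]

# Existing e-mail directory, keyed by cn. "Morrison, Jim" has no HR record,
# so it is an orphaned account; Hendrix's MailboxName is stale.
EMAIL_DIR = {
    "Hendrix, Jimi": {"MailboxName": "J Hendrix", "enabled": True},
    "Morrison, Jim": {"MailboxName": "Jim Morrison", "enabled": True},
}


def hr_ma_import(hr_feed):
    """HR MA: stage HR records in the connector space.

    Surname, First Name, Title and Tel No. flow intact; cn and displayName
    are constructed by MA code as the attributes flow.
    """
    cs = []
    for rec in hr_feed:
        cs.append({
            "employeeID": rec["employeeID"],
            "Surname": rec["Surname"],
            "First Name": rec["First Name"],
            "Title": rec["Title"],
            "Tel No.": rec["Tel No."],
            "cn": f'{rec["Surname"]}, {rec["First Name"]}',
            "displayName": f'{rec["First Name"]} {rec["Surname"]}',
        })
    return cs


def join_to_metaverse(cs_entries, metaverse, join_attr="cn"):
    """Join each CS entry to the single MV entry with the same join attribute.

    A CS entry with no matching MV entry is projected as a new identity.
    """
    for entry in cs_entries:
        mv = metaverse.setdefault(entry[join_attr], {})
        mv.update(entry)  # attribute flow from the connector space into the MV


def email_ma_export(metaverse, email_dir):
    """Email MA: flow cn intact, map displayName to MailboxName, provision."""
    provisioned = []
    for cn, mv in metaverse.items():
        if cn not in email_dir:
            provisioned.append(cn)  # no account yet: this is provisioning
        email_dir[cn] = {"MailboxName": mv["displayName"], "enabled": True}
    return provisioned


def deprovision_orphans(metaverse, email_dir):
    """Disable e-mail accounts that no longer join to an HR-backed MV entry.

    An account with no authoritative source is an orphan; disabling it is
    the de-provisioning step of the lifecycle.
    """
    orphans = [cn for cn in email_dir if cn not in metaverse]
    for cn in orphans:
        email_dir[cn]["enabled"] = False
    return orphans


def run_sync(hr_feed, email_dir):
    """One cycle: import and join, export (provision), then de-provision.

    Returns (metaverse, updated e-mail directory, provisioned, orphaned).
    The input directory is copied, so callers can chain cycles.
    """
    email_dir = deepcopy(email_dir)
    metaverse = {}
    join_to_metaverse(hr_ma_import(hr_feed), metaverse)
    provisioned = email_ma_export(metaverse, email_dir)
    orphans = deprovision_orphans(metaverse, email_dir)
    return metaverse, email_dir, provisioned, orphans


if __name__ == "__main__":
    mv, mail, new, gone = run_sync(HR_FEED, EMAIL_DIR)
    print("provisioned:", new)
    print("orphaned (disabled):", gone)
    print("Hendrix mailbox now:", mail["Hendrix, Jimi"]["MailboxName"])
    # A second cycle after Joplin leaves HR de-provisions her mailbox too.
    _, mail2, _, gone2 = run_sync(HR_FEED[:1], mail)
    print("orphaned after leaver:", gone2)
```

Running it shows the three outcomes the slides list: Joplin's account is provisioned, Hendrix's stale MailboxName is corrected because the HR feed is authoritative (the "improved data accuracy" the deck promises), and Morrison's orphaned account is disabled. A second cycle with Joplin removed from the HR feed disables her mailbox as well, which is the de-provisioning end of the lifetime.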

Password Management
• Initial password set
• Password Synchronization
• Centralized password control via a Web app
• Self-service password reset
• Helpdesk password reset
(Diagram labels: Active Directory, Web app, IDM, Business Directory.)

Possible Savings
• Directory Synchronization: improved data accuracy; improved updating of user data; improved list management
• Password Management: “password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner
• User Provisioning: “Improved IT efficiency”; “Reduced help desk costs: $75 per user per year” – Giga Information Group

Can We Just Ignore It All?
• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• The number of phishing and pharming sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems
Source: Microsoft’s internal research and Anti-phishing Working Group Feb 2005

Solution?
Better Option: build a global, universal, federated identity metasystem
Will take years…

Identity Laws
www.identityblog.com – good source on the web
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Directed Identity
4. Pluralism of Operations and Technologies
5. Human Integration
6. Consistent Experience Across Contexts

Remember the Chaos?
(The chaos diagram again: every system keeps its own •Authentication •Authorization •Identity Data. Systems shown: HR System, NOS, Enterprise Directory, Lotus Notes Apps, Infra Application, Kelly IT Consulting Feed, In-House Application, Other Applications.)

Identity And Access Management Benefits
Benefits today (Tactical):
• Save money and improve operational efficiency
• Improved time to deliver applications and service
Benefits to take you forward (Strategic):
• New ways of working
• Improved time to market
• Enhance Security
• Regulatory Compliance and Audit
• Closer Supplier, Customer, Partner and Employee relationships

IDM Architecture

In the end...
The identity platform is complex as it touches the entire enterprise!