Identity and Access Management
Dustin Puryear
Sr. Consultant, Puryear IT, LLC
[email protected]
http://www.puryear-it.com/
Objectives
Find a common background for discussing IAM
Discuss problems and opportunities in the field
Introduce terminology
Highlight a possible future direction
Session Agenda
Today’s Problems
Making It All Better
Now What?
Viva La Resistance!
This Presentation
This presentation was written with audit/compliance in mind.
Contact [email protected] to have Dustin Puryear present this topic to your organization or company.
Today’s Problems
Who am I? Who are you?
Networks use multiple identity systems
The Internet is no better
Users get confused by all of these IDs
Management and audit have difficulty keeping track of all these IDs
The bad guys are quite happy
So many IDs!
One person, many accounts:
Active Directory account
Online HR Info account
PeopleSoft user account
…
Multiple Contexts
Remote Employees
Employees
Customers
Suppliers
Partners
Trends
Regulation and Compliance
SOX, HIPAA, GLB
Increasing Threats
Identity theft
Exposure of confidential info
Maintenance Costs
The average employee needs access to 16 applications
Companies spend an estimated $20-30 per user per year on password resets
The Real Impact
End-users
Too many IDs
Too many passwords
Must wait for access to applications
Administrators
Too many IDs
Too many end-user requests
Difficult or unreliable ways to sync all the accounts
Audit/Compliance
Orphaned accounts
Limited or no audit capability
Where are the audit trails?
Making It All Better
Identity and Access Management
IAM brings together:
Password Management
Role Management
User Provisioning
Authorization
Directories
Audits & Reporting
The Benefits of IAM
Save money
Improve operational efficiency
Reduce time to deliver applications and services
Enhance security
Enhance regulatory compliance
Give more power to audit
Let’s Define IAM Terms
Authentication (AuthN)
Verify that a person is who they claim to be
This is where multi-factor authentication comes into play
Identification and authentication are related but not the same: identification is the claim (a username), authentication is the proof of that claim (a password, token or biometric)
Authorization (AuthZ)
Deciding what resources can be accessed/used by a user
Accounting
Records what a user did and which resources they used; this is what audit trails (and, where applicable, chargeback) are built on
IAM is a Foundation
Identity Management
Administration
Account Provisioning &
Deprovisioning
Synchronisation
User Management
Password Management
Workflow
Delegation
Audit and Reporting
Access Management
AuthN
AuthZ
Now What?
Implement IAM!
Start Slow!
Define your Single Source of Truth (SSOT)
Unfortunately, there may be more than one (e.g. one for employees and another for contractors or customers)
Implement the “big wins”
User provisioning to Active Directory
Password resets
But How?
SSOT
Work with your team, IT, and management to determine the true source of user information
User Provisioning to AD
It’s already happening!
Solutions
Microsoft ILM
CA eTrust Admin
Sun IM
…
The Results!
User provisioning can be automated
Password resets can be delegated to the helpdesk
And the big one:
You can now audit both the user provisioning and password resets
The Next Step
Extend User Provisioning
To PeopleSoft
Lawson
Oracle
Custom/in-house applications
Begin consolidating user directories
Can you point some or all of your applications at AD or LDAP?
Authorization
This is the hard one!
Applications define their AuthZ rules differently
Try to consolidate to an AD/LDAP AuthZ landscape
Tackle this one application at a time!
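The Authorization slide above says that every application defines its AuthZ rules differently and that they should be moved, one application at a time, onto an AD/LDAP group model. As an added example that is not part of the presentation or of any product it names, the Python below shows the before and after for one application and the diff a practitioner would review before cut-over. The payroll application, its role table, the group names and every user are constructed assumptions. It goes one step beyond the slide by resolving nested groups: Active Directory allows a group to contain other groups, so a user's effective membership is transitive, and a check that only looks at direct members under-counts access (and must not loop forever on a membership cycle).

```python
"""Added example (not from the presentation): move one application's authorisation
from its own role table onto directory group membership, and diff the two decision
sources before cut-over. All users, groups and roles below are constructed."""

# Constructed directory snapshot: group -> direct members. Members prefixed "grp:"
# are nested groups, which AD permits, so effective membership is transitive.
GROUPS = {
    "app-payroll-readers": {"asmith", "grp:finance-leads"},
    "app-payroll-admins": {"kpatel"},
    "finance-leads": {"jdoe"},
    "sales": {"bjones", "grp:sales-contractors"},
    "sales-contractors": {"grp:sales"},   # a cycle; real directories allow this too
}


def effective_members(group, groups=GROUPS):
    """Flatten nested groups into the set of users, guarding against cycles."""
    seen, users, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in groups.get(g, ()):
            if m.startswith("grp:"):
                stack.append(m[len("grp:"):])
            else:
                users.add(m)
    return users


# Before: the application keeps its own role table, invisible to the directory,
# to provisioning and to audit (bjones has left, but nobody told this app).
LEGACY_ROLES = {"asmith": "reader", "jdoe": "reader", "kpatel": "admin", "bjones": "reader"}
LEGACY_PERMS = {"reader": {"view"}, "admin": {"view", "edit"}}


def legacy_allowed(user, action):
    role = LEGACY_ROLES.get(user)
    return role is not None and action in LEGACY_PERMS[role]


# After: the application keeps its permission names; the directory owns membership.
PERMISSION_GROUPS = {
    "view": ["app-payroll-readers", "app-payroll-admins"],
    "edit": ["app-payroll-admins"],
}


def directory_allowed(user, action, groups=GROUPS):
    return any(user in effective_members(g, groups) for g in PERMISSION_GROUPS.get(action, ()))


def migration_diff(users, groups=GROUPS):
    """For each user and permission, where do the old and new sources disagree?
    Run this before cut-over so the move neither silently grants nor drops access."""
    return [(u, a, legacy_allowed(u, a), directory_allowed(u, a, groups))
            for u in users for a in PERMISSION_GROUPS
            if legacy_allowed(u, a) != directory_allowed(u, a, groups)]


if __name__ == "__main__":
    print(sorted(effective_members("app-payroll-readers")))
    print(migration_diff(["asmith", "jdoe", "kpatel", "bjones"]))
```

The one row `migration_diff` reports is the point of the exercise: the legacy table still grants view access to a user the directory no longer knows, which is exactly the orphaned-rights problem the earlier slides describe. Each such row needs an owner's decision (grant in the directory, or confirm it should be dropped) before the application is switched over.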
The Power is Yours
You can now audit/review:
Who has what accounts?
Why do they have those accounts?
Who approved those accounts?
Are there any orphaned accounts?
Who has access to what?
For how long have they had that access?
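The Now What? and Results slides describe the first two wins (provisioning from the SSOT into the directory, and delegated password resets, both auditable), and the list just above is what the resulting audit trail should be able to answer. As an added example, not from the presentation or from any vendor product it names, the Python below implements that loop over a constructed HR feed and directory export: it plans joiner/leaver actions, applies them, logs a delegated reset (and a refused one), and answers "who approved", "for how long" and "which accounts are orphaned" from the trail. The logins, employee ids, managers, dates and the helpdesk user are all assumptions.

```python
"""Added example (not from the presentation): reconcile a Single Source of Truth
(an HR feed) against a directory export, plan and apply provisioning, log delegated
password resets, and answer the slides' review questions from the audit trail."""
from dataclasses import dataclass, field
from datetime import date

# Constructed SSOT: HR feed keyed by employee id. The HR status is authoritative.
HR_FEED = {
    "1001": {"login": "asmith", "status": "active", "manager": "jdoe"},
    "1002": {"login": "bjones", "status": "terminated", "manager": "jdoe"},
    "1003": {"login": "cnguyen", "status": "active", "manager": "kpatel"},
}
# Constructed directory export (an AD-style snapshot): login -> attributes.
DIRECTORY = {
    "asmith": {"enabled": True, "employee_id": "1001"},
    "bjones": {"enabled": True, "employee_id": "1002"},    # leaver, still enabled
    "svc_backup": {"enabled": True, "employee_id": None},  # no owner in the SSOT
}

@dataclass
class AuditEvent:
    day: date
    action: str     # "create", "disable", "password_reset" or "password_reset_refused"
    account: str
    actor: str      # who did it: the provisioning job or a helpdesk user
    approver: str   # who authorised it: the manager of record, an HR status or a policy

@dataclass
class Reconciler:
    hr: dict
    directory: dict
    trail: list = field(default_factory=list)   # append-only audit trail

    def _by_login(self):
        return {rec["login"]: (emp_id, rec) for emp_id, rec in self.hr.items()}

    def plan(self):
        """Compare SSOT to directory. Returns (to_create, to_disable, orphans)."""
        by_login = self._by_login()
        to_create = [rec["login"] for rec in self.hr.values()
                     if rec["status"] == "active" and rec["login"] not in self.directory]
        to_disable, orphans = [], []
        for login, acct in self.directory.items():
            match = by_login.get(login)
            if match is None:
                orphans.append(login)          # nobody in the SSOT owns this account
            elif match[1]["status"] != "active" and acct["enabled"]:
                to_disable.append(login)       # leaver whose account is still live
        return to_create, to_disable, orphans

    def apply(self, today, actor="provisioning-job"):
        """Execute the plan and log each change; orphans are only reported, a human decides."""
        to_create, to_disable, orphans = self.plan()
        by_login = self._by_login()
        for login in to_create:
            emp_id, rec = by_login[login]
            self.directory[login] = {"enabled": True, "employee_id": emp_id}
            self.trail.append(AuditEvent(today, "create", login, actor, rec["manager"]))
        for login in to_disable:
            self.directory[login]["enabled"] = False
            self.trail.append(AuditEvent(today, "disable", login, actor, "hr-status:terminated"))
        return orphans

    def helpdesk_reset(self, login, helpdesk_user, today):
        """Delegated reset for active users with a live account; resets and refusals are both logged."""
        match = self._by_login().get(login)
        acct = self.directory.get(login)
        ok = match is not None and match[1]["status"] == "active" and bool(acct and acct["enabled"])
        action = "password_reset" if ok else "password_reset_refused"
        self.trail.append(AuditEvent(today, action, login, helpdesk_user, "policy:helpdesk-reset"))
        return ok

    # The review questions from the slides, answered from the trail rather than from memory.
    def who_approved(self, login):
        return [e.approver for e in self.trail if e.account == login and e.action == "create"]

    def access_duration_days(self, login, today):
        created = [e.day for e in self.trail if e.account == login and e.action == "create"]
        return (today - created[0]).days if created else None

def run_demo():
    """Run the scenario end to end and return the answers for inspection."""
    r = Reconciler(HR_FEED, {k: dict(v) for k, v in DIRECTORY.items()})
    first_plan = r.plan()
    orphans = r.apply(date(2008, 1, 15))
    reset_ok = r.helpdesk_reset("asmith", "helpdesk-mlee", date(2008, 2, 1))
    reset_leaver = r.helpdesk_reset("bjones", "helpdesk-mlee", date(2008, 2, 1))
    return {
        "first_plan": first_plan,
        "orphans": orphans,
        "bjones_enabled": r.directory["bjones"]["enabled"],
        "resets": (reset_ok, reset_leaver),
        "cnguyen_approver": r.who_approved("cnguyen"),
        "cnguyen_days": r.access_duration_days("cnguyen", date(2008, 3, 15)),
        "trail": [(e.action, e.account, e.actor) for e in r.trail],
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design choices matter for audit. Orphans are reported, never auto-disabled: an account with no SSOT owner is often a service account, and disabling it from a script is how provisioning projects earn the "IT resistance" described later in the deck. And the helpdesk path logs refusals as well as successes, so an attempt to reset a leaver's password shows up in the same trail the auditor already reads.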
And there is more..
You can control access to your web-enabled applications using a Web Access Manager (WAM)
Don't forget about SSO!
What about federated identities and your partners and suppliers?
Viva La Resistance!
IT Resistance
Sometimes IT resists a formalized IAM process because:
“We are too busy”
“We can’t afford it”
“We don’t want to give up control!”
“We are Too Busy”
This is a common response
IT is too busy..
Because they are resetting passwords all day
Working too hard to create accounts
Learning too late that orphaned accounts are being misused/attacked
“We Can’t Afford It”
There are small and big solutions to this problem
If you are an AD-only shop with minimal applications, then you can start small
Larger enterprises have no choice, they can't afford not to!
“We Don’t Want to Give Up Control!”
This is usually the root of the disagreement.
They are responsible for IT
They don’t want problems in IAM to reflect poorly on them
They are used to the control, even if it’s not necessary
A Compromise
Take control without giving up control!
A middle-ground:
IAM solutions can be used to explore user directories/databases
Reports can be generated
IT can still do the provisioning itself
Summary
It’s becoming impossible to manage all of these accounts and rights by hand
You can automate controls
You can automate audit reports
You can control THE PROCESS!
Who We Are
Puryear IT is THE IAM specialist in Louisiana
We help small and large companies, ranging from 100 users to more than 20,000 users
We are vendor-agnostic, and have worked with everyone, including:
Microsoft
CA
Sun
We Can Help IT to..
Help you tackle your IAM needs
Integrate Linux, UNIX, and J2EE into Active Directory
Build out AAA solutions
Deploy Microsoft ILM, Sun IM, Novell IM, and CA IM
Deploy small and large solutions
We Can Help Audit/Compliance to..
Build an automated user account and access rights tracking solution
Log changes to user accounts and access rights
Ensure passwords are changed as policies and regulations require
Help you communicate your needs to IT
Automate your manual tasks
Doing IAM Right
Puryear uses a methodical approach to:
Identify organization pain points
Identify organization audit requirements
Work with IT and audit to prioritize needs
Develop an initial pilot deployment
Roll out the final solution
Help you manage and extend the solution