1. Identity & Access
Management
K. K. Mookhey
CISA, CISSP, CISM
Principal Consultant
www.niiconsulting.com

2. Agenda
 Introduction
 Ground Reality
 Cases
 Real-world impacts
 Vulnerabilities
 Building the Business Case
 What is IAM?
 Demystifying IAM
 Implementation Challenges
www.niiconsulting.com

3. Speaker Introduction
 Founder & Principal Consultant, Network
Intelligence
 Certified as CISA, CISSP and CISM
 Speaker at Blackhat 2004, Interop 2005, IT
Underground 2005, OWASP Asia 2008,2009
 Co-author of book on Metasploit Framework
(Syngress), Linux Security & Controls (ISACA)
 Author of numerous articles on SecurityFocus,
IT Audit, IS Controls (ISACA)
 Conducted numerous pen-tests, application
security assessments, forensics, etc.
www.niiconsulting.com

4. Ground Reality
www.niiconsulting.com

5. Strong passwords
 Written down
www.niiconsulting.com

6. Shoulder surfing
www.niiconsulting.com

7. Phishing
www.niiconsulting.com

8. www.niiconsulting.com

9. Password reset mechanism
 Vote for Cyber Security!
www.niiconsulting.com

10. www.niiconsulting.com

11. www.niiconsulting.com

12. Problem Description
www.niiconsulting.com

13. User Provisioning / De-provisioning
 Unique user IDs
 Providing access to applications
 Removing access across all applications &
systems
 Ghost IDs
 Vendor/System IDs
 Logging & Auditing
 Reviewing User Access Rights
 Default Credentials
www.niiconsulting.com

14. Password Management
 Password policies
 Complexity
 Aging
 Length
 History
 Account lockout
 Resetting passwords – 70% helpdesk calls
 Universal implementation
 System & Network Administrator Passwords
 User Passwords
 Application / Functional ID Passwords
www.niiconsulting.com

15. Access Management
 Cumbersome for users to remember
multiple IDs
 Multiple access control matrices increase
complexity
 Heterogeneous environments
 Deperimeterization
www.niiconsulting.com

16. Demystifying IAM Solutions
www.niiconsulting.com

17. What does it stand for?
 Identity & Access Management
“Identity management is the set of business
processes, and a supporting infrastructure, for the
creation, maintenance, and use of digital identities.”
The Burton Group
 But then what are Solutions for:
 User Provisioning
 Single Sign On
 Web Access Management
 Multi-Factor Authentication
 Identity Lifecycle Management
www.niiconsulting.com

18. Basic Layout
www.niiconsulting.com

19. www.niiconsulting.com

20. IAM Solutions
 User Provisioning
 Enterprise Single
Sign On
 Web Access
Management
www.niiconsulting.com

21. Features to look out for
Critical Decision Criteria
www.niiconsulting.com

22. Top 5 Critical Success Factors
1. Identify Business Unit Champions
 Foundation of IAM Project
 Enterprise Applications or BU’s most likely to improve
(SAP, Core Banking, etc.) through IAM
 Business owner who has fully bought into the project
2. Perform Vendor Analysis
 Vendor’s Financial Stability
 Usability without Vendor Presence
 Revenue Growth
 Customer Base – Similar Size/Industry
 Strategic Partners
 Product Vision & Roadmap
www.niiconsulting.com

23. Top 5 Critical Success Factors
3. Define project  Non-Functional Requirements
requirements  Non-Functional Requirements
 Functional Requirements  Scalability & Performance (#
 User administration of users per server)
 Delegation of user  Fault Tolerance
administration  Disaster Recovery –
 Role-based access control Geographically Diversified
 User self-service  Solution configuration
 Customization of user  Training – Administrator &
interface End-User
 Workflow
 Auditing & reporting
 Extensibility
 Applications interface with
 Security of the product itself
www.niiconsulting.com

24. Top 5 Critical Success Factors
4. Thorough Knowledge of Technical Features
 Architecture –
 Does it fit with your architecture
 Is it cohesive or put together
 Ability to adapt and improve your business processes
 Integration with your technology – AS400, SAP, Core
Banking Solution, Windows, Unix, etc.
 Password Management capabilities
 Policy Management – Canned policies, policy wizards
 TCO –money, FTEs to administer the product
 Tiered, delegated, self-serviced administration
 Deployability
 Reporting & Auditing – Regulatory/Privacy
 New Features – Virtual Directory Support, Web Access
Management
www.niiconsulting.com

25. Top 5 Critical Success Factors
5. Bring business into the picture centrally
 Did it meet the business requirements
 Can you quantify the benefits from the solution
 Constantly communicate project expectations
and benefits to business units
 Not just another vendor/solution
www.niiconsulting.com

26. Multi-factor authentication
www.niiconsulting.com

27. User Provisioning
www.niiconsulting.com

28. Integration with Physical Security
www.niiconsulting.com

29. Extensive Reporting Capability
www.niiconsulting.com

30. Key Benefits
www.niiconsulting.com

31. 5 Key Benefits
 Improved user experience
 Help users control their online identities
 Enables simplified sign-on
 Create a "circle of trust" in which participating organizations can
verify the authenticity of users in a federated model.
 Enhanced integration
 Enable organizations to manage digital identities across their
diverse and expanding infrastructure.
 A standards-based approach ensures investment protection and
dramatically reducing the risk of custom integration.
 Multipurpose platform
 Manage multiple authentication options from a single platform,
providing choice in any environment.
 Varying levels of authorization functionality
www.niiconsulting.com

32. 5 Key Benefits
 Centralized administration
 Simplify the management of digital identities and security policies
with one administrative model.
 Delegated administration of users and user self-service across
different identity and access management applications (i.e.,
authentication and authorization).
 Lower administrative costs and a reduced resource burden.
 Enhanced security
 Ensure greater levels of security to match the growing risk of
exposure and high stakes involved in e-business.
 Shift fluidly with an organization's perimeter, protecting the
business at the application level.
 Be the cornerstone to security enforcement, providing a basis for
consistent enforcement, audit and reporting of policies across the
e-business environment.
 Ensure regulatory and legal compliance
www.niiconsulting.com

33. Conclusion
 Benefits
 Improved user experience
 Enhanced integration
 Multipurpose platform
 Centralized administration
 Enhanced security
 Critical Success Factors
 Identify Business Unit Champions
 Thorough Vendor Analysis
 Well-defined Project Requirements
 Thorough Product Feature Understanding
 Taking Business On the Journey
www.niiconsulting.com

34. Questions?
Thank you! kkmookhey@niiconsulting.com
Information Security Information Security
Consulting Services Training Services
www.niiconsulting.com