A Pragmatic Approach to Identity and Access Management
1. A Pragmatic Solution For Identity & Access Management
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance
Tokio Marine Management, Inc.
[email_address]

2. This presentation is based on the paper “A Pragmatic Solution for Identity and Access Management”, previously presented at various conferences. The paper is available on my LinkedIn page: http://www.linkedin.com/in/hankgruenberg
For more information, contact me at [email_address] or USA: 917-626-8604.
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance
Tokio Marine Management, Inc.
New York, NY U.S.A.
22. Reconciling Directories (Phase 2 – Reconciliation…)

Paladin Meta Directory:
  Name      App   Acct ID   Role
  Y Berra   CIS   BERRAY    User
  Mantle    CIS   MM7       User
  Maris     CIS   RM9       User
  T Kubek   CIS   xyz448    User

Match? -> Active Directory
Match? -> Customer Information System
Problem

23. Which Directories To Automate? (Phase 2 – Reconciliation…)
*SSIS: SQL Server Integration Services
Negative Business Value: missing something that adversely impacted the business (resource, role, etc.)
Project Paladin
- IT has little control over aspects of access management for acquired products (structure, platform, etc.)
- Application delivery schedules are aggressive, and access management cannot be on the critical path
- Evolves over time (e.g., used Windows and now have a Linux app)
- Varies by how entitlements are represented and maintained, and by other issues related to referential integrity; do not underestimate issues concerning auto-provisioning or directory synchronization
- How to manage directory synchronization over 50+ data stores on different platforms, etc., and growing

- Apps are concerned only with their own A&A requirements
- Different IDs were assigned to the same individual
- No authoritative source for non-employees
- Human Resources was not concerned with A&A
- How to make terminations exhaustive and effective for all entitlements

- Enterprise requirements need a ‘top-down’ approach to the design
- Must also work ‘bottom-up’, since disparate directories already exist
- Understand the organization: HR functions; resources to be managed; roles within resources; roles within departments; who are the requestors? ROs? UAs?
- What are the policy, regulatory and security requirements?

- Fixed deadline – how to meet it
- Fixed objectives
- Use automated processes where they can be easily implemented (i.e., minimum interfaces)
- An access management capability from the enterprise perspective
- Foundation for further automation

Two-phased approach:
- New workflow with governance; meta-directory
- Reconciliations

- Incorporate people, resources, entitlements, roles and support personnel into workflows
- Define resources and roles
- Define role prototypes

The meta-directory:
- Drives all workflows
- Is the authoritative source for non-employees
- Contains the downstream directories’ account IDs
- Has the org chart for both employees and non-employees
- Holds employee data, as provided by HR
- Schedules recertification of people and entitlements
- Supports reconciliation using keys, not names

What are the workflows?
- Request – Approval – Provision
- Termination – De-provisioning
- Recertify an employee
- Recertify a non-employee
- Recertify entitlements for a resource
- Requesting a new resource
- Reconciliation corrections
- Trigger recertifications

HR interface:
- Cannot provide new hires until after they start
- Provisional Employee process

Do you have to?
- Avoid converting bad data
- Avoid converting non-employee entitlements
Comparing the MD against each downstream directory
- Assume that not all downstream directories are easily accessible
- Prioritize the low-hanging fruit

- Define processes to run on a schedule to extract downstream data
- Determine the differences between the directories
- Generate corrections
- What is the trend of errors found?
- Are the manual processes error-prone?
- Which user admins are not doing a satisfactory job? Or is it just a timing problem?
- Determine how the functions can be improved
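The reconciliation step above (extract downstream data, determine the differences against the meta-directory, generate corrections) and the slide's rule that matching uses keys rather than names can be shown in a few lines of code. The following is an added example, not code from the presentation or from Project Paladin. The meta-directory rows mirror the CIS table on slide 22; the downstream CIS extract is constructed so that it contains one name spelled differently (matched correctly because the account ID is the key), one locally changed role, one account missing downstream and one orphan account that has no meta-directory record. The correction categories and the `error_summary` tally that feeds the error-trend question are this example's own design, not the slide deck's.

```python
"""Reconcile a meta-directory (MD) extract against one downstream directory extract.

Added example, not from the presentation. All records are constructed.
Matching is done on the account ID key, never on the person's name.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    name: str      # display name, informational only; never used for matching
    app: str       # downstream resource / application
    acct_id: str   # the key the MD stores for that app (slide 22: "Acct ID")
    role: str


# Constructed meta-directory records, mirroring the CIS rows on slide 22.
META_DIRECTORY = [
    Entitlement("Y Berra", "CIS", "BERRAY", "User"),
    Entitlement("Mantle", "CIS", "MM7", "User"),
    Entitlement("Maris", "CIS", "RM9", "User"),
    Entitlement("T Kubek", "CIS", "xyz448", "User"),
]

# Constructed extract from the downstream CIS directory, as a scheduled extract job
# would produce it. Names differ in spelling from the MD (harmless with key matching),
# RM9 was given Admin locally, xyz448 is absent, and GHOST1 exists only downstream.
DOWNSTREAM_CIS = [
    {"name": "BERRA, YOGI", "acct_id": "BERRAY", "role": "User"},
    {"name": "Mickey Mantle", "acct_id": "MM7", "role": "User"},
    {"name": "Maris", "acct_id": "RM9", "role": "Admin"},
    {"name": "Unknown", "acct_id": "GHOST1", "role": "User"},
]


def reconcile(md, downstream, app):
    """Return sorted correction records (category, acct_id, action) for one app.

    Categories (this example's own naming):
      missing_downstream  account authorised in the MD but absent in the app: provision it
      orphan_downstream   account in the app with no MD record: disable pending review
      role_mismatch       same key, different role: reset the role to the MD value
    """
    md_by_key = {e.acct_id: e for e in md if e.app == app}
    ds_by_key = {r["acct_id"]: r for r in downstream}
    corrections = []
    for key, ent in md_by_key.items():
        if key not in ds_by_key:
            corrections.append(("missing_downstream", key,
                                f"provision {key} in {app} as {ent.role}"))
        elif ds_by_key[key]["role"] != ent.role:
            corrections.append(("role_mismatch", key,
                                f"set role of {key} in {app} to {ent.role} "
                                f"(found {ds_by_key[key]['role']})"))
    for key in ds_by_key:
        if key not in md_by_key:
            corrections.append(("orphan_downstream", key,
                                f"disable {key} in {app}; no meta-directory record"))
    return sorted(corrections)


def error_summary(corrections):
    """Count corrections per category; charting this run over run shows the error trend."""
    return dict(Counter(category for category, _, _ in corrections))


if __name__ == "__main__":
    result = reconcile(META_DIRECTORY, DOWNSTREAM_CIS, "CIS")
    for category, key, action in result:
        print(f"{category:20} {key:8} {action}")
    print(error_summary(result))
```

Running the extract on a schedule per downstream directory and keeping each run's `error_summary` gives the per-resource trend the last slide asks about; breaking the orphan and role-mismatch counts down by the user admin responsible for that resource is a matter of tagging each downstream record with its administrator before reconciling.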