Identity Management Network - ISACA Melbourne

Post on 29-Sep-2020


Identity Management Network http://www.identitymanagement.net.au

The Universe of Identity Management

Guy Lupo (CISSP) guy@securitydev.com www.securitydev.com

10.4.2005 www.identitymanagement.net.au 2

So what is Identity Management?

•  Is it technology?
•  Is it policy?
•  Is it business?
•  Who is responsible?
•  What constitutes an IDM solution?
•  How do I create a business case?
•  Who are the stakeholders?
•  More …


Agenda

•  From account administration to Identity Management
•  Identity Management building blocks
•  Identity Authority: four domains
•  Looking at the big picture
•  The Identity Management Network
•  Identity Management news feed


From Account Administration to Identity Management


The need to manage identities drives the 2005 market space: internal applications, online business, regulations, organized crime, business intelligence, insider fraud, standards and business growth.

Control & governance of identities is essential for today's business environment.


Until recently, identities were perceived as a collection of accounts and IT technologies.

Example: Alice holds two accounts behind the FW/VPN, Internal Auditor (ALICE_IA) and Program Manager (ALICE_PM), each with its own complex policy:

•  Policy for ALICE_IA: if ALICE_IA account, then allow A, B, C and block 1, 2, 3; if between 9-11 and ALICE_IA, then allow A, B.
•  Policy for ALICE_PM: if ALICE_PM account, then allow C, D, E and block 1, 2, 6, 7, 8; if between 9-11 and ALICE_PM, then allow all.

To switch roles Alice must: 1. log in as ALICE_IA; 2. log out of ALICE_IA; 3. log in as ALICE_PM.

Last year's focus was how to govern multiple accounts and their associated management challenges.
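The Alice slide above is easier to reason about in code. The following Python is an added example, not part of the original deck, and shows the identity-centric alternative: one identity holding two roles, with the policy selected by the active role, instead of two accounts and a logout/login to switch between them. The policy table is transcribed from the slide; the resource names A-E and 1-8, the treatment of the 9-11 rule as replacing the base allow-set during the window, and the deny-overrides handling of explicit blocks are assumptions made for the example.

```python
"""One identity, several roles: policy evaluation without a logout/login dance.

Added example, not from the original deck. Alice is one identity that holds two
roles; the active role selects the policy. The policy table is transcribed
from the slide. Assumptions: resource names A-E and 1-8 are placeholders, the
9-11 rule replaces the base allow-set during the window, and an explicit block
always wins (deny overrides).
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

WINDOW_HOURS = (9, 11)  # the slide's "between 9-11": 09:00 <= t < 11:00


@dataclass(frozen=True)
class RolePolicy:
    allow: FrozenSet[str]                   # base allow-set, used outside the window
    block: FrozenSet[str]                   # always denied, whatever else applies
    window_allow: Optional[FrozenSet[str]]  # replaces `allow` inside the window;
                                            # None means "allow all" (minus block)


# Transcribed from the slide; role names replace the ALICE_IA / ALICE_PM accounts.
POLICIES: Dict[str, RolePolicy] = {
    "Internal Auditor": RolePolicy(
        allow=frozenset("ABC"), block=frozenset("123"), window_allow=frozenset("AB")),
    "Program Manager": RolePolicy(
        allow=frozenset("CDE"), block=frozenset("12678"), window_allow=None),
}


def in_window(now: datetime) -> bool:
    return WINDOW_HOURS[0] <= now.hour < WINDOW_HOURS[1]


def decide(role: str, resource: str, now: datetime) -> Tuple[bool, str]:
    """Evaluate one role/resource/time; the default answer is deny."""
    policy = POLICIES.get(role)
    if policy is None:
        return False, "unknown role"
    if resource in policy.block:
        return False, "explicit block"
    if in_window(now):
        if policy.window_allow is None or resource in policy.window_allow:
            return True, "window rule"
        return False, "outside window allow-set"
    if resource in policy.allow:
        return True, "base rule"
    return False, "default deny"


@dataclass
class Identity:
    """One person, one identity, many roles; exactly one role is active at a time."""
    name: str
    roles: FrozenSet[str]
    active_role: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # answers "who did what?"

    def switch_role(self, role: str, now: datetime) -> None:
        # Replaces the slide's logout/login sequence: same identity, same session.
        if role not in self.roles:
            raise PermissionError(f"{self.name} does not hold role {role!r}")
        self.active_role = role
        self.audit.append(f"{now.isoformat()} {self.name} switched role -> {role}")

    def access(self, resource: str, now: datetime) -> bool:
        if self.active_role is None:
            allowed, reason = False, "no active role"
        else:
            allowed, reason = decide(self.active_role, resource, now)
        self.audit.append(f"{now.isoformat()} {self.name} as {self.active_role} "
                          f"-> {resource}: {'ALLOW' if allowed else 'DENY'} ({reason})")
        return allowed


def demo() -> Tuple[List[bool], List[str]]:
    """Walk Alice through both roles, inside and outside the 9-11 window."""
    alice = Identity("alice", frozenset(POLICIES))
    morning = datetime(2005, 4, 10, 9, 30)    # inside the window
    afternoon = datetime(2005, 4, 10, 14, 0)  # outside the window
    alice.switch_role("Internal Auditor", afternoon)
    results = [
        alice.access("C", afternoon),  # True: base rule allows A, B, C
        alice.access("C", morning),    # False: window allow-set is only A, B
        alice.access("1", morning),    # False: explicit block
    ]
    alice.switch_role("Program Manager", morning)
    results += [
        alice.access("A", morning),    # True: "allow all" inside the window
        alice.access("6", morning),    # False: block still wins over "allow all"
        alice.access("A", afternoon),  # False: base rule is only C, D, E
    ]
    return results, alice.audit


if __name__ == "__main__":
    _, trail = demo()
    print("\n".join(trail))
```

The point of the audit list is that every decision is recorded against the person, not against whichever account happened to be logged in; with two separate accounts the "who did what" question has to be stitched together from two logs.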


Identity Management was perceived as account administration

•  Focus on administration, not on governance
•  IDM solutions were a collection of automation and synchronization tools and scripts
•  Value-adds were measured as the cost savings of self-service
•  No authoritative source for authentication

The challenge: how to maintain control and enforce policies in this complex IT environment.


What is the difference between Identity Administration and Identity Management?

•  Identity Administration (technical)
   –  Account life cycle, authentication, credentials, passwords, reports, vulnerabilities
•  Identity Management (business strategy, governance & processes)
   –  Roles & responsibilities, authoritative source, trust, risk, compliance, security, cost, efficiency & effectiveness

Identity Management is the framework to control people's identities, roles & responsibilities, and resources.


Shift of priorities

•  Transition to a business model driven by growing business requirements and the need to manage identities.

Diagram: the move is from "IDM technologies", a collection of technologies justified by helpdesk costs, internal management and cost, to "IDM", identity management solutions where the business looks for supporting technology, driven by regulation, risk, security, external identities, identity federation and the physical domain.


Identity Management – Organizational view

Diagram: Business (HR, Finance, Sales, Legal, Procurement) + People (stakeholders: CEO, CIO, CFO, COO, IT; roles & responsibilities) + Company resources (IT, money, information, public store) = Business objectives ($$$$$), governed by processes, policy and assurance.


The challenge

•  Prioritizing business drivers in different environments
   –  Online business
   –  Personalized government services
   –  High turnover of employees
   –  Corporate competitiveness: employees' access to information
   –  Globalization and the need for remote access
   –  Regulations and compliance
   –  Mergers & acquisitions
   –  Business partnerships and sharing of information
•  How to plan the roadmap, audit, architecture, etc.
•  Where does technology align and fit into the big picture?

Management of identities affects the business in all areas: internal, external, physical, B2B, authority.


The pain – Organizations & Government

•  Main request: clarity

Requirement – Description
•  "Need to know what others are doing" – Sharing of best practices in similar sectors
•  "Need to know in simple terms where each piece of technology fits in the big IDM map" – Easy way to map technology relevancy to business requirements
•  "Need a consolidated newsletter" – One comprehensive newsletter with relevant news from the region
•  "Need clarity and a shared language to describe IDM issues" – The requirement is to have a unified identity management language and to categorize the issues such that a clear roadmap can be constructed.


The pain – Vendors/Integrators/Consulting firms

•  Main request: increase awareness, create a taxonomy to describe the universe of identity management

Requirement – Description
•  Shorten the sales cycle for IDM solutions – Faster answers to tenders by having a pre-defined language to describe identity management.
•  Spend fewer $ on educating each customer as part of the sales cycle – Customer awareness levels are low and each sales cycle requires education and awareness activities.
•  Better awareness – A lot of effort is invested in identifying the right people, understanding their needs and then offering the right solution.
•  A language to describe identity management as a business solution rather than a technological one – A map, framework or methodology to align identity management technology with the business issues.


The pain – Auditing community

•  Work in progress …


IDM Building Blocks


Identity Management building blocks

•  Business objectives
   –  Business targets determine IDM investments
   –  Business defines the risk
   –  The risk profile influences the identity controls
•  People
   –  Have roles & responsibilities
   –  Need to use resources to perform their job
   –  Resource usage should be controlled
   –  Risk to people & risk from people
•  Technologies
   –  Need to align with people and business

IDM facilitates the alignment of people, IT and business.


Identity Authority: Four Domains


Authoritative Source

•  The critical success factor for the alignment is the source of identity information
•  An authoritative source is required to be:
   –  Up to date
   –  Synchronized with all relevant sub-authority identity sources
   –  Aligned with the business processes
   –  Available and secured
   –  Trusted
   –  Compliant

The IDM Authority is the starting point.


Identity Management Authority: four domains

•  Internal – employees, passwords, accounts, access, authorization, …
•  External – non-employees, customers, online services, and more
•  Physical – doors, access, cards, biometrics
•  Federated – B2B, trust between organizations, delegation of authority

More than 50% of each domain is the same IDM basics.


Looking at the big picture


The Universe of Identity Management – Draft 3

Diagram axes: Technologies, Processes, Domain Authority.


Risk – What can go wrong!

•  Fraud, internal/external (e.g. Enron, WorldCom …)
•  Information leaking (ChoicePoint)
•  Breach of privacy (spam)
•  Identity theft
•  Illegal access
•  Illegal entry
•  Impersonation
•  Non-repudiation
•  Reputation
•  Disaster recovery
•  Non-compliance & financial implications
•  Manual authorization

The risk from people and the risk to people.


Authoritative Source highlights

•  Multiple identity stores
•  Redundant information
•  Outsourcing
•  Off-shoring
•  Identity information syndication
•  Identification of external vs. internal vs. federated
•  Lack of synchronization between physical and IT
•  Conflict of business interests due to regulation
   –  HIPAA: marketing vs. core business
•  Roles & responsibilities
•  Authorization

Trusted Identity Authority: the key is planning a roadmap.


Security highlights

•  Access control
•  Authentication
•  Excessive rights
•  Ghost accounts
•  Inactive accounts
•  Separation of duties
•  Rotation of duties
•  Phishing & pharming
•  Spam
•  Aggregation of identity data
•  Audit & monitoring
•  Physical
•  Stolen tokens, smart cards
•  Password management

Who has access to what? Who did what? Who can authorize?
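The "Authoritative Source" requirements earlier (up to date, synchronized with all sub-authority identity sources) and the security highlights just above (ghost accounts, inactive accounts, excessive rights, separation of duties, "who has access to what") come together in an account reconciliation run. The Python below is an added example, not the deck's own material: the HR feed plays the authoritative source, the application account exports play the sub-authority stores, and every record, role baseline, separation-of-duties pair and threshold is constructed for illustration.

```python
"""Reconciling application accounts against an authoritative identity source.

Added example, not from the original deck. The HR feed is the authoritative
source; the application exports are the sub-authority stores that should be
synchronized with it. Every record, baseline, separation-of-duties pair and
threshold below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

AS_OF = date(2005, 4, 10)            # date of the reconciliation run
INACTIVE_AFTER = timedelta(days=90)  # no login for this long = inactive account

# Constructed authoritative HR feed: person id -> (status, department)
HR: Dict[str, Tuple[str, str]] = {
    "e100": ("active", "finance"),
    "e101": ("active", "audit"),
    "e102": ("terminated", "finance"),
    "e103": ("active", "sales"),
}

# Constructed application exports: (app, account, owner id, last login, entitlements)
Account = Tuple[str, str, str, date, Set[str]]
ACCOUNTS: List[Account] = [
    ("erp", "alice",   "e100", date(2005, 4, 1),  {"create_vendor", "view_ledger"}),
    ("pay", "alice",   "e100", date(2005, 3, 28), {"approve_payment"}),
    ("erp", "bob",     "e101", date(2005, 4, 5),  {"view_ledger"}),
    ("erp", "carol",   "e102", date(2005, 2, 1),  {"view_ledger"}),    # owner terminated
    ("crm", "dave",    "e103", date(2004, 11, 2), {"view_accounts"}),  # no login for months
    ("erp", "svc_old", "e999", date(2005, 4, 8),  {"view_ledger"}),    # owner unknown to HR
]

# Constructed role baseline: department -> app -> entitlements it is expected to hold
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "finance": {"erp": {"create_vendor", "view_ledger"}},
    "audit":   {"erp": {"view_ledger"}},
    "sales":   {"crm": {"view_accounts"}},
}

# Constructed separation-of-duties pairs: one person must never hold both
SOD_PAIRS = [("create_vendor", "approve_payment")]


def access_map(accounts: List[Account]) -> Dict[str, Dict[str, Set[str]]]:
    """Who has access to what: owner -> app -> entitlements, aggregated across stores."""
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for app, _acct, owner, _seen, ents in accounts:
        out[owner][app] |= ents
    return out


def ghost_accounts(accounts: List[Account], hr=HR) -> List[Tuple[str, str]]:
    """Accounts whose owner is missing from the authoritative source or not active."""
    return [(app, acct) for app, acct, owner, _seen, _ents in accounts
            if owner not in hr or hr[owner][0] != "active"]


def inactive_accounts(accounts: List[Account], as_of: date = AS_OF) -> List[Tuple[str, str]]:
    """Accounts nobody has used within the inactivity threshold."""
    return [(app, acct) for app, acct, _owner, seen, _ents in accounts
            if as_of - seen > INACTIVE_AFTER]


def excessive_rights(accounts: List[Account], hr=HR, baseline=BASELINE) -> List[Tuple[str, str, List[str]]]:
    """Entitlements beyond what the owner's department baseline grants in that app."""
    findings = []
    for app, acct, owner, _seen, ents in accounts:
        if owner not in hr:
            continue  # reported as a ghost account; there is no baseline to compare against
        dept = hr[owner][1]
        extra = ents - baseline.get(dept, {}).get(app, set())
        if extra:
            findings.append((app, acct, sorted(extra)))
    return findings


def sod_conflicts(accounts: List[Account], pairs=SOD_PAIRS) -> List[Tuple[str, str, str]]:
    """Toxic combinations held by one person, even when split across applications."""
    findings = []
    for owner, apps in access_map(accounts).items():
        held = set().union(*apps.values())
        for a, b in pairs:
            if a in held and b in held:
                findings.append((owner, a, b))
    return findings


def reconcile(accounts: List[Account] = ACCOUNTS) -> Dict[str, list]:
    return {
        "ghost": ghost_accounts(accounts),
        "inactive": inactive_accounts(accounts),
        "excessive": excessive_rights(accounts),
        "sod": sod_conflicts(accounts),
    }


if __name__ == "__main__":
    for kind, items in reconcile().items():
        print(f"{kind}: {items}")
```

Two design points matter in practice. The ghost check is keyed on the authoritative source's status, not just on its presence, so a terminated employee's account is flagged even though HR still knows the person. The separation-of-duties check runs over the aggregated map rather than per application, because the toxic pair here is split across two stores and neither store can see the conflict on its own.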


Cost-effectiveness highlights

•  Self-service for identity information
•  Consolidation of identity stores
•  Reduced sign-on
•  Discovery phase & cleanup of accounts
•  Roles & responsibilities
•  Licensing management
•  Workflows
•  Automatic provisioning
•  Compliance & audit
•  B2B capabilities
•  Reduction of risk (capital allocation – Basel II)

Only one business case is enough to kick-start a project.


Compliance

•  Privacy regulation all around the world
•  Financial regulations
   –  Sarbanes-Oxley
   –  GLBA
   –  Basel II
   –  CLERP 9
•  Healthcare
   –  HIPAA
   –  FDA
•  Homeland Security
•  Patriot Act
•  Data Protection – Europe

Integrity, transparency, interoperability.


Administration & Revocation

•  Administration model
   –  Centralized
   –  Delegated
•  Self-service administration
•  Delegation via workflows
•  PKI-based administration
•  Federated administration
•  Administration control & governance
•  Revocation verification model
   –  Real time
   –  Revocation lists


Monitoring & Measurement

•  Integrity assurance
•  Compliance
•  Change management (access rights)
•  Abuse
•  Internal usage
•  Authorization
•  Cost-effectiveness
•  Usage


Standards, Methodologies & Frameworks

•  Access control strategies
   –  RBAC (role-based access control)
   –  Location-based
   –  Groups
•  Standards & frameworks
   –  COBIT
   –  ITIL
   –  ISO 17799


Identity Management Planning & Strategy


IDM rule of thumb

Identity Management project:
•  80% of the project is strategic planning
   –  Discovery: find out what you already have
   –  Planning: how to leverage your existing assets
•  20% of the project is
   –  Implementation
   –  Measure & review

Spending:
•  20% of the spending goes on planning
•  80% of the spending goes on implementation


More than 50% of each domain is the same IDM basics.

An Identity Management roadmap is critical.


Highlights of IDM project planning risks

•  Use of external resources and knowledge should fit the organization's business objectives
•  Identification of the stakeholders is critical
•  IDM projects are lengthy; the plan should be flexible enough to accommodate changes of people, technologies and priorities
•  Documentation of "know-how"
•  Adopting a vendor methodology doesn't mean you have to buy all the products from one place

Always keep in mind that you enable people to do their job better, and they enable the business to do better.


Market Drivers Now & Before


Main market drivers 2005

•  Cost & alignment
   –  Leverage existing investment in directories
   –  Internal identity management is recognized as a need and as the first step in the roadmaps
•  Risks
   –  Identity theft
   –  Breach of privacy
   –  Fraud, insider threats
•  Security
   –  Two-factor authentication
   –  Phishing
   –  Web access control
•  Compliance
   –  Accountability & audit capabilities
   –  Automated compliance monitoring


Recent News & Analysis


Acquisitions & Partnership Map – Highlights

Columns: Vendor | Action | Internal | External | Federation | Physical | Authority. Each row ends with its domain marks (X).

•  BMC acquires Calendra (workflow/directory management) – X X
•  BMC acquires OpenNetwork (web access management) – X X
•  Oracle buys Oblix (provisioning product) – X X
•  Quest acquires Vintela (Java extension to Microsoft) – X
•  CA acquires Netegrity – X
•  CA acquires software to perform account cleanups – X
•  Sun & NEC partner to improve solutions in the Identity Management space – X
•  Entrust & Trustgenix alliance designed to strengthen the security of federated identity management relationships – X X


Technologies Map – Highlights

Columns: Vendor | Action | Internal | External | Federation | Physical | Authority. Each row ends with its domain marks (X).

•  BMC – launches a comprehensive Identity and Configuration Management Database, as well as integrating a directory manager with an open API – X X
•  Sun – provides open source Web authentication and single sign-on technologies as part of a project it is calling OpenSSO – X
•  RSA – RSA Security Inc. will release its new software versions, RSA® Certificate Manager 6.6 and RSA® Registration Manager 6.6 – X
•  Novell – announces Identity Driven Computing, support for application developers – X
•  HP – rolls out an improved identity suite (compliance, federation, auditing) – X X


Industry Map – Highlights

Columns: Vendor | Action | Internal | External | Federation | Physical | Authority. Each row ends with its domain marks (X).

•  Government – The Government's hurriedly announced reconsideration of a national identification card has potentially set it on a collision course with Federal Privacy Commissioner Karen Curtis – X X X
•  Maritime & Transport Unions – Perform background checks for every worker as part of increased security – X
•  National Australia Group UK (NAG UK) – Implements IBM Tivoli to enhance web-based services – X X


Technologies

Jul 2005:
–  BMC launches a comprehensive Identity and Configuration Management Database, as well as integrating a directory manager with an open API.
–  BQT Solutions will integrate its biometric authentication smart card solution with Optimiser's real-time digital management technology.
–  QuoVadis Trustlink software enables legally binding online identity and electronic signature solutions for international organizations.
–  Sun will provide open source components of its Web authentication and single sign-on technologies as part of a project it is calling OpenSSO.
–  Gemplus provides "3 Mobile" (Australia) with its 3G OTA services, enabling better mobile network coverage.
–  DS3 introduces an authentication server on Sun's Solaris 10 operating system & Sun Fire.
–  Red Hat launches its open-source software stack outside the US.
–  RSA Security Inc. announced its RSA® BSAFE® Data Security Manager, a middleware solution for software developers.

Sep 2005:
–  RSA Security Inc. will release its new software versions, RSA® Certificate Manager 6.6 and RSA® Registration Manager 6.6.

2006:
–  Seagate Technology will incorporate its hardware-based Full Disc Encryption (FDE) technology into notebook PC hard-disk drives.


The Network


Identity Management Network

•  Founded 2005
   –  Security Development, Guy Lupo
•  Mission
   –  Create and constantly maintain an open, clear channel of communication between organisations, government, vendors, integrators and consultants in the identity management sector
•  Execution
   –  Web portal www.identitymanagement.net.au (BETA)
   –  Identity Management Index
   –  Identity Management Summit – March 2006
   –  On-going networking events for the network members

A place to start with Identity Management.


Network Entities

Diagram: Organizations (Org A, Org B, Org C), Sponsors (Sponsor A, Sponsor B, Sponsor C), Associations (A, B, C, D), Government, Vendors and Integrators, grouped around Security, Governance, Physical and Business lobby; the network provides the Universe Map, events, IDM e-news, networking and key IDM professionals.


Thank you!

•  Guy Lupo (CISSP), SecurityDev – Security Products Marketing Services, guy@securitydev.com, www.securitydev.com, 0432031031
•  ISSA Australia-New Zealand National Director, dir_aus@issa.org