Post on 14-Jun-2015
A 5-step approach to managing Identity & Access Management
Steve Tout
July 2013
V002
Is now the time to hire a Director of IAM for your organization?
“The pace of enterprise change is affecting how security and risk pros engage with the developers, users, and business stakeholders they serve. You can’t slow the pace, so you need an IAM approach that withstands extreme heterogeneity in your business infrastructure so that you can support increased competitiveness with superior security.”
Eve Maler - Principal Analyst serving Security & Risk Professionals, Forrester
Report: Navigate The Future Of Identity And Access Management
I coined the phrase “Managing IdM In Uncertain Times” for an assessment of Identity & Access
Management I wrote for VMware in 2009. To me, it means running lean while minimizing
risk to the business by ensuring higher levels of customer privacy and information
assurance; operating efficiently while seeking ways to improve ROI and reduce costs
through a holistic view of the IAM (Identity & Access Management) program.
This paper identifies five key challenges we face today in IAM and the mindset required to
achieve extraordinary success.
Integrate Governance, Risk & Compliance – Most companies start out with an IAM program to
improve manageability and streamline development by utilizing SSO and centralized administration.
After some time, there can be significant gaps between GRC and Identity & Access Management that
should be addressed for improved security and higher levels of assurance.
Create organizational alignment – IdM is not fundamentally a development problem. It is not
exclusively a security issue just as it is not intended to rest solely on the shoulders of operations.
Create alignment of resources to avoid entropy from paralyzing the organization.
Evolve the architecture – Technology changes quickly, but organizations often do not adapt as fast to
the challenges. Creating and using an IAM reference architecture and 3-year roadmap will keep
everyone focused on what matters, drive out redundancies, minimize risk and reduce TCO.
Rethink the platform – Most companies have a significant investment in an IAM platform that is
based on an outdated model for web access management. In rethinking the platform strategy,
superior security and increased business competitiveness should top the list of priorities.
Renew operational focus – An organization cannot move towards more efficient computing models
like the cloud, reduce OpEx costs, increase operational efficiency or improve security without making
some hard investment decisions.
Manage This
1. Integrate Governance, Risk & Compliance
A GRC program provides critical controls and processes for any business. Governance aligns IT and the
business and ensures continuing and consistent business value out of the IAM program. Supporting
operational GRC within IT requires an integrated set of processes and solutions that should provide
on-going and closed-loop monitoring, access certification, analytics, logging and alerting.
At a minimum, an integrated GRC program should be able to answer the following questions:
Are you comfortable with data tampering or a customer/employee data breach due to compliant solutions not being consistently applied across the organization?
Are you comfortable with a disgruntled employee who has recently been terminated exploiting known vulnerabilities in our data and services without your knowledge?
Are you comfortable with the knowledge that security audits and dashboard reporting systems could have incomplete data, giving false confidence?
Are you comfortable with not knowing about partner/employee data being breached at SFDC and finding out about it days later?
With programs like PRISM undermining SaaS and CSPs on practically a daily basis, are you comfortable entrusting Salesforce as the system-of-record for identity & authentication data for more than 400M partner users?
Are you comfortable with knowing that policy audit and lifecycle management practices are not being followed, creating vulnerabilities exposed to the outside world?
Are you comfortable with the knowledge that there are inadequate and vulnerable authorization models in place as more of our compute goes to SaaS and Mobile platforms?
Are you comfortable with developers and admins accessing production outside of an authorized window, or with network admins or security engineers sniffing traffic unnoticed?
How do you feel about preparing your scorecard in the context of how VMware ranks in each of these categories?
The best response to the GRC challenges we face is to create better risk awareness and to drive convergence of security, GRC, IAM, SIEM and Big Data tools that do more inspection and that can correlate third-party intelligence. As a result, we achieve a more scalable and efficient model for threat management, security and identity management than was previously possible.
Be Secure
Figure 1: Enterprise GRC should align and integrate more seamlessly and synergistically. (Figure title: Integrated GRC)
2. Create organizational alignment
Without a leader whose sole focus is IAM & security concerns there will continue to be gaps in accountability and a constant feeling of under-achievement (e.g. a feeling that we can and should be doing more!). Without a clear separation of duties, management and team members alike can spread themselves too thin, as well as develop myopic vision from a too-heavy emphasis on execution at the expense of valid strategy, architecture, planning and organization.
With a proper organizational structure, there will be excellent visibility both up and across the organization, utilizing Joel Garfinkle’s PVI model for executive success. The barriers to collaboration must be demolished and a more effective approach to problem solving adopted for the greater good of the business, our shareholders’ value, and customer privacy and security.
Having one or more IAM veterans at the Director level reporting into a VP of Security or Operations
will result in better visibility, streamlined accountability and reporting structure, improved
collaboration in defining and executing IAM projects and significantly improved ability to deliver on
the 3-year roadmap. As an industry benchmark, other companies in Silicon Valley have formed teams
dedicated to this discipline, and VMware may learn from them as it continues to grow.
eBay - dedicated security & fraud division of over 80 people
Electronic Arts - security team responsible for internal and online assets with 20 people
BMC Software - internal security/compliance team of 5 experts and 3 directors of IAM
Be Focused
3. Evolve the architecture
The requirements for Next-Gen Identity & Access Management are clear. Security, as well as IAM, must respond to growing business demands with solutions that address the need for scale, cloud, mobility and standards. IAM should not be viewed merely as a platform for providing security, SSO and provisioning solutions, but as a rich data source for delivering insights from a big data and analytics platform that can spur increased conversion rates and improved customer engagement and satisfaction.
IAM must continue to evolve as an enterprise shared service and continue to expand the scope of its capabilities by driving adoption of next generation technologies to meet the needs of a mobile and cloud-driven workforce – and the customers they serve. The IAM architecture must evolve to easily integrate with cloud applications, federate with partners, support multi-factor authentication and enrich authorization and access policies.
With a focus on developing future-proof, standards based solutions, the following simple strategic
roadmap demonstrates how one might deliver a Next-Generation IAM ecosystem.
Scale
• Performance optimization
• Multi-tenant scale & management (E.g. SDLC instances)
• Elastic management
Cloud
• Identity bridge for SaaS
• Identity provider for IaaS/PaaS (E.g. vCHS, SFDC)
• Hybrid cloud management
Mobile
• Mobile REST SDK
• Mobile enterprise (BYOD, MDM, MAM, and EMM)
• Mobile IAM toolkit (SDK, Gateway)
Standards/API
• Common frameworks & reusable code libraries
• SAML, SCIM, OAuth and OpenID Connect
• Common STS
• Cloud AuthZ
Be Elastic
4. Rethink the platform
The wisdom or insanity of ripping and replacing an enterprise IAM system such as the Oracle IdM Suite cannot be rationalized without diving into the details of how the product is being used, examining Oracle’s roadmap and upgrade options, and evaluating the alternatives out there.
Web Access Management software is a mature category and has reached commodity status. As enterprise software goes, we should value it for what it is and pay accordingly. Oracle Access Manager has enjoyed a good run for over thirteen years, but it is built on a somewhat outdated model that hinges on domain-centric policy management and an agent-based architecture.
There are alternative solutions that can provide equal - if not better - capabilities for a fraction of the price (think open-source here). Based on experts and executives I have spoken with, potential savings in the range of 15% - 40% year over year look to be possible. One must also factor in the costs associated with migrating from 10g to 11g, including architecture, infrastructure, operations, training and professional services, just to name a few.
In rethinking the platform, one really needs to understand the drivers and the rationale:
Are you comfortable knowing that only a fraction of the solution capabilities are used?
Are you comfortable with using it less as more of your applications turn to a SaaS model, while you are still paying the same as you were before?
Are you comfortable with the cost of replacing the existing IAM growing exponentially year by year as the enterprise becomes more heavily invested in its use?
Though Oracle Access Manager has proven to be very stable and predictable, it has remained
relatively static as well, without realizing any security, performance or functionality advancements
made since 2010.
A fully rationalized architecture and a quantitative analysis of expected TCO will yield insights into the financial model and help to identify potentially significant cost savings. At the same time, the world continues to adopt SaaS and BYOD, so the need for a modern, secure and scalable IAM platform cannot be underscored enough.
Be Open
5. Renew operational focus
"Unless you change how you are, you will always have what you've got." - Jim Rohn
Achieving success with the next generation of security and IAM infrastructure will not happen as the result of big bang upgrades. Much depends on understanding how new solutions impact existing applications, how new requirements impact architecture, and how new systems and capabilities can be deployed within VMware’s cloud operating model. Success will be measured by the ease with which solutions achieve the most common coexistence and migration scenarios, as well as the ability to realize value from the 3-year roadmap.
Additionally, success will not be possible without training Sr. Managers and Tech Leads in Operations on how to monitor, maintain and support the new systems and processes that will be implemented as a result of executing against the 3-year roadmap.
Installing a Leader or Director of IAM will add significant advantages in achieving success and for
effectively managing all of the challenges mentioned in this paper. He or she would provide guidance
to the Operations group while executing on the 3-year roadmap, such as:
Guidance on end-to-end SSO scenarios such as enterprise to cloud, cloud to enterprise, cloud to cloud and mobile enterprise, and how to support the use cases
Guidance about how authentication, authorization, account provisioning and governance work in the web services world
Governance, analytics and audit for user/partner/employee identity and entitlements across on-prem, SaaS and mobile applications, for privacy assurance and risk management
Guidance and support for leveraging CMDB and ITSM for managing IAM in a hybrid cloud environment, for operational efficiency and scale
Integration of IAM and SIEM systems to improve user/role management, enable real-time risk and audit capabilities for threat and compliance management, and prevent APTs
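As an added example (not from the paper) of the closed-loop monitoring in section 1 and the IAM/SIEM integration recommended above: it answers two of the GRC questions from section 1 (a recently terminated employee still logging in, and production access outside an authorized window) by correlating constructed audit log lines with an assumed HR termination feed and an assumed change window; the log format, account names and window times are all constructed for illustration.

```python
from datetime import datetime, time

# Constructed HR feed (assumption): account -> time the account was terminated
TERMINATED = {"jdoe": datetime(2013, 7, 10, 17, 0)}

# Assumed authorized production change window: 22:00 to 02:00, crossing midnight
WINDOW_START, WINDOW_END = time(22, 0), time(2, 0)

# Constructed audit log lines in a simple "timestamp user target action" format
LOG_LINES = [
    "2013-07-11T09:12:00 jdoe prod-db login",    # terminated account still active
    "2013-07-11T14:30:00 asmith prod-app ssh",   # admin in production, daytime
    "2013-07-11T23:05:00 asmith prod-app ssh",   # admin in production, inside window
    "2013-07-11T10:00:00 bwong dev-app login",   # non-production, no finding
]

def parse(line):
    """Split one constructed log line into a record with a datetime timestamp."""
    ts, user, target, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "target": target, "action": action}

def in_window(t, start=WINDOW_START, end=WINDOW_END):
    """True if time-of-day t is within [start, end), including windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def find_violations(lines, terminated=TERMINATED):
    """Return (rule, user, timestamp) findings for the two GRC questions checked here."""
    findings = []
    for rec in map(parse, lines):
        ended = terminated.get(rec["user"])
        # Rule 1: any access by an account after its HR termination time
        if ended is not None and rec["ts"] > ended:
            findings.append(("terminated-account-access", rec["user"], rec["ts"].isoformat()))
        # Rule 2: production access (assumed "prod-" naming) outside the change window
        if rec["target"].startswith("prod-") and not in_window(rec["ts"].time()):
            findings.append(("prod-access-outside-window", rec["user"], rec["ts"].isoformat()))
    return findings

if __name__ == "__main__":
    for finding in find_violations(LOG_LINES):
        print(*finding)
```

In a real deployment the termination feed would come from the HR system of record and the findings would be forwarded to the SIEM as alerts rather than printed.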
Now is as good a time as ever to re-think VMware’s IAM platform and strategy to potentially realize cost savings of 15-40%, which would bring about the opportunity to modernize the platform with advanced technologies such as Identity Analytics, Big Data and Integrated GRC for superior security and a competitive edge.
Be Adaptable
Additional reading and list of references
Do You Need An Identity Officer? http://blogs.kuppingercole.com/kearns/2013/07/02/do-you-need-an-identity-officer
Leadership, not Process, is the Keystone of Innovation http://www.innovationexcellence.com/blog/2013/07/13/leadership-not-process-is-the-keystone-of-innovation
Moving Towards Proactive & Holistic Security http://blog.identropy.com/IAM-blog/bid/47519/Moving-Towards-Proactive-and-Holistic-Security
The Impact of Total Cost of Ownership in IAM Investment Decisions http://www.novell.com/docrep/2010/11/rencana_novell_iam_tco_report_methodology.pdf
ITIL V3 and IAM Governance: the PBR Model http://blog.identropy.com/IAM-blog/bid/62180/ITIL-V3-and-IAM-Governance-the-PBR-Model
The PVI Model http://www.garfinkleexecutivecoaching.com/downloads/getting-ahead/The-PVI-Model.pdf
Dismantling Your Legacy Identity Management http://www.stevetout.com/oracle-idm/dismantling-your-legacy-identity-management
Forrester Research: Navigate the Future of Identity and Access Management http://www.forrester.com/Navigate+The+Future+Of+Identity+And+Access+Management/fulltext/-/E-RES61625
Be Curious