a pragmatic approach to identity and access management
DESCRIPTION
A PowerPoint file that presents my paper: "A Pragmatic Approach to Identity and Access Management"
TRANSCRIPT
A Pragmatic Solution For Identity & Access Management
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance
Tokio Marine Management, Inc.
[email protected]
This presentation is based on the paper “A Pragmatic Solution for Identity and Access Management” previously presented at various conferences. This paper is available on my LinkedIn page:
http://www.linkedin.com/in/hankgruenberg
For more information, contact me at: [email protected]
or USA: 917-626-8604
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance
Tokio Marine Management, Inc.
New York, NY U.S.A.
Situation: Regulatory Compliance
Goals: Compliance & Security
Solution: Custom Application
Why is Access Management Difficult?
Why Difficult… Many Varying Directories
Managing 80+ Directories
Varying Directory Formats
Adding New Applications
Aggressive Schedules
Why Difficult… Evolved Over Time
*A&A: Authentication & Authorization
Why Difficult… Checking Entitlements
How Goals Were Achieved
Consider ‘Bottom Up’ Issues
Solved by…
Guiding Principles
Identity Management Scope
Paladin Methodology
Phase 1
Establish the Meta-Directory
Phase 1 – Meta Directory…
Key Point
Paladin’s Meta Directory
Phase 1 – Meta Directory…
Key Point
What Paladin Isn’t
Phase 1 – Meta Directory…
Results
No Impact On Applications
Establish objects and relationships
Phase 1 – Meta Directory…
Define Workflows
Phase 1 – Workflows…
Onboarding
Recertification
Governance: Request/Approve/Provision
Termination: De-provisioning
Feed
Incorporate Data & User Interfaces
Phase 1 – Workflows…
[Diagram: Paladin Meta Directory at the center, connected to Employee Roster, Directory 1, Downstream Account Administrators, Resource Owner and Manager; flow labels: Updates Employees, Account IDs, Work Order, Add Non-Employees, Provision / De-provision Accounts, Request Entitlement, Approve Entitlement. Key Point]
Converting Existing Entitlements
Phase 1 – Data Conversion…
Phase 2
Reconciling Directories
Phase 2 – Reconciliation…
[Diagram: Active Directory | Match? | Paladin Meta Directory | Match? | Customer Information System]
Paladin Meta Directory
Name      App   Acct ID   Role
Y Berra   CIS   BERRAY    User
Mantle    CIS   MM7       User
Maris     CIS   RM9       User
T Kubek   CIS   xyz448    User
? Problem
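One way to implement the "Match?" check shown above, as an added example that is not part of the original presentation or the Paladin tool: the meta-directory's rows for one application are compared with a constructed export from that application, and every orphan, missing or mis-roled account is reported. The role values, the case-insensitive ID matching and the target export are assumptions for illustration.

```python
"""Phase 2 reconciliation check: the meta-directory's view of one application
versus that application's own account export.

Added example, not the Paladin code from the presentation. Assumes each side
exports (account id, role) rows, that the meta-directory is authoritative,
and that ids may differ only in case/whitespace between directories (a
constructed stand-in for the "varying directory formats" problem).
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    kind: str      # "orphan", "missing" or "role_mismatch"
    acct_id: str
    detail: str

def _norm(acct_id: str) -> str:
    # Directories disagree on case and padding; compare on a canonical form.
    return acct_id.strip().upper()

def reconcile(meta: dict[str, str], target: dict[str, str]) -> list[Finding]:
    """Both inputs map account id -> role for one application.
    Returns one Finding per discrepancy, sorted for stable reporting."""
    m = {_norm(a): r for a, r in meta.items()}
    t = {_norm(a): r for a, r in target.items()}
    findings: list[Finding] = []
    for acct in sorted(t):
        if acct not in m:
            # Lives downstream with no authorising record: an orphan account.
            findings.append(Finding("orphan", acct, f"actual={t[acct]}"))
        elif m[acct] != t[acct]:
            findings.append(Finding("role_mismatch", acct,
                                    f"expected={m[acct]} actual={t[acct]}"))
    for acct in sorted(m):
        if acct not in t:
            # Authorised but never provisioned (or removed behind our back).
            findings.append(Finding("missing", acct, f"expected={m[acct]}"))
    return findings

# Constructed sample: the CIS rows from the slide as the meta-directory view,
# and a hypothetical CIS export that disagrees with it in three ways.
META_CIS = {"BERRAY": "User", "MM7": "User", "RM9": "User", "xyz448": "User"}
TARGET_CIS = {"berray": "User", "MM7": "User", "RM9": "Admin", "GHOST1": "User"}

if __name__ == "__main__":
    for f in reconcile(META_CIS, TARGET_CIS):
        print(f"{f.kind:14} {f.acct_id:8} {f.detail}")
```

The same function runs unchanged against every automated directory; only the two exports differ, which is what makes the semi-automated case a matter of where the target rows come from.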
Which Directories To Automate?
Phase 2 – Reconciliation…
*SSIS: SQL Server Integration Services
Automated Reconciliation
Phase 2 – Reconciliation…
Semi-Automated Reconciliation
Phase 2 – Reconciliation…
Only Difference
Effectiveness & Adjustments
Phase 2 – Metrics
Fixed the process
Conversion Issues
Numbers are illustrative
Key Points