a pragmatic approach to identity and access management

A Pragmatic Solution For Identity & Access Management
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance, Tokio Marine Management, Inc.
[email protected]

Uploaded by: hankgruenberg

Posted: 20-Jun-2015

DESCRIPTION

A PowerPoint file that presents my paper: "A Pragmatic Approach to Identity and Access Management"

TRANSCRIPT

Page 1: A Pragmatic Approach to Identity and Access Management

A Pragmatic Solution For Identity & Access Management

Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance, Tokio Marine Management, Inc.

[email protected]

Page 2: A Pragmatic Approach to Identity and Access Management

This presentation is based on the paper “A Pragmatic Solution for Identity and Access Management” previously presented at various conferences. This paper is available on my LinkedIn page:

http://www.linkedin.com/in/hankgruenberg

For more information, contact me at: [email protected]

or USA: 917-626-8604

Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance, Tokio Marine Management, Inc.
New York, NY U.S.A.

Page 3: A Pragmatic Approach to Identity and Access Management

Situation: Regulatory Compliance

Page 4: A Pragmatic Approach to Identity and Access Management

Goals: Compliance & Security

Page 5: A Pragmatic Approach to Identity and Access Management

Solution: Custom Application

Page 6: A Pragmatic Approach to Identity and Access Management

Why is Access Management Difficult?

Page 7: A Pragmatic Approach to Identity and Access Management

Why Difficult… Many Varying Directories

Managing 80+ Directories
Varying Directory Formats
Adding New Applications
Aggressive Schedules

Page 8: A Pragmatic Approach to Identity and Access Management

Why Difficult… Evolved Over Time

*A&A: Authentication & Authorization

Page 9: A Pragmatic Approach to Identity and Access Management

Why Difficult… Checking Entitlements

Page 10: A Pragmatic Approach to Identity and Access Management

How Goals Were Achieved

Consider ‘Bottom Up’ Issues

Page 11: A Pragmatic Approach to Identity and Access Management

Solved by… Guiding Principles

Identity Management Scope

Page 12: A Pragmatic Approach to Identity and Access Management

Paladin Methodology

Page 13: A Pragmatic Approach to Identity and Access Management

Phase 1

Page 14: A Pragmatic Approach to Identity and Access Management

Establish the Meta-Directory
Phase 1 – Meta Directory…

Key Point

Page 15: A Pragmatic Approach to Identity and Access Management

Paladin’s Meta Directory
Phase 1 – Meta Directory…

Key Point

Page 16: A Pragmatic Approach to Identity and Access Management

What Paladin Isn’t
Phase 1 – Meta Directory…

Results: No Impact On Applications

Page 17: A Pragmatic Approach to Identity and Access Management

Establish objects and relationships
Phase 1 – Meta Directory…

Page 18: A Pragmatic Approach to Identity and Access Management

Define Workflows
Phase 1 – Workflows…

Onboarding

Recertification

Governance: Request/Approve/Provision

Termination: De-provisioning

Page 19: A Pragmatic Approach to Identity and Access Management

Incorporate Data & User Interfaces
Phase 1 – Workflows…

[Diagram: the Paladin Meta Directory at the centre, with data feeds and user interfaces around it. Feeds: Employee Roster (updates employees); Directory 1 (account IDs). User interfaces: Manager (request entitlement; add non-employees); Resource Owner (approve entitlement); Downstream Account Administrator (receives work order; provisions / de-provisions accounts). Key Point callout.]

Page 20: A Pragmatic Approach to Identity and Access Management

Converting Existing Entitlements
Phase 1 – Data Conversion…

Page 21: A Pragmatic Approach to Identity and Access Management

Phase 2

Page 22: A Pragmatic Approach to Identity and Access Management

Reconciling Directories
Phase 2 – Reconciliation…

[Diagram: Active Directory <- Match? -> Paladin Meta Directory <- Match? -> Customer Information System]

Paladin Meta Directory:

Name      App   Acct ID   Role
Y Berra   CIS   BERRAY    User
Mantle    CIS   MM7       User
Maris     CIS   RM9       User
T Kubek   CIS   xyz448    User    <- ? Problem
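The matching this slide sketches, written out as an added example (it is not the Paladin code and not from the paper): the meta-directory is exported as (name, app, account ID, role) rows in the shape of the table above, each downstream directory is exported as account ID to role, and the two are compared in both directions. Orphan accounts (present in the application, owned by nobody in the meta-directory), missing accounts (recorded in the meta-directory, absent from the application), role drift, and account IDs that break the application's naming convention are reported separately, with privileged orphans listed first. The sample rows, the AD entries, the extra CIS/AD accounts, the naming-convention patterns and the privileged-role list are all constructed assumptions for the example; the slide only shows that xyz448 does not look like the other CIS IDs.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One meta-directory row: who holds which account, in which app, with which role."""
    name: str
    app: str
    account_id: str
    role: str


# Constructed meta-directory export, modelled on the slide-22 table.
# The AD rows are an assumption so that two directories are reconciled.
META_DIRECTORY = [
    Entitlement("Y Berra", "CIS", "BERRAY", "User"),
    Entitlement("Mantle", "CIS", "MM7", "User"),
    Entitlement("Maris", "CIS", "RM9", "User"),
    Entitlement("T Kubek", "CIS", "xyz448", "User"),
    Entitlement("Y Berra", "AD", "berray", "Domain User"),
    Entitlement("Mantle", "AD", "mantlem", "Domain User"),
]

# Constructed directory exports: app -> {account_id: role as the app reports it}.
DIRECTORY_EXPORTS = {
    "CIS": {"BERRAY": "User", "MM7": "User", "RM9": "Admin", "RJ5": "Admin"},
    "AD": {"berray": "Domain User", "mantlem": "Domain User", "svc-backup": "Domain Admin"},
}

# Per-app account-ID naming conventions (assumed for the example).
ID_CONVENTIONS = {
    "CIS": re.compile(r"^[A-Z]{2,6}[0-9]?$"),
    "AD": re.compile(r"^[a-z][a-z0-9-]{1,19}$"),
}

# Roles whose orphan accounts should be chased first (assumed for the example).
PRIVILEGED_ROLES = {"Admin", "Domain Admin"}


def reconcile(meta, exports, conventions=ID_CONVENTIONS):
    """Compare meta-directory entitlements with what each directory actually holds.

    Account IDs are matched case-insensitively (most directories treat them that
    way); the ID as recorded is kept in each finding so it can be located again.
    Returns a dict of finding lists keyed by finding type.
    """
    findings = {"orphan": [], "missing": [], "role_mismatch": [], "bad_id": []}
    expected = {(e.app, e.account_id.casefold()): e for e in meta}
    exported_ids = {app: {a.casefold() for a in accts} for app, accts in exports.items()}

    # Direction 1: everything in the application must be owned by someone.
    for app, accounts in exports.items():
        for account_id, actual_role in accounts.items():
            ent = expected.get((app, account_id.casefold()))
            if ent is None:
                # Nobody recorded as owning it: a missed termination or out-of-band provisioning.
                findings["orphan"].append((app, account_id, actual_role))
            elif ent.role != actual_role:
                findings["role_mismatch"].append((app, account_id, ent.role, actual_role))

    # Direction 2: every recorded entitlement must exist, with a well-formed ID.
    for ent in meta:
        if ent.app in exported_ids and ent.account_id.casefold() not in exported_ids[ent.app]:
            findings["missing"].append((ent.app, ent.account_id, ent.name))
        pattern = conventions.get(ent.app)
        if pattern and not pattern.match(ent.account_id):
            findings["bad_id"].append((ent.app, ent.account_id, ent.name))

    # Privileged orphans first, then stable order by app and ID.
    findings["orphan"].sort(key=lambda f: (f[2] not in PRIVILEGED_ROLES, f[0], f[1]))
    return findings


def report_lines(findings):
    """Render findings as one line each, in the order an account administrator works them."""
    lines = []
    for app, acct, role in findings["orphan"]:
        lines.append(f"ORPHAN        {app:4} {acct:12} role={role} (no owner in meta-directory)")
    for app, acct, expected_role, actual_role in findings["role_mismatch"]:
        lines.append(f"ROLE MISMATCH {app:4} {acct:12} meta={expected_role} app={actual_role}")
    for app, acct, name in findings["missing"]:
        lines.append(f"MISSING       {app:4} {acct:12} owner={name} (not in directory export)")
    for app, acct, name in findings["bad_id"]:
        lines.append(f"BAD ID        {app:4} {acct:12} owner={name} (violates naming convention)")
    return lines


if __name__ == "__main__":
    for line in report_lines(reconcile(META_DIRECTORY, DIRECTORY_EXPORTS)):
        print(line)
```

On the constructed data this flags the T Kubek row twice, once as missing from the CIS export and once as a malformed ID, which is the useful outcome: the semi-automated path on the later slides exists precisely for rows the matching cannot resolve on its own. The role-mismatch check is what catches quiet privilege creep between recertifications; the orphan list, sorted privileged-first, is what a termination de-provisioning workflow should be leaving empty.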

Page 23: A Pragmatic Approach to Identity and Access Management

Which Directories To Automate?
Phase 2 – Reconciliation…

*SSIS: SQL Server Integration Services

Page 24: A Pragmatic Approach to Identity and Access Management

Automated Reconciliation
Phase 2 – Reconciliation…

Page 25: A Pragmatic Approach to Identity and Access Management

Semi-Automated Reconciliation
Phase 2 – Reconciliation…

Only Difference

Page 26: A Pragmatic Approach to Identity and Access Management

Effectiveness & Adjustments
Phase 2 – Metrics

[Chart of reconciliation metrics over time; annotations: “Conversion Issues”, “Fixed the process”. Numbers are illustrative.]

Page 27: A Pragmatic Approach to Identity and Access Management

Key Points