access management vision document

Post on 14-Apr-2018

  • 7/30/2019 Access Management Vision Document

    1/16

    Company ABC

    Access Management Vision Document

    Version 0.0

    This document has been reviewed by:

    Stakeholder | Date | Approved

    Version: 0.0

    Date: 07/10/07

    Confidential

    Revision History: Date | Version | Description | Author


    Table of Contents

    1. Introduction 5
    1.1 Document Purpose 5
    1.2 Document Scope 5
    1.3 Overview 5
    2. Positioning 5
    2.1 Business Opportunity 5
    2.2 Business Objective 6
    2.3 Problem Statement 6
    3. Vision, Assumptions and Scope 7
    3.1 Vision 7
    3.2 Assumptions 7
    3.3 In scope 7
    3.4 Out of Scope 8
    3.5 Open Issues 8
    4. Alternatives and competition 8
    4.1 Vendors 8
    5. Product Overview 9
    5.1 Context Diagram 9
    5.2 System Functions 11
    5.2.1 Authentication 11
    5.2.2 Authorization 11
    5.2.3 Role based access 11
    5.2.4 User life-cycle management 11
    5.2.5 Self Administration 11
    5.2.6 Single Sign on 11
    5.2.7 Provisioning access data to various systems 11
    5.2.8 Auditing and Reporting 12
    5.3 Summary of Capabilities 12
    6. Product Features 12
    6.1 Password Management 12
    6.2 Self Service 12
    6.3 User Account Administration 12
    6.4 Provisioning 12
    6.5 Workflows 12
    6.6 Audit Reporting and Audit Control 12
    6.7 Defining and Enforcing policies 12
    7. Development Tools 12
    7.1 Environmental Requirements 13
    8. Risks and Constraints 13
    8.1 Constraints 13
    8.2 Risks 13
    9. Quality Ranges 13
    10. Use Case Diagram 14
    10.1 Overall 14
    10.2 User Functions Use Case Diagram 15
    10.3 Administrative Functions Use Case diagram 15
    10.4 Audit and Reporting Functions Use case diagram 15
    A. Appendices 16
    A.1 Definitions, Acronyms, and Abbreviations 16
    A.2 References 16


    1. Introduction

    1.1 Document Purpose

    The purpose of this document is to describe the positioning, scope and features of the Enterprise Access Management initiative. It focuses on defining the ABC need for Access Management and providing details on how this initiative would help fulfill those needs. The content in this document reflects

    1.2 Document Scope

    This document will focus on the features of Access Management. It will supply project implementation teams with the background and objectives for developing the access framework. It is not intended to describe the processes associated with future usage of the framework.

    1.3 Overview

    This document is intended for anybody who is interested in understanding the scope of the solution that will be provided by this project.

    This document begins with an overview of the business problem, project assumptions and project scope. A summary of product capabilities is followed by a description of major features.

    2. Positioning

    2.1 Business Opportunity

    Describe the benefits of having centralized access management from a security standpoint, and the ease of user life-cycle management across multiple platforms.

    The centralization of cross-environment management provides a common interface for administration of user access information, thus reducing education and maintenance costs.

    Access management policies should be implemented as part of the standards and procedures which are derived from the corporate security policy. Without centralized access management it is extremely difficult to enforce the corporate policy in a complex environment dealing with a variety of target platforms, different system specifications and administrators.

    The user typically has multiple accounts and passwords. The ability to synchronize passwords across platforms and applications provides ease of use for the user. It can also improve the security of the environment because each user does not have to remember multiple passwords and is therefore less likely to write them down. Password strength policy can also be applied consistently across the enterprise. Centralized password resets enable a user or administrator to reset one or all account passwords from a central interface. This prevents lost productivity due to the inability to access critical systems.

    As the number and type of users within the scope of an organization's access management system changes, there will be increasing burdens on the system. Any centralized system run by an IT department could face the burden of having to manage users that are within other business units, or even within other partner organizations. A key feature of any centralized system therefore is the ability to delegate the day-to-day management of users to nominated leaders in other business units or partner organizations.

    Managing access and account related data involves a great deal of approvals and dependencies. It takes a lot of time and effort to collect the necessary approvals and check for all sorts of dependencies between related components. To reduce these often manually conducted chores, the access management system should have an automated workflow capability that allows the system to gather approvals, reduce administrative workload, reduce turn-on time for new managed identities, and enforce completeness of information.

    2.2 Business Objective

    2.3 Problem Statement

    1. ABC has a very complex environment with multiple access data stores scattered over various directory servers and databases, namely iPlanet, Active Directory, PRODUCT TOOL, and within application databases that support authentication for individual applications.

    2. A request for setting up a user account in the desired systems takes anywhere from 4-6 weeks. There is a need to reduce the cost and latency associated with this process. This process is even slower for contractors. There is no system in ABC that stores contractor information.

    3. Once a user is in the system, they typically have multiple accounts and passwords to manage. This not only results in inefficiency but there is also an associated cost, as more frequent assistance is sought by each individual user to maintain their myriad of accounts and passwords.

    4. We have security policies but a lack of awareness and no clearly defined way of enforcing them consistently across the enterprise.

    5. We are moving towards becoming a role based organization but there is no access management to reflect and support that.

    6. Orphan user ids, contractors??

    7. There is no Single Sign-on capability.

    8. There is no single clearly defined process for data synchronization.


    3. Vision, Assumptions and Scope

    3.1 Vision

    To have an Access Management solution that provides a product which, together with a set of standard processes around it, manages the complete life cycle of the security profile of ABC system users from a single authoritative source. The vision is to achieve a single source of truth for all identities across all systems.

    System Users: ABC employees across all businesses, all contractors, vendors and trading partners that need access to ABC systems

    ABC Systems: LDAP, AD, Lotus Notes, PRODUCT TOOL, OS/Platforms and application databases

    Trusted Sources: HR database, CORE Database.

    Standardized processes:

    - Process that feeds into Access Management
    - Process that ensures compliance with ABC security policies
    - Unified password policy across all systems
    - Standard process for password management and profile management
    - Standard process for administering the access management, including managing security policies and access control

    3.2 Assumptions

    1. Active Directory and iPlanet will stay as they are in the current system and will continue to support the various Unix and MS desktop applications.

    2. Commitment from the stakeholders is key to the success of this project.

    3.3 In scope

    The scope for this project has been divided into three phases. This will allow the project team to focus on the immediate tasks without losing sight of the long term vision as stated above. Each phase assumes a successful completion of the previous one and builds upon that.

    Phase I: Current state analysis and completion of FPOC

    1. Produce a current state document that details the current system in terms of access data flow and the dependency of various applications and systems on the iPlanet and Active Directory servers. This document will also capture the cost associated with the operations.

    2. Deliver a full Proof-of-concept (FPOC) including the selected product, Portal Framework, iPlanet and Active Directory. Investigate the viability of provisioning to PRODUCT TOOL, Lotus Notes and Unix accounts. The FPOC will include user administration, Single Sign on, workflows and automated provisioning. The project team will produce a post-FPOC document manual, and a decision to accept/reject the product will be made based upon the FPOC results.

    3. This phase will produce a future state description document that will discuss access management as it aligns with the vision.

    Phase II: Support the EPF release in Qtr 1 of 2004.

    1. During this phase, the Access Management product will be implemented with partial scope.


    The scope will include the functionality of receiving the feed from HR and other trusted sources and of generating the account IDs. Access Management will ensure pushing the data to iPlanet, Active Directory and the BroadVision Database to completely support the launch of the second release of EPF.

    2. As part of this initiative, we will review the use of MMS and Psync and make a recommendation about it.

    Phase III: This may involve a series of projects implementing the complete Access Management solution, piece by piece, until the envisioned future state is reached. The processes may continue to evolve and new policies be set up as part of the standard change management effort.

    3.4 Out of Scope

    1. Actual conversion of existing systems and applications to utilize the access management framework is not in scope.

    2. Integrating into Access Management the various applications that currently authenticate against iPlanet and/or Active Directory is not in scope.

    3. Implementing an enterprise wide SSO.

    3.5 Open Issues

    1. There is a huge endeavor of cleansing of data which will be a pre-requisite to implementing access management. This involves data resulting from name changes, generic ID assignments as well as missing ids.

    2. Understanding the current security policies and how clearly defined they are. How will these translate to our project? This would be a question for xxx when we discuss Risk.

    3. Is investigating the re-design of the LDAP schema in scope of this project? This was brought up by xxx and we need to discuss this today.

    4. IM track, Solar Upgrade and Associate Data Synchronization efforts.

    5. What is the ABC strategy about including Trading Partners under the Access Management umbrella? Feedback from MPIP is sought on this issue.

    6. Role categories at a very high level, in order to aid the standardization of the user set-up process based upon their role/category.

    4. Alternatives and competition

    Access Management was in the scope of the ABC Enterprise Portal Framework (EPF) project to meet the requirement for a secure portal, provide Single Sign-on ability and role based access. The EPF Access Services team investigated several industry-standard solutions, drawing from a list of vendors recommended by AMR. As part of a formal procurement process, RFPs were sent to Oblix, Netegrity, VENDOR XXX, Sun and Novell. After evaluating the RFP responses, three vendors were short listed: VENDOR XXX, Oblix and Netegrity. These three vendor finalists were invited to perform product demonstrations based on an ABC-provided script.

    4.1 Vendors

    Netegrity was eliminated due to weakness in its administration tool and batch processing.

    VENDOR XXX and Oblix were evaluated according to a rigorous scoring model.


    VENDOR XXX was selected due to viability and strategic fit.

    5. Product Overview

    A complete security and access product would provide a solution for access control, user credentials, policy enforcement, business process automation, auditing, and ease of administration. It should also provide interconnectivity and support for existing sub-systems in the enterprise. The solution should be flexible so as to adapt to the changing needs of access management in the enterprise.

    The product should provide mechanisms for access control that address component protection, security management, component access, cryptographic support, and identification and authentication of system users.

    Implementing access management policies that comply with the corporate security policy is a key factor for a successful Access and Credential Management system. Providing central control makes it possible to accommodate the business and security policies, enabling security administrators to implement them in an efficient and enforceable way.

    The product should provide for business process automation by automating approvals and dependencies in the account creation process. It should reduce administrative workload, reduce turn-on time for new managed identities, and enforce completeness.

    The ability to centralize auditing and logging of all additions, changes and deletions made on user repositories should be provided for, to reduce tracing of events on disparate systems.

    The selected solution should reduce the need for several administrative interfaces for user management. It should also provide a level of self-service to reduce the administrative workload. Delegated administration should be provided.

    The selected solution should allow for the administration of the several user repositories that exist in the enterprise. This will reduce the need for specialist administrators for the various sub-systems that exist in the enterprise. This will also allow for security policies to be uniformly applied across the organization.

    5.1 Context Diagram

    [Context diagram (figure). Labels recovered from the figure: Identity Management functions: Authentication, Authorization, Role Based Access, Auditing and Reporting, User Life-Cycle Management, Single Sign On, Provisioning Identity Data to Various Systems, Self Administration. Managed Assets within the enterprise systems and resources: Data, Databases, Directory Servers, User accounts/Identities, Applications. Actors: Users, Administrators.]


    5.2 System Functions

    The Access Management system functions are described below to give a high level understanding of the functionality.

    5.2.1 Authentication

    The process of identifying an individual, usually based on a user name and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

    5.2.2 Authorization

    Authorization is the process of granting or denying access to a resource based upon credentials. Most computer security systems are based on a two-step process. The first stage is authentication, which ensures that a user is who he or she claims to be. The second stage is authorization, which allows the user access to various resources based on the user's identity and access rights.

    5.2.3 Role based access

    With Role Based Access Control, or RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles to provide access to the appropriate systems.
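    As an added illustration that is not part of the vision document or of any vendor product, the following Python sketch puts 5.2.1 through 5.2.3 together: a two-stage check where authentication only verifies the claimed identity and authorization then decides, deny-by-default, from the roles a user holds; the roles and privileges are taken from the actors and use cases in section 10 (User, Administrator, Auditor), while the credential store, the PBKDF2 password hashing and the privilege names are assumptions.

```python
"""Authenticate-then-authorize with role based access control.
Added example; users, roles and privilege names are constructed."""
import hashlib
import hmac
import os

# Role -> privileges, per 5.2.3: a user holds one or more roles, a role
# grants one or more privileges. Anything not listed here is denied.
ROLE_PRIVILEGES = {
    "user": {"sign_on", "manage_password", "manage_profile"},
    "administrator": {"define_policies", "manage_access_levels", "manage_identities"},
    "auditor": {"run_audit_reports"},
}


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 so the store never holds a cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, roles):
    """Build a constructed credential-store record: salt, hash, roles."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


# Constructed credential store for the example (not real accounts).
USERS = {
    "alice": make_user("correct horse battery staple", ["user"]),
    "bob": make_user("admin-pass-example", ["user", "administrator"]),
    "carol": make_user("audit-pass-example", ["auditor"]),
}


def authenticate(username, password):
    """Stage one (5.2.1): is the caller who they claim to be? Says nothing
    about what they may do."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs as much as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


def privileges_for(username):
    """Union of the privileges granted through all of the user's roles."""
    record = USERS.get(username)
    if record is None:
        return set()
    return set().union(*(ROLE_PRIVILEGES.get(r, set()) for r in record["roles"]))


def authorize(username, privilege):
    """Stage two (5.2.2): deny unless some role the user holds grants it."""
    return privilege in privileges_for(username)


def access(username, password, privilege):
    """The full two-stage decision; both stages must pass."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, privilege):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "manage_password"))
    print(access("alice", "correct horse battery staple", "define_policies"))
    print(access("bob", "wrong password", "define_policies"))
```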

    5.2.4 User life-cycle management

    Lifecycle management is a term used to describe how entities (e.g. identities, accounts) become available, are interacted with, managed and finally destroyed. The life cycle of a typical user includes the initial creation of the user's account, provisioning accounts for the user's use, maintenance or modification of the user and the user's rights, and finally the termination of the user's accounts and access rights.

    5.2.5 Self Administration

    Self administration refers to a user's ability to perform or request administrative actions for their accounts. Typical self-administration features include the ability to change a password, reset a password, update their personal and account information, and place requests for access to sub-systems.

    5.2.6 Single Sign on

    Single Sign-On is a term used to refer to a system that allows a user to log into a system once and thereafter use applications without further authentication.

    5.2.7 Provisioning access data to various systems

    Access provisioning is the act of creating, updating and deleting user account data in given targeted systems, in order to keep the data used by other applications or resources up to date with the central access data store.


    5.2.8 Auditing and Reporting

    In order to comply with the security policies of any company, there are requirements for any access system to provide auditing and reporting capability. This could include auditing some or all transactions at system level and generating reports based on audits and other mechanisms that would aid in monitoring and maintaining the system and processes on an ongoing basis.

    5.3 Summary of Capabilities

    - User Administration
    - Account Provisioning
    - Policy Enforcement
    - Life Cycle Management and Workflow
    - Delegated user administration
    - Access Control, Authorization and Authentication
    - Role based Access control (RBAC)
    - User Self Service and Password management
    - Single Sign on capabilities
    - Auditing and Reporting capabilities

    6. Product Features

    6.1 Password Management

    6.2 Self Service

    6.3 User Account Administration

    6.4 Provisioning

    6.5 Workflows

    6.6 Audit Reporting and Audit Control

    6.7 Defining and Enforcing policies

    7. Development Tools

    ?.


    7.1 Environmental Requirements

    8. Risks and Constraints

    8.1 Constraints

    The project team met with representatives from Risk Management to discuss the risk areas. The current PRODUCT TOOL process was discussed at length. Some key facts and constraints associated with that are documented here:

    1. There are about 200 mainframe applications that require PRODUCT TOOL ids. There are currently anywhere between 75 to 78 thousand PRODUCT TOOL ids, which translates to less than a third of ABC employees. A lot of these are generic IDs which are used by the store associates. The understanding is that there is a 1:1 correlation between the generic ID and the person using that id.

    2. ABC uses the same PRODUCT TOOL database that is shared across many other companies. This poses a challenge in the process of achieving uniqueness of IDs.

    3. Until two months ago, when a new hire was established in the ABC system without a request for a PRODUCT TOOL id, a unique user-friendly LDAP ID was created for the user. If a request for a PRODUCT TOOL ID came at a later time and the LDAP user ID already existed in the PRODUCT TOOL database, then the user was assigned a new unique PRODUCT TOOL ID which would also become their LDAP id. What this meant was that the LDAP ID had to be changed in order to provide a single user ID to the user.

    4. The current process, which has been in place for two months now, interfaces with a system called Master Users Database System (MUDS) that has visibility into all existing PRODUCT TOOL IDs within and outside of ABC. What this does is, at the time of hire, it looks up MUDS and reserves a unique ID in MUDS for the user, without actually creating the PRODUCT TOOL ID (if there is no request for one). It then checks LDAP for uniqueness and then creates the LDAP id. The process of checking both MUDS and LDAP for uniqueness and generating a new ID continues until an ID is found that is unique in both. This is the ID that is reserved in MUDS for this user. If at a later time a PRODUCT TOOL request is made for this user, the reserved ID is assigned. Access management will have to replicate this process.

    5. Home Services PRODUCT TOOL processes are outsourced to VENDOR XXX. They are approximately 15000 in number and are mostly generic IDs. These also use MUDS for the ID lookup.

    6. There is no single source of contractor information and the requests for their PRODUCT TOOL ids come from individual businesses.

    7. List any contractual constraints
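    The reservation procedure described in constraint 4, written out as an added example that is neither the document's own nor VENDOR XXX's code: the in-memory stand-ins for MUDS and LDAP, the first-initial-plus-surname ID scheme with numeric suffixes, and the retry limit are all assumptions. The point it makes concrete is that a candidate ID is reserved only once it is free in both systems, and that a later PRODUCT TOOL request reuses the reservation rather than generating a new ID (the situation constraint 3 describes).

```python
"""ID reservation across MUDS and LDAP (constraint 4). Added example;
both stores, the ID format and the retry limit are constructed."""


class Muds:
    """Constructed stand-in for the Master Users Database System: sees
    every PRODUCT TOOL ID inside and outside ABC, and holds reservations."""

    def __init__(self, existing):
        self.ids = set(existing)   # IDs already taken anywhere
        self.reserved = {}         # user -> reserved ID (no PRODUCT TOOL account yet)

    def exists(self, candidate):
        return candidate in self.ids

    def reserve(self, user, candidate):
        if candidate in self.ids:
            raise ValueError(f"{candidate} already taken in MUDS")
        self.ids.add(candidate)
        self.reserved[user] = candidate


class Ldap:
    """Constructed stand-in for the iPlanet/LDAP directory."""

    def __init__(self, existing):
        self.uids = set(existing)

    def exists(self, candidate):
        return candidate in self.uids

    def create(self, candidate):
        self.uids.add(candidate)


def candidate_ids(first, last):
    """Assumed ID scheme: first initial + surname, then numeric suffixes."""
    base = (first[:1] + last).lower()
    yield base
    n = 1
    while True:
        yield f"{base}{n}"
        n += 1


def provision_user(first, last, muds, ldap, max_tries=100):
    """Generate candidates until one is unique in both MUDS and LDAP, then
    reserve it in MUDS and create the LDAP entry. Raises if no candidate
    is found within max_tries (assumed safeguard, not in the document)."""
    for tries, candidate in enumerate(candidate_ids(first, last), 1):
        if tries > max_tries:
            raise RuntimeError("no unique ID found")
        # Both checks must pass: an ID free in LDAP but taken in MUDS would
        # collide later, when a PRODUCT TOOL request is made for this user.
        if muds.exists(candidate) or ldap.exists(candidate):
            continue
        muds.reserve(f"{first} {last}", candidate)
        ldap.create(candidate)
        return candidate


def assign_product_tool_id(user, muds):
    """Later PRODUCT TOOL request: hand out the reserved ID, not a new one,
    so the LDAP ID never has to change."""
    return muds.reserved[user]


if __name__ == "__main__":
    muds = Muds({"jsmith", "jsmith1"})      # constructed: taken elsewhere
    ldap = Ldap({"jsmith2"})                # constructed: taken in LDAP
    uid = provision_user("John", "Smith", muds, ldap)
    print(uid, assign_product_tool_id("John Smith", muds))
```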

    8.2 Risks

    Risk | Probability | Impact | Mitigation Strategy

    Lack of security awareness among users. This is a potential risk as the SSN will be replaced with a system generated ID for the employee ID in the HR system. The generated ID can potentially be exposed more if the user does not treat it with the same level of protection as the SSN. | high | high | -

    The current password reset does not use SSL and the data is sent as cleartext. | low | high | The selected product should send data over SSL during self administration.

    For Access Management to replicate the current process that reserves a PRODUCT TOOL ID for a new user, a programmatic lookup into MUDS will be required. MUDS is owned by VENDOR XXX and the contract does not allow any visibility into that. | high | high | -

    There is an indication that ABC as an organization will not move towards a role based structure any time in the near future. Since role based access control (RBAC) is an integral part of a successful access management solution and is closely tied to the organizational structure, this may result in a less than optimal solution for ABC. | - | - | -

    9. Quality Ranges

    10. Use Case Diagram

    10.1 Overall


    10.2 User Functions Use Case Diagram

    10.3 Administrative Functions Use Case diagram

    10.4 Audit and Reporting Functions Use case diagram

    [Use case diagram (figure), all use cases from the Use Case View. Actor User: User Sign on; User Self Administration, which uses Manage Password and Manage Profile. Actor Administrator: Define Policies, Manage Access levels, Manage Identities. Actor Auditor: Run Audit Reports.]


    A. Appendices

    A.1 Definitions, Acronyms, and Abbreviations

    A.2 References
