Identity Access Management

Objectives
Find a common background for discussing IAM
Discuss problems and opportunities in the field
Introduce terminology
Highlight a possible future direction

Today’s Problems
Who am I? Who are you?
Networks use multiple identity systems
The Internet is no better
Users get confused with all of these IDs
Management and audit have difficulty keeping track of all these IDs
The bad guys are quite happy

So many IDs!
Diagram: a Person, with IDs as Employee, Supplier, Customer and Partner

Trends
Regulation and Compliance
  SOX, HIPAA, GLB
Increasing Threats
  Identity theft
  Exposure of confidential info
Maintenance Costs
  The average employee needs access to 16 applications
  Companies spend an estimated $20-30 per user per year on password resets

The Real Impact
End-users
  Too many IDs
  Too many passwords
  Must wait for access to applications

IAM
Diagram: IAM at the centre, linked to Password Management, Role Management, User Provisioning, Authorization, Directories, and Audits & Reporting

The Benefits of IAM
Save money
Improve operational efficiency
Reduce time to deliver applications and services
Enhance security
Enhance regulatory compliance
Give more power to audit

Let’s Define IAM Terms
Authentication (AuthN)
  Verify that a person is who they claim to be
  This is where multi-factor authentication comes into play
  Identification and authentication are related but not the same
Authorization (AuthZ)
  Deciding what resources can be accessed/used by a user
Accounting
  Charges you for what you do

IAM is a Foundation
Identity Management
  Account Provisioning & Deprovisioning
  Synchronisation
  Administration / User Management
  Password Management
  Workflow
  Delegation
  Audit and Reporting
Access Management
  AuthN
  AuthZ

Now What?
Implement IAM!
Start Slow!
Define your Single Source of Truth (SSOT)
  Unfortunately, there may be more than one, if that makes sense...
Implement the “big wins”
  User provisioning to Active Directory
  Password resets

But How?
SSOT
  Work with your team, IT, and management to determine the true source of user information
User Provisioning to AD
  It’s already happening!
  Solutions: Microsoft ILM, CA eTrust Admin, Sun IM, …

The Results!
User provisioning can be automated
Password resets can be delegated to the helpdesk
And the big one:
  You can now audit both the user provisioning and password resets

The Next Step
Extend User Provisioning
  To PeopleSoft, Lawson, Oracle
  Custom/in-house applications
Begin consolidating user directories
  Can you point some or all of your applications at AD or LDAP?

Authorization
This is the hard one!
Applications define their AuthZ rules differently
Try to consolidate to an AD/LDAP AuthZ landscape
Tackle this one application at a time!

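The AuthN / AuthZ / Accounting split from the terms slide, and the idea of consolidating each application’s own AuthZ rules onto directory group membership, are easy to confuse in the abstract. The following example is added here and is not from the deck or from any of the products it names: a toy directory with salted password hashes and group memberships, two applications whose access rules are re-expressed as “member of which group”, and an accounting log that records every decision. All usernames, passwords, group names and application names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    groups: frozenset


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real directory stores; never keep plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(username: str, password: str, groups) -> User:
    salt = os.urandom(16)
    return User(username, salt, _hash_password(password, salt), frozenset(groups))


# Constructed directory: stands in for AD/LDAP. Group names are hypothetical.
DIRECTORY = {
    u.username: u
    for u in [
        make_user("alice", "correct horse battery staple", {"Staff", "Finance-Approvers"}),
        make_user("bob", "plain pass phrase for bob", {"Staff"}),
    ]
}

# Each application's AuthZ rule, consolidated into one rule language:
# (app, action) -> directory groups, membership in any one of which grants it.
APP_RULES = {
    ("payroll", "view"): {"Finance-Approvers", "Finance-Clerks"},
    ("payroll", "approve"): {"Finance-Approvers"},
    ("intranet", "read"): {"Staff"},
}

AUDIT_LOG = []  # Accounting: one record per AuthN and AuthZ decision


def _account(event: str, username: str, **details) -> dict:
    entry = {"event": event, "user": username, **details}
    AUDIT_LOG.append(entry)
    return entry


def authenticate(username: str, password: str):
    """Identification is the claim (the username); authentication verifies it.
    Returns the User on success and None otherwise; both outcomes are recorded."""
    user = DIRECTORY.get(username)
    if user is None:
        _account("authn", username, result="unknown-user")
        return None
    ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
    _account("authn", username, result="success" if ok else "bad-password")
    return user if ok else None


def authorize(user: User, app: str, action: str) -> bool:
    """AuthZ: decide whether an already-authenticated user may do `action` in `app`,
    using only directory group membership, so every app shares one rule language."""
    required = APP_RULES.get((app, action), set())
    via = user.groups & required
    _account("authz", user.username, app=app, action=action,
             granted=bool(via), via=sorted(via))
    return bool(via)


def access(username: str, password: str, app: str, action: str) -> bool:
    user = authenticate(username, password)
    if user is None:
        return False  # no AuthZ decision is ever made without successful AuthN
    return authorize(user, app, action)


if __name__ == "__main__":
    access("alice", "correct horse battery staple", "payroll", "approve")
    access("bob", "plain pass phrase for bob", "payroll", "approve")
    for entry in AUDIT_LOG:
        print(entry)
```

Keeping the decision in `authorize` purely a group lookup is what makes the consolidation auditable: adding an application means adding rows to `APP_RULES`, not a new rule engine, and the accounting log answers “who was granted what, and on the strength of which group” without reading application code.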
The Power is Yours
You can now audit/review:
  Who has what accounts?
  Why do they have those accounts?
  Who approved those accounts?
  Are there any orphaned accounts?
  Who has access to what?
  For how long have they had that access?

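Each of the questions above is a reconciliation between the Single Source of Truth, the directory, and the provisioning workflow’s approval records. The script below is an added illustration, not part of the deck and not the output of any IAM product: it takes three constructed exports (an HR record set as the SSOT, an AD/LDAP-style account list, and an approval log) and produces the orphaned-account, unapproved-account, to-provision and who-has-what-for-how-long reports. Usernames, group names, dates and the “as of” date are all made up for the example.

```python
from datetime import date
from typing import Iterable

AS_OF = date(2008, 6, 30)  # constructed report date

# Constructed SSOT export (HR system): who is a current person, and who manages them.
HR_RECORDS = [
    {"username": "alice", "status": "active", "manager": "dave"},
    {"username": "bob", "status": "terminated", "manager": "dave"},
    {"username": "erin", "status": "active", "manager": "alice"},
]

# Constructed directory export (AD/LDAP): which accounts exist and what they belong to.
DIRECTORY_ACCOUNTS = [
    {"username": "alice", "enabled": True, "created": date(2005, 1, 10),
     "groups": ["Staff", "Finance-Approvers"]},
    {"username": "bob", "enabled": True, "created": date(2006, 3, 2),
     "groups": ["Staff"]},
    {"username": "svc-backup", "enabled": True, "created": date(2004, 7, 1),
     "groups": ["Backup-Operators"]},
]

# Constructed provisioning workflow log: who approved which account, and why.
APPROVALS = [
    {"username": "alice", "approved_by": "dave", "reason": "new hire, finance"},
    {"username": "bob", "approved_by": "dave", "reason": "new hire"},
]


def reconcile(hr: Iterable[dict], accounts: Iterable[dict],
              approvals: Iterable[dict], as_of: date) -> dict:
    """Compare the SSOT against the directory and the approval log."""
    accounts = list(accounts)
    active = {r["username"] for r in hr if r["status"] == "active"}
    known = {r["username"] for r in hr}
    approved = {a["username"]: a for a in approvals}
    have_account = {a["username"] for a in accounts}

    report = {
        "orphaned": [],      # accounts with no active person behind them
        "unapproved": [],    # accounts nobody is on record as having approved
        "to_provision": sorted(active - have_account),  # people without an account
        "access": [],        # who has which group, since when, approved by whom
    }
    for acct in accounts:
        u = acct["username"]
        if u not in active:
            reason = "terminated" if u in known else "not in SSOT"
            report["orphaned"].append({"username": u, "reason": reason})
        if u not in approved:
            report["unapproved"].append(u)
        tenure_days = (as_of - acct["created"]).days
        for group in acct["groups"]:
            report["access"].append({
                "username": u,
                "group": group,
                "days": tenure_days,
                "approved_by": approved.get(u, {}).get("approved_by"),
            })
    return report


if __name__ == "__main__":
    result = reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, APPROVALS, AS_OF)
    for section, rows in result.items():
        print(section)
        for row in rows:
            print("  ", row)
```

Running it against the constructed data flags bob (terminated but still holding an enabled account) and svc-backup (an account with no person and no approval behind it) as orphaned, lists erin as an active person with no account yet, and shows every group membership with how many days it has existed and who approved the account. Once the same three exports are produced on a schedule, this is the audit report the deck promises, and the "to_provision" and "orphaned" lists are the inputs to automated provisioning and deprovisioning.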
And there is more...
You can control access to your web-enabled applications using a Web Access Manager (WAM)
Don’t forget about SSO!
What about federated identities and your partners and suppliers?

Viva La Resistance!
IT Resistance
Sometimes IT resists a formalized IAM process because:
  “We are too busy”
  “We can’t afford it”
  “We don’t want to give up control!”

“We are Too Busy”
This is a common response
IT is too busy...
  Because they are resetting passwords all day
  Working too hard to create accounts
  Learning too late that orphaned accounts are being misused/attacked

“We Can’t Afford It”
There are small and big solutions to this problem
If you are an AD-only shop with minimal applications, then you can start small
Larger enterprises have no choice; they can’t afford not to!

“We Don’t Want to Give Up Control!”
This is usually the root of the disagreement.
They are responsible for IT
They don’t want problems in IAM to reflect poorly on them
They are used to the control, even if it’s not necessary

A Compromise
Take control without giving up control!
A middle-ground:
  IAM solutions can be used to explore user directories/databases
  Reports can be generated
  IT can still do the provisioning itself

Summary
It’s becoming impossible to manage all of these accounts and rights by hand
You can automate controls
You can automate audit reports
You can control THE PROCESS!