Identity and Access Management Dustin Puryear Sr. Consultant, Puryear IT, LLC
Objectives Find a common background for discussing IAM Discuss problems and opportunities in the field Introduce terminology Highlight a possible future direction
Session Agenda Today’s Problems Making It All Better Now What? Viva La Resistance! Puryear IT
This Presentation This presentation was written with audit/compliance in mind. Contact to have Dustin Puryear present this topic to your organization or company.
Today’s Problems
Who am I? Who are you? Networks use multiple identity systems The Internet is no better Users get confused with all of these IDs Management and audit has difficulty keeping track of all these IDs The bad guys are quite happy
So many IDs! Person Active Directory Account Online HR Info Account PeopleSoft User Account …
Multiple Contexts Remote Employees Suppliers PartnersCustomers Employees
Trends Regulation and Compliance SOX, HIPAA, GLB Increasing Threats Identity theft Exposure of confidential info Maintenance Costs The average employee needs access to 16 applications Companies spend an estimated $20-30 user/year for password resets
The Real Impact End-users Too many IDs Too many passwords Must wait for access to applications Administrators Too many IDs Too many end-user requests Difficult or unreliable ways to syncs all the accounts Audit/Compliance Orphaned accounts Limited or no audit capability Where are the audit trails?
Making It All Better
Identity and Access Management IAM Password Management User Provisioning Directories Audits & Reporting Authorization Role Management
The Benefits of IAM Save money Improve operational efficiency Reduce time to deliver applications and services Enhance security Enhance regulatory compliance Give more power to audit
Let’s Define IAM Terms Authentication (AuthN) Verify that a person is who they claim to be This is where multi-factor authentication comes into play Identification and authentication are related but not the same Authorization (AuthZ) Deciding what resources can be accessed/used by a user Accounting Charges you for what you do
IAM is a Foundation Identity Management Account Provisioning & Deprovisioning Synchronisation Administration User Management Password Management Workflow Delegation Audit and Reporting Access Management AuthN AuthZ
Now What?
Implement IAM! Start Slow! Define your Single Source of Truth (SSOT) Unfortunately, there may be more than one, if that makes sense.. Implement the “big wins” User provisioning to Active Directory Password resets
But How? SSOT Work with your team, IT, and management to determine the true source of user information User Provisioning to AD It’s already happening! Solutions Microsoft ILM CA eTrust Admin Sun IM …
The Results! User provisioning can be automated Password resets can be delegated to the helpdesk And the big one: You can now audit both the user provisioning and password resets
The Next Step Extend User Provisioning To PeopleSoft Lawson Oracle Custom/in-house applications Begin consolidating user directories Can you point some or all of your applications at AD or LDAP?
Authorization This is the hard one! Applications define their AuthZ rules differently Try to consolidate to an AD/LDAP authz landscape Tackle this one application at a time!
The Power is Yours You can now audit/review: Who has what accounts? Why do they have those accounts? Who approved those accounts? Are there any orphaned accounts? Who has access to what? For how long have they had that access?
And there is more.. You can control access to your web- enabled applications using a Web Access Manager (WAM) Don’t forget about SSO! What about federated identities and your partners and suppliers?
Viva La Resistance!
IT Resistence Sometimes IT resist a formalized IAM process because: “We are too busy” “We can’t afford it” “We don’t want to give up control!”
“We are Too Busy” This is a common response IT is too busy.. Because they are resetting passwords all day Working too hard to create accounts Learning too late that orphaned accounts are being misused/attacked
“We Can’t Afford It” There are small and big solutions to this problem If you are an AD-only shop with minimal applications, then you can start small Larger enterprises have no choice, they can’t afford not to!
“We Don’t Want to Give Up Control!” This is usually the root of the disagreement. They are responsible for IT They don’t want problems in IAM to reflect poorly on them They are used to the control, even if it’s not necessary
A Compromise Take control without giving up control! A middle-ground: IAM solutions can be used to explore user directories/databases Reports can be generated IT can still do the provisioning itself
Summary
It’s becoming impossible to manage all of these accounts and rights by hand You can automate controls You can automate audit reports You can control THE PROCESS!
Who We Are? Puryear IT is THE IAM specialist in Louisiana We help small and large companies, ranging from 100 users to well over 20,000+ users We are vendor-agnostic, and have worked with everyone, including: Microsoft CA Sun
We Can Help IT to.. Help you tackle your IAM needs Integrate Linux, UNIX, and J2EE into Active Directory Build out AAA solutions Deploy Microsoft ILM, Sun IM, Novell IM, and CA IM Deploy small and large solutions
We Can Help Audit/Compliance to.. Build an automated user account and access rights tracking solution Log changes to user accounts and access rights Ensure passwords are changed as policies and regulations require Help you communicate your needs to IT Automate your manual tasks
Doing IAM Right Puryear uses a methodical approach to: Identify organization pain points Identify organization audit requirements Work with IT and audit to prioritize needs Develop an initial pilot deployment Roll out the final solution Help you manage and extend the solution
Dustin Puryear Sr. Consultant, Puryear IT, LLC