ARC203 Planning an IAM Strategy for your Organisation Gary Williams Principal Consultant – Microsoft UK.


Agenda
- Introduction
- Identity facts & stats
- Understanding the problem space
- Business benefits
- Defining the plan
- Structured approach
- Recommendations

Introduction: The Challenge
- Today’s IAM systems are ad hoc, built one app or system at a time
  - Apps, databases, OS lack a scalable means of managing identity/credentials/policy across boundaries
  - Fragmented identity infrastructure: overlapping repositories, inconsistent policy frameworks, process discrepancies
  - Error prone, creates security loopholes, expensive to manage
- The disappearing/extending perimeter has put identity on the radar
- Infrastructure requirements: extend reach and range
  - Increased scalability, lower costs
  - Balance of centralised and distributed management
  - Infrastructure must become more general-purpose and re-usable

Islands of Applications: has led to islands of identities
[Chart: number of digital IDs over time (pre-1980s, 1980s, 1990s, 2000s). Applications: Mainframe, Client Server, Internet. Business automation: Company (B2E), Partners (B2B), Customers (B2C), Mobility.]

Identity Facts & Stats: The Problems
- Too Many User Repositories
  - Enterprises have 68 internal and 12 external account directories
  - 75% of internal users and 38% of external users are in multiple stores
- Increasing IT Operational costs
  - 45% of all help desk calls are for p/w resets
  - Organizations are managing on average 46 suppliers, spending over 1380 hours managing changes to access privilege.
- Inefficient Account Provisioning/De-Provisioning
  - User management consumes 34% of the total time IT spends on IdM
  - User accounts get created in 16 systems and deleted in 10.
- Impact on User Productivity
  - On average IT is managing access to 73 unique applications requiring user access.
  - Average user spends 16 minutes a day for logins
  - SSO increases user productivity by 15% and efficiency by 18%
Source: META Group research conducted on behalf of PricewaterhouseCoopers

Identity Facts & Stats: The Savings
- Reduction in time spent logging on and accessing systems increases productivity
  - Average of 16 minutes per user per day
- Managing the identity lifecycle
  - IT need to provide resource availability and ensure network security.
  - Time spent managing user authentication and access control is 54,180 hours per year.
  - A 25 percent improvement in IdM efficiency would equal 13,545 hours saving for a large organisation.
- Forty-five percent of Helpdesk calls are for password resets
  - Automating password resets reduces this call volume by approximately one third.
  - For an organisation with 10,000 users this is equivalent to an estimated annual cost saving of £375,532.
- Eliminating duplicate identity data
  - Streamlines administration processes and reduces TCO
  - The average timesaving for centralised and consolidated user store management is predicted to equal 1,236 hours per year for large organisations
Source: META Group research conducted on behalf of PricewaterhouseCoopers

Corporate Identity: A set of claims about someone
- I work in accounts
- I am a people manager
- I am based in the head office
- I have stock allocation
- Authorised to access personnel records

Identity Management construct
- The identity information at a minimum must hold the following:
  - Name and other basic common identifiers
  - Roles and responsibilities
  - Organisational units
  - Line management
  - Physical locations
  - Contact details
- Coherent and consistent set of business rules and policies to determine systems access controls.
- Authentication, Authorisation and Auditing of the individual and admin staff
- Business processes that establish, capture and propagate changes to the organisational structure.
- Technical standards relating to Identity and Access Management
- Working towards compliance with industry/sector standards

Viewing the challenge

An Identity Lifecycle
- New User
  - User ID Creation
  - Credential Issuance
  - Access Rights
- Account Changes
  - Promotions
  - Transfers
  - New Privileges
  - Attribute Changes
- Password Mgmt
  - Strong Passwords
  - “Lost” Password
  - Password Reset
- Retire User
  - Delete/Freeze Accounts
  - Delete/Freeze Entitlements

Identity & Access Management
A system of procedures and policies enabled by software to manage the lifecycle and entitlements of digital credentials
- Directory Services: Repositories for storing and managing accounts, identity information, and security credentials.
- Access Services: The process of authenticating credentials and controlling access to networked resources based on trust and identity.
- Identity Lifecycle Management: The processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance.

What must be included? Building the business case!
[Diagram labels: Identity Management; Authentication; Auditing; Monitoring; Identity Lifecycle; Security; Regulatory Compliance; Authorisation; Jurisdictional Compliance]

Identity & Access Management: Providing the right people with the right access at the right time
[Diagram labels: Identity Store; Authentication (Who am I); Authorisation (What can I do); Lifecycle Management / Administration; Monitoring/Audit]

When Identity Management fails
- Lack of process surrounding identities
- Fragmented management
- No overall view or strategy of all systems and their relationships.
- Different groups own the same parts of an identity
- No real single source of “truth”, data quality and currency.
- Identity data proliferation is endemic within the identity stores in the organisation
- Product integration (lack of) is preventing IAM clarity
- Product selection must achieve
  - Business justification
  - Work against business requirements
- Product selection without appropriate rationale and evaluative rigour against business requirements presents a risk for sustainability

Planning
- Think strategically act tactically
- Phased approach
- This is generally not a technical problem
  - Business processes
  - Workflow definition
- An IAM solution is a services engagement
- There is no out of the box solution

How do you deliver it? Act Tactically, Think Strategically
[Diagram: Identity & Access Management (IAM). Labels: White Pages; Web Single Sign-on; Self Service Profile Management; Automated Hire and Fire; Role Based Access; Password Management; Directory Consolidate/Rationalise; Provision/De-provision]

IAM Strategy
[Diagram; labels in extraction order: Lifecycle Management Self-Service Interface Automated Synch. Automated Provisioning Password Management IDM Workflow Auditing & Reporting Policy Mgmt. Enterprise Role-Mgmt. Enterprise User-Mgmt. Enterprise Front-end Services Provisioning Services Web SSO Federated SSO Unix/Linux SSO Host SSO Remote Access Access Audit & Rep System Access Services Presence Access Services User Mgmt. Infrastructure Mgmt Network Security Access Control Network Mgmt. Service Mgmt. Directory Services Smartcard Mgmt. Certificate Mgmt. Information Rights Mgmt. Extended Directory Services Directory Services]

What are the business benefits?
[Diagram headings: Benefits to take you forward (Strategic); Benefits today (Tactical)]
- Enabling Compliance with Regulation
- Improved time to deliver applications and service
- Increasing Security, Reducing Risk
- Reduced Operating Costs through IT and Process efficiency
- Image & reputation
- Competitive advantage
- Policy enforcement
- Retention & loyalty

Goals of an IAM Strategy
- Provide a secure, pervasive, consistent and reliable authentication and authorisation mechanism to users
- Adherence to open standards that allow heterogeneous integration across security boundaries.
- Reduce the overall cost of IAM infrastructure.
- Reduce cost of managing identities
- Extending access to applications & files to out of office/mobile users
- Improve management and maintenance of user identities.

IAM Strategy Recommendations
- Document the identity and access management (IAM) infrastructure.
  - Understand what the business has, how it operates, who is responsible for which pieces and how they function.
- Produce fast results – achieve some quick, low cost results
- Address high risk areas early – security issues are often the primary business concerns.
- Allow easier security auditing
- Increase integration between directory and security and application services
- Improve capabilities that promote the ease and efficiency of finding organisational data
- Precise management of identity entitlements and modification or termination of system access rights through provisioning and de-provisioning mechanisms

IAM Strategy Recommendations
- Assess existing systems for accreditation and adherence to industry standards
- Use a standard set of security protocols
- Rationalise, synchronise and where appropriate reduce numbers of directory services and identity information repositories
- Reduce identity duplication and combine capabilities
  - To simplify overall infrastructure
  - Reduce management/administration efforts
- Enable a greater degree of single sign-on capabilities across the business systems
- Allow easier security auditing
- Improve capabilities that promote the ease and efficiency of finding organisational data
- Manage identity entitlements of system access rights through provisioning and de-provisioning mechanisms

Best Practices: Insights and lessons learned
- Most IAM projects are bigger than organisations expect
- Justification can be broken down with one or more applicable to your project business case
- Not all technologies within IAM provide direct benefits though all are necessary for the complete framework
- Be careful that the use fits your environment, use the proper justification and benefit statements as part of your deployment

Best Practices: Insights and lessons learned (cont.)
- Understand your requirements, the IAM marketplace is evolving and not all tools provide the same functionality
- Hard numbers for ROI are just coming to light
- Some of the benefits will not be recognised until the IAM tools for the justification have been fully deployed
- Business justifications are personal to an organisation, use the ones shown by market analysts as the starting point toward achieving the goals you set out

Best Practices: Conclusion
- Benefits will vary depending on what your goals are
- Combine as many justifications as possible in your IAM roadmap
- Pick a high visibility project with a short deployment timeframe to start reaping the benefits and to help in justifying future initiatives e.g. Password Management
- Continue to monitor the market analyst websites as new ROI information and cost models are developed and published

©2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

IAM Scenarios
- Automated management of user accounts
- Delegation
- Delegation Management
- Automated group management
- Automated management of user entitlements
- Group consolidation and management
- Role consolidation and management
- Claims management
- Automated management of user resources
- Self-service for temporary access privileges

IAM Scenarios
- Self-service credentials management
- Self-service group & distribution list management
- Self-service access management
- Self-service personal data management
- Resource entitlement reporting
- Self-service delegation
- Account creation/deletion reporting
- Compliance reporting
- Policy reporting
- Certificate lifecycle management
- Certificate authority management
- Logical/physical access management