Identity and Access Management
PMI Westchester Quality SIG Presentation September 12th 2017
Identity and Access Management is Everyone’s Responsibility
What is Identity & Access Management (IAM)?
A set of tools and services used to manage access to systems or resources used by personnel as well as by our customers.

Why is managing access important?
Controlling access = controlling risk.

How do we manage applications?
- Centrally-managed applications: you ask IT to do it. These use one or more centrally-managed IAM services.
- Business-managed applications: you ask someone in the business to do it. These are applications the business manages locally. The business owns and creates the access to the application, and the owner is responsible for the timely removal of that access when someone terminates or transfers jobs.

Who is responsible for managing access?
Everyone who manages employees or contractors in the organization.
Common Misperceptions
What do I need to do as a manager?

Common misperceptions:
- The IAM team can/will manage access on my behalf.
- Eventually all applications will be centrally managed.
- When someone leaves the company, HR makes sure their access is terminated.

Request, Review, Remove:
1. Request access for your personnel: contact your Role Profile Owner, or visit the IAM Support Central site.
2. Review access when prompted: high-risk applications are reviewed quarterly, all others annually.
3. Remove access when people leave: submit requests within 24 hours of a job change. Go to Workday for full-time employees and to the IAM Portal for contract workers.
IAM Program – Strategic Goals
Program pillars: Identities, Credentials, Entitlements, Access Control, Audit & Compliance.

Identity & Credentials:
- Move towards a culturally aware business climate around IAM and enforce the use of a common identifier for all personnel utilizing Organization assets, both employee and non-employee.
- Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve consistency, and minimize cost.
- Implement a robust privileged user management program to identify, manage, and monitor access of privileged accounts on the Organization network.
- Automate the provisioning and de-provisioning of core credentials and roles tied to identity events.

Entitlements and Access Control:
- Implement a business application on-boarding paradigm (aka "adoption") that enables targeted applications to integrate with IAM and minimizes the amount of re-work as the maturity of the overall IAM solution grows.
- Target high-risk applications (e.g. SOX/PCI) to be fully integrated with IAM, with identity-event-driven workflow to ensure full lifecycle automation and management (request, grant, review, remove, term, transfer).
- Integrate into the program high-risk physical and logical assets that have weak IAM controls and present risk to the firm (e.g. local admin, laptops, badging system, etc.).

Audit and Compliance:
- Enable the business to perform scheduled or ad-hoc access reviews of any group of assets across Organization, covering all users and the access they hold (i.e. "Who has access to what?").
- Provide accurate and timely compliance/auditing reports as well as metrics to operational teams, business areas, and other interested parties.
Application Classification: Functional Service Characteristics
Functional service characteristics are determined by maturity level and are cumulative. They will be implemented for each application where technically feasible. The evidence required depends on the service characteristics.

Target levels run from 4 (highest) through 3 (high) and 2 (medium) to 1 (low). Characteristics, listed from highest maturity to lowest:
- Event-driven account lifecycle
- Event-driven certification
- Entitlement integrity enforced through programmatic reconciliation
- Birthright-based account lifecycle
- Access request and fulfillment automated
- Closed-loop certification
- Privileged account usage tracked; sessions recorded; active discovery of privileged accounts
- Access request centralized workflow routing
- Single or reduced sign-on
- Assisted certifications
- Privileged accounts inventoried quarterly
- User populations identifiable
- Logs sufficient to illustrate IAM transactions
Identity and Access Management
IAM Capability Overview

Department Mission: To align Organization's identity and access management capabilities closer to the industry and its peers by reengineering business processes, enabling the business with technology, and introducing automation wherever possible in a cost-effective and efficient manner.

The program is organized into three areas: Technical Operations, Technical Development, and Business Operations.

Program Services

Technical Operations:
- Level 1 team to support the primary on/off-boarding processes for core credentials and logical assets.
- Primary support for provisioning and de-provisioning of any IAM-integrated applications (~80+).
- Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory.
- RSA/MFA and VPN support, including SecurID hard/soft token deployment.
- Project-based core technical support specific to both small (new app) and large (Blue, Orange) projects.

Technical Development:
- Design, development, and deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM program.
- Technical leadership on all existing as well as new IAM projects.
- SME for all existing and new IAM products, services, and tools.
- External IS project support wherever IAM SME experience is needed.
- Ownership and design of the IAM-deployed architecture supporting all Organization internal and external customers.
- Role and entitlement engineering and the support of existing RBAC models.

Business Operations:
- Enterprise business support for existing services as well as new projects.
- Oversight of quarterly and yearly reviews of end-user and privileged accounts.
- IAM solution on-boarding and deployment.
- User Acceptance Testing oversight and coordination with the Testing COE.
- Program communications, including metrics and reporting.
General IAM Services / Technical Portfolio
IAM – Current Services

- Unix LDAP (Temporary): Unix user store for UNIX authentication, replicated with GE.
- Unix LDAP (Permanent): Unix user store for UNIX authentication, pre-populated with existing Synchrony Financial employees.
- AS400, AD, Mainframe: Critical care of core assets for account provisioning, PA management, and role management.
- SSO LDAP: LDAP infrastructure for SSO authentication and VPN user configuration.
- SSO: Infrastructure to provide single sign-on / authorizations.
- Ping Federation & CA Federation: Federation infrastructure for external federation partners (SAML 2.0).

- Lifecycle Management: Managing the lifecycle of user access (Joiner, Mover, Leaver, Converter, Rehire).
- Access Requests: User interface to request access to systems for both normal and Privileged Access (PA).
- Access Provisioning: Add, modify, and remove user accounts on target applications through a Resource Adapter (RA) or an admin notification (Virtual Resource Adapter/VRA).
- Role Lifecycle Management: Manage the lifecycle of roles (Role Profiles/RP and System Access Profiles/SAP).
- Access Review: Review user access to applications, as well as privileged access, on a periodic basis.

- Privileged Identity Management: PA credential management solution for vaulting and managing access control for Windows and *NIX OS server shared accounts and *NIX superuser accounts.
- RSA SecurID / RADIUS (Permanent Production Environment): Base infrastructure setup for future integration with IAM for user creation, self-service features, integration with Active Directory, and ongoing user migrations.
Identity and Access Management Portal
IAM Portal Overview

The IAM Portal is the Identity & Access Management tool for provisioning and certifications. The main benefits include:
- Automated access provisioning / deprovisioning
- Requestor workflow transparency ("track my requests")
- Enhanced certification / attestation processes
- Closed-loop remediation
- "SoD" (segregation of duties) prevention and detection
- Centralized password reset
- Contingent Worker creation / management
- Delegation
- VPN management
- Distribution List management
Application Onboarding Onto Portal
The application onboarding effort focuses on integrating business-managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single Sign-On, Privileged Access, and logging capabilities.

Full automation (wherever possible):
- Eliminates manual provisioning errors.
- Nightly aggregations ensure the user base remains in sync and current.
- Terminations and removals are processed immediately.

Centralized certifications:
- Application access is certified within the IAM Portal using current data.
- Multi-level review starting with user managers.
- Ability to delegate individual roles or users to another certifier.

Transparency:
- Current user access (roles / entitlements).
- User attributes (manager, dept., job function, etc.).
- Ad hoc reporting & metrics.
IAM Portal High Level Architecture (How it Works)
Architecture diagram components: Contingent Worker (CW) Management; Lifecycle Manager; Access Provisioning; Compliance Manager; VPN, DL, Delegation, etc.; Auto Provisioning (Employees); CSV (Manual); Reporting & Metrics.
Application Certifications and Attestations
Data Security – Must be compliant with our Data Security for a multitude of reasons
Policy – We demonstrate and follow the Data Policy for the OCC, with the ability to show evidence of that adherence, which ultimately reduces our overall risk. We tend to focus on the initial hire of an employee to ensure access is set correctly from the onset, but really the larger issues come when transfers and terminations occur.

Initially – We want to have the minimum amount of access for every employee.

Job Changes – All access needs to be re-"certified" and approved.

Temporary Exception – Access is time-bound and must be monitored closely and removed on the expiration date.

LOA – Requires that all access be disabled. It is required by regulations, and we need to work better on the ability to "disable" vs. "delete" across all our applications. Must be very closely monitored.

Terminations – Within 24 to 48 hours access must be disabled, and at xx time we delete (which I am not sure is 30, 60 or 90 today?).

Lifecycle Management is harder than initial setup, so this is the area where we need to be hyper-focused going forward. Good access is from start to exit!

Good. I think the key thing here is that they walk away understanding there are so many places "access" can be impacted, whether new hire, job change, temp access, LOA, etc., and that is WHY we need to do regular certifications of access.

User Access Management is an ongoing process throughout the entire user's lifecycle.
Attestation Landscape – How do we determine "who has access to what" in an application?
Attestation principles are the same whether an application is centrally managed or business managed.

Centrally managed apps:
- Connected: IAM automatically creates or modifies the access needed. Attestations are automated.
- Manual: the IAM team manually creates or modifies the access needed, and the IAM team loads the file of "who has access to what". Attestations are manual.

Business managed apps:
- Manual: the Business Owner works with the IT Owner to get a file of "who has access to what" for loading into the Excel template. Attestations are manual.

Evidence of certification is performed by the Manager (new model) or the RPO.
Metrics: revocations vs. keeps, time to revoke, time to complete, etc.
The process must be completed; the only acceptable bar is 100% completion, every time.
IAM Attestations: The Attestation Lifecycle
The attestation lifecycle runs through five phases: Assess, Define, Review, Remediate, Govern.

Assess:
- Certification type and scope: regular, or targeted sub-group.
- Frequency: SOX/PCI and Privileged Access = quarterly; all others annually.

Define:
- Retrieve access information into attestation templates.
- Educate on review and remediation; provide training; kick off the review cycle.

Review:
- Conduct user access reviews: manager-based.
- Continuous progress reports weekly, up to the ELT.
- RPO support and assistance to the business where needed.
- 4-week cycle for reviews.

Remediate:
- Remediate user access where noted within 48 hours after closure of the review.
- Ticket/closure or evidence of remediation required for audit.
- Additional access pulls might be required to provide evidence of removals.

Govern:
- Establish enterprise standards/principles.
- Requirements and controls for review.
- Set roles and responsibilities for user access review.
- Perform quality assurance / spot checking.
- Secure sign-offs from IT and business owners.
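The lifecycle rules on the preceding slides (nightly aggregation keeps the user base in sync, terminations and LOAs disable access within the 24-48 hour window, a job change triggers re-certification, and an attestation starts from a file of "who has access to what") can be checked with a small reconciliation. The following Python script is an added example and is not code from the presentation or from the IAM Portal; the HR feed, the application access export, the 30-day re-certification window and the 90-day deletion point are all constructed or assumed values (the deck leaves the deletion point open). The second function computes the attestation metrics the landscape slide names: revocations vs. keeps, time to revoke, and completion.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed HR feed keyed by person id. status/last_event follow the deck's
# lifecycle events: hire (joiner), transfer (mover), loa, term (leaver).
HR_FEED = {
    "e1001": {"status": "active", "last_event": "hire",     "event_date": date(2017, 6, 1)},
    "e1002": {"status": "active", "last_event": "transfer", "event_date": date(2017, 9, 10)},
    "e1003": {"status": "loa",    "last_event": "loa",      "event_date": date(2017, 9, 5)},
    "e1004": {"status": "term",   "last_event": "term",     "event_date": date(2017, 9, 11)},
    "e1005": {"status": "term",   "last_event": "term",     "event_date": date(2017, 5, 1)},
}

# Constructed application access export: the "who has access to what" file.
APP_ACCESS = [
    {"id": "e1001", "app": "GL",  "entitlement": "AP_Clerk",    "enabled": True},
    {"id": "e1002", "app": "GL",  "entitlement": "AP_Approver", "enabled": True},
    {"id": "e1003", "app": "CRM", "entitlement": "Sales_User",  "enabled": True},
    {"id": "e1004", "app": "GL",  "entitlement": "AP_Clerk",    "enabled": True},
    {"id": "e1005", "app": "CRM", "entitlement": "Sales_Admin", "enabled": False},
    {"id": "c9001", "app": "CRM", "entitlement": "Sales_User",  "enabled": True},  # no HR record
]

# Assumed parameters: the deck gives a 24-48 hour disable window for terminations
# but leaves the deletion point open, so both values here are placeholders.
RECERTIFY_WINDOW = timedelta(days=30)  # job changes this recent need re-certification
DELETE_AFTER = timedelta(days=90)      # leavers' disabled accounts are deleted after this
EXAMPLE_TODAY = date(2017, 9, 12)      # the presentation date, used as "today"


def reconcile(hr_feed, app_access, today):
    """Compare an access export against the HR feed and return
    (id, app, action, reason) tuples for the access that needs attention."""
    findings = []
    for row in app_access:
        person = hr_feed.get(row["id"])
        if person is None:
            # An account with no identity behind it cannot be attested by anyone.
            findings.append((row["id"], row["app"], "orphan", "no identity in HR feed"))
            continue
        age = today - person["event_date"]
        if person["status"] == "term":
            if row["enabled"]:
                findings.append((row["id"], row["app"], "disable",
                                 f"terminated {age.days} day(s) ago"))
            elif age >= DELETE_AFTER:
                findings.append((row["id"], row["app"], "delete",
                                 f"disabled for more than {DELETE_AFTER.days} days"))
        elif person["status"] == "loa" and row["enabled"]:
            findings.append((row["id"], row["app"], "disable", "on leave of absence"))
        elif person["last_event"] == "transfer" and age <= RECERTIFY_WINDOW:
            findings.append((row["id"], row["app"], "recertify", "recent job change"))
    return findings


def attestation_metrics(population, decisions):
    """population: (id, app) pairs in the review.
    decisions: {(id, app): (verdict, hours_to_revoke)} with verdict "keep" or "revoke".
    Returns the deck's metrics: revocations vs. keeps, time to revoke, completion."""
    verdicts = Counter(v for v, _ in decisions.values())
    completed = sum(1 for key in population if key in decisions)
    revoke_hours = [h for v, h in decisions.values() if v == "revoke" and h is not None]
    return {
        "keeps": verdicts["keep"],
        "revocations": verdicts["revoke"],
        "completion_pct": round(100.0 * completed / len(population), 1) if population else 100.0,
        "complete": completed == len(population),  # the only acceptable bar is 100%
        "mean_hours_to_revoke": (round(sum(revoke_hours) / len(revoke_hours), 1)
                                 if revoke_hours else None),
    }


if __name__ == "__main__":
    for finding in reconcile(HR_FEED, APP_ACCESS, EXAMPLE_TODAY):
        print(*finding, sep=" | ")
```

Run as written, the script flags the recent transfer for re-certification, the LOA and the fresh termination for disabling, the long-terminated but still-present account for deletion, and the account with no HR identity as an orphan; the active hire produces nothing. The orphan case is the one a manual attestation tends to miss, because no manager is prompted to certify an account that is not tied to a person.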
Privileged Identity Management
Who Are Privileged Access Users
Users who have access to do the following activities are considered to have privileged access:
- Provision users
- Reboot servers
- System-level administration access
- System administrator-level access within an application security module that allows individuals to override the controls of the application
- IDs provided as part of third-party software solutions and used to complete installation of the software
- IDs that are used to run applications
- Administrators with the ability to grant access or elevate privileges on an in-scope device
PA Program: Objectives
Account Administration:
- Account administration procedures
- Exception and violation procedures
- PA awareness training
- PA account inventory
- PA account reduction strategy

Governance:
- Reporting criteria
- PA metrics criteria
- Policy, standard and procedures
- Roles and responsibility
- Compliance validation efforts

Monitoring:
- Definition of risk criteria
- Alert configuration
- Tool configuration
- Reporting metrics

Operational:
- Staffing model
- Roles and responsibility enforcement
- Standard operating procedures
- Data feed inventory

Technology:
- On-boarding procedures
- PA logging validation
PA Program: Summary

What needs to be done:
- Dedicated PA monitoring team
- Daily alert reconciliation
- Password vaulting for NPA accounts
- Updated PA policies and job aid
- Manual quarterly PA review
- Alert tracking workflow
- Violation tracking data form
- Continuously working with teams to tune alerts
- Manual IAM feeds
- Developed training for PA users

What is needed:
- More robust *NIX monitoring
- Automation between IAM and Splunk
- Real-time monitoring
- IAM quarterly PA reviews
- Restricting of service account logon
- Management of service accounts
- Removal of PA from personal IDs
- Ability to discover PA accounts
- Solution for root/superuser access
- Session recording
- Access to IAM data to verify user access
- CDI/SSO lookup tools
- File-level monitoring (Windows)

Challenges:
- Technology not in place
- Immaturity of the IAM platform
- Incorporation of PA requirements within IAM
PIM Tool Rollout Strategy
Privileged Identity Management (PIM) Project Overview:
- Release to production and deployment of Enterprise Random Password Manager (ERPM).
- Includes deployment to applications, databases, appliances and devices across production environments that use non-personal accounts.
- ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems.

High-level Deployment Plan:
- Deployment of all in-scope applications, databases, appliances and devices in subsequent phases.
- Migrate Class PXX/SOX: migration of accounts, LDAP and local accounts.
- Migrate Unix/Linux accounts.
- IAM Portal and Help Desk integrations with the PIM tool.
- Develop end-user support models for implementation and ongoing BAU.

Impact:
- Technology: Platforms, Appliances, Mainframe, AS 400, Unix (Solaris & RHEL), Windows, Database. Accounts: Shared Service.
- People: Enterprise Architecture, Security, Architecture, Security Ops, Infrastructure Teams (Compute and Build teams, Server Admins, DB & Run teams, Networking, Mainframe/AS 400), Application Teams.
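The privileged-access material on the last three slides defines what counts as privileged (the activity list), names the gaps the program is closing (privilege held on personal IDs, service accounts that can log on interactively, non-personal accounts not yet vaulted) and describes ERPM's job of randomizing non-personal passwords. The following Python check is an added example, not code from the presentation or from ERPM: it runs those rules over a constructed account inventory. The account types (personal, personal_admin, service, vendor), the entitlement names and the 90-day rotation interval are this example's own assumptions.

```python
from collections import Counter
from datetime import date

# Activities the deck lists as privileged ("Who Are Privileged Access Users").
PRIVILEGED = {"provision_users", "reboot_servers", "system_admin",
              "app_security_admin", "grant_access", "elevate_privileges"}

# Assumed rotation interval for non-personal account passwords (the deck says
# ERPM randomizes them but states no interval).
MAX_PW_AGE_DAYS = 90
EXAMPLE_TODAY = date(2017, 9, 12)  # the presentation date, used as "today"

# Constructed inventory. The type values are this example's own convention:
# personal (one person's everyday ID), personal_admin (a separate admin ID for
# one person), service (runs an application), vendor (shipped with software).
INVENTORY = [
    {"account": "jdoe", "type": "personal", "entitlements": {"app_user"},
     "interactive_logon": True, "vaulted": False, "pw_changed": date(2017, 8, 1)},
    {"account": "asmith", "type": "personal", "entitlements": {"app_user", "grant_access"},
     "interactive_logon": True, "vaulted": False, "pw_changed": date(2017, 8, 20)},
    {"account": "asmith_adm", "type": "personal_admin", "entitlements": {"grant_access"},
     "interactive_logon": True, "vaulted": False, "pw_changed": date(2017, 9, 1)},
    {"account": "svc_batch", "type": "service", "entitlements": {"system_admin"},
     "interactive_logon": True, "vaulted": False, "pw_changed": date(2016, 1, 15)},
    {"account": "svc_backup", "type": "service", "entitlements": {"reboot_servers"},
     "interactive_logon": False, "vaulted": True, "pw_changed": date(2017, 9, 1)},
    {"account": "svc_report", "type": "service", "entitlements": {"app_user"},
     "interactive_logon": True, "vaulted": False, "pw_changed": date(2017, 7, 1)},
    {"account": "oracle_install", "type": "vendor", "entitlements": {"system_admin"},
     "interactive_logon": False, "vaulted": True, "pw_changed": date(2015, 3, 3)},
]


def is_privileged(acct):
    """An account is privileged if any entitlement matches the deck's activity list."""
    return bool(acct["entitlements"] & PRIVILEGED)


def audit_inventory(inventory, today):
    """Return (account, finding) pairs for the conditions the PA program targets."""
    findings = []
    for a in inventory:
        name, kind = a["account"], a["type"]
        priv = is_privileged(a)
        non_personal = kind in ("service", "vendor")
        if priv and kind == "personal":
            # "Removal of PA from personal IDs": privilege belongs on a separate admin ID.
            findings.append((name, "privileged entitlement on personal id"))
        if non_personal and a["interactive_logon"]:
            # "Restricting of service account logon": applies whether or not privileged.
            findings.append((name, "service account allows interactive logon"))
        if priv and non_personal:
            if not a["vaulted"]:
                # "Password vaulting for NPA accounts".
                findings.append((name, "privileged non-personal account not vaulted"))
            if (today - a["pw_changed"]).days > MAX_PW_AGE_DAYS:
                # Vaulting without rotation is still a gap; ERPM's job is the rotation.
                findings.append((name, "password older than rotation interval"))
    return findings


def privileged_inventory(inventory):
    """PA account inventory by account type, for the quarterly review and metrics."""
    return Counter(a["type"] for a in inventory if is_privileged(a))


if __name__ == "__main__":
    for name, finding in audit_inventory(INVENTORY, EXAMPLE_TODAY):
        print(f"{name:15} {finding}")
    print(dict(privileged_inventory(INVENTORY)))
```

On the constructed data the check raises six findings: one for the everyday personal ID carrying a grant-access entitlement, three for the service account that is unvaulted, interactively logon-capable and stale, one for the non-privileged reporting service account that still allows interactive logon, and one for the vendor install account that is vaulted but whose password has never been rotated. The separate admin ID, the everyday ID without privilege, and the vaulted and rotated backup account pass, which is the end state the "removal of PA from personal IDs" and vaulting items describe.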