
1 Introduction to Identity Management

Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

An overview of business drivers and technology solutions.

2 Access needs evolve

Digital identities require frequent updates to reflect business changes:

• Who? (Types of users): Employees, contractors, vendors, partners, customers.
• Why? (Business events): Hire, move, change job function, terminate.
• What? (Change types): Create/move/disable/delete user, update identity data and entitlements, reset passwords.
• Where? (Applications): AD, Exchange, Notes, ERP, Linux/Unix, database, mainframe, physical assets.

Complexity creates delay and reliability problems:

• Productivity: Slow onboarding, change fulfillment.
• Cost: Many FTEs needed to implement security changes.
• Security: Unreliable access termination, inappropriate user entitlements. Enforce SoD policies.
• Accountability: Who has access to what? How/when did they get it?

© 2020 Hitachi ID Systems, Inc. All rights reserved. 1


3 IAM in silos

In most organizations, many processes affect many applications. This many-to-many relationship creates complexity:

4 Access and credential challenges (1/2)

For users:

• How to request a change?
• Who must approve the change?
• When will the change be completed?
• Too many passwords.
• Too many login prompts.

For IT support:

• Onboarding, deactivation across many apps is challenging.
• More apps all the time!
• What data is trustworthy and what is obsolete?
• Not notified of new-hires/terminations on time.
• Hard to interpret end user requests.
• Who can request, who should authorize changes?
• What entitlements are appropriate for each user?
• The problems increase as scope grows from internal to external.


5 Access and credential challenges (2/2)

For Security / risk / audit:

• Orphan, dormant accounts.
• Too many people with privileged access.
• Static admin, service passwords a security risk.
• Weak password, password-reset processes.
• Inappropriate, outdated entitlements.
• Who owns ID X on system Y?
• Who approved entitlement W on system Z?
• Limited/unreliable audit logs in apps.

For Developers:

• Temporary access (e.g., prod migration).
• Half the code in every new app is the same:
  – Identify.
  – Authenticate.
  – Authorize.
  – Audit.
  – Manage the above.
• Mistakes in this infrastructure create security holes.

6 Externalize IAM from application silos

• The problem with IAM is complexity, due to silos.
• The obvious solution is to extract IAM functions from system and application silos.
• A shared infrastructure for managing users, their authentication factors and their security entitlements is the answer.


7 Integrated IAM processes

[Diagram: an Identity and Access Management System sits between the business and IT processes on one side and the systems and applications (with their users, passwords, groups and attributes) on the other.]

Business processes: Hire, Transfer, Retire, Resign, Fire, Start contract, Finish contract.

IT processes: New application, Retire application, Password reset, Password expiry.

Systems and applications: Operating systems, Directory, Application, Database, E-mail system, ERP, Legacy app, Mainframe.

8 Business drivers for IAM

Security / controls:
• Reliable deactivation.
• Strong authentication.
• Appropriate security entitlements.

Regulatory compliance:
• PCI-DSS, SOX, HIPAA, EU Privacy Directive, etc.
• Audit user access rights.

IT support costs:
• Help desk call volume.
• Time/effort to manage access rights.

Service / SLA:
• Faster onboarding.
• Simpler request / approvals process.
• Reduce burden of too many login prompts and passwords.


9 IAM strengthens security

• Reliable, prompt and complete access deactivation.
• Robust authentication prior to changes to credentials, access.
• Policy around:
  – Password complexity / reuse / expiry.
  – Non-password authentication.
  – Access request approval routing.
  – Segregation of duties.
  – Access review/certification.
  – Shared account password changes.
  – New-user and per-role entitlements.
• Audit:
  – Who has what?
  – Access request/approval/grant history?
• Regulatory compliance: governance- and privacy-related rules.

10 Cost savings

Cost item                         | Before                                        | After                                           | Savings
Help desk cost of password resets | 10,000 x 3 x $25 = $750,000 / year            | 10,000 x .6 x $13 = $78,000 / year              | $672,000 / year
New hire lost productivity        | 10,000 x 10% x 10 x $400 x 50% = $2M / year   | 10,000 x 10% x 1 x $400 x 50% = $200,000 / year | $1.8M / year
Access change lost productivity   | 10,000 x 2 x 2 x $400 x 10% = $1.6M / year    | 10,000 x 2 x 1 x $400 x 10% = $800,000 / year   | $800,000 / year


11 Elements of IAM

Identity and access management solutions may incorporate many components, from multiple vendors:

[Diagram: component map; its legend distinguishes components supplied by Hitachi ID Systems from those supplied by partners.]

• Resource Access Requests
• ID Reconciliation
• Access Certification
• User Provisioning
• Password Management
• Enterprise Single Signon
• Web Single Signon
• Virtual Directory
• Directory
• Identity Synchronization
• System of Record
• Telephone Password Reset
• Privileged Access Management
• Strong Authentication
• Federation
• Role Management

12 Summary

• The problem with managing identities, security entitlements, passwords and related data is a business, not a technology problem:
  – Too many business events, which impact
  – Too many systems and applications.
• Technology solutions are available to address these problems:
  – Password synchronization and reset.
  – Automated user provisioning and deactivation.
  – Identity synchronization.
  – Enforcement of policies using segregation-of-duties and roles.
  – Periodic access review and cleanup (certification).
  – Various kinds of single signon.
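The audit findings listed on slides 5 and 9 (orphan and dormant accounts, missed deactivation, segregation of duties) and the reconciliation and certification solutions in the summary, as an added example that is not part of the Hitachi ID deck: one reconciliation pass comparing constructed account exports with an HR system of record. The HR ids, system names, entitlement codes, the SoD rule and the 90-day dormancy threshold are all assumed sample values.

```python
from datetime import date

# Constructed HR system of record: employee id -> (status, termination date).
HR = {
    "e100": ("active", None),
    "e101": ("terminated", date(2020, 1, 15)),
    "e102": ("active", None),
}

# Constructed account exports; "owner" is the HR id matched to the account, or None.
ACCOUNTS = [
    {"system": "AD", "id": "jdoe", "owner": "e100", "enabled": True,
     "last_login": date(2020, 3, 20), "entitlements": {"AP_Invoice_Create"}},
    {"system": "ERP", "id": "JDOE1", "owner": "e100", "enabled": True,
     "last_login": date(2020, 3, 1), "entitlements": {"AP_Payment_Approve"}},
    {"system": "AD", "id": "bsmith", "owner": "e101", "enabled": True,
     "last_login": date(2019, 11, 2), "entitlements": set()},
    {"system": "DB", "id": "svc_report", "owner": None, "enabled": True,
     "last_login": None, "entitlements": {"DBA"}},
    {"system": "ERP", "id": "ALEE", "owner": "e102", "enabled": True,
     "last_login": date(2019, 10, 1), "entitlements": set()},
]

# Assumed SoD rule: one person must not both create invoices and approve payments.
SOD_RULES = [("AP_Invoice_Create", "AP_Payment_Approve")]
TODAY = date(2020, 3, 23)  # fixed review date so the sample is reproducible


def reconcile(hr, accounts, today, sod_rules=SOD_RULES, dormant_days=90):
    """Return sorted (finding, subject) pairs for an access review."""
    findings = set()
    held = {}  # owner -> union of entitlements across every system
    for a in accounts:
        where = f"{a['id']}@{a['system']}"
        rec = hr.get(a["owner"])
        if rec is None:
            findings.add(("orphan", where))  # nobody in HR owns this account
        elif rec[0] == "terminated" and a["enabled"]:
            findings.add(("terminated_but_enabled", where))  # deactivation missed
        if a["enabled"] and a["last_login"] and (today - a["last_login"]).days > dormant_days:
            findings.add(("dormant", where))
        if a["owner"] is not None:
            held.setdefault(a["owner"], set()).update(a["entitlements"])
    # SoD is judged per person, not per account: here the conflicting rights sit in AD and ERP.
    for owner, ents in held.items():
        for x, y in sod_rules:
            if x in ents and y in ents:
                findings.add(("sod_conflict", f"{owner}:{x}+{y}"))
    return sorted(findings)
```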

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 E-Mail: [email protected]

Date: 2020-03-23