ADVISORY
Identity and Access Management
20 March 2008
IT Advisory
© 2008 ZAO KPMG, the Russian member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia.
IAM Defined
“Identity Management is a comprehensive set of business processes, and a supporting infrastructure for the creation, maintenance and use of digital identities” – Burton Group*
Put simply, IAM defines who you are, manages what you can and cannot do, and provides compliance audits and reports on this information – within the context of the enterprise systems it manages.
* Source – Enterprise Identity Management: It’s About the Business, Burton Group
IAM Overview
• Identity Management deals with the creation and management of identities and user accounts – provisioning to the right applications, termination of expired accounts, etc.
• Access Management deals with the enforcement of access controls and security policies across the enterprise. This is achieved through Web access management products for Web-based systems and specialized products for other enterprise platforms.
• IAM helps manage:
─ Authentication: Who am I? How can I prove it? Do I have multiple identities across multiple systems?
─ Authorization: What do I have access to?
─ Policies: What do the enterprise’s business rules say I can do?
─ Profiles: What attributes and characteristics do I have?
─ Relationships: What role do I have? (Am I an employee, customer, supplier, or trading partner?) What organizational units and group(s) am I in?
A Typical Business Access Management Environment Today…
[Diagram: 1,000+ users, 100+ applications and 100,000+ possible functions. Stakeholders shown: system administrators, security administrators, business managers, employees, suppliers, clients, third parties. Platforms and services shown: SAP, PeopleSoft, Windows, mainframe, employee self service, SSO, provisioning. Pressures shown: outstanding audit issues, Sarbanes-Oxley, Basel II, data protection acts, privacy legislation, segregation of duties, short user life cycles, immediate access requirements, mergers and acquisitions, consolidation.]
How do you manage and control who has access to what in an efficient and effective way?
Identity Management Lifecycle
Identity Lifecycle events: Relationship Begins; New project; Change locations, roles, etc.; Forget password; Relationship Ends
Provisioning
• Create account and personalize services
• Workflow approvals
Authentication
• Validate user identity
• Determine user’s role
• (Enterprise) Single Sign-on
Authorization
• Establish and continually monitor user access rights including segregation of duties
• Procedures for treatment, processing and access to private information
• Controls to recognize and resolve attempted breaches
Self-Service
• Users can self-resolve routine administrative issues
• Updates to user information are synchronized with the appropriate systems
Password Management
• Password rules established and enforced
• Procedures for creating, managing, and changing user passwords
• Self-service password reset
De-Provisioning
• Automated controls to identify and remove user access to applications & systems
Compliance
• Real-time ability to log and audit security events
• Monitor user access
• Ease of auditing and reporting
Problems with Managing Users
Business-related:
• Workforce productivity loss due to delay in administrative tasks
• Inconsistent view of who has access to what
• Growing enterprise security concerns due to lack of comprehensive user life cycle management
• Increasing need for business process collaboration with other enterprises
• Growing concern for data privacy and breach of personally identifiable information
Technology-related:
• Several identity stores to be managed and synchronized
• Plethora of user IDs and passwords for every user
• Bloated help desk calls for forgotten passwords and user IDs
• Manual practices for servicing administrative requests leading to unacceptable service levels and greater potential for errors
• No clear documentation maintained for creation/deletion of digital identities
• Unable to map digital identities to users, leading to several orphan accounts
Drivers for Identity and Access Management
Increasing Business Value
Pressures: Merger and Acquisition Activities; Departmental Consolidation; Diverse Business Mixes; Off-Shoring / Outsourcing; Business Process Improvement; Administrative Process Improvement
IAM value proposition: Consistent Security; Quicker Rebranding of Services; Quicker Integration of New Users; Reduced Lost Productivity; Reduced Costs; Improved Workflow
Improving Compliance
Pressures: Sarbanes Oxley; Anti-Money Laundering; Privacy; Basel II; Local corporate governance regulations
IAM value proposition: Compliance automation; Improved Auditing and Logging; Improved Monitoring; Flexibility to Adapt to New Regulations; Improved Reporting
Reducing Risk
Pressures: Diverse Security Postures; Increased Likelihood of Fraud; Increased Security Risk
IAM value proposition: Reduce/Prevent Fraud; Increased segregation of duties; Better Enforcement of Policy
Containing Cost
Pressures: Infrastructure Upgrades; Applications Architecture Upgrades; Consolidation of IT
IAM value proposition: Consistent Security; Reduced Costs, Resources; Reduced Licensing Fees; Quicker Time to Market with New Applications
Potential Benefits of IAM
• Centralized account management – creation, management, and terminations
• Automated account provisioning and de-provisioning
• Improved and enforceable business processes
• Real-time views of a user’s account
• Employee self-service
• Tracking for audit information
• Improved security
• Delegated administration
Provisioning Financial ROI
There is tangible ROI that can be achieved by streamlining the identity management process:
• The Gartner Group completed a study of a 10,000-employee company with 12 applications. They estimated an automated provisioning solution saves more than 14,000 hours in security administration time and 6,600 hours of help desk staff time.
─ The result: An ROI of 295% and savings of $3.5 million over three years.
• The Giga Information Group found that improved IT efficiency from automated provisioning results in a savings of $70,000 annually for every 1,000 users and reduces help desk cost by $75,000 for 1,000 users.
• Giga also found that faster access to enterprise solutions through automated provisioning resulted in a savings of $1,000 per new employee. For existing employees, the savings were $350 per year.
• These savings were derived from the user being able to access critical systems sooner, while responsibility for invoking business changes is pushed out to the business unit, reducing the time it takes to grant access, etc.
• Automating provisioning reduces the cost of Sarbanes-Oxley Section 404 (S-O 404) compliance.
• However, ROI has been difficult to justify to management – data is not collected in an effective manner, is widespread in the enterprise, and is not calculated correctly to reflect true ROI.
IAM Capability Stack
[Diagram: IAM capabilities/complexity plotted against time. The administration model matures from Decentralized Administration through Centralized Administration, Centralized Management and Enterprise Administration to Enterprise Management. Capabilities added along the way: Integration of Controlled Systems; Password Management; Access and Authorization Management; Provisioning Automation; Advanced Auditing; Distributed Administration; Advanced Authorization Management (Role-Based Access).]
KPMG’s vision on IAM
• Identity and Access Management (IAM) is the process of creating value and addressing IT governance and compliance through effectively and efficiently:
─ Managing users
─ Authenticating the identity of users
─ Managing users’ access to IT resources
─ Monitoring what users are doing with that access.
• Despite the hype surrounding IAM, there are four key “facts of life” that are often overlooked:
─ Organisations are already managing identity.
─ Proper IAM is fundamental to securing resources in organizations.
─ The management of identities and authorisations consists of processes, parts of which can be automated.
─ IAM aims to resolve business issues; IAM programs therefore require strong involvement from the business. IT can support this by providing efficient tools to the business.
KPMG’s vision on how to approach IAM
• Identity and Access Management should rest on the following foundations:
─ A clear and consistent vision and strategy with regard to identities, authentication management, authorisation management, user management, provisioning, monitoring and auditing.
─ An iterative approach that builds on successful steps towards meeting an overarching business vision and strategy.
─ A coordinated, multidisciplinary approach that takes all the different dimensions of IAM into account.
─ An approach that makes it possible to easily demonstrate compliance with relevant legislation and regulations.
KPMG’s IAM Methodology
Identity and Access Management – Policies, processes and systems for effectively governing and managing who has access to what within an organization.
Access Management – Enforcing policies for access control in response to a request from an entity wanting to access an IT resource within the organisation.
Agility – The ability to adapt to the changing user environment and grow systems and applications to meet these demands without compromising their integrity.
Authentication Management – Activities for effectively governing and managing the process for determining that an entity is who or what they claim to be.
Authorization Management – Activities for effectively governing and managing the process for determining entitlement rights that determine what resources an entity is permitted to access in accordance with the organisation’s policies.
Data Management – The processes and technologies that enable the management of a user’s identity.
Governance – Development and management of consistent policies, processes, organizational structures and decision rights for IAM.
Identity – The collection of the identifier and attributes for an entity (person, organization, device, resource, or service).
Monitoring and Audit – Monitoring, auditing and reporting compliance of users’ access to resources within the organization based on the defined policies.
Provisioning – Propagation of identity and authorization data to IT resources via automated or manual processes.
User Management – Activities for effectively governing and managing the lifecycle of identities.
KPMG’s IAM Methodology
Phases: Plan, Insight, Design, Implement, Monitor
Plan
Objective: Effective and efficient project kick-off
Activities: Define the project approach; facilitate the planning activities for the overall IAM engagement; gain an understanding of the client’s issues and objectives related to the engagement
Tools deployed: KPMG Identity and Access Management methodology; KPMG Project Management methodology; KPMG Change Management methodology; KPMG Business Performance Improvement methodology
Deliverables: Project plan; stakeholder matrix
Insight
Objective: Assess current state and envision future state
Activities: Assist with the understanding of the current state and future state vision and areas of improvement; transition into designing the IAM solution
Tools deployed: ISO 27001 questionnaire and mapping tool; current state workshop guidance; stakeholder matrix and portfolio template; IAM interview questionnaire
Deliverables: Current state assessment report; high-level future state model; gap analysis and remediation recommendations; defined CSFs and KPIs
Design
Objective: Help design the IAM process and infrastructure solution
Activities: Clarify IAM solution business requirements and KPIs; assist with IAM strategy, roadmap and conceptual architecture; obtain business case approval; assist the client to design the IAM PMO and governance model
Tools deployed: Industry practices; business case template; roadmap template; future state strategy sample; ROI calculator
Deliverables: Future state strategy; future state roadmap; IAM conceptual architecture; IAM business case; IAM PMO design; IAM governance design
Implement
Objective: Help implement the IAM solution
Activities: Facilitate the establishment of the PMO and governance model; assist the client with designing the IAM solution; assist the client with solution selection; provide project advisory and risk / control support throughout the implementation process
Tools deployed: Implementation tools and templates; implementation plan; use case examples; RFI and RFP templates; infrastructure design examples; interface development guidance
Deliverables: IAM use cases; RFI and RFP; pilot testing program; implementation program
Monitor
Objective: Help assess and enhance the operation of the solution
Activities: Conduct post-implementation review; assess the IAM program; assist with ongoing compliance auditing and performance monitoring
Tools deployed: IAM assessment programs; assessment work plans; segregation of duties tools; remediation and improvement templates
Deliverables: IAM assessment status report; benefits realization report; remediation and enhancement report; performance scorecard
User Management
User Provisioning – Conceptual View
Automation can decrease the cost of administration and increase the accuracy of access.
[Diagram: access requests via the intranet (access requests, approvals, status, password management) and the LDAP/HR system feed a User Identity Directory that holds policies, work flow and audit trails. Resource control agents connect the directory to the managed resources (CRM, ERP, SCM, HR, operating systems, databases, applications), and user account reconciliation runs against those resources.]
User Services
Directory Management
• Profile Management: Management of an object’s (e.g., a user’s) attribute(s) (e.g., phone number) on the user store (e.g., directory server)
• Password Management: Password Management includes tools that help users and administrators manage passwords, either by creating a universal password for all systems or by remembering stored passwords. Additionally, these tools provide user self-service capabilities.
• Work Flow: The sequence of activities performed in accordance with the business processes of an enterprise
Provisioning
• Password Synchronization: A password synchronization system is any software or process used to help users maintain a single password value on multiple password-protected systems
• Reconciliation of Users Across Systems: The process of synchronizing the accounts and supporting data on the central data repository with the accounts and supporting data on the managed resource
• Work Flow: The sequence of activities performed in accordance with the business processes of an enterprise
Conventional User Provisioning Work Flow
Administration of users and user access proves more and more cumbersome as the organization grows. The cost of administration increases and the accuracy of user access goes down.
[Diagram: new users against growing resources. A request for access is generated, policy and role are examined, approval routing passes the request to the IT in-box and administrators, and finally users are provisioned. Problems flagged along the way: incomplete request forms, missing audit trail, backlogs, requests delayed, errors.]
Authorization Management
What problem are we trying to address?
Important issues in authorization management:
• Manageability
• Effectiveness
• Verifiability
• Responsibility
Authorization Management – Manageability
With regard to manageability, we have observed the following in practice:
• When introducing authorizations, it is often the case that more than ten authorization registers are involved, with the same number of administrators.
• Authorizations are formally requested in the form of “just like user xxx,” because no one knows which authorizations are needed to perform the activities.
• There is no complete picture of a staff member’s authorizations.
• The process of requesting and implementing all the necessary authorizations is time-consuming.
• In-sourced staff members are not paid to wait a long time; business partners also do not want to wait.
• There is ineffective internal control; this is experienced as labor intensive.
Authorization Management – Effectiveness
With regard to effectiveness, we have observed the following in practice:
• Users often have more authorizations than necessary.
• The number of authorizations often increases when a person changes jobs, because rights no longer needed are seldom completely withdrawn.
• Staff members cannot perform all their tasks if they do not have all the authorizations needed for these activities.
• External parties can demand adequate access rules for your system.
Authorization Management – Verifiability
With regard to verifiability, we have observed the following in practice:
• Authorization matrices do not exist or are not updated; this interferes with the control process.
• It is practically impossible to establish a breach in the segregation of duties because:
─ There are no authorization matrices
─ There is a lack of clarity surrounding a staff member’s authorizations
─ From the perspective of segregation of duties, there are no records of the authorizations which conflict
• The auditors’ findings and recommendations generally lead to temporary improvements instead of structural improvements.
• In practical terms, it is impossible to compare the actual authorizations with the approved authorization matrices by means of an automated process.
Authorizations and Compliance – Key IT Control Issues for Compliance
Segregation of Duties (SoD)
• Root Cause: Disjointed “identity lifecycle processes” both within and across business cycles
─ Transfers not taken into account
─ Changes at the Business Process level not taken into account
Excessive Access (Access Creep)
• Root Cause: “identity lifecycle processes” incomplete or operated ineffectively
─ User authorizations not reviewed regularly for appropriateness
─ Transfers not taken into account
Resulting Remediation Issues:
• A number of authorizations and user assignment changes may be required
• Broader authorization redesign (e.g., Role-Based Access Control (RBAC)) may be required
Roles and IAM
[Diagram: an Authoritative Source records lifecycle events (new user, e.g., employee/contractor/business partner/customer; change; resign) and sends an automated trigger to the IAM tool, which approves user authorizations based on roles and rules. Components shown in the IAM tool: user management; authentication management; authorization management with an authorization model (the “to be” situation); provisioning (the actual situation); monitoring and auditing with (automatic) reporting.]
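The verifiability findings above (no authorization matrices, no record of which authorizations conflict, no automated comparison of actual against approved authorizations), the SoD and access-creep root causes, and the role-based “to be” model in the Roles and IAM diagram all reduce to one automated comparison: what a user actually holds in the target system versus what the approved roles grant, checked against recorded conflict pairs. The Python below is an added example, not code from the KPMG deck or any IAM product; the role names, entitlement names, SoD pairs and user records are constructed to show a transfer whose old rights were never withdrawn.

```python
"""Review actual authorizations against an approved role model.

Added example, not code from the KPMG deck: the role names, entitlement
names, SoD conflict pairs and user records below are all constructed.
"""
from dataclasses import dataclass, field
from itertools import combinations

# Approved authorization matrix ("to be" model): role -> entitlements it grants.
ROLE_MATRIX = {
    "ap_clerk": {"ap.create_invoice", "ap.view_vendor"},
    "ap_approver": {"ap.approve_payment", "ap.view_vendor"},
    "vendor_admin": {"ap.maintain_vendor", "ap.view_vendor"},
    "reporting": {"gl.read_reports"},
}

# Recorded SoD rules: pairs of entitlements one person must never hold together.
SOD_CONFLICTS = [
    ("ap.create_invoice", "ap.approve_payment"),
    ("ap.maintain_vendor", "ap.approve_payment"),
]


@dataclass
class Identity:
    user_id: str
    roles: set          # roles approved for the user (from the IAM tool)
    actual: set         # entitlements extracted from the target system


@dataclass
class Finding:
    user_id: str
    excess: set = field(default_factory=set)       # access creep
    missing: set = field(default_factory=set)      # user cannot perform all tasks
    sod_violations: list = field(default_factory=list)
    undefined_roles: set = field(default_factory=set)

    def is_clean(self) -> bool:
        return not (self.excess or self.missing
                    or self.sod_violations or self.undefined_roles)


def expected_entitlements(roles, matrix=ROLE_MATRIX):
    """Union of what the user's approved roles grant."""
    expected = set()
    for role in roles:
        expected |= matrix.get(role, set())
    return expected


def sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Conflict pairs that are both present in one person's entitlements."""
    return [pair for pair in conflicts
            if pair[0] in entitlements and pair[1] in entitlements]


def review(identity, matrix=ROLE_MATRIX, conflicts=SOD_CONFLICTS):
    """Compare one user's actual entitlements with the approved model."""
    expected = expected_entitlements(identity.roles, matrix)
    finding = Finding(identity.user_id)
    finding.undefined_roles = {r for r in identity.roles if r not in matrix}
    finding.excess = identity.actual - expected
    finding.missing = expected - identity.actual
    finding.sod_violations = sod_violations(identity.actual, conflicts)
    return finding


def review_all(identities, matrix=ROLE_MATRIX, conflicts=SOD_CONFLICTS):
    return {i.user_id: review(i, matrix, conflicts) for i in identities}


def conflicting_role_pairs(matrix=ROLE_MATRIX, conflicts=SOD_CONFLICTS):
    """Role pairs whose combined entitlements would breach an SoD rule, so the
    request process can reject the combination before anything is provisioned."""
    pairs = set()
    for a, b in combinations(sorted(matrix), 2):
        if sod_violations(matrix[a] | matrix[b], conflicts):
            pairs.add((a, b))
    return pairs


# Constructed sample: u1001 transferred from ap_clerk to ap_approver and the old
# rights were never withdrawn; u1002 is clean; u1003 lacks a right the role grants.
SAMPLE_IDENTITIES = [
    Identity("u1001", {"ap_approver"},
             {"ap.create_invoice", "ap.view_vendor", "ap.approve_payment"}),
    Identity("u1002", {"ap_clerk", "reporting"},
             {"ap.create_invoice", "ap.view_vendor", "gl.read_reports"}),
    Identity("u1003", {"vendor_admin"}, {"ap.view_vendor"}),
]

if __name__ == "__main__":
    for uid, f in review_all(SAMPLE_IDENTITIES).items():
        status = "OK" if f.is_clean() else "REVIEW"
        print(f"{uid}: {status} excess={sorted(f.excess)} "
              f"missing={sorted(f.missing)} sod={f.sod_violations}")
    print("role combinations to block:", sorted(conflicting_role_pairs()))
```

The review runs from the approved matrix rather than from “just like user xxx” requests, so a transfer shows up as excess entitlements and, where the leftover right pairs with a new one, as a recorded SoD breach; the role-pair check lets the same rules be applied at request time instead of only at audit time.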
Access Management
Access Management
• Access management solutions are the gatekeepers that help to determine which entities or users have the right to use enterprise systems and resources.
• This component may intercept attempts to access protected Web resources.
• The Access Management tool checks the Security Policy and the User & Entitlement store to authenticate the user and authorize (or reject) the user’s request to perform the desired transactions.
• Additional discussions are required to determine if the Access Management tool should perform the authorization or pass the request to the application for authorization.
• The Access Management tool should support multiple levels of user authentication.
Access Management – Conceptual View
[Diagram: employees, partners and customers reach a Web server (HTTP, SSL) serving Web data from content management. The Web server’s agent consults a Policy Server over an encrypted connection, and the Policy Server is backed by a User & Entitlement Store (NT Domain, ODBC, LDAP, ADSI, RACF).]
Process:
1. Is the resource protected?
2. Is the user authenticated?
3. Is the user authorized?
4. Personalize the content
5. Log the process
Access Controls
• Determine rights and privileges using policy-based systems
• Combine authentication and authorization by using Web-based access management products
• Use roles-based, group-based, rules-based systems for scalability
• Integrate with applications and application servers
• Identify objects by URL and operate at page, button, and field level
• Integrate with identity repositories (e.g., directory, database)
• Support multiple authentication systems
• Include user management functions
• Provide dynamic enforcement with variables (e.g., location, time)
• Provide session management after authentication
Data Management
Introduction
• IAM is an integrated system of business processes, policies, and technologies that help enable clients to facilitate and control their users’ access to critical applications and resources, while protecting confidential personal and organizational information from unauthorized users.
• Within the context of IAM, data management can be defined as follows:
─ Data management is the set of business processes and a supporting infrastructure for the creation, maintenance, and use of digital identities.
• Data management is seen as the fundamental building block (foundation) for IAM solutions. Without effective “identities,” all other IAM-related initiatives will probably fail.
• KPMG has experience in the field of identity data management. We can help you to define what a digital identity is and help identify authoritative sources of information, the approaches to address dirty data, and the building of a trusted identity store. Our ambition extends further than just defining what a digital identity is for your organization. We will design and assist in implementing a data model that you should be able to use and maintain in your organization for your future IAM initiatives.
Data Management in Practice
• From a technical perspective, a digital identity is a set of related electronic records that represent network subjects, including people, machines, devices, applications, and services.
• A digital identity consists of multiple layers, including a relatively stable unique identifier attribute and value (e.g., badge or employee number for enterprise staff), along with the relatively transient profiles that add context to the identity (e.g., location attribute or department).
• An Identity Repository is a storage area of several identity data items, typically from several resources, joined into one combined electronic record. This repository may be based on the LDAP standard (e.g., Oracle Internet Directory).
Data Management in Practice
Data modeling
• This aspect of the integration deals with the rationalization of the data managed by each system, starting with the definition of the common data elements for these systems that need to be considered, as well as the appropriate authoritative source and the synchronization rule that should apply for each element. In most cases an enterprise Directory service will act as the authoritative source of identities feeding the IAM infrastructure.
Authoritative Sources
• Where do digital identities come from within an organization? Or perhaps more accurately, where are identities recorded/stored electronically within an organization? This is typically an HR system, whereby an HR representative enters identity data into the system. However, it is important to understand that an HR system may not have accurate identity data, or the processes for maintaining identity data within the HR system may not be efficient.
• A system where identities are recorded and “trusted” is often referred to as an authoritative source.
• It is important to categorize the types of identity and their authoritative source (if possible) within an organization.
Data Management in Practice
Quality Matters
• How strong a foundation the Identity Repository can provide for a client’s IAM depends in large part on the quality of the information it contains. Most organizations have multiple directories or identity repositories. The information in those directories is often redundant or incorrect.
• An important first step toward getting one’s “identity house” in order, then, is to understand how and where identity information is stored. Understanding the underlying directory environment and evaluating how best to integrate that environment is an essential step in creating a more authoritative source for identity information.
Privacy considerations and controls
• Data minimization, authentication and authorization, encryption, and separation of data may all be techniques and controls required to help ensure any privacy requirements.
Data Management in Practice
Data Cleaning
• Cleaning data can be a laborious and time-consuming task. What is important is how an organization identifies dirty data.
Why clean data? There are several reasons why data cleaning is required:
• User experience – users who see inaccurate data may get annoyed or upset that the information about them is inaccurate
• Policy decisions – some IAM solutions rely on data to determine rules (e.g., provisioning rules, policy enforcement etc.)
• Security – system accounts that no longer have an associated user (e.g., orphaned accounts or accounts that do not have an associated owner) may be considered a threat to security
• Management – ongoing cleaning of data may take considerable time and effort and is often difficult to sustain
• Regulations – some regulations (e.g., UK Data Protection Act, GLBA, Safe Harbor, etc.) hold an organization responsible and accountable, to help ensure that employee data is accurate in all electronic systems where information of the employee is held.
Data Management in Practice
Data Integrity and Synchronization
• Clients should define the means by which identity data on identified systems can be kept up to date and in sync, by using a combination of centralized Directory, Meta Directory, and/or Virtual Directory.
• Vendor IAM solutions provide a range of integration options that clients could leverage, including APIs, middleware integration such as EAI, Web services, or through sharing a common database/directory repository. Therefore, in planning the integration, special attention should be paid to items such as the nature of the synchronization process:
─ Bidirectional or unidirectional
─ Real time
─ Work flow driven
─ Items of data to be synchronized
─ Reconciliation process
─ How to help ensure uniqueness
─ Conflicts and exception handling.
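The data modeling point earlier (an authoritative source and a synchronization rule per data element), the two-layer identity model (a stable identifier plus transient profile attributes), the orphaned accounts named under Data Cleaning, and the synchronization items just listed (direction, items to synchronize, reconciliation, uniqueness, conflicts and exceptions) fit together in one reconciliation pass. The Python below is an added example, not code from the KPMG deck or any vendor product; the three source systems (hr, directory, badge), the attribute names and every record are constructed, and the rule that the HR record anchors an identity is an assumption of the example.

```python
"""Attribute-level identity synchronization with per-attribute authoritative sources.

Added example, not code from the KPMG deck or any IAM product. The source
systems ("hr", "directory", "badge"), the attribute names and every record
below are constructed for illustration.
"""

# Relatively stable unique identifier shared by all systems.
STABLE_ID = "employee_number"

# Synchronization rule per data element: which system owns the attribute.
# Other systems holding that attribute are consumers and are pushed into line.
AUTHORITATIVE_SOURCE = {
    "legal_name": "hr",
    "department": "hr",
    "status": "hr",
    "login": "directory",
    "mail": "directory",
    "badge_id": "badge",
}

# Constructed extracts from each system.
SOURCES = {
    "hr": [
        {"employee_number": "E100", "legal_name": "Anna Ivanova",
         "department": "Finance", "status": "active"},
        {"employee_number": "E101", "legal_name": "Boris Petrov",
         "department": "IT", "status": "terminated"},
        # Duplicate identifier in the authoritative system: a uniqueness exception.
        {"employee_number": "E101", "legal_name": "Boris Petrov",
         "department": "IT", "status": "active"},
    ],
    "directory": [
        # Department has drifted from the HR value and must be corrected.
        {"employee_number": "E100", "legal_name": "Anna Ivanova",
         "department": "Accounting", "login": "aivanova",
         "mail": "aivanova@example.invalid"},
        {"employee_number": "E101", "legal_name": "Boris Petrov",
         "department": "IT", "login": "bpetrov", "mail": "bpetrov@example.invalid"},
        # No HR record at all: an orphan account.
        {"employee_number": "E999", "login": "svc_legacy",
         "mail": "svc_legacy@example.invalid"},
    ],
    "badge": [
        {"employee_number": "E100", "badge_id": "B-4471"},
    ],
}


def index_by_id(records, key=STABLE_ID):
    """Index one system's records by the stable identifier; report duplicates."""
    index, duplicates = {}, set()
    for rec in records:
        ident = rec.get(key)
        if ident is None:
            continue
        if ident in index:
            duplicates.add(ident)      # first record wins, the rest is flagged
        else:
            index[ident] = rec
    return index, duplicates


def synchronize(sources=SOURCES, rules=AUTHORITATIVE_SOURCE, anchor="hr"):
    """Build one combined identity record per identifier and derive the
    unidirectional updates and the exceptions a reconciliation run would raise.

    Returns (identities, actions, exceptions)."""
    indexes, exceptions, actions, identities = {}, [], [], {}
    for name, records in sources.items():
        indexes[name], dups = index_by_id(records)
        exceptions += [{"type": "duplicate_identifier", "system": name, "id": d}
                       for d in sorted(dups)]

    all_ids = set().union(*[set(idx) for idx in indexes.values()])
    for ident in sorted(all_ids):
        if ident not in indexes[anchor]:
            # Known to a consumer system but not to the anchor: orphan account.
            exceptions.append({"type": "no_authoritative_record", "id": ident,
                               "systems": sorted(n for n, idx in indexes.items()
                                                 if ident in idx)})
            continue
        merged = {STABLE_ID: ident}
        for attr, owner in rules.items():
            owner_rec = indexes[owner].get(ident)
            if owner_rec is None or attr not in owner_rec:
                exceptions.append({"type": "missing_authoritative_value",
                                   "id": ident, "attribute": attr, "source": owner})
                continue
            value = owner_rec[attr]
            merged[attr] = value
            for name, idx in indexes.items():       # push the owner's value outward
                rec = idx.get(ident)
                if name != owner and rec is not None and attr in rec and rec[attr] != value:
                    actions.append({"system": name, "id": ident, "attribute": attr,
                                    "old": rec[attr], "new": value})
        identities[ident] = merged
    return identities, actions, exceptions


if __name__ == "__main__":
    identities, actions, exceptions = synchronize()
    for ident, rec in identities.items():
        print("IDENTITY", rec)
    for a in actions:
        print("UPDATE", a)
    for e in exceptions:
        print("EXCEPTION", e)
```

Every attribute has exactly one owner, so the flow is unidirectional and a differing value in a consumer is an update to make, never a conflict to arbitrate; what remains as exceptions is what the deck lists for human handling: duplicate identifiers, identities with no authoritative record, and attributes the owner never supplied.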
Data Management in Practice
Managing Multiple Directories
• It is estimated that typical enterprises have approximately 120+ applications in which user management is required. Managing so many special purpose directories can cause the following general problems:
─ High cost of administration
─ Inconsistent data
─ Security issues
• Directory synchronization is one leading practice approach to consolidating identity information for client use. Directory synchronization provides a mechanism for copying select identities, attributes, and group information between two or more disparate identity repositories according to predefined rules. Directory synchronization is essential for many IAM-related applications.
• The IAM technology that provides directory synchronization is typically defined as either a “Meta Directory” or “Virtual Directory.”
KPMG’s Vision
The data model, processes and tools used make it possible to realize a manageable and efficient data management process that is:
• Effective
• Controlled
• Accurate
• Verifiable
This helps enable management to take responsibility for the integrity of data for use in an IAM program.
Data management:
• Record the identity model
• Clean and accurate identity data
• Automatic “decision” points based on the identity
Our Approach
[Diagram: phases Requirements gathering, Design, Build, Test, Deploy, Post production.]
1. Analysis and agreement of current data models and authoritative sources
2. Create model and identify data synchronization and cleansing activities
3. Design and deploy data repository
Agree data model and synchronization requirements, deploy identity data repository
Design, implementation, and deployment of data management infrastructure
Migrate from current data model to envisioned data model
Our Approach
The result of our approach is:
• Agreed identity data model
• Agreed authoritative sources aligned with data ownership
• A model that is extensible and supportable
• Transparency, maintainability, verifiability, and effectiveness
• Efficient and effective data management
• The foundation for all IAM program initiatives
• Data management that is clearly “under control”
Authentication Management
Authentication Management
• Authentication is the process of determining, to a specified level of confidence, that an entity is who or what they claim to be
• Authentication Management covers the policies, processes, and systems for effectively governing and managing the authentication of individuals and services
• Main activities:
─ Enrollment – identification and registration processes
─ Risk-based Authentication Framework
─ Credential lifecycle management – issuance, activation, support, revocation
─ Design and implementation of authentication infrastructure
Authentication Management – Conceptual View
[Diagram: Users, Applications, Authentication engine / enforcement point, Authentication and Access policies, User and Access Management, IAM system]
Authentication Management – Terms Used and Related Activities
Technology areas:
• Strong authentication
• Two-factor authentication
• User name/password
• One Time Password (OTP)
• Smartcards/PKI
• Tokens
• Biometrics
• SMS authentication
• CardSpace
• Claims-based authentication
Policies, frameworks, and processes:
• Original identification
• Evidence of Identity (EOI)
• Enrollment policies and processes
• EOI capture and storage
• Authentication frameworks
• Risk assessment tool
• Authenticator selector tools
• Credential lifecycle management
• Support processes – password reset, PIN management, etc.
Industry standards:
• SAML
• WS-*
• OATH
• Liberty Alliance
Observations
KPMG’s Observations
Most IAM projects focus initially on improving user management and automating provisioning of accounts and basic authorizations, supported by workflows
• Driver: increasing operational excellence
• In most cases, basic employee roles are assigned
Second stage of most projects focuses on improving the quality of the authorizations
• Driver: increasing level of compliance
• Roles are currently seen as the way forward for managing fine-grained authorizations
In most software solutions of the suite vendors (such as IBM, SUN, HP, Oracle, Computer Associates) some role functionalities exist, although they are too limited
• Only the administration of technical roles is included
• No real role management capabilities
• When organizations require extensive role management, most suite vendors are teaming with pure-play role management vendors such as VAAU, BHOLD Company, Bridgestream, Eurekify, and RMAN.
KPMG’s Observations when Organizations are Entering Role Modeling
Optimistic view on required starting points for role modeling, such as:
• Lack of clear job descriptions
• Lack of (up-to-date) authorization matrixes for platforms and applications
• Lack of commitment of the organization to engage in role modeling
Theoretical/conceptual view on role modeling, leading to role explosion
• Top-down approach for role engineering takes too long and requires too much effort and interaction with the business
─ No short term results
• No room for flexibility – SoD breach may occur, if documented
• Only attention for “to be” situation
• How to keep the role model future-proof?
Too ambitious – revolution instead of evolution
• Big bang – scope is entire organization and all applications?
• Phased approach is crucial
Next Steps
How to Proceed – User Management
• IAM should be considered as a long-term strategy
• Define requirements for identity management within your enterprise
• Develop a strategic roadmap with realistic timelines that can be broken down into distinct work streams
• Develop a set of use cases for the management, creation, and deletion of users
• Develop workflows, processes, and roles that can be leveraged through an identity management solution
• Hold vendor bake-offs to determine “best” fit for your environment
• Conduct Proof of Concepts (POC) with selected vendors
• Deploy a limited pilot to determine validity and capabilities of chosen solution
• Develop a phased rollout plan to incorporate an 80/20 rule for centralized user provisioning
How to Proceed – Authorization Management
Putting the foundation in place by:
• Implementing role management
• Providing infrastructure for analyzing, engineering, and maintaining roles (mostly as part of enterprise IAM infrastructure)
Role engineering
• Using role mining tools will decrease role engineering efforts and will provide faster results
Implementing roles – evolution versus revolution
• Staged approach is required
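Bottom-up role mining of the kind the role engineering item refers to, together with the separation-of-duties check that the earlier observation on role modeling warns about, as an added example that is not part of the deck and not the output of any role-mining product it names. It takes current user-to-permission assignments pulled from two applications, groups users with identical permission sets into candidate roles, measures how much of the population the candidates cover (the 80/20 question), and tests both the candidate roles and the leftover individual assignments against an SoD rule. Users, permission names and the rule are constructed and hypothetical.

```python
"""Bottom-up role mining with a separation-of-duties (SoD) check
(added example; assignments and rules are constructed)."""
from collections import defaultdict

# Constructed: current entitlements as exported from an ERP and a CRM.
ASSIGNMENTS = {
    "anna":   {"erp:ap.invoice.create", "erp:ap.invoice.view", "crm:account.view"},
    "boris":  {"erp:ap.invoice.create", "erp:ap.invoice.view", "crm:account.view"},
    "clara":  {"erp:ap.invoice.create", "erp:ap.invoice.view", "erp:ap.payment.approve"},
    "dmitry": {"erp:ap.payment.approve", "erp:ap.invoice.view"},
    "elena":  {"erp:ap.payment.approve", "erp:ap.invoice.view"},
    "fyodor": {"crm:account.view", "crm:account.edit"},
}

# Constructed SoD rule: the same person must not both create invoices and
# approve payments.  Each rule is a pair of permissions that must not co-occur.
SOD_RULES = [("erp:ap.invoice.create", "erp:ap.payment.approve")]


def mine_roles(assignments, min_users=2):
    """Group users by identical permission set.

    Every set shared by at least min_users becomes a candidate role; users
    whose set is unique stay as individual assignments.  Larger groups get
    lower role numbers so the most reusable candidates are reviewed first.
    Returns (roles, unmatched_users)."""
    by_perms = defaultdict(list)
    for user, perms in assignments.items():
        by_perms[frozenset(perms)].append(user)
    roles, unmatched = {}, []
    ordered = sorted(by_perms.items(), key=lambda kv: (-len(kv[1]), sorted(kv[0])))
    for perms, users in ordered:
        if len(users) >= min_users:
            roles[f"ROLE_{len(roles) + 1:02d}"] = {"permissions": set(perms),
                                                   "members": sorted(users)}
        else:
            unmatched.extend(users)
    return roles, sorted(unmatched)


def sod_violations(perm_sets, rules):
    """Return [(name, (perm_a, perm_b))] for every permission set (a role or
    a user) that holds both halves of a rule."""
    found = []
    for name, perms in perm_sets.items():
        for a, b in rules:
            if a in perms and b in perms:
                found.append((name, (a, b)))
    return found


def review(assignments, rules, min_users=2):
    """Mine candidate roles, then check roles and leftover users against SoD."""
    roles, unmatched = mine_roles(assignments, min_users)
    role_sets = {name: r["permissions"] for name, r in roles.items()}
    covered = sum(len(r["members"]) for r in roles.values())
    return {
        "roles": roles,
        "unmatched": unmatched,
        "coverage": covered / len(assignments),        # share of users a candidate role fits
        "role_violations": sod_violations(role_sets, rules),   # a role must be clean before assignment
        "user_violations": sod_violations(assignments, rules), # toxic combinations already in place
    }


if __name__ == "__main__":
    result = review(ASSIGNMENTS, SOD_RULES)
    for name, role in result["roles"].items():
        print(name, sorted(role["permissions"]), role["members"])
    print("unmatched:", result["unmatched"], "coverage:", round(result["coverage"], 2))
    print("role SoD violations:", result["role_violations"])
    print("user SoD violations:", result["user_violations"])
```

On the sample data two candidate roles cover four of six users; the two leftovers are the interesting part for a reviewer. One of them holds both halves of the SoD rule today, which is exactly the existing breach that a purely top-down "to be" model would document rather than find. Checking candidate roles for SoD conflicts before they are assigned keeps a mining exercise from turning an individual's toxic combination into a reusable one.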
Authorization Management – Suggested Approach
[Diagram: Envision concept; Confirm vision; Develop IAM architecture; Select tools; (Automated) analysis of current authorizations; Cleansing of existing authorizations; Automatic role mining / role engineering; Implementing role management process; Automating (parts of) authorization management processes; (Periodic) reporting on granted authorizations; operational]
How to Proceed – Authentication Management
Putting the foundation in place by:
• Conducting a risk assessment to understand information asset classification and risk within the organization
• Developing a risk-based authentication framework
First phase:
• Developing policies and processes for different authentication mechanisms within the organization (including strong authentication)
• Implementing a first phase of infrastructure deployment for helping to enable and enforce access policies relating to authentication
Future phases:
• Iterating authentication framework, policies, and procedures
• Implementing strong authentication, Enterprise Single/Simplified Sign On, Federation, etc.
Authentication Management
[Diagram: phases Requirements gathering, Design, Build, Test, Deploy, Post-production]
1. Development of authentication framework
2. Development of enrollment policies and processes
3. Develop operational structures for credential life cycle management
4. ACCESS Management – Design and build authentication infrastructure
Develop framework and processes
Implementing authentication management policies, standards and process
Design, implement, and deploy authentication management processes
KPMG’s View of Implementation Strategy – Preparing and Planning
Preparation and planning:
• Put foundation in place
• Determine scope
─ Are you really envisioning managing all authorizations by using roles? Maybe 80/20 rule is more realistic.
• Setting priorities
─ Depending on business case
─ Deployment strategy: organizational entities versus processes versus applications – which deployment strategy to choose?
• Managing expectations and keeping commitment is key
Staged Approach is Required
[Diagram: Preparing and planning → Stage 1: Reestablish identity life cycle processes → Stage 2: Implement role management for prioritized applications/systems → Stage 3: Optimize role model for prioritized applications/systems → End goal: Role management and assignment processes in place and effective. Throughout: migrate from project to process approach.]
Identity Management Reference Architecture
[Diagram: Identity Management Reference Architecture]
Users (internal and external): Employees, IT Staff, Partners, Applications, Customers, Delegated Admin
Identity Management Service, with Auditing and Reporting, Workflow, and Monitoring and Management:
• Access Management: Authentication & SSO; Authorization & RBAC
• Identity Administration: Delegated Administration; Self-registration and Self-service; Entitlement management
• Directory Services: LDAP Directory; Meta-Directory; Virtual Directory
• Identity Provisioning: Who, what, when, where, why; Rules and access policies; Integration framework
Systems and Repositories: NOS/Directories, OS (Unix), Applications (ERP, CRM, HR, Mainframe), Physical Assets (Cell Phone, Physical Access)
* Source – Oracle Enterprise IdM Reference architecture
A Look at the Pieces when Fit Together
[Diagram: Policy Enforcement, Directory, Authentication, Portal Applications]
• Administration: Policies; Workflow; Audit trails; Provisioning; Delegated administration
• User Account Reconciliation: Operating Systems; Databases; Applications
• Authoritative Directory Stores; Existing Directories; Databases
• Access Management; Directory Management; User Management: Self-service; Workflow
• Audit Verification & Validation; Real-time enforcement
Structured IAM Approach
Deployment Life Cycle
[Diagram: Deployment Life Cycle – Planning, Requirements, Design, Build and Test, Transition, Maintenance]
Planning:
• Project scope
• Stakeholder education/buy-in
• Executive support
• Definition of business drivers
Requirements:
• Management of expectations
• Custom versus out-of-the-box
• Legacy platform readiness
• Security and compliance req.
• Holistic view people, proc., & tech
Design:
• Identify architecture risks
• Requirements tradeoffs
• Address non-functional req.
• Define suitable RBAC model
• Define reconciliation plan
Build and Test:
• Gap between test versus prod
• Test non-functional req.
• Knowledge transfer
• Change management
• Stakeholder involvement in testing
Transition:
• Rollout communication
• Business process training
• Organizational readiness
Maintenance:
• Technical support help desk
• Assess usability
• Develop enhancement strategy
Methodology and Deliverables
Planning Tasks
• Identify stakeholders
• Inventory and review current state
• Develop: project plan, defect tracking, communication plan, change management, team roles, risk management
Requirements Tasks
• Define solution requirements
• Develop solution metrics
• Refine project plan
• Manage to plan
Design Tasks
• Develop detailed design
• Identify requirement GAPs
• Build Dev environment
• Develop test plans
• Manage to project plan
Build and Test Tasks
• Configure and build IDM solution in Dev environment
• Develop unit and integration test scripts
• Develop training materials
• Develop cutover plan
• Develop user acceptance test scripts
• Develop reconciliation procedures
Transition Tasks
• Deploy and configure product environment
• Load and stress testing
• Acceptance testing
• Develop user procedure documents
• Execute communication plan
Rollout/Maintenance Tasks
• Develop ongoing roles and responsibilities
• Develop production support procedures
• Develop incident response procedures
Planning Deliverables
• Stakeholder and KPMG team roles and responsibilities
• Project work plan
• Documentation standard
• Change management plan
• Defect tracking and prioritization guidelines
• Communications and issues management plan
• Risk log and mitigation plan
Requirements Deliverables
• Functional requirements
• Nonfunctional requirements
• Security and compliance requirements
• Roles for IDM solution implementation
• Legacy systems data cleansing requirements and strategy
• SRS document
Design Deliverables
• SDD document
• System architecture document
• Build document
• Baseline build of Dev environment for IDM solution
• Reconciliation plan for resources
• Test and training plan
Build and Test Deliverables
• Configuration document
• Unit and integration test scripts
• Training materials
• Cutover plan
• User acceptance test scripts
• Reconciliation procedures
• Production checklist
Transition/Cutover Deliverables
• Load and stress test results
• Acceptance test results
• Acceptance sign-off
• User documents
• Build documents for production environment
• Production environment
Rollout/Maintenance Deliverables
• Ongoing roles and responsibilities
• Production support procedures
• Incident response procedures
All information provided is of a general nature not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
KPMG in Russia refers to KPMG Limited, a company incorporated under the Guernsey Companies Act, and ZAO KPMG, a company registered under the Laws of the Russian Federation.
Christopher Gould, KPMG
+7 495 937 [email protected]
www.kpmg.ru