2 Iam C Gould

  • Upload
    risspa

  • View
    838

  • Download
    1

Embed Size (px)

Citation preview

Page 1: 2 Iam C Gould

ADVISORY

Identity and Access Management

20 March 2008

IT Advisory

© 2008 ZAO KPMG, the Russian member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Russia.

IAM Defined

“Identity Management is a comprehensive set of business processes, and a supporting infrastructure for the creation, maintenance and use of digital identities” – Burton Group*

Put simply, IAM defines who you are, manages what you can and cannot do, and provides compliance audits and reports on this information – within the context of the enterprise systems it manages.

* Source – Enterprise Identity Management: It’s About the Business, Burton Group


IAM Overview

• Identity Management deals with the creation and management of identities and user accounts – provisioning to the right applications, termination of expired accounts, etc.

• Access Management deals with the enforcement of access controls and security policies across the enterprise. This is achieved through Web access management products for Web-based systems and specialized products for other enterprise platforms.

• IAM helps manage:
  ─ Authentication: Who am I? How can I prove it? Do I have multiple identities across multiple systems?
  ─ Authorization: What do I have access to?
  ─ Policies: What do the enterprise’s business rules say I can do?
  ─ Profiles: What attributes and characteristics do I have?
  ─ Relationships: What role do I have? (Am I an employee, customer, supplier, or trading partner?) What organizational units and group(s) am I in?


A Typical Business Access Management Environment Today…

(Diagram: 1,000+ users, 100+ applications, 100,000+ possible functions.)

Stakeholders: System administrators; Security administrators; Business managers; Employees; Suppliers; Clients; Third parties

Systems and services: SAP; PeopleSoft; Windows; Mainframe; Employee self service; SSO; Provisioning

Pressures: Outstanding audit issues; Sarbanes-Oxley; Short user life cycles; Immediate access requirements; Segregation of duties; Data protection acts; Basel II; Privacy legislation; Mergers and acquisitions; Consolidation

How do you manage and control who has access to what in an efficient and effective way?


Identity Management Lifecycle

Identity Lifecycle events: Relationship Begins; New project; Change locations, roles, etc.; Forget password; Relationship Ends

Provisioning
• Create account and personalize services
• Workflow approvals

Authentication
• Validate user identity
• Determine user’s role
• (Enterprise) Single Sign-on

Authorization
• Establish and continually monitor user access rights including segregation of duties
• Procedures for treatment, processing and access to private information
• Controls to recognize and resolve attempted breaches

Self-Service
• Users can self-resolve routine administrative issues
• Updates to user information are synchronized with appropriate systems

Password Management
• Password rules established and enforced
• Procedures for creating, managing, and changing user passwords
• Self-service password reset

De-Provisioning
• Automated controls to identify and remove user access to applications & systems

Compliance
• Real-time ability to log and audit security events
• Monitor user access
• Ease of auditing and reporting


Problems with Managing Users

Business-related:
• Workforce productivity loss due to delay in administrative tasks
• Inconsistent view of who has access to what
• Growing enterprise security concerns due to lack of comprehensive user life cycle management
• Increasing need for business process collaboration with other enterprises
• Growing concern for data privacy and breach of personally identifiable information

Technology-related:
• Several identity stores to be managed and synchronized
• Plethora of user IDs and passwords for every user
• Bloated help desk calls for forgotten passwords and user IDs
• Manual practices for servicing administrative requests leading to unacceptable service levels and greater potential for errors
• No clear documentation maintained for creation/deletion of digital identities
• Unable to map digital identities to users leading to several orphan accounts


Drivers for Identity and Access Management

Drivers, the pressures behind them, and the IAM value proposition for each:

Increasing Business Value
  Pressures: Merger and Acquisition Activities; Departmental Consolidation; Diverse Business Mixes; Off-Shoring / Outsourcing; Business Process Improvement; Administrative Process Improvement
  IAM value proposition: Consistent Security; Quicker Rebranding of Services; Quicker Integration of New Users; Reduced Lost Productivity; Reduced Costs; Improved Workflow

Improving Compliance
  Pressures: Sarbanes Oxley; Anti-Money Laundering; Privacy; Basel II; Local corporate governance regulations
  IAM value proposition: Compliance automation; Improved Auditing and Logging; Improved Monitoring; Flexibility to Adapt to New Regulations; Improved Reporting

Reducing Risk
  Pressures: Diverse Security Postures; Increased Likelihood of Fraud; Increased Security Risk
  IAM value proposition: Reduce/Prevent Fraud; Increased segregation of duties; Better Enforcement of Policy

Containing Cost
  Pressures: Infrastructure Upgrades; Applications Architecture Upgrades; Consolidation of IT
  IAM value proposition: Consistent Security; Reduced Costs, Resources; Reduced Licensing Fees; Quicker Time to Market with New Applications


Potential Benefits of IAM

• Centralized account management – creation, management, and terminations
• Automated account provisioning and de-provisioning
• Improved and enforceable business processes
• Real-time views of a user’s account
• Employee self-service
• Tracking for audit information
• Improved security
• Delegated administration


Provisioning Financial ROI

There is tangible ROI that can be achieved by streamlining the identity management process:

• The Gartner Group completed a study of a 10,000-employee company with 12 applications. They estimated an automated provisioning solution saves more than 14,000 hours in security administration time and 6,600 hours of help desk staff time.
  ─ The result: An ROI of 295% and savings of $3.5 million over three years.

• The Giga Information Group found that improved IT efficiency from automated provisioning results in a savings of $70,000 annually for every 1,000 users and reduces help desk cost by $75,000 for 1,000 users.

• Giga also found that faster access to Enterprise solutions through automated provisioning resulted in a savings of $1,000 per new employee. For existing employees, the savings were $350 per year.

• These savings were derived from the user being able to access critical systems sooner, while responsibility for invoking business changes is pushed out to the business unit, reducing the time it takes to grant access, etc.

• Automating provisioning reduces the cost of Sarbanes-Oxley Section 404 compliance.

• However, ROI has been difficult to justify to management – data is not collected in an effective manner, is widespread in the enterprise, and is not calculated correctly to reflect true ROI.


IAM Capability Stack

(Chart: IAM capabilities/complexity plotted against time.)

Stages (x-axis, Time): Decentralized Administration; Centralized Administration; Centralized Management; Enterprise Administration; Enterprise Management

Capabilities (y-axis, Capabilities/Complexity):
• Integration of Controlled Systems
• Password Management
• Access and Authorization Management
• Provisioning Automation
• Advanced Auditing
• Distributed Administration
• Advanced Authorization Management (Role-Based Access)


KPMG’s vision on IAM

• Identity and Access Management (IAM) is the process of creating value and addressing IT governance and compliance through effectively and efficiently:
  ─ Managing users
  ─ Authenticating the identity of users
  ─ Managing users’ access to IT resources
  ─ Monitoring what users are doing with that access.

• Despite the hype surrounding IAM, there are four key “facts of life” that are often overlooked:
  ─ Organisations are already managing identity.
  ─ Proper IAM is fundamental to securing resources in organizations.
  ─ The management of identities and authorisations consists of processes, parts of which can be automated.
  ─ IAM aims to resolve business issues; IAM programs therefore require strong involvement from the business. IT can support this by providing efficient tools to the business.


KPMG’s vision on how to approach IAM

• Identity and Access Management should rest on the following foundations:
  ─ A clear and consistent vision and strategy with regard to identities, authentication management, authorisation management, user management, provisioning, monitoring and auditing.
  ─ An iterative approach that builds on successful steps towards meeting an overarching business vision and strategy.
  ─ A coordinated, multidisciplinary approach that takes all the different dimensions of IAM into account.
  ─ An approach that makes it possible to easily demonstrate compliance with relevant legislation and regulations.


KPMG’s IAM Methodology

Identity and Access Management: Policies, processes and systems for effectively governing and managing who has access to what within an organization.

Access Management: Enforcing policies for access control in response to a request from an entity wanting to access an IT resource within the organisation.

Agility: The ability to adapt to the changing user environment and grow systems and applications to meet these demands without compromising their integrity.

Authentication Management: Activities for effectively governing and managing the process for determining that an entity is who or what they claim to be.

Authorization Management: Activities for effectively governing and managing the process for determining entitlement rights that determine what resources an entity is permitted to access in accordance with the organisation’s policies.

Data Management: The process and technologies that enable the management of a user’s identity.

Governance: Development and management of consistent policies, processes, organizational structures and decision rights for IAM.

Identity: The collection of the identifier and attributes for an entity (person, organization, device, resource, or service).

Monitoring and Audit: Monitoring, auditing and reporting compliance of users’ access to resources within the organization based on the defined policies.

Provisioning: Propagation of identity and authorization data to IT resources via automated or manual processes.

User Management: Activities for effectively governing and managing the lifecycle of identities.


KPMG’s IAM Methodology

The methodology has five phases: Insight, Plan, Design, Implement, Monitor. For each phase the slide gives the objective, activities, tools deployed and deliverables.

Insight
  Objective: Effective and efficient project kick-off
  Activities: Define the project approach; Facilitate the planning activities for the overall IAM engagement; Gain an understanding of the client’s issues and objectives related to the engagement
  Tools deployed: KPMG Identity and Access Management methodology; KPMG Project Management methodology; KPMG Change Management methodology; KPMG Business Performance Improvement methodology
  Deliverables: Project Plan; Stakeholder matrix

Plan
  Objective: Assess current state and envision future state
  Activities: Assist with the understanding of the current state and future state vision and areas of improvement; Transition into designing the IAM solution
  Tools deployed: ISO 27001 questionnaire and mapping tool; Current state workshop guidance; Stakeholder matrix and portfolio template; IAM interview questionnaire
  Deliverables: Current state assessment report; High-level future state model; Gap analysis and remediation recommendations; Defined CSFs and KPIs

Design
  Objective: Help design the IAM process and infrastructure solution
  Activities: Clarify IAM solution business requirements and KPIs; Assist with IAM strategy, roadmap and conceptual architecture; Obtain business case approval; Assist the client to design the IAM PMO and governance model
  Tools deployed: Industry practices; Business case template; Roadmap template; Future state strategy sample; ROI calculator
  Deliverables: Future state strategy; Future state roadmap; IAM conceptual architecture; IAM Business case; IAM PMO design; IAM governance design

Implement
  Objective: Help implement the IAM solution
  Activities: Facilitate the establishment of PMO and governance model; Assist client with designing the IAM solution; Assist client with solution selection; Provide project advisory and risk / control support throughout the implementation process
  Tools deployed: Implementation tools and templates; Implementation plan; Use case examples; RFI and RFP templates; Infrastructure design examples; Interface development guidance
  Deliverables: IAM use cases; RFI and RFP; Pilot testing program; Implementation program

Monitor
  Objective: Help assess and enhance the operation of the solution
  Activities: Conduct post-implementation review; Assess IAM Program; Assist with ongoing compliance auditing and performance monitoring
  Tools deployed: IAM Assessment programs; Assessment work plans; Segregation of Duties tools; Remediation and Improvement templates
  Deliverables: IAM assessment status report; Benefits realization report; Remediation and enhancement report; Performance scorecard


User Management


User Provisioning – Conceptual View

Automation can decrease the cost of administration and increase the accuracy of access.

(Diagram: an access request is submitted via the intranet; the provisioning system, built around a user identity directory fed from the LDAP/HR system, applies policies, work flow and audit trails and drives resource control agents on the target systems.)

Request interface: Access Requests; Approvals; Status; Password Management

Provisioning core: User Identity Directory; LDAP/HR System; Policies; Work flow; Audit trails; User Account Reconciliation

Target resources (via Resource Control Agents): CRM; ERP; e-Mail; SCM; HR; Operating Systems; Databases; Applications


User Services

Directory Management
• Profile Management: Management of an object’s (e.g., a user’s) attribute(s) (e.g., phone number) on the user store (e.g., directory server)
• Password Management: Password Management includes tools that help users and administrators manage passwords, either by creating a universal password for all systems or by remembering stored passwords. Additionally, these tools provide user self-service capabilities.
• Work Flow: The sequence of activities performed in accordance with the business processes of an enterprise

Provisioning
• Password Synchronization: A password synchronization system is any software or process used to help users maintain a single password value on multiple password-protected systems
• Reconciliation of Users Across Systems: The process of synchronizing the accounts and supporting data on the central data repository with the accounts and supporting data on the managed resource
• Work Flow: The sequence of activities performed in accordance with the business processes of an enterprise


Conventional User Provisioning Work Flow

Administration of users and user access proves more and more cumbersome as the organization grows. Cost of administration increases and accuracy of user access goes down.

(Diagram of the conventional flow: Growing resources → New users → Request for access generated → Policy and role examined → Approval routing → IT in box → Administrators → Provisioned users.)

Problems highlighted along the flow: Missing audit trail; Backlogs; Requests delayed; Errors; Incomplete request forms


Authorization Management


What problem are we trying to address?

Important issues in authorization management:
• Manageability
• Effectiveness
• Verifiability
• Responsibility


Authorization Management – Manageability

With regard to manageability, we have observed the following in practice:
• When introducing authorizations, it is often the case that more than ten authorization registers are involved, with the same number of administrators.
• Authorizations are formally requested in the form of “just like user xxx,” because no one knows which authorizations are needed to perform the activities.
• There is no complete picture of a staff member’s authorizations.
• The process of requesting and implementing all the necessary authorizations is time-consuming.
• In-sourced staff members are not paid to wait a long time; business partners also do not want to wait.
• There is ineffective internal control; this is experienced as labor intensive.


Authorization Management – Effectiveness

With regard to effectiveness, we have observed the following in practice:
• Users often have more authorizations than necessary.
• The number of authorizations often increases when a person changes jobs, because rights no longer needed are seldom completely withdrawn.
• Staff members cannot perform all their tasks if they do not have all the authorizations needed for these activities.
• External parties can demand adequate access rules for your system.


Authorization Management – Verifiability

With regard to verifiability, we have observed the following in practice:
• Authorization matrices do not exist or are not updated; this interferes with the control process.
• It is practically impossible to establish a breach in the segregation of duties because:
  ─ There are no authorization matrices
  ─ There is a lack of clarity surrounding a staff member’s authorizations
  ─ From the perspective of segregation of duties, there are no records of the authorizations which conflict
• The auditors’ findings and recommendations generally lead to temporary improvements instead of structural improvements.
• In practical terms, it is impossible to compare the actual authorizations with the approved authorization matrices by means of an automated process.


Authorizations and Compliance – Key IT Control Issues for Compliance

Segregation of Duties (SoD)
• Root Cause: Disjointed “identity lifecycle processes” both within and across business cycle
  ─ Transfers not taken into account
  ─ Changes at the Business Process level not taken into account

Excessive Access (Access Creep)
• Root Cause: “identity lifecycle processes” incomplete or operated ineffectively
  ─ User authorizations not reviewed regularly for appropriateness
  ─ Transfers not taken into account

Resulting Remediation Issues:
• A number of authorizations and user assignment changes may be required
• Broader authorization redesign (e.g., Role-Based Access Control (RBAC)) may be required
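The verifiability findings (no recorded SoD conflicts, no automated comparison of actual against approved authorizations) and the SoD and access-creep root causes above become mechanically checkable once the authorization matrix and the conflicting pairs are written down. The following Python is an added example, not from the KPMG deck; the roles, entitlements, users and conflict pairs are constructed sample data.

```python
"""Compare actual entitlements with an approved authorization matrix and
check segregation of duties. Added example; all data below is constructed."""
from dataclasses import dataclass

# Approved authorization matrix: role -> entitlements the role may hold.
APPROVED_MATRIX = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "hr_admin":   {"employee.create", "employee.update"},
}

# Entitlement pairs one person must never hold together. Recording these
# explicitly is what makes an SoD breach detectable at all.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "invoice.approve"}),
}


@dataclass
class UserRecord:
    user_id: str
    roles: set      # roles approved for the user by the matrix owner
    actual: set     # entitlements actually found on the target systems


@dataclass
class Finding:
    user_id: str
    kind: str       # "excess" (access creep), "missing", or "sod"
    detail: tuple   # the entitlement(s) concerned


def expected_entitlements(roles, matrix=APPROVED_MATRIX):
    """Entitlements the matrix allows for a set of roles; unknown roles add nothing."""
    expected = set()
    for role in roles:
        expected |= matrix.get(role, set())
    return expected


def review_user(user, matrix=APPROVED_MATRIX, conflicts=SOD_CONFLICTS):
    """Return the findings for one user, in a deterministic order."""
    findings = []
    expected = expected_entitlements(user.roles, matrix)
    # Access creep: rights present on the system that no approved role justifies.
    for ent in sorted(user.actual - expected):
        findings.append(Finding(user.user_id, "excess", (ent,)))
    # Missing rights: approved but never provisioned, so tasks cannot be done.
    for ent in sorted(expected - user.actual):
        findings.append(Finding(user.user_id, "missing", (ent,)))
    # SoD is checked on ACTUAL rights: that is what the person can really do.
    for pair in sorted(conflicts, key=sorted):
        if pair <= user.actual:
            findings.append(Finding(user.user_id, "sod", tuple(sorted(pair))))
    return findings


def review_all(users, matrix=APPROVED_MATRIX, conflicts=SOD_CONFLICTS):
    findings = []
    for user in users:
        findings.extend(review_user(user, matrix, conflicts))
    return findings


# Constructed sample: bob transferred from AP clerk to AP manager, but his
# old clerk rights were never withdrawn (the transfer case from the slide).
SAMPLE_USERS = [
    UserRecord("alice", {"ap_clerk"}, {"vendor.create", "invoice.enter"}),
    UserRecord("bob", {"ap_manager"},
               {"vendor.create", "invoice.enter", "invoice.approve", "payment.release"}),
    UserRecord("carol", {"hr_admin"}, {"employee.create"}),
]

if __name__ == "__main__":
    for f in review_all(SAMPLE_USERS):
        print(f"{f.user_id:6} {f.kind:8} {' + '.join(f.detail)}")
```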


Roles and IAM

(Diagram: lifecycle events recorded at the authoritative source fire an automated trigger into the IAM tool, which approves user authorizations based on roles and rules.)

Lifecycle events at the Authoritative Source:
• New user, e.g., employee/contractor/business partner/customer
• Change
• Resign

IAM tool components: User management; Authentication management; Authorization management; Authorization model; Provisioning; Monitoring and Auditing

Other diagram labels: Automated trigger; Approve user authorizations based on roles and rules; (Actual situation); (“To be” situation); (Automatic) reporting


Access Management


Access Management

• Access management solutions are the gatekeepers that help to determine which entities or users have the right to use enterprise systems and resources.

• This component may intercept attempts to access protected Web resources.

• The Access Management tool checks the Security Policy and the User & Entitlement store to authenticate the user and authorize (or reject) the user’s request to perform the desired transactions.

• Additional discussions are required to determine if the Access Management tool should perform the authorization or pass the request to the application for authorization.

• The Access Management tool should support multiple levels of user authentication.


Access Management – Conceptual View

(Diagram: Employees, Partners and Customers reach the Web Server over HTTP, SSL; an Agent on the Web Server talks to the Policy Server over an Encrypted Connection; the Policy Server consults the User & Entitlement Store; Content Management and Web Data sit behind the Web Server.)

Process:
1. Is the resource protected?
2. Is the user authenticated?
3. Is the user authorized?
4. Personalize the content
5. Log the process

User & Entitlement Store back ends: NT Domain; ODBC; LDAP; ADSI; RACF


Access Controls

• Determine rights and privileges using policy-based systems
• Combine authentication and authorization by using Web-based access management products
• Use roles-based, group-based, rules-based systems for scalability
• Integrate with applications and application servers
• Identify objects by URL and operate at page, button, and field level
• Integrate with identity repositories (e.g., directory, database)
• Support multiple authentication systems
• Include user management functions
• Provide dynamic enforcement with variables (e.g., location, time)
• Provide session management after authentication
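The agent/policy-server process from the conceptual view (protected? authenticated? authorized? log), combined with the policy-based, role-based and dynamic (time, network location) controls listed above, modelled in Python. This is an added example, not code from the deck or from any access management product; the policy format, the protected URL prefixes and the sessions are constructed assumptions, and step 4 (personalization) is left out.

```python
"""Policy-server decision for a Web access management agent.
Added example; policy, URL prefixes and sessions are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Rule:
    url_pattern: str                 # object identified by URL (page level)
    roles: set                       # any one of these roles satisfies the rule
    hours: tuple = (0, 24)           # permitted local hours, [start, end)
    networks: set = field(default_factory=lambda: {"any"})   # "internal"/"external"


@dataclass
class Session:
    """What the agent knows about the caller after authentication."""
    user: str
    roles: set
    authenticated: bool
    network: str


# Constructed policy: HR pages only for hr_admin, from the internal network,
# during office hours; payroll approval only for AP managers, any time.
POLICY = [
    Rule("/hr/*", {"hr_admin"}, hours=(8, 18), networks={"internal"}),
    Rule("/payroll/approve", {"ap_manager"}),
]
PROTECTED_PREFIXES = ("/hr/", "/payroll/")

audit_log = []   # step 5: every decision is recorded, allow or deny


def is_protected(url):
    """Step 1: only resources under a protected prefix need a decision."""
    return url.startswith(PROTECTED_PREFIXES)


def check_rule(rule, session, hour):
    """Step 3 for one matching rule: role, then the dynamic variables."""
    if not (session.roles & rule.roles):
        return ("deny", "role not permitted")
    if not (rule.hours[0] <= hour < rule.hours[1]):
        return ("deny", "outside permitted hours")
    if "any" not in rule.networks and session.network not in rule.networks:
        return ("deny", "network not permitted")
    return ("allow", f"matched rule {rule.url_pattern}")


def evaluate(url, session, hour):
    """Run steps 1, 2, 3 and 5; return (decision, reason).

    decision is "allow", "deny" or "challenge" (redirect to authentication).
    """
    if not is_protected(url):
        decision = ("allow", "unprotected resource")
    elif session is None or not session.authenticated:
        decision = ("challenge", "authentication required")
    else:
        decision = ("deny", "no matching rule")    # default deny
        for rule in POLICY:
            if not fnmatch(url, rule.url_pattern):
                continue
            decision = check_rule(rule, session, hour)
            if decision[0] == "allow":
                break
    audit_log.append({"user": session.user if session else "-", "url": url,
                      "hour": hour, "decision": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    carol = Session("carol", {"hr_admin"}, True, "internal")
    print(evaluate("/public/index.html", None, 10))
    print(evaluate("/hr/employees", None, 10))
    print(evaluate("/hr/employees", carol, 10))
    print(evaluate("/hr/employees", carol, 22))
    for entry in audit_log:
        print(entry)
```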


Data Management


Introduction

• IAM is an integrated system of business processes, policies, and technologies that help enable clients to facilitate and control their users’ access to critical applications and resources, while protecting confidential personal and organizational information from unauthorized users.

• Within the context of IAM, data management can be defined as follows:
  ─ Data management is the set of business processes and a supporting infrastructure for the creation, maintenance, and use of digital identities.

• Data management is seen as the fundamental building block (foundation) for IAM solutions. Without effective “identities,” all other IAM-related initiatives will probably fail.

• KPMG has experience in the field of identity data management. We can help you to define what a digital identity is and help identify authoritative sources of information, the approaches to address dirty data, and the building of a trusted identity store. Our ambition extends further than just defining what a digital identity is for your organization. We will design and assist in implementing a data model that you should be able to use and maintain in your organization for your future IAM initiatives.


Data Management in Practice

• From a technical perspective, a digital identity is a set of related electronic records that represent network subjects, including people, machines, devices, applications, and services.

• A digital identity consists of multiple layers, including a relatively stable unique identifier attribute and value (e.g., badge or employee number for enterprise staff), along with the relatively transient profiles that add context to the identity (e.g., location attribute or department).

• An Identity Repository is a storage area of several identity data items, typically from several resources, joined into one combined electronic record. This repository may be based on the LDAP standard (e.g., Oracle Internet Directory).


Data Management in Practice

Data modeling
• This aspect of the integration deals with the rationalization of the data managed by each system, starting with the definition of common data elements for these systems that need to be considered, as well as the appropriate authoritative source and the synchronization rule that should apply for each element. In most cases an enterprise Directory service will act as an authoritative source of identities feeding the IAM infrastructure.

Authoritative Sources
• Where do digital identities come from within an organization? Or perhaps more accurately, where are identities recorded/stored electronically within an organization? This is typically an HR system, where an HR representative enters identity data into the system. However, it is important to understand that an HR system may not have accurate identity data, or the processes for maintaining identity data within the HR system may not be efficient.

• A system where identities are recorded and “trusted” is often referred to as an authoritative source.

• It is important to categorize the types of identity and their authoritative source (if possible) within an organization.


Data Management in Practice

Quality Matters
• How strong a foundation the Identity Repository can provide for a client’s IAM depends in large part on the quality of the information it contains. Most organizations have multiple directories or identity repositories. The information in those directories is often redundant or incorrect.

• An important first step toward getting one’s “identity house” in order, then, is to understand how and where identity information is stored. Understanding the underlying directory environment and evaluating how best to integrate that environment is an essential step in creating a more authoritative source for identity information.

Privacy considerations and controls
• Data minimization, authentication and authorization, encryption, and separation of data may all be techniques and controls required to help ensure any privacy requirements are met.


Data Management in Practice

Data Cleaning
• Cleaning data can be a laborious and time-consuming task. What is important is how an organization identifies dirty data.

Why clean data? There are several reasons why data cleaning is required:

• User experience – users who see inaccurate data may get annoyed or upset that the information about them is inaccurate

• Policy decisions – some IAM solutions rely on data to determine rules (e.g., provisioning rules, policy enforcement etc.)

• Security – system accounts that no longer have an associated user (e.g., orphaned accounts or accounts that do not have an associated owner) may be considered a threat to security

• Management – ongoing cleaning of data may take considerable time and effort and is often difficult to sustain

• Regulations – some regulations (e.g., UK Data Protection Act, GLBA, Safe Harbor, etc.) hold an organization responsible and accountable for helping to ensure that employee data is accurate in all electronic systems where information about the employee is held.


Data Management in Practice

Data Integrity and Synchronization
• Clients should define the means by which identity data on identified systems can be kept up to date and in sync, by using a combination of centralized Directory, Meta Directory, and/or Virtual Directory.

• Vendor IAM solutions provide a range of integration options that clients could leverage, including APIs, middleware integration such as EAI, Web services, or through sharing a common database/directory repository. Therefore, in planning the integration, special attention should be paid to items such as the nature of the synchronization process:
  ─ Bidirectional or unidirectional
  ─ Real time
  ─ Work flow driven
  ─ Items of data to be synchronized
  ─ Reconciliation process
  ─ How to help ensure uniqueness
  ─ Conflicts and exception handling.
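The reconciliation process, uniqueness check and conflict handling listed above, together with the Reconciliation of Users Across Systems definition under User Services and the orphaned-account concern under Data Cleaning, in working form. This Python is an added example, not code from the deck or any vendor product; the attribute names, the per-attribute authoritative-source rules and the identity and account records are constructed assumptions.

```python
"""Reconcile accounts on a managed resource against the central identity
repository (fed from the authoritative HR source). Added example; the
attribute names, sync rules and all records below are constructed."""
from dataclasses import dataclass
from typing import Optional

# Unidirectional synchronization rule per attribute: the side named here is
# authoritative, so a differing value on the other side is a conflict to fix.
SYNC_RULES = {
    "department": "repository",   # HR-fed repository wins
    "email": "repository",
    "last_login": "resource",     # only the resource knows this; it flows back
}


@dataclass
class Identity:
    """Record in the central identity repository."""
    employee_id: str
    status: str                  # "active" or "terminated"
    attrs: dict


@dataclass
class Account:
    """Account on a managed resource (e.g. an ERP system)."""
    account_name: str
    employee_id: Optional[str]   # correlation key; None if never linked
    attrs: dict


def reconcile(identities, accounts, rules=SYNC_RULES):
    """Compare resource accounts with the repository.

    Returns (orphans, duplicates, to_resource, to_repository):
      orphans        account names with no active owner (a security finding)
      duplicates     (first_account, second_account) sharing one employee_id
      to_resource    (account, attribute, value) updates the resource must take
      to_repository  (employee_id, attribute, value) updates flowing back
    """
    by_id = {i.employee_id: i for i in identities}
    orphans, duplicates, to_resource, to_repository = [], [], [], []
    seen = {}   # employee_id -> first account name, for the uniqueness check
    for acct in accounts:
        if acct.employee_id is not None:
            if acct.employee_id in seen:
                duplicates.append((seen[acct.employee_id], acct.account_name))
            else:
                seen[acct.employee_id] = acct.account_name
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None or owner.status != "active":
            # No owner, owner unknown to HR, or owner has left: de-provisioning gap.
            orphans.append(acct.account_name)
            continue
        for attr, side in rules.items():
            repo_val = owner.attrs.get(attr)
            acct_val = acct.attrs.get(attr)
            if repo_val == acct_val:
                continue
            if side == "repository":
                to_resource.append((acct.account_name, attr, repo_val))
            else:
                to_repository.append((owner.employee_id, attr, acct_val))
    return orphans, duplicates, to_resource, to_repository


# Constructed sample data: one active identity, one terminated identity.
IDENTITIES = [
    Identity("E100", "active", {"department": "Finance",
                                "email": "alice@example.com",
                                "last_login": "2008-03-01"}),
    Identity("E200", "terminated", {"department": "Sales",
                                    "email": "bob@example.com"}),
]
ACCOUNTS = [
    Account("alice", "E100", {"department": "Finance", "email": "alice@example.com",
                              "last_login": "2008-03-10"}),
    Account("alice2", "E100", {"department": "Sales", "email": "alice@example.com",
                               "last_login": "2008-03-01"}),   # second account, stale dept
    Account("bob", "E200", {"department": "Sales"}),            # owner has left
    Account("svc_batch", None, {}),                             # never correlated
    Account("ghost", "E999", {}),                               # owner unknown to HR
]

if __name__ == "__main__":
    orphans, dups, to_res, to_repo = reconcile(IDENTITIES, ACCOUNTS)
    print("orphan accounts:     ", orphans)
    print("duplicate accounts:  ", dups)
    print("push to resource:    ", to_res)
    print("push to repository:  ", to_repo)
```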


Data Management in Practice

Managing Multiple Directories
• It is estimated that typical enterprises have approximately 120+ applications in which user management is required. Managing so many special purpose directories can cause the following general problems:
  ─ High cost of administration
  ─ Inconsistent data
  ─ Security issues

• Directory synchronization is one leading practice approach to consolidating Identity information for client use. Directory synchronization provides a mechanism for copying select identities, attributes, and group information between two or more disparate identity repositories according to predefined rules. Directory synchronization is essential for many IAM-related applications.

• The IAM technology that provides directory synchronization is typically defined as either a “Meta Directory” or “Virtual Directory.”


KPMG’s Vision

The data model, processes and tools used make it possible to realize a manageable and efficient data management process that is:

• Effective
• Controlled
• Accurate
• Verifiable

This helps enable management to take responsibility for the integrity of data for use in an IAM program.

Figure: data management cycle, with three recurring elements:
• Record the identity model
• Clean and accurate identity data
• Automatic “decision” points based on the identity


Our Approach

Figure: data management approach across the project phases Requirements gathering, Design, Build, Test, Deploy and Post production.
Steps:
1. Analysis and agreement of current data models and authoritative sources
2. Create model and identify data synchronization and cleansing activities
3. Design and deploy data repository
Tracks shown alongside the steps: agree data model and synchronization requirements, deploy identity data repository; migrate from current data model to envisioned data model; design, implementation, and deployment of data management infrastructure.


Our Approach

The result of our approach is:
• Agreed identity data model
• Agreed authoritative sources aligned with data ownership
• A model that is extensible and supportable
• Transparency, maintainability, verifiability, and effectiveness
• Efficient and effective data management
• The foundation for all IAM program initiatives
• Data management that is clearly “under control”


Authentication Management


Authentication Management

• Authentication is the process of determining, to a specified level of confidence, that an entity is who or what they claim to be

• Authentication Management covers the policies, processes, and systems for effectively governing and managing the authentication of individuals and services

• Main activities:
─ Enrollment – identification and registration processes
─ Risk-based Authentication Framework
─ Credential lifecycle management – issuance, activation, support, revocation
─ Design and implementation of authentication infrastructure


Authentication Management – Conceptual View

Figure: conceptual view. Users and applications interact through an authentication engine / enforcement point, which applies the authentication and access policies; user and access management maintains those policies from within the IAM system.


Authentication Management – Terms Used and Related Activities

Technology areas:
• Strong authentication
• Two-factor authentication
• User name/password
• One Time Password (OTP)
• Smartcards/PKI
• Tokens
• Biometrics
• SMS authentication
• CardSpace
• Claims-based authentication

Policies, frameworks, and processes:
• Original identification
• Evidence of Identity (EOI)
• Enrollment policies and processes
• EOI capture and storage
• Authentication frameworks
• Risk assessment tool
• Authenticator selector tools
• Credential lifecycle management
• Support processes – password reset, PIN management, etc.

Industry standards:
• SAML
• WS-*
• OATH
• Liberty Alliance


Observations


KPMG’s Observations

Most IAM projects focus initially on improving user management and automating provisioning of accounts and basic authorizations, supported by workflows
• Driver: increasing operational excellence
• In most cases, basic employee roles are assigned

Second stage of most projects focuses on improving the quality of the authorizations
• Driver: increasing level of compliance
• Roles are currently seen as the way forward for managing fine-grained authorizations

In most software solutions of the suite vendors (such as IBM, Sun, HP, Oracle, Computer Associates) some role functionalities exist, although they are too limited
• Only the administration of technical roles is included
• No real role management capabilities
• When organizations require extensive role management, most suite vendors are teaming with pure-play role management vendors such as VAAU, BHOLD Company, Bridgestream, Eurekify, and RMAN.


KPMG’s Observations when Organizations are Entering Role Modeling

Optimistic view on required starting points for role modeling, such as:
• Lack of clear job descriptions
• Lack of (up-to-date) authorization matrices for platforms and applications
• Lack of commitment of the organization to engage in role modeling

Theoretical/conceptual view on role modeling, leading to role explosion
• Top-down approach for role engineering takes too long and requires too much effort and interaction with the business
─ No short term results
• No room for flexibility – SoD breach may occur, if documented
• Attention only to the “to be” situation
• How to keep the role model future-proof?

Too ambitious – revolution instead of evolution
• Big bang – scope is entire organization and all applications?
• Phased approach is crucial


Next Steps


How to Proceed – User Management

• IAM should be considered as a long-term strategy
• Define requirements for identity management within your enterprise
• Develop a strategic roadmap with realistic timelines that can be broken down into distinct work streams
• Develop a set of use cases for the management, creation, and deletion of users
• Develop workflows, processes, and roles that can be leveraged through an identity management solution
• Hold vendor bake-offs to determine “best” fit for your environment
• Conduct Proofs of Concept (POC) with selected vendors
• Deploy a limited pilot to determine validity and capabilities of chosen solution
• Develop a phased rollout plan to incorporate an 80/20 rule for centralized user provisioning


How to Proceed – Authorization Management

Putting the foundation in place by:
• Implementing role management
• Providing infrastructure for analyzing, engineering, and maintaining roles (mostly as part of enterprise IAM infrastructure)

Role engineering
• Using role mining tools will decrease role engineering efforts and will provide faster results

Implementing roles – evolution versus revolution
• Staged approach is required
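As an added example of the bottom-up role mining and authorization cleansing this slide and the suggested approach refer to (not code from KPMG or from any role-mining vendor), the Python below derives candidate roles from an entitlement snapshot, computes a per-department baseline role, lists the residual entitlements a reviewer should look at, and checks a segregation-of-duties rule. The users, departments, permission names and the SoD rule are all constructed for the example.

```python
# Bottom-up role mining over an entitlement snapshot. Added example with
# constructed data; not KPMG's code nor any role-mining vendor's.
from collections import defaultdict

# Constructed access matrix: user -> (department, granted permissions).
USERS = {
    "anna":   ("Finance", {"erp.gl.read", "erp.gl.post", "mail"}),
    "boris":  ("Finance", {"erp.gl.read", "erp.gl.post", "mail"}),
    "carla":  ("Finance", {"erp.gl.read", "erp.gl.post", "erp.ap.approve", "mail"}),
    "dmitry": ("IT", {"mail", "ad.admin", "srv.ssh"}),
    "elena":  ("IT", {"mail", "ad.admin", "srv.ssh", "erp.gl.read"}),
}
# Constructed segregation-of-duties rule: posting and approving must not combine.
SOD_RULES = [{"erp.gl.post", "erp.ap.approve"}]


def mine_roles(users, min_users=2):
    """Candidate roles: distinct permission sets shared by >= min_users users.
    With min_users=1 every user becomes a role, which is the role explosion
    the slides warn about; the threshold keeps only reusable roles."""
    by_perms = defaultdict(list)
    for user, (_, perms) in users.items():
        by_perms[tuple(sorted(perms))].append(user)
    return {perms: sorted(members) for perms, members in by_perms.items()
            if len(members) >= min_users}


def department_baseline(users):
    """Baseline role per department: the permissions every member holds."""
    base = {}
    for _, (dept, perms) in users.items():
        base[dept] = set(perms) if dept not in base else base[dept] & perms
    return base


def residual_entitlements(users, baseline):
    """Permissions outside the department baseline: review and cleanse these."""
    return {user: sorted(perms - baseline[dept])
            for user, (dept, perms) in users.items() if perms - baseline[dept]}


def sod_violations(users, rules):
    """Users whose effective permissions contain a toxic combination."""
    hits = {}
    for user, (_, perms) in users.items():
        found = [tuple(sorted(rule)) for rule in rules if rule <= perms]
        if found:
            hits[user] = found
    return hits
```

On this snapshot the miner proposes one reusable Finance role, flags Carla's approval right and Elena's ERP read access as residuals outside their department baselines, and reports Carla as the SoD violation; lowering `min_users` to 1 turns every distinct user into a role.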


Authorization Management – Suggested Approach

Figure: suggested approach, shown as a sequence of steps:
• Envision concept
• Confirm vision
• Develop IAM architecture
• Select tools
• (Automated) analysis of current authorizations
• Cleansing of existing authorizations
• Automatic role mining / role engineering
• Implementing role management process
• Automating (parts of) authorization management processes
• (Periodic) reporting on granted authorizations
• Operational


How to Proceed – Authentication Management

Putting the foundation in place by:
• Conducting a risk assessment to understand information asset classification and risk within the organization
• Developing a risk-based authentication framework

First phase:
• Developing policies and processes for different authentication mechanisms within the organization (including strong authentication)
• Implementing a first phase of infrastructure deployment for helping to enable and enforce access policies relating to authentication

Future phases:
• Iterating authentication framework, policies, and procedures
• Implementing strong authentication, Enterprise Single/Simplified Sign On, Federation, etc.


Authentication Management

Figure: authentication management approach across the project phases Requirements gathering, Design, Build, Test, Deploy and Post-production.
Steps:
1. Development of authentication framework
2. Development of enrollment policies and processes
3. Develop operational structures for credential life cycle management
4. Access Management – design and build authentication infrastructure
Tracks shown alongside the steps: develop framework and processes; implementing authentication management policies, standards and process; design, implement, and deploy authentication management processes.


KPMG’s View of Implementation Strategy – Preparing and Planning

Preparation and planning:
• Put foundation in place
• Determine scope
─ Are you really envisioning managing all authorizations by using roles? Maybe 80/20 rule is more realistic.
• Setting priorities
─ Depending on business case
─ Deployment strategy: organizational entities versus processes versus applications – which deployment strategy to choose?
• Managing expectations and keeping commitment is key


Staged Approach is Required

Figure: staged approach, migrating from a project approach to a process approach:
• Preparing and planning
• Stage 1: Reestablish identity life cycle processes
• Stage 2: Implement role management for prioritized applications/systems
• Stage 3: Optimize role model for prioritized applications/systems
• End goal: Role management and assignment processes in place and effective


Identity Management Reference Architecture

Figure: identity management reference architecture.
Users: Employees, IT Staff, Applications, Partners (external); Delegated Admin, Applications, Customers (internal)
Identity Management Service:
• Access Management – Authentication & SSO; Authorization & RBAC
• Identity Administration – Delegated Administration; Self-registration and Self-service; Entitlement management
• Directory Services – LDAP Directory; Meta-Directory; Virtual Directory
• Identity Provisioning – Who, what, when, where, why; Rules and access policies; Integration framework
• Cross-cutting: Auditing and Reporting; Workflow; Monitoring and Management
Systems and Repositories: NOS/Directories; OS (Unix); Applications – ERP, CRM, HR, Mainframe; Physical Assets – Cell Phone, Physical Access

* Source – Oracle Enterprise IdM Reference architecture


A Look at the Pieces when Fit Together

Figure: how the IAM pieces fit together. Components shown: Policy, Enforcement, Directory, Authentication, Portal, Applications; Administration (Policies, Workflow, Audit trails, Provisioning, Delegated administration); User Account Reconciliation (Operating Systems, Databases, Applications); Authoritative Directory Stores, Existing Directories, Databases; Access Management; Directory Management; User Management (Self-service, Workflow); Audit Verification & Validation; Real-time enforcement.


Structured IAM Approach


Deployment Life Cycle

Figure: deployment life cycle with six phases and the concerns noted for each.

Planning:
• Project scope
• Stakeholder education/buy-in
• Executive support
• Definition of business drivers

Requirements:
• Management of expectations
• Custom versus out-of-the-box
• Legacy platform readiness
• Security and compliance req.
• Holistic view people, proc., & tech

Design:
• Identify architecture risks
• Requirements tradeoffs
• Address non-functional req.
• Define suitable RBAC model
• Define reconciliation plan

Build and Test:
• Gap between test versus prod
• Test non-functional req.
• Knowledge transfer
• Change management
• Stakeholder involvement in testing

Transition:
• Rollout communication
• Business process training
• Organizational readiness

Maintenance:
• Technical support help desk
• Assess usability
• Develop enhancement strategy


Methodology and Deliverables

Planning Tasks
• Identify stakeholders
• Inventory and review current state
• Develop: project plan, defect tracking, communication plan, change management, team roles, risk management

Requirements Tasks
• Define solution requirements
• Develop solution metrics
• Refine project plan
• Manage to plan

Design Tasks
• Develop detailed design
• Identify requirement GAPs
• Build Dev environment
• Develop test plans
• Manage to project plan

Build and Test Tasks
• Configure and build IDM solution in Dev environment
• Develop unit and integration test scripts
• Develop training materials
• Develop cutover plan
• Develop user acceptance test scripts
• Develop reconciliation procedures

Transition Tasks
• Deploy and configure product environment
• Load and stress testing
• Acceptance testing
• Develop user procedure documents
• Execute communication plan

Rollout/Maintenance Tasks
• Develop ongoing roles and responsibilities
• Develop production support procedures
• Develop incident response procedures

Planning Deliverables
• Stakeholder and KPMG team roles and responsibilities
• Project work plan
• Documentation standard
• Change management plan
• Defect tracking and prioritization guidelines
• Communications and issues management plan
• Risk log and mitigation plan

Requirements Deliverables
• Functional requirements
• Nonfunctional requirements
• Security and compliance requirements
• Roles for IDM solution implementation
• Legacy systems data cleansing requirements and strategy
• SRS document

Design Deliverables
• SDD document
• System architecture document
• Build document
• Baseline build of Dev environment for IDM solution
• Reconciliation plan for resources
• Test and training plan

Build and Test Deliverables
• Configuration document
• Unit and integration test scripts
• Training materials
• Cutover plan
• User acceptance test scripts
• Reconciliation procedures
• Production checklist

Transition/Cutover Deliverables
• Load and stress test results
• Acceptance test results
• Acceptance sign-off
• User documents
• Build documents for production environment
• Production environment

Rollout/Maintenance Deliverables
• Ongoing roles and responsibilities
• Production support procedures
• Incident response procedures


All information provided is of a general nature not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG in Russia refers to KPMG Limited, a company incorporated under the Guernsey Companies Act, and ZAO KPMG, a company registered under the Laws of the Russian Federation.

Christopher Gould, KPMG

+7 495 937 [email protected]

www.kpmg.ru