1 IAM Assembly Line. 2 Overview. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 IAM Assembly Line Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Evolving from hand-assembled to "factory-built" IAM systems. Idan Shoham CTO, Hitachi ID Systems Overview In the past, IAM deployments were very customized. aborted or truncated projects. This led to cost overruns, missed deadlines and We present a standardized approach to IAM implementations that significantly lowers cost, shortens timelines and reduces risk Hitachi ID Systems, Inc. All rights reserved. 1

2 3 What we ll cover Past problems Risk Cost overruns Schedule overruns Rolled back deliverables Root cause analysis Solution Real world examples 4 What kind of IAM? Everyone has a different idea of what IAM means. What kind of IAM will we discuss here? The kind that creates new identities, manages them, assigns and revokes entitlements and ultimately deletes them. a.k.a. "user provisioning" or "access governance." Including: Create/delete accounts. Move/enable/disable/rename. Assign and revoke group memberships. Reset forgotten passwords and clear lockouts. With automation for: HR-driven processes. Request-driven processes. Approvals workflow. Periodic recertification and remediation. 5 Past problems 2014 Hitachi ID Systems, Inc. All rights reserved. 2

3 5.1 By category Cost Timelines Deliverables Risk Major cost overruns. Deployments running from $1M to $10M. Years in deployment. Teams of 3 or more consultants. Promised the world. Actually deployed few processes, few connectors. Often with no user-facing UI. Stop early due to high cost / long delay. Management sometimes pulled the plug entirely. 6 Root cause analysis 6.1 Is it really this complicated? Every medium to large organization needs IAM processes. Why should automating this stuff be so hard? 2014 Hitachi ID Systems, Inc. All rights reserved. 3

4 6.2 Process complexity There is almost fractal detail to some processes. Onboarding, transfers: Composing, reserving unique IDs. Assets (homedirs, mail folders), permissions. Deactivation: Scheduled vs. immediate. Advance warning, disable, undo, archive, delete. Retain records, detect returnees. Are roles the answer? Only helpful when many users need the same thing. Role management can be very costly. Automation from an HR feed? HR are not willing participants in this. Data may be late, coarse grained or obsolete. 6.3 Project/program management Executive sponsor? Lots of stake-holders. Someone has to make decisions. Unrealistic promises: Promise a feast, budget for a snack. They lose patience when time/money runs out and results are still small. Some of this stuff looks like business process re-engineering : (run for the hills!) If you can t do it quickly, sometimes you shouldn t do it at all Hitachi ID Systems, Inc. All rights reserved. 4

5 6.4 Where did the time and money go? Implementation eats up 5x to 10x as much cost as software and runtime platform. All those consultants are expensive. Some integrators try to park consultants on-site, indefinitely. 6.5 Technical and usability challenges Users don t know what/how to request. Roles sound good until you have to define/assign them! Users forget their password in awkward situations. Off-site, where they can t get to your password reset system. Pre-boot, where they don t even have an OS running yet. The IT landscape keeps changing. You can t just deploy this stuff and go home. New apps, upgrades, SaaS constant churn! 7 Solution 2014 Hitachi ID Systems, Inc. All rights reserved. 5

6 7.1 Problem analogy Imagine that you want to buy a car... But there are no industrial auto makers! You have to define requirements, put out an RFP and hire someone to build a one-off car just for you! This is the state of the IAM business. Built by craftsmen using technology frameworks. Not standard products put together on an assembly line. Leads to cost, risk and delay. 7.2 But we re special! Your organization has its own: Business processes. Systems and applications. Surely you need a custom-fit solution? 2014 Hitachi ID Systems, Inc. All rights reserved. 6

7 7.3 Maybe not so unique If you are a corporation... Does your recruitment work so differently than everyone else s? Do you terminate people in a really weird way? Are moves and transfers uniquely your own? Maybe all that special process is just an accident of history. Maybe using standardized processes wouldn t cause any harm. Or not a corporation... Higher education. Hospitals. Partner web portals. Consumer enrollment. Maybe you should use processes that organizations resembling yours all share? 7.4 Reference builds A reference build is a pre-configured IAM system. It should fit every organization in a category: Corporations. Higher education. Hospitals. etc. You can tweak it if you have to. The idea is to start with a fully functional, complete system and make minor adjustments. Don t build everything from scratch. 7.5 A trade-off Give... Throw away your old processes, which are just a historical accident anyways. Adopt best practices from your category of business.... and take Implement a fully featured IAM system in weeks. Improve SLA, security, user service Hitachi ID Systems, Inc. All rights reserved. 7

8 7.6 Obvious questions Is this the only way to build an IAM system? What about IAMaaS (move it to the cloud)? Does this mean that Hitachi ID only does "cookie cutter" IAM deployments? No, special-built solutions remain possible. Even if needs are exotic, it s more cost effective to start with a reference implementation than to start from scratch. Where the IAM system is installed makes little difference. IAMaaS vendors will want to push a standard model too. Zero on-premise footprint is a pipe dream you need a proxy for integration to your on-premise systems/apps. No, but we recommend them wherever possible. This is a serious effort to minimize customer TCO. 8 Real world examples 8.1 Specialized per style of organization Corporate Intranet-facing. 50,000 users Employees. Contractors. Vendors. HR SoR. AD/Windows/Exchange. Thousands of users. B2B Extranet-facing partners 100,000 users No SoR. Single LDAP. Infrequent users. Delegated admin. B2C Extranet-facing. 1,000,000+ users No SoR. Single LDAP. Infrequent users. Pure self-service admin Hitachi ID Systems, Inc. All rights reserved. 8

9 8.2 Corporate reference build: details Integrations: SQL-based HR SoR. AD domain Exchange domain (mailboxes) Windows filesystem (homedirs) Entitlements: Login IDs. Group memberships. Roles. User communities: Employees. Contractors/other. Configuration: Based on user classes, rules tables and lookup tables. Near-zero script logic. Automation: Onboard/deactivate based on SoR. Identity attribute propagation. Self-service: Password, security question management. Update to contact info. Request for application, share, folder access. Delegated admin: Same as self-service, plus recert. Approval workflows: IT security (global rights). HR/managers (approve for each-other). Recertification: Scheduled. Ad-hoc. 8.3 Corporate reference: complex cases Transfer: New user: Scheduled term: New user: Authorization: Move mailbox, home directory. Invite old, new managers to recertify entitlements. Automatically detect, block accidental rehires. Provide separate reactivate process for allowed returnees. Early warning to manager. Allow manager, HR to defer term date. Disable on term date. Reassign, archive resources (homedir, mail folder). Cleanup accounts, etc. after N days. First login PII acquired during onboarding. Force new users to enroll security questions, set first password. Require user to read, accept AUP before first login. Detect if the requester matches valid authorizers. Route requests back to requester for auto-approval Hitachi ID Systems, Inc. All rights reserved. 9

10 8.4 Customer experience - corporate reference build Time to deploy Return on investment Real world examples 1 month to 4 months. Depends on process complexity and change approval. Automate the most common, complex access requests. Better SLA for new hires. Reliable deactivation for departed users. Multi-national energy company: 30 days effort / 2 months calendar to deploy. Automated 2,500 changes/month. Mid-size operator of retirement homes: 20 days effort / 8 months calendar to deploy (lots of delays). Automated 100 changes/month. 9 How does it look? 9.1 View Org Chart Data 2014 Hitachi ID Systems, Inc. All rights reserved. 10

11 9.2 User Profile Screen 9.3 Advanced Search 2014 Hitachi ID Systems, Inc. All rights reserved. 11

12 9.4 Create a New User 9.5 Compare User Profiles 2014 Hitachi ID Systems, Inc. All rights reserved. 12

13 9.6 Intercepting an Access Denied Error 9.7 User Details 2014 Hitachi ID Systems, Inc. All rights reserved. 13

14 9.8 New Password 9.9 Define a Relationship 2014 Hitachi ID Systems, Inc. All rights reserved. 14

15 9.10 Authorization Policy 10 Summary 10.1 Available now Hitachi ID offers IAM reference builds for corporate, B2B and B2C. Other patterns coming soon. Implementation and modest customization take just days of work. Visit us at hitachi-id.com or at our booth at Gartner IAM to learn more. Questions? Be sure to stop by our session on Enterprise Compliance and Risk Mitigation Senior IAM Specialist, Bruce Macdonald Thursday 10am - Augustus III. Visit booth #204 in the Octavius Ballroom. 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com Date: December 5, 2014 File: PRCS:pres