1 Corporate Reference Build. 2 Overview. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Corporate Reference Build Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Expediting IAM deployment and minimizing TCO by adopting best practices. 2 Overview 2018 Hitachi ID Systems, Inc. All rights reserved. 1

2 2.1 Starting from scratch is costly Implementing an IAM implementation from scratch is complex: Integrations Processes Policies Systems of record Directories Mail systems Collaboration/filesystem Applications Operating systems Databases Strong auth, VPN SIEM, incidents, inventory/asset, monitoring Portal integration, branding Joiners, movers, leavers SoR-driven Request-driven Approvals process Access certification Automated fulfillment Manual fulfillment Unique identifiers (login, ) Resource assignment Role based access Segregation of duties Approval routing Escalation routing Privacy protection / search restriction Certification schedules / triggers Complexity leads to cost, delay and risk Hitachi ID Systems, Inc. All rights reserved. 2

3 2.2 ID Express Before reference implementations: Every implementation starts from scratch. Some code reuse, in the form of libraries. Even simple business processes have complex boundary conditions: Onboarding: initial passwords, blocking rehires. Termination: scheduled vs. immediate, warnings, cleanup. Transfers: move mailboxes and homedirs, trigger recertification. Complex processes often scripted. Delay, cost, risk. With Hitachi ID Identity Express: Start with a fully configured system. Handles all the basic user lifecycle processes out of the box. Basic integrations pre-configured (HR, AD, Exchange, Windows). Implementation means "adjust as required" not "build from scratch." Configuration is fully data driven (no scripts). Fast, efficient, reliable Hitachi ID Systems, Inc. All rights reserved. 3

4 2.3 ID Express - Corporate: details Integrations: SQL-based HR SoR. AD domain Exchange domain (mailboxes) Windows filesystem (homedirs) Entitlements: Login IDs. Group memberships. Roles. User communities: Employees. Contractors/other. Configuration: Based on user classes, rules tables and lookup tables. Near-zero script logic. Automation: Onboard/deactivate based on SoR. Identity attribute propagation. Self-service: Password, security question management. Update to contact info. Request for application, share, folder access. Delegated admin: Same as self-service, plus recert. Approval workflows: IT security (global rights). HR/managers (approve for each-other). Recertification: Scheduled. Ad-hoc Hitachi ID Systems, Inc. All rights reserved. 4

5 2.4 Data flow HR system employee database System of record: list employees, attributes Hitachi ID Suite Create user, delete user, enable / disable, set attribute, add to group, remove from group, move OU Active Directory List users, list groups Create, delete, update employee Request, approve Request, approve Update profile Create mbox, delete mbox, move mbox, send invitation Microsoft Exchange HR Managers Employees, contractors Various protocols HTTPS Secure native protocol 2.5 ID Express - Corporate: complex cases Transfer: New user: Scheduled term: New user: Authorization: Move mailbox, home directory. Invite old, new managers to recertify entitlements. Automatically detect, block accidental rehires. Provide separate reactivate process for allowed returnees. Early warning to manager. Allow manager, HR to defer term date. Disable on term date. Reassign, archive resources (homedir, mail folder). Cleanup accounts, etc. after N days. First login PII acquired during onboarding. Force new users to enroll security questions, set first password. Require user to read, accept AUP before first login. Detect if the requester matches valid authorizers. Route requests back to requester for auto-approval Hitachi ID Systems, Inc. All rights reserved. 5

6 3 Scenarios 3.1 SoR-driven onboarding To automatically create user profiles and login IDs for new users based on a system of record (SoR) such as HR. Batch job reads a list of users from the SoR and accounts from all other systems. Automated logic finds users new to the SoR without profiles or accounts and submits workflow requests to create profiles, accounts. Workflow requests are automatically approved because they originated in the SoR. Connectors run to create IDs, homedir, mailbox. 3.2 Request-driven onboarding To create user profiles based on a web portal request typically for non-employees / contractors. Authorized user signs into request portal, selects onboarding form and fills in the blank. Optionally: selects extra entitlements (roles, groups, accounts). Form becomes a workflow request, which is routed to appropriate people to approve / reject. Approvals process runs. If the request is approved, connectors are run to create IDs, homedir, mailbox. Participants get a notification about how the request was concluded. 3.3 Password initialization and profile completion New users need to set their initial password, enroll security questions and read/accept policy documents. Make this happen without relying on default or guessable initial passwords. Send the user his unique ID either via personal or to manager. Access password reset system from PC login screen. Authenticate using PII and/or sending random PIN via SMS. Prompt user to enroll security questions, select initial password, read/accept AUP. Return user to Windows login screen for first login with his own ID/password Hitachi ID Systems, Inc. All rights reserved. 6

7 3.4 Detecting and blocking re-hires Prevent onboarding processes from creating new profiles for existing or returning users. Retain identity attributes for all users, active or historical. Mark departed users with a "rehire-allowed?" flag and notes. Compare new hire identity attributes to existing users match found? Block onboarding process with error or warning message (based on flag). Alternate request mechanism to reactivate returnees. Alternate request mechanism to onboard users that resemble returnees but are actually new. 3.5 Scheduled deactivation Deactivate all access at scheduled termination date. Send advance warning to enable deferral. Archive and clean up months later. X days before the scheduled deactivation date, send warning to manager. Possible deferral request. On the scheduled date, disable all IDs but make no other changes. Possible reactivation request. Escalate all workflow requests assigned to the user. Y days after deactivation, cleanup: Detach user from org-chart, reassign subordinates. Move account to new OU. Remove all group memberships. Attache new groups (e.g., terminated users). Copy / move / change ownership of homedir and mail folder. Z days after clean-up, delete accounts but retain profile and identity attributes. 3.6 Immediate user deactivation Sometimes termination is immediate (with cause). Same process as scheduled termination but starting with the disable step. Usually request based (can also be SoR/HR based). Normally only IT security can issue this type of request Hitachi ID Systems, Inc. All rights reserved. 7

8 3.7 Approvals workflow Some change requests, even if they originate with an SoR, require approval before they can be safely completed. invitations, authenticated web form approvals. Invite more authorizers than are required to approve a change. Invite all authorizers at once (faster response). Automated reminders if no response. Escalate after too many reminders or if authorizer has set an out-of-office message. Thank you / all done s. Some or all approvers may have veto power. 3.8 Transfer department, location or manager Change department, location or manager. Correctly handle approvals and side-effects. Triggered by request or SoR change. Access controls limit access to request form. Auto-approved or routed for approval based on relationship between requester/recipient and old/new managers. Update department, location, manager attributes on IDM system and targets. Possibly trigger recertification of user. Possibly change OU, move homedir or move mail folder. 3.9 Update contact information Reflect changes to user s personal , phone or mailing address. Initiated via self-service, by HR or from SoR. Attribute validation checks formatting, consistency. Update IDM and account attributes. If overriding data from SoR: IDM needs to temporarily take higher priority than SoR. Revert to SoR having priority when it next changes Hitachi ID Systems, Inc. All rights reserved. 8

9 3.10 Request entitlements using model user Automation from an SoR is usually coarse grained. Users often must request "something extra." Users don t know what to request, but usually know someone who already has it. This mechanism offers assistance without resorting to "clone user." Requester formulates a request by comparing "recipient" and "model" users. Recipient may be the requester (self-service). Access controls limit visibility of both recipients and model users based on their relationship to the requester Requester sees differences and selects some or all to be included in a request. Approvals, fulfillment proceed as with any other request Leave of absence Users sometimes leave for a while (mat leave, extended holiday, etc.). Support both immediate and scheduled LOA and return. Trigger by flag or date range from SoR or request form. Access controls limit who can request this on whose behalf based on requester/recipient relationship. Automatically submit enable/disable workflow requests Name change People sometimes change their name. Update integrated systems and if required change login ID, address, homedir path, etc. Triggered by SoR or request form (limited access) May requires authorization. May cause primary ID / login ID to be recalculated rename operation. May cause address to change retain old address as alias. May cause home directory to be moved. May have to propagate new IDs through workflow queue Hitachi ID Systems, Inc. All rights reserved. 9

10 3.13 Invite users to read/accept new policy documents New policies are published, users need to review/accept. Invite users automatically or web popup at login screen. Track document acceptance by each user. Pace invitations (total/day, frequency/user). Automatically send reminders. Report on progress Assign entitlements based on role Sometimes a role-based access control (RBAC) strategy is appropriate. Most helpful for large groups of users with identical requirements. Define roles as sets of entitlements. Define rules that assign roles based on identity attributes. Periodically: Calculate roles for each user. Predict entitlements for users based on roles. Compare predicted with actual entitlements. Automatically submit workflow requests to make actual match predicted. Activate the enforcement process gradually: Per-user, per-role, per-entitlement Control pace of requests that are automatically submitted to correct entitlements Hitachi ID Systems, Inc. All rights reserved. 10

11 3.15 Resolve Access Denied errors Allow users to navigate directly from an Access Denied error on Windows or SharePoint to a suitable access request form. Intercept access denied error dialogs Shell extension on Windows clients. Extended error page on SharePoint. Provide a link to a suitable request form. IDM system examines resource, offers users alternatives: Group / set of rights / group owner User selects a group, submits a workflow group membership request Recertify users, relationships and entitlements Users accumulate security entitlements over time. Termination processes may not be 100% reliable. The org-chart may not be well maintained. Periodic review and clean-up can address all these issues. Invite managers and resource owners to perform review. One-off / scheduled / event-triggered Review lists and either certify or ask to revoke: Users does this person still work here? Manager has this person been transferred? Roles, accounts, groups entitlement still needed? SoD, RBAC approved exceptions can compliance be restored? Remediation in certification triggers workflow requests Hitachi ID Systems, Inc. All rights reserved. 11

12 3.17 Password expiry early warning Notify users that their password will expire soon. Drive users to a web-based password change/synchronization page. Bulk load expiry data from AD or use last password change date from IDM. Send users invitations prior to expiry or web popup at login. Time invitations to avoid end-of-day, weekend to minimize changed-and-forgotten passwords. Provide a web UI to change multiple passwords: Explain, enforce policy. Show which systems will be affected. Show real-time results. Update cached passwords on the user s PC Transparent password synchronization Help users to minimize the number of passwords they must manage. Reduce problem incidence and consequent IT help desk call volume. Intercept password changes made natively on key systems such as AD. Enforce extra policy to supplement what the trigger system already requires. Propagate new password to all other accounts attached to the user s profile Self-service password reset Assist users who forgot or locked out their password without a help desk call. Expose multiple user interfaces, to make the system readily available: Web browser / PC login screen / pre-boot + telephone call / on-premises / off-site Connect the user to a temporary VPN connection, if off-site. Identify the user (enter ID, , employee number) Authenticate the user (security questions, token, SMS/PIN, voice biometrics). Allow the user to choose a new password. Write new password to target systems (AD, etc.) and update passwords cached on the user s PC Hitachi ID Systems, Inc. All rights reserved. 12

13 3.20 Enroll security questions Prompt users to complete profiles with security questions, mobile phone number. Data can be used to authenticate users who forget their password. Identify users with incomplete profiles. Invite them to enroll: invitations with embedded URL or browser popup at PC login. Limited number sent out per day. Limited frequency per user. Users identify (enter login ID), authenticate (AD password) and fill in a form. 4 Schema 4.1 Identifiers and resources System of record / HR: employee number. Directory / AD: Short ID (samaccountname or similar). Long ID (cn=x, ou=y format). address (first.last.uniq@domain). Configurable logic to formulate unique IDs. Rules tables assign OU, path to homedir, mail volume, etc. based on identity attributes 4.2 User profiles Contact info Work location PII Organization Termination related Leave of absence Assets Home address, phone, mobile, , emergency contact Building, floor, cubicle, phone, SSN/SIN, DoB, D/L, mother s maiden name, etc. User type, status, department, manager Scheduled term date, reason, rehire allowed Flag, start date, end date PC, laptop, software image, phone, badge 2018 Hitachi ID Systems, Inc. All rights reserved. 13

14 5 Deployment and management 5.1 Implementing ID Express Prepare servers (Win2K12, SQL2K12) Install IM, PM software. Configure replication, load balancing. Load configuration of Hitachi ID Identity Express (from XML files). Adjust target systems to actual HR feed, AD domain, etc. Set attribute mappings, validation rules. Review and adjust policy settings. Test use cases: Identify problems, required changes. Remediate. Repeat Subsequent project phases mainly add integrations. 5.2 Rules engines Business logic is mapped to rules tables. Approvals Attributes Lookup tables Match request object against rules. Consider requester, recipient, form ID, operation, attribute ID. Authorizers may be related to requester, recipient. Validation. Reformatting (standardization). Calculation composition or lookup. Organizational unit (directory container). Home directory UNC. Container for mail folder Hitachi ID Systems, Inc. All rights reserved. 14

15 5.3 Expandable platform Organizations should consider starting with Hitachi ID Identity Express, to get quick ROI. Once in production, the system can be expanded: Change Policy Logic: Who can request? Who authorizes? Escalation, delegation? Identity attribute validation? Automated actions? Customize the UI: Installed, Working Identity Management System Add Systems of Record: SAP HR PeopleSoft Lawson Oracle ebiz SQL, CSV Add Target Systems: Corporate branding Pre-defined forms Lotus Notes SAP R/3 PeopleSoft Oracle ebiz zos Unix, Linux Oracle DB Microsoft SQL DB2 / UDB SaaS 6 Demo 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com hitachi-id.com Date: File: PRCS:pres