1 Introduction to Identity Management. 2 Access needs evolve. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Introduction to Identity Management Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications An overview of business drivers and technology solutions. 2 Access needs evolve Digital identities require frequent updates to reflect business changes: Who? (Types of users): Employees, contractors, vendors, partners, customers. Why? (Business events): Hire, move, change job function, terminate. What? (Change types:) Create/move/disable/delete user, update identity data and entitlements, reset passwords. Where? (Applications:) AD, Exchange, Notes, ERP, Linux/Unix, database, mainframe, physical assets. Complexity creates delay and reliability problems: Productivity: Slow onboarding, change fulfillment. Cost: Many FTEs needed to implement security changes. Security: Unreliable access termination, inappropriate user entitlements. Enforce SoD policies. Accountability: Who has access to what? How/when did they get it? 2018 Hitachi ID Systems, Inc. All rights reserved. 1

2 3 IAM in silos In most organizations, many processes affect many applications. This many-to-many relationship creates complexity: 4 Access and credential challenges (1/2) For users How to request a change? Who must approve the change? When will the change be completed? Too many passwords. Too many login prompts. For IT support Onboarding, deactivation across many apps is challenging. More apps all the time! What data is trustworthy and what is obsolete? Not notified of new-hires/terminations on time. Hard to interpret end user requests. Who can request, who should authorize changes? What entitlements are appropriate for each user? The problems increase as scope grows from internal to external Hitachi ID Systems, Inc. All rights reserved. 2

3 5 Access and credential challenges (2/2) For Security / risk / audit Orphan, dormant accounts. Too many people with privileged access. Static admin, service passwords a security risk. Weak password, password-reset processes. Inappropriate, outdated entitlements. Who owns ID X on system Y? Who approved entitlement W on system Z? Limited/unreliable audit logs in apps. For Developers Temporary access (e.g., prod migration). Half the code in every new app is the same: Identify. Authenticate. Authorize. Audit. Manage the above. Mistakes in this infrastructure create security holes. 6 Externalize IAM from application silos The problem with IAM is complexity, due to silos. The obvious solution is to extract IAM functions from system and application silos. A shared infrastructure for managing users, their authentication factors and their security entitlements is the answer Hitachi ID Systems, Inc. All rights reserved. 3

4 7 Integrated IAM processes Business processes IT processes Hire Retire Resign Finish contract New application Retire application Transfer Fire Start contract Password expiry Password reset Identity and Access Management System Operating systems Directory Application Database system ERP Legacy app Mainframe Systems and applications with users, passwords, groups, attributes 8 Business drivers for IAM Security / controls. Regulatory compliance. IT support costs. Service / SLA. Reliable deactivation. Strong authentication. Appropriate security entitlements. PCI-DSS, SOX, HIPAA, EU Privacy Directive, etc. Audit user access rights. Help desk call volume. Time/effort to manage access rights. Faster onboarding. Simpler request / approvals process. Reduce burden of too many login prompts and passwords Hitachi ID Systems, Inc. All rights reserved. 4

5 9 IAM strengthens security Reliable, prompt and complete access deactivation. Robust authentication prior to changes to credentials, access. Policy around: Audit: Password complexity / reuse / expiry. Non-password authentication. Access request approval routing. Segregation of duties. Access review/certification. Shared account password changes. New-user and per-role entitlements. Who has what? Access request/approval/grant history? Regulatory compliance: governance- and privacy-related rules. 10 Cost savings Cost Item Before After Savings Help desk cost of password resets: 10,000 x 3 x $25 = $750,000 / year 10,000 x.6 x $13 = $78,000 / year = $672,000 / year New hire lost productivity 10,000 x 10% x 10 x $400 x 50% = $2M / year 10,000 x 10% x 1 x $400 x 50% = $200,000 / year = $1.8M / year Access change lost productivity 10,000 x 2 x 2 x $400 x 10% = $1.6M / year 10,000 x 2 x 1 x $400 x 10% = $800,000 / year = $800,000 / year 2018 Hitachi ID Systems, Inc. All rights reserved. 5

6 11 Elements of IAM Identity and access management solutions may incorporate many components, from multiple vendors: Privileged Telephone Access User Password Management Provisioning Identity Reset Synchronization Enterprise Role Single Management Signon Resource Password Access Management Requests ID Reconciliation Access Certification Web System of Single Record Signon Federation Directory Strong Virtual Authentication Directory Hitachi ID Systems Partners 12 Summary The problem with managing identities, security entitlements, passwords and related data is a business, not a technology problem: Too many business events, which impact Too many systems and applications. Technology solutions are available to address these problems: Password synchronization and reset Automated user provisioning and deactivation. Identity synchronization. Enforcement of policies using segregation-of-duties and roles. Periodic access review and cleanup (certification). Various kinds of single signon. 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: sales@hitachi-id.com hitachi-id.com Date: File: PRCS:pres