Identity and Access Management

Identity and access management encompasses a number of concepts, including password self-service, user access provisioning and deprovisioning, directory services, single sign-on, role-based and rule-based access control, and federated identity. Each of these components is briefly described below. The chapter then focuses on the components that are most relevant to audit compliance and cost savings.

Password Self-Service
Password self-service is a technical functionality that allows users to reset their own passwords by answering certain personal questions, rather than calling the help desk. The popular password self-service tools integrate with a number of commonly used systems and provide the user a self-registration function. The tool is configured to display a certain number of prewritten personal questions that the user must answer. Most tools offer the option to let users select a subset of the available questions, the ones that are most meaningful to them, and most also allow users to write their own questions.
During self-registration the user enters answers to the questions, which the tool stores for future use. The answers should be stored as salted hashes rather than in clear text, so that a compromise of the tool's database does not hand an attacker every user's reset credentials. When the user later needs to reset a password, the tool randomly selects a specified number of the saved questions and requires the user to answer them. If the answers match those given at registration, the user is allowed to enter and confirm a new password, and the tool sets that new password on every system with which it interfaces. Because answers to personal questions are often discoverable (a birthplace or a mother's maiden name is rarely secret), the tool should require several questions at once, limit failed attempts, and notify the user when a reset occurs.
Most users can reset a password faster than they can reach a help desk representative, and because password resets tend to be the single most frequent reason users call the help desk, reducing password-related calls can produce a significant saving in help desk staff. Password self-service offers the added benefit of synchronizing a user's password across multiple systems. This lets users reach more systems with one password, reducing the likelihood that they will write passwords down or choose easily guessed ones. The trade-off is that one compromised password now opens every synchronized system, so the password policy and the protection of the reset channel must be correspondingly stronger.
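The registration and challenge flow described above, as an added example that is not code from the original page or from any of the self-service products it refers to. It assumes a tool that stores answers only as salted slow hashes, normalises answers before hashing so that "New York" and " new  york" match, challenges with a random subset of the enrolled questions, accepts each challenge only once, and locks self-service after a bounded number of failures. The users, questions and answers are constructed for the example.

```python
"""Password self-service: enrolling and verifying security-question answers.

Added example (not the page's or any vendor's code). Assumptions: answers are
stored as per-answer salted PBKDF2 hashes, normalised before hashing, a
challenge is a random subset of enrolled questions that can be answered only
once, and the user is locked out after MAX_FAILURES bad challenges.
"""
import hashlib
import hmac
import os
import secrets
import unicodedata

PBKDF2_ROUNDS = 100_000   # slow hash: stolen answer hashes should resist guessing
MAX_FAILURES = 3          # failures before self-service locks for this user


def normalize(answer: str) -> str:
    """Canonical form of an answer: NFKC, trimmed, single-spaced, case-folded."""
    return " ".join(unicodedata.normalize("NFKC", answer).split()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class SelfServiceEnrollment:
    """One user's enrolled questions. Plaintext answers are never retained."""

    def __init__(self, user: str, answers: dict):
        self.user = user
        self.failures = 0
        self.locked = False
        self.pending = None               # questions of the outstanding challenge
        self._rng = secrets.SystemRandom()
        self.enrolled = {}
        for question, answer in answers.items():
            salt = os.urandom(16)         # per-answer salt defeats precomputed tables
            self.enrolled[question] = (salt, hash_answer(answer, salt))

    def challenge(self, n: int) -> list:
        """Pick n enrolled questions at random and remember which were asked."""
        self.pending = self._rng.sample(list(self.enrolled), n)
        return list(self.pending)

    def verify(self, responses: dict) -> bool:
        """True only if every question of the current challenge is answered correctly."""
        if self.locked or self.pending is None:
            return False
        asked, self.pending = self.pending, None   # a challenge is answerable once
        ok = set(responses) == set(asked)           # no cherry-picking an easier question
        for question in asked:
            salt, expected = self.enrolled[question]
            given = responses.get(question, "")
            # check every answer, in constant time, so timing does not reveal
            # which one was wrong
            ok &= hmac.compare_digest(hash_answer(given, salt), expected)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return ok


if __name__ == "__main__":
    # constructed sample enrollment
    alice = SelfServiceEnrollment("alice", {
        "City of birth?": "New York", "First pet?": "Rex", "First school?": "Lincoln"})
    asked = alice.challenge(2)
    print("asked:", asked)
    print("reset allowed:", alice.verify({q: "wrong" for q in asked}))
```

The two design points worth copying are that a challenge is consumed whether or not it succeeds, so an attacker cannot keep re-answering until the easiest question comes up, and that all asked answers are hashed and compared even after one fails, so response time does not reveal which answer was wrong.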

User Access Provisioning and Deprovisioning
User access provisioning and deprovisioning can be accomplished through a technical functionality whereby user IDs are created and permissions are granted automatically by a system, rather than by a person. Implementing and configuring a user provisioning tool is highly complex, but if it is done correctly it results in near-instantaneous provisioning (and deprovisioning) of user access. There are a number of advantages to implementing such a tool:
§  Users receive their access immediately, avoiding the need or inclination to share accounts with others while they wait.
§  Access is granted consistently, exactly as configured, every time, reducing user complaints about incorrect implementation and eliminating audit findings about extraneous access that was inadvertently granted.
§  Access is granted uniformly to specified groups of people, simplifying audit reviews.
§  The tool knows what access a user has, so terminations can be executed completely and accurately.
§  Most tools come with a built-in or associated workflow module that allows users to submit requests; requests for preapproved access are provisioned automatically, and any other request is routed to an approver and provisioned automatically once approved.
§  Automating a portion of user provisioning and deprovisioning can reduce the user administration staff, resulting in a head-count saving.
There are also a number of challenges in implementing a provisioning tool, including:
§  Not all tools can both provision and deprovision. Some tools can only create a user ID, and perhaps partially provision it; much of the provisioning process, and therefore the deprovisioning process, may remain manual. It is helpful to estimate how many times a person's access is expected to change in your organization over the course of an average career. Then consider that an ID is created only once on each system. If the average number of expected changes is just five (and it will be more at most companies), and provisioning an ID is much more time consuming than creating it, a tool that can only create IDs adds very little value.
§  None of the current tools on the market is compatible with every system; that is impossible. The top vendors do their best to interface "out of the box" with the major systems in the marketplace, such as Windows, various versions of UNIX and Linux, certain mainframes, Oracle/PeopleSoft, SAP, the top directory vendors, and so on. Most vendors provide software development kits (SDKs), application programming interfaces (APIs), or similar functionality that let you build custom interfaces to systems they do not support directly. If your company has many home-grown or legacy applications, you may end up doing a lot of development work, or paying the vendor's professional services at a high cost, to build all of the necessary interfaces.
§  Many of the tools are still agent based to some degree. "Agent based" means that an agent (a piece of code) resides on the target system; the tool talks to that agent, which executes commands on the target. "Agentless" means that the tool talks to the target directly through a protocol the target already supports, with no installed agent. Many tools are still at least partially agent based and some are entirely so. If yours is a large and dynamic company, an agent-based solution can be difficult to implement: you must deploy an agent to each of hundreds or thousands of devices, first testing that it does not interfere with their operation, and each time you upgrade a device you must confirm that the agent remains compatible. This must be weighed against a potential loss of functionality with a comparable agentless tool; in some cases agentless tools cannot provision to the level of detail that an agent-based tool can, although that is not true of all tools. Finally, some vendors charge on a per-agent or per-seat basis, which adds administrative complexity and fluctuating costs through the licensing true-up process.
§  Provisioning tools rely on an accurate system of record. Whether this is your Human Resources (HR) system directly or a directory that pulls data from HR, if key user data is not available to the tool, it will not function.
§  Provisioning tools are only as good as the instructions they execute. Interfacing with target systems is only half the problem. Even if the tool can communicate with all of your key systems, it still needs to know what to "say" to them. Some vendors have come up with clever tools and processes to help you determine more quickly what access everyone needs so that you can load that information into the tool. But at the end of the day the tool does what it is told and has no way of validating the access data you have entered. If the access instructions are wrong, outdated, or not sufficiently granular, the tool will diligently grant all of your users the wrong permissions.
§  Not all provisioning tools can do introspection or reconciliation. Introspection is the tool's ability to "look" at an existing target system and determine which users currently exist there and what access they have been assigned. Reconciliation is the tool's ability to compare what exists on the target with what should exist according to its access programming, and do something about the differences: produce reports, override the discrepancies on the target, incorporate them from the target into the tool's model, or trigger approval workflows to validate them before they are incorporated or overridden. Introspection and reconciliation are critical when a new system is brought under the tool's management, because they let you ensure that the system is "clean" from an access perspective and can be managed accurately going forward. A tool that cannot help with these activities may prevent additional violations, but you may be stuck manually cleaning up potentially thousands of existing users to reach a clean state.
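The reconciliation step described in the last bullet, as an added example that is not code from the original page or from any vendor's tool. It assumes three inputs: the entitlements the tool has been told each user should have, a snapshot "introspected" from the target system (the accounts and entitlements that actually exist there), and the user's status in the HR system of record. It also assumes a policy that lets the tool fix discrepancies on its own only for a short list of low-risk entitlements and routes everything else to an approver; accounts that HR does not know about are disabled rather than silently incorporated into the model. The users and entitlements below are constructed.

```python
"""Introspection and reconciliation of a target system against the role model.

Added example (not the page's or any product's code). Assumptions: EXPECTED is
the tool's access programming, INTROSPECTED is what was read from the target,
HR_STATUS is the system of record, and only entitlements in AUTO_FIX may be
granted or revoked without an approver.
"""
from dataclasses import dataclass

# Entitlements the tool may grant or revoke on its own. Anything else only
# raises a review item for an approver. Constructed for the example.
AUTO_FIX = {"vpn", "email", "timesheet"}


@dataclass(frozen=True)
class Action:
    kind: str               # "disable", "grant", "revoke" or "review"
    user: str
    entitlement: str = ""
    reason: str = ""


def _fix_or_review(kind: str, user: str, ent: str, reason: str) -> Action:
    """Automate the fix only for low-risk entitlements; otherwise ask a human."""
    return Action(kind if ent in AUTO_FIX else "review", user, ent, reason)


def reconcile(expected: dict, actual: dict, hr_status: dict) -> list:
    """Compare the target's real state with what the system of record says.

    expected:  {user: set(entitlements)} per the tool's access programming
    actual:    {user: set(entitlements)} introspected from the target system
    hr_status: {user: "active" | "terminated"}; users absent from HR are orphans
    Returns actions in a deterministic order so reports are diffable.
    """
    actions = []
    for user in sorted(actual):
        status = hr_status.get(user)
        if status != "active":
            # Orphan or terminated: disable the whole account. Never "learn" an
            # unknown account into the authoritative model.
            reason = "not in system of record" if status is None else "terminated in HR"
            actions.append(Action("disable", user, reason=reason))
            continue
        have, want = actual[user], expected.get(user, set())
        for ent in sorted(have - want):
            actions.append(_fix_or_review("revoke", user, ent, "extraneous access not in role model"))
        for ent in sorted(want - have):
            actions.append(_fix_or_review("grant", user, ent, "missing per role model"))
    # Active users the role model knows about but the target has never seen.
    for user in sorted(set(expected) - set(actual)):
        if hr_status.get(user) == "active":
            for ent in sorted(expected[user]):
                actions.append(_fix_or_review("grant", user, ent, "account absent from target"))
    return actions


# Constructed sample data for one target system.
EXPECTED = {
    "alice": {"vpn", "email"},
    "bob": {"vpn", "email", "payroll_admin"},
    "dave": {"email"},
}
INTROSPECTED = {
    "alice": {"vpn", "email", "db_admin"},   # extraneous sensitive access
    "bob": {"vpn", "email"},                 # missing a sensitive entitlement
    "carol": {"vpn"},                        # terminated in HR, still has an account
    "eve": {"email"},                        # unknown to HR: orphan account
}
HR_STATUS = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}


def run_example() -> list:
    return reconcile(EXPECTED, INTROSPECTED, HR_STATUS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.kind:8} {a.user:6} {a.entitlement:14} {a.reason}")
```

Note that the only fully automatic actions here are the two disables and the grant of "email"; both sensitive discrepancies become review items, which is the "trigger approval workflows to validate the discrepancies" option from the text rather than the "override" option.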
In a perfect world, your provisioning tool will integrate with all of your platforms and applications, and it will accurately and granularly provision and deprovision users on a nearly instantaneous basis. You can then redeploy almost all of your user administrators, leaving just a few to maintain the access permission data so that it stays accurate over time. Auditing of user access will be a snap: with the press of a few buttons you will generate reams of reports showing the auditors that everything is in perfect order, that everyone has "least privilege" access, that transferred users have all been accounted for and verified, and that all terminated users have had their access revoked.
In the real world, your provisioning tool will:
§  Integrate with a hopefully not too small subset of your platforms and applications out of the box
§  Help you clean up existing user records through introspection and reconciliation
§  Provision and deprovision accounts to a reasonable level of granularity
Some manual intervention will remain, which reduces the number of user administrators you can redeploy and means your audit reports will not be perfect. You will also face months' or years' worth of development (or the vendor's professional services) to build additional interfaces, and some may never be worth building. Nevertheless, even partial automation can be a tremendous help in reducing your administrative costs, facilitating your audits, and making your user community happier.

Directory Services
Much of identity and access management involves creating and maintaining a repository of users and their attributes, such as position, job function, password self-service data, and so on. These attributes are most commonly stored in one or more directories. The directory architecture must establish a clear hierarchy and an authoritative source for each attribute, so that data flows from the system of record (typically HR) into the directory and from there to consuming systems, never the other way around. Because authentication and authorization in an identity and access management solution depend on the integrity and availability of the directories, the architecture must protect both: restrict and log writes to the directory, and replicate it so that a single outage does not lock everyone out.

Single Sign-On
Single sign-on is a technical functionality that allows a user to move from system to system or application to application without re-entering authentication credentials every time. There are several ways to implement it. Two common ones are to rely on the directory, consulting it for every authentication decision, or to deploy an authentication system such as Kerberos, in which the user authenticates once and presents tickets to each service. Single sign-on has audit and security implications if it is implemented insecurely: a compromised password or credential equates to a breach of every system or application the user is authorized to access, so the single credential should be protected by multi-factor authentication, sessions should expire, and termination must revoke the central session, not just individual accounts. If adequate controls are in place, single sign-on has no adverse audit impact, but it also yields little hard cost benefit to the organization. The perceived benefit to users, however, is enormous. Users will be thrilled not to type their password all the time or remember multiple passwords, and they will view this as a significant time saving (a soft benefit).

Role-Based and Rule-Based Access Controls
Role-based and rule-based access controls are procedural concepts at the core of identity and access management; without their definitions, any provisioning tool you implement will be useless. Role-based access control is the concept that all users with the same job function have the same system access, and users with different job functions have different system access. Access roles tend to be fixed and apply consistently to everyone within a particular job function. Rule-based access control is the concept that users with certain attributes are allowed or denied certain system access. Access rules tend to be dynamic and are applied circumstantially, for example based on location, time of day, other privileges already assigned, seniority, completion of certain training, or other criteria.
Especially at large companies with many individuals in specialized functions, it is impractical to formulate roles for 100 percent of the company. The goal of role basing is to create generalizations that make users easier to manage. However, some large companies find that they end up with as many roles as users, or more, which is clearly counter-productive. Role basing should therefore be done pragmatically. The 80/20 rule applies well here: define the most common 80 percent of what people need as access roles to facilitate user provisioning and audit validation, and handle the remaining 20 percent with access rules or an approval workflow.
Once established, access roles and rules make the lives of your user administrators much easier, enable you to implement an automated provisioning solution effectively, and make it easier to generate clean user reports for your auditors. However, establishing the roles and rules is an enormously painstaking and largely manual process, and you can expect a multi-person team to take months to complete it.
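The interplay of roles, rules and the approval workflow described above, as an added example that is not code from the original page or from any provisioning product. It assumes a role catalogue keyed by job function (the fixed 80 percent), a short list of rules that grant or deny entitlements from user attributes and context (the dynamic part), that a deny from any rule beats a grant from any role or rule, and that a request for anything not settled by roles or rules goes to an approval workflow rather than being granted. The roles, rules, users and context values are constructed.

```python
"""Role-based plus rule-based access: a user's effective entitlements.

Added example (not the page's or any product's code). Assumptions: ROLES is
the fixed per-job-function catalogue, RULES apply from attributes and context,
deny beats grant, and uncovered requests go to a workflow.
"""
from dataclasses import dataclass, field
from datetime import time

# Role catalogue: job function -> entitlements everyone in that function gets.
ROLES = {
    "accounts_payable_clerk": {"email", "timesheet", "erp_ap_entry"},
    "accounts_payable_manager": {"email", "timesheet", "erp_ap_approve"},
    "contractor_developer": {"email", "source_control"},
}


@dataclass
class User:
    uid: str
    job_function: str
    location: str
    employee_type: str                       # "employee" or "contractor"
    training_completed: set = field(default_factory=set)
    seniority_years: int = 0


@dataclass
class Rule:
    """condition(user, context, role_entitlements) -> bool; grant/deny apply when true."""
    name: str
    condition: object
    grant: set = field(default_factory=set)
    deny: set = field(default_factory=set)


RULES = [
    Rule("pii_requires_privacy_training",           # completion of training
         lambda u, c, r: "privacy" not in u.training_completed, deny={"customer_pii"}),
    Rule("offshore_no_erp",                         # location
         lambda u, c, r: u.location not in {"US", "EU"}, deny={"erp_ap_entry", "erp_ap_approve"}),
    Rule("contractors_cannot_approve",              # employment attribute
         lambda u, c, r: u.employee_type == "contractor", deny={"erp_ap_approve"}),
    Rule("business_hours_only",                     # time of day
         lambda u, c, r: not time(7) <= c["now"] < time(19), deny={"erp_ap_entry", "erp_ap_approve"}),
    Rule("separation_of_duties",                    # other privileges already assigned
         lambda u, c, r: "erp_ap_approve" in r, deny={"erp_ap_entry"}),
    Rule("senior_staff_reporting",                  # seniority
         lambda u, c, r: u.seniority_years >= 5, grant={"erp_reports"}),
]


def effective_access(user: User, context: dict):
    """Return (granted, denied). granted is the effective entitlement set;
    denied maps an entitlement to the first rule that blocked it."""
    from_roles = set(ROLES.get(user.job_function, set()))
    granted, denied = set(from_roles), {}
    for rule in RULES:
        if rule.condition(user, context, from_roles):
            granted |= rule.grant
            for ent in rule.deny:
                denied.setdefault(ent, rule.name)
    return granted - set(denied), denied        # deny always wins


def request_access(user: User, entitlement: str, context: dict) -> str:
    """Workflow decision for a request: preapproved by role, denied by rule, or
    routed to an approver (the 20 percent the role model does not cover)."""
    granted, denied = effective_access(user, context)
    if entitlement in granted:
        return "preapproved"
    if entitlement in denied:
        return "denied:" + denied[entitlement]
    return "workflow"


if __name__ == "__main__":
    # constructed users and context
    carol = User("carol", "accounts_payable_manager", "EU", "employee", {"privacy"}, 10)
    print(effective_access(carol, {"now": time(10)}))
    print(request_access(carol, "erp_ap_entry", {"now": time(10)}))
```

The separation-of-duties rule is evaluated against the role set rather than the already-filtered set, so a manager who is temporarily blocked from approving by the business-hours rule still cannot obtain entry rights; evaluating it on the filtered set would open exactly that loophole.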

Federated Identity
Federated identity is the set of technologies and processes that enables a user to log in to the systems of multiple companies or entities with one identity. Think of it as a sort of global single sign-on. At the core of the federated identity model is a trust relationship: the user authenticates once at his or her home organization's identity provider, which issues a signed assertion of who the user is (using a standard protocol such as SAML or OpenID Connect), and the partner's system accepts that assertion and maps it to the appropriate local account. The user's password is never presented to the partner; the home directory remains the single source of the identity. Clearly, this requires interorganizational interoperability, and today that is still a tall order. However, as more and more systems adopt industry standard protocols, federated identity becomes increasingly manageable to implement.
Common uses for federated identity include:
§  Employee benefits: Employees can use their company network IDs and passwords to access health insurance, retirement, and other benefits, even though the benefits information is maintained by the individual providers on their own Web sites.
§  Government interagency communications: Most governments have numerous disparate agencies that provide services to their citizens. Citizens will make much more use of the online services offered by these agencies if one ID and password gives them access to all of them, which in turn reduces operating costs for the corresponding agencies.
§  Electronic commerce: Many large retailers and manufacturers have hundreds or even thousands of suppliers and other business partners. Standardizing authentication between them would facilitate electronic commerce substantially.
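The assertion exchange at the heart of the model above, as an added example that is not code from the original page or from any federation product. It models an identity token in the JWT shape that OpenID Connect uses (header.payload.signature) and the checks a relying party must make before trusting it: signature, issuer, audience, expiry and nonce. To run on the standard library alone it signs with HMAC-SHA256 over a shared secret; a production identity provider signs with its private key and partners verify with its published public key. The issuer, partner names, user, password and key are constructed.

```python
"""Federated login: the home identity provider authenticates the user and
issues a signed assertion; the partner verifies it and never sees the password.

Added example (not the page's or any product's code). Assumptions: JWT-shaped
token, HS256 over a shared secret standing in for the IdP's signing key, and a
relying party that knows the issuer, its own audience name and the nonce it
sent with the login request.
"""
import base64
import hashlib
import hmac
import json
import os


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The employer's IdP: the only place the password (hash) lives."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key
        self._users = {}

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def issue_token(self, username: str, audience: str, nonce: str, now: int, ttl: int = 300) -> str:
        """Assertion for one partner (aud) and one login attempt (nonce)."""
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "nonce": nonce}
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                         b64url(json.dumps(claims, separators=(",", ":")).encode()))
        sig = hmac.new(self.signing_key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)


def verify_token(token: str, key: bytes, expected_issuer: str, expected_audience: str,
                 expected_nonce: str, now: int):
    """Relying-party checks. Returns (claims, None) on success or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None, "malformed"
    # Pin the algorithm: the token must not tell the verifier how to verify it.
    if header.get("alg") != "HS256":
        return None, "unexpected_alg"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return None, "bad_signature"          # checked before trusting any claim
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        return None, "wrong_issuer"
    if claims.get("aud") != expected_audience:
        return None, "wrong_audience"         # token minted for a different partner
    if now >= claims.get("exp", 0):
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce_mismatch"         # replay of an earlier login
    return claims, None


if __name__ == "__main__":
    # constructed sample federation: employer IdP and a benefits provider
    key = os.urandom(32)
    idp = IdentityProvider("https://idp.example-corp.test", key)
    idp.enroll("alice", "correct horse battery")
    if idp.authenticate("alice", "correct horse battery"):
        tok = idp.issue_token("alice", "benefits-portal", "nonce-1", now=1_700_000_000)
        print(verify_token(tok, key, "https://idp.example-corp.test", "benefits-portal", "nonce-1", 1_700_000_100))
```

The audience check is what stops a partner from replaying a token it received against a different partner, and the nonce ties the assertion to the login request that asked for it; both are frequently omitted by hand-rolled verifiers.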
