Identity and Access Management

Identity and access management encompasses a number of concepts, including password self-service, user access provisioning and deprovisioning, directory services, single sign-on, role-based and rule-based access control, and federated identity. Each of these components is briefly described below. This chapter then focuses on the components that are most relevant to audit compliance and cost savings.

Password Self-Service
Password self-service is a technical function that allows users to reset their own passwords by answering certain personal questions, rather than calling the help desk. The popular password self-service tools integrate with a number of commonly used systems and provide the user with a self-registration function. The tool is configured to display a certain number of prewritten personal questions that the user must answer. Most tools offer the option to let users select a subset of the available questions (the ones most meaningful to them), and most also let users create their own questions.
During self-registration, the user enters answers to the questions, and the answers are stored securely for future use. When the user needs to reset his or her password, the tool randomly selects a specified number of the saved questions and requires the user to answer them. If the answers match those given at registration, the user is allowed to enter and confirm a new password. The tool then automatically sets that new password for the user on every system with which it interfaces.
Most users can reset their password faster than they can reach a help desk representative. Because password resets tend to be the single most frequent reason users call the help desk, reducing the number of password-related calls can yield significant savings in help desk staffing. Password self-service offers the added benefit of synchronizing a user's password across multiple systems. This lets users access more systems with a single password, reducing the likelihood that they will write passwords down or choose easily guessed ones.
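As an added illustration (not code from the book or any vendor's product), the core of such a tool in Python: answers are stored as salted hashes, a random subset of the registered questions is selected for each reset, and every answer must match before the new password is pushed to each connected system. The question bank and the system connectors are constructed stand-ins.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed question bank; a real tool ships its own prewritten list.
QUESTION_BANK = {
    "q1": "What was the name of your first pet?",
    "q2": "In what city were you born?",
    "q3": "What was the make of your first car?",
    "q4": "What is your mother's maiden name?",
}
MIN_REGISTERED = 3    # questions a user must register
QUESTIONS_TO_ASK = 2  # saved questions selected at random for a reset


def normalize(answer: str) -> str:
    """Fold case, whitespace and Unicode form so "Fluffy " and "fluffy" agree."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored as salted PBKDF2 digests, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


def register(chosen: dict) -> dict:
    """Self-registration: the user picks a subset of the bank and supplies answers.
    Returns the record the tool stores: question id -> (salt, digest)."""
    if len(chosen) < MIN_REGISTERED:
        raise ValueError(f"register at least {MIN_REGISTERED} questions")
    record = {}
    for qid, answer in chosen.items():
        if qid not in QUESTION_BANK:
            raise ValueError(f"unknown question {qid}")
        salt = os.urandom(16)
        record[qid] = (salt, hash_answer(answer, salt))
    return record


def challenge(record: dict, rng=secrets.SystemRandom()) -> list:
    """Reset step 1: choose which of the saved questions to ask this time."""
    return rng.sample(sorted(record), QUESTIONS_TO_ASK)


def verify(record: dict, asked: list, answers: dict) -> bool:
    """Reset step 2: every asked question must be answered correctly.
    All answers are checked in constant time; no early exit on the first miss."""
    ok = True
    for qid in asked:
        salt, stored = record[qid]
        supplied = hash_answer(answers.get(qid, ""), salt)
        ok &= hmac.compare_digest(stored, supplied)
    return ok


def reset_password(record: dict, asked: list, answers: dict,
                   new_password: str, connectors: dict) -> bool:
    """Reset step 3: on success, set the new password on every connected system.
    `connectors` maps a system name to a setter callable (constructed stand-in
    for the tool's real interfaces)."""
    if not verify(record, asked, answers):
        return False
    for setter in connectors.values():
        setter(new_password)
    return True
```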

User Access Provisioning and Deprovisioning
User access provisioning and deprovisioning can be accomplished through a technical function whereby user IDs are created and permissions are granted automatically by a system, rather than by a person. Implementing and configuring a user provisioning tool is highly complex, but if it is done correctly it results in near-instantaneous provisioning (and deprovisioning) of user access. There are a number of advantages to implementing such a tool:
§  Users receive their access immediately, avoiding the need or inclination to share accounts with others while they wait.
§  Access is granted accurately every time, reducing the number of user complaints about incorrect implementation and eliminating audit findings about extraneous access that may have been inadvertently granted.
§  Access is granted uniformly to specified groups of people, simplifying audit reviews.
§  The tool can determine what access a user has, ensuring that terminations can be executed completely and accurately.
§  Most tools come with a built-in or associated workflow module that allows users to submit requests; requests for preapproved access are provisioned automatically. If the request is not preapproved, it can be routed automatically to an approver and, upon approval, provisioned automatically.
§  Automating a portion of user provisioning and deprovisioning can help reduce the user administration staff, resulting in a head-count savings.
There are also a number of challenges in implementing a provisioning tool, including:
§  Not all tools can provision or deprovision. Some tools can only create a user ID, and perhaps partially provision it. Much of the provisioning process, and therefore the deprovisioning process, may remain manual. It is helpful to estimate how many times a person's access is expected to change in your organization over the course of an average career. Then consider that an ID is created only once on each system. If the average number of expected changes is just five (and it will be more at most companies), and you consider that provisioning an ID is much more time consuming than creating it, a tool that can only create IDs adds very little value.
§  None of the current tools on the market is compatible with every system; that would be impossible. The top vendors do their best to interface "out of the box" with the major systems used in the marketplace, such as Windows, various versions of UNIX and Linux, certain mainframes, Oracle/PeopleSoft, SAP, the top directory vendors, and so on. Most vendors provide software development kits (SDKs), application programming interfaces (APIs), or similar functionality that lets you build custom interfaces to systems they do not support directly. If your company has many home-grown or legacy applications, you may end up doing a great deal of development work, or employing the provisioning tool vendor's professional services at high cost, to build all of the necessary interfaces.
§  Many of the tools are still agent based to some degree. Provisioning tools today can be agent based or agentless. "Agent based" means that an agent (a piece of code) resides on the target system; the tool interacts with that agent, which then executes commands on the target. "Agentless" means that the tool interacts directly with the target system through a compatible protocol, with no installed agent. Many tools are still at least partially agent based, and some are as yet entirely agent based. If yours is a large and dynamic company, you may find an agent-based solution difficult to implement. Consider that you would need to deploy an agent to each of your hundreds or thousands of devices, first testing that the agent does not interfere with their operation, and that each time you upgrade a device you will need to ensure that the agent remains compatible. This must be weighed against a potential loss in functionality with a comparable agentless tool: in some cases, agentless tools cannot provision to the level of detail that an agent-based tool can, although that is not true of all tools. Finally, some provisioning vendors charge on a per-agent or per-seat basis, which adds administrative complexity and fluctuating costs due to the licensing true-up process.
§  Provisioning tools rely on an accurate system of record. Whether this is your Human Resources (HR) system directly or a directory that pulls data from HR, if key user data is not available to the tool, it will not function.
§  Provisioning tools are only as good as the access information they act on. Interfacing with target systems is only half the problem. Even if you can get the provisioning tool to communicate with all of your key systems, it still needs to know what to "say" to those systems. Some provisioning tool vendors have come up with clever tools and processes to help you determine more quickly what access everyone needs, so that you can enter that information into the tool and get it working. At the end of the day, though, the tool does what it is told and has no way of validating the accuracy of the access data you have entered. If you code the wrong access instructions into the tool, or the instructions are outdated or not sufficiently granular, the tool will diligently grant all of your users the wrong permissions.
§  Not all provisioning tools can do introspection or reconciliation. Introspection is the tool's ability to "look" at an existing target system and determine which users currently exist on that system and what access they have been assigned. Reconciliation is the tool's ability to compare what exists on the target system with what should exist according to its access programming, and to do something about the differences: creating reports, overriding the discrepancies on the target system, incorporating the discrepancies from the target system into the tool, or triggering approval workflows to validate the discrepancies before they are incorporated or overridden. Introspection and reconciliation are critical when a new system is brought under the management of a provisioning tool, because they enable you to ensure that the system is "clean" from an access perspective and can therefore be managed accurately going forward. If the tool cannot help you with these activities, it may prevent additional violations from occurring, but you may be stuck manually cleaning up potentially thousands of existing users to reach a clean state.
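To make introspection and reconciliation concrete, here is an added example (not from the book or any vendor's tool) that compares what introspection found on two targets with what the tool's access programming says should be there, and decides whether each discrepancy is overridden automatically or sent to an approval workflow. All user names, groups and systems are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed "access programming": per target system, the access each user
# should have according to the provisioning tool's rules.
INTENDED = {
    "ad":  {"alice": {"Domain Users", "Finance-RO"},
            "bob":   {"Domain Users", "Finance-RW"}},
    "sap": {"alice": {"FI_DISPLAY"},
            "bob":   {"FI_POST"}},
}

# Constructed introspection result: what the targets actually contain.
ACTUAL = {
    "ad":  {"alice": {"Domain Users", "Finance-RO", "Domain Admins"},
            "bob":   {"Domain Users"},        # Finance-RW never got granted
            "carol": {"Domain Users"}},       # not in the system of record
    "sap": {"alice": {"FI_DISPLAY"},
            "bob":   {"FI_POST", "FI_DISPLAY"}},
}

# Entitlements too sensitive to override silently; discrepancies in them are
# routed to an approver (assumption: a real tool would hold this as policy).
SENSITIVE = {"ad": {"Domain Admins"}}


@dataclass
class Finding:
    system: str
    user: str
    kind: str                   # "orphan", "missing" or "extraneous"
    entitlement: Optional[str]  # None for an orphan account
    action: str                 # "grant", "revoke" or "workflow"


def reconcile(intended: dict, actual: dict, sensitive: dict) -> list:
    """Compare target state with intended state and decide on each difference."""
    findings = []
    for system in sorted(set(intended) | set(actual)):
        want = intended.get(system, {})
        have = actual.get(system, {})
        for user in sorted(set(want) | set(have)):
            if user not in want:
                # An account the system of record knows nothing about: a human
                # decides whether it is a stale ID to disable or one to incorporate.
                findings.append(Finding(system, user, "orphan", None, "workflow"))
                continue
            held = have.get(user, set())
            for ent in sorted(want[user] - held):
                findings.append(Finding(system, user, "missing", ent, "grant"))
            for ent in sorted(held - want[user]):
                hot = ent in sensitive.get(system, set())
                findings.append(Finding(system, user, "extraneous", ent,
                                        "workflow" if hot else "revoke"))
    return findings


def report(findings: list) -> str:
    """Plain-text report of the kind the tool would hand to the auditors."""
    rows = [f"{f.system:<4} {f.user:<6} {f.kind:<10} "
            f"{f.entitlement or '-':<14} -> {f.action}" for f in findings]
    return "\n".join(rows) if rows else "target is clean"
```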

Directory Services
Much of identity and access management involves creating and maintaining a repository of users and their various attributes, such as position, job function, password self-service information, and so on. These attributes are most commonly stored in one or more directories. The directory structure must be architected so that there is a clear hierarchy of information that flows in the right direction. Because authentication and authorization in an identity and access management solution depend on the integrity and availability of the directories, it is imperative that the architecture account for both.

Single Sign-On
Single sign-on is a technical function that allows a user to move from system to system or application to application without re-entering authentication credentials every time. There are several ways to implement it. Two common approaches are to rely heavily on the directory, constantly referring to it for authentication information, or to implement an authentication system such as Kerberos. Single sign-on has audit and security implications if it is implemented insecurely: a compromised password or credential equates to a breach of every system or application the user is authorized to access. If adequate security controls are implemented in the single sign-on solution, there will be no audit impact, but also no hard cost benefit to the organization. There will, however, be an enormous perceived benefit for users. Users will be thrilled not to type in their password all the time or remember multiple passwords, and they will view this as a significant time savings (i.e., a soft benefit).

Role-Based and Rule-Based Access Controls
Role-based and rule-based access controls are procedural concepts at the core of identity and access management; without their definitions, any provisioning tool you implement will be useless. Role-based access control is the concept that all users with the same job function have the same system access, and users with different job functions have different system access. Access roles tend to be fixed and apply consistently to everyone within a particular job function. Rule-based access control is the concept that users with certain attributes are allowed or denied certain system access. Access rules tend to be dynamic and are applied circumstantially, for example based on location, time of day, other privileges assigned, seniority, completion of certain training, or other criteria.
Especially at large companies with many individuals in specialized functions, it is impractical to formulate roles that cover 100 percent of the company. The goal of role basing is to create generalizations that make managing users easier. In executing it, however, some large companies find that they end up with as many roles as, or more roles than, they have users, which is clearly counterproductive. Role basing, like anything else, should therefore be done pragmatically. The 80/20 rule applies well here: define the most common 80 percent of what people need as access roles to facilitate user provisioning and audit validation, and handle the remaining 20 percent with access rules or an approval workflow.
Once established, access roles and rules will make the lives of your user administrators much easier and will enable you to implement an automated provisioning solution effectively. They will also make it easier to generate clean user reports for your auditors. However, establishing the roles and rules is an enormously painstaking and largely manual process, and you can expect a multi-person team to take months to complete it.
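An added example (not from the book) of how roles and rules combine to yield a user's effective access, following the 80/20 split described above: fixed roles cover the common case, rules apply circumstantial conditions such as location, time of day, seniority and training, and an approved-exception list stands in for the approval workflow. Role names, entitlements and rule criteria are constructed.

```python
from datetime import datetime, time

# Constructed roles: fixed access tied to a job function (the "80 percent").
ROLES = {
    "accounts_payable": {"ERP:AP_ENTRY", "ERP:VENDOR_VIEW", "FILESHARE:Finance-RO"},
    "ap_supervisor":    {"ERP:AP_ENTRY", "ERP:AP_APPROVE", "ERP:VENDOR_VIEW",
                         "FILESHARE:Finance-RW"},
}


# Constructed rules: each returns (grants, denies) for a user in a context.
def rule_wire_release(user: dict, ctx: dict) -> tuple:
    """Wire release requires completed training and an on-site session."""
    if "wire_training" in user["training"] and ctx["location"] == "office":
        return {"ERP:WIRE_RELEASE"}, set()
    return set(), {"ERP:WIRE_RELEASE"}


def rule_after_hours(user: dict, ctx: dict) -> tuple:
    """Outside 07:00-19:00 only senior staff keep approval rights."""
    in_hours = time(7, 0) <= ctx["now"].time() <= time(19, 0)
    if not in_hours and user["seniority_years"] < 5:
        return set(), {"ERP:AP_APPROVE"}
    return set(), set()


RULES = [rule_wire_release, rule_after_hours]


def effective_access(user: dict, ctx: dict, roles=ROLES, rules=RULES) -> set:
    """Role grants + rule grants + approved exceptions, minus rule denies."""
    granted = set()
    for role in user["roles"]:
        granted |= roles[role]
    # The "20 percent": access granted individually through an approval workflow.
    granted |= set(user.get("approved_exceptions", ()))
    denied = set()
    for rule in rules:
        g, d = rule(user, ctx)
        granted |= g
        denied |= d
    return granted - denied   # an explicit deny always wins


def explain(user: dict, ctx: dict) -> dict:
    """Source of each effective entitlement, for when an auditor asks why it exists."""
    sources = {}
    for role in user["roles"]:
        for ent in ROLES[role]:
            sources.setdefault(ent, f"role:{role}")
    for ent in user.get("approved_exceptions", ()):
        sources.setdefault(ent, "exception:approved")
    for rule in RULES:
        for ent in rule(user, ctx)[0]:
            sources.setdefault(ent, f"rule:{rule.__name__}")
    effective = effective_access(user, ctx)
    return {e: s for e, s in sources.items() if e in effective}
```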

Federated Identity
Federated identity is the set of technologies and processes that enables a user to log in with the same user ID and password on the systems of multiple companies or entities. Think of it as a sort of global single sign-on. At the core of the federated identity model is a directory that correlates a user's credentials from multiple sources. That directory serves as the translator for the user, so that he or she can use a single set of credentials while the directory pushes the relevant equivalent to the target system. Clearly, this requires interorganizational interoperability, and today that is still a very tall order. However, as more and more systems adopt industry-standard protocols, federated identity will become increasingly manageable to implement.
Common uses for federated identity include:
§  Employee benefits: Employees of your company can use their company network IDs and passwords to access their health insurance, retirement, and other benefits, even though the benefits information is maintained by the individual providers on their own proprietary Web sites.
§  Government interagency communications: Most governments have numerous disparate agencies that provide services to their citizens. It will be much easier for citizens to make use of the online services offered by these agencies if one ID and password gives them access to all services. This in turn would increase the use of online government services, reducing operating costs for the corresponding agencies.
§  Electronic commerce: Many large retailers and manufacturers have hundreds or even thousands of suppliers and other business partners. Standardizing authentication between them would facilitate electronic commerce substantially.

Patch Management—System Resiliency

"Sophos research shows that connecting an unprotected, unpatched computer running Windows XP (without SP2) to the Internet leads to a 40% risk of infection from an Internet worm within about 10 minutes, rising to a 94% chance after 60 minutes." Self-propagating worms and viruses typically appear days after the public announcement of vulnerabilities. Failing to patch your systems promptly can have serious implications, given the speed and fury of virus outbreaks in recent months. For example, in 2005, Zotob took five days to hit after the patch was released; in 2000, Nimda struck systems a year after the vulnerability was announced. Notice the precipitous decline in the time frame available to patch.
Patch management is not an easy path to navigate in any company. The common complaints about patching include:
§  Patches cause instability in systems and must be sufficiently tested before release into production. Administrators or security personnel often get the blame for any system woes after a patch is deployed.
§  Most patches require a system reboot, which adds to the instability factor and causes downtime for business functions. Closely tied to this is the issue of identifying a maintenance window for patching.
§  Patching affects every system. Because of its wide-ranging impact at the server, workstation, and laptop levels, patching requires significant coordination and buy-in from a large number of stakeholders. Not only do administrators need to take into consideration the variants of operating systems, database systems, and network devices, but in many cases they also need to consider the applications or processes running on each component.
§  There are too many patches, many of which are irrelevant to any given environment. SC Magazine reported a total of 3,780 patches in the first two quarters of 2005.[7]
To counter the stigma associated with patching, focus on building an effective patch management process (PMP) with these practical guidelines:
§  Publicize the objectives of your PMP to executives and management. The key message to carry across is that patching is a necessity that every company faces. Because not patching is not an option, the goal of the PMP is to make patching a predictable, reliable, and efficient process. Predictability is realized by adhering to a set patching schedule. Reliability is achieved by having the proper testing processes, as well as the right staff on hand after the patch has been deployed to validate the system processes and support any issues that may arise. Efficiency is gained by tuning the PMP with each iterative cycle to make it more seamless and less disruptive to the business. When faced with resistance, emphasize that a planned downtime with reliable personnel on staff to bring the systems back up (as well as contingency plans) is more desirable than an unplanned downtime and potential loss of systems or data caused by a security breach.
§  Establish the roles and responsibilities of all the parties involved in the PMP. Your patching should cover servers, workstations, and laptops, and include network devices as well. Gather key representatives from each group to form a patch management committee (PMC) that makes joint decisions on patching strategies and contributes to the continual improvement of the PMP.
§  Create contingency plans for patching. Work with the PMC to formulate rollback and communications plans in the event that a patch proves problematic. What we have found in most organizations is that patches are often blamed as the culprit of a system failure. A patch, however, may merely expose a deficiency in the way an application communicates with the kernel, causing the application to choke. Set the right expectations with the appropriate parties to work on improving problematic systems rather than reversing the patch.
§  Establish a regular maintenance window for patching keyed to Microsoft's Patch Tuesday (its regular monthly patching cycle). Virus writers are moving at unprecedented speed, producing malware as soon as five days after a patch is released; the term "zero-day" exploit has ceased to be as theoretical as it once was. Allocate the four days following Patch Tuesday to testing and set the target of patching production over that weekend.
§  Involve your change management committee or board. Patching requires the appropriate approvals because it has a wide-ranging impact on all systems in the enterprise. Ensure that you embed the PMP into the monthly routine of the change control meetings.
§  Create an exception procedure. There will be business or IT managers whose initiatives will result in your inability to patch their systems. Put the onus on them to inform the PMC at the change control meetings. Review and grant these exceptions accordingly. Set a cutoff date for the list of systems to be exempt, and set expectations with the requestor as to when the systems on the exception list will be patched.
§  Include an emergency PMP (EPMP). There will be critical patches that must be applied sooner rather than later because of impending attacks. In those cases, invoke the EPMP and rush the patching through in no more than two days.
A successful PMP saves you from significant hours of downtime and damage control.
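As an added example (not from the book), a small Python scheduler that turns the guidelines above into concrete dates: Patch Tuesday is the second Tuesday of the month, the four days after it are the test window, production is patched that weekend, and an emergency PMP allows two days from the announcement. The exception cutoff on the Friday before the production weekend is an assumption, not a date the chapter specifies.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    days_to_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_tuesday + 7)


def patch_calendar(year: int, month: int) -> dict:
    """Regular PMP windows for one month.

    Testing occupies the four days after Patch Tuesday (Wednesday through
    Saturday); production is patched over that weekend, so Saturday is the
    hand-off from test sign-off to deployment.
    """
    pt = patch_tuesday(year, month)
    return {
        "patch_tuesday": pt,
        "test_window": (pt + timedelta(days=1), pt + timedelta(days=4)),
        "production_window": (pt + timedelta(days=4), pt + timedelta(days=5)),
        # Assumption: exception requests must reach the PMC before testing
        # ends, here taken as the Friday before the production weekend.
        "exception_cutoff": pt + timedelta(days=3),
    }


def next_window(today: date) -> dict:
    """The upcoming regular window: this month's if it has not passed, else next month's."""
    cal = patch_calendar(today.year, today.month)
    if today <= cal["production_window"][1]:
        return cal
    if today.month == 12:
        return patch_calendar(today.year + 1, 1)
    return patch_calendar(today.year, today.month + 1)


def emergency_deadline(announced: date) -> date:
    """EPMP: a critical patch is rushed through within two days of the announcement."""
    return announced + timedelta(days=2)


def is_overdue(patch_release: date, today: date, emergency: bool = False) -> bool:
    """True when the PMP deadline that applies to the patch has passed."""
    if emergency:
        return today > emergency_deadline(patch_release)
    # A patch released after this month's production window rolls to next month's.
    window_end = next_window(patch_release)["production_window"][1]
    return today > window_end
```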

Local Administrator Rights
A zero-day virus is malware that infects computers before a protection against it (i.e., a signature-based antivirus update) is available. Preventing your normal end users from being local administrators on their work computers is probably your least expensive defense against zero-day viruses. Most malware relies on the user's administrative privilege to write or install malicious programs to the system folder or registry. If the user has only a nonprivileged account, a variety of malware will fail to infect the host computer.
Removing local administrative rights has other security benefits, such as preventing users from installing nonapproved software or devices. Users would need to get the appropriate approvals to have company-licensed software pushed out to them. However, this can also be a source of contention, because printer and other types of installations require administrative rights. Users who are used to getting their way are not going to welcome this change in policy. Be sure to get the proper executive support, especially from the business side, to push such an initiative. Provide a path for approved installations by creating scripts that run the installer with administrative rights while the user remains logged in under a nonprivileged account.
Other solutions allow the user to right-click and send installation files to an administrator stand-in application that performs the installation. This method lets you present a warning banner informing users of their responsibilities. Both administrator substitute options require you to provide end users with an administrative password. To safeguard this privilege properly, change the password on a regular basis and communicate the change to your end-user support teams.