
Identity and Access Management (IAM) :

Providing the right people with the right access at the right time

· Authentication
– Single Sign On
– Session Management
– Strong Authentication
– Password Service

· Authorization
– Role based
– Rule-based
– Attribute based
– Remote Authorization

· User Management
– Delegated Administration
– User and Role Management
– Provisioning
– Password Management
– Self-service

· Central User Repository


– Directory
– Data Synchronization
– Meta-directory
– Virtual directory

_________________________________________________________________________

Access Management (AM)

Access management refers to the processes and technologies used to control and monitor
network access. Access management features, such as authentication, authorization, trust and
security auditing, are part and parcel of the top ID management systems for both on-premises
and cloud-based systems.
Authentication

Any combination of two or more of the following three factors is considered strong authentication:

· What you know
– Password
– Passphrase

· What you are
– Iris
– Fingerprint

· What you have
– Token
– Smartcard

Authorization

2 primary forms of Authorization:

· Coarse-Grain
– High-level and overarching entitlements
– Create, Read, Update, Modify

· Fine-Grain
– Detailed and explicit entitlements
– Based on factors such as time, dept, role and location

_______________________________________________________________________

Five Elements of Security

1. Authentication

2. Authorization

3. AAA Services

4. Auditing

5. Accountability

________________________________________________________________________

Authentication

· The process of verifying or testing that the claimed identity is valid is authentication.
Authentication requires from the subject additional information that must exactly
correspond to the identity indicated. The most common form of authentication is using a
password (this includes the password variations of PINs and passphrases).
· Authentication verifies the identity of the subject by comparing one or more factors
against the database of valid identities (that is, user accounts).

___________________________________________________________________________
Authorization

· Once a subject is authenticated, access must be authorized. The process of
authorization ensures that the requested activity or access to an object is possible given
the rights and privileges assigned to the authenticated identity.
· In most cases, the system evaluates an access control matrix that compares the subject,
the object, and the intended activity. If the specific action is allowed, the subject is
authorized. If the specific action is not allowed, the subject is not authorized.
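The access control matrix evaluation described above, combined with the coarse-grain and fine-grain entitlements from the earlier Authorization section, as an added Python example that is not part of the original notes: coarse-grain entitlements map a role and object to the CRUD-style actions it may perform, and fine-grain rules add the department, location and time-of-day conditions. The policy tables, roles, object names and subjects are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample policy (not from the notes): coarse-grain entitlements
# map (role, object) to the high-level actions that role may perform.
COARSE_MATRIX = {
    ("analyst", "customer_db"): {"read"},
    ("dba", "customer_db"): {"create", "read", "update", "delete"},
    ("hr_staff", "payroll"): {"read", "update"},
}

# Fine-grain entitlements: detailed conditions on dept, location and time
# that must also hold before an otherwise-permitted action is allowed.
FINE_RULES = {
    "customer_db": {
        "departments": {"finance", "it"},
        "locations": {"office", "vpn"},
        "hours": ("08:00", "18:00"),
    },
    "payroll": {
        "departments": {"hr"},
        "locations": {"office"},
        "hours": ("07:00", "19:00"),
    },
}


@dataclass(frozen=True)
class Subject:
    """An authenticated identity and the attributes the policy can test."""
    name: str
    role: str
    dept: str
    location: str


def authorize(subject, obj, action, at_hhmm):
    """Evaluate the access control matrix for (subject, object, action).

    `at_hhmm` is the request time as "HH:MM". Returns (allowed, reason);
    anything not explicitly granted is denied, and the reason string is
    what an audit log should record alongside the decision.
    """
    # Coarse-grain check: does the role hold this entitlement on the object?
    allowed_actions = COARSE_MATRIX.get((subject.role, obj), set())
    if action not in allowed_actions:
        return False, f"coarse: role {subject.role!r} has no {action!r} on {obj!r}"

    # Fine-grain check: apply the object's contextual conditions, if any.
    rule = FINE_RULES.get(obj)
    if rule is None:
        return True, "allowed (coarse-grain only)"
    if subject.dept not in rule["departments"]:
        return False, f"fine: dept {subject.dept!r} not permitted for {obj!r}"
    if subject.location not in rule["locations"]:
        return False, f"fine: location {subject.location!r} not permitted for {obj!r}"
    start, end = (time.fromisoformat(h) for h in rule["hours"])
    at = time.fromisoformat(at_hhmm)
    if not start <= at <= end:
        return False, f"fine: {at_hhmm} is outside {rule['hours']} for {obj!r}"
    return True, "allowed (coarse and fine-grain checks passed)"


if __name__ == "__main__":
    alice = Subject("alice", "analyst", "finance", "office")
    for action, when in (("read", "10:00"), ("update", "10:00"), ("read", "22:00")):
        print(alice.name, action, when, authorize(alice, "customer_db", action, when))
```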

___________________________________________________________________________

AAA Services

· You may have heard of the concept of AAA services. The three As in this acronym refer
to authentication, authorization, and accounting (or sometimes auditing). However, what
is not as clear is that although there are three letters in the acronym, it refers to five
elements: identification, authentication, authorization, auditing, and accounting. Thus,
the first and the third/last A actually represent two concepts instead of just one.

These five elements represent the following processes of security:

· Identification: claiming an identity when attempting to access a secured area or system.

· Authentication: proving that you are that identity.

· Authorization: defining the allows and denials of resource and object access for a specific
identity.

· Auditing: recording a log of the events and activities related to the system and subjects.

· Accounting (aka accountability): reviewing log files to check for compliance and violations in
order to hold subjects accountable for their actions.

Although AAA is often referenced in relation to authentication systems, it is in fact a
foundational concept of all forms of security, as without any one of these five elements a
security mechanism would be incomplete.

____________________________________________________________________________

Auditing

· Auditing, or monitoring, is the programmatic means by which a subject’s actions are
tracked and recorded for holding the subject accountable for their actions while
authenticated on a system.
· It is also the process by which unauthorized or abnormal activities are detected on a
system.
· Auditing is recording the activities of a subject and its objects as well as recording the
activities of core system functions that maintain the operating environment and the
security mechanisms.

____________________________________________________________________________
Accountability

· An organization’s security policy can be properly enforced only if accountability is
maintained. In other words, you can maintain security only if subjects are held
accountable for their actions. Effective accountability relies on the capability to prove a
subject’s identity and track their activities.
· Accountability is established by linking a human to the activities of an online identity through
the security services and mechanisms of auditing, authorization, authentication, and
identification. Thus, human accountability is ultimately dependent on the strength of the
authentication process.
· Without a strong authentication process, there is doubt that the human associated with a
specific user account was the actual entity controlling that user account when the
undesired action took place.

____________________________________________________________________________

What IAM terms should I know?

· Active Directory (AD): Microsoft developed AD as a user-identity directory service for
Windows domain networks. Though proprietary, AD is included in the Windows Server
operating system and is thus widely deployed.

· Biometric authentication: A security process for authenticating users that relies upon the
user’s unique characteristics. Biometric authentication technologies include fingerprint sensors,
iris and retina scanning, and facial recognition.

· Context-aware network access control: Context-aware network access control is a policy-
based method of granting access to network resources according to the current context of the
user seeking access. For example, a user attempting to authenticate from an IP address that
hasn’t been whitelisted would be blocked.

· Credential: An identifier employed by the user to gain access to a network, such as the user’s
password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris
scan).

· De-provisioning: The process of removing an identity from an ID repository and terminating
access privileges.

· Digital identity: The ID itself, including the description of the user and his/her/its access
privileges. (“Its” because an endpoint, such as a laptop or smartphone, can have its own digital
identity.)

· Entitlement: The set of attributes that specify the access rights and privileges of an
authenticated security principal.

· Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management
functionality to an organization’s systems that reside on-premises and/or in the cloud.

· Identity lifecycle management: Identity synchronization: The process of ensuring that multiple
identity stores—say, the result of an acquisition—contain consistent data for a given digital ID.

· Lightweight Directory Access Protocol (LDAP): LDAP is an open, standards-based protocol
for managing and accessing a distributed directory service, such as Microsoft’s AD.

· Multi-factor authentication (MFA): MFA is when more than just a single factor, such as a user
name and password, is required for authentication to a network or system. At least one
additional step is also required, such as receiving a code sent via SMS to a smartphone,
inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such
as a fingerprint scan.

· Password reset: In this context, it’s a feature of an ID management system that allows users
to re-establish their own passwords, relieving the administrators of the job and cutting support
calls. The reset application is often accessed by the user through a browser. The application
asks for a secret word or a set of questions to verify the user’s identity.

· Privileged account management: This term refers to managing and auditing accounts and
data access based on the privileges of the user. In general terms, because of his or her job or
function, a privileged user has been granted administrative access to systems. A privileged
user, for example, would be able to set up and delete user accounts and roles.

· Provisioning: The process of creating identities, defining their access privileges and adding
them to an ID repository.

· Risk-based authentication (RBA): Risk-based authentication dynamically adjusts
authentication requirements based on the user’s situation at the moment authentication is
attempted. For example, when users attempt to authenticate from a geographic location or IP
address not previously associated with them, those users may face additional authentication
requirements.

· Security principal: A digital identity with one or more credentials that can be authenticated and
authorized to interact with the network.

· Single sign-on (SSO): A type of access control for multiple related but separate systems. With
a single username and password, a user can access a system or systems without using
different credentials.

· User behaviour analytics (UBA): UBA technologies examine patterns of user behaviour and
automatically apply algorithms and analysis to detect important anomalies that may indicate
potential security threats. UBA differs from other security technologies, which focus on tracking
devices or security events. UBA is also sometimes grouped with entity behaviour analytics and
known as UEBA.
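The decisions described in the Context-aware network access control and Risk-based authentication entries above, as an added Python example that is not part of the original notes: an attempt from an address outside the allowlisted networks is blocked outright, a correct password from an IP or country not previously associated with the user triggers a step-up (additional factor) requirement, and a familiar context is allowed. The networks, users and login history are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from the notes).
# Networks from which authentication may be attempted at all (context-aware NAC).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # corporate LAN / VPN pool
    ipaddress.ip_network("203.0.113.0/24"),    # branch office (documentation range)
]

# Per-user history of contexts that previously completed authentication.
KNOWN_CONTEXT = {
    "alice": {"ips": {"10.1.2.3"}, "countries": {"DE"}},
}


@dataclass(frozen=True)
class Attempt:
    user: str
    ip: str
    country: str        # geolocation of the source address
    password_ok: bool   # outcome of the first factor


def decide(attempt, known=KNOWN_CONTEXT, networks=ALLOWED_NETWORKS):
    """Return one of 'deny', 'block', 'step_up' or 'allow' for a login attempt."""
    if not attempt.password_ok:
        return "deny"                     # first factor failed; nothing else matters
    addr = ipaddress.ip_address(attempt.ip)
    if not any(addr in net for net in networks):
        return "block"                    # context-aware NAC: source not allowlisted
    history = known.get(attempt.user, {"ips": set(), "countries": set()})
    new_ip = attempt.ip not in history["ips"]
    new_country = attempt.country not in history["countries"]
    if new_ip or new_country:
        return "step_up"                  # RBA: unfamiliar context, require another factor
    return "allow"


def record_success(attempt, known=KNOWN_CONTEXT):
    """After the step-up factor succeeds, remember this context as familiar."""
    entry = known.setdefault(attempt.user, {"ips": set(), "countries": set()})
    entry["ips"].add(attempt.ip)
    entry["countries"].add(attempt.country)
    return entry


if __name__ == "__main__":
    for a in (Attempt("alice", "10.1.2.3", "DE", True),
              Attempt("alice", "10.9.9.9", "DE", True),
              Attempt("alice", "198.51.100.7", "DE", True)):
        print(a.user, a.ip, a.country, "->", decide(a))
```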

____________________________________________________________________________

Uniting Identity and Access Management

· Provision
– Validate
– Approve
– Propagate
– Communicate
– Request

· Administer
– Monitor
– Manage passwords
– Audit and reconcile
– Strategize
– Manage systems
– Administer policies

· Enforce
– Authenticate
– Authorize
– Log activity

___________________________________________________________________

Need for IAM

· Secure user access plays a key role in the exchange of data and information.
· Electronic data is becoming ever more valuable for most companies.
· Securing access to it is an issue that is often solved by introducing strong authentication.
· Modern IAM solutions allow administering users and their access rights flexibly and
effectively, enabling multiple ways of cooperation.

______________________________________________________________________

Business Challenges

· An increasingly distributed workforce
· Distributed applications
· Productive provisioning
· Bring your own device (BYOD)
· Password problems
· Regulatory compliance

________________________________________________________________________
An increasingly distributed workforce

One way organizations can recruit and retain the best talent is by removing the constraints of
geographic location and offering a flexible work environment. A remote workforce allows
businesses to boost productivity while keeping expenses in check, as well as untethering
employees from a traditional office setting. However, with employees scattered all over a
country or even the world, enterprise IT teams face a much more daunting challenge:
maintaining a consistent experience for employees connecting to corporate resources without
sacrificing security. The growth of mobile computing means that IT teams have less visibility
into and control over employees’ work practices. The solution is a comprehensive, centrally
managed IAM solution that returns to the enterprise IT team the visibility and control needed
for a distributed workforce.

________________________________________________________________________

Distributed applications

With the growth of cloud-based and Software as a Service (SaaS) applications, users now have
the power to log in to critical business apps like Salesforce, Office365, Concur, and more
anytime, from any place, using any device. However, with the increase of distributed
applications comes an increase in the complexity of managing user identities for those
applications. Without a seamless way to access these applications, users struggle with
password management while IT is faced with rising support costs from frustrated users. The
solution is a holistic IAM solution that can help administrators consolidate, control, and simplify
access privileges, whether the critical applications are hosted in traditional data centers, private
clouds, public clouds, or a hybrid combination of all these spaces.

________________________________________________________________________

Productive provisioning

Without a centralized IAM system, IT staff must provision access manually. The longer it takes
for a user to gain access to crucial business applications, the less productive that user will be.
On the flip side, failing to revoke the access rights of employees who have left the organization
or transferred to different departments can have serious security consequences. To close this
window of exposure and risk, IT staff must de-provision access to corporate data as quickly as
possible.

Especially for large organizations, manual provisioning is not an efficient or sustainable way to
manage user identities and access. The solution is a robust IAM solution that can fully automate
the provisioning and de-provisioning process, giving IT full power over the access rights of
employees, partners, contractors, vendors, and guests. Automated provisioning and
de-provisioning speed the enforcement of strong security policies while helping to eliminate
human error.
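The automated provisioning and de-provisioning described above, as an added Python example that is not part of the original notes: an HR roster is reconciled against the access repository so that joiners are provisioned, leavers (and orphaned accounts) are de-provisioned, and movers have entitlements from their former role revoked. The departments, role entitlements and sample records are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role model (not from the notes): the entitlements each
# department's baseline role should hold. Anything outside it is excess.
ROLE_ENTITLEMENTS = {
    "finance": {"email", "erp"},
    "engineering": {"email", "git"},
    "hr": {"email", "hris"},
}


@dataclass
class HrRecord:
    user: str
    dept: str
    status: str   # "active" or "terminated"


@dataclass
class Account:
    user: str
    entitlements: set = field(default_factory=set)


def reconcile(hr_records, accounts):
    """Compare the HR roster with the access repository and return actions.

    Each action is (verb, user, entitlements) with verb one of
    'provision', 'deprovision', 'grant' or 'revoke'. Running this on a
    schedule closes the window in which a leaver or mover keeps access.
    """
    hr = {r.user: r for r in hr_records}
    acc = {a.user: a for a in accounts}
    actions = []

    # Joiners: active in HR but no account yet.
    for user, rec in hr.items():
        if rec.status == "active" and user not in acc:
            actions.append(("provision", user, tuple(sorted(ROLE_ENTITLEMENTS[rec.dept]))))

    for user, account in acc.items():
        rec = hr.get(user)
        # Leavers, and accounts HR has no record of: remove entirely.
        if rec is None or rec.status != "active":
            actions.append(("deprovision", user, tuple(sorted(account.entitlements))))
            continue
        # Movers and drift: bring entitlements back to the role baseline.
        wanted = ROLE_ENTITLEMENTS[rec.dept]
        excess = account.entitlements - wanted
        missing = wanted - account.entitlements
        if excess:
            actions.append(("revoke", user, tuple(sorted(excess))))
        if missing:
            actions.append(("grant", user, tuple(sorted(missing))))
    return sorted(actions)


# Constructed sample run: one joiner, one leaver, one mover, one unchanged user.
SAMPLE_HR = [
    HrRecord("alice", "finance", "active"),
    HrRecord("bob", "finance", "terminated"),
    HrRecord("carol", "engineering", "active"),
    HrRecord("dave", "engineering", "active"),   # transferred here from finance
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"email", "erp"}),
    Account("bob", {"email", "erp"}),
    Account("dave", {"email", "erp"}),
    Account("ghost", {"email"}),                 # orphan with no HR record
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(*action)
```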

________________________________________________________________________
Bring your own device (BYOD)

To manage or not to manage—there really is no choice between the two for today’s enterprises.
Employees, contractors, partners, and others are bringing in personal devices and connecting
to the corporate network for professional and personal reasons. The challenge with BYOD is not
whether outside devices are brought into the enterprise network, but whether IT can react
quickly enough to protect the organization’s business assets—without disrupting employee
productivity and while offering freedom of choice. Nearly every company has some sort of
BYOD policy that allows users to access secure resources from their own devices. However,
accessing internal and SaaS applications on a mobile device can be more cumbersome than
doing so from a networked laptop or desktop workstation.

________________________________________________________________________

Password problems

The growth of cloud-based applications means that employees must remember an increasing
number of passwords for applications that may cross domains and use numerous different
authentication and attribute-sharing standards and protocols. User frustration can mount when
an employee spends more and more time managing the resulting lists of passwords which, for
some applications, may require changing every 30 days. Plus, when employees have trouble
with their passwords, they most often contact IT staff for help, which can quickly and
repeatedly drain important.

________________________________________________________________________

Regulatory compliance

Compliance and corporate governance concerns continue to be major drivers of IAM spending.
For example, much of the onus to provide the corporate governance data required by
Sarbanes-Oxley regulations falls on the IT department. Ensuring support for processes such as
determining access privileges for specific employees, tracking management approvals for
expanded access, and documenting who has accessed what data and when they did it can go a
long way to easing the burden of regulatory compliance and ensuring a smooth audit process.

________________________________________________________________________

IAM STRATEGY FRAMEWORK

When developing an IAM strategy, we need to consider the following matters:

· The risks associated with IAM and how they are addressed.
· The needs of the organization.
· How to start looking at IAM within the organization and what an effective IAM process
looks like.
· The process for identifying users and the number of users present within the
organization.
· The process for authenticating users.
· The access permissions that are granted to users.
· Whether users are inappropriately accessing IT resources.
· The process for tracking and recording user activity.

[Figure: IAM Strategy Framework, a five-stage cycle. 1. Inventory: current state analysis and
evaluation. 2. Create: future state analysis; Step 1 Define (define roles required based on rules
and policies), Step 2 Map (build processes required for mapping identities to roles), Step 3
Assign (assign rules and access rights to individuals). 3. Deploy: assign roles and workflows.
4. Optimize. 5. Report: build reports for monitoring and regular ...]


________________________________________________________________________

· Inventory: gather information about users, access requirements, applications and data
· Create: future state roadmap, associating user groups with access controls, and
designing operational support and workflow processes.
· Deploy: begin assigning access to systems and data using new processes and
workflows.
· Optimize: deploy automated and delegated processes only after a steady state has
been achieved.
· Report: leverage investment to satisfy reporting requirements for legislation and internal
controls.

____________________________________________________________________________

Identity Management Drivers

· Regulatory Compliance
– SOX
– GLBA
– HIPAA

· Efficiencies
– Productivity Loss
– Excessive Administration points

· Cost Savings
– Password resets
– Centralized reporting/attestation

· Security
– Rogue users (de-provision accounts)

__________________________________________________________________________
Cost of IAM over Time

· The higher initial cost of implementing and deploying an I&AM solution compared to
maintaining existing processes and tools.

However, over a period of time:

– Maintaining existing tools for managing identities will increase in cost.
– The deployment of I&AM will reduce costs.

___________________________________________________________________

Business Drivers of IAM

· Improved Regulatory Compliance
· Reduced Information Security Risk
· Reduced IT Operating and Development Costs
· Improved Operating Efficiencies and Transparency
· Improved User Satisfaction
· Increased Effectiveness of Key Business Initiatives

___________________________________________________________________

Improved Regulatory Compliance

Without overstating the effects of the regulations mentioned in the previous paragraph, it is
important to note that Sarbanes-Oxley, HIPAA, GLBA, Basel II, and other regulations have
significantly impacted organizations worldwide. However, while IAM initiatives have helped fill
the gaps related to system access controls, they may not have gone far enough. Many
companywide IAM initiatives are merely stopgaps to regulatory compliance. Although this
approach to dealing with IAM may pass an audit, it may hinder the organization in the future as
the IAM program becomes overly complex, inoperable, and costly. Organizations also must be
aware that IAM programs frequently collect personal information about system users.

___________________________________________________________________

Reduced Information Security Risk

A key driver to successful IAM implementation is the improved risk posture that comes from the
implementation of better identity and access controls. By knowing who has access to what, and
how access is directly relevant to a particular job or function, IAM improves the strength of the
organization’s overall control environment. In many organizations, the removal of user access
rights or access rights for a digital identity can take up to three to four months. This may present
an unacceptable risk to the organization, especially if an individual is able to continue accessing
company systems and resources during the access removal period.

___________________________________________________________________

Reduced IT Operating and Development Costs

Ironically, the proliferation of automated systems can negatively impact worker efficiency due to
the different sign-on mechanisms used. As a result, workers must remember or carry a variety
of credentials that change frequently.

For example, many organizations are faced with the following circumstances:

• A lack of defined and automated approval workflows, resulting in a best guess by an
administrative assistant when initiating the provisioning process and handling access requests.

• An increased number of help desk calls, many of which are related to identity and access
support, such as password-reset requests.

• Having new employees wait a week or longer to obtain baseline access to IT systems, such as
e-mail and network resources.

• Not documenting access requirements by role, so users have to make several follow-up calls
to get the access they need.

__________________________________________________________________________

Improved Operating Efficiencies and Transparency

Having a well-defined process for managing access to information can greatly enhance a
company’s operating efficiency. Many times, organizations struggle with getting users the
access they require to perform their job functions. For instance, requests are forwarded to
various members of the IT or administration team who may not know what access or information
a user is requesting or has a business need to obtain. Additionally, without a defined process,
requests may go unfulfilled or be performed incorrectly, resulting in additional work on the part
of the IT or administration team.

__________________________________________________________________________

Improved User Satisfaction

Besides the operating efficiencies mentioned earlier, implementing an effective IAM process can
enable users to identify the access they need, submit the request to the appropriate approver,
and quickly gain access to work information. This, in turn, helps to reduce user frustration, which
is particularly important as new employees are hired (e.g., when new team members are
provided timely access to perform their job functions, they are productive sooner).

__________________________________________________________________________

Increased Effectiveness of Key Business Initiatives

Often, certain business initiatives require access rights to be changed. These typically include
joint ventures, outsourcing partnerships, divestitures, mergers, and acquisitions. For companies
that are involved in these activities, the ability to quickly provide access to the appropriate levels
of information can enhance the activity’s success significantly.

__________________________________________________________________________

IAM Vendors

The identity and access management vendor landscape is a crowded one, consisting of both
pure-play providers such as Okta and OneLogin and large vendors such as IBM, Microsoft and
Oracle. Below is a list of leading players based on Gartner’s Magic Quadrant for Access
Management, Worldwide, which was published in June 2017.

· Atos (Evidian)
· Optimal IdM
· CA Technologies
· Centrify
· Covisint
· ForgeRock
· IBM Security Identity and Access Assurance
· I-Sprint Innovations
· OneLogin
· Okta
· Oracle Identity Cloud Service
· Ping
· SecureAuth
· Micro Focus
· Microsoft Azure Active Directory

__________________________________________________________________________