Providing the right people with the right access at the right time
· Authentication
– Single Sign On
– Session Management
– Strong Authentication
– Password Service
· Authorization
– Role based
– Rule-based
– Attribute based
– Remote Authorization
· User Management
– Delegated Administration
– User and Role Management
– Provisioning
– Password Management
– Self-service
_________________________________________________________________________
Access management refers to the processes and technologies used to control and monitor
network access. Access management features, such as authentication, authorization, trust and
security auditing, are part and parcel of the top ID management systems for both on-premises
and cloud-based systems.
Authentication
Authorization
· Coarse-Grain
– High-level and overarching entitlements
– Create, Read, Update, Modify
· Fine-Grain
– Detailed and explicit entitlements
– Based on factors such as time, dept, role and location
_______________________________________________________________________
1. Authentication
2. Authorization
3. AAA Services
4. Auditing
5. Accountability
________________________________________________________________________
Authentication
· The process of verifying or testing that the claimed identity is valid is authentication.
Authentication requires from the subject additional information that must exactly
correspond to the identity indicated. The most common form of authentication is using a
password (this includes the password variations of PINs and passphrases).
· Authentication verifies the identity of the subject by comparing one or more factors
against the database of valid identities (that is, user accounts).
___________________________________________________________________________
Authorization
___________________________________________________________________________
AAA Services
· You may have heard of the concept of AAA services. The three As in this acronym refer
to authentication, authorization, and accounting (or sometimes auditing). However, what
is not as clear is that although there are three letters in the acronym, it refers to five
elements: identification, authentication, authorization, auditing, and accounting. Thus,
the first and the third/last A actually represent two concepts instead of just one.
Authorization: defining the allows and denials of resource and object access for a specific
identity.
Auditing: recording a log of the events and activities related to the system and subjects.
Accounting (aka accountability): reviewing log files to check for compliance and violations in
order to hold subjects accountable for their actions. Although AAA is often referenced in relation
to authentication systems, it is in fact a foundational concept of all forms of security, as without
any one of these five elements, a security mechanism would be incomplete.
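The coarse-grain and fine-grain authorization slide above and the five AAA elements can be shown together in one small policy engine. This is an added example, not code from the notes: the user attributes, the role entitlements and the ledger rule are constructed sample data, and the time/department conditions are the kind of fine-grain factors the slide lists.

```python
from datetime import datetime

# Constructed sample identities (the "database of valid identities") with attributes.
USERS = {
    "alice": {"role": "analyst", "dept": "finance", "location": "NYC"},
    "bob":   {"role": "admin",   "dept": "it",      "location": "LON"},
}

# Coarse-grain entitlements: high-level operations each role may perform.
COARSE = {
    "analyst": {"read"},
    "admin":   {"create", "read", "update", "modify"},
}

# Fine-grain rules per resource: attribute conditions evaluated at request time.
FINE = {
    "ledger": {
        "dept": {"finance", "it"},   # only these departments may touch the ledger
        "hours": (8, 18),            # permitted only between 08:00 and 18:00 (24h clock)
    },
}

AUDIT_LOG = []   # auditing: every decision, allowed or denied, is recorded here


def authorize(user, action, resource, when):
    """Return True if `user` may perform `action` on `resource` at datetime `when`."""
    attrs = USERS.get(user)
    if attrs is None:
        decision, reason = False, "unknown identity"
    elif action not in COARSE.get(attrs["role"], set()):
        decision, reason = False, "coarse-grain: action not entitled to role"
    else:
        rule = FINE.get(resource, {})
        start, end = rule.get("hours", (0, 24))
        if attrs["dept"] not in rule.get("dept", {attrs["dept"]}):
            decision, reason = False, "fine-grain: department not permitted"
        elif not (start <= when.hour < end):
            decision, reason = False, "fine-grain: outside permitted hours"
        else:
            decision, reason = True, "allowed"
    AUDIT_LOG.append({"user": user, "action": action, "resource": resource,
                      "time": when.isoformat(), "allowed": decision, "reason": reason})
    return decision


def review_violations(log):
    """Accountability: group the denied events by user so they can be followed up."""
    violations = {}
    for event in log:
        if not event["allowed"]:
            violations.setdefault(event["user"], []).append(event["reason"])
    return violations
```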
____________________________________________________________________________
Auditing
____________________________________________________________________________
Accountability
____________________________________________________________________________
Biometric authentication: A security process for authenticating users that relies upon the
user’s unique characteristics. Biometric authentication technologies include fingerprint sensors,
iris and retina scanning, and facial recognition.
Credential: An identifier employed by the user to gain access to a network such as the user’s
password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris
scan).
Digital identity: The ID itself, including the description of the user and his/her/its access
privileges. (“Its” because an endpoint, such as a laptop or smartphone, can have its own digital
identity.)
Entitlement: The set of attributes that specify the access rights and privileges of an
authenticated security principal.
Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management
functionality to an organization’s systems that reside on-premises and/or in the cloud.
Identity lifecycle management:
Identity synchronization: The process of ensuring that multiple identity stores (say, the result of
an acquisition) contain consistent data for a given digital ID.
Lightweight Directory Access Protocol (LDAP): LDAP is an open, standards-based protocol
for managing and accessing a distributed directory service, such as Microsoft’s AD.
Multi-factor authentication (MFA): MFA is when more than just a single factor, such as a user
name and password, is required for authentication to a network or system. At least one
additional step is also required, such as receiving a code sent via SMS to a smartphone,
inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such
as a fingerprint scan.
Password reset: In this context, it’s a feature of an ID management system that allows users
to re-establish their own passwords, relieving the administrators of the job and cutting support
calls. The reset application is often accessed by the user through a browser. The application
asks for a secret word or a set of questions to verify the user’s identity.
Privileged account management: This term refers to managing and auditing accounts and
data access based on the privileges of the user. In general terms, because of his or her job or
function, a privileged user has been granted administrative access to systems. A privileged
user, for example, would be able set up and delete user accounts and roles.
Provisioning: The process of creating identities, defining their access privileges and adding
them to an ID repository.
Security principal: A digital identity with one or more credentials that can be authenticated and
authorized to interact with the network.
Single sign-on (SSO): A type of access control for multiple related but separate systems. With
a single username and password, a user can access a system or systems without using
different credentials.
User behaviour analytics (UBA): UBA technologies examine patterns of user behaviour and
automatically apply algorithms and analysis to detect important anomalies that may indicate
potential security threats. UBA differs from other security technologies, which focus on tracking
devices or security events. UBA is also sometimes grouped with entity behaviour analytics and
known as UEBA.
____________________________________________________________________________
· Provision
– Validate
– Approve
– Propagate
– Communicate
– Request
· Administer
– Monitor
– Manage passwords.
– Audit and reconcile
– Strategize
– Manage systems
– Administer policies
· Enforce
– Authenticate
– Authorize
– Log activity
___________________________________________________________________
Need of IAM
· Secure user access plays a key role in the exchange of data and information.
· Electronic data is becoming ever more valuable for most companies.
· Protecting that data is an issue that is often solved by introducing strong authentication.
· Modern IAM solutions allow administering users and their access rights flexibly and
effectively, enabling multiple ways of cooperation.
______________________________________________________________________
Business Challenges
________________________________________________________________________
An increasingly distributed workforce
Organizations can recruit and retain the best talent by removing the constraints of geographic
location and offering a flexible work environment. A remote workforce allows businesses to
boost productivity while keeping expenses in check as well as untethering employees from a
traditional office setting. However, with employees scattered all over a country or even the
world, enterprise IT teams face a much more daunting challenge: maintaining a consistent
experience for employees connecting to corporate resources without sacrificing security. The
growth of mobile computing means that IT teams have less visibility into and control over
employees’ work practices. The solution is a comprehensive, centrally managed IAM solution
that returns to the enterprise IT team the visibility and control needed for a distributed workforce.
________________________________________________________________________
Distributed applications
With the growth of cloud-based and Software as a Service (SaaS) applications, users now have
the power to log in to critical business apps like Salesforce, Office365, Concur, and more
anytime, from any place, using any device. However, with the increase of distributed
applications comes an increase in the complexity of managing user identities for those
applications. Without a seamless way to access these applications, users struggle with
password management while IT is faced with rising support costs from frustrated users. The
solution is a holistic IAM solution that can help administrators consolidate, control, and simplify
access privileges, whether the critical applications are hosted in traditional data centers, private
clouds, public clouds, or a hybrid combination of all these spaces.
________________________________________________________________________
Productive provisioning
Without a centralized IAM system, IT staff must provision access manually. The
longer it takes for a user to gain access to crucial business applications, the less productive that
user will be. On the flip side, failing to revoke the access rights of employees who have left the
organization or transferred to different departments can have serious security consequences.
To close this window of exposure and risk, IT staff must de-provision access to corporate data
as quickly as possible.
Especially for large organizations, manual provisioning is not an efficient or sustainable way to
manage user identities and access. The solution is a robust IAM solution that can fully automate
the provisioning and de-provisioning process, giving IT full power over the access rights of
employees, partners, contractors, vendors, and guests. Automated provisioning and
de-provisioning speed the enforcement of strong security policies while helping to eliminate
human error.
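The Provision / Administer / Enforce lifecycle listed earlier and the automated provisioning and de-provisioning described here come down to reconciling an authoritative HR record against the accounts that actually exist. The following is an added example, not code from the notes: the HR roster, the directory contents and the department-to-role mapping are constructed sample data, and `reconcile` produces the joiner, mover and leaver actions (including the disabling of an account with no HR record) that close the exposure window the paragraph warns about.

```python
# Constructed sample inputs: HR is the source of truth, the directory holds the accounts.
HR_ROSTER = {
    "alice": {"dept": "it",      "status": "active"},      # mover: transferred finance -> it
    "bob":   {"dept": "it",      "status": "active"},      # joiner: no account yet
    "carol": {"dept": "sales",   "status": "terminated"},  # leaver: account still enabled
}
DIRECTORY = {
    "alice": {"roles": {"finance-user"}, "enabled": True},
    "carol": {"roles": {"sales-user"},   "enabled": True},
    "dave":  {"roles": {"it-admin"},     "enabled": True},  # no HR record: rogue/orphaned
}

# Role-based provisioning policy: department -> baseline roles.
DEPT_ROLES = {"finance": {"finance-user"}, "it": {"it-user"}, "sales": {"sales-user"}}


def reconcile(roster, directory):
    """Audit and reconcile: compare HR against the directory and return the
    provisioning actions needed, as tuples ('create'|'set_roles'|'disable', user, ...)."""
    actions = []
    for user, record in roster.items():
        wanted = DEPT_ROLES.get(record["dept"], set())
        account = directory.get(user)
        if record["status"] != "active":
            if account and account["enabled"]:
                actions.append(("disable", user))                     # leaver
        elif account is None:
            actions.append(("create", user, frozenset(wanted)))       # joiner
        elif account["roles"] != wanted:
            actions.append(("set_roles", user, frozenset(wanted)))    # mover
    for user, account in directory.items():
        if user not in roster and account["enabled"]:
            actions.append(("disable", user))                         # no HR record
    return sorted(actions)


def apply(actions, directory):
    """Propagate the actions to a copy of the directory and return the new state."""
    new = {u: {"roles": set(a["roles"]), "enabled": a["enabled"]} for u, a in directory.items()}
    for action in actions:
        kind, user = action[0], action[1]
        if kind == "create":
            new[user] = {"roles": set(action[2]), "enabled": True}
        elif kind == "set_roles":
            new[user]["roles"] = set(action[2])
        elif kind == "disable":
            new[user]["enabled"] = False
    return new
```

Running `reconcile` a second time on the applied state returns no actions, which is the steady state the Optimize step waits for before automation is switched on.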
________________________________________________________________________
Bring your own device (BYOD)
To manage or not to manage—there really is no choice between the two for today’s enterprises.
Employees, contractors, partners, and others are bringing in personal devices and connecting
to the corporate network for professional and personal reasons. The challenge with BYOD is not
whether outside devices are brought into the enterprise network, but whether IT can react
quickly enough to protect the organization’s business assets—without disrupting employee
productivity and while offering freedom of choice. Nearly every company has some sort of
BYOD policy that allows users to access secure resources from their own devices. However,
accessing internal and SaaS applications on a mobile device can be more cumbersome than
doing so from a networked laptop or desktop workstation.
________________________________________________________________________
Password problems
The growth of cloud-based applications means that employees must remember an increasing
number of passwords for applications that may cross domains and use numerous different
authentication and attribute-sharing standards and protocols. User frustration can mount when
an employee spends more and more time managing the resulting lists of passwords which, for
some applications, may require changing every 30 days. Plus, when employees have trouble
with their passwords, they most often contact IT staff for help, which can quickly and
repeatedly drain important.
________________________________________________________________________
Regulatory compliance
Compliance and corporate governance concerns continue to be major drivers of IAM spending.
For example, much of the onus to provide the corporate governance data required by
Sarbanes-Oxley regulations falls on the IT department. Ensuring support for processes such as
determining access privileges for specific employees, tracking management approvals for
expanded access, and documenting who has accessed what data and when they did it can go a
long way to easing the burden of regulatory compliance and ensuring a smooth audit process.
________________________________________________________________________
· The risks associated with IAM and how they are addressed.
· The needs of the organization.
· How to start looking at IAM within the organization and what an effective IAM process
looks like.
· The process for identifying users and the number of users present within the
organization.
· The process for authenticating users.
· The access permissions that are granted to users.
· Whether users are inappropriately accessing IT resources.
· The process for tracking and recording user activity.
[Figure: IAM process cycle with stages 2. Create, 3. Deploy, 4. Optimize, 5. Report; analysis and identities; Step 1 Define, Step 2 Map, Step 3 Assign; assign roles and workflows]
· Inventory: gather information about users, access requirements, applications and data
· Create: future state roadmap, associating user groups with access controls, and
designing operational support and workflow processes.
· Deploy: begin assigning access to systems and data using new processes and
workflows.
· Optimize: deploy automated and delegated processes only after a steady state has
been achieved.
· Report: leverage investment to satisfy reporting requirements for legislation and internal
controls.
____________________________________________________________________________
· Regulatory Compliance
– SOX
– GLBA
– HIPAA
· Efficiencies
– Productivity Loss
– Excessive Administration points
· Cost Savings
– Password resets
– Centralized reporting/attestation
· Security
– Rogue users (de-provision accounts)
__________________________________________________________________________
Cost of IAM over time
· The higher initial cost of implementing and deploying an I&AM solution compared to
maintaining existing processes and tools.
___________________________________________________________________
___________________________________________________________________
Without overstating the effects of the regulations mentioned in the previous paragraph, it is
important to note that Sarbanes-Oxley, HIPAA, GLBA, Basel II, and other regulations have
significantly impacted organizations worldwide. However, while IAM initiatives have helped fill
the gaps related to system access controls, they may not have gone far enough. Many
companywide IAM initiatives are merely stopgaps to regulatory compliance. Although this
approach to dealing with IAM may pass an audit, it may hinder the organization in the future as
the IAM program becomes overly complex, inoperable, and costly. Organizations also must be
aware that IAM programs frequently collect personal information about system users.
___________________________________________________________________
A key driver to successful IAM implementation is the improved risk posture that comes from the
implementation of better identity and access controls. By knowing who has access to what, and
how access is directly relevant to a particular job or function, IAM improves the strength of the
organization’s overall control environment. In many organizations, the removal of user access
rights or access rights for a digital identity can take up to three to four months. This may present
an unacceptable risk to the organization, especially if an individual is able to continue accessing
company systems and resources during the access removal period.
___________________________________________________________________
Ironically, the proliferation of automated systems can negatively impact worker efficiency due to
the different sign-on mechanisms used. As a result, workers must remember or carry a variety
of credentials that change frequently.
For example, many organizations are faced with the following circumstances:
• An increased number of help desk calls, many of which are related to identity and access
support, such as password-reset requests.
• Having new employees wait a week or longer to obtain baseline access to IT systems, such as
e-mail and network resources.
• Not documenting access requirements by role, so users have to make several follow-up calls
to get the access they need.
__________________________________________________________________________
Having a well-defined process for managing access to information can greatly enhance a
company’s operating efficiency. Many times, organizations struggle with getting users the
access they require to perform their job functions. For instance, requests are forwarded to
various members of the IT or administration team who may not know what access or information
a user is requesting or has a business need to obtain. Additionally, without a defined process,
requests may go unfulfilled or be performed incorrectly, resulting in additional work on the part
of the IT or administration team.
__________________________________________________________________________
Besides the operating efficiencies mentioned earlier, implementing an effective IAM process can
enable users to identify the access they need, submit the request to the appropriate approver,
and quickly gain access to work information. This, in turn, helps to reduce user frustration, which
is particularly important as new employees are hired (e.g., when new team members are
provided timely access to perform their job functions, they are productive sooner).
__________________________________________________________________________
Often, certain business initiatives require access rights to be changed. These typically include
joint ventures, outsourcing partnerships, divestitures, mergers, and acquisitions. For companies
that are involved in these activities, the ability to quickly provide access to the appropriate levels
of information can enhance the activity’s success significantly.
__________________________________________________________________________
IAM Vendors
The identity and access management vendor landscape is a crowded one, consisting of both
pureplay providers such as Okta and OneLogin and large vendors such as IBM, Microsoft and
Oracle. Below is a list of leading players based on Gartner’s Magic Quadrant for Access
Management, Worldwide, which was published in June 2017.
· Centrify
· Covisint
· IBM Security Identity and Access Assurance
· i-Sprint Innovations
· Ping
· SecureAuth
· Microsoft Azure Active Directory
__________________________________________________________________________