Quest IAM Challenges
These materials are the copyright of Wiley Publishing, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.
Table of Contents
Introduction
  How This Book Is Organized
  Icons Used in This Book

Chapter 2: Ten Benefits of Quest One for Identity and Access Management
  Getting to One Password
  Getting to One Identity
  Managing Privileged Accounts Securely
  Achieving Single Sign-on
  Streamlining Provisioning
  Improving Role Management
  Using Multifactor Authentication
  Making Users Happy
  Handling Identity Administration More Efficiently
  Knowing What Users Are Doing
Publisher's Acknowledgments

We're proud of this book and of the people who worked on it. For details on how to create a custom For Dummies book for your business or organization, contact info@dummies.biz. For details on licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
  Project Editor: Linda Morris
  Editorial Manager: Rev Mengle
  Business Development Representative: Melody Layne
  Custom Publishing Project Specialist: Michael Sullivan

Composition Services
  Project Coordinator: Kristie Rees
  Layout and Graphics: Carrie A. Cesavice
  Proofreader: John Greenough
  Special Help: Brian Underdahl

Publishing and Editorial for Technology Dummies
  Richard Swadley, Vice President and Executive Group Publisher
  Andy Cummings, Vice President and Publisher
  Mary Bednarek, Executive Director, Acquisitions
  Mary C. Corder, Editorial Director

Publishing and Editorial for Consumer Dummies
  Diane Graves Steele, Vice President and Publisher, Consumer Dummies

Composition Services
  Debbie Stailey, Director of Composition Services

Business Development
  Lisa Coleman, Director, New Market and Brand Development
Introduction
Are you ready to tackle identity and access management for your enterprise? Would you like to improve efficiency, enhance security, and also tackle thorny compliance issues? If so, you've come to the right place. Overcoming IAM Challenges For Dummies, Quest Software Edition, shows you how to use Quest One Identity Solution to manage administrative access. You'll see how the right identity and access management solution can save you money, improve your security, and result in happier users.
Paragraphs marked with the Warning icon call attention to common pitfalls that you may encounter.
Need more?
This book was excerpted from Identity & Access Management For Dummies, Quest Software Edition, produced on behalf of Quest. If you'd like a copy of the full book, which describes the Quest One Identity Solution in greater detail, please contact your Quest representative or contact Quest directly at www.quest.com/IAMbookregistration or 1-800-306-9329.
Chapter 1
In recent years, enterprise networks have evolved from relatively simple configurations to complex user environments made up of diverse operating systems, applications, and databases. Add demanding users (especially those mobile types you never see) who want things now, and it's enough to make your head spin.

But all is not lost. You can get your arms around managing your user identities by utilizing identity and access management tools. Sounds simple, huh? Well, it's not that straightforward. Identity and access management presents many difficult, complex, and expensive challenges. These challenges increase the cost of doing business, reduce efficiency, adversely affect your profitability, and, unfortunately, they continue to grow. In this chapter, we look at some of those challenges to give you a clearer picture of the problems and the solutions.
These many different identities, passwords, policies, and so on bring a level of complexity that gets in the way of maintaining control of your resources and costs. The parent book to this e-book, Identity & Access Management For Dummies, Quest Software Edition, discusses the Quest One Identity Solution's answers to these problems.
When users do forget their passwords, system policies often lock them out of their various accounts after a couple of failed logon attempts. When this happens, the user usually has to call someone to get a password reset. Not only is this call a waste of the user's time, but it also results in increased support costs. Analysts estimate that a single call to a help desk for a password reset costs at least $20, and that's not taking into account the lost productivity for the user! Organizations need a better way for users to deal with passwords if they want to keep these costs in check. Quest One has the solutions that can reduce the hassle of usernames and passwords to a much more manageable level.
- Databases: The backbone of all these platforms and applications is the data. Oracle, DB2, SQL Server, Sybase, and other databases may support any of the previously listed applications.

- Other applications: Beyond enterprise applications, an organization may have any number of additional critical applications to address its unique needs. Whether these applications are industry-specific, home-grown, or custom-built by outside developers, they often include built-in access control options that may not integrate with the mechanisms of the underlying operating systems and other applications. Access to these applications may be hard-wired or Web-based, and it may be restricted to specific employees, open to all employees, available to partners, or even include customer-facing components.

Many enterprises have grown organically, adding platforms and applications when needed without considering the addition's long-term impact on the other systems. Each system functions as an island unto itself, without integration or interoperability with the rest of the enterprise, which can have some adverse side effects. Don't misunderstand what we're saying, though. Certain islands, such as those in the South Pacific, are wonderful; just not these types of islands.

This is especially true when it comes to user identity and access. The implications of having so many different requirements for the disparate systems and applications are easy to guess: increased costs and the likelihood that errors will occur. For example, a user who moves to a different department or leaves the company may not be removed from all of the organization's systems, resulting in security or compliance issues. Such oversights create the perfect scenario for attracting the attention of those pesky auditors. Quest One can help you bring the problems of dealing with so many different systems and applications to a manageable size.
We go into more detail about Quest Ones solutions to these problems in Identity & Access Management For Dummies, Quest Software Edition, the parent book to this e-book.
Identity and access management processes and technologies allow you to focus on roles instead of people, ensuring that the concept of business need-to-know (meaning users have a legitimate business reason to access the systems and information they've been granted access to) that oh-so-many regulators and auditors like to quote becomes a reality. Bridging the gap between current practices, policies, compliance requirements, and business needs through the execution of RBAC can be a difficult and troublesome undertaking. Organizations need a way to consolidate and coordinate enterprise roles and associate those roles with the appropriate access rights, workflows, policies, permissions, and attestations. In addition, the ongoing management of a diverse and non-correlated set of roles can undercut the effectiveness of a role management strategy.

An ideal solution to help take the pain out of role management has the following attributes:

- Empowers you to establish roles based on your business processes and the way your company operates
- Provides you the capability to automate role management processes efficiently and securely, ensuring effective RBAC
- Firmly establishes a hierarchy of permissions within those roles to granularly address all administration and access activities
- Streamlines the administration of roles over time, including modifications to roles themselves, movement of individuals within and among roles, as well as the addition of new roles and access points as your business evolves
- Empowers you to accurately and efficiently associate roles with resources for effective access control driven by business processes
- Associates existing business processes and policies with roles (new or previously established) to arrive at the correct stance for maximum security, compliance, and administrative efficiency

Quest One solutions can help you automatically provision, re-provision, and, more importantly, de-provision users quickly, cost-efficiently, and securely.
Quest One can provide strictly enforced role-based security, automated group
Table 1-1 (continued)

Task                  | Without a single identity                                                                   | With Quest One
Employee starts       | [cells not recovered]                                                                       | [cells not recovered]
Employee logs in      | Once for AD; once for SAP; once for Oracle; once for Unix (x50)                             | Single sign-on
[task not recovered]  | Call help desk for AD; call IT for Unix; call IT for Oracle; call IT for other applications | Secure login based on AD role and protected through reverse proxy Web single sign-on
Much of the difficulty in identity and access management is rooted in the diversity of the systems, applications, and platforms within organizations. When users have many disparate identities across systems, efficiency, security, and compliance often suffer. The Quest One solution for IAM empowers organizations to get to one with their identities and associated tasks. By implementing the Quest One solution, organizations improve efficiency, enhance security, and achieve compliance.
Chapter 2
In this chapter, we look at ten benefits your organization will discover by following the Quest One Identity Solution approach to identity and access management, all of which can lead to more efficient IT management and reduced business risk.
challenges. These accounts are typically shared between several users, which can lead to mismanagement or, worse, abuse of privileges. On Windows systems, administrators have much greater control over the access that is granted to individual users. Quite simply, Windows systems offer a granularity of control that is lacking in Unix and Linux systems.

On Windows systems, you can use Quest ActiveRoles Server to implement strictly enforced role-based security, or granular control over exactly what administrative users are able to do and which resources they can access. ActiveRoles Server helps you achieve and sustain regulatory compliance by implementing secure, automated, and auditable internal controls over granting and revoking access to network resources.

Quest also empowers you to have the same level of control in Unix and Linux systems. Quest Privilege Manager for Unix enhances security by protecting the full power of root access from potential misuse or abuse through fine-grained, policy-based control. Unix systems pose a special risk to the enterprise because of the virtually unlimited power that root access gives an administrator. You need a way to control this power while still enabling users to have the access they need. Privilege Manager helps you to define a security policy that stipulates who has access to which root function, as well as when and where individuals can perform those functions. It controls access to existing programs as well as any purpose-built utilities used for common system administration tasks. With Privilege Manager, you don't need to worry about someone deleting critical files, modifying file permissions or databases, reformatting disks, or damaging Unix systems in more subtle ways.
By enabling administrators to define fine-grained security policies, delegating common management tasks and logging all Unix root activities down to the keystroke level, Privilege Manager for Unix reduces security risks, increases IT productivity, and enables organizations to achieve and sustain compliance in a cost-effective manner.
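The passage above describes a policy that decides who may run which root function, when, and where, with every privileged action logged. The following Python model, added here as an illustration and not Quest Privilege Manager's own policy language or code, shows what such a default-deny evaluator looks like: each rule names the qualifying groups (who), command patterns (which function), host patterns (where) and a time window (when), and every decision, allowed or denied, is appended to an audit trail. The Rule and Request structures, the group and host names, the time windows and the sample commands are all constructed for this example.

```python
"""Policy-based authorization for commands run with root privileges.

Added illustration of the 'who / which function / when / where' control; not
Quest Privilege Manager code. Every structure and value below is constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import List, Set, Tuple


@dataclass
class Rule:
    name: str
    groups: Set[str]             # who: membership in any listed group qualifies
    commands: List[str]          # which function: fnmatch patterns over the full command line
    hosts: List[str]             # where: fnmatch patterns over the host name
    window: Tuple[time, time]    # when: [start, end) local time; may wrap past midnight


@dataclass
class Request:
    user: str
    groups: Set[str]
    host: str
    argv: List[str]
    when: datetime


AUDIT_LOG: List[dict] = []      # every decision, allowed or not, is recorded here


def in_window(t: time, window: Tuple[time, time]) -> bool:
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end          # e.g. a 22:00-06:00 maintenance window


def authorize(req: Request, policy: List[Rule]) -> Tuple[bool, str]:
    """Default deny: the first rule whose who/where/when/what all match allows."""
    cmdline = " ".join(req.argv)
    allowed, reason = False, "no matching rule (default deny)"
    for rule in policy:
        if not (req.groups & rule.groups):
            continue
        if not any(fnmatchcase(req.host, h) for h in rule.hosts):
            continue
        if not in_window(req.when.time(), rule.window):
            continue
        if not any(fnmatchcase(cmdline, c) for c in rule.commands):
            continue
        allowed, reason = True, f"allowed by rule {rule.name!r}"
        break
    AUDIT_LOG.append({
        "user": req.user, "host": req.host, "command": cmdline,
        "at": req.when.isoformat(), "allowed": allowed, "reason": reason,
    })
    return allowed, reason


# Constructed sample policy: DBAs may restart the database on db hosts during
# business hours; operators may read logs on any host at (effectively) any time.
POLICY = [
    Rule("dba-restart", {"dba"}, ["systemctl restart postgresql"], ["db-*"],
         (time(8, 0), time(18, 0))),
    Rule("ops-logs", {"ops"}, ["cat /var/log/*", "tail -n * /var/log/*"], ["*"],
         (time(0, 0), time(23, 59, 59))),
]


def demo() -> List[bool]:
    """Run four constructed requests through the policy and return the decisions."""
    alice = {"user": "alice", "groups": {"dba", "staff"}}
    checks = [
        Request(**alice, host="db-01", argv=["systemctl", "restart", "postgresql"],
                when=datetime(2024, 3, 4, 10, 30)),     # group, host, time and command all match
        Request(**alice, host="db-01", argv=["systemctl", "restart", "postgresql"],
                when=datetime(2024, 3, 4, 2, 0)),       # outside the time window
        Request(**alice, host="web-01", argv=["systemctl", "restart", "postgresql"],
                when=datetime(2024, 3, 4, 10, 30)),     # host not covered by the rule
        Request(**alice, host="db-01", argv=["rm", "-rf", "/var/lib/postgresql"],
                when=datetime(2024, 3, 4, 10, 30)),     # root function never granted
    ]
    return [authorize(r, POLICY)[0] for r in checks]   # [True, False, False, False]


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_LOG:
        print(entry)
```

The evaluator is deliberately default-deny and matches on the full command line rather than just the program name, so a granted `systemctl restart postgresql` does not also grant `systemctl stop sshd`; in a real deployment the audit records would go to a log the administrator cannot edit.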
Streamlining Provisioning
Quest One helps you control your identity management universe and creates a single point of administration for identities across the enterprise, eliminates redundant efforts, reduces errors, and saves time. For example, a single provisioning action in AD can take care of users in Unix, Linux, and Mac systems that have become unified with AD through Quest One solutions. Similarly, turning off that single user account in AD immediately terminates access across the same wide range of non-Windows systems. Quest One also offers solutions that are not centered around AD. Enterprise-wide provisioning capabilities are available through Quest One Identity Manager and implement a foundation for all provisioning actions without requiring heavy amounts of custom coding. The bottom line is that with fewer places to perform provisioning actions (as well as re-provisioning and de-provisioning), you can benefit from increased efficiency in your identity administration, a higher level of security as human error is reduced, and elevated compliance as de-provisioning is accelerated and more securely controlled.
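The provisioning discussion above, together with the role hierarchy described under role management in Chapter 1, can be made concrete with a small model. The Python below is added here as an illustration and is not Quest One Identity Manager or ActiveRoles Server code: one Directory holds users and roles (a role inherits its parent's permissions), joined systems consult the directory instead of keeping a local account list, and disabling the user once in the directory revokes access on every joined system, while a non-integrated "island" system still has the stale account that the chapter warns auditors will find. The Directory, JoinedSystem and IslandSystem classes, the role names, permission strings and host names are all constructed.

```python
"""Single point of administration: provisioning and de-provisioning through one
directory that every joined system consults, with a role hierarchy.

Added model for this page; not Quest One Identity Manager or ActiveRoles Server
code. All classes, roles, permissions, users and host names are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Role:
    name: str
    permissions: Set[str]
    parent: Optional[str] = None   # hierarchy: a role inherits its parent's permissions


class Directory:
    """The one identity store (think AD); joined systems keep no local user list."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.users: Dict[str, dict] = {}

    def define_role(self, name: str, permissions: Set[str], parent: Optional[str] = None) -> None:
        if parent is not None and (parent == name or parent not in self.roles):
            raise KeyError(f"parent role {parent!r} must already exist and differ from {name!r}")
        self.roles[name] = Role(name, set(permissions), parent)

    def provision(self, user: str, roles: Set[str]) -> None:
        unknown = set(roles) - self.roles.keys()
        if unknown:
            raise KeyError(f"unknown roles: {sorted(unknown)}")
        self.users[user] = {"roles": set(roles), "enabled": True}

    def deprovision(self, user: str) -> None:
        """One action: every joined system sees the account as disabled at once."""
        self.users[user]["enabled"] = False

    def effective_permissions(self, user: str) -> Set[str]:
        rec = self.users.get(user)
        if rec is None or not rec["enabled"]:
            return set()                       # unknown or disabled: no access anywhere
        perms: Set[str] = set()
        seen: Set[str] = set()
        for start in rec["roles"]:
            name: Optional[str] = start
            while name is not None and name not in seen:   # 'seen' guards against cycles
                seen.add(name)
                perms |= self.roles[name].permissions
                name = self.roles[name].parent
        return perms


class JoinedSystem:
    """A Unix, Linux or Mac host unified with the directory."""

    def __init__(self, name: str, login_permission: str, directory: Directory) -> None:
        self.name, self.login_permission, self.directory = name, login_permission, directory

    def can_login(self, user: str) -> bool:
        return self.login_permission in self.directory.effective_permissions(user)


class IslandSystem:
    """A system that was never integrated: its own account list, cleaned up by hand."""

    def __init__(self, name: str) -> None:
        self.name, self.accounts = name, set()

    def add(self, user: str) -> None:
        self.accounts.add(user)

    def can_login(self, user: str) -> bool:
        return user in self.accounts


def demo():
    d = Directory()
    d.define_role("employee", {"login:workstation"})
    d.define_role("dba", {"login:db-host", "db:admin"}, parent="employee")
    d.provision("alice", {"dba"})              # one provisioning action
    hosts = [JoinedSystem("linux-db-01", "login:db-host", d),
             JoinedSystem("mac-ws-07", "login:workstation", d)]
    island = IslandSystem("legacy-unix-42")
    island.add("alice")                        # separate manual step on the island
    before = {h.name: h.can_login("alice") for h in hosts}
    d.deprovision("alice")                     # leaver: one action in the directory
    after = {h.name: h.can_login("alice") for h in hosts}
    return before, after, island.can_login("alice")


if __name__ == "__main__":
    print(demo())   # ({...: True, ...: True}, {...: False, ...: False}, True)
```

The last value returned by demo() is the point of the chapter: the joined hosts lose access the moment the directory entry is disabled, but the island system still lets "alice" in because nobody repeated the de-provisioning there.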
For example, self-service password reset helps improve productivity for users who are on a different schedule than your help desk or those calling during off-hours. By having access to an automated, 24x7x365 password reset and account unlock interface, users can continue to be productive, rather than being locked out until the help desk opens up in the morning.