Gartner for Technical Professionals Tutorial: Fundamentals...
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."
Heidi Wachs Twitter: @hlwachs
Gartner for Technical Professionals — Tutorial: Fundamentals of User Provisioning and Identity and Access Governance
Topics to Be Covered
• User account provisioning fundamentals
• Identity and access governance fundamentals
• Deployment best practices
User Account Provisioning Fundamentals
What Is User Provisioning?
User provisioning: The process by which the life cycle of users and their associations to IT entitlements are managed.
Also known as: User account provisioning, provisioning, account management, user management
Provisioning services: An integrated set of tools used to manage the life cycle of users and IT entitlements.
Provisioning Introduction
• Provisioning technologies evolved from directory/metadirectory service technologies.
• Provisioning technologies aimed to:
- Increase user productivity:
• Automation of user account creation — "zero day start"
- Improve security:
• Automated user account deletion — "zero day stop"
• Automated access policy assignment
- Eliminate administrative inefficiencies and costs:
• Access policy automation
• Self-service capabilities
Provisioning Functions
• A provisioning service consists of three primary functions:
- Identity life cycle events:
• Join, move, leave … and "do"
• Hire, change, termination, access request
- Access policy management:
• Automated policy assignment, roles, workflow approvals
- Fulfillment:
• Automated and/or manual user account creation and manipulation on the target
Provisioning Architecture
[Diagram: provisioning architecture with these components: authoritative source(s), target applications, entitlement catalog, provisioning server, identity repository, and the end user & administrator interface]
Provisioning: Authoritative Sources
[Architecture diagram repeated; this slide focuses on the authoritative source(s)]
Authoritative Sources
• HRMS is the gold standard of authoritative sources …
- Until it isn't
• Contingent workers, partners, customers (etc.) often do not appear in an HR system, so other sources become authoritative for them:
- Directories
- Databases
- Even the provisioning system can become the de facto authoritative source for some constituents
Provisioning: Target Applications
[Architecture diagram repeated; this slide focuses on the target applications]
Target Applications
• Legacy systems were not designed for remote user management:
- This requires some trickery on the part of the provisioning system.
• Beware of target dependencies:
- Provisioning an application may require an account in an operating system, database, and directory to be created.
• Beware of virtual applications:
- A portal may use Active Directory to manage users.
- Provisioning the portal may actually require provisioning AD.
Provisioning: Provisioning Server
[Architecture diagram repeated; this slide focuses on the provisioning server]
Provisioning Servers
• The brains of the operation
• Services include:
- Workflow
- Policy management
- Connector management
Provisioning: Connectors
[Architecture diagram repeated; this slide focuses on the connectors between the provisioning server and the target applications]
Connectors
• Broker "conversation" between the provisioning server and the target.
• Connectors are purpose-built for the targets:
- Tied to the APIs of the target.
- This can lead to fragile deployments.
• Connectors can often run in multiple places:
- On a connector server.
- In the cloud.
• Sometimes, however, connectors must run on the target itself.
Provisioning: Identity Repository
[Architecture diagram repeated; this slide focuses on the identity repository]
Identity Repositories
• Multiple architectures:
- Directory
- Relational database
• Can point to and/or store identity information
Provisioning: Entitlement Catalog
[Architecture diagram repeated; this slide focuses on the entitlement catalog]
Entitlement Catalogs
• Crucial component for success
• Extensible information store for entitlement data, including:
- Name
- Business meaning
- Technical meaning
- Categorizations
- Information classification
- Regulatory sensitivity
Provisioning: User Interfaces
[Architecture diagram repeated; this slide focuses on the end user & administrator interface]
Users and User Interfaces
• User interfaces were often Web-based, but sometimes required a thick client:
- Especially for workflow design
• User interfaces were traditionally optimized for administrators.
• End users, especially mobile users, were not part of the original planning.
User Provisioning Recap
• Manage user accounts and entitlements in target systems:
- By way of connectors
- Based on access policies (roles and rules)
- Triggered by life cycle events in authoritative systems
Identity and Access Governance Fundamentals
Provisioning Systems Were Designed for This Guy
But What About Everyone Else?
• Compliance pushed IAM needs to the business and IAG became the "pretty" front end to the provisioning system.
IAG: The Pretty Side of Provisioning
• IAG functions were decoupled from the provisioning infrastructure.
[Diagram: identity and access governance as the front end layered over provisioning]
What Is IAG?
• Access Certification/Attestation
• Access Request
• Role Life Cycle Management
• Access Policy Management
• Entitlement Catalog
• Identity Risk Scoring and Analytics
• Self-service, Delegated Administration, and Workflow
Access Certification (aka Attestation)
• The ongoing review of people's access (accounts, entitlements, roles) to identify inappropriate access.
• Regulatory requirement in some cases:
- But ideal in all situations
• The single best administrative task to reduce access-related risks.
Access Request
• The process by which:
- End users ask for new access, either for themselves or on behalf of others.
- Managers and/or administrators review and approve requests via workflow.
- Accounts are created/modified to reflect requested changes.
• Helping the end user determine what to ask for is important:
- The entitlement catalog plays a major role here.
Role Life Cycle Management
• Roles can be a collection of entitlements associated with a:
- Business function within one or more applications (e.g., accounts payable within ERP).
- Job responsibility across multiple applications (e.g., customer manager).
• Tools to:
- Aggregate entitlements into meaningful collections.
- Identify commonly assigned access to similar job functions and people.
- Collaborate on role definitions.
Access Policy Management
• Policies are needed to govern:
- Who is allowed to have which entitlements
- What roles people should have
- Which entitlements are forbidden (including segregation of duty rules)
- Who automatically receives access to which systems (birthright access)
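As an added example (not Gartner's code), a toy reconciliation in Python that ties the three provisioning functions from earlier (life cycle events, access policy, fulfillment) to the policy types on this slide: birthright access, forbidden segregation-of-duty pairs, and detection of orphan accounts that an access certification would surface. All identities, departments and entitlement names are constructed.

```python
"""Toy provisioning/IAG reconciliation (added example, not Gartner's code).
Life cycle events from an authoritative source plus access policies give a
desired state per identity; diffing it against target accounts yields
fulfillment actions and governance findings. All data is constructed."""
from dataclasses import dataclass, field

# Constructed access policies: birthright access per department, access
# everyone gets, and segregation-of-duty (SoD) pairs that are forbidden.
BIRTHRIGHT = {"finance": {"erp.ap_clerk"}, "sales": {"crm.user"}}
EVERYONE = {"email", "intranet"}
SOD_RULES = [({"erp.ap_clerk", "erp.ap_approver"}, "AP create vs. approve")]

@dataclass
class Identity:
    uid: str
    dept: str
    status: str = "active"                   # active | terminated
    extra: set = field(default_factory=set)  # access granted via "do" requests

def desired_entitlements(ident):
    """Access policy: birthright + approved extras; leavers get nothing (zero day stop)."""
    if ident.status != "active":
        return set()
    return EVERYONE | BIRTHRIGHT.get(ident.dept, set()) | ident.extra

def sod_violations(entitlements):
    """Names of SoD rules whose forbidden pair is fully present."""
    return [name for pair, name in SOD_RULES if pair <= entitlements]

def reconcile(identities, target_accounts):
    """Fulfillment plan: diff desired state against what the targets hold.
    target_accounts maps uid -> entitlements, as read through connectors."""
    actions, findings = [], []
    for ident in identities.values():
        want = desired_entitlements(ident)
        have = target_accounts.get(ident.uid, set())
        findings += [f"SoD violation for {ident.uid}: {v}" for v in sod_violations(want)]
        if want and ident.uid not in target_accounts:
            actions.append(("create", ident.uid, sorted(want)))      # join
        elif not want and ident.uid in target_accounts:
            actions.append(("delete", ident.uid, []))                # leave
        else:                                                        # move/change
            actions += [("grant", ident.uid, e) for e in sorted(want - have)]
            actions += [("revoke", ident.uid, e) for e in sorted(have - want)]
    for uid in target_accounts:  # accounts with no owner in the authoritative source
        if uid not in identities:
            findings.append(f"Orphan account {uid}: no identity in authoritative source")
    return actions, findings

def demo():
    """Constructed HR feed: a hire (alice), a transfer (bob), a termination (carol)."""
    ids = {"alice": Identity("alice", "finance", extra={"erp.ap_approver"}),
           "bob": Identity("bob", "sales"),
           "carol": Identity("carol", "finance", status="terminated")}
    targets = {"bob": {"email", "intranet", "crm.user", "erp.ap_clerk"},
               "carol": {"email", "intranet", "erp.ap_clerk"}, "dave": {"email"}}
    return reconcile(ids, targets)
```

Running demo() yields a create for the hire, a revoke of the transferred user's old department access, a delete for the leaver, plus an SoD finding and an orphan-account finding for review.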
Entitlement Catalogs
• Crucial component for success.
• An extensible information store.
• IAG functions highlighted the need for better catalog data:
- Access certifications perform poorly as risk management tools if reviewers cannot figure out what they are reviewing.
- Access request tools are less effective if people cannot figure out what to request.
Identity Risk Scoring and Analytics
• Ability to evaluate users, roles, and entitlements, and to assign a risk score to them.
• This risk score can be used to:
- Refine reports
- Enhance dashboards
- Trigger access certifications (and even account suspension or deprovisioning)
• Using risk in identity is aspirational for many organizations, but few are mature enough to do so.
IAG Architecture
[Diagram: IAG architecture, showing the same components as the provisioning architecture: authoritative source(s), target applications, provisioning server, entitlement catalog, identity repository, and the end user & administrator interface]
IAG: Connectors
• At first these were read-only connectors:
- Sped up deployments
- But required a user provisioning tool for fulfillment
• As IAG vendors have added user provisioning capabilities, these connectors have become read/write.
IAG: Authoritative Sources
• At first, IAG tools "listened" to directory changes.
• But as IAG vendors have added user provisioning capabilities, they have added the ability to listen to HR systems.
A Bit of Confusion, a Bit of Clarity
• Vendors have added user provisioning capabilities to their IAG tools and IAG capabilities to their user provisioning tools.
• But you still might end up with two tools deployed:
- User provisioning for:
• Approvals
• Fulfillment
- IAG for:
• Access policy and role management
• Access certification
IAG Recap
• Tools to manage user accounts, entitlements, and associated risk by:
- Providing business-friendly user interfaces
- Powered by an entitlement catalog
- Focused (initially) on access certification and access request
Deployment Best Practices
What Should Be My Order of Deployment?
• The order of deployment has changed in the past eight years.
• Ensure that the order matches expectations.
Traditional Order of Deployment
User Provisioning → Roles → Self-service (Access Request)
Role-oriented Order of Deployment
Roles → User Provisioning → Self-service (Access Request)
Contemporary Order of Deployment
Access Certification → Access Request → User Provisioning → Roles
Contemporary Order of Deployment
Access Certification → Access Request → Roles → User Provisioning
How Much Should I Automate?
• There are three items up for consideration:
- Life cycle
- Access policy
- Fulfillment
• Each can be independently automated to differing degrees.
Life cycle:
• Automated:
- Join
- Move/Change
- Leave
• Manual:
- Do
Access policy:
• Automated:
- Policies
- Roles
- Role membership
• Manual:
- Workflow
Fulfillment, spectrum of automation:
• Help desk ticket
• External provisioning connector
• Direct connection
• JIT via federation
Example combinations across life cycle, access policy, and fulfillment:
• LOB responsible for triggering life cycle events; workflow approvals; emails to system admins for account changes
• Lights-out provisioning; approval workflow; automated user account provisioning
• Policy-based entitlement filtering; self-service access request; help desk ticket created for manual entry
• HR "listener"; policy-driven eligibility; provisioning connector
Should I Replace My Existing User Provisioning System's Connectors?
• If they are currently working, then no — not yet.
• For new targets, use the new IAG system's connectors.
• For existing targets, use the existing user provisioning system's connectors:
- Integrate the new IAG system to use the older provisioning system as a connector bus.
- Replace incumbent target connectors only when there is sufficient political capital, resources available, and demonstrable need.
Recommendations
• Assess and document use cases.
• Understand the purpose and strengths of the various technologies, and align use cases accordingly:
- Deploy the right technology for the right job.
• Consider using standards-based technologies wherever possible.
• Scope projects realistically.
• Deploy IAG and provisioning in parallel.
• Automate only when it makes sense:
- High volume/high value
• Think outside the box.
Recommended Gartner Research
• "Mitigate Risk by Implementing Effective Access Certifications," Ian Glazer (G00252940)
• "User Provisioning," Heidi Wachs (G00252853)
• "Decision Point for User Provisioning," Lori Robinson (G00227156)
• "Rethinking User Provisioning," Ian Glazer, Lori Robinson (G00214489)
• "Access Request: Serving the Doers," Ian Glazer (G00211928)
• "Identity and Access Governance," Ian Glazer (G00234478)
For more information, stop by Gartner Research Zone.
Get more Gartner for Technical Professionals research at Catalyst Conference 2014, August 11-14, San Diego, CA: Gartner.com/us/catalyst
Research written for technologists by technologists…