IAM&EA:WORKINGTOGETHERTOCREATEANIAMVISIONSebas&anGonzales,SeniorManager,IAMVincentAumont,EnterpriseArchitectB CN E T 2 0 1 6

2

CONTEXT:IAM

Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

IAM is the security discipline that enables secure communication and collaboration between our Global User Community and our resources for the purposes of Teaching, Learning, Research and Administration. Our user community being Student, Faculty, Staff, Alumni, Researchers, Private/Pubic Institutions, Community members, Guests, Parents.

3

CONTEXT:IAMPrograms’KeyChallenges

•  The absence of a compelling business case makes it difficult to connect an IAM program's objectives and priorities with business drivers.

•  IAM programs often experience difficulty with continued funding after initial budgeting because IAM leaders are unsure about how to communicate with the multitude of stakeholders that need to remain aware of the program's business drivers and benefits.

•  IAM leaders can be too focused on IAM technology, and may not appreciate the extent to which ongoing communications with stakeholders and leadership and organizational maneuvering are needed to ensure adequate program funding.

•  IAM programs must alter their roadmaps to keep pace with larger organizational transformations, which are happening quickly to meet the challenges of digital business.

4

OURSTORY

A Case Study in IAM & Enterprise Architecture Collaboration

5

THELASTTHREEYEARS

6

REALITYCHECK:TECHNICALCOMPLEXITY

Group Stores

Authorization

Authentication

Single Sign On

Identity Stores

Governance

Integration

Identity SoRs

Intelligence

Federation

Administration Apache Directory Studio

HitachiPAM

auth2 client library

CWL Database

SIS DB Views

SSD CWL->eLDAP

synch job

eDire

ctor

y

Grouper

openLDAP

openLDAPGrouper DB eDirectory

iManager

labsupportDB

labsupport

labsupport

ITMDBDB

ITMDB

ITMDB

ELDAP

HMRS SIS Guest Repository

Kerberos

Shibboleth

CAS ELDAP EAD

openLDAP

CWL: my Account

Enterprise Vulnerability Assessment (EVA)

Elastic SearchLogstash

Kibana (ELK)

CWL: SSC AdminCWL: ES Admin

CWL: PplSoft AdminCWL: CWl Admin

Access UBC Shopping CartAccess UBC Guest

AccountsCertificate Tracking

Spreadsheet

Nessus

HRMS DB Views

LDAP Synchronization Connector (LSC)

Pentaho

AccessUBCProv/Deprov

Access UBC

InfoSec Standards

PIA RepositoryExchange Inbox

NUAM

CWLweb services

auth2 web services

SSD UBCDir->eLDAP

synch jobFIM

EAD

UBCDir eDirectory

AccessUBC Identity Cubes

ELDAPEAD

7

REALITYCHECK:ORGANIZATIONALCOMPLEXITY

8

REACHINGAPLATEAUStrategicTh

inking

Time

9

WHYITMATTERS:ACHANGINGLANDSCAPE• Virtual Research Organizations • Emergence of Scholarly Identities (e.g. ORCID) • CRM Initiative • Student Information System Replacement •  Flexible Learning • MOOCS • Expansion of of Career and Professional Education •  personalization of the learning experience • New collaboration models with external partners • Emergence od mash-up architectures in the LMS space •  The systematization of the cloud-first approach: •  The pervasiveness of Social Identities • Security threats that focus on individuals • Upcoming Common Online Application Platform (COAP) & Education

Planning and Application Service (EPAS) •  Increasing demand for better Learning Analytics and Institutional

Analytics •  ...

10

GETTINGTOTHENEXTLEVEL

• IAMasaSecuritydiscipline

• IAMGovernancedefined&Accepted

• Business-aligned&Strategicpriori<es

• CentralizedManagement&decentralizedadministra<on

• Technologyconsolida<on

• En<resegmentson-boarded

AdHocusername/passwordmanagement

• Founda<onalIAMframework

• Tac<calpriori<es• Somebusinessdriversiden<fied

• Earlysuccesswithsomeon-boardeddepartments

• TechnologyRa<onaliza<on

• Con<nuousarchitectureop<miza<on

•MeetorexceedSLA's

• Con<nuousprocessimprovement

• IAMStrategypartofenterpriseStrategy

• IAMPMO•Allsegmentsoftheenterprise

DefinedIni(al Developing Op(mizedManaged

IAMI IAMII

11

IAMPrograms’KeyChallenges(Gartner)

•  The absence of a compelling business case makes it difficult to connect an IAM program's objectives and priorities with business drivers.

•  IAM programs often experience difficulty with continued funding after initial budgeting because IAM leaders are unsure about how to communicate with the multitude of stakeholders that need to remain aware of the program's business drivers and benefits.

•  IAM leaders can be too focused on IAM technology, and may not appreciate the extent to which ongoing communications with stakeholders and leadership and organizational maneuvering are needed to ensure adequate program funding.

•  IAM programs must alter their roadmaps to keep pace with larger organizational transformations, which are happening quickly to meet the challenges of digital business.

12

FIVERECOMMENDATIONS

1. Re-position IAM as an Information Security discipline

2. Adopt an IAM model that has been created for HE sector.

3. Scope Control

4. Re-engage with our stakeholders at a strategic level

5. Create a Planning Team

13

FIVERECOMMENDATIONS

1. Re-position IAM as an Information Security discipline

14

IAMISASECURITYDISCIPLINEBusiness Security Reference Model

Security Intelligence & Analytics

Governance, Risk, Compliance (GRC)

Advanced Security and Threat Research

InfrastructureApplications & ServicesDataPeople

Foundational Security Management

Physical Asset Management

Risk & Compliance Management

Security Policy Management

Command & Control Management

Identity, Access & Entitlement Management

Data & Information Protection Management

Threat & Vulnerability Management IT Service Management

Security Services and Infrastructure

Security Info & Event Infrascructure

Identity, Access & Entitlement Infrastructure

Security Policy Infrastructure

Crypto, Key & Certificate Management

Service Management Infrastructure

Storage Security Host & Endpoint Security Application Security Network Security Physical Security

Code Policies Events & LogsIdentity AttributesData Repository &

ClassificationSecurity Service

LevelsDesigns Config Info &

RegistryIT Security Knowledge

Operational Context

Software, System & Service Assurance

Awareness & Education

15

SECURITYISATOPPRIORITYINHIGHERED

16

IAMCONTEXT

Ente

rpris

e Ar

chite

ctur

e

Information SecurityOffice

Risk ManagementServices

IT G

over

nanc

e

Identity & AccessManagementFramework

17

APOLICY-DRIVENIAMFRAMEWORK

Ente

rpris

e Ar

chite

ctur

e

Information SecurityOffice

Risk ManagementServices

IT G

over

nanc

e

Governance

Architecture

Operations

Program Management

18

APOLICY-DRIVENIAMFRAMEWORK

IAMGovernance

Drivers

Security Operations

BusinessRequirements Compliance Threats Business

Opportuni6es

Strategy

Plan(PMO)Requirements

Enforce

Proced

ures,Stand

ards,G

uide

lines

Audit

CheckCo

mpliance Manage

Vulnerability

ManageIncidents De

ploy

ManageEvents

IAMServices

Architecture

Design&Develop

AnalyzeGaps ConInuouslyAssessProgram

Educate&Raise

Awareness

ManageRisk

IAM

Pro

gram

Man

agem

ent

: Process: Component/Deliverable

Tech

nolo

gy A

rchi

tect

ure

Principles

Policies

19

FIVERECOMMENDATIONS

2. Adopt an IAM model that has been created for HE sector.

20

IAM&THEHIGHEREDETHOS

•  HE institutions are distributed, complex, highly collaborative, and mostly non-hierarchical.

•  Their boundaries are not clearly delimited. •  Affiliations with these organizations differ widely in strength (from

community member to employee), are multi-faceted (a person can be an employee, a student, a staff, and a community member at the same time), and are very dynamic (UBC has over 20,000 HR events per year).

•  A tendency to distrust anything centralized; most units have a great deal of autonomy when it comes to rolling out the IT solutions they require.

21

THEIAMCONUNDRUM

Ø  Centralization of Identity and Access Management is critical because it enables better collaboration and promotes security

Ø  At the same time, the administration of IAM must be decentralized to accommodate the complexity and specificities of our organization

22

THEINTERNET2IAMMODELPolicyandGovernance

SystemsofRecords

PresidentProvost

Registrar HRFacultyAffairs

RiskManagement

HRMSFaculty,Staff

InfoSecOffice

AdmissionsStudents,CPE...

Registra@onStudents,CPE...

TeachingAssignmentStudents,CPE...

FinancePI,Approvers

OrgModels

ResearchSupervisors

Applica@ons&Services

...

...

Portals

Library

LearningTools

Administra@veSystems

Wireless

...

FederatedPartners

UVic

PHSA

...

EstablishIden@@es DeterminePolicies

Departments Registrar Projects Programs Teams Users ...

Consolidate&Update

Access

Privileges

PersonsAccounts

Organiza@ons

Groups

EnrichIden@@es ApplyPolicies

ManageGroups ManagePrivileges

ManageIden@@es

23

FIVERECOMMENDATIONS

3. Control Scope

24

IAMSILOS

...LibraryRegistrarCommunityServicesHousingHRMSCWL Parking

DeptDDeptA DeptC ...DeptB

EnterpriseIAM

DepartmentalIAM

25

FIVERECOMMENDATIONS

4. Re-engage with our stakeholders at a strategic level

26

STAKEHOLDERSENGAGEMENT

•  Who their own stakeholders and constituents are; how they engage with them

•  The policies, rules and guidelines they follow (whether formalized or not).

•  What policies they don't follow

•  What policies need to be created or amended

•  The level of control they need to retain when it comes to identifying their constituents and providing them access to systems

•  How they balance risk management and business agility

•  Their concerns about sharing their information

•  What information they need to access

•  Etc.

27

FIVERECOMMENDATIONS

5. Create a Planning Team

28

THEWORKAHEADOFUS

TO-BEAnalysisArchitecture

Opera5ngModel

AS-ISAnalysisMaturityAssessment

• Launchtheproject• StakeholdersAnalysis• Establishaninventoryofapplica;onsand

systems• ReviewcurrentOpera;ngModel(people,

process,tools)• Documentthecurrentstatecapabili;es• DocumentthemainIAMuse-cases• DefineaMaturityAssessmentFramework• Assessthecurrentcapabili;esagainstthe

maturityframework.

• StakeholdersEngagement• DocumentTo-BeState:

• Iden;tySystemofrecords• Integra;oncapabili;es• Iden;typroofing• Provisioning,de-provisioning• AOesta;on• Creden;alManagement• Enforcement• etc.

• Iden;fythepoliciesandstandardsthatneedtobecreatedorupdated

• DefinetheLogical&PhysicalArchitectures

• DocumentchangestotheOpera;ngModel(people,process,tools)

• GapAnalysis• Iden;fyandpriori;zecapability

increments• CreatetheRoadmap

• ProjectCharter• StakeholderEngagementplan• CurrentStateAnalysis• IAMMaturityHeatMap• IAMTechnologyMap

• IAMVision• BusinessRequirements• GovernanceModel• Architecture• To-BeState

• IAMRoadmap

Ar5facts

Ac5v

i5es

IAMRoadmap

29

THEPLANNINGTEAM

TO-BEAnalysisConceptualArchitecture

Opera7ngModel

AS-ISAnalysisMaturityAssessment

RequirementsGathering

• Launchtheproject

• Establishaninventoryofapplica7onsand

systems

• ReviewcurrentOpera7ngModel(people,

process,tools)

• Documentthecurrentstatecapabili7es

• DocumentthemainIAMusecases

• DefineaMaturityAssessmentFramework

• Assessthecurrentcapabili7esagainstthe

maturityframework.

• Gatherrequirementsfor:

• Iden7tySystemofrecords

• MainIAMprocesses

• Policyenforcement

• DocumentTo-BeState:

• Iden7tySystemofrecords

• Integra7oncapabili7es

• Iden7typroofing

• Provisioning,de-provisioning

• AQesta7on

• Creden7alManagement

• Enforcement

• etc.

• DefineConceptualArchitecture

• CreatenewPoliciesandstandards,or

updateexis7ngonesasrequired

• DocumentchangestotheOpera7ng

Model(people,process,tools)

• GapAnalysis

• Iden7fyandpriori7zecapability

increments

• DefineRoadmap

• ProjectCharter

• StakeholderEngagementplan

• CurrentStateAnalysis

• IAMRequirements

• IAMMaturityHeatMap

• ArchitecturePrinciples

• ConceptualArchitecture

• To-BeState

• IAMRoadmap

Ar7fac

tsAc7

vi7es

IAMRoadmap&Strategy

IAMProgramI

Planningteam Programteam

Programteam

IAMProgramII