IAM & EA: WORKING TOGETHER TO CREATE AN IAM VISION · eDirectory iManager labsupport DB labsupport...
Transcript of IAM & EA: WORKING TOGETHER TO CREATE AN IAM VISION · eDirectory iManager labsupport DB labsupport...
IAM&EA:WORKINGTOGETHERTOCREATEANIAMVISIONSebas&anGonzales,SeniorManager,IAMVincentAumont,EnterpriseArchitectB CN E T 2 0 1 6
2
CONTEXT:IAM
Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IAM is the security discipline that enables secure communication and collaboration between our Global User Community and our resources for the purposes of Teaching, Learning, Research and Administration. Our user community being Student, Faculty, Staff, Alumni, Researchers, Private/Pubic Institutions, Community members, Guests, Parents.
3
CONTEXT:IAMPrograms’KeyChallenges
• The absence of a compelling business case makes it difficult to connect an IAM program's objectives and priorities with business drivers.
• IAM programs often experience difficulty with continued funding after initial budgeting because IAM leaders are unsure about how to communicate with the multitude of stakeholders that need to remain aware of the program's business drivers and benefits.
• IAM leaders can be too focused on IAM technology, and may not appreciate the extent to which ongoing communications with stakeholders and leadership and organizational maneuvering are needed to ensure adequate program funding.
• IAM programs must alter their roadmaps to keep pace with larger organizational transformations, which are happening quickly to meet the challenges of digital business.
4
OURSTORY
A Case Study in IAM & Enterprise Architecture Collaboration
5
THELASTTHREEYEARS
6
REALITYCHECK:TECHNICALCOMPLEXITY
Group Stores
Authorization
Authentication
Single Sign On
Identity Stores
Governance
Integration
Identity SoRs
Intelligence
Federation
Administration Apache Directory Studio
HitachiPAM
auth2 client library
CWL Database
SIS DB Views
SSD CWL->eLDAP
synch job
eDire
ctor
y
Grouper
openLDAP
openLDAPGrouper DB eDirectory
iManager
labsupportDB
labsupport
labsupport
ITMDBDB
ITMDB
ITMDB
ELDAP
HMRS SIS Guest Repository
Kerberos
Shibboleth
CAS ELDAP EAD
openLDAP
CWL: my Account
Enterprise Vulnerability Assessment (EVA)
Elastic SearchLogstash
Kibana (ELK)
CWL: SSC AdminCWL: ES Admin
CWL: PplSoft AdminCWL: CWl Admin
Access UBC Shopping CartAccess UBC Guest
AccountsCertificate Tracking
Spreadsheet
Nessus
HRMS DB Views
LDAP Synchronization Connector (LSC)
Pentaho
AccessUBCProv/Deprov
Access UBC
InfoSec Standards
PIA RepositoryExchange Inbox
NUAM
CWLweb services
auth2 web services
SSD UBCDir->eLDAP
synch jobFIM
EAD
UBCDir eDirectory
AccessUBC Identity Cubes
ELDAPEAD
7
REALITYCHECK:ORGANIZATIONALCOMPLEXITY
8
REACHINGAPLATEAUStrategicTh
inking
Time
9
WHYITMATTERS:ACHANGINGLANDSCAPE• Virtual Research Organizations • Emergence of Scholarly Identities (e.g. ORCID) • CRM Initiative • Student Information System Replacement • Flexible Learning • MOOCS • Expansion of of Career and Professional Education • personalization of the learning experience • New collaboration models with external partners • Emergence od mash-up architectures in the LMS space • The systematization of the cloud-first approach: • The pervasiveness of Social Identities • Security threats that focus on individuals • Upcoming Common Online Application Platform (COAP) & Education
Planning and Application Service (EPAS) • Increasing demand for better Learning Analytics and Institutional
Analytics • ...
10
GETTINGTOTHENEXTLEVEL
• IAMasaSecuritydiscipline
• IAMGovernancedefined&Accepted
• Business-aligned&Strategicpriori<es
• CentralizedManagement&decentralizedadministra<on
• Technologyconsolida<on
• En<resegmentson-boarded
AdHocusername/passwordmanagement
• Founda<onalIAMframework
• Tac<calpriori<es• Somebusinessdriversiden<fied
• Earlysuccesswithsomeon-boardeddepartments
• TechnologyRa<onaliza<on
• Con<nuousarchitectureop<miza<on
•MeetorexceedSLA's
• Con<nuousprocessimprovement
• IAMStrategypartofenterpriseStrategy
• IAMPMO•Allsegmentsoftheenterprise
DefinedIni(al Developing Op(mizedManaged
IAMI IAMII
11
IAMPrograms’KeyChallenges(Gartner)
• The absence of a compelling business case makes it difficult to connect an IAM program's objectives and priorities with business drivers.
• IAM programs often experience difficulty with continued funding after initial budgeting because IAM leaders are unsure about how to communicate with the multitude of stakeholders that need to remain aware of the program's business drivers and benefits.
• IAM leaders can be too focused on IAM technology, and may not appreciate the extent to which ongoing communications with stakeholders and leadership and organizational maneuvering are needed to ensure adequate program funding.
• IAM programs must alter their roadmaps to keep pace with larger organizational transformations, which are happening quickly to meet the challenges of digital business.
12
FIVERECOMMENDATIONS
1. Re-position IAM as an Information Security discipline
2. Adopt an IAM model that has been created for HE sector.
3. Scope Control
4. Re-engage with our stakeholders at a strategic level
5. Create a Planning Team
13
FIVERECOMMENDATIONS
1. Re-position IAM as an Information Security discipline
14
IAMISASECURITYDISCIPLINEBusiness Security Reference Model
Security Intelligence & Analytics
Governance, Risk, Compliance (GRC)
Advanced Security and Threat Research
InfrastructureApplications & ServicesDataPeople
Foundational Security Management
Physical Asset Management
Risk & Compliance Management
Security Policy Management
Command & Control Management
Identity, Access & Entitlement Management
Data & Information Protection Management
Threat & Vulnerability Management IT Service Management
Security Services and Infrastructure
Security Info & Event Infrascructure
Identity, Access & Entitlement Infrastructure
Security Policy Infrastructure
Crypto, Key & Certificate Management
Service Management Infrastructure
Storage Security Host & Endpoint Security Application Security Network Security Physical Security
Code Policies Events & LogsIdentity AttributesData Repository &
ClassificationSecurity Service
LevelsDesigns Config Info &
RegistryIT Security Knowledge
Operational Context
Software, System & Service Assurance
Awareness & Education
15
SECURITYISATOPPRIORITYINHIGHERED
16
IAMCONTEXT
Ente
rpris
e Ar
chite
ctur
e
Information SecurityOffice
Risk ManagementServices
IT G
over
nanc
e
Identity & AccessManagementFramework
17
APOLICY-DRIVENIAMFRAMEWORK
Ente
rpris
e Ar
chite
ctur
e
Information SecurityOffice
Risk ManagementServices
IT G
over
nanc
e
Governance
Architecture
Operations
Program Management
18
APOLICY-DRIVENIAMFRAMEWORK
IAMGovernance
Drivers
Security Operations
BusinessRequirements Compliance Threats Business
Opportuni6es
Strategy
Plan(PMO)Requirements
Enforce
Proced
ures,Stand
ards,G
uide
lines
Audit
CheckCo
mpliance Manage
Vulnerability
ManageIncidents De
ploy
ManageEvents
IAMServices
Architecture
Design&Develop
AnalyzeGaps ConInuouslyAssessProgram
Educate&Raise
Awareness
ManageRisk
IAM
Pro
gram
Man
agem
ent
: Process: Component/Deliverable
Tech
nolo
gy A
rchi
tect
ure
Principles
Policies
19
FIVERECOMMENDATIONS
2. Adopt an IAM model that has been created for HE sector.
20
IAM&THEHIGHEREDETHOS
• HE institutions are distributed, complex, highly collaborative, and mostly non-hierarchical.
• Their boundaries are not clearly delimited. • Affiliations with these organizations differ widely in strength (from
community member to employee), are multi-faceted (a person can be an employee, a student, a staff, and a community member at the same time), and are very dynamic (UBC has over 20,000 HR events per year).
• A tendency to distrust anything centralized; most units have a great deal of autonomy when it comes to rolling out the IT solutions they require.
21
THEIAMCONUNDRUM
Ø Centralization of Identity and Access Management is critical because it enables better collaboration and promotes security
Ø At the same time, the administration of IAM must be decentralized to accommodate the complexity and specificities of our organization
22
THEINTERNET2IAMMODELPolicyandGovernance
SystemsofRecords
PresidentProvost
Registrar HRFacultyAffairs
RiskManagement
HRMSFaculty,Staff
InfoSecOffice
AdmissionsStudents,CPE...
Registra@onStudents,CPE...
TeachingAssignmentStudents,CPE...
FinancePI,Approvers
OrgModels
ResearchSupervisors
Applica@ons&Services
...
...
Portals
Library
LearningTools
Administra@veSystems
Wireless
...
FederatedPartners
UVic
PHSA
...
EstablishIden@@es DeterminePolicies
Departments Registrar Projects Programs Teams Users ...
Consolidate&Update
Access
Privileges
PersonsAccounts
Organiza@ons
Groups
EnrichIden@@es ApplyPolicies
ManageGroups ManagePrivileges
ManageIden@@es
23
FIVERECOMMENDATIONS
3. Control Scope
24
IAMSILOS
...LibraryRegistrarCommunityServicesHousingHRMSCWL Parking
DeptDDeptA DeptC ...DeptB
EnterpriseIAM
DepartmentalIAM
25
FIVERECOMMENDATIONS
4. Re-engage with our stakeholders at a strategic level
26
STAKEHOLDERSENGAGEMENT
• Who their own stakeholders and constituents are; how they engage with them
• The policies, rules and guidelines they follow (whether formalized or not).
• What policies they don't follow
• What policies need to be created or amended
• The level of control they need to retain when it comes to identifying their constituents and providing them access to systems
• How they balance risk management and business agility
• Their concerns about sharing their information
• What information they need to access
• Etc.
27
FIVERECOMMENDATIONS
5. Create a Planning Team
28
THEWORKAHEADOFUS
TO-BEAnalysisArchitecture
Opera5ngModel
AS-ISAnalysisMaturityAssessment
• Launchtheproject• StakeholdersAnalysis• Establishaninventoryofapplica;onsand
systems• ReviewcurrentOpera;ngModel(people,
process,tools)• Documentthecurrentstatecapabili;es• DocumentthemainIAMuse-cases• DefineaMaturityAssessmentFramework• Assessthecurrentcapabili;esagainstthe
maturityframework.
• StakeholdersEngagement• DocumentTo-BeState:
• Iden;tySystemofrecords• Integra;oncapabili;es• Iden;typroofing• Provisioning,de-provisioning• AOesta;on• Creden;alManagement• Enforcement• etc.
• Iden;fythepoliciesandstandardsthatneedtobecreatedorupdated
• DefinetheLogical&PhysicalArchitectures
• DocumentchangestotheOpera;ngModel(people,process,tools)
• GapAnalysis• Iden;fyandpriori;zecapability
increments• CreatetheRoadmap
• ProjectCharter• StakeholderEngagementplan• CurrentStateAnalysis• IAMMaturityHeatMap• IAMTechnologyMap
• IAMVision• BusinessRequirements• GovernanceModel• Architecture• To-BeState
• IAMRoadmap
Ar5facts
Ac5v
i5es
IAMRoadmap
29
THEPLANNINGTEAM
TO-BEAnalysisConceptualArchitecture
Opera7ngModel
AS-ISAnalysisMaturityAssessment
RequirementsGathering
• Launchtheproject
• Establishaninventoryofapplica7onsand
systems
• ReviewcurrentOpera7ngModel(people,
process,tools)
• Documentthecurrentstatecapabili7es
• DocumentthemainIAMusecases
• DefineaMaturityAssessmentFramework
• Assessthecurrentcapabili7esagainstthe
maturityframework.
• Gatherrequirementsfor:
• Iden7tySystemofrecords
• MainIAMprocesses
• Policyenforcement
• DocumentTo-BeState:
• Iden7tySystemofrecords
• Integra7oncapabili7es
• Iden7typroofing
• Provisioning,de-provisioning
• AQesta7on
• Creden7alManagement
• Enforcement
• etc.
• DefineConceptualArchitecture
• CreatenewPoliciesandstandards,or
updateexis7ngonesasrequired
• DocumentchangestotheOpera7ng
Model(people,process,tools)
• GapAnalysis
• Iden7fyandpriori7zecapability
increments
• DefineRoadmap
• ProjectCharter
• StakeholderEngagementplan
• CurrentStateAnalysis
• IAMRequirements
• IAMMaturityHeatMap
• ArchitecturePrinciples
• ConceptualArchitecture
• To-BeState
• IAMRoadmap
Ar7fac
tsAc7
vi7es
IAMRoadmap&Strategy
IAMProgramI
Planningteam Programteam
Programteam
IAMProgramII