Identity Management Deployment Best Practices
Addressing Deployment Challenges in Enterprise Identity Management

2014 Hitachi ID Systems, Inc. All rights reserved.
This Hitachi ID Systems white paper describes the major challenges in deploying an enterprise identity management (IdM) system, including data cleansing, role engineering and workflow definition and maintenance. The information presented here is derived from hundreds of deployments performed over many years. This paper presents practical solutions to the design and implementation of an IdM system, to overcome these challenges. Solutions include auto-discovery and self-service login ID reconciliation, minimizing the need for role definition and user-to-role classification, and use of a single, dynamic authorization process rather than one workflow per request type.

Contents

1 Introduction
2 Enterprise Identity Management
3 Business Drivers and Use Cases for Enterprise Identity Management
4 Deployment Challenges
4.1 Login ID Reconciliation
4.2 Role Engineering and User Classification
4.3 Workflow Definition
5 Simplifying Deployment using Processes and Technology
5.1 Self-Service Login ID Reconciliation
5.2 Role Engineering and User Classification
5.3 Dynamic Workflow Definition
6 Summary
7 Hitachi ID Systems Products

1 Introduction

Enterprise identity management systems bring many benefits to large organizations and are increasingly a required feature in today's regulatory environment. Some of the important features of enterprise IdM include:

- Improved user productivity, due to reduced wait for new and updated systems access and fewer authentication problems.
- Lower security administration cost, as the bulk of user management is automated or delegated to business users and password resets are either eliminated or resolved with self-service.
- Enhanced security, as inappropriate access is terminated quickly and reliably.
- Regulatory compliance, including the ability to audit access rights globally, to ensure that only appropriate users have access to sensitive systems and data.

Unfortunately, despite two generations of user administration technology, enterprise identity management systems from many vendors remain difficult to deploy and costly to maintain. Many IdM projects either end in stripped-down installations or are abandoned entirely because of these factors.

This paper discusses the main challenges encountered by large organizations in deploying enterprise identity management systems, and offers solutions to help overcome each challenge. The solutions offered in this paper are implemented in the Hitachi ID Management Suite.

2 Enterprise Identity Management

Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.

Typical enterprise identity and access management scenarios include:

- Password synchronization and self-service password reset.
- User provisioning, including identity synchronization, auto-provisioning and automatic access deactivation, self-service security requests, approvals workflow and consolidated reporting.
- Enterprise single sign-on, automatically filling login prompts on client applications.
- Web single sign-on, consolidating authentication and authorization processes across multiple web applications.
Enterprise IAM presents different challenges than identity and access management in Extranet (B2C or B2B) scenarios:

| Characteristic | Enterprise IAM (typical) | Extranet IAM (typical) |
| --- | --- | --- |
| Number of users | under 1 million | over 1 million |
| Number of systems and directories | 2 to 10,000 | 1 to 2 |
| Users defined before IAM system is deployed | Thousands | Frequently only new users |
| Login ID reconciliation | Existing accounts may have different IDs on different systems. | Single, consistent ID per user. |
| Data quality | Orphan and dormant accounts are common. Data inconsistencies between systems. | Single or few objects per user. Consistent data. Dormant accounts often a problem. |
| User diversity | Many users have unique requirements. | Users fit into just a few categories. |

In short, Enterprise IAM has fewer but more complex users. Extranet IAM has more users and higher transaction rates, but less complexity.

3 Business Drivers and Use Cases for Enterprise Identity Management

There are several business drivers for deploying an enterprise identity management and access governance system, including:

Security and regulatory compliance:
- Reliable access deactivation when users leave the organization.
- Secure access to privileged passwords.
- Enforce segregation of duties policies.
- Periodically review security entitlements and eliminate unneeded ones.
- Ensure that new access is provisioned in compliance with standards.

IT support cost:
- Lower IT support call volume and head count.
- Reduce the amount of manual security administration required.

User service:
- Simplify change request processes.
- Provision required access more quickly.
- Reduce the number of passwords users must manage.
- Reduce the number of login prompts users must complete.
4 Deployment Challenges

As defined in Section 2, enterprise identity management presents its own challenges, which are quite distinct from other types of identity management. While the number of users may be relatively modest, the complexity per user, in terms of data correlation, stale data, unsynchronized data, access requirements and controlling business processes, is significant. This complexity presents challenges for deploying an enterprise IdM system, described below.

4.1 Login ID Reconciliation

Before user access to multiple systems can be managed by a single, coherent system, the various login IDs and profiles that belong to each user must be connected to one another. Until this is done, it will be impossible to synchronize passwords or other data attributes, to report on the access rights of a single user across multiple systems, or to make updates to user profile data across more than one system at a time.

The process of connecting possibly different login IDs, on different systems, back to their individual human owners, is called login ID reconciliation. While the process may be simple in principle, reconciling large numbers of login IDs in a time- and cost-effective manner can be a major obstacle, as illustrated in Table 1.

In practice, scenarios 1 and 4 in the table are the most common. Organizations fortunate enough to be in scenario 1 have no login ID reconciliation problem at all. Organizations in scenario 4 frequently undertake a manual data cleansing project, to populate an anchor attribute or rename login IDs on key systems to bring them into compliance with an enterprise-wide naming standard. Such data cleansing projects can take several months, and cost tens or hundreds of thousands of dollars to complete. As a result, many enterprise IdM projects encounter an unforeseen delay of many months, and deployment cost overruns that reach into the millions of dollars.
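The scenarios in Table 1 are rarely exclusive in a real estate: one system carries an employee ID, an earlier project left a map file covering two others, and the remaining accounts have only a full name or nothing at all. The following Python script is an added example, not code from this white paper or from Hitachi ID, showing how a reconciliation pass layers those sources in order of reliability: anchor attribute first, then map file, then exact or approximate full-name matching. Two people with the same name are reported for review rather than guessed at, and whatever is left over is listed as the population that a self-service reconciliation step or a data cleanup project has to resolve. The account records, the map-file layout (one row per person, one column per system) and the 0.9 similarity threshold are all constructed assumptions.

```python
"""Login ID reconciliation: connect accounts on several systems back to one owner.

Added example, not from the white paper. Applies Table 1 in order of reliability:
anchor attribute (scenario 2), map file (scenario 3), then exact/approximate
full-name matching (scenario 4, option 1). All sample data below is constructed.
"""
from __future__ import annotations

import csv
import io
import unicodedata
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Account:
    system: str
    login_id: str
    full_name: str = ""     # often missing on mainframe or service accounts
    employee_id: str = ""   # anchor attribute, typically populated on only some systems


def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation, turn 'Last, First' into 'first last'."""
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    decomposed = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join("".join(c if c.isalnum() else " " for c in folded.lower()).split())


def load_map_file(text: str) -> dict[tuple[str, str], str]:
    """Scenario 3 map file (assumed layout): header row names the systems, each
    data row is one person. Returns (system, login_id) -> synthetic key for that row."""
    lookup = {}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text), skipinitialspace=True), 1):
        for system, login_id in row.items():
            if isinstance(login_id, str) and login_id.strip():
                lookup[(system.strip(), login_id.strip())] = f"map:{row_no}"
    return lookup


def reconcile(accounts, map_file_text="", name_threshold=0.9):
    """Return (profiles, ambiguous, orphans).

    profiles : profile key -> accounts belonging to that one person
    ambiguous: (account, [candidate keys]) where name matching found several owners
    orphans  : accounts with no anchor, no map entry and no usable name match
    """
    profiles: dict[str, list[Account]] = defaultdict(list)
    map_lookup = load_map_file(map_file_text) if map_file_text else {}
    row_to_profile = {}   # merges a map-file row with an anchored profile when they overlap

    # Pass 1: the anchor attribute is authoritative (scenario 2).
    for acct in accounts:
        if acct.employee_id:
            key = f"emp:{acct.employee_id}"
            profiles[key].append(acct)
            row_key = map_lookup.get((acct.system, acct.login_id))
            if row_key:
                row_to_profile[row_key] = key

    # Pass 2: map-file rows (scenario 3); everything else waits for name matching.
    pending = []
    for acct in accounts:
        if acct.employee_id:
            continue
        row_key = map_lookup.get((acct.system, acct.login_id))
        if row_key:
            profiles[row_to_profile.get(row_key, row_key)].append(acct)
        else:
            pending.append(acct)

    # Pass 3: exact or approximate full-name match (scenario 4, option 1). One
    # candidate above the threshold is accepted; several (two people sharing a
    # name) are reported for review instead of guessed.
    ambiguous, orphans = [], []
    for acct in pending:
        target = normalize_name(acct.full_name)
        candidates = []
        if target:
            for key, members in profiles.items():
                names = [normalize_name(m.full_name) for m in members if m.full_name]
                best = max((SequenceMatcher(None, target, n).ratio() for n in names), default=0.0)
                if best >= name_threshold:
                    candidates.append(key)
        if len(candidates) == 1:
            profiles[candidates[0]].append(acct)
        elif candidates:
            ambiguous.append((acct, sorted(candidates)))
        else:
            orphans.append(acct)
    return dict(profiles), ambiguous, orphans


# Constructed sample data: only the HR system carries the employee-ID anchor.
SAMPLE_ACCOUNTS = [
    Account("HR", "E1001", "Smith, John", "1001"),
    Account("HR", "E1002", "Doe, Jane", "1002"),
    Account("HR", "E1003", "Smith, John", "1003"),      # a second John Smith
    Account("HR", "E1004", "Garcia, Maria", "1004"),
    Account("AD", "jsmith", "John Smith"),              # which John Smith?
    Account("AD", "jdoe", "Jane Doe"),                  # covered by the map file
    Account("Mainframe", "DOE01"),                      # no name on the mainframe
    Account("Unix", "jdoe2", "Jane Do"),                # typo: approximate match
    Account("Unix", "mgarcia", "María García"),         # accented: exact after folding
    Account("Unix", "svc_backup"),                      # no owner data at all
]

# Constructed map file (scenario 3): one row per person, one column per system.
SAMPLE_MAP_FILE = """HR,AD,Mainframe
E1002,jdoe,DOE01
"""

if __name__ == "__main__":
    profiles, ambiguous, orphans = reconcile(SAMPLE_ACCOUNTS, SAMPLE_MAP_FILE)
    for key, members in sorted(profiles.items()):
        print(key, [f"{m.system}/{m.login_id}" for m in members])
    print("needs self-service or manual review:", [(a.login_id, k) for a, k in ambiguous])
    print("unmatched / orphan candidates:", [f"{a.system}/{a.login_id}" for a in orphans])
```

Running it yields one merged profile per HR record, with `jsmith` held back as ambiguous because two employees normalize to the same name and `svc_backup` listed as unmatched. Those two exception lists, not the bulk of the accounts, are what drive the cost of a reconciliation project, so the threshold and the order of the passes are worth tuning against a sample of real data before the full run.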
Only after login ID reconciliation is complete can enterprise IdM functions such as password synchronization and reset, user profile data synchronization, consolidated access reporting and single-interface access termination be implemented.

Table 1: Login ID Reconciliation Options

Scenario 1
If: Every user has just one login ID, used on every system.
Then: User objects can be connected using login ID as a key.
Example: jsmith on system A is the same user as jsmith on system B.

Scenario 2
If: Every user object includes a globally unique key (an anchor attribute).
Then: User objects can be connected using the anchor attribute, in place of the login ID.
Example: Employee ID or SSN may be populated on every system.

Scenario 3
If: Someone has already built or is actively maintaining a map file between login IDs on different systems.
Then: Login ID reconciliation is already done! Just load the data.
Example: CSV file: "jsmith", "john_smith", "smith01", ...

Scenario 4
If: None of the above is true. This is the most common situation, especially in large organizations with a history of mergers, acquisitions and multiple, platform-specific security administration groups.
Then: There are three options to reconcile login IDs in this case:
- Correlate login IDs on different systems using exact or approximate match on full name as the anchor attribute.
- Embark on a data cleanup project, to populate some other anchor attribute or to normalize login IDs on every system.
- Employ self-service, to get login ID reconciliation data from the users themselves.
The best choice will depend on what data is available, how complete and reliable it is, and on corporate culture.

4.2 Role Engineering and User Classification

A common strategy for managing user access to systems more efficiently and securely is to define roles,