Identity Management Roadmap and Maturity Levels

Martin Kuppinger

Kuppinger Cole + Partner

Major Trends in Identity Management: Guidelines for an IAM roadmap

Service-orientation:
• Identity Management has to provide defined services for applications and systems

Integration in Business Service Lifecycles:
• Identity Management will become part of central approaches for Service Lifecycle Management, in the context of ITIL and change/configuration management

Convergence of Access Management and Federation:
• Federation will become increasingly important as a means of centralized, policy-driven access management

End-to-End Auditing:
• Auditing must be end-to-end, from the system up to the business level, to fulfill compliance requirements

Integrated User-centric IAM and "claims-based" approaches:
• Users and their open identities will be fully integrated in enterprise IAM models
• Claims and Federation as a means for identity interoperability

2 © Kuppinger Cole + Partner 2007

Level 1: Basic Identity Management

Trusted Identity
• Internal users (no customers, no suppliers, no partners)
• One trusted, central directory

Provisioning and Role Management
• Basic Provisioning, mainly HR-driven, focus on creation of users
• No or rudimentary role management

Single Sign-On and Authentication
• None beyond the level of network operating systems (Windows authentication) and isolated SSO solutions

Access and Federation
• Web Access Management as point solution, no application integration
• No Federation

Auditing, Policies, and Compliance
• Auditing only on system level
• No consistent policy-driven approach
• If at all, only point solutions for compliance

Level 2: Advanced Identity Management

Trusted Identity
• Internal users, customers, suppliers
• One consistent view on identities, independent of the type of user

Provisioning and Role Management
• Defined processes for creation, change, and deletion of users, consistent across all types of user
• Basic role management on the provisioning layer

Single Sign-On and Authentication
• Enterprise Single Sign-On
• Strong Authentication for internal users (two-factor)

Access and Federation
• Multiple Access Management concepts on portal, application server and web access management level
• Singular Federation implementations

Auditing, Policies, and Compliance
• Policy-driven control for singular systems, no consistent approach
• Auditing and Compliance solutions on the system level, some degree of integration

Concept: Consistent identity

[Diagram: Employee, Customer and Supplier identities are mapped to one Central ID (with a defined syntax and roles); the Central ID in turn maps to the accounts in System A, System B, System C, System D and System E.]

Concept: Provisioning processes

[Diagram: defined provisioning events (add new user, change attribute A, request role B, delete …) are raised by defined sources (HR system, OM dept., manager, HR dept.), each through a defined workflow, and handled by the Provisioning System, which pushes the changes to the connected systems (ERP, AD/eDir, LDAP, …).]
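The provisioning-process concept above (defined events, defined sources, defined workflows, one provisioning system fanning out to connected systems) as an added example in Python. This is not code from the deck or from Kuppinger Cole; the event names, initiator names, the "role_owner" approver and the three target systems are constructed assumptions. The point it shows is the Level 2 property "defined processes for creation, change, and deletion": an event with no defined workflow, or raised by a source the workflow does not allow, is rejected and logged instead of being provisioned ad hoc.

```python
"""Defined provisioning workflows (added example; not the deck's own code).
Assumed model: each event type has exactly one defined workflow naming the
initiators allowed to raise it, an optional approver role, and the connected
systems to update. Event, initiator and system names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Workflow:
    allowed_initiators: frozenset   # sources that may raise this event
    approver: Optional[str]         # role that must approve; None = automatic
    targets: tuple                  # connected systems the change is pushed to


# Constructed workflow definitions mirroring the slide's sources and targets.
WORKFLOWS: Dict[str, Workflow] = {
    "add_user":         Workflow(frozenset({"hr_system"}), None, ("ERP", "AD", "LDAP")),
    "change_attribute": Workflow(frozenset({"hr_dept", "om_dept"}), None, ("AD", "LDAP")),
    "request_role":     Workflow(frozenset({"manager"}), "role_owner", ("ERP", "AD")),
    "delete_user":      Workflow(frozenset({"hr_system", "hr_dept"}), None, ("ERP", "AD", "LDAP")),
}


@dataclass
class Request:
    event: str
    initiator: str
    subject: str                 # central ID of the affected user
    payload: dict
    approvals: List[str] = field(default_factory=list)   # roles that have approved


@dataclass
class Outcome:
    status: str                  # "applied", "pending_approval" or "rejected"
    reason: str
    pushed_to: List[str] = field(default_factory=list)


class ProvisioningSystem:
    def __init__(self):
        # Connected systems (constructed): name -> {central_id -> account state}
        self.systems: Dict[str, Dict[str, dict]] = {"ERP": {}, "AD": {}, "LDAP": {}}
        self.audit: List[str] = []

    def handle(self, req: Request) -> Outcome:
        """Run the defined workflow for the event, or reject the request."""
        wf = WORKFLOWS.get(req.event)
        if wf is None:
            return self._reject(req, "no defined workflow for event %s" % req.event)
        if req.initiator not in wf.allowed_initiators:
            return self._reject(req, "initiator %s may not raise %s" % (req.initiator, req.event))
        if req.event in ("change_attribute", "request_role") and any(
                req.subject not in self.systems[s] for s in wf.targets):
            return self._reject(req, "subject not provisioned in all target systems")
        if wf.approver and wf.approver not in req.approvals:
            self.audit.append("PENDING %s %s awaiting %s" % (req.event, req.subject, wf.approver))
            return Outcome("pending_approval", "needs approval by %s" % wf.approver)
        for system in wf.targets:
            self._apply(system, req)
        self.audit.append("APPLIED %s %s by %s -> %s"
                          % (req.event, req.subject, req.initiator, ",".join(wf.targets)))
        return Outcome("applied", "ok", list(wf.targets))

    def _apply(self, system: str, req: Request) -> None:
        """Connector stand-in: apply the change to one connected system."""
        accounts = self.systems[system]
        if req.event == "add_user":
            accounts[req.subject] = {"attrs": dict(req.payload), "roles": set()}
        elif req.event == "change_attribute":
            accounts[req.subject]["attrs"].update(req.payload)
        elif req.event == "request_role":
            accounts[req.subject]["roles"].add(req.payload["role"])
        elif req.event == "delete_user":
            accounts.pop(req.subject, None)

    def _reject(self, req: Request, reason: str) -> Outcome:
        self.audit.append("REJECTED %s %s by %s: %s" % (req.event, req.subject, req.initiator, reason))
        return Outcome("rejected", reason)


if __name__ == "__main__":
    ps = ProvisioningSystem()
    print(ps.handle(Request("add_user", "hr_system", "person:0001", {"givenName": "Jane"})))
    print(ps.handle(Request("request_role", "manager", "person:0001", {"role": "Finance-RO"})))
    print("\n".join(ps.audit))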

Concept: "Distributed" Access Management

[Diagram: browsers reach App 1, App 2 and App 3 through Web Access Management, with a PEP in front of the applications and a PDP taking the decisions; other browsers reach Portlet 1, Portlet 2, Portlet 3 and Portlet 4 through an Enterprise Portal backed by a Directory.]

Partial integration on different levels…

Concept: Basic compliance integration

[Diagram: decentral audit logs from an Application, the Provisioning System, a second Application, the Directory and the Firewall are collected into Centralized Log Data and evaluated by a Centralized Audit Application.]

Level 3: Service-oriented Identity Management

Trusted Identity
• Defined storage service interfaces
• Separating applications and identity storage, use of identity storage virtualization

Provisioning and Role Management
• External/open provisioning workflows
• Enterprise Entitlement approaches in provisioning
• Enhanced role concepts

Single Sign-On and Authentication
• Authentication service, enabling Single Sign-On for applications
• Federation as a means for Single Sign-On

Access and Federation
• Federation as standard approach for distributed authentication and authorization
• Centralized federation services for service-oriented applications

Auditing, Policies, and Compliance
• Consistent policy approach across systems
• Audit log service interfaces for access to different logs
• Pre-defined compliance services

Concept: Identity storage services

[Diagram, three layers: an Application Layer (Applications) on top of a Virtual Storage Layer (Virtual Directory Services presenting a Virtual Directory to each application) on top of a Physical Storage Layer (Active Directory, Corporate Directory, … Application Directories). Providing a virtual set of attributes to applications.]
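The two concepts "Consistent identity" (one Central ID mapped to the accounts in each system) and "Identity storage services" (a virtual directory presenting one attribute set to applications over several physical stores) as one added Python example. It is not the deck's or Kuppinger Cole's code; the three stores, their attribute names, the central-ID map and the attribute syntax table are constructed assumptions. Besides the forward lookup, it adds the two checks a practitioner wants from a central-ID layer: a reverse lookup that exposes orphan accounts, and a data-quality finding when a non-authoritative copy of an attribute disagrees with the authoritative store.

```python
"""Virtual directory over several identity stores (added example; not the
deck's own code). Assumed model: one central ID per person, mapped to each
physical store's own account key; a syntax table names the authoritative
store for every virtual attribute. All records below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed physical stores, each keyed by its own identifier type.
ACTIVE_DIRECTORY = {
    "jdoe": {"sAMAccountName": "jdoe", "mail": "j.doe@example.test",
             "memberOf": ["GG-Finance-RO"]},
    "svc-legacy": {"sAMAccountName": "svc-legacy", "mail": "", "memberOf": []},
}
CORPORATE_DIRECTORY = {
    "E1001": {"employeeId": "E1001", "givenName": "Jane", "sn": "Doe",
              "department": "Finance", "status": "active"},
    "E1002": {"employeeId": "E1002", "givenName": "Ali", "sn": "Khan",
              "department": "Sales", "status": "active"},
}
CRM_DIRECTORY = {
    "C-55": {"crmId": "C-55", "customerTier": "gold",
             "email": "jane.doe@old-example.test"},
}
STORES = {"ad": ACTIVE_DIRECTORY, "corp": CORPORATE_DIRECTORY, "crm": CRM_DIRECTORY}

# Central ID concept: one ID per person -> account key in each store.
CENTRAL_ID_MAP: Dict[str, Dict[str, str]] = {
    "person:0001": {"ad": "jdoe", "corp": "E1001", "crm": "C-55"},
    "person:0002": {"corp": "E1002"},          # employee without an AD account yet
}

# Attribute syntax: virtual attribute -> (authoritative store, raw attribute name).
VIRTUAL_ATTRIBUTES = {
    "givenName": ("corp", "givenName"),
    "surname": ("corp", "sn"),
    "department": ("corp", "department"),
    "employmentStatus": ("corp", "status"),
    "loginName": ("ad", "sAMAccountName"),
    "email": ("ad", "mail"),               # AD is authoritative; the CRM copy is not
    "groups": ("ad", "memberOf"),
    "customerTier": ("crm", "customerTier"),
}


@dataclass
class VirtualEntry:
    central_id: str
    attributes: Dict[str, object] = field(default_factory=dict)
    accounts: Dict[str, str] = field(default_factory=dict)   # store -> account key
    conflicts: List[str] = field(default_factory=list)       # data-quality findings


def lookup(central_id: str) -> VirtualEntry:
    """Resolve a central ID to one merged entry; applications never touch the stores."""
    if central_id not in CENTRAL_ID_MAP:
        raise KeyError("unknown central ID %s" % central_id)
    entry = VirtualEntry(central_id, accounts=dict(CENTRAL_ID_MAP[central_id]))
    for attr, (store, raw_name) in VIRTUAL_ATTRIBUTES.items():
        key = entry.accounts.get(store)
        record = STORES[store].get(key) if key else None
        if record is not None and raw_name in record:
            entry.attributes[attr] = record[raw_name]
    # Identity information quality: flag a non-authoritative copy that disagrees.
    crm_key = entry.accounts.get("crm")
    if crm_key and "email" in entry.attributes:
        crm_mail = CRM_DIRECTORY[crm_key].get("email", "")
        if crm_mail.lower() != str(entry.attributes["email"]).lower():
            entry.conflicts.append("crm email %r differs from authoritative %r"
                                   % (crm_mail, entry.attributes["email"]))
    return entry


def find_by_account(store: str, account_key: str) -> Optional[str]:
    """Reverse lookup: which central ID owns this system account?"""
    for central_id, accounts in CENTRAL_ID_MAP.items():
        if accounts.get(store) == account_key:
            return central_id
    return None


def orphan_accounts(store: str) -> List[str]:
    """Accounts present in a store but owned by no central ID (a provisioning gap)."""
    owned = {acc.get(store) for acc in CENTRAL_ID_MAP.values()}
    return sorted(key for key in STORES[store] if key not in owned)


if __name__ == "__main__":
    e = lookup("person:0001")
    print(e.attributes, e.conflicts)
    print("orphans in AD:", orphan_accounts("ad"))
```

The syntax table is what makes the "virtual set of attributes" stable for applications: they ask for `email` or `department` and never learn which store answered, so a store can be replaced behind the virtual layer without touching the application.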

Concept: Further identity services

[Diagram: an Application Layer (Applications) uses an Identity Service Layer (Authentication Services, Federation Services, Compliance Services, Log Services), labelled Application Security Infrastructure, which in turn sits on the Identity Management Layer (Active Directory, LDAP, Federation Hub).]

Concept: Provisioning and enterprise entitlement

[Diagram, today vs. "tomorrow" (optional): today the Provisioning System holds the Workflows, Account Management and Group/Role Assignment, and Rights Assignment is done in the Connected Systems Layer; tomorrow a separate Workflow System holds the Workflows, the Provisioning System does Account Management and Group/Role Assignment, and Rights Assignment appears both in the Provisioning System and in the Connected Systems Layer.]

Level 4: Business-driven Identity Management

Trusted Identity
• Full integration with external identities and user-centric IAM
• Integration of all identity systems (e.g. CRM, Supplier Management, …)

Provisioning and Role Management
• Business role management for control of information and system access
• Role-driven Information Rights Management
• Full integration into business service management

Single Sign-On and Authentication
• Single Sign-On for all types of users with the appropriate mechanism

Access and Federation
• Consistent access management and authorization in integration with federation technologies and business-driven control

Auditing, Policies, and Compliance
• Cross-system policies for control of information and system access
• Consistent compliance automation across all systems

Concept: Consistent identities and Sign-On

[Diagram, Example: Customer identity: a Digital Customer's "Internet" ID (e.g. OpenID) maps to an "Enterprise" ID (the Central ID), which maps to still existing accounts and systems with customer data (CRM, ERP, Legacy Apps).]

Concept: Business-driven control of information and systems

Business Role Management: assignment through Dept. Manager

Information Rights Management: assignment through Information Owner

Mapping of Business Roles to "tech roles/groups": provisioning layer

Assignment of concrete rights: controlled through business, implemented consistently from Business layer to system layer

Concept: Business service integration

[Diagram: Business Requirements feed Request Management; the Identity Services (Identity Storage, Federation, Compliance, Authentication) are controlled by Business Service Management (Portfolio Management, Quality Management, Change & Configuration).]

Concept: Compliance automation

[Diagram: Audit Log Collection from System A, System B, System C and System D feeds a Compliance Dashboard; Compliance Policies drive Policy Enforcement on the systems.]
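The compliance-automation concept above, together with the earlier "Basic compliance integration" slide (decentral audit logs collected centrally), as an added Python example. It is not the deck's or Kuppinger Cole's code: the four log formats, the log lines, the three policies and the enforcement actions are constructed assumptions. It shows the full chain the diagram names: per-system audit log collection into one normalized event stream, compliance policies evaluated over that stream, a dashboard as per-policy counts, and the enforcement action each violation would raise (returned rather than executed, so the example stays self-contained).

```python
"""Compliance automation over centralized audit logs (added example; not
the deck's own code). Assumed model: systems A-D emit logs in their own
formats; a collector normalizes them into one Event stream; policies are
functions over that stream; the dashboard is a per-policy violation count;
enforcement is represented as the action a policy engine would raise.
All log lines, actors and group names are constructed samples."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    source: str
    ts: datetime
    actor: str
    action: str
    target: str
    detail: str = ""


@dataclass
class Violation:
    policy: str
    event: Event
    action: str          # enforcement the policy engine would raise


# Constructed sample logs, one native format per system.
SYSTEM_A_LOG = [   # directory service: key=value pairs
    "ts=2007-05-14T08:02:11Z actor=svc-prov action=group_add target=jdoe detail=GG-Finance-RW",
    "ts=2007-05-14T08:09:40Z actor=admin7 action=group_add target=tempx detail=Domain-Admins",
]
SYSTEM_B_LOG = [   # ERP: pipe-separated
    "2007-05-14 08:15:03|E1001|ledger:post|doc#4711|",
    "2007-05-14 08:16:30|E1001|invoice:approve|doc#4711|",
]
SYSTEM_C_LOG = [   # provisioning system: CSV
    "2007-05-14T07:55:00Z,workflow,request_role,jdoe,approved_by=role_owner",
]
SYSTEM_D_LOG = [   # HR system: CSV
    "2007-05-10T17:00:00Z,hr,terminate,tempx,",
]


def _iso(s: str) -> datetime:
    return datetime.strptime(s.rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def parse_kv(line: str, source: str) -> Event:
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return Event(source, _iso(kv["ts"]), kv["actor"], kv["action"], kv["target"], kv.get("detail", ""))


def parse_pipe(line: str, source: str) -> Event:
    ts, actor, action, target, detail = line.split("|")
    return Event(source, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), actor, action, target, detail)


def parse_csv(line: str, source: str) -> Event:
    ts, actor, action, target, detail = line.split(",")
    return Event(source, _iso(ts), actor, action, target, detail)


COLLECTORS = [("A", SYSTEM_A_LOG, parse_kv), ("B", SYSTEM_B_LOG, parse_pipe),
              ("C", SYSTEM_C_LOG, parse_csv), ("D", SYSTEM_D_LOG, parse_csv)]


def collect() -> List[Event]:
    """Audit log collection: normalize every source and order by time."""
    events = [parse(line, src) for src, lines, parse in COLLECTORS for line in lines]
    return sorted(events, key=lambda e: e.ts)


# Compliance policies (constructed): each maps the event stream to violations.
PRIVILEGED_GROUPS = {"Domain-Admins", "GG-Finance-RW"}
SOD_CONFLICTS = {("ledger:post", "invoice:approve")}


def privileged_change_outside_provisioning(events: List[Event]) -> List[Violation]:
    """Privileged group changes must come from the provisioning system, not by hand."""
    return [Violation("priv-change-outside-provisioning", e,
                      "revert group_add %s for %s" % (e.detail, e.target))
            for e in events
            if e.action == "group_add" and e.detail in PRIVILEGED_GROUPS and e.actor != "svc-prov"]


def segregation_of_duties(events: List[Event]) -> List[Violation]:
    """One ERP actor must not perform two conflicting actions on the same object."""
    seen: Dict[Tuple[str, str], set] = {}
    out: List[Violation] = []
    for e in events:
        if e.source != "B":
            continue
        prior = seen.setdefault((e.actor, e.target), set())
        if any((a, e.action) in SOD_CONFLICTS or (e.action, a) in SOD_CONFLICTS for a in prior):
            out.append(Violation("segregation-of-duties", e,
                                 "block %s by %s on %s" % (e.action, e.actor, e.target)))
        prior.add(e.action)
    return out


def activity_after_termination(events: List[Event]) -> List[Violation]:
    """No grants or activity on an account after HR recorded its termination."""
    terminated = {e.target: e.ts for e in events if e.source == "D" and e.action == "terminate"}
    return [Violation("activity-after-termination", e, "disable account %s" % e.target)
            for e in events
            if e.source != "D" and e.target in terminated and e.ts > terminated[e.target]]


POLICIES: List[Tuple[str, Callable[[List[Event]], List[Violation]]]] = [
    ("priv-change-outside-provisioning", privileged_change_outside_provisioning),
    ("segregation-of-duties", segregation_of_duties),
    ("activity-after-termination", activity_after_termination),
]


def run_compliance(events: List[Event] = None) -> Tuple[Dict[str, int], List[Violation]]:
    """Evaluate all policies; return the dashboard counts and the enforcement list."""
    events = collect() if events is None else events
    dashboard: Dict[str, int] = {}
    violations: List[Violation] = []
    for name, policy in POLICIES:
        found = policy(events)
        dashboard[name] = len(found)
        violations.extend(found)
    return dashboard, violations


if __name__ == "__main__":
    board, actions = run_compliance()
    print(board)
    for v in actions:
        print(v.policy, "->", v.action)
```

The normalization step is what makes the policies cross-system: the termination policy correlates an HR event with a directory event, which neither system could detect from its own log.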

Roadmap: Trusted identity

Basic Identity Management: Establishing Identity Information Quality
Advanced Identity Management: Establishing a central ID concept
Service-oriented Identity Management: Separating ID storage from applications and systems
Business-driven Identity Management: Integrating ID-driven business systems

Roadmap overview

Trusted Identity:
  Basic Identity Management: Establishing Identity Information Quality
  Advanced Identity Management: Establishing a central ID concept
  Service-oriented Identity Management: Separating ID storage from systems and applications
  Business-driven Identity Management: Integrating ID-driven business systems

Provisioning and Role Management:
  Basic Identity Management: Basic provisioning processes
  Advanced Identity Management: Role-based, complete Provisioning
  Service-oriented Identity Management: Enhanced role and entitlement management
  Business-driven Identity Management: Business role-driven, business service-driven provisioning management

Single Sign-On and Authentication:
  Basic Identity Management: System-oriented, decentralized Sign-On
  Advanced Identity Management: E-SSO w/ strong authentication
  Service-oriented Identity Management: Defined authentication services
  Business-driven Identity Management: SSO for all types of users

Access and Federation:
  Basic Identity Management: Basic (Web) Access Management
  Advanced Identity Management: Decentralized access management integration
  Service-oriented Identity Management: Centralized federation services
  Business-driven Identity Management: Integrated access management

Auditing, Policies, and Compliance:
  Basic Identity Management: System-level auditing
  Advanced Identity Management: Policy approaches on system level
  Service-oriented Identity Management: Audit and compliance services
  Business-driven Identity Management: Consistent, policy-driven compliance automation

Roadmap: Provisioning and Role Management

Basic Identity Management: Basic provisioning processes
Advanced Identity Management: Role-based, complete Provisioning
Service-oriented Identity Management: Enhanced role and entitlement management
Business-driven Identity Management: Business role-driven, business service-driven

Roadmap: Single Sign-On and Authentication

Basic Identity Management: System-oriented, decentralized Sign-On
Advanced Identity Management: E-SSO w/ strong authentication
Service-oriented Identity Management: Defined authentication services
Business-driven Identity Management: SSO for all types of users

Roadmap: Access and Federation

Basic Identity Management: Basic (Web) Access Management
Advanced Identity Management: Decentralized access management integration
Service-oriented Identity Management: Centralized federation services
Business-driven Identity Management: Integrated access management

Roadmap: Auditing, Policies and Compliance

Basic Identity Management: System-level auditing
Advanced Identity Management: Policy approaches on system level
Service-oriented Identity Management: Audit and compliance services
Business-driven Identity Management: Consistent, policy-driven compliance automation

Measuring your status: Fulfilment on different levels

[The same maturity matrix as in the Roadmap overview (the areas Trusted Identity, Provisioning and Role Management, Single Sign-On and Authentication, Access and Federation, and Auditing, Policies, and Compliance across Basic, Advanced, Service-oriented and Business-driven Identity Management), used here to mark the degree of fulfilment in each cell.]

Defining the next steps: Identifying work areas

[The same maturity matrix as in the Roadmap overview, used here to mark the target level per area and the work areas between the current status and the target.]

Target:
1. Business control of information
2. Integration with Business Service Management
3. Defined Application Security Infrastructure

Identity Management Roadmap: Fast Track

Define and implement a central ID concept

Create an identity service layer at least for storage and authentication

Start with business role management

Use pre-defined provisioning processes (GenericIAM)

Implement E-SSO

Use Federation whenever appropriate

Focus on policy-driven systems

Not complete, but feasible…

Vendor call to action: Missing technologies

Exchangeable provisioning processes – using BPEL?

Exchangeable policies

Standardization of audit log entries and interfaces

Role-driven, cross-platform/-vendor Information Rights Management

Optional enterprise entitlement to the system level