Identity Management Roadmap and Maturity Levels
Martin Kuppinger
Kuppinger Cole + Partner
Major Trends in Identity Management: Guidelines for an IAM roadmap
Service-orientation:
• Identity Management has to provide defined services for applications and systems
Integration in Business Service Lifecycles:
• Identity Management will become part of central approaches for Service Lifecycle Management, in the context of ITIL and change/configuration management
Convergence of Access Management and Federation:
• Federation will become increasingly important as a means of centralized, policy-driven access management
End-to-End Auditing:
• Auditing must be end-to-end, from the system up to the business level, to fulfill compliance requirements
Integrated user-centric IAM and "claims-based" approaches:
• Users and their open identities will be fully integrated in enterprise IAM models
• Claims and Federation as a means for identity interoperability
2 © Kuppinger Cole + Partner 2007
Level 1: Basic Identity Management
Trusted Identity
• Internal users (no customers, no suppliers, no partners)
• One trusted, central directory
Provisioning and Role Management
• Basic provisioning, mainly HR-driven, focus on creation of users
• No or rudimentary role management
Single Sign-On and Authentication
• None beyond the level of network operating systems (Windows authentication) and isolated SSO solutions
Access and Federation
• Web Access Management as point solution, no application integration
• No Federation
Auditing, Policies, and Compliance
• Auditing only on system level
• No consistent policy-driven approach
• If at all, only point solutions for compliance
Level 2: Advanced Identity Management
Trusted Identity
• Internal users, customers, suppliers
• One consistent view on identities, independent of the type of user
Provisioning and Role Management
• Defined processes for creation, change, and deletion of users, consistent across all types of user
• Basic role management on the provisioning layer
Single Sign-On and Authentication
• Enterprise Single Sign-On
• Strong authentication for internal users (two-factor)
Access and Federation
• Multiple Access Management concepts on portal, application server and web access management level
• Singular Federation implementations
Auditing, Policies, and Compliance
• Policy-driven control for singular systems, no consistent approach
• Auditing and compliance solutions on the system level, some degree of integration
Concept: Consistent identity
[Diagram: Employee, Customer and Supplier identities are mapped to one Central ID (with a defined syntax and roles), which in turn is mapped onto the accounts in System A, System B, System C, System D, System E, …]
Concept: Provisioning processes
[Diagram: requests such as "Add new user", "Change Attribute A", "Request Role B" and "Delete …" originate from the HR system, the OM department, managers and the HR department; each passes through a defined workflow into the Provisioning System, which propagates it to connected systems such as ERP, AD/eDir, LDAP, …]
Concept: "Distributed" Access Management
[Diagram, left: Web Access Management, where browsers reach App 1, App 2 and App 3 through a Policy Enforcement Point (PEP) backed by a Policy Decision Point (PDP). Right: Enterprise Portal, where browsers reach Portlet 1 to Portlet 4 through the Portal, which relies on a Directory. Caption: partial integration on different levels…]
Concept: Basic compliance integration
[Diagram: decentral audit logs from applications, the Provisioning System, the directory and the firewall are gathered as Centralized Log Data and evaluated by a Centralized Audit Application.]
Level 3: Service-oriented Identity Management
Trusted Identity
• Defined storage service interfaces
• Separating applications and identity storage, use of identity storage virtualization
Provisioning and Role Management
• External/open provisioning workflows
• Enterprise entitlement approaches in provisioning
• Enhanced role concepts
Single Sign-On and Authentication
• Authentication service, enabling Single Sign-On for applications
• Federation as a means for Single Sign-On
Access and Federation
• Federation as standard approach for distributed authentication and authorization
• Centralized federation services for service-oriented applications
Auditing, Policies, and Compliance
• Consistent policy approach across systems
• Audit log service interfaces for access to different logs
• Pre-defined compliance services
Concept: Identity storage services
[Diagram, three layers: an Application Layer (the applications), a Virtual Storage Layer (Virtual Directory Services exposing virtual directories) and a Physical Storage Layer (Active Directory, Corporate Directory, application directories, …). Caption: providing a virtual set of attributes to applications.]
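The storage-service idea above (applications see a defined, virtual attribute set while the physical directories stay separate) as an added Python example; this is not code from the Kuppinger Cole deck. The store names, attribute names, application names and every sample identity are constructed for illustration.

```python
"""Identity storage virtualization: one defined attribute interface per
application in front of several physical directories.

Added example, not code from the Kuppinger Cole deck. Store names,
attribute names, application names and all sample identities are
constructed for illustration.
"""

# Constructed physical stores, each keyed by the central ID.
ACTIVE_DIRECTORY = {
    "u1001": {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
              "memberOf": ["GG-Finance"]},
    "u1002": {"sAMAccountName": "asmith", "mail": "asmith@example.com",
              "memberOf": ["GG-Sales"]},
}
CORPORATE_DIRECTORY = {
    "u1001": {"cn": "Jane Doe", "department": "Finance", "employeeType": "employee"},
    "u1002": {"cn": "Alex Smith", "department": "Sales", "employeeType": "employee"},
    "c2001": {"cn": "Acme Ltd contact", "employeeType": "customer"},
}
APPLICATION_DIRECTORY = {
    "c2001": {"crm_login": "acme.contact", "crm_tier": "gold"},
}

# Virtual attribute -> (physical store, physical attribute). This mapping is
# the only place that knows where an attribute physically lives.
ATTRIBUTE_MAP = {
    "uid": ("ad", "sAMAccountName"),
    "mail": ("ad", "mail"),
    "groups": ("ad", "memberOf"),
    "displayName": ("corp", "cn"),
    "department": ("corp", "department"),
    "userType": ("corp", "employeeType"),
    "crmLogin": ("app", "crm_login"),
    "crmTier": ("app", "crm_tier"),
}

# Defined storage service interface: the virtual attributes each application
# may read. Anything not listed is never returned to that application.
APPLICATION_VIEWS = {
    "payroll": {"uid", "displayName", "department", "userType"},
    "crm": {"displayName", "userType", "crmLogin", "crmTier"},
}


class VirtualDirectory:
    """Joins physical stores on the central ID and serves per-application views."""

    def __init__(self, stores):
        self.stores = stores  # store name -> {central_id: {attr: value}}

    def known(self, central_id):
        return any(central_id in store for store in self.stores.values())

    def lookup(self, central_id, app):
        if app not in APPLICATION_VIEWS:
            raise PermissionError(f"no storage service interface defined for {app!r}")
        if not self.known(central_id):
            return None
        view = {}
        for vattr in sorted(APPLICATION_VIEWS[app]):
            store, pattr = ATTRIBUTE_MAP[vattr]
            value = self.stores[store].get(central_id, {}).get(pattr)
            if value is not None:  # attribute absent in that store: simply omitted
                view[vattr] = value
        return view


VIRTUAL_DIRECTORY = VirtualDirectory(
    {"ad": ACTIVE_DIRECTORY, "corp": CORPORATE_DIRECTORY, "app": APPLICATION_DIRECTORY}
)


def resolve(central_id, app):
    """Entry point: the attribute set that `app` is allowed to see for `central_id`."""
    return VIRTUAL_DIRECTORY.lookup(central_id, app)


if __name__ == "__main__":
    print(resolve("u1001", "payroll"))
    print(resolve("c2001", "crm"))
```

The point of the per-application view is that an application integrates against the virtual attribute names only; moving an attribute from one physical directory to another changes `ATTRIBUTE_MAP` and nothing in the application, and attributes outside an application's view (here `mail` for the CRM) are never handed out.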
Concept: Further identity services
[Diagram, three layers: an Application Layer; an Identity Service Layer forming the Application Security Infrastructure, with Authentication Services, Federation Services, Compliance Services and Log Services; and an Identity Management Layer with Active Directory, LDAP and a Federation Hub.]
Concept: Provisioning and enterprise entitlement
[Diagram comparing two stacks above the Connected Systems Layer. Today: the Provisioning System covers workflows, account management, group/role assignment and rights assignment. "Tomorrow" (optional): workflows move to a separate Workflow System, the Provisioning System covers account management and group/role assignment, and rights assignment appears as a separate block of its own.]
Level 4: Business-driven Identity Management
Trusted Identity
• Full integration with external identities and user-centric IAM
• Integration of all identity systems (e.g. CRM, Supplier Management, …)
Provisioning and Role Management
• Business role management for control of information and system access
• Role-driven Information Rights Management
• Full integration into business service management
Single Sign-On and Authentication
• Single Sign-On for all types of users with the appropriate mechanism
Access and Federation
• Consistent access management and authorization in integration with federation technologies and business-driven control
Auditing, Policies, and Compliance
• Cross-system policies for control of information and system access
• Consistent compliance automation across all systems
Concept: Consistent identities and Sign-On
Example: Customer identity
[Diagram: a Digital Customer's "Internet" ID (e.g. OpenID) maps to an "Enterprise" ID, the Central ID, which in turn maps to the still existing accounts and systems holding customer data: CRM, ERP, legacy applications, …]
Concept: Business-driven control of information and systems
Business Role Management: assignment through the department manager
Information Rights Management: assignment through the information owner
Mapping of business roles to "tech roles/groups": provisioning layer
Assignment of concrete rights: controlled through business, implemented consistently from the business layer to the system layer
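The three-layer model above (business roles assigned by department managers, mapped on the provisioning layer to technical roles/groups, which carry the concrete rights per system, with information rights owned by the information owner) together with the defined create/change/delete processes of the earlier "Provisioning processes" concept, as an added Python example. This is not code from the Kuppinger Cole deck; every role name, system, right and person is constructed for illustration.

```python
"""Business-driven control: business roles, technical roles/groups and
concrete rights as three layers of a provisioning process.

Added example, not code from the Kuppinger Cole deck. Role names, system
names, rights and the people involved are constructed for illustration.
"""
from collections import defaultdict

# Business layer -> provisioning layer: business role to technical roles/groups.
BUSINESS_TO_TECH = {
    "Accountant": ["ERP:AP_CLERK", "AD:GG-Finance"],
    "Sales Rep": ["CRM:SALES_USER", "AD:GG-Sales"],
}
# Provisioning layer -> system layer: technical role/group to concrete rights.
TECH_TO_RIGHTS = {
    "ERP:AP_CLERK": {"ERP": {"invoice.read", "invoice.post"}},
    "AD:GG-Finance": {"AD": {"share:finance:read"}},
    "CRM:SALES_USER": {"CRM": {"opportunity.read", "opportunity.write"}},
    "AD:GG-Sales": {"AD": {"share:sales:read"}},
}
# Information rights: information class -> its owner and the business roles allowed.
INFORMATION_RIGHTS = {
    "FinancialReports": {"owner": "cfo", "allowed_roles": {"Accountant"}},
}
DEPT_MANAGERS = {"Finance": "fin-mgr", "Sales": "sales-mgr"}


class Provisioning:
    def __init__(self):
        self.business_roles = defaultdict(set)  # user -> business roles
        # Private copy so that owner decisions do not leak between instances.
        self.info_rights = {k: {"owner": v["owner"], "allowed_roles": set(v["allowed_roles"])}
                            for k, v in INFORMATION_RIGHTS.items()}
        self.audit = []  # (decision, requester, object, role): the provisioning audit log

    def assign_business_role(self, requester, user, department, role):
        """Defined creation/change process: only the department manager may assign."""
        if DEPT_MANAGERS.get(department) != requester:
            self.audit.append(("DENY", requester, user, role))
            return False
        if role not in BUSINESS_TO_TECH:
            raise ValueError(f"unknown business role {role!r}")
        self.business_roles[user].add(role)
        self.audit.append(("ASSIGN", requester, user, role))
        return True

    def grant_information_access(self, requester, info_class, role):
        """Information rights: only the information owner may open a class to a role."""
        entry = self.info_rights[info_class]
        if entry["owner"] != requester:
            self.audit.append(("DENY", requester, info_class, role))
            return False
        entry["allowed_roles"].add(role)
        self.audit.append(("GRANT", requester, info_class, role))
        return True

    def deprovision(self, requester, user, department):
        """Defined deletion process: removing every business role removes all derived rights."""
        if DEPT_MANAGERS.get(department) != requester:
            self.audit.append(("DENY", requester, user, "*"))
            return False
        self.business_roles.pop(user, None)
        self.audit.append(("REMOVE", requester, user, "*"))
        return True

    def effective_rights(self, user):
        """Resolve business roles through technical roles down to the rights per system."""
        rights = defaultdict(set)
        for brole in self.business_roles.get(user, set()):
            for trole in BUSINESS_TO_TECH[brole]:
                for system, perms in TECH_TO_RIGHTS[trole].items():
                    rights[system] |= perms
        return dict(rights)

    def may_read_information(self, user, info_class):
        """Information access is decided on business roles, never on technical groups."""
        allowed = self.info_rights[info_class]["allowed_roles"]
        return bool(self.business_roles.get(user, set()) & allowed)


if __name__ == "__main__":
    p = Provisioning()
    p.assign_business_role("fin-mgr", "jdoe", "Finance", "Accountant")
    print(p.effective_rights("jdoe"))
    print(p.audit)
```

Nothing below the business layer is ever assigned directly to a user: a request that is not made by the responsible manager or owner is denied and logged, and deprovisioning a user on the business layer is enough to make every derived system right disappear.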
Concept: Business service integration
[Diagram: Business Requirements drive Business Service Management (Portfolio Management, Quality Management, Change & Configuration, Request Management), which controls the Identity Services (Identity Storage, Federation, Compliance, Authentication, …).]
Concept: Compliance automation
[Diagram: Compliance Policies, a Compliance Dashboard, Audit Log Collection from System A, System B, System C and System D, and Policy Enforcement on those systems.]
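Compliance automation as drawn above, and the earlier "Basic compliance integration" concept it grows out of, as an added Python example that is not code from the Kuppinger Cole deck: audit logs in three different constructed formats are collected, normalized to one schema, compliance policies are evaluated over the normalized stream, and the result is summarized dashboard-style. The log formats, systems, accounts and both policies are constructed; the common entry schema is an assumption standing in for the standardized audit log entries the deck's vendor call asks for.

```python
"""Compliance automation over decentral audit logs.

Added example, not code from the Kuppinger Cole deck. The three log
formats, the systems, the accounts and both policies are constructed;
the normalized schema (ts, system, subject, action, detail) is an
assumption, not a standard.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed decentral audit logs, one format per system.
HR_SYSTEM_LOG = [
    "2007-03-01T09:00:00 TERMINATE employee=jdoe",
    "2007-03-02T10:00:00 TERMINATE employee=asmith",
]
DIRECTORY_LOG = [
    '<audit ts="2007-03-02T08:00:00" action="disable" account="jdoe"/>',
    '<audit ts="2007-03-03T12:00:00" action="disable" account="ghost"/>',
]
APPLICATION_LOG = [
    '{"ts": "2007-03-03T11:15:00", "user": "root-admin", "event": "login", "auth": "password"}',
    '{"ts": "2007-03-03T11:20:00", "user": "bwhite", "event": "login", "auth": "otp"}',
    '{"ts": "2007-03-03T11:25:00", "user": "erp-admin", "event": "login", "auth": "smartcard"}',
]
PRIVILEGED_ACCOUNTS = {"root-admin", "erp-admin"}  # constructed
STRONG_AUTH = {"otp", "smartcard"}                 # constructed

HR_RE = re.compile(r"^(\S+) (\w+) employee=(\S+)$")
XML_RE = re.compile(r'ts="([^"]+)" action="([^"]+)" account="([^"]+)"')


def normalize(hr_lines, dir_lines, app_lines):
    """Audit log collection: parse each source into the common entry schema."""
    entries = []
    for line in hr_lines:
        ts, action, subject = HR_RE.match(line).groups()
        entries.append({"ts": datetime.fromisoformat(ts), "system": "HR",
                        "subject": subject, "action": action.lower(), "detail": {}})
    for line in dir_lines:
        ts, action, subject = XML_RE.search(line).groups()
        entries.append({"ts": datetime.fromisoformat(ts), "system": "Directory",
                        "subject": subject, "action": action, "detail": {}})
    for line in app_lines:
        rec = json.loads(line)
        entries.append({"ts": datetime.fromisoformat(rec["ts"]), "system": "App",
                        "subject": rec["user"], "action": rec["event"],
                        "detail": {"auth": rec["auth"]}})
    return sorted(entries, key=lambda e: e["ts"])


def policy_leaver_disabled(entries, max_delay=timedelta(hours=24)):
    """Every HR termination must be followed by a directory disable within max_delay.
    A disable recorded before the termination also counts as fulfilled."""
    disables = {e["subject"]: e["ts"] for e in entries
                if e["system"] == "Directory" and e["action"] == "disable"}
    violations = []
    for e in entries:
        if e["system"] == "HR" and e["action"] == "terminate":
            done = disables.get(e["subject"])
            if done is None or done - e["ts"] > max_delay:
                violations.append(e["subject"])
    return violations


def policy_privileged_strong_auth(entries):
    """Privileged accounts must log in with strong authentication only."""
    return [e["subject"] for e in entries
            if e["action"] == "login" and e["subject"] in PRIVILEGED_ACCOUNTS
            and e["detail"].get("auth") not in STRONG_AUTH]


POLICIES = {
    "leaver-disabled-within-24h": policy_leaver_disabled,
    "privileged-strong-auth": policy_privileged_strong_auth,
}


def compliance_dashboard(hr_lines=HR_SYSTEM_LOG, dir_lines=DIRECTORY_LOG,
                         app_lines=APPLICATION_LOG):
    """Evaluate every policy over the normalized stream; one dashboard row per policy."""
    entries = normalize(hr_lines, dir_lines, app_lines)
    return {name: {"status": "FAIL" if violations else "PASS", "violations": violations}
            for name, violations in ((n, p(entries)) for n, p in POLICIES.items())}


if __name__ == "__main__":
    for name, row in compliance_dashboard().items():
        print(f"{name:30s} {row['status']}  {row['violations']}")
```

The policies are written once against the normalized schema, not against any one system's log format; that is what lets a new source be added by writing a parser only, and it is exactly where missing standardization of audit log entries hurts in practice.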
Roadmap: Trusted identity
Basic Identity Management: Establishing Identity Information Quality
Advanced Identity Management: Establishing a central ID concept
Service-oriented Identity Management: Separating ID storage from applications and systems
Business-driven Identity Management: Integrating ID-driven business systems
Roadmap overview
Columns per track, in level order: Basic Identity Management | Advanced Identity Management | Service-oriented Identity Management | Business-driven Identity Management
Trusted Identity: Establishing Identity Information Quality | Establishing a central ID concept | Separating ID storage from systems and applications | Integrating ID-driven business systems
Provisioning and Role Management: Basic provisioning processes | Role-based, complete Provisioning | Enhanced role and entitlement management | Business role-driven, Business service-driven; provisioning management service-driven
Single Sign-On and Authentication: System-oriented, decentralized Sign-On | E-SSO w/ strong authentication | Defined authentication services | SSO for all types of users
Access and Federation: Basic (Web) Access Management | Decentralized access management integration | Centralized federation services | Integrated access management
Auditing, Policies, and Compliance: System-level auditing | Policy approaches on system level | Audit and compliance services | Consistent, policy-driven compliance automation
Roadmap: Provisioning and Role Management
Basic Identity Management: Basic provisioning processes
Advanced Identity Management: Role-based, complete Provisioning
Service-oriented Identity Management: Enhanced role and entitlement management
Business-driven Identity Management: Business role-driven, Business service-driven
Roadmap: Single Sign-On and Authentication
Basic Identity Management: System-oriented, decentralized Sign-On
Advanced Identity Management: E-SSO w/ strong authentication
Service-oriented Identity Management: Defined authentication services
Business-driven Identity Management: SSO for all types of users
Roadmap: Access and Federation
Basic Identity Management: Basic (Web) Access Management
Advanced Identity Management: Decentralized access management integration
Service-oriented Identity Management: Centralized federation services
Business-driven Identity Management: Integrated access management
Roadmap: Auditing, Policies and Compliance
Basic Identity Management: System-level auditing
Advanced Identity Management: Policy approaches on system level
Service-oriented Identity Management: Audit and compliance services
Business-driven Identity Management: Consistent, policy-driven compliance automation
Measuring your status: Fulfilment on different levels
[Same level/track matrix as in the Roadmap overview (four levels, five tracks), used here to mark the degree of fulfilment reached in each cell.]
Defining the next steps: Identifying work areas
[Same level/track matrix as in the Roadmap overview (four levels, five tracks), used here to mark the target cells.]
Target:
1. Business control of information
2. Integration with Business Service Management
3. Defined Application Security Infrastructure
Identity Management Roadmap: Fast Track
Define and implement a central ID concept
Create an identity service layer at least for storage and authentication
Start with business role management
Use pre-defined provisioning processes (GenericIAM)
Implement E-SSO
Use Federation whenever appropriate
Focus on policy-driven systems
Not complete, but feasible…
Vendor call to action: Missing technologies
Exchangeable provisioning processes – using BPEL?
Exchangeable policies
Standardization of audit log entries and interfaces
Role-driven, cross-platform/-vendor Information Rights Management
Optional enterprise entitlement to the system level