OIM.pptx

What is Identity Management?

• Provisioning
• Single Sign On
• PKI
• Strong Authentication
• Federation
• Directories
• Authorization
• Secure Remote Access
• Password Management
• Web Services Security
• Auditing & Reporting
• Role Management
• Digital Rights Management

Identity Management

Identity management is the combination of business process and technology used to manage the data about users held on IT systems and applications. Managed data includes user objects, identity attributes, security entitlements and authentication factors.

IAM technology can be used to initiate, capture, record and manage user identities and their related access permissions in an automated fashion. This ensures that access privileges are granted according to a single interpretation of policy, and that all individuals and services are properly authenticated, authorized and audited.

Definitions

• Identity Management (IDM): the process by which the components of an identity management system manage the account life cycle for network entities in an organization. It most commonly refers to the management of an organization's application users.

• Provisioning: a technology and process based solution for enforcing and managing the creation, reading, updating and deletion of user accounts according to a defined security policy. Provisioning is also a means of propagating security policy, for example by setting access rights on management systems based on group memberships and/or role assignments.

• Authentication: the process of verifying the identity claimed by an entity based on its credentials.

• Authorization: the process of determining whether a user has the right to access a requested resource.

• Authorization Policies: declarations that define the entitlements of a security principal and any constraints related to those entitlements.

• Account Life Cycle: the steps taken to provision access for a user to a given system resource.

• RBAC (Role-Based Access Control): providing access to a system resource based on programmatic logic driven by the user's roles.

• Authoritative Resource: the system of reference for employment status and position description.

• Target System Resource: the system or application where automated provisioning will occur.

• LDAP: the Lightweight Directory Access Protocol is an application protocol for querying and modifying directory services running over TCP/IP.

• Single Sign On: a property of access control across multiple related but independent software systems. With this property a user logs in once and gains access to all of the systems without being prompted to log in again at each of them. Single sign-off is the reverse property, whereby a single sign-out action terminates access to multiple software systems.

Identity Management overview

Midsize-to-large organization identity sources

• Active Directory
• Other directory services
• HR systems
• Databases
• Custom line-of-business (LOB) applications
• Third-party Software as a Service (SaaS) Web applications
• Local system accounts on Windows, Linux or Unix
• Email

Different kinds of users

• Enterprises manage identity data about two broad kinds of users:

• Insiders: including employees and contractors. Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex.

• Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than those about insiders.

Different kinds of identity data

• Just as there are different kinds of users whose identity an enterprise must manage, there are different kinds of data about these users that must be managed:

• Personal information. This includes names, contact information and demographic data such as gender or date of birth.

• Legal information. This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc.

• Login credentials to target systems. On most systems, this is a login ID and password. Identification may also use a PKI certificate, and authentication may use tokens, biometrics or a set of personal questions that the user must answer.

Key identity challenges

• Identity management presents several challenges in most organizations:

• Security: Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed?

• Consistency: User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc. The fact that each system has its own user profile management makes this difficult.

• Efficiency: Setting up a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly.

• Usability: When users access multiple systems, they may be presented with multiple login IDs, multiple passwords and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs.

• Reliability: User profile data should be reliable, especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely and accurate.

• Scalability: Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.
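The three Security questions above (do entitlements match needs, are segregation of duties rules violated, do rights outlive their need) can be answered mechanically once roles, entitlements and an authoritative employment status are held in one place. The Python below is an added example written for this transcript; it is not code from the slides or from any Oracle Identity Manager component, and the role catalogue, the SoD rule and the user records are constructed sample data.

```python
"""
Added example (not from the OIM slides): a small role-based access model
that answers the slide's three "Security" questions for each user:
  - excess:  rights held that no current role grants (should be removed)
  - missing: rights a role grants that are not yet provisioned
  - sod:     segregation-of-duties rules the held rights violate
Role names, entitlements, rules and users are all constructed sample data.
"""
from dataclasses import dataclass, field

# Role -> entitlements (constructed; a real catalogue comes from the IAM system)
ROLE_ENTITLEMENTS = {
    "employee":    {"email", "intranet"},
    "ap_clerk":    {"erp.invoice.create"},
    "ap_approver": {"erp.invoice.approve"},
    "db_admin":    {"oracle.sysdba"},
}

# Segregation-of-duties rules: sets of entitlements one person must never hold together
SOD_RULES = [
    frozenset({"erp.invoice.create", "erp.invoice.approve"}),
]


@dataclass
class User:
    login: str
    roles: set
    status: str                      # "active" or "terminated", from the authoritative HR source
    actual_entitlements: set = field(default_factory=set)  # what target systems grant today


def expected_entitlements(user):
    """Entitlements the user should hold: the union of their roles, nothing once terminated."""
    if user.status != "active":
        return set()
    ents = set()
    for role in user.roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(entitlements):
    """Return every SoD rule whose entitlements are all present in the given set."""
    return [rule for rule in SOD_RULES if rule <= entitlements]


def review(user):
    """Compare expected vs. actual entitlements for one user and return the findings."""
    expected = expected_entitlements(user)
    return {
        "excess": sorted(user.actual_entitlements - expected),
        "missing": sorted(expected - user.actual_entitlements),
        "sod": [sorted(rule) for rule in sod_violations(user.actual_entitlements)],
    }


# Constructed sample population showing one of each finding
SAMPLE_USERS = [
    User("alice", {"employee", "ap_clerk"}, "active",
         {"email", "intranet", "erp.invoice.create", "erp.invoice.approve"}),  # SoD breach
    User("bob", {"employee"}, "terminated", {"email", "oracle.sysdba"}),      # rights outlived need
    User("carol", {"employee", "db_admin"}, "active", {"email"}),             # under-provisioned
]


def run_review(users=SAMPLE_USERS):
    """Run the access review over a population; keyed by login for reporting."""
    return {u.login: review(u) for u in users}


if __name__ == "__main__":
    for login, findings in run_review().items():
        print(login, findings)
```

The review treats the HR status as authoritative: a terminated user's expected entitlement set is empty, so everything still granted shows up as excess, which is exactly the "rights persist after they are no longer needed" case. SoD is evaluated against what the targets actually grant, not against the role model, because that is where a violation does harm.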

Multiple Contexts

[Slide diagram: your company and your employees at the centre, surrounded by your suppliers, your partners, your remote and virtual employees, and your customers. Drivers shown: customer satisfaction and customer intimacy; cost competitiveness; reach and personalization; collaboration; outsourcing; faster business cycles and process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce.]

The Disconnected Reality

• “Identity Chaos”
– Lots of users and systems required to do business
– Multiple repositories of identity information; multiple user IDs, multiple passwords
– Decentralized management, ad hoc data sharing

[Slide diagram: an Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application and NOS, each holding its own Authentication, Authorization and Identity Data, with no integration between them.]

Pain Points

Stakeholders: Business Owner, End User, IT Admin, Developer, Security/Compliance

• Too expensive to reach new partners, channels
• Need for control
• Too many passwords
• Long waits for access to apps, resources
• Too many user stores and account admin requests
• Unsafe sync scripts
• Redundant code in each app
• Rework code too often
• Too many orphaned accounts
• Limited auditing ability

Identity Integration

[Slide diagram: an Identity Integration Server linked to the Enterprise Directory and to the HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application and Student Admin system; each system still holds its own Authentication, Authorization and Identity Data, but is now connected through the integration server.]

IAM Benefits

Benefits today (Tactical)

• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit

Benefits to take you forward (Strategic)

• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships

What is IDM? Identity and Access as a Service

Users of the service: End Users, Policy Managers, Apps & Services, DBAs

Service components:

• Self-Service
• Delegated Administration
• Identity & Role Lifecycle Management
• Identity Analytics
• Authentication & Authorization
• Monitoring
• Fraud Prevention
• Workflow
• RBAC & SoD

Benefits

• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and dev costs
• Enable online business networks
• Better end-user experience

Account Life Cycle: What are we capturing? Manual New-Hire Employee Provisioning Process

Step One: Employee is entered into the PeopleSoft HR system
· Payroll
· Benefits
· Job Data

Step Two: Manager submits forms & phone calls for access
· Facilities/Security
· Telecom
· MIS

Step Three: Helpdesk receives forms & assigns to the appropriate department
· LAN
· App SQL
· BAIS
· Facilities
· Database
· Storage Group
· Active Directory Account

Step Four: System admin per resource creates accounts & access
· AD Account
· Application access
· Telecom
· Facilities
· Desktop set up
· Security badge

Step Five: System Administrators & Physical access support teams notify the employee’s manager of the completed items. Manager approves & notifies new hire.

Account Life Cycle: What about removal of access? Manual Employee De-Provisioning Process

Trigger: employee leaves the City of Boston

Step One: HR is notified of the employee termination
· Payroll
· Benefits
· Job Data

Step Two: Manager submits forms & phone calls for access termination
· Facilities/Security
· Telecom
· MIS

Step Three: Helpdesk receives forms & assigns to the appropriate department
· LAN
· App SQL
· BAIS
· Facilities
· Database
· Storage Group
· Active Directory Account

Step Four: System admin per resource removes accounts & access
· AD Account
· Application access
· Telecom
· Facilities
· Desktop set up
· Security badge

Step Five: System Administrators & Physical access support teams notify the employee’s manager of the completed items. Manager is notified.
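The two manual processes above are what an automated provisioning engine replaces: the HR system is the authoritative resource for employment status, and each target system resource is reconciled against it so that joiners get accounts, leavers lose them, and accounts with no HR record at all (the "orphaned accounts" pain point) are surfaced. The Python below is an added example for this transcript, not code from the slides or from Oracle Identity Manager; the HR feed, the department-to-system policy, the account snapshot and the fixed "today" date are all constructed.

```python
"""
Added example (not from the OIM slides): reconcile an authoritative HR
feed against the accounts present on each target system and emit the
provisioning actions needed to close the gap.  Action kinds:
  create  - active employee lacks a required account
  disable - account exists but the employee is terminated or no longer entitled
  orphan  - account has no HR record at all
Every record, system name and policy entry below is constructed.
"""
from datetime import date

TODAY = date(2024, 3, 1)   # fixed "now" so the example is deterministic

# Authoritative source: one row per employee (constructed PeopleSoft-style feed)
HR_FEED = [
    {"emp_id": "1001", "login": "jdoe",   "dept": "Finance", "term_date": None},
    {"emp_id": "1002", "login": "asmith", "dept": "IT",      "term_date": date(2024, 2, 15)},
    {"emp_id": "1003", "login": "bwong",  "dept": "Finance", "term_date": None},
]

# Which target systems each department should hold an account on (constructed policy)
DEPT_SYSTEMS = {
    "Finance": {"ActiveDirectory", "ERP"},
    "IT":      {"ActiveDirectory", "ERP", "Database"},
}

# Accounts that currently exist on each target system (constructed snapshot)
TARGET_ACCOUNTS = {
    "ActiveDirectory": {"jdoe", "asmith", "oldtemp"},
    "ERP":             {"jdoe", "asmith"},
    "Database":        {"asmith"},
}


def is_active(rec, today=TODAY):
    """An employee is active until the day HR records as the termination date."""
    return rec["term_date"] is None or rec["term_date"] > today


def reconcile(hr_feed=HR_FEED, targets=TARGET_ACCOUNTS, today=TODAY):
    """Return sorted (action, system, login) tuples that bring targets in line with HR."""
    actions = []
    known_logins = {r["login"] for r in hr_feed}
    for rec in hr_feed:
        # A terminated employee is entitled to nothing, whatever their department policy says
        required = DEPT_SYSTEMS.get(rec["dept"], set()) if is_active(rec, today) else set()
        for system, accounts in targets.items():
            has_account = rec["login"] in accounts
            if has_account and system not in required:
                actions.append(("disable", system, rec["login"]))
            elif not has_account and system in required:
                actions.append(("create", system, rec["login"]))
    # Orphans: accounts on a target with no corresponding HR record
    for system, accounts in targets.items():
        for login in accounts - known_logins:
            actions.append(("orphan", system, login))
    return sorted(actions)


if __name__ == "__main__":
    for action in reconcile():
        print(*action)
```

Orphans are reported rather than disabled automatically because an account with no HR record may be a service account, a contractor missing from the feed, or a genuine leftover; the point of the reconciliation is to put every such account in front of a reviewer instead of letting it persist unnoticed.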

Relevant technologies: the solutions

Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process and managing data consistently across multiple systems.

• Directories
The cornerstone of many identity management and access governance infrastructures is a corporate directory. Major platform vendors make inexpensive, robust and scalable directory products. These include:
• Microsoft Active Directory.
• Novell eDirectory (built on top of NDS).
• Sun ONE Directory (formerly Netscape and then iPlanet LDAP).
• IBM Directory (formerly Tivoli Directory).
• Oracle Internet Directory (OID).

• Meta Directories
Meta directories are engines that synchronize data about users between different systems. Most modern IAG systems include what amounts to a meta directory, though it may not be labeled as such.

• Web access management / Web single sign-on
A Web access management (WebAM) / Web single sign-on (WebSSO) system is middleware used to manage authentication and authorization of users accessing one or more web-enabled applications. It supports single sign-on across systems and applications which do not natively support federation.

• Password management
Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.

• Enterprise single sign-on
Enterprise single sign-on (E-SSO) systems do just that: users sign into the E-SSO application, which stores every user's login ID and password to every supported application. Users launch applications through the E-SSO client software, which opens the appropriate client program and sends keystrokes to that program, simulating the user typing their own login ID and password.
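The meta directory described above is what keeps the same facts consistent under each system's own attribute names, which is the Consistency challenge raised earlier in the transcript (name, login ID, termination date and so on drifting between systems). The Python below is an added example for this transcript, not code from the slides or from any product; the attribute mappings, the HR record and the per-system profiles are constructed, and a real connector would use the product's own schema and write the changes back through its API.

```python
"""
Added example (not from the OIM slides): the core of a meta directory.
The HR record is authoritative for a handful of attributes; each
connected system stores the same facts under its own attribute names.
The engine projects the authoritative record into each system's schema,
diffs it against what the system currently holds, and returns the
updates required to remove the drift.  All names and values are constructed.
"""

# Authoritative HR attributes for one user (constructed)
HR_RECORD = {
    "given": "Jane",
    "surname": "Doe",
    "email": "jane.doe@example.com",
    "term_date": "",          # empty string = still employed
}

# Per-system mapping: authoritative attribute -> that system's attribute name (constructed)
MAPPINGS = {
    "ActiveDirectory": {"given": "givenName", "surname": "sn", "email": "mail"},
    "ERP":             {"given": "first_name", "surname": "last_name", "term_date": "end_date"},
}

# Current profile on each system, deliberately drifted (constructed)
SYSTEM_PROFILES = {
    "ActiveDirectory": {"givenName": "Jane", "sn": "Do", "mail": "jane.doe@example.com"},
    "ERP":             {"first_name": "Jane", "last_name": "Doe", "end_date": "2023-12-31"},
}


def project(record, mapping):
    """Render the authoritative record using a target system's attribute names."""
    return {sys_attr: record[src_attr] for src_attr, sys_attr in mapping.items()}


def diff(expected, actual):
    """Attributes whose value on the target differs from the authoritative value."""
    return {
        attr: {"expected": value, "actual": actual.get(attr)}
        for attr, value in expected.items()
        if actual.get(attr) != value
    }


def sync_plan(record=HR_RECORD, mappings=MAPPINGS, profiles=SYSTEM_PROFILES):
    """Per-system dict of attribute updates the meta directory should push."""
    plan = {}
    for system, mapping in mappings.items():
        changes = diff(project(record, mapping), profiles.get(system, {}))
        if changes:
            plan[system] = changes
    return plan


if __name__ == "__main__":
    for system, changes in sync_plan().items():
        for attr, c in changes.items():
            print(f"{system}: set {attr} = {c['expected']!r} (was {c['actual']!r})")
```

In the constructed data the directory holds a truncated surname and the ERP system holds a stale termination date for an employee HR still lists as active; the second case matters more, because a termination date that is wrong in either direction either locks out a working employee or leaves a leaver's access open.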

Conclusions

• Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise. It includes:

• Directories, especially those using LDAP.
• Password management.
• Enterprise single sign-on.
• Web access management and web single sign-on.
• User provisioning.
• Federation.