PATECCO BEST PRACTICES IN IDENTITY & ACCESS ...IAM E-GUIDE PATECCO BEST PRACTICES IN IDENTITY &...


IAM E-GUIDE

PATECCO BEST PRACTICES IN IDENTITY & ACCESS MANAGEMENT

o Identity & Access Management
o Privileged Account Management
o Public Key Infrastructure
o Microsoft Active Directory Integration

Table of Contents:

1. Introduction ... 3
2. Best Practices for IAM Implementation ... 4
3. Key Steps for Planning IAM Strategy ... 6
4. How to Achieve GDPR Compliance with IAM ... 8
5. Protect Your Business with Privileged Account Management ... 10
6. Building Public Key Infrastructure for Stronger User Verification and Identification ... 11
7. Microsoft Active Directory Integration. Designing, merging and separating IT organizations ... 16

Introduction

Identity and Access Management, or IAM, is the business and technology discipline concerned with effective management of all users' access to an organisation's assets and facilities. Identity and access management (IAM) solutions give enterprises a secure and centralized approach to managing user identities and access permissions. They work across different technology platforms, consolidating all access controls on a single platform. In this way data security is improved, costs are reduced and administrators are relieved of the burden of managing access control on many diverse systems.

PATECCO is an international managed services company with a focus on Identity and Access Management, Cloud Access Control, Security Information and Event Management, Public Key Infrastructure and Privileged Account Management. PATECCO's strategy and unique technology help customers to close security gaps and leverage standards and guidelines for easy application onboarding into IAM systems.

o PATECCO is independent: it is not a software reseller, and it cooperates closely with vendors and product teams.

PATECCO ensures:

o Global capability: Designing, deploying, managing and monitoring for clients of all sizes and industries around the world.
o Security: Securing, accelerating and improving the broad view of IT processes in a heterogeneous IT landscape.
o Compliance: Helping organizations meet compliance requirements.
o Flexibility: Offering 3 levels of support for managed services: Remote, Onsite Support for Business Critical Issues, and Onsite on Demand.
o Industry expertise: Investing in robust training programs to ensure that our consulting and managed services professionals deliver value, protect your organisation, and stay abreast of global trends and best practices.

Best Practices for IAM Implementation

Identity and Access Management has always been an ongoing process and an essential element of the enterprise's infrastructure that demands continuous management. Even if your directory is fully implemented, it is useful to take advantage of best practices to help continuously manage this crucial part of your IT environment.

PATECCO's management team has long experience in executing projects in different industries. When it comes to IAM implementations, its experts know exactly what works effectively and what does not. For this article we have tapped the collective knowledge of these experts to come up with the following eight IAM implementation tactics. They will help you improve your identity management system to ensure better security, efficiency and compliance.

#1. Create a clear plan

IAM projects require excellent planning and project management expertise, with a project team representing the various stakeholders within the company. Most importantly, you need to take a business perspective and tie the phases of your IAM project to quantifiable business results and benefits. IAM solutions need regular care and feeding long after the initial go-live date, which means that planning for follow-up optimizations is crucial.

#2. Implement IAM in phases

Implementing IAM in phases will definitely shorten the "time to value" of your project (the time before the business sees a distinct benefit), in the process giving you executive backing that will ensure the full funding of future phases.

#3. Define identities

Start by implementing a single, integrated system that ensures end-to-end management of employee identities and that retires orphaned identities at the appropriate time. This is where IT responsibility begins in the identity management lifecycle. You should also identify a primary directory service (often Active Directory) and a messaging system (such as Exchange Server).

#4. Implement workflow

Implementing workflow on the basis of "request and approval" provides a secure way to manage and document change. A self-service web-based interface enables users to request permission to the resources they need. It is necessary to define who can control that list of services and who is responsible for managing workflow designs.

#5. Make provisioning automated

Managing new users, users who leave the organisation, and users who are promoted or demoted within the organisation requires provisioning, de-provisioning and re-provisioning. Automating these will reduce errors and improve consistency. Start with automating the basic add/change/delete tasks for user accounts, and then integrate additional tasks such as unlocking accounts.

#6. Manage roles

You will need a certain amount of inventorying and mining to precisely identify the major roles within your organisation, based on the resource permissions currently in force. When a user places a request, the owner of the affected data has the ability to review, approve or deny the request. It is also important to define who will manage these roles and to ensure that roles are created, modified and deactivated by authorised individuals following the proper workflow.

#7. Become compliant

Many companies are now affected by the GDPR regulations, and your identity management system plays a beneficial role in remaining compliant. You should focus on clearly defining and documenting the job roles that have control over your data, as well as the job roles that should have access to auditing information. Determine compliance rules, and assign each step to a responsible job role.

#8. Provide knowledge and control to business owners

After the IAM system implementation, you should let business data owners manage access to their data and provide central reporting and control over those permissions. For that purpose, education of both end users and the IT staff that will be charged with ongoing administration and operation is needed.

Key steps for planning IAM strategy

Identity and Access Management concerns everyone and everything inside an enterprise: it moderates workflow, enables users to share information quickly and easily, and establishes protocols that strike the proper balance between security and the level of openness required to conduct business in today's wired marketplace. The execution of IAM projects requires a well-defined strategy, adequate analysis and planning. It should be built on open standards, offer multi-factor authentication and be able to scale, potentially to millions of users and devices.

In this article PATECCO shares several pieces of core advice for the successful implementation of your strategy:

Provide the right access for the right people

One of the essential parts of an effective IAM implementation is the ability to manage permissions accurately. The IAM system should be flexible enough to provide varying levels of access to employees. The next step is making a comprehensive audit of current practices. In this way you will know exactly what types of systems or processes are used by employees to share and transfer information.

Keep an Efficient User Experience

IAM technology should work properly and stringently, without affecting the user's experience. Organisations want employees to keep their data safe, in the place sanctioned by the IT department, whether it is in the cloud or in an internally managed storage facility. The IAM system should always provide a smooth user experience for better productivity.

Ensure Good IAM Governance

Good governance is critical for ensuring a consistent approach to risks and compliance. Governance not only determines the policies and procedures behind compliance, it also sets the broader organisational goals. It is very important to make sure that risk management and compliance guidelines are followed consistently throughout the company. You should also focus on several key areas, such as efficient provisioning and de-provisioning procedures, handling privileged accounts with care, and recording user actions.

Include Cloud-based IAM in Your Arsenal

If you want to increase efficiency and provide easy scalability, you can rely on cloud-based identity and access management services. Identity and Access Management-as-a-Service (IDaaS) simplifies even the most complex user management challenges.

These systems are built in environments defined by strict access and security controls for both IT and physical assets. Scheduled backups and recovery plans prevent data loss, and access control measures are certified to industry standards with frequent audits.

Creating the right identity and access management strategy for your company requires knowledge, insight, consistent governance, and the flexibility to make changes along the way. In a world of rapidly changing technology, it is difficult to keep up effectively without a strategic vision that addresses usability and security while enabling a positive return on the IAM investment.

How to Achieve GDPR Compliance with IAM

With the anticipated publication of the European General Data Protection Regulation in May 2018, large and small enterprises are beginning to assess how the new Regulation will affect their data protection and privacy compliance programs. The new Regulation will likely affect companies based both inside and outside the EU, so it is important to understand whether the Regulation will apply to them, and if so what new requirements and obligations the Regulation will impose.

According to Matthias Reinwarth (Senior Analyst at KuppingerCole), "a strong, robust, reliable & trustworthy IAM strategy & capability is a core building block required to achieve compliance with GDPR." If done right, Identity and Access Management greatly improves the chances for GDPR success. It encompasses the practices and technologies to grant the right people appropriate access to the right systems, data, and applications. When your organization knows exactly who all your users are, what data those users have access to, and what they are and are not able to do with that data, a breach is much less likely to happen. And even if a breach occurs, the impact is severely limited.

A core element of the GDPR is transparency, meaning that as a controller of personal data you need to be completely upfront with consumers about:

- how their data will be used
- how long it will be retained
- how you will notify individuals in the case of a breach
- who will have access to the data (employees, and in some cases 3rd-party business partners)
- the types of data you collect, and how it is processed (manually or automated)

You must consider all of these factors in terms of who should have access to this data and the potential ramifications of access to your organization's data by unauthorized internal or external persons or parties. They reinforce how critical it is to only provide access to data to those who need it to fulfil the requirements of their employment. For that purpose, you need to enforce IAM controls such as role-based access, explicit denial of access to data in cases of conflict of interest, and withdrawal of access when an employee leaves your organization.

Which IAM practices help your organization meet GDPR requirements?

In general, IAM aims to minimize unauthorized access to critical information and to prevent its disclosure, which is actually the main focus of the GDPR. The new Regulation defines many requirements for the secure storage of personal data. However, from an Identity and Access Management (IAM) perspective, executives who are responsible for information governance, compliance and security should be especially vigilant in managing personal data. It should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Besides, appropriate technical and organizational measures should be implemented to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. These measures can be realised by using the following basic IAM technologies:

Multi-factor Authentication: It has a high level of importance in the battle to avoid compromised credentials. It must be done in a seamless manner that works across all channels and securely identifies and authenticates the user.

Access Governance/Provisioning: To make sure that users have appropriate access privileges to the necessary applications, and only the necessary applications (GDPR articles 25, 30 and 35), automated user provisioning is also needed. With user provisioning you can manage users on a group basis, meaning that when a new employee joins your organization, he/she will automatically inherit the access privileges that are associated with his/her job role. When the employee leaves the organization, his/her access privileges can be immediately revoked for all applications at once and the user account will be disabled.

Monitoring and Audit: A methodology should be established for periodic review of the access rights granted to all identities in the company's IT environment.
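The provisioning, role management and access review practices described in this guide (tactics #5 and #6 on the earlier pages, and the Access Governance/Provisioning and Monitoring and Audit points above) can be shown in a small worked example. The code below is an added illustration, not PATECCO's code and not any product's API; the role catalogue, entitlement names and user IDs are constructed sample data, and the target systems are an in-memory dictionary standing in for a directory or provisioning connector.

```python
"""Added example (not PATECCO's code): role-based provisioning with
joiner/mover/leaver handling and a periodic access review.
All role names, entitlements and user IDs below are constructed sample
data; the target systems are an in-memory dict, not a real directory."""
from dataclasses import dataclass, field
from typing import Optional

# Role catalogue: job role -> entitlements ("application:permission").
# Constructed for this example; in practice it comes from role mining.
ROLE_CATALOGUE = {
    "hr_specialist": {"hris:read", "hris:write", "mail:mailbox"},
    "payroll_clerk": {"hris:read", "payroll:read", "payroll:write", "mail:mailbox"},
    "sales_rep": {"crm:read", "crm:write", "mail:mailbox"},
}


@dataclass
class Account:
    user_id: str
    role: Optional[str]                          # None once the person has left
    enabled: bool = True
    entitlements: set = field(default_factory=set)
    log: list = field(default_factory=list)      # change history for auditors


def entitlements_for(role):
    """Only roles created through the role workflow may be assigned."""
    if role not in ROLE_CATALOGUE:
        raise ValueError(f"unknown role {role!r}")
    return set(ROLE_CATALOGUE[role])


def joiner(accounts, user_id, role):
    """New employee: the account inherits exactly what the job role grants."""
    acct = Account(user_id, role, entitlements=entitlements_for(role))
    acct.log.append(("grant", sorted(acct.entitlements)))
    accounts[user_id] = acct
    return acct


def mover(accounts, user_id, new_role):
    """Promotion/demotion: grant what the new role needs, revoke the rest."""
    acct = accounts[user_id]
    target = entitlements_for(new_role)
    to_grant = target - acct.entitlements
    to_revoke = acct.entitlements - target
    acct.entitlements, acct.role = target, new_role
    acct.log.append(("grant", sorted(to_grant)))
    acct.log.append(("revoke", sorted(to_revoke)))
    return to_grant, to_revoke


def leaver(accounts, user_id):
    """Departure: revoke every entitlement at once and disable the account."""
    acct = accounts[user_id]
    revoked = set(acct.entitlements)
    acct.entitlements.clear()
    acct.enabled, acct.role = False, None
    acct.log.append(("revoke", sorted(revoked)))
    return revoked


def access_review(accounts):
    """Periodic review: flag access a role does not justify and disabled
    accounts that still hold access (orphaned entitlements)."""
    findings = []
    for acct in accounts.values():
        if not acct.enabled and acct.entitlements:
            findings.append((acct.user_id, "disabled account retains access",
                             sorted(acct.entitlements)))
        elif acct.role is not None:
            excess = acct.entitlements - entitlements_for(acct.role)
            if excess:
                findings.append((acct.user_id, "access not justified by role",
                                 sorted(excess)))
    return findings


if __name__ == "__main__":
    accounts = {}
    joiner(accounts, "u1001", "hr_specialist")
    print("mover:", mover(accounts, "u1001", "payroll_clerk"))
    accounts["u1001"].entitlements.add("crm:read")   # drift outside the workflow
    print("review:", access_review(accounts))
    print("leaver revoked:", sorted(leaver(accounts, "u1001")))
```

Run as a script, it shows the mover's grant and revoke sets, the review finding for the grant made outside the workflow, and the full revocation performed for the leaver. The review function is the piece that turns the "periodic review of access rights" requirement into something a job can run on a schedule.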

Protect Your Business with Privileged Account Management

Privileged Account Management (PAM) focuses on the specific requirements of privileged user accounts in a company's IT infrastructure. PAM is used as an information security and governance tool to support companies in complying with legal and regulatory requirements. It also helps to prevent internal data misuse through the use of privileged accounts. Where prevention fails, PAM should be used to detect and trace the abuse.

Typical regulations for dealing with privileged identities and users, as well as accounts, can be found in standards, regulations and laws for specific industries.

PATECCO PAM Projects

o Demonstrate PAM capabilities allowing privileged users to have efficient and secure access to the systems they manage
o Ensure that audit and compliance requirements are met
o Offer a secure and streamlined way to authorize and monitor all privileged users for all relevant systems
o Implement privacy policies adherent to GDPR compliance
o Privileged Password Management (PPM) enables secure (encrypted) storage, release, control and change control of privileged passwords in a heterogeneous environment of systems and applications. A Privileged Password Manager also replaces embedded passwords that are encoded in scripts, procedures and programs.
o Privileged Session Management (PSM) provides control, monitoring and recording of sessions of high-risk users, including administrators and, for example, remote support providers. The session record answers:

• Who (user name / ID) checked out or checked in the ID?
• What role was requested and used, and what was done with it (Audit Trail / Session Recording)?
• When (timestamp) was the privileged ID checked in or checked out?
• On which application or system was the privileged ID used?
• Where (IP address) was the check-out requested from?
• Other factors, e.g. command detection
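The who/what/when/where questions above are what a PAM audit trail has to answer after the fact. The following added example (not PATECCO's code and not any PAM product's log format) reconstructs sessions from privileged-ID check-out and check-in events and applies two simple review rules. The log lines, the record layout, the jump-host network range and the check-out time limit are all constructed assumptions.

```python
"""Added example (not PATECCO's code and not any PAM product's log format):
reconstructing the who/what/when/where audit trail from privileged-ID
check-out and check-in events. The log lines, the record layout, the
jump-host network and the session time limit are all constructed
assumptions for this example."""
import ipaddress
from datetime import datetime

# Constructed sample events: timestamp|event|user|privileged_id|target|source_ip
SAMPLE_LOG = """\
2024-03-04T08:01:10Z|CHECKOUT|alice|root@db01|db01|10.20.0.5
2024-03-04T08:41:55Z|CHECKIN|alice|root@db01|db01|10.20.0.5
2024-03-04T09:15:00Z|CHECKOUT|bob|Administrator@ad01|ad01|10.20.0.7
2024-03-04T22:03:12Z|CHECKOUT|carol|root@web02|web02|198.51.100.23
2024-03-04T22:09:40Z|CHECKIN|carol|root@web02|web02|198.51.100.23
"""

ADMIN_NETWORK = ipaddress.ip_network("10.20.0.0/24")   # assumed jump-host range
MAX_OPEN_MINUTES = 240                                 # assumed check-out limit


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(log_text):
    events = []
    for line in log_text.splitlines():
        ts, event, user, priv_id, target, ip = line.split("|")
        events.append({"time": parse_ts(ts), "event": event, "user": user,
                       "priv_id": priv_id, "target": target, "ip": ip})
    return events


def build_sessions(events):
    """Pair each CHECKOUT with the CHECKIN for the same user and privileged ID.
    Check-outs that were never checked in are kept with end=None."""
    open_sessions, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["priv_id"])
        if ev["event"] == "CHECKOUT":
            open_sessions[key] = ev
        elif ev["event"] == "CHECKIN" and key in open_sessions:
            start = open_sessions.pop(key)
            minutes = (ev["time"] - start["time"]).total_seconds() / 60
            sessions.append({**start, "end": ev["time"], "minutes": minutes})
    for start in open_sessions.values():
        sessions.append({**start, "end": None, "minutes": None})
    return sessions


def review_sessions(sessions, now):
    """Flag check-outs from outside the admin network and check-outs left
    open longer than the policy allows."""
    findings = []
    for s in sessions:
        where = f'{s["user"]} -> {s["priv_id"]} on {s["target"]} from {s["ip"]}'
        if ipaddress.ip_address(s["ip"]) not in ADMIN_NETWORK:
            findings.append(("check-out from outside admin network", where))
        if s["end"] is None:
            open_minutes = (now - s["time"]).total_seconds() / 60
            if open_minutes > MAX_OPEN_MINUTES:
                findings.append(("check-out never checked in", where))
    return findings


def run_review(log_text, now_iso):
    """Convenience entry point: parse, pair and review in one call."""
    sessions = build_sessions(parse_events(log_text))
    return sessions, review_sessions(sessions, parse_ts(now_iso))


if __name__ == "__main__":
    sessions, findings = run_review(SAMPLE_LOG, "2024-03-05T08:00:00Z")
    for s in sessions:
        print(s["user"], s["priv_id"], s["target"], s["time"], s["end"], s["minutes"])
    for f in findings:
        print("FINDING:", *f)
```

The pairing step is deliberately keyed on user and privileged ID together, so that two administrators checking out the same shared account do not get their sessions merged; a real deployment would add the session recording reference and the command-detection events to each record.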

o Privileged Command Management (PCM) provides the ability to granularly delegate user access to specific programs, tasks and commands across multiple platforms. It provides command control capabilities with the ability to delegate privileges (sometimes called "elevation").

PAM implementation process

Over the past several years, PATECCO has developed strong skills in implementing PAM solutions, describing and designing the necessary processes, and connecting systems to these solutions. Its IT consulting team can offer best practices in the following functional PAM subsets:

1. Identity Consolidation

o Consolidate UNIX, Linux and LDAP identities under a single unique ID in Active Directory for centralized identity, role, and privilege management and Kerberos-based authentication
o Delete or disable as many privileged accounts as possible to reduce the attack surface

2. Privileged Access Request

o Establish a solution (tool) that supports workflow-based privileged access requests across both SUPM and SAPM components for stronger security, governance, and compliance

3. Super User Privilege Management (SUPM)

o Minimize the number of shared accounts. Reduce/disable the number of privileged accounts. Use host-based SUPM for least-privilege login with a unique ID and explicit privilege elevation wherever possible.

4. Shared Account Password Management (SAPM)

o Data breach mitigation is most effective when reducing the attack surface: reducing the number of privileged accounts as close to zero as possible and only using SAPM for emergency login scenarios such as "break glass".

5. Application to Application Password Management (AAPM)

o Replace plain-text passwords embedded in scripts with an API call to the company's SAPM service for better security and reduced IT administrative overhead.
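The AAPM point above, and the PPM remark earlier that a privileged password manager replaces passwords embedded in scripts, are illustrated by the following added example. It is not PATECCO's code and does not use any vendor's SAPM API: a small scanner reports credentials embedded in script text, and an in-memory stand-in for a SAPM service shows the run-time retrieval that replaces them. The script fragment, account names and password values are constructed sample data.

```python
"""Added example (not PATECCO's code and not any vendor's SAPM API): the
before/after of Application-to-Application Password Management. A scanner
finds credentials embedded in scripts; an in-memory stand-in for a SAPM
service releases credentials at run time instead. Script text, account
names and password values are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# Constructed "before" fragment: the password lives in the script itself.
LEGACY_SCRIPT = '''\
$server = "db01"
$password = "Winter2023!"
Invoke-Backup -Server $server -User svc_backup -Password $password
'''

# Literal assignments to password-like names, and Password= in connection strings.
SECRET_PATTERNS = [
    re.compile(r'(?i)\$?(password|passwd|pwd|secret)\s*=\s*["\']([^"\']+)["\']'),
    re.compile(r'(?i)(password|pwd)=([^;\s"\']+)'),
]


def find_embedded_passwords(script_text):
    """Return (line_number, key_name) per hit; the secret value itself is not
    copied into the report, so the report can be shared safely."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((n, match.group(1).lower()))
                break
    return hits


class SapmVault:
    """In-memory stand-in for a shared-account password service: passwords are
    stored centrally, released only to registered applications, rotated without
    touching the scripts, and every release attempt is logged."""

    def __init__(self):
        self._secrets = {}      # account -> current password
        self._allowed = {}      # account -> application ids permitted to fetch it
        self.audit = []         # (time, app_id, account, outcome)

    def register(self, account, password, allowed_apps):
        self._secrets[account] = password
        self._allowed[account] = set(allowed_apps)

    def rotate(self, account, new_password):
        self._secrets[account] = new_password    # callers pick it up on next checkout

    def checkout(self, account, app_id, now=None):
        now = now or datetime.now(timezone.utc)
        allowed = app_id in self._allowed.get(account, set())
        self.audit.append((now, app_id, account, "released" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{app_id} is not authorised for {account}")
        # Short lease: the caller uses the value immediately and never stores it.
        return {"password": self._secrets[account],
                "expires": now + timedelta(minutes=5)}


def run_backup(vault, app_id):
    """The 'after' script: it holds no secret and asks the vault at run time.
    Returns the password length as a stand-in for the real backup call."""
    lease = vault.checkout("svc_backup", app_id)
    return len(lease["password"])


if __name__ == "__main__":
    print("embedded credentials:", find_embedded_passwords(LEGACY_SCRIPT))
    vault = SapmVault()
    vault.register("svc_backup", "initial-constructed-value", ["backup.ps1"])
    print("backup ran with password of length", run_backup(vault, "backup.ps1"))
    vault.rotate("svc_backup", "rotated-constructed-value")
    print("after rotation:", run_backup(vault, "backup.ps1"))
    print("audit:", vault.audit)
```

Two properties of the "after" arrangement are worth noting: rotating the shared account's password no longer requires editing any script, and every release attempt, including denied ones, lands in the vault's audit list, which is the trail the PAM section asks for.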

Building Public Key Infrastructure for Stronger User Verification and Identification

Securing the keys and certificates that govern machine identities is becoming much more challenging. Not migrating your PKI to current standards could leave you vulnerable in multiple areas due to misconfiguration, weakened cryptographic configuration, expiration, or outdated PKI design and architecture. A weakened PKI can degrade the trust associated with digital certificates and leave your organization prone to fraudulent certificate usage.

PATECCO addresses the problem with PKI migration and automation, which simplify complex operations, maintain security assurance, and facilitate future projects and growth.

The Germany-based company is a leading provider of trusted identity and security solutions enabling businesses and large enterprises around the world to secure online communications, manage millions of verified identities and automate authentication and encryption.

PATECCO PKI Architecture

PATECCO's PKI Capabilities

o PATECCO uses Public Key Infrastructure (PKI) as an effective method for implementing strong multi-factor authentication and for meeting security compliance regulations.
o PATECCO provides a way of assigning digital identities to all employees and machines, allowing secure access to data, networks and physical locations.
o PATECCO can implement PKI in the following high-security scenarios: S/MIME, data encryption, code signing, expiring user/server certificates, expiring CRLs, certificate automation and delivery, VPN/DirectAccess.
o PATECCO provides secure PKI migration to a new environment (following Microsoft baseline security rules) and PKI automation (PowerShell scripting automation of S/MIME user certificates).

PKI Migration

o During the PKI migration, PATECCO ensures that the old certificates are expired/revoked and new ones are issued within the updated PKI environment. Following Microsoft baseline security rules, it has the ability to seamlessly migrate to a newly deployed PKI without user or server downtime.

Key Benefits

o Consultants with years of PKI experience and knowledge of various approaches
o Protected internal infrastructure and efficient management of the employee life-cycle
o Saved valuable IT resources and reduced risk of expired certificates
o Assured compatibility and interoperability

PKI Automation

o PATECCO uses techniques to automate the recovery of mail encryption (S/MIME) certificates. Recovery of S/MIME certificates is automated, and the process is managed via FIM or MIM Certificate Management services.
o PKI automation helps deliver on the promises of PKI and the goals of your IT strategy.

Key Benefits

o Automates your PKI security to reduce risks to your PKI infrastructure
o Ensures that the correct certificate is always requested and issued using the correct template and parameters
o Ensures that all endpoints requiring the new certificate to be installed are immediately addressed
o Provides the strongest levels of confidentiality and security for electronic communications

Key advantages of PATECCO PKI Management

o Bringing experience and expertise in using PKI and S/MIME technologies and applying them towards solving cybersecurity problems
o Ensuring comprehensive security, operational efficiency, and business continuity
o Automating certificate requests and renewals
o Continuous monitoring of keys and certificates for anomalies
o Rapid replacement of compromised keys and certificates
o Enforcing key and certificate security policies to maintain compliance
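The PKI section names expiring user/server certificates, expiring CRLs, weakened cryptographic configuration and continuous monitoring as the problems automation is meant to catch. The following added example (not PATECCO's code and not its PowerShell automation) shows the kind of check a scheduled PKI health job performs over an inventory: it reports certificates that are expired or inside the renewal window, flags keys and signature algorithms below a policy floor, and warns when a CRL is stale or about to pass its next-update time. The inventory records, issuer names and policy thresholds are constructed assumptions.

```python
"""Added example (not PATECCO's code): a certificate and CRL health check of
the kind a PKI automation job runs ahead of expiry. The inventory records,
issuer names and policy thresholds are constructed assumptions for this
example; a real job reads the CA database or the endpoints themselves."""
from datetime import datetime, timedelta

RENEWAL_WINDOW = timedelta(days=30)   # assumed policy: renew within 30 days of expiry
CRL_WARNING = timedelta(days=3)       # assumed policy: republish CRL 3 days ahead
MIN_RSA_BITS = 2048                   # assumed policy floor for RSA keys
ALLOWED_SIG_ALGS = {"sha256WithRSAEncryption", "ecdsa-with-SHA256"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


# Constructed inventory; field names are this example's own.
CERTIFICATES = [
    {"subject": "CN=web01.example.test", "template": "WebServer",
     "not_after": "2024-04-10T00:00:00Z", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "CN=alice@example.test", "template": "SMIME",
     "not_after": "2024-09-01T00:00:00Z", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "CN=legacy-app", "template": "WebServer",
     "not_after": "2025-01-01T00:00:00Z", "key_bits": 1024,
     "sig_alg": "sha1WithRSAEncryption"},
    {"subject": "CN=old-vpn", "template": "VPN",
     "not_after": "2024-02-01T00:00:00Z", "key_bits": 2048,
     "sig_alg": "sha256WithRSAEncryption"},
]
CRLS = [
    {"issuer": "CN=Example Issuing CA 1", "next_update": "2024-03-20T00:00:00Z"},
    {"issuer": "CN=Example Issuing CA 2", "next_update": "2024-03-01T00:00:00Z"},
]


def check_certificates(certs, now):
    """Return (action, subject) pairs: expired, due for renewal, or weak."""
    actions = []
    for c in certs:
        expires = parse_ts(c["not_after"])
        if expires <= now:
            actions.append(("expired: replace immediately", c["subject"]))
        elif expires - now <= RENEWAL_WINDOW:
            days = (expires - now).days
            actions.append((f"renew: {days} days left, template {c['template']}",
                            c["subject"]))
        if c["key_bits"] < MIN_RSA_BITS or c["sig_alg"] not in ALLOWED_SIG_ALGS:
            actions.append(("weak key or signature: reissue with current template",
                            c["subject"]))
    return actions


def check_crls(crls, now):
    """A CRL past nextUpdate makes relying parties fail revocation checks."""
    alerts = []
    for crl in crls:
        next_update = parse_ts(crl["next_update"])
        if next_update <= now:
            alerts.append(("stale CRL: publish now", crl["issuer"]))
        elif next_update - now <= CRL_WARNING:
            alerts.append(("CRL due soon: schedule publication", crl["issuer"]))
    return alerts


def run_health_check(now_iso):
    """Run both checks for a given point in time (ISO 8601, UTC)."""
    now = parse_ts(now_iso)
    return check_certificates(CERTIFICATES, now), check_crls(CRLS, now)


if __name__ == "__main__":
    cert_actions, crl_alerts = run_health_check("2024-03-18T00:00:00Z")
    for item in cert_actions + crl_alerts:
        print(*item)
```

The renewal action carries the template name so the automation requests the replacement with the correct template and parameters, which is the "correct certificate, correct template" benefit listed above; the CRL check matters because an expired CRL breaks revocation checking for every relying party, not just one certificate.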

Microsoft Active Directory Integration
Designing, merging and separating IT organizations

Changes in companies are normal. Sometimes they merge with other companies, or sell or buy parts of a business. Setting up subsidiaries is a change as well. Merger and carve-out projects transform the company into a new organizational structure.

Older Active Directories are built with a lot of self-made scripts, and finding a consultant who can handle this is not easy. If you have a new, clean infrastructure, any Microsoft administrator can support it, and that reduces the cost of administration.

Security is currently a very important point. It is easier to include new security solutions during an Active Directory migration or in a structure that follows Microsoft's best practices.

Benefits of using Active Directory Services

o Highly secure: it has policies and permissions for security at different levels
o Objects can be located anywhere physically yet access the domain's/network's resources securely
o Easily scalable, highly flexible, readily extensible: millions of users can be added to a single domain
o Easy, efficient search mechanism to locate an object
o Centralized storage for users and departments, which makes backup and restore efficient, fast and easy
o Efficient and effective management of services
o Enables Single Sign-On (SSO), for example via logon scripts
o Centralized auditing: makes it easier to track all operations

Who can use Active Directory Services?

o Organisations that have a network setup
o Organisations which require 24/7 uptime
o Organisations where the number of users, computers or resources will keep changing
o Organisations where INFORMATION/DATA SECURITY is vital
o Organisations that operate in multiple locations

Key advantage of Active Directory Services

o Cost-effective management and control mechanism to control all the objects, resources and information in an organisation/network.

(Figure: Secure, Efficient, Flexible, Easy, Effective, Scalable)

PATECCO GmbH
Ringstrasse 72
44627 Herne, Germany

Telephone: +49 (0) 23 23 - 9 87 97 96
Telefax: +49 (0) 23 23 - 9 87 97 98
[email protected]
www.patecco.com