IAM E-GUIDE
PATECCO BEST PRACTICES IN
IDENTITY & ACCESS MANAGEMENT
- Identity & Access Management
- Privileged Account Management
- Public Key Infrastructure
- Microsoft Active Directory Integration
Table of Contents:
1. Introduction
2. Best Practices for IAM Implementation
3. Key Steps for Planning IAM Strategy
4. How to Achieve GDPR Compliance with IAM
5. Protect Your Business with Privileged Account Management
6. Building Public Key Infrastructure for Stronger User Verification and Identification
7. Microsoft Active Directory Integration. Designing, merging and separating IT organizations
Introduction
Identity and Access Management, or IAM, is the business and technology discipline concerned with the effective management of all users' access to an organisation's assets and facilities. IAM solutions give enterprises a secure and centralised approach to managing user identities and access permissions. They work across different technology platforms, consolidating all access controls on a single platform. In this way data security is improved, costs are reduced and administrators are relieved of the burden of managing access control on many diverse systems.
PATECCO is an international managed services company with a focus on Identity and Access Management, Cloud Access Control, Security Information and Event Management, Public Key Infrastructure and Privileged Account Management. PATECCO's strategy and unique technology help customers close security gaps and leverage standards and guidelines for easy application onboarding into IAM systems.
- PATECCO is independent: not a software reseller, with strong cooperation with vendors and product teams.
PATECCO ensures:
- Global capability: designing, deploying, managing and monitoring for clients of all sizes and industries around the world.
- Security: securing, accelerating and improving the broad view of IT processes in a heterogeneous IT landscape.
- Compliance: helping organizations meet compliance requirements.
- Flexibility: offering three levels of support for managed services: Remote, Onsite Support for Business Critical Issues, and Onsite on Demand.
- Industry expertise: investing in robust training programs to ensure that our consulting and managed services professionals deliver value, protect your organisation, and stay abreast of global trends and best practices.
Best Practices for IAM Implementation
Identity and Access Management has always been an ongoing process and an essential element of the enterprise infrastructure that demands continuous management. Even if you have already fully implemented your directory, it is useful to take advantage of best practices to help continuously manage this crucial part of your IT environment.
PATECCO's management team has long experience in executing projects across different industries. When it comes to IAM implementations, its experts know exactly what works effectively and what does not. For this article we have tapped the collective knowledge of these experts to come up with eight IAM implementation tactics. They will help you improve your identity management system to ensure better security, efficiency and compliance.
#1. Create a clear plan
IAM projects require excellent planning and project management expertise, with a project team representing the various stakeholders within the company. Most importantly, you need to have a business perspective and tie the phases of your IAM project to quantifiable business results and benefits. IAM solutions need regular care and feeding long after the initial go-live date, which means planning for follow-up optimizations is crucial.
#2. Implement IAM in phases
Implementing IAM in phases will definitely shorten the "time to value" of your project (the time before the business sees a distinct benefit), in the process giving you executive backing that will ensure the full funding of future phases.
#3. Define identities
Start by implementing a single, integrated system that ensures end-to-end management of employee identities and that retires orphaned identities at the appropriate time. This is where IT responsibility begins in the identity management lifecycle. You should also identify a primary directory service (often Active Directory) and a messaging system (such as Exchange Server).
#4. Implement workflow
Implementing workflow on the basis of "request and approval" provides a secure way to manage and document change. A self-service web-based interface enables users to request permission to the resources they need. It is necessary to define who can control that list of services and who is responsible for managing workflow designs.
#5. Make provisioning automated
Managing new users, users who leave the organisation, and users who are promoted or demoted within the organisation requires provisioning, de-provisioning and re-provisioning. Automating these tasks will reduce errors and improve consistency. Start with automating the basic add/change/delete tasks for user accounts, and then integrate additional tasks such as unlocking accounts.
#6. Manage roles
You will need a certain amount of inventorying and mining to precisely identify the major roles within your organisation, based on the resource permissions currently in force. When a user places a request, the owner of the affected data has the ability to review, approve or deny the request. It is also important to define who will manage these roles and to ensure that roles are created, modified and deactivated by authorised individuals following the proper workflow.
#7. Become compliant
Many companies are now affected by the GDPR regulations, and your identity management system plays a beneficial role in remaining compliant. You should focus on clearly defining and documenting the job roles that have control over your data, as well as the job roles that should have access to auditing information. Determine compliance rules, and assign each step to a responsible job role.
#8. Provide knowledge and control to business owners
After the IAM system implementation, you should let business data owners manage access to their data and provide central reporting and control over those permissions. For that purpose, education of both end users and the IT staff that will be charged with ongoing administration and operation is needed.
Key steps for planning IAM strategy
Identity and Access Management concerns everyone and everything inside an enterprise: it moderates workflow, enables users to share information quickly and easily, and establishes protocols that strike the proper balance between security and the level of openness required to conduct business in today's wired marketplace. The execution of IAM projects requires a well-defined strategy, adequate analysis and planning. It should be built on open standards, offer multifactor authentication and be able to scale, potentially to millions of users and devices.
In this article PATECCO shares several core pieces of advice for the successful implementation of your strategy:
Provide the right access for the right people
One of the essential parts of an effective IAM implementation is the ability to manage permissions accurately. The IAM system should be flexible enough to provide varying levels of access to employees. The next step is making a comprehensive audit of current practices. In this way you will know exactly what types of systems or processes are used by employees to share and transfer information.
Keep an Efficient User Experience
IAM technology should work properly and stringently, without affecting the user's experience. Organisations want employees to keep their data safe, in the place sanctioned by the IT department, whether it is in the cloud or in an internally managed storage facility. The IAM system should always provide a smooth user experience for better productivity.
Ensure Good IAM Governance
Good governance is critical for ensuring a consistent approach to risk and compliance. Governance not only determines the policies and procedures behind compliance, it also sets the broader organisational goals. It is very important to make sure that risk management and compliance guidelines are followed consistently throughout the company. You should also focus on several key areas such as efficient provisioning and de-provisioning procedures, handling privileged accounts with care and recording user actions.
Add Cloud-based IAM to Your Arsenal
If you want to increase efficiency and provide easy scalability, you can trust cloud-based identity and access management services. Identity and Access Management-as-a-Service (IDaaS) simplifies even the most complex user management challenges.
These systems are built in environments defined by strict access and security controls for both IT and physical assets. Scheduled backups and recovery plans prevent data loss, and access control measures are certified to industry standards with frequent audits.
Creating the right identity and access management strategy for your company requires knowledge, insight, consistent governance, and the flexibility to make changes along the way. In a world of rapidly changing technology, it is difficult to keep up effectively without a strategic vision that addresses usability and security while enabling a positive return on the IAM investment.
How to Achieve GDPR Compliance with IAM
With the anticipated publication of the European General Data Protection Regulation in May 2018, large and small enterprises are beginning to assess how the new Regulation will affect their data protection and privacy compliance programs. The new Regulation will likely affect companies based both in the EU and outside of the EU, so it is important to understand whether the Regulation will apply to them and, if so, what new requirements and obligations it will impose.
According to Matthias Reinwarth (Senior Analyst at KuppingerCole), "a strong, robust, reliable & trustworthy IAM strategy & capability is a core building block required to achieve compliance with GDPR." If done right, Identity and Access Management greatly improves the chances of GDPR success. It encompasses the practices and technologies to grant the right people appropriate access to the right systems, data, and applications. When your organization knows exactly who all your users are, what data those users have access to and what they are and are not able to do with that data, a breach is much less likely to happen. And even if a breach occurs, the impact is severely limited.
A core element of the GDPR is transparency, meaning that as a controller of personal data you need to be completely upfront with consumers about:
- How their data will be used
- How long it will be retained
- How you will notify individuals in the case of a breach
- Who will have access to the data (employees, and in some cases 3rd party business partners)
- The types of data you collect, and how it is processed (manually, automated)
You must consider all of these factors in terms of who should have access to this data and the potential ramifications of access to your organization's data by unauthorized internal or external persons or parties. They reinforce how critical it is to only provide access to data to those who need it to fulfil the requirements of their employment. For that purpose, you need to enforce IAM controls such as role-based access, explicit denial of access to data in cases of conflict of interest, and withdrawal of access when an employee leaves your organization.
Which IAM practices help your organization meet GDPR requirements?
In general, IAM aims to minimize unauthorized access to critical information and to prevent its disclosure, which is actually the main focus of the GDPR. The new Regulation defines many requirements for the secure storage of personal data. From an Identity and Access Management (IAM) perspective, executives who are responsible for information governance, compliance and security should be especially vigilant in managing personal data. It should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. Besides, appropriate technical and organizational measures should be implemented to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. These measures can be realised by using the following basic IAM technologies:
Multi-factor Authentication: It has a high level of importance in the battle to avoid compromised credentials. It must be done in a seamless manner that works across all channels and securely identifies and authenticates the user.
Access Governance/Provisioning: To make sure that users have appropriate access privileges to the necessary applications, and only the necessary applications (GDPR articles 25, 30 and 35), automated user provisioning is also needed. With user provisioning you can manage users on a group basis, meaning that when a new employee joins your organization, he/she will automatically inherit the access privileges associated with his/her job role. When the employee leaves the organization, his/her access privileges can be immediately revoked for all applications at once and the user account will be disabled.
Monitoring and Audit: A methodology should be established for periodic review of the access rights granted to all identities in the company's IT environment.
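The group-based provisioning just described (a joiner inherits the entitlements of a job role, a mover is re-provisioned, a leaver loses every entitlement at once and is disabled), the data-owner approval from tactic #6 and the periodic access review under "Monitoring and Audit", as one added Python example. This is illustrative code written for this guide, not PATECCO's or any IAM product's; the role catalogue, application names, user IDs and the HR list are constructed sample data.

```python
"""Role-based provisioning lifecycle (joiner / mover / leaver) plus a periodic
access review. Added example; all roles, applications and users are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed role catalogue: job role -> entitlements as (application, permission).
ROLE_CATALOGUE: dict[str, set[tuple[str, str]]] = {
    "finance-analyst": {("erp", "read"), ("erp", "post-journal"), ("mail", "user")},
    "sales-rep":       {("crm", "read"), ("crm", "write"), ("mail", "user")},
    "it-admin":        {("mail", "user"), ("ad", "account-operator")},
}


@dataclass
class Account:
    user_id: str
    roles: set[str] = field(default_factory=set)
    entitlements: set[tuple[str, str]] = field(default_factory=set)
    enabled: bool = True
    # Grants a data owner approved outside the role model (request/approval workflow).
    approved_exceptions: set[tuple[str, str]] = field(default_factory=set)


def entitlements_for(roles: set[str]) -> set[tuple[str, str]]:
    """Union of every entitlement the given job roles carry; unknown roles are an error."""
    missing = set(roles) - set(ROLE_CATALOGUE)
    if missing:
        raise KeyError(f"unknown roles: {sorted(missing)}")
    return set().union(*(ROLE_CATALOGUE[r] for r in roles))


class Provisioner:
    """Keeps each account's entitlements equal to what its roles (plus approved
    exceptions) justify, and records every grant/revoke for the audit trail."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[str, str, str, str]] = []   # (action, user, app, perm)

    def _reconcile(self, acct: Account) -> None:
        target = (entitlements_for(acct.roles) | acct.approved_exceptions) if acct.enabled else set()
        for app, perm in sorted(target - acct.entitlements):
            self.audit.append(("grant", acct.user_id, app, perm))
        for app, perm in sorted(acct.entitlements - target):
            self.audit.append(("revoke", acct.user_id, app, perm))
        acct.entitlements = target

    def joiner(self, user_id: str, roles: set[str]) -> Account:
        """New employee: account created, role entitlements inherited automatically."""
        acct = Account(user_id, set(roles))
        self.accounts[user_id] = acct
        self._reconcile(acct)
        return acct

    def mover(self, user_id: str, new_roles: set[str]) -> Account:
        """Promotion/demotion: old-role privileges revoked, new ones granted."""
        acct = self.accounts[user_id]
        acct.roles = set(new_roles)
        self._reconcile(acct)
        return acct

    def leaver(self, user_id: str) -> Account:
        """Employee leaves: every entitlement revoked at once and the account disabled."""
        acct = self.accounts[user_id]
        acct.enabled = False
        acct.roles.clear()
        acct.approved_exceptions.clear()
        self._reconcile(acct)
        return acct

    def approve_exception(self, user_id: str, app: str, perm: str) -> None:
        """A data owner approved a request that no role covers."""
        acct = self.accounts[user_id]
        acct.approved_exceptions.add((app, perm))
        self._reconcile(acct)

    def access_review(self, hr_active_users: set[str]) -> dict[str, list]:
        """Periodic review: enabled accounts HR no longer knows (orphans) and
        entitlements that neither a role nor an approval justifies."""
        findings: dict[str, list] = {"orphaned": [], "unjustified": []}
        for acct in self.accounts.values():
            if acct.enabled and acct.user_id not in hr_active_users:
                findings["orphaned"].append(acct.user_id)
            justified = entitlements_for(acct.roles) | acct.approved_exceptions
            for ent in sorted(acct.entitlements - justified):
                findings["unjustified"].append((acct.user_id, *ent))
        return findings
```

In a real deployment the `grant`/`revoke` audit entries would be pushed to the target systems (directory groups, application roles) by connectors; the point of the model is that the target state is always derived from role membership, so a leaver cannot retain a stray permission and the review can mechanically spot anything granted outside the process.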
Protect Your Business with Privileged Account Management
Privileged Account Management (PAM) focuses on the specific requirements of privileged user accounts in a company's IT infrastructure. PAM is used as an information security and governance tool to support companies in complying with legal and regulatory requirements. It also helps to prevent internal data misuse through privileged accounts, and where prevention fails, PAM should be used to detect and trace that abuse.
Typical rules for dealing with privileged identities and users, as well as accounts, can be found in standards, regulations and laws for specific industries.
PATECCO PAM Projects
- Demonstrate PAM capabilities allowing privileged users to have efficient and secure access to the systems they manage
- Ensure that audit and compliance requirements are met
- Offer a secure and streamlined way to authorize and monitor all privileged users for all relevant systems
- Implement privacy policies adhering to GDPR compliance
- Privileged Password Management (PPM) enables secure (encrypted) storage, release, control and change control of privileged passwords in a heterogeneous environment of systems and applications. A Privileged Password Manager also replaces embedded passwords that are encoded in scripts, procedures and programs.
- Privileged Session Management (PSM) provides control, monitoring and recording of sessions of high-risk users, including administrators and, for example, remote support providers. The audit trail should answer:
  • Who (user name / ID) checked out or checked in the privileged ID?
  • What role was requested and used, and what was done with it (Audit Trail / Session Recording)?
  • When (timestamp) was the privileged ID checked in or checked out?
  • On which application or system was the privileged ID used?
  • Where (IP address) was the check-out requested from?
  • Other factors, e.g. command detection
- Privileged Command Management (PCM) provides the ability to granularly delegate user access to specific programs, tasks and commands across multiple platforms. It provides command control capabilities with the ability to delegate privileges (sometimes called "elevation").
PAM implementation process
Over the past several years, PATECCO has developed strong skills in implementing PAM solutions, describing and designing the necessary processes, and connecting systems to these solutions. Its IT consulting team can offer best practices in the following functional PAM subsets:
1. Identity Consolidation
- Consolidate UNIX, Linux and LDAP identities under a single unique ID in Active Directory for centralized identity, role and privilege management and Kerberos-based authentication
- Delete or disable as many privileged accounts as possible to reduce the attack surface
2. Privileged Access Request
- Establish a solution (tool) that supports workflow-based privileged access requests across both SUPM and SAPM components for stronger security, governance and compliance
3. Super User Privilege Management (SUPM)
- Minimize the number of shared accounts and reduce/disable privileged accounts. Use host-based SUPM for least-privilege login with a unique ID and explicit privilege elevation wherever possible.
4. Shared Account Password Management (SAPM)
- Data breach mitigation is most effective when reducing the attack surface: reduce the number of privileged accounts as close to zero as possible and use SAPM only for emergency login scenarios such as "break glass".
5. Application to Application Password Management (AAPM)
- Replace plain-text passwords embedded in scripts with an API call to the company's SAPM service for better security and reduced IT administrative overhead.
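The SAPM check-out/check-in flow, the who/what/when/where audit trail listed under PSM above, and the AAPM replacement of an embedded script password with an API call, as one added Python example. It is illustrative code written for this guide, not PATECCO's and not any vendor's vault API: the `SapmService` class stands in for a real password vault (which would be reached over an authenticated HTTPS API), and the `backup-svc` account, the `db01` target, the identities and the IP addresses are constructed.

```python
"""Shared Account Password Management with an audit trail, and an AAPM client.
Added example; the vault is an in-memory stand-in and all names are constructed."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEvent:
    when: str        # timestamp (UTC, ISO 8601)
    who: str         # requesting user or application identity
    action: str      # "checkout", "checkin" or "denied"
    account: str     # the privileged account (what)
    target: str      # application or system it is used on (on which)
    source_ip: str   # where the request came from
    reason: str


class SapmService:
    """Stand-in for a password vault: passwords never live in scripts, every
    release is recorded, and the password is rotated when it is checked in."""

    def __init__(self) -> None:
        self._passwords: dict[str, str] = {}
        self._targets: dict[str, str] = {}
        self._authorised: dict[str, set[str]] = {}   # account -> identities allowed to check out
        self._checked_out: dict[str, str] = {}       # account -> current holder
        self.audit: list[AuditEvent] = []

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def enrol(self, account: str, target: str, authorised: set[str]) -> None:
        """Bring a privileged account under management with a vault-generated password."""
        self._passwords[account] = secrets.token_urlsafe(24)
        self._targets[account] = target
        self._authorised[account] = set(authorised)

    def checkout(self, who: str, account: str, source_ip: str, reason: str) -> str | None:
        """Release the password to an authorised identity; one holder at a time."""
        target = self._targets.get(account, "?")
        if who not in self._authorised.get(account, set()) or account in self._checked_out:
            self.audit.append(AuditEvent(self._now(), who, "denied", account, target, source_ip, reason))
            return None
        self._checked_out[account] = who
        self.audit.append(AuditEvent(self._now(), who, "checkout", account, target, source_ip, reason))
        return self._passwords[account]

    def checkin(self, who: str, account: str, source_ip: str) -> bool:
        """Return the account; the released password is rotated so it cannot be reused."""
        if self._checked_out.get(account) != who:
            return False
        del self._checked_out[account]
        self._passwords[account] = secrets.token_urlsafe(24)
        self.audit.append(AuditEvent(self._now(), who, "checkin", account,
                                     self._targets[account], source_ip, "password rotated"))
        return True

    def verify(self, account: str, password: str) -> bool:
        """What the target system does at login: constant-time compare with the current value."""
        return hmac.compare_digest(self._passwords.get(account, ""), password)

    def events_for(self, account: str) -> list[AuditEvent]:
        """The audit trail for one privileged account (who / what / when / where)."""
        return [e for e in self.audit if e.account == account]


# --- AAPM: before and after --------------------------------------------------
# Before (the pattern PAM removes): the credential sits in the script source, so
# anyone who can read the file, the repository or a backup of it has the password.
# DB_PASSWORD = "constructed-embedded-password"   # never do this

def run_backup_job(vault: SapmService, app_identity: str, source_ip: str) -> bool:
    """After: the job identifies itself to the SAPM service, receives a short-lived
    password, uses it, and checks it back in so the vault rotates it."""
    pw = vault.checkout(app_identity, "backup-svc", source_ip, "nightly backup")
    if pw is None:
        return False                                 # denied: recorded in the audit trail
    ok = vault.verify("backup-svc", pw)              # stands in for the real login to db01
    vault.checkin(app_identity, "backup-svc", source_ip)
    return ok
```

The `denied` events are the detection side of PAM mentioned above: a job or person asking for an account it is not entitled to, or asking while someone else holds it, leaves a record with the requesting identity and source address even though no password was released.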
Building Public Key Infrastructure for Stronger User Verification and Identification
Securing the keys and certificates that govern machine identities is becoming much more challenging. Not migrating your PKI to current standards could leave you vulnerable in multiple areas due to misconfiguration, weakened cryptographic configuration, expiration or outdated PKI design and architecture. A weakened PKI can degrade the trust associated with digital certificates and leave your organization prone to fraudulent certificate usage.
PATECCO prevents the problem through PKI migration and automation, which simplify complex operations, maintain security assurance, and facilitate future projects and growth.
The Germany-based company is a leading provider of trusted identity and security solutions enabling businesses and large enterprises around the world to secure online communications, manage millions of verified identities and automate authentication and encryption.
[Figure: PATECCO PKI Architecture]
PATECCO's PKI Capabilities
- PATECCO uses Public Key Infrastructure (PKI) as an effective method for implementing strong multi-factor authentication and for meeting security compliance regulations.
- PATECCO offers a practical way of assigning digital identities to all employees and machines, allowing secure access to data, networks and physical locations.
- PATECCO can implement PKI in the following high-security scenarios: S/MIME, data encryption, code signing, expiring user/server certificates, expiring CRLs, certificate automation and delivery, VPN/DirectAccess.
- PATECCO provides secure PKI migration to a new environment (following Microsoft baseline security rules) and PKI automation (PowerShell scripting automation of S/MIME user certificates).
PKI Migration
- During the PKI migration, PATECCO ensures that the old certificates are expired/revoked and new ones are issued within the updated PKI environment. Following Microsoft baseline security rules, it has the ability to seamlessly migrate to a newly deployed PKI without user or server downtime.
Key Benefits
- Consultants with years of PKI experience and knowledge of various approaches
- Protected internal infrastructure and efficient management of the employee life-cycle
- Saved valuable IT resources and reduced risk of expired certificates
- Assured compatibility and interoperability
PKI Automation
- PATECCO uses techniques to automate the recovery of mail encryption (S/MIME) certificates, with management of the process via FIM or MIM Certificate Management services.
- PKI Automation helps deliver on the promises of PKI and the goals of your IT strategy.
Key Benefits
- Automates your PKI security to reduce risks to your PKI infrastructure
- Ensures that the correct certificate is always requested and issued using the correct template and parameters
- Ensures that all endpoints requiring the new certificate to be installed are immediately addressed
- Provides the strongest levels of confidentiality and security for electronic communications
Key advantages of PATECCO PKI Management
- Bringing experience and expertise in using PKI and S/MIME technologies and applying them to solving cybersecurity problems
- Ensuring comprehensive security, operational efficiency and business continuity
- Automating certificate requests and renewals
- Continuous monitoring of keys and certificates for anomalies
- Rapid replacement of compromised keys and certificates
- Enforcing key and certificate security policies to maintain compliance
Microsoft Active Directory Integration
Designing, merging and separating IT organizations
Changes in companies are normal. Sometimes they merge with other companies, or sell or buy parts of a business. If they set up subsidiaries, that is a change as well. Merger and carve-out projects transform the company into a new organizational structure.
Older Active Directories are built with a lot of self-made scripts, and finding a consultant who can handle them is not easy. If you have a new, clean infrastructure, any Microsoft administrator can support it, which reduces the cost of administration.
Security is currently a very important point. It is easier to include new security solutions during the Active Directory migration or in a structure that follows Microsoft's best practices.
Benefits of using Active Directory Services
- Highly secure: it has policies and permissions for security at different levels
- Objects can be located anywhere physically yet access the domain/network's resources securely
- Easily scalable, highly flexible, readily extensible: millions of users can be added to a single domain
- Easy, efficient search mechanism to locate an object
- Centralized storage for users and departments, which makes backup and restore efficient, fast and easy
- Efficient and effective management of services
- Enables Single Sign-on (SSO), e.g. via logon script
- Centralized auditing: makes it easier to track all operations
Who can use Active Directory Services?
- Organisations that have a network setup
- Organisations which require 24/7 uptime
- Organisations where the number of users, computers or resources will keep changing
- Organisations where INFORMATION/DATA SECURITY is vital
- Organisations that operate in multiple locations
Key advantage of Active Directory Services
- Cost-effective management and control mechanism to control all the objects, resources and information in an organisation/network.
[Figure: Secure, Efficient, Flexible, Easy, Effective, Scalable]
PATECCO GmbH
Ringstrasse 72
44627 Herne, Germany
Telephone: +49 (0) 23 23 - 9 87 97 96
Telefax: +49 (0) 23 23 - 9 87 97 98
www.patecco.com