Providing Comprehensive Identity Management Across Multiple Business Units
Patrick Landry, IT Technical Director, USAA
@PatrickDLandry
Identity Proofing
• First level of assurance
• Background checks
• Standards based (BYOI)
• If wrong, all efforts are at risk
Identity life cycle fundamentals
• Joiner – Identity, Accounts, Accesses
• Mover – Remove Revoked, Certify Remaining, Remove Elevated
• Leaver – Lock/Logoff, Prevent Login, Mobile Threat
Joiner – One Identity…Many Accounts
• HR – Inbound; Triggers Changes
• AD/RACF – Server Farm; Admin
• Cloud – Team Share; Work Files; Outlook; Worker Folder
• App1 – App Ent1; App Ent2
• App2 – App Ent2; App Role2
Provisioning types: Zero Day, Birthright, Request Based
What it looked like for us
• Onboarding (5 days) – started before worker arrives!
• Day Zero for Worker
• Access Request (2 days)
• All Access Provisioned (3 days)
Total time from acceptance to productivity = 10 days; 5 workers over an 8 day cycle
What it looks like now
• Day Zero for Worker
• Onboarding (2 minutes)
• Birthright Provisioning (<1 day)
• Request Submission (immediate)
• All Access Provisioned (2 days)
Total time from acceptance to productivity = 2 days; 1 worker for <30 minutes
Joiner – What did we do?
• Automation
• Improved Accuracy
• Removed NVA Tasks
Mover – Where the Risk hits the Road
• Automatically remove privileged administrative access
• What about high-risk business access?
• Segregation of Duties
• Access Certification
• But…I need {worker} to keep their old accesses until I can backfill them
Privileged Access Removal
• Administrative Entitlements
– Remove highest risk roles/entitlements
– Key risk control! – measure it
• High Risk Business Applications
– Business partners love this option
– Separate process
Event Driven Certifications
• Review all remaining roles/entitlements
– Direct manager accountability
– Exempt rules provisioning
• Limit time for review (2 weeks)
• Set workload expectations
• Must have ‘teeth’ to be effective
Leaver – Should be easy, but…
• Real-Time considerations
• Scheduled terminations
• Close all the gaps!
• Don’t forget mobile
Great risk if not complete
• Scan the network for logins/remove them
• Real-Time and Scheduled options
• Watch those external applications – ESSO closes the gap
• Mobile Device Management Considerations
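The joiner, mover and leaver rules spread across the preceding slides fit in one small policy engine. The block below is an added example, not USAA's or the presenter's code; the entitlement catalog, risk tiers, worker scenario, the 14-day certification window and the 30-day cap on backfill exceptions are constructed assumptions. It shows birthright provisioning on join, automatic removal of elevated access on a move with a time-boxed "keep it until I backfill" exception, event-driven certification that revokes anything a manager fails to review in the window (the "teeth"), scheduled termination that prevents login and logs off live sessions before revoking accounts, and a gap scan for disabled identities that still hold access.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed entitlement catalog (an assumption, not the deck's data):
# name -> (risk tier, granted as birthright on join?)
#   "elevated"      administrative entitlement, removed automatically on a move
#   "high_business" high-risk business access, referred to a separate process
#   "standard"      everything else; certified by the new manager after a move
CATALOG = {
    "ad-account":    ("standard", True),
    "email":         ("standard", True),
    "team-share":    ("standard", True),
    "app1-ent1":     ("standard", False),
    "server-admin":  ("elevated", False),
    "wire-approver": ("high_business", False),
}
CERT_WINDOW = timedelta(days=14)    # deck: limit the certification review to 2 weeks
MAX_BACKFILL = timedelta(days=30)   # assumption: hard cap on "keep it until I backfill"


@dataclass
class Worker:
    worker_id: str
    dept: str
    manager: str
    entitlements: set = field(default_factory=set)
    enabled: bool = True
    sessions: set = field(default_factory=set)        # hosts with a live login
    pending_cert: dict = field(default_factory=dict)  # entitlement -> review deadline
    exceptions: dict = field(default_factory=dict)    # entitlement -> exception expiry
    term_date: datetime = None                        # scheduled termination


class LifecycleEngine:
    def __init__(self):
        self.workers = {}
        self.log = []  # (action, worker_id, target): the audit trail control partners ask for

    def _act(self, action, wid, target=""):
        self.log.append((action, wid, target))

    # Joiner: one identity, birthright accounts by rule, the rest by request.
    def join(self, wid, dept, manager):
        w = self.workers[wid] = Worker(wid, dept, manager)
        for ent, (_tier, birthright) in CATALOG.items():
            if birthright:
                w.entitlements.add(ent)
                self._act("provision", wid, ent)
        return w

    def grant(self, wid, ent):
        self.workers[wid].entitlements.add(ent)
        self._act("provision", wid, ent)

    # Mover: drop elevated access now, refer high-risk business access, exempt
    # rule-provisioned birthright, and open a certification for what remains.
    def move(self, wid, new_dept, new_manager, now, keep_until=None):
        w = self.workers[wid]
        w.dept, w.manager = new_dept, new_manager
        for ent in sorted(w.entitlements):
            tier, birthright = CATALOG[ent]
            if tier == "elevated":
                w.entitlements.discard(ent)
                self._act("remove_elevated", wid, ent)
            elif tier == "high_business":
                w.pending_cert[ent] = now + CERT_WINDOW
                self._act("refer_high_risk_review", wid, ent)
            elif birthright:
                self._act("exempt_birthright", wid, ent)
            elif keep_until is not None:
                # old manager's backfill request: time-boxed, never open-ended
                w.exceptions[ent] = min(keep_until, now + MAX_BACKFILL)
                self._act("backfill_exception", wid, ent)
            else:
                w.pending_cert[ent] = now + CERT_WINDOW
                self._act("certification_opened", wid, ent)

    def certify(self, wid, ent, approved, now):
        w = self.workers[wid]
        deadline = w.pending_cert.pop(ent, None)
        if deadline is None:
            return
        if approved and now <= deadline:
            self._act("certified", wid, ent)
        else:  # not approved, or approved too late: remove it
            w.entitlements.discard(ent)
            self._act("remove_revoked", wid, ent)

    def schedule_leave(self, wid, effective):
        self.workers[wid].term_date = effective
        self._act("termination_scheduled", wid, effective.date().isoformat())

    # Leaver: prevent login first, log off live sessions, then revoke every account.
    def leave(self, wid):
        w = self.workers[wid]
        w.enabled = False
        self._act("prevent_login", wid)
        for host in sorted(w.sessions):
            self._act("logoff", wid, host)
        w.sessions.clear()
        for ent in sorted(w.entitlements):
            self._act("revoke", wid, ent)
        w.entitlements.clear()
        w.pending_cert.clear()
        w.exceptions.clear()

    # The "teeth": a scheduler runs this; nothing waits on a busy manager.
    def tick(self, now):
        for w in self.workers.values():
            for ent, deadline in list(w.pending_cert.items()):
                if now > deadline:
                    self.certify(w.worker_id, ent, approved=False, now=now)
            for ent in [e for e, exp in w.exceptions.items() if now > exp]:
                w.exceptions.pop(ent)
                w.entitlements.discard(ent)
                self._act("remove_expired_exception", w.worker_id, ent)
            if w.enabled and w.term_date is not None and now >= w.term_date:
                self.leave(w.worker_id)

    def gaps(self):
        """Leaver gap scan: disabled identities that still hold access or a login."""
        return sorted(w.worker_id for w in self.workers.values()
                      if not w.enabled and (w.entitlements or w.sessions))


def demo():
    """Constructed scenario: two movers (one with a backfill exception), one leaver."""
    eng = LifecycleEngine()
    t0 = datetime(2024, 1, 8)
    eng.join("w1", "ops", "mgr-a")
    for ent in ("server-admin", "app1-ent1", "wire-approver"):
        eng.grant("w1", ent)
    eng.workers["w1"].sessions.add("host-7")
    eng.join("w2", "ops", "mgr-a")
    eng.grant("w2", "app1-ent1")
    eng.move("w1", "finance", "mgr-b", now=t0, keep_until=t0 + timedelta(days=10))
    eng.move("w2", "claims", "mgr-c", now=t0)
    eng.certify("w1", "wire-approver", approved=True, now=t0 + timedelta(days=3))
    eng.schedule_leave("w1", effective=t0 + timedelta(days=20))
    for day in (11, 15, 21):  # w2's new manager never reviews; the window closes anyway
        eng.tick(t0 + timedelta(days=day))
    return eng
```

Running `demo()` and reading `eng.log` shows the ordering the Leaver slides insist on (prevent login, log off, then revoke), and `eng.gaps()` is the check to run after every termination batch: an empty list means no disabled identity still holds an account or a session. The `MAX_BACKFILL` cap is the design choice worth copying; an exception with no expiry is how "until I can backfill" quietly becomes permanent.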
Key Takeaways
• Identity functions are integral to all insider threat possibilities
• Partner with the business owners early in the process
• Control partners and regulators will have lots of questions
• IDaaS has a way to go yet
Determining What to Manage
• Know your portfolio
• Objectively rank it
• Determine “High Risk”
• Work with Control Partners