Building an Effective Identity Management Strategy
A Dark Reading Webcast
Sponsored by
May 16, 2015
Today’s Presenters
Erik Sherman
Moderator
Adrian Lane
Analyst & CTO
Securosis
Rick Wagner
Director
Product Management
Identity and Access Governance
NetIQ
Presents
Building an IAM Management Strategy
Adrian Lane
Objectivity Disclaimer
This is a sponsored webcast, but all of the content is developed independently and represents Securosis objective research positions.
For more information about our Totally Transparent Research process, visit:
https://securosis.com/about/totally-transparent-research
Outline
• IAM in context
• Trends and Issues
• Deployment Strategies
• Key Questions & Recommendations
When IAM was easier
Proliferation
Identity & Access Management
Do more with less…
The Cloud…
…has many faces…
…and many characteristics
And let’s not forget mobile identity…
What’s changed?
• External cloud services forever alter IAM and force changes
• Both customers & employees use internal & external resources
• Constant pressure to do more with less has IT ops looking for streamlined solutions
• These changes make it very difficult to manage identity & authorization across the enterprise
Which is another way to say you have more to do, in a more complex environment, so you’d better automate!
Exactly Opposite
• Need to distribute policy decisions & enforcement
• Need to centralize management
Terms and Definitions
Concepts
Federation and Identity
Authorization and Access Management
Policy Decision Point (PDP): determines the rules
Policy Enforcement Point (PEP): enforces the rules
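The PDP/PEP split above, and the "distribute enforcement, centralize management" point from the Exactly Opposite slide, as an added example that is not code from the webcast or its presenters. Two application-side enforcement points share one decision point; the rules, subject attributes (department, title, relationship, in the spirit of the identity elements discussed later) and resource names are constructed for illustration, and a PDP failure is treated as deny.

```python
"""Policy Decision Point (PDP) vs. Policy Enforcement Point (PEP).

Added illustration, not code from the webcast or its presenters. The rules,
subjects, attributes and resource names are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)  # subject attributes, e.g. from HR / directory


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


# A rule is (name, predicate over the request, effect). First match wins;
# a request that matches nothing is denied, so the default is deny.
Rule = tuple[str, Callable[[Request], bool], bool]


class PolicyDecisionPoint:
    """The one place policy lives. It decides; it never touches a resource."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def decide(self, req: Request) -> Decision:
        for name, matches, permit in self.rules:
            if matches(req):
                return Decision(permit, f"rule '{name}' matched")
        return Decision(False, "no rule matched (default deny)")


class PolicyEnforcementPoint:
    """Sits in front of one application; asks the PDP and enforces the answer."""

    def __init__(self, pdp: PolicyDecisionPoint, audit: list):
        self.pdp = pdp
        self.audit = audit  # shared audit trail of every decision

    def guard(self, req: Request, perform: Callable[[], object]):
        try:
            decision = self.pdp.decide(req)
        except Exception as exc:  # PDP unreachable or faulty: fail closed
            decision = Decision(False, f"pdp error: {exc}")
        self.audit.append((req.subject, req.action, req.resource,
                           decision.permit, decision.reason))
        if not decision.permit:
            raise PermissionError(decision.reason)
        return perform()


# Constructed policy. Order matters: the contractor restriction comes first so
# that a contractor who also carries a Manager title still cannot approve.
RULES: list[Rule] = [
    ("contractors-never-approve",
     lambda r: r.action == "approve" and r.attrs.get("relationship") == "Contractor",
     False),
    ("hr-staff-read-hr-data",
     lambda r: r.action == "read" and r.resource.startswith("hr/")
     and r.attrs.get("department") == "HR",
     True),
    ("managers-approve-finance",
     lambda r: r.action == "approve" and r.resource.startswith("finance/")
     and r.attrs.get("title") == "Manager",
     True),
]


def demo():
    """Two PEPs (HR app, finance app) sharing one PDP; returns outcomes and the audit log."""
    pdp = PolicyDecisionPoint(RULES)
    audit: list = []
    hr_pep = PolicyEnforcementPoint(pdp, audit)
    finance_pep = PolicyEnforcementPoint(pdp, audit)
    cases = {
        "alice_reads_payroll": (hr_pep, Request("alice", "read", "hr/payroll",
                                {"department": "HR", "relationship": "Employee"})),
        "bob_reads_payroll": (hr_pep, Request("bob", "read", "hr/payroll",
                              {"department": "Sales", "relationship": "Employee"})),
        "carol_approves_po": (finance_pep, Request("carol", "approve", "finance/po-1",
                              {"title": "Manager", "relationship": "Employee"})),
        "dave_approves_po": (finance_pep, Request("dave", "approve", "finance/po-1",
                             {"title": "Manager", "relationship": "Contractor"})),
    }
    outcomes = {}
    for name, (pep, req) in cases.items():
        try:
            pep.guard(req, lambda: "resource accessed")
            outcomes[name] = "permit"
        except PermissionError:
            outcomes[name] = "deny"
    return outcomes, audit


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Because every PEP records the PDP's reason, the audit trail doubles as the evidence an access review needs: which rule granted or denied, not just that access happened.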
What is your strategy?
Deployment Strategies
• Replication Model
• Federation Model
• Emerging Hybrids
Replication & Synchronization
[Diagram labels: In-house; Remote; Web Services; HR; Partner Services; Off-site Backup; Document Management; Financial Systems; Directory Services]
Federation
[Diagram labels: In-house; Remote; Internal User; Software as a Service; Un-approved User; Approved User; Directory Services; Federation Extensions]
Hybrids
[Diagram labels: In-house; Web Services; HR; Identity As A Service; SAML; IaaS Provider; Financial Systems; Directory Services; Federation Extensions; SPML; XACML; SCIM; Vendor API; Cloud]
Interfaces
[Diagram labels: Service Providers; Identity / Attribute Providers; Central Broker (Proxy or Repository)]
Quick Word on IAM Standards
Key Identity Management Questions
• How do we manage user accounts across multiple internal/external apps?
• Do we replicate directory services?
• How do we deal with cloud provider identity management & interfaces?
• How do we link internal & external functions?
Key Access Management Questions
• How do we integrate with internal apps? Cloud apps? Mobile apps?
• How do we enforce policy?
• Do we have granular controls?
• Where do authorization maps reside?
• Who initiates authorization requests?
Provisioning
Courtesy of Axiomatics
Key Provisioning Questions
• User registration & identity propagation
• Account revocation
• Identity Management
• De-provisioning
• Auditing
Recommendations
• Centralized management framework
• Leverage models that work for cloud and local
• No one ‘right’ strategy for all customers
• Select the model that maximizes automation
• Understand that management and storage are likely a shared responsibility
IAM Recommendations
• Use Federated Identity to authenticate locally and authorize remotely
• Define authoritative sources for policies – often HR instead of standard directory services
• Determine if providers support roles and attributes
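The first recommendation, authenticate locally and authorize remotely, as an added example that is not code from the webcast or its presenters. The identity provider authenticates the user and signs an assertion carrying attributes; the service provider verifies the signature, audience and validity window, then applies its own authorization policy to those attributes. Real federation (SAML, listed on the Hybrids slide) signs XML assertions with the IdP's certificate; to run offline this uses a compact JSON token signed with HMAC over a constructed shared secret, and the entity id, attribute names and policy are assumed.

```python
"""Federated identity: the identity provider (IdP) authenticates the user and
asserts attributes; the service provider (SP) verifies the assertion and makes
its own authorization decision from those attributes.

Added illustration, not code from the webcast or its presenters. SAML uses
XML signatures over XML assertions; this example uses a compact JSON token
signed with HMAC so it runs offline. Secret, entity ids and attributes are
constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json

IDP_SECRET = b"constructed-idp-signing-key"          # constructed shared secret
SP_AUDIENCE = "https://finance.example.invalid/sp"     # assumed SP entity id


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _canon(body: dict) -> bytes:
    # One canonical serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def idp_issue(secret, subject, attrs, audience, now, ttl=300):
    """IdP side: after authenticating the user locally, issue a signed assertion."""
    body = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl, "attrs": attrs}
    payload = _canon(body)
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def sp_verify(secret, token, audience, now):
    """SP side: return the assertion body only if signature, audience and window check out."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                       # altered, or not from our IdP
    body = json.loads(payload)
    if body.get("aud") != audience:
        return None                       # issued for a different SP
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        return None                       # presented outside its validity window
    return body


# The SP's own authorization policy over asserted attributes (authorize remotely).
LOCAL_POLICY = {
    "finance:read": lambda a: a.get("department") == "Finance",
    "finance:approve": lambda a: a.get("department") == "Finance" and a.get("title") == "Manager",
}


def sp_authorize(body, permission) -> bool:
    """Decide from the verified assertion; unverified assertions and unknown permissions are denied."""
    if body is None:
        return False
    check = LOCAL_POLICY.get(permission)
    return bool(check and check(body.get("attrs", {})))


def demo():
    """Happy path plus the altered-attribute, expired and wrong-audience cases."""
    now = 1_431_734_400                                     # constructed epoch time
    attrs = {"department": "Finance", "title": "Analyst"}   # as fed from HR to the IdP
    token = idp_issue(IDP_SECRET, "carol", attrs, SP_AUDIENCE, now)
    results = {}
    good = sp_verify(IDP_SECRET, token, SP_AUDIENCE, now + 10)
    results["verified"] = good is not None
    results["can_read"] = sp_authorize(good, "finance:read")
    results["can_approve"] = sp_authorize(good, "finance:approve")
    # A copy with the title changed to Manager: the IdP signature no longer matches.
    p64, s64 = token.split(".")
    altered = json.loads(base64.urlsafe_b64decode(p64))
    altered["attrs"]["title"] = "Manager"
    results["altered_rejected"] = sp_verify(IDP_SECRET, _b64(_canon(altered)) + "." + s64,
                                            SP_AUDIENCE, now + 10) is None
    results["expired_rejected"] = sp_verify(IDP_SECRET, token, SP_AUDIENCE, now + 1000) is None
    results["wrong_sp_rejected"] = sp_verify(IDP_SECRET, token,
                                             "https://other.example.invalid/sp", now + 10) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The SP never sees a password and never stores the user; it trusts the IdP only for who the user is and what HR says about them, and keeps the decision about what that user may do on its own side, which is what the "authoritative source is HR" recommendation depends on.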
Building an IAM Management Strategy Using NetIQ Identity & Access Governance Products
Rick Wagner
Director, Product Management
© 2012 NetIQ Corporation. All rights reserved.
Key Elements of “Access” – the Verb
Right People, Right Access, Right Time, Right Business Purpose

Elements of Identity
- Who/What are you? Name, location, etc.
- Roles/Privilege: Title, Manager, etc.
- Relationship to business: Employee, Contractor, etc.

Access is a Relationship
- Applications
- Systems
- Data
- Resources
- Physical Facilities

Access Utilization
- Is activity aligned to roles and policy?
- Orphans, dormant access and entitlement creep
- Privileged access control
- Distinguish attacker from insider activity
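The Access Utilization checks above (orphans, dormant access, entitlement creep), together with the account revocation and de-provisioning items from the Key Provisioning Questions slide, as an added example that is not code from the webcast or NetIQ's products. It compares the application's view of accounts and entitlements against HR as the authoritative source and against per-role baselines; the HR feed, accounts, baselines and last-login dates are constructed sample data.

```python
"""Access utilization review: orphaned accounts, missed de-provisioning,
dormant access and entitlement creep.

Added illustration, not code from the webcast or its presenters. The HR feed,
application accounts, role baselines and last-login dates are constructed
sample data; a real review would pull them from HR, the applications and the
authentication logs.
"""
from datetime import date

# Authoritative source for who belongs to the business (HR, not the directory).
HR = {
    "alice": {"role": "HR Analyst", "status": "active"},
    "bob": {"role": "Sales Rep", "status": "active"},
    "carol": {"role": "Finance Manager", "status": "terminated"},
}

# Accounts and entitlements as actually found in the applications.
ACCOUNTS = {
    "alice": {"hr:read", "hr:write"},
    "bob": {"crm:read", "finance:approve"},   # finance:approve is outside a Sales Rep's baseline
    "carol": {"finance:approve"},              # terminated in HR, account still live
    "svc_backup": {"files:read"},              # no HR record at all
}

# What each role is supposed to hold.
BASELINE = {
    "HR Analyst": {"hr:read", "hr:write"},
    "Sales Rep": {"crm:read"},
    "Finance Manager": {"finance:approve", "finance:read"},
}

# Most recent successful authentication per account (constructed).
LAST_LOGIN = {
    "alice": date(2015, 5, 10),
    "bob": date(2014, 12, 1),
    "svc_backup": date(2015, 5, 1),
}


def review(today, hr, accounts, baseline, last_login, dormant_days=90):
    """Classify every account; returns findings keyed by problem type."""
    findings = {"orphan": [], "not_deprovisioned": [], "dormant": [], "creep": {}}
    for user, entitlements in sorted(accounts.items()):
        record = hr.get(user)
        if record is None:
            findings["orphan"].append(user)              # nobody in HR owns this account
            continue
        if record["status"] != "active":
            findings["not_deprovisioned"].append(user)   # revocation never happened
            continue
        seen = last_login.get(user)
        if seen is None or (today - seen).days > dormant_days:
            findings["dormant"].append(user)             # access held but unused
        extra = entitlements - baseline.get(record["role"], set())
        if extra:
            findings["creep"][user] = sorted(extra)      # entitlements beyond the role
    return findings


def demo(dormant_days=90):
    """Run the review against the constructed data as of the webcast date."""
    return review(date(2015, 5, 16), HR, ACCOUNTS, BASELINE, LAST_LOGIN, dormant_days)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Each finding maps to a different owner: orphans and missed de-provisioning are provisioning failures, dormant access is a certification candidate, and creep is a role-management problem; running the review continuously rather than at audit time is what the later "continuous compliance" slide refers to.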
Right Access Requires Proper Context
What, Where, Why and When add critical value to the Who
- Who has access to what?
- Where is the access originating from?
- When was the access granted?
- Is the access appropriate?
- What is being accessed?
- Why was the access granted?
What is “Right” Varies By Organization
Moving at the speed of business vs. mitigating business risks
[Diagram labels: Flexible; Manageable]

What Are Your Priorities and Needs?
Modular, Integrated Solutions – Start Where Your Need is Greatest
[Diagram labels: Flexibility; Manageability]
Key Capabilities To Deliver Business Centric Access
Capability areas: Access Fulfillment; Access Authorization; Access Monitoring
- Access Certification
- Access Request
- Access Administration
- Single Sign-on
- User Authentication
- Authorization Enforcement
- Dashboards, Risks & Trends
- Security & Activity Intelligence
- Forensic Analytics & Reporting
- Delegated Administration
- Privileged Access Management
- Log Management
- Reporting
Identity Management Market (timeline 2002–2014)

Identity Management / User Provisioning
Driven by IT
• Improve operational efficiency
• Automated on boarding / off boarding
• User management / self-service
• Improved user interface
• Simplified interface for non-IT business users
• Quick time to value – aggregation vs. integration

Access Governance
Driven by the business
• Security and Compliance
• Automated policy enforcement
• Reporting
• Access certification to achieve compliance objectives
• Immediate business need

Both converge on Identity Administration and Governance.
Identity Administration & Governance (roadmap 2012–2016)
- Industry leading provisioning: Manual; Semi-automated; Fully automated
- Access governance: Access certification; Access request; Role management; Risk monitoring
- On-demand Anomaly Detection: Continuous compliance; Dynamic transparency
- Identity Intelligence: Information you need, when you need it, to make better business decisions
The Evolving Marketplace
Identity Intelligence and Business Visibility
Identity Intelligence
360° View of Identity and Access
Nearly 7,000 Customers
Copyright © 2013 NetIQ Corporation. All rights reserved.
Q&A
Erik Sherman, Moderator
Adrian Lane, Analyst & CTO, Securosis
Rick Wagner, Director, Product Management, Identity and Access Governance, NetIQ
Learn More at www.netiq.com
• Access informative white papers:
– “Navigate the Future of Identity and Access Management,” by Eve Maler, Forrester Research
– http://bit.ly/SPXWKI
– “Identity and Access Governance – Bringing IT and Business Together,” NetIQ
– http://bit.ly/VFWPv6
• Continue the conversation!
– Twitter.com/NetIQ
– Linkedin.com/company/NetIQ