The Identity Management Challenge
Chapter 20
Dec 25, 2015
© 2012 Pearson Education, Inc. Publishing as Prentice Hall
What is Identity Management (IDM)?
It is about:
Developing controls to prevent, detect, or correct harmful events.
Developing steps to identify and authenticate users, as well as to authorize their access to types of information.
What is Identity Management (IDM)? Continued
IDM is a key component for the safe and secure delivery of online information and services.
Three Main Components of IDM Frameworks (Aitoro 2008; Allan and Perkins 2009; Smith 2007)
IDM Basics
IDM Administration
Information privacy
Security
Risk
Regulatory compliance
IDM Basics Continued
IDM Administration
Involves user (de)registration for IT systems and management of passwords.
It determines which systems and types of information a user can access.
IDM Basics Continued
Information Privacy
Involves the organizational practices to assure protection of information.
IDM Basics Continued
Security
Involves the organizational practices to assure protection of not only personal data but also of corporate intellectual property.
However, it cannot prevent authorized users from using information inappropriately.
IDM Basics Continued
Risk
IDM practices should be based on an assessment of the risk involved to both individuals and organizations.
IDM needs should also be linked to the level of risk involved.
IDM Basics Continued
Regulatory compliance
Organizations have legal responsibilities to identify and authenticate users of their data.
Organizations are legally required to review key transactions done by employees.
IDM as a Business Enabler
Effective IDM in collaboration with security is the means to balance organizational risk and flexibility needs.
Effective IDM helps businesses to make better decisions as they become more mobile, global, digital, and interconnected.
IDM as a Business Enabler Continued
Business needs that require strong IDM
• Support for a mobile and global workforce
• Speedier mergers and acquisitions
• Protection for massive amounts
• The ability to present a consolidated view of data
• Improved online customer service
• Increased collaboration
• Addressing complex external relationships
IDM Challenges for IT Managers
Limited understanding of the business benefits of effective IDM
No business benefits
No funds available
IDM Challenges for IT Managers Continued
Fragmented governance between:
IT
HR
The business
Legal departments
IDM Challenges for IT Managers Continued
Current IDM practices and processes are often manual.
Security risks are increasing rapidly.
The number and type of devices not provided by the organization and the number of remote users are increasing.
Principles of Effective IDM in the Future
Five principles (1 to 5), each detailed on the following slides.
Principles of Effective IDM in the Future Principle 1
Approach IDM holistically
IDM should be an integrated part of an organization’s overall security framework, which consists of several layers.
Principles of Effective IDM in the Future Principle 1
IDM is Part of a Holistic Security Framework:
Compliance – demonstrate policy enforcement aligned to regulations, standards, laws and agreements.
Identity and Access – provide controlled and secure access to information, applications and assets to both internal and external users.
Information Security – protect and secure data and information assets.
Application Security – continuously manage, monitor and audit access to applications.
Infrastructure Security – comprehensively manage threats and vulnerabilities across networks, servers and end-points.
Physical Security – monitor and control access to buildings and secure areas.
Principles of Effective IDM in the Future Principle 2
Focus on business value: IDM should be designed to:
Help make effective business decisions
Reduce the cost of providing effective IDM
Increase trust both internally and externally
Support the development of electronic services and virtual work
Enhance productivity and adherence to acceptable-use policies
Principles of Effective IDM in the Future Principle 3
Adopt standards wherever possible
Enterprise IDM should adhere to open standards in order to facilitate provisioning of cross-enterprise services (Smith 2008).
Principles of Effective IDM in the Future Principle 4
Develop a road map
A road map helps with the development of the framework, policies, and standards for IDM, as well as the processes and infrastructure required to achieve it.
Principles of Effective IDM in the Future Principle 5
Decouple IDM from applications, environments, and companies
Decoupling allows IDM to be managed holistically; it should also make identities portable across systems, technical environments and devices.
Moving Forward with IDM: Advice for IT Managers
Four pieces of advice (1 to 4), each detailed on the following slides.
Moving Forward with IDM: Advice for IT Managers Advice 1
Identify IDM needs and set policy
There is no standard list of identity attributes, so each organization should define its own acceptable internal and external authentication, the events that trigger IDM actions, and the level of access granted.
Moving Forward with IDM: Advice for IT Managers Advice 2
Address IDM process and governance:
IDM processes need governance and business ownership so that the right decisions can be made about the flexibility versus risk trade-off.
IDM should be viewed as a life cycle in order to develop and manage an improved process.
Moving Forward with IDM: Advice for IT Managers Advice 2
The IDM Life Cycle (figure):
Role-based Provisioning
Consume
Manage
Monitor, Audit and Compliance
Register/Modify/Deregister
Authenticate/Authorize
Moving Forward with IDM: Advice for IT Managers Advice 3
Integrate IDM with architecture:
The architecture group plans and designs how applications and infrastructure will evolve.
Solve technical issues: poor system integration and a lack of standards.
Moving Forward with IDM: Advice for IT Managers Advice 4
Incorporate traceability and auditability – a significant amount of time is spent on monitoring accounts, user activity, and compliance reports.
Solution: automate these processes and put governance in place to incorporate them.
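As an added illustration (not from the chapter or the textbook), the Python sketch below models the life cycle stages named in Advice 2, Manage (register/modify/deregister), Consume (authorize) and Monitor, Audit and Compliance, using role-based provisioning; the role catalogue, user names and entitlement strings are constructed for the example. It also serves Advice 4: every step writes an audit record, and the compliance report is produced from that log rather than from manual review.

```python
"""Toy IDM life cycle with role-based provisioning and an audit trail (constructed example)."""
from dataclasses import dataclass, field

# Constructed role catalogue: role -> entitlements it grants (an assumption, not from the slides).
ROLE_ENTITLEMENTS = {
    "finance_clerk": {"ledger:read", "ledger:post"},
    "finance_auditor": {"ledger:read", "reports:read"},
}


@dataclass
class IdentityStore:
    users: dict = field(default_factory=dict)     # user -> {"active": bool, "roles": set}
    audit_log: list = field(default_factory=list)  # one record per life-cycle event

    def _record(self, event, user, **detail):
        self.audit_log.append({"event": event, "user": user, **detail})

    # Manage: Register / Modify / Deregister
    def register(self, user, roles):
        self.users[user] = {"active": True, "roles": set(roles)}
        self._record("register", user, roles=sorted(roles))

    def modify(self, user, roles):
        self.users[user]["roles"] = set(roles)
        self._record("modify", user, roles=sorted(roles))

    def deregister(self, user):
        # Because access flows only through roles, clearing them revokes every entitlement at once.
        self.users[user] = {"active": False, "roles": set()}
        self._record("deregister", user)

    # Consume: Authorize (authentication is assumed to have happened upstream)
    def authorize(self, user, entitlement):
        acct = self.users.get(user)
        allowed = bool(acct and acct["active"] and any(
            entitlement in ROLE_ENTITLEMENTS.get(r, set()) for r in acct["roles"]))
        self._record("authorize", user, entitlement=entitlement, allowed=allowed)
        return allowed

    # Monitor, Audit and Compliance: derived from the log, not from manual review
    def compliance_report(self):
        denied = [e for e in self.audit_log if e["event"] == "authorize" and not e["allowed"]]
        inactive = sorted({e["user"] for e in denied
                           if not self.users.get(e["user"], {}).get("active", False)})
        unknown = sorted(r for a in self.users.values() for r in a["roles"] if r not in ROLE_ENTITLEMENTS)
        return {"denied_attempts": len(denied), "inactive_accounts_attempting_access": inactive,
                "roles_outside_catalogue": unknown}


def demo():
    store = IdentityStore()
    store.register("alice", ["finance_clerk"])   # joiner
    store.modify("alice", ["finance_auditor"])   # mover: job change swaps the role
    store.authorize("alice", "ledger:post")      # denied: auditors cannot post
    store.deregister("alice")                    # leaver
    store.authorize("alice", "ledger:read")      # denied: account inactive
    return store
```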
Conclusion
IT managers must balance the risks of becoming networked and opening their firewalls to clients against the expected business value delivered.
Effective IDM initiatives must be articulated in both business and technical terms. This encourages business leaders to be involved in the process.