The Identity Management Challenge Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall
Dec 25, 2015

Patrick Summers
Page 1

The Identity Management Challenge

Chapter 20

20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall

Page 2

What is Identity Management (IDM)?

It is about:

Developing controls to prevent, detect, or correct harmful events.

Developing steps to identify and authenticate users, as well as to authorize their access to types of information.

Page 3

What is Identity Management (IDM)? Continued

IDM is a key component for the safe and secure delivery of online information and services.

Page 4

Three Main Components of IDM Frameworks (Aitoro 2008; Allan and Perkins 2009; Smith 2007)

Page 5

IDM Basics

IDM Administration

Information privacy

Security

Risk

Regulatory compliance

Page 6

IDM Basics Continued

IDM Administration

Involves user registration and deregistration on IT systems and the management of passwords.

It determines which types of systems and information a user can access.

Page 7

IDM Basics Continued

Information Privacy

Involves the organizational practices to assure protection of information.

Page 8

IDM Basics Continued

Security

Involves the organizational practices to assure protection of not only personal data but also of corporate intellectual property.

However, it cannot prevent authorized users from using information inappropriately.

Page 9

IDM Basics Continued

Risk

IDM practices should be based on an assessment of the risk involved to both individuals and organizations.

IDM needs should also be linked to the level of risk involved.

Page 10

IDM Basics Continued

Regulatory compliance

Organizations have legal responsibilities to identify and authenticate users of their data.

Organizations are legally required to review key transactions done by employees.

Page 11

IDM as a Business Enabler

Effective IDM in collaboration with security is the means to balance organizational risk and flexibility needs.

Effective IDM helps businesses to make better decisions as they become more mobile, global, digital, and interconnected.

Page 12

IDM as a Business Enabler Continued

Business needs that require strong IDM

• Support for a mobile and global workforce

• Speedier mergers and acquisitions

• Protection for massive amounts

• The ability to present a consolidated view of data

• Improved online customer service

• Increased collaboration

• Addressing complex external relationships

Page 13

IDM Challenges for IT Managers

Limited understanding of the business benefits of effective IDM

No business benefits

No funds available

Page 14

IDM Challenges for IT Managers Continued

Fragmented governance between IT, HR, the business, and legal departments.

Page 15

IDM Challenges for IT Managers Continued

Current IDM practices and processes are often manual.

Security risks are increasing rapidly.

The number and type of devices not provided by the organization and the number of remote users are increasing.

Page 16

Principles of Effective IDM in the Future

Page 17

Principles of Effective IDM in the Future Principle 1

Approach IDM holistically

IDM should be an integrated part of an organization's overall security framework, which consists of several layers.

Page 18

Principles of Effective IDM in the Future Principle 1 Continued

Compliance – demonstrate policy enforcement aligned to regulations, standards, laws and agreements.

Identity and Access – provide controlled and secure access to information, applications and assets to both internal and external users.

Information Security – protect and secure data and information assets.

Application Security – continuously manage, monitor and audit access to applications.

Infrastructure Security – comprehensively manage threats and vulnerabilities across networks, servers and end-points.

Physical Security – monitor and control access to buildings and secure areas.

IDM is Part of a Holistic Security Framework

Page 19

Principles of Effective IDM in the Future Principle 2

Focus on business value: IDM should be designed to:

• Help make effective business decisions

• Reduce the cost of providing effective IDM

• Increase trust both internally and externally

• Support the development of electronic services and virtual work

• Enhance productivity and adherence to acceptable-use policies

Page 20

Principles of Effective IDM in the Future Principle 3

Adopt standards wherever possible

Enterprise IDM should adhere to open standards in order to facilitate provisioning of cross-enterprise services

(Smith 2008)

Page 21

Principles of Effective IDM in the Future Principle 4

Develop a road map

Helps with the development of framework, policies, and standards for IDM as well as with the development of processes and infrastructure required to achieve IDM.

Page 22

Principles of Effective IDM in the Future Principle 5

Decouple IDM from applications, environments, and companies

This is so that IDM can be managed holistically; at the same time, it should make identities portable across systems, technical environments and devices.

Page 23

Moving Forward with IDM: Advice for IT Managers

Page 24

Moving Forward with IDM: Advice for IT Managers Advice 1

Identify IDM needs and set policy

There is no standard list of identity attributes, so organizations should define their own acceptable internal and external authentication, IDM triggers, and levels of access.

Page 25

Moving Forward with IDM: Advice for IT Managers Advice 2

Address IDM process and governance:

IDM processes need governance and business ownership so that the right decisions about the flexibility-versus-risk trade-off can be made.

IDM should be viewed as a life cycle in order to develop and manage an improved process.

Page 26

Moving Forward with IDM: Advice for IT Managers Advice 2 Continued

The IDM Life Cycle (diagram) – Role-based Provisioning:

• Register/Modify/Deregister

• Authenticate/Authorize

• Consume

• Manage

• Monitor, Audit and Compliance

Page 27

Moving Forward with IDM: Advice for IT Managers Advice 3

Integrate IDM with architecture:

Architecture group – plans and designs how applications and infrastructure will evolve.

Technical issues to solve – poor system integration and a lack of standards.

Page 28

Moving Forward with IDM: Advice for IT Managers Advice 4

Incorporate traceability and auditability – a significant amount of time is spent on monitoring accounts, user activity, and compliance reports.

Solution: automation of these processes, and governance to incorporate them.
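
The life cycle from the Advice 2 slide (register/modify/deregister, authenticate/authorize, monitor and audit) together with the automated monitoring Advice 4 calls for, as a small Python model added here; it is not the textbook's material, and the roles, entitlements and user names are constructed.

```python
# Role-based provisioning with an audit trail and an automated compliance check.
# Added example; the roles, entitlements and user names are constructed.
from dataclasses import dataclass, field
from typing import Optional

ROLES = {  # constructed role-to-entitlement map: rights flow from the role, not by hand
    "analyst": {"read:reports"},
    "finance": {"read:reports", "approve:payments"},
}

@dataclass
class Account:
    user: str
    role: Optional[str]
    entitlements: set = field(default_factory=set)
    active: bool = True

class Idm:
    def __init__(self):
        self.accounts: dict = {}
        self.audit: list = []  # (event, user, detail) tuples: the traceability record
    def _log(self, event, user, detail=""):
        self.audit.append((event, user, detail))
    def register(self, user, role):
        self.accounts[user] = Account(user, role, set(ROLES[role]))
        self._log("register", user, role)
    def modify(self, user, new_role):
        acct = self.accounts[user]  # a role change replaces rights; old ones are not accumulated
        acct.role, acct.entitlements = new_role, set(ROLES[new_role])
        self._log("modify", user, new_role)
    def grant(self, user, entitlement):  # manual out-of-role grant that the audit must surface
        self.accounts[user].entitlements.add(entitlement)
        self._log("grant", user, entitlement)

    def deregister(self, user):
        acct = self.accounts[user]
        acct.active, acct.role, acct.entitlements = False, None, set()
        self._log("deregister", user)

    def authorize(self, user, entitlement):
        acct = self.accounts.get(user)
        ok = acct is not None and acct.active and entitlement in acct.entitlements
        self._log("authorize", user, f"{entitlement}={'allow' if ok else 'deny'}")
        return ok

    def compliance_report(self):
        """Automated monitoring: active accounts with no role or rights beyond their role."""
        return [a.user for a in self.accounts.values()
                if a.active and (a.role is None or not a.entitlements <= ROLES[a.role])]
```

Every decision is written to the audit list, so the compliance report and the per-request allow/deny trail are produced by the same code path rather than by manual review.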

Page 29

Conclusion

IT managers must balance the risks in becoming networked and opening their firewalls to clients with the expected business value delivered.

Effective IDM initiatives must be articulated in both business and technical terms. This encourages business leaders to be involved in the process.

Page 30

Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall