1. Identity Management
The What, Why and How?
Airline Company
Presenting: John Bernhard
Enterprise Architect/Director – Bernhard Enterprise Architectures Pty Ltd
Dated: May 18, 2007
2. Identity Management
Did you know?
IT costs x dollars per year to maintain user names and passwords
There have been x security breaches per year
Significant fraud instances per year
Cost and time for audits
New application: even a simple set-up of user access appears to be costly, to take significant resources and to be very complex
Date: May 18 BEA Pty Ltd - IdM : The What, Why and How? Page: 2
3. Identity Management
Thesis
Identity management (IdM) is a pervasive and federated infrastructure that
transforms business relationships by managing access for the proper entities to
the proper resources, both for the enterprise and our customers
The goal of an IdM service foundation is to consistently enforce business and
security policies, regardless of network entry point by employees, contractors,
business partners, and customers.
Enterprises need to map their IdM strategy and align it with their business goals
Identity management (IdM) gives Airline Company a competitive advantage
Identity management (IdM) enables an agile infrastructure for Airline Company
IdM should be a service to the whole enterprise and its internet extension
IdM is not a single product; it is everywhere in the organisation today
4. Identity Management
Agenda
WHAT – What is IdM?
Introduction
What is Identity Management
Key Concepts and Principles
Overview current state of IdM within Airline Company
Conceptual Architecture – Current State
WHY – Rationale, Drivers and Benefits
Business & Technical perspective
IdM Case study
HOW – IdM Services Architecture
Conceptual Architecture - Provisioning
Conceptual Architecture – Access Management
Compliance (SOX 404, COBIT and ITIL)
Programme of Work - Identity Service
5. Identity Management
WHAT – What is IdM?
What is Identity Management?
A set of processes, and a supporting infrastructure, for the creation, maintenance,
and use of digital identities
Involves both technology and process
Involves managing unique IDs, attributes, credentials, entitlements
Must enable enterprises to create manageable lifecycles
Must scale from internally facing systems to externally facing applications and processes
Goal state: Identity Service, infrastructure and authoritative sources, clean
integration across people, process, and technology
6. Identity Management
WHAT – What is IdM?
The IdM process: managing the identity lifecycle
Lifecycle stages (from the slide's diagram):
Registration / creation
Propagation
Accounts and policies
Termination
Maintenance / management
Today IdM is fragmented:
• Applications, databases, OSs lack a scalable, holistic means of managing identity, credentials and policy across boundaries
• Overlapping repositories, inconsistent policy frameworks, process discontinuities
• Error prone, creates security loopholes, expensive to manage
• The focus on business process, Web services, and networked applications has put identity on the front burner
• This is currently managed on an individual application & infrastructure basis
Infrastructure requirements:
• Extend reach and range
• Increase scalability, lower costs
• Balance centralised and distributed management via loose coupling
7. Identity Management
WHAT – What is IdM?
Beyond directory: IdM requires integrated infrastructure
These technologies represent the major lifecycle management processes involved with IdM. In addition, audit surrounds these services for accountability and control.
IdM technologies:
Identity management services
Directory services
Provisioning services
Authentication services
Web-based access management services
Authorisation services
8. Identity Management
WHAT – What is IdM?
Burton Group's View of IdM Evolution (diagram)
9. Identity Management
WHAT – What is IdM?
Directory services are the first step toward IdM for Airline Company
Directory services support the other IdM and federated technologies
through:
Repository services for policies, authentication credentials, roles, groups
and rules
Information integration, mapping and referral between the IdM
applications and the enterprise “repositories of record”
Provides standardised LDAP authentication for applications
Provides general purpose storage for IdM applications
Use virtual directory technology to provide a federated identity data
service
Once the directory services are in place, other IdM policies and technologies
can be implemented depending on the business justification required
10. Identity Management
WHAT – What is IdM?
• Process integration is just as important as the technology
Layered view of the enabling stack (from the slide's diagram):
Identity-based company access: business applications
Advanced business infrastructure: business process integration; Meta Directory services
Basic business infrastructure: LDAP directories, databases, messaging, PBX / CTI / VoIP, security / PKI, management services, object services, Web services
Enabling technology: network / basic network infrastructure (network, servers, routers, OS, transport services)
11. Identity Management
WHAT – What is IdM?
Key Concepts and Principles
The IdM Service Components Architecture provides an infrastructure that supports the key identity services:
Reconciliation / Audit / Compliance
Provisioning
Workflow
Authentication, Authorisation and Auditing
Federation
Synchronisation
Delegation
Secure Self Service
Password Management
A scalable, re-usable, integrated set of business processes supported by the IdM infrastructure.
Develop an IdM Service foundation of all IdM-related elements
12. Identity Management
WHAT – What is IdM?
Current state of IdM within Airline Company
Talk about current state
State current issues and problems
Problems:
Help desk, password reset
Provisioning, de-provisioning not really happening
Process complexity
Bullet points on current employee processes
Bullet points on current customer/business partner registration
Admin overhead
State current overhead in maintaining employee details
State current overhead of aligning current customer details with the various applications
13. Identity Management
WHAT – What is IdM?
Current state of IdM within Airline Company
Identity access not controlled
No current governance or policies in place in relation to IdM
"Coming on-board" business processes not well defined
Security issues: PCI non-compliance
PCI issues related to IdM
Identity theft – related to Koru, Frequent Flyer Points & Travel card members
Security Policy – compliance verification
Auditing:
External auditors
State auditing issues specifically in relation to SOX 404, manual vs. automated
Compliance problem:
Very difficult to audit who has access in terms of PCI
SOX compliance, due diligence
14. Identity Management
WHAT – What is IdM?
Conceptual Architecture: Current State of Identity related Apps/Touch Points
15. Identity Management
WHY – Rationale, Drivers and Benefits
Business Drivers for Identity service
From an executive's point of view, the most important business drivers to address via IdM include:
Regulatory Compliance
• Sarbanes-Oxley (SOX)
• COBIT (ITIL Framework, Business Best Practices)
• PCI
• GAAP (third-party audit)
Risk Management
• Reporting (Custom/Automated)
• Terminations
• Policy-based compliance – adhere to policy
• Audit management
Business Need
• External users' access
• Employee personalisation
• Outsourcing
• New Products – Services (Time To Market)
• Improved SLAs
• Enhanced user experience
Cost Containment (Internal/External)
• Cost reduction/avoidance
• Common architecture
• Productivity savings
Operational Efficiency
• Need to tie into Business Strategy
16. Identity Management
WHY – Rationale, Drivers and Benefits
IdM Infrastructure Benefits
Improved User Experience
• Improves employee efficiency
• Strengthens customer retention
• Minimises errors
• Clarifies business processes
Cost savings
Hard-dollar savings
• Helpdesk password resets easily measured
• Avoids admin. duty duplication
• Eliminates redundant software and solutions
Soft-dollar savings
• Improved user productivity
• Avoids hidden administrative costs
Security: Lifecycle Identity Administration
• Partition identity mgmt.
• Eliminates dormant and orphan accounts
• Facilitates auditing and accountability
• Enables delegated and self-service account admin.
Security: Policy Enforcement
• Ensures regulatory compliance
• Protects corporate info
• Safeguards intellectual property
• Supports internal audits
• Assures stronger authorisation based on info value/sensitivity
• Enables risk and liability mgmt
Competitive Advantage
• Improves corp. image and employee relationships
• Yields flexible IdM infrastructure
• Facilitates mergers/divestments
17. Identity Management
WHY – Rationale, Drivers and Benefits
The Challenge
Today’s identity management systems are ad hocracies, built one application or
system at a time
Apps, databases, OSes lack a scalable, holistic means of managing identity,
credentials, policy across boundaries
Fragmented identity infrastructure: Overlapping repositories, inconsistent
policy frameworks, process discontinuities
Error prone, creates security loopholes, expensive to manage
The disappearing perimeter has put identity on the front burner
Infrastructure requirements: extend reach and range
Increased scalability, lower costs
Balance of centralised and distributed management
Infrastructure must be delivered as a Service (Identity Service) and re-usable
18. Identity Management
WHY – Rationale, Drivers and Benefits
Risks addressed
Reduced risk of improper use of IT systems
Reduced risk of privacy or other regulatory violations
Substantial administration cost savings by reducing redundant security administration
Accelerated time to market for new products and services to customers (targeted audience), reduced deployment costs
Reduced cost of internal and external auditing
Better customer experience and increased retention
19. Identity Management
HOW – IdM Services Architecture
Objectives
Define the role of identity management in the context of business requirements
Develop an IdM Framework and guidelines
Implement re-usable Identity services
Develop and implement company-wide role management
Document and streamline current and new identity related business processes
To provide a single view of Employee, Contractor, Customer and Business Partner
identity and entitlement
20. Identity Management
HOW – IdM Services Architecture
Mapping business drivers to IdM benefits and IdM services (from the slide's diagram):
IdM Business Drivers: Cost containment; Operational efficiency; Business need; Regulatory compliance; Risk management
IdM Benefits: Improves user experience (Quality of Experience [QoE]); Provides cost savings; Supports policy enforcement; Adds to competitive advantage; Provides lifecycle identity administration
IdM Services: Identity and policy administration; Directory services; Access management; Remote access; Federation; Provisioning; Portals / Self-service
One of the key tasks is to understand how to map the executive's business drivers into the benefits of IdM services, and then to map those into the technologies selected for deployment. As illustrated here, there are many overlaps and disconnects that make the mapping difficult, though not impossible.
21. Identity Management
HOW – IdM Services Architecture
Conceptual Architecture: Provisioning
22. Identity Management
HOW – IdM Services Architecture
Conceptual Architecture: Access Management
23. Identity Management
HOW – IdM Services Architecture
7 of the Top 10 Control Deficiencies focus on Secure Identity Management
1. Operating system (e.g. Unix) access controls supporting financial applications or Portal not secure
2. Database (e.g. Oracle) access controls supporting financial applications (e.g. SAP, Oracle, PeopleSoft, JDE) not secure
3. Development staff can run business transactions in production
4. Large number of users with access to "super user" transactions in production
5. Terminated employees or departed consultants still have access
6. Posting periods not restricted within GL application
7. Custom programs, tables & interfaces are not secured
8. Unidentified or unresolved segregation of duties issues
9. Procedures for manual processes do not exist or are not followed
10. System documentation does not match actual process
Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04
24. Identity Management
HOW – IdM Services Architecture
Compliance
What is SOX (Sarbanes-Oxley) compliance?
Companies must regularly provide external auditors with proof of their compliance with laws and regulations. An example is the Sarbanes-Oxley (SOX) law, which applies to listed American companies and, generally, to non-US companies listed on a US stock exchange.
These laws and regulations may aim at preserving the integrity of financial data (as in the case of SOX and the French Law on Financial Security).
Generally, compliance requires identifying risks, defining control objectives in order to tackle them, and deciding on control activities to attain these objectives. Finally, in view of these activities, it is necessary to prepare adequate tests to ensure that these processes exist, are applied and are working effectively.
These tests have two objectives. On the one hand, they are used to constantly improve the processes and to provide information to management and external auditors. On the other hand, they are used as evidence during certification to convince external auditors of the organisation's compliance with laws and regulations.
25. Identity Management
HOW – IdM Services Architecture
Compliance
Why SOX (Sarbanes-Oxley) compliance?
In some organisations, a large part of the risk of non-conformity with these regulations is due to inadequate identity and access management. In fact, beyond the problem of identity theft, actions made possible by wrongly assigned rights are a major source of security breaches.
Therefore, an Identity and Access Management (IAM) solution can be of significant help in the effort to comply with these laws and regulations. Moreover, such a solution can be used simply to upgrade a set of existing control procedures, so as to simplify them or adapt them to organisational changes.
In addition to the functions it brings in, identity and access management must show evidence of its effectiveness. This evidence must be made available in writing and on demand to an auditor, for review and archiving.
26. Identity Management
HOW – IdM Services Architecture
Compliance: SOX Reference Framework
Section 404 of SOX does not specify which set of formal evaluation categories, known as a "framework", must be used in the assessment of controls over financial reporting. Specific IT control frameworks may be chosen by a company, as long as the company can convince its external auditor that its controls satisfy the requirements for effectiveness.
A framework of IT control objectives that is often used in the context of SOX is Control Objectives for Information and related Technology – COBIT, issued by the IT Governance Institute – ITGI (www.itgi.org).
SOX created the Public Company Accounting Oversight Board (PCAOB), a non-profit organisation, to oversee auditors of public companies. The PCAOB is charged with issuing guidelines for auditors on how to audit different aspects of reports, including the ones related to section 404.
As long as the resulting controls satisfy the requirements set forth by the PCAOB's auditing standard, companies can conceivably use IT control frameworks other than COBIT. Such frameworks can be the ones included in the IT Infrastructure Library – ITIL (www.itil.co.uk) or ISO 17799. Companies may also choose a proprietary control framework developed by consulting and audit firms.
It is important that companies work closely with their external auditors, especially in the first rounds of SOX section 404 implementation and certification.
27. Identity Management
HOW – IdM Services Architecture
Compliance
ITIL Framework
You can only maintain the ITIL Framework once you have completed the Identity Services Foundation, which enables compliant ITIL operations support and services.
28. Identity Management
HOW – IdM Services Architecture
Programme of Work – Identity service
1) Agree on IdM Service strategy
2) Agree on Programme/Timeframe
3) Agree on first 12 months' projects
Project 1: Service Foundation – Reconciliation Process: 1 to 4 months
A. Understanding the problem: reconciliation of the main applications in relation to Employees and Contractors
B. Understanding the problem: reconciliation of our main Customer/Business partner applications (in light of a drive to a single view of Customer)
This will identify the accounts related to business users, which in turn can be used once completed as input to Project 5
Project 2: Provisioning – Phase 1: 2 to 8 months
Project 3: Access Management – Phase 1: 3 to 9 months
Project 4: Active Directory clean-up / re-design of AD: 1 to 6 months
Project 5: Profile-Based System Access: 6 to 9 months
Inception / Validate Approach
Profile Discovery / HR Business Role Alignment
Profile Lifecycle Management
Governance Framework Development & Technology Road-mapping: 9 to 18 months
Note: A Business Analyst needs to be assigned to this project for defining the service elements from a business requirements perspective (IdM-based BA)
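The reconciliation in Project 1, the "eliminates dormant and orphan accounts" benefit on slide 16 and deficiencies 4, 5 and 8 on slide 23 all come down to one check: compare every application account against the authoritative HR source and flag whatever does not line up. The Python below is an added example, not code from this deck or from Airline Company; the HR records, application accounts, entitlement names, super-user list, segregation-of-duties rule and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Reconcile application accounts against the authoritative HR source.

Added example, not code from the deck or from Airline Company. All staff,
applications, entitlement names and thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    """One row of the authoritative HR source (the repository of record)."""
    employee_id: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class AppAccount:
    """One account as exported from a target application."""
    app: str
    username: str
    owner_id: Optional[str]          # HR id recorded on the account, if any
    entitlements: FrozenSet[str]
    last_login: Optional[date]       # None = never logged in


@dataclass(frozen=True)
class Finding:
    code: str
    app: str
    username: str
    detail: str


# Constructed sample data (hypothetical staff, applications, entitlements).
HR: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "active"),
    "E101": HrRecord("E101", "terminated", date(2007, 3, 31)),
    "E102": HrRecord("E102", "active"),
}
ACCOUNTS: List[AppAccount] = [
    AppAccount("SAP", "jsmith", "E100", frozenset({"AP_CREATE_VENDOR"}), date(2007, 5, 10)),
    AppAccount("SAP", "mjones", "E101", frozenset({"AP_APPROVE_PAYMENT"}), date(2007, 4, 2)),
    AppAccount("ORACLE_DB", "consult1", None, frozenset({"DBA"}), date(2006, 11, 1)),
    AppAccount("SAP", "pwong", "E102",
               frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT", "SAP_ALL"}), date(2007, 5, 17)),
    AppAccount("UNIX", "svc_batch", "E999", frozenset({"root"}), None),
]
# Entitlements that amount to "super user" in the respective application.
SUPERUSER: FrozenSet[str] = frozenset({"SAP_ALL", "DBA", "root"})
# Segregation of duties: holding both sides lets one person complete a
# transaction that should need two people.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}): "can create a vendor and approve payments to it",
}
AS_OF = date(2007, 5, 18)  # reconciliation date used by run_report()


def reconcile(hr, accounts, as_of, dormant_days=90):
    """Compare application accounts with HR; return one Finding per issue."""
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr.get(acct.owner_id) if acct.owner_id else None
        if rec is None:
            # Orphan: no responsible person in HR (or a service account never registered).
            findings.append(Finding("NO_HR_RECORD", acct.app, acct.username,
                                    f"owner {acct.owner_id!r} not found in HR source"))
        elif rec.status == "terminated":
            # Deficiency #5: de-provisioning never happened.
            detail = f"owner left on {rec.end_date}"
            if acct.last_login and rec.end_date and acct.last_login > rec.end_date:
                detail += f", account used afterwards ({acct.last_login})"
            findings.append(Finding("TERMINATED_STILL_ACTIVE", acct.app, acct.username, detail))
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings.append(Finding("DORMANT", acct.app, acct.username,
                                    f"no login in the last {dormant_days} days"))
        su = acct.entitlements & SUPERUSER  # deficiency #4
        if su:
            findings.append(Finding("SUPERUSER", acct.app, acct.username, ", ".join(sorted(su))))
        for pair, why in SOD_RULES.items():  # deficiency #8
            if pair <= acct.entitlements:
                findings.append(Finding("SOD_CONFLICT", acct.app, acct.username, why))
    return findings


def count_by_code(findings):
    """Per-code totals an auditor can compare from one run to the next."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


def run_report():
    """Reconcile the constructed sample data as of AS_OF."""
    return reconcile(HR, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.code:24} {f.app:10} {f.username:10} {f.detail}")
    print(count_by_code(run_report()))
```

In a real run the HR dictionary and the account list would be fed from the repositories of record (the HR system, Active Directory, an SAP user export) rather than literals; the point is that the reconciliation produces findings that can be re-run and compared run over run, which is what the SOX 404 and PCI evidence discussed above requires, instead of a one-off spreadsheet. The "used afterwards" detail on a terminated owner is the line to read first: it shows the orphan account was not merely left behind but actually exercised after the person left.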