Identity and Access Management is Everyone’s Responsibility
What is Identity & Access Management (IAM)?
A set of tools & services used to manage access to systems or resources used by personnel as well as
Why is Managing Access Important?
Controlling access = Controlling risk
How Do We Manage Applications?
Centrally-Managed applications – you ask IT to do it.
• Use one or more centrally-managed IAM services
Business-Managed applications – you ask someone in the business to do it.
• Applications the business manages locally. The business owns and creates the access to the application. The owner is responsible for the timely removal of access when someone terminates or transfers jobs.
Who Is Responsible for Managing Access?
Everyone who manages employees or contractors in the organization
Request, Review, Remove
1. The IAM team can/will manage access on my behalf
2. Eventually all applications will be
3. When someone leaves the company, HR makes sure their access is terminated
What Do I Need To Do As A Manager?
Request Access For Your Personnel
• Contact your Role Profile Owner
• Visit the IAM Support Central Site
Review Access When Prompted
• High-risk applications reviewed quarterly, all
Remove Access When People Leave
• Submit requests within 24 hours of a job change
• Go to Workday for full-time employees
• Go to IAM Portal for contract workers
4. IAM Program – Strategic Goals
Identity & Credentials:
1. Move towards a culturally aware business climate around IAM and enforce the use of a common identifier for all personnel utilizing Organization assets, both employee and non-employee.
2. Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve consistency, and minimize cost.
3. Implement a robust privileged user management program to identify, manage, and monitor access of privileged accounts on the Organization network.
4. Automate the provisioning and de-provisioning of core credentials and roles tied to identity events.
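An added example, not from the deck, of the identity-event-driven de-provisioning that goal 4 describes, applying the rules stated in the deck's lifecycle notes: disable (not delete) all access on termination or LOA within 24 hours, re-certify every grant on a job change, and remove temporary exception access on its expiry date. The event format, the account model and the 30-day deletion delay are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rules taken from the deck: termination/LOA disables all access within 24 hours,
# a job change re-certifies every grant, exception access ends on its expiry date.
# The deletion delay after termination is left open by the deck: PLACEHOLDER value.
DISABLE_WITHIN_HOURS = 24
DELETE_AFTER = timedelta(days=30)  # placeholder retention, not fixed by the deck

@dataclass
class Account:
    user: str
    app: str
    enabled: bool = True
    expires: Optional[date] = None   # set only on temporary exception access
    needs_recert: bool = False

def handle_event(event: dict, accounts: list, today: date) -> list:
    """Map one HR identity event (constructed dict) to provisioning actions."""
    mine = [a for a in accounts if a.user == event["user"]]
    actions = []
    if event["type"] in ("termination", "loa"):
        # Disable rather than delete: an LOA account must come back, and a
        # leaver's account keeps its audit trail until the retention period ends.
        for a in mine:
            a.enabled = False
            actions.append(f"DISABLE {a.user}@{a.app} within {DISABLE_WITHIN_HOURS}h")
        if event["type"] == "termination":
            actions.append(f"SCHEDULE DELETE {event['user']} on {today + DELETE_AFTER}")
    elif event["type"] == "transfer":
        # Mover: nothing is removed blindly, but every grant goes back to the
        # new manager for re-certification so old-job access does not accumulate.
        for a in mine:
            a.needs_recert = True
            actions.append(f"RECERTIFY {a.user}@{a.app} by {event['manager']}")
    elif event["type"] == "exception_grant":
        accounts.append(Account(event["user"], event["app"], expires=event["expires"]))
        actions.append(f"GRANT {event['user']}@{event['app']} until {event['expires']}")
    return actions

def expire_exceptions(accounts: list, today: date) -> list:
    """Nightly job: remove temporary exception access that has reached its end date."""
    actions = []
    for a in accounts:
        if a.enabled and a.expires is not None and a.expires <= today:
            a.enabled = False
            actions.append(f"REMOVE expired exception {a.user}@{a.app}")
    return actions
```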
Entitlements and Access Control:
1. Implement a business application on-boarding paradigm (aka “adoption”) that enables targeted applications to integrate to IAM and minimizes the amount of re-work as the maturity of the overall IAM
2. Target high-risk applications (e.g. SOX/PCI), to be fully integrated to IAM with identity-event-driven workflow to ensure full lifecycle automation and management (request, grant, review, remove, term,
3. Integrate into the program high-risk physical and logical assets that have weak IAM controls and present risk to the firm (e.g. local admin, laptops, badging system, etc.).
Audit and Compliance:
1. Enable the business to perform scheduled or ad-hoc access reviews of any group of assets on Organization across all users and the access they hold (i.e. “Who has access to what?”).
2. Provide accurate and timely compliance / auditing reports as well as metrics to operational teams, business areas, and other interested parties.
Audit & Compliance
Application Classification: Functional Service Characteristics
Access request and
Privileged Account usage
tracked; Session Recorded;
Active Discovery of
Access Request Centralized
Single or Reduced Sign-On
Logs sufficient to
Functional service characteristics are determined based upon maturity level and are cumulative. They will be implemented for each application where technically feasible.
Evidence required is dependent on Service Characteristics
IAM Capability Overview
• Level 1 team to support the processes for core credentials and logical assets.
• Primary support for provisioning and de-provisioning of any IAM-integrated applications (~80+)
• Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory.
• RSA/MFA & VPN support including SecurID hard/soft token
• Project-based core technical support specific to both small (new app) and large (Blue,
• Design, Development, and Deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM
• Technical leadership on all existing as well as new IAM
• SME of all existing and new IAM products, services, and tools.
• External IS project support wherever IAM SME experience is
• Ownership and design of IAM-deployed architecture supporting all Organization internal and
• Role and Entitlement Engineering and the support of existing RBAC
• Enterprise Business Support for existing services as well as new
• Oversight of Quarterly and Yearly reviews of end-user and
• IAM solution on-boarding and
• User Acceptance Testing oversight and coordination with
• Program communications, including metrics and reporting.
Department Mission: To align Organization’s identity and access management capabilities closer to the industry and its peers by reengineering business processes, enabling the business with technology, and introducing automation wherever possible in a cost-effective and efficient manner.
Programs:
General IAM Services / Technical Portfolio
IAM – Current Services
• Unix User Store for UNIX replicated with GE Unix
• Unix User Store for UNIX populated with existing
• Critical care of core assets for account provisioning, PA mgmt., and Role Mgmt.
• SSO LDAP Infrastructure for SSO Authentication, and VPN user
• Infrastructure to provide Single Sign On / for External Federation partners – SAML2.0
• Managing the lifecycle of user access (Joiner,
• User interface to request access to systems for both normal and Privileged Access (PA)
• Add, modify, remove user accounts on target applications through an or Admin notification
• Manage the lifecycle of Roles (Role Profiles/RP and System Access
• Review user access to applications, as well as privileged access, on a
• for Vaulting and Control for Windows and *NIX OS Server Shared Accounts and *NIX Super User
• Setup for Future Integration with IAM for User Creation, Self Service Features and integration with Active Directory and Ongoing
IAM Portal Overview
The IAM Portal is the Identity & Access Management tool for Provisioning and Certifications
The main benefits include:
Automated access provisioning / deprovisioning
Requestor workflow transparency (“track my requests”)
Enhanced certification / attestation processes
Closed loop remediation
“SoD” prevention & detection
Centralized password reset
Contingent Worker creation / management
Distribution List management
Application Onboarding Onto Portal
The application onboarding focuses on integrating business managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single-Sign-On, Privileged Access, and Logging capabilities.
Full Automation (wherever
Eliminates manual provisioning errors
Nightly aggregations ensure the user base remains in sync and current
Terminations and removals are
Application access is certified within IAM Portal using current data
Multi-level review starting with user
Ability to delegate individual roles or users to another certifier
Current user access (roles /
User attributes (manager, dept., job
Ad hoc reporting & metrics
IAM Portal High Level Architecture (How it Works)
VPN, DL, Delegation, etc.
Reporting & Metrics
Attestation Landscape – How do we determine “who has access to what” in an application?
Centrally Managed Apps (Automated Attestations):
1. IAM team manually creates or modifies the access needed
2. IAM team would load the file of “who has access to
Business Managed Apps (Manual Attestations):
Business Owner works with IT Owner to get a file of “who has access to what” for loading to the Excel Template
• Evidence of Certification performed by Manager (new model) or RPO
• Metrics: Revocations vs. Keeps, Time to Revoke, Time to Complete, etc.
• Must complete process – only acceptable bar is 100% completion, every time
Attestation principles are the same whether Centralized or Business
IAM Attestations: The Attestation Lifecycle
• Certification Type & Scope: Regular, or targeted sub-
• Frequency: SOX/PCI and Privileged Access = Quarterly, all others Annually
• Retrieve access information into Attestation Templates
• Educate on Review & Remediation
• Provide Training; Kick-off review cycle
• Conduct user access reviews: Manager-based
• Continuous Progress Reports weekly up to ELT
• RPO support & assistance to Business where needed
• 4 week cycle for reviews
• Remediate user access where noted within 48 hours after closure of review
• Ticket/Closure or Evidence of remediation required for
• Additional access pulls might be required to provide evidence of removals
• Establish enterprise standards/principles
• Requirements & Controls for review
• Set Roles & Responsibilities for user access review
• Perform Quality Assurance / Spot Checking
• Secure Sign-offs from IT and Business Owners
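The attestation landscape and lifecycle above (loading a “who has access to what” extract, manager-based review, the only acceptable bar being 100% completion, remediation within 48 hours of closure, and the revocations-vs-keeps and time-to-remediate metrics) as an added example that is not part of the deck; the access extract, HR roster and names are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample input: one application's "who has access to what" extract
# (the file a business owner loads into the attestation template) and the HR
# roster it is reconciled against. Names are made up.
ACCESS_EXTRACT = [
    {"user": "jdoe", "app": "payroll", "entitlement": "PAY_ADMIN"},
    {"user": "asmith", "app": "payroll", "entitlement": "PAY_VIEW"},
    {"user": "bjones", "app": "payroll", "entitlement": "PAY_VIEW"},
]
HR_ROSTER = {
    "jdoe": {"manager": "mlee", "status": "active"},
    "asmith": {"manager": "mlee", "status": "active"},
    "bjones": {"manager": "kchan", "status": "terminated"},  # leaver still holding access
}
REMEDIATION_SLA = timedelta(hours=48)  # from the deck: remediate within 48h of closure

def build_campaign(extract, roster):
    """Reconcile the extract with HR and route each line item to its certifying manager.
    Leavers and unknown users are pre-decided as revocations: nobody can 'keep' them."""
    items = []
    for row in extract:
        person = roster.get(row["user"])
        orphan = person is None or person["status"] != "active"
        items.append({**row,
                      "certifier": person["manager"] if person else "IAM",
                      "decision": "revoke" if orphan else None,
                      "revoked_at": None})
    return items

def record_decision(item, decision, revoked_at=None):
    """Manager decision for one line item; a revoke later gets its remediation timestamp."""
    if decision not in ("keep", "revoke"):
        raise ValueError(decision)
    item["decision"] = decision
    item["revoked_at"] = revoked_at

def campaign_metrics(items, closed_at):
    """The deck's metrics: revocations vs keeps, completion (100% is the only
    acceptable bar) and revocations not remediated within the SLA after closure."""
    decided = [i for i in items if i["decision"] is not None]
    revokes = [i for i in decided if i["decision"] == "revoke"]
    late = [i for i in revokes
            if i["revoked_at"] is None or i["revoked_at"] > closed_at + REMEDIATION_SLA]
    return {"revocations": len(revokes), "keeps": len(decided) - len(revokes),
            "completion_pct": round(100 * len(decided) / len(items), 1),
            "complete": len(decided) == len(items),
            "late_remediations": [i["user"] for i in late]}
```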
Who Are Privileged Access Users
Users who have access to do the following activities are considered to have
• Provision users
• Reboot servers
• System level administration access
• System administrator level access within an application security module that allows individuals to override the controls of the application
• IDs provided as part of third party software solutions used to complete installation of the software.
• IDs that are used to run applications.
• Administrators with the ability to grant access or elevate privileges on an in scope device
PA Program: Objectives
Exception & Violation
PA Awareness Training
PA Account Inventory
PA Account Reduction
PA Metrics Criteria
Policy, Standard and
Definition of Risk
Data Feed Inventory
PA Logging Validation
PA Program: Summary
• Dedicated PA monitoring team
• Daily alert reconciliation
• Password vaulting for NPA accounts
• Updated PA policies and Job Aid
• Manual quarterly PA review
• Alert tracking workflow
• Violation tracking data form
• Continuously working with teams to tune
• Manual IAM Feeds
• Developed training for PA users
• More robust Nix monitoring
• Automation between IAM and Splunk
• Real Time Monitoring
• IAM quarterly PA reviews
• Restricting of service account logon
• Management of service accounts
• Removal of PA from personal ids
• Ability to discover PA accounts
• Solution for root/super user access
• Session recording
• Access to IAM data to verify user access
• CDI/SSO lookup tools
• File level monitoring (Windows)
• Technology not in place
• Immaturity of IAM platform
• Incorporation of PA requirements within IAM
What needs to be done / What is Needed
PIM Tool Rollout Strategy
Privileged Identity Management (PIM)
Release to Production and deployment of Enterprise Random Password Manager (ERPM), including deployment to Applications, Databases, Appliances and Devices across Production environments that use non-personal accounts. ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems.
High-level Deployment Plan
Deployment of all in-scope Applications, Databases, Appliances and Devices in
Migrate Class PXX/SOX
Migration of accounts, LDAP and Local accounts
Migrate Unix/Linux accounts
IAM Portal and Help Desk Integrations with PIM Tool
Develop End User support models for Implementation and Ongoing BAU
Platforms, Appliances, Mainframe, AS 400, Unix (Solaris & RHEL), Windows Database, Accounts: Shared Service
Enterprise Architecture, Security, Architecture, Security Ops, Infrastructure Teams: Compute and Build teams, Server Admins, DB & Run teams, Networking, Mainframe/AS 400, Application Teams
Why IAM?
Improves operational efficiency and regulatory compliance management
1. User on-boarding and other repetitive tasks – Self-service for users requesting password resets
2. To protect systems, applications and information from internal and external threats – Deleting sensitive files.
3. To comply with various regulatory, privacy and data protection requirements
1. Employees and on-site contractors of an organization accessing SaaS service using identity federation.
2. IT administrators accessing CSP management console to provision resources and access for users using a corporate identity.
3. Developers creating accounts in a PaaS platform
4. End users accessing storage service in the cloud and sharing files and objects with users, within and outside the domain using access policy management
5. An application residing in a cloud service provider accessing storage from another cloud service
Authentication – Verifying the identity of a user, system or service.
Authorization – Privileges that a user, system or service has after being authenticated (e.g., access control). In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.
Auditing – Review and examine what the user, system or service has carried out; check for compliance.
IAM Architecture and Practice
User management – Activities for the effective governance and management of identity life cycles.
Authentication management – Activities for the effective governance and management of the process for determining that an entity is who or what it claims to
Authorization management – Activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organization’s
IAM process consists of the following:
– User management (for managing identity life cycles),
– Authentication management,
– Authorization management,
– Access management,
– Data management and provisioning,
– Monitoring and auditing,
– Credential and attribute management,
– Entitlement management,
– Compliance management,
– Identity federation management,
– Centralization of authentication and authorization,
IAM Standards and Specifications for Organizations
1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on user experience for my users? SAML.
2. How can I automatically provision user accounts with cloud services and automate the process of provisioning and deprovisioning? SPML.
3. How can I provision user accounts with appropriate privileges and manage entitlements for my users? XACML.
4. How can I authorize cloud service X to access my data in cloud service Y without disclosing credentials? OAuth.
Security Assertion Markup Language (SAML)
• SAML is the most mature, detailed, and widely adopted family of specifications for browser-based federated sign-on for cloud users.
Open Authentication (OAuth)
• OAuth is an emerging authentication standard that allows consumers to share their private resources (e.g., photos, videos, contact lists, bank accounts) stored on one CSP with another CSP without having to disclose their credentials (e.g., username and password).
• OAuth is an open protocol and it was created with the goal of enabling authorization via a secure application programming interface (API): a simple and standard method for desktop, mobile, and web applications
Data Security – Must be compliant with our Data Security for the multitude of reasons
Policy – We demonstrate and follow Data Policy for the OCC and the ability to show evidence of that adherence, which ultimately reduces our overall risk.
We tend to focus on the initial hire of an employee to ensure access is set correctly from the onset, but really the larger issues come when transfers and terminations occur.
Initially – We want to have the minimum amount of access for every employee.
Job Changes – All access needs to be re-“certified” and approved
Temporary Exception access is time-bound and must be monitored closely and removed on the expiration date.
LOA requires that all access be disabled. It is required by regulations and we need to work better on the ability to “disable” vs “delete” across all our applications. – must be very closely monitored.
Terminations – within 24 to 48 hours access must be disabled, and after xx time we delete (which I am not sure if 30, 60 or 90 today?)
LifeCycle Management is harder than initial setup, so this is the area where we need to be hyper-focused going forward. Good Access is from Start to Exit!!
good, I think the key thing here is that they walk away understanding there are so many places "access" can be impacted...whether new hire, job change, temp access, LOA, etc...and that is WHY we need to do regular certifications of access...