Identity and Access Management is Everyone’s Responsibility
What is Identity & Access Management (IAM)?
A set of tools & services used to manage access to systems or resources used by personnel as well as our customers.
What Do I Need To Do As A Manager?
1. Request Access For Your Personnel
• Contact your Role Profile Owner
• Visit the IAM Support Central Site
2. Review Access When Prompted
• High-risk applications reviewed quarterly, all others annually
3. Remove Access When People Leave
• Submit requests within 24 hours of a job change
• Go to Workday for full-time employees
• Go to IAM Portal for contract workers

Common Misperceptions
1. The IAM team can/will manage access on my behalf
2. Eventually all applications will be centrally managed
3. When someone leaves the company, HR makes sure their access is terminated
Program scope (diagram labels): Identities, Access, Entitlements, Control, Identity & Credentials, Audit & Compliance

Program objectives:
1. Move towards a culturally aware business climate around IAM and enforce the use of a common identifier for all personnel utilizing Organization assets, both employee and non-employee.
2. Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve consistency, and minimize cost.
3. Implement a robust privileged user management program to identify, manage, and monitor access of privileged accounts on the Organization network.
4. Automate the provisioning and de-provisioning of core credentials and roles tied to identity events.
Functional service characteristics are determined based upon maturity level and are cumulative. They will be implemented for each application where technically feasible.

Maturity levels and functional service characteristics:
Level 4 – Highest (Target)
• Birthright-based Account Lifecycle
• Access request and fulfillment automated
• Closed-loop Certification
• Entitlement integrity enforced through programmatic reconciliation
Level 3 – High
• Event-Driven Account Lifecycle
• Event-Driven Workflow
• Certification
• Privileged Account usage tracked; Session Recorded
• Active Discovery of Privileged Accounts
Level 2 – Medium
• Access Request Routing
• Assisted Certifications
• Privileged Accounts inventoried quarterly
Level 1 – Low
• Centralized; User populations identifiable
• Single or Reduced Sign-On
• Logs sufficient to illustrate IAM transactions
Program Services:

Technical Operations:
• Level 1 team to support the primary On/OffBoarding processes for core credentials and logical assets.
• Primary support for provisioning and de-provisioning of any IAM-integrated applications (~80+).
• Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory.
• RSA/MFA & VPN support including SecurID hard/soft token deployment.
• Project-based core technical support specific to both small (new app) and large (Blue, Orange) projects.

Technical Development:
• Design, Development, and Deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM program.
• Technical leadership on all existing as well as new IAM projects.
• SME of all existing and new IAM products, services, and tools.
• External IS project support wherever IAM SME experience is needed.
• Ownership and design of IAM-deployed architecture supporting all Organization internal and external customers.

Business Operations:
• Role and Entitlement Engineering and the support of existing RBAC models.
• Enterprise Business Support for existing services as well as new projects.
• Oversight of Quarterly and Yearly reviews of end-user and privileged accounts.
• IAM solution on-boarding and deployment.
• User Acceptance Testing oversight and coordination with Testing COE.
• Program communications, including metrics and reporting.
General IAM Services / Technical Portfolio
Identity and Access Management Portal
IAM Portal Overview
The IAM Portal is the Identity & Access Management tool for:
• Provisioning and Certifications
• Delegation
• VPN management
Application Onboarding Onto Portal
The application onboarding focuses on integrating business-managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single-Sign-On, Privileged Access, and Logging capabilities.
IAM Portal High Level Architecture (How it Works)
Diagram components: IAM Portal; Auto Provisioning (CW Lifecycle Management (Employees), Manager CSV, Access Provisioning, Compliance Manager); Manual (VPN, DL, Delegation, etc.)
Application Certifications and Attestations
User Access Management is an On-going Process throughout the entire User’s lifecycle
Attestation Landscape – How do we determine “who has access to what” in an application?
Review cycle: Define → Review → Remediate → Govern

Define
• Retrieve access information into Attestation Templates
• Educate on Review & Remediation
• Provide Training; Kick-off review cycle

Review
• Conduct user access reviews: Manager-based
• Continuous Progress Reports weekly up to ELT
• RPO support & assistance to Business where needed
• 4 week cycle for reviews

Remediate
• Remediate user access where noted within 48 hours after closure of review
• Ticket/Closure or Evidence of remediation required for Audit
• Additional access pulls might be required to provide evidence of removals

Govern
• Establish enterprise standards/principles
• Requirements & Controls for review
• Set Roles & Responsibilities for user access review
• Perform Quality Assurance / Spot Checking
• Secure Sign-offs from IT and Business Owners
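The manager responsibilities (quarterly reviews for high-risk applications, annual for the rest, removal requests within 24 hours of a job change) and the attestation cycle above (remediation within 48 hours of review closure) are deadlines a defender can check mechanically against an entitlement export. The script below is an added example, not the deck's own tooling; the record layout, user names and applications are constructed for illustration.

```python
from datetime import datetime, timedelta

# Review cadence from the deck: high-risk applications quarterly, all others annually.
REVIEW_INTERVAL = {"high": timedelta(days=91), "standard": timedelta(days=365)}
LEAVER_SLA = timedelta(hours=24)        # removal request due within 24 hours of a job change
REMEDIATION_SLA = timedelta(hours=48)   # noted access remediated within 48 hours of review closure

def overdue_findings(entitlements, now):
    """Return (user, app, reason) for every entitlement that breaches a deadline."""
    findings = []
    for e in entitlements:
        removed = e.get("removed_on") is not None
        # 1. Leaver: access still present more than 24h after the job change.
        if e.get("left_on") and not removed and now - e["left_on"] > LEAVER_SLA:
            findings.append((e["user"], e["app"], "leaver access not removed"))
        # 2. Certification cadence: last manager review older than the risk tier allows.
        if not removed and now - e["last_certified"] > REVIEW_INTERVAL[e["risk"]]:
            findings.append((e["user"], e["app"], "certification overdue"))
        # 3. Remediation: access flagged at review closure but still present after 48h.
        closed = e.get("flagged_at_closure")
        if closed and not removed and now - closed > REMEDIATION_SLA:
            findings.append((e["user"], e["app"], "remediation overdue"))
    return findings

# Constructed sample export (hypothetical users and applications, not from the deck).
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = [
    {"user": "alice", "app": "payroll", "risk": "high",
     "last_certified": NOW - timedelta(days=30)},                      # compliant
    {"user": "bob", "app": "payroll", "risk": "high",
     "last_certified": NOW - timedelta(days=120)},                     # quarterly review missed
    {"user": "carol", "app": "wiki", "risk": "standard",
     "last_certified": NOW - timedelta(days=200),
     "left_on": NOW - timedelta(hours=30)},                            # left 30h ago, still active
    {"user": "dave", "app": "wiki", "risk": "standard",
     "last_certified": NOW - timedelta(days=10),
     "flagged_at_closure": NOW - timedelta(hours=72)},                 # flagged 3 days ago, not removed
    {"user": "erin", "app": "wiki", "risk": "standard",
     "last_certified": NOW - timedelta(days=400),
     "left_on": NOW - timedelta(days=5), "removed_on": NOW - timedelta(days=5)},  # removed: no finding
]

if __name__ == "__main__":
    for user, app, reason in overdue_findings(SAMPLE, NOW):
        print(f"{user:6} {app:8} {reason}")
```

Run against a real export, the findings list is the evidence of removals the Remediate step asks for, and anything left in it after the window is the exception an auditor will ask about.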
Privileged Identity Management
Who Are Privileged Access Users?
Users who have access to do the following activities are considered to have privileged access:
• Provision users
• Reboot servers
• System-level administration access
• System administrator-level access within an application security module that allows individuals to override the controls of the application
• IDs provided as part of third-party software solutions used to complete installation of the software
• IDs that are used to run applications
• Administrators with the ability to grant access or elevate privileges on an in-scope device
PA Program: Objectives
The objectives are grouped under four areas: Account Administration, Governance, Monitoring, and Operational. Objective items as listed on the slide:
• Account Administration Procedures
• Definition of Risk Criteria
• Staffing Model
• Reporting Criteria
• Roles and Responsibility
• Exception & Violation Criteria
• Enforcement Alert Configuration
• PA Metrics
• Standard Operating Procedures
• Policy, Standard and Procedures
• PA Awareness Training
• Tool Configuration
• Data Feed Inventory
• PA Account Inventory
• Reporting
• Technology On-boarding Procedures
PA Program: Summary
Challenges
PIM Tool Rollout Strategy
Privileged Identity Management (PIM)
Project Overview:
Release to Production and deployment of Enterprise Random Password Manager (ERPM), including deployment to Applications, Databases, Appliances and Devices across Production environments that use non-personal accounts. ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems.
Impact
Technology:
Platforms, Appliances, Mainframe, AS 400, Unix (Solaris & RHEL), Windows, Database; Accounts: Shared Service
People:
Enterprise Architecture, Security Architecture, Security Ops, Infrastructure Teams (Compute and Build teams, Server Admins, DB & Run teams, Networking, Mainframe/AS 400), Application Teams