Identity and Access Management

PMI Westchester Quality SIG Presentation


September 12th 2017

Identity and Access Management is Everyone’s Responsibility

What is Identity & Access Management (IAM)?
A set of tools & services used to manage access to systems or resources used by personnel as well as our customers.

Why is Managing Access Important?
Controlling access = Controlling risk

How Do We Manage Applications?
• Centrally-Managed applications – you ask IT to do it.
  • Use one or more centrally-managed IAM services.
• Business-Managed applications – you ask someone in the business to do it.
  • Applications the business manages locally. The business owns and creates the access to the application. The owner is responsible for the timely removal of access when someone terminates or transfers jobs.

Who Is Responsible for Managing Access?
Everyone who manages employees or contractors in the organization.
Identity and Access Management is Everyone’s Responsibility

What Do I Need To Do As A Manager?

1. Request Access For Your Personnel
   • Contact your Role Profile Owner
   • Visit the IAM Support Central Site
2. Review Access When Prompted
   • High-risk applications reviewed quarterly, all others annually
3. Remove Access When People Leave
   • Submit requests within 24 hours of a job change
   • Go to Workday for full-time employees
   • Go to IAM Portal for contract workers

Common Misperceptions

1. The IAM team can/will manage access on my behalf
2. Eventually all applications will be centrally managed
3. When someone leaves the company, HR makes sure their access is terminated

Request, Review, Remove


IAM Program – Strategic Goals

(Program areas: Identities, Credentials, Access, Entitlements, Control, Audit & Compliance)

Identity & Credentials:
1. Move towards a culturally aware business climate around IAM and enforce the use of a common
identifier for all personnel utilizing Organization assets, both employee and non-employee.
2. Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve
consistency, and minimize cost.
3. Implement a robust privileged user management program to identify, manage, and monitor access of
privileged accounts on the Organization network.
4. Automate the provisioning and de-provisioning of core credentials and roles tied to identity events.

Entitlements and Access Control:


5. Implement a business application on-boarding paradigm (aka “adoption”) that enables targeted
applications to integrate to IAM and minimizes the amount of re-work as the maturity of the overall IAM
solution grows.
6. Target high-risk applications (e.g. SOX/PCI), to be fully integrated to IAM with identity-event-driven
workflow to ensure full lifecycle automation and management (request, grant, review, remove, term,
transfer).
7. Integrate into the program high-risk physical and logical assets that have weak IAM controls and present
risk to the firm (e.g. local admin, laptops, badging system, etc.).

Audit and Compliance:


8. Enable the business to perform scheduled or ad-hoc access reviews of any group of assets in the
Organization across all users and the access they hold (i.e. “Who has access to what?”).
9. Provide accurate and timely compliance / auditing reports as well as metrics to operational teams,
business areas, and other interested parties.
Application Classification: Functional Service Characteristics

Functional service characteristics are determined based upon maturity level and are cumulative. They will be implemented for each application where technically feasible.

Level 4 – Highest (Target) Functional Service Characteristics:
• Birthright-based Account Lifecycle
• Access request and fulfillment automated
• Closed-loop Certification
• Entitlement integrity enforced through programmatic reconciliation
• Privileged Account usage tracked; Session Recorded; Active Discovery of Privileged Accounts

Level 3 – High Functional Service Characteristics:
• Event-Driven Account Lifecycle
• Event-Driven Certification
• Privileged Accounts inventoried quarterly

Level 2 – Medium Functional Service Characteristics:
• Access Request Centralized
• Workflow Routing
• Single or Reduced Sign-On
• Assisted Certifications

Level 1 – Low Functional Service Characteristics:
• User populations identifiable
• Logs sufficient to illustrate IAM transactions

Evidence required is dependent on Service Characteristics.


IAM Capability Overview

Department Mission:
To align Organization’s identity and access management capabilities closer to the industry and its peers by reengineering business processes, enabling the business with technology, and introducing automation wherever possible in a cost-effective and efficient manner.

Programs: Technical Operations, Technical Development and Business Operations together make up Identity and Access Management.

Program Services:

Technical Operations:
• Level 1 team to support the primary On/OffBoarding processes for core credentials and logical assets.
• Primary support for provisioning and de-provisioning of any IAM-integrated applications (~80+).
• Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory.
• RSA/MFA & VPN support including SecurID hard/soft token deployment.
• Project-based core technical support specific to both small (new app) and large (Blue, Orange) projects.

Technical Development:
• Design, Development, and Deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM program.
• Technical leadership on all existing as well as new IAM projects.
• SME of all existing and new IAM products, services, and tools.
• External IS project support wherever IAM SME experience is needed.
• Ownership and design of IAM-deployed architecture supporting all Organization internal and external customers.

Business Operations:
• Role and Entitlement Engineering and the support of existing RBAC models.
• Enterprise Business Support for existing services as well as new projects.
• Oversight of Quarterly and Yearly reviews of end-user and privileged accounts.
• IAM solution on-boarding and deployment.
• User Acceptance Testing oversight and coordination with Testing COE.
• Program communications, including metrics and reporting.
General IAM Services / Technical Portfolio

IAM – Current Services

Component – Description

• Unix LDAP (Temporary) – User Store for UNIX Authentication, replicated with GE Unix LDAP
• Unix LDAP (Permanent) – User Store for UNIX Authentication, pre-populated with existing Synchrony Financials employees
• AS400, AD, Mainframe (Resource Adapter/RA) – Critical care of core assets for account provisioning, PA mgmt., and Role Mgmt.
• SSO LDAP (Virtual Resource Adapter/VRA) – LDAP Infrastructure for SSO Authentication, SSO LDAP and VPN user configuration
• SSO – Infrastructure to provide Single Sign On / Authorizations
• Ping Federation & CA Federation – Federation infrastructure for External Federation partners – SAML2.0
• Identity Lifecycle Management – Managing the lifecycle of user access (Joiner, Mover, Leaver, Converter, Rehire)
• Access Requests – User interface to request access to systems for both normal and Privileged Access (PA)
• Access Provisioning – Add, modify, remove user accounts on target applications through an Access Request or Admin notification
• Role Lifecycle Management – Manage the lifecycle of Roles (Role Profiles/RP and System Access Profiles/SAP)
• Access Review – Review user access to applications, as well as privileged access, on a periodic basis
• Privileged Control Management – PA Credential Management Solution for Vaulting and Managing Access for Windows and *NIX OS Server Shared Accounts and *NIX Super User Accounts
• RSA SecurID / RADIUS (Permanent Production Environment) – Base Infrastructure Setup for Future Integration with IAM for User Creation, Self Service Features and integration with Active Directory and Ongoing User Migrations
Identity and Access Management Portal

IAM Portal Overview

• The IAM Portal is the Identity & Access Management tool for Provisioning and Certifications
• The main benefits include:
  • Automated access provisioning / deprovisioning
  • Requestor workflow transparency (“track my requests”)
  • Enhanced certification / attestation processes
  • Closed loop remediation
  • “SoD” prevention & detection
  • Centralized password reset
  • Contingent Worker creation / management
  • Delegation
  • VPN management
  • Distribution List management
Application Onboarding Onto Portal

The application onboarding focuses on integrating business-managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single Sign-On, Privileged Access, and Logging capabilities.

• Full Automation (wherever possible)
  • Eliminates manual provisioning errors
  • Nightly aggregations ensure the user base remains in sync and current
  • Terminations and removals are processed immediately
• Centralized Certifications
  • Application access is certified within IAM Portal using current data
  • Multi-level review starting with user managers
  • Ability to delegate individual roles or users to another certifier
• Transparency
  • Current user access (roles / entitlements)
  • User attributes (manager, dept., job function, etc.)
  • Ad hoc reporting & metrics
IAM Portal High Level Architecture (How it Works)

[Architecture diagram: IAM Portal components – Auto Provisioning (Employees), CW Lifecycle Management, Manager, Manual Access Provisioning (CSV), Compliance Manager, VPN / DL / Delegation etc., Reporting & Metrics]
Application Certifications and Attestations

User Access Management is an on-going process throughout the entire user’s lifecycle.
Attestation Landscape – How do we determine “who has access to what” in an application?

Centrally Managed Apps – Connected:
• IAM automatically creates or modifies the access needed
• Automated Attestations

Centrally Managed Apps – Manual:
1. IAM team manually creates or modifies the access needed
2. IAM team would load the file of “who has access to what”
• Manual Attestations

Business Managed Apps – Manual:
• Business Owner works with IT Owner to get a file of “who has access to what” for loading to the Excel Template
• Manual Attestations

• Evidence of Certification performed by Manager (new model) or RPO
• Metrics: Revocations vs. Keeps, Time to Revoke, Time to Complete, etc.
• Must complete process – only acceptable bar is 100% completion, every time

Attestation principles are the same whether Centralized or Business Managed.
IAM Attestations: The Attestation Lifecycle

(Cycle: Assess → Define → Review → Remediate → Govern)

Assess
• Certification Type & Scope: Regular, or targeted sub-group
• Frequency: SOX/PCI and Privileged Access = Quarterly, all others Annually

Define
• Retrieve access information into Attestation Templates
• Educate on Review & Remediation
• Provide Training; Kick-off review cycle

Review
• Conduct user access reviews: Manager-based
• Continuous Progress Reports weekly up to ELT
• RPO support & assistance to Business where needed
• 4 week cycle for reviews

Remediate
• Remediate user access where noted within 48 hours after closure of review
• Ticket/Closure or Evidence of remediation required for Audit
• Additional access pulls might be required to provide evidence of removals

Govern
• Establish enterprise standards/principles
• Requirements & Controls for review
• Set Roles & Responsibilities for user access review
• Perform Quality Assurance / Spot Checking
• Secure Sign-offs from IT and Business Owners
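As an added example (not part of the presentation), the following Python sketch applies the rules from the lifecycle above and the metrics from the Attestation Landscape slide: quarterly vs. annual frequency by application class, the 48-hour remediation window after review closure, completion (only 100% is acceptable), Revocations vs. Keeps and Time to Revoke. The ReviewItem structure and the sample review lines are constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Frequency rule from the Assess step: SOX/PCI and Privileged Access are
# certified quarterly, everything else annually.
QUARTERLY_CLASSES = {"SOX", "PCI", "PRIVILEGED"}
# Remediate step: noted access must be removed within 48 hours of review closure.
REMEDIATION_SLA = timedelta(hours=48)

@dataclass
class ReviewItem:
    """One line of a 'who has access to what' extract plus the manager's decision (constructed)."""
    user: str
    entitlement: str
    decision: Optional[str]                 # "keep", "revoke", or None if not yet reviewed
    revoked_at: Optional[datetime] = None   # when the removal ticket was closed

def review_interval(app_class: str) -> timedelta:
    """Time until the next certification cycle for an application of this class."""
    return timedelta(days=90) if app_class.upper() in QUARTERLY_CLASSES else timedelta(days=365)

def attestation_metrics(items: List[ReviewItem], closed_at: datetime) -> dict:
    """Completion flag, keeps/revokes, worst time-to-revoke and overdue remediations."""
    decided = [i for i in items if i.decision in ("keep", "revoke")]
    revokes = [i for i in decided if i.decision == "revoke"]
    overdue = [i for i in revokes
               if i.revoked_at is None or i.revoked_at - closed_at > REMEDIATION_SLA]
    hours = [(i.revoked_at - closed_at).total_seconds() / 3600
             for i in revokes if i.revoked_at is not None]
    return {
        "complete": len(decided) == len(items),    # only 100% completion is acceptable
        "keeps": len(decided) - len(revokes),
        "revokes": len(revokes),
        "max_hours_to_revoke": max(hours, default=0.0),
        "overdue": [f"{i.user}:{i.entitlement}" for i in overdue],
    }

# Constructed sample: a review of a PCI application that closed on 1 Sep 2017 17:00.
CLOSED_AT = datetime(2017, 9, 1, 17, 0)
SAMPLE_ITEMS = [
    ReviewItem("alice", "app:admin", "keep"),
    ReviewItem("bob", "app:admin", "revoke", datetime(2017, 9, 2, 9, 0)),   # 16h: within SLA
    ReviewItem("carol", "app:read", "revoke", datetime(2017, 9, 4, 9, 0)),  # 64h: overdue
    ReviewItem("dave", "app:read", None),                                   # blocks 100% completion
]

if __name__ == "__main__":
    print(attestation_metrics(SAMPLE_ITEMS, CLOSED_AT))
    print("next PCI review due:", CLOSED_AT + review_interval("pci"))
```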
Privileged Identity Management

Who Are Privileged Access Users?

Users who have access to do the following activities are considered to have privileged access:

• Provision users
• Reboot servers
• System level administration access
• System administrator level access within an application security module that allows individuals to override the controls of the application
• IDs provided as part of third party software solutions used to complete installation of the software
• IDs that are used to run applications
• Administrators with the ability to grant access or elevate privileges on an in-scope device
PA Program: Objectives

Account Administration:
• Account Administration Procedures
• Exception & Violation Procedures
• Standard Operating Procedures
• PA Account Inventory
• PA Account Reduction Strategy

Governance:
• Definition of Risk Criteria
• Roles and Responsibility
• PA Metrics
• Policy, Standard and Procedures
• Compliance Validation
• Metrics

Monitoring:
• Reporting Criteria
• Enforcement Criteria
• PA Awareness Training
• Data Feed Inventory
• Reporting
• PA Logging Validation Efforts

Operational:
• Staffing Model
• Alert Configuration
• Tool Configuration
• Technology On-boarding Procedures
PA Program: Summary

What needs to be done:
• Dedicated PA monitoring team
• Daily alert reconciliation
• Password vaulting for NPA accounts
• Updated PA policies and Job Aid
• Manual quarterly PA review
• Alert tracking workflow
• Violation tracking data form
• Continuously working with teams to tune alerts
• Manual IAM Feeds
• Developed training for PA users
• CDI/SSO lookup tools
• File level monitoring (Windows)

What is Needed:
• More robust Nix monitoring
• Automation between IAM and Splunk
• Real Time Monitoring
• IAM quarterly PA reviews
• Restricting of service account logon
• Management of service accounts
• Removal of PA from personal ids
• Ability to discover PA accounts
• Solution for root/super user access
• Session recording
• Access to IAM data to verify user access

Challenges:
• Technology not in place
• Immaturity of IAM platform
• Incorporation of PA requirements within IAM
PIM Tool Rollout Strategy

Privileged Identity Management (PIM)

Project Overview:
Release to Production and deployment of Enterprise Random Password Manager (ERPM), including deployment to Applications, Databases, Appliances and Devices across Production environments that use non-personal accounts. ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems.

High-level Deployment Plan
• Deployment of all in-scope Applications, Databases, Appliances and Devices in subsequent phases
• Migrate Class PXX/SOX
• Migration of accounts, LDAP and Local accounts
• Migrate Unix/Linux accounts
• IAM Portal and Help Desk Integrations with PIM Tool
• Develop End User support models for Implementation and Ongoing BAU

Impact
• Technology:
  • Platforms, Appliances, Mainframe, AS 400, Unix (Solaris & RHEL), Windows, Database; Accounts: Shared Service
• People:
  • Enterprise Architecture, Security, Architecture, Security Ops
  • Infrastructure Teams: Compute and Build teams, Server Admins, DB & Run teams, Networking, Mainframe/AS 400, Application Teams