
Identity and Access Management
Objectives
• Find a common background for discussing IAM
• Discuss problems and opportunities in the field
• Introduce terminology
• Highlight a possible future direction
Today’s Problems
Who am I? Who are you?
• Networks use multiple identity systems
• The Internet is no better
• Users get confused with all of these IDs
• Management and audit have difficulty keeping track of all these IDs
• The bad guys are quite happy
So many IDs!
[Diagram: one Person holding a separate Account in each of Active Directory, Online HR Info and PeopleSoft (User)]
Multiple Contexts
[Diagram: Remote Employees, Employees, Suppliers, Customers, Partners]
Trends
• Regulation and Compliance
  - SOX, HIPAA, GLB
• Increasing Threats
  - Identity theft
  - Exposure of confidential info
• Maintenance Costs
  - The average employee needs access to 16 applications
  - Companies spend an estimated $20-30 per user per year on password resets
The Real Impact
End-users:        Too many IDs
                  Too many passwords
                  Must wait for access to applications
Administrators:   Too many IDs
                  Too many end-user requests
                  Difficult or unreliable ways to sync all the accounts
Audit/Compliance: Orphaned accounts
                  Limited or no audit capability
                  Where are the audit trails?
Making It All Better
Identity and Access Management
[Diagram: IAM at the centre, surrounded by Password Management, Role Management, User Provisioning, Authorization, Directories, and Audits & Reporting]
The Benefits of IAM
• Save money
• Improve operational efficiency
• Reduce time to deliver applications and services
• Enhance security
• Enhance regulatory compliance
• Give more power to audit
Let’s Define IAM Terms
• Authentication (AuthN)
  - Verify that a person is who they claim to be
  - This is where multi-factor authentication comes into play
  - Identification and authentication are related but not the same
• Authorization (AuthZ)
  - Deciding what resources can be accessed/used by a user
• Accounting
  - Charges you for what you do
IAM is a Foundation
Identity Management: Account Provisioning & Deprovisioning; Synchronisation
Administration:      User Management; Password Management; Workflow; Delegation; Audit and Reporting
Access Management:   AuthN; AuthZ
Now What?
Implement IAM!
• Start Slow!
• Define your Single Source of Truth (SSOT)
  - Unfortunately, there may be more than one, if that makes sense.
• Implement the “big wins”
  - User provisioning to Active Directory
  - Password resets
But How?
• SSOT
  - Work with your team, IT, and management to determine the true source of user information
• User Provisioning to AD
  - It’s already happening!
  - Solutions
    - Microsoft ILM
    - CA eTrust Admin
    - Sun IM
    - …
The Results!
• User provisioning can be automated
• Password resets can be delegated to the helpdesk
• And the big one:
  - You can now audit both the user provisioning and password resets
The Next Step
• Extend User Provisioning
  - To PeopleSoft
  - Lawson
  - Oracle
  - Custom/in-house applications
• Begin consolidating user directories
  - Can you point some or all of your applications at AD or LDAP?
Authorization
• This is the hard one!
• Applications define their AuthZ rules differently
• Try to consolidate to an AD/LDAP authz landscape
• Tackle this one application at a time!
The Power is Yours
• You can now audit/review:
  - Who has what accounts?
  - Why do they have those accounts?
  - Who approved those accounts?
  - Are there any orphaned accounts?
  - Who has access to what?
  - For how long have they had that access?
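One concrete form of that review, as an added example that is not part of the original deck: reconciling a directory export against the HR Single Source of Truth to flag orphaned accounts, unprovisioned people and access held longer than a re-certification window. HR_RECORDS and DIRECTORY_ACCOUNTS are constructed sample data, and the field names are assumptions rather than any product's schema.

```python
from datetime import date

# Constructed sample data (not from the deck). HR is the Single Source of
# Truth (SSOT); the account list stands in for an Active Directory export.
HR_RECORDS = {
    "e100": {"name": "Alice Ng", "status": "active"},
    "e101": {"name": "Bob Lee", "status": "active"},
    "e102": {"name": "Carol Diaz", "status": "terminated"},
}
DIRECTORY_ACCOUNTS = [
    {"account": "alice.ng", "employee_id": "e100", "enabled": True,
     "groups": {"Finance-RO"}, "granted": date(2006, 3, 1)},
    {"account": "carol.diaz", "employee_id": "e102", "enabled": True,
     "groups": {"Finance-RW"}, "granted": date(2008, 5, 20)},
    {"account": "svc-legacy", "employee_id": None, "enabled": True,
     "groups": {"Domain Admins"}, "granted": date(2004, 1, 1)},
    {"account": "dave.old", "employee_id": "e999", "enabled": False,
     "groups": set(), "granted": date(2005, 7, 7)},
]

def reconcile(hr, accounts, today, max_age_days=365):
    """Compare directory accounts with the SSOT and return audit findings:
    orphaned      - enabled accounts with no active owner in HR
    unprovisioned - active HR people who have no directory account
    stale_access  - owned accounts whose group access is older than max_age_days
    """
    findings = {"orphaned": [], "unprovisioned": [], "stale_access": []}
    owners_seen = set()
    for acct in accounts:
        owner = hr.get(acct["employee_id"])
        if owner is not None:
            owners_seen.add(acct["employee_id"])
        if not acct["enabled"]:
            continue  # a disabled account is not a live exposure
        if owner is None or owner["status"] != "active":
            why = "no owner in SSOT" if owner is None else "owner " + owner["status"]
            findings["orphaned"].append((acct["account"], why))
            continue
        age_days = (today - acct["granted"]).days
        if acct["groups"] and age_days > max_age_days:
            findings["stale_access"].append((acct["account"], sorted(acct["groups"]), age_days))
    for emp_id, rec in hr.items():
        if rec["status"] == "active" and emp_id not in owners_seen:
            findings["unprovisioned"].append((emp_id, rec["name"]))
    return findings

def sample_report():
    """Run the reconciliation over the constructed data as of 2009-01-01."""
    return reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2009, 1, 1))
```

In a real deployment the two inputs would come from the HR feed and a directory export, and each finding would be routed to the account's approver for re-certification or deprovisioning.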
And there is more..
• You can control access to your web-enabled applications using a Web Access Manager (WAM)
• Don’t forget about SSO!
• What about federated identities and your partners and suppliers?
Viva La Resistance!
IT Resistance
• Sometimes IT resists a formalized IAM process because:
  - “We are too busy”
  - “We can’t afford it”
  - “We don’t want to give up control!”
“We are Too Busy”
• This is a common response
• IT is too busy..
  - Because they are resetting passwords all day
  - Working too hard to create accounts
  - Learning too late that orphaned accounts are being misused/attacked
“We Can’t Afford It”
• There are small and big solutions to this problem
• If you are an AD-only shop with minimal applications, then you can start small
• Larger enterprises have no choice, they can’t afford not to!
“We Don’t Want to Give Up Control!”
• This is usually the root of the disagreement.
• They are responsible for IT
• They don’t want problems in IAM to reflect poorly on them
• They are used to the control, even if it’s not necessary
A Compromise
• Take control without giving up control!
• A middle-ground:
  - IAM solutions can be used to explore user directories/databases
  - Reports can be generated
  - IT can still do the provisioning itself
Summary
• It’s becoming impossible to manage all of these accounts and rights by hand
• You can automate controls
• You can automate audit reports
• You can control THE PROCESS!