IAM Role Management
Identity and Access Management: 10 Steps to Role-based Access Control
Steve Jensen, Senior Director and Chief Information Security Officer
Blue Cross Blue Shield of Minnesota
Identity Lifecycle Management
Business Requirements
> The ability to request and review access in terminology understood by the business.
> Speed up the onboarding process.
> Role-based access control.
Complexity of IT Security
Directories            | Systems and Servers | Applications and Tools | Databases | Software as a Service
Active Directory       | Mainframe           | SAP                    | DB2       | MeDecisions
Novell E-Directory     | z/Linux             | Lotus Notes            | IMS       | Salesforce.com
Lotus Notes Directory  | Unix                | STAR                   | Oracle    | Vurv
SAP Employee Directory | Microsoft           | Focus                  | SQL       | Centreq
10+                    | 600+                | 300+                   | 100+      | 20+
Users – Groups – Permissions – Resources
Terminology
> Application Role – A functional role that a user plays when utilizing a business application or interfacing with an infrastructure component.
– Specific to a single application
– For example, roles for an HR recruiting application: Human resource recruiter, Human resource benefits specialist, Hiring manager, Approver, Clerk
> Enterprise Role – A combination of application roles that, when combined, gives a person the access required to do their job across all applications they access.
Our Solution: Identity Lifecycle Management
[Lifecycle diagram; its stages correspond to the steps below: Establish ID Warehouse; Establish App. Role Management; Conduct Control Review; New Request System; Establish Ent. Role Management; Conduct Control Review; New Request System; Segregation of Duties Management]
Step 1 – Create an identity warehouse
> Justify the purchase with a quick win – password self-service functionality
> Platform coverage should be a key purchasing decision
> You will still need to build custom feeds
– Legacy systems
– Externally hosted systems
– Proprietary security systems
> Move to directory services whenever possible
> Don't just buy an IAM suite for "automated provisioning". Focus on role management
Step 2 – Establish enterprise role management
> Either design/build or purchase a role management product
> Ensure the product can meet the business requirements
> Include role management, role mining, and role attestation as bare-minimum requirements
> Plenty of choices now on the market
Step 3 – Define application roles
> Create application roles
– Don't attempt enterprise roles on day one
– Don't attempt to link roles to HR
> Map one or more access groups into each application role. Leverage documentation, group comments, and group description fields
> Add entitlements to provide flexibility
> Combine like entitlements that have been applied on multiple platforms
Step 4 – Conduct online role attestation
> Validate the assignments of application functionality to users
> Must be in business terms
– No acronyms
– No technical terms
– No security-specific terms
> Provide timely adjustments
Step 5 – Adjust request system
> Change your request system to request via application roles instead of “IT technical lingo”
> Immediate business value
> Generate processes to keep role management in sync
> Show what access is in place, and requesters can add or remove checks
> My advice – do not make automated provisioning your goal just yet
Step 6 – Create enterprise roles
> Go to each line of business with a plan
> Assign role ownership – usually the manager
> Allow for multiple enterprise roles per person
> Advice – don’t try to align with HR job codes
> KISS – Don't focus on keeping roles to a minimum; you have role management software to deal with the complexity.
> Adjust your role approval processes
Step 7 – Transparency – Conduct online role attestation
> Validate the assignments of enterprise roles to users
> Must be in business terms
– No acronyms
– No technical terms
– No security-specific terms
> Provide drill-down capabilities to application roles
Step 8 – Adjust request system (again)
> Change your request system to request enterprise roles instead of application roles
> New request type – grant an enterprise role access to an application role (i.e. add the application role to the enterprise role)
> Tremendous business value
> Generate processes to keep role management in sync
> Again, show what access is in place, and requesters can add or remove checks
> Automation of provisioning is best done at this phase
Step 9 – Segregation of Duties Analysis
> Solicit input from internal audit
> Solicit input from risk management
> Define mutually exclusive application roles and do not allow an enterprise role to have both
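Once enterprise roles are recorded as sets of application roles, the Step 9 rule can be checked mechanically rather than by reading role definitions. The following is an added example in Python, not code from the presentation or from Blue Cross Blue Shield of Minnesota. The enterprise roles, application roles and the single conflict rule are constructed for illustration. The per-person check and the request-time gate go beyond the slide, which only requires that no single enterprise role contain both halves of a mutually exclusive pair: Step 6 allows several enterprise roles per person, so two individually clean roles can combine into a conflict, and Step 8 moves requests to the enterprise-role level, where the same rule can be applied before access is granted.

```python
"""Segregation-of-duties analysis over enterprise roles (Step 9).

Added example, not from the presentation. Role names and the rule below
are constructed; the conflict rules themselves come from internal audit
and risk management, as the slide says.
"""

# Enterprise role -> application roles it grants (constructed sample data).
ENTERPRISE_ROLES = {
    "Accounts Receivable Clerk": {"AR: Post Receipts", "AR: View Customer"},
    "Accounts Receivable Supervisor": {"AR: Approve Write-off", "AR: View Customer"},
    "Billing Analyst": {"AR: Post Receipts", "AR: Approve Write-off"},  # bundles both halves
}

# Mutually exclusive application roles, one frozenset per pair so that the
# rule is symmetric and independent of the order audit wrote it down.
SOD_RULES = [
    frozenset({"AR: Post Receipts", "AR: Approve Write-off"}),
]


def role_violations(enterprise_roles, rules):
    """Enterprise roles that contain both application roles of a rule.

    This is the check the slide asks for: no enterprise role may have both.
    Returns sorted (enterprise role, (role_a, role_b)) tuples.
    """
    return sorted(
        (name, tuple(sorted(rule)))
        for name, app_roles in enterprise_roles.items()
        for rule in rules
        if rule <= app_roles
    )


def person_violations(assignments, enterprise_roles, rules):
    """Same check on the union of all enterprise roles a person holds.

    Goes beyond the slide: a person may hold several enterprise roles
    (Step 6), so the conflict can arise across roles that are each clean.
    `assignments` maps person -> list of enterprise role names.
    """
    found = []
    for person, held in assignments.items():
        app_roles = set().union(*(enterprise_roles[r] for r in held))
        for rule in rules:
            if rule <= app_roles:
                found.append((person, tuple(sorted(rule))))
    return sorted(found)


def request_blocked(current_app_roles, requested, rules):
    """Request-time gate for the request system (Step 8).

    True if granting `requested` on top of `current_app_roles` would
    complete a mutually exclusive pair.
    """
    return any(
        requested in rule and (rule - {requested}) <= set(current_app_roles)
        for rule in rules
    )


if __name__ == "__main__":
    # Constructed assignments: pat holds two clean roles that conflict together.
    ASSIGNMENTS = {
        "pat": ["Accounts Receivable Clerk", "Accounts Receivable Supervisor"],
        "sam": ["Accounts Receivable Clerk"],
    }
    print("role-level:", role_violations(ENTERPRISE_ROLES, SOD_RULES))
    print("person-level:", person_violations(ASSIGNMENTS, ENTERPRISE_ROLES, SOD_RULES))
    print("block request:", request_blocked({"AR: Post Receipts"}, "AR: Approve Write-off", SOD_RULES))
```

The role-level check alone would pass "Accounts Receivable Clerk" and "Accounts Receivable Supervisor" as clean; only the person-level union exposes that holding both gives one person the ability to post receipts and approve write-offs.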
Step 10 – Leverage and Measure
> Extend role management from internal employees to customers, suppliers, business partners, etc.
The transformation of access
After Step 1 (2007 – obscure technical lingo):
• SA_ACCTRECCLK
• SAS_CML_GROUP_6
• CARSVIEW
• …
After Step 3 (2008 – application roles):
• Select Account (SAM) – Accounts Receivable Clerk Access
• Compliance Audit Review & Reporting System (CARS) – View Access
• …
After Step 6 (2009 – enterprise roles):
• Select Account Receivable Clerk
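The Terminology slide, Steps 3, 4 and 7, and the transformation above describe one data model: technical groups from the identity warehouse are bundled into application roles with business names, application roles are bundled into enterprise roles, and attestation shows the business names with drill-down to the technical names. The following is an added example in Python, not code from the presentation or from Blue Cross Blue Shield of Minnesota. It uses the three group names shown above, but which group belongs to which role, the platform each group lives on, the second CARS group (`CARS_Viewers`), the `Domain Admins` leftover, and the `find_exceptions` comparison are assumptions made for illustration.

```python
"""Role model behind the ten steps: platform entitlements -> application
roles (business names) -> enterprise roles, plus the two checks attestation
needs: a business-terms view with drill-down, and a comparison of what the
warehouse says a person has against what their roles say they should have.

Added example, not from the presentation. Class names, platform
assignments and all entitlements except SA_ACCTRECCLK, SAS_CML_GROUP_6 and
CARSVIEW are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One technical grant on one platform, as fed into the identity warehouse."""
    platform: str   # e.g. "RACF", "AD" (assumed platform names)
    name: str       # the "obscure technical lingo" group or profile name


@dataclass
class ApplicationRole:
    """Functional role within a single application, named in business terms.
    Like entitlements from several platforms are combined here (Step 3)."""
    name: str
    application: str
    entitlements: frozenset


@dataclass
class EnterpriseRole:
    """Combination of application roles covering a job (Step 6)."""
    name: str
    owner: str                 # usually the manager
    application_roles: tuple


def resolve(enterprise_roles):
    """Entitlements a person should hold: the union over every enterprise
    role held, since a person may hold more than one (Step 6)."""
    granted = set()
    for er in enterprise_roles:
        for ar in er.application_roles:
            granted |= ar.entitlements
    return granted


def find_exceptions(actual, enterprise_roles):
    """Compare warehouse reality with the role model (Steps 4 and 7).

    Returns (unexplained, missing): access the person has that no held role
    grants, and access a held role grants that was never provisioned.
    """
    expected = resolve(enterprise_roles)
    return actual - expected, expected - actual


def attestation_view(person, enterprise_roles, drill_down=False):
    """Review text in business terms only; technical names appear solely
    when the reviewer drills down (Step 7)."""
    lines = [f"{person} holds:"]
    for er in enterprise_roles:
        lines.append(f"  {er.name} (owner: {er.owner})")
        for ar in er.application_roles:
            lines.append(f"    {ar.application}: {ar.name}")
            if drill_down:
                for e in sorted(ar.entitlements, key=lambda x: (x.platform, x.name)):
                    lines.append(f"      [{e.platform}] {e.name}")
    return "\n".join(lines)


# Constructed sample roles; the group-to-role mapping is an assumption.
AR_CLERK = ApplicationRole(
    "Accounts Receivable Clerk Access", "Select Account (SAM)",
    frozenset({Entitlement("RACF", "SA_ACCTRECCLK"),
               Entitlement("AD", "SAS_CML_GROUP_6")}))
AR_CARS_VIEW = ApplicationRole(
    "View Access", "Compliance Audit Review & Reporting System (CARS)",
    frozenset({Entitlement("RACF", "CARSVIEW"),
               Entitlement("AD", "CARS_Viewers")}))   # two platforms, one role
ER_AR_CLERK = EnterpriseRole("Select Account Receivable Clerk", "AR Manager",
                             (AR_CLERK, AR_CARS_VIEW))

if __name__ == "__main__":
    # Constructed warehouse snapshot for one person.
    actual = {Entitlement("RACF", "SA_ACCTRECCLK"),
              Entitlement("AD", "SAS_CML_GROUP_6"),
              Entitlement("RACF", "CARSVIEW"),
              Entitlement("AD", "Domain Admins")}    # leftover from an old job
    print(attestation_view("J. Doe", [ER_AR_CLERK], drill_down=True))
    unexplained, missing = find_exceptions(actual, [ER_AR_CLERK])
    print("unexplained:", sorted(e.name for e in unexplained))
    print("missing:", sorted(e.name for e in missing))
```

The `unexplained` set is what an attestation in business terms would otherwise hide: access that no role justifies, which is exactly the residue a reviewer needs to remove or a role owner needs to absorb into a role. The `missing` set is the provisioning gap that Step 8 automation would close.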
Questions?