A Pragmatic Approach to Identity and Access Management
DESCRIPTION
A PowerPoint file that presents my paper: "A Pragmatic Approach to Identity and Access Management"
TRANSCRIPT
![Page 1: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/1.jpg)
A Pragmatic Solution For Identity & Access Management
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance, Tokio Marine Management, Inc.
[email protected]
![Page 2: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/2.jpg)
This presentation is based on the paper “A Pragmatic Solution for Identity and Access Management” previously presented at various conferences. This paper is available on my LinkedIn page:
http://www.linkedin.com/in/hankgruenberg
For more information, contact me at: [email protected]
or USA: 917-626-8604
Hank Gruenberg, CISM, CRISC, PMP
Information Security & IT Compliance, Tokio Marine Management, Inc.
New York, NY U.S.A.
![Page 3: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/3.jpg)
Situation: Regulatory Compliance
![Page 4: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/4.jpg)
Goals: Compliance & Security
![Page 5: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/5.jpg)
Solution: Custom Application
![Page 6: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/6.jpg)
Why is Access Management Difficult?
![Page 7: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/7.jpg)
Why Difficult… Many Varying Directories
Managing 80+ Directories
Varying Directory Formats
Adding New Applications
Aggressive Schedules
![Page 8: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/8.jpg)
Why Difficult… Evolved Over Time
*A&A: Authentication & Authorization
![Page 9: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/9.jpg)
Why Difficult… Checking Entitlements
![Page 10: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/10.jpg)
How Goals Were Achieved
Consider ‘Bottom Up’ Issues
![Page 11: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/11.jpg)
Solved by…
Guiding Principles
Identity Management Scope
![Page 12: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/12.jpg)
Paladin Methodology
![Page 13: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/13.jpg)
Phase 1
![Page 14: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/14.jpg)
Establish the Meta-Directory
Phase 1 – Meta Directory…
Key Point
![Page 15: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/15.jpg)
Paladin’s Meta Directory
Phase 1 – Meta Directory…
Key Point
![Page 16: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/16.jpg)
What Paladin Isn’t
Phase 1 – Meta Directory…
Results
No Impact On Applications
![Page 17: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/17.jpg)
Establish objects and relationships
Phase 1 – Meta Directory…
![Page 18: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/18.jpg)
Define Workflows
Phase 1 – Workflows…
Onboarding
Recertification
Governance: Request/Approve/Provision
Termination: De-provisioning
![Page 19: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/19.jpg)
Feed
Incorporate Data & User Interfaces
Phase 1 – Workflows…
[Diagram labels: Paladin Meta Directory; Employee Roster; Directory 1; Downstream Account Administrator; Resource Owner; Manager; Updates Employees; Account IDs; Work Order; Add Non-Employees; Provision / De-provision Accounts; Approve Entitlement; Request Entitlement]
Key Point
![Page 20: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/20.jpg)
Converting Existing Entitlements
Phase 1 – Data Conversion…
![Page 21: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/21.jpg)
Phase 2
![Page 22: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/22.jpg)
Reconciling Directories
Phase 2 – Reconciliation…

Paladin Meta Directory

| Name | App | Acct ID | Role |
|---|---|---|---|
| Y Berra | CIS | BERRAY | User |
| Mantle | CIS | MM7 | User |
| Maris | CIS | RM9 | User |
| T Kubek | CIS | xyz448 | User |

Active Directory – Match?
Customer Information System – Match?
? Problem
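The reconciliation the slide sketches is a set comparison: the meta directory holds the approved (Name, App, Acct ID, Role) records, and each application's own directory is pulled and matched against them. The code below is an added example, not Paladin's code or anything from the paper; it takes the slide's four CIS rows as the meta directory and a constructed CIS account export (the account IDs `ghost01` and the `Admin` role are invented for illustration) and reports the three conditions a reconciliation has to surface: accounts the application has but the meta directory never approved (orphans), approved entitlements with no live account (stale records), and accounts whose live role no longer matches the approved one.

```python
"""Reconcile one application's account export against the meta directory.

Added example (not from the original paper). Sample data is constructed:
the meta-directory rows come from the slide; the CIS export is made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """One approved entitlement as recorded in the meta directory."""
    name: str
    app: str
    acct_id: str
    role: str


# Rows taken from the slide's "Paladin Meta Directory" table.
META_DIRECTORY = [
    Entitlement("Y Berra", "CIS", "BERRAY", "User"),
    Entitlement("Mantle", "CIS", "MM7", "User"),
    Entitlement("Maris", "CIS", "RM9", "User"),
    Entitlement("T Kubek", "CIS", "xyz448", "User"),
]

# Constructed export from the Customer Information System: acct_id -> role.
CIS_EXPORT = {
    "BERRAY": "User",
    "MM7": "Admin",      # constructed: role drifted from the approved "User"
    "RM9": "User",
    "ghost01": "User",   # constructed: account with no meta-directory record
    # "xyz448" is deliberately absent: approved, but no live account
}


def normalize(acct_id: str) -> str:
    """Directories disagree on case and padding; compare on a canonical form."""
    return acct_id.strip().lower()


def reconcile(meta, app, export):
    """Compare approved entitlements for `app` with the application's export.

    Returns a dict with three sorted lists:
      orphans       - account IDs present in the export but not approved
      missing       - approved account IDs with no account in the export
      role_mismatch - (acct_id, approved_role, actual_role) where they differ
    """
    approved = {normalize(e.acct_id): e for e in meta if e.app == app}
    if len(approved) != sum(1 for e in meta if e.app == app):
        raise ValueError("meta directory has account IDs that collide after normalization")
    live = {normalize(k): (k, role) for k, role in export.items()}

    orphans = sorted(live[k][0] for k in live.keys() - approved.keys())
    missing = sorted(approved[k].acct_id for k in approved.keys() - live.keys())
    role_mismatch = sorted(
        (approved[k].acct_id, approved[k].role, live[k][1])
        for k in approved.keys() & live.keys()
        if approved[k].role != live[k][1]
    )
    return {"orphans": orphans, "missing": missing, "role_mismatch": role_mismatch}


def is_reconciled(result) -> bool:
    """True only when the application agrees with the meta directory on every account."""
    return not any(result.values())


def report(result, app) -> list:
    """Human-readable work items for the downstream account administrator."""
    lines = [f"Reconciliation of {app}:"]
    lines += [f"  ORPHAN   {a}: no approved entitlement, review or remove" for a in result["orphans"]]
    lines += [f"  MISSING  {a}: approved but no account, re-provision or retire the record" for a in result["missing"]]
    lines += [f"  ROLE     {a}: approved {want}, found {got}" for a, want, got in result["role_mismatch"]]
    return lines


if __name__ == "__main__":
    outcome = reconcile(META_DIRECTORY, "CIS", CIS_EXPORT)
    print("\n".join(report(outcome, "CIS")))
    print("clean" if is_reconciled(outcome) else "differences found")
```

The orphan list is the one that matters most for compliance evidence: it is the set of accounts that exist without any recorded request and approval, which is exactly what a recertification has to explain or remove. Matching on a normalized ID is what lets one routine serve directories with differing formats, and the collision check keeps two approved IDs that differ only in case from silently merging.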
![Page 23: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/23.jpg)
Which Directories To Automate?
Phase 2 – Reconciliation…
*SSIS: SQL Server Integration Services
![Page 24: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/24.jpg)
Automated Reconciliation
Phase 2 – Reconciliation…
![Page 25: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/25.jpg)
Semi-Automated Reconciliation
Phase 2 – Reconciliation…
Only Difference
![Page 26: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/26.jpg)
Effectiveness & Adjustments
Phase 2 – Metrics
Fixed the process
Conversion Issues
Numbers are illustrative
![Page 27: A Pragmatic Approach to Identity and Access Management](https://reader036.vdocument.in/reader036/viewer/2022062514/5584ecb9d8b42a2f5c8b4bb7/html5/thumbnails/27.jpg)
Key Points