IAM & EA: WORKING TOGETHER TO CREATE AN IAM VISION
Sebastian Gonzales, Senior Manager, IAM
Vincent Aumont, Enterprise Architect
BCNET 2016
2
CONTEXT: IAM
Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IAM is the security discipline that enables secure communication and collaboration between our Global User Community and our resources for the purposes of Teaching, Learning, Research and Administration. Our user community consists of Students, Faculty, Staff, Alumni, Researchers, Private/Public Institutions, Community members, Guests and Parents.
3
CONTEXT: IAM Programs’ Key Challenges
• The absence of a compelling business case makes it difficult to connect an IAM program's objectives and priorities with business drivers.
• IAM programs often experience difficulty with continued funding after initial budgeting because IAM leaders are unsure about how to communicate with the multitude of stakeholders that need to remain aware of the program's business drivers and benefits.
• IAM leaders can be too focused on IAM technology, and may not appreciate the extent to which ongoing communications with stakeholders and leadership and organizational maneuvering are needed to ensure adequate program funding.
• IAM programs must alter their roadmaps to keep pace with larger organizational transformations, which are happening quickly to meet the challenges of digital business.
4
OUR STORY
A Case Study in IAM & Enterprise Architecture Collaboration
5
THE LAST THREE YEARS
6
REALITY CHECK: TECHNICAL COMPLEXITY
[Diagram: the current IAM technology landscape, grouped into Group Stores, Authorization, Authentication, Single Sign On, Identity Stores, Governance, Integration, Identity SoRs, Intelligence, Federation and Administration. Components shown: Apache Directory Studio; Hitachi PAM; auth2 client library; CWL Database; SIS DB Views; SSD CWL->eLDAP synch job; eDirectory; Grouper; Grouper DB; openLDAP; iManager; labsupport DB; labsupport; ITMDB DB; ITMDB; ELDAP; HRMS; SIS; Guest Repository; Kerberos; Shibboleth; CAS; EAD; CWL: myAccount; Enterprise Vulnerability Assessment (EVA); Elastic Search, Logstash, Kibana (ELK); CWL: SSC Admin; CWL: ES Admin; CWL: PplSoft Admin; CWL: CWL Admin; Access UBC Shopping Cart; Access UBC Guest Accounts; Certificate Tracking Spreadsheet; Nessus; HRMS DB Views; LDAP Synchronization Connector (LSC); Pentaho; Access UBC Prov/Deprov; Access UBC; InfoSec Standards; PIA Repository; Exchange Inbox; NUAM; CWL web services; auth2 web services; SSD UBCDir->eLDAP synch job; FIM; UBCDir eDirectory; Access UBC Identity Cubes.]
7
REALITY CHECK: ORGANIZATIONAL COMPLEXITY
8
REACHING A PLATEAU
[Chart: Strategic Thinking plotted against Time]
9
WHY IT MATTERS: A CHANGING LANDSCAPE
• Virtual Research Organizations
• Emergence of Scholarly Identities (e.g. ORCID)
• CRM Initiative
• Student Information System Replacement
• Flexible Learning
• MOOCs
• Expansion of Career and Professional Education
• Personalization of the learning experience
• New collaboration models with external partners
• Emergence of mash-up architectures in the LMS space
• The systematization of the cloud-first approach
• The pervasiveness of Social Identities
• Security threats that focus on individuals
• Upcoming Common Online Application Platform (COAP) & Education Planning and Application Service (EPAS)
• Increasing demand for better Learning Analytics and Institutional Analytics
• ...
10
GETTING TO THE NEXT LEVEL
[Maturity model chart. Levels: Initial, Developing, Defined, Managed, Optimized; the progression spans two programs, IAM I and IAM II.]
• IAM as a Security discipline
• IAM Governance defined & accepted
• Business-aligned & strategic priorities
• Centralized management & decentralized administration
• Technology consolidation
• Entire segments on-boarded
Ad hoc username/password management
• Foundational IAM framework
• Tactical priorities
• Some business drivers identified
• Early success with some on-boarded departments
• Technology rationalization
• Continuous architecture optimization
• Meet or exceed SLAs
• Continuous process improvement
• IAM Strategy part of enterprise Strategy
• IAM PMO
• All segments of the enterprise
11
IAM PROGRAMS’ KEY CHALLENGES (Gartner)
• The absence of a compelling business case makes it difficult to connect an IAM program's objectives and priorities with business drivers.
• IAM programs often experience difficulty with continued funding after initial budgeting because IAM leaders are unsure about how to communicate with the multitude of stakeholders that need to remain aware of the program's business drivers and benefits.
• IAM leaders can be too focused on IAM technology, and may not appreciate the extent to which ongoing communications with stakeholders and leadership and organizational maneuvering are needed to ensure adequate program funding.
• IAM programs must alter their roadmaps to keep pace with larger organizational transformations, which are happening quickly to meet the challenges of digital business.
12
FIVE RECOMMENDATIONS
1. Re-position IAM as an Information Security discipline
2. Adopt an IAM model that has been created for the HE sector.
3. Scope Control
4. Re-engage with our stakeholders at a strategic level
5. Create a Planning Team
13
FIVE RECOMMENDATIONS
1. Re-position IAM as an Information Security discipline
14
IAM IS A SECURITY DISCIPLINE
[Diagram: Business Security Reference Model]
Security Intelligence & Analytics
Governance, Risk, Compliance (GRC)
Advanced Security and Threat Research
Domains: Infrastructure; Applications & Services; Data; People
Foundational Security Management: Physical Asset Management; Risk & Compliance Management; Security Policy Management; Command & Control Management; Identity, Access & Entitlement Management; Data & Information Protection Management; Threat & Vulnerability Management; IT Service Management
Security Services and Infrastructure: Security Info & Event Infrastructure; Identity, Access & Entitlement Infrastructure; Security Policy Infrastructure; Crypto, Key & Certificate Management; Service Management Infrastructure; Storage Security; Host & Endpoint Security; Application Security; Network Security; Physical Security
IT Security Knowledge: Code; Policies; Events & Logs; Identity Attributes; Data Repository & Classification; Security Service Levels; Designs; Config Info & Registry
Operational Context
Software, System & Service Assurance
Awareness & Education
15
SECURITY IS A TOP PRIORITY IN HIGHER ED
16
IAM CONTEXT
[Diagram: Identity & Access Management Framework, shown alongside Enterprise Architecture, Information Security Office, Risk Management Services and IT Governance]
17
A POLICY-DRIVEN IAM FRAMEWORK
[Diagram: Enterprise Architecture, Information Security Office, Risk Management Services and IT Governance around the framework's four components: Governance; Architecture; Operations; Program Management]
18
A POLICY-DRIVEN IAM FRAMEWORK
[Diagram of the framework; the legend distinguishes Process from Component/Deliverable. Labels shown: IAM Governance; Drivers (Business Requirements, Compliance, Threats, Business Opportunities); Strategy; Plan (PMO); Requirements; Principles; Policies; Procedures, Standards, Guidelines; Security Operations; Enforce; Audit; Check Compliance; Manage Vulnerability; Manage Incidents; Deploy; Manage Events; IAM Services; Architecture; Design & Develop; Analyze Gaps; Continuously Assess Program; Educate & Raise Awareness; Manage Risk; IAM Program Management; Technology Architecture.]
19
FIVE RECOMMENDATIONS
2. Adopt an IAM model that has been created for the HE sector.
20
IAM & THE HIGHER ED ETHOS
• HE institutions are distributed, complex, highly collaborative, and mostly non-hierarchical.
• Their boundaries are not clearly delimited.
• Affiliations with these organizations differ widely in strength (from community member to employee), are multi-faceted (a person can be an employee, a student, a staff member, and a community member at the same time), and are very dynamic (UBC has over 20,000 HR events per year).
• A tendency to distrust anything centralized; most units have a great deal of autonomy when it comes to rolling out the IT solutions they require.
21
THE IAM CONUNDRUM
• Centralization of Identity and Access Management is critical because it enables better collaboration and promotes security
• At the same time, the administration of IAM must be decentralized to accommodate the complexity and specificities of our organization
22
THE INTERNET2 IAM MODEL
[Diagram]
Policy and Governance: President; Provost; Registrar; HR; Faculty Affairs; Risk Management; InfoSec Office
Systems of Records: HRMS (Faculty, Staff); Admissions (Students, CPE...); Registration (Students, CPE...); Teaching Assignment (Students, CPE...); Finance (PI, Approvers); Org Models; Research (Supervisors); ...
Applications & Services: Portals; Library; Learning Tools; Administrative Systems; Wireless; ...
Federated Partners: UVic; PHSA; ...
Processes: Establish Identities; Determine Policies; Consolidate & Update; Enrich Identities; Apply Policies; Manage Groups; Manage Privileges; Manage Identities
Persons; Accounts; Organizations; Groups; Access Privileges
Departments; Registrar; Projects; Programs; Teams; Users; ...
23
FIVE RECOMMENDATIONS
3. Control Scope
24
IAM SILOS
[Diagram of IAM silos. Labels shown: Library; Registrar; Community Services; Housing; HRMS; CWL; Parking; ...; Dept A; Dept B; Dept C; Dept D; ...; Enterprise IAM; Departmental IAM]
25
FIVE RECOMMENDATIONS
4. Re-engage with our stakeholders at a strategic level
26
STAKEHOLDERS ENGAGEMENT
• Who their own stakeholders and constituents are; how they engage with them
• The policies, rules and guidelines they follow (whether formalized or not).
• What policies they don't follow
• What policies need to be created or amended
• The level of control they need to retain when it comes to identifying their constituents and providing them access to systems
• How they balance risk management and business agility
• Their concerns about sharing their information
• What information they need to access
• Etc.
27
FIVE RECOMMENDATIONS
5. Create a Planning Team
28
THE WORK AHEAD OF US
Phases: AS-IS Analysis / Maturity Assessment; TO-BE Analysis / Architecture; Operating Model; IAM Roadmap
Activities
• Launch the project
• Stakeholders Analysis
• Establish an inventory of applications and systems
• Review current Operating Model (people, process, tools)
• Document the current state capabilities
• Document the main IAM use-cases
• Define a Maturity Assessment Framework
• Assess the current capabilities against the maturity framework.
• Stakeholders Engagement
• Document To-Be State:
  • Identity System of records
  • Integration capabilities
  • Identity proofing
  • Provisioning, de-provisioning
  • Attestation
  • Credential Management
  • Enforcement
  • etc.
• Identify the policies and standards that need to be created or updated
• Define the Logical & Physical Architectures
• Document changes to the Operating Model (people, process, tools)
• Gap Analysis
• Identify and prioritize capability increments
• Create the Roadmap
Artifacts
• Project Charter
• Stakeholder Engagement plan
• Current State Analysis
• IAM Maturity Heat Map
• IAM Technology Map
• IAM Vision
• Business Requirements
• Governance Model
• Architecture
• To-Be State
• IAM Roadmap
29
THE PLANNING TEAM
Phases: AS-IS Analysis / Maturity Assessment; Requirements Gathering; TO-BE Analysis / Conceptual Architecture; Operating Model; IAM Roadmap & Strategy
Activities
• Launch the project
• Establish an inventory of applications and systems
• Review current Operating Model (people, process, tools)
• Document the current state capabilities
• Document the main IAM use cases
• Define a Maturity Assessment Framework
• Assess the current capabilities against the maturity framework.
• Gather requirements for:
  • Identity System of records
  • Main IAM processes
  • Policy enforcement
• Document To-Be State:
  • Identity System of records
  • Integration capabilities
  • Identity proofing
  • Provisioning, de-provisioning
  • Attestation
  • Credential Management
  • Enforcement
  • etc.
• Define Conceptual Architecture
• Create new Policies and standards, or update existing ones as required
• Document changes to the Operating Model (people, process, tools)
• Gap Analysis
• Identify and prioritize capability increments
• Define Roadmap
Artifacts
• Project Charter
• Stakeholder Engagement plan
• Current State Analysis
• IAM Requirements
• IAM Maturity Heat Map
• Architecture Principles
• Conceptual Architecture
• To-Be State
• IAM Roadmap
Teams: Planning team; Program team
Programs: IAM Program I; IAM Program II