
How to Govern and Maintain Compliance Using Open Source

Identity Management Components

May 17, 2017

ApacheCon NA, Miami

Introductions

ApacheCon NA, Miami 2017


• Katarina Valalikova – @KValalikova

– k.valalikova@evolveum.com

• Shawn McKinney – @shawnmckinney

– smckinney@symas.com

Session Objective

Learn about identity governance and demo common use cases w/ open source infrastructure.


Session Agenda

• Terminology

• Benefits

• Scenarios

• Solution

• Demo

• Questions

Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA

Terminology

(terminology diagrams; not captured in the transcript)

What can possibly go wrong here?

1. Too many accounts

2. Too few accounts

3. Don't know how many accounts

1. Improper account retention policies

2. Violation of the principle of least privilege

3. Sharing credentials instead of accounts

4. No account approval process

5. Non-deterministic assignments

6. Violation of privacy

In other words, we need

1. Access certification

2. Approvals

3. Notifications

4. Escalation

5. Deputy

6. ….

What is Identity Governance?

Gartner says:

• Combines with IAM functions to meet audit and compliance obligations.

WhatIs calls it:

• Policy-based centralized orchestration of user identity management and access control.

• Helps support enterprise IT security and regulatory compliance.

• Margaret Rouse, WhatIs.com

Radovan says:

• High-level business processes, business rules, policies, organizational structures

• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols

• Radovan Semancik, wiki.evolveum.com

Role Based Access Control

RBAC and Policy Rules

• Constraints

• Actions

• Situations

Identity Management and Governance


Architectural Overview

Requires

• Java version 8

• Java servlet container

• Relational database

Uses

• Spring Framework – component wiring

• Apache Wicket – user interface

• ConnId – common connectors

Architectural Overview

Layers (from the diagram):

• User interface components

• IdM services, security and user-account mappings

• Resource and account management

• Common data model, libs and low-level utils

• Data storage and task management

High-level components don't connect with low-level components.

Demo

Resource / Connectors at Play

1. Google Apps

2. Oracle HCM

3. LDAP

Demo Environment

• Google Apps connector

• HCM connector (PeopleSoft)

• Open

Use Cases

• UC1 – Onboarding new identity, account activation

• UC2 – Role assignment

• UC3 – Self service

• UC4 – Deputy

• UC5 – Account certification / recertification

UC 1 Onboarding new identity

1. User is imported from HCM

2. Activation link is sent to the user

3. User activates his account

4. Basic roles are assigned to the user after activation
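The onboarding steps above, as an added example that is not the presenters' demo code or the product's own implementation. It models the security-relevant part of UC 1: the identity exists but stays disabled after import, the activation link carries a one-time token of which the server stores only a hash with an expiry, and the basic roles are granted only once a valid token is redeemed. The HR record fields, the role names, the 24-hour validity and the URL are assumptions for the illustration.

```python
"""Added example (not the presenters' demo code): minimal UC 1 onboarding flow.
An identity is imported from the HR source, an activation token is issued,
the account stays disabled until the token is redeemed, and only then are the
basic roles assigned. Field names, role names, TTL and URL are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 3600          # assumed validity of the activation link
BASIC_ROLES = ("employee", "email")    # assumed "basic roles" granted after activation


@dataclass
class User:
    username: str
    email: str
    enabled: bool = False
    roles: set = field(default_factory=set)
    token_hash: Optional[bytes] = None  # only the hash of the token is stored
    token_expires: float = 0.0


def import_from_hcm(hr_record: dict) -> User:
    """Step 1: create the identity from an HR record; the account starts disabled."""
    return User(username=hr_record["employee_id"], email=hr_record["mail"])


def issue_activation_link(user: User, now: float,
                          base_url: str = "https://idm.example/activate") -> str:
    """Step 2: generate a one-time token. The plaintext goes only into the link
    (sent by e-mail); the server keeps a SHA-256 hash and an expiry."""
    token = secrets.token_urlsafe(32)
    user.token_hash = hashlib.sha256(token.encode()).digest()
    user.token_expires = now + TOKEN_TTL_SECONDS
    return f"{base_url}?user={user.username}&token={token}"


def activate(user: User, presented_token: str, now: float) -> bool:
    """Steps 3-4: validate the token (constant-time compare, expiry, single use),
    enable the account and assign the basic roles. Returns True on success."""
    if user.token_hash is None or now > user.token_expires:
        return False
    presented = hashlib.sha256(presented_token.encode()).digest()
    if not hmac.compare_digest(presented, user.token_hash):
        return False
    user.token_hash = None            # burn the token: links are single-use
    user.enabled = True
    user.roles.update(BASIC_ROLES)
    return True


def demo() -> dict:
    """Walk through UC 1 with a constructed HR record and probe the failure modes."""
    now = 1_700_000_000.0
    user = import_from_hcm({"employee_id": "e1001", "mail": "alice@example.com"})
    link = issue_activation_link(user, now)
    token = link.split("token=")[1]
    # a guessed token, and a replay after the real one was used, are both refused
    return {
        "disabled_before": not user.enabled and not user.roles,
        "wrong_token": activate(user, "not-the-token", now),
        "activated": activate(user, token, now + 60),
        "roles": sorted(user.roles),
        "replay": activate(user, token, now + 120),
    }
```

The point worth carrying into a real deployment is the order of operations: no role is attached to the identity until the person proves control of the mailbox the link went to, and the token cannot be reused or verified from a leaked database copy because only its hash is kept.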

UC 2 Role assignment

1. Manager assigns roles to the onboarded user

2. Manager selects conflicting roles

3. Roles are not assigned because of an SoD violation
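The "RBAC and Policy Rules" slide names three parts of a policy rule (constraints, actions, situations) and UC 2 shows one of them firing: a separation-of-duties exclusion that stops the assignment. The following is an added example, written for this page and not the presenters' or the product's code, of a toy evaluator with exactly that shape: a rule has constraints (an exclusion set for SoD and a maximum-assignees cap), an action (enforce, which rejects, or approval, which holds the assignment for review), and evaluation yields the situations that arose. The constraint and action vocabulary, the purchasing roles and the admin cap are assumptions for the illustration.

```python
"""Added example (not the presenters' or product's code): a toy policy-rule
evaluator with constraints, actions and situations, demonstrated on the UC 2
SoD rejection. Constraint kinds, action names and role names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PolicyRule:
    name: str
    excludes: frozenset = frozenset()      # SoD constraint: roles that must not be held together
    max_assignees: Optional[int] = None    # cardinality constraint on the role
    action: str = "enforce"                # "enforce" blocks; "approval" routes to review


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)


@dataclass
class Outcome:
    assigned: bool
    situations: list                       # what fired, e.g. an exclusion violation
    needs_approval: bool = False


def evaluate(role: Role, user_roles: set, assignee_counts: dict) -> Outcome:
    """Evaluate every rule on `role` against the user's current roles.
    Returns the situations that arose and whether the assignment proceeds."""
    situations, blocked, approval = [], False, False
    for rule in role.rules:
        fired = []
        conflict = rule.excludes & user_roles
        if conflict:
            fired.append(f"exclusion violation: {role.name} conflicts with {sorted(conflict)}")
        if rule.max_assignees is not None and \
                assignee_counts.get(role.name, 0) >= rule.max_assignees:
            fired.append(f"max assignees ({rule.max_assignees}) reached for {role.name}")
        if not fired:
            continue
        situations.extend(f"[{rule.name}] {s}" for s in fired)
        if rule.action == "enforce":
            blocked = True
        elif rule.action == "approval":
            approval = True
    if blocked:
        return Outcome(False, situations)
    if approval:
        return Outcome(False, situations, needs_approval=True)
    return Outcome(True, situations)


def assign(role: Role, user_roles: set, assignee_counts: dict) -> Outcome:
    """Apply the assignment only when policy lets it through."""
    out = evaluate(role, user_roles, assignee_counts)
    if out.assigned:
        user_roles.add(role.name)
        assignee_counts[role.name] = assignee_counts.get(role.name, 0) + 1
    return out


def build_roles() -> dict:
    """Constructed role catalogue: a classic purchasing SoD pair and a capped admin role."""
    ap_clerk = Role("ap-clerk")
    vendor_admin = Role("vendor-admin",
                        [PolicyRule("sod-purchasing", excludes=frozenset({"ap-clerk"}))])
    ldap_admin = Role("ldap-admin",
                      [PolicyRule("cap-admins", max_assignees=2, action="approval")])
    return {r.name: r for r in (ap_clerk, vendor_admin, ldap_admin)}


def demo():
    roles = build_roles()
    counts = {"ldap-admin": 2}                            # two admins already exist
    bob = set()
    first = assign(roles["ap-clerk"], bob, counts)        # no rule fires
    second = assign(roles["vendor-admin"], bob, counts)   # UC 2: rejected by SoD
    third = assign(roles["ldap-admin"], bob, counts)      # cap reached: held for approval
    return first, second, third, bob
```

Two details matter in practice: the exclusion is checked against what the user already holds, so the order in which the manager picks the roles does not change the result, and a rule whose action is approval must leave the assignment unapplied until someone decides, rather than granting it and asking afterwards.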

UC 3 Self service

1. User selects roles he needs to have assigned

2. Request is sent for approval

3. Approval starts

4. Approval from manager is needed

5. Approval from security officer is needed

6. Approval from application owner is needed

7. App owner is on vacation – escalation

UC 4 Deputy

1. Manager is going on vacation

2. Manager delegates his work
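UC 3 and UC 4 describe one workflow from two sides: a request that needs the manager, the security officer and the application owner in turn, an escalation when the application owner is away, and a manager who hands his work to a deputy before leaving. The block below is an added example written for this page, not the presenters' demo code, that runs a request through those three stages, follows deputy delegation when the primary approver is out of office, and escalates when nobody in the delegation chain can act. The stage order, the escalation targets, the out-of-office flags and the names are assumptions; a `decisions` dictionary stands in for the humans answering the work items.

```python
"""Added example (not the presenters' demo code): a multi-level approval with
deputy delegation (UC 4) and escalation (UC 3 step 7). Stages, names and the
out-of-office state are constructed for the illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Person:
    name: str
    out_of_office: bool = False
    deputy: Optional[str] = None      # UC 4: whom this person delegated their work to


@dataclass
class Stage:
    name: str
    approver: str                     # primary approver for this stage
    escalate_to: str                  # who gets it if nobody in the chain can act


@dataclass
class AccessRequest:
    requester: str
    role: str
    log: list = field(default_factory=list)
    approved: bool = False
    rejected: bool = False


def resolve_approver(directory: dict, name: str, hops: int = 3) -> Optional[str]:
    """Follow deputy delegation (UC 4) from `name` until someone present is found.
    `hops` and the `seen` set bound the chain so a delegation loop cannot spin."""
    seen = set()
    while name and hops > 0 and name not in seen:
        seen.add(name)
        person = directory[name]
        if not person.out_of_office:
            return name
        name = person.deputy
        hops -= 1
    return None


def run_approval(request: AccessRequest, stages: list, directory: dict,
                 decisions: dict) -> AccessRequest:
    """Run the stages in order. `decisions` maps approver -> bool and stands in
    for the human answering the work item. Any rejection stops the chain."""
    for stage in stages:
        who = resolve_approver(directory, stage.approver)
        if who is None:
            who = stage.escalate_to                        # UC 3 step 7: escalation
            request.log.append(f"{stage.name}: escalated to {who}")
        elif who != stage.approver:
            request.log.append(f"{stage.name}: delegated to deputy {who}")
        verdict = decisions.get(who)
        if verdict is None:
            request.log.append(f"{stage.name}: no decision from {who}")
            return request                                 # stays pending
        request.log.append(f"{stage.name}: {who} {'approved' if verdict else 'rejected'}")
        if not verdict:
            request.rejected = True
            return request
    request.approved = True
    return request


def demo(security_officer_says: bool = True) -> AccessRequest:
    # constructed directory: the manager is on vacation and delegated to a deputy (UC 4);
    # the application owner is on vacation with no deputy (UC 3 step 7)
    directory = {
        "manager": Person("manager", out_of_office=True, deputy="deputy"),
        "deputy": Person("deputy"),
        "security-officer": Person("security-officer"),
        "app-owner": Person("app-owner", out_of_office=True),
        "app-owner-backup": Person("app-owner-backup"),
    }
    stages = [
        Stage("manager", "manager", escalate_to="security-officer"),
        Stage("security officer", "security-officer", escalate_to="ciso"),
        Stage("application owner", "app-owner", escalate_to="app-owner-backup"),
    ]
    decisions = {"deputy": True, "security-officer": security_officer_says,
                 "app-owner-backup": True}
    return run_approval(AccessRequest("alice", "finance-reporting"),
                        stages, directory, decisions)
```

The log is the audit trail: every delegation and escalation is written down with who actually decided, which is what an auditor asks for when the approver of record was on leave. Bounding the deputy chain matters too; two people who name each other as deputy would otherwise make the resolver loop.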

UC 5 Access certification

1. New campaign for access certification starts

2. Manager decides which accounts are legitimate
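The two steps of UC 5 as an added example written for this page, not the presenters' demo code: a campaign snapshots the current assignments, each manager sees only the accounts of their own reports and records accept or revoke decisions, and closing the campaign remediates. The example goes one step beyond the slide in choosing a deny-by-default close, where an assignment nobody certified is revoked rather than silently kept; that choice, the role names and the assignment data are assumptions.

```python
"""Added example (not the presenters' demo code): an access-certification
campaign in the shape of UC 5. Deny-by-default close, names and assignment
data are constructed for the illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Assignment:
    user: str
    manager: str
    role: str


@dataclass
class Campaign:
    name: str
    items: list                                      # assignments under review
    decisions: dict = field(default_factory=dict)    # (user, role) -> "accept" | "revoke"
    closed: bool = False


def start_campaign(name: str, assignments: list) -> Campaign:
    """Step 1: snapshot the current assignments into review items."""
    return Campaign(name, list(assignments))


def work_items_for(campaign: Campaign, manager: str) -> list:
    """What a given manager sees: only their own reports' assignments."""
    return [a for a in campaign.items if a.manager == manager]


def decide(campaign: Campaign, manager: str, user: str, role: str, verdict: str) -> None:
    """Step 2: a manager records a decision, but only for their own reports."""
    if campaign.closed:
        raise ValueError("campaign is closed")
    if verdict not in ("accept", "revoke"):
        raise ValueError("verdict must be accept or revoke")
    if not any(a.user == user and a.role == role and a.manager == manager
               for a in campaign.items):
        raise PermissionError(f"{manager} cannot certify {user}/{role}")
    campaign.decisions[(user, role)] = verdict


def close_campaign(campaign: Campaign) -> dict:
    """Close and remediate: accepted stays; revoked and undecided are removed.
    Returns the revocations and a per-manager completion ratio for the audit report."""
    campaign.closed = True
    revoked, kept = [], []
    per_manager = defaultdict(lambda: [0, 0])        # manager -> [decided, total]
    for a in campaign.items:
        per_manager[a.manager][1] += 1
        verdict = campaign.decisions.get((a.user, a.role))
        if verdict is not None:
            per_manager[a.manager][0] += 1
        (kept if verdict == "accept" else revoked).append((a.user, a.role))
    completion = {m: d / t for m, (d, t) in per_manager.items()}
    return {"revoked": revoked, "kept": kept, "completion": completion}


def demo() -> dict:
    assignments = [
        Assignment("alice", "mgr-finance", "ap-clerk"),
        Assignment("alice", "mgr-finance", "vendor-admin"),   # leftover from a past job
        Assignment("bob",   "mgr-finance", "ap-clerk"),
        Assignment("carol", "mgr-it",      "ldap-admin"),
    ]
    c = start_campaign("Q2 access review", assignments)
    decide(c, "mgr-finance", "alice", "ap-clerk", "accept")
    decide(c, "mgr-finance", "alice", "vendor-admin", "revoke")
    decide(c, "mgr-finance", "bob", "ap-clerk", "accept")
    # mgr-it never responds: carol's ldap-admin is revoked at close, not silently kept
    return close_campaign(c)
```

The completion ratio is the number the compliance team actually reports on; the revocation list is what feeds back into provisioning. Whether undecided items are revoked or carried over is a policy decision, but it has to be made explicitly, because "nobody looked" is the case that lets stale privileged access survive from one review to the next.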

Benefits of Governance Controls

• Advanced role lifecycle management

• Audit and reporting interfaces

• Enhanced regulatory compliance

• Improved business responsiveness

• Privileged account management

• Self-service interfaces

Governance simply

• Notifications

• Recertification

• (Multi-level) approvals

• Escalation

• Delegation

• Deputy

• Role lifecycle

• Audit trail ...

Questions


Contact


• Katarina Valalikova – @KValalikova

– k.valalikova@evolveum.com

• Shawn McKinney – @shawnmckinney

– smckinney@symas.com
