
Page 1: Gartner for Technical Professionals Tutorial: Fundamentals ...postachio-files.s3-website-us-east-1.amazonaws.com/74979e29af749f... · © 2013 Gartner, Inc. and/or its affiliates

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."

Heidi Wachs Twitter: @hlwachs

Gartner for Technical Professionals — Tutorial: Fundamentals of User Provisioning and Identity and Access Governance

Page 2

Topics to Be Covered

• User account provisioning fundamentals

• Identity and access governance fundamentals

• Deployment best practices

Page 3

Gartner for Technical Professionals

User Account Provisioning

Fundamentals

Page 4

What Is User Provisioning?

User provisioning: The process by which the life cycle of users and their associations to IT entitlements are managed.

Also known as: User account provisioning, provisioning, account management, user management

Provisioning services: An integrated set of tools used to manage the life cycle of users and IT entitlements.

Page 5

Provisioning Introduction

• Provisioning technologies evolved from directory/metadirectory service technologies.

• Provisioning technologies aimed to:

- Increase user productivity:

• Automation of user account creation — "zero day start"

- Improve security:

• Automated user account deletion — "zero day stop"

• Automated access policy assignment

- Eliminate administrative inefficiencies and costs:

• Access policy automation

• Self-service capabilities

Page 6

Provisioning Functions

• A provisioning service consists of three primary functions:

- Identity life cycle events:

• Join, move, leave … and "do"

• Hire, change, termination, access request

- Access policy management:

• Automated policy assignment, roles, workflow approvals

- Fulfillment:

• Automated and/or manual user account creation and manipulation on the target

Page 7

Provisioning Architecture

Diagram of the provisioning service components:

• Authoritative source(s)

• Target applications

• Entitlement catalog

• Provisioning server

• Identity repository

• End user & administrator interface

Page 8

Provisioning: Authoritative Sources

Diagram: the provisioning architecture components (see Page 7), here focusing on the authoritative source(s).

Page 9

Authoritative Sources

• HRMS is the gold standard of authoritative sources …

- Until it isn't

• Contingent workers, partners, customers, etc. often do not appear in an HR system at all; their authoritative source may instead be:

- Directories

- Databases

- Even the provisioning system can become the de facto authoritative source for some constituents

Page 10

Provisioning: Target Applications

Diagram: the provisioning architecture components (see Page 7), here focusing on the target applications.

Page 11

Target Applications

• Legacy systems were not designed for remote user management:

- This requires some trickery on the part of the provisioning system.

• Beware of target dependencies:

- Provisioning an application may require an account in an operating system, database, and directory to be created.

• Beware of virtual applications:

- A portal may use Active Directory to manage users.

- Provisioning the portal may actually require provisioning AD.

Page 12

Provisioning: Provisioning Server

Diagram: the provisioning architecture components (see Page 7), here focusing on the provisioning server.

Page 13

Provisioning Servers

• The brains of the operation

• Services include:

- Workflow

- Policy management

- Connector management

Page 14

Provisioning: Connectors

Diagram: the provisioning architecture components (see Page 7), here focusing on the connectors between the provisioning server and the target applications.

Page 15

Connectors

• Broker "conversation" between the provisioning server and the target.

• Connectors are purpose-built for the targets:

- Tied to the APIs of the target.

- This can lead to fragile deployments.

• Connectors can often run in multiple places:

- On a connector server.

- In the cloud.

• Sometimes, however, connectors must run on the target itself.

Page 16

Provisioning: Identity Repository

Diagram: the provisioning architecture components (see Page 7), here focusing on the identity repository.

Page 17

Identity Repositories

• Multiple architectures:

- Directory

- Relational database

• Can point to and/or store identity information

Page 18

Provisioning: Entitlement Catalog

Diagram: the provisioning architecture components (see Page 7), here focusing on the entitlement catalog.

Page 19

Entitlement Catalogs

• Crucial component for success

• Extensible information store for entitlement data, including:

- Name

- Business meaning

- Technical meaning

- Categorizations

- Information classification

- Regulatory sensitivity

Page 20

Provisioning: User Interfaces

Diagram: the provisioning architecture components (see Page 7), here focusing on the end user & administrator interface.

Page 21

Users and User Interfaces

• User interfaces were often Web-based, but sometimes required a thick client:

- Especially for workflow design

• User interfaces were traditionally optimized for administrators.

• End users, especially mobile users, were not part of the original planning.

Page 22

User Provisioning Recap

• Manage user accounts and entitlements in target systems:

- By way of connectors

- Based on access policies (roles and rules)

- Triggered by life cycle events in authoritative systems
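An added worked example (not Gartner's code) tying the recap above to Pages 6, 9 and 11: an HR feed acting as the authoritative source yields join/move/leave events, birthright policy decides which target accounts a person gets, and target dependencies (a portal that really needs an AD account) order the fulfillment actions handed to connectors. All identifiers, rules and records are constructed.

```python
"""Joiner/mover/leaver reconciliation for a user provisioning service.

Added illustration, not Gartner's code. An HR feed acts as the authoritative
source, an identity repository holds the current view, birthright rules say
which targets a person gets, and a dependency map captures targets that need
an account elsewhere first (a portal that authenticates against AD). All
identifiers and data are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class Identity:
    person_id: str
    department: str
    status: str
    accounts: set = field(default_factory=set)


# Birthright access: who automatically receives which targets (constructed).
BIRTHRIGHT = {"*": {"email", "ad"}, "finance": {"erp"}, "sales": {"crm_portal"}}

# Target dependencies: the CRM portal is a "virtual" target that really needs
# an AD account; ERP needs both an AD account and a database account.
DEPENDS_ON = {"crm_portal": {"ad"}, "erp": {"ad", "erp_db"}}


def entitled_targets(department):
    """Targets a person should hold by birthright, closed over dependencies."""
    wanted = set(BIRTHRIGHT["*"]) | set(BIRTHRIGHT.get(department, set()))
    stack = list(wanted)
    while stack:
        for dep in DEPENDS_ON.get(stack.pop(), set()):
            if dep not in wanted:
                wanted.add(dep)
                stack.append(dep)
    return wanted


def ordered(targets):
    """Dependency-first order restricted to `targets`, so a create on a target
    always follows the creates it depends on (reverse it for disables)."""
    result, seen = [], set()

    def visit(t):
        if t in seen:
            return
        seen.add(t)
        for dep in sorted(DEPENDS_ON.get(t, set())):
            visit(dep)
        if t in targets:
            result.append(t)

    for t in sorted(targets):
        visit(t)
    return result


def reconcile(hr_feed, repo):
    """Compare the HR feed with the identity repository and emit fulfillment
    actions as (event, person_id, action, target) tuples for the connectors."""
    actions = []
    for rec in hr_feed:
        ident = repo.get(rec.person_id)
        if rec.status == "terminated":
            if ident is not None:
                # Leaver ("zero day stop"): disable everything, dependents first.
                for t in reversed(ordered(ident.accounts)):
                    actions.append(("leave", rec.person_id, "disable", t))
            continue
        wanted = entitled_targets(rec.department)
        if ident is None:
            # Joiner ("zero day start"): create all birthright accounts.
            for t in ordered(wanted):
                actions.append(("join", rec.person_id, "create", t))
        elif ident.department != rec.department:
            # Mover: grant what the new department needs, remove what it does not.
            for t in ordered(wanted - ident.accounts):
                actions.append(("move", rec.person_id, "create", t))
            for t in reversed(ordered(ident.accounts - wanted)):
                actions.append(("move", rec.person_id, "disable", t))
    return actions


# Constructed sample: one joiner, one mover (sales -> finance), one leaver.
HR_FEED = [
    HrRecord("p100", "sales", "active"),
    HrRecord("p200", "finance", "active"),
    HrRecord("p300", "sales", "terminated"),
]
REPO = {
    "p200": Identity("p200", "sales", "active", {"email", "ad", "crm_portal"}),
    "p300": Identity("p300", "sales", "active", {"email", "ad", "crm_portal"}),
}

if __name__ == "__main__":
    for action in reconcile(HR_FEED, REPO):
        print(action)
```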

Page 23

Gartner for Technical Professionals

Identity and Access Governance

Fundamentals

Page 24

Provisioning Systems Were Designed for This Guy

Page 25

But What About Everyone Else?

• Compliance pushed IAM needs to the business and IAG became the "pretty" front end to the provisioning system.

Page 26

IAG: The Pretty Side of Provisioning

• IAG functions were decoupled from the provisioning infrastructure.

Diagram: identity and access governance shown as a separate layer on top of provisioning.

Page 27

What Is IAG?

• Access Certification/Attestation

• Access Request

• Role Life Cycle Management

• Access Policy Management

• Entitlement Catalog

• Identity Risk Scoring and Analytics

• Self-service, Delegated Administration, and Workflow

Page 28

Access Certification (aka Attestation)

• The ongoing review of people's access (accounts, entitlements, roles) to identify inappropriate access.

• Regulatory requirement in some cases:

- But ideal in all situations

• The single best administrative task to reduce access-related risks.

Page 29

Access Request

• The process by which:

- End users ask for new access, either for themselves or on behalf of others.

- Managers and/or administrators review and approve requests via workflow.

- Accounts are created/modified to reflect requested changes.

• Helping the end user determine what to ask for is important:

- The entitlement catalog plays a major role here.

Page 30

Role Life Cycle Management

• Roles can be a collection of entitlements associated with a:

- Business function within an application(s) (e.g., accounts payable within ERP).

- Job responsibility across multiple applications (e.g., customer manager).

• Tools to:

- Aggregate entitlements into meaningful collections.

- Identify commonly assigned access to similar job functions and people.

- Collaborate on role definitions.

Page 31

Access Policy Management

• Policies are needed to govern:

- Who is allowed to have which entitlements

- What roles people should have

- Which entitlements are forbidden (including segregation of duty rules)

- Who automatically receives access to which systems (birthright access)
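An added worked example (not Gartner's code) of the four policy questions above, plus the preventive check an access request (Page 29) needs: role-based allowed entitlements, birthright roles by job code, and segregation-of-duty rules as forbidden combinations. Every role, rule ID and user is constructed.

```python
"""Access policy evaluation: who may hold which entitlements (via roles),
birthright access, and forbidden combinations (segregation of duties).

Added illustration, not Gartner's code. Every role, rule and user below is
constructed; the four policy questions are the ones listed on the slide.
"""

# Who is allowed which entitlements, expressed through roles (constructed).
ROLE_ENTITLEMENTS = {
    "everyone":   {"email:mailbox", "ad:domain_user"},          # birthright role
    "ap_clerk":   {"erp:invoice_entry"},
    "ap_manager": {"erp:invoice_approve", "erp:vendor_maintain"},
}

# Who automatically receives which roles (birthright access), keyed by job code.
BIRTHRIGHT_ROLES = {"*": {"everyone"}, "FIN-AP": {"ap_clerk"}}

# Forbidden combinations: segregation-of-duty rules (constructed rule IDs).
SOD_RULES = [
    ("SOD-01", frozenset({"erp:invoice_entry", "erp:invoice_approve"})),
    ("SOD-02", frozenset({"erp:vendor_maintain", "erp:invoice_approve"})),
]


def expected_entitlements(job_code, assigned_roles):
    """Entitlements the policy says this person should hold: birthright roles
    for everyone and for the job code, plus explicitly assigned roles."""
    roles = (set(BIRTHRIGHT_ROLES["*"])
             | set(BIRTHRIGHT_ROLES.get(job_code, set()))
             | set(assigned_roles))
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(entitlements):
    """IDs of SoD rules whose forbidden combination is fully present."""
    held = set(entitlements)
    return [rule_id for rule_id, combo in SOD_RULES if combo <= held]


def evaluate(user):
    """Policy findings for one user record as (kind, detail) tuples:
    'orphan'  = held but granted by no role or birthright rule
    'missing' = birthright/role access not yet provisioned
    'sod'     = forbidden combination held"""
    expected = expected_entitlements(user["job_code"], user["roles"])
    held = set(user["entitlements"])
    findings = [("orphan", e) for e in sorted(held - expected)]
    findings += [("missing", e) for e in sorted(expected - held)]
    findings += [("sod", rule_id) for rule_id in sod_violations(held)]
    return findings


def check_request(user, requested):
    """Preventive check for an access request: SoD rules that granting
    `requested` on top of current access would violate (empty = approvable)."""
    return sod_violations(set(user["entitlements"]) | {requested})


# Constructed sample users.
USERS = {
    "alice": {"job_code": "FIN-AP", "roles": [],
              "entitlements": {"email:mailbox", "ad:domain_user", "erp:invoice_entry"}},
    "bob":   {"job_code": "FIN-AP", "roles": ["ap_manager"],
              "entitlements": {"email:mailbox", "ad:domain_user", "erp:invoice_entry",
                               "erp:invoice_approve", "erp:vendor_maintain"}},
    "carol": {"job_code": "ENG", "roles": [],
              "entitlements": {"email:mailbox", "erp:vendor_maintain"}},
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, evaluate(user))
    print("alice requests erp:invoice_approve ->",
          check_request(USERS["alice"], "erp:invoice_approve"))
```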

Page 32

Entitlement Catalogs

• Crucial component for success.

• An extensible information store.

• IAG functions highlighted the need for better catalog data:

- Access certifications perform poorly as risk management tools if reviewers cannot figure out what they are reviewing.

- Access request tools are less effective if people cannot figure out what to request.

Page 33

Identity Risk Scoring and Analytics

• Ability to evaluate users, roles, and entitlements, and to assign a risk score to them.

• This risk score can be used to:

- Refine reports

- Enhance dashboards

- Trigger access certifications (and even account suspension or deprovisioning)

• Using risk in identity is aspirational for many organizations, but few are mature enough to do so.
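An added worked example (not Gartner's code) of the scoring described above, feeding the access certification use from Page 28: each entitlement's risk comes from the catalog attributes listed on Page 19 (information classification, regulatory sensitivity), users above a threshold are put into a certification campaign, and review items carry the catalog's business meaning so the reviewer knows what they are certifying. Weights, thresholds, catalog entries and users are constructed.

```python
"""Identity risk scoring from entitlement catalog metadata, and using the
score to decide who goes into an access certification campaign.

Added illustration, not Gartner's code. The catalog fields (information
classification, regulatory sensitivity) follow the deck's entitlement catalog
slide; weights, thresholds, catalog entries and users are constructed.
"""

# Entitlement catalog extract (constructed): business meaning plus the risk-
# relevant attributes a reviewer needs to judge what they are certifying.
CATALOG = {
    "email:mailbox":       {"meaning": "Corporate mailbox",
                            "classification": "internal", "regulatory": False, "privileged": False},
    "erp:invoice_approve": {"meaning": "Approve supplier invoices in ERP",
                            "classification": "confidential", "regulatory": True, "privileged": False},
    "hr:salary_view":      {"meaning": "View salary data in HRMS",
                            "classification": "restricted", "regulatory": True, "privileged": False},
    "ad:domain_admin":     {"meaning": "Domain Admins group in Active Directory",
                            "classification": "restricted", "regulatory": False, "privileged": True},
}
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
REGULATORY_WEIGHT = 3
PRIVILEGED_WEIGHT = 4
UNCATALOGUED_WEIGHT = 6      # an entitlement nobody can explain is itself a risk signal
CONTINGENT_MULTIPLIER = 1.5  # contingent workers often lack an HR-driven leaver event
CERTIFY_THRESHOLD = 10


def entitlement_risk(entitlement):
    """Risk contribution of one entitlement, derived from catalog metadata."""
    meta = CATALOG.get(entitlement)
    if meta is None:
        return UNCATALOGUED_WEIGHT
    score = CLASSIFICATION_WEIGHT[meta["classification"]]
    if meta["regulatory"]:
        score += REGULATORY_WEIGHT
    if meta["privileged"]:
        score += PRIVILEGED_WEIGHT
    return score


def user_risk(user):
    """Aggregate integer risk score for a user."""
    score = sum(entitlement_risk(e) for e in user["entitlements"])
    if user["worker_type"] == "contingent":
        score = int(score * CONTINGENT_MULTIPLIER)
    return score


def plan_certification(users):
    """Users whose score meets the threshold, highest risk first. Each entry
    lists review items riskiest-first, with the catalog meaning so the
    reviewer can tell what they are looking at."""
    campaign = []
    for user_id, user in users.items():
        score = user_risk(user)
        if score < CERTIFY_THRESHOLD:
            continue
        items = sorted(user["entitlements"], key=lambda e: (-entitlement_risk(e), e))
        campaign.append({
            "user": user_id,
            "score": score,
            "items": [(e, CATALOG.get(e, {}).get("meaning", "NOT IN CATALOG")) for e in items],
        })
    campaign.sort(key=lambda c: -c["score"])
    return campaign


# Constructed sample users.
USERS = {
    "dave":  {"worker_type": "employee",
              "entitlements": {"email:mailbox", "erp:invoice_approve"}},
    "erin":  {"worker_type": "employee",
              "entitlements": {"email:mailbox", "ad:domain_admin", "hr:salary_view"}},
    "frank": {"worker_type": "contingent",
              "entitlements": {"email:mailbox", "legacy:app_x"}},
}

if __name__ == "__main__":
    for entry in plan_certification(USERS):
        print(entry["user"], entry["score"])
        for ent, meaning in entry["items"]:
            print("   ", ent, "-", meaning)
```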

Page 34

IAG Architecture

Diagram: the IAG architecture, built from the same components as the provisioning architecture on Page 7 (authoritative sources, target applications, provisioning server, entitlement catalog, identity repository, end user & administrator interface).

Page 35

IAG: Connectors

• At first these were read-only connectors:

- Sped up deployments

- But required a user provisioning tool for fulfillment*

• As IAG vendors have added user provisioning capabilities, these connectors have become read/write.

Page 36

IAG: Authoritative Sources

• At first, IAG tools "listened" to directory changes

• But as IAG vendors have added user provisioning capabilities, they have added the ability to listen to HR systems

Page 37

A Bit of Confusion, a Bit of Clarity

• Vendors have added user provisioning capabilities to their IAG tools and IAG capabilities to their user provisioning tools.

• But you still might end up with two tools deployed:

- User provisioning for:

• Approvals

• Fulfillment

- IAG for:

• Access policy and role management

• Access certification

Page 38

IAG Recap

• Tools to manage user accounts, entitlements, and associated risk by:

- Providing business-friendly user interfaces

- Powered by an entitlement catalog

- Focused (initially) on access certification and access request

Page 39

Gartner for Technical Professionals

Deployment Best Practices

Page 40

What Should Be My Order of Deployment?

• The order of deployment has changed in the past eight years.

• Ensure that the order matches expectations.

Page 41

Traditional Order of Deployment (in sequence):

• User Provisioning

• Roles

• Self-service (Access Request)

Page 42

Role-oriented Order of Deployment (in sequence):

• Roles

• User Provisioning

• Self-service (Access Request)

Page 43

Contemporary Order of Deployment (in sequence):

• Access Certification

• Access Request

• User Provisioning

• Roles

Page 44

Contemporary Order of Deployment (variant with roles before user provisioning, in sequence):

• Access Certification

• Access Request

• Roles

• User Provisioning

Page 45

How Much Should I Automate?

• There are three items up for consideration:

- Life cycle

- Access policy

- Fulfillment

• Each can be independently automated to differing degrees.


Page 48

Life cycle:

• Automated:

- Join

- Move/Change

- Leave

• Manual:

- Do


Page 50

Access policy:

• Automated:

- Policies

- Roles

- Role membership

• Manual:

- Workflow


Page 52

Fulfillment, spectrum of automation (from least to most automated):

• Email

• Help desk ticket

• External provisioning connector

• Direct connection

• JIT via federation


Page 54

Example automation mix:

• LOB responsible for triggering life cycle events

• Workflow approvals

• Emails to system admins for account changes


Page 56

Example automation mix:

• Lights-out provisioning

• Approval workflow

• Automated user account provisioning


Page 58

Example automation mix:

• Policy-based entitlement filtering

• Self-service access request

• Help desk ticket created for manual entry


Page 60

Example automation mix:

• HR "listener"

• Policy-driven eligibility

• Provisioning connector

Page 61

Should I Replace My Existing User Provisioning System's Connectors?

• If they are currently working, then no — not yet.

Page 62

Should I Replace My Existing User Provisioning System's Connectors?

• For new targets, use the new IAG system's connectors.

• For existing targets, use the existing user provisioning system's connectors:

- Integrate the new IAG system to use the older provisioning system as a connector bus.

- Replace incumbent target connectors only when there is sufficient political capital, resources available, and demonstrable need.

Page 63

Gartner for Technical Professionals

Recommendations

Page 64

Recommendations

• Assess and document use cases.

• Understand the purpose and strengths of the various technologies, and align use cases accordingly:

- Deploy the right technology for the right job.

• Consider using standards-based technologies wherever possible.

Page 65

Recommendations

• Scope projects realistically.

• Deploy IAG and provisioning in parallel.

• Automate only when it makes sense:

- High volume/high value

• Think outside the box.

Page 66

Recommended Gartner Research

• Mitigate Risk by Implementing Effective Access Certifications, Ian Glazer (G00252940)

• User Provisioning, Heidi Wachs (G00252853)

• Decision Point for User Provisioning, Lori Robinson (G00227156)

• Rethinking User Provisioning, Ian Glazer, Lori Robinson (G00214489)

• Access Request: Serving the Doers, Ian Glazer (G00211928)

• Identity and Access Governance, Ian Glazer (G00234478)

For more information, stop by Gartner Research Zone.

Page 67

Get more Gartner for Technical Professionals research at Catalyst Conference 2014, August 11-14, San Diego, CA: Gartner.com/us/catalyst

Research written for technologists by technologists…