TRANSCRIPT
How to Govern and Maintain Compliance Using Open Source
Identity Management Components
May 17, 2017
ApacheCon NA, Miami
Introductions
ApacheCon NA, Miami 2017
• Katarina Valalikova – @KValalikova
• Shawn McKinney – @shawnmckinney
Session Objective
Learn about identity governance and demo common use cases with open source infrastructure.
Session Agenda
• Terminology
• Benefits
• Scenarios
• Solution
• Demo
• Questions
Image from: HTTP://EVENTS.LINUXFOUNDATION.ORG/EVENTS/APACHECON-NORTH-AMERICA
Terminology
What can possibly go wrong here?
1. Too many accounts
2. Too few accounts
3. Don’t know how many accounts
What can possibly go wrong here?
1. Improper account retention policies
2. Violation of the principle of least privilege
3. Sharing credentials instead of accounts
4. No account approval process
5. Non-determinant assignments
6. Violation of privacy
In other words, we need
1. Access certification
2. Approvals
3. Notifications
4. Escalation
5. Deputy
6. …
What is Identity Governance?
Gartner says:
• Combines with IAM functions to meet audit and compliance obligations.
What is Identity Governance?
WhatIs calls it:
• Policy-based centralized orchestration of user identity management and access control.
• Helps support enterprise IT security and regulatory compliance.
• Margaret Rouse, WhatIs.com
What is Identity Governance?
Radovan says:
• High-level business processes, business rules, policies, organizational structures
• Combines with low-level identity management processes like data synchronization, system integration, data formats, data transformation, network protocols
• Radovan Semancik, wiki.evolveum.com
What is Identity Governance?
Role Based Access Control
RBAC and Policy Rules
• Constraints
• Actions
• Situations
Identity Management and Governance
Architectural Overview
Requires
• Java version 8
• Java servlet container
• Relational database (any)
Uses
• Spring Framework – component wiring
• Apache Wicket – user interface
• ConnId – common connectors
Architectural Overview
[Layered architecture diagram: user interface components; IdM services, security and user-account mappings; resource and account management; common data model, libs and low-level utils; data storage and task management. High-level components don’t connect with low-level components.]
Demo
Resource / Connectors at Play
1. Google Apps
2. Oracle HCM
3. LDAP
Demo Environment
[Demo environment diagram: Google Apps connector, HCM connector (PeopleSoft), Open]
Use Cases
• UC 1 – Onboarding New Identity, Account activation
• UC 2 – Role assignment
• UC 3 – Self service
• UC 4 – Deputy
• UC 5 – Account Certification / Recertification
UC 1 Onboarding new Identity
1. User is imported from HCM
2. Activation link is sent to the user
3. User activates his account
4. Basic roles are assigned to the user after activation
UC 2 Role assignment
1. Manager assigns roles to onboarded user
2. Manager selects conflicting roles
3. Roles are not assigned because of SoD violation
UC 3 Self service
1. User selects roles he needs to have assigned
2. Request is sent for approval
3. Approval starts
4. Approval from manager is needed
5. Approval from security officer is needed
6. Approval from application owner is needed
7. App owner is on vacation – escalation
UC 4 Deputy
1. Manager is going on vacation
2. Manager delegates his work
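The SoD check of UC 2, the multi-level approval chain of UC 3 and the deputy hand-over of UC 4, worked through as a small policy engine. This is an added example, not code from the talk's demo or from any product it mentions; the role names, SoD pairs, approval levels and deputies are constructed sample data.

```python
# Constructed sample policy (not from the talk's demo): pairs of roles that must
# never be held by one user, i.e. separation-of-duties (SoD) constraints.
SOD_PAIRS = [frozenset({"ap-clerk", "ap-approver"}),
             frozenset({"payroll-admin", "payroll-auditor"})]
# Constructed approval chain for a self-service role request, and the deputy who
# takes over a level when its approver is absent (escalation).
APPROVAL_LEVELS = ["manager", "security-officer", "app-owner"]
DEPUTIES = {"manager": "manager-deputy", "app-owner": "app-owner-deputy"}

def sod_violations(current, requested):
    """Return the SoD pairs that would be violated if `requested` were added to `current`."""
    held = set(current) | set(requested)
    return sorted(tuple(sorted(pair)) for pair in SOD_PAIRS if pair <= held)

def assign_roles(current, requested):
    """UC 2: refuse the whole request when any SoD constraint would be violated."""
    violations = sod_violations(current, requested)
    if violations:
        return {"assigned": sorted(current), "rejected": violations}
    return {"assigned": sorted(set(current) | set(requested)), "rejected": []}

def run_approvals(decisions, absent=frozenset()):
    """UC 3 steps 3-7: walk the levels in order. An absent approver's step is
    escalated to the deputy; a missing decision leaves the request pending and
    the first rejection stops it. `decisions` maps approver name -> True/False."""
    trail = []
    for level in APPROVAL_LEVELS:
        actor = DEPUTIES.get(level) if level in absent else level
        if actor is None or actor not in decisions:
            trail.append((level, actor, "pending"))
            return {"approved": False, "trail": trail}
        verdict = decisions[actor]
        trail.append((level, actor, "approved" if verdict else "rejected"))
        if not verdict:
            return {"approved": False, "trail": trail}
    return {"approved": True, "trail": trail}

def request_roles(current, requested, decisions, absent=frozenset()):
    """Self-service flow: SoD check first (UC 2), then the approval chain (UC 3)."""
    outcome = assign_roles(current, requested)
    if outcome["rejected"]:
        return outcome
    approval = run_approvals(decisions, absent)
    if not approval["approved"]:
        return {"assigned": sorted(current), "rejected": [], "trail": approval["trail"]}
    return {**outcome, "trail": approval["trail"]}
```

The returned trail is the audit record a certification campaign (UC 5) would later review: who decided each level, and whether a deputy acted in place of the nominal approver.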
UC 5 Access certification
1. New campaign for access certification starts
2. Manager decides which accounts are legitimate
Benefits of Governance Controls
• Advanced role lifecycle management
• Audit and reporting interfaces
• Enhanced regulatory compliance
• Improved business responsiveness
• Privileged account management
• Self-service interfaces
Governance simply
• Notifications
• Recertification
• (Multi-level) approvals
• Escalation
• Delegation
• Deputy
• Role lifecycle
• Audit trail
• ...
Questions
Contact
• Katarina Valalikova – @KValalikova
• Shawn McKinney – @shawnmckinney