the way we do it: Identity and Access Management (Security PoV)

Upload: gord-reynolds
Post on 17-Aug-2015

Contents
Business Rationale
Services
Benefits of Identity and Access Management
Our Solution
Our Approach
The Capgemini Advantage
Near-future Developments
About Us

Identity and Access Management is a central asset in today's enterprise landscape. It comprises processes and information technologies that are interrelated and mutually dependent on all business areas. If planned and implemented well, it ultimately helps strengthen regulatory compliance, secure operations and improve operational agility.

Capgemini's vision of Adaptive Security(SM) places Identity and Access Management technology as the core component of the Integrated Security Infrastructure method.

Business Rationale

Identity and Access Management fuses technology and process in a way that impacts both the cost base and productivity of an organization.

Business has always been about relationships. Whether they're with customers, employees or partners, relationships are one of the most valuable assets in business. Electronic identities are increasingly used to create and maintain these relationships and therefore are an important enabler for e-business or public services.

There is also a close and vital relationship between business processes, business functions, the organizational structure, the identities and the resources used. As a result, data requires context-driven access management to support the interaction between different identities. IT departments need to be able to adapt access management to the ways in which systems are actually used.

The character of these relationships has changed substantially over the years, making their effective management essential. First, the relationships now span beyond the organizational boundary and form the basis of extended business processes that connect the organization with its suppliers and customers. Second, their nature is becoming more dynamic, reflecting the changing business models. Finally, the number of relationships today is much bigger than at any time in the past. As a result, organizations today must maintain a network of dynamic relationships between customers, employees and partners to continuously adapt to the changing environment. Simultaneously, they must do this in a way that provides a safe and secure platform upon which they can conduct their business.

Organizations have deployed, and continue to deploy, a range of (information) systems that are changing rapidly. They also extend beyond organizational boundaries. There is increased and complex exchange of data, and more storage of data in various places and in different formats. Data is increasingly dependent and there is more use of central administration. Today's diverse communities of users all need access to the right information at the right time.

Legislators and regulators are increasing the requirement for organizations to demonstrate that they are adequately managing risks to the value of their information assets. This value can be impacted by threats to information confidentiality, integrity and availability. Breaches of information security can cause direct financial losses, directly impact customers, adversely affect reputation and brand, and even reduce the value of shareholders' equity. In addition, legislative and regulatory pressure is creating increased demand for individual traceability and accountability.

For these reasons, organizations need to place Identity and Access Management at the center of their information security strategies. This paper provides an insight into what Identity and Access Management comprises, what it can deliver, and what Capgemini can offer in this space. We also take a look at the future with our TechnoVision and near-future developments.

Services

An Identity and Access Management system can administer the authentication and entitlement of users to access a resource. It identifies the user and the context and determines what the user can access. It also determines what the user can do, and protects the information by signaling when the security has been compromised. However, an Identity and Access Management system needs to do much more than simply regulate access; it must also manage the lifecycle of the user, the resources and the access. Otherwise, every time a customer, vendor or employee changes status, the process of updating access privileges would waste precious man-hours and drive up costs. To handle these different requirements, an Identity and Access Management system is composed of different services:

Service: Authenticate Subject (administrative functions behind identities, i.e. Identity Management)
Functionality:
- Identity Directory Service
- Joiners/Movers/Leavers Services
- Management of the user's identifiers
- Identity Federation
- White pages/Yellow pages
- Management of (strong) authentication

Service: Access Resource (Entitlement, i.e. Access Management)
Functionality:
- Rule Management, Business Role and Profile Management (what is a subject allowed to do with a resource, under what conditions/in what context)
- User Self-Services, Delegated Services and Admin
- Workflows (management)
- Provisioning of user accounts and access
- Management of physical access
- Application Policy Enforcement/Management
- Single Sign On
- Real-time control of access to objects/resources

Service: Monitoring
Functionality:
- Audit and Reporting
- Re-Certification (Attestation)
- Alarm & Event Management

Benefits of Identity and Access Management

Identity and Access Management fuses technology and process in a way that impacts both the productivity of an organization and its bottom line. This gives an organization three different ways to justify a strong Identity and Access Management strategy: one focuses on the cost of avoidance, while the others describe the benefit of this approach:

1. Cost of Non-Investment (CONI)
- Failure to improve business facilitation and service levels
- Inability to improve security through lifecycle management of joiners, movers and leavers
- Regulatory non-compliance
- Inflexible IT infrastructure that cannot adapt to changing user communities and behavior

2. Total Cost of Ownership (TCO) benefit
- Reduced operational costs through automation and streamlining of IT administration processes
- Reduced lead time and cost of new application development

3. Return on Investment (ROI) benefit
- Improved productivity and user experience
- Enables secure (online) business models
- Improved ability to cope with organizational and business changes
- Savings on per-user software licenses

Our Solution

Capgemini's vision for Identity and Access Management sees it working as an Invisible Infostructure (1) connecting and integrating various technology and departmental islands. From a technical perspective, identity infrastructure consists of user security and registration functionality that is underpinned by directory and integration services, and supported by advanced administration services. Related business processes and services then leverage the identity infrastructure. From an organizational perspective, Identity and Access Management elaborates on and extends the security and risk management organization.

It is clear that there is a major dependence between Identity and Access Management and Enterprise Architecture as far as governance, risk management and compliance are concerned. Our Identity and Access Management Framework, which is at the basis of our solution, provides views of technical, organizational and business aspects of Identity and Access Management.

The unique aspect of Capgemini's Identity and Access Management Framework is its flexibility. Partitioning of the Identity and Access Management landscape into distinct process and technology parcels delivers flexibility. This provides a solution that allows for phased implementation and migration to the new infrastructure and business processes.

Figure 1: Identity & Access Framework (diagram; only its labels are recoverable here). Numbered elements: 1. Security Realization; 2. Application and Information system functional design (defining which authorizations are necessary for which activities); 3. Authorization management (presenting authorizations in a form that the business can understand and can act upon); 4. Business Operations (the use and maintenance of authorizations made available); 5. Service & Provisioning (release authorizations and/or information/extra resources); 6. Systems and applications (non-personal accounts, ACL and profile management); 7. Business Architecture (organizational structure); 8. HR and process registration (registration of which activities belong to which role, which employee has which role in which context, which role is available in what organizational structure, and which process activities belong to which organizational structure); 9. Daily use; 10. Identity services. Role abbreviations: CR catalog role, BR business role, PSR process sub role, OSR organizational role, FSR functional sub role. Phases: Design, Completion, Resources. The figure also shows business, HR and departmental processes mapped onto activities.

The framework is delivered along three tracks:

Functional Track: design and implementation of security policy, separation of duty, ownership, new IAM processes, role model structure, governance, authoritative sources and application administration.

Technical Track: design and implementation of user management tooling, IAM tooling, IAM tooling governance and IAM reporting (Ist/Soll).

Execution Track: design and implementation of the roll-out plan, communication plan, migration plan and education/awareness.

(1) Invisible Infostructure is the end-state of infrastructure as we currently know it, using virtualization, grid and automated management technologies to deliver infrastructural services as a commoditized, preferably invisible, utility.

Our Approach

We employ a three-stage approach to the development of an Identity and Access Management infrastructure. This begins with careful planning, which then transitions into preparation, followed by the final implementation of the solution.

In the planning stage, we focus on understanding and capturing the high-level business (functional) and technical context. This is achieved by utilizing a combination of focused interviews and facilitated sessions with key stakeholders. From this information, we can identify benefits and concerns and provide the justification for the expenditure.

The preparation stage identifies the particulars of the technical solution and relevant user processes. We refine the understanding of the current technical landscape and develop a technical solution blueprint. Products are considered based on the requirements. Finally, a roadmap comprising the initiatives required to implement the blueprint is developed. In parallel, we model the relevant user and business processes to ensure cohesion with the technical solution. This allows us to streamline the administration processes to gain operational efficiencies. Finally, we develop user training and communication modules to ensure a smooth rollout.

The implementation stage realizes the components of the technical solution, such as directory integration and consolidation, provisioning, authorization, authentication services and application integration. This stage also puts in place the operational processes for the governance of Identity and Access Management.

Our experience has taught us that security technologies are not point solutions. They require careful planning and should be considered as the strategic component of an Integrated Security Infrastructure. There is no one-size-fits-all solution, as the needs and characteristics of each organization vary widely. The chosen model must fit with the characteristics of the organization. Identification and authentication have more focus in the educational sector. Think about e-exams: is the person taking the exam really the student the exam is intended for? Access is the same for all students. In other sectors it is different. For example, in the health sector logging (audit-based access control) is more important: a first-aid team needs instant access, but needs to justify that access afterwards. In the finance sector, least privilege, compliance and separation of duties are important factors.

The Capgemini Advantage

It is crucial to be able to identify what the current situation is and to have knowledge of the various approaches in use. One must also be able to translate demands into technical, functional and organizational elements in order to develop a consistent, safe, effective and efficient strategy for Identity and Access Management.

Our advantage in the field of Identity and Access Management is built on our experience, our capabilities and strategic alliances.

We have considerable experience with various types of Identity and Access Management engagements, ranging from organization strategy, solution architecture and business change consultancy assignments through to the implementation and integration of technical solutions. These engagements have been carried out in diverse commercial and public environments.

Capgemini's expertise embraces both commercial and public security. We have, for example, proven capabilities in iris identification at borders, mobile digital fingerprinting supporting police departments on the front line, automatic number plate recognition, video identification and integration of physical and logical access. These are all examples of Identity and Access Management.

Our consultants and engineers with vast expertise in this area are networked globally via our Identity and Access Management Center of Competence, actively sharing knowledge and experience.
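The service catalogue above (joiners/movers/leavers, provisioning, re-certification) and the finance-sector emphasis on least privilege and separation of duties can be exercised in a small role-model simulation. This is an added example, not code from the paper or from Capgemini; the role names, entitlements and the single separation-of-duty rule are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed role model (not from the paper): a business role is composed of
# sub roles, each mapping to entitlements (catalog roles) on target systems.
SUB_ROLES = {
    "AP_CLERK": {"erp:invoice.create"},
    "AP_APPROVER": {"erp:invoice.approve"},
    "PAYMENTS": {"bank:payment.release"},
}
BUSINESS_ROLES = {
    "Accounts Payable": {"AP_CLERK"},
    "Finance Manager": {"AP_APPROVER", "PAYMENTS"},
}
# Separation-of-duty rule: one identity must never hold both entitlements.
SOD_RULES = [frozenset({"erp:invoice.create", "erp:invoice.approve"})]

@dataclass
class Identity:
    uid: str
    business_roles: set = field(default_factory=set)
    active: bool = True

def entitlements(ident):
    """Entitlements the role model allows; an inactive identity gets none."""
    if not ident.active:
        return set()
    return {e for br in ident.business_roles
            for sr in BUSINESS_ROLES[br] for e in SUB_ROLES[sr]}

def sod_violations(ident):
    """SoD rules broken by the entitlements this identity would hold."""
    ents = entitlements(ident)
    return [rule for rule in SOD_RULES if rule <= ents]

def joiner(ident, role):
    ident.business_roles.add(role)

def mover(ident, old_role, new_role):
    """Status change: the old role is revoked, not merely the new one added."""
    ident.business_roles.discard(old_role)
    ident.business_roles.add(new_role)

def leaver(ident):
    ident.active = False

def provision(actual_grants, ident):
    """Reconcile a target system with the role model: (to_grant, to_revoke)."""
    desired = entitlements(ident)
    actual = actual_grants.get(ident.uid, set())
    return desired - actual, actual - desired

def recertify(identities, actual_grants):
    """Attestation view: grants on the target the role model does not explain."""
    return {i.uid: orphan for i in identities
            if (orphan := actual_grants.get(i.uid, set()) - entitlements(i))}
```

A mover who keeps the old role alongside the new one shows up in `sod_violations`, and a leaver's remaining grants show up as revocations in `provision` and as orphans in `recertify`.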
To maintain our advantage, we conduct regular market surveys and internal product research studies. Capgemini also closely follows the development of relevant emerging standards such as those developed by OASIS, and our experts have access to research by analysts such as Gartner, IDC, Burton and the Open Group. We often present aspects of Architecture and Security to and from these groups.

Our ability to deliver Identity and Access Management solutions is further strengthened by our strong alliances with leading Identity and Access Management vendors such as IBM, Microsoft, Sun, CA, SAP, Oracle and BMC. The scope and nature of our alliance activities ensure that we maintain impartiality in consultancy assignments, while leveraging maximum advantage on systems integration assignments.

The Intelligence Grid

A recognition of the importance of collaborative behavior in response to this complex environment prompted Capgemini's launch of a new approach to Public Security technology in 2006. We called this concept the Intelligence Grid: an innovative concept that improves internal efficiencies and opens up enhanced avenues of collaboration. Founded on the sound principles of Service-Oriented Architecture, the Intelligence Grid approach allows the smooth interoperability of Public Security systems, enabling the active and efficient collaboration needed between different government agencies as well as different governments. Capgemini Public Security recognizes Identity and Access Management as the core of the Intelligence Grid.

Near-Future Developments

With the evolution of Web 2.0, which is focused on the enablement of unstructured collaboration, it will be harder to associate an identity with a predefined role. It will become more critical for enterprises to secure their information through management of application policies. The system needs to be more responsive to autonomous system users in heterogeneous environments. Management of application policies has to be identified in a hierarchy structure that is defined at the enterprise level, while at the same time delegating granular policy definitions to the business unit level. Management of these policies can be addressed through effective Identity and Access Management and its consistent security services and business rules.

Another development around Web 2.0 is user centricity. Service-specific identities are managed transparently. On the one hand, a user can create as many identities as he or she wishes and has full control over his or her privacy (e.g., pseudonyms). Identities and attributes become independent from identity providers, and can be freely moved between providers. On the other hand, life-long personal identities store more personal data about someone, including biometric (non-changeable) aspects. Because of this, identity information (financial, medical, biometric, etc.) needs special attention, and privacy-friendly service discovery and search techniques are expected to emerge in the near future.

Capgemini is deeply rooted in the fast-changing business and IT environment, and is constantly upgrading capabilities to stay current with the latest innovation in the marketplace. In many cases, we have taken a thought leadership role to lead the way. There are various new developments where Identity and Access Management plays an important function:
- Web 2.0
- Mashups
- Federation
- Trust(ed brokers)
- Data classification, data leakage and deperimeterization
- Rightshore
- Shared services, one authoritative source
- Service Orientation
- Identity fraud/theft and privacy protection
- User centricity and lifelong personal identity
- Lifecycle management
- Trend analysis and (real-time) monitoring
- Integration of physical & logical identities and access

Figure 2: Identity and Access Management maturity model (diagram; only its labels are recoverable here). Stages: IT-centric, Business Aligned, Ecosystem Integrated; mindset: Reactive, Managed, Agile; axes: Mindset, Execution. Capabilities placed on the grid: Federation, Business Process Alignment, Role Based Access Control, Delegated Administration, Integrated Identity, Rule Based Access Control, Advanced Self Service, Context Based Access Control, User Centric Identity, Education/Awareness.

The Open Group Jericho Forum

Capgemini is a founder and member of the Jericho Project Research Group (as part of The Open Group). It focuses on defining new security architectures and a security roadmap for implementing networks without perimeters. In order to design and build a de-perimeterized network solution, a combination of at least the following modules is needed: secure communications, inherently secure computer protocols, endpoint security, adequate authentication and authorization of all the entities, accounting, trust brokering services, and automatic data classification on multiple security levels. It places Identity and Access Management as a major cluster.

TechnoVision 2012

Our TechnoVision 2012 provides a clear picture of the information technologies that are the most relevant to users and sheds some light on how these technologies and their evolution will impact business. It places Identity and Access Management in various clusters:
- User Management as part of the YOU Experience
- Real-Time Business Process Control and Composite Applications as part of Process-on-the-Fly
- Identity and Access Management is essential in order to be able to Thrive on Data; this includes Mastered Data Management (Data Governance)
- Software-as-a-Service as part of the Sector-as-a-Service
- Deperimeterized, Jericho-style Security and Identity as part of the Invisible Infostructure
- The virtual Service Orientation cluster

About Us

Capgemini, one of the world's foremost providers of consulting, technology and outsourcing services, enables its clients to transform and perform through technologies. Capgemini provides its clients with insights and capabilities that boost their freedom to achieve superior results through a unique way of working, the Collaborative Business Experience, and through a global delivery model called Rightshore, which aims to offer the right resources in the right location at competitive cost. Present in 36 countries, Capgemini reported 2007 global revenues of EUR 8.7 billion and employs over 86,000 people worldwide.

More information about our services, offices and research is available at www.capgemini.com

Copyright 2008 Capgemini. All rights reserved.

For more information contact:
Gord Reynolds
Utility Practice Leader, Global Smart Energy
[email protected]
+1-416-732-2200
www.capgemini.com