Identity and Access Management
Business Performance Through Connected Intelligence
Ertem Osmanoglu

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Amsterdam, Boston, Heidelberg, London, New York, Oxford, Paris, San Diego, San Francisco, Singapore, Sydney, Tokyo

Publisher: Steven Elliot
Editorial Project Manager: Benjamin Rearick
Project Manager: Malathi Samayan
Designer: Mark Rogers

Copyright © 2014 Ernst & Young, LLP. Published by Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Osmanoglu, Ertem.
Identity and Access Management: Business Performance Through Connected Intelligence / Ertem Osmanoglu.
pages cm.
Includes bibliographical references and index.
ISBN 978-0-12-408140-6 (pbk.)
1. Computer security. 2. Computers--Access control. 3. Computer networks--Security measures. 4. False personation--Prevention. I. Title.
QA76.9.A25 O78 2013
005.8--dc23
2013036149

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Syngress publications, visit our website at store.elsevier.com/Syngress

ISBN: 978-0-12-408140-6
Printed and bound in the United States of America

Contents

Foreword
Preface
Introduction
Acknowledgments
Author and Editor Biographies

Section 1: Business Case and Current State

Chapter 1: Business Requirements and Business Case Development
  Introduction
  An IAM Business Case: What Is It, Exactly? Why Is It Important?
  Types of Business Cases for IAM
    The Risk and Compliance Business Case
    The Operational Effectiveness or Cost Savings Driven Business Case
    The Business Enablement Driven Business Case
  A Strategic Approach to Developing an IAM Business Case
    Identify, Analyze, and Engage Key Stakeholders
    Understand Decision-Making Process and Roles
    Reexamine IAM Scope, Requirements, and Define Program Objectives
    Develop Alternative IAM Solutions
    IAM Strategy and Vision
    Analyze Alternatives and Select "To Be" State
    Baseline Current Capabilities and Costs
    Develop Risk Mitigation Strategy
    Detail Business Case Justification: Costs and Benefits
    Develop and Describe High-Level Roadmap
    Document the Compelling Business Case Report
  Summary
  Appendix A: Sample Table of Contents for Requirements
  Appendix B: Sample Requirements Document

Chapter 2: IAM Framework, Key Principles and Definitions
  IAM Defined
  IAM Framework
    Governance
    Identity and Credential
    Access
    Authoritative Sources
    Administration and Intelligence

Chapter 3: Current State and Capability Maturity
  IAM Capability Maturity Framework
    Governance
    Identity and Credential
    Access
    Authoritative Sources
    Administration and Intelligence
  Sample Work-Products and Artifacts
  Appendix A: Sample Current State Assessment Report
  Appendix B: Sample Maturity Assessment: Summary View

Chapter 4: Common Challenges and Key Considerations
  Theme 1: Governance
  Theme 2: Program Delivery
  Theme 3: Sustain Compliance
  Theme 4: Identity Lifecycle
  Theme 5: Control Access
  Theme 6: Operations
  Conclusion

Chapter 5: Case Study: Access Reviews

Section 2: Future State and Roadmap

Chapter 6: Future State Definition
  Introduction
  Stages of IAM Future State Definition
    Future State Vision and Guiding Principles
    Future State Conceptual Design
    Future State Detailed Design
  Conclusion

Chapter 7: IAM Roadmap and Strategy
  Developing an IAM Roadmap
  Key Components of an IAM Roadmap
  Conclusion

Chapter 8: Identity and Access Intelligence: A Risk-Based Approach
  A Risk-Based Approach to IAM
  Peer Group and Outlier Analysis
    Sorting Method
    Regression Methods
    Request/Approval and Provisioning Considerations
    Review and Certification Considerations
  Role Analysis
  Resource Allocation and Analysis
    Account and System Usage Analysis
  Risk and Fraud Systems Integration
  Conclusion

Chapter 9: Enabling Business Through Cloud-Based IAM
  Introduction
  IAM Cloud Deployment Models
  IAM Cloud Service Models
  IAM Cloud Security and Risk Management
  Conclusion

Chapter 10: Case Study: Future State: Finding a Way Out of the Labyrinth

Section 3: Implementation

Chapter 11: Implementation Methodology and Approach
  Implementation Methods
    Plan and Diagnose
    Define and Design
    Develop and Deliver
    Adopt and Sustain
  Conclusion
  Chapter 11 Appendix 1: IAM Implementation Toolkit
    Appendix 1.1: IAM Implementation: Sample Project Charter
    Appendix 1.2: IAM Implementation: Sample Project Plan
    Appendix 1.3: IAM Implementation: Sample Implementation Guide
    Appendix 1.4: IAM Implementation: Sample Run Book
    Appendix 1.5: IAM Implementation: Sample Communications Governance
    Appendix 1.6: IAM Implementation: Sample Issue Tracking Log
    Appendix 1.7: IAM Implementation: Sample Workstream Status Template
    Appendix 1.8: IAM Implementation: Sample Interview Tracker
    Appendix 1.9: IAM Implementation: Sample Meeting Notes Template

Chapter 12: Access Request, Approval, and Provisioning
  System Overview and Key Components
    Request System
    Workflow System
    Provisioning System
    HR System
  IAM Data Management
  Conclusion

Chapter 13: Enforcement
  Introduction
  Authentication
    Single-Factor Authentication
    Multifactor Authentication
  Authentication Implementation Approaches
    Risk-Based Adaptive Authentication
    SSO Systems
    Directory Services
    Centralized Versus Decentralized Authentication
    Federated IAM
  Authorization
    Initial Stage Application Architectures
    Centralized Authentication and Coarse-Grained Authorization
    Central Authentication and Fine-Grained Authorization
    Choosing an Application Authorization Architecture
  Logging and Monitoring
  Conclusion

Chapter 14: Access Review and Certification
  Benefits and Objectives
  Access Review and Certification Processes
    Access Review and Certification Scope and Approach
    Communicating with Stakeholders and Participants
    Collecting and Managing Data
    Executing the Access Review and Certification Process
    Executing Access Remediation
    Monitoring and Closing Out
  Conclusion

Chapter 15: Privileged Access Management
  Understanding Privileged Access
  Key Business Drivers
    Malicious Use of Privileged Access
  Privileged Access Management Program
    Technical Enablers for Privileged Access Management
    Password Vaulting Solutions
    Privilege Escalation
    Privileged Access Life-Cycle Management
    Enforcement Through Authentication and Directory Services
  Conclusion

Chapter 16: Roles and Rules
  A Brief History of Access Control Models
  RBAC Key Concepts
  Rules and Enforcement
  The RBAC Model and the Access Management Life Cycle
    Enterprise Roles
    Functional Roles
    IT Roles
    Applying the RBAC Model
  RBAC Implementation Considerations
    RBAC Approach and Methodology
    Planning
    Risk Ranking
    Role Analysis/Role Mining
    Role Definition Reporting
    Ongoing Role Management