
Identity and Access Management: Business Performance Through Connected Intelligence PDF

649 Pages·2013·165.7 MB·English

Preview Identity and Access Management: Business Performance Through Connected Intelligence

Identity and Access Management: Business Performance Through Connected Intelligence
Ertem Osmanoglu

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier

Publisher: Steven Elliot
Editorial Project Manager: Benjamin Rearick
Project Manager: Malathi Samayan
Designer: Mark Rogers

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2014 Ernst & Young, LLP. Published by Elsevier Inc. All rights reserved.

Library of Congress Cataloging-in-Publication Data
Osmanoglu, Ertem.
Identity and Access Management: Business Performance Through Connected Intelligence / Ertem Osmanoglu.
pages cm.
Includes bibliographical references and index.
ISBN 978-0-12-408140-6 (pbk.)
1. Computer security. 2. Computers -- Access control. 3. Computer networks -- Security measures. 4. False personation -- Prevention. I. Title.
QA76.9.A25 O78 2013
005.8 -- dc23
2013036149

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Syngress publications, visit our website at store.elsevier.com/Syngress
ISBN: 978-0-12-408140-6
Printed and bound in the United States of America

Contents

FOREWORD  xiii
PREFACE  xv
INTRODUCTION  xvii
ACKNOWLEDGMENTS  xxiii
AUTHOR AND EDITOR BIOGRAPHIES  xxv

Section 1  Business Case and Current State

CHAPTER 1  Business Requirements and Business Case Development  3
  Introduction  3
  An IAM Business Case: What Is It, Exactly? Why Is It Important?  4
  Types of Business Cases for IAM  5
    The Risk and Compliance Business Case  5
    The Operational Effectiveness or Cost Savings Driven Business Case  6
    The Business Enablement Driven Business Case  7
  A Strategic Approach to Developing an IAM Business Case  7
    Identify, Analyze, and Engage Key Stakeholders  8
    Understand Decision-Making Process and Roles  11
    Reexamine IAM Scope, Requirements, and Define Program Objectives  11
    Develop Alternative IAM Solutions  12
    IAM Strategy and Vision  12
    Analyze Alternatives and Select "To Be" State  13
    Baseline Current Capabilities and Costs  13
    Develop Risk Mitigation Strategy  15
    Detail Business Case Justification: Costs and Benefits  17
    Develop and Describe High-Level Roadmap  17
    Document the Compelling Business Case Report  17
  Summary  19
  Appendix A  Sample Table of Contents for Requirements  19
  Appendix B  Sample Requirements Document  19

CHAPTER 2  IAM Framework, Key Principles and Definitions  47
  IAM Defined  47
  IAM Framework  49
    Governance  50
    Identity and Credential  50
    Access  51
    Authoritative Sources  52
    Administration and Intelligence  54

CHAPTER 3  Current State and Capability Maturity  55
  IAM Capability Maturity Framework  61
    Governance  61
    Identity and Credential  65
    Access  77
    Authoritative Sources  79
    Administration and Intelligence  84
  Sample Work-Products and Artifacts  88
  Appendix A  Sample Current State Assessment Report  89
  Appendix B  Sample Maturity Assessment: Summary View  113

CHAPTER 4  Common Challenges and Key Considerations  117
  Theme 1  Governance  117
  Theme 2  Program Delivery  121
  Theme 3  Sustain Compliance  121
  Theme 4  Identity Lifecycle  121
  Theme 5  Control Access  125
  Theme 6  Operations  125
  Conclusion  134

CHAPTER 5  Case Study: Access Reviews  135

Section 2  Future State and Roadmap

CHAPTER 6  Future State Definition  141
  Introduction  141
  Stages of IAM Future State Definition  142
    Future State Vision and Guiding Principles  142
    Future State Conceptual Design  146
    Future State Detailed Design  148
  Conclusion  164

CHAPTER 7  IAM Roadmap and Strategy  165
  Developing an IAM Roadmap  165
  Key Components of an IAM Roadmap  166
  Conclusion  175

CHAPTER 8  Identity and Access Intelligence: A Risk-Based Approach  177
  A Risk-Based Approach to IAM  177
  Peer Group and Outlier Analysis  181
    Sorting Method  182
    Regression Methods  183
    Request/Approval and Provisioning Considerations  186
    Review and Certification Considerations  186
  Role Analysis  187
  Resource Allocation and Analysis  188
    Account and System Usage Analysis  189
  Risk and Fraud Systems Integration  190
  Conclusion  191

CHAPTER 9  Enabling Business Through Cloud-Based IAM  193
  Introduction  193
  IAM Cloud Deployment Models  194
  IAM Cloud Service Models  197
  IAM Cloud Security and Risk Management  200
  Conclusion  202

CHAPTER 10  Case Study: Future State: Finding a Way Out of the Labyrinth  203

Section 3  Implementation

CHAPTER 11  Implementation Methodology and Approach  211
  Implementation Methods  211
    Plan and Diagnose  214
    Define and Design  218
    Develop and Deliver  219
    Adopt and Sustain  226
  Conclusion  227
  Chapter 11 Appendix 1: IAM Implementation Toolkit  227
    Appendix 1.1  IAM Implementation: Sample Project Charter  227
    Appendix 1.2  IAM Implementation: Sample Project Plan  248
    Appendix 1.3  IAM Implementation: Sample Implementation Guide  249
    Appendix 1.4  IAM Implementation: Sample Run Book  308
    Appendix 1.5  IAM Implementation: Sample Communications Governance  365
    Appendix 1.6  IAM Implementation: Sample Issue Tracking Log  379
    Appendix 1.7  IAM Implementation: Sample Workstream Status Template  383
    Appendix 1.8  IAM Implementation: Sample Interview Tracker  385
    Appendix 1.9  IAM Implementation: Sample Meeting Notes Template  388

CHAPTER 12  Access Request, Approval, and Provisioning  391
  System Overview and Key Components  393
    Request System  394
    Workflow System  396
    Provisioning System  398
    HR System  400
  IAM Data Management  401
  Conclusion  402

CHAPTER 13  Enforcement  405
  Introduction  405
  Authentication  405
    Single-Factor Authentication  407
    Multifactor Authentication  408
  Authentication Implementation Approaches  412
    Risk-Based Adaptive Authentication  413
    SSO Systems  415
    Directory Services  417
    Centralized Versus Decentralized Authentication  418
    Federated IAM  419
  Authorization  423
    Initial Stage Application Architectures  423
    Centralized Authentication and Coarse-Grained Authorization  425
    Central Authentication and Fine-Grained Authorization  429
    Choosing an Application Authorization Architecture  430
  Logging and Monitoring  433
  Conclusion  434

CHAPTER 14  Access Review and Certification  437
  Benefits and Objectives  438
  Access Review and Certification Processes  438
    Access Review and Certification Scope and Approach  438
    Communicating with Stakeholders and Participants  453
    Collecting and Managing Data  453
    Executing the Access Review and Certification Process  455
    Executing Access Remediation  457
    Monitoring and Closing Out  458
  Conclusion  458

CHAPTER 15  Privileged Access Management  461
  Understanding Privileged Access  461
  Key Business Drivers  462
    Malicious Use of Privileged Access  463
  Privileged Access Management Program  464
    Technical Enablers for Privileged Access Management  467
    Password Vaulting Solutions  467
    Privilege Escalation  468
    Privileged Access Life-Cycle Management  470
    Enforcement Through Authentication and Directory Services  471
  Conclusion  477

CHAPTER 16  Roles and Rules  479
    A Brief History of Access Control Models  483
    RBAC Key Concepts  488
  Rules and Enforcement  492
  The RBAC Model and the Access Management Life Cycle  498
    Enterprise Roles  498
    Functional Roles  501
    IT Roles  502
    Applying the RBAC Model  503
  RBAC Implementation Considerations  505
    RBAC Approach and Methodology  505
    Planning  505
    Risk Ranking  510
    Role Analysis/Role Mining  510
    Role Definition Reporting  511
    Ongoing Role Management  512

Description:
Identity and Access Management: Business Performance Through Connected Intelligence provides you with a practical, in-depth walkthrough of how to plan, assess, design, and deploy IAM solutions. This book breaks down IAM into manageable components to ease systemwide implementation. The hands-on, end-
