User Provisioning Best Practices

  • Published on
    29-Nov-2014

DESCRIPTION

This document describes and justifies user provisioning best practices in medium to large organizations. It is intended to offer reasoned guidance to IT decision makers when they set security policies and design processes to manage user identities and entitlements across multiple systems and applications.

Transcript

User Provisioning Best Practices

2014 Hitachi ID Systems, Inc. All rights reserved.

Contents

1 Introduction (p. 1)
2 Terminology and Concepts (p. 2)
  2.1 What is Identity Management? (p. 2)
  2.2 What is Enterprise Identity Management? (p. 2)
  2.3 What is Entitlement Management? (p. 3)
3 User Lifecycle: Business Challenges (p. 5)
4 Administration Within Application Silos (p. 7)
5 Overview of User Provisioning (p. 8)
6 Human Factors (p. 10)
7 Enforcing Standards (p. 11)
  7.1 Best Practices (p. 11)
    7.1.1 Assigning unique identifiers (p. 11)
    7.1.2 Object Placement (p. 12)
    7.1.3 Security Entitlements (p. 13)
    7.1.4 Change Authorization (p. 13)
8 User and Entitlement Management Processes (p. 16)
  8.1 Identity synchronization (p. 16)
    8.1.1 When to use (p. 16)
    8.1.2 Scope (p. 16)
    8.1.3 How to use (p. 16)
    8.1.4 Pitfalls to avoid (p. 16)
  8.2 Auto-provisioning and automatic deactivation (p. 18)
    8.2.1 When to use (p. 18)
    8.2.2 Scope (p. 18)
    8.2.3 How to use (p. 19)
    8.2.4 Pitfalls to avoid (p. 19)
  8.3 Self-service requests and delegated administration (p. 20)
    8.3.1 When to use (p. 20)
    8.3.2 Scope (p. 20)
    8.3.3 How to use (p. 20)
    8.3.4 Pitfalls to avoid (p. 21)
  8.4 Authorization workflow (p. 22)
    8.4.1 When to use (p. 22)
    8.4.2 Scope (p. 22)
    8.4.3 How to use (p. 22)
    8.4.4 Pitfalls to avoid (p. 23)
  8.5 Consolidated reporting (p. 24)
    8.5.1 When to use (p. 24)
    8.5.2 Scope (p. 24)
    8.5.3 How to use (p. 24)
    8.5.4 Pitfalls to avoid (p. 24)
9 Internal Controls (p. 25)
  9.1 Using Roles to Grant Appropriate Entitlements (p. 26)
  9.2 Enforcing Segregation of Duties Policies (p. 27)
  9.3 Periodically Reviewing and Correcting Entitlements (p. 29)
10 Integrations with Systems and Applications (p. 31)
11 Summary (p. 33)
APPENDICES (p. 34)
A Hitachi ID Identity Manager Overview (p. 35)

1 Introduction

This document describes and justifies user provisioning best practices in medium to large organizations. It is intended to offer reasoned guidance to IT decision makers when they set security policies and design processes to manage user identities and entitlements across multiple systems and applications.

Look for the marks throughout this document to find best practices.

2 Terminology and Concepts

2.1 What is Identity Management?

Identity management and access governance refers to a set of technologies and processes used to coherently manage information about users in an organization, despite the fact that identity data may be scattered across organizational, geographical and application boundaries.

Identity management and access governance addresses a basic business problem: information about the identity of employees, contractors, customers, partners and vendors, along with how those users authenticate and what they can access, is distributed among too many systems and is consequently difficult to manage.

2.2 What is Enterprise Identity Management?

Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.

Typical enterprise identity and access management scenarios include:

  • Password synchronization and self-service password reset.
  • User provisioning, including identity synchronization, auto-provisioning and automatic access deactivation, self-service security requests, approvals workflow and consolidated reporting.
  • Enterprise single sign-on: automatically filling login prompts on client applications.
  • Web single sign-on: consolidating authentication and authorization processes across multiple web applications.

Enterprise IAM presents different challenges than identity and access management in Extranet (B2C or B2B) scenarios:

Characteristic | Enterprise IAM (typical) | Extranet IAM (typical)
Number of users | under 1 million | over 1 million
Number of systems and directories | 2 to 10,000 | 1 to 2
Users defined before IAM system is deployed | Thousands | Frequently only new users
Login ID reconciliation | Existing accounts may have different IDs on different systems. | Single, consistent ID per user.
Data quality | Orphan and dormant accounts are common. Data inconsistencies between systems. | Single or few objects per user. Consistent data. Dormant accounts often a problem.
User diversity | Many users have unique requirements. | Users fit into just a few categories.

In short, Enterprise IAM has fewer but more complex users. Extranet IAM has more users and higher transaction rates, but less complexity.

2.3 What is Entitlement Management?

The Burton Group defines an entitlement as:

  An entitlement is the object in a system's security model that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in that system. It was commonly accepted that this definition of entitlement referred to the highest-order grantable object in a system's security model, such as an Active Directory group membership or SAP role, and not lower-order objects such as a single-file permission setting.

  Definition by Ian Glazer, in Access Certification and Entitlement Management v1, September 9, 2009. http://www.gartner.com/technology/research.jsp (login required)

Entitlement management refers to a set of technologies and processes used to coherently manage security rights across an organization. The objectives are to reduce the cost of administration, to improve service and to ensure that users get exactly the security rights they need.

These objectives are attained by creating a set of robust, consistent processes to grant and revoke entitlements across multiple systems and applications:

1. Create and regularly update a consolidated database of entitlements.
2. Define roles, so that entitlements can be assigned to users in sets that are easier for business users to understand.
3. Enable self-service requests and approvals, so that decisions about entitlements can be made by business users with contextual knowledge, rather than by IT staff.
4. Synchronize entitlements between systems, where appropriate.
5. Periodically invite business stakeholders to review entitlements and roles assigned to users and identify no-longer-appropriate ones for further examination and removal.
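
The consolidation, role comparison and periodic review steps above, worked through on constructed data as an added example that is not part of the Hitachi ID paper: account exports from two systems are merged into one record per person, compared against role definitions, and the orphan, dormant and out-of-role findings a reviewer should examine are listed. The system names, login IDs, role and entitlement names are all assumed.

```python
# Added example (not Hitachi ID code): the consolidated entitlement database of
# step 1, compared with role definitions (step 2) to yield the orphan, dormant
# and out-of-role findings a periodic review (step 5) examines. Data is constructed.
from datetime import date

TODAY = date(2014, 11, 29)  # review date for the constructed data

# HR feed: person id -> (status, role)
HR = {"E100": ("active", "finance_analyst"), "E101": ("terminated", "finance_analyst")}

# Role catalogue: role -> (system, entitlement) pairs its members should hold
ROLES = {"finance_analyst": {("ad", "Finance-Users"), ("sap", "FI_DISPLAY")}}

# Account exports; owner is None when the system holds no link to an HR identity
ACCOUNTS = [
    {"system": "ad", "login": "jsmith", "owner": "E100",
     "last_login": date(2014, 11, 20), "entitlements": {"Finance-Users", "Domain Admins"}},
    {"system": "sap", "login": "SMITHJ", "owner": "E100",
     "last_login": date(2014, 11, 1), "entitlements": {"FI_DISPLAY"}},
    {"system": "ad", "login": "bjones", "owner": "E101",
     "last_login": date(2014, 6, 1), "entitlements": {"Finance-Users"}},
    {"system": "sap", "login": "TEMP01", "owner": None,
     "last_login": date(2014, 10, 5), "entitlements": {"FI_POST"}},
]

def consolidate(accounts):
    """Step 1: one record per owner listing every (system, entitlement) held."""
    db = {}
    for acct in accounts:
        for ent in acct["entitlements"]:
            db.setdefault(acct["owner"], set()).add((acct["system"], ent))
    return db

def review(accounts, hr, roles, today, dormant_days=90):
    """Steps 2 and 5: orphan, dormant and out-of-role findings for reviewers."""
    findings = []
    for acct in accounts:
        owner, tag = acct["owner"], f"{acct['system']}:{acct['login']}"
        if owner not in hr:
            findings.append(("orphan", tag))      # nobody in HR to vouch for it
        elif hr[owner][0] != "active":
            findings.append(("deactivate", tag))  # owner left, account remains
        if (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant", tag))     # unused: candidate for removal
    for person, held in consolidate(accounts).items():
        if person in hr:  # orphans have no role to compare against
            extra = held - roles.get(hr[person][1], set())
            findings += [("out_of_role", f"{person} {s}:{e}") for s, e in sorted(extra)]
    return sorted(findings)

print(*review(ACCOUNTS, HR, ROLES, TODAY), sep="\n")
```
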
3 User Lifecycle: Business Challenges

As organizations deploy an ever wider array of IT infrastructure, managing that infrastructure, and in particular managing users, their identity profiles and their security privileges on those systems, becomes increasingly challenging.

Figure 1 illustrates some of the challenges faced by organizations that must manage many users across many systems.

Figure 1: User Lifecycle Management Challenges (figure labels: Slow: too much paper, too many people. Expensive: too many administrators doing redundant work. Role changes: add/remove rights. Policies: enforced? Audit: are privileges appropriate? Org. relationships: track and maintain. Reliable: notification of terminations. Fast: response by sysadmins. Complete: deactivation of all IDs. Passwords: too many, too weak, often forgotten. Access: why can't I access that application / folder / etc.)

In the figure, there are business challenges at each phase of the user lifecycle:

1. Onboarding new users:
   (a) Delays and productivity: New users need to get productive quickly. Any delays in setting up access rights for new users cost money, in terms of lost productivity.
   (b) Requests and approvals: IT workers need to be certain that newly created accounts are appropriate. This usually means a paper process for requesting, reviewing and approving security changes, such as the creation of new accounts. This approval process may be hard to use, may require excessive effort on the parts of both requesters and authorizers and may introduce delays.
   (c) Redundant administration: Users typically require access rights that span multiple systems. A new user may need a network login, an e-mail mailbox, firewall access and login rights to multiple applications. These accounts are typically created by different administrators, using different tools. This duplication is expensive and time consuming.
2. Managing change: Users often change roles and responsibilities within an organization. They may also change identity attributes (e.g., changes to a user's surname, contact information, department, manager, etc.). Such changes trigger IT work, to adjust user identity profiles and security rights. Organizations face the same challenges in managing existing users that they face when creating new ones:
   (a) Delays: Reassigned users waste time waiting for IT to catch up with their requirements.
   (b) Change requests: Can be awkward to submit and may take time to approve.
   (c) Redundant administration: Similar changes are often required on different systems.
3. IT support: In the context of routine use of systems, users often encounter problems that require technical support:
   (a) Forgotten passwords.
   (b) Intruder lockouts.
   (c) Access denied errors.
   Collectively, these problems typically represent a large part of an IT help desk's call volume. This means both direct cost (support staff) and indirect cost (lost user productivity).
4. Termination: All users leave even...
