Presented by Jim McDonald, Engagement Manager, Identropy at ForgeRock Open Identity Stack Summit, June 2013
Our Experience: Plan, Build, Run
Identropy’s professional services practice is designed around Plan, Build and Run. Our Plan offering, called “IAM Kickstart”, has been delivering IAM roadmaps for organizations since 2006.
• Exclusive focus on Identity & Access Management (IAM)
• Our roadmaps are focused on GSD (get stuff done)
• We leverage a tested methodology that creates custom strategies for each organization
• We’ve decided to make our methodology available as part of a “Do it Yourself Kit” at http://www.identropy.com
Kickstart Program – 7 Step Approach
1 P.U.T. Chart
2 Onsite Interviews
3 IAM Capability Assessment
4 Research and Follow-up
5 Architecture and Recommendations
6 Roadmap and Budget Estimates
7 Present Findings
DELIVERABLES
• IAM Capability Benchmark
• High-Level Architecture
• Initiative Roadmap
• Editable Project Plan
• Executive Presentation
PUT Chart & Pre-work
• PUT Chart
• Schedule interviews / develop agenda
• Gather collateral
  • Recent audit findings
  • Governance structures
  • Org or IT strategies
  • Documented IAM policies and procedures
• Hold interviews
  • Sample questions
  • Take notes (look for quotes)
The PUT Chart
Findings: Assess the Current State
• Define program drivers (enablement, risk mitigation, compliance?)
• Group capabilities (see next slide)
• Rate current maturity and desired/goal state
  • CMMI or benchmark – you decide
  • Rubrics (they’re not just for cubes anymore)
• Other useful slides:
  • “What is IAM?”
  • Scope of Assessment
  • Scope of IAM Program
  • SWOT
  • Quotes
Helpful Hint: follow the K.I.S.S. principle
Capability Maturity Assessment Sample
IAM Capability Assessment Rubric
Capability: Scoring Rubric (5 = highest maturity, 1 = lowest)

IAM Governance & Organization
• 5 = Formal IAM governance is serving the needs for visibility of all stakeholders
• 4 = IAM governance is part of a larger IT governance framework and manages with metrics and SLAs
• 3 = IAM governance is part of a larger IT governance framework and includes formal subcommittees
• 2 = IAM governance is formal but is not part of a larger IT governance framework
• 1 = IAM governance is informal

Identity Data Management
• 5 = All accounts and roles centrally provisioned and reconciled
• 4 = All accounts and roles centrally provisioned
• 3 = Internal accounts provisioned; roles local in applications
• 2 = Single registry exists; some provisioning is automated
• 1 = No single registry of users

User Lifecycle Management
• 5 = User lifecycle is managed centrally; request and approval processes are segregated and captured
• 4 = Most lifecycle processes are centralized; approvals are generally captured
• 3 = Most lifecycle processes are centralized; approvals are generally out-of-band
• 2 = Identity is created centrally, but remaining lifecycle processes are decentralized
• 1 = Identity management processes are tribal knowledge

Authentication, Access Control & Federation
• 5 = Federated single sign-on
• 4 = Single sign-on with strong authentication
• 3 = Single sign-on, static password
• 2 = LDAP directory authentication, static password
• 1 = Local username, local static password

Authorization & Role Management
• 5 = Business roles are defined and leveraged for (de)provisioning and transfers
• 4 = Business roles are defined and leveraged for (de)provisioning
• 3 = Central group management processes exist and are widely leveraged
• 2 = Central group management processes exist but are not widely leveraged
• 1 = Authorization processes are decentralized and not coordinated

Audit, Reporting & Event Monitoring
• 5 = Risk-based recertification cycles exist with quality control measures in place
• 4 = A risk assessment framework is used to establish appropriate recertification cycles
• 3 = High-risk access is periodically recertified in an automated system
• 2 = Access recertification tools exist but are lightly used
• 1 = Access is not routinely audited or recertified
Summarize Recommendations and Align to Findings
• Executive summary
  • Align it to IAM program drivers
• Architecture diagram
  • Show current and future state
  • Make sure to design for the future: SaaS, Cloud, Mobile
• Select or short-list products
  • Use analyst reports from Gartner or KC
  • Talk to peers or consultants
Sample: Executive Recommendation Summary
• Enable the Business: Employ an IAM Center of Excellence and Deploy Enabling Technologies
• Drive greater adoption: Deploy an inclusive IAM Governance framework
• Balance security with usability: Establish Risk Assessment Framework and Levels of Assurance
Sample Recommendations – What to do

Employ an IAM Center of Excellence and Deploy Enabling Technologies
• Pull together enterprise identity data into a central identity repository
• Deploy a tool to provide delegated group management
• Replace custom IAM with packaged software
• Implement coarse-grained policy enforcement with OpenAM
• Bolster application and cloud provisioning tools
• Offer BYOId for loose affiliations and low-risk access
• Require a strong second factor for certain high-risk access

Establish Risk Assessment Framework and Levels of Assurance
• Inventory risk at the application and group level
• Adopt an existing LOA framework, such as the InCommon Assurance Program
• Apply security controls based on risk

Deploy an inclusive IAM Governance framework
• Increase stakeholder involvement through Technical and Business Advisory Groups
• Define structure and process for improved decision making and mission alignment
Sample Reference Architecture Diagram
Develop a Roadmap (timeline)
• Do Now, Do Next, Do Later… & Down the Road
• Develop a resource plan (using internal resources, consultants, or a mix)
• Estimate costs
  • Understand your fiscal calendar
  • Break out Capital vs. Expense
    • This often favors SaaS or Open Source
  • If you need estimates, lean on vendors (consulting and product)
  • This is all relevant even if you must do an RFP
IAM Initiative Roadmap
Develop a Deep-dive in the Appendices
What is a key opportunity or pain point?
• Governance
• Role Management
• Integration Decision Framework
• Project Execution
Tip: dedicate 4-6 slides to a key focus area to drive a particular point home
Perform the Read-out
• Review the detailed deck with the IAM program and its closest stakeholders
• Perform the executive readout (get to the point in 1 hour)
• Now socialize it with the people within your organization whose support is needed
Thanks and Good Luck!