
Cloud Identity & Access Governance

Darran Rolls CTO SailPoint Technologies

Managing Identity & Entitlement in a Hybrid Datacenter Environment

Agenda
Understanding Identity & Access Governance (IAG)
  What is it? How do you achieve it?
Cloud IAG Today
  Where are we now? What are the issues?
IAG Modeling for Cloud
  How do you collect, model & understand the data?
Hybrid IAG Deployment
  How do you integrate IAG for Cloud and Enterprise?
Recommendations
  What can you do right now?
Q&A

Understanding IAG
Three Important Questions

1. Who currently has access to what resources?
   Actual State: Observation, Reconciliation, Analysis
2. Who should have access to what resources?
   Desired State: Policy, Governance, Modeling
3. How do I manage the on-going process of reconciling the two?
   Managed State: Provisioning, Change Control, Audit

Understanding IAG
Business Driven Identity Change Management & Audit

[Diagram: a continuous cycle through three states, with Governance Models at the center and Policy linking them]
Actual State (Consistent): Observation, Reconciliation, Analysis
Desired State (Repeatable): Policy, Governance, Modeling
Managed State (Sustainable): Provisioning, Controls, Change Control, Audit
Change drivers feeding the cycle: Business Process Change; Audit & Controls Change; People/HR Change (Joiners, Movers, Leavers); Infrastructure Change

Understanding IAG
Identity Lifecycle Management

Emphasis placed on business-centric Governance Models at the center of the IdM lifecycle

[Diagram: lifecycle wheel around the Governance Models and Risk Model; labels: Joiners, Movers, Leavers; Compliance & Audit Proof; Help Desk; Audit; Analytics & Reporting; Business User Self Service; UAR Certification; participants: IT Sec, Biz User]

Cloud IAG Today
Where are we now? What are the issues?

Cloud IAG for SaaS is very immature!

Deployments are often business-driven initiatives
  Owners, admins and users are outside of IT
  Apps often not deemed as being compliance relevant
  Under the radar in every sense

Native application administration capabilities often weak
  Manual administration with minimal delegation
  No connection to core Joiner/Mover/Leaver processes
  Limited audit and controls oversight

Cloud comprises complex application security models
  Sophisticated, extensible applications
  Complex authorization models and processes
  Groups, roles & profiles, direct permissions

Cloud IAG Today
Example: SalesForce Model

Authentication
  Login: Federated, Delegated, Local password

Key Attributes
  Role Hierarchy
  Standard/Custom Profiles
  Public/Private Groups
  Sharing Rules: Data Objects, Criteria, Permissions

Entitlements & Data
  Field-level Security: Fields, Criteria, Permissions

Cloud IAG Today
Example: SalesForce Additional Configuration

[Diagram: the SalesForce model (Login, RoleA-RoleD, Group, Profile) annotated with the additional configuration that also governs access]
Network Config; Password Policies; Session Config; SSO/IdP Setup; Key Mgmt; Login Restriction
Static Assignment; Ownership Rules; Subordinates; Static Membership
Field-level Security; Record-type Settings; Admin Permissions; Object Permissions; Apex Class Access
Log Data and an Audit Trail attached to each of these areas

Cloud IAG Today
Example: SalesForce Direct Permissions

[Diagram: the same model (Login, RoleA-RoleD, Group, Profile) with Object Permissions, Apex Class Access and Field-level Security assigned directly to users, outside the role, group and profile structure]

Cloud IAG Today
Where are we now? What are the issues?

Nimbostratus Cloud Scenario
The Bad Weather Example

Nimbostratus Cloud IAG Scenario
The Bad Weather Use Case

1. Regional office purchases accounts from salesforce.com
2. Local admin from the line-of-business uses the native Manage Users interface
3. Admin creates new, complex, direct permission assignments at will
4. Admin manually adds new users with no tracking against desired state policies
5. The wrong entitlements get assigned to the wrong person - no one notices
6. New user gets to see private/confidential data
7. That user leaves the company - no Leaver action is taken, user retains his account
8. No ongoing re-certification of access, no reporting and no policy is checked
9. Ex-employee continues to access and share key records and sales data

Cloud IAG Today
Where are we now? What are the issues?

No Software must not mean No Controls

Understand the data & Connect the processes

IAG Modeling - Understanding the Data
Collecting the Data

[Diagram: source data feeding an Entitlements Warehouse of integrated, normalized data]
Business inputs: Business Policies, Business Roles, Business Risk
Account & Entitlement Data: System Accounts, Entitlements, Users, Groups, Roles, Profiles, Configuration, Audit Trail
Authoritative Identity Data: HR Systems, Directories, Contractor DBs
Warehouse outputs: Account Classification, Privilege Accounts, Orphan Accounts

IAG Modeling - Understanding the Data
Building Unified Governance Models to Capture Understanding

[Diagram: five linked models built over the entitlements warehouse]
Entitlement Modeling: Entitlement Glossary, Re-factoring / Modeling, Dynamic Roles & Groups
Control Model: JML Process Triggers, Access Reviews, Change Controls
Risk Model
Audit Model: Approval Flows, Ownership & Reviews, Tracked Actions & Reporting
Policy Model: Defined SoD Rules, Change Triggers, Checks & Balances
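As an added illustration of the actual-versus-desired-state reconciliation these slides describe (example code written for this page, not from the presentation or any SailPoint product), the following Python reconciles constructed SaaS account data against constructed HR identity data and simple governance models: it flags orphan accounts, leavers whose accounts are still enabled, direct permissions outside the role model, SoD violations and privileged accounts. Every identity, account, entitlement name and rule below is made up for the example.

```python
from typing import List, Set, Tuple

# Constructed sample: authoritative identity data from HR (desired-state side).
HR_IDENTITIES = {
    "u100": {"name": "Ana", "status": "active", "role": "SalesRep"},
    "u101": {"name": "Ben", "status": "terminated", "role": "SalesRep"},
}
# Constructed sample: accounts observed in the SaaS app (actual-state side).
# Each holds a profile plus any direct permissions an admin assigned by hand.
SAAS_ACCOUNTS = [
    {"account": "ana@example.com", "identity": "u100",
     "profile": "Standard User", "direct_perms": {"ViewAllData"}},
    {"account": "ben@example.com", "identity": "u101",
     "profile": "Standard User", "direct_perms": set()},
    {"account": "svc-old@example.com", "identity": None,
     "profile": "System Administrator", "direct_perms": set()},
]
# Constructed governance models: entitlements a business role may hold,
# entitlement combinations that violate SoD policy, and privileged entitlements.
ROLE_MODEL = {"SalesRep": {"Standard User"}}
SOD_RULES = [({"Standard User", "ViewAllData"}, "sales rep may not view all data")]
PRIVILEGED = {"System Administrator"}

Finding = Tuple[str, str, str]  # (kind, account, detail)


def reconcile(identities, accounts, role_model, sod_rules, privileged) -> List[Finding]:
    """Compare actual state with desired state and return governance findings."""
    findings: List[Finding] = []
    for acct in accounts:
        held: Set[str] = {acct["profile"]} | acct["direct_perms"]
        # Privileged entitlements are reported whoever holds them.
        for p in sorted(held & privileged):
            findings.append(("privileged", acct["account"], p))
        ident = identities.get(acct["identity"])
        if ident is None:  # account with no identity record behind it
            findings.append(("orphan", acct["account"], "no matching identity record"))
            continue
        if ident["status"] != "active":  # leaver never processed
            findings.append(("leaver", acct["account"], "identity terminated but account still enabled"))
            continue
        # Anything beyond the role model is an out-of-model (direct) assignment.
        for e in sorted(held - role_model.get(ident["role"], set())):
            findings.append(("out_of_model", acct["account"], e))
        # An SoD rule fires when the account holds every entitlement in the pair.
        for pair, desc in sod_rules:
            if pair <= held:
                findings.append(("sod", acct["account"], desc))
    return findings
```

Each finding maps to a lifecycle action on the later slides: a leaver or orphan finding drives account disablement, an out-of-model finding drives an access review or role refactoring, and an SoD finding is routed to the owning business user for remediation.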

IAG Modeling - Understanding the Data
Building Unified Governance Models to Capture Understanding

[Diagram: the SalesForce model (Login, RoleA-RoleD, Group, Profile, plus direct Object Permissions, Apex Class Access and Field-level Security) with the governance actions applied to it]
Catalog entitlements; Map direct permissions; Assign owners; Apply risk scoring; Define SoD rules; Approval flows; Self-service; Access reviews; Audit & Reporting

IAG Modeling - Connecting the Processes
Integrated Lifecycle Management

[Diagram: lifecycle processes connected around the governance models]
Self-Service: Access Request, Password Mgmt, Account Control
Remediation: Violation, Model Change
Audit & Controls Change
People/HR Change, sourced from HR Systems, Directories, Contractor DBs

Hybrid IAG Models
How do you integrate IAG for Cloud & Enterprise?

Altocumulus Cloud Scenario
The Good Weather Example

Altocumulus Cloud IAG Scenario
Alternate Good Weather Use Case

1. Regional office adds account management for SalesForce CRM to the corporate IAG system
2. Accounts and entitlement assignments are matched to identity records
3. Roles, groups & profiles are catalogued and set up ready for self-service access request
4. Business policies are defined and scanned against current state; detected violations are forwarded to the owning business user
5. Joiner and Mover triggers are integrated with HR processes; business process steps are defined with embedded controls
6. LOB uses the common self-service access request to add/change SF entitlements; dynamic approvals execute, risk score is elevated, audit logs are retained
7. Managers run periodic integrated user access reviews for all employees & contractors
8. Leaver events are processed from HR and pushed out to all connected cloud systems
9. SalesForce CRM account is disabled and audit records retained for compliance reporting

Hybrid IAG Models
How do you integrate IAG for Cloud & Enterprise?
Integrating cloud applications with enterprise IAG controls

Deploy SaaS connectors as part of an IAG program
  Use remote APIs for user management (Simple Cloud Identity Management, SCIM *)
  Map accounts to identities
  Catalog entitlements
  Model, View, Control from the IAG system

Implement an IAG gateway/proxy/agent for IaaS
  Software agent in the cloud runtime
  Secure connectivity back to the management node
  Discover user repositories
  Map accounts to identities
  Catalog entitlements
  Model, View, Control through the IAG proxy

* http://www.simplecloud.info

Hybrid IAG Models
IAG for Cloud & Enterprise

[Diagram slide: IAG for Cloud & Enterprise]

Recommendations
Some SalesForce Specifics

Run the Security Health Check application
Use Audit Trail for configuration changes
Keep custom profiles to a minimum
Use great care with custom Apex/Visualforce
Model the data and integrate the controls processes with enterprise IAG

General Cloud IAG Best Practices

Connect SaaS, PaaS and IaaS applications with core IdM systems
Model all cloud authorization models within your entitlement warehouse
Deploy integrated Joiner-Mover-Leaver processing
Plan integrated user access reviews for cloud and enterprise apps
Define and enforce policies regardless of where the application executes
Promote audit, reporting and analytics for all applications

Q&A
Darran.rolls@sailpoint.com
www.sailpoint.com/cloud
