Agenda
Understanding Identity & Access Governance (IAG)
What is it? How do you achieve it? Where are we now? What are the issues? How do you collect, model & understand the data? How do you integrate IAG for Cloud and Enterprise? What can you do right now?
Recommendations
Q&A
Understanding IAG
Three Important Questions
Understanding IAG
Diagram: Business Driven Identity Change Management & Audit. Labels: Policy, Process Governance, Modeling, Managed Governance Models; change inputs: People/HR Change (Joiners, Movers, Leavers) and Infrastructure Change.
Understanding IAG
Identity Lifecycle Management: emphasis placed on business-centric Governance Models at the center of the IdM lifecycle.
Diagram: Compliance & Audit Proof lifecycle around Joiners, Movers and Leavers. Labels: Help Desk, Audit, Risk Model, IT Sec, UAR Certification, Biz User.
Authentication
Login: Federated, Delegated, Local password
Key Attributes
Role Hierarchy
Standard/Custom Profiles
Public/Private Groups
Sharing Rules: Data Objects, Criteria, Permissions
Field-level Security: Fields, Criteria, Permissions
Diagram: Salesforce authorization model as a graph. Nodes: Login, Roles (RoleB, RoleC, RoleD, Subordinates), Group, Profile, Direct assignments, Field-level Security. Configuration labels: Network Config, Password Policies, Session Config, SSO/IdP Setup, Key Mgmt, Login Restriction, Static Assignment, Ownership Rules, Static Membership, Record-type Settings, Admin Permissions, Object Permissions. Audit labels: Log Data, Audit Trail.
1. Regional office purchases accounts from salesforce.com
2. Local admin from the line-of-business uses native Manage Users interface
3. Admin creates new, complex, direct permission assignments at will
4. Admin manually adds new users with no tracking against desired state policies
5. The wrong entitlements get assigned to the wrong person - no one notices
6. New user gets to see private/confidential data
7. That user leaves the company - no Leaver action is taken, user retains his account
8. No ongoing re-certification of access, no reporting and no policy is checked
9. Ex-employee continues to access and share key records and sales data
Diagram: Entitlements Warehouse. Account & Entitlement Data (Users, Account Classification, Privilege Accounts, Orphan Accounts, Configuration Audit Trail) and Authoritative Identity Data (HR Systems, Directories, Contractor DBs) feed the warehouse, which is modeled against Business Roles and Business Risk.
Control Model
Risk Model
Entitlement Modeling
Audit Model: Approval Flows, Ownership & Reviews, Tracked Actions & Reporting
Policy Model: Defined SoD Rules, Change Triggers, Checks & Balances
Diagram: the Salesforce authorization graph again (Login, Roles RoleB/RoleC/RoleD, Group, Profile, Direct assignments, Field-level Security) with its entitlements catalogued.
Self-Service
People/HR Change
1. Regional office adds account management for SalesForce CRM to corporate IAG system
2. Accounts and entitlement assignments are matched to identity records
3. Roles, groups & profiles are catalogued and set up ready for self-service access request
4. Business policies are defined and scanned against current state; detected violations forwarded to owning business user
5. Joiner and Mover triggers are integrated with HR processes - defined business process steps with embedded controls
7. Managers run periodic integrated user access reviews for all employees & contractors
8. Leaver events are processed from HR and pushed out to all connected cloud systems
9. SalesForce CRM account is disabled and audit records retained for compliance reporting
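As an added example that is not from the deck or from SailPoint's product, the correlation and policy scan behind steps 2, 4 and 8 above can be approximated with a small Python check over a constructed Salesforce-style account export and HR feed; every login, employee id, profile and permission-set name here is made up, and the SoD rule and catalog are assumptions:

```python
# Constructed sample data (not a real export): HR identity feed, employee id -> status.
HR_IDENTITIES = {
    "E100": "active",
    "E101": "active",
    "E102": "terminated",  # leaver already processed by HR
}

# Constructed Salesforce-style account export: profile plus direct permission-set assignments.
CLOUD_ACCOUNTS = [
    {"login": "alice@example.com", "hr_id": "E100", "enabled": True,
     "profile": "Standard User", "direct_perms": ["Approve_Discounts"]},
    {"login": "bob@example.com", "hr_id": "E101", "enabled": True,
     "profile": "Sales Manager", "direct_perms": ["Create_Quotes", "Approve_Discounts"]},
    {"login": "carol@example.com", "hr_id": "E102", "enabled": True,
     "profile": "Standard User", "direct_perms": []},
    {"login": "temp7@example.com", "hr_id": None, "enabled": True,
     "profile": "System Administrator", "direct_perms": ["Export_Reports"]},
]

# Assumed entitlement catalog (step 3) and a single assumed SoD rule (step 4).
CATALOG = {"Standard User", "Sales Manager", "Create_Quotes", "Approve_Discounts"}
SOD_RULES = [({"Create_Quotes", "Approve_Discounts"},
              "quote creator may not also approve discounts")]


def scan(accounts, identities, catalog, sod_rules):
    """Return (login, finding_type, detail) tuples for every policy violation found."""
    findings = []
    for acct in accounts:
        held = {acct["profile"], *acct["direct_perms"]}
        if acct["hr_id"] is None:
            # Step 2: account that cannot be matched to any identity record (orphan).
            findings.append((acct["login"], "orphan", "no matching identity record"))
        elif identities.get(acct["hr_id"]) == "terminated" and acct["enabled"]:
            # Step 8: HR says leaver, but the cloud account was never disabled.
            findings.append((acct["login"], "leaver", "account still enabled after HR termination"))
        # Step 3/4: direct assignments that were never catalogued for request/review.
        for ent in sorted(held - catalog):
            findings.append((acct["login"], "uncatalogued", f"assignment {ent} not in catalog"))
        # Step 4: toxic combinations defined as SoD rules.
        for combo, reason in sod_rules:
            if combo <= held:
                findings.append((acct["login"], "sod", reason))
    return findings


if __name__ == "__main__":
    for login, kind, detail in scan(CLOUD_ACCOUNTS, HR_IDENTITIES, CATALOG, SOD_RULES):
        print(f"{kind:12} {login:22} {detail}")
```

In practice the findings would be routed to the owning business user or manager for the review described in steps 4 and 7 rather than printed.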
Diagram: two IAG integration topologies, one connecting through a Proxy.
Recommendations
Some SalesForce Specifics
Run the Security Health Check application
Use Audit Trail for configuration changes
Keep custom profiles to a minimum
Use great care with custom Apex/Visualforce
Model the data and integrate the controls processes with enterprise IAG

Connect SaaS, PaaS and IaaS applications with core IdM systems
Model all cloud authorization models within your entitlement warehouse
Deploy integrated Joiner-Mover-Leaver processing
Plan integrated user access reviews for cloud and enterprise apps
Define and enforce policies regardless of where the application executes
Promote audit, reporting and analytics for all applications
Q&A
Darran.rolls@sailpoint.com
www.sailpoint.com/cloud