In an IT environment, Identity Management means identifying authorized users and enrolling them in a system. This information is used to facilitate business activities such as physical access control, information systems access control, and workflow automation in accordance with business policies.
What is provisioning in an IT environment?
Provisioning is all about controlling users and their access to resources within the system by associating user rights and restrictions with the established identity.
Why do we need Identity and Provisioning Management solution?
Typically in an IT department the primary responsibilities of an IT administrator are as below:
1. Constantly maintain existing user accounts.
2. Create and manage email accounts for new users.
3. Reset forgotten passwords.
4. Provide users with various levels of access to applications.
5. Whenever a user leaves the company, their account needs to be terminated in all places (e.g. MS Exchange, Active Directory, third-party applications).
If all of these primary responsibilities are carried out manually, the result will be the following:
1. Increased Support Costs.
2. Increased Administration costs.
3. Increased user Creation time.
4. Lower Management Control and cost Transparency.
5. Lower Security and Integration.
All of these factors will cause large business overhead and will lower business agility. To address all of these and many more responsibilities we need to have a very strong Identity and Provisioning Solution.
Major benefits with Identity and Provisioning solution are:
For Customers:
a) Single or one click logon.
b) Simplified resource access.
c) Increased Productivity.
For Administrative Staff:
a) Reduced Administration time.
b) Reduced Helpdesk Workload.
c) Quicker Response Times.
For the Organization:
a) Improved Business Agility.
b) Improved Security.
c) Reduced User Creation Time.
d) Reduced Support Costs.
e) Reduced Administration Costs.
f) Greater Management Control and Cost Transparency.
Discovery Process: What discovery needs to be done before deciding on an Identity and Provisioning Management solution?
Before you go ahead and purchase an Identity and Provisioning Management solution, you need to do a detailed discovery of your environment. Some of the primary questions that you need to answer are:
1. Why are you seeking to implement an Identity and Provisioning Management solution?
2. List "pain points" this solution should resolve.
3. Users:
a) What types of users are to be managed by the system? (e.g. employees, contractors...)
b) How many users are to be managed by the solution?
c) At what rate does the user base change?
d) Do you use any digital certificates or security devices that need to be included in this solution?
4. Do you have a detailed architecture of the current environment?
5. Do you plan on securing web resources?
6. Do you need password synchronization?
How to find the right Identity and Provisioning Solution for your custom environment?
There are hundreds of Identity and Provisioning Solutions available in the market, and you need to decide which fits best in your organization based on your requirements. Make a list of your mandatory requirements, general requirements and optional requirements.
The requirements listed below will help you decide.
Mandatory Requirements:
1. User Management and Application Access.
2. Password Management and Password Policies.
3. Secured Role based Access Control. Self Service Task.
4. Approval Management. Centralised System Management.
5. Easy Integration with third party applications.
6. Reduced Help Desk calls.
7. Federated Provisioning.
8. Reporting.
General Requirements:
1. Notification (Email and Mobile Alerts).
2. Compliance Support.
3. Default task and roles.
4. Graphical user interface modification.
5. Web services integration.
Optional Requirements:
1. Configuration Management.
2. External Monitoring (Monitor Workflows and Triggers).
Using the above requirements as the standard, select an Identity and Provisioning management solution that meets all of the mandatory requirements along with a couple of the General and Optional requirements.
This way, you will have a very strong, robust and flexible Identity and Provisioning management solution.
In today's post, let's identify the features an Identity Management tool should typically have:
1. Centralized and delegated administration.
2. Synchronized Identity information across systems.
3. Automated provisioning and deprovisioning.
4. Role based provisioning.
5. Dynamic Identity synchronization.
6. Incorporated audit trail for compliance.
7. Approvals for provisioning.
If the tool has the above features, then it can easily do the following tasks:
• Add, Modify, Delete, and Import LDAP Users.
• Create static and dynamic groups.
• Create object categories for security.
• Role based access control using security policies.
• Help Desk to reset passwords with user verification.
• Manage connected systems and their groups for password management.
• Password policy and its validation for connected systems.
• High Privileged Account Management for managing service accounts.
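To make role based provisioning, automated deprovisioning and the audit trail concrete, here is a small sketch added for illustration; it is not part of the original post and not any vendor's API. The role names, access levels, users and the `reconcile`/`apply_plan` helpers are assumptions; the system names are the ones mentioned earlier in the post.

```python
from datetime import datetime, timezone

# Constructed sample data; role names and access levels are assumptions.
ROLE_ENTITLEMENTS = {
    "engineer": {("Active Directory", "user"), ("MS Exchange", "mailbox")},
    "helpdesk": {("Active Directory", "password-reset"), ("MS Exchange", "mailbox")},
}
IDENTITIES = {  # authoritative identity store
    "alice": {"roles": ["engineer"], "active": True},
    "bob": {"roles": ["helpdesk"], "active": False},  # has left the company
}
ACCOUNTS = {  # what the connected systems actually hold today
    "alice": {("Active Directory", "user")},
    "bob": {("Active Directory", "password-reset"), ("MS Exchange", "mailbox"),
            ("Third party application", "user")},
    "carol": {("Third party application", "admin")},  # orphan: no identity record
}

def desired_access(identities):
    """Expand each active identity's roles into the access it should hold."""
    return {user: set().union(*(ROLE_ENTITLEMENTS[r] for r in rec["roles"]))
            for user, rec in identities.items() if rec["active"]}

def reconcile(identities, accounts):
    """Return sorted (action, user, system, level) steps that close the gap."""
    want = desired_access(identities)
    plan = []
    for user in set(want) | set(accounts):
        should, has = want.get(user, set()), accounts.get(user, set())
        plan += [("grant", user, s, lvl) for s, lvl in should - has]
        # Leavers and orphans have no desired access, so everything is revoked.
        plan += [("revoke", user, s, lvl) for s, lvl in has - should]
    return sorted(plan)

def apply_plan(plan, accounts, approver, audit_log):
    """Apply approved steps and record each one in the audit trail."""
    for action, user, system, level in plan:
        held = accounts.setdefault(user, set())
        (held.add if action == "grant" else held.discard)((system, level))
        audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                          "approver": approver, "action": action,
                          "user": user, "system": system, "level": level})
    return accounts

if __name__ == "__main__":
    log = []
    apply_plan(reconcile(IDENTITIES, ACCOUNTS), ACCOUNTS, "it-admin", log)
    for entry in log:
        print(entry)
```

Running the reconciliation a second time after the plan is applied returns an empty plan, which is a quick check that no leaver or orphan account still holds access.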
In the next post we will focus in detail on the following features in identity management:
-Role Mining
-Role based provisioning
-Separation of Duties
-Identity Reconciliation
-Delegated administration
-Automated/semi-automated on-boarding process
-Automated/semi-automated off-boarding process & account cleanups.
To be continued...
6 comments:
Mahesh,
Very good write up on Identity Management and Provisioning. It will be very helpful for the technical/sales people to win the situation on client site. It also helps the IM beginners. If you can provide more information on industry leading IM providers with their comparison that will be great help.
Thanks,
Pravin Bhole.
(IT Security Architect)
Good work Mahesh, it will surely help people to know what IDM is all about. You can also include audit logging and reconciliation in "need for IDM". And also use terms like automated provisioning/de-provisioning in benefits, which helps to understand much more.
Nice writeup on IM basics. I am sure you will be appending more details to it. Here are few more IM topics that you may want to include / highlight on:
-Role Mining
-Role based provisioning
-Separation of Duties
-Identity Reconciliation
-Delegated administration
-Automated/semi-automated on-boarding process
-Automated/semi-automated off-boarding process & account cleanups
Mahesh,
I got your message at Orkut. Very good overview on Identity Management. It will be good to add some details about the top few vendors and the advantages/disadvantages of choosing one product over another. Malesh has already provided a good quick list of items that could be on this blog.
Keep the good work going.
Regards,
Prithi.
(Lead IT Security Architect, New York.)
Great Work Mahesh, Good Luck with IAM...
Best Regards
-Prasad Tamhankar