Identity and Access Management for the Real World By Todd Peterson, IAM evangelist, Dell Software 2nd edition Dell Software Group 5 Polaris Way Aliso Viejo, CA 92656 [email protected] Identity and Access Management for the Real World 2nd edition By Todd Peterson, IAM evangelist, Dell Software Identity and Access Management for the Real World Copyright © 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”). Dell, Dell Software, the Dell Software logo and products—as identified in this document—are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document. About Dell Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.Dell.com. If you have any questions regarding your potential use of this material, contact: Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.Dell.com Refer to our Web site for regional and international office information. ISBN: 978-0-615-94167-7 5 Identity and Access Management for the Real World | 2014 Dell. All rights reserved. Identity and Access Management for the Real World | 2014 Dell. All rights reserved. 6 Table of contents Introduction iii Conventions iv Chapter 1: Identity and access management for your world … not someone else’s 1.1 Chapter 2: Access Management – After all, if you can’t get to your stuff, what’s the point? 2.1 Chapter 3: Identity Governance – Governance leads to agility 3.1 Chapter 4: Privileged Account Management for the Real World 4.1 Chapter 5: Look what they’ve done to us now … the explosion of mobility and IAM’s role 5.1 i Identity and Access Management for the Real World | 2014 Dell. All rights reserved. Identity and Access Management for the Real World | 2014 Dell. All rights reserved. ii Introduction Conventions In an ideal world, we'd have the budget and time we need to Throughout this book, we've used a number of get things done. And tomorrow would be predictable. But that's conventions to help highlight important points, simply not the case, especially in the IT universe. provide supporting evidence, or advise you of our obvious bias. Look for the following conventions: As you well know, the world of identity and access management (IAM) is one of constant change, shrinking Real-world example – Stories of real organizations, facing deadlines, minuscule budgets, overtaxed staff and unmerciful real challenges, and really solving their problems (often the names have been changed to protect the innocent) regulations. Unfortunately, the historical approach to IAM involves piecing together “half solutions,” in hope that tomorrow’s solutions will address real-world needs. Facts & figures – Research-based information that supports principles discussed throughout the book This short book evaluates what IAM for the real world would, should and can look like. It delves into the most pressing IAM issues faced by virtually every organization and offers Techie alert – Definitions and terms used in the identity and actionable, affordable and sustainable approaches to the IAM access management industry that may not be familiar to you challenges you face. At Dell, we help you achieve your IAM (Then again they might.) objectives for your real world (not ours), in a way that moves you and your business towards your goals. Useful tip – Information that will help you easily achieve things discussed throughout the book We hope you find value in “Identity and Access Management for the Real World.” Blatant sales pitch – Where we get to why we actually wrote this book. It may be a little biased, but we suspect that the reason you’re reading this book is to find solutions to your challenges. This is where we give them to you. iii Identity and Access Management for the Real World | 2014 Dell. All rights reserved. Identity and Access Management for the Real World | 2014 Dell. All rights reserved. iv Chapter 1 Identity and access management for your world … not someone else’s The words of David Byrne in this mid-80’s anthem perfectly capture the sentiment of many organizations trying to keep up with the ever-changing IT security landscape. The more we try to keep up with the latest threat, or apply security to the latest technology, the more it seems like an elusive destination. While the Talking Heads try to strike an optimistic tone in an increasing complex world, the future is definitely not certain. There’s the proliferation of new operating systems. Then there’s the explosion of an increasingly mobile workforce and new devices outside of the comfortable control “Well, we know where we're goin' of the organization. We have our old friends— stifling regulations such as SOX, HIPAA, PCI, and many more likely to come. And, of course, there’s the next mega trend that But we don't know where we've been everyone seems to be talking about, such as cloud, BYOD, big data, and the Internet And we know what we're knowin' of things. It seems the only constant is change. We long for the days when security was as simple as a password change every 90 But we can't say what we've seen days, following a few complexity rules. User access? That was easy. All you had to do was grant the secure access users needed to do their jobs on a handful of And we're not little children applications and one, maybe two, platforms. And we know what we want But password management, user access and security are far, far more complex in today’s IT reality. The Talking Heads lyrics seem to echo the desire of many IT pros in And the future is certain dealing with these complex issues… “Give us time to work it out.” Give us time to work it out” IAM fundamental concepts There are many major aspects of IT security worth discussing. But we’d like to focus on just one—identity and access management (IAM). IAM is concerned with some fundamental concepts that can be summed up as the four “A”s: Talking Heads, • Authentication – Entails ensuring that the person logging on to a system is who Road to Nowhere, they say they are. This is usually done with usernames and passwords that, when 1985 combined, give you some assurance of the authenticity of the person logging on. • Authorization – Involves the parameters placed around what a user is allowed to do once they are authenticated. Authorization is concerned not with who you are, but why you are logging on and what you are allowed to do. Authorization can be influenced by a range of variables. These can include everything from file and application permission and sharing, to very finely defined access rules based on role, location and even circumstance. • Administration – In order to enable someone to authenticate and to be correctly 1.1 Identity and Access Management for the Real World | 2014 Dell. All rights reserved. Identity and Access Management for the Real World | 2014 Dell. All rights reserved. 1.2 authorized, there are many managerial tasks that must be performed on an applications that add to this complexity in the first place. Most applications also require account, often called “provisioning.” Provisioning can literally be thousands a directory and application-specific ways to satisfy the four “A”s. of tasks designed to achieve a very elusive balance between security and user productivity. Administration also includes role management or defining and Inevitably, each “A” is executed independently on dozens, hundreds or even thousands managing the roles that place the right people (or accounts and identities) in of systems. It’s not uncommon for a single user to have multiple passwords. the right position to be correctly authorized. Finally, administration includes Each password represents another system where authentication, authorization, managing passwords for complexity, frequency of change and ease of reset. administration and audit are performed with no regard for the other systems in the enterprise. Analysts estimate a typical user can have as many as 14 passwords. • Audit – Includes those activities that help “prove” that authentication, authorization and administration are done at a sufficient level of security, Today’s IT security complexity is illustrated very effectively by statistics measured by a set of standards.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages32 Page
-
File Size-