Identity and Access Management (IAM)

5 Identity and Access Management (IAM) Rudolf Wildgruber 5.1 Challenges Today’s business environment is a challenging one for identity and access manage- ment in the enterprise. Business relationships are growing more complex, blurring the line between internal and external business processes. They are also more dynamic, requiring greater flexibility and responsiveness in the enterprise’s business practices, policies and processes. Companies are under pressure to open up their IT infrastruc- ture to an ever-increasing number of users, both inside and outside the company and to ensure the highest productivity and privacy for these users, all while controlling IT administrative costs and leveraging existing investments wherever possible. Now more than ever, granting the right people the right access to the right resources at the right time is an essential element of enterprise security as companies strive to protect their corporate data and systems and remain innovative, productive, responsive, compliant and cost-effective business entities. In the conventional IT infrastructure used in most big companies today, there is a one- to-one correspondence between a function or resource available to users and the IT application/system that provides that function. Consequently, user management, access management, password management and auditing are carried out on a per-IT system basis. IT staff must administer users and their access rights on each IT system in the network, usually by manual administration. Users get one account and one pass- word for each IT system they need to use. Each IT system has its own audit or moni- toring function to track changes to users and their access rights on that system. This structure has negative consequences for identity and access management: Decentralized user management and provisioning means that identity and access data is duplicated across IT systems and usually becomes inconsistent over time, making it difficult to find correct and up-to-date information and to de-provision users. One password per IT application means that users must remember a lot of different passwords, one for each system they need to use. Password proliferation leads to more help desk and hotline calls, lost productivity as users wait for password resets and increased IT administration costs. Manual administration is expensive and leads to delays in provisioning and de- provisioning users, which decreases productivity, jeopardizes security and leads to data inconsistencies. 70 5 Identity and Access Management (IAM) Decentralized auditing and monitoring makes it difficult to track changes to users and their access rights. There is no way to tell what a single user’s total access rights are across the enterprise, making it difficult to audit for regulatory purposes. Overcoming the present limitations requires an enterprise-wide, cross-platform, cen- tralized and automated user management, provisioning and access management sys- tem, which controls access to IT resources based on business roles, policies and pro- cesses. The system must provide ways to align itself with business processes and off- load routine administrative functions and decisions from IT staff to users and their managers so that decisions about what users really need are made by the people who know best. Identity and access management (IAM) technology has evolved to a well- defined market category and has reached the depth and breadth to offer an effective way to satisfy these requirements. 5.2 Use Cases Identity and access management (IAM) is an integrated solution that makes user and access management transparent across the different systems that make up the enter- prise’s IT infrastructure. The Burton Group defines IAM as “the services, technolo- gies, products and standards that enable the use of digital identities”. Identity manage- ment addresses the need to administer users and security policies across the IT infra- structure, while access management addresses the real-time enforcement of the secu- rity policies in force for each user of the enterprise IT infrastructure. A directory server is most commonly used as the data repository for identity and access manage- ment solutions. Here are some real-life scenarios that illustrate how IAM works. 5.2.1 Making a New Employee Productive Quickly Figure 5.1 illustrates how the IAM system works when a new employee is hired: The personnel department enters the master data for the new employee into the human resources (HR) system and the master data is automatically synchronized with the IAM system’s identity store. The IAM system automatically assigns the appropriate privileges to the employee based on the rule-based security policies (called provisioning rules) established and saved in the identity store. An identity administrator optionally assigns individual privileges to the employee. According to the employee’s privileges, the IAM system automatically determines the IT systems that the employee needs to have access to and the access rights for these systems. The IAM provisioning system automatically generates accounts in the IT systems and sets the access rights. For example, the IAM system generates an account for Intranet and Extranet access, a mailbox as well as accounts for other enterprise IT systems. 71 I Concepts and Trends Figure 5.1 Making a new employee productive quickly The IAM provisioning system also sets the employee’s access rights in the central web access management system for the portals s/he will use. The new employee has now access to the relevant IT systems with the access rights defined in the privileges assigned to him/her. 5.2.2 Changing an Employee’s Job Function In this use case, an employee is switching from the Sales department to the Marketing department effective February 1st. S/he is currently authorized to perform sales activi- ties in the sales portal, but will need to use the marketing portal as of February 1st. The IAM system handles the required access rights changes as follows (see Figure 5.2). The personnel department enters the change in department into the HR system and the change is synchronized with the IAM system via a “department” user attribute. Figure 5.2 Changing an employee’s job function 72 5 Identity and Access Management (IAM) The IAM system records the departmental change in the entry for the employee in the identity store (in the “department” user attribute) and automatically deter- mines the employee’s access rights based on the new value. The IAM system revokes the access rights associated with the privilege “Sales”. The IAM provisions the access rights associated with the “Marketing” privilege. The Marketing portal is made available to the employee and the Sales portal is no longer accessible to the employee. 5.2.3 Changing a User Password Figure 5.3 illustrates what happens in the IAM system when a password that can be used for several applications is changed: A user changes his/her password on first logging in to a Windows system. The IAM system discovers the password change and saves it in the entry for the employee in the identity store. The IAM system synchronizes the changed password on the employee portal. The changed password is available to authenticate against the employee portal. Figure 5.3 Changing a user password 5.2.4 Authorizing an Order In this use case, a sales employee needs access to an analyst report and this access must be authorized. The IAM system handles this case using a request workflow (see Figure 5.4). The sales employee orders the report. The IAM system runs a request workflow that handles the authorization process and automatically forwards the request to Sales management. Once Sales management has authorized the request, the IAM system provisions the changes in access rights in the Sales portal. 73 I Concepts and Trends Figure 5.4 Authorizing an order The IAM system informs the Sales employee via e-mail that access to the analyst report has been granted. The employee then obtains the analyst report from the Sales portal. 5.2.5 Web Single Sign-On In this use case, sales employee Mr. Maier wants to generate his monthly order income report, enter a new customer contact and report recent travel expenses. The IAM systems support these tasks with web single sign-on (see Figure 5.5). The sales employee Mr. Maier accesses the employee portal. The employee portal requests Mr. Maier to authenticate with user name and pass- word. The web access management system creates a session for Mr. Maier. Mr. Maier opens the order income application. The web access management sys- tem grants access and supplies the session information to the order income appli- cation in the background. Mr. Maier fills in the report parameters and generates the report. Figure 5.5 One-step authentication for accessing multiple applications 74 5 Identity and Access Management (IAM) Mr. Maier now opens the CRM application. The web access management system grants access and supplies the session information to the application in the back- ground. Mr. Maier creates a new customer record. Mr. Maier now opens the travel management application. The web access manage- ment system grants access and supplies the session information to the application in the background. Mr. Maier enters travel details and costs. Mr.