Identity and Access Management Buyer’s Guide (excerpt)
2012-12-10 15:53
I just read a book published by SailPoint called "Identity and Access Management Buyer’s Guide"; one of its chapters describes how to find the starting point for an IAM project ("Find Your Starting Point").
I thought the summary was fairly distinctive, so I am sharing it here.
Find Your Starting Point
For some organizations, the driving force behind an identity management project can be any of a number of challenges, such as compliance, security, operational efficiency and business enablement. For example, there might be an urgent demand to close audit gaps after a failed audit or a non-compliance penalty. For others, there may be a requirement to eliminate the inordinate costs and inefficiencies found in current provisioning and access management processes. Maybe the help desk is overwhelmed with trouble
tickets and, as a result, service levels are not where they should be. Or perhaps the end user community is demanding more autonomy and wants IT to make their lives easier.
Once you’ve agreed upon your top priorities and goals, you will have a better understanding of what you must achieve first. By focusing on a few “quick win” opportunities, you can help accelerate and build momentum for future phases of your projects.
An incremental approach to project implementation helps you focus, ensuring you tackle high priority applications and user populations that are most affected by your stated objectives. By demonstrating small, quick wins up front, you will build confidence in
the solution, help ensure ongoing adoption, and make it easier to secure funding for additional projects.
Starting Point: Compliance
If audit deficiencies and the high cost of compliance are top of mind issues in your organization, then you may want to focus on compliance automation as a first step. Here’s how to get started:
Step 1 : Gain centralized visibility
The starting point for any compliance project should be to understand the current state of user access within the organization by centralizing your identity data across your high-risk datacenter and cloud applications. This stage involves creating a single repository for user and access information by extracting data from your authoritative source (or sources) and target resources.
Adding user account data to the identity warehouse can be performed by leveraging several different options for connecting to resources: flat file data load, read-only direct connectors, or integration with an existing provisioning solution. Once you have selected
the right method to aggregate your data and the data is centralized, you can move on to step two — the correlation process — which will help you resolve the inconsistencies between the various sources of identity data.
Step 2 : Identify and close all orphan/rogue accounts
Finding and eliminating orphan accounts is one of the most effective risk mitigation steps you can take in your compliance project. As part of building an identity warehouse, you can quickly correlate each application account against your authoritative identity source to identify accounts that do not correlate to users in authoritative sources (e.g., orphan accounts and system/service accounts). Once you’ve identified these high-risk accounts, you can launch remediation actions for all un-owned accounts — remove,
mark as service, or, where possible, correlate to known identities.
Step 3 : Automate access certifications
Another quick win on the compliance front is to automate the access review process for your critical applications and systems. Once you’ve aggregated and correlated your identity data, you can quickly generate a “data cleanup” certification on the centralized identity data by launching a manager or application owner certification for your high-risk applications. Certification reports will clearly highlight detected roles, policy violations, user risk scores and any changes from the previous certification (new users,
new roles, or new entitlements). This information enables your reviewers to quickly focus on areas of potential risk and make better decisions.
Your data/application owners and people managers should review the access privileges for all users. These initial certifications should be used to establish a reliable baseline of data. It’s not unusual for organizations performing a baseline certification
to find up to 40% of user access privileges are inaccurate or inappropriate and should be revoked.
After revocations are performed, this cleansed data will be utilized by other identity management functions, including ongoing access certifications, policy enforcement, role management, user provisioning, access management, and risk analytics.
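The aggregation, correlation and orphan-triage logic of steps 1 and 2 above, as an added example written for this excerpt (it is not SailPoint's code and not part of the guide). It assumes a single HR feed as the authoritative source, two flat-file account extracts from target systems, and a naming convention for known service accounts; every record and the naming pattern are constructed for illustration. Its output is the cleaned, correlated data that the step 3 certification would be launched against.

```python
"""Correlate target-system accounts against an authoritative source and
triage the ones that do not correlate (orphan / service / leaver-owned)."""
import re
from collections import defaultdict

# --- Constructed sample data (not from any real system) --------------------
# Authoritative identity source (e.g. an HR feed). "status" decides whether a
# correlated account is legitimate or belongs to a leaver and must go.
HR_FEED = [
    {"employee_id": "E1001", "email": "Alice.Ng@example.com", "status": "active"},
    {"employee_id": "E1002", "email": "bob.lee@example.com", "status": "active"},
    {"employee_id": "E1003", "email": "carol.roy@example.com", "status": "terminated"},
]

# Account extracts from two target resources, as a flat-file data load would
# supply them. Attribute coverage differs per system, which is exactly why
# correlation needs a fallback attribute.
ACCOUNT_EXTRACTS = {
    "ActiveDirectory": [
        {"account": "ang", "employee_id": "E1001", "email": "alice.ng@example.com"},
        {"account": "blee", "employee_id": "", "email": "bob.lee@example.com"},
        {"account": "croy", "employee_id": "E1003", "email": "carol.roy@example.com"},
        {"account": "svc-backup", "employee_id": "", "email": ""},
        {"account": "jdoe", "employee_id": "", "email": "jdoe@example.com"},
    ],
    "SAP": [
        {"account": "ALICEN", "employee_id": "E1001", "email": ""},
        {"account": "BATCH_FI", "employee_id": "", "email": ""},
        {"account": "TMPADMIN", "employee_id": "E9999", "email": ""},
    ],
}

# Assumed naming convention for non-human accounts; tune to the conventions
# actually in use in each target system.
SERVICE_ACCOUNT_RE = re.compile(r"^(svc[-_]|batch[-_]|sa[-_])", re.IGNORECASE)


def build_identity_index(hr_feed):
    """Index the authoritative source by every attribute we may correlate on."""
    by_employee_id = {p["employee_id"]: p for p in hr_feed}
    by_email = {p["email"].lower(): p for p in hr_feed}
    return by_employee_id, by_email


def correlate(account, by_employee_id, by_email):
    """Return (identity, attribute matched on) or (None, None).

    An exact employee_id match is preferred; a case-insensitive e-mail match
    is the fallback. Anything else stays uncorrelated rather than guessed.
    """
    emp = account.get("employee_id", "")
    if emp and emp in by_employee_id:
        return by_employee_id[emp], "employee_id"
    email = account.get("email", "").lower()
    if email and email in by_email:
        return by_email[email], "email"
    return None, None


def triage_accounts(hr_feed, extracts):
    """Classify every account and attach the remediation the guide lists:
    remove, mark as service, or correlate (assign an owner)."""
    by_employee_id, by_email = build_identity_index(hr_feed)
    findings = []
    for system, accounts in extracts.items():
        for acct in accounts:
            identity, matched_on = correlate(acct, by_employee_id, by_email)
            if identity is None:
                if SERVICE_ACCOUNT_RE.match(acct["account"]):
                    status, action = "service", "mark_as_service_and_assign_owner"
                else:
                    status, action = "orphan", "remove_or_assign_owner"
            elif identity["status"] != "active":
                # Correlated, but to a leaver: the highest-risk class in practice.
                status, action = "terminated_owner", "remove"
            else:
                status, action = "correlated", "none"
            findings.append({
                "system": system, "account": acct["account"], "status": status,
                "matched_on": matched_on,
                "identity": identity["employee_id"] if identity else None,
                "action": action,
            })
    return findings


def summarize(findings):
    """Count accounts per status, the headline numbers of a baseline report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage_accounts(HR_FEED, ACCOUNT_EXTRACTS)
    for f in results:
        if f["action"] != "none":
            print(f"{f['system']:16} {f['account']:12} {f['status']:17} -> {f['action']}")
    print(summarize(results))
```

Two design points worth carrying into a real deployment: a stale employee_id that matches nothing (TMPADMIN above) is treated as an orphan, not silently matched on a weaker attribute, and an account that correlates to a terminated identity is reported as its own class, because "remove" is the only sensible action there while a plain orphan may still need an owner assigned.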
Starting Point: Provisioning
If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or making changes to existing access privileges for employees, contractors, and partners, then it may make sense to focus on user provisioning as your starting point:
Step 1 : Self-service access request
One of the best ways to get started with provisioning is to focus on the business users first. Empowering business users to find and request access without assistance from the help desk or IT admins can save headaches and money at the same time. A centralized access request management process allows managers and end users to conveniently request new access or
make changes to existing access privileges within the constraints of your pre-defined identity governance models (including policy and roles).
As part of deploying a self-service access request process, you can select from manual or automated access fulfillment processes to implement the resulting changes in connected resources. Often the fastest way to get started is to leverage manual work
items and help desk tickets, but this step can be combined with the step below for maximum results.
Step 2 : Automate access fulfillment
Another quick win for a provisioning deployment is to automate the fulfillment of access requests down to the target resources. You can maximize the cost savings generated by selecting a few high-churn applications where user accounts are created, updated or deleted on a regular basis. Once you’ve selected the applications, you can determine the best option to complete the full integration cycle — deploying a new provisioning connector, or leveraging an existing provisioning solution that is already in place.
Step 3 : Password management
Password management provides a quick path to the success of your IAM project by allowing users to reset their own forgotten passwords and bypassing the help desk. Using the same business-friendly user interface with configurable challenge/response questions, users and/or their approved delegates can change or reset passwords across target systems. Allowing end users to proactively manage password changes can significantly reduce help desk calls. Most importantly, centralized password management will enable you
to consistently enforce strong password policies, customized for each application.
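The gate between step 1 (a self-service request) and step 2 (automated fulfillment) is the check against "your pre-defined identity governance models (including policy and roles)". The following is an added example of that check, written for this excerpt; it is not SailPoint's code or the guide's own. The role model, the separation-of-duties (SoD) policy and the users' current entitlements are all constructed, and the three outcomes (auto-fulfill, escalate to an exception approver, reject) are an assumed workflow. The point it makes that the text does not: an SoD policy has to be evaluated against the entitlements the user would hold after the grant, not against the requested role alone.

```python
"""Evaluate a self-service access request against a role model and SoD
policy before handing it to automated fulfillment."""

# Constructed role model: role name -> entitlements it grants (assumed schema).
ROLES = {
    "AP_Clerk": {"sap:FI_INVOICE_ENTRY"},
    "AP_Approver": {"sap:FI_PAYMENT_RELEASE"},
    "Reader": {"sharepoint:FINANCE_READ"},
}

# Constructed SoD policy: each entry names a set of entitlements that one
# person must never hold at the same time.
SOD_POLICIES = [
    ("Enter and release payments", {"sap:FI_INVOICE_ENTRY", "sap:FI_PAYMENT_RELEASE"}),
]

# Constructed current entitlements per identity (what the warehouse holds).
CURRENT_ACCESS = {
    "E1001": {"sap:FI_INVOICE_ENTRY", "sharepoint:FINANCE_READ"},
    "E1002": {"sharepoint:FINANCE_READ"},
}


def evaluate_request(user_id, requested_role, current_access=CURRENT_ACCESS,
                     roles=ROLES, policies=SOD_POLICIES):
    """Return the decision for a request and the entitlements it would grant.

    decision is one of:
      auto_fulfill - no policy conflict, safe to push to the connector
      escalate     - the resulting access violates an SoD policy; an
                     exception approval is required (assumed workflow)
      reject       - unknown role, or nothing new would be granted
    """
    if requested_role not in roles:
        return {"decision": "reject", "reason": f"unknown role {requested_role}"}
    requested = roles[requested_role]
    held = current_access.get(user_id, set())
    new = requested - held
    if not new:
        return {"decision": "reject", "reason": "user already holds these entitlements"}
    # Evaluate policy on the access the user WOULD hold, not just the request.
    resulting = held | requested
    violations = [name for name, toxic_set in policies if toxic_set <= resulting]
    if violations:
        return {"decision": "escalate", "reason": "SoD violation",
                "violations": violations, "grants": sorted(new)}
    return {"decision": "auto_fulfill", "grants": sorted(new)}


if __name__ == "__main__":
    for user, role in [("E1001", "AP_Approver"), ("E1002", "AP_Approver"),
                       ("E1002", "Reader"), ("E1003", "Nonexistent")]:
        print(user, role, "->", evaluate_request(user, role))
```

E1001 already enters invoices, so a request for the approver role is not rejected outright but escalated with the violated policy named, which is what a reviewer needs to decide on an exception; E1002 holds nothing conflicting and the same request can go straight to fulfillment.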
Starting Point: Cloud, Web, and Mobile Access Management
If an ever-growing number of cloud, Web, and mobile applications is putting your organization at risk — based on the proliferation of passwords across personal and business applications or lack of governance over cloud applications — you may want to focus on cloud and web access management up front.
Step 1 : Single sign-on for cloud, Web, and mobile apps
As the number of cloud, Web, and mobile applications increases, many users struggle to remember their usernames and passwords across personal, business, and mixed-use applications. The right access management solution will enable your end users to sign on to any application with one click – with no passwords to remember — and will work across all the devices that today’s workers use to access applications, from PCs or laptops to tablets and smartphones. The resulting solution can sharply lower help desk support calls
and increase user satisfaction.
Step 2 : User App Store for convenience and control
Today’s empowered workers expect convenient, on-demand access to the applications they need to do their jobs. A corporate App Store can help your organization guide users toward the applications that make sense for them based on their job functions, and it can restrict access to certain applications based on corporate policies or other risk factors. Instead of letting “bring your own application” (BYOA) scenarios put your organization at risk, you can take immediate steps to gain visibility and proactively manage
the applications your users are accessing to do their jobs.
Step 3 : Centralized control over enterprise IT and business unit-sponsored apps
To address security and compliance risks, organizations need to extend appropriate identity controls to cloud, Web, and mobile apps — even those being deployed by business units without IT management or supervision. For high-risk applications, this means applying controls like access certifications and SoD policies to ensure proper governance is in place. For low-risk personal applications, there may be no formal controls but simply visibility on usage reports. And importantly, organizations need to actively monitor application
usage to eliminate wasted spending on unneeded cloud or web application accounts.
Key Components of Today’s IAM Solutions
![](http://img.my.csdn.net/uploads/201212/10/1355127460_3402.png)