
Identity and Access Management
Dustin Puryear
Sr. Consultant, Puryear IT, LLC
dustin@puryear-it.com
http://www.puryear-it.com/

Objectives
Find a common background for
discussing IAM
Discuss problems and opportunities in
the field
Introduce terminology
Highlight a possible future direction

Session Agenda

Today's Problems
Making It All Better
Now What?
Viva La Resistance!
Puryear IT

This Presentation
This presentation was written with
audit/compliance in mind.
Contact dustin@puryear-it.com to
have Dustin Puryear present this
topic to your organization or
company.

Today's Problems

Who am I? Who are you?


Networks use multiple identity
systems
The Internet is no better
Users get confused with all of these
IDs
Management and audit have difficulty
keeping track of all these IDs
The bad guys are quite happy

So many IDs!
Person

Active Directory Account

Online HR Info Account

PeopleSoft User Account

Multiple Contexts
Remote Employees

Employees

Customers

Suppliers

Partners

Trends
Regulation and Compliance
SOX, HIPAA, GLB

Increasing Threats
Identity theft
Exposure of confidential info

Maintenance Costs
The average employee needs access to 16
applications
Companies spend an estimated $20-30
per user/year for password resets

The Real Impact

End-users
Too many IDs
Too many passwords
Must wait for access to applications

Administrators
Too many IDs
Too many end-user requests
Difficult or unreliable ways to sync all the accounts

Audit/Compliance
Orphaned accounts
Limited or no audit capability
Where are the audit trails?

Making It All Better

Identity and Access Management

[Diagram: IAM and its components: Password Management, Role Management, User Provisioning, Authorization, Directories, Audits & Reporting]

The Benefits of IAM


Save money
Improve operational efficiency
Reduce time to deliver applications
and services
Enhance security
Enhance regulatory compliance
Give more power to audit

Let's Define IAM Terms


Authentication (AuthN)
Verify that a person is who they claim to be
This is where multi-factor authentication comes
into play
Identification and authentication are related but
not the same

Authorization (AuthZ)
Deciding what resources can be accessed/used
by a user

Accounting
Charges you for what you do

IAM is a Foundation
Identity Management

Administration

Account Provisioning & Deprovisioning
Synchronisation
User Management
Password Management
Workflow
Delegation

Audit and Reporting


Access Management

AuthN
AuthZ

Now What?

Implement IAM!
Start Slow!
Define your Single Source of Truth
(SSOT)
Unfortunately, there may be more than
one, if that makes sense...

Implement the big wins


User provisioning to Active Directory
Password resets

But How?
SSOT
Work with your team, IT, and
management to determine the true
source of user information
User Provisioning to AD
It's already happening!
Solutions

Microsoft ILM
CA eTrust Admin
Sun IM

The Results!
User provisioning can be automated
Password resets can be delegated to
the helpdesk
And the big one:
You can now audit both the user
provisioning and password resets

The Next Step


Extend User Provisioning

To PeopleSoft
Lawson
Oracle
Custom/in-house applications

Begin consolidating user directories


Can you point some or all of your
applications at AD or LDAP?

Authorization
This is the hard one!
Applications define their AuthZ rules
differently
Try to consolidate to an AD/LDAP
authz landscape
Tackle this one application at a time!

The Power is Yours


You can now audit/review:

Who has what accounts?


Why do they have those accounts?
Who approved those accounts?
Are there any orphaned accounts?
Who has access to what?
For how long have they had that access?
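
The audit questions above, worked as an added example (not part of the original presentation): account exports from each system are reconciled against the SSOT to list who has what accounts and for how long, which accounts lack a recorded approver, and which are orphaned. All records, field names and the `audit_accounts` function are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the presentation).
# SSOT: HR records keyed by employee ID.
HR_SSOT = {
    "E100": {"name": "Ana Ruiz", "status": "active"},
    "E101": {"name": "Ben Cole", "status": "terminated"},
}

# Account exports from each system; field names are assumptions.
ACCOUNTS = [
    {"system": "AD", "login": "aruiz", "owner": "E100",
     "approved_by": "E200", "created": date(2007, 1, 15)},
    {"system": "PeopleSoft", "login": "ARUIZ", "owner": "E100",
     "approved_by": None, "created": date(2007, 3, 1)},
    {"system": "AD", "login": "bcole", "owner": "E101",
     "approved_by": "E200", "created": date(2006, 6, 1)},
    {"system": "AD", "login": "svc_old", "owner": None,
     "approved_by": None, "created": date(2004, 2, 9)},
]


def audit_accounts(ssot, accounts, today):
    """Reconcile account exports against the SSOT and answer the audit questions."""
    report = {"by_person": defaultdict(list), "orphaned": [], "unapproved": []}
    for acct in accounts:
        key = (acct["system"], acct["login"])
        person = ssot.get(acct["owner"])
        # Orphaned: no owner in the SSOT, or the owner is no longer active.
        if person is None or person["status"] != "active":
            report["orphaned"].append(key)
        else:
            age_days = (today - acct["created"]).days
            report["by_person"][acct["owner"]].append(key + (age_days,))
        # No recorded approver means "who approved it?" cannot be answered.
        if acct["approved_by"] is None:
            report["unapproved"].append(key)
    return report


if __name__ == "__main__":
    result = audit_accounts(HR_SSOT, ACCOUNTS, today=date(2008, 1, 1))
    for section in ("orphaned", "unapproved"):
        print(section, result[section])
    for owner, accts in result["by_person"].items():
        print(owner, accts)
```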

And there is more...

You can control access to your web-enabled
applications using a Web
Access Manager (WAM)
Don't forget about SSO!
What about federated identities and
your partners and suppliers?

Viva La Resistance!

IT Resistance
Sometimes IT resists a formalized IAM
process because:
We are too busy
We can't afford it
We don't want to give up control!

We are Too Busy


This is a common response
IT is too busy...
Because they are resetting passwords all
day
Working too hard to create accounts
Learning too late that orphaned accounts
are being misused/attacked

We Can't Afford It
There are small and big solutions to
this problem
If you are an AD-only shop with
minimal applications, then you can
start small
Larger enterprises have no choice,
they can't afford not to!

We Don't Want to Give Up Control!
This is usually the root of the
disagreement.
They are responsible for IT
They don't want problems in IAM to
reflect poorly on them
They are used to the control, even if
it's not necessary

A Compromise
Take control without giving up
control!
A middle-ground:
IAM solutions can be used to explore
user directories/databases
Reports can be generated
IT can still do the provisioning itself

Summary

Summary
It's becoming impossible to manage
all of these accounts and rights by
hand
You can automate controls
You can automate audit reports
You can control THE PROCESS!

Who We Are?
Puryear IT is THE IAM specialist in
Louisiana
We help small and large companies,
ranging from 100 users to well over
20,000+ users
We are vendor-agnostic, and have worked
with everyone, including:
Microsoft
CA
Sun

We Can Help IT to...


Help you tackle your IAM needs
Integrate Linux, UNIX, and J2EE into
Active Directory
Build out AAA solutions
Deploy Microsoft ILM, Sun IM, Novell
IM, and CA IM
Deploy small and large solutions

We Can Help Audit/Compliance to...


Build an automated user account and
access rights tracking solution
Log changes to user accounts and
access rights
Ensure passwords are changed as
policies and regulations require
Help you communicate your needs to
IT
Automate your manual tasks

Doing IAM Right


Puryear uses a methodical approach
to:

Identify organization pain points


Identify organization audit requirements
Work with IT and audit to prioritize needs
Develop an initial pilot deployment
Roll out the final solution
Help you manage and extend the
solution

Dustin Puryear
Sr. Consultant, Puryear IT, LLC
dustin@puryear-it.com
http://www.puryear-it.com/
