Identity and Access Management Buyer’s Guide (excerpt)

I just read a book published by SailPoint called "Identity and Access Management Buyer’s Guide". One of its chapters describes how to find the starting point for an IAM project (Find Your Starting Point).

I found the summary fairly distinctive, so I am sharing it here.

Find Your Starting Point 

For some organizations, the driving force behind an identity management project is based upon any number of challenges such as compliance, security, operational efficiency and business enablement. For example, there might be an urgent demand to close audit gaps after a failed audit or a non-compliance penalty. For others, there may be a requirement to eliminate the inordinate costs and inefficiencies found in current provisioning and access management processes. Maybe the help desk is overwhelmed with trouble tickets and, as a result, service levels are not where they should be. Or, perhaps the end user community is demanding more autonomy and wanting IT to make their lives easier. 


Once you’ve agreed upon your top priorities and goals, you will have a better understanding of what you must achieve first. By focusing on a few “quick win” opportunities, you can help accelerate and build momentum for future phases of your projects. 


An incremental approach to project implementation helps you focus, ensuring you tackle high priority applications and user populations that are most affected by your stated objectives. By demonstrating small, quick wins up front, you will build confidence in the solution, help ensure ongoing adoption, and make it easier to secure funding for additional projects.


Starting Point: Compliance 

If audit deficiencies and the high cost of compliance are top of mind issues in your organization, then you may want to focus on compliance automation as a first step. Here’s how to get started:

Step 1: Gain centralized visibility
The starting point for any compliance project should be to understand the current state of user access within the organization by centralizing your identity data across your high-risk datacenter and cloud applications. This stage involves creating a single repository for user and access information by extracting data from your authoritative source (or sources) and target resources. 


Adding user account data to the identity warehouse can be performed by leveraging several different options for connecting to resources: flat file data load, read-only direct connectors, or integration with an existing provisioning solution. Once you have selected the right method to aggregate your data and the data is centralized, you can move on to step two — the correlation process — which will help you resolve the inconsistencies between the various sources of identity data.

 

Step 2: Identify and close all orphan/rogue accounts
Finding and eliminating orphan accounts is one of the most effective risk mitigation steps you can take in your compliance project. As part of building an identity warehouse, you can quickly correlate each application account against your authoritative identity source to identify accounts that do not correlate to users in authoritative sources (e.g., orphan accounts and system/service accounts). Once you’ve identified these high-risk accounts, you can launch remediation actions for all un-owned accounts — remove, mark as service, or, where possible, correlate to known identities.

Step 3: Automate access certifications

Another quick win on the compliance front is to automate the access review process for your critical applications and systems. Once you’ve aggregated and correlated your identity data, you can quickly generate a “data cleanup” certification on the centralized identity data by launching a manager or application owner certification for your high-risk applications. Certification reports will clearly highlight detected roles, policy violations, user risk scores and any changes from the previous certification (new users, new roles, or new entitlements). This information enables your reviewers to quickly focus on areas of potential risk and make better decisions.


Your data/application owners and people managers should review the access privileges for all users. These initial certifications should be used to establish a reliable baseline of data. It’s not unusual for organizations performing a baseline certification to find up to 40% of user access privileges are inaccurate or inappropriate and should be revoked. 


After revocations are performed, this cleansed data will be utilized by other identity management functions, including ongoing access certifications, policy enforcement, role management, user provisioning, access management, and risk analytics. 
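The three compliance steps above (aggregate, correlate and flag orphans, then certify against a baseline) are easy to describe and easy to get subtly wrong, so here is an added worked example of the core logic. It is not SailPoint code and not part of the original guide; the HR feed, the application account extracts, the previous-certification snapshot and the "svc_" service-account naming convention are all constructed assumptions for illustration.

```python
"""Identity warehouse for the compliance starting point: aggregate account
extracts, correlate them to the authoritative HR source, flag orphan / service /
terminated-owner accounts, and diff against a previous certification baseline.
Added example, not SailPoint code. All identities and accounts are constructed."""

# Constructed authoritative source (HR feed).
HR_IDENTITIES = [
    {"employee_id": "E1001", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E1002", "email": "bob@example.com", "status": "active"},
    {"employee_id": "E1003", "email": "carol@example.com", "status": "terminated"},
]

# Constructed account extracts per target application (flat-file load or read-only connector).
# The ERP export carries an employee_id attribute; the CRM export only has the login name.
APP_ACCOUNTS = {
    "erp": [
        {"account": "alice", "employee_id": "E1001", "entitlements": ["AP_CLERK"]},
        {"account": "bob", "employee_id": "E1002", "entitlements": ["AP_CLERK", "AP_APPROVER"]},
        {"account": "carol", "employee_id": "E1003", "entitlements": ["AP_CLERK"]},
        {"account": "svc_batch", "employee_id": None, "entitlements": ["BATCH_RUN"]},
        {"account": "jdoe", "employee_id": None, "entitlements": ["AP_ADMIN"]},
    ],
    "crm": [
        {"account": "alice@example.com", "entitlements": ["SALES_READ"]},
        {"account": "bob@example.com", "entitlements": ["SALES_ADMIN"]},
    ],
}

# Constructed snapshot of the last certification, used as the baseline for the delta.
PREVIOUS_CERTIFICATION = [
    {"app": "erp", "account": "alice", "entitlements": ["AP_CLERK"]},
    {"app": "erp", "account": "bob", "entitlements": ["AP_CLERK"]},
    {"app": "crm", "account": "alice@example.com", "entitlements": ["SALES_READ"]},
]

# Assumed naming convention for service accounts; a real deployment would use
# an explicit attribute or an owner-maintained list instead of a prefix.
SERVICE_PREFIXES = ("svc_",)


def correlate(acct, by_emp, by_email):
    """Correlation rules, tried in order: employee_id attribute, then login == e-mail."""
    emp = acct.get("employee_id")
    if emp and emp in by_emp:
        return by_emp[emp]
    return by_email.get(acct["account"].lower())


def build_warehouse(identities, app_accounts):
    """Step 1: aggregate every account into one list and classify it against the HR source."""
    by_emp = {i["employee_id"]: i for i in identities}
    by_email = {i["email"].lower(): i for i in identities}
    rows = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            owner = correlate(acct, by_emp, by_email)
            if owner is None:
                is_svc = acct["account"].lower().startswith(SERVICE_PREFIXES)
                status = "service" if is_svc else "orphan"
            elif owner["status"] != "active":
                status = "terminated_owner"   # correlated, but to a leaver
            else:
                status = "correlated"
            rows.append({"app": app, "account": acct["account"],
                         "owner": owner["employee_id"] if owner else None,
                         "status": status, "entitlements": sorted(acct["entitlements"])})
    return rows


def remediation_actions(rows):
    """Step 2: one action per un-owned or leaver account; correlated accounts need none."""
    action_for = {"orphan": "disable_and_investigate",
                  "terminated_owner": "revoke",
                  "service": "assign_owner_and_mark_service"}
    return [(r["app"], r["account"], action_for[r["status"]])
            for r in rows if r["status"] in action_for]


def certification_delta(previous, current):
    """Step 3: what changed since the last certification, so reviewers focus on the new."""
    prev = {(r["app"], r["account"]): set(r["entitlements"]) for r in previous}
    cur = {(r["app"], r["account"]): set(r["entitlements"]) for r in current}
    return {
        "new_accounts": sorted(k for k in cur if k not in prev),
        "removed_accounts": sorted(k for k in prev if k not in cur),
        "new_entitlements": sorted((k, sorted(cur[k] - prev[k]))
                                   for k in cur if k in prev and cur[k] - prev[k]),
    }


if __name__ == "__main__":
    warehouse = build_warehouse(HR_IDENTITIES, APP_ACCOUNTS)
    for action in remediation_actions(warehouse):
        print("remediate:", action)
    print("delta:", certification_delta(PREVIOUS_CERTIFICATION, warehouse))
```

Two points the guide glosses over show up in the code: an account that correlates to a terminated identity is just as dangerous as one that correlates to nobody, so it gets its own status rather than being lumped in as "correlated", and the certification delta is computed on the warehouse rows, so it only becomes trustworthy after the step 2 cleanup has been applied.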


Starting Point: Provisioning

If your organization struggles with inefficient and/or non-compliant processes for granting new access privileges or making changes to existing access privileges for employees, contractors, and partners, then it may make sense to focus on user provisioning as your starting point:

Step 1: Self-service access request
One of the best ways to get started with provisioning is to focus on the business users first. Empowering business users to find and request access without assistance from the help desk or IT admins can save headaches and money at the same time. A centralized access request management process allows managers and end users to conveniently request new access or make changes to existing access privileges within the constraints of your pre-defined identity governance models (including policy and roles).


As part of deploying a self-service access request process, you can select from manual or automated access fulfillment processes to implement the resulting changes in connected resources. Oftentimes the fastest way to get started is to leverage manual work items and help desk tickets, but this step can be combined with the step below for maximum results.

Step 2: Automate access fulfillment
Another quick win for a provisioning deployment is to automate the fulfillment of access requests down to the target resources. You can maximize the cost savings generated by selecting a few high-churn applications where user accounts are created, updated or deleted on a regular basis. Once you’ve selected the applications, you can determine the best option to complete the full integration cycle — deploying a new provisioning connector, or leveraging an existing provisioning solution that is already in place.
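Steps 1 and 2 above say a request should be evaluated "within the constraints of your pre-defined identity governance models (including policy and roles)" and then fulfilled either automatically or through a work item; the SoD policies mentioned under cloud application governance later on the page are the typical policy in question. The following added example shows what that evaluation looks like in practice. It is not SailPoint code and not part of the guide; the role model, the per-department requestable roles, the SoD policy, the identities and the rule that only connected applications are fulfilled automatically are constructed assumptions.

```python
"""Self-service access request evaluated against a governance model
(requestable roles per job function plus separation-of-duties policy), then
routed to automated or manual fulfillment. Added example, not SailPoint code;
all roles, policies, identities and applications are constructed."""

# Constructed role model: role -> set of (application, entitlement) it grants.
ROLES = {
    "AP_CLERK":    {("erp", "AP_ENTER_INVOICE")},
    "AP_APPROVER": {("erp", "AP_APPROVE_PAYMENT")},
    "SALES_REP":   {("crm", "SALES_READ")},
}

# Constructed job-function model: which roles a department may request for itself.
REQUESTABLE_BY_DEPT = {
    "accounts_payable": {"AP_CLERK", "AP_APPROVER"},
    "sales": {"SALES_REP"},
}

# Constructed SoD policy: a toxic combination no single identity may hold.
SOD_POLICIES = [
    {"name": "AP enter/approve",
     "left": ("erp", "AP_ENTER_INVOICE"), "right": ("erp", "AP_APPROVE_PAYMENT")},
]

# Assumption: only applications with a provisioning connector are fulfilled
# automatically; everything else becomes a help-desk work item.
CONNECTED_APPS = {"erp"}

# Constructed identities and their current role assignments.
IDENTITIES = {
    "E1001": {"department": "accounts_payable", "roles": {"AP_CLERK"}},
    "E1002": {"department": "accounts_payable", "roles": set()},
    "E1003": {"department": "sales", "roles": set()},
}


def entitlements_for(roles):
    """Flatten a set of roles into the (application, entitlement) pairs they grant."""
    ents = set()
    for role in roles:
        ents |= ROLES[role]
    return ents


def sod_violations(entitlements):
    """Names of every SoD policy whose two sides are both present."""
    return [p["name"] for p in SOD_POLICIES
            if p["left"] in entitlements and p["right"] in entitlements]


def fulfillment_items(role):
    """Step 2: one work item per entitlement, automated where a connector exists."""
    return [{"app": app, "entitlement": ent,
             "channel": "connector" if app in CONNECTED_APPS else "helpdesk_ticket"}
            for app, ent in sorted(ROLES[role])]


def evaluate_request(identity_id, requested_role, identities=IDENTITIES):
    """Step 1: return (decision, detail). Decisions: rejected, needs_exception, approved."""
    ident = identities[identity_id]
    if requested_role not in ROLES:
        return "rejected", "unknown role"
    if requested_role not in REQUESTABLE_BY_DEPT.get(ident["department"], set()):
        return "rejected", "role not requestable for job function"
    # Evaluate policy on the projected state: current roles plus the requested one,
    # not on the requested role alone, or the toxic combination is never seen.
    projected = entitlements_for(ident["roles"] | {requested_role})
    violations = sod_violations(projected)
    if violations:
        return "needs_exception", violations   # route to policy-violation approval
    return "approved", fulfillment_items(requested_role)


if __name__ == "__main__":
    for who, role in (("E1001", "AP_APPROVER"), ("E1002", "SALES_REP"), ("E1003", "SALES_REP")):
        print(who, role, "->", evaluate_request(who, role))
```

The design choice worth copying is that the SoD check runs on the identity's projected access (existing roles plus the request), so a clerk asking for approver rights is caught even though each role is harmless on its own, and the request is parked for an exception approval rather than silently fulfilled.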

Step 3: Password management
Password management provides a quick path to the success of your IAM project by allowing users to reset their own forgotten passwords and bypassing the help desk. Using the same business-friendly user interface with configurable challenge/response questions, users and/or their approved delegates can change or reset passwords across target systems. Allowing end users to proactively manage password changes can significantly reduce help desk calls. Most importantly, centralized password management will enable you to consistently enforce strong password policies, customized for each application.

 

Starting Point: Cloud, Web, and Mobile Access Management

If an ever-growing number of cloud, Web, and mobile applications is putting your organization at risk — based on the proliferation of passwords across personal and business applications or lack of governance over cloud applications — you may want to focus on cloud and web access management up front.

Step 1: Single sign-on for cloud, Web, and mobile apps
As the number of cloud, Web, and mobile applications increases, many users struggle to remember their usernames and passwords across personal, business, and mixed-use applications. The right access management solution will enable your end users to sign on to any application with one click, with no passwords to remember, and will work across all the devices that today’s workers use to access applications, from PCs or laptops to tablets and smartphones. The resulting solution can sharply lower help desk support calls and increase user satisfaction.


Step 2: User App Store for convenience and control
Today’s empowered workers expect convenient, on-demand access to the applications they need to do their jobs. A corporate App Store can help your organization guide users toward the applications that make sense for them based on their job functions, and it can restrict access to certain applications based on corporate policies or other risk factors. Instead of letting “bring your own application” (BYOA) scenarios put your organization at risk, you can take immediate steps to gain visibility and proactively manage the applications your users are accessing to do their jobs.


Step 3: Centralized control over enterprise IT and business unit-sponsored apps
To address security and compliance risks, organizations need to extend appropriate identity controls to cloud, Web, and mobile apps, even those being deployed by business units without IT management or supervision. For high-risk applications, this means applying controls like access certifications and separation-of-duties (SoD) policies to ensure proper governance is in place. For low-risk personal applications, there may be no formal controls but simply visibility on usage reports. And importantly, organizations need to actively monitor application usage to eliminate wasted spending on unneeded cloud or web application accounts.


Key Components of Today’s IAM Solutions


