4 darran rolls

Upload: jerome-filippozzi

Post on 05-Apr-2018


  • 7/31/2019 4 Darran Rolls

    1/22

Cloud Identity & Access Governance: Managing Identity & Entitlement in a Hybrid Datacenter Environment

Darran Rolls, CTO, SailPoint Technologies

Slide 2/22

Agenda

  • Understanding Identity & Access Governance (IAG): What is it? How do you achieve it?
  • Cloud IAG Today: Where are we now? What are the issues?
  • IAG Modeling for Cloud: How do you collect, model & understand the data?
  • Hybrid IAG Deployment: How do you integrate IAG for Cloud and Enterprise?
  • Recommendations: What can you do right now?
  • Q&A

Slide 3/22

Understanding IAG: Three Important Questions

  • Who currently does have access to what resources?
  • Who should have access to what resources?
  • How do I manage the on-going process of reconciling the two?

[Diagram: the three states of the IAG cycle]
  • Actual State: Observation, Reconciliation, Analysis
  • Desired State: Policy, Governance, Modeling
  • Managed State: Provisioning, Change Control, Audit

Slide 4/22

Understanding IAG: Business Driven Identity Change Management & Audit

[Diagram: change drivers feeding the three-state cycle, with Audit & Controls Change closing the loop]
  • Change drivers: Infrastructure Change; Business Process Change; People/HR Change (Joiners, Movers, Leavers)
  • Desired State: Policy, Governance, Modeling
  • Actual State: Observation, Reconciliation, Analysis
  • Managed State: Provisioning, Change Control, Audit
  • Audit & Controls Change
  • Governance Models: Consistent Policy, Repeatable Process, Sustainable Controls

Slide 5/22

Understanding IAG: Identity Lifecycle Management

Emphasis placed on business-centric Governance Models at the center of the IdM lifecycle

[Diagram: the Risk Model at the center of the lifecycle, shared by Audit, IT Sec, Help Desk and Biz User stakeholders]
  • Joiners, Movers, Leavers
  • Business User Self Service
  • UAR Certification
  • Analytics & Reporting
  • Compliance & Audit Proof

Slide 6/22

Cloud IAG Today: Where are we now? What are the issues?

Cloud IAG for SaaS is very immature!
  • Deployments are often business-driven initiatives: owners, admins and users are outside of IT; apps often not deemed as being compliance relevant; under the radar in every sense
  • Native application administration capabilities often weak: manual administration with minimal delegation; no connection to core Joiner/Mover/Leaver processes; limited audit and controls oversight
  • Cloud comprises complex application security models: sophisticated, extensible applications; complex authorization models and processes; groups, roles & profiles, direct permissions

Slide 7/22

Cloud IAG Today: Example: SalesForce Model

[Diagram: layers of the Salesforce security model, from authentication down to entitlements and data]
  • Login: Federated, Delegated, Local password (Authentication)
  • Role Hierarchy: Public/Private
  • Groups: Standard/Custom
  • Profiles: Key Attributes
  • Sharing Rules: Data Objects, Criteria, Permissions
  • Field-level Security: Fields, Criteria, Permissions
  • Entitlements & Data

Slide 8/22

Cloud IAG Today: Example: SalesForce Additional Configuration

[Diagram: Group, Login and Profile, each with its own Audit Trail (plus Login Data), surrounded by the configuration items below]
  • Roles A-D with Static Membership, Static Assignment, Sub-Ordinates and Ownership Rules
  • Password Policies, Session Config, Network Config, SSO/IdP Setup, Key Mgmt, Login Restriction
  • Field-level Security, Record-type Settings, Admin Permissions, Object Permissions, Apex Class Access

Slide 9/22

Cloud IAG Today: Example: SalesForce Direct Permissions

[Diagram: the same Group, Login and Profile model with Roles A-D, but with Field-level Security, Object Permissions and Apex Class Access assigned directly to the user]

Slide 10/22

Cloud IAG Today: Where are we now? What are the issues?

Nimbostratus Cloud Scenario: The Bad Weather Example

Slide 11/22

Nimbostratus Cloud IAG Scenario: The Bad Weather Use Case

  1. Regional office purchases accounts from salesforce.com
  2. Local admin from the line-of-business uses native Manage Users interface
  3. Admin creates new, complex, direct permission assignments at will
  4. Admin manually adds new users with no tracking against desired state policies
  5. The wrong entitlements get assigned to the wrong person - no one notices
  6. New user gets to see private/confidential data
  7. That user leaves the company - no Leaver action is taken, user retains his account
  8. No ongoing re-certification of access, no reporting and no policy is checked
  9. Ex-employee continues to access and share key records and sales data

Slide 12/22

Cloud IAG Today: Where are we now? What are the issues?

No Software must not mean No Controls

Understand the data & Connect the processes

Slide 13/22

IAG Modeling: Understanding the Data, Collecting the Data

[Diagram: data sources feeding the Entitlements Warehouse]
  • Account & Entitlement Data: Users, Groups, Roles, Profiles
  • Authoritative Identity Data: HR Systems, Directories, Contractor DBs
  • Account Classification: System Accounts, Privilege Accounts, Orphan Accounts
  • Entitlements Warehouse: Integrated, Normalized Data
  • Business Roles, Business Risk, Business Policies
  • Configuration Audit Trail

Slide 14/22

IAG Modeling - Understanding the Data: Building Unified Governance Models to Capture Understanding

[Diagram: governance models built around the Risk Model]
  • Entitlement Modeling: Dynamic Roles & Groups, Entitlement Glossary, Re-factoring / Modeling
  • Policy Model: Defined SoD Rules, Change Triggers, Checks & Balances
  • Audit Model: Approval Flows, Ownership & Reviews, Tracked Actions & Reporting
  • Control Model: JML Process Triggers, Access Reviews, Change Controls
  • Risk Model

Slide 15/22

IAG Modeling - Understanding the Data: Building Unified Governance Models to Capture Understanding

[Diagram: the Salesforce direct-permissions model from slide 9 (Roles A-D, Group, Login, Profile, Field-level Security, Object Permissions, Apex Class Access assigned directly), brought under governance]
  • Map direct permissions; Catalog entitlements; Assign owners
  • Define SoD rules; Approval flows; Access reviews
  • Apply risk scoring; Self-service; Audit & Reporting

Slide 16/22

IAG Modeling - Connecting the Processes: Integrated Lifecycle Management

[Diagram: three change feeds into the integrated lifecycle]
  • People/HR Change: HR Systems, Directories, Contractor DBs
  • Audit & Controls Change: Remediation, Violation, Model Change
  • Self-Service: Access Request, Password Mgmt, Account Control

Slide 17/22

Hybrid IAG Models: How do you integrate IAG for Cloud & Enterprise?

Altocumulus Cloud Scenario: The Good Weather Example

Slide 18/22

Altocumulus Cloud IAG Scenario: Alternate Good Weather Use Case

  1. Regional office adds account management for SalesForce CRM to corporate IAG system
  2. Accounts and entitlement assignments are matched to identity records
  3. Roles, groups & profiles are catalogued and set up ready for self-service access request
  4. Business policies are defined and scanned against current state; detected violations forwarded to owning business user
  5. Joiner and Mover triggers are integrated with HR processes - defined business process steps with embedded controls
  6. LOB uses common self-service access request to add/change SF entitlements; dynamic approvals execute, risk score is elevated, audit logs are retained
  7. Managers run periodic integrated user access reviews for all employees & contractors
  8. Leaver events are processed from HR and pushed out to all connected cloud systems
  9. SalesForce CRM account is disabled and audit records retained for compliance reporting
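The reconciliation that slides 3, 13 and 14 describe and that separates the bad-weather from the good-weather scenario (matching accounts to identities, classifying orphan and leaver accounts, checking SoD rules and direct privileged grants), as an added Python illustration that is not part of the deck. All identities, accounts, profiles and rules are constructed sample data.

```python
# Added illustration, not part of the deck: reconcile the observed (actual) state of a
# SaaS app against authoritative HR data and business policy. All data below is constructed.

# Authoritative identity data (HR system / contractor DB); terminated = leaver.
HR = {"e100": "active", "e200": "terminated", "c300": "active"}

# Observed Salesforce-style accounts: a profile (catalogued entitlement bundle)
# plus direct permission assignments made ad hoc by a local admin.
ACCOUNTS = [
    {"user": "ana@example.com", "identity": "e100", "active": True,
     "profile": "Sales Rep", "direct": []},
    {"user": "ben@example.com", "identity": "e200", "active": True,
     "profile": "Sales Rep", "direct": ["Modify All Data"]},
    {"user": "cy@example.com", "identity": "c300", "active": True,
     "profile": "Sales Rep", "direct": ["Approve Discounts"]},
    {"user": "svc-etl@example.com", "identity": None, "active": True,
     "profile": "System Administrator", "direct": []},
]

# Entitlement glossary: what each catalogued profile grants.
PROFILE_PERMS = {
    "Sales Rep": {"Create Opportunity", "Request Discount"},
    "System Administrator": {"Modify All Data"},
}
# Business policy: SoD pairs that must not meet in one person, and
# permissions that may only come from the admin profile, never directly.
SOD_RULES = [("Request Discount", "Approve Discounts")]
ADMIN_ONLY = {"Modify All Data"}

def effective_permissions(acct):
    """Profile grants plus direct assignments: what the account can really do."""
    return PROFILE_PERMS.get(acct["profile"], set()) | set(acct["direct"])

def reconcile(hr, accounts):
    """Compare actual state with desired state; return (user, finding) pairs."""
    findings = []
    for a in accounts:
        perms = effective_permissions(a)
        status = hr.get(a["identity"])  # None: no owner in authoritative data
        if status is None:
            findings.append((a["user"], "orphan account: no matching identity"))
        elif status != "active" and a["active"]:
            findings.append((a["user"], "leaver still enabled: disable account"))
        for left, right in SOD_RULES:  # toxic combinations across all grants
            if left in perms and right in perms:
                findings.append((a["user"], f"SoD violation: {left} + {right}"))
        for p in sorted(set(a["direct"]) & ADMIN_ONLY):
            findings.append((a["user"], f"privileged permission granted directly: {p}"))
    return findings
```

Each finding maps to an owning business user in the good-weather flow (step 4) or to a disable action pushed to the connected system (steps 8 and 9).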

Slide 19/22

Hybrid IAG Models: How do you integrate IAG for Cloud & Enterprise? Integrating cloud applications with enterprise IAG controls

Deploy SaaS connectors as part of an IAG program
  • Use remote APIs for user management (Simple Cloud Identity Management, SCIM) *
  • Map accounts to identities
  • Catalog entitlements
  • Model, View, Control

Implement an IAG gateway/proxy/agent for IaaS
  • Software agent in the cloud runtime
  • Secure connectivity back to management node
  • Discover user repositories
  • Map accounts to identities
  • Catalog entitlements
  • Model, View, Control

* (http://www.simplecloud.info)

[Diagram: IAG system and IAG Proxy]
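The leaver push over the remote user-management API named above (slide 18, steps 8 and 9: the connector disables the SaaS account and keeps the audit record), as an added Python illustration that is not part of the deck. It assumes SCIM 2.0 (RFC 7644) message shapes, the current revision of the protocol the slide cites, and simulates the SaaS side in-process against a constructed user store.

```python
# Added illustration, not part of the deck: the leaver push to a SaaS app over SCIM.
# Assumes SCIM 2.0 (RFC 7644) message shapes; the SaaS side is simulated in-process
# against a constructed user store so the exchange runs offline.
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def scim_deactivate_request(user_id):
    """IAG connector side: PATCH active=false. Disable rather than delete, so record
    ownership and audit history survive for compliance reporting."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}
    return {"method": "PATCH", "path": f"/Users/{user_id}", "body": json.dumps(body)}

def scim_apply_patch(store, request):
    """Simulated SaaS side: validate the PatchOp and apply it; return (status, body).
    This stand-in only honours 'replace' on 'active', which is all the leaver push needs."""
    user_id = request["path"].rsplit("/", 1)[-1]
    body = json.loads(request["body"])
    if PATCH_SCHEMA not in body.get("schemas", []):
        return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidSyntax"}
    user = store.get(user_id)
    if user is None:
        return 404, {"schemas": [ERROR_SCHEMA], "status": "404", "detail": "User not found"}
    for op in body.get("Operations", []):
        if op.get("op") != "replace" or op.get("path") != "active":
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidPath"}
        user["active"] = bool(op["value"])
    return 200, user

# Constructed service-provider store keyed by SCIM resource id.
STORE = {"2819c223": {"schemas": [USER_SCHEMA], "id": "2819c223",
                      "userName": "ben@example.com", "active": True}}

def process_leaver(store, user_id):
    """Run the exchange end to end; True only if the SaaS confirms the account is off."""
    status, resp = scim_apply_patch(store, scim_deactivate_request(user_id))
    return status == 200 and resp.get("active") is False
```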

Slide 20/22

Hybrid IAG Models: IAG for Cloud & Enterprise

Slide 21/22

Recommendations: Some SalesForce Specifics
  • Run the Security Health Check application
  • Use Audit Trail for configuration changes
  • Keep custom profiles to a minimum
  • Use great care with custom Apex/Visualforce
  • Model the data and integrate the controls processes with enterprise IAG

General Cloud IAG Best Practices
  • Connect SaaS, PaaS and IaaS applications with core IdM systems
  • Model all cloud authorization models within your entitlement warehouse
  • Deploy integrated Joiner-Mover-Leaver processing
  • Plan integrated user access reviews for cloud and enterprise apps
  • Define and enforce policies regardless of where the application executes
  • Promote audit, reporting and analytics for all applications

Slide 22/22

    Q&A

    www.sailpoint.com/cloud

    [email protected]