Recertification Health Check – 6 Steps

The regulatory push toward formal recertification of entitlements and privileges finds many enterprises in new compliance territory. PathMaker Group Chief Architect Jerry Castille shares six critical best practices to ensure strong governance.

1) Identify Target Applications: Collecting an inventory of applications that fall within the scope of a certification campaign’s requirements is the first step in a successful certification process. This inventory will detail application information relevant to the execution of your campaign.

2) Gather Accounts & Grants: For each application identified, we work with your team to determine the optimal approach for extracting accounts and group/role memberships from each target. If necessary, we will work with your team to develop a process for normalizing this data into machine-consumable output.

3) Entitlement Definition Workshop: Using our guided workshop format, we will work with your team of application and business process owners to define the set of entitlements within each application that will need to be certified. At the end of these workshops, your team will be enabled to define and maintain an inventory of items within each application that require access certification.

4) Gather Authoritative User Data: At this step of the process, PathMaker works with your organization to identify the individuals that will be included in the certification process. This includes individuals whose access is being certified, individuals approving access, as well as system owners that will be approving accounts that cannot be directly associated with a human user (orphan and service accounts).

5) Import Campaign Data: All of the work up to this point has been to develop a reusable set of processes that facilitate the adoption of a robust enterprise governance product. During this step, we import the data gathered during the previous exercises into the PMG Certification Toolkit for analysis. Upon completion, you execute your certification campaign.

6) Execute Campaign: Using the parameters defined during our workshop, a good toolkit will produce actionable analytics for approvers and system owners within your organization. Participants will then “Certify”, “Revoke”, or “Modify” each entitlement that requires their approval. Once an approver completes their certification tasks, the data is imported back into the toolkit.

7) Measure Results: After the completed analytics are imported back into the toolkit, a report is generated listing every entitlement that needs to be revoked or modified. Your organization can use this report to drive the administrative activities required to remove unnecessary entitlements from your user population.
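The seven steps above, worked through as a small Python model (an added example written for this page, not the PMG Certification Toolkit or any PathMaker code). The inputs are constructed: an entitlement inventory (step 3), normalized grants (step 2), authoritative user and system-owner data (step 4); the functions then build the campaign, record approver decisions and produce the remediation report, routing accounts with no human owner to the system owner as the text describes.

```python
"""Access-certification campaign model: added example, not the PMG Certification Toolkit."""
from dataclasses import dataclass

# Constructed inputs standing in for the outputs of steps 1-4.
# Step 3: groups/roles in each target application that require certification.
CERTIFIABLE = {"payroll": {"PAY_ADMIN", "PAY_VIEW"}, "crm": {"CRM_EXPORT"}}
# Step 2: normalized account -> group memberships, per application.
GRANTS = {
    "payroll": {
        "alice": {"PAY_ADMIN", "PAY_VIEW"},
        "svc_batch": {"PAY_VIEW"},           # service account, no human owner
        "bob": {"PAY_VIEW", "PAY_REPORTS"},  # PAY_REPORTS is out of scope
    },
    "crm": {"carol": {"CRM_EXPORT"}, "dave": {"CRM_EXPORT"}},
}
# Step 4: authoritative user data (account -> approving manager); dave has left.
USERS = {"alice": "mgr1", "bob": "mgr1", "carol": "mgr2"}
# Step 4: system owners who certify accounts with no human user (orphan/service).
OWNERS = {"payroll": "payroll_owner", "crm": "crm_owner"}


@dataclass
class Item:
    app: str
    account: str
    entitlement: str
    approver: str
    orphan: bool
    decision: str = "Pending"


def build_campaign(certifiable=CERTIFIABLE, grants=GRANTS, users=USERS, owners=OWNERS):
    """Step 5: one review item per in-scope grant, routed to the correct approver."""
    items = []
    for app, accounts in grants.items():
        for account, groups in accounts.items():
            for ent in sorted(groups & certifiable.get(app, set())):
                orphan = account not in users                      # no human user
                approver = owners[app] if orphan else users[account]
                items.append(Item(app, account, ent, approver, orphan))
    return items


def apply_decisions(items, decisions):
    """Step 6: record each approver's Certify/Revoke/Modify; undecided items stay Pending."""
    for item in items:
        verdict = decisions.get((item.app, item.account, item.entitlement))
        if verdict is None:
            continue
        if verdict not in {"Certify", "Revoke", "Modify"}:
            raise ValueError(f"invalid decision {verdict!r} for {item.account}")
        item.decision = verdict
    return items


def remediation_report(items):
    """Step 7: what administrators must remove or change, and what was never reviewed."""
    key = lambda i: (i.app, i.account, i.entitlement)
    return {
        "revoke": [key(i) for i in items if i.decision == "Revoke"],
        "modify": [key(i) for i in items if i.decision == "Modify"],
        "pending": [key(i) for i in items if i.decision == "Pending"],
    }
```

Items left Pending at the end of a campaign are themselves a finding: an approver never reviewed them, so the report keeps them visible rather than silently treating them as certified.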


Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 5 of 6

5. Robust Access Policies and Multi-factor Authentication (MFA)


Today you live with the risks of users accessing many more services outside the corporate network perimeter, as well as users carrying many more devices to access these services. Users have too many passwords, and the passwords are inherently weak. In fact, passwords have become more of an impediment to users than they are protection from hackers and other malevolent individuals and organizations. In short, in many cases, passwords alone cannot be trusted to properly and securely identify users.

Consequently, you need a better solution that incorporates strong authentication and one that delivers a common multi-factor experience across all your apps — SaaS, cloud, mobile, and on-premises. The solution also needs to have access policies that take into account the complete context of the access request and help to overcome these new security risks. In addition, you need the capability to establish flexible access policies for each app for more granular and adaptive control. For example, if a user is accessing a common app from a trusted device on the corporate network from his home country during business hours, then simply allow him silent SSO access to the app. But if that same user is accessing an app outside the corporate network from a device that is not trusted, outside of business hours, and from a foreign country, then deny him access — or at least require additional factors of authentication.

Specifically, you need an IDaaS solution that ensures secure authentication by combining multi-factor authentication (MFA) with rich, flexible per-app authentication policies.

Multifactor authentication methods should include at least:

• Soft token with one-button authentication to simplify the experience
• One Time Passcode (OTP) over SMS text or email
• Interactive phone call to the user’s mobile device, requiring a confirmation before authentication can proceed
• User configurable security question to act as a second password

Per-app authentication policies should allow, deny or step up authentication based on a rich understanding of the context of the request, derived from any combination of:

• Time of day, work hours
• Inside/Outside corporate network
• User role or attributes
• Device attributes (type, management status)
• Location of request or location of user’s other devices
• App client attributes
• Custom logic based on specific organizational needs
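A small policy engine that evaluates the context attributes listed above per app, returning silent SSO, step-up or deny exactly as in the example of the trusted-device, corporate-network, business-hours user versus the untrusted, off-network, off-hours, foreign request. This is an added example written for this page, not Centrify's implementation; the request fields, thresholds and the `custom` hook are assumptions chosen to illustrate the attribute list.

```python
"""Per-app, context-aware access policy: added example, not Centrify's implementation."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    """Context of one access request (all fields are constructed inputs)."""
    user: str
    roles: frozenset
    device_trusted: bool        # enrolled/managed device
    on_corp_network: bool
    country: str
    home_country: str
    when: datetime


@dataclass(frozen=True)
class AppPolicy:
    app: str
    work_hours: tuple = (8, 18)                 # local hours, Monday to Friday
    required_roles: frozenset = frozenset()     # empty means any role may try
    step_up_at: int = 1                         # this many risk signals -> extra factor
    deny_at: int = 3                            # this many risk signals -> deny outright
    custom: Optional[Callable[[Request], Optional[str]]] = None  # org-specific logic


def risk_signals(req: Request, policy: AppPolicy) -> list:
    """Translate the request context into named risk signals."""
    signals = []
    if not req.device_trusted:
        signals.append("untrusted_device")
    if not req.on_corp_network:
        signals.append("outside_corp_network")
    start, end = policy.work_hours
    if req.when.weekday() >= 5 or not start <= req.when.hour < end:
        signals.append("outside_work_hours")
    if req.country != req.home_country:
        signals.append("foreign_country")
    if policy.custom is not None:
        extra = policy.custom(req)
        if extra:
            signals.append(extra)
    return signals


def evaluate(req: Request, policy: AppPolicy) -> tuple:
    """Return ('allow' | 'step_up' | 'deny', reasons); 'allow' means silent SSO."""
    if policy.required_roles and not (req.roles & policy.required_roles):
        return "deny", ["role_not_entitled"]
    signals = risk_signals(req, policy)
    if len(signals) >= policy.deny_at:
        return "deny", signals
    if len(signals) >= policy.step_up_at:
        return "step_up", signals
    return "allow", signals


# Constructed policies: a common app with defaults, and an HR app with stricter rules.
COMMON_APP = AppPolicy("expense_portal")
HR_APP = AppPolicy(
    "hr_records",
    required_roles=frozenset({"hr"}),
    deny_at=2,
    custom=lambda r: "admin_off_network" if "hr_admin" in r.roles and not r.on_corp_network else None,
)
```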

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 4 of 6

4. Mobile Access Management

Mobile has become the de facto way to access cloud apps, requiring you to ensure the security and enable the functionality of users’ devices. This includes deploying appropriate client apps to the right device and ensuring an appropriately streamlined mobile experience. Unfortunately, most existing Identity and Access Management as a Service (IDaaS) solutions fall short when it comes to mobile support because they were built and architected before it became clear that mobile devices (smart phones and tablets) were going to become the preeminent means to access apps. Instead, they are very web browser centric—i.e. their mobile IDaaS experience just supports web-based apps vs. also supporting rich mobile apps and device security. They also provide no means to ensure that the user’s mobile device is trusted and secure, and while they may provision a user in the cloud service, they ignore giving the end user the corresponding app on their device.

Consequently, you should look for an IDaaS solution that allows your users to enroll their mobile devices and delivers strong authentication mechanisms (using PKI certificates). The solution should let you apply mobile device-specific group policies to ensure the underlying device is secure (e.g., ensure that a PIN is required to unlock the phone, etc.), detect jailbroken or rooted devices, and allow you to remotely lock, unenroll or wipe a lost or stolen device. Once you associate the device with a user and can trust the device, you can leverage the device as an identifying factor for the user in cases where additional factors are required for multifactor and step-up authentication.

The solution should also provide unified app management for both web-based and mobile client apps. This ensures that users are not left with partial access or access defined and managed in separate silos of access management such as separate mobile device management solutions (MDM). Both app and mobile management should share the same roles, identities, management tools, reports and event logs. This unification of mobile and app access management reduces redundant tools, processes and skillsets.

Mobile has quickly become the de facto way to access apps. Centrify uniquely unifies app and mobile access management.

Top Six Things to Consider with an Identity-as-a-Service (IDaaS) Solution – Blog 2 of 6

2. Identity Where You Want It

An IDaaS solution also needs to be flexible, providing robust access to corporate identities managed on-premises (e.g., Active Directory or LDAP), a directory service in the cloud for non-AD users such as partners or customers, and when appropriate, a hybrid of the on-premises and cloud directories. This is in stark contrast to other startup IDaaS vendors who only allow you to store identity data in their cloud directory. In order to leverage user data stored and managed in Active Directory, they first require that a portion of this data be replicated to their cloud and out of your control.

This cloud-only approach may not appeal to some organizations that — rightly or wrongly — have concerns about losing control of the proverbial keys to the kingdom. Organizations may also have reservations about creating another silo of identity to manage, unique security or privacy concerns, or legitimate concerns about the long-term viability of the vendor.

To enable this “identity where you want it,” a well-engineered IDaaS solution should deliver robust integration with on-premises Active Directory or LDAP, should support cloud-only deployments consisting of non-Active Directory or LDAP-based user identities, as well as a hybrid of Active Directory, LDAP, and/or cloud deployment.

Active Directory support should offer built-in Integrated Windows Authentication (IWA) without separate infrastructure and should automatically load balance and fail over without any additional infrastructure or configuration. Most importantly, it should not replicate Active Directory data to the cloud where it is out of the organization’s control — even if you choose to manage some of your users via a cloud model.

The diagram below shows the deployment options an IDaaS solution should support. As you can see, this hybrid approach gives you the best of both worlds in terms of flexibility.

Contact Us for more information on your IDaaS or Centrify Solutions. 

Top Six Things to Consider with an IDaaS Solution – Blog 1 of 6

1. Single Sign-On

Single Sign-On (SSO) is the ability to log into an app (cloud-based, on-premises, or mobile app) every time using a single/federated identity. For consumers this identity can be their social media identity, such as Facebook or Google, while an enterprise identity is typically the user’s Active Directory ID. Without SSO, users need to remember complex passwords for each app. Or worse, they use common or easily remembered (i.e. weak) passwords. For users, the result is a frustratingly fragmented workflow, which can include signing into dozens of different apps during the workday. For IT, the problems of too many passwords, or insecure passwords, are obvious—with a costly data breach ranking at the top among concerns. A properly architected SSO increases both user productivity and corporate app security.

So what should you look for when deploying SSO? At the simplest, a solution should enable you to improve end-user satisfaction and streamline workflows by providing a single identity to access all business apps — whether the apps reside in the cloud, or on-premises behind your firewall. It also needs to unify and deliver access to apps from all end-user platforms—desktops, laptops and mobile devices.

In a properly architected system, once users authenticate by logging in with their enterprise ID (e.g., Active Directory) they should enjoy one-click access to cloud, on-premises or mobile apps. Remote access to on-premises apps should be just as simple as accessing cloud apps: without requiring VPN hardware or client software. This type of SSO — using standards like SAML — will not only reduce user frustration and improve productivity but also enhance security. Federated SSO is better because it does not transmit the user name and password to the app over the network, but instead sends a time-limited and secured token verifying that the user who is attempting access is known and trusted. In addition, by eliminating the use of passwords and their transmission across networks, you can reduce the likelihood of users locking their accounts and calling the helpdesk, eliminate password risks such as non-compliant and user-managed passwords, and make it possible to instantly revoke or change a user’s access to apps without an admin having to reach out to each and every app.
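The federated exchange described above, reduced to its essentials: the identity provider authenticates the user once and hands the app a time-limited, signed token naming the user and the intended app; the app verifies the token and never sees a password, and disabling the user at the identity provider stops new tokens for every app at once. This is an added example, not Centrify's product or a SAML implementation: an HMAC over a JSON claim set (shared key assumed) stands in for a SAML assertion's XML signature, and the issuer name and claim names are constructed.

```python
"""Time-limited, signed SSO token between an identity provider and an app.
Added example: an HMAC over JSON claims stands in for a SAML assertion's signature."""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _sign(key: bytes, payload: str) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


class IdentityProvider:
    """Authenticates the user once (e.g. against AD) and issues per-app tokens."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self._key = key
        self.ttl = ttl_seconds
        self.disabled = set()   # revocation happens here, not app by app

    def issue(self, user: str, app: str, now: int = None) -> str:
        if user in self.disabled:
            raise PermissionError(f"{user} is disabled at the identity provider")
        now = int(time.time()) if now is None else now
        claims = {"iss": "idp.example", "sub": user, "aud": app,   # constructed issuer
                  "nbf": now, "exp": now + self.ttl}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{payload}.{_sign(self._key, payload)}"


class ServiceProvider:
    """The app: never sees a password, only verifies the token it is handed."""

    def __init__(self, app: str, key: bytes):
        self.app = app
        self._key = key

    def validate(self, token: str, now: int = None) -> str:
        payload, _, signature = token.rpartition(".")
        # Check the signature before trusting any claim inside the payload.
        if not hmac.compare_digest(_sign(self._key, payload), signature):
            raise ValueError("signature check failed")
        claims = json.loads(base64.urlsafe_b64decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("aud") != self.app:
            raise ValueError("token issued for a different app")
        if not claims["nbf"] <= now < claims["exp"]:
            raise ValueError("token outside its validity window")
        return claims["sub"]
```

The audience check matters as much as the expiry: a token issued for one app must not be accepted by another, otherwise the per-app access policies discussed earlier are bypassed.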

Contact Us for more information on your IDaaS or Centrify Solutions.


Start With The End In Mind: Blog #8 – Salvage or Replace an Existing Provisioning System

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)


Many organizations have a legacy user provisioning solution that no longer meets their needs, doesn’t do what the vendor promised it would, or more importantly, in the case of several products, including Sun Identity Manager and BMC Identity Manager, will no longer be supported in the future. Do you find yourself facing any of the following issues with your existing provisioning solution?


  • Your project is behind schedule and over budget
  • You lack the necessary coverage for applications
  • Your provisioning product is being “retired” and must be replaced
  • You have compliance weaknesses related to ineffective off-boarding processes, entitlement creep, SoD violations, and more

Now is the time to address those issues and migrate away from your legacy provisioning platform. Invest in a technology that will address your current provisioning challenges, improve your overall identity and access management strategy, and integrate with what you have in place today. Look for a solution that will provide your organization a smooth transition and allow you to take a non-disruptive, stepwise approach while making the most of your existing investment as you transition to a next-generation solution. The new solution must also be able to balance core user provisioning requirements — add, change, delete user accounts and password management — with user-friendly interfaces and processes that empower business users to request and manage access on their terms. Finally, and most importantly, it must offer an integrated approach to IAM. Governance and compliance should be handled as an integrated activity within your identity infrastructure, not as a separate process.


Check back for the conclusion and next steps in the Start With The End In Mind blog series

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 


Start With The End In Mind: Blog #6 – Eliminate Audit Deficiencies and Improve Audit Performance

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Identity management is a focal point for IT audits and one of the areas most commonly flagged for ineffective controls. During many Sarbanes-Oxley (SOX) audits, weak identity controls often receive negative audit findings in the form of control deficiencies or material weaknesses.

Here are some of the most common identity risks auditors are looking for:

  • Orphan accounts: Access that remains active for employees or contractors after termination due to failure to remove privileges
  • Entitlement creep: The accrual of privileges over time through transfers, promotions or other changes in roles resulting in employees with access beyond their job requirements
  • Separation-of-duty (SoD) violations: Inappropriate access resulting in excessive control over business transactions or the ability to perform conflicting duties
  • Poorly managed privileged user accounts: Anonymous accounts that are typically the domain of privileged users are managed using manual processes and are very difficult to audit
  • Lack of visibility into access by job function: Business users struggle to interpret technical IT data to make business decisions about what access is required to perform a specific job function.

If you’ve failed an audit due to weakness around any of these identity risks, we have good news. The right identity and access management solution will improve your visibility into risky or noncompliant areas and automate your processes for managing these risks. An enterprise-wide view of your identity data can help you to effectively analyze risk, make more informed decisions and implement the appropriate controls in an automated and more sustainable fashion. Further, aligning user access with job functions through an enterprise role model can strengthen user access controls by providing valuable business context around how specific sets of access map to the underlying business function being performed by an individual. The result? Fewer chances of negative audit findings or failing another audit. More chances of seeing audit performance improve over time.

Check back for blog #7, Lower the Cost of Compliance

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here. 

How Do I Know When To Upgrade My IAM Environment?

Pathmaker Group Executive Team

Deciding if you should upgrade your identity and access management environment can be a daunting task. Although there are many variables and decision-making points involved, the “if” decision usually falls into one of two camps:

  1. The software is nearing its support end-of-life.
  2. There is a need to utilize new services available in the latest release.

Let’s take a look at the first camp. The end-of-life of a particular software product is tied directly to its vendor’s support. This is a very important consideration due to the potential worst-case scenario. Imagine software currently running in production whose support has been deprecated by the vendor. Then, when a major issue occurs, technical staff reach out to the vendor with an explanation of the problem, only to hear “sorry, we can’t help you”. Unless in-house staff can diagnose and find a solution to the problem, there could be a very real, long-lasting disruption of service. The old adage “if it ain’t broke, don’t fix it” is not always the best mantra to follow with your identity and access management software. Although it is not critical to constantly upgrade to the latest and greatest release, it is recommended to be several steps ahead of a product’s end-of-life. This is due not only to the potential issue above, but also because vendors include critical items, such as security fixes and performance enhancements, as part of their newest releases.

How about the second camp? Let’s take a company that is utilizing a single sign-on software product or version that is a few years old. Granted, the solution is working well, however, there is now a need to integrate mobile and social technologies for their customer base. Seeing as their current software version does not support this, but the newest version does, the obvious choice would be to upgrade. Or, as a second illustration, a company may have created a custom connector, but that connector now ships out-of-the-box with the newest version. By upgrading, they would no longer have the overhead of updating and maintaining their code.

Get Information on the PathMaker Group IAM Maturity Advisory here. 

Start With The End In Mind: Blog #3 – Increase Business User Productivity

(Source: SailPoint Technologies, Inc. Identity and Access Management Buyers Guide)

Whether you’re using identity management for internal users (employees and contractors) or external users (partners, agents, customers), you want to implement technologies that reduce the burden of accessing business services. Having the right identity and access management strategy can reduce internal costs and improve productivity, but it can also contribute to revenue growth and profitability, as more and more “users” are business partners, agents or customers. As IT becomes more “consumerized,” all types of users expect quick, convenient access. And that access is no longer limited to logging in from a corporate laptop or PC — today’s workers want access anytime, anywhere, via any device. Every minute that a user has to spend retrieving a lost password or having the help desk reset a password is an unproductive minute — and when you multiply the growing number of applications by the amount of time wasted, the high price of inconvenience becomes pretty clear.

“I can’t keep up with the incoming requests for managing user access across the organization. There’s got to be a better way!”

“Our business users have to remember so many passwords, they’re writing them on yellow sticky notes in plain view.”

Here are some questions you should consider as you plan your strategy to ensure your IAM solution delivers convenience and improves user adoption and productivity:

  • Do you make it as simple as possible for new users to register and begin using your business services — even if they have no prior relationship with your organization?
  • Can users request new access from a self-service tool without having to call the help desk?
  • Do you provide simple password reset capabilities for users who have forgotten their username or password?
  • Do you offer users a streamlined and personalized single sign-on experience for all the applications, regardless of where they are hosted or how employees access them — via a desktop, laptop or mobile device?
  • Do you use risk-based authentication to ensure that low-risk transactions are as easy as possible, but high-risk transactions require more assurance?

Check back for blog #4, Manage Access Across On-premises and Cloud Applications

Visit SailPoint Technologies, Inc. here.

Learn more about PathMaker Group IAM MAP here.