Principles of successful IDM implementation. Business Cases
The market for information security systems, namely, IDM solutions, according to the latest trends in the West, is growing at an enormous pace. This trend has been observed in the past few years in countries of Eastern Europe and Russia. IDM solutions today are sought after by large and medium-sized businesses ..
On the Russian IDM market there are both Western and domestic vendors. The most common IDM systems today are Oracle Identity Manager, IBM Security Identity Manager, Microsoft Forefront Identity Manager, CUB, Avanpost. They have a lot in common, but there are some functional features and when choosing a solution, the customer certainly needs to get to know each of them in order to understand which of the systems most fully meets its requirements. What is IDM? This is an account management system. Usually in IDM there are two ways to provide access: on the basis of personnel changes (job access) and through the self-service web portal (individual access). Entities managed by IDM accounts. IDM creates accounts and manages the membership of pre-configured groups.
')
All existing IDM – systems have much broader functionality, and some of them allow you to manage “granular rights”, configure typical access (create groups and link them to resources), and even create new resources.
Until recently, the use of IDM by Russian companies was the prerogative of industry giants, representative offices of western companies and the largest banks. These are companies with a number of thousands of people, a huge "zoo" of information systems, many of which are designed specifically for these companies and are not used anywhere else, and the budget is measured in dozens or even hundreds of millions. Why?
The fact is that the majority of IDM solutions in the Russian market are represented by market leaders, trendsetters, such as Oracle, IBM, Microsoft.
These solutions are designers, they have the ability to customize for any business processes. In fact, Western IDM are platforms. But the cost of licenses of these systems is quite high, and the implementation can last for years. At the same time, if the customer’s business processes change, then the solution should be practically rewritten anew.
Recently, the market situation is changing. Companies with more than 200-500 people want to reduce the risks of illegitimate access to their information resources and use IDM systems to automate the process of providing and controlling access. What has changed?
But the IDM market in Russia is still not as large as in the West (in the US, 4 out of 5 companies with more than 1,000 people use IDM solutions). What needs to be done to make an IDM class product successful in Russia?
TrustVers company is a domestic developer of IDM-solutions successfully implemented, both in large organizations and in companies of up to 1000 people. We have formed several theses, which, in our opinion, can be the key to the successful implementation of IDM in the Russian company.
1. An IDM implementation project should last an average of 3 months. This can be achieved in several ways:
2. IDM should work in conjunction with other systems that provide information security of the company. Rarely in which companies do IDM start to use from scratch. In the overwhelming majority of cases, the company already uses one of the systems of the class ITSM, SIEM, SSO, PKI, ACS. Let's take a closer look at how you can use the class system Identity Management in conjunction with related solutions.
3. IDM solution should be advantageous to use. Unfortunately, due to high expectations, lack of corporate ethics of using regulations for creating applications, inexperience of the integrator, the project for the implementation of an IDM solution does not always bring the company the expected effects. How to achieve the maximum effect from the introduction of IDM?
The acquisition of IDM solutions is a crucial step and for successful implementation and subsequent operation of the system it is necessary to thoroughly understand the functional features of various IDMs, select an experienced integrator and conduct training of specialists. The decision on implementation should be taken collectively, with the participation of business, IT service staff and NIB.
Alexey Pavlov, Presale Manager
LLC "TrustVers"
http://trustverse.ru
On the Russian IDM market there are both Western and domestic vendors. The most common IDM systems today are Oracle Identity Manager, IBM Security Identity Manager, Microsoft Forefront Identity Manager, CUB, Avanpost. They have a lot in common, but there are some functional features and when choosing a solution, the customer certainly needs to get to know each of them in order to understand which of the systems most fully meets its requirements. What is IDM? This is an account management system. Usually in IDM there are two ways to provide access: on the basis of personnel changes (job access) and through the self-service web portal (individual access). Entities managed by IDM accounts. IDM creates accounts and manages the membership of pre-configured groups.
')
All existing IDM – systems have much broader functionality, and some of them allow you to manage “granular rights”, configure typical access (create groups and link them to resources), and even create new resources.
Until recently, the use of IDM by Russian companies was the prerogative of industry giants, representative offices of western companies and the largest banks. These are companies with a number of thousands of people, a huge "zoo" of information systems, many of which are designed specifically for these companies and are not used anywhere else, and the budget is measured in dozens or even hundreds of millions. Why?
The fact is that the majority of IDM solutions in the Russian market are represented by market leaders, trendsetters, such as Oracle, IBM, Microsoft.
These solutions are designers, they have the ability to customize for any business processes. In fact, Western IDM are platforms. But the cost of licenses of these systems is quite high, and the implementation can last for years. At the same time, if the customer’s business processes change, then the solution should be practically rewritten anew.
Recently, the market situation is changing. Companies with more than 200-500 people want to reduce the risks of illegitimate access to their information resources and use IDM systems to automate the process of providing and controlling access. What has changed?
- The competence of integrators, who formed “typical” replicable solutions, increased the competence of their engineers, which led to a reduction in project costs.
- Western companies from the big three have changed the price policy, offering significant discounts, reaching up to 70% of the original cost. This is due, among other things, to the emergence of competitors of domestic vendors with significantly more lucrative offers.
- The complexity and number of information systems used and the qualifications of Russian company employees are increasing.
But the IDM market in Russia is still not as large as in the West (in the US, 4 out of 5 companies with more than 1,000 people use IDM solutions). What needs to be done to make an IDM class product successful in Russia?
TrustVers company is a domestic developer of IDM-solutions successfully implemented, both in large organizations and in companies of up to 1000 people. We have formed several theses, which, in our opinion, can be the key to the successful implementation of IDM in the Russian company.
1. An IDM implementation project should last an average of 3 months. This can be achieved in several ways:
- Connectors to target systems should work out of the box. Any integrator who has implemented Oracle will tell you that most connectors are “doped” at the implementation stage and their replication is conditional, which leads to an increase in the timing and cost of implementation.
- The system must be configured, not programmed, that is, there must be an interface for setting up the system's core. This reduces the flexibility of the system, but allows you to configure it much faster. Need a balance.
- It is desirable to have an analytics module in the IDM system that creates and optimizes the role model based on the current state of information systems and the current IS policy. Principle inventory optimization operation. This will allow to integrate the stage of mandatory pre-project analytics into the system implementation process, which will significantly reduce time costs and automate the process.
2. IDM should work in conjunction with other systems that provide information security of the company. Rarely in which companies do IDM start to use from scratch. In the overwhelming majority of cases, the company already uses one of the systems of the class ITSM, SIEM, SSO, PKI, ACS. Let's take a closer look at how you can use the class system Identity Management in conjunction with related solutions.
- Integration is interesting with ITSM , as with “single entry point”. Employees of the organization create an application to the service desk and, if it is an application for access, it is automatically transmitted to IDM, where it is coordinated, executed (also automatically) and monitored subsequently.
- The integration of KUB with SIEM is organized according to the following scheme: IDM KUB monitors target systems for changes in security settings (changing access rights, creating, deleting accounts, new resources) and compares with the requirements of applications. In the event that the changes occurred directly in the target system, bypassing the application mechanism, IDM notifies the responsible person of the non-compliance, and also sends a report to the SIEM. The advantage of this integration is that the SIEM does not distinguish between events that have occurred to bypass the application system from the agreed ones, so the information security officer receives a “heap” of changes that are difficult to understand.
- Integration with access control . How often do you encounter a situation when employees of the company use other people's data to work in the system? How acceptable is this situation? Each of you can answer this question yourself, but, in most cases, they try to fight this problem. The joint use of IDM and access control will allow you to control user access to the target system, including the domain. Until a person has passed the control system, has not entered the perimeter of the access control system, the account in AD is blocked, as soon as an employee comes to work, he has the opportunity to log in to the domain. Of course, there are many limitations, including loss of pass and remote access, but this can also be realized through IDM (for example, through the application that is issued by the head of the employee who has forgotten the card).
- Manage PKI Infrastructure with IDM. The most popular scenario is the automatic issuance and revocation of a certificate upon admission / dismissal of an employee. But IDM can issue a certificate upon request, for example, when an employee has requested access to a system that requires a security certificate. PKI-IDM can significantly reduce the load on the NIB and IT with regard to the management of certificates, their automatic issuance and revocation, as well as transportation. The second, no less demanded functionality is the use of an ES at the stage of creating and approving an application, including using a qualified ES (eg crypto pro).
- SSO . When a new employee comes to work, on the basis of the data in the personnel system, IDM grants him privileges on the basis of the position, generates a one-time password.
When you first access your computer, the user specifies the domain account name and password. After successful logging in, the user can configure alternative authenticators (smart card, token, one-time password generators, biometric authentication tools, etc.) for later use. In KUB, this procedure is performed by means of the Indeed-Id Enterprise SSO Agent. The full range of authenticators available for use is determined by the settings of Indeed-Id Enterprise SSO. After all the necessary settings have been made, the user can use the selected authenticators to access the domain and all applications. There is no need to remember passwords to the IP.
3. IDM solution should be advantageous to use. Unfortunately, due to high expectations, lack of corporate ethics of using regulations for creating applications, inexperience of the integrator, the project for the implementation of an IDM solution does not always bring the company the expected effects. How to achieve the maximum effect from the introduction of IDM?
- One of the most important factors is usability for business units. The access matrix and the structure of the roles should be clear, their search should be carried out according to several criteria, the possibility of adjusting the application by the coordinators is necessary. At the same time, the procedure for requesting roles should be minimized by adjusting job privileges. Employees should be able to request credentials like colleagues.
- Formalized rules of interaction between automation and information security services, as well as IDM operation. If IT staff acts bypassing the application system, for example, executing verbal requests from employees, the information security officers will be overwhelmed with "inconsistencies" and the work of the information security service will be paralyzed. At the forefront of using IDM is necessary to put an electronic document flow applications. Make IDM a single request for access rights. In some cases, it makes sense to use operators to interpret requests to the KUB, or to appoint those responsible in the divisions so that they create applications for access by their colleagues.
- Participation in the project, fulfillment of obligations to replace employees, the work of non-staff employees requires the formation of a specific set of business roles, consisting of typical privileges in various target systems. Using role sets, combining children into parents, greatly simplifies the procedure for requesting access and simplifies the control and re-certification of authority.
- A detailed study of the functional, advanced training of IDM administrators, training of ordinary personnel to work with the self-service portal will minimize the difficulties of transition to a new solution in any organization.
The acquisition of IDM solutions is a crucial step and for successful implementation and subsequent operation of the system it is necessary to thoroughly understand the functional features of various IDMs, select an experienced integrator and conduct training of specialists. The decision on implementation should be taken collectively, with the participation of business, IT service staff and NIB.
Alexey Pavlov, Presale Manager
LLC "TrustVers"
http://trustverse.ru
Source: https://habr.com/ru/post/217667/
All Articles