... It all started with the marketing department. These lovely people thought it over and decided that we (presale and services specialists) should write a number of articles "on various interesting topics." As usual, they came up with the themes themselves, based on the "market needs" as they see them. (Looked at from our perspective, the themes were, to put it mildly, "not very"...)
Our team, responsible for the development of the Solar inRights user access and account management system, came up with the idea of missionary work (however grand that sounds): if we are going to write an appeal "to the city and the world", let it at least be a useful tool for making an informed decision. Therefore, we decided to create a complete cycle of materials that will help readers clearly understand what actions and procedures accompany the implementation of IdM solutions.
We will try to avoid incomprehensible terminology and explain everything. If something is unclear or raises questions, you can always ask them in the comments. We are open to your suggestions about which aspects deserve special attention.
At the initial stage, we see the following division by topics:
- What is IdM?
- How to determine what to think about the introduction of IdM?
- We realized that IdM is needed - what next?
- About finance ...
- We have a contract. How will work begin?
- Preparation for implementation.
- Work in the process of implementation itself (several days in the life of the implementation engineer).
- Moving the system "into production" and related procedures.
- "We built, built and finally built ...". What's next?
The list and number of topics may vary depending on the interest of the audience and the inspiration of the authors :)
So, get to the point!
Part 1. What is IdM?
Talking about IdM should start with an explanation of what account management and user rights are and what access control is.
Let's figure it out. First of all, it is worth understanding where the name of this class of solutions, IdM, came from. It is short for "Identity Management", i.e. "account management". Referring to Wikipedia (yes, to it, since it is the first link in Google):
"Account management (eng. Identity management, abbr. IdM, sometimes IDM) is a set of approaches, practices, technologies and special software for managing user credentials and access control systems (ACS) in order to improve the security and performance of information systems while reducing costs, optimizing downtime and reducing the number of repetitive tasks." (Source)
This is an excerpt from the article in Russian, which, apart from this paragraph, is limited to references to articles on identification, authentication, authorization and access control. The definition is not as bad as one might expect. What is worth paying attention to in the passage above? Let me highlight the key parts:
"Account management (eng. Identity management, abbr. IdM, sometimes IDM) is a
set of approaches, practices, technologies and special software for managing user credentials and access control systems (ACS),
in order to improve the security and performance of information systems while reducing costs, optimizing downtime and reducing the number of repetitive tasks."
That is, we see that the essence of managing accounts and access is not reduced simply to a single system that acts as a kind of "make everything good" button. It is a complex that includes:
- definition of the objectives of the above activities,
- concretization of the approach to the achievement of the chosen goals and the solution of the tasks set,
- building processes and procedures,
- distribution of roles in the business structure,
- choosing a solution that will manage the credentials and rights of users,
- and also, closer to the end, the actual process of implementing an IdM solution.
Well, we figured it out. But still:
- What exactly does account management include?
- What procedures and processes relate to this activity?
We come to the most interesting part. It is interesting because it is difficult to find an exact indication of what falls under access and account management and what does not. Identity Management is a very broad and, if you please, "loaded" and "unlimited" term that covers a lot of concepts. In practice, we systematically run into the fact that each organization has its own approach to access control and its own ideas about what belongs to the IdM topic and what does not.
I recall the parable of three blind men trying to describe an elephant: one of them approached the elephant from behind, felt its tail and said that the elephant is like a rope; the second approached from the front, felt the trunk and said that the elephant is like a snake; the third approached from the side, felt a leg and said that the elephant resembles a pillar or column. The bottom line is that each of them individually had incomplete information and therefore could not picture the elephant as a whole, never having encountered an elephant before and having no idea what it was.
It is a similar story with IdM: there are too many different functions and capabilities to grasp all of them systematically. Sometimes completely unexpected topics come up that nobody had thought about before starting to work with a solution. IT and IS professionals need to understand not only the technical component of access and account management, but also what the requirements for IdM-related processes are in each particular company. It should be borne in mind that the infrastructure landscape becomes more complicated every year, and the methods that used to be effective for managing access and account data (manual management of access groups, directory services, attempts to draw up role models on paper, user profiles, etc.) are no longer able to meet the needs of the business. Therefore, over time, they will be replaced by modern means of managing identity, authentication and authorization (jointly, access control) together with audit systems.
When we start talking about the implementation of some IdM solution, company representatives are often surprised to discover that even before launching the actual implementation process, you need to fully understand:
- What are the personnel processes in the company?
- Who decides where each user should have access, and how?
- What are the roles?
- What services should be available to each of the users?
- How are data updates synchronized across the various business systems?
- What procedures should be applied?
- What kind of audit should be carried out in the system, etc.?
It is worth remembering that there are several levels of access control:
- Administrative (policies and procedures, control and training of personnel).
- Physical (perimeter security, separation of work areas, data backup).
- Technical (delimitation of logical and physical access to systems, review of network architecture, data security, auditing).
All of them influence how user accounts and rights will be managed.
Talking to colleagues who have already been through the introduction of IdM solutions, I tried to find out what the introduction and further development of IdM meant for the IT and IS specialists of the customer companies. During the interviews, it turned out that they had to revise their approaches to access control, make changes to existing business processes, and a number of information systems changed as well, etc.
I cite all of this here not to discourage anyone from turning to IdM solutions, but so that everyone understands the scope of the work and avoids disappointed expectations such as: "And we thought that once IdM was introduced, we could relax right away...".
Implementing IdM is not a story about how integrator engineers deployed the solution you chose and "everything was fine at once."
It is a story about how, through the transformation and maturing of the IT and IS services, an entire access control system is created, with goals and objectives, user accounts and user rights that are clear to all participants of the process, and which includes a list of processes and procedures, physical, technical and administrative measures, as well as the IdM solution or IGA platform itself.
We will talk in a series of articles in the most detailed way about how to take a balanced and competent approach to the creation of such a system.
As a preview, here is what we will cover in the next article:
- How to tell that it is time for a particular company to introduce IdM? Frequent situations and problem stories.
- Possible options for the implementation of employee access control processes and the use of IdM solutions.
- About audit and compliance.
In addition, it is useful, in my opinion, to read the article by our colleague from Solar Security on how IdM works in conjunction with ITSM.
UPD. Read on: