In the first part of our series of articles on IdM, we discussed what IdM is. Today there will be a minimum of theory: I will talk about how to tell whether your company needs an IdM solution at all, from the standpoint of the business, IT, information security, audit, and so on. Below are a few checklists compiled from my experience with IdM implementations. They will help you decide whether it is time to choose an IdM solution, or whether your company can manage with its existing processes.

To avoid confusion, let us fix the terms right away: “IdM” refers to the whole complex of access control measures, while “IdM solution” refers to the class of software (and hardware) systems that support them.
In some form, you certainly already have a set of access control processes. And often they require a lot of manual work:
- Processing access requests.
- Blocking the access of employees who have been dismissed or whose duties have changed.
- Responding to incidents related to insufficient or excessive employee access to information systems, resources and their content.
- Auditing employees' access rights in each of the information systems, and so on.
All this, as a rule, is accompanied not only by the need to look into different consoles, but also by the need to go to the administrators of each system and ask for rights. Sometimes there are complications in the form of strained relations between departments and claims like: “Everybody around here wants to set tasks for my employee!” and “We do not have time to do your work for you.”
Things are not always so gloomy, but if you recognize at least one of these situations, you need IdM. Or rather, you need to restore order in the management of user identities and rights. For the undecided, here is a checklist of marker situations that indicate it is time to think about changing things (of course, it can be extended indefinitely).
1. From the point of view of users and the business:
- It is not clear how to request access.
- The access request form is complicated and incomprehensible for a “non-advanced user”.
- Processing of access requests is opaque: it is not clear to the person handling the request who determines, and how, whether the requested access can be granted.
- The time to process a request cannot be predicted (it may take 5 minutes, or it may take 5 days).
- The business owner of the resource is excluded from decisions on user requests and therefore cannot be held responsible for the possible consequences to the business.
- To get any access, you can simply call “admin Vasya” and ask.
- Employees are temporarily assigned to projects with different levels of responsibility, are periodically obliged to cover for absent colleagues, are given access to system X... and at the end of the project all of that access has to be revoked again.
2. From the point of view of IT:
- Requests are made in free form and through several channels (mail, ServiceDesk, the electronic document management system (SED), etc.).
- It is difficult to understand what access the user is actually asking for (“the same as Petr Ivanovich has”, “so that the Start button appears”, “so I can work”, etc.).
- Creating accounts and granting, modifying and revoking access rights take a significant share of administrators' working time.
- Periodically, large batches of user access requests have to be processed (after an audit, when new functionality appears in a system, etc.).
- In some cases it is difficult for the administrator to understand who granted the user's access and on what basis.
- The administrator does not always understand on what principle a request was approved.
3. From the point of view of information security:
- Access to some systems is restricted for the security team itself (literally: there is not even read access, so reliable and complete information cannot be obtained quickly).
- Access rights audits and attempts to restore order are not carried out because the process is complex and long, or they take so long that the information collected at the start of the audit is outdated by the time it ends.
- There are no clear procedures and rules for processing requests (requests arrive, but there is no understanding of whether to grant access or not).
- There is no access matrix or role model, and you really want to have one at least in some areas. (Role-based access is convenient to grant when it is clear what minimum an employee needs to perform their duties. It does not rule out granting additional rights in systems in parallel with roles. Again, this is a story about putting things in order.)
- Management and control procedures exist and are even written down in documents, but they are not followed.
4. Incidents:
- In incidents related to users' rights in information systems, there is no complete picture of what is happening and no information about the state of rights at the time of the incident (or, in general, at any point in the past, against the role model or access matrix current at that time).
- There is no evidence of who approved the granting or withdrawal of employees' access rights.
- It is not possible to identify unauthorized (unapproved) changes to employees' access rights.
5. Audit and compliance:
- Regulatory requirements and standards emphasize the need for access control.
- Auditors issue findings to eliminate inconsistencies (for example, accounts of employees who left the company long ago are still enabled), but there is no tool to fix them.
- Internal audits are conducted, among other things, to check compliance with requirements (internal, regulatory, standards, etc.), but discrepancies are found every time, because there are no management processes.
If you recognize the situations described, have marked those that apply, and are ready to change something, go ahead.
Now it is important to determine which access control processes are most often needed.
1. Processes associated with personnel turnover:
- Onboarding a new employee (setting up the workplace, creating accounts in information systems, issuing passwords, granting initial access according to the role model).
- Dismissal of an employee (blocking / revoking / restricting access, blocking accounts, etc.).
- Transfer of an employee to another position (promotion, transfer to another department, holding company or branch).
- Absence of an employee from the workplace (vacation, sick leave, business trip, etc.).
- Updating employee information (change of name, position, telephone number, office, etc.).
2. Processes related to employee access to information resources and systems:
- Granting access (user request, approval, execution, control).
- Revoking access (by request, by policy, on transfer, on dismissal, on system decommissioning, etc.).
- Reviewing access rights (on transfer, on dismissal, on a schedule, etc.).
- Auditing access rights.
3. Processes associated with providing services to users:
- Submitting a request (in what form, by what procedure, etc.).
- Approving a request (by whom, in what sequence, within what time, etc.).
- Handling discrepancies (“I had access, and then it disappeared; I could do it yesterday...”, “Petrov's button is active but mine is not, and we requested the same access...”, etc.).
- Verifying that the requested and approved access rights were actually provided (user satisfaction).
4. Incident response and risk handling processes:
- Obtaining information about an employee's access at the time of an incident.
- Investigating employees' access rights (SoD conflicts, changes to role models and access matrices, etc.).
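The SoD (segregation of duties) check mentioned above, and the IT-checklist complaint that the administrator does not understand on what principle a request was approved, are both answered by keeping the role model and the SoD rules in one place and evaluating every assignment, current or requested, against them. Below is an added example of such a check in Python; it is not code from the original article or from any IdM product, and the role names, entitlements, SoD rules and assignments are constructed, hypothetical sample data.

```python
# Role model: role -> the entitlements it bundles. Constructed sample; names are hypothetical.
ROLE_MODEL = {
    "AP.Clerk":    {"ERP.CreateVendor", "ERP.EnterInvoice"},
    "AP.Approver": {"ERP.ApprovePayment"},
    "Treasury":    {"ERP.ReleasePayment"},
    "Auditor":     {"ERP.Reader"},
}

# SoD rules: sets of entitlements that one person must not hold at the same time.
SOD_RULES = [
    ({"ERP.CreateVendor", "ERP.ApprovePayment"}, "create a vendor and approve its payments"),
    ({"ERP.EnterInvoice", "ERP.ReleasePayment"}, "enter an invoice and release its payment"),
]

# Current role assignments, as an IdM solution would hold them (constructed sample).
ASSIGNMENTS = {
    "ivanov":     {"AP.Clerk", "AP.Approver"},   # toxic combination
    "sidorov":    {"AP.Clerk"},
    "kuznetsova": {"Treasury", "Auditor"},
}


def effective_entitlements(roles, model):
    """Flatten roles into the entitlements they grant. Unknown roles are an error, not silently ignored."""
    unknown = set(roles) - model.keys()
    if unknown:
        raise KeyError(f"roles not in role model: {sorted(unknown)}")
    return set().union(*(model[r] for r in roles))


def sod_violations(entitlements, rules):
    """(description, offending entitlements) for every rule whose toxic set is fully present."""
    return [(desc, frozenset(toxic)) for toxic, desc in rules if toxic <= entitlements]


def audit_assignments(assignments, model, rules):
    """Who currently violates which SoD rule, given the role model."""
    report = {}
    for user, roles in assignments.items():
        hits = sod_violations(effective_entitlements(roles, model), rules)
        if hits:
            report[user] = hits
    return report


def inherently_conflicting_roles(model, rules):
    """Roles that violate a rule on their own: a defect in the role model itself, not in an assignment."""
    return {role for role, ents in model.items() if sod_violations(ents, rules)}


def check_request(user, new_role, assignments, model, rules):
    """Preview for an approver: would granting new_role to user create an SoD conflict?"""
    proposed = assignments.get(user, set()) | {new_role}
    return sod_violations(effective_entitlements(proposed, model), rules)


if __name__ == "__main__":
    print("current violations:", audit_assignments(ASSIGNMENTS, ROLE_MODEL, SOD_RULES))
    print("defective roles:", inherently_conflicting_roles(ROLE_MODEL, SOD_RULES))
    print("sidorov + Treasury:", check_request("sidorov", "Treasury", ASSIGNMENTS, ROLE_MODEL, SOD_RULES))
    print("sidorov + Auditor:", check_request("sidorov", "Auditor", ASSIGNMENTS, ROLE_MODEL, SOD_RULES))
```

The point of `check_request` is that the approver sees the conflict before approving, together with the rule that names it; that is the "principle on which the request was approved" that the administrator otherwise has to guess. `inherently_conflicting_roles` catches the other common cause of SoD findings: a role that was defined to be convenient and is toxic by construction.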
5. Audit-related processes:
- Auditing compliance with requirements (internal standards and policies, regulators, international standards, etc.).
- Auditing for investigation or other purposes.
The list can be continued indefinitely, and detailed and scaled as you like. But no one except you, who know your company and the environment you have to work in, can say exactly what is definitely necessary and what is not. We can analyze this together with you and propose a direction and options for development.
Introducing anything, including an access control process, is inevitably associated with implementing standards and “best practices” and with risk assessment. Some companies take a standard and try to implement everything written in it methodically, point by point (I have met such companies). At the same time, they overlook the fact that for each “requirement” of the standard it is necessary to analyze and evaluate whether it fits the context of your company's business, and whether following that particular item will cost as much as a Boeing wing while bringing no benefit.
The burden of deciding whether to implement a set of processes for managing user credentials and rights lies with the business. In preparing such a decision for the team (yes, it cannot be done without a team), IT and information security specialists should draw up a plan for the transition to the new management model that takes into account all relevant processes, employee roles, technical tools and organizational measures.
Technical means (in particular, IdM solutions, alone or in combination with systems of other classes) can make life easier for the IT and information security functions by automating many operations. They provide control over what is happening and the ability to respond to an event in a system as quickly as possible, let you quickly obtain information on employees' accounts and access rights in one console, and help to conduct an audit and get an automatically generated report in the form defined in the system.
An IdM solution is a tool for IT and information security. At the same time, all employees of the company can use it, in which case it becomes a service provided by the IT and information security functions. It lets users request and approve access, update their profile information, and use self-service. For managers, HR staff and business system owners, reports can be generated on employees' access to and use of systems. Therefore, the approach to implementing IdM solutions and access control processes should be thought through, including from the standpoint of convenience and benefit for all employees of the company (business units, IT, and information security alike).
In the next article we will look at how to approach planning and implementing access control processes, and figure out where the IdM solution fits in this story.
UPD. Read on: