INTRODUCTION TO IAM (IDENTITY AND ACCESS MANAGEMENT)
- by Rishi Sharma
Identity and Access Management is Everyone’s Responsibility
What is Identity & Access Management (IAM)?
A set of tools & services used to manage access to systems or resources used by personnel as well as our customers.
Why is Managing Access Important?
Controlling access = Controlling risk
How Do We Manage Applications?
Centrally-Managed applications – you ask IT to do it.
• Use one or more centrally-managed IAM services
Business-Managed applications – you ask someone in the business to do it.
• Applications the business manages locally. The business owns and creates the access to the application. The owner is responsible for the timely removal of access when someone terminates or transfers jobs.
Who Is Responsible for Managing Access?
Everyone who manages employees or contractors in the organization
Identity and Access Management is Everyone’s Responsibility
What Do I Need To Do As A Manager?
1. Request Access For Your Personnel
• Contact your Role Profile Owner
• Visit the IAM Support Central Site
2. Review Access When Prompted
• High-risk applications are reviewed quarterly, all others annually
3. Remove Access When People Leave
• Submit requests within 24 hours of a job change
• Go to Workday for full-time employees
• Go to IAM Portal for contract workers
Request, Review, Remove
Common Misperceptions
1. The IAM team can/will manage access on my behalf
2. Eventually all applications will be centrally managed
3. When someone leaves the company, HR makes sure their access is terminated
IAM Program – Strategic Goals
(The slide shows a ring of five elements: Identities, Credentials, Access, Entitlements, Control. The goals below are grouped under three headings.)
Identity & Credentials:
1. Move towards a culturally aware business climate around IAM and enforce the use of a common identifier for all personnel utilizing Organization assets, both employee and non-employee.
2. Centralize identity flows and the on/off-boarding experience wherever possible to reduce risk, improve consistency, and minimize cost.
3. Implement a robust privileged user management program to identify, manage, and monitor access of privileged accounts on the Organization network.
4. Automate the provisioning and de-provisioning of core credentials and roles tied to identity events.
Entitlements and Access Control:
5. Implement a business application on-boarding paradigm (aka “adoption”) that enables targeted applications to integrate to IAM and minimizes the amount of re-work as the maturity of the overall IAM solution grows.
6. Target high-risk applications (e.g. SOX/PCI) to be fully integrated to IAM with identity-event-driven workflow to ensure full lifecycle automation and management (request, grant, review, remove, term, transfer).
7. Integrate into the program those high-risk physical and logical assets that have weak IAM controls and present risk to the firm (e.g. local admin, laptops, badging system, etc.).
Audit and Compliance:
8. Enable the business to perform scheduled or ad-hoc access reviews of any group of assets on Organization across all users and the access they hold (i.e. “Who has access to what?”).
9. Provide accurate and timely compliance / auditing reports as well as metrics to operational teams, business areas, and other interested parties.
Application Classification: Functional Service Characteristics
Functional service characteristics are determined based upon maturity level and are cumulative. They will be implemented for each application where technically feasible.
Highest (Target Level 4) – Functional Service Characteristics:
• Event-Driven Account Lifecycle
• Event-Driven Certification
• Privileged Account usage tracked; Session Recorded; Active Discovery of Privileged Accounts
High (Target Level 3) – Functional Service Characteristics:
• Birthright-based Account Lifecycle
• Closed-loop Certification
• Entitlement integrity enforced through programmatic reconciliation
Medium (Target Level 2) – Functional Service Characteristics:
• Access Request fulfillment automated
• Single or Reduced Sign-On
• Assisted Certifications
• Privileged Accounts inventoried quarterly
Low (Target Level 1) – Functional Service Characteristics:
• Access request and Centralized Workflow Routing
• User populations identifiable
• Logs sufficient to illustrate IAM transactions
Evidence required is dependent on Service Characteristics.
IAM Capability Overview
Programs: Technical Operations, Technical Development, Business Operations (the three arms of the Identity and Access Management program)
Department Mission:
To align Organization’s identity and access management capabilities closer to the industry and its peers by reengineering business processes, enabling the business with technology, and introducing automation wherever possible in a cost-effective and efficient manner.
Program Services:
Technical Operations:
• Level 1 team to support the primary On/OffBoarding processes for core credentials and logical assets.
• Primary support for provisioning and de-provisioning of any IAM-integrated applications (~80+)
• Level 2-3 core engineering support for Unix, AS400, Mainframe, and Active Directory.
• RSA/MFA & VPN support including SecurID hard/soft token deployment.
• Project-based core technical support specific to both small (new app) and large (Blue, Orange) projects.
Technical Development:
• Design, Development, and Deployment of in-house, COTS, and cloud-based solutions supporting the overall IAM program.
• Technical leadership on all existing as well as new IAM projects.
• SME of all existing and new IAM products, services, and tools.
• External IS project support wherever IAM SME experience is needed.
• Ownership and design of IAM-deployed architecture supporting all Organization internal and external customers.
Business Operations:
• Role and Entitlement Engineering and the support of existing RBAC models.
• Enterprise Business Support for existing services as well as new projects.
• Oversight of Quarterly and Yearly reviews of end-user and privileged accounts.
• IAM solution on-boarding and deployment.
• User Acceptance Testing oversight and coordination with Testing COE.
• Program communications, including metrics and reporting.
General IAM Services / Technical Portfolio
IAM – Current Services (Component: Description)
Unix LDAP (Temporary): User Store for UNIX Authentication, replicated with GE Unix LDAP
Unix LDAP (Permanent): User Store for UNIX Authentication / Pre-populated with existing Synchrony Financials employees
AS400, AD, Mainframe: Critical care of core assets for account provisioning, PA mgmt., and Role Mgmt.
SSO LDAP: SSO LDAP Infrastructure for SSO Authentication, and VPN user configuration
SSO: Infrastructure to provide Single Sign On / Authorizations
Ping Federation & CA Federation: Federation infrastructure for External Federation partners – SAML2.0
Lifecycle Management: Managing the lifecycle of user access (Joiner, Mover, Leaver, Converter, Rehire)
Access Requests: User interface to request access to systems for both normal and Privileged Access (PA)
Access Provisioning: Add, modify, remove user accounts on target applications through an adapter (Resource Adapter/RA) or Admin notification (Virtual Resource Adapter/VRA)
Role Lifecycle Management: Manage the lifecycle of Roles (Role Profiles/RP and System Access Profiles/SAP)
Access Review: Review user access to applications, as well as privileged access, on a periodic basis.
Privileged Identity Management: PA Credential Management Solution for Vaulting and Managing Access Control for Windows and *NIX OS Server Shared Accounts and *NIX Super User Accounts
RSA SecurID / RADIUS (Permanent Production Environment): Base Infrastructure Setup for Future Integration with IAM for User Creation, Self Service Features and integration with Active Directory and Ongoing User Migrations
Identity and Access Management Portal
IAM Portal Overview
The IAM Portal is the Identity & Access Management tool for Provisioning and Certifications
The main benefits include:
• Automated access provisioning / deprovisioning
• Requestor workflow transparency (“track my requests”)
• Enhanced certification / attestation processes
• Closed loop remediation
• “SoD” prevention & detection
• Centralized password reset
• Contingent Worker creation / management
• Delegation
• VPN management
• Distribution List management
Application Onboarding Onto Portal
The application onboarding focuses on integrating business-managed applications classified as IAM 1 & 2 onto the IAM Portal for centralized access management. In addition, applications will be enabled with Single Sign-On, Privileged Access, and Logging capabilities.
Full Automation (wherever possible)
• Eliminates manual provisioning errors
• Nightly aggregations ensure the user base remains in sync and current
• Terminations and removals are processed immediately
Centralized Certifications
• Application access is certified within IAM Portal using current data
• Multi-level review starting with user managers
• Ability to delegate individual roles or users to another certifier
Transparency
• Current user access (roles / entitlements)
• User attributes (manager, dept., job function, etc.)
• Ad hoc reporting & metrics
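The two portal slides above describe a nightly aggregation that keeps an application's user base in sync with the authoritative identity source, immediate processing of terminations, and SoD prevention and detection. The following is an added example (not code from the deck or from the IAM Portal product) of what one such aggregation pass computes: it reconciles a constructed application account export against a constructed HR feed, flags accounts whose owner has left or has no identity record, and checks each account's entitlements against a constructed SoD rule set. Names, field layouts and the rule set are assumptions.

```python
"""Nightly aggregation check: reconcile an application's account export against
the authoritative HR identity feed and list what must be acted on.
Added example; every record below is constructed, not taken from a real feed."""
from dataclasses import dataclass, field

# Constructed HR feed: one row per identity, with the current lifecycle status.
HR_FEED = [
    {"id": "e1001", "name": "A. Ortiz", "status": "active", "manager": "e0002"},
    {"id": "e1002", "name": "B. Chen", "status": "terminated", "manager": "e0002"},
    {"id": "c2001", "name": "C. Dubois", "status": "active", "manager": "e0003"},  # contractor
]

# Constructed application account export ("who has access to what").
APP_ACCOUNTS = [
    {"account": "aortiz", "owner_id": "e1001",
     "entitlements": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"}},
    {"account": "bchen", "owner_id": "e1002", "entitlements": {"GL_VIEW"}},
    {"account": "svc_batch", "owner_id": None, "entitlements": {"GL_POST"}},
    {"account": "cdubois", "owner_id": "c2001", "entitlements": {"GL_VIEW"}},
]

# Constructed SoD rules: pairs of entitlements one account must not hold together.
SOD_RULES = [
    ("AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE", "enter and approve own invoices"),
]


@dataclass
class AggregationResult:
    orphaned: list = field(default_factory=list)        # no owner identity in the HR feed
    leavers: list = field(default_factory=list)         # owner terminated, account still present
    sod_violations: list = field(default_factory=list)  # (account, rule description)


def aggregate(hr_feed, app_accounts, sod_rules):
    """One aggregation pass: match each account to an identity and test SoD rules."""
    identities = {row["id"]: row for row in hr_feed}
    result = AggregationResult()
    for acct in app_accounts:
        owner = identities.get(acct["owner_id"])
        if owner is None:
            result.orphaned.append(acct["account"])
        elif owner["status"] == "terminated":
            result.leavers.append(acct["account"])
        for left, right, reason in sod_rules:
            if {left, right} <= acct["entitlements"]:
                result.sod_violations.append((acct["account"], reason))
    return result


def revocation_requests(result):
    """Turn findings into the removal / review actions the portal would raise."""
    requests = [(a, "remove account: owner terminated") for a in result.leavers]
    requests += [(a, "review: no owner identity on record") for a in result.orphaned]
    requests += [(a, f"SoD violation: {reason}") for a, reason in result.sod_violations]
    return requests


if __name__ == "__main__":
    for account, action in revocation_requests(aggregate(HR_FEED, APP_ACCOUNTS, SOD_RULES)):
        print(f"{account:12} {action}")
```

The leaver case is the one the earlier slide calls out as a common misperception ("HR makes sure their access is terminated"): the HR feed only records the status change; an account remains in the application until the aggregation detects the mismatch and a removal is actually processed.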
IAM Portal High Level Architecture (How it Works)
(Architecture diagram. Its labelled components are: IAM Portal; Auto Provisioning; CW Lifecycle Management; Manager (Employees); CSV; Manual; Access Provisioning; Compliance Manager; VPN, DL, Delegation, etc.; Reporting & Metrics.)
Application Certifications and Attestations
User Access Management is an On-going Process throughout the entire User’s lifecycle
Attestation Landscape – How do we determine “who has access to what” in an application?
Centrally Managed Apps – Connected: IAM automatically creates or modifies the access needed
Centrally Managed Apps – Manual:
1. IAM team manually creates or modifies the access needed
2. IAM team would load the file of “who has access to what”
Business Managed Apps – Manual: Business Owner works with IT Owner to get a file of “who has access to what” for loading to the Excel Template
Automated Attestations / Manual Attestations
• Evidence of Certification performed by Manager (new model) or RPO
• Metrics: Revocations vs. Keeps, Time to Revoke, Time to Complete, etc.
• Must complete process – the only acceptable bar is 100% completion, every time
Attestation principles are the same whether Centralized or Business Managed
IAM Attestations: The Attestation Lifecycle
(The cycle runs Assess → Define → Review → Govern → Remediate.)
Assess
• Certification Type & Scope: Regular, or targeted sub-group
• Frequency: SOX/PCI and Privileged Access = Quarterly, all others Annually
Define
• Retrieve access information into Attestation Templates
• Educate on Review & Remediation
• Provide Training; Kick-off review cycle
Review
• Conduct user access reviews: Manager-based
• Continuous Progress Reports weekly up to ELT
• RPO support & assistance to Business where needed
• 4 week cycle for reviews
Govern
• Establish enterprise standards/principles
• Requirements & Controls for review
• Set Roles & Responsibilities for user access review
• Perform Quality Assurance / Spot Checking
• Secure Sign-offs from IT and Business Owners
Remediate
• Remediate user access where noted within 48 hours after closure of review
• Ticket/Closure or Evidence of remediation required for Audit
• Additional access pulls might be required to provide evidence of removals
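The attestation landscape and lifecycle slides above define the review frequency (quarterly for SOX/PCI and privileged access, otherwise annual), the 100% completion bar, the metrics (Revocations vs. Keeps, Time to Revoke, Time to Complete) and the rule that revocations must be remediated, with evidence, within 48 hours of review closure. This added example (not code from the deck or from any attestation tool) carries one constructed review cycle through those checks; the template row layout, dates and ticket references are assumptions.

```python
"""Attestation cycle bookkeeping for one manager-based review: frequency from
the Assess step, the 100% completion bar, Revocations vs. Keeps, Time to
Complete, Time to Revoke, and the 48-hour remediation SLA with evidence.
Added example; all records below are constructed, not real review data."""
from datetime import datetime, timedelta


def review_frequency(app):
    """Assess step: SOX/PCI scope or privileged access = quarterly, all others annually."""
    if app.get("sox") or app.get("pci") or app.get("privileged"):
        return "quarterly"
    return "annual"


# Constructed 4-week cycle: kick-off, closure, and the remediation window after closure.
REVIEW_OPENED = datetime(2024, 3, 4, 9, 0)
REVIEW_CLOSED = REVIEW_OPENED + timedelta(weeks=4)
REMEDIATION_SLA = timedelta(hours=48)

# Constructed attestation template rows: one per (user, entitlement) pair.
# decision is "keep", "revoke", or None while the manager has not yet acted.
TEMPLATE = [
    {"user": "aortiz", "entitlement": "AP_INVOICE_APPROVE", "manager": "e0002",
     "decision": "revoke", "decided_at": datetime(2024, 3, 10, 14, 0),
     "remediated_at": datetime(2024, 4, 2, 10, 0), "evidence": "TICKET-1"},
    {"user": "cdubois", "entitlement": "GL_VIEW", "manager": "e0003",
     "decision": "keep", "decided_at": datetime(2024, 3, 20, 11, 0),
     "remediated_at": None, "evidence": None},
    {"user": "bchen", "entitlement": "GL_VIEW", "manager": "e0002",
     "decision": "revoke", "decided_at": datetime(2024, 3, 28, 16, 0),
     "remediated_at": None, "evidence": None},
]


def completion(template):
    """Share of rows carrying a decision; anything under 1.0 fails the 100% bar."""
    decided = sum(1 for row in template if row["decision"] in ("keep", "revoke"))
    return decided / len(template)


def metrics(template):
    """Revocations vs. Keeps and Time to Complete (last decision minus kick-off)."""
    decided_at = [row["decided_at"] for row in template if row["decided_at"]]
    time_to_complete = max(decided_at) - REVIEW_OPENED
    return {
        "revocations": sum(row["decision"] == "revoke" for row in template),
        "keeps": sum(row["decision"] == "keep" for row in template),
        "time_to_complete_days": time_to_complete.days,
    }


def time_to_revoke_hours(template):
    """Per evidenced revocation, hours from the manager's decision to removal."""
    return {
        (row["user"], row["entitlement"]):
            (row["remediated_at"] - row["decided_at"]).total_seconds() / 3600
        for row in template
        if row["decision"] == "revoke" and row["remediated_at"] is not None
    }


def overdue_remediations(template, now):
    """Revocations not evidenced (ticket/closure) within 48 hours of review closure."""
    deadline = REVIEW_CLOSED + REMEDIATION_SLA
    overdue = []
    for row in template:
        if row["decision"] != "revoke":
            continue
        evidenced = row["remediated_at"] is not None and row["evidence"] is not None
        if evidenced and row["remediated_at"] <= deadline:
            continue                      # removed and evidenced inside the SLA
        if evidenced or now > deadline:   # late evidence, or none and deadline passed
            overdue.append((row["user"], row["entitlement"]))
    return overdue
```

The overdue list is what the Remediate step's "additional access pulls" are for: a revocation with no ticket or evidence after the window is treated as not done, regardless of what the manager decided.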
Privileged Identity Management
Who Are Privileged Access Users
Users who have access to do the following activities are considered to have privileged access:
• Provision users
• Reboot servers
• System level administration access
• System administrator level access within an application security module that allows individuals to override the controls of the application
• IDs provided as part of third party software solutions used to complete installation of the software.
• IDs that are used to run applications.
• Administrators with the ability to grant access or elevate privileges on an in-scope device
PA Program: Objectives
Account Administration:
• Account Administration Procedures
• Exception & Violation Procedures
• PA Awareness Training
• PA Account Inventory
• PA Account Reduction Strategy
Governance:
• Definition of Risk Criteria
• Roles and Responsibility
• PA Metrics Criteria
• Policy, Standard and Procedures
• Compliance Validation Efforts
Monitoring:
• Reporting Criteria
• Enforcement
• Alert Configuration
• Tool Configuration
• Reporting
• PA Logging Validation
Operational:
• Staffing Model
• Standard Operating Procedures
• Roles and Responsibility
• Data Feed Inventory
• Technology On-boarding Procedures
• Metrics
PA Program: Summary
What needs to be done:
• Dedicated PA monitoring team
• Daily alert reconciliation
• Password vaulting for NPA accounts
• Updated PA policies and Job Aid
• Manual quarterly PA review
• Alert tracking workflow
• Violation tracking data form
• Continuously working with teams to tune alerts
• Manual IAM Feeds
• Developed training for PA users
• CDI/SSO lookup tools
• File level monitoring (Windows)
What is Needed:
• More robust Nix monitoring
• Automation between IAM and Splunk
• Real Time Monitoring
• IAM quarterly PA reviews
• Restricting of service account logon
• Management of service accounts
• Removal of PA from personal ids
• Ability to discover PA accounts
• Solution for root/super user access
• Session recording
• Access to IAM data to verify user access
Challenges
• Technology not in place
• Immaturity of IAM platform
• Incorporation of PA requirements within IAM
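The privileged-access definition given earlier, together with the "PA Account Inventory", "Ability to discover PA accounts", "Removal of PA from personal ids" and "Password vaulting for NPA accounts" items in the PA program slides, amounts to a classification step over an account export. This added example (not the program's own tooling) applies that definition to a constructed inventory: each account is tagged with the reasons it counts as privileged, personal IDs carrying privileged rights are listed as removal candidates, and non-personal privileged accounts are listed as vaulting candidates. The entitlement names, account kinds and flags are assumptions.

```python
"""Privileged account discovery against the deck's definition of privileged access.
Added example; entitlement labels and the account export below are constructed."""

# Entitlements that meet the definition, with the matching bullet from the deck.
PRIVILEGED_MARKERS = {
    "PROVISION_USERS": "can provision users",
    "REBOOT_SERVER": "can reboot servers",
    "SYSTEM_ADMIN": "system level administration access",
    "APP_SECURITY_ADMIN": "can override application controls",
    "GRANT_ACCESS": "can grant access or elevate privileges",
}

# Constructed account export. "kind" distinguishes personal IDs from
# non-personal (service, vendor-installer, shared) accounts.
ACCOUNTS = [
    {"account": "aortiz", "kind": "personal", "entitlements": {"GL_VIEW"}},
    {"account": "jsmith", "kind": "personal", "entitlements": {"GRANT_ACCESS", "GL_VIEW"}},
    {"account": "svc_erp_batch", "kind": "service", "entitlements": {"GL_POST"},
     "runs_application": True},
    {"account": "vendor_install", "kind": "vendor", "entitlements": set(),
     "installer_id": True},
    {"account": "root_db01", "kind": "shared", "entitlements": {"SYSTEM_ADMIN"}},
]


def privileged_reasons(account):
    """Every reason the account meets the privileged-access definition (empty if none)."""
    reasons = [desc for ent, desc in PRIVILEGED_MARKERS.items()
               if ent in account["entitlements"]]
    if account.get("runs_application"):
        reasons.append("ID used to run an application")
    if account.get("installer_id"):
        reasons.append("third-party software installation ID")
    return reasons


def pa_inventory(accounts):
    """PA Account Inventory: account name -> reasons, for privileged accounts only."""
    inventory = {}
    for acct in accounts:
        reasons = privileged_reasons(acct)
        if reasons:
            inventory[acct["account"]] = reasons
    return inventory


def personal_ids_with_pa(accounts):
    """Candidates for the 'removal of PA from personal ids' objective."""
    return sorted(a["account"] for a in accounts
                  if a["kind"] == "personal" and privileged_reasons(a))


def vaulting_candidates(accounts):
    """Non-personal privileged accounts, i.e. the NPA accounts a vault would manage."""
    return sorted(a["account"] for a in accounts
                  if a["kind"] != "personal" and privileged_reasons(a))


if __name__ == "__main__":
    for name, reasons in pa_inventory(ACCOUNTS).items():
        print(f"{name:15} {'; '.join(reasons)}")
    print("remove PA from personal ids:", personal_ids_with_pa(ACCOUNTS))
    print("vaulting candidates:", vaulting_candidates(ACCOUNTS))
```

Running the same classification on every inventory pull, rather than once, is what turns it into the discovery capability the summary slide lists as still needed: an account that acquires a marker entitlement between pulls shows up in the inventory on the next run.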
PIM Tool Rollout Strategy
Privileged Identity Management (PIM)
Project Overview:
Release to Production and deployment of Enterprise Random Password Manager (ERPM), including deployment to Applications, Databases, Appliances and Devices across Production environments that use non-personal accounts. ERPM will provide Privileged Identity Management (PIM) with the means to randomize and manage passwords for non-personal accounts on target systems.
High-level Deployment Plan
• Deployment of all in-scope Applications, Databases, Appliances and Devices in subsequent phases
• Migrate Class PXX/SOX
• Migration of accounts, LDAP and Local accounts
• Migrate Unix/Linux accounts
• IAM Portal and Help Desk Integrations with PIM Tool
• Develop End User support models for Implementation and Ongoing BAU
Impact
Technology: Platforms, Appliances, Mainframe, AS 400, Unix (Solaris & RHEL), Windows, Database; Accounts: Shared Service
People: Enterprise Architecture, Security, Architecture, Security Ops, Infrastructure Teams: Compute and Build teams, Server Admins, DB & Run teams, Networking, Mainframe/AS 400, Application Teams