Identity and Access Management

IAM Solution Stack

Identity and Access Management describes a set of business processes, products and technologies that are used to identify people, manage credentials, and enforce access to enterprise information assets.


Provisioning and Password Management

Provisioning of users into disparate systems presents a formidable challenge for most organizations, particularly where manual and homegrown processes have evolved in the absence of a centralized provisioning solution. Comprehensive, reliable automation of user provisioning in a large organization often requires a multi-year effort, but it offers substantial business benefits:

  • Reduced operational costs (fewer helpdesk calls, automation of manual processes, etc.)
  • Single view of who has access to what, who granted it, when and why
  • New hires become fully productive sooner
  • Improved user experience
  • Regulatory compliance

Of course, user provisioning takes many different shapes and forms. While rule-based provisioning to enterprise directories and repositories is usually simple to automate, many business critical applications may have requirements for self-service access, complex approval processes, fine-grained entitlements management, and aggregation of identity data from multiple disparate sources. This is why business process modeling is such a critical element of a successful user provisioning project. Not only does it ensure that every provisioning use case is identified and addressed, but it helps to identify commonalities between business processes that can be leveraged to develop repeatable workflows and reduce costs.

But user provisioning is only part of the challenge. In large, heterogeneous I.T. environments, users typically have to remember multiple passwords for different systems. This not only incurs unnecessary operational costs due to increased helpdesk calls resulting from forgotten passwords, but it can lead to security exposures, as users tend to write their passwords on a sheet of paper or store them in an unprotected text file rather than try to remember them all.

Most commercial identity management suites incorporate password management functions that enable client, web or IVR-based self-service password reset or synchronization. Reducing the number of passwords that users have to remember is one of the most highly visible “wins” for any identity management project, although that does not mean it is an easy problem to solve, since the proliferation of disparate passwords is often just as attributable to inconsistent password policies as it is to a diverse I.T. infrastructure. Qubera has developed a formidable range of best practices, frameworks and methodologies to help our customers implement full user and credential management solutions that are designed for adaptability in a fast moving business and technology environment.


Directory Services

Whether you use a standard LDAP directory or Microsoft Active Directory to store user credentials, it is likely to be one of the most critical components of your I.T. infrastructure. Even a minor outage can be damaging, cutting off access for large numbers of users and incurring potentially significant losses for your organization. It is therefore essential to ensure that your directory infrastructure is robust, stable and able to scale with business demand.

Larger organizations frequently wrestle with the proliferation of multiple LDAP directory instances, often due to the creation of application-specific directories. This has led to growing adoption of virtual directories, which offer dynamic, runtime aggregation of identity related data from multiple sources—including LDAP directories and RDBMS stores—effectively providing a single directory instance for the enterprise.


Role Based Access Controls (RBAC)

RBAC is arguably the most challenging of all IAM disciplines, but when done right, it can deliver enormous business value, both in terms of reduced TCO and enhanced adherence to compliance mandates.

Roles represent aggregated entitlements that are typically shared among individuals with similar organizational functions. Effective role design is a complex discipline that typically requires engagement from business stakeholders, rigid adherence to best practices, robust policies and standards, and a deep understanding of the organizational culture.

A well-conceived RBAC solution is an effective vehicle for reducing costs, alleviating regulatory compliance demands, promoting robust security and realizing end user productivity gains. By maintaining a laser sharp focus on industry best practices and adopting a hybrid methodology that marries top-down modeling of business functions with bottom-up mining of existing user entitlements, Qubera can help our customers develop an RBAC solution that delivers incremental business value without causing organizational disruption.
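A minimal illustration of the hybrid approach described above, as an added example that is not part of the original page and is not Qubera's tooling: a bottom-up pass mines candidate roles from a user-to-entitlement matrix, and a top-down pass checks a business-defined role against what its members actually hold, leaving the grants that no role explains for review. The user names, entitlement strings and role definitions are constructed for the example.

```python
"""Hybrid role engineering: bottom-up mining plus top-down reconciliation.

Added example; the user/entitlement matrix and role definitions below are
constructed for illustration and are not real data.
"""
from itertools import combinations

# Constructed sample: user -> set of "system:entitlement" grants.
USER_ENTITLEMENTS = {
    "alice": {"erp:view_invoice", "erp:create_po", "hr:view_self", "crm:read"},
    "bob":   {"erp:view_invoice", "erp:create_po", "hr:view_self", "crm:read"},
    "carol": {"erp:view_invoice", "erp:create_po", "hr:view_self"},
    "dave":  {"erp:view_invoice", "erp:approve_po", "hr:view_self"},
    "erin":  {"erp:view_invoice", "erp:approve_po", "hr:view_self", "erp:admin"},
    "frank": {"hr:view_self"},
}

# Top-down: roles defined from business functions, not from existing grants
# (constructed definitions: entitlement set, assigned members).
BUSINESS_ROLES = {
    "Purchasing Clerk": (
        {"erp:view_invoice", "erp:create_po", "hr:view_self"},
        ["alice", "bob", "carol"],
    ),
    "Purchasing Approver": (
        {"erp:view_invoice", "erp:approve_po", "hr:view_self"},
        ["dave", "erin"],
    ),
}


def mine_candidate_roles(entitlements, min_users=2, min_size=2):
    """Bottom-up: propose every entitlement set held in common by at least
    min_users users. Candidates come from pairwise intersections of user
    entitlement sets, a simple heuristic that is fine for small matrices;
    production role miners use clustering or lattice methods instead.
    Returns (candidate_set, sorted_members) tuples, largest candidates first."""
    candidates = set()
    for u, v in combinations(entitlements, 2):
        shared = frozenset(entitlements[u] & entitlements[v])
        if len(shared) >= min_size:
            candidates.add(shared)
    mined = []
    for cand in candidates:
        members = sorted(u for u, ents in entitlements.items() if cand <= ents)
        if len(members) >= min_users:
            mined.append((cand, members))
    mined.sort(key=lambda r: (-len(r[0]), -len(r[1]), sorted(r[0])))
    return mined


def reconcile(entitlements, role_entitlements, members):
    """Top-down: compare a defined role with its members' actual grants.
    'missing' = role entitlements the user lacks (a provisioning gap);
    'extra'   = grants the role does not explain (candidates for review)."""
    report = {}
    for user in members:
        have = entitlements.get(user, set())
        report[user] = {
            "missing": sorted(role_entitlements - have),
            "extra": sorted(have - role_entitlements),
        }
    return report


def unexplained_grants(entitlements, business_roles):
    """Grants not covered by any role the user belongs to: what is left for
    exception handling (or a new role) once the defined roles are applied."""
    covered = {u: set() for u in entitlements}
    for role_ents, members in business_roles.values():
        for user in members:
            covered[user] |= role_ents
    return {u: sorted(ents - covered[u])
            for u, ents in entitlements.items() if ents - covered[u]}


if __name__ == "__main__":
    for cand, members in mine_candidate_roles(USER_ENTITLEMENTS):
        print(f"candidate {sorted(cand)} held by {members}")
    for name, (ents, members) in BUSINESS_ROLES.items():
        print(name, reconcile(USER_ENTITLEMENTS, ents, members))
    print("unexplained:", unexplained_grants(USER_ENTITLEMENTS, BUSINESS_ROLES))
```

Read together, the two passes do the work the paragraph describes: mining surfaces that `crm:read` is shared by alice and bob (a possible missing role or a shared exception), while reconciliation flags erin's `erp:admin` as a grant the Purchasing Approver role does not justify, and frank as a user no business role accounts for.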


Entitlements Management

In many organizations, application owners have traditionally been responsible for managing fine-grained access to functionality and data. This is typically achieved in a variety of ways: through hardcoded business logic, custom application roles or even a local entitlements server.

In an era of increasingly stringent regulatory mandates, localized entitlements management presents numerous challenges. For instance, separation of duties (SoD) policies may be driven not by coarse-grained access to different systems but by fine-grained access to individual functions within those systems. Unless entitlements are managed centrally, it is difficult and expensive to enforce such policies and flag policy violations.

A centralized entitlements management solution enables runtime enforcement of fine-grained access controls, and provides a single interface for maintaining entitlements across the enterprise. Externalizing entitlements management from individual applications not only enhances regulatory compliance, but reduces development costs, as developers no longer have to be concerned about building custom entitlement handling logic into their applications.
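To make the coarse- versus fine-grained point concrete, here is an added example (not code from this page or from Qubera) of a small centralized SoD check: a detective scan over existing grants, a preventative check evaluated before a new grant is applied, and a system-level view that shows why a coarse-grained check cannot express the same policy. The users, systems, entitlement names and rule pairs are constructed for the example.

```python
"""Centralized separation-of-duties (SoD) enforcement over fine-grained grants.

Added example; the rules and grants below are constructed for illustration.
"""

# Constructed SoD rules: holding both entitlements in a pair is a conflict.
SOD_RULES = [
    ("erp:create_vendor", "erp:approve_payment", "can create a payee and pay it"),
    ("erp:create_po", "erp:approve_po", "can raise and approve own purchase order"),
    ("hr:edit_salary", "payroll:run_payroll", "can change pay and run the payroll"),
]

# Constructed current grants: user -> set of "system:function" entitlements.
GRANTS = {
    "alice": {"erp:create_vendor", "erp:view_invoice"},
    "bob":   {"erp:approve_payment", "erp:view_invoice"},
    "carol": {"erp:create_vendor", "erp:approve_payment"},   # conflict inside one system
    "dave":  {"hr:edit_salary", "payroll:run_payroll"},      # conflict across two systems
}


def violations(grants, rules):
    """Detective control: scan existing grants and list every (user, a, b, why)
    conflict, in user order, so it can feed a certification or remediation queue."""
    found = []
    for user, ents in sorted(grants.items()):
        for a, b, why in rules:
            if a in ents and b in ents:
                found.append((user, a, b, why))
    return found


def check_grant(grants, user, new_entitlement, rules):
    """Preventative control: evaluate a proposed grant before it is applied.
    Returns the (existing_entitlement, why) pairs it would conflict with;
    an empty list means the grant is allowed. Rules are checked in both orders."""
    have = grants.get(user, set())
    conflicts = []
    for a, b, why in rules:
        if new_entitlement == a and b in have:
            conflicts.append((b, why))
        elif new_entitlement == b and a in have:
            conflicts.append((a, why))
    return conflicts


def apply_grant(grants, user, new_entitlement, rules):
    """Apply a grant only when the preventative check passes; True on success."""
    if check_grant(grants, user, new_entitlement, rules):
        return False
    grants.setdefault(user, set()).add(new_entitlement)
    return True


def system_level_view(grants):
    """What a coarse-grained check sees: only which systems each user can reach.
    At this level alice (legitimate) and carol (in violation) are indistinguishable,
    which is why the rules above must be evaluated on the fine-grained entitlements."""
    return {u: {e.split(":", 1)[0] for e in ents} for u, ents in grants.items()}


if __name__ == "__main__":
    for user, a, b, why in violations(GRANTS, SOD_RULES):
        print(f"VIOLATION {user}: {a} + {b} ({why})")
    print("alice + erp:approve_payment ->",
          check_grant(GRANTS, "alice", "erp:approve_payment", SOD_RULES))
    print("system-level view:", system_level_view(GRANTS))
```

The detective scan catches carol and dave, the preventative check refuses to give alice `erp:approve_payment` while she can still create vendors, and the system-level view reduces both alice and carol to `{"erp"}`, so a policy written against system access alone could not separate them.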


Governance, Risk Management and Compliance (GRC)

Developing a robust Identity Governance strategy is not only foundational to the implementation of a successful IAM solution, but is critical to the long-term sustainability of the solution. Identity Governance describes what the concept of “identity” means to an organization, how it is constructed and maintained, and how identity data is leveraged by applications. It covers areas such as:

  • Establishing the data elements that constitute a user identity
  • Defining an authoritative source for each of those elements
  • A global attribute schema that describes the relationships between identity related data on disparate managed systems
  • A common taxonomy for users, entitlements and systems
  • Mapping well-defined business processes to every event in the identity lifecycle (e.g. new hire, job change, name change, termination)
  • Interfaces and SLAs that allow applications to consume identity as a service
  • Detailed policies and guidelines for identity consumers and providers
  • Centralization and automation of certification, attestation and remediation processes
  • Preventative and detective policy enforcement

Although Identity Governance does not necessarily entail a specific technology, it facilitates the design, creation and ongoing maintenance of a robust IAM solution. Qubera offers a range of tools and best practices, supported by the experience of our Identity Management team, to help our customers develop a robust and sustainable Identity Governance strategy.


Authentication

Single Sign-On describes the mechanism by which a user may present a single set of credentials to gain access to multiple systems without being prompted to log in again by each one. In its most basic form, SSO involves browser-based password authentication.

This is usually sufficient for internally hosted web applications, but most organizations have a need to extend SSO to other enterprise resources, such as the desktop and cloud providers. This has led to the growing adoption of Federated SSO and Enterprise SSO. Federated SSO allows users to securely authenticate across organizational boundaries without the need to administer additional identities and credentials, while Enterprise SSO extends unified authentication to non-web environments such as desktops, client-server and mainframe applications.

Strong authentication is often used to protect an organization’s most sensitive information assets. A strong authentication solution provides multi-factor and risk-based authentication using mechanisms such as digital certificates, one-time credentials, knowledge-based authentication, biometric devices and behavioral profiling, and can integrate seamlessly with whatever SSO solution you currently have in place.
