Securely Yours LLC
Identity and Access Management (IAM)
IAM in a Cloud Auditing Guidelines
IIA Detroit Chapter
September 8, 2009
Challenge of growing identities
IAM manages explosion of IDs
What does IAM involve
New Users (On boarding)
  - Adding users
  - Provisioning access
Existing Users (Entitlement Management)
  - Manage transfers
  - Verify appropriate access
  - Manage passwords
  - Manage remote access
  - Manage physical assets (cell phone, laptops etc) (optional)
Terminated Users (Off boarding)
  - Removing access
  - Deleting users
  - Acquiring assets back from users
What is the market
According to Forrester, February 2008, "Identity Management Market Forecast: 2007 To 2014":
  - IAM market will grow from nearly $2.6 billion in 2006 to more than $12.3 billion in 2014
  - Provisioning accounts for half of IAM market revenues today, but it will account for nearly two-thirds of all IAM revenues by 2014
  - The IAM market is actually just beginning its trajectory toward broad adoption and deep penetration
  - Trend: migrating from point products to identity suites, and from products to managed services
  - Vendors will decompose products into service-oriented architecture (SOA)-enabled functions, repackaged in the form of identity-as-a-service (IDaaS)
Ideal IAM solution - streamlined processes
[Diagram: Identity and Access Data Administration Architecture. Labels: Identity & Access Management Governance & Administration; Identity On Boarding; Entitlement Management; Off Boarding; Centralized Administration (Employee, Contract Employee, BPO, JV); Delegated Administration (Supplier, Dealer); Consistent Identity Established via Standard Processes; With Support for Lifecycle Events (e.g. Transfers, Leave of Absence); Standard Workflow Enabled Processes; Control; Optional; Role-Based Inter Application SoD; Intra-Application SoD; Entitlement Provisioning & De-provisioning; Appropriate Access Reviews; Disable Or Suspend Identity; Physical Asset Recovery; Automated Access Deprovision; Manual Access Deprovision]
Typical implementation of IAM Services
[Diagram: IAM Services. Labels: Organization Network Infrastructure; Internet; Managed Resources (Mainframe, Linux/Unix, AD, ERP, Email, Database); Application Server; LDAP; Intranet Portal; Database; User; Approver]
IAM Implementation challenges
  - Current budget constraints do not allow organizations to implement tools and technologies
  - Current market conditions are forcing organizations to cut costs, but the lack of efficient processes prohibits cost cutting
  - Inefficient processes prevent organizations from being nimble and changing as the business needs change, causing further frustration within the organization
Managed Services
[Diagram: IAM Services managed by the Managed Service Provider. Labels: Organization Network Infrastructure; Internet; Managed Resources (Mainframe, Linux/Unix, AD, ERP, Email, Database); Application Server; LDAP; Intranet Portal; Database; User; Approver]
IAM Services managed by the Outsource Service Provider
[Diagram: Identity and Access Management SP. Labels: Client Login URL: www.iam-sp.com; Client 1; Client 2; Enterprise Directory; MySQL Applications; Oracle Applications; IAM Service Provider; Load Balancer; Web Server; Application Server; App Server1; App Server2; App Server3; Oracle Identity Manager; LDAP Adapter; MySQL Adapter; Oracle Adapter; Database Connection; IAM Database]
Benefits of the IAM Cloud
  - Minimum or no updates to organization's systems
  - Headache of IAM implementation passed to the service provider
  - Reduced FTE requirements to support administration
  - Reduced cost structure through Software as a Service (SaaS) approach: as much as 25% cost reduction
  - Organization positioned for future enhancement
  - Automated Segregation of Duties (SOD) checks during approval process
  - Ease of audit compliance as Continuous Control Monitoring becomes reality
Role Of Internal Audit
Auditing IAM Environment
Three elements to Audit
  - Client Environment
  - Provider Environment
  - The Cloud
Auditing a Client Environment - Scope
Process
  - IAM process from on-boarding to termination
  - Approval process
  - Workflow management
Technology
  - Servers managed by IAM
  - Applications managed by IAM
  - Network infrastructure used for IAM
  - Access Control for all servers, applications, network resources and workflow
Auditing a Client Environment - Scope
People
  - Segregation of Duties (SOD)
  - Hierarchy of organization for approvals
Others
  - Proxy repositories
  - Regulatory reports
Auditing a Provider Environment - Scope
Technology
  - IAM servers residing in provider's environment
  - Access control of provider's infrastructure
  - Access control of client's data
Process
  - Security operations process
  - SAS 70 Type II reports
  - Periodic reports from the provider
People
  - SOD and privacy
Auditing the cloud - Scope
  - Security of tunnel between provider and client
  - Segregation of a client's data from other clients' data
Security in a Cloud Internal Auditor 8/09
Questions and Answers
Sajay Rai, CEO, Securely Yours LLC
sajayrai@securelyyoursllc.com
www.securelyyoursllc.com
248-723-5224