7/31/2019 4 Darran Rolls
Cloud Identity & Access Governance
Managing Identity & Entitlement in a Hybrid Datacenter Environment
Darran Rolls
CTO
SailPoint Technologies
Agenda
Understanding Identity & Access Governance (IAG): What is it? How do you achieve it?
Cloud IAG Today: Where are we now? What are the issues?
IAG Modeling for Cloud: How do you collect, model & understand the data?
Hybrid IAG Deployment: How do you integrate IAG for Cloud and Enterprise?
Recommendations: What can you do right now?
Q&A
Understanding IAG: Three Important Questions

Who currently does have access to what resources?
Who should have access to what resources?
How do I manage the on-going process of reconciling the two?

Actual State: Observation, Reconciliation, Analysis
Desired State: Policy, Governance, Modeling
Managed State: Provisioning, Change Control, Audit
Understanding IAG: Business Driven Identity Change Management & Audit

Change drivers:
- Infrastructure Change
- Business Process Change
- People/HR Change (Joiners, Movers, Leavers)

Desired State: Policy, Governance, Modeling
Actual State: Observation, Reconciliation, Analysis
Managed State: Provisioning, Change Control, Audit

Governance Models: Consistent Policy, Repeatable Process, Sustainable Controls
Audit & Controls
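The three states on these slides (actual, desired, managed) come together in a reconciliation step: observe what accounts hold, derive what the role model says they should hold, and emit the provisioning changes and audit reasons that close the gap. The following is an added example written for this page, not code from the presentation or from SailPoint; the role model, HR feed, observed accounts and entitlement names are constructed sample data, and the "orphan" and "leaver" handling are assumptions about how such a reconciler should treat uncorrelated and terminated accounts.

```python
"""Reconciling actual state against desired state and deriving managed-state changes.

Constructed example: the role model, the HR feed and the observed application
accounts below are invented sample data; they are not data from the presentation.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Desired state: business roles -> entitlements, as defined by policy and modeling.
ROLE_MODEL: dict[str, set[str]] = {
    "sales-rep": {"sf:profile:Standard User", "sf:object:Opportunity:Read"},
    "sales-manager": {"sf:profile:Standard User", "sf:object:Opportunity:Read",
                      "sf:object:Opportunity:Edit", "sf:role:RoleB"},
    "finance-clerk": {"sf:object:Invoice:Read"},
}

# Authoritative identity data (HR feed): identity -> employment status and business roles.
IDENTITIES: dict[str, dict] = {
    "alice": {"status": "active", "roles": {"sales-manager"}},
    "bob": {"status": "active", "roles": {"sales-rep"}},
    "carol": {"status": "terminated", "roles": {"finance-clerk"}},
}

# Actual state observed from the application: account -> correlated identity (None if
# no identity matched) and the entitlements currently held.
OBSERVED_ACCOUNTS: dict[str, dict] = {
    "alice@corp.example": {"identity": "alice", "entitlements": {
        "sf:profile:Standard User", "sf:object:Opportunity:Read", "sf:role:RoleB"}},
    "bob@corp.example": {"identity": "bob", "entitlements": {
        "sf:profile:Standard User", "sf:object:Opportunity:Read", "sf:object:Opportunity:Edit"}},
    "carol@corp.example": {"identity": "carol", "entitlements": {"sf:object:Invoice:Read"}},
    "svc-import": {"identity": None, "entitlements": {"sf:profile:System Administrator"}},
}


@dataclass(frozen=True)
class ChangeRecord:
    """One managed-state action: what provisioning should do, and why (for the audit trail)."""
    action: str  # "grant", "revoke", "disable" or "review"
    account: str
    entitlement: Optional[str]
    reason: str


def desired_entitlements(identity: str) -> set[str]:
    """Desired state for one identity: the union of its role entitlements; leavers get nothing."""
    record = IDENTITIES[identity]
    if record["status"] != "active":
        return set()
    return set().union(*(ROLE_MODEL[role] for role in record["roles"]))


def reconcile() -> list[ChangeRecord]:
    """Compare each observed account with desired state and emit the changes that close the gap."""
    changes: list[ChangeRecord] = []
    for account, observed in sorted(OBSERVED_ACCOUNTS.items()):
        identity = observed["identity"]
        if identity is None:
            # Orphan: nobody in the authoritative source owns it, so a human must review it.
            changes.append(ChangeRecord("review", account, None, "orphan account, no identity correlated"))
            continue
        status = IDENTITIES[identity]["status"]
        if status != "active":
            # Leaver: the whole account goes, regardless of what it currently holds.
            changes.append(ChangeRecord("disable", account, None, f"identity {identity} is {status}"))
            continue
        desired = desired_entitlements(identity)
        actual = observed["entitlements"]
        for ent in sorted(desired - actual):
            changes.append(ChangeRecord("grant", account, ent, "required by role model but missing"))
        for ent in sorted(actual - desired):
            changes.append(ChangeRecord("revoke", account, ent, "held but not in desired state (out-of-model assignment)"))
    return changes


def summary(changes: list[ChangeRecord]) -> dict[str, int]:
    """Count of changes per action, the headline figure a governance dashboard would show."""
    counts: dict[str, int] = {}
    for change in changes:
        counts[change.action] = counts.get(change.action, 0) + 1
    return counts


if __name__ == "__main__":
    for change in reconcile():
        print(f"{change.action:8} {change.account:22} {change.entitlement or '-':32} {change.reason}")
```

Running it lists one grant (alice is missing an entitlement her role requires), one revoke (bob holds an edit permission outside his role), one disable (carol is terminated in HR but still has an account) and one review (a service account with no owning identity). Each record carries its reason, which is what the audit side of the managed state needs to retain.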
Understanding IAG: Identity Lifecycle Management

Emphasis placed on business-centric Governance Models at the center of the IdM lifecycle

Stakeholders: Audit, IT Sec, Help Desk, Biz User
Lifecycle elements: Risk Model; Joiners, Movers, Leavers; Business User Self Service; UAR Certification; Analytics & Reporting; Compliance & Audit Proof
Cloud IAG Today: Where are we now? What are the issues?

Cloud IAG for SaaS is very immature!
- Deployments are often business-driven initiatives
- Owners, admins and users are outside of IT
- Apps often not deemed as being compliance relevant
- Under the radar in every sense

Native application administration capabilities often weak
- Manual administration with minimal delegation
- No connection to core Joiner/Mover/Leaver processes
- Limited audit and controls oversight

Cloud comprises complex application security models
- Sophisticated, extensible applications
- Complex authorization models and processes
- Groups, roles & profiles, direct permissions
Cloud IAG Today: Example: SalesForce Model

Authentication: Login (Federated, Delegated, Local password)
Entitlements & Data:
- Role Hierarchy (Public/Private)
- Groups (Standard/Custom)
- Profiles (Key Attributes)
- Sharing Rules (Data Objects, Criteria, Permissions)
- Field-level Security (Fields, Criteria, Permissions)
Cloud IAG Today: Example: SalesForce Additional Configuration

Diagram elements: Role hierarchy (RoleA, RoleB, RoleC, RoleD, Sub-Ordinates), Group (Static Membership), Profile (Static Assignment), Login, Audit Trail / Log Data
Additional configuration areas: Ownership Rules, Password Policies, Session Config, Network Config, SSO/IdP Setup, Key Mgmt, Field-level Security, Record-type Settings, Admin Permissions, Object Permissions, Login Restriction, Apex Class Access
Cloud IAG Today: Example: SalesForce Direct Permissions

Diagram elements: Role hierarchy (RoleA, RoleB, RoleC, RoleD), Group, Login, Profile
Direct permission assignments (outside the role/group/profile model): Field-level Security, Object Permissions, Apex Class Access
Cloud IAG Today: Where are we now? What are the issues?
Nimbostratus Cloud Scenario: The Bad Weather Example
Nimbostratus Cloud IAG Scenario: The Bad Weather Use Case

1. Regional office purchases accounts from salesforce.com
2. Local admin from the line-of-business uses native Manage Users interface
3. Admin creates new, complex, direct permission assignments at will
4. Admin manually adds new users with no tracking against desired state policies
5. The wrong entitlements get assigned to the wrong person - no one notices
6. New user gets to see private/confidential data
7. That user leaves the company - no Leaver action is taken, user retains his account
8. No ongoing re-certification of access, no reporting and no policy is checked
9. Ex-employee continues to access and share key records and sales data
Cloud IAG Today: Where are we now? What are the issues?

No Software must not mean No Controls
Understand the data & connect the processes
IAG Modeling: Understanding the Data, Collecting the Data

Account & Entitlement Data: Users, Groups, Roles, Profiles
Authoritative Identity Data: HR Systems, Directories, Contractor DBs
Account Classification: System Accounts, Privilege Accounts, Orphan Accounts
Entitlements Warehouse: Integrated, Normalized Data
Business context: Business Roles, Business Risk, Business Policies
Configuration Audit Trail
IAG Modeling - Understanding the Data: Building Unified Governance Models to Capture Understanding

Governance models: Entitlement Modeling, Policy Model, Audit Model, Control Model, Risk Model

Model elements (as laid out on the slide):
- Dynamic Roles & Groups; Entitlement Glossary; Re-factoring / Modeling
- JML Process Triggers; Access Reviews; Change Controls
- Approval Flows; Ownership & Reviews; Tracked Actions & Reporting
- Defined SoD Rules; Change Triggers; Checks & Balances
IAG Modeling - Understanding the Data: Building Unified Governance Models to Capture Understanding

(SalesForce direct permissions model as on the earlier slide: Role hierarchy RoleA to RoleD, Group, Login, Profile, and direct Field-level Security, Object Permissions and Apex Class Access assignments)

Map direct permissions, Catalog entitlements, Assign owners
Define SoD rules, Approval flows, Access reviews
Apply risk scoring, Self-service, Audit & Reporting
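The steps on this slide (map direct permissions, catalog entitlements with owners, define SoD rules, apply risk scoring, feed access reviews) can be shown end to end on a small SalesForce-style data set. The code below is an added example for this page, not code from the presentation or from SailPoint; the profiles, direct assignments, catalog owners, risk weights, the SoD rule and the doubling of risk for direct assignments are all constructed assumptions.

```python
"""Building a unified governance model over a SalesForce-style entitlement set:
map direct permissions, catalog entitlements with owners, evaluate SoD rules,
apply risk scoring and assemble access-review items per owner.

Constructed example: the profiles, direct assignments, catalog owners, risk
weights and SoD rules below are invented sample data, not the presentation's.
"""
from __future__ import annotations

from collections import defaultdict

# Profile -> permissions granted through the profile (normalized entitlement names).
PROFILES: dict[str, set[str]] = {
    "Standard User": {"object:Opportunity:Read", "object:Account:Read"},
    "Sales Ops": {"object:Opportunity:Read", "object:Opportunity:Edit", "object:Contract:Edit"},
}
USER_PROFILE: dict[str, str] = {"dave": "Standard User", "erin": "Sales Ops", "frank": "Standard User"}

# Direct, per-user assignments that bypass the profile model (the slide's "Direct" arrows).
DIRECT: dict[str, set[str]] = {
    "dave": {"apex:BulkExportController"},
    "erin": {"object:Contract:Approve", "fls:Opportunity.Amount:Edit"},
}

# Entitlement catalog: each entitlement gets a business owner and a risk weight (assumed values).
CATALOG: dict[str, dict] = {
    "object:Opportunity:Read": {"owner": "sales-lead", "risk": 1},
    "object:Opportunity:Edit": {"owner": "sales-lead", "risk": 3},
    "object:Account:Read": {"owner": "sales-lead", "risk": 1},
    "object:Contract:Edit": {"owner": "legal-lead", "risk": 5},
    "object:Contract:Approve": {"owner": "legal-lead", "risk": 8},
    "apex:BulkExportController": {"owner": "platform-lead", "risk": 9},
    "fls:Opportunity.Amount:Edit": {"owner": "finance-lead", "risk": 4},
}

# Separation-of-duties rules: pairs that one person must not hold at the same time.
SOD_RULES: list[tuple[str, str]] = [("object:Contract:Edit", "object:Contract:Approve")]

# Assumption for this example: a direct assignment counts double, because it sits
# outside the profile model and is invisible to profile-based reviews.
DIRECT_WEIGHT = 2


def effective_entitlements(user: str) -> dict[str, str]:
    """Flatten a user's profile and direct permissions; the value is the assignment path."""
    profile = USER_PROFILE[user]
    effective = {ent: f"profile:{profile}" for ent in PROFILES[profile]}
    for ent in DIRECT.get(user, set()):
        effective[ent] = "direct"
    return effective


def sod_violations(user: str) -> list[tuple[str, str]]:
    """Return every SoD rule this user's effective entitlements violate."""
    held = effective_entitlements(user)
    return [(a, b) for a, b in SOD_RULES if a in held and b in held]


def risk_score(user: str) -> int:
    """Sum catalog risk weights over effective entitlements, weighting direct assignments."""
    score = 0
    for ent, path in effective_entitlements(user).items():
        weight = CATALOG[ent]["risk"]
        score += weight * DIRECT_WEIGHT if path == "direct" else weight
    return score


def review_packets() -> dict[str, list[tuple[str, str, str]]]:
    """Group (user, entitlement, path) items by catalog owner for a user access review."""
    packets: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for user in sorted(USER_PROFILE):
        for ent, path in sorted(effective_entitlements(user).items()):
            packets[CATALOG[ent]["owner"]].append((user, ent, path))
    return dict(packets)


if __name__ == "__main__":
    for user in sorted(USER_PROFILE):
        print(user, "risk:", risk_score(user), "SoD:", sod_violations(user))
    for owner, items in review_packets().items():
        print(owner, "must certify", len(items), "items")
```

The point of recording the assignment path ("profile:..." or "direct") is that a reviewer sees not just what a user holds but how it got there: erin's SoD violation only exists because a direct Contract:Approve assignment was layered on top of a profile that already grants Contract:Edit, which is exactly the kind of combination a profile-only review would miss.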
IAG Modeling: Connecting the Processes, Integrated Lifecycle Management

People/HR Change: HR Systems, Directories, Contractor DBs
Audit & Controls Change: Remediation, Violation, Model Change
Self-Service: Access Request, Password Mgmt, Account Control
Hybrid IAG Models: How do you integrate IAG for Cloud & Enterprise?
Altocumulus Cloud Scenario: The Good Weather Example
Altocumulus Cloud IAG Scenario: Alternate Good Weather Use Case

1. Regional office adds account management for SalesForce CRM to corporate IAG system
2. Accounts and entitlement assignments are matched to identity records
3. Roles, groups & profiles are catalogued and set up ready for self-service access request
4. Business policies are defined and scanned against current state; detected violations forwarded to owning business user
5. Joiner and Mover triggers are integrated with HR processes; defined business process steps with embedded controls
6. LOB uses common self-service access request to add/change SF entitlements; dynamic approvals execute, risk score is elevated, audit logs are retained
7. Managers run periodic integrated user access reviews for all employees & contractors
8. Leaver events are processed from HR and pushed out to all connected cloud systems
9. SalesForce CRM account is disabled and audit records retained for compliance reporting
Hybrid IAG Models: How do you integrate IAG for Cloud & Enterprise?
Integrating cloud applications with enterprise IAG controls

Deploy SaaS connectors as part of an IAG program
- Use remote APIs for user management (Simple Cloud Identity Management, SCIM *)
- Map accounts to identities
- Catalog entitlements
- Model, View, Control

Implement an IAG gateway/proxy/agent for IaaS
- Software agent in the cloud runtime
- Secure connectivity back to management node
- Discover user repositories
- Map accounts to identities
- Catalog entitlements
- Model, View, Control

* http://www.simplecloud.info

Diagram: IAG system connected to an IAG Proxy in the cloud
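The "remote APIs for user management" on this slide, and the Joiner and Leaver steps of the good weather scenario (HR event pushed to the connected cloud system, account disabled, audit record retained), can be expressed as concrete SCIM messages. The code below is an added example for this page, not code from the presentation or from SailPoint. The slide cites SCIM at simplecloud.info; this example uses the SCIM 2.0 message formats from the later IETF specifications (RFC 7643/7644). It builds and checks the messages without contacting a server: the HR record, the endpoint path, the SCIM id and the simulated ListResponse are constructed sample data, and apply_patch_locally is a stand-in for what the SaaS side would do.

```python
"""Pushing Joiner and Leaver events to a SaaS application through a SCIM user-management API.

Constructed example. The presentation names SCIM (simplecloud.info) as the remote API
for user management; this code uses the SCIM 2.0 message formats (RFC 7643/7644) and
builds and checks the messages without talking to any server. The HR record, the
endpoint path and the simulated server response are invented sample data.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone
from urllib.parse import urlencode

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed HR record for the joiner/leaver in this example.
HR_RECORD = {"employee_id": "E10042", "given": "Carol", "family": "Rivera", "email": "carol@corp.example"}


def joiner_user_resource(hr: dict) -> dict:
    """Joiner: the SCIM User body to POST to /Users, keyed back to HR by externalId."""
    return {
        "schemas": [USER_SCHEMA],
        "externalId": hr["employee_id"],
        "userName": hr["email"],
        "name": {"givenName": hr["given"], "familyName": hr["family"]},
        "emails": [{"value": hr["email"], "primary": True}],
        "active": True,
    }


def lookup_request(user_name: str) -> str:
    """Leaver step 1: the GET path that finds the SaaS account for an HR identity by userName."""
    return "/Users?" + urlencode({"filter": f'userName eq "{user_name}"'})


def resource_id_from_list(list_response: dict) -> str:
    """Leaver step 2: pull the single matching id out of a SCIM ListResponse; refuse ambiguity."""
    if LIST_SCHEMA not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    if list_response.get("totalResults") != 1 or len(list_response.get("Resources", [])) != 1:
        raise ValueError("expected exactly one matching user, got %r" % list_response.get("totalResults"))
    return list_response["Resources"][0]["id"]


def leaver_patch() -> dict:
    """Leaver step 3: the PatchOp body that disables the account (PATCH /Users/{id})."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def apply_patch_locally(resource: dict, patch: dict) -> dict:
    """Simulated server side: apply 'replace' on top-level attributes only, enough to test the flow."""
    updated = dict(resource)
    for op in patch["Operations"]:
        if op["op"] != "replace" or "." in op["path"]:
            raise NotImplementedError("simulation handles top-level replace only")
        updated[op["path"]] = op["value"]
    return updated


def audit_record(before: dict, after: dict, hr: dict) -> dict:
    """Leaver step 4: the retained audit evidence that the account was disabled and why."""
    return {
        "event": "leaver.deprovision",
        "externalId": hr["employee_id"],
        "scim_id": after["id"],
        "userName": after["userName"],
        "active_before": before["active"],
        "active_after": after["active"],
        "at": datetime.now(timezone.utc).isoformat(),
    }


def run_leaver(hr: dict, list_response: dict) -> dict:
    """Drive the leaver flow against a ListResponse the SaaS side would return."""
    scim_id = resource_id_from_list(list_response)
    before = list_response["Resources"][0]
    after = apply_patch_locally(before, leaver_patch())
    assert after["id"] == scim_id
    return audit_record(before, after, hr)


if __name__ == "__main__":
    # Simulated response to lookup_request(): the account as the SaaS currently holds it.
    found = {"schemas": [LIST_SCHEMA], "totalResults": 1,
             "Resources": [dict(joiner_user_resource(HR_RECORD), id="2819c223")]}
    print(lookup_request(HR_RECORD["email"]))
    print(json.dumps(run_leaver(HR_RECORD, found), indent=2))
```

Two design points matter here. The externalId ties the SaaS account back to the HR employee id, so the Leaver event can be matched without guessing from names. And resource_id_from_list refuses to proceed unless the lookup returns exactly one account: if a userName matches zero or several records, deactivating the wrong one (or none) is the failure the bad weather scenario describes, so the flow stops and hands the case to a human.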
Hybrid IAG Models: IAG for Cloud & Enterprise
Recommendations: Some SalesForce Specifics
- Run the Security Health Check application
- Use Audit Trail for configuration changes
- Keep custom profiles to a minimum
- Use great care with custom Apex/Visualforce
- Model the data and integrate the controls processes with enterprise IAG

General Cloud IAG Best Practices
- Connect SaaS, PaaS and IaaS applications with core IdM systems
- Model all cloud authorization models within your entitlement warehouse
- Deploy integrated Joiner-Mover-Leaver processing
- Plan integrated user access reviews for cloud and enterprise apps
- Define and enforce policies regardless of where the application executes
- Promote audit, reporting and analytics for all applications
Q&A
www.sailpoint.com/cloud