Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Presentation transcript:


Identity management (IDM) is about:
- Developing controls to prevent, detect, or correct harmful events.
- Developing steps to identify and authenticate users, as well as to authorize their access to types of information.

IDM is a key component for the safe and secure delivery of online information and services.

Registration or identification: answers the question "Who are you?" (e.g., username).
Authentication: answers the question "How do I know it's you?" (e.g., passwords, biometrics, swipe card).
Authorization: answers the question "What are you allowed to do or see?" and validates that the user has the right to access a specific resource.

IDM covers five areas:
- IDM administration
- Information privacy
- Security
- Risk
- Regulatory compliance

IDM administration: involves user (de)registration in IT systems and the management of passwords. It determines which types of systems and information a user can access.

Information privacy: involves the organizational practices that assure the protection of information.

Security: involves the organizational practices that assure the protection not only of personal data but also of corporate intellectual property. However, it cannot prevent authorized users from using information inappropriately.

Risk: IDM practices should be based on an assessment of the risk involved to both individuals and organizations. IDM needs should also be linked to the level of risk involved.

Regulatory compliance: organizations have legal responsibilities to identify and authenticate users of their data. Organizations are also legally required to review key transactions done by employees.

Effective IDM, in collaboration with security, is the means to balance organizational risk and flexibility needs. Effective IDM helps businesses make better decisions as they become more mobile, global, digital, and interconnected.

Business needs that require strong IDM:
- Support for a mobile and global workforce
- Speedier mergers and acquisitions
- Protection for massive amounts
- The ability to present a consolidated view of data
- Improved online customer service
- Increased collaboration
- Addressing complex external relationships

Limited understanding of the business benefits of effective IDM:
- No business benefits
- No funds available

Fragmented governance between IT, HR, the business, and legal departments.

Current IDM practices and processes are often manual. Security risks are increasing rapidly. The number and type of devices not provided by the organization, and the number of remote users, are increasing.

Principles for effective IDM:
- Approach IDM holistically
- Focus on business value
- Adopt standards wherever possible
- Develop a roadmap
- Decouple IDM from applications, environments, and companies

Approach IDM holistically: IDM should be an integrated part of an organization's overall security framework, which consists of several layers.

IDM is part of a holistic security framework:
- Compliance: demonstrate policy enforcement aligned to regulations, standards, laws, and agreements.
- Identity and access: provide controlled and secure access to information, applications, and assets for both internal and external users.
- Information security: protect and secure data and information assets.
- Application security: continuously manage, monitor, and audit access to applications.
- Infrastructure security: comprehensively manage threats and vulnerabilities across networks, servers, and endpoints.
- Physical security: monitor and control access to buildings and secure areas.

Focus on business value: IDM should be designed to:
- Help make effective business decisions
- Reduce the cost of providing effective IDM
- Increase trust both internally and externally
- Support the development of electronic services and virtual work
- Enhance productivity and adherence to acceptable-use policies

Adopt standards wherever possible: enterprise IDM should adhere to open standards in order to facilitate the provisioning of cross-enterprise services (Smith 2008).

Develop a roadmap: this helps with the development of the framework, policies, and standards for IDM, as well as with the development of the processes and infrastructure required to achieve IDM.

Decouple IDM from applications, environments, and companies so that IDM can be managed holistically. Decoupling should also make identities portable across systems, technical environments, and devices.

Steps for implementing IDM:
- Identify IDM needs and set policy
- Address IDM process and governance
- Integrate IDM with architecture
- Incorporate traceability and auditability

Identify IDM needs and set policy: there is no standard list of identity attributes, so organizations should develop their own acceptable internal and external authentication, IDM triggers, and levels of access.

Address IDM process and governance: IDM processes need governance and business ownership of IDM so that the right decisions can be made about the flexibility-versus-risk trade-off. IDM should be viewed as a life cycle in order to develop and manage an improved process.

The IDM life cycle (figure) shows these stages: Register/Modify/Deregister; Authenticate/Authorize; Role-based provisioning; Consume; Manage; Monitor, audit and compliance.

Integrate IDM with architecture: the architecture group plans and designs how applications and infrastructure will evolve, and solves technical issues such as poor system integration and a lack of standards.

Incorporate traceability and auditability: a significant amount of time is spent on monitoring accounts, user activity, and compliance reports. The solution is to automate these processes and to incorporate them into governance.
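The three questions from the earlier slide (identification, authentication, authorization) and the life-cycle steps above (register/modify/deregister, authenticate/authorize, with an audit trail for traceability) in one small Python model. This is an added example, not code from the textbook; the role-to-resource mapping, user names and passwords are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical role-to-resource mapping, constructed for this example.
PERMISSIONS = {"hr": {"payroll", "directory"}, "staff": {"directory"}}


def _hash(salt: bytes, password: str) -> bytes:
    # The authentication secret is stored only as a salted PBKDF2 hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdmStore:
    """Register/modify/deregister, authenticate/authorize, with an audit trail."""

    def __init__(self):
        self.users = {}  # user -> {"salt", "pw_hash", "roles", "active"}
        self.audit = []  # traceability: (event, user, detail), in order of occurrence

    def _log(self, event, user, detail=""):
        self.audit.append((event, user, detail))

    def register(self, user, password, roles):  # establishes "Who are you?"
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw_hash": _hash(salt, password),
                            "roles": set(roles), "active": True}
        self._log("register", user, ",".join(sorted(roles)))

    def modify_roles(self, user, roles):
        self.users[user]["roles"] = set(roles)
        self._log("modify", user, ",".join(sorted(roles)))

    def deregister(self, user):
        self.users[user]["active"] = False  # disable but keep the record for audit
        self._log("deregister", user)

    def authenticate(self, user, password):  # "How do I know it's you?"
        u = self.users.get(user)
        ok = bool(u and u["active"]
                  and hmac.compare_digest(u["pw_hash"], _hash(u["salt"], password)))
        self._log("auth_ok" if ok else "auth_fail", user)
        return ok

    def authorize(self, user, resource):  # "What are you allowed to do or see?"
        u = self.users.get(user)
        allowed = bool(u and u["active"]
                       and any(resource in PERMISSIONS.get(r, ()) for r in u["roles"]))
        self._log("authz_ok" if allowed else "authz_denied", user, resource)
        return allowed
```

Note that a successful authentication never by itself grants access: authorization is a separate check against the user's roles, and every decision, successful or not, lands in the audit list that a compliance report would be built from.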

IT managers must balance the risks of becoming networked and opening their firewalls to clients against the expected business value delivered. Effective IDM initiatives must be articulated in both business and technical terms; this encourages business leaders to be involved in the process.
