
Identity & Access Management

TCS Confidential

Objectives
- Understand the Identity and Access Management (IAM) system and its components
- Learn how to integrate applications with IAM


Agenda
Identity & Access Management (IAM) Overview

Understanding IAM Life Cycle


IAM Integration with Applications


Identity & Access Management (IAM) Overview


Identity Management
Managing the user identities in the multiple directories and identity stores across an organization

[Diagram: App1, App2, App3 and App4, each with its own Authentication link to the User Identity Stores: Active Directory, Sun One Directory, Oracle Database, SQL Server]

Access Management
Managing the access control to various resources in an organization to determine who can access what resources under what conditions

[Diagram labels: Application User; Application 1, Application 2, Application 3; Check policy for access / Response; Access Control Policy Server; Access Control Policies; Policy Admin]

Need for IAM Solution

Ghost User Accounts: "I still have accounts in my systems for employees that have been gone for months."

Multiple Directories: "I have multiple user repositories. I don't know which one has correct data and which one is latest."

Auditors' Requirements: "I need to see who created your accounts, when they were modified, what was changed on them and when they were deleted."

Help Desk Overload: "25% of my help desk cost is resetting forgotten passwords."

Reports: "It takes three days to gather a list of all the accounts that each user has."

Employee Productivity: "It takes seven days for a new employee to get all his or her system accounts set up."

Privilege Creep: "As employees move from job to job, they keep acquiring new system privileges. They never give any up. How do I fix that?"

Escalating Administration Costs: "There is just no budget to hire more administrators, but we are acquiring a new bank next week."


Key Drivers for IAM Solution


- Higher levels of information and infrastructure security
- Rapid growth in business and increased employee strength
- Need for a fully automated system for user access requests
- Reduce user provisioning/de-provisioning latency
- Enhance user convenience for user account management
- Provision of workflows for account access requests
- Delegation of administration to Helpdesk (front end team)
- Cost containment by effective use of Security Administrators and Helpdesk Team
- Real time enforcement of standardized security policies across different servers
- Centralized audit control and monitoring mechanism for user account management
- A centralized solution that is scalable and optimal in performance


Understanding IAM Life Cycle


Identity Life Cycle

1. New User
   - User ID creation
   - Credential issuance
   - Entitlements
2. Change User
   - Promotions
   - Transfers
   - Entitlement changes
3. Help Desk
   - Password reset
   - New entitlements
4. Retire User
   - Delete accounts
   - Remove entitlements

Access Control Functions

[Diagram labels, roles around the Access Control Server:]
- Admin: performs administrative tasks
- Auditor: accesses audit logs
- Password Manager: resets passwords
- Operator: starts or stops Access Control
- Access endpoint via Endpoint Mgmt
- Endpoint: Users & Groups, File System, Applications, Database

Role Based Entitlement


Assign privileges to users by assigning roles. A role contains tasks that correspond to application functions in Identity Manager or account templates that correspond to additional accounts. When you assign a role to a user, that user can perform the tasks contained in the role or use the accounts associated with the role.

Admin Role

Provisioning Role
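The role model above, tied to the ghost-account and privilege-creep problems from the "Need for IAM Solution" slide, as an added example that is not part of the original deck or of any IAM product. The role names, users, endpoints and HR feed are constructed for illustration.

```python
from datetime import date

# Hypothetical role catalogue: each role bundles tasks and account templates.
ROLES = {
    "developer": {"tasks": {"view_profile"},
                  "accounts": {"ActiveDirectory", "OracleDB"}},
    "helpdesk":  {"tasks": {"view_profile", "reset_password"},
                  "accounts": {"ActiveDirectory"}},
}
# Constructed HR feed (authoritative source): current roles and last working day.
HR = {
    "asha":  {"roles": ["developer"], "last_day": None},
    "ravi":  {"roles": ["helpdesk"], "last_day": None},  # transferred from developer
    "meena": {"roles": ["developer"], "last_day": date(2024, 1, 31)},
}
# Constructed snapshot of what the endpoints actually hold per user.
ACTUAL = {
    "asha":  {"tasks": {"view_profile"}, "accounts": {"ActiveDirectory", "OracleDB"}},
    "ravi":  {"tasks": {"view_profile", "reset_password"},
              "accounts": {"ActiveDirectory", "OracleDB"}},      # kept old DB account
    "meena": {"tasks": set(), "accounts": {"ActiveDirectory"}},  # never de-provisioned
    "tmp01": {"tasks": set(), "accounts": {"SQLServer"}},        # unknown to HR
}

def entitled(user, today):
    """Union of what the user's roles grant; empty after the last working day."""
    rec = HR.get(user)
    out = {"tasks": set(), "accounts": set()}
    if rec is None or (rec["last_day"] and rec["last_day"] < today):
        return out
    for role in rec["roles"]:
        for kind in out:
            out[kind] |= ROLES[role][kind]
    return out

def reconcile(today):
    """Return {user: (finding, excess)} for users holding more than their roles grant."""
    findings = {}
    for user, held in ACTUAL.items():
        want = entitled(user, today)
        excess = {k: held[k] - want[k] for k in held if held[k] - want[k]}
        if excess:
            kind = "privilege_creep" if any(want.values()) else "ghost_account"
            findings[user] = (kind, excess)
    return findings

if __name__ == "__main__":
    for user, (kind, excess) in sorted(reconcile(date(2024, 3, 1)).items()):
        print(user, kind, excess)
```

Because entitlements are derived from roles rather than stored per user, a transfer or retirement in the HR feed immediately changes what `entitled` returns, and anything left on an endpoint shows up as excess.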


IAM Automation Challenges


IAM Benefits
- Reduction in administration cost (cost containment)
- Improvement in user provisioning (productivity savings)
- Automatic de-provisioning across all repositories once the employee leaves the organization
- Near real-time / real-time deployment of user provisioning / de-provisioning based on role changes (business facilitation)
- User data synchronization across different operating systems and network domains using a single interface
- Single point of control facilitates efficient audits of any kind of violation of enforced policies
- Reduced cost of ownership of repositories (cost containment)
- Improved security

IAM Integration with Applications


TCS IAM Deployment

THIS SLIDE SHOULD BE DELETED BEFORE PRESENTING THIS TO A NON-TCS ENTITY.


TCS IAM System Overview

[Diagram labels: HRMS (Automated Input); User Profiles; Identity Mgmt Server; Access Control Server; Corporate Portal System; Network Authentication System; Project Servers; Corporate Messaging System; Customer Portal; Knowledge Management; ODC Servers; Subsidiary Systems; Other Messaging system; Collaboration System]

Solution Architecture
[Diagram labels:]
- Automated Input: ERP-HR / EAI / GHD / CRM / ..
- Staging DB (Oracle)
- IAM Admin Primary, IAM Admin Failover, IAM Admin DR
- Local Area Network; Replication Over WAN
- TCSe ADS
- INDIA Domain, APAC Domain, EMEA Domain, NOAM Domain, SOAM Domain
- APAC-ADC, EMEA-ADC, NOAM-ADC, SOAM-ADC
- Ultimatix Portal
- Corporate Messaging System; Zimbra Mail
- Customer Portal
- KnowMax
- Corporate Collaboration

Solution Coverage
Ultimatix
- Day 1 account creation for new joinee

Infra Domains (INDIA, APAC, NOAM, SOAM, EMEA, TCSe)
- Account movement across City / Country as per HR location
- Local security policies application as per location change

Messaging System
- Same day mailbox creation on email ID selection
- Mailbox movement as per location / country change
- Certifier change as per location change

Common
- Access revocation on last working day end of office hours
THIS SLIDE SHOULD BE MODIFIED BEFORE PRESENTING THIS TO A NON-TCS ENTITY.

Supported Native Systems


- Microsoft ADS
- Open LDAP
- Lotus Notes
- MS Exchange
- Oracle Database
- Microsoft SQL Server Database
- Oracle Apps


Integrating IAM with Active Directory


Integrating Lotus Domino Endpoint


Integrating ORACLE Applications Endpoint


Benefits to TCS
| | Before IAM Solution | After IAM Solution |
|---|---|---|
| No. of Admin. | 100 | 10 |
| Provisioning Time | 2 hours per directory | Near Real Time |
| Directory Management | One at a time | All at the same time |
| Data Sync | Low | High |
| Provisioning Frequency | Low | High |
| Interface | Equal to number of directories | Single |
| Provisioning Jobs | Equal to number of directories | One |
| Data Security | Normal Communication | SSL Communication |

What Next?


IAM Resources
- IAM in Cloud: https://wiki.cloudsecurityalliance.org/guidance/index.php/Identity_and_Access_Management
- CA Identity Manager Book Shelf: https://support.ca.com/cadocs/0/CA%20Identity%20Manager%20r12%205%20SP10ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?release-notes.html
- CA Access Control Book Shelf: https://support.ca.com/cadocs/0/CA%20Access%20Control%2012%205%205ENU/Bookshelf.html
- SAP Identity and Access Management System: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/60ea16e0-f039-2a10-78a4b7165e25ecd8
- Microsoft Cloud Identity Scenarios and Solutions for Developers: http://social.technet.microsoft.com/wiki/contents/articles/cloud-identity-scenarios-andsolutions-for-developers.aspx
- Oracle Identity Manager: http://www.oracle.com/us/products/middleware/identitymanagement/index.html


Assistance
Please post your queries for this subject on the JustAsk Discussion Forum:
Ultimatix > Knowledge Management > JustAsk [Category: Software Security Assurance (SSA)]

Latest updates and information on trainings and events for SSA can be found at:
Ultimatix > Enterprise Networking > Microblogging > Channel > Directory > SSA (Software Security Assurance)

SSA related information and documents:
Ultimatix > Knowledge Management > Security & ORM > Software Security [https://knowmax.ultimatix.net/sites/pegoi/security_orm/Software_Security/default.aspx]

Thank You

For more information, please visit the SSA site on Knowmax:


https://knowmax.ultimatix.net/sites/peg-oi/security_orm/Software_Security/default.aspx
