#RSAsummit
Who is Advancive
Pasadena, CA
Bangalore, India
• Established in May 2009
• Headquartered in Southern California, with additional delivery center in Bangalore and serving clients globally
• Consulting and systems integration firm with core competency in Identity & Access Management Solutions Design & Implementation
• Serving clients in several key verticals, such as Financial, Healthcare, Telecom, High-Tech and Manufacturing
Enterprise Identity Life Cycle Management Defined
Hire, Onboard, Transfer, Terminate
Joiners, Movers, Leavers
Accounts, Entitlements, Resources, Special Permissions, Privileged Rights
ILM Stages
• Request & Approval: The process of requesting and approving access (new, transfer, termination) to a target system, application, or resource for a user (person, system or applications)
• Fulfillment: The process of granting or removing access on a target system or application to a user (person, service, or application).
• Enforcement: The process of enforcing coarse and fine-grained access decisions
• Review & Certification: The process of identifying the
Enterprise Identity Life Cycle Management Defined
• People, processes and technology required to manage digital identities and their access to enterprise resources
• Typically covers the entire spectrum of identities within the organization: employees, contractors, customers, partners, etc.
• Manages identities throughout the entire relationship with the organization: acquisition, modification, termination
Case Study: Multinational Banking Institution
• Over 15,000 users worldwide
• Major branches in North America, Europe and Asia
• Highly manual, complex ILM processes that differ from region to region
• Some level of automation via several in-house built tools
Analysis: Organizational Readiness
• We bought the tool, now what do we do?
• Enterprise security (project owner) fully onboard
– However, there was a clear lack of communication or buy-in from other major stakeholders, especially HR and application owners
• Requirements were poorly defined; the team had trouble articulating AS-IS and TO-BE system requirements
– Significant portion of project budget was spent on helping the client
Analysis: Organizational Readiness
• The client was not prepared to streamline or adjust existing business processes, expecting that the tool would be able to solve existing problems
Analysis: Project Execution
• Scope creep. As the project progressed, new requirements were constantly added without much thought given to criticality or prioritization
• Best practices and recommendations were frequently discarded, because “that’s not going to work for us”
Analysis: Project Execution
• Client’s original intent to avoid any customization was quickly abandoned in order to implement “complex requirement X”
• Inadequate skillset of resources assigned by client to the project, as well as poor understanding of product capabilities and limitations
Analysis: Identity Lifecycle Process
• No good idea of where user identities were coming from or who was responsible for managing them
– Especially true for non-employee identities, such as contractors and temp workers
• No standards governing quality of identity data
• Lack of global unique identifier across different types of users
– Some contingent workers did not have a unique identifier at all. Identifiers that did exist would sometimes conflict with employee IDs
• Mainly manual user onboarding and access request process that differs
Analysis: Identity Lifecycle Process
• Review and removal of access for people changing job functions or business units (transfers) has not been performed
• Removal of access for terminated people was ad-hoc and inconsistent
• No clear understanding or process definition for terminating or extending access for contingent workers
• No standard account naming convention across applications and lack of
Lessons Learned: Governance & Delivery
• Ensure strong executive project sponsorship with authority to affect change
• Communication, communication, communication
• Engage IT AND business stakeholders early in the process
• Do your homework BEFORE jumping on product implementation
– Define existing state, future state and a clear roadmap
Lessons Learned: Governance & Delivery
• Build IAM architecture
– IAM Governance (oversight, policies and procedures, processes and compliance)
– Identity Architecture
– Access Architecture
– Authoritative Sources
• Business process reengineering is as much a part of the process. Not all manual processes can be effectively automated NOR SHOULD THEY BE
Lessons Learned: Governance & Delivery
• Follow best practices, even if it means changing certain business processes. It may cause some pain now, but will make life easier down the road
• Take the IAM project as an opportunity to streamline and simplify processes and technology architecture
Lessons Learned: Identity Lifecycle Management
• Establish an authoritative source of identity data for ALL in-scope users
• Establish an identity data governance framework. Understand user on-boarding and off-boarding processes and establish data and process ownership
• Standardize identity lifecycle and access provisioning/de-provisioning process across different locations and business units
• Focus on lifecycle process automation using authoritative source
Lessons Learned: Identity Lifecycle Management
• Create globally unique identifiers for ALL classes of users
• Provisioned accounts follow standard naming conventions and maintain account correlation attributes
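The identifier and correlation lessons above can be checked mechanically once an authoritative source exists. The following Python sketch is an added example, not part of the original presentation: it flags local IDs reused across user populations, identities with no ID, and accounts whose correlation attribute points to nobody or to a terminated user. All record fields, source names and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the case study); field names are assumptions.
AUTHORITATIVE = [
    {"source": "HR", "local_id": "1001", "name": "A. Rivera", "status": "active"},
    {"source": "HR", "local_id": "1002", "name": "B. Chen", "status": "terminated"},
    {"source": "VENDOR", "local_id": "1001", "name": "C. Okafor", "status": "active"},
    {"source": "VENDOR", "local_id": None, "name": "D. Silva", "status": "active"},
]
ACCOUNTS = [
    {"app": "core-banking", "account": "arivera", "correlation_id": "HR:1001"},
    {"app": "core-banking", "account": "bchen", "correlation_id": "HR:1002"},
    {"app": "crm", "account": "cokafor", "correlation_id": "VENDOR:1001"},
    {"app": "crm", "account": "tmp_svc7", "correlation_id": None},
]

def global_id(record):
    """Namespace the local ID by its source so user populations cannot collide."""
    if not record["local_id"]:
        return None
    return f'{record["source"]}:{record["local_id"]}'

def identity_findings(identities):
    """Return (local IDs reused across sources, names of identities with no ID)."""
    by_local = defaultdict(set)
    missing = []
    for rec in identities:
        if rec["local_id"]:
            by_local[rec["local_id"]].add(rec["source"])
        else:
            missing.append(rec["name"])
    collisions = sorted(i for i, srcs in by_local.items() if len(srcs) > 1)
    return collisions, missing

def account_findings(identities, accounts):
    """Classify accounts as orphaned (no known owner) or stale (owner terminated)."""
    status = {global_id(r): r["status"] for r in identities if global_id(r)}
    orphaned, stale = [], []
    for acct in accounts:
        key = (acct["app"], acct["account"])
        owner_status = status.get(acct["correlation_id"])
        if owner_status is None:
            orphaned.append(key)
        elif owner_status == "terminated":
            stale.append(key)
    return orphaned, stale

if __name__ == "__main__":
    print(identity_findings(AUTHORITATIVE), account_findings(AUTHORITATIVE, ACCOUNTS))
```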
Key Contacts
Advancive Technology Solutions Headquarters
201 South Lake Avenue | Suite 703 | Pasadena, CA 91101 | www.advancivetech.com
Art Poghosyan, Managing Director
E: [email protected] T: 213.915.4142
Alex Gudanis, CTO
E: [email protected] T: 714.388.5565