2019 SailPoint Identity Insider Magazine - Magazine - Page 7
Obviously, these questions are not meant to be all-encompassing, but rather are intended to get the reader thinking about some basic necessities that are the foundation of whatever type of identity strategy you want to put forward.

Question #1: Where are your identities?

The first consideration needs to be whether or not you have an accurate inventory of your identities. An identity is not an account, but rather a collection of users’ roles and access rights based on predefined policies. These permissions are used throughout the enterprise to associate specific user credentials and rights to a system account. Too often, identity and account are used interchangeably, but from a holistic identity management position, the two are very different.

The best way to envision an identity is as a container which collects and holds all the users’ access rights across the enterprise. An identity will contain many user accounts, but there will only be one, single identity record per user. A typical enterprise will look at their Active Directory (AD) as the system-of-record for identities, but AD also controls and maintains user accounts. This, admittedly, muddies the water a bit, but separating the authentication functionality from the authorization process of AD is critical for success.

Additionally, make sure your efforts include those infrastructure elements that do not use AD for authentication. Consideration should be given to identifying how applications, network devices and Linux hosts authenticate, and to determining whether a central authentication process exists that holds the user information for those elements.

Question #2: How does your authentication work?

Secondly, it’s important to understand the end-to-end authentication process within your enterprise. It’s common to find mature infrastructures, after decades of managing accounts in a world of system and device sprawl, lose track of authoritative systems and account stores. While the vast majority of organizations have centralized on Active Directory for their Windows environments, significantly fewer have integrated network devices, applications, or their Linux hosts with AD as well. Far too often, these types of systems leverage local accounts for authentication and have no association to a common, managed identity repository.

Unwinding the authentication process can be tricky, especially for the applications that have been running for decades. Service accounts buried in applications or Linux shell scripts, SSH keys that are years (or decades) old, and trusted “shared” accounts will all provide both a challenge and an opportunity. Have no doubt – investing time to dig through code or document how users authenticate will have a lasting benefit.
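The Linux-host part of that inventory can be started with a small script. The following is an added example, not code from the magazine or from SailPoint: it reads a constructed /etc/nsswitch.conf fragment, constructed /etc/passwd lines, and a constructed list of authorized_keys entries with an assumed last-modified date, and reports whether password lookups go to a central directory, which interactive accounts exist only locally, and which SSH keys are older than a chosen threshold. The set of NSS sources treated as "central" (sss, ldap, winbind, vas) and the one-year key-age threshold are assumptions you would tune to your environment.

```python
"""Inventory of how a Linux host authenticates, from constructed sample data.

Added example, not SailPoint code. All inputs below are constructed for
illustration; on a real host they would come from /etc/nsswitch.conf,
/etc/passwd and the mtime of each user's ~/.ssh/authorized_keys.
"""
from __future__ import annotations

from datetime import date

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
# Assumption: these NSS sources indicate a central directory (AD via SSSD/winbind, LDAP, VAS).
CENTRAL_NSS_SOURCES = {"sss", "ldap", "winbind", "vas"}
UID_MIN = 1000                 # non-system accounts start here on most distributions
MAX_KEY_AGE_DAYS = 365         # assumption: keys older than a year need review
ASSESSMENT_DATE = date(2019, 6, 1)   # constructed "today" so the example is reproducible

# Constructed nsswitch fragment: passwd lookups use local files only.
SAMPLE_NSSWITCH = """\
passwd:     files
group:      files
shadow:     files
"""

# Constructed /etc/passwd lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
appsvc:x:1001:1001:Legacy app service:/opt/app:/bin/bash
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash
backup:x:1003:1003:Backup job:/var/backups:/usr/sbin/nologin
"""

# Constructed authorized_keys entries: (account, key line, last-modified date).
SAMPLE_AUTHORIZED_KEYS = [
    ("appsvc", "ssh-rsa AAAA...truncated... deploy@build01", date(2009, 3, 14)),
    ("jdoe", "ssh-ed25519 AAAA...truncated... jdoe@laptop", date(2019, 1, 2)),
]


def central_directory_sources(nsswitch_text: str) -> list[str]:
    """Return the passwd NSS sources that point at a central directory (empty if none)."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            sources = line.split(":", 1)[1].split()
            return [s for s in sources if s in CENTRAL_NSS_SOURCES]
    return []


def local_interactive_accounts(passwd_text: str) -> list[str]:
    """Parse passwd lines; return non-system accounts that have a real login shell."""
    found = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # malformed line, skip rather than guess
        name, _, uid, _, _, _, shell = fields
        if int(uid) >= UID_MIN and shell not in NOLOGIN_SHELLS:
            found.append(name)
    return found


def stale_ssh_keys(entries, today: date, max_age_days: int = MAX_KEY_AGE_DAYS):
    """Return (account, key comment, age in days) for keys older than max_age_days."""
    stale = []
    for account, key_line, modified in entries:
        age = (today - modified).days
        if age > max_age_days:
            parts = key_line.split()
            comment = parts[2] if len(parts) > 2 else ""
            stale.append((account, comment, age))
    return stale


def host_findings(nsswitch_text, passwd_text, key_entries, today: date) -> list[str]:
    """Summarise the host's authentication posture as a list of finding strings."""
    findings = []
    if not central_directory_sources(nsswitch_text):
        findings.append("passwd lookups use local files only; host is not joined to a central directory")
    for name in local_interactive_accounts(passwd_text):
        findings.append(f"local interactive account '{name}' has no managed identity mapping")
    for account, comment, age in stale_ssh_keys(key_entries, today):
        findings.append(f"authorized key for '{account}' ({comment}) is {age} days old")
    return findings


if __name__ == "__main__":
    for finding in host_findings(SAMPLE_NSSWITCH, SAMPLE_PASSWD, SAMPLE_AUTHORIZED_KEYS, ASSESSMENT_DATE):
        print(finding)
```

Run across a fleet, the three checks give the raw material the article asks for: which hosts resolve users centrally, which accounts exist only on the box, and which long-lived keys nobody has looked at in years.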
Question #3: How is the business supporting our identity program?

Finally, in order to fully understand the accreditation process, you must understand the business processes around identity and/or account management. Regardless of the maturity level of your identity program, the process of managing credentials is fundamentally core to your success. While a manual process can be successful with enough rigor, automation is necessary to minimize the human errors which inherently creep into any manual process.

Auditability is key here. Could you randomly sample 20% of your accounts and have enough evidence to show each followed the documented process for account creation? Does the process start with the HR team at new hire? Does the direct-line manager initiate the request? Does the employee request access themselves? What about lateral moves or promotions? Understanding the approval process of how user accounts get created, maintained, and eventually shut down is honestly the true goal of any identity program. Add to that the need to prove the process was followed if you ever have to go through an audit, and you’ll understand why the workflow of account maintenance is so critical.
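The 20% sampling question can be turned into a repeatable check. The following is an added example, not code from the magazine or from SailPoint: it holds a constructed account store and a constructed approval log, draws a reproducible random sample of one fifth of the accounts, and reports every sampled account for which the creation evidence is missing or inconsistent. The record layout (a ticket id per account, an approval date and approver role per ticket) and the rule that only HR or the line manager count as approvers are assumptions standing in for whatever your provisioning workflow actually records.

```python
"""Evidence check for a random 20% sample of accounts.

Added example, not SailPoint code. The account store and approval log are
constructed here; in practice they would be exported from the directory and
the ticketing or provisioning system.
"""
from __future__ import annotations

import random
from datetime import date

SAMPLE_FRACTION = 0.20
# Assumption: only these roles are acceptable approvers; self-service alone is not evidence.
ALLOWED_APPROVERS = {"hr", "line_manager"}

# Constructed account store: name -> (created_on, provisioning ticket or None).
ACCOUNTS = {
    "jdoe": (date(2019, 2, 4), "REQ-1001"),
    "asmith": (date(2019, 2, 11), "REQ-1002"),
    "appsvc": (date(2009, 3, 14), None),          # legacy account, no ticket at all
    "bwong": (date(2019, 3, 1), "REQ-1003"),      # created before its approval
    "cpatel": (date(2019, 3, 5), "REQ-1004"),     # approved only by the requester
    "dlee": (date(2019, 3, 12), "REQ-1005"),
    "efox": (date(2019, 4, 2), "REQ-1006"),
    "gkim": (date(2019, 4, 15), "REQ-1007"),      # ticket id not in the approval log
    "hruiz": (date(2019, 5, 6), "REQ-1008"),
    "ivan": (date(2019, 5, 20), "REQ-1009"),
}

# Constructed approval log: ticket -> (approved_on, approver_role).
APPROVALS = {
    "REQ-1001": (date(2019, 2, 1), "hr"),
    "REQ-1002": (date(2019, 2, 8), "line_manager"),
    "REQ-1003": (date(2019, 3, 4), "hr"),
    "REQ-1004": (date(2019, 3, 5), "self_service"),
    "REQ-1005": (date(2019, 3, 11), "hr"),
    "REQ-1006": (date(2019, 4, 1), "line_manager"),
    "REQ-1008": (date(2019, 5, 3), "hr"),
    "REQ-1009": (date(2019, 5, 20), "line_manager"),
}


def evidence_gaps(created_on: date, ticket, approvals: dict) -> list[str]:
    """Return the reasons an account's creation cannot be shown to follow the process."""
    if ticket is None:
        return ["no provisioning ticket linked to account"]
    record = approvals.get(ticket)
    if record is None:
        return [f"ticket {ticket} not found in approval log"]
    approved_on, role = record
    gaps = []
    if role not in ALLOWED_APPROVERS:
        gaps.append(f"approved by '{role}', which is not an authorised approver")
    if approved_on > created_on:
        gaps.append("account created before approval was recorded")
    return gaps


def sample_accounts(accounts: dict, fraction: float, seed: int) -> list[str]:
    """Pick a reproducible random sample of account names (at least one)."""
    names = sorted(accounts)                      # sort first so the seed alone fixes the draw
    k = max(1, round(len(names) * fraction))
    return random.Random(seed).sample(names, k)


def audit_sample(accounts: dict, approvals: dict, fraction: float = SAMPLE_FRACTION, seed: int = 0) -> dict:
    """Audit a random sample; return {name: gaps} for sampled accounts lacking evidence."""
    result = {}
    for name in sample_accounts(accounts, fraction, seed):
        created_on, ticket = accounts[name]
        gaps = evidence_gaps(created_on, ticket, approvals)
        if gaps:
            result[name] = gaps
    return result


def audit_all(accounts: dict, approvals: dict) -> dict:
    """Same check over every account, for when a full population review is wanted."""
    result = {}
    for name, (created_on, ticket) in accounts.items():
        gaps = evidence_gaps(created_on, ticket, approvals)
        if gaps:
            result[name] = gaps
    return result


if __name__ == "__main__":
    for name, gaps in audit_sample(ACCOUNTS, APPROVALS, seed=7).items():
        print(name, "->", "; ".join(gaps))
```

Keeping the seed with the audit record lets someone else redraw exactly the same sample later, which is the kind of reproducibility an auditor will ask for.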
So, there you have it. Three foundational considerations for anyone building even a basic identity program. By investing in these three efforts upfront, you’re guaranteed to be more successful in the long term.