Securing the enterprise a case study using identity management at mphasis bpo

Securing the Enterprise – A Case Study Using Identity Management at MphasiS BPO

IT SERVICES | BPO | SOLUTIONS

© Mphasis

Confidential


Issues Facing the Industry

  • The industry needs to define and adopt functional security standards - as distinct from standards tied to specific technology. These functional security standards should tie back to key business issues like privacy, confidentiality, non-repudiation of transactions, fraud, disaster recovery, and competitive advantage…

    (Punit Sood – President Mphasis IT Services)


Our Business Priorities for Identity Management

  • Know your employee

    • What can they do? When did they do something?

  • Global regulatory compliance

    • How do we achieve one size fits all?

  • Ensure efficient user provisioning – client and internal

    • Due to outsourcing, remote access to systems is the rule rather than the exception. Boundaries have expanded, and with them the threat.

  • Minimize business risk of incomplete termination

    • Guarantee the termination of all IT accounts for exiting employees

  • Managing Growth and Scale

    • Reduce or eliminate manual user management

    • Change Management

    • Access to diverse asset classifications

  • Eliminate overhead and cost of manual audits

    • Real-time who-has-what information access

    • Self-service access for customers



Provisioning process

Figure (employee on-boarding process for agents, a swim-lane diagram). Systems and teams involved: Oracle Financials; ADS, Email & Client Application Admin; Transportation; QMS; HRMS; WFM; ACD; BAM. Steps shown: agent joins; email from Process Team to client; initiate joining formalities; input quality scores of agent (joining process, quality scores); create agent ID in Oracle; payroll inputs like employee details, leave, incentive, etc.; email from Process Team to client; add name to the trip sheet; reschedule resources; initiate recruitment request; ACD activation; creating user IDs for applications access; access card activation; trip sheets; recruitment; update MIS resource dashboard (MIS).

Getting an agent or a UM on board a new process - provisioning and resourcing

FTE = Full Time Employee; an agent



OnePass - The Answer To Our Business Pains

  • An Identity Management system based on User Provisioning technology would provide the optimal solution to these business problems.

  • The solution should be delivered in a phased manner, such that each phase conclusively addresses at least one business priority.

    • Phase 1 – Risk Containment

    • Phase 2 – User Lifecycle Automation

    • Phase 3 – Compliance Automation


OnePass - Phase 1

  • Objective – Risk Containment

  • Solution Features

    • Detect, eliminate and prevent orphaned accounts

    • Automated termination of IT accounts of exiting employees

    • Centralized password reset across connected systems

    • Basic who-has-what and exception reporting

  • Technical Solution

    • Integration with systems for which packaged adapters are available

      • Active Directory

      • Exchange

    • Manual workflow for systems without packaged integrations

      • Zicom Access Control ( Physical Access)

      • SIEMENS Biometric Access Control ( Physical Access)

    • Integration with HR system to detect on-boarding and termination events

      • Triggers account/badge creation or locking.

      • Custom integration required since we use a locally manufactured HR system

    • Reconciliation with Active Directory

      • Detects accounts created directly in AD, validates them against access rules and raises exceptions.


OnePass – Simplified Architecture

Figure (simplified architecture diagram). OnePass Admin Console, OnePass Self-Service and OnePass Reports sit on the OnePass Engine (Xellerate from THOR). Target systems shown, labelled Phase I and Phase II: Email, Workforce Management System, Badges, Active Dir, HR Management System, ACD, Biometrics, B2E, Enterprise Dir.


OnePass - Critical Success Factors

  • Strong Executive Support

    • Commitment to enhance internal security, driven from our Executive Management Team

  • Focus on Business issues.

    • Business-value-driven implementation plan, instead of a product implementation approach.

  • In-house expertise.

    • OnePass was led by the eSecurity Practice of our IT services division, which brings to bear the experience of developing Identity Management solutions for global customers.


Appendix A

  • Introduction to User Provisioning

    • Courtesy Mphasis IT Services/ eSecurity Practice


Benefits

  • Reduce Staff

  • Reduce Administrative Costs

  • Decrease Time to Market

  • Improve Regulatory Compliance Reporting

  • Improve Security


Provisioning Simplified

  • User Provisioning solutions automate the processes for managing user accounts and entitlement across IT systems.

    • Reduces cost of administration

    • Reduces errors involved in manual processes

    • Security policies and rules are built into the automated processes

    • Accounts and entitlements data consolidated in a central system.

Industry Definitions

Provisioning services automate the management of IT accounts and permissions across the entire user life cycle, and are not just limited to the initial implementation of granting users access to various applications across the enterprise.

- Burton Group


Problem Statement

  • IT solutions – big and small – typically store users and entitlements ‘locally’

    • Need to have credentials (id and password) in each system

    • Entitlements/Permissions managed separately in each system

  • Issues.

    • Administration – Time and Cost

      • IDs, passwords and permissions have to be manually managed on multiple systems

      • Changes in rights or permissions have to be coordinated across multiple systems

      • Password resets need to be performed across multiple systems.

    • Passwords

      • Users need to remember multiple ids/passwords

      • Password formats, lifetime etc. vary across systems

    • Risk

      • Manual processes are error prone and fail very often

      • Changes in permissions typically lag changes in a user’s role. E.g. transferred users still have access to systems in previous departments; users have full or partial access after termination.

    • Compliance

      • Individual audit activity on every system

      • Potential for conflicting or inconsistent permissions across systems

      • Lack of efficient and timely audits impacts ability to comply with regulations.


User Provisioning – Facilities

  • Single point for administering user access to multiple systems

    • User Administration includes

      • Create, modify and delete user accounts

      • Enable, disable, lock account

      • Set/reset passwords

      • Create, modify and delete groups

      • Add user to / remove from groups

      • Assign roles, profiles, responsibilities etc. to a user.

  • Automate the granting (and revoking) of accounts and entitlements

    • Accounts are automatically granted based on ‘access rules’

      • If division = Mphasis IT, create account in PBN

      • If designation = PM, add to ‘Project Admin’ group in PBN

    • Workflow features can be used to automate complex processes

      • Commonly used for approvals from managers

    • When integrated with a system of record (SOR), provisioning activities are automatically triggered by HR events.
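The rule-driven, event-triggered behaviour described above, as an added illustration that is not code from the slides or from the OnePass project. Employees, the HR events and the rule set are constructed; PBN and ‘Project Admin’ are the slide's own examples, and AD and Exchange stand in for the Phase 1 packaged-adapter targets. The engine turns an HR record into a desired set of entitlements, diffs it against what is already provisioned, and emits grant/revoke actions, so a termination event revokes everything, which is the Phase 1 locking behaviour.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Employee:
    """HR record as it would arrive from the system of record (constructed)."""
    emp_id: str
    division: str
    designation: str
    active: bool = True


# Access rules: (predicate over the HR record, entitlements it grants).
# Entitlements are (system, kind, name) tuples. Hypothetical rule set built
# from the slide's examples; AD/Exchange are granted to every active employee.
ACCESS_RULES = [
    (lambda e: True, {("AD", "account", "AD"), ("Exchange", "mailbox", "Exchange")}),
    (lambda e: e.division == "Mphasis IT", {("PBN", "account", "PBN")}),
    (lambda e: e.division == "Mphasis IT" and e.designation == "PM",
     {("PBN", "group", "Project Admin")}),
]


def desired_entitlements(emp):
    """Evaluate every access rule; a terminated employee is entitled to nothing."""
    if not emp.active:
        return set()
    desired = set()
    for predicate, entitlements in ACCESS_RULES:
        if predicate(emp):
            desired |= entitlements
    return desired


def plan_actions(current, desired):
    """Diff current vs desired state. Grants are sorted ascending so an account
    is created before its group memberships; revokes are reversed so group
    memberships are removed before the account itself."""
    grants = [("grant",) + e for e in sorted(desired - current)]
    revokes = [("revoke",) + e for e in sorted(current - desired, reverse=True)]
    return grants + revokes


class ProvisioningEngine:
    def __init__(self):
        self.state = {}   # emp_id -> entitlements currently provisioned
        self.audit = []   # (emp_id, event, action, system, kind, name) for reporting

    def handle_hr_event(self, event, emp):
        """Events: 'join', 'transfer' (changed division/designation), 'terminate'."""
        if event == "terminate":
            emp = replace(emp, active=False)
        current = self.state.get(emp.emp_id, set())
        desired = desired_entitlements(emp)
        actions = plan_actions(current, desired)
        self.state[emp.emp_id] = desired
        self.audit.extend((emp.emp_id, event) + a for a in actions)
        return actions


if __name__ == "__main__":
    engine = ProvisioningEngine()
    person = Employee("E1001", "Mphasis IT", "Engineer")
    for event, record in [("join", person),
                          ("transfer", replace(person, designation="PM")),
                          ("transfer", replace(person, division="BPO", designation="PM")),
                          ("terminate", replace(person, division="BPO", designation="PM"))]:
        for action in engine.handle_hr_event(event, record):
            print(event, action)
```

Because the engine always recomputes the full desired state rather than applying deltas, a transfer out of Mphasis IT revokes the PBN group and account that the earlier join and promotion granted, which is exactly the “permissions lag role changes” problem listed in the Problem Statement.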


User Provisioning – Facilities

  • Detect and eliminate ‘rogue’ accounts

    • Reconciliation is a feature by which the provisioning system can scan a target system for accounts and compare these with its internal user database (or an enterprise directory). This comparison is based on possibly complex matching rules.

      • Once an account is matched with a user, it can be checked for compliance with ‘access policies’ and accepted or locked.

      • Unmatched accounts can be flagged for administrator action, locked or deleted, etc.

    • Reconciliation also allows administrative flexibility

      • An IT admin can create an account using the Weblogic Console because she could not access the provisioning system due to planned downtime. Reconciliation will result in the account being automatically acquired by the provisioning system the next time it connects to the Weblogic system.

  • Self Service for users

    • Users can use the web self-service facilities to

      • Reset passwords across all or selected systems

      • View and update their profile and accounts (if allowed)

      • Request access to new accounts

      • Approve requests for accounts.

  • Report on entitlements across systems

    • Who-has-what reporting from the provisioning system reduces or eliminates the need to audit individual systems.
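An added example of the reconciliation and who-has-what reporting described on this and the previous slide; it is not code from the slides or from the OnePass project. The user store, the scanned target snapshot and the access policy are constructed, and the three matching rules (employee-id attribute, then e-mail, then normalised display name) are a hypothetical ordering chosen to show how an account with missing attributes can still be matched. Matched accounts are checked against the policy (here: only the Mphasis IT division is entitled to this target, mirroring the slide's PBN rule) and accepted or locked; unmatched accounts are flagged for an administrator.

```python
import re

# Constructed internal user store of the provisioning system (emp_id -> attributes).
USER_STORE = {
    "E1001": {"email": "asha.rao@example.com", "name": "Asha Rao",
              "division": "Mphasis IT", "active": True},
    "E1002": {"email": "vikram.n@example.com", "name": "Vikram N",
              "division": "BPO", "active": True},
    "E1003": {"email": "mira.s@example.com", "name": "Mira S",
              "division": "BPO", "active": False},
}

# Constructed snapshot scanned from a target system (think of an AD or PBN export).
TARGET_ACCOUNTS = [
    {"login": "arao", "employeeID": "E1001", "mail": "asha.rao@example.com", "displayName": "Asha Rao"},
    {"login": "vnair", "employeeID": "", "mail": "vikram.n@example.com", "displayName": "Vikram N"},
    {"login": "msingh", "employeeID": "", "mail": "", "displayName": "MIRA  S"},
    {"login": "svc_backup", "employeeID": "", "mail": "", "displayName": "Backup Service"},
]


def norm(value):
    """Collapse whitespace and case so display names and e-mails compare loosely."""
    return re.sub(r"\s+", " ", value).strip().lower()


# Matching rules, tried in order of decreasing reliability (hypothetical ordering).
MATCH_RULES = [
    lambda acct, uid, user: acct["employeeID"] == uid,
    lambda acct, uid, user: bool(acct["mail"]) and norm(acct["mail"]) == norm(user["email"]),
    lambda acct, uid, user: norm(acct["displayName"]) == norm(user["name"]),
]


def match_account(acct, store=USER_STORE):
    """Return (emp_id, how) for the first rule with exactly one hit; an ambiguous
    rule stops the search so a weaker rule cannot silently pick a wrong user."""
    for index, rule in enumerate(MATCH_RULES, start=1):
        hits = [uid for uid, user in store.items() if rule(acct, uid, user)]
        if len(hits) == 1:
            return hits[0], f"rule{index}"
        if len(hits) > 1:
            return None, f"ambiguous:rule{index}"
    return None, "unmatched"


def reconcile(accounts, store=USER_STORE, allowed_divisions=frozenset({"Mphasis IT"})):
    """Produce (login, emp_id, action, reason) per scanned account.
    action is 'accept', 'lock' (policy violation or terminated user) or 'flag' (no match)."""
    results = []
    for acct in accounts:
        uid, how = match_account(acct, store)
        if uid is None:
            results.append((acct["login"], None, "flag", how))
            continue
        user = store[uid]
        if not user["active"]:
            results.append((acct["login"], uid, "lock", "user terminated"))
        elif user["division"] not in allowed_divisions:
            results.append((acct["login"], uid, "lock", "policy: division not entitled"))
        else:
            results.append((acct["login"], uid, "accept", how))
    return results


def who_has_what(results):
    """Who-has-what view built from reconciliation output: emp_id -> [(login, action)]."""
    report = {}
    for login, uid, action, _reason in results:
        report.setdefault(uid or "<unmatched>", []).append((login, action))
    return report


if __name__ == "__main__":
    outcome = reconcile(TARGET_ACCOUNTS)
    for row in outcome:
        print(row)
    print(who_has_what(outcome))
```

The constructed snapshot exercises each outcome: one account matches cleanly and is accepted, one is matched by e-mail but belongs to a division the policy does not entitle and is locked, one is matched only by display name to a terminated user and is locked, and the service account matches nothing and is flagged. Stopping on an ambiguous rule rather than falling through is the conservative choice: a weaker rule matching one of several candidates would otherwise attach the account to the wrong person and make the who-has-what report wrong.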


Business Benefits of Provisioning Solutions

  • Risk Management

    • Detect and disable unauthorized access

    • Know who can do what

    • Ensure that access matches policy

  • Compliance

    • Demonstrates control measures required by regulations.

  • Operational Efficiency

    • Eliminate manual effort of account administration

    • Reduce audit time and costs

    • Get users productive faster

  • Quality Of Experience

    • Self service for passwords, profile updates etc.

  • Cost Containment

    • Reduce overall labor required to manage accounts

    • Self-service and delegation features reduce helpdesk costs


Implementing Provisioning Systems

  • Understand the Business Case

    • High level analysis

      • HR lifecycle process (onboarding, termination, transfers etc.)

      • Processes related to managing user accounts on key IT systems

      • Audit and compliance controls for key IT systems

    • Understand the real costs

      • Solution development and deployment

      • Process re-engineering and training

      • User data scrubbing

      • Ongoing cost of integrating IT systems

    • Prioritize business benefits expected from provisioning

      • IT support cost savings from automation and self service

      • Audit cost savings

      • Compliance obligations

    • Create a Business Value Roadmap

      • Balance investment, features delivered and systems integrated

      • Demonstrate tangible value at every stage.


User Provisioning Systems – Typical Architecture

Figure (typical architecture diagram). A Self Service UI, an Admin Client and a Design Client call an API Layer; beneath it sit the Workflow engine, an Internal Store (Users, Groups, Roles, Resources, Audit) and Rules & Policy. Connectors attach target systems, reaching them through an API, a User Database, an ERP System or LDAP.


User Provisioning in an Enterprise IdM Architecture

Figure (enterprise IdM architecture diagram). Labels shown: Consumers (Applications) – Business Applications (Portals, Sales Applications, Finance Applications), Directory-based Applications (White Pages, Portal, Organization Chart, Doc Mgt, BI, Self-Service) and Application User Stores; Enterprise Security Services – Authentication, Authorization, Audit; Systems of Record – Employees; Consultant, Contractor; Partners; 3rd Party; Identity Access Services – Biometrics, Strong Auth, Universal Key/Id, Credential Store, with Filtering, Failover, Load Balancing; Identity Administration & Workflow feeding a Provisioning Bus to target systems; Enterprise Directory with Directory Synchronization Services; Managed Targets & Authoritative Sources of Attributes – Exchange, Active Directory, PBX, Physical Access.


Getting Started

  • Understand your Business Pains

    • Which is the burning issue? Which benefit is most attractive?

  • Select the right Id Management component to start with

    • SSO, Enterprise Directories, Directory Integration, Provisioning, Auditing etc.

  • Invest in a Pilot/POC

    • The gap between brochure-ware and reality will be enlightening.

  • Cultivate strong executive support

    • Invest effort in educating management, and have the patience for this ‘wisdom’ to take root.


Appendix – B

  • Identity Management ‘Good Practices’ used for OnePass


Good Practices Adopted

  • Perform a POC

    • Phase 1 is a limited pilot for 300 users

    • Based on the success of the pilot, we will acquire the remainder of the licenses for MphasiS.

    • The only custom integration is to Ramco HRMS, which cannot be avoided.

    • Other custom integrations (for Avaya and physical access) will be performed in a point release.


Good Practices Adopted

  • Start with an Architecture/Roadmap.

    • Accommodate future components like ESB, Master ID, Enterprise Directory.

  • Focus on Business Value

    • Each Phase is designed to deliver a key business benefit

      • Phase 1 – Risk Containment

      • Phase 2 – User Lifecycle Automation

      • Phase 3 – Compliance Automation


Good Practices Adopted

Figure (data scrubbing flow). Targets and user stores (ERP, HRMS, AD) are loaded into a Staging Area; Data Administrators run DQ queries against it, which produce a Work List and a Data Quality Index.

  • Address Data Quality Up Front

    • While we had an early metric of data quality, the cleanup work was delayed, resulting in a 2 to 3 week overrun

    • Reusable utilities developed for use in future phases
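An added example of the data-scrubbing flow on this slide (staged HRMS and AD extracts, DQ queries, a work list and a Data Quality Index); it is not code from the slides or a utility from the OnePass project. The two extracts, the check set and the index definition (share of staged records with no open issue, on a 0 to 100 scale) are constructed, and the checks are the ones a provisioning rollout typically trips over: missing or duplicated employee ids in HR data, e-mail addresses that will not match, AD accounts whose employeeID attribute is empty or unknown to HR, and enabled accounts for exited employees.

```python
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed HRMS extract staged for cleanup.
HRMS_ROWS = [
    {"emp_id": "E2001", "name": "Asha Rao", "email": "asha.rao@example.com", "status": "active"},
    {"emp_id": "E2002", "name": "Vikram N", "email": "vikram.n@example", "status": "active"},
    {"emp_id": "E2002", "name": "Vikram Nair", "email": "vikram.nair@example.com", "status": "active"},
    {"emp_id": "E2003", "name": "Mira S", "email": "mira.s@example.com", "status": "exited"},
    {"emp_id": "", "name": "Ravi K", "email": "ravi.k@example.com", "status": "active"},
]

# Constructed AD extract staged alongside it.
AD_ROWS = [
    {"login": "arao", "employeeID": "E2001", "mail": "asha.rao@example.com", "enabled": True},
    {"login": "vnair", "employeeID": "E2002", "mail": "vikram.nair@example.com", "enabled": True},
    {"login": "msingh", "employeeID": "E2003", "mail": "mira.s@example.com", "enabled": True},
    {"login": "temp01", "employeeID": "E9999", "mail": "", "enabled": True},
    {"login": "rkumar", "employeeID": "", "mail": "ravi.k@example.com", "enabled": True},
]


def dq_checks(hrms, ad):
    """Run the DQ queries over the staging area. Returns (source, row_index, issue)
    tuples; a row can carry more than one issue. Hypothetical rule set."""
    issues = []
    rows_by_id = {}
    for i, row in enumerate(hrms):
        if not row["emp_id"]:
            issues.append(("HRMS", i, "missing employee id"))
        else:
            rows_by_id.setdefault(row["emp_id"], []).append(i)
        if not EMAIL_RE.match(row["email"]):
            issues.append(("HRMS", i, "invalid email"))
    for emp_id, rows in rows_by_id.items():
        if len(rows) > 1:
            issues.extend(("HRMS", i, f"duplicate employee id {emp_id}") for i in rows)
    exited = {r["emp_id"] for r in hrms if r["emp_id"] and r["status"] == "exited"}
    for i, row in enumerate(ad):
        if not row["employeeID"]:
            issues.append(("AD", i, "employeeID attribute not populated"))
        elif row["employeeID"] not in rows_by_id:
            issues.append(("AD", i, "employeeID not found in HRMS"))
        elif row["employeeID"] in exited and row["enabled"]:
            issues.append(("AD", i, "enabled account for exited employee"))
    return issues


def data_quality_index(hrms, ad):
    """Percentage of staged records (HRMS + AD rows) with no open issue."""
    issues = dq_checks(hrms, ad)
    flagged = {(source, i) for source, i, _ in issues}
    total = len(hrms) + len(ad)
    return round(100.0 * (total - len(flagged)) / total, 1), issues


def work_list(hrms, ad):
    """Work list for the data administrators: one line per issue, keyed by a
    human-readable record identifier rather than the row index."""
    lines = []
    for source, i, issue in dq_checks(hrms, ad):
        key = hrms[i]["name"] if source == "HRMS" else ad[i]["login"]
        lines.append(f"{source}:{key}: {issue}")
    return lines


if __name__ == "__main__":
    index, _ = data_quality_index(HRMS_ROWS, AD_ROWS)
    print(f"Data Quality Index: {index}")
    for line in work_list(HRMS_ROWS, AD_ROWS):
        print(line)
```

Counting the index per record rather than per issue keeps it honest: a row with two defects still costs one record, and it is the number of records needing a human decision, not the number of findings, that predicts how long the cleanup will take. Running this before connectors are built is what the slide means by addressing data quality up front.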


Good Practices Adopted

Figure (Integration Factory diagram). Target systems numbered 1 to 10 pass through stages labelled Core Provisioning, Provisioning Value 1, Provisioning Value 2 and Provisioning Value 3 across Phase 1, Phase 2 and Phase 3, with a Data Quality track running alongside the provisioning work.

  • Separate technology and business tracks

    • Separation of skills , focus on business process and value



Summary - Good Practices Adopted

  • Perform a POC

    • Phase 1 is a limited pilot for 300 users

    • After the POC we ordered an additional 5000 licenses

  • Start with an Architecture/Roadmap.

    • Accommodate future components like ESB, Master ID, Enterprise Directory.

  • Focus on Business Value

    • Each Phase is designed to deliver a key business benefit

      • Phase 1 – Risk Containment

      • Phase 2 – User Lifecycle Automation

      • Phase 3 – Compliance Automation

  • Separate technology and business tracks

    • Separation of skills, focus on business process

  • Assess data quality and start cleanup early

    • While we had an early metric of data quality

