Securing the Enterprise – A Case Study Using Identity Management at MphasiS BPO
Mphasis: IT Services | BPO | Solutions. © Mphasis Confidential
Issues Facing the Industry
• The industry needs to define and adopt functional security standards - as distinct from standards tied to specific technology. These functional security standards should tie back to key business issues like privacy, confidentiality, non-repudiation of transactions, fraud, disaster recovery, and competitive advantage… (Punit Sood – President, Mphasis IT Services)
Our Business Priorities for Identity Management
• Know your employee
  • What can they do? When did they do something?
• Global regulatory compliance
  • How do we achieve one size fits all?
• Ensure efficient user provisioning – client and internal
  • Due to outsourcing, remote access to systems is the rule rather than the exception. Boundaries have expanded and with them the threat.
• Minimize business risk of incomplete termination
  • Guarantee the termination of all IT accounts for exiting employees
• Managing Growth and Scale
  • Reduce or eliminate manual user management
• Change Management
  • Access to diverse asset classifications
• Eliminate overhead and cost of manual audits
  • Real-time who-has-what information access
• Self-service access for customers
Provisioning process – Employee On-boarding process (Agents)
[Swimlane diagram: getting an agent or a UM on board a new process – provisioning and resourcing. Lanes: Oracle Financials; ADS, Email & Client Application Admin; Transportation; QMS; HRMS; WFM; ACD; BAM. Steps shown: Agent joins; Initiate joining formalities; Joining process; Input quality scores of agent; Create agent ID in Oracle Payroll (inputs like employee details, leave, incentive, etc.); Email from Process Team to Client; Creating user IDs for application access; ACD activation; Access card activation; Add name to the trip sheet; Reschedule resources; Initiate recruitment request; Update MIS resource dashboard.]
FTE = Full Time Employee; an agent
OnePass - The Answer To Our Business Pains
• An Identity Management system based on User Provisioning technology would provide the optimal solution to these business problems.
• The solution should be delivered in a phased manner, such that each phase would conclusively address at least one business priority.
  • Phase 1 – Risk Containment
  • Phase 2 – User Lifecycle Automation
  • Phase 3 – Compliance Automation
OnePass - Phase 1
• Objective – Risk Containment
• Solution Features
  • Detect, eliminate and prevent orphaned accounts
  • Automated termination of IT accounts of exiting employees
  • Centralized password reset across connected systems
  • Basic who-has-what and exception reporting
• Technical Solution
  • Integration with systems for which packaged adapters are available
    • Active Directory
    • Exchange
  • Manual workflow for systems without packaged integrations
    • Zicom Access Control (physical access)
    • SIEMENS Biometric Access Control (physical access)
  • Integration with HR system to detect on-boarding and termination events
    • Triggers account/badge creation or locking.
    • Custom integration required since we use a locally manufactured HR system
  • Reconciliation with Active Directory
    • Detects accounts created directly on AD, validates access rules and raises exceptions.
OnePass – Simplified Architecture
[Architecture diagram: OnePass Admin Console, OnePass Self-Service and OnePass Reports on top of the OnePass Engine (Xellerate from THOR). Target systems shown: Email, Workforce Management System, Badges, Active Directory, HR Management System, ACD, Biometrics, Enterprise Directory; labelled B2E, Phase I and Phase II.]
OnePass - Critical Success Factors
• Strong Executive Support
  • Commitment to enhance internal security, driven from our Executive Management Team
• Focus on Business issues
  • Business value driven implementation plan, instead of a product implementation approach.
• In-house expertise
  • OnePass was led by the eSecurity Practice of our IT services division, which brings to bear the experience of developing Identity Management solutions for global customers.
Appendix A
• Introduction to User Provisioning
• Courtesy Mphasis IT Services / eSecurity Practice
Benefits
• Reduce Staff
• Reduce Administrative Costs
• Decrease Time to Market
• Improve Regulatory Compliance Reporting
• Improve Security
Provisioning Simplified
• User Provisioning solutions automate the processes for managing user accounts and entitlements across IT systems.
  • Reduces cost of administration
  • Reduces errors involved in manual processes
  • Security policies and rules are built into the automated processes
  • Accounts and entitlements data consolidated in a central system.
Industry Definitions
"Provisioning services automate the management of IT accounts and permissions across the entire user life cycle, and are not just limited to the initial implementation of granting users access to various applications across the enterprise." – Burton Group
Problem Statement
• IT solutions – big and small – typically store users and entitlements ‘locally’
  • Need to have credentials (id and password) in each system
  • Entitlements/permissions managed separately in each system
• Issues
  • Administration – Time and Cost
    • Ids, passwords and permissions have to be manually managed on multiple systems
    • Changes in rights or permissions have to be coordinated across multiple systems
    • Password resets need to be performed across multiple systems.
  • Passwords
    • Users need to remember multiple ids/passwords
    • Password formats, lifetime etc. vary across systems
  • Risk
    • Manual processes are error prone and fail very often
    • Changes in permissions typically lag changes in a user’s role. E.g. transferred users still have access to systems in previous departments; users have full or partial access after termination.
  • Compliance
    • Individual audit activity on every system
    • Potential for conflicting or inconsistent permissions across systems
    • Lack of efficient and timely audits impacts ability to comply with regulations.
User Provisioning – Facilities
• Single point for administering user access to multiple systems
  • User Administration includes
    • Create, modify and delete user accounts
    • Enable, disable, lock accounts
    • Set/reset passwords
    • Create, modify and delete groups
    • Add users to / remove users from groups
    • Assign roles, profiles, responsibilities etc. to a user.
• Automate the granting (and revoking) of accounts and entitlements
  • Accounts are automatically granted based on ‘access rules’
    • If division = Mphasis IT, create account in PBN
    • If designation = PM, add to ‘Project Admin’ group in PBN
  • Workflow features can be used to automate complex processes
    • Commonly used for approvals from managers
  • When integrated with an SOR (system of record, typically the HR system), provisioning activities are automatically triggered by HR events.
User Provisioning – Facilities
• Detect and eliminate ‘rogue’ accounts
  • Reconciliation is a feature by which the provisioning system can scan a target system for accounts and compare these with its internal user database (or an enterprise directory). This comparison is based on possibly complex matching rules.
  • Once an account is matched with a user, it can be checked for compliance with ‘access policies’ and accepted or locked.
  • Unmatched accounts can be flagged for administrator action, locked or deleted etc.
• Reconciliation also allows administrative flexibility
  • An IT admin can create an account using the WebLogic Console because she could not access the provisioning system during planned downtime. Reconciliation will result in the account being automatically acquired by the provisioning system the next time it connects to the WebLogic system.
• Self Service for users
  • Users can use the web self-service facilities to
    • Reset passwords across all or selected systems
    • View and update their profile and accounts (if allowed)
    • Request access to new accounts
    • Approve requests for accounts.
• Report on entitlements across systems
  • Who-has-what reporting from the provisioning system reduces or eliminates the need to audit individual systems.
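The access rules on the previous slide, the reconciliation and who-has-what reporting on this one, and the Phase 1 goals (orphaned-account detection, locking accounts of exiting employees) fit together in one small engine. The following Python is an added illustration written for this page; it is not OnePass, Xellerate or any Mphasis code. The employee records, the target-system names (PBN, AD, Exchange), the account lists and the name-based matching rule are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    """One record from the HR system of record (the SOR the slides mention)."""
    emp_id: str
    name: str
    division: str
    designation: str
    status: str  # "active" or "terminated"


# Access rules in the spirit of the slide's own examples: (predicate over the
# HR record, target system, entitlement granted).  "PBN", "AD" and "Exchange"
# are sample target-system names; the rule set is constructed for this example.
ACCESS_RULES = [
    (lambda e: e.division == "Mphasis IT", "PBN", "account"),
    (lambda e: e.division == "Mphasis IT" and e.designation == "PM",
     "PBN", "group:Project Admin"),
    (lambda e: True, "AD", "account"),
    (lambda e: True, "Exchange", "mailbox"),
]


def expected_entitlements(emp):
    """Everything the rules grant this employee, as (system, entitlement) pairs.

    A terminated employee is entitled to nothing, so the HR termination event
    translates directly into locking every account on every target.
    """
    if emp.status != "active":
        return set()
    return {(system, ent) for rule, system, ent in ACCESS_RULES if rule(emp)}


def reconcile(system, employees, target_accounts, match):
    """Reconcile one target system against the HR source of truth.

    target_accounts: {account_name: set(entitlements)} as scanned from the target.
    match: the matching rule, account_name -> emp_id (None when unmatched).
    Returns (actions, to_provision).  actions maps each target account to
    "ok" (matched and within policy), "lock" (matched but violating policy:
    terminated owner, no entitlement to this system, or excess entitlements)
    or "flag" (unmatched, i.e. orphaned or rogue, left for administrator
    action).  to_provision lists employees the rules entitle to this system
    who have no account on it yet.
    """
    by_id = {e.emp_id: e for e in employees}
    actions, matched_ids = {}, set()
    for account, held in target_accounts.items():
        emp = by_id.get(match(account))
        if emp is None:
            actions[account] = "flag"
            continue
        matched_ids.add(emp.emp_id)
        expected = {ent for sys_, ent in expected_entitlements(emp) if sys_ == system}
        # Policy check: the account may hold only what the rules grant it.
        actions[account] = "ok" if expected and held <= expected else "lock"
    to_provision = sorted(
        e.emp_id for e in employees
        if e.emp_id not in matched_ids
        and any(sys_ == system for sys_, _ in expected_entitlements(e))
    )
    return actions, to_provision


def who_has_what(employees):
    """Who-has-what from the provisioning store's own rule evaluation, so the
    report does not require auditing each target system individually."""
    return {e.emp_id: sorted(expected_entitlements(e)) for e in employees}


# Constructed sample data: three HR records and the accounts found on two targets.
EMPLOYEES = [
    Employee("E001", "Asha", "Mphasis IT", "PM", "active"),
    Employee("E002", "Ravi", "Mphasis BPO", "Agent", "active"),
    Employee("E003", "Kiran", "Mphasis IT", "Developer", "terminated"),
]
NAME_INDEX = {e.name.lower(): e.emp_id for e in EMPLOYEES}

PBN_ACCOUNTS = {
    "asha": {"account", "group:Project Admin"},  # compliant
    "ravi": {"account"},        # BPO staff: no rule grants PBN access
    "kiran": {"account"},       # owner terminated in HR, account still live
    "svc_backup": {"account"},  # matches no HR record: orphaned/rogue
}
AD_ACCOUNTS = {
    "asha": {"account"},
    "kiran": {"account"},       # "ravi" is absent: needs provisioning
}


def match_by_name(account):
    """Matching rule for the sample: account name equals the lowercased first name."""
    return NAME_INDEX.get(account)


if __name__ == "__main__":
    for system, accounts in (("PBN", PBN_ACCOUNTS), ("AD", AD_ACCOUNTS)):
        actions, missing = reconcile(system, EMPLOYEES, accounts, match_by_name)
        print(system, actions, "to provision:", missing)
    print(who_has_what(EMPLOYEES))
```

Running it shows the four outcomes the slides describe on one target: the compliant account is accepted, the terminated employee's and the non-entitled employee's accounts are locked, the unmatched service account is flagged for an administrator, and the AD pass also lists the active employee who still needs an account. In a real deployment the matching rule would be far richer than a name lookup (employee number, email, multiple attributes) and "lock" and "flag" would become connector calls and workflow tasks rather than strings.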
Business Benefits of Provisioning Solutions
• Risk Management
  • Detect and disable unauthorized access
  • Know who can do what
  • Ensure that access matches policy
• Compliance
  • Demonstrates control measures required by regulations.
• Operational Efficiency
  • Eliminate manual effort of account administration
  • Reduce audit time and costs
  • Get users productive faster
• Quality of Experience
  • Self service for passwords, profile updates etc.
• Cost Containment
  • Reduce overall labor required to manage accounts
  • Self-service and delegation features reduce helpdesk costs
Implementing Provisioning Systems
• Understand the Business Case
  • High level analysis
    • HR lifecycle process (onboarding, termination, transfers etc.)
    • Processes related to managing user accounts on key IT systems
    • Audit and compliance controls for key IT systems
  • Understand the real costs
    • Solution development and deployment
    • Process re-engineering and training
    • User data scrubbing
    • Ongoing cost of integrating IT systems
  • Prioritize business benefits expected from provisioning
    • IT support cost savings from automation and self service
    • Audit cost savings
    • Compliance obligations
• Create a Business Value Roadmap
  • Balance investment, features delivered and systems integrated
  • Demonstrate tangible value at every stage.
User Provisioning Systems – Typical Architecture
[Architecture diagram: Self Service UI, Admin Client and Design Client call an API Layer; behind it sit the Workflow engine, the Internal Store (users, groups, roles, resources, audit) and Rules & Policy; Connectors link the system to targets such as a user database (via API), an ERP system and LDAP.]
User Provisioning in an Enterprise IdM Architecture
[Architecture diagram. Business Applications: Portals, Sales Applications, Finance Applications, Directory-based Applications, Application User Stores. Enterprise Security Services: Authentication, Authorization, Audit. Self-Service Consumers (Applications): White Pages, Portal, Organization Chart, Doc Mgt, BI. Systems of Record: Employees; Consultants, Contractors; Partners; 3rd Party. Strong Auth: Biometrics. Universal Key/Id; Credential Store; Filtering, Failover, Load Balancing; Provisioning Bus to target systems; Identity Administration & Workflow; Identity Access Services; Enterprise Directory; Directory Synchronization Services. Managed Targets & Authoritative Sources of Attributes: Exchange, Active Directory, PBX, Physical Access.]
Getting Started
• Understand your Business Pains
  • Which is the burning issue? Which benefit is most attractive?
• Select the right Id Management component to start with
  • SSO, Enterprise Directories, Directory Integration, Provisioning, Auditing etc.
• Invest in a Pilot/POC
  • The gap between brochure-ware and reality will be enlightening.
• Cultivate strong executive support
  • Invest effort in educating management; have the patience for this ‘wisdom’ to take root.
Appendix B
• Identity Management ‘Good Practices’ used for OnePass
Good Practices Adopted
• Perform a POC
  • Phase 1 is a limited pilot for 300 users
  • Based on the success of the pilot, we will acquire the remainder of the licenses for MphasiS.
  • The only custom integration is to Ramco HRMS, which cannot be avoided.
  • Other custom integration (for Avaya and physical access) will be performed in a point release.
Good Practices Adopted
• Start with an Architecture/Roadmap.
  • Accommodate future components like ESB, Master ID, Enterprise Directory.
• Focus on Business Value
  • Each Phase is designed to deliver a key business benefit
    • Phase 1 – Risk Containment
    • Phase 2 – User Lifecycle Automation
    • Phase 3 – Compliance Automation
Good Practices Adopted
[Data Scrubbing diagram: Targets and User Stores (ERP, HRMS, AD) feed a Staging Area; Data Administrators work a Work List produced by DQ Queries and tracked by a Data Quality Index.]
• Address Data Quality Up Front
  • While we had an early metric of data quality, the cleanup work was delayed, resulting in a 2 to 3 week overrun
  • Reusable utilities developed for use in future phases
Good Practices Adopted
[Integration Factory diagram: a technology track integrating Target Systems 1 to 10 into Core Provisioning, alongside a business track of Data Quality followed by Provisioning Value 1, 2 and 3 delivered in Phase 1, 2 and 3.]
• Separate technology and business tracks
  • Separation of skills, focus on business process and value
Summary - Good Practices Adopted
• Perform a POC
  • Phase 1 is a limited pilot for 300 users
  • After the POC we ordered an additional 5000 licenses
• Start with an Architecture/Roadmap.
  • Accommodate future components like ESB, Master ID, Enterprise Directory.
• Focus on Business Value
  • Each Phase is designed to deliver a key business benefit
    • Phase 1 – Risk Containment
    • Phase 2 – User Lifecycle Automation
    • Phase 3 – Compliance Automation
• Separate technology and business tracks
  • Separation of skills, focus on business process
• Assess data quality and start cleanup early
  • While we had an early metric of data quality