NEW YORK -- A CISO who spent two years organizing identity and access management for the 15,000 users on his network boiled the whole experience down into a 10-step process he presented at the Security Standard Conference this week.
Turning IAM data into intelligenceSteve Jensen, CISO of Carlson Wagonlit Travel, said that he had four reasons for undertaking the IAM project: meeting regulatory compliance, enhancing security, making security operations more efficient and making it easier for line-of-business departments to deal with the security staff.
He recommended getting an IAM suite that includes auto provisioning, password self-service, Web access management, role management and automatic single sign-on.
His 10-step process was as follows:
1. Create an identity warehouse of the access privileges users already have and federate passwords using directory services if possible to reduce manually input.
2. Buy an enterprise role-management suite to define access rights for users filling specific roles so they can access what they need but not more. This involves getting business managers to help define the roles of their employees and to sign off on them.
3. Define the roles in business terms so managers can understand them and so they are accurate, then map these access groups to a set of application entitlements -- the applications they must have access to.
4. Have business managers attest to the application entitlement by asserting the application rules are correct. In doing this, Jensen says 30% to 35% of access rights were removed because they were unnecessary.
5. Implement a request system for changing users' access rights as needed by requesting available roles. The roles can be granular, allowing, for example, just access to accounts receivable within SAP, he said.
6. Create enterprise roles that span the business and may apply to users in many departments.
7. Go through another attestation process for the enterprise-wide roles. These roles and the access rules that underlie them are valuable for auditors checking whether access rights are limited in accordance with regulations, Jensen said.
8. Adjust the request system to accommodate the enterprise roles so requests don't have to specify all the application entitlements needed for an employee with changing access rights.
9. Segregate roles so no one person can be assigned more than one role that would give them access rights that would cause a conflict of interest.
10. Apply the IAM infrastructure to business partners and customers using a self-service automated process.