Monday, December 9, 2013

About Access Controls (Identity and Access Management)

The challenge with organizations, capabilities and projects

Many security solutions provide technical capabilities, but the sad truth is that many customers see these solutions as a project that must be implemented and then forgotten. This is why it is hard to sell solutions in the Identity and Access Management space.

What's a capability?
According to the Free Dictionary, a capability is "the capacity to be used, treated, or developed for a specific purpose." In the context of IT infrastructure, an IT capability is typically a triad:
  • People: members of the organization need to have the cognitive knowledge, skills and experience to launch and operate the capability.
  • Process: processes govern how the capability is implemented.
  • Technology: the tools that aid in the implementation of a capability.
Any security capability has to be aligned with the Security Policy, and the security policy responds to the business risk factors. Policies are just statements; the implementation of the policies may range from simple controls to fully managed capabilities.

IT Capability Fragmentation
Fragmentation happens when capabilities are duplicated (due to lack of knowledge, legacy, politics or status quo) and negatively affects the organization's agility or operational efficiency.

About Security Controls
Security controls can be preventive, corrective or detective, and are implemented as administrative, technical or physical controls. A risk is truly mitigated only if controls have been implemented to prevent the event from happening, to correct or recover from the event, and to detect the event during or after it happens.

Access Controls
Access controls are the security capabilities that deal with Authentication, Authorization and Privilege Management, and Auditing.

Authentication verifies the user's identity using different factors. The most common is username and password (single factor).
Authorization determines if a user (or subject) is able to perform an action against an object (or resource). Controlling what people can do in the context of operating systems, applications, resources, etc. is part of privilege management.
Auditing is the accounting of a subject's (user's) actions.

What's a Directory Service?
According to Wikipedia, a directory service is the software system that stores, organizes and provides access to information in a directory. There are many directories out there, but we will be focusing on Microsoft's Active Directory (AD).

What is this blog about?
The objective of this blog is to build a recipe of background information, use cases, requirements, solutions, step-by-step guides and any other information needed to leverage the Centrify Server Suite and Active Directory to address the challenges of Unix and Linux administrators in the Identity and Access Management space, with a deep focus on access controls. We will attempt to marry the business and security needs with the implementation of these tools. The ultimate goal is to achieve operational efficiency by reusing existing infrastructure, processes and knowledge.

Tools and Methodologies
We will use existing resources like the Microsoft Test Lab Guides and the Plan-Do-Check-Adjust methodology.

Acknowledgements and Legal Notices
Active Directory, Forefront Identity Manager, SQL Server, Exchange Server are products and trademarks of Microsoft Corporation
CentOS is a trademark of the CentOS project
Solaris is a trademark of Oracle Corporation
SUSE is a trademark of Novell Corporation
Centrify, Centrifying, DirectControl, DirectAuthorize, DirectAudit, DirectSecure are trademarks of Centrify Corporation
