Enterprise Security
Identity management includes all aspects of obtaining, maintaining, securing, and controlling access privileges to, and the content of, personal data. This personal data can include contextual, enterprise-specific individual information, such as permissions and rules governing access to certain corporate resources, an individual’s hire date, or a customer’s purchase history, as well as global, non-enterprise personal data, such as birth date, home address, or emergency contact information. Both types of data present enterprise risks. Organizations must manage these risks according to accepted business practices and legislative mandate. Identity management can help meet this goal. A comprehensive identity management solution offers the following capabilities:
User Provisioning
User provisioning is the set of activities within the broad scope of identity management that addresses the administration and management of contextual, enterprise-specific identity information. An effective provisioning solution gives the enterprise a single interface to correctly and completely grant an individual the appropriate permissions to access enterprise resources. For instance, a bank teller should be allowed to access the demand deposit application for a certain segment of the bank’s customer population, while a customer should only be allowed to access the demand deposit application for her own accounts.
A comprehensive provisioning solution should be broad and flexible enough to cover all applications, platforms, and interfaces that a company might need to manage, or that an individual might need to use. An effective provisioning solution should also provide the equally crucial function of deprovisioning.
That is, when an individual’s relationship to an organization changes, the solution must allow the appropriate form of disconnect (rule-based, simple deletion, suspension, or transfer to another individual for audit or evaluation) for each relevant application and/or platform across the enterprise. Increasingly, enterprises are focusing their resources on delivering specific value-added activities while outsourcing non-critical operations to third parties. This approach naturally generates a federation of (possibly competing) enterprises contributing to the creation of a set of products and/or services. As a result, a provisioning solution should permit grants and revocations of access privileges not only within an enterprise but also across enterprise boundaries, ideally using an open, standards-based approach to cross-enterprise integration, collaboration, and management.
Sarbanes-Oxley has significant meaning for corporations that must ensure security, reliability, and efficiency to consumers and investors. In an age when bad publicity erodes consumer and investor confidence, the risk of not moving aggressively will likely translate into reduced profitability and an expensive public relations recovery program. ...Provisioning is one IT solution which can make compliance with Sarbanes-Oxley easier, faster, and more reliable. Provisioning manages user access, simplifies processes, and improves internal quality.
Profile Management
Beyond defining enterprise-specific (or federation-specific) contextual attributes, the enterprise needs to effectively manage other global personal data. A brokering approach should be used to enforce the accuracy and consistency of profile data across an enterprise and provide self-service functionality to individuals who want to maintain control over sensitive personal information. It should also automate the synchronization of this data across an enterprise’s resources, further ensuring that all data is up to date and relevant. And since an individual might occupy multiple roles across a set of federated enterprises, the brokering solution should accommodate the policies in force within each enterprise.
Access Management
To protect the privacy of user information, standards-based access control mechanisms must be in place to manage appropriate levels of access based on roles and relationships with the organization. Access management helps organizations manage secure access to Web-based resources within the enterprise or across business-to-business (B2B) value chains. It should provide a comprehensive set of capabilities for managing identities and for enforcing authorized access to network services and resources.
Password Management
The more systems and applications that users have access to, the more important password policies become. Enforcing consistent, strong password policies across the enterprise is essential to providing high levels of security. Password management should be a centralized and highly secure function. Ideally, it should be automated and provide an easy-to-use self-service interface to the individual, in order to reduce the burden on the help desk (password problems are the #1 reason for calls to help desks).
Directory Management
Directory management is a key underpinning to providing an enterprise identity infrastructure that enables regulatory compliance. Enterprises that use intranets or the Internet to provide services to customers, employees, and business partners face the challenge of managing identity information for a multitude of users. LDAP directory architectures are the best practice for simplifying deployment of secure applications, customer/partner portals, and e-commerce operations.
Audit and Reporting
For the purposes of regulatory compliance and audit, the enterprise should have access to a forensically durable logging and auditing component. Some identity management solutions take no measures to preserve the integrity of log records; as a result, any individual with database administrator skills can alter or destroy log records. We are not suggesting a transaction log record, but rather a log indicating which authority granted or revoked each individual’s right to access certain classes of information, how rules were developed or altered, and what delegation or recall of administrative capabilities is required within the enterprise or across the federation. Without this capability, the organization will be unable to verify the auditability of its critical IT systems.
All of the above capabilities should be standards-compliant to the extent that such standards are viable. A few examples include the Security Assertion Markup Language (SAML), the Service Provisioning Markup Language (SPML), and the Liberty Alliance Project initiative supporting a federated identity management model.
Identity Management Solution Stack
End-to-End Identity Management
Crescent Enterprise Solutions utilizes an award-winning suite of products designed to meet the most challenging identity management requirements.
- Sun Java™ System Identity Manager lets the enterprise automate processes to guarantee that individuals have access only to those systems they need, and that once that access is no longer needed, it is withdrawn. It also provides a secure, centralized system for password management. Through automation and self-service, Java System Identity Manager eliminates the #1 source of costly help desk calls and, at the same time, enhances service and security.
- Sun Java System Access Manager is a security foundation that helps organizations manage secure access to Web applications both within the enterprise and across business-to-business (B2B) value chains. It provides open, standards-based authentication and policy-based authentication and authorization with a unified framework.
- Sun Java System Directory Server Enterprise Edition provides secure, highly available, scalable directory services for storing and managing accurate and reliable identity data. It increases security by serving as a front end to prevent denial of service (DoS) attacks and access by unauthorized users. Security is further improved through the ability to deny or allow access based on IP address, group membership, and other criteria.
- Identity audit and reporting capabilities are available in both Java System Identity Manager and Java System Access Manager. These capabilities maintain a forensically durable record of who has access to what. Deployed in the correct context of policy, these products can reinforce the integrity and auditability of each enterprise’s business processes dealing with personal data.
Our Services
Effective, secure identity management is the foundation for all network and Web-based services. In today’s complex business environments, identity management for your company, partners, suppliers, and customers can be complex and costly. Sun’s identity management products help you to manage access control, user provisioning, user passwords, and data synchronization, as well as auditing and reporting to improve operational efficiency while lowering risks. To complement these products, Crescent offers a comprehensive portfolio of identity management services that help enable you to implement an end-to-end software solution or integrate specific products into your current environment. To help you make the most of your identity management investment, Sun provides consulting services, training, technical support, and maintenance. Sun works closely with you to document technology, business, and policy requirements, then recommends an action plan. Because Sun products are based on open standards, and because Sun offers broad experience and proven consulting frameworks, the company is well-positioned to provide expertise to a range of customer environments. The result is a solution that minimizes risks and maximizes your investment.
Solution Benefits
- Reduces complexity and delivers cost savings as a result of end-to-end assessment and implementation planning
- Addresses both new installations and integration within an existing environment
- Offers an end-to-end portfolio that helps eliminate the need to coordinate services with multiple vendors
- Leverages CES Identity Management intellectual capital
- Delivers integrated consulting, IT Talent Management and support services
- Reduces security risks and lowers administrative costs