ca_identity_manager
Shared by: tony lindeman (posted 2/27/2008, English)
White Paper
CA Identity Manager
Matthew Gardiner, Security Management
November 2006

Table of Contents
Overview
The Need for Identity and Access Management
Defining Identity Management
CA's Identity Management Solution - CA Identity Manager
CA Identity Manager Architecture
Scalability and Availability
Enterprise Scale Manageability
Secure Architecture
Integration Points with the Rest of the CA IAM Suite
Identity Administration
Granular User Access and Provisioning Policies
Customizable Interface
Password Management and Synchronization
IT Integration
Front-End Integration
Back-End Provisioning Connectors
Connector Xpress
Identity Audit and Compliance
Reporting
Strong Authentication
Compliance Policies/Segregation of Duties
Entitlement Certification
Compliance Reporting and SCC Integration
Conclusion

Overview

In today's increasingly global business environment, an organization's critical success factors include being able to move faster than its competitors and to do more with less. Even mega-enterprises are expected to be as nimble as a start-up. It is critical that organizations increase the effective use of information technology to meet the threats and opportunities before them. But with increased deployment of IT systems for both internal and external use comes additional complexity. A typical global enterprise can have hundreds of applications, thousands of business partners, tens of thousands of employees and hundreds of thousands of customers.
All of these constituencies need to access corporate applications and data, and they need to do it securely and in a way that ensures compliance with organizational policies and practices and the latest regulations. This is a non-trivial IT management task. Identity and Access Management (IAM) software has emerged to provide the automation and control needed to scale to today's business requirements. Leading IAM solutions consist of a variety of modular, yet interrelated offerings, including identity administration, provisioning, single sign-on, access management, federation and identity audit & compliance, with a common goal: to help organizations streamline the management of all identities and computing resources used by both internal and external constituencies across the entire enterprise.

Identity and Access Management is a core component of CA's Security Management and Enterprise IT Management (EITM) strategies. EITM leverages CA's broad IT management product portfolio and common integration platform to help enterprises manage risk and cost, improve service and align IT investments with business imperatives. This technology-neutral approach, using cutting-edge service oriented architecture (SOA) based components, enables organizations to add capabilities at their own pace.

This paper covers why IAM is a critical success factor for today's enterprises and why CA's IAM solution provides a compelling answer to those needs. It then delves specifically into CA Identity Manager, CA's identity administration and provisioning component. You'll see why Identity Manager has built a market-leading position through a combination of best-in-class features, quick integration into existing IT environments, unmatched scalability and manageability, and the ability to simultaneously support a variety of user constituencies including employees, partners and customers.
The Need for Identity and Access Management

In today's business and technology environment, user accounts, entitlements, credentials and access can no longer be managed in a one-off, application-specific (siloed) way. Corporate IT groups often need to support millions of users (both internal and external to the organization) and hundreds of applications. These silos of security impede productivity, data integrity, compliance and the user experience. All the while, the pace of change continues to accelerate. Employees join, change responsibilities and leave companies at unprecedented rates. Moreover, diverse communities of partners and customers must be supported, and there is increasing scrutiny on protecting private information and on regulatory compliance. It is clear that managing identities more effectively is a critical success factor for every IT organization.

Though it is possible to continue to manage identities manually or with custom-built systems, the best practice is to use IAM software on an enterprise-wide basis and build IAM shared services that existing and future applications leverage in a consistent way.

So what exactly are the benefits of Identity and Access Management? In a nutshell, organizations are looking to improve operational execution and control, positively impact user satisfaction and assist in compliance efforts. Let's examine each of these in sequence:

• Improve Operational Execution. Manually managing users, or building user management into each application and/or resource, is an expensive and time-consuming proposition. Between the labor involved in adding users (or removing them) and the inevitable mistakes, ensuring that each user has access consistent with his or her relationship with the firm is typically tremendously expensive.
By automating many of these functions with a world-class identity and access management solution, an organization's ability to manage users (whether they are internal staff, authorized partner personnel or customers) is dramatically streamlined. An industry analyst study predicted that a typical 10,000-employee company could save 14,000 hours of security administration time and 6,600 help desk hours annually by deploying an IAM solution. Payback in a matter of months is a compelling value proposition. Additionally, errors largely become a thing of the past, as automation ensures that consistent and accurate accounts are created, modified and revoked on each target system without human intervention. IAM delivers what organizations need: timely and error-free provisioning of accounts, credentials and entitlements. In fact, IAM systems generally put key steps in the process in the hands of the people best able to manage them, while providing real-time access to the applications and data for which users are authorized.

• Improve Operational Control. Doing things cost-effectively is not enough anymore. Organizations also need to show they are "in control" of who can access corporate data and take part in material business processes. The job would be hard enough if these resources remained static, but with the proliferation of additional applications, extranets, trading communities and the like, the number of resources requiring management has mushroomed almost as quickly as the number of identities. These controls must apply to all users, from average end users to "root" administrators. All told, this creates significant security exposure, as misconfigured roles or access rights can give unauthorized users access to sensitive information. Control is not just a watchword, it is a corporate mantra.

• Improve User Satisfaction. Doing more with less continues to be a corporate imperative.
Forcing users to deal with multiple identities for multiple applications stymies their ability to get things done. There is also a lot to be said for making a positive early impression on new users by having everything (key applications, voice mail, email, facilities access) ready when they need it. Likewise, if configuration and access are continually bungled by the operations group, that does not provide comfort for anyone. A robust Identity and Access Management infrastructure enables users to access the right resources with consistent credentials and to focus on their work, not on their access or privileges.

• Assist in Compliance Efforts. There is no way around it: both internal and external auditors are a factor in all IT operations. Understanding who has accessed what, and being able to document this and how they received access, is a critical aspect of proving compliance with any of the regulations in force around the world, including Sarbanes-Oxley (and other global regulations governing the use of adequate controls), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the EU Data Protection Directive (95/46/EC). The key requirement of virtually all IT/security-related regulations is the creation of strong and reliable internal controls. This means that all users must be uniquely identified, all their access to protected resources must be tightly controlled, access to these resources must be based on a defined security policy, and access and security events must be easily and fully auditable. Generally, auditors are not interested in how long or how expensive it will be for you to comply with their requests. Achieving compliance efficiently is up to you.

Defining Identity Management

Identity and Access Management means different things to different people.
The broader category of IAM helps organizations to streamline management, establish trusted access for partners, protect investments in existing systems, reduce overall costs, improve overall efficiency and facilitate compliance with regulations. This paper will focus on Identity Management, which can be defined as follows:

Identity Management, a subset of IAM, is a set of technologies that automate the processes of creating, modifying and deleting user identities and provisioning access to enterprise resources across diverse user populations including employees, customers and partners.

The categories of IAM, their associated functions and the corresponding CA IAM products which deliver those functions are shown in Figure 1 below.

Figure 1. CA's IAM Solution: The Most Comprehensive IAM Solution.

Delving a little deeper into identity management, the key functions are:

• Password Management. Enables users to manage their own credentials and profiles, including the ability to reset or be reminded of their passwords when forgotten and to synchronize credentials between target systems when changed. Also provides automated policies that define password composition rules to prevent identity theft and keep protected resources secure. These functions can also be integrated directly with the Microsoft Windows GINA login environment.

• Provisioning/Deprovisioning. Assigns system and application accounts, resources and privileges to both internal and external users. Encompasses managing access (create, modify, delete) to email, operating systems, ERP, web sites and/or other application resources or data. By enforcing entitlement policies (including segregation of duties and entitlement re-certification) in an enterprise tool, management can have greater confidence that application and resource entitlement policies are under control.

• Identity Administration. Centrally administers user identities while automating repeatable administration processes.
Includes managing and delegating the creation, deletion and modification of the identities and roles in use by both internal and external users, as well as the workflows associated with approval and notification processes.

• Identity Virtualization & Directory. Accessing and managing distributed repositories of user accounts and profiles in a scalable and efficient manner is often a unique challenge. These repositories need to expose user information to the various applications that need access to it, without taking on the impossible task of creating a single, enterprise-wide repository of every user identity and profile attribute.

CA's Identity Management Solution - CA Identity Manager

CA recognizes the challenges faced by organizations in dealing with the complexity of identity and access management. In response, CA provides the industry's most comprehensive and integrated IAM solution. CA Identity Manager, the administration and provisioning component of this solution, provides an integrated identity management platform that automates the creation, modification and deletion of internal and external user identities and governs their access to enterprise applications and resources, in order to ensure adequate security while reducing administration costs and enhancing the user experience.

CA Identity Manager provides the following key capabilities:

• Decentralized Administration with Centralized Controls. The most critical aspect of managing identities in diverse, global organizations is the ability to move management out to the business units, business partners and the users themselves. Yet this delegated administration capability must adhere to corporate policies to ensure consistency of organizational controls and policies and adherence to regulatory compliance requirements. CA Identity Manager provides a powerful balance between centralization and decentralization.

• One Identity Management Infrastructure. True leverage comes from being able to manage all types of identities (employees, contractors, partners, customers, assets, IT resources, applications, roles), both internal and external to the organization, via a common, enterprise-class identity management system. There is so much commonality in the problem of managing identities; why do it with separate systems?

• Enterprise Scale. The architecture of all of the CA Identity and Access Management solutions lends itself to nonstop operations, providing failover, load balancing and robust management capabilities. CA Identity Manager has been proven in the largest enterprises in the world, scaling up to millions of identity records and offering delegated administration on a massive scale across tens of thousands of internal and partner organizations.

• Flexible Integration with Existing IT Systems and Infrastructure. Time to value is an important part of every identity management project. By providing connectivity to leading operating systems and platforms, supporting open standards like SPML and providing other web services interfaces, CA Identity Manager greatly eases the integration and deployment of provisioning and identity management. For those homegrown applications not supported out of the box, CA offers the graphical Connector Xpress, which enables customers to build their own dynamic database connectors easily and quickly without custom programming.

• Standards-based. CA Identity Manager protects existing and future investments by supporting and adopting a wide variety of industry standards, including SPML and relevant Web services standards. This ensures that CA Identity Manager will support and plug into all applicable technology platforms, both internal and external to the organization.

• Integration with Broader Enterprise IT Management Platform. Identity and Access Management is but one discipline within a broad set of enterprise IT management needs. For example, CA Identity Manager can be monitored through integrated security management tools (eTrust Security Command Center) and leverages common components with other CA IT management products. This allows user activities and access violations to be evaluated within the context of other network and application activities to determine the overall significance of any one event or series of events.

CA Identity Manager Architecture

Drawn from a decade-long heritage of identity management solutions, CA Identity Manager leverages a world-class management interface to provide the critical "front-end" identity administration capabilities (delegated administration, workflow rules, roles, self-service, administration UI), as well as "back-end" provisioning capabilities through a broad set of connectors, provisioning policies and open integration.

Figure 2 depicts the major components of CA Identity Manager. The components are:

Figure 2. Major components of Identity Manager.

• Identity Manager Server. CA Identity Manager Server is a J2EE Enterprise Application that provides secure web-based user interfaces, exposes identity management focused web services and provides the business rules engine (workflow). The exposed interfaces provide for centralized delegated administration of all identity management and provisioning tasks. CA Identity Manager Tasks execute within the business engine and interact with all other components in the system. Identity Manager Server also includes connectivity to the Policy Server.

– Policy Server. CA Identity Manager Server communicates with the Policy Server (the policy server shared with eTrust® SiteMinder®) to enforce the secure delegated administration model and to store management data in the Policy Store.

• Policy Store. The Policy Store is the metadata repository for all CA Identity Manager objects, including roles, tasks, business rules and policies. This provides the information needed to enforce administrative controls for the provisioning process.

• Provisioning Server. The Provisioning Server contains the core logic of the provisioning system. It communicates with target systems via connectors to add, delete and modify user accounts.

• Identity Store. The Identity Store data may reside in eTrust Directory, a relational database and/or a variety of LDAP-addressable directories. The Identity Store contains provisioning metadata (e.g., user identity attributes, roles, target systems and associated container objects) and target system mapping data (the mapping of users to roles and roles to target applications). The Identity Store maintains the information necessary to manage the provisioning of users to target systems. The Identity Store can be deployed in the Enterprise Directory if desired.

• Audit Store. The Audit Store is the auditing database where all of the CA Identity Manager logging records are sent for storage and future analysis.

• Connectors. CA Identity Manager interfaces with authoritative sources of identity via the Universal Feeds and pre-packaged connectors, which support provisioning to target systems by integrating with each target system's standard interfaces. The product's Connector Xpress can also be used to build custom interfaces to RDBMS-based systems not supported out of the box. CA Identity Manager also provides a standards-based service via SPML that can be used for interfacing with target systems.

Scalability and Availability

When organizations start to deploy an identity management solution, the first phase is typically focused on addressing one or two high-priority but narrow user management challenges (password resetting, account provisioning on a narrow set of target systems, self-service, and so on). As such, a typical first phase of a deployment will be limited in scope, and issues such as scalability and availability will often be left off the table. This is a common mistake. Identity management is an enterprise problem, and as such identity management system deployments need to be readily expandable. Organizations that think too narrowly, focusing only on their initial needs, are likely to face significant scaling problems in future phases of their identity management programs.

As identity management deployments mature, multiple dimensions of expansion typically arise:

• Expansion to cover the needs of additional business units and geographies
• Expansion to support the needs of a growing community of users, both internal users (such as employees/contractors) and external users (such as partners and customers)
• Expansion to provide account and entitlement management in additional applications and systems across the enterprise

CA Identity Manager was designed with a focus on the dynamic nature of enterprise-class deployments, supporting deployments across a wide range of scale, starting from a few thousand identities with a few managed systems and growing to hundreds of thousands of identities with hundreds of managed systems. CA Identity Manager achieves this by leveraging standards-based technologies and methodologies for clustering and load balancing, as well as by providing a management model that can be extended to cover highly sophisticated scenarios.

Figure 3 illustrates a typical clustered, highly available and scalable deployment. In this diagram a basic deployment block is defined. Once two instances of a block are deployed, no single point of failure exists in the system. Over time, as demand grows, additional blocks can be deployed to satisfy the greater need for performance and availability.

Figure 3. CA Identity Manager Clustered Deployment.

Enterprise Scale Manageability

A different aspect of enterprise scalability is the manageability of the identity management system. CA Identity Manager efficiently addresses manageability concerns such as:

• How do you delegate the right level of user administration to the right people or groups inside and outside the organization?
• How do you enforce corporate policies while enabling autonomy for the different business units in the organization?
• How do you support the service provider model, where a centralized IT group enables the identity management processes but does not conduct them?

The flexible administration and delegation approach of CA Identity Manager enables customers to model their identity management business processes and automate them via the tool, rather than forcing their user administration processes to fit a less flexible tool. CA Identity Manager has also been proven to effectively address a service provider model, whether a centralized business unit providing service to multiple semi-autonomous business units, or providing user administration services to multiple separate organizations, all from the same deployment of CA Identity Manager.

Secure Architecture

User and provisioning information is some of the most sensitive data within an enterprise. Given this, CA Identity Manager has been architected to protect that data, using secure authentication, authorization and encryption capabilities.

• Authentication. At its core, CA Identity Manager uses eTrust SiteMinder authentication services to protect access to CA Identity Manager. In addition, both products share the same Policy Store. Thus CA Identity Manager supports all of the authentication technologies supported by eTrust SiteMinder, including passwords, certificates, Windows logon/authentication, smartcards and one-time password devices. eTrust SiteMinder can point to multiple authentication servers for password validation and provides the benefit of single sign-on between CA Identity Manager and any other eTrust SiteMinder protected Web applications or portals. Other authentication types can be added via eTrust SiteMinder custom authentication agents.

• Authorization. CA Identity Manager uses two methods to secure administrative privilege: scoping and delegation. It enables unlimited administrative delegation levels and supports restricting administrative rights based on role membership.

• Encryption. Protecting identity data both at rest and in motion is critical to security and compliance initiatives. Given this, all CA Identity Manager components communicate via the industry-standard SSL protocol. Additional data security measures are implemented in the provisioning engine, which stores passwords and users' answers to knowledge-based authentication questions as encrypted attributes in the directory, protecting the data even from administrators. Organizations can also encrypt any of the attributes within the Policy Store, which resides in any standard directory.

Integration Points with the Rest of the CA IAM Suite

As with many software categories, organizations can choose Identity and Access Management solutions either standalone or as part of a broader solution. Enterprises generally require that solutions allow them to start small and grow their IAM deployment as business dictates. CA Identity Manager meets that requirement by being part of the highly integrated and extremely modular CA Identity and Access Management solution. The CA IAM solution was designed to provide value whether other parts of the platform are used or not, but the most leverage will come from adopting more modules of the CA IAM solution. Examples of the value of using CA Identity Manager with other portions of the CA IAM solution are discussed below.

• eTrust Access Control. CA Identity Manager, when used with eTrust Access Control, can manage administrator access at the operating system (UNIX, Linux and Windows) level and control the access of administrators that have "root" privileges on any of the target systems.

• eTrust SiteMinder shares the Policy Server with CA Identity Manager, providing two-way integration. User access roles defined in CA Identity Manager are automatically available for role-based access control (RBAC) enforcement via eTrust SiteMinder. CA Identity Manager also uses eTrust SiteMinder's market-leading authentication services and provides single sign-on to any eTrust SiteMinder protected application. eTrust SiteMinder uses roles defined in CA Identity Manager to enforce policies for access management. CA Identity Manager also, of course, manages the user accounts, credentials and entitlements which are leveraged in real time by eTrust SiteMinder for authentication and authorization decisions.

• eTrust Single Sign-On (SSO) is integrated with CA Identity Manager, which enables CA Identity Manager to manage the user's account in SSO, including setting the SSO password and setting/resetting the target systems' passwords.

• Mainframe Security (CA-ACF2 Security, CA-Top Secret Security) integration allows the creation, modification and deletion of accounts within those mainframe security systems.
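The SPML interface named under Connectors in the Architecture section, as an added example that is not CA's code and uses no CA API: a small Python module that builds an SPML 2.0 addRequest for a target system and parses the addResponse that comes back. The namespace and the element and attribute names (addRequest, containerID, data, addResponse, pso, psoID, errorMessage, requestID, executionMode, targetID, status, error) are those of the SPML 2.0 core schema; the target ID "hr-ldap", the container DN, the attribute names and both sample responses are constructed for illustration, and the SOAP transport a real provisioning server would wrap this in is not shown.

```python
"""SPML 2.0 addRequest/addResponse round trip for a provisioning connector.
Added illustration, not CA code; the target, container and attributes are
hypothetical."""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"     # SPML 2.0 core namespace
ET.register_namespace("spml", SPML_NS)


def _q(local):
    """Clark-notation name in the SPML namespace."""
    return f"{{{SPML_NS}}}{local}"


def build_add_request(request_id, target_id, container_id, attrs):
    """Serialise an <addRequest> that asks `target_id` to create one account
    (PSO) inside `container_id` with the given attribute values.
    `request_id` lets the caller correlate the response with its audit record."""
    req = ET.Element(_q("addRequest"), {"requestID": request_id,
                                        "executionMode": "synchronous",
                                        "targetID": target_id})
    ET.SubElement(req, _q("containerID"), {"ID": container_id, "targetID": target_id})
    data = ET.SubElement(req, _q("data"))
    # The content of <data> is target-specific (xsd:any in the core schema);
    # the hypothetical target here takes LDAP-style attribute elements.
    for name, value in sorted(attrs.items()):
        ET.SubElement(data, name).text = value
    return ET.tostring(req, encoding="unicode")


def parse_add_response(xml_text, expected_request_id, expected_target_id):
    """Parse an <addResponse>. Returns a dict with status, the created PSO's ID
    (on success) and any error messages. Rejects responses that do not answer
    the request we sent, so a stale or replayed reply cannot be mistaken for
    confirmation that the account now exists."""
    # xml.etree does not resolve external entities; for a network-facing client
    # prefer defusedxml so entity expansion is capped as well.
    root = ET.fromstring(xml_text)
    if root.tag != _q("addResponse"):
        raise ValueError(f"unexpected root element {root.tag}")
    if root.get("requestID") != expected_request_id:
        raise ValueError("response does not match the request sent")
    result = {"status": root.get("status"), "pso_id": None, "errors": []}
    if root.get("error"):
        result["errors"].append(root.get("error"))
    result["errors"] += [e.text for e in root.findall(_q("errorMessage"))]
    pso_id = root.find(f"{_q('pso')}/{_q('psoID')}")
    if result["status"] == "success":
        if pso_id is None or pso_id.get("targetID") != expected_target_id:
            raise ValueError("success response without a PSO on the expected target")
        result["pso_id"] = pso_id.get("ID")
    return result


# Constructed sample responses (what a target's SPML service might return).
SAMPLE_SUCCESS = """<spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0"
    requestID="req-1001" status="success">
  <spml:pso>
    <spml:psoID ID="uid=jdoe,ou=People,dc=example,dc=com" targetID="hr-ldap"/>
    <spml:data><cn>Jane Doe</cn><uid>jdoe</uid></spml:data>
  </spml:pso>
</spml:addResponse>"""

SAMPLE_FAILURE = """<spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0"
    requestID="req-1002" status="failure" error="alreadyExists">
  <spml:errorMessage>uid=jdoe already exists on target hr-ldap</spml:errorMessage>
</spml:addResponse>"""


if __name__ == "__main__":
    print(build_add_request("req-1001", "hr-ldap", "ou=People,dc=example,dc=com",
                            {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.com"}))
    print(parse_add_response(SAMPLE_SUCCESS, "req-1001", "hr-ldap"))
    print(parse_add_response(SAMPLE_FAILURE, "req-1002", "hr-ldap"))
```

The check on requestID and on the psoID's targetID is the part worth copying: a provisioning engine that records "account created" in its Audit Store on any status="success" reply, without tying the reply to the request it sent, can be fed a stale response and end up believing an entitlement exists (or was removed) when it does not.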
• eTrust Security Command Center (SCC) aggregates, correlates, analyzes and reports on CA logs for all of the modules in the CA IAM solution, including CA Identity Manager, providing a broader view and end-to-end context on an organization's security activities. This enables faster remediation of issues and more complete documentation and reporting for internal and external auditors.

Additionally, CA Identity Manager is able to interoperate with many other CA products under the Enterprise IT Management (EITM) umbrella. Because those products use the CA Embedded Entitlements Manager, CA EITM products come with a built-in connector to CA Identity Manager, allowing for the creation, modification and deletion of accounts and entitlements in those systems.

Identity Administration

CA Identity Manager offers unparalleled capabilities to manage the accounts, entitlements and privileges of users, whether they are internal, customers or partners, controlling access to specific business functions and provisioning accounts on virtually any target system. Historically, identity administration has been manual and thus very resource intensive. In addition, many other identity management software products force administrators to change their business processes to fit the tool, as opposed to vice versa. CA Identity Manager does not expect users to change their business processes, but rather offers the flexibility to support existing workflows and authorization models by offering granular user access and provisioning policies, managed in a flexible and powerful way via unmatched interface flexibility, all in a secure, scalable, extensible, localizable and customizable platform. Each subsequent section delves deeper into the product's identity administration capabilities.

Granular User Access and Provisioning Policies

The Role of Roles

The "role" is the fundamental building block of many identity management initiatives, and with good reason. Role-based management allows business functions and provisioning to be abstracted from specific individuals. Roles can and should be supplemented by rules and request-based capabilities. By tying a user's privileges to their responsibilities, as opposed to the particular individual, an organization gains tremendous flexibility to transfer privileges when an employee, partner or customer requires new or changed access. For example, a "business analyst" role will have access to specific applications and resources depending both on which organization that analyst is associated with and on the functions they are expected to perform. An "engineering manager" will have different access, as will a business customer and a manager of certain partnerships. The point is that roles can effectively map an organization's functional responsibilities to access requirements, to ensure the right people get access to the right resources at the right time. By providing three different role types (admin roles, access roles and provisioning roles) and a flexible rules management system, there is a virtually unlimited number of ways roles and rules can be configured to map an organization's access policies, both now and as the business evolves.

Users are not restricted to a single role either, so if the "analyst" mentioned above helps out with user administration, he or she can be assigned that role as well. CA Identity Manager can also leverage roles (or job functions and locations) defined by an organization's HR group and implemented in the HRMS (Human Resources Management System), providing consistency across both the HR and IT domains. Additionally, roles can be mapped to specific application groups in the target system. For example, a group called "SAP Finance Users" can be established, which would provide authorization to access SAP's finance functions, but also the separate cash management system and any other relevant systems. Even more granularly, you can define an audit role within the group which has access to view reports, but not to change entries in the general ledger system.

Managing CA Identity Manager through Admin Roles

Admin roles are used to manage administrator interaction with CA Identity Manager. By defining different admin roles, an organization can very granularly control which administrators control which aspects of the system, and delegate responsibilities accordingly for both internal and external administrators. One of the most attractive features of CA Identity Manager is its flexibility; for example, organizations may define their own use of admin roles. To illustrate the power and flexibility of admin roles, a few of the admin role types that are typically used within CA Identity Manager deployments are:

• A help desk administrator views user names and addresses and can reset passwords, among other tasks
• An HR administrator creates and modifies user IDs, user names, titles, departments, locations and salary
• A manager manages the entitlements, roles and privileges for the employees that report to him or her
• An IT manager views title, department and location information and adds provisioning roles to provide application access as dictated by the user's job function
• An external administrator of partner access configures roles and responsibilities for employees of that partner
• A customer manages his or her own profile of identity information (known as self-service)

Admin roles also define how the system operates, determine responsibilities and set what level of approval is required in workflow-enabled business processes. So a workflow can be defined to add a new accounting user, including requiring approval for access to the finance system and facilities requests to ensure they have a computer and phone when they start work.

Admin roles also support delegated administration of user management and of granting access to applications. Moving the decision process closer to the business for user moves, adds and changes, as well as business-specific application management topics, improves the efficiency of the IT staff by not burdening them with day-to-day management tasks for which they have little or no context. For example, an IT staffer can administer provisioning roles while an administrator within the business unit manages the users in their group. Each admin role contains rules that describe which other administrators can modify, assign or use the role. This flexible capability allows administration responsibilities to be divided up in the most efficient manner.

Rules Facilitate Identity Administration

Given that roles are the building blocks of the identity management infrastructure, it can be said that "rules" supply the business logic that makes everything happen. CA Identity Manager uses rules to define a set of business changes depending on highly configurable, dynamic attributes. CA Identity Manager has a graphical policy manager in which rules are defined. The rules are very flexible and can be implemented across groups, workflows and roles, ensuring that any set of behaviors can be initiated at any time, based upon any set of conditions.

Figure 4. CA Identity Manager Identity Policies.

Rules are grouped together into a set of policies to define certain behaviors. You can:

• Assign roles and group memberships, allocate resources and modify user profiles.
Rules are typically triggered when changes to any users are detected (including creation, modification and/or removal of an identity) • Enforce segregation of duties activities, such as prohibiting check signers from being check approvers or kicking off special workflow processes to act as compensating controls. These also can be triggered when adding a user to ensure conflicting roles are not assigned to the same people • Audit certain users depending on specific attributes, like salary or access to private information To protect the integrity of the system, admin roles govern which administrators can set up or manage specific rules. This ensures the segregation of duties that is critical for compliance purposes. Some of the typical process workflows implemented within CA Identity Manager include: • Provisioning/Deprovisioning. The adding and/or removing of users to the system and defining and/or removing of appropriate roles, including the generation and/or revocation of accounts and access controls on the target systems as required • Approval/Notification. The workflow associated with approving new accounts, roles and entitlements for users • Entitlement Certification. A process of systematically producing, reviewing and approving current entitlements, while keeping accountability and traceability. Enforcing time limits for entitlements on material systems is a best practice for regulatory compliance. When these entitlements are set to expire, the workflow automatically kicks off a process to have the entitlements reauthorized or suspended if the request is not acted upon Additionally, the workflow engine supports advanced approval routing, parallel and serial processing of requests, “m of n” approvals, request or event-triggered tasks, approval request resending and auditor read-only roles. To ease configuration, a Java-based GUI is available to graphically configure the workflows. 
Requests complement Roles and Rules As powerful and flexible as the roles and rules-based functionality of CA Identity Manager, sometimes it is more effective and streamlined to just deal with entitlement assignment (and revocation) via simple requests. This gives administrators (with the proper authorization) the ability to assign a specific entitlement to a specific user. This hybrid model provides organizations with unmatched flexibility to respond to the needs of the business. Customizable Interface Administrators need management interfaces to reflect their preferences (whether casual users or hardcore security administrators) and fit into their daily routine. Most existing identity management platforms have fixed and inflexible interfaces requiring time consuming and expensive code-level customization in order to be modified. CA Identity Manager embraces current generation web standards to provide a customizable, flexible environment, which can support frequent iterations and is well suited to both internal and external administrators. Easily customizable CSS style sheets provide the structure and layout of the web pages. Additionally, each administration screen is built on the fly using both static and dynamic HTML — providing enhanced security and ensuring the flexibility to customize the pages to fit transparently into their work environments. For those administrators who want to embed identity administration functions into other management tools or Web portals, screens are delivered via popular J2EE application servers. In addition, CA Identity Manager supports leading web services standards, enabling CA Identity Manager functions to be used standalone or integrated directly into any existing web application, including the portal framework of choice. All management functions of CA Identity Manager are exposed by SPML and the web services based interfaces. 
Templates Accelerate the Time to Value As you can see the role and rule-based identity administration of CA Identity Manager can map to any conceivable business process and environment. But this level of sophistication can be constructed over time. To make initial deployment easier, CA Identity Manager ships with templates providing out of the box roles, rules and policies for adding, deleting, disabling and setting up users and target systems. This allows CA Identity Manager to start providing value quickly and while enabling further refinement and changes over time. Integrated Workflow Workflow processes within CA Identity Manager automate well-defined procedures that companies repeat frequently. The server-based model of CA Identity Manager provides the workflow and approval logic to enable total automation for virtually every task and policy. 11 Figure 5. Customizable Interface of CA Identity Manager. Password Management and Synchronization Password management is a critical security and cost issue within most corporations and thus is a typical starting point for many identity management projects. CA Identity Manager provides robust capabilities to manage user passwords, including reverse password sync/capture, Windows GINA support and integration with the CA SSO product. To manage user passwords, administrators create password policies that define rules and restrictions for governing password expiration, composition and usage. Password self-service offerings are also available to allow users to manage their own passwords (for example, reset or provide a password hint). • Reverse Password Sync/Capture. Enables target systems to be considered the authoritative source for a user’s password and then synchronizes other targets accordingly. Agents exist to capture the passwords from target systems including Active Directory, CA-ACF2, CA-Top Secret, various UNIX flavors and OS/400. • Windows GINA Support. 
Enables users to integrate CA Identity Manager password services with the Windows login. This adds forgotten password and password change capabilities to the Windows login (which are not part of the base Windows capabilities). • Integration with eTrust Single Sign-On. Native integration allows CA Identity Manager to create and store passwords within the password “vault” of eTrust Single Sign-On. • Password policies: – Password Expiration. Set a maximum number of login failures and define inactive-password policies, that is, the time period after which an unused password expires. Expirations can also be set for user passwords based on time variables, thereby forcing users to periodically reset current passwords – Password Composition. Minimum and maximum lengths of password characters can be defined as well as requiring passwords to include numbers and/or special characters – Password Usage. Other password services include the enforcement of the use of upper and lower case letters within a password, as well as, the use of white spaces • Self-service Registration and Management. Employees, partners and/or customers can register as a new user, create a user name and password, set expirations to that password and change the password whenever they or the user feels it necessary. Support is also included to automatically handle forgotten User ID and password requests by requesting verification of identity via highly flexible question and answer pairs. CA Identity Manager integrates with other data stores to verify information and assign proper privileges to those that are selfregistering. 12 IT Integration A key factor in the ease of deployment of identity management systems is how easily the system integrates into the organization’s IT environment. CA Identity Manager provides out of the box, standards-based and custom integration capabilities exactly for this purpose. 
Additionally, CA’s flexible, built on the fly HTML administration interface allows components of CA Identity Manager to be integrated into other Web applications and portals of the customer’s choosing. Generally connectors provide the ability to administer accounts, groups, policies, profiles and/or resources on the target systems, offering a single point for all user administration. Each connector is built specifically for the application and uses the native application interfaces to provide the most extensive level of integration possible. The major categories of connectors include: • ERP Systems (SAP, PeopleSoft, Oracle, Siebel etc.) • Groupware applications (Lotus Notes/Domino, Microsoft Exchange) • Hosts/Servers (Windows, Linux, Active Directory, HP-UX, IBM AIX, Sun Solaris, AS/400, Novell NDS) • Authentication Servers (RSA SecurID, ActivIdentity CMS) • Databases (Oracle, Microsoft SQL Server, MySQL) • Standards (LDAP, ODBC) Integrating with the mainframe is a particular area of strength for CA Identity Manager. Connectors are available for IBM RACF, CA-ACF2 and CA-Top Secret, which provide very granular capabilities to administer accounts and resources within these mainframe security environments. Administrators can use CA Identity Manager to register directories, explore them for objects to manage and correlate their accounts with global users, as well as, policy-based creation and management of accounts and resource rules, password changes and account activations and role synchronization. Front-End Integration Every IT administrator has his or her own process for how to get the job done. The role of Identity and Access Management solutions is not to force that process to change, but to automate it in a way that makes sense for the administrator and the organization. CA Identity Manager provides a number of integration points for its management and administrative interfaces. 
For those administrators that want to use the product’s native interface, a description of the flexibility and customization available with the interface is above. But for those that want to embed the management of CA Identity Manager into their existing applications or embrace standards, there are many options. Firstly CA Identity Manager provides the Task Execution Web Service (TEWS) interface, which allows a remote thirdparty client application to submit identity management requests to CA Identity Manager for execution. All CA Identity Manager tasks that can be accomplished through the user interface of CA Identity Manager is exposed via TEWS. In addition the product provides WSDL files which specify the metadata that the client application needs to use to prepare and submit a task request. Those looking for a standards-based option will find very robust support of Service Provisioning Markup Language (SPML), which facilitates provisioning requests between clients and servers both internal and external to the organization. As an open standard, SPML provides communication with other provisioning systems, enabling businesses to continue using and integrating existing systems. Connector Xpress Organizations typically have many homegrown applications, many of which are critical to include in the centralized provisioning and identity management environment. Historically, customers needed to do a significant amount of custom coding to build the interfaces for these applications to the provisioning system. Not only was this time consuming and expensive, but also added significant maintenance requirements as the application would change and thus the connector would also need to change. CA has addressed this issue by providing Connector Xpress as a key capability in CA Identity Manager. Connector Xpress provides an easy to use, graphical interface to build custom connector code without requiring any programming. 
Now integration is within the reach of business analysts, not just technically astute programmers. A screen shot of the Connector Xpress can be seen in Figure 6. Back-End Provisioning Connectors CA Identity Manager provides out of the box integration with many of the leading hosts/servers, applications, databases, authentication systems and mainframe applications. By providing these pre-built connectors, customers can dramatically decrease the time to value of implementing the system since the heavy lifting of understanding the interfaces and maintaining the integration is done for you. 13 Figure 6. Connector Xpress. Identity Audit and Compliance CA Identity Manager aids organizations in a number of ways with their regulatory compliance initiatives. By encoding entitlement policies (including such things as segregation of duties and entitlement certification) into an enterprise tool and enforcing the associated business processes with workflow, management can have greater confidence that application and resource entitlement policies are under control. CA Identity Manager functions that assist in compliance efforts include reporting, strong authentication, entitlement certification, compliance reporting and eTrust Security Command Center (CA’s Security Information Management tool) integration. analysis and reporting on access, activity, intrusion and audit information to fulfill many of these reporting requirements. CA Identity Manager also offers predefined reports, including Roles and Members (displays the roles and associated members), Tasks and Roles (displays all tasks and the roles they are associated with), User Roles and User Profiles, among others. External Reporting Tools CA Identity Manager can feed any RDBMS, which allows the support of any external reporting tool that can query the audit database using standard SQL. This includes the CleverPath Reporter tool, which creates, generates, enables the reviewing and scheduling of reports. 
CleverPath Reporter provides a WYSIWYG editor and a viewer that can generate the reports either in the CleverPath interface or export reports to a variety of formats, including HTML, Excel, or RTF. CleverPath Reporter also provides a sophisticated scheduler to run reports at the times you specify or periodically (daily or weekly). The CleverPath Portal also has an option to publish reports to a centralized Web portal and let authorized users view and download the reports. In addition, CA Identity Manager is integrated with eTrust Security Command Center (SCC) for security analysis & reporting. CA Identity Manager logs can be fed to the SCC to get more flexible capabilities, including many more Reporting IT auditors, both internal and external, need to know who has done what and when. CA Identity Manager logs all events relating to every activity, including user creation, role assignment and provisioning actions. CA Identity Manager stores log events in leading relational databases from Oracle or Microsoft, allowing commercial reporting solutions to present the auditing information in any format required. Compliance, privacy breaches, more detailed audits and increasing security threats have all pushed auditing and reporting to the forefront of product feature sets. CA Identity Manager supports granular information collection, 14 predefined report templates and a sophisticated custom reporting capability (including correlating CA Identity Manager audit information with other audit sources, both CA and third party). The following predefined templates are available for SCC: • Policy summary: Summary of all identity policies • Roles summary: Role definition details, the role administrators, owners and members • Role tasks: Tasks in a role • User summary: Details of roles and attributes 1. A deliberate fraud requires collusion of two or more persons. 2. Increases the likelihood that innocent errors will be found. 
At the most basic level control of segregation of duties means that no single individual should have control over two or more phases of a material transaction or operation. CA Identity Manager enforces these requirements through compliance policies that prevent users from having certain overlapping privileges. At a minimum CA Identity Manager initiates an auditable process where requests for potentially conflicting duties must be approved as appropriate to ensure that neither financial controls nor private data is put at risk. For example, you can prohibit users that issue checks from approving checks or make sure that employees responsible for depositing cash don’t have access to bank statements. Strong Authentication Compliance initiatives often require strong authentication to ensure that only properly authorized people gain access to the critical identity information and entitlement processes. CA Identity Manager can be used to manage physical authentication credentials, in addition to passwords, across their entire life cycle (issuance, authorization, revocation). In addition by using eTrust SiteMinder authentication services to support different authentication methods, including passwords, certificates, Windows logon/authentication and one-time password devices, administrator access to CA Identity Manager can more strongly be assured. Entitlement Certification Entitlement certification requires that business managers periodically review and approve the roles of the users they manage. Using the certification tasks of CA Identity Manager, administrators can identify users that require certification, specify the certification period, notify users that they have pending certifications, allow managers to certify or remove privileges and disable privileges for users that have not been certified, replacing time-consuming inefficient paper-based processes. The certifying request is presented to business users in a simple form they can understand. 
The interface to configure entitlement certification policies is shown in Figure 7. Compliance Policies/Segregation of Duties The automated control of segregation of duty policies provides two benefits within the context of the IT controls that are often required for compliance: Figure 7. Entitlement Certification. 15 The comprehensive certification functionality of CA Identity Manager leverages the workflow and delegated administration capabilities, while presenting non-IT personnel with less technical, security specific information and reports to provide the historical evidence needed for audit purposes. When deciding which solution is correct for your organization, keep in mind the most critical factors that determine success in an identity management initiative. • Flexibility. The solution must be able to support your existing business processes with roles, rules and request-based identity administration and provisioning, not the other way around. The solution should not require expensive services to complete relatively minor additions or changes. • Simple Integration. You have neither the time nor the money to overhaul your entire IT infrastructure to provide centralized identity administration. It is critical that the solution provide pre-built connectors for most of your applications and the ability to integrate on both the front and back-end with other applications quickly and easily. • Scalability, Manageability and Availability. If your applications stop, so does your business. Thus you need to make sure that any identity administration and provisioning offering provides the availability and scalability that will provide the user experience that your internal and external users demand. • Extensibility and Modularity. You also want a solution that will grow with you. By either supporting new applications or integrating with other web portals and applications. 
Your identity administration and provisioning solution needs to not only be the solution for today, but also for tomorrow. • Part of a Comprehensive IAM Solution. Identity administration and provisioning is but one part of a broad Identity and Access Management solution. You want to make sure that you can both leverage your existing investments and seamlessly add new capabilities as your business needs dictate and as your IAM evolves to be truly enterprise in scale. CA Identity Manager has been chosen by customers both large and small to provide the flexible, secure and extensible identity administration and provisioning functionality to their employees, partners and customers. CA looks forward to working with you to determine how CA Identity Manager can meet these needs for you. Compliance Reporting and SCC Integration Reporting is a key aspect of compliance, as auditors want to see documentation of the controls in place and the auditing of those controls to make sure they are effective. CA Identity Manager includes reports that show the compliance status of users, to pinpoint which users are violating the organization’s business policies. For more robust correlation, analysis and reporting for compliance purposes, CA Identity Manager is integrated with the eTrust Security Command Center (SCC), which provides the ability to take corrective action and investigate security incidents through a centralized command and control center. Conclusion Given the corporate imperatives to improve operational control, ensure user satisfaction and assist in compliance efforts, organizations need to embrace Identity and Access Management software as a key part of their IT infrastructure to ensure the scalability of processes to support a user base which can commonly reach thousands of partners, tens of thousands of employees and millions of customers. 
Ensuring error-free and secure provisioning and management of critical identity and private profile information goes a long way towards achieving those corporate imperatives. CA Identity Manager is a market-leading identity administration and provisioning product that enables the centralized management of all user identities and automates the creation, modification, suspension or deletion of user accounts on IT systems. It meets the needs of all of the varied constituencies (employees, partners, customers) in a flexible, scalable and secure manner, while ensuring compliance with applicable regulations. CA Identity Manager reduces your management costs, increases security and provides better service to both your internal and external users. As a part of CA’s broader IAM solution, CA Identity Manager can provide the foundation for enforcing enterprise-wide access and provisioning policies. 16 Copyright © 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP310231106
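The roles, segregation-of-duties rules and entitlement certification described in the Identity Administration and Identity Audit and Compliance sections above can be modelled as a small policy engine. The following is an added illustration, not CA Identity Manager code: the role names, entitlement names, SoD pairs, certification period and grace period are all constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample roles: role name -> entitlements on target systems.
ROLES = {
    "check_issuer": {"finance:issue_check"},
    "check_approver": {"finance:approve_check"},
    "cash_depositor": {"treasury:deposit_cash"},
    "statement_viewer": {"bank:view_statements"},
    "gl_auditor": {"gl:view_reports"},
}

# Constructed SoD compliance policy: entitlement pairs no single user may hold,
# with the action on conflict. "deny" blocks the assignment outright;
# "workflow" routes it to a compensating-control approval process instead.
SOD_POLICY = [
    ({"finance:issue_check", "finance:approve_check"}, "deny"),
    ({"treasury:deposit_cash", "bank:view_statements"}, "workflow"),
]


@dataclass
class Entitlement:
    name: str
    role: str
    certified_until: date
    state: str = "active"  # active | pending_certification | suspended


@dataclass
class User:
    user_id: str
    entitlements: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # every decision is recorded

    def active_entitlements(self):
        # Suspended entitlements no longer grant access, so they do not count.
        return {e.name for e in self.entitlements if e.state != "suspended"}


def sod_conflicts(held, requested):
    """Return the (pair, action) rules that holding both sets would violate."""
    combined = held | requested
    return [(pair, action) for pair, action in SOD_POLICY if pair <= combined]


def assign_role(user, role, today, cert_period=timedelta(days=90)):
    """Evaluate a role assignment request against the SoD policy.

    Returns "assigned", "pending_approval" or "denied"; each outcome is
    written to the user's audit log so the decision is traceable later.
    """
    requested = ROLES[role]
    conflicts = sod_conflicts(user.active_entitlements(), requested)
    if any(action == "deny" for _, action in conflicts):
        user.audit_log.append(f"{today} DENIED {role} for {user.user_id}: SoD conflict")
        return "denied"
    if conflicts:
        user.audit_log.append(f"{today} PENDING {role} for {user.user_id}: SoD approval workflow")
        return "pending_approval"
    for name in requested:
        user.entitlements.append(Entitlement(name, role, today + cert_period))
    user.audit_log.append(f"{today} ASSIGNED {role} to {user.user_id}")
    return "assigned"


def run_certification(user, today, grace=timedelta(days=14)):
    """Periodic certification sweep: an entitlement past its certification date
    is flagged for its manager; one still uncertified after the grace period is
    suspended. Returns the resulting state of every entitlement."""
    for ent in user.entitlements:
        if ent.state == "suspended":
            continue
        if today > ent.certified_until + grace:
            ent.state = "suspended"
            user.audit_log.append(f"{today} SUSPENDED {ent.name} for {user.user_id}")
        elif ent.state == "active" and today > ent.certified_until:
            ent.state = "pending_certification"
            user.audit_log.append(f"{today} CERT_REQUIRED {ent.name} for {user.user_id}")
    return {e.name: e.state for e in user.entitlements}


def certify(user, name, manager, today, cert_period=timedelta(days=90)):
    """A manager re-approves one entitlement, restarting its certification clock."""
    for ent in user.entitlements:
        if ent.name == name and ent.state != "suspended":
            ent.state, ent.certified_until = "active", today + cert_period
            user.audit_log.append(f"{today} CERTIFIED {name} for {user.user_id} by {manager}")
            return True
    return False


def scenario():
    """Walk one constructed user through assignment, SoD checks and certification."""
    u, start = User("alice"), date(2006, 11, 1)
    outcomes = [assign_role(u, r, start) for r in
                ("check_issuer", "check_approver", "cash_depositor", "statement_viewer")]
    first = run_certification(u, date(2007, 2, 1))    # both past 2007-01-30: pending
    certify(u, "finance:issue_check", "bob", date(2007, 2, 5))
    second = run_certification(u, date(2007, 2, 20))  # uncertified one past grace: suspended
    return outcomes, first, second, sorted(u.active_entitlements()), u.audit_log
```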
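The Password Management and Synchronization section above lists three policy dimensions (expiration, composition, usage). The following added example, which is not CA Identity Manager code, evaluates a candidate password and a stored password's status against a policy of that shape; the thresholds are constructed sample settings, and the state names are assumed for illustration.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Constructed sample settings for the expiration, composition and usage rules."""
    min_length: int = 8
    max_length: int = 64
    require_digit: bool = True
    require_special: bool = True
    require_mixed_case: bool = True     # "usage": upper and lower case letters
    allow_whitespace: bool = False      # "usage": white space in passwords
    max_age_days: int = 90              # time-based expiration
    inactive_days: int = 30             # unused password expires
    max_login_failures: int = 5         # lockout threshold


def composition_violations(policy, password):
    """Return every composition/usage rule the password breaks (empty list = compliant).

    Reporting all violations at once lets a self-service screen show the user
    exactly what to fix instead of failing on the first rule only."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if len(password) > policy.max_length:
        problems.append("too_long")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if policy.require_special and not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no_special")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.require_mixed_case and not (has_upper and has_lower):
        problems.append("no_mixed_case")
    if not policy.allow_whitespace and any(c.isspace() for c in password):
        problems.append("whitespace")
    return problems


def password_state(policy, days_since_change, days_since_use, login_failures):
    """Classify a stored password as "locked", "expired", "inactive" or "ok".

    Lockout is checked first so a locked account stays locked even after its
    password ages out; expiry is checked before inactivity because a password
    past its maximum age must be reset regardless of recent use."""
    if login_failures >= policy.max_login_failures:
        return "locked"
    if days_since_change > policy.max_age_days:
        return "expired"
    if days_since_use > policy.inactive_days:
        return "inactive"
    return "ok"
```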