Enterprise Identity and Access Management

When it comes to employee identity and access management, operational efficiency, security, BYOD, multiple passwords, a massive number of help desk calls, toxic access combinations, over-entitlement and unmonitored privileged access are some of the pains that most organisations struggle with.

What is more concerning is that employees write down their passwords on sticky notes, system admins share passwords, and so forth. Insider threats thrive in this kind of environment, and an external breach is nigh.

Make use of the Open Digital Identity Platform (ODIP) for enterprise deployment to reduce risk and liability, improve operational efficiency and meet your SLAs.


Powered by Gluu, Apache Syncope and midPoint.

Identity Life cycle management & Provisioning

Employee identities need to be provisioned to downstream applications such as Active Directory, physical access systems and mailbox systems as soon as the hire date takes effect in the HR system. Connectors are used for most systems, while systems that cannot be connected out of the box can be provisioned through ticketing systems. Administrators and line managers can delegate their access rights and activities to other managers or support staff on the ODIP platform.

Provisioning is policy-based, and passwords are managed through a central identity capability to ensure consistency with enterprise-wide policy. An identity can be linked to all of its accounts across the entire enterprise landscape, eliminating rogue and orphaned accounts.
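The reconciliation the paragraph above describes (linking every downstream account back to an HR identity so that rogue, orphaned and stale accounts surface) can be shown as a small check. This is an added example, not ODIP, midPoint or Syncope code; the HR feed, account list and the set of systems every active employee must have an account in are constructed for illustration.

```python
"""Reconcile downstream accounts against an HR identity feed.

Added example, not ODIP code. All sample data below is constructed.
Findings:
  orphaned         account with no link, or a link to an identity HR does not know
  inactive_owner   account whose owner has left (or has not started yet)
  not_provisioned  active employee missing an account in a required system
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    employee_id: str
    hire_date: date
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str                 # e.g. "AD", "mailbox", "badge"
    account_name: str
    owner_id: Optional[str]     # link back to an employee_id; None = unlinked


# Systems every active employee is expected to have an account in (constructed policy).
REQUIRED_SYSTEMS = ("AD", "mailbox")

TODAY = date(2024, 7, 1)

# Constructed HR feed.
HR_FEED = [
    Identity("E100", date(2020, 1, 6)),
    Identity("E101", date(2021, 3, 1), termination_date=date(2023, 6, 30)),  # leaver
    Identity("E102", date(2024, 9, 2)),                                      # future joiner
    Identity("E103", date(2024, 6, 3)),                                      # recent joiner
]

# Constructed snapshot of downstream accounts.
ACCOUNTS = [
    Account("AD", "jsmith", "E100"),
    Account("mailbox", "jsmith@example.test", "E100"),
    Account("AD", "contractor7", None),     # nobody owns it: orphaned
    Account("AD", "mlee", "E101"),          # owner terminated: should have been removed
    Account("badge", "0009", "E999"),       # owner id unknown to HR: orphaned
    Account("AD", "pnkosi", "E103"),        # E103 has AD but no mailbox yet
]


def is_active(identity: Identity, today: date) -> bool:
    """An identity is active from its hire date until its termination date."""
    if identity.hire_date > today:
        return False
    if identity.termination_date is not None and identity.termination_date < today:
        return False
    return True


def reconcile(identities, accounts, today, required=REQUIRED_SYSTEMS):
    """Compare accounts with identities and return the three finding lists."""
    by_id = {i.employee_id: i for i in identities}
    findings = {"orphaned": [], "inactive_owner": [], "not_provisioned": []}

    # Pass 1: every account must point at a known, active identity.
    for acc in accounts:
        label = f"{acc.system}:{acc.account_name}"
        if acc.owner_id is None or acc.owner_id not in by_id:
            findings["orphaned"].append(label)
        elif not is_active(by_id[acc.owner_id], today):
            findings["inactive_owner"].append(label)

    # Pass 2: every active identity must have its required accounts.
    linked = {(a.owner_id, a.system) for a in accounts if a.owner_id}
    for ident in identities:
        if not is_active(ident, today):
            continue
        for system in required:
            if (ident.employee_id, system) not in linked:
                findings["not_provisioned"].append(f"{ident.employee_id}:{system}")
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(HR_FEED, ACCOUNTS, TODAY).items():
        print(kind, items)
```

Running the reconciliation periodically (or on every HR feed change) turns the "no orphaned accounts" promise into a measurable control: each finding list should be empty, and anything that appears in it is a provisioning or deprovisioning defect to investigate.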

Role Life cycle management

Typically, access to enterprise systems is driven by models such as RBAC. RBAC maps an employee's organisational position, business unit and function to roles in an IDM system. Roles can be created and retired based on policy. Role engineering is sometimes difficult in a complex environment: poor role engineering and modelling can lead to "role explosion", where there are more roles than users. Roles can contain other roles to provide an inheritance model at the business level. Access policy can also be built on top of roles to enable features such as Segregation of Duties (SoD) and attribute-based access controls. Roles can also be mutually exclusive.

The ODIP platform provides these features to ensure that "only the right employees or turnkey staff have the right access at the right time".
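To make the role model above concrete, here is an added example (not ODIP's own role engine) of a role hierarchy with inheritance, effective permission calculation and a Segregation of Duties check over mutually exclusive roles. The role names, permissions and exclusive pair are constructed. The point it demonstrates beyond the text is that SoD must be evaluated on the expanded role set: a conflict introduced through inheritance is invisible if only the directly assigned roles are compared.

```python
"""Role hierarchy with inheritance and Segregation-of-Duties (SoD) checks.

Added example, not ODIP code. Role names, permissions and the exclusive
pair below are constructed for illustration.
"""

# Each role lists the roles it contains ("parents") and its own permissions.
ROLES = {
    "employee":         {"parents": [], "perms": {"email:read"}},
    "finance_staff":    {"parents": ["employee"], "perms": {"invoice:create"}},
    "finance_approver": {"parents": ["employee"], "perms": {"invoice:approve"}},
    "finance_manager":  {"parents": ["finance_approver"], "perms": {"budget:edit"}},
}

# Pairs of roles a single person must never hold at the same time (constructed).
MUTUALLY_EXCLUSIVE = [("finance_staff", "finance_approver")]


def expand_roles(assigned, roles=ROLES):
    """Return the assigned roles plus everything they transitively contain."""
    result = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in result:
            continue                      # already visited; also stops on cycles
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        result.add(role)
        stack.extend(roles[role]["parents"])
    return result


def effective_permissions(assigned, roles=ROLES):
    """Union of the permissions of every directly or indirectly held role."""
    perms = set()
    for role in expand_roles(assigned, roles):
        perms |= roles[role]["perms"]
    return perms


def sod_violations(assigned, roles=ROLES, exclusive=MUTUALLY_EXCLUSIVE):
    """Exclusive pairs violated by the *expanded* role set.

    finance_manager contains finance_approver, so a user holding
    finance_staff and finance_manager violates the pair even though
    neither assigned role is named in it directly.
    """
    held = expand_roles(assigned, roles)
    return [pair for pair in exclusive if pair[0] in held and pair[1] in held]


def can_assign(current, new_role, roles=ROLES, exclusive=MUTUALLY_EXCLUSIVE):
    """Request-time pre-check: would adding new_role create a SoD conflict?"""
    return not sod_violations(set(current) | {new_role}, roles, exclusive)


if __name__ == "__main__":
    print(sorted(effective_permissions({"finance_manager"})))
    print(sod_violations({"finance_staff", "finance_manager"}))
    print(can_assign({"finance_staff"}, "finance_manager"))
```

The same expansion applies when policies are inherited through an organisational tree rather than a role tree: the check runs over everything a subject effectively holds, not over the labels that were assigned by hand.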

Directory Services

Most organisations suffer from the directory n+ problem due to the proliferation of disparate and siloed user repositories. These are difficult to manage and often lead to loss of integrity through the lack of data ownership, data custodians, data classification strategies and synchronisation capabilities.

The ODIP platform directory service provides storage, synchronisation, proxy and virtualisation capabilities for identity data.

  • It is comprehensive, scalable and reliable
  • It provides internet and industry-standard LDAP, XML and RESTful views of existing enterprise identity information without synchronising or moving data from its native locations

Organizational Structure & Policy Enforcement

In ODIP you can arrange your business in an organisational structure based on business units, divisions, departments, workgroups, projects, teams, domains and so forth.

The object model allows for a multiple-inheritance structure in which a department can sit under one or two parents (business units). Since an org object can have roles, access policies tied to it also act as policy enforcement. Access policies, roles and password policies can be attached to individual org objects, again leveraging the inheritance model. This makes for a powerful tool to use within your organisation.

Modeled Access Control

Models such as RBAC, ABAC and contextual access controls can be configured on the ODIP platform. Context is based on the following:

  • Time and place of authentication and authorisation to access organisation services
  • The device used to access an organisation's services exposed over the internet. This is a particular concern in a BYOD environment
  • Historical access data patterns that can be used to identify risk
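The three context signals listed above can be combined into a decision in the way shown below. This is an added example, not ODIP's policy engine: the working-hours window, the set of sensitive resources, the deny threshold and the sample requests are all constructed assumptions. It returns one of allow, step-up (MFA) or deny, and shows the edge case the text hints at for BYOD: a device the organisation does not manage is never allowed to reach sensitive data, even when every other signal is clean.

```python
"""Contextual access decision from time, device and historical location.

Added example, not ODIP code. Policy values and sample requests are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessContext:
    user: str
    resource: str
    hour: int                   # local hour of the request, 0-23
    country: str                # derived from the request's network location
    managed_device: bool        # enrolled/compliant device; False for an unknown BYOD device
    usual_countries: frozenset  # countries seen in the user's recent access history


POLICY = {
    "work_hours": range(7, 20),                      # 07:00-19:59 (constructed)
    "sensitive_resources": {"payroll", "hr-records"},  # constructed tier
    "deny_at": 3,                                     # this many signals -> deny outright
}


def risk_signals(ctx: AccessContext, policy=POLICY):
    """Collect the context signals that make this request riskier than usual."""
    signals = []
    if ctx.hour not in policy["work_hours"]:
        signals.append("outside_work_hours")
    if not ctx.managed_device:
        signals.append("unmanaged_device")
    if ctx.country not in ctx.usual_countries:
        signals.append("unusual_location")     # deviation from historical pattern
    return signals


def decide(ctx: AccessContext, policy=POLICY):
    """Return (decision, signals) where decision is allow, step_up or deny."""
    signals = risk_signals(ctx, policy)
    sensitive = ctx.resource in policy["sensitive_resources"]
    if sensitive and not ctx.managed_device:
        return ("deny", signals)        # sensitive data never from an unmanaged device
    if len(signals) >= policy["deny_at"]:
        return ("deny", signals)        # too many anomalies at once
    if signals or sensitive:
        return ("step_up", signals)     # require MFA before proceeding
    return ("allow", signals)


# Constructed sample requests.
NORMAL = AccessContext("alice", "wiki", 10, "ZA", True, frozenset({"ZA"}))
BYOD_WIKI = AccessContext("alice", "wiki", 10, "ZA", False, frozenset({"ZA"}))
BYOD_PAYROLL = AccessContext("alice", "payroll", 10, "ZA", False, frozenset({"ZA"}))
NIGHT_ABROAD = AccessContext("alice", "wiki", 2, "XX", False, frozenset({"ZA"}))
MANAGED_PAYROLL = AccessContext("alice", "payroll", 10, "ZA", True, frozenset({"ZA"}))

if __name__ == "__main__":
    for ctx in (NORMAL, BYOD_WIKI, BYOD_PAYROLL, NIGHT_ABROAD, MANAGED_PAYROLL):
        print(ctx.resource, ctx.hour, ctx.country, ctx.managed_device, "->", decide(ctx))
```

Keeping `risk_signals` separate from `decide` means the same signals can be written to the audit trail alongside the decision, which is what later makes "why was this login challenged?" answerable.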

Approvals and Workflow

Access requests are typically approved by line managers and then by system owners. Approvals can be escalated or reassigned when necessary, in line with policy and operational efficiency. ODIP approval workflows allow for this, and notifications can be scheduled as reminders and so forth. Notifications can be integrated with enterprise notification services to send SMS, email or any other channel based on employee preferences.

Self Service

With the ODIP self service capability, employees can:

  • Request discretionary access
  • Manage their passwords, changing them voluntarily or resetting them by way of MFA if they forget them
  • Manage their own profile data like updating their surname in the event of marriage and so forth

Delegations & Impersonations

Delegated access is an important aspect of business operational efficiency. For instance, if a line manager goes on leave, they can temporarily delegate their duties to other managers or support staff.

Delegation has shortcomings around which identity and context are tied to the downstream transaction when a user acts on behalf of someone else. There is also no control over what a user can do when accessing a system in a delegated manner. Impersonation allows these controls to be put in place. The impersonator and the impersonatee are both participants in the transaction, particularly if, at login, the impersonatee approves the impersonation session. Session assurance can be further strengthened with 2FA step-up authentication. ODIP provides these functionalities.
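The difference between plain delegation and the controlled impersonation described above comes down to what the session carries and what it permits. The following added example (not ODIP's implementation; the session fields, action names and sample data are constructed) models an impersonation session that is only usable once the impersonatee has approved it and the impersonator has completed step-up, restricts the impersonator to an explicit set of actions, and writes both identities into every audit record so the downstream transaction is never attributed to the wrong person.

```python
"""Scope-limited impersonation session that records both participants.

Added example, not ODIP code. Field names, actions and sample values are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class ImpersonationSession:
    impersonator: str               # the person doing the work
    impersonatee: str               # the person whose duties are being performed
    allowed_actions: frozenset      # what the impersonator may do in this session
    approved_by_impersonatee: bool = False   # set when the impersonatee approves at login
    step_up_verified: bool = False           # set after 2FA step-up by the impersonator


def authorize(session: ImpersonationSession, action: str) -> Tuple[bool, str]:
    """Decide whether `action` may be performed in this impersonation session."""
    if not session.approved_by_impersonatee:
        return (False, "impersonatee has not approved the session")
    if not session.step_up_verified:
        return (False, "2FA step-up not completed")
    if action not in session.allowed_actions:
        return (False, f"action '{action}' is outside the approved scope")
    return (True, "permitted")


def audit_record(session: ImpersonationSession, action: str) -> dict:
    """Audit entry naming both identities, unlike a plain delegated login."""
    allowed, reason = authorize(session, action)
    return {
        "actor": session.impersonator,
        "on_behalf_of": session.impersonatee,
        "action": action,
        "allowed": allowed,
        "reason": reason,
    }


# Constructed sample: a line manager on leave lets a peer approve timesheets only.
PENDING = ImpersonationSession("bob", "alice", frozenset({"timesheet:approve"}))
ACTIVE = ImpersonationSession("bob", "alice", frozenset({"timesheet:approve"}),
                              approved_by_impersonatee=True, step_up_verified=True)

if __name__ == "__main__":
    print(audit_record(PENDING, "timesheet:approve"))
    print(audit_record(ACTIVE, "timesheet:approve"))
    print(audit_record(ACTIVE, "salary:edit"))
```

Because the audit entry always carries `actor` and `on_behalf_of`, later review can distinguish "alice approved this" from "bob approved this for alice", which is exactly the attribution a delegated login loses downstream.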

Access Reviews

The capabilities built onto the enterprise ODIP platform allow real-time, contextual and consistent security to protect even the most carefree employee.

Privileged Account Management

Employees that hold the keys to the kingdom need to be monitored and reported on. Perhaps you have third parties running the network devices in your PCI environment: how do you manage and monitor their access? How do you ensure non-repudiation controls? A PAM solution can:

  • Monitor user access
  • Provide video-like evidence of a user session
  • Vault passwords and manage their life cycle

BYOD

The capabilities built onto the enterprise ODIP platform allow real-time, contextual and consistent security to protect even the most carefree employee.

Audit and Reporting

Identity-related activities are audited for compliance and non-repudiation. Changes to an employee's access, profile data and even access per session are all recorded. The where, when and how are persisted to a database.

Reports can be scheduled and shared with the relevant business units. How many logins there were, how many employees have access to a certain system, or who approved what discretionary access are all requirements met by the ODIP platform.

Single Sign On

Organisations have a plethora of applications of different types, both thick clients and web.

Single sign-on enables an employee to log in once and access these systems without supplying a password again. Desktop-to-web SSO is a typical scenario that is usually at the top of the agenda. ODIP enables this, together with the integration of AD, ADFS and Kerberos tokens.

We specialize in cyber-security solutions across different industry verticals. Our core value proposition is our ability to deliver robust, transformative and visionary identity platforms to enable and secure your digital transformation strategies.

Address

55, Spaces Broadacres, Willow Wood Office Park Cnr 3rd Ave &, Cedar Rd, Broadacres Park, 2021


Business Hours

Mon – Fri  9 am – 5 pm

Phone

Office: +27 (0) 11 065 9362
+27 (0)71 602 7492
+27 (0)72 727 8371

Email

info@icurity.co.za