Identity Management

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
As I had mentioned before, identity and access management starts with the identity piece. What we want to talk about in this section is the two elements of identity management: identity proofing, and then provisioning the accounts. We'll also, while we're talking about provisioning, talk about the importance of deprovisioning accounts when they're no longer valid as well.

Identity proofing, this is a little tricky, because I don't want you to confuse this with authentication on the network. We'll talk about that as authentication. What we're talking about here is when I first get hired by an organization and they say, "Welcome on board, Kelly, give us your passport, your driver's license, fill out this I-9 form so that we can ensure that you are who you say you are." That's the HR department; this has nothing to do with IT yet. My organizational policy is going to state that I have to provide these documents to provide proof of identity. The HR department can collect this information; they're usually going to enter it into a system once they verify that everything is in order, and this would always happen before I'm ever granted an account on the network.

I provide proof of my identity, then I'm going to go ahead and get a user account. Like I said, that user account could come from my role in the organization or my direct identity. There are a million different ways; I could have an auto-generated employee number, but the idea is, this stage is simply about creating an account. No rights or permissions, no group membership, just creating, generating an account.

Traditionally, we may have had network administrators sit down with a group of accounts that were approved by HR. Now in a small company, that's fine. Maybe on a daily basis I add one account, or maybe on a weekly basis. But with our organizations as large as they are today, we may have tens, hundreds of new members each day, new employees. What we want to do is find a way to streamline this process. Because traditionally, the way this would work is we would have a new employee come on board. They go through the identity proofing piece, HR enters all their information in the HR database, and then the IT department is contacted and all that information is delivered to IT: go ahead and create an account for Kelly Handerhan, her hire date is such and such, and now she has an account in the network. What we would rather do is eliminate that dual effort, and so once Kelly Handerhan gets added into the HR database, it would be great if Active Directory could pull that information automatically and generate or provision accounts based on what's already been entered.

When we talk about provisioning accounts, we want this creation of the accounts, we would like to do it automatically, if at all possible. That's the idea that we're going to lay down and talk about later: this automatic provisioning of accounts. But for now, I just want you to know, for identification, we have to start with identity proofing and then figure out a way that we get our accounts provisioned. Also, we would like those accounts deprovisioned automatically if possible, because a concern would be if we're relying on HR and IT to communicate with each other when a user leaves the company, there may be that gap in that communication and we may wind up having an employee who was terminated that still has accounts on the network, so it's very important that we figure out some way to streamline this process.
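The HR-driven provisioning and deprovisioning loop the instructor describes, written out as an added Python example. This is not code from the course or from any product: the HR roster, the employee IDs and names, and the in-memory dictionary that stands in for Active Directory are all constructed here so the logic runs offline. It reconciles on the auto-generated employee number (the identifier HR assigns after identity proofing), creates accounts with no group memberships, and disables rather than deletes accounts whose HR record is terminated or missing, so a name change is not mistaken for a new person and an orphaned account does not survive the HR/IT communication gap.

```python
"""Added example (not part of the lecture): HR-driven account
provisioning and deprovisioning, reconciled on an immutable employee ID.

The HR roster and the directory snapshot are constructed sample data;
the 'directory' is an in-memory dict standing in for Active Directory.
"""
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HrRecord:
    employee_id: str      # assigned by HR once identity proofing is done
    display_name: str
    status: str           # "active" or "terminated"


@dataclass
class Account:
    employee_id: str
    sam_account_name: str
    enabled: bool = True
    groups: list = field(default_factory=list)   # empty at creation


def username_for(rec: HrRecord) -> str:
    """Derive the login name from the employee ID, not the display name,
    so a legal name change does not look like a brand-new identity."""
    return f"e{rec.employee_id}"


def reconcile(hr_roster, directory):
    """Compare HR (source of truth) against the directory.

    Returns (to_create, to_disable):
    - active HR records with no account get a new, empty account;
    - enabled accounts whose HR record is terminated or absent get
      disabled (not deleted, so the audit trail survives).
    Matching is on employee_id only, never on display name.
    """
    hr_by_id = {r.employee_id: r for r in hr_roster}
    to_create = [
        Account(r.employee_id, username_for(r))
        for r in hr_roster
        if r.status == "active" and r.employee_id not in directory
    ]
    to_disable = [
        acct
        for emp_id, acct in directory.items()
        if acct.enabled
        and (emp_id not in hr_by_id or hr_by_id[emp_id].status != "active")
    ]
    return to_create, to_disable


def apply_changes(directory, to_create, to_disable):
    """Apply the reconciliation result to the directory in place."""
    for acct in to_create:
        assert not acct.groups, "provisioning creates the account only"
        directory[acct.employee_id] = acct
    for acct in to_disable:
        acct.enabled = False
    return directory


# Constructed sample data.
HR_ROSTER = [
    HrRecord("1001", "Kelly Handerhan", "active"),   # new hire, proofed by HR
    HrRecord("1002", "Pat Jones-Smith", "active"),   # existing employee, renamed
    HrRecord("1003", "Sam Lee", "terminated"),       # left; HR already updated
]
DIRECTORY = {
    "1002": Account("1002", "e1002", groups=["finance"]),  # created as Pat Jones
    "1003": Account("1003", "e1003"),
    "1004": Account("1004", "e1004"),   # no HR record at all: orphaned account
}


def run(hr_roster=HR_ROSTER, directory=DIRECTORY):
    """Reconcile a copy of the directory against HR and return it."""
    working = copy.deepcopy(directory)
    to_create, to_disable = reconcile(hr_roster, working)
    return apply_changes(working, to_create, to_disable)


if __name__ == "__main__":
    for acct in run().values():
        print(acct)
```

Running it once creates an empty account for employee 1001, leaves 1002 untouched (the rename is invisible because the match is on ID), and disables 1003 and 1004; running it a second time against the result changes nothing, which is the property a scheduled HR-to-directory sync needs. Rights and group membership for the new account are deliberately left to the later, separate access-provisioning step.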