ISO/IEC 27001 Control 5.16: Identity management
Control
The full life cycle of identities should be managed.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint platform with all of its features is designed to support identity management and all its aspects.
Implementation Details
MidPoint can manage the complete identity lifecycle, including both human and non-human identities. MidPoint provides a common identity model, a data language to describe properties of various identity types using common data structures. Data stored in various source and target systems are mapped to the common model using flexible mappings and expressions, keeping identity data fresh and consistent across all the systems. Common identity data are stored in the midPoint identity repository, a database containing all the identities, as well as roles, policies and all related configuration. MidPoint features related to identity lifecycle management and synchronization are especially essential for implementation of this control at scale. Inbound synchronization from an HR system (or similar data source) is the usual method to make sure access is de-provisioned in a timely manner, as required by the control.

MidPoint is a natural choice for aggregation and management of user attributes, organizational and group membership, supporting processes for change of information relating to identities. Synchronization mechanisms can be used for that purpose, with reconciliation providing a reliable (yet heavyweight) mechanism and live synchronization providing a lightweight, almost-realtime alternative. Proper identity management mechanisms are applied to avoid use of shared identities. Synchronization and correlation can be used to make sure identities are not duplicated, with the option of manual and human-assisted smart correlation. MidPoint can make sure that "unique identification of individuals and systems", as required by the control, is applied consistently and comprehensively. When a unique identifier cannot be found due to a naming conflict, the iteration mechanism is used to find a suitable unique identifier. A special-purpose sequencing mechanism is used for cases where iteration would not be efficient, e.g. for systems that have large identity populations identified by sequential identifiers. Once identities are correlated and identifiers are assigned, projection links are maintained to track ownership of accounts, entitlements and other resource objects.

Provisioning capabilities are used to automatically create and maintain accounts for users on target systems (resources). Identity connectors based on the ConnId framework are used for automatic (on-line) provisioning. The connectors carry out basic operations (create, read, update, delete) and provide information about the resource schema: names and types of attributes used by the resource. MidPoint seamlessly utilizes the resource schema on all levels of the platform, from low-level data type mapping to high-level presentation of data in the user interface. The resource wizard can be used for user-friendly set-up of identity connector configuration, connecting midPoint to a new resource. Manual and semi-manual resources can be used where an automatic identity connector is not available, managing provisioning requests as manual tickets in an IT service management (ITSM) system.

MidPoint is designed to fully address de-provisioning of access, as required by the control. MidPoint automatically maintains consistency between policy (roles and rules) and reality (accounts in target systems). Each access (account) needs a valid reason to exist, such as assignment of a role or application, using role-based access control (RBAC) in conjunction with the application inventory and other policies. In a situation where there is no valid reason for access to exist, midPoint de-provisions the access, disabling or deleting the account. When needed, policy enforcement can be fine-tuned using the projection policy mechanism, which is useful especially in gradual deployment and migration scenarios. Provisioning dependencies can be configured to make sure accounts that depend on each other are provisioned and de-provisioned in the correct order.

The activation mechanism (activation schema) can be used to control whether the identity is active or inactive, using a set of status variables and activation dates. This mechanism can be used to set a termination date on which the identity is deactivated, to manually deactivate the identity, or to provide policies based on activation dates (e.g. keep disabled accounts of former employees temporarily, automatically deleting them after the grace period elapses). Archetypes can be used to distinguish individual identity types, such as employees, contractors, students and customers, which can also be reflected to the resources, supporting many types of accounts. Non-human identities (NHI) can be managed as well, using similar mechanisms. When identity duplication is discovered ex-post, identity merging mechanisms can be used to unify duplicated identities into a single identity. Personas can be used to represent different aspects of a physical identity, e.g. separating access of a regular employee persona from a privileged administration persona. Individual personas are linked to the primary object representing the person, so that the person can be held accountable for actions performed with this specific identity, as required by this control.

Apart from the basic identity data, midPoint is designed to manage entitlements as well, such as account privileges or group memberships on target resources. Entitlements are usually mapped to RBAC roles, which can be requested, driven through an approval process and automatically provisioned. Access certification and micro-certifications can be used to reduce access by removing unnecessary roles. MidPoint contains an integral documentation mechanism, which allows documentation for roles, policies, configuration and practices to be stored together with the relevant objects in midPoint. Integral documentation can be used to automatically generate core identity management documentation from the real configuration.

The midPoint organizational structure mechanism provides additional, yet essential, information for identity management, such as information about functional organizational structures, teams, projects and locations. The generic synchronization mechanism can be used to automatically synchronize organizational structures with external sources/targets. The same synchronization mechanism can be applied to application inventory information. The flexible reporting and dashboarding mechanism can be used to create comprehensive reports and provide insights based on identity data. The audit trail is used to record all identity-related events and configuration changes, which includes all significant events concerning the use and management of user identities, as required by the control. Audit records related to specific objects can be processed in a way similar to a virtual time machine, re-creating object history and presenting an object in the state it was in at a point in the past. Essential information about objects and their important properties is also recorded in efficient form as metadata for objects, assignments and individual values.
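The policy-versus-reality reconciliation and the grace-period handling of former employees described above, as a small added model written for this page in Python (not midPoint's own code; the names Identity, valid_to, admin_disabled and reconcile are this example's own assumptions, and the sample identities and accounts are constructed):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set

@dataclass
class Identity:
    """Policy side: what role assignments and activation say should exist."""
    name: str
    assigned_resources: Set[str]        # resources granted through role assignments
    valid_from: Optional[date] = None   # activation dates (field names are this example's)
    valid_to: Optional[date] = None
    admin_disabled: bool = False        # manual deactivation by an administrator

def effective_status(identity: Identity, today: date) -> str:
    # 'enabled' only when not manually disabled and inside the validity window
    if identity.admin_disabled:
        return "disabled"
    if identity.valid_from is not None and today < identity.valid_from:
        return "disabled"
    if identity.valid_to is not None and today > identity.valid_to:
        return "disabled"
    return "enabled"

def reconcile(identity: Identity, linked: Dict[str, str], today: date,
              grace: timedelta = timedelta(days=30)) -> Dict[str, str]:
    """Compare policy with reality (linked accounts: resource -> 'enabled'/'disabled')
    and return one action per resource: create, enable, disable, delete or keep."""
    status = effective_status(identity, today)
    # After valid_to accounts are only disabled; past valid_to + grace they are deleted.
    past_grace = identity.valid_to is not None and today > identity.valid_to + grace
    actions: Dict[str, str] = {}
    for resource in sorted(identity.assigned_resources | set(linked)):
        current = linked.get(resource)
        if resource not in identity.assigned_resources:
            actions[resource] = "delete"       # no valid reason to exist: de-provision
        elif past_grace:
            actions[resource] = "delete" if current is not None else "keep"
        elif current is None:
            actions[resource] = "create" if status == "enabled" else "keep"
        elif status == "disabled":
            actions[resource] = "disable" if current == "enabled" else "keep"
        else:
            actions[resource] = "enable" if current == "disabled" else "keep"
    return actions

def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenarios: an active employee with an orphan account, and a leaver."""
    alice = Identity("alice", {"ldap", "crm"})
    bob = Identity("bob", {"ldap"}, valid_to=date(2024, 1, 31))
    return {"alice": reconcile(alice, {"ldap": "enabled", "legacy": "enabled"}, date(2024, 2, 10)),
            "bob_in_grace": reconcile(bob, {"ldap": "enabled"}, date(2024, 2, 10)),
            "bob_after_grace": reconcile(bob, {"ldap": "disabled"}, date(2024, 3, 15))}
```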
Implementation Notes
- This is the primary control supporting deployment of midPoint in organizations. Almost all midPoint features are more or less related to this control.
- Requirements of this control reach beyond the scope of IGA, mostly to systems that act as a source of information for midPoint. E.g. the control asks for confirming the business requirements for an identity, verifying it and establishing the identity. When dealing with employee identities, this requirement is satisfied by the usual HR practices and processes. MidPoint takes processed information from the HR systems, assuming that the requirements are already satisfied.
- Application inventory provides "unique identification of systems"; it can also be used for partial management of non-human identities (service accounts).
- MidPoint includes experimental support for asynchronous resources, as an alternative approach to identity management based on synchronization and reconciliation.
Rationale
The main functionality of midPoint focuses on identity management and supporting the whole life cycle of identities, with proper documentation and logs for each step. Customers can create procedures for providing and revoking access to information with proper verification and approval.
Documentation
| Version | Title | Description |
|---|---|---|
| Development | Information Classification and Clearances | Management of user clearances |
| 4.8 | Information Classification and Clearances | Management of user clearances |
Related Features
- Information classification (planned)
- Policy (concept) (planned)