Identity management and governance is an essential discipline in today's increasingly complex IT environments. Organizations must efficiently provide secure and compliant access to large numbers of users across more applications than ever - and at the same time be able to state accurately who has access to which systems and who granted that access. All of this has to be accomplished in a business environment with changes happening at an accelerated pace. Omada Identity Suite helps organizations to meet the access demands of the business and ensure secure, efficient, and compliant identity management and governance.
Many businesses today are operating in a climate of strict compliance and experience an increased need for enterprise effectiveness. However, managing access rights for the employees, consultants, and business partners across complex IT environments with multiple systems, applications, and platforms is a costly and resource intensive task for the IT administration without a comprehensive and scalable identity management solution.
Handled manually, managing identities and access rights is a time-consuming and complex task that is often carried out with a high degree of randomization making it difficult to maintain an overview of 'who has access to what', 'who did what and when', and to track and document activities.
Requesting and approving access to IT systems is a burden to the helpdesk, business users, and IT administrators. The consequences organizations face are reduced effectiveness, high administration costs, security and compliance deficiencies, and the risk of failing audits.
Getting the big picture of who has access to what across the entire IT platform with hundreds of applications and thousands of users is a complicated task. For many organizations, identity and access information is fragmented in application silos. And, with high levels of employees and contractors onboarding, transferring, or off-boarding, it is difficult to keep up with changes to the identity related information.
Lack of control and visibility of identities and access rights makes it difficult to ensure consistent compliance to business policies and legislative regulations, and to keep control of users' access rights to sensitive data and applications.
Identity management solutions improve efficiency, security, and compliance. Automated processes reduce the need for manual tasks, and when access is assigned based on business policies, compliance is improved. With an identity management solution that also facilitates attestation and reporting, organizations gain full control and overview of access rights ensuring that users have correct and valid access.
Depending on the most pressing issue to solve in the organization, it is important to focus on selecting the right approach. If the organization wishes to improve the efficiency the most beneficial approach is to select an identity and access management solution to automate user provisioning and administration processes. If on the other hand, compliance and risk mitigation is the driving factor, the most beneficial approach is to focus on identity governance. Whichever perspective, the first step is to gain control of identity and access data across the entire IT platform.
Figure 1: Automation versus compliance
Depending on the business drivers, organizations can focus either on achieving automation benefits and enforcement of policies first or on achieving compliance and governance.
Identity management delivers a set of business processes that facilitates and provides user provisioning and administration, according to business policies. Governance and compliance processes apply across all identity management processes, ensuring that defined security and compliance policies are automatically adhered to.
Compliant organizations want the ability to control identity and access across multiple domains, and create on-demand reporting on identity intelligence. Yet, comprehensive reporting and analysis is difficult to generate if identity data is scattered across cloud and on-premise systems with lack of overview or insight into authoritative data. When identity data is scattered across several systems it is difficult to define policies and isolate critical systems. Also, tracing access rights of individual employees across all systems becomes a very time consuming task. If reporting is handled differently in each system, the gathered data will be difficult to compare and analyze since it does not contain comparable information or dimensions.
To gain control of identity and access data, the data must first be gathered in one place in a data warehouse, collecting the identity and access related information from systems, directories and databases like Active Directory, SharePoint, MS SQL Server, SAP, and RACF.
Cross system reporting and analysis is enabled by implementing a central data warehouse, that imports identity and access data from the systems and applications used across the enterprise - using specified extensible data collectors. Collecting the identity data in a data warehouse makes the data available for historical preservation, reports, attestation, and validation against policy.
The collection of data provides an opportunity to clean the data in the process. Collecting data and analyzing it discovering duplicate accounts and accounts without owners improves the data quality.
Even without implementing any further identity management or governance processes to the data, simply getting the big picture of identities and access rights will increase security. The collected data can be mined to identify critical systems and uncover security risks. Based on the identity information it is possible to identify the areas to prioritize in the next phase of an identity management program.
In today's increasingly complex IT environments organizations require solutions that ensure continuous compliance across audited IT systems and data. Compliant organizations must be able to demonstrate control and overview of identities and access across scattered cloud and on-premise systems.
CIOs and CISOs are accountable for compliance fulfillment although systems and data are increasingly outsourced. Such outsourcing is not only initiated by the IT organization, but also indirectly by the line of business as they increasingly use cloud applications outside the direct control of the IT organization.
From the outset of developing an identity management strategy it is important to define the business policies. With an identity management solution the policies are strengthened by automated processes and reporting features. Organization will gain the most benefit by initially defining which processes include the most business critical access policies in systems and applications, and proceed by including additional systems when the identity management solution is in place.
Identity and access governance increases security across the enterprise as each account and identity will have current and valid approval that is periodically reviewed and attested.
On-demand reporting on identity intelligence reduces security risks by immediately detecting policy violations and toxic combinations of access rights.
Without a centralized system, handling of processes for onboarding, transferring, and off-boarding employees, dealing with requests for access rights, and adapting access rights to organizational changes is time-consuming and error prone.
Lack of defined and enforced processes related to the identity lifecycle often results in employees not having access rights removed promptly when they leave the organization, and the 'Least Privilege' principle may not be applied consistently.
Organizations can improve the efficiency of the user administration quickly by addressing the identity management challenges in three main areas:
These three areas improve the efficiency of identity management, and at the same time provide an audit trail so it is possible to track each access request made, whether initiated by HR changes, self-service requests, or assigned by a role model.
With a solution that also supports automatic provisioning and de-provisioning to target systems, identity management is highly time- and cost-effective, and automatically enforces a high level of security.
Omada's approach to identity management is designed to improve both compliance and efficiency in the organization, regardless of where in the process the identity management project is initiated. With Omada's step by step approach the identity management solution focuses on and dynamically adapts to business needs as these changes. Organizations may choose to implement a governance solution for one system, but introduce self-management or role lifecycle management in another, letting the most pressing concern drive the project, one step at a time until you have identity management under control.
Figure 2: Omada's approach includes multiple value adding process steps
One of the key benefits of Omada's approach is that all aspects of identity management is part of an iterative process where each element is repeated step by step, system by system, project by project to improve compliance and data quality.
Omada Identity Suite is a flexible, collaborative platform that unifies business and IT related identity needs towards greater compliance and more efficient identity management.
The solution supports a step by step approach which ensures that it is fast to get to a point where every access has current and valid approval. The solution enables easy import of data from relevant systems, processing changes to data. During the process system owners are automatically presented with relevant access information, so improvements to data can be dealt with appropriately and timely. The solution continuously monitors whether the changes have taken place in the actual systems. The result is a complete overview of the quality of data and how it is improved from day one.
Compliant organizations must be able to demonstrate control and overview of identities and access rights across scattered cloud and on-premise systems - either managed in-house or by hosting vendors. With Omada's solution organizations will have the flexibility of outsourcing and taking in cloud applications without compromising compliance and security.
The solution provides deep access intelligence across all connected or non-connected systems, regardless of which fulfillment solution is applied. For example if a hosting partner uses one or several user provisioning tools to manage the hosted systems, Omada's solution will tap into those systems, collect and store relevant data to provide a complete and continuous overview and control of the identity data.
The solution streamlines user administration processes with a self-service access request portal and automated user lifecycle processes for access requests and approvals. Access control is achieved by ensuring current and valid approval of all users, accounts, and access across any system – outsourced or self-managed, on-premise, hosted, or in the cloud.
Automated granting of birth rights and other privileges, when employees onboard the organization or change job roles, eliminates manual routine work.
The solution provides on-demand actual and historical overview of access data for analysis, reporting, attestation, and data clean-up to ensure consistent fulfillment of regulatory compliance requirements.
The solution is built on the Microsoft platform which is well adopted in most IT organizations. Manual provisioning tasks can be created automatically as a ticket in the existing helpdesk system or as a workflow task in the Omada Identity Suite.
The unique architecture enables organizations to achieve true compliance. Not just delivered as a 'rubber stamp' but by providing real deep access intelligence required for complete insight and overview of 'who has access to what and who approved it'.
Gathering of business intelligence is the first step in any identity management project. The gathered data provides the foundation to define policies, processes, and to be able to determine the next step whether the focus is compliance or automation.
Figure 3: The steps to get control of your identity data
Data is collected using a standard connectivity platform detecting changes to all relevant data in a dynamic environment. The powerful extension model allows you to import custom data that can be used to improve processes, and perform attestations on it.
Powerful data collection is the key to generate accurate identity and access data. The capability of collecting data across a heterogeneous system landscape is the first step in providing exact and valuable information on access rights across all systems.
Data is processed and normalized to ensure that the actual access situation is visible regardless of nested groups, loosely coupled object models, and unconnected systems.
The solution offers features to improve the initial quality of data. The data cleaning identifies incomplete or incorrect data, and alerts about invalid data. For example, highlight if certain objects or attributes do not adhere to naming convention or format.
Managing account ownership in a dynamic environment ensures continuous accountability and transparency.
In addition to direct matching, the Omada Identity Suite provides rules and fuzzy logic algorithms to propose the right owner of accounts. Such proposals can be sent for approval in a collaborative attestation scenario.
Enrich your data by structuring physical IT systems and access groups into logical business applications with well described roles, simplifying request and attestation processes for the end user.
Business description of resources and other Metadata in systems makes it easier to attest to access. Classification functionality gives a more consistent and complete understanding of the identity data in order to effectively plan future enhancements.
Based on the gathered and enriched identity and access data, next step is to move on to implementing a governance solution. Omada's step by step approach for identity and access governance integrates seamlessly with both the data gathering and maintenance. Omada's approach to identity governance has three main elements – validation against policy, a comprehensive reporting platform, and attestation of access.
Figure 4: Identity governance
Policies such as separation of duties (SoD) can be defined and the system detects any violations to such policies – in one system or across many systems.
Constraint policies are used to detect toxic combinations of resources assigned to the same person. The solution continuously monitors the environment, proactively detects policy violations, and alerts appropriate managers or system owners.
Graphical dashboards provide the initial overview of data across systems, with details found in a comprehensive set of standard reports. Reports can be customized, and new reports created to further enhance auditing.
Point-in-time reports show data at a specific point in time, log reports show attribute changes for an object, and dashboard reports present the aggregated data.
Attestation of access ensures that approval is current. The Omada Identity Suite uses a survey format with tasks assigned to respondents, ensuring an audit trail and supports escalation to the respondent's manager in case the attestation is not completed within the set time frame.
Attestation surveys are presented in an easy to read format and respondents are only presented with the data that is relevant to them. Attestation surveys can be re-run periodically.
Remediation of detected policy violations is administered seamlessly, using the out of the box built in provisioning processes or any existing provisioning processes or systems the organization has in place.
The solution provides closed loop auditing which automatically presents system owners with information if any system need to be de-provisioned. Based on this information the problematic access can be withdrawn. After this step the solution runs an import that monitors whether the de-provisioning has taken place. The solution supports automatic de-provisioning.
Omada's identity and access management approach is based on the concept that every identity management action is driven by a request. The request can be an HR driven identity lifecycle management change, a manager or end-user that wishes to make changes to existing access or data, a new access requests, or the result of a reconciliation that initiates the access request process.
Figure 5: Identity management steps
Automated HR change requests streamline onboarding, transfers, and off-boarding processes by ensuring a consistent and efficient management of access changes according to organizational changes.
The processes run either fully automated end-to-end from the access request to confirmation or with built-in approval steps. A job title change for an employee will result in an HR driven access request that assigns new business roles and the current access privileges will be revoked automatically in the process.
The Self-Service Access Request Portal allows managers and end users to request new access or modify existing access privileges, within the constraints of pre-defined identity policies and role models, for one or multiple systems - in one process with subsequent approval and either manual or automated provisioning.
The solution provides an efficient and accurate way to view existing access as well as the status of any self-service access requests.
The solution supports delegated admin enabling access requests initiated on behalf of others; for example, provide a manager with the option to request access on behalf of a team member.
A difference between actual state and desired state is detected, a security incidence occurs and a request process is initiated.
The reconciliation capabilities available in the solution examine and compare actual state versus desired state. If a difference is detected the system automatically initiates a predefined process to address the issue. This action is performed for all systems, connected or unconnected to automated processes such as provisioning.
Automate provisioning according to enterprise role and rule calculations by implementing role-based administration of access rights to automate the management of changes to identities, systems, and permissions - fast and in compliance with business policies.
Defining and implementing a role model allows organizations to assign roles automatically to users based on identity parameters.
The Omada access request workflow assigns and directs approval tasks automatically to the approver as a result of the performed calculation. Managers can approve access granted to his direct reports.
Automated detected SoD violations result in an approval task being assigned to a security officer or risk manager for evaluation and subsequent approval or rejection.
Where a role model has been implemented there are typically fewer approval tasks required, because many of the access privileges are typically auto approved.
Access can either be automatically provisioned or de-provisioned on target resources, such as systems/applications and databases or manually provisioned without connectivity to the identity management solution, as it may not be cost-effective to automate all access changes.
Target resources with a high number of users or access changes are primary candidates for automated provisioning. Other candidates are critical target resources that will pose a risk to compliance or security if access is not revoked immediately, for example in the event of a termination of an employment or contract. The automated provisioning ensures policy enforcement and strengthens security
The access request workflow directs and assigns manual provisioning tasks to target resource owners or helpdesk personnel to perform the changes on target resources. Alternatively, a ticket can be automatically created in a helpdesk system for processing of the manual provisioning.
The solution provides closed loop auditing which automatically presents system owners with information if access in their systems need to be de-provisioned. When manual provisioning is configured for a target system, the system owner needs to manually remove problematic access. After this step the solution runs an import that monitors whether the de-provisioning has taken place - irrespective of provisioning method. The solution supports automatic de-provisioning.
The solution provides an audit trail that makes it easy to review who submitted an access request and who approved it. On-demand actual and historical overview of access data is readily available for review.
Omada's suite of products is used by organizations worldwide, in midsized businesses as well as large multinational enterprises to provide business-centric identity management and governance across connected and non-connected systems on heterogeneous platforms.
The flexibility and the business adaptability of the Omada Identity Suite allows a high degree of customization, enabling organizations to meet business specific requirements.
The platform consists of a set of pre-configured business processes that are built on and executed consistently and efficiently via the process, re-certification and policy engines. Data is stored in a business intelligence native identity data warehosue and transactional database that are connected for maxumum integration of both governance and identity management. Reading, cleansing, and re-writing of new roles and permissions are done flexibly via synchronization and data-integration standard interfaces including Microsoft FIM and Enterprice Service Bus (ESB) for identity integration to systems. In additino, the platform uses the widely adopted Microsoft SQL Server Integration Services (SSIS) ensuring the broadest possible support for data import and normalization.
Figure 6: Omada Identity Suite architecture
Below outlines in detail the pre-built business functions in the Omada suite.
The Omada Identity and Access Data Warehouse is at the core of the Omada Identity Suite - centrally storing identity and access data across all systems.
Data is easily gathered from all systems you wish to be in control of – on-premise, cloud-based, hosted, or outsourced – using predefined extensible data collectors for the collection and import of identity and access data from systems, directories, and databases like Active Directory, SharePoint, MS SQL Server, and SAP.
The data warehouse sources user and access data from systems and applications and matches it with authoritative identity data sourced from an HR system or any other authoritative source. The unique technical architecture behind the data warehouse provides high performance and scalability.
Identity data integration and provisioning is handled with standard interfaces including Microsoft FIM for identity integration to systems like Active Directory, e-mail applications, SAP and other packaged and bespoke applications as well as message-based provisioning via enterprise service bus (ESB). The data warehouse is integrated with the flexible and widely adopted Microsoft SQL Server Integration Services (SSIS) ensuring that data can be integrated, cleansed and enriched in a more flexible manner than traditional IAM technologies offer. The database structure and use of true busienss intelligence reporting tools ensure the broadest possible support for data import and normalization and the richest set of reporting and trending flexibility.
Omada is a market leading provider of solutions and services for identity and access management and identity and access governance. Omada enables organizations to achieve sustainable compliance, reduce risk exposure, and maximize efficiency. Omada's solutions efficiently manage and control users' access rights to applications and data - reducing IT costs and resource intensive administration processes.
Established in 2000, Omada has operations in Europe and North America, delivering solutions via a network of skilled partners and system integrators. Omada is recognized as a trusted advisor and has provided advanced identity solutions for organizations with some of the largest and most complex IT infrastructures in the world.
By providing end-to-end professional services, Omada assists organizations in defining identity management and governance strategies, designing roadmaps, and managing projects from initial scope of the project to solution design and successful go-live.
Omada has been named IT Company of the Year by IDG Computer World and identified as an "International Growth Comet" by the prestigious Massachusetts Institute of Technology (MIT).
Omada's extensive work with Microsoft and SAP has earned valuable trust and recognition from these two enterprises. Omada is a Microsoft Gold Certified Partner as well as a key partner in the identity and access management space. Furthermore, Omada is a certified SAP Service Partner. Omada is also the global winner of the 2008, 2009, and 2011 Microsoft Identity and Security Partner of the Year award.
The award winning Omada Identity Suite offers easy integration and provides complete control and visibility of users' access rights and entitlements across heterogeneous systems and applications - on-premise, hosted, or cloud-based.
Omada's innovative solutions are built on the Microsoft platform and empower Microsoft technologies. The Omada Identity Suite is one of the most powerful and flexible identity management and governance solutions on the market. It is the preferred choice by leading organizations worldwide to: