Identity and access management
🪪 IAM
Once I got a question from a CISO about how our offboarding and onboarding were set up and documented. We had a basic implementation of automated onboarding / offboarding, but no documentation and no general plan. After a couple of meetings with the infrastructure manager and the CISO, we decided to start with a basic IAM model based on the security priorities indicated by the CISO.
First, this design and implementation was a team effort, and I took the lead.
✏️ design
At the start we looked at what the current situation was. With that knowledge, we worked out where we wanted to end up.
With that said, the start and end scenarios were set, and all the involved parties were known.
I always try to mirror the HR structure in the technical structure. This lets me implement a logical user design grounded in the business structure, which matters when combining all the services into one standardized identity framework.
We want to know who you are, what you need and what you are privileged to do. The last two are not always aligned.
For the governance design, we need to know what the business needs and who needs to do what. This is important for designing user identities and user roles, grouping users in logical units and creating a global structure that is aligned with the business.
When the first meetings were over, we knew the business, what applications were needed and what our gap was.
I started to redesign the structure for MS AD and MS Entra.
We went through many framework iterations based on feedback, the tech stack and the set security criteria.
Created privileged user logic based on privileges and duties.
We did a market search for software/vendors based on our budget and requirements.
Third parties were notified of the coming changes.
🛠️ implementation
For the implementation we decided on the following:
Devolutions
    PIM, connection management, PKI
MS AD (source of truth)
Network access
    Fortinet Zero Trust
    Cisco ISE
Entra for modern authentication
    PIM
No IG software (for now)
Every application would be onboarded to the new logic one by one.
Meeting with all involved parties including shopfloor personnel.
Create new RBAC models based on the involved identities, the identity source and app limitations.
Creation of dedicated service accounts / managed identities
Set up test accounts with the involved users.
Educate the first adopters and create documentation based on feedback.
Plan switchover and involve all users / third parties
Follow-up and manual creations for first line / FAQ for users, if needed.
Clean-up and handover to first line.
📃 Documentation
Documentation was done using Confluence, Excel, PowerApps with SharePoint lists, Visio, Word and PowerPoint.
Confluence contained detailed information about the new framework, procedures and FAQ pages that could be implemented into Jira.
Excel was used for the user and group design, with an RBAC table that automatically generated PowerShell commands for deployment (this was due to the lack of IG software).
PowerPoint was used to inform and educate the involved parties.
Word was used for permanent documents like the written out IAM framework.
PowerApps were used to visualize several SharePoint lists used for third-party identity governance, including automations that mimic a basic identity governance system.
Visio was used to document processes and framework visualisations.
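As an added illustration of the Excel RBAC table that generated PowerShell commands (example code, not the project's own spreadsheet or scripts): each row is one group membership, the output is idempotent ActiveDirectory-module commands, duplicate rows are skipped, and every table value is quoted so that an apostrophe in a name cannot alter the generated command. The column names, the sample rows and the OU path are constructed assumptions.

```powershell
# Constructed RBAC table standing in for the Excel sheet: one row per group membership.
$RbacCsv = @'
Role,Group,Member,Description
Shopfloor operator,APP-MES-Operator,jdoe,MES read/write for operators
Shopfloor operator,APP-MES-Operator,asmith,MES read/write for operators
Maintenance,APP-MES-Maintenance,bjones,MES maintenance screens
Maintenance,APP-MES-Maintenance,bjones,MES maintenance screens
Finance,APP-ERP-Finance,o'neil,ERP finance module
'@

function ConvertTo-AdLiteral {
    # Wrap a table value in single quotes; a literal quote is doubled so that
    # a value pasted into the sheet cannot break out of the generated command.
    param([string]$Value)
    return "'" + ($Value -replace "'", "''") + "'"
}

function Convert-RbacTableToCommands {
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string]$GroupOu = 'OU=RBAC,OU=Groups,DC=example,DC=local'  # assumed target OU
    )
    $commands = New-Object System.Collections.Generic.List[string]
    $seen     = @{}   # group name -> set of members already emitted
    foreach ($row in $Rows) {
        foreach ($col in 'Role', 'Group', 'Member') {
            if ([string]::IsNullOrWhiteSpace($row.$col)) {
                throw "Row for group '$($row.Group)' is missing column '$col'"
            }
        }
        $g = ConvertTo-AdLiteral $row.Group
        if (-not $seen.ContainsKey($row.Group)) {
            # One guarded creation per group, so re-running the output is harmless.
            $seen[$row.Group] = @{}
            $desc = ConvertTo-AdLiteral "$($row.Role): $($row.Description)"
            $commands.Add("if (-not (Get-ADGroup -Filter ""Name -eq $g"")) { New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path '$GroupOu' -Description $desc }")
        }
        if ($seen[$row.Group].ContainsKey($row.Member)) { continue }  # duplicate row in the sheet
        $seen[$row.Group][$row.Member] = $true
        $commands.Add("Add-ADGroupMember -Identity $g -Members $(ConvertTo-AdLiteral $row.Member)")
    }
    return $commands
}

$rows = $RbacCsv | ConvertFrom-Csv
Convert-RbacTableToCommands -Rows $rows   # review the emitted commands before running them
```

Nothing is changed in AD by this script itself; it only produces the command list, which is the point of generating from the table: the sheet stays the reviewed source and the commands are the deployment artifact.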