
Naresh Kumar Erra is a results-driven Lead Infrastructure Engineer with 11+ years of experience in IT infrastructure management, specializing in Azure support. He has a proven track record of exceeding performance targets and delivering high-quality service. Naresh is skilled in optimizing system performance, reducing downtime, and enhancing security across multiple organizations. He excels in leading and mentoring teams, ensuring adherence to service level agreements (SLAs), and fostering a collaborative culture. Naresh is dedicated to standardizing operating procedures (SOPs) and implementing best practices to enhance team efficiency. His cross-functional collaboration skills enable him to resolve complex customer issues, and he is committed to knowledge sharing and staying updated on Azure services and best practices. Naresh is proficient in cost optimization strategies, compliance, security, and disaster recovery planning to support robust Azure environments. He holds a Bachelor of Technology degree from Vignan Institute of Technology and Sciences and is certified in DP-900 Microsoft Azure Data Fundamentals. Naresh's notable achievements include reducing incident resolution time by 11%, increasing team efficiency by 15%, successfully migrating major clients to Azure, enhancing security and compliance measures, and improving incident escalation processes.
Senior Engineer
LTI Mindtree Pvt. Ltd.
Technical Lead
Mantra Technologies Pvt Ltd
Senior Operations Specialist
IBM India Pvt. Ltd.
Customer Support Executive
IBM Daksh India Pvt Ltd
Infrastructure Support Engineer
Redcentric Pvt Ltd
Azure Boards

Azure repos

Azure Pipelines

Azure test plans

Azure artifacts

Azure Resource Manager (ARM) templates

Azure Key Vault

Azure Monitor and Application Insights
Docker

Terraform

Azure CLI

PowerShell

Git

SonarQube

WhiteSource
Jenkins

Ansible
Client: Microsoft
Role: Senior Engineer
Environment: Web Services, SVN, ANT, Jenkins, Docker, Kubernetes, Terraform, Linux, Azure, HTML, CSS, Apache & Tomcat
Roles and Responsibilities:
Client: Talk Talk
Role: Technical Lead
Environment: Azure, Maven, GIT, Jenkins, Shell Scripting, Tomcat, Linux, Ansible
Client: AT&T
Role: Senior Operations Specialist
Roles and Responsibilities:
Client: Redcentric PLC
Role: Technical Support Engineer
Roles and Responsibilities:
Client: IBM Daksh Pvt Ltd
Role: Customer Support Engineer
Roles & Responsibilities-
So could you help me understand more about your background, giving a brief introduction about yourself? Well, my name is Naresh Kumar Erra. I have 11 years of experience in IT infrastructure management, of which I have 7 plus years of experience in Azure and AWS, you know, cloud operation support and administration. And I have 5 plus years of experience in Azure DevOps and practices. And I have a good amount of experience. I worked for 4 to 5 companies, all of which include LTI Mindtree for four and a half years. Prior to that, I was working with Mantra Technologies. And prior to that, I was with IBM for a good amount of time. And coming to certifications, I hold a Red Hat certified engineer, Linux Red Hat certified engineer, and I have DP-900 from Microsoft. And I'm planning to take certification from Microsoft Azure, like exam 104, which covers governance and practices from the Azure side. So that's pretty much about myself.
Can you provide an example of a complex IAM workflow you have automated? Well, yes. I mean, there are a lot of them, out of which, if I could think of one, is that I have automated the onboarding and offboarding process for employees. So, when a new employee joins the company, the workflow involves creating a new user account, assigning the appropriate roles and permissions based on their job role, and provisioning access to the necessary systems and applications. This process includes setting up multifactor authentication and ensuring compliance with security policies. And when an employee leaves the company, the offboarding process involves revoking access to all systems and applications, deactivating their user account, and ensuring all sensitive data and credentials are properly secured. Apart from that, I have automated this workflow by creating a series of scripts and workflows that integrate with our HR system and IBM platform. This automation ensures that the onboarding and offboarding process are consistent, efficient, and secure while reducing the potential harm of human errors.
Alright, a few IAM protocols and standards that I have commonly used are, some like security SAML, that is Security Assertion Markup Language. It's an XML-based open standard for exchanging authentication and authorization data between parties, particularly between identity provider and a service provider. Next one is open authorization. Open authorization is an open standard for access delegation, commonly used for granting access to the resources on one site to another site without having to share the credentials. Then we have OpenID Connect. OpenID Connect is an authentication layer built on top of OAuth 2.0, providing a way to verify the identity of the end user based on authentication performed by an authorization server. We also have LDAP, that is Lightweight Directory Access Protocol. LDAP is a protocol for accessing and maintaining distributed directory information services over the IP network, commonly used for authentication and authorization. And then we have RADIUS, that is Remote Authentication Dial-In User Service. RADIUS is a networking protocol that provides centralized authorization, authentication, and account management for users who connect and use a network service. This is pretty much what I know about IAM protocols and standards that I have commonly used.
To integrate Savvy within an organization's existing systems, the steps would be as follows. First and foremost, the 1st step would be to assess the existing systems. This includes conducting a thorough assessment of the organization's existing systems, including identity and access management solutions, HR systems, directory services, and other applications that manage user access and permissions. Next, we would define the integration requirements. This involves identifying the specific integration requirements such as user provisioning, single sign-on (SSO), role-based access control, and compliance needs. Then, we would conduct a compatibility check to ensure that Savvy is compatible with the organization's existing systems and applications. This may include defining user roles, access policies, and authentication methods based on existing system configurations. The next step would be to test the integration. This involves conducting load testing to ensure that the integration works as expected. This includes testing user provisioning, authentication flows, SSO functionalities, and access control policies to validate the integration. Once the integration has been tested and validated, we would deploy the solution in a phased approach to ensure minimal disruption to the organization's operations. This would also involve providing training and documentation to help fellow engineers understand the integration.
What are the main features of IBM ISIM? Okay. If I could think of it from my head, the main feature is IBM Security Identity Manager. So, this is a basically comprehensive identity and access management solution from IBM. Well, Autoface, the main feature is identity life cycle management. So, it provides a capability for managing the entire life cycle of user entities, including user provisioning, deprovisioning, and role-based access control. It allows organizations to automate the process of creating, modifying, and revoking user access based on pre-defined policies. And the next main feature I could say is self-service dedicated administration. So, it provides self-service capabilities that enable users to perform certain identity management tasks, such as password resets and profile updates, without IT intervention. And then we have access certification and compliance. This is very important. Basically, it allows organizations to be compliant by creating custom workflows. We also have something called reporting and analytics. So, IBM Security Identity Manager includes reporting and analytics capabilities to provide visibility into user access, compliance status, and identity-related activities. Then we also have multifactor authentication. So, it controls MFA and adaptive access controls to enhance security and mitigate risks associated with user access. It enables organizations to enforce strong authentication methods and adaptive access policies based on contextual factors. So, these are the few features of IBM Security Identity Manager.
User provisioning in IAM is the process of creating, modifying, and managing users, user accounts, and access rights across an organization. So, I will explain the simple process step by step. The first step is user onboarding, which begins when a new employee joins the organization. This involves creating a new user account in the organization's IAM system and capturing the user's identity information, such as name, email address, job role, and assigning initial access rights based on the role and responsibilities. The second step is role-based access control, where access and permissions are given to the user based on their job function. This may include granting access to specific applications or systems or data based on predefined role definitions. The third step is automated provisioning. Many organizations use automated provisioning tools and workflows to streamline the user provisioning process. Automated provisioning helps ensure consistency and accuracy by automatically provisioning access based on predefined rules and policies. The next step is access request and approval. In some cases, user provisioning may involve access requests and approval workflows. When a user requires additional access beyond their initial provisioning, they can submit access requests, which are then reviewed and approved by designated administrators. The final step is deprovisioning. If an employee leaves the organization or changes their role, deprovisioning involves revoking access rights, disabling user accounts, and ensuring that the user no longer has access to organizational resources. Additionally, there are integration with HR systems and compliance and audit processes involved in user provisioning.
Privileged access management is significant in IAM and it's a critical component. The significance of privileged access management lies in mitigating the risks associated with the unauthorized access, misuse of privileged credentials, and potential security breaches that could result from compromised privileged accounts. Privileged access management helps organizations enforce strict controls, monitor, and audit privileges, and reduce the attack surface by limiting the exposure to critical systems and data. To implement privileged access management, the process involves several steps. The first step is privileged account discovery, which involves identifying and inventorying all the privileged accounts across the organizational IT infrastructure. This includes local and domain administrative accounts, service accounts, and other privileged accounts or identities. The second step is privileged password management, which provides a capability of securely storing, managing, and using privileged passwords. This includes using a secure vault to store privileged credentials, enforcing strong password policies, and automating password rotation to reduce the risk of credential theft and misuse. Another implementation is just in time privilege elevation, which often includes a just in time access scheme allowing users to request temporary elevated privileges for specified tasks with a time limit. Users can request another or extend it as per the usage capabilities. The next step is session monitoring and recording, which enables real-time monitoring and recording of privileged user sessions, providing visibility into user activities and ensuring that all actions are logged for audit and compliance purposes. Finally, privileged delegation and workflow is supported by PAM solutions, which enables the delegation of privileges to specific users or roles, providing granular control over who can perform certain tasks.
Let's explain how IAM reduces security risks within an organization. Yeah. So, majorly, it would reduce the security risk within an organization. So, IAM basically plays a crucial role in reducing the security risks by providing a framework. It provides a framework for managing user identities, controlling access to resources, and enforcing security policies. So, I'm going to tell you a few steps where IAM helps mitigate security risks. So, first one is centralized identity management. Right? IAM centralizes the management of user entities, ensuring that the user accounts are created, modified, and deactivated in a consistent and controlled manner. Then, we have role-based access control. It enables organizations to implement user rights based on the job roles and responsibilities. Then, next, we have single sign-on. So, solutions often include SSO capabilities allowing users to access multiple applications and systems with a single set of credentials. SSO reduces the risk of password-related issues, such as weak passwords or password reuse or phishing attacks. Then, we have multifactor authentication, which provides multiple forms of authentication, like passwords, biometric, and one-time passwords. So, all these things strengthen the security by adding an extra layer of protection. And, we have access governance and compliance. It provides capabilities for access certification, and compliance management. This ensures that access rights are regularly reviewed, certified, and aligned with internal policies and regulatory requirements. Like, reducing the risk of unauthorized access. And, there is privileged access management. Then, we have user behavior analytics, and then integration and visibility. So, these are all the few steps by which we can reduce security risks within an organization using IAM.
So how will you implement a zero-trust architecture within an IAM framework? Alright. Yes. Definitely, we can implement a zero-trust architecture within an IAM framework. But, I'm thinking the approach they have to implementing zero-trust architecture with an IAM framework involves adopting the security model that assumes no implicit trust regardless of whether the user is inside or outside the organization's network perimeters. So, basically, zero trust focuses on verifying and securing every access request, minimizing attack surfaces, and enforcing security access controls. Let's go step by step. We have two minutes. So we have something called the identity-centric approach. Zero trust starts with strong identity verification. Implement multifactor authentication for all users, including employees, partners, and third-party vendors. This ensures access is granted only after successful identity verification. Second, we would be the principle of least privilege. We enforce the principle of least privilege, ensuring users have access only to the resources necessary to perform their specific roles and responsibilities. To implement RBAC and ABAC. ABAC is attribute-based access control to granularly manage access rights. Then we have microsegmentation. Microsegmentation is network segmentation that isolates critical systems and data, limiting lateral movement within the network to reduce the impact of a potential breach. We have continuous monitoring and analytics. We need to implement user behavior analytics and continuous monitoring to detect anomalies, activities, and potential security threats. This includes monitoring access patterns, user activities, and data usage to identify deviations from normal. Then we have secure access management, or SAM. This solution allows you to manage and securely access applications, systems, and data. We also need to implement secure remote access. With the increasing trend of remote work, secure remote access is crucial.
So, implementing secure VPN, virtual desktop infrastructure, and Secure Access Service Edge solutions ensures secure access for remote users. And then we have Application-Centric Security. When implementing application-level security controls, such as application firewalls, data encryption, and security coding practices, will help. We also have continuous education and awareness programs that need to run within the organization.
Can you discuss a project where you enabled single sign-on for a suite of applications? Well, yes, I'd be happy to explain that because I have done multiple projects where the requirement is such. So, I'll explain it with an example. Imagine you have a scenario where an organization wants to streamline access to a suite of cloud-based applications, which includes a CRM application, an ERM, and a document management system. So, I'll explain the steps. The first one would be access and planning. The project begins with an assessment of the existing applications, like understanding the existing applications and their authentication mechanisms and the requirements for SSO. So, the team identifies the applications that will be integrated with the SSO solution and defines the scope of the project. And secondly, we have SSO solution selection. The team evaluates SSO solutions that are compatible with the suite of applications and align with the organization's security and usability requirements. Then, we have integration and configuration. The chosen SSO solution is integrated with the suite of applications. This involves configuring the SSO solution to establish trust relationships with each application, enabling seamless authentication and user provisioning. Then, we have user identity management. This defines user identities and access policies with the SSO solution. This may involve mapping user attributes, roles, and permissions to ensure consistent access controls across the suite of applications. Then, we have testing and validation. Once rigorous testing is conducted to ensure the SSO works seamlessly across the suite of applications, we have rollout and user training. Once the SSO solution is successfully integrated and tested, the rollout plan is executed. Users are informed about the new SSO capabilities, and trainings are provided to ensure they understand how to access the suite of applications using SSO. And then, we have monitoring and support. 
After the rollout, the project team monitors the SSO solution to ensure its stability and performance. And, there is ongoing maintenance. After the initial rollout, some maintenance is needed to ensure the plans are correct.
Have you ever had to mentor or train team members on best practices? How did you approach it? Well, I've been part of a team. I personally did mentor, but I did have an opportunity to work on a collaborative effort like mentoring the entire team. We, as a team, worked amongst ourselves. So I can tell you the basic approaches, like, how it works actually. The first step is to assess the team's knowledge and skills, understand existing knowledge and skills of the team members regarding best practices, identifying areas of improvement or guidance. And then once I get to know that information, I'll define the learning objective. Clearly define the learning objective for the training. This includes understanding best practices for user provisioning, access control, authentication methods, compliance requirements, and security principles. And then the next step is to provide context and relevance. So explain the importance of best practices in the context of security, compliance, and user experience. This helps team members understand how best practices contribute to the organization's overall security posture and operational efficiency. We use real-time examples to help understand the team members better. We have to explain case studies or real-world scenarios, real-time scenarios, to help them understand in a better way. Then we also ensure that we have to provide interactive training sessions. We have to encourage the team members to be interactive, providing workshops and group discussions, hands-on exercises, which will reinforce learning. And then we can demonstrate best practices tools and technologies if applicable, like at the moment. If your project permits or the company permits, then we demonstrate best practices tools and technologies that teams will be working with. If possible, provide a practical demonstration of best practices solutions. We should always be open to questions and feedback. So a good, healthy environment is needed to encourage questions.
Teams should come up with questions. In case anything anywhere or any person needs improvement, there should be a transparent treatment provided. And we have to provide all the resources and references to the team just to ensure that they're following the best of the practices in the latest time. And there's something called role-based training. So based on the roles, you have to provide the training to the team members. For example, system administrators may require different training compared to security analysts or compliance officers.