IBM Security Identity & Access Manager
Product Overview
Henrik Nelin, Certified Security IT-Architect
[email protected]
January 2015
© 2014 IBM Corporation

Transcript of IBM Security Identity & Access Manager

Page 1: IBM Security Identity & Access Manager


Page 2: IBM Security Identity & Access Manager

Agenda

• Overview IBM Security IAM
• IBM Security Identity Manager
• IBM Security Privileged Identity Manager
• IBM Security Identity Governance
• IBM Security Access Manager
• IBM Security IAM Cloud
• IBM Security Framework

Page 3: IBM Security Identity & Access Manager


Part of IBM’s comprehensive portfolio of security products

Page 4: IBM Security Identity & Access Manager

Identity and Access Management (IAM)
Securing the extended enterprise with Threat-aware Identity and Access Management

Four focus areas: Deliver actionable identity intelligence; Safeguard mobile, cloud and social access; Simplify cloud integrations and identity silos; Prevent advanced insider threats

• Validate “who is who”, especially when users connect from outside the enterprise
• Proactively enforce access policies on web, social and mobile collaboration channels
• Manage and audit privileged access across the enterprise
• Defend applications and data against unauthorized access
• Provide federated access to enable secure online business collaboration
• Unify the “Universe of Identities” for efficient directory management
• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence

Page 5: IBM Security Identity & Access Manager


IBM Identity Management Product

IBM Security Identity Manager (ISIM)

Page 6: IBM Security Identity & Access Manager

Addressing Customer Challenges
IBM Identity Management

Manage users and their access rights
• Securely enroll, manage and terminate user profiles and access rights throughout the lifecycle
• Flag expired accounts and role conflicts

Streamline user access to protected resources
• Reduce costs and improve user productivity with password management and single sign-on
• Support strong authentication devices for extra security

Safeguard access in Cloud / SaaS environments
• Monitor shared and privileged accounts to manage risk
• Secure user single sign-on in cloud environments

Address regulatory mandates
• Produce audit reports to demonstrate compliance with security regulations
• Monitor, identify and correct security violations

Page 7: IBM Security Identity & Access Manager

Identity Manager automates, audits, and remediates user access rights across your IT infrastructure

[Diagram: an identity change (add/del/mod) arrives from HR systems / identity stores; Identity Manager gathers approvals, evaluates access policy and updates accounts on the managed endpoints (databases, operating systems, applications, networks & physical access). Accounts on 70+ different types of systems are managed, plus in-house systems & portals. Local privilege settings are detected and corrected.]

Reduce Costs
• Self-service password reset
• Automated user provisioning
• Self-service access request

Manage Complexity
• Consistent security policy
• Quickly integrate new users & apps

Address Compliance
• Closed-loop provisioning
• Access rights audit & reports

• Know the people behind the accounts and why they have the access they do
• Fix non-compliant accounts
• Automate the user privileges lifecycle across the entire IT infrastructure
• Match your workflow processes

Page 8: IBM Security Identity & Access Manager

IBM Security Systems | Technical Sales Enablement

Identity Service Center UI: the launch page for all Identity activities
• Request Access
• View Access
• Approvals - Manage Activities

Page 9: IBM Security Identity & Access Manager


Identity Service Center for business users: Access Request

Page 10: IBM Security Identity & Access Manager

Simplified policy, workflow, and configuration reduces setup time

Wizards help users build:
• Approval workflows
• Request for Information Nodes
• Email Nodes
• Adoption Policies
• Recertification Policies
• Identity Feeds
• Service Definitions

No need for programming or scripting for simple configuration options
• Defaults to “simple” configuration
• Toggle to the “advanced” option to meet complex needs

Page 11: IBM Security Identity & Access Manager

Centralized password management enhances security and reduces help desk costs

Customer Challenge:
• High help desk costs to support employee forgotten-password requests
• Need to expire passwords regularly and enforce password format for security
• Account breach may raise awareness of weaknesses

SIM solution:
• Self-service password management across all systems
  - Apply targeted or global password rules
  - Verify compliance with target systems
• Password synchronization: propagate and intercept
• Challenge/response questions for forgotten user IDs and/or passwords
  - User- or site-defined questions
  - Email notification
• Integration with SAM E-SSO: desktop password reset/unlock at the Windows logon prompt
  - Provisioning user access to SAM E-SSO

Page 12: IBM Security Identity & Access Manager

Account reconciliation – enforcing access policy

Customer Challenge:
• When employees leave or change jobs, their application and system accounts are not terminated
• Dormant and “orphan” accounts result in higher license costs, and expose the organization to security breaches
• Compliance audit failure could result

IBM Solution:
• SIM can automatically reconcile “known good” SIM users to accounts on target applications and systems.
• Orphan accounts are recognized and can be automatically suspended.

Benefit: accounts available only for valid users – lower IT admin costs, improved security

[Diagram: SIM reconciliation compares the user repository with approved privileges against the accounts found on the managed endpoint.]
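A worked reconciliation pass, added here as an example and not SIM's own code. It compares a constructed identity repository (approved (service, uid) entitlements plus a mail attribute used as the adoption rule) against constructed endpoint account lists, keeps exact matches, links unapproved accounts to a person where the adoption rule matches, treats everything else as orphan, and emits the suspend/reprovision actions a closed-loop run would hand to the provisioning engine.

```python
"""Account reconciliation: endpoint accounts vs. an identity repository (added example)."""
from collections import namedtuple

# Constructed sample identity repository: each person carries an adoption attribute
# (mail) and the set of (service, uid) accounts that policy has approved for them.
SIM_USERS = {
    "p1001": {"mail": "ann@example.com",
              "approved": {("linux-prod", "ann"), ("crm", "ann.lee")}},
    "p1002": {"mail": "bob@example.com",
              "approved": {("linux-prod", "bob"), ("crm", "bob.k")}},
    "p1003": {"mail": "cy@example.com", "approved": set()},  # leaver: nothing approved
}

EndpointAccount = namedtuple("EndpointAccount", "service uid mail enabled")

# Constructed sample of what a reconciliation run pulled back from two endpoints.
ENDPOINT_ACCOUNTS = [
    EndpointAccount("linux-prod", "ann", "ann@example.com", True),
    EndpointAccount("linux-prod", "bob", "bob@example.com", True),
    EndpointAccount("linux-prod", "cy", "cy@example.com", True),    # leaver's account still live
    EndpointAccount("linux-prod", "svc_backup", "", True),           # nobody owns it
    EndpointAccount("crm", "ann.lee", "ann@example.com", True),
    EndpointAccount("crm", "ann_lee2", "ann@example.com", False),   # extra CRM account, adopted by mail
]


def reconcile(sim_users, endpoint_accounts, adoption_attr="mail"):
    """Classify every endpoint account as matched (approved), noncompliant (owner found
    by the adoption rule but not approved) or orphan (no owner), list approved accounts
    the endpoint no longer reports, and derive (verb, service, uid, person) actions."""
    owner_of = {}   # (service, uid) -> person holding the approved entitlement
    by_attr = {}    # adoption attribute value -> person
    for person, rec in sim_users.items():
        for ent in rec["approved"]:
            owner_of[ent] = person
        if rec.get(adoption_attr):
            by_attr[rec[adoption_attr]] = person

    out = {"matched": [], "noncompliant": [], "orphans": [], "missing": [], "actions": []}
    seen = set()
    for acct in endpoint_accounts:
        key = (acct.service, acct.uid)
        seen.add(key)
        person = by_attr.get(getattr(acct, adoption_attr))
        if key in owner_of:
            out["matched"].append((key, owner_of[key]))
        elif person is not None:
            out["noncompliant"].append((key, person))
        else:
            out["orphans"].append(key)
        # Anything not approved is suspended whether or not an owner was found;
        # the owner (if any) is kept so the action stays accountable.
        if key not in owner_of and acct.enabled:
            out["actions"].append(("suspend", acct.service, acct.uid, person))
    # Closed loop the other way: approved access that vanished locally is re-created.
    for ent, person in sorted(owner_of.items()):
        if ent not in seen:
            out["missing"].append((ent, person))
            out["actions"].append(("reprovision", ent[0], ent[1], person))
    return out
```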

Page 13: IBM Security Identity & Access Manager

Access recertification - facilitates compliance

Customer challenge
• Compliance – ensuring account access remains updated and valid

IBM Security Identity Governance capabilities
• Attestation: provides an access validation process to those who can responsibly and accurately make that decision
• 3 types of recertification policies to validate continued need for resources
  - Account recertification policies: target accounts on specific services
  - Access recertification policies: target specific accesses, described in decipherable terms (e.g. AD group UK3g8saleww_R = sales pipeline portlet)
  - User recertification policies: a certification process that combines recertification of a user's role, account and group membership into a single activity

Page 14: IBM Security Identity & Access Manager

Identity Management On-the-Go!

Identity Manager Mobile
• Native Android and iPhone app/interface
• Allows business managers to review and approve employee requests; also view history/status
• Supports password change and forgotten password reset (with challenge/response)
• Support for OAuth authentication for Android and iOS applications

Page 15: IBM Security Identity & Access Manager

Adapter portfolio: integration breadth and depth to achieve rapid value

Broad Support for Prepackaged Adapters
Deep support, beyond a ‘check box’, for critical infrastructure and business applications

Applications & Messaging: Blackberry Ent. Server, Cognos, Command line-based applications, Documentum eServer, Google Apps, LDAP-based applications, Lotus Notes/Domino, Microsoft Lync, Microsoft Office365, Microsoft Sharepoint, Novell eDirectory, Novell Groupwise, Oracle E-Business Suite, Oracle PeopleTools, Rational Clearquest, Rational Jazz Server, Remedy, Salesforce.com, SAP GRC, SAP Netweaver, SAP AS Java

Databases: DB2/UDB, Oracle, MS SQL Server, Sybase

Authentication and Security: CA Top Secret, CA ACF2, Cisco UCM, Desktop Password Reset Assistant, Entrust PKI, IBM Security Access Mgr., IBM Security Access Manager for ESSO, RACF zOS, RSA Authentication Mgr.

Operating Systems: HP-UX, IBM AIX, IBM i/OS, Red Hat Linux, Solaris, Suse Linux, Windows Local

Partner Offered Integrations: Approva BizRights, Citrix Pwd Mgr, Cryptovision PKI, ActivIdentity, Lawson, SecurIT R-Man, JD Edwards, Epic, Meditech, Tandem, BMC Remedy, Zimbra Mail

Also listed on the slide: Siebel, Windows AD/Exchange

(Legend: application adapter, host adapter, requires local adapter)

Fast, adaptable tooling for custom Adapters
• Quickly integrate with home-grown applications
• Easy wizard-driven templates reduce development time by 75%
• Requires fewer specialized skills

Page 16: IBM Security Identity & Access Manager

Cognos-based reporting system facilitates audit requirements

Full Cognos Reporting capabilities included
• Report Administration
  - Report scheduling
  - Distribution via email (PDF) and URL
• Report customization
• Web-based Report Viewer
• Dashboards

Page 17: IBM Security Identity & Access Manager


Identity Management

IBM Security Privileged Identity Manager (PIM)

Page 18: IBM Security Identity & Access Manager

IBM Security Privileged Identity Manager
Centrally manage, audit and control shared identities across the enterprise

Key release highlights
• Control shared access to sensitive user IDs
  – Check-in / check-out using secure credential vault
• Track usage of shared identities
  – Provide accountability
• Automated password management
  – Automated checkout of IDs, hide password from requesting employee, automate password reset to eliminate password theft
• Request, approve and re-validate privileged access
  – Reduce risk, enhance compliance
• Optional Privileged Session Recorder
  – Visual recording of privileged user activities with on-demand search and playback of stored recordings
• Optional Application ID governance
  – Replace hardcoded and clear text embedded credentials

IBM security solution: Privileged Identity Management (PIM) solution providing complete identity management and enterprise single sign-on capabilities for privileged users

[Diagram: prevent advanced insider threats. The admin ID and password are held in the Credential Vault; sessions to databases pass through the Privileged Session Recorder; PIM for Apps covers application IDs.]

Page 19: IBM Security Identity & Access Manager


Identity Management

IBM Security Identity Governance (ISIG)

Page 20: IBM Security Identity & Access Manager

Challenges with Identity Governance today …

[Diagram: roles, groups, accounts, actual usage, business need, risk, privileges]

The Problem: “Identity explosion” across the enterprise increasing security risks, insider threats, and audit exposures

• Difficult to tie business activities to enterprise risk
• Auditors are unable to review access risk and compliance without a lot of help from IT
• Business users lack the insight that would help them properly certify user accesses and entitlements
• Ongoing, automated controls to ensure continued compliance
  – Multiple point tools make it difficult to tie compliance processes to governance and user provisioning activities

Page 21: IBM Security Identity & Access Manager

IBM Security Identity Governance and Administration solution: offers integrated governance and user lifecycle management

IBM Security Identity Governance and Administration
• SIM collects entitlement data from managed resources
• SIG allows the business to certify access rights, model roles, manage SoD
• SIM performs write-back to target systems for closed-loop fulfillment

Page 22: IBM Security Identity & Access Manager

Identity and Access Management
Access Management
Safeguard mobile, cloud and social access

Page 23: IBM Security Identity & Access Manager

Helping achieve secure transactions and risk-based enforcement
Safeguarding mobile, cloud and social access

[Diagram: consumers, employees and BYOD users reach consumer / employee applications, data and on/off-premise resources over the Internet, cloud and mobile; the security team and application team manage consistent security policies.]

Threat-aware application access across multiple channels
• Strong Authentication, SSO, session management for secure B2E, B2B and B2C use cases
• Context-based access and stronger assurance for transactions from partners and consumers
• Transparently enforce security access policies for web and mobile applications
• Enforce security access policies without modifying the applications

Access Management

Page 24: IBM Security Identity & Access Manager

ISAM for Web and ISAM for Mobile Packages

ISAM for Web
• Layer 7 Load Balancer
• Web Threat Protection

ISAM for Mobile
• Context based access control
• Device registration/fingerprinting
• Multi-factor Authentication
• API Protection (OAuth)

ISAM Appliance (Base Services)
• Web Reverse Proxy
• Policy Server
• Embedded LDAP
• Distributed Session Cache

Page 25: IBM Security Identity & Access Manager

ISAM for Mobile: Stronger identity assurance for high risk access

[Diagram: SSO to enterprise applications/data]
1. User accesses data from inside the corporate network
2. User is only asked for Userid and Password to authenticate
3. User accesses confidential data from outside the corporate network
4. User is asked for Userid/Password and OTP based on risk score (Strong Authentication outside the corporate network)

• Built-in Risk scoring engine using user attributes and real-time context (e.g. Risk Scoring and Access policy based on Device registration, Geo-political location, IP reputation, etc.)
• Support mobile authentication with built-in One-Time Password (OTP) and ability to integrate with 3rd party strong authentication vendors, as needed. Examples of supported OTPs are MAC OTP (email & SMS), HMAC OTP (TOTP & HOTP using client generators like Google Authenticator), RSA SecurID Soft and Hard tokens
• Offer a Software Development Kit (SDK) to integrate with 3rd party authentication factors and collect additional contextual attributes from the device and user session
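The step-up flow in steps 1-4 and the risk-scoring bullet, carried through in code as an added example (not ISAM's own engine): a context-based policy decides whether a request needs password only, password plus OTP, or is denied, and the OTP check implements HMAC OTP in both HOTP (RFC 4226) and TOTP (RFC 6238) form as named on the slide. The attribute weights, thresholds and sample contexts are assumed values for illustration.

```python
"""Risk-based step-up to OTP with RFC 4226/6238 verification (added example)."""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password per RFC 4226 (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP per RFC 6238: HOTP over the 30-second time counter."""
    return hotp(secret, at // step, digits)

# Assumed weights and thresholds; a real policy is tuned per deployment.
WEIGHTS = {"external_network": 40, "unregistered_device": 30,
           "foreign_country": 20, "bad_ip_reputation": 50}
OTP_THRESHOLD = 40
DENY_THRESHOLD = 100

def risk_score(ctx: dict) -> int:
    """Sum the weights of every risky attribute present in the session context."""
    score = 0
    if ctx["network"] != "corporate":          score += WEIGHTS["external_network"]
    if not ctx["device_registered"]:           score += WEIGHTS["unregistered_device"]
    if ctx["country"] != ctx["home_country"]:  score += WEIGHTS["foreign_country"]
    if ctx["ip_reputation"] == "bad":          score += WEIGHTS["bad_ip_reputation"]
    return score

def decide(ctx: dict, confidential: bool) -> str:
    """Map the risk score to 'password', 'password+otp' or 'deny'. As in steps 1-2,
    non-confidential resources never trigger OTP; step 3-4 access does when risky."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"
    if confidential and score >= OTP_THRESHOLD:
        return "password+otp"
    return "password"

def verify_otp(secret: bytes, submitted: str, at: int, drift_steps: int = 1) -> bool:
    """Accept the current TOTP or one step either side; constant-time comparison."""
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, at + delta * 30), submitted):
            return True
    return False

def authenticate(ctx, confidential, password_ok, otp, secret, at) -> bool:
    """Run the policy decision, then check exactly the factors it demands."""
    need = decide(ctx, confidential)
    if need == "deny" or not password_ok:
        return False
    if need == "password+otp":
        return otp is not None and verify_otp(secret, otp, at)
    return True

# Constructed sample contexts: same user on the corporate LAN and from outside.
INSIDE_CTX = {"network": "corporate", "device_registered": True, "country": "SE",
              "home_country": "SE", "ip_reputation": "good"}
OUTSIDE_CTX = dict(INSIDE_CTX, network="external")
```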

Page 26: IBM Security Identity & Access Manager


Identity Management

IBM Security Identity & Access Management Cloud

Page 27: IBM Security Identity & Access Manager

IAM Cloud Service – Capabilities overview

IaaS: Securing infrastructure & workloads; manage cloud administration & workload access
SaaS: Secure usage of business applications; enable employees to connect securely to SaaS
PaaS: Secure service composition & apps (Bluemix); integrate identity & access into services & apps

• Protect applications and workloads in private Cloud stacks (e.g. FIM)
• Deploy in VMware based on-prem clouds today; add support for additional hypervisors and cloud platforms
• Support for applications to invoke service APIs on behalf of a user
• Integration with cloud platforms (i.e. BlueMix) to externalize identity from applications
• Provide Web and Federated SSO (i.e. SAML) to both on/off-premises applications
• Provide self-service and portal based experience/access for enterprise, business and personal applications

Page 28: IBM Security Identity & Access Manager


Integration

Page 29: IBM Security Identity & Access Manager

Identity enriched security intelligence: SIM and QRadar Integration

QRadar Device Support Module for Identity Manager (including PIM vault functions)
• Centrally reports in QRadar the activities of the SIM admin users

Collect identity attribute info from the SIM registry. Use the data in conjunction with log events and network flow data in rules to provide “identity context aware” security intelligence
• Map SIM identities and groups to activities in QRadar-monitored applications. Help correlate enterprise-wide user activities. Generated reports can assist with SIM user recertification or role planning

User ID Mappings: multiple user IDs from systems are mapped to a common ID, i.e. SKumar and SureshKumar are the same person, for comprehensive activity correlation

[Diagram: the Security Identity Manager identity repository feeds QRadar with identity mapping data and user attributes, SIM server logs and application logs from databases, operating systems, applications, networks & physical access.]

Page 30: IBM Security Identity & Access Manager

Implementing identity and access management can address these challenges and drive positive results

IT / Business
• Decreases risk of internal fraud, data leak, or operational outage
• Streamlines compliance costs by providing automated compliance reports
• Can reduce the time to onboard and de-provision identities from weeks to minutes
• Can significantly reduce Help Desk costs resulting from password reset calls
• Improves end-user experience with Web-based business applications by enabling activities such as single sign-on

Page 31: IBM Security Identity & Access Manager


www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.