Secure Identity Management, Alan Mark, Chief Security Strategist, amark@novell.com, Novell, Inc.

Posted 20-Jan-2016, category: Documents

Transcript

Page 1

Secure Identity Management

Alan Mark, Chief Security Strategist

amark@novell.com

Novell, Inc.

Page 2

Agenda

• Identity Management Exposed
• Account Management
• Advanced Authentication
• SecureLogin Services
• Controlling outbound Access
• Controlling inbound Access

Page 3

So many identities

[Figure: process diagram of one company's employee identity and termination workflow. Systems shown: Personic (a1002, resumes, job openings, offer letters), PeopleSoft (a1001, HR), InfoSource (a1008, workforce data), Maximo (a1011, old facilities application), BIG (facilities requests by phone and web queue), Vantive (help desk, HD), NW Admin (account creation and activation tool), NDS (Novell Directory Services), GroupWise, Oracle Web Requisitions (a4001), the Archibus DB (used by BIG), UNS (Unique Name Search across NDS, GroupWise and SMTP aliases), the Westinghouse Access Control System, EPI (security badge creation), the PBX and 16411 auxiliary phone system, Archer Management and the ARISTO DB, the KeyCode Sybase DB (K1 office keys without special approval, K2 master keys with security approval) and the corporate directory (i1032). Flows shown: HR sends termination notices by e-mail (daily notification and weekly report) to the help desk, security personnel, administrators and managers, and budget analysts (FP&A); the help desk deactivates accounts in InfoSource without creating an incident; badges are bar-coded and linked to the employee ID, but that linkage is not used; NDS attributes (distinguished name, department, first and last name, phone, fax, job title, mail stop, InfoSource ID, WorkForce ID) feed the corporate directory.]

Page 4

Identities in the Directory

• Simple
  – White pages
  – Names in a database
• Complex
  – Identities & Relationships
  – Roles and responsibilities

Page 5

Identities in an eDirectory

The Directory is the key to unified management of identities and communities

• Identity: Digital ID, Management, Single Sign-on
• Communities: Business-to-Business, Consumer / Business, Person-to-Person, Enterprise Applications, Communities of interest

Page 6

Security in the Directory

The directory provides security, policy and relationship management

Enforces the processes, policies, procedures, and relationships that define and drive the business

[Figure: Directory Services as the hub joining identities, policies and relationships; example identities Sonja, Geir and Craig in Marketing.]

Page 7

Linking Directories

[Figure: a directory on NetWare (primary) and a directory on Solaris (primary) each linked to a directory on NT (secondary); each link is a live, continuous backup with changes replicated in real time.]

Page 8

Linking Identities

[Figure: the directories on NetWare (primary), Solaris (primary) and NT (secondary) from the previous slide, each holding its own representation of the same person.]

Record 1:
User: Sonja
Name: Sonja Johnson
Phone: 17397
Location: PRV-H-133

Record 2:
Name: Johnson, Sonja
Phone: +1 801-861-7397
Location: PRV-H-133

Record 3:
User: SJohnson
Name: Sonja Johnson
Phone: (801) 861-7397
Location: Provo, Bldg H, Floor 1, Section 133, USA
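The three records above describe one person in three formats. The Python below is an added example (not Novell's code or part of the deck) that normalises phone, name and location to a common form and joins the records on the phone number, reporting any attribute that disagrees; the site prefix behind 5-digit extensions and the Provo/PRV mapping are assumptions.

```python
import re

# Constructed sample input: the same person as shown in three directories on the slide.
RECORD1 = {"User": "Sonja", "Name": "Sonja Johnson", "Phone": "17397", "Location": "PRV-H-133"}
RECORD2 = {"Name": "Johnson, Sonja", "Phone": "+1 801-861-7397", "Location": "PRV-H-133"}
RECORD3 = {"User": "SJohnson", "Name": "Sonja Johnson", "Phone": "(801) 861-7397",
           "Location": "Provo, Bldg H, Floor 1,Section 133, USA"}

# Assumptions (not stated on the slide): a 5-digit extension belongs to the
# +1 801 86x block (17397 -> +1 801 861 7397), and "Provo" is the city behind "PRV".
SITE_PREFIX = "180186"
CITY_CODES = {"provo": "PRV"}

def canonical_phone(raw: str) -> str:
    """Reduce any of the slide's phone spellings to one E.164 digit string."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 5:            # bare PBX extension
        digits = SITE_PREFIX + digits
    elif len(digits) == 10:         # national number without country code
        digits = "1" + digits
    return "+" + digits

def canonical_name(raw: str) -> tuple:
    """'Johnson, Sonja' and 'Sonja Johnson' both become ('sonja', 'johnson')."""
    if "," in raw:
        last, first = (p.strip() for p in raw.split(",", 1))
    else:
        first, last = raw.strip().rsplit(" ", 1)
    return (first.lower(), last.lower())

def canonical_location(raw: str) -> tuple:
    """'PRV-H-133' and 'Provo, Bldg H, Floor 1,Section 133, USA' -> ('PRV', 'H', '133')."""
    m = re.fullmatch(r"([A-Z]{3})-([A-Z0-9]+)-(\d+)", raw.strip())
    if m:
        return m.groups()
    city = raw.split(",")[0].strip().lower()
    bldg = re.search(r"Bldg\s+(\w+)", raw)
    sect = re.search(r"Section\s+(\d+)", raw)
    if city in CITY_CODES and bldg and sect:
        return (CITY_CODES[city], bldg.group(1), sect.group(1))
    raise ValueError(f"unrecognised location format: {raw!r}")

def same_identity(records: list) -> bool:
    """True when every record resolves to the same canonical phone number."""
    return len({canonical_phone(r["Phone"]) for r in records}) == 1

def link_identities(records: list) -> dict:
    """Join the records into one linked identity and list attributes that disagree."""
    if not same_identity(records):
        raise ValueError("records do not share a phone number; refusing to link")
    linked = {"phone": canonical_phone(records[0]["Phone"]),
              "logins": sorted(r["User"] for r in records if "User" in r)}
    for field, fn in (("name", canonical_name), ("location", canonical_location)):
        linked[field] = sorted({fn(r[field.capitalize()]) for r in records})
    linked["conflicts"] = [f for f in ("name", "location") if len(linked[f]) > 1]
    return linked
```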

Page 9

Linking Global Identities

The Liberty Conformance and Interoperability Group is responsible for defining and supporting a process of interoperability between systems.

projectliberty.org

Page 10

Linking identities in applications

[Figure: Directory Services linked to SAP.]

Page 11

Convergence Creates a New Class of Applications

[Figure: a stack of Physical Network Infrastructure, Digital Signal Processors (DSPs), Operating Systems, Services and Applications, with the DIRECTORY spanning all layers; the new class of applications is hosted transactions such as “Hire an employee” and “Who is the expert on ...”.]

Page 12

DirXML Architecture

[Figure: an application, directory or database connects through an application shim to DirXML, whose Publisher and Subscriber channels apply rules and stylesheets in each direction; a join engine links the connected system's data with the NDS datastore.]

Page 13

Data Sharing

Consolidating Management of Enterprise Data

• Multiple directories
  – HR, PBX, e-mail, ERP, Finance, etc.
• Common data between the directories
  – User data, enterprise data
• Authoritative sources must be preserved
  – One-way data flow
  – Bi-directional data flow
  – Rules

DirXML is a general purpose solution

Page 14

Supporting platforms/interfaces

• Interfaces: LDAP v3, NDAP, DEN, ActiveX, ADSI, ODBC, C/C++, Visual Basic, XML, Java, Java Beans, JNDI
• Platforms: OS/390, NT, NetWare, Solaris, Linux

Page 15

Identity - The key to relationships

Offer unique services, privileges and relationships based upon an identity

• Personalizes the net

• Gives them what they need (but only what they need)

• Empowers individuals to manage important relationships and data

Page 16

What an identity determines

• Who you are
• Where you are
• What data you can access
• How you authenticated

Page 17

Directory-Linked identities

[Figure: DirXML interfaces link an NDS Infrastructure Tree, NDS Workforce Tree, NDS Customer Tree and NDS Authentication Tree with iClick, PeopleSoft, Personic, GroupWise, the PBX, B.I.G. apps, Vantive, Westinghouse, e-Guide, Oracle/Siebel etc., WITS (mail delivery system) and EPI. Processes shown: employee forms scanned into the system, the employee assimilation process, the track-applicant process, self-service information forwarded to PeopleSoft, and the manager self-service process.]

Page 18

Changes Are Hard to Manage

[Figure: a user saying “I have a new phone number” must separately update Whitepages, Payroll, HR, the health care plan, dental plan, stock plan and 401k at My Company.]

Page 19

Using XML to link systems

DirXML manages the changing data inside and outside the firewall

[Figure: the same “I have a new phone number.” change now flows once through DirXML to Whitepages, Payroll, HR, the health care plan, dental plan, stock plan and 401k at My Company.]
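Pages 13 and 19 describe DirXML preserving authoritative sources while it pushes changes through publisher and subscriber channels. The Python below is an added illustration of that rule, not DirXML code; the connected systems, attribute ownership and user are constructed sample data chosen to mirror the “new phone number” slide.

```python
from dataclasses import dataclass, field

SYSTEMS = ["HR", "PBX", "Whitepages", "Payroll"]
# Assumed ownership: HR is authoritative for name and title, the PBX for phone.
# Attributes with no owner (e.g. mailstop) flow bi-directionally from any system.
AUTHORITATIVE = {"name": "HR", "title": "HR", "phone": "PBX"}

@dataclass(frozen=True)
class Change:
    source: str   # system whose publisher reported the change
    user: str     # join key shared by every connected system
    attr: str
    value: str

@dataclass
class JoinEngine:
    directory: dict = field(default_factory=dict)   # the hub (NDS) copy of each user
    systems: dict = field(default_factory=lambda: {s: {} for s in SYSTEMS})
    log: list = field(default_factory=list)

    def publish(self, change: Change) -> list:
        """Publisher channel. Returns the systems the change was pushed to.
        A change to an owned attribute coming from a non-owner is rejected and the
        hub's value is pushed back to the offending system (one-way flow)."""
        owner = AUTHORITATIVE.get(change.attr)
        entry = self.directory.setdefault(change.user, {})
        if owner is not None and change.source != owner:
            self.log.append(f"reject {change.attr} from {change.source}: owner is {owner}")
            if change.attr in entry:
                self._subscribe(change.user, change.attr, entry[change.attr], [change.source])
            return []
        entry[change.attr] = change.value
        self.log.append(f"accept {change.attr} from {change.source}")
        targets = [s for s in SYSTEMS if s != change.source]
        return self._subscribe(change.user, change.attr, change.value, targets)

    def _subscribe(self, user: str, attr: str, value: str, targets: list) -> list:
        """Subscriber channel: write the hub's value into each target system."""
        for name in targets:
            self.systems[name].setdefault(user, {})[attr] = value
        return targets

def new_phone_number() -> JoinEngine:
    """The slide's scenario: HR publishes the name, the PBX publishes the new phone
    number, Whitepages publishes a mail stop (unowned, so it flows both ways), and a
    phone number typed into Payroll is reverted because Payroll does not own it."""
    engine = JoinEngine()
    engine.publish(Change("HR", "sjohnson", "name", "Sonja Johnson"))
    engine.publish(Change("PBX", "sjohnson", "phone", "+1 801-861-7397"))
    engine.publish(Change("Whitepages", "sjohnson", "mailstop", "PRV-H-133"))
    engine.publish(Change("Payroll", "sjohnson", "phone", "+1 801-555-0100"))
    return engine
```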

Page 20

Account Management

[Figure: NDS eDirectory accounts synchronised by Account Management to RACF, ACF2 and Top Secret on MVS; Solaris (on Sparc & Intel); Tru64; VMS; HP-UX; AS/400; AIX; Linux; Free-BSD; and NDS, AD and NT Domains.]

Page 21

NAM 3.0

A cross-platform account management system
– Management of user accounts in heterogeneous platform environments
– Based on Novell eDirectory™
– Provides both central and distributed user account management
– Facilitates user authentication across platforms with a single user ID and password

Page 22

Account Management 3.0 Facts

• A new product. Not based on Account Management 2.1.
• Aimed at enterprise-level engagements.
• Based on a new paradigm.
• Considers goals and strengths of both central IS and platform Administrators.
• Not named “Account Manager”!

Page 23

Two Problems To Solve

User Account Provisioning – How to automate the process of granting, managing and revoking the right accounts on the right systems at the right time, while giving the administrators of those systems ultimate control over the provisioning process on their respective systems?

Password Management – How do you provide a mechanism where the user has the same password for all systems, no matter how he attaches to or uses those systems?

Page 24

One Product solves both problems

Novell’s Account Management Solution solves both the Account Management and Password Management problems for a wide variety of Operating Systems. It builds on:

• the scalability of eDirectory
• the cross-platform history of prior versions of Account Management and NDS Authentication Services
• the extensibility of DirXML

Page 25

Account Management

[Figure: eDirectory hosted on NetWare, NT/2000, Solaris (Sparc), Linux or AIX, with Account Management reaching NT, 2000, Linux, Solaris (x86), Solaris (sparc), HP-UX, AIX, Tru64, OS/390, AS/400, VMS and FreeBSD.]

Account Management leverages eDirectory identities across a large variety of platforms, independent of Directory storage location.

Page 26

Account Management

[Figure: the Account Management sync diagram from page 20, repeated: NDS eDirectory accounts synchronised to RACF, ACF2 and Top Secret on MVS; Solaris (on Sparc & Intel); Tru64; VMS; HP-UX; AS/400; AIX; Linux; Free-BSD; and NDS, AD and NT Domains.]

Page 27

Password Sync

[Figure: NDS eDirectory passwords synchronised by NDS ASAM Password Sync (with NFA Pwd) to RACF, ACF2 and Top Secret on MVS; Solaris (on Sparc & Intel); Tru64; VMS; HP-UX; AS/400; AIX; Linux; Free-BSD; and NDS, AD and NT Domains.]

Page 28

Account Provisioning to a Target

By permitting a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future.

[Figure: example targets: OS/390 LPAR 1 (RACF, ACF2, Top Secret on MVS), an AIX Mail Server, and the Atlanta NT Domain.]

Page 29

AM-Outbound

[Figure: a change in eDirectory is picked up by DirXML and the AM Manager, recorded in the AM Journal, and sent over mutually authenticated SSL to the AM Platform Services Receiver on OS/390, where AM receiver scripts apply it to RACF.]
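Pages 28 and 29 describe provisioning driven by the collaborative units permitted to a target and journaled on the way out. The Python below is an added example of that model (not Novell Account Management code): it computes the accounts each target should hold from permitted containers and groups, diffs them against what the target has, and leaves revocation under the platform administrator's control. Users, containers, groups and existing accounts are constructed; the three target names come from the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    uid: str
    container: str                   # directory container holding the user, e.g. "ou=Atlanta,o=myco"
    groups: frozenset = frozenset()  # group DNs the user belongs to

@dataclass(frozen=True)
class Target:
    name: str
    permitted: frozenset             # containers or groups permitted to this target
    auto_delete: bool = True         # platform admin's choice: revoke automatically, or only flag

def container_chain(dn: str) -> list:
    """'ou=Sales,ou=Atlanta,o=myco' -> that DN plus each parent, so permitting a
    parent container also covers users placed under it later."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(len(parts))]

def desired_accounts(target: Target, users: list) -> set:
    """Users who should hold an account on the target right now."""
    return {u.uid for u in users
            if target.permitted & (set(container_chain(u.container)) | u.groups)}

def reconcile(target: Target, users: list, existing: set, journal: list) -> list:
    """Diff desired against existing accounts and emit the events the manager
    would journal and send to the platform receiver. Deletes are only issued
    where the platform administrator allowed automatic revocation; otherwise the
    stale account is flagged for review so that administrator keeps control."""
    wanted = desired_accounts(target, users)
    actions = [("create", uid) for uid in sorted(wanted - existing)]
    for uid in sorted(existing - wanted):
        actions.append(("delete" if target.auto_delete else "review", uid))
    journal.extend((target.name, action, uid) for action, uid in actions)
    return actions

def demo() -> tuple:
    """One reconciliation pass against the three targets on the slide (constructed data)."""
    users = [User("sjohnson", "ou=Provo,o=myco", frozenset({"cn=mailadmins,o=myco"})),
             User("gkim", "ou=Atlanta,o=myco"),
             User("cdoe", "ou=Sales,ou=Atlanta,o=myco")]
    targets = [Target("Atlanta NT Domain", frozenset({"ou=Atlanta,o=myco"})),
               Target("AIX Mail Server", frozenset({"cn=mailadmins,o=myco"})),
               Target("OS/390 LPAR 1", frozenset({"o=myco"}), auto_delete=False)]
    existing = {"Atlanta NT Domain": {"gkim", "retired1"},
                "AIX Mail Server": set(),
                "OS/390 LPAR 1": {"sjohnson", "gkim", "cdoe", "retired2"}}
    journal = []
    results = {t.name: reconcile(t, users, existing[t.name], journal) for t in targets}
    return results, journal
```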

Page 30

Novell Account Management

NAM 3.0 is a cross-platform account management system that
– Allows life cycle management of user accounts in heterogeneous platform environments
– Is based on Novell eDirectory
– Provides both central and distributed user account management
– Facilitates user authentication across platforms with a single user ID and password

Page 31

Advanced Authentication

Associate clearance levels depending on how the user authenticates

Set security labels on volumes, directory attributes, and single sign-on applications

Login by: password, token, biometric, combo

Clearance levels: pwd, pwd+token, pwd+token+bio, token, token+bio, bio
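The clearance levels and security labels on this slide form a simple lattice: a session's clearance is the set of methods that actually verified, a resource's label is the set it demands, and access is allowed when the label is a subset of the clearance. The Python below is an added illustration of that model, not NMAS code; the resource labels are constructed examples on the resource kinds the slide names.

```python
PASSWORD, TOKEN, BIOMETRIC = "pwd", "token", "bio"
METHODS = {PASSWORD, TOKEN, BIOMETRIC}
# The six clearance levels named on the slide, written as labels.
SLIDE_LEVELS = ["pwd", "pwd+token", "pwd+token+bio", "token", "token+bio", "bio"]

def parse_label(text: str) -> frozenset:
    """'pwd+token+bio' -> frozenset({'pwd', 'token', 'bio'}); rejects unknown methods."""
    parts = frozenset(p.strip() for p in text.split("+"))
    unknown = parts - METHODS
    if unknown:
        raise ValueError(f"unknown authentication method(s): {sorted(unknown)}")
    return parts

class Session:
    """Tracks which methods the user has verified so far in this login."""
    def __init__(self):
        self.clearance = frozenset()

    def verify(self, method: str, succeeded: bool) -> frozenset:
        """Clearance grows only on a successful verification; a failed factor adds nothing."""
        if method not in METHODS:
            raise ValueError(f"unknown method {method!r}")
        if succeeded:
            self.clearance |= {method}
        return self.clearance

def dominates(clearance: frozenset, label: frozenset) -> bool:
    """A clearance satisfies a label when every demanded method was verified."""
    return label <= clearance

def levels_satisfied(clearance: frozenset) -> list:
    """Which of the slide's six clearance levels this session meets."""
    return [lvl for lvl in SLIDE_LEVELS if dominates(clearance, parse_label(lvl))]

# Constructed sample labels on a volume, a directory attribute and an SSO application.
LABELS = {
    "volume:PUBLIC": "pwd",
    "volume:FINANCE": "pwd+token",
    "attribute:salary": "pwd+token+bio",
    "sso-app:payroll": "token+bio",
}

def accessible(session: Session, labels: dict = LABELS) -> list:
    """Resources the session may open, given how the user authenticated."""
    return sorted(name for name, lbl in labels.items()
                  if dominates(session.clearance, parse_label(lbl)))
```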

Page 32

Graded Authentication

[Figure: login prompts reading “Token Required” and “Fingerprint Required”.]

Page 33

Graded Authentication (cont.)

[Figure: login prompts reading “Token Required” and “Fingerprint Required”.]

Page 34

NMAS Partners

Page 35

Identities in hard-to-reach places

Most users have too many IDs and passwords to remember

Page 36

Remembering Passwords

Difficult, so people write them down

Forgotten passwords result in
– User and Admin frustration
– Help desk calls
– Compromised security

Page 37

Storing passwords

Secure storage of user credentials (login names, passwords)

Allow admins to reset but not see passwords

Sync to desktop/laptop

Directory-based policies for password strength

Page 38

Login Experience

[Figure: sequence between the Client Workstation, Directory Services and the Application Server. The workstation authenticates to the directory; the user launches an application; the application issues a credential challenge (Login ID, Password); the client requests the secret (ID/Password) from the directory and receives it; the client provides the credentials; the application starts.]

Page 39

Only some of the supported apps…

Novell SecureLogin

ACT, AOL IM, Citrix, Entrust, Eudora, Goldmine, ICQ, JUNO, Lotus Notes, Lotus Organizer, Meeting Maker, Microsoft Internet Gaming Zone, Microsoft FrontPage, Microsoft Money 98/99, MSN Messenger, Quicken, Siebel Sales, Yahoo! Messenger, Visual SourceSafe, Windows Logon, MS SQL, Microsoft Outlook, Novell GroupWise®, PeopleSoft, Oracle, SoftFront Track for Win, Clarify, QuickBooks Pro, Rumba 6, Attachmate Extra! 6.3, Attachmate Extra! 6.5, Reflection 7, HostExplorer, PCOM 4.3, 5.0, Internet Explorer Web, Internet Explorer Pop-up, Netscape Web, Netscape Pop-up, NeoPlanet Web, Opera Web, AOL, Earthlink, Mindspring, MSN, Prodigy, Worldnet

Page 40

Novell Single Sign-on Reviews

InfoWorld: “Finding a security product that can cut costs, simplify users' lives, and improve system security is rare; Novell SSO 2.0 does all of these well. And we wouldn't be surprised if it made your floors shiny and your desserts tasty.”
http://www.infoworld.com/articles/es/xml/00/10/02/001002esnsso.xml

Network World: “For users, NSSO eliminates the hassles of remembering multiple passwords and reduces the security risks associated with writing them down. For network administrators and help desk personnel, NSSO will reduce the number of calls from users who have forgotten their passwords.”
http://www.nwfusion.com/reviews/2001/0115rev.html

Page 41

Authentication from the inside-out

[Figure: a Security Server in front of the Web server authenticates the user to the Directory and serves data through its cache.]

Page 42

The Business Problems

Employee productivity is impacted by free use of the public Internet

Increasing utilization of finite bandwidth

Finding the balance between access requirements and security

Providing secure remote access at a manageable cost

Multiple network identities increase cost of IT management

Page 43

Novell BorderManager

Control, accelerate and monitor your users’ Internet activities

Safeguard your network against undesirable Internet content

VPN services, an industry-certified firewall, and a scalable content filtering service

Page 44

Access Rules

Page 45

Web Surfing Policies

Where you can surf depends on who you are/where you are

[Figure: Intranet destinations Sales.myco.com and Finance.myco.com; Internet destinations Whitehouse.com and CNN.com.]
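Access rules of the “who you are / where you are” kind described here can be expressed as an ordered, first-match policy over the user, the source network and the destination host. The Python below is an added example of such a rule engine (not BorderManager's); the users, groups, intranet range and policy are constructed, and the four destination hosts are the ones on the slide.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

INTRANET = ipaddress.ip_network("10.0.0.0/8")        # assumption: the internal address space
GROUPS = {"sales": {"sonja"}, "finance": {"geir"}}   # constructed directory groups

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    who: str      # a user name, "group:<name>", or "*" for anyone
    where: str    # "intranet", "internet", or "*" for either
    dest: str     # destination hostname glob, e.g. "*.myco.com"

def location(src_ip: str) -> str:
    """Where the request comes from, judged by its source address."""
    return "intranet" if ipaddress.ip_address(src_ip) in INTRANET else "internet"

def who_matches(rule_who: str, user: str) -> bool:
    """Who the request comes from: a named user, a directory group, or anyone."""
    if rule_who == "*":
        return True
    if rule_who.startswith("group:"):
        return user in GROUPS.get(rule_who[len("group:"):], set())
    return rule_who == user

def decide(rules: list, user: str, src_ip: str, host: str) -> str:
    """Action of the first rule matching user, source and destination; deny by default."""
    loc = location(src_ip)
    for r in rules:
        if (who_matches(r.who, user) and r.where in ("*", loc)
                and fnmatch.fnmatch(host.lower(), r.dest.lower())):
            return r.action
    return "deny"

# Constructed sample policy: finance data only for the finance group from inside,
# the rest of the intranet for any employee from inside, one news site open to
# everyone, one site blocked everywhere, and everything else falls to the default.
POLICY = [
    Rule("allow", "group:finance", "intranet", "finance.myco.com"),
    Rule("deny", "*", "*", "finance.myco.com"),
    Rule("allow", "*", "intranet", "*.myco.com"),
    Rule("allow", "*", "*", "cnn.com"),
    Rule("deny", "*", "*", "whitehouse.com"),
]
```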

Page 46

Novell BorderManager 3.7

• ICSA Firewall certified
• New content filtering solution from SurfControl
  – 40X as many URLs in the database as CyberPatrol
  – More categories
  – Actively updated
  – SurfControl is the market leader for content filtering by a wide margin
• VPN client for Windows Me (LAN client only)
• Virus pattern filtering at proxy, with auto update

Page 47

Is There a Problem?

Page 48

Who Is Causing the Problem?

Page 49

Authentication from the outside-in

[Figure: Employees, Partners and Suppliers reach the Web servers through a cache in the DMZ; the cache authenticates them to the Directory before serving data from the internal NetWare, NT/2000, Solaris, Linux, HP-UX, AIX, OS/390 and Tru64 UNIX servers.]

Page 50

Securely Linking B-to-Everything

iChain

• Joining...
  – world’s most scalable and widely used directory
  – fast caching system
• adding...
  – web Single Sign-on
  – secure access to and protection of data and applications
  – flexibility of building customer communities

[Figure: Employees, Partners and Customers.]

Page 51

iChain

iChain Internet Caching Server
• Authentication & quick web page access through reverse proxy service

iChain Authorization Server
• Access control & digital communities

Web-based Single Sign-on
• Implemented on iChain ICS, managed via Authorization Server

iChain Community Server
• Web-based application displaying personalized community content

eDirectory 8.5+
• Central repository for profile, policies, rules, etc.

Page 52

Digital Communities

[Figure: a Suppliers Community (content for suppliers: a forecast-by-model bar chart for 1st to 4th Qtr on a 0 to 90 scale), a Dealers Community (content for dealers: Model: 550 Maranello, Top speed: 199 mph, Power output: 480 HP, Engine: V12, 334 cu. in., Delivery time: 4 weeks, Invoice: $239,000) and Partners.]

Page 53

Security Identity Management

• Identity provisioning between apps
• Identity provisioning between OSs
• Advanced authentication
• Single Sign-on to web and other apps
• Access control to external web services
• Access control to internal web services

Page 54

Security Identity Management

• Identity provisioning between apps (DirXML)
• Identity provisioning between OSs (NAM)
• Advanced authentication (NMAS)
• Single Sign-on to web and other apps (SecureLogin)
• Access control to external web services (BorderManager)
• Access control to internal web services (iChain)

Page 55