Identity Management
Stuart Sim, Chief Architect, Global Education & Research
http://blogs.sun.com/stuart
Sun Proprietary/Confidential: Internal Use Only
Posted 21-Dec-2015 (Documents)
What Is Identity Management?
"Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities."
– The Burton Group
Essential Functions of Identity Management
● Provision access: establish, change, and remove user accounts and privileges. Follow a standard workflow for tasks such as adding a new faculty member or deleting student access to course materials after a term has completed.
● Authenticate: confirm that users are who they claim to be ("I'm John Doe and here's my ID and password to prove it").
● Authorize: allow access to services based on business rules for group affiliations and roles (all members of the group "Prof_Smith_Physics_301" have access to Professor Smith's Physics 301 online lecture notes).
● Protect privacy and comply with regulations: hide personal data and track usage patterns for the audit trail without tracking private usage information, such as who checked out specific books from the library.
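The four functions above, as an added worked example in Python (not code from the Sun deck or from any Sun product): a small in-memory identity service with salted password hashing, group-based authorization for the Physics 301 lecture notes, term-end deprovisioning, and an audit trail keyed on an HMAC pseudonym so that usage patterns are visible without the raw user ID. IdentityService, the users jdoe and asmith, the resource name and the group Prof_Smith_Physics_301 are illustrative assumptions.

```python
# Added example (not from the Sun deck): a toy identity service that exercises
# the four essential functions above. IdentityService, the sample users, the
# group Prof_Smith_Physics_301 and the resource name are illustrative assumptions.
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class IdentityService:
    def __init__(self):
        self.users = {}       # uid -> (salt, digest)
        self.groups = {}      # group name -> set of uids
        self.resources = {}   # resource -> set of groups allowed to use it
        self.audit_log = []   # (timestamp, event, pseudonym, outcome)
        # Key for pseudonymising the audit trail; held apart from the log so
        # that re-identification needs an explicit, authorised step.
        self.audit_key = secrets.token_bytes(32)

    # Provision: establish, change and remove accounts and privileges
    def provision(self, uid, password, groups=()):
        self.users[uid] = hash_password(password)
        for group in groups:
            self.groups.setdefault(group, set()).add(uid)
        self._audit("provision", uid)

    def deprovision(self, uid):
        self.users.pop(uid, None)
        for members in self.groups.values():
            members.discard(uid)   # privileges go with the account
        self._audit("deprovision", uid)

    # Authenticate: confirm the user is who they claim to be
    def authenticate(self, uid, password):
        record = self.users.get(uid)
        if record is None:
            hash_password(password, b"\0" * 16)   # equalise timing for unknown uids
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        self._audit("authn", uid, "success" if ok else "failure")
        return ok

    # Authorize: access follows group affiliation, not individual grants
    def authorize(self, uid, resource):
        if uid not in self.users:
            ok = False
        else:
            allowed = self.resources.get(resource, set())
            ok = any(uid in self.groups.get(group, set()) for group in allowed)
        self._audit("authz", uid, "%s:%s" % (resource, "allow" if ok else "deny"))
        return ok

    # Protect privacy: the trail shows usage patterns under a keyed pseudonym,
    # so an analyst sees "the same actor failed five times" without seeing who.
    def _audit(self, event, uid, outcome="ok"):
        pseudonym = hmac.new(self.audit_key, uid.encode(), "sha256").hexdigest()[:16]
        self.audit_log.append((int(time.time()), event, pseudonym, outcome))


def demo():
    ids = IdentityService()
    ids.resources["physics301/lecture-notes"] = {"Prof_Smith_Physics_301"}
    ids.provision("jdoe", "correct horse battery", groups=["Prof_Smith_Physics_301"])
    ids.provision("asmith", "another-secret")
    results = {
        "jdoe_login": ids.authenticate("jdoe", "correct horse battery"),
        "jdoe_bad_password": ids.authenticate("jdoe", "wrong"),
        "unknown_user_login": ids.authenticate("nobody", "x"),
        "jdoe_reads_notes": ids.authorize("jdoe", "physics301/lecture-notes"),
        "asmith_reads_notes": ids.authorize("asmith", "physics301/lecture-notes"),
    }
    ids.deprovision("jdoe")   # term over: the workflow removes the access
    results["jdoe_after_term"] = ids.authorize("jdoe", "physics301/lecture-notes")
    # The raw uid never appears in the audit trail
    results["uid_in_audit_log"] = any("jdoe" in str(entry) for entry in ids.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running demo() shows the deprovisioned student is refused once the term is over and that the audit log never contains the literal user ID; re-identifying an entry requires audit_key, which should be held apart from the log by whoever is authorised to do so.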
Identity Addresses Top Priorities in Education
The top three of the ten business trends for 2004 identified by a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003:
● Security breaches/business disruptions
● Operating costs/budgets
● Data protection and privacy
Identity management can improve security, reduce costs, and protect privacy: the top three business priorities in education.
Why Identity Is So Important in Education
● More stringent regulations
● Complex identity requirements and rapidly changing user roles
● Enormous scale
● 85% have experienced security breaches in the last 12 months
● Managing access to licensed digital content
● Federation to support collaborative research
Higher Education Faces More Regulations [1]
● External regulations requiring greater protection of personal information, e.g. the Gramm-Leach-Bliley Act, the Student and Exchange Visitor Information System (SEVIS), HIPAA, and FERPA
● New legislation regarding copyright protection
● Threats of lawsuits over intellectual property abuse or identity theft
[1] Zastrocky, Yanosky, and Harris, "Higher Education Faces More Regulations," Gartner Research Note, December 23, 2003.
Identity Requirements in Education Are Complex
● Many roles with different access requirements
● Users often have multiple roles
● Frequently changing roles
● Multi-campus environment
● Legacy of multiple fragmented identity databases
Security Incidents on the Rise
● Unauthorized access to sensitive institutional data
● Threats or abusive behavior
● Altered/vandalized Web site
● Research database hacked
More than 85% have experienced IT security "incidents" in the past 12 months*
* Based on a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003
Implementing Identity Management
Every Application for Itself
● Authentication and logging functionality only
● Every application for itself in performing these functions
● Multiple user names and passwords must be remembered by users
Many institutions still function without a centralized directory service, despite the inefficiencies.
[Diagram: each application runs its own authentication]
Central Authentication Services
● Applications have access to a single trusted authoritative source
● Simplifies user management through a single source of user credentials
● Open standards and APIs promote adoption across the enterprise
Enables central identity management for participating applications.
[Diagram: applications authenticate against one Central Authentication Service]
Single Sign-On Services
● Applications have access to services without re-authentication once the initial session is granted
● Support for multiple implementations: Web Initial Sign-On (Web ISO), Pubcookie, CAS
● The beginnings of federated identity to simplify collaboration: SAML, Liberty, Shibboleth
Enables Web and non-Web sign-on for participating applications.
[Diagram: applications share one SSO Authentication Service]
Complete Identity Management
● Workflow task automation
● Roles and rules-based authorization
● System-wide auditing and reporting
● Password self-administration
● Federation of identity information
[Diagram: the identity layer serves Research, ERP, Digital Library, SIS and e-Learning across Administration Services, Transaction Services and Data Repositories]
Components of Complete Identity Management
Component            Description
Reflect              Track changes to institutional data
Join                 Establish and maintain identities
Credential           Issue digital credentials
Manage Affiliation   Manage affiliation and group information
Manage Privileges    Manage access privileges and permissions
Manage Passwords     Self-service password resets and synchronization
Provision            Push identity management info to other systems
Deliver              Publish access control information at runtime
Authenticate         Verify identities
Authorize            Allow/deny user access independent of authentication
Log                  Track usage for audit purposes
Federate             Authenticate and authorize based on a "trusted" source
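The Reflect, Join and Provision rows above, as an added example in Python (not Identity Manager code or any Sun product's): two constructed authoritative feeds (HR and SIS) are joined into one identity per person, rules map affiliations and active enrolments to entitlements on assumed target systems, and the desired state is diffed against a constructed snapshot of the current state to yield explicit add/remove actions. Field names, system names and the term-end dates are assumptions.

```python
# Added example, not code from the Sun deck or from Identity Manager: the
# Reflect / Join / Provision components as a reconciliation loop. The HR and
# SIS feeds, the rules, the target system names and the current-state
# snapshot are constructed for illustration.
from datetime import date

# Constructed authoritative feeds. HR and SIS key people differently; the join
# attribute assumed here is the institutional e-mail address.
HR_FEED = [
    {"emp_id": "E100", "email": "smith@example.edu", "role": "faculty", "dept": "physics"},
]
SIS_FEED = [
    {"student_id": "S555", "email": "doe@example.edu",
     "enrolled": [("PHYS301", date(2004, 12, 15))]},          # (course, term end)
    {"student_id": "S556", "email": "smith@example.edu",
     "enrolled": [("HIST101", date(2005, 5, 30))]},           # faculty member also taking a class
]

# Constructed snapshot of what the target systems currently hold.
CURRENT_STATE = {
    "doe@example.edu": {("ad", "account"), ("exchange", "mailbox"), ("library", "borrower"),
                        ("lms", "course-PHYS301"), ("wiki", "admin")},   # wiki admin was granted by hand
    "smith@example.edu": {("ad", "account"), ("exchange", "mailbox")},
    "left@example.edu": {("ad", "account")},                             # no longer in any feed
}


def join_identities(hr, sis):
    """Join: one identity per person, with affiliations from every source."""
    people = {}
    for rec in hr:
        person = people.setdefault(rec["email"], {"affiliations": set(), "courses": []})
        person["affiliations"].add(rec["role"])
        person["dept"] = rec["dept"]
    for rec in sis:
        person = people.setdefault(rec["email"], {"affiliations": set(), "courses": []})
        person["affiliations"].add("student")
        person["courses"].extend(rec["enrolled"])
    return people


def desired_entitlements(person, today):
    """Rules: affiliation and active enrolment -> set of (system, entitlement)."""
    wanted = set()
    if "faculty" in person["affiliations"]:
        wanted |= {("ad", "account"), ("exchange", "mailbox"), ("erp", "dept-" + person["dept"])}
    if "student" in person["affiliations"]:
        wanted |= {("ad", "account"), ("exchange", "mailbox"), ("library", "borrower")}
    for course, term_end in person["courses"]:
        if today <= term_end:              # course access lapses with the term, automatically
            wanted.add(("lms", "course-" + course))
    return wanted


def reconcile(desired, current):
    """Provision: diff desired against current state into explicit actions.
    Anything present that no rule justifies (an orphan or a hand grant) is removed."""
    actions = []
    for uid in sorted(set(desired) | set(current)):
        want = desired.get(uid, set())
        have = current.get(uid, set())
        actions += [("add", uid, system, ent) for system, ent in sorted(want - have)]
        actions += [("remove", uid, system, ent) for system, ent in sorted(have - want)]
    return actions


def run(today_iso, current_state):
    """Reflect: rerun on every feed change (or nightly) so drift is corrected."""
    today = date.fromisoformat(today_iso)
    people = join_identities(HR_FEED, SIS_FEED)
    desired = {uid: desired_entitlements(person, today) for uid, person in people.items()}
    return reconcile(desired, current_state)


if __name__ == "__main__":
    for action in run("2004-12-20", CURRENT_STATE):
        print(*action)
```

The term-end rule is what turns "remove student access to course materials after a term has completed" into a side effect of the nightly run rather than a help-desk ticket: rerun with a date before 15 December and the PHYS301 removal disappears, while the hand-granted wiki admin and the account of the person no longer in any feed are still reclaimed.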
Benefits of a Full Identity Management Layer
● Enhanced security and privacy
● Improved user experience
● Lower systems integration costs
● Improved services scalability
● 'Real world' SOA
Summary of Identity Solution Requirements
● Complete, integrated, centralized solution
  – Centralized authentication, authorization and auditing
  – Integrated components
● Modular and scalable
  – Start small with specific components and extend to a full solution
● Integrate-able
  – Open standards-based interfaces allow investment protection
Sun's Identity Management Product Family
● Comprehensive software solution that includes:
  > Directory services
  > Access control, single sign-on, federation
  > Provisioning and meta-directory services
● Open and integrate-able to reduce integration cost and complexity
[Diagram: Sun Java System Directory Server Enterprise Edition, Sun Java System Identity Manager, Sun Java System Access Manager]
Sun Java System Directory Server
● Most widely deployed LDAP-based directory server: over 1.5 billion licenses sold
● Built-in security: controls access to entries and attributes through access control instructions (ACIs), rejects unauthorized operations, and limits resource use to mitigate denial-of-service attacks
● Password synchronization with Active Directory
Secure, highly available, and scalable directory services
Sun Java System Access Manager
● Provide consistent, strong security for all campus IT services
● Reduce complexity and operational costs
● Improve regulatory compliance
Access Manager provides federation, single sign-on and Web access control:
● Role and rule-based access control
● Centralized authentication services
● Real-time audits
[Diagram: Alumni, Faculty and Students reach Web services, directories, databases, business applications and custom systems through Access Manager]
Sun Java System Identity Manager
● Automated user provisioning
● Secure, automated password management
● User self-service and delegated administration
● Automated data synchronization
● Comprehensive auditing and reporting
Manage identity profiles and permissions throughout the identity lifecycle.
[Diagram: Admin, delegated admin and end-user self-service drive provisioning, identity synchronization and password management across databases, directories, mainframes, business applications, operating systems and application servers]
Provisioning Today: Fragmented, Manual, and Insecure
[Diagram: Faculty, Students, Researchers and Alumni are provisioned by hand into the Human Resources System, Library Management System, Facilities/Purchasing, Help Desk, Student Information System, PeopleSoft Financials, Exchange and Active Directory, plus chargeable assets (mobile phone/service, conference call account, credit card) and other assets (office space, phone, laptop)]
● Where are my risks?
● Who has access?
● What recurring charges am I still paying for?
● How much does all of this cost?
Provisioning with Sun: Streamlined, Automated and Secure
● Reduced risk
● Complete view of user's identity
● Efficient, automated operations
[Diagram: an approving manager drives provisioning of Faculty, Students, Researchers, Alumni and Former Students into the Student Information System, PeopleSoft Financials, Exchange and Active Directory, chargeable assets (mobile phone/service, conference call account, credit card) and other assets (office space, phone, laptop)]
How Sun's Product Offering Stacks Up
Identity Management Component   Sun Product Offering
Reflect                         Directory Server
Join                            Identity Manager
Manage Affiliation              Identity Manager
Manage Privileges               Identity Manager
Manage Passwords                Identity Manager
Provision                       Identity Manager
Credential                      Access Manager
Deliver                         Access Manager
Authenticate                    Access Manager
Authorize                       Access Manager
Log                             Access Manager
Federate                        Access Manager
Identity Management Is More than Enterprise Directory
• Enterprise directory can provide:
  > Enterprise security: a single common repository for all authentication and access control rules
  > Efficiency in application development: leverage the enterprise directory to simplify development
  > Simplified collaboration: federated identity sharing
• Identity management adds:
  > Enhanced user experience: single sign-on and faster access to applications
  > Reduced help desk cost: online password reset
  > Workflow efficiency: automated tasks such as adding access to course materials when users register for specific classes
  > Support for regulatory requirements: more complete tracking and audit trail features
Identity Management Implementation
● Adopt best practices:
  – Identify and recruit systems stakeholders
  – Model the data
  – Consider design patterns
  – Stage the implementation
Identity Management at Salford
● Identity solution requirements:
  – Assign a single ID to each person
  – Eliminate multiple directories (and their maintenance)
  – Automatically provision and allow use of appropriate services
  – Adjust or remove access as roles change
  – Provide mappings between systems
● The solution:
  – Directory Server
  – Identity Manager Provisioning Module
  – Identity Manager Meta Directory Module
  – Identity Manager Password Management Module
  – Resource adapters for Active Directory, MS Outlook, Blackboard, SAP
  – Shibboleth connector for Athens

Identity Management
Stuart Sim, Chief Architect, Global Education & Research, http://blogs.sun.com/stuart
Backup Slides
Why Sun For Identity Management
● Complete solution
● Integrated yet modular
● Best-in-class provisioning and workflow
● Connectors for third party applications in education
● Experience in federated identity
Identity Manager Partial Customer List (15 new references in Q2!)
• Universidad de Oviedo, Spain
• Universidad Rovira i Virgili, Spain
• University of Salford, UK
• Université Catholique de Louvain, Belgium
• Schulen ans Netz, Germany
• Western Michigan University, USA
• University of California Santa Cruz, USA
• University of Victoria, Canada
• Notre Dame University, Australia
Agenda
● What is Identity Management?
● Why Identity Is Important in Education
● Stages of Implementing Identity Management
● Identity Solution Requirements in Education
● Sun's Comprehensive Identity Management Offering
● Why Sun?
● Customer Examples
Federation Requirements
● Federation is necessitated by collaborative research and other inter-institution collaboration
● There are two implementation approaches:
  – The Liberty Alliance Project: an alliance of more than 150 companies, non-profit and government organizations developing an open standard for federated network identity (http://www.projectliberty.org/)
  – Shibboleth: an open source implementation of federated identity information that has gained a lot of momentum in education
● Shibboleth and Liberty are working on interoperability through SAML 2.0, expected in 12-15 months
Federation enables sharing identity information outside the firewall while protecting privacy.
Federation in Java System Access Manager
● Supports federation using the Liberty specification
● Interoperability with Shibboleth through SAML 2.0 (expected in 12-15 months)
A standards-based approach allows integration with Shibboleth.
[Diagram: Java System Access Manager and its applications exchange SAML 2.0 messages across the firewall with a Shibboleth server and its applications]
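The service-provider side of the exchange in the diagram, as an added example in Python (not Access Manager, Liberty or Shibboleth code). Real SAML assertions are XML documents signed with the IdP's key using XML-DSig; this illustration stands in a JSON body with an HMAC over it for that signature, which keeps the checks the same: trusted issuer, signature verified before any field is believed, audience restriction, validity window and one-time use. Entity IDs, the subject, the released attribute and the pre-shared key are constructed assumptions.

```python
# Added example, not Sun or Shibboleth code: the checks a service provider must
# make on a federation assertion before trusting it. Real SAML assertions are
# XML signed with the IdP's key (XML-DSig); this illustration uses JSON with an
# HMAC over the body as a stand-in for that signature. Entity IDs, subjects,
# attributes and the pre-shared key are constructed assumptions.
import hmac
import json
import secrets
import time


class IdentityProvider:
    """Home institution: authenticates the user and issues a signed assertion."""

    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key

    def issue(self, subject, audience, attributes, now=None, lifetime=300):
        now = time.time() if now is None else now
        body = {
            "id": secrets.token_hex(8),      # unique per assertion, for replay detection
            "issuer": self.entity_id,
            "audience": audience,            # the one SP this assertion is meant for
            "subject": subject,
            "attrs": attributes,             # release the minimum the SP needs
            "nbf": now - 30,                 # small clock-skew allowance
            "exp": now + lifetime,
        }
        raw = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, raw.encode(), "sha256").hexdigest()
        return {"body": raw, "sig": sig}


class ServiceProvider:
    """Resource owner outside the firewall: trusts only listed issuers."""

    def __init__(self, entity_id, trusted_issuers):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers   # issuer entity ID -> verification key
        self.seen_ids = set()                    # in production: a store with expiry

    def validate(self, assertion, now=None):
        """Return (subject, attrs, reason); subject is None when rejected."""
        now = time.time() if now is None else now
        body = json.loads(assertion["body"])
        key = self.trusted_issuers.get(body.get("issuer"))
        if key is None:
            return None, None, "untrusted issuer"
        expected = hmac.new(key, assertion["body"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None, None, "bad signature"   # checked before any field is believed
        if body["audience"] != self.entity_id:
            return None, None, "wrong audience"   # an assertion for another SP must not work here
        if not body["nbf"] <= now < body["exp"]:
            return None, None, "outside validity window"
        if body["id"] in self.seen_ids:
            return None, None, "replay"
        self.seen_ids.add(body["id"])
        return body["subject"], body["attrs"], "ok"


def demo():
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://idp.home.example.edu", key)
    sp = ServiceProvider("https://journals.example.org", {idp.entity_id: key})
    t0 = 1_100_000_000.0   # fixed clock so the run is reproducible
    attrs = {"affiliation": "student"}

    good = idp.issue("doe@home.example.edu", sp.entity_id, attrs, now=t0)
    subject, released, reason = sp.validate(good, now=t0 + 5)
    results = {"fresh": reason, "subject": subject, "released": released,
               "replayed": sp.validate(good, now=t0 + 6)[2]}

    other_sp = idp.issue("doe@home.example.edu", "https://other.example.org", attrs, now=t0)
    results["wrong_audience"] = sp.validate(other_sp, now=t0 + 5)[2]

    stale = idp.issue("doe@home.example.edu", sp.entity_id, attrs, now=t0)
    results["expired"] = sp.validate(stale, now=t0 + 600)[2]

    tampered = dict(good)   # user upgrades their own affiliation in transit
    tampered["body"] = good["body"].replace('"student"', '"faculty"')
    results["tampered"] = sp.validate(tampered, now=t0 + 5)[2]

    rogue = IdentityProvider("https://idp.rogue.example.net", secrets.token_bytes(32))
    forged = rogue.issue("doe@home.example.edu", sp.entity_id, attrs, now=t0)
    results["untrusted"] = sp.validate(forged, now=t0 + 5)[2]
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The rejections are the ones that matter across a firewall boundary: an assertion minted for another SP, a replayed one, one with an edited attribute and one from an issuer the SP never agreed to trust all fail before any attribute is released, and only the single released attribute (not a full profile) ever leaves the home institution.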
Integrate-able Identity Management
● Provides broad cross-platform compatibility
  – Protects customers' existing investments
  – Provides increased flexibility
● Supports standards at EVERY touch point
Integrated, End-to-End Identity Management
● Identity Manager: user provisioning, password management, synchronization services, Web-based administration, audit and reporting
● Access Manager: Web single sign-on, access control, federation
● Directory Server EE: directory services, security/failover, AD synchronization
Solaris(TM) Operating System for x86 Platforms: Come Join Us!
• Building on a leading platform
• Offering customers true choice and true value
• Investing in partnerships
LET'S GROW TOGETHER