The (IdM) Identity Conundrum

Strategies in identity management

What is identity management?

Important delineation : Two groups of entities

Internal staffCustomers, business partners

Different challenges, different deliverables, may need different solutions

What is identity management?

Identity management is the ability to define and control the security characteristics and credentials of :

many users on many systems spanning a variety of different roles inside and outside the organisationwhile accessing content, applications, and services in a manner which is sensitive to the context of the interaction

What is identity management?

So identity is the abstract representation that links a real person to their capabilities in an IT system

The process of identity management requires a system which: distinguishes a person defines them in terms of their security personas and specifies their access rights within the various contexts which characterise their interaction with the

organisation

What is identity management?

But isn’t that just security administration?True to a degree, BUTFormerly one person, one account, one systemNOW, one person, 20 accounts, 100 systemsAn example

What is identity management?

ExampleMid-Size corporation5,000 staff220,000 userids374 security domains

With this level of complexity it’s not “just” security administration

What is identity management?

So Identity Management is actually the integration of products such as directories, single sign-on, security services applications and provisioning applications into a unified framework for managing user information and access.

It’s about convergence of the multitude of points of authentication, authorisation and administration to provide a more coherent view and management platform for security.

An architectural view of

Identity Management

Authoritative sources

Identity store

Identity

Access policies

Pro

visi

onin

g

Acc

ess

cont

rols

and

pri

vile

ges

Operating systems

Data bases and files

Applications

Web / Information Portals

What is identity management?

Drivers to Identity Management (internal staff)

• Increasing complexity (servers, operating systems, data bases, applications)

• Increasing administration costs

• Declining security quality = rising security risk

• Declining quality of service

Drivers to Identity Management (customers)

• Need to do business regardless of location • Need to identify a web customer as the same customer

using IVR or counter services• Customer single web sign-on in complex

server/database/application environment • Need unified authentication for web portals• Access rights change with the business context• Personalise web content based on identity and current

activity• Interface to CRM applications• Delegated administration for business areas, partners

What value can Identity Management create?

• Identity Management is the philosophy of a centralised security architecture using an identity centric approach

• Single user profile for user identification and marketing purposes

• Stops proliferation of passwords

• Increased customer and employee satisfaction

• Faster deployment of new applications

• Cost reduction through centralised user management, user self service and process optimisation

• Link between business processes, workflow and technology

• Centralised point of control for security and audit processes.

Benefits from Identity Management

Cost reduction– Decreased maintenance of security on a business unit level

– Staff and customer access available more quickly

– Internal costs reduced through cross platform centralised password management and synchronisation

– External help desk costs reduced by improved password management

– Reduction in development costs for web applications – no need to rebuild a bespoke security solution

Benefits from Identity Management

Revenue– Move complete value chains to the digital world

– Provide a mechanism to quickly and efficiently migrate users and applications from acquisitions

– Staff productive more quickly

– Offer 24/7 self service

– Competitive advantage, strategic positioning and corporate brand/image

Benefits from Identity Management

Risk reduction

Only appropriate users have access

Risk of obsolete user accounts reduced

Change of position results in change of permissions

Ability to evaluate regulatory compliance

Ability to audit and track user accounts.

Ability to automatically lock out users

Central point of control for security and audit processes.

Single view of user’s access

Competing technologies

Competing technologies

• We now look at security infrastructure solutions. ERP and CRM feed into Identity Management, but are out of scope for this discussion

– Custom applications– Directory services– Web Access Control (aka Extranet Access Management)– Provisioning

Custom applications

• While not high on most people’s agenda, building custom applications for IM is possible and has been done

• Enables very specific requirements to be built in– Inherently expensive to build and maintain– Requires deep technical skills in some of the target platforms, not normally held

by developers– Usually one way – does not pick up manual changes– Sits on critical path for technology upgrades (e.g. new versions of operating

system or data base)– Most very large organisations have put in a bespoke provisioning application of

some sort• Example : large bank built online access control manager 15 years ago

– Becomes too difficult for complex technology mix

Directory services

• Directory Services terminology is ambiguous, and not used consistently

• A “directory” is a specialised data base used for repetitive high speed access to relatively static data.

• “Directory Services” is a blanket term used to describe the use of directories to service this data to applications. Security credentials are frequently provided to applications in this way.

• Metadirectory” is a term used to describe a directory which is comprised of data synchronised from other directories.

• It is very important to recognise that many people do not understand these concepts, and use the term “Directory Services” or “metadirectory” when they simply mean the desire to use a directory instead of a data base.

Directory services

• A directory services solution comprises a set of tools and processes

• A core directory such as Active Directory, Novell eDirectory, iPlanet

• Directory synchronisation tool such as DirXML, Sun ONE Meta-Directory, Active Directory Connector

• Connector to ERP or CRM

• Object and property mapping tools (probably XML)

• Optionally front-end self service directory enabled applications

Netware Solaris NT OS/390

Access

NDS

SybaseSybaseSybase

NIS

SECASybase

SybaseSybaseOracle

SAM

MS-SQL

Notes

Notes

Address Book

RACF

DB2

DIRECTORY SYNCHRONISATION SERVICES

IDENTITY MANAGEMENT DIRECTORY

APPLICATIONS

DIRECTORIES AND

DATABASES

OPERATING SYSTEMS

IDENTITY STORE

Synchronisation policies

XML Style sheets

DIRECTORY SYNCHRONISATION BUS

APPLICATION

APPLICATION

APPLICATION

APPLICATION

APPLICATION

APPLICATION

APPLICATION

APPLICATION

APPLICATION

IDENTITY STORE (DIRECTORY)

Directory

ERPDirectory Directory Data

baseDatabase

Directory

Directory Services

Authentication User profiles can be stored in a manner which can be accessed by applications

to authenticate the user. The term describing it is “Directory Enabled Application”, and the protocol for accessing the directory is LDAP.

Access control If the directory is the native security mechanism for the operating system it

controls access to resources (e.g. eDirectory on Netware)

Otherwise there is no active access control. Passive access control can be achieved by directory enabling applications

Group memberships and custom objects can help

CAVEAT! Passive security depends on developers implementing security correctly in the application.

Directory Services

Provisioning

Directories can be updated as a result of changes in other directories, or changes in the HR system

Key technique is directory synchronisation using products like DirXML

Synchronisation tool maps object types and properties to their equivalent in the target system (e.g. userid=logonid=UID, Last Name=Surname=Name)

Also allows scripting to achieve non-directory functions (e.g. copying files, archiving), or scheduling subsequent events

Extranet Access Management

Web applications bring new challenges. There are numerous data sources, and new resource types notprotected by traditional processing platforms Native operating system security can’t protect pages, URLs, Objects, methods,

applets, servlets

Products include Oblix, Tivoli Identity Manager, RSA ClearTrust, Netegrity SiteMinder. Many more.

Provides a callable security service with support for new resource types, and custom objects

Primarily for browser applications, but some can be called by traditional applications

Particularly relevant for JAVA – JAAS and J2EE

EAMs often use a directory as their identity store

Sec

urit

y se

rvic

e

Operating systems

Application server

Browser

Data base

Web server

Iden

tity

sto

re

Data baseData base Data base Data base

Web server Web server

Application serverApplication

serverApplication serverApplication

server

Application serverApplication

serverApplication serverApplication

server

Identity store

Privilege store

Security service

Extranet access manager

Authentication

User profiles and passwords are stored in the EAM’s identity store and accessed via the EAM’s API. Typically an encrypted cookie is created to provide single signon during the period of interaction.

Access control

Many different ways to store permissions

Typically defined by group membership

Can be a simple ACL for a resource

Some products allow business logic to be included in the security credentials (e.g. allow access if account balance > $100,000)

Some products have active security for certain resource types (e.g. page, method). Passive access control always possible by calling security from the application. Can be called from legacy apps.

Group memberships and custom objects can help

CAVEAT! Passive security depends on developers implementing security correctly in the application.

Extranet access manager

Provisioning

Not typically used as a provisioning service. However, can be linked to CRM feed for automatic account creation

Some provisioning products can link into some EAMs (must be purpose written interface)

Provisioning can be direct to the identity/privilege stores via say LDAP

Security provisioning

Proliferation of servers, accounts and passwords is making traditional security administration practices ineffective. There are pure plays provisioning products on the market New users may need 10 or more accounts provided by several different

administrators

Great scope for error (wrong access) and delay

Security administration costs rising because growing infrastructure complexity dramatically increases the number of security admin tasks

Provisioning products automate standard security tasks so they can be carried out without a security administrator’s intervention

Examples include BMC Control-SA, Access 360 (now Tivoli Access Manager), Waveset Provisioning Manager, CA eTrust. Others

Authoritative sources

Identity store

Identity

Access policies

Pro

visi

onin

g

Acc

ess

cont

rols

and

pri

vile

ges

Operating systems

Data bases and files

Applications

Portals

Security provisioning engine(Single Point of Administration)

PeopleSoft Central Security Administration Data Base

GATEWAY GATEWAY GATEWAY

MANAGED SYSTEMS

Provisioning

Authentication NOT interactive security manager

Provisioning solutions play no direct role in authentication

Can facilitate password synchronisation

Access control

NOT interactive security manager

Puts access control settings in place to facilitate access to target

Can perform complex tasks with some intelligent rule processing facilitated by scripting

Can implement role based access control, so complex combinations of access can be assigned to a user based on their position, or specified function within work place (e.g. teller, help desk)

Provisioning

Provisioning Replicates local security credentials in a central repository

Changes to the repository are executed in the managed domain

Changes made in managed domain also applied to repository

Every person added to the role will get correct access

Deleting the central entity deletes all associated accounts

Needs workflow to achieve maximum gains and include online authorisation of requests

Not a panacea

Expect to automate 30-50% of access types

However only limited by your commitment and resources

  

Entity Functional roles Access roles Permissions

CSO

Supervisor

Client maintenance

Unitised redemptions

Quality assurance

eProvisioning