The (IdM) Identity Conundrum Strategies in identity management
-
Upload
fitzgerald-spears -
Category
Documents
-
view
38 -
download
0
description
Transcript of The (IdM) Identity Conundrum Strategies in identity management
What is identity management?
Important delineation : Two groups of entities
Internal staffCustomers, business partners
Different challenges, different deliverables, may need different solutions
What is identity management?
Identity management is the ability to define and control the security characteristics and credentials of :
many users on many systems spanning a variety of different roles inside and outside the organisationwhile accessing content, applications, and services in a manner which is sensitive to the context of the interaction
What is identity management?
So identity is the abstract representation that links a real person to their capabilities in an IT system
The process of identity management requires a system which: distinguishes a person defines them in terms of their security personas and specifies their access rights within the various contexts which characterise their interaction with the
organisation
What is identity management?
But isn’t that just security administration?True to a degree, BUTFormerly one person, one account, one systemNOW, one person, 20 accounts, 100 systemsAn example
What is identity management?
ExampleMid-Size corporation5,000 staff220,000 userids374 security domains
With this level of complexity it’s not “just” security administration
What is identity management?
So Identity Management is actually the integration of products such as directories, single sign-on, security services applications and provisioning applications into a unified framework for managing user information and access.
It’s about convergence of the multitude of points of authentication, authorisation and administration to provide a more coherent view and management platform for security.
Authoritative sources
Identity store
Identity
Access policies
Pro
visi
onin
g
Acc
ess
cont
rols
and
pri
vile
ges
Operating systems
Data bases and files
Applications
Web / Information Portals
What is identity management?
Drivers to Identity Management (internal staff)
• Increasing complexity (servers, operating systems, data bases, applications)
• Increasing administration costs
• Declining security quality = rising security risk
• Declining quality of service
Drivers to Identity Management (customers)
• Need to do business regardless of location • Need to identify a web customer as the same customer
using IVR or counter services• Customer single web sign-on in complex
server/database/application environment • Need unified authentication for web portals• Access rights change with the business context• Personalise web content based on identity and current
activity• Interface to CRM applications• Delegated administration for business areas, partners
What value can Identity Management create?
• Identity Management is the philosophy of a centralised security architecture using an identity centric approach
• Single user profile for user identification and marketing purposes
• Stops proliferation of passwords
• Increased customer and employee satisfaction
• Faster deployment of new applications
• Cost reduction through centralised user management, user self service and process optimisation
• Link between business processes, workflow and technology
• Centralised point of control for security and audit processes.
Benefits from Identity Management
Cost reduction– Decreased maintenance of security on a business unit level
– Staff and customer access available more quickly
– Internal costs reduced through cross platform centralised password management and synchronisation
– External help desk costs reduced by improved password management
– Reduction in development costs for web applications – no need to rebuild a bespoke security solution
Benefits from Identity Management
Revenue– Move complete value chains to the digital world
– Provide a mechanism to quickly and efficiently migrate users and applications from acquisitions
– Staff productive more quickly
– Offer 24/7 self service
– Competitive advantage, strategic positioning and corporate brand/image
Benefits from Identity Management
Risk reduction
Only appropriate users have access
Risk of obsolete user accounts reduced
Change of position results in change of permissions
Ability to evaluate regulatory compliance
Ability to audit and track user accounts.
Ability to automatically lock out users
Central point of control for security and audit processes.
Single view of user’s access
Competing technologies
• We now look at security infrastructure solutions. ERP and CRM feed into Identity Management, but are out of scope for this discussion
– Custom applications– Directory services– Web Access Control (aka Extranet Access Management)– Provisioning
Custom applications
• While not high on most people’s agenda, building custom applications for IM is possible and has been done
• Enables very specific requirements to be built in– Inherently expensive to build and maintain– Requires deep technical skills in some of the target platforms, not normally held
by developers– Usually one way – does not pick up manual changes– Sits on critical path for technology upgrades (e.g. new versions of operating
system or data base)– Most very large organisations have put in a bespoke provisioning application of
some sort• Example : large bank built online access control manager 15 years ago
– Becomes too difficult for complex technology mix
Directory services
• Directory Services terminology is ambiguous, and not used consistently
• A “directory” is a specialised data base used for repetitive high speed access to relatively static data.
• “Directory Services” is a blanket term used to describe the use of directories to service this data to applications. Security credentials are frequently provided to applications in this way.
• Metadirectory” is a term used to describe a directory which is comprised of data synchronised from other directories.
• It is very important to recognise that many people do not understand these concepts, and use the term “Directory Services” or “metadirectory” when they simply mean the desire to use a directory instead of a data base.
Directory services
• A directory services solution comprises a set of tools and processes
• A core directory such as Active Directory, Novell eDirectory, iPlanet
• Directory synchronisation tool such as DirXML, Sun ONE Meta-Directory, Active Directory Connector
• Connector to ERP or CRM
• Object and property mapping tools (probably XML)
• Optionally front-end self service directory enabled applications
Netware Solaris NT OS/390
Access
NDS
SybaseSybaseSybase
NIS
SECASybase
SybaseSybaseOracle
SAM
MS-SQL
Notes
Notes
Address Book
RACF
DB2
DIRECTORY SYNCHRONISATION SERVICES
IDENTITY MANAGEMENT DIRECTORY
APPLICATIONS
DIRECTORIES AND
DATABASES
OPERATING SYSTEMS
IDENTITY STORE
Synchronisation policies
XML Style sheets
DIRECTORY SYNCHRONISATION BUS
APPLICATION
APPLICATION
APPLICATION
APPLICATION
APPLICATION
APPLICATION
APPLICATION
APPLICATION
APPLICATION
IDENTITY STORE (DIRECTORY)
Directory
ERPDirectory Directory Data
baseDatabase
Directory
Directory Services
Authentication User profiles can be stored in a manner which can be accessed by applications
to authenticate the user. The term describing it is “Directory Enabled Application”, and the protocol for accessing the directory is LDAP.
Access control If the directory is the native security mechanism for the operating system it
controls access to resources (e.g. eDirectory on Netware)
Otherwise there is no active access control. Passive access control can be achieved by directory enabling applications
Group memberships and custom objects can help
CAVEAT! Passive security depends on developers implementing security correctly in the application.
Directory Services
Provisioning
Directories can be updated as a result of changes in other directories, or changes in the HR system
Key technique is directory synchronisation using products like DirXML
Synchronisation tool maps object types and properties to their equivalent in the target system (e.g. userid=logonid=UID, Last Name=Surname=Name)
Also allows scripting to achieve non-directory functions (e.g. copying files, archiving), or scheduling subsequent events
Extranet Access Management
Web applications bring new challenges. There are numerous data sources, and new resource types notprotected by traditional processing platforms Native operating system security can’t protect pages, URLs, Objects, methods,
applets, servlets
Products include Oblix, Tivoli Identity Manager, RSA ClearTrust, Netegrity SiteMinder. Many more.
Provides a callable security service with support for new resource types, and custom objects
Primarily for browser applications, but some can be called by traditional applications
Particularly relevant for JAVA – JAAS and J2EE
EAMs often use a directory as their identity store
Sec
urit
y se
rvic
e
Operating systems
Application server
Browser
Data base
Web server
Iden
tity
sto
re
Data baseData base Data base Data base
Web server Web server
Application serverApplication
serverApplication serverApplication
server
Application serverApplication
serverApplication serverApplication
server
Identity store
Privilege store
Security service
Extranet access manager
Authentication
User profiles and passwords are stored in the EAM’s identity store and accessed via the EAM’s API. Typically an encrypted cookie is created to provide single signon during the period of interaction.
Access control
Many different ways to store permissions
Typically defined by group membership
Can be a simple ACL for a resource
Some products allow business logic to be included in the security credentials (e.g. allow access if account balance > $100,000)
Some products have active security for certain resource types (e.g. page, method). Passive access control always possible by calling security from the application. Can be called from legacy apps.
Group memberships and custom objects can help
CAVEAT! Passive security depends on developers implementing security correctly in the application.
Extranet access manager
Provisioning
Not typically used as a provisioning service. However, can be linked to CRM feed for automatic account creation
Some provisioning products can link into some EAMs (must be purpose written interface)
Provisioning can be direct to the identity/privilege stores via say LDAP
Security provisioning
Proliferation of servers, accounts and passwords is making traditional security administration practices ineffective. There are pure plays provisioning products on the market New users may need 10 or more accounts provided by several different
administrators
Great scope for error (wrong access) and delay
Security administration costs rising because growing infrastructure complexity dramatically increases the number of security admin tasks
Provisioning products automate standard security tasks so they can be carried out without a security administrator’s intervention
Examples include BMC Control-SA, Access 360 (now Tivoli Access Manager), Waveset Provisioning Manager, CA eTrust. Others
Authoritative sources
Identity store
Identity
Access policies
Pro
visi
onin
g
Acc
ess
cont
rols
and
pri
vile
ges
Operating systems
Data bases and files
Applications
Portals
Security provisioning engine(Single Point of Administration)
PeopleSoft Central Security Administration Data Base
GATEWAY GATEWAY GATEWAY
MANAGED SYSTEMS
Provisioning
Authentication NOT interactive security manager
Provisioning solutions play no direct role in authentication
Can facilitate password synchronisation
Access control
NOT interactive security manager
Puts access control settings in place to facilitate access to target
Can perform complex tasks with some intelligent rule processing facilitated by scripting
Can implement role based access control, so complex combinations of access can be assigned to a user based on their position, or specified function within work place (e.g. teller, help desk)
Provisioning
Provisioning Replicates local security credentials in a central repository
Changes to the repository are executed in the managed domain
Changes made in managed domain also applied to repository
Every person added to the role will get correct access
Deleting the central entity deletes all associated accounts
Needs workflow to achieve maximum gains and include online authorisation of requests
Not a panacea
Expect to automate 30-50% of access types
However only limited by your commitment and resources