
Who, What, When, Where and How - Identity Management – Start to Finish

Learn the fundamentals of identity management and its role in enterprise computing. Explore case studies and deployment strategies.


Presentation Transcript


  1. Who, What, When, Where and How - Identity Management – Start to Finish
     Track 4, Tuesday, January 10, 2005, 3:30 PM - 4:15 PM, Harborside Ballroom E
     Ramanarao Chamarty, Assistant Director, Emerging Technologies, Temple University
     r.c@temple.edu

  2. Overview
     • Introduction and Overview – Sheri Stahler (Associate Vice President, Temple University)
     • Objective
     • Overview of Identity Management
     • Temple Motivation
     • Who, What, When, Where and Why?
     • Identity Definition
     • Deployment Strategy – How
     • Case Study – Temple University
     • Conclusion

  3. About the Speakers
     • Sheri Stahler (sheri.stahler@temple.edu) is the Associate Vice President, Computer Services at Temple University (http://www.temple.edu)
     • Awarded Premier 100 IT Leaders of 2006 by Computerworld

  4. About the Speakers
     • Ramanarao Chamarty (rchamart@temple.edu) is Assistant Director of Emerging Technologies at Computer Services at Temple University (http://www.temple.edu).
     • Adjunct Faculty in the Department of Computer and Information Sciences and Department of Management Information Systems.
     • Speaker at various conferences, including IOUG-LIVE 2000-2006, Educause 2005, 2006 and Collaborate 2006
     • Interests include Identity Management, Directories, RDBMS, Etymology and Business Intelligence.

  5. Objective
     • Overview of Identity Management
     • Role in an enterprise computing environment
     • Differences from Single Sign On

  6. Identity Management

  7. What Made Temple Do It – Business Drivers
     • Heterogeneous authentication repositories with no uniform standards and protocols for user account provisioning, access control and auditing
     • Need for automated management of User Identities due to security concerns
     • Need for a unique Login to facilitate Single Sign On and to leverage Portal Deployment
     • Improving Regulatory Compliance
     • Improve overall security for our Computing environment
     • Reduce IT Costs in the long term
     • Improve and Enhance end user experience
     • Meeting Business Needs

  8. Temple Fact Sheet
     • 6000+ Active Directory Accounts
     • 8000+ Novell Directory Accounts
     • 55,000+ iPlanet LDAP Accounts
     • 1000+ RACF Accounts
     • 500+ Database Accounts (SQL/Oracle)
     • 3000+ Laboratory workstations

  9. What – Identity Management
     A comprehensive and efficient approach to manage user identities in a heterogeneous computing environment.

  10. Universities – Identity Management
     • Stanford University
     • University of New Hampshire
     • West Virginia University
     • Georgia State University
     • Santa Clara University
     • University of California, Santa Barbara
     • Syracuse University
     • Temple University

  11. Why – Identity Management
     • Low productivity of new employees as they wait to be assigned the necessary resources to perform their job (2 to 5 days)
     • Risk of a terminated employee's access to corporate resources not being removed in a timely manner (1 day)
     • Dissatisfaction of employees, customers, and partners resulting from their need to maintain an excessive number of user IDs to utilize company resources (8 to 12 IDs)
     • Extended web-based application development resulting from the independent design of user ID-based security within applications
     • Inability to evaluate regulatory compliance due to lack of properly identified user populations and their association to resources
     • Weaknesses in security routinely identified during audits as a result of disparate and inefficient administrative processes

  12. Why – Identity Management
     • Do users have more than five user IDs?
     • Are IDs being administered by separate functions and processes?
     • Does it take more than one day to set up a new employee's IDs so they can do their job?
     • Does it take more than one day to remove a user's access to your information and services when they leave the company?
     • Are you deploying web-based applications in your enterprise?
     • Do you have, or plan to have, a portal to access applications, services, and content on the web?
     • Can customers get the information and services they need efficiently?
     • Are you able to restrict access to sensitive information?
     • How often are security weaknesses identified?
     • Do you have a plan to meet regulatory requirements?
     • Do you know who has access to all applications, services, and content available from your company? How about your critical applications?

  13. When – Identity Management
     Have a need for users to have access to computing resource(s) by:
     • Date/Time From – Date/Time To
     • By Day(s) (Mon-Fri and other combinations)

  14. Where – Identity Management
     Have a need for users to have access to computing resource(s) by:
     • Country
     • State
     • City
     • Building
     • Floor
     • Room
     • Port
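Slides 13 and 14 describe access that is bounded in time (a date/time window and permitted days) and in place (country down to port). The following is an added example, not code from the presentation or from Temple, showing how such a rule can be evaluated; the resource name, the rule values and the convention that a `None` level in the rule matches any value beneath it are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Location hierarchy from the "Where" slide, most general level first.
LOCATION_LEVELS = ("country", "state", "city", "building", "floor", "room", "port")

@dataclass(frozen=True)
class AccessRule:
    resource: str
    valid_from: datetime    # "Date/Time From"
    valid_to: datetime      # "Date/Time To" (exclusive)
    days: frozenset         # permitted weekdays, Monday = 0 ... Sunday = 6
    location: tuple         # one entry per LOCATION_LEVELS item; None = any value at that level

def location_matches(rule_loc, request_loc):
    """Hierarchical match: every level the rule pins must equal the request's value at that level."""
    if len(rule_loc) != len(LOCATION_LEVELS) or len(request_loc) != len(LOCATION_LEVELS):
        raise ValueError("a location needs exactly %d levels" % len(LOCATION_LEVELS))
    return all(want is None or want == have for want, have in zip(rule_loc, request_loc))

def evaluate(rule, resource, when, where):
    """Return (allowed, reason). `when` is a datetime or ISO string; the first failing check decides."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if resource != rule.resource:
        return False, "resource not covered by rule"
    if not (rule.valid_from <= when < rule.valid_to):
        return False, "outside date/time window"
    if when.weekday() not in rule.days:
        return False, "day not permitted"
    if not location_matches(rule.location, where):
        return False, "location not permitted"
    return True, "allowed"

WEEKDAYS = frozenset(range(5))   # Mon-Fri, the combination named on the slide

# Constructed rule: lab workstations usable Mon-Fri during one term, from any room/port on floor 2 of a building.
LAB_RULE = AccessRule(
    resource="lab-workstations",
    valid_from=datetime(2006, 1, 9, 8, 0),
    valid_to=datetime(2006, 5, 12, 18, 0),
    days=WEEKDAYS,
    location=("US", "PA", "Philadelphia", "BLDG-A", "2", None, None),
)

if __name__ == "__main__":
    here = ("US", "PA", "Philadelphia", "BLDG-A", "2", "204", "17")
    print(evaluate(LAB_RULE, "lab-workstations", "2006-03-15T10:30", here))   # a Wednesday in term
    print(evaluate(LAB_RULE, "lab-workstations", "2006-03-18T10:30", here))   # the Saturday after
```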

  15. How - AAAA
     • Administration:
        • Establish authoritative source(s) for each identity
        • Build identity-based business processes
        • Establish enterprise-wide identity data characteristics
     • Authentication:
        • Establish single identity authentication
        • Enterprise-wide authentication process
        • Leverage existing identity management solution
     • Authorization:
        • Establish enterprise-wide, role-based access controls
        • Leverage business roles and job requirements
        • Leverage identity management and authentication solution(s)
     • Audit:
        • Secure identity solution from authoritative source to entitlement
        • Focus on Internet, network, hardware, and application/software

  16. Lessons learned from Others
     • Initiatives need to:
        • Be business driven and have committed stakeholder support
        • Span the organization; security solutions have far-reaching business and technology impact
        • Receive organizational acceptance
        • Anticipate changes in business needs
     • Projects need to:
        • Have dedicated and effective project management
        • Manage activities from an integrated plan
        • Develop formal escalation procedures
        • Communicate frequently to all contributing parties
     • Technology deployment teams need to:
        • Understand the integration effort
        • Develop sustainable and controlled processes
        • Implement testing practices and acceptance criteria
        • Recognize the challenges of legacy application integration efforts
        • Ensure data quality and integrity
        • Understand that undocumented software bugs can be time consuming

  17. Identity Definition – Model 1: Single Identity – Multi Login

  18. Identity Definition – Model 2: Single Identity – Single Login

  19. Identity Definition – Model 3: Hybrid Model

  20. Temple Strategy
     • Perform Username and Password Synchronization of all data repositories
     • Enable User Provisioning and Deprovisioning
     • Enforce a global password policy
     • Enable Web Based Single Sign On (WEB-SSO)
     • Deploy Access Management (authorization) Policies
     • Enable auditing enterprise-wide

  21. Username Synchronization
     • Gather data of existing users on Computer Services managed ADS and NDS domains
     • Synchronize existing usernames to Accessnet Usernames:
        • ADS sAMAccountName = LDAP(AccessnetUsername)
        • NDS cn = LDAP(AccessnetUsername)
     • Create University-wide policies and procedures for account creation on each of these centrally administered directories
     • Grant and Revoke Access to resources to be automated (real time vs batch)
     • Policies and Procedures for account termination:
        • Grace period – need input
        • Voluntary vs Involuntary – need input
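Slide 21 maps each directory's account name onto the Accessnet username held in LDAP and asks for automated grant/revoke with a grace period on termination. The following added example (not the presentation's or Temple's code) reconciles one directory against an authoritative LDAP extract and produces the provisioning steps; the person key `tuid`, the sample records, and the assumed policy that a terminated account is disabled at once, deleted only after the grace period, and that an account with no authoritative owner is flagged for review rather than deleted, are all constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Person:
    """Authoritative LDAP (Accessnet) record. tuid is an assumed person key shared by all directories."""
    tuid: str
    username: str                    # AccessnetUsername: the name every directory must converge on
    active: bool
    terminated_on: "date | None" = None

def plan_sync(ldap, directory, today, grace_days):
    """Diff one directory (tuid -> current account name, e.g. AD sAMAccountName or NDS cn) against
    LDAP and return the ordered (action, tuid, detail) steps a provisioning job would carry out."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    actions = []
    for tuid, person in ldap.items():
        current = directory.get(tuid)
        if person.active:
            if current is None:
                actions.append(("provision", tuid, person.username))
            elif current != person.username:
                actions.append(("rename", tuid, "%s -> %s" % (current, person.username)))
        elif current is not None:
            # Assumed policy: revoke at once, remove the account only after the grace period.
            ended = person.terminated_on or today
            if today - ended >= timedelta(days=grace_days):
                actions.append(("delete", tuid, current))
            else:
                actions.append(("disable", tuid, current))
    for tuid, name in directory.items():
        if tuid not in ldap:
            actions.append(("review-orphan", tuid, name))  # no authoritative owner: never auto-delete
    return actions

# Constructed sample data: LDAP is the source of truth; ADS and NDS are the directories to align.
LDAP = {
    "T001": Person("T001", "alice", True),
    "T002": Person("T002", "bob", True),
    "T003": Person("T003", "carol", False, date(2006, 1, 1)),
    "T004": Person("T004", "dave", False, date(2006, 3, 1)),
    "T005": Person("T005", "eve", True),
}
ADS = {"T001": "alice", "T002": "bobsmith", "T003": "carol", "T004": "dave", "T999": "legacyadm"}
NDS = {"T001": "alice", "T002": "bob", "T005": "eve.nds"}

if __name__ == "__main__":
    for label, directory in (("ADS", ADS), ("NDS", NDS)):
        for step in plan_sync(LDAP, directory, "2006-03-10", grace_days=30):
            print(label, *step)
```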

  22. Password Synchronization
     • Synchronize passwords across all directories
     • Enforce rules for password changes – unidirectional ($) vs multidirectional ($$$$)
     • Establish Password Management Rule Set (strength, recycle, autolockout, change (30 days, 90 days, 180 days))
     • Tools/Solution (Boutique Vendors):
        • PSYNC ($$$)
        • MS Identity Server ($$)
        • SSO Solution Providers ($$$$$)
        • CAS (WEB Only) ($)
        • In-house (PPPPP$$)
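Slide 22 names the four parts of a password management rule set: strength, recycle, autolockout and a change interval. This added example, not code from the presentation or from any of the listed products, implements each rule as a small check; the thresholds in `PasswordPolicy` are constructed defaults (the 90-day interval is one of the three options the slide lists), and the salted PBKDF2 history entries are an assumed storage format.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_classes: int = 3        # strength: how many of lowercase / uppercase / digit / symbol
    history_depth: int = 5      # recycle: may not reuse any of the last N passwords
    max_age_days: int = 90      # change: the slide's 30/90/180-day options
    lockout_after: int = 5      # autolockout: consecutive failures before the account locks
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def hash_password(pw, salt=None):
    """Salted PBKDF2 entry (salt, digest) as stored in the password history."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def matches(pw, entry):
    salt, digest = entry
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

def check_new_password(pw, history, policy):
    """Strength and recycle rules for a proposed password; history holds entries newest first."""
    if len(pw) < policy.min_length:
        return False, "too short"
    if sum(bool(re.search(c, pw)) for c in CLASSES) < policy.min_classes:
        return False, "too few character classes"
    if any(matches(pw, entry) for entry in history[:policy.history_depth]):
        return False, "password recently used"
    return True, "ok"

def change_due(last_changed, today, policy):
    """Change rule: both dates are ISO strings, e.g. '2006-01-01'."""
    last, now = date.fromisoformat(last_changed), date.fromisoformat(today)
    return now - last >= timedelta(days=policy.max_age_days)

@dataclass
class LoginState:
    failures: int = 0
    locked: bool = False

def record_login(state, succeeded, policy):
    """Autolockout rule: count consecutive failures; a success resets them unless already locked."""
    if not state.locked:
        if succeeded:
            state.failures = 0
        else:
            state.failures += 1
            state.locked = state.failures >= policy.lockout_after
    return state
```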

  23. Web - Single Sign On
     • There are over 60 applications which use WEB-SSO using LDAP (https://www.temple.edu/ldap/app.htm)
     • Enforce LDAP-compliant coding standards to enable authentication and authorization
     • Ease of integration into TUportal/ERP
     • Password management centralized – LDAP

  24. Other than Web SSO
     • Single Sign On to:
        • Web Proxy
        • Radius Dial-in
        • RACF, Mainframes
        • Desktops (UNIX/LINUX/MS WIN/MAC/OS 390) – Legacy SSO
     • Offers automated Authentication, Authorization, Auditing and User Provisioning ($$$$$$)
     • Tools and Solutions:
        • CA + Netegrity – eTrust + SiteMinder
        • HealthCast – eXactAccess
        • Novell – Nsure
        • Microsoft – MS Identity Information Server
        • IBM – Tivoli

  25. Action Items – Past Year (2005)
     • Create a core technical team
     • Gather data from ADS and NDS
     • Perform analysis of data and synchronization strategy
     • Create Identity Management Committee
     • Communication to end users regarding this initiative
     • Create and enforce new Policies and Procedures
     • Prepare a functional specifications document
     • Prepare a requirements document
     • Arrange vendor demonstrations based on requirements
     • Select a product which meets Temple's SSO requirements
     • Begin to deploy the solution

  26. Action Items for Deployment
     • Create Deployment Committees: Interface, Infrastructure, Support/Communication, Workflow/Policy
     • Requirements Definition – Dec-Jan 2006
     • Develop and Document a Reference Architecture and Solutions Design – Feb 2006
     • Implementation and Integration – March – May 2006:
        • Password Synchronization
        • User Provisioning and Deprovisioning
        • Enforcement of password policy for students and Employees
        • Implement web applications for enterprise
        • Self Service Password Reset

  27. Identity Management – Challenges

  28. Federated Identity Management – Beyond Enterprise
     • Customers would like to access multiple web sites running on remote sites without re-authenticating to each one
     • Employees would like to access third party non-enterprise web portals without registering or re-authenticating (Fidelity, WageWorks, TIAA-CREF)
     • Enterprises would like to be able to provision their own users with access to partner and vendor resources automatically (Shibboleth-Napster)

  29. Identity Management – Beyond Enterprise - How
     • IT Infrastructures need to be compatible
     • Need for Standards:
        • The Liberty Alliance: http://www.projectliberty.org/
        • Platform for Privacy Preferences (P3P): http://www.w3.org/P3P/
        • A standard protocol to provision users: XRPM: http://www.xrpm.org
        • Security Assertions Markup Language (SAML): http://www.oasis-open.org/

  30. References
     • http://www.psynch.com
     • http://www.burtongroup.com
     • http://www.oracle.com
     • http://www.ca.com
     • http://infosecuritymag.techtarget.com
     • http://www.deloitte.com
     • http://www.novell.com
     • http://www.ibm.com

  31. Conclusion
     • Emerging class of technologies
     • Widely-deployed technologies with a need for Standards
     • Promising technologies with significant ROI
     • Identify your needs and match them with what is out there
     • Define an Identity Management Infrastructure

  32. Questions and Comments

  33. Thank you
