Building and Implementing An Identity Management Roadmap John Taylor Manager, IT Security & Service Continuity Phil Hall Security Consultant Apologies : Russell McClimont IT Security Services Manager, eCommerce Security
Presentation Overview • Strategic Overview • Architectural building blocks and identity management overview • Creating the identity management roadmap • Business requirements, principles/blueprint and technical positions • Project implementation • A couple of examples
Architectural Building Blocks • Removed
Information Security Framework • Removed
Identity Management – Strategic Overview • Removed
Identity Management – Strategic Overview Business Issues Faced • High administration cost • Inefficient management of user repositories • Numerous authentication points • Various passwords • Disconnect between external and internal facing systems for user access • Security built within each application
Identity Management – Strategic Overview • Removed
Identity Management – Strategic Overview Direction • Move towards reduced sign-on through the linkage of Web based protocols- Tivoli Access Manager and Tivoli Identity Manager (‘legacy’ based and non web based systems). • Centralised user management through corporate Meta Directory services. • User self registration and ‘access’ management for majority of the environment through the use of Tivoli Identity Manager. • Centralised authentication and authorisation services to leverage off existing investments. • Work flow management through Tivoli Identity Manager.
Key Components - Overview • Must have a formal identity management architecture. The roadmap is the migration strategy for realising this architecture • Clearly define what identity management is and is not • Essential to ‘ring-fence’ the architecture and roadmap • Directories - always a tricky area to address • Vendors have a view that suits their product suite • A discrete set of related services • Business objectives and / or issues that identity management services will address • Investment in a set of complementary technologies that are consistent with the overall IT Architecture / Strategy. Minimise duplication! • Four key components, these are….
Principles & Blueprints • Identity Management guiding principles • E.g. “Provisioning of IT access will be based on a mix of automatic provisioning of basic services and self-service registration” • Limited in number, no more than 20 • Must complement general IT principles and security principles • Architecture blueprints • Reflect guiding principles • Models of identity management architecture • Describes identity management architecture in terms of discrete, yet related services • Products are not referred to, keep it generic
Technical Positions & Migration Strategy • Technical Choices and Decisions • Describe identity management services in terms of a series of possible options and the chosen technology / solution • A series of technical positions based on “fitness for purpose” • Migration strategy • Describes activities essential to achieving the identity management architecture • Describes each activity in terms of its relationship with other activities and time, but it is not a project plan! • Activities are grouped together to form work streams • Must consider external factors, e.g. other projects • Should demonstrate a timely return on investment • Maximise strategic direction, minimise use of tactical solutions • Consider budgets and resource levels / experience
Getting Support from the Business • Map identity management services to business objectives • Link to IT and Security architectures • Demonstrate structured approach to architecture and roadmap development… we know what we are doing! • Document Business objectives, issues and requirements • Baseline ‘as is’ and perform gap analysis • Document principles, blueprints, technical positions and migration strategy • Demonstrate value in short term and at regular intervals thereafter • Simple high impact solutions, e.g. integrated login, password synchronization • Integrate individual solutions to provide comprehensive infrastructure • Simplify delivery of a critical IT project using an identity management service
Map business objective to identity management service • Removed
Map the identity management product to the identity management service – business requirement. • Removed
Identity Management Implementation Flow • Removed
Migration of ‘Existing’ WAM System • IAG acquired CGU in 2002. • IAG had existing web access management system using Directory Smart as underlying architecture. CGU installed Access Manager. • Gap analysis process against roadmap requirements. • Chose to migrate Directory Smart to Access Manager.
Requirements • Complete delivery by December 2004. • Maintain client self help and single sign-on functionality as provided by Directory Smart. • On going new integration activities to be performed with Access Manager. • Compliance with IT Security Architectural principles and strategy.
Issues • Develop a migration strategy for 40+ applications. • Architectural differences – proxy vs. agent-based. • Avoiding additional authentication points. • Introducing a new administration tool to the help desk. • Maintaining existing Q&A functionality.
Achievements • Phase 1 is complete - Access Manager is being used to handle the gatekeeper service for all applications. • Automated account provisioning for intranet clients supplied by HR source (SAP) through IDI connectors. • Password reset service provided by Identity Manager. • Access Manager providing authentication service to Identity Manager interface.
Integrated Single Sign-On Process (flow diagram; components: client, ITAM WebSEAL, ITAM IDS, DSmart, DSmart IDS, endpoint application) 1. Initial request 2. Post endpoint application 3. Authentication 4. Check user, extract password (ITAM IDS) 5. WebSEAL session ID and credentials cached 6. Request + iv_user, tagged password attribute (to DSmart) 7. Check user (DSmart IDS) 8. Post DS cookie and caller URL etc. 9. Post cookie 10. Request with client cookie
TIM Password Synchronisation Requirements • Deliver same sign-on services for non web applications • Support for core system repositories – ACF2, RACF, TAM IDS & various Windows domain controllers (AD, 2000, NT) • Reduce help desk workload by simplifying password management • Reduce risk of exposure by strengthening and standardising password policies
Issues • Impact of password policy change – bringing endpoint systems in line, & client educational process • Scalability of domain account synchronisation solution – local agents or agent server • Limitations of RACF agent
Achievements • Reduced password reset tasks for the help desk • Stronger password policy for core systems • Consolidation of three separate passwords to one – domain, intranet & mainframe.
TIM Password Synchronisation – architecture (diagram) • Centre: ITIM • Agents: RACF agent → RACF (2), ACF2 agent → ACF2 (3), NT agent → Windows NT SAM (5 domains), W2003 agent → Windows 2003 AD, TAM agent → TAM Directory • HR feed → IDI sync → ITIM, with SAP Directory and OID Directory as sources • Flows: password change, password sync (ITIM → agents), reverse PW sync (Windows 2003 AD and TAM Directory → ITIM), provisioning, lost password, TSC password reset, set Q&A
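The password synchronisation slides above describe one central policy pushed to RACF, ACF2, Windows domains and the TAM directory, and the issue of bringing endpoint systems into line. The following is an added example, not code from the presentation or from IBM Tivoli: it computes the consolidated policy as the intersection of per-endpoint constraints (the assumed 8-character mainframe limit is what makes this the lowest common denominator), validates a new password once centrally, and fans it out to in-memory stand-in agents, reporting which endpoints did not take the change. All endpoint limits, character sets and agents are constructed assumptions.

```python
"""Added example, not from the slides: a central password-change service that
enforces one consolidated policy across heterogeneous endpoints and then fans
the new password out to each endpoint agent, reporting partial failures.

Endpoint names follow the deck (RACF, ACF2, AD, TAM). The per-endpoint limits,
character sets and the in-memory agents are constructed for this example; the
8-character mainframe limit stands in for the classic 'lowest common
denominator' problem and is an assumption, not a statement about IAG's systems.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointPolicy:
    name: str
    min_length: int
    max_length: int
    charset: frozenset  # characters the endpoint can store


PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation)
MAINFRAME = frozenset(string.ascii_letters + string.digits + "@#$")  # assumed

# Constructed endpoint constraints (assumptions).
ENDPOINTS = [
    EndpointPolicy("RACF", 6, 8, MAINFRAME),
    EndpointPolicy("ACF2", 6, 8, MAINFRAME),
    EndpointPolicy("AD", 8, 127, PRINTABLE),
    EndpointPolicy("TAM", 8, 64, PRINTABLE),
]


@dataclass(frozen=True)
class ConsolidatedPolicy:
    min_length: int
    max_length: int
    charset: frozenset
    min_classes: int = 3  # central rule: at least 3 of upper/lower/digit/special


def consolidated_policy(endpoints):
    """Intersect endpoint policies: longest minimum, shortest maximum, common charset.
    A password passing this check is storable on every endpoint, so one change
    can be pushed everywhere instead of drifting per system."""
    return ConsolidatedPolicy(
        min_length=max(e.min_length for e in endpoints),
        max_length=min(e.max_length for e in endpoints),
        charset=frozenset.intersection(*(e.charset for e in endpoints)),
    )


def check_password(pw, policy):
    """Return a list of violations; an empty list means acceptable on all endpoints."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    bad = sorted(set(pw) - policy.charset)
    if bad:
        problems.append("characters not accepted by every endpoint: " + "".join(bad))
    classes = sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    if classes < policy.min_classes:
        problems.append(f"needs {policy.min_classes} character classes, has {classes}")
    return problems


class FakeAgent:
    """Stand-in for an endpoint agent (constructed); records what it was sent."""

    def __init__(self, name, reachable=True):
        self.name, self.reachable, self.stored = name, reachable, {}

    def set_password(self, user, pw):
        if not self.reachable:
            raise ConnectionError(f"{self.name} agent unreachable")
        self.stored[user] = pw


def synchronise(user, new_pw, agents, policy):
    """Validate once centrally, then push to every agent.
    Returns (names that accepted, {name: error}) so that endpoints left
    out of line can be retried rather than silently diverging."""
    problems = check_password(new_pw, policy)
    if problems:
        raise ValueError("; ".join(problems))
    accepted, failed = [], {}
    for agent in agents:
        try:
            agent.set_password(user, new_pw)
            accepted.append(agent.name)
        except Exception as exc:  # one dead endpoint must not stop the others
            failed[agent.name] = str(exc)
    return accepted, failed


if __name__ == "__main__":
    policy = consolidated_policy(ENDPOINTS)
    print("consolidated:", policy.min_length, "-", policy.max_length, "chars")
    print(check_password("Summer!2004", policy))  # rejected by the mainframe limits
    agents = [FakeAgent("RACF"), FakeAgent("ACF2", reachable=False),
              FakeAgent("AD"), FakeAgent("TAM")]
    print(synchronise("jsmith", "Xy7$kq2P", agents, policy))
```

With the constructed limits the consolidated policy collapses to exactly eight characters, which is the practical cost of "one password everywhere" that the Issues slide alludes to; the failure dictionary returned by synchronise is what a help-desk tool would surface for retry rather than leaving one endpoint silently out of step.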
Next Steps • Phase two of the TAM migration exercise – applications ported from Directory Smart • SPNEGO – Integrated Sign-On for Active Directory clients • Roll out password synchronisation service to the organisation • Rollout of account provisioning service to the organisation • Rationalising disparate source HR feeds through IDI/TIM • Association of existing ‘un-owned’ accounts to an enterprise identity – reduce the number of orphans • Automated provisioning & termination cycle for basic access…..
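The Achievements slide describes provisioning driven by an HR feed, and the Next Steps slide adds associating ‘un-owned’ accounts to an enterprise identity and an automated termination cycle. The following is an added example, not code from the presentation, IDI or TIM: it reconciles endpoint accounts against an HR feed, links an account only where the owner is unambiguous, queues the rest as orphans for manual review, and flags linked accounts whose owner is terminated. The HR records, accounts and the ‘SURNAME INITIAL’ description convention are constructed assumptions.

```python
"""Added example, not from the slides: reconcile accounts held on endpoint
systems against the HR feed so that each account is (a) associated with an
enterprise identity where the link is unambiguous, (b) reported as an orphan
where it is not, and (c) flagged for termination where its owner has left.

The HR records and accounts below are constructed; the 'SURNAME INITIAL'
description convention used for name matching is an assumption, not a
statement about the real RACF or SAP data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    employee_id: str
    surname: str
    given: str
    status: str  # "active" or "terminated" in the HR feed


@dataclass(frozen=True)
class Account:
    system: str
    account_id: str
    employee_id: Optional[str]  # set when the endpoint records the HR id
    description: str            # free text, e.g. a mainframe NAME field


# Constructed HR feed (stand-in for the SAP extract).
HR_FEED = [
    Person("100001", "Smith", "Jane", "active"),
    Person("100002", "Smith", "John", "active"),
    Person("100003", "Brown", "Alan", "terminated"),
    Person("100004", "Lee", "Mei", "active"),
]

# Constructed endpoint accounts.
ACCOUNTS = [
    Account("AD", "mlee", "100004", ""),                 # direct HR id link
    Account("RACF", "JSMIT1", None, "SMITH J"),          # two Smith J. candidates
    Account("RACF", "ABROW1", None, "BROWN A"),          # owner has left
    Account("ACF2", "SVCBKUP", None, "BACKUP SERVICE"),  # no person behind it
]


def build_name_index(people):
    """Index people by (surname, first initial); collisions are kept as lists."""
    index = {}
    for p in people:
        index.setdefault((p.surname.lower(), p.given[0].lower()), []).append(p)
    return index


def match_by_name(acct, by_name):
    """Associate via the description only when exactly one person matches.
    An ambiguous match is never auto-linked: linking an account to the wrong
    identity hands that person someone else's access."""
    tokens = acct.description.split()
    if len(tokens) < 2:
        return None
    candidates = by_name.get((tokens[0].lower(), tokens[1][0].lower()), [])
    return candidates[0] if len(candidates) == 1 else None


def reconcile(people, accounts):
    """Return (linked, orphans, leavers).
    linked:  {(system, account_id): employee_id}
    orphans: accounts with no unambiguous owner (manual review queue)
    leavers: linked accounts whose owner is terminated (disable/remove queue)"""
    by_id = {p.employee_id: p for p in people}
    by_name = build_name_index(people)
    linked, orphans, leavers = {}, [], []
    for acct in accounts:
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:  # no id, or a stale id no longer in the feed
            owner = match_by_name(acct, by_name)
        if owner is None:
            orphans.append(acct)
            continue
        linked[(acct.system, acct.account_id)] = owner.employee_id
        if owner.status == "terminated":
            leavers.append(acct)
    return linked, orphans, leavers


if __name__ == "__main__":
    linked, orphans, leavers = reconcile(HR_FEED, ACCOUNTS)
    print("linked:", linked)
    print("orphans:", [a.account_id for a in orphans])
    print("leavers:", [a.account_id for a in leavers])
```

The design choice worth noting is that ambiguity is treated as an orphan rather than resolved by a best guess: with two people matching "SMITH J" the mainframe account stays in the review queue, because mis-associating it would grant a live user an account they never owned, which is a worse outcome than one more orphan to clear by hand.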