1 / 35

The (IdM) Identity Conundrum Strategies in identity management

The (IdM) Identity Conundrum Strategies in identity management. What is identity management?. Important delineation : Two groups of entities Internal staff Customers, business partners Different challenges, different deliverables, may need different solutions. What is identity management?.

fitzgerald-spears
Download Presentation

The (IdM) Identity Conundrum Strategies in identity management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The (IdM) Identity Conundrum Strategies in identity management

  2. What is identity management? Important delineation : • Two groups of entities • Internal staff • Customers, business partners • Different challenges, different deliverables, may need different solutions

  3. What is identity management? Identity management is the ability to define and control the security characteristics and credentials of : • many users • on many systems • spanning a variety of different roles • inside and outside the organisation • while accessing content, applications, and services • in a manner which is sensitive to the context of the interaction

  4. What is identity management? So identity is the abstract representation that links a real person to their capabilities in an IT system The process of identity management requires a system which: • distinguishes a person • defines them in terms of their security personas • and specifies their access rights • within the various contexts which characterise their interaction with the organisation

  5. What is identity management? But isn’t that just security administration? • True to a degree, BUT • Formerly one person, one account, one system • NOW, one person, 20 accounts, 100 systems • An example

  6. What is identity management? Example • Mid-Size corporation • 5,000 staff • 220,000 userids • 374 security domains • With this level of complexity it’s not “just” security administration

  7. What is identity management? So Identity Management is actually the integration of products such as directories, single sign-on, security services applications and provisioning applications into a unified framework for managing user information and access. It’s about convergence of the multitude of points of authentication, authorisation and administration to provide a more coherent view and management platform for security.

  8. An architectural view of Identity Management

  9. What is identity management? Web / Information Portals Access policies Applications Identity store Provisioning Access controls and privileges Data bases and files Identity Authoritative sources Operating systems

  10. Drivers to Identity Management (internal staff) • Increasing complexity (servers, operating systems, data bases, applications) • Increasing administration costs • Declining security quality = rising security risk • Declining quality of service

  11. Drivers to Identity Management (customers) • Need to do business regardless of location • Need to identify a web customer as the same customer using IVR or counter services • Customer single web sign-on in complex server/database/application environment • Need unified authentication for web portals • Access rights change with the business context • Personalise web content based on identity and current activity • Interface to CRM applications • Delegated administration for business areas, partners

  12. What value can Identity Management create? • Identity Management is the philosophy of a centralised security architecture using an identity centric approach • Single user profile for user identification and marketing purposes • Stops proliferation of passwords • Increased customer and employee satisfaction • Faster deployment of new applications • Cost reduction through centralised user management, user self service and process optimisation • Link between business processes, workflow and technology • Centralised point of control for security and audit processes.

  13. Benefits from Identity Management Cost reduction • Decreased maintenance of security on a business unit level • Staff and customer access available more quickly • Internal costs reduced through cross platform centralised password management and synchronisation • External help desk costs reduced by improved password management • Reduction in development costs for web applications – no need to rebuild a bespoke security solution

  14. Benefits from Identity Management Revenue • Move complete value chains to the digital world • Provide a mechanism to quickly and efficiently migrate users and applications from acquisitions • Staff productive more quickly • Offer 24/7 self service • Competitive advantage, strategic positioning and corporate brand/image

  15. Benefits from Identity Management Risk reduction • Only appropriate users have access • Risk of obsolete user accounts reduced • Change of position results in change of permissions • Ability to evaluate regulatory compliance • Ability to audit and track user accounts. • Ability to automatically lock out users • Central point of control for security and audit processes. • Single view of user’s access

  16. Competing technologies

  17. Competing technologies • We now look at security infrastructure solutions. ERP and CRM feed into Identity Management, but are out of scope for this discussion • Custom applications • Directory services • Web Access Control (aka Extranet Access Management) • Provisioning

  18. Custom applications • While not high on most people’s agenda, building custom applications for IM is possible and has been done • Enables very specific requirements to be built in • Inherently expensive to build and maintain • Requires deep technical skills in some of the target platforms, not normally held by developers • Usually one way – does not pick up manual changes • Sits on critical path for technology upgrades (e.g. new versions of operating system or data base) • Most very large organisations have put in a bespoke provisioning application of some sort • Example : large bank built online access control manager 15 years ago • Becomes too difficult for complex technology mix

  19. Directory services • Directory Services terminology is ambiguous, and not used consistently • A “directory” is a specialised data base used for repetitive high speed access to relatively static data. • “Directory Services” is a blanket term used to describe the use of directories to service this data to applications. Security credentials are frequently provided to applications in this way. • Metadirectory” is a term used to describe a directory which is comprised of data synchronised from other directories. • It is very important to recognise that many people do not understand these concepts, and use the term “Directory Services” or “metadirectory” when they simply mean the desire to use a directory instead of a data base.

  20. Directory services • A directory services solution comprises a set of tools and processes • A core directory such as Active Directory, Novell eDirectory, iPlanet • Directory synchronisation tool such as DirXML, Sun ONE Meta-Directory, Active Directory Connector • Connector to ERP or CRM • Object and property mapping tools (probably XML) • Optionally front-end self service directory enabled applications

  21. APPLICATIONS IDENTITY MANAGEMENT DIRECTORY IDENTITY STORE DIRECTORY SYNCHRONISATION SERVICES Access NDS Sybase Sybase Sybase SECA Sybase Sybase Sybase Oracle MS-SQL Notes DB2 DIRECTORIES AND DATABASES Address Book NIS SAM Notes RACF OPERATING SYSTEMS Netware Solaris NT OS/390

  22. APPLICATION APPLICATION APPLICATION APPLICATION APPLICATION APPLICATION APPLICATION APPLICATION APPLICATION IDENTITY STORE (DIRECTORY) XML Style sheets DIRECTORY SYNCHRONISATION BUS Synchronisation policies Directory Directory Directory Data base Data base Directory ERP

  23. Directory Services Authentication • User profiles can be stored in a manner which can be accessed by applications to authenticate the user. The term describing it is “Directory Enabled Application”, and the protocol for accessing the directory is LDAP. Access control • If the directory is the native security mechanism for the operating system it controls access to resources (e.g. eDirectory on Netware) • Otherwise there is no active access control. Passive access control can be achieved by directory enabling applications • Group memberships and custom objects can help • CAVEAT! Passive security depends on developers implementing security correctly in the application.

  24. Directory Services Provisioning • Directories can be updated as a result of changes in other directories, or changes in the HR system • Key technique is directory synchronisation using products like DirXML • Synchronisation tool maps object types and properties to their equivalent in the target system (e.g. userid=logonid=UID, Last Name=Surname=Name) • Also allows scripting to achieve non-directory functions (e.g. copying files, archiving), or scheduling subsequent events

  25. Extranet Access Management Web applications bring new challenges. There are numerous data sources, and new resource types not protected by traditional processing platforms • Native operating system security can’t protect pages, URLs, Objects, methods, applets, servlets • Products include Oblix, Tivoli Identity Manager, RSA ClearTrust, Netegrity SiteMinder. Many more. • Provides a callable security service with support for new resource types, and custom objects • Primarily for browser applications, but some can be called by traditional applications • Particularly relevant for JAVA – JAAS and J2EE • EAMs often use a directory as their identity store

  26. Browser Web server Security service Identity store Application server Data base Operating systems

  27. Application server Application server Application server Application server Application server Application server Application server Application server Web server Web server Security service Privilege store Identity store Data base Data base Data base Data base

  28. Extranet access manager Authentication • User profiles and passwords are stored in the EAM’s identity store and accessed via the EAM’s API. Typically an encrypted cookie is created to provide single signon during the period of interaction. Access control • Many different ways to store permissions • Typically defined by group membership • Can be a simple ACL for a resource • Some products allow business logic to be included in the security credentials (e.g. allow access if account balance > $100,000) • Some products have active security for certain resource types (e.g. page, method). Passive access control always possible by calling security from the application. Can be called from legacy apps. • Group memberships and custom objects can help • CAVEAT! Passive security depends on developers implementing security correctly in the application.

  29. Extranet access manager Provisioning • Not typically used as a provisioning service. However, can be linked to CRM feed for automatic account creation • Some provisioning products can link into some EAMs (must be purpose written interface) • Provisioning can be direct to the identity/privilege stores via say LDAP

  30. Security provisioning Proliferation of servers, accounts and passwords is making traditional security administration practices ineffective. There are pure plays provisioning products on the market • New users may need 10 or more accounts provided by several different administrators • Great scope for error (wrong access) and delay • Security administration costs rising because growing infrastructure complexity dramatically increases the number of security admin tasks • Provisioning products automate standard security tasks so they can be carried out without a security administrator’s intervention • Examples include BMC Control-SA, Access 360 (now Tivoli Access Manager), Waveset Provisioning Manager, CA eTrust. Others

  31. Access policies Portals Applications Identity store Provisioning Access controls and privileges Data bases and files Identity Authoritative sources Operating systems

  32. Security provisioning engine (Single Point of Administration) PeopleSoft Central Security Administration Data Base GATEWAY GATEWAY GATEWAY MANAGED SYSTEMS

  33. Provisioning Authentication • NOT interactive security manager • Provisioning solutions play no direct role in authentication • Can facilitate password synchronisation Access control • NOT interactive security manager • Puts access control settings in place to facilitate access to target • Can perform complex tasks with some intelligent rule processing facilitated by scripting • Can implement role based access control, so complex combinations of access can be assigned to a user based on their position, or specified function within work place (e.g. teller, help desk)

  34. Provisioning Provisioning • Replicates local security credentials in a central repository • Changes to the repository are executed in the managed domain • Changes made in managed domain also applied to repository • Every person added to the role will get correct access • Deleting the central entity deletes all associated accounts • Needs workflow to achieve maximum gains and include online authorisation of requests • Not a panacea • Expect to automate 30-50% of access types • However only limited by your commitment and resources

  35. Client maintenance  Supervisor Unitised redemptions    Quality assurance Entity Functional roles Access roles Permissions     CSO eProvisioning

More Related