
Integrated Identity Management


Presentation Transcript


  1. Integrated Identity Management: Leveraging knowledge of people to create business value
     Jeff Curie, Chief Strategist, Identity Management

  2. Identity Management in the Security Model
     Resource Protection
     • Protect computers and network
     • Know the connected devices
     • Prevent malicious network access
     • Defend against viruses
     • Respond to attacks
     Control
     • Protect applications and data
     • Know the authorized users
     • Control what users can see and do
     • Secure transactions and data
     • Make security transparent to users
     Policy Assurance
     • Protect privacy and reputation
     • Support regulatory compliance
     • Enforce consistent policies
     • Provide integrated audit trail
     • Manage security risks

  3. Security Control Layer: Industry Statistics
     - Chris Christiansen
     “Up to 60% of the access profiles in companies are no longer valid and, in high turnover industries, the percentage can go up to 80-90%.”
     “Automated management of B2B processes and increased collaborative capabilities will soon become necessities in most organizations. Simple data exchange with partners and customers is not enough.” - David Yokelson
     • “It costs $400 per year to manually manage a single user in a large financial corporation.”
     • “Insider security lapses are costing organizations an average of about $250,000 per incident.”
     • “81% of the likely source of attack is from disgruntled employees.”
     Sources cited on the slide: International Security Forum Report; FBI/CSI Survey July 2001; Computer Security Issues

  4. There are Teeth in the New Regulations
     Eli Lilly Settles FTC Charges Concerning Security Breach: Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service. Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy. (FTC Press Release)
     Allstate agrees to $1M settlement for privacy violations in California (By Associated Press): Allstate Insurance Co. agreed to pay a $1 million fine as part of a settlement with the California Department of Motor Vehicles, officials said yesterday. March 19, 2003
     Victoria’s Secret Settles Privacy Case: Company to Provide Restitution to Consumers for Web Site Breach
     Softbank Offers Compensation Over Leak of Personal Data; Executives to Forgo Part of Pay (2004, Associated Press)
     “Regulatory compliance #1 driver for increased security spend in 2004” - IDC 2003 “Black Book”

  5. Security Management Process Complexity
     • Elapsed turn-on time: up to 7 days per user
     • Account turn-off performance: 30-60% of accounts are invalid
     • FTE User Admin only handles 300-500 users
     • 40% of Helpdesk spent on Password Resets
     Diagram labels: Request for Access Generated; IT InBox; User Change; Policy & Role Examined; Approval Routing; Administrators Create Accounts; Users with Accounts

  6. Why Clients Chose Identity Management: Common Pains Addressed by Integrated Identity Management
     • Our security administration and support costs are too high
     • Single sign-on and a unified user experience is a priority for our executives
     • Security for in-house built applications is inadequate and expensive
     • We need to limit access to sensitive or private information in our systems
     • Compliance with regulations and audit requirements drives us to make changes
     • We can't keep track of all the users that can access our systems
     • Identity information is spread across multiple stores
     • We want to get our house in order to prepare to participate in Web Services

  7. Integrated Identity Management Building Blocks (diagram)
     Identity Data Infrastructure: Directory Server; Identity Integration (Users & Applications; User & Resource Information)
     Identity Applications: User Provisioning; Access Control; Privacy Control; Federated Identity Management
     Leveraging Knowledge of People and Processes to Create Business Value

  8. Start Where You Must, Expand Over Time
     Diagram labels: Control User and Privilege Information; Establish Authoritative Identity Information; Identity Ecosystem; Enforce Access Controls and Data Disclosure

  9. Identity Is the Basis of the Control Layer
     Today, identity data is fragmented and incomplete
     • But, identity data is the basis for:
     • Access decisions
     • Self-service
     • Authorization assignment
     • Personalization
     • Information about People: Employees; Contractors; Partners; Customers
     • Information about Access: User Account Privileges; Credentials
     Diagram labels: Directories; Legacy Apps; In-house Apps; Web Apps; Users; Operating Systems; Data Stores; Transaction Processing; Security Systems

  10. Common Pains Addressed by Identity Integration
     Tab strip on the slide: Provision | Access | Privacy | Directory Integration
     • We need to improve the quality of our organization-wide identity data
     • We need to synchronize data between stores like databases, PeopleSoft, SAP, Microsoft AD and Lotus Notes
     • We need to reduce the number of people trying to maintain the same data
     • We need a common store of identity data
     • We need more feeds into our LDAP directories
     • We need to aggregate data from multiple sources into one
     • We need to migrate data to new applications

  11. Establishing Authoritative Identity
     • Customer Challenge: Out-of-sync data elements require synchronization
     • Customer Challenge: Accurately retain multiple corporate identity sources at minimum cost
     • Customer Challenge: Accelerate deployment of high-ROI Identity Management solutions
     Diagram labels: Users; Systems; Data; Authoritative Identity Source; User Cost Center; User Mobile Phone Numbers; Authoritative Identity Source for Division A; Authoritative Identity Source for Division B; Authoritative Identity Source for Division C; Integrate

  12. Common Pains Addressed by User Provisioning
     • We need self-service to reduce/avoid costs in the help desk
     • We need to see exactly who has what rights
     • We need a console that can turn off departing users immediately
     • We need to automate the process of turning people on and off to systems
     • We need a central system to keep accurate records of all changes to access rights

  13. User Provisioning Business Purpose
     • Access Control Challenges
     • Security: Accurate and timely privilege assignment based on “Need to Know”
     • Security: Accurate and timely off-boarding
     • Cost: Scaling administrative staff to match provisioning activity
     • Cost: Scaling help desk staff to match password reset request load
     • Regulatory/Controls: Proving you did it right
     Diagram labels: User; Accesses; Privileges; Action; Data; Security Administrator; Resource

  14. Tivoli Identity Manager (diagram)
     Process steps: Identity change requested; Access policy evaluated; Approvals gathered; Accounts updated
     Detect and correct local privilege settings
     Industry’s most comprehensive list of supported agents, and toolkit to create more: Operating Systems; HR Systems; Databases; Applications; Identity Stores
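The reconciliation that slides 13 and 14 describe in words (need-to-know privilege assignment, timely off-boarding, and detecting and correcting local privilege settings against an authoritative identity source) is shown below as an added example written for this transcript; it is not IBM or Tivoli code, and the HR feed, role policy and account list are constructed sample data:

```python
# Constructed sample data (not from the presentation): an authoritative HR
# feed, a hypothetical per-role privilege policy, and the account list an
# agent pulled back from one managed system.
HR_FEED = {
    "u100": {"name": "A. Lee", "status": "active", "role": "finance"},
    "u200": {"name": "B. Diaz", "status": "active", "role": "support"},
    "u300": {"name": "C. Okoro", "status": "terminated", "role": "finance"},
}
ROLE_POLICY = {
    "finance": {"ledger_read", "ledger_write"},
    "support": {"ticket_read"},
}
LOCAL_ACCOUNTS = {
    "u100": {"ledger_read", "ledger_write", "admin"},  # local drift: extra privilege
    "u300": {"ledger_read"},                           # owner left, never turned off
    "svc_old": {"admin"},                              # no identity behind it
}


def reconcile(hr, policy, local):
    """Compare the authoritative identity data with what the target system
    actually has, and return the corrective actions a provisioning engine
    would execute as (action, account, privileges), sorted for stable output."""
    actions = []
    for uid, person in hr.items():
        active = person["status"] == "active"
        wanted = policy.get(person["role"], set()) if active else set()
        have = local.get(uid)
        if have is None:
            if wanted:                      # active person, no account yet
                actions.append(("create", uid, sorted(wanted)))
            continue
        if not wanted:                      # off-boarded: disable, keep the record
            actions.append(("disable", uid, sorted(have)))
            continue
        if have - wanted:                   # local privilege drift
            actions.append(("revoke", uid, sorted(have - wanted)))
        if wanted - have:                   # missing need-to-know privilege
            actions.append(("grant", uid, sorted(wanted - have)))
    for uid in local.keys() - hr.keys():    # account with no identity behind it
        actions.append(("orphan", uid, sorted(local[uid])))
    return sorted(actions)


if __name__ == "__main__":
    for action in reconcile(HR_FEED, ROLE_POLICY, LOCAL_ACCOUNTS):
        print(action)
```

Orphan accounts are reported rather than deleted because they need a human decision; the other actions are the "30-60% of accounts are invalid" problem from slide 5 made visible on every run.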

  15. IBM and Cisco: Teamed to Reduce Operating Costs
     Comprehensive security spanning network, systems and application infrastructure
     From your most trusted partners
     Diagram labels: Tivoli Identity Manager; HR Systems; Identity Stores; Applications; Databases; Operating Systems; Cisco Secure ACS; Cisco 7500 Router; Corporate Network

  16. Common Pains Addressed by Access Control
     • We need to reduce help desk costs for our web sites
     • We need Single Sign On for employees, partners, and suppliers
     • We need better and cheaper security for in-house applications
     • We need security for our cross-business unit portal
     • We need to consolidate multiple access control and authorization solutions
     • We want a standard module for all our developers to leverage for new and updated applications including web services
     • We are failing security audits
     • We need to close security back doors into our operating systems

  17. Tivoli Access Manager
     • Reusable security component for new systems
     • Session-level access decisions across multiple system types
     • Unified access policies across systems
     • Single sign-on experience in web space
     Diagram labels: Access Manager; Enforce – who can come in and what they can do; Unix System; App Server; Web App; MQ

  18. WebSphere Portal Ecosystem: Controlling privileges in dependent systems
     Diagram labels: Enterprise Resources; CONTENT; Portal Server; Content; Access Manager; Home Grown Content Agents; Account Control; Identity Manager; Access Manager; Authorization Store; Corporate HR Systems; Business Partner/Employee Directories; ADMINISTRATION
     • Provisioning Policies
     • Workflow
     • Audit trails

  19. Pain Points Addressed by Privacy Management
     • We need to demonstrate compliance with industry (HIPAA, GLBA, Calif. SB 1386) or country (Safe Harbor, EU Data Protection Directive, Australian Privacy Act, Japan Privacy Act) privacy regulations without costly audits and manual procedures
     • We need to control disclosure of sensitive data (such as social security numbers, health records, or credit card information) without having to re-write our applications
     • We need to build and manage privacy rules across our enterprise applications
     • Controls based on groups or roles are sometimes not enough to determine appropriate access; we need to determine access based on business purpose or by “minimum need to know”

  20. Privacy Business Purpose
     • Privacy Management considers data owner:
     • Choices (e.g. opt in to marketing email)
     • Attributes (age > 13, country of residence)
     • Other factors (time of day, etc.)
     • Privacy Management authorizes “release of data for a business purpose”:
     • “read for the purpose of fulfilling an order”
     • “write for purpose of registering political party affiliation”
     • “delete for purpose of removing from preferred physician list”
     Diagram labels: Business Purpose; Data Owner; Disclosure; Data Requester; Resource

  21. How Is Privacy Management Different?
     Access Controls: Who are you? What groups do you belong to? Are you allowed to access this resource? Audit: who logged in when.
     Disclosure Controls: What data did you see/use? For what business purpose? Did the data subject agree? Audit: what data was disclosed, to whom, why, and was it compliant to policy.
     • Disclosure Control
     • While a user may be authorized to login to an application, they may not be able to see certain data.
     • You can apply policy to a data set BEFORE it is returned to the application (and the user).
     • Audit the “return path for data”
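The disclosure control of slides 20 and 21 (policy applied to the data set before it is returned to the application, release authorized per business purpose, conditioned on the data owner's choices and attributes, with an audit of what was disclosed to whom and why) as an added example written for this transcript; it is not Tivoli Privacy Manager code, and the records, purposes and policy rules are constructed sample data:

```python
# Constructed sample data (not from the presentation): customer records with
# the data owner's choices and attributes attached, and a hypothetical
# privacy policy mapping business purpose -> field -> release condition.
RECORDS = [
    {"id": "c1", "name": "Ann", "email": "ann@example.com", "age": 34,
     "marketing_opt_in": True, "ssn": "000-00-0001"},
    {"id": "c2", "name": "Bo", "email": "bo@example.com", "age": 12,
     "marketing_opt_in": True, "ssn": "000-00-0002"},
    {"id": "c3", "name": "Cy", "email": "cy@example.com", "age": 41,
     "marketing_opt_in": False, "ssn": "000-00-0003"},
]
POLICY = {
    # A field with no rule for a purpose is never released for that purpose,
    # so "ssn" is withheld here no matter who asks.
    "fulfil_order": {"name": lambda r: True, "email": lambda r: True},
    "marketing_email": {"email": lambda r: r["marketing_opt_in"] and r["age"] >= 13},
}


def disclose(records, requester, purpose, policy=POLICY):
    """Filter a result set against the privacy policy before it is returned
    to the application, and record what was disclosed, to whom and why."""
    if purpose not in policy:
        # Unknown purpose: release nothing and log a non-compliant request.
        return [], [{"to": requester, "purpose": purpose, "disclosed": [],
                     "compliant": False}]
    rules = policy[purpose]
    released, audit = [], []
    for rec in records:
        allowed = sorted(f for f, ok in rules.items() if f in rec and ok(rec))
        withheld = sorted(set(rec) - set(allowed) - {"id"})
        if allowed:
            released.append({"id": rec["id"], **{f: rec[f] for f in allowed}})
        audit.append({"subject": rec["id"], "to": requester, "purpose": purpose,
                      "disclosed": allowed, "withheld": withheld,
                      "compliant": True})
    return released, audit


if __name__ == "__main__":
    rows, trail = disclose(RECORDS, "campaign-app", "marketing_email")
    print(rows)          # only c1: opted in and over 13
    for entry in trail:
        print(entry)
```

The same requester is allowed to log in either way; what changes with the purpose is which fields of which subjects come back, and the audit entry records the withheld fields as well as the disclosed ones.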

  22. Combining the Identity Ecosystem
     Diagram labels: Identity-Driven User Accounts; User Provisioning; Administer – Changes in users and authorities; Users; Integrate – Information about users; Accounts; Enforce – who can come in and what they can do; Controls; LOB; Partner Directory; HR; NOS; White Pages; eMail Directory; Access Control; Identity Integration; Charge Centers; Telephony; Identity-Driven Access and Disclosure Control; Synchronize Identity Stores

  23. IBM’s Integrated Identity Management Solution (diagram)
     Identity Data Infrastructure: IBM Directory Server; IBM Directory Integrator (Users & Applications; User & Resource Information)
     Identity Applications: Tivoli Identity Manager; Tivoli Access Manager; Tivoli Privacy Manager; Federated Identity Management
     Leveraging Knowledge of People and Processes to Create Business Value

  24. How do you get started?
     • Visit http://www.ibm.com/software/itsecurity/en/web10 to download informative whitepapers or view additional webcasts on IBM Security & IT Management Solutions
     • Contact your IBM sales specialist or IBM Business Partner, or call 1-800-IBM-7777 with priority code 104AK002 to discuss how IBM can assist you with your identity management needs.
