All Contents © 2004 Burton Group. All rights reserved.
Identity Management Discussion Group
Seminars on Academic Computing, EDUCAUSE
Doug Simmons, Principal Consultant
August 10, 2004
Introduction
Burton Group: Who We Are
Burton Group is a planning services company specializing in the in-depth analysis of emerging network infrastructure technologies
Our mission is to empower IT professionals, enabling them to make strategic decisions regarding network technology and allowing them to successfully use that technology to drive business
Introduction
Speaker: Doug Simmons, Principal Consultant
My Background: 20+ years in systems engineering, systems integration design, systems architecture, development, and project management with Burton Group, IBM, Critical Path/ISOCOR and the Radicati Group.
Introduction
Discussion Objectives
• Brief Overview of Identity Management Concepts
• Business Justification
• Design and Deployment Best Practices
Identity Management
What is Identity Management?
• A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities
• Involves both technology and process
• Involves managing both unique identifiers and their attributes, credentials, and entitlements
• Must enable organizations to create a manageable life cycle
• Must meet business needs for rapid registration, use, termination
• Must scale from internally facing systems to externally facing applications and processes
• Goal state: general-purpose infrastructure and authoritative sources, clean integration across people, process, and technology
Identity Management
What is (digital) identity?
Unique Identifier
• Represents principals (users, apps, etc.)
• Name, number, other identifier
• Unique in some scope
• Persistent, long-lived
• May be “pseudonym” or “true name”
Credentials
• May have multiple credentials
• Different strengths, different apps
• Can change with more frequency
Profiles (Common Profile Info; Student Profiles; Faculty, Staff Profiles; App, Site, or Partner Profiles)
• Common profile info: address, etc.
• Attributes, entitlements, policies
• More transient, fluid information
• Often specific to apps or sites
Identity Management
The IdM process: managing the identity life cycle
[Diagram: the life cycle of accounts and policies: Registration/Creation -> Propagation -> Maintenance/Management -> Termination]
Identity Management
The challenge: Interoperability and portability
[Diagram: identity reaching from the tightly-coupled, persistent interior (internal systems and data; students, faculty, staff) across extranets (research partners) to the loosely-coupled, dynamic exterior (the Internet; less-known partners or xSPs; unknown parties)]
Identity Management
The challenge
• Today’s identity management systems are ad hocracies, built one application or system at a time
• Apps, databases, OSes lack a scalable, holistic means of managing identity, credentials, policy across boundaries
• Fragmented identity infrastructure: Overlapping repositories, inconsistent policy frameworks, process discontinuities
• Error prone, creates security loopholes, expensive to manage
• The disappearing perimeter has put identity on the front burner
• Infrastructure requirements: extend reach and range
• Increased scalability, lower costs
• Balance of centralized and distributed management
• Infrastructure must become more general-purpose and re-usable
Identity Management
Burton Group definition: A set of complementary, converging technologies
• Directory Services
• User Management Services
• Resource Provisioning
• Authentication Services
• Web Access Management
• Authorization Services
• Identity Federation
Identity Management
IdM: technologies that enable secure relationships
[Diagram: directory, authentication and authorization (identity and access management) sitting between the constituents (remote staff, supplier employees, remote students, remote contractors, faculty, research partners, students, staff) and the systems they reach (student systems, HRMS, departments/schools)]
Identity Management
Core IdM components: Directory Services
• Authoritative identity repository
• Contains people, organizational units, groups, roles, etc.
• Foundation for identity management
• Authentication based on identity in directory
• Authorization based on user attributes (roles, groups)
• Personalization based on user attributes
• Meta-directories sync identity repositories
• Identity join synchronizes authoritative sources
• LDAP servers are commodities
• Active Directory becoming pervasive
• Next step: comprehensive IdM infrastructure…
Identity Management
Core IdM components: User Management & Provisioning
• Identity admin functions that span products and services
• Creation, propagation, maintenance of user accounts, rights
• Categorize users by roles, groups, for efficiency, accuracy
• Provisioning systems support workflows that automate process, reduce admin costs, enhance security
• Create, modify, terminate users across multiple apps
• Workflow approvals by managers
• Centralized admin: push roles, groups, policy
• Centralized password management, reset/sync
• Centralized, rapid termination of accounts
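The life cycle the deck describes (registration, propagation, maintenance, termination) comes down to one recurring job: join the authoritative sources, then reconcile every target system against that joined view. The script below is an added example, not Burton Group's or any vendor's code; the HR and student records, the target account tables, the affiliation-to-system entitlement rules and the 90-day dormancy window are all constructed for illustration. It produces a provisioning plan that creates missing accounts, disables accounts for terminated people, and flags orphan accounts (no authoritative identity behind them) and dormant ones, which is the audit a provisioning system should be running continuously.

```python
"""Identity life-cycle reconciliation: authoritative sources -> target systems.

Added example (not Burton Group's code). The HR and student records, the
target account tables, the entitlement rules and the 90-day dormancy window
are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

TODAY = date(2004, 8, 10)
DORMANT_AFTER = timedelta(days=90)

# Constructed authoritative sources. A person may appear in more than one.
HRMS = {
    "u1001": {"affiliation": "faculty", "active": True},
    "u1002": {"affiliation": "staff", "active": False},   # terminated in HR
}
STUDENT_SYSTEM = {
    "u2001": {"affiliation": "student", "active": True},
}

# Which target systems each affiliation is entitled to (the "push roles" policy).
ENTITLEMENTS = {
    "faculty": {"library", "lms"},
    "staff": {"library"},
    "student": {"library", "lms"},
}

# Constructed target systems: uid -> last login date.
TARGETS = {
    "library": {
        "u1001": TODAY - timedelta(days=3),
        "u1002": TODAY - timedelta(days=200),   # terminated, still enabled
        "u9999": TODAY - timedelta(days=1),     # no authoritative identity at all
    },
    "lms": {
        "u2001": TODAY - timedelta(days=120),   # valid person, dormant account
    },
}


@dataclass
class Plan:
    create: list = field(default_factory=list)   # (target, uid)
    disable: list = field(default_factory=list)  # (target, uid, reason)


def join_sources(*sources):
    """Identity join: one record per uid. A person is active only if every
    source that lists them says so (a termination anywhere wins)."""
    joined = {}
    for src in sources:
        for uid, rec in src.items():
            cur = joined.setdefault(uid, dict(rec))
            cur["active"] = cur["active"] and rec["active"]
    return joined


def reconcile(identities, targets, today=TODAY, dormant_after=DORMANT_AFTER):
    """Compare each target's accounts with the joined authoritative view."""
    plan = Plan()
    for target, accounts in targets.items():
        # Propagation: every active, entitled identity needs an account here.
        for uid, rec in identities.items():
            if rec["active"] and target in ENTITLEMENTS[rec["affiliation"]] \
                    and uid not in accounts:
                plan.create.append((target, uid))
        # Termination and audit: flag accounts the authoritative view does not justify.
        for uid, last_login in accounts.items():
            rec = identities.get(uid)
            if rec is None:
                plan.disable.append((target, uid, "orphan"))
            elif not rec["active"]:
                plan.disable.append((target, uid, "terminated"))
            elif target not in ENTITLEMENTS[rec["affiliation"]]:
                plan.disable.append((target, uid, "not entitled"))
            elif today - last_login > dormant_after:
                plan.disable.append((target, uid, "dormant"))
    return plan


def run():
    """Join the constructed sources and reconcile the constructed targets."""
    return reconcile(join_sources(HRMS, STUDENT_SYSTEM), TARGETS)


if __name__ == "__main__":
    plan = run()
    for item in plan.create:
        print("CREATE ", item)
    for item in plan.disable:
        print("DISABLE", item)
```

Disabling rather than deleting is deliberate: a dormant or orphan account is evidence for the audit trail the deck asks for, and a false positive (a sabbatical, a service account nobody registered) is recoverable. The join rule is the other security-relevant choice: when sources disagree about whether a person is active, the termination wins, so a student who is also a terminated employee does not keep staff access by accident.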
Identity Management
Core IdM components: User Management continued
• Delegated admin tools distribute workload (and liability)
• Assign subset authority to a designated user or group
• Moves responsibility to partner, supplier or other constituent
• Self-service increases satisfaction, data integrity
• Users can modify info
• Self-service password reset a high priority for many companies
• Self-service registration, subscription services can kick off workflow and provisioning process to speed revenue generation
Identity Management
Core IdM components: Authentication
• Principal provides sufficient credentials to satisfy challenge, gaining access to a service, application, or system
• Variety of authentication mechanisms
• Strength necessary depends on the needs of the application
• User name/password, personal identification numbers (PINs)
• Tokens (SecurID), digital certificates (PKI)
• Biometrics (fingerprint scans, retinal scans)
• User name/password most common
• Will remain so until the cost and complexity of stronger authentication subsides
Identity Management
Core IdM components: Web Access Management
• Determining rights, privileges using policy-based systems
• Web-based access management products combine authentication, authorization => Single Sign On (SSO)
• Use roles-, group-, rules-based systems for scalability
• Integrate with applications/application servers
• Identify objects by URL, operate at page, button, field level
• Integrate with identity repositories: directory, database
• Support multiple authentication systems
• Include user management functions
• Dynamic enforcement with variables (location, time)
• Session management after authentication
Identity Management
Core IdM components: Authorization Services
• Control access to apps, services, information resources
• Maintain sufficient user and organization information for discretionary access control
• Use multiple, flexible means of policy enforcement
• Roles, groups, rules
• Dynamic for high value resources (stored value, transactions)
• Static for low value resources (printers, ordinary files)
• Affected by variables, such as machine location, time of day, attribute values in directory or database
• Integrate applications with general purpose authorization systems leveraging common data/policy
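The static/dynamic split above (and the "dynamic enforcement with variables" bullet under Web Access Management) is easier to see in code than in bullets. The example below is added here and is not Burton Group's or any product's code: the resource names, roles, the assumed campus address range 10.0.0.0/8 and the 07:00-19:00 weekday window are illustrative assumptions. Low-value resources are decided by role membership alone; high-value ones require every rule in a list to pass, and the rules can look at the subject's directory attributes and at the request context (source address, time of day). Anything with no policy is denied.

```python
"""Policy-based authorization: static role/group checks for low-value
resources, dynamic rules (context and attributes) for high-value ones.

Added example, not Burton Group's code. Resource names, roles, the campus
network range and the business-hours window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Subject:
    uid: str
    roles: frozenset      # roles/groups pulled from the directory
    attrs: dict           # other directory attributes


@dataclass(frozen=True)
class Context:
    source_ip: str
    when: datetime


# Static policy: (resource, action) -> roles allowed to perform it.
STATIC_POLICY = {
    ("printer:lib-3f", "print"): {"student", "faculty", "staff"},
    ("share:dept-docs", "read"): {"faculty", "staff"},
}

CAMPUS_NET = ip_network("10.0.0.0/8")   # assumed campus address space


def is_registrar(subject, ctx):
    return "registrar" in subject.roles


def on_campus(subject, ctx):
    return ip_address(ctx.source_ip) in CAMPUS_NET


def business_hours(subject, ctx):
    return ctx.when.weekday() < 5 and 7 <= ctx.when.hour < 19


def is_cardholder(subject, ctx):
    return "cardholder" in subject.roles


def card_active(subject, ctx):
    return subject.attrs.get("card_status") == "active"


# Dynamic policy: every rule must pass; each rule sees subject and context.
DYNAMIC_POLICY = {
    ("sis:grades", "write"): [is_registrar, on_campus, business_hours],
    ("stored-value:card", "debit"): [is_cardholder, card_active],
}


def authorize(subject, resource, action, ctx):
    """Return (allowed, reason). Anything without a policy is denied."""
    key = (resource, action)
    if key in DYNAMIC_POLICY:
        for rule in DYNAMIC_POLICY[key]:
            if not rule(subject, ctx):
                return False, f"rule '{rule.__name__}' failed"
        return True, "all dynamic rules passed"
    if key in STATIC_POLICY:
        if subject.roles & STATIC_POLICY[key]:
            return True, "role match"
        return False, "no matching role"
    return False, "no policy for resource"


# Constructed subjects and contexts (10 Aug 2004 was a Tuesday).
REGISTRAR = Subject("r1", frozenset({"staff", "registrar"}), {})
STUDENT = Subject("s1", frozenset({"student", "cardholder"}), {"card_status": "active"})
TUE_10AM_CAMPUS = Context("10.1.2.3", datetime(2004, 8, 10, 10, 0))
TUE_10PM_CAMPUS = Context("10.1.2.3", datetime(2004, 8, 10, 22, 0))
TUE_10AM_OFFCAMPUS = Context("203.0.113.5", datetime(2004, 8, 10, 10, 0))

if __name__ == "__main__":
    print(authorize(REGISTRAR, "sis:grades", "write", TUE_10AM_CAMPUS))
    print(authorize(REGISTRAR, "sis:grades", "write", TUE_10PM_CAMPUS))
    print(authorize(STUDENT, "printer:lib-3f", "print", TUE_10AM_CAMPUS))
```

The reason string names the first failing rule so that a denial can be logged and audited without re-running the policy; the default-deny at the end is what keeps a newly added resource from being world-readable until someone writes a policy for it.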
Identity Management
Core IdM components: Identity Federation
• Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
[Diagram: loosely or tightly-coupled, integrated or federated interior systems (internal systems and data; students, faculty, staff) join, delegate and federate outward through extranets (research partners) to loosely-coupled, federated exterior systems on the Internet (less-known partners or xSPs; unknown parties)]
Identity Management
Core IdM components: Identity Federation
• Don’t need prior knowledge of complex system internals or pair-wise mappings between systems
• Define rules that bind autonomous domains to a common method of exchanging identity information
• Provide framework for negotiating agreements, defining interactions
• Map to the federation standards by applying transformations at the boundaries between domains
• Honor each other’s decisions and trust each other’s assertions, but in the context of their own local policies
Identity Management
Federation - Shibboleth
[Diagram: a Crimson College user requests a protected resource at Rouge University, which consults Crimson College’s enterprise directory]
1. I want to access your protected resource
2. Where are you from?
3. Crimson College
4. Tell me if this person is a legitimate student
5. This person is a legitimate student
Identity Management
[Diagram: Shibboleth components. Origin site: WAM (web SSO), Enterprise Directory, Handle Service, Attribute Authority. Target site: WAYF, SHIRE, SHAR, Resource Manager, web-enabled protected resource. Numbered arrows 1 to 11 trace the handle and attribute exchange between them]
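The two Shibboleth slides above (the five-step Crimson College / Rouge University exchange and the component diagram) describe a protocol, so here is the exchange as runnable code. It is an added example, not Shibboleth's or Burton Group's code: real Shibboleth carries the handle and the attributes in signed SAML messages between the SHIRE/SHAR and the Handle Service/Attribute Authority, whereas here federation trust is a membership lookup and the directory, users, passwords and attribute release policy are constructed. What it does show is the security-relevant shape of the design: the origin never hands the target a username, only a random, short-lived, single-use handle (a pseudonym in the sense of the digital identity slide); the Attribute Authority releases only the attributes its policy allows for that particular target; and the target honours the origin's assertion but still applies its own local policy (here: only "student" gets in).

```python
"""Shibboleth-style federated access: the origin site (Crimson College) issues
an opaque handle and releases attributes; the target site (Rouge University)
applies its own policy to what it receives.

Added example, not Shibboleth or Burton Group code. Real Shibboleth carries
handles and attributes in signed SAML messages; here federation trust is a
membership check, and the directory, users and release policy are constructed.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta


def _h(pw):
    """Constructed directory stores a SHA-256 of the password (stand-in for a real credential store)."""
    return hashlib.sha256(pw.encode()).hexdigest()


class OriginSite:
    """Handle Service + Attribute Authority in front of an enterprise directory."""

    def __init__(self, name, directory, release_policy):
        self.name = name
        self.directory = directory              # uid -> attributes (constructed)
        self.release_policy = release_policy    # target name -> releasable attribute names
        self._handles = {}                      # opaque handle -> (uid, expiry)

    def handle_service(self, uid, password, now):
        """Authenticate via the directory (web SSO) and return a short-lived pseudonymous handle."""
        rec = self.directory.get(uid)
        if rec is None or not hmac.compare_digest(rec["pw_sha256"], _h(password)):
            return None
        handle = secrets.token_hex(16)          # random, not derived from uid
        self._handles[handle] = (uid, now + timedelta(minutes=5))
        return handle

    def attribute_authority(self, handle, target, now):
        """Resolve the handle once and release only what policy allows for this target."""
        entry = self._handles.pop(handle, None)  # single use
        if entry is None:
            return None
        uid, expiry = entry
        if now > expiry:
            return None
        allowed = self.release_policy.get(target, set())
        return {k: v for k, v in self.directory[uid].items() if k in allowed}


class TargetSite:
    """WAYF -> SHIRE -> SHAR -> Resource Manager, trusting only federation members."""

    def __init__(self, name, federation, accepted_affiliations):
        self.name = name
        self.federation = federation            # origin name -> OriginSite
        self.accepted = accepted_affiliations   # local policy

    def access(self, origin_name, uid, password, now):
        origin = self.federation.get(origin_name)                   # WAYF: "Where are you from?"
        if origin is None:
            return False, "origin not in federation"
        handle = origin.handle_service(uid, password, now)          # SHIRE receives the handle
        if handle is None:
            return False, "authentication failed at origin"
        attrs = origin.attribute_authority(handle, self.name, now)  # SHAR queries the AA
        if attrs is None:
            return False, "handle rejected"
        aff = attrs.get("eduPersonAffiliation")                     # Resource Manager decides
        if aff in self.accepted:
            return True, f"{aff} from {origin_name}"
        return False, "affiliation not released or not accepted"


# Constructed federation: one origin, one target, two users.
CRIMSON = OriginSite(
    "Crimson College",
    {
        "aturing": {"pw_sha256": _h("correct horse"), "eduPersonAffiliation": "student",
                    "mail": "aturing@example.edu"},
        "alovelace": {"pw_sha256": _h("battery staple"), "eduPersonAffiliation": "faculty",
                      "mail": "alovelace@example.edu"},
    },
    {"Rouge University": {"eduPersonAffiliation"}},   # mail is never released
)
ROUGE = TargetSite("Rouge University", {"Crimson College": CRIMSON}, {"student"})
NOW = datetime(2004, 8, 10, 9, 0)
LATER = NOW + timedelta(minutes=10)

if __name__ == "__main__":
    print(ROUGE.access("Crimson College", "aturing", "correct horse", NOW))
    print(ROUGE.access("Crimson College", "alovelace", "battery staple", NOW))
```

Two things to check in any real deployment follow directly from this shape: the Attribute Authority must be able to answer "which target is asking?" before it releases anything (otherwise every member of the federation sees every attribute), and the target must fail closed when a required attribute is absent rather than treating an empty answer as "not a student, but let them in".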
Identity Management
Internet2/MACE Shibboleth Roadmap - 7/2004 (timeline 7/1/2004 to 12/31/2006)
Q3’04
+ Shibboleth 1.2 and OpenSAML released
  - Adopt SAML 2.0 terminology, architecture
  - Increased compatibility with SAML 1.1 products
  - Increased software modularity
+ Early prototyping of management tools
+ Application focus on information services providers
+ InCommon federation rollout
Q4’04
+ Shibboleth 1.3 released
  - Support browser artifact profile
  - Improved Java application support
+ Early versions of management tools
+ Improved system documentation
+ Many expected production rollouts
2005
+ Shibboleth 2.0 and OpenSAML 2.0 released
  - Migration to SAML 2.0 standard
  - Support for SAML WS-Federation features as deemed practical
  - Possible web services features added
+ Maturation of management tools
+ Increased decentralization of development, research and direction setting
2006
+ Technical focus likely to move to web services and middleware integration
+ Personalized tools for managing privacy and access control to target resources
+ Application focus on grids, networks and DRM
+ Increased commercialization of support and technology
+ Increased interaction among education, government and commercial federations
Summary
Putting the pieces together
Identity Management
Key Vendors
Authentication
  PKI/Other/Specialized: Verisign, Entrust, Microsoft, RSA, Others…
Access management
  Web access mgmt: Netegrity, IBM, Oblix, RSA, Entrust, Novell, Sun, HP, Aventail, Others…
User management
  Provisioning: IBM, BMC, Netegrity/Business Layers, Novell, HP, Sun/Waveset, Thor, Others…
  Identity and policy admin: Oblix, Sun, Calendra, IBM, Netegrity, Novell, Others…
Directory services
  Directory repositories/LDAP: Sun, Novell, Microsoft, Critical Path, IBM, Oracle, Siemens, Others…
  Meta-directory: Sun, Novell, MaxWare, Microsoft, Critical Path, IBM, Siemens, Others…
  Virtual directory: Calendra, MaxWare, Radiant Logic, Octetstring
Identity Management
What are your IdM challenges?
-Tactical
-Long Term
IdM Business Case
Justifications can be broken down into five overarching areas
1. Improved user experience
2. Cost savings
3. Security: Lifecycle identity administration
   • Audience: IT administrative, HR, Student Administration
4. Security: Policy enforcement
   • Audience: Resource owners
5. Competitive advantage
Improving the End-User Experience
Justification 1: “Improving end-user experience” provides
• Reduced Sign-On (sometimes called “single sign-on”)
• Improved quality of experience (QoE) for all types of end users
• Simplified, personalized access
• Automated password reset and other user grantable services
Improving the End-User Experience
What is the “improving end-user experience” business case?
• Improved efficiency of users
• User self-service allows users to personalize their own experience
• Minimization of errors
• University image
• Clear business processes
• Consolidation of application interfacing (single face)
Cost Savings
Justification 2: “cost savings” provide
• Hard dollar savings
• Help desk password resets easily measured (specific number?)
• Duplicate administration responsibilities
• Eliminating redundant software and solutions
• Canceling cell phone, other paid services after employee termination
• Soft dollar savings
• User productivity
• Training to use duplicate facilities
• 15 minutes per user per day used for authentication
• Bad addresses in directories waste time finding phone numbers, e-mail addresses
• “Hidden administrative” costs
• Many directories means many administrators usually taking time out of their real job
Cost Savings
[Diagram: overlapping product categories: meta-directory, virtual directory, provisioning, access management, password management, authentication, appliances]
Overlap without integration causes consternation and cost
• Counterintuitive and counter-economic
Cost Savings
Technologies: Directory services benefits (cont.)
Security – Life Cycle Identity Management
Justification 3: “Security – Life cycle identity management” provides
• Elimination of the potential for errors, omissions and redundancies in identity data across systems
• Accuracy and completeness of identity information
• Better management of identity lifecycle
• Dissemination of assets, services and accounts
• The right resources to the right people at the right time
• Logging and audit capabilities of information assets and resources
• Connect ID access with application access
Security – Life Cycle Identity Management
What is the “Security – life cycle identity management” business case?
• Fragmented identity management infrastructure results in high costs of operations, inability to scale, redundancy and inefficiency
• Dormant and orphan accounts represent security risks
• Need over-arching management capabilities providing auditability and accountability
• Business climate demands delegated and self-service account administration
• Basis for a new class of solution, brought about by vendors with differing backgrounds and capabilities
Security – Policy Enforcement
Justification 4: “Security – Policy enforcement” provides
• Response to heightened government oversight and regulations (e.g., FERPA, HIPAA, GLBA, etc.)
• Minimization of security risks associated with dormant or orphaned accounts
• Cost avoidance in security administration
• Optimization of security functions with less burdensome administration activities
• More secure access to sensitive resources and applications both internal and external to the organization
• Centralized authorization framework across multiple applications
Security – Policy Enforcement
What is the “Security – policy enforcement” business case?
• Promote compliance to regulatory requirements
• Protection of university resources and information assets
• Protection of intellectual property
• Support internal audits and risk assessments
• Determine, through policy, who can access systems that support business processes and what they can do
• Provide stronger authorization based upon the value or sensitivity of the information
• Provide risk and liability management
Competitive Advantage
Justification 5: “competitive advantage” provides
• Framework for rapid deployment of internal and external applications
• Standards to minimize administrative overhead
• Reduction and consolidation of existing resources and personnel
• Support and protection of intellectual property
• Flexible infrastructure promoting quicker time to market for product changes and enhancements
Competitive Advantage
What is the business case?
• Fragmented identity management infrastructure results in high costs of operations, inability to scale, redundancy and inefficiency
• Business climate demands delegated and self-service account administration
• Basis for school’s image and public or business relationships in autonomous lines of business or research
• Flexible IdM infrastructure facilitates faster introduction of new products and services
Identity Management
What are your business drivers?
-SSO
-Cost savings
-Streamlined lifecycle management
-Consistent university-wide policies
-Competitive advantage
-Others?
Design & Deployment Best Practices
• Directory services
  • Most organizations have multiple, fragmented directories
  • Important first step: Consolidation creates authoritative sources
  • Directory vendors moving up the food chain to create IdM suites
• Provisioning
  • Many in-house scripts or programs, but packaged software is here
  • But today provisioning systems aren’t interoperable
  • Provisioning can also be hard to deploy
  • Political battles, ownership issues, large-scale integration
  • Help desk incidents (password reset) provide strong case for ROI
Design & Deployment Best Practices
• Identity administration
  • Self service and delegated admin are important tools
  • But delegated admin is ultimately limited in scalability: if we all delegate our problems to each other, then we still have problems
  • Standards emerging for security assertions and federation (e.g., Shibboleth)
• Access management
  • Roles are better, but design can be a political, technical quagmire
  • Granular role definitions are more complex, costly to deploy
  • Ultimately access policies must become portable as well
  • But political, technical issues make interoperability much harder
Design & Deployment Best Practices
• Most of these technologies come from different vendors
  • Overlap between products and approaches
  • Burden of full integration is often on you, the customer
• Consolidation across these functional categories has already begun, and the market will drive further consolidation over the next year to 18 months
• Vendors succumbing to “platformania”
  • IBM, Sun, HP, Novell
• But the need is clear and the market is driving a solution
  • Hence the focus on interoperability and federation
Summary
Methodology
1) Define the business case
2) Assemble the teams – core team, extended team
3) Establish current identity management and directory services architecture baseline
4) Determine architecture requirements
5) Perform gap analysis
6) Develop “target” identity management and directory services architecture
7) Develop migration strategy
8) Establish an architectural review process
9) Begin Deployment
Summary
What are the gotchas?
• Getting your data in order (GI->GO?; CRUD!)
• Interoperability vs. interchangeability
• Build vs. buy
• Extending and customizing schema
• Business process definition
• Politics and data ownership
• Data replication topology
• Access control policies
• Measuring and demonstrating success
• Too much, too fast
Summary
[Diagram: layered architecture. Enabling technology / basic network infrastructure (network, servers, routers, OS, transport services) supports the basic business infrastructure (LDAP directories, messaging, PBX/CTI/VoIP, security/PKI, management, object services, databases, web services), which supports the advanced business infrastructure (meta directory services, business process integration) and the identity management layer (identity management, access/authorization, authentication, resource provisioning), topped by identity-based university access to business applications]
Business processes are really important!
Constituents: Employees; Faculty, Staff; Suppliers; Partners; Students; Legal/public authorities
Next Steps
Questions and open discussion