All Contents © 2004 Burton Group. All rights reserved. Identity Management Discussion Group. Seminars on Academic Computing * EDUCAUSE * Doug Simmons, Principal Consultant, dsimmons@burtongroup.com, August 10, 2004


Page 1: Identity Management Discussion Group

All Contents © 2004 Burton Group. All rights reserved.

Identity Management Discussion Group
Seminars on Academic Computing * EDUCAUSE *

Doug Simmons
Principal Consultant
dsimmons@burtongroup.com
August 10, 2004

Page 2: Introduction

Burton Group: Who We Are

Burton Group is a planning services company specializing in the in-depth analysis of emerging network infrastructure technologies

Our mission is to empower IT professionals, enabling them to make strategic decisions regarding network technology and allowing them to successfully use that technology to drive business

Page 3: Introduction

Speaker
• Doug Simmons
• Principal Consultant

My Background: 20+ years in systems engineering, systems integration design, systems architecture, development, and project management with Burton Group, IBM, Critical Path/ISOCOR and the Radicati Group.

Page 4: Introduction

Discussion Objectives
• Brief Overview of Identity Management Concepts
• Business Justification
• Design and Deployment Best Practices

Page 5: Identity Management

What is Identity Management?
• A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities
• Involves both technology and process
• Involves managing both unique identifiers and their attributes, credentials, and entitlements
• Must enable organizations to create a manageable life cycle
• Must meet business needs for rapid registration, use, termination
• Must scale from internally facing systems to externally facing applications and processes
• Goal state: general-purpose infrastructure and authoritative sources, clean integration across people, process, and technology

Page 6: Identity Management

What is (digital) identity?

Unique Identifier
• Represents principals (users, apps, etc.)
• Name, number, other identifier
• Unique in some scope
• Persistent, long-lived
• May be “pseudonym” or “true name”

Credentials
• May have multiple credentials
• Different strengths, different apps
• Can change w/more frequency

Profiles (common profile info such as address; student profiles; faculty, staff profiles; app, site, or partner profiles)
• Attributes, entitlements, policies
• More transient, fluid information
• Often specific to apps or sites

Page 7: Identity Management

The IdM process: managing the identity life cycle

Figure: a cycle applied to accounts and policies: Registration/Creation, Propagation, Maintenance/Management, Termination

Page 8: Identity Management

The challenge: Interoperability and portability

Figure: identity must reach from the tightly-coupled, persistent interior out to a loosely-coupled, dynamic exterior
• Internal systems and data
• Tightly-coupled, persistent interior: students, faculty, staff
• Extranets: research partners
• Loosely-coupled, dynamic exterior: less-known partner or xSP
• The Internet: unknown

Page 9: Identity Management

The challenge
• Today’s identity management systems are ad hocracies, built one application or system at a time
• Apps, databases, OSes lack a scalable, holistic means of managing identity, credentials, policy across boundaries
• Fragmented identity infrastructure: overlapping repositories, inconsistent policy frameworks, process discontinuities
• Error prone, creates security loopholes, expensive to manage
• The disappearing perimeter has put identity on the front burner
• Infrastructure requirements: extend reach and range
• Increased scalability, lower costs
• Balance of centralized and distributed management
• Infrastructure must become more general-purpose and re-usable

Page 10: Identity Management

Burton Group definition: A set of complementary, converging technologies
• Directory Services
• User Management Services
• Resource Provisioning
• Authentication Services
• Web Access Management
• Authorization Services
• Identity Federation

Page 11: Identity Management

IdM: technologies that enable secure relationships

Figure: directory, identity and access management (authentication, authorization) at the center, linking constituents (remote staff, supplier employee, remote student, remote contractor, faculty, research partner, students, staff) with institutional systems (student systems, HRMS, departments/schools)

Page 12: Identity Management

Core IdM components: Directory Services
• Authoritative identity repository
• Contains people, organizational units, groups, roles, etc.
• Foundation for identity management
• Authentication based on identity in directory
• Authorization based on user attributes (roles, groups)
• Personalization based on user attributes
• Meta-directories sync identity repositories
• Identity join synchronizes authoritative sources
• LDAP servers are commodities
• Active Directory becoming pervasive
• Next step: comprehensive IdM infrastructure…
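The identity join named above, as an added example: constructed for this page, not Burton Group's or any directory product's code. It joins a constructed HRMS feed and a constructed student-system feed on a shared person identifier, applies an assumed attribute-authority policy (HR owns name and mail for anyone it knows, the student system owns academic attributes), reports values the non-authoritative source disagrees on instead of overwriting them, and renders each joined entry as LDIF for an assumed ou=people tree.

```python
"""Meta-directory identity join: constructed example, not Burton Group's code.

Joins an HRMS feed and a student-system feed on a shared person identifier into
one directory entry per person. Each attribute has one authoritative source;
a differing value from a non-authoritative source is recorded as a conflict
rather than silently overwriting the authoritative value.
"""
from dataclasses import dataclass, field

# Constructed sample feeds standing in for exports from HR and the student system.
HRMS_FEED = [
    {"person_id": "1001", "sn": "Doe", "givenName": "Jane",
     "mail": "jane.doe@example.edu", "title": "Professor", "department": "Physics"},
    {"person_id": "1002", "sn": "Roe", "givenName": "Rick",
     "mail": "rick.roe@example.edu", "title": "Registrar", "department": "Admin"},
]
STUDENT_FEED = [
    {"person_id": "1001", "sn": "Doe", "givenName": "Jane",
     "mail": "jdoe@students.example.edu", "program": "PhD Physics"},
    {"person_id": "2001", "sn": "Poe", "givenName": "Pat",
     "mail": "pat.poe@students.example.edu", "program": "BSc Math"},
]

# Assumed policy: which source owns which attribute. HR owns name and mail for
# anyone it knows; the student system owns academic attributes and may supply
# name and mail only for people HR has no record of.
AUTHORITY = {"sn": "hrms", "givenName": "hrms", "mail": "hrms",
             "title": "hrms", "department": "hrms", "program": "sis"}
FALLBACK_FROM_SIS = {"sn", "givenName", "mail"}
AFFILIATION = {"hrms": "employee", "sis": "student"}


@dataclass
class JoinResult:
    entries: dict = field(default_factory=dict)    # person_id -> joined attributes
    conflicts: list = field(default_factory=list)  # (person_id, attr, kept, rejected)


def join_sources(hrms_feed, sis_feed):
    """Join both feeds on person_id, applying the authority policy attribute by attribute."""
    sources = {"hrms": {r["person_id"]: r for r in hrms_feed},
               "sis": {r["person_id"]: r for r in sis_feed}}
    result = JoinResult()
    for pid in sorted(set(sources["hrms"]) | set(sources["sis"])):
        entry = {"person_id": pid, "affiliations": []}
        for src in ("hrms", "sis"):            # authoritative source is processed first
            record = sources[src].get(pid)
            if record is None:
                continue
            entry["affiliations"].append(AFFILIATION[src])
            for attr, value in record.items():
                if attr == "person_id":
                    continue
                owns = AUTHORITY.get(attr) == src
                fallback = (src == "sis" and attr in FALLBACK_FROM_SIS
                            and pid not in sources["hrms"])
                if owns or fallback:
                    entry[attr] = value
                elif entry.get(attr) != value:
                    result.conflicts.append((pid, attr, entry.get(attr), value))
        entry["cn"] = f"{entry['givenName']} {entry['sn']}"
        result.entries[pid] = entry
    return result


def to_ldif(entry, base_dn="dc=example,dc=edu"):
    """Render one joined entry as LDIF for the consolidated directory (assumed DIT layout)."""
    lines = [f"dn: uid={entry['person_id']},ou=people,{base_dn}",
             "objectClass: inetOrgPerson", "objectClass: eduPerson",
             f"uid: {entry['person_id']}"]
    for attr in sorted(a for a in entry if a not in ("person_id", "affiliations")):
        lines.append(f"{attr}: {entry[attr]}")
    lines.extend(f"eduPersonAffiliation: {a}" for a in entry["affiliations"])
    return "\n".join(lines)


if __name__ == "__main__":
    joined = join_sources(HRMS_FEED, STUDENT_FEED)
    for pid in joined.entries:
        print(to_ldif(joined.entries[pid]), end="\n\n")
    print("conflicts:", joined.conflicts)
```

The conflict on person 1001's mail attribute is the point of the example: a meta-directory that lets the last feed win would flip that value on every synchronization cycle, which is the inconsistent-repository problem the deck describes. Reporting the conflict and keeping the authoritative value leaves the data owners to resolve it in the source system.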

Page 13: Identity Management

Core IdM components: User Management & Provisioning
• Identity admin functions that span products and services
• Creation, propagation, maintenance of user accounts, rights
• Categorize users by roles, groups, for efficiency, accuracy
• Provisioning systems support workflows that automate process, reduce admin costs, enhance security
• Create, modify, terminate users across multiple apps
• Workflow approvals by managers
• Centralized admin: push roles, groups, policy
• Centralized password management, reset/sync
• Centralized, rapid termination of accounts
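The create / modify / terminate flow with a manager approval step, as an added example (constructed here, not a provisioning product's code) covering the life cycle of page 7 and the operations listed on this page. The three connected systems, the role-to-system entitlements and the approver of record are assumptions.

```python
"""Provisioning engine across connected systems: constructed example, not a
vendor's product code. Models create / modify / terminate operations, a
manager approval step in the workflow, propagation of role changes to every
connected system, and centralized rapid termination with an audit trail.
"""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    REQUESTED = "requested"
    ACTIVE = "active"
    TERMINATED = "terminated"


@dataclass
class Identity:
    uid: str
    roles: set
    approver: str                   # manager who must approve the request
    state: State = State.REQUESTED


class ConnectedSystem:
    """Stand-in for a target system's provisioning connector (constructed)."""

    def __init__(self, name, entitled_roles):
        self.name = name
        self.entitled_roles = set(entitled_roles)  # roles that earn an account here
        self.accounts = {}                         # uid -> enabled?

    def enable(self, uid):
        self.accounts[uid] = True

    def disable(self, uid):
        if uid in self.accounts:
            self.accounts[uid] = False


class ProvisioningEngine:
    def __init__(self, systems):
        self.systems = systems
        self.identities = {}
        self.audit = []   # (action, uid, where/who): the audit trail the deck calls for

    def request(self, uid, roles, approver):
        self.identities[uid] = Identity(uid, set(roles), approver)
        self.audit.append(("requested", uid, approver))

    def approve(self, uid, approver):
        ident = self.identities[uid]
        if ident.state is not State.REQUESTED or approver != ident.approver:
            raise PermissionError(f"{approver} cannot approve {uid}")
        ident.state = State.ACTIVE
        self.audit.append(("approved", uid, approver))
        self._propagate(ident)

    def _propagate(self, ident):
        """Bring every connected system in line with the identity's current roles."""
        for system in self.systems:
            entitled = bool(ident.roles & system.entitled_roles)
            enabled = system.accounts.get(ident.uid, False)
            if entitled and not enabled:
                system.enable(ident.uid)
                self.audit.append(("enabled", ident.uid, system.name))
            elif not entitled and enabled:
                system.disable(ident.uid)
                self.audit.append(("disabled", ident.uid, system.name))

    def change_roles(self, uid, roles):
        ident = self.identities[uid]
        if ident.state is not State.ACTIVE:
            raise ValueError(f"{uid} is not active")
        ident.roles = set(roles)
        self.audit.append(("roles", uid, ",".join(sorted(roles))))
        self._propagate(ident)

    def terminate(self, uid):
        """Rapid termination: one central action disables the account everywhere."""
        ident = self.identities[uid]
        ident.state = State.TERMINATED
        ident.roles = set()
        self._propagate(ident)
        self.audit.append(("terminated", uid, "central"))

    def active_accounts(self, uid):
        return sorted(s.name for s in self.systems if s.accounts.get(uid))


def demo():
    """Walk one identity through the life cycle; returns the engine and the accounts at each step."""
    systems = [ConnectedSystem("email", {"student", "staff", "faculty"}),
               ConnectedSystem("lms", {"student", "faculty"}),
               ConnectedSystem("hr_portal", {"staff", "faculty"})]
    engine = ProvisioningEngine(systems)
    engine.request("jdoe", ["student"], approver="registrar")
    engine.approve("jdoe", "registrar")
    after_create = engine.active_accounts("jdoe")     # email, lms
    engine.change_roles("jdoe", ["faculty"])
    after_change = engine.active_accounts("jdoe")     # email, hr_portal, lms
    engine.terminate("jdoe")
    after_terminate = engine.active_accounts("jdoe")  # none
    return engine, after_create, after_change, after_terminate


if __name__ == "__main__":
    engine, *steps = demo()
    print(steps)
    for line in engine.audit:
        print(line)
```

Termination disables rather than deletes accounts, so the connected systems keep the record that the user existed and the audit log shows which system was disabled and when; that is what makes the "who had access on date X" question answerable later.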

Page 14: Identity Management

Core IdM components: User Management continued
• Delegated admin tools distribute workload (and liability)
• Assign subset authority to a designated user or group
• Moves responsibility to partner, supplier or other constituent
• Self-service increases satisfaction, data integrity
• Users can modify info
• Self-service password reset a high priority for many companies
• Self-service registration, subscription services can kick off workflow and provisioning process to speed revenue generation

Page 15: Identity Management

Core IdM components: Authentication
• Principal provides sufficient credentials to satisfy challenge, gaining access to a service, application, or system
• Variety of authentication mechanisms
• Strength necessary depends on the needs of the application
• User name/password, personal identification numbers (PINs)
• Tokens (SecurID), digital certificates (PKI)
• Biometrics (fingerprint scans, retinal scans)
• User name/password most common
• Will remain so until the cost and complexity of stronger authentication subsides

Page 16: Identity Management

Core IdM components: Web Access Management
• Determining rights, privileges using policy-based systems
• Web-based access management products combine authentication, authorization => Single Sign On (SSO)
• Use roles-, group-, rules-based systems for scalability
• Integrate with applications/application servers
• Identify objects by URL, operate at page, button, field level
• Integrate with identity repositories: directory, database
• Support multiple authentication systems
• Include user management functions
• Dynamic enforcement w/variables (location, time)
• Session management after authentication

Page 17: Identity Management

Core IdM components: Authorization Services
• Control access to apps, services, information resources
• Maintain sufficient user and organization information for discretionary access control
• Use multiple, flexible means of policy enforcement
• Roles, groups, rules
• Dynamic for high value resources (stored value, transactions)
• Static for low value resources (printers, ordinary files)
• Affected by variables, such as machine location, time of day, attribute values in directory or database
• Integrate applications with general purpose authorization systems leveraging common data/policy
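A policy decision combining the static and dynamic rules listed above, as an added example (constructed here, not a product's policy engine). It also applies the point from the authentication slide that the required credential strength depends on the application: a high-value resource demands at least a token. The subjects, resources, the campus address space and the business-hours window are assumptions made for the example.

```python
"""Policy-based authorization decision: constructed example, not a product's
policy engine. Combines static role/group checks with dynamic rules (time of
day, network location, a directory attribute) and a minimum authentication
strength that rises with the value of the resource.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Assumed ranking of authentication mechanisms, weakest to strongest.
AUTHN_STRENGTH = {"password": 1, "token": 2, "certificate": 3}
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")       # constructed campus address space
BUSINESS_HOURS = (time(7, 0), time(19, 0))            # assumed policy window


@dataclass(frozen=True)
class Subject:
    uid: str
    roles: frozenset
    groups: frozenset
    attrs: dict                 # attributes read from the directory
    authn_method: str
    source_ip: str


@dataclass(frozen=True)
class Resource:
    name: str
    value: str                  # "low" (static policy) or "high" (dynamic policy)
    allowed_roles: frozenset
    allowed_groups: frozenset = frozenset()


def evaluate(subject, resource, now):
    """Return (allowed, reason). Every applicable rule must pass; the first failure is reported."""
    if not (subject.roles & resource.allowed_roles
            or subject.groups & resource.allowed_groups):
        return False, "no matching role or group"
    required = 2 if resource.value == "high" else 1
    if AUTHN_STRENGTH.get(subject.authn_method, 0) < required:
        return False, "authentication too weak for resource value"
    if resource.value == "low":
        return True, "static policy satisfied"
    # Dynamic rules apply only to high-value resources.
    if ipaddress.ip_address(subject.source_ip) not in CAMPUS_NET:
        return False, "high-value resource not reachable from off campus"
    if not (BUSINESS_HOURS[0] <= now.time() <= BUSINESS_HOURS[1]):
        return False, "outside business hours"
    if subject.attrs.get("accountStatus") != "active":
        return False, "directory accountStatus is not active"
    return True, "dynamic policy satisfied"


# Constructed sample resources and subjects.
PRINTER = Resource("dept-printer", "low", frozenset({"student", "staff", "faculty"}))
GRADEBOOK = Resource("gradebook-update", "high", frozenset({"faculty"}),
                     allowed_groups=frozenset({"registrar-office"}))

STUDENT_PW = Subject("pat", frozenset({"student"}), frozenset(),
                     {"accountStatus": "active"}, "password", "10.1.2.3")
FACULTY_PW = Subject("jdoe", frozenset({"faculty"}), frozenset(),
                     {"accountStatus": "active"}, "password", "10.1.2.4")
FACULTY_TOKEN = Subject("jdoe", frozenset({"faculty"}), frozenset(),
                        {"accountStatus": "active"}, "token", "10.1.2.4")
FACULTY_TOKEN_REMOTE = Subject("jdoe", frozenset({"faculty"}), frozenset(),
                               {"accountStatus": "active"}, "token", "203.0.113.7")
REGISTRAR_CLERK = Subject("rroe", frozenset({"staff"}), frozenset({"registrar-office"}),
                          {"accountStatus": "suspended"}, "token", "10.2.0.9")


def check(subject, resource, hour, minute=0):
    """Evaluate at a fixed date (the seminar date) so results are reproducible."""
    return evaluate(subject, resource, datetime(2004, 8, 10, hour, minute))


if __name__ == "__main__":
    cases = [(STUDENT_PW, PRINTER, 10), (FACULTY_PW, GRADEBOOK, 10),
             (FACULTY_TOKEN_REMOTE, GRADEBOOK, 10), (FACULTY_TOKEN, GRADEBOOK, 23),
             (FACULTY_TOKEN, GRADEBOOK, 10), (REGISTRAR_CLERK, GRADEBOOK, 10)]
    for subj, res, hour in cases:
        print(subj.uid, res.name, f"{hour:02d}:00", check(subj, res, hour))
```

The ordering of the checks matters: membership and credential strength are decided before any dynamic variable is consulted, so a low-value resource such as the printer never touches location, time or directory lookups, which is the cost difference between static and dynamic policy that the slide draws.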

Page 18: Identity Management

Core IdM components: Identity Federation
• Agreements, standards, technologies that make identity and entitlements portable across autonomous domains

Figure: the zones from page 8 (internal systems and data; interior systems, loosely or tightly-coupled, integrated or federated: students, faculty, staff; extranets: research partners; loosely-coupled, federated exterior systems: less-known partner or xSP; the Internet: unknown), with the relationships between them labeled Join, Delegate and Federate

Page 19: Identity Management

Core IdM components: Identity Federation
• Don’t need prior knowledge of complex system internals or pair-wise mappings between systems
• Define rules that bind autonomous domains to a common method of exchanging identity information
• Provide framework for negotiating agreements, defining interactions
• Map to the federation standards by applying transformations at the boundaries between domains
• Honor each other’s decisions and trust each other’s assertions, but in the context of their own local policies

Page 20: Identity Management

Federation - Shibboleth

Figure: a user from Crimson College (enterprise directory) requests a protected resource at Rouge University
1. I want to access your protected resource
2. Where are you from?
3. Crimson College
4. Tell me if this person is a legitimate student
5. This person is a legitimate student

Page 21: Identity Management

Figure: Shibboleth components and message flow (steps 1 through 11 in the original diagram). Origin site: WAM (web SSO), enterprise directory, handle service, attribute authority. Target site: SHIRE, SHAR, resource manager, web-enabled protected resource. Between them: WAYF and the handle.
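The exchange on pages 20 and 21, simulated end to end with both sides' messages, as an added example: constructed for this page, not Internet2/MACE Shibboleth code and not Burton Group's. The target site (SHIRE, SHAR, resource manager) never learns the user's login name or password; it receives a signed, opaque handle, asks the origin's attribute authority about it, and then applies its own local policy to what the origin asserted, which is the "trust each other's assertions, in the context of local policy" point from page 19. Site names, directory contents, the HMAC-signed handle format and the shared federation keys are assumptions made for the example.

```python
"""Shibboleth-style federated access, simulated end to end: constructed example,
not Internet2/MACE or Burton Group code. Rouge University (target site: SHIRE,
SHAR, resource manager) asks Crimson College (origin site: web SSO, enterprise
directory, handle service, attribute authority) whether a visitor is a
legitimate student, then applies its own local policy to the answer.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Assumed: federation members share one HMAC key per origin (real deployments use PKI).
FEDERATION_KEYS = {"crimson.example.edu": b"constructed-federation-key"}


@dataclass
class OriginSite:
    name: str
    directory: dict            # uid -> attributes (the enterprise directory, constructed)
    release_policy: frozenset  # attribute names the origin agrees to release
    handles: dict = field(default_factory=dict)   # opaque handle -> uid

    def handle_service(self, uid, password, target):
        """Web SSO authenticates the user; the handle service issues a signed, opaque handle."""
        user = self.directory.get(uid)
        if user is None or not hmac.compare_digest(user["password"], password):
            return None
        handle = secrets.token_hex(8)
        self.handles[handle] = uid
        assertion = f"{handle}|{self.name}|{target}"       # handle, issuer, intended audience
        sig = hmac.new(FEDERATION_KEYS[self.name], assertion.encode(), hashlib.sha256).hexdigest()
        return {"assertion": assertion, "sig": sig}

    def attribute_authority(self, handle):
        """Answer the SHAR's attribute query, releasing only what policy allows."""
        uid = self.handles.get(handle)
        if uid is None:
            return {}
        return {k: v for k, v in self.directory[uid].items() if k in self.release_policy}


class TargetSite:
    def __init__(self, name, origins, local_policy):
        self.name = name
        self.origins = origins            # origin name -> OriginSite (the WAYF's list)
        self.local_policy = local_policy  # affiliations this resource admits
        self.trace = []

    def shire(self, signed):
        """SHIRE checks that the handle assertion is from a federation member and meant for us."""
        assertion, sig = signed["assertion"], signed["sig"]
        handle, origin_name, audience = assertion.split("|")
        key = FEDERATION_KEYS.get(origin_name)
        if key is None or audience != self.name:
            return None
        expected = hmac.new(key, assertion.encode(), hashlib.sha256).hexdigest()
        return (handle, origin_name) if hmac.compare_digest(expected, sig) else None

    def access(self, uid, password, origin_name):
        """Run the five-step exchange from page 20; returns (granted, reason)."""
        self.trace.append("1. user -> Rouge: I want to access your protected resource")
        self.trace.append("2. Rouge -> user (WAYF): Where are you from?")
        self.trace.append(f"3. user -> WAYF: {origin_name}")
        origin = self.origins.get(origin_name)
        if origin is None:
            return False, "origin not in federation"
        signed = origin.handle_service(uid, password, self.name)
        if signed is None:
            return False, "origin authentication failed"
        verified = self.shire(signed)
        if verified is None:
            return False, "SHIRE rejected the handle"
        handle, _ = verified
        self.trace.append("4. SHAR -> attribute authority: Tell me if this person is a legitimate student")
        attrs = origin.attribute_authority(handle)
        self.trace.append(f"5. attribute authority -> SHAR: {attrs}")
        # The resource manager trusts the assertion but applies Rouge's own local policy.
        if attrs.get("eduPersonAffiliation") in self.local_policy:
            return True, "resource released"
        return False, "local policy denies"


def build_federation():
    """Constructed two-member federation: one origin, one target."""
    crimson = OriginSite(
        "crimson.example.edu",
        directory={"pat": {"password": "constructed-pw", "eduPersonAffiliation": "student",
                           "mail": "pat@crimson.example.edu"},
                   "sam": {"password": "constructed-pw2", "eduPersonAffiliation": "alum",
                           "mail": "sam@crimson.example.edu"}},
        release_policy=frozenset({"eduPersonAffiliation"}))
    rouge = TargetSite("rouge.example.edu", {"crimson.example.edu": crimson},
                       local_policy=frozenset({"student", "faculty"}))
    return crimson, rouge


if __name__ == "__main__":
    crimson, rouge = build_federation()
    print(rouge.access("pat", "constructed-pw", "crimson.example.edu"))
    print("\n".join(rouge.trace))
```

Two details carry the security argument. The assertion names its intended audience, so a handle issued for one target site is rejected by another, and the attribute authority answers only from the release policy, so Rouge sees the affiliation but never the mail attribute or the password. The alumnus case shows the local-policy half: Crimson truthfully asserts "alum", and Rouge's resource manager, not Crimson, decides that is not enough.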

Page 22: Identity Management

Internet2/MACE Shibboleth Roadmap - 7/2004 (timeline from 7/1/2004 to 12/31/2006)

Q3’04
+ Shibboleth 1.2 and OpenSAML released
  - Adopt SAML 2.0 terminology, architecture
  - Increased compatibility with SAML 1.1 products
  - Increased software modularity
+ Early prototyping of management tools
+ Application focus on information services providers
+ InCommon federation rollout

Q4’04
+ Shibboleth 1.3 released
  - Support browser artifact profile
  - Improved Java application support
+ Early versions of management tools
+ Improved system documentation
+ Many expected production rollouts

2005
+ Shibboleth 2.0 and OpenSAML 2.0 released
  - Migration to SAML 2.0 standard
  - Support for SAML WS-Federation features as deemed practical
  - Possible web services features added
+ Maturation of management tools
+ Increased decentralization of development, research and direction setting

2006
+ Technical focus likely to move to web services and middleware integration
+ Personalized tools for managing privacy and access control to target resources
+ Application focus on grids, networks and DRM
+ Increased commercialization of support and technology
+ Increased interaction among education, government and commercial federations

Page 23: Summary

Putting the pieces together

Page 24: Identity Management

Key Vendors

Authentication (PKI/other/specialized): Verisign, Entrust, Microsoft, RSA, others…
Access management (web access mgmt): Netegrity, IBM, Oblix, RSA, Entrust, Novell, Sun, HP, Aventail, others…
User management
• Provisioning: IBM, BMC, Netegrity/Bus. Layers, Novell, HP, Sun/Waveset, Thor, others…
• Identity and policy admin: Oblix, Sun, Calendra, IBM, Netegrity, Novell, others…
Directory services
• Directory repositories/LDAP: Sun, Novell, Microsoft, Critical Path, IBM, Oracle, Siemens, others…
• Meta-directory: Sun, Novell, MaxWare, Microsoft, Critical Path, IBM, Siemens, others…
• Virtual directory: Calendra, MaxWare, Radiant Logic, Octetstring

Page 25: Identity Management

What are your IdM challenges?
- Tactical
- Long Term

Page 26: IdM Business Case

Justifications can be broken down into five overarching areas
1. Improved user experience
2. Cost savings
3. Security: Lifecycle identity administration
   • Audience: IT administrative, HR, Student Administration
4. Security: Policy enforcement
   • Audience: Resource owners
5. Competitive advantage

Page 27: Improving the End-User Experience

Justification 1: “Improving end-user experience” provides
• Reduced Sign-On (sometimes called “single sign-on”)
• Improved quality of experience (QoE) for all types of end users
• Simplified, personalized access
• Automated password reset and other user grantable services

Page 28: Improving the End-User Experience

What is the “improving end-user experience” business case?
• Improved efficiency of users
• User self-service allows users to personalize their own experience
• Minimization of errors
• University image
• Clear business processes
• Consolidation of application interfacing (single face)

Page 29: Cost Savings

Justification 2: “cost savings” provide
• Hard dollar savings
  • Help desk password resets easily measured (specific number?)
  • Duplicate administration responsibilities
  • Eliminating redundant software and solutions
  • Canceling cell phone, other paid services after employee termination
• Soft dollar savings
  • User productivity
    • Training to use duplicate facilities
    • 15 minutes per user per day used for authentication
    • Bad addresses in directories waste time finding phone numbers, e-mail addresses
  • “Hidden administrative” costs
    • Many directories means many administrators usually taking time out of their real job

Page 30: Cost Savings

Figure: overlapping product categories (meta-directory, virtual directory, provisioning, access management, password management, authentication, appliances)

Overlap without integration causes consternation and cost
• Counterintuitive and counter-economic

Page 31: Cost Savings

Technologies: Directory services benefits (cont.)

Page 32: Security – Life Cycle Identity Management

Justification 3: “Security – Life cycle identity management” provides
• Elimination of the potential for errors, omissions and redundancies in identity data across systems
• Accuracy and completeness of identity information
• Better management of identity lifecycle
• Dissemination of assets, services and accounts
• The right resources to the right people at the right time
• Logging and audit capabilities of information assets and resources
• Connect ID access with application access

Page 33: Security – Life Cycle Identity Management

What is the “Security – life cycle identity management” business case?
• Fragmented identity management infrastructure results in high costs of operations, inability to scale, redundancy and inefficiency
• Dormant and orphan accounts represent security risks
• Need over-arching management capabilities providing auditability and accountability
• Business climate demands delegated and self-service account administration
• Basis for a new class of solution, brought about by vendors with differing backgrounds and capabilities
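The dormant and orphan accounts named above, found by reconciling each connected system's account inventory against the authoritative directory, as an added example (constructed here, not a product's audit report). The directory contents, the per-system inventories with last-login dates and the 90-day dormancy window are assumptions; a real run would read LDAP and each system's authentication logs.

```python
"""Dormant and orphan account detection: constructed example, not a product's
audit report. An orphan is an account in a connected system whose owner has no
active entry in the authoritative directory; a dormant account has a live
owner but no use within the policy window.
"""
from collections import Counter
from datetime import date, timedelta

# Constructed: authoritative directory status per uid, and per-system account
# inventories with last-login dates (None = never used). A real run would pull
# these from LDAP and from each system's authentication logs.
DIRECTORY = {"jdoe": "active", "rroe": "active", "ppoe": "terminated"}
SYSTEM_ACCOUNTS = {
    "email": {"jdoe": date(2004, 8, 1), "rroe": date(2004, 2, 3),
              "ppoe": date(2004, 7, 30), "svc_backup": None},
    "lms": {"jdoe": date(2004, 8, 5), "ghost": date(2003, 12, 1)},
}
AS_OF = date(2004, 8, 10)      # the seminar date, used as the reporting date
DORMANT_DAYS = 90              # assumed policy window

ORPHAN_NO_ENTRY = "orphan: no directory entry"
ORPHAN_TERMINATED = "orphan: owner terminated"
DORMANT = "dormant"


def reconcile(directory, system_accounts, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Compare every system account with the directory; return sorted (system, account, finding)."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for system, accounts in system_accounts.items():
        for account, last_login in accounts.items():
            status = directory.get(account)
            if status is None:
                findings.append((system, account, ORPHAN_NO_ENTRY))
            elif status != "active":
                findings.append((system, account, ORPHAN_TERMINATED))
            elif last_login is None or last_login < cutoff:
                findings.append((system, account, DORMANT))
    return sorted(findings)


def summarize(findings):
    """Counts per finding type, the figure a business case would quote."""
    return dict(Counter(f[2] for f in findings))


if __name__ == "__main__":
    found = reconcile(DIRECTORY, SYSTEM_ACCOUNTS)
    for system, account, finding in found:
        print(f"{system:8} {account:12} {finding}")
    print(summarize(found))
```

The two orphan categories deserve different handling: an account whose owner the directory marks terminated is a provisioning failure (termination was never propagated), while an account with no directory entry at all, such as a service account created locally, is a gap in the authoritative source and needs an owner assigned before it can be governed.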

Page 34: Security – Policy Enforcement

Justification 4: “Security – Policy enforcement” provides
• Response to heightened government oversight and regulations (e.g., FERPA, HIPAA, GLBA, etc.)
• Minimization of security risks associated with dormant or orphaned accounts
• Cost avoidance in security administration
• Optimization of security functions with less burdensome administration activities
• More secure access to sensitive resources and applications both internal and external to the organization
• Centralized authorization framework across multiple applications

Page 35: Security – Policy Enforcement

What is the “Security – policy enforcement” business case?
• Promote compliance to regulatory requirements
• Protection of university resources and information assets
• Protection of intellectual property
• Support internal audits and risk assessments
• Determine, through policy, who can access systems that support business processes and what they can do
• Provide stronger authorization based upon the value or sensitivity of the information
• Provide risk and liability management

Page 36: Competitive Advantage

Justification 5: “competitive advantage” provides
• Framework for rapid deployment of internal and external applications
• Standards to minimize administrative overhead
• Reduction and consolidation of existing resources and personnel
• Support and protection of intellectual property
• Flexible infrastructure promoting quicker time to market for product changes and enhancements

Page 37: Competitive Advantage

What is the business case?
• Fragmented identity management infrastructure results in high costs of operations, inability to scale, redundancy and inefficiency
• Business climate demands delegated and self-service account administration
• Basis for school’s image and public or business relationships in autonomous lines of business or research
• Flexible IdM infrastructure facilitates faster introduction of new products and services

Page 38: Identity Management

What are your business drivers?
- SSO
- Cost savings
- Streamlined lifecycle management
- Consistent university-wide policies
- Competitive advantage
- Others?

Page 39: Design & Deployment Best Practices

• Directory services
  • Most organizations have multiple, fragmented directories
  • Important first step: Consolidation creates authoritative sources
  • Directory vendors moving up the food chain to create IdM suites
• Provisioning
  • Many in-house scripts or programs, but packaged software is here
  • But today provisioning systems aren’t interoperable
  • Provisioning can also be hard to deploy
  • Political battles, ownership issues, large-scale integration
  • Help desk incidents (password reset) provide strong case for ROI

Page 40: Design & Deployment Best Practices

• Identity administration
  • Self service and delegated admin are important tools
  • But delegated admin is ultimately limited in scalability: if we all delegate our problems to each other, then we still have problems
  • Standards emerging for security assertions and federation (e.g., Shibboleth)
• Access management
  • Roles are better, but design can be a political, technical quagmire
  • Granular role definitions are more complex, costly to deploy
  • Ultimately access policies must become portable as well
  • But political, technical issues make interoperability much harder

Page 41: Design & Deployment Best Practices

• Most of these technologies come from different vendors
  • Overlap between products and approaches
  • Burden of full integration is often on you, the customer
• Consolidation across these functional categories has already begun, and the market will drive further consolidation over the next year to 18 months
• Vendors succumbing to “platformania”
  • IBM, Sun, HP, Novell
• But the need is clear and the market is driving a solution
  • Hence the focus on interoperability and federation

Page 42: Summary

Methodology
1) Define the business case
2) Assemble the teams – core team, extended team
3) Establish current identity management and directory services architecture baseline
4) Determine architecture requirements
5) Perform gap analysis
6) Develop “target” identity management and directory services architecture
7) Develop migration strategy
8) Establish an architectural review process
9) Begin Deployment

Page 43: Summary

What are the gotchas?
• Getting your data in order (GI->GO?; CRUD!)
• Interoperability vs. interchangeability
• Build vs. buy
• Extending and customizing schema
• Business process definition
• Politics and data ownership
• Data replication topology
• Access control policies
• Measuring and demonstrating success
• Too much, too fast

Page 44: Summary

Figure: layered architecture, bottom to top
• Enabling technology network/basic network infrastructure (network, servers, routers, OS, transport services)
• Basic business infrastructure: LDAP directories, messaging, PBX/CTI/VoIP, security/PKI, management, object services, databases, web services
• Advanced business infrastructure: business process integration, meta directory services, identity management, access/authorization, authentication, resource provisioning
• Identity-based university access: business applications
• Constituents served: employees, legal/public authorities, faculty, staff, suppliers, partners, students

Business processes are really important!

Page 45: Next Steps

Questions and open discussion