best of breed. future-proof your business with idm 2.0


Upload: axiomatics-ab

Post on 08-May-2015


DESCRIPTION

Times have changed and a new approach to identity and access management is required. Join us in a webinar discussion that builds on the capabilities of cutting-edge IAM technologies with leaders in the industry—companies that integrate the latest standards, cutting-edge technologies, and best practices in the field. In contrast to existing IAM suites, our best-of-breed approach gives you the best of all worlds—seamless integration with the highest standards. Our agile team of experts will guide you through top-notch solutions and out-of-the-box integration based on industry standards.

This webinar, on Oct. 23, 2013, from 2-3:30 p.m. (ET), includes Axiomatics, Layer 7 Technologies, Radiant Logic, SailPoint and Sila Solutions Group. See how “The Best of Breed: Future-Proof Your Business with Identity Management” can provide you with new IdM solutions based on real-life use case samples.

By attending this webcast, you will learn:

- The challenges of maintaining and securing access to identity information to keep up with organizational changes and high Governance, Risk and Compliance (GRC) standards.
- How to effectively manage multiple user identities across the enterprise, communities and social activities.
- How to aggregate and federate identity data that is spread across the environment to enable SSO to any application.
- How to author, manage and distribute digital authorization policies for consistent and secure access control for your most sensitive data and applications.

Presented by:

- Stephanie McVitty - Best of Breed Customer Liaison, Compsec
- Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
- Jim Rice - Vice President of Federal, Layer 7
- Wade Ellery - Director of Sales, Radiant Logic
- Phil McQuitty - Director of Systems Engineering, SailPoint
- Gerry Gebel - President, Axiomatics Americas

TRANSCRIPT

Page 1: Best of Breed. Future-Proof Your Business with IdM 2.0

Identity Management for the 21st Century IT Mission

Presented By:

• Paul Grassi: VP of Federal Programs, Sila Solutions Group
• Jim Rice: VP of Federal, Layer 7
• Wade Ellery: Director of Sales and Business Development, Radiant Logic
• Gerry Gebel: President, Axiomatics Americas
• Phil McQuitty: Director of Systems Engineering, SailPoint
• Stephanie McVitty: Account Manager, Compsec

Wednesday: October 23, 2013

Page 2: Best of Breed. Future-Proof Your Business with IdM 2.0

Key Discussion Areas

• Today’s Challenges
• History: How Did We Get Here?
• The Evolution of Access Control
• Building Blocks for Agile Access
• Creating a Framework for Success
• The Ideal ABAC Process
• Use Case Deep Dive
• Next Steps: Are You ABAC-Ready?

Page 3: Best of Breed. Future-Proof Your Business with IdM 2.0

3

Today’s Challenges

Page 4: Best of Breed. Future-Proof Your Business with IdM 2.0

How Did We Get Here?

• We keep trying to solve a legacy problem with a legacy solution
• Made authorization an IT solution, not a business solution
• Bogged down with stovepipes, multiple policies, and poorly defined infrastructure
• Focused on the door – not the data
• Yet, we’ve done some amazing things

We have made great progress! Industry deserves credit. Examples: NSTIC/IDESG, NIST 800-162 Draft, FICAM AAES work; focus on attributes and confidence scores.

Page 5: Best of Breed. Future-Proof Your Business with IdM 2.0

The Evolution of Access Control (diagram)

• Legacy Problem with Legacy Solution: IBAC, ACL, RBAC, eRBAC (technical; local policy; proprietary enforcement)
• Legacy Problem with Better Solution: ABAC (fine grained; attribute-driven)
• Future Proofed Business Solution: PBAC (reusable policy; context aware; externalized; standards based; business driven; non-technical)

Page 6: Best of Breed. Future-Proof Your Business with IdM 2.0

Building Blocks for Agile Access (diagram)

Inputs: Federated Identity; Federated Attributes; Environment Context; Resource Attributes; Action; Reusable Policy

Output: Agile Access Decisions

Page 7: Best of Breed. Future-Proof Your Business with IdM 2.0

ABAC Framework (diagram)

• Policy Lifecycle Management
• Business Process Engineering and Optimization
• Programmatic and Technical Management

Also shown: Portability, Confidence, and Trusted Attributes; Access Anywhere (Mobility/Cloud); Lifecycle, Governance and Risk; Mission Agility

Page 8: Best of Breed. Future-Proof Your Business with IdM 2.0

8

Layer 7 Overview (diagram)

Applications & Data; Enterprise; Outside Partners / Divisions; External Developers; Mobile Apps; Cloud Services; Other Things

Layer 7 API Gateways Provide API Access Control for the New “Open” Enterprise

Page 9: Best of Breed. Future-Proof Your Business with IdM 2.0

Enterprises are Exposing More Connectivity & Security

Challenges for Open Enterprise:

• Protection of applications exposed over internet
• Reuse of information shared across departments, partners, mobile & Cloud
• Ease of integration: reconciling disparate identity, data types, standards, services
• Federated & Delegated Security
• Performance optimization (caching, protocol compression, …)
• Brokering cloud services
• Proxy connections to social, cloud, notification services that enterprises can control
• Cloud interactions
• Central governance of policies and security

Diagram labels: Mobile / Tablet Apps; Web Platform Integration; Open APIs for Developer Channel; Private Cloud Annexes (Savvis or Datacenter); Cloud Services; Over the Top TV and Media (Xbox Live and Smart TV); Real-time Partner Integration; Login/Password

This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/public.

Page 10: Best of Breed. Future-Proof Your Business with IdM 2.0

Layer 7 Policy Approach (diagram)

Components: API Integration Gateway; API Service Manager; API Identity & Access Broker; API Developer Portal

Capabilities shown: Health Tracking; Workflow; Performance; Global Staging; Developer Enrollment; API Docs; Forums; API Explorer; Rankings; Quotas; Plans; Analytics; Reporting; Config Migration; Patch Management; Policy Migration; Throttling; Prioritization; Caching; Routing; Traffic Control; Transformation; Security; Composition; Authentication; Single Sign On; API Keys; Entitlements; Token Service; OAuth 1.x; OAuth 2.0; OpenID Connect

Page 11: Best of Breed. Future-Proof Your Business with IdM 2.0

11

Layer 7 ABAC Reference Implementation

Page 12: Best of Breed. Future-Proof Your Business with IdM 2.0

RadiantOne Architecture

• Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.
• Aggregation, Correlation, Transformation, and Normalization of the user identity provides the foundation for Attribute Based Access Control.

(Diagram: identity silos feeding RadiantOne, which serves multiple Consumers.)

Page 13: Best of Breed. Future-Proof Your Business with IdM 2.0

RadiantOne Key Capabilities (diagram)

Identity sources:

HR Database:
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234

LDAP Directory:
uid=AFuller
title=Vice Pres. Sales
givenName=Andrew
sn=Fuller
departmentNumber=234

Active Directory:
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]=234
title=Sales, VP

Correlated Identity Virtual View (correlation rules/logic; an existing single unique identifier is not required):
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
memberOf=Sales
nDepartment=Sales

Dynamic Groups Virtual View (computed attribute, based on identities that have ClearanceLevel=1, nTitle=VP Sales, Region=PA):
cn=Sales
objectClass=group
member=Andrew_Fuller

Normalized Attribute Values (Federated Identity Attribute Server):
Attribute: nDepartment. Values: Accounting; Administration; Business Development; Distribution; Marketing; Production; Research; Sales; Shipping
Attribute: nTitle. Values: CEO; CIO; CISO; VP Sales; VP Marketing

Page 14: Best of Breed. Future-Proof Your Business with IdM 2.0

Axiomatics Architecture (diagram)

• Manage: Policy Administration Point
• Decide: Policy Decision Point
• Support: Policy Information Point; Policy Retrieval Point
• Enforce: Policy Enforcement Point

Page 15: Best of Breed. Future-Proof Your Business with IdM 2.0

15

Authorization at Any Layer

Page 16: Best of Breed. Future-Proof Your Business with IdM 2.0

16

Anywhere Authorization Architecture

Page 17: Best of Breed. Future-Proof Your Business with IdM 2.0

SailPoint Architecture (diagram)

SailPoint ICAM Solutions: Access Request & Provisioning; Password Management; Compliance Management; Single Sign-On; Identity Analytics

Unified Governance Platform: Role Model; Policy Model; Identity Warehouse; Risk Model; Workflow

Open Connectivity Foundation: Service Desk Integration; Resource Connectors; Provisioning Integration; Security & Activity; Cloud SaaS

Page 18: Best of Breed. Future-Proof Your Business with IdM 2.0

Entitlement Giving Attributes (diagram)

Sources and targets: HR Data; Security Directory; Attributes; System; Target

Business Process Management: Ownership; Relationships; Modeling; Review Process; Change Process; Audit Process

Page 19: Best of Breed. Future-Proof Your Business with IdM 2.0

The Business Process of IAM Data Management (diagram)

Identity & Access Governance: Ownership & Responsibility; Change Control; Versioning; History; Verification & Review; Analytics & Reporting

Entitlement Giving Attributes… (HR Data; Security Directory; Attributes; System; Target)

Page 20: Best of Breed. Future-Proof Your Business with IdM 2.0

Benefits of Our Solution

Operational:

• Simple Change Management: Easy to deploy new policy without underlying changes to application infrastructure.
• Maximum Efficiency and Flexibility
• Range of Deployment Options: Deploy for performance and architectural needs while maintaining 100% conformance with open standards.
• Simple and Effective Management
• Cost Effective
• Scalable
• Interoperable

Business:

• Business-Friendly Management: Policy management and insight available to all levels of the organization.
• Increased Access to Information: Eliminate time consuming and confusing processes to gain access to information.
• Increased Security and Compliance

Page 21: Best of Breed. Future-Proof Your Business with IdM 2.0

The Ideal Process

Access barriers are removed so users can get their jobs done more efficiently.

Page 22: Best of Breed. Future-Proof Your Business with IdM 2.0

22

High Level Use Cases

• Patient can manage record from authorized personal devices; opts in and authorizes PCP and staff to view
• Doctor can read from office computer; can write to entire record
• Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs. Nurse can “break the glass” to access location agnostic information
• Receptionist trained in HIPAA data protection can only view services performed
• Claims coordinator can only view appointment information
• Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt-in

Page 23: Best of Breed. Future-Proof Your Business with IdM 2.0

Conceptual Architecture (diagram)

Components: AuthN Services; Secure Gateway; EHR Systems; Federated Identity Virtualization; Policy Administration; Policy Server; Attribute Sources (NPI Registry, Patients, Hospital)

Views: Provider View; R&D View; Insurance View; Patient View

Parties: R&D; Insurance; Governance

Page 24: Best of Breed. Future-Proof Your Business with IdM 2.0

Patient Use Case (sequence diagram)

• Patient attempts to update personal EHR to add blood pressure (BP) information and opt-in to share info with doctor
• Intercepts the request; check request validity: verify patient access using registered device; verify accessing own record
• Check if authorized; request/receive required attributes (EHR owner, authorized devices) from the attribute sources: Patient EHR preferences/metadata; signed opt-in forms; list of registered devices
• Permit: allows patient access to EHR system; update BP; authorize doctor to access information

Page 25: Best of Breed. Future-Proof Your Business with IdM 2.0

Doctor Use Case (sequence diagram)

• Doctor attempts to update patient EHR from office computer (Hospital Network EHR)
• Intercepts the request; check request validity; check access from office computer
• Check if authorized; request/receive required attributes (EHR owner, authorized devices); verify patient opt-in against the list of signed opt-in forms (Patient EHR preferences/metadata)
• Permit: allows doctor access to patient EHR

Page 26: Best of Breed. Future-Proof Your Business with IdM 2.0

Remaining Use Cases (table: Use Case / Request / Layer 7 / Axiomatics / Radiant Logic / EHR)

Nurse
Request: Rheumatology nurse requests access to patient EHR
Layer 7 / Axiomatics: Checks request location/validity; checks PDP for authorization; validates nurse/patient relationship; allows access to specific attributes of patient EHR
Radiant Logic: Provide nurse and patient attributes to PDP
EHR: Allows nurse access to read patient rheumatology attributes of EHR; write diagnostics

“Break Glass”
Request: Nurse requests access to patient cardiac information when patient shows heart attack symptoms
Layer 7 / Axiomatics: Checks request validity; checks PDP for authorization; validates environmental attributes from hospital; validates nurse/patient relationship
Radiant Logic: Provide Hospital, Nurse and Patient attributes to PDP
EHR: Allows Nurse access to read Rheumatology and Cardiac attributes of EHR, write diagnostics

Reception
Request: Reception requests access to patient services to prepare bill
Layer 7 / Axiomatics: Checks request location/validity; checks PDP for authorization; validates employee HIPAA training; validates employee/patient relationship
Radiant Logic: Provide employee and patient attributes to PDP
EHR: Allows help desk access only to services performed

Insurance
Request: Insurance claims processor requests access to patient EHR
Layer 7 / Axiomatics: Checks request location/validity; checks PDP for authorization; validates processor employment with insurance company; validates covered incident; validates insurance/patient relationship
Radiant Logic: Provide processor, patient, and insurance attributes to PDP
EHR: Allows claims processor access only to covered incident information

Research & Development
Request: Cardiovascular research center requests access to all cardiology patient data
Layer 7 / Axiomatics: Authenticates R&D server; checks PDP for authorization; validates research center and scope; provides SQL PEP to filter result set and return anonymous data
Radiant Logic: Provide employee and research center attributes to PDP
EHR: Allows employee access only to anonymized data pertaining to research center scope
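The use cases above all follow the same pattern: a PDP evaluates subject, resource and environment attributes fetched from attribute sources, then a PEP enforces the result. The following Python is an added example, not code from the deck or from any of the vendors named in it; it encodes the healthcare rules as one small PDP. The attribute tables, identifiers and the "audit-break-glass" obligation are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed attribute sources standing in for the PIP lookups the deck lists
# (signed opt-in forms, registered devices, ward assignments, HIPAA training).
OPT_INS = {"pat-1": {"dr-1"}}                # patient -> providers the patient opted in to share with
REGISTERED_DEVICES = {"pat-1": {"phone-7"}}  # patient -> authorized personal devices
NURSE_WARD = {"rn-1": "rheumatology"}        # nurse -> assigned ward ("location" in the deck)
HIPAA_TRAINED = {"rcp-1"}                    # reception staff with HIPAA data-protection training
RESEARCH_OPT_IN = {"pat-1"}                  # patients who opted in to anonymized research use
NURSE_WRITABLE = {"demographics", "symptoms", "vitals"}


@dataclass(frozen=True)
class Request:
    subject: dict   # e.g. {"id": "rn-1", "role": "nurse"}
    action: str     # "read" or "write"
    resource: dict  # {"owner": "pat-1", "ward": "cardiac", "section": "vitals", "anonymized": False}
    env: dict       # {"device": ..., "location": ..., "break_glass": bool}


def decide(req: Request) -> tuple[str, list[str]]:
    """Policy Decision Point: returns ("Permit" | "Deny", obligations for the PEP)."""
    s, act, res, env = req.subject, req.action, req.resource, req.env
    role, owner = s.get("role"), res.get("owner")
    ward, section = res.get("ward"), res.get("section")
    if role == "patient":
        # Patients manage only their own record, and only from a registered personal device.
        if owner == s.get("id") and env.get("device") in REGISTERED_DEVICES.get(owner, set()):
            return "Permit", []
    elif role == "doctor":
        # The doctor reads/writes the whole record from the office computer, given patient opt-in.
        if env.get("location") == "office" and s.get("id") in OPT_INS.get(owner, set()):
            return "Permit", []
    elif role == "nurse":
        # Reads are limited to the nurse's own ward; writes to demographics/symptoms/vitals only.
        in_ward = ward is not None and ward == NURSE_WARD.get(s.get("id"))
        if in_ward and (act == "read" or section in NURSE_WRITABLE):
            return "Permit", []
        # Break glass: location-agnostic read, only from inside the hospital, always audited.
        if act == "read" and env.get("break_glass") and env.get("location") == "hospital":
            return "Permit", ["audit-break-glass"]
    elif role == "receptionist":
        # HIPAA-trained reception staff may view only the services performed (billing).
        if act == "read" and section == "services_performed" and s.get("id") in HIPAA_TRAINED:
            return "Permit", []
    elif role == "research_server":
        # Research reads anonymized cardiac data only, and only for patients who opted in.
        if (act == "read" and ward == "cardiac" and res.get("anonymized") is True
                and owner in RESEARCH_OPT_IN):
            return "Permit", []
    return "Deny", []  # default deny: no rule matched
```

The obligation returned with a break-glass Permit is what the PEP must act on (log and review the access); a PEP that ignores obligations turns break glass into a silent bypass.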

Page 27: Best of Breed. Future-Proof Your Business with IdM 2.0

Governance Use Case: Health Care Systems Attribute and Policy Governance (diagram)

Entitlement Giving Attributes: Functional Application #1; Functional Application #2 (doc)

Governance steps: Ownership & Responsibility; Change Control; Provision; Verification & Review; Analytics

Identities, certified entitlements & risk scores would be used at the PIP and PDP to make smarter decisions (Axiomatics Policy Server; Axiomatics Policy Auditor).

Page 28: Best of Breed. Future-Proof Your Business with IdM 2.0

Considerations

Target Applications: Establish governance that requires new acquisitions (build or buy) to support interoperability standards. Offer transition plans or alternative access enforcement mechanisms for legacy applications.

Policy Lifecycle: Governance is key, especially if offered as an enterprise service. Use tools to determine if applications can leverage pre-existing policies. Don’t forget that attribute lifecycle is important in managing policy lifecycle.

Deployment Models: Centralized enterprise service is preferred, especially if attribute and NLP applies across organizations. Governance and policy authoring services allow consumers more control.

Audit and Application Owner Control: Link natural language policy to digital policy. Difficult to show traditional ‘who has access to what’. Need to involve audit and compliance organizations in all phases.

Business Process Changes: Access request and workflow provisioning will be impacted. Need to communicate access restrictions effectively. Need workflow for redress of incorrect attribute values.

Privacy: Explore the usage of zero-knowledge assertions to protect user attributes, yet effectively assist policy evaluation.

Page 29: Best of Breed. Future-Proof Your Business with IdM 2.0

Are You Ready?

• Establish Governance
• Choose your standards
• Determine your attributes and metadata
• Determine your authoritative sources
• Create a taxonomy and data dictionary
• Understand your business processes
• Determine the business model
• Decide who will own policy/policy management
• Coordinate with stakeholders across organization, including audit/compliance, privacy, and security operations
• Track performance

Page 30: Best of Breed. Future-Proof Your Business with IdM 2.0

30

Questions?

Page 31: Best of Breed. Future-Proof Your Business with IdM 2.0

31

Contact Us

Paul Grassi, VP of Federal, [email protected], 703.740.1193
Jim Rice, VP of Federal, [email protected]
Wade Ellery, Director of Sales and Business Development, [email protected]
Gerry Gebel, [email protected]
Phil McQuitty, Director of Systems Engineering, [email protected]