Post on 19-Dec-2015
Copyright © 2005 Imanami Corporation. All Rights Reserved.
IdM & Security
Robert Haaverson
Imanami Corporation
Agenda
• What is Identity Management
• Where does IdM fit within Security?
• How does IdM fit into Security?
• Conclusions
• More Information
What is Identity Management?
(Slide shows a Google search: Results 1 - 10 of about 1,110,000 for "Identity Management". (0.34 seconds))
• Traditional Definition: Authentication, Authorization, Access Control
• Current Trend: Audit, Admin (increasing complexity)
What is Identity Management?
Identity Management (IdM) manages identity, which is defined as the quality or condition of being the same; absolute or essential sameness; oneness. Identity is what makes something or someone the same today as it, she, or he was yesterday. Importantly, identity can refer to a thing (e.g. a computer) as well as a person. Things and people can have different identities when working with different systems, or can have more than one identity when working with a single system, perhaps when working in different roles.
Source: Open Group
META’s View
“While simplistic and not entirely accurate, it’s helpful for planning purposes to think of access and identity management as separate layers of an identity architecture.” (META Group)
• Identity Management layer: User Provisioning, Delegated Admin., Audit/logging/reporting, Self-service P/W Mgmt., Workflow
• Identity Infrastructure layer: Directory, Metadirectory, Authentication Servers (e.g. RADIUS, OS), SSO, Authorization Servers (e.g. RBAC, policy)
Gartner’s View
• Functions: Administer, Authenticate, Authorize, with Audit spanning all three
• Components: Identity Administration, Authentication Services, Enterprise Single Sign-on, Password Management, User Provisioning, Metadirectory, Enterprise Access Management, Federated Identity Management
• Two layers: Identity Management (Administration) and Access Management (Real-time Enforcement)
Burton’s View: Burton Group’s Simplified Architecture
• IdM reference architecture root template
Deloitte’s View
• Journey steps (plotted against Business Value and Vision): Identity Repository, Integrated authoritative source, Identity roles, User account provisioning, Strong Authentication, SSO & Portals, Federated Identity, Access Management
Source: Deloitte
Imanami’s View – The IdM Journey
• Journey steps (plotted against Business Value and Vision): Identity Repository, Integrated authoritative source, Identity roles, User account provisioning, Strong Authentication, SSO & Portals, Federated Identity, Access Management
• Added to Deloitte’s steps: Password Reset / Sync
Basic Source: Deloitte
IdM Business Drivers
• Increasing Efficiency
• Enabling Business
• Complying with Regulation
• Increased Security
Basic Source: Computer Associates
Where does IdM fit?
Source: SANS
• Blocking Attacks (Network Based): Intrusion Prevention, Intrusion Detection, Firewall, Anti-Spam
• Blocking Attacks (Host Based): Intrusion Prevention, Spyware Removal, Personal Firewall, Anti-Virus
• Eliminating Security Vulnerabilities: Vulnerability Mgmt, Patch Management, Configuration Mgmt, Security Compliance
• Safely Supporting Authorized Users: ID & Access Mgmt, File Encryption, Authentication / PKI, VPN
• Tools to Minimize Business Losses: Forensic Tools, Backup, Compliance, Business Recovery
Safely Supporting Authorized Users: ID & Access Management
• Verify that the right people are allowed to use a system.
• Ensure they perform only those tasks for which they are authorized.
• Access is blocked when employment is terminated.
Safely Supporting Authorized Users: Authentication
• Verify that the person is who they claim to be, whether via one, two or three factors.
Tools to Minimize Business Losses: Forensic Tools
• When attackers get through, enterprises need to find out what they accessed, what they damaged, and how they got in.
Tools to Minimize Business Losses: Regulatory Compliance Tools
• Gramm-Leach-Bliley, FISMA, Sarbanes-Oxley, and HIPAA each generate enormous documentation burdens for companies, universities, and/or government agencies.
How does IdM fit into Security?
• Object (user) lifecycle management: Provisioning, Change, Deprovisioning
• Strong Authentication / SSO (RSO) n-1
• Enterprise Access Management
• The Whole Enchilada
Object Life Cycle Management: Hire
• Sally’s first day at work
• Systems: PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya, Faxination, IdM
Sally is Provisioned
1. Sally is entered into PeopleSoft.
2. IdM adds Sally to AD.
3. IdM assigns Sally to groups based on her role.
4. IdM adds Sally to other systems based on role.
Object Life Cycle Management: Promotion
• Sally’s second day at work
• Systems: PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya, Faxination, IdM
Sally is Changed
1. Sally’s title is changed in PeopleSoft.
2. IdM updates Sally in AD.
3. IdM adds and removes Sally to and from groups based on her role.
4. IdM adds/removes Sally to/from other systems based on role.
Object Life Cycle Management: Retire
• Sally’s last day at work
• Systems: PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya, Faxination, IdM
Sally is Deprovisioned
1. Sally’s status is changed in PeopleSoft.
2. IdM disables Sally’s account in AD.
3. IdM removes Sally from groups.
4. IdM removes Sally from other systems.
Strong Authentication / SSO: Without IdM
• Bill logs in from home
1. SecurID card (Access)
2. Username & Password (Access)
Strong Authentication / SSO: With IdM
• Bill logs in from home
1. SecurID card (Access to both)
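The two slides above contrast two prompts with one. The exchange below is an added example written for this transcript, not code from the deck or from Imanami; it shows the mechanics that make the second picture possible: the identity provider checks both factors once and issues a short-lived signed ticket, and each application validates the ticket instead of prompting again. The token card is stood in for by an RFC 6238 TOTP; the HMAC ticket format, the signing key, the user store, the password, and the application names are all assumptions constructed for the example.

```python
"""Strong authentication once, then reduced sign-on (RSO) with a signed
ticket. Added example; not code from the slides or from Imanami.

Assumptions (none from the deck): the token card is stood in for by an
RFC 6238 TOTP, the ticket is an HMAC-SHA256 signed JSON body, and the
"applications" are plain functions that trust the ticket instead of
prompting again.
"""
import base64
import hashlib
import hmac
import json
import struct

TICKET_KEY = b"constructed-ticket-signing-key"   # constructed for the example
TICKET_TTL = 600                                 # seconds a ticket stays valid
PW_SALT = b"constructed-salt"                    # constructed; use per-user salts in practice


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP over the time counter (HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 50_000)


# Constructed user store: password verifier, token seed, and the applications
# the user's role entitles them to (the piece IdM supplies).
USERS = {
    "bill": {
        "pw": pw_hash("correct horse"),
        "seed": b"constructed-token-seed-for-bill",
        "apps": {"mail", "hr"},
    }
}


def _pack(body: bytes) -> str:
    sig = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def authenticate(user: str, password: str, otp: str, now: int):
    """Identity provider: check both factors, return a ticket or None."""
    rec = USERS.get(user)
    if rec is None:
        return None
    pw_ok = hmac.compare_digest(pw_hash(password), rec["pw"])
    otp_ok = hmac.compare_digest(totp(rec["seed"], now), otp)
    if not (pw_ok and otp_ok):          # both evaluated: no factor-by-factor oracle
        return None
    claims = {"sub": user, "apps": sorted(rec["apps"]), "exp": now + TICKET_TTL}
    return _pack(json.dumps(claims, sort_keys=True).encode())


def verify_ticket(ticket, app: str, now: int):
    """Relying application: signature, expiry, entitlement. Returns the subject or None."""
    try:
        b64_body, b64_sig = ticket.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(TICKET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims["exp"] <= now or app not in claims["apps"]:
        return None
    return claims["sub"]


def forge_entitlement(ticket: str, app: str) -> str:
    """Attacker edits the body to add an app but cannot produce a matching signature."""
    b64_body, b64_sig = ticket.split(".")
    claims = json.loads(base64.urlsafe_b64decode(b64_body))
    claims["apps"].append(app)
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + b64_sig


def bill_logs_in_from_home(now: int) -> dict:
    """The slide's scenario: one strong login, then the applications open with no second prompt."""
    otp = totp(USERS["bill"]["seed"], now)          # what the token card would display
    ticket = authenticate("bill", "correct horse", otp, now)
    return {
        "mail": verify_ticket(ticket, "mail", now + 5),
        "hr": verify_ticket(ticket, "hr", now + 10),
        "finance": verify_ticket(ticket, "finance", now + 15),                  # not entitled
        "forged_finance": verify_ticket(forge_entitlement(ticket, "finance"), "finance", now + 20),
        "mail_after_expiry": verify_ticket(ticket, "mail", now + TICKET_TTL),
    }
```

Two things the picture does not show: the ticket carries the entitlements the IdM role model granted, so a user who is not entitled to an application is refused even with a valid ticket, and it is signed, so editing it to add an entitlement fails. In a deployment the in-memory key and user store are replaced by the authentication server (RADIUS, the SecurID server, AD) and the ticket by the SSO product's own token.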
Enterprise Access Management: Hire without IdM
• Jim’s first day at work
• Systems (no IdM between them): PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya, Faxination
Enterprise Access Management: Hire with IdM
• Jim’s first day at work
• Systems: PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya, Faxination
• IdM (Business Rules)
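The Hire, Promotion and Retire sequence for Sally above and the business rules box on the Hire-with-IdM slide describe one procedure: the HR record is the authoritative source, a role maps to groups and target systems, and the IdM engine makes the directory match. The script below is an added example for this transcript, not code from the deck or from Imanami; the role-to-group rules, the HR feed, the group names, and the in-memory stand-in for Active Directory and the connected systems are all constructed for it.

```python
"""HR-driven account lifecycle: hire, change, terminate. Added example for
this transcript; not code from the slides or from Imanami.

Assumptions, all constructed for the example: ROLE_RULES is the business
rule set, the HR feed is a list of dicts standing in for PeopleSoft events,
and Directory is an in-memory stand-in for Active Directory plus the
connected systems (Exchange, Live Communications Server, Avaya, Faxination).
"""
from dataclasses import dataclass, field

# Business rules: role -> AD groups and downstream systems (constructed).
ROLE_RULES = {
    "analyst": {
        "groups": {"G-AllStaff", "G-Finance-Read"},
        "systems": {"Exchange", "Live Communications Server"},
    },
    "manager": {
        "groups": {"G-AllStaff", "G-Finance-Read", "G-Finance-Approve", "G-Managers"},
        "systems": {"Exchange", "Live Communications Server", "Avaya", "Faxination"},
    },
}
BASELINE_SYSTEMS = {"Active Directory"}   # the object itself; kept (disabled) on exit


@dataclass
class Account:
    enabled: bool = True
    groups: set = field(default_factory=set)
    systems: set = field(default_factory=set)


class Directory:
    """Stand-in for AD and the connectors; every change is written to audit."""
    def __init__(self):
        self.accounts = {}
        self.audit = []


class IdMEngine:
    def __init__(self, directory):
        self.d = directory

    def reconcile(self, rec):
        """Apply one HR event (PeopleSoft is authoritative). Returns the account."""
        user, status, role = rec["user"], rec["status"], rec.get("role")
        acct = self.d.accounts.get(user)
        if status == "terminated":
            return self._deprovision(user, acct)
        if role not in ROLE_RULES:
            raise ValueError(f"no business rule for role {role!r}")   # fail closed
        if acct is None:                                              # hire
            acct = self.d.accounts[user] = Account(systems=set(BASELINE_SYSTEMS))
            self.d.audit.append(f"provision {user}: created in Active Directory")
        if not acct.enabled:                                          # rehire
            acct.enabled = True
            self.d.audit.append(f"rehire {user}: account re-enabled")
        self._sync(user, acct.groups, ROLE_RULES[role]["groups"], "group")
        self._sync(user, acct.systems, ROLE_RULES[role]["systems"] | BASELINE_SYSTEMS, "system")
        return acct

    def _sync(self, user, have, want, kind):
        """Two-way diff: grant what the role needs, revoke what it no longer needs."""
        for item in sorted(want - have):
            self.d.audit.append(f"add {user} to {kind} {item}")
        for item in sorted(have - want):
            self.d.audit.append(f"remove {user} from {kind} {item}")
        have.intersection_update(want)
        have.update(want)

    def _deprovision(self, user, acct):
        if acct is None:
            self.d.audit.append(f"terminate {user}: no account to disable")
            return None
        acct.enabled = False
        self.d.audit.append(f"deprovision {user}: account disabled in Active Directory")
        self._sync(user, acct.groups, set(), "group")
        self._sync(user, acct.systems, BASELINE_SYSTEMS, "system")
        return acct


def orphaned_access(directory, hr_status):
    """Audit control: enabled accounts with no active HR record behind them."""
    return sorted(u for u, a in directory.accounts.items()
                  if a.enabled and hr_status.get(u) != "active")


def sally_lifecycle():
    """The three slides: day one, promotion, last day; then the control check."""
    d = Directory()
    idm = IdMEngine(d)
    feed = [                                                          # constructed HR events
        {"user": "sally", "status": "active", "role": "analyst"},
        {"user": "sally", "status": "active", "role": "manager"},
        {"user": "sally", "status": "terminated"},
    ]
    snapshots = []
    for rec in feed:
        acct = idm.reconcile(rec)
        snapshots.append((acct.enabled, set(acct.groups), set(acct.systems)))
    # An account created by hand, outside IdM, with no HR record: the control flags it.
    d.accounts["contractor7"] = Account(groups={"G-Finance-Approve"}, systems={"Active Directory"})
    hr_status = {rec["user"]: rec["status"] for rec in feed}          # latest event wins
    return snapshots, orphaned_access(d, hr_status), d.audit
```

The reconciliation is a diff in both directions, which is what turns a promotion into a change rather than an accumulation of old rights, and the audit list is what a compliance reviewer asks for. Termination disables the AD object rather than deleting it so the SID and mailbox can still be examined, and the orphaned_access check at the end is the control that catches an account created outside IdM that never appeared in PeopleSoft.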
Regulatory Compliance
• Accuracy, Auditability, Transparency, Compliance
• Cost, Time, Errors
Trends of IdM in Security
• RSA has more announcements of identity-based approaches to agile and integrated security.
• There is an upcoming paradigm shift, where identity will allow security across dynamic distributed systems.
• "So as security functions become packaged as appliances that can all be integrated and managed with federated protocols that allow centralized policies to create security and auditability, 'security' is relentlessly morphing into 'management by identity'."
- Phil Becker, Editor, Digital ID World
Realizing the Potential of Digital Identity
• Deployment considerations, lessons learned:
– Begin by cleaning your own identity house
• Start looking at how you use identity, authoritative sources, processes
• You still need LDAP directory, meta-directory, and provisioning
• One tool or one suite won’t solve all your IdM problems
– 80% politics and business, 20% technology
• Your mileage may vary, but build in time to get stakeholders on board
– Carefully scope the problem you’re trying to solve
• Manage expectations: Don’t try to solve all problems at once
• Pick projects with early demonstrable results; it’s a long journey, with small steps
• Build momentum (and political capital) for next phase(s)
– All of these are 100% independent of product selection
Contact
Robert Haaverson, CEO, Imanami
[email protected]
Resources
• Digital ID World, May 9-12, Hyatt Embarcadero, San Francisco
• Digital ID World Magazine – http://www.digitalidworld.com
• Burton Group – http://www.burtongroup.com
• Open Group – http://www.opengroup.com
• SANS What Works – http://www.sans.org/whatworks