Upload: jerry-taylor

Post on 15-Jan-2017

200 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Documentation Sample 1

IT Infrastructure Architecture and Solutions

Enterprise Identity and Access Management Design Criteria

_________________________________________

Creation Date: 07/17/2013

Authorization: CIO

Corporate Headquarters

Global Organization

Page 2: Documentation Sample 1

Global Organization

Submission/Revision History

Revision   Author(s)         Release Date   Comments
001        Jerry A. Taylor   07/17/2013     Document creation.

Technical Review History

Review   Reviewer(s)     Date   Comments
002      Outside Group

GLOBAL ORGANIZATION PROPRIETARY AND CONFIDENTIAL. ALL RIGHTS RESERVED. PRINTED COPIES ARE FOR REFERENCE ONLY. This document contains information that shall not be disclosed to third parties without written consent. This document shall not be duplicated, used or disclosed, in whole or in part, for any purpose other than to evaluate the information herein.

GLOBAL ORGANIZATION, Global Organization, and the GLOBAL ORGANIZATION logo are registered trademarks of Global Organization, Inc. and/or its affiliates in the United States and certain other countries.

All other brand names are registered trademarks of their respective companies.

Enterprise Identity and Access Management Design CriteriaDocumentation Sample 2


Table of Contents

Submission/Revision History ..... 2
Technical Review History ..... 2
Purpose ..... 4
Scope ..... 4
Definitions ..... 4
Identity, Access Management and Single Sign-On ..... 9
    Overview ..... 9
Current Global Organization Enterprise Environment ..... 9
    Active Directory ..... 9
        Multiple Active Directory Forests ..... 9
        ADFS/SAML ..... 10
        Kerberos/NTLM ..... 10
        Public Key Infrastructure/Certificate Authority ..... 10
    Identity Management ..... 10
        NetIQ Directory and Resource Administrator ..... 10
        Open Source Software ..... 10
        Global Organization Applications ..... 11
    Access Management ..... 11
        Access via Active Directory Security Groups ..... 11
        Microsoft Exchange Server ..... 11
        NetIQ Aegis ..... 11
        Google Mail ..... 11
        Open Source Software ..... 12
        Wireless Access ..... 12
        Global Organization Applications ..... 12
Requirements ..... 12
Solution Models ..... 13
    Third-Party Solution ..... 13
    Current ADFS/SAML Implementation ..... 14
    Recommended Implementation Methodology ..... 14
References ..... 15

Purpose


The purpose of this document is to provide information on the design criteria and requirements to implement an identity and access management solution with single sign-on for the Global Organization enterprise environment.

Scope

This document provides information for a design to implement identity and access management with single sign-on for the Global Organization enterprise environment. The audience for this document is technical and management professionals experienced with enterprise environments.

Definitions

Table 1 Terms and Acronyms

Term/Acronym: Definition

The Institute of Electrical and Electronics Engineers Standards Association (IEEE): The standards body of the Institute of Electrical and Electronics Engineers, which develops global standards in a broad range of industries.

International Organization for Standardization (ISO): An international standard-setting body composed of representatives from various national standards organizations.

International Telecommunication Union (ITU): A specialized agency of the United Nations that is responsible for issues concerning information and communication technologies.

National Institute of Standards and Technology (NIST): A non-regulatory agency of the United States Department of Commerce that sets national standards in the United States.

Federal Information Processing Standards (FIPS): Publicly announced standards developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract.

Identity management: The management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries, with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.

Digital identity: A set of data that uniquely describes a person or a thing (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities.

Access control: The selective restriction of access to a place or other resource.

Role Based Access Control (RBAC): A methodology for restricting system access to authorized users based on their roles.

Active Directory (AD): A directory service running on the Microsoft Windows operating system.

Forest: The top-level container of an Active Directory infrastructure. A forest can consist of one or more domains, and those domains are connected through transitive trusts. A forest shares a single schema database and forms a single security boundary.

Schema: Contains the formal definitions of every object class that can be created in an Active Directory forest.


Attribute: Data items used to describe the objects that are represented by the classes defined in the schema.

Attribute Instance: An occurrence of an attribute that is defined in the schema.

Class: A formal description of a discrete, identifiable type of object stored in the directory service.

Directory Information Tree (DIT): The directory itself, represented as a tree structure in which the vertices are the directory entries (class instances) and the connecting lines are the parent-child relationships between the entries.

Control Access Rights: A class that describes an access right tied not to a resource but to an action.

Inheritance: The ability to build new object classes from existing object classes.

Object: A unit of data storage in the directory service.

Object Identifier (OID): Unique numeric values, issued by various issuing authorities, that uniquely identify data elements, syntaxes, and various other parts of distributed applications. OIDs are found in OSI applications, X.500 directories, SNMP, and other applications where uniqueness is important.

Security Descriptor: Information about the ownership of an object and the permissions that other users have on that object.

X.500: A family of standards developed jointly by the ISO and the ITU (formerly known as the CCITT) that specify the naming, data representation, and communications protocols for a directory service.

Domain: A logical group of network objects (computers, users, devices) that share the same Active Directory database.

Trust: Trusts are authentication pipelines that must be present in order for users in one domain to access resources in another domain.

Lightweight Directory Access Protocol (LDAP): An application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Internet Protocol (IP): The principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking and essentially establishes the Internet.

Internet Protocol address: The numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.

Service Provider: A company that provides organizations with consulting, legal, real estate, education, communications, storage, processing, and many other services. Generally used to refer to third-party or outsourced suppliers, including telecommunications service providers (TSPs), application service providers (ASPs), storage service providers (SSPs), and Internet service providers (ISPs).


Identity Provider: An authentication module which verifies a security token as an alternative to explicitly authenticating a user within a security realm.

Entitlement: Authorized permission and access to a system or application.

Web service: A method of communication between two electronic devices over the World Wide Web.

Credential: Used to control access to information or other resources. The classic combination of a user account number or name and a secret password is a widely used example of IT credentials.

Password Manager: Software that helps a user organize passwords and PIN codes.

Form Filler: Software that automatically fills in forms on a user interface, typically used with web service forms.

Single Sign-On (SSO): A property of access control across multiple related, but independent, software systems.

Security Token Service: A software-based identity provider responsible for issuing security tokens, especially software tokens, as part of a claims-based identity system.

Claims-Based Identity: A common way for applications to acquire the identity information they need about users inside their organization, in other organizations, and on the Internet.

Multi-factor Authentication: An approach to authentication which requires the presentation of two or more authentication factors.

Knowledge factor: Something the user knows (e.g., password, PIN, pattern).

Possession factor: Something the user has (e.g., ATM card, smart card, mobile phone).

Inherence factor: Something the user is (e.g., a biometric characteristic, such as a fingerprint).

Hardware token: A type of multi-factor authentication security device, stored on a dedicated hardware device, that may be used to authorize the use of computer services.

Software token: A type of multi-factor authentication security device, stored on a general-purpose device, that may be used to authorize the use of computer services.

Simple Object Access Protocol (SOAP): A protocol specification for exchanging structured information in the implementation of Web Services.

Protocol: A system of digital rules for message exchange within or between computers.

Extensible Markup Language (XML): A language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.

Security Access Markup Language (SAML): An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.


Active Directory Federation Services (ADFS): A software component developed by Microsoft that can be installed on Windows Server operating systems to provide users with Single Sign-On access to systems and applications located across organizational boundaries.

Federated Identity: The linking of a person's electronic identity and attributes stored across multiple distinct identity management systems.

Public-key cryptography: A system requiring two separate keys, one of which is secret (private) and one of which is public.

Public Key Infrastructure (PKI): A set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

Digital Certificate: A mathematical scheme for demonstrating the authenticity of a digital message or document. Sometimes known as a digital signature.

Public key certificate: An electronic document that uses a digital signature to bind a public key with an identity.

Non-repudiation: A service that provides proof of the integrity and origin of data, both in an unforgeable relationship, which can be verified by any third party at any time.

Digital Signature: A mathematical scheme for demonstrating the authenticity of a digital message or document.

Kerberos: A computer network authentication protocol which works on the basis of “tickets” to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.

NT LAN Manager (NTLM): A legacy suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.

Generic Security Services Application Program Interface (GSSAPI): An application programming interface for programs to access security services.

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO): A “pseudo mechanism” that is used to negotiate one of a number of possible real mechanisms. SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.

Secure Sockets Layer (SSL): Provides communication security across a network connection via cryptographic protocols.

WS-Security: An extension to SOAP to apply security to web services. The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security.

Provisioning: A methodology for giving users access to data repositories, or granting authorization to systems, network applications and databases, based on a unique user identity; and, as appropriate for their use, to hardware resources such as computers, mobile phones and pagers.


Regulatory compliance: Conforming to a rule, such as a specification, policy, standard or law.

Network Access Control: An approach to computer network security that attempts to unify endpoint security technology (such as antivirus, host intrusion prevention, and vulnerability assessment), user or system authentication, and network security enforcement.

802.1x: An IEEE port-based Network Access Control standard.

Extensible Authentication Protocol (EAP): An authentication framework frequently used in wireless networks and point-to-point connections.

Mobile Device Management (MDM): A software application that secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.

Smart Card: Any pocket-sized card with embedded integrated circuits that can provide identification, authentication, data storage and application processing.

Microsoft Exchange Server: A mail server, calendaring software and contact manager developed by Microsoft.

Wi-Fi Alliance: A trade association that promotes Wi-Fi technology and certifies Wi-Fi products if they conform to certain standards of interoperability.

Wi-Fi Protected Access II (WPA2): A security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks.

Protected Extensible Authentication Protocol (PEAP): An authentication protocol frequently used in wireless networks.

Remote Access Dial In User Service (RADIUS): A networking protocol that provides centralized Authentication, Authorization, and Accounting management for computers that connect to and use a network service.


Identity, Access Management and Single Sign-On

The following sections detail the recommendations for implementation of an identity and access management solution offering single sign-on capabilities into the Global Organization enterprise.

Overview

Identity and access management is defined as a shared platform and consistent processes for managing information about users: who they are, how they are authenticated and what they can access.

Enterprise Identity and Access Management (IAM) is defined as a set of processes and technologies to effectively and consistently manage modest numbers of users and entitlements across multiple systems. In this definition, there are typically significantly fewer than a million users, but users typically have access to multiple systems and applications.

Enterprise identity and access management scenarios should include:

Password synchronization and self-service password reset.

User provisioning, including identity synchronization, auto-provisioning and automatic access deactivation, self-service security requests, approvals workflow and consolidated reporting.

Enterprise single sign-on – automatically filling login prompts on client applications.

Web single sign-on – consolidating authentication and authorization processes across multiple web applications.

The figure below illustrates the basic concepts of identity and access management:

Figure 1 Identity and Access Management concepts

Current Global Organization Enterprise Environment

The following sections detail the current Global Organization system and application environment.

Active Directory

The following sections detail Global Organization's Active Directory forest implementation.

Multiple Active Directory Forests

Global Organization has multiple Active Directory forests deployed to support operations. In order to comply with Federal and Global Organization customer security requirements, Global Organization has deployed Active Directory forests which have no trust relationships with other Active Directory forests. The lack of trust relationships prevents users in one forest from using their credentials to access resources in another forest.


ADFS/SAML

Global Organization has implemented Active Directory Federation Services (ADFS) and Security Access Markup Language (SAML) version 2 to provide users with Single Sign-On access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity. Although SAML 2.0 is the industry standard, not all application vendors have developed the support needed to use it, and legacy applications within the Global Organization environment may not be capable of supporting it.
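As an added example (not code from this design document or from Global Organization), the Python below shows what the claims-based model implies for a relying party that sits in front of several untrusted forests: each forest's ADFS farm is a separately trusted issuer, and group claims are mapped to application entitlements only after the assertion's issuer, validity window and audience have been checked. The issuer URLs, group names, roles, user and sample assertion are constructed values, and the assertion's XML signature is assumed to have been verified upstream by the relying party's SAML library.

```python
"""Claims-based access evaluation for SAML 2.0 assertions issued by per-forest
ADFS identity providers. Added example, not part of the original document.
Assumption: the XML signature was already verified before this code runs.
All issuer IDs, groups, roles and the sample assertion are constructed."""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # ADFS group claim type

# The forests share no trust, so each forest's ADFS farm is its own trusted
# issuer and group names are scoped to that forest (constructed values).
TRUSTED_ISSUERS = {
    "http://adfs.corp.example/adfs/services/trust": "CORP",
    "http://adfs.gov-unit.example/adfs/services/trust": "GOV",
}
# RBAC: (forest, AD security group) -> application entitlements (constructed)
ROLE_MAP = {
    ("CORP", "HR-Payroll-Users"): {"payroll.view"},
    ("CORP", "HR-Payroll-Admins"): {"payroll.view", "payroll.edit"},
    ("GOV", "Payroll-Users"): {"payroll.view"},
}
EXPECTED_AUDIENCE = "https://payroll.corp.example/"  # this relying party's ID


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 ending in 'Z', optionally fractional."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, now):
    """Check issuer, validity window and audience, then map group claims to
    entitlements. Returns an audit-ready dict; any failed check means deny."""
    root = ET.fromstring(xml_text)
    assertion = (root if root.tag == f"{{{SAML_NS}}}Assertion"
                 else root.find(".//saml:Assertion", NS))
    if assertion is None:
        return {"decision": "deny", "reasons": ["no SAML assertion found"]}
    reasons = []
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    forest = TRUSTED_ISSUERS.get(issuer)
    if forest is None:
        reasons.append(f"untrusted issuer: {issuer}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_saml_time(nb):
            reasons.append("assertion not yet valid")
        if noa and now >= parse_saml_time(noa):
            reasons.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if EXPECTED_AUDIENCE not in audiences:
            reasons.append("audience restriction does not include this application")
    subject = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    groups = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    entitlements = set()
    for group in groups:
        entitlements |= ROLE_MAP.get((forest, group), set())  # unmapped groups grant nothing
    if not reasons and not entitlements:
        reasons.append("no group claim maps to an entitlement")
    return {
        "decision": "deny" if reasons else "allow",
        "subject": subject, "forest": forest, "groups": groups,
        "entitlements": sorted(entitlements) if not reasons else [],
        "reasons": reasons,
        "evaluated_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def audit_line(result):
    """One JSON line per decision, for the auditing and reporting requirement."""
    return json.dumps(result, sort_keys=True)


# Constructed sample assertion (signature element omitted; see module docstring).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2013-07-17T12:00:00Z">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>user1@corp.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-07-17T12:00:00Z" NotOnOrAfter="2013-07-17T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://payroll.corp.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>HR-Payroll-Users</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for when in ("2013-07-17T12:01:00Z", "2013-07-17T12:06:00Z"):
        print(audit_line(evaluate_assertion(SAMPLE_ASSERTION, parse_saml_time(when))))
```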

Kerberos/NTLM

Systems and applications which use the user's Active Directory credentials to grant access to resources use either the Kerberos or the NT LAN Manager (NTLM) protocol. NTLM does not support any recent cryptographic methods, such as AES or SHA-256, and Kerberos has replaced NTLM as the default authentication protocol in Active Directory. [1]

Public Key Infrastructure/Certificate Authority

Global Organization does not have an Enterprise Certificate Authority implemented. Global Organization has implemented a limited Active Directory Certificate Authority (a stand-alone CA), which requires that the certificate requester explicitly supply all identifying information about themselves, and the type of certificate wanted, in the certificate request. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain users' trusted root store, or users must perform that task themselves.

Identity Management

The following sections detail how identities are managed in the current Global Organization system and application environment.

NetIQ Directory and Resource Administrator

Account properties and values for Active Directory objects (e.g. user accounts, computer objects, printers, etc.) are managed with the NetIQ Directory and Resource Administrator (DRA). The NetIQ DRA solution has been deployed globally throughout the Global Organization environment. [2]

Open Source Software

Identity creation on Open Source Software is performed on an ad hoc basis by the system administrators for those systems. A project has been initiated to implement a management solution that will include using Active Directory credentials and authentication to grant access to Open Source Software systems and applications.

[1] See Kerberos Explained in the References section of this document for additional information.

[2] See NetIQ Account and Resource Management SYS-ADR-NIQ-MGT in the References section of this document for additional information.


Global Organization Applications

Global Organization applications include, but are not limited to, the following [3]:

SAP

ADP

SharePoint

Service Now

Success Factors

WebEx

Global Organization Business Connect

Gentrify

Citrix

Access Management

The following sections detail how users are granted access to resources in the current Global Organization system and application environment.

Access via Active Directory Security Groups

Applications and systems using Active Directory credentials and authentication (Kerberos or NTLM) should use membership in Active Directory security groups to grant access to resources. Membership in security groups is controlled through the NetIQ DRA solution.

Microsoft Exchange Server

Global Organization has Microsoft Exchange Server deployed in the environment to meet client requirements for messaging systems which Google Mail does not meet. Mail-enabled Active Directory user objects and membership in Active Directory security groups are used to control access to Exchange Server mailboxes.

NetIQ Aegis

NetIQ Aegis is a process automation tool which shall be used for user account provisioning. NetIQ Aegis integrates tightly with the NetIQ Directory and Resource Administrator solution currently deployed in the Global Organization production environment.

Google Mail

Users access Google Mail by entering their Active Directory credentials (username and password) into an HTML form.

[3] Not all applications are supported by the Global Organization Call Center; thus this list should not be considered inclusive of all applications deployed in the Global Organization production environment.


Open Source Software

Access management on Open Source Software is performed on an ad hoc basis by the system administrators for those systems. A project has been initiated to implement a management solution that will include using Active Directory credentials and authentication to grant access to Open Source Software systems and applications.

Wireless Access

Access to the wireless networks is granted via WPA2-AES with PEAP, using RADIUS (as an unknown user) to authenticate the user against Active Directory.

Global Organization Applications

Global Organization applications include, but are not limited to, the following:

SAP

ADP

SharePoint

Service Now

Success Factors

WebEx

Global Organization Business Connect

Gentrify

Citrix

Requirements

The following sections detail the requirements for implementation of an identity and access management solution offering single sign-on capabilities into the Global Organization enterprise.

The implemented solution must meet the following requirements:

Stakeholders in technical and business areas must be identified.

Executive-level sponsorship must be secured to broker agreements between stakeholders.

Solution must support multiple Active Directory forests with no trust relationships.

Solution must support NTLM/Kerberos/SAML/Certificate/Web Cookie authentication protocols.

Solution must support potential multiple authoritative identity sources for enterprise IDs (partners, clients, external service providers, etc.).

Solution must offer auditing and reporting of enterprise identity access and utilization.

Solution must be flexible enough to provide SSO service to future applications.

Solution must support multiple-factor authentication.

Solution must support application to application authentication.

Solution must offer redundancy to avoid single point of failure during maintenance windows.


Solution must allow segregation of administrative staff to meet compliance with Federal regulatory requirements, such as DOD, ITAR, etc. for business units doing work with the Federal government.

Solution will need to offer seamless password changes through multiple methods.

Solution must support the IEEE standard 802.1x for integration with Cisco ISE.

Solution must support the Tangoe MDM solution.

Solution must provide an access management component.

Solution must employ full-time resources from the engineering, application and operations technical teams from the start of implementation.

The figure below illustrates the required components of an enterprise identity and access management solution:

Figure 2 Identity and Access Management Required Components

Solution Models

The following sections detail proposed solution models and a recommended implementation methodology.

Third-Party Solution

A third-party software solution should offer centralized technical identity data from multiple sources, transformed into rich, business-relevant information that allows enforcement of role-based access across the diverse enterprise applications within Global Organization. An integrated solution would prioritize compliance and security efforts by assessing the risk of each person, application and system resource, and would allow detection and prevention of policy violations. By centralizing identity management into a central identity warehouse repository, governance would be achieved by enabling provisioning of user accounts and orchestration of changes to user access across multiple systems. Role modeling and risk analysis would locate and identify risks associated with inappropriate or excessive access privileges. Administrative overhead associated with compliance reporting would be reduced by enterprise governance, access request, and provisioning policies within the governance platform.


User frustration and administrative overhead would also be reduced by a decrease in the number of identities and passwords required to access resources within the Global Organization environment, and in the amount of time required from the many technical teams responsible for troubleshooting access management of those resources.

Current ADFS/SAML Implementation

Global Organization has implemented Active Directory Federation Services (ADFS) and Security Access Markup Language (SAML) version 2 to provide users with Single Sign-On access to systems and applications located across organizational boundaries.

However, not all Active Directory forests in the Global Organization environment have ADFS and SAML implemented, and additional systems and configuration would need to be put in place. A large number of legacy systems in the environment are not SAML-capable, and users would continue to be required to input credentials into those solutions. In addition, Global Organization has encountered vendors with SAML solutions which only function when all users are contained within a single domain.

Extensive modification of the current ADFS and SAML infrastructure could be required to extend the existing solution to all Global Organization Active Directory forests and domains.

Recommended Implementation Methodology

It is recommended that a multi-phased approach be used for the project implementation. Each application deployed into the Global Organization production environment should have its method of identity and access, and its security controls, documented and then tested on a case-by-case basis. It is required that all new applications and systems introduced into the environment be compliant with the selected identity and access management solution.


References

NetIQ Account and Resource Management SYS-ADR-NIQ-MGT

https://docs.google.com/a/Global Organization.com/viewer?a=v&pid=sites&srcid=amFiaWwuY29tfGl0LWVuZ2luZWVyaW5nLW1lZGlhLWxpYnJhcnl8Z3g6NDE0YzNmNDQxNDZjMDRiYw

Homeland Security Presidential Directive 12 (HSPD-12)

http://hspd12.usda.gov/about.html

RFC 3748 Extensible Authentication Protocol (EAP)

https://tools.ietf.org/html/rfc3748

Active Directory Trust Types

http://technet.microsoft.com/en-us/library/cc775736(v=ws.10).aspx

Active Directory Federation Services

http://technet.microsoft.com/en-us/library/cc736690(v=ws.10).aspx

Kerberos Explained

http://technet.microsoft.com/en-us/library/bb742516.aspx

Kerberos Authentication Technical Reference

http://technet.microsoft.com/en-us/library/cc739058(v=ws.10).aspx

NTLM Authentication in Windows

http://support.microsoft.com/kb/102716

Understanding Federation Designs

http://technet.microsoft.com/en-us/library/cc753352.aspx

The ABCs of Identity Management

http://www.csoonline.com/article/205053/the-abcs-of-identity-management

Defense Systems Intelligence Agency Identity and Access Management

http://www.disa.mil/Services/Enterprise-Services/Identity-and-Access-Management


Strengthen Access Control with Enterprise Identity-Management Architecture

http://msdn.microsoft.com/en-us/library/bb447668.aspx

SANS - Adding Enterprise Access Management to Identity Management

http://www.sans.org/reading_room/analysts_program/foxt-identity-mgt-web.pdf

What identity management strategies should enterprises deploy for cloud environments?

http://www.computerweekly.com/opinion/What-identity-management-strategies-should-enterprises-deploy-for-cloud-environments
