User Authentication for Enterprise Applications - The Future in Transitions
Description: User Authentication for Enterprise Applications - The Future in Transitions. Thesis: well-managed, trustworthy authentication and authorization are important today and will be vital in the future. (PowerPoint presentation; transcript follows.)
Page 1: User Authentication for Enterprise Applications - The Future in Transitions
Page 2: Thesis
• Well-managed, trustworthy authentication and authorization are important today and will be vital in the future
• Moving the authentication and authorization functions to the Web layer allows rapid deployment of newer tools and technologies
• The services needed are largely available today, and will be complete within 18 months
• The work must now shift to the applications and business processes
Page 3: Agenda
• Trends in User Authentication
• NUIT Plan
• How Should Applications Prepare?
• Transitions
• Wrap-up
Page 5: Trends in User Authentication
• Defining clear business rules for identity creation and lifecycle management
• Requiring stronger passwords
• Requiring multi-factor authentication for high-value transactions
• Moving to universal identity tokens and federated domains
Page 6: Business Rules for Identity Lifecycle Management
• Document the necessary and sufficient conditions for identity creation
• Define the lifecycle and especially what authorizations are granted and revoked at each transition
• Grant authorizations in ways that fit business goals and minimize risk
• Log and audit the management processes
Page 7: Stronger Passwords
• Password cracking technology is advancing beyond our ability to remember passwords
• Because attacks are automated, risks are greater and defenses must be stronger
• Passwords must become longer and more complex
Page 8: Stronger Passwords

| Number of characters | A..Z | A..Z, a..z | A..Z, a..z, 0..9, symbols |
|---|---|---|---|
| 6 | 5 mins | 6 hrs | 8 days |
| 8 | 58 hrs | 21 mons | 196 yrs |
| 10 | 5 yrs | 4648 yrs | 1.7M yrs |

• Assumes 1M password tests per second
• Stated figures are 100% surety; 50% would be half, 25% one-quarter, etc.
• Source: http://lastbit.com/pswcalc.asp
Page 9: Multi-Factor Authentication
• Factors: something you …
– Know (passwords)
– Have (swipe card, USB token)
– Are (thumbprint, handprint, retinal pattern)
– Do (typing pattern, walking gait)
• How many factors are needed to be POSITIVE that the attempted access is by the real person?
– What is the risk of being wrong?
– What is the inconvenience?
Page 10: Universal Identity and Federation
• If multi-factor authentication is needed, then everyone should have two or more factors available
• Certification attests to the level of confidence which a third party puts into the association of a factor with a particular person
• Federation is not giving another institution access to our authentication services; it is based upon trust in our assertions of authentication, and that trust is built upon their knowledge of our identification and management practices
Page 12: NUIT Plan
• Single identity for each person
• Remove authentication from applications and place it in the surrounding service environment
• Four network-wide authentication services but only one and one-half authorization services
• Workflow-based identity management
• Federated authentication
• Smartcards, USB tokens, etc.
Page 13: Four Services
• LDAP 3.x: authentication and authorization attributes
• MSFT Active Directory: authentication and some authorization attributes
• MIT Kerberos 5: authentication
• Web SSO: authentication and coarse-grained access control through LDAP authorization attributes
Page 15: How Should Applications Prepare?
• Move user authentication into the Web server
• Use identity management workflow to control access to the application
• Use institutional roles or other attributes for coarse-grained access control
• Optional: Employ first-access provisioning to simplify management of user profiles within the application
Page 16: Authenticating at the Web Server
• Applications must give up internal passwords and programming logic to check NetID passwords
• Moving this function to the Web server level allows new functions (Web SSO) to be deployed without widespread effects
• If the application is invoked, then the user was successfully authenticated
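As an added example (not the slides' code, nor any particular Web SSO product's), a minimal WSGI application that takes the authenticated NetID from the web server instead of checking a password itself; it assumes the server's authentication module sets REMOTE_USER in the WSGI environ, as CGI-style servers do.

```python
# Assumption: the web server's authentication module (a Web SSO agent, for
# instance) checks the NetID password and sets REMOTE_USER before invoking
# the application, so the application holds no passwords and no login logic.


def netid_from_environ(environ):
    """Return the authenticated NetID, or None if the web layer did not set one.
    REMOTE_USER is written by the server itself; anything a client sends as an
    HTTP header arrives only under an HTTP_* key, so it cannot stand in for it."""
    user = environ.get("REMOTE_USER", "").strip()
    return user or None


def app(environ, start_response):
    """If the application is invoked with a NetID, the web server already
    authenticated it; the application only consumes the result."""
    netid = netid_from_environ(environ)
    if netid is None:
        # Reaching the application unauthenticated means the front end is
        # misconfigured or bypassed. Fail closed rather than fall back to an
        # application-level login form, which would reintroduce the logic
        # the slide says applications must give up.
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [b"reached without web-server authentication\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {netid}\n".encode()]


def run_once(environ):
    """Drive app() with a constructed environ, no server needed; returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(run_once({"REMOTE_USER": "jdoe"}))              # constructed: set by the server
    print(run_once({"HTTP_X_REMOTE_USER": "someone"}))    # constructed: client header only
```

Deploying this way also requires that the application be reachable only through the authenticating web server, or the fail-closed branch is the only thing standing between an unauthenticated request and the page.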
Page 17: Approve Access Through IdM
• The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application.
• Using IdM-based workflow to request, authorize, approve and grant access can support this easily.
• The IdM system can enforce business rules subject to entitlements granted.
Page 18: Coarse-Grained Access Control
• Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page.
– Role: “faculty”, “employee”
– Entitlement: “access to HRIS”
• Session environment can also be used
– IP address
– Level of authentication
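An added example of such access rules, not the slides' Web SSO product configuration: a constructed rule model in which each rule protects a URL prefix and names the NetID attributes (roles, entitlement) and session conditions (authentication level, client network) it requires. The rule names, paths, authentication levels and CIDR ranges are all assumed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    """What the Web SSO layer knows about a request: NetID attributes from
    the LDAP registry plus the session environment (constructed model)."""
    netid: str
    roles: set
    entitlements: set
    auth_level: int      # assumed scale: 1 = password, 2 = password + second factor
    client_ip: str


@dataclass
class AccessRule:
    prefix: str                                   # URL prefix the rule protects
    any_role: set = field(default_factory=set)    # allow if any of these roles
    entitlement: str = ""                         # required entitlement, if any
    min_auth_level: int = 1
    networks: list = field(default_factory=list)  # CIDR strings the client must be in

    def allows(self, s):
        """Every clause stated on the rule must hold; unstated clauses pass."""
        if self.any_role and not (s.roles & self.any_role):
            return False
        if self.entitlement and self.entitlement not in s.entitlements:
            return False
        if s.auth_level < self.min_auth_level:
            return False
        if self.networks:
            ip = ipaddress.ip_address(s.client_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.networks):
                return False
        return True


def decide(rules, path, session):
    """Longest matching prefix wins. A path with no rule is denied, so a new
    page stays closed until an access rule is written for it."""
    matches = [r for r in rules if path.startswith(r.prefix)]
    if not matches:
        return False
    return max(matches, key=lambda r: len(r.prefix)).allows(session)


RULES = [  # constructed rules: an HRIS area, a stricter payroll area, a faculty-only area
    AccessRule("/hris/", entitlement="access to HRIS"),
    AccessRule("/hris/payroll/", entitlement="access to HRIS", min_auth_level=2,
               networks=["10.0.0.0/8"]),
    AccessRule("/grades/", any_role={"faculty"}),
]
```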
Page 19: First-Access Provisioning
• Avoid provisioning user profiles within the application until the user attempts access.
• Recognizing no user profile exists:
– Invoke an IdM workflow to request access
– Create a place-holder profile and allow access
– Automatically create a profile from attribute information (institutional roles)
• Result: savings in administrative time
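The three first-access options as an added example (not from the slides): the application, reached only after web-server authentication, looks up the NetID's profile and, when none exists, opens an IdM workflow request, creates a place-holder, or builds a profile from institutional roles. The profile store, workflow queue and role-to-profile mapping are constructed stand-ins.

```python
PROFILES = {}            # constructed stand-in for the application's user table
WORKFLOW_REQUESTS = []   # constructed stand-in for the IdM e-mail & workflow queue

# Constructed mapping from institutional roles (NetID attributes) to the
# application's own profile; listed in priority order, first match wins.
ROLE_PROFILE = {
    "faculty": {"app_role": "instructor", "status": "active"},
    "employee": {"app_role": "staff", "status": "active"},
}


def first_access(netid, roles, policy):
    """Return the profile to use for this request, provisioning it if absent.
    policy selects one of the slide's three options:
      "workflow"    - request access through IdM; no access until approved
      "placeholder" - create a minimal profile and allow access now
      "from-roles"  - derive the profile from institutional role attributes
    """
    if netid in PROFILES:
        return PROFILES[netid]            # normal case after the first visit
    if policy == "workflow":
        WORKFLOW_REQUESTS.append({"netid": netid, "request": "access"})
        return None                       # approval creates the profile later
    if policy == "placeholder":
        PROFILES[netid] = {"app_role": "guest", "status": "placeholder"}
        return PROFILES[netid]
    if policy == "from-roles":
        for role, template in ROLE_PROFILE.items():
            if role in roles:
                PROFILES[netid] = dict(template)
                return PROFILES[netid]
        return None                       # no mapped role: nothing to derive
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed NetIDs and role sets, one per provisioning option.
    print(first_access("a1", {"employee"}, "workflow"), WORKFLOW_REQUESTS)
    print(first_access("b2", set(), "placeholder"))
    print(first_access("c3", {"employee", "faculty"}, "from-roles"))
```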
Pages 21-29: Transitions, Steps 1-9 (diagrams; only the box labels are recoverable)
Step 1: Application; Authentication & Authorization; ID & Role Maintenance; User profiles database; Session set-up; Processing; Administrator; E-mail & workflow
Step 2: adds LDAP Registry; Identity Management System; Authority
Step 3: Application Web Server replaces Application; Authentication and Authorization now appear as separate labels
Step 4: adds Access policy database; Web SSO; Access Control System; cookie
Steps 5 and 6: same labels as Step 4
Step 7: adds Role engine; ID & Role Maintenance no longer appears
Step 8: adds First-access provisioning
Step 9: adds Smartcard; Card management
Page 31: Wrap-Up
• “Abstraction” frees the application from any particular authentication technology
• Identity workflow orders the approval process, allows audit controls, and flags the user’s identity for other business rules
• First-access provisioning saves time and effort for the application administrator
• Just as secure, with just as much control, just using different tools