VAS & VGP Architecture


Identity management to ensure control over access to data

Uroš Majcen, MRI d.o.o.

Copyright © 2006 Quest Software

The lecture will be in Slovenian, the text in English

• Why?
  – Translation
    • The material is in English
    • Terminology
    • For credibility and easier understanding

Defining Identity Management

• Novell defines identity management as something that

“allows you to integrate, manage and control your distributed identity information, so you can securely deliver the right resources to the right people — anytime, anywhere.”

• Microsoft defines identity management as combining

“processes, technologies and policies to manage digital identities, and specify how they are used to access resources.”


Defining Identity Management

• End user:

“The organization knows who I am and what my role is, and based on that information, automates my access to resources. This enables my ability to get to what I need and to do my job in a timely fashion.”

• Administrator:

“Plus, the organization is able to effectively operate such a solution, so that monitoring, audit and reporting are easily accomplished.”


Basic Technology

• Identity – The “digital” data that identifies who users on a computer network are
• Directory – In order to find and share resources on a network, a directory is required. Otherwise, how can you find things?
• Credential – The “ticket” issued by the directory to grant the user access to resources. Based on authentication and authorization (we’ll cover that later)
• Active Directory (AD) – Microsoft’s version of a directory. We’ll cover this more later
• Meta-directory – A large framework solution that is designed to deliver a comprehensive set of identity management capabilities. Often involves password synchronization
• Access, authentication, and authorization – Access is the combination of Authentication and Authorization
  – Authentication: first I need to know you are who you say you are
  – Authorization: then I need to know you are allowed to access what you are trying to access

Basic Technology

• Password synchronization – A software solution that helps reconcile a user’s large variety of passwords and logins (usually requires quite a bit of management and IT intervention)
• Provisioning – Automatically managing what resources a user can have access to
• Single sign-on – Reducing the number of passwords you have to manage
• Federation – A trusted relationship between two independent bodies – it implies managing identities and access from outside your organization
• Unix – A computing platform. Leading vendors include Sun, HP, and IBM
• Linux – A flavor of Unix that is open-source (free); major vendors include RedHat and SuSE. The software is free, the value-add offerings are not.

The End User Perspective

• Authentication services
• Access management
• Single sign-on/reduced sign-on
• Password management
• Provisioning
• Federation
• Meta-directory

Identity and Access Management in the Real World

• Access – The ability to do something
  – Authentication – Confirming that you are who you say you are
  – Authorization – Confirming that you have permission to do what you are trying to do
• The organization knows who you are and based on that information gives you the ability to get or do certain things

A Complex Space

(Diagram labels: Identity Management (Administration) – Identity Admin, Password Management, User Provisioning, Role Matrix Management, Metadirectory; Access Management (Real-Time Enforcement) – Authentication Services, Enterprise Reduced Sign-On, Enterprise Access Management, Federated Identity Management, Alarm/Alerting, Accounting; Administer, Authenticate, Authorize; Physical Resources – NAC, Applications, Databases, Directories, Security Systems, Operating Systems)

Breaking Identity and Access Management Down – Authentication Services

• Verifying that who you say you are is correct
• Issues a credential or ticket
• Relevant in security and compliance
• This is what Active Directory does for Windows
• Other directories do it for other systems
• Companies often run multiple directories
  – From 15 – 80 in large companies

Breaking Identity and Access Management Down – Single Sign-on

• One username and password gives you access to everything you need
• Streamlines management of the authentication credential or ticket
• This is what Active Directory achieves for Windows
• In a heterogeneous enterprise the best we can hope for is reduced sign-on

Breaking Identity and Access Management Down – Access Management

• Ensuring that users have access to the resources they need
• Usually includes the extranet or intranet through a Web browser
• Active Directory can deliver this for .NET applications
• But there is a lot more than .NET out there

Breaking Identity and Access Management Down – Audit Compliance

• Tracking who did what, when, where, and how
• Log and summarize significant authentication and authorization events or changes to identity objects
• Critical to compliance and security
• Active Directory does not do a good job of this on its own

Breaking Identity and Access Management Down – Password Management

• Simply managing passwords
• Often means enabling end-users to help themselves
• Sometimes means password synchronization
• Can deliver:
  – Increased productivity
  – Reduced operational costs
• Password resets account for 40% of helpdesk calls*

*source: IDC

Breaking Identity and Access Management Down – User Provisioning

• The ability to create and delete users
• Managing the lifecycle of user identity
• Many people do this manually but want to automate
• Can help with:
  – Compliance
  – Reduced operational costs

Breaking Identity and Access Management Down – Role Management

• The management of collections of permissions, which are defined by roles
  – Ensure that everyone has the right permissions
• A major component of compliance
  – Regulate who has rights
  – Control over authorizations
• Active Directory uses roles and groups but has limited management capabilities

Breaking Identity and Access Management Down – Federation

• Granting access, authentication, and authorization beyond internal network boundaries between distinct organizations that have established a trusted relationship
• Similar to access management but from one company to another
• Active Directory has it built in through ADFS for .NET but not for Java/J2EE

Breaking Identity and Access Management Down – Meta Directory

• Synchronizes identity information from one store to another
• Often includes many of the other identity management capabilities
• MIIS is an example of a meta directory
• Usually very complex
• Requires significant additional management and maintenance

Improve Efficiency

• Automate identity administration
  – Provisioning
  – Self-service password management
• Consolidate directories and identities into Active Directory
• Achieve single sign-on
• Build on existing investments

Enhance Security

• Extend the security of AD to non-Windows systems and applications
• Enforce uniform security policies across the enterprise
• Control and delegate elevated and least-privileged accounts
• Establish strong authentication

Achieve Compliance

• “Prove” compliance through audit, reporting, and alerting tools
• Assess identity and access management policies
• Implement and enforce strong password policy and authentication
• Automate account management through codeless provisioning and role-based administration
• Leverage the compliance of Active Directory for non-Windows systems and applications

The Challenge of Authentication

• Windows = true single sign-on
  – But only to Windows systems and resources
• Non-Windows applications each require separate IDs and passwords
  – Who tracks users?
  – Password management nightmares
    • Write them down
    • Burden on IT for constant resets
  – Stronger policy means more support calls
    • Complexity
    • Length
    • Expiration interval

A Typical Environment

(Diagram: a typical environment mixing Unix systems, Unix applications, mainframes and Windows/AD)

Heterogeneity = Complexity

• The average company has 31 separate directories (3)
• The average user in a 10,000-employee organization has 14 separate passwords (2)
• A recent survey conducted by RSA Security indicates that 9 out of 10 respondents are frustrated with how many user IDs and passwords they have to manage (1)
• 58% of companies take more than 24 hours to deprovision employees (3)

1 “Reduced Sign-on”, Burton Group Reference Architecture Technical Position – September 6, 2006
2 International Data Group
3 “Dealing with Directories: Fewer Fuels Faster and More Efficient Operations”, Aberdeen Research Brief – June 2007

The Result?

• Security sucks
• Compliance is difficult
• Everything is inefficient

Authentication and Access Management

Single Sign-on

Password Management

Provisioning

Federation

• From Windows to .NET
• What about Java?


Meta-directory

Directory Synchronization


The Organizational Perspective

• Audit
• Compliance
• Reporting

What Can You Do About It?

• Nothing
• Add more infrastructure
• Address issues individually
• Call Quest!

The Challenge of Heterogeneity

• Compliance/security
  – NIS
• Multiple IDs/logins
• Heterogeneity = complexity
  – Many directories
  – Many authentication mechanisms
  – Many “points” of audit
• Expensive
• Cumbersome
• Inefficient

My Proposal - Get to One

• One sign-on
• One point-of-management
• One solution

What does Get to One Bring?

• Increased security
  – Leverage secure Microsoft tools for non-Windows systems – Active Directory and Group Policy
• Enhanced compliance
  – Extend the compliance of Microsoft tools (i.e. AD) to Unix, Linux and Java
• ROI
  – Leverage existing tools for the rest of the enterprise
• Consolidation
  – One tool/process/staff for all systems
• Simplification
  – No additional infrastructure

Active Directory as the Foundation

• Authentication
• Access
• Single sign-on
• Federation
• But only for Windows systems.
• What about Unix, Linux, Java, etc.?

Active Directory


Intro to Active Directory

• In a networked Windows environment, Active Directory is the directory service required to manage users, groups, and computers and offer secure access to network resources.
• Active Directory is an integrated component of Windows servers.

Intro to Active Directory cont.

• If an organization does not have Active Directory, or it fails or is otherwise unavailable, then maintaining a networked Windows infrastructure is not possible.
• Therefore, Active Directory is critical:
  – Must be available 7x24x365
  – Must be up and running 100% of the time

What is Active Directory?

Active Directory:

• Organizes objects, such as computers, printers, applications, and shared data sources in a directory
• Provides attribute information on these objects
  – Resources – printers, etc.
  – Services – e-mail, etc.
  – People – users and groups, accounts
• Controls access to the domain, which houses the objects
• Sets security on the objects

How Windows Does it . . .

Gaining Access

(Diagram: user vsmithers presents a username and password to Active Directory and receives a token; the same token is then presented to the File Server, Exchange and the IIS/Web Server (Questionnaire.com), each answering “Access Granted”. Labels: Organize, Inform, Access, Secure.)

Active Directory Maturity and Adoption Model

(Diagram, shown three times with the vertical axis labelled Business Value / ROI and Reliance against Time. Stages: AD Management – Group Policy, Performance, Availability; Migration; Delegation, Provisioning; Single Sign-On; Identity Management; Strategic Enterprise Directory.)

Active Directory as the Model

• Single sign-on for all Windows resources and services
• One point-of-management
• One UID and password grants access to all allowed resources
• Standards-based

ONE sign-on | ONE point of management | ONE solution

Why Can’t Someone Extend AD to *NIX?

• Open source solutions
  – Limited
  – Very time-consuming
  – Still don’t get the job done
• Unix/Linux is fragmented
  – Each OS/version requires unique integration with AD
• Many have tried
  – Internal projects invariably fall short, run long, and get too expensive

Kerberos – The Secret Sauce

• Kerberos is what makes Active Directory so good
• AD is the only viable commercial implementation of Kerberos
• Provides a secure “ticket” that follows the user wherever he/she goes within a Windows network
• True single sign-on
• Compliant
• Secure

Kerberos for Unix?

• Doesn’t exist commercially
• Unix uses different standards
  – PAM, NSS, etc.
• These standards are not implemented consistently across OSs and versions
• LDAP alone doesn’t cut it

How to Bring Unix/Linux into AD

• Native implementation of the Kerberos standard
  – Uniquely and specifically for each OS/version
  – Integrated with the native PAM and NSS mechanisms of Unix/Linux
• Requires no additional infrastructure
• One identity (Kerberos ticket) applies to Windows, Unix, and Linux
• Unix/Linux systems actually join the Active Directory domain
• Integration, not synchronization
• Can work well with an existing Identity Management solution (such as a meta-directory)

Unix/Linux as Part of the AD Domain


How Unix Does it (or doesn’t do it) . . .

Now with Unix/Linux Part of the AD Domain

• Eliminate multiple UIDs, GIDs, and passwords
• Leverage AD’s security and compliance for Unix/Linux
• Transform Windows Group Policy into “Enterprise Group Policy”
• Reduce the number of moving parts
• Streamline Unix/Linux operations and management around an already deployed and proven tool – Active Directory
• Single sign-on is possible

How Unix Should do it (with our Help). . .

User Provisioning and Lifecycle Management (Windows and Unix Users)

New User is Provisioned (Hire)
- User Account Creation
- Mailbox and Home Folders Creation
- Group and Distribution List Memberships
- Access to Applications Granted
- Accounts in Connected Systems Created
- E-mail notifications

Identity Administration
- Information updates
- Group and Distribution List Membership Changes
- Self-service

Reprovisioning (Promotion)
- Promotions or Transfers
- Project Assignments
- Information updates

Deprovision (Retire)
- Employment Status Changes
- Disable Accounts
- Disable Access to Resources
- Assign Entitlements to others

Roles

• Roles individuals may have: AD Architect, Sr. Administrator, OU Administrators, Help Desk, End User
• Administrative rights individuals may need in Active Directory:
  – Administrator Role – full control on all objects
  – Associate Administrator Role – create accounts and groups; reset passwords, unlock accounts
  – Self-Service Role – update personal information; request changes
• Access individuals may need: the prod.com domain – Builtin, Central, Computers, Domain Controllers, APAC, Users, Americas (New York, Mexico)

Rules

Business Rule Examples

• Generate Display Name
• Description cannot be left blank
• Phone number must contain 1-###-###-####
• E-mail address = first letter of first name + last name@…

www.quest.com/news/
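The business rules listed above, implemented as an added example (my code, not Quest's provisioning logic). The display-name format “Last, First” and the mail domain `example.com` are assumptions, since the slide states neither, the name-required check is an added guard, and the sample record is constructed.

```python
import re
from dataclasses import dataclass

# Constructed placeholder: the mail domain on the slide is not legible.
MAIL_DOMAIN = "example.com"
# Rule: "Phone number must contain 1-###-###-####" (digits only, fixed dashes)
PHONE_RE = re.compile(r"1-\d{3}-\d{3}-\d{4}")

@dataclass
class NewUser:
    first_name: str
    last_name: str
    description: str
    phone: str
    display_name: str = ""
    email: str = ""

def generate_display_name(user):
    # Assumed format "Last, First"; the slide only says "Generate Display Name".
    return f"{user.last_name}, {user.first_name}"

def generate_email(user):
    # Rule: first letter of first name + last name, at the organisation's domain.
    local = (user.first_name[:1] + user.last_name).lower()
    local = re.sub(r"[^a-z0-9]", "", local)  # drop apostrophes, spaces, other symbols
    return f"{local}@{MAIL_DOMAIN}"

def validate(user):
    """Return the violated rules; an empty list means the record may be provisioned."""
    errors = []
    if not user.first_name.strip() or not user.last_name.strip():
        # Added guard, not on the slide: both names feed the generated attributes.
        errors.append("First and last name are required")
    if not user.description.strip():
        errors.append("Description cannot be left blank")
    if not PHONE_RE.fullmatch(user.phone):
        errors.append("Phone number must contain 1-###-###-####")
    return errors

def provision(user):
    """Apply the generation rules only after every validation rule passes."""
    errors = validate(user)
    if errors:
        raise ValueError("; ".join(errors))
    user.display_name = generate_display_name(user)
    user.email = generate_email(user)
    return user

if __name__ == "__main__":
    # Constructed record; "vsmithers" echoes the user in the Gaining Access slide.
    print(provision(NewUser("Vince", "Smithers", "Finance analyst", "1-555-123-4567")))
```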

User Provisioning

with Native Tools

• Actors: AD & Exchange Administrators; Unix, Security & Exchange Administrators; Help Desk Associates
• Each task done manually
• Multiple people may be involved at each step
• Steps: Create user → Home folder location → Mailbox location → Email distribution list → Access to resources → Access to applications → Unix-enable → Email user manager → Email support
• Result: 5 days, error-prone, expensive

User Provisioning

with automation

• Actors: Help Desk or lower-level administrators, plus automation (AutoProvision)
• One administrator creates the user
• Rules automate and reduce errors for the other tasks: Home folder location, Mailbox location, Email distribution list, Access to resources, Access to applications, Unix-enable, Email user manager, Email support
• Result: 5 days, error-prone, expensive → 10 minutes, fewer errors, less $$

User Provisioning

with automation and connection to HR systems

• Sources: Databases (HR, other) and Applications (ERP, Financial) feeding the automation (AutoProvision)
• User created automatically from the application
• Eliminates errors from administrators
• Automated tasks: Create user, Home folder location, Mailbox location, Email distribution list, Access to resources, Access to applications, Unix-enable, Email user manager, Email support
• Result: 5 days, error-prone, expensive → automatic, no errors, even less $

User Provisioning

with Automation

• Automation (AutoProvision) connected to Sun ONE, Lotus Notes and ADAM
• User created automatically from the application
• Eliminates errors from administrators
• Automated tasks: Create user, Home folder location, Mailbox location, Email distribution list, Access to resources, Access to applications, Unix-enable, Provision Other…, Email user manager, Email support
• Result: 5 days, error-prone, expensive → automatic, no errors, even less $

Options…

• One approach is to synchronize passwords for everything.
  – The user would use the same password for everything.
  – Would be set up more on the back end, not on the user side.
• Another approach is to collapse passwords for everything.
  – The user would type the password in once and then not have to for the rest of the session, for everything.
  – Would be set up more on the user client side. Would need to add software to each client machine.

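To make the two options concrete, an added illustration (my code, not Quest's, and a deliberately simplified model rather than real Kerberos): a central authority authenticates the user once and issues a signed, time-limited ticket that each service verifies and then authorizes against group membership, which is the “collapse passwords” approach and mirrors the token flow of the Gaining Access slide; the “synchronize passwords” approach is shown beside it as each service checking the same password itself. The user, groups, services and key handling are constructed for the example.

```python
import hashlib, hmac, json, secrets, time

# Constructed sample data: one user and three services, echoing the File Server /
# Exchange / IIS picture earlier in the deck. Passwords are plaintext only to keep
# the model short; a real directory stores password verifiers, not passwords.
USERS = {"vsmithers": {"password": "correct horse", "groups": {"staff"}}}
ACL = {"fileserver": {"staff"}, "exchange": {"staff"}, "iis": {"finance"}}
TICKET_LIFETIME = 600  # seconds

class Authority:
    """Stand-in for the directory/KDC: authenticates once, issues signed tickets."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # shared with services out of band

    def authenticate(self, user, password, now=None):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None  # one failure path for unknown user and wrong password
        now = time.time() if now is None else now
        body = json.dumps({"user": user, "groups": sorted(rec["groups"]),
                           "exp": now + TICKET_LIFETIME})
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body, tag

    def verify(self, ticket, now=None):
        body, tag = ticket
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered claims: signature no longer matches
        claims = json.loads(body)
        now = time.time() if now is None else now
        return None if claims["exp"] < now else claims  # expired => re-authenticate

def access_with_ticket(authority, service, ticket, now=None):
    """'Collapse passwords': the service never sees a password, only the ticket."""
    claims = authority.verify(ticket, now)
    if claims is None:
        return "denied: invalid or expired ticket"
    if ACL[service] & set(claims["groups"]):
        return f"granted: {claims['user']} on {service}"
    return f"denied: {claims['user']} not authorized on {service}"

def access_with_password(service, user, password):
    """'Synchronize passwords': every service re-checks the same shared password."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return "denied: bad credentials"
    if ACL[service] & rec["groups"]:
        return f"granted: {user} on {service}"
    return f"denied: {user} not authorized on {service}"
```

Authentication happens once in `authenticate`; every later `access_with_ticket` call is an authorization decision only, which is the separation the Basic Technology slide draws.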

And finally

• Questions?

Thank you for your time