Transcript VAS & VGP Architecture
Identity management for ensuring control over access to data
Uroš Majcen, MRI d.o.o.
Copyright © 2006 Quest Software
The talk will be in Slovenian, the text in English
• Why?
– Translation
• The material is in English
• Terminology
• For credibility and easier understanding
Defining Identity Management
• Novell defines identity management as something that
“allows you to integrate, manage and control your distributed identity information, so you can securely deliver the right resources to the right people — anytime, anywhere.”
• Microsoft defines identity management as combining
“processes, technologies and policies to manage digital identities, and specify how they are used to access resources.”
Defining Identity Management
• End user:
“The organization knows who I am and what my role is, and based on that information, automates my access to resources. This enables my ability to get to what I need and to do my job in a timely fashion.”
• Administrator:
“Plus, the organization is able to effectively operate such a solution, so that monitoring, audit and reporting are easily accomplished.”
Basic Technology
• Identity – The “digital” data that identifies who users on a computer network are
• Directory – In order to find and share resources on a network, a directory is required. Otherwise, how can you find things?
• Credential – The “ticket” issued by the directory to grant the user access to resources. Based on authentication and authorization (we’ll cover that later)
• Active Directory (AD) – Microsoft’s version of a directory. We’ll cover this more later
• Meta-directory – A large framework solution that is designed to deliver a comprehensive set of identity management capabilities. Often involves password synchronization
• Access, authentication, and authorization – Access is the combination of Authentication and Authorization
– First I need to know you are who you say you are – Authentication
– Then I need to know you are allowed to access what you are trying to access – Authorization
Basic Technology
• Password synchronization – A software solution that helps reconcile a user’s large variety of passwords and logins (usually requires quite a bit of management and IT intervention)
• Provisioning – Automatically managing what resources a user can have access to
• Single sign-on – Reducing the number of passwords you have to manage
• Federation – A trusted relationship between two independent bodies – it implies managing identities and access from outside your organization
• Unix – A computing platform. Leading vendors include Sun, HP, and IBM
• Linux – A flavor of Unix that is open-source (free); major vendors include RedHat and SuSE. The software is free, the value-add offerings are not.
The End User Perspective
• Authentication services
• Access management
• Single sign-on/reduced sign-on
• Password management
• Provisioning
• Federation
• Meta-directory
Identity and Access Management in the Real World
• Access – The ability to do something
– Authentication • Confirming that you are who you say you are
– Authorization • Confirming that you have permission to do what you are trying to do
The organization knows who you are and based on that information gives you the ability to get or do certain things
A Complex Space
[Diagram: Identity Management (Administration) on one side and Access Management (Real-Time Enforcement) on the other. Identity administration covers Administer, Authenticate, Authorize, with Password Management, User Provisioning, Role Matrix Management and Metadirectory. Access management covers Authentication Services, Enterprise Reduced Sign-On, Enterprise Access Management and Federated Identity Management, with Alarm/Alerting and Accounting. Managed resources: Physical Resources, NAC, Applications, Databases, Directories, Security Systems, Operating Systems.]
Breaking Identity and Access Management Down
Authentication Services
• Verifying that who you say you are is correct
• Issues a credential or ticket
• Relevant in security and compliance
• This is what Active Directory does for Windows
• Other directories do it for other systems
• Companies often run multiple directories
– From 15 – 80 in large companies
Single Sign-on
• One username and password gives you access to everything you need
• Streamlines management of the authentication credential or ticket
• This is what Active Directory achieves for Windows
• In a heterogeneous enterprise the best we can hope for is reduced sign-on
Access Management
• Ensuring that users have access to the resources they need
• Usually includes the extranet or intranet through a Web browser
• Active Directory can deliver this for .NET applications
• But there is a lot more than .NET out there
Audit Compliance
• Tracking who did what, when, where, and how
• Log and summarize significant authentication and authorization events or changes to identity objects
• Critical to compliance and security
• Active Directory does not do a good job of this on its own
Password Management
• Simply managing passwords
• Often means enabling end-users to help themselves
• Sometimes means password synchronization
• Can deliver:
– Increased productivity
– Reduced operational costs
• Password resets account for 40% of helpdesk calls*
*source: IDC
User Provisioning
• The ability to create and delete users
• Managing the lifecycle of user identity
• Many people do this manually but want to automate
• Can help with:
– Compliance
– Reduced operational costs
Role Management
• The management of collections of permissions, which are defined by roles
– Ensure that everyone has the right permissions
• A major component of compliance
– Regulate who has rights
– Control over authorizations
• Active Directory uses roles and groups but has limited management capabilities
Federation
• Granting access, authentication, and authorization beyond internal network boundaries between distinct organizations that have established a trusted relationship
• Similar to access management but from one company to another
• Active Directory has it built in through ADFS for .NET but not for Java/J2EE
Meta Directory
• Synchronizes identity information from one store to another
• Often includes many of the other identity management capabilities
• MIIS is an example of a meta directory
• Usually very complex
• Requires significant additional management and maintenance
Improve Efficiency
• Automate identity administration
– Provisioning
– Self-service password management
• Consolidate directories and identities into Active Directory
• Achieve single sign-on
• Build on existing investments
Enhance Security
• Extend the security of AD to non-Windows systems and applications
• Enforce uniform security policies across the enterprise
• Control and delegate elevated and least-privileged accounts
• Establish strong authentication
Achieve Compliance
• “Prove” compliance through audit, reporting, and alerting tools
• Assess identity and access management policies
• Implement and enforce strong password policy and authentication
• Automate account management through codeless provisioning and role-based administration
• Leverage the compliance of Active Directory for non-Windows systems and applications
The Challenge of Authentication
• Windows = true single sign-on
– But only to Windows systems and resources
• Non-Windows applications each require separate IDs and passwords
– Who tracks users?
– Password management nightmares
• Write them down
• Burden on IT for constant resets
– Stronger policy means more support calls
• Complexity
• Length
• Expiration interval
A Typical Environment
[Diagram: Unix systems, Unix applications, mainframes and Windows/AD side by side.]
Heterogeneity = Complexity
• The average company has 31 separate directories (3)
• The average user in a 10,000-employee organization has 14 separate passwords (2)
• A recent survey conducted by RSA Security indicates that 9 out of 10 respondents are frustrated with how many user IDs and passwords they have to manage (1)
• 58% of companies take more than 24 hours to deprovision employees (3)
1 “Reduced Sign-on” Burton Group Reference Architecture Technical Position – September 6, 2006
2 International Data Group
3 “Dealing with Directories: Fewer Fuels Faster and More Efficient Operations” – Aberdeen Research Brief – June 2007
The Result?
• Security sucks
• Compliance is difficult
• Everything is inefficient
Authentication and Access Management
Single Sign-on
Password Management
Provisioning
Federation
• From Windows to .NET
• What about Java?
Meta-directory
• Directory Synchronization
The Organizational Perspective
• Audit
• Compliance
• Reporting
What Can You Do About It?
• Nothing
• Add more infrastructure
• Address issues individually
• Call Quest!
The Challenge of Heterogeneity
• Compliance/security
– NIS
• Multiple IDs/logins
• Heterogeneity = complexity
– Many directories
– Many authentication mechanisms
– Many “points” of audit
• Expensive
• Cumbersome
• Inefficient
My Proposal - Get to One
• One sign on
• One point-of-management
• One solution
What does Get to One Bring?
• Increased security
– Leverage secure Microsoft tools for non-Windows systems
– Active Directory and Group Policy
• Enhanced compliance
– Extend the compliance of Microsoft tools (i.e. AD) to Unix, Linux and Java
• ROI
– Leverage existing tools for the rest of the enterprise
• Consolidation
– One tool/process/staff for all systems
• Simplification
– No additional infrastructure
Active Directory as the Foundation
• Authentication
• Access
• Single sign-on
• Federation
• But only for Windows systems.
• What about Unix, Linux, Java, etc.?
Active Directory
Intro to Active Directory
• In a networked Windows environment, Active Directory is the directory service required to manage users, groups, and computers and offer secure access to network resources.
• Active Directory is an integrated component of Windows servers.
Intro to Active Directory cont.
• If an organization does not have Active Directory or it fails or is otherwise unavailable, then maintaining a networked Windows infrastructure is not possible.
• Therefore, Active Directory is critical:
– Must be available 7x24x365
– Must be up and running 100% of the time
What is Active Directory?
Active Directory:
• Organizes objects, such as computers, printers, applications, and shared data sources in a directory
• Provides attribute information on these objects
– Resources – printers, etc.
– Services – e-mail, etc.
– People – users and groups, accounts
• Controls access to the domain, which houses the objects
• Sets security on the objects
How Windows Does it . . .
Gaining Access
[Diagram: user vsmithers presents a username and password to Active Directory and receives a token; presenting that token to the File Server, Exchange, the IIS/Web Server and Questionnaire.com results in “Access Granted” at each. Labels: Organize, Inform, Access, Secure.]
Active Directory Maturity and Adoption Model
[Diagram, repeated with the vertical axis labelled Business Value / ROI in one version and Reliance in another: over Time, adoption moves from Availability through AD Management to Identity Management, through the stages Group Policy, Performance, Delegation, Provisioning, Migration, Single Sign-On and Strategic Enterprise Directory.]
Active Directory as the Model
• Single sign-on for all Windows resources and services
• One point-of-management
• One UID and password grants access to all allowed resources
• Standards-based
ONE sign-on | ONE point of management | ONE solution
Why Can’t Someone Extend AD to *NIX?
• Open source solutions
– Limited
– Very time-consuming
– Still don’t get the job done
• Unix/Linux is fragmented
– Each OS/version requires unique integration with AD
• Many have tried
– Internal projects invariably fall short, run long, and get too expensive
Kerberos – The Secret Sauce
• Kerberos is what makes Active Directory so good
• AD is the only viable commercial implementation of Kerberos
• Provides a secure “ticket” that follows the user wherever he/she goes within a Windows network
• True single sign-on
• Compliant
• Secure
Kerberos for Unix?
• Doesn’t exist commercially
• Unix uses different standards
– PAM, NSS, etc.
• These standards are not implemented consistently across OSs and versions
• LDAP alone doesn’t cut it
How to Bring Unix/Linux into AD
• Native implementation of the Kerberos standard
– Uniquely and specifically for each OS/version
– Integrated with the native PAM and NSS mechanisms of Unix/Linux
• Requires no additional infrastructure
• One identity (Kerberos ticket) applies to Windows, Unix, and Linux
• Unix/Linux systems actually join the Active Directory domain
• Integration, not synchronization
• Can work well with existing Identity Management solution (such as a meta-directory)
Unix/Linux as Part of the AD Domain
How Unix Does it (or doesn’t do it) . . .
Now with Unix/Linux Part of the AD Domain
• Eliminate multiple UIDs, GIDs, and passwords
• Leverage AD’s security and compliance for Unix/Linux
• Transform Windows Group Policy into “Enterprise Group Policy”
• Reduce the number of moving parts
• Streamline Unix/Linux operations and management around an already deployed and proven tool – Active Directory
• Single sign-on is possible
How Unix Should do it (with our Help). . .
Windows and Unix Users
User Provisioning and Lifecycle Management
• New User is Provisioned (Hire)
– User Account Creation
– Mailbox and Home Folders Creation
– Group and Distribution List Memberships
– Access to Applications Granted
– Accounts in Connected Systems Created
– E-mail notifications
• Identity Administration
– Information updates
– Group and Distribution List Membership Changes
– Self-service
• Reprovisioning (Promotion)
– Promotions or Transfers
– Project Assignments
– Information updates
• Deprovision (Retire)
– Employment Status Changes
– Disable Accounts
– Disable Access to Resources
– Assign Entitlements to others
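The lifecycle stages above (hire, promotion/transfer, retire) as a small working model. This is an added example, not code from the talk or from Quest; the `Directory` and `Account` classes, the group names, the user names and the `example.com` mail domain are all constructed. The point it makes that the slide only states: deprovisioning must disable the login, strip the group memberships and move the leaver's entitlements to a successor, and an access check has to fail on the disabled account before any group is consulted.

```python
"""Toy user-lifecycle model: hire -> reprovision -> deprovision.
Added example; the identity store here is a dict, not an AD client."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    username: str
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)
    mailbox: Optional[str] = None
    home_folder: Optional[str] = None
    connected_systems: Set[str] = field(default_factory=set)   # e.g. "unix" once Unix-enabled
    owned_entitlements: Set[str] = field(default_factory=set)  # resources only this user controls


class Directory:
    """Stands in for the identity store (Active Directory in the slides). Constructed."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []   # every change is logged, which is what compliance needs

    # Hire: account, mailbox, home folder, role groups, connected-system accounts.
    def provision(self, username: str, role_groups: Set[str], unix_enable: bool = False) -> Account:
        if username in self.accounts:
            raise ValueError(f"{username} already exists")
        acct = Account(username, groups=set(role_groups),
                       mailbox=f"{username}@example.com",      # constructed domain
                       home_folder=f"/home/{username}")
        if unix_enable:
            acct.connected_systems.add("unix")
        self.accounts[username] = acct
        self.audit.append(f"provision {username} groups={sorted(acct.groups)}")
        return acct

    # Promotion/transfer: replace the role's group set; never just add to it,
    # otherwise entitlements accumulate over a career.
    def reprovision(self, username: str, new_role_groups: Set[str]) -> Account:
        acct = self._get(username)
        added = set(new_role_groups) - acct.groups
        removed = acct.groups - set(new_role_groups)
        acct.groups = set(new_role_groups)
        self.audit.append(f"reprovision {username} +{sorted(added)} -{sorted(removed)}")
        return acct

    # Retire: disable the login, revoke resource access, hand entitlements to a successor.
    def deprovision(self, username: str, successor: str) -> Account:
        acct = self._get(username)
        heir = self._get(successor)
        acct.enabled = False
        acct.groups.clear()
        acct.connected_systems.clear()
        heir.owned_entitlements |= acct.owned_entitlements
        acct.owned_entitlements.clear()
        self.audit.append(f"deprovision {username} entitlements->{successor}")
        return acct

    # Access = authentication (a valid, enabled identity) and then authorization (group).
    def can_access(self, username: str, required_group: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            return False                      # authentication fails: no usable identity
        return required_group in acct.groups  # authorization: membership grants the resource

    def _get(self, username: str) -> Account:
        if username not in self.accounts:
            raise KeyError(username)
        return self.accounts[username]


def demo() -> Directory:
    """Walk one constructed user through the whole lifecycle and return the store."""
    d = Directory()
    d.provision("vsmithers", {"Sales", "VPN-Users"}, unix_enable=True)
    d.provision("mgonzalez", {"Sales"})
    d.accounts["vsmithers"].owned_entitlements.add("share:sales-forecasts")
    d.reprovision("vsmithers", {"Sales-Managers", "VPN-Users"})   # promotion
    d.deprovision("vsmithers", successor="mgonzalez")            # leaves the company
    return d


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

Running the script prints the audit trail of the four changes; the interesting check is that after `deprovision` the former user can no longer reach anything, even though the entitlement they owned now lives with the successor.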
Roles
[Diagram: roles individuals may have, the administrative rights they may need in Active Directory, and the access they may need in the prod.com domain.]
• AD Architect, Sr. Administrator – Administrator Role: Full control on all objects
• OU Administrators – Associate Administrator Role: Create accounts and groups; Reset passwords, unlock accounts
• Help Desk, End User – Self-Service Role: Update personal Information; Request changes
• Access individuals may need in prod.com: Builtin, Central, Computers, Domain Controllers, APAC, Users, Americas, New York, Mexico
Rules
Business Rule Examples
• Generate Display Name
• Description cannot be left blank
• Phone number must contain 1-###-###-####
• E-mail address = first letter of first name + last [email protected]
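The four business rules above, implemented as a small rule set that a provisioning step would run over each new record. This is an added example and not Quest's AutoProvision rules or code; the mail domain `example.com`, the list of already-taken addresses and the "append a number on collision" behaviour are assumptions (the slide only states the base rule), as is folding accented characters to ASCII for the mailbox name.

```python
"""Provisioning business rules: display name, mandatory description,
phone format, e-mail derivation. Added example; domain and inputs are constructed."""
import re
import unicodedata
from typing import Dict, Iterable, List, Tuple

PHONE_RE = re.compile(r"^1-\d{3}-\d{3}-\d{4}$")   # the "1-###-###-####" pattern from the slide


def generate_display_name(first: str, last: str) -> str:
    """Rule: display name is 'First Last' with stray whitespace removed."""
    return f"{first.strip()} {last.strip()}"


def check_description(desc: str) -> bool:
    """Rule: description cannot be left blank (whitespace-only counts as blank)."""
    return bool(desc and desc.strip())


def check_phone(phone: str) -> bool:
    """Rule: phone number must match 1-###-###-####."""
    return PHONE_RE.match(phone or "") is not None


def _ascii_token(s: str) -> str:
    """Fold accents and drop anything that is not a letter or digit (assumption:
    keeps the mailbox local part plain ASCII)."""
    folded = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def generate_email(first: str, last: str, domain: str, taken: Iterable[str] = ()) -> str:
    """Rule: first letter of first name + last name @ domain.
    Assumption beyond the slide: on collision append 2, 3, ... until unique."""
    base = _ascii_token(first)[:1] + _ascii_token(last)
    if not base:
        raise ValueError("cannot derive a mailbox name from empty names")
    taken = set(taken)
    candidate, n = f"{base}@{domain}", 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}@{domain}"
    return candidate


def provision_attributes(record: Dict[str, str], domain: str = "example.com",
                         taken: Iterable[str] = ()) -> Tuple[Dict[str, str], List[str]]:
    """Run every rule over one HR record. Returns the generated attributes and the
    list of rule violations; an empty list means the record may be provisioned."""
    problems: List[str] = []
    if not check_description(record.get("description", "")):
        problems.append("description cannot be left blank")
    if not check_phone(record.get("phone", "")):
        problems.append("phone number must match 1-###-###-####")
    attrs = {
        "displayName": generate_display_name(record["first"], record["last"]),
        "mail": generate_email(record["first"], record["last"], domain, taken),
    }
    return attrs, problems


if __name__ == "__main__":
    # Constructed sample record; "vsmithers@example.com" is pretended to exist already.
    sample = {"first": "Víctor", "last": "Smithers", "description": "Sales", "phone": "1-212-555-0100"}
    print(provision_attributes(sample, taken=["vsmithers@example.com"]))
```

Keeping the rules as separate functions that return values rather than raising makes it possible to report every violation of a record at once, which is what a help desk wants to see when an HR feed rejects a hire.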
www.quest.com/news/
User Provisioning with Native Tools
• Actors: AD & Exchange Administrators; Unix, Security & Exchange Administrators; Help Desk Associates
• Each task done manually
• Multiple people may be involved at each step
• Tasks: Create user; Home folder location; Mailbox location; Email distribution list; Access to resources; Access to applications; Unix-enable; Email user manager; Email support
• Result: 5 Days, Error-prone, Expensive
User Provisioning with automation
• Actors: Help Desk or Lower-level Administrators; Automation (AutoProvision)
• One Administrator creates User
• Rules automate and reduce errors for other tasks
• Tasks: Create user (administrator); then Home folder location; Mailbox location; Email distribution list; Access to resources; Access to applications; Unix-enable; Email user manager; Email support (rules)
• Result: 10 minutes, Less Errors, Less $$ (vs. 5 Days, Error Prone, Expensive)
User Provisioning with automation and connection to HR systems
• Sources: Databases (HR, Other); Applications (ERP, Financial); Automation (AutoProvision)
• User created automatically from application
• Eliminates errors from administrators
• Tasks: Create user; Home folder location; Mailbox location; Email distribution list; Access to resources; Access to applications; Unix-enable; Email user manager; Email support
• Result: Automatic, No Errors, Even Less $ (vs. 5 Days, Error Prone, Expensive)
User Provisioning with Automation
• Automation (AutoProvision) also targets Sun ONE, Lotus Notes, ADAM
• User created automatically from application
• Eliminates errors from administrators
• Tasks: Create user; Home folder location; Mailbox location; Email distribution list; Access to resources; Access to applications; Unix-enable; Provision Other…; Email user manager; Email support
• Result: Automatic, No Errors, Even Less $ (vs. 5 Days, Error Prone, Expensive)
Options…
• One approach is to synchronize passwords for everything.
– User would use the same password for everything.
– Would be set up more on the backend, not on the user side.
• Another approach is to collapse passwords for everything.
– User would type the password in one time, then not have to for the rest of the session for everything.
– Would be set up more on the user client side. Would need to add software to each client machine.
And finally
• Questions?
Thank you for your time