IdM and Security - ISSA


IdM & Security
Robert Haaverson
Imanami Corporation
1
Copyright © 2005 Imanami Corporation. All Rights Reserved.
Agenda
• What is Identity Management
• Where does IdM fit within Security?
• How does IdM fit into Security?
• Conclusions
• More Information
2
What is Identity Management?
(Diagram: Access Control, with increasing complexity – Admin, Authentication, Authorization, Audit)
(Screenshot: web search for "Identity Management")
Results 1 - 10 of about 1,110,000 for "Identity Management". (0.34 seconds)
3
What is Identity Management?
Identity Management (IdM) is defined as the quality or condition of being the same; absolute or essential sameness; oneness. Identity is what makes something or someone the same today as it, she, or he was yesterday. Importantly, identity can refer to a thing (e.g. a computer) as well as a person. Things and people can have different identities when working with different systems, or can have more than one identity when working with a single system, perhaps when working in different roles.
Source: Open Group
4
META’s View
(Diagram: two layers, Identity Management and Identity Infrastructure, comprising P/W Mgmt., Delegated Admin., Self-service, User Provisioning, Workflow, Audit/logging/reporting, SSO, Authentication Servers (e.g. RADIUS, OS), Directory, Metadirectory, Authorization Servers (e.g. RBAC, policy))
“While simplistic and not entirely accurate, it’s helpful for planning purposes to think of access and identity management as separate layers of an identity architecture.” (META Group)
5
Gartner’s View
(Diagram: Identity Management (Administration) and Access Management (Real-time Enforcement), laid out across Administer / Authenticate / Authorize / Audit – Identity Administration, Password Management, User Provisioning, Metadirectory, Authentication Services, Enterprise Single Sign-on, Enterprise Access Management, Federated Identity Management)
6
Burton’s View
~ Burton Group’s Simplified Architecture ~
• IdM reference architecture root template
7
Deloitte’s View
(Diagram: IdM capabilities plotted against Business Value – Identity Repository, Access Management, Strong Authentication, Integrated authoritative source, Identity roles, User account provisioning, SSO & Portals, Federated Identity)
Source: Deloitte
8
Imanami’s View – The IdM Journey
(Diagram: the journey from Basic to Vision plotted against Business Value – Identity Repository, Password Reset/Sync, Access Management, Strong Authentication, Integrated authoritative source, Identity roles, User account provisioning, SSO & Portals, Federated Identity)
Source: Deloitte
9
IdM Business Drivers
• Enabling Business
• Increasing Efficiency
• Complying with Regulation
• Increased Security
Source: Computer Associates
10
Where does IdM fit?
(Diagram: SANS security product categories)
• Blocking Attacks: Network Based – Intrusion Prevention, Intrusion Detection, Firewall, Anti-Spam
• Blocking Attacks: Host Based – Intrusion Prevention, Spyware Removal, Personal Firewall, Anti-Virus
• Eliminating Security Vulnerabilities – Vulnerability Mgmt, Patch Management, Configuration Mgmt, Security Compliance
• Safely Supporting Authorized Users – ID & Access Mgmt, File Encryption, Authentication / PKI, VPN
• Tools to Minimize Business Losses – Forensic Tools, Backup, Compliance, Business Recovery
Source: SANS
11
Where does IdM fit? – Safely Supporting Authorized Users
(Same SANS diagram, with ID & Access Management highlighted)
ID & Access Management
• Verify that the right people are allowed to use a system
• Ensure they perform only those tasks for which they are authorized
• Access blocked when employment is terminated
Source: SANS
13
Where does IdM fit? – Safely Supporting Authorized Users
(Same SANS diagram, with Authentication highlighted)
Authentication
• Verify that the person is whom they claim to be, whether it be via one, two or three factor.
Source: SANS
14
Where does IdM fit? – Tools to Minimize Business Losses
(Same SANS diagram, with Forensic Tools highlighted)
Forensic Tools
• When attackers get through, enterprises need to find out what they accessed, what they damaged, and how they got in.
Source: SANS
15
Where does IdM fit? – Tools to Minimize Business Losses
(Same SANS diagram, with Regulatory Compliance Tools highlighted)
Regulatory Compliance Tools
• Gramm-Leach-Bliley, FISMA, Sarbanes-Oxley, and HIPAA each generate enormous documentation burdens for companies, universities, and/or government agencies.
Source: SANS
16
How does IdM fit into Security?
• Object (user) lifecycle management
– Provisioning
– Change
– Deprovisioning
• Strong Authentication / SSO (RSO) n-1
• Enterprise Access Management
• The Whole Enchilada
17
Object Life Cycle Management – Hire
• Sally’s first day at work
(Diagram: PeopleSoft → IdM → Active Directory, Exchange, Live Communications Server, Avaya, Faxination; “Sally is Provisioned”)
1. Sally entered into PeopleSoft.
2. IdM adds Sally to AD.
3. IdM assigns Sally to groups based on her role.
4. IdM adds Sally to other systems based on role.
18
Object Life Cycle Management – Promotion
• Sally’s second day at work
(Diagram: PeopleSoft → IdM → Active Directory, Exchange, Live Communications Server, Avaya, Faxination; “Sally is Changed”)
1. Sally’s title is changed in PeopleSoft.
2. IdM updates Sally in AD.
3. IdM adds and removes Sally to and from groups based on her role.
4. IdM adds/removes Sally to/from other systems based on role.
19
Object Life Cycle Management – Retire
• Sally’s last day at work
(Diagram: PeopleSoft → IdM → Active Directory, Exchange, Live Communications Server, Avaya, Faxination; “Sally is Deprovisioned”)
1. Sally’s status changed in PeopleSoft.
2. IdM disables Sally’s account in AD.
3. IdM removes Sally from groups.
4. IdM removes Sally from other systems.
20
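The three Sally slides describe one procedure: the HR record is the authoritative source, and IdM reconciles the directory account against it on hire, change and retire. As an added illustration that is not the deck’s or Imanami’s code, the Python below does that reconciliation for a constructed HR record; the role names, group names and status values are assumed business rules, not anything from the slides.

```python
from dataclasses import dataclass, field

# Assumed role-to-group business rules (hypothetical names, not from the deck).
ROLE_GROUPS = {
    "Analyst": {"Staff", "Finance-ReadOnly"},
    "Manager": {"Staff", "Finance-ReadWrite", "Approvers"},
}

@dataclass
class Account:
    # Directory account as IdM sees it; enabled=False also covers "not yet created".
    enabled: bool = False
    groups: set = field(default_factory=set)

def reconcile(hr_record, account):
    """Apply one authoritative HR record; return (account, ordered actions)."""
    actions = []
    if hr_record["status"] != "Active":
        # Retire: block the login first, then strip every entitlement.
        if account.enabled:
            account.enabled = False
            actions.append("disable")
        actions += [f"remove:{g}" for g in sorted(account.groups)]
        account.groups.clear()
        return account, actions
    if not account.enabled:
        account.enabled = True   # hire (or re-hire): create/enable the AD object
        actions.append("enable")
    desired = set(ROLE_GROUPS.get(hr_record["title"], set()))
    # Change: groups no longer implied by the role go, newly implied ones come.
    actions += [f"remove:{g}" for g in sorted(account.groups - desired)]
    actions += [f"add:{g}" for g in sorted(desired - account.groups)]
    account.groups = desired
    return account, actions

def sally_lifecycle():
    """Constructed HR records for Sally's first day, promotion and last day."""
    days = [
        {"status": "Active", "title": "Analyst"},
        {"status": "Active", "title": "Manager"},
        {"status": "Terminated", "title": "Manager"},
    ]
    acct, log = Account(), []
    for rec in days:
        acct, actions = reconcile(rec, acct)
        log.append(actions)
    return log
```

Running the same record twice produces no actions, so the reconciliation can be re-run from the HR feed without side effects.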
Strong Authentication / SSO – Without IdM
• Bill logs in from home
1. SecurID card → Access
2. Username & Password → Access
21
Strong Authentication / SSO – With IdM
• Bill logs in from home
1. SecurID card → Access
22
Enterprise Access Management – Hire without IdM
• Jim’s first day at work
(Diagram: PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya, Faxination, with no IdM layer between them)
23
Enterprise Access Management – Hire with IdM
• Jim’s first day at work
(Diagram: PeopleSoft → Business Rules → IdM → Active Directory, Exchange, Live Communications Server, Avaya, Faxination)
24
Regulatory Compliance
(Diagram: Accuracy, Auditability, Transparency, Compliance versus Cost, Time, Errors)
25
Trends of IdM in Security
• RSA has more announcements of identity based approaches of agile and integrated security.
• There is an upcoming paradigm shift, where identity will allow security across dynamic distributed systems.
• “So as security functions become packaged as appliances that can all be integrated and managed with federated protocols that allow centralized policies to create security and auditability, ‘security’ is relentlessly morphing into ‘management by identity.’”
  - Phil Becker, Editor, Digital ID World
26
Realizing the Potential of Digital Identity
• Deployment considerations, lessons learned:
  – Begin by cleaning your own identity house
    • Start looking at how you use identity, authoritative sources, processes
    • You still need LDAP directory, meta-directory, and provisioning
    • One tool or one suite won’t solve all your IdM problems
  – 80% politics and business, 20% technology
    • Your mileage may vary, but build in time to get stakeholders on board
  – Carefully scope the problem you’re trying to solve
    • Manage expectations: Don’t try to solve all problems at once
    • Pick projects with early demonstrable results; it’s a long journey, with small steps
    • Build momentum (and political capital) for next phase(s)
  – All of these are 100% independent of product selection
27
Contact
Robert Haaverson, CEO
Imanami Corporation
925-371-3000
[email protected]
Resources
Digital ID World, May 9-12 Hyatt Embarcadero, San Francisco
Digital ID World Magazine – http://www.digitalidworld.com
Burton Group – http://www.butongroup.com
Open Group – http://www.opengroup.com
SANS What Works – http://www.sans.org/whatworks
28