First Republic Bank Identity Management Onsite Dialogue


Doug Simmons
Principal Consultant
Identity Management Discussion Group
Seminars on Academic Computing
* EDUCAUSE *
[email protected]
August 10, 2004
All Contents © 2004 Burton Group. All rights reserved.
Introduction
Burton Group: Who We Are
Burton Group is a planning services company specializing in the in-depth analysis of emerging network infrastructure technologies.
Our mission is to empower IT professionals, enabling them to make strategic decisions regarding network technology and allowing them to successfully use that technology to drive business.
Introduction
Speaker
• Doug Simmons
• Principal Consultant
My Background: 20+ years in systems engineering, systems integration design, systems architecture, development, and project management with Burton Group, IBM, Critical Path/ISOCOR and the Radicati Group.
Introduction
Discussion Objectives
• Brief Overview of Identity Management Concepts
• Business Justification
• Design and Deployment Best Practices
Identity Management
What is Identity Management?
• A set of processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities
• Involves both technology and process
• Involves managing both unique identifiers and their attributes, credentials, and entitlements
• Must enable organizations to create a manageable life cycle
• Must meet business needs for rapid registration, use, termination
• Must scale from internally facing systems to externally facing applications and processes
• Goal state: general-purpose infrastructure and authoritative sources, clean integration across people, process, and technology
Identity Management
What is (digital) identity?
• Represents principals (users, apps, etc.)
• Name, number, other identifier
• Unique in some scope
• Persistent, long-lived
• May be “pseudonym” or “true name”
[Diagram: a unique identifier at the core, surrounded by credentials, common profile info (address, etc.), and student, faculty/staff, and app/site/partner profiles]
• May have multiple credentials
• Different strengths, different apps
• Can change w/more frequency
• Attributes, entitlements, policies
• More transient, fluid information
• Often specific to apps or sites
Identity Management
The IdM process: managing the identity life cycle
[Diagram: the identity life cycle, with the stages Registration/Creation, Propagation, Maintenance/Management and Termination, and the label Accounts and Policies]
Identity Management
The challenge: Interoperability and portability
[Diagram: a tightly-coupled, persistent interior (internal systems & data; students, faculty, staff) surrounded by a loosely-coupled, dynamic exterior (extranets, the Internet, partners or xSPs, research partners, less-known and unknown parties), with ID at the boundary between them]
Identity Management
The challenge
• Today’s identity management systems are ad hocracies, built one application or system at a time
• Apps, databases, OSes lack a scalable, holistic means of managing identity, credentials, policy across boundaries
• Fragmented identity infrastructure: Overlapping repositories, inconsistent policy frameworks, process discontinuities
• Error prone, creates security loopholes, expensive to manage
• The disappearing perimeter has put identity on the front burner
• Infrastructure requirements: extend reach and range
• Increased scalability, lower costs
• Balance of centralized and distributed management
• Infrastructure must become more general-purpose and re-usable
Identity Management
Burton Group definition: A set of complementary, converging technologies
• Directory Services
• User Management Services
• Resource Provisioning
• Authentication Services
• Web Access Management
• Authorization Services
• Identity Federation
Identity Management
IdM: technologies that enable secure relationships
[Diagram: Identity and Access Management at the center, linking authentication, authorization, directory, HRMS and student systems to the constituencies around them: students, faculty, staff, remote students and staff, remote contractors, research partners, supplier employees, and departments/schools]
Identity Management
Core IdM components: Directory Services
• Authoritative identity repository
• Contains people, organizational units, groups, roles, etc.
• Foundation for identity management
• Authentication based on identity in directory
• Authorization based on user attributes (roles, groups)
• Personalization based on user attributes
• Meta-directories sync identity repositories
• Identity join synchronizes authoritative sources
• LDAP servers are commodities
• Active Directory becoming pervasive
• Next step: comprehensive IdM infrastructure…
Identity Management
Core IdM components: User Management & Provisioning
• Identity admin functions that span products and services
• Creation, propagation, maintenance of user accounts, rights
• Categorize users by roles, groups, for efficiency, accuracy
• Provisioning systems support workflows that automate process, reduce admin costs, enhance security
• Create, modify, terminate users across multiple apps
• Workflow approvals by managers
• Centralized admin: push roles, groups, policy
• Centralized password management, reset/sync
• Centralized, rapid termination of accounts
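As an added illustration (not from the presentation) of the identity join mentioned on the directory services slide and of the create/terminate propagation described above: two authoritative feeds are joined on a person key, and an application's account list is reconciled against the result so that accounts with no active authoritative affiliation surface as terminations. The feed layout, field names and sample people are constructed assumptions.

```python
from datetime import date

# Constructed sample feeds (not from the presentation). Each authoritative
# source keys people by a common person identifier; the identity join matches on it.
HRMS_FEED = [  # faculty and staff, owned by HR
    {"person_id": "100", "uid": "alee", "affiliation": "faculty", "end_date": None},
    {"person_id": "101", "uid": "bkim", "affiliation": "staff", "end_date": "2004-06-30"},
]
STUDENT_FEED = [  # students, owned by the registrar
    {"person_id": "100", "uid": "alee", "affiliation": "student", "end_date": None},
    {"person_id": "200", "uid": "cpat", "affiliation": "student", "end_date": None},
]
# Accounts that currently exist in one connected application (e.g. e-mail); constructed.
APP_ACCOUNTS = {"alee", "bkim", "dold"}


def identity_join(feeds, today):
    """Join every authoritative feed on person_id into one directory entry per
    person, keeping only affiliations that are still active as of `today`."""
    joined = {}
    for feed in feeds:
        for rec in feed:
            end = rec["end_date"]
            if end is not None and date.fromisoformat(end) < today:
                continue  # the affiliation has ended, so it grants nothing any more
            entry = joined.setdefault(rec["person_id"], {"uid": rec["uid"], "affiliations": set()})
            if entry["uid"] != rec["uid"]:
                # Two sources disagree on the login name: a data-quality problem to resolve,
                # not something to silently overwrite.
                raise ValueError(f"person {rec['person_id']} has conflicting uids")
            entry["affiliations"].add(rec["affiliation"])
    return joined


def provisioning_actions(joined, app_accounts):
    """Compare the joined directory with an application's accounts: create what is
    missing, and terminate accounts with no active authoritative affiliation (orphans)."""
    entitled = {e["uid"] for e in joined.values()}
    return {
        "create": sorted(entitled - app_accounts),
        "terminate": sorted(app_accounts - entitled),
    }
```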
Identity Management
Core IdM components: User Management continued
• Delegated admin tools distribute workload (and liability)
• Assign subset authority to a designated user or group
• Moves responsibility to partner, supplier or other constituent
• Self-service increases satisfaction, data integrity
• Users can modify info
• Self-service password reset a high priority for many companies
• Self-service registration, subscription services can kick off workflow and provisioning process to speed revenue generation
Identity Management
Core IdM components: Authentication
• Principal provides sufficient credentials to satisfy challenge, gaining access to a service, application, or system
• Variety of authentication mechanisms
• Strength necessary depends on the needs of the application
• User name/password, personal identification numbers (PINs)
• Tokens (SecurID), digital certificates (PKI)
• Biometrics (finger print scans, retinal scans)
• User name/password most common
• Will remain so until the cost and complexity of stronger authentication subsides
Identity Management
Core IdM components: Web Access Management
• Determining rights, privileges using policy-based systems
• Web-based access management products combine authentication, authorization => Single Sign On (SSO)
• Use role-, group-, rule-based systems for scalability
• Integrate with applications/application servers
• Identify objects by URL, operate at page, button, field level
• Integrate with identity repositories: directory, database
• Support multiple authentication systems
• Include user management functions
• Dynamic enforcement w/variables (location, time)
• Session management after authentication
Identity Management
Core IdM components: Authorization Services
• Control access to apps, services, information resources
• Maintain sufficient user and organization information for discretionary access control
• Use multiple, flexible means of policy enforcement
• Roles, groups, rules
• Dynamic for high value resources (stored value, transactions)
• Static for low value resources (printers, ordinary files)
• Affected by variables, such as machine location, time of day, attribute values in directory or database
• Integrate applications with general purpose authorization systems leveraging common data/policy
Identity Management
Core IdM components: Identity Federation
• Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
[Diagram: loosely or tightly-coupled, integrated or federated interior systems (internal systems & data; students, faculty, staff) alongside loosely-coupled, federated exterior systems (extranets, the Internet, partners or xSPs, research partners, less-known and unknown parties)]
Identity Management
Core IdM components: Identity Federation
• Don’t need prior knowledge of complex system internals or pair-wise mappings between systems
• Define rules that bind autonomous domains to a common method of exchanging identity information
• Provide framework for negotiating agreements, defining interactions
• Map to the federation standards by applying transformations at the boundaries between domains
• Honor each other’s decisions and trust each other’s assertions, but in the context of their own local policies
Identity Management
Federation - Shibboleth
[Diagram: Rouge University (holding the protected resource) and Crimson College (with its enterprise directory) exchange the following messages]
1. User to Rouge University: I want to access your protected resource
2. Rouge University to user: Where are you from?
3. User: Crimson College
4. Rouge University to Crimson College: Tell me if this person is a legitimate student
5. Crimson College to Rouge University: This person is a legitimate student
Identity Management
[Diagram: Shibboleth components. Target site: SHIRE, SHAR, Resource Manager and the web-enabled protected resource. Origin site: Handle Service, WAM (web SSO), Attribute Authority and the Enterprise Directory. The WAYF service sits between the two sites; numbered arrows 1 to 11 trace the handle and attribute exchange between them]
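The five-step exchange and the component diagram above, as an added Python simulation that is neither part of the presentation nor code from the Shibboleth project: the origin site's Handle Service authenticates the user and mints an opaque handle bound to the requesting target, the Attribute Authority resolves that handle only for that target and only under an attribute release policy, and the target's Resource Manager applies its own rule to what it receives. The directory contents, the release policy and the access rule are constructed assumptions; only the site names come from the slide.

```python
import secrets
import time

# Constructed sample data (not from the presentation): the enterprise directory
# at the origin site, "Crimson College". Plain-text passwords are for the demo only.
CRIMSON_DIRECTORY = {
    "jsmith": {"password": "correct horse", "eduPersonAffiliation": "student", "mail": "jsmith@crimson.example"},
    "rjones": {"password": "battery staple", "eduPersonAffiliation": "alum", "mail": "rjones@crimson.example"},
}


class OriginSite:
    """Handle Service and Attribute Authority in front of an enterprise directory."""
    def __init__(self, name, directory, release_policy, handle_ttl=60):
        self.name, self.directory = name, directory
        self.release_policy = release_policy  # target site -> attributes it may receive
        self.handle_ttl = handle_ttl
        self._handles = {}  # opaque handle -> (uid, target it was issued to, expiry)

    def handle_service(self, uid, password, target):
        """Authenticate locally (the WAM/web SSO step) and mint an opaque, short-lived handle."""
        entry = self.directory.get(uid)
        if entry is None or not secrets.compare_digest(entry["password"].encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(16)  # reveals nothing about the user to the target
        self._handles[handle] = (uid, target, time.monotonic() + self.handle_ttl)
        return handle

    def attribute_authority(self, handle, target):
        """Resolve a handle only for the target it was issued to; release only policy-allowed attributes."""
        record = self._handles.get(handle)
        if record is None:
            return None
        uid, bound_target, expiry = record
        if bound_target != target or time.monotonic() > expiry:
            return None  # replayed at another site, or expired
        person = self.directory[uid]
        return {a: person[a] for a in self.release_policy.get(target, ()) if a in person}


class TargetSite:
    """SHIRE (receives the handle), SHAR (queries the AA) and Resource Manager."""
    def __init__(self, name, wayf, rule):
        self.name, self.wayf, self.rule = name, wayf, rule  # wayf: origin name -> OriginSite

    def request_resource(self, origin_name, uid, password):
        origin = self.wayf.get(origin_name)  # steps 2-3: "Where are you from?" answered via the WAYF
        if origin is None:
            return False, {}
        handle = origin.handle_service(uid, password, self.name)  # user signs on at the home site
        if handle is None:
            return False, {}
        attrs = origin.attribute_authority(handle, self.name)  # step 4: SHAR asks the AA
        if attrs is None:
            return False, {}
        return self.rule(attrs), attrs  # step 5: Resource Manager applies the local access rule


WAYF = {"Crimson College": OriginSite("Crimson College", CRIMSON_DIRECTORY,
                                      {"Rouge University": ("eduPersonAffiliation",)})}
ROUGE = TargetSite("Rouge University", WAYF, rule=lambda a: a.get("eduPersonAffiliation") == "student")
```

Note that the target never sees the user's password or mail attribute: it receives only the affiliation the origin's policy allows, which is the portability-with-local-policy point the federation slides make.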
Identity Management
Internet2/MACE Shibboleth Roadmap - 7/2004
[Timeline from 7/1/2004 to 12/31/2006, with milestones at 1/1/2005 and 1/1/2006]
Q3’04
+ Shibboleth 1.2 and OpenSAML released
- Adopt SAML 2.0 terminology, architecture
- Increased compatibility with SAML 1.1 products
- Increased software modularity
+ Early prototyping of management tools
+ Application focus on information services providers
+ InCommon federation rollout
Q4’04
+ Shibboleth 1.3 released
- Support browser artifact profile
- Improved Java application support
+ Early versions of management tools
+ Improved system documentation
+ Many expected production rollouts
2005
+ Shibboleth 2.0 and OpenSAML 2.0 released
- Migration to SAML 2.0 standard
- Support for SAML WS-Federation features as deemed practical
- Possible web services features added
+ Maturation of management tools
+ Increased decentralization of development, research and direction setting
2006
+ Technical focus likely to move to web services and middleware integration
+ Personalized tools for managing privacy and access control to target resources
+ Application focus on grids, networks and DRM
+ Increased commercialization of support and technology
+ Increased interaction among education, government and commercial federations
Summary
Putting the pieces together
Identity Management
Key Vendors
Authentication (PKI/Other/Specialized): Verisign, Entrust, Microsoft, RSA, Others…
Virtual directory: Calendra, MaxWare, Radiant Logic, Octetstring
Access management (Web access mgmt): Netegrity, IBM, Oblix, RSA, Entrust, Novell, Sun, HP, Aventail, Others…
User management (Provisioning): IBM, BMC, Netegrity/Bus. Layers, Novell, HP, Sun/Waveset, Thor, Others…
Directory services (Directory Repositories/LDAP): Sun, Novell, Microsoft, Critical Path, IBM, Oracle, Siemens, Others…
Identity and policy admin: Oblix, Sun, Calendra, IBM, Netegrity, Novell, Others…
Meta-directory: Sun, Novell, MaxWare, Microsoft, Critical Path, IBM, Siemens, Others…
Identity Management
What are your IdM challenges?
-Tactical
-Long Term
IdM Business Case
Justifications can be broken down into five overarching areas
1. Improved user experience
2. Cost savings
3. Security: Lifecycle identity administration
• Audience: IT administrative, HR, Student Administration
4. Security: Policy enforcement
• Audience: Resource owners
5. Competitive advantage
Improving the End-User Experience
Justification 1: “Improving end-user experience” provides
• Reduced Sign-On (sometimes called “single sign-on”)
• Improved quality of experience (QoE) for all types of end users
• Simplified, personalized access
• Automated password reset and other user grantable services
Improving the End-User Experience
What is the “improving end-user experience” business case?
• Improved efficiency of users
• User self-service allows users to personalize their own experience
• Minimization of errors
• University image
• Clear business processes
• Consolidation of application interfacing (single face)
Cost Savings
Justification 2: “cost savings” provide
• Hard dollar savings
• Help desk password resets easily measured (specific number?)
• Duplicate administration responsibilities
• Eliminating redundant software and solutions
• Canceling cell phone, other paid services after employee termination
• Soft dollar savings
• User productivity
• Training to use duplicate facilities
• 15 minutes per user per day used for authentication
• Bad addresses in directories waste time finding phone numbers, e-mail addresses
• “Hidden administrative” costs
• Many directories means many administrators usually taking time out of their real job
Cost Savings
Overlap without integration causes consternation and cost
• Counterintuitive and counter-economic
[Diagram: overlapping product categories: authentication, password management, access management, provisioning, meta-directory, appliances, virtual directory]
Cost Savings
Technologies: Directory services benefits (cont.)
Security – Life Cycle Identity Management
Justification 3: “Security – Life cycle identity management” provides
• Elimination of the potential for errors, omissions and redundancies in identity data across systems
• Accuracy and completeness of identity information
• Better management of identity lifecycle
• Dissemination of assets, services and accounts
• The right resources to the right people at the right time
• Logging and audit capabilities of information assets and resources
• Connect ID access with application access
Security – Life Cycle Identity Management
What is the “Security – life cycle identity management” business case?
• Fragmented identity management infrastructure results in high costs of operations, inability to scale, redundancy and inefficiency
• Dormant and orphan accounts represent security risks
• Need over-arching management capabilities providing auditability and accountability
• Business climate demands delegated and self-service account administration
• Basis for a new class of solution, brought about by vendors with differing backgrounds and capabilities
Security – Policy Enforcement
Justification 4: “Security – Policy enforcement” provides
• Response to heightened government oversight and regulations (e.g., FERPA, HIPAA, GLBA, etc.)
• Minimization of security risks associated with dormant or orphaned accounts
• Cost avoidance in security administration
• Optimization of security functions with less burdensome administration activities
• More secure access to sensitive resources and applications both internal and external to the organization
• Centralized authorization framework across multiple applications
Security – Policy Enforcement
What is the “Security – policy enforcement” business case?
• Promote compliance with regulatory requirements
• Protection of university resources and information assets
• Protection of intellectual property
• Support internal audits and risk assessments
• Determine, through policy, who can access systems that support business processes and what they can do
• Provide stronger authorization based upon the value or sensitivity of the information
• Provide risk and liability management
Competitive Advantage
Justification 5: “competitive advantage” provides
• Framework for rapid deployment of internal and external applications
• Standards to minimize administrative overhead
• Reduction and consolidation of existing resources and personnel
• Support and protection of intellectual property
• Flexible infrastructure promoting quicker time to market for product changes and enhancements
Competitive Advantage
What is the business case?
• Fragmented identity management infrastructure results in high costs of operations, inability to scale, redundancy and inefficiency
• Business climate demands delegated and self-service account administration
• Basis for school’s image and public or business relationships in autonomous lines of business or research
• Flexible IdM infrastructure facilitates faster introduction of new products and services
Identity Management
What are your business drivers?
-SSO
-Cost savings
-Streamlined lifecycle management
-Consistent university-wide policies
-Competitive advantage
-Others?
Design & Deployment Best Practices
• Directory services
• Most organizations have multiple, fragmented directories
• Important first step: Consolidation creates authoritative sources
• Directory vendors moving up the food chain to create IdM suites
• Provisioning
• Many in-house scripts or programs, but packaged software is here
• But today provisioning systems aren’t interoperable
• Provisioning can also be hard to deploy
• Political battles, ownership issues, large-scale integration
• Help desk incidents (password reset) provide strong case for ROI
Design & Deployment Best Practices
• Identity administration
• Self service and delegated admin are important tools
• But delegated admin is ultimately limited in scalability: if we all delegate our problems to each other, then we still have problems
• Standards emerging for security assertions and federation (e.g., Shibboleth)
• Access management
• Roles are better, but design can be a political, technical quagmire
• Granular role definitions are more complex, costly to deploy
• Ultimately access policies must become portable as well
• But political, technical issues make interoperability much harder
Design & Deployment Best Practices
• Most of these technologies come from different vendors
• Overlap between products and approaches
• Burden of full integration is often on you, the customer
• Consolidation across these functional categories has already begun, and the market will drive further consolidation over the next year to 18 months
• Vendors succumbing to “platformania”
• IBM, Sun, HP, Novell
• But the need is clear and the market is driving a solution
• Hence the focus on interoperability and federation
Summary
Methodology
1) Define the business case
2) Assemble the teams – core team, extended team
3) Establish current identity management and directory services architecture baseline
4) Determine architecture requirements
5) Perform gap analysis
6) Develop “target” identity management and directory services architecture
7) Develop migration strategy
8) Establish an architectural review process
9) Begin Deployment
Summary
What are the gotchas?
• Getting your data in order (GI->GO?; CRUD!)
• Interoperability vs. interchangeability
• Build vs. buy
• Extending and customizing schema
• Business process definition
• Politics and data ownership
• Data replication topology
• Access control policies
• Measuring and demonstrating success
• Too much, too fast
Summary
Business processes are really important!
[Diagram: a layered stack. Top: identity-based university access business applications. Advanced business infrastructure: business process integration, meta directory services, object services, web services. Basic business infrastructure: databases, LDAP directories, messaging, PBX/CTI, VoIP, security/PKI, management. Bottom: enabling technology/basic network infrastructure (network, servers, routers, OS, transport services)]
Next Steps
Questions and open discussion