IdM – The Missing Link
(part 1)
Avi Douglen
CISSP
[email protected]
OWASP
6/9/2009
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
OWASP
2
Agenda
Background
Why IdM Goes WRONG
What IdM CAN Do
What IdM USUALLY Does
What IdM SHOULD Do
BACKGROUND
Some Random IdM Statistics
The numbers are very clear…
Some Random IdM Statistics
Time to implement enterprise IdM:
Vendors: < 6 months
Real world: 2-3 years AT LEAST
Some Random IdM Statistics
Cost to implement enterprise IdM:
Vendors: < $100K
Real world: $2-3 million AT LEAST
Some Random IdM Statistics
Savings from IdM implementation
~ $ 2.5 million yearly
75% of IT user administration costs
> $8 million
Some Random IdM Statistics
Success rate for IdM projects
10-15% Success
< 5% Success
> 60% Still pending (not yet complete, maybe never will be…)
Vendors: > 85% Successful implementations
Some Random IdM Statistics
Okay, the numbers are not THAT clear…
Background - Definitions
Identification – Who are you?
Authentication – Prove it!
Authorization – What can you do?
Background - Definitions
Digital Identity – A set of claims made by one subject about itself in relation to a given system
IdM systems deal mostly with enterprise-centric identity systems
Not so much user-centric identity
Background – Definition(s) of IdM
IdM – Identity Management
Manages identity silos for all systems
Provides single view of shared user directory
Provisioned identities
Delegated authentication
Background – Definition(s) of IdM
IAM – Identity and Access Management
Second generation of IdM
Very limited Access Control
Not granular or application-sensitive
Usually at system level
Sometimes provides minimal RBAC features
Background – Definition(s) of IdM
“Identity management is… the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources in accordance with established policies”
- Burton Group
Sample IdM Vendors
Microsoft: AD / ADFS, MIIS, ILM
IBM: Tivoli Directory Server, Tivoli Identity Manager, Tivoli Access Manager
Novell: Identity Manager, Access Manager
Oracle: Too many products to mention…
CA: Even more…
Sun
BMC
Numerous niche startups…
EMC / RSA
WHY IDM GOES WRONG
Challenges - Political
Lack of leadership and support from sponsors
Getting all stakeholders to have a common view
Data ownership quibbles
Expectation to make IdM a data synchronization engine for application data
Defining an appropriate business process
Overlooking change management — expecting everybody to go through the self-learning process
Challenges - Technical
Lack of definition of the post-production phase
Lack of focus on integration testing
Lack of consistent architectural vision
Expectations for "over-automation"
Deploying too many IdM technologies in too short a time
Niche applications – no “best-of-breed” suite
Lack of requirements coverage – e.g. CSAC
Security Risks
Single point of failure
AKA Break one, break all
Platform vulnerabilities
Integration flaws
Rogue developers
Over-reliance on automation
WHAT IDM CAN DO
Some IdM Services
Identity repository
Directory services
Provisioning
Password synchronization
Workflow automation
User information self-service
Management of lost passwords
Self-service password reset
Delegated administration
Policy-based access control
Enterprise/Legacy single sign-on (SSO)
Web single sign-on (WebSSO)
Metadata replication / synchronization
Directory virtualization (virtual directory)
Role-based access control (RBAC)
Federation
WHAT IDM USUALLY DOES
Top 3 Drivers for IdM
1. Regulatory Compliance
2. Lowered Administration Costs
3. Better user experience
4. Security?
Most Common Features
Password reset
Password consolidation and management
Single Sign-on (SSO)
Provisioning
Compliance reporting
Change request workflow
System level access control (RBAC)
Missing Security Benefits
Where did “Security” go??
WHAT IDM SHOULD DO
Possible Security Benefits
Immediate de-provisioning
And re-provisioning
Enterprise-wide Password Policy
Security policy enforcement
Missing Security Features
Separation of Duties
Granularity of authorization
Scalable application administration
Application audit trail
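The two slides above list the controls an IdM deployment can deliver (immediate de-provisioning and re-provisioning, policy enforcement) and the ones it usually leaves out (separation of duties, granular authorization, an application audit trail). The Python model below is added here as an illustration and is not part of the original OWASP deck or any vendor product: it shows what those controls look like when an application consults a central identity store on every request instead of relying on a periodic sync. The role names, users, payment ids and the conflicting-role pair are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed policy (hypothetical roles): each role maps to granular (resource, action) permissions.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payment-submitter": {("payment", "create"), ("payment", "read")},
    "payment-approver": {("payment", "approve"), ("payment", "read")},
    "finance-manager": {("payment", "create"), ("payment", "approve"), ("payment", "read")},
}
# Static separation of duties: no identity may hold both roles of a conflicting pair.
SOD_CONFLICTS: Set[FrozenSet[str]] = {frozenset({"payment-submitter", "payment-approver"})}

@dataclass
class Identity:
    user: str
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True

class AuditTrail:  # append-only application audit trail (in memory for the example)
    def __init__(self) -> None:
        self.events: List[dict] = []

    def record(self, actor: str, action: str, outcome: str, **detail) -> None:
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                            "action": action, "outcome": outcome, **detail})

class IdentityRepository:  # central store consulted on every request, so disabling is immediate
    def __init__(self, audit: AuditTrail) -> None:
        self.identities: Dict[str, Identity] = {}
        self.audit = audit

    def provision(self, user: str) -> None:  # also re-enables a previously de-provisioned user
        self.identities.setdefault(user, Identity(user)).enabled = True
        self.audit.record("idm", "provision", "ok", user=user)

    def assign_role(self, user: str, role: str) -> bool:
        ident = self.identities[user]
        for pair in SOD_CONFLICTS:  # static SoD is enforced at assignment time
            if role in pair and (pair - {role}) & ident.roles:
                self.audit.record("idm", "assign_role", "denied-sod", user=user, role=role)
                return False
        ident.roles.add(role)
        self.audit.record("idm", "assign_role", "ok", user=user, role=role)
        return True

    def deprovision(self, user: str) -> None:
        ident = self.identities[user]  # disable, don't delete: audit events keep their referent
        ident.enabled, ident.roles = False, set()
        self.audit.record("idm", "deprovision", "ok", user=user)

    def permissions(self, user: str) -> Set[Tuple[str, str]]:
        ident = self.identities.get(user)
        if ident is None or not ident.enabled:
            return set()
        return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in ident.roles))

class PaymentApp:  # application-side authorization: per-object decisions, each one logged
    def __init__(self, repo: IdentityRepository, audit: AuditTrail) -> None:
        self.repo, self.audit, self.payments = repo, audit, {}

    def _authorize(self, actor: str, action: str, payment_id: str) -> bool:
        allowed = ("payment", action) in self.repo.permissions(actor)
        self.audit.record(actor, f"payment:{action}", "allow" if allowed else "deny", payment_id=payment_id)
        return allowed

    def create_payment(self, actor: str, payment_id: str, amount: int) -> bool:
        if not self._authorize(actor, "create", payment_id):
            return False
        self.payments[payment_id] = {"amount": amount, "created_by": actor, "approved": False}
        return True

    def approve_payment(self, actor: str, payment_id: str) -> bool:
        payment = self.payments.get(payment_id)
        if payment is None or not self._authorize(actor, "approve", payment_id):
            return False
        if payment["created_by"] == actor:  # dynamic SoD at object granularity: no self-approval
            self.audit.record(actor, "payment:approve", "deny-self-approval", payment_id=payment_id)
            return False
        payment["approved"] = True
        return True

def run_scenario() -> dict:  # constructed walkthrough; returns the observable outcomes
    audit = AuditTrail()
    repo = IdentityRepository(audit)
    app = PaymentApp(repo, audit)
    for user, role in {"alice": "payment-submitter", "bob": "payment-approver", "carol": "finance-manager"}.items():
        repo.provision(user)
        repo.assign_role(user, role)
    r = {"sod_blocked": not repo.assign_role("alice", "payment-approver")}
    r["created"], r["approved"] = app.create_payment("alice", "p-1", 500), app.approve_payment("bob", "p-1")
    repo.deprovision("bob")  # leaver: access ends on the next request, not at the next sync run
    app.create_payment("alice", "p-2", 50)
    r["bob_after_deprov"] = app.approve_payment("bob", "p-2")
    app.create_payment("carol", "p-3", 75)
    r["self_approve"] = app.approve_payment("carol", "p-3")
    r["manager_approves"] = app.approve_payment("carol", "p-2")
    r["denied_events"] = sum(e["outcome"].startswith("den") for e in audit.events)
    return r
```

The design point is where each control lives: the static SoD check and the de-provisioning switch sit in the identity repository, because they are enterprise-wide policy, while the self-approval rule sits in the application, because only the application knows who created a given payment. Every allow and deny decision lands in the same audit trail, which is what compliance reporting at the application level needs and what system-level RBAC alone cannot give you.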
QUESTIONS?
[email protected]