IdM – The Missing Link (part 1) Avi Douglen CISSP [email protected] OWASP 6/9/2009 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Download ReportTranscript IdM – The Missing Link (part 1) Avi Douglen CISSP [email protected] OWASP 6/9/2009 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
IdM – The Missing Link (part 1) Avi Douglen CISSP [email protected] OWASP 6/9/2009 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org OWASP 2 Agenda Background Why IdM Goes WRONG What IdM CAN Do What IdM USUALLY Does What IdM SHOULD Do OWASP 3 BACKGROUND OWASP 4 Some Random IdM Statistics The numbers are very clear… OWASP 5 Some Random IdM Statistics Time to implement enterprise IdM: Vendors: < 6 months Real world: 2-3 years AT LEAST OWASP 6 Some Random IdM Statistics Cost to implement enterprise IdM: Vendors: < $100K Real world: $2-3 million AT LEAST OWASP 7 Some Random IdM Statistics Savings from IdM implementation ~ $ 2.5 million yearly 75% of IT user administration costs > $8 million OWASP 8 Some Random IdM Statistics Success rate for IdM projects 10-15% Success < 5% Success > 60% Still pending (not yet complete, maybe never will be…) Vendors: > 85% Successful implementations OWASP 9 Some Random IdM Statistics Okay, the numbers are not THAT clear… OWASP 10 Background - Definitions Identification – Who are you? Authentication – Prove it! Authorization – What can you do? OWASP 11 Background - Definitions Digital Identity – A set of claims made by one subject about itself in relation to a given system IdM systems deal mostly with enterprise-centric identity systems Not so much user-centric identity OWASP 12 Background – Definition(s) of IdM IdM – Identity Management Manages identity silos for all systems Provides single view of shared user directory Provisioned identities Delegated authentication OWASP 13 Background – Definition(s) of IdM IAM – Identity and Access Management Second generation of IdM Very limited Access Control Not granular or application-sensitive Usually at system level Sometimes provides minimal RBAC features OWASP 14 Background – Definition(s) of IdM “Identity management is… the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources in accordance with established policies” - Burton Group OWASP 15 Sample IdM Vendors Microsoft AD / ADFS MIIS ILM IBM Tivoli Directory Server Tivoli Identity Manager Tivoli Access Manager Novell Identity Manager Access Manager Oracle Too many products to mention… CA Even more… Sun BMC Numerous niche startups… EMC / RSA OWASP WHY IDM GOES WRONG OWASP 17 Challenges - Political Lack of leadership and support from sponsors Getting all stakeholders to have a common view Data ownership quibbles Expectation to make IdM a data synchronization engine for application data Defining an appropriate business process Overlooking change management — expecting everybody to go through the self-learning process OWASP Challenges - Technical Lack of definition of the post-production phase Lack of focus on integration testing Lack of consistent architectural vision Expectations for "over-automation" Deploying too many IdM technologies in too short a time Niche applications – no “best-of-breed” suite Lack of requirements coverage – e.g. CSAC OWASP Security Risks Single point of failure AKA Break one, break all Platform vulnerabilities Integration flaws Rogue developers Over-reliance on automation OWASP 20 WHAT IDM CAN DO OWASP 21 Some IdM Services Identity repository Directory services Provisioning Password synchronization Workflow automation User information selfservice Management of lost passwords Self-service password reset Delegated administration Policy-based access control Enterprise/Legacy single sign-on (SSO) Web single sign-on (WebSSO) Metadata replication / Synchronization Directory virtualization (Virtual directory) Role-based access control (RBAC) Federation OWASP WHAT IDM USUALLY DOES OWASP 23 Top 3 Drivers for IdM 1. Regulatory Compliance 2. Lowered Administration Costs 3. Better user experience 4. Security? OWASP 24 Most Common Features Password reset Password consolidation and management Single Sign-on (SSO) Provisioning Compliance reporting Change request workflow System level access control (RBAC) OWASP 25 Missing Security Benefits Where did “Security” go?? OWASP 26 WHAT IDM SHOULD DO OWASP 27 Possible Security Benefits Immediate de-provisioning And re-provisioning Enterprise wide Password Policy Security policy enforcement OWASP 28 Missing Security Features Separation of Duties Granularity of authorization Scalable application administration Application audit trail OWASP 29 QUESTIONS? [email protected] OWASP 30