1. Identity access management
Jacques Folon
Partner, Edge Consulting
Lecturer (maître de conférences), Université de Liège
Lecturer (chargé de cours), ICHEC Brussels Management School
Visiting professor, Université de Lorraine (Metz), ISFSC, HE F. Ferrer, HE LdB (Bruxelles), Institut Arabe des Chefs d'entreprises (Tunis), Institut Africain de Management (Ouagadougou)
2. Find me online
Jacques.folon@ichec.be
https://www.facebook.com/folon.jacques
http://www.scoop.it/u/jacques-folon
http://www.linkedin.com/in/folon
http://jacquesfolon.tumblr.com/
http://fr.slideshare.net/FOLON
@jacquesfolon
4. IAM
1. What is it?
2. What is the current context?
3. IAM & cloud computing
4. Why do we need it?
5. To do list
6. IAM and privacy
7. IAM and control
8. e-discovery
9. Conclusion
5. 1. IAM: what is it?
Single Sign On, Password Management, Secure Remote Access, Federation, Role-based Management, Provisioning, Web Services Security, Auditing & Reporting, Authorization, DRM, Strong Authentication, Directories, PKI
Source: Identity and Access Management: Overview, Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, rafal@projectbotticelli.co.uk
8. Q: What's posted on this monitor?
a – password to financial application
b – phone messages
c – to-do's
9. Q: What determines your employee's access?
a – give Alice whatever Wally has
b – roles, attributes, and requests
c – whatever her manager says
10. Q: Who is the most privileged user in your enterprise?
a – security administrator
b – CFO
c – the summer intern who is now working for your competitor
11. Q: How secure is your identity data?
a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don't hold credit card numbers
12. Q: How much are manual compliance controls costing your organization?
a – nothing, no new headcount
b – don't ask
c – don't know
13. Today's IT Challenges
More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns
More Agile Business
• More accessibility for employees, customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements
More Secured Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats
14. State Of Security In Enterprise
• Incomplete
– Multiple point solutions from many vendors
– Disparate technologies that don't work together
• Complex
– Repeated point-to-point integrations
– Mostly manual operations
• 'Non-compliant'
– Difficult to enforce a consistent set of policies
– Difficult to measure compliance with those policies
15. Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience
16. IAM is not only an IT task!
Identity management consists of managing the lifecycle of people (hiring, promotion, transfer, departure, etc.) within the company and the resulting impacts on the information system (creation of user accounts, assignment of user profiles, implementation of access control, etc.).
Source: CLUSIF
17. IAM is not only an IT task!
• This identity management must be possible from a functional point of view by non-IT staff (for example: Human Resources, business owners (maîtrise d'ouvrage), the user himself)
• and
• from a technical point of view by IT staff (for example: administrators, implementation teams (maîtrise d'œuvre)).
Source: CLUSIF
18. The identity management solution must be a global solution, built on a centralized infrastructure with distributed functional management, that integrates the following functions:
• management of the central user repository (fed from source user repositories),
• management of the central repository of the resources covered by access rights management,
• management of entitlements (management of profiles, roles, users, workflow),
• provisioning (synchronization of the target security repositories),
• decentralized administration,
• self-administration (management by users of their passwords and private data),
• audit and reporting,
• access control (authentication, authorization).
Source: CLUSIF
19. Definition
• What is Identity Management?
"Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities." The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• Identity Management in this sense is sometimes called "Identity and Access Management" (IAM)
20. Identity and Access Management is the process for managing the lifecycle of digital identities and access for people, systems and services. This includes:
• User Management – management of large, changing user populations along with delegated- and self-service administration.
• Access Management – allows applications to authenticate users and allow access to resources based upon policy.
• Provisioning and De-Provisioning – automates account propagation across applications and systems.
• Audit and Reporting – review access privileges, validate changes, and manage accountability.
Source: J. Tony Goulding, CISSP, ITIL, CA, tony.goulding@ca.com
21. IAM is, for example…
• "Hello, I am Julie, a student at INFOSAFE." (Identity)
• "This is my password." (Authentication)
• "I want to access the platform." (Authorization granted)
• "I want to improve my exam grade." (Authorization refused)
22. But it is also…
• A new professor
• So an email address, to be given as soon as possible
• A password on ICHEC Campus
• An Intranet password
• A password for IE Campus
• Defining the other services he has access to
23. What are the questions to ask?
• Are people who they say they are?
• Are they real members of our community?
• Have they received the necessary authorizations?
• Is respect for their personal data in place?
24. Examples of questions
– What type of password to give?
– Which activities are authorized?
– Which activities are forbidden?
– To which category of person should this new identity be attached?
– At what point in the onboarding process should the authorizations be granted?
– What control arrangements are in place?
Can all of this be proven to an auditor?
25. The triple A of IAM
Authentication: WHO ARE YOU?
Authorization / Access Control: WHAT CAN YOU DO?
Audit: WHAT HAVE YOU DONE?
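The Julie dialogue of slide 21 and the triple A above, worked through in code. This is an added example, not code from the original deck: a constructed identity store with a salted PBKDF2 password hash (authentication), a role-to-permission table (authorization) and an append-only audit trail that records every decision, granted or refused (audit). The roles, the permission names and the user "julie" are assumptions for illustration.

```python
"""Authentication, authorization and audit in one small identity store.
Constructed example; roles, permissions and users are illustrative."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Authorization policy: role -> permissions it grants (assumed for the example)
ROLE_PERMISSIONS: Dict[str, set] = {
    "student": {"platform:access", "exam:view_grade"},
    "professor": {"platform:access", "exam:view_grade", "exam:set_grade"},
}
PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen store does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class IdentityStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # Audit trail: (actor, action, resource, outcome), append-only
        self.audit: List[Tuple[str, str, str, str]] = []

    def _log(self, actor: str, action: str, resource: str, outcome: str) -> None:
        self.audit.append((actor, action, resource, outcome))

    def provision(self, name: str, role: str, password: str) -> None:
        """Identity: create the account with its role (joiner process)."""
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, hash_password(password, salt))
        self._log("system", "provision", name, "ok")

    def authenticate(self, name: str, password: str) -> bool:
        """WHO ARE YOU? Verify the password without revealing which part failed."""
        user = self.users.get(name)
        # Hash even for unknown names so timing does not reveal valid accounts
        salt = user.salt if user else b"\x00" * 16
        candidate = hash_password(password, salt)
        ok = user is not None and hmac.compare_digest(candidate, user.pw_hash)
        self._log(name, "authenticate", "-", "ok" if ok else "denied")
        return ok

    def authorize(self, name: str, permission: str) -> bool:
        """WHAT CAN YOU DO? Decide from the role, never from the request itself."""
        user = self.users.get(name)
        ok = user is not None and permission in ROLE_PERMISSIONS.get(user.role, set())
        self._log(name, "authorize", permission, "ok" if ok else "denied")
        return ok


def julie_scenario() -> Tuple[Dict[str, bool], List[Tuple[str, str, str, str]]]:
    """Slide 21's dialogue: identity, authentication, one grant, one refusal."""
    store = IdentityStore()
    store.provision("julie", "student", "correct horse battery staple")
    results = {
        "login_ok": store.authenticate("julie", "correct horse battery staple"),
        "login_wrong_password": store.authenticate("julie", "guess"),
        "access_platform": store.authorize("julie", "platform:access"),
        "change_own_grade": store.authorize("julie", "exam:set_grade"),
    }
    # WHAT HAVE YOU DONE? is answered by the audit list, refusals included
    return results, store.audit


if __name__ == "__main__":
    res, trail = julie_scenario()
    print(res)
    for entry in trail:
        print(entry)
```

Two details matter for an auditor: the denied decisions are logged alongside the granted ones, and the password check hashes even for unknown account names, so an attacker cannot enumerate valid identities from response time.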
30. Between virtual identity and ...
"In this context, the accumulation of fragments left more or less abandoned sketches a portrait in small touches. A bit like pointillist paintings: taken one by one, none of the traces is really significant. But the overall picture represents the subject as a whole. Visible to all, and not necessarily from the angle one would have wished…"
http://www.buschini.com/2009/12/04/identite-traditionnelle-versus-identite-numerique/
31. • The Internet is based on anonymous communications
• Companies take part in many networks, generating multiple identities
• Internal systems sometimes have different identifier schemes
• Users are the weak links of security
• Computer crime is increasing
• Putting controls in place requires identification
• Managing logs (traces) is indispensable
• Protecting privacy requires controls
Welcome to a digital world
34. Explosion of IDs
[Chart: number of digital IDs and of applications against time. Pre-1980s: mainframe. 1980s: client/server. 1990s: Internet. 2000s: mobility. The identity population grows from the company (B2E) to partners (B2B, business automation) and customers (B2C).]
Source: Rafal Lukawiecki, Identity and Access Management: Overview, Project Botticelli Ltd
35. The Disconnected Reality
[Diagram: HR, Finance, Office, Infrastructure, an external application and an in-house employee application each carry their own Authentication, Authorization and Identity Data, next to the Enterprise Directory.]
• "Identity Chaos"
– Many users and applications
– Many IDs
– Several identities per user
– Several logins and passwords
– Multiple repositories of identity information
– Multiple user IDs, multiple passwords
– Decentralized management
– Business <-> IT conflicts
Source: Rafal Lukawiecki, Identity and Access Management: Overview, Project Botticelli Ltd
36. Multiple Contexts
[Diagram: the value chain around your COMPANY and your EMPLOYEES. Your SUPPLIERS: collaboration, outsourcing, faster business cycles, process automation. Your CUSTOMERS: customer satisfaction and customer intimacy, cost competitiveness, reach, personalization. Your REMOTE and VIRTUAL EMPLOYEES: M&A, mobile/global workforce, flexible/temp workforce. Your PARTNERS.]
Source: Rafal Lukawiecki, Identity and Access Management: Overview, Project Botticelli Ltd
37. Trends Impacting Identity
Rising Tide of Regulation and Compliance
• SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
• $15.5 billion spend on compliance (analyst estimate)
Deeper Line of Business Automation and Integration
• One half of all enterprises have SOA under development
• Web services spending growing 45%
Increasing Threat Landscape
• Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
• $250 billion lost from exposure of confidential info
Maintenance Costs Dominate IT Budget
• On average employees need access to 16 apps and systems
• Companies spend $20-30 per user per year for PW resets
Data sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
39. Pain Points
IT Admin
• Too many user stores and account admin requests
• Unsafe sync scripts
Developer
• Redundant code in each app
• Rework code too often
End User
• Too many passwords
• Long waits for access to apps, resources
Security/Compliance
• Too many orphaned accounts
• Limited auditing ability
Business Owner
• Too expensive to reach new partners, channels
• Need for control
Source: Rafal Lukawiecki, Identity and Access Management: Overview, Project Botticelli Ltd
41. Cloud Computing: Definition
• No unique definition or general consensus about what cloud computing is …
• Different perspectives and focuses (platform, SW, service levels …)
• Flavours:
– Computing and IT resources accessible online
– Dynamically scalable computing power
– Virtualization of resources
– Access to (potentially) composable and interchangeable services
– Abstraction of IT infrastructure: no need to understand its implementation, use services and their APIs
– Some current players, at the infrastructure and service level: Salesforce.com, Google Apps, Amazon, Yahoo, Microsoft, IBM, HP, etc.
Source: Marco Casassa Mont (marco.casassa-mont@hp.com, HP Labs Systems Security Lab, Bristol, UK), The Future of Identity in the Cloud: Requirements, Risks & Opportunities, EEMA e-Identity Conference, 2009
42. Cloud Computing: Implications
• Enterprise: paradigm shift from "closed & controlled" IT infrastructures and services to externally provided services and IT infrastructures
• Private user: paradigm shift from accessing a static set of services to dynamic and composable services
• General issues:
– Potential loss of control (on data, infrastructure, processes, etc.)
– Data and confidential information stored in the clouds
– Management of identities and access (IAM) in the cloud
– Compliance to security practice and legislation
– Privacy management (control, consent, revocation, etc.)
– New threat environments
– Reliability and longevity of cloud and service providers
Source: Marco Casassa Mont, The Future of Identity in the Cloud: Requirements, Risks & Opportunities, EEMA e-Identity Conference, 2009
43. Identity in the Cloud: Enterprise Case
IAM capabilities and services can be outsourced in the cloud …
[Diagram: the Enterprise (employees; identity & credentials; data & confidential information; identity & business apps/services with authentication, authorization, audit and user account provisioning/de-provisioning) reaches over the Internet to Cloud Provider #1 (on-demand printing, CPUs, CRM service, office apps, storage service), Cloud Provider #2, Service 3 and an Internal Cloud (backup service, ILM service). Each provider holds its own identity & credentials, data & confidential information, authentication, authorization, audit and user account provisioning/de-provisioning.]
Source: Marco Casassa Mont, The Future of Identity in the Cloud: Requirements, Risks & Opportunities, EEMA e-Identity Conference, 2009
44. Identity in the Cloud: Enterprise Case. Issues and Risks [1/2]
• Potential proliferation of required identities and credentials to access services
→ Misbehaviours when handling credentials (writing down, reusing, sharing, etc.)
• Complexity in correctly "enabling" information flows across boundaries
→ Security threats (Enterprise → Cloud and Service Providers, Service Provider → Service Provider, …)
• Propagation of identity and personal information across multiple clouds/services
→ Privacy issues (e.g. compliance to multiple legislations, importance of location, etc.)
→ Exposure of business-sensitive information (employees' identities, roles, organisational structures, enterprise apps/services, etc.)
→ How to effectively control this data?
• Delegation of IAM and data management processes to cloud and service providers
→ How to get assurance that these processes and security practice are consistent with enterprise policies? A recurrent problem for all stakeholders: enterprise, cloud and service providers …
→ Consistency and integrity of user accounts and information across various clouds/services
→ How to deal with overall compliance and governance issues?
Source: Marco Casassa Mont, The Future of Identity in the Cloud: Requirements, Risks & Opportunities, EEMA e-Identity Conference, 2009
45. Identity in the Cloud: Enterprise Case. Issues and Risks [2/2]
• Migration of services between cloud and service providers
→ Management of the data lifecycle
• Threats and attacks in the clouds and cloud services
→ Cloud and service providers can be the "weakest links" in security and privacy
→ Reliance on good security practice of third parties
Source: Marco Casassa Mont, The Future of Identity in the Cloud: Requirements, Risks & Opportunities, EEMA e-Identity Conference, 2009
46. 4. Why do we need it?
• Security
• Compliance
• Cost reduction
• Audit support
• Access control
48. Possible savings
• Directory Synchronization
"Improved updating of user data: $185 per user/year"
"Improved list management: $800 per list"
- Giga Information Group
• Password Management
"Password reset costs range from $51 (best case) to $147 (worst case) for labor alone." – Gartner
• User Provisioning
"Improved IT efficiency: $70,000 per year per 1,000 managed users"
"Reduced help desk costs: $75 per user per year"
- Giga Information Group
49. Can We Just Ignore It All?
• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• The number of phishing sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems
Source: Microsoft's internal research and Anti-Phishing Working Group
50. IAM Benefits
Benefits today (Tactical)
• Save money and improve operational efficiency
• Improved time to deliver applications and service
Benefits to take you forward (Strategic)
• New ways of working
• Improved time to market
• Enhance security
• Regulatory compliance and audit
• Closer supplier, customer, partner and employee relationships
Source: Rafal Lukawiecki, Identity and Access Management: Overview, Project Botticelli Ltd
51. 5. IAM to do list
• Automatic creation and deletion of accounts
• Log (trace) management
• Archiving (for how long?)
• Privacy
• Compliance
• Security vs. risks
• More and more users
• E-business
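The provisioning and de-provisioning of slide 20, the orphaned-account pain point of slides 39 and 49 and the first item of this to-do list all come down to one recurring control: reconcile the HR lifecycle record (joiner, mover, leaver) against every account store, and act on the differences. The following is an added example, not code from the deck or from any product it mentions; the HR roster, the three account stores, the role-to-system mapping and the reference date are constructed data.

```python
"""Joiner / leaver reconciliation across several account stores.
Constructed example: the HR roster, the account stores and the role-to-system
mapping are illustrative data, not from the deck."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str            # "active" or "left"
    role: str
    left_on: Optional[date] = None


# Authoritative lifecycle source (constructed)
HR: List[HrRecord] = [
    HrRecord("p001", "active", "student"),
    HrRecord("p002", "left", "intern", left_on=date(2023, 8, 31)),
    HrRecord("p003", "active", "professor"),
]

# Target stores (constructed): system -> {account name: HR person_id or None}
ACCOUNTS: Dict[str, Dict[str, Optional[str]]] = {
    "intranet": {"alice": "p001", "bob": "p002", "svc_backup": None},
    "campus": {"alice": "p001", "bob": "p002", "carol": "p003"},
    "ie_campus": {"bob": "p002"},
}

# Which systems each role must hold an account on (constructed policy)
REQUIRED_SYSTEMS: Dict[str, set] = {
    "student": {"intranet", "campus"},
    "professor": {"intranet", "campus", "ie_campus"},
    "intern": {"intranet"},
}

TODAY = date(2024, 1, 15)  # fixed so the example is reproducible

Finding = Tuple[str, str, str, Optional[int]]  # (kind, system, subject, days)


def reconcile(hr: List[HrRecord], accounts: Dict[str, Dict[str, Optional[str]]],
              today: date) -> List[Finding]:
    """Return orphaned, unowned and missing accounts, sorted for a stable report."""
    by_id = {r.person_id: r for r in hr}
    active = {pid for pid, r in by_id.items() if r.status == "active"}
    findings: List[Finding] = []
    for system, accts in accounts.items():
        for account, pid in accts.items():
            if pid is None:
                # No owner at all: a service account nobody is accountable for
                findings.append(("unowned", system, account, None))
            elif pid not in active:
                # Leaver still has a live account: the de-provisioning gap
                left = by_id[pid].left_on if pid in by_id else None
                age = (today - left).days if left else None
                findings.append(("orphaned", system, account, age))
    for pid in active:
        held = {s for s, a in accounts.items() if pid in a.values()}
        for system in REQUIRED_SYSTEMS.get(by_id[pid].role, set()) - held:
            # Joiner still waiting for access: the "long waits" pain point
            findings.append(("missing", system, pid, None))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2]))


def deprovisioning_plan(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Accounts to disable now: every orphaned (system, account) pair."""
    return [(system, account) for kind, system, account, _ in findings
            if kind == "orphaned"]


def run_example() -> List[Finding]:
    return reconcile(HR, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for kind, system, subject, days in run_example():
        age = "" if days is None else f"{days} days"
        print(f"{kind:9} {system:10} {subject:12} {age}")
    print("disable:", deprovisioning_plan(run_example()))
```

Run daily, the orphaned list with its age in days is the metric an auditor will ask for (slide 49's "orphaned accounts lead to security problems", slide 10's intern who now works for a competitor), and the unowned list is where shared or service accounts without an accountable owner surface.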
66. • What can be controlled?
• Limits?
• Private correspondence
• Wage garnishment
• Real sanctions
• Communicating the sanctions?
67. • Organizational security
– Security department
– Security consultant
– Security procedures
– Disaster recovery
68. • Technical security
– Risk analysis
– Back-up
– Procedures against fire, theft, etc.
– Securing access to the IT network
– Authentication system (identity management)
– Effective logins and passwords
69. • Legal security
– Employment contracts and information
– Contracts with subcontractors
– Code of conduct
– Employee monitoring
– Full compliance with the regulations
72. Definition of e-discovery
• Electronic discovery (or e-discovery) refers to discovery in civil litigation which deals with information in electronic format, also referred to as Electronically Stored Information (ESI).
• It means the collection, preparation, review and production of electronic documents in litigation discovery.
• Any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.
• This includes e-mail, attachments, and other data stored on a computer, network, backup or other storage media. e-Discovery includes metadata.
73. Recommendations
Organizations should update and/or create information management policies and procedures that include:
– e-mail retention policies,
– off-line and off-site data storage retention policies,
– controls defining which users have access to which systems and under what circumstances,
– instructions for how and where users can store data, and
– backup and recovery procedures.
On an individual level, employees tend to keep information on their hard drives "just in case" they might need it.
– Work with users to rationalize their storage requirements and decrease their storage budget.
– Assessments or surveys should be done to identify business functions, data repositories, and the systems that support them.
– Legal must be consulted. Organizations and their legal teams should work together to create and/or update their data retention policies and procedures for managing litigation holds.
74. 9. Conclusion
• IAM is not only an IT question: the legal and management aspects are essential
• Pay attention to the compliance aspects
• More security is needed
– Cloud computing
– Virtualisation
– Data privacy
– Archiving
• Transparency
• E-discovery
75. IAM is also an opportunity
• Rethink security
• Limit risks
• Reduce costs
• Clarify roles and responsibilities
• Anticipate future risks