Very few organizations do identity management as effectively as they could.
They have trouble developing effective methods for provisioning new users, de-provisioning old users, updating access privileges as users move around the organization, and automating the user change and configuration processes.
This presentation by identity and access management (IAM) experts Adrian Lane, CTO and analyst at Securosis, and Rick Wagner, director of product management at NetIQ, covered the key elements of building a strong IAM strategy and the leading industry practices behind those strategies.
Originally presented as a UBM TechWeb DarkReading webinar; the on-demand version will be available at http://bit.ly/UUABIz until July 1st 2013.
2. Today’s Presenters
Erik Sherman
Moderator
Adrian Lane
Analyst & CTO
Securosis
Rick Wagner
Director
Product Management
Identity and Access Governance
NetIQ
13. What’s changed?
• External cloud services forever alter IAM and force changes
• Both customers & employees are using internal & external resources
• Constant pressure to do more with less has IT ops looking for streamlined solutions
• These changes make it very difficult to manage identity & authorization across the enterprise
14. Which is another way to say you have more to do, in a more complex environment, so you’d better automate!
15. Exactly Opposite
• Need to distribute policy decisions & enforcement
• Need to centralize management
19. Authorization and Access Management
Policy Decision Point (PDP): determines the rules
Policy Enforcement Point (PEP): enforces the rules
22. Replication & Synchronization
In-house: Directory Services; Web Services; HR; Financial Systems
Remote: Document Management; Partner Services; Off-site Backup
23. Federation
In-house: Directory Services with Federation Extensions; Internal User
Remote: Software as a Service; Approved User; Un-approved User
24. Hybrids
In-house: Directory Services with Federation Extensions; Web Services; HR; Financial Systems
Cloud: Identity As A Service; IaaS Provider
Interfaces between them: SAML, XACML, SPML, SCIM, Vendor API
25. Interfaces
Identity / Attribute Providers → Central Broker (Proxy or Repository) → Service Providers
27. Key Identity Management Questions
• How do we manage user accounts across multiple internal/external apps?
• Do we replicate directory services?
• How do we deal with cloud provider identity management & interfaces?
• How do we link internal & external functions?
28. Key Access Management Questions
• How do we integrate with internal apps? Cloud apps? Mobile apps?
• How do we enforce policy?
• Do we have granular controls?
• Where do authorization maps reside?
• Who initiates authorization requests?
31. Recommendations
• Centralized management framework
• Leverage models that work for both cloud and local resources
• There is no one ‘right’ strategy for all customers
• Select the model that maximizes automation
• Understand that management and storage are likely a shared responsibility
32. IAM Recommendations
• Use Federated Identity to authenticate locally and authorize remotely
• Define authoritative sources for policies: often HR rather than standard directory services
• Determine whether providers support roles and attributes
33. Adrian Lane
Securosis, L.L.C.
alane@securosis.com Twitter: AdrianLane
34. Building an IAM
Management Strategy
Using NetIQ Identity & Access Governance
Products
Rick Wagner
Director, Product Management
rwagner@netiq.com
With the client-server model we worried about a single, central place to manage identities and privileges. Our biggest problem was password resets.
Cloud and mobile have forced a re-examination of identity and authorization. Even if you’re not in the cloud, the products you use are evolving to use new concepts to promote efficiency. But most of you are in the cloud whether you like it or not. Mobile devices permeate every enterprise. Cloud services are too cheap and too compelling. Constant budgetary pressures both push us to better/faster/cheaper solutions and force us to automate more and more mundane tasks. The problem is that these changes, made in order to make IAM more efficient and effective, also make it more complex.
Reduced Sign-on (RSO). The use of an account and/or credential synchronization tool to minimize the number of credentials (usually username and password) a user has to remember; most of these solutions result in some form of security compromise.
Single Sign On (SSO). The ability to pass Identity and Attributes to a cloud service, securely, using secure standards such as SAML and OAuth.
Federation. The connection of one Identity repository to another.
Persona. Identity plus the particular Attributes that provide context to the environment the Entity is operating within. A Persona may be an aggregation of an individual Identity together with an Organizational Identity and Organization Attributes (e.g. a corporate Persona, Fred Smith as CEO of ACME Corp., or a Personal Computer belonging to ACME Corp.).
Attributes. Facets of an Identity.
Cloud as a forcing function: cloud services forced a fundamental rethink of how we propagate identity. Federation of identity is really the first step in this process.
Also fundamental to this shift is the separation of policy and enforcement. The PDP is internal for private apps and may be in the cloud for consumer/public apps; the PEP is typically at the cloud provider, whether the app is public facing or private. Authorization and Access Management is the process by which the entitlement rules are translated (via the Authorization layer) into Access Management rules. In most cloud based systems, the Authorization layer is likely to be a “Policy Decision Point” (PDP), the point that evaluates and issues authorization decisions, and the Access Management layer the “Policy Enforcement Point” (PEP), the point that enforces the PDP's decision.
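The PDP/PEP split described above, as an added example that is not part of the presentation or of any NetIQ or Securosis code. The policy format (a rule is an action, a resource prefix and a set of required subject attributes) is a hypothetical attribute-based scheme invented for the example, as are the finance policy, the users and the invoice resources. The point it shows is the one the notes make: the PEP collects the request context and enforces, the PDP decides, and the PEP depends only on a decision interface, so the PDP can sit in-house while enforcement sits at the provider. It also covers the failure mode a practitioner cares about: an unreachable PDP is recorded in the audit trail and treated as a deny, never as a permit.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Request is the context the Policy Enforcement Point (PEP) assembles for each
// access attempt: the authenticated subject, the action, the target resource,
// and whatever subject attributes the identity layer supplied.
type Request struct {
	Subject  string
	Action   string
	Resource string
	Attrs    map[string]string
}

// Decision is what the Policy Decision Point (PDP) returns. The PEP acts only
// on Permit; anything else, including an error, is treated as deny.
type Decision struct {
	Permit bool
	Reason string
}

// Decider is the PEP's only view of the PDP. A local PDP and one reached over
// the network satisfy it identically, which is what lets the enforcement
// point sit at the provider while decisions stay in-house.
type Decider interface {
	Decide(Request) (Decision, error)
}

// Rule is one entitlement in a hypothetical attribute-based policy format:
// an action on resources with a given prefix is permitted when the subject
// carries every required attribute value.
type Rule struct {
	Action   string
	Resource string // prefix, e.g. "invoice:"
	Required map[string]string
}

// PDP evaluates the rule set. It never touches the protected resource.
type PDP struct{ Rules []Rule }

func (p *PDP) Decide(r Request) (Decision, error) {
	for _, rule := range p.Rules {
		if rule.Action != r.Action || !strings.HasPrefix(r.Resource, rule.Resource) {
			continue
		}
		if hasAll(r.Attrs, rule.Required) {
			return Decision{true, fmt.Sprintf("rule %s on %s*", rule.Action, rule.Resource)}, nil
		}
	}
	return Decision{false, "no matching rule (default deny)"}, nil
}

func hasAll(have, want map[string]string) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

// PEP guards an operation. It asks the PDP, records the outcome for audit, and
// runs the operation only on an explicit Permit. An unreachable PDP is a deny.
type PEP struct {
	PDP   Decider
	Audit []string
}

func (e *PEP) Enforce(r Request, op func() string) (string, error) {
	d, err := e.PDP.Decide(r)
	if err != nil {
		d = Decision{false, "pdp unavailable: " + err.Error()}
	}
	verdict := "DENY"
	if d.Permit {
		verdict = "PERMIT"
	}
	e.Audit = append(e.Audit, fmt.Sprintf("%s %s %s %s (%s)", verdict, r.Subject, r.Action, r.Resource, d.Reason))
	if !d.Permit {
		return "", errors.New("access denied: " + d.Reason)
	}
	return op(), nil
}

// brokenPDP stands in for a decision point the PEP cannot reach.
type brokenPDP struct{}

func (brokenPDP) Decide(Request) (Decision, error) { return Decision{}, errors.New("timeout") }

// financePolicy is a constructed sample policy: finance staff may read
// invoices, finance managers may approve them.
func financePolicy() *PDP {
	return &PDP{Rules: []Rule{
		{Action: "read", Resource: "invoice:", Required: map[string]string{"dept": "finance"}},
		{Action: "approve", Resource: "invoice:", Required: map[string]string{"dept": "finance", "role": "manager"}},
	}}
}

func main() {
	pep := &PEP{PDP: financePolicy()}
	alice := map[string]string{"dept": "finance", "role": "analyst"}
	bob := map[string]string{"dept": "finance", "role": "manager"}
	for _, r := range []Request{
		{"alice", "read", "invoice:42", alice},
		{"alice", "approve", "invoice:42", alice},
		{"bob", "approve", "invoice:42", bob},
	} {
		out, err := pep.Enforce(r, func() string { return "ok" })
		fmt.Println(r.Subject, r.Action, out, err)
	}
	for _, line := range pep.Audit {
		fmt.Println(line)
	}
}
```

Swapping `financePolicy()` for a type that posts the `Request` to a remote decision service changes nothing in `PEP`; that is the separation the slides are after. Default deny at the end of `Decide` is deliberate: a request no rule covers must not succeed just because nobody wrote a rule against it.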
Automation is more important than
Quite literally trucking your existing directory services in house and externally to the cloud. It makes things the same, but the security of the directory, propagation delays and incompatibility with cloud and mobile services are all problems. IaaS is OK; PaaS maybe not. Management is more difficult depending upon synchronization capabilities.
One way to manage access to a SaaS application is to rely on federated identity. Basically the existing directory does the bulk of the work; SAML extends identity and, in some cases, provisioning to the cloud. Here’s how it works: implement federation extensions on the internal directory server. Disable username/password login with the SaaS provider. When a user logs in, they are issued a federation (e.g. SAML) token. This token is accepted by the SaaS application to log the user in. The user is unable to log in to the SaaS application unless they are logged into the organization’s network, since that’s the only way to get the federation token.
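The four steps above as one complete exchange, added here as an example; it is not code from the presentation or from either presenter's company. The token is a JSON claim set signed with an Ed25519 key rather than a real XML-DSig SAML assertion, so that it runs with the Go standard library alone; the claim names (issuer, subject, audience, validity window) mirror what a SAML assertion carries. The IdP name, the SaaS audience URL, the user "alice" and her attributes are all constructed for the example. It shows why the last sentence of the notes holds only when the SaaS side actually refuses passwords and checks signature, issuer, audience and expiry: each of those failures is exercised separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the claim set the identity provider signs. The fields mirror
// a SAML assertion (Issuer, Subject, Audience, Conditions); JSON stands in
// for XML only to keep the example self-contained.
type Assertion struct {
	Issuer   string            `json:"iss"`
	Subject  string            `json:"sub"`
	Audience string            `json:"aud"`
	IssuedAt int64             `json:"iat"`
	Expires  int64             `json:"exp"`
	Attrs    map[string]string `json:"attrs"`
}

// Token is what crosses the wire: the encoded assertion plus the IdP signature.
type Token struct {
	Payload   []byte
	Signature []byte
}

// IdP is the in-house directory with federation extensions. It holds the
// signing key and knows which users currently have an internal session.
type IdP struct {
	Name     string
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	Sessions map[string]map[string]string // user -> attributes, for users logged into the network
}

func NewIdP(name string) (*IdP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdP{Name: name, priv: priv, Pub: pub, Sessions: map[string]map[string]string{}}, nil
}

// Issue mints a token for audience aud, but only for a user who already has
// an internal session: no network login, no federation token.
func (i *IdP) Issue(user, aud string, now time.Time, ttl time.Duration) (Token, error) {
	attrs, ok := i.Sessions[user]
	if !ok {
		return Token{}, errors.New("no internal session for " + user)
	}
	a := Assertion{Issuer: i.Name, Subject: user, Audience: aud, IssuedAt: now.Unix(), Expires: now.Add(ttl).Unix(), Attrs: attrs}
	payload, err := json.Marshal(a)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// SP is the SaaS application. It trusts exactly one IdP key, has its own
// audience name, and has local username/password login switched off.
type SP struct {
	Audience      string
	TrustedIssuer string
	IdPKey        ed25519.PublicKey
}

// LoginWithPassword is the disabled path: the SaaS side never checks a
// password, so a leaked or guessed one is worthless here.
func (s *SP) LoginWithPassword(user, pw string) (string, error) {
	return "", errors.New("password login disabled at " + s.Audience + ": authenticate via the IdP")
}

// LoginWithToken accepts a token only if signature, issuer, audience and the
// validity window all check out; any failure is a refusal, not a fallback.
func (s *SP) LoginWithToken(t Token, now time.Time) (string, error) {
	if !ed25519.Verify(s.IdPKey, t.Payload, t.Signature) {
		return "", errors.New("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(t.Payload, &a); err != nil {
		return "", err
	}
	switch {
	case a.Issuer != s.TrustedIssuer:
		return "", errors.New("untrusted issuer " + a.Issuer)
	case a.Audience != s.Audience:
		return "", errors.New("token not intended for " + s.Audience)
	case now.Unix() >= a.Expires || now.Unix() < a.IssuedAt:
		return "", errors.New("token outside validity window")
	}
	return fmt.Sprintf("session for %s (%s)", a.Subject, a.Attrs["dept"]), nil
}

func main() {
	idp, _ := NewIdP("https://idp.example.internal") // hypothetical IdP name
	idp.Sessions["alice"] = map[string]string{"dept": "finance"}
	sp := &SP{Audience: "https://crm.example-saas.com", TrustedIssuer: idp.Name, IdPKey: idp.Pub}
	now := time.Now()
	tok, _ := idp.Issue("alice", sp.Audience, now, 5*time.Minute)
	fmt.Println(sp.LoginWithToken(tok, now))
	fmt.Println(sp.LoginWithPassword("alice", "hunter2"))
	_, err := idp.Issue("mallory", sp.Audience, now, 5*time.Minute)
	fmt.Println(err)
}
```

The audience check is the one most often skipped in home-grown federation: without it, a token minted for one SaaS tenant logs the same user into every other service that trusts the same IdP key.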
There are three basic architectures for interfacing to Identity and Attribute providers: a “hub-and-spoke” model, where Identity and Attributes are centrally managed (coordinated) by the hub, which then interacts with the cloud service(s) or cloud application(s); the free-form model, where the cloud service and/or application can be configured to accept Identities and Attributes from multiple sources; and the hybrid solution, where the components are distributed, potentially using other cloud services. Each model has its merits, and the choice will be based on a number of factors, including where the customers for the service have their identity, the capability of the cloud service chosen, and the capability of the enterprise to provide assertion-based Identity and Attributes.
The enterprise must understand the choices in identity standards, what problems each solves and how, and finally the level of maturity of the standard. These are the most commonly used standards and align with what’s on the exam. This is part of the reason that the identity as a service model is being adopted: it is cheaper to let someone else glue all the bits together.
Identity and Access Management are separate but related concerns. Identity management is related to provisioning accounts; this includes registration in the system (such as a directory), propagation (synchronization or replication), managing attributes, de-provisioning (deactivation), and audit reporting. The provisioning process provides the accounts that are used by the Access management system. The access management system adjudicates access control decisions such as authentication and authorization.
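The identity-management lifecycle just described (registration, propagation, attribute change, de-provisioning, audit), wired as the hub-and-spoke model from the interfaces discussion, as an added example that is not code from the presentation, NetIQ or Securosis. The user record follows the shape of a SCIM 2.0 User resource (the `urn:ietf:params:scim:schemas:core:2.0:User` schema URI is the real one from RFC 7643) but the `dept` field, the `IdentityManager` hub, the two downstream targets and the user "alice" are constructed for the example. The hub is fed from the authoritative source (HR, as the recommendations slide suggests) and pushes every change to all replicas; the one access-management call at the end shows the dependency in the other direction: a target only authenticates an account that provisioning has left active.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

const scimUser = "urn:ietf:params:scim:schemas:core:2.0:User"

// User follows the shape of a SCIM 2.0 User resource: schemas, id, userName,
// active. "dept" is an example attribute, not part of the core schema.
type User struct {
	Schemas  []string `json:"schemas"`
	ID       string   `json:"id"`
	UserName string   `json:"userName"`
	Active   bool     `json:"active"`
	Dept     string   `json:"dept"`
}

// Target is any downstream system holding a replica: a SaaS tenant's SCIM
// endpoint, a partner directory, an in-house app. Each keeps its own copy,
// which is why propagation must be driven from one authoritative source.
type Target struct {
	Name  string
	Users map[string]User
}

// Apply is what a SCIM PUT of the full resource does at the target.
func (t *Target) Apply(raw []byte) error {
	var u User
	if err := json.Unmarshal(raw, &u); err != nil {
		return err
	}
	t.Users[u.UserName] = u
	return nil
}

// Authenticate is the access-management side at one target: it consumes the
// provisioned account and refuses anything unknown or deactivated.
func (t *Target) Authenticate(userName string) error {
	u, ok := t.Users[userName]
	if !ok || !u.Active {
		return fmt.Errorf("%s: no active account for %s", t.Name, userName)
	}
	return nil
}

// IdentityManager is the hub: it owns registration, attribute changes,
// de-provisioning and the audit trail, and replicates each change to every spoke.
type IdentityManager struct {
	Source  string // authoritative source of record, e.g. the HR system
	Users   map[string]User
	Targets []*Target
	Audit   []string
	nextID  int
}

func (m *IdentityManager) propagate(u User, event string) error {
	raw, err := json.Marshal(u)
	if err != nil {
		return err
	}
	for _, t := range m.Targets {
		if err := t.Apply(raw); err != nil {
			m.Audit = append(m.Audit, fmt.Sprintf("%s %s FAILED at %s: %v", event, u.UserName, t.Name, err))
			return err
		}
	}
	m.Audit = append(m.Audit, fmt.Sprintf("%s %s from %s -> %d targets", event, u.UserName, m.Source, len(m.Targets)))
	return nil
}

// Register is the joiner: create the account once, then replicate it.
func (m *IdentityManager) Register(userName, dept string) (User, error) {
	if _, exists := m.Users[userName]; exists {
		return User{}, errors.New("duplicate userName " + userName)
	}
	m.nextID++
	u := User{Schemas: []string{scimUser}, ID: fmt.Sprintf("%04d", m.nextID), UserName: userName, Active: true, Dept: dept}
	m.Users[userName] = u
	return u, m.propagate(u, "CREATE")
}

// Move is the mover: an attribute change pushed to every copy.
func (m *IdentityManager) Move(userName, dept string) error {
	u, ok := m.Users[userName]
	if !ok {
		return errors.New("unknown user " + userName)
	}
	u.Dept = dept
	m.Users[userName] = u
	return m.propagate(u, "UPDATE")
}

// Deprovision is the leaver: deactivate rather than delete, so the audit trail
// and object references survive, and every replica sees active=false.
func (m *IdentityManager) Deprovision(userName string) error {
	u, ok := m.Users[userName]
	if !ok {
		return errors.New("unknown user " + userName)
	}
	u.Active = false
	m.Users[userName] = u
	return m.propagate(u, "DEACTIVATE")
}

func main() {
	crm := &Target{Name: "crm-saas", Users: map[string]User{}}
	erp := &Target{Name: "erp", Users: map[string]User{}}
	m := &IdentityManager{Source: "HR", Users: map[string]User{}, Targets: []*Target{crm, erp}}
	m.Register("alice", "finance")
	m.Move("alice", "legal")
	fmt.Println("before leaving:", crm.Authenticate("alice"))
	m.Deprovision("alice")
	fmt.Println("after leaving: ", crm.Authenticate("alice"))
	for _, line := range m.Audit {
		fmt.Println(line)
	}
}
```

Replication failures are audited and surfaced rather than swallowed: a target that missed the DEACTIVATE is exactly the stale account that keeps authenticating a leaver, which is the gap the slides' provisioning questions are about.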