
Introduction to IAM


Introduction to Identity and Access Management: presentation of directory technologies, SSO, federation and IAM frameworks, with a quick presentation of the Identity as a Service concept.



  1. Introduction to Identity and Access Management. William El Kaim, Oct. 2016, V 2.1
  2. This presentation is part of the Enterprise Architecture Digital Codex, http://www.eacodex.com/. Copyright © William El Kaim 2016
  3. Plan
     • Introduction to IAM
     • Key Technology Areas
     • Directory Technologies
     • Identity Administration
     • Identity Auditing
     • Identity Verification
     • Access Management
     • IAM Framework and Process
     • Conclusion
  4. Identity Definition
     • Identity is a complicated concept with many nuances, ranging from the philosophical to the practical.
     • In practical terms, an identity is the set of information known about a person (or other entity).
     • In the digital world a person's identity is referred to as their digital identity. A person can have multiple digital identities.
     • Even though digital identities are still predominantly associated with humans, they will increasingly be associated with non-human entities, such as services, systems and devices that act on behalf of people.
     • Examples are trusted platforms, next-generation mobile phones, Digital Rights Management (DRM)-based devices, etc.
  5. Today's Challenges
     • Redundant effort in providing and maintaining identity information about individuals
     • Difficulty in auditing each individual's access to systems and applications
     • Providing a unique user ID per application, and uniqueness of user IDs across all access points
     • Providing user authentication for applications
     • Providing an authority that can securely authenticate external resources and partners, and manage their identities
  6. What is IAM?
     • A discipline aimed at ensuring that all users are properly identified, that their affiliation to the organization is understood, and that they have appropriate access to information assets.
     • Identity management can be defined as the set of processes, tools and social contracts surrounding the creation, maintenance, use and termination of a digital identity for people or, more generally, for systems and services, to enable secure access to an expanding set of systems and applications.
     • Effective IAM involves several interdependent technologies and processes that combine to form a unified view of identity for employees, contractors, partners and consumers.
  7. What is IAM? (continued)
     • Identity management is not a single product but a set of processes and supporting technologies for maintaining a person's complete set of identity information, spanning multiple business and application contexts.
     • It unifies a person's disparate identity data to improve data consistency, data accuracy, and data and system security in an efficient manner.
     • Robust identity management requires integration of technologies as well as coordination with the IT and business processes surrounding the management of user information, access rights and related policies.
     • IAM helps extend business services, improves efficiency and effectiveness, and allows better governance and accountability.
  8. IAM is a Subset of Information Security
     • IAM must be founded on three perspectives:
     • A consistent, mature architecture. An IAM architecture should be considered a subset of the enterprise information security architecture (EISA), which can be integrated within the enterprise architecture in several ways.
     • A conduit for gathering, translating and communicating business and regulatory needs from the business to policy teams and IT functional groups: policies and standards, the access model, procedures and the IAM toolset.
     • Well-defined and mature processes.
     • Each perspective overlaps with the other two, and an IAM program must service and integrate all three. That is why it is complex and typically takes around 2 to 5 years to complete.
  9. Three Main Processes
     Three main processes are involved in managing identities and their access assignments to company resources:
     1. Identity process: the user life cycle
     2. Access model process: the role life cycle
     3. Workflow process: the life cycle of the workflows consumed by the identity and access model processes
  10. Drivers and Benefits
     • IAM is a recognizable discipline that encompasses a range of enterprise tools and technologies within a distinct architecture supporting a set of interrelated processes.
     • The three main business drivers for IAM solutions are security efficiency (lower costs, improved service), security effectiveness (including regulatory compliance), and business agility and productivity.
  11. Security Efficiency
     • With the growing volume of users, current staffing cannot accommodate the enterprise's needs.
     • Enterprises are looking to simplify administration and provide user self-service, thus containing (or reducing) administrative costs.
     • In addition, user information can be leveraged in many business processes that provide a consistent and more secure access control infrastructure.
     • Only through automation can enterprises bring access request turnaround times down to 24 hours or less.
  12. Security Effectiveness
     • The ability to prove the robustness of the enterprise's access control infrastructure is an important requirement for retaining customers, as well as for winning them.
     • Easing internal and external audit processes is of prime concern to many enterprises.
     • Legislation and other regulations increasingly require enterprises to establish robust control infrastructures, of which information security is a part.
     • IAM facilitates compliance. It enables more effective access control and greater transparency: showing who has access to what (and why, and who approved the access) and who accessed what.
  13. IAM Enables Business Agility
     • IAM allows greater flexibility and more timely changes to support business initiatives: reorganizations, mergers and acquisitions, new business partnerships, new product and system rollouts.
     • Security efficiency gains contribute to business productivity.
     • Removing IAM logic from applications lets developers concentrate on business aims and objectives.
  14. Synthesis (diagram only; the slide carries no text)
  15. Implementing IAM: Program Activities
     • The activities span three major phases:
     • Planning, broken down into strategizing, organizing and annual planning.
     • Building, done through the three perspectives on IAM (architecture, conduit, processes).
     • Running, which contains the continuous activities: the identity, access model and workflow processes.
     • The last element of an IAM program is governance. IAM can make a significant contribution to information security as a governance function, but IAM is also a function that must itself be governed.
  16. Key Technology Areas
  17. IAM Combines Several Types of Technologies
     • Establish an identity data infrastructure: the products that form the identity information layer itself, i.e. directories, meta-directories and virtual directories.
     • Administer accounts and privileges: products that manage users' accounts, attributes and credentials, including provisioning, role management, password management and privileged user management. This category also includes self-service and delegated administration.
     • Control access to IT resources: coordinating users' access to multiple applications is the domain of enterprise single sign-on (E-SSO), Web single sign-on (Web SSO) and federation products. It also includes the emerging area of entitlement management.
  18. IAM Combines Several Types of Technologies (continued)
     • Audit the administrative and access activities: organizations must be able to demonstrate that account administration and access controls are performing according to policy; identity audit products help with this.
     • This includes auditing tools that combine and correlate activities and events across the identity infrastructure, as well as privilege attestation tools that aid the act of certifying that the privileges associated with a user are correct.
     • It also includes role management products, which serve the dual role of codifying policies and validating their enforcement.
  19. IAM Combines Several Types of Technologies (continued)
     • Identity administration tools focus not only on the administration function (primarily the administration of users' multiple identities, attributes and credentials across heterogeneous environments) but also on the administration of access model constructs such as roles and resource access control information, for example access control lists (ACLs).
     • Access management tools enforce access control policies across heterogeneous environments. They also offer administration capabilities, but their distinctive focus is authorization.
  20. IAM Combines Several Types of Technologies (continued)
     • Identity auditing tools focus primarily on auditing: identity-related event monitoring, reporting, status auditing and more. Together with identity administration, this class forms the identity management superclass.
     • Identity verification tools encompass all aspects of real-time authentication: identity proofing (a precursor to provisioning an identity), authentication methods and their supporting infrastructures, and technologies for brokering authentication and authenticated identities and attributes across heterogeneous environments. Together with access management, this class forms the access control superclass.
     • Directory technologies are in many ways foundational to the other technologies.
  21. Directory Technologies
  22. Directory: Definition
     • In everyday use: a book containing an alphabetical or classified listing of names, addresses and other data, such as telephone numbers, of specific persons, groups or firms.
     • In file systems: an organizational unit, or container, used to organize folders and files into a hierarchical structure.
     • In identity management: a hierarchical collection of objects. Objects can have varying sets of attributes, and several values of the same attribute.
     • A directory is not a general-purpose database. Directory servers are optimized for a very high ratio of searches to updates, for hierarchical naming and for attribute lookups, not for transactions or joins.
  23. Directory Service: Definition
     • A directory service is a software product that stores and organizes information about user identities and other resources within a network or domain, and that manages users' access to those resources.
     • A directory service is highly optimized for reads and provides advanced search possibilities over many different attributes associated with identities and other objects.
     • The data stored in a directory is defined by an extensible and modifiable schema (data model).
  24. Directory Technologies Based on Protocols: X.500 and LDAP
     • X.500 provides the formal ITU-T/ISO standards for global directory construction and replication.
     • X.500 standards support the construction of large, multiple-location (multiple-server) directories.
     • LDAP v3 has emerged as the preferred standard for read/write access to directories.
     • However, that is largely where the standard begins and ends. LDAPv3 specifies a schema framework with a small set of standard object classes, and authentication and transport security (SASL, StartTLS), but it does not standardize access control (each vendor has its own ACI syntax), server-to-server replication, or an enterprise-wide schema, so interoperability beyond basic operations is a per-product matter.
     • An export format is defined: LDIF.
  25. Directory Technologies: LDAP
     • Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral standard.
     • It is a descendant of the X.500 OSI Directory Access Protocol (DAP), which was deemed too complex and cumbersome to implement on microcomputers; LDAP runs directly over TCP/IP instead of the OSI stack.
     • It offers a data-representation model optimized for arbitrary attribute queries.
     • Recent versions of LDAP also specify encryption of the connection (StartTLS), a way for clients to discover the server's capabilities and configuration (the root DSE), and interoperability with other services such as Kerberos through SASL.
  26. Directory Technologies: What LDAP Defines
     • Access protocol: how to access directory information
     • Information model: the type of information managed by the directory (entries, attributes, object classes)
     • Naming model: how information is organized and referenced (distinguished names built from relative distinguished names, e.g. uid=jdoe,ou=people,dc=example,dc=com)
     • Functional model: how to access and update information (bind, search, compare, add, modify, delete)
     • Security model: how data are accessed and protected (simple or SASL bind for authentication, TLS for confidentiality)
     • Distribution model: how the directory is partitioned across servers and how referrals point clients to other servers
     • API: to develop client applications
     • Exchange data formats: text-delimited LDIF (LDAP Data Interchange Format) and XML-based DSML (Directory Services Markup Language)
  27. Directory Technologies Example: User Identity Classification
     • Internal users: one party (the employee, internal contractor, etc.) is subservient to another (the employer). The employer defines the security standards and principles under which the employee works, with autonomy over the governance of those standards and recourse in the event that they are abused.
     • Account types:
     • Family-Board: a company family or board member who receives benefits from the Companies.
     • Employee: a person who is directly employed by, paid by and/or receives benefits from the Companies.
     • Contractor: a worker who works independently or for a company that is contracted by the Companies to provide staff augmentation, and who requires access to Company information systems.
  28. Directory Technologies Example: User Identity Classification (continued)
     • Extended enterprise users: a closely related business relationship (franchise) or an arm's-length business relationship (partner) in which the parties provide services to each other or jointly provide services to a third-party customer.
     • Account types:
     • Franchisee: a person who works for and/or owns a business that is franchised by a company brand and who requires access to Company information systems.
     • Client-Representative: a person who works for a company business partner or client and who requires access to Company information systems.
     • Vendor: a person who works for a company that supports or supplies products and/or services to the company and who requires access to Company information systems.
  29. Directory Technologies Example: User Identity Classification (continued)
     • Business users: a retail or marketing relationship in which the company or a Client Partner provides goods or services to a customer or consumer.
     • Although such agreements do not carry the level of trust of an employer/employee relationship, some form of recourse is typically available in the event that access to those resources is abused.
     • A subset of these users may also have access to administration and reporting services through the business application.
     • Account types:
     • Client Customer: a customer of a company Client who requires access to a Client business application that the company has built and/or hosts. These are indirect company brand consumers who use the company Client's applications and services.
     • Company Customer: a customer of a business unit who requires access to a Company business application. These are direct company brand consumers (e.g. Goldpoints, Radisson) who use its applications and services.
  30. Directory Technologies: White Pages (diagram). The slide shows two current approaches for providing, updating and displaying user information. In the first, local administration teams populate and maintain a consolidated directory; ownership of each item of user information is assigned to an operational system (e.g. HR, Sites) and the data flows are governed by the synchronization tool. The second relies on a third-party directory. The consuming applications in the diagram are the Outlook calendar and the white-pages application.
  31. Directory Technologies Example: LDAP Branches under dc=carlson,dc=com
     ou=administration   Administrative or application account branch
     ou=corporate        Corporate people branch
     ou=ebusiness        E-business branch
     ou=extended         Extended user branch (franchises, etc.)
     ou=people           Corporate people data
     ou=groups           Corporate group data
     ou=locations        Corporate location data
     ou=itaccounts       Information technology account data
     ou=organizations    Corporate organization data
     ou=resources        Physical asset resource data (e.g. FNP file)
     ou=unixservices     UNIX OS service and account data
  32. Directory Technologies: LDAP Structure (DIT). The slide is a diagram; its labels give a tree rooted at dc=Domain,dc=com with four top-level branches: ou=corporate (holding ou=people, ou=groups, ou=locations, ou=itaccounts, ou=organizations, ou=resources and ou=unixservices), ou=extended (holding one sub-branch per business unit, ou=cwt, ou=chw and ou=clg, each with its own ou=people), ou=administration and ou=ebusiness.
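The LDIF export format named on slide 26 and the naming model behind the DIT above, shown in an added Python example (this is not code from the deck, and the entries, UIDs and mail addresses are constructed). Using only the standard library, it reads and writes LDIF and handles the two rules that trip people up in practice: folded continuation lines (a line starting with one space continues the previous line, so a value that needs a space at the fold point is written with two) and `attr:: <base64>` for values that are not safe ASCII. A small helper walks the naming model by stripping the leftmost RDN.

```python
import base64
import re

# Constructed LDIF export of a few entries under the DIT above (sample data, not a real export).
# Note the folded description: the continuation line starts with two spaces, one fold marker
# plus one real space, and the cn value is base64 because it contains a non-ASCII character.
SAMPLE_LDIF = """\
dn: dc=carlson,dc=com
objectClass: domain
dc: carlson

dn: ou=corporate,dc=carlson,dc=com
objectClass: organizationalUnit
ou: corporate
description: Corporate people
  branch

dn: uid=jdoe,ou=people,ou=corporate,dc=carlson,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn:: Sm9zw6kgRG9l
sn: Doe
mail: jdoe@example.com
"""


def _unfold(block):
    """Join folded lines: a leading space means 'continuation of the previous line'."""
    lines = []
    for raw in block.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):      # skip blank and comment lines
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {name: [values]}} records, one per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {"dn": None, "attrs": {}}
        for line in _unfold(block):
            name, sep, rest = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if rest.startswith(":"):                 # 'name:: <base64>' carries a non-safe value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name == "dn":
                entry["dn"] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        if entry["dn"] is None:
            raise ValueError("entry without a dn line")
        entries.append(entry)
    return entries


def _needs_base64(value):
    """RFC 2849 SAFE-STRING: printable ASCII, no leading space/colon/'<', no trailing space."""
    return (not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" ")
            or any(c in value for c in "\r\n\0"))


def _format(name, value):
    if _needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def to_ldif(entry):
    """Serialise one entry; values that are not safe strings are base64-encoded automatically."""
    lines = [_format("dn", entry["dn"])]
    for name, values in entry["attrs"].items():
        lines.extend(_format(name, v) for v in values)
    return "\n".join(lines) + "\n"


def parent_dn(dn):
    """Naming model: drop the leftmost RDN. Commas escaped with '\\' belong to an RDN value."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdns[1:])
```

Round-tripping an entry through `to_ldif` and `parse_ldif` gives the same record back, which is the property to check before trusting any home-grown export or import script against a real directory.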
  33. Directory Technologies: DSML
     • The Directory Services Markup Language v1.0 (DSMLv1) provides a means of representing directory structural information as an XML document.
     • DSMLv2 goes further, providing a method for expressing directory queries and updates (and the results of these operations) as XML documents.
     • DSMLv2 documents can be used in a variety of ways: stored as files to be consumed and produced by programs, or transported over HTTP to and from a server that interprets and generates them.
     • The design approach for DSMLv2 was to express LDAP requests and responses as XML document fragments.
  34. Directory Technologies: Microsoft Active Directory
     • Active Directory (AD) is the directory service of the Windows Server family (the slide refers to the Standard, Enterprise and Datacenter editions of Windows Server 2003; AD has shipped with every Windows Server release since Windows 2000 Server).
     • The primary function of AD is to authenticate users in a network and authorize their subsequent access requests to Windows-based applications or other server resources.
     • AD not only stores information about network resources but also provides a consistent way to name, describe, locate, manage and secure this information as it applies to users and applications.
     • AD consists of logical and physical components. Its logical components organize network resources to match the organizational structure; its physical components (sites and domain controllers) configure and control where and when replication and logon traffic occur over the network.
  35. Directory Technologies: Microsoft Active Directory (continued)
     • The basic logical component in AD is the domain, defined by the administrator as a collection of computers that share a common directory database, security policies and security relationships.
     • For example, at CWT there is a separate domain for each region.
     • Domains, in turn, can be partitioned into Organizational Units (OUs). An OU is a collection of users and computers over which administrative rights can be delegated and to which Group Policy can be linked.
     • Multiple domains can be organized into trees. A tree is a hierarchical arrangement of domains that share a contiguous DNS namespace (for example company.com with child domains amer.company.com and emea.company.com).
  36. Directory Technologies: Microsoft Active Directory (continued)
     • Trees can be grouped into forests. A forest is a group of trees that do not share a contiguous DNS namespace but do share a common configuration partition, global catalog and schema.
     • The schema is an attribute repository that allows attributes and object classes to be defined separately from the AD objects themselves.
     • Every domain in a forest can share resources and administrative functions with the other trees in the forest, because all domains in a forest are linked by two-way transitive trusts.
     • Every domain trusts every other domain in a forest. The forest, not the domain, is the security boundary: an administrator of any one domain can in practice take control of the whole forest, so domains separate administration, not trust.
  37. Directory Technologies Example: Single Forest, OU Model (diagram). The slide shows a forest root domain companynet.biz with three regional child domains, amer.company.com, emea.company.com and auas.company.com; each domain contains one OU per company (a Company A OU in every region, plus a Company B OU in one of them).
  38. Directory Technologies Example: Single Forest, OU Model (second diagram, image only)
  39. Directory Technologies: Today's Directory Challenges
     • No single directory can fit all needs, so several directories exist.
     • No single directory schema can describe all identity information: several metamodels (the information managed by each directory, also called its Directory Information Tree, DIT) coexist.
     • Not all directories can be provisioned the same way (corporate users, partners, clients, anonymous clients), so several provisioning processes coexist.
     • The uniqueness of every identity must be enforced: there is an increasing risk of issuing several user IDs to the same person, which causes major problems at the application level and when integrating systems.
     • This can also have a dramatic impact on customer retention if the uniqueness of customer identities across our systems cannot be guaranteed.
  40. Directory Technologies: Synchronization Solutions
     • Different technologies are available to build an identity synchronization solution: meta-directory technology, EAI technology and ETL technology.
     • The result of the synchronization is consolidated in a directory.
     • The choice of one technology over another depends on organizational, functional and technical requirements.
  41. Directory Technologies: Synchronization Solutions, Benefits and Drawbacks
     • Benefits: optimal access performance (every query is served locally from the consolidated copy); the consolidated identity record can be enriched with new information; distribution of the consolidated data is simple through standard LDAP replication.
     • Drawbacks: synchronization introduces latency and possible data inconsistency between the sources and the consolidated copy; resynchronization processes and tools must be set up.
  42. Directory Technologies: Virtual Directory
     • A virtual directory is a server for a directory protocol such as LDAP that, unlike a traditional directory server, does not master the data in its own database.
     • Instead, it dynamically translates the requests it receives into operations in other protocols or data models, for example SQL queries against a relational database.
     • Directory information is drawn in real time, on demand, from its native repositories rather than being permanently stored in an additional physical directory.
     • This real-time access removes the need to synchronize a data store across multiple "feeder" directories, and with it the data latency.
  43. Directory Technologies: Virtual Directory Technologies
     • A virtual directory is a software product that creates a logical (virtual) view of an LDAP directory by combining data from multiple repositories.
     • It can be used to create a single access point for multiple user repositories.
     • User-provisioning products are increasingly being combined with virtual directory technology.
  44. Directory Technologies: Virtual Directory Solutions, Benefits and Drawbacks
     • Benefits: real-time and secure LDAP access to numerous disparate directories, databases and other data sources, organized in a single virtual directory tree; a fast, flexible and reliable LDAP service satisfying the quality-of-service requirements of end users as well as providers; fewer data ownership disputes, since every attribute stays in its source system.
     • Drawbacks: introduces a new technology into the IT infrastructure that must be managed and must itself support distribution and high availability; access performance is lower than with a local copy, because each request is resolved against the back-end sources at query time, so the virtual directory is only as fast and as available as the slowest source it depends on.
  45. Directory Technologies: LDAP Proxy Solutions
     • LDAP proxy solutions are LDAP access routers. They offer filtering and routing services based on rules, transparently to LDAP client applications.
     • Features: filtering and routing of LDAP operations; load-balanced and failover access to directory resources; manipulation or transformation of the information passed to and from an LDAP query according to programmed business logic; consolidation of LDAP queries through one server, so that clients no longer have to chase referrals themselves.
     • Virtual directory and LDAP proxy solutions are converging; both are now sometimes delivered by the same products.
  46. Directory Technologies: LDAP Proxy Solutions, Benefits and Drawbacks
     • Benefits: rule-based routing that lets existing applications keep their LDAP configuration; automatic failover and load balancing across LDAP directories; fewer data ownership considerations.
     • Drawbacks: introduces a new technology into the IT infrastructure that must be managed and must support distribution and high availability; adds a network hop, and therefore some latency, to every directory access.
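A virtual directory with LDAP-proxy style routing, as an added Python example (not code from the deck or from any product). It assumes two back-ends: an in-memory LDAP-style store standing in for the corporate directory, and a partner table in SQLite standing in for the relational repository; the attribute-to-column mapping, the table, the sample rows and the DNs are constructed. It shows the three points made on the slides above: an LDAP equality filter is translated at query time into a parameterised SQL query (the filter value is bound as data, never spliced into the SQL text), a request is routed to back-ends by DN suffix and the results are merged, and no synchronisation step exists, so a change in the source row is visible on the next search.

```python
import re
import sqlite3

# One equality assertion '(attr=value)'; attribute names are restricted to a safe character set.
_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def parse_filter(flt):
    """Accept '(uid=jdoe)' or an AND of equalities '(&(o=Acme)(uid=jdoe))'; reject anything else."""
    inner = flt[2:-1] if flt.startswith("(&") and flt.endswith(")") else flt
    items = _ITEM.findall(inner)
    if not items or _ITEM.sub("", inner) != "":
        raise ValueError(f"unsupported filter: {flt}")
    return items


def is_under(dn, suffix):
    """True when dn equals suffix or lies in the subtree below it (case-insensitive, no normalisation)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


class MemoryBackend:
    """Stands in for a real LDAP server holding the corporate branch."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, base_dn, conditions):
        return [e for e in self.entries if is_under(e["dn"], base_dn)
                and all(e["attrs"].get(a) == v for a, v in conditions)]


class SqlBackend:
    """Maps the partner branch onto a relational table at query time; no copy of the data is kept."""
    COLUMNS = {"uid": "login", "cn": "full_name", "mail": "email", "o": "company"}   # constructed mapping

    def __init__(self, conn, suffix):
        self.conn, self.suffix = conn, suffix

    def search(self, base_dn, conditions):
        where, params = [], []
        for attr, value in conditions:
            col = self.COLUMNS.get(attr)
            if col is None:
                return []                            # unmapped attribute: nothing can match
            where.append(f"{col} = ?")               # column from the allow-list; value stays a bound parameter
            params.append(value)
        sql = "SELECT login, full_name, email, company FROM partners"
        if where:
            sql += " WHERE " + " AND ".join(where)
        rows = self.conn.execute(sql, params)
        results = [{"dn": f"uid={r[0]},{self.suffix}",
                    "attrs": dict(zip(("uid", "cn", "mail", "o"), r))} for r in rows]
        return [e for e in results if is_under(e["dn"], base_dn)]


class VirtualDirectory:
    """LDAP-proxy style router: picks back-ends by DN suffix and merges their results."""
    def __init__(self):
        self.routes = []

    def mount(self, suffix, backend):
        self.routes.append((suffix, backend))

    def search(self, base_dn, flt):
        conditions = parse_filter(flt)
        results = []
        for suffix, backend in self.routes:
            if is_under(base_dn, suffix):            # the base lies inside this back-end's subtree
                results += backend.search(base_dn, conditions)
            elif is_under(suffix, base_dn):          # the whole subtree lies under the base
                results += backend.search(suffix, conditions)
        return results


def build_demo():
    """Constructed data: two corporate entries in memory, two partner rows in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partners (login TEXT PRIMARY KEY, full_name TEXT, email TEXT, company TEXT)")
    conn.executemany("INSERT INTO partners VALUES (?, ?, ?, ?)", [
        ("asmith", "Ann Smith", "ann@partner.example", "Partner Co"),
        ("bwong", "Bo Wong", "bo@vendor.example", "Vendor Ltd"),
    ])
    corporate = MemoryBackend([
        {"dn": "uid=jdoe,ou=people,ou=corporate,dc=carlson,dc=com",
         "attrs": {"uid": "jdoe", "cn": "John Doe", "mail": "jdoe@carlson.example"}},
        {"dn": "uid=mlee,ou=people,ou=corporate,dc=carlson,dc=com",
         "attrs": {"uid": "mlee", "cn": "Mia Lee", "mail": "mlee@carlson.example"}},
    ])
    vd = VirtualDirectory()
    vd.mount("ou=corporate,dc=carlson,dc=com", corporate)
    extended = "ou=people,ou=extended,dc=carlson,dc=com"
    vd.mount(extended, SqlBackend(conn, extended))
    return vd, conn
```

The filter grammar is deliberately tiny; a product would parse the full RFC 4515 syntax, but the security property is the same: attribute names are matched against an allow-list and mapped to column names, and values only ever reach the database as bound parameters.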
  47. Directory Technologies: Metadirectory Technologies
     • A metadirectory is a software product that synchronizes and (optionally) aggregates identity data stored in multiple repositories.
     • Metadirectories provide a proven and relatively quick and easy way to reduce user administration effort, but lack the sophistication of user-provisioning products.
     • They are rarely chosen for new deployments any more.
  48. Identity Administration
  49. Identity Administration: Introduction
     • Organizations face the challenge of managing the multiple identities of their employees, business partners and customers across multiple systems.
     • User provisioning and password management are the most mature tools in this space, but alone they are not sufficient for a full identity administration solution.
     • They must be augmented by role management and resource access administration capabilities.
  50. Identity Administration: User Provisioning
     • User provisioning is the process of granting appropriate access privileges to applications, based on a single reference: the user ID.
     • User-provisioning tools provide user life cycle management, primarily for internal users such as employees and contractors.
     • They can create, change and retire the user identities (accounts or profiles) linked to each person across a broad range of target systems, in response to HR system changes and to self-service and line-management requests, and according to a specified workflow.
     • Hence, the tools support all on-boarding and off-boarding activities for the workforce: new hires, transfers, promotions, terminations, dismissals and more.
     • User-provisioning tools also automatically correlate data from HR, CRM, e-mail systems and other identity stores.
  51. Identity Administration: User Provisioning (continued)
     • A key component of identity and access management is how digital identities are created.
     • The provisioning process takes advantage of the user information contained in the organization's directory infrastructure to speed up the granting and revoking of user accounts and entitlements for information resources.
     • These resources can include e-mail, telephone service, HR applications, line-of-business (LOB) and functional applications, intranet and extranet access, and helpdesk services.
  52. Identity Administration: Provisioning
     • Provisioning is more than a security solution in the classic sense of threat mitigation and defense.
     • It addresses giving the appropriate level of access to IT resources to those who need it, and revoking that access when the requirement is gone. It introduces a structured environment for user security administration, coordinating account management and related security policies across the enterprise.
     • Workflow is a requirement of most provisioning processes: requests for resources are entered online, routed along a predetermined path to reviewers and approvers, and finally to the person or system that creates the user account.
  53. Identity Administration: The Path Forward to Improve User Provisioning
     The following recommendations significantly improve the process of granting application access rights and keeping them accurate over time:
     • One single official employee ID number (the UID) is the official user identity for any given application.
     • One single source of user information: the only repository that fully represents all employees and contractors is the enterprise directory, which populates all the others.
     • One single standardized process for granting access rights to applications, within and across each business area or region.
     • Several distributed, empowered organizations managing the application access rights process end-to-end for all business functions.
  54. Identity Administration Example: User Provisioning Process
     Aligned across business functions, the process entails six steps:
     1. Access request submission (by the user, the direct manager, HR or a functional representative)
     2. Validation of the user information against the user master data held by HR
     3. Functional review and approval (if needed with the local support and training coordinator)
     4. Technical check from the IT side and creation of the UID
     5. Assignment of the approved access in the application (back-end)
     6. Notification to the user, directly or through the application trainer (e-mail)
     The enterprise user provisioning process needs to be managed end-to-end to ensure the integrity of user privileges at the enterprise level.
  55. Identity Administration: Deprovisioning
     • Deprovisioning ensures that accounts are systematically disabled or deleted and entitlements are revoked when employees leave the organization.
     • Good security practice recommends that accounts be disabled quickly (to prevent attacks by disgruntled ex-employees, and to invalidate credentials that may have been shared or stolen), but not deleted until a suitable time has elapsed, in case it becomes necessary to re-enable (or rename and reassign) the account.
     • Disabling rather than deleting also helps organizations that must ensure that identity attributes such as the account name are unique and not reused within a time period set by policy: a reissued name could otherwise inherit stale entitlements or audit history belonging to its previous holder.
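The six-step access request flow on slide 54 and the disable-then-delete rule above, as one added Python example (not the deck's code). The workflow is reduced to its control points: a request names its approvers, the requester cannot be one of them, and the entitlement is assigned only when the last approval lands; an approval that arrives after the account has been disabled is rejected rather than applied. Off-boarding disables the account and revokes everything at once, deletion happens only after a retention period, and a retired UID cannot be re-issued inside a reuse window. The retention and reuse periods, the UID, application names, approver names and the fixed clock are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


def day(offset):
    """Constructed clock for the example: day 0 is 1 Oct 2016."""
    return datetime(2016, 10, 1) + timedelta(days=offset)


@dataclass
class Account:
    uid: str
    status: str = "active"                       # active -> disabled -> (purged)
    entitlements: Set[str] = field(default_factory=set)
    disabled_at: Optional[datetime] = None


class IdentityStore:
    """Toy provisioning engine: approval-gated access requests, disable-then-delete off-boarding."""

    def __init__(self, retention_days=90, reuse_block_days=365):   # constructed policy values
        self.accounts: Dict[str, Account] = {}
        self.requests: Dict[str, dict] = {}
        self.blocked_until: Dict[str, datetime] = {}   # retired UIDs that may not be re-issued yet
        self.retention = timedelta(days=retention_days)
        self.reuse_block = timedelta(days=reuse_block_days)

    # Step 4 of the process: the UID is created once, after the technical check.
    def create(self, uid, now):
        if uid in self.accounts:
            raise ValueError(f"{uid} already exists")
        if uid in self.blocked_until and now < self.blocked_until[uid]:
            raise ValueError(f"{uid} was retired recently; reuse blocked until {self.blocked_until[uid]:%Y-%m-%d}")
        self.accounts[uid] = Account(uid)

    # Steps 1-3: submission and review. Approvers are fixed at submission time and the
    # requester cannot be one of them (segregation of duties).
    def request_access(self, req_id, uid, app, requester, approvers):
        if requester in approvers:
            raise ValueError("requester cannot approve their own request")
        if self.accounts[uid].status != "active":
            raise ValueError(f"{uid} is not active")
        self.requests[req_id] = {"uid": uid, "app": app, "pending": set(approvers), "state": "submitted"}

    # Step 5: the entitlement is assigned only when the last approval lands.
    def approve(self, req_id, approver):
        req = self.requests[req_id]
        if approver not in req["pending"]:
            raise PermissionError(f"{approver} is not a pending approver of {req_id}")
        if self.accounts[req["uid"]].status != "active":   # account disabled while the request was in flight
            req["state"] = "rejected"
            return req["state"]
        req["pending"].discard(approver)
        if not req["pending"]:
            req["state"] = "approved"
            self.accounts[req["uid"]].entitlements.add(req["app"])
        return req["state"]

    # Off-boarding: disable immediately and revoke every entitlement; do not delete yet.
    def terminate(self, uid, now):
        acct = self.accounts[uid]
        acct.status, acct.disabled_at = "disabled", now
        revoked = set(acct.entitlements)
        acct.entitlements.clear()
        return revoked

    # Periodic job: delete accounts disabled for longer than the retention period and
    # block their UIDs from being re-issued for the reuse window.
    def purge(self, now):
        purged: List[str] = []
        for uid, acct in list(self.accounts.items()):
            if acct.status == "disabled" and now - acct.disabled_at >= self.retention:
                del self.accounts[uid]
                self.blocked_until[uid] = now + self.reuse_block
                purged.append(uid)
        return purged
```

A real engine would persist the requests, notify the user (step 6) and push the entitlement to the target system through a connector; what this example keeps is the ordering guarantees, which are the part auditors ask about.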
  56. 56. Identity Administration Role Management for Enterprises • Although user-provisioning tools can consume roles within user life cycle management, they cannot provide role life cycle management. • This is the function of role management tools, which enable organizations to mine, map, manage and report on the complex relationships of business rules, user identities and users' entitlements across a broad range of target systems • Operating systems (OSs), applications and so on. • Role management tools can feed user-provisioning products to ensure that the link is made between business-level roles and associated IT-level roles, and that proper entitlements are provisioned for the user. Copyright © William El Kaim 2016 56
57. Identity Administration - Role Management for Enterprises
• Role management is becoming a "must have" rather than a "nice to have" capability for identity administration in larger enterprises.
• A few user-provisioning vendors already offer role management capability, but most partner with pure-play vendors.
• Role mining can meet some identity-auditing needs
  • Essentially, mining access control data to discover correlations between users with similar attributes and access rights (that is, candidate roles).
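Role mining as described above, as an added example that is not part of the original presentation: users holding identical entitlement sets are grouped into candidate roles, and users who hold a candidate role plus extra rights are flagged for review. The user/entitlement matrix is constructed for the example.

```python
# Added example (not from the original presentation): naive role mining over a
# constructed user/entitlement matrix. Identical entitlement sets become a
# candidate role; the dominant department of the members is reported so a
# reviewer can judge whether the correlation reflects a real business role.
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: user -> (department, entitlements held on target systems)
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("finance", {"erp:gl-read", "erp:ap-post", "crm:read"}),
    "bob":   ("finance", {"erp:gl-read", "erp:ap-post", "crm:read"}),
    "carol": ("finance", {"erp:gl-read", "erp:ap-post", "crm:read", "win:domain-admin"}),
    "dave":  ("sales",   {"crm:read", "crm:write"}),
    "erin":  ("sales",   {"crm:read", "crm:write"}),
    "frank": ("sales",   {"crm:read", "crm:write"}),
    "grace": ("it",      {"win:domain-admin", "unix:root"}),
}


def mine_candidate_roles(users: Dict[str, Tuple[str, Set[str]]], min_members: int = 2) -> List[dict]:
    """Group users by exact entitlement set; return candidate roles, largest first."""
    by_entitlements = defaultdict(list)
    for user, (_dept, ents) in users.items():
        by_entitlements[frozenset(ents)].append(user)
    roles = []
    for ents, members in by_entitlements.items():
        if len(members) < min_members:
            continue                      # a set held by one person is not a role
        depts = Counter(users[u][0] for u in members)
        dept, n = depts.most_common(1)[0]
        roles.append({
            "entitlements": sorted(ents),
            "members": sorted(members),
            "department": dept,
            "department_purity": n / len(members),   # 1.0 = every member in that dept
        })
    roles.sort(key=lambda r: (-len(r["members"]), r["entitlements"]))
    return roles


def find_outliers(users: Dict[str, Tuple[str, Set[str]]], roles: List[dict]) -> Dict[str, List[str]]:
    """Users whose rights are a same-department candidate role plus extras.
    These are the first accounts an identity audit should review."""
    outliers = {}
    for user, (dept, ents) in users.items():
        for role in roles:
            role_ents = set(role["entitlements"])
            if user not in role["members"] and role["department"] == dept and role_ents < ents:
                outliers[user] = sorted(ents - role_ents)
    return outliers
```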
58. Identity Administration - Resource Access Administration
• Resource access administration (RAA) tools provide resource-centric views of users' access that complement the user-centric views of user-provisioning tools.
• RAA tools can create, change and retire groups/roles at the target system level and can administer resource access control information, such as access control lists (ACLs).
  • Thus, the tools can permit/delete explicit access rights for individual users outside the role/group structure in a way that is superior to native administration functions.
• Only a few user-provisioning tools provide such capabilities.
• Many RAA tools are point solutions for specific platforms
  • Most are Windows-centric or Windows only.
  • In the IBM z/OS mainframe space, several vendors offer roughly analogous tools for IBM's RACF.
59. Identity Administration - Credential Management Introduction
• Authentication credentials are a special kind of identity information that requires specialized administration tools.
• Password management tools are well-established, but they are increasingly being subsumed within user-provisioning tools.
• Card management tools are less mature and are rarely found as anything but stand-alone tools.
60. Identity Administration - Credential Management Future
• In the next few years, several vendors will offer generic credential management tools that manage the lifecycle of multiple kinds of credentials
  • such as smart cards, certificates, biometric data, proximity cards and more.
  • This is already the case for Microsoft Project Geneva.
• In the longer term, these will be subsumed within user-provisioning tools
  • For now, they can be integrated only loosely, as just another target system.
• Tools that manage passwords for shared accounts, such as Administrator and root accounts, form a separate and distinct technology.
61. Identity Administration - Credential Management - Password Management
• Password management tools provide self-service password reset and password synchronization across a broad range of target systems.
  • These capabilities can reduce help desk call volumes by more than 80%.
• All user-provisioning products now integrate these capabilities, which are often deployed in the first phase of a provisioning project, and the implementation of discrete tools is becoming less common.
• Representative vendors and stand-alone products
  • Avatier, Courion, M-Tech, Proginet
62. Identity Administration - Credential Management - Public Key Services
• Public-key cryptography, based on public-private key pairs, can be used for functions such as:
  • Data encryption: provides content access control
  • Digital signatures: provide transaction assurance and can be exploited for user authentication
    • by providing data integrity and data origin authentication
• A public-key service is a software product that provides:
  • Lifecycle management for these cryptographic keys
  • The certificates that bind the public keys to user identities (public key credentials, or PKCs), along with software or application programming interface (API) toolkits supporting the cryptographic functions
• Most commercial services use a framework stemming from X.509, the "authentication framework" part of the ITU-T's X.500 series of standards for directory services.
63. Identity Administration - Credential Management - PKI vs. PKO
• Public-key infrastructure (PKI)
  • A PKI is a stand-alone public-key service intended for use by one or more applications.
  • An "open" PKI embraces the issuance of certificates to individuals for authentication and signing across varied applications in the public and private sectors.
  • A "closed" PKI is limited to use by one enterprise or a closed community of business partners, users or devices.
• Public-key operation (PKO)
  • Also called a public-key operations center.
  • A PKO is a public-key service that addresses the certificate and key management requirements of, and is integrated within, a specific application, appliance or service.
  • Because PKOs are inherent to a single application, they can only be closed.
• Comparison
  • A PKI is more flexible and offers broader capabilities than a PKO, and can be used to support different types of certificates with different levels of trust.
  • A PKO usually is less feature-rich, less flexible and simpler to use than a PKI.
64. Identity Administration - Credential Management - Card Management
• A card management tool manages the life cycle of smart cards (or smart USB tokens) and the credentials stored on the cards:
  • Issuance/provisioning
  • Replacement
  • Retirement/revocation
  • Credential update
  • Applet management
• The credentials managed are typically PKCs.
  • Some card management tools can manage other onboard credentials, such as passwords, one-time password (OTP) credentials, biometric data and physical access control system (PACS) data.
• A card management tool
  • is commonly called a card management system (CMS)
  • is called a token management system when the vendor focuses on USB tokens rather than on the cards themselves.
65. Identity Administration - Credential Management - Shared Account Password Management
• Shared accounts are common in many organizations, each available for use by authorized individuals under the appropriate circumstances.
• The best practice is to avoid shared accounts:
  • Most situations that appear to demand this approach can be more elegantly and securely addressed by using personal accounts.
• However, every organization will need some types of shared accounts, such as:
  • Shared superuser accounts in OSs — such as Administrator in Windows, root in Unix OSs, IBMUSER in z/OS — and similar pre-defined administrator accounts in applications and databases
  • Administrator-defined user accounts intended for use by any approved individual in special circumstances.
    • One example is the "fire call" accounts used by application development, operations or other support staff to resolve critical problems outside normal working hours.
66. Identity Administration - Credential Management - Shared Account Password Management
• A shared account password management (SAPM) tool:
  • Securely manages passwords for shared accounts across a broad range of target systems.
  • Allows only authorized users to retrieve the passwords when needed.
  • Eliminates the risks posed by passwords for shared accounts being shared by multiple users.
  • Improves accountability and supersedes fragile manual processes.
  • Can also manage passwords for service accounts used for application-to-application or application-to-database communication
    • in place of passwords that are hard-coded within the calling applications or held in plain text in configuration files.
  • In this use case, SAPM stands for "service account password management": it provides a secure password store, automatic password currency and synchronization, and enables applications to retrieve passwords when required using an API.
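The SAPM behaviours listed on these two slides, as an added example that is not part of the original presentation: entitled retrieval only, an audit record per retrieval, exclusive check-out for human use of a shared account, rotation on check-in, and an API path for service accounts. The vault, account names and ticket reference are constructed; a real product would also push each rotated password to the target system.

```python
# Added example (not from the original presentation): a toy shared/service
# account password vault modelling the SAPM controls described on the slides.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ManagedAccount:
    target: str                 # constructed label, e.g. "unix:root@db01"
    password: str
    entitled: Set[str]          # principals (people or applications) allowed to retrieve it
    checked_out_by: Optional[str] = None


class PasswordVault:
    def __init__(self):
        self.accounts: Dict[str, ManagedAccount] = {}
        self.audit: List[str] = []

    def enroll(self, name: str, target: str, entitled: Set[str]) -> None:
        # The initial password is generated by the vault, never typed by a person.
        self.accounts[name] = ManagedAccount(target, secrets.token_urlsafe(24), set(entitled))

    def checkout(self, name: str, principal: str, reason: str) -> str:
        """Human use of a shared account: exclusive check-out, reason recorded."""
        acct = self.accounts[name]
        if principal not in acct.entitled:
            self.audit.append(f"DENY checkout {name} by {principal}")
            raise PermissionError(f"{principal} is not entitled to {name}")
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{name} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = principal
        self.audit.append(f"CHECKOUT {name} by {principal}: {reason}")
        return acct.password

    def checkin(self, name: str, principal: str) -> None:
        """Return the account and rotate: the password the person saw stops working."""
        acct = self.accounts[name]
        if acct.checked_out_by != principal:
            raise RuntimeError("check-in by someone other than the holder")
        acct.checked_out_by = None
        self.rotate(name, "post-checkin")
        self.audit.append(f"CHECKIN {name} by {principal}")

    def rotate(self, name: str, why: str) -> None:
        acct = self.accounts[name]
        acct.password = secrets.token_urlsafe(24)   # a real SAPM also updates the target
        self.audit.append(f"ROTATE {name}: {why}")

    def fetch_for_app(self, name: str, app_id: str) -> str:
        """Application-to-application use via API: no check-out, but every
        retrieval is attributed to the calling application and logged."""
        acct = self.accounts[name]
        if app_id not in acct.entitled:
            self.audit.append(f"DENY fetch {name} by {app_id}")
            raise PermissionError(app_id)
        self.audit.append(f"FETCH {name} by {app_id}")
        return acct.password
```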
67. Identity Administration - IT Service Management Integration
• Provisioning an application environment
  • includes the hardware, software and other technology devices that traditionally are the province of IT service management
  • not just end users.
• In addition, Web services are changing the "who" in "who's accessing the application," so that processes and transactions may need to be uniquely identified.
• Enterprises are expanding their views of which objects need a unique identity and, thus, need to be managed.
  • Identity management solutions don't adequately address non-user objects.
  • Configuration, asset and change management solutions don't address the end user.
68. Identity Administration - IT Service Management Integration
• However, there is little technical integration between identity administration and ITSM tools, other than where IAM vendors have their own ITSM tools.
• Integration between password management tools and service desk tools is fairly common; additionally, some user-provisioning tools can externalize request/approval workflow to service desk tools or other kinds of tools that support BPML.
• Nevertheless, the ITSM experience, especially stemming from the IT Infrastructure Library, is leading to a process-oriented approach to identity administration (and IAM in general), especially in Europe.
69. Identity Administration - Delegated and Self-Service Administration
• Delegated administration
  • Delegated administration can also occur within an organization, where trusted individuals within different departments manage a subset of the organization's identity store.
• Self-service administration
  • For typical users such as employees, there are many user attributes that are not security related; an organization may consider allowing users to modify such attributes themselves.
70. Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing (this section)
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
71. Identity Auditing: Introduction
• Identity auditing is the process of
  • documenting
  • reviewing and approving (workflow)
  • identity information and access controls
    • roles, segregation of duties rules and entitlements
  • for business applications and associated infrastructure components.
• Identity auditing is crucially important to IAM governance in general and to regulatory compliance in particular.
72. Identity Auditing - Scope
• The scope of identity auditing can be illustrated informally by the following questions:
  1. Who has access to what?
  2. Who should have access to what?
     • That is, how well does actual access match a predefined policy or access model?
  3. Who reviewed and approved what?
     • This is referred to as "attestation."
  4. Who accessed what?
• Without automation, producing reports and performing management reviews are laborious and expensive tasks.
73. Identity Auditing - Identity Auditing Tools
• Two key identity administration tools provide some identity auditing capabilities:
  • User-provisioning tools (or stand-alone modules associated with them) for questions No. 1 and No. 3, and sometimes No. 2;
  • Role management tools for No. 1 and sometimes No. 2.
• Identity-based network access control (NAC) products have been used for No. 1 and for a limited view of No. 2.
74. Identity Auditing - Identity Auditing Tools
• Other tools with a key functional focus on audit capabilities include:
  • Security information and event management (SIEM) products, which are increasingly used for No. 4; other monitoring tools can also be useful here.
  • Segregation of duties (SOD) controls within ERP tools, which identify the SOD conflicts within those complex applications, a special case of No. 1.
• Finally, specialized identity auditing tools fill the gap between what identity administration tools can provide and these needs.
75. Identity Auditing: Specialized Tools
• Specialized identity auditing tools focus on identity-auditing needs — the ability to answer the questions listed above — that are poorly served by identity administration tools.
• Reporting on access assigned to users and applications — No. 1: Who has access to what? — will remain an ongoing need in information security and compliance/risk management programs.
76. Identity Auditing: SOD Controls within ERP
• Largely driven by regulatory compliance requirements, organizations are looking to address SOD issues within their enterprise applications.
• These projects typically start with resolving SOD issues in financial transactions, usually embodied in ERP applications such as those offered by SAP and Oracle.
• Technology controls to address the problem include:
  • Identifying and reducing SOD conflicts within ERP application-level functional permissions.
  • Provisioning support — preventing new SOD conflicts through integration with user provisioning and role management processes.
  • Transaction monitoring — identifying SOD violations by automatically monitoring for transactions that indicate inappropriate behavior.
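The first two controls above, as an added example that is not part of the original presentation: a detective pass that reports existing SOD conflicts in flattened ERP functional permissions, and a preventive check wired into the provisioning step that refuses a grant which would create a new conflict. The SOD rules and entitlements are constructed, not taken from any ERP product.

```python
# Added example (not from the original presentation): detective and preventive
# segregation-of-duties checks over constructed ERP-style entitlements.
from typing import Dict, List, Set, Tuple

# Constructed SOD rules: pairs of functional permissions one person must not hold together
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "create-and-pay-vendor":    ("ap:create-vendor", "ap:approve-payment"),
    "post-and-approve-journal": ("gl:post-journal", "gl:approve-journal"),
    "hire-and-pay":             ("hr:create-employee", "payroll:run"),
}

# Constructed entitlements, already flattened from roles down to ERP functional permissions
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"ap:create-vendor", "ap:approve-payment", "gl:post-journal"},
    "bob":   {"gl:post-journal", "crm:read"},
    "carol": {"gl:approve-journal", "hr:create-employee"},
}


def conflicts_for(perms: Set[str], rules: Dict[str, Tuple[str, str]] = SOD_RULES) -> List[str]:
    """Names of SOD rules violated by one person holding this permission set."""
    return sorted(name for name, (a, b) in rules.items() if a in perms and b in perms)


def audit_sod(entitlements: Dict[str, Set[str]],
              rules: Dict[str, Tuple[str, str]] = SOD_RULES) -> Dict[str, List[str]]:
    """Detective control (question No. 1 on the earlier slide): every user
    who currently holds at least one conflicting pair."""
    report = {}
    for user, perms in entitlements.items():
        hits = conflicts_for(perms, rules)
        if hits:
            report[user] = hits
    return report


def request_access(user: str, new_perm: str,
                   entitlements: Dict[str, Set[str]] = ENTITLEMENTS,
                   rules: Dict[str, Tuple[str, str]] = SOD_RULES) -> Tuple[bool, List[str]]:
    """Preventive control at provisioning time: grant only if the new permission
    introduces no conflict the user did not already have (pre-existing ones are
    left for the detective report to surface)."""
    current = entitlements.setdefault(user, set())
    before = set(conflicts_for(current, rules))
    after = set(conflicts_for(current | {new_perm}, rules))
    new_conflicts = sorted(after - before)
    if new_conflicts:
        return False, new_conflicts
    current.add(new_perm)
    return True, []
```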
77. Identity Auditing - SOD Controls within ERP
• SOD tools are becoming mainstream, but these tools remain expensive and complex to maintain.
• In the longer term:
  • SOD should become part of a broader control management framework and strategy.
  • Automated SOD analysis should be integrated into the automated provisioning of users and roles within identity management.
• Representative vendors
  • Approva, LogicalApps (Oracle), SAP (acquisition of Virsa Systems)
78. Identity Auditing - Security Information and Event Management (SIEM)
• SIEM tools and services deliver two basic capabilities:
  • Security information management (SIM)
  • Security event management (SEM)
• Security information management (SIM) provides reporting and analysis of data
  • primarily from host systems and applications,
  • and secondarily from security devices, to support security policy compliance management, internal threat management and regulatory compliance initiatives.
• SIM can be used to support the activities of the IT security, internal audit and compliance organizations.
• Storage, correlation and reporting of selected host and application data is available from managed security service providers (MSSPs).
79. Identity Auditing - Security Information and Event Management (SIEM)
• Security event management (SEM) improves security incident response capabilities.
• SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations.
• SEM helps IT security operations personnel be more effective in responding to external and internal threats.
• Remotely managed SEM functions for firewalls, intrusion defense systems, intrusion prevention systems and related perimeter- and host-monitoring technologies are available from MSSPs.
80. Identity Auditing - Security Information and Event Management (SIEM)
• A SIEM tool enables an organization
  • to analyze security event data in real time (for threat management, primarily in network events)
  • to analyze and report on log data (for security policy compliance monitoring, primarily in host and application events).
• SIEM technology
  • can collect user activity (resource access) data from systems and applications
  • can be used to track user activity across the network and multiple systems and applications.
• This technology provides the ability to associate an individual with a device, a network address, the associated network login IDs and the subsequent resource access.
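The association chain described in the last bullet (individual, device and address, login ID, resource access), as an added example that is not part of the original presentation. It runs a small correlation over constructed VPN, host-login and database events so that a database action performed under a shared login can still be attributed to the person whose VPN address initiated it; the log format is invented for the example.

```python
# Added example (not from the original presentation): SIEM-style correlation
# of constructed log lines from three sources into a per-person access trail.
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample events (not real logs), normalised to "ts source key=value ..."
LOG_LINES = """
2016-10-03T08:00:01Z vpn user=jdoe assigned_ip=10.20.0.7 device=LAPTOP-0421
2016-10-03T08:05:12Z host login=svc_report src_ip=10.20.0.7 host=db01
2016-10-03T08:06:40Z db account=svc_report object=PAYROLL.SALARIES action=SELECT host=db01
2016-10-03T08:30:00Z vpn user=asmith assigned_ip=10.20.0.9 device=LAPTOP-0388
2016-10-03T08:31:05Z host login=asmith src_ip=10.20.0.9 host=db01
2016-10-03T08:31:50Z db account=asmith object=CRM.CONTACTS action=SELECT host=db01
2016-10-03T09:15:00Z db account=svc_report object=CRM.CONTACTS action=DELETE host=db01
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse(line: str) -> Dict[str, str]:
    """Split one constructed log line into a flat event dictionary."""
    ts, source, rest = LINE_RE.match(line).groups()
    event = {"ts": ts, "source": source}
    event.update(kv.split("=", 1) for kv in rest.split())
    return event


def correlate(lines: List[str]) -> Dict[str, List[str]]:
    """Return person -> ["ts action object (as login-id)", ...] for every
    database access, with accesses nobody can be tied to under '<unattributed>'."""
    ip_to_person: Dict[str, str] = {}                 # learned from VPN address assignments
    login_to_person: Dict[tuple, str] = {}            # (host, login) -> person, from host logins
    trail: Dict[str, List[str]] = defaultdict(list)
    unattributed: List[str] = []
    for event in map(parse, lines):
        if event["source"] == "vpn":
            ip_to_person[event["assigned_ip"]] = event["user"]
        elif event["source"] == "host":
            # The OS login ID may be a shared account; the source address is what
            # links it back to the individual who authenticated at the VPN.
            person = ip_to_person.get(event["src_ip"])
            if person:
                login_to_person[(event["host"], event["login"])] = person
        elif event["source"] == "db":
            person = login_to_person.get((event["host"], event["account"]))
            record = f'{event["ts"]} {event["action"]} {event["object"]} (as {event["account"]})'
            if person:
                trail[person].append(record)
            else:
                unattributed.append(record)       # a gap worth alerting on
    trail["<unattributed>"] = unattributed
    return dict(trail)
```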
81. Identity Auditing - Security Information and Event Management (SIEM)
• SIM requirements (to support regulatory compliance initiatives) have replaced SEM as the primary driver for SIEM project funding for in-house deployment.
• SEM remains the primary driver for outsourcing with MSSPs, although several MSSPs are introducing SEM service offerings to address this market.
• This means, fundamentally, that
  • organizations are placing more emphasis on IAM event monitoring and reporting
  • SIEM tools remain important within threat and vulnerability management.
• Major IAM vendors have made SIEM acquisitions during the past few years.
82. Identity Auditing - Other Monitoring Tools
• Some near-real-time analysis tools have automated the process of detecting unusual user activity within specific circumstances and domains
  • That is, they can answer question No. 4: "Who accessed what?"
• Each technology is designed specifically for a particular layer in the application stack
  • but the technologies have limited or no visibility into related activities in other layers.
• More recently, new monitoring tools have been appearing that sit between users and the systems they access, in-line or "on box," and can capture user activity down to the keystroke level.
  • In addition to traditional alerting and reporting capabilities, these tools generally provide the ability to "replay" user activity.
83. Identity Auditing - Other Monitoring Tools (continued)
• Enterprises can use SIEM tools to gain broad visibility across many layers.
• Database activity monitoring
  • Can be used to monitor database administration activity and database user access, especially when native database auditing is not enabled.
  • Vendors: Application Security, Guardium, IPLocks, Lumigent, Tizor
• Content monitoring and filtering (CMF)
  • Can be used to detect and prevent the inappropriate movement of sensitive data across the network, but detection is limited to what can be discovered via simple data pattern rules.
• Fraud detection
  • Can be used to monitor and stop suspect user activity at the access or transaction layer, but its scope is limited to the specific set of applications and business rules with which it interfaces.
  • Vendors and products: RSA, VeriSign
• …
84. Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification (this section)
• Access Management
• IAM Framework And Process
• Conclusion
85. Identity Verification: Introduction
• It is critical for an organization to be able to verify, with an appropriate level of confidence, who it is allowing to access its systems.
  • This must be balanced with ease of use, because end users overwhelmed by security requirements may behave in ways that reduce security.
• Identity verification includes technologies that broker authentication, or authenticated identities, and other identity information among diverse target systems or domains.
86. Identity Verification - Ex: Mapping of Responsibilities
[Responsibility matrix shown as a figure; legend: Little/no involvement, Moderate involvement, Significant involvement]
87. Identity Verification - Identity Proofing
• Identity proofing is the process by which an organization uniquely identifies a person before "provisioning an identity" to that individual
  • that is, assigning an identifier (name) and issuing an identity credential, and perhaps other identity creation subprocess tasks, such as creating a user account.
• Identity-proofing services verify an individual's identity based on "life history" information aggregated from public or proprietary data sources.
• The most common use case for these services is to verify the identity of a new registrant in real time where face-to-face proofing is not possible and offline, back-end identity proofing is undesirable — typically in a business-to-consumer context.
88. Identity Verification: Identity Proofing
• These services might also be used as an additional interactive user authentication or transaction verification method
  • For example, to provide identity verification for self-service password reset, or to verify the identity of an individual before executing a high-value transaction.
• Service providers in this category have emerged during the past few years.
• Identity-proofing services enable more secure customer account opening and/or account registration, as well as verification of an identity during high-risk transactions, such as password reset, especially in a non-face-to-face environment.
89. Identity Verification: Authentication
• Authentication is the process of proving the digital identity of a user or object to a network, application or resource. Once authenticated, users can access resources based on their entitlements through the process of authorization.
• Examples of authentication techniques include:
  • User names and passwords
  • Personal identification numbers (PINs)
  • X.509 digital certificates
  • One-time passwords
  • Biometrics (for example, fingerprint or iris scans)
90. Comparing Strong and Weak Authentication Techniques
• Authentication techniques range from simple ones, where users provide passwords directly to applications or hosts, to much more complicated ones that use advanced cryptographic mechanisms to protect user credentials against potentially malicious applications and hosts.
• Providing a plaintext password (that is, one that is not encrypted in any way) to an application or host is considered the weakest authentication technique.
• Stronger authentication techniques protect the authentication credentials so that the host or resource to which the user authenticates does not know what the secret actually is.
  • Typically, this is done by cryptographically signing data with the secret password that is known only to the user and a trusted third party.
91. Identity Verification - Authentication Infrastructure
• A typical proprietary authentication method requires its own infrastructure components — an authentication server and so on.
• Where an organization is using a "portfolio" of authentication methods, a separate authentication server is likely demanded for each method.
• To reduce complexity, provide one policy decision point and simplify migrating to new authentication methods, an organization may deploy one of two authentication infrastructure technologies.
92. Identity Verification - Authentication Infrastructure - VAS
• A versatile authentication server (VAS) is a single server (software or appliance) that supports multiple open and proprietary authentication methods.
• At a minimum, it will support authentication using PKCs and one of the two industry-standard OTP authentication methods:
  • Initiative for Open Authentication (OATH) HOTP
  • Europay, MasterCard and Visa Chip Authentication Program
• In addition to providing support for any of the vendor's own proprietary methods, the VAS should have an extensible architecture to enable third-party authentication methods to be "plugged in" as needed.
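The weak-versus-strong contrast of slide 90 and the pluggable VAS of this slide, as one added example that is not part of the original presentation: a single decision point in front of two methods, a salted-hash password check (the user hands over the secret itself) and OATH HOTP (RFC 4226, where the server only ever sees a code derived from the shared secret). The HOTP implementation is checked against the RFC 4226 test vectors; the server, user names and window size are constructed for the example.

```python
# Added example (not from the original presentation): a tiny versatile
# authentication server with two pluggable methods, password and OATH HOTP.
import hashlib
import hmac
import os
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class PasswordMethod:
    """Weak method: the secret itself is presented; store only a salted hash."""

    def __init__(self):
        self.records: Dict[str, tuple] = {}

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def verify(self, user: str, presented: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


class HotpMethod:
    """Stronger method: the token signs a counter with the shared secret, so the
    secret never crosses the wire. A small look-ahead window tolerates tokens
    whose counter has run ahead of the server's (codes generated but not sent)."""

    def __init__(self, window: int = 5):
        self.window = window
        self.records: Dict[str, list] = {}   # user -> [secret, next expected counter]

    def enroll(self, user: str, secret: bytes, counter: int = 0) -> None:
        self.records[user] = [secret, counter]

    def verify(self, user: str, presented: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        secret, counter = rec
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(secret, c), presented):
                rec[1] = c + 1          # resynchronise; this code can never be replayed
                return True
        return False


class VersatileAuthServer:
    """One policy decision point in front of several authentication methods."""

    def __init__(self):
        self.methods: Dict[str, object] = {}

    def register(self, name: str, method) -> None:
        self.methods[name] = method

    def authenticate(self, user: str, method: str, credential: str) -> bool:
        m = self.methods.get(method)
        return bool(m is not None and m.verify(user, credential))
```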
93. Identity Verification - Authentication Infrastructure - ITCAS
• An "in the cloud" authentication service (ITCAS), which relies on a managed service provider that absorbs the complexity of managing different infrastructures for different authentication methods, is a viable alternative for some enterprises.
• An ITCAS will likely be favored for online consumer security, where the service provider can offer complementary services, such as fraud detection.
• Vendors
  • RSA, VeriSign (and many third-party service providers, including telcos)
94. Identity Verification - SSO
• Many enterprises are interested in simplifying resource access for employees, customers, partners or other stakeholders.
• Single sign-on is "a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where that user has access permission, without the need to enter multiple passwords" (Open Group).
• SSO at the application level involves establishing a "session" between the client and server that allows the user to keep using the application without providing a password every time they take an action within the application.
95. Identity Verification - Single Sign-On
• Single sign-on (SSO) technologies enable users to authenticate once and automatically be signed on to other target systems.
• These technologies include:
  • Kerberos
  • Active Directory (AD)/Unix integration tools
  • ESSO
  • Bundled smart-token-based SSO
  • Web SSO
  • Secure Sockets Layer (SSL) virtual private networks (VPNs)
96. Identity Verification - The many flavors of SSO
• Enterprise SSO
  • User community: Employees
  • Application types: Desktop, Browser-based
  • Architecture and implementation: Protected password vault; Credential form fill
• Web SSO
  • User community: Employees, Partners, Customers
  • Application types: Browser-based
  • Architecture and implementation: HTTP session management; Application security shims; Role- or rule-based access control; Single security domain; User accounts required
• Federated SSO
  • User community: Employees, Partners, Customers
  • Application types: Browser-based, Web services
  • Architecture and implementation: Identity assertions; Role and attribute exchange; Spans security domains; User accounts not required
97. Identity Verification - Is SSO safe? Yes!
• Network login
  • Status quo: Simple password, or strong password written down
  • Enterprise SSO: Strong password, only one to remember
• Application login
  • Status quo: Simple password, or password written down; static, seldom changing
  • Enterprise SSO: Strong password; often changing, if desired
• Number of logins
  • Status quo: Many
  • Enterprise SSO: One
• Password reuse
  • Status quo: "User-synchronized" passwords
  • Enterprise SSO: None
• Help desk burden
  • Status quo: Lots of password reset calls
  • Enterprise SSO: Few reset calls
98. Identity Verification - Federation - Trust
• The concept of trust is becoming more important as organizations continue to share resources with their business partners.
• The ability to establish trust between independently administered systems is crucial for IT systems to support the required level of data exchange.
• Trust enables secure authentication and authorization of digital identities between autonomous information systems with less management overhead.
99. Identity Verification - Federation - Trust Mechanisms
• The mechanisms of trust are complicated because many tasks must happen between independent organizations to make the authentication and subsequent authorization processes useful.
  • The trusting organization needs a secure mechanism to communicate with the trusted organization.
  • Once the trusting organization has authenticated the foreign digital identity, it must incorporate the entitlement information about that foreign account into its own authorization process.
100. Identity Verification - Federation
• A federation is a special kind of trust relationship established beyond internal network boundaries between distinct organizations.
• Federation enables the secure authentication and authorization of digital identities between autonomous information systems based on the principle of trust.
• For example, a user from company A can use information available at company B because there is a federated trust relationship between the two companies.
101. Identity Verification - Federation - Identity Federation
• Federated identity allows customers, partners and end users to use applications/services without having to constantly authenticate or identify themselves to the services within their federation.
  • This applies both within the corporation and across the Internet.
• Federation enables identities to be shared and propagated between different systems
  • Allows individuals to "log in" once to access resources on the networks of different enterprises
  • No need for central storage of personal information
  • Each organization authenticates its respective users and vouches for their access to a third-party organization's services
• This idea is popular because it can remove or simplify the requirement to administer many different accounts.
102. Identity Verification - Federated Identity Management
• Federation can be viewed as an extension of identity management principles beyond the borders of the enterprise.
• The goals of federation extend well beyond merely increasing convenience for users of resources, to minimizing the costs of and management requirements for identity in the connected world.
• Federated identity management offers a standards-based means of achieving these goals by
  • enabling one organization (the identity provider) to provide information about a managed identity
  • to another organization (the identity consumer, service provider or resource provider).
• Each organization included in the "community of trust" tracks the identities of individuals who are most central
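The identity provider to service provider exchange just described, as an added example that is not part of the original presentation. The identity provider issues a signed assertion about a user it has authenticated; the service provider in the other security domain verifies it against its list of trusted issuers, checks audience and expiry, and maps the asserted attributes onto local entitlements without holding a local account for the user. An HMAC over JSON stands in for the XML signature a SAML deployment would use; the entity names, key and role mapping are constructed.

```python
# Added example (not from the original presentation): a simplified federated
# login exchange between an identity provider and a service provider.
import hashlib
import hmac
import json
from typing import Dict, Optional


class IdentityProvider:
    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self.key = issuer, signing_key

    def issue_assertion(self, subject: str, audience: str, attributes: Dict[str, str],
                        now: int, ttl: int = 300) -> Dict[str, str]:
        """Called only after the IdP has authenticated `subject` by its own means."""
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "exp": now + ttl, "attrs": attributes}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "sig": sig}


class ServiceProvider:
    def __init__(self, entity_id: str, trusted_issuers: Dict[str, bytes]):
        self.entity_id = entity_id
        self.trusted = trusted_issuers          # issuer -> verification key (the trust list)
        # Local policy: which asserted role grants which local entitlements (constructed)
        self.role_map = {"finance-approver": {"invoice:approve", "invoice:read"},
                         "viewer": {"invoice:read"}}

    def consume(self, assertion: Dict[str, str], now: int) -> Optional[Dict]:
        """Return a local session (subject + entitlements) or None if the assertion is rejected."""
        payload = assertion["payload"].encode()
        claims = json.loads(payload)
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None                                     # issuer not in the community of trust
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None                                     # tampered, or signed with another key
        if claims.get("aud") != self.entity_id or claims["exp"] <= now:
            return None                                     # meant for another SP, or expired
        entitlements = set()
        for role in claims["attrs"].get("roles", "").split(","):
            entitlements |= self.role_map.get(role, set())
        # No local user account: the identity is taken entirely from the assertion
        return {"subject": f'{claims["sub"]}@{claims["iss"]}',
                "entitlements": sorted(entitlements)}
```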
103. Identity Verification - Federated Identity Management
• Once individuals have been authenticated by their own organizations, they can access other organizations' resources without being required to reauthenticate.
• Federated identity management is positioned to provide a foundation for consumer and business identification and, eventually, personal identity frameworks (PIFs) supporting e-business and other applications.
104. Identity Verification - Federated Identity Management
• Benefits
  • Secure integration with partners
  • Reduced administration cost
  • Improved end-user experience
• Features
  • Seamless SSO and identity sharing
  • Multi-protocol gateway: SAML, Liberty, WS-Federation
  • Service provider or identity provider
  • Flexible deployment configurations
    • Standalone, for use with a pre-existing web-access management solution
    • Protocol SDK for custom applications
105. Identity Verification - Personal Identity Frameworks
• PIF developers have created hype around terms such as "user-centric identity," "Identity 2.0" and the "Identity Metasystem."
• These terms attach to a set of architectural constructs and technical product components that
  • augment rather than replace IAM architectures
  • are intended to provide users with control of their identity attributes when registering for and accessing online services.
• Client identity selectors, Web site integration components, and service definition and discovery components are common among different developers' PIF implementations.
106. Identity Verification - Personal Identity Frameworks
• PIFs can:
  • Reduce users' data entry burdens when registering with and revisiting service providers, and increase users' willingness to provide personal information because it is more convenient to do so.
  • Provide RSOs for business contexts (sets of related services) where credentials can be shared.
  • Provide a common user experience for selecting the appropriate digital identities (each an identifier and a set of attributes) and providing them to service providers.
  • Provide a standard development framework for developers that is abstracted from, and can make use of, disparate identity protocols and identity repositories.
107. Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
• Access Management (this section)
• IAM Framework And Process
• Conclusion
108. Access Management Definition
• Perimeter Security: establishes a barrier to keep malicious attacks from affecting the productivity of the organization
• Access Security: provides regulated access to the business resources users need to perform their duties
109. Access Management Introduction
• Organizations must control access to systems and content so that end users can contribute to business productivity and profitability without compromising security.
• Centralizing policy administration and decision points improves consistency and ease of management.
110. Access Management Key Technologies
• Web Access Management (WAM)
  • WAM tools provide centralized administration, authentication and authorization services for multiple web-based applications, internal or external to the organization.
  • These tools can also provide some non-web resource access controls. WAM tools increasingly support simple, standards-based identity federation and web services access control models.
• OS Access Management
  • These tools are to OSs what WAM tools are to web applications — that is, they provide centralized administration, authentication and authorization services for multiple OS instances.
  • Products typically focus on Windows, or on Unix and Linux OSs, but rarely both.
111. Access Management: OS Access Management
• Superuser Privilege Management (SUPM)
  • Superuser privilege management tools grant individual users partial superuser privileges, or temporary full superuser privileges, as needed.
  • Some OS access management tools, including the z/OS ESMs, embed SUPM capabilities.
112. Access Management: Authorization Management
• Authorization is the process of determining whether a digital identity is allowed to perform a requested action.
• Authorization occurs after authentication, and maps attributes associated with the digital identity (such as group memberships) to access permissions on resources, to identify which resources the digital identity can access.
• Different platforms use different mechanisms for storing authorization information:
  • Access Control List
  • Security Group
  • Roles
  • Rules
113. Access Management - Authorization Techniques - Access Control Lists
• The most common authorization mechanism is the access control list (ACL): a list of digital identities along with the set of actions each may perform on the resource (also known as permissions).
• Actions are typically defined relative to the type of object the ACL protects.
• For example, a printer might allow actions such as "print" or "delete job", while a file might allow actions such as "read" and "write."
114. Access Management - Authorization Techniques - Security Groups
• Operating systems that support large numbers of users typically support security groups, which are a special type of digital identity.
• Using security groups reduces the management complexity of dealing with thousands of users in a large network.
• Security groups simplify management because an ACL can have a few entries specifying which groups have a given level of access to an object.
• With careful group design, the ACL should stay relatively static. You can change authorization policy for many objects at a time by manipulating the members of a group maintained by a centralized authority, such as a directory.
• Nesting groups within each other increases the flexibility of the group model for managing authorization.
115. Access Management - Authorization Techniques - Roles (RBAC)
• Many applications use the term role to refer to a user classification.
• Roles can also be based on dynamic, run-time decisions, which provide more flexibility.
• Roles are used to build business-driven logic for granting access rights, which is almost impossible to configure with ACL-type mechanisms.
• Roles can be defined either globally, such as by group memberships in a directory, or in application code that determines role membership from a dynamic query.
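The three techniques on the previous slides (ACLs with object-type-specific actions, nested security groups resolved from a directory, and run-time roles) combined into one authorization check. This is an added example, not code from the original deck; the directory content, resources and the "owner" role rule are constructed for illustration.

```python
# Added example (not from the original slides): one authorization check that
# combines the three techniques above: ACLs whose actions depend on the object
# type, nested security groups resolved from a directory, and dynamic roles.
from dataclasses import dataclass

# Constructed directory content: group -> members (users or nested groups).
DIRECTORY_GROUPS = {
    "finance-all": {"alice", "finance-managers"},   # contains a nested group
    "finance-managers": {"bob"},
    "print-operators": {"carol"},
}

# Actions are defined relative to the object type the ACL protects.
ACTIONS_BY_TYPE = {"printer": {"print", "delete job"}, "file": {"read", "write"}}


@dataclass
class Resource:
    name: str
    kind: str
    acl: dict          # principal (user, group or "role:<name>") -> allowed actions
    owner: str = ""    # used by the run-time role decision below


def expand_groups(principal, groups=DIRECTORY_GROUPS):
    """Return every group the principal belongs to, walking up nested groups."""
    result, stack = set(), [principal]
    while stack:
        member = stack.pop()
        for group, members in groups.items():
            if member in members and group not in result:
                result.add(group)
                stack.append(group)   # the enclosing group may itself be nested
    return result


def dynamic_roles(user, resource):
    """Role decided at run time (assumed rule): the owner of a resource is 'owner'."""
    return {"owner"} if resource.owner == user else set()


def is_authorized(user, action, resource):
    """Map identity attributes (groups, roles) onto the resource's ACL entries."""
    if action not in ACTIONS_BY_TYPE[resource.kind]:
        return False   # action is not defined for this object type: deny
    principals = {user} | expand_groups(user)
    principals |= {"role:" + role for role in dynamic_roles(user, resource)}
    return any(action in resource.acl.get(p, set()) for p in principals)
```

Because bob is only a member of finance-managers, his print permission on the printer comes from the nesting of that group inside finance-all, while his write permission on the file comes from the run-time owner role rather than from any ACL entry naming him.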
116. Access Management: Authorization Management
• Authorization is traditionally handled by an ACS specific to each platform, application, network component and device, with little or no compatibility among them.
• This "siloed" and fractured approach to authorization is disjointed from the centralized approach that organizations have previously taken for administration and (to a degree) authentication.
• Emerging authorization management tools provide a more consistent approach.
• These tools can administer fine-grained authorization policies, make policy decisions and, optionally, enforce these policies across a range of disparate target systems.
• Enforcement is better kept at the platform, application, network and device levels to avoid a performance bottleneck.
117. Access Management: Authorization Management
• There is not yet one kind of authorization management tool; rather, there are a few complementary kinds, each appropriate to different data and application types.
• This is the Holy Grail of IAM…
118. Access Management: Content Access Management
• Content access management (CAM) covers technologies that protect structured and unstructured data within or outside the confines of a system that provides access management capabilities, namely encryption and enterprise digital rights management (EDRM).
• Encryption
  • Encryption can be applied to data at rest within organizations' networks or on notebook PCs, or to data in motion.
  • File encryption is typically the least expensive way to protect documents from unauthorized insiders, including system administrators.
• EDRM
  • Applied to enterprise messaging, documents and other intellectual property to protect against intellectual property loss and inappropriate or unintended disclosure of proprietary or confidential enterprise information.
119. Access Management: Network Access Control Challenges
• Anywhere access to business applications and data
• Expanding access to more users and device types cost-effectively
• Prevent downtime and business loss from security breaches
• Meet or exceed security, privacy and regulatory concerns
(Figure: access from a mobile PDA, a partner machine, a corporate laptop and a home computer)
120. Access Management: NAC Customer Problems
• Endpoint security, identification, and integrity validation
• Centralized access control to all IT resources
• Control over how information and applications can be used
• Consistent user experience: bandwidth, latency, device idiosyncrasies
• Cannot access from behind firewalls
• Access from widely varying devices
• Minimize re-authentication on re-connect
• Need access to all internal IT resources
(Figure: mobile PDA, home computer and partners reach, over the Internet and through a firewall, a hardened appliance acting as access gateway with advanced access control; behind a second firewall sit file servers, web or app servers, web services, email servers, desktops and phones, local users and corporate laptops)
121. Access Management: NAC Customer Problems
• NAC is a mix of hardware and software technologies that dynamically control client systems' access to networks based on their compliance with policy.
• Current challenges:
  • Complexity: competing architectures and non-interoperable solutions
  • Fragmentation: too many islands of policy
  • Upfront costs exceed benefits
  • Insufficient connection with business needs
122. Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process (current section)
• Conclusion
123. IAM Frameworks and Processes: IAM Functional View
• Administration provides a way to view and manage user identities and access.
• Authentication ensures that users are properly identified and that these identities are verified to IT resources.
• Authorization ensures that users can access only what their job functions allow them to access within the company (see Note 1).
• Auditing ensures that the activities associated with user access are logged for
  • day-to-day administration and real-time enforcement (authentication and authorization)
  • monitoring, regulatory and investigative purposes
124. IAM Frameworks and Processes: IAM Functional View (figure)
125. IAM Frameworks and Processes: IAM Functional View
• Applications
  • Windows Clients
  • Middle-Tier Services
  • Mainframe Applications
  • Web Applications
  • Web Services
• Access Management
  • Authentication Techniques
  • Authorization Methods
  • Trust
  • Federation
  • Audit
• Identity Management
  • Provisioning
  • Deprovisioning
  • Self-Service
  • Delegated Administration
  • Credential Management
• Directory Services
  • Identity Data Stores
  • Identity Integration Services
• Data Ownership
  • Data Stewardship
  • Account Management
  • RBAC
  • Auditing
• Governance
  • Executive Sponsor
  • Security Administration
  • Security Policy
  • Security Guidelines
  • Security Standards
126. Ex: Enterprise Services Framework (Identity and Access Management Framework)
• Enterprise Services provides:
  • Leveragability
  • Sustainability
  • Consistency
  • Simplification
• Resulting in:
  • Regulatory Compliance
  • Optimized Business Operations
  • Reduced Administrative Cost
  • Enhanced Security Posture
• Identity and Access services that drive these results:
  • Client Registration
  • Self-Service
  • Delegated Administration
  • Federation
  • Authentication
  • Authorization
  • Business Rules and Policy
  • Auditing and Reporting
  • Consolidated Identity Data
127. Ex: IAM Framework (Identity Lifecycle Management, Enterprise Directory, Identity & Access Control Enforcement, Audit & Tracking)
• Identity Lifecycle Management: managing (create, modify, delete) the user accounts and user profiles linked to each person across the IT environment, via a combination of user roles and business rules, throughout the employment lifecycle.
• Enterprise Directory services: providing global and consistent views of the company organization and the people working within it, including the capability to abstract and automatically correlate data from HR, customer relationship management and other "identity stores".
• Identity & Access control enforcement: covering the technology, tools and mechanisms that execute IS security policies and business rules for access to IT system/application data.
• Audit & tracking: covering the technology, tools and processes that support legal and regulatory requirements in terms of audit, logging and tracking.
• User Master Data: the common data related to personal information (e.g. first name, surname, email, user ID) referenced across multiple systems.
• Authorization: the set of data elements a specific security principal (user, application, process) can access, and the actions that can be taken on those data elements.
• Authentication: the process of determining whether someone or something is who or what they declare themselves to be, so that access to protected resources can efficiently be granted or denied. Log-on is the user action of authenticating to a system.
• Reconciliation: a comparison between "what is" and "what should be". Reconciliation ensures consistency of information across the various systems.
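The reconciliation step defined above, carried out against constructed data: the "what should be" side is derived from user master data in HR plus an entitlement rule, the "what is" side is an account dump from a target system, and every difference is classified so the audit and lifecycle processes can act on it. This is an added example, not part of the original deck; the HR rows, the department-based entitlement rule and the ERP account list are all assumptions made for the illustration.

```python
# Added example (not from the original deck): a reconciliation pass that
# compares "what should be" (HR master data plus an entitlement rule) with
# "what is" (accounts dumped from a target system) and reports the gaps.

# Constructed HR master data, the authoritative "what should be" source.
HR_MASTER = [
    {"user_id": "u1001", "email": "alice@example.invalid", "dept": "finance", "status": "active"},
    {"user_id": "u1002", "email": "bob@example.invalid", "dept": "sales", "status": "active"},
    {"user_id": "u1003", "email": "carol@example.invalid", "dept": "finance", "status": "terminated"},
    {"user_id": "u1004", "email": "dave@example.invalid", "dept": "finance", "status": "active"},
]

# Business rule (assumed): departments entitled to an account on each system.
ENTITLED_DEPTS = {"erp": {"finance"}}

# Constructed account dump from the target ERP system, the "what is" side.
ERP_ACCOUNTS = [
    {"login": "u1001", "email": "alice@old-domain.invalid"},  # attribute drift
    {"login": "u1002", "email": "bob@example.invalid"},        # active, not entitled
    {"login": "u1003", "email": "carol@example.invalid"},      # leaver still present
    {"login": "svc_backup", "email": ""},                      # no HR record at all
]


def expected_accounts(hr_rows, system):
    """Derive the accounts a system should hold from HR status and the rule."""
    return {r["user_id"]: r for r in hr_rows
            if r["status"] == "active" and r["dept"] in ENTITLED_DEPTS[system]}


def reconcile(hr_rows, actual_accounts, system="erp"):
    """Classify every difference between the target system and HR."""
    should = expected_accounts(hr_rows, system)
    actual = {a["login"]: a for a in actual_accounts}
    hr_by_id = {r["user_id"]: r for r in hr_rows}
    findings = {"orphan": [], "leaver": [], "unentitled": [], "drift": [], "missing": []}
    for login, acct in actual.items():
        if login not in hr_by_id:
            findings["orphan"].append(login)        # nobody owns this account
        elif hr_by_id[login]["status"] != "active":
            findings["leaver"].append(login)        # should have been deprovisioned
        elif login not in should:
            findings["unentitled"].append(login)    # active person, wrong department
        elif acct["email"] != should[login]["email"]:
            findings["drift"].append(login)         # master data not propagated
    for user_id in should:
        if user_id not in actual:
            findings["missing"].append(user_id)     # entitled but never provisioned
    return findings
```

Each finding category maps to a different process owner: orphans and leavers go to deprovisioning, unentitled accounts to an access review, drift to directory synchronization, and missing accounts to provisioning.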
128. Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion (current section)
129. Benefits of IAM
• Visibility of the end-to-end cycle for user account creation, modification and termination
• Ability to properly (un)validate every user
• Improved user experience through self-service, password reset and SSO
• Compliance achieved via policy enforcement and automated user entitlement reviews (audit)
• Reduced administrative effort and cost
• Ability to expand the business model through federation
• Faster application time-to-market by leveraging enterprise authentication services
• Flexible and scalable to meet global requirements
130. IAM Technologies Defined (figure)
131. Conclusion: No Unique Framework Vision
132. Federated Identity Management
• Federation is a kind of perimeter mechanism that sits at the edge of the network and shares identity information with other federation mechanisms where a trust relationship exists.
• The federation technology creates or gathers the trust assertions that must be made when an internal user wishes to access an external resource, or vice versa.
• Very active, with many companies migrating to it due to:
  • Cloud and SaaS
  • Internet applications
  • Mergers and acquisitions
  • New collaboration modes
133. The Rise of IDaaS
• By 2020, 40% of Identity and Access Management (IAM) purchases will use the identity and access management as a service (IDaaS) delivery model — up from less than 20% in 2016.
• A vendor in the IDaaS market delivers a predominantly cloud-based service in a multitenant or dedicated and hosted delivery model.
• The service brokers a set of functionality across multiple IAM functions to target systems on customers' premises and in the cloud:
  • Identity and governance administration (IGA), access enforcement, and analytics functions.
134. IDaaS Market Split Between Two Styles of Offerings
• Web-centric IDaaS
  • Supports web- and mobile-architected application targets in the cloud or on customers' premises.
  • Web-centric IDaaS providers generally have strengths in multifactor authentication and SSO. Offerings tend to support the basic user administration, self-service and identity synchronization aspects of IGA, but lack legacy application connector support, customizable multilevel approval workflow, and governance features such as access certification, role mining and role life cycle management, and segregation of duties violation detection.
  • Web-centric IDaaS usually deploys rapidly because the services are designed to be multitenant, and customization and legacy integration requirements are not the primary design goals.
• Legacy, full-featured IDaaS
  • Offers services that were developed to support web applications on-premises and in the cloud, as well as legacy applications.
  • More IGA connectors are available for legacy applications, and customizable approval workflows are supported.
  • Most of these vendors also provide governance features, such as access certification, role mining and role life cycle management, and detection of segregation of duties violations.
135. Cloud Security Landscape (figure)
136. Contact
• Twitter: http://www.twitter.com/welkaim
• SlideShare: http://www.slideshare.net/welkaim
• EA Digital Codex: http://www.eacodex.com/
• Linkedin: http://fr.linkedin.com/in/williamelkaim
Claudine O'Sullivan