The (IdM) Identity Conundrum - PowerPoint PPT Presentation

About This Presentation
Title: The (IdM) Identity Conundrum
Description: Strategies in identity management
Slides: 36
Provided by: besti71
Transcript and Presenter's Notes

1
  • The (IdM) Identity Conundrum
  • Strategies in identity management

2
What is identity management?
  • Important delineation
  • Two groups of entities
  • Internal staff
  • Customers, business partners
  • Different challenges, different deliverables, may
    need different solutions

3
What is identity management?
  • Identity management is the ability to define and
    control the security characteristics and
    credentials of many users, on many systems,
    spanning a variety of different roles inside and
    outside the organisation, while accessing content,
    applications and services, in a manner which is
    sensitive to the context of the interaction.

4
What is identity management?
  • So identity is the abstract representation that
    links a real person to their capabilities in an
    IT system
  • The process of identity management requires a
    system which distinguishes a person, defines them
    in terms of their security personas, and
    specifies their access rights within the various
    contexts which characterise their interaction
    with the organisation

5
What is identity management?
  • But isn't that just security administration?
  • True to a degree, BUT
  • Formerly: one person, one account, one system
  • NOW: one person, 20 accounts, 100 systems
  • An example:

6
What is identity management?
  • Example
  • Mid-Size corporation
  • 5,000 staff
  • 220,000 userids
  • 374 security domains
  • With this level of complexity it's not just
    security administration

7
What is identity management?
  • So Identity Management is actually the
    integration of products such as directories,
    single sign-on, security services applications
    and provisioning applications into a unified
    framework for managing user information and
    access.
  • It's about convergence of the multitude of points
    of authentication, authorisation and
    administration to provide a more coherent view
    and management platform for security.

8
  • An architectural view of Identity Management

9
What is identity management?
[Diagram: architectural view of identity management. Labels: Web / Information Portals; Applications; Data bases and files; Operating systems; Identity; Identity store; Authoritative sources; Provisioning; Access policies; Access controls and privileges]

10
Drivers to Identity Management (internal staff)
  • Increasing complexity (servers, operating
    systems, data bases, applications)
  • Increasing administration costs
  • Declining security quality, rising security risk
  • Declining quality of service

11
Drivers to Identity Management (customers)
  • Need to do business regardless of location
  • Need to identify a web customer as the same
    customer using IVR or counter services
  • Customer single web sign-on in complex
    server/database/application environment
  • Need unified authentication for web portals
  • Access rights change with the business context
  • Personalise web content based on identity and
    current activity
  • Interface to CRM applications
  • Delegated administration for business areas,
    partners

12
What value can Identity Management create?
  • Identity Management is the philosophy of a
    centralised security architecture using an
    identity centric approach
  • Single user profile for user identification and
    marketing purposes
  • Stops proliferation of passwords
  • Increased customer and employee satisfaction
  • Faster deployment of new applications
  • Cost reduction through centralised user
    management, user self service and process
    optimisation
  • Link between business processes, workflow and
    technology
  • Centralised point of control for security and
    audit processes.

13
Benefits from Identity Management
  • Cost reduction
  • Decreased maintenance of security on a business
    unit level
  • Staff and customer access available more quickly
  • Internal costs reduced through cross platform
    centralised password management and
    synchronisation
  • External help desk costs reduced by improved
    password management
  • Reduction in development costs for web
    applications: no need to rebuild a bespoke
    security solution for each one

14
Benefits from Identity Management
  • Revenue
  • Move complete value chains to the digital world
  • Provide a mechanism to quickly and efficiently
    migrate users and applications from acquisitions
  • Staff productive more quickly
  • Offer 24/7 self service
  • Competitive advantage, strategic positioning and
    corporate brand/image

15
Benefits from Identity Management
  • Risk reduction
  • Only appropriate users have access
  • Risk of obsolete user accounts reduced
  • Change of position results in change of
    permissions
  • Ability to evaluate regulatory compliance
  • Ability to audit and track user accounts.
  • Ability to automatically lock out users
  • Central point of control for security and audit
    processes.
  • Single view of a user's access

16
  • Competing technologies

17
Competing technologies
  • We now look at security infrastructure solutions.
    ERP and CRM feed into Identity Management, but
    are out of scope for this discussion
  • Custom applications
  • Directory services
  • Web Access Control (aka Extranet Access
    Management)
  • Provisioning

18
Custom applications
  • While not high on most people's agenda, building
    custom applications for IdM is possible and has
    been done
  • Enables very specific requirements to be built in
  • Inherently expensive to build and maintain
  • Requires deep technical skills in some of the
    target platforms, not normally held by developers
  • Usually one-way: does not pick up manual changes
    made directly on the target systems
  • Sits on the critical path for technology upgrades
    (e.g. new versions of operating system or data
    base)
  • Most very large organisations have put in a
    bespoke provisioning application of some sort
  • Example: a large bank built an online access
    control manager 15 years ago
  • Becomes too difficult for a complex technology mix

19
Directory services
  • Directory Services terminology is ambiguous, and
    not used consistently
  • A directory is a specialised data base used for
    repetitive high speed access to relatively static
    data.
  • Directory Services is a blanket term used to
    describe the use of directories to service this
    data to applications. Security credentials are
    frequently provided to applications in this way.
  • Metadirectory is a term used to describe a
    directory which is comprised of data synchronised
    from other directories.
  • It is very important to recognise that many
    people do not understand these concepts, and use
    the term Directory Services or metadirectory
    when they simply mean the desire to use a
    directory instead of a data base.

20
Directory services
  • A directory services solution comprises a set of
    tools and processes
  • A core directory such as Active Directory, Novell
    eDirectory, iPlanet
  • Directory synchronisation tool such as DirXML,
    Sun ONE Meta-Directory, Active Directory
    Connector
  • Connector to ERP or CRM
  • Object and property mapping tools (probably XML)
  • Optionally front-end self service directory
    enabled applications

21
[Diagram: directory services solution. Layers: APPLICATIONS; IDENTITY MANAGEMENT DIRECTORY / IDENTITY STORE; DIRECTORY SYNCHRONISATION SERVICES; DIRECTORIES AND DATABASES (Access, NDS, Sybase, SECA, Oracle, MS-SQL, Notes, DB2, Address Book, NIS, SAM, RACF); OPERATING SYSTEMS (Netware, Solaris, NT, OS/390)]

22
[Diagram: IDENTITY STORE (DIRECTORY) connected through a DIRECTORY SYNCHRONISATION BUS, driven by XML style sheets and synchronisation policies, to several directories, data bases and an ERP system]

23
Directory Services
  • Authentication
  • User profiles can be stored in a manner which can
    be accessed by applications to authenticate the
    user. The term describing it is Directory
    Enabled Application, and the protocol for
    accessing the directory is LDAP.
  • Access control
  • If the directory is the native security mechanism
    for the operating system it controls access to
    resources (e.g. eDirectory on Netware)
  • Otherwise there is no active access control.
    Passive access control can be achieved by
    directory enabling applications
  • Group memberships and custom objects can help
  • CAVEAT! Passive security depends on developers
    implementing security correctly in the
    application.

24
Directory Services
  • Provisioning
  • Directories can be updated as a result of changes
    in other directories, or changes in the HR system
  • Key technique is directory synchronisation using
    products like DirXML
  • Synchronisation tool maps object types and
    properties to their equivalent in the target
    system (e.g. userid → logonid → UID,
    Last Name → Surname → Name)
  • Also allows scripting to achieve non-directory
    functions (e.g. copying files, archiving), or
    scheduling subsequent events
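
The synchronisation step just described, as an added example in Python (not code from the presentation, nor from DirXML or any other product it names): an authoritative HR feed, a property map per target directory in the deck's userid → logonid → UID style, and a reconciliation pass that yields the adds, modifies and deletes each target needs. The feed, the target schemas and the existing domain accounts are constructed sample data; a real connector would read and write them over LDAP or the platform's own API.

```python
"""Directory synchronisation with per-target object and property mapping.

Added example: not code from the presentation or from DirXML or any other
synchronisation product. The HR feed, target schemas and the existing
domain accounts are all constructed sample data.
"""

# Authoritative source: an HR feed (constructed). Status decides whether a
# person should exist in any target at all.
HR_FEED = [
    {"userid": "jsmith", "Last Name": "Smith", "First Name": "Jane",
     "Dept": "Treasury", "Status": "Active"},
    {"userid": "bkhan", "Last Name": "Khan", "First Name": "Bilal",
     "Dept": "Helpdesk", "Status": "Active"},
    {"userid": "tlee", "Last Name": "Lee", "First Name": "Tom",
     "Dept": "Treasury", "Status": "Terminated"},
]

# Property maps, source attribute -> target attribute, one per managed
# directory: the deck's userid -> logonid -> UID and
# Last Name -> Surname -> Name mapping written down.
TARGET_SCHEMAS = {
    "win_domain": {"userid": "logonid", "Last Name": "Surname",
                   "First Name": "GivenName", "Dept": "Department"},
    "unix_nis":   {"userid": "UID", "Last Name": "Name", "Dept": "Group"},
}

# What the Windows domain holds today (constructed): jsmith's department is
# stale, tlee has left, and consultant1 was created by hand with no HR record.
WIN_DOMAIN_NOW = {
    "jsmith": {"logonid": "jsmith", "Surname": "Smith",
               "GivenName": "Jane", "Department": "Finance"},
    "tlee": {"logonid": "tlee", "Surname": "Lee",
             "GivenName": "Tom", "Department": "Treasury"},
    "consultant1": {"logonid": "consultant1", "Surname": "Unknown",
                    "GivenName": "", "Department": "IT"},
}


def map_record(record, property_map):
    """Rename a source record's attributes for one target. Attributes the
    target schema does not list are dropped, so HR-only data never leaks."""
    return {property_map[k]: v for k, v in record.items() if k in property_map}


def plan_sync(source, target_name, target_now):
    """Compute (action, key, attributes) steps that bring the target in line
    with the authoritative source. Only mapped attributes are compared, so a
    target-side attribute outside the map is left alone."""
    pmap = TARGET_SCHEMAS[target_name]
    key_attr = pmap["userid"]
    desired = {}
    for rec in source:
        if rec.get("Status") != "Active":
            continue  # leavers get no desired entry, so their account is deleted
        mapped = map_record(rec, pmap)
        desired[mapped[key_attr]] = mapped

    actions = []
    for key, want in desired.items():
        have = target_now.get(key)
        if have is None:
            actions.append(("add", key, want))
        else:
            changed = {a: v for a, v in want.items() if have.get(a) != v}
            if changed:
                actions.append(("modify", key, changed))
    for key in target_now:
        if key not in desired:
            # No authoritative record: a leaver or a manually created account.
            # Both are the "obsolete account" risk the deck describes.
            actions.append(("delete", key, {}))
    return sorted(actions, key=lambda a: (a[0], a[1]))


def apply_sync(target_now, actions):
    """Apply a plan to a copy of the target and return the result."""
    target = {k: dict(v) for k, v in target_now.items()}
    for action, key, attrs in actions:
        if action == "add":
            target[key] = dict(attrs)
        elif action == "modify":
            target[key].update(attrs)
        elif action == "delete":
            del target[key]
    return target


if __name__ == "__main__":
    for step in plan_sync(HR_FEED, "win_domain", WIN_DOMAIN_NOW):
        print(step)
```

Running the plan a second time against the synchronised target yields no actions, which is the check a practitioner wants before trusting a connector with write access. In practice the "delete" branch is usually configured to disable or quarantine the account first, since a manually created account with no HR record may be a legitimate exception rather than an orphan.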

25
Extranet Access Management
  • Web applications bring new challenges. There are
    numerous data sources, and new resource types not
    protected by traditional processing platforms
  • Native operating system security can't protect
    pages, URLs, objects, methods, applets, servlets
  • Products include Oblix, IBM Tivoli Access Manager,
    RSA ClearTrust, Netegrity SiteMinder. Many more.
  • Provides a callable security service with support
    for new resource types, and custom objects
  • Primarily for browser applications, but some can
    be called by traditional applications
  • Particularly relevant for Java JAAS and J2EE
  • EAMs often use a directory as their identity store

26
[Diagram: extranet access management components: Browser; Web server; Security service; Identity store; Application server; Data base; Operating systems]
27
[Diagram: extranet access management with several web servers sharing one Security service, backed by a Privilege store and an Identity store, in front of several data bases]
28
Extranet access manager
  • Authentication
  • User profiles and passwords are stored in the
    EAM's identity store and accessed via the EAM's
    API. Typically an encrypted cookie is created to
    provide single sign-on during the period of
    interaction.
  • Access control
  • Many different ways to store permissions
  • Typically defined by group membership
  • Can be a simple ACL for a resource
  • Some products allow business logic to be included
    in the security credentials (e.g. allow access if
    account balance > 100,000)
  • Some products have active security for certain
    resource types (e.g. page, method). Passive
    access control always possible by calling
    security from the application. Can be called from
    legacy apps.
  • Group memberships and custom objects can help
  • CAVEAT! Passive security depends on developers
    implementing security correctly in the
    application.
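
An added example, not code from the deck or from any of the EAM products it names: a single sign-on cookie issued once the user has authenticated and checked on every request, plus a resource-level authorisation step that combines group membership ACLs with a business-logic rule of the kind just described (allow access if account balance > 100,000). The server key, identity store and privilege store are constructed. The cookie here is signed rather than encrypted, which is enough to show the forgery and expiry checks; the CAVEAT above applies unchanged: the web-server check in handle_request is the active control for URLs, and any method the application exposes by another route is only protected if the application itself calls is_authorized.

```python
"""Extranet-access-manager style security service: a signed single-sign-on
cookie plus resource-level access control with group ACLs and a business rule.

Added example, not code from the presentation or from any of the products it
names. The server key, identity store, privilege store and balance rule are
constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: one secret shared by every web server that must honour the
# cookie. A real EAM would also encrypt the cookie; signing alone is enough
# to stop a browser forging or altering the session.
SERVER_KEY = b"constructed-demo-key-not-for-production"
SESSION_TTL = 900  # seconds

# Identity store (constructed): group memberships plus a profile attribute
# that a business-logic rule can evaluate.
IDENTITY_STORE = {
    "alice": {"groups": {"customers", "premium"}, "balance": 250_000},
    "bob":   {"groups": {"customers"}, "balance": 4_000},
    "carol": {"groups": {"customers", "premium"}, "balance": 50_000},
}

# Privilege store (constructed): URL prefix -> (groups allowed, optional rule).
# The rule is the deck's "allow access if account balance > 100,000".
PRIVILEGE_STORE = {
    "/account/": ({"customers"}, None),
    "/wealth/":  ({"premium"}, lambda profile: profile["balance"] > 100_000),
}


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_cookie(user: str, now: int) -> str:
    """Create the SSO cookie after authentication: <body>.<signature>."""
    claims = {"sub": user, "iat": now, "exp": now + SESSION_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def verify_cookie(cookie: str, now: int):
    """Return the user the cookie names, or None if forged, altered or expired."""
    parts = cookie.encode().split(b".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(SERVER_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= claims.get("exp", 0) or claims.get("sub") not in IDENTITY_STORE:
        return None
    return claims["sub"]


def is_authorized(user: str, url: str) -> bool:
    """Resource-level check: the longest matching URL prefix wins, and a
    resource with no policy at all is denied, never allowed."""
    profile = IDENTITY_STORE[user]
    matches = [p for p in PRIVILEGE_STORE if url.startswith(p)]
    if not matches:
        return False
    groups, rule = PRIVILEGE_STORE[max(matches, key=len)]
    if not groups & profile["groups"]:
        return False
    return rule is None or rule(profile)


def handle_request(cookie: str, url: str, now: int) -> int:
    """The active check the web-server plug-in makes for every URL.
    Returns an HTTP status: 401 (no valid session), 403 (denied) or 200."""
    user = verify_cookie(cookie, now)
    if user is None:
        return 401
    return 200 if is_authorized(user, url) else 403


if __name__ == "__main__":
    t0 = int(time.time())
    for name in IDENTITY_STORE:
        print(name, handle_request(issue_cookie(name, t0), "/wealth/portfolio", t0))
```

Note that carol is in the premium group and still gets 403: the business-logic rule is evaluated against her profile at request time, so a change in the identity store takes effect without reissuing the cookie, which is exactly what the cookie must not carry.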

29
Extranet access manager
  • Provisioning
  • Not typically used as a provisioning service.
    However, can be linked to CRM feed for automatic
    account creation
  • Some provisioning products can link into some
    EAMs (must be purpose written interface)
  • Provisioning can be direct to the
    identity/privilege stores via, say, LDAP

30
Security provisioning
  • Proliferation of servers, accounts and passwords
    is making traditional security administration
    practices ineffective. There are pure-play
    provisioning products on the market
  • New users may need 10 or more accounts provided
    by several different administrators
  • Great scope for error (wrong access) and delay
  • Security administration costs rising because
    growing infrastructure complexity dramatically
    increases the number of security admin tasks
  • Provisioning products automate standard security
    tasks so they can be carried out without a
    security administrator's intervention
  • Examples include BMC Control-SA, Access360 (now
    IBM Tivoli Identity Manager), Waveset Provisioning
    Manager, CA eTrust, and others

31
Access policies
Portals
Applications
Identity store
Provisioning
Access controls and privileges
Data bases and files
Identity
Authoritative sources
Operating systems
32
[Diagram: MANAGED SYSTEMS]
33
Provisioning
  • Authentication
  • NOT an interactive security manager
  • Provisioning solutions play no direct role in
    authentication
  • Can facilitate password synchronisation
  • Access control
  • NOT an interactive security manager
  • Puts access control settings in place to
    facilitate access to target
  • Can perform complex tasks with some intelligent
    rule processing facilitated by scripting
  • Can implement role based access control, so
    complex combinations of access can be assigned to
    a user based on their position, or specified
    function within work place (e.g. teller, help
    desk)

34
Provisioning
  • Provisioning
  • Replicates local security credentials in a
    central repository
  • Changes to the repository are executed in the
    managed domain
  • Changes made in managed domain also applied to
    repository
  • Every person added to the role will get correct
    access
  • Deleting the central entity deletes all
    associated accounts
  • Needs workflow to achieve maximum gains and
    include online authorisation of requests
  • Not a panacea
  • Expect to automate 30-50% of access types
  • However, only limited by your commitment and
    resources
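
The role-based provisioning described on this slide and the previous one, as an added example in Python (not the deck's code and not any product's). It resolves an entity's functional roles through access roles to per-system permissions, reconciles each managed system on joiner, mover and leaver events, replicates a change seen in the managed domain back into the repository, and reports accounts with no central entity behind them. The roles, managed systems and people are constructed; the actions it returns are what a connector would execute against each target.

```python
"""Role-based provisioning over several managed systems.

Added example, not code from the deck or from any provisioning product
(Control-SA, Waveset, eTrust ...). The two role layers, the people and the
managed systems are all constructed for the example.
"""

# Functional (business) roles -> access roles.
FUNCTIONAL_ROLES = {
    "teller":   {"branch_user", "core_banking_user"},
    "helpdesk": {"branch_user", "ad_password_reset"},
}

# Access roles -> (managed system, permission) pairs.
ACCESS_ROLES = {
    "branch_user":       {("win_domain", "login"), ("email", "mailbox")},
    "core_banking_user": {("os390", "TSO"), ("os390", "CICS.TELLER")},
    "ad_password_reset": {("win_domain", "login"), ("win_domain", "reset_passwords")},
}


def resolve_permissions(functional_roles):
    """Entity -> functional roles -> access roles -> permissions per system."""
    per_system = {}
    for fr in functional_roles:
        for ar in FUNCTIONAL_ROLES[fr]:
            for system, perm in ACCESS_ROLES[ar]:
                per_system.setdefault(system, set()).add(perm)
    return per_system


class ProvisioningRepository:
    """Central repository: who exists, which roles they hold, and a replica
    of the credentials that exist on each managed system."""

    def __init__(self):
        self.entities = {}   # person -> set of functional roles
        self.managed = {}    # (system, account) -> set of permissions

    def set_roles(self, person, roles):
        """Joiner or mover: recompute the whole entitlement set and reconcile."""
        self.entities[person] = set(roles)
        return self.reconcile(person)

    def remove_entity(self, person):
        """Leaver: deleting the central entity deletes every associated account."""
        self.entities.pop(person, None)
        return self.reconcile(person)

    def import_account(self, system, account, perms):
        """A change seen in the managed domain (e.g. an account created locally)
        is replicated back into the repository."""
        self.managed[(system, account)] = set(perms)

    def reconcile(self, person):
        """Issue the create/grant/revoke/delete actions that make each managed
        system match the person's roles. Returns the actions in system order."""
        want_all = resolve_permissions(self.entities.get(person, set()))
        systems = set(want_all) | {s for s, acct in self.managed if acct == person}
        actions = []
        for system in sorted(systems):
            key = (system, person)
            have = self.managed.get(key, set())
            want = want_all.get(system, set())
            if not want:
                actions.append(("delete_account", system, person))
                self.managed.pop(key, None)
                continue
            if key not in self.managed:
                actions.append(("create_account", system, person))
            actions += [("grant", system, f"{person}:{p}") for p in sorted(want - have)]
            actions += [("revoke", system, f"{person}:{p}") for p in sorted(have - want)]
            self.managed[key] = set(want)
        return actions

    def orphan_accounts(self):
        """Accounts on managed systems with no central entity behind them:
        the obsolete-account risk an audit should surface."""
        return sorted((s, a) for s, a in self.managed if a not in self.entities)


if __name__ == "__main__":
    repo = ProvisioningRepository()
    print(repo.set_roles("jane", ["teller"]))      # joiner
    print(repo.set_roles("jane", ["helpdesk"]))    # mover
    print(repo.remove_entity("jane"))              # leaver
    repo.import_account("os390", "tmp_admin", {"TSO"})
    print(repo.orphan_accounts())
```

The mover case is where this earns its keep: changing jane from teller to helpdesk deletes her OS/390 account and grants only the one new Windows permission, because reconciliation always works from the full desired set rather than from the request that triggered it. The workflow and approval step the slide calls for would sit in front of set_roles and remove_entity.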

35
   
[Diagram: role model. Entity; Functional roles; Access roles; Permissions. Labels: CSO, eProvisioning]