Tivoli LIVE -- Identity Management
Hursley Park – 15th June 2006

Casey Plunkett, Director, WW Sales, Tivoli Security

© 2006 IBM Corporation


Page 2:

IBM IT Service Management

© 2006 IBM Corporation, 2006 ITSM Partner Summit

Agenda

Identity Management Drivers

Tivoli Identity Management Overview

Deployment Proof Points

Analysts’ Perspective

Page 3:

Key processes in IT Security Management

The activities and processes associated with IT Security Management can be summarized into four patterns that will remain current as technology changes.

Establish Trust and Compliance: Gather business compliance information; Evaluate business compliance; Report; Create Security Controls & Compliance criteria

Protect Systems: Build and Deploy software packages; Verify install images and request changes; Request Updated install images; Learn about vulnerabilities

Manage Threats: Gather and analyze security related events and symptoms; Correlate events and Initiate Response; Report

Manage Users: Apply business security controls; Apply resource security controls; Gather security control information

[Diagram labels, tools and experts for each of: Windows; Internet; Application; Unix; Database; Integration; Linux; Mainframe; Network; Storage]

Process / Service view of IT Security Management: Access Management; Privacy Management; Identity Management; Security Controls Definition; Security Compliance; Business Risk Management; Incident Management; Threat Management; Security Event Management; Vulnerability Management; Security Configuration; Security Patch Management

Page 4:

Increased Collaboration

Eco-system integration improves market agility but brings with it increased risk costs in complexity, administration and vulnerability.

[Diagram labels: Collaboration; Trust; Cost & complexity of Threats and Administration]

1. Isolated Operations

2. Select ‘Trusted Partners’

3. Value Chain Visibility

4. Industry-Centric Value Web

5. Cross-Industry Value Coalition

Legend: Core Business; Subsidiary/JV; Customer; Partner/Channel; Supplier/Outsourcer

Page 5:

Product Life Cycle Management

Phase I, Ideation: Identify new product ideas

Phase II, Definition/Feasibility: Define concepts based on new product ideas

Phase III, Development: Fully develop product/packaging manufacturing process and business plan

Phase IV, Launch: Produce and ship product into marketplace

Phase V, Post Launch: Assess product, team and process performance

The “sweet spot” occurs when process design, organization/performance management and enabling technologies are integrated and optimized across this value chain

Key Stakeholders in the PLM Process: R&D; Packaging and Design Graphics; Marketing; Operations and Production; Finance; Engineering; Brand Management; Sales Management; Public Relations/Ads; Legal

Page 6:

PLM (Summary) Reference Architecture

[Architecture diagram. Component labels: Adapter Registry; Adapter Instances; Adapter Instance Store; Adapter Manager (run-time and monitor); Resources and Relationships (RDF store); Workflows; Workflow Manager; Event Registry; Event Dispatcher; Event Log; Knowledge Manager; Inference Rules; Inference Engine; Presentation Manager; View Generator; Content Manager; Admin Console; WPS portlets; Log; Document Repository; CAD; Team (QuickPlace, Sametime); Project Schedule; Bill of Materials; PDM; Mktg/Adv.]

Key Needs:

• ESSO

• Provisioning

• Directory Integ.

• Access Control

• Root Control

Page 7:

Can You Answer the following Questions Across Your Core Business Processes?

1. WHO can use our IT systems?

2. WHAT can these people do on our IT systems?

3. Can I easily PROVE to the auditor what these people did?

Tivoli’s Identity and Access Management products automate these internal controls

Page 8:

Identity Management Challenges/Opportunities…

How much am I spending on routine password resets? 3-4 times per year, per user and a £14 average cost per call

How long does it take to make new employees/contractors productive? Up to 12 days per user to create and service accounts

How many of my former employees/contractors still have access to sensitive data? 30-60% of accounts are orphans (potential security exposure)

How confident are we that only the right people have access to our Enterprise data? 70% of fraud cases involving customer data are related to an insider attack

How much time is spent on Account Management by User Community? 10-20% of the LoB community typically provides Account Management

How long does it take to pull together reports for an audit? Can take weeks and some companies have designated FTEs for this purpose

Page 9:

IBM’s Integrated Identity Management Portfolio

Componentized Strategy

[Diagram labels: Users & Applications; Security Compliance Manager; Identity Manager; Access Manager; Privacy Manager; Federated Identity Manager; Directory Server; Directory Integrator; NeuSecure]

Page 10:

Tivoli Identity Manager

[Diagram labels: Identity change requested; Identity Stores; HR Systems; Approvals gathered; Access policy evaluated; Accounts updated; Detect and correct local privilege settings; Databases; Operating Systems; Applications]

Identity Manager provisions accounts

Access Manager provides runtime enforcement

Integrated:

Automated provisioning/de-provisioning from an authoritative source.

Workflow for provisioning requests.

Additional user self-service options for password reset, registration etc.

Single sign-on for Identity and Access combined administration.

Page 11:

ITIM Express 4.6

Request-based provisioning with approval workflow

User self-care and password management

Intuitive GUI

Recertification of user access rights

Installed/Bundled adapters

Out-of-the-box reporting

Email notification

HR Feeds

Account reconciliation

Page 12:

Complete Single Sign-on Management

[Diagram labels: Access Control; login prompt “Please enter your ID and password” (ID, Password, Login); Flexible Authentication (SECURID token); User; Digital Identity Services; eMail; Enterprise; Mainframe; eHR; Claims; Federated; Web; eExpenses; Portal; iBanking]

Page 13:

Tivoli Access Manager Family

Tivoli Access Manager for e-business (TAMeB)

– Web SSO, Centralized Authentication/Authorization/Audit

Tivoli Access Manager for Enterprise Sign-On (TAMES-ESSO)

– Enterprise (or Host) SSO

Tivoli Federated Identity Manager

– Federated SSO, Trust Mgmt/Brokering, Web Services Security Mgmt, Cross-Enterprise Identity Mapping

Tivoli Access Manager for Business Integration (TAMBI)

– WMQ-based Access Control, Data Integrity and Confidentiality

Tivoli Access Manager for Operating Systems (TAMOS)

– Locking down Root in UNIX and LINUX

Page 14:

Tivoli XML Gateway Integration

Case in point:

Securely implement web services, secure once for many applications, aggregate user interactions and adhere to strong security protection and verification

Solution:

Helps protect SOA implementations, addressing XML threats with fine-grain access control. Integrates with Tivoli Security for enterprise SOA deployments and centralized security policy management

[Diagram labels: XS40 XML Security Gateway; Policy-driven security gateway for web services; Identity, Security and Directory Services; Centralized Security Policy Management; Data Repository; Enterprise Directory; Suppliers; Partners; Users; Liberty; SAML; WS-Federation]

Page 15:

Security Compliance Management

[Diagram labels: IT Environment (Operating Systems; Applications; Workstations; Databases); IT security; CxO; Users]

Business issues: regulations, standards

IT concerns: Slammer, MSBlaster, OS patches, password violations

Checking systems and applications

– For vulnerabilities and identifies violations against security policies

Key benefits:

– Helps to secure corporate data and integrity

– Identifies software security vulnerabilities

– Decreases IT costs through automation, centralization, and separation of duties

– Assists in complying with legislative and governmental standards

Page 16:

Vendor integration for faster time-to-value

Integration factory

Desktop SSO: ActivCard ActivClient; Microsoft Kerberos (SPNEGO); Microsoft NTLM

Directory sync & virtualization: Aelita Ent. Directory Manager; IBM Tivoli Directory Integrator; OctetString Virtual Directory; Radiant Logic

Encryption, SSL & VPN: Aventail EX-1500; Eracom ProtectServer Orange; IBM 4758; IBM 4960; Ingrian Secure Transaction Appliance; nCipher nForce; Neoteris IVE

Integration and Consulting: 3000 trained personnel across Business Partners worldwide

Messaging security: IBM WebSphere BI Message Broker; IBM WebSphere BI Event Broker; IBM WebSphere MQ

Web Server Plug-in: Apache; IBM HTTP Server; IBM WebSphere Edge Server; Microsoft IIS; Sun ONE Web Server

Web Application Server: BEA WebLogic Server; IBM WebSphere App. Server; (Any J2EE Platform); Microsoft .NET

Web Portal Server: BEA WebLogic Portal (SSO); IBM WebSphere Portal; Plumtree Portal*; Sun ONE Portal Server (SSO)

XML and Web Services: DataPower; Digital Evolution / SOA Software; Forum Systems; Layer 7 SecureSpan Gateway; Reactivity XML Firewall; VordelSecure

Application Single Sign-On: Adexa collaboration products (9); Blockade ESconnect; Broadvision One to One; Cash-U Pecan; Centric Product Innovation (3); Citrix Metaframe / Nfuse XP; Documentum Content Server/Webtop; Documentum eRoom; IBM Content Manager; IBM Host on Demand; IBM Host Publisher; IBM Lotus Domino; IBM Lotus iNotes; IBM Lotus Quickplace; IBM Lotus Sametime; IBM Lotus Team Workplace; Intelliden R-Series; Interwoven TeamSite; Kana Platform; Kintana Suite (Mercury Interactive); Microsoft Exchange (OWA); Microsoft SharePoint Portal/Services; OpenConnect WebConnect; Oracle Application server; PeopleSoft Enterprise Application; PeopleSoft Enterprise PeopleTools; Rocksteady Rocknet; SAP Enterprise Portal; SAP Internet Transaction Server; Secur-IT C-Man; Secur-IT D-Man; Siebel; Sourcefire ISM; Sun Calendar Server*; Sun Messenger Server*; Vasco Digipass (via C-Man)

Platform & Traffic Mgmt.: Crossbeam Security Svcs. Switch; F5 Networks BIG IP; Sanctum AppShield

Strong Authentication: ActivCard; Aladdin Knowledge Systems; Daon Engine (Biometrics); Entrust TruePass; VeriSign

UNIX Deployment Lockdown: HP-UX; IBM AIX; IBM DB2; IBM HTTP Server; IBM WebSphere App. Server; Oracle DB; Red Hat Linux; Sun Solaris; SuSE Linux

User repository: CA eTrust Directory; IBM Tivoli Directory Server; Microsoft Active Directory; Novell eDirectory; Siemens Nixdorf DirX Directory; Sun ONE Directory Server; Vasco Digipass

* By request

Page 17:

Tivoli Identity Management Proof Points…

on demand Solution:

– Automate user provisioning, discovery and correction of invalid access

Case Studies:

Saves $500k/year in HR Enrollment process for 20k employees

Products:

– IBM Tivoli Identity Manager (TIM)

Up to 40% of user access is invalid – IT must spend weeks manually provisioning and auditing user access to business systems

1 week...

3 weeks…

…to 10 minutes

…to 20 minutes and provisioning costs cut 93%

Page 18:

Tivoli Identity Management Proof Points…

on demand Solution:

– Automate user provisioning, discovery and correction of invalid access

Case Studies:

Deployed Provisioning for 9,000 employees across 80 endpoints, 6 countries and 20 roles within 90 days

5 days to implement Provisioning (TIM Express) across 2,500 users

Products:

– IBM Tivoli Identity Manager (TIM) or TIM Express, IDI and TAMeB

Up to 40% of user access is invalid – IT must spend weeks manually provisioning and auditing user access to business systems

Page 19:

Tivoli Identity Management Proof Points…

on demand Solution:

– Single sign-on and self-service for password resets

Case Studies:

Most successful IT project in 25 years – cost justified in 8 months

Orange projects savings of millions of Euros annually (4M Secure SOA users)

Product:

– IBM Tivoli Access Manager for Enterprise Single Sign-On

– SOA: IBM Tivoli Federated Identity Manager

Up to 50% of help desk calls are for password resets – Every call incurs 14 in IT costs

Page 20:

Process: Obtain a list of orphan accounts and determine validity

Compliance and Audit Issue: Link all user accounts to an identity

Business Process Inefficiency: Manual processes, custom scripts

IBM on demand Approach: Automated reconciliation

Proof Point: Wall Street Example

Identity Manager

[Diagram: Tivoli Identity Manager. Labels: Identity change requested; Identity Stores; HR Systems; Approvals gathered; Access policy evaluated; Accounts updated; Detect and correct local privilege settings; Databases; Operating Systems; Applications]

Identify Orphan Accounts

Business Process: User Validation

Page 21:

Process: Implement rules for application access consistently

Compliance and Audit Issue: Consistent policy implementation

Business Process Inefficiency: Up to 30% of development costs for security infrastructure. Too many passwords to remember.

IBM on demand Approach: Centralized Application Access Control and SSO across applications.

Proof Point: T. Rowe Price – $13.5M reduction in development costs

Access Manager

Business Process: New Business Initiative

Page 22:

Tivoli Identity Management -- Facts of Interest

>1,500 Access Management customers

>500 Provisioning customers

~20% of IdM customers are small & medium businesses

>3,000 professionals trained and certified to deploy IBM Identity Management solutions worldwide

Page 23:

Tivoli Identity Management -- Facts of Interest

IBM Tivoli Security software is used by:

• 15 of the top 20 commercial Banks worldwide

• 6 top Healthcare companies worldwide

• 4 of the top 5 Telecommunications companies worldwide

• 6 of the top 10 Aerospace and Defense companies worldwide

• 7 of the top 10 Computer and Data Services companies worldwide

Page 24:

IBM Identity Management Solutions Continue to be Recognized for Leadership

2006 Provisioning Leadership Position – Gartner Magic Quadrant

2005 #1 Provisioning Vendor, Gartner Vendor Selection Tool

2005 Frost & Sullivan Global Market Leadership Award for Identity Management

2005 Frost & Sullivan Market Leader designation for Access Management

2005 #1 Provisioning and Web SSO Vendor, IDC

2005 Web Services Leadership Position, Gartner Magic Quadrant

2004 SYS-CON Best Web Services Security Solution Award

Page 25:

Analyst View: Identity and Access Management Market Share (IDC)

Source: IDC, Worldwide [IAM] Market Forecast 2005-2009, Market Share for Web SSO and User Provisioning in 2004

IBM Tivoli: 35%

CA: 34%

Oracle: 7%

Novell: 7%

BMC: 5%

Sun: 4%

HP: 4%

RSA: 3%

Microsoft: 1%

Page 26:

Frost & Sullivan – Provisioning Market Share – Feb 2006

Page 27:

Frost & Sullivan – Web Access share – Feb 2006

Page 28:

Gartner – Web Services Magic Quadrant
