Identity and Access Management 101
IDENTITY AND ACCESS MANAGEMENT 101
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
Agenda
• The Good, The Bad, & The Ugly
• Terminology
• Employee Lifecycle
• Step-by-Step
• Looking Ahead
• Resources
The Good, The Bad, & The Ugly
• Good
– Saves time
– Improves accuracy and consistency
• Bad
– RIDICULOUSLY complex
– Never enough money/resources
• Ugly
– When everything works, you’ll be the hero
– If (when) something breaks, you’ll wish you’d saved up more sick days
How Many Acronyms Does It Take…
• IdM = Identity Management
– Manage the accounts
• FIdM = Federated Identity Management
– Manage identity across autonomous domains
• IAM = Identity & Access Management
– Manage what the accounts can access
More Alphabet Soup
• LDAP – Lightweight Directory Access Protocol
• RBAC – Role Based Access Control
• SSO – Single Sign-On
• Federation
– SAML, SAML 2.0, WS-Federation, Liberty Alliance
Provisioning & Deprovisioning
• Provisioning
– IT giveth…
• Deprovisioning
– … and IT taketh away
• You need to track everything you provision if you ever expect to deprovision it.
– Computers, phones, badges, app access, software licenses, etc.
• Your auditors will LOVE you for this!
3-Phase Employee Lifecycle
• #1 – Hire
– Autoprovision birthright entitlements, based on role (bear with me…)
• #2 – Transition
– New access replaces old access, right?
• #3 – Termination
– Deprovision, stat!
• #4 – Other?
– On Leave (medical, sabbatical, etc.)
– Terminated with Access
Step One: The Sit-Down
• Meet with HR
– HR system is the system of record
– Workforce members = employees + non-employees (decision time!)
• Discuss roles
– Dazzle them with your knowledge of RBAC
– Remember that employee lifecycle slide?
• How will you determine birthright access?
– Department + Job Code
– Step back, take a look at current employees, and execute the smell test
• Identify the processes you want to automate
– Notification of hire/change/termination
– Account creation/deletion (in connected systems, NOT system of record)
– Access modification
– Internal expenses (e.g., mobile devices)
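The lifecycle slide and the sit-down checklist above describe one pipeline: HR is the system of record, birthright entitlements are derived from department plus job code, and every hire, transition, leave and termination should surface as a difference between what HR says and what the connected systems actually hold. The Python below is an added example, not code from the deck or from any product it lists; the role table, entitlement names, status codes, exception list and sample records are all constructed for illustration.

```python
"""Birthright provisioning reconciled against the HR system of record.

Added example, not code from the original deck or any product it lists.
The role table, entitlement names, status codes and sample records are
all constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed role table: (department, job code) -> birthright entitlements.
# In practice build it by looking at what current employees in each role
# actually hold, then applying the smell test.
BIRTHRIGHT = {
    ("FIN", "AP-CLERK"): {"erp-ap-entry"},
    ("FIN", "AP-MGR"): {"erp-ap-approve"},
    ("ENG", "SWE"): {"vcs-dev"},
}
BASELINE = {"ad-user", "email"}   # every active workforce member gets these


@dataclass
class HRRecord:
    emp_id: str
    department: str
    job_code: str
    status: str   # constructed codes: "active", "leave", "terminated"


@dataclass
class Account:
    """What a connected system (AD, LDAP, an app) currently holds for an identity."""
    enabled: bool = True
    entitlements: set = field(default_factory=set)


def desired_access(rec, exceptions):
    """Birthright by role plus any approved, tracked exception. A terminated
    record gets nothing, so an exception never outlives the employment."""
    if rec.status == "terminated":
        return set()
    want = BASELINE | BIRTHRIGHT.get((rec.department, rec.job_code), set())
    return want | exceptions.get(rec.emp_id, set())


def reconcile(hr_feed, accounts, exceptions=None):
    """Diff the HR feed against connected-system accounts and return the
    actions a connector would execute, as (emp_id, verb, entitlement)."""
    exceptions = exceptions or {}
    hr_by_id = {r.emp_id: r for r in hr_feed}
    actions = []
    for emp_id in sorted(set(hr_by_id) | set(accounts)):
        rec, acct = hr_by_id.get(emp_id), accounts.get(emp_id)
        if rec is None:
            # "Terminated with access": nobody in HR owns this account.
            # Don't guess an owner; disable it and hand it to a human.
            actions.append((emp_id, "FLAG_ORPHAN", ""))
            if acct.enabled:
                actions.append((emp_id, "DISABLE", ""))
            continue
        if rec.status == "leave":
            # Keep entitlements for the return, but no logins meanwhile.
            if acct is not None and acct.enabled:
                actions.append((emp_id, "DISABLE", ""))
            continue
        want = desired_access(rec, exceptions)
        if acct is None:
            if not want:
                continue          # terminated before ever being provisioned
            actions.append((emp_id, "CREATE", ""))   # hire
            acct = Account()
        if rec.status == "terminated" and acct.enabled:
            actions.append((emp_id, "DISABLE", ""))
        elif rec.status == "active" and not acct.enabled:
            actions.append((emp_id, "ENABLE", ""))   # back from leave
        # Transition: new access replaces old access, by construction.
        for ent in sorted(want - acct.entitlements):
            actions.append((emp_id, "GRANT", ent))
        for ent in sorted(acct.entitlements - want):
            actions.append((emp_id, "REVOKE", ent))
    return actions


# Constructed sample: a hire, a promotion, a return from leave, a departure,
# someone going on leave, and an account HR has never heard of.
HR_FEED = [
    HRRecord("e100", "FIN", "AP-CLERK", "active"),
    HRRecord("e101", "FIN", "AP-MGR", "active"),      # was AP-CLERK last month
    HRRecord("e102", "ENG", "SWE", "active"),         # back from leave
    HRRecord("e103", "ENG", "SWE", "terminated"),
    HRRecord("e104", "ENG", "SWE", "leave"),
]
ACCOUNTS = {
    "e101": Account(True, {"ad-user", "email", "erp-ap-entry"}),
    "e102": Account(False, {"ad-user", "email", "vcs-dev", "vcs-admin"}),
    "e103": Account(True, {"ad-user", "email", "vcs-dev"}),
    "e104": Account(True, {"ad-user", "email", "vcs-dev"}),
    "svc-legacy": Account(True, {"ad-user"}),
}
EXCEPTIONS = {"e102": {"vcs-admin"}}   # approved outside the role model, tracked

if __name__ == "__main__":
    for action in reconcile(HR_FEED, ACCOUNTS, EXCEPTIONS):
        print(*action)
```

Running it prints the action list a connector would execute. Two design points worth noticing: an account with no HR record is disabled and flagged rather than silently deleted, because deleting destroys the evidence an auditor will want; and an approved exception survives a role transition but not a termination, which is the behaviour an RBAC exception list needs if the "terminated with access" case is ever to go away.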
Step Two: The Data Must Flow
• Identify integration points
– Authentication Stores
• LDAP Directories
• Local Databases
– Commercial Apps
– Homegrown Apps
• Internal vs. External
– Fewest authentication/authorization (authN/authZ) stores possible
– External = federation
• How are changes initiated?
– Transactional vs. batch
• Conceptual diagram of your IAM infrastructure
http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634
Step Three: Integrate
• Define integration requirements
– PMO FTW!
• Take a technical inventory
– What do you have?
– What do you need?
– What can you get rid of?
• Start eating the elephant
– HR -> Identity Store
– Identity Store -> Active Directory
– Identity Store -> [other LDAP directory]
– Identity Store -> [email]
– Identity Store -> [that one app that everyone in the company uses]
http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html
Intermission: Let’s Talk Tech
• Components
– Identity Store / Vault / Repository (not the system of record)
– LDAP Directory
– Entitlements Manager
– Web Access Manager (+ Certificate Manager)
– Password Manager
Vendors
• CA Identity Manager
• IBM / Tivoli Identity Manager
• Microsoft Forefront Identity Manager
• Novell Identity Manager
• Oracle Identity Manager / Sun LDAP
• RSA / Courion
– RSA = Access Manager & FIdM
– Courion = Provisioning & Passwords
Open Source
• OpenIAM
• OpenDS Directory Server
• OpenSSO
• Shibboleth (SSO)
• Gluu
Pictures, or It Didn’t Happen
[Architecture diagram; only the component labels survive: System of Record, Identity Provider, LDAP Server, User-Facing Apps, Other LDAP, Databases, Password Manager, Web Access Manager, Entitlements Manager]
Step Four: Communication
• Document the $#!% out of your IAM infrastructure
– Every single integration point
– Link the tech to business processes
• Review documentation with…
– Human Resources
– LAN Support
– System Owners
– Application Developers
– Production / Change Control
– IT Leadership
• Link IAM systems to Change Control system
– Notification of ANY and ALL changes
– Want to break IAM? Change a connected system without testing integration points!
Step Five: Audit
• Trust, but verify
• Things to audit
– Segregation of duties
– Access changes (esp. administrative & sensitive data)
– Accounts for terminated users (reconcile with HR)
– Share access
• Security Information and Event Management (SIEM)
– Failed login attempts
– Attempts to access restricted data
– Privilege changes / escalation
• Automate your auditing toolset
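To make the audit list concrete, here is an added Python example (not from the deck or any product it names) that runs a segregation-of-duties check over an entitlement snapshot and then three SIEM-style detections over a handful of constructed log lines: failed-login bursts, denied access to restricted data paths, and membership changes to privileged groups, with a self-granted change flagged as escalation. The SoD rule pairs, group names, path prefixes, log format, field names and all sample data are assumptions made for the example.

```python
"""Audit checks: segregation of duties over an entitlement snapshot, plus
SIEM-style detections over log lines.

Added example, not code from the original deck. The SoD rules, privileged
group names, restricted prefixes, log format and sample data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SoD rules: pairs of entitlements one person must not hold together.
SOD_RULES = [
    ("erp-ap-entry", "erp-ap-approve"),       # enter an invoice and approve it
    ("erp-vendor-create", "erp-ap-approve"),  # create a vendor and pay it
    ("vcs-dev", "prod-deploy"),               # write code and ship it unreviewed
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "erp-admins"}
RESTRICTED_PREFIXES = ("/finance/", "/hr/")


def sod_violations(entitlements):
    """entitlements: {user: set(...)} -> sorted list of (user, a, b) conflicts."""
    found = []
    for user, ents in sorted(entitlements.items()):
        for a, b in SOD_RULES:
            if a in ents and b in ents:
                found.append((user, a, b))
    return found


# Constructed syslog-style format: "<ts> <host> <kind>: key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
              "host": m["host"], "kind": m["kind"]}
        for key, val in KV_RE.findall(m["rest"]):
            ev[key] = val.strip('"')
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Users with >= threshold failed logins inside one sliding window.
    Returns (user, count, window_start) for the first window that trips."""
    fails = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth" and ev.get("result") == "FAIL":
            fails[ev["user"]].append(ev["ts"])
    alerts = []
    for user, times in sorted(fails.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1, times[start]))
                break
    return alerts


def privilege_changes(events):
    """Membership adds to privileged groups. An actor adding themself is
    escalation; every other add still goes to review."""
    out = []
    for ev in events:
        if (ev["kind"] == "group" and ev.get("action") == "ADD_MEMBER"
                and ev.get("group") in PRIVILEGED_GROUPS):
            sev = "ESCALATION" if ev.get("actor") == ev.get("member") else "REVIEW"
            out.append((sev, ev["member"], ev["group"], ev["actor"]))
    return out


def restricted_access_attempts(events):
    """Denied access attempts against restricted data paths."""
    return [(ev["user"], ev["path"]) for ev in events
            if ev["kind"] == "acl" and ev.get("result") == "DENIED"
            and ev.get("path", "").startswith(RESTRICTED_PREFIXES)]


# Constructed sample data.
ENTITLEMENTS = {
    "jsmith": {"ad-user", "email", "erp-ap-entry", "erp-ap-approve"},
    "rlee": {"ad-user", "email", "vcs-dev"},
    "tnguyen": {"ad-user", "email", "vcs-dev", "prod-deploy"},
}
LOG_LINES = """\
2012-03-05T08:01:10Z dc01 auth: result=FAIL user=jsmith src=10.1.4.22
2012-03-05T08:01:12Z dc01 auth: result=FAIL user=jsmith src=10.1.4.22
2012-03-05T08:01:15Z dc01 auth: result=FAIL user=jsmith src=10.1.4.22
2012-03-05T08:01:17Z dc01 auth: result=FAIL user=tnguyen src=10.1.9.8
2012-03-05T08:01:19Z dc01 auth: result=FAIL user=jsmith src=10.1.4.22
2012-03-05T08:01:22Z dc01 auth: result=FAIL user=jsmith src=10.1.4.22
2012-03-05T08:01:30Z dc01 auth: result=OK user=jsmith src=10.1.4.22
2012-03-05T08:30:00Z dc01 group: action=ADD_MEMBER group="Domain Admins" member=jsmith actor=jsmith
2012-03-05T08:31:00Z dc01 group: action=ADD_MEMBER group="Domain Admins" member=rlee actor=admin_bob
2012-03-05T09:00:00Z fs01 acl: user=tnguyen path=/finance/payroll/2012.xlsx result=DENIED
"""

if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    print("SoD:", sod_violations(ENTITLEMENTS))
    print("Bursts:", failed_login_bursts(events))
    print("Privilege:", privilege_changes(events))
    print("Restricted:", restricted_access_attempts(events))
```

The SoD check is the one that pays for itself first: it runs against the same entitlement snapshot the provisioning system already has, so it can be scheduled nightly and its output reconciled with HR before an auditor asks. The log detections are deliberately simple rules; a real SIEM would add the account's HR status (a burst of failures against a terminated user's account is a different alert from one against an active user's), but the structure, parse once and run several independent detections over the same events, is the same.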
Destined to Fail
• Most IAM projects fail. Why?
– Lack of executive sponsorship
– Project teams try to do too much at once
– Referring to IAM as a ‘project’ in the first place
• Mark Dixon’s Ten Best Practices for Identity Management Implementation
– Set strategy
– Secure sponsorship
– Plan quick wins
– Select project leadership
– Define business processes
– Select implementation team
– Gain commitment from support resources
– Provide proper infrastructure
– Assure data quality
– Conduct post-production turnover
http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity
Questions to Start Asking Now
• Who’s going to support all this?
• How can I enforce change control for IAM integration points?
• How am I going to manage passwords?
– Single Sign-On
– Password Synchronization
• How am I going to manage non-employees?
– Consultants
– Contractors
– Interns
• How am I going to manage RBAC exceptions and segregation of duties?
– Pareto Principle (80/20 rule)
• Identity in the Cloud?
– Yeah, I said cloud. Drink ‘em if you got ‘em!
Resources
• Vendors
– Let them know you’re digging into IAM solutions & they’ll call you.
• LinkedIn Groups
– Identity and Access Management
• http://www.linkedin.com/groups?gid=66476
– Identity Management Specialists
• http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311
• Working Groups
– EDUCAUSE (http://www.educause.edu/iam)
– InCommon (http://www.incommon.org/iamonline/)
More Resources
• Internet2 Middleware Initiative – http://www.internet2.edu/middleware/index.cfm
– MACE (Middleware Architecture Committee for Education)
– Shibboleth Federated Single Sign-On Software
– Grouper
– Comanage: Collaborative Organization Management
– MACE-Dir(ectories)
– MACE-paccman (Privilege and Access Management)
• Open Source
– OpenDS - http://www.opends.org/
– OpenSSO - http://java.net/projects/opensso/
– Shibboleth - http://shibboleth.internet2.edu/
– Gluu - http://www.gluu.org/
Even More Resources
• IdM vs. IAM – http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html
• Gartner Identity and Access Management Summit – http://www.gartner.com/technology/summits/na/identity-access/
• Gartner – Why There Are No IAM Magic Quadrants – http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/
• AWS Identity and Access Management – http://aws.amazon.com/iam/
• Worst Practices: Three Big Identity and Access Management Mistakes – http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes
• Wikipedia – http://en.wikipedia.org/wiki/Identity_management
– http://en.wikipedia.org/wiki/Identity_access_management
– http://en.wikipedia.org/wiki/Federated_identity_management
Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com