Introduction to iam

Introduction to Identity And Access Management William El Kaim Oct. 2016 - V 2.1


Page 1: Introduction to iam

Introduction to Identity And Access Management

William El Kaim Oct. 2016 - V 2.1

Page 2: Introduction to iam

This Presentation is part of the Enterprise Architecture Digital Codex

http://www.eacodex.com/

Copyright © William El Kaim 2016

Page 3: Introduction to iam

Plan

Introduction to IAM

• Key Technology Areas

• Directory Technologies

• Identity Administration

• Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 4: Introduction to iam

Identity Definition

• Identity is a complicated concept with many nuances, ranging from philosophical to practical.

• An identity is the set of information known about a person.

• In the digital world a person’s identity is typically referred to as their digital identity. A person can have multiple digital identities.

• Even though digital identities are still predominantly associated with humans, they will be increasingly associated with non-human entities, such as services, systems and devices that could be used to act on behalf of people.

• Examples are trusted platforms, next generation mobile phones, Digital Rights Management (DRM)-based devices, etc.


Page 5: Introduction to iam

Today’s challenges

• Redundant efforts in providing and maintaining Identity information about individuals

• Difficulties in auditing access to systems/applications for each individual

• Providing a unique user ID for applications

• Providing uniqueness of user IDs across the access points

• Providing user authentication for applications

• Providing an authority that can securely authenticate external resources/partners, and manage identities


Page 6: Introduction to iam

What is IAM?

• Discipline aimed at ensuring all users are properly identified, that their affiliation to the organization is understood and that they have proper access to information assets

• Identity Management can be defined as the set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications.

• Effective Identity and Access Management (IAM) involves several interdependent technologies and processes that combine to form a unified view of identity relevant for employees, contractors, partners and consumers


Page 7: Introduction to iam

What is IAM?

• Identity management is not a single product but a set of processes and supporting technologies for maintaining a person’s complete set of identity information, spanning multiple business and application contexts.

• Identity management unifies a person’s disparate identity data to improve data consistency, data accuracy, and data and systems security in an efficient manner.

• Robust identity management requires both integration of technologies as well as coordination with the IT and business processes surrounding the management of user information, access rights, and related policies.

• IAM helps extend business services, improve efficiency and effectiveness, and allow for better governance and accountability


Page 8: Introduction to iam

IAM is a subset of Information Security

• IAM must be founded on:
  • A consistent, mature architecture.
    • An IAM architecture should be considered a subset of an enterprise information security architecture (EISA), which can be integrated within the enterprise architecture in several ways.
  • A conduit for gathering, translating and communicating business and regulatory needs from the business to policy teams and IT functional groups
    • policies and standards, the access model, procedures and the IAM toolset
  • Well-defined and mature processes.

• Each perspective has some overlaps with the other two, and an IAM program must successfully service and integrate all three!

• That’s why it is complex and takes around 2 to 5 years to complete


Page 9: Introduction to iam

Three Main Processes

• Three main processes are involved in managing identities and their access assignments to company resources:

1. Identity process
  • user life cycle

2. Access model process
  • role lifecycle

3. Workflow process
  • the lifecycle for the workflow consumed in identity and access model processes.


Page 10: Introduction to iam

Drivers and Benefits

• Identity and access management (IAM) is a recognizable discipline that encompasses a range of enterprise tools and technologies within a distinct architecture supporting a set of interrelated processes.

• The three main business drivers for IAM solutions are
  • Security efficiency (lower costs, improved service)
  • Security effectiveness (including regulatory compliance)
  • Business agility and productivity.


Page 11: Introduction to iam

Security efficiency

• With the growing volume of users, current staffing cannot accommodate the enterprise's needs.

• Enterprises are looking to simplify administration and provide user self-service, thus containing (or reducing) administrative costs.

• In addition, user information can be leveraged in many business processes that provide a consistent and more-secure access control infrastructure.

• Only via automation can enterprises improve their process to reach access request turnaround times of 24 hours or less.


Page 12: Introduction to iam

Security Effectiveness

• The ability to prove the robustness of the enterprise's access control infrastructure is an important requirement for maintaining customers, as well as obtaining them.

• In addition, easing internal and external audit processes is of prime concern to many enterprises.

• Legislation and other regulations increasingly require enterprises to establish robust control infrastructures, of which information security is a part.

• IAM facilitates compliance. It enables more-effective access control and greater transparency — showing who has access to what (and why, as well as who approved the access) and who accessed what.


Page 13: Introduction to iam

IAM Enables Business Agility

• IAM allows greater flexibility and more timely changes to support business initiatives
  • Reorganizations,
  • mergers and acquisitions,
  • new business partnerships,
  • new product and system rollout.

• Security efficiency gains contribute to business productivity.

• Removing IAM from applications allows developers to concentrate on meeting business aims and objectives.


Page 14: Introduction to iam

Synthesis


Page 15: Introduction to iam

Implementing IAM: Program Activities

• Span three major phases:
  • Planning: This phase is broken down into three parts
    • Strategizing, organizing and annual planning.
  • Building: This is done via the three perspectives on IAM.
  • Running: This phase contains continuous activities
    • That is, the identity, access model and workflow processes.

• The last element of an IAM program is governance.
  • IAM can make a significant contribution to information security as a governance function, but IAM is also a function to be governed.


Page 16: Introduction to iam

Plan

• Introduction to IAM

Key Technology Areas

• Directory Technologies

• Identity Administration

• Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 17: Introduction to iam

IAM Combines Several Types of Technologies

• Establish an identity data infrastructure.
  • This segment encompasses products that form the identity information layer itself: directories, meta-directories, and virtual directories.

• Administer accounts and privileges
  • Products that manage users’ accounts, attributes, and credentials include provisioning, role management, password management, and privileged user management.
  • This category also includes the functional elements of self-service and delegated administration.

• Control access to IT resources
  • Coordinating users’ access to multiple applications is the domain of products like enterprise single sign-on (E-SSO), Web single sign-on (Web SSO), and federation. It also includes the emerging area of entitlement management.


Page 18: Introduction to iam

IAM Combines Several Types of Technologies

• Audit the administrative and access activities
  • Organizations require the ability to demonstrate that account administration and access controls are performing according to policy; identity audit products help with this effort.
  • This includes auditing tools that combine and correlate activities and events across the identity infrastructure, as well as privilege attestation ― tools to aid the act of certifying that the privileges associated with a user are correct.
  • It also includes role management products, which serve a dual role of both codifying policies and validating their enforcement.


Page 19: Introduction to iam

IAM Combines Several Types of Technologies

• Identity administration tools
  • Focus not only on the administration function
    • primarily, the administration of users' multiple identities, attributes and credentials across heterogeneous environments
  • but also the administration of access model constructs such as roles and resource access control information
    • such as access control lists (ACL)

• Access management tools
  • Access management tools enforce access control policy (or policies) across heterogeneous environments.
  • They also offer administration capabilities, but their distinctive focus is on authorization.


Page 20: Introduction to iam

IAM Combines Several Types of Technologies

• Identity auditing tools focus primarily on auditing
  • Identity-related event monitoring, reporting, status auditing and more.
  • Together with identity administration, this class forms the identity management superclass.

• Identity verification tools encompass all aspects of real-time authentication
  • Identity proofing (a precursor to provisioning an identity), authentication methods and their supporting infrastructures, as well as technologies for brokering authentication and authenticated identities and attributes across heterogeneous environments.
  • Together with access management, this class forms the access control superclass.

• Directory technologies are in many ways foundational to the other technologies.


Page 21: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

Directory Technologies

• Identity Administration

• Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 22: Introduction to iam

Directory: Definition

• A book containing an alphabetical or classified listing of names, addresses, and other data, such as telephone numbers, of specific persons, groups, or firms.

• An organizational unit, or container, used to organize folders and files into a hierarchical structure.

• Hierarchical collection of objects
  • Objects can have varying attributes and numbers of the same attributes.

• A directory is not a database.
  • Directory servers are typically optimized for a very high ratio of searches to updates.


Page 23: Introduction to iam

Directory Service Definition

• A directory service is a software product that stores and organizes information about user identities and other resources within a network or domain and that manages users' access to resources.

• A directory service is highly optimized for reads and provides advanced search possibilities on many different attributes associated with identities and other objects.

• The data stored in a directory is defined by an extendible and modifiable schema (data model).


Page 24: Introduction to iam

Directory Technologies

Based on Protocols: X.500 and LDAP

• X.500 provides formal standards for global directory construction and replication.
  • X.500 standards support the construction of large, multiple-location (multiple-server) directories.

• LDAP v.3 has emerged as the preferred standard for read/write access to directories.
  • However, this is where the standard begins and ends.
  • LDAP does not define schema rules, security models or interoperability mechanisms.
  • Export format defined and called LDIF


Page 25: Introduction to iam

Directory Technologies

LDAP

• Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral standard

• A descendant of the X.500 OSI Directory Access Protocol, which was deemed too complex and cumbersome to be implemented on microcomputers

• A data-representation model optimized for arbitrary queries

• Recent versions of LDAP also specify encryption methods, methods for clients to discover the structure of the system's configuration, as well as interoperability with other services such as Kerberos and SASL.


Page 26: Introduction to iam

Directory Technologies

LDAP defines

• Access Protocol: How to access directory information

• Information Model: Type of information managed by the directory

• Naming Model: How information is organized and referenced

• Functional Model: How to access and update information

• Security Model: How data are accessed and protected

• Duplication Model: How the directory is distributed

• API: To develop client applications

• Exchange data formats named
  • Text delimited = LDIF (Lightweight Data Interchange Format)
  • XML = DSML (Directory Services Markup Language)


Page 27: Introduction to iam

Directory Technologies

Example – User Identity Classification

• Internal Users
  • One party (the employee, internal contractor, etc.) is subservient to another (the employer). The employer defines the security standards and principles under which the employee works – with autonomy over governance of those standards and recourse in the event that they are abused.

• Account Type
  • Family-Board: A company Family or Board Member who receives benefits from your Companies.
  • Employee: A person who is directly employed by & paid and/or receives benefits from Companies.
  • Contractor: A worker who works independently or for a company that is contracted by Companies to provide staff augmentation, and who requires access to Company information systems.


Page 28: Introduction to iam

Directory Technologies

Example – User Identity Classification

• Extended Enterprise Users
  • A closely related business relationship (franchise) OR an arms-length business relationship (partner) in which they will provide services to each other or jointly provide services to a third party customer.

• Account Type
  • Franchisee: A person who works for and/or is an owner of a business that is franchised by a company brand and who requires access to Company information systems.
  • Client-Representative: A person who works for a company business partner or client and requires access to Company information systems.
  • Vendor: A person who works for a company that supports or supplies a product and/or services to the company and who requires access to Company information systems.


Page 29: Introduction to iam

Directory Technologies

Example – User Identity Classification

• Business Users
  • A retail or marketing relationship in which the company or Client Partner provides goods or services to a customer or consumer.
  • Although such agreements do not form the level of trust of an employer/employee relationship, some form of recourse is typically available in the event access to those resources is abused.
  • A subset of these users may also have access to administration and reporting services through the business application.

• Account Type
  • Client Customer: A Customer of the company Client who requires access to a Client’s business application that the company has built and/or hosts. These are indirect company Brand consumers who use the company Client applications and services.
  • Company Customer: A customer of a Business unit who requires access to a Company business application. These are direct company Brand consumers (e.g. Goldpoints, Radisson) who use applications and services.


Page 30: Introduction to iam

Directory Technologies

White Pages

[Diagram: two current main approaches for providing, updating and displaying user information. Local administration teams are in charge of populating and maintaining the consolidated directory. Ownership is identified for user information among operational systems (e.g. HR, Sites); data flows are ruled by the synchronization tool. Applications shown: Outlook calendar and white pages application; third-party directory.]

Page 31: Introduction to iam

Directory Technologies

Example: LDAP Branches

Branch starting from dc=carlson,dc=com   Description
ou=administration                        Administrative or application account branch
ou=corporate                             Corporate people branch
ou=ebusiness                             E-business branch
ou=extended                              Extended user branch (franchises, etc.)
ou=people                                Corporate people data
ou=groups                                Corporate group data
ou=locations                             Corporate location data
ou=itaccounts                            Information technology account data
ou=organizations                         Corporate organization data
ou=resources                             Physical asset resource data (e.g. FNP File)
ou=unixservices                          UNIX OS service and account data


Page 32: Introduction to iam

Directory Technologies

LDAP Structure (DIT)

[Diagram of the directory information tree: dc=Domain,dc=com at the top, with the branches ou=administration, ou=corporate, ou=ebusiness, ou=extended, ou=unixservices, ou=people, ou=groups, ou=locations, ou=itaccounts, ou=organizations and ou=resources, plus per-company containers ou=cwt, ou=chw and ou=clg, each holding its own ou=people.]
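The following Python reader is an added example (not from the deck) for the LDIF export format mentioned on the previous slides and the branch table above: it parses a constructed LDIF export, unfolding continuation lines and decoding base64 values, and reports under which of the documented branches each entry sits, flagging entries placed elsewhere.

```python
"""Read a small LDIF export of the dc=carlson,dc=com tree and check that every
entry sits under one of the documented branches.
Added example, not from the deck; the LDIF below is constructed."""
import base64
import re

SUFFIX = "dc=carlson,dc=com"
# Branch names from the "LDAP Branches" table, all directly under the suffix.
BRANCHES = {
    "administration", "corporate", "ebusiness", "extended", "people", "groups",
    "locations", "itaccounts", "organizations", "resources", "unixservices",
}

# Constructed export. LDIF folds long values onto a following line that starts
# with one space, and marks base64 values with "::"; the last entry is
# deliberately placed under a branch the table does not define.
SAMPLE_LDIF = """\
version: 1
# corporate people branch
dn: dc=carlson,dc=com
objectClass: dcObject
dc: carlson

dn: ou=people,dc=carlson,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=jdoe,ou=people,dc=carlson,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
description: Corporate employee, travel
 ling consultant
mail:: amRvZUBjYXJsc29uLmNvbQ==

dn: uid=svc-backup,ou=services,dc=carlson,dc=com
objectClass: inetOrgPerson
uid: svc-backup
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) in file order."""
    lines = []
    for raw in text.splitlines():           # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:               # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":                     # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        if attr.lower() == "version":
            continue
        if attr.lower() == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute {attr} appears before any dn")
        else:
            current[1].setdefault(attr, []).append(value)
    return entries


def branch_of(dn):
    """Top-level branch a DN lives in: 'root', a name from BRANCHES, or None."""
    parts = [p.strip() for p in dn.split(",")]       # escaped commas not handled
    suffix = SUFFIX.split(",")
    if parts[-len(suffix):] != suffix:
        return None                                  # outside our suffix
    rest = parts[:-len(suffix)]
    if not rest:
        return "root"
    top = rest[-1].lower()
    name = top[3:] if top.startswith("ou=") else None
    return name if name in BRANCHES else None


def check_placement(entries):
    """Map each DN to its branch so misplaced entries (None) can be reported."""
    return {dn: branch_of(dn) for dn, _ in entries}
```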


Page 33: Introduction to iam

Directory Technologies

DSML

• The Directory Services Markup Language v1.0 (DSMLv1) provides a means for representing directory structural information as an XML document.

• DSMLv2 goes further, providing a method for expressing directory queries and updates (and the results of these operations) as XML documents.

• DSMLv2 documents can be used in a variety of ways.
  • stored as files in order to be consumed and produced by programs
  • transported over HTTP to and from a server that interprets and generates them.

• The design approach for DSMLv2 was to express LDAP requests and responses as XML document fragments
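Added example, not from the deck: building a DSMLv2 searchRequest and reading a DSMLv2 searchResponse with Python's standard library. The namespace is the DSMLv2 core namespace; the sample response is constructed to look like a gateway's reply to that request.

```python
"""Express one LDAP search as a DSMLv2 request and read the DSMLv2 response.
Added example, not the deck's own code; the response document is constructed."""
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("", DSML_NS)          # serialize DSML elements unprefixed


def q(tag):
    """Clark-notation name for a DSML element."""
    return f"{{{DSML_NS}}}{tag}"


def build_search_request(base_dn, attr, value, wanted, request_id="1"):
    """Return a DSMLv2 batchRequest (bytes) holding one equality-match search."""
    batch = ET.Element(q("batchRequest"))
    req = ET.SubElement(batch, q("searchRequest"), {
        "requestID": request_id, "dn": base_dn,
        "scope": "wholeSubtree", "derefAliases": "neverDerefAliases",
    })
    flt = ET.SubElement(req, q("filter"))
    eq = ET.SubElement(flt, q("equalityMatch"), {"name": attr})
    ET.SubElement(eq, q("value")).text = value   # the value is a child element
    attrs = ET.SubElement(req, q("attributes"))
    for name in wanted:
        ET.SubElement(attrs, q("attribute"), {"name": name})
    return ET.tostring(batch, encoding="utf-8")


def parse_search_response(xml_text):
    """Return (entries, result_code); entries is a list of (dn, {attr: [values]})."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.iter(q("searchResultEntry")):
        attrs = {}
        for a in entry.findall(q("attr")):
            attrs[a.get("name")] = [v.text or "" for v in a.findall(q("value"))]
        entries.append((entry.get("dn"), attrs))
    done = root.find(f".//{q('searchResultDone')}/{q('resultCode')}")
    code = int(done.get("code")) if done is not None else None
    return entries, code


# Constructed reply to build_search_request("ou=people,dc=carlson,dc=com", "uid",
# "jdoe", ["cn", "mail"]); resultCode 0 is LDAP "success".
SAMPLE_RESPONSE = f"""<batchResponse xmlns="{DSML_NS}">
  <searchResponse requestID="1">
    <searchResultEntry dn="uid=jdoe,ou=people,dc=carlson,dc=com">
      <attr name="cn"><value>John Doe</value></attr>
      <attr name="mail"><value>jdoe@carlson.com</value></attr>
    </searchResultEntry>
    <searchResultDone><resultCode code="0" descr="success"/></searchResultDone>
  </searchResponse>
</batchResponse>"""
```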


Page 34: Introduction to iam

Directory Technologies

Microsoft Active Directory

• Active Directory (AD) is the directory service in the Standard, Enterprise and Datacenter versions of the Windows Server 2003 family.

• The primary function of AD is to authenticate users in a network and authorize subsequent access requests to Windows-based applications or other server resources.

• AD not only stores information about network resources but also provides a consistent way to name, describe, locate, manage and secure this information as it applies to users and applications.

• AD consists of logical and physical components.
  • AD’s logical components organize network resources to match the organizational structure.
  • AD’s physical components configure and control where and when data replication and login traffic can occur over the network.


Page 35: Introduction to iam

Directory Technologies

Microsoft Active Directory

• The basic logical component in AD is the domain, defined by the administrator as a collection of computers that share a common directory database, security policies and security relationships.
  • For example, in CWT we have a separate domain for each region.

• Domains, in turn, can be partitioned into Organizational Units (OUs)
  • An OU is a collection of users and computers that have been given certain administrative rights.

• Multiple domains can be organized into trees.
  • A tree is a hierarchical arrangement of domains that have the same Domain Name System (DNS) name.


Page 36: Introduction to iam

Directory Technologies

Microsoft Active Directory

• Trees can be grouped into Forests.
  • A forest is a group of trees that do not share a common DNS name but do share a common configuration and schema
    • An attribute repository that allows attributes and object classes to be redefined separate from the AD objects.
  • Every domain in a forest can share resources and administrative functions with the other trees in the forest.
  • Every domain trusts every other domain in a forest. The forest is the security boundary, not the domain.


Page 37: Introduction to iam

Directory Technologies

Ex: Single Forest – OU Model

[Diagram: a single forest rooted at companynet.biz with the regional domains amer.company.com, emea.company.com and auas.company.com; each domain holds per-company OUs (Company A OU, Company B OU).]


Page 38: Introduction to iam

Directory Technologies

Ex: Single Forest – OU Model


Page 39: Introduction to iam

Directory Technologies

Today’s Directories challenges

• A single directory cannot fit all needs
  • several directories exist

• No single directory schema can be used to describe identity information
  • Several different metamodels (i.e. information managed by the directory), also called DIT (Directory Information Tree)

• Not all directories can be provisioned the same way (corporate user, partners, clients, anonymous clients).
  • Several provisioning processes

• We need to enforce the uniqueness of all identities
  • Increasing risk of providing several user IDs for the same person and generating major issues at the application level and at the integration of systems.
  • This could also have a dramatic impact on our customer retention if we cannot guarantee the uniqueness of their user identities in our systems


Page 40: Introduction to iam

Directory Technologies

Synchronization Solutions

• Different technologies are available to build an identity synchronization solution:
  • Meta-Directory technology
  • EAI technology
  • ETL technology

• The result of the synchronization is consolidated in a directory

• The use of one technology or another depends on organizational, functional and technical requirements


Page 41: Introduction to iam

Directory Technologies

Synchronisation Solutions

• Benefits
  • Offers optimal access performance
  • Allows the consolidated identity record to be enriched with new information
  • Simplifies distribution of the consolidated data through simple LDAP replication mechanisms

• Drawbacks
  • Introduces synchronization issues leading to possible data inconsistency
  • Requires resynchronization processes and tools to be set up
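Added example, not the deck's own tooling: a consolidation step in Python that applies attribute ownership (HR owns the person, Sites owns the location, as in the white pages diagram) while merging two constructed extracts, and reports the inconsistencies and duplicate identities a resynchronisation process would have to resolve (the uniqueness challenge listed earlier).

```python
"""Consolidate identity records from two operational systems into one record
per official UID, applying attribute ownership, and report what needs
resynchronisation. Added example; system names, attributes and records are
constructed."""

# Authoritative source per attribute: HR owns the person, Sites owns where
# the person physically sits and is reached.
OWNER = {"cn": "hr", "employeeType": "hr", "mail": "hr",
         "l": "sites", "telephoneNumber": "sites"}

# Constructed extracts, keyed by the single official UID.
HR = {
    "100042": {"cn": "John Doe", "employeeType": "Employee",
               "mail": "jdoe@carlson.com", "l": "Paris"},   # stale location in HR
    "100077": {"cn": "Ana Silva", "employeeType": "Contractor",
               "mail": "asilva@carlson.com"},
}
SITES = {
    "100042": {"l": "Lyon", "telephoneNumber": "+33 4 00 00 00 01"},
    "100077": {"l": "Madrid", "telephoneNumber": "+34 91 000 00 02"},
    "200913": {"l": "Madrid", "telephoneNumber": "+34 91 000 00 03",
               "mail": "asilva@carlson.com"},                # second ID, same person?
}


def consolidate(sources):
    """Merge sources into {uid: attrs}; return (directory, report).

    report["conflicts"]:  (uid, attr, source, its value, value kept) where a
                          non-owning source disagrees with the owner,
    report["orphans"]:    uids unknown to the HR master,
    report["duplicates"]: groups of distinct uids sharing one mail address.
    """
    directory, conflicts, orphans = {}, [], []
    for uid in sorted(set().union(*[s.keys() for s in sources.values()])):
        if uid not in sources["hr"]:
            orphans.append(uid)
        merged = {}
        for attr, owner in OWNER.items():
            values = {name: recs[uid][attr] for name, recs in sources.items()
                      if uid in recs and attr in recs[uid]}
            if not values:
                continue
            # The owner wins; if the owner has no value, keep the first one seen.
            chosen = values.get(owner, next(iter(values.values())))
            merged[attr] = chosen
            for name, val in values.items():
                if val != chosen:
                    conflicts.append((uid, attr, name, val, chosen))
        directory[uid] = merged
    by_mail = {}
    for uid, attrs in directory.items():
        if "mail" in attrs:
            by_mail.setdefault(attrs["mail"], []).append(uid)
    duplicates = [uids for uids in by_mail.values() if len(uids) > 1]
    return directory, {"conflicts": conflicts, "orphans": orphans,
                       "duplicates": duplicates}
```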


Page 42: Introduction to iam

Directory Technologies

Virtual Directory

• A virtual directory is a server for a directory protocol such as LDAP, but unlike a traditional directory server, does not master the data itself in its own database.

• Instead a virtual directory will dynamically translate requests it receives to operations in other protocols or data models, such as to a relational database

• Directory information is drawn in real time, on demand from its native repositories rather than having to be permanently stored in additional physical directories.
  • This real-time access eliminates the need to synchronize a data store across multiple “feeder” directories, preventing data latency.


Page 43: Introduction to iam

Directory Technologies

Virtual Directories Technologies

• A virtual directory is a software product that creates a logical (virtual) view of an LDAP directory by combining data from multiple repositories.

• A virtual directory can be used to create a single access point for the multiple user repositories.

• User-provisioning products increasingly are being joined with virtual directory technology.


Page 44: Introduction to iam

Directory Technologies

Virtual Directory Solutions

• Benefits
  • Provides real-time and secure LDAP access to numerous disparate directories, databases and other data sources, organizing them in a single virtual directory tree
  • Offers fast, flexible and reliable LDAP service satisfying all "quality of service" requirements from end users as well as providers
  • Minimizes data ownership considerations

• Drawbacks
  • Introduces a new technology within the IT infrastructure that must be managed and must support distribution and high availability
  • Reduces access performance to data


Page 45: Introduction to iam

Directory Technologies

LDAP Proxy Solutions

• LDAP Proxy solutions are LDAP access routers. Basically, they offer filtering and routing services based on rules, in a way that is transparent to LDAP client applications

• Features:
  • Provides filtering and routing LDAP services
  • Provides load-balanced and failover access to directory resources
  • Manipulates or transforms information being passed to and from an LDAP query according to programmed business logic
  • Consolidates LDAP queries through one server to avoid referrals that clients are using

• Virtual Directory and LDAP Proxy solutions are converging. Both solutions are now sometimes addressed by the same products
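Added example, not any vendor's product: a minimal virtual directory in Python that routes an LDAP-style equality search by base DN to the backend mastering that branch (the routing rule an LDAP proxy applies) and translates it on demand into SQL, with no copy of the data held in the directory itself. The two in-memory sqlite backends, their rows and the attribute-to-column mappings are constructed.

```python
"""A toy virtual directory: searches are routed by base DN and translated on
demand into SQL against the backend that masters each branch.
Added example; backends, rows and mappings are constructed."""
import sqlite3

SUFFIX = "dc=carlson,dc=com"


def make_hr_db():
    """Backend that masters corporate people (constructed HR table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (emp_id TEXT, full_name TEXT, email TEXT, status TEXT)")
    db.executemany("INSERT INTO employee VALUES (?,?,?,?)", [
        ("100042", "John Doe", "jdoe@carlson.com", "active"),
        ("100077", "Ana Silva", "asilva@carlson.com", "left"),
    ])
    return db


def make_partner_db():
    """Backend that masters extended-enterprise users (constructed portal table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE partner_user (login TEXT, display TEXT, email TEXT, company TEXT)")
    db.executemany("INSERT INTO partner_user VALUES (?,?,?,?)", [
        ("franchise-17", "Lee Wong", "lee@franchise17.example", "Franchise 17"),
    ])
    return db


# Routing table: which backend serves which branch, and how LDAP attribute
# names map onto that backend's columns. Only names listed here reach SQL.
ROUTES = {
    f"ou=people,{SUFFIX}": {
        "db": make_hr_db, "table": "employee", "rdn": "uid",
        "columns": {"uid": "emp_id", "cn": "full_name", "mail": "email", "status": "status"},
    },
    f"ou=extended,{SUFFIX}": {
        "db": make_partner_db, "table": "partner_user", "rdn": "uid",
        "columns": {"uid": "login", "cn": "display", "mail": "email", "o": "company"},
    },
}


class VirtualDirectory:
    def __init__(self, routes):
        self.routes = {base: dict(r, conn=r["db"]()) for base, r in routes.items()}

    def search(self, base_dn, attr, value):
        """Equality search (attr=value) below base_dn; returns [(dn, attrs)]."""
        results = []
        for branch, route in self.routes.items():
            # Route only to branches that are the base itself or lie beneath it.
            if branch != base_dn and not branch.endswith("," + base_dn):
                continue
            cols = route["columns"]
            if attr not in cols:
                continue                      # this backend has no such attribute
            select = ", ".join(f"{c} AS {a}" for a, c in cols.items())
            sql = f"SELECT {select} FROM {route['table']} WHERE {cols[attr]} = ?"
            cur = route["conn"].execute(sql, (value,))   # value is bound, never interpolated
            names = [d[0] for d in cur.description]
            for row in cur.fetchall():
                attrs = dict(zip(names, row))
                results.append((f"{route['rdn']}={attrs[route['rdn']]},{branch}", attrs))
        return results
```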


Page 46: Introduction to iam

Directory Technologies

LDAP Proxy Solutions

• Benefits
  • Supports rules-based routing to leverage existing applications
  • Supports automatic failover and load balancing of the LDAP directories
  • Minimizes data ownership considerations

• Drawbacks
  • Introduces a new technology within the IT infrastructure that must be managed and must support distribution and high availability
  • Reduces access performance to data


Page 47: Introduction to iam

Directory Technologies

Metadirectories Technologies

• A metadirectory is a software product that synchronizes and (optionally) aggregates identity data stored in multiple repositories.

• Metadirectories provide a proven and relatively quick-and-easy way to reduce user administration but lack the sophistication of user-provisioning products.

• No longer commonly used for new deployments.


Page 48: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

• Directory Technologies

Identity Administration

• Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 49: Introduction to iam

Identity Administration

Introduction

• Organizations face the challenge of managing the multiple identities of their employees, business partners and customers across multiple systems

• User-provisioning and password management are the most mature tools in this space, but alone they are not sufficient for a full-blown identity administration solution

• They must be augmented by role management and resource access administration capabilities


Page 50: Introduction to iam

Identity Administration

User Provisioning

• User Provisioning is the process of granting appropriate user access privileges to any applications, based on a single reference (the user ID)

• User-provisioning tools
  • Provide user life cycle management, primarily for internal users, such as employees and contractors.
  • Can create, change and retire the user identities (accounts or profiles) linked to each person across a broad range of target systems in response to HR system changes and self-service and line-management requests, and according to a specified workflow.

• Hence, the tools support all on-boarding and off-boarding activities for the workforce
  • New hires, transfers, promotions, terminations, dismissals and more.

• User-provisioning tools also automatically correlate data from HR, CRM, e-mail systems and other identity stores.


Page 51: Introduction to iam

Identity Administration

User provisioning

• A key component of identity and access management is how digital identities are created.

• The provisioning process provides a powerful tool that takes advantage of user information contained in the organization's directory infrastructure to speed up the granting and revoking of user accounts and entitlements for information resources.

• These resources can include e-mail, telephone service, HR applications, line-of-business (LOB) and functional applications, intranet and extranet access, and Helpdesk services.


Page 52: Introduction to iam

Identity Administration

Provisioning

• Provisioning is more than a security solution in the classic sense of threat mitigation and defense.
  • It addresses concerns about giving the appropriate level of access to IT resources to those who need them, and revoking access when that requirement is gone. It introduces a structured environment for user security administration, coordinating account management and related security policies across the enterprise.

• Workflow is a requirement of most provisioning processes
  • Requests for resources are entered online, routed in a predetermined path to reviewers and approvers, and then finally to the person or system that creates the user account.


Page 53: Introduction to iam

Identity Administration - The path forward to improve User Provisioning

• The following recommendations will significantly improve the process of granting and keeping application access rights accurate over time.
  • One single official employee ID number (called UID) should be the official user identity to any given application.
  • One single source of user information. The only repository of data that fully represents all employees and contractors is the enterprise directory populating all the others
  • One single standardized process of granting access rights for applications within and across each business area or region.
  • Several distributed empowered organizations managing the application access rights process end-to-end for all business functions.


Page 54: Introduction to iam


Identity Administration

Ex: User Provisioning Process

Aligned across business functions, the process entails six steps:

Step 1: Access request submission (User/direct Manager/HR/ Functional representative)

Step 2: User information validation against user master data with HR

Step 3: Functional review and approval (if needed with local support and training coordinator)

Step 4: Technical check from IT side and creation of UID

Step 5: Assignment of approved access to the application (back-end)

Step 6: Direct notification to users or through application trainer (email)

The enterprise user provisioning process needs to be managed end-to-end to ensure integrity of the user privileges at the enterprise level.

Copyright © William El Kaim 2016 54

Page 55: Introduction to iam

Identity Administration
Deprovisioning

• Deprovisioning ensures that accounts are systematically disabled or deleted and entitlements are revoked when employees leave the organization.
• Good security practice recommends:
  • that accounts be disabled quickly (to prevent possible attacks by disgruntled ex-employees)
  • but not deleted until after a suitable time has elapsed, in case it becomes necessary to re-enable (or rename and reassign) the account.
• Disabling accounts (rather than deleting) is also helpful for some organizations that need to ensure certain identity attributes, such as account name, are unique and not reused within a time period that meets policy requirements.
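The six-step provisioning process and the disable-before-delete rule above fit together as one account lifecycle. The following Python model is an added example, not code from the deck or from any product it names: the 90-day hold period, the three approver roles, the UID and login values and the reference date T0 are all assumptions made for the illustration. It shows why a provisioning step must refuse to proceed without every approval, why disabling clears entitlements at once while the record survives, and how reserving the login name during the hold period prevents reuse.

```python
"""Account lifecycle model (added example, not from the deck): request, approvals,
UID-based account creation, then disable-before-delete with a name-reuse hold.
RETENTION, the approver roles and every sample value are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

RETENTION = timedelta(days=90)                  # assumed hold period before deletion
REQUIRED_APPROVALS = ("hr", "functional", "it")  # steps 2-4 of the process above
T0 = datetime(2016, 10, 1)                       # constructed reference date


def day(n: int) -> datetime:
    """Constructed clock: n days after T0."""
    return T0 + timedelta(days=n)


@dataclass
class Account:
    uid: str                        # the single official employee ID (step 4)
    login: str
    state: str = "requested"        # requested -> active -> disabled -> (deleted)
    approvals: Set[str] = field(default_factory=set)
    entitlements: Set[str] = field(default_factory=set)
    disabled_at: Optional[datetime] = None
    history: List[Tuple[datetime, str]] = field(default_factory=list)


class Directory:
    """The single source of user information; every state change is recorded."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.reserved_logins: Dict[str, datetime] = {}   # login -> earliest reuse time

    def request(self, uid: str, login: str, now: datetime) -> Account:
        """Step 1: access request. Refuses a login name still inside its hold period."""
        until = self.reserved_logins.get(login)
        if until is not None and now < until:
            raise ValueError(f"login {login!r} is reserved until {until:%Y-%m-%d}")
        if uid in self.accounts:
            raise ValueError(f"UID {uid} already exists")
        acct = Account(uid=uid, login=login)
        acct.history.append((now, "requested"))
        self.accounts[uid] = acct
        return acct

    def approve(self, uid: str, approver: str, now: datetime) -> Account:
        """Steps 2-4: each reviewer records an approval on the request."""
        if approver not in REQUIRED_APPROVALS:
            raise ValueError(f"unknown approver role {approver!r}")
        acct = self.accounts[uid]
        acct.approvals.add(approver)
        acct.history.append((now, f"approved:{approver}"))
        return acct

    def provision(self, uid: str, entitlements: Set[str], now: datetime) -> Account:
        """Step 5: assign access on the back end, only once every approval is present."""
        acct = self.accounts[uid]
        missing = set(REQUIRED_APPROVALS) - acct.approvals
        if missing:
            raise PermissionError(f"missing approvals: {sorted(missing)}")
        acct.entitlements = set(entitlements)
        acct.state = "active"
        acct.history.append((now, "provisioned"))
        return acct

    def disable(self, uid: str, now: datetime) -> Account:
        """Leaver: disable at once and revoke entitlements, but keep the record."""
        acct = self.accounts[uid]
        acct.entitlements.clear()
        acct.state = "disabled"
        acct.disabled_at = now
        acct.history.append((now, "disabled"))
        self.reserved_logins[acct.login] = now + RETENTION
        return acct

    def reenable(self, uid: str, now: datetime) -> Account:
        """Re-enable a disabled account; access must be re-approved and re-provisioned."""
        acct = self.accounts[uid]
        if acct.state != "disabled":
            raise ValueError(f"{uid} is not disabled")
        acct.state = "requested"
        acct.approvals.clear()
        acct.disabled_at = None
        acct.history.append((now, "re-enabled"))
        self.reserved_logins.pop(acct.login, None)
        return acct

    def purge(self, now: datetime) -> List[str]:
        """Delete accounts whose hold period has elapsed; returns the purged UIDs."""
        purged = []
        for uid, acct in list(self.accounts.items()):
            if acct.state == "disabled" and now - acct.disabled_at >= RETENTION:
                del self.accounts[uid]
                purged.append(uid)
        return purged
```

The history list on each account is what an auditor later reads to answer "who reviewed and approved what"; the reservation table is the mechanism behind the deck's remark that disabling, rather than deleting, keeps account names unique for the policy period.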

Page 56: Introduction to iam

Identity Administration
Role Management for Enterprises

• Although user-provisioning tools can consume roles within user life cycle management, they cannot provide role life cycle management.
• This is the function of role management tools, which enable organizations to mine, map, manage and report on the complex relationships of business rules, user identities and users' entitlements across a broad range of target systems (operating systems (OSs), applications and so on).
• Role management tools can feed user-provisioning products to ensure that the link is made between business-level roles and associated IT-level roles, and that proper entitlements are provisioned for the user.

Page 57: Introduction to iam

Identity Administration
Role Management for Enterprises

• Role management is becoming a "must have" rather than a "nice to have" capability for identity administration in larger enterprises.
  • A few user-provisioning vendors already offer role management capability, but most partner with pure-play vendors.
• Role mining can meet some identity-auditing needs.
  • Essentially mining access control data to discover correlations between users with similar attributes and access rights (that is, candidate roles).
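Role mining as described above is a statistical exercise over the access-control data an organization already has. The following Python is an added example, not code from the deck or from any role management product: the user records, the department attribute and the support thresholds are constructed. It first extracts the "birthright" entitlements nearly everyone holds, then groups users by an attribute and keeps the entitlements most of the group shares as a candidate role, and finally lists the access each user holds beyond that candidate role, which is exactly the set a reviewer needs to look at.

```python
"""Role mining over access-control data (added example, not from the deck).
USERS and the thresholds are constructed sample values."""
from collections import Counter, defaultdict
from typing import Dict, Set, Tuple

# Constructed sample: user -> (attributes, entitlements currently held)
USERS: Dict[str, Tuple[Dict[str, str], Set[str]]] = {
    "alice": ({"dept": "finance"}, {"erp:ap_entry", "erp:gl_view", "mail"}),
    "bob":   ({"dept": "finance"}, {"erp:ap_entry", "erp:gl_view", "mail"}),
    "carol": ({"dept": "finance"}, {"erp:ap_entry", "erp:gl_view", "erp:ap_approve", "mail"}),
    "dave":  ({"dept": "sales"},   {"crm:read", "crm:write", "mail"}),
    "erin":  ({"dept": "sales"},   {"crm:read", "crm:write", "mail"}),
    "frank": ({"dept": "sales"},   {"crm:read", "mail"}),
    "grace": ({"dept": "it"},      {"admin:root", "mail"}),
}


def common_entitlements(users, min_ratio: float = 0.9) -> Set[str]:
    """Entitlements held by almost everyone: the 'birthright' role candidate."""
    counts = Counter(e for _, ents in users.values() for e in ents)
    return {e for e, c in counts.items() if c / len(users) >= min_ratio}


def mine_roles(users, attribute: str, min_support: int = 2, min_ratio: float = 0.6,
               baseline=frozenset()) -> Dict[str, Set[str]]:
    """Top-down mining: group users by an attribute and keep the entitlements that at
    least min_ratio of the group holds. Groups smaller than min_support give no role.
    Birthright entitlements are left out of the group roles."""
    groups = defaultdict(list)
    for _, (attrs, ents) in users.items():
        groups[attrs.get(attribute)].append(ents)
    roles = {}
    for value, member_ents in groups.items():
        if len(member_ents) < min_support:
            continue
        counts = Counter(e for ents in member_ents for e in ents)
        core = {e for e, c in counts.items() if c / len(member_ents) >= min_ratio}
        roles[f"{attribute}={value}"] = core - set(baseline)
    return roles


def review_candidates(users, attribute: str, roles: Dict[str, Set[str]],
                      baseline=frozenset()) -> Dict[str, Set[str]]:
    """Question 'who should have access to what?': entitlements a user holds that are
    neither in the candidate role for their group nor birthright, so need explicit review."""
    out = {}
    for name, (attrs, ents) in users.items():
        role = roles.get(f"{attribute}={attrs.get(attribute)}", set())
        extra = ents - role - set(baseline)
        if extra:
            out[name] = extra
    return out
```

On the constructed data the finance and sales groups each yield a role, the one-person IT group is too small to generalize from, and two users are flagged for review: one with an approval right the rest of her department lacks, and the lone administrator whose access no mined role explains.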

Page 58: Introduction to iam

Identity Administration
Resource Access Administration

• Resource access administration (RAA) tools provide resource-centric views of users' access that complement user-provisioning tools' user-centric views.
• RAA tools can create, change and retire groups/roles at the target system level and can administer resource access control information, such as access control lists (ACLs).
  • Thus, the tools can permit/delete explicit access rights for individual users outside the role/group structure in a way that is superior to native administration functions.
  • Only a few user-provisioning tools provide such capabilities.
• Many RAA tools are point solutions for specific platforms.
  • Most are Windows-centric or Windows only.
  • In the IBM z/OS mainframe space, several vendors offer roughly analogous tools for IBM's RACF.

Page 59: Introduction to iam

Identity Administration
Credential Management Introduction

• Authentication credentials are a special kind of identity information that requires specialized administration tools.
• Password management tools are well-established, but they increasingly are being subsumed within user-provisioning tools.
• Card management tools are less mature and are rarely found as anything but stand-alone tools.

Page 60: Introduction to iam

Identity Administration
Credential Management Future

• In the next few years, several vendors will offer generic credential management tools that manage the lifecycle of multiple kinds of credentials
  • like smart cards, certificates, biometric data, proximity cards and more.
  • Already the case for Microsoft Project Geneva.
• In the longer term, these will be subsumed within user-provisioning tools.
  • For now, they can be integrated only loosely, as just another target system.
• Tools that manage passwords for shared accounts, such as Administrator and root accounts, form a separate and distinct technology.

Page 61: Introduction to iam

Identity Administration - Credential Management - Password Management

• Password management tools provide self-service password reset and password synchronization across a broad range of target systems.
  • These capabilities can reduce help desk call volumes by more than 80%.
• All user-provisioning products now integrate these capabilities, which often are deployed in the first phase of a provisioning project, and the implementation of discrete tools is becoming less common.
• Representative Vendors and Stand-Alone Products
  • Avatier, Courion, M-Tech, Proginet

Page 62: Introduction to iam

Identity Administration - Credential Management - Public Key Services

• Public-key cryptography, based on public-private key pairs, can be used for functions such as:
  • Data encryption: provides content access control.
  • Digital signatures: provide transaction assurance and can be exploited for user authentication, by providing data integrity and data origin authentication.
• A public-key service is a software product that provides:
  • Lifecycle management for these cryptographic keys.
  • The certificates that bind the public keys to user identities (Public Key Credentials or PKCs), along with software or application programming interface (API) toolkits supporting the cryptographic functions.
• Most commercial services use a framework stemming from X.509, the "authentication framework" part of the ITU-T's X.500 series of standards for directory services.

Page 63: Introduction to iam

Identity Administration - Credential Management - PKI vs. PKO

• Public-key infrastructure (PKI)
  • A PKI is a stand-alone, public-key service intended for use by one or more applications.
  • An "open" PKI embraces the issuance of certificates to individuals for authentication and signing across varied applications in the public and private sectors.
  • A "closed" PKI is limited to use by one enterprise or a closed community of business partners, users or devices.
• Public-key operation (PKO)
  • Also called a public-key operations center.
  • A PKO is a public-key service that addresses the certificate and key management requirements of, and is integrated within, a specific application, appliance or service.
  • Because PKOs are inherent to a single application, they can only be closed.
• Comparison
  • A PKI is more flexible and offers broader capabilities than a PKO and can be used to support different types of certificates with different levels of trust.
  • A PKO usually is less feature-rich, less flexible and simpler to use than a PKI.

Page 64: Introduction to iam

Identity Administration - Credential Management - Card Management

• A card management tool manages the life cycle of smart cards (or smart USB tokens) and the credentials stored on the cards:
  • Issuance/provisioning
  • Replacement
  • Retirement/revocation
  • Credential update
  • Applet management
• The credentials managed are typically PKCs.
  • Some card management tools can manage other onboard credentials, such as passwords, one-time password (OTP) credentials, biometric data and physical access control system (PACS) data.
• A card management tool is commonly called a card management system (CMS).
  • When the vendor focuses on USB tokens rather than on the cards themselves, it is called a token management system.

Page 65: Introduction to iam

Identity Administration - Credential Management - Shared Account Password Management

• Shared accounts are common in many organizations, each available for use by authorized individuals under the appropriate circumstances.
• The best practice is to avoid shared accounts:
  • Most situations that appear to demand this approach can be more elegantly and securely addressed by using personal accounts.
• However, every organization will need some types of shared accounts, like:
  • Shared superuser accounts in OSs — such as Administrator in Windows, root in Unix OSs, IBMUSER in z/OS — and similar pre-defined administrator accounts in applications and databases.
  • Administrator-defined user accounts intended for use by any approved individual in special circumstances.
    • One example is the "fire call" accounts used by application development, operations or other support staff to resolve critical problems outside normal working hours.

Page 66: Introduction to iam

Identity Administration - Credential Management - Shared Account Password Management

• A shared account password management (SAPM) tool:
  • Securely manages passwords for shared accounts across a broad range of target systems.
  • Allows only authorized users to retrieve the passwords when needed.
  • Eliminates the risks posed by passwords for shared accounts being shared by multiple users.
  • Improves accountability and supersedes fragile manual processes.
• It could also manage passwords for service accounts used for application-to-application or application-to-database communication,
  • in place of passwords that are hard-coded within the calling applications or are held in plain text in configuration files.
  • In this use case, SAPM stands for "service account password management," and provides a secure password store, automatic password currency and synchronization, and enables applications to retrieve passwords when required using an API.

Page 67: Introduction to iam

Identity Administration
IT Service Management Integration

• Provisioning an application environment includes the hardware, software and other technology devices that traditionally are the province of IT service management, not just end users.
• In addition, Web services are changing the "who" in "who's accessing the application," so that processes and transactions may need to be uniquely identified.
• Enterprises are expanding their views of which objects need a unique identity and, thus, need to be managed.
  • Identity management solutions don't adequately address non-user objects.
  • Configuration, asset and change management solutions don't address the end user.

Page 68: Introduction to iam

Identity Administration
IT Service Management Integration

• However, there is little technical integration between identity administration and ITSM tools, other than where IAM vendors have their own ITSM tools.
  • Integration between password management tools and service desk tools is fairly common; additionally, some user-provisioning tools can externalize request/approval workflow to service desk tools or other kinds of tools that support BPML.
• Nevertheless, the ITSM experience, especially stemming from the IT Infrastructure Library, is leading to a process-oriented approach to identity administration (and IAM in general), especially in Europe.

Page 69: Introduction to iam

Identity Administration
Delegated And Self-service Admin.

• Delegated Administration
  • Delegated administration can also occur within an organization, where trusted individuals within different departments manage a subset of an organization's identity store.
• Self-Service Administration
  • For typical users such as employees, there are many user attributes that are not security related; an organization may consider allowing users to modify such attributes.

Page 70: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

• Directory Technologies

• Identity Administration

Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 71: Introduction to iam

Identity Auditing: Introduction

• Identity auditing is the process of
  • documenting,
  • reviewing and approving (workflow)
  • identity information and access controls (roles, segregation of duties rules and entitlements)
  • for business applications and associated infrastructure components.
• Identity auditing is crucially important to IAM governance in general and to regulatory compliance in particular.

Page 72: Introduction to iam

Identity Auditing Scope

• The scope of identity auditing can be illustrated informally by the following questions:
  1. Who has access to what?
  2. Who should have access to what? (That is, how well does actual access match a predefined policy or access model?)
  3. Who reviewed and approved what? (This is referred to as "attestation.")
  4. Who accessed what?
• Without automation, producing reports and performing management reviews are laborious and expensive tasks.

Page 73: Introduction to iam

Identity auditing
Identity Auditing Tools

• Two key identity administration tools provide some identity auditing capabilities:
  • User-provisioning tools (or stand-alone modules associated with them) for question No. 1 and No. 3 and sometimes No. 2;
  • Role management tools for No. 1 and sometimes No. 2.
• Identity-based network access control (NAC) products have been used for No. 1 and a limited view of No. 2.

Page 74: Introduction to iam

Identity auditing
Identity Auditing Tools

• Other tools with a key functional focus on audit capabilities include:
  • Security information and event management (SIEM) products, which are increasingly used for No. 4; other monitoring tools also can be useful here.
  • Segregation of duties (SOD) controls within ERP tools, which identify the SOD conflicts within those complex applications, a special case of No. 1.
  • Finally, specialized identity auditing tools fill the gap between what identity administration tools can provide and these needs.

Page 75: Introduction to iam

Identity Auditing: Specialized Tools

• Specialized identity auditing tools focus on identity-auditing needs — the ability to answer the questions listed above — that are poorly served by identity administration tools.
• Reporting on access assigned to users and applications — No. 1: Who has access to what? — will remain an ongoing need in information security and compliance/risk management programs.

Page 76: Introduction to iam

Identity Auditing: SOD Controls within ERP

• Largely driven by regulatory compliance requirements, organizations are looking to address SOD issues within their enterprise applications.
• These projects typically start with resolving SOD issues in financial transactions, usually embodied in ERP applications such as those offered by SAP and Oracle.
• Technology controls to address the problem include:
  • Identifying and reducing SOD conflicts within ERP application-level functional permissions.
  • Provisioning support — preventing new SOD conflicts through integration with user provisioning and role management processes.
  • Transaction monitoring — identifying SOD violations by automatically monitoring for transactions that indicate inappropriate behavior.
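The three control types just listed can be shown as three small functions over the same rule set. The Python below is an added example, not code from the deck or from any SOD product it names: the toxic-combination rules, the permission names, the users and the transaction log are constructed. The first function finds users who already hold a conflicting pair (the detective control), the second refuses a grant that would create one unless a documented exception exists (the preventive, provisioning-time control), and the third catches a user who actually executed both halves of a pair on the same business object, which is the case the first two miss when access was obtained outside the provisioning process.

```python
"""Segregation-of-duties (SOD) controls mirroring the three control types above: detect
conflicts in assigned permissions, refuse a grant that would create one, and spot a user
who actually performed both halves of a toxic pair. Added example, not from the deck;
rules, permission names, users and the transaction log are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, str, str]   # (permission A, permission B, why the pair conflicts)

SOD_RULES: List[Rule] = [
    ("erp:vendor_create", "erp:payment_release", "create a vendor and pay it"),
    ("erp:journal_post", "erp:journal_approve", "post and approve the same journal"),
    ("hr:payroll_edit", "hr:payroll_run", "change pay data and run payroll"),
]

# Constructed current assignments and transaction log (user, action, business object)
USERS: Dict[str, Set[str]] = {
    "alice": {"erp:vendor_create", "erp:gl_view"},
    "bob": {"erp:vendor_create", "erp:payment_release"},
    "carol": {"erp:journal_post"},
}
TX_LOG: List[Tuple[str, str, str]] = [
    ("alice", "erp:vendor_create", "V-100"),
    ("bob", "erp:payment_release", "V-100"),
    ("bob", "erp:vendor_create", "V-200"),
    ("bob", "erp:payment_release", "V-200"),
    ("carol", "erp:journal_post", "J-7"),
    ("dave", "erp:journal_approve", "J-7"),
]


class SODViolation(Exception):
    pass


def conflicts_in(entitlements: Set[str], rules: List[Rule] = SOD_RULES) -> List[Rule]:
    """Control 1: toxic pairs present inside one user's permissions."""
    return [r for r in rules if r[0] in entitlements and r[1] in entitlements]


def detect_existing(users: Dict[str, Set[str]],
                    rules: List[Rule] = SOD_RULES) -> Dict[str, List[Rule]]:
    """Report every user who already holds a conflicting combination."""
    report = {}
    for user, ents in users.items():
        found = conflicts_in(ents, rules)
        if found:
            report[user] = found
    return report


def grant(users: Dict[str, Set[str]], user: str, entitlement: str,
          rules: List[Rule] = SOD_RULES,
          approved_exceptions: Iterable[Tuple[str, str]] = ()) -> Set[str]:
    """Control 2 (provisioning support): apply the grant only if the resulting permission
    set has no conflict, other than pairs for which an exception was explicitly approved."""
    proposed = users.get(user, set()) | {entitlement}
    exceptions = set(approved_exceptions)
    blocking = [r for r in conflicts_in(proposed, rules) if (r[0], r[1]) not in exceptions]
    if blocking:
        raise SODViolation(f"{user}: granting {entitlement} would allow "
                           f"{[r[2] for r in blocking]}")
    users[user] = proposed
    return proposed


def monitor_transactions(log: Iterable[Tuple[str, str, str]],
                         rules: List[Rule] = SOD_RULES) -> List[Tuple[str, str, str]]:
    """Control 3 (transaction monitoring): a user who performed both halves of a rule on
    the same business object, regardless of what they were supposed to be able to do."""
    seen = set(log)
    hits = []
    for user, action, obj in sorted(seen):
        for a, b, why in rules:
            if action == a and (user, b, obj) in seen:
                hits.append((user, obj, why))
    return hits
```

On the constructed data, bob is reported by the detective control and also produces the only transaction-level hit (vendor V-200, which he both created and paid), while the alice/bob split on V-100 and the carol/dave split on J-7 are exactly the separations the rules are meant to enforce.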

Page 77: Introduction to iam

Identity Auditing
SOD Controls within ERP

• SOD tools are becoming mainstream, but these tools remain expensive and complex to maintain.
• In the longer term:
  • SOD should become part of a broader control management framework and strategy.
  • Automated SOD analysis should be integrated into the automated provisioning of users and roles within identity management.
• Representative Vendors
  • Approva, LogicalApps (Oracle), SAP (acquisition of Virsa Systems)

Page 78: Introduction to iam

Identity Auditing - Security Information and Event Management (SIEM)

• SIEM tools and services deliver two basic capabilities:
  • Security information management (SIM)
  • Security event management (SEM)
• Security information management (SIM) provides reporting and analysis of data
  • primarily from host systems and applications,
  • and secondarily from security devices, to support security policy compliance management, internal threat management and regulatory compliance initiatives.
• SIM can be used to support the activities of the IT security, internal audit and compliance organizations.
• Storage, correlation and reporting of selected host and application data is available from managed security service providers (MSSPs).

Page 79: Introduction to iam

Identity Auditing - Security Information and Event Management (SIEM)

• Security event management (SEM) improves security incident response capabilities.
• SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations.
• SEM helps IT security operations personnel be more effective in responding to external and internal threats.
• Remotely managed SEM functions for firewalls, intrusion detection systems, intrusion prevention systems and related perimeter- and host-monitoring technologies are available from MSSPs.

Page 80: Introduction to iam

Identity Auditing - Security Information and Event Management (SIEM)

• A SIEM tool enables an organization
  • to analyze security event data in real time (for threat management, primarily in network events)
  • to analyze and report on log data (for security policy compliance monitoring, primarily in host and application events).
• SIEM technology
  • can collect user activity (resource access) data from systems and applications
  • can be used to track user activity across the network and multiple systems and applications.
• This technology provides the ability to associate an individual with a device, network address and the associated network login IDs and subsequent resource access.
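The last bullet, tying an individual to a device, a network address, the login IDs used from it and the resources then accessed, is a correlation over several log sources. The Python below is an added example, not code from the deck or from any SIEM product: the log format, the three sources (VPN address lease, host logon, application access) and every event are constructed. It replays the events in time order, tracks who holds each address, attributes each resource access to that person, and separates out accesses from an address nobody held at the time, which is the case a correlation must not silently assign to the previous holder.

```python
"""Correlating identity, network address and resource access across log sources
(added example, not from the deck). Log format and events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log lines: VPN (lease of an address to a person and device),
# host logon (login ID seen from an address) and application access.
LOGS = [
    "2016-10-03T08:01:12Z src=vpn event=assign user=jdoe device=LT-4431 ip=10.8.0.12",
    "2016-10-03T08:03:40Z src=host host=fin-app01 event=logon login=fin_jdoe ip=10.8.0.12",
    "2016-10-03T08:05:02Z src=app app=erp event=access login=fin_jdoe resource=/gl/journal/post ip=10.8.0.12",
    "2016-10-03T08:30:45Z src=app app=erp event=access login=svc_batch resource=/gl/export ip=10.8.0.12",
    "2016-10-03T09:10:00Z src=vpn event=release user=jdoe ip=10.8.0.12",
    "2016-10-03T09:20:00Z src=app app=erp event=access login=svc_batch resource=/gl/export ip=10.8.0.12",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into a dict with a parsed UTC timestamp."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def correlate(lines):
    """Replay events in time order, track which person holds each address, and
    attribute every resource access to that person."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    leases = {}                    # ip -> (person, device) while a VPN lease is held
    trail = defaultdict(list)      # person -> resource accesses attributed to them
    login_ids = defaultdict(set)   # person -> login IDs seen from their address
    unattributed = []              # accesses from an address nobody held at the time
    for e in events:
        when = e["ts"].strftime("%H:%M:%S")
        if e["src"] == "vpn" and e["event"] == "assign":
            leases[e["ip"]] = (e["user"], e.get("device", "unknown"))
        elif e["src"] == "vpn" and e["event"] == "release":
            leases.pop(e["ip"], None)
        elif e["event"] in ("logon", "access"):
            holder = leases.get(e["ip"])
            if holder is None:
                if e["event"] == "access":
                    unattributed.append((when, e["login"], e["resource"]))
                continue
            person, device = holder
            login_ids[person].add(e["login"])
            if e["event"] == "access":
                trail[person].append((when, device, e["ip"], e["login"], e["resource"]))
    return {
        "trail": dict(trail),
        "login_ids": {p: set(s) for p, s in login_ids.items()},
        "unattributed": unattributed,
    }
```

The second access by the service account svc_batch lands in the unattributed list because the VPN lease had been released; the first one is attributed to jdoe, which is the kind of evidence that lets a shared or service account be traced back to a person, as the shared account password management slides earlier require.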

Page 81: Introduction to iam

Identity Auditing - Security Information and Event Management (SIEM)

• SIM requirements (to support regulatory compliance initiatives) have replaced SEM as the primary driver for SIEM project funding for in-house deployment.
• SEM remains the primary driver for outsourcing with MSSPs, although several MSSPs are introducing SEM service offerings to address this market.
• This means, fundamentally, that
  • organizations are placing more emphasis on IAM event monitoring and reporting
  • SIEM tools remain important within threat and vulnerability management.
• Major IAM vendors have made SIEM acquisitions during the past few years.

Page 82: Introduction to iam

Identity Auditing
Other Monitoring Tools

• Some near-real-time-analysis tools have automated the process of detecting unusual user activity within specific circumstances and domains.
  • That is, they can answer question No. 4: "Who accessed what?"
• Each technology is designed specifically for a particular layer in the application stack,
  • but the technologies have limited or no visibility into related activities in other layers.
• More recently, new monitoring tools have been appearing that sit between users and the systems they access, in-line or "on box," and can capture user activity down to the keystroke level.
  • In addition to traditional alerting and reporting capabilities, these tools generally provide the ability to "replay" user activity.

Page 83: Introduction to iam

Enterprises can use SIEM tools to gain broad visibility across many layers.

• Database activity monitoring
  • Can be used to monitor database administration activity and database user access, especially when native database auditing is not enabled.
  • Vendors: Application Security, Guardium, IPLocks, Lumigent, Tizor
• Content monitoring and filtering (CMF)
  • Can be used to detect and prevent the inappropriate movement of sensitive data across the network, but detection is limited to what can be discovered via simple data pattern rules.
• Fraud detection
  • Can be used to monitor and stop suspect user activity at the access or transaction layer, but its scope is limited to the specific set of applications and business rules with which it interfaces.
  • Vendors and Products: RSA, VeriSign
• …

Page 84: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

• Directory Technologies

• Identity Administration

• Identity Auditing

Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 85: Introduction to iam

Identity Verification: Introduction

• It is critical for an organization to be able to verify, with an appropriate level of confidence, who it is allowing to access its systems.
  • Balanced with ease of use, because end users overwhelmed by security requirements may behave in ways that can reduce security.
• Includes technologies that broker authentication, or authenticated identities, and other identity information among diverse target systems or domains.

Page 86: Introduction to iam

Identity Verification
Ex: Mapping of Responsibilities

[Figure: responsibility mapping matrix; legend: Little/no involvement, Moderate involvement, Significant involvement]

Page 87: Introduction to iam

Identity Verification
Identity Proofing

• Identity proofing is the process by which an organization uniquely identifies a person before "provisioning an identity" to that individual:
  • assigning an identifier (name) and issuing an identity credential, and maybe other identity creation subprocess tasks, such as creating a user account.
• Identity-proofing services verify an individual's identity based on "life history" information aggregated from public or proprietary data sources.
• The most common use case for these services is to verify the identity of a new registrant in real time where face-to-face proofing is not possible and offline, back-end identity proofing is undesirable — typically in a business-to-consumer context.

Page 88: Introduction to iam

Identity Verification: Identity Proofing

• These services also might be used as an additional interactive user authentication or transaction verification method.
  • For example, to provide identity verification for self-service password reset, or to verify the identity of an individual before executing a high-value transaction.
• Service providers in this category have emerged during the past few years.
  • Identity-proofing services enable more-secure customer account opening and/or account registration, as well as verification of an identity during high-risk transactions, such as password reset, especially in a non-face-to-face environment.

Page 89: Introduction to iam

Identity Verification: Authentication

• Authentication is the process of proving the digital identity of a user or object to a network, application, or resource. Once authenticated, users can access resources based on their entitlements through the process of authorization.
• Examples of authentication techniques include:
  • User names and passwords
  • Personal identification numbers (PINs)
  • X.509 digital certificates
  • One-time passwords
  • Biometrics (for example, fingerprint or iris scans)

Page 90: Introduction to iam

Comparing Strong and Weak Authentication Techniques

• Authentication techniques can range from simple ones, where users provide passwords directly to applications or hosts, to much more complicated ones that use advanced cryptographic mechanisms to protect user credentials against potentially malicious applications and hosts.
• Providing a plaintext password (that is, one that is not encrypted in any way) to an application or host is considered the weakest authentication technique.
• Stronger authentication techniques protect the authentication credentials so that the host or resource to which the user authenticates does not know what the secret actually is.
  • Typically, this is done by cryptographically signing data with the secret password that is known only to the user and a trusted third party.
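The contrast on this slide can be made concrete with two login paths side by side. The Python below is an added example, not code from the deck or from any authentication product: the class names, the user and the secrets are assumptions, and the "trusted third party" is reduced to an in-process object. In the weak path the application host receives and stores the password itself. In the stronger path the host only relays a fresh challenge and the user's HMAC over it to the authentication server, which is the only place the secret lives; the challenge is single use, so an observed response cannot be replayed, and a wrong secret simply fails to verify.

```python
"""Weak vs. stronger authentication (added example, not from the deck): a plaintext
password check beside a challenge-response in which the application host never learns
the secret and a trusted third party verifies the HMAC over a single-use challenge.
Class and user names are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def weak_login(host_password_db: Dict[str, str], user: str, password: str) -> bool:
    """Weakest technique: the host receives and stores the secret itself."""
    stored = host_password_db.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


class AuthServer:
    """Trusted third party: the only place the shared secret lives."""

    def __init__(self, user_secrets: Dict[str, bytes]) -> None:
        self._secrets = user_secrets
        self._outstanding = set()      # challenges issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # fresh, unpredictable, single use
        self._outstanding.add(nonce)
        return nonce

    @staticmethod
    def sign(secret: bytes, nonce: str) -> str:
        return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

    def verify(self, user: str, nonce: str, response: str) -> bool:
        if nonce not in self._outstanding:
            return False               # unknown or already used: blocks replay
        self._outstanding.discard(nonce)
        secret = self._secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(self.sign(secret, nonce), response)


class Client:
    """The user's side: holds the secret and signs whatever challenge it is given."""

    def __init__(self, user: str, secret: bytes) -> None:
        self.user = user
        self._secret = secret

    def respond(self, nonce: str) -> str:
        return AuthServer.sign(self._secret, nonce)


class AppHost:
    """The resource being accessed: relays challenge and response, holds no secrets."""

    def __init__(self, auth: AuthServer) -> None:
        self.auth = auth

    def login(self, client: Client) -> Tuple[bool, str, str]:
        nonce = self.auth.challenge()
        response = client.respond(nonce)
        ok = self.auth.verify(client.user, nonce, response)
        return ok, nonce, response     # the host only ever sees the nonce and the HMAC
```

A compromised AppHost in the second path yields nothing reusable: it saw a random nonce and one HMAC over it, and the authentication server will not accept that pair a second time.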

Page 91: Introduction to iam

Identity Verification
Authentication Infrastructure

• A typical proprietary authentication method requires its own infrastructure components — an authentication server and so on.
• Where an organization is using a "portfolio" of authentication methods, a separate authentication server likely is demanded for each method.
• To reduce complexity, provide one policy decision point and simplify migrating to new authentication methods, an organization may deploy one of two authentication infrastructure technologies.

Page 92: Introduction to iam

Identity Verification
Authentication Infrastructure - VAS

• A versatile authentication server (VAS) is a single server (software or appliance) that supports multiple open and proprietary authentication methods.
• At a minimum, it will support authentication using PKCs and one of the two industry standard OTP authentication methods:
  • Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP)
  • Europay, MasterCard and Visa Chip Authentication Program.
• In addition to providing support for any of the vendor's own proprietary methods, the VAS should have an extensible architecture to enable third-party authentication methods to be "plugged in" as needed.
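The OATH method a VAS must support at minimum is HOTP, defined in RFC 4226: an HMAC-SHA-1 over an 8-byte counter, dynamically truncated to a 6-digit code. The Python below is an added example, not code from the deck or from any VAS product. The secret and the ten expected codes are the RFC 4226 test vectors; the verifier class, its look-ahead window and the token records are assumptions. The verifier advances the stored counter only on success, so an accepted code (or any earlier one) can never be presented again, and it tolerates a few codes the user generated but never submitted.

```python
"""OATH HOTP (RFC 4226) as a versatile authentication server would verify it (added
example, not from the deck). The look-ahead window and the token records are
assumptions; the secret and expected codes below are the RFC 4226 test vectors."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

RFC4226_SECRET = b"12345678901234567890"   # test-vector key from RFC 4226 appendix D
RFC4226_CODES = ["755224", "287082", "359152", "969429", "338314",
                 "254676", "287922", "162583", "399871", "520489"]


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side: one counter per token, advanced only on success, with a small
    look-ahead window to tolerate codes the user generated but never submitted."""

    def __init__(self, tokens: Dict[str, bytes], window: int = 5) -> None:
        self._secret = dict(tokens)
        self._counter = {user: 0 for user in tokens}
        self.window = window

    def verify(self, user: str, code: str) -> Optional[int]:
        """Return the matching counter value and resync to it, or None when rejected."""
        secret = self._secret.get(user)
        if secret is None:
            return None
        start = self._counter[user]
        for c in range(start, start + self.window + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                self._counter[user] = c + 1      # codes at or below c can never be reused
                return c
        return None
```

Rejecting a code behind the stored counter is what makes HOTP replay-resistant; the window is a usability concession that should be kept small, because each extra counter value is one more code the verifier will accept.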

Page 93: Introduction to iam

Identity Verification
Authentication Infrastructure - ITCAS

• An "in the cloud" authentication service (ITCAS), which relies on a managed service provider that absorbs the complexity of managing different infrastructures for different authentication methods, is a viable alternative for some enterprises.
• An ITCAS likely will be favored for online consumer security, in which the service provider can offer complementary services, such as fraud detection.
• Vendors
  • RSA, VeriSign (and many third-party service providers, including telcos)

Page 94: Introduction to iam

Identity Verification
SSO

• Many enterprises are interested in simplifying resource access for employees, customers, partners or other stakeholders.
• Single Sign-On is "a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where that user has access permission, without the need to enter multiple passwords". (Open Group)
• SSO at the application level involves establishing a "session" between the client and server that allows the user to keep using the application without providing a password every time they take an action within the application.

Page 95: Introduction to iam

Identity Verification
Single Sign-On

• Single sign-on (SSO) technologies enable users to authenticate once and automatically be signed on to other target systems.
• These technologies include:
  • Kerberos
  • Active Directory (AD)/Unix integration tools
  • ESSO
  • Bundled, smart-token-based SSO
  • Web SSO
  • Secure Sockets Layer (SSL) virtual private networks (VPNs)

Page 96: Introduction to iam

Identity Verification
The many flavors of SSO

Enterprise SSO
  • User community: Employees
  • Application types: Desktop; Browser-based
  • Architecture and implementation: Protected password vault; Credential form fill

Web SSO
  • User community: Employees; Partners; Customers
  • Application types: Browser-based
  • Architecture and implementation: HTTP session management; Application security shims; Role or Rule Based Access Control; Single security domain; User accounts required

Federated SSO
  • User community: Employees; Partners; Customers
  • Application types: Browser-based; Web services
  • Architecture and implementation: Identity assertions; Role and attribute exchange; Spans security domains; User accounts not required

Page 97: Introduction to iam

Identity Verification
Is SSO safe? Yes!

Network login
  • Status quo: Simple password, or strong password written down
  • Enterprise SSO: Strong password, only one to remember
Application login
  • Status quo: Simple password, or password written down; static, seldom changing
  • Enterprise SSO: Strong password; often changing, if desired
Number of logins
  • Status quo: Many
  • Enterprise SSO: One
Password reuse
  • Status quo: "User-synchronized" passwords
  • Enterprise SSO: None
Help desk burden
  • Status quo: Lots of password reset calls
  • Enterprise SSO: Few reset calls

Page 98: Introduction to iam

Identity Verification
Federation - Trust

• The concept of trust is becoming more important as organizations continue to share resources with their business partners.
• The ability to establish trust between independently administered systems is crucial for IT systems to support the required level of data exchange.
• Trust enables secure authentication and authorization of digital identities between autonomous information systems with less management overhead.

Page 99: Introduction to iam

Identity Verification
Federation - Trust Mechanisms

• The mechanisms of trust are complicated because there are many tasks that must happen between independent organizations to make the authentication and subsequent authorization processes useful.
• The trusting organization needs to have a secure mechanism to communicate with the trusted organization.
• Once the trusting organization has authenticated the foreign digital identity, it must incorporate the entitlement information about that foreign account into the authorization process within the trusting organization.

Page 100: Introduction to iam

Identity Verification
Federation

• A federation is a special kind of trust relationship established beyond internal network boundaries between distinct organizations.
• Federation enables the secure authentication and authorization of digital identities between autonomous information systems based on the principle of trust.
• For example, a user from company A can use information available at company B because there is a federated trust relationship between the two companies.

Page 101: Introduction to iam

Identity Verification
Federation - Identity Federation

• Federated Identity allows customers, partners and end-users to use applications/services without having to constantly authenticate or identify themselves to the services within their federation.
  • This applies both within the corporation and across the Internet.
• Federation enables identities to be shared and propagated between different systems.
  • Allows individuals to "log in" once to access resources on networks of different enterprises.
  • No need for central storage of personal information.
  • Each organization authenticates its respective users and vouches for their access to third-party organizations' services.
• This idea is popular because it can remove/simplify the requirement for administration of many different accounts.

Page 102: Introduction to iam

Identity Verification
Federated Identity Management

• Federation can be viewed as an extension of identity management principles beyond the borders of the enterprise.
  • The goals of federation extend well beyond merely increasing convenience for users of resources to minimizing the costs of and management requirements for identity in the connected world.
• Federated identity management offers a standards-based means of achieving these goals by
  • enabling one organization (the identity provider) to provide information about a managed identity
  • to another organization (the identity consumer, service or resource provider).
• Each organization included in the "community of trust" tracks the identities of individuals who are most central.

Page 103: Introduction to iam

Identity Verification

Federated Identity Management

• Once the individuals have been authenticated by their own organizations, these individuals can access other organizations' resources without reauthentication being required.

• Federated identity management is positioned to provide a foundation for consumer and business identification and eventually personal identity frameworks (PIFs) supporting e-business and other applications.
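An added example (not from the deck) of the exchange slides 99 to 103 describe: the identity provider at company A authenticates a user and signs an assertion; the service provider at company B checks it against its trust store, then maps the foreign groups onto its own permissions. The HMAC-signed JSON payload, the `trusted_idps` store and the `group_map` table are assumptions standing in for a signed SAML assertion and the partner configuration a federation product would hold.

```python
import hashlib
import hmac
import json
import time

# Constructed example. The HMAC over a JSON payload stands in for the XML
# signature on a SAML assertion; a real deployment would verify against the
# IdP's signing certificate rather than a shared secret.


def issue_assertion(issuer, key, subject, audience, groups, now=None, lifetime=300):
    """IdP side (the trusted organization): vouch for an authenticated user."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "groups": sorted(groups)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class ServiceProvider:
    """SP side (the trusting organization)."""

    def __init__(self, audience, trusted_idps, group_map):
        self.audience = audience
        self.trusted_idps = trusted_idps  # issuer -> verification key: the trust relationship
        self.group_map = group_map        # (issuer, foreign group) -> local permissions

    def verify(self, assertion, now=None):
        """Accept the foreign identity only if issuer, signature, audience and time window pass."""
        now = time.time() if now is None else now
        claims = json.loads(assertion["payload"])
        key = self.trusted_idps.get(claims.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            raise ValueError("bad signature")
        if claims.get("aud") != self.audience:
            raise ValueError("assertion not issued for this service")
        if not claims["iat"] <= now < claims["exp"]:
            raise ValueError("assertion outside its validity window")
        return claims

    def permissions(self, claims):
        """Map the foreign account's entitlements into the local authorization model."""
        perms = set()
        for group in claims["groups"]:
            perms |= self.group_map.get((claims["iss"], group), set())
        return perms

    def is_allowed(self, assertion, permission, now=None):
        return permission in self.permissions(self.verify(assertion, now=now))


# Constructed partner configuration, exchanged out of band when the federation was set up.
IDP_A = "https://idp.company-a.example"
KEY_A = b"company-a-idp-secret"
SP_B = ServiceProvider(
    audience="https://portal.company-b.example",
    trusted_idps={IDP_A: KEY_A},
    group_map={(IDP_A, "engineering"): {"wiki:read", "wiki:write"},
               (IDP_A, "contractors"): {"wiki:read"}},
)
```

An assertion from an issuer absent from `trusted_idps`, one whose audience is another service, or one presented outside its validity window is rejected before any entitlement is mapped.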

Page 104: Introduction to iam

Identity Verification

Federated Identity Management

• Benefits

• Secure integration with partners

• Reduce administration cost

• Deliver improved end user experience

• Features

• Seamless SSO and Identity Sharing

• Multi-protocol gateway – SAML, Liberty, WS-Federation

• Service Provider or Identity Provider

• Flexible deployment configurations

• Standalone for use with pre-existing web-access management solution

• Protocol SDK for custom applications


Page 105: Introduction to iam

Identity Verification

Personal Identity Frameworks

• PIF developers have created hype around terms such as "user centric identity," "Identity 2.0" and the "Identity Metasystem."

• These terms attach to a set of architectural constructs and technical product components that

• Augment rather than replace IAM architectures

• Are intended to provide users with control of their identity attributes when registering and accessing online services.

• Client identity selectors, Web site integration components and service definition and discovery components are common among different developers' PIF implementations.

Page 106: Introduction to iam

Identity Verification

Personal Identity Frameworks

• PIFs can:

• Reduce users' data entry burdens when registering and revisiting service providers, and can increase users' willingness to provide personal information because it is more convenient to do so.

• Provide RSOs for business contexts (sets of related services) where credentials can be shared.

• Provide a common user experience for selecting the appropriate digital identities (each an identifier and a set of attributes) and providing them to service providers

• Provide a standard development framework for developers that can be abstracted from and can make use of disparate identity protocols and identity repositories.

Page 107: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

• Directory Technologies

• Identity Administration

• Identity Auditing

• Identity Verification

Access Management

• IAM Framework And Process

• Conclusion


Page 108: Introduction to iam

Access Management

Definition

Perimeter Security: Establishes a barrier to keep malicious attacks from affecting the productivity of the organization

Access Security: Provides regulated access to the business resources users need to perform their duties

Page 109: Introduction to iam

Access Management

Introduction

• Organizations must control access to systems and content so that end users can contribute to business productivity and profitability without compromising security.

• Centralizing policy administration and decision points improves consistency and ease of management

Page 110: Introduction to iam

Access Management

Key Technologies

• WAM tools provide centralized administration, authentication and authorization services for multiple, Web-based applications, internal or external to the organization.

• These tools also can provide some non-Web resource access controls. WAM tools increasingly support simple, standards-based identity federation and Web services access control models.

• OS Access Management

• These tools are to OSs what WAM tools are for Web applications — that is, they provide centralized administration, authentication and authorization services for multiple OS instances.

• Products typically focus on Windows, or Unix and Linux OSs, but rarely both.

Page 111: Introduction to iam

Access Management

OS Access Management

• Superuser Privilege Management (SUPM)

• Superuser privilege management tools permit individual users partial superuser privileges or temporary full superuser privileges as needed.

• Some OS access management tools, including the z/OS ESMs, embed SUPM capabilities.

Page 112: Introduction to iam

Access Management

Authorization Management

• Authorization is the process of determining whether a digital identity is allowed to perform a requested action.

• Authorization occurs after authentication, and maps attributes associated with the digital identity (such as group memberships) to access permissions on resources to identify which resources the digital identity can access.

• Different platforms use different mechanisms for storing authorization information.

• Access Control List

• Security Group

• Roles

• Rules

Page 113: Introduction to iam

Access Management - Authorization Techniques -

Access Control Lists

• The most common authorization mechanism is known as an access control list (ACL), which is a list of digital identities along with a set of actions that they may perform on the resource (also known as permissions).

• Actions are typically defined relative to the type of object the ACL protects.

• For example, a printer might allow actions such as “print” or “delete job” while a file might allow actions such as “read” and “write.”

Page 114: Introduction to iam

Access Management - Authorization Techniques -

Security Groups

• Operating systems that support large numbers of users typically support security groups, which constitute a special type of digital identity.

• Using security groups reduces the management complexity of dealing with thousands of users in a large network.

• Security groups simplify management because an ACL can have a few entries specifying which groups have a specific level of access to an object.

• With careful group design, the ACL should be relatively static. You can easily change authorization policy for many objects at a time by manipulating the members of a group maintained by a centralized authority, such as a directory.

• Nesting groups within each other increases the flexibility of the group model for managing authorization.

Page 115: Introduction to iam

Access Management - Authorization Techniques -

Roles (RBAC)

• Many applications use the term role to refer to a user classification.

• Roles can also be based on dynamic, run-time decisions that provide more flexibility.

• Roles are used to build business-driven logic to grant access rights, which is almost impossible to configure with ACL-type mechanisms.

• Roles can be defined either globally, such as by group memberships in a directory, or with application code that determines role membership based on a dynamic query.
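An added example (not from the deck) that works through the three authorization techniques of slides 113 to 115 together: an ACL whose entries are users or security groups, nested group resolution through a directory, and a role computed by a run-time query over attributes, which the ACL alone cannot express. The directory, the two ACLs and the role rules are constructed sample data.

```python
# Constructed directory: security groups are identities too, and may nest.
DIRECTORY = {
    "finance": {"alice", "bob"},
    "finance-leads": {"carol"},
    "it-ops": {"erin"},
    "all-staff": {"finance", "finance-leads", "it-ops", "dave"},  # nested groups
}

# ACLs: identity (user or group) -> actions permitted on that object. Actions
# are relative to the object type, as on slide 113 (printer vs. file).
PAYROLL_FILE_ACL = {"finance-leads": {"read", "write"}, "finance": {"read"}}
PRINTER_ACL = {"all-staff": {"print"}, "it-ops": {"print", "delete job"}}


def members(group, directory, _seen=None):
    """Users in a group, following nested groups; cycle-safe."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in directory.get(group, ()):
        users |= members(m, directory, seen) if m in directory else {m}
    return users


def identities(user, directory):
    """The user plus every group containing them, directly or transitively."""
    return {user} | {g for g in directory if user in members(g, directory)}


def acl_allows(acl, user, action, directory=DIRECTORY):
    """ACL check: any entry for one of the user's identities granting the action suffices."""
    return any(action in acl.get(i, set()) for i in identities(user, directory))


# Roles: business-driven logic evaluated at run time from attributes.
# Role -> (object, action) pairs it grants. Constructed rules.
ROLE_GRANTS = {"payroll-approver": {("payroll", "approve")},
               "auditor": {("payroll", "read"), ("ledger", "read")}}


def dynamic_roles(attrs, hour):
    """Run-time role query: approvals only by finance leads during business hours."""
    roles = set()
    if attrs.get("department") == "finance" and attrs.get("lead") and 9 <= hour < 18:
        roles.add("payroll-approver")
    if attrs.get("department") == "audit":
        roles.add("auditor")
    return roles


def role_allows(attrs, hour, obj, action):
    """RBAC check: does any role the principal currently holds grant (obj, action)?"""
    return any((obj, action) in ROLE_GRANTS[r] for r in dynamic_roles(attrs, hour))


if __name__ == "__main__":
    print(acl_allows(PAYROLL_FILE_ACL, "alice", "write"))  # False: finance is read-only
    print(acl_allows(PRINTER_ACL, "alice", "print"))       # True via finance -> all-staff
    print(role_allows({"department": "finance", "lead": True}, 10, "payroll", "approve"))  # True
```

Changing who may approve payroll means editing the group or the role rule once, not touching every object's ACL, which is the static-ACL point of slide 114.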

Page 116: Introduction to iam

Access Management

Authorization Management

• Authorization traditionally is handled by an ACS specific to a platform, application, network component and device, with little or no compatibility among them.

• This "siloed" and fractured approach to authorization is disjointed from the centralized approach that organizations previously have taken for administration and (to a degree) authentication.

• Emerging authorization management tools provide a more consistent approach.

• These tools can administer fine-grained authorization policies, make policy decisions and, optionally, enforce these policies across a range of disparate target systems.

• Enforcement is better kept at the platform, application, network and device levels to avoid a performance bottleneck.

Page 117: Introduction to iam

Access Management

Authorization Management

• There is not yet one kind of authorization management tool; rather, there are a few complementary kinds, each appropriate to different data and application types.

• This is the Grail of IAM …

Page 118: Introduction to iam

Access Management

Content Access Management

• Content access management (CAM) embraces technologies that provide protection to structured and unstructured data within or outside the confines of a system that provides access management capabilities, namely encryption and enterprise digital rights management (EDRM).

• Encryption

• Encryption can be applied to data at rest within organizations' networks or on notebook PCs, or to data in motion.

• File encryption is typically the least expensive way to protect documents from unauthorized insiders, including system administrators.

• EDRM

• Applied to enterprise messaging, documents and other intellectual property to protect against intellectual property loss and inappropriate or unintended disclosure of proprietary or confidential enterprise information.

Page 119: Introduction to iam

Access Management

Network Access Control Challenges

• Anywhere access to business applications and data

• Expanding access to more users and device types cost-effectively

• Prevent downtime and business loss from security breaches

• Meet or exceed security, privacy and regulatory concerns

Figure: access from a Mobile PDA, a Partner Machine, a Corporate Laptop and a Home Computer.

Page 120: Introduction to iam

Access Management

NAC Customer Problems

Figure (network diagram): endpoints (Mobile PDA, Home Computer, Partners, Corporate Laptop, Desktops & Phones, Local Users) reach File Servers, Web or App Servers, Web Services and Email Servers over the Internet, through firewalls and an Access Gateway (Advanced Access Control, Hardened Appliance).

Problems called out on the diagram:

• Endpoint security, identification, and integrity validation

• Centralized access control to all IT resources

• Control over how information and applications can be used

• Consistent user experience despite bandwidth, latency and device idiosyncrasies

• Cannot access from behind firewalls

• Access from widely varying devices

• Minimize re-authentication on re-connect

• Need access to all internal IT resources

Page 121: Introduction to iam

Access Management

NAC Customer Problems

• NAC is a mix of hardware and software technologies that dynamically control client systems' access to networks based on their compliance with policy.

• Current challenges:

• Complexity: competing architectures and non-interoperable solutions

• Fragmentation: too many islands of policy

• Upfront costs exceed benefits

• Insufficient connection with business needs

Page 122: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

• Directory Technologies

• Identity Administration

• Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

• Conclusion


Page 123: Introduction to iam

IAM Frameworks and Processes

IAM Functional View

• Administration provides a way to view and manage user identities and access.

• Authentication ensures that users are properly identified and that these identities are verified to IT resources.

• Authorization ensures that users can access only what their job functions allow them to access within the company (see Note 1).

• Auditing ensures that the activities associated with user access are logged for day-to-day

• Administration and real-time enforcement (authentication and authorization)

• Monitoring, regulatory and investigative purposes.

Page 124: Introduction to iam

IAM Frameworks and Processes

IAM Functional View


Page 125: Introduction to iam

IAM Frameworks and Processes

IAM Functional View

Applications

• Windows Clients

• Middle-Tier Services

• Mainframe Applications

• Web Applications

• Web Services

Access Management

• Authentication Techniques

• Authorization Methods

• Trust

• Federation

• Audit

Identity Management

• Provisioning

• Deprovisioning

• Self-Service

• Delegated Administration

• Credential Management

Directory Services

• Identity Data Stores

• Identity Integration Services

Data Ownership

• Data Stewardship

• Account Management

• RBAC

• Auditing

Governance

• Executive Sponsor

• Security Administration

• Security Policy

• Security Guidelines

• Security Standards

Page 126: Introduction to iam

Ex: Enterprise Services Framework

Figure (Identity and Access Management Framework): Enterprise Services (Client Registration, Self-Service, Delegated Administration, Federation, Authentication, Authorization, Business Rules and Policy, Auditing and Reporting, Consolidated Identity Data, Identity Access) provide Leveragability, Sustainability, Consistency and Simplification, which drive Regulatory Compliance, Optimized Business Operations, Reduced Administrative Cost and an Enhanced Security Posture.

Page 127: Introduction to iam

Ex: IAM Framework

Figure components: Identity Lifecycle Management, Enterprise Directory, Identity & Access control enforcement, Audit & Tracking.

Identity Lifecycle Management: Managing (create, modify, delete) user accounts and user profiles that are linked to each person across the IT environment via a combination of user roles and business rules, through the employment lifecycle.

Enterprise Directory services: Providing global and consistent views of the company organization and the people working within, including the capability to abstract and automatically correlate data from HR, customer relationship management, and other “identity stores”.

Identity & Access control enforcement: Covering the technology, tools, and mechanisms to execute IS security policies and business rules to access IT system/application related data.

Audit & tracking: Covering the technology, tools, and processes supporting legal and regulatory requirements in terms of audit, log and tracking.

User Master Data: the common data related to personal information (e.g. first name, surname, email, User ID) referenced across multiple systems.

Authorization: the set of data elements a specific security principal (user, application, process) can access and the actions that can be taken on those data elements.

Authentication: the process of determining whether someone or something is who or what they declare themselves to be, so that access to protected resources can efficiently be granted or denied. Log-on is the user action of authenticating to a system.

Reconciliation: a comparison between « what is » against « what should be ». Reconciliation ensures consistency of information across various systems.
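An added example (not from the deck) of the reconciliation step the framework slide defines, which also serves the auditing function of slide 123: "what should be" is derived from the HR source of truth plus role-to-entitlement business rules, "what is" is an export of the target system, and the comparison reports orphan accounts, missing accounts and entitlement drift. The HR records, role rules and target export are constructed sample data.

```python
# Constructed sample data. HR is the authoritative source ("what should be");
# the target system export is "what is". Role -> entitlement rules are the
# business rules linking the two.
HR_RECORDS = {
    "u100": {"name": "Alice", "status": "active", "roles": {"finance"}},
    "u101": {"name": "Bob", "status": "terminated", "roles": {"finance"}},
    "u102": {"name": "Carol", "status": "active", "roles": {"finance", "finance-lead"}},
}
ROLE_ENTITLEMENTS = {
    "finance": {"ledger:read", "expense:submit"},
    "finance-lead": {"ledger:approve"},
}
TARGET_EXPORT = {  # account id -> entitlements actually held on the target system
    "u100": {"ledger:read", "ledger:approve"},  # extra approve, missing expense:submit
    "u101": {"ledger:read"},                    # Bob is terminated: orphan account
    "u103": {"ledger:read"},                    # unknown to HR: orphan account
    # u102 has no account at all: Carol cannot work
}


def expected_state(hr, role_entitlements):
    """Derive 'what should be': one account per active person, entitlements from roles."""
    expected = {}
    for uid, rec in hr.items():
        if rec["status"] != "active":
            continue  # leavers should hold no account at all
        ents = set()
        for role in rec["roles"]:
            ents |= role_entitlements.get(role, set())
        expected[uid] = ents
    return expected


def reconcile(expected, actual):
    """Compare expected against actual and report every class of discrepancy."""
    report = {
        "orphan_accounts": sorted(set(actual) - set(expected)),
        "missing_accounts": sorted(set(expected) - set(actual)),
        "extra_entitlements": {},
        "missing_entitlements": {},
    }
    for uid in set(expected) & set(actual):
        extra = actual[uid] - expected[uid]
        missing = expected[uid] - actual[uid]
        if extra:
            report["extra_entitlements"][uid] = sorted(extra)
        if missing:
            report["missing_entitlements"][uid] = sorted(missing)
    return report


def reconcile_hr_against_target(hr=HR_RECORDS, roles=ROLE_ENTITLEMENTS, target=TARGET_EXPORT):
    return reconcile(expected_state(hr, roles), target)


if __name__ == "__main__":
    for finding, detail in reconcile_hr_against_target().items():
        print(f"{finding}: {detail}")
```

Orphan accounts and extra entitlements are the findings an access certification campaign exists to catch; missing accounts and entitlements show where provisioning has fallen behind.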

Page 128: Introduction to iam

Plan

• Introduction to IAM

• Key Technology Areas

• Directory Technologies

• Identity Administration

• Identity Auditing

• Identity Verification

• Access Management

• IAM Framework And Process

Conclusion


Page 129: Introduction to iam

Benefits of IAM

• Visibility of end-to-end cycle for user account creation, modification, termination

• Ability to properly (un)validate every user

• Improve user experience through self-service, password reset, SSO

• Achieve compliance via policy enforcement, automated user entitlement reviews (audit)

• Reduce administrative effort and cost

• Ability to expand business model through Federation

• Increase application time-to-market by leveraging enterprise authentication services

• Flexible and scalable to meet global requirements


Page 130: Introduction to iam

IAM Technologies Defined


Page 131: Introduction to iam

Conclusion

No Unique Framework Vision


Page 132: Introduction to iam

Federated Identity Management

• Federation is a sort of perimeter mechanism that sits at the edge of the network and shares identity information with other federation mechanisms where a trust relationship exists.

• The Federation technology creates or gathers the trust assertions that must be made when an internal user wishes to access an external resource or vice versa.

• Very active, and many companies are migrating to it due to

• Cloud and SaaS

• Internet Applications

• Merger/Acquisition

• New collaboration mode

Page 133: Introduction to iam

The Rise of IDaaS

• By 2020, 40% of Identity and Access Management (IAM) purchases will use the identity and access management as a service (IDaaS) delivery model — up from less than 20% in 2016.

• A vendor in the IDaaS market delivers a predominantly cloud-based service in a multitenant or dedicated and hosted delivery model.

• The service brokers a set of functionality across multiple IAM functions to target systems on customers' premises and in the cloud.

• Identity governance and administration (IGA), access enforcement, and analytics functions.

Page 134: Introduction to iam

IDaaS Market Split Between Two Styles of Offerings

• Web-centric IDaaS

• Supports web and mobile architected application targets in the cloud or on customers' premises.

• Web-centric IDaaS providers generally have strengths in multifactor authentication and SSO. Offerings tend to support the basic user administration, self-service and identity synchronization aspects of IGA, but lack legacy application connector support, and customizable multilevel approval workflow and governance features, such as access certification, role mining and role life cycle management, and segregation of duties violation detection.

• Web-centric IDaaS usually deploys rapidly because the services are designed to be multitenant, and customization and legacy integration requirements are not the primary design goals.

• Legacy, full-featured IDaaS

• Offers services that were developed to support web applications on-premises and in the cloud, as well as legacy applications.

• More IGA connectors are available for legacy applications, and customizable approval workflows are supported.

• Most of these vendors also provide governance features, such as access certification, role mining and role life cycle management, and detection of segregation of duties violations.

Page 135: Introduction to iam

Cloud Security Landscape


Page 136: Introduction to iam

Twitter

http://www.twitter.com/welkaim

SlideShare

http://www.slideshare.net/welkaim

EA Digital Codex

http://www.eacodex.com/

Linkedin

http://fr.linkedin.com/in/williamelkaim

Claudine O'Sullivan