Introduction to Identity
And Access Management
William El Kaim Oct. 2016 - V 2.1
This Presentation is part of the
Enterprise Architecture Digital Codex
http://www.eacodex.com/
Copyright © William El Kaim 2016 2
Plan
Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
Identity Definition
• Identity is a complicated concept with many nuances, ranging from
philosophical to practical.
• A person’s identity is the set of information known about that person.
• In the digital world a person’s identity is typically referred to as their digital identity. A
person can have multiple digital identities.
• Even though digital identities are still predominantly associated with humans,
they will be increasingly associated with non-human entities, such as
services, systems and devices that could be used to act on behalf of people.
• Examples are trusted platforms, next generation mobile phones, Digital Rights
Management (DRM)-based devices, etc.
Today’s challenges
• Redundant efforts in providing and maintaining Identity information about
individuals
• Difficulties in auditing access to systems/applications for each individual
• Providing a unique user ID for applications
• Providing uniqueness of user IDs across the access points
• Providing user authentication for applications
• Providing an authority that can securely authenticate external
resources/partners, and manage identities
Identity and Access Management
What is IAM?
• Discipline aimed at ensuring all users are properly identified, that their
affiliation to the organization is understood and that they have proper access
to information assets
• Identity Management can be defined as the set of processes, tools and
social contracts surrounding the creation, maintenance, utilization and
termination of a digital identity for people or, more generally, for systems and
services to enable secure access to an expanding set of systems and
applications.
• Effective Identity and Access Management (IAM) involves several
interdependent technologies and processes that combine to form a unified
view of identity relevant for employees, contractors, partners and consumers
What is IAM?
• Identity management is not a single product but a set of processes and
supporting technologies for maintaining a person’s complete set of identity
information, spanning multiple business and application contexts.
• Identity management unifies a person’s disparate identity data to improve
data consistency, data accuracy, and data and systems security in an
efficient manner.
• Robust identity management requires both integration of technologies as
well as coordination with the IT and business processes surrounding the
management of user information, access rights, and related policies.
• IAM helps extend business services, improve efficiency and effectiveness,
and allow for better governance and accountability
IAM is a subset of Information Security
• IAM must be founded on:
• A consistent, mature architecture.
• An IAM architecture should be considered a subset of an enterprise information security
architecture (EISA), which can be integrated within the enterprise architecture in several ways.
• A conduit for gathering, translating and communicating business and regulatory needs
from the business to policy teams and IT functional groups
• policies and standards, the access model, procedures and IAM toolset
• Well-defined and mature processes.
• Each perspective has some overlaps with the other two, and an IAM
program must successfully service and integrate all three!
• That’s why it is complex and takes around 2 to 5 years to complete
Three Main Processes
• Three main processes are involved in managing identities and their access
assignments to company resources:
1. Identity process
• user life cycle
2. Access model process
• role lifecycle
3. Workflow process
• the lifecycle for the workflow consumed in identity and access model processes.
Drivers and Benefits
• Identity and access management (IAM) is a recognizable discipline that
encompasses a range of enterprise tools and technologies within a distinct
architecture supporting a set of interrelated processes.
• The three main business drivers for IAM solutions are
• Security efficiency (lower costs, improved service)
• Security effectiveness (including regulatory compliance)
• Business agility and productivity.
Security efficiency
• With the growing volume of users, current staffing cannot accommodate the
enterprise's needs.
• Enterprises are looking to simplify administration and provide user self-
service, thus containing (or reducing) administrative costs.
• In addition, user information can be leveraged in many business processes
that provide a consistent and more-secure access control infrastructure.
• Only through automation can enterprises improve their processes enough to
reach access request turnaround times of 24 hours or less.
Security Effectiveness
• The ability to prove the robustness of the enterprise's access control
infrastructure is an important requirement for maintaining customers, as well
as obtaining them.
• In addition, easing internal and external audit processes is of prime concern
to many enterprises.
• Legislation and other regulations increasingly require enterprises to establish
robust control infrastructures, of which information security is a part.
• IAM facilitates compliance. It enables more-effective access control and
greater transparency — showing who has access to what (and why, as well
as who approved the access) and who accessed what.
IAM Enables Business Agility
• IAM allows greater flexibility and more timely changes to support business
initiatives
• Reorganizations,
• mergers and acquisitions,
• new business partnerships,
• new product and system rollout.
• Security efficiency gains contribute to business productivity.
• Removing IAM from applications allows developers to concentrate on
meeting business aims and objectives.
Synthesis
Implementing IAM: Program Activities
• Span three major phases:
• Planning: This phase is broken down into three parts
• Strategizing, organizing and annual planning.
• Building: This is done via the three perspectives on IAM.
• Running: This phase contains continuous activities
• That is, the identity, access model and workflow processes.
• The last element of an IAM program is governance.
• IAM can make a significant contribution to information security as a governance function,
but IAM is also a function to be governed.
Plan
• Introduction to IAM
Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
IAM Combines Several Types of Technologies
• Establish an identity data infrastructure.
• This segment encompasses products that form the identity information layer itself:
directories, meta-directories, and virtual directories.
• Administer accounts and privileges
• Products that manage users’ accounts, attributes, and credentials include provisioning,
role management, password management, and privileged user management.
• This category also includes the functional elements of self-service and delegated
administration.
• Control access to IT resources
• Coordinating users’ access to multiple applications is the domain of products like
enterprise single sign-on (E-SSO), Web single sign-on (Web SSO), and federation. It
also includes the emerging area of entitlement management.
IAM Combines Several Types of Technologies
• Audit the administrative and access activities
• Organizations require the ability to demonstrate that account administration and access
controls are performing according to policy; identity audit products help with this effort.
• This includes auditing tools that combine and correlate activities and events across the
identity infrastructure, as well as privilege attestation ― tools to aid the act of certifying
that the privileges associated with a user are correct.
• It also includes role management products, which serve a dual role of both codifying
policies and validating their enforcement.
IAM Combines Several Types of Technologies
• Identity administration tools
• Focus not only on the administration function
• primarily, the administration of users' multiple identities, attributes and credentials across
heterogeneous environments
• but also the administration of access model constructs such as roles and resource
access control information
• such as access control lists (ACL)
• Access management tools
• Access management tools enforce access control policy (or policies) across
heterogeneous environments.
• They also offer administration capabilities, but their distinctive focus is on authorization.
IAM Combines Several Types of Technologies
• Identity auditing tools focus primarily on auditing
• Identity-related event monitoring, reporting status auditing and more.
• Together with identity administration, this class forms the identity management superclass.
• Identity verification tools encompass all aspects of real-time authentication
• Identity proofing (a precursor to provisioning an identity), authentication methods and
their supporting infrastructures, as well as technologies for brokering authentication and
authenticated identities and attributes across heterogeneous environments.
• Together with access management, this class forms the access control superclass.
• Directory technologies are in many ways foundational to the other
technologies.
Plan
• Introduction to IAM
• Key Technology Areas
Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
Directory: Definition
• A book containing an alphabetical or classified listing of names, addresses,
and other data, such as telephone numbers, of specific persons, groups, or
firms.
• An organizational unit, or container, used to organize folders and files into a
hierarchical structure.
• Hierarchical collection of objects
• Objects can have varying sets of attributes, and a single attribute can carry several values.
• A directory is not a database.
• Directory servers are typically optimized for a very high ratio of searches to updates.
Directory Service Definition
• A directory service is a software product that stores and organizes
information about user identities and other resources within a network or
domain and that manages users' access to resources.
• A directory service is highly optimized for reads and provides advanced
search possibilities on many different attributes associated with identities and
other objects.
• The data stored in a directory is defined by an extendible and modifiable
schema (data model).
Directory Technologies
Based on Protocols: X.500 and LDAP
• X.500 provides formal standards for global directory construction and
replication.
• X.500 standards support the construction of large, multiple-location (multiple-server)
directories.
• LDAP v.3 has emerged as the preferred standard for read/write access to
directories.
• However, this is where the standard begins and ends.
• LDAP does not define schema rules, security models or interoperability mechanisms.
• An export format, LDIF, is also defined
Directory Technologies
LDAP
• Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral
standard
• A descendant of the X.500 OSI Directory Access Protocol, which was deemed
too complex and cumbersome to be implemented on microcomputers
• A data-representation model optimized for arbitrary queries
• Recent versions of LDAP also specify encryption methods, methods for
clients to discover the structure of the server's configuration, as well as
interoperability with other services such as Kerberos and SASL.
Directory Technologies
LDAP defines
• Access Protocol: how to access directory information
• Information Model: the type of information managed by the directory
• Naming Model: how information is organized and referenced
• Functional Model: how to access and update information
• Security Model: how data are accessed and protected
• Replication (duplication) Model: how the directory is distributed
• API: to develop client applications
• Exchange data formats
• Text delimited = LDIF (LDAP Data Interchange Format)
• XML = DSML (Directory Services Markup Language)
Directory Technologies
Example – User Identity Classification
• Internal Users
• One party (the employee, internal contractor, etc.) is subservient to another (the
employer). The employer defines the security standards and principles under which the
employee works – with autonomy over governance of those standards and recourse in
the event that they are abused.
• Account Type
• Family-Board: A company Family or Board Member who receives benefits from your
Companies.
• Employee: A person who is directly employed by & paid and/or receives benefits from
Companies.
• Contractor: A worker who works independently or for a company that is contracted by
Companies to provide staff augmentation, and who requires access to Company
information systems.
Directory Technologies
Example – User Identity Classification
• Extended Enterprise Users
• A closely related business relationship (franchise) OR an arms-length business
relationship (partner) in which they will provide services to each other or jointly provide
services to a third party customer.
• Account Type
• Franchisee: A person who works for and/or is an owner of a business that is franchised
by a company brand and who requires access to Company information systems.
• Client-Representative: A person works for a company business partner or client and
requires access to Company information systems.
• Vendor: A person who works for a company that supports or supplies a product and/or
services to the company and who requires access to Company information systems.
Directory Technologies
Example – User Identity Classification
• Business Users
• A retail or marketing relationship in which the company or Client Partner provides goods
or services to a customer or consumer.
• Although such agreements do not form the level of trust of an employer/employee relationship, some form of recourse is typically available in the event that access to those resources is abused.
• A subset of these users may also have access to administration and reporting services through the business application.
• Account Type
• Client Customer: A customer of a company Client who requires access to a Client’s
business application that the company has built and/or hosts. These are indirect company Brand consumers who use the company Client applications and services.
• Company Customer: A customer of a Business unit who requires access to a Company business application. These are direct company Brand consumers (e.g. Goldpoints, Radisson) who use applications and services.
Directory Technologies
White Pages
Two current main approaches for providing, updating and displaying user information:
• Local administration teams are in charge of populating and maintaining the consolidated directory.
• Ownership is identified for user information among operational systems (e.g. HR, Sites). Data flows are ruled by the synchronization tool.
Application = Outlook calendar and white pages application; third-party directory.
Directory Technologies
Example: LDAP Branches
Branch starting from dc=carlson,dc=com    Description
ou=administration                         Administrative or application account branch
ou=corporate                              Corporate people branch
ou=ebusiness                              E-business branch
ou=extended                               Extended user branch (franchises, etc.)
ou=people                                 Corporate people data
ou=groups                                 Corporate group data
ou=locations                              Corporate location data
ou=itaccounts                             Information technology account data
ou=organizations                          Corporate organization data
ou=resources                              Physical asset resource data (e.g. FNP File)
ou=unixservices                           UNIX OS service and account data
Directory Technologies
LDAP Structure (DIT)
dc=Domain,dc=com
  ou=administration
  ou=ebusiness
  ou=corporate
    ou=people
    ou=groups
    ou=locations
    ou=itaccounts
    ou=organizations
    ou=resources
    ou=unixservices
  ou=extended
    ou=cwt
      ou=people
    ou=chw
      ou=people
    ou=clg
      ou=people
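The LDIF export format and the branch layout above are easiest to understand by loading an export and rebuilding the DIT from it. The following is an added example, not material from the deck: the LDIF text is constructed for illustration and only borrows the branch names of the slides (dc=carlson,dc=com, ou=corporate, ou=extended). It parses the three LDIF features a real export relies on (multi-valued attributes, base64 values written with `::`, folded continuation lines), rebuilds the tree from the DNs, and reports entries whose parent is missing, which is the first thing that breaks when an export is loaded into another server.

```python
"""Parse an LDIF export into a directory information tree (DIT) and check it.

Added example, not the deck's material: the LDIF text is constructed and only
borrows the branch names of the slides (dc=carlson,dc=com, ou=corporate ...).
"""
import base64

BASE_DN = "dc=carlson,dc=com"

# Constructed export exercising what a real one contains: a multi-valued
# attribute (two mail values), a base64 value ("::") and a folded line (the
# continuation line starts with a single space). The last entry is deliberately
# an orphan: its parent ou=ebusiness is missing from the export.
SAMPLE_LDIF = """\
dn: dc=carlson,dc=com
objectClass: domain
dc: carlson

dn: ou=corporate,dc=carlson,dc=com
objectClass: organizationalUnit
ou: corporate

dn: ou=people,ou=corporate,dc=carlson,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=jdoe,ou=people,ou=corporate,dc=carlson,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@example.com
mail: jane.doe@example.com
description:: Q29ycG9yYXRlIGVtcGxveWVl

dn: ou=extended,dc=carlson,dc=com
objectClass: organizationalUnit
ou: extended
description: Extended user branch (franchises,
  etc.)

dn: ou=people,ou=ebusiness,dc=carlson,dc=com
objectClass: organizationalUnit
ou: people
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for every entry in the LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: glue on, drop the space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = {}, {}, None
    for line in lines + [""]:               # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            attrs, dn = {}, None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        elif dn is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def parent_dn(dn):
    """Parent of a DN; assumes RDN values contain no escaped commas."""
    return dn.partition(",")[2]


def build_dit(entries, base_dn=BASE_DN):
    """Return (children, orphans). children maps each DN to its sorted child
    DNs; orphans are entries whose parent is absent from the export, which a
    directory server would reject on import (noSuchObject)."""
    children = {dn: [] for dn in entries}
    orphans = []
    for dn in entries:
        if dn == base_dn:
            continue
        parent = parent_dn(dn)
        if parent in children:
            children[parent].append(dn)
        else:
            orphans.append(dn)
    for kids in children.values():
        kids.sort()
    return children, sorted(orphans)


def render_tree(children, dn=BASE_DN, depth=0):
    """Flatten the DIT into indented lines: the base DN, then one RDN per entry."""
    label = dn if depth == 0 else dn.partition(",")[0]
    out = ["    " * depth + label]
    for child in children.get(dn, []):
        out.extend(render_tree(children, child, depth + 1))
    return out
```

`build_dit` returns the orphan list next to the tree on purpose: an export that references a branch it does not contain (here ou=ebusiness) will not load cleanly, so the check belongs in the migration or synchronization job rather than being discovered at import time.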
Directory Technologies
DSML
• The Directory Services Markup Language v1.0 (DSMLv1) provides a means
for representing directory structural information as an XML document.
• DSMLv2 goes further, providing a method for expressing directory queries
and updates (and the results of these operations) as XML documents.
• DSMLv2 documents can be used in a variety of ways.
• stored as files in order to be consumed and produced by programs
• transported over HTTP to and from a server that interprets and generates them.
• The design approach for DSMLv2 was to express LDAP requests and responses as
XML document fragments
Directory Technologies
Microsoft Active Directory
• Active Directory (AD) is the directory service in the Standard, Enterprise and
Datacenter versions of the Windows Server 2003 family.
• The primary function of AD is to authenticate users in a network and
authorize subsequent access requests to Windows-based applications or
other server resources.
• AD not only stores information about network resources but also provides a
consistent way to name, describe, locate, manage and secure this
information as it applies to users and applications.
• AD consists of logical and physical components.
• AD’s logical components organize network resources to match the organizational
structure.
• AD’s physical components configure and control where and when data replication and
login traffic can occur over the network.
Directory Technologies
Microsoft Active Directory
• The basic logical component in AD is the domain, defined by the
administrator as a collection of computers that share a common directory
database, security policies and security relationships.
• For example, in CWT we have a separate domain for each region.
• Domains, in turn, can be partitioned into Organizational Units (OUs)
• An OU is a collection of users and computers that have been given certain
administrative rights.
• Multiple domains can be organized into trees.
• A tree is a hierarchical arrangement of domains that have the same Domain Name
System (DNS) name.
Directory Technologies
Microsoft Active Directory
• Trees can be grouped into Forests.
• A forest is a group of trees that do not share a common DNS name but do share a
common configuration and schema
• An attribute repository that allows attributes and object classes to be redefined separate from
the AD objects.
• Every domain in a forest can share resources and administrative functions with the other
trees in the forest.
• Every domain trusts every other domain in a forest. The forest is the security boundary
not the domain.
Directory Technologies
Ex: Single Forest – OU Model
Forest root: companynet.biz
Regional domains: amer.company.com, emea.company.com, auas.company.com
Each domain holds one OU per company (Company A OU, Company B OU)
Directory Technologies
Today’s Directories challenges
• A single directory cannot fit all needs
• several directories exist
• No single directory schema can describe all identity information
• Several different metamodels (i.e. the information managed by the directory), also called DIT
(Directory Information Tree), coexist
• Not all directories can be provisioned the same way (corporate users,
partners, clients, anonymous clients).
• Several provisioning processes
• We need to enforce the uniqueness of all identities
• Increasing risk of providing several user IDs for the same person and generating major
issues at the application level and in the integration of systems.
• This could also have a dramatic impact on our customer retention if we cannot
guarantee the uniqueness of their user identities in our systems
Directory Technologies
Synchronization Solutions
• Different technologies are available to build an identity synchronization
solution:
• Meta-Directory technology
• EAI technology
• ETL technology
• The result of the synchronization is consolidated in a directory
• The use of one technology or another depends on organizational, functional
and technical requirements
Directory Technologies
Synchronisation Solutions
• Benefits
• Offers optimal access performance
• Allows the consolidated identity record to be enriched with new information
• Simplifies distribution of the consolidated data through simple LDAP replication mechanisms
• Drawbacks
• Introduces synchronization issues leading to possible data inconsistency
• Requires setting up resynchronization processes and tools
Directory Technologies
Virtual Directory
• A virtual directory is a server for a directory protocol such as LDAP, but
unlike a traditional directory server, does not master the data itself in its own
database.
• Instead a virtual directory will dynamically translate requests it receives to
operations in other protocols or data models, such as to a relational
database
• Directory information is drawn in real time, on demand from its native
repositories rather than having to be permanently stored in additional
physical directories.
• This real-time access eliminates the need to synchronize a data store across multiple
“feeder” directories, preventing data latency.
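The translation a virtual directory performs is easier to see in code than in prose. The following is an added example, not the deck's code: two constructed backends (an HR table with relational column names and a contractor list with different column names) are exposed on demand as LDAP-shaped entries under dc=example,dc=com, and an LDAP search filter is parsed and evaluated against them. The filter grammar covered is the RFC 4515 subset of equality, presence, `&`, `|` and `!`; escape sequences, substring and ordering matches are left out, and that is an assumption of this example, not a property of any product.

```python
"""A minimal virtual directory: LDAP-style search over non-LDAP backends.

Added example, not the deck's code. Both backend tables are constructed. The
filter parser handles (attr=value), (attr=*), &, | and ! only; no escapes,
substring or ordering matches.
"""

BASE_DN = "dc=example,dc=com"

# Constructed backend 1: rows as they would come from an HR relational table.
HR_ROWS = [
    {"emp_id": 1001, "first": "Jane", "last": "Doe", "email": "jdoe@example.com", "dept": "Finance"},
    {"emp_id": 1002, "first": "Ken", "last": "Ito", "email": "kito@example.com", "dept": "IT"},
]
# Constructed backend 2: a contractor list with its own column names.
CONTRACTOR_ROWS = [
    {"vendor_uid": "c-7", "name": "Ana Ruiz", "mail": "aruiz@partner.example", "firm": "Acme"},
]


def virtual_entries():
    """Translate both backends, on demand, into LDAP-shaped entries.
    Attribute names are lowercased and every value is a list, as in LDAP."""
    for r in HR_ROWS:
        yield (f"uid={r['emp_id']},ou=people,ou=corporate,{BASE_DN}", {
            "objectclass": ["inetOrgPerson"], "uid": [str(r["emp_id"])],
            "cn": [f"{r['first']} {r['last']}"], "mail": [r["email"]], "ou": [r["dept"]]})
    for r in CONTRACTOR_ROWS:
        yield (f"uid={r['vendor_uid']},ou=people,ou=extended,{BASE_DN}", {
            "objectclass": ["inetOrgPerson"], "uid": [r["vendor_uid"]],
            "cn": [r["name"]], "mail": [r["mail"]], "o": [r["firm"]]})


def parse_filter(text):
    """Parse an LDAP search filter into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters in filter: {text[pos:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":                           # (&(f1)(f2)...) / (|(f1)(f2)...)
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)
    if s[i] == "!":                            # (!(f))
        kid, i = _parse(s, i + 1)
        return ("!", kid), _expect_close(s, i)
    end = s.find(")", i)                       # (attr=value) or (attr=*)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item: {s[i:end]!r}")
    return ("=", attr.lower(), value), end + 1


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, attrs) for k in node[1])
    if kind == "|":
        return any(matches(k, attrs) for k in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    _, attr, value = node
    values = attrs.get(attr, [])
    if value == "*":                           # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(base_dn, filter_text):
    """Return the DNs at or under base_dn whose virtual entry matches."""
    node = parse_filter(filter_text)
    suffix = "," + base_dn
    return [dn for dn, attrs in virtual_entries()
            if (dn == base_dn or dn.endswith(suffix)) and matches(node, attrs)]
```

Nothing is stored between calls: every `search` re-reads the backends through `virtual_entries`, which is exactly the "drawn in real time, on demand" property the slide describes, and also why the drawbacks slide later notes reduced access performance.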
Directory Technologies
Virtual Directories Technologies
• A virtual directory is a software product that creates a logical (virtual) view of
an LDAP directory by combining data from multiple repositories.
• A virtual directory can be used to create a single access point for the multiple
user repositories.
• User-provisioning products increasingly are being joined with virtual directory
technology.
Directory Technologies
Virtual Directory Solutions
• Benefits
• Provides real-time and secure LDAP access to numerous disparate directories,
databases and other data sources, organizing them in a single virtual directory tree
• Offers fast, flexible and reliable LDAP service satisfying all "quality of service"
requirements from end users as well as providers
• Minimizes data ownership considerations
• Drawbacks
• Introduces a new technology within the IT infrastructure that must be managed and must
support distribution and high availability
• Reduces access performances to data
Directory Technologies
LDAP Proxy Solutions
• LDAP Proxy solutions are LDAP access routers. Basically, they offer filtering
and routing services based on rules, transparently for LDAP client
applications
• Features:
• Provides LDAP filtering and routing services
• Provides load-balanced and failover access to directory resources
• Manipulates or transforms information being passed to and from an LDAP query
according to programmed business logic
• Consolidates LDAP queries through one server, so that clients no longer have to follow referrals
• Virtual Directory and LDAP Proxy solutions are converging. Both solutions
are now sometimes addressed by the same products
Directory Technologies
LDAP Proxy Solutions
• Benefits
• Supports rule-based routing to leverage existing applications
• Supports automatic failover and load balancing of the LDAP directories
• Minimizes data ownership considerations
• Drawbacks
• Introduces a new technology within the IT infrastructure that must be managed and must
support distribution and high availability
• Reduces access performances to data
Directory Technologies
Metadirectories Technologies
• A metadirectory is a software product that synchronizes and (optionally)
aggregates identity data stored in multiple repositories.
• Metadirectories provide a proven and relatively quick-and-easy way to
reduce user administration but lack the sophistication of user-provisioning
products.
• They no longer seem to be used for new deployments.
Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
Identity Administration
• Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
Identity Administration
Introduction
• Organizations face the challenge of managing the multiple identities of their
employees, business partners and customers across multiple systems
• User-provisioning and password management are the most mature tools in
this space, but alone they are not sufficient for a full-blown identity
administration solution
• They must be augmented by role management and resource access
administration capabilities
Identity Administration
User Provisioning
• User Provisioning is the process of granting appropriate user access
privileges to any applications, based on a single reference (the user ID)
• User-provisioning tools
• Provide user life cycle management, primarily for internal users, such as employees and
contractors.
• Can create, change and retire the user identities (accounts or profiles) linked to each
person across a broad range of target systems in response to HR system changes and
self-service and line-management requests, and according to a specified workflow.
• Hence, the tools support all on-boarding and off-boarding activities for the
workforce
• New hires, transfers, promotions, terminations, dismissals and more.
• User-provisioning tools also automatically correlate data from HR, CRM, e-
mail systems and other identity stores.
Identity Administration
User provisioning
• A key component of identity and access management is how digital identities
are created.
• The provisioning process provides a powerful tool that takes advantage of
user information contained in the organization's directory infrastructure to
speed up the granting and revoking of user accounts and entitlements for
information resources.
• These resources can include e-mail, telephone service, HR applications,
line-of-business (LOB) and functional applications, intranet and extranet
access, and Helpdesk services.
Identity Administration
Provisioning
• Provisioning is more than a security solution in the classic sense of threat mitigation and defense.
• It addresses concerns about giving the appropriate level of access to IT resources to
those who need them
• and revoking access when that requirement is gone. It introduces a structured
environment for user security administration, coordinating account management and
related security policies across the enterprise.
• Workflow is a requirement of most provisioning processes
• Requests for resources are entered online, routed in a predetermined path to reviewers
and approvers, and then finally to the person or system that creates the user account.
Identity Administration - The path forward to
improve User Provisioning
• The following recommendations will significantly improve the process of
granting and keeping application access rights accurate over time.
• One single official employee ID number (called UID) should be the official user identity to
any given application.
• One single source of user information. The only repository of data that fully represents
all employees and contractors is the enterprise directory populating all the others
• One single standardized process of granting access rights for applications within and
across each business area or region.
• Several distributed empowered organizations managing application access rights
process end-to-end for all business functions.
Identity Administration
Ex: User Provisioning Process
Aligned across business functions, the process entails 6 steps:
Step 1: Access request submission (User/direct Manager/HR/ Functional representative)
Step 2: User information validation against user master data with HR
Step 3: Functional review and approval (if needed with local support and training coordinator)
Step 4: Technical check from IT side and creation of UID
Step 5: Assignment of approved access to the application (back-end)
Step 6: Direct notification to users or through application trainer (email)
The enterprise user provisioning process needs to be managed end-to-end to ensure integrity of the user privileges at the enterprise level.
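The six steps above only protect the integrity of user privileges if a request cannot skip a step, if the UID minted in step 4 is the one official identifier per person, and if step 5 only ever runs for an approved request. The following is an added example of such a workflow, not code from the deck: the HR master data, application names, actor names and the UID format (u00001) are constructed, and the rule that a requester may not approve their own request is an assumption of this example, not a statement from the slides.

```python
"""Six-step user provisioning workflow with step ordering enforced.

Added example, not from the deck. HR master data, application names and the
UID format (u00001) are constructed; the step names follow the slide.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Step(IntEnum):
    SUBMITTED = 1          # access request submitted
    HR_VALIDATED = 2       # user data checked against HR master data
    APPROVED = 3           # functional review and approval
    UID_CREATED = 4        # technical check by IT; official UID created or reused
    ACCESS_ASSIGNED = 5    # entitlement assigned in the target application
    NOTIFIED = 6           # user notified


# Constructed HR master data: employee number -> record.
HR_MASTER = {
    "E1001": {"name": "Jane Doe", "status": "active"},
    "E1002": {"name": "Ken Ito", "status": "terminated"},
}


class ProvisioningError(Exception):
    pass


@dataclass
class AccessRequest:
    employee_no: str
    application: str
    entitlement: str
    requester: str
    step: int = 0                      # 0 = not yet submitted
    uid: Optional[str] = None
    history: list = field(default_factory=list)


class ProvisioningWorkflow:
    def __init__(self, hr_master):
        self.hr = hr_master
        self.uids = {}             # official UID -> employee number (one per person)
        self.target_acl = {}       # (application, uid) -> set of entitlements
        self.notifications = []

    def _require(self, req, step):
        """A step may only run once the previous one has completed."""
        if req.step != step - 1:
            raise ProvisioningError(
                f"{step.name} refused: request is at step {req.step}, not {step - 1}")

    def _done(self, req, step, actor):
        req.step = step
        req.history.append(f"{step.name}:{actor}")   # who did what, for audit

    def submit(self, req):
        self._require(req, Step.SUBMITTED)
        self._done(req, Step.SUBMITTED, req.requester)

    def validate_with_hr(self, req, hr_agent):
        self._require(req, Step.HR_VALIDATED)
        rec = self.hr.get(req.employee_no)
        if rec is None or rec["status"] != "active":
            raise ProvisioningError(f"{req.employee_no} is not an active employee")
        self._done(req, Step.HR_VALIDATED, hr_agent)

    def approve(self, req, approver):
        self._require(req, Step.APPROVED)
        if approver == req.requester:      # assumption of this example
            raise ProvisioningError("requester cannot approve their own request")
        self._done(req, Step.APPROVED, approver)

    def create_uid(self, req, it_agent):
        self._require(req, Step.UID_CREATED)
        # One official UID per person: reuse an existing one, else mint the next.
        existing = [u for u, emp in self.uids.items() if emp == req.employee_no]
        if existing:
            req.uid = existing[0]
        else:
            req.uid = f"u{len(self.uids) + 1:05d}"
            self.uids[req.uid] = req.employee_no
        self._done(req, Step.UID_CREATED, it_agent)

    def assign_access(self, req, backend_admin):
        self._require(req, Step.ACCESS_ASSIGNED)
        self.target_acl.setdefault((req.application, req.uid), set()).add(req.entitlement)
        self._done(req, Step.ACCESS_ASSIGNED, backend_admin)

    def notify(self, req, channel="email"):
        self._require(req, Step.NOTIFIED)
        self.notifications.append((channel, req.uid, req.application, req.entitlement))
        self._done(req, Step.NOTIFIED, channel)


def provision(wf, req, hr_agent, approver, it_agent, backend_admin):
    """Run all six steps in order and return the request for inspection."""
    wf.submit(req)
    wf.validate_with_hr(req, hr_agent)
    wf.approve(req, approver)
    wf.create_uid(req, it_agent)
    wf.assign_access(req, backend_admin)
    wf.notify(req)
    return req
```

The `_require` check runs before any side effect in each step, so a rejected step leaves the request exactly where it was; the `history` list records which actor completed each step, which is the evidence an auditor asks for when reconstructing who approved an access.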
Identity Administration
Deprovisioning
• Deprovisioning ensures that accounts are systematically disabled or deleted
and entitlements are revoked when employees leave the organization.
• Good security practice recommends
• that accounts be disabled quickly (to prevent possible attacks by disgruntled ex-
employees)
• but not deleted until after a suitable time has elapsed, in case it becomes necessary to
re-enable (or rename and reassign) the account.
• Disabling accounts (rather than deleting) is also helpful for some
organizations that need to ensure certain identity attributes such as account
name are unique and not reused within a time period that meets policy
requirements.
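The disable-first, delete-later rule and the name-reuse window above are straightforward to implement once the account store records when an account was disabled and when its name becomes free again. The following is an added example, not code from the deck: the 90-day retention and one-year name-reuse block are constructed policy values, not figures from the slides, and the time is passed in explicitly so the behaviour can be checked deterministically.

```python
"""Deprovisioning: disable at once, delete after a retention period, and keep
the account name unusable for a policy window after deletion.

Added example, not the deck's code. The retention and name-reuse periods are
constructed policy values, not figures from the slides.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

DELETE_AFTER = timedelta(days=90)        # constructed: keep disabled accounts 90 days
NAME_REUSE_BLOCK = timedelta(days=365)   # constructed: no reuse of a name for a year


class DeprovisioningError(Exception):
    pass


@dataclass
class Account:
    name: str
    status: str = "enabled"              # enabled | disabled | deleted
    entitlements: set = field(default_factory=set)
    disabled_at: Optional[datetime] = None
    deleted_at: Optional[datetime] = None


class AccountStore:
    def __init__(self):
        self.accounts = {}   # name -> Account (deleted ones are kept as tombstones)
        self.reserved = {}   # name -> datetime until which the name may not be reused

    def create(self, name, entitlements, now):
        live = self.accounts.get(name)
        if live is not None and live.status != "deleted":
            raise DeprovisioningError(f"{name} already exists ({live.status})")
        until = self.reserved.get(name)
        if until is not None and now < until:
            raise DeprovisioningError(f"{name} is reserved until {until:%Y-%m-%d}")
        self.accounts[name] = Account(name, entitlements=set(entitlements))
        return self.accounts[name]

    def offboard(self, name, now):
        """Leaver: disable immediately and revoke entitlements, but do not delete."""
        acct = self.accounts[name]
        if acct.status != "enabled":
            raise DeprovisioningError(f"{name} is {acct.status}")
        acct.status, acct.disabled_at = "disabled", now
        acct.entitlements.clear()

    def reenable(self, name, now):
        """Allowed only while the account is disabled, never once it is deleted."""
        acct = self.accounts[name]
        if acct.status != "disabled":
            raise DeprovisioningError(f"{name} is {acct.status}, cannot re-enable")
        acct.status, acct.disabled_at = "enabled", None

    def purge(self, now):
        """Scheduled job: delete accounts disabled for DELETE_AFTER or longer and
        reserve their names for NAME_REUSE_BLOCK after deletion."""
        deleted = []
        for acct in self.accounts.values():
            if acct.status == "disabled" and now - acct.disabled_at >= DELETE_AFTER:
                acct.status, acct.deleted_at = "deleted", now
                self.reserved[acct.name] = now + NAME_REUSE_BLOCK
                deleted.append(acct.name)
        return sorted(deleted)

    def can_authenticate(self, name):
        acct = self.accounts.get(name)
        return acct is not None and acct.status == "enabled"
```

Entitlements are cleared at offboarding rather than at deletion, so a disabled account that is later re-enabled by mistake carries no access until it is provisioned again; the name reservation survives the tombstone so that audit records naming the old account cannot be confused with a new person.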
Identity Administration
Role Management for Enterprises
• Although user-provisioning tools can consume roles within user life cycle
management, they cannot provide role life cycle management.
• This is the function of role management tools, which enable organizations to
mine, map, manage and report on the complex relationships of business
rules, user identities and users' entitlements across a broad range of target
systems
• Operating systems (OSs), applications and so on.
• Role management tools can feed user-provisioning products to ensure that
the link is made between business-level roles and associated IT-level roles,
and that proper entitlements are provisioned for the user.
Identity Administration
Role Management for Enterprises
• Role management is becoming a "must have" rather than a "nice to have"
capability for identity administration in larger enterprises
• A few user-provisioning vendors already offer role management capability, but most
partner with pure-play vendors.
• Role mining can meet some identity-auditing needs
• Essentially mining access control data to discover correlations between users with
similar attributes and access rights (that is, candidate roles)
Identity Administration
Resource Access Administration
• Resource access administration (RAA) tools provide resource-centric views of users' access that complement user-provisioning tools' user-centric views.
• RAA tools can create, change and retire groups/roles at the target system level and can administer resource access control information, such as access control lists (ACLs).
• Thus, the tools can permit/delete explicit access rights for individual users outside the role/group structure in a way that is superior to native administration functions.
• Only a few user-provisioning tools provide such capabilities.
• Many RAA tools are point solutions for specific platforms
• Most are Windows-centric or Windows only.
• In the IBM z/OS mainframe space, several vendors offer roughly analogous tools for IBM's RACF.
Identity Administration
Credential Management Introduction
• Authentication credentials are a special kind of identity information that
requires specialized administration tools.
• Password management tools are well-established, but they increasingly are
being subsumed within user-provisioning tools.
• Card management tools are less mature and are rarely found as anything
but stand-alone tools.
Identity Administration
Credential Management Future
• In the next few years, several vendors will offer generic credential
management tools that manage the lifecycle of multiple kinds of credentials
• Like smart cards, certificates, biometric data, proximity cards and more.
• Already the case for Microsoft Project Geneva
• In the longer term, these will be subsumed with user-provisioning tools
• For now, they can be integrated only loosely, as just another target system.
• Tools that manage passwords for shared accounts, such as Administrator
and root accounts, form a separate and distinct technology.
Identity Administration - Credential Management -
Password Management
• Password management tools provide self-service password reset and
password synchronization across a broad range of target systems.
• These capabilities can reduce help desk call volumes by more than 80%.
• All user-provisioning products now integrate these capabilities, which often
are deployed in the first phase of a provisioning project, and the
implementation of discrete tools is becoming less common.
• Representative Vendors and Stand-Alone Products
• Avatier, Courion, M-Tech, Proginet
Identity Administration - Credential Management -
Public Key Services
• Public-key cryptography, based on public-private key pairs, can be used for functions such as
• Data encryption: provides content access control
• Digital signatures: provide transaction assurance and can be exploited for user authentication
• By providing data integrity and data origin authentication
• A public-key service is a software product that provides:
• Lifecycle management for these cryptographic keys
• The certificates that bind the public keys to user identities (Public Key Credentials or PKCs), along with software or application programming interface (API) toolkits supporting the cryptographic functions
• Most commercial services use a framework stemming from X.509, the "authentication framework" part of the ITU-T's X.500 series of standards for directory services.
Identity Administration - Credential Management -
PKI vs. PKO
• Public-key infrastructure (PKI)
• A PKI is a stand-alone public-key service intended for use by one or more applications.
• An "open" PKI embraces the issuance of certificates to individuals for authentication and signing across varied applications in the public and private sectors.
• A "closed" PKI is limited to use by one enterprise or a closed community of business partners, users or devices.
• Public-key operation (PKO)
• Also called a public-key operations center.
• A PKO is a public-key service that addresses the certificate and key management requirements of, and is integrated within, a specific application, appliance or service.
• Because PKOs are inherent to a single application, they can only be closed.
• Comparison
• A PKI is more flexible and offers broader capabilities than a PKO and can be used to support different types of certificates with different levels of trust.
• A PKO usually is less feature-rich, less flexible and simpler to use than a PKI.
Identity Administration - Credential Management -
Card Management
• A card management tool manages the life cycle of smart cards (or smart USB tokens) and credentials stored on the cards:
• Issuance/provisioning
• Replacement
• Retirement/revocation
• Credential update
• Applet management
• The credentials managed are typically PKCs.
• Some card management tools can manage other onboard credentials, such as passwords, one-time password (OTP) credentials, biometric data and physical access control system (PACS) data.
• A card management tool
• is commonly called a card management system (CMS)
• When the vendor focuses on USB tokens rather than on the cards themselves, it is called a token management system.
Identity Administration - Credential Management -
Shared Account Password Management
• Shared accounts are common in many organizations, each available for use
by authorized individuals under the appropriate circumstances.
• The best practice is to avoid shared accounts:
• Most situations that appear to demand this approach can be more elegantly and
securely addressed by using personal accounts.
• However, every organization will need some types of shared accounts like:
• Shared superuser accounts in OSs — such as Administrator in Windows, root in Unix
OSs, IBMUSER in z/OS — and similar pre-defined administrator accounts in
applications and databases
• Administrator-defined user account intended for use by any approved individual in
special circumstances.
• One example is the "fire call" accounts used by application development, operations or other
support staff to resolve critical problems outside normal working hours.
Identity Administration - Credential Management -
Shared Account Password Management
• A shared account password management (SAPM) tool
• Securely manages passwords for shared accounts across a broad range of target
systems.
• Allows only authorized users to retrieve the passwords when needed.
• Eliminates the risks posed by passwords for shared accounts being shared by multiple
users
• Improves accountability and supersedes fragile manual processes.
• Could also manage passwords for service accounts for application-to-application or
application-to-database communication
• in place of passwords that are hard-coded within the calling applications or are held in plain
text in configuration files.
• In this use case, SAPM stands for "service account password management," and provides a
secure password store, automatic password currency and synchronization, and enables
applications to retrieve passwords when required using an API.
Identity Administration
IT Service Management Integration
• Provisioning an application environment
• includes the hardware, software and other technology devices that traditionally are the
province of IT service management
• Not just end users
• In addition, Web services are changing the "who" in "who's accessing the application,"
so that processes and transactions may need to be uniquely identified.
• Enterprises are expanding their views of which objects need a unique
identity, thus, need to be managed.
• Identity management solutions don't adequately address non-user objects.
• Configuration, asset and change management solutions don't address the end user.
Identity Administration
IT Service Management Integration
• However, there is little technical integration between identity administration
and ITSM tools, other than where IAM vendors have their ITSM tools.
• Integration between password management tools and service desk tools is fairly
common; additionally, some user-provisioning tools can externalize request/approval
workflow to service desk tools or other kinds of tools that support BPML.
• Nevertheless, the ITSM experience, especially stemming from the IT
Infrastructure Library, is leading to a process-oriented approach to identity
administration (and IAM in general), especially in Europe.
Identity Administration
Delegated And Self-service Admin.
• Delegated Administration
• Delegated administration can also occur within an organization, where trusted
individuals within different departments manage a subset of an organization's identity
store.
• Self-Service Administration
• For typical users such as employees, there are many user attributes that are not security
related; an organization may consider allowing users to modify such attributes
Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
Identity Auditing
• Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
Identity Auditing: Introduction
• Identity auditing is the process of
• Documenting
• Reviewing and approving workflow
• Identity information and access controls
• roles, segregation of duties rules and entitlements
• For business applications and associated infrastructure components.
• Identity auditing is crucially important to IAM governance in general and to
regulatory compliance in particular.
Identity Auditing Scope
• The scope of identity auditing can be illustrated informally by the following
questions:
1. Who has access to what?
2. Who should have access to what?
• That is, how well does actual access match a predefined policy or access model?
3. Who reviewed and approved what?
• This is referred to as "attestation."
4. Who accessed what?
• Without automation, producing reports and performing management reviews
are laborious and expensive tasks.
Identity auditing
Identity Auditing Tools
• Two key identity administration tools provide some identity auditing
capabilities:
• User-provisioning tools (or stand-alone modules associated with them) for question No.
1 and No. 3 and sometimes No. 2;
• Role management tools for No. 1 and sometimes No. 2.
• Identity-based network access control (NAC) products have been used for No. 1 and a
limited view of No. 2.
Identity auditing
Identity Auditing Tools
• Other tools with a key functional focus on audit capabilities include:
• Security information and event management (SIEM) products, which are increasingly
used for No. 4; other monitoring tools also can be useful here.
• Segregation of duties (SOD) controls within ERP tools, which identify the (SOD) conflicts
within those complex applications, a special case of No. 1.
• Finally, specialized identity auditing tools fill the gap between what identity administration
tools can provide and these needs.
Identity Auditing: Specialized Tools
• Specialized, identity auditing tools focus on identity-auditing needs — the
ability to answer the questions listed above — that are poorly served by
identity administration tools.
• Reporting on access assigned to users and applications — No. 1: Who has
access to what? — will remain an ongoing need in information security and
compliance/risk management programs.
Identity Auditing:
SOD Controls within ERP
• Largely driven by regulatory compliance requirements, organizations are
looking to address SOD issues within their enterprise applications.
• These projects typically start with resolving SOD issues in financial
transactions usually embodied in ERP applications, such as those offered by
SAP and Oracle.
• Technology controls to address the problem include:
• Identifying and reducing SOD conflicts within ERP application-level functional
permissions.
• Provisioning support — Preventing new SOD conflicts through integration with user
provisioning and role management processes.
• Transaction monitoring — Identifying SOD violations by automatically monitoring for
transactions that indicate inappropriate behavior.
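The three technology controls above as an added example (my code, not from the deck, SAP or Oracle), using constructed ERP-style permissions, roles and a transaction log: a detective check over current assignments, a preventive check that simulates a provisioning request before it is granted, and a transaction monitor that flags documents on which one person performed both halves of a conflicting pair.

```python
# Constructed SOD rules: pairs of ERP-style functional permissions that one person must not
# hold together. Rule content, roles, users and documents are all invented for this example.
SOD_RULES = [
    ("vendor.create", "payment.approve", "could create a fictitious vendor and pay it"),
    ("po.create", "po.approve", "self-approval of purchase orders"),
    ("gl.post", "gl.reconcile", "could conceal erroneous postings"),
]

# Role -> functional permissions granted by that role.
ROLES = {
    "ap_clerk":        {"vendor.create", "invoice.enter"},
    "ap_manager":      {"payment.approve", "invoice.enter"},
    "buyer":           {"po.create"},
    "purchasing_lead": {"po.approve"},
    "gl_accountant":   {"gl.post"},
    "gl_reviewer":     {"gl.reconcile"},
}

# User -> assigned roles: the answer to question No. 1, "who has access to what?"
ASSIGNMENTS = {
    "alice": {"ap_clerk", "ap_manager"},   # accumulated both halves of a rule
    "bob":   {"buyer"},
    "carol": {"gl_accountant"},
}

# Constructed transaction log: (user, action, document id).
TRANSACTIONS = [
    ("bob",  "po.create",  "PO-1001"),
    ("dan",  "po.approve", "PO-1001"),
    ("erin", "po.create",  "PO-1002"),
    ("erin", "po.approve", "PO-1002"),   # same person on both sides of the control
]


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Flatten a user's roles into the functional permissions they actually hold."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def sod_violations(permissions, rules=SOD_RULES):
    """Every rule both of whose halves are present in the permission set."""
    return [(a, b, why) for a, b, why in rules if a in permissions and b in permissions]


def audit_assignments(assignments=ASSIGNMENTS, roles=ROLES):
    """Detective control: which users' current access violates SOD policy."""
    report = {}
    for user in assignments:
        found = sod_violations(effective_permissions(user, assignments, roles))
        if found:
            report[user] = found
    return report


def check_provisioning_request(user, new_role, assignments=ASSIGNMENTS, roles=ROLES):
    """Preventive control hooked into user provisioning: simulate the grant and refuse it
    if it would introduce a conflict the user does not already have. Returns (allowed, new)."""
    before = set(sod_violations(effective_permissions(user, assignments, roles)))
    simulated = dict(assignments)
    simulated[user] = assignments.get(user, set()) | {new_role}
    after = set(sod_violations(effective_permissions(user, simulated, roles)))
    new_conflicts = sorted(after - before)
    return (not new_conflicts, new_conflicts)


def monitor_transactions(log=TRANSACTIONS, rules=SOD_RULES):
    """Transaction monitoring: flag documents on which one user performed both halves of a
    rule, regardless of how that user came to hold the permissions."""
    actors = {}                       # document -> {action: user who performed it}
    for user, action, doc in log:
        actors.setdefault(doc, {})[action] = user
    flagged = []
    for doc, done in actors.items():
        for a, b, _why in rules:
            if a in done and b in done and done[a] == done[b]:
                flagged.append((doc, done[a], a, b))
    return flagged


if __name__ == "__main__":
    print("current violations:", audit_assignments())
    print("grant purchasing_lead to bob?", check_provisioning_request("bob", "purchasing_lead"))
    print("flagged transactions:", monitor_transactions())
```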
Identity Auditing
SOD Controls within ERP
• SOD tools are becoming mainstream but these tools remain expensive and
complex to maintain.
• In the longer term:
• SOD should become part of a broader control management framework and strategy
• Automated SOD analysis should be integrated into the automated provisioning of users
and roles within identity management.
• Representative Vendors
• Approva, LogicalApps (Oracle), SAP (acquisition of Virsa Systems)
Identity Auditing - Security Information and Event
Management (SIEM)
• SIEM tools and services deliver two basic capabilities:
• Security information management (SIM)
• Security event management (SEM)
• Security information management (SIM) provides reporting and analysis of
data
• primarily from host systems and applications,
• and secondarily from security devices to support security policy compliance
management, internal threat management and regulatory compliance initiatives.
• SIM can be used to support the activities of the IT security, internal audit and
compliance organizations.
• Storage, correlation and reporting of selected host and application data is
available from managed security service providers (MSSPs).
Identity Auditing - Security Information and Event
Management (SIEM)
• Security event management (SEM) improves security incident response
capabilities.
• SEM processes near-real-time data from security devices, network devices
and systems to provide real-time event management for security operations.
• SEM helps IT security operations personnel be more effective in responding
to external and internal threats.
• Remotely managed SEM functions for firewalls, intrusion defense systems,
intrusion prevention systems and related perimeter- and host-monitoring
technologies are available from MSSPs.
Identity Auditing - Security Information and Event
Management (SIEM)
• A SIEM tool enables an organization
• to analyze security event data in real time (for threat management, primarily in network
events)
• to analyze and report on log data (for security policy compliance monitoring, primarily in
host and application events).
• SIEM technology
• can collect user activity (resource access) data from systems and applications
• can be used to track user activity across the network and multiple systems and
applications.
• This technology provides the ability to associate an individual with a device,
network address and the associated network login IDs and subsequent
resource access.
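As an added example (my code, not from the deck or any SIEM product), the association the slide describes carried out over a few constructed log lines: a VPN assignment ties an individual and device to an address, an SSH login ties that address to a local account on a host, and the host's audit record of resource access is then attributed back to the person even though it only names a shared local account. Timestamps, users, hosts, addresses and paths are all invented.

```python
import re

# Constructed log lines (ISO timestamps, invented users, hosts, addresses and paths).
# The same VPN address is handed to two different people during the day, and both use
# the shared local account "dbadmin" on db01, so neither the address nor the login ID
# alone identifies the individual.
LOG = """
2016-10-03T08:01:12Z vpn: user=jdoe assigned_ip=10.20.0.45 device=LAPTOP-7F3A
2016-10-03T08:05:40Z host=db01 sshd: Accepted publickey for dbadmin from 10.20.0.45
2016-10-03T08:07:02Z host=db01 audit: user=dbadmin read /srv/payroll/2016-q3.csv
2016-10-03T09:15:00Z vpn: user=asmith assigned_ip=10.20.0.45 device=LAPTOP-2C11
2016-10-03T09:20:30Z host=db01 sshd: Accepted password for dbadmin from 10.20.0.45
2016-10-03T09:21:05Z host=db01 audit: user=dbadmin write /srv/payroll/2016-q3.csv
""".strip().splitlines()

TS = r"(?P<ts>\S+) "
VPN = re.compile(TS + r"vpn: user=(?P<user>\S+) assigned_ip=(?P<ip>\S+) device=(?P<device>\S+)")
LOGIN = re.compile(TS + r"host=(?P<host>\S+) sshd: Accepted \S+ for (?P<acct>\S+) from (?P<ip>\S+)")
ACCESS = re.compile(TS + r"host=(?P<host>\S+) audit: user=(?P<acct>\S+) (?P<action>\S+) (?P<path>\S+)")


def correlate(lines):
    """Walk the log in time order, keeping the latest address owner and the latest
    session owner per (host, account), and attribute each resource access to a person."""
    ip_owner = {}      # address -> (individual, device) from the most recent VPN assignment
    session = {}       # (host, local account) -> (individual, device, address) from last login
    events = []
    for line in sorted(lines):             # ISO-8601 timestamps sort chronologically
        if m := VPN.match(line):
            ip_owner[m["ip"]] = (m["user"], m["device"])
        elif m := LOGIN.match(line):
            who, device = ip_owner.get(m["ip"], ("unknown", "unknown"))
            session[(m["host"], m["acct"])] = (who, device, m["ip"])
        elif m := ACCESS.match(line):
            who, device, ip = session.get((m["host"], m["acct"]), ("unknown",) * 3)
            events.append({
                "time": m["ts"], "individual": who, "device": device, "address": ip,
                "host": m["host"], "login_id": m["acct"],
                "action": m["action"], "resource": m["path"],
            })
    return events


def individuals_behind(events, host, login_id):
    """Question No. 4 for a shared account: which people were actually behind it."""
    return sorted({e["individual"] for e in events
                   if e["host"] == host and e["login_id"] == login_id})


if __name__ == "__main__":
    for e in correlate(LOG):
        print(f'{e["time"]} {e["individual"]}@{e["device"]} ({e["address"]}) as '
              f'{e["login_id"]} on {e["host"]}: {e["action"]} {e["resource"]}')
```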
Identity Auditing - Security Information and Event
Management (SIEM)
• SIM requirements (to support regulatory compliance initiatives) have
replaced SEM as the primary driver for SIEM project funding for in-house
deployment.
• SEM remains the primary driver for outsourcing with MSSPs, although
several MSSPs are introducing SEM service offerings to address this
market.
• This means, fundamentally, that
• organizations are placing more emphasis on IAM event monitoring and reporting
• SIEM tools remain important within threat and vulnerability management.
• Major IAM vendors have made SIEM acquisitions during the past few years.
Identity Auditing
Other Monitoring Tools
• Some near-real-time-analysis tools have automated the process of detecting
unusual user activity within specific circumstances and domains
• That is, they can answer question No. 4: "Who accessed what?"
• Each technology is designed specifically for a particular layer in the
application stack
• But the technologies have limited or no visibility into related activities in other layers.
• More recently, new monitoring tools have been appearing that sit between
users and the systems they access, in-line or "on box," and can capture user
activity down to the keystroke level.
• In addition to traditional alerting and reporting capabilities, these tools generally provide
the ability to "replay" user activity.
Enterprises can use SIEM tools to gain broad visibility across many layers.
• Database activity monitoring
• Can be used to monitor database administration activity and database user access, especially when native database auditing is not enabled.
• Vendors: Application Security, Guardium, IPLocks, Lumigent, Tizor
• Content monitoring and filtering (CMF)
• Can be used to detect and prevent the inappropriate movement of sensitive data across the network, but detection is limited to what can be discovered via simple data pattern rules
• Fraud detection
• Can be used to monitor and stop suspect user activity at the access or transaction layer, but its scope is limited to the specific set of applications and business rules with which it interfaces.
• Vendors and Products: RSA, VeriSign
• …
Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
Identity Verification
• Access Management
• IAM Framework And Process
• Conclusion
Identity Verification: Introduction
• It is critical for an organization to be able to verify, with an appropriate level
of confidence, who it is allowing to access its systems.
• Balanced with ease of use, because end users overwhelmed by security requirements
may behave in ways that can reduce security.
• Includes technologies that broker authentication, or authenticated identities,
and other identity information among diverse target systems or domains
Identity Verification
Ex: Mapping of Responsibilities
(Figure not reproduced: responsibility-mapping matrix with the levels Little/no involvement, Moderate involvement and Significant involvement)
Identity Verification
Identity Proofing
• Identity proofing is the process by which an organization uniquely identifies a
person before "provisioning an identity" to that individual
• assigning an identifier (name) and issuing an identity credential, and maybe other
identity creation subprocess tasks, such as creating a user account.
• Identity-proofing services verify an individual's identity based on "life history"
information aggregated from public or proprietary data sources.
• The most common use case for these services is to verify the identity of a
new registrant in real time where face-to-face proofing is not possible and
offline, back-end identity proofing is undesirable — typically in a
business-to-consumer context.
Identity Verification: Identity Proofing
• These services also might be used as an additional interactive user
authentication or transaction verification method
• For example, to provide identity verification for self-service password reset, or to verify
the identity of an individual before executing a high-value transaction.
• Service providers in this category have emerged during the past few years.
• Identity-proofing services enable more-secure customer account opening and/or account
registration, as well as verification of an identity during high-risk transactions, such as
password reset, especially in a non-face-to-face environment.
Identity Verification: Authentication
• Authentication is the process of proving the digital identity of a user or object
to a network, application, or resource. Once authenticated, users can access
resources based on their entitlements through the process of authorization.
• Examples of authentication techniques include:
• User names and passwords
• Personal identification numbers (PINs)
• X.509 digital certificates
• One-time passwords
• Biometrics (for example, fingerprint or iris scans)
Comparing Strong and Weak Authentication
Techniques
• Authentication techniques can range from simple ones where users provide
passwords directly to applications or hosts to much more complicated ones
that use advanced cryptographic mechanisms to protect user credentials
against potentially malicious applications and hosts.
• Providing a plaintext password (that is, one that is not encrypted in any way)
to an application or host is considered the weakest authentication technique
• Stronger authentication techniques protect the authentication credentials so
that the host or resource to which the user authenticates does not know what
the secret actually is.
• Typically, this is done by cryptographically signing data with the secret password that is
known only to the user and a trusted third party.
Identity Verification
Authentication Infrastructure
• A typical proprietary authentication method requires its own infrastructure
components — an authentication server and so on.
• Where an organization is using a "portfolio" of authentication methods, a
separate authentication server likely is demanded for each method.
• To reduce complexity, provide one policy decision point and simplify
migrating to new authentication methods, an organization may deploy one of
two authentication infrastructure technologies
Identity Verification
Authentication Infrastructure - VAS
• Versatile authentication server (VAS) is a single server (software or
appliance) that supports multiple open and proprietary authentication
methods.
• At a minimum, it will support authentication using PKCs and one of the two
industry standard OTP authentication methods:
• Initiative for Open Authentication (OATH) HMAC-based OTP (HOTP)
• Europay, MasterCard and Visa Chip Authentication Program.
• In addition to providing support for any of the vendor's own proprietary
methods, the VAS should have an extensible architecture to enable third-
party authentication methods to be "plugged in" as needed.
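An added example (my code, not from the deck or any OATH reference implementation) of the OATH HOTP method a VAS must support, which also makes concrete the "strong" pattern from the earlier comparison slide: the user's token signs a moving counter with a shared secret, the application host forwards only the resulting code to the authentication server, and the host itself never holds the secret. The RFC 4226 test secret is used so the codes can be checked against the standard's own vectors; all token and host names are invented.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class AuthenticationServer:
    """The trusted third party (the VAS role): holds each token's secret and the next
    counter it expects. look_ahead tolerates codes the user generated but never submitted."""

    def __init__(self, look_ahead: int = 10):
        self.tokens = {}          # token id -> [secret, next expected counter]
        self.look_ahead = look_ahead

    def enroll(self, token_id: str, secret: bytes, counter: int = 0) -> None:
        self.tokens[token_id] = [secret, counter]

    def verify(self, token_id: str, otp: str) -> bool:
        secret, expected = self.tokens[token_id]
        for c in range(expected, expected + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), otp):
                self.tokens[token_id][1] = c + 1   # move past the used counter: no replay
                return True
        return False


class ApplicationHost:
    """The resource the user logs in to. It stores no secret at all; it only relays the
    submitted code to the authentication server and acts on the verdict."""

    def __init__(self, auth_server: AuthenticationServer):
        self.auth_server = auth_server

    def login(self, token_id: str, submitted_otp: str) -> bool:
        return self.auth_server.verify(token_id, submitted_otp)


class UserToken:
    """The user's side: a hardware or software token that signs its moving counter."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; counter 0 must yield 755224.
    secret = b"12345678901234567890"
    server = AuthenticationServer()
    server.enroll("token-42", secret)
    token, host = UserToken(secret), ApplicationHost(server)
    code = token.next_code()
    print(code, host.login("token-42", code), host.login("token-42", code))  # 755224 True False
```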
Identity Verification
Authentication Infrastructure - ITCAS
• An "in the cloud" authentication service (ITCAS), which relies on a managed
service provider that absorbs the complexity of managing different
infrastructures for different authentication methods, is a viable alternative
for some enterprises.
• An ITCAS likely will be favored for online consumer security, in which the
service provider can offer complementary services, such as fraud detection.
• Vendors
• RSA, VeriSign (and many third-party service providers, including telcos)
Identity Verification
SSO
• Many enterprises are interested in simplifying resource access for
employees, customers, partners or other stakeholders.
• Single Sign-On is ‘a mechanism whereby a single action of user
authentication and authorization can permit a user to access all computers
and systems where that user has access permission, without the need to
enter multiple passwords’. (Open Group)
• SSO at the application level involves establishing a "session" between the
client and server that allows the user to keep using the application without
providing a password every time they take an action within the application.
Identity Verification
Single Sign-On
• Single sign-on (SSO) technologies enable users to authenticate once and
automatically be signed on to other target systems.
• These technologies include:
• Kerberos
• Active Directory (AD)/Unix integration tools
• ESSO
• Bundled, smart-token-based SSO
• Web SSO
• Secure Sockets Layer (SSL) virtual private networks (VPNs)
Identity Verification
The many flavors of SSO
Enterprise SSO
• User community: Employees
• Application types: Desktop; Browser-based
• Architecture and implementation: Protected password vault; Credential form fill
Web SSO
• User community: Employees; Partners; Customers
• Application types: Browser-based
• Architecture and implementation: HTTP session management; Application security shims; Role or Rule Based Access Control; Single security domain; User accounts required
Federated SSO
• User community: Employees; Partners; Customers
• Application types: Browser-based; Web services
• Architecture and implementation: Identity assertions; Role and attribute exchange; Spans security domains; User accounts not required
Identity Verification
Is SSO safe? Yes!
Network login
• Status quo: Simple password, or strong password written down
• Enterprise SSO: Strong password, only one to remember
Application login
• Status quo: Simple password, or password written down; static, seldom changing
• Enterprise SSO: Strong password; often changing, if desired
Number of logins
• Status quo: Many
• Enterprise SSO: One
Password reuse
• Status quo: "User-synchronized" passwords
• Enterprise SSO: None
Help desk burden
• Status quo: Lots of password reset calls
• Enterprise SSO: Few reset calls
Identity Verification
Federation - Trust
• The concept of trust is becoming more important as organizations continue
to share resources with their business partners.
• The ability to establish trust between independently administered systems is
crucial for IT systems to support the required level of data exchange.
• Trust enables secure authentication and authorization of digital identities
between autonomous information systems with less management overhead.
Identity Verification
Federation - Trust Mechanisms
• The mechanisms of trust are complicated because there are many tasks that
must happen between independent organizations to make the authentication
and subsequent authorization processes useful.
• The trusting organization needs to have a secure mechanism to
communicate with the trusted organization.
• Once the trusting organization has authenticated the foreign digital identity, it
must incorporate the entitlement information about that foreign account into
the authorization process within the trusting organization.
Identity Verification
Federation
• A federation is a special kind of trust relationship established beyond internal
network boundaries between distinct organizations.
• Federation enables the secure authentication and authorization of digital
identities between autonomous information systems based on the principle
of trust.
• For example, a user from company A can use information available at
company B because there is a federated trust relationship between the two
companies.
Identity Verification
Federation - Identity Federation
• Federated Identity allows customers, partners and end-users to use
applications/services without having to constantly authenticate or identify
themselves to the services within their federation.
• This applies both within the corporation and across the Internet.
• Federation enables identities to be shared and propagated between different
systems
• Allows individuals to “log-in” once to access resources on networks of different
enterprises
• No need for central storage of personal information
• Organization authenticates its respective users and vouches for their access to third
party organization’s services
• This idea is popular because it can remove/simplify requirement for
administration of many different accounts.
Identity Verification
Federated Identity Management
• Federation can be viewed as an extension of identity management principles
beyond the borders of the enterprise.
• The goals of federation extend well beyond merely increasing convenience for users of
resources to minimizing the costs of and management requirements for identity in the
connected world.
• Federated identity management offers a standards-based means of
achieving these goals by
• Enabling one organization (the identity provider) to provide information about a managed
identity
• To another organization (the identity consumer, service or resource provider).
• Each organization included in the "community of trust" tracks the identities of individuals
who are most central
Identity Verification
Federated Identity Management
• Once the individuals have been authenticated by their own organizations,
these individuals can access other organizations' resources without
reauthentication being required.
• Federated identity management is positioned to provide a foundation for
consumer and business identification and eventually personal identity
frameworks (PIFs) supporting e-business and other applications.
Identity Verification
Federated Identity Management
• Benefits
• Secure integration with partners
• Reduce administration cost
• Deliver improved end user experience
• Features
• Seamless SSO and Identity Sharing
• Multi-protocol gateway – SAML, Liberty, WS-Federation
• Service Provider or Identity Provider
• Flexible deployment configurations
• Standalone for use with pre-existing web-access management solution
• Protocol SDK for custom applications
Identity Verification
Personal Identity Frameworks
• PIF developers have created hype around terms such as "user centric
identity," "Identity 2.0" and the "Identity Metasystem."
• These terms attach to a set of architectural constructs and technical product
components that
• Augment rather than replace IAM architectures
• Are intended to provide users with control of their identity attributes when registering and
accessing online services.
• Client identity selectors, Web site integration components and service
definition and discovery components are common among different
developers' PIF implementations.
Identity Verification
Personal Identity Frameworks
• PIFs can:
• Reduce users' data entry burdens when registering and revisiting service providers, and
can increase users' willingness to provide personal information because it is more
convenient to do so.
• Provide RSOs for business contexts (sets of related services) where credentials can be
shared.
• Provide a common user experience for selecting the appropriate digital identities (each
an identifier and a set of attributes) and providing them to service providers
• Provide a standard development framework for developers that can be abstracted from
and can make use of disparate identity protocols and identity repositories.
Plan
• Introduction to IAM
• Key Technology Areas
• Directory Technologies
• Identity Administration
• Identity Auditing
• Identity Verification
Access Management
• IAM Framework And Process
• Conclusion
Access Management
Definition
• Perimeter Security: Establishes a barrier to keep malicious attacks from affecting the productivity of the organization
• Access Security: Provides regulated access to the business resources users need to perform their duties
Access Management
Introduction
• Organizations must control access to systems and content so that end users
can contribute to business productivity and profitability without compromising
security.
• Centralizing policy administration and decision points improves consistency
and ease of management
Access Management
Key Technologies
• Web Access Management (WAM)
• WAM tools provide centralized administration, authentication and
authorization services for multiple Web-based applications, internal or
external to the organization.
• These tools can also provide some non-Web resource access controls. WAM tools
increasingly support simple, standards-based identity federation and Web services
access control models.
• OS Access Management
• These tools are to OSs what WAM tools are to Web applications — that is, they provide
centralized administration, authentication and authorization services for multiple OS
instances.
• Products typically focus on Windows, or on Unix and Linux OSs, but rarely on both.
Access Management
OS Access Management
• Superuser Privilege Management (SUPM)
• Superuser privilege management tools grant individual users partial
superuser privileges, or temporary full superuser privileges, as needed, instead of
sharing the root or Administrator password itself.
• Some OS access management tools, including the z/OS external security managers (ESMs),
embed SUPM capabilities.
Access Management
Authorization Management
• Authorization is the process of determining whether a digital identity is
allowed to perform a requested action.
• Authorization occurs after authentication, and maps attributes associated
with the digital identity (such as group memberships) to access permissions
on resources to identify which resources the digital identity can access.
• Different platforms use different mechanisms for storing authorization
information:
• Access control lists
• Security groups
• Roles
• Rules
Access Management - Authorization Techniques -
Access Control Lists
• The most common authorization mechanism is known as an access control
list (ACL), which is a list of digital identities along with a set of actions that
they may perform on the resource (also known as permissions).
• Actions are typically defined relative to the type of object the ACL protects.
• For example, a printer might allow actions such as “print” or “delete job” while a file might
allow actions such as “read” and “write.”
Access Management - Authorization Techniques -
Security Groups
• Operating systems that support large numbers of users typically support
security groups, which constitute a special type of digital identity.
• Using security groups reduces the management complexity of dealing with
thousands of users in a large network.
• Security groups simplify management because an ACL can have a few entries
specifying which groups have a specific level of access to an object.
• With careful group design, the ACL should be relatively static. You can easily change
authorization policy for many objects at a time by manipulating the members of a group
maintained by a centralized authority, such as a directory.
• Nesting groups within each other increases the flexibility of the group model for
managing authorization, at the cost of making effective permissions harder to audit: a
user's rights then depend on the transitive closure of its memberships, not on the
direct ACL entries alone.
Access Management - Authorization Techniques -
Roles (RBAC)
• Many applications use the term role to refer to a user classification.
• Roles can also be based on dynamic, run-time decisions that provide more
flexibility.
• Roles are used to build business-driven logic to grant access rights, which is
almost impossible to configure with ACL-type mechanisms.
• Roles can be defined either globally, such as by group memberships in a
directory, or with application code that determines role membership based on
a dynamic query.
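The three mechanisms compared above (ACLs whose actions depend on the object type, nested security groups resolved through a directory, and roles that are partly decided at run time), as an added example that is not code from the deck. The directory, users, resources and business rule below are constructed for illustration; the cycle between two groups is deliberate, because real directories allow it and a naive expansion would recurse forever.

```python
"""Added example, not code from the deck: the three authorization mechanisms
the slides compare (ACLs, nested security groups, roles), implemented against
a small constructed directory so the same request can be evaluated each way.
Every user, group, resource and rule here is made up for illustration."""
from dataclasses import dataclass, field

# Constructed directory: group -> members; a member may itself be a group
GROUP_MEMBERS = {
    "finance-all":      {"alice", "bob", "finance-managers"},  # nested group
    "finance-managers": {"carol"},
    "it-admins":        {"dave", "ops-oncall"},
    "ops-oncall":       {"erin", "it-admins"},                 # deliberate cycle
}

def expand_group(group, _seen=None):
    """All users reachable through nested membership. _seen stops the
    recursion on cycles (A contains B, B contains A), which real directories
    do allow and which would otherwise recurse forever."""
    _seen = set() if _seen is None else _seen
    users = set()
    if group in _seen:
        return users
    _seen.add(group)
    for member in GROUP_MEMBERS.get(group, ()):
        if member in GROUP_MEMBERS:
            users |= expand_group(member, _seen)
        else:
            users.add(member)
    return users

def principals_for(user):
    """The identities a user acts as: itself plus every group containing it."""
    return {user} | {g for g in GROUP_MEMBERS if user in expand_group(g)}

# ACL: the permitted actions depend on the type of object protected
OBJECT_ACTIONS = {"file": {"read", "write"}, "printer": {"print", "delete job"}}

@dataclass
class Resource:
    name: str
    kind: str
    acl: dict = field(default_factory=dict)  # principal -> set of actions

    def allows(self, user, action):
        if action not in OBJECT_ACTIONS[self.kind]:
            raise ValueError(f"{action!r} is not an action on a {self.kind}")
        granted = set()
        for principal in principals_for(user):
            granted |= self.acl.get(principal, set())
        return action in granted

# ACL entries name groups, so the ACL itself stays static as staff change
LEDGER = Resource("ledger.xlsx", "file",
                  {"finance-all": {"read"}, "finance-managers": {"read", "write"}})
PRINTER = Resource("hq-printer", "printer",
                   {"finance-all": {"print"}, "it-admins": {"print", "delete job"}})

# Roles: business-driven, partly decided at run time from the request context
ROLE_PERMISSIONS = {"approver": {"approve-invoice"}, "operator": {"restart-service"}}

def roles_for(user, context):
    """Static roles from group membership plus a dynamic rule: a finance
    manager only holds 'approver' during business hours (context['hour'])."""
    roles = set()
    if user in expand_group("finance-managers"):
        roles.add("manager")
        if 8 <= context.get("hour", -1) < 18:
            roles.add("approver")
    if user in expand_group("it-admins"):
        roles.add("operator")
    return roles

def role_allows(user, action, context):
    return any(action in ROLE_PERMISSIONS.get(r, ()) for r in roles_for(user, context))

if __name__ == "__main__":
    for user in ("alice", "carol", "erin"):
        print(user, "write ledger:", LEDGER.allows(user, "write"),
              "| approve at 10h:", role_allows(user, "approve-invoice", {"hour": 10}))
```

Note that carol obtains read access to the ledger through finance-all without appearing anywhere in that ACL, and that erin can delete print jobs only because ops-oncall is nested inside it-admins; both are exactly the effective-permission questions an access review has to answer.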
Access Management
Authorization Management
• Authorization has traditionally been handled by an access control system (ACS) specific
to each platform, application, network component and device, with little or no
compatibility among them.
• This "siloed" and fractured approach to authorization is disjointed from the
centralized approach that organizations have previously taken for
administration and (to a degree) authentication.
• Emerging authorization management tools provide a more consistent
approach.
• These tools can administer fine-grained authorization policies, make policy decisions
and, optionally, enforce these policies across a range of disparate target systems.
• Enforcement is better kept at the platform, application, network and device levels to
avoid a performance bottleneck at the central decision point.
Access Management
Authorization Management
• There is not yet one kind of authorization management tool; rather, there are
a few complementary kinds, each appropriate to different data and
application types.
• This is the Holy Grail of IAM …
Access Management
Content Access Management
• Content access management (CAM) embraces technologies that protect structured and
unstructured data within or outside the confines of a system that provides access
management capabilities, namely encryption and enterprise digital rights management
(EDRM).
• Encryption
• Encryption can be applied to data at rest within organizations' networks or on notebook
PCs, or to data in motion.
• File encryption is typically the least expensive way to protect documents from
unauthorized insiders, including system administrators, provided the keys are not held
by the same administrators who operate the storage.
• EDRM
• Applied to enterprise messaging, documents and other intellectual property to protect
against intellectual property loss and inappropriate or unintended disclosure of
proprietary or confidential enterprise information.
Access Management
Network Access Control Challenges
• Anywhere access to business applications and data
• Expanding access to more users and device types cost-effectively
• Prevent downtime and business loss from security breaches
• Meet or exceed security, privacy and regulatory concerns
[Diagram: access from a mobile PDA, a partner machine, a corporate laptop and a home
computer]
Access Management
NAC Customer Problems
[Diagram: remote endpoints (mobile PDA, home computer, partner machines, corporate
laptops) reach an access gateway with advanced access control, deployed as a hardened
appliance between two firewalls; behind it sit file servers, Web or application servers,
Web services, email servers, desktops and phones, and local users]
• Endpoint security, identification and integrity validation
• Centralized access control to all IT resources
• Control over how information and applications can be used
• Consistent user experience despite bandwidth, latency and device idiosyncrasies
• Cannot access from behind firewalls
• Access from widely varying devices
• Minimize re-authentication on re-connect
• Need access to all internal IT resources
Access Management
NAC Customer Problems
• NAC is a mix of hardware and software technologies that dynamically control
client systems' access to networks based on their compliance with policy.
• Current challenges:
• Complexity: competing architectures and non-interoperable solutions
• Fragmentation: too many islands of policy
• Upfront costs exceed benefits
• Insufficient connection with business needs
IAM Frameworks and Processes
IAM Functional View
• Administration provides a way to view and manage user identities and
access.
• Authentication ensures that users are properly identified and that these
identities are verified to IT resources.
• Authorization ensures that users can access only what their job functions
allow them to access within the company.
• Auditing ensures that the activities associated with user access are logged for
day-to-day administration, real-time enforcement (authentication and authorization),
monitoring, and regulatory and investigative purposes.
IAM Frameworks and Processes
IAM Functional View
• Applications: Windows clients, middle-tier services, mainframe applications, Web
applications, Web services
• Access Management: authentication techniques, authorization methods, trust, federation,
audit
• Identity Management: provisioning, deprovisioning, self-service, delegated
administration, credential management
• Directory Services: identity data stores, identity integration services
• Data Ownership: data stewardship, account management, RBAC, auditing
• Governance: executive sponsor, security administration, security policy, security
guidelines, security standards
Ex: Enterprise Services Framework
• Enterprise services: client registration, self-service, delegated administration,
federation, authentication, authorization, business rules and policy, auditing and
reporting, consolidated identity data
• These identity and access services provide leveragability, sustainability, consistency
and simplification
• Resulting in regulatory compliance, optimized business operations, reduced
administrative cost and an enhanced security posture
Identity and Access Management Framework
Ex: IAM Framework
• Identity Lifecycle Management: managing (create, modify, delete) the user accounts and
user profiles linked to each person across the IT environment, via a combination of user
roles and business rules, throughout the employment lifecycle.
• Enterprise Directory Services: providing global and consistent views of the company
organization and the people working within it, including the capability to abstract and
automatically correlate data from HR, customer relationship management and other
"identity stores".
• Identity & Access Control Enforcement: covering the technology, tools and mechanisms that
execute IS security policies and business rules governing access to IT system and
application data.
• Audit & Tracking: covering the technology, tools and processes supporting legal and
regulatory requirements for audit, logging and tracking.
• User Master Data: the common personal data (e.g. first name, surname, email, user ID)
referenced across multiple systems.
• Authorization: the set of data elements a specific security principal (user, application,
process) can access, and the actions that can be taken on those data elements.
• Authentication: the process of determining whether someone or something is who or what
they declare themselves to be, so that access to protected resources can be granted or
denied. Log-on is the user action of authenticating to a system.
• Reconciliation: a comparison of "what is" against "what should be". Reconciliation
ensures consistency of identity information across the various systems.
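The reconciliation step defined above, as an added example that is not code from the deck: "what should be" is derived from an authoritative record (HR status plus the role model) and compared with "what is", a dump of the accounts and entitlements actually present on a target system. The role model, HR records and target dump are constructed; the finding categories (orphan account, leaver still active, excess or missing entitlement, missing account) are the ones an access review typically has to act on.

```python
"""Added example, not code from the deck: reconciling a target system's
accounts ('what is') against the authoritative source ('what should be').
All roles, people and account data below are constructed."""

# What should be: entitlements implied by each role (constructed role model)
ROLE_ENTITLEMENTS = {
    "accountant": {"erp:gl-read", "erp:ap-post"},
    "erp-admin":  {"erp:gl-read", "erp:ap-post", "erp:config"},
}

# Authoritative identities, e.g. HR feed joined with the role model (constructed)
AUTHORITATIVE = {
    "alice": {"status": "active",     "roles": {"accountant"}},
    "bob":   {"status": "terminated", "roles": {"accountant"}},
    "carol": {"status": "active",     "roles": {"erp-admin"}},
}

# What is: local accounts and entitlements dumped from the target (constructed)
TARGET_ACCOUNTS = {
    "alice":     {"erp:gl-read", "erp:ap-post", "erp:config"},  # one entitlement too many
    "bob":       {"erp:gl-read"},                                # leaver, never deprovisioned
    "svc_batch": {"erp:ap-post"},                                # no owner in HR
}

def expected_entitlements(record):
    """Entitlements the authoritative record implies; nothing for non-active people."""
    if record["status"] != "active":
        return set()
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in record["roles"]))

def reconcile(authoritative, target):
    """Return (finding, account, detail) tuples describing every deviation
    between the target system and the authoritative source."""
    findings = []
    # Pass 1: every account that exists on the target
    for account, actual in target.items():
        record = authoritative.get(account)
        if record is None:
            findings.append(("orphan", account, sorted(actual)))
            continue
        if record["status"] != "active":
            findings.append(("leaver-active", account, sorted(actual)))
            continue
        expected = expected_entitlements(record)
        for ent in sorted(actual - expected):
            findings.append(("excess", account, ent))
        for ent in sorted(expected - actual):
            findings.append(("missing", account, ent))
    # Pass 2: active people who should have an account here but do not
    for user, record in authoritative.items():
        expected = expected_entitlements(record)
        if record["status"] == "active" and expected and user not in target:
            findings.append(("missing-account", user, sorted(expected)))
    return findings

def summarize(findings):
    """Count findings per category, the figure a recurring review reports on."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    for finding in reconcile(AUTHORITATIVE, TARGET_ACCOUNTS):
        print(*finding)
    print(summarize(reconcile(AUTHORITATIVE, TARGET_ACCOUNTS)))
```

Leavers and orphans are reported before entitlements are compared, because an account that should not exist at all is a finding in itself regardless of what it holds; in a real deployment the account name mapping between HR and the target is rarely an exact string match and is the first thing to get right.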
Benefits of IAM
• Visibility of the end-to-end cycle for user account creation, modification and termination
• Ability to properly validate (and invalidate) every user
• Improved user experience through self-service, password reset and SSO
• Compliance achieved via policy enforcement and automated user entitlement reviews (audit)
• Reduced administrative effort and cost
• Ability to expand the business model through federation
• Shorter application time-to-market by leveraging enterprise authentication services
• Flexible and scalable to meet global requirements
IAM Technologies Defined
Conclusion
No Unique Framework Vision
Federated Identity Management
• Federation is a sort of perimeter mechanism that sits at the edge of the
network and shares identity information with other federation mechanisms
where a trust relationship exists.
• The Federation technology creates or gathers the trust assertions that must
be made when an internal user wishes to access an external resource or
vice versa.
• A very active area, with many companies migrating to it because of:
• Cloud and SaaS
• Internet applications
• Mergers and acquisitions
• New collaboration modes
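The trust-assertion exchange described above, as an added example that is not code from the deck: an identity provider (IdP) in one domain issues a signed assertion about an internal user, and a service provider (SP) in a partner domain accepts it only after checking issuer, signature, audience, validity window and replay. Real federations (SAML, OpenID Connect) sign XML or JSON assertions with the IdP's private key; this stand-in uses a pre-shared HMAC key so that the trust relationship is explicit and the example runs offline. Issuer names, entity IDs, the key and the fixed clock are all constructed.

```python
"""Added example, not code from the deck: a minimal federation exchange.
The IdP signs an assertion for a user; the SP verifies it against the IdP it
trusts. HMAC with a pre-shared key stands in for the asymmetric signatures
SAML/OIDC use. Every name, key and timestamp below is constructed."""
import base64
import hashlib
import hmac
import json

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Holds the key and issues assertions of the form <base64 claims>.<hmac>."""
    def __init__(self, issuer, key):
        self.issuer, self.key, self._counter = issuer, key, 0

    def issue(self, subject, attributes, audience, now, ttl=300):
        self._counter += 1
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + ttl,
                  "jti": f"{self.issuer}#{self._counter}",   # unique id for replay detection
                  "attrs": attributes}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig

class ServiceProvider:
    """Trusts a fixed set of issuers (issuer -> key) and remembers seen assertion ids."""
    def __init__(self, entity_id, trusted):
        self.entity_id, self.trusted, self._seen = entity_id, trusted, set()

    def verify(self, assertion, now, skew=60):
        try:
            body, sig = assertion.split(".")
            claims = json.loads(_unb64(body))
        except (ValueError, json.JSONDecodeError):
            return None, "malformed"
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None, "untrusted issuer"
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, sig):        # constant-time compare
            return None, "bad signature"
        # From here on the claims are authentic; now check they are meant for us and fresh
        if claims.get("aud") != self.entity_id:
            return None, "wrong audience"
        if not (claims["iat"] - skew <= now < claims["exp"]):
            return None, "expired or not yet valid"
        if claims["jti"] in self._seen:
            return None, "replayed"
        self._seen.add(claims["jti"])
        return claims, "ok"

def forge_subject(assertion, new_subject):
    """Attacker simulation for the demo: swap the subject but keep the IdP's
    signature. The SP must reject this as a bad signature."""
    body, sig = assertion.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_subject
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig

# Constructed parties: a corporate IdP and a partner SP that trusts only that IdP
IDP_KEY = b"pre-shared-key-constructed-for-this-example"
IDP = IdentityProvider("https://idp.corp.example", IDP_KEY)
SP = ServiceProvider("https://crm.partner.example", {"https://idp.corp.example": IDP_KEY})
NOW = 1_700_000_000   # fixed clock so the example is deterministic

if __name__ == "__main__":
    token = IDP.issue("alice", {"role": "buyer"}, "https://crm.partner.example", NOW)
    print(SP.verify(token, NOW + 5))
    print(SP.verify(token, NOW + 6))                   # second use: replayed
    print(SP.verify(forge_subject(token, "mallory"), NOW))
```

The order of checks matters: the signature is verified before any claim is trusted, the audience check stops an assertion minted for one partner from being presented to another, and the replay set is what makes a captured assertion useless after its first use (in production that set has to be shared across SP nodes and expire with the assertions).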
The Rise of IDaaS
• By 2020, 40% of Identity and Access Management (IAM) purchases will use the identity and
access management as a service (IDaaS) delivery model — up from less than 20% in 2016.
• A vendor in the IDaaS market delivers a predominantly cloud-based service in a multitenant
or dedicated and hosted delivery model.
• The service brokers a set of functionality across multiple IAM functions to target systems
on customers' premises and in the cloud:
• Identity governance and administration (IGA), access enforcement, and analytics
functions.
IDaaS Market Split Between Two Styles of Offerings
• Web-centric IDaaS
• Supports web- and mobile-architected application targets in the cloud or on customers'
premises.
• Web-centric IDaaS providers generally have strengths in multifactor authentication and
SSO. Offerings tend to support the basic user administration, self-service and identity
synchronization aspects of IGA, but lack legacy application connector support,
customizable multilevel approval workflows, and governance features such as access
certification, role mining and role life cycle management, and segregation of duties
violation detection.
• Web-centric IDaaS usually deploys rapidly because the services are designed to be
multitenant, and customization and legacy integration are not primary design goals.
• Legacy, full-featured IDaaS
• Offers services that were developed to support web applications on-premises and in the
cloud, as well as legacy applications.
• More IGA connectors are available for legacy applications, and customizable approval
workflows are supported.
• Most of these vendors also provide governance features, such as access certification,
role mining and role life cycle management, and detection of segregation of duties
violations.
Cloud Security Landscape
Twitter
http://www.twitter.com/welkaim
SlideShare
http://www.slideshare.net/welkaim
EA Digital Codex
http://www.eacodex.com/
LinkedIn
http://fr.linkedin.com/in/williamelkaim
Claudine O'Sullivan