Technical White Paper: Security and Identity
www.novell.com

Novell® Identity Vision: Defining an Identity Fabric
Part One in the “Novell Identity” Series

Table of Contents:

Defining an Identity Fabric (p. 2)
The Identity Fabric (p. 2)
An Architectural View of an Identity Fabric (p. 4)
Identity Fabric Benefits (p. 20)
Recommendations and Next Steps (p. 22)
Identity Fabric Glossary of Terms (p. 22)
Frequently Asked Questions (p. 24)


Defining an Identity Fabric

Identity† has become a hot topic on the Web in recent years. It seems that if you want to be considered a serious voice in the network media, you must have an opinion and participate in the identity dialogue. Much of the discussion revolves around the most fundamental of questions: what does “identity” really mean?

Universally accepted definitions of the word “identity” in the networking world have been elusive, largely because enterprise systems and subsystems have traditionally dealt with identity in a piecemeal and partitioned way. This paper attempts to refine the definition of identity terms by specifying the contexts in which they are used. A glossary at the end of the paper assists readers in harmonizing their concepts of identity with the vision set forth here.

Novell envisions identity as active, manageable, pervasive and vendor agnostic. Just as the network fabric† has become a fundamental part of modern networks, so too must identity have its own domain—an identity fabric†. And just as the network fabric has the IP packet and IP address, so too must an identity fabric have an active element and addressing scheme. This identity fabric overlays the network fabric, extending role-based access control (RBAC), policy† and compliance monitoring throughout a network environment. Wherever the network fabric is found, there will also be the identity fabric providing ubiquitous and transparent identity across the enterprise.

This fabric is the infrastructure that provides a comprehensive mechanism for asserting, using, monitoring and terminating an identity. Without it, only point solutions can be deployed, creating silos of functionality and information and hampering universal regulatory compliance†, reporting and remediation.

Further, an identity fabric enables the full integration of disparate identity-based systems. For example, when business systems must be integrated because of a merger or an acquisition, conflicts in the use of identity generally arise. Even if the companies use the same types of business systems, the context and use of identity will most likely be different. Either the environments must continue to operate independently (which hampers compliance reporting and other things) or they must be integrated. Deploying an identity fabric over your network fabric is the best way to integrate disparate environments and ensure uniform and consistent identity use.

The Identity Fabric

Overview

Today’s organizations face a number of issues that are difficult to address without an identity that is active, manageable and pervasive. For instance, businesses are compelled to comply with a host of government and industry regulations. As a result, they need to collect compliance records at various policy enforcement points and be able to clearly demonstrate who was granted—or denied—access to a variety of systems and information. This level of control is difficult to achieve in an environment characterized by a variety of disconnected point products. And the traditional approaches to knitting these systems together generally result in solutions that are neither agile nor efficient.

† See “Identity Fabric Glossary of Terms,” beginning on page 22.


Specifically, programmers are required to write code into the process or service that makes the policy test and then enforces it. Because these policies are hard coded, changing policy involves changing code. Because the Policy Decision Point (PDP)† and Policy Enforcement Point (PEP)† functions are in the same code base (and probably the same address space), errors are harder to find and correct.

This inflexible approach doesn’t just impact regulatory compliance, it degrades your enterprise security as well. The hard-coded approach to policy management has led to writing services and processes with root or administration rights and privileges. The programmer must write the service or process to only provide those functions that the user or agent should be allowed to access. Unfortunately, because the process itself is running in root or admin mode, any mistake the programmer makes will grant more access to the user or agent than allowed. An outside agent can then gain control of a machine via a “buffer overrun” hack. With access to a host of rights and privileges, the agent can compromise resources accessible to the machine, such as lists of credit card account numbers.

Managing authentication†, authorization, audits and administration in today’s environment is challenging, to say the least. The fact that each is managed as a custom-engineered and isolated solution makes it difficult for any organization to leverage identity as part of an agile, integrated security and compliance solution. Clearly, a new approach to managing identity is required—one that is at once more uniform, consistent and effective.

Addressing Identity in the Network Fabric

Novell has long been involved in the development of networks that make modern business a reality. Indeed, Novell® NetWare® provided a compelling reason for businesses and their employees to use networks for collaboration and sharing, and identity has played a vital role in all enterprise solutions from Novell.

The complexity of network deployments with their crisscrossing wires and messages is characterized as a “network fabric.” Although network fabrics standardized on IP (Internet Protocol) and TCP (Transmission Control Protocol), identity is not a part of the network fabric. Indeed, the world’s network protocols were designed and deployed without identity in mind: the network fabric was built simply to be a fast, efficient and for the most part self-healing message delivery system. Success is declared when a message arrives at its destination: TCP/IP doesn’t care who sends or receives the message.

In order to combat crimes such as identity fraud, the network needs some mechanism to provide both ends of a transaction with a definitive and verifiable statement concerning the identity of the participating agents. Re-engineering the network fabric to include identity would be time consuming and cost prohibitive. It would require wholesale reworking of global network protocols and the legislation and government regulations that support and permit the network to interoperate today. What is needed, then, is another fabric that lays over the top of the existing protocol stack to provide ubiquitous identity.

Foundation and First Principles of an Identity Fabric

An identity fabric must support a vision and clear definition of identity, one that helps users understand how it benefits their businesses and how to use identity to improve security and policy compliance.

For any identity fabric to succeed with the same level of adoption and ubiquity as the network fabric, it must meet the following criteria:

- It must provide identity throughout an environment.
- Multiple authentication forms and multifactor authentication must be natively supported and controlled by explicit policy.
- It must provide identity in relation to RBAC[1] and/or policy stipulations.
- Any identity it provides must interact with existing applications, with little or no changes required to those applications.
- Components must be self-managing.
- It must improve security event compliance monitoring by associating identity with security events.
- There must be a compelling future upside to its use.
- It must be as deployable and as manageable as the network fabric.

An identity fabric that realizes these principles enables the authentication, authorization, auditing and administration needed in today’s globally regulated network.

An Architectural View of an Identity Fabric

Identity Fabric Architecture

The architecture of an identity fabric comprises five components[2]:

- The identity service (IS), which enables the creation of component identities
- The PDP, a process for policy resolution
- Services that consume component identities, such as Web servers, native applications and a Secure Sockets Layer (SSL) virtual private network (VPN)
- The network fabric, comprising wires, messages, routers, switches and other components
- Component identities, the active elements that constitute the functioning of an identity fabric

[1] RBAC: Role Based Access Control. The specifications (NIST and ANSI) characterize RBAC in three ways: 1) Core RBAC, 2) Hierarchical RBAC, and 3) Constrained RBAC. Please see http://csrc.nist.gov/rbac/ and http://www.incits.org/ for further information and the authoritative standard.

[2] For a detailed definition of the icons used in the diagrams, please refer to page 6.

Figure 1. Identity fabric conceptualization


Supplying Identity Information as Needed

When the network fabric was developed within the framework of the seven-layer International Organization for Standardization (ISO) model, no one considered the identity of the endpoint or user. To address this oversight and its subsequent shortcomings, component identities are created as part of the identity fabric. These component identities “hover” until needed by services such as those in the bullet list above.

A single identity fabric may require multiple ISes to provide component identities. Further, each IS and process that consumes component identities will reference one or more PDPs to validate policy enforcement. Because each component identity† is self-contained, it can “traverse” the network fabric as needed to supply identity information to processes requiring that information. This collection of component identities—and the infrastructure that creates, maintains and consumes them—is the identity fabric.

Providing Identity Interoperability

Further, multiple identity fabrics may federate or marshal component identities for identity interoperability—provided one or more ISes in each federated identity† fabric establishes a trust relationship. Note that if RBAC or other role-based mechanisms such as policy-enforced roles are used in the federated identity fabrics, the various identity fabrics must also implement an agreed-upon mapping of the roles. Other rights and permissions may also need to be mapped.

Figure 2. Identity fabric federation


Alternately, federation of the component identities may be accomplished without sharing the roles, rights or permissions between the identity fabrics. Instead, the component identity in each identity fabric is evaluated separately.

Delivering Ubiquitous Identity

Just as a fabric is made of many threads, an identity fabric is made of many components—but the component identity is the active element providing ubiquitous identity. Each element in Figure 3 uses one or more component identities to satisfy policy and provide authoritative statements concerning roles, entitlement, rights and privileges. The icon depicting a building facade and magnifying glass represents compliance events that the compliance monitoring and reporting system collects for evaluation.

Key Elements and Their Use of the Component Identity

IS: As mentioned previously, this component enables the creation of component identities and interacts with other identity fabric components to provide component identities that conform to policy. The IS uses the services of the PDP to manage its own internal processing, but also interprets policy directly in its work to produce component identities. The IS also provides access to multiple data stores in order to aggregate identity information. While some of the data stores will be identity based, most will be existing data stores such as directories, Lightweight Directory Access Protocol (LDAP)-accessed data stores and databases and others.

Identity-based data store: This is a generalization of any data store that contains identity fabric data structures such as role attestation† and entitlement attestations. It also represents data stores that can use component identities directly to control access to the data contained within.

Construction of a component identity: This symbol represents the general process of creating a component identity via an IS.

Component identity: The component identity can represent all aspects of the identity of a user, agent, process or resource in the context of any given identity fabric.

PDP: Any time a process must either allow or deny access to some resource, the PDP makes the determination. The process then enforces the PDP’s determination—becoming the PEP. A security information and event monitoring (SIEM) system can quickly and effectively detect compliance issues by correlating PDP and PEP events.

Policy, role and entitlement expressions: This icon represents the secure and identity-aware storage of policies, roles and entitlements. The PDP and ISes use this policy storage area.

SSL VPN: An SSL VPN that uses component identities to represent the access connection should provide any access requiring penetration of the firewall.

Proxy: A proxy that controls access by policy and component identity should provide access to all applications that are not component-identity-aware.

Java* agent: Java agents that extend the Java Authentication and Authorization Service (JAAS) and Java Authorization for Container Contracts (JACC) mechanisms to interact with an identity fabric should provide all access to Java processes that are not component-identity-aware.


VM agent: Other “managed code” environments may be integrated similarly to the Java 2 Platform Enterprise Edition (J2EE*) environment.

Synchronization: The data stores of today’s various mission-critical systems must be synchronized so that the systems work in harmony. The constant mergers and acquisitions of modern business ensure the continued need for data system synchronization. And until these systems become component-identity-aware, an external mechanism must synchronize them.

Compliance monitoring and reporting: An identity fabric is very dynamic: component identities flow throughout the fabric, presenting the needed identity information so that policy decisions can be made and enforced. Without an effective compliance monitoring and reporting system, the fabric could increase rather than decrease complexity and make the system harder to manage. But just as network fabrics are monitored and controlled to the organization’s benefit, so too can an identity fabric be managed and monitored effectively to produce a fully identity-compliant system.

Figure 3. Identity fabric deployment example


Core of an Identity Fabric: The Component Identity

The network fabric is not a bunch of wires. Rather, it is made up of the IP packets that move through the wires via an addressing scheme. In other words, the IP packet is the active element that makes the network fabric a reality.

An identity fabric also requires an active element that moves between the IS or owner and the consumer and provides the threads that compose an identity fabric. We will call this persistent element the “component identity.” Any specific identity in an identity fabric must be the same at point A as at point B; ensuring that they are the same is a function of the identity-naming scheme.

The component identity is a token (a document or secure assertion) representing the owner of the component identity. Therefore, the component identity must exist and provide a declaration of the context(s) in which it can be used.

Defining a Component Identity

Each component identity is constructed according to the policy that governs its use. Some component identities will contain attributes†, real or derived. For example, to protect privacy, an alias may replace the user’s name while the user’s shipping address is authentic. Policy may also dictate that roles or privileges be included. This kind of information is very sensitive to the context in which it is used: the role of ADMIN, for example, would be honored in some contexts but not in others. Also, some roles or permissions may be specifically denied in the component identity to prevent them from being granted in any form where the component identity is used. To protect the integrity of the information the component identity contains, digital signatures† or other forms of tamper evidence may be used to verify certain portions of the structure. Component identities readily support both static and dynamic separation of duties.

Because any single component identity may be used in multiple contexts (as specified by the policy governing its construction), there may be multiple expressions of identity in a component identity, such as a series of alias credentials consisting of USERID and password along with a Ticket to Get Tickets (TGT) specific to a Key Distribution Center (KDC) domain.

Novell’s implementation of the component identity is a Security Assertion Markup Language (SAML) 2.0 assertion, which is used to contain multiple forms of identity expression and other SAML assertions.

[3] The application will have very simple privileges—only enough to allow it to run on the execution platform. The final resolution of privileges will be determined by evaluating the several identities associated with the access request to resource “X.”

The Component Identity in Action

So, how can component identities create an identity fabric? They allow for the enforcement of policy and the reporting of access and manipulation actions. Figure 5 demonstrates how a component identity is used.

A user desires access to Resource “X” via an application. In the scenario, the user accesses the application via “A,” which starts the application. Scenario policy requires that all access to controlled resources be provided via least privileges—which requires that the application have an identity so that the application’s privileges can be established. The application accesses an IS and passes its credentials and a specific policy or role request via “B.”[3] The identity service accesses the authoritative statement of policies and roles via “C” and crafts an identity for the application that adheres to the policy expressions accessed via “C.” The identity service returns the component identity, and the application now has an identity that is part of an identity fabric.

Figure 4. Application obtaining an identity

Figure 5. User and laptop obtaining an identity


Constructing Identities for All Entities

The application now requests a component identity from the user and the user’s equipment, in this case the laptop. For the sake of this description we will assume that the user does not yet have a component identity. The application causes “D” to be processed, which conducts a secure dialogue with the user to satisfy the policy associated with the application’s use. Though the application used “B” to access the IS, the user will use “D” to access the same IS, a different IS or even multiple ISes. Note that the application (which is a resource) has tags associated with it that describe the roles and policies that must be satisfied before it can be used. These tags are informational only and available to any casual observer.

Thus, “D” is a dialogue that the IS conducts in accordance with the roles and policies specified. This dialogue may require that the user provide more than just a USERID and password—challenge information, for example, such as a mother’s maiden name, hardware possession (perhaps a smart card) and location (the access attempt must be from a specific subnet). Also, note that the equipment with which the user is accessing the application may be interrogated and a component identity constructed for it as well. There are now three component identities represented on the diagram—one for the application, one for the user and one for the user’s equipment.

Figure 6. User access to controlled resource via identity

[4] Note that PDPs can be cascaded to allow layering or hierarchical policy specification.

Verifying Rights and Privileges

Having obtained the user’s component identities, the application is ready to process the request to access resource “X.” Before doing so, however, the application must verify that the user has the necessary rights and privileges to use the application.

Best practice stipulates that a PDP makes the decision and a PEP enforces it. This practice separates the decision making from the decision enforcement so that the system can be monitored for compliance in real time to quickly identify operational policy failures.

Thus, the application provides the component identities to a PDP, which, using authoritative policy and role specifications via “H,” determines the rights and privileges the user has to the application as per the identities and roles and policies. Note that “H” can reference different PDPs depending on the domain of the decision to be made. If the PDP tells the application (via “E”) to deny access, the application could either terminate with an error or re-invoke “D” to allow the user to try and acquire a component identity that will satisfy the PDP.

In any case, the application is not resolving policy. The PDP is managing that function via the authoritative statement of the policies and roles of the enterprise. Both the PDP and the application (which is a PEP) emit compliance records. The PDP compliance record registers the request and determination according to policy, and the PEP compliance record registers the action the application takes.

In addition to enabling real-time identification of operational policy failures, this implementation offers additional benefits. The application need no longer act using ROOT or ADMIN privileges or work to restrict the use of those privileges: it merely responds to the determination the PDP provides.[4]

If “E” provides permission to proceed, the application accesses Resource “X” via “F,” but note that we can also provide role and policy protection even at the resource level. In the scenario, the mechanism protecting Resource “X” requires more proof of the possession of sufficient rights and permissions.

Again, the application does not concern itself with the validity of the several identities that are necessary to access Resource “X.” It merely accesses Resource “X” via “E,” causing the privilege barrier to be invoked. The barrier requests a determination from the PDP in the context of the access request to Resource “X.” It is here that the aggregate privileges of the multiple component identities are considered to determine rights and privileges. Thus, if operating under least privilege, and the required privileges cannot be derived from the several component identities, access is denied; otherwise, access is allowed.
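The PDP/PEP separation and the aggregate least-privilege check at the privilege barrier described here, together with the context-bound and explicitly denied roles described under “Defining a Component Identity,” modeled as an added Python example (not Novell’s code or its SAML 2.0 implementation). An HMAC stands in for the assertion’s digital signature, and the identities, the policy table, the role names and the “erp”/“lab” contexts are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the identity service's signing key; a real
# fabric would place a digital signature over the SAML assertion instead.
IS_KEY = b"constructed-demo-key"


def _sign(payload):
    """Tamper evidence over the identity's contents (HMAC stands in for a signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IS_KEY, body, hashlib.sha256).hexdigest()


def issue_component_identity(owner, attributes, roles, denied=()):
    """Identity service: roles are bound to the contexts in which they are honored;
    'denied' lists roles that must never be granted wherever this identity is used."""
    payload = {
        "owner": owner,
        "attributes": dict(attributes),  # real or derived, e.g. an alias
        "roles": {ctx: sorted(rs) for ctx, rs in roles.items()},
        "denied": sorted(denied),
    }
    return {"payload": payload, "sig": _sign(payload)}


def intact(identity):
    """True when the identity's contents still match its tamper evidence."""
    return hmac.compare_digest(identity["sig"], _sign(identity["payload"]))


# Constructed policy store: roles required per (resource, action), and the
# context in which the contributing identities' roles are interpreted.
POLICY = {
    ("resource-X", "read"): {"context": "erp", "require": {"analyst"}},
    ("resource-X", "write"): {"context": "erp", "require": {"analyst", "approver"}},
    ("resource-X", "configure"): {"context": "erp", "require": {"admin"}},
    ("lab-bench", "configure"): {"context": "lab", "require": {"admin"}},
}


def pdp_decide(identities, resource, action, records):
    """Policy Decision Point: aggregate the roles the several identities supply in
    the rule's context, remove any role one of them explicitly denies, and permit
    only if every required role is covered. No rule means deny (least privilege).
    Emits a PDP compliance record."""
    rule = POLICY.get((resource, action))
    if rule is None:
        decision = "DENY"
    else:
        supplied, denied = set(), set()
        for identity in identities:
            if not intact(identity):
                raise ValueError("component identity failed integrity check")
            p = identity["payload"]
            supplied |= set(p["roles"].get(rule["context"], []))
            denied |= set(p["denied"])
        decision = "PERMIT" if rule["require"] <= (supplied - denied) else "DENY"
    records.append({"source": "PDP", "request": f"{resource}:{action}", "decision": decision})
    return decision


def pep_access(identities, resource, action, records):
    """Policy Enforcement Point (the application): it resolves no policy itself,
    only carries out the PDP's determination and records what it did."""
    performed = pdp_decide(identities, resource, action, records) == "PERMIT"
    records.append({"source": "PEP", "request": f"{resource}:{action}",
                    "action": "performed" if performed else "refused"})
    return performed


def unbacked_pep_actions(records):
    """SIEM-style correlation: a PEP 'performed' record with no PDP PERMIT for the
    same request is an operational policy failure worth alerting on."""
    permitted = {r["request"] for r in records
                 if r["source"] == "PDP" and r["decision"] == "PERMIT"}
    return [r for r in records if r["source"] == "PEP"
            and r["action"] == "performed" and r["request"] not in permitted]


# Constructed identities mirroring Figures 4-6: application, user and laptop.
APPLICATION = issue_component_identity("payroll-app", {}, {"platform": {"execute"}})
USER = issue_component_identity(
    "alias-7f3a", {"ship_to": "12 Example Rd"},   # alias stands in for the name
    {"erp": {"analyst"}, "lab": {"admin"}},      # ADMIN is honored only in "lab"
    denied={"approver"})                         # may never approve, anywhere
LAPTOP = issue_component_identity("laptop-0042", {}, {"erp": {"managed-device"}})
# A constructed delegation token offering the very role the user is denied.
DELEGATE = issue_component_identity("delegation-91", {}, {"erp": {"approver"}})


def run_scenario():
    """Run the access attempts and return (decisions, compliance trail)."""
    records = []
    ids = [APPLICATION, USER, LAPTOP]
    results = {
        "read": pep_access(ids, "resource-X", "read", records),
        "write_with_delegate": pep_access(ids + [DELEGATE], "resource-X", "write", records),
        "configure_erp": pep_access(ids, "resource-X", "configure", records),
        "configure_lab": pep_access(ids, "lab-bench", "configure", records),
    }
    return results, records
```

run_scenario() returns the four decisions together with the PDP and PEP compliance records; unbacked_pep_actions() over that trail is the PDP/PEP correlation the text assigns to the SIEM.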

Assembling a Component Identity

As mentioned previously, the assembly of a component identity is very specific to the context(s) in which it may be used. These contexts are in turn specific to the domain in which credentials may be known, as well as to required information and procedures that must be followed to comply with regulatory requirements. Thus, policy must define and constrain the creation of the component identity at each step of the process.


The following diagrams describe the general processes that should be used in the construction and maintenance of a component identity. Note again the presence of a PDP, which is used to resolve the expression of policy at each step, and the separation of policy decisions into resolution and enforcement.

Processing a Component Identity Request

A request to create or maintain a component identity is received by the Create Component Identity process. Credentials, attributes, SAML assertions, component identities and other methods may accompany this request. Policy may require that certain kinds of component identities be created from other forms of security tokens as well as challenge/response conversations with the intended recipient of the component identity. The PDP resolves the policy stating the required information accompanying the request.


Figure 7. Component identity assembly, step 1

If all is in order, a partially created component identity is passed along to the next step of the process: Identifiers† and Attribute Management. Policy may require that the component identity include certain information—attributes. The information may come from a variety of identity vaults, directories and identity stores, to name a few.

[5] Identity attributes can come from any source that the identity service can access.

Policy may also protect some of these repositories, and require a component identity to allow access. In any case, policy again dictates this step of construction such that the appropriate attributes, encryption mechanisms and other safeguards are applied to the appropriate information from the appropriate sources. These various attributes and their expression are added to the evolving component identity and passed on to the next step.[5]

Figure 8. Component identity assembly, step 2

Adding Roles and Permissions

The next step involves determining the roles and permissions to be included in the component identity. In some cases a simple expression of a role specification is all that is needed. However, in many existing systems, roles are not supported and rights and permissions must be resolved before the component identity can be used. One of the goals of a component identity is that the user (or agent representing the user) can be fully represented by the component identity such that an appeal to an identity source other than the component identity is not needed.

If an existing application requires that access rights be calculated from a directory, those rights may need to be pre-calculated at this step and stored in the component identity. In other cases, the existing application may traverse the directory structure itself, which may reduce this step to a simple declaration of the location of the directory. Note that the directory specified may be a temporary directory that is populated with the needed information but only for a certain time, after which the information is deleted. This kind of information treatment reduces risk: it allows existing applications to use authoritative information without exposing the entire authoritative information store.


The bottom line is that this step of component identity creation is highly dependent on the application systems in use, their sophistication concerning identity processing and the policies in place to control and protect identity assets. At this point, all of the information to govern resource access is added to the component identity, which is then passed on to the next step.

Figure 9. Component identity assembly, step 3

Conforming to Policy

The final step in the creation of a component identity is the assembly of all the components so that the identity conforms to the structure that policy dictates. It is at this step that information in the partially completed component identity may be used to access a KDC to obtain a TGT or other form of security token. Some of the attributes previously included may be removed because the information, while needed during the creation of the component identity, is not disclosed outside of the process. To facilitate this level of security, the information may be reorganized into multiple tokens, or SAML assertions, and certain structures created so that only the requesting process can use the final component identity, as defined by policy.

Once the component identity is fully assembled, it is returned to the requesting process. Policy fully governs every step, and a security event monitoring system issues alerts in the event that the system becomes non-compliant.

Identity Attestations

Identity attestations can make using and maintaining identity information in various identity vaults and directories more efficient. Each aspect of an identity system governed by identity attestations becomes self-managing in terms of information freshness, accuracy and security.

A simple example will help to establish the vision and high-level mechanisms. Consider a newly hired employee, whom we will name identity applicant because of the initial tasks facing the new hire. It is one thing to provide the new hire with an account on the network and e-mail access. It is quite another to give the new hire the rights and privileges she needs to do her job. Often, human resources (HR) personnel enter roles, entitlements, rights and privileges into the HR system according to the job title and their understanding of the new hire’s needs.

† See “Identity Fabric Glossary of Terms,” beginning on page 22.

Figure 10. Identity applicant request

The new hire must complete several tasks before certain privileges can be granted: for example, policy may require her to complete COBE—Code of Business Ethics training.

The Role of the Identity Application

For maximum efficiency, both the identity applicant and the HR application should point to and consume policy from an identity application. When the hire event occurs, the identity application is used to establish attributes, such as name, address, phone and emergency contacts, and to request role and entitlement assignments. Notice that the roles and entitlements are requested rather than assigned. This means the HR application and process still remains the authoritative source for these attributes. For increased agility and automation, the identity applicant can request additional roles and entitlements as time proceeds. Such a request will cause the involved processes to repeat.

The bottom line is that the identity application accesses the identity service and requests that attributes be set and roles and entitlements requested. The next step is invoked by sending attestation notifications to the several attesters who will approve and establish the roles and entitlements being requested.

Establishing Roles via Component Identities

Each attester has his own attested identity† record. The asserted attestations allow him to provide attestations to others within certain contexts, such as within a certain department. Each attester’s component identity establishes the roles necessary for that person to provide attestations for outstanding requests.


Figure 11. Identity attestation(s)

In this scenario, each attester’s component identity provides the rights necessary to access the identity applicant’s record and approve or deny roles and entitlements associated with the individual’s attester role. Note from Figure 11 that an attester may attest to the validity of attributes (for example, the validity of a shipping address) and may approve or deny role and entitlement assignments via attestation. Policy may require that multiple attestations be provided for approval of a role or entitlement. Any overt denial of approval by an attester, or failure to comply with a policy statement, will result in the role or entitlement not being honored by any part of an identity fabric. At any time, an attester can reevaluate any attestation to extend the approval as well as change a denial to an approval or vice versa.

It is important to note that these attestations are stored as identity components in one or more identity stores. As a part of an attestation, each identity component has a time-to-live stipulation associated with it. The identity fabric becomes self-managing as it implements roles, entitlements and attributes as attestations. The mechanisms that create a component identity access and use these identity components.


Figure 12. Identity applicant attestation

Providing Personal Attestations

As attestations are changed or created, the identity applicant receives notification of the change in status. Some of these changes will require her to respond in some way. In our scenario of a new hire, the identity applicant accesses the identity application, which starts an interaction with a Certificate Authority (CA). The CA provides the identity applicant with one or more key pairs that allow her to provide personal attestations. In this case the identity applicant approves (or denies) the user agreement, which is stored as an attestation in an identity component. Of course, the identity applicant can now provide other attestations—such as for COBE, Harassment Certification and Insider Trading Certification, to name a few.


And, of course, the time to live associated with trainings and certifications such as COBE will require that the user re-attest to her compliance once a year or as policy dictates.

The final result is a self-managing identity management system through which managers—or others with a component identity that provides them with the necessary roles or rights and permissions—can make or request changes to the status or entitlements of an individual or group of identity components. Attesters then review and approve or deny the changes and requests, and the identity applicant, if necessary, completes the process by accepting or rejecting the change to the identity components. Automated processes monitor identity components for time-to-live expiration and trigger events that request the renewal of the attestation in a timely manner. And each use or access of an identity component results in policy resolution and enforcement.
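The attestation rules described in this section (policy-required approvals, overt denial, time-to-live and automated renewal) modelled as an added Python example; this is code written for this page, not Novell's, and the record layout, the policy table and the sample store are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Attestation:
    """One identity component: an attester's statement about a subject's role or
    entitlement. Signature verification of the statement is out of scope here."""
    subject: str        # the identity applicant
    role: str           # role or entitlement attested to
    attester: str       # who provided the attestation (may be the subject herself)
    approved: bool      # True = approval, False = overt denial
    issued: datetime
    ttl: timedelta      # time-to-live stipulated in the attestation

    def expires(self) -> datetime:
        return self.issued + self.ttl

# Policy (constructed): how many distinct attesters must approve each role.
REQUIRED_ATTESTERS = {"payroll-viewer": 1, "wire-approver": 2}

def evaluate_role(store, subject, role, now):
    """Return (honored, reasons) for one subject/role pair. store is any iterable
    of Attestation records, drawn from one or more identity stores."""
    reasons = []
    current = [a for a in store if a.subject == subject and a.role == role]
    live = [a for a in current if now < a.expires()]
    expired = sorted(a.attester for a in current if now >= a.expires())
    if expired:
        reasons.append("expired:" + ",".join(expired))
    # An overt denial by any attester withholds the role, whatever else exists.
    denials = sorted(a.attester for a in live if not a.approved)
    if denials:
        reasons.append("denied-by:" + ",".join(denials))
        return False, reasons
    approvers = {a.attester for a in live if a.approved}
    need = REQUIRED_ATTESTERS.get(role, 1)
    if len(approvers) < need:
        reasons.append(f"approvals:{len(approvers)}/{need}")
        return False, reasons
    return True, reasons

def renewal_events(store, now, warn_before=timedelta(days=14)):
    """Events an automated monitor emits for expired or soon-to-expire attestations."""
    events = []
    for a in store:
        if now >= a.expires():
            events.append(("renew", a.subject, a.role, a.attester))
        elif a.expires() - now <= warn_before:
            events.append(("expiring", a.subject, a.role, a.attester))
    return events

# Constructed sample store: new hire "alice" (including her own COBE attestation)
# and a "bob" whose request carries an overt denial from an auditor.
NOW = datetime(2007, 1, 15, tzinfo=timezone.utc)
SAMPLE_STORE = [
    Attestation("alice", "payroll-viewer", "hr-mgr", True, NOW - timedelta(days=10), timedelta(days=365)),
    Attestation("alice", "wire-approver", "cfo", True, NOW - timedelta(days=5), timedelta(days=90)),
    Attestation("alice", "wire-approver", "controller", True, NOW - timedelta(days=100), timedelta(days=90)),
    Attestation("alice", "cobe", "alice", True, NOW - timedelta(days=360), timedelta(days=365)),
    Attestation("bob", "payroll-viewer", "hr-mgr", True, NOW, timedelta(days=365)),
    Attestation("bob", "payroll-viewer", "audit", False, NOW, timedelta(days=365)),
]

if __name__ == "__main__":
    for subj, role in [("alice", "payroll-viewer"), ("alice", "wire-approver"), ("bob", "payroll-viewer")]:
        print(subj, role, evaluate_role(SAMPLE_STORE, subj, role, NOW))
    print(renewal_events(SAMPLE_STORE, NOW))
```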

Integrating the Component Identity within Existing Applications

Most existing applications provide access to controlled resources by obtaining a USERID and password from the user. That information is used in a BIND request to an LDAP store, and if the BIND is successful, the application allows access to the controlled resource. One of the problems with this model is that many existing applications were deployed using a variety of LDAP stores as their authentication source. Thus, the user’s information (or at least the USERID and password) must be replicated throughout all of the LDAP stores so that the user will have a consistent presence. Another problem is that the user is required to log in every time a different application is accessed. While many single sign-on products attempt to solve this from the client point of view, an identity fabric eliminates this issue at an infrastructure level.

Figure 13. Attested identity maintenance

LDAP Proxy Interception

If an identity fabric is present, existing applications are supported by deploying a proxy that intercepts all user requests to all existing applications. When the user attempts to access an application, the proxy checks to see if it already has a valid component identity for the user, and if so, whether or not that component identity satisfies access policy (via the PDP). If the component identity does not exist or does not satisfy policy, the proxy invokes the identity service, which in turn conducts a dialogue with the user to obtain the necessary information to create the component identity.

There is an important point to note here: while the existing application may require only a USERID and password to access the controlled resource, an identity fabric allows a fine-grained authentication model to be specified by policy. Note also that the attributes loaded into the component identity may be used as alias attributes if the policy so dictates.

Figure 14. Use of component identity in an existing environment


Returning now to the process outlined in Figure 14, the component identity is returned to the proxy, which again validates it against policy associated with the existing application. If all is well, the proxy allows the user to access the application, but when the existing application requests the USERID and password, it provides the information for the user without the user being involved. The existing application performs the LDAP BIND request, but rather than performing the BIND to the previous LDAP store, the BIND is performed against an LDAP proxy. The proxy then uses the information in the component identity to validate the BIND, and if necessary provides attributes that the previous LDAP store would have provided. No changes are required to existing applications to use the LDAP proxy. Generally, each existing application has a configuration file that specifies the location of the LDAP store. By simply changing the configuration file to reference the LDAP proxy, the existing application is connected into an identity fabric and is managed by a rich tapestry of identity and policy mechanisms.
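The interception flow from the preceding paragraphs, modelled as an added Python example rather than Novell's code: the access proxy, the PDP check, the identity service, and an LDAP proxy that answers the unchanged application's BIND from the component identity. The application names, policy levels, directory record, clock and bind-secret scheme are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Per-application access policy (constructed): the authentication level a component
# identity must carry, although the application itself only asks for USERID/password.
APP_POLICY = {"payroll": {"min_auth_level": 2}, "wiki": {"min_auth_level": 1}}
NOW = datetime(2007, 1, 15, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

DIRECTORY = {"alice": {"pw_hash": _h("correct horse"), "roles": ["payroll-viewer"]}}  # constructed authoritative store

class IdentityService:
    """Creates component identities. The user dialogue is reduced to a password
    check plus an OTP flag; the PDP decides whether that level is enough."""
    def __init__(self, directory):
        self.directory = directory

    def create_component_identity(self, userid, password, otp_ok, now):
        rec = self.directory.get(userid)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], _h(password)):
            return None
        return {"userid": userid, "auth_level": 2 if otp_ok else 1,
                "attrs": {"roles": list(rec["roles"])},
                "bind_secret": secrets.token_hex(16),  # per-identity, short-lived
                "expires": now + timedelta(minutes=10)}

def pdp_decision(cid, app, now):
    """Policy decision point: does the component identity satisfy the app's policy?"""
    if cid is None or now >= cid["expires"]:
        return "block"
    return "allow" if cid["auth_level"] >= APP_POLICY[app]["min_auth_level"] else "block"

class LdapProxy:
    """Answers the existing application's BIND from the component identity, so the
    original LDAP store is never exposed to the application."""
    def __init__(self, cids):
        self.cids = cids

    def bind(self, dn, password):
        userid = dn.split(",")[0].split("=", 1)[1]
        cid = self.cids.get(userid)
        if cid and hmac.compare_digest(cid["bind_secret"], password):
            return cid["attrs"]  # attributes the previous store would have returned
        return None

def legacy_app(app, userid, password, ldap):
    """Unchanged existing application: only its configured LDAP endpoint moved."""
    attrs = ldap.bind(f"uid={userid},ou=people,dc=example,dc=com", password)
    return f"{app}:granted:{','.join(attrs['roles'])}" if attrs else f"{app}:denied"

class AccessProxy:
    """Intercepts every user request to every existing application."""
    def __init__(self, identity_service):
        self.ids = identity_service
        self.cids = {}  # userid -> current component identity
        self.ldap_proxy = LdapProxy(self.cids)

    def request(self, userid, app, now, credentials=None):
        cid = self.cids.get(userid)
        if pdp_decision(cid, app, now) != "allow":
            if credentials is None:
                return "need-credentials"  # the identity service would start its dialogue
            cid = self.ids.create_component_identity(*credentials, now=now)
            if cid is None:
                return "blocked"
            self.cids[userid] = cid
            if pdp_decision(cid, app, now) != "allow":
                return "blocked"
        # The app prompts for USERID/password; the proxy answers with the bind secret.
        return legacy_app(app, userid, cid["bind_secret"], self.ldap_proxy)
```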

Connecting Java Environments to the Identity Fabric

The Java execution environment is quite popular in modern systems and is easily connected to an identity fabric by including Java agents in the application server providing connectivity into an identity fabric. Even more identity functionality can be obtained by enhancing the JAAS and JACC mechanisms to allow dynamic roles and the use of component identities. Few or no changes are required of the existing application, depending on how the application server is connected to an identity fabric.

Identity Fabric Benefits

Proper implementation of an identity fabric provides the following benefits:

Root/administration Privileges

Using an identity fabric allows a service or process to be written with only those rights and privileges necessary to allow the program to enter a run state. Thereafter, all access to restricted resources is granted because of the aggregation of the component identities from the user or agent, the equipment being used and other components. A buffer overflow in this case does not provide an intruder with privileged access.

Separation of PDP and PEP

Using component identities, access requests and temporal characteristics⁶, a PDP can interpret authoritative policy to determine the disposition of an access request. This disposition is then passed back to the requesting process, which, now acting as a PEP, enforces the disposition. As noted earlier, a compliance record from the PDP and one or more from the PEP are used to make and enforce policy. These compliance records can be correlated easily by a SIEM system to get a quick indication of system function and determine regulatory compliance. If the PDP resolves to “block” and the PEP permits “allow,” then there is something amiss and an alarm can be posted to the monitoring console and personnel dispatched to resolve the issue. Without the separation of the PDP and PEP, this kind of check and balance cannot be achieved.


6 Temporal characteristics include information such as time of day, day of week and access location.
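A SIEM-style correlation of PDP and PEP compliance records, as an added example written for this page rather than taken from the paper: the rule joins the two kinds of record on a request id and raises the alarm described above (PDP “block”, PEP “allow”), and also flags a PEP record with no PDP decision and a decision that was never enforced. The record format and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed record format (an assumption): one line per compliance record.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>PDP|PEP) req=(?P<req>\S+) subject=(?P<subj>\S+) "
    r"resource=(?P<res>\S+) (?:disposition|enforced)=(?P<verdict>allow|block)$"
)

# Constructed sample: r1 is consistent, r2 is the alarm case, r3 has no PDP
# decision, r4 was decided but never enforced, r5 failed closed.
SAMPLE_LOG = """\
2007-01-15T09:00:01Z PDP req=r1 subject=alice resource=payroll/app disposition=allow
2007-01-15T09:00:01Z PEP req=r1 subject=alice resource=payroll/app enforced=allow
2007-01-15T09:00:05Z PDP req=r2 subject=bob resource=payroll/app disposition=block
2007-01-15T09:00:05Z PEP req=r2 subject=bob resource=payroll/app enforced=allow
2007-01-15T09:00:09Z PEP req=r3 subject=carol resource=wiki/page enforced=allow
2007-01-15T09:00:12Z PDP req=r4 subject=dave resource=wiki/page disposition=allow
2007-01-15T09:00:13Z PDP req=r5 subject=erin resource=wire/approve disposition=allow
2007-01-15T09:00:13Z PEP req=r5 subject=erin resource=wire/approve enforced=block
"""

def parse(log_text):
    """Parse compliance records; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]

def correlate(records):
    """Join PDP and PEP records on request id; return (severity, req, message)."""
    by_req = defaultdict(lambda: {"PDP": [], "PEP": []})
    for r in records:
        by_req[r["req"]][r["src"]].append(r)
    findings = []
    for req, parts in sorted(by_req.items()):
        pdp, peps = parts["PDP"], parts["PEP"]
        if not pdp:
            findings.append(("critical", req, "PEP enforced without any PDP decision"))
            continue
        decision = pdp[-1]["verdict"]  # latest decision wins if re-evaluated
        if not peps:
            findings.append(("warning", req, f"PDP decided {decision} but no PEP record"))
            continue
        for pep in peps:
            if decision == "block" and pep["verdict"] == "allow":
                findings.append(("critical", req,
                                 f"PDP blocked but PEP allowed {pep['subj']}@{pep['res']}"))
            elif decision == "allow" and pep["verdict"] == "block":
                # Fail-closed: an availability problem, not a policy bypass.
                findings.append(("info", req, "PDP allowed but PEP blocked (fail-closed)"))
    return findings

if __name__ == "__main__":
    for severity, req, msg in correlate(parse(SAMPLE_LOG)):
        print(f"[{severity}] {req}: {msg}")
```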


Authentication, Authorization, Audit and Administration

An identity fabric enables a holistic approach to authentication (the identity service), authorization (the PDP and PEP), auditing (compliance record collection and analysis) and administration (all admin tasks require component identities to provide the necessary administration rights and privileges).

Regulatory Compliance

As policies are evaluated and dispositions determined, the system can be immediately tested for initial compliance. Other event correlations that involve more elaborate testing of disparate events can also provide data for compliance evaluation.

And, of course, the archived compliance records can be evaluated forensically to test other metrics of compliance.

Policy-based Decisions and Enforcement

Policy expression under the control of authorized policy administrators guides all policy decisions, dispositions and enforcement. Component identity is used to provide or deny access to the processes and repositories necessary to author and maintain policy for the environment.

Open Source Integration

Because the active element of an identity fabric is the component identity and because these component identities can be composed of various components (SAML assertions and Kerberos TGT), a host of process components can contribute to and process within an identity fabric. Open source projects such as Bandit™ (www.Bandit-project.org) and Higgins (www.eclipse.org/higgins/) are examples.

Identity As a Service

An identity fabric becomes the means by which identity functions such as authentication, authorization and provisioning can be offered as Web services and made available via a hosted or service provider model. Once an identity fabric is implemented as a comprehensive layer of standards and open protocols, identity becomes the threads that weave together applications and business processes, which in turn enable a true services-oriented architecture.

Standards Based

Standards used in an identity fabric include:

Bandit project
Higgins project
SAML
Liberty Alliance
WS*

These standards ensure interoperability across the identity fabric.


Recommendations and Next Steps

In order for identity to be more than a point solution in any organization, an identity fabric must overlay the network fabric. An identity fabric includes an active element and addressing scheme to normalize identity at every network juncture. The result is a cohesive view of identity throughout an environment complete with RBAC, policy and compliance.

While RBAC is suitable for some environments, others will benefit from a more general mechanism referred to as policy-enforced roles. (Please reference Novell Access Manager white papers for more technical information. Other Novell literature provides details for implementation and deployment of your own identity fabric.)

As the global discussion concerning identity continues, many of the benefits of consistent, transparent and ubiquitous identity can be had today. Thoughtful deployments of an identity fabric using component identities will provide organizations with the following:

Seamless control of identity despite the many platform and identity consumers
A reliable mechanism for using environment-wide roles, allowing organizations to realize the cost effectiveness of RBAC
Centralized identity management and monitoring
Identity-based access control
Identity-based compliance reporting

Such an identity fabric establishes policy and identity as tools for competitive advantage and regulatory compliance.

Identity Fabric Glossary of Terms

Attestation: A legal statement that is admissible in a court of law without an affidavit (http://en.wikipedia.org/wiki/Attestation_clause).

Attested Identity: A digital identity wherein specific attributes have been digitally attested to by a digital attester. An attested identity has more efficacy than a digital identity because specific groupings of attributes can be verified independent of the identity store. Also, authentication policy can be declared such that the digital attestation of specific attributes must have policy-specified characteristics before being trusted.

Attribute: A measurable characteristic of something.

Authenticated Identity: The result of successful authentication.

Authentication Policy: A stated policy that provides assurance of authenticity within the parameters of the policy.

Authentication: The process of establishing the validity of decision point input (DPI) according to policy that expresses the requirements of authenticity.

Compliance Assurance: Policies, processes and regulatory compliance logs designed to assure compliance with specified regulations.

Computing Context: The intersection of computing models (kernel, drivers and job-scheduling characterization) that permits any specified computing process to use computing resources.


Component Identity: A token representing its owner that is created via policy constraints.

Digital Attestation: A statement verified via a specific policy that asserts the authenticity of digital information. The verifiable statement is usually a digitally signed document containing the digital information being attested.

Digital Attester: One who provides digital attestation.

Digital Identity: A grouping of associated attributes representing a participant.

Digital Signature: A digital document treated via public key cryptography such that the information in the digitally signed document is tamper evident and associated with the signing entity. (http://en.wikipedia.org/wiki/Digital_signatures or http://en.wikipedia.org/wiki/Digital_Signature_Standard)

DPI (Decision Point Input): Attribute and/or data that is provided to the Policy Decision Point (PDP).

DPO (Decision Point Output): Attribute, data or disposition resulting from the evaluation of the policy in the Policy Decision Point.

Environment Constraints: Specification of required environmental conditions, such as location, time, date, time-relationship and physical network attachment.

Federated Identity: The association of disparate identifiers between disparate parties via commonly agreed upon authentication policy and attribute naming schemes.

Identity fabric: A fabric providing ubiquitous identity wherever the network is present; it overlays the network fabric.

Identifier: An attribute useful in distinguishing something.

Identity: A grouping of associated attributes representing a participant.

Network Fabric: The physical layer media (such as routers, switches and cabling) that allow IP packets to be distributed according to IP address.

Policy: An expressive statement that allows the testing of decision point input by a policy decision point, resulting in the ability to produce decision point output and define relationships between identities.

Policy Decision Context: The intersection of the policy decision point and policy enforcement point that creates and transforms identities and describes their interactions in a conversation.

Policy Decision Point (PDP): The process responsible for evaluating decision point input according to an expressive policy statement and providing decision point output.

Policy Enforcement Point (PEP): The process responsible for enforcing a decision point output.

Regulatory Compliance Log: Data repositories participating in processing activities involved in compliance. They are tamper evident and contain log information concerning configuration and operation of compliance-relevant processes.

Regulatory Compliance: Processes and procedures designed to show compliance with regulations.


Secret: Input that is protected from disclosure and can be validated against attributes to establish authenticity.

Tamper Evident: Used to describe documents whose changes are readily detectable. The original values of the document may be irretrievably lost and the exact effect of the tampering unclear, but the fact that the document has been tampered with is evident (http://en.wikipedia.org/wiki/Tamper-evident).

Verifiable Anonymity: Methods and data structures enabling the association of an identity with attributes, such that the owner of the attributes remains anonymous while the association of the attributes with the identity is validated.

Frequently Asked Questions

Q1. Is an identity fabric a Novell-only offering?

No, many vendors and Open Source projects can mix to provide a viable identity fabric.

Q2. Can an identity fabric cover the entire Internet?

Because of the need for trust context, a single identity fabric will probably never be a reality. But many identity fabrics can be deployed to provide a consistent and highly usable identity experience for users and enterprises alike.

Q3. Can multiple identity fabrics be connected?

Yes, the sharing of component identities between multiple identity fabrics is inherent in the vision and design.


462-002038-001 | 01/07 | © 2006 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and NetWare are registered trademarks, and Bandit is a trademark of Novell, Inc. in the United States and other countries.

*All third-party trademarks are the property of their respective owners.

Contact your local Novell Solutions Provider, or call Novell at:

1 888 321 4272 U.S./Canada
1 801 861 4272 Worldwide
1 801 861 8473 Facsimile

Novell, Inc.
404 Wyman Street
Waltham, MA 02451 USA

www.novell.com