Securing the Digital Campus With Identity Management
Philippe Trautmann, Stuart Sim
Sun Proprietary/Confidential: Internal Use Only
Agenda

1. Overview
   – Why Identity Management matters
   – Evolution of Identity Management
   – Components of a "complete" Identity Management System
2. Technical Overview of Sun's Identity Management Suite
   – Modules of Sun's Identity Management Suite and their capabilities
   – Support of Federated Identity standards
   – SSO support for non-Web applications
   – Sun's decision to open source the Access Manager module (run-time authentication and authorization)
   – Customer case study
3. (Option) An overview of Sun in "Education and Research": 30 minutes
4. Q&A
What Is Identity Management?

"Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities."
– The Burton Group
Essential Functions of Identity Management

● Provision access – Establish, change, and remove user accounts and privileges
● Authenticate – Confirm that users are who they claim to be
● Authorize – Allow access to services based on business rules for group affiliations and roles
● Protect Privacy and Comply with Regulations

Slide callouts:
– Provision: Follow a standard workflow for tasks such as adding a new faculty member or deleting student access to course materials after a term has completed
– Authenticate: "I'm John Doe and here's my ID and password to prove it"
– Authorize: All members of the group "Prof_Smith_Physics_301" have access to Professor Smith's Physics 301 online lecture notes
– Protect Privacy: Hide personal data and track usage patterns for an audit trail without tracking private usage information such as who checked out specific books from the library
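The four functions on this slide are easiest to see when each is a separate operation on one identity store: provisioning changes accounts and group membership (including the end-of-term revocation the callout describes), authentication only proves who the caller is, authorization is a group-rule decision made independently of that, and the audit trail records usage patterns under a keyed pseudonym without the private detail (which book was borrowed). The example below is added here and is not code from the slides or from Sun's products; the resource rules, group names, sample accounts and the PBKDF2/HMAC parameters are all constructed for illustration.

```python
"""Added example: the four essential identity management functions as separate,
composable operations on a small in-memory identity store. All names, rules
and accounts are constructed for this example (not from the slides)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed business rule: the group a resource requires (the Authorize step).
RESOURCE_RULES = {
    "physics301_notes": "Prof_Smith_Physics_301",
    "library_catalog": "students",
    "research_db": "research_staff",
}

# Constructed key used only to pseudonymise subjects in the audit trail.
AUDIT_KEY = secrets.token_bytes(32)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never keeps clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    uid: str
    salt: bytes
    pw_hash: bytes
    groups: set = field(default_factory=set)


class IdentityStore:
    def __init__(self) -> None:
        self.accounts = {}
        self.audit = []  # append-only audit trail

    # Provision access: establish, change and remove accounts and privileges.
    def provision(self, uid: str, password: str, groups=()) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[uid] = Account(uid, salt, _hash_password(password, salt), set(groups))
        self._log("provision", uid, groups=sorted(groups))

    def revoke_group(self, group: str) -> int:
        """Workflow step for 'term completed': strip a course group from everyone."""
        touched = 0
        for acct in self.accounts.values():
            if group in acct.groups:
                acct.groups.discard(group)
                self._log("revoke", acct.uid, group=group)
                touched += 1
        return touched

    def deprovision(self, uid: str) -> None:
        self.accounts.pop(uid, None)
        self._log("deprovision", uid)

    # Authenticate: confirm the user is who they claim to be.
    def authenticate(self, uid: str, password: str) -> bool:
        acct = self.accounts.get(uid)
        if acct is None:
            # Hash anyway so a missing account is not distinguishable by timing.
            _hash_password(password, bytes(16))
            self._log("authn", uid, ok=False)
            return False
        ok = hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)
        self._log("authn", uid, ok=ok)
        return ok

    # Authorize: a group-rule decision, made independently of authentication.
    def authorize(self, uid: str, resource: str, item: Optional[str] = None) -> bool:
        required = RESOURCE_RULES.get(resource)  # unknown resource -> deny
        acct = self.accounts.get(uid)
        allowed = acct is not None and required is not None and required in acct.groups
        # Privacy: the resource is logged for the audit trail; the specific
        # item (e.g. which library book) deliberately is not.
        self._log("authz", uid, resource=resource, allowed=allowed)
        return allowed

    # Protect privacy: audit records carry a keyed pseudonym, never the uid.
    def _log(self, event: str, uid: str, **detail) -> None:
        subject = hmac.new(AUDIT_KEY, uid.encode(), "sha256").hexdigest()[:16]
        self.audit.append({"event": event, "subject": subject, **detail})


def build_demo_store() -> IdentityStore:
    """Constructed sample accounts for the campus scenario on the slide."""
    store = IdentityStore()
    store.provision("jdoe", "correct horse battery", ["students", "Prof_Smith_Physics_301"])
    store.provision("psmith", "faculty pass", ["faculty", "Prof_Smith_Physics_301"])
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.authenticate("jdoe", "correct horse battery"))  # True
    print(s.authorize("jdoe", "physics301_notes"))          # True
    s.revoke_group("Prof_Smith_Physics_301")                # term has completed
    print(s.authorize("jdoe", "physics301_notes"))          # False
```

Keeping `authorize` separate from `authenticate` is what lets the store answer "may this account reach this resource" for provisioning reviews and audits without a login, and the keyed pseudonym means an audit reader can correlate one subject's usage pattern without the log itself naming the person.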
Identity Addresses Top Priorities in Education

Top ten business trends in 2004 according to a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003 (top three shown):
● Security breaches/business disruptions
● Operating costs/budgets
● Data protection and privacy

Identity Management Can Improve Security, Reduce Costs, and Protect Privacy, the Top Three Business Priorities in Education
Why Identity Is So Important in Education

● More stringent regulations
● Complex identity requirements & rapidly changing user roles
● Enormous scale
● 85% have experienced security breaches in the last 12 months
● Managing access to licensed digital content
● Federation to support collaborative research
Higher Education Faces More Regulations¹

● External regulations requiring greater protection of personal information
  – e.g. Gramm-Leach-Bliley Act, Student and Exchange Visitor Information System, HIPAA, and FERPA
● New legislation regarding copyright protection
● Threats of lawsuits over intellectual property abuse or identity theft

¹ Zastrocky, Yanosky, and Harris, "Higher Education Faces More Regulations," Gartner, Research Note, December 23, 2003.
Identity Requirements in Edu are Complex

● Many roles with different access requirements
● Users often have multiple roles
● Frequently changing roles
● Multi-campus environment
● Legacy of multiple fragmented identity databases
Security Incidents on the Rise

● Unauthorized access to sensitive institutional data
● Threats or abusive behavior
● Altered/vandalized Web site
● Research database hacked

More Than 85% Have Experienced IT Security "Incidents" in the Past 12 Months*
* Based on a Chronicle of Higher Education/Gartner survey of selected Chronicle subscribers, December 2003
Stages of Implementing Identity Management
Stage 1 – Every Application for Itself

● Authentication and logging functionality only
● Every application for itself in performing these functions
● Multiple user names and passwords must be remembered by users

Many Institutions Still Function Without a Centralized Directory Service, Despite the Inefficiencies

[Figure: five separate applications, each with its own Authentication function]
Stage 2 – Central Authentication Services

● Applications have access to centralized authentication services
● Support for single sign-on – Web Initial Sign-On (Web ISO)
● The beginnings of Federated Identity to simplify collaboration

Enables Web Initial Sign-On for Participating Applications

[Figure: applications sharing one Central Authentication Service]
Stage 3 – Full Identity Management

● Workflow task automation
● Roles and rules-based authorization
● System-wide auditing and reporting
● Password self-administration
● Federation of identity information

[Figure: an identity management layer spanning Research, ERP, Digital Library, SIS and e-Learning applications, over Administration Services, Transaction Services and Data Repositories]
Components of "Full" Identity Management*

Component            Description
Reflect              Track changes to institutional data
Join                 Establish and maintain identities
Credential           Issue digital credentials
Manage Affiliation   Manage affiliation and group information
Manage Privileges    Manage access privileges and permissions
Manage Passwords     Self-service password resets & synchronization
Provision            Push identity management info to other systems
Deliver              Publish access control information at run time
Authenticate         Verify identities
Authorize            Allow/deny user access independent of authentication
Log                  Track usage for audit purposes
Federate             Authenticate & authorize based on "trusted" source

* Based primarily on data from a presentation delivered by Keith Hazelton, University of Wisconsin-Madison, Identity Management CAMP, Nov. 15, 2004 and sources from Sun market development.
Benefits of Full Identity Management Layer

● Enhanced Security and Privacy
● Improved scalability and reduced cost/complexity
● Improved user experience
● Federation
Summary of Identity Solution Requirements

● Complete, integrated, centralized solution
  – Centralized authentication, authorization and auditing
  – Integrated components
● Modular and scalable
  – Start small with specific components and extend to a full solution
● Integrate-able
  – Open standards-based interfaces allow investment protection

[Figure: three overlapping requirements: Complete, Integrated & Centralized; Modular & Scalable; Integrateable]
Why Sun For Identity Management

● Complete solution
● Integrated yet modular
● Best-in-class provisioning & workflow
● Connectors for third party applications in Edu
● Experience in Federated Identity
Identity Manager Partial Customer List • 15 New references in Q2!

• Universidad de Oviedo, Spain
• Universidad Rovira i Virgili, Spain
• University of Salford, UK
• Université Catholique de Louvain, Belgium
• Schulen ans Netz, Germany
• Western Michigan University, USA
• University of California Santa Cruz, USA
• University of Victoria, Canada
• Notre Dame University, Australia

Identity Management: A New Imperative in Higher Education
Backup Slides

Agenda

● What is Identity Management?
● Why Identity Is Important in Education
● Stages of Implementing Identity Management
● Identity Solution Requirements in Education
● Sun's Comprehensive Identity Management Offering
● Why Sun?
● Customer Examples
Federation Requirements

● Federation is necessitated by collaborative research and other inter-institution collaboration
● There are 2 implementation approaches:
  – The Liberty Alliance Project – An alliance of more than 150 companies, non-profit and government organizations developing an open standard for federated network identity (http://www.projectliberty.org/)
  – Shibboleth – An open source implementation of federated identity information that has gained a lot of momentum in education
● Shibboleth and Liberty are working on interoperability through SAML 2.0, expected in 12-15 months

Federation Enables Sharing Identity Information Outside the Firewall While Protecting Privacy
Federation in Java System Access Manager

● Supports Federation using Liberty specification
● Interoperability with Shibboleth through SAML 2.0 (expected in 12-15 months)

Standards-based Approach Allows Integration With Shibboleth

[Figure: Java System Access Manager and a Shibboleth Server exchanging SAML 2.0 across the firewall, each fronting its own Applications]
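When two institutions federate over SAML 2.0 as in the figure, the trust boundary is the service provider's validation of each assertion it receives from the partner's identity provider: it must come from an issuer the institution actually federates with, be inside its validity window, and be addressed to this service (the AudienceRestriction), so an assertion issued for some other service cannot be replayed here. The example below is added here and is not code from the slides, from Access Manager or from Shibboleth; the assertion, issuer and audience URLs are constructed, and it deliberately stops short of XML signature verification, which a real service provider must perform first (with an XML-DSig library) before any of the other checks mean anything.

```python
"""Added example: relying-party checks on a SAML 2.0 assertion before a
federated identity is trusted. The assertion and all URLs are constructed
for this example; XML signature verification is out of scope here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, as a partner institution's identity provider
# would issue it for a user visiting this service provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2004-12-01T10:00:00Z">
  <saml:Issuer>https://idp.example-university.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example-university.edu</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2004-12-01T09:59:00Z" NotOnOrAfter="2004-12-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.partner-university.edu/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC 'Z' times."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, trusted_issuers: set, my_audience: str, now: str) -> dict:
    """Return {'accepted': bool, 'reason': str[, 'subject', 'attributes']}.

    Order of checks: trusted issuer, validity window, audience. An XML-DSig
    check over the assertion is NOT implemented here and must run before
    these checks in a real service provider, otherwise the Issuer element
    is just a claim anyone could write.
    """
    # xml.etree is fine for this constructed input; parse XML that arrives
    # over the network with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        return {"accepted": False, "reason": "not a SAML 2.0 assertion"}

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return {"accepted": False, "reason": "untrusted issuer %s" % issuer}

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return {"accepted": False, "reason": "missing Conditions"}
    t = _parse_time(now)
    if "NotBefore" in cond.attrib and t < _parse_time(cond.get("NotBefore")):
        return {"accepted": False, "reason": "assertion not yet valid"}
    if "NotOnOrAfter" in cond.attrib and t >= _parse_time(cond.get("NotOnOrAfter")):
        return {"accepted": False, "reason": "assertion expired"}

    # Audience restriction: an assertion meant for another service is rejected.
    audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if my_audience not in audiences:
        return {"accepted": False, "reason": "audience mismatch"}

    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return {"accepted": True, "reason": "ok", "subject": subject, "attributes": attributes}


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, {"https://idp.example-university.edu/idp"},
                             "https://sp.partner-university.edu/sp", "2004-12-01T10:01:00Z"))
```

The attributes returned (here the eduPerson affiliation the partner asserts) are what the local "Federate" component feeds into its own authorization rules; the service provider never sees the partner's password or directory record, which is how federation shares identity information outside the firewall while keeping the private data at home.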
Integrate-able Identity Management

● Provides broad cross-platform compatibility
  – Protects customers' existing investments
  – Provides increased flexibility
● Supports standards at EVERY touch point
Integrated, End-to-End Identity Management

[Figure: product stack and capabilities]
● Identity Manager – User Provisioning, Password Management, Synchronization Services, Web-Based Administration, Audit & Reporting
● Access Manager – Web Single-Sign-On, Access Control, Federation
● Directory Server EE – Directory Services, Security/Failover, AD Synchronization
Identity Management Is More than Just Implementing an Enterprise Directory

• Enterprise directory can provide:
  > Enterprise security — Single common repository for all authentication and access control rules
  > Efficiency in application development — Leverage the enterprise directory to simplify development
  > Simplified collaboration — Federated identity sharing
• Identity management adds:
  > Enhanced user experience — Single sign-on and faster access to applications
  > Reduced help desk cost — Online password reset
  > Workflow efficiency — Automated tasks such as adding access to course materials when users register for specific classes
  > Support for regulatory requirements — More complete tracking and audit trail features
Solaris™ Operating System for x86 Platforms: Come Join Us!

• Building on a leading platform
• Offering customers true choice and true value
• Investing in partnerships

LET'S GROW TOGETHER