The Dbriefs Technology Executive series presents:
Federated Identities: To Trust or Not to Trust?
Kelly Bissell, Principal, Deloitte & Touche LLP
Vikram Kunchala, Senior Manager, Deloitte & Touche LLP
February 3, 2011

Copyright © 2011 Deloitte Development LLC. All rights reserved.

Poll question #1

How many business partner users access your applications OR how many of your organization’s users access partner applications?

a) 0
b) 5,000
c) 50,000
d) 100,000
e) 1,000,000+
f) Not applicable/don’t know

Objectives

In this session participants will learn about:

1. Fundamentals of identity federation, including background, evolution and business drivers
2. Federated identity management business models, standards and use cases
3. Role of identity federation in user provisioning, including challenges to implementation

Federated Identities – Background

Background: What is federation?

• A set of technical, legal, and operations agreements that facilitate distributed identification, authentication and authorization across boundaries (security, departmental, organizational or platform)
• A model based upon trust in which user identities and security are individually managed and distributed by the service providers or member organizations
• The individual organization is responsible for vouching for the identity of its own users, and the users are able to transparently interact with other trusted partners based on this first authentication

Background: Evolution

[Diagram: IAM evolution timeline. The user population grows from employees to contractors, business partners and suppliers, and the information resources from platforms, databases and systems to business applications. Three stages are shown along the timeline: identity silos with manual user administration; enterprise IAM suites with tightly coupled integration with managed resources (authoritative sources such as business-unit HR data feeds; an IAM system boundary containing administration, provisioning, directory integration, a directory repository and a reporting engine; IAM connectors to business-unit and global applications and platforms such as AIX, RACF, ACF2, Solaris, SAP (ESS, FI-CO, BW), Active Directory, MS Exchange, an employee portal, CRM, supplier, logistics and procurement management and RDBMS; access management for authentication and authorization; and requestors, approvers, user ID administrators, the help desk, auditors and resource owners as the roles that create, update and retire user IDs); and federated IAM with loosely coupled, inter-enterprise “ecosystem” integration.]

Background: Business drivers

Enterprises are challenged with the security impacts of cross-organizational information and application sharing, which introduces significant complexity and risk to operations.

At the same time, businesses must collaborate and share critical information with partners, providing the right people with the right access to the right information at the right time.

[Diagram: drivers and concerns. Dimensions: liability, manageability, risk, consistency, cost, usability, transparency, availability, convenience. Concerns: identity theft, security breaches, privacy, huge administrative costs, insecure and non-auditable transactions. Goals: improve user experience, simplified sign-on, connect with partners, collaboration, information flows, access, security.]

Background: Business objectives and features

Business objectives → Access Management features

• Support compliance; enforce enterprise risk management policies; control the cost of ongoing compliance audits → centralized policy administration, role-based access controls, audit reports and audit trails
• Better enforcement of information security controls → centralized policy administration, role-based access controls
• Improve user experience; enable collaboration with business partners → Single Sign-On, Federation
• Protect sensitive digital assets; manage user access privileges → strong authentication, centralized policy administration, role-based access controls

Background: Benefits

• Improved end-user experience through Internet single sign-on (SSO)
• Improved collaboration between business partners
• Reduced cost and time to integrate with business partners and applications
• Decreased phishing opportunities
• Secure cross-boundary collaboration
• Greater integration with user lifecycle processes

Poll question #2

Have you considered or implemented identity federation in your organization?

a) Yes, we have implemented it
b) Currently under consideration
c) Will do so in the next 1-2 years
d) Pie in the sky – too complex
e) Do not understand how it can be used
f) Not applicable/don’t know

Federated Identities – Business Models

Business Models: Actors

• Principal – a person/system who has a digital identity
• Identity Provider (IdP) – responsible for authenticating the Principal, usually once per session
• Service Provider (SP) – provides services to authenticated Principals

Business Models: Interaction (Large Telecom Provider)

[Diagram: Principal (browser), Service Provider (corporate travel site / partner portal) and Identity Provider (STS).]

1. User browses corporate travel site (SP)
2. SP generates a SAML* token
3. Browser sends SAML token
4. IdP returns SAML response with information about user
5. Browser sends SAML response
6. Principal is logged in

* Security Assertion Markup Language (SAML)

Business Models: Identity provider hub (Large Retailer)

[Diagram: one Identity Provider (IdP), backed by the organization’s identity stores, authenticates the Principal and issues assertions to several Service Providers (SP A–D): partner site, supply chain portal, corporate travel, 401K & benefits.]

Business Models: Service provider hub (Global Travel Company)

[Diagram: one Service Provider (SP), the travel service provider, accepts assertions from several Identity Providers (IdP A–D), one per organization (A–D); each IdP authenticates its own Principals.]

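The interaction on the Large Telecom Provider slide (the SP generates a token, the browser carries it to the IdP, the IdP returns a SAML response, the SP logs the Principal in) and the service-provider-hub model, where one SP trusts several IdPs, can be walked through in code. The following is an added example written for this transcript; it is not code from the presentation or from Deloitte. It stands in for SAML with JSON assertions signed by HMAC-SHA256 instead of XML with XML-Signature, and the entity IDs, shared secrets, user names and timestamps are constructed. What it keeps are the checks the SP must perform before it trusts an assertion: the issuer is in the circle of trust, the signature verifies under that issuer’s own key, the audience is this SP, the response answers an outstanding request (so it cannot be replayed), and the validity window has not lapsed. It also shows the dynamic provisioning mentioned on the Standards slide, creating the local account on the first login from a trusted IdP.

```python
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_LIFETIME = 300  # seconds an assertion remains acceptable (constructed value)

def _canonical(doc):
    # Deterministic serialization so signer and verifier hash identical bytes
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def _sign(doc, key):
    # HMAC-SHA256 stands in for the XML-Signature a real IdP would apply
    return hmac.new(key, _canonical(doc), hashlib.sha256).hexdigest()

class IdentityProvider:
    """Authenticates its own principals and vouches for them to the SP."""

    def __init__(self, entity_id, key, users, now=time.time):
        self.entity_id, self.key, self.users, self.now = entity_id, key, users, now

    def handle_request(self, request, username):
        # Local authentication is assumed to have succeeded; only the attribute lookup is shown
        t = int(self.now())
        assertion = {"issuer": self.entity_id, "subject": username,
                     "audience": request["issuer"], "in_response_to": request["id"],
                     "not_before": t, "not_on_or_after": t + ASSERTION_LIFETIME,
                     "attributes": self.users[username]}
        return {"assertion": assertion, "signature": _sign(assertion, self.key)}

class ServiceProvider:
    """SP hub: trusts several IdPs, validates their assertions, provisions accounts."""

    def __init__(self, entity_id, trusted_idps, now=time.time):
        self.entity_id, self.trusted_idps, self.now = entity_id, trusted_idps, now
        self.pending = {}   # outstanding request id -> IdP it was addressed to
        self.accounts = {}  # local accounts keyed by (issuer, subject)

    def create_request(self, idp_id):
        if idp_id not in self.trusted_idps:
            raise ValueError("IdP is not in the circle of trust: " + idp_id)
        req = {"id": "_" + secrets.token_hex(16), "issuer": self.entity_id,
               "destination": idp_id, "issued": int(self.now())}
        self.pending[req["id"]] = idp_id
        return req

    def consume_response(self, response):
        a, sig = response["assertion"], response["signature"]
        key = self.trusted_idps.get(a["issuer"])   # verification key chosen by issuer
        if key is None:
            return None, "untrusted issuer"
        if not hmac.compare_digest(_sign(a, key), sig):
            return None, "bad signature"
        if a["audience"] != self.entity_id:
            return None, "wrong audience"
        if self.pending.pop(a["in_response_to"], None) != a["issuer"]:
            return None, "unsolicited or replayed response"
        if not a["not_before"] <= self.now() < a["not_on_or_after"]:
            return None, "assertion outside validity window"
        # Dynamic provisioning: first login from a trusted IdP creates the local account
        account = self.accounts.setdefault(
            (a["issuer"], a["subject"]),
            {"subject": a["subject"], "home_org": a["issuer"], **a["attributes"]})
        return account, "ok"

def run_exchange():
    """Drive the flow against constructed partners and return each outcome."""
    clock = [1_700_000_000]  # controllable clock for the example

    def now():
        return clock[0]

    idp_a_id, idp_b_id = "https://idp.org-a.example", "https://idp.org-b.example"
    idp_a = IdentityProvider(idp_a_id, b"org-a-secret", {"alice": {"role": "traveler"}}, now)
    idp_b = IdentityProvider(idp_b_id, b"org-b-secret", {"bob": {"role": "traveler"}}, now)
    sp = ServiceProvider("https://travel.example.net/sp",
                         {idp_a_id: b"org-a-secret", idp_b_id: b"org-b-secret"}, now)
    out = {}
    # Steps 1-6: the browser carries the request to the IdP and the response back
    resp = idp_a.handle_request(sp.create_request(idp_a_id), "alice")
    out["login"], _ = sp.consume_response(resp)
    _, out["replay"] = sp.consume_response(resp)      # same response presented twice
    # A response signed by org B but relabelled as org A fails under org A's key
    forged = idp_b.handle_request(sp.create_request(idp_b_id), "bob")
    forged["assertion"]["issuer"] = idp_a_id
    _, out["cross_issuer"] = sp.consume_response(forged)
    # An IdP outside the circle of trust is refused before anything else is checked
    stranger = IdentityProvider("https://idp.stranger.example", b"x", {"eve": {}}, now)
    _, out["untrusted"] = sp.consume_response(
        stranger.handle_request(sp.create_request(idp_b_id), "eve"))
    # Stale assertion: valid in every other respect, presented after it lapsed
    late = idp_b.handle_request(sp.create_request(idp_b_id), "bob")
    clock[0] += ASSERTION_LIFETIME + 1
    _, out["expired"] = sp.consume_response(late)
    return out
```

Calling run_exchange() returns a dictionary with the provisioned account for the successful login and a rejection reason for each of the other cases. The cross-issuer case is the “weakest link” point from the Challenges slides in miniature: because the SP selects the verification key by issuer, a key held by partner B cannot be used to mint assertions in partner A’s name, so a compromise at one partner stays confined to that partner’s own principals.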

Business Models: Hybrid model (Global Bank)

[Diagram: four divisions – Corporate Services, Investment Management, Wealth Management, and Retail & Commercial Banking – each acting as both IdP and SP.]

Business Models: Federation in Cloud Computing

• Establishes a site-to-site VPN or similar secure connectivity with the Cloud Service Provider (CSP)
• Integrates the existing IAM solution with the CSP platform (IaaS/PaaS) in a less complex manner
• Flexible to use a centralized directory or localized directory for user authentication
• Leverages widely accepted standards such as Security Assertion Markup Language (SAML) and WS-Federation for authentication and authorization
• Provisions using standards such as Service Provisioning Markup Language (SPML)
• Integration with the CSP may have some technical challenges

[Diagrams, illustrative only. Hybrid cloud: users on the secure enterprise network authenticate against the corporate directory through the Identity & Access Management system, which connects to an IaaS/PaaS provider. Public cloud: users authenticate through Identity & Access Management and the corporate directory to a SaaS provider (e.g., Salesforce.com) and to IaaS/PaaS providers (e.g., Amazon Web Services, Windows Azure, Google App Engine, CohesiveFT).]

Poll question #3

With which of these groups would you consider implementing identity federation?

a) BPO vendors (e.g., 401K, healthcare and payroll providers)
b) Managed service providers (e.g., infrastructure and platform support)
c) Strategic outsourced vendors
d) All of the above
e) None of the above
f) Do not know/not applicable

Federated Identities – Standards

Standards: Overview

• Standards provide interoperability between various security domains
• The four most widely used standards are:
  – Security Assertion Markup Language (SAML)
  – WS* (WS Star) specifications
  – Liberty Alliance protocols (ID-FF)
  – OpenID

Standards: Which one should I use?

• SAML is the widely used protocol for browser-based federation
• SAML is used if an account does not exist on the Service Provider (SaaS) to enable dynamic user provisioning
• Liberty Alliance standards are used:
  – When account linkage is required and an account exists on both the Identity Provider (IdP) and the Service Provider (SP)
  – When a global logout is required across IdP and SP
• WS* specifications focus on enabling identity-based web services
• WS* specifications are broad for consumer-facing identity-enabled services
• OpenID is an up-and-coming protocol for Web 2.0 services, but is not considered to be very secure

Federated Identities – Usage

Usage: Common use cases

• External cross-domain single sign-on
• Internal cross-domain single sign-on
• Federated identity provisioning
• Federated attribute exchange
• Web services federation

Usage: Federated identity in organizations

• Securing outsourced services, providers and platforms, both inbound and outbound
• Combining user account provisioning with federation to manage outsourced vendors
• Use of federation as the first step in integrating infrastructure, platforms and applications during mergers and acquisitions
• Leveraging investments in existing infrastructure by deploying virtual directories with federation

Federated Identities – Challenges

Challenges: To trust or not to trust

• Federation is based on a “circle of trust”
• Trusting your partner’s security policies and controls
• Not a technology issue as much as a cultural issue
• Whom do I trust and what can I share?
• More time is spent on legal contracts and agreements
• You are only as strong as the weakest link in your circle

Challenges: How do I get started?

• Is it for me?
  – What are the business benefits? Adding revenue, compliance
• Start small with an internal deployment
• Establish trust with your most trusted partners
• Spend time on legal contracts and agreements
• Establish clear liability and responsibility
• Adopt a standards-based solution

Poll question #4

Which do you see as the most significant barrier to deploying federation?

a) Already use federation
b) Seems too complex to set up and deploy
c) Not needed in my business
d) I do not know how to begin
e) Not applicable/don’t know

Summary: Top three things to remember

1. Federation is not a technology issue
2. Enable federation with your most trusted partners
3. Technologies and standards have matured for organizations to federate with each other, including with the Cloud

Question and Answer

Join us March 3rd at 2 PM ET as our Technology Executives series presents: Almost Enterprise Applications: What Can Next-Generation Cloud Computing Do for Your Business?

Thank you for joining today’s webcast. To request CPE credit, click the link below.

Contact info

Kelly Bissell
Principal, Deloitte & Touche LLP
[email protected]
+1 404-220-1187

Vikram Kunchala
Senior Manager, Deloitte & Touche LLP
[email protected]
+1 713-982-2807

This presentation contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering business, financial, investment, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries