The Dbriefs Technology Executive series presents:
Federated Identities: To Trust or Not to Trust?
Kelly Bissell, Principal, Deloitte & Touche LLP
Vikram Kunchala, Senior Manager, Deloitte & Touche LLP
February 3, 2011
Copyright © 2011 Deloitte Development LLC. All rights reserved.
Poll question #1
How many business partner users access your applications OR how many of your organization’s users access partner applications?
a) 0
b) 5,000
c) 50,000
d) 100,000
e) 1,000,000+
f) Not applicable/don’t know
Objectives
In this session participants will learn about:
1. Fundamentals of identity federation, including background, evolution and business drivers
2. Federated identity management business models, standards and use cases
3. Role of identity federation in user provisioning, including challenges to implementation
Background: What is federation?
• A set of technical, legal, and operational agreements that facilitate distributed identification, authentication and authorization across boundaries (security, departmental, organizational or platform)
• A model based upon trust, in which user identities and security are individually managed and distributed by the service providers or member organizations
• The individual organization is responsible for vouching for the identity of its own users, and the users are able to transparently interact with other trusted partners based on this first authentication
Background: Evolution
[Figure: timeline of identity and access management, covering information resources (platforms, databases, systems, business applications) and user populations (employees, contractors, business partners, suppliers) across three stages]
1. Identity silos, manual user administration: per-platform user IDs (AIX, RACF, ACF2, SAP, Active Directory, RDBMS, CRM and similar) created, updated and retired through help desk administration requests
2. Enterprise IAM suites, tightly coupled integration with managed resources: authoritative sources (business unit HR data feeds) drive a provisioning engine, directory integration and IAM connectors inside an IAM system boundary, surrounded by requestors, approvers, user ID administrators, resource owners, auditors and audit reports
3. Federated IAM, loosely coupled integration, inter-enterprise “ecosystem”: access management (authentication and authorization) extended across organizations
Background: Business drivers
Enterprises are challenged with the security impacts of cross-organizational information and application sharing, which introduces significant complexity and risk to operations.
At the same time, businesses must collaborate and share critical information with partners, providing the right people with the right access to the right information at the right time.
[Figure: driver map. Concerns: identity theft, security breaches, privacy, huge administrative costs, insecure and non-auditable transactions. Goals: improve user experience, simplified sign-on, connect with partners, collaboration, information flows, access, security. Evaluation criteria: liability, manageability, risk, consistency, cost, usability, transparency, availability, convenience.]
Background: Business objectives and features
Business objectives → Access management features
• Support compliance; enforce enterprise risk management policies; control the cost of ongoing compliance audits → centralized policy administration, role-based access controls, audit reports and audit trails
• Better enforcement of information security controls → centralized policy administration, role-based access controls
• Improve user experience; enable collaboration with business partners → single sign-on, federation
• Protect sensitive digital assets; manage user access privileges → strong authentication, centralized policy administration, role-based access controls
Background: Benefits
• Improved end-user experience through Internet single sign-on (SSO)
• Improved collaboration between business partners
• Reduced cost and time to integrate with business partners and applications
• Decreased phishing opportunities
• Secure cross-boundary collaboration
• Greater integration with user lifecycle processes
Poll question #2
Have you considered or implemented identity federation in your organization?
a) Yes, we have implemented it
b) Currently under consideration
c) Will do so in the next 1-2 years
d) Pie in the sky – too complex
e) Do not understand how it can be used
f) Not applicable/don’t know
Business Models: Actors
• Principal – a person/system who has a digital identity
• Identity Provider (IdP) – responsible for authenticating the Principal, usually once per session
• Service Provider (SP) – provides services to authenticated Principals
Business Models: Interaction (Large Telecom Provider)
[Figure: Principal (browser), Service Provider (partner portal / corporate travel) and Identity Provider (STS)]
1. User browses corporate travel site (SP)
2. SP generates a SAML* token
3. Browser sends SAML token
4. IdP returns SAML response with information about user
5. Browser sends SAML response
6. Principal is logged in
* Security Assertion Markup Language (SAML)
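The six steps above are the SP-initiated browser flow. As an added example that is not part of the Deloitte deck, here is the check an SP should run on the SAML response it receives in step 5, after a SAML library has verified the XML signature: the response must answer a request this SP actually issued (and only once), the assertion must come from the IdP in the SP's circle of trust, be inside its validity window, and be addressed to this SP. The entity IDs, the sample response and the clock value are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://travel.example.com/sp"   # constructed SP entity ID
TRUSTED_IDP = "https://idp.example.net/sts"      # constructed IdP entity ID
NOW = datetime(2011, 2, 3, 19, 2, tzinfo=timezone.utc)   # constructed clock
def _ts(value):  # SAML times are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, pending_request_ids, now):
    """Return the asserted NameID or raise ValueError. Assumes the XML
    signature was already verified by a SAML library. pending_request_ids
    holds AuthnRequest IDs this SP issued; each is consumed once so a
    captured response cannot be replayed."""
    root = ET.fromstring(xml_text)
    in_resp = root.get("InResponseTo")
    if in_resp not in pending_request_ids:
        raise ValueError("unsolicited or replayed response")
    pending_request_ids.discard(in_resp)             # consume the request ID
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_IDP:                        # circle-of-trust check
        raise ValueError("assertion issued by untrusted IdP %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (
            _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def outcome(xml_text, pending_request_ids, now=NOW):
    """Report ('ok', subject) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", validate_response(xml_text, pending_request_ids, now))
    except ValueError as err:
        return ("rejected", str(err))
# Constructed sample response, as the IdP would return it in step 4 above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
  <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.net/sts</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2011-02-03T19:00:00Z" NotOnOrAfter="2011-02-03T19:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://travel.example.com/sp</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `outcome(SAMPLE_RESPONSE, {"_req42"})` returns `('ok', 'alice@example.com')`; a second call with the same, now-consumed request set is rejected as a replay.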
Business Models: Identity provider hub (Large Retailer)
[Figure: one Identity Provider (IdP), backed by the organization’s identity stores, authenticates the Principal and issues assertions to multiple Service Providers (SP A–D: partner site, supply chain portal, corporate travel, 401K & benefits)]
Business Models: Service provider hub (Global Travel Company)
[Figure: one Service Provider (the travel service provider) accepts assertions from multiple Identity Providers (IdP A–D, one per Organization A–D), each of which authenticates its own Principals]
Business Models: Hybrid model (Global Bank)
[Figure: each business line (Corporate Services, Investment Management, Wealth Management, Retail & Commercial Banking) acts as both IdP and SP towards the others]
Business Models: Federation in Cloud Computing
• Establishes a site-to-site VPN or similar secure connectivity with the Cloud Service Provider (CSP)
• Integrates the existing IAM solution with the CSP platform (IaaS/PaaS) in a less complex manner
• Flexible to use a centralized directory or a localized directory for user authentication
• Leverages widely accepted standards such as Security Assertion Markup Language (SAML) and WS-Federation for authentication and authorization
• Provisions using standards such as Service Provisioning Markup Language (SPML)
• Integration with the CSP may have some technical challenges
[Figure, illustrative only: hybrid cloud, where users inside the secure enterprise network authenticate against the corporate directory and identity & access management extends to an IaaS/PaaS provider (Amazon Web Services, Windows Azure, App Engine, Cohesive FT); public cloud, where the same corporate directory and identity & access management federate to a SaaS provider (Salesforce.com)]
Poll question #3
With which of these groups would you consider implementing identity federation?
a) BPO vendors (e.g. 401K, healthcare and payroll providers)
b) Managed service providers (e.g. infrastructure and platform support)
c) Strategic outsourced vendors
d) All of the above
e) None of the above
f) Do not know/not applicable
Standards: Overview
• Standards provide interoperability between various security domains
• The four most widely used standards are:
– Security Assertion Markup Language (SAML)
– WS* (WS Star) specifications
– Liberty Alliance protocols (ID-FF)
– OpenID
Standards: Which one should I use?
• SAML is the widely used protocol for browser-based federation
• SAML is used if an account does not exist on the Service Provider (SaaS), to enable dynamic user provisioning
• Liberty Alliance standards are used:
– When account linkage is required and an account exists on both the Identity Provider (IdP) and the Service Provider (SP)
– When a global logout is required across IdP and SP
• WS* specifications focus on enabling identity-based web services
• WS* specifications are broad for consumer-facing identity-enabled services
• OpenID is an up-and-coming protocol for Web 2.0 services, but is not considered to be very secure
Usage: Common use cases
• External cross-domain single sign-on
• Internal cross-domain single sign-on
• Federated identity provisioning
• Federated attribute exchange
• Web services federation
Usage: Federated identity in organizations
• Securing outsourced services, providers and platforms, both inbound and outbound
• Combining user account provisioning with federation to manage outsourced vendors
• Use of federation as the first step in integrating infrastructure, platforms and applications during mergers and acquisitions
• Leveraging investments in existing infrastructure by deploying virtual directories with federation
Challenges: To trust or not to trust
• Federation is based on a “circle of trust”
• Trusting your partner’s security policies and controls
• Not a technology issue as much as a cultural issue
• Whom do I trust and what can I share?
• More time is spent on legal contracts and agreements
• You are only as strong as the weakest link in your circle
Challenges: How do I get started?
• Is it for me?
– What are the business benefits? Adding revenue, compliance
• Start small with an internal deployment
• Establish trust with your most trusted partners
• Spend time on legal contracts and agreements
• Establish clear liability and responsibility
• Adopt a standards-based solution
Poll question #4
Which do you see as the most significant barrier to deploying federation?
a) Already use federation
b) Seems too complex to set up and deploy
c) Not needed in my business
d) I do not know how to begin
e) Not applicable/don’t know
Summary: Top three things to remember
1. Federation is not a technology issue
2. Enable federation with your most trusted partners
3. Technologies and standards have matured for organizations to federate with each other, such as with the Cloud
Join us March 3rd at 2 PM ET as our Technology Executives series presents: Almost Enterprise Applications: What Can Next-Generation Cloud Computing Do for Your Business?
Contact info
Kelly Bissell, Principal, Deloitte & Touche LLP, +1 404-220-1187
Vikram Kunchala, Senior Manager, Deloitte & Touche LLP, +1 713-982-2807
This presentation contains general information only and is based on the experiences and
research of Deloitte practitioners. Deloitte is not, by means of this presentation, rendering
business, financial, investment, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any
decision or action that may affect your business. Before making any decision or taking any action
that may affect your business, you should consult a qualified professional advisor. Deloitte, its
affiliates, and related entities shall not be responsible for any loss sustained by any person who
relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.