User Authentication for Enterprise Applications
November 16, 2005
Tom Board, NUIT
Thesis
• Trustworthy authentication and authorization are important
• Moving the authentication and authorization functions out of applications will allow rapid deployment of desirable new technologies
• The services needed are largely available today, and will be complete within 18 months
• The work must now shift to the applications and business processes
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
What are the Problems?
• External: granting & removing access through auditable processes
• Internal/external: accountability using access records
• Internal/external: maintaining trustworthiness of tokens or credentials
• Internal: reducing the cost of implementing new security methods
• Internal: navigating University applications may be too complicated for users
Contexts
• Network: for access control security
• Enterprise applications: for integrity of business functions
• Divisional and school applications: for consistency and ease of management
• User experience: to reduce complexity
Industry Trends in User Authentication
• Defining clear business rules for identity creation and lifecycle management
• Requiring stronger passwords
• Requiring multi-factor authentication for high-value transactions
• Requiring trustworthy administrative processes
Business Rules for Identity Lifecycle Management
• Document the necessary and sufficient conditions for identity creation
• Define the lifecycle and the authorizations granted and revoked at each transition
• Grant authorizations in keeping with business goals and to minimize risks
• Log and audit the management processes
Stronger Passwords
• Password cracking technology is advancing beyond our ability to remember passwords
• Because attacks are automated, risks are greater and defenses must be stronger
• Passwords must become longer and more complex
• Likely future minimum will be 8 characters with more syntax requirements
• Implementation requires new IdM system
Multi-Factor Authentication
• Factors: something you …
– Know (passwords)
– Have (swipe card, USB token)
– Are (thumbprint, handprint, retinal pattern)
– Do (typing pattern, walking gait)
• How many factors are needed to be POSITIVE that the attempted access is by the real person?
– What is the risk of being wrong?
– What is the inconvenience?
– Who will decide?
The Importance of Trustworthiness
• Federal guidelines for electronic signature stress the security and trustworthiness of token distribution
• Federated authentication between security realms is based upon trust in our authentication assertions, a portion of which is trust in the management of tokens
• Our practices for identification, distribution and management of authentication tokens must be judged trustworthy
• Policies on protection of tokens must be enforced
• Trust is a contract with legal implications
NUIT Plan
• Single identity for each person
• Four network-wide authentication services but only one and one-half authorization services
• Workflow-based management of identities and access control
• Federated authentication with others
• Smartcards, USB tokens, etc.
• A key step: remove authentication from applications and place it in the surrounding service environment
Single Identity (NetID)
• Why?
– Tied to authoritative sources
– Single token allows rapid action to allow, modify, or revoke access or permissions
– Common authentication infrastructure simplifies user experience (portal, SSO)
• What about aggregated risk?
– Use multi-factor authentication selectively
– Educate users – it’s not just e-mail now
Four Services
• LDAP 3.x: authentication and authorization attributes
• MSFT Active Directory: authentication and some authorization attributes
• MIT Kerberos 5: authentication
• Web SSO: authentication and coarse-grained access control through LDAP authorization attributes
Web SSO (Single Sign-On)
• More correctly: Web Access Management
• Presents a challenge for an authentication token and caches the resulting level of authentication in a session cookie
• Extension: access policies are used to describe the authentication level needed for each URL
Web Access Mgmt (diagram)
• Components: Web server "shim"; WAM server (check cookie, challenge, check URL policies); Application; Web server with session cookie; app.northwestern.edu/...
• WAM policies (authentication level required per URL):
– 0 app.northwestern.edu/*
– 1 app.northwestern.edu/reports/*
– 2 app.northwestern.edu/modify/*
– 3 app.northwestern.edu/modify/bankaccounts/*
• Authentication levels:
– 1 = password
– 2 = physical token
– 3 = supervisor physical token
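The decision the WAM shim makes in the diagram, worked through as an added example (this is not NUIT's WAM product or code). The URL policy table and the level numbering are taken from the slide; the longest-prefix matching, the HMAC-signed cookie format, the demo secret and every function name are assumptions made for illustration.

```python
"""Web Access Management check: required level per URL, cached level in a
signed session cookie, step-up challenge when the cached level is too low.
Added example; policies and level meanings from the slide, the rest assumed."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Required authentication level per URL pattern (from the slide). The most
# specific prefix wins, so /modify/bankaccounts/* outranks /modify/*.
WAM_POLICIES = {
    "app.northwestern.edu/*": 0,
    "app.northwestern.edu/reports/*": 1,
    "app.northwestern.edu/modify/*": 2,
    "app.northwestern.edu/modify/bankaccounts/*": 3,
}

# Meaning of each level (from the slide); level 0 is "no authentication".
AUTH_LEVELS = {1: "password", 2: "physical token", 3: "supervisor physical token"}

# Constructed secret for the demo; a real WAM server keeps this in protected config.
COOKIE_SECRET = b"constructed-demo-secret"


def required_level(url: str) -> int:
    """Level demanded by the longest matching policy prefix."""
    best_prefix, best_level = None, 0
    for pattern, level in WAM_POLICIES.items():
        prefix = pattern[:-1]  # drop the trailing '*'
        if url.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix, best_level = prefix, level
    if best_prefix is None:
        raise ValueError(f"no WAM policy covers {url}")
    return best_level


def issue_cookie(netid: str, level: int) -> str:
    """Cache the level the user actually achieved in an HMAC-signed cookie."""
    payload = json.dumps({"netid": netid, "level": level}, sort_keys=True).encode()
    mac = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + mac


def read_cookie(cookie: Optional[str]) -> dict:
    """Verified cookie payload, or an anonymous level-0 session on any defect."""
    anonymous = {"netid": None, "level": 0}
    if not cookie or "." not in cookie:
        return anonymous
    body, mac = cookie.rsplit(".", 1)
    try:
        payload = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed cookie
        return anonymous
    expected = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # tampered: trust nothing in it
        return anonymous
    return json.loads(payload)


def check_access(url: str, cookie: Optional[str]) -> dict:
    """The shim's decision: pass the request through, or challenge for the
    missing factor. A too-low level is a step-up, not a denial."""
    session = read_cookie(cookie)
    need = required_level(url)
    have = int(session["level"])
    if have >= need:
        return {"action": "allow", "netid": session["netid"], "level": have}
    return {"action": "challenge", "required": need,
            "challenge": AUTH_LEVELS[need], "current": have}
```

The application behind the shim never sees a password: it is invoked only after `check_access` returns `allow`, which is the property the later slides rely on. Replacing the cookie's signature check with a plain lookup is the mistake to avoid, since the cached level is what the whole URL policy trusts.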
Timeline*
* This timeline is for illustrative purposes only and should not be used in planning – please consult with an experienced professional. The views expressed are those of the author and not those of NUIT. No warranty expressed or implied. YMMV. All bets are off.
(Gantt chart spanning 2006 Jan-Mar through 2007 Jul-Sep, labelled Phase 1; task rows in order, quarter placement not recoverable from the text:)
• Sign contracts
• HRIS 8.9 Implementation
• Implement WAM
• Deploy WAM
• Prepare SNAP
• Prepare Business Rules
• Prepare feeds
• Install IdM
• IdM process feeds
• Parallel operations
• Cutover to IdM
• SES 8.9 Implementation
• Financial System Implementation
How Should Applications Prepare?
• Move user authentication into the Web server – application invocation implies successful authentication
• Use identity management workflow to control access to the application
• Use attributes for coarse-grained access control
• Optional: Define institutional roles that can drive coarse-grained (and fine-grained) access control
• Optional: Employ first-access provisioning to simplify management of application user profiles
Authenticating at the Web Server
• Applications must give up internal passwords and programming logic to check NetID passwords
• Moving this function to the Web server level allows new functions (Web SSO) to be deployed without wide-spread effects
• If the application is invoked, then the user was successfully authenticated
Approve Access Through IdM
• The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application.
• Using IdM-based workflow to request, authorize, approve and grant access can support this easily.
• The IdM system can enforce business rules subject to entitlements granted.
Remove Access Through IdM
• What business rules are appropriate (or required) when an identity changes status?
– Move between departments
– Move between divisions/schools
– Graduation, withdrawal, no registration
– Termination
• Possible actions:
– Continue services indefinitely or for a defined number of days
– Suspend access and (a) notify individual, and/or (b) notify supervisor, and/or (c) notify service manager
– Suspend without notices
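How an IdM workflow could encode the status-change rules and actions listed on the two preceding slides, as an added example rather than NUIT's IdM system. The transitions and the action menu (continue indefinitely, continue for a defined number of days, suspend with notices, suspend without notices) come from the slide; the rule table, the service names, the dates and all type and function names are constructed assumptions.

```python
"""Status-change business rules: which entitlements continue, which are
suspended, who is notified, and an audit line per decision.
Added example; transitions and actions from the slide, rule table assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    transition: str                   # status change that triggers the rule
    service: str                      # entitlement name, or "*" for any
    action: str                       # "continue" or "suspend"
    grace_days: Optional[int] = None  # continue for N days; None = indefinitely
    notify: Tuple[str, ...] = ()      # "individual", "supervisor", "service_manager"


# Constructed rule table; a real deployment would load it from the IdM workflow.
RULES = [
    Rule("termination", "*", "suspend", notify=("individual", "supervisor", "service_manager")),
    Rule("graduation", "email", "continue", grace_days=180, notify=("individual",)),
    Rule("graduation", "hris", "suspend"),                    # suspend without notices
    Rule("department_move", "dept_reports", "suspend", notify=("supervisor",)),
    Rule("department_move", "*", "continue"),                 # everything else continues
]


@dataclass
class Decision:
    netid: str
    service: str
    action: str
    suspend_on: Optional[date]   # None = access continues indefinitely
    notify: Tuple[str, ...]
    audit: str


def find_rule(transition: str, service: str) -> Optional[Rule]:
    """Exact service match first, then the '*' wildcard for that transition."""
    for want in (service, "*"):
        for rule in RULES:
            if rule.transition == transition and rule.service == want:
                return rule
    return None


def apply_transition(netid: str, transition: str, entitlements: List[str], today_iso: str) -> List[Decision]:
    """Decide, per entitlement, what the status change does to access.
    today_iso is an ISO date string so the outcome is reproducible."""
    today = date.fromisoformat(today_iso)
    decisions = []
    for service in sorted(entitlements):
        rule = find_rule(transition, service)
        if rule is None:
            # No rule defined: fail closed, and make the gap visible to auditors.
            decisions.append(Decision(netid, service, "suspend", today, (),
                f"{netid} {transition} {service}: no rule, suspended by default"))
            continue
        if rule.action == "suspend":
            suspend_on = today
        elif rule.grace_days is None:
            suspend_on = None
        else:
            suspend_on = today + timedelta(days=rule.grace_days)
        until = "" if suspend_on is None else f" until {suspend_on}"
        who = ",".join(rule.notify) or "none"
        audit = f"{netid} {transition} {service}: {rule.action}{until} notify={who}"
        decisions.append(Decision(netid, service, rule.action, suspend_on, rule.notify, audit))
    return decisions
```

The one design choice worth noting is the missing-rule branch: an entitlement that no rule covers is suspended and logged rather than silently continued, so a gap in the business rules shows up in the audit trail instead of as lingering access.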
Coarse-Grained Access Control
• Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page.
– Role: “faculty”, “employee”
– Entitlement: “access to HRIS”
• Session environment can also be used
– IP address
– Level of authentication
Fine-Grained Access Control
• Fine-grained access control is based upon user profile information unique to the application or interpreted by the application at execution time.
– “Can view salaries”
– “Can change salaries”
– “Can authorize checks up to $100,000”
• Fine-grained access controls could be determined from institutional roles – or not
– Examples: “department assistant” implies
• “Can view salaries”
• “Can administer grant funds within department”
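The two layers from the Coarse-Grained and Fine-Grained slides side by side, as an added example (not NUIT code). The attribute names ("faculty", "employee", "access to HRIS"), the session inputs (IP address, level of authentication) and the "department assistant" permissions are from the slides; the rule dictionary, the campus network range, the "payroll manager" role and every function name are constructed assumptions.

```python
"""Coarse-grained decision (what Web SSO can make from NetID attributes and
the session) next to fine-grained decisions (what only the application can
make from its own profile data). Added example; names from the slides, rules assumed."""
import ipaddress
from typing import Dict, Set, Tuple

# Coarse-grained rule attached to an HRIS page. Constructed: needs a qualifying
# role, the HRIS entitlement, at least password-level authentication (level 1),
# and a source address inside the campus range.
HRIS_PAGE_RULE = {
    "any_role": {"employee", "faculty"},
    "entitlement": "access to HRIS",
    "min_level": 1,
    "networks": ["10.0.0.0/8"],  # constructed campus range
}

# Fine-grained permissions implied by institutional roles. Web SSO never sees
# these; they only mean something inside the application.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "department assistant": {"Can view salaries", "Can administer grant funds within department"},
    "payroll manager": {"Can view salaries", "Can change salaries"},  # constructed role
}


def coarse_check(rule: dict, attrs: dict, session: dict) -> Tuple[bool, str]:
    """Allow/deny for a page. attrs are the NetID attributes from LDAP;
    session is what the Web SSO layer knows about this session itself."""
    if not rule["any_role"] & set(attrs.get("roles", ())):
        return False, "no qualifying role"
    if rule["entitlement"] not in attrs.get("entitlements", ()):
        return False, f"missing entitlement {rule['entitlement']!r}"
    if session["level"] < rule["min_level"]:
        return False, f"authentication level {session['level']} below {rule['min_level']}"
    addr = ipaddress.ip_address(session["ip"])
    if not any(addr in ipaddress.ip_network(n) for n in rule["networks"]):
        return False, f"address {addr} outside permitted networks"
    return True, "ok"


def fine_permissions(attrs: dict, app_profile: dict) -> Set[str]:
    """Permissions the application grants: its own profile entries plus
    whatever the user's institutional roles imply."""
    perms = set(app_profile.get("permissions", ()))
    for role in attrs.get("roles", ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_authorize_check(perms: Set[str], amount: int) -> bool:
    """A permission interpreted at execution time: the dollar limit is read
    out of the permission string itself, e.g. 'Can authorize checks up to $100,000'."""
    for p in perms:
        if p.startswith("Can authorize checks up to $"):
            limit = int(p.split("$", 1)[1].replace(",", ""))
            if amount <= limit:
                return True
    return False
```

Note that `coarse_check` returns the reason with the decision; Web SSO can log that reason without ever learning what the application will later decide about salaries or check limits, which is the separation the slides are arguing for.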
Coarse vs. Fine Controls (diagram)
• Components: Application (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Administrator; Authority; Access Control Layer
• Labels: Coarse-Grained Controls; Fine-Grained Controls
First-Access Provisioning
• Avoid provisioning user profiles within the application until the user attempts access
– Eliminate unnecessary local user profiles
• Recognizing no user profile exists:
– Invoke an IdM workflow to request access
– Create a place-holder profile and allow limited access by default
– Automatically create a profile from attribute information (institutional roles)
• Result: savings in administrative time
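The three responses to a missing profile, as an added example of an application's entry point (not NUIT code). The options themselves (request access via IdM workflow, place-holder profile with limited access, automatic profile from institutional roles) are from the slide; the in-memory profile store, the role template, the use of the Web server's REMOTE_USER as the authenticated NetID, the request identifiers and all function names are constructed assumptions.

```python
"""First-access provisioning: nothing exists in the application until an
authenticated user actually arrives. Added example; options from the slide,
store, templates and names assumed."""
from typing import Dict

# Application profile store keyed by NetID. Starts empty on purpose: no local
# profiles are created ahead of time.
PROFILES: Dict[str, dict] = {}

# Constructed templates: roles the application knows how to provision
# automatically, and the profile each one produces.
ROLE_TEMPLATES = {
    "department assistant": {"access": "full", "permissions": ["Can view salaries"]},
}

# Constructed record of access requests handed to the IdM workflow (netid -> id).
PENDING_REQUESTS: Dict[str, str] = {}


def handle_request(environ: dict, ldap_attrs: dict, policy: str = "placeholder") -> dict:
    """Resolve the caller's profile on entry to the application.

    environ["REMOTE_USER"] is the NetID set by the Web server after it
    authenticated the user; if it is absent the request never passed the
    Web server's check and must not proceed. policy selects what to do when
    no profile exists: "workflow", "placeholder" or "auto".
    """
    netid = environ.get("REMOTE_USER")
    if not netid:
        raise PermissionError("reached application without Web-server authentication")

    profile = PROFILES.get(netid)
    if profile is not None:
        return {"netid": netid, "profile": profile, "provisioned": "existing"}

    if policy == "workflow":
        # Hand the decision to IdM; the user gets nothing until it is approved.
        req_id = f"REQ-{len(PENDING_REQUESTS) + 1}"  # constructed identifier
        PENDING_REQUESTS[netid] = req_id
        return {"netid": netid, "profile": None, "provisioned": "requested", "request": req_id}

    if policy == "auto":
        # Build the profile from institutional roles carried in the LDAP attributes.
        for role in ldap_attrs.get("roles", ()):
            if role in ROLE_TEMPLATES:
                profile = dict(ROLE_TEMPLATES[role], source=f"role:{role}")
                PROFILES[netid] = profile
                return {"netid": netid, "profile": profile, "provisioned": "auto"}
        # Design choice here: no template matched, so fall through to a
        # limited place-holder rather than turning the user away.

    profile = {"access": "limited", "permissions": [], "source": "placeholder"}
    PROFILES[netid] = profile
    return {"netid": netid, "profile": profile, "provisioned": "placeholder"}
```

The `PermissionError` branch is the contract from the Authenticating at the Web Server slide made explicit: an application that trusts REMOTE_USER must refuse to run when it is empty, otherwise a misconfigured server block would turn every visitor into an unauthenticated user with a fresh place-holder profile.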
1. Typical “silo” application (diagram)
• Components: Application (User profiles, Database, Session set-up, Processing); Administrator; E-mail & workflow
• Labels: Authentication & Authorization; ID & Role Maintenance
2. Convert to NetID authentication (diagram)
• Components: Application (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Administrator; E-mail & workflow; Authority
• Labels: Authentication & Authorization; ID & Role Maintenance
3. Move authentication to Web server (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Administrator; E-mail & workflow; Authority
• Labels: Authentication; Authorization; ID & Role Maintenance
4. Web Access Management (SSO) (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Administrator; E-mail & workflow; cookie; Authority
• Labels: Authentication; Authorization; ID & Role Maintenance
5. Coarse-grained authorization (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Administrator; E-mail & workflow; cookie; Authority
• Labels: Authentication; Authorization; ID & Role Maintenance
6. Request access using IdM workflow (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Administrator; E-mail & workflow; cookie; Authority
• Labels: Authentication; Authorization; ID & Role Maintenance
7. Institutional roles drive provisioning (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Role engine; Administrator; E-mail & workflow; cookie; Authority
• Labels: Authentication; Authorization
Step 8 (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Role engine; Administrator; E-mail & workflow; cookie; Authority
• Labels: Authentication; Authorization; First-access provisioning
9. Smart card authentication (diagram)
• Components: Application Web Server (User profiles, Database, Session set-up, Processing); LDAP Registry; Identity Management System; Access policy database; Web SSO; Access Control System; Role engine; Administrator; E-mail & workflow; cookie; Authority; Smart card; Card management
• Labels: Authentication; Authorization; First-access provisioning
Wrap-Up
• Seek to free the application from any particular authentication technology
• IdM workflow can govern the approval process, provide audit controls, and flag the user’s identity for other business rules
• First-access provisioning saves time and effort for the application administrator
• “Just as secure, with just as much control, just using different tools”
Questions?
Q&A