Presentation transcript:

Identity & Access Management: A Misnomer
Informed, then decisive and protective
Eric C Anderson, Sr. Cybersecurity Architect, Health Care Service Corporation

Real Time Decisions: Are you who you say you are? Do you belong here?

Seventeen years ago, a technology executive published a book promoting the value of a "digital nervous system": real-time decisions, empowered by real-time data. Today we see those principles adopted. The data needed for decisions is shared in real time, internally and externally, from any device, anywhere in the world. The result of this "Business at The Speed of Thought" is the need for nearly instantaneous access management solutions that ensure two questions are answered in the affirmative: Are you who you say you are? Do you belong here?

Identity Data Reference View

[Diagram: Identity Lifecycle Management (Enterprise Identity Lifecycle Mgmt, Customer Identity Lifecycle Mgmt) feeding Identity Data Consumption]

The Identity Data space is defined by two distinct functions:
- Manipulation and management of identity data: provides the capability to apply rules, governance, and analytics to access control. The relationship between entitlement complexity and volume of identities may differentiate Enterprise ILM from Customer ILM.
- Data consumption service: allows consumption of managed identity data to empower access control decisions.

Identity Lifecycle Management

What Is Identity Lifecycle Management? The process of actively managing an individual's relationship as they move from persona to persona.

Business Impact:
- Commonalities: both Customer and Enterprise Identity Lifecycle empower the management of persona-to-persona movement within the enterprise.
- Customer: customer identity tends to have more identities, simpler entitlements, and less control over the device.
- Enterprise: enterprise identity manages fewer identities, with much greater entitlement complexity.

Identity Data Reference View

[Diagram: Identity Lifecycle Management: HR -> API/WebService -> Enterprise ILM; API/WebService -> Customer ILM. Identity Data Consumption: each ILM feeds a Core Identity Repository, read through an Abstraction & Cache layer and a Consumption service.]

Access Control: Business Impact

What Is Access Control? The practice of ensuring that every fulfilled access request results in two questions answered in the affirmative: "Are you who you say you are?" and "Do you belong here?"

Business Impact:
- Decision Service: externalization allows the centralization of access control policy and decision authority; decouples access decisions from application code, providing improved agility; reduces prioritization conflicts between business features and security requirements.
- Decision Enforcement: once access control information is externalized and standardized, enforcement agents become fully commoditized; any process that can make a JSON/REST request can enforce the decision.

Access Control Reference View

[Diagram: Identity Data (Identity Data Consumption) -> Access Control (Access Decision, Access Enforcement)]

The Access Control space is defined by two distinct functions:
- Access Decision: services the access control request for a defined resource by a defined user; consumes the Identity Data service to make the access decision based upon centralized access control policies.
- Access Enforcement: consumes and enforces the simple allow/reject response.

Access Control Reference View

[Diagram: Identity Data: Identity Data Consumption (Core Identity Repository -> Abstraction & Cache -> Consumption service, one stack each for Enterprise and Customer). Access Control: Access Decision = ABAC/XACMLv3 Decision Service, below the Application Layer; Access Enforcement = SM Policy Server, Services Security Gateway, API Gateway, SM Agent, Secured Proxy Services, Secure Token Service, JSON-enabled enforcement points.]

Appendices

Use Case 1: Employee Onboarding (Identity Data, Identity Lifecycle Management)

- Internal hiring event: PeopleSoft record created.
- Request to Enterprise ILM: "birthright entitlements" identified; explicit requests identified; approvals gained; governance records written.
- Account provisioned to core identity service.
- Abstraction layer picks up the new body of entitlements to wrap around the core object.

[Diagram, numbered 1-4: B-Flex/PeopleSoft HR -> API/WebService -> Enterprise ILM -> Core Identity Repository -> Abstraction & Cache -> Consumption service]

Use Case 4: Prospect -> Member Conversion (Identity Data, Identity Lifecycle Management)

- Prospect -> Customer conversion: business application identifies the conversion.
- Registration request submitted to the Customer ILM API.
- Customer ILM converts the identity from prospect to member; appropriate entitlements set; governance records written.
- Record created in Core Identity Repository.
- Abstraction layer picks up the core identity update.

[Diagram, numbered 1-5: Business Application -> API/WebService -> Customer ILM -> Core Identity Repository -> Abstraction & Cache / Consumption service]
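The two ILM use cases above, as an added example that is not part of the original presentation: an Enterprise ILM onboarding path that separates birthright entitlements from explicitly requested ones (granted only with an approval), and a Customer ILM persona conversion that replaces the entitlement set. Every change leaves a governance record. The birthright rules, entitlement names, and the in-memory repository and governance store are constructed stand-ins.

```python
from datetime import datetime, timezone

# Constructed birthright rules: (predicate over the HR record, entitlement granted when it holds).
BIRTHRIGHT_RULES = [
    (lambda hr: True, "email"),
    (lambda hr: hr["status"] == "active", "vpn"),
    (lambda hr: hr["dept"] == "claims", "claims-portal-read"),
]
# Entitlements that are never birthright: each needs an explicit request plus an approval.
REQUEST_ONLY = {"claims-portal-write", "phi-export"}

CORE_IDENTITY_REPOSITORY = {}   # stands in for the core identity service
GOVERNANCE_RECORDS = []         # stands in for the governance record store


def _govern(identity_id, event, detail):
    """Every provisioning decision leaves a governance record, including what was withheld."""
    GOVERNANCE_RECORDS.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "identity": identity_id, "event": event, **detail})


def register(identity_id, persona, entitlements=()):
    """Write (or overwrite) the core identity object; the abstraction layer reads from here."""
    CORE_IDENTITY_REPOSITORY[identity_id] = {"id": identity_id, "persona": persona,
                                             "entitlements": sorted(set(entitlements))}
    return CORE_IDENTITY_REPOSITORY[identity_id]


def onboard(hr_record, explicit_requests=(), approvals=()):
    """Use Case 1: HR hiring event -> birthright + approved explicit entitlements -> provisioned identity."""
    ident = hr_record["employee_id"]
    birthright = {ent for rule, ent in BIRTHRIGHT_RULES if rule(hr_record)}
    granted, withheld = set(), set()
    for ent in set(explicit_requests) - birthright:
        # Grant only known request-only entitlements that carry an approval; everything else is withheld.
        (granted if ent in REQUEST_ONLY and ent in approvals else withheld).add(ent)
    record = register(ident, "employee", birthright | granted)
    _govern(ident, "provisioned", {"birthright": sorted(birthright), "approved": sorted(granted),
                                   "withheld": sorted(withheld)})
    return record


def convert_persona(identity_id, new_persona, entitlements):
    """Use Case 4: a persona change replaces the entitlement set rather than accumulating on top of it."""
    old = CORE_IDENTITY_REPOSITORY[identity_id]
    record = register(identity_id, new_persona, entitlements)
    _govern(identity_id, "persona-changed", {"from": old["persona"], "to": new_persona,
                                             "removed": sorted(set(old["entitlements"]) - set(entitlements))})
    return record
```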

AC Use Case 1: Protected Application (Identity Data, Access Control)

- User requests application.
- Agent enforces authentication.
- Policy Server obtains authentication: authenticates user; requests coarse authorization; identity data requested; coarse-grained authorization decision made.
- Application access granted.
- Fine-grained authorization requested: application requests fine-grained authorization; identity data requested; fine-grained authorization decision made.
- Application serves resource to browser.

[Diagram: Browser (1) -> SM Agent (2) -> SM Policy Server (3) -> ABAC/XACMLv3 Decision Service (3b) -> Identity Data Consumption: Core Identity Repository (3a), Abstraction & Cache / Consumption service (3c); Application (4) -> Decision Service (4b) -> Consumption service (4c)]

AC Use Case 2: Protected Service (Identity Data, Access Control)

- Application requests service.
- Security GW enforces authentication; requests authentication from STS.
- STS obtains authentication; issues long-term token shared with requestor.
- Security Gateway services request: requests authorization decision based upon the request.
- Decision service requests relevant identity data; issues decision based upon identity data and centralized access control policy; issues short-term token shared with requestor.
- Decision enforced by Security Gateway.
- Approved request submitted by proxy using short-term token.
- Data returned to requestor.

[Diagram: Application (1) -> Security GW (2) -> Secure Token Service (3b) -> Identity Data Consumption: Core Identity Repository (3a), Abstraction & Cache / Consumption service (3c); Security GW (4) -> ABAC/XACMLv3 Decision Service (5a) -> Consumption service (4c); Security GW enforces (6); proxied request and data returned (7)]
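The externalized decision/enforcement split described under Access Control and exercised in both AC use cases, as an added example that is not part of the original presentation: an enforcement point builds a plain JSON request, a decision service enriches the subject from the identity data consumption layer and evaluates a centralized ABAC policy (deny-overrides, default Deny), and the enforcement point acts only on an explicit Permit, failing closed on anything else. The identity data, policy rules, and request shape are constructed stand-ins, not a real XACMLv3 profile.

```python
import json

# Constructed stand-in for the Abstraction & Cache consumption service over the core identity repository.
IDENTITY_DATA = {
    "u100": {"persona": "employee", "dept": "claims", "region": "IL", "mfa": True},
    "u200": {"persona": "member", "plan": "PPO", "region": "TX", "mfa": False},
}

# Constructed centralized ABAC policy: rules are (effect, predicate over subject, resource, action).
# Combining is deny-overrides, and a request matched by no Permit rule is Deny.
POLICY = [
    ("Deny", lambda s, r, a: a == "write" and not s.get("mfa")),
    ("Permit", lambda s, r, a: (s.get("persona") == "employee" and s.get("dept") == "claims"
                                and r["type"] == "claim" and r["region"] == s.get("region"))),
    ("Permit", lambda s, r, a: (s.get("persona") == "member" and r["type"] == "claim"
                                and r["owner"] == s["id"] and a == "read")),
]


def authz_request(subject_id, resource, action):
    """What a PEP sends: a plain JSON request. Any process that can build this can enforce the answer."""
    return json.dumps({"subject_id": subject_id, "resource": resource, "action": action})


def decide(request_json):
    """Decision service (PDP): enrich the subject from identity data, evaluate central policy, answer."""
    req = json.loads(request_json)
    subject = {**IDENTITY_DATA.get(req["subject_id"], {}), "id": req["subject_id"]}
    resource, action = req["resource"], req["action"]
    decision = "Deny"   # default: an unknown subject or an unmatched request is rejected
    for effect, matches in POLICY:
        if matches(subject, resource, action):
            if effect == "Deny":
                return json.dumps({"Decision": "Deny"})   # deny-overrides: stop at the first Deny
            decision = "Permit"
    return json.dumps({"Decision": decision})


def enforce(decision_json):
    """Enforcement point (PEP): only an explicit Permit opens the door; anything else fails closed."""
    try:
        return json.loads(decision_json).get("Decision") == "Permit"
    except (ValueError, AttributeError):
        return False
```

The same `enforce` logic serves an SM agent in front of an application and a security gateway in front of a service; only the resource and action in the request differ.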