User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.

2 Thesis
– Trustworthy authentication and authorization are important
– Moving the authentication and authorization functions out of applications will allow rapid deployment of desirable new technologies
– The services needed are largely available today, and will be complete within 18 months
– The work must now shift to the applications and business processes

3 Agenda
– What are the Problems?
– Industry Trends in User Authentication
– What is NUIT Planning?
– How Should Application Administrators and Planners Prepare?
– Transitions
– Wrap-up

5 What are the Problems?
– External: granting & removing access through auditable processes
– Internal/external: accountability using access records
– Internal/external: maintaining trustworthiness of tokens or credentials
– Internal: reducing the cost of implementing new security methods
– Internal: navigating University applications may be too complicated for users

6 Contexts
– Network: for access control security
– Enterprise applications: for integrity of business functions
– Divisional and school applications: for consistency and ease of management
– User experience: to reduce complexity

8 Industry Trends in User Authentication
– Defining clear business rules for identity creation and lifecycle management
– Requiring stronger passwords
– Requiring multi-factor authentication for high-value transactions
– Requiring trustworthy administrative processes

9 Business Rules for Identity Lifecycle Management
– Document the necessary and sufficient conditions for identity creation
– Define the lifecycle and the authorizations granted and revoked at each transition
– Grant authorizations in keeping with business goals and to minimize risks
– Log and audit the management processes

10 Stronger Passwords
– Password cracking technology is advancing beyond our ability to remember passwords
– Because attacks are automated, risks are greater and defenses must be stronger
– Passwords must become longer and more complex. Likely future minimum will be 8 characters with more syntax requirements
– Implementation requires new IdM system

11 Multi-Factor Authentication
– Factors: something you …
  – Know (passwords)
  – Have (swipe card, USB token)
  – Are (thumbprint, handprint, retinal pattern)
  – Do (typing pattern, walking gait)
– How many factors are needed to be POSITIVE that the attempted access is by the real person?
  – What is the risk of being wrong?
  – What is the inconvenience?
  – Who will decide?

12 The Importance of Trustworthiness
– Federal guidelines for electronic signature stress the security and trustworthiness of token distribution
– Federated authentication between security realms is based upon trust in our authentication assertions, a portion of which is trust in the management of tokens
– Our practices for identification, distribution and management of authentication tokens must be judged trustworthy
– Policies on protection of tokens must be enforced
– Trust is a contract with legal implications

14 NUIT Plan
– Single identity for each person
– Four network-wide authentication services but only one and one-half authorization services
– Workflow-based management of identities and access control
– Federated authentication with others
– Smartcards, USB tokens, etc.
– A key step: remove authentication from applications and place it in the surrounding service environment

15 Single Identity (NetID)
– Why?
  – Tied to authoritative sources
  – Single token allows rapid action to allow, modify, or revoke access or permissions
  – Common authentication infrastructure simplifies user experience (portal, SSO)
– What about aggregated risk?
  – Use multi-factor authentication selectively
  – Educate users – it’s not just now

16 Four Services
– LDAP 3.x: authentication and authorization attributes
– MSFT Active Directory: authentication and some authorization attributes
– MIT Kerberos 5: authentication
– Web SSO: authentication and coarse-grained access control through LDAP authorization attributes

17 Web SSO (Single Sign-On)
– More correctly: Web Access Management
– Presents a challenge for an authentication token and caches the resulting level of authentication in a session cookie
– Extension: access policies are used to describe the authentication level needed for each URL

18 Web Access Mgmt

19 Timeline*
* This timeline is for illustrative purposes only and should not be used in planning – please consult with an experienced professional. The views expressed are those of the author and not those of NUIT. No warranty expressed or implied. YMMV. All bets are off.

21 How Should Applications Prepare?
– Move user authentication into the Web server – application invocation implies successful authentication
– Use identity management workflow to control access to the application
– Use attributes for coarse-grained access control
– Optional: Define institutional roles that can drive coarse-grained (and fine-grained) access control
– Optional: Employ first-access provisioning to simplify management of application user profiles

22 Authenticating at the Web Server
– Applications must give up internal passwords and programming logic to check NetID passwords
– Moving this function to the Web server level allows new functions (Web SSO) to be deployed without widespread effects
– If the application is invoked, then the user was successfully authenticated

23 Approve Access Through IdM
– The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application
– Using IdM-based workflow to request, authorize, approve and grant access can support this easily
– The IdM system can enforce business rules subject to entitlements granted

24 Remove Access Through IdM
– What business rules are appropriate (or required) when an identity changes status?
  – Move between departments
  – Move between divisions/schools
  – Graduation, withdrawal, no registration
  – Termination
– Possible actions:
  – Continue services indefinitely or for a defined number of days
  – Suspend access and (a) notify individual, and/or (b) notify supervisor, and/or (c) notify service manager
  – Suspend without notices

25 Coarse-Grained Access Control
– Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page
  – Role: “faculty”, “employee”
  – Entitlement: “access to HRIS”
– Session environment can also be used
  – IP address
  – Level of authentication
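A constructed illustration, not NUIT's Web SSO product or code, of the access-rule evaluation described on slides 17 and 25: each URL pattern carries a minimum authentication level plus role, entitlement and network conditions, and a session whose cached level is too weak is sent back for a stronger challenge rather than denied outright. The level names, the rule format, the sample policy and the attribute names are assumptions.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

# Authentication levels cached in the SSO session cookie, weakest to strongest.
# Constructed names: the deck speaks of a "level of authentication" but does not
# enumerate the levels.
AUTH_LEVELS = {"none": 0, "password": 1, "multifactor": 2}

@dataclass
class Rule:
    """Access policy for one URL pattern (constructed format)."""
    url_pattern: str
    min_auth_level: str = "password"
    any_of_roles: set = field(default_factory=set)        # e.g. {"faculty"}
    required_entitlements: set = field(default_factory=set)
    allowed_networks: list = field(default_factory=list)  # CIDR strings

@dataclass
class Session:
    netid: str
    auth_level: str      # level recorded after the SSO challenge
    attributes: dict     # LDAP authorization attributes for the NetID
    client_ip: str

# Sample policy, first matching pattern wins. Payroll pages need a second factor
# and an on-campus address; the rest of HRIS needs only a password.
POLICY = [
    Rule("/hris/payroll/*", "multifactor", {"employee"}, {"access to HRIS"}, ["10.0.0.0/8"]),
    Rule("/hris/*", "password", {"employee"}, {"access to HRIS"}),
    Rule("/courses/*", "password", {"faculty", "student"}),
    Rule("/public/*", "none"),
]

def evaluate(session: Session, url: str) -> str:
    """Return 'allow', 'deny', or 'step-up' (re-challenge for a stronger token)."""
    for rule in POLICY:
        if not fnmatch.fnmatch(url, rule.url_pattern):
            continue
        # Level check comes first: a too-weak session is re-challenged, not denied.
        if AUTH_LEVELS[session.auth_level] < AUTH_LEVELS[rule.min_auth_level]:
            return "step-up"
        if rule.any_of_roles and not (set(session.attributes.get("roles", [])) & rule.any_of_roles):
            return "deny"
        if not rule.required_entitlements <= set(session.attributes.get("entitlements", [])):
            return "deny"
        if rule.allowed_networks:
            ip = ipaddress.ip_address(session.client_ip)
            if not any(ip in ipaddress.ip_network(n) for n in rule.allowed_networks):
                return "deny"
        return "allow"
    return "deny"  # no rule for this URL: default deny
```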

26 Fine-Grained Access Control
– Fine-grained access control is based upon user profile information unique to the application or interpreted by the application at execution time
  – “Can view salaries”
  – “Can change salaries”
  – “Can authorize checks up to $100,000”
– Fine-grained access controls could be determined from institutional roles – or not
  – Examples: “department assistant” implies “Can view salaries”, “Can administer grant funds within department”

27 Coarse vs. Fine Controls

28 First-Access Provisioning
– Avoid provisioning user profiles within the application until the user attempts access
  – Eliminate unnecessary local user profiles
– Recognizing no user profile exists:
  – Invoke an IdM workflow to request access
  – Create a place-holder profile and allow limited access by default
  – Automatically create a profile from attribute information (institutional roles)
– Result: savings in administrative time
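Added example, not the deck's own code: an application entry point that accepts only the identity asserted by the authenticating Web server (slide 22), derives fine-grained permissions from institutional roles (slide 26), and provisions a local profile on first access, either automatically from the roles or as a limited place-holder with an IdM workflow request (slide 28). The REMOTE_USER and HTTP_X_ROLES environment keys, the role-to-permission map and the application name are assumptions.

```python
from dataclasses import dataclass, field

# Permissions implied by institutional roles: slide 26's example plus one
# constructed role. Roles absent from this map imply no permissions.
ROLE_PERMISSIONS = {
    "department assistant": {"can view salaries", "can administer grant funds within department"},
    "payroll manager": {"can view salaries", "can change salaries", "can authorize checks up to $100,000"},
}

@dataclass
class Profile:
    netid: str
    permissions: set = field(default_factory=set)
    placeholder: bool = False   # limited-access profile awaiting workflow approval

class Application:
    def __init__(self):
        self.profiles = {}          # local profiles, created only on first access
        self.workflow_requests = [] # access requests handed to the IdM workflow

    def on_request(self, env):
        """Called by the Web server after it authenticated the user.
        `env` models the CGI-style environment the server passes along."""
        netid = env.get("REMOTE_USER")
        if not netid:
            # No asserted identity means the request did not come through the
            # authenticating Web server; refuse instead of checking a local password.
            raise PermissionError("no authenticated NetID asserted by the Web server")
        if netid not in self.profiles:
            self.profiles[netid] = self._provision(netid, env)
        return self.profiles[netid]

    def _provision(self, netid, env):
        # Assumed header: roles arrive semicolon-separated in HTTP_X_ROLES.
        roles = {r for r in env.get("HTTP_X_ROLES", "").split(";") if r}
        perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        if perms:
            return Profile(netid, perms)   # roles fully determine the profile
        # Nothing implied by the roles: limited place-holder plus a workflow request.
        self.workflow_requests.append({"netid": netid, "application": "hris", "roles": sorted(roles)})
        return Profile(netid, set(), placeholder=True)

    def can(self, netid, permission):
        p = self.profiles.get(netid)
        return p is not None and not p.placeholder and permission in p.permissions
```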

30 1. Typical “silo” application

31 2. Convert to NetID authentication

32 3. Move authentication to Web server

33 4. Web Access Management (SSO)

34 5. Coarse-grained authorization

35 6. Request access using IdM workflow

36 7. Institutional roles drive provisioning

37 Step 8

38 9. Smart card authentication

40 Wrap-Up
– Seek to free the application from any particular authentication technology
– IdM workflow can govern the approval process, provide audit controls, and flag the user’s identity for other business rules
– First-access provisioning saves time and effort for the application administrator
– “Just as secure, with just as much control, just using different tools”

41 Questions? Q & A