Secure Identity Management Alan Mark Chief Security Strategist Novell, Inc.

Presentation transcript:

Agenda  Identity Management Exposed  Account Management  Advanced Authentication  SecureLogin Services  Controlling outbound Access  Controlling inbound Access

So many identities

Identities in the Directory  Simple –White pages –Names in a database  Complex –Identities & Relationships –Roles and responsibilities

Identities in an eDirectory The Directory is the key to unified management of identities and communities Digital ID Management Single Sign-on Identity Business-to-Business Consumer / Business Person-to-Person Enterprise Applications Communities of interest Communities

Security in the Directory The directory provides security, policy and relationship management Enforces the processes, policies, procedures, and relationships that define and drive the business policies relationships identities Directory Services Directory Services

Directory on NT (secondary) Live, continuous backup; changes replicated in real-time Linking Directories Directory on NetWare (primary) Directory on Solaris (primary)

Directory on NT (secondary) Linking Identities Directory on NetWare (primary) Directory on Solaris (primary) User: Sonja Name: Sonja Johnson Phone: Location: PRV-H-133 Name: Johnson, Sonja Phone: Location: PRV-H-133 User: SJohnson Name: Sonja Johnson Phone: (801) Location: Provo, Bldg H, Floor 1, Section 133, USA

Linking Global Identities The Liberty Conformance and Interoperability Group is responsible for defining and supporting a process of interoperability between systems. projectliberty.org

Linking identities in applications Directory Services SAP

Convergence Creates a New Class of Applications Digital Signal Processors (DSPs) Operating Systems Services Applications Physical Network Infrastructure Hosted Transactions New Class of Applications “Hire an employee” “Who is the expert on...” DIRECTORY

DirXML Architecture (diagram): NDS datastore – DirXML join engine – rules and stylesheets – DirXML application shim with Publisher and Subscriber channels – application, directory or database

Data Sharing: Consolidating Management of Enterprise Data  Multiple directories –HR, PBX, ERP, Finance, etc.  Common data between the directories –User data, enterprise data  Authoritative sources must be preserved –One-way data flow –Bi-directional data flow –Rules DirXML solution is a general purpose
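The "Linking Identities" slide shows one person held under three different names in three directories, and this slide says the link must respect authoritative sources. The following is an added illustration of that join-and-flow logic, not Novell's DirXML code: the record layout, the join key and the rule table are assumptions, and the phone numbers are constructed placeholders.

```python
"""Join one person's records across three directories and enforce the
authoritative-source rules the slides describe (one-way vs bi-directional
flow). Added illustration, not Novell's DirXML code: the record layout,
the join key and the rule table are assumptions."""
import re

# Constructed sample records (phone numbers are placeholders) as the three
# linked directories on the slides might hold them.
DIRECTORIES = {
    "NetWare": {"User": "Sonja", "Name": "Sonja Johnson",
                "Phone": "801-555-0100", "Location": "PRV-H-133"},
    "Solaris": {"Name": "Johnson, Sonja",
                "Phone": "801 555 0100", "Location": "PRV-H-133"},
    "NT":      {"User": "SJohnson", "Name": "Sonja Johnson",
                "Phone": "(801) 555-0100",
                "Location": "Provo, Bldg H, Floor 1, Section 133, USA"},
}

# Flow rules per attribute: the authoritative store and whether changes
# flow one way (only from that store) or in both directions.
RULES = {
    "Phone": ("NetWare", "one-way"),
    "Location": ("Solaris", "one-way"),
    "Name": (None, "bidirectional"),
}

def canonical_name(name):
    """'Johnson, Sonja' and 'Sonja Johnson' both map to ('sonja', 'johnson')."""
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
    else:
        first, last = name.strip().rsplit(" ", 1)
    return (first.lower(), last.lower())

def join_key(record):
    """Key that identifies the same person in stores with different schemas."""
    return canonical_name(record["Name"]) + (re.sub(r"\D", "", record["Phone"]),)

def linked_directories(directories, record):
    """Names of every directory holding a record with the same join key."""
    key = join_key(record)
    return {name for name, rec in directories.items() if join_key(rec) == key}

def apply_change(directories, source, attr, value):
    """Propagate a change made in `source` to all linked directories, unless
    the attribute is one-way and `source` is not its authoritative store.
    Returns the set of directories updated (empty when the change is rejected)."""
    authority, mode = RULES.get(attr, (None, "bidirectional"))
    if mode == "one-way" and source != authority:
        return set()   # a secondary copy may not overwrite the authoritative value
    targets = linked_directories(directories, directories[source])
    for name in targets:
        directories[name][attr] = value
    return targets

if __name__ == "__main__":
    print(apply_change(DIRECTORIES, "NT", "Phone", "801-555-0199"))
    print(apply_change(DIRECTORIES, "Solaris", "Location", "PRV-H-201"))
```

A rejected write from the secondary NT copy is the check that keeps the NetWare value authoritative; an accepted write from Solaris reaches all three stores.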

Supporting platforms/interfaces LDAP v3 NDAP DEN ActiveX ADSI ODBC C/C++ Visual Basic OS/390 NT NetWare Solaris Linux XML Java Java Beans JNDI

Identity- The key to relationships Offer unique services, privileges and relationships based upon an identity Personalizes the net Gives them what they need (but only what they need) Empowers individuals to manage important relationships and data

What an identity determines  Who you are  Where you are  What data you can access  How you authenticated

Directory-Linked identities

Changes Are Hard to Manage (diagram): White pages, Payroll, HR, Health care plan, Dental plan, Stock plan, 401k; My Company; “I have a new phone number”

Using XML to link systems (diagram): DirXML manages the changing data inside and outside the firewall. White pages, Payroll, HR, Health care plan, Dental plan, Stock plan, 401k; My Company; “I have a new phone number.”

Account Management NDS eDirectory Accounts Account Management Sync RACF, ACF2, Top Secret Solaris Tru64 VMS HP-UX AS/400 AIX MVS On Sparc & Intel Linux Free-BSD NDS AD NT Domains

NAM 3.0 A cross-platform account management system –Management of user accounts in heterogeneous platform environments –Based on Novell eDirectory™ –Provides both central and distributed user account management –Facilitates user authentication across platforms with a single user ID and password

Account Management 3.0 Facts  A new product, not based on Account Management. Aimed at enterprise-level engagements.  Based on a new paradigm.  Considers goals and strengths of both central IS and platform administrators.  Not named “Account Manager”!

Two Problems To Solve  User Account Provisioning – How do you automate granting, managing and revoking the right accounts on the right systems at the right time, while giving the administrators of those systems ultimate control over the provisioning process on their respective systems?  Password Management – How do you provide a mechanism where the user has the same password for all systems, no matter how he attaches to or uses those systems?

One Product solves both problems Novell’s Account Management Solution solves both the Account Management and Password Management problems for a wide variety of Operating Systems. It builds on the scalability of eDirectory, the cross-platform history of prior versions of Account Management and NDS Authentication Services, and the extensibility of DirXML.

Account Management (diagram): NT/2000, Linux, Solaris (x86), HP-UX, AIX, Tru64, OS/390, AS/400, VMS, App x, Solaris (Sparc), FreeBSD; eDirectory on NetWare, NT/2000, Solaris (Sparc), Linux, AIX. Account Management leverages eDirectory identities across a large variety of platforms, independent of Directory storage location.

Password Sync NDS eDirectory NDS ASAM Password Sync RACF, ACF2, Top Secret Solaris Tru64 VMS hp-ux AS/400 AIX MVS On Sparc & Intel Linux Free-BSD NDS AD NT Domains NFA Pwd

Account Provisioning to a Target By permitting a collaborative unit such as a container or a group to a target system, you automate the management of all users that may be associated with the collaborative unit in the future. OS/390 LPAR 1 AIX Mail Server Atlanta NT Domain AIX RACF, ACF2, Top Secret MVS NT Domain

AM-Outbound (diagram): eDirectory – AM Manager – DirXML – AM Journal – Mutually Authenticated SSL – AM Platform Services Receiver – AM Receiver Scripts – RACF on OS/390

Novell Account Management  NAM 3.0 is a cross-platform account management system that –Allows life cycle management of user accounts in heterogeneous platform environments –Is based on Novell eDirectory –Provides both central and distributed user account management –Facilitates user authentication across platforms with a single user ID and password

Advanced Authentication  Associate clearance levels depending on how the user authenticates  Set security labels on volumes, directory attributes, and single sign-on applications. Login by: password, token, biometric, combo. Clearance levels: pwd, pwd+token, pwd+token+bio, token, token+bio, bio
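The two "Graded Authentication" slides that follow show labels such as "Token Required" and "Fingerprint Required" on resources. The following added example (not Novell or NMAS code) models that check: the clearance is derived from the factors used at login, and a resource is granted only when the clearance includes every factor its label requires. The label vocabulary, the resource names and the dominance rule are assumptions.

```python
"""Graded authentication in the style of the NMAS slides: the clearance a
session earns depends on the login methods that succeeded, and a security
label on a volume, attribute or SSO application says which factors it
requires. Added example, not Novell code; the label vocabulary, the
resource names and the dominance rule are assumptions."""
from dataclasses import dataclass

# The three factor names used on the slide, in the order the slide lists them.
FACTORS = ("pwd", "token", "bio")

@dataclass(frozen=True)
class Session:
    user: str
    methods: frozenset   # factors that succeeded at login, e.g. {"pwd", "token"}

    def __post_init__(self):
        # A session may only claim factors the directory knows about.
        unknown = set(self.methods) - set(FACTORS)
        if unknown or not self.methods:
            raise ValueError(f"invalid login methods: {sorted(unknown) or 'none'}")

def clearance(session):
    """Clearance level name as on the slide: 'pwd', 'pwd+token', 'token+bio'."""
    return "+".join(f for f in FACTORS if f in session.methods)

# Constructed security labels: resource -> factors a session must have used.
LABELS = {
    "VOL:PUBLIC": frozenset(),                  # any authenticated user
    "VOL:FINANCE": frozenset({"token"}),        # "Token Required"
    "ATTR:salary": frozenset({"bio"}),          # "Fingerprint Required"
    "APP:payroll": frozenset({"token", "bio"}), # both, for the SSO application
}

def permitted(session, resource):
    """A clearance dominates a label when it includes every required factor."""
    return LABELS[resource] <= session.methods

def missing_factors(session, resource):
    """Factors the user would still have to present (step-up) for `resource`."""
    return sorted(LABELS[resource] - session.methods)

def accessible(session):
    """Every labelled resource this session's clearance dominates."""
    return sorted(r for r in LABELS if permitted(session, r))
```

A password-only session sees only the public volume, and `missing_factors` tells the client which step-up (token, fingerprint) the label demands.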

Graded Authentication Token Required Fingerprint Required

Graded Authentication (cont.) Token Required Fingerprint Required

NMAS Partners

Identities in hard-to-reach places Most users have too many IDs and passwords to remember

Remembering Passwords  Difficult, so people write them down  Forgotten passwords result in –User and Admin frustration –Help desk calls –Compromised security

Storing passwords  Secure storage of user credentials (login names, passwords)  Allow admins to reset but not see passwords  Sync to desktop/laptop  Directory-based policies for password strength

Login Experience (diagram: Client Workstation, Directory Services, Application Server): Authenticate to directory – Launch Application – Credential Challenge – Request Secret (ID/Password) – Receive Secret (ID/Password) – Provide Credentials – Application Starts. Login ID: Password:
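The "Storing passwords" slide says admins may reset but not see stored credentials, and this slide shows the client fetching its secret from the directory to answer an application's credential challenge. The following is an added illustration of both, not Novell SecureLogin code; the class and method names, the strength policy and the sample accounts are assumptions.

```python
"""Directory-side secret store behind the SecureLogin login experience on
the slides: the workstation is already authenticated to the directory, the
application issues a credential challenge, the client requests its stored
(ID, password) secret and answers the challenge. Added illustration, not
Novell code; the class and method names and the policy are assumptions."""
import re
from dataclasses import dataclass, field

@dataclass
class DirectoryServices:
    secrets: dict = field(default_factory=dict)   # owner -> {app: (id, pw)}
    admins: set = field(default_factory=set)
    min_length: int = 8

    def password_ok(self, password):
        """Directory-based strength policy (constructed rule)."""
        return (len(password) >= self.min_length
                and re.search(r"\d", password) is not None
                and re.search(r"[A-Za-z]", password) is not None)

    def store_secret(self, owner, app, login_id, password):
        if not self.password_ok(password):
            return False
        self.secrets.setdefault(owner, {})[app] = (login_id, password)
        return True

    def request_secret(self, session_user, owner, app):
        """Secrets are readable only by their owner: anyone else gets None."""
        if session_user != owner:
            return None
        return self.secrets.get(owner, {}).get(app)

    def reset_secret(self, session_user, owner, app, new_password):
        """Owner or admin may reset; the old value is never revealed."""
        if session_user != owner and session_user not in self.admins:
            return False
        login_id, _ = self.secrets[owner][app]
        return self.store_secret(owner, app, login_id, new_password)

class ApplicationServer:
    def __init__(self, name, accounts):
        self.name, self.accounts = name, accounts   # accounts: login_id -> pw

    def challenge(self):
        return {"app": self.name, "fields": ["Login ID", "Password"]}

    def login(self, login_id, password):
        return self.accounts.get(login_id) == password

def single_sign_on(directory, session_user, app_server):
    """Client side: answer the application's challenge from the directory."""
    secret = directory.request_secret(session_user, session_user,
                                      app_server.challenge()["app"])
    if secret is None:
        return False
    return app_server.login(*secret)
```

After an admin reset the directory copy and the application's own account diverge, which is why the slides pair this with password synchronisation.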

Only some of the supported apps… Novell SecureLogin ACT AOL IM Citrix Entrust Eudora Goldmine ICQ JUNO Lotus Notes Lotus Organizer Meeting Maker Microsoft Internet Gaming Zone Microsoft FrontPage Microsoft Money 98/99 MSN Messenger Quicken Siebel Sales Yahoo! Messenger Visual SourceSafe Windows Logon MS SQL Microsoft Outlook Novell GroupWise® PeopleSoft Oracle SoftFront Track for Win Clarify QuickBooks Pro Rumba 6 Attachmate Extra! 6.3 Attachmate Extra! 6.5 Reflection 7 HostExplorer PCOM 4.3, 5.0 Internet Explorer Web Internet Explorer Pop-up Netscape Web Netscape Pop-up NeoPlanet Web Opera Web AOL Earthlink Mindspring MSN Prodigy Worldnet

Novell Single Sign-on Reviews InfoWorld: “Finding a security product that can cut costs, simplify users' lives, and improve system security is rare; Novell SSO 2.0 does all of these well. And we wouldn't be surprised if it made your floors shiny and your desserts tasty.” Network World: “For users, NSSO eliminates the hassles of remembering multiple passwords and reduces the security risks associated with writing them down. For network administrators and help desk personnel, NSSO will reduce the number of calls from users who have forgotten their passwords.”

Authentication from the inside-out Security Server Web server Authenticate to Directory cache data Directory

The Business Problems  Employee productivity is impacted by free use of the public Internet  Increasing utilization of finite bandwidth  Finding the balance between access requirements and security  Providing secure remote access at a manageable cost  Multiple network identities increase cost of IT management

Novell BorderManager  Control, accelerate and monitor your users’ Internet activities  Safeguard your network against undesirable Internet content  VPN services, an industry-certified firewall, and a scalable content filtering service

Access Rules

Web Surfing Policies Where you can surf depends on who you are/where you are Intranet Internet Sales.myco.com Finance.myco.com Whitehouse.com CNN.com

Novell BorderManager 3.7  ICSA Firewall certified  New content filtering solution from SurfControl –40X as many URLs in the database as CyberPatrol –More categories –Actively updated –SurfControl is the market leader for content filtering by a wide margin  VPN client for Windows Me (LAN client only)  Virus pattern filtering at proxy, with auto update

Is There a Problem?

Who Is Causing the Problem?

Authentication from the outside-in Directory AIX DMZ NetWare NT/2000 SolarisLinux HP-UX OS/390 Tru64 UNIX Employees Partners Suppliers cache Web servers Authenticate to Directory data

Securely Linking B-to-Everything iChain Joining... world’s most scalable and widely used directory fast caching system adding... web Single Sign-on secure access to and protection of data and applications flexibility of building customer communities Employees Partners Customers

iChain  iChain Internet Caching Server Authentication & quick web page access through reverse proxy service  iChain Authorization Server Access control & digital communities  Web-based Single Sign-on Implemented on iChain ICS, managed via Authorization Server  iChain Community Server Web-based application displaying personalized community content  eDirectory 8.5+ Central repository for profile, policies, rules, etc.

Digital Communities Content for suppliers: Suppliers: Suppliers Community Content for dealers: Dealers: Dealers Community Model: 550 Maranello Top speed: 199 mph Power output: 480 HP Engine: V12, 334 cu. in. Delivery time: 4 weeks Invoice: $239,000 Forecast by model Partners

Security Identity Management  Identity provisioning between apps  Identity provisioning between OSs  Advanced authentication  Single Sign-on to web and other apps  Access control to external web services  Access control to internal web services

Security Identity Management  Identity provisioning between apps (DirXML)  Identity provisioning between OSs (NAM)  Advanced authentication (NMAS)  Single Sign-on to web and other apps (SecureLogin)  Access control to external web services (BorderManager)  Access control to internal web services (iChain)