Alan DeKok, CTO. Terena 2010, June 2: Why Identity Management is hard.

Presentation transcript:

Alan DeKok, CTO. Terena, June 2: Why Identity Management is hard

2 Confidential - © Mancala Networks
This is your network

3 This is the network you want

4 Why IDM is hard
Secure systems require:
- Knowledge: inventory, monitoring, etc.
- Requirements: network policies and procedures
- Enforcement: firewalls, IDS, etc.
If any piece is missing, the system falls over. And so does your network.

5 Vendors are warlords
- Knowledge? Locked up in proprietary systems.
- Requirements? Need to be expressed in the vendor's language.
- Enforcement? Go ask someone else.
Your network is a battleground. And you are losing.

6 Vendor Product Integration

7 What makes IDM hard
Identity management is...
- WHO is on your network
- WHICH rules apply to them
- WHAT they are doing
- HOW to stop bad behavior
In direct conflict with vendor goals.

8 What you can do about it
- Own your network.
- Know everything about the network.
- Set global network control.
- Enforce it across all sites and services.
Demand this from the vendors.

9 Better vendor integration

10 Without IDM, what happens?
- No database of MAC / IP? No idea who is on your network.
- No policy capability? No way of expressing what should happen.
- No enforcement of policies? No punishment for bad behavior.
Configuring all of this is expensive.

11 Similar to driving...
- No car registration, anyone can drive! Versus: licensed drivers and vehicles.
- No government control, drive anywhere! Versus: common policies and requirements.
- No enforcement, go steal a car! Versus: ubiquitous policing and enforcement.

12 How to get IDM
- Demand access to data. Knowledge is power!
- Demand inter-operability. Simpler, cheaper, better.
- Demand security! Ignoring security is so 1990s.
It's your network, not theirs.

13 FreeRADIUS as an example
- All data is stored in databases
- Policy language to express any security system
- Policy enforcement when user logs in
- It has taken ~10 years to develop this system
No equivalent for DNS or DHCP.

14 IDM Examples
Unknown person on the network?
- Now: they can still do DHCP.
- Versus: maybe kick them off of the network. Or inform the administrator.
User manually enters an IP address?
- Now: they can still access network resources.
- Versus: deny them access to network resources? Maybe kick them off of the network. Or inform the administrator.

15 Network evolution
- Open networks: anyone can get access; no policies or enforcement.
- Hard shell networks: login checking for access; minimal policies or enforcement.
- Defence in depth: continuous access checking; detailed policies, extensive enforcement, for every location, service, switch port, ...
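The three pieces from slide 4 (knowledge, requirements, enforcement), the two IDM scenarios on slide 14 (an unknown MAC asking for DHCP, a user who configures an IP address by hand) and the "login checking" versus "continuous access checking" distinction on slide 15 can be tied together in a few dozen lines of policy code. The block below is an added example written for this transcript; it is not code from the presentation, from Mancala Networks or from FreeRADIUS. The inventory, lease table, MAC addresses, VLAN numbers and events are all constructed sample data, and the `Enforcer` class stands in for whatever switch or DHCP hook would really block a port or raise an alert.

```python
"""Added example (not from the presentation): a toy identity-management loop
with knowledge (MAC/IP inventory), requirements (policy rules in plain Python)
and enforcement (an action per network event). All data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    mac: str
    owner: str
    allowed_vlans: Set[int]


@dataclass
class Knowledge:
    """What we know about the network: the inventory plus the leases we issued."""
    inventory: Dict[str, Device] = field(default_factory=dict)
    leases: Dict[str, str] = field(default_factory=dict)  # ip -> mac


def sample_knowledge() -> Knowledge:
    """Constructed sample data; the addresses and owners are hypothetical."""
    kb = Knowledge()
    kb.inventory["00:11:22:33:44:55"] = Device("00:11:22:33:44:55", "alice", {10})
    kb.inventory["66:77:88:99:aa:bb"] = Device("66:77:88:99:aa:bb", "printer-3f", {20})
    kb.leases["10.0.10.5"] = "00:11:22:33:44:55"
    return kb


@dataclass
class Event:
    kind: str                  # "dhcp_request", "ip_seen" or "recheck"
    mac: str
    ip: Optional[str] = None
    vlan: Optional[int] = None


@dataclass
class Decision:
    action: str                # "allow", "deny" or "quarantine"
    reason: str
    notify: bool = False       # also inform the administrator


def rule_known_device(ev: Event, kb: Knowledge) -> Optional[Decision]:
    """Slide 14: an unknown MAC is not silently served DHCP; park it and tell the admin."""
    if ev.mac not in kb.inventory:
        return Decision("quarantine", f"unknown MAC {ev.mac}", notify=True)
    return None


def rule_no_static_ip(ev: Event, kb: Knowledge) -> Optional[Decision]:
    """Slide 14: an address in use that our DHCP server never leased to that MAC."""
    if ev.kind in ("ip_seen", "recheck") and ev.ip and kb.leases.get(ev.ip) != ev.mac:
        return Decision("deny", f"{ev.ip} was not leased to {ev.mac}", notify=True)
    return None


def rule_vlan(ev: Event, kb: Knowledge) -> Optional[Decision]:
    """A device may only sit on a VLAN its inventory entry allows."""
    dev = kb.inventory.get(ev.mac)
    if dev and ev.vlan is not None and ev.vlan not in dev.allowed_vlans:
        return Decision("deny", f"{ev.mac} not permitted on VLAN {ev.vlan}")
    return None


POLICY = [rule_known_device, rule_no_static_ip, rule_vlan]  # the "requirements"


def evaluate(ev: Event, kb: Knowledge) -> Decision:
    """First matching rule wins; an event that trips no rule is allowed."""
    for rule in POLICY:
        decision = rule(ev, kb)
        if decision:
            return decision
    return Decision("allow", "policy passed")


class Enforcer:
    """Stand-in for the switch/DHCP hooks that would act on a decision."""
    def __init__(self) -> None:
        self.blocked: Set[str] = set()
        self.alerts: List[str] = []

    def apply(self, ev: Event, d: Decision) -> str:
        if d.action in ("deny", "quarantine"):
            self.blocked.add(ev.mac)
        if d.notify:
            self.alerts.append(f"{ev.kind} {ev.mac}: {d.reason}")
        return d.action


def process(events: List[Event], kb: Knowledge, enf: Enforcer) -> List[str]:
    """Hard-shell style: decide once, when the event (e.g. a login) arrives."""
    return [enf.apply(ev, evaluate(ev, kb)) for ev in events]


def recheck(active: List[Event], kb: Knowledge, enf: Enforcer) -> List[str]:
    """Defence-in-depth style (slide 15): re-run the policy over sessions admitted
    earlier, so a lease that vanished or a device dropped from inventory is revoked."""
    revoked = []
    for ev in active:
        d = evaluate(ev, kb)
        if d.action != "allow":
            enf.apply(ev, d)
            revoked.append(ev.mac)
    return revoked
```

The point of the split is that `Knowledge` is plain data any service can feed (the open data formats of slide 17), the rules are ordinary functions that can be added or reordered without touching the enforcement code, and `recheck` shows why continuous checking needs the same policy engine as the login-time check rather than a separate one.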

16 Barriers to IDM

17 Open Standards
- The network is built on open standards.
- We need open data formats, too.
- We need open policy languages. Perl or Python are a start.
- We need integrated systems: real-time feeds between services.

18 Demand freedom
- All data is stored in databases
- No restrictions on what you can do with it
- Complex policies to build any security system
- Integration of systems
Network Management is Identity Management.

19 When everyone works together