CERN IT Department CH-1211 Genève 23 Switzerland t Identity Management Alberto Pace CERN, Information Technology Department

Slides:



Advertisements
Similar presentations
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Advertisements

CERN, Information Technology Department
ELAG Trondheim Distributed Access Control - BIBSYS and the FEIDE solution Sigbjørn Holmslet, BIBSYS, Norway Ingrid Melve, UNINET, Norway.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Privileged Identity Management Enterprise Password Vault
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Grid Security. Typical Grid Scenario Users Resources.
Password?. Project CLASP: Common Login and Access rights across Services Plan
Security Controls – What Works
Password?. Project CLASP: Common Login and Access rights across Services Plan
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Active Directory: Final Solution to Enterprise System Integration
Web Services, SOA and Security May 11, 2009 Michael Burnett.
Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.
Information Technology Current Work in System Architecture November 2003 Tom Board Director, NUIT Information Systems Architecture.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Nu Project Management Office A web based tool to Manage Projects.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Identity and Access Management
Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.
Understanding Active Directory
Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Ideas for 2011 Prepare must be done work items –Warranty –Software maintenance –Commitments.
Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS CERN Single Sign-On Summer 2012 Updates Emmanuel.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
U.S. Department of Agriculture eGovernment Program August 14, 2003 eAuthentication Agency Application Pre-Design Meeting eGovernment Program.
Developing Applications for SSO Justen Stepka Authentisoft, LLC
Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.
IAM REFERENCE ARCHITECTURE BRICKS EMBEDED ARCHITECTS COMMUNITY OF PRACTICE MARCH 5, 2015.
Auditing Information Systems (AIS)
U.S. Department of Agriculture eGovernment Program July 15, 2003 eAuthentication Initiative Pre-Implementation Status eGovernment Program.
Sudha Iyer Principal Product Manager Oracle Corporation.
Oracle 10g Database Administrator: Implementation and Administration Chapter 2 Tools and Architecture.
PS Security By Deviprasad. Agenda Components of PS Security Security Model User Profiles Roles Permission List. Dynamic Roles Static Roles Building Roles/Rules.
Identity Solution in Baltic Theory and Practice Viktors Kozlovs Infrastructure Consultant Microsoft Latvia.
ArcGIS Server for Administrators
Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin
Password? CLASP Project FOCUS Meeting, 12 October 2000 Denise Heagerty, IT/IS.
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.
Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.
Information Technology Current Work in System Architecture January 2004 Tom Board Director, NUIT Information Systems Architecture.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Privilege Management Chapter 22.
Information Security Framework Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory,
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
CERN - IT Department CH-1211 Genève 23 Switzerland t Operating systems and Information Services OIS Proposed Drupal Service Definition IT-OIS.
CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
SAP R/3 User Administration1. 2 User administration in a productive environment is an ongoing process of creating, deleting, changing, and monitoring.
MIM/PAM Case Study Dean Guenther IAM Manager Washington State University May 2016 Copyright 2016, Washington State University.
Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.
Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland t OIS The new Account Management Identity, Authentication,
Identity and Access Management
Secure Connected Infrastructure
Stop Those Prying Eyes Getting to Your Data
Training for developers of X-Road interfaces
Chapter One: Mastering the Basics of Security
Radius, LDAP, Radius used in Authenticating Users
What Is Sharepoint? Mohsen Ashkboos
ESA Single Sign On (SSO) and Federated Identity Management
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
iSecurity Password-Reset Training
Presentation transcript:

CERN IT Department CH-1211 Genève 23 Switzerland t Identity Management Alberto Pace CERN, Information Technology Department

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 2 Computer Security The present of computer security –Bugs, Vulnerabilities, Known exploits, Patches –Desktop Management tools, anti-virus, anti- spam, firewalls, proxies, Demilitarized zones, Network access protection, … No longer enough. Two additional aspects: –Social Engineering / Human factor Require corporate training plan, understand the human factor and ensure that personal motivation and productivity is preserved –Identity (and Access) Management Discussed now

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 3 Definition Identity Management (IM) –Set of flows and information which are (legally) sufficient and allow to identify the persons who have access to an information system –This includes All data on the persons All workflows, processes and procedures to Create/Read/Update/Delete records of persons, accounts, groups, organizational unit, … All tools used for this purpose

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 4 More definitions Identity and Access Management (IAM) Access Management –The information describing what end-user can do on the corporate computing resources. It is the association of a right (use, read, modify, delete, open, execute, …), a subject (person, account, computer, group, …) and a resource (file, computer, printer, room, information system, …) –The association can be time-dependent, or location-dependent –Resources can be physical (room, a door, a terminal, …) or a computing resource (an application, a table in a database, a file, …)

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 5 IAM Architecture The AAA Rule. Three components, independent Authentication –Unequivocal identification of the person who is trying to connect. –Several technologies exist with various security levels (username / password, certificate, token, smartcard + pin code, biometry, …) Authorization –Verification that the connected user has the permission to access a given resource –On small system there is often the confusion between authorization and authentication Accounting –List of actions (who, when, what, where) that enables traceability of all changes and transactions rollback

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 6 More on IAM Architecture Role Based Access Control (RBAC) –Grant permissions (authorizations) to groups instead of person –Manage authorizations by defining membership to groups Separations of functions –granting permissions to groups (Role creation) –group membership management (Role assignment) RBAC should remain a simplification –Keep the number of roles to a minimum

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 7 Motivations for Identity Management Legal obligation –In many areas traceability is required –Sarbanes Oxley Act (SOX) in the US –8th EU Privacy Directive + national laws in Europe Cost reduction –Reduce multiple authentication mechanism to a single one. –Offload qualified staff from administrative tasks (user registration, password changes, granting permissions, …) Increased Security –Simplification of procedures, increased opportunity –Centralized global overview of authorizations / accounting

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 8 Aware of legal constraints Laws are different in each country Laws depend on the type of institute –Public funded, Government, Privately owned, International Organization, … Laws depend on the sector of activity –Archiving, traceability, retention of log files and evidences Not easy to find the good compromise between security / accounting / traceability and respect of privacy / personal life

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 9 IAM Architecture components (1/6) The Identity Management Database –(web) application for person and account registration, used by the administration to create identities –Multiple workflows and information validation depending on the type of data: Example: last name, passport info modifications require a workflow with validation/approval by the administration. Example: password change, change of preferred language is available in self service to end-user The public part of the database must be accessible –Directories, LDAP, …

Internet Services 10 IM Database IM Database Identity Management (Administration) IAM Architecture

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 11 IAM Architecture components (2/6) Automate account creation –What are the “administrative” requirements to be “known” to the information system Do not confuse with: “authorized” to use service “xyz” –“administrative” means that you have all information in the IAM database, you can define rules, you can implement a workflow. If you can’t answer this question, you can’t automate –Putting an administrative person to “manually handle” the answer to that question won’t solve the problem in large organizations

Internet Services 12 IM Database IM Database Account Database Account Database Identity Management (Administration) IAM Architecture Automated procedures Accounts

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 13 IAM Architecture components (3/6) Authentication Service –You can have multiple technologies (Kerberos, PKI, Biometry, …), and multiple instances of the same technology, all generated from the same IM database Ideally: Single-Sign-On (SSO) services –Authentication portal for web-based applications –Kerberos services for Windows and/or AFS users –Certification authority for grid users –aware of group memberships (described later)

Internet Services 14 Authenticated end-user IM Database IM Database Account Database Account Database Identity Management (Administration) IAM Architecture Authentication Automated procedures Accounts

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 15 IAM Architecture components (4/6) Service-specific interfaces to manage Authorizations –This is typically platform and service dependent –Allows assignment of permissions to groups or accounts or persons –Authorization can be made once to a specific group and managed using group membership

Internet Services 16 Authenticated and authorized end-user receiving services IM Database IM Database Account Database Account Database Identity Management (Administration) IAM Architecture Authorization management Authentication Access granted Automated procedures Accounts

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 17 IAM Architecture components (5/6) E-Group management (RBAC) –Indirect way to manage authorizations –(web) application to manage group memberships –Must foresee groups with manually managed memberships and groups with membership generated from arbitrary SQL queries in the IAM database –Must support nesting of groups

Internet Services 18 Authenticated and authorized end-user receiving services IM Database IM Database Account Database Account Database Resource owner or Service manager Authorizes using User Accounts Default E-groups Custom E-groups Identity Management (Administration) IAM Architecture Unique account Unique set of groups / roles (for all services) Global E-Group management Global E-Group management Authorization management Authentication Group membership Access granted Custom Groups membership management Automated procedures Default E-groups Accounts

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 19 IAM Architecture components (6/6) Accounting –Entirely service specific –What you account is the result of your “risk analysis” for that service to understand how far you may want to rollback your transactions. –Good accounting have large cost (eg: backups, archiving) –Not discussed further

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 20 Experience at CERN CERN has an HR database with many records (persons) 23 possible status –Staff, fellow, student, associate, enterprise, external, … Heavy rules and procedures to create accounts –Multiple accounts across multiple services Mail, Web, Windows, Unix, EDMS, Administration, Indico, Document Server, Remedy, Landb, Oracle, … –Multiple accounts per person –Being migrated towards a unique identity management system with one unique “CERN account”, valid for all services

Internet Services 21 Authenticated and authorized end-user receiving services Mail Services Mail Services HR Database HR Database Account Database Account Database Mailing List Database Mailing List Database UNIX Services UNIX Services Windows Services Windows Services Indico Services Indico Services Administrative Services Administrative Services Document Management Document Management Web Services Web Services Resource owner Authorizes Authorization Group/Role Membership Management Identity Management CERN Yesterday / Today

Internet Services 22 Authenticated and authorized end-user receiving services Mail Services Mail Services HR Database HR Database Account Database Account Database Mailing List Database Mailing List Database UNIX Services UNIX Services Windows Services Windows Services Indico Services Indico Services Administrative Services Administrative Services Document Management Document Management Web Services Web Services Resource owner Authorizes Authorization Group/Role Membership Management Identity Management CERN Plan Unique account For all services Authorization is done by the resource owner Authorization is done by the resource owner Global E-Group management Global E-Group management E-group Integration with HR E-group Integration with HR Custom E-groups Managed by resource owner

Internet Services 23 Authenticated and authorized end-user receiving services HR Database HR Database Account Database Account Database Resource owner or Service manager Authorizes using User Accounts Default E-groups Custom E-groups Identity Management (Made by CERN Administration) CERN Plan Unique account Unique set of groups / roles (for all services) Global E-Group management Global E-Group management Computing Services at CERN: Mail, Web, Windows, Unix, EDMS, Administration, Indico, Document Server Remedy, Oracle, … Authorization management Authentication Group membership Access granted Custom Groups membership management Automated procedures Default E-groups Accounts

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 24 CERN Plan summary Central account management Only one account across services –synchronize UNIX and Windows accounts Multiple login-id per person possible but many services will accept only the “primary” one Use Groups for defining access control to resources –No more: “close Windows Account, keep Mail account, block UNIX account” –But: “block Windows access, allow Mail access, block AIS access”.

Internet Services 25 Single Sign On Example Do it yourself demo: Open a Windows hosted site: – –Click login, check user information Open a Linux hosted site: – –Check various pages Go back to first site –Click logout –go back to the second site Username / Password SSO using Windows Credentials SSO using Grid Certificate

Internet Services 26 Example Predefined Group (role) from central identity management (several roles are pre-defined) Predefined Group (role) from central identity management (several roles are pre-defined) Custom Group managed by the resource owner Predefined persons from central identity management (ALL persons are pre-defined) Predefined persons from central identity management (ALL persons are pre-defined)

Internet Services 27 Managing custom group example

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 28 Errors to avoid Legal Organizational Factors –Lack of management support, of project management / leadership –No clear and up to date communication Inform user of constraints and benefits –RBAC with too many roles Technical –Incorrect estimation of quality of existing data –Implement an exception on each new demand –Lost mastering of technical solutions

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 29 Integrating the big picture … Global identity management a requirement for HEP computing and Grid activities through the “International Grid Trust Federation” ( Coordination is done through the regional Policy Management Authorities –Asia Pacific Grid PMA –European Grid PMA –The Americas Grid PMA CERN efforts in identity management integrate directly in the global grid services

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 30 CERN IM and Grid Certificates The CERN Certification Authority is online and part to the CERN Identity management – Identity validation is done using the SSO service (which also recognizes grid certificates) Offers grid certificates to authorized users Recognizes gridpma certificates and allows mapping to the CERN accounts

Internet Services 31 Authenticated and authorized end-user receiving services IM Databases IM Databases Grid Certificates Resource owner or Service manager Authorizes using User Accounts (Certificate Subjects) VO or local E-groups Distributed Identity Management The big picture Global E-Group / VO management Global E-Group / VO management Global Computing Services Authorization management Authentication Group / VO membership Access control Automated procedures persons Local Groups membership management

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services 32 Summary / Conclusion Identity Management is a strategy to simplify complex computing infrastructures and is an essential component of a secure computing environment Security in focus –Complexity and security don’t go together Cost reduction available as a side benefit Necessary to resist to pressure of having –“Custom” solution for “special” users –Exception lists

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.