IdM – The Missing Link (part 1)
Avi Douglen, CISSP
OWASP, 6/9/2009

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

Agenda
- Background
- Why IdM Goes WRONG
- What IdM CAN Do
- What IdM USUALLY Does
- What IdM SHOULD Do

BACKGROUND

Some Random IdM Statistics
The numbers are very clear…

- Time to implement enterprise IdM:
  - Vendors: < 6 months
  - Real world: 2-3 years AT LEAST
- Cost to implement enterprise IdM:
  - Vendors: < $100K
  - Real world: $2-3 million AT LEAST
- Savings from IdM implementation:
  - ~ $2.5 million yearly
  - 75% of IT user administration costs
  - > $8 million
- Success rate for IdM projects:
  - 10-15% Success
  - < 5% Success
  - > 60% Still pending (not yet complete, maybe never will be…)
  - Vendors: > 85% Successful implementations

Okay, the numbers are not THAT clear…

Background - Definitions
- Identification – Who are you?
- Authentication – Prove it!
- Authorization – What can you do?

- Digital Identity – A set of claims made by one subject about itself in relation to a given system
- IdM systems deal mostly with enterprise-centric identity systems
- Not so much user-centric identity

Background – Definition(s) of IdM
- IdM – Identity Management
  - Manages identity silos for all systems
  - Provides single view of shared user directory
  - Provisioned identities
  - Delegated authentication
- IAM – Identity and Access Management
  - Second generation of IdM
  - Very limited Access Control
    - Not granular or application-sensitive
    - Usually at system level
  - Sometimes provides minimal RBAC features

"Identity management is… the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources in accordance with established policies" - Burton Group

Sample IdM Vendors
- Microsoft: AD / ADFS, MIIS, ILM
- IBM: Tivoli Directory Server, Tivoli Identity Manager, Tivoli Access Manager
- Novell: Identity Manager, Access Manager
- EMC / RSA
- Oracle: Too many products to mention…
- CA: Even more…
- Sun
- BMC
- Numerous niche start-ups…

WHY IDM GOES WRONG

Challenges - Political
- Lack of leadership and support from sponsors
- Getting all stakeholders to have a common view
- Data ownership quibbles
- Expectation to make IdM a data synchronization engine for application data
- Defining an appropriate business process
- Overlooking change management — expecting everybody to go through the self-learning process

Challenges - Technical
- Lack of definition of the post-production phase
- Lack of focus on integration testing
- Lack of consistent architectural vision
- Expectations for "over-automation"
- Deploying too many IdM technologies in too short a time
- Niche applications – no "best-of-breed" suite
- Lack of requirements coverage – e.g. CSAC

Security Risks
- Single point of failure
  - AKA break one, break all
- Platform vulnerabilities
- Integration flaws
- Rogue developers
- Over-reliance on automation

WHAT IDM CAN DO

Some IdM Services
- Identity repository
- Directory services
- Provisioning
- Password synchronization
- Workflow automation
- User information self-service
- Management of lost passwords
- Self-service password reset
- Delegated administration
- Policy-based access control
- Enterprise/Legacy single sign-on (SSO)
- Web single sign-on (WebSSO)
- Metadata replication / synchronization
- Directory virtualization (virtual directory)
- Role-based access control (RBAC)
- Federation

WHAT IDM USUALLY DOES

Top 3 Drivers for IdM
1. Regulatory Compliance
2. Lowered Administration Costs
3. Better user experience
4. Security?

Most Common Features
- Password reset
- Password consolidation and management
- Single Sign-on (SSO)
- Provisioning
- Compliance reporting
- Change request workflow
- System level access control (RBAC)

Missing Security Benefits
Where did "Security" go??

WHAT IDM SHOULD DO

Possible Security Benefits
- Immediate de-provisioning
  - And re-provisioning
- Enterprise-wide Password Policy
- Security policy enforcement

Missing Security Features
- Separation of Duties
- Granularity of authorization
- Scalable application administration
- Application audit trail
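The two slides above name immediate de-provisioning, Separation of Duties, granular authorization and an application audit trail as what IdM should deliver but usually does not. The Python below is an added example, not part of the OWASP deck or of any product's code: a small application-level authorization engine that enforces a static SoD rule when a role is assigned, an object-level rule when a decision is made (the creator of an invoice may never approve it, whatever roles they hold now), records every decision in an audit trail, and makes de-provisioning take effect on the very next check. Every role name, permission, user and invoice in it is constructed for illustration.

```python
# Added example (not from the OWASP deck): a minimal application-level
# authorization layer showing the features the slides list as missing from
# typical IdM: static Separation of Duties on role assignment, object-level
# (granular) authorization, an application audit trail and immediate
# de-provisioning. Roles, users and invoices are constructed for illustration.
from datetime import datetime, timezone

# Hypothetical role -> permission map. A permission is an (action, resource
# type) pair, which is finer than "user holds the Finance role".
ROLE_PERMISSIONS = {
    "ap_clerk": {("create", "invoice")},
    "ap_approver": {("approve", "invoice")},
    "auditor": {("read", "invoice"), ("read", "audit_log")},
}
# Static SoD constraint: no identity may hold both roles at the same time.
MUTUALLY_EXCLUSIVE = [frozenset({"ap_clerk", "ap_approver"})]

class SeparationOfDutiesError(Exception):
    pass

class AuthzEngine:
    def __init__(self):
        self.identities = {}  # user_id -> {"roles": set, "active": bool}
        self.audit_log = []   # application audit trail, one entry per event

    def _audit(self, event, user_id, **details):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "event": event, "user": user_id, **details})

    def provision(self, user_id):
        self.identities[user_id] = {"roles": set(), "active": True}
        self._audit("provision", user_id)

    def assign_role(self, user_id, role):
        proposed = self.identities[user_id]["roles"] | {role}
        for pair in MUTUALLY_EXCLUSIVE:
            if pair <= proposed:  # both conflicting roles would be held
                self._audit("sod_violation", user_id, role=role)
                raise SeparationOfDutiesError(
                    f"{user_id}: {role} conflicts with {sorted(pair)}")
        self.identities[user_id]["roles"].add(role)
        self._audit("assign_role", user_id, role=role)

    def revoke_role(self, user_id, role):
        self.identities[user_id]["roles"].discard(role)
        self._audit("revoke_role", user_id, role=role)

    def deprovision(self, user_id):
        # Immediate de-provisioning: one flag checked on every decision, so
        # nothing has to be cleaned up application by application first.
        self.identities[user_id]["active"] = False
        self._audit("deprovision", user_id)

    def is_allowed(self, user_id, action, resource_type, resource):
        ident = self.identities.get(user_id)
        reason = None
        if ident is None or not ident["active"]:
            reason = "inactive_or_unknown"
        elif not any((action, resource_type) in ROLE_PERMISSIONS.get(r, ())
                     for r in ident["roles"]):
            reason = "no_permission"
        elif action == "approve" and resource.get("created_by") == user_id:
            # Object-level SoD: the creator of an invoice may never approve it,
            # even if a later role change gave them the approve permission.
            reason = "creator_cannot_approve"
        self._audit("deny" if reason else "allow", user_id, action=action,
                    resource=resource.get("id"), reason=reason)
        return reason is None

def run_scenario():
    """Walk through the constructed scenario and return every decision."""
    engine = AuthzEngine()
    for user, role in [("alice", "ap_clerk"), ("bob", "ap_approver"),
                       ("carol", "auditor"), ("dave", "ap_clerk")]:
        engine.provision(user)
        engine.assign_role(user, role)
    inv1 = {"id": "INV-1", "created_by": "alice"}  # constructed sample data
    inv2 = {"id": "INV-2", "created_by": "dave"}
    out = {"alice_creates": engine.is_allowed("alice", "create", "invoice", inv1),
           "alice_approves_own": engine.is_allowed("alice", "approve", "invoice", inv1),
           "bob_approves": engine.is_allowed("bob", "approve", "invoice", inv1)}
    try:  # static SoD: clerk + approver on one identity is refused
        engine.assign_role("alice", "ap_approver")
        out["sod_blocked"] = False
    except SeparationOfDutiesError:
        out["sod_blocked"] = True
    # dave moves from clerk to approver: he may approve INV-1 but not INV-2,
    # which he created while a clerk (object-level SoD).
    engine.revoke_role("dave", "ap_clerk")
    engine.assign_role("dave", "ap_approver")
    out["dave_approves_other"] = engine.is_allowed("dave", "approve", "invoice", inv1)
    out["dave_approves_own"] = engine.is_allowed("dave", "approve", "invoice", inv2)
    engine.deprovision("bob")  # leaver: every later decision denies at once
    out["bob_after_leaving"] = engine.is_allowed("bob", "approve", "invoice", inv1)
    out["carol_reads_log"] = engine.is_allowed("carol", "read", "audit_log", {"id": "log"})
    out["events"] = [e["event"] for e in engine.audit_log]
    return out
```

Calling run_scenario() returns each decision keyed by name, plus the ordered list of audit events; the refused role assignment is logged as a sod_violation even though it never took effect, which is what a reviewer later needs to see. The slides' point about granularity is visible in the dave case: system-level RBAC only knows "dave is an approver" and would allow both approvals, while the object-level check denies the one on his own invoice.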

QUESTIONS?