Published by Shawn Spencer. Modified over 7 years ago.
Identity & Access Management
A Misnomer: Informed, then decisive and protective
Eric C Anderson, Sr. Cybersecurity Architect, Health Care Service Corporation
Real Time Decisions: Are you who you say you are? Do you belong here?
Seventeen years ago, a technology executive published a book promoting the value of a “digital nervous system”: real-time decisions, empowered by real-time data. Today we see the adoption of those principles. Data necessary for decisions is shared in real time, internally and externally, from any device, anywhere in the world. The result of this “Business at the Speed of Thought” is the need to provide nearly instantaneous access management solutions that ensure two questions are answered in the affirmative: Are you who you say you are? Do you belong here?
Identity Data Reference View
[Diagram: Identity Lifecycle Management (Enterprise Identity Lifecycle Mgmt, Customer Identity Lifecycle Mgmt) and Identity Data Consumption]
The Identity Data space is defined by two distinct functions:
- Identity Lifecycle Management: manipulation and management of identity data. Provides the capability to apply rules, governance, and analytics to access control. The relationship between entitlement complexity and volume of identities may differentiate Enterprise ILM from Customer ILM.
- Identity Data Consumption: a data consumption service that allows consumption of managed identity data to empower access control decisions.
Identity Lifecycle Management
What Is Identity Lifecycle Management? The process of actively managing an individual relationship as they move from persona to persona.
Business Impact
- Commonalities: both Customer and Enterprise Identity Lifecycle empower the management of persona to persona within the enterprise.
- Customer: customer identity tends to have more identities, simpler entitlements, and less control over the device.
- Enterprise: enterprise identity manages fewer identities, with much greater entitlement complexity.
Identity Data Reference View
[Diagram: Identity Lifecycle Management, with Enterprise ILM (fed from HR via API/WebService) and Customer ILM (fed via API/WebService), each feeding Identity Data Consumption: Core Identity Repository, Abstraction & Cache, Consumption service]
Access Control
What Is Access Control? The practice of ensuring that a fulfilled access request results in two questions answered in the affirmative: “Are you who you say you are?” and “Do you belong here?”
Business Impact
- Decision Service: externalization allows for the centralization of access control policy and decision authority. It decouples access decisions from application code, providing improved agility, and reduces prioritization conflicts between business features and security requirements.
- Decision Enforcement: upon externalization and standardization of access control information, enforcement agents become fully commoditized. Any process that can make a JSON/REST request can enforce the decision.
Access Control Reference View
[Diagram: Identity Data (Identity Data Consumption) feeding Access Control (Access Decision, Access Enforcement)]
The Access Control space is defined by two distinct functions:
- Access Decision: services an access control request for a defined resource by a defined user. Consumes the Identity Data service to make the access decision based upon centralized access control policies.
- Access Enforcement: consumes and enforces the simple allow/reject response.
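The decision/enforcement split described on the two Access Control slides, as an added example that is not from the presentation: a small externalized ABAC-style decision service that consumes identity data and answers Permit/Deny over a JSON interface, beside an enforcement point that carries no policy of its own. The repository contents, policy table, resource names and attribute names are constructed for the example.

```python
import json

# Constructed identity data standing in for the Core Identity Repository.
IDENTITY_REPOSITORY = {
    "alice": {"department": "claims", "role": "adjuster", "clearance": 2},
    "bob": {"department": "it", "role": "engineer", "clearance": 3},
}

# Centralized access-control policy keyed by (resource, action); each rule lists
# the attribute values a subject must hold. "min_clearance" is a numeric floor.
POLICY = {
    ("claims-app", "access"): {"department": {"claims", "it"}},  # coarse grained
    ("claims-app/case", "read"): {"department": {"claims"}},      # fine grained
    ("claims-app/case", "approve"): {"department": {"claims"}, "role": {"adjuster"},
                                     "min_clearance": 2},
}

def consume_identity_data(subject):
    """Identity Data Consumption: attributes for a subject, empty if unknown."""
    return IDENTITY_REPOSITORY.get(subject, {})

def decide(request):
    """Access Decision: evaluate {"subject", "resource", "action"} against POLICY."""
    rule = POLICY.get((request["resource"], request["action"]))
    if rule is None:  # no applicable policy: deny by default
        return {"decision": "Deny", "reason": "no applicable policy"}
    attrs = consume_identity_data(request["subject"])
    for name, allowed in rule.items():
        if name == "min_clearance":
            if attrs.get("clearance", 0) < allowed:
                return {"decision": "Deny", "reason": "clearance too low"}
        elif attrs.get(name) not in allowed:
            return {"decision": "Deny", "reason": f"{name} not permitted"}
    return {"decision": "Permit", "reason": "all attribute rules satisfied"}

def decide_json(body):
    """The REST face of the decision service: JSON request in, JSON response out."""
    return json.dumps(decide(json.loads(body)))

def enforce(subject, resource, action):
    """Access Enforcement: holds no policy, just applies the allow/reject answer."""
    body = json.dumps({"subject": subject, "resource": resource, "action": action})
    return json.loads(decide_json(body))["decision"] == "Permit"
```

Because `enforce` only reads the decision field, a new rule such as an extra department or clearance floor changes behaviour at the decision service without any change at the enforcement point.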
Access Control Reference View
[Diagram: Identity Data (Identity Data Consumption: Core Identity Repository, Abstraction & Cache, Consumption service) feeding Access Control: Access Decision (ABAC/XACMLv3 Decision Service), Application Layer, and Access Enforcement (SM Policy Server, Services Security Gateway, API Gateway, SM Agent, Secured Proxy Services, Secure Token Service, JSON enabled enforcement points)]
Appendices
Use Case 1: Employee Onboarding
Use Case 1: Internal Hiring Event
1. PeopleSoft record created.
2. Request to Enterprise ILM.
3. “Birthright entitlements” identified; explicit requests identified; approvals gained; governance records written.
4. Account provisioned to core identity service.
5. Abstraction layer picks up the new body of entitlements to wrap around the core object.
[Diagram: 1 Enterprise ILM (ILM, Enterprise); 2 B-Flex / PeopleSoft HR via API/WebService; 3 Core Identity Repository (Identity Data Consumption); 4 Abstraction & Cache, Consumption service]
Use Case 4: Prospect -> Member Conversion
Use Case 4: Prospect -> Customer conversion
1. Business Application identifies the conversion.
2. Registration request submitted to the Customer ILM API.
3. Customer ILM converts the identity from prospect to member; appropriate entitlements set; governance records written.
4. Record created in Core Identity Repository.
5. Abstraction layer picks up the core identity update.
[Diagram: 1 Business Application; 2 Customer ILM (ILM, Customer); 3 API/WebService; 4 Core Identity Repository; 5 Abstraction & Cache, Consumption service]
AC Use Case 1: Protected Application
AC Use Case 1: Protected Application
1. User requests application.
2. Agent enforces authentication.
3. Policy Server obtains authentication: authenticates user; requests coarse authorization; identity data requested; coarse-grained authorization decision made; application access granted.
4. Fine-grained authorization requested: requests fine-grained authorization; identity data requested; fine-grained authorization decision made.
5. Application serves resource to browser.
[Diagram: 1 Browser; 2 Application; 3 SM Agent / SM Policy Server (Access Enforcement), 3a Core Identity Repository, 3b ABAC/XACMLv3 Decision Service (Access Decision), 3c Abstraction & Cache, Consumption service; 4 Application, 4b Decision Service, 4c Consumption service]
AC Use Case 2: Protected Service
AC Use Case 2: Protected Service
1. Application requests service.
2. Security GW enforces authentication; requests authentication from STS.
3. STS obtains authentication; issues long-term token shared with requestor.
4. Security Gateway services request; requests authorization decision based upon the request.
5. Decision service requests relevant identity data; issues decision based upon identity data and centralized access control policy; issues short-term token shared with requestor.
6. Decision enforced by Security Gateway; approved request submitted by proxy using short-term token.
7. Data returned to requestor.
[Diagram: 1 Application; 2 Security GW; 3 Secure Token Service, 3a Core Identity Repository, 3b Application, 3c Abstraction & Cache, Consumption service / Decision Service; 4 Security GW, 4c Consumption service; 5a ABAC/XACMLv3 Decision Service (Access Decision); 6 Security GW; 7 Application]
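The protected-service flow above, as an added example that is not part of the presentation: a minimal Secure Token Service issues an HMAC-signed long-term token on authentication and, once the decision service permits the request, a short-term token scoped to one service; the gateway's proxied call is then validated against that token's audience and lifetime. The key, lifetimes, service names and the identity/policy tables are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

STS_KEY = b"constructed-demo-key"   # constructed; a real STS would use managed keys
LONG_TERM_TTL, SHORT_TERM_TTL = 8 * 3600, 60   # seconds; chosen for the example

# Constructed identity data and centralized policy: which departments may call a service.
IDENTITY_DATA = {"svc-portal": {"department": "claims"}, "svc-kiosk": {"department": "retail"}}
POLICY = {"claims-service": {"claims", "it"}}

def _sign(payload):
    """Encode a payload and append an HMAC-SHA256 tag: "<base64 body>.<hex mac>"."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify(token, now=None):
    """Return the payload if the tag is valid and the token is unexpired, else None."""
    try:
        body, mac = token.split(".")
        expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    return payload if payload["exp"] > (time.time() if now is None else now) else None

def issue_long_term(subject, now=None):
    """STS step 3: the authenticated requestor receives a long-term token (aud = sts)."""
    now = time.time() if now is None else now
    return _sign({"sub": subject, "aud": "sts", "exp": now + LONG_TERM_TTL})

def decide(subject, service):
    """Decision service: identity data plus centralized policy -> allow/reject."""
    return IDENTITY_DATA.get(subject, {}).get("department") in POLICY.get(service, set())

def gateway_request(long_token, service, now=None):
    """Security Gateway steps 4-6: authenticate, obtain a decision, then a short-term token."""
    now = time.time() if now is None else now
    auth = verify(long_token, now)
    if auth is None or auth["aud"] != "sts":
        return None                 # not authenticated with a valid long-term token
    if not decide(auth["sub"], service):
        return None                 # decision enforced: request rejected
    return _sign({"sub": auth["sub"], "aud": service, "exp": now + SHORT_TERM_TTL})

def service_accepts(short_token, service, now=None):
    """The proxied service accepts only an unexpired token issued for it."""
    payload = verify(short_token, now)
    return payload is not None and payload["aud"] == service
```

The long-term token is never accepted by the service itself, and the short-term token cannot be replayed against the STS or another service, because each carries an audience and its own expiry.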