
Alan Dekok, CTO Terena 2010 - June 2 Why Identity Management is hard.

Presentation transcript:

1 Alan Dekok, CTO Terena 2010 - June 2 Why Identity Management is hard

2 Confidential - © Mancala Networks 2010
This is your network
http://www.flickr.com/photos/teseum/1268565258/

3 This is the network you want
http://www.flickr.com/photos/martin_addison/4184287103/

4 Why IDM is hard
Secure systems require:
 Knowledge: inventory, monitoring, etc.
 Requirements: network policies and procedures
 Enforcement: firewalls, IDS, etc.
If any piece is missing, the system falls over. And so does your network.

5 Vendors are warlords
 Knowledge? Locked up in proprietary systems.
 Requirements? Need to be expressed in the vendor's language.
 Enforcement? Go ask someone else.
Your network is a battleground. And you are losing.

6 Vendor Product Integration
http://www.flickr.com/photos/13965522@N00/2658439548/

7 What makes IDM hard
Identity management is...
 WHO is on your network
 WHICH rules apply to them
 WHAT they are doing
 HOW to stop bad behavior
In direct conflict with vendor goals.

8 What you can do about it
 Own your network.
 Know everything about the network.
 Set global network control.
 Enforce it across all sites and services.
Demand this from the vendors.

9 Better vendor integration
http://www.flickr.com/photos/carbonnyc/2536483214/

10 Without IDM, what happens?
 No database of MAC / IP? No idea who is on your network.
 No policy capability? No way of expressing what should happen.
 No enforcement of policies? No punishment for bad behavior.
Configuring all of this is expensive.

11 Similar to driving...
 No car registration, anyone can drive! Versus: licensed drivers and vehicles.
 No government control, drive anywhere! Versus: common policies and requirements.
 No enforcement, go steal a car! Versus: ubiquitous policing and enforcement.

12 How to get IDM
 Demand access to data: knowledge is power!
 Demand inter-operability: simpler, cheaper, better.
 Demand security! Ignoring security is so 1990's.
It's your network, not theirs.

13 FreeRADIUS as an example
 All data is stored in databases
 Policy language to express any security system
 Policy enforcement when user logs in
 It has taken ~10 years to develop this system
No equivalent for DNS or DHCP.

14 IDM Examples
Unknown person on the network?
 Now: they can still do DHCP.
 Versus: maybe kick them off of the network. Or inform the administrator.
User manually enters an IP address?
 Now: they can still access network resources.
 Versus: deny them access to network resources? Maybe kick them off of the network. Or inform the administrator.
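The two cases on this slide only become enforceable once the "database of MAC / IP" from slide 10 exists and is compared against what the network actually sees. The following is an added illustration, not code from the talk or from FreeRADIUS; the inventory, DHCP lease table and observed (MAC, IP) pairs are constructed, and the verdict names are assumptions.

```python
"""Toy IDM policy check for the two cases on slide 14 (added example,
not from the talk). All inventory, lease and observation data is constructed."""
from dataclasses import dataclass

# Constructed inventory: the "database of MAC / IP" the talk says you need.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "alice-laptop",
    "00:11:22:33:44:66": "bob-desktop",
}
# Constructed DHCP leases: MAC -> IP the DHCP server actually handed out.
DHCP_LEASES = {
    "00:11:22:33:44:55": "10.0.0.10",
    "00:11:22:33:44:66": "10.0.0.11",
}
# Constructed ARP / switch observations: (MAC, IP) pairs seen on the wire.
OBSERVED = [
    ("00:11:22:33:44:55", "10.0.0.10"),   # known device, matches its lease
    ("00:11:22:33:44:66", "10.0.0.200"),  # known MAC, manually entered IP
    ("de:ad:be:ef:00:01", "10.0.0.12"),   # unknown device, never inventoried
]

@dataclass
class Verdict:
    mac: str
    ip: str
    finding: str   # "ok", "unknown-device" or "static-ip" (assumed names)
    action: str    # "allow", "quarantine" or "deny" (assumed names)
    alert: bool    # whether to inform the administrator

def evaluate(mac, ip, known=KNOWN_DEVICES, leases=DHCP_LEASES):
    """Apply the slide's policy: an unknown device is removed from the
    network and the administrator informed; a known device whose IP does
    not match its DHCP lease is denied access to resources and reported."""
    mac = mac.lower()
    if mac not in known:
        return Verdict(mac, ip, "unknown-device", "quarantine", True)
    if leases.get(mac) != ip:          # no lease at all also counts as manual
        return Verdict(mac, ip, "static-ip", "deny", True)
    return Verdict(mac, ip, "ok", "allow", False)

def audit(observed=OBSERVED):
    """Evaluate every observed host; the return value is what an
    enforcement point (switch ACL, RADIUS CoA, firewall) would consume."""
    return [evaluate(mac, ip) for mac, ip in observed]

if __name__ == "__main__":
    for v in audit():
        who = KNOWN_DEVICES.get(v.mac, "unknown")
        print(f"{v.mac} {v.ip:<12} {v.finding:<15} -> {v.action:<10} "
              f"alert={v.alert} ({who})")
```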

15 Network evolution
Open networks
 Anyone can get access
 No policies or enforcement
Hard shell networks
 Login checking for access
 Minimal policies or enforcement
Defence in depth
 Continuous access checking
 Detailed policies, extensive enforcement, for every location, service, switch port, ...

16 Barriers to IDM
http://www.flickr.com/photos/tcp909/132665279/

17 Open Standards
 The network is built on open standards.
 We need open data formats, too.
 We need open policy languages. Perl or Python are a start.
 We need integrated systems: real-time feeds between services.

18 Demand freedom
 All data is stored in databases
 No restrictions on what you can do with it
 Complex policies to build any security system
 Integration of systems
Network Management is Identity Management.

19 When everyone works together
http://www.flickr.com/photos/maynard/2325890069/
