Presentation is loading. Please wait.

Presentation is loading. Please wait.

The (IdM) Identity Conundrum Strategies in identity management.

Published byCynthia Newman Modified over 9 years ago

Similar presentations

Presentation on theme: "The (IdM) Identity Conundrum Strategies in identity management."— Presentation transcript:

1 The (IdM) Identity Conundrum Strategies in identity management

2 What is identity management? Important delineation :  Two groups of entities  Internal staff  Customers, business partners  Different challenges, different deliverables, may need different solutions

3 What is identity management? Identity management is the ability to define and control the security characteristics and credentials of :  many users  on many systems  spanning a variety of different roles  inside and outside the organisation  while accessing content, applications, and services  in a manner which is sensitive to the context of the interaction

4 What is identity management? So identity is the abstract representation that links a real person to their capabilities in an IT system The process of identity management requires a system which:  distinguishes a person  defines them in terms of their security personas  and specifies their access rights  within the various contexts which characterise their interaction with the organisation

5 What is identity management? But isn’t that just security administration?  True to a degree, BUT  Formerly one person, one account, one system  NOW, one person, 20 accounts, 100 systems  An example

6 What is identity management? Example  Mid-Size corporation  5,000 staff  220,000 userids  374 security domains  With this level of complexity it’s not “just” security administration

7 What is identity management? So Identity Management is actually the integration of products such as directories, single sign-on, security services applications and provisioning applications into a unified framework for managing user information and access. It’s about convergence of the multitude of points of authentication, authorisation and administration to provide a more coherent view and management platform for security.

8 An architectural view of Identity Management

9 Authoritativ e sources Identity store Identity Access policies Provisioning Access controls and privileges Operating systems Data bases and files Applications Web / Information Portals What is identity management?

10 Drivers to Identity Management (internal staff) Increasing complexity (servers, operating systems, data bases, applications) Increasing administration costs Declining security quality = rising security risk Declining quality of service

11 Drivers to Identity Management (customers) Need to do business regardless of location Need to identify a web customer as the same customer using IVR or counter services Customer single web sign-on in complex server/database/application environment Need unified authentication for web portals Access rights change with the business context Personalise web content based on identity and current activity Interface to CRM applications Delegated administration for business areas, partners

12 What value can Identity Management create? Identity Management is the philosophy of a centralised security architecture using an identity centric approach Single user profile for user identification and marketing purposes Stops proliferation of passwords Increased customer and employee satisfaction Faster deployment of new applications Cost reduction through centralised user management, user self service and process optimisation Link between business processes, workflow and technology Centralised point of control for security and audit processes.

13 Benefits from Identity Management Cost reduction –Decreased maintenance of security on a business unit level –Staff and customer access available more quickly –Internal costs reduced through cross platform centralised password management and synchronisation –External help desk costs reduced by improved password management –Reduction in development costs for web applications – no need to rebuild a bespoke security solution

14 Benefits from Identity Management Revenue –Move complete value chains to the digital world –Provide a mechanism to quickly and efficiently migrate users and applications from acquisitions –Staff productive more quickly –Offer 24/7 self service –Competitive advantage, strategic positioning and corporate brand/image

15 Benefits from Identity Management Risk reduction  Only appropriate users have access  Risk of obsolete user accounts reduced  Change of position results in change of permissions  Ability to evaluate regulatory compliance  Ability to audit and track user accounts.  Ability to automatically lock out users  Central point of control for security and audit processes.  Single view of user’s access

16 Competing technologies

17 We now look at security infrastructure solutions. ERP and CRM feed into Identity Management, but are out of scope for this discussion – Custom applications – Directory services – Web Access Control (aka Extranet Access Management) – Provisioning

18 Custom applications While not high on most people’s agenda, building custom applications for IM is possible and has been done Enables very specific requirements to be built in – Inherently expensive to build and maintain – Requires deep technical skills in some of the target platforms, not normally held by developers – Usually one way – does not pick up manual changes – Sits on critical path for technology upgrades (e.g. new versions of operating system or data base) – Most very large organisations have put in a bespoke provisioning application of some sort Example : large bank built online access control manager 15 years ago – Becomes too difficult for complex technology mix

19 Directory services Directory Services terminology is ambiguous, and not used consistently A “directory” is a specialised data base used for repetitive high speed access to relatively static data. “Directory Services” is a blanket term used to describe the use of directories to service this data to applications. Security credentials are frequently provided to applications in this way. Metadirectory” is a term used to describe a directory which is comprised of data synchronised from other directories. It is very important to recognise that many people do not understand these concepts, and use the term “Directory Services” or “metadirectory” when they simply mean the desire to use a directory instead of a data base.

20 Directory services A directory services solution comprises a set of tools and processes A core directory such as Active Directory, Novell eDirectory, iPlanet Directory synchronisation tool such as DirXML, Sun ONE Meta- Directory, Active Directory Connector Connector to ERP or CRM Object and property mapping tools (probably XML) Optionally front-end self service directory enabled applications

21 Netware SolarisNTOS/390 Access NDS Sybase NIS SECA Sybase Oracle SAM MS- SQL Notes Address Book RACF DB2 DIRECTORY SYNCHRONISATION SERVICES IDENTITY MANAGEMENT DIRECTORY APPLICATIONS DIRECTORIES AND DATABASES OPERATING SYSTEMS IDENTITY STORE

22 Synchronisation policies XML Style sheets DIRECTORY SYNCHRONISATION BUS APPLICATION IDENTITY STORE (DIRECTORY) Directory ERP Directory Data base Data base Directory

23 Directory Services Authentication  User profiles can be stored in a manner which can be accessed by applications to authenticate the user. The term describing it is “Directory Enabled Application”, and the protocol for accessing the directory is LDAP. Access control  If the directory is the native security mechanism for the operating system it controls access to resources (e.g. eDirectory on Netware)  Otherwise there is no active access control. Passive access control can be achieved by directory enabling applications  Group memberships and custom objects can help  CAVEAT! Passive security depends on developers implementing security correctly in the application.

24 Directory Services Provisioning  Directories can be updated as a result of changes in other directories, or changes in the HR system  Key technique is directory synchronisation using products like DirXML  Synchronisation tool maps object types and properties to their equivalent in the target system (e.g. userid=logonid=UID, Last Name=Surname=Name)  Also allows scripting to achieve non-directory functions (e.g. copying files, archiving), or scheduling subsequent events

25 Extranet Access Management Web applications bring new challenges. There are numerous data sources, and new resource types not protected by traditional processing platforms  Native operating system security can’t protect pages, URLs, Objects, methods, applets, servlets  Products include Oblix, Tivoli Identity Manager, RSA ClearTrust, Netegrity SiteMinder. Many more.  Provides a callable security service with support for new resource types, and custom objects  Primarily for browser applications, but some can be called by traditional applications  Particularly relevant for JAVA – JAAS and J2EE  EAMs often use a directory as their identity store

26 Security service Operating systems Application server Browser Data base Web server Identity store

27 Data base Web server Application server Identity store Privilege store Security service

28 Extranet access manager Authentication  User profiles and passwords are stored in the EAM’s identity store and accessed via the EAM’s API. Typically an encrypted cookie is created to provide single signon during the period of interaction. Access control  Many different ways to store permissions  Typically defined by group membership  Can be a simple ACL for a resource  Some products allow business logic to be included in the security credentials (e.g. allow access if account balance > $100,000)  Some products have active security for certain resource types (e.g. page, method). Passive access control always possible by calling security from the application. Can be called from legacy apps.  Group memberships and custom objects can help  CAVEAT! Passive security depends on developers implementing security correctly in the application.

29 Extranet access manager Provisioning  Not typically used as a provisioning service. However, can be linked to CRM feed for automatic account creation  Some provisioning products can link into some EAMs (must be purpose written interface)  Provisioning can be direct to the identity/privilege stores via say LDAP

30 Security provisioning Proliferation of servers, accounts and passwords is making traditional security administration practices ineffective. There are pure plays provisioning products on the market  New users may need 10 or more accounts provided by several different administrators  Great scope for error (wrong access) and delay  Security administration costs rising because growing infrastructure complexity dramatically increases the number of security admin tasks  Provisioning products automate standard security tasks so they can be carried out without a security administrator’s intervention  Examples include BMC Control-SA, Access 360 (now Tivoli Access Manager), Waveset Provisioning Manager, CA eTrust. Others

31 Authoritativ e sources Identity store Identity Access policies Provisioning Access controls and privileges Operating systems Data bases and files Applications Portals

32 Security provisioning engine (Single Point of Administration) PeopleSoft Central Security Administration Data Base GATEWAY MANAGED SYSTEMS

33 Provisioning Authentication  NOT interactive security manager  Provisioning solutions play no direct role in authentication  Can facilitate password synchronisation Access control  NOT interactive security manager  Puts access control settings in place to facilitate access to target  Can perform complex tasks with some intelligent rule processing facilitated by scripting  Can implement role based access control, so complex combinations of access can be assigned to a user based on their position, or specified function within work place (e.g. teller, help desk)

34 Provisioning  Replicates local security credentials in a central repository  Changes to the repository are executed in the managed domain  Changes made in managed domain also applied to repository  Every person added to the role will get correct access  Deleting the central entity deletes all associated accounts  Needs workflow to achieve maximum gains and include online authorisation of requests  Not a panacea  Expect to automate 30-50% of access types  However only limited by your commitment and resources

35 Entity Functional roles Access roles Permissions      CSO Supervisor Client maintenance Unitised redemptions Quality assurance      eProvisioning

Download ppt "The (IdM) Identity Conundrum Strategies in identity management."

Similar presentations

Service Manager for MSPs

Service Manager for MSPs
Prepared by Dept. of Information Technology & Telecommunication, May 1, 2015 DoITT Identity Management Security, Provisioning, Authentication.

Prepared by Dept. of Information Technology & Telecommunication, May 1, 2015 DoITT Identity Management Security, Provisioning, Authentication.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
© 2006 IBM Corporation IBM Software Group Relevance of Service Orientated Architecture to an Academic Infrastructure Gareth Greenwood, e-learning Evangelist,

© 2006 IBM Corporation IBM Software Group Relevance of Service Orientated Architecture to an Academic Infrastructure Gareth Greenwood, e-learning Evangelist,
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.

Identity and Access Management IAM. 2 Definition Identity and Access Management provide the following: – Mechanisms for identifying, creating, updating.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Identity and Access Management

Identity and Access Management
Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.

Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.
Copyright 2005 © Persistent Systems (http://www.persistentsys.com)http://www.persistentsys.com 1 Overview of Persistent’s Custom Connector Offering.

Copyright 2005 © Persistent Systems ( 1 Overview of Persistent’s Custom Connector Offering.
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.

EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.

#CONVERGE2014 Session 1304 Managing Telecom Directories in a Distributed or Multi-Vendor Environment David Raanan Starfish Associates.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.
Identity Lifecycle Management Jonny Chambers Senior Technical Specialist Microsoft Ireland

Identity Lifecycle Management Jonny Chambers Senior Technical Specialist Microsoft Ireland
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
SOA – Development Organization Yogish Pai. 2 IT organization are structured to meet the business needs LOB-IT Aligned to a particular business unit for.

SOA – Development Organization Yogish Pai. 2 IT organization are structured to meet the business needs LOB-IT Aligned to a particular business unit for.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
BASIC NETWORK CONCEPTS (PART 6). Network Operating Systems NNow that you have a general idea of the network topologies, cable types, and network architectures,

BASIC NETWORK CONCEPTS (PART 6). Network Operating Systems NNow that you have a general idea of the network topologies, cable types, and network architectures,

Similar presentations

Ads by Google