Identity and Access Management for Portals

Christopher Ehrsam

Senior Security Consultant, Prolifics

September 14, 2010

Portal Security Needs

• A portal is a collection of disparate systems integrated "at the glass" into a seamless front-end user experience.

• Individual systems brought together in this manner typically have several preexisting and separate security models.

• With tighter integration, system security becomes an issue. Single Sign-On is critical to maintaining the seamless end-user experience the portal provides.

• Rights management is also a greater issue in portals. Every user will need to be checked for access to critical systems at the role or individual level. Without proper security systems, this will greatly increase administrative overhead. Manual administrative processes will lead to errors, which reduces overall security.

Basic WebSphere and Portal Security Strategies

Securing WebSphere and Portal Applications

Figure: Securing WebSphere and Portal Applications. Each tier shown (WebSphere Application Server, Portal Server, and standalone applications, homegrown and more) carries its own Managed Security, covering:

• User Provisioning
• Authentication
• Authorization

Mechanisms noted in the figure: common directory, credential vault, J2EE security; application-based security, app server security.

Advanced Security Strategies: Evolving your Security Strategy

• Basic WebSphere & Portal Security
• Centralize Access
• Manage Identities across the Enterprise
• Audit, Reporting and Compliance
• Secure the Total System – from SOA to Portal

Centralize Access

Centralizing Security with Tivoli Access Manager

Figure: Centralizing Security with Tivoli Access Manager. The separate Managed Security of each tier (WebSphere Application Server, Portal Server, standalone applications, homegrown and more) is replaced by a single Tivoli Access Manager layer.

Controlling Access to Standalone Applications

Figure 1. Unified, Policy-Based Security for the Web

BEFORE
• Too many passwords to remember
• Multiple admins with multiple access control tools
• User and access control information everywhere

AFTER
• Web single sign-on
• Single admin or delegated admins with a single tool
• User and security info centralized and understandable

Figure elements: a single user registry, a unified policy and centralized audit provided by Access Manager Security Services (WebSEAL, Policy Server, ACL, User) in front of WebSphere Application Server, WebSphere Portal (and other J2EE), portlets, and backing data stores/applications. Legend: security policy, user & group info, audit.

Controlling Access to WebSphere Portal Server

• Tight integration; higher security
• Sharing user info in LDAP; Web SSO
• Access control to portlets and page groups
• Portlets can use Access Manager for fine-grained access control
• Access Manager GSO service snaps in as WPS credential vault

Figure: Layers of Authorization. Request path: WebSEAL, then WAS / WebSphere Portal (web server, portlets), then back-end resources.

A. Web URL layer: TAM controls access.
B. Portlet layer: customer choice (TAM or Portal control).
C. Business logic layer: TAM's Java and .NET support.

Tivoli Access Manager Features

• Single Sign-On
  - To back-end applications: Basic Authentication; Forms-Based Authentication; TAI (WebSphere); LTPA (Lotus Application)
  - From portlets: WebSphere Portal Credential Vault stores user IDs and passwords for back-end systems; the Credential Vault can be integrated with the TAM GSO Lockbox
  - From the Windows operating system (NTLM, SPNEGO/Kerberos)
  - From another WebSEAL server: Cross-Domain SSO; eCommunity SSO
  - From another source: SAML assertions; Extensible SSO Interface; Tivoli Federated Identity Manager for full cross-domain value

• Provide authorization services, with integrated security for WebSphere, Domino, .NET, BEA WLS, Siebel, mySAP, PeopleSoft, . . .

• Deliver robust management tools
  - Centralized, browser-based, delegated administration
  - Support for multiple registries (Tivoli Directory Server, Sun ONE, Novell, Domino, AD)
  - Single protected object namespace (for multiple, heterogeneous resources)
  - Comprehensive, policy-based audit

• Ensure high availability and scalability (via replication/caching/load balancing)
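The "single protected object namespace" and the Web URL layer of the Layers of Authorization figure can be illustrated with a small model. This is an added example, not code from the presentation or from Tivoli Access Manager itself; the ACL entry types, the permission letters (T for traverse, r for read), the inheritance rule and all paths and principals are assumptions chosen to mirror the concepts above.

```python
# Added example: simplified model of a protected object namespace.
# Objects form a tree. An ACL attached to a node is inherited by every
# descendant without its own ACL. Traverse ("T") is required on every
# ancestor of the requested object and the requested permission ("r" for
# a Web GET) on the object itself. All paths and principals are constructed.

ROOT = "/"

# Constructed sample policy. Entry keys: "user:<id>", "group:<name>",
# "any-other" (authenticated user with no matching entry), "unauthenticated".
ACLS = {
    ROOT: {"any-other": "T", "unauthenticated": "T"},
    "/WebSEAL/portal": {"group:employees": "Tr", "unauthenticated": "T"},
    "/WebSEAL/portal/wps/portal": {"unauthenticated": "Tr", "any-other": "Tr"},
    "/WebSEAL/portal/wps/myportal": {"group:employees": "Tr"},
    "/WebSEAL/portal/wps/myportal/hr": {"group:hr": "Tr", "any-other": "T"},
}

HR_USER = {"authenticated": True, "user": "alice", "groups": ["employees", "hr"]}
EMPLOYEE = {"authenticated": True, "user": "bob", "groups": ["employees"]}
ANONYMOUS = {"authenticated": False, "user": "", "groups": []}


def effective_acl(obj):
    """Return the ACL attached to obj or inherited from its nearest ancestor."""
    node = obj
    while node not in ACLS:
        node = node.rsplit("/", 1)[0] or ROOT
    return ACLS[node]


def permissions(acl, principal):
    """Resolve the permission string an ACL grants to a principal:
    explicit user entry, else the union of matching group entries, else any-other."""
    if not principal.get("authenticated"):
        return acl.get("unauthenticated", "")
    user_entry = acl.get("user:" + principal["user"])
    if user_entry is not None:
        return user_entry
    from_groups = "".join(acl.get("group:" + g, "") for g in principal["groups"])
    return from_groups if from_groups else acl.get("any-other", "")


def ancestors(obj):
    parts = obj.strip("/").split("/")
    return [ROOT] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def authorized(principal, obj, needed="r"):
    """Allow only if T is granted on every ancestor and `needed` on obj."""
    for node in ancestors(obj):
        if "T" not in permissions(effective_acl(node), principal):
            return False
    return needed in permissions(effective_acl(obj), principal)
```

Because the HR page group is protected by an ACL granting `any-other` only traverse, a non-HR employee can pass through the node but not read pages beneath it, which is how one namespace serves many heterogeneous resources with a single policy.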

Controlling Access to Desktop and Enterprise Applications

Tivoli Access Manager for Enterprise Single Sign-On

Manage Identities across the Enterprise

The Core Process Issues of Identity Management

• Provisioning
  - Is every user account on every resource valid?
  - Is user access configured correctly to every resource?
  - And does it stay that way?

• Productivity
  - Are users efficiently gaining access to valid resources?

• Access
  - Are access policies and data disclosure rules implemented consistently across every application, data source and operating system?

• Audit
  - Can I prove all of this to the auditor, for all users, systems and operational information?

Introducing Tivoli Identity Manager for User Provisioning

• Centrally and quickly validate all user access
  - Reconcile user access with security policy

• Efficiently set up appropriate user access
  - Workflow-based provisioning

• Automatically detect and correct inappropriate changes to user access
  - 'Closed-loop' policy management

• Single login across IT resources
  - Web, Enterprise, Service-Oriented Architecture (SOA)

• Self-service for password resets and account updates
  - Web-based password management

Tivoli Identity Manager (TIM)

Figure: Tivoli Identity Manager. An identity change (add/del/mod) in HR systems or identity stores, or an identity change made via self-service and detected by Directory Integrator, flows through TIM: approvals are gathered, the access policy is evaluated, and accounts are updated. TIM manages accounts on 70 different types of systems (operating systems, applications, databases), plus in-house systems and portals.

TIM components shown: Identity, Dynamic Role, Static Role, Provisioning Policy, and a Workflow Engine (external links, custom scripts, human approvals, RFI, life-cycle definition, email). Role assignment is either automatic, based on current identity attributes, or manual, based on a user request to change.

Reconciliation: entitlement changes made locally in AD, RACF or SAP are detected and compared against policy. If a change is out of policy, TIM notifies the administrator, rolls back the change or suspends the account; changes are processed via the connector.

Role-Based Provisioning in TIM

Figure: role-based provisioning is either request driven or identity driven, over an organizational tree such as: Corporate (Accounting, Payroll); Sales (East, West); Information Technology (Security, Database, Distributed Systems).
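The closed-loop reconciliation described above (detect a local entitlement change, compare it against policy, then notify, roll back or suspend) can be sketched as follows. This is an added example, not TIM's own logic or code from the presentation; the department-to-role mapping, the policy shape, the action names and the sample HR feed and AD scan are all constructed.

```python
# Added example: simplified closed-loop reconciliation in the style described
# for Tivoli Identity Manager. Accounts detected on a managed service are
# compared with the provisioning policy: out-of-policy entitlements are rolled
# back, orphan accounts suspended, missing entitlements reported, and identities
# entitled to an account that lack one are provisioned. All data is constructed.

# Identity-driven (static) role from an HR attribute, then role -> {service: entitlements}.
ROLE_BY_DEPARTMENT = {"Payroll": "payroll-clerk", "Security": "security-admin"}
POLICY = {
    "payroll-clerk": {"SAP": {"FI_VIEW"}, "AD": {"Domain Users"}},
    "security-admin": {"AD": {"Domain Users", "Domain Admins"},
                       "RACF": {"SYS1.AUDIT"}},
}

IDENTITIES = [  # constructed HR feed
    {"uid": "u100", "department": "Payroll"},
    {"uid": "u200", "department": "Security"},
    {"uid": "u300", "department": "Sales"},  # no role, so no entitlements
]
AD_ACCOUNTS = [  # constructed result of a connector scan of the AD service
    {"name": "u100", "owner": "u100", "entitlements": {"Domain Users", "Domain Admins"}},
    {"name": "svc_old", "owner": "u999", "entitlements": {"Domain Users"}},
]


def role_for(identity):
    return ROLE_BY_DEPARTMENT.get(identity["department"])


def reconcile(service, detected_accounts, identities):
    """Return (subject, action, reason) tuples for everything that drifted from policy."""
    owners = {i["uid"]: i for i in identities}
    actions, seen = [], set()
    for acct in detected_accounts:
        seen.add(acct["owner"])
        identity = owners.get(acct["owner"])
        if identity is None:  # account with no owning identity
            actions.append((acct["name"], "suspend", "orphan account, no owning identity"))
            continue
        allowed = POLICY.get(role_for(identity), {}).get(service, set())
        extra = acct["entitlements"] - allowed
        missing = allowed - acct["entitlements"]
        if extra:
            actions.append((acct["name"], "rollback", "out-of-policy entitlements: " + ", ".join(sorted(extra))))
        if missing:
            actions.append((acct["name"], "notify", "missing entitlements: " + ", ".join(sorted(missing))))
    for uid, identity in owners.items():  # entitled identities with no account here
        if uid not in seen and service in POLICY.get(role_for(identity), {}):
            actions.append((uid, "provision", "policy requires an account on " + service))
    return actions
```

Running `reconcile("AD", AD_ACCOUNTS, IDENTITIES)` yields a rollback for u100's extra Domain Admins membership, a suspend for the orphan svc_old account, and a provision for u200, who is entitled to an AD account but has none.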

Identity Management across the Enterprise

• Standalone Applications
  - Agentless adapters
  - API to implement custom adapters

• Application Server
  - Provisions the LDAP

• Portal
  - Provisions the LDAP used by TAM and Portal.
  - Can provision apps behind portlets that use the Portal credential store or TAM GSO lockbox.
  - Tivoli Directory Integrator (TDI, IDI) synchronizes back-end user repositories. Also works as a virtual directory layer for the TAM EAI interface.

• Desktop and Enterprise Applications
  - Provisions TAM ESSO

Figure: the WebSphere Application Server, Portal Server and standalone applications (homegrown and more) with their Managed Security consolidated under Tivoli Access Manager, with Tivoli Identity Manager provisioning the user IDs.

Architecture

Figure: Portal Authentication Example. Zones: INTERNET, DMZ, INTRANET. A browser on the Internet reaches the WebSEAL proxy of Tivoli Access Manager for e-business (TAMeb) in the DMZ; WebSEAL fronts the Portal Server and other targets in the intranet, using LDAP and the TAMeb Policy Server, with Tivoli Identity Manager managing identities.

Audit, Reporting and Compliance

Regulatory Mandates Require Compliance Solutions: Corporate Governance, Privacy, Cyber Crime and Critical Infrastructure

Regulation | Scope | Security Requirements
Sarbanes-Oxley Act | All U.S. public companies; major globals also impacted | Internal control and audit requirements aided by Identity Management
HIPAA | Healthcare providers, insurers, clearinghouses | Requires customer notification, security and privacy safeguards
21 CFR Part 11 | FDA-regulated companies (20% of US spend) choosing to file electronically | Security requirements for protecting data and access if the company files electronically
Basel II | Required by EU banks; larger US & Japanese banks will follow | Operational risk management clause requires security and identity management investments
Gramm-Leach-Bliley Act | US financial institutions | Financial institutions must: 1) securely store personal financial information (PFI); 2) give consumers opt-out

Tivoli Access Manager Provides a Common Audit and Reporting Service (CARS)

Sample report screens shown: General Authorization Event; Event Details Report.

Out-of-the-box reports:
• Audit Event History by User
• Failed Authentication History
• Locked Account History
• User Password Change History
• Server Availability Report
• Most Active Accessors Report
• Authorization Event History by Action
• Security Server Audit Event History
• Resource Access By Accessor Report
• etc.

Tivoli Identity Manager Provides Reporting, Alerts and Workflow to Enforce Security Policy

Type of Report | Description
Individual Accounts | List all accounts that belong to a specific person, OrgUnit or whole system
Accounts by Role | List all accounts of people in a specific role
Accounts on Service | Details of accounts that exist on a specific service (person, account, account status, etc.)
Policies Governing a Role | Shows all of the policies (and related resources) that pertain to a specific role
Entitlement by Individual | Show a list of all entitlements that belong to a specific individual
Performed Provisioning Actions | All provisioning actions that meet specific criteria, such as add/mod/del/suspend/restore, filtered by date, status, service, user, etc.
Provisioning actions performed by individual | List of provisioning actions performed by an individual (add/mod/delete, etc.), filtered by date, status, service, user, etc.
Approvals/Rejections | List activities approved or rejected, filtered by approver, date, resource, status, etc.
Pending Approvals | List all pending approvals, filtered by approver, date, resource, status, etc.
Suspended Accounts | List all accounts that have been suspended, filtered by userid, username, service, date
Suspended People | List all users that have been suspended, filtered by user, OU, date
Services | List all services, filtered by resource name, service type, owner, OU
Policies | List all policies, filtered by name, wildcard
ACI | List all ACIs, filtered by name, context, object, scope, OU
Reconciliation Stats | # accounts processed, # orphans, # accounts, # accounts w/ policy violations, # accounts modified, # accounts deprovisioned, # accounts suspended, etc.
Non-compliant accounts | List all non-compliant accounts and reason, filtered by service

Out-of-the-Box Reports Documenting the Corporate Security Policy

Audit Logs and Tracking

TAM ESSO captures logs for:

• Login / logoff
• Password changes
• Second-factor authentication
• Failed login ...
• Customizable events

Sample event timeline shown on the slide:

6:00 Jack Bower logs in to CTU
6:13 President Logan arrives at EMC
6:27 Lisa Ascot logs off from TIM server
6:39 Data Server in LA goes down!!
6:44 John Abruzzi changes his password

Secure the Total System – from SOA to Portal

Portal…an onramp to SOA

Figure: Portal Applications (Employee Portal, Customer Self-Service, Collaborative Workspace, Corporate Extranet, Executive Dashboard, Partner Portal) serve customers, employees and partners. They sit on Portal Services, Shared Business Services, Information & Content Services and Messaging & Brokering Services, over a Service-Oriented Architecture Foundation (Service-Oriented Development of Applications; Composite Application & Service Management). Behind these are Enterprise Applications (Enterprise Resource Planning (ERP), Sales Force Automation (ERP), Call Center (CRM), Legacy Application), Enterprise Data, Products, and External Applications (Tax, Health, Credit, Commerce Partners).

SOA Security Solution - DataPower XS40

• XML/SOAP Firewall: filter on any content, metadata or network variables
• Data Validation: approve incoming/outgoing XML and SOAP at wirespeed
• Field-Level XML Security: encrypt and sign individual message fields, non-repudiation
• XML Web Services Access Control: SAML, LDAP, RADIUS, etc.
• MultiStep & XML/SOAP Routing: sophisticated multi-stage pipeline
• Web Services Management: web services proxy, SLM
• Transport Layer Flexibility: SSL acceleration, WebSphere MQ
• Service Virtualization: mask back-end resources
• Configuration & Administration: ease of use, integration for management

Figure: a Web Services Requestor on the Internet passes through an IP Firewall and the XS40 XML Security Gateway before reaching the Web Services Application Server and the Legacy Application Server.

In Conclusion

IBM endorses Prolifics to provide these Security Solutions…

• Overall reduction in IT administration costs
• Ability to manage increasing amounts of risk, mobile workforce, high turnover, …
• Support for meeting regulations and compliance
• Ability to respond to business changes quickly and with flexibility

Figure: the WebSphere Application Server, Portal Server and standalone applications (homegrown and more) with their Managed Security consolidated under Tivoli Access Manager, Tivoli Identity Manager provisioning the user IDs, and DataPower securing the SOA edge.

Questions?

Contact: Christopher Ehrsam, Senior Security Architect
Email: cehrsam@prolifics.com

Interested in finding out more information about Prolifics' Security Services and IBM Security software?

Contact: Prolifics Customer Relationship Management
Email: solutions4websphere@prolifics.com
Phone: (800) 675-5419 or (212) 267-7722
