IdM & Security
Robert Haaverson, Imanami Corporation
Copyright © 2005 Imanami Corporation. All Rights Reserved.

Page 1

IdM & Security
Robert Haaverson
Imanami Corporation

Page 2

Agenda

• What is Identity Management

• Where does IdM fit within Security?

• How does IdM fit into Security?

• Conclusions

• More Information

Page 3

What is Identity Management?

[Figure: web search for "Identity Management", results 1 - 10 of about 1,110,000 (0.34 seconds)]

Traditional definition: Authentication, Authorization, Access Control

Current trend (increasing complexity): Audit and Admin added alongside Authentication, Authorization and Access Control

Page 4

What is Identity Management?

Identity, the subject of Identity Management (IdM), is defined as the quality or condition of being the same; absolute or essential sameness; oneness. Identity is what makes something or someone the same today as it, she, or he was yesterday. Importantly, identity can refer to a thing (e.g. a computer) as well as a person. Things and people can have different identities when working with different systems, or can have more than one identity when working with a single system, perhaps when working in different roles.

Source: Open Group

Page 5

META’s View

“While simplistic and not entirely accurate, it’s helpful for planning purposes to think of access and identity management as separate layers of an identity architecture.” (META Group)

Identity Management (upper layer):
• User Provisioning
• Delegated Admin.
• Audit, logging, reporting
• Self-service P/W Mgmt.
• Workflow

Identity Infrastructure (lower layer):
• Directory
• Metadirectory
• Authentication Servers (e.g. RADIUS, OS)
• SSO
• Authorization Servers (e.g. RBAC, policy)

Page 6

Gartner's View

[Figure: columns Administer, Authenticate, Authorize; Audit spans all three]

Identity Management (Administration), under Identity Administration:
• User Provisioning
• Metadirectory
• Password Management

Access Management (Real-time Enforcement):
• Authentication Services
• Enterprise Single Sign-on
• Enterprise Access Management
• Federated Identity Management

Page 7

Burton's View (Burton Group's Simplified Architecture)

• IdM reference architecture root template

Page 8

Deloitte's View

[Figure: IdM capabilities plotted against Business Value (vertical axis) and Vision (horizontal axis)]

• Identity Repository
• Integrated authoritative source
• Identity roles
• User account provisioning
• Strong Authentication
• SSO & Portals
• Federated Identity
• Access Management

Source: Deloitte

Page 9

Imanami's View – The IdM Journey

[Figure: IdM capabilities plotted against Business Value (vertical axis) and Vision (horizontal axis)]

• Identity Repository
• Integrated authoritative source
• Identity roles
• User account provisioning
• Password Reset / Sync
• Strong Authentication
• SSO & Portals
• Federated Identity
• Access Management

Basic Source: Deloitte

Page 10

IdM Business Drivers

• Increasing Efficiency
• Enabling Business
• Complying with Regulation
• Increased Security

Basic Source: Computer Associates

Page 11

Where does IdM fit?

Source: SANS

• Blocking Attacks: Network Based: Intrusion Prevention, Intrusion Detection, Firewall, Anti-Spam
• Blocking Attacks: Host Based: Intrusion Prevention, Spyware Removal, Personal Firewall, Anti-Virus
• Eliminating Security Vulnerabilities: Vulnerability Mgmt, Patch Management, Configuration Mgmt, Security Compliance
• Safely Supporting Authorized Users: ID & Access Mgmt, File Encryption, PKI, VPN
• Tools to Minimize Business Losses: Forensic Tools, Backup, Compliance, Business Recovery

Page 12

Where does IdM fit? (SANS categories as on page 11, with the Safely Supporting Authorized Users row now reading: ID & Access Mgmt, File Encryption, Authentication / PKI, VPN)

Page 13

Where does IdM fit? (SANS categories as on page 11)

Safely Supporting Authorized Users: ID & Access Management

• Verify that the right people are allowed to use a system
• Ensure they perform only those tasks for which they are authorized
• Access blocked when employment is terminated

Page 14

Where does IdM fit? (SANS categories as on page 11)

Safely Supporting Authorized Users: Authentication

• Verify that the person is who they claim to be, whether via one, two or three factors.

Page 15

Where does IdM fit? (SANS categories as on page 11)

Tools to Minimize Business Losses: Forensic Tools

• When attackers get through, enterprises need to find out what they accessed, what they damaged, and how they got in.

Page 16

Where does IdM fit? (SANS categories as on page 11)

Tools to Minimize Business Losses: Regulatory Compliance Tools

• Gramm-Leach-Bliley, FISMA, Sarbanes-Oxley, and HIPAA each generate enormous documentation burdens for companies, universities, and/or government agencies.

Page 17

How does IdM fit into Security?

• Object (user) lifecycle management
  – Provisioning
  – Change
  – Deprovisioning
• Strong Authentication / SSO (RSO, n-1)
• Enterprise Access Management
• The Whole Enchilada

Page 18

Object Life Cycle Management: Hire

• Sally's first day at work

[Figure: PeopleSoft feeds IdM, which feeds Active Directory, Exchange, Live Communications Server, Avaya and Faxination]

Sally is Provisioned
1. Sally entered into PeopleSoft.
2. IdM adds Sally to AD.
3. IdM assigns Sally to groups based on her role.
4. IdM adds Sally to other systems based on role.

Page 19

Object Life Cycle Management: Promotion

• Sally's second day at work

[Figure: PeopleSoft feeds IdM, which feeds Active Directory, Exchange, Live Communications Server, Avaya and Faxination]

Sally is Changed
1. Sally's title is changed in PeopleSoft.
2. IdM updates Sally in AD.
3. IdM adds and removes Sally to and from groups based on her role.
4. IdM adds/removes Sally to/from other systems based on role.

Page 20

Object Life Cycle Management: Retire

• Sally's last day at work

[Figure: PeopleSoft feeds IdM, which feeds Active Directory, Exchange, Live Communications Server, Avaya and Faxination]

Sally is Deprovisioned
1. Sally's status changed in PeopleSoft.
2. IdM disables Sally's account in AD.
3. IdM removes Sally from groups.
4. IdM removes Sally from other systems.
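The three Sally slides (hire, change, retire) and the page 13 requirement that access is blocked when employment is terminated are all one mechanism: the HR system is the authoritative source, the directory is derived state, and IdM reconciles the two. The example below is added here to show that mechanism in working code; it is not Imanami's product or code. The role names, group names, the action vocabulary and the HR/directory records are hypothetical, constructed for the example. Two points the slides only imply are made explicit: termination disables the account rather than deleting it (the audit trail survives) and strips every group, and an enabled account with no HR record at all is flagged for review rather than silently left alone.

```python
"""Role-driven user lifecycle reconciliation (hire, change, deprovision).

Added example, not Imanami code. The HR feed (PeopleSoft in the slides) is the
authoritative source; the directory (AD in the slides) is derived state. Every
lifecycle event is handled the same way: compute the desired state from role,
diff it against what the directory has, emit the actions that close the gap.
Role names, group names and the action vocabulary are hypothetical.
"""
from dataclasses import dataclass, field

# Business rules: role -> directory groups (hypothetical names).
ROLE_GROUPS = {
    "analyst": {"All-Staff", "Analysts", "Exchange-Users"},
    "manager": {"All-Staff", "Managers", "Exchange-Users", "Avaya-Users"},
}


@dataclass(frozen=True)
class HRRecord:
    """One row of the authoritative HR feed (constructed)."""
    employee_id: str
    role: str
    active: bool


@dataclass
class Account:
    """One directory account (constructed): enabled flag plus group memberships."""
    enabled: bool = True
    groups: set = field(default_factory=set)


def plan(hr_records, directory):
    """Return the ordered actions that move `directory` to the state the HR feed implies.

    `directory` maps employee_id -> Account and is not mutated. Actions are tuples:
    ("create"|"enable"|"disable", eid), ("add_group"|"remove_group", eid, group),
    and ("review", eid, reason) for anything a human must look at.
    """
    actions = []
    seen = set()
    for rec in hr_records:
        seen.add(rec.employee_id)
        acct = directory.get(rec.employee_id)
        if not rec.active:
            # Termination: disable rather than delete (keeps the audit trail),
            # then strip every entitlement so a re-enabled account starts empty.
            if acct is None:
                continue
            if acct.enabled:
                actions.append(("disable", rec.employee_id))
            for g in sorted(acct.groups):
                actions.append(("remove_group", rec.employee_id, g))
            continue
        if rec.role in ROLE_GROUPS:
            wanted = ROLE_GROUPS[rec.role]
        else:
            # Fail closed: a role with no rule gets no entitlements and is flagged.
            actions.append(("review", rec.employee_id, f"unknown role {rec.role!r}"))
            wanted = set()
        if acct is None:
            actions.append(("create", rec.employee_id))
            have = set()
        else:
            have = acct.groups
            if not acct.enabled:
                actions.append(("enable", rec.employee_id))  # rehire
        for g in sorted(wanted - have):
            actions.append(("add_group", rec.employee_id, g))
        for g in sorted(have - wanted):
            actions.append(("remove_group", rec.employee_id, g))
    # Enabled accounts with no HR record at all: the "left but still has access" gap.
    for eid, acct in directory.items():
        if eid not in seen and acct.enabled:
            actions.append(("review", eid, "enabled account with no HR record"))
    return actions


def apply_plan(directory, actions):
    """Apply a plan to a copy of the directory and return the new directory."""
    new = {eid: Account(a.enabled, set(a.groups)) for eid, a in directory.items()}
    for action in actions:
        kind, eid = action[0], action[1]
        if kind == "create":
            new[eid] = Account(True, set())
        elif kind == "disable":
            new[eid].enabled = False
        elif kind == "enable":
            new[eid].enabled = True
        elif kind == "add_group":
            new[eid].groups.add(action[2])
        elif kind == "remove_group":
            new[eid].groups.discard(action[2])
        # "review" items go to a person, not to the directory.
    return new


def sally_lifecycle():
    """Sally's hire, promotion and last day from the slides, as three reconciliations."""
    directory = {}
    day1 = plan([HRRecord("sally", "analyst", True)], directory)   # hire
    directory = apply_plan(directory, day1)
    day2 = plan([HRRecord("sally", "manager", True)], directory)   # title change
    directory = apply_plan(directory, day2)
    day3 = plan([HRRecord("sally", "manager", False)], directory)  # termination
    directory = apply_plan(directory, day3)
    return day1, day2, day3, directory


if __name__ == "__main__":
    for label, acts in zip(("hire", "change", "deprovision"), sally_lifecycle()[:3]):
        print(label, acts)
```

Because every event is a diff against role-derived desired state, a promotion both grants the new role's groups and revokes the old role's, which is the step most hand-run processes forget; the orphan check at the end of `plan` is the same diff run in the other direction.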

Page 21

Strong Authentication / SSO: Without IdM

• Bill logs in from home
1. SecurID token
2. Username & Password

[Figure: two separate logins, each granting Access]

Page 22

Strong Authentication / SSO: With IdM

• Bill logs in from home
1. SecurID token

[Figure: a single login granting Access to both systems]

Page 23

Enterprise Access Management: Hire without IdM

• Jim's first day at work

[Figure: PeopleSoft, Active Directory, Exchange, Live Communications Server, Avaya and Faxination, with no IdM in between]

Page 24

Enterprise Access Management: Hire with IdM

• Jim's first day at work

[Figure: PeopleSoft feeds IdM Business Rules, which feed Active Directory, Exchange, Live Communications Server, Avaya and Faxination]

Page 25

Regulatory Compliance

[Figure, two groups of labels: Accuracy, Auditability, Transparency, Compliance; and Cost, Time, Errors]

Page 26

Trends of IdM in Security

• RSA has more announcements of identity based approaches of agile and integrated security.

• There is an upcoming paradigm shift, where identity will allow security across dynamic distributed systems.

• "So as security functions become packaged as appliances that can all be integrated and managed with federated protocols that allow centralized policies to create security and auditability, 'security' is relentlessly morphing into 'management by identity.'"

- Phil Becker, Editor, Digital ID World

Page 27

Realizing the Potential of Digital Identity

• Deployment considerations, lessons learned:

– Begin by cleaning your own identity house

• Start looking at how you use identity, authoritative sources, processes

• You still need LDAP directory, meta-directory, and provisioning

• One tool or one suite won’t solve all your IdM problems

– 80% politics and business, 20% technology

• Your mileage may vary, but build in time to get stakeholders on board

– Carefully scope the problem you’re trying to solve

• Manage expectations: Don’t try to solve all problems at once

• Pick projects with early demonstrable results; it’s a long journey, with small steps

• Build momentum (and political capital) for next phase(s)

– All of these are 100% independent of product selection

Page 28

Contact
Robert Haaverson, CEO
Imanami Corporation
[email protected]

Resources
• Digital ID World, May 9-12, Hyatt Embarcadero, San Francisco
• Digital ID World Magazine – http://www.digitalidworld.com
• Burton Group – http://www.butongroup.com
• Open Group – http://www.opengroup.com
• SANS What Works – http://www.sans.org/whatworks