Who, What, When, Where and How – Identity Management – Start to Finish

Ramanarao Chamarty
Assistant Director, Emerging Technologies
Temple University

Track 4
Tuesday, January 10, 2006, 3:30 PM – 4:15 PM
Harborside Ballroom E


Overview

• Introduction and Overview – Sheri Stahler (Associate Vice President, Temple University)
• Objective
• Overview of Identity Management
• Temple Motivation
• Who, What, When, Where and Why?
• Identity Definition
• Deployment Strategy – How
• Case Study – Temple University
• Conclusion


About the Speakers

• Sheri Stahler is the Associate Vice President, Computer Services at Temple University (http://www.temple.edu).
• Awarded Premier 100 IT Leaders of 2006 by Computerworld.


About the Speakers

• Ramanarao Chamarty is Assistant Director of Emerging Technologies, Computer Services, Temple University (http://www.temple.edu).
• Adjunct faculty in the Department of Computer and Information Sciences and the Department of Management Information Systems.
• Speaker at various conferences including IOUG-LIVE 2000–2006, Educause 2005 and 2006, and Collaborate 2006.
• Interests include identity management, directories, RDBMS, etymology and business intelligence.


Objective

• Overview of identity management
• Its role in an enterprise computing environment
• How it differs from Single Sign On


Identity Management


What Made Temple Do It – Business Drivers

• Heterogeneous authentication repositories with no uniform standards and protocols for user account provisioning, access control and auditing.
• Need for automated management of user identities due to security concerns.
• Need for a unique login to facilitate Single Sign On and to leverage the portal deployment.
• Improve regulatory compliance.
• Improve overall security of the computing environment.
• Reduce IT costs in the long term.
• Improve and enhance the end-user experience.
• Meet business needs.


Temple Fact Sheet

• 6,000+ Active Directory accounts
• 8,000+ Novell Directory accounts
• 55,000+ iPlanet LDAP accounts
• 1,000+ RACF accounts
• 500+ database accounts (SQL/Oracle)
• 3,000+ laboratory workstations


What – Identity Management

A comprehensive and efficient approach to manage user identities in a heterogeneous computing environment.


Universities – Identity Management

• Stanford University
• University of New Hampshire
• West Virginia University
• Georgia State University
• Santa Clara University
• University of California, Santa Barbara
• Syracuse University
• Temple University


Why – Identity Management

1. Low productivity of new employees as they wait to be assigned the necessary resources to perform their job (2 to 5 days).
2. Risk of a terminated employee's access to corporate resources not being removed in a timely manner (1 day).
3. Dissatisfaction of employees, customers, and partners resulting from their need to maintain an excessive number of user IDs to use company resources (8 to 12 IDs).
4. Extended web-based application development resulting from the independent design of user-ID-based security within each application.
5. Inability to evaluate regulatory compliance due to the lack of properly identified user populations and their association to resources.
6. Weaknesses in security routinely identified during audits as a result of disparate and inefficient administrative processes.


Why – Identity Management

1. Do users have more than five user IDs?
2. Are IDs being administered by separate functions and processes?
3. Does it take more than one day to set up a new employee's IDs in order for them to do their job?
4. Does it take more than one day to remove a user's access to your information and services when they leave the company?
5. Are you deploying web-based applications in your enterprise?
6. Do you have, or plan to have, a portal to access applications, services, and content on the web?
7. Can customers get the information and services they need efficiently?
8. Are you able to restrict access to sensitive information?
9. How often are security weaknesses identified?
10. Do you have a plan to meet regulatory requirements?
11. Do you know who has access to all applications, services, and content available from your company? How about your critical applications?


When – Identity Management

Users need access to computing resources limited by:

1. Date/Time From – Date/Time To
2. Day(s) of the week (Mon–Fri and other combinations)


Where – Identity Management

Users need access to computing resources limited by:

1. Country
2. State
3. City
4. Building
5. Floor
6. Room
7. Port


How – AAAA

1. Administration:
   – Establish authoritative source(s) for each identity
   – Build identity-based business processes
   – Establish enterprise-wide identity data characteristics
2. Authentication:
   – Establish single identity authentication
   – Enterprise-wide authentication process
   – Leverage the existing identity management solution
3. Authorization:
   – Establish enterprise-wide, role-based access controls
   – Leverage business roles and job requirements
   – Leverage the identity management and authentication solution(s)
4. Audit:
   – Secure the identity solution from authoritative source to entitlement
   – Focus on Internet, network, hardware, and application/software
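The Authorization item above, together with the When and Where slides, describes a decision that is easy to state and easy to get subtly wrong: a role grants a resource, but only inside a date range, on certain days and hours, and only from a place in the country/state/city/building/floor/room/port hierarchy. The following is an added example, not Temple's code and not from any product named in this deck; the roles, users, buildings and times are constructed for illustration. It shows the grant-with-constraints structure and a single authorize() entry point that evaluates all three dimensions, with the location treated as a path so that a grant scoped to a building covers every floor, room and port beneath it.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# A location is a path through the hierarchy on the "Where" slide:
# (country, state, city, building, floor, room, port). A grant scoped to a
# prefix of that path, e.g. a building, covers every floor, room and port in it.
Location = Tuple[str, ...]
WEEKDAYS = frozenset(range(5))  # Mon..Fri (datetime.weekday(): Monday == 0)


@dataclass(frozen=True)
class Constraint:
    """When/where limits on one entitlement grant; every field is optional."""
    valid_from: Optional[datetime] = None      # Date/Time From (inclusive)
    valid_to: Optional[datetime] = None        # Date/Time To (exclusive)
    days: frozenset = frozenset(range(7))      # permitted weekdays
    hours: Tuple[int, int] = (0, 24)           # permitted local hours [start, end)
    location: Location = ()                    # () means anywhere

    def allows(self, at: datetime, where: Location) -> bool:
        if self.valid_from is not None and at < self.valid_from:
            return False
        if self.valid_to is not None and at >= self.valid_to:
            return False
        if at.weekday() not in self.days:
            return False
        start, end = self.hours
        if not start <= at.hour < end:
            return False
        return where[:len(self.location)] == self.location


# Hypothetical role definitions: role -> [(resource, constraint), ...].
ROLES: Dict[str, List[Tuple[str, Constraint]]] = {
    "student": [
        ("lab-workstation", Constraint(days=WEEKDAYS, hours=(8, 22),
                                       location=("US", "PA", "Philadelphia", "TECH"))),
        ("portal", Constraint()),
    ],
    "payroll-clerk": [
        ("hr-erp", Constraint(days=WEEKDAYS, hours=(7, 19),
                              location=("US", "PA", "Philadelphia", "ADMIN"))),
    ],
    "contractor": [
        ("hr-erp", Constraint(valid_to=datetime(2006, 3, 31), days=WEEKDAYS, hours=(7, 19),
                              location=("US", "PA", "Philadelphia", "ADMIN"))),
    ],
}

# Hypothetical role assignments. In the AAAA model these come from the
# authoritative source (HR, registrar), not from accounts on each target system.
ASSIGNMENTS: Dict[str, List[str]] = {
    "jdoe": ["student"],
    "asmith": ["payroll-clerk"],
    "vendor01": ["contractor"],
}


def authorize(user: str, resource: str, at: Union[datetime, str], where: Location) -> bool:
    """Allow iff some role held by `user` grants `resource` under a constraint that
    the request time and location satisfy. Unknown users and roles get nothing."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for role in ASSIGNMENTS.get(user, []):
        for granted, constraint in ROLES.get(role, []):
            if granted == resource and constraint.allows(at, where):
                return True
    return False


if __name__ == "__main__":
    lab = ("US", "PA", "Philadelphia", "TECH", "2", "201", "port07")
    print(authorize("jdoe", "lab-workstation", "2006-01-10T10:00", lab))  # Tuesday: True
    print(authorize("jdoe", "lab-workstation", "2006-01-08T10:00", lab))  # Sunday: False
```

The default is deny: a user with no role, a role with no grant for the resource, or a grant whose constraint fails all yield False, and the contractor's access ends at valid_to without anyone having to remember to remove it, which is the deprovisioning risk the Why slide puts at one day.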


Lessons Learned from Others

1. Initiatives need to:
   – Be business driven and have committed stakeholder support
   – Span the organization; security solutions have far-reaching business and technology impact
   – Receive organizational acceptance
   – Anticipate changes in business needs
2. Projects need to:
   – Have dedicated and effective project management
   – Manage activities from an integrated plan
   – Develop formal escalation procedures
   – Communicate frequently with all contributing parties
3. Technology deployment teams need to:
   – Understand the integration effort
   – Develop sustainable and controlled processes
   – Implement testing practices and acceptance criteria
   – Recognize the challenges of legacy application integration efforts
   – Ensure data quality and integrity
   – Understand that undocumented software bugs can be time consuming


Identity Definition – Model 1: Single Identity – Multi Login

Identity: jdoe

User       System
jdoe       LDAP
doej       NDS
U652319    RACF
doe        ADS


Identity Definition – Model 2: Single Identity – Single Login

Identity: jdoe

User       System
jdoe       LDAP
jdoe       NDS
jdoe       RACF
jdoe       ADS


Identity Definition – Model 3: Hybrid Model

Identity: jdoe

User       System
jdoe       LDAP
jdoe       NDS
U652319    RACF
jdoe       ADS


Temple Strategy

1. Perform username and password synchronization of all data repositories.
2. Enable user provisioning and deprovisioning.
3. Enforce a global password policy.
4. Enable Web-based Single Sign On (Web SSO).
5. Deploy access management (authorization) policies.
6. Enable auditing enterprise-wide.


Username Synchronization

1. Gather data on existing users in the Computer Services managed ADS and NDS domains.
2. Synchronize existing usernames to Accessnet usernames:
   – ADS sAMAccountName = LDAP(Accessnet username)
   – NDS cn = LDAP(Accessnet username)
3. Create university-wide policies and procedures for account creation on each of these centrally administered directories.
4. Automate granting and revoking access to resources (real time vs. batch).
5. Policies and procedures for account termination:
   1. Grace period – need input
   2. Voluntary vs. involuntary – need input
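Steps 1 and 2 above, and the three identity models before them, are a reconciliation problem: the LDAP directory is authoritative for the Accessnet username, and every other directory must be matched against it by person, never by login string, because the same string can belong to two people (Model 1 shows jdoe, doej, doe and U652319 all being one person). The following is an added example, not Temple's code; the exports and the join attribute (called tuid here) are constructed for illustration. It classifies each account into synced, rename, conflict, provision or deprovision, which is the output a synchronization run needs before it touches anything, and treats RACF as Model 3 (linked, not renamed).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed directory exports (not Temple data). Each target directory is a
# map login -> person identifier; the join key is a hypothetical attribute
# 'tuid' carried by every account so that people, not login strings, are matched.
LDAP: Dict[str, str] = {          # authoritative: Accessnet username -> tuid
    "jdoe": "900123",
    "asmith": "900456",
    "bnguyen": "900789",
}
ADS: Dict[str, str] = {           # sAMAccountName -> tuid
    "doe": "900123",              # John Doe's AD account under a different login
    "asmith": "900456",           # already synchronized
    "jdoe": "900999",             # someone else, unknown to LDAP, holds the name jdoe
    "oldtemp": "900321",          # no identity in LDAP at all
}
NDS: Dict[str, str] = {           # cn -> tuid
    "doej": "900123",
    "asmith": "900456",
}
RACF_LINKS: Dict[str, str] = {    # Model 3: RACF keeps its own IDs, linked by tuid
    "900123": "U652319",
}


@dataclass
class Plan:
    synced: List[str] = field(default_factory=list)                # already equal to the LDAP name
    rename: List[Tuple[str, str]] = field(default_factory=list)    # (current login, target login)
    conflict: List[Tuple[str, str]] = field(default_factory=list)  # (target login, tuid holding it)
    provision: List[str] = field(default_factory=list)             # identity has no account here
    deprovision: List[str] = field(default_factory=list)           # account has no identity in LDAP


def reconcile(authoritative: Dict[str, str], target: Dict[str, str]) -> Plan:
    """Compare one target directory with the authoritative LDAP export and
    return what a synchronization run would have to do (Model 2)."""
    by_tuid = {tuid: login for login, tuid in target.items()}
    plan = Plan()
    for login, tuid in authoritative.items():
        current = by_tuid.get(tuid)
        if current == login:
            plan.synced.append(login)
        elif login in target:
            # The target login exists but belongs to another person: renaming or
            # creating would collide, so that holder must be handled first
            # (it shows up under deprovision if LDAP does not know it).
            plan.conflict.append((login, target[login]))
        elif current is None:
            plan.provision.append(login)
        else:
            plan.rename.append((current, login))
    known = set(authoritative.values())
    plan.deprovision = sorted(acct for acct, tuid in target.items() if tuid not in known)
    return plan


def link_racf(authoritative: Dict[str, str], links: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Model 3: no renaming on RACF; report which identities have a linked
    RACF ID and which still need one (None)."""
    return {login: links.get(tuid) for login, tuid in authoritative.items()}


if __name__ == "__main__":
    print(reconcile(LDAP, ADS))
    print(reconcile(LDAP, NDS))
    print(link_racf(LDAP, RACF_LINKS))
```

The conflict case is the one that bites in practice: the name jdoe in AD already belongs to a tuid that LDAP has never heard of, so the plan refuses to rename doe to jdoe until that account is reviewed, and the same account appears in the deprovision list because step 4 (automated revocation) is what would eventually clear it.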


Password Synchronization

• Synchronize passwords across all directories.
• Enforce rules for password changes – unidirectional ($) vs. multidirectional ($$$$).
• Establish a password management rule set: strength, recycling, auto-lockout, change interval (30, 90 or 180 days).
• Tools/solutions (boutique vendors):
   – P-Synch ($$$)
   – Microsoft Identity Integration Server ($$)
   – SSO solution providers ($$$$$)
   – CAS (Web only) ($)
   – In-house (PPPPP$$)
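The rule set in the third bullet (strength, recycling, auto-lockout, change interval) is the part of password synchronization that has to be enforced in one place, since every directory receives the same password. The following is an added example, not Temple's code and not any of the products listed above; the thresholds, the usernames and the sample passwords are constructed for illustration. It keeps a salted PBKDF2 hash per password, including the history used for the recycling check, counts failures inside a sliding window for auto-lockout, and reports an expired-but-correct password separately so the application can force a change rather than reject the login.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

PBKDF2_ROUNDS = 50_000  # illustrative; tune for the hardware that verifies logins


@dataclass(frozen=True)
class Policy:
    """Rule set from the slide: strength, recycling, auto-lockout, change interval."""
    min_length: int = 8
    min_classes: int = 3                               # of lower, upper, digit, other
    history: int = 5                                   # previous passwords that may not be reused
    max_age: timedelta = timedelta(days=90)            # change interval
    lockout_threshold: int = 5                         # this many failures ...
    lockout_window: timedelta = timedelta(minutes=15)  # ... inside this window locks the account


@dataclass
class Account:
    username: str
    current: Tuple[bytes, bytes]                  # (salt, pbkdf2 digest)
    changed_at: datetime
    previous: List[Tuple[bytes, bytes]] = field(default_factory=list)
    failures: List[datetime] = field(default_factory=list)


def at(iso: str) -> datetime:
    """Convenience for fixed timestamps in examples, e.g. at('2006-01-10T09:00')."""
    return datetime.fromisoformat(iso)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(_derive(password, salt), digest)


def check_strength(policy: Policy, username: str, password: str) -> List[str]:
    """Return the strength rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < policy.min_classes:
        problems.append("fewer than %d character classes" % policy.min_classes)
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def create_account(policy: Policy, username: str, password: str, now: datetime) -> Account:
    problems = check_strength(policy, username, password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return Account(username, (salt, _derive(password, salt)), now)


def change_password(policy: Policy, account: Account, new: str, now: datetime) -> List[str]:
    """Apply strength and recycling rules; on success rotate the hashed history."""
    problems = check_strength(policy, account.username, new)
    if any(_matches(new, entry) for entry in [account.current] + account.previous):
        problems.append("reuses a recent password")
    if problems:
        return problems
    account.previous = ([account.current] + account.previous)[:policy.history]
    salt = os.urandom(16)
    account.current = (salt, _derive(new, salt))
    account.changed_at = now
    account.failures = []
    return []


def verify(policy: Policy, account: Account, password: str, now: datetime) -> str:
    """Login decision: 'locked', 'bad', 'expired' (correct but must be changed) or 'ok'."""
    account.failures = [t for t in account.failures if now - t < policy.lockout_window]
    if len(account.failures) >= policy.lockout_threshold:
        return "locked"   # decided before hashing, so a locked account gives no password oracle
    if not _matches(password, account.current):
        account.failures.append(now)
        return "bad"
    account.failures = []
    if now - account.changed_at >= policy.max_age:
        return "expired"
    return "ok"
```

Whichever direction the synchronization runs (unidirectional from LDAP, or multidirectional with every directory accepting changes), these checks belong at the point where the change is accepted; if each directory applied its own native rules the weakest one would decide what the shared password can be.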


Web – Single Sign On

• Over 60 applications use Web SSO against LDAP (https://www.temple.edu/ldap/app.htm).
• Enforce LDAP-compliant coding standards to enable authentication and authorization.
• Ease of integration into TUportal/ERP.
• Password management is centralized in LDAP.
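"LDAP-compliant coding standards" is where the security of the 60-plus applications actually lives: every one of them builds a search filter or a bind DN from a username typed into a web form. The following is an added example, not Temple's code or standard; the base DN, the stub directory and the credentials are constructed for illustration. It shows the two escaping rules an application must apply (RFC 4515 for filter values, RFC 4514 for DN components), the injection that each prevents, and a guard that a naive "did the bind succeed" check misses: some directory servers treat a bind with a DN and an empty password as an anonymous bind (RFC 4513 section 5.1.2) and report success, which the stub deliberately mimics.

```python
from typing import Callable, Dict

BASE_DN = "ou=people,dc=example,dc=edu"   # hypothetical base for the people branch


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for user input placed inside a search filter.
    Without it, a username such as  *  or  jdoe)(|(uid=*  rewrites the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for user input placed inside a DN component, so that
    'jdoe,ou=admins' cannot add a second RDN to the bind DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(username: str) -> str:
    """Filter for a search-then-bind flow (look the user up, bind with the DN found)."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def user_bind_dn(username: str) -> str:
    """Bind DN for directories where the RDN is the username itself."""
    return "uid=%s,%s" % (escape_dn_value(username), BASE_DN)


# Stand-in for a simple bind against the directory (a real application would
# call python-ldap or ldap3 here). It mimics servers that treat a DN with an
# empty password as an anonymous bind and answer "success".
STUB_CREDENTIALS: Dict[str, str] = {user_bind_dn("jdoe"): "correct horse battery"}


def stub_simple_bind(dn: str, password: str) -> bool:
    if password == "":
        return True                      # anonymous bind "succeeds" regardless of dn
    return STUB_CREDENTIALS.get(dn) == password


def authenticate(username: str, password: str,
                 simple_bind: Callable[[str, str], bool] = stub_simple_bind) -> bool:
    """Web SSO style check: refuse empty credentials, build the bind DN safely,
    then let the directory verify the password."""
    if not username or not password:
        return False
    return simple_bind(user_bind_dn(username), password)


if __name__ == "__main__":
    print(user_search_filter("jdoe)(|(uid=*"))   # (&(objectClass=person)(uid=jdoe\29\28|\28uid=\2a))
    print(user_bind_dn("jdoe,ou=admins"))        # uid=jdoe\,ou=admins,ou=people,dc=example,dc=edu
    print(authenticate("jdoe", ""))              # False, although the bare bind would report success
```

A coding standard for the applications in the list above needs only these three rules: never concatenate raw input into a filter or DN, never send an empty password to the directory, and treat a successful bind as the only proof of the password, never the mere presence of the entry.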


Other than Web SSO

• Single Sign On to:
   – Web proxy
   – RADIUS dial-in
   – RACF, mainframes
   – Desktops (UNIX/Linux/MS Windows/Mac/OS/390)
   – Legacy SSO
• Offers automated authentication, authorization, auditing and user provisioning ($$$$$$).
• Tools and solutions:
   – CA (Netegrity) – eTrust SiteMinder
   – HealthCast – eXactACCESS
   – Novell – Nsure
   – Microsoft – Identity Integration Server (MIIS)
   – IBM – Tivoli


Action Items – Past Year (2005)

• Create a core technical team
• Gather data from ADS and NDS
• Perform analysis of the data and the synchronization strategy
• Create an Identity Management Committee
• Communicate with end users regarding this initiative
• Create and enforce new policies and procedures
• Prepare a functional specifications document
• Prepare a requirements document
• Arrange vendor demonstrations based on the requirements
• Select a product which meets Temple's SSO requirements
• Begin to deploy the solution


Action Items for Deployment

1. Create deployment committees – Interface, Infrastructure, Support/Communication, Workflow/Policy
2. Requirements definition – Dec–Jan 2006
3. Develop and document a reference architecture and solution design – Feb 2006
4. Implementation and integration – March–May 2006:
   1. Password synchronization
   2. User provisioning and deprovisioning
   3. Enforcement of password policy for students and employees
   4. Implement web applications for the enterprise
   5. Self-service password reset


Identity Management – Challenges


Federated Identity Management – Beyond the Enterprise

• Customers would like to access multiple web sites running at remote sites without re-authenticating to each one.
• Employees would like to access third-party, non-enterprise web portals without registering or re-authenticating (Fidelity, WageWorks, TIAA-CREF).
• Enterprises would like to provision their own users with access to partner and vendor resources automatically (Shibboleth – Napster).


Identity Management – Beyond the Enterprise – How

• IT infrastructures need to be compatible.
• Need for standards:
   – Liberty Alliance: http://www.projectliberty.org/
   – Platform for Privacy Preferences (P3P): http://www.w3.org/P3P/
   – A standard protocol to provision users, XRPM: http://www.xrpm.org
   – Security Assertion Markup Language (SAML): http://www.oasis-open.org/




Conclusion

• Emerging class of technologies
• Widely deployed technologies with a need for standards
• Promising technologies with significant ROI
• Identify your needs and match them with what is out there
• Define an identity management infrastructure


Questions and Comments


Thank you