Identity and Access Management for Portals
Christopher Ehrsam
Senior Security Consultant, Prolifics
September 14, 2010
Portal Security Needs
• A portal is a collection of disparate systems integrated "at the glass" into a seamless front-end user experience.
• Individual systems brought together in this manner typically have several pre-existing and separate security models.
• With tighter integration, system security becomes an issue. Single Sign-On is critical to maintaining the seamless end-user experience the portal provides.
• Rights management is also a greater issue in portals. Every user must be checked for access to critical systems at the role or individual level. Without proper security systems this greatly increases administrative overhead, and manual administrative processes lead to errors, which reduce overall security.
Basic WebSphere and Portal Security Strategies
Securing WebSphere and Portal Applications
[Diagram: the "basic" landscape. Each system in the enterprise (homegrown applications, WebSphere Application Server, Portal Server, standalone applications, and more) carries its own separate "Managed Security" box.]
Managed security for each system covers:
• User provisioning
• Authentication
• Authorization
Mechanisms typically in use at this stage:
• common directory
• credential vault
• J2EE security
• application-based security
• app server security
Advanced Security Strategies
Evolving your Security Strategy
• Centralize Access
• Manage Identities across the Enterprise
• Audit, Reporting and Compliance
• Secure the Total System – from SOA to Portal
(all built on Basic WebSphere & Portal Security)
Centralize Access
Centralizing Security with Tivoli Access Manager
[Diagram: the same landscape (homegrown applications, WebSphere Application Server, Portal Server, standalone applications, and more), with the per-system Managed Security boxes replaced by a single Tivoli Access Manager layer in front of all of them.]
Controlling Access to Standalone Applications
Figure 1. Unified, Policy-Based Security for the Web
BEFORE
• Too many passwords to remember
• Multiple admins with multiple access control tools
• User and access control information everywhere
(each application keeps its own security policy, its own user and group information and its own audit trail)
AFTER
• Web single sign-on
• Single admin or delegated admins with a single tool
• User and security info centralized / understandable
[Diagram: Access Manager Security Services provide a single user registry, a unified policy and centralized audit for WebSphere Application Server and other J2EE applications, WebSphere Portal and its portlets, and the backing data stores / applications. WebSEAL sits in front of the applications; the Policy Server holds the ACLs and user information.]
Controlling Access to WebSphere Portal Server
• Tight integration; higher security
• Sharing user info in LDAP; Web SSO
• Access control to portlets and page groups
• Portlets can use Access Manager for fine-grained access control
• Access Manager GSO service snaps in as the WPS credential vault
Layers of Authorization
[Diagram: browser → WebSEAL → WAS / WebSphere Portal (web server, portlets) → resources]
A. Web URL Layer. TAM controls access.
B. Portlet Layer. Customer choice (TAM or Portal control).
C. Business Logic Layer. TAM's Java and .NET support.
Tivoli Access Manager Features
• Single Sign-On
• To back-end applications: Basic Authentication, Forms-Based Authentication, TAI (WebSphere), LTPA (Lotus Domino / WebSphere)
• From portlets: the WebSphere Portal Credential Vault stores user IDs and passwords for back-end systems, and can be integrated with the TAM GSO Lockbox
• From the Windows operating system (NTLM, SPNEGO/Kerberos)
• From another WebSEAL server: Cross-Domain SSO, eCommunity SSO
• From another source: SAML assertions, the Extensible SSO Interface, Tivoli Federated Identity Manager for full cross-domain (federated) SSO
• Provide authorization services, with integrated security for WebSphere, Domino, .NET, BEA WLS, Siebel, mySAP, PeopleSoft, ...
• Deliver robust management tools
• Centralized, browser-based, delegated administration
• Support for multiple registries (Tivoli Directory Server, Sun ONE, Novell, Domino, AD)
• Single protected object namespace (for multiple, heterogeneous resources)
• Comprehensive, policy-based audit
• Ensure high availability and scalability (via replication, caching and load balancing)
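The "single protected object namespace" above is what makes the URL-layer control in the previous slide work: WebSEAL maps every junctioned URL onto one hierarchical object space, ACLs are attached sparsely and inherited downward, and a request must hold the traverse bit ('T') on every ancestor before the permission for the HTTP method is even checked on the object itself. The following is an added example written for this page, not Tivoli Access Manager code; it models that resolution with the TAM entry order (user entry, else OR of group entries, else any-other, unauthenticated for anonymous requests) and five permission bits. It simplifies the real product (TAM ANDs the unauthenticated entry with any-other and has more bits); the object paths, users and groups are constructed sample data.

```python
"""Hierarchical protected-object space with sparse, inherited ACLs.

Added example, not TAM code. Simplified model of the TAM/WebSEAL rules:
ACLs attach sparsely, the nearest attached ACL governs, 'T' is needed on
every ancestor, and entries resolve user -> groups -> any-other, with
'unauthenticated' used for anonymous requests.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set

# HTTP method -> permission bit checked on the requested object (assumed mapping).
METHOD_PERMISSION = {"GET": "r", "HEAD": "r", "POST": "x", "PUT": "m", "DELETE": "d"}


@dataclass
class Acl:
    users: Dict[str, str] = field(default_factory=dict)   # user -> permission string
    groups: Dict[str, str] = field(default_factory=dict)  # group -> permission string
    any_other: str = ""          # authenticated users matching no other entry
    unauthenticated: str = ""    # anonymous requests

    def permissions_for(self, user: Optional[str], groups: Set[str]) -> str:
        if user is None:
            return self.unauthenticated
        if user in self.users:                  # a user entry wins outright
            return self.users[user]
        matched = [self.groups[g] for g in groups if g in self.groups]
        if matched:                             # group entries are OR-ed together
            return "".join(sorted(set("".join(matched))))
        return self.any_other


class ObjectSpace:
    def __init__(self) -> None:
        self._attached: Dict[str, Acl] = {}

    def attach(self, path: str, acl: Acl) -> None:
        self._attached[path] = acl

    @staticmethod
    def ancestors(path: str) -> Iterator[str]:
        """Yield '/', '/a', '/a/b', ... up to and including path itself."""
        yield "/"
        current = ""
        for part in [p for p in path.split("/") if p]:
            current += "/" + part
            yield current

    def effective_acl(self, path: str) -> Optional[Acl]:
        """Sparse model: the nearest ancestor (or the object) with an ACL governs."""
        acl = None
        for node in self.ancestors(path):
            acl = self._attached.get(node, acl)
        return acl

    def is_authorized(self, path: str, method: str,
                      user: Optional[str], groups: Set[str] = frozenset()) -> bool:
        needed = METHOD_PERMISSION.get(method)
        if needed is None:
            return False
        nodes = list(self.ancestors(path))
        # Every ancestor must grant traverse, otherwise the object is unreachable.
        for node in nodes[:-1]:
            acl = self.effective_acl(node)
            if acl is None or "T" not in acl.permissions_for(user, groups):
                return False
        acl = self.effective_acl(path)
        return acl is not None and needed in acl.permissions_for(user, groups)


def build_portal_space() -> ObjectSpace:
    """Constructed namespace resembling a WebSEAL junction to WebSphere Portal."""
    space = ObjectSpace()
    space.attach("/", Acl(any_other="T", unauthenticated="T"))
    # Grant only 'T' to anonymous/any-other under /wps so they can pass through
    # to the public subtree without being able to read the protected pages.
    space.attach("/WebSEAL/portal/wps",
                 Acl(users={"wpsadmin": "Trxmd"}, groups={"employees": "Tr"},
                     any_other="T", unauthenticated="T"))
    space.attach("/WebSEAL/portal/wps/portal",
                 Acl(any_other="Tr", unauthenticated="Tr"))
    return space
```

The point to take from the sample namespace: an anonymous user can reach /wps/portal because every ancestor grants 'T', but a GET on /wps/myportal fails because the inherited /wps ACL gives anonymous users traverse only; and an employee who can read the portal still cannot POST to it without the 'x' bit, which only the user entry for wpsadmin carries.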
Controlling Access to Desktop and Enterprise Applications
Tivoli Access Manager for Enterprise Single Sign-On
Manage Identities across the Enterprise
The Core Process Issues of Identity Management
• Provisioning: Is every user account on every resource valid? Is user access configured correctly to every resource? And does it stay that way?
• Productivity: Are users efficiently gaining access to valid resources?
• Access: Are access policies and data disclosure rules implemented consistently across every application, data source and operating system?
• Audit: Can I prove all of this to the auditor, for all users, systems and operational information?
Introducing Tivoli Identity Manager for User Provisioning
• Centrally and quickly validate all user access: reconcile user access with security policy
• Efficiently set up appropriate user access: workflow-based provisioning
• Automatically detect and correct inappropriate changes to user access: 'closed-loop' policy management
• Single login across IT resources: Web, Enterprise, Service-Oriented Architecture (SOA)
• Self-service for password resets and account updates: Web-based password management
Tivoli Identity Manager (TIM)
[Diagram: identity lifecycle flow through TIM]
• An identity change (add / delete / modify) originates in HR systems or identity stores, or via self-service; Directory Integrator detects the change.
• Approvals are gathered and the access policy is evaluated.
• Accounts are updated on the managed systems (operating systems, applications, databases). Accounts on 70 different types of systems are managed, plus in-house systems and portals.
Role assignment and policy:
• Dynamic role: automatic assignment based on current identity attributes.
• Static role: manual assignment based on a user request to change.
• Provisioning policy: maps roles to entitlements; the change is processed via the connector for each system.
• Workflow engine: external links, custom scripts, human approvals, RFI, life-cycle definition, email.
Reconciliation: entitlement changes made locally on a managed system (in AD, RACF, SAP, ...) are detected and compared against policy. If a change is out of policy, TIM notifies the administrator, rolls back the change, or suspends the account.
Role-Based Provisioning in TIM
• Request driven (static roles) versus identity driven (dynamic roles)
• Example roles from the slide: Corporate, Accounting, Payroll, Sales, East, West, Information Technology, Security, Database, Distributed Systems
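The two preceding slides describe one loop: attributes drive dynamic roles, requests drive static roles, a provisioning policy turns roles into per-service entitlements, and reconciliation compares what the connectors actually find against that expectation and responds (notify, roll back, suspend). The following is an added example written for this page, not TIM code; the roles, attribute rules, services and the "snapshot" of accounts found on each system are constructed sample data, and the four outcomes it distinguishes (orphan account, out-of-policy entitlements, account with no entitling role, account missing entirely) are this example's own reading of the slide's notify / roll back / suspend choices.

```python
"""Role-based provisioning with closed-loop reconciliation (TIM-style).

Added example, not Tivoli Identity Manager code. All roles, policies and
account data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Person:
    uid: str
    attributes: Dict[str, str]
    static_roles: Set[str] = field(default_factory=set)   # granted by request/approval


# Dynamic roles: membership follows the identity's current attributes.
DYNAMIC_ROLES: Dict[str, Callable[[Person], bool]] = {
    "employee": lambda p: p.attributes.get("status") == "active",
    "payroll": lambda p: p.attributes.get("department") == "Payroll",
}

# Provisioning policy: role -> service -> entitlements the role grants.
PROVISIONING_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "employee": {"AD": {"Domain Users"}, "Portal": {"wpsUsers"}},
    "payroll": {"AD": {"Payroll-RO"}, "SAP": {"HR_PAYROLL"}},
    "dba": {"AD": {"DBAdmins"}},          # static role, granted on request
}


def roles_for(person: Person) -> Set[str]:
    dynamic = {r for r, rule in DYNAMIC_ROLES.items() if rule(person)}
    return dynamic | person.static_roles


def expected_entitlements(person: Person) -> Dict[str, Set[str]]:
    """Union of entitlements across all of the person's roles, per service."""
    expected: Dict[str, Set[str]] = {}
    for role in roles_for(person):
        for service, ents in PROVISIONING_POLICY.get(role, {}).items():
            expected.setdefault(service, set()).update(ents)
    return expected


def reconcile(people: List[Person],
              actual: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Compare the accounts found on each service against policy and return
    corrective actions as 'action service uid detail' strings."""
    by_uid = {p.uid: p for p in people}
    actions: List[str] = []
    for service, accounts in sorted(actual.items()):
        for uid, have in sorted(accounts.items()):
            person = by_uid.get(uid)
            if person is None:                         # nobody owns this account
                actions.append(f"notify {service} {uid} orphan-account")
                continue
            want = expected_entitlements(person).get(service)
            if want is None:                           # no role entitles the account
                actions.append(f"suspend {service} {uid} no-entitling-role")
            elif have != want:                         # local change outside policy
                extra = ",".join(sorted(have - want)) or "-"
                missing = ",".join(sorted(want - have)) or "-"
                actions.append(f"rollback {service} {uid} extra={extra} missing={missing}")
    # Accounts policy says must exist but the connectors did not find.
    for person in people:
        for service, want in expected_entitlements(person).items():
            if person.uid not in actual.get(service, {}):
                actions.append(f"provision {service} {person.uid} {','.join(sorted(want))}")
    return sorted(actions)


def sample_people() -> List[Person]:
    return [
        Person("ascot", {"status": "active", "department": "Payroll"}),
        Person("abruzzi", {"status": "active", "department": "Sales"}, static_roles={"dba"}),
        Person("logan", {"status": "terminated", "department": "Sales"}),
    ]


def sample_snapshot() -> Dict[str, Dict[str, Set[str]]]:
    """Constructed reconciliation snapshot: what the connectors found."""
    return {
        "AD": {
            "ascot": {"Domain Users", "Payroll-RO", "Domain Admins"},  # local escalation
            "abruzzi": {"Domain Users", "DBAdmins"},
            "logan": {"Domain Users"},                                  # leaver still active
            "svc_backup": {"Domain Users"},                             # no owning person
        },
        "SAP": {"ascot": {"HR_PAYROLL"}},
        "Portal": {"abruzzi": {"wpsUsers"}},
    }
```

Running reconcile(sample_people(), sample_snapshot()) yields four actions: notify on the ownerless svc_backup account, roll back the locally added Domain Admins membership for ascot, suspend logan's AD account because no role entitles it any longer, and provision the Portal account ascot should have but does not. The ordering of the checks matters: an account is only compared against policy once it has a known owner, so an orphan is never "rolled back" to entitlements nobody is entitled to.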
Identity Management across the Enterprise
• Standalone applications: agentless adapters; API to implement custom adapters
• Application server: provisions the LDAP
• Portal: provisions the LDAP used by TAM and Portal; can provision the applications behind portlets that use the Portal credential store or the TAM GSO lockbox
• Tivoli Directory Integrator (TDI, formerly IDI) synchronizes back-end user repositories; it also works as a virtual directory layer for the TAM EAI interface
• Desktop and enterprise applications: provisions TAM ESSO
[Diagram: the enterprise landscape (homegrown applications, WebSphere Application Server, Portal Server, standalone applications, and more) with Tivoli Access Manager providing managed security across all of them and Tivoli Identity Manager provisioning the user IDs.]
Architecture
[Diagram: network zones from the Internet through the DMZ to the intranet]
• Internet: browser
• DMZ: WebSEAL proxy (Tivoli Access Manager for e-business, TAMeb)
• Intranet: LDAP user registry, TAMeb Policy Server, Portal Server, other targets, Tivoli Identity Manager
Portal Authentication Example
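In the architecture above the browser never reaches the Portal Server directly: WebSEAL in the DMZ authenticates the user against LDAP and forwards the request over a junction, asserting the identity to the portal in the iv-user and iv-groups headers. The security-relevant consequence is that the portal must accept those headers only from the junction, because anyone who can reach the portal on the intranet could otherwise forge them. The following is an added example written for this page, not WebSEAL or WebSphere code. The header names and the quoted, comma-separated iv-groups format are WebSEAL's; the shared X-Junction-Auth secret is an assumption that stands in for the real junction protections (a mutually authenticated SSL junction, or a trust association interceptor validating the proxy's credentials), and the registry entries are constructed sample data.

```python
"""Identity propagation from a WebSEAL-style reverse proxy to a junctioned portal.

Added example, not WebSEAL/WebSphere code. The X-Junction-Auth secret is an
assumption standing in for mutual-SSL junctions or TAI validation.
"""
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

IDENTITY_HEADERS = ("iv-user", "iv-groups", "iv-creds")

# Constructed registry: username -> (password, groups). A real deployment reads
# LDAP and never stores plaintext passwords; this is sample data only.
REGISTRY: Dict[str, Tuple[str, List[str]]] = {
    "alice": ("alice-pw", ["employees", "sales"]),
    "wpsadmin": ("admin-pw", ["employees", "wpsadmins"]),
}
JUNCTION_SECRET = "constructed-junction-secret"   # assumption, see lead-in


class PortalBackend:
    """The junctioned application. It must only trust identity headers that
    arrived over the authenticated junction, never from an arbitrary client."""

    def __init__(self, junction_secret: str) -> None:
        self._secret = junction_secret

    def handle(self, headers: Dict[str, str]) -> Dict[str, object]:
        h = {k.lower(): v for k, v in headers.items()}
        if not hmac.compare_digest(h.get("x-junction-auth", ""), self._secret):
            return {"status": 401, "body": "identity headers not trusted on this channel"}
        user = h.get("iv-user")
        if not user:
            return {"status": 401, "body": "no authenticated user"}
        # WebSEAL sends iv-groups as "group1","group2"
        groups = [g.strip('"') for g in h.get("iv-groups", "").split(",") if g]
        return {"status": 200, "user": user, "groups": groups}


class WebSeal:
    """Authenticates the browser, then forwards to the backend over the junction."""

    def __init__(self, registry: Dict[str, Tuple[str, List[str]]],
                 junction_secret: str, backend: PortalBackend) -> None:
        self._registry = registry
        self._secret = junction_secret
        self._backend = backend
        self._sessions: Dict[str, str] = {}   # session cookie -> username

    def login(self, user: str, password: str) -> Optional[str]:
        record = self._registry.get(user)
        if record is None or not hmac.compare_digest(record[0], password):
            return None
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = user
        return cookie

    def forward(self, session_cookie: Optional[str],
                headers: Dict[str, str]) -> Dict[str, object]:
        h = {k.lower(): v for k, v in headers.items()}
        # Strip any identity headers the client supplied: the proxy is the only
        # party allowed to assert identity to the backend.
        for name in IDENTITY_HEADERS:
            h.pop(name, None)
        user = self._sessions.get(session_cookie or "")
        if user is None:
            return {"status": 302, "location": "/pkmslogin.form"}  # WebSEAL form-login endpoint
        h["iv-user"] = user
        h["iv-groups"] = ",".join(f'"{g}"' for g in self._registry[user][1])
        h["x-junction-auth"] = self._secret   # assumption: stands in for mutual SSL
        return self._backend.handle(h)
```

Two behaviours are worth checking when reviewing a real deployment of this pattern: a request sent straight to the portal with an iv-user header is refused, and an iv-user header supplied by the browser is discarded by the proxy rather than passed through, so the portal always sees the identity WebSEAL authenticated.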
Audit, Reporting and Compliance
Regulatory Mandates Require Compliance Solutions
Corporate Governance, Privacy, Cyber Crime and Critical Infrastructure
Regulation / Scope / Security Requirements
• Sarbanes-Oxley Act. Scope: all U.S. public companies; major global companies also impacted. Requirements: internal control and audit requirements, aided by identity management.
• HIPAA. Scope: healthcare providers, insurers, clearinghouses. Requirements: requires customer notification, security and privacy safeguards.
• 21 CFR Part 11. Scope: FDA-regulated companies (20% of US spend) choosing to file electronically. Requirements: security requirements for protecting data and access if the company files electronically.
• Basel II. Scope: required by EU banks; larger US and Japanese banks will follow. Requirements: the operational risk management clause requires security and identity management investments.
• Gramm-Leach-Bliley Act. Scope: US financial institutions. Requirements: financial institutions must (1) securely store personal financial information (PFI) and (2) give consumers an opt-out.
Tivoli Access Manager Provides a Common Audit and Reporting Service (CARS)
[Screenshots: General Authorization Event; Event Details Report]
Out of the box reports:
• Audit Event History by User
• Failed Authentication History
• Locked Account History
• User Password Change History
• Server Availability Report
• Most Active Accessors Report
• Authorization Event History by Action
• Security Server Audit Event History
• Resource Access By Accessor Report
• etc.
Tivoli Identity Manager Provides Reporting, Alerts and Workflow to Enforce Security Policy
Type of report: description
• Individual Accounts: list all accounts that belong to a specific person, OrgUnit or the whole system
• Accounts by Role: list all accounts of people in a specific role
• Accounts on Service: details of accounts that exist on a specific service (person, account, account status, etc.)
• Policies Governing a Role: shows all of the policies (and related resources) that pertain to a specific role
• Entitlement by Individual: show a list of all entitlements that belong to a specific individual
• Performed Provisioning Actions: all provisioning actions that meet specific criteria (add/mod/del/suspend/restore), filtered by date, status, service, user, etc.
• Provisioning Actions Performed by Individual: list of provisioning actions performed by an individual (add/mod/delete, etc.), filtered by date, status, service, user, etc.
• Approvals/Rejections: list activities approved or rejected, filtered by approver, date, resource, status, etc.
• Pending Approvals: list all pending approvals, filtered by approver, date, resource, status, etc.
• Suspended Accounts: list all accounts that have been suspended, filtered by userid, username, service, date
• Suspended People: list all users that have been suspended, filtered by user, OU, date
• Services: list all services, filtered by resource name, service type, owner, OU
• Policies: list all policies, filtered by name or wildcard
• ACI: list all ACIs, filtered by name, context, object, scope, OU
• Reconciliation Stats: # accounts processed, # orphans, # accounts, # accounts with policy violations, # accounts modified, # accounts deprovisioned, # accounts suspended, etc.
• Non-compliant Accounts: list all non-compliant accounts and the reason, filtered by service
Out-of-the-Box Reports Documenting the Corporate Security Policy
Audit Logs and Tracking
TAM ESSO captures logs for:
• Login / logoff
• Password changes
• Second-factor authentication
• Failed login ...
• Customizable events
Example timeline of captured events:
• 6:00 Jack Bower logs in to CTU
• 6:13 President Logan arrives at EMC
• 6:27 Lisa Ascot logs off from the TIM server
• 6:39 Data server in LA goes down!!
• 6:44 John Abruzzi changes his password
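Captured login, failed-login and password-change events are only useful if something correlates them. The following is an added example written for this page, not TAM ESSO code or its log format: the key=value line format and the events are constructed (they echo the timeline above), and a real ESSO log would need its own parser. It runs two detections over the sample: a burst of failed logins followed by a success on the same account (a guess that worked), and a password change shortly after such a login (an intruder cementing access). The thresholds and windows are assumptions.

```python
"""Detection over constructed enterprise-SSO audit events.

Added example, not TAM ESSO code; the log format below is invented for
illustration. Detects (1) a success after a burst of failures and (2) a
password change shortly after such a suspicious login.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (format is an assumption, not the product's).
SAMPLE_LOG = """\
2010-09-14T06:00:10 user=jbower event=LOGIN result=SUCCESS src=10.1.2.3
2010-09-14T06:13:05 user=plogan event=LOGIN result=SUCCESS src=10.1.2.9
2010-09-14T06:20:01 user=lascot event=LOGIN result=FAIL src=203.0.113.7
2010-09-14T06:20:04 user=lascot event=LOGIN result=FAIL src=203.0.113.7
2010-09-14T06:20:08 user=lascot event=LOGIN result=FAIL src=203.0.113.7
2010-09-14T06:20:12 user=lascot event=LOGIN result=FAIL src=203.0.113.7
2010-09-14T06:20:15 user=lascot event=LOGIN result=FAIL src=203.0.113.7
2010-09-14T06:20:20 user=lascot event=LOGIN result=SUCCESS src=203.0.113.7
2010-09-14T06:22:40 user=lascot event=PASSWORD_CHANGE result=SUCCESS src=203.0.113.7
2010-09-14T06:27:00 user=lascot event=LOGOFF result=SUCCESS src=203.0.113.7
2010-09-14T06:30:00 user=jabruzzi event=LOGIN result=FAIL src=10.1.2.5
2010-09-14T06:30:30 user=jabruzzi event=LOGIN result=SUCCESS src=10.1.2.5
2010-09-14T06:44:00 user=jabruzzi event=PASSWORD_CHANGE result=SUCCESS src=10.1.2.5
"""

FAIL_THRESHOLD = 4                        # failures before a success is suspicious
BURST_WINDOW = timedelta(minutes=5)       # how close together the failures must be
PASSWORD_CHANGE_WINDOW = timedelta(minutes=10)


def parse(lines: str) -> List[Dict[str, object]]:
    """Turn 'timestamp key=value ...' lines into dicts, sorted by time."""
    events: List[Dict[str, object]] = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev: Dict[str, object] = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict[str, object]]) -> List[str]:
    """Return one alert string per detection, in event order."""
    alerts: List[str] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    burst_success: Dict[str, datetime] = {}
    for ev in events:
        user, ts = str(ev["user"]), ev["ts"]
        if ev["event"] == "LOGIN" and ev["result"] == "FAIL":
            window = [t for t in recent_fails[user] if ts - t <= BURST_WINDOW]
            window.append(ts)
            recent_fails[user] = window
        elif ev["event"] == "LOGIN" and ev["result"] == "SUCCESS":
            fails = [t for t in recent_fails[user] if ts - t <= BURST_WINDOW]
            if len(fails) >= FAIL_THRESHOLD:
                alerts.append(f"{user}: success after {len(fails)} failed logins from {ev['src']}")
                burst_success[user] = ts
            recent_fails[user] = []           # a success resets the failure count
        elif ev["event"] == "PASSWORD_CHANGE":
            first = burst_success.get(user)
            if first is not None and ts - first <= PASSWORD_CHANGE_WINDOW:
                delay = int((ts - first).total_seconds())
                alerts.append(f"{user}: password changed {delay}s after suspicious login")
    return alerts
```

On the sample, lascot trips both rules while jabruzzi's single typo followed by a routine password change fourteen minutes later trips neither; the threshold and windows are the knobs to tune against your own failed-login baseline.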
Secure the Total System – from SOA to Portal
Portal…an onramp to SOA
[Diagram: portal applications (Employee Portal, Customer Self-Service, Collaborative Workspace, Corporate Extranet, Executive Dashboard, Partner Portal) serve customers, employees and partners. They are built on Portal Services, Information & Content Services, Messaging & Brokering Services and Shared Business Services, which together with Service-Oriented Development of Applications and Composite Application & Service Management form the Service-Oriented Architecture Foundation. Beneath that sit enterprise data (products, enterprise data), enterprise applications (Enterprise Resource Planning (ERP), Sales Force Automation (ERP), Call Center (CRM), legacy applications) and external applications (tax, health, credit, commerce partners).]
SOA Security Solution - DataPower XS40
• XML/SOAP Firewall: filter on any content, metadata or network variables
• Data Validation: approve incoming/outgoing XML and SOAP at wire speed
• Field Level XML Security: encrypt and sign individual message fields, non-repudiation
• XML Web Services Access Control: SAML, LDAP, RADIUS, etc.
• MultiStep & XML/SOAP Routing: sophisticated multi-stage pipeline
• Web Services Management: web services proxy, SLM
• Transport Layer Flexibility: SSL acceleration, WebSphere MQ
• Service Virtualization: mask backend resources
• Configuration & Administration: ease of use, integration for management
[Diagram: Internet → Web Services Requestor → IP Firewall → XS40 XML Security Gateway → Web Services Application Server / Legacy Application Server]
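The XML/SOAP firewall and data validation items above are the checks a gateway applies before a message reaches the application server: cap the size, refuse anything carrying a DTD (external entities and entity-expansion bombs), bound nesting depth and element count, require a well-formed SOAP envelope, and allow only known operations. The following is an added example written for this page, not DataPower code or configuration; the limits, the namespace and the allowed operation are assumptions, and the sample messages are constructed.

```python
"""A minimal XML/SOAP firewall policy of the kind an XML security gateway
applies in front of a web service.

Added example, not DataPower code. Limits, namespace and the allowed
operation list are assumptions; sample messages are constructed.
"""
import io
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 2000
ALLOWED_OPERATIONS = {("urn:example:orders", "getOrderStatus")}   # assumption


def inspect_soap(payload: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheap byte-level checks run before parsing."""
    if len(payload) > MAX_BYTES:
        return False, "message too large"
    lowered = payload.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DOCTYPE not allowed"          # blocks XXE and entity bombs
    depth = elements = 0
    root_tag = operation = None
    in_body = body_seen = False
    try:
        for event, elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    return False, "nesting too deep"
                if elements > MAX_ELEMENTS:
                    return False, "too many elements"
                if depth == 1:
                    root_tag = elem.tag
                elif depth == 2:
                    in_body = elem.tag == f"{{{SOAP_NS}}}Body"
                    body_seen = body_seen or in_body
                elif depth == 3 and in_body and operation is None:
                    operation = elem.tag          # first child of Body names the operation
            else:
                if depth == 2:
                    in_body = False
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root_tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    if not body_seen or operation is None:
        return False, "no operation in SOAP Body"
    # ElementTree tags look like "{namespace}local"
    ns, _, local = operation[1:].partition("}") if operation.startswith("{") else ("", "", operation)
    if (ns, local) not in ALLOWED_OPERATIONS:
        return False, f"operation not allowed: {operation}"
    return True, "accepted"


# Constructed sample messages.
GOOD = b"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:o="urn:example:orders">
  <soapenv:Header/>
  <soapenv:Body><o:getOrderStatus><o:orderId>1042</o:orderId></o:getOrderStatus></soapenv:Body>
</soapenv:Envelope>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:o="urn:example:orders">
  <soapenv:Body><o:getOrderStatus><o:orderId>&f;</o:orderId></o:getOrderStatus></soapenv:Body>
</soapenv:Envelope>"""
```

The ordering is deliberate: size and DOCTYPE are rejected on the raw bytes before any parser runs, and depth and element counts are enforced during the streaming parse, so a hostile message cannot make the gateway do the expensive work it is there to spare the application server.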
In Conclusion
IBM endorses Prolifics to provide these Security Solutions…
• Overall reduction in IT administration costs
• Ability to manage increasing amounts of risk, mobile workforce, high turnover, …
• Support for meeting regulations and compliance
• Ability to respond to business changes quickly and with flexibility
[Diagram: the complete landscape (homegrown applications, WebSphere Application Server, Portal Server, standalone applications, and more) with Tivoli Access Manager providing managed security, Tivoli Identity Manager provisioning the user IDs, and DataPower securing the SOA layer.]
Questions?
Contact: Christopher Ehrsam, Senior Security Architect. Email: [email protected]
Interested in finding out more information about Prolifics' Security Services and IBM Security software?
Contact: Prolifics Customer Relationship Management. Email: [email protected]. Phone: (800) 675-5419 or (212) 267-7722