
IBM Security Identity and Access Management - Portfolio


Page 1: IBM Security Identity and Access Management - Portfolio

© 2014 IBM Corporation

IBM Security Identity and Access Management
Products updates and what is coming

Sven-Erik Vestergaard

Pan-IOT security architect

IBM Security

[email protected]

Page 2: IBM Security Identity and Access Management - Portfolio


Agenda

ISAM

ISIM

PIM

Z/Secure

Page 3: IBM Security Identity and Access Management - Portfolio


IBM Security Access Manager

Page 4: IBM Security Identity and Access Management - Portfolio


Federated Registry Support

Allow ISAM to address a federated registry space where different suffixes are distributed across LDAP servers

Current Registry becomes “Primary registry”

– Management suffix (e.g. secAuthority=Default) is stored here

• This is where all ISAM user/group/policy/GSO meta-data is stored

– Users and groups can also be stored here

Can also define one or more “Federated Registries”

– These only store User and Group objects

– No schema changes required in these registries

– Identified by the suffixes they contain
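The suffix-based routing the slide describes can be seen in a small model. The following Python is an added example, not ISAM code; the registry names, hosts and suffixes are constructed, and only secAuthority=Default comes from the slide. It picks the registry whose suffix is the longest trailing match of a DN and enforces the two layout rules above: the management suffix lives only on the primary registry, and no suffix is claimed by two registries.

```python
"""Resolve which LDAP registry holds a DN in an ISAM-style federated
registry space.  Added example, not IBM's code; the registry names,
hosts and suffixes are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


MANAGEMENT_SUFFIX = "secAuthority=Default"   # management suffix named on the slide


@dataclass(frozen=True)
class Registry:
    name: str
    host: str
    suffixes: tuple          # DN suffixes this server is authoritative for
    primary: bool = False    # only the primary holds the management suffix


def dn_components(dn: str) -> List[str]:
    """Split a DN into normalized RDN components (no DN-escaping support,
    which is enough for the plain suffixes used here)."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def dn_ends_with(dn: str, suffix: str) -> bool:
    """True when `suffix` is a trailing run of `dn`'s RDNs, compared
    component-wise so 'dc=example,dc=com' does not match 'dc=notexample,dc=com'."""
    d, s = dn_components(dn), dn_components(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s


def validate_space(registries: List[Registry]) -> None:
    """Enforce the slide's layout rules: exactly one primary, the management
    suffix lives only on the primary, and no suffix is claimed twice."""
    primaries = [r for r in registries if r.primary]
    if len(primaries) != 1:
        raise ValueError("federated space needs exactly one primary registry")
    mgmt_key = ",".join(dn_components(MANAGEMENT_SUFFIX))
    seen = {}
    for r in registries:
        for s in r.suffixes:
            key = ",".join(dn_components(s))
            if key in seen:
                raise ValueError(f"suffix {s} claimed by {seen[key]} and {r.name}")
            seen[key] = r.name
            if key == mgmt_key and not r.primary:
                raise ValueError(f"management suffix may only be on the primary, not {r.name}")
    if mgmt_key not in seen:
        raise ValueError("primary registry must hold the management suffix")


def route(dn: str, registries: List[Registry]) -> Registry:
    """Pick the registry whose suffix matches the DN; prefer the longest
    (most specific) suffix when several match."""
    best: Optional[Registry] = None
    best_len = -1
    for r in registries:
        for s in r.suffixes:
            n = len(dn_components(s))
            if dn_ends_with(dn, s) and n > best_len:
                best, best_len = r, n
    if best is None:
        raise LookupError(f"no registry is authoritative for {dn}")
    return best


# Constructed federated space: one primary plus two user/group-only registries.
REGISTRIES = [
    Registry("primary", "ldap-primary.example.internal",
             (MANAGEMENT_SUFFIX, "dc=example,dc=com"), primary=True),
    Registry("emea", "ldap-emea.example.internal", ("dc=emea,dc=example,dc=com",)),
    Registry("partners", "ldap-partners.example.internal", ("o=partners",)),
]
validate_space(REGISTRIES)

if __name__ == "__main__":
    for dn in ("cn=alice,ou=people,dc=emea,dc=example,dc=com",
               "cn=bob,ou=people,dc=example,dc=com",
               "cn=SecurityGroup,secAuthority=Default"):
        print(f"{dn:48} -> {route(dn, REGISTRIES).name}")
```

The longest-match rule matters when a federated registry's suffix sits beneath the primary's (dc=emea,dc=example,dc=com under dc=example,dc=com): the entry is looked up on the server that actually holds it, and the validation step catches a misconfiguration that would put the management suffix on a registry which has had no schema changes applied.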

Page 5: IBM Security Identity and Access Management - Portfolio


IBM Security Access Manager: Native Kerberos Single Sign-On

Page 6: IBM Security Identity and Access Management - Portfolio


Kerberos SSO

For Windows applications, Kerberos provides the best SSO

– It is supported by Windows services without the need for plug-ins

– It generally causes the least number of integration issues

Kerberos Delegation is required to support this in ISAM

– Allows an intermediate server to request tickets on behalf of an end user

Kerberos Delegation is now supported by non-Windows Kerberos

– Previously it required Windows APIs

ISAM Appliance includes a Kerberos client for native support

– Federated Identity Manager is no longer required for this

Page 7: IBM Security Identity and Access Management - Portfolio


IBM Security Access Manager: Trusteer Pinpoint

Page 8: IBM Security Identity and Access Management - Portfolio


Proposed Architecture

[Architecture diagram: components are WebSEAL (Filter Framework, Web Engine, Snippet Filter, Update Manager), Trusteer Endpoint Servers, Endpoint, Web Application and Snippet Files; labelled flows are Poll, Snippet Delivery, Page Access and Page Delivery]

A new filter will be added to the WebSEAL filter framework;

An update manager which is embedded within the appliance will be used to monitor updates and retrieve these updates;

Configuration will be contained in:

– WebSEAL configuration file;

– Snippet files;

Page 9: IBM Security Identity and Access Management - Portfolio


IBM Security Access Manager: Appliance Monitoring

Page 10: IBM Security Identity and Access Management - Portfolio


SNMP added for Appliance Monitoring

Systems monitoring is an important part of operations

– Often we may overlook it in pre-sales but customers will not

Customer tools cannot be added to an appliance

– So it needs to provide sufficient capability out-of-the-box

In ISAM 8.0.0.5 an SNMP daemon has been added

– It monitors standard system parameters such as disk, cpu, memory, interfaces, processes etc.

Currently it doesn’t monitor ISAM-specific functions

– syslog can provide integration for monitoring of this kind

Page 11: IBM Security Identity and Access Management - Portfolio


ISAM Appliance shown in Tivoli Enterprise Monitoring

Page 12: IBM Security Identity and Access Management - Portfolio


IBM Security Access Manager: DataPower

Page 13: IBM Security Identity and Access Management - Portfolio


Silos of security are impeding business agility

[Diagram: Users (Developers, Partners, Consumers, Employees, Consultants) reach Applications and Systems over Business Channels (Web, Mobile, B2B, SOA, APIs), each channel fronted by its own Security Solution: API Management, B2B Gateway, SOA Gateway, Web Access Proxy, Mobile Gateway]

Page 14: IBM Security Identity and Access Management - Portfolio


MULTI-CHANNEL GATEWAY

Reduce cost and improve security posture with a converged gateway

[Diagram: the same Users, Business Channels (Web, Mobile, B2B, SOA, APIs) and Applications and Systems, now fronted by a converged gateway as the Security Solution]

Page 15: IBM Security Identity and Access Management - Portfolio


Introducing IBM’s multi-channel gateway solution

Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway solution

[Diagram: IBM DataPower Gateway provides traffic control & optimization, message security and message & transport bridging; ISAM for DataPower provides user access security]

Key Benefits

– Reduce Operating Costs: Single gateway reduces hardware footprint and uses common set of management and operational skills

– Improve Business Agility: Common security policy framework that can be shared across business channels

– Improve Edge Security: Comprehensive security at the message-level, infrastructure-level, and user-level

– Secure User Interactions: Safeguard mobile, cloud, and social access

– Secure App Interactions: Protect applications at the message-level and provide optimized application delivery

Page 16: IBM Security Identity and Access Management - Portfolio


ISAM for Mobile & FIM provide advanced authentication, authorization, & federation capabilities with out-of-the-box integrations

ISAM for Mobile: Addresses the needs for emerging web and mobile security requirements for strong and multi-factor authentication and dynamic, context based access policies from multiple data sources including Trusteer Mobile, Pinpoint and Fiberlink MaaS360

Federated Identity Manager: Provides a robust platform for centrally managing federated business partner relationships and access to SaaS applications

[Diagram]

– Federated Identity Manager: Federated single sign on; Identity mediation; Security token services

– ISAM for Mobile: Mobile single sign on; Strong auth & MFA; Context-based access; Device registration

– Policy Enforcement Point: ISAM for DataPower

Page 17: IBM Security Identity and Access Management - Portfolio


IBM Security Identity Manager

Page 18: IBM Security Identity and Access Management - Portfolio


New Capabilities Across All Products

Identity Manager v6.0.0.4 and v7.0 – Simultaneous announcement:

• Same functions, different delivery: V6.0.0.4 is software stack version for installed base; v7.0 is virtual appliance-only for new customers

– Phase 3: Identity Service Center - business user interface

– Platform/Middleware updates

– Adapter updates including Oracle, Microsoft, UNIX/Linux platform updates

– Customer-sponsored enhancements

Privileged Identity Manager v2.0 – Virtual appliance only delivery

– PIM-SIM separation with integration

– PIM for Applications option

– User experience improvement – PIM administration in Service Center UI

– SoftLayer administrative account management support

Identity Governance v5.1 – Virtual Appliance Delivery

– Integration from SIG to SIM

Page 19: IBM Security Identity and Access Management - Portfolio


Identity Service Center – Home screen - updated

(Optional)

Page 20: IBM Security Identity and Access Management - Portfolio


Introducing SIM Virtual Appliance

SIM is Virtual Appliance only starting with SIM v7

– Positioned as “fresh start”

– Continued SIM 6.0.x software stack maintenance

Same platform as PIM and Access Manager (“Mesa”)

Offers customers a quick-to-deploy and easy-to-maintain IdM solution

– Pre-installed components & middleware, configured through VA panels.

• External data tier required (DB2 and LDAP) for storing operational data.

• Uses existing, common admin/user web user interfaces

• Supports HA clustering

– Reduces time to value significantly

• Reduces the skills requirements for IT admins, e.g. no WAS admin skills needed.

• Reduces patch/upgrade effort via single “firmware” update - not individual component

Page 21: IBM Security Identity and Access Management - Portfolio


SIM Virtual Appliance – cont.

Target for new Identity Manager installations

Key limitations to note:

– DB2 and Oracle (non SSL) only

– Simplification -> configurability streamlining – no access to WAS console, middleware install hidden etc.

• We support customization “best practices” and incorporate into VA console configuration, but will discourage customization that makes upgrades difficult

– Role and Policy Modeler not included (transition to SIG/CrossIdeas)

Migration: Existing SIM 5.1 and 6.0 customers will need to migrate environments – no automated upgrade

– Fresh start: opportunity to rethink customizations and clean up the deployment

– Tech note describing customization supports/limits to be published

– Migration assistance on 2015 Roadmap

Page 22: IBM Security Identity and Access Management - Portfolio


Identity Manager Virtual Appliance – Component versions

| Component | SIM 6.0.0.4 | SIM VA 7.0 |
| --- | --- | --- |
| OS / ESX | AIX 6.1, 7.1; RHEL 5, 6; SLES 10, 11; Solaris 10; Windows 2008, 2012 | VMware ESXi 5.x |
| DB | DB2 9.5, 9.7, 10.1, 10.5; Oracle 10g, 11g, 12c | DB2 10.1; Oracle 12c |
| TDS | SDS 6.2, 6.3, 6.3.1; Sun Directory 6.3, 7.0; ODS 11.1 | SDS 6.3.1 |
| SDI/TDI | TDI 7.1, 7.1.1; SDI 7.2 | TDI 7.1.1 |
| WAS | WAS 7.0 (without ISC); WAS 8.5, WAS 8.5.5 | -- (inside VA) |
| Reports | Cognos 10.2.1 | Cognos 10.2.1 |
| Browser | IE 9, 10, 11; Firefox 17 ESR, 24 ESR | IE 11; Firefox 24 ESR |

Page 23: IBM Security Identity and Access Management - Portfolio


PIM 2.0 is Appliance Only

PIM Appliance now includes less “Identity Manager”

– Only what is required to support PIM use cases

It can integrate with an Identity Manager system

– To provide full Enterprise Identity + PIM functionality

New PIM opportunities should be directed towards appliance offering

– Existing software stack customers will continue to receive support and fixes but little to no new PIM functionality

PIM Licence still includes entitlement for SIM and ESSO

– So can still deploy and integrate these to get more function

• At the cost of additional deployment complexity


Page 24: IBM Security Identity and Access Management - Portfolio


Authenticating applications without password

OAuth 2.0 Token: Authorization given by a PIM domain admin to an application instance. OAuth tokens are set to one-time use.

Instance Fingerprint: App instance host info, user info, network, binary hash and path, etc. Ensures that the instance is authentic.

Token request and fingerprinting are done automatically during registration, using the App ID Toolkit.
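A defender-side sketch of the two checks the slide combines, as an added Python example that is neither the App ID Toolkit nor IBM code: the fingerprint is a hash over the listed instance attributes, and a token is honoured once, and only when presented together with the fingerprint it was issued for. All hostnames, users, paths and digests are constructed; burning a token on a mismatched fingerprint is a design choice of this example, not something the slide states.

```python
"""One-time token plus instance fingerprint, modelled on the slide's
description.  Added example, not IBM's App ID Toolkit; every host, user,
path and hash below is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Dict, List, Set


@dataclass(frozen=True)
class InstanceFacts:
    """The kinds of attribute the slide lists for an instance fingerprint."""
    hostname: str
    os_user: str
    network_addr: str
    binary_path: str
    binary_sha256: str


def fingerprint(facts: InstanceFacts) -> str:
    """Digest the facts in a fixed order with a separator that cannot occur in
    them, so shifting a value into a neighbouring field changes the result."""
    material = "\x1f".join([facts.hostname, facts.os_user, facts.network_addr,
                            facts.binary_path, facts.binary_sha256])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class TokenAuthority:
    """Server side of registration: a token is issued when the domain admin
    approves an instance, and is honoured once, only from that instance."""

    def __init__(self) -> None:
        self._expected: Dict[str, str] = {}   # token -> fingerprint it was issued for
        self._used: Set[str] = set()

    def issue(self, approved: InstanceFacts) -> str:
        token = secrets.token_urlsafe(32)     # unguessable, bound to one instance
        self._expected[token] = fingerprint(approved)
        return token

    def redeem(self, token: str, presented: InstanceFacts) -> bool:
        expected = self._expected.get(token)
        if expected is None or token in self._used:
            return False                      # unknown token, or a replay
        self._used.add(token)                 # burn on first use, pass or fail
        # constant-time compare so a mismatch leaks nothing about the digest
        return hmac.compare_digest(expected, fingerprint(presented))

    def is_spent(self, token: str) -> bool:
        return token in self._used


# Constructed instance: the facts the toolkit would collect on the app host.
APP_INSTANCE = InstanceFacts(
    hostname="app01.example.internal",
    os_user="svc_payroll",
    network_addr="10.20.30.40",
    binary_path="/opt/payroll/bin/payroll-agent",
    binary_sha256="3b" * 32,                  # placeholder digest, not a real binary
)


def demo() -> List[bool]:
    """Issue, first use, replay, then use of a fresh token from a changed binary."""
    authority = TokenAuthority()
    token = authority.issue(APP_INSTANCE)
    first = authority.redeem(token, APP_INSTANCE)       # True
    replay = authority.redeem(token, APP_INSTANCE)      # False: one-time use
    tampered = replace(APP_INSTANCE, binary_sha256="4c" * 32)
    token2 = authority.issue(APP_INSTANCE)
    wrong_binary = authority.redeem(token2, tampered)   # False: fingerprint mismatch
    return [first, replay, wrong_binary]


if __name__ == "__main__":
    print(demo())
```

Burning the token on any redemption attempt, not only on success, means a token captured and presented from a different host is dead after one try, and the legitimate instance's registration then fails in a way that is visible to the domain admin rather than silently succeeding later.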

Page 25: IBM Security Identity and Access Management - Portfolio


IAM Deployment Option Road Map

VIRTUAL APPLIANCE

– PIM Greenfield: Meets requirements for PIM scenarios for greenfield customers

– Identity Greenfield: Meets requirements for SIM, PIM or SIG greenfield customers. Independent VA deployment

– Identity Appliance (direction): Full IAM suite from a single VA. Enable SIM, PIM, SIG or any combo. Migration for sw stack customers

SOFTWARE

– IAM Software Stack: Update in parallel with VA to provide customers time to consider VA or cloud

CLOUD

– Lighthouse IAM: Initial Cloud IAM release. Lower cost and faster deployment

– Lighthouse (direction): Updated to latest IAM releases. Provide IBM Service Center UI

Page 26: IBM Security Identity and Access Management - Portfolio


IBM Security Z/Secure

Page 27: IBM Security Identity and Access Management - Portfolio


zSecure products that enable integration with QRadar

Event sources from System z: RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2 . . .

Page 28: IBM Security Identity and Access Management - Portfolio


New zSecure Adapters for QRadar SIEM product

Features

– Collects and formats information from over 40 different IBM System z SMF record types, such as z/OS, RACF, ACF2, Top Secret, DB2, and CICS events (customizable)

– Additional SMF record types generated by IBM z/OS® and its sub-systems, for data set access, z/VM, PDS member updates and deletes, UNIX file activity, FTP, Telnet and other TCP/IP activity and many others.

– Adds enriched descriptive audit information about the user and the resource from the security database and zSecure system snapshot information

– Support for more frequent collection than once a day – job available for use with scheduling software

Benefits

– Extend best practices and comply with regulatory/legal/compliance requirements

– Provides a holistic, centralized approach for Security Monitoring and plugs a hole in the Enterprise Security Monitoring practice

– Supports separation of duties – stop the legacy practice of self-policing!

– Maximize QRadar capabilities for: Log management, Anomaly detection, Incident forensics, Configuration Management, Vulnerability Management, and Risk management

Page 29: IBM Security Identity and Access Management - Portfolio


Stay Focused Stay Ahead

Questions ?