© 2014 IBM Corporation
IBM Security Identity and Access Management: product updates and what is coming
Sven-Erik Vestergaard
Pan-IOT security architect
IBM Security

Agenda
ISAM
ISIM
PIM
zSecure

IBM Security Access Manager

Federated Registry Support
Allow ISAM to address a federated registry space where different
suffixes are distributed across LDAP servers
Current Registry becomes “Primary registry”
– Management suffix (e.g. secAuthority=Default) is stored here
• This is where all ISAM user/group/policy/GSO meta-data is stored
– Users and groups can also be stored here
Can also define one or more “Federated Registries”
– These only store User and Group objects
– No schema changes required in these registries
– Identified by the suffixes they contain
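The routing rule behind a federated registry (the primary holds the management suffix, each federated registry is authoritative for the suffixes it contains) as an added example in Python; this is illustrative code, not ISAM's registry implementation, and the server names and suffixes are assumptions made up for it. It shows the one pitfall worth checking in any home-grown suffix router: suffix matching must be done per RDN, not with a string `endswith()`, or `dc=myexample,dc=com` would be routed as if it were under `dc=example,dc=com`.

```python
"""Route an LDAP DN to the registry that is authoritative for its suffix.

Added example, not ISAM code. The topology (a primary registry holding
the management suffix plus federated registries identified by their
suffixes) follows the slide; server names and suffixes are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Registry:
    name: str
    suffixes: tuple       # DN suffixes this registry is authoritative for
    primary: bool = False  # the primary also holds ISAM meta-data (secAuthority=Default)


def dn_components(dn: str) -> list:
    """Split a DN into normalised RDN strings, most specific first.

    Only unescaped commas are handled, which is enough for suffix routing;
    DNs containing escaped commas would need a full RFC 4514 parser.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def has_suffix(dn: str, suffix: str) -> bool:
    """True if `suffix` is a trailing run of whole RDNs of `dn`.

    Comparing RDN by RDN avoids the string-endswith mistake where
    "dc=myexample,dc=com" would appear to lie under "dc=example,dc=com".
    """
    d, s = dn_components(dn), dn_components(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s


def route(dn: str, registries: list) -> Registry:
    """Pick the registry whose suffix matches the most RDNs of `dn`.

    Longest match wins, so a federated registry that holds a sub-tree of
    the primary's suffix takes precedence for that sub-tree. A DN under
    no configured suffix is rejected instead of defaulting to the primary.
    """
    best, best_len = None, -1
    for reg in registries:
        for suffix in reg.suffixes:
            n = len(dn_components(suffix))
            if has_suffix(dn, suffix) and n > best_len:
                best, best_len = reg, n
    if best is None:
        raise LookupError(f"no registry is authoritative for {dn}")
    return best


# Assumed topology for the example
REGISTRIES = [
    Registry("primary-ldap", ("secAuthority=Default", "dc=example,dc=com"), primary=True),
    Registry("hr-ldap", ("ou=people,dc=example,dc=com",)),
    Registry("partner-ad", ("dc=partner,dc=net",)),
]

if __name__ == "__main__":
    for dn in ("cn=alice,ou=people,dc=example,dc=com",
               "cn=svc-build,ou=services,dc=example,dc=com",
               "cn=bob,dc=partner,dc=net",
               "principalName=sec_master,cn=Users,secAuthority=Default"):
        print(f"{dn:55s} -> {route(dn, REGISTRIES).name}")
```

Note that `secAuthority=Default` is routed to the primary only because it is listed there; the slide's point that federated registries never hold ISAM meta-data is what makes that listing mandatory.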

IBM Security Access Manager: Native Kerberos Single Sign-On

Kerberos SSO
For Windows applications, Kerberos provides the best SSO
– It is supported by Windows services without the need for plug-ins
– It generally causes the fewest integration issues
Kerberos delegation is required to support this in ISAM
– Allows an intermediate server (here WebSEAL) to request service tickets on behalf of an end user
– Scope the delegation to the SPNs of the junctioned services (constrained delegation) rather than granting the WebSEAL account unconstrained delegation, which would let it obtain tickets for users to any service in the domain
Kerberos delegation is now supported by non-Windows Kerberos
– Previously it required Windows APIs
ISAM Appliance includes a Kerberos client for native support
– Federated Identity Manager is no longer required for this

IBM Security Access Manager: Trusteer Pinpoint

Proposed Architecture
(Diagram: WebSEAL filter framework and web engine with a snippet filter and an update manager; the update manager polls the Trusteer endpoint servers for snippet delivery; the web application delivers pages through WebSEAL, which injects the snippet from the snippet files on page access.)
A new filter will be added to the WebSEAL filter framework;
An update manager which is embedded within the appliance will be used
to monitor updates and retrieve these updates;
Configuration will be contained in:
– WebSEAL configuration file;
– Snippet files;

IBM Security Access Manager: Appliance Monitoring

SNMP added for Appliance Monitoring
Systems monitoring is an important part of operations
– Often we may overlook it in pre-sales but customers will not
Customer tools cannot be added to an appliance
– So it needs to provide sufficient capability out-of-the-box
In ISAM 8.0.0.5 an SNMP daemon has been added
– It monitors standard system parameters such as disk, cpu, memory, interfaces,
processes etc.
Currently it doesn’t monitor ISAM-specific functions
– syslog can provide integration for monitoring of this kind
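Because the appliance daemon exposes standard system parameters rather than ISAM-specific ones, a generic poller can watch it through the standard HOST-RESOURCES-MIB storage table (RFC 2790). The following is an added example, not IBM tooling: it takes the text an `snmpwalk` of `hrStorageTable` would print in net-snmp's default format (the sample lines below are constructed for the example, with made-up indexes, sizes and the `/var/log` mount) and flags entries above a usage threshold. The parser is the part worth testing, since a walk interrupted mid-table leaves incomplete rows that must be skipped rather than divided by zero.

```python
"""Flag nearly-full storage entries from an snmpwalk of HOST-RESOURCES-MIB.

Added example, not part of the ISAM appliance or any IBM product. The
OIDs are the standard hrStorage table (RFC 2790); the walk output below is
constructed sample data in net-snmp's default print format.
"""
import re
from collections import defaultdict

# Constructed sample of `snmpwalk -v3 ... <appliance> hrStorageTable` output
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /
HOST-RESOURCES-MIB::hrStorageDescr.36 = STRING: /var/log
HOST-RESOURCES-MIB::hrStorageAllocationUnits.1 = INTEGER: 1024 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.31 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageAllocationUnits.36 = INTEGER: 4096 Bytes
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 8192000
HOST-RESOURCES-MIB::hrStorageSize.31 = INTEGER: 5242880
HOST-RESOURCES-MIB::hrStorageSize.36 = INTEGER: 2621440
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 3276800
HOST-RESOURCES-MIB::hrStorageUsed.31 = INTEGER: 2097152
HOST-RESOURCES-MIB::hrStorageUsed.36 = INTEGER: 2490368
"""

# One walked cell: column name, table index, value (with net-snmp's " Bytes" hint stripped)
LINE_RE = re.compile(
    r"^HOST-RESOURCES-MIB::hrStorage(?P<col>Descr|AllocationUnits|Size|Used)"
    r"\.(?P<idx>\d+) = (?:STRING|INTEGER): (?P<val>.+?)(?: Bytes)?$"
)

REQUIRED = ("Descr", "AllocationUnits", "Size", "Used")


def parse_hr_storage(walk_text: str) -> dict:
    """Group the walked columns by hrStorageIndex into one record per entry."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line: ignore rather than abort the check
        col, idx, val = m.group("col"), int(m.group("idx")), m.group("val")
        rows[idx][col] = val if col == "Descr" else int(val)
    return dict(rows)


def usage_percent(row: dict) -> float:
    """Percent used; Size and Used are both in allocation units, so units cancel."""
    if row.get("Size", 0) == 0:
        return 0.0
    return 100.0 * row["Used"] / row["Size"]


def check_storage(walk_text: str, threshold: float = 90.0) -> list:
    """Return (descr, percent, used_bytes, size_bytes) for entries at or over threshold.

    Memory entries are reported too; filter on descr.startswith("/") to
    restrict the check to filesystems.
    """
    alerts = []
    for idx, row in sorted(parse_hr_storage(walk_text).items()):
        if not all(k in row for k in REQUIRED):
            continue  # incomplete entry (walk interrupted or table changed mid-walk)
        pct = usage_percent(row)
        if pct >= threshold:
            unit = row["AllocationUnits"]
            alerts.append((row["Descr"], round(pct, 1), row["Used"] * unit, row["Size"] * unit))
    return alerts


if __name__ == "__main__":
    for descr, pct, used, size in check_storage(SAMPLE_WALK):
        print(f"ALERT {descr}: {pct}% used ({used}/{size} bytes)")
```

Expose the daemon to the monitoring network only, and prefer SNMPv3 authentication and privacy over community strings where the appliance firmware offers it; the threshold and OID selection here are a starting point, not IBM's recommended values.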

ISAM Appliance shown in Tivoli Enterprise Monitoring (screenshot)

IBM Security Access Manager: DataPower

Silos of security are impeding business agility
(Diagram: users (consumers, employees, partners, consultants, developers) reach the business channels (web, mobile, B2B, SOA, APIs) through separate security solutions, an API management layer, a B2B gateway, an SOA gateway, a web access proxy and a mobile gateway, in front of the applications and systems.)

Multi-channel gateway
Reduce cost and improve security posture with a converged gateway
(Diagram: the same users and business channels, now fronted by a single converged gateway in front of the applications and systems.)

Introducing IBM’s multi-channel gateway solution
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway solution
(Diagram: IBM DataPower Gateway provides traffic control & optimization, message security, and message & transport bridging; ISAM for DataPower provides user access security.)
Key benefits
– Reduce operating costs: a single gateway reduces the hardware footprint and uses a common set of management and operational skills
– Improve business agility: a common security policy framework that can be shared across business channels
– Improve edge security: comprehensive security at the message level, infrastructure level and user level
– Secure user interactions: safeguard mobile, cloud and social access
– Secure app interactions: protect applications at the message level and provide optimized application delivery

ISAM for Mobile & FIM provide advanced authentication, authorization and federation capabilities with out-of-the-box integrations
ISAM for Mobile: addresses emerging web and mobile security requirements for strong and multi-factor authentication and dynamic, context-based access policies from multiple data sources including Trusteer Mobile, Pinpoint and Fiberlink MaaS360
Federated Identity Manager: provides a robust platform for centrally managing federated business partner relationships and access to SaaS applications
(Diagram: Federated Identity Manager – federated single sign-on, identity mediation, security token services; ISAM for Mobile – mobile single sign-on, strong auth & MFA, context-based access, device registration; ISAM for DataPower – policy enforcement point.)

IBM Security Identity Manager

New Capabilities Across All Products
Identity Manager v6.0.0.4 and v7.0 – simultaneous announcement:
– Same functions, different delivery: v6.0.0.4 is the software stack version for the installed base; v7.0 is virtual appliance-only for new customers
– Phase 3: Identity Service Center – business user interface
– Platform/middleware updates
– Adapter updates including Oracle, Microsoft, UNIX/Linux platform updates
– Customer-sponsored enhancements
Privileged Identity Manager v2.0 – virtual appliance-only delivery
– PIM-SIM separation with integration
– PIM for Applications option
– User experience improvement – PIM administration in Service Center UI
– SoftLayer administrative account management support
Identity Governance v5.1 – virtual appliance delivery
– Integration from SIG to SIM

Identity Service Center – home screen, updated (screenshot; optional)

Introducing SIM Virtual Appliance
SIM is Virtual Appliance only starting with SIM v7
– Positioned as “fresh start”
– Continued SIM 6.0.x software stack maintenance
Same platform as PIM and Access Manager (“Mesa”)
Offers customers a quick-to-deploy and easy-to-maintain
IdM solution
– Pre-installed components & middleware, configured through VA panels.
• External data tier required (DB2 and LDAP) for storing operational data.
• Uses existing, common admin/user web user interfaces
• Supports HA clustering
– Reduces time to value significantly
• Reduces the skills requirements for IT admins. e.g. no WAS admin skills
needed.
• Reduces patch/upgrade effort via single “firmware” update - not individual
component

SIM Virtual Appliance – cont.
Target for new Identity Manager installations
Key limitations to note:
– DB2 and Oracle (non-SSL) only, so the connection to the external data tier is not TLS-protected and should stay on an isolated network segment
– Simplification -> configurability streamlining: no access to the WAS console, middleware install hidden, etc.
• We support customization “best practices” and incorporate them into VA console configuration, but will discourage customization that makes upgrades difficult
– Role and Policy Modeler not included (transition to SIG/CrossIdeas)
Migration: existing SIM 5.1 and 6.0 customers will need to migrate environments – no automated upgrade
– Fresh start: opportunity to rethink customizations and clean up the deployment
– Tech note describing customization supports/limits to be published
– Migration assistance on the 2015 roadmap

Identity Manager Virtual Appliance – Component versions

Component | SIM 6.0.0.4                                                             | SIM VA 7.0
OS / ESX  | AIX 6.1, 7.1; RHEL 5, 6; SLES 10, 11; Solaris 10; Windows 2008, 2012   | VMware ESXi 5.x
DB        | DB2 9.5, 9.7, 10.1, 10.5; Oracle 10g, 11g, 12c                          | DB2 10.1; Oracle 12c
TDS       | SDS 6.2, 6.3, 6.3.1; Sun Directory 6.3, 7.0; ODS 11.1                   | SDS 6.3.1
SDI/TDI   | TDI 7.1, 7.1.1; SDI 7.2                                                 | TDI 7.1.1
WAS       | WAS 7.0 (without ISC); WAS 8.5, WAS 8.5.5                               | -- (inside VA)
Reports   | Cognos 10.2.1                                                           | Cognos 10.2.1
Browser   | IE 9, 10, 11; Firefox 17 ESR, 24 ESR                                    | IE 11; Firefox 24 ESR

PIM 2.0 is Appliance Only
PIM Appliance now includes less “Identity Manager”
– Only what is required to support PIM use cases
It can integrate with an Identity Manager system
– To provide full Enterprise Identity + PIM functionality
New PIM opportunities should be directed towards appliance offering
– Existing software stack customers will continue to receive support and fixes but little to no new PIM
functionality
PIM Licence still includes entitlement for SIM and ESSO
– So can still deploy and integrate these to get more function
• At the cost of additional deployment complexity

Authenticating applications without a password
OAuth 2.0 token: authorization given by a PIM domain admin to an application instance. OAuth tokens are set to one-time use.
Instance fingerprint: app instance host info, user info, network, binary hash and path, etc. Ensures that the instance is authentic.
Token request and fingerprinting are done automatically during registration, using the App ID Toolkit.
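The two controls on this slide, a one-time registration token and an instance fingerprint, as an added Python example; this models the mechanism so its failure modes can be exercised and is not IBM's App ID Toolkit or PIM code. The fingerprint fields, the token format, the in-memory store and the sample application (`payroll-batch` on host `batch01`) are assumptions made for the example. It shows why the two are combined: a replayed token fails even with the right fingerprint, and a swapped binary at the same path fails even with a valid registration.

```python
"""Register an application instance with a one-time token plus a fingerprint.

Added example, not IBM's App ID Toolkit or PIM code. Models the slide's two
controls: a one-time-use token issued by a PIM domain admin for one app
instance, and an instance fingerprint over host, user, network, binary hash
and path. Field choice, token format and storage are assumptions.
"""
import hashlib
import hmac
import secrets


def fingerprint(host: str, user: str, ip: str, binary_path: str, binary_bytes: bytes) -> str:
    """Digest of the properties that identify one running app instance.

    The binary's content hash is part of it, so a patched or swapped binary
    at the same path yields a different fingerprint and must re-register.
    """
    h = hashlib.sha256()
    for part in (host, user, ip, binary_path, hashlib.sha256(binary_bytes).hexdigest()):
        h.update(part.encode())
        h.update(b"\x00")  # field delimiter; none of these fields contain NUL
    return h.hexdigest()


class RegistrationServer:
    """Issues one-time tokens and binds the first redemption to a fingerprint."""

    def __init__(self):
        self._pending = {}    # sha256(token) -> app_id awaiting registration
        self._instances = {}  # app_id -> fingerprint of the registered instance

    def issue_token(self, app_id: str) -> str:
        """Admin step: mint a registration token for one instance of app_id."""
        token = secrets.token_urlsafe(32)
        # Keep only a digest so a dump of server state does not leak live tokens
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = app_id
        return token

    def register(self, token: str, fp: str) -> str:
        """Instance step: redeem the token and bind fp to the app id.

        The token is removed on first use, so a replay (a token captured from
        a build log, say) is rejected even if the fingerprint is correct.
        """
        app_id = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if app_id is None:
            raise PermissionError("unknown or already-used token")
        self._instances[app_id] = fp
        return app_id

    def authenticate(self, app_id: str, fp: str) -> bool:
        """Later requests present the app id and a fresh fingerprint, no password."""
        expected = self._instances.get(app_id)
        return expected is not None and hmac.compare_digest(expected, fp)


if __name__ == "__main__":
    srv = RegistrationServer()
    binary = b"\x7fELF constructed payroll-batch binary"  # constructed sample content
    fp = fingerprint("batch01", "svc_payroll", "10.0.5.12", "/opt/payroll/bin/batch", binary)
    token = srv.issue_token("payroll-batch")
    print("registered:", srv.register(token, fp))
    print("authenticated:", srv.authenticate("payroll-batch", fp))
    try:
        srv.register(token, fp)
    except PermissionError as exc:
        print("replay rejected:", exc)
```

In a real deployment the fingerprint is recomputed by the instance on every credential request, so the server-side comparison also catches the instance being moved to another host or run under another user.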

IAM Deployment Option Road Map
(Diagram, summarised as a list.)
Virtual appliance:
– PIM Greenfield: meets requirements for PIM scenarios for greenfield customers; independent VA deployment
– Identity Greenfield: meets requirements for SIM, PIM or SIG greenfield customers
– Identity Appliance (direction): full IAM suite from a single VA; enable SIM, PIM, SIG or any combination; migration for software stack customers
Software:
– IAM Software Stack: updated in parallel with the VA to give customers time to consider VA or cloud
Cloud:
– Lighthouse IAM: initial cloud IAM release; lower cost and faster deployment
– Lighthouse (direction): updated to latest IAM releases; provides IBM Service Center UI

IBM Security zSecure

zSecure products that enable integration with QRadar
(Diagram: event sources from System z – RACF, CA ACF2, CA Top Secret, z/OS, CICS, DB2 – feeding QRadar through zSecure.)

New zSecure Adapters for QRadar SIEM product
Features
– Collects and formats information from over 40 different IBM System z SMF record types, such as z/OS, RACF, ACF2, Top Secret, DB2 and CICS events (customizable)
– Additional SMF record types generated by IBM z/OS and its subsystems: data set access, z/VM, PDS member updates and deletes, UNIX file activity, FTP, Telnet and other TCP/IP activity, and many others
– Adds enriched descriptive audit information about the user and the resource from the security database and zSecure system snapshot information
– Supports more frequent collection than once a day – a job is available for use with scheduling software
Benefits
– Extend best practices and comply with regulatory/legal/compliance requirements
– Provides a holistic, centralized approach for security monitoring and plugs a hole in the enterprise security monitoring practice
– Supports separation of duties – stop the legacy practice of self-policing!
– Maximize QRadar capabilities for log management, anomaly detection, incident forensics, configuration management, vulnerability management and risk management

Stay Focused, Stay Ahead
Questions?