IBM Security Systems Division

(1)

Identity management – identity and access management in an enterprise network

November 2012

IBM Security Systems Division

© 2011 IBM Corporation


(2)

Agenda

• Identities in your own enterprise

• Collaboration with partners


(3)

Think of security as a house

Problems:

• Some have little security
• Some have moderate security
• Some are very secure

• Infrastructure nightmare . . . Each department builds some
• ID/PW explosion . . . Registry & Help Desk impacts
• Many access points . . . Security problems arise
• No real security policy . . . Many inconsistent policies

(4)

IBM Identity and Access Management Vision


(5)

Identity Management helps demonstrate governance within enterprise

1. Empower business owners and analysts to design with simple choice role mining
2. Use role analytics catalog, project based scoping to implement best practices
3. Get effective role structure with validation using SoD simulations and automatic approval

Screenshots show the steps: General information > Select users > Select permissions

Identity management in an interconnected enterprise

(6)
(7)

Ability to deliver effective privileged identity control with a secure vault and automated sign-on

1. Configure Privileged Account (Admin ID)
2. User’s credential is automatically checked out of the vault and used to log user into privileged account.
• User activity is logged
• Credential is automatically checked in to vault upon logout

Built on proven IBM Identity and Enterprise Single Sign-On capabilities and supports integrated deployment

(8)

Risk Based Access Management

Diagram (zones: Unsecure zone, DMZ, Secure zone); components shown: Firewall, Web App, WebSEAL, TFIM RBA Runtime (Azn Svc, Attr Collector Svc), RBA EAS, Phone

(9)

Risk Score

A risk score is an integer value between 0 and 100 that indicates the overall risk (sometimes thought of as a confidence level) of the current request: 0 indicates no risk and 100 indicates a very risky request.

If a match (exact, inexact, subnet, regex, location, behavior, custom, etc.) is found for the configured policy attribute, the weight value is added to the total that is used to determine the risk score.

– The policy attributes range from static user credential attributes to transactional, context-based attributes (e.g., the user's location or the operating system of the client), including custom 3rd-party attributes.

Persistent data is stored per user, and each user might have several sets of data stored to be matched against.

(10)

Risk Score (con’t)

Out of the box we plan to provide the following ‘matchers’:

• Exact:

Illustrated in the previous slide; returns true if the attribute exactly matches any previous attribute pulled from the persistent store for that user.

• Network:

The network matcher provides a static inclusion / exclusion list of network IPs/subnets. If the client’s IP matches the inclusion list and does not match the exclusion list, the matcher returns true.

Another feature of this matcher is that the administrator can configure a variable on the inclusion list that represents previously registered IPs for the user, pulled from the persistent store.

• Location:

Used to compare geolocation data. It compares the current location against previously registered locations and, if the distance is within the configured range, returns true. See a later slide for more details.

• Behavioral:

Calculates the probability that the specific resource is used at the current moment in time, using a set of algorithms over historical data.

• JavaScript Rule:

(11)

Risk Score (con’t)

Determines whether the location of the login session is within the allowable range of the known locations.

Configuration:

• Maximum allowable distance between points, in kilometers.

• How to take the accuracy into account. This is optional; the default is midpoint. The diagram below illustrates how the ‘midpoint’, ‘closest’, and ‘farthest’ distances are calculated using the accuracy distance.

Diagram labels: Midpoint, Closest
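The scoring rule and the exact, network and location matchers described on the risk-score slides, as an added worked example in Python (this is not IBM's code and is not taken from the deck). It assumes a persistent store shaped as a list of previously registered attribute dicts per user; that the score is 100 minus the matched share of the total policy weight, so a request matching every attribute scores 0 and one matching none scores 100; and that ‘closest’ and ‘farthest’ subtract or add both reported accuracy radii to the centre-to-centre distance. The sample history, policy and requests are constructed.

```python
"""Weighted risk score from per-attribute matchers (added worked example, not
IBM's code). Assumed: the persistent store is a list of registered attribute
dicts per user, and the score is 100 minus the matched share of the total
policy weight. Sample history and requests are constructed."""
import ipaddress
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def exact_matcher(attr):
    """Exact: the request attribute equals that attribute in any stored set."""
    def match(current, history):
        return attr in current and any(rec.get(attr) == current[attr] for rec in history)
    return match

def network_matcher(include, exclude, use_history=True):
    """Network: static inclusion/exclusion lists of IPs or subnets; with
    use_history the user's registered IPs are appended to the inclusion list."""
    inc = [ipaddress.ip_network(n) for n in include]
    exc = [ipaddress.ip_network(n) for n in exclude]
    def match(current, history):
        ip = ipaddress.ip_address(current["ip"])
        inclusion = inc + ([ipaddress.ip_network(r["ip"]) for r in history if "ip" in r]
                           if use_history else [])
        return any(ip in n for n in inclusion) and not any(ip in n for n in exc)
    return match

def location_matcher(max_km, accuracy="midpoint"):
    """Location: some stored location lies within max_km. accuracy says how the
    reported accuracy radius (metres) of both points is applied: midpoint ignores
    it, closest subtracts both radii, farthest adds them (assumed reading)."""
    if accuracy not in ("midpoint", "closest", "farthest"):
        raise ValueError("accuracy must be midpoint, closest or farthest")
    def match(current, history):
        for rec in history:
            if "lat" not in rec or "lat" not in current:
                continue
            d = haversine_km(current["lat"], current["lon"], rec["lat"], rec["lon"])
            radii_km = (current.get("accuracy_m", 0) + rec.get("accuracy_m", 0)) / 1000.0
            if accuracy == "closest":
                d = max(0.0, d - radii_km)
            elif accuracy == "farthest":
                d += radii_km
            if d <= max_km:
                return True
        return False
    return match

def risk_score(current, history, policy):
    """policy: list of (name, weight, matcher). Each firing matcher adds its weight;
    the score is the unmatched share of the total weight scaled to 0..100."""
    total = sum(w for _, w, _ in policy)
    matched_weight, matched = 0, []
    for name, weight, matcher in policy:
        if matcher(current, history):
            matched_weight += weight
            matched.append(name)
    return (round(100 * (1 - matched_weight / total)) if total else 100), matched

# Constructed persistent data for one user: two registered attribute sets.
HISTORY = [
    {"os": "Windows", "browser": "Firefox", "ip": "198.51.100.10",
     "lat": 59.3293, "lon": 18.0686, "accuracy_m": 500},
    {"os": "iOS", "browser": "Safari", "ip": "203.0.113.7",
     "lat": 59.3326, "lon": 18.0649, "accuracy_m": 2000},
]
# Constructed policy: (attribute name, weight, matcher).
POLICY = [
    ("os", 20, exact_matcher("os")),
    ("browser", 10, exact_matcher("browser")),
    ("network", 30, network_matcher(["10.0.0.0/8"], ["10.99.0.0/16"])),
    ("location", 40, location_matcher(max_km=5, accuracy="farthest")),
]

def score_known_device():
    """Same OS and browser, a registered IP, and a nearby location -> score 0."""
    current = {"os": "Windows", "browser": "Firefox", "ip": "198.51.100.10",
               "lat": 59.3300, "lon": 18.0700, "accuracy_m": 300}
    return risk_score(current, HISTORY, POLICY)

def score_unknown_location():
    """Only the OS matches: new browser, excluded subnet, distant location -> 80."""
    current = {"os": "Windows", "browser": "Chrome", "ip": "10.99.4.4",
               "lat": 48.8566, "lon": 2.3522, "accuracy_m": 50}
    return risk_score(current, HISTORY, POLICY)

def accuracy_modes():
    """A point 1.2 km from the first stored location with 1 km allowed: only the
    best-case 'closest' reading counts it as a known location."""
    current = {"lat": 59.3401, "lon": 18.0686, "accuracy_m": 300}
    return {m: location_matcher(1.0, m)(current, HISTORY[:1])
            for m in ("midpoint", "closest", "farthest")}
```

The network matcher applies the exclusion list after the inclusion list, so a previously registered IP that now sits in an excluded subnet still fails the match. For the location matcher, ‘farthest’ is the conservative choice when the policy is used to lower risk: a request only counts as coming from a known place if it does so even after both reported accuracy radii are held against it, while ‘closest’ gives the request the benefit of the doubt.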

(12)

Diagram tiers: Client System (browser, rich client, mobile) | Firewall | Proxy/Intermediary | Web Application Server/Portal Server | Firewall | Existing Application | Enterprise Information System

Identity labels along the path: Jon, [email protected] <Jd_token>, Mapped to j212_saml, Mapped to z42_ptkt, z42

• Provide applications auditable identities for controlling access and compliance

• Standards-based run-time security enables ease of integration

Security Access Services: Authentication Services, Identity Services, Authorization Services, Audit Services, Integrity Services, Confidentiality Services

Enable secure mobile, social and cloud transformations

(13)

Key Management

Encryption and keys are used everywhere, with more products enabled for security

• Hardware acceleration has made encryption performance acceptable

• It is important to remember that encrypted data cannot be compressed or de-duplicated

Diagram: Key Management spanning File system, Middleware, Database, Application, SmartGRID

Why is this important?

• If you lose your keys you lose your data – so robust key management is required

• If you lose control of the device the data is secure

• To erase data or sanitize for end of life just power off

• Who gets keys determines who has access to data – so you can enforce access control by controlling the keys

(14)

Privileged user controls key to detecting insider fraud

Who? An internal user
What? Oracle data
Where? Gmail
Result: Potential Data Loss

Threat detection in the post-perimeter world

(15)

Agenda

• Identities in your own enterprise

• Collaboration with partners

(16)

Real World of Identities…

(17)

Distributed identity management in an Identity Federation

Identity Provider:

• Register and Manage Identity
• Authenticate
• Provision
• Assert Identity

Flows to the Service Provider: Authentication Information, Identity Information

Service Provider:

• Authorize
• Provide Service
• Guest Account, Local
• Provision
• Assert Identity

(18)

Diagram components: Partner, CRM Application, Portal, Service

Traditional Web SSO

(19)

Agenda

• Identities in your own enterprise

• Collaboration with partners

(20)

Business Solutions on Cloud - simple use case

Business Solutions on Cloud

Diagram (Cloud Services connected over the Internet, steps 1 to 4): IdP provides SSO service from partner to partner during session; step 4: User requests a resource

(21)

IBM

