Identity and Access Management Scenario

(1)
(2)

IAM Tracks Security 3.0

The Mainframe Era (Security 1.0: rigid, prescriptive)
  Users: internal users only
  IAM: RACF, ACF2, Top Secret (on MVS); user IDs and passwords; fine-grained authorization

The Internet Era (Security 2.0: ponderous, reactive)
  Users: internal and external users
  IAM: access controls on every platform; user provisioning; WAM ("RACF for Web applications"); ad hoc strong authentication

The Web 2.0 Era (Security 3.0: agile, responsive)
  Users: contextual identity, personal identity frameworks (PIFs)
  IAM: processes, controls, architecture; IAM within a "policy enforcement fabric"; fine-tuned authentication; fine-grained authorization

(3)

IAM Defined

A set of processes and technologies to manage, across multiple systems:

• Users' identities: each an identifier and a set of attributes
• Users' access: interactions with information and other assets

Note: A user (person) can have one or more identities!

(4)

IAM Drivers and Benefits

Slide: three drivers (security efficiency, security effectiveness, business agility and productivity) mapped to five benefits (improve SLTs, comply with regulations, contain costs, manage risks, respond to needs), with increasing maturity. Security efficiency: do more with less, make fewer mistakes, do it more quickly. Security effectiveness: better controls, fewer mistakes, better transparency. Business agility and productivity: let the business focus on goals; let applications focus on business function and service delivery.

There are three main business drivers for IAM solutions, and they manifest as five kinds of benefit, some more applicable to one aspect of the solution than another. The first driver is security efficiency. With the growing volume of users, current staffing levels cannot accommodate the enterprise's needs, and enterprises are looking to contain administrative costs. (In addition, user information can be leveraged in many business processes that provide a consistent and more secure access control infrastructure.) Improved service-level targets (SLTs) for access request turnaround times of 24 hours or less are achievable only via automation. The second driver is security effectiveness. The ability to prove the security of the enterprise's access control infrastructure is an important requirement for retaining customers as well as obtaining them. In addition, easing internal and external audit processes is of prime concern to many enterprises. Legislation and other regulations increasingly require firms to establish robust control infrastructures, of which information security is a part. IAM facilitates

(5)

IAM in the Process-Oriented Activity Cycle

Slide: the cycle runs Plan (long-term vision, roles and responsibilities, rolling annual plan), Build (processes, architecture, controls) and Run (identity and access management, threat and vulnerability management, risk and control assessment, communications and relationship management, etc.), governed by enterprise risk management, regulatory compliance, and corporate and operational governance.

Gartner's Activity Cycle for the security officer provides a blueprint for creating and maintaining security excellence. As information security has matured, the role of the information security officer has become more important and more complex. Gartner's Activity Cycle for security officers provides a map of activities that can help security officers better understand their own roles and help them explain their role to others. The Activity Cycle breaks down three phases of security activity: planning, building and running. The planning phase breaks down into three subcategories of strategizing, organizing and annual planning. The building phase is enabled by Gartner's three "lenses" into information security: controls and policy, security architecture, and security process. Finally, the running phase encompasses continuous activities, such as the following:

• IAM
• Threat and vulnerability management
• Risk and control assessment
• Communications and relationship management

(6)

Build: (Idealized) IAM Architecture

Slide: Integrated Enterprise Architecture View. Business Architecture: IAM business requirements, IAM governance, IAM policy framework, IAM processes. Information Architecture: data classification, application IAM templates. Technology Architecture: IAM technology requirements, principles, IAM patterns, IAM services, IAM bricks. Solutions Architecture: IAM tools for identity administration, identity auditing, identity verification and access management.

The basics have not changed much over the years; business, information and technology architectures are defined for enterprise-scope issues. The guidance defined in these areas from these viewpoints must be applied to the systems (solutions) that are actually delivered by IT. A viewpoint is made up of domains, which represent a more detailed breakdown of the elements of that viewpoint. Other models are possible within viewpoints as well, including components or bricks, patterns, and services. However, components may be separated out from any of these three basic viewpoints to create additional viewpoints if the interests of a particular stakeholder would be better served that way.

(7)

Build: IAM Controls and Build/Run: IAM Processes

Slide: IAM controls (policies and standards, access model, procedures) and IAM tools (access management, identity administration, identity verification, identity auditing) sit within the enterprise's business processes and controls, shaped by information security policy, standards (ISO/IEC 27000, etc.), legislation and regulations, standard operating practices, and customers and partners. The IAM processes are the identity process, the access model process and the workflow process.

The benefits of a process-centric approach to IT operations and service management are well understood. A process-centric approach should be a cornerstone of the security management activity cycle, and hence of IAM. Processes are repeatable and scalable, and they leverage skills. They provide clear accountability, enterprisewide consistency in execution, measurability and a basis for continuous improvement. Three main processes are involved in managing identities and their access assignments to company resources: the identity modeling process, the access modeling process and the workflow process. The identity process maps the necessary roles, rules and so on, using workflow for a specific user, with the end result (for example, the creation of an account/accounts on a target system/systems, with all needed attributes and privilege

(8)

An 'AAAA' View of the Identity Process

Slide: a "real world" identity is mapped to an enterprise-defined identity (identifier and attributes) through the subprocesses prove identity, create identity, use identity, change identity, retire identity, monitor identity and report identity. Identity verification covers proving and authentication; identity administration covers administration (create, change, retire); access management covers authorization; identity auditing covers audit.

It is instructive to relate the identity process to the Gartner "AAAA" functional model of IAM:

• Administration provides a way to view and manage user identities and access. This maps to the create identity, change identity and retire identity processes. (Administration processes make use of the "use access model" and "use workflow" processes.)

• Authentication ensures that users are properly identified and that these asserted identities are verified.

• Authorization ensures that users can access only what their job function allows them to access within the company.

These two functions map to the use identity process; they are real-time access control activities. (This makes use of the "use access model" process.)

• Audit ensures that the activities associated with user access, that is, real-time enforcement (authentication and authorization), are logged for day-to-day monitoring, regulatory and investigative purposes. This maps to the report identity and monitor identity processes.

(9)

Govern: A Sample RACI Matrix

BU = business unit; CCR = create, change, retire; CRO = chief risk officer; SDLC = software development life cycle

Activity (process and subprocess)   Responsible (doer)         Accountable (overseer)   Consulted (advisor)                 Informed (watcher)

Identity
  Prove                             HR (employees), etc.       InfoSec                  ―                                   ―
  Administer (CCR)                  BUs, IT Ops.               InfoSec                  ―                                   ―
  Monitor/Report                    InfoSec, BUs, IT Ops.      InfoSec                  Compliance                          BUs
  Review/Attest                     BUs (Compliance)           Compliance (CRO)         InfoSec                             ―
  Use                               End Users                  BUs                      ―                                   ―

Access Model (e.g., roles, entitlements, SOD, …)
  Administer (CCR)                  BUs, IT Ops.               InfoSec                  ―                                   ―
  Monitor/Report                    InfoSec, BUs, IT Ops.      InfoSec                  Compliance                          BUs
  Review/Certify                    BUs                        Compliance               InfoSec                             ―
  Use                               BUs, IT Ops., End Users    InfoSec                  ―                                   ―

IAM Policy                          InfoSec                    CRO, InfoSec             BUs, Compliance, AppDev, IT Ops.    End Users
IAM SDLC                            AppDev                     CIO, InfoSec             BUs, Compliance                     ―

Activity: here based on notional subprocesses in the Gartner IAM process model; in any organization's RACI matrix, activities may be more granular, more business-oriented and specific to that organization.

A good way to define what it means to "manage a service" (for example, a particular technical service) is to create a specific responsibility matrix that defines roles and levels of activity by life cycle stage.

What to ask, and the definition of each RACI role:

Responsible: Who does the work (one person, one group or a combination)? The roles and/or groups that will perform the activity (the executioner).
Accountable: Who is accountable, has authority, can delegate? (This is usually one group.) The roles and/or groups that must ensure the activity is done (the overseer).
Consulted: Who should be involved in the work before deciding? The roles and/or groups from which input is required before the activity is executed or completed.
Informed: Who should be told about this work or these results? The roles and/or groups to which information or results must be reported after the activity is done.

(10)

IAM Tools: The Complete Picture

Slide: the four IAM tool sets, the directory technologies beneath them, and the adjacent tools they link to.

• Identity administration: password management; credential management (card management, PKI & PKO); shared account password management (SAPM); superuser privilege management (SUPM); role management; user provisioning; resource access administration (OS access management, AD/Unix integration).
• Access management: Web access management; content access management; authorization management; enterprise DRM; encryption.
• Identity verification: identity proofing; authentication (methods, form factors); single sign-on (smart-token SSO, Web SSO, Kerberos, enterprise SSO); personal identity frameworks; federated identity management; authentication infrastructure.
• Identity auditing: dedicated identity auditing tools; SOD controls within ERP; security information and event management (SIEM).
• Directory technologies: directory services (LDAP, X.500); virtual directories; metadirectories.
• Adjacent tools: network access control; SSL VPN; physical access control system (PACS); virtual environments; content monitoring and filtering and data loss prevention (CMF & DLP); database activity monitoring; network behavior analysis; fraud detection; transaction assurance; IT service management and service desk; other monitoring tools.

IAM has several major sets of tools, but customer needs and market realities tend to obscure the differences between these. IAM is a whole that is greater than the sum of its parts. Furthermore, IAM tools link to other security and nonsecurity tools.

(11)

Identity Administration and Access Management Tools

Slide: identity administration tools (SAPM, SUPM, card management, password management, credential management, role management, resource access administration, user provisioning) and access management tools (content access management, OS access management, Web access management, authorization management, enterprise DRM, encryption). NOTE: IAM > identity administration + access management.

Identity administration — User-provisioning tools are central: They provide the ability to create, modify and delete identities for resources and applications within a company. These tools frequently integrate password management, but they do not yet include other credential management tools, such as card management systems (CMSs) for use with smart cards or public-key credentials. Shared account/service account password management (SAPM) tools focus on controlling usage of passwords for shared "superuser" and similar accounts, as well as application-to-application passwords.

Increasingly, user-provisioning tools are augmented by role management for enterprises (RME) tools that can "mine" roles and manage the role life cycle. Resource access administration tools provide fine-grained administration of user access rights on specific platforms.
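What "mining" roles from existing assignments looks like in practice, as an added example (this code is not Gartner's and not any RME product's algorithm): the users, the "system:permission" entitlement names and the assignments below are constructed, and the rule used, "entitlements held by exactly the same users form one candidate role", is one simple bottom-up heuristic.

```python
"""Bottom-up role mining over existing entitlement assignments.

Added example, not from Gartner or any vendor. The data is constructed:
entitlement names are hypothetical "system:permission" strings.
"""
from collections import defaultdict

# Constructed sample: user -> entitlements currently assigned on target systems.
ASSIGNMENTS = {
    "alice": {"vpn:remote", "erp:login", "fs:finance-share",
              "erp:ap.invoice.view", "erp:ap.invoice.create",
              "erp:ap.invoice.approve"},
    "bob":   {"vpn:remote", "erp:login", "fs:finance-share",
              "erp:ap.invoice.view", "erp:ap.invoice.create"},
    "carol": {"vpn:remote", "erp:login", "fs:finance-share",
              "erp:ap.invoice.view", "erp:ap.invoice.create"},
    "dave":  {"vpn:remote", "erp:login", "fs:finance-share",
              "erp:gl.journal.post"},
    "erin":  {"vpn:remote", "hr:payroll.view"},
}


def mine_roles(assignments, min_users=2):
    """Return candidate roles as (members, entitlements) pairs.

    Each entitlement is mapped to the exact set of users holding it; the
    entitlements that share one holder set form one candidate role. A role
    never grants anyone anything they do not already hold. Holder sets smaller
    than min_users are not proposed as roles: those are direct assignments.
    """
    holders = defaultdict(set)
    for user, ents in assignments.items():
        for e in ents:
            holders[e].add(user)
    by_members = defaultdict(set)
    for e, users in holders.items():
        by_members[frozenset(users)].add(e)
    roles = [(members, frozenset(ents)) for members, ents in by_members.items()
             if len(members) >= min_users]
    # Broadest roles first: more members, then more entitlements.
    roles.sort(key=lambda r: (-len(r[0]), -len(r[1]), sorted(r[1])))
    return roles


def explain_user(user, assignments, roles):
    """Split a user's entitlements into role-derived and residual direct grants."""
    covered = set()
    user_roles = []
    for members, ents in roles:
        if user in members:
            user_roles.append(ents)
            covered |= ents
    direct = assignments[user] - covered
    return user_roles, direct


def direct_assignments(assignments, roles):
    """Entitlements held outside any candidate role: the first review queue for
    an access certification, since nothing in the role model justifies them."""
    out = {}
    for user in assignments:
        _, direct = explain_user(user, assignments, roles)
        if direct:
            out[user] = direct
    return out


if __name__ == "__main__":
    roles = mine_roles(ASSIGNMENTS)
    for i, (members, ents) in enumerate(roles, 1):
        print(f"role-{i}: members={sorted(members)} entitlements={sorted(ents)}")
    for user, direct in direct_assignments(ASSIGNMENTS, roles).items():
        print(f"review: {user} holds {sorted(direct)} outside any role")
```

On this sample the miner proposes three roles (everyone: VPN; the four finance users: ERP login plus the finance share; the three AP clerks: invoice view and create) and leaves alice's approve right, dave's journal posting and erin's payroll view as direct grants for a reviewer to certify. Raising min_users filters out pairs of users who merely happen to share an entitlement; real RME tools add naming, hierarchy and conflict checks on top of this kind of grouping.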

Access management — WAM tools are the most-mature system access management technologies, providing administration and authentication (including single sign-on [SSO]), as well as authorization, for multiple Web

(12)

Identity Verification

Slide: the identity verification tool set comprises identity proofing, authentication (methods, form factors), single sign-on (smart-token SSO, Web SSO, Kerberos, enterprise SSO), personal identity frameworks, federated identity management and authentication infrastructure.

Identity verification: identity proofing verifies the claimed identity of an individual before credential issuance or registration, and various services can automate identity proofing for real-time online registration. Authentication verifies the claimed identity of an individual accessing a system using previously issued credentials. Many different authentication methods, with a variety of form factors, are now available, including knowledge-based authentication (KBA), one-time password (OTP) tokens, smart cards with public-key

(13)

Identity Auditing

Slide: the identity auditing tool set (dedicated identity auditing tools, SOD controls within ERP, SIEM), alongside the identity administration tools that carry audit features (user provisioning, role management).

Identity auditing: IAM increasingly interfaces with security information and event management (SIEM) for IAM event monitoring and reporting, so much so that we count SIEM tools among IAM tools (although they clearly are also important within threat and vulnerability management). Major IAM vendors have made SIEM acquisitions during the past few years. SOD controls within ERP applications or other tools can identify and manage SOD conflicts and violations. Dedicated identity auditing tools focus on identity (and access) monitoring or reporting across multiple targets.

Some identity administration tools, namely user-provisioning and role management tools, have audit-focused features and benefits. Many user-provisioning tools, for example, support "attestation" (management review and sign-off of user access rights), which is required by some regulations.
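An added example of the cross-target auditing described here (not Gartner's code and not an ERP or identity-auditing product's logic): it aggregates entitlements per person across systems, checks them against constructed SOD rules, flags accounts whose owner is not active in a constructed HR feed, and turns the findings into the worklist an attestation review signs off on. The feeds, account names and rules are all constructed for illustration; the rules are not a regulatory control set.

```python
"""Identity auditing across targets: SOD conflicts, orphans, attestation list.

Added example, not from Gartner or any vendor. Every feed below is constructed.
"""

# Constructed authoritative source (HR): user id -> status.
HR_FEED = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",
    "dave": "active",
}

# Constructed target-system extracts: (system, account, owner, entitlements).
# owner is None when no person could be matched to the account.
TARGET_ACCOUNTS = [
    ("erp", "alice",     "alice", {"ap.vendor.create", "ap.invoice.approve"}),
    ("erp", "bob",       "bob",   {"ap.vendor.create", "ap.payment.release"}),
    ("erp", "carol",     "carol", {"ap.invoice.create"}),
    ("erp", "dave",      "dave",  {"ap.invoice.create"}),
    ("erp", "dave-adm",  "dave",  {"ap.invoice.approve"}),
    ("erp", "svc_batch", None,    {"gl.journal.post"}),
    ("ad",  "alice",     "alice", {"finance-share"}),
    ("ad",  "dave",      "dave",  {"finance-share"}),
]

# Constructed SOD rules: entitlement pairs one person must not hold together.
SOD_RULES = [
    frozenset({"ap.vendor.create", "ap.payment.release"}),
    frozenset({"ap.invoice.create", "ap.invoice.approve"}),
]


def entitlements_by_owner(accounts):
    """Aggregate across systems and accounts. SOD is a property of the person,
    not the account: a conflict split across two accounts is still a conflict."""
    by_owner = {}
    for _system, _account, owner, ents in accounts:
        if owner is not None:
            by_owner.setdefault(owner, set()).update(ents)
    return by_owner


def sod_violations(accounts, rules):
    """Return {owner: [(entitlement, entitlement), ...]} for every rule broken."""
    held = entitlements_by_owner(accounts)
    violations = {}
    for owner, ents in held.items():
        hits = [tuple(sorted(rule)) for rule in rules if rule <= ents]
        if hits:
            violations[owner] = hits
    return violations


def orphan_accounts(accounts, hr_feed):
    """Accounts with no owner, or whose owner is not active in the authoritative
    source: leavers that were never deprovisioned, and unowned service accounts."""
    return [(system, account) for system, account, owner, _ in accounts
            if owner is None or hr_feed.get(owner) != "active"]


def attestation_items(accounts, rules, hr_feed):
    """Reviewer worklist: one (kind, subject, detail) line per finding."""
    items = []
    for owner, pairs in sod_violations(accounts, rules).items():
        for a, b in pairs:
            items.append(("SOD", owner, f"{a} + {b}"))
    for system, account in orphan_accounts(accounts, hr_feed):
        items.append(("ORPHAN", f"{system}:{account}", "no active owner"))
    return sorted(items)


if __name__ == "__main__":
    for kind, subject, detail in attestation_items(TARGET_ACCOUNTS, SOD_RULES, HR_FEED):
        print(f"{kind:7} {subject:15} {detail}")
```

Aggregating by owner before checking is the point of the example: dave's create/approve conflict is split across two ERP accounts and would pass an account-by-account check. In a deployment the HR feed is the authoritative source and the extracts arrive through provisioning connectors; the worklist is what the business-unit reviewer attests to and what compliance is informed of, as in the RACI matrix above.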

(14)

Enabling and Extending IAM

Slide: directory technologies (directory services with LDAP and X.500, virtual directories, metadirectories) enable IAM; around the four IAM tool sets sit the tools that extend it: network access control, AD/Unix integration, SSL VPN, content monitoring and filtering and data loss prevention (CMF & DLP), database activity monitoring, network behavior analysis, fraud detection, transaction assurance, IT service management and service desk, physical access control system, virtual environments, and other monitoring tools.

Enabling IAM: directory services were once seen as the answer to all IAM ills, but the reality fell short. Nevertheless, directories are often used for centralized authentication and authorization and, along with metadirectories and, more recently, virtual directories, are foundational to IAM architectures.

Extending IAM: organizations cannot implement IAM in isolation, because IAM has many points of contact with other technologies, which may or may not have information security protections in place. Some of these technologies are highly complementary and can round out an IAM solution for a business. Other monitoring and fraud detection tools can add value to identity auditing. Identity administration increasingly interfaces with IT service management (ITSM) for integrated provisioning (and password management with service desk products), and identity verification and access management interface with Secure Sockets Layer (SSL) virtual private networks (VPNs) and network access control, especially in the emerging area of "identity networking." An organization can reduce fraud and mitigate the risk of unauthorized access by using a variety of fraud detection, data integrity and nonrepudiation technologies (transaction assurance); while such methods are functionally distinct from user authentication, they may be tightly linked at the tools level. Virtual environments and content monitoring and filtering/data loss prevention tools can enforce mandatory access control in local and remote use cases.

(15)

Which IAM Vendors Provide Which Tools?

Slide: the full IAM tool map (the same sets as in "IAM Tools: The Complete Picture": identity administration, access management, identity verification, identity auditing and directory technologies) overlaid with vendor coverage, captioned "Infrastructure vendors… (etc.) … cannot (yet) provide a 'complete' IAM solution!"

As we noted earlier, any organization looking to build a complete IAM solution will likely need more than one tool from each set. However, while we've seen considerable acquisition activity during the past several years as major infrastructure vendors have built up portfolios of IAM tools, which comprise at least user-provisioning and WAM tools, none of these can provide a "complete" solution.

On this slide, only those tools in rectangles with solid colors are available from all these vendors. Where the color fades to gray, only some of the vendors offer those tools. And where the rectangle is only gray, none of these vendors offer those tools. Often, these additional tools are available only from pure-play vendors, although some vendors offer tools from more than one set. For example, ActivIdentity offers both

(16)

Moving IAM to Security 3.0: Processes and Controls

Slide: technology adoption over a five-year planning period (2007-2012), plotting enterprise investment and deployment against time horizon (baseline, 0-6 months; tactical deployment, 6 months-2 years; strategic foundations, 3-5 years; over the horizon).

• Retirement: discrete IAM processes; passwords for higher-risk use cases
• Containment/Migration: passwords for medium-risk use cases; application-embedded authorization
• Tactical Mainstream: user provisioning; enterprise SSO; Web access management
• Strategic Mainstream: federation; role management; stronger authentication "for all"; authorization management; identity auditing
• Emerging: personal identity frameworks; versatile authentication infrastructures; IAM services (SOA); IAM/NAC integration
• Over the Horizon: IAM within a "security service bus"

The life cycle model defines deployment standards based on the following criteria:

• Retirement technology and architecture elements — Applications and development/deployment technologies that are no longer needed or obsolete in support of mission-critical business processes.

• Containment technology and service elements — Applications and technologies needed to maintain "mission critical" business processes that cannot be replaced or re-engineered. These elements should be targeted at minimal investment for maintenance of processes only.

• Mainstream technology and processes — Applications, development/deployment technologies and processes to be used by the enterprise to support tactical business processes along with infrastructure elements identified as strategic foundations to meet the five-year security vision.

• Emerging technology and processes — Typically, early adoption/leading-edge technologies that may be used for opportunistic deployment and early movement toward processes supported by workflow and technology integration.

(17)

The Future — IAM Within a Policy Enforcement Fabric

Slide: a security service bus carries a policy decision-making context (group, identity, role, attributes, authentication strength, identity proofing, federation, "platinum" status, quotas, discounts, behaviors, asset value, content type, transaction state, process state, response-time SLTs, uptime, location, device state such as patch and antivirus status, device type, time) into contextual policy, which combines business policy, operational policy, network policy and information security policy and draws on identity stores, a role store, an access model store and other policy stores. Enforcement reaches the SOA fabric, appliances, Web services, Java EE and .NET applications, and legacy systems through user-provisioning connectors. IAM tools are decomposed into discrete services within the security bus (IAM workflow → BPM?), built on standards such as WS-Fed, SAML, Liberty-ID, SPML, WSDL, XACML, WS-Trust, WS-Policy, Kerberos, X.509, HOTP, AD/ADAM, LDAP and DBMS.

IAM's most important evolution — to serve as a key enabler of business change — has yet to be realized. IAM will fulfill this role as it evolves to a set of real-time security services — externalized from and consumable by applications, configured via policy, and enforced for compliance. IAM will become an integral part of
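The "AAAA" view earlier (authentication, authorization, audit) and the externalized, policy-configured, real-time services described here, as an added example that is not Gartner's and not an XACML engine: a small policy decision point that evaluates a request against the slide's context attributes (role, authentication strength, location, device state, asset value, time) using deny-overrides combining, and returns with each decision the record a policy enforcement point should hand to identity auditing. The rules, the authentication-strength scale, the step-up table and the sample requests are all constructed.

```python
"""Externalized, contextual authorization: a minimal policy decision point.

Added example, not from Gartner and not an XACML implementation. Rules, the
strength scale and the request contexts are constructed; attribute names follow
the slide's policy decision-making context.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Context:
    """Everything the enforcement point knows at request time, passed as one
    object so a decision can be replayed from its audit record."""
    subject: str
    roles: FrozenSet[str]
    auth_strength: int      # assumed scale: 1 password, 2 OTP, 3 smart card/PKI
    location: str           # "internal" or "external"
    device_state: str       # "managed-patched", "managed-unpatched", "unmanaged"
    asset_value: str        # "low", "medium", "high"
    hour: int               # local hour of day, 0-23
    action: str             # "read", "approve", ...


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str             # "permit" or "deny"
    applies: Callable[[Context], bool]


def min_strength_for(asset_value: str) -> int:
    """Constructed step-up table: authentication strength an asset class needs."""
    return {"low": 1, "medium": 2, "high": 3}[asset_value]


POLICY = [
    Rule("block-unmanaged-external", "deny",
         lambda c: c.location == "external" and c.device_state == "unmanaged"),
    Rule("step-up-by-asset-value", "deny",
         lambda c: c.auth_strength < min_strength_for(c.asset_value)),
    Rule("high-value-business-hours", "deny",
         lambda c: c.asset_value == "high" and not 8 <= c.hour < 18),
    Rule("finance-role", "permit",
         lambda c: "finance" in c.roles and c.action in {"read", "approve"}),
    Rule("any-employee-read-low", "permit",
         lambda c: c.action == "read" and c.asset_value == "low"),
]


def decide(ctx: Context, policy=POLICY):
    """Deny-overrides combining (the same idea as XACML's deny-overrides
    algorithm): any applicable deny wins, otherwise the first applicable
    permit, otherwise deny. Returns (decision, rule name) so the PEP can say why."""
    matched = [r for r in policy if r.applies(ctx)]
    for r in matched:
        if r.effect == "deny":
            return "deny", r.name
    for r in matched:
        if r.effect == "permit":
            return "permit", r.name
    return "deny", "no-applicable-rule"


def audit_record(ctx: Context, decision: str, rule: str) -> dict:
    """What the enforcement point should emit to identity auditing / SIEM: who,
    what, the decision, the deciding rule, and the context it depended on."""
    return {
        "subject": ctx.subject, "action": ctx.action,
        "decision": decision, "rule": rule,
        "auth_strength": ctx.auth_strength, "location": ctx.location,
        "device_state": ctx.device_state, "asset_value": ctx.asset_value,
        "hour": ctx.hour,
    }


if __name__ == "__main__":
    # Constructed requests: one subject under changing context.
    base = dict(subject="alice", roles=frozenset({"finance"}), auth_strength=2,
                location="internal", device_state="managed-patched",
                asset_value="medium", hour=10, action="approve")
    for change in ({}, {"asset_value": "high"},
                   {"asset_value": "high", "auth_strength": 3},
                   {"location": "external", "device_state": "unmanaged"}):
        ctx = Context(**{**base, **change})
        decision, rule = decide(ctx)
        print(audit_record(ctx, decision, rule))
```

Two design points carry over to a real fabric. Deny rules are evaluated independently of order, so adding a new contextual constraint (a patch-state check, a quota) never weakens an existing one; and the audit record names the deciding rule and the attributes it read, which is what lets identity auditing reconstruct why an approve was allowed from an OTP session at 10:00 but refused for a high-value asset until the user stepped up.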

(18)

Recommendations

• Recognize IAM for the business issue that it is
• Establish an IAM architecture
  - Within your security architecture
  - Integrated with your enterprise architecture
• Establish IAM processes
• Establish IAM controls
• Establish IAM governance (RACI matrix)
• Implement an appropriate portfolio of IAM tools
• Look for integration points with other information security technologies, IT service management and so on
• Plan for IAM as a set of externalized real-time security
