IAM Tracks Security 3.0

The Mainframe Era (Security 1.0): rigid, prescriptive
• Internal users only
• RACF, ACF2, Top Secret (on MVS)
• User IDs and passwords
• Fine-grained authorization

The Internet Era (Security 2.0): ponderous, reactive
• Internal and external users
• Access controls on every platform
• User provisioning
• WAM ("RACF for Web applications")
• Ad hoc strong authentication

The Web 2.0 Era (Security 3.0): agile, responsive
• Contextual identity, PIFs
• Processes, controls, architecture
• IAM within a "policy enforcement fabric"
• Fine-tuned authentication
• Fine-grained authorization
IAM Defined
A set of processes and technologies to manage, across multiple systems:
• Users' identities — each an identifier and a set of attributes
• Users' access — interactions with information and other assets
Note: A user (person) can have one or more identities!
IAM Drivers and Benefits
Drivers: Comply With Regulations; Contain Costs; Manage Risks; Respond to Needs
Benefits, in order of increasing maturity:
• Security Efficiency: do more with less; make fewer mistakes; do it more quickly; improve SLTs
• Security Effectiveness: better controls; fewer mistakes; better transparency
• Business Agility and Productivity: let business focus on goals; let apps. focus on business function and service delivery

There are three main business drivers for IAM solutions that manifest as five kinds of benefit — some more applicable for one aspect of the solution than another. The first is security efficiency. With the growing volume of users, current staffing levels cannot accommodate the enterprise's needs. Enterprises are looking to contain administrative costs. (In addition, user information can be leveraged in many business processes that provide a consistent and more secure access control infrastructure.) Improved service-level targets (SLTs) for access request turnaround times of 24 hours or less are achievable only via automation. The second is security effectiveness. The ability to prove the security of the enterprise's access control infrastructure is an important requirement for maintaining customers, as well as obtaining them. In addition, easing internal and external audit processes is of prime concern to many enterprises. Legislation and other regulations increasingly require firms to establish robust control infrastructures, of which information security is a part. IAM facilitates
IAM in the Process-Oriented Activity Cycle
Plan: Long-Term Vision; Roles and Responsibilities; Rolling Annual Plan
Build: Processes; Architecture; Controls
Run: Identity and Access Management; Threat and Vulnerability Management; Risk and Control Assessment; Communications and Relationship Management; Etc.
Govern: Enterprise Risk Management ● Regulatory Compliance ● Corporate and Operational Governance

Gartner's Activity Cycle for the security officer provides a blueprint for creating and maintaining security excellence. As information security has matured, the role of the information security officer has become more important and more complex. Gartner's Activity Cycle for security officers provides a map of activities that can help security officers better understand their own roles and help them explain their role to others. The Activity Cycle breaks down three phases of security activity: planning, building and running. The planning phase breaks down into three subcategories of strategizing, organizing and annual planning. The building phase is enabled by Gartner's three "lenses" into information security: controls and policy, security architecture, and security process. Finally, the running phase encompasses continuous activities, such as the following:
• IAM
• Threat and vulnerability management
• Risk and control assessment
• Communications and relationship management
Build: (Idealized) IAM Architecture
Integrated Enterprise Architecture View
Viewpoints: Business Architecture; Information Architecture; Technology Architecture; Solutions Architecture
IAM elements across the viewpoints: IAM business requirements; IAM governance; IAM policy framework; IAM processes; IAM technology requirements; principles; IAM patterns; IAM services; IAM bricks; IAM tools (Identity Administration, Identity Auditing, Identity Verification, Access Management); IAM data classification; application IAM templates

The basics have not changed much over the years; business, information and technology architectures are defined for enterprise-scope issues. The guidance defined in these areas from these viewpoints must be applied to the systems (solutions) that are actually delivered by IT. A viewpoint is made up of domains, which represent a more detailed breakdown of the elements of that viewpoint. Other models are possible within viewpoints as well, including components or bricks, patterns, and services. However, components may be separated out from any of these three basic viewpoints to create additional viewpoints if the interests of a particular stakeholder would be better served that way.
Build: IAM Controls and Build/Run: IAM Processes
IAM Controls: Policies and Standards; Access Model; Procedures; Tools (Access Management, Identity Administration, Identity Verification, Identity Auditing)
IAM Processes: Identity; Access Model; Workflow
Inputs: Business Processes and Controls; Information Security Policy; Standards (ISO/IEC 27000, etc.); Legislation & Regulations; Standard Operating Practices; Customers & Partners
The benefits of a process-centric approach to IT operations and service management are well-understood. A process-centric approach should be a cornerstone of the security management activity cycle — and hence of IAM. Processes are repeatable and scalable, and they leverage skills. They provide clear accountability, enterprisewide consistency in execution, measurability and a basis for continuous improvement. Three main processes are involved in managing identities and their access assignments to company resources: the identity modeling process, the access modeling process and the workflow process. The identity process maps the necessary roles, rules and so on, using workflow for a specific user, with the end result (for example, the creation of an account/accounts on a target system/systems, with all needed attributes and privilege
The Identity Process
"Real World" Identity → Enterprise-Defined Identity (Identifier & Attributes)
Create Identity → Use Identity → Retire Identity, with Change Identity, Report Identity and Monitor Identity running alongside
An 'AAAA' View of the Identity Process
Prove Identity and Authentication → Identity Verification; Administration → Identity Administration; Authorization → Access Management; Audit → Identity Auditing
It is instructive to relate the identity process to the Gartner "AAAA" functional model of IAM:
• Administration provides a way to view and manage user identities and access. This maps to the create identity, change identity and retire identity processes. (Administration processes make use of the "use access model" and "use workflow" processes.)
• Authentication ensures that users are properly identified and that these asserted identities are verified.
• Authorization ensures that users can access only what their job function allows them to access within the company. These two functions map to the use identity process — these are real-time access control activities. (This makes use of the "use access model" process.)
• Audit ensures that the activities associated with user access — that is, real-time enforcement (authentication and authorization) — are logged for day-to-day monitoring, regulatory and investigative purposes. This maps to the report identity and monitor identity processes.
Govern: A Sample RACI Matrix
BU = business unit; CCR = create, change, retire; CRO = chief risk officer; SDLC = software development life cycle

Activity (Process and Subprocess) | Responsible (Doer) | Accountable (Overseer) | Consulted (Advisor) | Informed (Watcher)
Identity: Administer (CCR) | BUs, IT Ops. | InfoSec | ― | ―
Identity: Monitor/Report | InfoSec, BUs, IT Ops. | InfoSec | Compliance | BUs
Identity: Review/Attest | BUs (Compliance) | Compliance (CRO) | InfoSec | ―
Identity: Prove | HR (employees), etc. | InfoSec | ― | ―
Identity: Use | End Users | BUs | ― | ―
Access Model (e.g., roles, entitlements, SOD, …): Administer (CCR) | BUs, IT Ops. | InfoSec | ― | ―
Access Model: Monitor/Report | InfoSec, BUs, IT Ops. | InfoSec | Compliance | BUs
Access Model: Review/Certify | BUs | Compliance | InfoSec | ―
Access Model: Use | BUs, IT Ops. | End Users, InfoSec | ― | ―
IAM Policy | InfoSec | CRO, InfoSec | BUs, Compliance, AppDev, IT Ops. | End Users
IAM SDLC | AppDev | CIO, InfoSec | BUs, Compliance | ―

Activity – Here based on notional subprocesses in Gartner IAM process model; in any organization's RACI matrix, activities may be more granular, more business-oriented and specific to that organization.

A good way to define what it means to "manage a service" — for example, a particular technical service — is to create a specific responsibility matrix that defines roles and levels of activity by life cycle stage.

Role | What to Ask | Definition
Responsible | Who does the work (one person, one group or a combination)? | The roles and/or groups that will perform the activity (executioner)
Accountable | Who is accountable, has authority, can delegate? (This is usually one group.) | The roles and/or groups that must ensure the activity is done (overseer)
Consulted | Who should be involved in the work before deciding? | The roles and/or groups from which input is required before the activity is executed or completed
Informed | Who should be told about this work or these results? | The roles and/or groups to which information or results must be reported after the activity is done
IAM Tools: The Complete Picture
Identity Administration: Identity Management (Password Management; Credential Management, including PKI & PKO and Card Management; Role Management; Resource Access Administration; User Provisioning); Shared Account Password Management (SAPM); Superuser Privilege Management (SUPM)
Directory Technologies: LDAP; X.500; Directory Services; Virtual Directories; Metadirectories; AD/Unix Integration
Access Management: Content Access Management; OS Access Management; Web Access Management; Network Access Control; Authorization Management; Enterprise DRM; Encryption
Identity Auditing: SOD Controls Within ERP; Security Information and Event Management (SIEM)
Identity Verification: Identity Proofing; Authentication (Smart-Token SSO, Web SSO, Kerberos, Enterprise SSO methods, form factors); Single Sign-On; Personal Identity Frameworks; Federated Identity Management; Authentication Infrastructure
Adjacent tools: CMF & DLP (Content Monitoring and Filtering and Data Loss Prevention); Database Activity Monitoring; Network Behavior Analysis; Fraud Detection; IT Service Management; Service Desk; Transaction Assurance; Physical Access Control System (PACS); Virtual Environments; SSL VPN; Other Monitoring Tools
IAM has several major sets of tools, but customer needs and market realities tend to obscure the differences between these. IAM is a whole that is greater than the sum of its parts. Furthermore, IAM tools link to other security and nonsecurity tools.
Identity Administration and Access Management Tools
Identity Administration: Identity Management (Password Management, Credential Management, Card Management, Role Management, Resource Access Administration, User Provisioning); SAPM; SUPM
Access Management: Content Access Management; OS Access Management; Web Access Management; Authorization Management; Enterprise DRM; Encryption
NOTE: IAM > Identity Administration + Access Management
Identity administration — User-provisioning tools are central: They provide the ability to create, modify and delete identities for resources and applications within a company. These tools frequently integrate password management, but they do not yet include other credential management tools, such as card management systems (CMSs) for use with smart cards or public-key credentials. Shared account/service account password management (SAPM) tools focus on controlling usage of passwords for shared "superuser" and similar accounts, as well as application-to-application passwords.
Increasingly, user-provisioning tools are augmented by role management for enterprises (RME) tools that can "mine" roles and manage the role life cycle. Resource access administration tools provide fine-grained administration of user access rights on specific platforms.
Access management — WAM tools are the most-mature system access management technologies, providing administration and authentication (including single sign-on [SSO]), as well as authorization, for multiple Web
Identity Verification
Identity Verification: Identity Proofing; Authentication (Smart-Token SSO, Web SSO, Kerberos, Enterprise SSO methods, form factors); Single Sign-On; Personal Identity Frameworks; Federated Identity Management; Authentication Infrastructure
Identity verification — Identity proofing verifies the claimed identity of an individual before credential issuance or registration, and various services can automate identity proofing for real-time online registration. Authentication verifies the claimed identity of an individual accessing a system using previously issued
credentials. Many different authentication methods, with a variety of form factors, are now available, including knowledge-based authentication (KBA), one-time password (OTP) tokens, smart cards with public-key
Identity Auditing
Identity Auditing: SOD Controls Within ERP; SIEM
Related Identity Administration tools: Identity Management (Role Management, User Provisioning)
Identity auditing — IAM increasingly interfaces with security information and event management (SIEM) for IAM event monitoring and reporting — so much so that we sequester SIEM tools as IAM tools (although they clearly are also important within threat and vulnerability management). Major IAM vendors have made SIEM acquisitions during the past few years. SOD controls within ERP applications or other tools can identify and manage SOD conflicts and violations. Dedicated identity auditing tools focus on identity (and access) monitoring or reporting across multiple targets.
Some identity administration tools — namely, user-provisioning and role management tools — have audit-focused features and benefits. Many user-provisioning tools, for example, support "attestation" —management review and sign-off of user access rights — required by some regulations.
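The identity process and the identity-auditing functions discussed above (create/change/retire with an audit trail, an access model of roles and entitlements, SOD conflict detection, reconciliation of accounts that were never provisioned, and an attestation report for management sign-off) can be made concrete in code. The following Python is an added example, not code from this deck or from any product it names; the roles, entitlements, SOD rules, target systems and user identifiers are constructed sample data, and the "<system>:<privilege>" entitlement notation is an assumption for illustration.

```python
# Added example, not code from the Gartner deck or from any product it names.
# A toy identity-administration store with identity-auditing checks. Roles,
# entitlements, SOD rules and all identifiers below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Access model (constructed): role -> entitlements, written "<target system>:<privilege>".
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk":   {"erp:create_vendor", "erp:enter_invoice"},
    "ap_manager": {"erp:approve_payment"},
}

# SOD rules (constructed): entitlement pairs one active identity must never hold together.
SOD_RULES: Set[Tuple[str, str]] = {
    ("erp:create_vendor", "erp:approve_payment"),
    ("erp:enter_invoice", "erp:approve_payment"),
}


def systems_for(roles: Set[str]) -> Set[str]:
    """Target systems an identity needs an account on, derived from its roles."""
    return {e.split(":", 1)[0] for r in roles for e in ROLE_ENTITLEMENTS.get(r, set())}


@dataclass
class Identity:
    identifier: str                 # the identifier ...
    attributes: Dict[str, str]      # ... and its set of attributes
    roles: Set[str] = field(default_factory=set)
    active: bool = True


class IdentityStore:
    """Create / change / retire identities, provision target-system accounts,
    keep an audit trail, and expose the views an identity auditor needs."""

    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.accounts: Dict[str, Set[str]] = {}          # target system -> account ids
        self.audit_log: List[Tuple[str, str, str]] = []  # (actor, action, subject)

    # --- administration: create / change / retire ---
    def create(self, actor: str, identifier: str, attributes: Dict[str, str], roles: Set[str]) -> Identity:
        ident = Identity(identifier, dict(attributes), set(roles))
        self.identities[identifier] = ident
        for system in systems_for(ident.roles):            # provisioning step
            self.accounts.setdefault(system, set()).add(identifier)
        self.audit_log.append((actor, "create", identifier))
        return ident

    def change_roles(self, actor: str, identifier: str, roles: Set[str]) -> None:
        ident = self.identities[identifier]
        ident.roles = set(roles)
        for system in systems_for(ident.roles):            # provision any newly needed system
            self.accounts.setdefault(system, set()).add(identifier)
        self.audit_log.append((actor, "change", identifier))

    def retire(self, actor: str, identifier: str) -> None:
        self.identities[identifier].active = False
        for accts in self.accounts.values():                # deprovision everywhere
            accts.discard(identifier)
        self.audit_log.append((actor, "retire", identifier))

    def register_external_account(self, system: str, account: str) -> None:
        """Simulates reconciliation discovering an account created directly on a
        target system, outside the provisioning tool (hence no audit entry)."""
        self.accounts.setdefault(system, set()).add(account)

    # --- auditing: monitor / report ---
    def entitlements(self, identifier: str) -> Set[str]:
        return {e for r in self.identities[identifier].roles for e in ROLE_ENTITLEMENTS.get(r, set())}

    def sod_violations(self) -> List[Tuple[str, Tuple[str, str]]]:
        """Active identities whose combined entitlements break an SOD rule."""
        found = []
        for identifier in sorted(self.identities):
            if not self.identities[identifier].active:
                continue
            held = self.entitlements(identifier)
            for a, b in sorted(SOD_RULES):
                if a in held and b in held:
                    found.append((identifier, (a, b)))
        return found

    def orphaned_accounts(self) -> Set[Tuple[str, str]]:
        """Accounts on target systems with no active identity behind them."""
        live = {i for i, ident in self.identities.items() if ident.active}
        return {(system, acct) for system, accts in self.accounts.items()
                for acct in accts if acct not in live}

    def attestation_report(self) -> Dict[str, List[str]]:
        """What a business-unit reviewer signs off on: each active identity's entitlements."""
        return {i: sorted(self.entitlements(i)) for i, ident in self.identities.items() if ident.active}


if __name__ == "__main__":
    store = IdentityStore()
    store.create("hr-feed", "alice", {"dept": "finance"}, {"ap_clerk"})
    store.create("hr-feed", "bob", {"dept": "finance"}, {"ap_manager"})
    store.change_roles("helpdesk", "alice", {"ap_clerk", "ap_manager"})  # toxic combination
    store.register_external_account("erp", "svc_legacy")                  # never provisioned
    store.retire("hr-feed", "bob")
    print(store.sod_violations(), store.orphaned_accounts(), store.attestation_report())
```

The three auditing views map onto the slide's categories: sod_violations() is the SOD control, orphaned_accounts() is the reconciliation a dedicated identity auditing tool performs across targets, and attestation_report() is the input to the management review and sign-off that some regulations require.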
Enabling and Extending IAM
IAM tool sets shown: Identity Administration (PKI & PKO, Password Management, Identity Management, Credential Management, User Provisioning); Identity Verification (Web SSO, Enterprise SSO methods, form factors, Personal Identity Frameworks, Single Sign-On, Authentication, Federated Identity Management); Access Management (Content Access Management); Identity Auditing
Enabling: Directory Technologies (LDAP, X.500, Directory Services, Virtual Directories, Metadirectories, AD/Unix Integration)
Extending: Network Access Control; CMF & DLP (Content Monitoring & Filtering and Data Loss Prevention); Database Activity Monitoring; Network Behavior Analysis; Fraud Detection; IT Service Management; Service Desk; Transaction Assurance; Physical Access Control System; Virtual Environments; SSL VPN; Other Monitoring Tools
Enabling IAM — Directory services were once seen as the answer to all IAM ills — but the reality fell short. Nevertheless, directories are often used for centralized authentication and authorization, and — along with metadirectories and, more recently, virtual directories — are foundational to IAM architectures.
Extending IAM — Organizations cannot implement IAM in isolation because IAM has many points of contact with other technologies — which may or may not have information security protections in place. Some of these technologies are highly complementary and can round out an IAM solution for a business. Other monitoring and fraud detection tools can add value to identity auditing. Identity administration increasingly interfaces with IT service management (ITSM) for integrated provisioning (and password management with service desk products), and identity verification and access management with Secure Sockets Layer (SSL) virtual private networks (VPNs) and network access control, especially in the emerging area of "identity networking." An organization can reduce fraud and mitigate the risk of unauthorized access by using a variety of fraud detection, data integrity and nonrepudiation technologies (transaction assurance); while such methods are functionally distinct from user authentication, they may be tightly linked at the tools level. Virtual environments and content monitoring and filtering/data loss prevention tools can enforce mandatory access control in local and remote use cases.
Which IAM Vendors Provide Which Tools?
[Slide: the IAM tool map (Identity Administration, Directory Technologies, Access Management, Identity Verification, Identity Auditing and their constituent tools, as listed under "IAM Tools: The Complete Picture"), shaded by vendor coverage]
Infrastructure vendors… (etc.) … cannot (yet) provide a "complete" IAM solution!
As we noted earlier, any organization looking to build a complete IAM solution will likely need more than one tool from each set. However, while we've seen considerable acquisition activity during the past several years as major infrastructure vendors have built up portfolios of IAM tools, which comprise at least user-provisioning and WAM tools — none of these can provide a "complete" solution.
On this slide, only those tools in rectangles with solid colors are available from all these vendors. Where the color fades to gray, only some of the vendors offer those tools. And where the rectangle is only gray, none of these vendors offer those tools. Often, these additional tools are available only from pure-play vendors — although some vendors offer tools from more than one set. For example, ActivIdentity offers both
Moving IAM to Security 3.0: Processes and Controls
Technology Adoption: Five-Year Planning Period (2007-2012)
Enterprise Investment and Deployment, by horizon:
• Retirement: Discrete IAM processes; Passwords for higher-risk use cases
• Containment/Migration: Passwords for medium-risk use cases; Application-embedded authorization
• Baseline (0-6 Months) and Tactical Deployment (6 Months-2 Years), Tactical Mainstream: User provisioning; Enterprise SSO; Web access management
• Strategic Foundations (3-5 Years), Strategic Mainstream: Federation; Role management; Stronger authentication "for all"; Authorization management; Identity auditing
• Over the Horizon: IAM within "security service bus"
• Emerging: Personal identity frameworks; Versatile authentication infrastructures; IAM services (SOA); IAM/NAC integration
The life cycle model defines deployment standards based on the following criteria:
• Retirement technology and architecture elements — Applications and development/deployment technologies that are no longer needed or obsolete in support of mission-critical business processes.
• Containment technology and service elements — Applications and technologies needed to maintain "mission critical" business processes that cannot be replaced or re-engineered. These elements should be targeted at minimal investment for maintenance of processes only.
• Mainstream technology and processes — Applications, development/deployment technologies and processes to be used by the enterprise to support tactical business processes along with infrastructure elements identified as strategic foundations to meet the five-year security vision.
• Emerging technology and processes — Typically, early adoption/leading-edge technologies that may be used for opportunistic deployment and early movement toward processes supported by workflow and technology integration.
The Future — IAM Within a Policy Enforcement Fabric
Policy Decision-Making Context: Identity Stores; Role Store; Access Model Store; Other Policy Stores; Federation
Context attributes: Group; Identity; Role; Attributes; Authentication Strength; Identity Proofing; Behaviors; Asset Value; Content Type; Transaction State; Process State; Response Time SLTs; Uptime; Location; Device State (Patch, Antivirus); Time; Device Type; business attributes such as "Platinum", Quotas, Discounts
Contextual Policy, drawn from: Business Policy; Operational Policy; Network Policy; Information Security Policy
Security Service Bus / SOA Fabric: Appliances; Web Services; Java EE and .NET Apps.; UP legacy Connectors
IAM tools decomposed into discrete services within the security bus (IAM workflow → BPM?): WS-Fed; SAML; Liberty-ID; SPML; WSDL; XACML; WS-Trust; WS-Policy; Kerberos; X.509; HOTP; AD/ADAM; LDAP; DBMS
IAM's most important evolution — to serve as a key enabler of business change — has yet to be realized. IAM will fulfill this role as it evolves to a set of real-time security services — externalized from and consumable by applications, configured via policy, and enforced for compliance. IAM will become an integral part of
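The "real-time security services, externalized from applications and configured via policy" idea is easiest to see with a policy decision point that applications call instead of embedding authorization rules themselves. The Python below is an added example, not code from this deck and not an XACML implementation: it evaluates a contextual policy over the kinds of attributes the slide lists (role, authentication strength, device state, location, asset value) and returns permit, deny or a step-up obligation. The rule set, the attribute names, the authentication-strength scale and the sample requests are assumptions constructed for illustration.

```python
# Added example, not code from the Gartner deck and not an XACML implementation.
# A toy policy decision point (PDP) evaluating a contextual policy; the
# application reaches it through a small enforcement wrapper (PEP) instead of
# embedding authorization rules. Rule set, attribute names and the
# authentication-strength scale are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

PERMIT, DENY, STEP_UP = "permit", "deny", "step_up"   # STEP_UP: obligation to re-authenticate


@dataclass(frozen=True)
class Context:
    """Policy decision-making context assembled by the enforcement point."""
    role: str
    action: str
    asset_value: str        # "low" | "medium" | "high"
    auth_strength: int      # assumed scale: 1 = password, 2 = OTP, 3 = smart card
    device_patched: bool
    location: str           # "office" | "remote"


# Coarse-grained part of the access model (constructed): role -> allowed actions.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "ap_clerk":   {"enter_invoice"},
    "ap_manager": {"enter_invoice", "approve_payment"},
}

# Contextual rules (constructed), evaluated in order; first match wins.
# Deny rules are listed before step-up rules so a deny is never masked by a step-up.
CONTEXT_RULES: List[Tuple[str, Callable[[Context], bool], str]] = [
    ("unpatched device may not touch high-value assets",
     lambda c: c.asset_value == "high" and not c.device_patched, DENY),
    ("high-value assets require at least OTP strength",
     lambda c: c.asset_value == "high" and c.auth_strength < 2, STEP_UP),
    ("remote access to high-value assets requires smart-card strength",
     lambda c: c.asset_value == "high" and c.location == "remote" and c.auth_strength < 3, STEP_UP),
]


def decide(ctx: Context) -> Tuple[str, str]:
    """Policy decision point: returns (effect, reason). Anything not entitled is denied."""
    if ctx.action not in ROLE_ACTIONS.get(ctx.role, set()):
        return DENY, f"role {ctx.role!r} is not entitled to {ctx.action!r}"
    for reason, matches, effect in CONTEXT_RULES:
        if matches(ctx):
            return effect, reason
    return PERMIT, "role entitled and no contextual rule triggered"


def enforce(ctx: Context, business_fn: Callable[[], object]) -> Dict[str, object]:
    """Policy enforcement point: the application supplies only the business function."""
    effect, reason = decide(ctx)
    if effect != PERMIT:
        return {"allowed": False, "effect": effect, "reason": reason}
    return {"allowed": True, "effect": effect, "result": business_fn()}


if __name__ == "__main__":
    # Constructed sample requests: same manager, same action, different context.
    print(enforce(Context("ap_manager", "approve_payment", "high", 2, True, "remote"),
                  lambda: "payment approved"))   # step_up: remote high-value needs strength 3
    print(enforce(Context("ap_manager", "approve_payment", "high", 3, True, "remote"),
                  lambda: "payment approved"))   # permit
```

Because the decision lives in decide() and the policy in CONTEXT_RULES, changing the business, operational or security policy (for instance raising the strength required for remote access) never touches the application code that calls enforce(); that separation is what the slide means by IAM becoming a set of externally configured, policy-driven services.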
Recommendations
✓ Recognize IAM for the business issue that it is
✓ Establish an IAM architecture
  - Within your security architecture
  - Integrated with your enterprise architecture