CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas
DESCRIPTION
Wendy Nather, Research Director, Enterprise Security Practice, 451 Research

At first, "identities" just meant employees, and then they meant customers and partners. Then the cloud came along, and all hell broke loose. But it's always been a lot more complicated in government due to the intersection of roles, context, legal requirements, public information and privacy rights, and a dynamic environment. This is a real-life case study of the migration from a custom-written, ten-year-old single sign-on portal with around 60 applications to a COTS IAM product. Thirty minutes can't do it justice, but it'll be enough to bring some of the pain.

TRANSCRIPT
Page 1
The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas
Wendy Nather @451wendy, Research Director, Enterprise Security Practice
Page 2
The backdrop
Custom-written single sign-on portal (10+ years old)
Provides SSO for ~60-75 apps
External user base of ~50,000
Internal user base of ~800
The challenge: drag it kicking and screaming into some part of the 21st century
Page 3
Other complicating factors
Family Educational Rights and Privacy Act (FERPA) compliance
~1300 school districts
~8,000 campuses
~20 regional educational service centers (ESCs)
Other partners/stakeholders: other Texas state agencies, higher education, contractors of all kinds, nonprofits, educators, certification bodies … roughly 2500 different organizations
Page 4
Multiple roles and contexts
TEA employee of some division or cost center, at some position level
Contractors pretending to be TEA employees
Personnel at ESCs, districts, campuses
Administrators, educators, auditors, researchers
People using different applications in different capacities on behalf of multiple organizations
Differing levels of delegation, both organizational and legal
Page 5
Getting a clue
Professor Plum
  in the kitchen
    with a lead pipe
    with a candlestick
  in the library
    with a lead pipe
    with a rope
Page 6
Getting a clue
Professor Plum
  killing in the kitchen
    with a lead pipe
    with a candlestick
  being killed in the library
    with a lead pipe
    with a rope
Page 7
Getting a clue
Professor Plum
  killing
    in the kitchen
      with a lead pipe
      with a candlestick
    in the library
      with a lead pipe
      with a rope
  being killed
    in the kitchen
      with a lead pipe
      with a rope
    in the library
      with a lead pipe
      with a candlestick
Page 10
Context plus governance = …
Identity authority (who you are) + Access authority (why you should have access) = Entitlements (what you may access)
Page 11
Example
Page 12
Workflow example
[Diagram: workflow between TEA, an ESC, District1 and District2, a User, two App owners, and a Delegate]
Pages 13-16
Constraints
Can’t be full federation due to compliance requirements
Principle of least privilege means scoping down wherever possible
Separation of duties requires discrete roles and entitlements
And remember …
Most of the users don’t really want to be there.
They are not at all technical.
And you can’t fire them.
Page 17
Moral of the story
Need to be granular with identity, authorization and entitlements for risk and compliance management
Be careful with RBAC – keep it out of your code
IAM is not a project, it’s an ongoing journey
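The "context plus governance" formula (identity authority + access authority = entitlements), the separation-of-duties constraint, and the moral about keeping RBAC out of your code, as an added illustration in Python that is not code from the talk or from TEA: roles are scoped to the organisation a person is acting for, policy lives in data rather than in application branches, and conflicting roles are flagged from that same data. All user, organisation, role and application names are constructed samples.

```python
from collections import defaultdict

# Identity authority (constructed sample): who each person is and which
# organisation vouches for them in which role. One person, several contexts:
# "plum" is an educator for district1 but only an auditor for district2.
IDENTITY = {
    "plum":    {"active": True, "roles": {"district1": {"educator"},
                                          "district2": {"auditor"}}},
    "scarlet": {"active": True, "roles": {"esc7": {"administrator"}}},
    "mustard": {"active": True, "roles": {"district1": {"educator", "auditor"}}},
    "green":   {"active": False, "roles": {"district1": {"educator"}}},
}

# Access authority (constructed sample): which role at which kind of
# organisation gets which entitlement on which application. Kept as data so
# the application code never hard-codes role names (RBAC out of the code).
ORG_TYPE = {"district1": "district", "district2": "district", "esc7": "esc"}
POLICY = {
    ("district", "educator"):  {"gradebook": {"read", "write"}},
    ("district", "auditor"):   {"gradebook": {"read"}, "audit": {"read"}},
    ("esc", "administrator"):  {"audit": {"read", "approve"}},
}

# Separation of duties: role pairs one person may not hold in the same org.
SOD_CONFLICTS = {frozenset({"educator", "auditor"})}


def entitlements(user, org):
    """Identity (roles in *this* org) + access authority (policy) = what the
    user may access while acting on behalf of org. Scoped per organisation,
    so roles held elsewhere do not leak into this context (least privilege)."""
    ident = IDENTITY.get(user)
    if ident is None or not ident["active"]:
        return {}
    granted = defaultdict(set)
    for role in ident["roles"].get(org, set()):
        for app, perms in POLICY.get((ORG_TYPE[org], role), {}).items():
            granted[app] |= perms
    return dict(granted)


def may(user, org, app, action):
    """Single enforcement point an application calls instead of testing roles."""
    return action in entitlements(user, org).get(app, set())


def sod_violations(user):
    """Return (org, conflicting role pair) for roles that must stay discrete."""
    roles_by_org = IDENTITY.get(user, {}).get("roles", {})
    return [(org, pair) for org, roles in roles_by_org.items()
            for pair in SOD_CONFLICTS if pair <= roles]
```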
Page 18
Questions? Comments? [email protected]