Identity and Access Management
ISACA China HK Chapter
By Dave [email protected]
© Copyright 2005 Arialgroup. All rights reserved.
Agenda
- What is IAM
- IAM Components
- Why IAM
- IAM Marketplace
- IAM Implementation
What is Identity and Access Management (IAM)?
Biometric? Smart ID Card? Directory? Single Sign-On? Digital Certificate?
IAM for a Single Application
(Diagram: the application keeps its own User Store and Role Store. Labels shown: User, Administrator, User Store, Role Store, Authentication, Session Management, Password Management, User Management, Role Management, Authorization, Application Functions, Application Data.)
When the number of applications increases
(Diagram.)
IAM Architecture
(Diagram: administrators and users on one side; several applications, each with its own Role Data and User Data, on the other; between them a shared IAM layer labelled Policy Management, Session Management, SSO, Password Management, User Management, Role Management, Authentication, Authorization, Password Services, RBAC, Provisioning and Data Synchronization, backed by a central User Store, Role Store and Policy Store.)
Does not have IAM
(Diagram.)
Has IAM
(Diagram: the applications connect through a central Identity & Access Management layer.)
The Goal of IAM
Providing the right people with the right access at the right time.
Protecting resources by preventing unauthorized access.
IAM Components
Access Management:
- Authentication: Single Sign-On, Session Management, Passwords, Authentication Levels
- Authorization: Role-based, Rule-based, Attribute-based, Remote Authorization
Identity Management:
- User Management: Delegated Admin, Role Management, Provisioning, Password Management, Self-service
- Central User Repository: Directory, Data Synchronization, Meta-directory, Virtual directory
IAM Components
(Diagram: the IAM Architecture picture again, with the component labels grouped. Access Management: Session Management, SSO, Authentication, Password Services, Policy Management, Authorization, RBAC. Identity Management: Password Management, User Management, Role Management, Provisioning, Data Synchronization. Stores: User Store, Role Store, Policy Store.)
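To make the Access Management components above concrete, here is an added example (not code from the slides or from Arialgroup): a central Policy Store that evaluates the three authorization styles the deck lists, role-based, rule-based and attribute-based, over one shared session issued by a Session Management component. The user, role and policy data are constructed sample data; `secrets.token_urlsafe` stands in for a real session token service, and time is modelled as minutes since midnight.

```python
import secrets

# Central stores (constructed sample data, not taken from the slides).
USER_STORE = {"alice": {"department": "Finance"}, "bob": {"department": "Sales"}}
ROLE_STORE = {"alice": {"payroll_manager"}, "bob": {"hr_staff"}}
SESSIONS = {}  # session id -> (user, expiry): the Session Management component
# Time is modelled as minutes since midnight to keep the example self-contained.

def role_based(*required):
    """RBAC check: the user must hold at least one of the required roles."""
    return lambda user, ctx: bool(ROLE_STORE.get(user, set()) & set(required))

def rule_based(rule):
    """Rule-based check: a predicate over the request context (e.g. time)."""
    return lambda user, ctx: rule(ctx)

def attribute_based(name, allowed):
    """Attribute-based check: a user-store attribute must be in the allowed set."""
    return lambda user, ctx: USER_STORE.get(user, {}).get(name) in allowed

def business_hours(ctx):
    return 8 * 60 <= ctx["now"] < 18 * 60

# Policy Store: every check listed for an action must pass; deny by default.
POLICY_STORE = {
    "payroll.approve": [role_based("payroll_manager"), rule_based(business_hours)],
    "hr.view_record": [role_based("hr_staff", "payroll_manager"),
                       attribute_based("department", {"HR", "Finance"})],
}

def login(user, now, ttl=30):
    """Issue one shared session after authentication (credential check omitted
    here); every application then reuses it instead of keeping its own."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = (user, now + ttl)
    return sid

def authorize(sid, action, now):
    """Central decision used by every application: the session must be valid
    and unexpired, the action known, and all of its checks satisfied."""
    session = SESSIONS.get(sid)
    if session is None or session[1] <= now:
        return False
    user, _ = session
    checks = POLICY_STORE.get(action)
    return bool(checks) and all(check(user, {"now": now}) for check in checks)
```

Because the decision is made in one place, revoking a role in ROLE_STORE or expiring a session takes effect for every application at once, which is the point of moving these functions out of each application.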
Other IAM Terms
- Identity Management (IdM or IM)
- Identity and Access Management (I&AM)
- Authentication, Authorization, Accounting and Administration (AAA)
- Extranet Access Management (EAM)
- Portal and personalization: part of IAM?
Drivers behind IAM
- Convergence of information technologies: standards based, Service Oriented Architecture.
- Increase in identities: customers, suppliers, contractors, mergers & acquisitions, outsourcing, globalization.
- Increase in business delivery channels: LAN, WAN, dial-up, extranet, Internet, wireless, etc.
- Rising costs and complexities of identity management.
- Need to improve information security: regulatory compliance (e.g. SOX, BS 7799); more open networks, higher-skilled intruders, etc.
IAM Benefits
Business benefits:
- Agility to respond to changes and opportunities
- Capability to drive more revenue from existing relationships
- Streamlined processes
- User access changes take hours instead of days
- Empowered business users and user administrators
Security and audit benefits:
- Consistent, automated policy enforcement
- Enhanced auditability
- Compliance with regulations
- Reduced security administration effort
- Better protected resources
User benefits:
- Higher usability and satisfaction
- Self-service for common tasks
- Faster, better service from the organization
IT benefits:
- Centralized security architecture
- Delegated administration
- Lower support costs
- Faster application development
- Agile IT infrastructure
- Improved correctness of user information
IAM Marketplace
(Chart: "Internet Security Stages of Adoption", comparing last year (2003) with this year (2004). Horizontal axis: Pioneering, Growth, Maturing; vertical axis: Protect vs. Enable. Technologies plotted: Anti-Virus, Firewall, VPN, Content Filtering, Intrusion Detection, Authentication, Authorization, PKI, Encryption.)
Convergence Trend
- BMC acquired Calendra
- CA acquired Netegrity
- Netegrity acquired Business Layers
- HP acquired Baltimore's SelectAccess and TrueLogica
- IBM acquired Access360
- Sun acquired Waveset
Access Management
- Client side vs. server side
- Web-based vs. non-Web-based (or legacy)
- Role-based and rule-based
- Agent based vs. proxy based
- Session management approach
User Management
- Agent vs. agentless
- Event-driven vs. polling
- With or without an image of the user data
- Programming language used for customization
- Provisioning vs. data synchronization
Directory and Meta-Directory
- X.500 vs. LDAPv3
- Meta-directory vs. virtual directory
- Directory replication
- Database engine vs. native
IAM Standards
- Authentication: Kerberos, SASL
- Authorization: XACML, RBAC99
- Directory service: DSML, LDAPv3, LDUP
- Provisioning: SPML
- Federated security: SAML, Liberty Alliance
- Supporting standards: TCP/IP, HTTP, XML, PKI, SSL, Web Service Security, X.509v3, XrML, etc.
High-level IAM Building Blocks
- Enterprise Directory
- Single Sign-On
- User Management
- Strong Authentication
- Windows Single Sign-On
- Data Synchronization
- Role Management
- Role-based Authorization
- Provisioning
- Federated Security
IAM Implementation
- Many stakeholders: requires good communication skills.
- Changing the administration approach could be political.
- Data correctness, ownership and privacy.
- Need people with skills from both worlds: IT infrastructure and system development.
- Never underestimate the time required for testing.
- Never neglect IT requirements (e.g. operational, deployment, high availability, etc.).
- Watch out for software compatibility.
- Customers not only want a resolution to a problem but also want to know why the proposed solution is the better one.
Summary
- IAM can be divided into two categories: Identity Management and Access Management.
- Access Management comprises Authentication, Single Sign-On, Session Management, Password Services and Authorization.
- User Management comprises user self-service, delegated administration, user/role management, provisioning, data synchronization and password management.
- IAM has clear benefits in terms of cost savings, service enablement, risk reduction and productivity improvement.
- Recent trends show product convergence in the IAM marketplace.
- IAM has become practical and doable today, but selecting the right product mix can be challenging. Users and vendors alike are recommended to choose skilled personnel to participate in IAM implementation projects.