Identity Management for the 21st Century IT Mission Presented By: Paul Grassi: VP of Federal Programs, Sila Solutions Group Jim Rice: VP of Federal, Layer 7 Dieter Schuller: VP of Business Development, Radiant Logic Gerry Gebel: President, Axiomatics Americas Phil McQuitty: Director of Systems Engineering, SailPoint Stephanie McVitty: Account Manager, Compsec Wednesday: August 14, 2013

Upload: ca-api-management

Post on 08-May-2015


DESCRIPTION

The 21st century mission is dependent on providing secure and agile access to information across an increasing range of stakeholders, both internal and external to your agency. This comes amidst evolving IT missions, budget challenges, a complex IT compliance landscape and an increased need for rapidly deployable and flexible solutions. This webinar explores integrated identity management solutions and real-life use case examples.

Presented By:
• Stephanie McVitty - Account Manager, Compsec
• Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
• Jim Rice - Vice President of Federal, Layer 7
• Dieter Schuller - VP of Sales, Radiant Logic
• Phil McQuitty - Director of Systems Engineering, Sailpoint
• Gerry Gebel - President, Axiomatics Americas

TRANSCRIPT

Page 1: Identity Management for the 21st Century IT Mission

Presented By:

• Paul Grassi: VP of Federal Programs, Sila Solutions Group
• Jim Rice: VP of Federal, Layer 7
• Dieter Schuller: VP of Business Development, Radiant Logic
• Gerry Gebel: President, Axiomatics Americas
• Phil McQuitty: Director of Systems Engineering, SailPoint
• Stephanie McVitty: Account Manager, Compsec

Wednesday, August 14, 2013

Page 2: Key Discussion Areas

• Today’s Challenges
• History: How Did We Get Here?
• The Evolution of Access Control
• Building Blocks for Agile Access
• Creating a Framework for Success
• The Ideal ABAC Process
• Use Case Deep Dive
• Next Steps: Are You ABAC-Ready?

Page 3: Today’s Challenges

Page 4: How Did We Get Here?

• We keep trying to solve a legacy problem with a legacy solution
• Made authorization an IT solution, not a business solution
• Bogged down with stovepipes, multiple policies, and poorly defined infrastructure
• Focused on the door – not the data
• Yet, we’ve done some amazing things

We have made great progress! Industry deserves credit. Examples: NSTIC/IDESG, NIST 800-162 Draft, FICAM AAES work; focus on attributes and confidence scores.

Page 5: The Evolution of Access Control

[Figure: access control models arranged as a progression from IBAC, ACL, RBAC and eRBAC to ABAC and PBAC; the stages are labelled "Legacy Problem with Legacy Solution", "Legacy Problem with Better Solution" and "Future Proofed Business Solution"]

• ABAC: fine grained, attribute-driven, local policy, proprietary enforcement, technical
• PBAC: reusable policy, context aware, externalized, standards based, business driven, non-technical

Page 6: Building Blocks for Agile Access

[Figure: Agile Access Decisions at the centre, fed by six building blocks]

• Reusable Policy
• Action
• Federated Identity
• Federated Attributes
• Environment Context
• Resource Attributes

Page 7: ABAC Framework

[Figure: framework elements]

• Programmatic and Technical Management
• Portability, Confidence, and Trusted Attributes
• Access Anywhere: Mobility / Cloud
• Lifecycle, Governance and Risk
• Mission Agility

Page 8: Layer 7 Overview

[Figure: API gateways sit between the enterprise (Applications & Data) and Outside Partners / Divisions, External Developers, Mobile Apps, Cloud Services and Other Things]

Layer 7 API Gateways Provide API Access Control for the New “Open” Enterprise

Page 9: Enterprises are Exposing More

Connectivity & Security Challenges for Open Enterprise:

• Protection of applications exposed over internet
• Reuse of information shared across departments, partners, mobile & Cloud
• Ease of integration: reconciling disparate identity, data types, standards, services
• Federated & Delegated Security
• Performance optimization (caching, protocol compression, …)
• Brokering cloud services
• Proxy connections to social, cloud, notification services that enterprises can control
• Cloud interactions
• Central governance of policies and security

[Figure: the enterprise and its external touchpoints: Mobile / Tablet Apps; Web Platform Integration; Open APIs for Developer Channel; Private Cloud Annexes (Savvis or Datacenter); Cloud Services; Over the Top TV and Media (Xbox Live and Smart TV); Real-time Partner Integration; Login / Password]

This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/public.

Page 10: Layer 7 Policy Approach

[Figure: Layer 7 product components and the capabilities shown for them]

Components: API Integration Gateway; API Service Manager; API Identity & Access Broker; API Developer Portal

Capabilities: Health Tracking; Workflow; Performance; Global Staging; Developer Enrollment; API Docs; Forums; API Explorer; Rankings; Quotas; Plans; Analytics; Reporting; Config Migration; Patch Management; Policy Migration; Throttling; Prioritization; Caching; Routing; Traffic Control; Transformation; Security; Composition; Authentication; Single Sign On; API Keys; Entitlements; Token Service; OAuth 1.x; OAuth 2.0; OpenID Connect

Page 11: Layer 7 ABAC Reference Implementation

[Figure only]

Page 12: RadiantOne Architecture

• A Federated Identity Service through Model-Driven Virtualization
• Provides all functions of a complete AAES service
• Abstraction layer
• Platform consists of advanced Virtual Directory Server (VDS), Identity Correlation and Synchronization (ICS), and Cloud Federation Service (CFS)

Page 13: RadiantOne Key Capabilities

[Figure: attributes for one user are drawn from three silos (LDAP Directory, Active Directory, HR Database), correlated into a single virtual identity, then used to build dynamic groups; a User Lookup and an Attribute Server sit in front of the virtual views]

Source attributes (spread across LDAP Directory, Active Directory and HR Database):

employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
memberOf=Sales

Correlated Identity Virtual View:

employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
departmentNumber=234
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234

Dynamic Groups Virtual View (based on identities that have ClearanceLevel=1, title=VP Sales and Region=PA):

cn=Sales
objectClass=group
member=Andrew_Fuller
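The correlation and dynamic-group steps on this slide, as an added Python example that is neither RadiantOne code nor part of the deck; the source records are constructed, and joining every silo on employeeNumber with first-source-wins plus conflict reporting is an assumption made here:

```python
# Added example (not from the webinar deck): a small model of the correlated
# identity virtual view and the dynamic group shown on the slide above.
# The source records are constructed sample data and the correlation rule
# (join every silo on employeeNumber) is an assumption for illustration.

LDAP_DIRECTORY = [
    {"employeeNumber": "2", "uid": "AFuller", "givenName": "Andrew", "sn": "Fuller",
     "departmentNumber": "234"},
    {"employeeNumber": "7", "uid": "JDoe", "givenName": "Jane", "sn": "Doe",
     "departmentNumber": "234"},
]
ACTIVE_DIRECTORY = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller", "objectClass": "user",
     "title": "VP Sales", "memberOf": "Sales"},
    {"employeeNumber": "7", "samAccountName": "Jane_Doe", "objectClass": "user",
     "title": "VP Sales", "memberOf": "Sales"},
]
HR_DATABASE = [
    {"employeeNumber": "2", "ClearanceLevel": "1", "Region": "PA", "DeptID": "Sales234"},
    # HR disagrees with AD on the title: the correlation must surface this
    {"employeeNumber": "7", "ClearanceLevel": "1", "Region": "NY", "DeptID": "Sales234",
     "title": "Vice President, Sales"},
]


def build_virtual_view(*sources, key="employeeNumber"):
    """Correlate records from several silos into one virtual identity per key.
    The first source to supply an attribute wins; later disagreements are
    returned as conflicts so the attribute server can flag them for review."""
    view, conflicts = {}, []
    for source in sources:
        for record in source:
            identity = view.setdefault(record[key], {})
            for attr, value in record.items():
                if attr in identity and identity[attr] != value:
                    conflicts.append((record[key], attr, identity[attr], value))
                identity.setdefault(attr, value)
    return view, conflicts


def dynamic_group(view, cn, **required):
    """Virtual group whose members are the identities matching every required
    attribute, e.g. ClearanceLevel=1, title=VP Sales, Region=PA as on the slide."""
    members = sorted(i["samAccountName"] for i in view.values()
                     if all(i.get(a) == v for a, v in required.items()))
    return {"cn": cn, "objectClass": "group", "member": members}
```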

Page 14: Axiomatics Architecture

• Manage: Policy Administration Point
• Decide: Policy Decision Point
• Support: Policy Information Point, Policy Retrieval Point
• Enforce: Policy Enforcement Point

Page 15: Authorization at Any Layer

[Figure only]

Page 16: Anywhere Authorization Architecture

[Figure only]

Page 17: SailPoint Architecture

[Figure: SailPoint ICAM Solutions stack]

• Unified Governance Platform: Role Model, Policy Model, Identity Warehouse, Risk Model, Workflow
• Open Connectivity Foundation: Resource Connectors, Provisioning Integration, Service Desk Integration, Security & Activity, Cloud SaaS
• SailPoint ICAM Solutions: Access Request & Provisioning, Password Management, Compliance Management, Single Sign-On, Identity Analytics

Page 18: Entitlement Giving Attributes

[Figure: entitlement-giving attributes from HR Data, Security, Directory and Attributes sources flow through Business Process Management (Ownership, Relationships, Modeling, Review Process, Change Process, Audit Process) to each System and Target]

Page 19: The Business Process of IAM Data Management

Identity & Access Governance:

• Ownership & Responsibility
• Change Control
• Versioning History
• Verification & Review
• Analytics & Reporting

[Figure: entitlement-giving attributes from HR Data, Security, Directory and Attributes sources flow to each System and Target under governance]

Page 20: Benefits of Our Solution

[Figure: benefits grouped as Operational and Business]

Benefits:

• Simple Change Management
• Maximum Efficiency and Flexibility
• Range of Deployment Options
• Simple and Effective Management
• Cost Effective
• Scalable
• Interoperable
• Business-Friendly Management
• Increased Access to Information
• Increased Security and Compliance

Callouts:

• Policy management and insight available to all levels of the organization.
• Deploy for performance and architectural needs while maintaining 100% conformance with open standards.
• Easy to deploy new policy without underlying changes to application infrastructure.
• Eliminate time-consuming and confusing processes to gain access to information.

Page 21: The Ideal Process

Access barriers are removed so users can get their jobs done more efficiently.

Page 22: High Level Use Cases

[Figure: six numbered actors around a patient record]

• Patient can manage record from authorized personal devices; opts in and authorizes PCP and staff to view
• Doctor can read from office computer; doctor can write to entire record
• Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs
• Nurse can “break the glass” to access location-agnostic information
• Receptionist trained in HIPAA data protection can only view services performed
• Claims coordinator can only view appointment information
• Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt in

Page 23: Conceptual Architecture

[Figure: AuthN Services and a Secure Gateway in front of EHR Systems; a Federated Identity Virtualization layer over Attribute Sources (NPI Registry, Patients, Hospital, Insurance, R&D); Policy Administration, Governance and a Policy Server; per-audience views: Provider View, R&D View, Insurance View, Patient View]

Page 24: Patient Use Case

[Figure: request flow through the secure gateway, policy server and attribute sources; the numbered steps below are the slide's callouts]

1. Patient attempts to update personal EHR to add blood pressure (BP) information and opt-in to share info with doctor.
2. Gateway intercepts the request: checks request validity, verifies patient access using a registered device, verifies the patient is accessing own record.
3. Policy server requests/receives required attributes (EHR owner, authorized devices) from Patient EHR Preferences/Metadata, Signed Opt-In Forms and the list of registered devices; checks if authorized; result: Permit.
4. Patient is allowed access to the EHR system: updates BP and authorizes doctor to access information.

Page 25: Doctor Use Case

[Figure: request flow through the secure gateway, policy server and attribute sources; the numbered steps below are the slide's callouts]

1. Doctor attempts to update patient EHR from office computer.
2. Gateway intercepts the request: checks request validity, checks access from office computer on the Hospital Network EHR.
3. Policy server requests/receives required attributes (EHR owner, authorized devices) from Patient EHR Preferences/Metadata and the list of signed opt-in forms; verifies patient opt-in; checks if authorized; result: Permit.
4. Doctor is allowed access to patient EHR.

Page 26: Remaining Use Cases

| Use Case | Request | Layer 7 / Axiomatics | Radiant Logic | EHR |
|---|---|---|---|---|
| Nurse | Rheumatology nurse requests access to patient EHR | Checks request location/validity; checks PDP for authorization; validates nurse/patient relationship; allows access to specific attributes of patient EHR | Provide nurse and patient attributes to PDP | Allows nurse access to read patient rheumatology attributes of EHR; write diagnostics |
| “Break Glass” | Nurse requests access to patient cardiac information when patient shows heart attack symptoms | Checks request validity; checks PDP for authorization; validates environmental attributes from hospital; validates nurse/patient relationship | Provide hospital, nurse and patient attributes to PDP | Allows nurse access to read rheumatology and cardiac attributes of EHR, write diagnostics |
| Reception | Reception requests access to patient services to prepare bill | Checks request location/validity; checks PDP for authorization; validates employee HIPAA training; validates employee/patient relationship | Provide employee and patient attributes to PDP | Allows help desk access only to services performed |
| Insurance | Insurance claims processor requests access to patient EHR | Checks request location/validity; checks PDP for authorization; validates processor employment with insurance company; validates covered incident; validates insurance/patient relationship | Provide processor, patient, and insurance attributes to PDP | Allows claims processor access only to covered incident information |
| Research & Development | Cardiovascular research center requests access to all cardiology patient data | Authenticates R&D server; checks PDP for authorization; validates research center and scope; provides SQL PEP to filter result set and return anonymous data | Provide employee and research center attributes to PDP | Allows employee access only to anonymized data pertaining to research center scope |
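A toy policy decision point that encodes the nurse, break-glass, reception and insurance rows of the table, added here as an example rather than taken from the deck or from Axiomatics; the attribute names, the relationship lookup and the break_glass / hospital_attested environment attributes are assumptions:

```python
# Added example (not from the webinar deck): a minimal PDP for the use-case
# table above. Attribute names, the relationship set standing in for the PIP,
# and the emergency environment attributes are constructed assumptions.
RELATIONSHIPS = {("nurse_kim", "patient_42"), ("reception_lee", "patient_42"),
                 ("claims_ann", "patient_42")}
READ_SECTIONS = {"nurse": {"demographics", "symptoms", "vitals", "rheumatology"},
                 "reception": {"services_performed"},
                 "claims_processor": {"covered_incident"}}
NURSE_WRITE = {"demographics", "symptoms", "vitals", "diagnostics"}
BREAK_GLASS_LOG = []  # emergency overrides are audited: one entry per override


def decide(subject, resource, action, env):
    """Return 'Permit' or 'Deny' for one request. subject, resource and env are
    attribute dicts; action is 'read' or 'write'. Anything unmatched is denied."""
    role, section = subject.get("role"), resource["section"]
    # Gateway-side checks from the table: request location and validity
    if env.get("location") != "hospital_network" or action not in ("read", "write"):
        return "Deny"
    # Every row validates a subject/patient relationship via the PIP
    if (subject["id"], resource["patient"]) not in RELATIONSHIPS:
        return "Deny"
    if role == "nurse":
        if action == "write":
            return "Permit" if section in NURSE_WRITE else "Deny"
        # "Break glass": cardiac read only with hospital-attested emergency attributes
        if section == "cardiac" and env.get("break_glass") and env.get("hospital_attested"):
            BREAK_GLASS_LOG.append((subject["id"], resource["patient"], section))
            return "Permit"
        return "Permit" if section in READ_SECTIONS["nurse"] else "Deny"
    if role == "reception":  # HIPAA training is a required subject attribute
        ok = (subject.get("hipaa_trained") and action == "read"
              and section in READ_SECTIONS["reception"])
        return "Permit" if ok else "Deny"
    if role == "claims_processor":  # employment, covered incident, relationship
        ok = (subject.get("employer") == resource.get("insurer") and action == "read"
              and resource.get("covered") and section in READ_SECTIONS["claims_processor"])
        return "Permit" if ok else "Deny"
    return "Deny"
```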

Page 27: Governance Use Case

Health Care Systems Attribute and Policy Governance

[Figure: entitlement-giving attributes feed Functional Application #1 and #2 and their documents; governance steps: Ownership & Responsibility, Change Control, Provision, Verification & Review, Analytics; Axiomatics Policy Server and Axiomatics Policy Auditor]

Identities, certified entitlements & risk scores would be used at the PIP and PDP to make smarter decisions.

Page 28: Are You Ready?

• Establish Governance
• Choose your standards
• Determine your attributes and metadata
• Determine your authoritative sources
• Create a taxonomy and data dictionary
• Understand your business processes
• Determine the business model
• Decide who will own policy/policy management
• Coordinate with stakeholders across organization, including audit/compliance, privacy, and security operations
• Track performance

Page 29: Questions?