March 2004 © 2004 IBM Corporation Integrated Identity Management Jeff Curie Chief Strategist, Identity Management Leveraging knowledge of people to create business value


Page 1: March 2004 © 2004 IBM Corporation Integrated Identity Management Jeff Curie Chief Strategist, Identity Management Leveraging knowledge of people to create

March 2004 © 2004 IBM Corporation

Integrated Identity Management

Jeff Curie, Chief Strategist, Identity Management

Leveraging knowledge of people to create business value

Page 2

Identity Management in the Security Model

Resource Protection: protect computers and network
• Know the connected devices
• Prevent malicious network access
• Defend against viruses
• Respond to attacks

Control: protect applications and data
• Know the authorized users
• Control what users can see and do
• Secure transactions and data
• Make security transparent to users

Policy Assurance: protect privacy and reputation
• Support regulatory compliance
• Enforce consistent policies
• Provide integrated audit trail
• Manage security risks

Page 3

Security Control Layer Industry Statistics

“It costs $400 per year to manually manage a single user in a large financial corporation.”

“Insider security lapses are costing organizations an average of about $250,000 per incident.”

“81% of the likely source of attack is from disgruntled employees.”

“Up to 60% of the access profiles in companies are no longer valid and, in high turnover industries, the percentage can go up to 80-90%.”

“Automated management of B2B processes and increased collaborative capabilities will soon become necessities in most organizations. Simple data exchange with partners and customers is not enough.”

Sources cited on the slide: Chris Christiansen; David Yokelson; International Security Forum Report; FBI/CSI Survey July 2001; Computer Security Issues

Page 4

There are Teeth in the New Regulations

Eli Lilly Settles FTC Charges Concerning Security Breach. Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service. Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy. (FTC Press Release)

Allstate agrees to $1M settlement for privacy violations in California. By Associated Press, March 19, 2003. Allstate Insurance Co. agreed to pay a $1 million fine as part of a settlement with the California Department of Motor Vehicles, officials said yesterday.

“Regulatory compliance #1 driver for increased security spend in 2004” (IDC 2003 “Black Book”)

Softbank Offers Compensation Over Leak of Personal Data; Executives to Forgo Part of Pay. (Associated Press, 2004)

Victoria’s Secret Settles Privacy Case; Company to Provide Restitution to Consumers for Web Site Breach.

Page 5

Security Management Process Complexity

Typical access request flow: User Change → Request for Access Generated → Policy & Role Examined → Approval Routing → IT InBox → Administrators Create Accounts → Users with Accounts

• Elapsed turn-on time: up to 7 days per user
• Account turn-off performance: 30-60% of accounts are invalid
• One FTE user administrator handles only 300-500 users
• 40% of help desk effort is spent on password resets

Page 6

Why Clients Chose Identity Management

Common Pains Addressed by Integrated Identity Management

Our security administration and support costs are too high

Single sign-on and unified user experience is a priority for our executives

Security for in-house built applications is inadequate and expensive

We need to limit access to sensitive or private information in our systems

Compliance with regulations and audit requirements drive us to make changes

We can't keep track of all the users that can access our systems

Identity information is spread across multiple stores

We want to get our house in order to prepare to participate in Web Services

Page 7

Identity Integration

Integrated Identity Management Building Blocks
Leveraging Knowledge of People and Processes to Create Business Value

Identity Data Infrastructure (user & resource information): Directory Server; Identity Integration
Identity Applications (users & applications): User Provisioning; Access Control; Privacy Control
Federated Identity Management

Page 8

Start Where You Must, Expand Over Time

Identity Ecosystem
• Establish Authoritative Identity Information
• Control User and Privilege Information
• Enforce Access Controls and Data Disclosure

Page 9

Identity Is the Basis of the Control Layer

Information about People: Employees, Contractors, Partners, Customers

Today, identity data is fragmented and incomplete. But identity data is the basis for:
• Access decisions
• Self-service
• Authorization assignment
• Personalization

Systems holding identity data (diagram): Web Apps, In-house Apps, Operating Systems, Legacy Apps, Transaction Processing, Data Stores, Security Systems, Directories, Users

Information about Access: User, Account, Privileges, Credentials

Page 10

Common Pains Addressed by Identity Integration

We need to improve the quality of our organization-wide identity data

We need to synchronize data between stores like databases, Peoplesoft, SAP, Microsoft AD and Lotus Notes

We need to reduce the number of people trying to maintain the same data

We need a common store of identity data

We need more feeds into our LDAP directories

We need to aggregate data from multiple sources into one

We need to migrate data to new applications

Building blocks: Integration | Directory | Provision | Access | Privacy

Page 11

Establishing Authoritative Identity

Customer Challenge: Out-of-sync data elements require synchronization

Customer Challenge: Accurately retain multiple corporate identity sources at minimum cost

Customer Challenge: Accelerate deployment of high-ROI Identity Management solutions

Diagram: separate Authoritative Identity Sources for Division A, Division B and Division C, together with attribute feeds such as user mobile phone numbers and user cost center, are integrated into one Authoritative Identity Source spanning users, data and systems.

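As an added example (not part of the IBM deck, and not IBM Directory Integrator code), the following Python shows the mechanics behind "establishing authoritative identity": one merged identity record is built from several out-of-sync sources, each source being authoritative for different attributes, and every non-authoritative copy that disagrees is reported so it can be resynchronized. The source records, the employee id `e42` and the attribute-authority map are constructed for the example.

```python
"""Added example: merge out-of-sync identity sources into one authoritative
record using a per-attribute authority map. All data here is constructed."""

from __future__ import annotations

# Constructed per-source views of the same person, keyed by a shared employee id.
# Each division and system holds its own copy and they have drifted apart.
SOURCES = {
    "hr":         {"e42": {"name": "Dana Lee", "cost_center": "CC-210", "status": "active"}},
    "telephony":  {"e42": {"name": "D. Lee", "mobile": "+1-555-0100"}},
    "division_b": {"e42": {"name": "Dana Lee", "cost_center": "CC-199", "mobile": "+1-555-0199"}},
}

# Constructed authority map: for each attribute, which sources may supply it,
# in order of precedence. HR owns cost center and status; telephony owns the
# mobile number; the divisional directory is only a fallback.
AUTHORITY = {
    "name": ["hr", "division_b", "telephony"],
    "cost_center": ["hr", "division_b"],
    "mobile": ["telephony", "division_b"],
    "status": ["hr"],
}


def build_authoritative(uid: str, sources: dict = SOURCES, authority: dict = AUTHORITY):
    """Return (merged record, conflicts) for one identity.

    The merged record takes each attribute from the first source in its
    precedence list that has a value. A conflict is recorded for every other
    source whose copy of that attribute disagrees with the chosen value; those
    are the copies an integration job would push the authoritative value to."""
    merged: dict[str, str] = {}
    conflicts: list[tuple[str, str, str, str]] = []  # (attr, source, its value, winner)
    for attr, order in authority.items():
        chosen = None
        for src in order:
            val = sources.get(src, {}).get(uid, {}).get(attr)
            if val is not None:
                chosen = (src, val)
                break
        if chosen is None:
            continue  # no source knows this attribute for this person
        merged[attr] = chosen[1]
        for src, recs in sources.items():
            other = recs.get(uid, {}).get(attr)
            if other is not None and other != chosen[1]:
                conflicts.append((attr, src, other, chosen[0]))
    return merged, conflicts


if __name__ == "__main__":
    record, drift = build_authoritative("e42")
    print("authoritative:", record)
    for attr, src, val, winner in drift:
        print(f"resync {src}.{attr}={val!r} -> {record[attr]!r} (authoritative: {winner})")
```

The point of the authority map is that no single store has to be authoritative for everything; the deck's example of mobile phone numbers and cost centers coming from different places maps directly onto per-attribute precedence, and the conflict list is what drives the "Integrate" arrows back out to the divisional sources.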

Page 12

Common Pains Addressed by User Provisioning

We need self-service to reduce/avoid costs in the help desk

We need to see exactly who has what rights

We need a console that can turn off departing users immediately

We need to automate the process of turning people on and off to systems

We need a central system to keep accurate records of all changes to access rights


Page 13

User Provisioning

User Provisioning Business Purpose

Access Control Challenges
– Security: Accurate and timely privilege assignment based on “Need to Know”
– Security: Accurate and timely off boarding
– Cost: Scaling administrative staff to match provisioning activity
– Cost: Scaling help desk staff to match password reset request load
– Regulatory/Controls: Proving you did it right

Diagram labels: User, Action, Resource, Data; User Accesses; Privileges; Security Administrator


Page 14

Tivoli Identity Manager

Provisioning flow: identity change requested (from Identity Stores and HR Systems) → approvals gathered → access policy evaluated → accounts updated on Applications, Operating Systems and Databases; detect and correct local privilege settings.

Industry’s most comprehensive list of supported agents, and toolkit to create more
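As an added example (not part of the IBM deck, and not Tivoli Identity Manager code), the Python below works through the last two steps of the flow on this slide, "accounts updated" and "detect and correct local privilege settings", together with the off-boarding and "proving you did it right" challenges from the previous slide. It compares the accounts that actually exist on a target system against an authoritative identity feed and a role-based access policy, and returns the corrective actions plus an audit line for each. The identities, policy and target-system state are constructed; the role and privilege names are placeholders.

```python
"""Added example: identity-driven reconciliation of a target system's accounts
against authoritative identities and an access policy. All data constructed."""

from __future__ import annotations
from dataclasses import dataclass

# Constructed authoritative identities, as an HR feed would supply them.
IDENTITIES = {
    "u100": {"name": "Alice", "status": "active", "roles": {"finance"}},
    "u200": {"name": "Bob", "status": "active", "roles": {"developer"}},
    "u300": {"name": "Carol", "status": "terminated", "roles": {"finance"}},
    "u400": {"name": "Dave", "status": "active", "roles": {"developer"}},
}

# Constructed access policy: role -> privileges it entitles on the target system.
POLICY = {
    "finance": {"ledger_read", "ledger_post"},
    "developer": {"shell", "repo_write"},
}

# Constructed target-system state: account -> (owning identity id, privileges).
TARGET_ACCOUNTS = {
    "alice": ("u100", {"ledger_read", "ledger_post"}),
    "bob": ("u200", {"shell", "repo_write", "sudo"}),  # local drift: sudo added on the box
    "carol": ("u300", {"ledger_read"}),                 # owner has left the company
    "svc_old": (None, {"shell"}),                       # orphan: no identity owns it
}


@dataclass(frozen=True)
class Action:
    kind: str      # "create" | "disable" | "grant" | "revoke"
    account: str
    detail: str


def entitled_privileges(identity: dict) -> set[str]:
    """Privileges the access policy grants this identity; none if not active."""
    if identity["status"] != "active":
        return set()
    return set().union(*(POLICY.get(role, set()) for role in identity["roles"]))


def reconcile(identities: dict, accounts: dict) -> list[Action]:
    """Compute the changes that bring target accounts into line with policy.

    Disables orphaned and off-boarded accounts, revokes privileges that exceed
    policy (local drift), grants missing ones, and creates accounts for active
    identities that are entitled to one but have none."""
    actions: list[Action] = []
    accounts_by_owner: dict[str, str] = {}
    for acct, (owner, privs) in accounts.items():
        identity = identities.get(owner) if owner else None
        if identity is None:
            actions.append(Action("disable", acct, "no authoritative owner"))
            continue
        accounts_by_owner[owner] = acct
        if identity["status"] != "active":
            actions.append(Action("disable", acct, f"owner {owner} is {identity['status']}"))
            continue
        should = entitled_privileges(identity)
        for p in sorted(privs - should):
            actions.append(Action("revoke", acct, p))
        for p in sorted(should - privs):
            actions.append(Action("grant", acct, p))
    for uid, identity in identities.items():
        if uid not in accounts_by_owner and entitled_privileges(identity):
            actions.append(Action("create", identity["name"].lower(), f"for {uid}"))
    return actions


def audit_trail(actions: list[Action]) -> list[str]:
    """One line per change, so that every account change has a record."""
    return [f"{a.kind:<7} {a.account:<8} {a.detail}" for a in actions]


def invalid_account_ratio(actions: list[Action], accounts: dict) -> float:
    """Share of existing accounts that should not be enabled at all."""
    disabled = sum(1 for a in actions if a.kind == "disable")
    return disabled / len(accounts) if accounts else 0.0


if __name__ == "__main__":
    acts = reconcile(IDENTITIES, TARGET_ACCOUNTS)
    print("\n".join(audit_trail(acts)))
    print(f"invalid accounts: {invalid_account_ratio(acts, TARGET_ACCOUNTS):.0%}")
```

Running the reconciliation periodically rather than only on change requests is what catches the two cases the request-driven flow on page 5 misses: the account whose owner has already left, and the privilege an administrator added locally on the target that no policy ever granted.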

Page 15

IBM and Cisco: Teamed to Reduce Operating Costs

Diagram labels: Tivoli Identity Manager; CiscoSecure ACS; Cisco 7500 Router; Corporate Network; Identity Stores; HR Systems; Databases; Operating Systems; Applications

Comprehensive security spanning network, systems and application infrastructure, from your most trusted partners.

Page 16

Common Pains Addressed by Access Control

We need to reduce help desk costs for our web sites

We need Single Sign On for employees, partners, and suppliers

We need better and cheaper security for in-house applications

We need security for our cross-business unit portal

We need to consolidate multiple access control and authorization solutions

We want a standard module for all our developers to leverage for new and updated applications including web services

We are failing security audits

We need to close security back doors into our operating systems


Page 17

Tivoli Access Manager
• Reusable security component for new systems
• Session-level access decisions across multiple system types
• Unified access policies across systems
• Single sign-on experience in web space

Diagram: Access Manager in front of MQ, Web App, App Server and Unix System. Enforce – who can come in and what they can do.


Page 18

WebSphere Portal Ecosystem: Controlling privileges in dependent systems
• Provisioning Policies
• Workflow
• Audit trails

Diagram labels: Enterprise Resources; Portal Server; Agents; Access Manager; Authorization Store; Account Control; Content; Corporate HR Systems; Business Partner/Employee Directories; Content Administration; Home Grown; Identity Manager

Page 19

Pain Points Addressed by Privacy Management

We need to demonstrate compliance with industry (HIPAA, GLBA, Calif. SB 1386) or country (Safe Harbor, EU Data Protection Directive, Australian Privacy Act, Japan Privacy Act) privacy regulations without costly audits and manual procedures

We need to control disclosure of sensitive data (such as social security numbers, health records, or credit card information) without having to re-write our applications

We need to build and manage privacy rules across our enterprise applications

Controls based on groups or roles are sometimes not enough to determine appropriate access; we need to determine access based on business purpose or by “minimum need to know”


Page 20

Privacy Business Purpose

Privacy Management considers data owner:
– Choices (e.g. opt in to marketing email)
– Attributes (age >13, country of residence)
– Other factors (time of day, etc.)

Privacy Management authorizes “release of data for a business purpose”:
– “read for the purpose of fulfilling an order”
– “write for purpose of registering political party affiliation”
– “delete for purpose of removing from preferred physician list”

Diagram: a Data Requester obtains Disclosure of a Resource belonging to a Data Owner, for a stated Business Purpose.


Page 21

How Is Privacy Management Different?

Disclosure Control
– While a user may be authorized to login to an application, they may not be able to see certain data.
– You can apply policy to a data set BEFORE it is returned to the application (and the user).
– Audit the “return path for data”

Access Controls: Who are you? What groups do you belong to? Are you allowed to access this resource? Audit: who logged in when.

Disclosure Controls: What data did you see/use? For what business purpose? Did the data subject agree? Audit: what data was disclosed, to whom, why, and was it compliant to policy.
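As an added example (not part of the IBM deck, and not Tivoli Privacy Manager code), the Python below implements the disclosure-control idea from this slide and the previous one: a policy keyed by business purpose is applied to a result set before it is returned to the application, each purpose releases only certain fields and only when the data owner's choices and attributes permit it (the opt-in and age >13 conditions from page 20), and every decision is written to an audit record of what was disclosed, to whom, why, and whether policy allowed it. The customer records, the purposes and the policy are constructed for the example.

```python
"""Added example: purpose-based disclosure control applied on the data return
path, with an audit record per decision. All records and policy constructed."""

from __future__ import annotations
from dataclasses import dataclass

# Constructed customer records, as the application's query would return them
# before any disclosure control is applied.
RECORDS = [
    {"id": 1, "name": "Ann", "email": "ann@example.com", "ssn": "xxx-xx-1111", "age": 34, "marketing_opt_in": True},
    {"id": 2, "name": "Ben", "email": "ben@example.com", "ssn": "xxx-xx-2222", "age": 12, "marketing_opt_in": True},
    {"id": 3, "name": "Cy", "email": "cy@example.com", "ssn": "xxx-xx-3333", "age": 45, "marketing_opt_in": False},
]

# Constructed disclosure policy: for each business purpose, the fields that may
# be released and the condition on the data owner's choices/attributes that
# must hold. A purpose never needs more fields than its task requires.
DISCLOSURE_POLICY = {
    "fulfil_order":    {"fields": {"id", "name", "email"}, "owner_ok": lambda r: True},
    "marketing_email": {"fields": {"id", "name", "email"},
                        "owner_ok": lambda r: r["marketing_opt_in"] and r["age"] > 13},
    "tax_reporting":   {"fields": {"id", "name", "ssn"}, "owner_ok": lambda r: True},
}


@dataclass(frozen=True)
class AuditEntry:
    requester: str
    purpose: str
    record_id: int
    fields: tuple[str, ...]   # what was disclosed (empty when withheld)
    decision: str             # "released" or "withheld"
    reason: str


def disclose(records: list[dict], requester: str, purpose: str, audit: list[AuditEntry]) -> list[dict]:
    """Filter a result set by business purpose before it reaches the application.

    Returns the projected records the requester may see and appends one
    AuditEntry per input record, released or not."""
    rule = DISCLOSURE_POLICY.get(purpose)
    released: list[dict] = []
    for r in records:
        if rule is None:
            audit.append(AuditEntry(requester, purpose, r["id"], (), "withheld", "unknown business purpose"))
            continue
        if not rule["owner_ok"](r):
            audit.append(AuditEntry(requester, purpose, r["id"], (), "withheld",
                                    "data owner choice/attribute check failed"))
            continue
        view = {k: v for k, v in r.items() if k in rule["fields"]}
        audit.append(AuditEntry(requester, purpose, r["id"], tuple(sorted(view)), "released",
                                "permitted by policy"))
        released.append(view)
    return released


def disclosure_summary(audit: list[AuditEntry]) -> dict[tuple[str, str], int]:
    """Counts per (purpose, decision): the view a compliance reviewer asks for."""
    summary: dict[tuple[str, str], int] = {}
    for e in audit:
        key = (e.purpose, e.decision)
        summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    log: list[AuditEntry] = []
    for row in disclose(RECORDS, "crm-app", "marketing_email", log):
        print("released:", row)
    for e in log:
        print(f"{e.decision:<8} record {e.record_id} to {e.requester} for {e.purpose}: {e.reason}")
    print(disclosure_summary(log))
```

The requester is the same authenticated application in every call; what changes the outcome is the purpose and the data subject's own choices, which is exactly the distinction the slide draws between access controls (who are you, may you reach this resource) and disclosure controls (what data, for what purpose, with whose agreement).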

Page 22

Combining the Identity Ecosystem

Synchronize Identity Stores (Identity Integration): NOS, White Pages, Charge Centers, Telephony, HR, LOB, Partner, Directory, eMail Directory

User Provisioning: Identity-Driven User Accounts

Access Control: Identity-Driven Access and Disclosure Control

Users → Accounts → Controls
– Integrate – Information about users
– Administer – Changes in users and authorities
– Enforce – who can come in and what they can do


Page 23

IBM’s Integrated Identity Management Solution
Leveraging Knowledge of People and Processes to Create Business Value

Identity Data Infrastructure (user & resource information): IBM Directory Integrator; IBM Directory Server
Identity Applications (users & applications): Tivoli Identity Manager; Tivoli Access Manager; Tivoli Privacy Manager
Federated Identity Management

Page 24

How do you get started?

Visit http://www.ibm.com/software/itsecurity/en/web10 to download informative whitepapers or view additional webcasts on IBM Security & IT Management Solutions.

Contact your IBM sales specialist or IBM Business Partner, or call 1-800-IBM-7777 with priority code 104AK002 to discuss how IBM can assist you with your identity management needs.