oim .pptx
TRANSCRIPT
What is Identity Management?
Components shown on the slide:
• Provisioning
• Single Sign On
• PKI
• Strong Authentication
• Federation
• Directories
• Authorization
• Secure Remote Access
• Password Management
• Web Services Security
• Auditing & Reporting
• Role Management
• Digital Rights Management
Identity Management
Identity management is the combination of business process and technology used to manage data about users on IT systems and applications. Managed data includes user objects, identity attributes, security entitlements and authentication factors.
IAM technology can be used to initiate, capture, record and manage user identities and their related access permissions in an automated fashion. This ensures that access privileges are granted according to a single interpretation of policy and that all individuals and services are properly authenticated, authorized and audited.
Definitions
• Identity Management (IDM): IDM is the process by which various components in an identity management system manage the account life cycle for network entities in an organization, and most commonly refers to the management of an organization's application users.
• Provisioning: a technology and process based solution for enforcing and managing the creation, reading, update and deletion of user accounts based on a defined security policy. Provisioning is also a means of propagating security policy, for example by setting access rights on managed systems based on group memberships and/or role assignments.
• Authentication: The process of verifying the identity claimed by an entity based on its credentials.
• Authorization: The process of determining if a user has the right to access a requested resource.
• Authorization Policies: Declarations that define entitlements of a security principal and any constraints related to that entitlement.
• Account Life Cycle: The steps that are taken to provision access for a user to a given system resource.
• RBAC (Role based access): Providing access to a system resource through programmatic logic driven by roles.
• Authoritative Resource: System of reference for employment status and position description.
• Target System Resource: System/application where the automated provisioning will occur.
• LDAP: The Lightweight Directory Access Protocol is an application protocol for querying and modifying directory services running over TCP/IP.
• Single Sign On: A property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property, whereby a single action of signing out terminates access to multiple software systems.
Midsize-to-large Organization identity sources
• Active Directory
• Other directory services
• HR systems
• Databases
• Custom line-of-business (LOB) applications
• Third-party Software as a Service (SaaS) Web applications
• Local system accounts on Windows, Linux or Unix
• Email
Different kinds of users
• Enterprises manage identity data about two broad kinds of users:
• Insiders: including employees and contractors. Insiders spend most of their working hours engaged with the enterprise. They often access multiple internal systems and their identity profiles are relatively complex.
• Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders. Outsiders generally access only a few systems (e.g., CRM, e-Commerce, retirement benefits, etc.) and access these systems infrequently. Identity profiles about outsiders tend to be less detailed and less accurate than those about insiders.
Different kinds of identity data
• Just as there are different kinds of users whose identity an enterprise must manage, there are different kinds of data about these users that must be managed:
• Personal information. This includes names, contact information and demographic data such as gender or date of birth.
• Legal information. This includes information about the legal relationship between the enterprise and the user: social security number, compensation, contract, start date, termination date, etc.
• Login credentials to target systems. On most systems, this is a login ID and password. Identification may also use a PKI certificate, and authentication may use tokens, biometrics or a set of personal questions that the user must answer.
Key identity challenges
• Identity management presents several challenges in most organizations:
• Security: Do user entitlements exactly match their needs? Are policies, such as segregation of duties rules, violated? Do access rights persist after they are no longer needed?
• Consistency: User profile data entered into different systems should be consistent. This includes name, login ID, contact information, termination date, etc. The fact that each system has its own user profile management system makes this difficult.
• Efficiency: Setting up a user to access multiple systems is repetitive. Doing so with the tools provided with each system is needlessly costly.
• Usability: When users access multiple systems, they may be presented with multiple login IDs, multiple passwords and multiple sign-on screens. This complexity is burdensome to users, who consequently have problems accessing systems and incur productivity and support costs.
• Reliability: User profile data should be reliable, especially if it is used to control access to sensitive data or resources. That means that the process used to update user information on every system must produce data that is complete, timely and accurate.
• Scalability: Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.
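The security, consistency and auditing challenges above are what a reconciliation run checks for: comparing a target system's accounts against the authoritative HR source to find orphaned accounts, profile data that disagrees with HR, and segregation-of-duties violations. The following is an added example written for this transcript, not code from the presentation or from any IAM product; the record layouts, employee IDs, login IDs, role names and the SoD rule pairs are constructed for illustration.

```python
"""Reconciliation of a target system against the authoritative HR source.

Added example for this transcript, not code from the presentation or from
Oracle Identity Manager. The record layouts, employee IDs, login IDs, role
names and the SoD rule pairs are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    """One row from the authoritative resource (the HR system)."""
    emp_id: str
    name: str
    status: str                         # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class TargetAccount:
    """One account on a target system resource (an application or directory)."""
    login_id: str
    emp_id: Optional[str]               # link to HR; None when created ad hoc
    name: str
    roles: set = field(default_factory=set)


# Constructed segregation-of-duties rules: role pairs one person must not hold together.
SOD_RULES = [("ap_invoice_entry", "ap_payment_approval"),
             ("user_admin", "audit_log_admin")]


def find_orphans(hr, accounts):
    """Accounts with no active HR record behind them: access that persisted
    after termination, or accounts never linked to an authoritative record."""
    active = {r.emp_id for r in hr if r.status == "active"}
    return sorted(a.login_id for a in accounts if a.emp_id not in active)


def find_inconsistencies(hr, accounts):
    """Profile attributes on the target that disagree with HR."""
    by_id = {r.emp_id: r for r in hr}
    return sorted((a.login_id, "name", a.name, by_id[a.emp_id].name)
                  for a in accounts
                  if a.emp_id in by_id and a.name != by_id[a.emp_id].name)


def find_sod_violations(accounts):
    """Accounts holding both roles of any SoD rule."""
    return sorted((a.login_id, r1, r2)
                  for a in accounts
                  for r1, r2 in SOD_RULES
                  if r1 in a.roles and r2 in a.roles)


def reconcile(hr, accounts):
    """Run all checks; the result is what an auditing & reporting step would record."""
    return {"orphans": find_orphans(hr, accounts),
            "inconsistencies": find_inconsistencies(hr, accounts),
            "sod_violations": find_sod_violations(accounts)}


def sample_data():
    """Constructed HR feed and target-system export used to exercise the checks."""
    hr = [HrRecord("E100", "Alice Lee", "active"),
          HrRecord("E200", "Bob Ray", "terminated", date(2024, 3, 31)),
          HrRecord("E300", "Carol Diaz", "active")]
    accounts = [TargetAccount("alee", "E100", "Alice Lee",
                              {"ap_invoice_entry", "ap_payment_approval"}),
                TargetAccount("bray", "E200", "Bob Ray", {"user_admin"}),
                TargetAccount("cdiaz", "E300", "C. Diaz", {"ap_invoice_entry"}),
                TargetAccount("svc_reports", None, "Reports Service")]
    return hr, accounts


if __name__ == "__main__":
    for check, findings in reconcile(*sample_data()).items():
        print(check, findings)
```

In the constructed data the terminated employee's account and the unlinked service account show up as orphans, the name mismatch is reported as an inconsistency, and the clerk who can both enter and approve payments trips the SoD rule. In practice the HR feed and the target export would come from the authoritative resource and the target system resource defined earlier, and the report would feed a review or an automated de-provisioning step.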
Multiple Contexts (slide diagram)
Audiences: Your COMPANY and your EMPLOYEES; Your SUPPLIERS; Your PARTNERS; Your REMOTE and VIRTUAL EMPLOYEES; Your CUSTOMERS
Business drivers: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce
The Disconnected Reality
• "Identity Chaos"
– Lots of users and systems required to do business
– Multiple repositories of identity information; multiple user IDs, multiple passwords
– Decentralized management, ad hoc data sharing
Slide diagram: each system (Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application, NOS) keeps its own combination of authentication, authorization and identity data.
Pain Points (by stakeholder: Business Owner, End User, IT Admin, Developer, Security/Compliance):
• Too expensive to reach new partners, channels
• Need for control
• Too many passwords
• Long waits for access to apps, resources
• Too many user stores and account admin requests
• Unsafe sync scripts
• Redundant code in each app
• Rework code too often
• Too many orphaned accounts
• Limited auditing ability
Identity Integration (slide diagram)
An Identity Integration Server sits between the Enterprise Directory and the connected systems (HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application, Student Admin), each of which still holds its own combination of authentication, authorization and identity data.
IAM Benefits
Benefits listed on the slide (labelled "Benefits today (Tactical)" and "Benefits to take you forward (Strategic)"):
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit
• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships
What is IDM? Identity and Access as a Service (slide diagram)
Consumers: End Users; Policy Managers; Apps & Services; DBAs
Services: Self-Service; Delegated Administration; Identity & Role Lifecycle Management; Identity Analytics; Authentication & Authorization; Monitoring; Fraud Prevention; Workflow; RBAC & SoD
Benefits: Trusted and reliable security; Efficient regulatory compliance; Lower administrative and dev costs; Enable online business networks; Better end-user experience
Account Life Cycle: What are we capturing? Manual New Hire Employee Provisioning Process
Step One: Employee is entered into PeopleSoft HR system
· Payroll · Benefits · Job Data
Step Two: Manager submits forms & phone calls for access
· Facilities/Security · Telecom · MIS
Step Three: Helpdesk receives forms & assigns to appropriate department
· LAN · App SQL · BAIS · Facilities · Database · Storage Group · Active Directory Account
Step Four: System admin per resource creates accounts & access
· AD Account · Application access · Telecom · Facilities · Desktop set up · Security badge
Step Five: System Administrators & Physical access support teams notify the employee's manager of the completed items. Manager approves & notifies new hire
Account Life Cycle: What about removal of access? Manual Employee De-Provisioning Process
Trigger: Employee leaves the City of Boston
Step One: HR is notified of the employee termination
· Payroll · Benefits · Job Data
Step Two: Manager submits forms & phone calls for access termination
· Facilities/Security · Telecom · MIS
Step Three: Helpdesk receives forms & assigns to appropriate department
· LAN · App SQL · BAIS · Facilities · Database · Storage Group · Active Directory Account
Step Four: System admin per resource removes accounts & access
· AD Account · Application access · Telecom · Facilities · Desktop set up · Security badge
Step Five: System Administrators & Physical access support teams notify the employee's manager of the completed items. Manager is notified
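The two manual processes above are what automated provisioning replaces: an event from the authoritative HR system (hire, transfer, termination) drives account and entitlement changes on each target system through a role mapping, and every change is written to an audit trail. The following is an added example written for this transcript, not the presentation's or Oracle Identity Manager's code; it assumes a constructed RBAC map from job codes to entitlements on named target systems and uses an in-memory stand-in for those targets.

```python
"""Automated account life cycle driven by HR events.

Added example, not the presentation's or Oracle Identity Manager's code. It
assumes an HR system (the authoritative resource) emitting hire, transfer and
terminate events, a constructed RBAC map from job codes to entitlements on
named target systems, and an in-memory stand-in for those targets.
"""
from dataclasses import dataclass, field

# Constructed RBAC mapping: job code -> {(target system, entitlement)}.
ROLE_ENTITLEMENTS = {
    "finance_clerk": {("ad", "domain_user"), ("erp", "ap_invoice_entry")},
    "it_helpdesk": {("ad", "domain_user"), ("ad", "helpdesk_group"),
                    ("ticketing", "agent")},
}


@dataclass
class Account:
    enabled: bool = True
    entitlements: set = field(default_factory=set)


class ProvisioningEngine:
    def __init__(self):
        self.accounts = {}   # (target, emp_id) -> Account on that target
        self.audit = []      # (action, emp_id, detail) for auditing & reporting

    @staticmethod
    def _desired(job_code):
        return ROLE_ENTITLEMENTS.get(job_code, set())

    def _grant(self, emp_id, target, entitlement):
        acct = self.accounts.setdefault((target, emp_id), Account())
        acct.enabled = True
        acct.entitlements.add(entitlement)
        self.audit.append(("grant", emp_id, f"{target}:{entitlement}"))

    def _revoke(self, emp_id, target, entitlement):
        acct = self.accounts[(target, emp_id)]
        acct.entitlements.discard(entitlement)
        self.audit.append(("revoke", emp_id, f"{target}:{entitlement}"))
        if not acct.entitlements:            # nothing left: disable, keep for audit
            acct.enabled = False
            self.audit.append(("disable", emp_id, target))

    def on_hire(self, emp_id, job_code):
        for target, ent in sorted(self._desired(job_code)):
            self._grant(emp_id, target, ent)

    def on_transfer(self, emp_id, old_job, new_job):
        old, new = self._desired(old_job), self._desired(new_job)
        for target, ent in sorted(old - new):   # drop what the new role does not need
            self._revoke(emp_id, target, ent)
        for target, ent in sorted(new - old):
            self._grant(emp_id, target, ent)

    def on_terminate(self, emp_id):
        """Termination disables every account of the leaver in one pass."""
        for (target, owner), acct in self.accounts.items():
            if owner == emp_id and acct.enabled:
                acct.enabled = False
                acct.entitlements.clear()
                self.audit.append(("disable", emp_id, target))

    def active_entitlements(self, emp_id):
        return sorted(f"{t}:{e}"
                      for (t, owner), a in self.accounts.items()
                      if owner == emp_id and a.enabled
                      for e in a.entitlements)

    def is_enabled(self, target, emp_id):
        acct = self.accounts.get((target, emp_id))
        return acct is not None and acct.enabled


def run_lifecycle():
    """Constructed sequence: hire -> transfer -> terminate for one employee."""
    engine = ProvisioningEngine()
    engine.on_hire("E100", "finance_clerk")
    after_hire = engine.active_entitlements("E100")
    engine.on_transfer("E100", "finance_clerk", "it_helpdesk")
    after_transfer = engine.active_entitlements("E100")
    engine.on_terminate("E100")
    after_exit = engine.active_entitlements("E100")
    return engine, after_hire, after_transfer, after_exit


if __name__ == "__main__":
    engine, hired, moved, left = run_lifecycle()
    print(hired, moved, left, sep="\n")
    for entry in engine.audit:
        print(entry)
```

The transfer step is the part the manual processes never cover: entitlements the new role does not need are revoked rather than accumulated, and an account left with no entitlements is disabled but retained so the audit trail stays intact. Termination disables every account of the leaver in one pass, which is the automated counterpart of Steps Three and Four of the de-provisioning process.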
Relevant technologies: the solutions
Several types of technologies are available to manage user identity data across the enterprise. In general, these systems focus on streamlining the identity management process and managing data consistently across multiple systems.
• Directories
• The cornerstone of many identity management and access governance infrastructures is a corporate directory.
• Major platform vendors make inexpensive, robust and scalable directory products. These include:
• Microsoft Active Directory.
• Novell eDirectory (built on top of NDS).
• Sun ONE Directory (formerly Netscape and then iPlanet LDAP).
• IBM Directory (formerly Tivoli Directory).
• Oracle Internet Directory (OID).
• Meta Directories
• Meta directories are engines that synchronize data about users between different systems. Most modern IAG systems include what amounts to a meta directory, though it may not be labeled as such.
• Web access management / Web single sign-on
• A Web access management (WebAM) / Web single sign-on (WebSSO) system is middleware used to manage authentication and authorization of users accessing one or more web-enabled applications. It supports single sign-on across systems and applications which do not natively support federation.
• Password management
• Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.
• Enterprise single sign-on
• Enterprise single sign-on (E-SSO) systems do just that: users sign into the E-SSO application, which stores every user's login ID and password to every supported application. Users launch various applications through the E-SSO client software, which opens the appropriate client program and sends keystrokes to that program simulating the user typing his own login ID and password.
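The WebSSO description above, and the single sign-on and single sign-off definitions earlier, can be made concrete with a small token exchange: a central Web access management service issues one signed token after a single login, each web application verifies that token locally instead of running its own login, and a shared revocation list makes one sign-out end the session everywhere. The following is an added example written for this transcript, not the presentation's or any vendor's code; the shared key, user name, application names and the HMAC-signed token layout are constructed assumptions.

```python
"""Web single sign-on token verified by several applications, with single sign-off.

Added example, not the presentation's or any vendor's code. It assumes a
central Web access management service that issues an HMAC-signed token after
one login, web applications that verify the token locally with the shared key,
and a shared revocation set consulted for single sign-off. The key, user name
and application names are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets


class WebAccessManager:
    def __init__(self, key: bytes, ttl_seconds: int = 900):
        self._key = key
        self._ttl = ttl_seconds
        self._revoked = set()        # session ids ended by single sign-off

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def login(self, user: str, now: float) -> str:
        """Issue one token after the user has authenticated once."""
        claims = {"sub": user, "sid": secrets.token_hex(8), "exp": now + self._ttl}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        return (payload + b"." + base64.urlsafe_b64encode(self._sign(payload))).decode()

    def verify(self, token: str, now: float):
        """Return the claims if the token is authentic, unexpired and not signed off."""
        try:
            payload, sig = token.encode().split(b".", 1)
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), self._sign(payload)):
                return None              # signature does not match: reject
            claims = json.loads(base64.urlsafe_b64decode(payload))
            if claims["exp"] <= now or claims["sid"] in self._revoked:
                return None              # expired, or ended by single sign-off
        except (ValueError, KeyError, TypeError):
            return None                  # malformed token
        return claims

    def logout(self, token: str, now: float) -> bool:
        """Single sign-off: one action ends the session for every application."""
        claims = self.verify(token, now)
        if claims is None:
            return False
        self._revoked.add(claims["sid"])
        return True


class WebApplication:
    """An application that runs no login of its own; it trusts the WebAM token."""
    def __init__(self, name: str, wam: WebAccessManager):
        self.name, self._wam = name, wam

    def handle_request(self, token: str, now: float) -> str:
        claims = self._wam.verify(token, now)
        if claims is None:
            return "redirect to login"
        return f"{self.name}: welcome {claims['sub']}"


def sso_walkthrough(now: float = 1000.0):
    """Constructed session: one login, two applications, then single sign-off."""
    wam = WebAccessManager(b"constructed-shared-secret", ttl_seconds=60)
    crm, erp = WebApplication("crm", wam), WebApplication("erp", wam)
    token = wam.login("alee", now)
    before = (crm.handle_request(token, now + 5), erp.handle_request(token, now + 10))
    wam.logout(token, now + 20)
    after = (crm.handle_request(token, now + 25), erp.handle_request(token, now + 30))
    return wam, token, before, after


if __name__ == "__main__":
    _, _, before, after = sso_walkthrough()
    print("before sign-off:", before)
    print("after sign-off:", after)
```

The applications never see a password; they only check the signature, the expiry and the revocation set, which is why one logout action takes effect in both of them. A token whose signature has been altered is rejected before its claims are even parsed, and a short time-to-live bounds how long a token that is never signed off stays usable.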
Conclusions
• Identity management is a class of technologies intended to streamline the management of user identity information both inside and outside an enterprise. It includes:
• Directories, especially those using LDAP.
• Password management.
• Enterprise single sign-on.
• Web access management and web single sign-on.
• User provisioning.
• Federation.