Why LDAP & Security Are Critical to Your Success

HVL 2001

Why LDAP & Security Are Critical to Your Success

UBC Certificate in eBusiness Presentation

Wednesday, January 17, 2001

Guy Huntington, President,HVL

Presentation Goals

• Understand the critical role that trust plays in achieving modern business models

• Relate this to the challenge of creating, managing and authenticating the identity

• Probe into accepting authorizations between systems, partners and other enterprises

• Take a look at the role of LDAP vs. Databases

• See what kinds of tools are out there to do the job

It All Starts With Trust

• Trust is the heart of successful ongoing transactions, relationships and business processes

• In the “old days” it was primarily based on someone you had physical proximity to, or taken on faith from someone you knew

• But what about today?

Trust and E-business

• Billions of interactions occurring around the globe, increasingly with software-based systems, where we may never ever see the face behind the transaction or business process

• A large enterprise may have tens or hundreds of millions of customers (e.g. Wal*Mart, Coke or Pepsi)

• They may have hundreds of thousands of employees (e.g. United Airlines, McDonalds)

• They may have thousands, tens of thousands or more business partners’ employees interacting with the enterprise (e.g. GM)

Interactions Are Fast, Varied and Sensitive

• Interactions often require split-second decision-making (several thousand identity lookups and authentications per second)

• Access can be to many traditional “back-office” systems (shipping, account info, manufacturing, sales/marketing, etc.)

• Customers and business partners are drilling to very sensitive information (e.g. data warehouses containing personal account info.)

Identity Management

• Usually taken for granted

• Identity creation is usually a mixed bag of:

– Different people doing the creation

– Different ways of doing the creation

– Different systems holding the creation

Take “Fred Johnson”

• Fred Johnson – Facilities

• Fred S. Johnson – Parking

• Fjohnson – E-mail

• F. Johnson HR Manager – Payroll

• Fred Johnson Human Resources Manager – HRIS

• Fred Johnston (oops…typo!) – Security

• F. Johnsonn (another typo) – Networks

Identity Integrity

• Causes a lot of grief

• Direct cost to the enterprise

• Lost productivity

• Hard to find up-to-date org charts and basic contact info

• Can cost many tens of millions of dollars annually

Managing the Identity

• Who creates it?

• How do you handle the changes to it?

• The numbers can be staggering

– 15-30% identity changes

– 20-30% employee churn in some sectors

– Thousands to millions of users

• You need to somehow both centralize identity reference and at the same time delegate admin to appropriate levels

Security Lapses

• Time delays for system updates take days, weeks and even months

• Manual processes for updating mean manual errors

– Wrong people get taken on and off systems

– Identities entered differently don’t match in systems and access is denied to applications etc.

Authentication

• Now we have an identity, how do we authenticate it to continue the process of trust?

• “How do I know you’re you?”

Challenges

• What if I don’t know you?

• What if you’ve been passed from one or two portals to my e-business website?

• How do you achieve single sign on to reduce the number of passwords, tokens, smartcards and number of times authentication is required?

• The answers affect ease of use, trust and manageability of the business models you’re building!

Authentication Basics

• What you know

• What you have

• What you are

Authentication Methods

• Basic authentication

• Certificate authentication

• Form authentication

• Tokens/smart cards authentication

• Biometric authentication

Basic Authentication

• Uses something you know

• Username and password are the most common

• Most common form of authentication

• Can be a lot of problems/challenges in using it

Basic Challenges

• Password cracking programs can guess passwords at over 1.5 million guesses per second to minute

• Passwords are difficult to remember and should be changed frequently

Basic Challenges

• Password lengths are often insecure

• Password storage may not be secure

• Passwords may travel in the clear

Basic Challenges

• Browsers cache passwords

• Lost password management is very expensive

Certificate Authentication

• Uses public key infrastructure

• Involves use of trusted third parties called “certificate authorities”

• Certificates use a couple of different types of encryption to assure identity

• Parties exchange certificates and verify each other

Certificate Challenges

• Managing certificate users can be very demanding, costly and time consuming

• Level of trust may not be appropriate for all your needs

• Encryption use may require accelerator cards on the authenticating servers

• Browsers cache certificate info

Form Authentication

• Uses an HTML form usually embedded in the internet, intranet or extranet interface

• Can use username and password or some other challenge and response

• Advantage to this method is the browser doesn’t cache the challenge and response

Tokens

• You’ve probably seen or used some tokens many times

• This can include driver’s license and social security card

• It can also include key fobs with digitally changing numbers

Token Challenges

• Can be forged or hacked

• People lose them

• Management of the whole process can be daunting

• People get sick of having to carry around so many tokens (just check your wallet for the number of loyalty cards you carry)

Smart Cards

• Use chip technology

• Includes debit cards to financial and medical information cards

• Widely used in Europe

• Gaining momentum in N. America

• Lots and lots of politics involved in setting global standards

• Often use multi-factor authentication

Smart Card Challenges

• Can be hacked (although it can be harder to do)

• A lot of behind the scenes fighting over standards for potentially billions and trillions of dollars in transactions

• Need plant and equipment to deploy

Biometric Authentication

• “James Bond” comes of age

• Includes

– Finger recognition

– Fingerprint scans

– Hand geometry

– Face geometry

– Signature recognition

– Iris and retina recognition

– Voice recognition

Biometric Authentication

• Price points are dropping quickly below $150, $100 and even much less

• Becoming embedded in chips placed in cell phones, palm pilots and soon watches

• Often used with smart cards and/or other authentication methods such as passwords

Biometric Challenges

• Can have trouble with people having hangovers, colds, etc

• Still a little pricey for widespread adoption

• Device required to conduct the enrollment and reading

So What Do You Use?

• Probably combinations of all of these!

• You need to think in terms of layers of trust

• Let’s move on to authorization and then come back to view the challenges in providing single sign on, integrating different authentication methods and accepting other parties’ authentications/authorizations

Authorization

• This is the second step of the triple A’s (authentication, authorization and auditing)

• How do you authorize?

• How do you integrate authorization mechanisms across an enterprise and between enterprises?

• It isn’t always easy

Daily Sales Report

• Sales rep can view only their own reports

• Managers can view all direct reports’ “reports” and their summaries, but not other areas

• Regional managers can view all reports below them, rolled up summaries but not outside their area

• VP, CEO and CFO can view all reports and summaries

Daily Sales Report

• Special exemptions for some identities

– Individuals, roles, groups, geography

• Special exemptions for some reports

– Specific reports, groups of reports

• Special exemptions based on time

– Hourly, daily, weekly, monthly, seasonally, yearly
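
The daily sales report rules from the two slides above, written out as an added example that is not part of the original presentation. It assumes each directory entry carries a role and a manager reference, as an LDAP person entry could; the uids, role names, org tree and the single time-limited exemption are constructed.

```python
from datetime import date

# Constructed sample directory (hypothetical): uid -> (role, manager uid).
# In an LDAP deployment these would be attributes on each person entry.
DIRECTORY = {
    "ceo1":  ("executive", None),
    "rm_w":  ("regional_manager", "ceo1"),
    "rm_e":  ("regional_manager", "ceo1"),
    "mgr_a": ("manager", "rm_w"),
    "mgr_b": ("manager", "rm_e"),
    "rep_1": ("sales_rep", "mgr_a"),
    "rep_2": ("sales_rep", "mgr_a"),
    "rep_3": ("sales_rep", "mgr_b"),
}

# Constructed exemption: (viewer, report owner, last valid day).
EXEMPTIONS = [("rep_1", "rep_3", date(2001, 1, 31))]


def chain_of_command(uid):
    """Managers above uid, nearest first. Stops if the data contains a loop."""
    seen, chain = {uid}, []
    mgr = DIRECTORY[uid][1]
    while mgr is not None and mgr not in seen:
        chain.append(mgr)
        seen.add(mgr)
        mgr = DIRECTORY[mgr][1]
    return chain


def can_view(viewer, owner, today):
    """Decide whether viewer may open owner's daily sales report."""
    if viewer not in DIRECTORY or owner not in DIRECTORY:
        return False                      # unknown identity: deny by default
    role = DIRECTORY[viewer][0]
    if viewer == owner or role == "executive":
        return True                       # own report, or VP/CEO/CFO
    chain = chain_of_command(owner)
    if role == "manager" and chain[:1] == [viewer]:
        return True                       # direct reports only
    if role == "regional_manager" and viewer in chain:
        return True                       # anyone below them in their area
    # Identity-specific, time-limited exemptions are checked last.
    return any(v == viewer and o == owner and today <= until
               for v, o, until in EXEMPTIONS)
```

Every decision depends on the role and manager data being correct, so a mistyped or stale entry silently changes who can see what.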

Granularity

• Your infrastructure needs to provide flexibility for different combinations of granularity at both the identity and resource/application level

• Some of this logic is already in your ERP’s, HRMS’s, data warehouses, CRM’s and the rest of your systems

• How do you knit this together both internally and externally?

The Devil Is in the Details

– Potential show stopper stuff for B2B’s and large internal reengineering

– You’re crossing multiple systems, with little or no authentication and authorization standards

– The information and rules are stored in specific formats, logic and databases each with their own generally inflexible standards

– You’re also crossing over a lot of political power centers within the enterprise

Databases

• Many of the systems requiring authentication/authorization integration use databases/data warehouses

• There are challenges with using database-only solutions

Advantages of Databases

• Maintain state of the transaction

• Excellent for fast writes

– Wal*Mart updates the DSS at approx 8.4 million updates per minute

• Great for routine and complex querying

– Wal*Mart queries DSS at over 100,000 complex queries a week

• Flexible

Disadvantages of Databases

• Lack standards when it comes to how information is stored

• Not optimized for fast reads

• Generally relational not hierarchical

Infrastructure “Glue”

• Need to bind together/coordinate the identity management, authentication and authorization components of all the systems

• Has to work exceedingly fast

• Databases are not the best choice in either cost or performance for this application

• Databases may hold the authoritative source of the information e.g. ERP, HRMS

• That’s why directories come into play

Directories

• Optimized for fast reads not writes

• Excellent for stateless/semi-stateless environments

• Scale relatively easily for replication and fail over

• Operate to standards

LDAP

• Lightweight Directory Application Protocol

• IETF standard

• Built with the internet in mind

• Offspring of X.500

• Provides enough standards to be attractive as a coordinating vehicle for identity management, authentication, authorization and auditing

Putting It All Together

• LDAP directory acts as the coordinating hub for your authentication, identity management, authorization and auditing systems

• Can be Master, Child or both for authoritative source of information

• Store digital certificates, username, password(s), challenge phrases, biometric point info., etc.

• Also store summary info from the CRM or portal info on your business partners

You Want:

• To provide a central integration point

• Something that scales

• Enhance not reduce existing security

• To provide end user ease of use

• To quickly integrate systems required by the existing and emerging business models

Single Sign On (SSO)

• Need some tools to work with the directory and your systems

• Can be quite complex without the tools

SSO Challenges

• Coordinate the identity management

• Delegate the identity management where warranted

• Coordinate authentication

• Security compatible with things like TLS/SSL, IPSec, digital certificates, etc.

• Pre and Post authorization features to hand off to ERP’s, NOS’s, CRM’s, data warehouses, portals and all your other many systems

SSO Challenges

• Maintain state to identify session beginning and endings

– Timing out the user

• Store authentication and authorization levels to which the identity is approved to prevent reauthentication unless desired

– Involves the use of encrypted cookies and application servers

– Work within a domain and across multiple domains
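
A sketch of the session state this slide describes, as an added example that is not part of the original presentation: a cookie carrying the identity, the authentication level reached and the last-activity time, checked for tampering, idle timeout and step-up. The level numbers, the 15-minute timeout and the key are assumptions, and the cookie here is HMAC-signed rather than encrypted, so its contents are tamper-evident but readable; a deployment that needs confidentiality would encrypt it as well.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"   # placeholder; load from a secret store
IDLE_TIMEOUT = 900                 # assumed policy: 15 minutes of inactivity
# Assumed "layers of trust": a higher number is stronger authentication.
LEVELS = {"form": 1, "certificate": 2, "smartcard+biometric": 3}


def _mac(payload: str) -> bytes:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest().encode()


def _encode(session: dict) -> str:
    raw = json.dumps(session, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return payload + "." + _mac(payload).decode()


def issue_cookie(uid: str, method: str, now: int) -> str:
    """Called once, after the user authenticates with the given method."""
    return _encode({"uid": uid, "lvl": LEVELS[method], "seen": now})


def check_cookie(cookie: str, required_level: int, now: int):
    """Return (decision, refreshed_cookie). Cookie is None unless allowed."""
    payload, sep, mac = cookie.rpartition(".")
    # Verify integrity before parsing anything the client sent.
    if not sep or not hmac.compare_digest(mac.encode(), _mac(payload)):
        return "reject", None          # malformed or tampered
    session = json.loads(base64.urlsafe_b64decode(payload))
    if now - session["seen"] > IDLE_TIMEOUT:
        return "expired", None         # session ended: full sign-on again
    if session["lvl"] < required_level:
        return "step_up", None         # resource needs stronger authentication
    session["seen"] = now              # sliding window: activity extends it
    return "allow", _encode(session)
```

The resource's required level comes from the authorization rules, so a password-level session can read low-sensitivity pages while a sensitive application forces a stronger method.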

SSO Challenges

• How are you going to handle managing the authorization rules for who gets to see what when?

• You need tools allowing you to delegate this where required

– e.g. extranet, portal, departmental level

• How do you integrate your auditing systems with the ERP’s, NOS’s, firewalls, CRM’s, facilities and all your other systems?

Infrastructure Tools

• Without tools, this kind of work is exceedingly complicated, fraught with peril, expensive and time consuming

• Tools must allow you to scale very quickly

• Easy to use

• Flexible to allow you to tailor your authentication, identity management, authorization and auditing just the way you want it and not to someone else’s preconceived idea of what they should be

That’s Where Oblix and Others Come Into Play

• Oblix

• Netegrity

• IBM

• Entrust

• others

Features to Look For

• Deploys relatively quickly

• Delegate identity and authorization rule management to whatever level of granularity makes sense

• Solid identity management

• Gives you great flexibility in post authentication, authorization and post authorization actions

Features to Look For

• Flexible in granularity for determining protection of resources/applications

• Flexible in determining auditing requirements to different levels of resources/applications

• Scales easily without performance loss

• Works with most NOS’s, directories, ERP’s, portals, etc.

Making and Saving Money!

• Your business models will likely be taking advantage of globalization, new economies of scale, new distribution channels, one to one and one to many marketing, etc.

• Take a second and think about your models…

Making and Saving Money!

• They’re all heavily dependent on building and passing trust through system integration

• This infrastructure technology I’ve talked about is imperative to achieving your business models

• Without it, you’re in danger of wafting onto dangerous shoals and lacking the competitive edge to deliver your business models anywhere in the world, anytime, anywhere with a high degree of trust and low operating costs

Know Thy Identity!

• Customer

• Business Partner

• Employee

Thanks for Having Me!

• This ends the formal part of the presentation

• I hope I’ve been able to open your eyes as to why you really need to know and use this infrastructure technology

• Appended to this presentation are some URL’s for the presentation itself and other useful resources you may want to pursue

• Contact me at 604-921-6797 or [email protected]

URL’s - Presentation

• This presentation is available for html and download viewing at http://www.hvl.net/ebusiness.htm

• Also other presentations there on SSO, Password Management, etc.

URL’s - Authentication

• Authentication Resources

– Password portal - http://www.passwordportal.net/

– Certificates – Security Magazine Jan. 2001 – “Implementing PKI” - http://www.scmagazine.com/index2.html

– Smart Cards – Card Technology.com - http://cardtech.faulknergray.com/

– Biometrics – Biometric Consortium - http://www.biometrics.org/

URL’s – Security/Encryption

• Security and Encryption

– A good read – “Secrets and Lies – Digital Security in a Networked World” – Bruce Schneier (Amazon.com link - http://www.amazon.com/exec/obidos/ASIN/0471253111/qid=979693943/sr=2-1/ref=sc_b_1/107-1804127-2028529)

– TLS – IETF Working Group - http://www.ietf.cnri.reston.va.us/html.charters/tls-charter.html

URL’s – Securing e-Business Vendors

• Infrastructure Vendors

– Oblix – www.oblix.com

– Netegrity - http://www.netegrity.com/

– IBM/Tivoli - http://www.tivoli.com/

– Entrust - http://www.entrust.com/

URL’s - XML/Authentication Standards

• A good read – Nand Mulchandani’s paper “Industry Must Embrace Combination of Open Web Access Standards for True Interoperability” - http://www.oblix.com/pointofentry/xml/index.html