Post on 18-Dec-2015


Page 1: Www.novell.com Secure Identity Management Solutions for One Net Stan Levine President The Wiring Company stan.levine@thewiringco.com

www.novell.com

Secure Identity Management Solutions for One Net

Stan Levine, President, The Wiring Company, stan.levine@thewiringco.com

Page 2

Creating Trusted Identities

• Enterprise workforce

• Business-to-business

• Business-to-consumer

Page 3

Trust = Value

• Harnessing the power of the Internet is dependent upon trust

• The higher the level of trust, the more information can flow freely to users—now empowered to work, collaborate, and consume

• User empowerment always reduces cost while increasing the business value of your systems

Page 4

Trust = Value (cont.)

Trust is achieved through strong processes that manage the “who, what, where, when and how” of access control. Examples of such control include:

• Web applications that are uniformly protected regardless of whether they are accessed from inside or outside the firewall

• User identities that are provisioned and entitled exclusively according to a policy-driven identity management process

• Administrators who have no ability to grant access privileges outside of the provisioning process

Page 5

Common Misunderstandings about Establishing Trust

• Products for access management and user authentication do not by themselves establish or enforce trust

They allow or deny access to known user IDs, but cannot determine how access rights were provisioned

• Public key infrastructure (PKI) does not establish or enforce trust through authentication

PKI can greatly raise confidence in who the user is, but again cannot determine how access rights were provisioned to that user

• A powerful directory service does not establish or enforce trust

However, a directory service that understands and enforces relationships (such as Novell eDirectory™) is essential for enabling processes that establish trust

Page 6

Unfortunately, without Trust There Is No Security

Scenario: the match is positive—the user has been 100% authenticated

[Figure: authentication methods: biometric/fingerprints, biometric/iris scan, user credentials]

The users are authenticated. Now, who are they? And, how do you know?

How did they get into your directory? Who gave them rights to the protected resource? Was it a programmer? A “helpful” administrator? A corrupt insider? An intruder?

Page 7

The Elephant in the Room

By itself, Access Management is not a security solution. The best-known security vendors do not discuss the critical importance of Identity Provisioning in creating real security.

As a result, they do not discuss some of the gravest threats to information security:

• Insider fraud

• Malicious behavior

• “Helpful” administrators

• Careless programmers

• Gullible Help Desks

Page 8

What Are the Real Threats?

“It’s not hacking that results in the most damaging penetrations to an enterprise’s security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees—often without their knowledge—that results in the theft of crucial data.”

Rich Mogull, Senior Analyst, Gartner Group

“Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses.”

Kristen Noakes-Fry, Research Director, Gartner

Page 9

The Novell Solution: Access Management with Trust

[Diagram labels: Directory service; User profiles; Access Authorization Processes; Identity Management Process; Identity Management Policies; Workforce, B2B, B2C (Workforce, Partners, Customers); Admin or Programmer. Callouts: Who is the user? How did he get his ID? How did she gain access permissions?]

Page 10

The “One Net” Difference: Provisioning Trusted Identities

Approaches to identity management that address identity provisioning, but not creating and maintaining trusted identities, are inadequate to the task of establishing one Net

Novell offers the strongest platform for building secure identities for all environments that require a high degree of user trust. These include:

• eBusiness Provisioning for trusted business partner (B2B) user access and trusted consumer/patient/citizen (B2C/G2C) access

• Profile Locking to ensure that access rights are provisioned exclusively via validated identity management processes—Profile Locking addresses “social engineering” compromises to security and other insider threats

• Workforce Provisioning for dynamically creating trusted identities for enterprise users, in concert with HR and other employee systems

Page 11

Workforce Provisioning Using DirXML™

• Workforce (employee, contractor) identity profiles should never be created ad hoc

• Instead, workforce profiles must be derived and integrated from the authoritative business processes that are responsible for components of the profile

• This approach

– Significantly increases the “trust value” of the profile

– Permanently eliminates administrative costs

– Ensures that all identity provisioning operations take effect immediately, including hire and termination events

[Diagram labels: HR, ERP, OS, Dir/Mail, DB, DEN]

Page 12

Business-to-Business Identity Provisioning

• Banks, manufacturers, health care providers, defense, and other industries all have thousands of business partners, suppliers, and agents

• Governments also have these relationships and, since 9/11, have discovered that obstacles to sharing information among agencies/ministries can become catastrophic or scandalous

• Each business partner may in turn have dozens of business units, each with variable numbers of users that require limited access to protected data—such organizations often exhibit large employee turnover, mergers, and/or reorganizations

• It is therefore unreasonable for organizations to try to centrally administer the business partner community

Page 13

B2B Delegated Provisioning

• B2B Delegated Provisioning must provide a solution that is platform and vendor independent, requires very little training, and needs no programming skills to deploy

• Policies, Forms, and Delegated Authority tasks should be driven by a highly intuitive graphical user interface

• The B2B solution greatly benefits from the unique, integral trust features of Novell eDirectory

• Additionally, Novell DirXML allows delegated provisioning into any application system, regardless of underlying platform, directory, or database requirements

• B2B delegation enables each partner to manage its own users

• However, partners must be allowed to provision users exclusively via strictly defined, restricted, enforced and audited access for applications and resources

Page 14

Tools for the Job: B2B Provisioning

[Diagram labels: Identity Services; Controller Process; Web Access; Error Handling; Form Builder; Simple forms; Registration and Enrollment; Roles; Organizations; Policy Builder; DirXML Identity Provisioning; Partner-enabled applications; Signatures; Novell eDirectory; What the business partner sees. Platforms: NetWare, NT/W2K/XP, Solaris, AIX, Linux, OS/390, OS/400, etc.]

• PeopleSoft

• SAP

• Active Directory

• E-mail

• MQ Series/TIBCO

• Other connectivity

• Enterprise information portals

• ERP and logistics applications

• Legacy and custom applications

Page 15

Framework for the Job: B2B Provisioning Components

Enrollment workflows and status should be 100% customizable

Any type or number of business or application roles should be supported

Users should be provisioned using profiles for controlled access to any eligible application, including legacy and ERP systems

Page 16

Demonstration: Example of Trusted B2B Provisioning

[Demo screens: Forms Designer; User Registration; Application and Portal Management]

• No programming required

• Accelerated value

– Platform independent

– Browser independent

– Rapid deployment

– Very little training

• Highly secure

• 100% policy driven

• eProvisioning-ready with DirXML

Page 17

Business-to-Consumer (B2C) Identity Provisioning

• A B2C provisioning process needs to scale to potentially millions of people

• This generally requires a “trusted self-registration” capability, as the problem is well beyond the scope of centralized administration

• The user (customer, patient, citizen, etc.) provides “friendly” but unique credentials (e.g., PIN number, account code, billing, passport and/or other personal information)

• The user credentials are then validated against legacy business processes (e.g., CRM, billing systems, client matters, security files, etc.)

• Information typed in by the user is not to be trusted

• Therefore, one of the critical keys to trusted B2C provisioning is strong and secure connectivity to enterprise systems

Page 18

B2C “Trusted Self Provisioning”

• Trusted identities are provisioned by leveraging information managed in legacy business systems

• Critical profile data that is entered directly by consumers cannot be trusted

• Credential validation should occur in real time between the B2C self-provisioning process and the authoritative enterprise system

• Integration with corporate databases, ERP, directories and multiple platforms concurrently, including mainframes, is required

• No direct contact should be established between the web application server and the mainframe

• Legacy applications must never be exposed to hackers

• Profiles managed in the directory service should be kept in sync with legacy business process systems using DirXML

Page 19

Tools for the Job: B2C Provisioning

[Diagram labels: Identity Services; Controller Process; Web Access; Error Handling; XML Policy; Simple forms; DirXML Identity Provisioning; What the consumer sees. Process steps: Get credentials, Validate, Create profile, Update, Notify. Integration sources: Directory Services (LDAP); Legacy and relational databases (JDBC, CICS); Middleware services (i.e., MQ Series, TIB/Enterprise); E-mail services (SMTP); message operations (Query, Update, etc.). Platforms: NetWare, NT/W2K/XP, Solaris, AIX, Linux, OS/390, OS/400, etc.]

Page 20

Framework for the Job: RA B2C Process Architecture

• Self-service tools are provided for registration, password recovery, and profile editing

• Users are challenged for enrollment credentials—the user’s profile is constructed primarily from legacy data

• Validation with legacy systems is performed online using MQ Series, TIB/Enterprise, or other enterprise middleware

• Novell DirXML Identity Engine is used to maintain the user profile via validated business processes and systems

[Diagram labels: PIN ID form; User ID/password form; Additional information form; ID/password recovery form; User registers online; User recovers ID/password online; Registration server; Directory service; User authentication repository; User information created/updated; User data validated; Customer database; Back Office (i.e., OS/390); MQ Series, TIB/Enterprise; DirXML Identity Engine; Enterprise shim; Business process events; Synchronization]
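The trusted self-registration flow of pages 17 through 20 (get credentials, validate them against the authoritative system, build the profile from legacy data rather than from what the user typed), as an added Python illustration that is not Novell's code. The back-office table, account codes, field names and the `selfDescribed.*` attribute prefix are constructed stand-ins for a middleware query against a real customer database.

```python
import hmac

# Constructed stand-in for the authoritative back-office records (the slides'
# CRM/billing systems reached over middleware). In production this is a query
# through the middleware layer, never a table living in the web tier.
BACK_OFFICE = {
    "ACCT-100200": {"pin": "4471", "postcode": "02139", "name": "A. Customer", "tier": "gold"},
    "ACCT-100201": {"pin": "9082", "postcode": "10001", "name": "B. Customer", "tier": "standard"},
}

# Enrollment credentials the user must present; every one is checked against
# the authoritative record, so guessing a single field is not enough.
ENROLLMENT_CREDENTIALS = ("pin", "postcode")

# Self-described fields the consumer may type in. They are stored under a
# separate prefix and never used to derive entitlements (assumed names).
SELF_DESCRIBED = ("preferredName", "phone")


def lookup_account(account_code):
    """Validate step, part 1: fetch the authoritative record (simulated middleware query)."""
    return BACK_OFFICE.get(account_code)


def credentials_match(submitted, record):
    """Validate step, part 2: all enrollment credentials must match the record.

    Every field is compared (no early exit) with a constant-time comparison, so a
    caller cannot learn which field was wrong from timing or from the response.
    """
    ok = True
    for field in ENROLLMENT_CREDENTIALS:
        got = str(submitted.get(field, "")).encode()
        want = str(record.get(field, "")).encode()
        ok &= hmac.compare_digest(got, want)
    return ok


def build_profile(account_code, record, submitted):
    """Create-profile step: trusted attributes come from the legacy record only."""
    profile = {
        "uid": account_code,
        "cn": record["name"],           # from the back office, not the form
        "serviceTier": record["tier"],  # entitlement-bearing, from the back office
        "source": "backoffice",
    }
    for field in SELF_DESCRIBED:        # anything else the user typed is dropped
        if field in submitted:
            profile["selfDescribed." + field] = submitted[field]
    return profile


def self_register(submitted):
    """Full flow: get credentials -> validate -> create profile. Returns status and profile."""
    account_code = submitted.get("accountCode")
    record = lookup_account(account_code) if account_code else None
    if record is None or not credentials_match(submitted, record):
        # Unknown account and wrong credentials get the same answer.
        return {"status": "Rejected", "profile": None}
    return {"status": "Enrolled", "profile": build_profile(account_code, record, submitted)}
```

A submitted `serviceTier` of "platinum" is silently ignored: the tier in the resulting profile is whatever the back office says.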

Page 21

Ensuring Trust: DirXML-based Integrity Solutions

A DirXML-based integrity solution called Profile Locking can eliminate most opportunities for insider fraud

Capabilities

• Works with any Access Management solution from Novell (iChain®), as well as third-party solutions from Netegrity, IBM, CA, Baltimore, etc.

• Imposes no front-end processing or performance degradation

• Does not require client-side X.509 certificates

• Simple interface for associating digital signatures with registration policies

• Works with any directory-managed X.509 certificate authority (IBM, Entrust, Novell PKIS included)

• Employs server-side digital signatures to verify how a user obtained permissions and enables or disables ACL attributes and/or memberships accordingly

Page 22

What Is Different about DirXML Profile Locking?

Today, only Novell provides a solution for trusted identity management, thanks to a combination of innovative DirXML technology and PKI-based digital signatures

DirXML Profile Locking enables trusted components of a user’s profile to be digitally signed and associated with a valid provisioning process

• If a “trusted” attribute is changed, DirXML Profile Locking instantly detects and evaluates the change and, if necessary, resets the user’s ACL, placing his ID into a workflow state—all in real time

• The profile evaluation occurs in the background using Novell DirXML; applications do not experience any performance degradation

• No “active policies,” “active rules” or “exit programs” need to be executed by the access management solution

DirXML Profile Locking runs on NetWare®, NT/W2K/XP, Solaris, and Linux platforms—wherever DirXML runs

Page 23

Enforcing Integrity with ProfileLock “Enrollment Signatures”

[Diagram labels: Legacy; User; Enroller; Novell eDirectory; External Applications; DirXML Identity Provisioning; B2B Provisioning; Workforce Provisioning; B2C Provisioning; Enrollment signatures]

Page 24

Profile Locking Architecture: Schematic Diagram

[Diagram labels: Communities (Extranet, MySuppliers, MyPartner); User; Applications; Supplier registration; Registration authority; XML Policy; Private Key; Public Key]

Page 25

Profile Locking Architecture: Schematic Diagram

[Diagram labels: Communities (Extranet, MySuppliers, MyPartner); User; Applications; Supplier registration; Supplier application; Registration authority; XML Policy; Private Key; Public Key. Provisioning process: Attributes, Create signatures]

Page 26

Profile Locking Architecture: Schematic Diagram

[Diagram labels: Communities (Extranet, MySuppliers, MyPartner); User; Applications; Supplier registration; Registration authority; XML Policy; Private Key; Public Key. Provisioning process: Attributes, Create signatures. DirXML ProfileLock: Verify signatures]

Page 27

Profile Locking Architecture: Schematic Diagram

[Diagram labels: Communities (Extranet, MySuppliers, MyPartner); User; Applications; Supplier registration; Registration authority; XML Policy; Private Key; Public Key. Provisioning process: Attributes, Create signatures. DirXML ProfileLock: Verify signatures; Status: Enrolled / Rejected. Access Manager: ACL check]

This is all the Access Management system does!
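The Profile Locking flow of pages 21 through 27 (a provisioning process signs the trusted attributes it granted; ProfileLock re-verifies on every change, resets the ACL and parks the identity in a workflow state on a mismatch; the access manager then only checks the ACL), as an added Python model that is not Novell's DirXML code. HMAC-SHA256 with per-process server-side keys stands in for the page's PKI/X.509 digital signatures so the block runs on the standard library alone; the attribute, process, key and resource names are constructed.

```python
import hashlib
import hmac
import json

# Attributes whose values must be traceable to a provisioning process (assumed names).
TRUSTED_ATTRIBUTES = ("groupMembership", "acl")

# Server-side signing keys, one per provisioning process (constructed). In the slides
# these are the registration authority's private keys; HMAC keys stand in for them here.
PROCESS_KEYS = {
    "b2b-supplier-registration": b"constructed-key-supplier-registration",
    "workforce-hr-feed": b"constructed-key-hr-feed",
}


def canonical_trusted(profile):
    """Serialise the trusted attributes deterministically so signatures are stable."""
    subset = {a: sorted(profile.get(a, [])) for a in TRUSTED_ATTRIBUTES}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def create_enrollment_signature(profile, process_id):
    """Provisioning process signs the trusted attributes it granted to this uid."""
    mac = hmac.new(PROCESS_KEYS[process_id], canonical_trusted(profile), hashlib.sha256)
    return {"process": process_id, "uid": profile["uid"], "sig": mac.hexdigest()}


def verify_enrollment_signature(profile, signature):
    """ProfileLock check: trusted attributes must still match what the process signed."""
    key = PROCESS_KEYS.get(signature.get("process"))
    if key is None or signature.get("uid") != profile.get("uid"):
        return False
    expected = hmac.new(key, canonical_trusted(profile), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature.get("sig", ""))


def evaluate_profile(profile, signature):
    """Run on every attribute-change event; returns (updated profile, status)."""
    if verify_enrollment_signature(profile, signature):
        return dict(profile, status="Enrolled"), "Enrolled"
    # Mismatch: disable the ACL/memberships and park the identity for review.
    reset = dict(profile, status="Rejected", workflowState="pendingReview")
    for attr in TRUSTED_ATTRIBUTES:
        reset[attr] = []
    return reset, "Rejected"


def access_manager_allows(profile, resource):
    """The access manager only consults status and ACL; trust was decided upstream."""
    return profile.get("status") == "Enrolled" and resource in profile.get("acl", [])


def demo():
    """Provision a supplier, then apply an out-of-band ACL change and re-evaluate."""
    profile = {"uid": "supplier-0417", "groupMembership": ["MySuppliers"],
               "acl": ["supplier-portal"]}
    sig = create_enrollment_signature(profile, "b2b-supplier-registration")
    profile, status = evaluate_profile(profile, sig)
    # An administrator adds an entitlement directly in the directory, outside any
    # provisioning process: the enrollment signature no longer covers the ACL.
    tampered, tampered_status = evaluate_profile(
        dict(profile, acl=profile["acl"] + ["payables-system"]), sig)
    return (status, access_manager_allows(profile, "supplier-portal"),
            tampered_status, access_manager_allows(tampered, "payables-system"),
            access_manager_allows(tampered, "supplier-portal"))
```

Because `canonical_trusted` sorts multi-valued attributes, a reordering of group memberships is not a change, while any added or removed value is.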

Page 28

Trust = Value

• For an Internet-enabled business strategy to be successful, employees, partners, and consumers must be granted access to the right amount of information and functionality

• Therefore, being both successful and secure on the Internet requires that we understand how to make information accessible according to whom, and how much, we can measurably trust

• Trust = Value

• Strong Identity Management provides the foundation of trust that all other components of application security rely upon, including authentication and access management

• For an Internet strategy to be secure, organizations must be able to measure their knowledge of all the people and organizations that will consume their services or collaborate using their data

Page 29

Novell One Net Identity and Trust Solutions Landscape

[Landscape diagram. eDirectory: community management, policy management, permissions, single sign-on credentials, Public Key Infrastructure. Identity Management: directory services, trust services. Access Management: authentication, authorization, personalization, web single sign-on. eBusiness Provisioning: registration, enrollment, certificate services; B2B Services: delegated administration; B2C Services: self-registration, host-based validation. ProfileLock: trust services. Workforce Provisioning: enterprise integration, workflow. DirXML connecting enterprise resources: HRMS, LAN (Notes, AD, etc.), ERP, RDBMS, middleware, IBM Hosts. Metrics Management: requirements, policy enforcement, security events, audit metrics. Risk Management: community services, metrics, profile validation.]
