Simplifying Identity Silos and Cloud Integrations
IBM Security Systems, December 2013
Rajeev Saxena, Product Manager
David Druker, Executive Security Architect
Sep 14, 2014
© 2013 IBM Corporation
Defining the security perimeter is increasingly difficult…
People: Employees, Attackers, Outsourcers, Customers, Consultants, Partners, Suppliers
Data: Structured, Unstructured, At Rest, In Motion
Applications: Systems Applications, Web Applications, Web 2.0, Mobile Applications
Infrastructure
Example 1: Employees using Web 2.0 applications with unstructured data
Example 2: Outsourcers using systems applications with structured data
Example 3: Customers using mobile applications with data in motion
Defense approach is shifting from ‘Secure the perimeter’ to ‘Think like an attacker’
Threat-Aware Identity and Access Management: capabilities to help organizations secure enterprise identity as a new perimeter
Four pillars: intelligent identity and access assurance; safeguard mobile, cloud and social interactions; simplify identity silos and cloud integrations; prevent insider threat and identity fraud.
• Validate “who is who” when users connect from outside the enterprise
• Enforce proactive access policies on cloud, social and mobile collaboration channels
• Manage shared access inside the enterprise
• Defend applications and access against targeted web attacks and vulnerabilities
• Provide visibility into all available identities within the enterprise
• Unify the “Universe of Identities” for security management
• Enable identity management for the line of business
• Enhance user activity monitoring and security intelligence across security domains
Simplify identity silos and cloud integrations: key requirements
• “Untangle” identity silos to support business growth and increase efficiency
• Reduce costs of integrating and maintaining multiple identity stores
• Enable identity expansion into Cloud and Social environments
• Capture user insight for audit, compliance and reporting
IBM introducing new Directory Services: IBM Security Directory Server and Integrator
Simplify identity silos and cloud integrations
• NEW: Universal directory to transform identity silos and to support “virtual directory”-like deployments
• Scalable directory backbone leveraging existing infrastructure for enterprise-wide Identity and Access Management
• Simplified sourcing of identities and attributes for enterprise applications and Cloud/SaaS integrations
• Intelligent White Pages search with social networking features to enable intuitive identity store browsing
• In-depth user insight with out-of-the-box reports and IBM QRadar SIEM integration
Components: White Pages Search; Federated Directory Services* (federate, cache, virtualize); User Management in Cloud
IBM solutions for key scenarios: simplify identity silos and cloud integrations
• Federated Directory Service to bridge identity silos
• White Pages application ready for social business
• Using SCIM for user on/off-boarding with Cloud environments
• Ease of use with new installer and other Directory enhancements
Architecture (from the slide diagram): IAM Analytics & Security Intelligence sits above the Federated Service (access and search) and Federation Management, which in turn front directories, databases, files, SAP, web services and applications.
“Untangle” identity silos to support business expansion
FDS is a hybrid architecture that provides distributed authentication and data integration:
• Migrate or co-exist
• Join multiple directories
• Enrich with data from other sources
• Federate authentication back to the original source
• Selective “writes” of changes to the original source
Federated Directory Service: simple to deploy, configure and use
• Enriched out-of-the-box integration assets for endpoint connectivity
• Data sources can be any LDAPv3-compliant directory, database, flat file, etc.
• Brand-new GUI for a simplified user experience
• Speed and performance of the centralized view of data is not constrained by the slowest data source
White Pages application ready for social business
Based on IBM Profiles. Profiles is configured against an FDS instance (the Federated Service) to pull information from multiple repositories.
Using SCIM for user on/off-boarding with Cloud environments
REST/JSON interface for user and group management, irrespective of repository. The implementation is based on SDI (IBM Security Directory Integrator) and provides both a SCIM service and a SCIM connector (to connect to other SCIM-enabled systems).
Diagram components: the SCIM Connector pushes to SCIM-enabled targets (SaaS repositories); the SCIM Service exposes the enterprise repository (SDS, IBM Security Directory Server) over REST/JSON to consumers such as SaaS applications, IBM Security Identity Manager, IBM Security Access Manager, White Pages and others.
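The slide names the SCIM REST/JSON interface but shows no request. The following is an added illustration, not IBM SDI code, of the server-side checks a SCIM Users endpoint needs for safe on/off-boarding: the schema URI and `userName` are mandatory, `userName` is unique (case-insensitive, 409 on conflict), `password` is write-only and never echoed back, and server-managed attributes (`id`, `meta`, `schemas`) are rejected on PATCH. It assumes SCIM 2.0 (RFC 7643/7644), which post-dates this 2013 deck; SCIM 1.1 used the `urn:scim:schemas:core:1.0` URN instead. HTTP transport is omitted: each method returns the (status, body) pair a handler would serialise.

```python
"""Minimal in-memory SCIM 2.0 /Users resource (added example, not IBM SDI code).

Assumption: SCIM 2.0 schema/message URNs; only top-level attribute paths and the
'replace' PATCH operation are handled, which is enough for on/off-boarding.
"""
from __future__ import annotations

import uuid
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
READ_ONLY = {"id", "meta", "schemas"}          # server-managed, never client-writable
COPIED = ("externalId", "displayName", "name", "emails", "active")


def _error(status: int, detail: str, scim_type: str | None = None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimUserService:
    """Each method returns (HTTP status, JSON-serialisable body or None)."""

    def __init__(self):
        self._users: dict[str, dict] = {}
        self._credentials: dict[str, str] = {}   # stands in for the target repository's credential store

    def _by_username(self, user_name: str):
        return next((u for u in self._users.values()
                     if u["userName"].lower() == user_name.lower()), None)

    def create(self, payload: dict):                        # POST /Users  (on-boarding)
        if USER_SCHEMA not in payload.get("schemas", []):
            return _error(400, "User schema URI missing", "invalidValue")
        user_name = payload.get("userName")
        if not isinstance(user_name, str) or not user_name:
            return _error(400, "userName is required", "invalidValue")
        if self._by_username(user_name):                    # userName must be unique
            return _error(409, "userName already in use", "uniqueness")
        uid = str(uuid.uuid4())
        now = datetime.now(timezone.utc).isoformat()
        user = {"schemas": [USER_SCHEMA], "id": uid, "userName": user_name, "active": True,
                "meta": {"resourceType": "User", "created": now, "lastModified": now,
                         "location": f"/Users/{uid}"}}
        user.update({k: payload[k] for k in COPIED if k in payload})
        if "password" in payload:                           # writeOnly attribute: accepted, never returned
            self._credentials[uid] = payload["password"]
        self._users[uid] = user
        return 201, user

    def get(self, uid: str):                                # GET /Users/{id}
        user = self._users.get(uid)
        return (200, user) if user else _error(404, f"User {uid} not found")

    def patch(self, uid: str, payload: dict):               # PATCH /Users/{id}
        user = self._users.get(uid)
        if user is None:
            return _error(404, f"User {uid} not found")
        if PATCH_SCHEMA not in payload.get("schemas", []):
            return _error(400, "PatchOp schema URI missing", "invalidValue")
        for op in payload.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return _error(400, "only 'replace' is supported here", "invalidValue")
            changes = {op["path"]: op.get("value")} if op.get("path") else dict(op.get("value") or {})
            if READ_ONLY.intersection(changes):
                return _error(400, "attempt to modify a readOnly attribute", "mutability")
            if "password" in changes:                       # keep the secret out of the resource
                self._credentials[uid] = changes.pop("password")
            user.update(changes)
        user["meta"]["lastModified"] = datetime.now(timezone.utc).isoformat()
        return 200, user

    def delete(self, uid: str):                             # DELETE /Users/{id}
        if self._users.pop(uid, None) is None:
            return _error(404, f"User {uid} not found")
        self._credentials.pop(uid, None)
        return 204, None


def offboard(service: ScimUserService, user_name: str, hard_delete: bool = False):
    """Off-boarding: deactivate by default (record kept for audit), delete only on request."""
    user = service._by_username(user_name)
    if user is None:
        return _error(404, f"{user_name} not found")
    if hard_delete:
        return service.delete(user["id"])
    return service.patch(user["id"], {"schemas": [PATCH_SCHEMA],
                                      "Operations": [{"op": "replace", "path": "active", "value": False}]})
```

Deactivating with `active: false` rather than deleting is the usual off-boarding default: the account can no longer log in, but the record (and its `meta.lastModified` timestamp) survives for the audit and compliance reporting the deck calls out as a requirement.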
Demo: FDS enables ISAM to authenticate against multiple directories
In the demo setup (from the slide diagram), the IBM Security Access Manager reverse proxy fronts the applications and authenticates users against the Federated Service, which joins Active Directory 1 and Active Directory 2 via user sync from each directory into the federated view.
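The FDS slides (“join multiple directories”, “enrich with data from other sources”, “federate authentication back to original source”, “selective writes”) and this demo describe the behaviour but not its mechanics. The following is an added toy model, not IBM FDS or ISAM code, of a federated directory over two constructed AD-style silos: the join builds a uid-to-source index, a bind is routed to the owning silo so password hashes are never copied into the federated view, an HR feed enriches the merged entry, and writes go back only for attributes the source marks writable. The point a practitioner cares about most is the collision case: the same login (`jdoe`) existing in both silos for different people. The model fails closed on ambiguous logins instead of silently binding against whichever directory answered first. Names, sample users and the PBKDF2-based credential check are assumptions made for the example.

```python
"""Toy federated directory: join, enrich, route bind to source, selective write-back.
Added example, not IBM FDS code. Sample users and silos are constructed inline."""
from __future__ import annotations

import hashlib
import hmac
import os


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SourceDirectory:
    """One identity silo (e.g. an Active Directory domain). It keeps its own
    credentials; the federated layer only ever asks it to bind."""

    def __init__(self, name: str, writable: set[str]):
        self.name = name
        self.writable = writable                       # attributes this silo accepts writes for
        self._entries: dict[str, dict] = {}
        self._creds: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, uid: str, password: str, **attrs):
        salt = os.urandom(16)
        self._entries[uid] = dict(attrs)
        self._creds[uid] = (salt, _hash_pw(password, salt))

    def search(self, uid: str):
        return self._entries.get(uid)

    def all_uids(self):
        return list(self._entries)

    def bind(self, uid: str, password: str) -> bool:
        rec = self._creds.get(uid)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_pw(password, salt))

    def modify(self, uid: str, attrs: dict):
        rejected = sorted(k for k in attrs if k not in self.writable)
        if rejected:
            raise PermissionError(f"{self.name}: attributes not writable here: {rejected}")
        self._entries[uid].update(attrs)


class FederatedDirectory:
    """Joined view over several silos; authentication is delegated, not replicated."""

    def __init__(self, sources: list[SourceDirectory], enrichment: dict | None = None):
        self.sources = {s.name: s for s in sources}
        self.enrichment = enrichment or {}            # uid -> extra attributes (e.g. HR feed)
        self.index: dict[str, str] = {}               # uid -> owning source
        self.conflicts: dict[str, list[str]] = {}     # uid -> every source claiming it
        for src in sources:
            for uid in src.all_uids():
                if uid in self.index:
                    self.conflicts.setdefault(uid, [self.index[uid]]).append(src.name)
                else:
                    self.index[uid] = src.name

    def lookup(self, uid: str):
        if uid in self.conflicts:
            raise LookupError(f"{uid} is ambiguous across {self.conflicts[uid]}")
        name = self.index.get(uid)
        if name is None:
            return None
        view = dict(self.sources[name].search(uid))   # copy: callers must not mutate the silo
        view.update(self.enrichment.get(uid, {}))
        view["_source"] = name
        return view

    def authenticate(self, uid: str, password: str) -> bool:
        if uid in self.conflicts or uid not in self.index:
            return False                              # fail closed on unknown or ambiguous logins
        return self.sources[self.index[uid]].bind(uid, password)

    def update(self, uid: str, attrs: dict):
        view = self.lookup(uid)
        if view is None:
            raise LookupError(f"{uid} not found")
        self.sources[view["_source"]].modify(uid, attrs)   # selective write back to the owner


def build_demo() -> FederatedDirectory:
    """Constructed sample data: two AD-style silos plus an HR enrichment feed."""
    ad1 = SourceDirectory("AD1", writable={"telephoneNumber"})
    ad1.add_user("alice", "Correct-Horse-1", mail="alice@corp1.example", cn="Alice Adams")
    ad1.add_user("jdoe", "pw-one", mail="jdoe@corp1.example", cn="John Doe")
    ad2 = SourceDirectory("AD2", writable=set())
    ad2.add_user("bob", "Battery-Staple-2", mail="bob@corp2.example", cn="Bob Brown")
    ad2.add_user("jdoe", "pw-two", mail="jane.doe@corp2.example", cn="Jane Doe")  # same login, different person
    hr = {"alice": {"department": "Finance", "employeeNumber": "1001"}}
    return FederatedDirectory([ad1, ad2], enrichment=hr)
```

A reverse proxy such as the ISAM one in the demo would call `authenticate()` and then read the enriched `lookup()` view for authorisation attributes. Resolving the `jdoe` conflict (for instance by qualifying logins with the source domain) is a deployment decision; what the model insists on is that the join surfaces the collision rather than hiding it.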
Directory Services to help distributed collaboration: government entity to grow quickly to 800K application users
Simplify identity silos and cloud integrations
Improved solution design and integration allowed the environment to grow from 40,000 users to 800,000+ users.
IBM Identity and Access Management key themes
• Safeguard mobile, cloud and social interactions
• Prevent insider threat and identity fraud
• Simplify identity silos and directory integrations
• Deliver intelligent identity and access assurance
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages
arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the
applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in
these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are
trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered,
destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper
access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.