
Identity and Access Management - ISACA China HK Chapter

Feb 17, 2019


Identity and Access Management

By Dave Yip

© Copyright 2005 Arialgroup. All rights reserved.

Agenda

- What is IAM
- IAM Components
- Why IAM
- IAM Marketplace
- IAM Implementation


What is Identity and Access Management (IAM)?

- Biometric?
- Smart ID Card?
- Directory?
- Single Sign-On?
- Digital Certificate?

IAM for Single Application

[Diagram. Labels: User, Administrator, Authentication, Password Management, Session Management, User Management, Authorization, Role Management, User Store, Role Store, Application Functions, Appl Data]


When # of applications increases


IAM Architecture

[Diagram. Labels: Administrator, User, Application (each with Role Data and User Data), Policy Management, Session Management, SSO, Password Management, User Management, Role Management, Authentication, Authorization, Password Services, RBAC, Provisioning, Data Synchronization, User Store, Role Store, Policy Store]

Does not have IAM


Has IAM


Identity & Access Management


The Goal of IAM

Providing the right people with the right access at the right time.

Protect resources by preventing unauthorized accesses.


IAM Components

Access Management

- Authentication: Single Sign-On, Session Management, Passwords, Authentication Levels
- Authorization: Role-based, Rule-based, Attribute-based, Remote Authorization

Identity Management

- User Management: Delegated Admin, Role Management, Provisioning, Password Mgmt, Self-service
- Central User Repository: Directory, Data Synchronization, Meta-directory, Virtual directory

IAM Components

[Diagram. Labels: Administrator, User, Application (each with Role Data and User Data), Session Management, SSO, Authentication, Password Services, Password Management, User Management, Role Management, Provisioning, Data Synchronization, User Store, Role Store, Policy Management, Authorization, RBAC, Policy Store]


Other IAM Terms

- Identity Management (IdM or IM)
- Identity and Access Management (I&AM)
- Authentication, Authorization, Accounting and Administration (AAA)
- Extranet Access Management (EAM)
- Portal and personalization (part of IAM?)


Drivers behind IAM

- Convergence of Information Technologies.
  - Standards based
  - Service Oriented Architecture
- Increase in Identities.
  - Customers, Suppliers, Contractors, Mergers & Acquisitions, Outsourcing, Globalization
- Increase in Business Delivery Channels.
  - LAN, WAN, Dial-up, Extranet, Internet, Wireless, etc.
- Rising costs and complexities of identity management
- Need to improve information security
  - Regulatory Compliance (e.g. SOX, BS 7799)
  - More open networks, higher-skilled intruders, etc.


IAM Benefits

Business Benefits

- Agility to respond to changes and opportunities
- Capability to drive more revenue from existing relationships
- Streamlined processes
- Speed up user access changes from days to hours
- Empower business users and user administrators

Security and Audit Benefits

- Consistent, automated policy enforcement
- Enhanced auditability
- Compliance with regulations
- Reduced security administration effort
- Better protected resources


IAM Benefits

User Benefits

- Higher usability and satisfaction
- Self-service for common tasks
- Faster, better from organization

IT Benefits

- Centralized security architecture
- Delegated administration
- Lower support costs
- Faster application development
- Agile IT infrastructure
- Improved correctness of user information


IAM Marketplace

[Figure: Internet Security Stages of Adoption, shown for Last Year (2003) and This Year (2004). Stage labels: Pioneering, Growth, Maturing. Technologies plotted: Anti-Virus, Firewall, VPN, Content Filtering, Intrusion Detection, Authentication, Authorization, PKI, Encryption. Annotations: Protect, Enable.]

Convergence Trend

- BMC acquired Calendra
- CA acquired Netegrity
  - Netegrity acquired Business Layers
- HP acquired Baltimore's SelectAccess and TrueLogica
- IBM acquired Access 360
- Sun acquired Waveset


Access Management

- Client side vs. Server side
- Web-based vs. non Web-based (or Legacy)
- Role-based and Rule-based
- Agent based vs. Proxy based
- Session Management approach


User Management

- Agent vs. Agentless
- Event driven vs. Pulling
- With or without image of user data
- Programming language used for customization
- Provisioning vs. data synchronization


Directory and Meta-Directory

- X.500 vs. LDAPv3
- Meta-Directory vs. Virtual Directory
- Directory Replication
- Database engine vs. Native


IAM Standards

- Authentication: Kerberos, SASL
- Authorization: XACML, RBAC99
- Directory Service: DSML, LDAPv3, LDUP
- Provisioning: SPML
- Federated security: SAML, Liberty Alliance
- Supporting standards: TCP/IP, HTTP, XML, PKI, SSL, Web Service Security, X509v3, XrML, etc.


High-level IAM Building Blocks

- Enterprise Directory
- Single Sign-On
- User Management
- Strong Authentication
- Windows Single Sign-On
- Data Synchronization
- Role Management
- Role-based Authorization
- Provisioning
- Federated Security

IAM Implementation

- Many stakeholders: requires good communication skills
- Change of administration approach could be political
- Data correctness, ownership and privacy
- Need people with skills from both worlds: IT infrastructure and system development
- Never underestimate the time required to do testing
- Never neglect IT requirements (e.g. operational, deployment, high availability, etc.)
- Watch out for software compatibility
- Customers not only want a resolution to a problem but also want an answer as to why the proposed solution is a better one


Summary

- IAM can be divided into two categories: Identity Management and Access Management.
- Access Management comprises Authentication, Single Sign-On, Session Management, Password Services and Authorization.
- User Management comprises user self-service, delegated administration, user/role management, provisioning, data synchronization and password management.
- IAM has clear benefits in terms of cost savings, service enablement, risk reduction and productivity improvement.
- Recent trends show product convergence in the IAM marketplace.
- IAM has become practical and doable today, but selecting the right product mix could be challenging.
- Users and vendors alike are recommended to choose skilled personnel to participate in IAM implementation projects.
