CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas

Wendy Nather, Research Director, Enterprise Security Practice, 451 Research
At first, "identities" just meant employees, and then they meant customers and partners. Then the cloud came along, and all hell broke loose.
But it's always been a lot more complicated in government due to the intersection of roles, context, legal requirements, public information and privacy rights, and a dynamic environment. This is a real-life case study of the migration from a custom-written, ten-year-old single sign-on portal with around 60 applications to a COTS IAM product. Thirty minutes can't do it justice, but it'll be enough to bring some of the pain.

Presentation Transcript

    • The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas
      Wendy Nather, @451wendy
      Research Director, Enterprise Security Practice
    • The backdrop
      Custom-written single sign-on portal (10+ years old)
      Provides SSO for ~60-75 apps
      External user base of ~50,000
      Internal user base of ~800
      The challenge: drag it kicking and screaming into some part of the 21st century
    • Other complicating factors
      Family Educational Rights and Privacy Act (FERPA) compliance
      ~1300 school districts
      ~8,000 campuses
      ~20 regional educational service centers (ESCs)
      Other partners/stakeholders: other Texas state agencies, higher education, contractors of all kinds, nonprofits, educators, certification bodies … roughly 2500 different organizations
    • Multiple roles and contexts
      TEA employee of some division or cost center, at some position level
      Contractors pretending to be TEA employees
      Personnel at ESCs, districts, campuses
      Administrators, educators, auditors, researchers
      People using different applications in different capacities on behalf of multiple organizations
      Differing levels of delegation, both organizational and legal
    • Getting a clue (diagram, built up across five slides; labels only)
      Professor Plum
        killing
          in the kitchen: with a lead pipe, with a candlestick
          in the library: with a lead pipe, with a rope
        being killed
          in the kitchen: with a lead pipe, with a rope
          in the library: with a lead pipe, with a candlestick
    • Context plus governance = … (diagram labels)
      Identity authority: who you are
      Access authority: why you should have access
      + what you may access: entitlements
    • Example
    • Workflow example (diagram labels)
      TEA, ESC, District1, User, District2, App owner, App owner, Delegate
    • Constraints (built up across four slides)
      Can't be full federation due to compliance requirements
      Principle of least privilege means scoping down wherever possible
      Separation of duties requires discrete roles and entitlements
      And remember …
      Most of the users don't really want to be there.
      They are not at all technical.
      And you can't fire them.
    • Moral of the story
      Need to be granular with identity, authorization and entitlements for risk and compliance management
      Be careful with RBAC: keep it out of your code
      IAM is not a project, it's an ongoing journey
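As an added illustration (not code from the talk, the State of Texas portal, or the COTS product it migrated to), the Python model below puts the closing slides' advice into working form: identity attributes, per-organization delegations and entitlements live in data rather than in application code, entitlements are scoped to the organization the user is acting for, and a separation-of-duties rule refuses a grant that would put both sides of a conflicting pair in one organization. The user, organization, role and entitlement names are all constructed for the example.

```python
from dataclasses import dataclass, field

# Policy kept as data, not as role checks scattered through application code.
# Roles, entitlement names and the conflict list are constructed for this example.
ROLE_ENTITLEMENTS = {
    "educator": {"grades:submit", "roster:read"},
    "approver": {"grades:approve", "roster:read"},
    "admin":    {"roster:edit", "roster:read"},
    "auditor":  {"grades:read", "roster:read"},
}
# Separation of duties: no one may hold both sides of a pair in the same organization.
SOD_CONFLICTS = [frozenset({"grades:submit", "grades:approve"})]


@dataclass(frozen=True)
class Identity:
    """What the identity authority asserts: who you are."""
    user_id: str
    home_org: str


@dataclass
class Subject:
    """Identity plus the delegations (org -> roles) granted by each organization's delegate."""
    identity: Identity
    delegations: dict = field(default_factory=dict)


def entitlements(roles):
    """Expand a set of roles into the entitlements the policy table grants them."""
    out = set()
    for role in roles:
        out |= ROLE_ENTITLEMENTS.get(role, set())
    return out


def grant(subject, org, role):
    """A delegate grants `role` scoped to `org`. Returns False (and grants nothing)
    when the result would hold a separation-of-duties conflict within that org."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError("unknown role: %r" % role)
    proposed = set(subject.delegations.get(org, set())) | {role}
    held = entitlements(proposed)
    if any(conflict <= held for conflict in SOD_CONFLICTS):
        return False
    subject.delegations.setdefault(org, set()).add(role)
    return True


def decide(subject, acting_org, entitlement):
    """Decision for one request. The organization the user is acting for is part of
    the context, so the same person can be permitted in one org and denied in another."""
    roles = subject.delegations.get(acting_org)
    if not roles:
        return "deny: no delegation from " + acting_org
    if entitlement in entitlements(roles):
        return "permit"
    return "deny: not entitled in " + acting_org


def demo():
    """Walk one constructed user through grants in two districts and four requests."""
    plum = Subject(Identity("plum", "District1"))
    grant(plum, "District1", "educator")      # submits grades for District1
    grant(plum, "District2", "auditor")       # read-only in District2
    # Refused: approving in District1 would let Plum approve his own submissions.
    d1_approver = grant(plum, "District1", "approver")
    # Allowed: the submit right lives in District1 only, so District2 has no conflict.
    d2_approver = grant(plum, "District2", "approver")
    return {
        "d1_approver_granted": d1_approver,
        "d2_approver_granted": d2_approver,
        "submit_d1": decide(plum, "District1", "grades:submit"),
        "submit_d2": decide(plum, "District2", "grades:submit"),
        "approve_d2": decide(plum, "District2", "grades:approve"),
        "edit_esc": decide(plum, "ESC", "roster:edit"),
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(request, "->", outcome)
```

Because the application only ever calls `decide()` with an entitlement string and the organization in context, changing who may do what is a change to the policy tables and the delegations, not to the code; that is the practical meaning of keeping RBAC out of your code.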
    • Questions? Comments?
      wendy.nather@451research.com