Identity and Access Management 101

Crash course in the fundamentals of identity and access management.

1. IDENTITY AND ACCESS MANAGEMENT 101
   Jerod Brennen, CISSP
   CTO & Principal Security Consultant, Jacadis

2. Agenda
   • The Good, The Bad, & The Ugly
   • Terminology
   • Employee Lifecycle
   • Step-by-Step
   • Looking Ahead
   • Resources

3. The Good, The Bad, & The Ugly
   • Good
     – Saves time
     – Improves accuracy and consistency
   • Bad
     – RIDICULOUSLY complex
     – Never enough money/resources
   • Ugly
     – When everything works, you’ll be the hero
     – If (when) something breaks, you’ll wish you’d saved up more sick days

4. How Many Acronyms Does It Take…
   • IdM = Identity Management
     – Manage the accounts
   • FIdM = Federated Identity Management
     – Manage identity across autonomous domains
   • IAM = Identity & Access Management
     – Manage what the accounts can access

5. More Alphabet Soup
   • LDAP – Lightweight Directory Access Protocol
   • RBAC – Role Based Access Control
   • SSO – Single Sign-On
   • Federation – SAML, SAML 2.0, WS-Federation, Liberty Alliance

6. Provisioning & Deprovisioning
   • Provisioning – IT giveth…
   • Deprovisioning – … and IT taketh away
   • You need to track everything you provision if you ever expect to deprovision it.
     – Computers, phones, badges, app access, software licenses, etc.
   • Your auditors will LOVE you for this!

7. 3-Phase Employee Lifecycle
   • #1 – Hire
     – Autoprovision birthright entitlements, based on role (bear with me…)
   • #2 – Transition
     – New access replaces old access, right?
   • #3 – Termination
     – Deprovision, stat!
   • #4 – Other?
     – On Leave (medical, sabbatical, etc.)
     – Terminated with Access

8. Step One: The Sit-Down
   • Meet with HR
     – HR system is the system of record
     – Workforce members = employees + non-employees (decision time!)
   • Discuss roles
     – Dazzle them with your knowledge of RBAC
     – Remember that employee lifecycle slide?
   • How will you determine birthright access?
     – Department + Job Code
     – Step back, take a look at current employees, and execute the smell test
   • Identify the processes you want to automate
     – Notification of hire/change/termination
     – Account creation/deletion (in connected systems, NOT system of record)
     – Access modification
     – Internal expenses (e.g., mobile devices)
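As an added example (not part of the talk or of any vendor product), here is one way the hire / transition / termination lifecycle from the previous slides can be driven from the HR system of record, with birthright entitlements looked up by Department + Job Code as the slide suggests. The role table, worker records, status vocabulary and the `IdentityStore` class are all constructed for this illustration; the store keeps a provisioning ledger so that everything granted can later be deprovisioned, and a role change replaces the old entitlement set rather than adding to it.

```python
"""Employee lifecycle driven from the HR system of record (constructed example)."""
from dataclasses import dataclass

# Constructed RBAC table: birthright entitlements keyed on Department + Job Code.
BIRTHRIGHT = {
    ("Finance", "FIN-AP"): {"email", "erp-ap"},
    ("Finance", "FIN-MGR"): {"email", "erp-approve"},
    ("Engineering", "ENG-DEV"): {"email", "vpn", "source-control"},
}


@dataclass
class Worker:
    """One row from the HR feed. status is 'active', 'leave' or 'terminated' (constructed)."""
    hr_id: str
    department: str
    job_code: str
    status: str


class IdentityStore:
    """Hypothetical identity vault: current entitlements per identity plus a
    provisioning ledger, so every grant has a matching revoke available later."""

    def __init__(self):
        self.entitlements = {}   # hr_id -> set of entitlements currently held
        self.suspended = set()   # on leave: access kept on file but disabled
        self.terminated = set()  # identities fully deprovisioned
        self.ledger = []         # (action, hr_id, entitlement)

    def birthright(self, w):
        return set(BIRTHRIGHT.get((w.department, w.job_code), set()))

    def _set(self, w, target):
        """Move the identity to exactly `target`: revoke extras, grant what is missing."""
        current = self.entitlements.get(w.hr_id, set())
        for e in sorted(current - target):
            self.ledger.append(("revoke", w.hr_id, e))
        for e in sorted(target - current):
            self.ledger.append(("grant", w.hr_id, e))
        self.entitlements[w.hr_id] = target

    def hire(self, w):
        self._set(w, self.birthright(w))

    def transition(self, w):
        # New role's birthright replaces the old set; old access does not accumulate.
        self._set(w, self.birthright(w))

    def terminate(self, w):
        self._set(w, set())
        self.entitlements.pop(w.hr_id, None)
        self.suspended.discard(w.hr_id)
        self.terminated.add(w.hr_id)


def sync_from_hr(store, hr_feed):
    """Batch reconciliation: apply each HR record to the identity store.
    Returns the (hr_id, action) pairs taken in this run."""
    actions = []
    for w in hr_feed:
        known = w.hr_id in store.entitlements
        if w.status == "terminated":
            if known:
                store.terminate(w)
                actions.append((w.hr_id, "terminate"))
        elif w.hr_id in store.terminated:
            # Rehire: treat as a fresh hire instead of resurrecting the old access.
            store.terminated.discard(w.hr_id)
            store.hire(w)
            actions.append((w.hr_id, "rehire"))
        elif not known:
            store.hire(w)
            actions.append((w.hr_id, "hire"))
        elif store.entitlements[w.hr_id] != store.birthright(w):
            store.transition(w)
            actions.append((w.hr_id, "transition"))
        # Leave of absence: keep the entitlements, disable the identity until return.
        if w.status == "leave":
            store.suspended.add(w.hr_id)
        elif w.status == "active":
            store.suspended.discard(w.hr_id)
    return actions


if __name__ == "__main__":
    store = IdentityStore()
    print(sync_from_hr(store, [Worker("e100", "Finance", "FIN-AP", "active")]))
    print(sync_from_hr(store, [Worker("e100", "Finance", "FIN-MGR", "active")]))
    print(sync_from_hr(store, [Worker("e100", "Finance", "FIN-MGR", "terminated")]))
    for entry in store.ledger:
        print(entry)
```

The ledger is the part auditors care about: each revoke can be traced back to the grant that preceded it, and a worker who is "Terminated with Access" shows up as an identity whose HR status is terminated but that still has entries in `entitlements`.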
9. Step Two: The Data Must Flow
   • Identify integration points
     – Authentication Stores
       • LDAP Directories
       • Local Databases
     – Commercial Apps
     – Homegrown Apps
   • Internal vs. External
     – Fewest # auth/auth stores possible
     – External = federation
   • How are changes initiated?
     – Transactional vs. batch
   • Conceptual diagram of your IAM infrastructure
   (Slide image: http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634)

10. Step Three: Integrate
   • Define integration requirements
     – PMO FTW!
   • Take a technical inventory
     – What do you have?
     – What do you need?
     – What can you get rid of?
   • Start eating the elephant
     – HR -> Identity Store
     – Identity Store -> Active Directory
     – Identity Store -> [other LDAP directory]
     – Identity Store -> [email]
     – Identity Store -> [that one app that everyone in the company uses]
   (Slide image: http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html)

11. Intermission: Let’s Talk Tech
   • Components
     – Identity Store / Vault / Repository (not the system of record)
     – LDAP Directory
     – Entitlements Manager
     – Web Access Manager (+ Certificate Manager)
     – Password Manager
   • Vendors
     – CA Identity Manager
     – IBM / Tivoli Identity Manager
     – Microsoft Forefront Identity Manager
     – Novell Identity Manager
     – Oracle Identity Manager / Sun LDAP
     – RSA / Courion
       • RSA = Access Manager & FIdM
       • Courion = Provisioning & Passwords
   • Open Source
     – OpenIAM
     – OpenDS Directory Server
     – OpenSSO
     – Shibboleth (SSO)
     – Gluu

12. Pictures, or It Didn’t Happen
   (Architecture diagram; components shown: System of Record, Email, Other LDAP, Identity Provider, LDAP Server, User-Facing Apps, Databases, Password Manager, Entitlements Manager, Web Access Manager)

13. Step Four: Communication
   • Document the $#!% out of your IAM infrastructure
     – Every single integration point
     – Link the tech to business processes
   • Review documentation with…
     – Human Resources
     – LAN Support
     – System Owners
     – Application Developers
     – Production / Change Control
     – IT Leadership
   • Link IAM systems to Change Control system
     – Notification of ANY and ALL changes
     – Want to break IAM? Change a connected system without testing integration points!

14. Step Five: Audit
   • Trust, but verify
   • Things to audit
     – Segregation of duties
     – Access changes (esp. administrative & sensitive data)
     – Accounts for terminated users (reconcile with HR)
     – Share access
   • Security Information and Event Management (SIEM)
     – Failed login attempts
     – Attempts to access restricted data
     – Privilege changes / escalation
   • Automate your auditing toolset
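As an added example (not from the talk or from any of the products it names), the following script automates three of the audit items on the slide above: reconciling a connected system’s account list against the HR system of record to find accounts for terminated or unknown users, checking segregation-of-duties rules, and running SIEM-style reviews of failed logins, restricted-data access and privilege changes over log lines. The HR extract, account dump, SoD rule and log format are all constructed for this example; a real deployment would pull them from the HR feed, the connected system’s export and the SIEM.

```python
"""IAM audit checks over constructed data (added example, not from the talk)."""
import re
from collections import Counter

# Constructed HR extract (system of record): hr_id -> employment status.
HR = {"e100": "active", "e101": "terminated", "e102": "active", "e103": "active"}

# Constructed account dump from one connected system: account -> entitlements held.
CONNECTED = {
    "e100": {"email", "erp-ap"},
    "e101": {"email", "erp-ap"},                 # terminated in HR, still has access
    "e102": {"email", "erp-ap", "erp-approve"},  # can both enter and approve payments
    "svc-backup": {"fileshare-admin"},           # no HR record at all: needs an owner
}

# Constructed SoD rule: entitlement sets that one identity must not hold together.
SOD_RULES = [frozenset({"erp-ap", "erp-approve"})]


def orphaned_accounts(hr, connected):
    """Accounts whose owner is not an active worker in HR (terminated or unknown)."""
    return sorted(acct for acct in connected if hr.get(acct) != "active")


def sod_violations(connected, rules):
    """(account, conflicting entitlements) for every rule an account fully matches."""
    return sorted(
        (acct, tuple(sorted(rule)))
        for acct, ents in connected.items()
        for rule in rules
        if rule <= ents
    )


# Constructed log lines in a simple "<timestamp> <EVENT> key=value ..." shape.
LOG_LINES = """\
2013-01-07T08:01:10Z LOGIN_FAIL user=e100 src=10.0.0.5
2013-01-07T08:01:14Z LOGIN_FAIL user=e100 src=10.0.0.5
2013-01-07T08:01:19Z LOGIN_FAIL user=e100 src=10.0.0.5
2013-01-07T08:02:01Z LOGIN_OK user=e100 src=10.0.0.5
2013-01-07T08:10:33Z LOGIN_FAIL user=e103 src=10.0.0.9
2013-01-07T09:15:00Z PRIV_CHANGE user=e101 group=domain-admins action=add by=e103
2013-01-07T09:16:00Z RESTRICTED_READ user=e102 object=payroll-export
this line is malformed and must be skipped, not crash the audit
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<kv>.*)$")


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "event": m["event"]}
        for kv in m["kv"].split():
            key, _, value = kv.partition("=")
            rec[key] = value
        yield rec


def failed_login_alerts(lines, threshold=3):
    """Users with at least `threshold` failed logins in the reviewed window."""
    counts = Counter(r["user"] for r in parse(lines) if r["event"] == "LOGIN_FAIL")
    return sorted(u for u, n in counts.items() if n >= threshold)


def privilege_changes(lines, hr):
    """Every privilege change, flagged True when the target is not active in HR."""
    return [
        (r["user"], r.get("group"), r.get("action"), hr.get(r["user"]) != "active")
        for r in parse(lines) if r["event"] == "PRIV_CHANGE"
    ]


def restricted_access(lines):
    """Reads of objects tagged as restricted, for reviewer follow-up."""
    return [(r["user"], r["object"]) for r in parse(lines) if r["event"] == "RESTRICTED_READ"]


def run_audit():
    """One audit run over the constructed data; each finding type is exercised."""
    return {
        "orphans": orphaned_accounts(HR, CONNECTED),
        "sod": sod_violations(CONNECTED, SOD_RULES),
        "failed_logins": failed_login_alerts(LOG_LINES),
        "priv_changes": privilege_changes(LOG_LINES, HR),
        "restricted": restricted_access(LOG_LINES),
    }


if __name__ == "__main__":
    for finding, rows in run_audit().items():
        print(finding, rows)
```

The privilege-change check cross-references the same HR extract as the account reconciliation, which is what turns a routine group change into a finding: a terminated identity being added to an administrative group is exactly the case the "Terminated with Access" bullet on the lifecycle slide warns about.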
15. Destined to Fail
   • Most IAM projects fail. Why?
     – Lack of executive sponsorship
     – Project teams try to do too much at once
     – Referring to IAM as a ‘project’ in the first place
   • Mark Dixon’s Ten Best Practices for Identity Management Implementation
     – Set strategy
     – Secure sponsorship
     – Plan quick wins
     – Select project leadership
     – Define business processes
     – Select implementation team
     – Gain commitment from support resources
     – Provide proper infrastructure
     – Assure data quality
     – Conduct post-production turnover
     http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity

16. Questions to Start Asking Now
   • Who’s going to support all this?
   • How can I enforce change control for IAM integration points?
   • How am I going to manage passwords?
     – Single Sign-On
     – Password Synchronization
   • How am I going to manage non-employees?
     – Consultants
     – Contractors
     – Interns
   • How am I going to manage RBAC exceptions and segregation of duties?
     – Pareto Principle (80/20 rule)
   • Identity in the Cloud?
     – Yeah, I said cloud. Drink ‘em if you got ‘em!

17. Resources
   • Vendors
     – Let them know you’re digging into IAM solutions & they’ll call you.
   • LinkedIn Groups
     – Identity and Access Management
       • http://www.linkedin.com/groups?gid=66476
     – Identity Management Specialists
       • http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311
   • Working Groups
     – EDUCAUSE (http://www.educause.edu/iam)
     – InCommon (http://www.incommon.org/iamonline/)

18. More Resources
   • Internet2 Middleware Initiative
     – http://www.internet2.edu/middleware/index.cfm
     – MACE (Middleware Architecture Committee for Education)
     – Shibboleth Federated Single Sign-On Software
     – Grouper
     – Comanage: Collaborative Organization Management
     – MACE-Dir(ectories)
     – MACE-paccman (Privilege and Access Management)
   • Open Source
     – OpenDS - http://www.opends.org/
     – OpenSSO - http://java.net/projects/opensso/
     – Shibboleth - http://shibboleth.internet2.edu/
     – Gluu - http://www.gluu.org/

19. Even More Resources
   • IdM vs. IAM
     – http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html
   • Gartner Identity and Access Management Summit
     – http://www.gartner.com/technology/summits/na/identity-access/
   • Gartner – Why There Are No IAM Magic Quadrants
     – http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/
   • AWS Identity and Access Management
     – http://aws.amazon.com/iam/
   • Worst Practices: Three Big Identity and Access Management Mistakes
     – http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes
   • Wikipedia
     – http://en.wikipedia.org/wiki/Identity_management
     – http://en.wikipedia.org/wiki/Identity_access_management
     – http://en.wikipedia.org/wiki/Federated_identity_management

20. Questions?
   Jerod Brennen, CISSP
   CTO & Principal Security Consultant, Jacadis
   LinkedIn: http://www.linkedin.com/in/slandail
   Twitter: https://twitter.com/slandail
   http://www.jacadis.com
   contact@jacadis.com
