engagements. He has worked on various customer projects performing networkand security assessments and architecting secure...
Thanks to the following people for their contributions to this project:                Yvonne Lyon, editor                ...
Part 1Part       1     Why Integrated                 Identity                 Management                 In this part we ...
2   Integrated Identity Management using IBM Tivoli Security Solutions
1    Chapter 1.    An introduction to a new                  reference architecture                  In the new territory ...
1.1 Everything is on demand today                  When we discuss on demand, we are talking about a new era. Today, peopl...
Core attributes of e-business on demand™ include: responsiveness, variability,        focus, and resiliency. Responsivenes...
1.2.1 Confidentiality                  What is confidentiality?                  Ensuring that information is accessible o...
The principle of availability says that information is obtainable and accessible,           but it does not say that acqui...
Auditing                  Auditing is the process of monitoring and logging activities that occur within the              ...
Identity federation (sharing user authentication and attribute information            between trusted applications)       ...
By taking a life cycle approach to the management of the identity and specific                       attention to access c...
1.5 Integrated identity in the enterprise          There is often confusion regarding an integrated identity management so...
Rule based authorization grants or denies access based on a user’s profile in                 which access decisions are m...
By taking the policy based access approach, you manage information privacy                    and adhere to regulatory or ...
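The rule-based, policy-driven authorization described in the two paragraphs above, as an added example that is not code from the Redbook or from Tivoli Access Manager: a small deny-by-default policy decision point that evaluates rules over attributes in a user's profile, with a privacy constraint (no cross-region access to customer data) expressed as a deny rule rather than as a role. The resource names, profile attributes, rule set and sample profiles are assumptions made for illustration.

```python
"""Rule-based authorization: decide access from attributes in a user's
profile rather than from a fixed identity-to-resource list.

Added example, not code from the Redbook or from Tivoli Access Manager.
The profile fields, rule syntax and sample profiles below are assumptions
made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Profile = Dict[str, object]  # attribute name -> value (constructed sample data)


@dataclass
class Rule:
    """A rule names the resource and operation it covers and a predicate
    over the user's profile; 'effect' is 'permit' or 'deny'."""
    resource: str
    operation: str
    condition: Callable[[Profile], bool]
    effect: str = "permit"
    description: str = ""


@dataclass
class PolicyDecisionPoint:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, profile: Profile, resource: str, operation: str) -> str:
        """Deny-by-default: an explicit deny rule wins over any permit,
        a matching permit grants, and no matching rule at all denies."""
        permitted = False
        for rule in self.rules:
            if rule.resource != resource or rule.operation != operation:
                continue
            if not rule.condition(profile):
                continue
            if rule.effect == "deny":
                return "deny"
            permitted = True
        return "permit" if permitted else "deny"


def build_policy() -> PolicyDecisionPoint:
    """Hypothetical policy for a bank's account application: who may view
    account data and who may approve transfers, decided from attributes."""
    return PolicyDecisionPoint(rules=[
        Rule("/accounts", "view",
             lambda p: p.get("department") == "customer-service",
             description="customer service may view account data"),
        Rule("/accounts/transfer", "approve",
             lambda p: p.get("department") == "operations"
             and int(p.get("approval_limit", 0)) >= 10000,
             description="operations staff with a sufficient limit may approve"),
        # Privacy/regulatory constraint expressed as a rule, not a role.
        Rule("/accounts", "view",
             lambda p: p.get("region") != p.get("requested_region"),
             effect="deny",
             description="no cross-region access to customer data"),
        Rule("/accounts/transfer", "approve",
             lambda p: p.get("account_status") != "active",
             effect="deny",
             description="suspended staff cannot approve, whatever their role"),
    ])


# Constructed sample profiles (not real users).
CLERK = {"department": "customer-service", "region": "EMEA",
         "requested_region": "EMEA", "account_status": "active"}
CLERK_CROSS_REGION = dict(CLERK, requested_region="US")
OPS_MANAGER = {"department": "operations", "approval_limit": "50000",
               "region": "US", "requested_region": "US",
               "account_status": "active"}
OPS_SUSPENDED = dict(OPS_MANAGER, account_status="suspended")


def run_examples() -> Dict[str, str]:
    """Evaluate the sample profiles against the policy; returns name -> decision."""
    pdp = build_policy()
    return {
        "clerk_view": pdp.decide(CLERK, "/accounts", "view"),
        "clerk_cross_region": pdp.decide(CLERK_CROSS_REGION, "/accounts", "view"),
        "clerk_approve": pdp.decide(CLERK, "/accounts/transfer", "approve"),
        "ops_approve": pdp.decide(OPS_MANAGER, "/accounts/transfer", "approve"),
        "ops_suspended_approve": pdp.decide(OPS_SUSPENDED, "/accounts/transfer", "approve"),
    }


if __name__ == "__main__":
    for name, outcome in run_examples().items():
        print(f"{name:24s} {outcome}")
```

The point to take from the deny rules is that a change in the user's profile (a suspended status, a request for another region's data) changes the decision without any change to the rule set, which is what makes a policy-based approach easier to keep aligned with a privacy or regulatory requirement than per-user access lists.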
The key objective in any audit environment should be to maximize the                 effectiveness of the system and to mi...
1.5.5 Privacy management          Webster’s defines privacy as “the quality or state of being apart from company or       ...
Unfortunately, up until quite recently, there have not been any software tools                 available for privacy polic...
2    Chapter 2.   What Bank International                 This chapter provides an introduction to the overall structure o...
2.1 Company profile               What Bank International (WBI) is one of the financial institutions established          ...
The geographic distribution of WBI is shown in Figure 2-1 for the continental US                     division and in Figur...
London (C ustom er                                                             Service & Regional                         ...
Each of the regions is responsible for the operations within that region, customer                     service, and staffi...
The following procedures apply to personnel management today:                   When a new employee joins the company, the...
The security infrastructure deployed for the e-business initiative                            The secured e-business initi...
All external access to the WBI network is channelled through the firewalls and                   routers in Paris.        ...
2.2.2 Recently implemented e-business initiative            Most of the business applications have been migrated to an e-b...
3. WebSEAL accepts or denies the login. WebSEAL works as a reverse-proxy                  between the user’s Web browser a...
2.2.4 Secured e-business initiative architecture           The overall IT architecture is being impacted by the new e-busi...
Central            Central IT Center, Paris                                         z/OS                IT Center         ...
Front cover

Integrated Identity Management using IBM Tivoli Security Solutions

Latest technology in access control and identity management solutions
Holistically covers security in e-business projects
Best practices and experiences

Axel Bücker, Jaime Cordoba Palacios, Michael Grimwade, Loïc Guézo, Mari Heiser, Samantha Letts, Sridhar Muppidi

ibm.com/redbooks
International Technical Support Organization

Integrated Identity Management using IBM Tivoli Security Solutions

May 2004

SG24-6054-00
Note: Before using this information and the product it supports, read the information in "Notices" on page vii.

First Edition (May 2004)

This edition applies to Tivoli Access Manager for e-business 5.1, Tivoli Identity Manager 4.5, Tivoli Privacy Manager 1.2, Tivoli Risk Manager 4.2, Tivoli Directory Server 5.2, and Tivoli Directory Integrator 5.2.

© Copyright International Business Machines Corporation 2004. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Notices  vii
Trademarks  viii

Preface  ix
The team that wrote this redbook  ix
Become a published author  xii
Comments welcome  xii

Part 1. Why Integrated Identity Management  1

Chapter 1. An introduction to a new reference architecture  3
1.1 Everything is on demand today  4
1.2 Security management methods and practices  5
1.2.1 Confidentiality  6
1.2.2 Integrity  6
1.2.3 Availability  6
1.2.4 Areas of security implied in the CIA Triad  7
1.3 Business drivers  8
1.4 Issues affecting identity integration solutions  9
1.5 Integrated identity in the enterprise  11
1.5.1 Access control management  11
1.5.2 Identity and credential management  12
1.5.3 Audit management  13
1.5.4 Directory management  14
1.5.5 Privacy management  15
1.6 Conclusion  16

Chapter 2. What Bank International  17
2.1 Company profile  18
2.1.1 Geographic distribution of WBI  18
2.1.2 Organization of WBI  20
2.1.3 HR and personnel procedures  21
2.2 Current IT architecture  22
2.2.1 Overview of the WBI network  23
2.2.2 Recently implemented e-business initiative  25
2.2.3 Security infrastructure deployed for the e-business initiative  25
2.2.4 Secured e-business initiative architecture  27
2.2.5 Identity management and emerging problems  28
2.3 Corporate business vision and objectives  30
2.4 Business requirements  31
2.4.1 Business requirements for phase 1  32
2.4.2 Business requirements for phase 2  33
2.5 Functional requirements  33
2.5.1 Phase 1  34
2.5.2 Phase 2  41
2.6 Risk assessment  42
2.6.1 WBI risk assessment  44
2.7 Security design objectives  46
2.7.1 Functional design objectives  47
2.7.2 Non-functional design objectives  49
2.8 Architectural decisions  50

Chapter 3. Applying the reference architecture  53
3.1 Solution design and delivery approach  53
3.1.1 Implementation life-cycle  54
3.1.2 Requirements analysis  60
3.1.3 Incremental delivery strategy  69
3.2 WBI solution design  83
3.2.1 Solution overview  83
3.2.2 Component model  87
3.2.3 The operational architecture  102
3.2.4 The security architecture  111
3.2.5 Implementation phases  119

Chapter 4. Implementing the solution  121
4.1 Development environment overview  122
4.1.1 Component model  123
4.1.2 Operational model  124
4.1.3 Security architecture  126
4.2 Technical implementation  126
4.2.1 Automatic provisioning  126
4.2.2 Application subscription  137
4.2.3 Self care  141
4.2.4 Self registration  149
4.3 Conclusion  155

Part 2. Appendixes  157

Appendix A. ISO 17799 compliance mapping  159
Corporate policy and standards  160
Standards, practices, and procedures  161
Practical example  162
External standards and certifications  163
Industry specific requirements  164
Product or solution certifications  164
Nationally and internationally recognized standards  165
Legal requirements  165
ISO 17799 and integrated identity management  166
Summary  169

Glossary  171

Related publications  173
IBM Redbooks  173
How to get IBM Redbooks  173
Help from IBM  174

Index  175
Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:

AIX®, CICS®, DB2 Universal Database™, DB2®, Domino®, e-business on demand™, Eserver®, ibm.com®, IBM®, iNotes™, Lotus Notes®, Lotus®, MQSeries®, Notes®, pSeries®, RACF®, Redbooks (logo)™, Redbooks™, Tivoli Enterprise Console®, Tivoli Enterprise™, Tivoli®, TME®, WebSphere®, z/OS®

The following terms are trademarks of other companies:

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.
Preface

This IBM Redbook provides a solution-oriented overview of using Tivoli® security products to provide an implementation for integrated identity management based on real-life customer experience. When defining functional requirements for e-business related projects, you have to take into consideration a serious amount of security related tasks and disciplines. These disciplines are authentication and credential acquisition, use of directory infrastructures, session management, multiple tiers of single sign-on, authorization, administration, users and policy, accountability, and availability. Together they stand for the integrated identity management approach, an approach that should be regarded as a holistic way of tying security requirements into your projects.

First we introduce a new reference architecture for building an integrated identity management solution in Chapter 1, “An introduction to a new reference architecture” on page 3. Then we use a typical customer environment to build a real-life example where we can methodically develop a solution design and approach for our new integrated identity management reference architecture.

The team that wrote this redbook

This redbook was produced by a team of specialists from around the world working at the International Technical Support Organization, Austin Center.
Figure 1 From left, Axel, Sridhar, Samantha, Jaime, Loïc, and Michael

Axel Bücker is a Certified Consulting Software I/T Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of Software Security Architecture and Network Computing Technologies. He holds a degree in computer science from the University of Bremen, Germany. He has 17 years of experience in a variety of areas related to Workstation and Systems Management, Network Computing, and e-business solutions. Before joining the ITSO in March 2000, Axel was working for IBM in Germany as a Senior IT Specialist in Software Security Architecture.

Jaime Cordoba Palacios is a Certified Consulting I/T Specialist with Grupo PISSA (IBM Business Partner), based in Mexico, D.F. He holds a degree in electronics engineering, and a degree in Information Security from Instituto Tecnologico y de Estudios Superiores de Monterrey, Mexico. He has five years of experience in a variety of areas related to Systems Management, Network Computing, and Security Solutions. His areas of expertise include IBM Tivoli Access Manager, IBM Tivoli Risk Manager, IBM Tivoli Identity Manager, LDAP, e-business infrastructures, and networking. He currently is involved in security architecture design and implementation and general security consulting engagements. He has worked on various customer projects performing network and security assessments and architecting secure e-business infrastructures.

Michael Grimwade is a Senior IT Architect with IBM Global Services in Australia. He has eight years of experience in delivering custom e-business solutions to large organizations. He holds a degree in Information Technology from the University of Queensland, Australia and has worked at IBM for six years. His areas of expertise include e-business applications, infrastructure and security, software architecture and design, and solution delivery methodologies.

Loïc Guezo is an I/T Security Architect in IBM Global Services. He is primarily involved in security architecture design, implementation, and security consulting engagements. He has three years of experience within the Security and Privacy practice in France, and focuses on Tivoli security products. Before joining IBM he spent nine years in different positions in banking, industrial, and health care environments, leading IT projects, building, and managing infrastructures. Loïc holds a degree in Computer Science from Paris XIII University and a Masters degree in OSS - Security from Ecole Centrale Paris in France.

Mari Heiser is a senior I/T Architect with IBM in the United States, specializing in security and network architectures. She has 19 years experience in the I/T industry related to networking, Web infrastructure and enterprise security solutions. She holds a degree in Education from The Cleveland State University as well as a degree in Electrical Engineering. Her areas of expertise include Tivoli Access Manager, Tivoli Identity Manager, LDAP, e-business infrastructures and networking. During the last few years, she has worked on various customer projects performing network and security assessments and architecting secure eBusiness infrastructures. She has written and edited several books relating to the I/T industry in general and was a contributing author to the IBM Redbook, Enterprise Security Architecture using IBM Tivoli.

Samantha Letts is an IT Specialist with IBM Australia. She holds a degree in Commerce, majoring in Business Systems and Management, from the University of Wollongong, Australia. She has eight years of experience with IBM Australia software defect support. She has spent the last two years working on Tivoli products in the security area.

Sridhar Muppidi is a Senior Security Architect working in the Tivoli division of IBM Software Group. His area of expertise is providing secure and manageable e-commerce solutions to enterprises and their edge systems, which includes architecting solutions for customers, working on new product developments, and standards work. Prior to this, Sridhar was a Security and Directory Architect in IBM's Global Services group. Sridhar obtained his M.S. and Ph.D. from Texas A&M University in 1992 and 1996 respectively.
Thanks to the following people for their contributions to this project:

Yvonne Lyon, editor
International Technical Support Organization, San Jose Center

Ted Ralston, Chris Ehrsam, Becky McKane, Scott Simmons, Robert Larson, Weibo Yuan, Clyde Zoch, Eric Schultz, Paul Ashley, Rick McCarty, Bill Powell
IBM US

Paul O'Mahoney, Andrew Jupp
IBM UK

Become a published author

Join us for a two- to six-week residency program! Help write an IBM Redbook dealing with specific products or solutions, while getting hands-on experience with leading-edge technologies. You'll team with IBM technical professionals, Business Partners and/or customers. Your efforts will help increase product acceptance and customer satisfaction. As a bonus, you'll develop a network of contacts in IBM development labs, and increase your productivity and marketability. Find out more about the residency program, browse the residency index, and apply online at: ibm.com/redbooks/residencies.html

Comments welcome

Your comments are important to us! We want our Redbooks™ to be as helpful as possible. Send us your comments about this or other Redbooks in one of the following ways:
- Use the online Contact us review redbook form found at: ibm.com/redbooks
- Send your comments in an Internet note to: redbook@us.ibm.com
- Mail your comments to: IBM® Corporation, International Technical Support Organization, Dept. JN9B Building 003 Internal Zip 2834, 11400 Burnet Road, Austin, Texas 78758-3493
Part 1. Why Integrated Identity Management

In this part we provide an introduction as to why an integrated identity management approach for applying security within IT environments is the right thing to do. Enterprise security cannot be tackled by implementing bits and pieces in segregated portions of the infrastructure; it has to be built on a solid foundation of policies and standards. It should provide a seamless security infrastructure layer that other components, such as authentication proxies and applications, for example, can leverage.
Chapter 1. An introduction to a new reference architecture

In the new territory of the on demand Internet economy, strategic partnerships are an important way to reduce development and marketing costs, increase sales figures, and seize new business opportunities. An enterprise whose business processes — integrated end-to-end across the company and with key partners, suppliers, and customers — can respond with flexibility and speed to any customer demand, market opportunity, or threat has the clear competitive advantage. By combining a challenging business environment with the efficiency of Web-based collaboration and strong security to protect proprietary information on other network resources, the enterprise is poised to respond to the competitive challenges facing them in today’s marketplace. However, with that, companies must be able to trust the electronic identities that access their Web sites from external locations.

Identity management is a comprehensive, process oriented, and policy driven security approach that helps organizations consolidate identity data and automate the deployment across the enterprise. In this chapter we discuss how integrated identity management enables organizations to share trusted identities through strong authentication and single sign-on (SSO) functionality. We also outline methods of identifying the key components of an integrated identity management architecture.
1.1 Everything is on demand today

When we discuss on demand, we are talking about a new era. Today, people are used to getting their money, airline tickets, and a host of other things immediately. On demand is the logical extension of this immediacy across an enterprise — linking customers as well as suppliers. An enterprise whose business processes are integrated end to end across the company and with key partners, suppliers, and customers, can respond with flexibility and speed to the customer demand, market opportunity, or threat.

On demand is not a marketing idea looking for an opportunity. On demand is a response to the competitive challenges facing business today. Markets are tightening, and the opportunity to reach new markets and increase profits within current budgets sounds like a contradiction. On demand comes alive in an industry context bringing the innovation needed to capture new value and generate the productivity gains at a lower cost.

Things are changing — we have accelerating advances in technology, and the business landscape is changing as well. Volatility is increasing across all areas — from economies and stock markets to pricing pressures and competitive threats. There is a much deeper integration of IT with the business today. IT is no longer a back-room operation. Companies have to be able to manage in the face of all the pressure — that means responding faster and more accurately, while bringing down the cost of business by becoming more productive.

Figure 1-1 shows the two strategic imperatives that exist today. The first is business innovation, and the second is improved productivity and deployment. The overriding factors to these requirements are increased security and resiliency.
[Figure 1-1 Innovation and productivity are linked to increased security and resiliency. The figure places both imperatives under the heading "Increase Security & Resiliency". Imperative 1, innovate the business to differentiate and capture new value: increase business flexibility, extract greater value from data, improve the customer experience, drive business innovation, optimize the value net. Imperative 2, make better use of resources to be more productive: optimize today’s IT investments, improve employee productivity, streamline/simplify processes.]
Core attributes of e-business on demand™ include: responsiveness, variability, focus, and resiliency. Responsiveness is sensing and responding in real-time based on an integrated view of customers, employees, suppliers, partners, and competitors. Variability is utilizing variable cost structures to do business at high levels of productivity, cost control, capital efficiency, and financial predictability. Focus refers to concentrating on core, differentiating tasks, and being capable of quickly evolving them, as well as leveraging competency of strategic partners to manage selected tasks. And, e-business on demand requires resiliency, meaning that enterprises must employ a flexible operating environment that can manage changes and threats with consistent availability, security, and privacy.

Operating in an on-demand world requires that companies protect information assets, confidentiality, and data integrity. It also means that steps are taken to ensure that the IT infrastructure is reliable and available to support business operations — integrating existing business processes within the company, and capturing, analyzing, and utilizing information effectively to support business decision-making. Leveraging the infrastructure means integrating existing business applications as well, allowing for maximum utilization of existing computing resources.

1.2 Security management methods and practices

The Internet’s eruption into everyday life as a universal form of communication happened because of the easy and efficient sharing of information between users worldwide. Users, for the most part, were unidentified — hidden, if you will, in cyberspace. But as more information got pushed to the Web, it became increasingly important for the publishers of this information to know who was accessing it and to apply security methods to it.
Today, companies are allowing employees, suppliers, prospective and existing customers, and business partners to access corporate information through the Internet. As more and more enterprises utilize the ease of the Internet to provide more services to their employees and partners, as well as customers, the need to supply a secure and effective e-business environment with trusted user credentials is essential.

Security management methods and practices are the elements necessary for any solution deployment — whether it entails a network with no Internet access or something specific for the Internet. The basic principles that affect all security decisions are confidentiality, integrity, and availability — the CIA Triad — which is the basic roadmap containing the goals and objectives that both policies and systems must blend to achieve a secure solution. These three principles, which we discuss next, are often considered the most important within the realm of security, and no less so in an Internet enabled world.
1.2.1 Confidentiality

What is confidentiality? Ensuring that information is accessible only to those authorized to have access.

The fundamental goal of any information security program is to assess what is being protected, as well as the why and how of controlling access. Determining confidentiality is not simply a matter of deciding whether information is secret or not. Rather, it is the act of determining the level of access in terms of how and where the data can be accessed. For information to be useful to the organization, it can be classified by a degree of confidentiality.

While this book does not provide an in-depth look into the many layers of security, it is helpful to mention that the concept of confidentiality entails other aspects of information security, namely sensitivity, secrecy, and privacy. However, confidentiality and integrity are interwoven: Without integrity, confidentiality cannot be maintained.

1.2.2 Integrity

What is integrity? Safeguarding the accuracy and completeness of information and processing methods.

Integrity is the guarantee that the information has not been modified by any unauthorized mechanism. With data being the primary information asset, integrity provides the assurance that the data is accurate and reliable. Without integrity, the costs associated with collecting and maintaining the data cannot be justified. As stated above, confidentiality and integrity are dependent on each other. Other aspects of integrity include accuracy, authenticity, accountability, nonrepudiation, and validity.

1.2.3 Availability

What is availability? Ensuring that authorized users have access to information and associated assets when required.
The principle of availability says that information is obtainable and accessible, but it does not say that acquiring information is immediate and/or instantaneous. What it does say is that authorized users can be granted timely and uninterrupted access to information. Availability is dependent on both confidentiality and integrity. Without the “C” and “I” there is no “A”. Other areas of availability include accessibility and timeliness.

1.2.4 Areas of security implied in the CIA Triad

As you have seen, the CIA Triad covers a broad spectrum. Some of the other areas implied and of concern are listed in the following sections.

Privacy

Privacy considers what information can be shared with others (confidentiality), how that information can be accessed safely (integrity), and how it can be accessed (availability). When discussing privacy in an IT world, it can quickly become a balancing act between individual rights and the rights of the organization. Privacy is an issue for everyone and must be addressed within the policies, procedures, and standards that are adopted. If not mandated to do so by law or regulation, organizations should review the privacy needs of their own information assets or their clients respectively.

Identification

When you examine the identity process, it actually has three distinct steps. As the first step, identification assigns every person or asset a distinct name, for example, user name, account name, application name, and so on.

Authentication

The second step is where we verify that the identity claimed is real and valid. The most common form of authentication is a password that is checked against a database and deemed correct or incorrect. Without identification, authentication is useless. Authentication should be mutually available for all involved and identified assets.

Authorization

This is the third step in the identification process.
Once a user or process has been identified and authenticated, their ability to access assets is authorized. This is determined by the rights and privileges assigned to the authenticated identity. Please note that being identified and authenticated doesn’t automatically grant authorization.
Auditing

Auditing is the process of monitoring and logging activities that occur within the IT system. It is not limited to authenticated and authorized users or processes, but also covers unauthorized or abnormal activities on a system. Auditing per definition is a passive activity, but on-demand auditing within an IT system requires intelligent event correlation and automated response behavior.

Accountability

Accountability is the result achieved by the actual auditing of a system. Accountability includes information about the access, such as date, time, network address, and other information that could further identify the condition or event.

Nonrepudiation

Nonrepudiation is the ability to ensure that the originator of a communication or message is the true sender by guaranteeing authenticity of their digital signature. This prevents a user from claiming not to have sent a message or performed an action that caused an event.

1.3 Business drivers

The highly competitive nature of today’s marketplace has caused businesses to look in many new and challenging directions to compete effectively. Doing more with less has become the mantra of every level of management. The edicts of open new markets and find new opportunities have made utilizing the vast infrastructure of the Internet a sound fiscal decision. But this sound decision also brings new challenges.

As IT is challenged to do more with fewer resources, managing identities and their access to resources throughout the enterprise is even more difficult. Typical IT environments have many local administrators using manual processes to implement user changes across multiple systems and applications. As identity administration grows more costly, it can inhibit the development and deployment of new business initiatives.
An integrated identity management solution can help you get users, systems, and applications online and productive quickly, as well as maintaining dynamic compliance to increase the resiliency and security of the IT environment, while helping to reduce costs and maximize return on investment. There are four key areas of an identity management solution:
- Identity lifecycle management (user self-care, enrollment, and provisioning)
- Identity control (access and privacy control, single sign-on, and auditing)
- Identity federation (sharing user authentication and attribute information between trusted applications)
- Identity foundation (directory, directory integration, and workflow)

Identity management is a super-set of older user provisioning systems that allows for the management of identity and credential information for customers, partners, suppliers, automated processes, corporate users, and others. As the world of e-business gains global acceptance, the traditional processes of corporate user administration are no longer able to cope with the demands of increased scale and scope expected from them.

As organizations come to depend upon their IT assets to a greater extent than previously, these assets attract the attention of accounting and reporting standards. IT data and system assets will increasingly become balance sheet line items, and therefore be subject to different audit and compliance rules. Organizations must be able to demonstrate due care, due diligence, improved security, and compliance with other financial rules. We should realize that any entity using the IT systems run by an organization must be included in the scope of identity management if we are to have any chance of achieving these goals.

1.4 Issues affecting identity integration solutions

Undertaking an identity integration project reveals situations that aren’t always readily apparent. Two major areas of interest when putting together an integrated identity management approach include: enabling user access (session management, authorization, authentication, and so on) and user lifecycle management (user administration, provisioning, and so on). These two areas stand at the forefront, and each area, again, has many facets of its own. We now touch upon these briefly.

User access management is the application of security policies and procedures across an enterprise.
Each requester (users, business partners, administrators, and so on) attempting to access a resource should provide proof of its identity. In turn, the security policy determines whether that client is permitted to perform an operation on a requested resource. In security systems, authorization is distinct from authentication. Authorization determines whether an authenticated client has the right to perform an operation on a specific resource in a secure domain.

User identity management establishes and manages the identity of the user throughout its lifecycle. This begins with the initial creation of the user account, modifications to the account while it is active, and subsequent removal or disabling of the account. Integrating these activities facilitates the process for access approval, user provisioning, identity management, and subsequent reporting/auditing requirements or procedures.
By taking a life cycle approach to the management of the identity and specific attention to access control from the beginning of the process, an integrated identity management solution must have the ability to integrate with pre-existing information sources within the enterprise, such as directories. This allows for leveraging the existing information in data directories as well as integrating with other information sources already available. Integration is the key to effectively managing an individual identity and access. This holistic lifecycle approach helps to minimize the risk to the enterprise because it is ordered rather than fragmented. Figure 1-2 illustrates the approach.

[Figure 1-2 Integrated identity management reference architecture. The diagram distinguishes identity management related components, application components, and infrastructure components. Labels in the diagram include: Policy (Provisioning, Password, Workflow, Service Selection, Roles, Organization, ACI Management); Users (Applications, Int. and Ext., Business Partners, Administrators); Enforcement Proxy; Identity management Server (IM LDAP or API, AM API, JAAS, JACC, WIM); Access Management (Users Provisioning, Authentication / Password Policy, Secure Self Help, Help Desk, Del. Admin, Self Registration, User, Group lookup, Provisioning); Provisioning Gateway; LDAP Directory Server; Privacy Management and Privacy Enforcement; Web Trust management; Applications (Portal Server, App. Server, Content Server); Security Enforcement (Authentication, Cred. Acquisition, Authorization, Single Sign-On, Policy Enforcement, Auditing); Message security; Cred. Mapping; Meta directory; Secure Data Access; Authoritative Data (HR Data, Database data); Managed Targets.]
1.5 Integrated identity in the enterprise

There is often confusion regarding an integrated identity management solution. As stated before, identity management is an all-inclusive process and policy oriented security approach. A truly comprehensive solution requires integration of several important technologies. Once a user has been identified (password), they must be authenticated (their identity proven) and accountability is established. For authorization to occur, permissions and/or roles can be implemented to allow access to resources.

1.5.1 Access control management

Access control management generally revolves around authentication and authorization mechanisms. These technologies help warrant that every user has secure and convenient access to the resources they need (and only the resources they need) to perform their work or transactions. In order to be most effective, authentication mechanisms should be placed as close to the edge of the enterprise network as possible. This allows for the authentication to take place before any user can gain access to any resources located within the enterprise production perimeter. The authentication service has to provide different options of how to verify the authenticity of the presented secret based on userid and password, X.509 certificate, SecureID token, biometrics, or other means. These options again can vary depending on the requested resource’s asset value, with stronger mechanisms for high value assets. This flexibility should be provided within one security solution, and the management of this security solution needs to support both centralized and distributed security administration groups, while maintenance of the Web applications can be done by other individual groups applying different rules and roles.

Once a requester has been successfully authenticated, a set of related credentials should be compiled and held available for the remainder of the online session (within certain time-out parameters).
Proper session management is responsible for the transport and availability of the requester’s credential information between different tiers in the IT environment, for example, proxy, application, data, audit, and so on. When utilizing the security technologies of access management, the overall ease and convenience to the user is expanded by implementing single sign-on (SSO), which enables authorized users to access multiple protected resources across domains, while authenticating only once. Once the authentication process is completed with user credentials and session management context created, the authorization service gets involved.
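As an added example (not code from this Redbook or from any Tivoli product), the following sketches the decision an authorization service in front of the Web application servers can make once the credential for the session exists: the authentication method presented is checked against the strength the requested resource's asset value demands, a role-based permission set gives the coarse-grained answer, and policy rules evaluated on the user's profile and the request context refine it. All resource paths, roles, rules and the strength ranking of the authentication methods are constructed assumptions for the example.

```python
"""Authorization decision combining authentication strength, roles and rules.

Added example; the policy data below is constructed and does not describe any
real product's configuration.
"""
from dataclasses import dataclass, field
from datetime import time

# Constructed ranking of the authentication methods mentioned in the text:
# stronger methods get a higher number.
AUTH_STRENGTH = {"password": 1, "securid_token": 2, "x509_certificate": 3, "biometric": 3}


@dataclass(frozen=True)
class Credential:
    """What the enforcement point holds for a requester after authentication."""
    user: str
    roles: frozenset
    auth_method: str
    attributes: dict = field(default_factory=dict)  # user profile, e.g. department


# Role-based policy (constructed): role -> resource -> permitted operations.
ROLE_PERMISSIONS = {
    "employee": {"/intranet/news": {"read"}},
    "hr_staff": {"/intranet/news": {"read"}, "/hr/payroll": {"read", "update"}},
    "auditor":  {"/hr/payroll": {"read"}},
}

# Protected resources (constructed) with the minimum authentication strength
# their asset value demands: high-value assets need more than a password.
RESOURCES = {
    "/intranet/news": {"asset_value": "low", "min_auth_strength": 1},
    "/hr/payroll":    {"asset_value": "high", "min_auth_strength": 2},
}


# Rule-based policy: each rule sees credential, resource, operation and request
# context and returns False to deny. Rules complement the role decision above.
def rule_business_hours(cred, resource, operation, ctx):
    """Updates to high-value assets are only permitted during business hours."""
    if operation == "update" and RESOURCES[resource]["asset_value"] == "high":
        return time(8, 0) <= ctx["now"] <= time(18, 0)
    return True


def rule_department_match(cred, resource, operation, ctx):
    """Payroll may only be touched by the HR department or by an auditor."""
    if resource == "/hr/payroll":
        return cred.attributes.get("department") == "HR" or "auditor" in cred.roles
    return True


RULES = [rule_business_hours, rule_department_match]


def request_context(hour, minute=0):
    """Context the enforcement point passes along; here only the time of day."""
    return {"now": time(hour, minute)}


def authorize(cred, resource, operation, ctx):
    """Return (allowed, reason); evaluated before the request is forwarded."""
    spec = RESOURCES.get(resource)
    if spec is None:
        return False, "unknown resource"
    # Step-up requirement: the method used must match the asset value.
    if AUTH_STRENGTH.get(cred.auth_method, 0) < spec["min_auth_strength"]:
        return False, "step-up authentication required for high-value asset"
    # Coarse-grained decision from the roles in the credential.
    permitted = set()
    for role in cred.roles:
        permitted |= ROLE_PERMISSIONS.get(role, {}).get(resource, set())
    if operation not in permitted:
        return False, "no role grants %s on %s" % (operation, resource)
    # Fine-grained refinement by policy rules on profile and context.
    for rule in RULES:
        if not rule(cred, resource, operation, ctx):
            return False, "denied by rule %s" % rule.__name__
    return True, "permitted"


if __name__ == "__main__":
    hr = Credential("asmith", frozenset({"hr_staff"}), "securid_token", {"department": "HR"})
    for hour in (10, 20):
        print(hour, authorize(hr, "/hr/payroll", "update", request_context(hour)))
```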
Rule based authorization grants or denies access based on a user’s profile in which access decisions are made in real time by policy rules. These can either replace or complement roles. These rules can be fairly simplistic and based on what position the user holds and what they are requesting. Role Based Access Control (RBAC) is based on a collection of permissions that employs job function roles to regulate access to resources.

The goal is to enable user authentication and to enforce target-based, coarse-grained or fine-grained authorization before forwarding a user’s request along with their credentials to any of the Web application servers. This way, the Web application developers can stay free of maintaining any security infrastructures.

1.5.2 Identity and credential management

Identity and credential management establishes and manages the identity of the user throughout the lifecycle of that identity. This begins from the initial provisioning of the user’s identity — including the defining of access rights and following a logical workflow to complete the process. Identity management uses policies to define access rules to resources that the user requires to complete their jobs and fulfill their roles. Using policies to manage identities provides consistent and automated updating of identities as users move between departments and positions in the organization.

Access approval, user provisioning, and compliance reporting are extremely important for managing the integrated identity. Processes for approvals must be followed to ensure that access rights are appropriate for each user in question. When reprovisioning the users, there is a logical flow and sequence of steps that must tie into the non-IT segments of the workflow. One example is to periodically validate that personnel are still valid and authorized users.
This ensures the security of accounts by eliminating those accounts of personnel who no longer work for the company or whose responsibilities have changed. Another example is to frequently check the active user accounts and access permissions and cross-reference them to the existing provisioning policies for users and roles. This ensures that users only have access to systems they are entitled to. Any access rights manually granted without proper policy-based indication (for example, by your friendly administrator) can be automatically revoked and audited.

Integrated identity management also enforces access control across the extended enterprise. By using the identity information and combining it with policies to enforce access, greater consistency exists across the enterprise. If the access rights are enforced by policy and are based on specific information in the identity data, the need is removed for explicit access definitions. This allows for a more consistent and centralized approach to managing the enterprise.
By taking the policy based access approach, you manage information privacy and adhere to regulatory or corporate requirements in an integrated and automated fashion — having the ability to specifically identify the information that must be kept private and safe guarding that privacy.

1.5.3 Audit management

Audit management is a crucial part of any solution. Unfortunately, many organizations learn this the hard way—after a security event has occurred. As part of the integrated identity solution, planning what events need to be audited or monitored and to what level is a crucial step. Auditing and monitoring are the foundation to sustaining accountability. The National Computer Security Center (NCSC) has approved the following definition:

“An audit trail is a chronological record of system activities that is sufficient to enable the reconstruction, reviewing, and examination of the sequence of environments and activities surrounding or leading to an operation, a procedure or an event in a transaction from its inception to its final results.”1

With this definition in mind, the necessary requirements for tracking various activities should be carefully planned and agreed upon to minimize disruptions to the business process. This includes both internal as well as external access to resources. Logging events such as unauthorized or abnormal activities, attempted intrusions and systems failures helps to reconstruct the events that occur and provide evidence for legal purposes and analysis reports to track and correct vulnerabilities.

Unfortunately, when logging is used to monitor a system or events, so much data is collected that important information can and does get buried. Being able to sort through the data and reduce it to something usable is an art that requires attention to detail. Tools are available to record and report on events and should be employed to reduce the volume of information gathered into a usable and understandable format.
Key points to observe in building an audit system include these: Management should agree with the audit requirements. The scope of audit/monitoring should be agreed to and controlled. Logs should be read-only and access to them limited to read-only. Necessary resources for performing the checks should be identified and made available. The need for special or additional resources should be identified and agreed upon. All procedures, requirements and responsibilities should be documented.1 National Computer Security Center, Glossary of Computer Security Terms, NCSC-TG-004-88, October 1988 Chapter 1. An introduction to a new reference architecture 13
The key objective in any audit environment should be to maximize the effectiveness of the system and to minimize interference, not only with the system but also with the audit process itself. That means protecting the tools and records as well as the IT systems involved.

1.5.4 Directory management

Increasingly, enterprises are seeking to improve operational efficiencies and expand their businesses by opening their internal systems to a broader community of systems, employees, customers, and suppliers. A consistent and reliable identity infrastructure enables enterprises to expose their internal processes to their supply chain, to their customers, and to the growing mass of automated machine-to-machine transactions.

A common identity repository is a key enabler for the security and application infrastructure in an enterprise. A centralized repository is meant to consolidate all user and resource definitions into a single data source. Most companies, while expanding their business, also increase the number of applications and platforms, usually each one with its own format and place for defining the enabled users. The final result is that user credentials are stored in a number of different and disjointed places. This means that the same person might have different, unsynchronized accounts for different applications. In large companies the number of these accounts may reach double or even triple digits.

This situation presents a number of problems, including:
- High costs for user management: Expenses increase proportionally to the number of repositories.
- Security: Policies, standards, and guidelines cannot be enforced consistently across the enterprise.
- Data integrity: Inconsistent information is possible across the enterprise.
- Risks: There are higher risks related to human errors, malicious attacks, and system failures.
- Growth: Availability and scalability of the systems.

These problems can be faced and mostly solved by consolidating the disjointed data sources into a single manageable, available, and scalable repository. This is one of the basic concepts in implementing an integrated identity solution. Managing and consolidating information allows for the definition of an authoritative source of user identities, and for the establishment of clear and uniform processes to manage user definitions.
1.5.5 Privacy management

Webster’s defines privacy as “the quality or state of being apart from company or observation”. In an IT world, privacy is the right of an individual to decide when, how, and to what extent information about them is communicated to others. When an individual gives their private data to an enterprise, the enterprise should consider itself the custodian of the data, and let the individual, as the owner of the data, decide how it should be used.

Why consider privacy in an integrated identity project? If security is the protection of information, privacy is the act of complying with how the individual wants that information distributed. An example of this would be: A department within an enterprise has customers that have consented to receiving e-mail updates. Does this mean that you can send them e-mail about products from other departments? Are you allowed to share their information with other departments or business partners? Without policies governing these situations and governing what information may be shared, there is no clear-cut answer to either question.

Formulating an enterprise privacy strategy is imperative in today’s global corporation. There are a number of risks faced if a privacy policy is not enforced. The risks include, but are not limited to, the following situations:
- Erosion of reputation and/or brand: Privacy violation is being reported as one of the key inhibitors to the growth of on-line business. Business relationships are built on trust. Organizations that demonstrate good privacy practices can build trust and grow their business. Organizations with poor privacy practices alienate their customers.
- Legislative reproof: In response to various privacy violations and consumer complaints, many countries have enacted legislation to protect privacy. The core of the legislation is generally based on the Organisation for Economic Co-operation and Development (OECD) privacy guideline (http://www.oecd.org). When many of the current member countries were first considering privacy legislation, the OECD was concerned that the creation of diverse and disparate privacy regulations would impede the flow of information between countries. Actual enactment of the legislation has varied significantly. In the EU, Canada, and Australia, regulations that cross industry sectors have been enacted. The United States has taken a sectoral approach, enacting separate regulations for health care, finance, and the protection of children’s data. Asia, as a whole, is not as far along in the creation or implementation of guidelines; the notable exceptions are Japan, Hong Kong, and Taiwan.
- Lawsuits: Lawsuits against organizations that violate privacy regulations or promises are becoming more common. A quick search of the United States Federal Trade Commission (FTC) Web site, for example, will find a number of companies that have both been charged by the FTC with privacy violations and are under a class action lawsuit from their customers.

Unfortunately, until quite recently there have not been any software tools available for privacy policy enforcement. Enterprises have had two choices:
- Do nothing, and pray that they don’t violate too many regulations and don’t annoy too many of their customers.
- Try to implement their privacy policy across their application environment. This usually means coding the privacy policy into applications.

Enterprises are finding that implementing a privacy policy across their application environment is a daunting task. Each application that accesses private data has to be enhanced to include the privacy policy. This is an expensive and slow process. With an integrated identity approach, policies and guidelines may be implemented across the board, offering less confusion and greater control.

1.6 Conclusion

Clearly, many obstacles exist, but there are best practices that organizations can follow to mitigate risk, optimize investment, achieve results, and ultimately balance user experience with greater productivity and cost savings, allied to increased IT security. An integrated identity solution offers a method of overcoming the obstacles and of obtaining a greater return on investment for the enterprise by consolidating resources and utilizing them effectively. The reference architecture for integrated identity management introduced here should be regarded as a yardstick for optimized integration, where all identity-management-related components fully leverage and utilize one and the same infrastructure (see Figure 1-2 on page 10).
Chapter 2. What Bank International

This chapter provides an introduction to the overall structure of our hypothetical corporation, What Bank International (WBI), including its profile, its current IT architecture and infrastructure, and its medium-term business vision and objectives. We also describe the business requirements, functional requirements, security design objectives, and architectural decisions for an Integrated Identity Management solution.

Note: All names and references for the company and other business institutions used in this chapter are fictional. Any similarity with a real company or institution is coincidental.

© Copyright IBM Corp. 2004. All rights reserved.
2.1 Company profile

What Bank International (WBI) is one of the financial institutions established throughout the continental United States and Europe. It has been in business for more than 30 years and now operates over 10 sites, providing common financial services, such as account management, credit card supply, and check cashing, as well as trading and other specialized services for high-value customers.

The following sections describe:
- The geographic distribution of WBI
- The company organization
- HR and personnel procedures

Note: The following sections describe the company information relevant to our context and are not intended to be a complete description of the company.

2.1.1 Geographic distribution of WBI

WBI sites are distributed through the continental United States and western Europe. The corporate head office is located in London, UK. WBI further operates the following four regional centers:
- RU: Regional center Europe (London, UK) and the peripheral IT data center
- RW: Regional center West (San Francisco, California)
- RC: Regional center Central (Paris, Texas) and the central IT data center
- RE: Regional center East (New York, New York)

These regional centers service the basic IT needs of the sites in their respective region (including first-level user support and user administration). They also provide Customer Service Center services for the region (such as on-line account information or trading operations).

The corporate IT staff is located in Paris, Texas, within the US IT data center (which contains the core IT infrastructure). Members of this team are developers, engineers, and project managers for the corporate information systems. A second, historical, IT data center is located in London, UK, due to a merger in the early 1990s. The other WBI sites are distributed throughout the regions.
The geographic distribution of WBI is shown in Figure 2-1 for the continental US division and in Figure 2-2 for the European division.

[Figure 2-1 Geographic distribution of WBI sites for the continental US. Sites shown: New York (Customer Service & Regional Center East), Seattle, Detroit, San Francisco (Customer Service & Regional Center West), Denver, St Louis, Raleigh, Los Angeles, Paris, TX (Customer Service & Regional Center Central, IT Center)]

[Figure 2-2 Geographic distribution of WBI sites for the European division. Sites shown: London, UK (Customer Service & Regional Center Europe, IT Center), Paris, Rome]

2.1.2 Organization of WBI

The company is split into five key areas: the four regions and a core services department, as depicted in Figure 2-3.

[Figure 2-3 Key areas for WBI company: Executive, with Region West, Region Central, Region East, Region Europe, and Core Services below]

Each of the regions is responsible for the operations within that region, customer service, and staffing. All the regions have the same structure. The organization chart for Region West is shown in Figure 2-4.

[Figure 2-4 Organization chart for Region West. Labels shown: Banking, IT, Customer Services Center, HR; Card Services, Account Services, Broker Services, Tech Support, HelpDesk, Los Angeles, Seattle CSC]

The core services department acts on a company-wide scale. Core Services include support services for the IT data centers (development, applications Help Desk, and systems administration), HR, sales, and finance. The organization chart for Core Services is shown in Figure 2-5.

[Figure 2-5 Core Services organization chart. Labels shown: Sales, Support, Finance, IT Data Center; Partners, Marketing, HR, Accts, BO, Trade, GA, Systems, HelpDesk, IT Dev]

2.1.3 HR and personnel procedures

Personnel is managed locally within each region for the regions, and by the Core Services HR team in Paris for all Core Services staff.
The following procedures apply to personnel management today:
- When a new employee joins the company, the employee is added to the authoritative HR system. An e-mail is sent to the new employee’s manager indicating when the person is starting work and giving their HR details. The manager determines what types of access each person needs and sends e-mails to the appropriate support teams to create accounts on the systems (for example, the LAN team creates the NT domain account, and the back-office application teams create the intranet application accounts, as well as z/OS® RACF® accounts if needed). When access is granted, an e-mail is sent back to the user’s e-mail account giving the account details, including passwords. As the support teams are small, there are often delays of a few days in creating each account.
- When an employee requires additional resource access, the request has to be approved by their manager, who then involves the appropriate support team, via e-mail, to execute the request. As with new accounts, the support teams grant the additional access.
- When employees forget a password, or have an account locked due to invalid passwords, they have to call the help desk (either at the regional or the central level). The help desk can reset NT (LAN) and z/OS RACF passwords and accounts, but some application-specific resets need to be referred to the respective support team.
- When employees leave the company, they are removed from HR, and normally their set of accounts is deleted. However, this is not applied consistently, and there are no control mechanisms in place to ensure proper removal or inactivation.
- Each employee has a jobcode to describe the job role. Some of these are common across the regions, such as Manager and CSC operator. Some jobs are specific to a team, such as Intranet application administrator. These job roles and jobcodes are managed by the central HR team. They rarely change.
- When new employees join the company, there is some manual provisioning that must be performed, such as real estate set aside for them, including desk locations, phone connection, and filing cabinets. This is normally carried out by the new employee’s manager sending an e-mail to the local office manager, who arranges everything.

2.2 Current IT architecture

In this section, we describe the current IT environment at WBI. We cover:
- An overview of the WBI network
- The recently implemented e-business initiative
- The security infrastructure deployed for the e-business initiative
- The secured e-business initiative architecture
- Identity management and emerging problems

2.2.1 Overview of the WBI network

WBI’s central IT data center has implemented a back-end datastore, which is based on DB2® running on z/OS. They are using an MQSeries infrastructure for asynchronous transactions between the central IT data center, the CSCs, and the European and regional data centers. WBI uses Lotus® iNotes™ as its e-mail system. This application is available to every employee.

High-level network diagrams of WBI’s network are shown in Figure 2-6 (for the continental United States) and Figure 2-7 (for Europe).

[Figure 2-6 High-level network diagram for the continental United States. Sites shown: New York, Seattle, Detroit, San Francisco, Denver, St Louis, Raleigh, Los Angeles, Paris, TX IT Center; links labelled T3 (45Mbps) and T1 (1.54Mbps), with the Internet connection and a T3 (45Mbps) link to Europe]
All external access to the WBI network is channelled through the firewalls and routers in Paris. Corporate access to the Internet is provided through a secure and highly available Internet Access Point, managed by the IT Center. All links are leased from a telecommunications operator. This service provider ensures reliability and redundancy as agreed in the service level agreement.

[Figure 2-7 High-level network diagram for the European division. Sites shown: London, UK IT Center, Paris, Rome; T3 (45Mbps) link to Central]

Internet access for European employees is provided by the IT data center in region Central, through the corporate Internet Access Point. The applications and infrastructure used in Europe are similar to those in the US. They are planned to be standardized globally in the future.
2.2.2 Recently implemented e-business initiative

Most of the business applications have been migrated to an e-business environment, and at least Web-based access interfaces are provided to nearly all back-end applications. The implementation is based on a WebSphere® Portal and WebSphere Application Server (J2EE applications) solution. The communication with the back-end databases and applications leverages the high-speed network connectivity described previously.

The implementation of IBM Tivoli Access Manager was the first important step for improving security and for providing an access control infrastructure that is independent of the application layer. The targeted Integrated Identity Management solution has to provision accounts to operating systems (Windows® NT and 2000, AIX®, and z/OS), LDAP, the e-mail system, the portal applications, and the IBM Tivoli Access Manager components, while adhering to existing security policies and procedures.

2.2.3 Security infrastructure deployed for the e-business initiative

In the past, WBI experienced many unauthorized access attempts against critical business data. This is why WBI decided to use a centralized access control mechanism. This mechanism enforces authentication and authorization of users before they actually access the applications and related data via their Web browsers. This solution is based on IBM Tivoli Access Manager for e-business and uses the WebSEAL component to enforce access control. A typical user access looks like this:

1. The user logs on to the Windows domain specifying their Windows user ID and password.
2. The user starts their Web browser and then accesses a portal page for applications. Because WBI has decided to use the SPNEGO[1] Windows SSO mechanism, users have no need to log on to the corporate portal. The presented Kerberos credential is used for access control decisions by WebSEAL in the regional center the site belongs to.
3. WebSEAL accepts or denies the login. WebSEAL works as a reverse proxy between the user’s Web browser and the Web server hosting the application, controlling whether a user can access the requested resource or not.

WebSEAL’s access control decisions are based on the information maintained within the Access Manager Policy Server and an LDAP repository. The Policy Server stores the access control information used by WebSEAL, and by other Access Manager authorization services, in an authorization database, which is distributed as a database replica to all defined WebSEAL and other authorization servers. Dialogs between WebSEAL and the Policy Server components are implemented using an Access Manager Proxy Policy Server component. The LDAP server stores the user credential information assessed at the time of the user’s login.

For each region, a Proxy Policy Server is located in the Regional Center management zone, and WebSEAL and LDAP replica servers are made available in a specific production zone in each regional center. The LDAP master and the Access Manager Policy Server are located in the management zone in the central IT center in Paris, TX. An overview of where the components are placed within the overall architecture can be found in Figure 2-8 on page 28.

Today, only the Web applications are secured by WebSEAL using Web user accounts, but other types of accounts are necessary to run standard operations, such as Windows NT® and 2000, AIX, and z/OS accounts. These accounts can only rely on the native operating system security. That is why WBI obliges its employees to follow additional security policies to strengthen the levels of security, such as periodic password changes and other password policies for all types of accounts. They are looking to add Tivoli Access Manager for Operating Systems to their security infrastructure at a later point in time.

At the time of implementing this security solution, WBI started to provide new Web-based customer services (balance of a customer’s account, personal trading operations, special campaign information, and so on) via the Internet. A customer’s access to their data is also controlled by WebSEAL.

Note: If you want to find out more about the different base components involved in the initial WBI rollout, refer to the redbook Enterprise Security Architecture using IBM Tivoli Security Solutions, SG24-6014-01.

[1] SPNEGO stands for Security Provider NEGOtiation authentication protocol. For more information on Tivoli Access Manager for e-business SPNEGO support, consult the IBM Tivoli Access Manager WebSEAL Administrator’s Guide Version 5.1, SC32-1359.
2.2.4 Secured e-business initiative architecture

The overall IT architecture is being impacted by the new e-business infrastructure and by other organizational changes. For the mid-term future it has been decided to close the European IT data center and to apply best practices and methodology for architecting a secure infrastructure by segregating assets into different Level of Trust zones.

Note: The redbook Enterprise Security Architecture using IBM Tivoli Security Solutions, SG24-6014-01, introduces the Method for Architecting Secure Solutions (MASS) as a methodology for developing a design for a security implementation. It provides a detailed example of developing a security architecture using MASS. This method provides a proven approach to creating high-quality security architectures and includes Identity Management aspects as part of the full scope.

This new infrastructure will drastically alter the network topology and the firewall configuration. But as we focus on Integrated Identity Management, our purpose is to depict the possible future WBI architecture. The WBI architecture is shown in Figure 2-8. For details on the implementation, refer to 4.2, “Technical implementation” on page 126.

The target architecture will federate the legacy systems in a single IT data center in the Central Region. The architecture permits the segregation of the data (DB2 on z/OS) and of the Identity Management zone in the Central IT Center, as well as, in the regional centers, of the systems management zones, production zones, and user corporate networks. A specific DMZ is dedicated to Internet customer access. This ensures performance and appropriate security measures for uncontrolled access. Ultimately, production and management zones in the regional centers will also be segregated by a firewall. A dedicated management zone is introduced to respond to other newly emerging problems in the area of identity management, described in the following section. This zone is located in the central IT Center.
[Figure 2-8 Entire WBI architecture. Components shown in the Central IT Center, Paris: z/OS (DB2, MQSeries), Web Portal Server, AIX, LDAP Master, LDAP replicas, Identity Management Server, Access Manager Policy Server, WebSEAL, and a management zone, separated by firewalls. Components shown in the 4 regional centers: Access Manager Proxy Policy Server, LDAP Replica, WebSEAL, a production zone and a management zone, separated by firewalls. Also shown: Internet DMZ and WBI sites (Windows Domain, Intranet). Legend: application data flow, access control flow, identity mgt flow]

2.2.5 Identity management and emerging problems

The emerging problems are related to user administration and identity management. Before we describe them in detail, we give an overview of the current user management.
