Integrated Identity Management using IBM Tivoli Security Solutions
Latest technology in access control and
identity management solutions
Holistically covers security in
e-business projects
Best practices and
experiences
Axel Bücker
Jaime Cordoba Palacios
Michael Grimwade
Loïc Guézo
Mari Heiser
Samantha Letts
Sridhar Muppidi
ibm.com/redbooks
International Technical Support Organization
Integrated Identity Management
using IBM Tivoli Security Solutions
May 2004
SG24-6054-00
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
AIX® IBM® Redbooks™
CICS® iNotes™ Tivoli Enterprise Console®
DB2 Universal Database™ Lotus Notes® Tivoli Enterprise™
DB2® Lotus® Tivoli®
Domino® MQSeries® TME®
e-business on demand™ Notes® WebSphere®
Eserver® pSeries® z/OS®
Eserver® RACF®
ibm.com® Redbooks (logo) ™
The following terms are trademarks of other companies:
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun
Microsystems, Inc. in the United States, other countries, or both.
Other company, product, and service names may be trademarks or service marks of others.
viii Integrated Identity Management using IBM Tivoli Security Solutions
Figure 1 From left, Axel, Sridhar, Samantha, Jaime, Loïc, and Michael
Axel Bücker is a Certified Consulting Software I/T Specialist at the International
Technical Support Organization, Austin Center. He writes extensively and
teaches IBM classes worldwide on areas of Software Security Architecture and
Network Computing Technologies. He holds a degree in computer science from
the University of Bremen, Germany. He has 17 years of experience in a variety of
areas related to Workstation and Systems Management, Network Computing,
and e-business solutions. Before joining the ITSO in March 2000, Axel was
working for IBM in Germany as a Senior IT Specialist in Software Security
Architecture.
Jaime Cordoba Palacios is a Certified Consulting I/T Specialist with Grupo
PISSA (IBM Business Partner), based in Mexico, D.F. He holds a degree in
electronics engineering, and a degree in Information Security from Instituto
Tecnologico y de Estudios Superiores de Monterrey, Mexico. He has five years
of experience in a variety of areas related to Systems Management, Network
Computing, and Security Solutions. His areas of expertise include IBM Tivoli
Access Manager, IBM Tivoli Risk Manager, IBM Tivoli Identity Manager, LDAP,
e-business infrastructures, and networking. He currently is involved in security
architecture design and implementation and general security consulting
engagements. He has worked on various customer projects performing network
and security assessments and architecting secure e-business infrastructures.
Michael Grimwade is a Senior IT Architect with IBM Global Services in
Australia. He has eight years of experience in delivering custom e-business
solutions to large organizations. He holds a degree in Information Technology
from the University of Queensland, Australia and has worked at IBM for six
years. His areas of expertise include e-business applications, infrastructure and
security, software architecture and design, and solution delivery methodologies.
Loïc Guézo is an I/T Security Architect in IBM Global Services. He is primarily
involved in security architecture design, implementation, and security consulting
engagements. He has three years of experience within the Security and Privacy
practice in France, and focuses on Tivoli security products. Before joining IBM he
spent nine years in different positions in banking, industrial, and health care
environments, leading IT projects, building, and managing infrastructures. Loïc
holds a degree in Computer Science from Paris XIII University and a Masters
degree in OSS - Security from Ecole Centrale Paris in France.
Mari Heiser is a senior I/T Architect with IBM in the United States, specializing in
security and network architectures. She has 19 years of experience in the I/T
industry related to networking, Web infrastructure and enterprise security
solutions. She holds a degree in Education from The Cleveland State University
as well as a degree in Electrical Engineering. Her areas of expertise include
Tivoli Access Manager, Tivoli Identity Manager, LDAP, e-business infrastructures
and networking. During the last few years, she has worked on various customer
projects performing network and security assessments and architecting secure
e-business infrastructures. She has written and edited several books relating to
the I/T industry in general and was a contributing author to the IBM Redbook,
Enterprise Security Architecture using IBM Tivoli.
Samantha Letts is an IT Specialist with IBM Australia. She holds a degree in
Commerce, majoring in Business Systems and Management, from the University
of Wollongong, Australia. She has eight years of experience with IBM Australia
software defect support. She has spent the last two years working on Tivoli
products in the security area.
Sridhar Muppidi is a Senior Security Architect working in the Tivoli division of
IBM Software Group. His area of expertise is providing secure and manageable
e-commerce solutions to enterprises and their edge systems, which includes
architecting solutions for customers, working on new product developments, and
standards work. Prior to this, Sridhar was a Security and Directory Architect in
IBM's Global Services group. Sridhar obtained his M.S. and Ph.D. from Texas
A&M University in 1992 and 1996 respectively.
Preface xi
Thanks to the following people for their contributions to this project:
Yvonne Lyon, editor
International Technical Support Organization, San Jose Center
Ted Ralston, Chris Ehrsam, Becky McKane, Scott Simmons, Robert Larson,
Weibo Yuan, Clyde Zoch, Eric Schultz, Paul Ashley, Rick McCarty, Bill Powell,
IBM US
Paul O'Mahoney, Andrew Jupp
IBM UK
Become a published author
Join us for a two- to six-week residency program! Help write an IBM Redbook
dealing with specific products or solutions, while getting hands-on experience
with leading-edge technologies. You'll team with IBM technical professionals,
Business Partners and/or customers.
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you'll develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
We want our Redbooks™ to be as helpful as possible. Send us your comments
about this or other Redbooks in one of the following ways:
Use the online Contact us review redbook form found at:
ibm.com/redbooks
Send your comments in an Internet note to:
redbook@us.ibm.com
Mail your comments to:
IBM® Corporation, International Technical Support Organization
Dept. JN9B Building 003 Internal Zip 2834
11400 Burnet Road
Austin, Texas 78758-3493
1.1 Everything is on demand today
When we discuss on demand, we are talking about a new era. Today, people are
used to getting their money, airline tickets, and a host of other things
immediately. On demand is the logical extension of this immediacy across an
enterprise — linking customers as well as suppliers. An enterprise whose
business processes are integrated end to end across the company and with key
partners, suppliers, and customers, can respond with flexibility and speed to the
customer demand, market opportunity, or threat.
On demand is not a marketing idea looking for an opportunity. On demand is a
response to the competitive challenges facing business today. Markets are
tightening, and the opportunity to reach new markets and increase profits within
current budgets sounds like a contradiction. On demand comes alive in an
industry context bringing the innovation needed to capture new value and
generate the productivity gains at a lower cost.
Things are changing — we have accelerating advances in technology, and the
business landscape is changing as well. Volatility is increasing across all areas
— from economies and stock markets to pricing pressures and competitive
threats. There is a much deeper integration of IT with the business today. IT is no
longer a back-room operation. Companies have to be able to manage in the face
of all the pressure — that means responding faster and more accurately, while
bringing down the cost of business by becoming more productive.
Figure 1-1 shows the two strategic imperatives that exist today. The first is
business innovation, and the second is improved productivity and deployment.
The overriding factors to these requirements are increased security and
resiliency.
[Figure 1-1 content, recovered from the diagram:]
Overarching: Increase Security & Resiliency
1. Innovate the business to differentiate: optimize the value net; increase business flexibility; extract greater value from data and capture new value; improve the customer experience; drive business innovation
2. Optimize today’s IT investments: make better use of resources to be more productive; improve employee productivity; streamline/simplify processes
Figure 1-1 Innovation and productivity are linked to increased security and resiliency
Core attributes of e-business on demand™ include: responsiveness, variability,
focus, and resiliency. Responsiveness is sensing and responding in real-time
based on an integrated view of customers, employees, suppliers, partners, and
competitors. Variability is utilizing variable cost structures to do business at high
levels of productivity, cost control, capital efficiency, and financial predictability.
Focus refers to concentrating on core, differentiating tasks, and being capable of
quickly evolving them, as well as leveraging competency of strategic partners to
manage selected tasks. And, e-business on demand requires resiliency,
meaning that enterprises must employ a flexible operating environment that can
manage changes and threats with consistent availability, security, and privacy.
Operating in an on-demand world requires that companies protect information
assets, confidentiality, and data integrity. It also means that steps are taken to
ensure that the IT infrastructure is reliable and available to support business
operations — integrating existing business processes within the company, and
capturing, analyzing, and utilizing information effectively to support business
decision-making. Leveraging the infrastructure means integrating existing
business applications as well, allowing for maximum utilization of existing
computing resources.
1.2 Security management methods and practices
The Internet’s eruption into everyday life as a universal form of communication
happened because of the easy and efficient sharing of information between
users worldwide. Users, for the most part, were unidentified — hidden, if you will,
in cyberspace. But as more information got pushed to the Web, it became
increasingly important for the publishers of this information to know who was
accessing it and to apply security methods to it.
Today, companies are allowing employees, suppliers, prospective and existing
customers, and business partners to access corporate information through the
Internet. As more and more enterprises utilize the ease of the Internet to provide
more services to their employees and partners, as well as customers, the need
to supply a secure and effective e-business environment with trusted user
credentials is essential.
Security management methods and practices are the elements necessary for
any solution deployment — whether it entails a network with no Internet access
or something specific for the Internet. The basic principles that affect all security
decisions are confidentiality, integrity, and availability — the CIA Triad —
which is the basic roadmap containing the goals and objectives that both policies
and systems must blend to achieve a secure solution. These three principles,
which we discuss next, are often considered the most important within the realm
of security, and no less so in an Internet enabled world.
Chapter 1. An introduction to a new reference architecture 5
1.2.1 Confidentiality
What is confidentiality?
Ensuring that information is accessible only to those authorized to have access.
The fundamental goal of any information security program is to assess what is
being protected, as well as the why and how of controlling access. Determining
confidentiality is not simply a matter of deciding whether information is secret or
not. Rather, it is the act of determining the level of access in terms of how and
where the data can be accessed. For information to be useful to the organization,
it can be classified by a degree of confidentiality.
While this book does not provide an in-depth look into the many layers of
security, it is helpful to mention that confidentiality entails other aspects of
information security, namely sensitivity, secrecy, and privacy. Moreover,
confidentiality and integrity are interwoven: without integrity,
confidentiality cannot be maintained.
1.2.2 Integrity
What is integrity?
Safeguarding the accuracy and completeness of information and processing
methods.
Integrity is the guarantee that the information has not been modified by any
unauthorized mechanism. With data being the primary information asset,
integrity provides the assurance that the data is accurate and reliable. Without
integrity, the costs associated with collecting and maintaining the data cannot be
justified.
As stated above, confidentiality and integrity are dependent on each other. Other
aspects of integrity include accuracy, authenticity, accountability, nonrepudiation,
and validity.
1.2.3 Availability
What is availability?
Ensuring that authorized users have access to information and associated
assets when required.
The principle of availability says that information is obtainable and accessible,
but it does not say that acquiring information is immediate and/or instantaneous.
What it does say is that authorized users can be granted timely and
uninterrupted access to information.
Availability is dependent on both confidentiality and integrity. Without the “C” and
“I” there is no “A”. Other areas of availability include accessibility and timeliness.
1.2.4 Areas of security implied in the CIA Triad
As you have seen, the CIA Triad covers a broad spectrum. Some of the other
areas implied and of concern are listed in the following sections.
Privacy
Privacy considers what information can be shared with others (confidentiality),
how that information can be accessed safely (integrity), and how it can be
accessed (availability).
When discussing privacy in an IT world, it can quickly become a balancing act
between individual rights and the rights of the organization. Privacy is an issue
for everyone and must be addressed within the policies, procedures, and
standards that are adopted. If not mandated to do so by law or regulation,
organizations should review the privacy needs of their own information assets or
their clients respectively.
Identification
When you examine the identity process, it actually has three distinct steps. As
the first step, identification assigns every person or asset a distinct name, for
example, user name, account name, application name, and so on.
Authentication
The second step is where we verify that the identity claimed is real and valid. The
most common form of authentication is a password that is checked against a
database and deemed correct or incorrect. Without identification, authentication
is useless. Authentication should be mutually available for all involved and
identified assets.
Authorization
This is the third step in the identification process. Once a user or process has
been identified and authenticated, their ability to access assets is authorized.
This is determined by the rights and privileges assigned to the authenticated
identity. Please note that being identified and authenticated doesn’t automatically
grant authorization.
Auditing
Auditing is the process of monitoring and logging activities that occur within the
IT system. It is not limited to authenticated and authorized users or processes,
but also covers unauthorized or abnormal activities on a system. Auditing by
definition is a passive activity, but on-demand auditing within an IT system
requires intelligent event correlation and automated response behavior.
Accountability
Accountability is the result achieved by the actual auditing of a system.
Accountability includes information about the access, such as date, time,
network address, and other information that could further identify the condition or
event.
Nonrepudiation
Nonrepudiation is the ability to ensure that the originator of a communication or
message is the true sender by guaranteeing authenticity of their digital signature.
This prevents a user from claiming not to have sent a message or performed an
action that caused an event.
1.3 Business drivers
The highly competitive nature of today’s marketplace has caused businesses to
look in many new and challenging directions to compete effectively. Doing more
with less has become the mantra of every level of management. The edicts of
open new markets and find new opportunities have made utilizing the vast
infrastructure of the Internet a sound fiscal decision. But this sound decision also
brings new challenges. As IT is challenged to do more with fewer resources,
managing identities and their access to resources throughout the enterprise is
even more difficult. Typical IT environments have many local administrators
using manual processes to implement user changes across multiple systems
and applications. As identity administration grows more costly, it can inhibit the
development and deployment of new business initiatives.
An integrated identity management solution can help you get users, systems,
and applications online and productive quickly, as well as maintaining dynamic
compliance to increase the resiliency and security of the IT environment, while
helping to reduce costs and maximize return on investment. There are four key
areas of an identity management solution:
Identity lifecycle management (user self-care, enrollment, and provisioning)
Identity control (access and privacy control, single sign-on, and auditing)
Identity federation (sharing user authentication and attribute information
between trusted applications)
Identity foundation (directory, directory integration, and workflow)
Identity management is a super-set of older user provisioning systems that
allows for the management of identity and credential information for customers,
partners, suppliers, automated processes, corporate users, and others. As the
world of e-business gains global acceptance, the traditional processes of
corporate user administration are no longer able to cope with the demands of
increased scale and scope expected from them.
As organizations come to depend upon their IT assets to a greater extent than
previously, these assets attract the attention of accounting and reporting
standards. IT data and system assets will increasingly become balance sheet
line items, and therefore be subject to different audit and compliance rules.
Organizations must be able to demonstrate due care, due diligence, improved
security, and compliance with other financial rules. We should realize that any
entity using the IT systems run by an organization must be included in the scope
of identity management if we are to have any chance of achieving these goals.
1.4 Issues affecting identity integration solutions
Undertaking an identity integration project reveals situations that aren’t always
readily apparent. Two major areas of interest when putting together an integrated
identity management approach include: enabling user access (session
management, authorization, authentication, and so on) and user lifecycle
management (user administration, provisioning, and so on). These two areas
stand at the forefront, and each area, again, has many facets of its own. We now
touch upon these briefly.
User access management is the application of security policies and procedures
across an enterprise. Each requester (users, business partners, administrators,
and so on) attempting to access a resource should provide proof of its identity. In
turn, the security policy determines whether that client is permitted to perform an
operation on a requested resource. In security systems, authorization is distinct
from authentication. Authorization determines whether an authenticated client
has the right to perform an operation on a specific resource in a secure domain.
User identity management establishes and manages the identity of the user
throughout its lifecycle. This begins with the initial creation of the user account,
modifications to the account while it is active, and subsequent removal or
disabling of the account. Integrating these activities facilitates the process for
access approval, user provisioning, identity management, and subsequent
reporting/auditing requirements or procedures.
By taking a life cycle approach to the management of the identity and specific
attention to access control from the beginning of the process, an integrated
identity management solution must have the ability to integrate with pre-existing
information sources within the enterprise, such as directories. This allows for
leveraging the existing information in data directories as well as integrating with
other information sources already available.
Integration is the key to effectively managing an individual identity and access.
This holistic lifecycle approach helps to minimize the risk to the enterprise
because it is ordered rather than fragmented. Figure 1-2 illustrates the approach.
[Figure 1-2 content, recovered from the diagram:]
Requesters: Users, Business Partners, Administrators, Other Applications
Policy: Provisioning, Password, ID, Workflow (Int. and Ext.), Service Selection, Roles, Organization, ACI
Access Management (Security Enforcement at the Proxy/Gateway, reached through the AM API): Authentication, Credential Acquisition, Authorization, Single Sign-On, Policy Enforcement, Auditing; Privacy Enforcement
Identity Management (Identity Server, reached through the IM API): Users Provisioning, Password Policy, Secure Self Help, Help Desk, Delegated Admin, Self Registration, Privacy Management, Trust Management, Provisioning to Managed Targets
Directory: LDAP or LDAP Proxy, Meta directory; User and Group lookup via JAAS, JACC, WIM
Web tier (Portal Server, App. Server, Content Server): Message security, Credential Mapping, Secure Data Access
Authoritative data: HR Data; Managed Targets: Database data, Applications
Legend: Identity management related components / Application components / Infrastructure components
Figure 1-2 Integrated identity management reference architecture
1.5 Integrated identity in the enterprise
There is often confusion regarding an integrated identity management solution.
As stated before, identity management is an all-inclusive process and policy
oriented security approach. A truly comprehensive solution requires integration
of several important technologies. Once a user has been identified (password),
they must be authenticated (their identity proven) and accountability is
established. For authorization to occur, permissions and/or roles can be
implemented to allow access to resources.
1.5.1 Access control management
Access control management generally revolves around authentication and
authorization mechanisms. These technologies help warrant that every user has
secure and convenient access to the resources they need (and only the
resources they need) to perform their work or transactions. In order to be most
effective, authentication mechanisms should be placed as close to the edge of
the enterprise network as possible. This allows for the authentication to take
place before any user can gain access to any resources located within the
enterprise production perimeter.
The authentication service has to offer different ways to verify the presented
proof of identity: user ID and password, X.509 certificate, SecurID token,
biometrics, or other means. These options again can
vary depending on the requested resource’s asset value, with stronger
mechanisms for high value assets. This flexibility should be provided within one
security solution, and the management of this security solution needs to support
both centralized and distributed security administration groups, while
maintenance of the Web applications can be done by other individual groups
applying different rules and roles.
Once a requester has been successfully authenticated, a set of related
credentials should be compiled and held available for the remainder of the online
session (within certain time-out parameters). Proper session management is
responsible for the transport and availability of the requester’s credential
information between different tiers in the IT environment, for example, proxy,
application, data, audit, and so on.
When utilizing the security technologies of access management, the overall ease
and convenience to the user is expanded by implementing single sign-on (SSO),
which enables authorized users to access multiple protected resources across
domains, while authenticating only once.
Once the authentication process is completed with user credentials and session
management context created, the authorization service gets involved.
Rule based authorization grants or denies access based on a user’s profile in
which access decisions are made in real time by policy rules. These can either
replace or complement roles. These rules can be fairly simplistic and based on
what position the user holds and what they are requesting.
Role Based Access Control (RBAC) is based on a collection of permissions that
employs job function roles to regulate access to resources. The goal is to enable
user authentication and to enforce target-based, coarse-grained or fine-grained
authorization before forwarding a user’s request along with their credentials
to any of the Web application servers. This way, the Web application developers
can stay free of maintaining any security infrastructures.
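The combination of role-based permissions and real-time policy rules described in this section, as an added example that is not part of the Redbook or of any Tivoli product. Roles, resources, the asset-value classification and the ranking of authentication mechanisms are assumptions made for the illustration:

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Ordering of authentication mechanisms from weakest to strongest (assumed ranking).
AUTH_STRENGTH: Dict[str, int] = {"password": 1, "token": 2, "x509": 3}

# Minimum authentication mechanism required per asset value (a rule, not a role).
MIN_AUTH_FOR_VALUE: Dict[str, str] = {"low": "password", "medium": "token", "high": "x509"}


@dataclass(frozen=True)
class Credential:
    """Credential compiled after authentication and held for the session."""
    user: str
    roles: FrozenSet[str]
    auth_method: str          # mechanism the user authenticated with, e.g. "password"
    department: str = ""


@dataclass(frozen=True)
class Resource:
    name: str
    asset_value: str          # "low", "medium" or "high" (assumed classification)
    owner_department: str = ""


# RBAC: job-function role -> set of (resource, operation) permissions (constructed sample).
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "employee": {("intranet", "read")},
    "payroll_clerk": {("intranet", "read"), ("payroll", "read"), ("payroll", "write")},
    "auditor": {("intranet", "read"), ("payroll", "read"), ("auditlog", "read")},
}

# A rule returns None to pass, or a reason string to deny.
Rule = Callable[[Credential, Resource, str], Optional[str]]


def rule_strong_auth_for_high_value(cred: Credential, res: Resource, op: str) -> Optional[str]:
    """Deny when the session was authenticated too weakly for the asset value."""
    needed = MIN_AUTH_FOR_VALUE[res.asset_value]
    if AUTH_STRENGTH[cred.auth_method] < AUTH_STRENGTH[needed]:
        return f"{res.name} requires {needed} authentication or stronger"
    return None


def rule_write_only_in_owning_department(cred: Credential, res: Resource, op: str) -> Optional[str]:
    """Writes to a department-owned resource require membership of that department."""
    if op == "write" and res.owner_department and cred.department != res.owner_department:
        return f"write to {res.name} is restricted to {res.owner_department}"
    return None


RULES: List[Rule] = [rule_strong_auth_for_high_value, rule_write_only_in_owning_department]


def role_permits(cred: Credential, res: Resource, op: str) -> bool:
    """Coarse-grained RBAC check: does any of the requester's roles grant (resource, op)?"""
    return any((res.name, op) in ROLE_PERMISSIONS.get(role, set()) for role in cred.roles)


def authorize(cred: Credential, res: Resource, op: str, rules: List[Rule] = RULES) -> Tuple[bool, str]:
    """Decide a request and return the reason, so the decision can be audited.

    Roles are evaluated first; rules then run in real time against the
    session credential and can deny a request the roles would have allowed.
    """
    if not role_permits(cred, res, op):
        return False, "no role grants this permission"
    for rule in rules:
        reason = rule(cred, res, op)
        if reason is not None:
            return False, reason
    return True, "permitted by role; all rules satisfied"


if __name__ == "__main__":
    payroll = Resource("payroll", "high", owner_department="finance")
    clerk = Credential("alice", frozenset({"payroll_clerk"}), "password", "finance")
    print(authorize(clerk, payroll, "read"))  # denied: password is too weak for a high-value asset
```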
1.5.2 Identity and credential management
Identity and credential management establishes and manages the identity of the
user throughout the lifecycle of that identity. This begins from the initial
provisioning of the user’s identity — including the defining of access rights and
following a logical workflow to complete the process. Identity management uses
policies to define access rules to resources that the user requires to complete
their jobs and fulfill their roles. Using policies to manage identities provides
consistent and automated updating of identities as users move between
departments and positions in the organization.
Access approval, user provisioning, and compliance reporting are extremely
important for managing the integrated identity. Processes for approvals must be
followed to ensure that access rights are appropriate for each user in question.
When reprovisioning the users, there is a logical flow and sequence of steps that
must tie into the non-IT segments of the workflow.
One example is to periodically validate that personnel are still valid and
authorized users. This ensures the security of accounts by eliminating those
accounts of personnel who no longer work for the company or whose
responsibilities have changed. Another example is to frequently check the active
user accounts and access permissions and cross-reference them to the existing
provisioning policies for users and roles. This ensures that users only have
access to systems they are entitled to. Any access rights manually granted
without proper policy-based indication (for example, by your friendly
administrator) can be automatically revoked and audited.
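The two periodic checks just described, validating that account owners are still employed and cross-referencing live entitlements against provisioning policy, as an added example that is not part of the Redbook or of any Tivoli product. The HR feed, policy, target account lists and function names are constructed for the illustration:

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# HR feed, the authoritative source: user -> (currently employed?, job role).  Constructed sample.
HR: Dict[str, Tuple[bool, str]] = {
    "alice": (True, "payroll_clerk"),
    "bob": (True, "auditor"),
    "carol": (False, "payroll_clerk"),   # has left the company; her accounts should be gone
}

# Provisioning policy: job role -> {managed target: entitlements the role may hold}.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "payroll_clerk": {"hr_db": {"read", "write"}, "intranet": {"read"}},
    "auditor": {"hr_db": {"read"}, "intranet": {"read"}, "auditlog": {"read"}},
}

# Accounts as actually reported by each managed target.  Constructed sample.
TARGET_ACCOUNTS: Dict[str, Dict[str, Set[str]]] = {
    "hr_db": {"alice": {"read", "write"}, "bob": {"read", "write"}, "carol": {"read"}},
    "intranet": {"alice": {"read"}, "bob": {"read"}},
    "auditlog": {"bob": {"read"}, "alice": {"read"}},   # alice's read was granted by hand
}


@dataclass(frozen=True)
class Finding:
    user: str
    target: str
    kind: str          # "orphan": owner no longer employed; "unjustified": no policy basis
    entitlement: str


def reconcile(hr, policy, targets) -> List[Finding]:
    """Cross-reference every target account against HR status and policy.

    A user missing from HR is treated like a departed one: an account with no
    authoritative identity behind it is an orphan.
    """
    findings: List[Finding] = []
    for target, accounts in sorted(targets.items()):
        for user, entitlements in sorted(accounts.items()):
            employed, role = hr.get(user, (False, ""))
            if not employed:
                findings.extend(Finding(user, target, "orphan", e) for e in sorted(entitlements))
                continue
            allowed = policy.get(role, {}).get(target, set())
            findings.extend(Finding(user, target, "unjustified", e) for e in sorted(entitlements - allowed))
    return findings


def revocation_plan(findings) -> Dict[Tuple[str, str], Set[str]]:
    """Group findings into the entitlements to remove per (user, target)."""
    plan: Dict[Tuple[str, str], Set[str]] = {}
    for f in findings:
        plan.setdefault((f.user, f.target), set()).add(f.entitlement)
    return plan


def audit_records(findings) -> List[str]:
    """One audit-trail line per revocation, stating who, where and why."""
    return [f"REVOKE user={f.user} target={f.target} entitlement={f.entitlement} reason={f.kind}"
            for f in findings]


if __name__ == "__main__":
    for line in audit_records(reconcile(HR, POLICY, TARGET_ACCOUNTS)):
        print(line)
```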
Integrated identity management also enforces access control across the
extended enterprise. By using the identity information and combining it with
policies to enforce access, greater consistency exists across the enterprise. If
the access rights are enforced by policy and are based on specific information in
the identity data, the need is removed for explicit access definitions. This allows
for a more consistent and centralized approach to managing the enterprise.
By taking the policy based access approach, you manage information privacy
and adhere to regulatory or corporate requirements in an integrated and
automated fashion — having the ability to specifically identify the information that
must be kept private and safeguarding that privacy.
1.5.3 Audit management
Audit management is a crucial part of any solution. Unfortunately, many
organizations learn this the hard way—after a security event has occurred. As
part of the integrated identity solution, planning what events need to be audited
or monitored and to what level is a crucial step.
Auditing and monitoring are the foundation to sustaining accountability. The
National Computer Security Center (NCSC) has approved the following
definition: “An audit trail is a chronological record of system activities that is
sufficient to enable the reconstruction, reviewing, and examination of the
sequence of environments and activities surrounding or leading to an operation,
a procedure or an event in a transaction from its inception to its final results.”[1]
With this definition in mind, the necessary requirements for tracking various
activities should be carefully planned and agreed upon to minimize disruptions to
the business process. This includes both internal as well as external access to
resources. Logging events such as unauthorized or abnormal activities,
attempted intrusions and systems failures helps to reconstruct the events that
occur and provide evidence for legal purposes and analysis reports to track and
correct vulnerabilities.
Unfortunately, when logging is used to monitor a system or events, so much data
is collected that important information can and does get buried. Being able to sort
through the data and reduce it to something usable is an art that requires
attention to detail. Tools are available to record and report on events and should
be employed to reduce the volume of information gathered into a usable and
understandable format.
Key points to observe in building an audit system include these:
Management should agree with the audit requirements.
The scope of audit/monitoring should be agreed to and controlled.
Logs should be read-only and access to them limited to read-only.
Necessary resources for performing the checks should be identified and
made available.
The need for special or additional resources should be identified and agreed
upon.
All procedures, requirements and responsibilities should be documented.
1 National Computer Security Center, Glossary of Computer Security Terms, NCSC-TG-004-88, October 1988
Chapter 1. An introduction to a new reference architecture 13
The key objective in any audit environment should be to maximize the
effectiveness of the system and to minimize interference not only to the system,
but the audit process itself. That means protection of the tools and records as
well as the IT systems involved.
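The two requirements above that a tool can actually enforce are that records must not be altered after the fact and that the volume of events must be reduced to something a reviewer can act on. The following is an added example, not code from the Redbook or from IBM: a hash-chained audit trail in which every record carries the SHA-256 of its predecessor, so that any later edit or deletion of a record breaks the chain on verification, plus a small reduction report over the recorded events. The event names, actors and sample events are constructed for illustration; read-only access to the log files is still required, the chain only makes modification detectable.

```python
"""Tamper-evident audit trail with a reduction report (added example).

Each record stores the SHA-256 over (previous hash + canonical record), so a
verifier walking the chain finds the first record that no longer matches.
Actors, actions and events below are constructed sample data.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self._entries = []  # list of {"record": dict, "hash": str}

    def append(self, actor, action, target, outcome, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        record = {"ts": ts, "actor": actor, "action": action,
                  "target": target, "outcome": outcome}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        self._entries.append({"record": record, "hash": _digest(prev, record)})
        return len(self._entries) - 1

    def verify(self):
        """Return the index of the first broken link, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            if _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def records(self):
        return [e["record"] for e in self._entries]

    def simulate_modification(self, idx, **changes):
        # Only here to show that verify() catches an after-the-fact edit
        self._entries[idx]["record"].update(changes)


def reduce_report(records):
    """Collapse raw events into the counts a reviewer wants first."""
    failures = [r for r in records if r["outcome"] != "success"]
    return {
        "total": len(records),
        "failures": len(failures),
        "failures_by_actor": dict(Counter(r["actor"] for r in failures)),
        "actions": dict(Counter(r["action"] for r in records)),
    }


def demo():
    trail = AuditTrail()
    sample = [  # constructed sample events
        ("alice", "login", "portal", "success"),
        ("mallory", "login", "portal", "failure"),
        ("mallory", "login", "portal", "failure"),
        ("alice", "read", "/accounts/1234", "success"),
        ("bob", "delete", "/accounts/1234", "denied"),
    ]
    for actor, action, target, outcome in sample:
        trail.append(actor, action, target, outcome,
                     ts="2004-05-01T00:00:00+00:00")
    intact = trail.verify()                 # None: chain is consistent
    report = reduce_report(trail.records())
    trail.simulate_modification(1, outcome="success")
    broken_at = trail.verify()              # 1: first record that no longer matches
    return intact, report, broken_at


if __name__ == "__main__":
    print(demo())
```

The chain anchors each record to everything before it, so a record cannot be rewritten or dropped without the verifier noticing at that index; periodically copying the latest hash to a separate system turns this into a check that the whole log, not just its interior, is unchanged.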
1.5.4 Directory management
Increasingly, enterprises are seeking to improve operational efficiencies and
expand their businesses by opening their internal systems to a broader
community of their systems, employees, customers, and suppliers. A consistent
and reliable identity infrastructure enables enterprises to expose their internal
processes to their supply chain, their customers, and to the growing mass of
automated machine-to-machine transactions. A common identity repository is a
key enabler for security and application infrastructure in an enterprise.
A centralized repository is meant to consolidate all user and resource definitions
into only one data source. Most companies, while expanding their business, also
increase the number of applications and platforms, usually each one with its own
format and place for defining the enabled users. The final result is that user
credentials are stored in a number of different and disjointed places. This means
that the same person might have different un-synchronized accounts for different
applications. In large companies the number of these accounts may reach
double or even triple digit numbers. This situation presents a number of
problems, including:
High costs for user management: Expenses increase proportionally to the
number of repositories.
Security: Policies, standards, and guidelines cannot be enforced consistently
across the enterprise.
Data integrity: Inconsistent information is possible across the enterprise.
Risks: There are higher risks related to human errors, malicious attacks, and
system failures.
Growth: Availability and scalability of the systems
These problems can be faced and mostly solved by consolidating the disjointed
data sources in only one manageable, available, and scalable repository. This is
one of the basic concepts to implement an integrated identity solution. Managing
and consolidating information allows for the definition of an authoritative source
of user identities, and to establish clear and uniform processes to manage user
definitions.
1.5.5 Privacy management
Webster’s defines privacy as “the quality or state of being apart from company or
observation”. In an IT world, privacy is the right of an individual to decide when,
how, and to what extent information about them is communicated to others.
When an individual gives their private data to an enterprise, the enterprise should
consider itself the custodian of the data, and let the individual, as the owner of
the data, decide how it should be used.
Why consider privacy in an integrated identity project? If security is the protection
of information, privacy is the act of complying with how the individual wants that
information distributed. An example of this would be: A department within an
enterprise has customers that have consented to receiving e-mail updates.
Does this mean that you can send them e-mail about products from other
departments? Are you allowed to share their information with other departments
or business partners? Without policies governing these situations and governing
what information may be shared, there is no clear-cut answer to either question.
Formulating an enterprise privacy strategy is imperative in today’s global
corporation. There are a number of risks faced if a privacy policy is not enforced.
The risks include but are not limited to the following situations:
Erosion of Reputation and/or Brand: Privacy violation is being reported as
one of the key inhibitors to the growth of on-line business. Business
relationships are built on trust. Organizations that demonstrate good privacy
practices can build trust and grow their business. Organizations with poor
privacy practices alienate their customers.
Legislative Reproof: In response to various privacy violations and consumer
complaints, many countries have enacted legislation to protect privacy. The
core of the legislation is generally based on the Organisation for Economic
Co-operation and Development (OECD) privacy guideline (http://www.oecd.org).
When many of the current member countries were first considering privacy
legislation, the OECD was concerned that the creation of so diverse and
disparate privacy regulations would impede the flow of information between
countries. Actual enactment of the legislation has varied significantly. In the
EU, Canada, and Australia, regulations that cross industry sectors have been
enacted. The United States has taken a sectoral approach, enacting separate
regulations for health care, finance, and protection of children’s data. Asia, as
a whole, is not as far along in the creation or implementation of guidelines.
The notable exceptions to this are Japan, Hong Kong, and Taiwan.
Lawsuits: Lawsuits against organizations that violate privacy regulations or
promises are becoming more common. A quick search of the United States
Federal Trade Commission (FTC) Web site, for example, will find a number of
companies that have both been charged by the FTC on privacy violations and
that are under a class action lawsuit from their customers.
Unfortunately, up until quite recently, there have not been any software tools
available for privacy policy enforcement. Enterprises have had two choices:
Do nothing and pray that they don’t violate too many regulations and they don’t
annoy too many of their customers. Or, try to implement their privacy policy
across their application environment. This usually means coding privacy policy
into applications.
Enterprises are finding that implementing a privacy policy across their application
environment is a daunting task. Each application that accesses private data has
to be enhanced to include the privacy policy. This is an expensive and slow
process. With an integrated identity approach, policies and guidelines may be
implemented across the board, thus offering less confusion and greater control.
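The alternative to coding the privacy rule into every application is a single decision point that every application asks. The following is an added example, not code from the Redbook or from IBM: consent is recorded per customer as a set of purpose grants, each bound to the department that collected it, and the e-mail question raised above ("may another department use this consent?") is answered by one function with a deny-by-default outcome. Customers, departments, purposes and the partner-sharing flag are constructed for illustration.

```python
"""Central privacy-policy decision point (added example).

Consent records are kept with the identity, not inside each application.
Customers, departments and purposes below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Consent:
    purpose: str                  # e.g. "email_updates"
    granted_to: str               # department that collected it, or "*" for any
    share_with_partners: bool = False


@dataclass
class CustomerRecord:
    customer_id: str
    consents: set = field(default_factory=set)


class PrivacyPolicy:
    def __init__(self, records):
        self._records = {r.customer_id: r for r in records}

    def decide(self, customer_id, purpose, requester, is_partner=False):
        """Return (allowed, reason). Default is deny: no matching consent, no use."""
        rec = self._records.get(customer_id)
        if rec is None:
            return False, "unknown customer"
        for c in rec.consents:
            if c.purpose != purpose:
                continue
            if is_partner and not c.share_with_partners:
                continue  # consent exists but does not extend to partners
            if c.granted_to in ("*", requester):
                return True, f"consent for {c.purpose} granted to {c.granted_to}"
        return False, f"no consent covers purpose={purpose} for {requester}"


def build_demo_policy():
    # c-001 consented to e-mail updates from the cards department only;
    # c-002 consented to e-mail updates from any department, partners included.
    return PrivacyPolicy([
        CustomerRecord("c-001", {Consent("email_updates", "cards")}),
        CustomerRecord("c-002", {Consent("email_updates", "*",
                                         share_with_partners=True)}),
    ])


if __name__ == "__main__":
    policy = build_demo_policy()
    for args in [("c-001", "email_updates", "cards"),
                 ("c-001", "email_updates", "trading")]:
        print(args, policy.decide(*args))
```

Because the department that collected the consent is part of the record, the trading department's request for c-001 is refused even though "e-mail updates" consent exists; changing that rule is a change to one policy object, not to every application that sends mail.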
1.6 Conclusion
Clearly, many obstacles exist, but there are best practices that organizations can
follow to mitigate risk, optimize investment, and achieve results, and ultimately
balance user experience with greater productivity and cost savings, allied to
increased IT security. An integrated identity solution offers a method of
overcoming the obstacles and offering a greater return on investment from the
enterprise by consolidating resources and utilizing them effectively.
The introduced reference architecture for integrated identity management should
be regarded as a measurement for optimized integration where all identity
management related components should fully leverage and utilize one and the
same infrastructure (see Figure 1-2 on page 10).
2.1 Company profile
What Bank International (WBI) is one of the financial institutions established
throughout the continental United States and Europe. It has been in business for
more than 30 years and now operates over 10 sites, providing common financial
services, such as account management, credit card supply, and cash checking,
as well as trading or other specialized services for high value customers.
The following sections describe:
The geographic distribution of WBI
The company organization
HR and personnel procedures
Note: The following sections describe the company information relevant to our
context and are not intended to be a complete description of the company.
2.1.1 Geographic distribution of WBI
WBI sites are distributed through the continental United States and western
Europe. The corporate head office is located in London, UK.
WBI further operates the following four regional centers:
RU Regional center Europe (London, UK) and the peripheral IT data center
RW Regional center West (San Francisco, California)
RC Regional center Central (Paris, Texas) and the central IT data center
RE Regional center East (New York, New York)
These regional centers service the basic IT needs of the sites in their respective
region (including first-level user support and user administration). They also
provide Customer Service Center services for the region (such as on-line
account information or trading operations).
The corporate IT staff is located in Paris, Texas, within the US IT data center
(which contains the core IT infrastructure). Members of this team are developers,
engineers, and project managers for the corporate information systems.
A second, historical, IT data center is located in London, UK, due to a merger in
the early 1990s.
The other WBI sites are distributed throughout the regions.
The geographic distribution of WBI is shown in Figure 2-1 for the continental US
division and in Figure 2-2 for the European division.
Figure 2-1 Geographic distribution of WBI sites for the continental US (sites
shown: New York (Customer Service & Regional Center East), Seattle, Detroit,
San Francisco (Customer Service & Regional Center West), Denver, St Louis,
Raleigh, Paris, TX (Customer Service & Regional Center Central; IT Center),
Los Angeles)
Chapter 2. What Bank International 19
Figure 2-2 Geographic distribution of WBI sites for the European division (sites
shown: London, UK (Customer Service & Regional Center Europe; IT Center),
Paris, Rome)
2.1.2 Organization of WBI
The company is split into five key areas: the four regions and a core services
department, as depicted in Figure 2-3.
Figure 2-3 Key areas for WBI company (Executive, above Region West, Region
Central, Region East, Region Europe, and Core Services)
Each of the regions is responsible for the operations within that region, customer
service, and staffing. All the regions have the same structure. The organization
chart for Region West is shown in Figure 2-4.
Figure 2-4 Organization chart for Region West (units shown: Region West;
Banking; IT; Customer Services Center; Card Services; Account Services;
Broker Services; Tech Support; HelpDesk; HR; Seattle CSC; Los Angeles)
The core services department acts on a company-wide scale. Core Services
include support services for the IT data centers (development, applications Help
Desk, and systems administration), HR, sales, and finance. The organization
chart for Core Services is shown in Figure 2-5.
Figure 2-5 Core Services organization chart (units shown: Core Services; Sales;
Support; Finance; Partners; Marketing; HR; IT Data Center; Accts; BO; Trade;
GA; Systems; HelpDesk; IT Dev)
2.1.3 HR and personnel procedures
Personnel is managed locally within each region for the regions, and by the Core
Services HR team in Paris for all Core Services staff.
The following procedures apply to personnel management today:
When a new employee joins the company, the employee is added to the
authoritative HR system. An e-mail is sent to the new employee’s manager
indicating when the person is starting to work and giving their HR details. The
manager determines what types of access each person needs and sends
e-mails to the appropriate support teams to create accounts on the systems
(for example, the LAN team creates the NT domain account, and the
back-office application teams create the intranet application accounts as well
as z/OS® RACF® if needed). When access is granted, an e-mail is sent back
to the user’s e-mail account giving account details, including passwords. As
the support teams are small, there are often delays of a few days when
creating each account.
When an employee requires additional resource access, the request has to
be approved by their manager, who then involves the appropriate support
team, via e-mail, to execute the request. As with new accounts, the support
teams grant the additional access.
When employees forget a password, or have an account locked due to invalid
passwords, they have to call the help desk (either at the regional or central
level). The help desk can reset NT (LAN) and z/OS RACF passwords and
accounts, but some specific application resets need to be referred to the
respective support team.
When employees leave the company, they are removed from HR, and
normally their set of accounts is deleted. However, this is not applied
consistently, and there are no control mechanisms in place to ensure proper
removal or inactivation.
Each employee has a jobcode to describe the job role. Some of these are
common across the regions, such as Manager and CSC operator. Some jobs
are specific to a team, such as Intranet application administrator. These job
roles and jobcodes are managed by the central HR team. They rarely change.
When new employees join the company, there is some manual provisioning that
must be performed, such as real estate set aside for them, including desk
locations, phone connection, and filing cabinets. This is normally carried out by
the new employee manager sending an e-mail to the local office manager, who
arranges everything.
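The leaver procedure above has no control that confirms accounts were actually removed, and the directory discussion earlier makes the HR system the authoritative source of identities. The following is an added example, not code from the Redbook or from IBM, of the control a practitioner would run against that situation: reconcile each system's account list against the HR feed and report orphan accounts (owner has left), accounts that map to no known employee, and active employees who lack an account their job code entitles them to. The job code entitlement table, the system names, the account-to-employee link table and the sample staff are constructed; in practice the link table comes from whatever naming convention or attribute each system uses to record the owner.

```python
"""Reconcile per-system accounts against the authoritative HR feed (added example).

HR is the source of truth for who exists and whether they are still employed;
each target system (NT domain, RACF, intranet application) keeps its own
account list under its own naming convention. Sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    jobcode: str
    status: str  # "active" or "left"


# Systems each job code is entitled to (constructed policy table, not WBI's)
ENTITLEMENTS = {
    "MGR": {"nt", "racf", "intranet"},
    "CSC": {"nt", "intranet"},
    "APPADM": {"nt", "intranet"},
}


def reconcile(hr, accounts, link):
    """hr: list of Employee; accounts: {system: set of account ids};
    link: {system: {account id: emp_id}} recording each account's owner.
    Returns findings keyed by category, in deterministic order."""
    by_id = {e.emp_id: e for e in hr}
    findings = {"orphan": [], "unmapped": [], "missing": []}

    # Pass 1: every existing account must belong to a current employee
    for system, accts in accounts.items():
        for acct in sorted(accts):
            owner = link.get(system, {}).get(acct)
            if owner is None or owner not in by_id:
                findings["unmapped"].append((system, acct))
            elif by_id[owner].status == "left":
                findings["orphan"].append((system, acct, owner))

    # Pass 2: every active employee must have the accounts their role needs
    for e in hr:
        if e.status != "active":
            continue
        for system in sorted(ENTITLEMENTS.get(e.jobcode, set())):
            owned = {a for a, o in link.get(system, {}).items() if o == e.emp_id}
            if not owned & accounts.get(system, set()):
                findings["missing"].append((system, e.emp_id))
    return findings


def demo():
    hr = [Employee("E1", "Alice", "MGR", "active"),
          Employee("E2", "Bob", "CSC", "left"),      # left, accounts never removed
          Employee("E3", "Carol", "CSC", "active")]  # joined, intranet account pending
    accounts = {"nt": {"WBI\\alice", "WBI\\bob", "WBI\\carol", "WBI\\svc_old"},
                "racf": {"ALICE01"},
                "intranet": {"alice", "bob"}}
    link = {"nt": {"WBI\\alice": "E1", "WBI\\bob": "E2", "WBI\\carol": "E3"},
            "racf": {"ALICE01": "E1"},
            "intranet": {"alice": "E1", "bob": "E2"}}
    return reconcile(hr, accounts, link)


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
```

Run on a schedule, the orphan list is the missing control for leavers, the unmapped list surfaces accounts nobody owns (service accounts that were never registered, or identities created outside the process), and the missing list shows where the manual e-mail-driven provisioning has not caught up.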
2.2 Current IT architecture
In this section, we describe the current IT environment at WBI. We cover:
An overview of the WBI network
The recently implemented e-business initiative
The security infrastructure deployed for the e-business initiative
The secured e-business initiative architecture
Identity management and emerging problems
2.2.1 Overview of the WBI network
WBI’s central IT data center has implemented a back-end datastore, which is
based on DB2® running on z/OS. They are using an MQSeries® infrastructure for
asynchronous transactions between the central IT data center, the CSCs, and the
European and regional data centers.
WBI uses Lotus® iNotes™ as an e-mail system. This application is available for
each employee.
High-level network diagrams of WBI’s network are shown in Figure 2-6 (for the
continental United States) and Figure 2-7 (for Europe).
Figure 2-6 High-level network diagram for the continental United States (sites
shown: New York, Seattle, Detroit, San Francisco, Denver, St Louis, Raleigh,
Los Angeles, Paris, TX IT Center; links shown: T3 (45Mbps) and T1 (1.54Mbps)
site links, T3 (45Mbps) to the Internet, T3 (45Mbps) to Europe)
All external access to the WBI network is channelled through the firewalls and
routers in Paris.
Corporate access to the Internet is provided through a secure and highly
available Internet Access Point, managed by the IT Center.
All links are leased from a telecommunication operator. This service provider
ensures reliability and redundancy as agreed in the service level agreement.
Figure 2-7 High-level network diagram for the European division (sites shown:
London, UK IT Center, Paris, Rome; link shown: T3 (45Mbps) to Central)
Internet access for European employees is provided by the IT data center in
region Central, through the corporate Internet Access Point.
The applications and infrastructure used in Europe are similar to those in the US.
They are planned to be standardized globally in the future.
2.2.2 Recently implemented e-business initiative
Most of the business applications have been migrated to an e-business
environment, and at least Web based access interfaces are provided to nearly all
back-end applications. The implementation is based on a WebSphere® Portal
and WebSphere Application Server (J2EE applications) solution.
The communication with the back-end databases and applications leverages the
high-speed network connectivity described previously.
The implementation of IBM Tivoli Access Manager was the first important step
for improving security, and for providing an access control infrastructure that is
independent of the application layer.
The targeted Integrated Identity Management Solution has to provision accounts
to operating systems (Windows® NT and 2000, AIX®, and z/OS), LDAP, the
e-mail system, the portal applications, and the IBM Tivoli Access Manager
components, while adhering to existing security policies and procedures.
2.2.3 Security infrastructure deployed for the e-business initiative
In the past, WBI experienced many unauthorized access attempts to critical
business data.
This is why WBI has decided to use a centralized access control mechanism.
This mechanism enforces authentication and authorization of users before they
actually access the applications and related data via their Web browsers.
This solution is based on IBM Tivoli Access Manager for e-business and uses
the WebSEAL component to enforce access control.
A typical user access looks like this:
1. The user logs on to the Windows domain specifying their Windows user ID
and password.
2. The user starts their Web browser and then accesses a portal page for
applications. Because WBI has decided to use the SPNEGO1 Windows SSO
mechanism, users have no need to log on to the corporate portal. The
presented Kerberos credential is used for access control decisions by
WebSEAL in the regional center the site belongs to.
1 SPNEGO stands for Security Provider NEGOtiation authentication protocol. For more information
on Tivoli Access Manager for e-business SPNEGO support, consult the IBM Tivoli Access Manager
WebSEAL Administrator’s Guide Version 5.1, SC32-1359.
3. WebSEAL accepts or denies the login. WebSEAL works as a reverse-proxy
between the user’s Web browser and the application hosting Web server,
controlling whether a user can access the requested resource or not.
WebSEAL’s access control decisions are based on the information maintained
within the Access Manager Policy Server and an LDAP repository. The Policy
Server stores access control information used by WebSEAL, and other Access
Manager authorization services, in an authorization database, which is
distributed as a database replica to all defined WebSEAL and other authorization
servers. Dialogs between WebSEAL and the Policy Server components are
implemented using an Access Manager Proxy Policy Server component.
The LDAP server stores the user credential information assessed at the time of
the user’s login. For each region, a Proxy Policy Server is located in the Regional
Center management zone, and WebSEAL and LDAP replica servers are made
available in a specific production zone to each regional center. The LDAP master
and the Access Manager Policy Server are located in the management zone in the
central IT center in Paris, TX. An overview of where the components are placed
within the overall architecture can be found in Figure 2-8 on page 28.
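The access flow just described has two properties worth seeing in code: the proxy in front of the web servers makes the permit/deny decision itself, and it does so from a replica of the policy database rather than by calling the central policy server per request. The following is an added example, not IBM's code and not WebSEAL's actual data structures: a policy server holds access control lists attached to paths in a protected-object tree and hands out versioned replicas; a reverse proxy authorizes requests against its local replica. It assumes that an ACL attached to a path governs everything beneath it until a closer ACL overrides it (the walk-up-the-tree logic below), and the groups, paths and permission letters are constructed.

```python
"""Reverse-proxy authorization against a replicated policy database (added example).

Master ACLs live on the policy server; each proxy gets a snapshot and decides
locally. Paths, groups and permission letters are constructed sample data.
"""
import copy

READ = "r"
WRITE = "w"


class PolicyServer:
    """Master copy: ACLs keyed by object path, each entry group -> permissions."""

    def __init__(self):
        self.version = 0
        self._acls = {}

    def attach(self, path, acl):
        self._acls[path] = dict(acl)
        self.version += 1

    def replica(self):
        # What is pushed to each proxy: an independent copy plus its version
        return self.version, copy.deepcopy(self._acls)


class ReverseProxy:
    """Authorization point in front of the web servers (the WebSEAL role here)."""

    def __init__(self, replica):
        self.version, self._acls = replica

    def _effective_acl(self, path):
        # Assumption: the nearest ACL on the way up to the root applies
        node = path.rstrip("/") or "/"
        while True:
            if node in self._acls:
                return self._acls[node]
            if node == "/":
                return {}            # nothing attached anywhere: deny all
            node = node.rsplit("/", 1)[0] or "/"

    def authorize(self, groups, permission, path):
        acl = self._effective_acl(path)
        allowed = set()
        for g in groups:
            allowed |= set(acl.get(g, ""))
        return permission in allowed


def demo():
    master = PolicyServer()
    master.attach("/", {"employees": READ})
    master.attach("/accounts", {"tellers": READ + WRITE, "managers": READ + WRITE})
    master.attach("/accounts/reports", {"managers": READ})
    proxy = ReverseProxy(master.replica())   # a regional proxy receives a replica

    teller = {"employees", "tellers"}
    results = {
        "teller_reads_account": proxy.authorize(teller, READ, "/accounts/1234"),
        "teller_writes_account": proxy.authorize(teller, WRITE, "/accounts/1234"),
        "teller_reads_report": proxy.authorize(teller, READ, "/accounts/reports/q1"),
        "employee_reads_portal": proxy.authorize({"employees"}, READ, "/portal/home"),
        "employee_reads_account": proxy.authorize({"employees"}, READ, "/accounts/1234"),
    }
    # A change on the master is invisible to the proxy until it is re-replicated
    master.attach("/accounts/reports", {"managers": READ, "tellers": READ})
    results["stale_replica"] = proxy.version != master.version
    results["after_refresh"] = ReverseProxy(master.replica()).authorize(
        teller, READ, "/accounts/reports/q1")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The stale-replica step is the operational point of the design: decisions keep being made during a policy server outage, at the price that a revocation takes effect only once every proxy has received the new version, so replica version monitoring belongs in the management zone alongside the policy server.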
Today, only the Web applications are secured by WebSEAL using Web user
accounts, but there are other types of accounts necessary to run standard
operations, such as Windows NT® and 2000, AIX, and z/OS. These accounts
can only rely on the native operating system security. That is why WBI puts the
employees under an obligation to follow additional security policies to strengthen
the levels of security, such as periodical password changes, and other password
policies for all types of accounts. They are looking to add Tivoli Access Manager
for Operating Systems into their security infrastructure at a later point in time.
At the time of implementing this security solution, WBI has started to provide new
Web based customer services (balance of a customer’s account, personal
trading operations, special campaign information, and so on) via the Internet. A
customer’s access to their data is controlled by WebSEAL also.
Note: If you want to find out more about the different base components
involved in the initial WBI rollout, please refer to the redbook Enterprise
Security Architecture using IBM Tivoli Security Solutions, SG24-6014-01.
2.2.4 Secured e-business initiative architecture
The overall IT architecture is being impacted by the new e-business
infrastructure and by other organizational changes. For the mid-term future it has
been decided to close the European IT data center and to apply best practices
and methodology for architecting a secure infrastructure by segregating assets
into different Level of Trust zones.
Note: The redbook, Enterprise Security Architecture using IBM Tivoli Security
Solutions, SG24-6014-01, introduces the Method for Architecting Secure
Solutions (MASS) as a methodology for developing a design for a security
implementation. It provides a detailed example of developing a security
architecture using MASS. This method provides a proven approach to
creating high-quality security architectures and includes Identity Management
aspects as part of the full scope.
This new infrastructure will drastically alter the network topology and firewall
configuration. But as we focus on Integrated Identity Management, our purpose
is to depict the possible future WBI architecture. The WBI architecture is shown
in Figure 2-8. For details on the implementation, refer to 4.2, “Technical
implementation” on page 126.
The target architecture will federate legacy systems in only one IT data center in
the Central Region. The architecture permits the segregation of the data (DB2 on
z/OS) and the Identity Management zone in the Central IT Center as well as in
regional centers, for systems management zones, production zones, and user
corporate networks.
A specific DMZ is dedicated to Internet customer access. This ensures
performance and appropriate security measures for uncontrolled access.
Ultimately, production and management zones in the regional centers will also be
segregated by a firewall.
A dedicated management zone is introduced to respond to other new emerging
problems in the area of identity management, described in the following section.
This zone is located in the central IT Center.
Figure 2-8 Entire WBI architecture (components shown: Central IT Center, Paris,
with z/OS (DB2, MQSeries), AIX Web Portal Server, LDAP master, Identity
Management Server, Access Manager Policy Server, LDAP replicas and WebSEAL,
the latter in a Management zone, all separated by firewalls; the 4 Regional
centers, each with a Production Zone (WebSEAL, LDAP Replica) and a Management
Zone (Access Manager Proxy Policy Server) behind firewalls; an Internet DMZ;
WBI sites (Windows Domain, Intranet); legend: application data flow, access
control flow, Identity mgt flow)
2.2.5 Identity management and emerging problems
Emerging problems are related to user administration and identity management.
Before we describe the emerging problems in detail, we give an overview of the
current user management.