Identity Management for the 21st Century IT Mission
The 21st century mission is dependent on providing secure and agile access to information across an increasing range of stakeholders, both internal and external to your agency. This comes amidst evolving IT missions, budget challenges, a complete IT compliance landscape and an increased need for rapidly deployable and flexible solutions.

This webinar explores integrated identity management solutions and real life use case examples.

Presented By
• Stephanie McVitty - Account Manager, Compsec
• Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
• Jim Rice - Vice President of Federal, Layer 7
• Dieter Schuller - VP of Sales, Radiant Logic
• Phil McQuitty - Director of Systems Engineering, Sailpoint
• Gerry Gebel - President, Axiomatics Americas

Published in: Technology
Identity Management for the 21st Century IT Mission

  1. Identity Management for the 21st Century IT Mission
     Presented By:
     • Paul Grassi: VP of Federal Programs, Sila Solutions Group
     • Jim Rice: VP of Federal, Layer 7
     • Dieter Schuller: VP of Business Development, Radiant Logic
     • Gerry Gebel: President, Axiomatics Americas
     • Phil McQuitty: Director of Systems Engineering, SailPoint
     • Stephanie McVitty: Account Manager, Compsec
     Wednesday, August 14, 2013
  2. Key Discussion Areas
     • Today’s Challenges
     • History: How Did We Get Here?
     • The Evolution of Access Control
     • Building Blocks for Agile Access
     • Creating a Framework for Success
     • The Ideal ABAC Process
     • Use Case Deep Dive
     • Next Steps: Are You ABAC-Ready?
  3. Today’s Challenges
  4. How Did We Get Here?
     • We keep trying to solve a legacy problem with a legacy solution
     • Made authorization an IT solution, not a business solution
     • Bogged down with stovepipes, multiple policies, and poorly defined infrastructure
     • Focused on the door – not the data
     • Yet, we’ve done some amazing things
     We have made great progress! Industry deserves credit. Examples: NSTIC/IDESG, NIST 800-162 Draft, FICAM AAES work; focus on attributes and confidence scores.
  5. The Evolution of Access Control (diagram)
     • Legacy Problem with Legacy Solution: IBAC, ACL, RBAC, eRBAC
     • Legacy Problem with Better Solution: ABAC (fine grained, attribute-driven, local policy, proprietary enforcement, technical)
     • Future Proofed Business Solution: PBAC (reusable policy, context aware, externalized, standards based, business driven, non-technical)
  6. Building Blocks for Agile Access (diagram): Action; Reusable Policy; Agile Access Decisions; Federated Identity; Federated Attributes; Environment Context; Resource Attributes
  7. ABAC Framework (diagram): Programmatic and Technical Management; Portability, Confidence, and Trusted Attributes; Access Anywhere; Mobility/Cloud; Lifecycle, Governance and Risk; Mission Agility
  8. Layer 7 Overview
     Layer 7 API Gateways Provide API Access Control for the New “Open” Enterprise
     Diagram labels: Enterprise; Applications & Data; Outside Partners / Divisions; External Developers; Mobile Apps; Cloud Services; Other Things
  9. Enterprises are Exposing More
     Connectivity & Security Challenges for Open Enterprise:
     • Protection of applications exposed over internet
     • Reuse of information shared across departments, partners, mobile & Cloud
     • Ease of integration: reconciling disparate identity, data types, standards, services
     • Federated & Delegated Security
     • Performance optimization (caching, protocol compression, …)
     • Brokering cloud services
     • Proxy connections to social, cloud, notification services that enterprises can control
     • Cloud interactions
     • Central governance of policies and security
     Diagram labels: Mobile / Tablet Apps; Web Platform Integration; Open APIs for Developer Channel; Private Cloud Annexes (Savvis or Datacenter); Cloud Services; Over the Top TV and Media (Xbox Live and Smart TV); Real-time Partner Integration; Login / Password
     This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/public.
  10. Layer 7 Policy Approach
      Components: API Integration Gateway; API Service Manager; API Identity & Access Broker; API Developer Portal
      Capabilities: Health Tracking; Workflow; Performance; Global Staging; Developer Enrollment; API Docs; Forums; API Explorer; Rankings; Quotas; Plans; Analytics; Reporting; Config Migration; Patch Management; Policy Migration; Throttling; Prioritization; Caching; Routing; Traffic Control; Transformation; Security; Composition; Authentication; Single Sign On; API Keys; Entitlements; Token Service; OAuth 1.x; OAuth 2.0; OpenID Connect
  11. Layer 7 ABAC Reference Implementation (diagram)
  12. RadiantOne Architecture
      • A Federated Identity Service through Model-Driven Virtualization
      • Provides all functions of a complete AAES service
      • Abstraction layer
      • Platform consists of advanced Virtual Directory Server (VDS), Identity Correlation and Synchronization (ICS), and Cloud Federation Service (CFS)
  13. RadiantOne Key Capabilities (diagram: User Lookup; Attribute Server)
      Source records:
      • Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, departmentNumber=234
      • LDAP Directory: uid=AFuller, title=VP Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
      • HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234
      Correlated Identity Virtual View: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: andrew_fuller@setree1.com, uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA, memberOf=Sales
      Dynamic Groups Virtual View: cn=Sales, objectClass=group, member=Andrew_Fuller (based on identities that have: ClearanceLevel=1; title=VP Sales; Region=PA)
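The correlated virtual view and the attribute-driven dynamic group on this slide, worked through as an added Python example that is not Radiant Logic's code. Three constructed source records for Andrew Fuller are joined on an assumed correlation key (givenName_sn, which in this sample data equals the AD samAccountName and the HR UserID without its EMP_ prefix), merged into one view, and membership of the Sales group is computed from ClearanceLevel, title and Region. The second user, the orphaned HR row and the conflict marker are additions of this example.

```python
"""Identity correlation into a single virtual view, plus attribute-driven dynamic groups.

Added example in the spirit of the RadiantOne slide; not Radiant Logic's code.
All records and the correlation rule are constructed for illustration.
"""
from collections import defaultdict

# Constructed source records. Andrew Fuller follows the slide; Jane Doe and the
# orphaned HR row are added to show a second user and an unmatched record.
ACTIVE_DIRECTORY = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller", "objectClass": "user",
     "mail": "andrew_fuller@setree1.com", "departmentNumber": "234"},
    {"employeeNumber": "9", "samAccountName": "Jane_Doe", "objectClass": "user",
     "mail": "jane_doe@setree1.com", "departmentNumber": "234"},
]
LDAP_DIRECTORY = [
    {"uid": "AFuller", "title": "VP Sales", "givenName": "Andrew", "sn": "Fuller",
     "departmentNumber": "234"},
    {"uid": "JDoe", "title": "Sales Rep", "givenName": "Jane", "sn": "Doe",
     "departmentNumber": "234"},
]
HR_DATABASE = [
    {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
    {"EmployeeID": "111-22-3333", "ClearanceLevel": "2", "Region": "PA",
     "UserID": "EMP_Jane_Doe", "DeptID": "Sales234"},
    {"EmployeeID": "999-00-1111", "ClearanceLevel": "1", "Region": "NY",
     "UserID": "EMP_Ghost_User", "DeptID": "Sales234"},  # no AD/LDAP counterpart
]

# Correlation rule (an assumption of this example): every source yields the same
# normalised key "givenname_surname" for one physical person.
SOURCES = {
    "ad":   (ACTIVE_DIRECTORY, lambda r: r["samAccountName"].lower()),
    "ldap": (LDAP_DIRECTORY,   lambda r: f'{r["givenName"]}_{r["sn"]}'.lower()),
    "hr":   (HR_DATABASE,      lambda r: r["UserID"].removeprefix("EMP_").lower()),
}

# Dynamic group definitions: membership is computed from attributes, never stored.
DYNAMIC_GROUPS = {
    "Sales": {"ClearanceLevel": "1", "title": "VP Sales", "Region": "PA"},
}


def dynamic_groups(attrs):
    """Groups whose criteria all match this identity's attributes."""
    return [g for g, crit in DYNAMIC_GROUPS.items()
            if all(attrs.get(a) == v for a, v in crit.items())]


def correlate():
    """Join all sources on the correlation key. Returns (views, orphans).

    views  : key -> merged attribute dict (the Correlated Identity Virtual View)
    orphans: list of (source, key) for records present in only one source
    """
    merged = defaultdict(dict)
    seen_in = defaultdict(set)
    for name, (records, key_of) in SOURCES.items():
        for rec in records:
            key = key_of(rec)
            for attr, value in rec.items():
                existing = merged[key].get(attr)
                if existing is not None and existing != value:
                    # Conflicting values are a data-quality signal; keep both.
                    merged[key][attr] = f"{existing}|{value}"
                else:
                    merged[key][attr] = value
            seen_in[key].add(name)
    views, orphans = {}, []
    for key, attrs in merged.items():
        if len(seen_in[key]) == 1:
            orphans.append((next(iter(seen_in[key])), key))
            continue
        attrs["memberOf"] = dynamic_groups(attrs)
        views[key] = attrs
    return views, orphans


def group_view(views):
    """Dynamic Groups Virtual View: one group entry per dynamic group."""
    groups = {g: {"cn": g, "objectClass": "group", "member": []} for g in DYNAMIC_GROUPS}
    for attrs in views.values():
        for g in attrs["memberOf"]:
            groups[g]["member"].append(attrs["samAccountName"])
    return groups


def lookup_user(views, samaccountname):
    """User lookup by AD name, the way a PIP would query the attribute server."""
    return views.get(samaccountname.lower())


if __name__ == "__main__":
    views, orphans = correlate()
    for key, attrs in views.items():
        print(key, attrs)
    print("groups:", group_view(views))
    print("orphans:", orphans)
```

The orphan list is the part worth watching in a real deployment: an HR row with no directory counterpart is either a joiner not yet provisioned or a correlation-rule failure, and either way it must not silently acquire group membership.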
  14. Axiomatics Architecture
      • Manage: Policy Administration Point
      • Decide: Policy Decision Point
      • Support: Policy Information Point; Policy Retrieval Point
      • Enforce: Policy Enforcement Point
  15. Authorization at Any Layer
  16. Anywhere Authorization Architecture
  17. SailPoint Architecture (diagram): SailPoint ICAM Solutions; Unified Governance Platform; Open Connectivity Foundation; Service Desk Integration; Resource Connectors; Provisioning Integration; Security & Activity; Cloud SaaS; Role Model; Policy Model; Identity Warehouse; Risk Model; Workflow; Password Management; Compliance Management; Single Sign-On; Identity Analytics; Access Request & Provisioning
  18. Entitlement Giving Attributes (diagram): HR Data; Security; Directory Attributes; Ownership; Relationships; Modeling; Review Process; Change Process; Audit Process; System; Target; Business Process Management
  19. The Business Process of IAM Data Management (diagram): Ownership & Responsibility; Change Control; Versioning; History; Verification & Review; Analytics & Reporting; Identity & Access Governance; Entitlement Giving Attributes (HR Data; Security; Directory Attributes; System; Target)
  20. Benefits of Our Solution (Operational and Business)
      • Business-Friendly Management: policy management and insight available to all levels of the organization.
      • Range of Deployment Options: deploy for performance and architectural needs while maintaining 100% conformance with open standards.
      • Simple Change Management: easy to deploy new policy without underlying changes to application infrastructure.
      • Increased Access to Information: eliminate time consuming and confusing processes to gain access to information.
      • Also: Maximum Efficiency and Flexibility; Simple and Effective Management; Cost Effective; Scalable; Interoperable; Increased Security and Compliance
  21. The Ideal Process: Access barriers are removed so users can get their jobs done more efficiently.
  22. High Level Use Cases
      • Patient can manage record from authorized personal devices; opts-in and authorizes PCP and staff to view
      • Doctor can read from office computer; can write to entire record
      • Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs; can “break the glass” to access location agnostic information
      • Receptionist trained in HIPAA data protection can only view services performed
      • Claims coordinator can only view appointment information
      • Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt-in
  23. Conceptual Architecture (diagram): AuthN Services; Secure Gateway; EHR Systems; Federated Identity Virtualization; Policy Administration; Policy Server; Attribute Sources; NPI Registry; Patients; Hospital; Insurance; R&D; Governance; Provider View; R&D View; Insurance View; Patient View
  24. Patient Use Case
      Patient attempts to update personal EHR to add blood pressure (BP) information and opt-in to share info with doctor.
      • Intercepts the request: check request validity; verify patient access using registered device; verify accessing own record
      • Request/receive required attributes (EHR owner, authorized devices) from attribute sources: patient EHR preferences/metadata; signed opt-in forms; list of registered devices
      • Check if authorized: Permit
      • Allows patient access to EHR system: update BP; authorize doctor to access information
  25. Doctor Use Case
      Doctor attempts to update patient EHR from office computer.
      • Intercepts the request: check request validity; check access from office computer (hospital network)
      • Request/receive required attributes (EHR owner, authorized devices) from attribute sources: patient EHR preferences/metadata; signed opt-in forms; list of signed opt-in forms; verify patient opt-in
      • Check if authorized: Permit
      • Allows doctor access to patient EHR
  26. Remaining Use Cases (table: Use Case | Request | Layer 7 / Axiomatics | Radiant Logic | EHR)
      • Nurse: Rheumatology nurse requests access to patient EHR. Layer 7 / Axiomatics: checks request location/validity; checks PDP for authorization; validates nurse/patient relationship; allows access to specific attributes of patient EHR. Radiant Logic: provide nurse and patient attributes to PDP. EHR: allows nurse access to read patient rheumatology attributes of EHR; write diagnostics.
      • “Break Glass”: Nurse requests access to patient cardiac information when patient shows heart attack symptoms. Layer 7 / Axiomatics: checks request validity; checks PDP for authorization; validates environmental attributes from hospital; validates nurse/patient relationship. Radiant Logic: provide hospital, nurse and patient attributes to PDP. EHR: allows nurse access to read rheumatology and cardiac attributes of EHR, write diagnostics.
      • Reception: Reception requests access to patient services to prepare bill. Layer 7 / Axiomatics: checks request location/validity; checks PDP for authorization; validates employee HIPAA training; validates employee/patient relationship. Radiant Logic: provide employee and patient attributes to PDP. EHR: allows help desk access only to services performed.
      • Insurance: Insurance claims processor requests access to patient EHR. Layer 7 / Axiomatics: checks request location/validity; checks PDP for authorization; validates processor employment with insurance company; validates covered incident; validates insurance/patient relationship. Radiant Logic: provide processor, patient, and insurance attributes to PDP. EHR: allows claims processor access only to covered incident information.
      • Research & Development: Cardiovascular research center requests access to all cardiology patient data. Layer 7 / Axiomatics: authenticates R&D server; checks PDP for authorization; validates research center and scope; provides SQL PEP to filter result set and return anonymous data. Radiant Logic: provide employee and research center attributes to PDP. EHR: allows employee access only to anonymized data pertaining to research center scope.
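The PDP/PIP/PEP split of slide 14 and the patient, doctor, nurse, break-glass and reception flows of slides 24 to 26, carried through as one added Python example that is not code from Layer 7, Axiomatics or Radiant Logic. The attribute stores, subject ids, EHR section names, rule names, the hospital-set emergency flag and the obligations are all constructed for illustration; the insurance and R&D rows follow the same shape and are left out to keep the example short.

```python
"""ABAC for the EHR use cases: a PEP intercepts the request, a PIP gathers
attributes, and a PDP evaluates ordered rules with default deny.

Added example; not code from Layer 7, Axiomatics or Radiant Logic.
The attribute stores, rule set and emergency flag are constructed.
"""
from dataclasses import dataclass, field

# --- Policy Information Point: constructed attribute sources ---------------
PATIENTS = {  # EHR owner -> registered devices, signed opt-in forms, care unit
    "p100": {"devices": {"dev-abc"}, "opt_in": {"dr-smith"}, "unit": "rheumatology"},
}
STAFF = {  # subject id -> attributes served by the (virtual) directory
    "dr-smith":  {"role": "doctor"},
    "nurse-lee": {"role": "nurse", "unit": "rheumatology"},
    "recep-kim": {"role": "receptionist", "hipaa_trained": True},
    "recep-new": {"role": "receptionist", "hipaa_trained": False},
}
# Environment attribute the hospital sets when a patient shows heart-attack symptoms
HOSPITAL_ENV = {"emergency_patients": set()}
AUDIT_LOG = []  # obligations carried out by the PEP


def pip(subject, patient_id):
    """Collect subject, EHR-owner and environment attributes for one decision."""
    return {
        "subject": STAFF.get(subject) or {"role": "patient", "id": subject},
        "patient": PATIENTS[patient_id],
        "env": {"emergency": patient_id in HOSPITAL_ENV["emergency_patients"]},
    }


@dataclass
class Request:
    subject: str
    action: str        # "read" or "write"
    patient_id: str    # EHR owner
    section: str       # "vitals", "rheumatology", "cardiac", "services", ...
    device: str = ""   # device identifier presented by a patient
    network: str = ""  # "hospital" (office computer) or "internet"


@dataclass
class Decision:
    permit: bool
    rule: str
    obligations: list = field(default_factory=list)


# --- Policy Decision Point: first-applicable rules, default deny -----------
NURSE_WRITE = {"demographics", "symptoms", "vitals"}


def rule_patient_self(r, a):
    s, p = a["subject"], a["patient"]
    if s["role"] == "patient" and s["id"] == r.patient_id and r.device in p["devices"]:
        return Decision(True, "patient-own-record-registered-device")


def rule_doctor(r, a):
    s, p = a["subject"], a["patient"]
    if s["role"] == "doctor" and r.network == "hospital" and r.subject in p["opt_in"]:
        return Decision(True, "doctor-opted-in-office")


def rule_nurse(r, a):
    s, p, env = a["subject"], a["patient"], a["env"]
    if s["role"] != "nurse" or r.network != "hospital":
        return None
    if env["emergency"] and r.action == "read":
        # Break glass: location-agnostic read, with obligations the PEP must honour
        return Decision(True, "nurse-break-glass", ["audit", "notify-privacy-officer"])
    if s.get("unit") != p["unit"]:
        return None  # no nurse/patient relationship
    if r.action == "read" and (r.section == p["unit"] or r.section in NURSE_WRITE):
        return Decision(True, "nurse-unit-read")
    if r.action == "write" and r.section in NURSE_WRITE:
        return Decision(True, "nurse-unit-write")


def rule_reception(r, a):
    s = a["subject"]
    if (s["role"] == "receptionist" and s.get("hipaa_trained") and r.network == "hospital"
            and r.action == "read" and r.section == "services"):
        return Decision(True, "reception-services-only")


POLICY = [rule_patient_self, rule_doctor, rule_nurse, rule_reception]


def pdp(r, attrs):
    for rule in POLICY:
        decision = rule(r, attrs)
        if decision is not None:
            return decision
    return Decision(False, "default-deny")


# --- Policy Enforcement Point: intercept, validate, ask PIP then PDP -------
def pep(r):
    if r.action not in {"read", "write"} or r.patient_id not in PATIENTS:
        return Decision(False, "invalid-request")
    decision = pdp(r, pip(r.subject, r.patient_id))
    for obligation in decision.obligations:
        AUDIT_LOG.append((obligation, r.subject, r.patient_id, r.section))
    return decision
```

Two design points carry over to a real deployment: every rule is a pure function of the attributes the PIP returned, so the PDP holds no per-application logic, and the break-glass permit is only useful because it comes back with obligations that the PEP is required to act on (here an audit entry and a privacy-officer notification), which is what makes the emergency override reviewable afterwards.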
  27. Governance Use Case: Health Care Systems Attribute and Policy Governance (diagram)
      Labels: Entitlement Giving Attributes; Functional Application #1; Functional Application #2; Ownership & Responsibility; Change Control; Provision; Verification & Review; Analytics; Axiomatics Policy Server; Axiomatics Policy Auditor
      Identities, certified entitlements & risk scores would be used at the PIP and PDP to make smarter decisions.
  28. Are You Ready?
      • Establish Governance
      • Choose your standards
      • Determine your attributes and metadata
      • Determine your authoritative sources
      • Create a taxonomy and data dictionary
      • Understand your business processes
      • Determine the business model
      • Decide who will own policy/policy management
      • Coordinate with stakeholders across organization, including audit/compliance, privacy, and security operations
      • Track performance
  29. Questions?