Best of Breed. Future-Proof Your Business with IdM 2.0

Times have changed and a new approach to identity and access management is required. Join us in a webinar discussion that builds on the capabilities of current IAM technologies with leaders in the industry: companies that integrate the latest standards, technologies and best practices in the field. In contrast to existing IAM suites, our best-of-breed approach gives you the best of all worlds: seamless integration built on open standards. Our team of experts will walk you through the solutions and their out-of-the-box, standards-based integration.

This webinar, on Oct. 23, 2013, from 2-3:30 p.m. (ET), includes Axiomatics, Layer 7 Technologies, Radiant Logic, SailPoint and Sila Solutions Group. See how “The Best of Breed: Future-Proof Your Business with Identity Management,” can provide you with new IdM solutions based on real-life use case samples.

By attending this webcast, you will learn:

- The challenges of maintaining and securing access to identity information to keep up with organizational changes and high Governance, Risk and Compliance (GRC) standards.

- How to effectively manage multiple user identities across the enterprise, communities and social activities.

- How to aggregate and federate identity data that is spread across the environment to enable SSO to any application.

- How to author, manage and distribute digital authorization policies for consistent and secure access control for your most sensitive data and applications.


Presented by:
Stephanie McVitty - Best of Breed Customer Liaison, Compsec
Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
Jim Rice - Vice President of Federal, Layer 7
Wade Ellery - Director of Sales, Radiant Logic
Phil McQuitty - Director of Systems Engineering, SailPoint
Gerry Gebel - President, Axiomatics Americas


  1. Identity Management for the 21st Century IT Mission
     Presented by:
     - Paul Grassi: VP of Federal Programs, Sila Solutions Group
     - Jim Rice: VP of Federal, Layer 7
     - Wade Ellery: Director of Sales and Business Development, Radiant Logic
     - Gerry Gebel: President, Axiomatics Americas
     - Phil McQuitty: Director of Systems Engineering, SailPoint
     - Stephanie McVitty: Account Manager, Compsec
     Wednesday, October 23, 2013
  2. Key Discussion Areas
     - Today's Challenges
     - History: How Did We Get Here?
     - The Evolution of Access Control
     - Building Blocks for Agile Access
     - Creating a Framework for Success
     - The Ideal ABAC Process
     - Use Case Deep Dive
     - Next Steps: Are You ABAC-Ready?
  3. Today's Challenges
  4. How Did We Get Here?
     - We keep trying to solve a legacy problem with a legacy solution
     - Made authorization an IT solution, not a business solution
     - Bogged down with stovepipes, multiple policies, and poorly defined infrastructure
     - Focused on the door, not the data
     - Yet, we've done some amazing things. We have made great progress and industry deserves credit: examples are NSTIC/IDESG, the NIST SP 800-162 draft, and the FICAM AAES work, with their focus on attributes and confidence scores.
  5. The Evolution of Access Control
     Diagram: a progression IBAC -> ACL -> RBAC -> eRBAC -> ABAC -> PBAC, moving from "legacy problem with legacy solution" through "legacy problem with better solution" to "future-proofed business solution". Characteristics laid out along the spectrum: fine grained, attribute-driven, local policy, proprietary enforcement, technical, reusable policy, context aware, externalized, standards based, business driven, non-technical.
  6. Building Blocks for Agile Access
     Inputs: Federated Identity, Federated Attributes, Environment Context, Resource Attributes, Action. Combined with Reusable Policy these yield Agile Access Decisions.
  7. ABAC Framework
     Diagram labels: Mission Agility; Lifecycle, Governance and Risk; Access Anywhere (Mobility/Cloud); Portability, Confidence, and Trusted Attributes; Programmatic and Technical Management.
  8. Layer 7 Overview
     Layer 7 API Gateways provide API access control for the new "open" enterprise. Diagram: Enterprise Applications & Data sit behind the gateway; on the outside are Partners/Divisions, External Developers, Mobile Apps, Other Things, and Cloud Services.
  9. Enterprises Are Exposing More
     Connectivity and security challenges for the open enterprise:
     - Protection of applications exposed over the internet
     - Reuse of information shared across departments, partners, mobile and cloud
     - Ease of integration: reconciling disparate identity, data types, standards, services
     - Performance optimization (caching, protocol compression, ...)
     - Proxy connections to social, cloud and notification services that enterprises can control
     - Cloud interactions
     - Central governance of policies and security
     This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/public.
     Diagram labels: Cloud Services (brokering cloud services); Real-time Partner Integration (federated and delegated security; login/password); Private Cloud Annexes (Savvis or datacenter); Mobile/Tablet Apps; Web Platform Integration; Open APIs for Developer Channel; Over the Top TV and Media (Xbox Live and Smart TV).
  10. Layer 7 Policy Approach
     - API Integration Gateway: Transformation, Routing, Traffic Control, Composition, Authentication, Throttling, Prioritization, Caching, Security
     - API Service Manager: Health Tracking, Workflow, Performance, Global Staging, Patch Management, Policy Migration
     - API Identity & Access Broker: Token Service, Entitlements, API Keys, OAuth 1.x, OAuth 2.0, Single Sign On, OpenID Connect
     - API Developer Portal: Config Migration, Reporting, Developer Enrollment, Quotas, Plans, Rankings, API Explorer, Analytics, API Docs, Forums
  11. Layer 7 ABAC Reference Implementation (diagram)
  12. RadiantOne Architecture
     - Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos.
     - Aggregation, correlation, transformation, and normalization of the user identity provide the foundation for Attribute Based Access Control.
     Diagram: multiple consumers read from the single virtual layer.
  13. RadiantOne Key Capabilities
     Source identities for one user (Andrew Fuller), before virtualization:
     - HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234
     - LDAP Directory: uid=AFuller, title=Vice Pres. Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
     - Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail=andrew_fuller@setree1.com, departmentNumber=234, title=Sales, VP
     Normalized attributes (federated identity attribute server):
     - nDepartment values: Accounting, Administration, Business Development, Distribution, Marketing, Production, Research, Sales, Shipping
     - nTitle values: CEO, CIO, CISO, VP Sales, VP Marketing, ...
     Correlated identity virtual view (one global profile): employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail=andrew_fuller@setree1.com, uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA, memberOf=Sales, nDepartment=Sales (computed attribute)
     Dynamic group virtual view: cn=Sales, objectClass=group, member=Andrew_Fuller. Membership is computed from identities that have ClearanceLevel=1, nTitle=VP Sales and Region=PA.
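To make the slide concrete, here is an added example (not Radiant Logic's code) that does the four steps the slide names: aggregate records from three silos, correlate them into one profile, normalize title and department, and compute a dynamic group from the normalized attributes. The silo records reuse the slide's sample values; the correlation rule, the normalization tables and the second employee (Nancy Davolio) are assumptions made for this example.

```python
"""Added example, not Radiant Logic's code: aggregate, correlate and normalize
one user across three identity silos into a single virtual profile, then compute
a dynamic group from the normalized attributes. Correlation rule and
normalization tables are assumptions; silo values follow the slide."""
import re

# Constructed silo records. Andrew Fuller is the slide's example; Nancy Davolio
# is added here so the dynamic group has someone to exclude.
HR_DB = [
    {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
    {"EmployeeID": "000-00-0001", "ClearanceLevel": "2", "Region": "WA",
     "UserID": "EMP_Nancy_Davolio", "DeptID": "Sales234"},
]
LDAP = [
    {"uid": "AFuller", "title": "Vice Pres. Sales", "givenName": "Andrew",
     "sn": "Fuller", "departmentNumber": "234"},
]
AD = [
    {"employeeNumber": "2", "samAccountName": "Andrew_Fuller", "objectClass": "user",
     "mail": "andrew_fuller@setree1.com", "departmentNumber": "234", "title": "Sales, VP"},
    {"employeeNumber": "1", "samAccountName": "Nancy_Davolio", "objectClass": "user",
     "mail": "nancy_davolio@setree1.com", "departmentNumber": "234",
     "title": "Sales Representative"},
]

# Assumed normalization tables; in practice these come from the data dictionary
# the "Are You Ready?" slide asks for. Title keys are matched case-insensitively.
TITLE_MAP = {"vice pres. sales": "VP Sales", "sales, vp": "VP Sales",
             "vp sales": "VP Sales", "sales representative": "Sales Rep"}
DEPT_MAP = {"234": "Sales"}


def correlation_key(rec):
    """Assumed correlation rule read off the slide's values: HR's UserID is the
    AD samAccountName with an 'EMP_' prefix; LDAP has only givenName/sn."""
    if "UserID" in rec:
        uid = rec["UserID"]
        return (uid[4:] if uid.startswith("EMP_") else uid).lower()
    if "samAccountName" in rec:
        return rec["samAccountName"].lower()
    return f"{rec['givenName']}_{rec['sn']}".lower()


def normalize_title(raw):
    return TITLE_MAP.get(raw.strip().lower(), raw)


def normalize_department(rec):
    # LDAP/AD carry departmentNumber=234; HR carries DeptID=Sales234. Keep digits only.
    num = rec.get("departmentNumber") or re.sub(r"\D", "", rec.get("DeptID", ""))
    return DEPT_MAP.get(num)


def build_profiles(*silos):
    """Join every silo record into a global profile keyed by correlation_key.
    Raw attributes are kept (first silo wins on a name clash); the normalized
    nTitle/nDepartment are computed and must agree across silos."""
    profiles = {}
    for silo in silos:
        for rec in silo:
            p = profiles.setdefault(correlation_key(rec), {})
            for attr, value in rec.items():
                p.setdefault(attr, value)
            if "title" in rec:
                n_title = normalize_title(rec["title"])
                if p.setdefault("nTitle", n_title) != n_title:
                    raise ValueError(f"conflicting titles for {correlation_key(rec)}")
            n_dept = normalize_department(rec)
            if n_dept:
                p["nDepartment"] = n_dept
    return profiles


def dynamic_group(profiles, name, **criteria):
    """The slide's virtual group: membership is computed from attribute values,
    never maintained by hand, and memberOf is back-filled on each member."""
    members = []
    for p in profiles.values():
        if all(p.get(attr) == value for attr, value in criteria.items()):
            members.append(p["samAccountName"])
            p.setdefault("memberOf", []).append(name)
    return {"cn": name, "objectClass": "group", "member": sorted(members)}


if __name__ == "__main__":
    profiles = build_profiles(HR_DB, LDAP, AD)
    print(profiles["andrew_fuller"])
    print(dynamic_group(profiles, "Sales", ClearanceLevel="1", nTitle="VP Sales", Region="PA"))
```

The point of the normalization step is visible in the two titles: "Vice Pres. Sales" (LDAP) and "Sales, VP" (AD) both become nTitle=VP Sales, so a policy written against nTitle does not have to know which silo it came from. A conflict that normalization cannot resolve is raised rather than silently picking a winner, since a PDP deciding on a wrong title is worse than a failed lookup.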
  14. Axiomatics Architecture
     - Enforce: Policy Enforcement Point (PEP)
     - Decide: Policy Decision Point (PDP)
     - Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
     - Manage: Policy Administration Point (PAP)
  15. Authorization at Any Layer (diagram)
  16. Anywhere Authorization Architecture (diagram)
  17. SailPoint Architecture
     SailPoint ICAM Solutions: Compliance Management, Access Request & Provisioning, Password Management, Single Sign-On, Identity Analytics
     Unified Governance Platform: Policy Model, Role Model, Identity Warehouse, Risk Model, Workflow
     Open Connectivity Foundation: Resource Connectors, Provisioning Integration, Service Desk Integration, Security & Activity, Cloud/SaaS
  18. Entitlement Giving Attributes
     Diagram: entitlement-giving attributes flow from HR Data and Security Directory Attributes to the Target Systems, governed by a business process management layer covering Ownership, Relationships, Modeling, the Review Process, the Change Process and the Audit Process.
  19. Entitlement Giving Attributes: The Business Process of IAM Data Management
     Diagram: the same flow (HR Data and Security Directory Attributes to Target Systems) with Identity & Access Governance as the managing layer.
  20. Benefits of Our Solution
     - Operational: deploy for performance and architectural needs while maintaining 100% conformance with open standards; range of deployment options; scalable; interoperable
     - Business: increased security and compliance; increased access to information; business-friendly management; cost effective
     - Simple and effective management: easy to deploy new policy without underlying changes to application infrastructure; simple change management
     - Maximum efficiency and flexibility: policy management and insight available to all levels of the organization; eliminate time-consuming and confusing processes to gain access to information
  21. The Ideal Process
     Access barriers are removed so users can get their jobs done more efficiently.
  22. High Level Use Cases
     1. Patient can manage record from authorized personal devices; opts in and authorizes PCP and staff to view
     2. Doctor can read from office computer and write to the entire record
     3. Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs
     4. Receptionist trained in HIPAA data protection can only view services performed
     5. Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt in
     6. Nurse can "break the glass" to access location-agnostic information; claims coordinator can only view appointment information
  23. Conceptual Architecture
     Diagram labels: Attribute Sources (NPI Registry, Hospital, Insurance, Patients, R&D); Secure Gateway; Governance; Policy Server; Policy Administration; Federated Identity Virtualization; AuthN Services; EHR Systems with Patient View, Provider View, Insurance View and R&D View.
  24. Patient Use Case
     The patient attempts to update their personal EHR to add blood pressure (BP) information and to opt in to sharing it with a doctor.
     1. The gateway intercepts the request.
     2. The required attributes (EHR owner, authorized devices) are requested and received from the attribute sources: list of registered devices, preferences/metadata, signed opt-in forms.
     3. Checks: verify patient access using a registered device; verify the patient is accessing their own record; check request validity; check if authorized. Decision: Permit.
     4. The patient is allowed access to the EHR system, updates BP, and authorizes the doctor to access the information.
  25. Doctor Use Case
     The doctor attempts to update the patient's EHR from an office computer on the hospital network.
     1. The gateway intercepts the request.
     2. The required attributes (EHR owner, authorized devices) are requested and received from the attribute sources: list of signed opt-in forms, preferences/metadata.
     3. Checks: verify patient opt-in; check access is from an office computer; check request validity; check if authorized. Decision: Permit.
     4. The doctor is allowed access to the patient's EHR.
  26. Remaining Use Cases (columns on the slide: Use Case, Request, Layer 7, Radiant Logic, Axiomatics, EHR)
     - Nurse: rheumatology nurse requests access to patient EHR. Layer 7 checks request location/validity, checks the PDP for authorization, validates the nurse/patient relationship, and allows access to specific attributes of the patient EHR. Radiant Logic provides nurse and patient attributes to the PDP. Result: nurse can read the rheumatology attributes of the EHR and write diagnostics.
     - "Break Glass": nurse requests access to patient cardiac information when the patient shows heart attack symptoms. Layer 7 checks request validity, checks the PDP for authorization, validates environmental attributes from the hospital, and validates the nurse/patient relationship. Radiant Logic provides hospital, nurse and patient attributes to the PDP. Result: nurse can read rheumatology and cardiac attributes of the EHR and write diagnostics.
     - Reception: reception requests access to patient services to prepare a bill. Layer 7 checks request location/validity, checks the PDP for authorization, validates employee HIPAA training, and validates the employee/patient relationship. Radiant Logic provides employee and patient attributes to the PDP. Result: help desk can access only services performed.
     - Insurance: insurance claims processor requests access to patient EHR. Layer 7 checks request location/validity, checks the PDP for authorization, validates the processor's employment with the insurance company, validates the covered incident, and validates the insurance/patient relationship. Radiant Logic provides processor, patient, and insurance attributes to the PDP. Result: claims processor can access only covered incident information.
     - Research & Development: cardiovascular research center requests access to all cardiology patient data. Layer 7 authenticates the R&D server, checks the PDP for authorization, validates the research center and its scope, and provides a SQL PEP to filter the result set and return anonymous data. Radiant Logic provides employee and research center attributes to the PDP. Result: employee can access only anonymized data within the research center's scope.
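The use cases on slides 22 through 26 are all statements about attributes of the subject, the resource, the action and the environment, which is what makes them ABAC rather than role checks. The following added example (not from the webinar or any of the vendors) encodes them as rules in a minimal policy decision point so the decisions can be exercised against constructed requests. Attribute names such as `unit`, `registered_devices`, `opted_in_providers` and `hospital_emergency`, the deny-unless-permit combining algorithm, and the sample requests are assumptions for this example; a real deployment would express the same rules in XACML and let the gateway (PEP) enforce the returned decision. Where slides 22 and 26 differ on what a nurse may write, the example follows slide 22.

```python
"""Added example, not vendor code: a minimal attribute-based PDP encoding the EHR
use cases as rules over subject, resource, action and environment attributes.
Attribute names, combining algorithm and sample requests are assumptions."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    subject: dict          # who: role, id, unit, training, registered devices
    resource: dict         # what: record owner, section, unit, opt-in lists
    action: str            # "read" or "write"
    environment: dict = field(default_factory=dict)  # device, location, break-glass


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # condition over the whole request


# Slide 22: nurses may write only demographics, symptoms and vital signs.
NURSE_WRITABLE = {"demographics", "symptoms", "vitals"}


def patient_own_record(r):
    s, res, env = r.subject, r.resource, r.environment
    return (s.get("role") == "patient" and res.get("owner") == s.get("id")
            and env.get("device_id") in s.get("registered_devices", ()))

def doctor_from_office(r):
    s, res, env = r.subject, r.resource, r.environment
    return (s.get("role") == "doctor" and s.get("id") in res.get("opted_in_providers", ())
            and env.get("location") == "office")

def nurse_own_unit(r):
    s, res = r.subject, r.resource
    if s.get("role") != "nurse" or s.get("unit") != res.get("unit"):
        return False
    return r.action == "read" or res.get("section") in NURSE_WRITABLE

def nurse_break_glass(r):
    # Location-agnostic read, only when the nurse invokes break-glass AND the
    # hospital's environment attribute confirms an emergency. PEP should log these.
    s, env = r.subject, r.environment
    return (s.get("role") == "nurse" and r.action == "read"
            and env.get("break_glass") is True and env.get("hospital_emergency") is True)

def receptionist_billing(r):
    s, res = r.subject, r.resource
    return (s.get("role") == "receptionist" and s.get("hipaa_trained") is True
            and r.action == "read" and res.get("section") == "services_performed")

def claims_processor(r):
    s, res = r.subject, r.resource
    return (s.get("role") == "claims_processor" and r.action == "read"
            and s.get("employer") == res.get("insurer") and res.get("section") == "appointments")

def research_anonymized(r):
    s, res = r.subject, r.resource
    return (s.get("role") == "research_server" and r.action == "read"
            and res.get("section") == "cardiac" and res.get("anonymized") is True
            and res.get("research_opt_in") is True)


POLICY = [
    Rule("patient-own-record", "Permit", patient_own_record),
    Rule("doctor-from-office", "Permit", doctor_from_office),
    Rule("nurse-own-unit", "Permit", nurse_own_unit),
    Rule("nurse-break-glass", "Permit", nurse_break_glass),
    Rule("receptionist-billing", "Permit", receptionist_billing),
    Rule("claims-processor", "Permit", claims_processor),
    Rule("research-anonymized", "Permit", research_anonymized),
]


def decide(req, policy=POLICY):
    """Deny-unless-permit: the first rule whose condition holds decides; nothing
    matching means Deny. The rule name is returned so the PEP can log why access
    was granted, which the audit considerations on slide 28 call for."""
    for rule in policy:
        if rule.applies(req):
            return rule.effect, rule.name
    return "Deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample: rheumatology nurse reading a cardiac section in an emergency.
    req = Request({"role": "nurse", "id": "n17", "unit": "rheumatology"},
                  {"owner": "p42", "unit": "cardiology", "section": "cardiac"},
                  "read", {"break_glass": True, "hospital_emergency": True})
    print(decide(req))
```

Two details are worth noticing. The break-glass rule needs an environment attribute the nurse does not control (`hospital_emergency`), so a nurse cannot self-authorize by setting a flag; and every rule checks the action, so the same nurse who may read cardiac data during an emergency is still denied when writing a section outside the slide 22 list. Because the default is Deny, forgetting to model a use case fails closed rather than open.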
  27. Governance Use Case
     Diagram labels: Health Care Systems; Attribute and Policy Governance; Axiomatics Policy Auditor; Functional Application #1 and #2; Entitlement Giving Attributes; Axiomatics Policy Server.
     Identities, certified entitlements and risk scores would be used at the PIP and PDP to make smarter decisions.
  28. Considerations
     - Target Applications: establish governance that requires new acquisitions (build or buy) to support interoperability standards. Offer transition plans or alternative access enforcement mechanisms for legacy applications.
     - Policy Lifecycle: governance is key, especially if offered as an enterprise service. Use tools to determine if applications can leverage pre-existing policies. Don't forget that attribute lifecycle is important in managing policy lifecycle.
     - Deployment Models: a centralized enterprise service is preferred, especially if attributes and natural language policy (NLP) apply across organizations. Governance and policy authoring services allow consumers more control.
     - Audit and Application Owner Control: link natural language policy to digital policy. It is difficult to show the traditional "who has access to what". Involve audit and compliance organizations in all phases.
     - Business Process Changes: access request and workflow provisioning will be impacted. Communicate access restrictions effectively. Provide a workflow for redress of incorrect attribute values.
     - Privacy: explore the usage of zero-knowledge assertions to protect user attributes while still effectively assisting policy evaluation.
  29. Are You Ready?
     - Establish governance
     - Choose your standards
     - Determine your attributes and metadata
     - Determine your authoritative sources
     - Create a taxonomy and data dictionary
     - Understand your business processes
     - Determine the business model
     - Decide who will own policy and policy management
     - Coordinate with stakeholders across the organization, including audit/compliance, privacy, and security operations
     - Track performance
  30. Questions?
  31. Contact Us
     - Paul Grassi, VP of Federal Programs: pgrassi@silasg.com, 703.740.1193
     - Jim Rice, VP of Federal: jrice@gov.layer7.com, 240.394.9591
     - Gerry Gebel, President: ggebel@axiomatics.com, 801.556.9994
     - Wade Ellery, Director of Sales: wellery@radiantlogic.com, 415.798.5654
     - Phil McQuitty, Director of Systems Engineering: phil.mcquitty@sailpoint.com, 703.626.9997