
2019 | Introduction to Identity Part 1 | Identiverse | Day 1, June 25

(Part 1) The importance of Digital Identity and Access Management continues to grow in the field of cybersecurity. IAM still ensures “the right access to the right people at the right time for the right reasons,” but other issues like new regulations, cyber-espionage, insider threats, IoT, and privacy concerns have made IAM one of the fastest growing segments of IT. Unfortunately, it can also be one of the most confusing to understand.
New technology and new use cases bring with them new terminology and new practices. For identity practitioners who are early in their career, and for security leaders and executives responsible for identity systems, it can be difficult to even figure out where to start. Every explanation seems to reference a multitude of other practices and dozens of confusing acronyms. Even seasoned professionals can lose track of what's new, especially if it's outside of their immediate area of focus.
This workshop -- provided by IDPro -- will provide a comprehensive (and fun) introductory view of the identity world that will give participants a solid understanding of IAM’s foundations.
Part 1 of this 2-part class begins with the basics like directories, identity proofing, provisioning, authentication (including multi-factor), authorization, as well as federation technologies like SAML, OAuth, and OpenID Connect.
In Part 2, we build on those foundational technologies to explain PKI & digital certificates, privileged access management, identity for IoT, identity assurance, privacy issues, identity standards organizations, and even known attack vectors.


  1. Intro to Identity
  2. Welcome!
  3. Agenda
  4. How to approach this session (© 2019 IDPro)
     • Fly-over Identity-land
     • Try to provide context for how something fits into the larger whole
     • You have a week to dig deeper
  5. What we hope to cover
     • Constituencies served
     • Admin-time disciplines and technologies
     • Run-time disciplines and technologies
     • Putting it all together
  6. What we are NOT going to cover
     • What is identity
     • What every term "means"
     • Ask 3 identity professionals, you'll get 6 opinions on every topic
  7. Let's cram some knowledge into your heads
  8. About us
  9. Pamela Dingle, @pamelarosiedee
     • Director of Identity Standards @Microsoft
     • Co-founder @WomeninID
     • 20 years on directories, WAM, federation, architecture
     • Canadian
     • Married to an Australian
     • Living in DC & SF
     • Checks twitter way too much
     • I don't mind if you call me Pam
     • Not my puppy
  10. Ian Glazer, @iglazer
     • Is VP, Product Management, Salesforce
     • Is Founder and President, IDPro
     • Was Research VP and Agenda Manager, Gartner/Burton Group
     • Contributed to SPML and SCIM
     • Killed identity management (it got better)
     • Loves commas
     • Photographs his own socks
     • Lives in Washington DC
  11. Steve Hutchinson, @identityhutch
     • Call me Hutch
     • Is Principal Cybersecurity Architect at GE Digital
     • Is a Board member of IDPro
     • Was a programmer, network manager, enterprise architect, & security architect for 20 years
     • Wizard of Woo
     • Hosts a 4-year-running biweekly cocktail party in my backyard
     • Lives in Richmond, Virginia
  12. Constituencies we serve
  13. Contextualizing what we do
     • Identity management is often an exercise in not losing the forest for the trees
     • Keeping a use case in mind really helps
     • Keeping the individual in mind really helps
  14. (image slide)
  15. Employees (image slide)
  16. Customers (image slide)
  17. B2E: Making Employees Productive
     • Enable people to be productive when they arrive
     • Ensure access doesn't linger after people leave
     • Human Resources is the source of truth (but not always)
     • "Who has access to what"
     • Lifecycle: Joiner/Mover/Leaver (powered by HR... hopefully)
  18. B2B: Connecting to Partners
     • Enable access to vetted members of the supply chain
     • You provide the apps; they provide the identities (hopefully)
     • Partner's identity system (and hopefully upstream HR system) is the system of record
     • Lifecycle: Delegated Administration (ideally)
  19. B2C: Digitally Engage
     • Bring the awesome to the people!
     • 1st step in most digital engagement / user journeys
     • Privacy implications abound
     • Lifecycle: Self-Registration (including social sign-up/sign-on)
  20. We are not alone (diagram: Identity, Privacy, Security)
  21. Splitting up the world: Admin-time vs Run-time
  22. A way to think about identity technology
     • There's a ton of tech and terms
     • A way to think about this is:
       • Admin-time: tech involved with user set-up before the user actually uses the services
       • Run-time: tech involved as the user is using the services
  23. Admin-time
  24. Admin-time Technologies
     • Sources of "Truth"
     • User Repositories and Directories
     • Identity Governance and Administration
     • Identity Analytics and Intelligence
     • Privileged Account Management
     • Identity Proofing
  25. Sources of "Truth"
     • An authoritative place to go where you can learn about a person
     • B2E: HR
     • B2B: the partner's HR, a delegated admin, their federation service
     • B2C: the individual, their social persona, a government
     • May have multiple / may require multiple
     • Assume data quality is not awesome
  26. User Repositories and Directories
     • A place to store information about users
       • Relational database
       • LDAP directory, Active Directory, VENDOR NAME Directory, OpenDJ
       • Web service
     • Often synchronized with a source of truth to orchestrate Joiner/Mover/Leaver events
     • Identity systems use a user repository as a source of truth
  27. (diagram: Relational Database vs Directory)
  28. Identity Governance and Administration
     • Tools to manage "who has access to what"
     • Relies on a source of truth (the who) to govern entitlements (the access) in systems via connectors (the what)
     • IGA is often used on this side of the spectrum
  29. User Provisioning & Lifecycle Management
     • Creates, maintains, and removes user accounts in managed systems
     • Can listen to joiner/mover/leaver events from sources of truth
     • Can transform and set attributes like first name for personalization and business processes
     • Can assign entitlements such as group membership, roles, and profiles for authorization purposes
  30. User Provisioning: Continued
     • Can have approval processes associated with creation and changes to user accounts
     • Relies on connectivity to managed systems
       • That doesn't have to be fully automated... could be a manual process driven via a help desk ticket
     • Relevant standard: SCIM (System for Cross-domain Identity Management)
  31. User Provisioning: Continued
     • Doesn't have to be fully automated
     • Access Request is a perfectly good way to give people access after Day 1 onboarding
     • Traditionally also set passwords in target systems
     • Also helped in password reset and lockout use cases
  32. Entitlement Management
     • Applications have privileges such as "create purchase order"
     • Privileges often get aggregated into entitlements for easier management
     • Entitlements include groups, technical roles, business roles, profiles, permission sets
     • Instead of assigning people individual privileges, they are often assigned entitlements
  33. (diagram: users Hutch, Ian, Pam and privileges Create PO, Update PO, Read PO, Delete PO)
  34. (same diagram, next build step)
  35. Unmanageable (diagram: Hutch, Ian, Pam each assigned Create PO, Update PO, Read PO, Delete PO individually)
  36. Everything is better with abstraction (diagram: Create PO, Update PO, Read PO, Delete PO aggregated into the "Manage POs" entitlement)
  37. Manageable (diagram: Hutch, Ian, Pam assigned "Manage POs"; user provisioning systems assign these)
  38. Entitlement Mgt: Continued
     • Entitlement Management involves the cataloging of assignable entitlements
       • Adding meaningful descriptions
       • Adding "owners"
       • Mapping entitlements to job responsibilities or types of users
         • "Purchasing clerks get these groups"
         • "Tier 1 Partners get this profile"
     • Often necessary pre-work before doing segregation of duties analysis and enforcement
  39. Role Management
     • Individual entitlements can become hard to manage
     • They can get aggregated into roles of 2 flavors:
       • Business roles = job responsibilities
       • Technical roles = collections of lower-level entitlements to enable access
     • Roles, especially business roles, can be mapped to HR job codes and positions
       • As well as partner classifications
     • Entitlements within a role need on-going review
     • Assignment rules that map roles to people need on-going review
  40. RBAC
     • Role-Based Access Control
     • Uses roles as the primary means of governing access to systems and resources
     • Works great in homogeneous and hierarchical organizations
     • Works really really really poorly in matrix organizations
     • "Role explosion" = more roles than people
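As an added example (not part of the IDPro deck), the privilege / entitlement / role layering from slides 32 to 40 in code, using the slides' own users (Hutch, Ian, Pam) and PO privileges; the "Approve PO" privilege, the "Approve POs" entitlement and the two role names are constructed for illustration, as is the conflicting-pair check that stands in for segregation-of-duties analysis.

```python
"""Added example, not from the IDPro deck: the purchase-order privileges and users from
slides 33-37 modelled as privilege -> entitlement -> role -> user layers, answering the
IGA questions the slides raise ("who has access to what", segregation of duties, role
explosion). The Approve PO privilege and the role names are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AccessModel:
    privileges: set = field(default_factory=set)           # what the application exposes
    entitlements: dict = field(default_factory=dict)       # entitlement -> privileges
    roles: dict = field(default_factory=dict)              # role -> entitlements
    user_entitlements: dict = field(default_factory=dict)  # user -> directly held entitlements
    user_roles: dict = field(default_factory=dict)         # user -> roles

    def define_entitlement(self, name, privs):
        unknown = set(privs) - self.privileges
        if unknown:
            raise ValueError(f"unknown privileges: {sorted(unknown)}")
        self.entitlements[name] = set(privs)

    def define_role(self, name, ents):
        unknown = set(ents) - set(self.entitlements)
        if unknown:
            raise ValueError(f"unknown entitlements: {sorted(unknown)}")
        self.roles[name] = set(ents)

    def assign_entitlement(self, user, ent):
        if ent not in self.entitlements:
            raise ValueError(f"unknown entitlement: {ent}")
        self.user_entitlements.setdefault(user, set()).add(ent)

    def assign_role(self, user, role):
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def users(self):
        return set(self.user_entitlements) | set(self.user_roles)

    def effective_privileges(self, user):
        """Flatten roles -> entitlements -> privileges for one user."""
        ents = set(self.user_entitlements.get(user, ()))
        for role in self.user_roles.get(user, ()):
            ents |= self.roles[role]
        privs = set()
        for ent in ents:
            privs |= self.entitlements[ent]
        return privs

    def who_has(self, priv):
        """The access-certification question: who has access to what."""
        return {u for u in self.users() if priv in self.effective_privileges(u)}

    def sod_violations(self, conflicts):
        """Users holding both privileges of any conflicting pair."""
        return {(u, a, b) for u in self.users() for a, b in conflicts
                if {a, b} <= self.effective_privileges(u)}

    def role_explosion(self):
        """The RBAC slide's warning sign: more roles than people."""
        return len(self.roles) > len(self.users())


def build_po_model():
    """Slide 37: Hutch, Ian and Pam get "Manage POs" instead of four privileges each."""
    m = AccessModel(privileges={"Create PO", "Update PO", "Read PO", "Delete PO", "Approve PO"})
    m.define_entitlement("Manage POs", {"Create PO", "Update PO", "Read PO", "Delete PO"})
    m.define_entitlement("Approve POs", {"Approve PO"})   # constructed, not on the slides
    m.define_role("Purchasing Clerk", {"Manage POs"})      # business role, constructed
    m.define_role("Purchasing Manager", {"Approve POs"})   # business role, constructed
    m.assign_role("Hutch", "Purchasing Clerk")
    m.assign_role("Ian", "Purchasing Clerk")
    m.assign_entitlement("Pam", "Manage POs")              # direct entitlement assignment
    m.assign_role("Pam", "Purchasing Manager")             # creating + approving: SoD conflict
    return m
```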
  41. Access Certification
     • On-going review of who has access to what
     • Became popular after SOX
     • Great tool to prevent people from keeping access they no longer need
     • But it can become fatiguing
     • Changes to entitlements can trigger reviews
     • As can changes to overall user risk
  42. Identity Analytics and Intelligence
     • More than just "who has access to what" reporting
     • Find commonalities and outliers among user populations
     • Group commonly assigned entitlements together as candidate roles
     • Identifies over-privileged users
     • Discovers undocumented high privileged access (HPA) rights assigned to regular, non-privileged accounts
  43. Identity Analytics and Intelligence
     • Identity Analytics (IdA) provides a risk-based approach for managing system identities and access
     • Centralizes governance, visibility and reporting for access-based risk
     • IdA uses dynamic risk scores and advanced analytics to derive key indicators for automating account provisioning, de-provisioning, authentication and privileged access management
     • Reduces the identity attack surface by identifying (for remediation) unnecessary, unused and outlier access
     • Accurately measures and reports on user, account, entitlement, application, departmental, and organization risk posture
  44. Privileged Account Management
     • Some user accounts are special, e.g. sysadmin, root, etc.
     • Access to accounts like these, and to accounts used for service-to-service integration, needs management too even though there isn't a single user associated with them
     • "Check out" access to root
     • Record actions users take while in a privileged state
     • Scramble passwords to protect special accounts
  45. Identity Proofing
     • Process of collecting and verifying information about a person for the purpose of providing an account or credential
     • It is performed before an account is created, the credential is issued, or a special privilege is granted
     • It is more lengthy the first time it is done
     • Chain-of-trust assures all parties involved that each participating entity followed a vetting process to securely and accurately validate an individual's identity
     • Registration happens once Identity Proofing is completed
  46. B2E proofing is structured (image slide)
  47. B2B & B2C proofing coordinates signals (diagram: Environment, Relationships, Documents)
  48. Run-time
  49. Run-time Technologies
     Identity and Policy are leveraged to enable resource access & management
     • Authentication & "Factors"
     • Single Sign-on
     • API Security/Delegated Authorization
     • Cross-domain Authorization
     • Run-time User Experiences
  50. (dictionary definition slide; source: Oxford Dictionary) * Authentication != Real-world Identity Linking
  51. Authentication & Factors
     • Active factors challenge the account owner
     • Passive factors evaluate environment & situation
       • Behavioral analytics, client/network device posture
     • Best Practices:
       • MFA (multi-factor authentication)
       • Adaptive Authentication
  52. WebAuthn, U2F, FIDO CTAP2
     • Three standards work together to enable interoperable creation & use of cryptographically strong, non-correlatable local credentials
     • U2F (aka CTAP1) enables USB authenticators for 2nd-factor auth
     • FIDO2 (aka CTAP2) enables USB, NFC, BLE authenticators for 1st- and 2nd-factor auth
     • WebAuthn enables a web relying party to ask the local hardware to interface with platform authenticators OR CTAP1/2 authenticators
  53. Single Sign-on
     • Leveraging a web session established at one domain to create a web session in another domain
     • Identity Providers (IDPs) authenticate users, then assert identifiers & claims
     • Relying Parties (RPs or SPs) receive and validate assertions instead of directly authenticating
     • Negotiated: claims/attributes issued from an authority
     • Everything occurs on a passive client – a browser
     • Best practice: standards-based federation
  54. SAML vs OpenID Connect: the SAML assertion
       <saml:Assertion ID="_d71a3a8e9fcc45c9e9d248ef7049">
         <saml:Issuer>http://idp.example.com</saml:Issuer>
         <saml:Subject>
           <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">248289761001</saml:NameID>
           <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
             <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z"/>
           </saml:SubjectConfirmation>
         </saml:Subject>
         <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
           <saml:AudienceRestriction>
             <saml:Audience>http://sp.example.com</saml:Audience>
           </saml:AudienceRestriction>
         </saml:Conditions>
         <saml:AuthnStatement AuthnInstant="2014-07-17T01:01:48Z">
           <saml:AuthnContext>
             <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
           </saml:AuthnContext>
         </saml:AuthnStatement>
         <saml:AttributeStatement>
           <saml:Attribute Name="uid">
             <saml:AttributeValue>pdingle</saml:AttributeValue>
           </saml:Attribute>
         </saml:AttributeStatement>
       </saml:Assertion>
     Labelled parts: Issuer; Audience; Subject; Assertion ID; Token type (bearer); Validity Window; Authentication Context; Attributes; Signature (not shown)
  55. SAML vs OpenID Connect: the OpenID Connect ID token
       {
         "iss": "http://idp.example.com",
         "sub": "248289761001",
         "aud": "http://sp.example.com",
         "jti": "_d71a3a8e9fcc45c9e9d248ef7049",
         "nonce": "n-0S6_WzA2Mj",
         "exp": 1311281970,
         "iat": 1311280970,
         "nbf": 1311280970,
         "acr": "phrh",
         "amr": "face",
         "uid": "pdingle"
       }
     Labelled parts: Issuer; Audience; Subject; Assertion ID; Token type (bearer); Validity Window; Authentication Context; Attributes; Signature (not shown)
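As an added example (not from the deck), the relying-party side of slides 53 to 55: what an SP or RP actually checks on the labelled fields (issuer, audience, assertion id, bearer confirmation, validity window) of the slides' own SAML assertion and ID token before trusting them. The error strings, the replay cache and the xmlns declaration on the assertion are assumptions of this example; the acr/amr/attribute checks an application would add on top are left out.

```python
"""Added example, not from the IDPro deck: relying-party checks for the fields the
two slides label on the slides' own SAML assertion and OIDC ID token. Signature
verification, marked "not shown" on the slides, must pass before these checks run."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# The ID token claims from slide 55 (the JWT signature is not shown there).
ID_TOKEN = {"iss": "http://idp.example.com", "sub": "248289761001", "aud": "http://sp.example.com",
            "jti": "_d71a3a8e9fcc45c9e9d248ef7049", "nonce": "n-0S6_WzA2Mj", "exp": 1311281970,
            "iat": 1311280970, "nbf": 1311280970, "acr": "phrh", "amr": "face", "uid": "pdingle"}

# Slide 54's assertion trimmed to the parts checked below; xmlns added so the prefix resolves.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_d71a3a8e9fcc45c9e9d248ef7049">
  <saml:Issuer>http://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>248289761001</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-17T01:01:18Z" NotOnOrAfter="2024-01-18T06:21:48Z">
    <saml:AudienceRestriction><saml:Audience>http://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_id_token(claims, issuer, client_id, nonce, now, seen_jti):
    """Problems with a signature-verified ID token; an empty list means accept.
    seen_jti is the relying party's replay cache (a set that this call updates)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include this client")
    if claims.get("nonce") != nonce:  # ties the token to the login request that asked for it
        problems.append("nonce mismatch")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    if now < claims.get("nbf", 0):
        problems.append("token not yet valid")
    if claims.get("jti") in seen_jti:
        problems.append("jti replayed")
    seen_jti.add(claims.get("jti"))
    return problems


def _saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_assertion(xml_text, issuer, audience, now):
    """Problems with a signature-verified SAML assertion; an empty list means accept."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", "", SAML_NS).strip() != issuer:
        problems.append("Issuer mismatch")
    audiences = [a.text.strip() for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audience not in audiences:
        problems.append("Audience mismatch")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        if cond.get("NotBefore") and now < _saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    conf = root.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if conf is None or conf.get("Method") != BEARER:
        problems.append("no bearer SubjectConfirmation")
    else:
        data = conf.find("saml:SubjectConfirmationData", SAML_NS)
        if data is not None and data.get("NotOnOrAfter") and now >= _saml_time(data.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired")
    return problems
```

Both functions take the current time as a parameter so that the same token can be checked inside and outside its validity window; the ID token on the slide has a one-thousand-second window (iat 1311280970 to exp 1311281970).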
  56. API Security/Delegated Authorization
     • SSO is great for web, but what about mobile apps, APIs, scripts?
     • Active clients need access too, sometimes on behalf of a user
       • BUT the user is not always present while the client acts
     • APIs (aka Resource Servers) don't care who you are, only what you are entitled to
     • Clients have their own identity & credentials
  57. WS-Trust vs OAuth 2.0
     WS-Trust:
     • STS (security token service)
     • Passive token gumball machine
     • Delegation via "on behalf of"
     • XML
     • Not MFA friendly. at. all.
     OAuth 2.0:
     • Flows combine front-channel passive client requests and back-channel direct REST calls
     • No: Identity, claims, user authN
     • Yes: Discovery, client authN, dynamic reg, more profiles written all the time
     • REST(ish)
     • Covers IoT devices, mobile apps, scripts
  58. Cross-Domain Authorization
     • Who makes the decisions in your org and how are those decisions distributed?
     • Where do your products enforce policy?
     • Concepts around for decades:
       • Policy Enforcement Point (PEP)
       • Policy Decision Point (PDP)
       • Policy Information Point (PIP)
       • Policy Administration Point (PAP)
     XACML:
     • Won't die
     • Can't quite be replaced or killed
     • If you use it, you probably hide it
     • Not user friendly or admin friendly or even computer friendly
     • Only thing more horrible than using it would be re-inventing it
  59. Run-Time User Experience
     • Every time you interrupt your user, you create friction
     • Too many interruptions lead to fatigue, which can have security consequences
     • Interactions created in product silos can result in frustrating and non-productive experiences
     • Do not just look at flows like account recovery or MFA from the admin POV
  60. Discovery (diagram: NASCAR IDP Discovery; User Discovery (aka Identifier first))
  61. Consent (diagram: Scopes; Terms & Conditions; Transactional Approval)
  62. Notification (diagram: Security; Workflow; Error)
  63. Profile Management (* authenticated) (diagram: Account Switching; Logout & Single Logout; Credential Management)
  64. Self Service (* unauthenticated) (diagram: Registration; Account Recovery)
  65. Putting it all together
  66. The Identity Stack (diagram). Components shown: Federation; Directory Services; Credential Management; Access Management; Identity Audit, Governance, & Intelligence; Brokering: Identity, Attribute, & Policy; Security Token Services; Credential Issuance & Binding; Key Management; Credential Lifecycle Management; Cryptography; Boundary Control; Policy Administration; Coarse-Grained Access Control; Fine-Grained Access Control; Authentication & Enforcement; Authentication & Verification; Policy Rules; Session Management; Integrity, Non-Repudiation, & Confidentiality; Metadata & Synchronization Services; Identity, Attribute, & Policy Stores; Onboarding & Registration; Provisioning & Entitlement Management; Access Review & Recertification; Sponsorship; Identity Proofing; Identity Lifecycle Management; Audit & Reporting; Context Awareness; Risk Profiling; Segregation of Duties; Role Management; Identity Management; Trust Framework
  67. Onboarding a new employee (diagram; components involved: Identity Proofing, Source of Truth, Identity Governance & Administration, User Repositories & Directories, Role Management, Entitlement Management)
  68. Onboarding a new employee (repeats the Identity Stack diagram from slide 66)
  69. Onboarding a new employee (repeats the Identity Stack diagram from slide 66)
  70. User requests access to internal app (diagram; components involved: Access Request (IGA), Access Review, Role Management, User Repositories & Directories, Entitlement Management, User Provisioning)
  71. User requests access to internal app (repeats the Identity Stack diagram from slide 66)
  72. User requests access to internal app (repeats the Identity Stack diagram from slide 66)
  73. User accesses internal app (diagram; components involved: Single Sign-On, Authentication, Coarse-Grained Authorization, Identity Analytics, Application Access, Fine-Grained Authorization, Policy Store, User Repositories & Directories)
  74. User accesses internal app (repeats the Identity Stack diagram from slide 66)
  75. User accesses internal app (repeats the Identity Stack diagram from slide 66)
  76. User accesses SaaS app (diagram; components involved: SaaS Application Access, Federation Service, Secure Token Service, Entitlement Management, User Provisioning, User Authentication, User Repositories & Directories)
  77. User accesses SaaS app (repeats the Identity Stack diagram from slide 66)
  78. User accesses SaaS app (repeats the Identity Stack diagram from slide 66)
  79. Thank you!
