Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
IDENTITY AND ACCESS MANAGEMENT 101
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
Agenda
•
•
•
•
•
•

The Good, The Bad, & The Ugly
Terminology
Employee Lifecycle
Step-by-Step
Looking Ahead
Resources
The Good, The Bad, & The Ugly
• Good
– Saves time
– Improves accuracy and consistency

• Bad
– RIDICULOUSLY complex
– Neve...
How Many Acronyms Does It Take…
• IdM = Identity Management
– Manage the accounts

• FIdM = Federated Identity Managment
–...
More Alphabet Soup
• LDAP – Lightweight Directory Access Protocol
• RBAC – Role Based Access Control
• SSO – Single Sign-O...
Provisioning & Deprovisioning
• Provisioning
– IT giveth…

• Deprovisioning
– … and IT taketh away

• You need to track ev...
3-Phase Employee Lifecycle
• #1 – Hire
– Autoprovision birthright entitlements, based on role (bear with me…)

• #2 – Tran...
Step One: The Sit-Down
•

Meet with HR
–
–

•

Discuss roles
–
–

•

Dazzle them with your knowledge of RBAC
Remember that...
Step Two: The Data Must Flow
•

Identify integration points
– Authentication Stores
• LDAP Directories
• Local Databases

...
Step Three: Integrate
• Define integration requirements
– PMO FTW!

• Take a technical inventory
– What do you have?
– Wha...
Intermission: Let’s Talk Tech
•

Components
–
–
–
–
–

Identity Store / Vault / Repository (not the system of record)
LDAP...
Pictures, or It Didn’t Happen

System of Record

Email

Other LDAP

Identity Provider

LDAP Server

User-Facing Apps

Data...
Step Four: Communcation
•

Document the $#!% out of your IAM infrastructure
– Every single integration point
– Link the te...
Step Five: Audit
•

Trust, but verify

•

Things to audit
–
–
–
–

•

Segregation of duties
Access changes (esp. adminstra...
Destined to Fail
•

Most IAM projects fail. Why?
–
–
–

•

Lack of executive sponsorship
Project teams try to do too much ...
Questions to Start Asking Now
•

Who’s going to support all this?

•

How can I enforce change control for IAM integration...
Resources
• Vendors
– Let them know you’re digging into IAM solutions & they’ll call you.

• LinkedIn Groups
– Identity an...
More Resources
• Internet2 Middleware Initiative
–
–
–
–
–
–
–

http://www.internet2.edu/middleware/index.cfm
MACE (Middle...
Even More Resources
•

IdM vs. IAM
–

•

Gartner Identity and Access Management Summit
–

•

http://aws.amazon.com/iam/

W...
Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail...
Upcoming SlideShare
Loading in …5
×

Identity and Access Management 101

28,887 views

Published on

Crash course in the fundamentals of identity and access management.

Published in: Technology

Identity and Access Management 101

  1. 1. IDENTITY AND ACCESS MANAGEMENT 101 Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
  2. 2. Agenda • • • • • • The Good, The Bad, & The Ugly Terminology Employee Lifecycle Step-by-Step Looking Ahead Resources
  3. 3. The Good, The Bad, & The Ugly • Good – Saves time – Improves accuracy and consistency • Bad – RIDICULOUSLY complex – Never enough money/resources • Ugly – When everything works, you’ll be the hero – If (when) something breaks, you’ll wish you’d saved up more sick days
  4. 4. How Many Acronyms Does It Take… • IdM = Identity Management – Manage the accounts • FIdM = Federated Identity Managment – Manage identity across autonomous domains • IAM = Identity & Access Management – Manage what the accounts can access
  5. 5. More Alphabet Soup • LDAP – Lightweight Directory Access Protocol • RBAC – Role Based Access Control • SSO – Single Sign-On • Federation – SAML, SAML 2.0, WS-Federation, Liberty Alliance
  6. 6. Provisioning & Deprovisioning • Provisioning – IT giveth… • Deprovisioning – … and IT taketh away • You need to track everything you provision if you ever expect to deprovision it. – Computers, phones, badges, app access, software licenses, etc. • Your auditors will LOVE you for this!
  7. 7. 3-Phase Employee Lifecycle • #1 – Hire – Autoprovision birthright entitlements, based on role (bear with me…) • #2 – Transition – New access replaces old access, right? • #3 – Termination – Deprovision, stat! • #4 – Other? – On Leave (medical, sabbatical, etc.) – Terminated with Access
  8. 8. Step One: The Sit-Down • Meet with HR – – • Discuss roles – – • Dazzle them with your knowledge of RBAC Remember that employee lifecycle slide? How will you determine birthright access? – – • HR system is the system of record Workforce members = employees + non-employees (decision time!) Department + Job Code Step back, take a look at current employees, and execute the smell test Identify the processes you want to automate – – – – Notification of hire/change/termination Account creation/deletion (in connected systems, NOT system of record) Access modification Internal expenses (e.g., mobile devices)
  9. 9. Step Two: The Data Must Flow • Identify integration points – Authentication Stores • LDAP Directories • Local Databases – Commercial Apps – Homegrown Apps • Internal vs. External – Fewest # auth/auth stores possible – External = federation • http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634 How are changes initiated? – Transactional vs. batch • Conceptual diagram of your IAM infrastructure
  10. 10. Step Three: Integrate • Define integration requirements – PMO FTW! • Take a technical inventory – What do you have? – What do you need? – What can you get rid of? • Start eating the elephant – – – – – HR -> Identity Store Identity Store -> Active Directory http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html Identify Store -> [other LDAP directory] Identity Store -> [email] Identity Store -> [that one app that everyone in the company uses]
  11. 11. Intermission: Let’s Talk Tech • Components – – – – – Identity Store / Vault / Repository (not the system of record) LDAP Directory Entitlements Manager Web Access Manager (+ Certificate Manager) Password Manager Vendors • • • • • • CA Identity Manager IBM / Tivoli Identity Manager Microsoft Forefront Identity Manager Novell Identity Manager Oracle Identity Manager / Sun LDAP RSA / Courion • RSA = Access Manager & FIdM • Courion = Provisioning & Passwords Open Source • • • • • OpenIAM OpenDS Directory Server OpenSSO Shibboleth (SSO) Gluu
  12. 12. Pictures, or It Didn’t Happen System of Record Email Other LDAP Identity Provider LDAP Server User-Facing Apps Databases Password Manager Entitlements Manager Web Access Manager
  13. 13. Step Four: Communcation • Document the $#!% out of your IAM infrastructure – Every single integration point – Link the tech to business processes • Review documentation with… – – – – – – • Human Resources LAN Support System Owners Application Developers Production / Change Control IT Leadership Link IAM systems to Change Control system – Notification of ANY and ALL changes – Want to break IAM? Change a connected system without testing integration points!
  14. 14. Step Five: Audit • Trust, but verify • Things to audit – – – – • Segregation of duties Access changes (esp. adminstrative & sensitive data) Accounts for terminated users (reconcile with HR) Share access Security Information and Event Management (SIEM) – Failed login attempts – Attempts to access restricted data – Privilege changes / escalation • Automate your auditing toolset
  15. 15. Destined to Fail • Most IAM projects fail. Why? – – – • Lack of executive sponsorship Project teams try to do too much at once Referring to IAM is a ‘project’ in the first place Mark Dixon’s Ten Best Practices for Identity Management Implementation – – – – – – – – – – Set strategy Secure sponsorship Plan quick wins Select project leadership Define business processes Select implementation team Gain commitment from support resources Provide proper infrastructure Assure data quality Conduct post-production turnover http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity
  16. 16. Questions to Start Asking Now • Who’s going to support all this? • How can I enforce change control for IAM integration points? • How am I going to manage passwords? – – • How am I going to manage non-employees? – – – • Consultants Contractors Interns How am I going to manage RBAC exceptions and segregation of duties? – • Single Sign-On Password Synchronization Pareto Principle (80/20 rule) Identity in the Cloud? – Yeah, I said cloud. Drink ‘em if you got ‘em!
  17. 17. Resources • Vendors – Let them know you’re digging into IAM solutions & they’ll call you. • LinkedIn Groups – Identity and Access Management • http://www.linkedin.com/groups?gid=66476 – Identity Management Specialists • http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311 • Working Groups – EDUCAUSE (http://www.educause.edu/iam) – InCommon (http://www.incommon.org/iamonline/)
  18. 18. More Resources • Internet2 Middleware Initiative – – – – – – – http://www.internet2.edu/middleware/index.cfm MACE (Middleware Architecture Committee for Education) Shibboleth Federated Single Sign-On Software Grouper Comanage: Collaborative Organization Management MACE-Dir(ectories) MACE-paccman (Privilege and Access Management) • Open Source – – – – OpenDS - http://www.opends.org/ OpenSSO - http://java.net/projects/opensso/ Shibboleth - http://shibboleth.internet2.edu/ Gluu - http://www.gluu.org/
  19. 19. Even More Resources • IdM vs. IAM – • Gartner Identity and Access Management Summit – • http://aws.amazon.com/iam/ Worst Practices: Three Big Identity and Access Management Mistakes – • http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/ AWS Identity and Access Management – • http://www.gartner.com/technology/summits/na/identity-access/ Gartner – Why There Are No IAM Magic Quadrants – • http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes Wikipedia – – – http://en.wikipedia.org/wiki/Identity_management http://en.wikipedia.org/wiki/Identity_access_management http://en.wikipedia.org/wiki/Federated_identity_management
  20. 20. Questions? Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis LinkedIn: http://www.linkedin.com/in/slandail Twitter: https://twitter.com/slandail http://www.jacadis.com contact@jacadis.com

×