
Benefits and Risks of a Single Identity - IBM Connect 2017

What is valuable about a single identity, why is that something people want and how achievable is it? As people work across multiple systems they encounter an equal number of barriers where they must authenticate or otherwise prove their identity in order to gain access. Ideally we always want to be showing the same information about ourselves regardless of where someone searches or how we are found. In this session we’ll discuss the issues behind both creating a single identity and simplifying authentication. We’ll also review the risks you need to be aware of, the technologies available to you and the importance of good and current personal information.

This is an updated presentation that includes some speaker notes for clarity

  1. 1. February 2017 - Benefits and Risks of a Single Identity. Gabriella Davis, Technical Director, IBM Lifetime Champion, The Turtle Partnership. DEV-1078, IBM Connect 2017 Conference
  2. 2. Who Am I? Admin of all things and especially quite complicated things where the fun is. Working with security, healthchecks, single sign on, design and deployment of IBM technologies and things that they talk to. Stubborn and relentless problem solver. Lives in London about half of the time. gabriella@turtlepartnership.com, twitter: gabturtle. Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions
  3. 3. Roadmap For This Session ✤ What is single identity and why would I care? ✤ What technologies are available to me? ✤ What needs to be in place for single identity to work well ✤ The risks of single identity in an IOT and online world
  4. 4. What Do We Mean By Single Identity? • Identity Management • I am an individual but one that is part of this group • I take my individuality into different systems • I take information about me across different systems • This is the difference between federation and single sign on
  5. 5. Things have gotten a bit more complicated than that... Multiple systems and standards including SAML, OpenID, OAuth, Facebook Login. Users require logins across personal, consumer, and enterprise systems
  6. 6. Individual Identities Across Systems Attributes Within Systems An individual will have separate identities across different systems, where some attributes are shared such as email or name and others might be system specific. As the user moves between systems their individual identity remains the same.
  7. 7. Why Is Having A Single Identity Valuable?
     Preferences - how I use the system, how I prefer to work with it, what parts of it I prefer to see / engage with
     Behaviour & History - what I do, what I have interacted with in the past, what I reuse or repeat
     Patterns - spotting ways in which I reuse or repeat in order to present information to me that I might not be aware of, or to highlight information that the pattern says I should be interested in
     Being Present - just because I'm using system A doesn't mean someone in system B can't find and interact with me. I have one identity if signed onto multiple systems.
  8. 8. Key Components of Single Identity
  9. 9. Authentication. Authentication is critical to ensure Gab Davis in System A is the same as Gab Davis in System B and the information that goes with that "Gab Davis" is correct
  10. 10. Trust ✤ Hello - have you met my friend? ✤ Is trust transferable? Once you create a way in you are establishing a security level as that of the lowest entry point
  11. 11. Attributes ✤ Access rights ✤ Identity data such as name or email ✤ System specific attributes such as your favourite drink (Sparkling Wine Flute, White Wine Glass, Standard Wine Glass, Light Red Wine Glass, Bold Red Wine Glass)
  12. 12. Common Authentication Technologies FEDERATION OAUTH OPENID IWA
  13. 13. Password Synchronisation - This ISN'T Single Identity. Synchronising passwords across different systems (Sametime LDAP, Connections LDAP, Traveler Authentication) through a Password Synchronisation Tool. You're not the same person, you're just using the same password
  14. 14. Single LDAP Source - This Kind-Of Is, At Its Most Basic. Authenticating against a single password in a single place (Sametime, Network Login, Connections, Mail all checking the same LDAP password). Technically you are the same person as you authenticate using the same identity, but that's it, there is no other information being held or exchanged.
  15. 15. This Is Closer - but not quite: IWA/Kerberos/SPNEGO ✤ The single authentication to Windows has granted access to other systems using the same identity. Steps:
     1. User logs into Windows
     2. Active Directory generates token
     3. User tries to access a website
     4. Browser sends IWA token to the web server along with user name
     5. The web server contacts Active Directory to validate token and retrieve the user's name
  16. 16. Federated Login Is Single Identity - Security Assertion Markup Language ✤ Simple SAML Steps:
     1. User attempts to log in to a website
     2. User is redirected to identity provider
     3. Identity provider requests authentication or (if user is logged in) returns credentials
     4. User is redirected back to original site with SAML assertion attached
     5. Original site uses its SAML service provider to confirm SAML assertion and grant access
  17. 17. SAML - Federated Single Identity ✤ IdP - Identity Provider (SSO) ✤ ADFS (Active Directory Federation Services) ✤ can be combined with IWA ✤ TFIM (Tivoli Federated Identity Manager) ✤ SP - Service Provider ✤ IBM Domino (web federated login) ✤ IBM SmartCloud ✤ IBM Notes (requires ID Vault) (notes federated login)
  18. 18. SAML Behaviour ✤ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions ✤ Assertions have three roles ✤ Authentication ✤ Authorisation ✤ Retrieving Attributes ✤ Many kinds of authentication methods are supported depending on your chosen IdP ✤ Once initially federated no subsequent password or credentials are passed
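As an added example that is not part of the slides, the service-provider side of the SAML steps above in Python: the IdP issues a small XML assertion and the SP confirms it before granting access (step 5), applying the checks the deck's risk slides depend on: signature, issuer, audience, expiry and replay. An HMAC over the assertion fields stands in for a real XML Signature, and the shared key, issuer and audience values are constructed assumptions.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed assumptions: the key the SP trusts and the two entity IDs.
IDP_KEY = b"constructed-shared-secret"
TRUSTED_ISSUER = "https://idp.example.test"
SP_AUDIENCE = "https://sp.example.test/saml"


def _digest(issuer, subject, audience, not_before, not_on_or_after, aid):
    # HMAC over the assertion fields stands in for a real XML Signature.
    msg = "|".join([issuer, subject, audience, str(not_before),
                    str(not_on_or_after), aid]).encode()
    return hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()


def idp_issue_assertion(subject, now, ttl=300, aid="a1", issuer=TRUSTED_ISSUER):
    """IdP side (steps 3-4): build the assertion the browser carries to the SP."""
    nb, na = int(now), int(now) + ttl
    a = ET.Element("Assertion", ID=aid, Issuer=issuer, Subject=subject,
                   Audience=SP_AUDIENCE, NotBefore=str(nb), NotOnOrAfter=str(na))
    a.set("Signature", _digest(issuer, subject, SP_AUDIENCE, nb, na, aid))
    return ET.tostring(a).decode()


def sp_validate_assertion(xml_text, now, seen_ids):
    """SP side (step 5): return (subject, None) on success or (None, reason).

    Signature: forged or altered assertion.  Issuer: an IdP you never
    federated with.  Audience: an assertion minted for another SP.
    Validity window: token expiration policy.  ID: a captured assertion
    presented a second time."""
    try:
        a = ET.fromstring(xml_text)
        g = lambda k: a.get(k, "")
        nb, na = int(g("NotBefore")), int(g("NotOnOrAfter"))
    except (ET.ParseError, ValueError):
        return None, "malformed assertion"
    expected = _digest(g("Issuer"), g("Subject"), g("Audience"), nb, na, g("ID"))
    if not hmac.compare_digest(expected, g("Signature")):
        return None, "bad signature"
    if g("Issuer") != TRUSTED_ISSUER:
        return None, "untrusted issuer"
    if g("Audience") != SP_AUDIENCE:
        return None, "wrong audience"
    if not nb <= now < na:
        return None, "outside validity window"
    if g("ID") in seen_ids:
        return None, "replayed assertion"
    seen_ids.add(g("ID"))
    return g("Subject"), None
```

The `seen_ids` set is the replay cache; in a real deployment it only needs to hold IDs until their `NotOnOrAfter` has passed.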
  19. 19. Federation For Social Systems - OAuth / OpenID / Facebook Login! OpenID is identity federation. OAuth is authorisation. OpenID is built on OAuth
  20. 20. Simplified OAuth Process. Steps:
     1. User asks Facebook (the consumer) to post on their activity stream
     2. Facebook goes to Connections (the service provider) and asks for permission to post
     3. The service provider gives the consumer a secret key to give to the user and a URL for the user to click on
     4. The user clicks on the URL and authenticates with the service provider
     5. The service provider, satisfied the secret key is good, will now allow the consumer access to its services
  21. 21. IBM Products As SAML Service Providers ✤ Verse on premises and cloud ✤ Domino ✤ Notes - both on premises and Smartcloud ✤ Connections ✤ WebSphere
  22. 22. Preparation For Federation
  23. 23. Directories and Data IDENTITY LOCATION HISTORY SYSTEMS
  24. 24. Identity ✤ Directories that are well constructed and maintained ✤ names ✤ data ✤ accounts ✤ Tie directories together with a common key
  25. 25. Systems ✤ Authorisation ✤ Access Levels ✤ Data Security ✤ Identifying shared attributes ✤ Configuring custom attributes in LDAP and the IdP
  26. 26. Location ✤ Different behaviour in different locations ✤ Locations define data ✤ Why are you here? What is your role?
  27. 27. History ✤ What have you done before ✤ Patterns of behaviour ✤ Suggestions based on history, location and identity
  28. 28. Risks
  29. 29. Personas ✤ Do you want to tie everything together? ✤ Do you have the same persona everywhere? ✤ Is the language you use, your opinions, your political views common everywhere ✤ and something you want to share?
  30. 30. Federation ✤ Once all systems are integrated all systems are vulnerable ✤ You are only as protected as your least secure password / authentication model ✤ Understand what services or service providers you have authorised, what information they hold, what their privacy policies are and what their security policies are ✤ Make sure users understand they have to logout
  31. 31. OAuth/OpenID ✤ Theft of credentials ✤ Excessive access and data rights ✤ Theft of data ✤ Brute force guessing of credentials ✤ URL redirects or interceptions through incomplete URL requests ✤ Token interceptions ✤ Puts the user in control - this is not a bad thing
  32. 32. IOT & Identity
  33. 33. Internet Of Things ✤ A physical device with embedded internet connectivity and "always on" status ✤ The beauty of IOT devices is that they are integrated into your life ✤ there's no individual authentication ✤ They know everything they need to know simply because of their placement or setup ✤ Their true value is in learning about those things we discussed earlier: preferences, behaviour, patterns
  34. 34. Risks With IOT ✤ Physical devices may now come with built in connectivity as an added feature ✤ Companies who didn't deploy them for that feature may also not have security policies in place to disable or limit it ✤ Risk assessment happens too late
  35. 35. Risks With IoT ✤ Privacy ✤ Safety ✤ Data Bleed ✤ Additional operational expenses
  36. 36. Summary
  37. 37. Prepare ✤ Have a good directory and define security policies such as token expiration ✤ Protect At Every Point Of Entry ✤ You don’t put a value on the information but someone else will ✤ Your identity has value ✤ Train users to log out, clean caches and understand what multi system access means ✤ Include risk assessment for IoT in any hardware purchasing and deployment
  38. 38. Lots of Good ✤ More passwords and stronger passwords don’t lead to better security ✤ Avoiding passwords entirely but authenticating based on existing information can be more secure ✤ Users are more likely to engage with systems that have fewer barriers to entry ✤ The more systems know about us, how we work and what we need the better they can serve us ✤ There are enormous volumes of data being produced across systems that can be used to save time, cost and effort
  39. 39. Questions?
  40. 40. Notices and disclaimers Copyright © 2017 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environment. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law
  41. 41. Notices and disclaimers continued Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. 
A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.