IBM Security Identity and Access Management - Products updates and what is coming

1. © 2014 IBM Corporation
IBM Security Identity and Access Management
Products updates and what is coming
Sven-Erik Vestergaard
Pan-IOT security architecht
IBM Security
svest@dk.ibm.com

2. © 2014 IBM Corporation
IBM Security
2
Agenda
 ISAM
 ISIM
 PIM
 Z/Secure

3. © 2014 IBM Corporation
IBM Security
3
IBM Security
Access Manager

4. © 2014 IBM Corporation
IBM Security
5
Federated Registry Support
 Allow ISAM to address a federated registry space where different
suffixes are distributed across LDAP servers
 Current Registry becomes “Primary registry”
– Management suffix (e.g. secAuthority=Default) is stored here
• This is where all ISAM user/group/policy/GSO meta-data is stored
– Users and groups can also be stored here
 Can also define one or more “Federated Registries”
– These only store User and Group objects
– No schema changes required in these registries
– Identified by the suffixes they contain

5. © 2014 IBM Corporation
IBM Security
6
IBM Security
Access Manager
Native Kerberos
Single Sign-On

6. © 2014 IBM Corporation
IBM Security
7
Kerberos SSO
 For Windows applications, Kerberos provides the best SSO
– It is supported by Windows services without the need for plug-ins
– It generally causes the least number of integration issues
 Kerberos Delegation is required to support this in ISAM
– Allows an intermediate server to request tickets on behalf of an end user
 Kerberos Delegation is now supported by non-Windows Kerberos
– Previously it required Windows APIs
 ISAM Appliance includes a Kerberos client for native support
– Federated Identity Manager is no longer required for this

7. © 2014 IBM Corporation
IBM Security
8
IBM Security
Access Manager
Trusteer Pinpoint

8. © 2014 IBM Corporation
IBM Security
9
Proposed Architecture
WebSEAL
Filter Framework
Web Engine
Snippet
Filter
Update
Manager
Trusteer Endpoint
Servers
Poll
Snippet
Delivery
Endpoint
Access
Page
Delivery
Web
Application
Page
Access
Snippet
Files
 A new filter will be added to the WebSEAL filter framework;
 An update manager which is embedded within the appliance will be used
to monitor updates and retrieve these updates;
 Configuration will be contained in:
– WebSEAL configuration file;
– Snippet files;

9. © 2014 IBM Corporation
IBM Security
10
IBM Security
Access Manager
Appliance Monitoring

10. © 2014 IBM Corporation
IBM Security
11
SNMP added for Appliance Monitoring
 Systems monitoring is an important part of operations
– Often we may overlook it in pre-sales but customers will not
 Customer tools cannot be added to an appliance
– So it needs to provide sufficient capability out-of-the-box
 In ISAM 8.0.0.5 an SNMP daemon has been added
– It monitors standard system parameters such as disk, cpu, memory, interfaces,
processes etc.
 Currently it doesn’t monitor ISAM-specific functions
– syslog can provide integration for monitoring of this kind

11. © 2014 IBM Corporation
IBM Security
12
ISAM Appliance shown in Tivoli Enterprise Monitoring

12. © 2014 IBM Corporation
IBM Security
13
IBM Security
Access Manager
DataPower

13. © 2014 IBM Corporation
IBM Security
14
Applications
and
Systems
Silos of security are impeding business agility
DEVELOPERSPARTNERS
CONSUMERS
EMPLOYEES
WEBMOBILEB2B SOA APIS
CONSUMERS
EMPLOYEES
PARTNERS
CONSULTANTS
DEVELOPERS
API
MANAGEMENT
B2B
GATEWAY
SOA
GATEWAY
WEB ACCESS
PROXY
MOBILE
GATEWAY
Business
Channels
Users
Security
Solutions

14. © 2014 IBM Corporation
IBM Security
15
MULTI-CHANNEL GATEWAY
Reduce cost and improve security posture with
a converged gateway
Business
Channels
Users DEVELOPERSPARTNERS
CONSUMERS
EMPLOYEES
WEBMOBILEB2B SOA APIS
CONSUMERS
EMPLOYEES
PARTNERS
CONSULTANTS
DEVELOPERS
Security
Solutions
Applications
and
Systems

15. © 2014 IBM Corporation
IBM Security
16
Introducing IBM’s multi-channel gateway solution
Leverage the combined capabilities of IBM DataPower Gateway and IBM Security
Access Manager in a single, converged security and integration gateway solution
IBM DataPower Gateway
ISAM for
DataPower
Traffic control &
optimization
Message
security
User access
security
KeyBenefits
Reduce
Operating
Costs
Improve
Business
Agility
Improve
Edge
Security
Secure
User
Interactions
Secure
App
Interactions
Single gateway
reduces hardware
footprint and uses
common set of
management and
operational skills
Common security
policy framework
that can be shared
across business
channels
Comprehensive
security at the
message-level,
infrastructure-level,
and user-level
Safeguard mobile,
cloud, and social
access
Protect
applications at the
message-level and
provide optimized
application delivery
Message &
transport bridging

16. © 2014 IBM Corporation
IBM Security
17
ISAM for Mobile & FIM provide advanced authentication, authorization, & federation capabilities
with out-of-the-box integrations
 ISAM for Mobile: Addresses the needs for emerging web and mobile security
requirements for strong and multi-factor authentication and dynamic, context based
access policies from multiple data sources including Trusteer Mobile, Pinpoint and
Fiberlink MaaS360
 Federated Identity Manager: Provides a robust platform for centrally managing
federated business partner relationships and access to SaaS applications
Federated
Identity
Manager
Federated
single sign on
Identity
mediation
Security token
services
ISAM for
Mobile
 Mobile single sign
on
 Strong auth & MFA
 Context-based
access
 Device registration
Policy Enforcement Point
ISAM for
DataPower

17. © 2014 IBM Corporation
IBM Security
18
IBM Security
Identity Manager

18. © 2014 IBM Corporation
IBM Security
19
New Capabilities Across All Products
 Identity Manager v6.0.0.4 and v7.0
– Simultaneous announcement:
• Same functions, different delivery: V6.0.0.4 is software stack version for installed base; v7.0 is virtual
appliance-only for new customers
– Phase 3: Identity Service Center - business user interface
– Platform/Middleware updates
– Adapter updates including Oracle, Microsoft, UNIX/Linux platform updates
– Customer-sponsored enhancements
 Privileged Identity Manager v2.0
– Virtual appliance only delivery
– PIM-SIM separation with integration
– PIM for Applications option
– User experience improvement – PIM administration in Service Center UI
– SoftLayer administrative account management support
 Identity Governance v5.1
– Virtual Appliance Delivery
– Integration from SIG to SIM

19. © 2014 IBM Corporation
IBM Security
20
Identity Service Center – Home screen - updated
(Optional)

20. © 2014 IBM Corporation
IBM Security
21
Introducing SIM Virtual Appliance
 SIM is Virtual Appliance only starting with SIM v7
– Positioned as “fresh start”
– Continued SIM 6.0.x software stack maintenance
 Same platform as PIM and Access Manager (“Mesa”)
 Offers customers a quick-to-deploy and easy-to-maintain
IdM solution
– Pre-installed components & middleware, configured through VA panels.
• External data tier required (DB2 and LDAP) for storing operational data.
• Uses existing, common admin/user web user interfaces
• Supports HA clustering
– Reduces time to value significantly
• Reduces the skills requirements for IT admins. e.g. no WAS admin skills
needed.
• Reduces patch/upgrade effort via single “firmware” update - not individual
component

21. © 2014 IBM Corporation
IBM Security
22
SIM Virtual Appliance – cont.
 Target for new Identity Manager installations
 Key limitations to note:
– DB2 and Oracle (non SSL) only
– Simplification -> configurability streamlining – no access to WAS
– console, middleware install hidden etc.
• We support customization “best practices” and incorporate into
VA console configuration, but will discourage customization that
makes upgrades difficult
– Role and Policy Modeler not included (transition to SIG/CrossIdeas)
 Migration: Existing SIM 5.1 and 6.0 customers will need to migrate
environments – no automated upgrade
– Fresh start: opportunity to rethink customizations and clean up the
deployment
– Tech note describing customization supports/limits to be published
– Migration assistance on 2015 Roadmap

22. © 2014 IBM Corporation
IBM Security
23
SIM 6.0.0.4 SIM VA 7.0
OS / ESX AIX 6.1, 7.1
RHEL 5,6 SLES 10,11
Solaris 10
Windows 2008, 2012
VMware ESXi5.x
DB DB2 9.5, 9.7, 10.1, 10.5
Oracle 10g, 11g , 12c
DB2 10.1
Oracle 12c
TDS SDS 6.2, 6.3, 6.3.1
Sun Directory 6.3, 7.0
ODS 11.1
SDS 6.3.1
SDI/TDI TDI 7.1, 7.1.1
SDI 7.2
TDI 7.1.1
WAS WAS 7.0 (Without ISC)
WAS 8.5, WAS 8.5.5
-- (Inside VA)
Reports Cognos 10.2.1 Cognos 10.2.1
Browser IE 9, 10, 11
Firefox 17 ESR, 24 ESR
IE 11
Firefox 24 ESR
Identity Manager Virtual Appliance – Component versions

23. © 2014 IBM Corporation
IBM Security
24
PIM 2.0 is Appliance Only
 PIM Appliance now includes less “Identity Manager”
– Only what is required to support PIM use cases
 It can integrate with an Identity Manager system
– To provide full Enterprise Identity + PIM functionality
 New PIM opportunities should be directed towards appliance offering
– Existing software stack customers will continue to receive support and fixes but little to no new PIM
functionality
 PIM Licence still includes entitlement for SIM and ESSO
– So can still deploy and integrate these to get more function
• At the cost of additional deployment complexity
24

24. © 2014 IBM Corporation
IBM Security
25
Authenticating applications without password
ss
OAuth 2.0
Token
Authorization given by
a PIM domain admin to
an application instance.
OAuth tokens are set to
one-time use.
ss
Instance
Fingerprint
App instance host info,
user info, network, binary
hash and path, etc.
Ensures that the
instance is authentic.
Token request and fingerprinting are done automatically
during registration, using the App ID Toolkit.

25. © 2014 IBM Corporation
IBM Security
26
IAM Deployment Option Road Map
V. APPLIANCE
PIM Greenfield
Identity
Greenfield
Identity Appliance (direction)
Meets requirements
for PIM scenarios
for greenfield
customers
Meets requirements for SIM, PIM or
SIG greenfield customers.
Independent VA deployment
Full IAM suite from a single VA
Enable SIM, PIM, SIG or any combo
Migration for sw stack customers
IAM Software Stack
Update in parallel with VA to provide
customers time to consider VA or cloud
Lighthouse IAM
Initial Cloud IAM release
Lower cost and faster deployment
CLOUD
SOFTWARE
Lighthouse (direction)
Updated to latest IAM releases
Provide IBM Service Center UI

26. © 2014 IBM Corporation
IBM Security
27
IBM Security
Z/Secure

27. © 2014 IBM Corporation
IBM Security
28
zSecure products that enable integration with
QRadar
RACF CA ACF2 CA Top Secretz/OS CICS DB2
Event sources from System z . . .

28. © 2014 IBM Corporation
IBM Security
29
New zSecure Adapters for QRadar SIEM product
 Features
 Collects and formats information from over 40 different IBM System z SMF record types
- such as, z/OS, RACF, ACF2, Top Secret, DB2, and CICS events (customizable)
 Additional SMF record types generated by IBM z/OS® and its sub-systems, for data set
access, z/VM, PDS member updates and deletes, UNIX file activity, FTP, Telnet and
other TCP/IP activity and many others.
 Adds enriched descriptive audit information about the user and the resource from the
security database and zSecure system snapshot information
 Support for more frequent collection than once a day – job available for use with
scheduling software
 Benefits
 Extend best practices and comply with regulatory/legal/compliance requirements
 Provides a holistic, centralized approach for Security Monitoring and plugs a hole in the
Enterprise Security Monitoring practice
 Supports separation of duties – stop the legacy practice of self-policing!
 Maximize QRadar capabilities for:
Log management , Anomaly detection, Incident forensics, Configuration
Management, Vulnerability Management, and Risk management

29. © 2014 IBM Corporation
IBM Security
30
Stay Focused Stay Ahead
Questions ?