The document provides an overview of identity management basics. It discusses key concepts like single sign-on, enterprise SSO, identity management, access management, and federation of identities. It outlines an identity and access management methodology of inventorying, creating, deploying, and optimizing access. Role-based access control is also summarized, including how roles map to user permissions and are defined through a role engineering process involving functional decomposition and scenario-driven approaches.
3. Identity Management Flavours
Single Sign On is a goal … not a product
  Web application integration -- Web SSO
  Enterprise SSO (eSSO) involves corporate desktop applications
    Some use a server -- TSE, tn3270/5250, SAP, Oracle forms, etc.
    Some authenticate locally -- Acrobat protected files
IdM is different from Access Management
  One involves who you are and how that is recorded
  The other involves the policies around how you access resources
Federation of identities across multiple jurisdictions
  SAML, SXIP, Identity 2.0, OASIS
  Passport (HAHA), Kerberos, Liberty
OWASP 3
4. Identity Management Overview
Defined:
  Central infrastructure to manage users, roles, and access to resources
  Concept of “identity” contains all user attributes
  Provisioning capabilities
    Technology (connectors)
    Approvals Workflow Management
Features:
  Identity provisioning among integrated directories
  Self-registration and management
  Delegation of approvals and workflows
  Password reset capability
Benefits:
  Meet regulatory & audit requirements around controlled access to resources
  Save costs through efficient workflows for provisioning and approval
  Asset (business) owners in control, rather than technology group
5. Identity Management Integration
Integrates with:
  Enterprise single-sign-on (and related strong authentication)
  Access Management systems
  Role Engineering / Management systems
Integration Risks:
  Focus on technology may distract from importance of roles and processes
  Too many roles (or exceptions) may result if access modeling and identity modeling are not well-planned
  Benefits may not be realized quickly if project scope is not managed
  Not respecting impact on business and applications may have adverse effects on buy-in and acceptance
  Ineffective processes and workflows may prevent cost savings from being realized
  Lack of proper knowledge transfer results in a system that the organization cannot effectively manage
6. Identity & Access Management Methodology
1. Inventory: gather information about users, access requirements, and applications & data
2. Create: future state roadmap, associating user groups with access controls, and designing operational support and workflow processes
3. Deploy: begin assigning access to systems and data using new processes and workflows
4. Optimize: deploy automated and delegated processes only after steady state has been achieved
5. Report: leverage investment to satisfy reporting requirements for legislation and internal controls
75 percent of deployment effort will be spent on people & process
8. Identity & Access Management Basics
Access Management
  Access to data or applications is defined by
    Business policies (segregation of duties)
    Security policies
    Industry regulations and customer requirements
  Access permissions are mapped to roles and rules to be used when managing identities
Identity Management
  Map roles and rules to specific users to allow appropriate access
  Process to manage and track access to systems and data
    Provisioning
    Workflow
    Auditability
  Tools exist to facilitate the mapping and ongoing management of roles & identities
Single Sign-on & Strong Authentication
  Single sign-on allows access to all resources – strong authentication is required
9. Identity & Access Management Systems
1. User connects to Web server
2. Web server has a connector or “Agent”
  An interface to the Access Manager (‘plug-ins’ or APIs)
3. Access Manager is the Policy Enforcement Point: “PEP”
  High-volume system to make decisions on access requests from the Web server
  Must be high-availability
4. Identity Manager is the Policy Management Point: “PMP”
  Central management of all identity information from various sources
  Able to define processes and workflows to manage, maintain, and audit access to resources.
10. Identity Management Framework
Directory services repository is the most critical component, and is the primary data store for user-ID and profile information.
Provisioning provides a role-based approach to end-to-end user lifecycle management
Authentication – leverage existing systems including Active Directory, Enterprise Single Sign-on, and RSA tokens.
Access Management – leverage existing access manager infrastructure
Leverage existing technologies and processes
11. Role Based Access Control
[Diagram labels: ROLE (centre); Functional roles & organization as defined by HR; Create and manage within “role engineering” tool; Business Role Hierarchy; Permissions, Scenarios, Tasks, Work profiles, Constraints; Stored and managed in directory; User “Ned Flanders”; Resource; Approver; Privileges]
12. Role Engineering – Process
RBAC is widely supported and solves the privilege management problem better than DAC or MAC, etc., but development of the Role Hierarchy is manual and utilities are few and not all are effective.
The role engineering process…
  Discovers orphaned accounts, privileges, roles
  Merges overlapping roles
  Breaks apart overly broad roles: multiple jobs done by the same organization?
  Defines role constraints that come from permission constraints
  Creates role hierarchies: junior roles with common bases
…and provides the benefits of…
  Cleanup and streamline privileges and group definitions
  Essential for ongoing privilege management
  Assists with & documents compliance with policies
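The steps the slide lists (find orphans, merge overlapping roles, derive constraints and a hierarchy) as an added worked example, not code from the presentation. The accounts, roles, permission names and the segregation-of-duties pair are constructed sample data; breaking apart overly broad roles needs usage data and is not modelled here.

```python
# Constructed sample data (not from the slides): account -> harvested
# permissions, plus the roles currently defined in the directory.
ACCOUNTS = {
    "ned.flanders": {"erp.read", "erp.post_invoice", "hr.read"},
    "homer": {"erp.read", "erp.post_invoice", "hr.read"},
    "marge": {"erp.read", "hr.read"},
    "lisa": {"erp.read", "erp.approve_invoice", "erp.post_invoice"},
    "stale.svc": set(),  # account that holds no entitlements at all
}
ROLES = {
    "AP_Clerk": {"erp.read", "erp.post_invoice", "hr.read"},
    "AP_Clerk_2": {"erp.read", "erp.post_invoice", "hr.read"},  # duplicate
    "Viewer": {"erp.read", "hr.read"},
    "AP_Manager": {"erp.read", "erp.approve_invoice", "erp.post_invoice"},
}
# Every permission the target systems expose (constructed list).
KNOWN_PERMISSIONS = {"erp.read", "erp.post_invoice", "erp.approve_invoice",
                     "hr.read", "hr.write"}
# Segregation-of-duties constraint: nobody may both post and approve invoices.
SOD_PAIRS = [("erp.post_invoice", "erp.approve_invoice")]


def orphaned_accounts(accounts):
    """Accounts with no entitlements: candidates for removal."""
    return sorted(a for a, perms in accounts.items() if not perms)


def orphaned_permissions(accounts, known):
    """Permissions no account holds: likely dead or forgotten entitlements."""
    used = set().union(*accounts.values())
    return sorted(known - used)


def merge_duplicate_roles(roles):
    """Collapse roles with identical permission sets, keeping the first name."""
    by_perms = {}
    for name, perms in roles.items():
        by_perms.setdefault(frozenset(perms), name)
    return {name: set(perms) for perms, name in by_perms.items()}


def junior_role_base(roles):
    """Permissions common to every role: the natural junior/base role."""
    return set.intersection(*roles.values())


def role_hierarchy(roles):
    """role -> roles it strictly contains (a senior role inherits its juniors)."""
    return {r: sorted(o for o in roles if o != r and roles[o] < roles[r])
            for r in roles}


def sod_violations(assignments, sod_pairs):
    """Subjects (accounts or roles) holding both halves of a toxic pair."""
    return sorted((s, p) for s, perms in assignments.items()
                  for p in sod_pairs if set(p) <= perms)
```

Running sod_violations over ROLES as well as ACCOUNTS shows the constraint at both levels: a role that bundles both halves of the pair is itself a design defect, not just a user-assignment problem.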
13. Role Engineering – Creating Roles
Functional Decomposition
  Matter of pulling apart the existing processes and relationships between resources and users and their jobs
  Understanding the interactions and constraints that exist on permissions
“Scenario-Driven”
  Models the usage of the system overall
  Goal is to establish RBAC from concrete Role Hierarchies
“bottom-up” approach
14. Role Engineering – Process
Each IdM tool integrates a set of features to assist
  Bridgestream (SmartRoles)
    Manages dynamic approval processes based on context and relationships
    Does this by assuming the job of managing roles…all roles
    Defines Approval Policies to control relationships
  Eurekify (Sage)
    Can provide Query and Discovery functions – preliminary review of privilege landscape
    Provides audit and compliance reporting on business roles
  xoRET
    Initial attempt at tool for scenario based role engineering
Ultimately R.E. has so many human factors that there are key manual efforts required
[Diagram, scenario-driven role engineering steps: Identify & Model New Scenarios → Define Scenario Permissions & Constraints → Further Refine Scenario Model → Define Tasks and Work Profiles → Define Roles and Role Hierarchy]
19. Applying a Methodology
Discover
  • Where is role or identity information currently kept?
  • What are the data assets to protect?
  • Who owns the data?
  • Who uses the data?
Implement Tool
  • Identity Management tool (or equivalent)
  • Evaluate needs and technology
  • Integration with existing systems
  • Achieve “quick wins”
Harvest
  • Obtain information from existing repositories
  • Active Directory, SiteMinder, LDAP, SAP
  • Result: “raw” data as collected by the tool
Validate
  • Validate against “master” (SAP) data
  • Eliminate conflicts
  • Complete missing information
  • Result is “coarse” roles
Develop Workflow
  • Business-oriented approach
  • Consult IS, HR, and business stakeholders
  • Create provisioning & admin workflows
Pilot
  • Limited roll-out of pilot applications
  • Apply “coarse” roles (regulated vs. non-reg)
  • Pilot group chosen based on risk or priority
Refine
  • Iterative process
  • Add more granularity to “roles”
  • Result: “fine-grained” Role Based Access Control
The actual process will not be linear…
27. SAML
Primary concern is Complexity
Built by committee – but so was IPSec
Motivated backers
Seasoned backers
Synchronized clocks for validation
Multitude of Trust relationships
A trusted third party resolves this but not mandatory
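Two of the SAML concerns on the slide, synchronized clocks for validation and explicit trust relationships, in a relying-party check; this is an added example, not code from the presentation. The assertion, issuer, audience and clock-skew allowance are constructed, and XML signature verification against the issuer's certificate is assumed to have happened before this function is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; identifiers are placeholders. The signature
# is assumed to have been verified already (it is not checked here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" IssueInstant="2007-06-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>ned.flanders</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-06-01T12:00:00Z" NotOnOrAfter="2007-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/app</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Each federation partner is an explicit trust relationship (constructed).
TRUSTED_ISSUERS = {"https://idp.example.com/idp"}
MY_AUDIENCE = "https://sp.example.com/app"


def parse_time(s):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, skew=timedelta(seconds=60)):
    """Return (ok, reason). Checks issuer trust, validity window, audience.

    `skew` is the clock difference tolerated between IdP and SP; too large a
    value widens the replay window, too small one rejects valid logins.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions"
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return False, "assertion not yet valid"
    if now - skew >= not_on_or_after:
        return False, "assertion expired"
    audiences = [a.text for a in cond.iterfind(
        "saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audiences and MY_AUDIENCE not in audiences:
        return False, "audience mismatch"
    return True, "ok"
```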
28. SAML Data Flow
Source: Sun 2007, http://developers.sun.com/identity/reference/techart/sso.html
29. Options - What are the Choices
Key Vendors in this area include (no ranking)…
  Sun
  Oracle
  Computer Associates
  BMC Software
  Novell
  Passlogix
  Imprivata
  RSA
  Many others…
Competitive Analysis is being prepared now. Criteria being defined…
  Federation
  Audit capability
  Encryption capability
  Workflow flexibility
30. Agenda
1. Introductions and Objectives
2. Concepts
3. Approach to Identity & Access Management
4. Example Scenarios
5. Product Demonstration…hopefully…
31. Links as of June 1, 2007
Sun
  http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3
Oracle
  http://www.oracle.com/technology/products/id_mgmt/index.html
SXIP
  http://www.sxip.com
  http://identity20.com