The 21st century mission is dependent on providing secure and agile access to information across an increasing range of stakeholders, both internal and external to your agency. This comes amidst evolving IT missions, budget challenges, a complete IT compliance landscape and an increased need for rapidly deployable and flexible solutions.
This webinar explores integrated identity management solutions and real life use case examples.
Presented By
• Stephanie McVitty - Account Manager, Compsec
• Paul Grassi - Vice President of Federal Programs, Sila Solutions Group
• Jim Rice - Vice President of Federal, Layer 7
• Dieter Schuller - VP of Sales, Radiant Logic
• Phil McQuitty - Director of Systems Engineering, Sailpoint
• Gerry Gebel - President, Axiomatics Americas
WordPress Websites for Engineers: Elevate Your Brand
Identity Management for the 21st Century IT Mission
1. Identity Management for the 21st
Century IT Mission
Presented By:
• Paul Grassi: VP of Federal Programs, Sila Solutions Group
• Jim Rice: VP of Federal, Layer 7
• Dieter Schuller: VP of Business Development, Radiant Logic
• Gerry Gebel: President, Axiomatics Americas
• Phil McQuitty: Director of Systems Engineering, SailPoint
• Stephanie McVitty: Account Manager, Compsec
Wednesday: August 14, 2013
2. • Today’s Challenges
• History: How Did We Get Here?
• The Evolution of Access Control
• Building Blocks for Agile Access
• Creating a Framework for Success
• The Ideal ABAC Process
• Use Case Deep Dive
• Next Steps: Are You ABAC-Ready?
Key Discussion Areas
2
4. • We keep trying to solve a legacy problem
with a legacy solution
• Made authorization an IT solution, not a
business solution
• Bogged down with stovepipes, multiple
policies, and poorly defined infrastructure
• Focused on the door – not the data
We have made great progress!
Industry deserves credit.
Examples of NSTIC/IDESG, NIST 800-162 Draft,
FICAM AAES work; focus on
attributes and confidence scores
• Yet, we’ve done some amazing things
How Did We Get Here?
4
5. Legacy Problem with Better Solution
Legacy Problem with Legacy Solution
The Evolution of Access Control
PBAC
REUSABLE POLICY
CONTEXT AWARE
EXTERNALIZED
STANDARDS BASED
BUSINESS DRIVEN
NON-TECHNICAL
Future Proofed Business Solution
ABAC
FINE GRAINED
ATTRIBUTE-DRIVEN
LOCAL POLICY
PROPRIETARY ENFORCEMENT
TECHNICAL
eRBACRBACACLIBAC
5
7. PROGRAMMATIC AND TECHNICAL MANAGEMENT
Portability,
Confidence,
and Trusted
Attributes
Access
Anywhere
Mobility/
Cloud
Lifecycle,
Governance
and Risk
Mission
Agility
ABAC Framework
7
8. Layer 7 Overview
8
Applications &
Data
Enterprise
…
Outside Partners /
Divisions
External
Developers
Mobile Apps
Cloud Services
Other Things
Layer 7 API Gateways Provide API Access Control for the New “Open” Enterprise
9. Enterprises are Exposing More
Connectivity & Security
Challenges for Open
Enterprise:
• Protection of applications
exposed over internet
• Reuse of information shared
across departments,
partners, mobile & Cloud
• Ease of integration:
reconciling disparate
identity, data types,
standards, services
• Federated & Delegated
Security
• Performance optimization
(caching, protocol
compression, …)
• Brokering cloud services
• Proxy connections to social,
cloud, notification services
that enterprises can control
• Cloud interactions
• Central governance of
policies and security
Mobile / Tablet Apps
Web Platform Integration Open APIs for Developer Channel
Private Cloud Annexes
(Savvis or Datacenter)
Cloud Services
Over the Top TV and Media
(Xbox Live and Smart TV)
Real-time Partner
Integration
Login
Password
This new open, extended enterprise is a hybrid enterprise
because it blends inside/outside as well as private/pubic
9
10. Layer 7 Policy Approach
API Integration Gateway
API Service Manager
API Identity & Access Broker
API Developer Portal
Health Tracking
Workflow
Performance Global Staging Developer
Enrollment
API Docs
Forums
API Explorer
RankingsQuotas
Plans
AnalyticsReporting
Config Migration
Patch Management Policy Migration
Throttling Prioritization Caching
Routing Traffic ControlTransformation
Security
Composition
Authentication Single Sign OnAPI KeysEntitlements
Token Service OAuth 1.x OAuth 2.0 OpenID Connect
10
12. RadiantOne Architecture
• A Federated Identity Service through Model-Driven
Virtualization
• Provides all functions of a complete AAES service
• Abstraction layer
• Platform consists of advanced Virtual Directory Server (VDS),
Identity Correlation and Synchronization (ICS), and Cloud
Federation Service (CFS)
12
20. Benefits
Policy management
and insight available to
all levels of the
organization.
Simple
Change
Management
Maximum
Efficiency
and
Flexibility
Range of
Deployment
Options
Simple and
Effective
Management
Cost
Effective
Scalable
Interoperable
Business-
Friendly
Management
Increased
Access to
Information
Deploy for performance
and architectural needs
while maintaining 100%
conformance with open
standards
Easy to deploy new
policy without
underlying changes to
application
infrastructure.
Eliminate time
consuming and
confusing processes to
gain access to
information.
Benefits of
Our Solution
Increased
Security and
Compliance
Operational Business
20
21. Access barriers are removed so users can get their jobs done more efficiently.
The Ideal Process
21
22. High Level Use Cases
Patient can manage record
from authorized personal devices
Doctor can read from office computer
Opts-in and authorizes PCP and staff to view
Claims
coordinator
can only view
appointment
information
Doctor can write to
entire record
Nurse can read
information
pertaining to
location; can only
write demographic
info, symptoms,
and vital signs
Receptionist trained in HIPAA data protection
can only view services performed
Research organization can only read
anonymized cardiac clinical data from
hospitals and patients that opt-in
1
3
2
4
5
6
Nurse can “break the glass” to
access location agnostic
information
22
24. Intercepts
the request
Patient Use Case
Attempts to update personal EHR to
add blood pressure (BP) information
and opt-in to share info with doctor
Allows Patient
Access to EHR
System
Patient EHR
Preferences
/Metadata
Signed Opt-
In Forms
Permit
Check
request
validity
Verify patient access
using registered device
Verify accessing own
record
Request/receive required attributes
(EHR owner, authorized devices)
List of
registered
devices
Check if
authorized
Update BP
Authorize doctor to access information
1
2
4
3
24
25. Doctor Use Case
Attempts to update patient
EHR from office computer
Intercepts
the request
Allows doctor
access to
patient EHR
Patient EHR
Preferences
/Metadata
Signed Opt-
In Forms
Permit
Check
access from
office
computer
Check if
authorized
Verify patient opt-in
List of
signed
opt-in
forms
Hospital
Network EHR
Check
request
validity
1
2
Request/receive required attributes
(EHR owner, authorized devices)
3
4
25
26. Remaining Use Cases
Use Case Request Layer 7 Axiomatics Radiant Logic EHR
Nurse Rheumatology nurse
requests access to
patient EHR
•Checks request
location/validity
•Checks PDP for
authorization
•Validates nurse/patient
relationship
•Allows access to specific
attributes of patient EHR
Provide nurse
and patient
attributes to
PDP
Allows nurse access to
read patient
rheumatology
attributes of EHR; write
diagnostics
“Break Glass” Nurse requests access
to patient cardiac
information when
patient shows heart
attack symptoms
•Checks request
validity
•Checks PDP for
authorization
•Validates environmental
attributes from hospital
•Validates nurse/patient
relationship
Provide
Hospital, Nurse
and Patient
attributes to
PDP
Allows Nurse access to
read Rheumatology
and Cardiac attributes
of EHR, write
diagnostics
Reception Reception requests
access to patient
services to prepare bill
•Checks request
location/validity
•Checks PDP for
authorization
•Validates employee
HIPAA training
•Validates
employee/patient
relationship
Provide
employee and
patient
attributes to
PDP
Allows help desk
access only to services
performed
Insurance Insurance claims
processor requests
access to patient EHR
•Checks request
location/validity
•Checks PDP for
authorization
•Validate processor
employment with
insurance company
•Validate covered incident
•Validate
insurance/patient
relationship
Provide
processor,
patient, and
insurance
attributes to
PDP
Allows claims
processor access only
to covered incident
information
Research &
Development
Cardiovascular
research center
requests access to all
cardiology patient data
•Authenticates
R&D server
•Checks PDP for
authorization
•Validate research center
and scope
•Provides SQL PEP to
filter result set and return
anonymous data
Provide
employee and
research center
attributes to
PDP
Allows employee
access only to
anonymized data
pertaining to research
center scope
26
27. Health Care Systems Attribute and Policy Governance
Entitlement
Giving
Attributes
Functional
Application
#1
Functional
Application
#2
doc
doc
Ownership &
Responsibility
Change
Control
Provision
Verification &
Review
Analytics
Identities, certified entitlements & risk scores would be
used at the PIP and PDP to make smarter decisions
Axiomatics Policy Server
Axiomatics Policy Auditor
Governance Use Case
27
28. • Establish Governance
• Choose your standards
• Determine your attributes and metadata
• Determine your authoritative sources
• Create a taxonomy and data dictionary
• Understand your business processes
• Determine the business model
• Decide who will own policy/policy management
• Coordinate with stakeholders across organization, including
audit/compliance, privacy, and security operations
• Track performance
Are You Ready?
28