The State of California

Transcription

1 The State of California CIO Academy Identity Access Management Denise Blair, Chief Information n Officer California Department of Mental Health for Executives February 27, 2008

2 Agenda Introduction Denise Blair Identity Access Management (IAM) Top Questions Denise Blair State of CA IAM Initiative Status Lee Macklin EDD State of CA IAM Case Study Dale Jablonsky IAM Panel Discussion Denise Blair Panelist Members: Russell Jones - Principal/Enterprise Risk Services Deloitte John Bennett Security Specialist Oracle Steven Greenspan - Director of Eng. & Ops. IdM Northrop Grumman Dale Jablonsky Chief Information Officer EDD Q & A 2 2

3 Goals Identify Top IAM Questions every CIO needs to be able to answer to their Executives Update on the state of Identity Access Management at The State of CA Share State of CA Case Study on EDD s IAM Initiative Share Industry Insight on the Identity Access Management Provide resources to show you how begin your IAM initiativei i i 3 3

4 Top pq Questions 1. Does your IAM initiative/project have a "champion" within a line of business (or lines of business)? 2. Does the IAM initiative/project have a clear correlation to a "hot button" operational or compliance issue (e.g. access controls/sod; better customer service through self service, etc..)? 3. Has an IAM strategy and implementation roadmap been developed and if so, does the strategy/roadmap indicate clear, vetted input from the lines of business, human resources, risk management, and internal audit? 4 4

5 Top Questions 4. Is the driver behind the IAM initiative/project someone in one of the lines of business/corporate functions (e.g. HR) or a software vendor? 5. Is the person that you have put in charge of running the IAM initiative/project skilled in cross-functional initiatives? Do they have a track record of working well with liasons from the lines of business/corporate functions? 6. Is the IAM initiative/project aligned with your enterprise architecture (e.g. SOA) and architectural governance processes? 5 5

6 Top Questions 7. Is the IAM initiative/project aligned with (or supports) strategic/tactical c c enterprise e initiatives (e.g. major ERP deployment/upgrade, enterprise portal, etc..) 8. Has the selected IAM technology been through a vetting process which included input (in the form of business/functional requirements) from the lines of business/corporate functions? 9. Is the selected IAM technology a niche player/point solution? How long have they been in business and does their vision/strategic roadmap line up with your vision/strategic roadmap? 6 6

7 The State of California CIO Academy Identity Management Office of State CIO Perspectivce February 20, 2008 Lee Macklin, Acting Director California Enterprise Architecture t r Programr Office of State CIO

8 Actively Working On Establishing SOA Infrastructure DTS RFI Drafting Common Language for SOA & Identity Management Multi-department effort Shared Services Processes & Policies Department projects Federated Identity Management Progress toward State model Citizens, Medical Providers 8 8

9 SOA Reference Architecture Users Access Points Service Management Enterprise Service Bus Service Registry Web Services Platform Network Browsers Voice User Channel PC PDA Cell Phone IPhone IVR Interface Portals / Websites Web Applications ASP JSP HTML CSS Orchestrated Web Services Service Discovery Service Transformations Service Mediation, Routing, Logging, Auditing Identity Policy Enforcement Single Sign-On Atomic Composite Data Access Federated Voice/XML Mainframe UNIX Windows.NET Java J2EE COBOL CICS Firewalls Routers XML Accelerators Proxy Servers TCP/IP User Interactions Business Process Messaging Management Authentication Business Logic/Rules System Administration Network Administration Polic Security, cy, Process, M Operations Monitoring, Re, & Governa eporting, Usa ance age Tracking 9 9

10 Identity Management & SOA Users State Employee Individual Business Partner Phone Web Call Center Voice Portal Web Portal Security Infrastructure Security Policies Authentication Authorization Provisioning Enterprise SOA Infrastructure Web Service Management Web Service Monitoring and Reporting FTB DHCS DMV Service Providers OSHPD CDCR DMH DOT LA County Business Partner EDD CalRHIO DCA Web Services Verify SSN Meds Eligibility County Employee Etc. Smart Clients Auditing Identity Providers Address Change Virtual Directory Service Individuals County Employees Prof License Verification Web Service Security Attributes State Employees Medical Providers Vital Statistics 10 10

11 Web Services Security Key Elements according to Federal Guide to Securing Web Services (NIST , August 2007) Confidentiality of Web service messages using XML Encryption (W3C standard) Integrity of Web service messages using XML Signature (W3C) and X.509 certificates (IETF) Web service authentication and authorization SAML, XACML (OASIS standards) Web Services Security (OASIS standard) End-to-end SOAP messaging security Security for Universal Description, Discovery, and Integration ti (UDDI) (OASIS standard) d) 11 11

12 Authentication Levels Assurance levels according to Federal E-Authentication Guide (NIST ) Level 1 Basic UserId and Password, Challenge-Response protocol Level l2 Single Factor ( Remote Provider ) XML Encryption, Shared secrets, Identity Provider, SAML Level 3 Multi-factor ( Proof of Sender ) XML Signature, Identity Provider, SAML Software (digitally signed, encrypted X.509 certificate/pki) Hardware tokens or One time passwords Level 4 Hardware (physical) tokens only Typically smart cards with hbio information i 12 12

13 Challenges Service Providers have different authentication policies Users are defined differently across organizations Many standards,,p protocols, and frameworks to choose from Lack of enterprise perspective for project management and dfunding Restrictions on viewing/sharing information across organizations. Governance model details need additional work 13 13

14 Questions

15 The State of California CIO Academy Identity Access Management EDD Case Study February 27, 2008 Dale Jablonsky Chief Information n Offices Employment Development Department

16 Roadmap to Identity Management 1. Identity Management Requirements Workshop 2. Identity Management Product Selection 3. Identity Management Implementation Strategy 16 16

17 Identity Management Workshop Identity Management Background and Introduction EDD Baseline Environment Use Cases Key Requirements Conceptual Architecture Potential Vendors Recommendations &Next tsteps 17 17

18 Identity Management Introduction Identity Data Services Provisioning i Services Authentication Services Access Policy Enforcement Infrastructure Federated Identity Services Management and Audit Services 18 18

19 EDD Baseline Environment 1. Account Lifecycle Management 2. Applications, Authentication and Authorization 19 19

20 EDD Baseline Environment 1. Account Lifecycle Management Citizens/Clients (Individuals) State Employees/Contractors Employers (G2B) Agents Government Partners (G2G) Federal Agencies State Agencies Local Government Agencies 20 20

21 EDD Baseline Environment 2. Applications, Authentication and Authorization Citizens/Clients (Individuals) State Employees/Contractors Employers (G2B) Government Partners (G2G) Federal Agencies State Agencies Local Government Agencies 21 21

22 UI & DI Benefits Use Cases Child Support Services & Benefit Offsets EDD Access to DMV (anti-fraud) EDD Access to SSA EDD Employee Account Provisioning Local Gov t Access to Workforce Investment Employer Registration EDD Application Access (Tax, Claims, Jobs, etc.) 22 22

23 Unique Identifiers Key Requirements Consistent Management of Identity Data Federation with other Government entities Authorization by Roles Workflow Routing Audit Reporting Directory Integration Delegated Administration Self-service Administration 23 23

24 EDD Identity Management Conceptual Architecture 24 24

25 Potential Vendors Provisioning Oracle IBM Role Engineering Bridgestream Eurekify 25 25

26 Recommendations & Next Steps Make it a Department Initiative Select Vendor(s) Detail Design and Deployment Strategy Evangelize & Educate other State Agencies Determine the role of the DMV (Real ID Act) Propose & Adopt formal Identity Management Governance Develop Identity Management Taxonomy Begin a Discovery Phase 26 26

27 Identity Management Product Selection Identity Management Selection Criteria Architecture Philosophy Product Suites vs. Point Products Best of Breed Identity Management Suites 27 27

28 Identity Management Selection Criteria Directory Services Authentication Access Management User Provisioning Password Management Delegated Administration Virtual Directory Meta-Directory Enterprise Single Sign On (SSO) Audit 28 28

29 Identity Management Suites vs. Point Products How much Integration do you want to sign up for? Integration is not just a one-time event, it is perpetual! Integration points must be managed during engineering, break/fix, upgrades and expansion (in other words, forever) He more integration, the less IT Productivity 29 29

30 Point Products Example Novell Directory & Meta Directory MaXware Virtual Directory RSA Authentication & Access Mgmt. Blockade User Provisioning ii i & Password Mgmt. Entrust Audit & Delegated Admin

31 Identity Management Environment Integration ECM System ERP System CRM System Custom Application System 1 Custom Application System N 31 31

32 Best of Breed Identity Management Suites Oracle IBM CA Sun BMC HP Microsoft 32 32

33 Identity Management Implementation Strategy EDD/DTS Selected Oracle for Individual Identity Management EDD will retain IBM for Business Identity Management FI$CAL will determine State EE Identity Management Active membership on Statewide SOAG Governance where Identity Management is primary focus DOL Grant of $600, for Identity Management Pilot Identity Management is Incorporated into all EDD RFP s Identity Management bake-off 33 33

34 Implementation Strategy DOL Grant 1. Enterprise Identity Management System 2. Web Applications Access Management: Authentication, Authorization, & SSO 3. SOA Web Services Authentication Services 4. CardSpace Identity Solution for Web Sites 5. Enterprise Identity Federation System for Claimants 6. Virtual LDAP Directory System 34 34

35 Strategy Incorporating into EDD RFP s UI Modernization RFP Call Center Network, Platform & Application Upgrade (CalNet II) Individual access to personal data using IVR Continued dclaims Redesign Individual id access to personal data using Internet Tax Automated Collection Enhancement System (ACES) RFP Business access to personal data using Internet DI Automation RFP Mdi Medical lprovider access to Health data using Internet 35 35

36 The State of California CIO Academy Identity Access Management Panel Diacussion February 27, 2008 Dni Denise Blir Blair Moderator

37 Panel Members Russell Jones Principal/Enterprise Risk Services Deloitte John Bennett Security Specialist Steven Greenspan Director of Eng. & Ops. IdM Dale Jablonsky Chief Information Officer Oracle Northrop Grumman EDD 37 37

38 Questions 38 38