IBM Tivoli Security Solutions. Oleg Bascurov IBM Tivoli Technical Sales

Transcription

1 IBM Tivoli Security Solutions Oleg Bascurov IBM Tivoli Technical Sales

2 IBM Tivoli Security Management 2 Authentication Authorization Access Control Non-Repudiation Data Classification Auditing PKI Integration Security Policy Management Application Level Security Framework Single Sign-On Global Revocation Risk Management Intrusion Detection Network Security, Firewalls Cryptography Open standards... and more...

3 3 Identity Management Benutzer, Systeme und Applikationen Konfigurierbare Freigabeprozesse Web Self-Care Identity- Management Herkömmliches Vorgehen! Userverwaltung in verschiedenen Systemen! Rechte und Rollen werden Applikationsabhängig implementiert! IT-Prozesse passen nicht zu Business- Prozessen Empfohlenes Vorgehen! Zentrale Userbeantragung per Webformular! Rechte- und Rollenprofile werden zentral verwaltet! IT implementiert Businessprozesse

4 MANAGING USERS 7 issues 4 Complex management of users (many roles, many applications, many devices) Single management console for all Productivity issues due to delays Web based automated workflow Huge inefficiencies and opportunities for human error Set up each user once and then propagate Expensive helpdesks due to password reset and access queries Users manage own passwords/personal details with SINGLE PASSWORD Manual & labour intensive process Automated and efficient process User accountability and audit can be difficultimpossible Audit centrally for all user activity, easily Different skills and processes needed for each operating system/application One console for managing all. Delegated administration for maximum efficiency Students Employees Admins Partners OS/390 RACF MQSeries Applications Databases OS Directories HR Systems Others Policy Director LDAP Delays Costly help desk Password Changes Errors with corporate policy Repeated data entry Hard to audit Manual approvals Lack of central control Manual process Backlog delays Lost requests Repeated data entry Hard to audit/track Scalability problems High admin costs Poor validation Access delays Hard to audit/track Impossible to implement /police corporate security policy No management information about user activity No integration with other IT/Business Processes Huge inefficiencies

5 Identity Management Defined 5 Users Collect Process Provision Leverage Web Interfaces Workflow Provisioning Engine LDAP Employees Students Partners Admins Human Res. Database Help Desk Self Self-Registr Self Self-Help Direct Admin Import Approvals Notification Validation Default Def. Reconciliate User Definitions Access Control Reports Billing Access Rep. SSO Audit Org Charts Data Mining White Pages Others. OS NOS DIRs Security-Rep DB Web-Apps Apps

6 IBM Tivoli Identity Manager 6 Users Admins " Single point of managing users and access " Automated provisioning of resources " Self-care account and password resets " Web Delegated Administration " Auditing & Reporting Mechanisms Resources Applications Employees Web Delegated Admin Auditing Databases Students Web Self- Service Workflow Automated Access Mgmt Operating Systems Web Password Reset Identity Manager Partners Reporting Directories

7 IBM Tivoli Identity Manager v1.1 - Architecture 7 Client Client Client - User - Administrator (Approver, Manager) - Security Administrator Identity Manager Web Interface Workflow Read/Write Access Identity Manager Management Server Read-only Access User Profiles / Security Profiles Tivoli User Administration / Tivoli Security Manager / Tivoli Management Framework Database Synchronization LDAP Endpoint Directory Server (LDAP) User Registry (Users, Groups, Roles) Endpoints Toolkit Apps UNIX Linux Windows NT / 2000 Novell AS/400 S/390 Notes SAP Oracle

8 MANAGING USERS Fixing the issues 8 Complex management of users (many roles, many applications, many devices) Single management console for all Productivity issues due to delays Web based automated workflow Huge inefficiencies and opportunities for human error Set up each user once and then propagate Expensive helpdesks due to password reset and access queries Users manage own passwords/personal details with SINGLE PASSWORD Manual & labour intensive process Automated and efficient (WORKFLOW) User accountability and audit can be difficultimpossible Audit centrally for all user activity, easily Different skills and processes needed for each operating system/application One console for managing all. Delegated administration for maximum efficiency Customers Partners Suppliers Employees Web Password Resets \Web Delegated Admin Web Self Service Workflow Manage All Users Centrally User Provisioning Auditing Reporting Identity Manager OS/390 RACF MQSeries Applications Databases OS Directories HR Systems Others LDAP

9 Biggest Security Concern: Access Control 9 Access Control 202 Viruses 52 VPNs 44 Privacy/Encryption Firewalls Remote User Access Education Monitoring Abuses 18 Other 77 # Respondents Siehe auch: Spiegel April 2002, PC-Welt April 2002 source: survey of 553 IT Managers, Network Computing Research, published in 3/20/00 Internet Week

10 Zugriffskontrolle in der Anwendung 10 Systeme und Applikationen, z.b. Web-Applikationen Mehrere Plattformen und Regelwerke Stationär und mobil (WEB/WAP) Anwendungssicherheit Herkömmliches Vorgehen! Security-Code in jeder einzelnen Applikation! Viele verteilte Datenbanken mit Benutzerdaten! Gemeinsame Rollen über mehrere Applikationen nicht darstellbar Empfohlenes Vorgehen! Gemeinsame Zugriffskontrolle für alle Applikationen! Zentrales Userverzeichnis! Berechtigungsänderungen für Rollen wirken unmittelbar in allen Applikationen

11 Benefits of Common Security Services 11 Old Way # Security coded into each application # Update user access policy? Multiple places! # Individual sign-on to each application With Access Manager # Common security services, separate from application - Open standard-based authorization framework # Consistent, delegatable admin # Single sign-on for web apps

12 Standard-based authorization framework 12 Tivoli Access Manager Authorization API Open Group Authorization API (Generic Application Interface for Authorization Frameworks) International Organization for Standardization (ISO) model for authorization

13 Broad scope Policy Server User ACL 13 Client Browser Websphere App. Server Java Appl. OS User OS User MQ Appl. Security Layer Reverse Proxy WebSEAL AM for WAS AM for WAS PDPermission AM for OS AM for MQ Series Protected Resource Web Resource servlets EJBs Protected Resource UNIX Resources Queued Message

14 Access Manager for e-business User Policy Server ACL 1 2 Internet DMZ AM Rev.Proxy Private Network Support multiple means of identity (uid/pwd, X.509, etc.) Keep the information flow confidential Provide authorization services (Web + application) and Single Sign-on Enable: Centralized, delegatable administration Comprehensive, policy-based audit Ensure high availability and scalability Manage risk actively analyze security alerts

15 Access Manager for Operating Systems 15 Access Manager Server User Request User Mode Kernel Mode Access Manager Database AMOS Processes LDAP Server AMOS Kernel Interception Native OS Services Replicated Access Manager Database Credential Cache User Registry $ Finer-grained authorization for UNIX systems, via an interceptor $ Essentially locks down UNIX Servers $ Addresses the "root" problem $ Runs on: AIX HP-UX Solaris Red Hat Linux SuSE Linux

16 Identity & Access Management 16 Users Employees Business Logic Create, Delete, & Modify User Info Web Delegated Admin Web Password Reset Tivoli Identity Manager System/Application Definitions Resource Provisioning Users & Access Control Policies Resources Applications, Databases HR/Admins Web Self- Service LDAP OS/NOS NOS s, Directories Customers Partners Suppliers HR Systems Workflow Tivoli AM for e-bize Tivoli AM for OS OS/390 Web / Java Resources UNIX / Linux Security Engine (lockdown)

17 Risikomanagement 17 Management von existierenden Sicherheitskomponenten durch Ereignis-Monitoring Zentrales Management senkt Betriebskosten Auditing und Reporting Risiko- Management Herkömmliches Vorgehen! Manuelles Kontrollieren der Router, Firewall und IDS Logdateien! Administratoren werden erst nach einem Schaden aktiv! Nur einzelne Systeme werden auf Ihre Sicherheit hin untersucht Empfohlenes Vorgehen! Automatische Erfassung aller Ereignisse in Echtzeit! Automatische Abwehrmechanismen auf Basis eines Regelwerks! Ganzheitliche Sicht auf die IT- Sicherheit im Unternehmen

18 The Problem: Multiple Point Products - No Consolidation 18 No Integration No Control No Security Content Violations Denial of Service Attacks Unauthorized Accesses CGI Vulnerabilities GUI GUI GUI GUI Firewall Monitoring IDS Monitoring Access/Policy Monitoring Web Server Monitoring $ Many sources of alarms, alerts $ Single problem can generate hundreds of events $ Poor operator productivity because of multiple consoles $ Staff can t t zero in on the critical, relevant problems

19 Risk Manager - consolidation & correlation 19 Application Server Intrusion Detection WEB Server FireWall Router Vulnerabilities Antivirus Firewall IDS WEB Routers OS Network IDS SNMP Console Tivoli Risk Manager Console

20 Risk Manager Goal: Present 1 Event per Attack 20 After correlation... crisp, actionable information

21 21 Risk Manager - sensors CheckPoint FW-1 Cisco PIX Firewall IBM Firewall ISS RealSecure Network Engine Cisco Secure IDS Tivoli Network IDS Symantec Norton AntiVirus for Desktops McAfee VirusScan Tivoli Risk Manager ISS RealSecure System Agent Tivoli Host IDS for Windows, AIX and SUN Servers % Argus PitBull % ClickNet Entercept % Gillian G-Server % Lockstep WebAgain % NFR Secure ID % Zone Labs Zone Alarm % Other Partners IBM Research Network and Web Scanners Cisco Routers Tivoli Web IDS for Policy Director, WebSphere, Microsoft IIS,Domino, Apache, Netscape Web Servers

22 Risk Manager - reporting 22

23 Summary 23 Access Manager e-business Access Management Web/Appl Servers, MQSeries, Java applications, etc. Tivoli Security Mgmt Identity Manager Enterprise Identity Management Windows UNIX OS/390 Threat Management AS/400 Other Risk Manager Firewall Intrusion Detection Vulnerability Assessment Anti-Virus

24 IBM Tivoli Provides the World s Leading Security Software 24 Winner, Mindcraft Performance Benchmark (NEW!) Winner, Gartner Leadership Quadrant (NEW!) Winner, 2002 Crossroads A-List Award (NEW!) Winner, Frost & Sullivan Market Excellence Award Winner, Information Security Excellence Award Winner, VARBusiness Annual Report Card

25 Vielen Dank für Ihre Aufmerksamkeit Weitere Informationen: