TECHNOLOGY BRIEF CA Technologies Solutions for Identity, Credential, and Access Management Michael Liou CA Security Management

Transcription

1 TECHNOLOGY BRIEF CA Technologies Solutions for Identity, Credential, and Access Management March 2011 CA Technologies solutions for identity, credential, and access management (ICAM) Michael Liou CA Security Management

2 table of contents EXECUTIVE SUMMARY 3 SECTION 1: Challenge 4 Enabling federal security and privacy ICAM Segment Architecture Use Cases SECTION 2: Opportunity 6 How CA Technologies solutions address ICAM Use Case 1: Create and Maintain Digital Identity Record for Internal User Use Case 2: Create and Maintain Digital Identity Record for External User Use Case 7: Provision and Deprovision User Account for an Application Use Case 10: Grant Logical Access SECTION 3: 15 Benefits SECTION 4: 16 Conclusions SECTION 5: 16 About the author 2

3 executive summary Challenge Virtually all government agencies conduct transactions involving sensitive data whether that be personally identifiable information (PII), electronic health records or other employee or citizen data. As the number of users and systems interacting with this data grows, the threats to this information and the IT infrastructure supporting it multiply as well. Identity, credential and access management (ICAM) plays a critical role in protecting the nation s IT infrastructure and citizens from cyber threats both internal and external. The challenge is that ICAM can be a complex and multifaceted requirement for each agency, supporting numerous organizational scenarios under varying conditions. Opportunity A daunting aspect of ICAM is the breadth of everyday scenarios in which identities, credentials and access decisions play a part. The good news is that robust solutions exist to aid in building not just a multi-layered defense-in-depth strategy, but an effective defense-in-detail infrastructure. This means truly understanding who is trying to access data, confirming the credentials they provide are accurate and enforcing the appropriate level of access for each user. In addressing these ICAM issues, agencies also have the opportunity to build a holistic infrastructure that not only secures sensitive resources, but enables collaboration and efficiency within and amongst agencies. Benefits The intent of the Federal Government s ICAM initiatives and related directives is to construct a consistent and secure IT infrastructure across agencies. If properly implemented, ICAM has the potential to deliver many benefits including improvements in: Security understanding who is attempting to gain access and having the necessary controls to limit that access reduces security risk. Compliance numerous cyber security directives and initiatives facing agencies today carry direct relevance to ICAM issues. Efficiency automated systems improve the cost of managing identity processes while consistency across agencies encourages interoperability and collaboration while also decreasing redundancy. User satisfaction all audiences, including employees, contractors, partners and citizens, can benefit from greater ability to directly interact with agency systems and higher levels of data protection. 3

4 Section 1: Challenge Enabling federal security and privacy In September 2008, the Federal CIO Council created the Identity, Credential, and Access Management Subcommittee (ICAMSC) with the charter of fostering government-wide identity and access management and enabling trust across organizational, operational, physical and network boundaries. Identity management has been highlighted as a critical cyber security issue, as stated by President Obama, The ICAM segment architecture will serve as an important tool for providing awareness to external mission partners and drive the development and implementation of interoperable solutions. 1 The considerable benefits of a consolidated federal approach to Identity, Credential, and Access Management was clearly evident long before the ICAMSC was created. Previously, the Homeland Security Presidential Directive 12 (HSPD-12) 2 and FIPS provided a directive and standard for the implementation of a common identity standard for federal employees and contractors. These requirements continue to be at the forefront of the federal cyber ecurity strategy. The Office of Management and Budget (OMB) Memorandum recently reiterated timelines for each federal agency to name officials responsible for monitoring and reporting on HSPD-12 PIV card adoption and for use in logical access to applications requiring NIST assurance level 3. ICAM segment architecture use cases The scenarios in which ICAM is involved can be complex consisting of a series of distinct identity issues, workflows and related solutions. Further complicating the issue is that these solutions often require interaction with one another. This provides dependencies but also opportunities to use them in conjunction to deliver greater value. Many agencies are struggling to determine a starting point with ICAM and worry that they may not have considered the requirements of other applications and stakeholders. To this end, the ICAMSC has published a Roadmap and Implementation Guidance document 4 which provides detailed guidance for federal agencies investing in ICAM programs. A particularly valuable aspect of that document is the definition of eleven ICAM use cases which describe the as-is state of identity management functions performed by federal agencies, the desired target state and the typical gaps between the two. These use cases are effective in demonstrating how the components of the ICAM segment architecture operate within the real-life context of related operational functions. ICAM use cases 1. Create and Maintain Digital Identity Record for Internal User 2. Create and Maintain Digital Identity Record for External User 3. Perform Background Investigation for Federal Applicant 4. Create, Issue, and Maintain PIV Card 5. Create, Issue, and Maintain PKI Credential 6. Create, Issue, and Maintain Password Token 7. Provision and Deprovision User Account for an Application 8. Grant Physical Access to Employee or Contractor 9. Grant Visitor or Local Access to Federally-Controlled Facility or Site 10. Grant Logical Access 11. Secure Document or Communication with PKI 4

5 Section 2: Opportunity How CA Technologies solutions address ICAM The Federal ICAM Roadmap and Implementation Guidance document provides a useful ICAM conceptual diagram, highlighting several individual components and how they work with one another. Agencies developing ICAM solutions will benefit from taking this same dual perspective: 1. A pragmatic determination of how each use case independently delivers value for your agency and how it can be efficiently addressed through a combination of people, processes and IT technologies. 2. A holistic view of how these use cases or individual ICAM systems interoperate with one another or leverage common infrastructure components. Figure A Security solutions from CA Technologies directly address the items highlighted in the ICAM conceptual diagram and complement Credential Management systems and processes. *Image provided by the ICAM Subcommittee and CIO Council Security Solutions from CA Technologies primarily address the Identity Management, Access Management, Federation and Auditing and Reporting functions depicted in the ICAMSC s conceptual diagram. The remainder of this paper examines how CA Technologies solutions function in the context of key ICAM use cases. Note, this paper is not comprehensive as CA Technologies solutions contribute in some manner to all eleven use cases. In addition, not all CA Technologies solutions which help address ICAM requirements are discussed in this paper. 5

6 Use Case 1: Create and Maintain Digital Identity Record for Internal User Target: the target state vision is for a digital identity to be created or modified once in the authoritative system(s) and for authoritative identity attributes to be linked and shared in an automated fashion with other systems across the enterprise. In this vision, a core identity record is established in a single authoritative repository. CA Technologies solutions: CA Identity Manager, CA Directory CA Identity Manager is a flexible and scalable solution for creating and maintaining identities and related user attributes. This enables administrators to establish and maintain a centralized source of user identity information while also delegating the management of specific attributes to the appropriate level of authority. It can also be accessed directly by end users to update selective aspects of their profile in a self-service approach. The attributes associated with each user profile can be based on custom configured attributes including contact information, physical characteristics, role information, user photo and many other details. CA Identity Manager can be integrated with end points to automatically synchronize user identity information across IT systems as they change. It also has the ability to identify when identity information is updated on an end point and can then make policy-based decisions about whether or not to update the central user profile and then synchronize these changes back out to other systems. This synchronization and provisioning of access associated with identities is discussed in more detail in Use Case 7. As identities are created and maintained on the massive scale required by many agencies, they must be stored in a high performance repository that is capable of handling this volume. CA Directory is a distributed directory which delivers superior levels of availability, reliability, scalability and performance. Independent testing has proven CA Directory s ability to scale to hundreds of millions of users and hundreds of servers in a distributed environment5. As an identity foundation, CA Directory imparts these enterprise class capabilities to each of the ICAM solutions which it supports. Use Case 2: Create and Maintain Digital Identity Record for External User Target: In the target state, many mission-specific external facing applications likely will continue to need to establish a basic record for users in order to grant access; however, it is intended that mission segments will have agreed upon standards for what information is collected to minimize the gathering of unnecessary data and enable greater information sharing where possible. CA Technologies Solutions: CA Siteminder, CA Identity Manager, CA Directory The requirements of creating and maintaining external user identities are similar to those of internal users (described in Use Case 1) in terms of establishing centralized identity stores and leveraging a scalable directory foundation. The difference when dealing with external user populations is that it 6

7 often involves user populations that are orders of magnitude larger than when dealing with internal users. For example, the number of US citizens potentially accessing an online taxpaying application (from tens of millions to over 100 million users) would greatly exceed the number of employees in even the largest agency. In addition, IT interactions between external users and federal agencies are often based on web applications. In addition to leveraging solutions described in Use Case 1, this requires considerations to securely register new users via the web and maintain these identities. CA SiteMinder works with CA Identity Manager to allow users to register new accounts and provides identity administration capabilities to maintain these identities. CA SiteMinder also provides a series of web access management capabilities which are further described in Use Case 10. Use Case 7: Provision and Deprovision User Account for an Application As-is: In the current state, the provisioning and deprovisioning of accounts are typically managed through manual, application-specific work streams. This creates a great administrative burden on application administrators across the large number of applications and associated users within the enterprise. Additionally, some provisioning processes employ paper-based approval workflows that are labor and time intensive. CA Technologies Solutions: CA Identity Manager, CA Role & Compliance Manager Virtually all agencies perform provisioning activities today, yet many are based on manual, paperbased processes and ad hoc coordination between Human Resources, IT staff and security personnel. Automating the workflow and approval processes associated with granting and removing access can significantly improve efficiency while allowing your agency to embed security controls such as segregation of duties, workflow and auditing into provisioning and deprovisioning activities. CA Identity Manager is a proven, enterprise solution for creating, modifying and removing access throughout the lifecycle of users, both internal and external. As new users are created or their entitlements change, the provisioning engine automatically creates accounts on related endpoint systems based on the user s roles or provisioning rules. As this access is granted, CA Identity Manager has the ability to evaluate security policies, such as segregation of duties, to confirm that users do not gain conflicting privileges which could put the agency at risk. CA Identity Manager is highly customizable, enabling automated processes to be configured to mirror the unique requirements of your agency. Provisioning actions can be triggered by a direct feed from an HR system or from the agency s existing service desk system, batch processes or direct input from administrators or the end users themselves. Workflow and delegation actions can be established to require proper approvals before sensitive access is granted or provide alerts at critical points along the process. In addition, when users change functions within the agency or cease to be employed, CA Identity Manager automatically disables or deprovisions a user by either suspending or completely deleting the user s accounts and privileges on end point systems. This prevents a situation where a terminated employee continues to have access after departing and their accounts represent a significant risk to the organization s sensitive data or systems. 7

8 Figure B CA Identity Manager provides a centralized solution for maintaining identity information, automating provisioning processes and auditing related actions. Process automation is critical to achieving the efficiency that reduces costs, time and personnel associated with provisioning and deprovisioning. However, even perfectly automated processes are only as good as the data that is being fed into the process itself. From an identity standpoint, this consists of the role and entitlements information that associates types of users to necessary access. CA Role & Compliance Manager enhances identity management projects through the identification of orphaned or ghost accounts, clean-up of user entitlements and development of accurate role-based access models. CA Role & Compliance Manager is built on a powerful analytics engine which enables optimization of user and entitlements information. This can be initially used to clean-up existing privileges by identifying users with excessive access rights or highlighting other anomalies associated with risky identity profiles. CA Role & Compliance Manager can then be used to identify patterns of access amongst users to suggest potential roles. CA Role & Compliance Manager includes a number of out-of-the-box role discovery methodologies, each with configurable parameters which can be adjusted to meet the needs of your agency. This accurate foundation of role and identity information can then be leveraged by provisioning processes automated by CA Identity Manager and other security processes such as entitlements certification and reporting. This can improve the effectiveness of provisioning actions as well as the experience for end users as they are presented meaningful identity data and business-friendly role descriptions. 8

9 Use Case 10: Grant Logical Access Target: Implementing LACS. A flexible centrally managed agency LACS is required to layer attributes and permissions, and map those to the authentication mechanism to make access decisions for all agency applications, including legacy. CA Technologies Solutions: CA Siteminder, CA Access Control Defense-in-depth is a common approach to logical access control where various controls are implemented to secure each layer of the IT infrastructure. These solutions must first authenticate users and then determine whether or not they are allowed to execute the desired action. One of the most exposed IT areas is the web layer. More and more applications are being ported to or developed for the web, providing users benefit with greater accessibility and convenience yet often presenting a broader risk profile for the organization. CA SiteMinder is an enterprise-class web access management solution providing user authentication, policy-based authorization, single sign-on and auditing. Instead of custom coding ICAM security into each distinct web application, agencies can implement a consistent set of best practice security capabilities across portal, internet and intranet applications. This reduces the cost of developing and maintaining these web applications while delivering a convenient web access experience for employees, contractors, partners and citizens. CA SiteMinder also provides centralized management of web authentication, authorization, auditing and reporting. Flexible access policies can be based on criteria such as user attributes or roles, group membership, location or time of access. These policies can restrict access to resources at various levels of granularity from the web page to the file or to the object level. In addition, CA SiteMinder supports the enforcement of different levels of strong authentication depending on the sensitivity of each application. Given the enterprise-wide nature of ICAM implementations and high traffic requirements of web applications, the scalability and reliability of web access management systems is critical. CA SiteMinder has proven ability to support populations of over 100 million users and high transaction rates 6. This superior performance is supported by robust capabilities such as load balancing, caching, server clustering, failover, replication and many others. 9

10 Figure C CA SiteMinder enables users to securely interact with web applications by authenticating users and enforcing appropriate policybased access. While not as accessible to general populations as the web layer, the operating system layer is perhaps the most critical area of vulnerability of the IT infrastructure. Insiders and privileged users with access at the host level often have the ability to compromise the sensitive data and systems which are running on a given server. CA Access Control is a host access control solution which authenticates privileged users and enforces policy-based authorization across physical and virtualized server environments. The challenge with operating systems is they often have all-powerful superuser accounts (such as root on UNIX) which are frequently shared among administrators. Any user with the superuser password can perform virtually any operation on a machine including copying data, starting/stopping services, installing software and even deleting audit logs. The risk presented by these accounts is intensified by virtue of their shared account usage if multiple users have the superuser password and are logging in via this account, there is no accountability for the individual user. CA Access Control provides the critical layer of security protection across server platforms, enabling fine-grained access control, policy-based management and the secure auditing essential for safeguarding electronic assets. Access policies can be designed to regulate access to server resources, programs, files and processes using a variety of criteria including the true user identity, login method, network attributes and many more. In addition, CA Access Control Privileged User Password Management helps provide accountability for access that is commonly performed via shared accounts by managing how users check-in and check-out passwords as needed. 10

11 Figure D CA Access Control enforces appropriate host-level access across physical and virtual environments based on fine-grained access policies. Gap: Need for enhanced role and attribute data to perform situational access control. The use of attributes for LACS decisions. Agencies should determine how to enable contextual (risk adaptive) role or attribute based access control based on established policy and rule sets and for real-time situational access control. CA Technologies Solutions: CA Arcot Webfort, CA Arcot Riskfort Username and password is the most common authentication method in use today. This is sufficient for some systems, but for applications, websites or operating systems containing sensitive or private data, basic username and password authentication is often unacceptable as defined by NIST requirements or for levels of assurance. CA Arcot Webfort is a flexible authentication server which allows you to secure your users and systems with a variety of effective, cost efficient multi-factor authentication methods. CA Arcot Webfort supports authentication types beyond username and password including security Q&A, OTP via SMS, or voice, OATH tokens, ArcotID, ArcotOTP or a combination of these. It also provides centralized authentication policy creation, management and enforcement for many applications and security systems including CA SiteMinder. CA Arcot Webfort can be deployed quickly and with the low total cost of ownership of a cloud-based model or as an on-premise solution. 11

12 Figure E CA Arcot WebFort enables efficient, centralized deployment of various strong authentication methods to increase the security of logical access. As stated in Use Case 10, a single method for authentication is not always sufficient at times contextual awareness is required to determine the level of sensitivity and thus, level of security control that must be enacted. CA Arcot Riskfort delivers risk-based, adaptive authentication by evaluating the level of security risk posed by logins or transactions before enforcing the appropriate level of authentication strength. For example, a data center has employees typically logging into a web application containing citizens personally identifiable information during business hours. In the event a login is attempted at midnight from an IP address outside the United States, CA Arcot Riskfort analytics would identify a heightened risk. The aggregate risk score can be created based on a number of criteria including defined access rules, location, transaction patterns, device fingerprints or other criteria consumed by the self-learning analytics engine. Based on this score, the user may be prompted to provide additional authentication or blocked from logging in. 12

13 Target: Enabling Federation. The target state will require agreement on versions, technologies, formats, and oversight mechanisms to transfer and trust identities and credentials across agency boundaries and with external entities. Establishing Trusted Identity Providers and similar mechanisms will enable service providers to make access decisions based on defined levels of trust. CA Solutions: CA Federation Manager Collaboration between agencies or even internally between agency divisions is becoming an increasingly common, and critical, requirement to federal operations. As users gain access to or securely authenticate with a single agency, they should be able to seamlessly access necessary resources on another trusted agency s infrastructure. CA Federation Manager is a standards-based identity federation solution that allows your agency to act as an identity provider, service provider or both in support of federated transactions. CA Federation Manager provides end-to-end administration to efficiently set up, test, deploy and manage federation partnerships. Federation is supported out-of-the-box via a number of standards including Security Assertion Markup Language (SAML) and WS-Federation. Once a relationship is established between partners, CA Federation Manager provides users with single sign-on and single logoff across federated security domains. Figure F CA Federation Manager provides standards-based identity federation for use by identity providers, service providers or both parties in a federated transaction. 13

14 Section 3: Benefits The most obvious objectives of ICAM are increasing security and data privacy. These goals are readily apparent in the desired target state of having LACS systems enforce the appropriate interaction with various web, host and mainframe IT systems. On the identity side, security begins with a trusted understanding of who each user is whether that is accomplished at a basic level through username and password or a stronger, advanced authentication method. Security is enhanced by continuing to manage the lifecycle of user identities to the point of removing access through automated deprovisioning. Properly implemented, these identity and LACS systems can combine to significantly reduce the risk of unknown, mistaken or improper access to sensitive infrastructure. Automating ICAM processes and controls also has the potential to offer significant benefits in terms of IT efficiency. The ability to establish an authoritative digital identity and automatically synchronize attributes among relevant systems can reduce redundancy and confusion. In addition, automating formerly manual identity processes, such as provisioning when users are created or modified as well as deleting account access, can minimize the cost and administrative overhead of maintaining appropriate user entitlements. Finally, enhanced ICAM processes serve the agency s internal security and IT organization while providing benefit to end users themselves. Intelligently providing security as needed for example, in risk-based strong authentication provides employees and citizens with the level of comfort that their interactions are protected and their data secure. Users have come to expect the convenience and confidence similar to the online banking experience which provides secure single sign-on across applications. Providing this experience across the Federal Government by leveraging a federated identity model can help to encourage greater collaboration. Your agency s approach to ICAM or the short- and long-term importance of each of the ICAM use cases will vary depending on your unique needs. Just as there is no single solution, there is no single benefit properly planned and implemented, ICAM solutions will provide a range of benefits across layers of your IT infrastructure and for each of the participating constituents. 14

15 Section 4: Conclusions Security breaches, originating from both internal and external sources, are increasing in frequency and severity. One needs only look as far as WikiLeaks or any number of other security events to see how the Federal ICAM strategy plays a strong role in safeguarding IT infrastructure, protecting confidential data and reducing risk. When current events do not serve as a weekly reminder, increasing regulatory pressures or Federal directives requiring security compliance provide another. The intent of these security mandates is not for the sake of legislation alone. It makes good sense that, at the most basic level, in order to protect data and key systems, you must understand two things: 1) Who is the person attempting to gain access, and 2) Should they be allowed to execute that access? While relatively simple questions, even a basic transaction such as a Federal employee logging into an agency s web portal can involve multiple decision points and require distinct controls which must be enacted. The good news is that the ICAMSC has developed a comprehensive and best practice approach to meeting the business needs associated with these identity and access issues. Furthermore, proven solutions exist which can empower your agency to successfully meet the security needs of the various use cases you may encounter. By combining an understanding of the scenarios which require identity and access security with the proper processes and controls, your agency can develop a secure, efficient and collaborative IT infrastructure and positive experience for users. Section 5: About the author Michael Liou is a Senior Principal Product Marketing Manager at CA Technologies, where he is responsible for the security product go-to-market strategy for the Public Sector. He has spent over 10 years in the software industry, with experience in solution consulting and most recently, leading product management at an enterprise mobile application software company. Michael has a Bachelor of Science in Operations Research and Industrial Engineering from Cornell University and is a Certified Information Systems Security Professional (CISSP). To learn more about CA Technologies Security solutions and how they can help you agency address ICAM or other security initiatives, please visit ca.com/us/products/industry-solutions/public-sector/ Security.aspx. 15

16 CA Technologies is an IT management software and solutions company with expertise across all IT environments from mainframe and distributed, to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 rely on CA Technologies to manage their evolving IT ecosystems. For additional information, visit CA Technologies at ca.com. 1 FY2010 Budget, 2 Homeland Security Presidential Directive 12, 3 Federal Information Processing Standard 201-1, 4 idmanagement.gov/documents/ficam_roadmap_implementation_guidance.pdf 5 ca.com/files/industryresearch/wam-solution-hmu-test-us_ pdf 6 ca.com/files/industryresearch/wam-solution-hmu-test-us_ pdf Copyright 2011 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CS0899_0311