Government of Canada Directory Services Architecture. Presentation to the Architecture Framework Advisory Committee November 4, 2013

Similar documents
Shared Services Canada (SSC)

Introduction to Identity and Access Management for the engineers. Radovan Semančík April 2014

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

CYBER AND IT SECURITY: CLOUD SECURITY FINAL SESSION. Architecture Framework Advisory Committee November 4, 2014

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

IDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach

The Unique Alternative to the Big Four. Identity and Access Management

Enterprise Identity Management Reference Architecture

Oracle Identity Manager (OIM) as Enterprise Security Platform - A Real World Implementation Approach for Success

Single Sign On. SSO & ID Management for Web and Mobile Applications

Identity Management with midpoint. Radovan Semančík FOSDEM, January 2016

Identity Management Basics. OWASP May 9, The OWASP Foundation. Derek Browne, CISSP, ISSAP

Open Source Identity Management

Federated Identity and Single Sign-On using CA API Gateway

The Top 5 Federated Single Sign-On Scenarios

Identity and Access Management Point of View

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

WHITEPAPER OpenIDM. Identity lifecycle management for users, devices, & things

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Security management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value.

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity and Access Management

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

Identity Management Overview. Bill Nelson Vice President of Professional Services

Strategic Identity Management for Industrial Control Systems

Identity and Access Management Policy

IDENTITY INFORMATION MANAGMENT ARCHITECTURE SUMMARY Architecture and Standards Branch Office of the CIO Province of BC People Collaboration Innovation

Shared Services Canada and Cloud Computing Architecture Framework Advisory Committee

Interoperate in Cloud with Federation

Utilizing LDAP for User Profile and Corporate Structure Integration

Integrating Hitachi ID Suite with WebSSO Systems

Microsoft. Course 20463C: Implementing a Data Warehouse with Microsoft SQL Server

COURSE 20463C: IMPLEMENTING A DATA WAREHOUSE WITH MICROSOFT SQL SERVER

Centralized Oracle Database Authentication and Authorization in a Directory

Customizing Identity Management to fit complex ecosystems

Implementing a Data Warehouse with Microsoft SQL Server

STATE OF NEW YORK IT Transformation. Request For Information (RFI) Enterprise Identity and Access Management Consolidated Questions and Responses

Documentation. CloudAnywhere. Page 1

Apache Syncope OpenSource IdM

44 th International Council for Information Technology in Government Administration (ICA) Conference

EXECUTIVE VIEW. EmpowerID KuppingerCole Report. By Peter Cummings October By Peter Cummings

Simplify Identity Management with the CA Identity Suite

Masdar Institute Single Sign-On: Standards-based Identity Federation. John Mikhael ICT Department

Implementing a Data Warehouse with Microsoft SQL Server 2014

managing SSO with shared credentials

Identity. Provide. ...to Office 365 & Beyond

LinuxCon North America

Configuring Windows Server 2008 Active Directory

IQS Identity and Access Management

Implementing a Data Warehouse with Microsoft SQL Server

ITKwebcollege.ADMIN-Basics Fundamentals of Microsoft Windows Server

PeopleSoft Enterprise Directory Interface

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Workplace Technology Devices: Session 4. Architecture Framework Advisory Committee Meeting April 16, 2014

Implement a Data Warehouse with Microsoft SQL Server 20463C; 5 days

API-Security Gateway Dirk Krafzig

Identity Management Roadmap and Maturity Levels. Martin Kuppinger Kuppinger Cole + Partner mk@kuppingercole.de

Implementing a Data Warehouse with Microsoft SQL Server

Global Headquarters: 5 Speen Street Framingham, MA USA P F

The Primer: Nuts and Bolts of Federated Identity Management

Business-Driven, Compliant Identity Management

Research. Identity and Access Management Defined

Automated User Provisioning

Quest One Identity Solution. Simplifying Identity and Access Management

Getting Started with Multitenancy SAP BI 4.1

White paper December Addressing single sign-on inside, outside, and between organizations

Sun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost

Windows Server 2003 Active Directory: Perspective

Select the right solution for identity and access governance

Can I customize my identity management deployment without extensive coding and services?

Course 10777A: Implementing a Data Warehouse with Microsoft SQL Server 2012

An Oracle White Paper Dec Oracle Access Management Security Token Service

IDIM CORPORATE PROVISIONING ARCHITECTURE Architecture and Standards Branch Office of the CIO Province of BC People Collaboration Innovation

Unifying framework for Identity management

Building an identity repository is at the heart of identity and access management.

SaaS at Pfizer. Challenges, Solutions, Recommendations. Worldwide Business Technology

Implementing a Data Warehouse with Microsoft SQL Server 2012

White Paper. What is an Identity Provider, and Why Should My Organization Become One?

Physical/Logical Access Interoperability Working Group

Identity Governance Evolution

Presentation to House Committee on Technology: HHS System Identity & Access Management

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Approaches to Enterprise Identity Management: Best of Breed vs. Suites

Encore Software Solutions (V3) Identity Lifecycle Management and Federated Security Suite (ILM/FSS) Overview and Technical Requirements

Extend and Enhance AD FS

Aurora Hosted Services Hosted AD, Identity Management & ADFS

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory. Overview August 2008

The Four "A's" of Information Security

Stephen Hess. Jim Livingston. Program Name. IAM Executive Sponsors. Identity & Access Management Program Charter Dated 3 Jun 15

Implementing a Data Warehouse with Microsoft SQL Server 2012

Role Based Identity and Access Management Basic Infrastructure for New Citizen Services and Lean Internal Administration

PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者

Business and Process Requirements Business Requirements mapped to downstream Process Requirements. IAM UC Davis

can I customize my identity management deployment without extensive coding and services?

Arisant s Identity Management (IdM) for K-12 Education

Integrated Identity and Access Management Architectural Patterns

CA Single Sign-On Migration Guide

Transcription:

Government of Canada Directory Services Architecture Presentation to the Architecture Framework Advisory Committee November 4, 2013 1

Agenda TIME TOPICS PRESENTERS 9:00 9:15 Opening Remarks Objective for Today s Meeting Benoît Long, Chair Wade Daley, Vice-Chair 9:15 9:45 Directory Services Architecture Presentation Gail Eagen, Director General 9:45 10:00 Health Break 10:00 11:45 Discussion 11:45 12:00 Closing Remarks Next Meeting: December 2013 or January 2014 (early) Gail Eagen, Lead Benoît Long, Moderator All Chair 2

Government of Canada: Identity Credential Access Management Problem Statement* The Government of Canada (GC) does not properly manage the identity information of employees and consultants, resulting in: increased cost through duplication of directories and authentication mechanisms across all the departments; slow provisioning of users, which decreases productivity; unreliable de-provisioning of users, which increases security risk; inability to share enterprise identity attributes (such as security clearances) inhibits the sharing of information or access to buildings for meetings between GC departments and agencies; a prerequisite component that needs to be in place for Shared Services Canada (SSC) to enable enterprise IT service delivery; a prerequisite component to deliver an enterprise identity credential access management (ICAM) service; and directory services are not well understood, and the GC does not have an agreed upon lexicon, taxonomy or common terminology to describe directory services. *N.B.: from Treasury Board Secretariat of Canada (TBS) 3

Directory Services is Foundational A directory is a strategic component of ICAM; however, the directory in itself is at the very heart of IT service delivery. Directory objects and artifacts include people, and credential attributes required for ICAM as well as many other objects and attributes required to operate an IT service. IT Service Delivery Logistics ICAM Directory Services 4

Directory Service: The Information Hub of the IT Service Users Servers Clients Applications Directory Network Devices Email Servers Directory Lookups Firewall Services 5

Many Different Objects with Multiple Attributes Many different objects All aspects of the IT service platform Many attributes per object Different naming conventions for objects and attributes Different processes, policies 6

Directories: Variety of Implementations/Complex/Mission Critical Different schema Different object naming conventions Different attribute naming conventions Different vendor technology Critical to keep the lights on (KTLO) for general IT service delivery Complex legacy implementations Different processes, logistics and policies 7

GC Directory: Current State No enterprise directory = No enterprise services No data centre (DC), workplace technology devices, ICAM and network infrastructure directory, etc. Most directories provide a departmental view. The Government Electronic Directory Service (GEDS) and the Pay Modernization initiative (PayMod) are exceptions. Distributed directories mostly by department multiple objects (attributes) Designed for departmental-based service Applications Credentials People Policies DC & Network Assets Network Assets DC Assets People Security Attributes PayMod (Pay attributes) Network Assets DC Assets Applications Credentials People GEDS (people attributes) Dept. A Dept. B Dept. C Dept. D Dept. N Network Assets DC Assets Security Attributes People DC Applications Assets Credentials Security Attributes Network Assets People x 43 partner departments/agencies Over 200 directories Mostly Microsoft Active Directory, with lightweight directory access protocol (LDAP), Oracle, Novell and X.500 Different objects, elements, naming conventions, vendors and schema Different processes, policies and logistics 8

Enterprise Directory Service Approach: Option 1 Big Bang Approach Directories End State Depth of Data (Number of Users) Directories Current State Breadth of Data (Number of Attributes Synchronized) 9

Enterprise Directory Service Approach: Option 2 An Incremental Opportunity-based Approach Depth of Data (Number of Users) Phase 5 Next Incremental Change Phase 4 Next Incremental Change Phase 3 Next Incremental Change (ICAM) Phase 2 More People, Attributes and Services (Next Incremental Change GCNet) Phase 1 Small Subset of People, Attributes and Services (Email Transformation Initiative) Breadth of Data (Number of Attributes Synchronized) 10

Questions Engaging Discussion 1. Can or has an enterprise directory been done before across multiple platforms and/or across multiple organizations? 2. What IT standards could be applied to fulfill the enterprise directory and the directory synchronization services described in the preceding presentation? 3. Are you aware of a state-of-the-art enterprise directories data model (conceptual and logical)? 4. Are there any lessons learned or recommended strategies to apply in reconciling various data sources that contain conflicting information to essentially clean up the various source systems over time? 11

Questions Engaging Discussion 5. What technologies or best practices can be applied to solve the problem of identical name collisions and name confusion across a diverse enterprise organization such as the GC? 6. What are the primary advantages and disadvantages of maintaining continued vendor diversity in the area of enterprise directory services across multiple GC organizations? 7. Would you recommend a big bang or an incremental approach to the development of a GC enterprise directory service? 12

Annex 13

How Does Identity Management Differ from Directory Services Directory Service Defined Wikipedia A directory service is a shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is an important component of a NOS (Network Operating System). In the more complex cases [the] directory service is the central information repository for [the IT] Service Delivery Platform. For example, looking up "computers" using a directory service might yield a list of available computers and information for accessing them. The directory is the enabling technology that allows us to associate all of the objects we manage; the user is just one of many. It is not enough to know your identity and authenticate you at log on. Every time you access a resource on the network, that resource has to know your identity and be able to look up attributes and values associated with it. This means that all objects must exist in a common directory or in directories that trust each other. 14

How Does Identity Management Differ from Directory Services Identity Management Defined Wikipedia Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. Identity management systems, products, applications and platforms manage identifying and ancillary data about entities that include individuals, computerrelated hardware and applications. Technologies, services and terms related to identity management include [Directory Services], Service Providers, Identity Providers, Web Services, Access control, Digital Identities, Password Managers, Single Sign-on, Security Tokens, Security Token Services (STS), Workflows, OpenID, WS-Security, WS-Trust, SAML 2.0, OAuth and RBAC [Role-Based Access Control]. It covers issues such as how users are given an identity, the protection of that identity and the technologies supporting that protection (e.g., network protocols, digital certificates, passwords, etc.). 15

Directory Terminology In computer science, an object is a location in memory that has a value and that is referenced by an identifier. An object can be a variable, function, or data structure. Objects fall into two broad categories: resources (e.g., printers) and security principles (user or computer accounts and groups). A principal in computer security is an entity that can be authenticated by a computer system or network. Principals can be individual people, computers, services, computational entities, such as processes and threads, or any group of such things. They need to be identified and authenticated before they can be assigned rights and privileges over resources in a network. A principal typically has an associated identifier (such as a security identifier) that allows it to be referenced for identification or assignment of properties and permissions. 16

GC ICAM Components* Identity Management Background investigation On-boarding Authoritative attributes Lifecycle management of identity and attributes Credential Management Sponsorship Enrolment Creation of credentials at multiple levels of assurance Issuance Lifecycle management of credentials Access Management Resource management Privilege management Policy management Logical access Physical access *N.B.: from TBS One identity with many attributes linked to two to three credentials and many resources. 17

GC ICAM Identity Management* Identity Management Background investigation On-boarding Authoritative attributes Lifecycle management of identity and attributes background investigation New Screening Identity Repository on-boarding Blackberry Enterprise Telecom PBX New Digital Identity Lifecycle Management Create authoritative attributes Official Languages Database Network Access Databases (e.g. Active Directory) Facilities Databases Contractor Contractor Databases DBs Departmental Departmental HR HR Databases DBs Provision pay record Pay Databases People Repositories *N.B.: from TBS 18

Proposed Interim Solution for Email Transformation Initiative SSC wants to reduce the number of directories it operates. Where directories are completely integrated into a vendor product (such as an Email Transformation Initiative (ETI) proprietary directory), these directories would be provisioned from a general-purpose SSC foundational directory. It is acknowledged that SSC cannot reduce this number to one. Hence, the GC Enterprise Directory Service project: has a short-term focus only while the GC does not have a more comprehensive identity management solution in production. If approved, this project will work proactively along with TBS (Chief Information Officer Branch) to ensure that GC ICAM can consume these services as it matures. The GC ICAM directory synchronization service will support standard interfaces and can be used by any SSC partner or client application maintaining identity data. For example, the ETI service can synchronize identity elements of its own proprietary directory with the SSC foundational directory service. 19

Enterprise Directory Relationships* Internal Applications External Applications Internal Applications Enterprise Directory Certificate Certification Authority (CA) Certificate e-business Directory (Employees, Partners) Windows Network Directory Account Info Sync Identity Adds, Deletes Directory Services Identity Adds, Deletes Sync Email Address, Other Info Email Address Sync Identity Adds, Deletes Phone Number Messaging Directory Infrastructure Directory *N.B.: Burton Group Other Databases HR Directory (PeopleSoft, SAP) PBX (Telecom) 20

Current GC Enterprise Directory Environment Internal applications External Applications Internal applications Internal Internal CAs Internal CA CA PKI X.509 Certificates ICM / FINDS X.500 Directory (Employees ) Windows Network Directories (Active Directories) No Enterprise Directory Service No Directory Synchronization Partner Messaging Directories (Exchange) Partner Infrastructure Directories (Exchange) New* GC Screening Identity Repository HR Directories (PeopleSoft, SAP) GEDS 21

Proposed GC Enterprise Directory Service Internal Applications External Applications Internal Applications NEW GC Enterprise Directory (GC ICAM) PKI X.509 Certificates Internal Internal CAs Internal CA CA PKI X.509 Certificates ICM / FINDS X.500 Directory (Employees ) Windows Network Directories (Active Directories) Account Info Sync Identity Adds, Deletes Directory Synchronization Service Identity Adds, Deletes Sync Email Address, Other info Email Address Sync Identity Adds, Deletes Phone Number ETI Messaging Directory Infrastructure Directory This Project New GC Screening Identity Repository Departmental Feeds GEDS 22

Directory Synchronization and Automation Synchronizes existing application directories with an SSC enterprise-directory service and is maintained via central and standardized business processes Allows consuming services to enable automated provisioning and to have automated employee and contractor lifecycle management Provides required data to application directories that need it Enables automated provisioning and maintenance Also enables automated de-provisioning of employees and contractors in support of proper identity lifecycle management across all SSC services Critical for the SSC transformational agenda Allows the provider to have one view of end-user information across all of the SSC services provided to GC partner departments/agents and clients 23

Enterprise Directory Data Characteristics The plan for the GC enterprise directory contains the following data characteristics: Data is from an authoritative source. Data has been referenced and audited against third-party sources. Third-party sources, such as the Regional Pay System (RPS) and Internal Credential Management (ICM), can be queried for the existence of an active employee record within a particular department to augment the existing identity lifecycle processes as an SSC value add. For example, if an employee has retired or changed from one department to another on a deployment, he or she will no longer be paid by the previous department in RPS, hence providing a flag to departments that this employee no longer works there and should be properly de-provisioned. An employee data level of assurance for each record is established. 24

Enterprise Directory Service Dimensions The enterprise directory service can be thought of as three dimensional, as: the depth is the number of objects for which there is data; the breadth is the number of attributes for each object; and multiplying these gives us the total number of pieces of data being managed and audited. The last dimension is the number of directory services that we support to publish/expose the data. SSC is to expand the service to include all federal government users, while gradually introducing additional functions/access protocols. 25

Enterprise Directory Service Components The enterprise directory service must be more than a technology service. There must be a set of defined service interfaces to allow suppliers and clients to interact with the system. The directory must contain a set of well-understood and enforced directory policies. There must be directory procedures in order to implement and enforce policies. There must be strong governance to ensure a high value to the GC. 26

Business Benefits to Shared Services Canada Demonstrated business efficiency Reduced data administration effort by application specialists, with improved data integrity and accuracy Reduced costs for SSC overall Minimal lag between initial data change by the data or attribute authority and reflection in application Improved security posture based on a shared information architecture Automatic revocation of services helps achieve Management of Information Technology Security compliance. 27

Enterprise Directory Services Framework End Users Directory Clients (SSC and GC-wide Applications) Directory Access and Synchronization Service Consumers Beneficiaries (Access and Credential Management Service Providers) Standardized Access (LDAP, XML, WS*, SAML, etc.) Content Providers Supply Interfaces Directory Services Publishing, Distribution, Conversion Enablers (Digital Identity Lifecycle Management) Reference, Extract, Transform, Normalize, Validate, Load Audit and Reference Data Department-specific Feeds Content Providers (Identity Data Authorities) 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information