IBM
How can we support the requirement of creating dynamic, flexible and cost effective solutions in the IAM area?
Sven-Erik Vestergaard, Nordic Security Architect, IBM Software Group, svest@dk.ibm.com
Security is becoming a board room discussion
Drivers: business results, brand image, supply chain, legal exposure, impact of hacktivism, audit risk.
- Sony estimates potential $1B long term impact, $171M / 100 customers
- HSBC data breach discloses 24K private banking customers
- Epsilon breach impacts 100 national brands
- TJX estimates $150M class action settlement in release of credit / debit card info
- Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony
- Zurich Insurance PLc fined 2.275M ($3.8M) for the loss and exposure of 46K customer records
Can this happen to us?
Security challenges are impacting innovation
External threats: sharp rise in external attacks from non-traditional sources (cyber attacks, organized crime, corporate espionage, state-sponsored attacks, social engineering)
Internal threats: ongoing risk of careless and malicious insider behavior (administrative mistakes, careless inside behavior, internal breaches, disgruntled employee actions, mix of private / corporate data)
Compliance: growing need to address an increasing number of mandates (national regulations, industry standards, local mandates)
Impacting innovation: Mobility, Cloud / Virtualization, Social Business, Business Intelligence
Do we need Policy Management to handle the challenges?
Policy & Policy Management
Policy - What is it?
- Principle or rule to guide decisions and achieve a desired and rational outcome
- Contains attributes detailing the 'what', the 'how', the 'where', and the 'when'
- Published, it becomes the standardized guidelines used by a system to govern its behavior within its environment and transactions
Policy Management provides an approach for efficiently and effectively addressing the many risks and requirements inherent in electronic communication:
- Policy definition (a structured way to declare policy constraints)
- Policy enforcement, according to the defined policies
- Policy monitoring (the ability to collect and report policy analytics)
Policy Reference Architecture (diagram; only its labels survive extraction)
Policy Lifecycle Management spans three policy layers and the lifecycle steps Author, Transform, Assemble, Enforce, Deploy, Monitor and Manage:
- Business Policy: policy domains for behavior and performance (Situational Awareness, Business Process, Business Services, Service Level Management; Service Development Lifecycle; Service Lifecycle & Governance Policy)
- Architectural Policy: policy domains for SOA resources (Process, Service, Information Model; Architectural Policy & Governance)
- Operational Policy: policy domains that are non-functional (Security, Monitor, Mediation, Service Support & Delivery Policy; Enablers)
Policy aligns individual roles with broader business objectives
Business layer: capture policy as business statements that describe the intent of the business or a specific business level policy
  e.g. Compliance officer requires personal information be protected
  e.g. Business requires that information be available within 3 seconds of request
Architecture layer: capture policy as requirements and architectural standards that address resources
  e.g. Limit client credit report access to owning managers
  e.g. A particular provider service must respond within 2 seconds in order to meet the business need of an end to end 3 second response
Operational layer: operational policies are actionable statements that provide specific runtime actions
  e.g. Configure message security to support digital signature and restricted authorization
  e.g. Mediation layer will reroute traffic to a secondary endpoint if the primary endpoint does not respond in 2 seconds
Policy Tree
Example of deriving policy from business requirements through the various policy layers:
Business Requirement: Comply with all laws and regulations
Business Policy: Keep consumer data private as called for by EU privacy regulation
Architectural Policy:
- Encrypt consumer name, address, phone numbers and social security number when such data is stored
- Encrypt consumer name, address, phone numbers and social security number when such data is transmitted
Operational Policy:
- Access control via userid & password sign on to the corporate LDAP directory for any attempt to access private consumer data
- Encrypt consumer name, address, phone numbers and social security number in the ESB gateway before transmitting
Same Architectural Pattern applied across key scenarios (diagram; only its labels survive extraction)
Architectural Pattern for Service Policy: Author, Store (Repository), Monitor, with Enforce placed in the middleware between Consumer and Provider.
- Key Scenario: SLA Management
- Key Scenario: Security
- Key Scenario: Service Support & Delivery (Deploy between Consumer and Provider)
Products named in the diagram: WSRR, ALE, TSPM, DP, AMCT.
Elements of a Policy Lifecycle Management solution
1. Policy Authoring (Author)
- Policy Selection: creating instances of standard domains (security, transactions); predefine some domains and provide tooling for those domains
- Policy Creation: allowing users to create policy
2. Policy Distribution (Transform)
- Storage and assignment of policies to resources
- Transform to an actionable form
- Policy administration: lifecycle and governance of policies
- Making service descriptions and/or associated policies available
- Pushing updates or notifications of change to PEPs / PDPs
3. Policy Enforcement (Enforce)
- Policy Decision Points (PDPs) and Policy Enforcement Points (PEPs)
- Enforcement of policies relating to metadata
- Enforcement of policies relating to SOA endpoint interactions
4. Policy Monitoring (Monitor)
- Recording decisions made by PDPs and PEPs
- Monitor, measure, and analyze policies
- Displaying and reporting on information about policy results
(Diagram labels: Policy Registry / Repository; Tivoli NetView (Record Alerts, Distribute Policy); Security Enforcement middleware: DataPower XS40, Nortel L7 Module, Tivoli Access Manager, WebSphere App Server, MQ Server; Web service client and Web Services Endpoint.)
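The policy tree above ends in two operational policies, and this slide names the Policy Decision Points, Policy Enforcement Points and Monitor that carry them out. The following is an added example, not code from the deck or any IBM product: a minimal PDP that evaluates those two operational policies, a PEP that enforces the decision and its encrypt obligation, and an audit list standing in for the Monitor. The attribute names, the request shape and the protect() stand-in for the gateway's encryption are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Fields the architectural policy names as requiring encryption (constructed key names).
PRIVATE_FIELDS = {"name", "address", "phone", "ssn"}

@dataclass
class Request:
    subject: str
    authenticated_by: Optional[str]  # "corporate-ldap" after userid/password sign-on
    action: str                      # "read" or "transmit"
    resource_class: str              # "private-consumer-data" or anything else
    payload: Dict[str, str] = field(default_factory=dict)

@dataclass
class Decision:
    effect: str                      # "Permit" or "Deny"
    obligations: List[Tuple[str, List[str]]] = field(default_factory=list)

def pdp(req: Request) -> Decision:
    """Policy Decision Point: evaluates the two operational policies of the tree."""
    if req.resource_class != "private-consumer-data":
        return Decision("Permit")    # the policies only scope private consumer data
    if req.authenticated_by != "corporate-ldap":
        return Decision("Deny")      # operational policy 1: LDAP sign-on required
    if req.action == "transmit":     # operational policy 2: encrypt before transmitting
        fields = sorted(PRIVATE_FIELDS & req.payload.keys())
        return Decision("Permit", [("encrypt", fields)])
    return Decision("Permit")

AUDIT: List[Tuple[str, str, str, str]] = []  # Monitor: every decision is recorded here

def protect(value: str) -> str:
    # Stand-in for the ESB gateway's encryption step: hides the value, is not a cipher.
    return "<encrypted:%d bytes>" % len(value.encode())

def pep(req: Request) -> Optional[Dict[str, str]]:
    """Policy Enforcement Point: applies the decision and carries out its obligations."""
    decision = pdp(req)
    AUDIT.append((req.subject, req.action, req.resource_class, decision.effect))
    if decision.effect != "Permit":
        return None                  # request blocked before it reaches the provider
    out = dict(req.payload)
    for kind, fields in decision.obligations:
        if kind == "encrypt":
            for name in fields:
                out[name] = protect(out[name])
    return out
```

The AUDIT entries are what the Monitor step would collect and report on as policy analytics.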
IBM Reference Architecture for IT Security (diagram; only its labels survive extraction)
Layers: Applications & Services, Security Services, Security Infrastructure, with Integrated Policy Management Services (ws-securitypolicy, XACML, etc.) spanning them.
- Web Services / XML Security Gateway and Enterprise Service Bus: security enforcement with ws-security
- Presentation/Application Server and Enterprise Information System: security enforcement with ws-trust, XACML
- Web Federated SSO (Point of Contact) and AAA Security Services: ws-trust, XACML; emit Audit Events
- Identity and Access Management, Enterprise Directory, Enterprise Auditing & Compliance
So how do you start?
- Get executive sponsorship
- Get stakeholders
- Application assessment
- Policies: start with the most strategic and least complicated (don't boil the ocean)
- Identify operational requirements
- But most important, stay faithful to the new strategy
Questions?