IBM Security Systems Division
Identity management and access management in an Enterprise Network
November 2012
Sven-Erik Vestergaard, Nordic Security Architect, Certified IT Specialist, IBM Software Group, svest@dk.ibm.com
2011 IBM Corporation
Agenda
- Identities in your own enterprise
- Collaboration with partners
- Access to Cloud
Think of security as a house
- Some have little security
- Some have moderate security
- Some are very secure
Problems:
- Infrastructure nightmare: each department builds some
- ID/PW explosion: registry and help desk impacts
- Many access points: security problems arise
- No real security policy: many inconsistent policies
- Re-coding security per application: time/money impact
IBM Identity and Access Management Vision
Manage Enterprise Identity Context Across All Security Domains
Identity Management helps demonstrate governance within the enterprise
1. Empower business owners and analysts to design with simple-choice role mining
2. Use the role analytics catalog and project-based scoping to implement best practices
3. Get an effective role structure with validation using SoD simulations and automatic approval
(Screenshot of the role-design wizard: General information > Select users > Select permissions)

Identity management in an interconnected enterprise
Create and maintain roles and access structures to enforce Identity and Access Governance
Ability to deliver effective privileged identity control with a secure vault and automated sign-on
1. Configure the privileged account (Admin ID)
2. The user's credential is automatically checked out of the vault and used to log the user into the privileged account. The credential is automatically checked back in to the vault upon logout.
3. User activity is logged
Built on proven IBM Identity and Enterprise Single Sign-On capabilities and supports integrated deployment
Risk Based Access Management
(Architecture diagram: a client on a phone or desktop/laptop crosses the unsecure zone and the DMZ, where WebSEAL fronts the web application with the RBA EAS; in the secure zone TFIM hosts the RBA runtime, made up of the authorization service (Azn Svc) and the attribute collector service.)
Risk Score
A risk score is an integer between 0 and 100 that indicates the overall risk (sometimes thought of as a confidence level) of the current request: 0 indicates no risk and 100 indicates a very risky request. If a match (exact, inexact, subnet, regex, location, behavior, custom, etc.) is found for a configured policy attribute, that attribute's weight is added to the total that is used to determine the risk score. Policy attributes range from static user credential attributes to transactional, context-based attributes (e.g. the user's location or the operating system of the client), including custom third-party attributes. Persistent data is stored per user, and each user may have several sets of stored data to match against.
Risk score formula.
Risk Score (cont'd)
Out of the box we plan to provide the following matchers:
- Exact: illustrated on the previous slide; returns true if the attribute exactly matches any previous attribute pulled from the persistent store for that user.
- Network: provides a static inclusion/exclusion list of network IPs and subnets. If the client's IP matches the inclusion list and does not match the exclusion list, the matcher returns true. Another feature of this matcher is that the administrator can configure a variable on the inclusion list that represents the user's previously registered IPs, which are pulled from the persistent store.
- Location: compares geolocation data. It compares the current location against previously registered locations and returns true if the distance is within the configured range. See a later slide for more details.
- Behavioral: calculates the probability that the specific resource is used at the current moment in time, using a set of algorithms over historical data.
- JavaScript Rule: allows the administrator to write a more complex matcher in JavaScript.
Risk Score (cont'd): Location matcher
Determines whether the location of the login session is within the allowable range of the known locations.
Configuration:
- Maximum allowable distance between points, in kilometers.
- How to take the accuracy into account. This is optional; the default is midpoint.
(Diagram: how the midpoint, closest and farthest distances are calculated using the accuracy distance.)
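As an added worked example (not IBM's code), the three slides above on the risk score, the exact, network and location matchers, and the accuracy handling, as a small scoring engine in Python. Assumptions: the literal inclusion-list entry "registered" stands for the user's previously registered IPs; closest/farthest subtract or add both accuracy radii to the centre distance; the score is derived as 100 minus the matched share of the total weight; the policy and persisted data are constructed.

```python
import ipaddress
import math

def exact_matcher(current, known_values):
    """True when the current attribute value equals a previously stored one."""
    return current in known_values

def network_matcher(client_ip, include, exclude, registered_ips=()):
    """Inclusion-list hit and no exclusion-list hit. The entry "registered" (an
    assumed convention) stands for the user's previously registered IPs."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in include if n != "registered"]
    if "registered" in include:
        nets += [ipaddress.ip_network(r) for r in registered_ips]
    return any(ip in n for n in nets) and not any(
        ip in ipaddress.ip_network(n) for n in exclude)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def location_matcher(current, known, max_km, mode="midpoint"):
    """(lat, lon, accuracy_km) tuples. Assumed accuracy handling: 'closest'
    subtracts both radii from the centre distance, 'farthest' adds them."""
    for k in known:
        d = haversine_km(current[0], current[1], k[0], k[1])
        if mode == "closest":
            d = max(0.0, d - current[2] - k[2])
        elif mode == "farthest":
            d += current[2] + k[2]
        if d <= max_km:
            return True
    return False

def risk_score(policy, request, persisted):
    """policy: (weight, matcher) pairs. Assumed derivation: matched weight over
    total weight is the confidence level and risk = 100 - confidence."""
    total = sum(w for w, _ in policy)
    matched = sum(w for w, m in policy if m(request, persisted))
    return 100 - round(100 * matched / total) if total else 100

POLICY = [  # constructed sample policy: OS exact (20), network (30), location (50)
    (20, lambda r, p: exact_matcher(r["os"], p["os"])),
    (30, lambda r, p: network_matcher(r["ip"], ["10.0.0.0/8", "registered"], ["10.9.0.0/16"], p["ips"])),
    (50, lambda r, p: location_matcher(r["loc"], p["locations"], 50)),
]
KNOWN = {"os": {"Windows 7"}, "ips": ["192.0.2.10/32"], "locations": [(55.676, 12.568, 1.0)]}  # constructed
```

A request whose OS, IP and location all match scores 0; one that matches nothing scores 100, and a mix lands in between according to the weights.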
Identity propagation improves control across all security domains
Provide applications with auditable identities for controlling access and compliance. Standards-based run-time security enables ease of integration.
(Diagram: Jon's client system (browser, rich client, mobile) passes through a firewall to a proxy/intermediary, a second firewall, the web application server/portal server, an existing application and the z42 enterprise information system; the identity jdoe@us.ibm.com carried as <Jd_token> is mapped to j212_saml and then to z42_ptkt. Supporting services: authentication, authorization, security access, identity, integrity, confidentiality and audit services.)
Enable secure mobile, social and cloud transformations: secure collaboration demands improving auditability of who and what are connecting into the enterprise.
Key Management
Encryption and keys are used everywhere (file system, middleware, database, application) with more products enabled for security.
- Hardware acceleration has made encryption performance acceptable.
- It is important to remember that encrypted data cannot be compressed or de-duplicated.
(Diagram: key management for the SmartGRID disk storage array and the Enterprise Tape Library 3592.)
Why is this important?
- If you lose your keys you lose your data, so robust key management is required.
- If you lose control of the device, the data is secure.
- To erase data or sanitize for end of life, just power off.
- Who gets keys determines who has access to data, so you can enforce access control by controlling the keys.
Privileged user controls are key to detecting insider fraud
(Diagram: potential data loss. Who? An internal user. What? Oracle data. Where? Gmail.)
Threat detection in the post-perimeter world: user anomaly detection and application-level visibility are critical to identify insider threats.
Agenda
- Identities in your own enterprise
- Collaboration with partners
- Cloud
Real World of Identities.
Distributed identity management in an Identity Federation
(Diagram)
- Identity Provider: holds identity information and authentication information; registers and manages identities, authenticates, provisions, and asserts identity.
- Service Provider: holds guest accounts and local information; performs identity mapping, authorizes, and provides the service.
Extending Web SSO outside the enterprise
(Diagram)
- Enterprise SSO: desktop apps, SSO client on the client workstation
- Traditional Web SSO: CRM application and internal SSO portal service behind a point-of-contact server
- Federated Web SSO (FSSO) using SAML, OpenID or WS-Federation: third-party access for partners using SAML, partners using OpenID and partners using WS-Federation
Agenda
- Identities in your own enterprise
- Collaboration with partners
- Cloud
Business Solutions on Cloud: simple use case
1. The user requests a resource from a cloud service over the Internet.
2. The user is redirected to the federation identity provider (IdP).
3. The IdP provides partners with a trusted ID.
4. The IdP provides SSO service from partner to partner during the session.
5. Administrators and managers participate in IdP workflows (identity and access management, master user reference).
6. Partner credentials are provisioned from the master repository.
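The flow in steps 1 to 4 as an added simulation in Python; this is not IBM's or any product's code. Assumptions: the trusted ID is an HMAC-signed JSON token rather than a SAML assertion, each partner shares its own secret with the IdP, the IdP keeps a session so a second partner gets SSO without a new login, and the users and partner names are constructed.

```python
import base64, hashlib, hmac, json, time

class IdentityProvider:
    """Federation IdP: authenticates against the master user repository and
    issues a partner-scoped trusted ID for each live session (steps 2 and 3)."""
    def __init__(self, partner_keys, users):
        self.partner_keys = partner_keys  # partner id -> shared secret (assumed)
        self.users = users                # constructed master repository
        self.sessions = {}                # session id -> user id

    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        sid = hashlib.sha256(f"{user}:{time.time()}".encode()).hexdigest()[:16]
        self.sessions[sid] = user
        return sid

    def issue(self, sid, partner, now=None, ttl=300):
        user, key = self.sessions.get(sid), self.partner_keys.get(partner)
        if user is None or key is None:
            return None
        body = {"sub": user, "aud": partner, "exp": int(now or time.time()) + ttl}
        raw = json.dumps(body, sort_keys=True).encode()
        return base64.b64encode(raw).decode() + "." + hmac.new(key, raw, hashlib.sha256).hexdigest()

class ServiceProvider:
    """Partner service: trusts the IdP's signature, and only for its own audience."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, token, now=None):
        try:
            raw_b64, sig = token.split(".")
            raw = base64.b64decode(raw_b64)
        except (ValueError, TypeError, AttributeError):
            return None
        if not hmac.compare_digest(hmac.new(self.key, raw, hashlib.sha256).hexdigest(), sig):
            return None
        body = json.loads(raw)
        if body.get("aud") != self.name or body.get("exp", 0) < (now or time.time()):
            return None
        return body["sub"]

def demo():
    """Login once, then SSO to two partners; the CRM token must be refused by HR."""
    idp = IdentityProvider({"crm": b"crm-secret", "hr": b"hr-secret"}, {"jdoe": "pw"})
    crm, hr = ServiceProvider("crm", b"crm-secret"), ServiceProvider("hr", b"hr-secret")
    sid = idp.login("jdoe", "pw")
    t_crm, t_hr = idp.issue(sid, "crm"), idp.issue(sid, "hr")
    return crm.accept(t_crm), hr.accept(t_hr), hr.accept(t_crm)
```

The audience and expiry checks in accept() are what keep a token issued for one partner from being replayed at another or after the session window.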
Questions?