Posted: 15-Jul-2015 | Category: Technology | Uploaded by: ibm-sverige
© 2014 IBM Corporation
IBM Security Systems
IBM Security Identity & Access Manager: Product Overview
Henrik Nelin, Certified Security IT-Architect
January 2015
Agenda
Overview IBM Security IAM
IBM Security Identity Manager
IBM Security Privileged Identity Manager
IBM Security Identity Governance
IBM Security Access Manager
IBM Security IAM Cloud
IBM Security Framework
Part of IBM’s comprehensive portfolio of security products
Identity and Access Management (IAM): Securing the extended enterprise with Threat-aware Identity and Access Management
Four themes: deliver actionable identity intelligence; safeguard mobile, cloud and social access; simplify cloud integrations and identity silos; prevent advanced insider threats.
• Validate “who is who” especially when users connect from outside the enterprise
• Proactively enforce access policies on web, social and mobile collaboration channels
• Manage and audit privileged access across the enterprise
• Defend applications and data against unauthorized access
• Provide federated access to enable secure online business collaboration
• Unify “Universe of Identities” for efficient directory management
• Streamline identity management across all security domains
• Manage and monitor user entitlements and activities with security intelligence
IBM Identity Management Product
IBM Security Identity Manager (ISIM)
Addressing Customer Challenges: IBM Identity Management
Manage users and their access rights
• Securely enroll, manage and terminate user profiles and access rights throughout the lifecycle
• Flag expired accounts and role conflicts
Streamline user access to protected resources
• Reduce costs and improve user productivity with password management and single sign-on
• Support strong authentication devices for extra security
Safeguard access in Cloud / SaaS environments
• Monitor shared and privileged accounts to manage risk
• Secure user single sign-on in cloud environments
Address regulatory mandates
• Produce audit reports to demonstrate compliance with security regulations
• Monitor, identify and correct security violations
Identity Manager automates, audits, and remediates user access rights across your IT infrastructure
Figure: the Identity Manager provisioning flow. An identity change (add/delete/modify) arrives from HR systems or identity stores; approvals are gathered; access policy is evaluated; accounts are updated on the managed endpoints (databases, operating systems, applications, networks and physical access). Accounts on 70+ different types of systems are managed, plus in-house systems and portals. Local privilege settings are detected and corrected.
Reduce Costs
• Self-service password reset
• Automated user provisioning
• Self-service access request
Manage Complexity
• Consistent security policy
• Quickly integrate new users & apps
Address Compliance
• Closed-loop provisioning
• Access rights audit & reports
• Know the people behind the accounts and why they have the access they do
• Fix non-compliant accounts
• Automate the user privileges lifecycle across the entire IT infrastructure
• Match your workflow processes
Identity Service Center UI
The launch page for all Identity activities: Request Access, View Access, Approvals - Manage Activities
Identity Service Center for business users: Access Request
Simplified policy, workflow, and configuration reduces setup time
Wizards help users build:
• Approval workflows
• Request for Information Nodes
• Email Nodes
• Adoption Policies
• Recertification Policies
• Identity Feeds
• Service Definitions
No need for programming or scripting for simple configuration options:
• Defaults to “simple” configuration
• Toggle to the “advanced” option to meet complex needs
Centralized password management - enhances security and reduces help desk costs
Customer Challenge:
• High Help Desk costs to support employee forgotten password requests
• Need to expire passwords regularly and enforce password format for security
• Account breach may raise awareness of weaknesses
SIM solution:
• Self-service password management across all systems
- Apply targeted or global password rules
- Verify compliance with target systems
• Password synchronization - propagate and intercept
• Challenge/response questions for forgotten user ids and/or passwords
- User or site defined questions
- Email notification
• Integration with SAM E-SSO - desktop password reset/unlock at the Windows logon prompt
- Provisioning user access to SAM E-SSO
Account reconciliation – enforcing access policy
Customer Challenge:
• When employees leave or change jobs, their application and system accounts are not terminated
• Dormant and “orphan” accounts result in higher license costs, and expose organization to security breaches
• Compliance audit failure could result
IBM Solution:
• SIM can automatically reconcile “known good” SIM users to accounts on target applications and systems.
• Orphan accounts are recognized and can be automatically suspended.
Benefit: accounts available only for valid users - lower IT admin costs, improved security
Figure: SIM reconciliation compares the accounts on the managed endpoint against the user repository with approved privileges.
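The reconciliation step above, as an added example that is not IBM or SIM code: accounts on an endpoint are matched against the "known good" repository, orphans are suspended, and privilege drift (groups beyond the approved set) is corrected. Sample accounts, approved privileges and the exempt service account are constructed.

```python
# Added example (not IBM/SIM code): the reconciliation step in plain Python.
# Sample accounts, approved privileges and exempt service accounts are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    uid: str
    groups: frozenset
    owner: Optional[str] = None   # SIM user adopted as owner, if any
    status: str = "active"


# Constructed: what the managed endpoint currently holds.
ENDPOINT_ACCOUNTS = [
    Account("jsmith", frozenset({"sales", "domain_admins"})),
    Account("mlee", frozenset({"finance"})),
    Account("tmp_vendor7", frozenset({"sales"})),
    Account("svc_backup", frozenset({"backup"})),
]
# Constructed: the "known good" user repository with approved privileges.
APPROVED = {"jsmith": frozenset({"sales"}), "mlee": frozenset({"finance"})}
# Constructed: accounts deliberately excluded from orphan handling.
EXEMPT = frozenset({"svc_backup"})


def reconcile(accounts, approved, exempt=frozenset()):
    """Adopt accounts owned by known users; return (orphans, drift) where
    orphans have no owner and are not exempt, and drift maps a uid to the
    groups it holds beyond its approved set."""
    orphans, drift = [], {}
    for acct in accounts:
        if acct.uid in approved:
            acct.owner = acct.uid
            extra = acct.groups - approved[acct.uid]
            if extra:
                drift[acct.uid] = sorted(extra)
        elif acct.uid not in exempt:
            orphans.append(acct.uid)
    return orphans, drift


def remediate(accounts, approved, exempt=frozenset()):
    """Enforce policy: suspend orphans and strip unapproved groups.
    Returns the resulting state per uid so the run can be audited."""
    orphans, drift = reconcile(accounts, approved, exempt)
    for acct in accounts:
        if acct.uid in orphans:
            acct.status = "suspended"
        elif acct.uid in drift:
            acct.groups = approved[acct.uid]
    return {a.uid: (a.status, sorted(a.groups)) for a in accounts}
```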
Access recertification - facilitates compliance
Customer challenge
• Compliance – ensuring account access remains updated and valid
IBM Security Identity Governance capabilities
• Attestation: provides an access validation process to those who can responsibly and accurately make that decision
• 3 types of recertification policies to validate continued need for resources
- Account recertification policies target accounts on specific services
- Access recertification policies target specific accesses (in decipherable terms, i.e. AD group UK3g8saleww_R = sales pipeline portlet)
- User recertification policies combine recertification of a user's role, account and group membership into a single activity
Identity Management On-the-Go!
Identity Manager Mobile: native Android and iPhone app/interface
• Allows business managers to review and approve employee requests, and to view history/status
• Supports password change and forgotten password reset (with challenge/response)
• Support for OAuth authentication for Android and iOS applications
Adapter portfolio: integration breadth and depth to achieve rapid value
Broad support for prepackaged adapters, with deep support, beyond a ‘check box’, for critical infrastructure and business applications. Adapters are application adapters, host adapters, or adapters that require a local adapter on the target.
Applications & Messaging: Blackberry Ent. Server, Cognos, command line-based applications, Documentum eServer, Google Apps, LDAP-based applications, Lotus Notes/Domino, Microsoft Lync, Microsoft Office365, Microsoft Sharepoint, Novell eDirectory, Novell Groupwise, Oracle E-Business Suite, Oracle PeopleTools, Rational Clearquest, Rational Jazz Server, Remedy, Salesforce.com, SAP GRC, SAP Netweaver, SAP AS Java, Siebel, Windows AD/Exchange
Databases: DB2/UDB, Oracle, MS SQL Server, Sybase
Authentication and Security: CA Top Secret, CA ACF2, Cisco UCM, Desktop Password Reset Assistant, Entrust PKI, IBM Security Access Mgr., IBM Security Access Manager for ESSO, RACF zOS, RSA Authentication Mgr.
Operating Systems: HP-UX, IBM AIX, IBM i/OS, Red Hat Linux, Solaris, Suse Linux, Windows Local
Partner Offered Integrations: Approva BizRights, Citrix Pwd Mgr, Cryptovision PKI, ActivIdentity, Lawson, SecurIT R-Man, JD Edwards, Epic, Meditech, Tandem, BMC Remedy, Zimbra Mail
Fast, adaptable tooling for custom Adapters
• Quickly integrate with home-grown applications
• Easy wizard-driven templates reduce development time by 75%
• Requires fewer specialized skills
Cognos-based reporting system facilitates audit requirements
Full Cognos Reporting capabilities included:
• Report Administration
- Report scheduling
- Distribution via email (PDF) and URL
• Report customization
• Web-based Report Viewer
• Dashboards
Identity Management
IBM Security Privileged Identity Manager (PIM)
IBM Security Privileged Identity Manager
Centrally manage, audit and control shared identities across the enterprise
Key release highlights
Control shared access to sensitive user IDs
– Check-in / check-out using a secure credential vault
Track usage of shared identities
– Provide accountability
Automated password management
– Automated checkout of IDs, hide the password from the requesting employee, automate password reset to eliminate password theft
Request, approve and re-validate privileged access
– Reduce risk, enhance compliance
Optional Privileged Session Recorder
– Visual recording of privileged user activities with on-demand search and playback of stored recordings
Optional Application ID governance
– Replace hardcoded and clear-text embedded credentials
IBM security solution: a Privileged Identity Management (PIM) solution providing complete identity management and enterprise single sign-on capabilities for privileged users, to prevent advanced insider threats.
Figure: PIM components - the credential vault, the Privileged Session Recorder and PIM for Apps - mediate admin ID and password checkout for the managed databases.
Identity Management
IBM Security Identity Governance (ISIG)
Challenges with Identity Governance today …
Figure: roles, groups, accounts, actual usage, business need, risk and privileges all feed the governance picture.
The Problem: “Identity explosion” across the enterprise increasing security risks, insider threats, and audit exposures
• Difficult to tie business activities to enterprise risk
• Auditors are unable to review access risk and compliance without a lot of help from IT
• Business users lack insight that helps them to properly certify user accesses and entitlements
• Ongoing, automated controls are needed to ensure continued compliance
– Multiple point tools make it difficult to tie compliance processes to governance and user provisioning activities
IBM Security Identity Governance and Administration solution: offers integrated governance and user lifecycle management
• SIM collects entitlement data from managed resources
• SIG allows the business to certify access rights, model roles, and manage SoD
• SIM performs write-back to target systems for closed-loop fulfillment
Identity and Access Management: Access Management
Safeguard mobile, cloud and social access
Helping achieve secure transactions and risk-based enforcement
Safeguarding mobile, cloud and social access
Figure: consumers, employees and BYOD devices reach on/off-premise resources (data, applications, cloud, mobile) over the Internet; the security team and the application team manage consistent security policies for consumer and employee applications.
Threat-aware application access across multiple channels:
• Strong Authentication, SSO, session management for secure B2E, B2B and B2C use cases
• Context-based access and stronger assurance for transactions from partners and consumers
• Transparently enforce security access policies for web and mobile applications
• Enforce security access policies without modifying the applications
ISAM for Web and ISAM for Mobile Packages
ISAM for Web
• Layer 7 Load Balancer
• Web Threat Protection
ISAM for Mobile
• Context based access control
• Device registration/fingerprinting
• Multi-factor Authentication
• API Protection (OAuth)
ISAM Appliance base services
• Web Reverse Proxy
• Policy Server
• Embedded LDAP
• Distributed Session Cache
ISAM for Mobile: stronger identity assurance for high risk access
Figure: risk-based step-up authentication scenario, with SSO to enterprise applications/data.
1. User accesses data from inside the corporate network
2. User is only asked for Userid and Password to authenticate
3. User accesses confidential data from outside the corporate network
4. User is asked for Userid/Password and OTP based on risk score (strong authentication)
• Built-in risk scoring engine using user attributes and real-time context (e.g. risk scoring and access policy based on device registration, geo-political location, IP reputation, etc.)
• Support mobile authentication with built-in One-Time Password (OTP) and the ability to integrate with 3rd party strong authentication vendors, as needed. Examples of supported OTPs are MAC OTP (email & SMS), HMAC OTP (TOTP & HOTP using client generators like Google Authenticator), RSA SecurID Soft and Hard tokens
• Offer a Software Development Kit (SDK) to integrate with 3rd party authentication factors and collect additional contextual attributes from the device and user session
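The four-step scenario above, as an added example that is not ISAM code: a context-based risk score decides whether a password alone is enough or an OTP is also required, and the OTP is checked with an RFC 4226/6238 HMAC-based verifier of the kind Google Authenticator generates. The risk weights, the `ctx` attribute names and the `STEP_UP_AT` threshold are assumptions made for illustration.

```python
# Added example (not ISAM code): risk-based step-up authentication with a
# built-in HOTP/TOTP verifier. Risk weights, ctx attribute names and the
# threshold are assumptions; OTP math follows RFC 4226/6238 (HMAC-SHA1).
import hashlib, hmac, struct, time

STEP_UP_AT = 50  # assumed risk score at which an OTP is demanded

def risk_score(ctx):
    """Score real-time context: network location, device registration,
    geo-location and IP reputation (weights are constructed)."""
    score = 0
    if not ctx.get("inside_corporate_network"):
        score += 30
    if not ctx.get("device_registered"):
        score += 20
    if ctx.get("country") not in ctx.get("allowed_countries", ("SE",)):
        score += 30
    if ctx.get("ip_reputation") == "suspicious":
        score += 40
    return score

def required_factors(ctx, confidential):
    """Policy: password only at low risk; password + OTP once the score
    crosses the threshold or confidential data is requested off-network."""
    off_network = not ctx.get("inside_corporate_network")
    if risk_score(ctx) >= STEP_UP_AT or (confidential and off_network):
        return ("password", "otp")
    return ("password",)

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def verify_totp(secret, code, at=None, step=30, window=1):
    """RFC 6238: accept the current 30 s step plus/minus `window` steps of
    clock drift; compare in constant time."""
    t = int((time.time() if at is None else at) // step)
    return any(hmac.compare_digest(hotp(secret, t + i), code)
               for i in range(-window, window + 1))

def authenticate(ctx, password_ok, confidential=False, otp_code=None,
                 secret=None, at=None):
    """Return 'granted', 'otp_required' or 'denied'."""
    if not password_ok:
        return "denied"
    if "otp" not in required_factors(ctx, confidential):
        return "granted"
    if otp_code is None:
        return "otp_required"
    return "granted" if verify_totp(secret, otp_code, at) else "denied"
```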
Identity Management
IBM Security Identity & Access Management Cloud
IAM Cloud Service – Capabilities overview
IaaS - Securing infrastructure & workloads: manage cloud administration & workload access
• Protect applications and workloads in private Cloud stacks (e.g. FIM)
• Deploy in VMware based on-prem clouds today; add support for additional hypervisors and cloud platforms
SaaS - Secure usage of business applications: enable employees to connect securely to SaaS
• Provide Web and Federated SSO (i.e. SAML) to both on/off-premises applications
• Provide self-service and portal based experience/access for enterprise, business and personal applications
PaaS - Secure service composition & apps (e.g. Bluemix): integrate identity & access into services & apps
• Support for applications to invoke service API’s on behalf of a user
• Integration with cloud platforms (i.e. BlueMix) to externalize identity from applications
Integration
Identity enriched security intelligence: QRadar Device Support Module for Identity Manager (including PIM vault functions)
• Centrally reports in QRadar the activities of the SIM admin users
• Collect identity attribute info from the SIM registry. Use the data in conjunction with log events and network flow data in rules to provide “identity context aware” security intelligence
• Map SIM identities and groups to activities in QRadar-monitored applications. Help correlate enterprise-wide user activities. Generated reports can assist with SIM user recertification or role planning
• User ID Mappings: multiple user ids from systems are mapped to a common ID, i.e. SKumar and SureshKumar are the same person - for comprehensive activity correlation
Figure: SIM and QRadar integration. The Security Identity Manager identity repository feeds QRadar with identity mapping data and user attributes, SIM server logs, and application logs from the managed databases, operating systems, applications, networks and physical access systems.
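The user ID mapping and identity-context rules described above, as an added example that is not QRadar or SIM code: per-system local user ids (SKumar, SURESHKUMAR, SureshKumar) are folded onto one identity, events from several sources are correlated per person, and a rule uses a SIM attribute (department) to flag activity. The mapping table, the attributes, the log line format and the PAYROLL rule are all constructed.

```python
# Added example (not QRadar or SIM code): map each system's local user ids to
# one identity and run an identity-context rule over the correlated activity.
# The mapping table, SIM attributes and log lines are all constructed.
import re
from collections import defaultdict

# Constructed SIM user ID mapping export: canonical id -> {(system, local uid)}
IDENTITY_MAP = {
    "suresh.kumar": {("ad", "SKumar"), ("oracle", "SURESHKUMAR"), ("sim", "SureshKumar")},
    "maria.lee": {("ad", "mlee"), ("oracle", "MLEE")},
}
# Constructed identity attributes as pulled from the SIM registry
ATTRIBUTES = {"suresh.kumar": {"department": "sales"},
              "maria.lee": {"department": "finance"}}
# Constructed log lines in the form "<system> <timestamp> <event> key=value ..."
LOGS = [
    "ad 2015-01-12T08:01:03 logon user=SKumar host=WS-101",
    "oracle 2015-01-12T08:05:40 select user=SURESHKUMAR table=PAYROLL",
    "sim 2015-01-12T08:07:10 modify admin=SureshKumar target=mlee",
    "ad 2015-01-12T09:00:00 logon user=mlee host=WS-202",
    "oracle 2015-01-12T09:01:00 select user=MLEE table=PAYROLL",
    "oracle 2015-01-12T09:02:00 select user=UNKNOWN42 table=PAYROLL",
]
LINE_RE = re.compile(r"^(?P<system>\w+) (?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")

def reverse_index(identity_map):
    """(system, local uid) -> canonical identity."""
    return {key: person for person, keys in identity_map.items() for key in keys}

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: " + line)
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {"system": m["system"], "ts": m["ts"], "event": m["event"], "fields": fields}

def correlate(logs, identity_map):
    """Group events by person; lines whose actor has no mapping are returned
    separately so they can be reviewed rather than silently dropped."""
    index = reverse_index(identity_map)
    activity, unmapped = defaultdict(list), []
    for line in logs:
        rec = parse(line)
        actor = rec["fields"].get("user") or rec["fields"].get("admin")
        person = index.get((rec["system"], actor))
        if person is None:
            unmapped.append(line)
        else:
            activity[person].append(rec)
    return dict(activity), unmapped

def payroll_reads_outside_finance(activity, attributes):
    """Identity-context rule: PAYROLL reads by anyone whose department is not finance."""
    return sorted(person for person, recs in activity.items()
                  if attributes.get(person, {}).get("department") != "finance"
                  and any(r["system"] == "oracle" and r["fields"].get("table") == "PAYROLL"
                          for r in recs))
```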
Implementing identity and access management can address these challenges and drive positive results for IT and the business:
• Decreases risk of internal fraud, data leak, or operational outage
• Streamlines compliance costs by providing automated compliance reports
• Can reduce the time to onboard and de-provision identities from weeks to minutes
• Can significantly reduce Help Desk costs resulting from password reset calls
• Improves the end-user experience with Web-based business applications by enabling activities such as single sign-on
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.