Identity Management Network http://www.identitymanagement.net.au
The Universe of Identity Management
Guy Lupo (cissp) [email protected] www.securitydev.com
10.4.2005 www.identitymanagement.net.au 2
So What is Identity Management?
• Is it technology?
• Is it policy?
• Is it business?
• Who is responsible?
• What constitutes an IDM solution?
• How do I create a business case?
• Who are the stakeholders?
• More ……
Agenda
• From account administration to Identity Management
• Identity Management Building blocks
• Identity Authority four domains
• Looking at the big picture
• The Identity Management Network
• Identity management News feed
From Account Administration to Identity Management
The need to manage identities drives the 2005 market space:
• Internal applications
• Online business
• Regulations
• Organized crime
• Business intelligence
• Fraud / insider
• Standards
• Business growth
Control & governance of identities is essential for today’s business environment.
Recent perception of identities was as a collection of accounts and IT technologies.
Example: Alice holds two accounts behind the FW/VPN, ALICE_IA (Internal Auditor) and ALICE_PM (Program Manager), each with its own complex policy:
• Policy for ALICE_IA: if ALICE_IA account, then allow A, B, C and block 1, 2, 3; if between 9-11 and ALICE_IA, then allow A, B.
• Policy for ALICE_PM: if ALICE_PM account, then allow C, D, E and block 1, 2, 6, 7, 8; if between 9-11 and ALICE_PM, then allow all.
To switch roles, Alice must:
1. Login ALICE_IA
2. Logout ALICE_IA
3. Login ALICE_PM
The previous year's focus was how to govern multiple accounts and their associated management challenges.
Identity Management was perceived as Account Administration
• Focus on the administration and not on the governance
• IDM solutions were a collection of automation and synchronization tools & scripts
• Value-adds were on the cost side (self service)
• No authoritative source for authentication
The challenge: how to maintain control and enforce policies in this complex IT environment.
What is the difference between Identity Administration and Management?
• Identity Administration (technical) – account life cycle, authentication, credentials, passwords, reports, vulnerabilities
• Identity Management (business strategic, governance & processes) – roles & responsibilities, authoritative source, trust, risk, compliance, security, cost, efficiency & effectiveness
Identity Management is the framework to control people’s identities, roles & responsibilities, and resources.
Shift of priorities
• Transition to a business model driven by growing business requirements and the need to manage identities.
From IDM as a collection of technologies (IDM technologies, helpdesk costs, internal management) to identity management solutions, with the business looking for supporting technology: cost, regulation, risk, security, external identities, identities federation, physical IDM, …
Identity Management – Organizational view
(Diagram) Business (CEO, CIO, CFO, COO; HR, Finance, Sales, Legal, Procurement) + People (stakeholders, roles & responsibilities) + Company resources (IT, money, information, $$, public store) = Business objectives, governed by processes, policy and assurance.
The challenge
• Prioritizing business drivers in different environments
– Online business
– Personalized government services
– High turnover of employees
– Corporate competitiveness: employees' access to information
– Globalization and the need for remote access
– Regulations and compliance
– Mergers & acquisitions
– Business partnerships and sharing of information
• How to plan the roadmap, audit, architecture etc…
• Where does technology align and fit into the big picture?
Management of identities affects the business in all areas: internal, external, physical, B2B, authority.
The pain – Organization & Government
• Main request: clarity
Requirements and their description:
• “Need to know what others are doing” – sharing of best practices in similar sectors
• “Need to know in simple terms where each piece of technology fits in the big IDM map” – an easy way to map technology relevancy to business requirements
• “Need a consolidated newsletter” – one comprehensive newsletter with relevant news from the region
• “Need clarity and a shared language to describe IDM issues” – the requirement is to have a unified identity management language and to categorize the issues such that a clear roadmap can be constructed.
The pain – Vendors/Integrators/Consulting firms
• Main request: increase awareness, create a taxonomy to describe the universe of identity management
Requirements and their description:
• Shorten the sales cycle for IDM solutions – faster answers to tenders by having a pre-defined language to describe identity management
• Spend fewer $ on educating each customer as part of the sales cycle – customer awareness levels are low and each sales cycle requires education and awareness activities
• Better awareness – a lot of effort is invested in identifying the right people, understanding their needs and then offering the right solution
• A language to describe identity management as a business solution rather than a technological one
• A map, framework or methodology to align identity management technology with the business issues
The pain – Auditing community
• Work in progress ……
IDM Building Blocks
Identity Management Building blocks
• Business objectives
– Business targets determine IDM investments
– Business defines the risk
– The risk profile influences the identity controls
• People
– Have roles & responsibilities
– Need to use resources to perform their job
– Resource usage should be controlled
– Risk to people & risk from people
• Technologies
– Need to align with people and business
IDM facilitates the alignment of people, IT and business.
Identity Authority – Four Domains
Authoritative Source
• The critical success factor for the alignment is the source of identity information
• An authoritative source is required to be:
– Up to date
– Synchronized with all relevant sub-authority identity sources
– Aligned with the business processes
– Available, secured
– Trusted
– Compliant
The IDM Authority is the starting point.
Identity Management Authority – four domains
• Internal – employees, passwords, accounts, access, authorization, …
• External – non-employees, customers, online services, and more…
• Physical – doors, access, cards, biometrics
• Federated – B2B, trust between organizations, delegation of authority
More than 50% of each domain is the same IDM basics.
Looking at the big picture
The Universe of Identity Management – Draft 3
(Diagram of the map, organized along three axes: Technologies, Processes, Domain Authority)
Risk – What can go wrong!
• Fraud, internal/external (e.g. Enron, Worldcom…)
• Information leaking (Choicepoint)
• Breach of privacy (spam)
• Identity theft
• Illegal access
• Illegal entry
• Impersonation
• Non-repudiation
• Reputation
• Disaster recovery
• Non-compliance & financial implications
• Manual authorization
The risk from people and the risk to people.
Authoritative Source highlights
• Multiple identity stores
• Redundant information
• Outsourcing
• Off-shoring
• Identity information syndication
• Identification of external vs. internal vs. federated
• Lack of synchronization between physical and IT
• Conflict of business interests due to regulation
– HIPAA: marketing vs. core business
• Roles & responsibilities
• Authorization
Trusted Identity Authority: the key is planning a roadmap.
Security highlights
• Access control
• Authentication
• Excessive rights
• Ghost accounts
• Inactive accounts
• Separation of duties
• Rotation of duties
• Phishing & pharming
• Spam
• Aggregation of identity data
• Audit & monitoring
• Physical
• Stolen tokens, smart cards
• Password management
Who has access to what?
Who did what?
Who can authorize?
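Several of these highlights (ghost accounts, inactive accounts, excessive rights, separation of duties) and the question "who has access to what" can be checked mechanically once an authoritative source exists. The following is an added example, not code from the slides or the Identity Management Network: it reconciles a constructed application account list against a constructed authoritative HR source and reports findings per account and per person, using the Alice internal-auditor / program-manager case from the earlier slide as the separation-of-duties conflict. All names, the 90-day threshold, the conflicting role pair and the review date are assumptions.

```python
from datetime import date
# Constructed sample data (assumption, not from the slides): an authoritative HR
# source of people, and the account list exported from one application.
AUTHORITATIVE_SOURCE = {
    "alice": {"roles": {"internal_auditor", "program_manager"}, "active": True},
    "bob":   {"roles": {"program_manager"}, "active": True},
    "carol": {"roles": {"internal_auditor"}, "active": False},  # has left the company
}
APP_ACCOUNTS = [
    {"account": "ALICE_IA", "owner": "alice", "roles": {"internal_auditor"},
     "last_login": date(2005, 10, 3)},
    {"account": "ALICE_PM", "owner": "alice", "roles": {"program_manager"},
     "last_login": date(2005, 4, 1)},
    {"account": "BOB_PM", "owner": "bob", "roles": {"program_manager", "internal_auditor"},
     "last_login": date(2005, 10, 1)},
    {"account": "CAROL_IA", "owner": "carol", "roles": {"internal_auditor"},
     "last_login": date(2005, 9, 30)},
    {"account": "SVC_BATCH", "owner": None, "roles": {"program_manager"},
     "last_login": date(2005, 10, 4)},
]
# Role pairs one person must not hold together (separation of duties); assumed policy.
SOD_CONFLICTS = [frozenset({"internal_auditor", "program_manager"})]
INACTIVE_DAYS = 90  # assumed threshold for "inactive account"

def review_accounts(accounts, source, today):
    """Return sorted (finding, subject) pairs for the four security highlights."""
    findings = []
    roles_per_person = {}
    for acct in accounts:
        person = source.get(acct["owner"])
        # Ghost account: no owner in the authoritative source, or owner no longer active.
        if person is None or not person["active"]:
            findings.append(("ghost_account", acct["account"]))
            continue
        # Inactive account: nobody has used it within the threshold.
        if (today - acct["last_login"]).days > INACTIVE_DAYS:
            findings.append(("inactive_account", acct["account"]))
        # Excessive rights: the account carries roles HR never assigned to its owner.
        if acct["roles"] - person["roles"]:
            findings.append(("excessive_rights", acct["account"]))
        roles_per_person.setdefault(acct["owner"], set()).update(acct["roles"])
    # Separation of duties is judged per person across all accounts: two individually
    # "clean" accounts (ALICE_IA + ALICE_PM) still combine into a conflicting role set.
    for owner, roles in roles_per_person.items():
        if any(pair <= roles for pair in SOD_CONFLICTS):
            findings.append(("separation_of_duties", owner))
    return sorted(findings)

def run_review():
    return review_accounts(APP_ACCOUNTS, AUTHORITATIVE_SOURCE, date(2005, 10, 4))
```

Calling run_review() lists Bob's excessive rights, the two ghost accounts, Alice's stale ALICE_PM account and a separation-of-duties finding for both Alice and Bob; the per-account view alone would have missed Alice's conflict.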
Cost Effective highlights
• Self service for identity information
• Consolidation of identity stores
• Reduced sign-on
• Discovery phase & cleanup of accounts
• Roles & responsibilities
• Licensing management
• Workflows
• Automatic provisioning
• Compliance & audit
• B2B capabilities
• Reduction of risk (capital allocation – Basel II)
Only one business case is enough to kick-start a project.
Compliance
• Privacy regulation all around the world
• Financial regulations
– Sarbanes-Oxley
– GLBA
– Basel II
– CLERP 9
• Healthcare
– HIPAA
– FDA
• Homeland Security
• Patriot Act
• Data Protection – Europe
Integrity, transparency, interoperability.
Administration & Revocation
• Administration model
– Centralized
– Delegated
• Self service administration
• Delegation via workflows
• PKI-based administration
• Federated administration
• Administration control & governance
• Revocation verification model
– Real time
– Revocation lists
Monitoring & Measure
• Integrity assurance
• Compliance
• Change management (access rights)
• Abuse
• Internal usage
• Authorization
• Cost effectiveness
• Usage
Standards & Methodologies & Frameworks
• Access control strategies
– RBAC – Role Based Access Control
– Location based
– Groups
• Standards & frameworks
– Cobit
– ITIL
– ISO 17799
Identity Management Planning & Strategy
IDM Thumb rule!
Identity Management Project
• 80% of the project is around strategic planning
– Discovery: find out what you already have
– Planning: how to leverage your existing assets
• 20% of the project is
– Implementation
– Measure & review
Spending
• 20% of the spending goes on planning
• 80% of the spending goes on implementation
More than 50% of each domain are the same IDM basics
Identity Management roadmap is critical
Highlights of IDM project planning risks
• Usage of external resources and knowledge should fit the organization's business objectives
• Identification of the stakeholders is critical
• IDM projects are lengthy; the plan should be flexible enough to accommodate changes of people, technologies and priorities
• Documentation of “know how”
• Adopting a vendor methodology doesn’t mean you have to buy all the products from one place
Always keep in mind that you enable people to do their job better, and they enable the business to do better.
Market Drivers Now & Before
Main Market drivers 2005
• Cost & alignment
– Leverage existing investment in directories
– Internal identity management is recognized as a need and as a first step in the roadmaps
• Risks
– Identity theft
– Breach of privacy
– Fraud, insider threats
• Security
– 2-factor authentication
– Phishing
– Web access control
• Compliance
– Accountability & audit capabilities
– Automated compliance monitoring
Recent News & Analysis
Acquisitions & Partnership Map - Highlights
Columns: Vendor | Action | Internal | External | Federation | Physical | Authority
BMC | Acquires Calendra (Workflow/Directory management) | X X
BMC | Acquires OpenNetwork (Web Access Mgmt) | X X
Oracle | Buys Oblix (provisioning product) | X X
Quest | Acquires Vintela (Java extension to Microsoft) | X
CA | Acquires Netegrity | X
CA | Acquires software to perform account cleanups | X
Sun & NEC | Partner to improve solutions in the Identity Management space | X
Entrust & Trustgenix | Alliance designed to strengthen the security of federated identity management relationships | X X
Technologies Map - Highlights
Columns: Vendor | Action | Internal | External | Federation | Physical | Authority
BMC | BMC launches a comprehensive Identity and Configuration Management Database as well as integrating a directory manager with an open API. | X X
Sun | Sun provides open source Web authentication and single sign-on technologies as part of a project it is calling OpenSSO | X
RSA | RSA Security Inc. will release its new software versions, RSA® Certificate Manager 6.6 and RSA® Registration Manager 6.6 | X
Novell | Novell announces Identity Driven Computing, support for application developers | X
HP | HP rolls out improved identity suite (compliance, federation, auditing) | X X
Industrial map - Highlights
Columns: Vendor | Action | Internal | External | Federation | Physical | Authority
Government | The Government's hurriedly announced reconsideration of a national identification card has potentially set it on a collision course with Federal Privacy Commissioner Karen Curtis. | X X X
Maritime & Transport Unions | Perform background checks for every worker as part of increased security | X
National Australia Group UK (NAG UK) | Implement IBM Tivoli to enhance web based services | X X
Technologies
Jul 2005:
- BMC launches a comprehensive Identity and Configuration Management Database as well as integrating a directory manager with an open API.
- BQT Solutions will integrate its biometric authentication smart card solution with Optimiser's real time digital management technology.
- QuoVadis Trustlink software enables legally binding online identity and electronic signature solutions for international organizations.
- Sun will provide open source components of its Web authentication and single sign-on technologies as part of a project it is calling OpenSSO.
- Gemplus provides “3 Mobile” (Australia) with its 3G OTA services enabling better mobile network coverage.
- DS3 introduces an authentication server on Sun’s Solaris 10 operating system & Sun Fire.
- Red Hat launches its open-source software stack outside the US.
- RSA Security Inc. announced its RSA® BSAFE® Data Security Manager to be a middleware solution for software developers.
Sep 2005:
- RSA Security Inc. will release its new software versions, RSA® Certificate Manager 6.6 and RSA® Registration Manager 6.6.
2006:
- Seagate Technology will incorporate the Hardware-Based Full Disc Encryption (FDE) technology into notebook PC hard-disk drives.
The Network
Identity Management Network
• Founded 2005 – Security Development, Guy Lupo
• Mission – Create and constantly maintain an open, clear channel of communication between organisations, government, vendors, integrators and consultants in the identity management sector
• Execution
– Web portal www.identitymanagement.net.au (BETA)
– Identity Management Index
– Identity Management Summit - March 2006
– On-going networking events for the network members
A place to start with Identity Management.
Network Entities
(Diagram) Member entities: organizations (Org A, B, C), sponsors (Sponsor A, B, C), associations, government, vendors, integrators, key IDM professionals and a business lobby, grouped under security, governance and physical; they are connected through the universe map, events, IDM e-news and networking.
Thank You!
• Guy Lupo (cissp) SecurityDev Security Products Marketing Services [email protected] www.securitydev.com 0432031031
ISSA Australia-New Zealand National Director [email protected]