
Identity Management Network - ISACA Melbourne… · BMC BMC launches a comprehensive Identity and...

Date post: 29-Sep-2020
Identity Management Network http://www.identitymanagement.net.au The Universe of Identity Management Guy Lupo (cissp) [email protected] www.securitydev.com
Transcript
Page 1: Identity Management Network - ISACA Melbourne… · BMC BMC launches a comprehensive Identity and Configuration Management Database as well as integrating a directory manager with

Identity Management Network http://www.identitymanagement.net.au

The Universe of Identity Management

Guy Lupo (cissp) [email protected] www.securitydev.com

Page 2

10.4.2005 www.identitymanagement.net.au 2

So what is Identity Management?

•  Is it technology?
•  Is it policy?
•  Is it business?
•  Who is responsible?
•  What constitutes an IDM solution?
•  How do I create a business case?
•  Who are the stakeholders?
•  More ……

Page 3

Agenda

•  From account administration to Identity Management

•  Identity Management Building blocks

•  Identity Authority four domains

•  Looking at the big picture

•  The Identity Management Network

•  Identity management News feed

Page 4

From Account Administration To Identity Management

Page 5

The need to manage identities drives the 2005 market space:

•  Internal Application
•  Online Business
•  Regulations
•  Organized Crime
•  Business Intelligence
•  Fraud Insider
•  Standards
•  Business Growth

Control & Governance of Identities is essential for today’s business environment

Page 6

Identities were recently perceived as a collection of accounts and IT technologies

Alice

FW/VPN

Internal Auditor: ALICE_IA
Complex policy for ALICE_IA
•  If ALICE_IA account, then allow A,B,C; block 1,2,3
•  If between 9-11 and ALICE_IA, then allow A,B

Program Manager: ALICE_PM
Complex policy for ALICE_PM
•  If ALICE_PM account, then allow C,D,E; block 1,2,6,7,8
•  If between 9-11 and ALICE_PM, then allow all

Switch Roles
1. Login ALICE_IA
2. Logout ALICE_IA
3. Login ALICE_PM

The previous year's focus was how to govern multiple accounts and their associated management challenges

Page 7

Identity Management was perceived as Account Administration

•  Focus on the Administration and not on the governance

•  IDM solutions were a collection of Automation, Synchronization tools & Scripts

•  Value adds were on cost of self service

•  No Authoritative source for authentication

The challenge: how to maintain control and enforce policies in this complex IT environment

Page 8

What is the difference between Identity Administration and Management?

•  Identity Administration (Technical)
    –  Account life cycle, Authentication, Credentials, passwords, reports, vulnerabilities
•  Identity Management (Business strategic, Governance & Processes)
    –  Roles & Responsibilities, Authoritative source, trust, Risk, Compliance, Security, Cost, Efficiency & effectiveness

Identity Management is the framework to control People’s Identities, Roles & Responsibilities, Resources

Page 9

Shift of priorities

•  Transition to business model driven by growing business requirements and need to manage identities.

[Diagram labels: IDM technologies; Helpdesk costs; Internal management; Cost; Regulation; Risk; Security; …; External Identities; Identities federation; Physical; IDM: Collection of technologies; Business looking for supporting technology; Identity management solutions]

Page 10

Identity Management – Organizational view

[Diagram labels: HR, Finance, Sales, Legal, Procurement; Processes; Policy; Assurance; IT; Roles & Responsibilities; Company Resources; CEO, CIO, CFO, COO; $$; Public; Store; Stakeholders; IT; Money; Information; Business Objectives; Business; People]

Page 11

The challenge

•  Prioritizing business drivers in different environments
    –  Online business
    –  Personalized government services
    –  High turnover of employees
    –  Corporate competitive: Employees access to information
    –  Globalization and need for remote access
    –  Regulations and compliance
    –  Merger & Acquisitions
    –  Business partnership and sharing of information
•  How to plan roadmap, audit, architecture etc…
•  Where technology aligns and fits to the big picture?

Management of Identities affects the business in all areas: Internal, external, physical, B2B, Authority

Page 12

The pain – Organization & Government

•  Main request: Clarity

| Requirements | Description |
|---|---|
| “Need to know what others are doing” | Sharing of Best Practices in similar sectors |
| “Need to know in simple terms where each piece of technology fits in the big IDM map” | Easy way to map technology relevancy to business requirements |
| “Need a consolidated newsletter” | One comprehensive newsletter with relevant news from the region |
| “Need clarity and a shared language to describe IDM issues” | The requirement is to have a unified identity management language and to categorize the issues such that a clear roadmap can be constructed. |

Page 13

The pain – Vendors/Integrators/Consulting firms

•  Main request: Increase awareness, create a taxonomy to describe the universe of Identity management

| Requirements | Description |
|---|---|
| Shorten sales cycle for IDM solution | Faster answers to tenders by having a pre-defined language to describe identity management. |
| Spend fewer $ on educating each customer as part of the sales cycle | Customer awareness levels are low and each sales cycle requires education and awareness activities. |
| Better awareness | A lot of effort is invested in identifying the right people, understanding their needs and then offering the right solution. |
| A language to describe identity management as a business solution rather than a technological one. | A map, framework or methodology to align identity management technology with the business issues. |

Page 14

The pain – Auditing community

• Work in progress ……

Page 15

IDM Building Blocks

Page 16

Identity Management Building block

•  Business Objectives
    –  Business targets determine IDM investments
    –  Business defines the risk
    –  Risk profile influences the identity controls
•  People
    –  Have roles & responsibilities
    –  Need to use resources to perform their job
    –  Resource usage should be controlled
    –  Risk to people & risk from people
•  Technologies
    –  Need to align with people and business

IDM facilitates the alignment of People, IT, Business

Page 17

Identity Authority Four Domains

Page 18

Authoritative Source

•  Critical success factor for the alignment is the source of identity information

•  An authoritative source is required to be:
    –  Up to date
    –  Synchronized with all relevant sub-authority identity sources
    –  Aligned with the business processes
    –  Available, Secured
    –  Trusted
    –  Compliant

The IDM Authority is the starting point

Page 19

Identity Management Authority four domains

•  Internal
    –  Employees, passwords, accounts, access, Authorization, …
•  External
    –  Non-employees, customers, online services, and more..
•  Physical
    –  Doors, access, cards, biometrics
•  Federated
    –  B2B
    –  Trust between organizations
    –  Delegation of authority

More than 50% of each domain are the same IDM basics

Page 20

Looking at the big picture

Page 21

The Universe of Identity Management – Draft3

Technologies

Processes

Domain Authority

Page 22

Risk – What can go wrong !

•  Fraud Internal/External (e.g. Enron, Worldcom…)
•  Information Leaking (Choicepoint)
•  Breach of privacy (spam)
•  Identity Theft
•  Illegal Access
•  Illegal entry
•  Impersonation
•  Non repudiation
•  Reputation
•  Disaster recovery
•  Incompliance & Financial implication
•  Manual Authorization

The risk from people and the risk to people

Page 23

Authoritative Source highlights

•  Multiple Identity stores
•  Redundant information
•  Outsourcing
•  Off-shoring
•  Identity information syndication
•  Identification of External vs. Internal vs. Federated
•  Lack of synchronization between physical and IT
•  Conflict of business interests due to regulation
    –  HIPAA marketing vs. core business
•  Role & Responsibilities
•  Authorization

Trusted Identity Authority

The key is planning a roadmap

Page 24

Security highlights

•  Access Control
•  Authentication
•  Excessive rights
•  Ghost accounts
•  Inactive Accounts
•  Separation of Duties
•  Rotation of Duties
•  Phishing & Pharming
•  Spam
•  Aggregation of Identity Data
•  Audit & Monitoring
•  Physical
•  Stolen Tokens, Smart Card
•  Password management

Who has access to what?

Who did what?

Who can authorize?

Page 25

Cost Effective highlights

•  Self Service for Identity information
•  Consolidation of Identity Stores
•  Reduced Sign on
•  Discovery phase & Cleanup of accounts
•  Roles & Responsibilities
•  Licensing management
•  Workflows
•  Automatic Provisioning
•  Compliance & Audit
•  B2B capabilities
•  Reduction of Risk (Capital Allocation – Basel II)

Only one business case is enough to kick start a project

Page 26

Compliance

•  Privacy Regulation all around the world
•  Financial regulations
    –  Sarbanes Oxley
    –  GLBA
    –  Basel II
    –  CLERP 9
•  Healthcare
    –  HIPAA
    –  FDA
•  Homeland Security
•  Patriot Act
•  Data Protection – Europe

Integrity, Transparency, Interoperability

Page 27

Administration & Revocation

•  Administration model
    –  Centralized
    –  Delegated
•  Self Service Administration
•  Delegation via Workflows
•  PKI-Based Administration
•  Federated Administration
•  Administration control & Governance
•  Revocation verification model
    –  Real time
    –  Revocation lists

Page 28

Monitoring & Measure

•  Integrity assurance
•  Compliance
•  Change management (access rights)
•  Abuse
•  Internal usage
•  Authorization
•  Cost effectiveness
•  Usage

Page 29

Standards & Methodologies & Frameworks

•  Access Control Strategies
    –  RBAC - Role based Access control
    –  Location based
    –  Groups
•  Standards & frameworks
    –  Cobit
    –  ITIL
    –  ISO 17799

Page 30

Identity Management Planning & Strategy

Page 31

IDM rule of thumb!

Identity Management Project
•  80% of the project is around Strategic Planning
    –  Discovery: find out what you already have
    –  Planning: how to leverage your existing assets
•  20% of the project is
    –  Implementation
    –  Measure & Review

Spending
•  20% of the spending goes on planning
•  80% of the spending goes on implementation

Page 32

More than 50% of each domain are the same IDM basics

Identity Management roadmap is critical

Page 33

Highlight of IDM project planning risks

•  Usage of external resources and knowledge should fit the organization's business objectives
•  Identification of the stakeholders is critical
•  IDM projects are lengthy; the plan should be flexible to consider change of people, technologies, priorities
•  Documentation of “know how”
•  Adopting a vendor methodology doesn’t mean you have to buy all the products from one place

Always keep in mind that you enable people to do their job better and they enable the business to do better

Page 34

Market Drivers Now & Before

Page 35

Main Market drivers 2005

•  Cost & Alignment
    –  Leverage Existing investment in Directories
    –  Internal Identity management is recognized as a need and as a first step in the roadmaps
•  Risks
    –  Identity Theft
    –  Breach of privacy
    –  Fraud, Insider threats
•  Security
    –  2 Factor authentication
    –  Phishing
    –  Web Access Control
•  Compliance
    –  Accountability & Audit capabilities
    –  Automated compliance monitoring

Page 36

Recent News & Analysis

Page 37

Acquisitions & Partnership Map - Highlights

| Vendor | Action | Domains marked (Internal / External / Federation / Physical / Authority) |
|---|---|---|
| BMC | Acquires Calendra (Workflow/Directory management) | X X |
| BMC | Acquires OpenNetwork (Web Access Mgmt) | X X |
| Oracle | Buys Oblix (provisioning product) | X X |
| Quest | Acquires Vintela (Java extension to Microsoft) | X |
| CA | Acquires Netegrity | X |
| CA | Acquires software to perform account cleanups | X |
| Sun & NEC | Partner to improve solution in Identity Management space | X |
| Entrust & Trustgenix | Alliance designed to strengthen the security of federated identity management relationships | X X |

Page 38

Technologies Map - Highlights

| Vendor | Action | Domains marked (Internal / External / Federation / Physical / Authority) |
|---|---|---|
| BMC | BMC launches a comprehensive Identity and Configuration Management Database as well as integrating a directory manager with an open API. | X X |
| Sun | Provides open source of Web authentication and single sign-on technologies as part of a project it is calling OpenSSO | X |
| RSA | RSA Security Inc. will release its new software versions, RSA® Certificate Manager 6.6 and RSA® Registration Manager 6.6 | X |
| Novell | Novell announces Identity Driven computing, support to application developers | X |
| HP | HP rolls out improved identity suite (compliance, federation, auditing) | X X |

Page 39

Industrial map - Highlights

| Vendor | Action | Domains marked (Internal / External / Federation / Physical / Authority) |
|---|---|---|
| Government | The Government's hurriedly announced reconsideration of a national identification card has potentially set it on a collision course with Federal Privacy Commissioner Karen Curtis. | X X X |
| Maritime & Transport Unions | Perform background checks for every worker as part of increased security | X |
| National Australia Group UK (NAG UK) | Implement IBM Tivoli to enhance web based services | X X |

Page 40

Technologies

Jul 2005:
-  BMC launches a comprehensive Identity and Configuration Management Database as well as integrating a directory manager with an open API.
-  BQT Solutions will integrate its biometric authentication smart card solution with Optimiser's real time digital management technology
-  QuoVadis Trustlink software enables legally binding online identity and electronic signature solutions for international organizations.
-  Sun will provide open source components of its Web authentication and single sign-on technologies as part of a project it is calling OpenSSO.
-  Gemplus provides “3 Mobile” (Australia) with its 3G OTA services enabling better mobile network coverage
-  DS3 introduces authentication server on Sun’s Solaris10 operating system & Sun fire
-  Red Hat launches its open-source software stack outside the US.
-  RSA Security Inc. announced its RSA® BSAFE® Data Security Manager to be a middleware solution for software developers.

Sep 2005:
-  RSA Security Inc. will release its new software versions, RSA® Certificate Manager 6.6 and RSA® Registration Manager 6.6

2006:
-  Seagate Technology will incorporate the Hardware-Based Full Disc Encryption (FDE) technology into notebook PC hard-disk drives

Page 41

The Network

Page 42

Identity Management Network

•  Founded 2005
    –  Security Development, Guy Lupo
•  Mission
    –  Create and constantly maintain an open, clear channel of communication between organisations, government, vendors, integrators, consultants in the identity management sector
•  Execution
    –  Web portal www.identitymanagement.net.au (BETA)
    –  Identity Management Index
    –  Identity Management Summit - March 2006
    –  On-going networking events for the network members

A place to start with Identity Management

Page 43

Network Entities

[Diagram labels: Org A, Org B, Org C; Sponsor A, Sponsor B, Sponsor C; A, B, C, D; Associations; Organizations; Government; Vendors; Integrators; Security; Governance; Physical; Business Lobby; Universe Map; Events; IDM e-news; Networking; Key IDM Professionals]

Page 44

Thank You!

•  Guy Lupo (cissp) SecurityDev Security Products Marketing Services [email protected] www.securitydev.com 0432031031

ISSA Australia-New Zealand National Director [email protected]

