Identity Management for the 21st Century IT Mission

Presented By:
• Paul Grassi: VP of Federal Programs, Sila Solutions Group
• Jim Rice: VP of Federal, Layer 7
• Dieter Schuller: VP of Business Development, Radiant Logic
• Gerry Gebel: President, Axiomatics Americas
• Phil McQuitty: Director of Systems Engineering, SailPoint
• Stephanie McVitty: Account Manager, Compsec

Wednesday, August 14, 2013
Key Discussion Areas
• Today’s Challenges
• History: How Did We Get Here?
• The Evolution of Access Control
• Building Blocks for Agile Access
• Creating a Framework for Success
• The Ideal ABAC Process
• Use Case Deep Dive
• Next Steps: Are You ABAC-Ready?
Today’s Challenges
• We keep trying to solve a legacy problem with a legacy solution
• Made authorization an IT solution, not a business solution
• Bogged down with stovepipes, multiple policies, and poorly defined infrastructure
• Focused on the door – not the data
• Yet, we’ve done some amazing things

We have made great progress! Industry deserves credit. Examples: NSTIC/IDESG, NIST 800-162 Draft, FICAM AAES work; focus on attributes and confidence scores.
How Did We Get Here?
[Figure: timeline contrasting “Legacy Problem with Legacy Solution” (shown twice) with “Legacy Problem with Better Solution”]
The Evolution of Access Control
[Figure: evolution of access control models, showing IBAC, ACL, RBAC, eRBAC, ABAC and PBAC]
• ABAC: fine grained, attribute-driven, local policy, proprietary enforcement, technical
• PBAC: reusable policy, context aware, externalized, standards based, business driven, non-technical; a future proofed business solution
Building Blocks for Agile Access
[Figure: Federated Identity, Federated Attributes, Environment Context, Resource Attributes and Action feed Reusable Policy, which produces Agile Access Decisions]
ABAC Framework
[Figure: Programmatic and Technical Management spanning four pillars: Portability, Confidence, and Trusted Attributes; Access Anywhere (Mobility/Cloud); Lifecycle, Governance and Risk; Mission Agility]
Layer 7 Overview
Layer 7 API Gateways Provide API Access Control for the New “Open” Enterprise

[Figure: Enterprise Applications & Data exposed to Outside Partners / Divisions, External Developers, Mobile Apps, Cloud Services and Other Things]

Enterprises are exposing more: Mobile / Tablet Apps; Web Platform Integration; Open APIs for Developer Channel; Private Cloud Annexes (Savvis or Datacenter); Cloud Services; Over the Top TV and Media (Xbox Live and Smart TV); Real-time Partner Integration.

Connectivity & Security Challenges for Open Enterprise:
• Protection of applications exposed over internet
• Reuse of information shared across departments, partners, mobile & Cloud
• Ease of integration: reconciling disparate identity, data types, standards, services
• Federated & Delegated Security
• Performance optimization (caching, protocol compression, …)
• Brokering cloud services
• Proxy connections to social, cloud, notification services that enterprises can control
• Cloud interactions
• Central governance of policies and security

This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/public.
Layer 7 Policy Approach
[Figure: four product components and the functions they provide]
Components:
• API Integration Gateway
• API Service Manager
• API Identity & Access Broker
• API Developer Portal
Functions shown: Health Tracking; Workflow; Performance; Global Staging; Developer Enrollment; API Docs; Forums; API Explorer; Rankings; Quotas; Plans; Analytics; Reporting; Config Migration; Patch Management; Policy Migration; Throttling; Prioritization; Caching; Routing; Traffic Control; Transformation; Security; Composition; Authentication; Single Sign On; API Keys; Entitlements; Token Service; OAuth 1.x; OAuth 2.0; OpenID Connect
Layer 7 ABAC Reference Implementation
[Figure only]
RadiantOne Architecture
• A Federated Identity Service through Model-Driven Virtualization
• Provides all functions of a complete AAES service
• Abstraction layer
• Platform consists of advanced Virtual Directory Server (VDS), Identity Correlation and Synchronization (ICS), and Cloud Federation Service (CFS)
RadiantOne Key Capabilities
[Figure: identity records from an LDAP Directory, Active Directory and an HR Database are correlated into a single virtual view, which an Attribute Server exposes for User Lookup and dynamic group evaluation]

Source attributes (spread across the three sources):
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
uid=AFuller
title=VP Sales
ClearanceLevel=1
Region=PA
memberOf=Sales

Correlated Identity Virtual View:
employeeNumber=2
samAccountName=Andrew_Fuller
objectClass=user
mail: [email protected]
departmentNumber=234
uid=AFuller
title=VP Sales
givenName=Andrew
sn=Fuller
EmployeeID=509-34-5855
ClearanceLevel=1
Region=PA
UserID=EMP_Andrew_Fuller
DeptID=Sales234

Dynamic Groups Virtual View:
cn=Sales
objectClass=group
member=Andrew_Fuller
**Based on identities that have:
• ClearanceLevel=1
• title=VP Sales
• Region=PA
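The correlation and dynamic-group views sketched above, as an added example (not RadiantOne code): records from three constructed sources are joined on a shared mail attribute into one virtual entry per person, and a group is derived from the ClearanceLevel/title/Region filter the slide names. The records, the choice of mail as correlation key, and the attribute names are assumptions for the example.

```python
"""Added example (not RadiantOne code): correlate one person's records from three
sources into a virtual view and derive a dynamic group from attribute filters.
All records, the correlation key and the attribute names are constructed."""

# Constructed source records. Each source names the person differently
# (uid, samAccountName, employeeNumber); a shared mail value links them.
SOURCES = {
    "ldap": [{"uid": "AFuller", "mail": "afuller@example.com", "title": "VP Sales",
              "givenName": "Andrew", "sn": "Fuller"},
             {"uid": "BJones", "mail": "bjones@example.com", "title": "VP Sales"}],
    "ad": [{"samAccountName": "Andrew_Fuller", "mail": "afuller@example.com",
            "objectClass": "user", "memberOf": "Sales"},
           {"samAccountName": "Bob_Jones", "mail": "bjones@example.com"}],
    "hr": [{"employeeNumber": "2", "mail": "afuller@example.com",
            "departmentNumber": "234", "ClearanceLevel": "1", "Region": "PA"},
           {"employeeNumber": "7", "mail": "bjones@example.com",
            "ClearanceLevel": "1", "Region": "NY"},
           {"employeeNumber": "9", "ClearanceLevel": "1", "Region": "PA"}],  # no mail
}

def correlate(sources, key="mail"):
    """Identity correlation: join every source's records on `key` into one
    virtual entry per person. Records lacking the key are reported rather than
    silently merged: an uncorrelated identity gives an incomplete view, and
    therefore wrong group membership, at authorization time."""
    views, unmatched = {}, []
    for name, records in sources.items():
        for rec in records:
            k = rec.get(key)
            if k is None:
                unmatched.append((name, rec))
                continue
            view = views.setdefault(k.lower(), {})
            for attr, val in rec.items():
                view.setdefault(attr, val)  # earlier source wins on conflicts
    return views, unmatched

def dynamic_group(cn, views, **filters):
    """Dynamic group virtual view: members are all correlated identities whose
    attributes equal every filter value (e.g. ClearanceLevel, title, Region)."""
    members = sorted(v.get("samAccountName", k) for k, v in views.items()
                     if all(v.get(attr) == val for attr, val in filters.items()))
    return {"cn": cn, "objectClass": "group", "member": members}

if __name__ == "__main__":
    views, unmatched = correlate(SOURCES)
    print(views["afuller@example.com"])
    print(dynamic_group("Sales", views, ClearanceLevel="1", title="VP Sales", Region="PA"))
    print("uncorrelated:", unmatched)
```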
Axiomatics Architecture
• Manage: Policy Administration Point (PAP)
• Decide: Policy Decision Point (PDP)
• Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
• Enforce: Policy Enforcement Point (PEP)
Authorization at Any Layer
[Figure only]

Anywhere Authorization Architecture
[Figure only]
SailPoint Architecture
[Figure: layered platform]
• SailPoint ICAM Solutions: Access Request & Provisioning; Password Management; Compliance Management; Single Sign-On; Identity Analytics
• Unified Governance Platform: Identity Warehouse; Role Model; Policy Model; Risk Model; Workflow
• Open Connectivity Foundation: Resource Connectors; Provisioning Integration; Service Desk Integration; Security & Activity; Cloud SaaS
Entitlement Giving Attributes
[Figure: entitlement giving attributes from HR Data and Security Directory Attributes pass through business process management (Ownership, Relationships, Modeling, Review Process, Change Process, Audit Process) on their way to the systems and targets that consume them]
The Business Process of IAM Data Management
[Figure: Identity & Access Governance (Ownership & Responsibility; Change Control; Versioning History; Verification & Review; Analytics & Reporting) governs the flow of entitlement giving attributes from HR Data and Security Directory Attributes to systems and targets]
Benefits of Our Solution
[Figure: benefits grouped as Operational and Business]
• Simple Change Management: easy to deploy new policy without underlying changes to application infrastructure.
• Maximum Efficiency and Flexibility
• Range of Deployment Options: deploy for performance and architectural needs while maintaining 100% conformance with open standards.
• Simple and Effective Management
• Cost Effective
• Scalable
• Interoperable
• Business-Friendly Management: policy management and insight available to all levels of the organization.
• Increased Access to Information: eliminate time consuming and confusing processes to gain access to information. Access barriers are removed so users can get their jobs done more efficiently.
• Increased Security and Compliance
The Ideal Process
[Figure only]
High Level Use Cases
• Patient can manage record from authorized personal devices; opts-in and authorizes PCP and staff to view
• Doctor can read from office computer; doctor can write to entire record
• Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs
• Nurse can “break the glass” to access location agnostic information
• Receptionist trained in HIPAA data protection can only view services performed
• Claims coordinator can only view appointment information
• Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt-in
Conceptual Architecture
[Figure: AuthN Services and a Secure Gateway front the EHR Systems; a Federated Identity Virtualization layer exposes a Provider View, R&D View, Insurance View and Patient View over the Attribute Sources (NPI Registry, Patients, Hospital, Insurance, R&D); Policy Administration and Governance sit above the Policy Server]
Patient Use Case
Patient attempts to update personal EHR to add blood pressure (BP) information and opt-in to share info with doctor.
1. Intercepts the request; checks request validity; verifies patient access using registered device.
2. Requests/receives required attributes (EHR owner, authorized devices) from Patient EHR Preferences/Metadata, Signed Opt-In Forms and the List of registered devices; checks if authorized; verifies patient is accessing own record.
3. Permit: allows Patient access to EHR System.
4. Patient updates BP and authorizes doctor to access information.
Doctor Use Case
Doctor attempts to update patient EHR from office computer.
1. Intercepts the request; checks request validity; checks access from office computer.
2. Requests/receives required attributes (EHR owner, authorized devices) from Patient EHR Preferences/Metadata, Signed Opt-In Forms, the List of signed opt-in forms and the Hospital Network EHR; checks if authorized; verifies patient opt-in.
3. Permit.
4. Allows doctor access to patient EHR.
Remaining Use Cases
(Columns of the original table: Use Case, Request, Layer 7, Axiomatics, Radiant Logic, EHR)

Use Case: Nurse
Request: Rheumatology nurse requests access to patient EHR
Layer 7:
• Checks request location/validity
• Checks PDP for authorization
Axiomatics:
• Validates nurse/patient relationship
• Allows access to specific attributes of patient EHR
Radiant Logic: Provides nurse and patient attributes to PDP
EHR: Allows nurse access to read patient rheumatology attributes of EHR; write diagnostics

Use Case: “Break Glass”
Request: Nurse requests access to patient cardiac information when patient shows heart attack symptoms
Layer 7:
• Checks request validity
• Checks PDP for authorization
Axiomatics:
• Validates environmental attributes from hospital
• Validates nurse/patient relationship
Radiant Logic: Provides hospital, nurse and patient attributes to PDP
EHR: Allows nurse access to read rheumatology and cardiac attributes of EHR; write diagnostics

Use Case: Reception
Request: Reception requests access to patient services to prepare bill
Layer 7:
• Checks request location/validity
• Checks PDP for authorization
Axiomatics:
• Validates employee HIPAA training
• Validates employee/patient relationship
Radiant Logic: Provides employee and patient attributes to PDP
EHR: Allows help desk access only to services performed

Use Case: Insurance
Request: Insurance claims processor requests access to patient EHR
Layer 7:
• Checks request location/validity
• Checks PDP for authorization
Axiomatics:
• Validates processor employment with insurance company
• Validates covered incident
• Validates insurance/patient relationship
Radiant Logic: Provides processor, patient, and insurance attributes to PDP
EHR: Allows claims processor access only to covered incident information

Use Case: Research & Development
Request: Cardiovascular research center requests access to all cardiology patient data
Layer 7:
• Authenticates R&D server
• Checks PDP for authorization
Axiomatics:
• Validates research center and scope
• Provides SQL PEP to filter result set and return anonymous data
Radiant Logic: Provides employee and research center attributes to PDP
EHR: Allows employee access only to anonymized data pertaining to research center scope
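The nurse, “break glass” and reception rows above, worked as an added example of the PIP/PDP/PEP split (not Layer 7, Axiomatics or Radiant Logic code): the PIP data, the care-team relationships, the EHR section names and the hospital-asserted emergency attribute that gates break-glass are all constructed, and every break-glass permit is written to an audit list so it can be reviewed afterwards.

```python
"""Added example: a toy PIP/PDP/PEP flow for the nurse, break-glass and
reception use cases. Subjects, relationships, section names and the
environmental attribute are constructed; the rules follow the use-case table."""

# PIP data (constructed): subject attributes and employee/patient relationships.
SUBJECTS = {
    "nurse1": {"role": "nurse", "unit": "rheumatology"},
    "recep1": {"role": "reception", "hipaaTrained": True},
    "recep2": {"role": "reception", "hipaaTrained": False},
}
CARE_TEAM = {("nurse1", "p42"), ("recep1", "p42"), ("recep2", "p42")}
BREAK_GLASS_AUDIT = []  # every break-glass permit is recorded for later review

def decide(subject_id, patient_id, action, section, env=None, break_glass=False):
    """PDP: return (decision, reason) for one subject/patient/action/section.
    `env` carries environmental attributes asserted by hospital systems."""
    env = env or {}
    subj = SUBJECTS.get(subject_id)
    if subj is None or (subject_id, patient_id) not in CARE_TEAM:
        return "Deny", "no subject/patient relationship"
    if subj["role"] == "nurse":
        if action == "read" and section == subj["unit"]:
            return "Permit", "nurse reads own unit's attributes"
        if action == "write" and section == "diagnostics":
            return "Permit", "nurse writes diagnostics"
        if (break_glass and action == "read" and section == "cardiac"
                and env.get("patientCondition") == "cardiac-emergency"
                and env.get("patientId") == patient_id):
            BREAK_GLASS_AUDIT.append((subject_id, patient_id, section))
            return "Permit", "break glass: emergency environment attribute + relationship"
        return "Deny", "outside nurse scope"
    if subj["role"] == "reception":
        if subj.get("hipaaTrained") and action == "read" and section == "services":
            return "Permit", "HIPAA-trained reception reads services performed"
        return "Deny", "reception untrained or section not services"
    return "Deny", "no applicable rule"

def enforce_read(subject_id, patient_id, record, env=None, break_glass=False):
    """PEP: return only the EHR sections the PDP permits this subject to read."""
    return {sec: val for sec, val in record.items()
            if decide(subject_id, patient_id, "read", sec, env, break_glass)[0] == "Permit"}

if __name__ == "__main__":
    record = {"rheumatology": "...", "cardiac": "...", "services": "...", "demographics": "..."}
    print(enforce_read("nurse1", "p42", record))
    emergency = {"patientCondition": "cardiac-emergency", "patientId": "p42"}
    print(enforce_read("nurse1", "p42", record, emergency, break_glass=True))
    print(BREAK_GLASS_AUDIT)
```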
Governance Use Case
Health Care Systems Attribute and Policy Governance
[Figure: entitlement giving attributes from Functional Application #1 and Functional Application #2 pass through governance steps (Ownership & Responsibility; Change Control; Provision; Verification & Review; Analytics) and feed the Axiomatics Policy Server and Axiomatics Policy Auditor]
Identities, certified entitlements & risk scores would be used at the PIP and PDP to make smarter decisions.
Are You Ready?
• Establish Governance
• Choose your standards
• Determine your attributes and metadata
• Determine your authoritative sources
• Create a taxonomy and data dictionary
• Understand your business processes
• Determine the business model
• Decide who will own policy/policy management
• Coordinate with stakeholders across organization, including audit/compliance, privacy, and security operations
• Track performance
Questions?