IDENTITY AND ACCESS MANAGEMENT 101

Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis


Posted on 18-Dec-2014


DESCRIPTION

Crash course in the fundamentals of identity and access management.

TRANSCRIPT


Agenda

• The Good, The Bad, & The Ugly

• Terminology

• Employee Lifecycle

• Step-by-Step

• Looking Ahead

• Resources

The Good, The Bad, & The Ugly

• Good

– Saves time

– Improves accuracy and consistency

• Bad

– RIDICULOUSLY complex

– Never enough money/resources

• Ugly

– When everything works, you’ll be the hero

– If (when) something breaks, you’ll wish you’d saved up more sick days

How Many Acronyms Does It Take…

• IdM = Identity Management

– Manage the accounts

• FIdM = Federated Identity Management

– Manage identity across autonomous domains

• IAM = Identity & Access Management

– Manage what the accounts can access

More Alphabet Soup

• LDAP – Lightweight Directory Access Protocol

• RBAC – Role Based Access Control

• SSO – Single Sign-On

• Federation

– SAML, SAML 2.0, WS-Federation, Liberty Alliance

Provisioning & Deprovisioning

• Provisioning

– IT giveth…

• Deprovisioning

– … and IT taketh away

• You need to track everything you provision if you ever expect to deprovision it.

– Computers, phones, badges, app access, software licenses, etc.

• Your auditors will LOVE you for this!

3-Phase Employee Lifecycle

• #1 – Hire

– Autoprovision birthright entitlements, based on role (bear with me…)

• #2 – Transition

– New access replaces old access, right?

• #3 – Termination

– Deprovision, stat!

• #4 – Other?

– On Leave (medical, sabbatical, etc.)

– Terminated with Access

Step One: The Sit-Down

• Meet with HR

– HR system is the system of record

– Workforce members = employees + non-employees (decision time!)

• Discuss roles

– Dazzle them with your knowledge of RBAC

– Remember that employee lifecycle slide?

• How will you determine birthright access?

– Department + Job Code

– Step back, take a look at current employees, and execute the smell test

• Identify the processes you want to automate

– Notification of hire/change/termination

– Account creation/deletion (in connected systems, NOT system of record)

– Access modification

– Internal expenses (e.g., mobile devices)

Step Two: The Data Must Flow

• Identify integration points

– Authentication Stores

• LDAP Directories

• Local Databases

– Commercial Apps

– Homegrown Apps

• Internal vs. External

– Fewest authentication/authorization stores possible

– External = federation

• How are changes initiated?

– Transactional vs. batch

• Conceptual diagram of your IAM infrastructure

http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634

Step Three: Integrate

• Define integration requirements

– PMO FTW!

• Take a technical inventory

– What do you have?

– What do you need?

– What can you get rid of?

• Start eating the elephant

– HR -> Identity Store

– Identity Store -> Active Directory

– Identity Store -> [other LDAP directory]

– Identity Store -> [email]

– Identity Store -> [that one app that everyone in the company uses]

http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html

Intermission: Let’s Talk Tech

• Components

– Identity Store / Vault / Repository (not the system of record)

– LDAP Directory

– Entitlements Manager

– Web Access Manager (+ Certificate Manager)

– Password Manager

Vendors

• CA Identity Manager

• IBM / Tivoli Identity Manager

• Microsoft Forefront Identity Manager

• Novell Identity Manager

• Oracle Identity Manager / Sun LDAP

• RSA / Courion

– RSA = Access Manager & FIdM

– Courion = Provisioning & Passwords

Open Source

• OpenIAM

• OpenDS Directory Server

• OpenSSO

• Shibboleth (SSO)

• Gluu

Pictures, or It Didn’t Happen

[Diagram of the IAM infrastructure; components shown: System of Record, Identity Provider, LDAP Server, User-Facing Apps, Email, Other LDAP, Databases, Password Manager, Web Access Manager, Entitlements Manager]

Step Four: Communication

• Document the $#!% out of your IAM infrastructure

– Every single integration point

– Link the tech to business processes

• Review documentation with…

– Human Resources

– LAN Support

– System Owners

– Application Developers

– Production / Change Control

– IT Leadership

• Link IAM systems to Change Control system

– Notification of ANY and ALL changes

– Want to break IAM? Change a connected system without testing integration points!

Step Five: Audit

• Trust, but verify

• Things to audit

– Segregation of duties

– Access changes (esp. administrative & sensitive data)

– Accounts for terminated users (reconcile with HR)

– Share access

• Security Information and Event Management (SIEM)

– Failed login attempts

– Attempts to access restricted data

– Privilege changes / escalation

• Automate your auditing toolset
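As an added example that is not part of the deck: the hire/transition/termination lifecycle driven from HR as the system of record, birthright access derived from department + job code, and an automated audit pass that reconciles the identity store against HR status and checks segregation of duties. Department codes, job codes, entitlement names and the sample events are constructed for illustration.

```python
from dataclasses import dataclass, field

# Birthright entitlements keyed by (department, job code), as the deck suggests.
# Codes and entitlement names are constructed for this example.
BIRTHRIGHT = {
    ("FIN", "ACCT1"): {"email", "erp_ap_entry"},
    ("FIN", "CTRL"): {"email", "erp_ap_approve"},
    ("ENG", "DEV1"): {"email", "vcs", "ci"},
}
# Segregation-of-duties pairs that must never coexist on one identity.
SOD_CONFLICTS = [frozenset({"erp_ap_entry", "erp_ap_approve"})]

@dataclass
class Identity:
    uid: str
    entitlements: set = field(default_factory=set)
    active: bool = True

def birthright(dept, job_code):
    """Look up birthright access; unknown dept/job pairs get nothing by default."""
    return set(BIRTHRIGHT.get((dept, job_code), set()))

def apply_hr_event(store, event):
    """Drive the identity store (not the system of record) from an HR event."""
    uid = event["uid"]
    if event["type"] == "hire":
        store[uid] = Identity(uid, birthright(event["dept"], event["job"]))
    elif event["type"] == "transition":
        # New role's birthright replaces the old one; nothing is stacked.
        store[uid].entitlements = birthright(event["dept"], event["job"])
    elif event["type"] == "termination":
        store[uid].active = False
        store[uid].entitlements.clear()
    return store[uid]

def reconcile(hr_status, store):
    """Audit pass: active accounts HR does not list as active, plus SoD violations."""
    findings = []
    for uid, ident in store.items():
        status = hr_status.get(uid)
        if ident.active and status != "active":
            kind = "terminated_with_access" if status == "terminated" else "unknown_to_hr"
            findings.append((kind, uid))
        for pair in SOD_CONFLICTS:
            if pair <= ident.entitlements:
                findings.append(("sod_violation", uid))
    return sorted(findings)
```

Run `reconcile` on a schedule against the HR feed; an account that is still active after HR shows a termination is exactly the "terminated with access" case from the lifecycle slide.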

Destined to Fail

• Most IAM projects fail. Why?

– Lack of executive sponsorship

– Project teams try to do too much at once

– Referring to IAM as a ‘project’ in the first place

• Mark Dixon’s Ten Best Practices for Identity Management Implementation

– Set strategy

– Secure sponsorship

– Plan quick wins

– Select project leadership

– Define business processes

– Select implementation team

– Gain commitment from support resources

– Provide proper infrastructure

– Assure data quality

– Conduct post-production turnover

http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity

Questions to Start Asking Now

• Who’s going to support all this?

• How can I enforce change control for IAM integration points?

• How am I going to manage passwords?

– Single Sign-On

– Password Synchronization

• How am I going to manage non-employees?

– Consultants

– Contractors

– Interns

• How am I going to manage RBAC exceptions and segregation of duties?

– Pareto Principle (80/20 rule)

• Identity in the Cloud?

– Yeah, I said cloud. Drink ‘em if you got ‘em!

More Resources

• Internet2 Middleware Initiative – http://www.internet2.edu/middleware/index.cfm

– MACE (Middleware Architecture Committee for Education)

– Shibboleth Federated Single Sign-On Software

– Grouper

– Comanage: Collaborative Organization Management

– MACE-Dir(ectories)

– MACE-paccman (Privilege and Access Management)

• Open Source

– OpenDS - http://www.opends.org/

– OpenSSO - http://java.net/projects/opensso/

– Shibboleth - http://shibboleth.internet2.edu/

– Gluu - http://www.gluu.org/

Even More Resources

• IdM vs. IAM – http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html

• Gartner Identity and Access Management Summit – http://www.gartner.com/technology/summits/na/identity-access/

• Gartner – Why There Are No IAM Magic Quadrants – http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/

• AWS Identity and Access Management – http://aws.amazon.com/iam/

• Worst Practices: Three Big Identity and Access Management Mistakes – http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes

• Wikipedia – http://en.wikipedia.org/wiki/Identity_management

– http://en.wikipedia.org/wiki/Identity_access_management

– http://en.wikipedia.org/wiki/Federated_identity_management

Questions?

Jerod Brennen, CISSP, CTO & Principal Security Consultant, Jacadis

LinkedIn: http://www.linkedin.com/in/slandail

Twitter: https://twitter.com/slandail

http://www.jacadis.com

[email protected]