Post on 18-Dec-2015
www.novell.com
Secure Identity Management Solutions for One Net
Stan Levine, President, The Wiring; [email protected]
Creating Trusted Identities
• Enterprise workforce
• Business-to-business
• Business-to-consumer
Trust = Value
• Harnessing the power of the Internet is dependent upon trust
• The higher the level of trust, the more information can flow freely to users—now empowered to work, collaborate, and consume
• User empowerment always reduces cost while increasing the business value of your systems
Trust = Value (cont.)
Trust is achieved through strong processes that manage the “who, what, where, when and how” of access control. Examples of such control include:
• Web applications that are uniformly protected regardless of whether they are accessed from inside or outside the firewall
• User identities that are provisioned and entitled exclusively according to a policy-driven identity management process
• Administrators that have no ability to grant access privileges outside of a provisioning process
Common Misunderstandings about Establishing Trust
• Products for access management and user authentication do not by themselves establish or enforce trust
– They allow or deny access to known user IDs, but cannot determine how access rights were provisioned
• Public key infrastructure (PKI) does not establish or enforce trust through authentication
– PKI can greatly raise confidence in who the user is, but again cannot determine how access rights were provisioned to that user
• A powerful directory service does not establish or enforce trust
– However, a directory service that understands and enforces relationships (such as Novell eDirectory™) is essential for enabling processes that establish trust
Unfortunately, without Trust There Is No Security
Scenario
The match is positive: the user has been 100% authenticated (biometric fingerprints, biometric iris scan, user credentials).
The users are authenticated. Now, who are they? And how do you know? How did they get into your directory? Who gave them rights to the protected resource? Was it a programmer? A “helpful” administrator? A corrupt insider? An intruder?
The Elephant in the Room
By itself, Access Management is not a security solution. The best-known security vendors do not discuss the critical importance of Identity Provisioning in creating real security.
As a result, they do not discuss some of the gravest threats to information security:
• Insider fraud
• Malicious behavior
• “Helpful” administrators
• Careless programmers
• Gullible Help Desks
What Are the Real Threats?
“It’s not hacking that results in the most damaging penetrations to an enterprise’s security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees—often without their knowledge—that results in the theft of crucial data.”
Rich Mogull, Senior Analyst, GartnerGroup
Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses.
Kristen Noakes-Fry, Research Director, Gartner
Diagram: a directory service holding user profiles for Workforce, B2B and B2C; access authorization processes, an identity management process and identity management policies covering workforce, partners and customers; the questions “Who is the user? How did he get his ID? How did she gain access permissions?”; and an “Admin or Programmer” actor.
The Novell Solution: Access Management with Trust
The “One Net” Difference: Provisioning Trusted Identities
Approaches to identity management that address identity provisioning, but not the creation and maintenance of trusted identities, are inadequate to the task of establishing one Net.
Novell offers the strongest platform for building secure identities for all environments that require a high degree of user trust. These include:
• eBusiness Provisioning for trusted business partner (B2B) user access and trusted consumer/patient/citizen (B2C/G2C) access
• Profile Locking to ensure that access rights are provisioned exclusively via validated identity management processes; Profile Locking addresses “social engineering” compromises to security and other insider threats
• Workforce Provisioning for dynamically creating trusted identities for enterprise users, in concert with HR and other employee systems
Workforce Provisioning Using DirXML™
• Workforce (employee, contractor) identity profiles should never be created ad-hoc
• Instead, workforce profiles must be derived and integrated from the authoritative business processes that are responsible for components of the profile
• This approach
– Significantly increases the “trust value” of the profile
– Permanently eliminates administrative costs
– Ensures that all identity provisioning operations take effect immediately, including hire and termination events
Diagram: DirXML connected to HR, ERP, OS, directory, mail, DB and DEN systems.
Business-to-Business Identity Provisioning
• Banks, manufacturers, health care providers, defense, and other industries all have thousands of business partners, suppliers, and agents
• Governments also have these relationships and, since 9/11, have discovered that obstacles to sharing information among agencies/ministries can become catastrophic or scandalous
• Each business partner may in turn have dozens of business units, each with variable numbers of users that require limited access to protected data; such organizations often exhibit large employee turnover, mergers, and/or reorganizations
• It is therefore unreasonable for organizations to try to centrally administer the business partner community
B2B Delegated Provisioning
• B2B Delegated Provisioning must provide a solution that is platform and vendor independent, and requires very little training and no programming skills to deploy
• Policies, Forms, and Delegated Authority tasks should be driven by a highly intuitive graphical user interface
• A B2B solution greatly benefits from the unique, integral trust features of Novell eDirectory
• Additionally, Novell DirXML allows delegated provisioning into any application system, regardless of underlying platform, directory, or database requirements
• B2B delegation enables each partner to manage its own users
• However, partners must be allowed to provision users exclusively via strictly defined, restricted, enforced and audited access for applications and resources
Tools for the Job: B2B Provisioning
Diagram components: what the business partner sees (simple forms for registration and enrollment, roles, organizations, signatures); Identity Services controller process (web access, error handling, Form Builder, Policy Builder); Novell eDirectory; DirXML Identity Provisioning; partner-enabled applications on NetWare, NT/W2K/XP, Solaris, AIX, Linux, OS/390, OS/400, etc.
• Connected systems: PeopleSoft, SAP, Active Directory, E-mail, MQ Series/TIBCO, other connectivity
• Partner-enabled applications: enterprise information portals, ERP and logistics applications, legacy and custom applications
Framework for the Job: B2B Provisioning Components
• Enrollment workflows and status should be 100% customizable
• Any type or number of business or application roles should be supported
• Users should be provisioned using profiles for controlled access to any eligible application, including legacy and ERP systems
Demonstration: Example of Trusted B2B Provisioning
Forms Designer; User Registration; Application and Portal Management
• No programming required
• Accelerated value
– Platform independent
– Browser independent
– Rapid deployment
– Very little training
• Highly secure
• 100% policy driven
• eProvisioning-ready with DirXML
Business-to-Consumer (B2C) Identity Provisioning
• A B2C provisioning process needs to scale to potentially millions of people
• This generally requires a “trusted self-registration” capability, as the problem is well beyond the scope of centralized administration
• The user (customer, patient, citizen, etc.) provides “friendly” but unique credentials (e.g., PIN number, account code, billing, passport and/or other personal information)
• The user credentials are then validated against legacy business processes (e.g., CRM, billing systems, client matters, security files, etc.)
• Information typed in by the user is not to be trusted
• Therefore, one of the critical keys to trusted B2C provisioning is strong and secure connectivity to enterprise systems
• Trusted identities are provisioned by leveraging information managed in legacy business systems
• Critical profile data that is entered directly by consumers cannot be trusted
B2C “Trusted Self Provisioning”
• Credential validation should occur in real time between the B2C self-provisioning process and the authoritative enterprise system
• Integration with corporate databases, ERP, directories and multiple platforms concurrently, including mainframes, is required
• No direct connection should be established between the web application server and the mainframe
• Legacy applications must never be exposed to hackers
• Profiles managed in the directory service should be kept in sync with legacy business process systems using DirXML
Tools for the Job: B2C Provisioning
Diagram components: what the consumer sees (simple forms: get credentials, validate, create profile, update, notify); Identity Services controller process (web access, error handling, XML policy); integration sources reached via LDAP, JDBC and CICS with message operations (query, update, etc.); directory services; legacy and relational databases; middleware services (e.g., MQ Series, TIB/Enterprise); SMTP e-mail services; DirXML Identity Provisioning on NetWare, NT/W2K/XP, Solaris, AIX, Linux, OS/390, OS/400, etc.
Framework for the Job: RA B2C Process Architecture
• Self-service tools are provided for registration, password recovery, and profile editing (PIN ID form, user ID/password form, additional information form, ID/password recovery form; the user registers online and recovers the ID/password online)
• Users are challenged for enrollment credentials; the user’s profile is constructed primarily from legacy data (registration server, directory service, user authentication repository; user information created/updated)
• Validation with legacy systems is performed online using MQ Series, TIB/Enterprise, or other enterprise middleware (back office, e.g., OS/390; customer database; user data validated)
• Novell DirXML Identity Engine is used to maintain the user profile via validated business processes and systems (business process events, synchronization, enterprise shim)
Ensuring Trust: DirXML-based Integrity Solutions
A DirXML-based integrity solution called Profile Locking can eliminate most opportunities for insider fraud.
Capabilities
• Works with any Access Management solution from Novell (iChain®), as well as third-party solutions from Netegrity, IBM, CA, Baltimore, etc.
• Imposes no front-end processing or performance degradation
• Does not require client-side X.509 certificates
• Simple interface for associating digital signatures with registration policies
• Works with any directory-managed X.509 certificate authority (IBM, Entrust, Novell PKIS included)
• Employs server-side digital signatures to verify how a user obtained permissions and enables or disables ACL attributes and/or memberships accordingly
Today, only Novell provides a solution for trusted identity management, thanks to a combination of innovative DirXML technology and PKI-based digital signatures.
What Is Different about DirXML Profile Locking?
DirXML Profile Locking enables trusted components of a user’s profile to be digitally signed and associated with a valid provisioning process.
• If a “trusted” attribute is changed, DirXML Profile Locking instantly detects and evaluates the change and, if necessary, resets the user’s ACL, placing his ID into a workflow state, all in real time
• The profile evaluation occurs in the background using Novell DirXML; applications do not experience any performance degradation
• No “active policies,” “active rules” or “exit programs” need to be executed by the access management solution
DirXML Profile Locking runs on NetWare®, NT/W2K/XP, Solaris, and Linux platforms, wherever DirXML runs.
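The signing-and-verification idea behind Profile Locking, as an added example in Go rather than Novell's code: the registration authority signs the trusted attributes of a profile at enrollment, and any later change to a trusted attribute fails verification and disables the ACL, while untrusted attributes may change freely. The attribute names, the Ed25519 key and the JSON canonical form are assumptions of this example, not details from the deck.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)
// Profile models a directory entry. Trusted attributes are the ones a validated
// provisioning process set and signed; all other attributes may change freely.
type Profile struct {
	UserID     string
	Attributes map[string]string
	Signature  []byte // enrollment signature over UserID and the trusted attributes
	ACLEnabled bool   // the only thing the access manager has to check
}
// Which attributes count as trusted is an assumption of this example.
var trustedAttrs = []string{"memberOf", "partnerOrg"}
// canonical serialises the trusted subset in a fixed order so identical values
// always yield identical bytes to sign and verify.
func canonical(userID string, attrs map[string]string) []byte {
	vals := make([]string, len(trustedAttrs))
	for i, k := range trustedAttrs {
		vals[i] = attrs[k]
	}
	b, _ := json.Marshal([]interface{}{userID, trustedAttrs, vals})
	return b
}
// Enroll is the provisioning step: the registration authority signs the trusted
// attributes server-side (no client certificate involved) and enables the ACL.
func Enroll(p *Profile, raKey ed25519.PrivateKey) {
	p.Signature = ed25519.Sign(raKey, canonical(p.UserID, p.Attributes))
	p.ACLEnabled = true
}
// Verify runs on every profile change: a trusted attribute that no longer matches
// the signed value disables the ACL and puts the profile in the "Rejected" state.
func Verify(p *Profile, raPub ed25519.PublicKey) string {
	p.ACLEnabled = ed25519.Verify(raPub, canonical(p.UserID, p.Attributes), p.Signature)
	if p.ACLEnabled {
		return "Enrolled"
	}
	return "Rejected"
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := &Profile{UserID: "jdoe", Attributes: map[string]string{"memberOf": "suppliers", "partnerOrg": "Acme"}}
	Enroll(p, priv)
	p.Attributes["memberOf"] = "admins" // edit made outside the provisioning process
	fmt.Println(Verify(p, pub), p.ACLEnabled) // Rejected false
}
```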
Enforcing Integrity with ProfileLock “Enrollment Signatures”
Diagram components: legacy user, enroller, Novell eDirectory, external applications, DirXML Identity Provisioning, B2B Provisioning, Workforce Provisioning, B2C Provisioning, enrollment signatures.
Profile Locking Architecture: Schematic Diagram
Diagram components (built up over four slides): communities (Extranet, MySuppliers, MyPartner), user, applications; supplier registration; registration authority with private key and XML policy; provisioning process creates signatures over the attributes; DirXML ProfileLock verifies the signatures against the public key and sets the status to Enrolled or Rejected; Access Manager performs the ACL check. “This is all the Access Management system does!”
Trust = Value
• For an Internet-enabled business strategy to be successful, employees, partners, and consumers must be granted access to the right amount of information and functionality
• Therefore, being both successful and secure on the Internet requires that we understand how to make information accessible according to whom, and how much, we can measurably trust
• Trust = Value
• Strong Identity Management provides the foundation of trust that all other components of application security rely upon, including authentication and access management
• For an Internet strategy to be secure, organizations must be able to measure their knowledge of all the people and organizations that will consume their services or collaborate using their data
Novell One Net Identity and Trust Solutions Landscape
• Identity Management (eDirectory): directory services, trust services; community management, policy management, permissions, single sign-on credentials, Public Key Infrastructure
• Access Management: authentication, authorization, personalization, web single sign-on
• eBusiness Provisioning: registration, enrollment, certificate services; B2B services (delegated administration); B2C services (self-registration, host-based validation); ProfileLock (trust services)
• Workforce Provisioning (DirXML): enterprise integration, workflow; enterprise resources: HRMS, LAN (Notes, AD, etc.), ERP, RDBMS, middleware, IBM hosts
• Metrics Management and Risk Management: requirements, policy enforcement, security events, audit metrics; community services, metrics, profile validation