Managing Enterprise Identity and Access in 2013
IT Directors
May 14, 2013
Allyn McGillicuddy and Melvin Vaughan


AGENDA
• The Changing Landscape for Identity and Access Management
• Enterprise Identity – Foundational Concepts
• Enterprise Identity Operations Management
• Managing Identity in the Extended Enterprise
  – Identity Federation
  – Identity as a Service
• Identity Management Compliance and Operations Considerations

IT Directors Community of Practice

Changing Landscape for Enterprise Identity and Access Management

– In the extended enterprise, business workflow is not confined within the company’s infrastructure
  • SaaS vendors
  • Cloud-based services
– People outside the enterprise are accessing the company’s infrastructure
  • Customers
  • Business allies
  • Contractors and temporary workers
  • Service providers
– How does this affect the threat landscape?

Today’s Threat Landscape

High-profile sharing applications represent lower than expected threat volume

– Social networking, video, and file sharing applications represent
  • 25% of the applications,
  • 20% of the bandwidth, but only
  • 0.4% of the threat logs, primarily exploits
– This is not to say these applications are low risk
– The volume is low when compared to the volume and frequency of use, and to the threats found in the other applications

Source: Palo Alto Networks, Application Usage and Threat Report, 10th Edition, which summarizes network traffic assessments performed on more than 3,000 networks, encompassing 1,395 applications, 12.6 petabytes of bandwidth, 5,307 unique threats and 264 million threat logs

Exploits Target High-value Business Applications and Assets

– Crunchy on the outside:
  • Exploits are bypassing the “crunchy” perimeter security and targeting enterprises’ most valued assets – their “tender” business applications.
– Tender on the inside:
  • Out of 1,395 applications found, 10 were responsible for 97% of all exploit logs observed
  • 9 of them are business-critical applications.

Custom/unknown Applications and Malware have Low Incidence Rate, but Pose the Greatest Risk

– While small in volume, unknown/custom traffic is high in risk, exemplifying the 80%-20% rule
– The highest volume of malware logs (55%) was found in custom or unknown UDP
– Yet it represented only 2% of all bandwidth

Conclusion: high-value assets are in need of added levels of security

Access Methods are Evolving

– Separate password for each application
– Separate password for each IdP*
– ?

Shared standards are evolving for identity, authentication, and authorization.

User selection – analogy to ATM networks

*IdP = Identity Provider

Enterprise Identity

• So what is enterprise identity?
• Identity is a set of attributes that describes a profile of an individual, business organization, or software entity.
• The set of attributes for an individual, for example, could include
  – driver's license
  – social security number
  – travel preferences
  – medical history
  – financial data
  – etc.

ENTERPRISE IDENTITY – FOUNDATIONAL CONCEPTS

Identity Management Roles

– Service providers (SP)
– Identity Providers (IdP)
– Individuals* with multiple identity profiles
  • Healthcare profile
  • Employee profile
  • Investor profile
  • Social profile
  • Business profile

Equal and interoperable identity providers
Control over ownership and disclosure
Manage privacy and preferences

*A person, a business, a software entity

Evolution of Identity Networks

Organizations can maintain their own customer/employee data while sharing identity data with partners based on their business objectives and customer preferences.

IdM Nomenclature – Identification

• Identification
• Authentication
• Authorization
• Logon Process
• Accounting

Identification: comparing presented credentials to a set of attributes that describes a profile of an individual, business organization, or software entity

IdM Nomenclature – Authentication

Confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program. Authentication often involves verifying the validity of at least one form of identification.

• Authentication Attributes
  – What you have
  – What you know
  – What you are
  – Where you are
  – Combinations
    • 2-factor, 3-factor authentication
    • Hybrid
    • Mutual authentication

Cross-Domain Authentication

Two or more user directory domains within the same enterprise are implicitly connected by two-way, transitive trusts.

Authentication requests made from one domain to another are successfully routed in order to provide a seamless coexistence of resources across domains.

Users gain access to resources in other domains after first being authenticated in their “home” domain.

MS Active Directory Federation Services (ADFS): Two or more systems use tokens to exchange credentials. ADFS employs the MS claims-based access control and authorization model.

SAML: OASIS-based, browser-oriented, XML-based standard for exchanging authentication credentials over the Internet.

WS-Trust: OASIS-based standard that employs web services to exchange security tokens across domains. This can be used for security key exchange.

WS-Trust fails to address some requirements of federation (e.g. privacy).

IdM Nomenclature – Authorization

Process of managing access to resources and access rights or privileges; using access control rules to decide whether access requests from already authenticated requesters shall be approved (granted) or disapproved (rejected).

IdM Nomenclature – Logon/Login

1. Presenting the credentials required to obtain access to a computer system or other restricted area
2. The process by which individual access to a computer system or network is controlled by evaluating the presented identity and credentials

IdM Nomenclature – Accounting

Managing information about the relationship of users and the resources they are/are not permitted to access, including
• access history
• account control
• access audits

Employs mechanisms to
• synchronize users
• access rules or constraints
• manage/review/report on access to system and/or cloud-enabled resources

Assertion Query

• The “A” in SAML is Assertion
  – Security Assertion Markup Language
  – An assertion is simply 1 or more statements
  – An assertion query is a request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    AssertionConsumerServiceURL="http://www.example.com/"
    AttributeConsumingServiceIndex="0"
    ProviderName="string"
    ID="abe567de6"
    Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/"
    Consent="http://www.example.com/">
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>

In this example, a SAML assertion is being requested pertaining to the supplied subject ([email protected]).
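As an added example (not part of the slides), the following Python parses an AuthnRequest shaped like the one above and applies the checks an IdP makes before honouring it: protocol version, that Destination names this IdP, that IssueInstant is fresh, and that the request ID has not been seen before. The IdP URL, the time window and the subject address are constructed values; the slide's own subject address is elided in the source.

```python
"""Parse a SAML 2.0 AuthnRequest and apply IdP-side acceptance checks.

Added example, not from the slides. SAMPLE_REQUEST is a constructed copy of
the slide's request with a constructed subject address.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ForceAuthn="true" AssertionConsumerServiceURL="http://www.example.com/"
    AttributeConsumingServiceIndex="0" ProviderName="string" ID="abe567de6"
    Version="2.0" IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/" Consent="http://www.example.com/">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def parse_instant(text):
    """SAML dateTime in UTC ('Z' suffix) to an aware datetime."""
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=dt.timezone.utc)


def parse_authn_request(xml_text):
    """Return the fields an IdP needs from the request as a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {
        "id": root.get("ID"),
        "version": root.get("Version"),
        "issue_instant": root.get("IssueInstant"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "force_authn": root.get("ForceAuthn") == "true",
        "subject": name_id.text.strip() if name_id is not None else None,
        "subject_format": name_id.get("Format") if name_id is not None else None,
    }


def check_authn_request(req, idp_sso_url, now, seen_ids,
                        max_age=dt.timedelta(minutes=5),
                        clock_skew=dt.timedelta(minutes=1)):
    """Return the reasons to reject the request; an empty list means accept.

    seen_ids is the IdP's store of request IDs already honoured; a request
    that passes every check is recorded there so it cannot be replayed.
    """
    problems = []
    if req["version"] != "2.0":
        problems.append("unsupported SAML version")
    # A request addressed to a different endpoint must not be honoured here.
    if req["destination"] != idp_sso_url:
        problems.append("Destination does not match this IdP")
    try:
        issued = parse_instant(req["issue_instant"])
    except (TypeError, ValueError):
        problems.append("IssueInstant missing or malformed")
    else:
        if issued < now - max_age or issued > now + clock_skew:
            problems.append("IssueInstant outside the acceptance window")
    if not req["id"]:
        problems.append("missing request ID")
    elif req["id"] in seen_ids:
        problems.append("request ID already processed (replay)")
    if not problems:
        seen_ids.add(req["id"])
    return problems
```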

Attribute Definitions

• User Attributes
  – Each piece of identifying information about a user
  – Users have identity attributes, each of which may be stored on one or more target systems.
  – The individual claiming an attribute may only grant selective access to its information
• Attributing party
  – Trusts that the claim of an attribute (such as name, location, role as an employee, or age) is both
    • Correct
    • Associated with the person or thing presenting the attribute.
• Contextual identity
  – Digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.

ENTERPRISE IDENTITY MANAGEMENT – OPERATIONS MANAGEMENT

Automatic Provisioning

Process to grant users access to data repositories or grant authorization to systems, network applications and databases based on a unique user identity.

Creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes

• Examples
  – Process to monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
  – Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
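Both example processes above (create on a new HR record, deactivate once the termination date has passed) reduce to a reconciliation of the HR extract against the target system's accounts. The Python below is an added example, not from the slides; the HR rows and the account table are constructed, and it goes one step beyond the slide by also flagging enabled accounts that have no HR record at all.

```python
"""Reconcile an HR extract against a target system's account table.

Added example, not from the slides. HR_RECORDS and TARGET_ACCOUNTS are
constructed sample data.
"""
from datetime import date

HR_RECORDS = [
    {"emp_id": "E100", "name": "Ada", "kind": "employee", "status": "active", "end_date": None},
    {"emp_id": "E101", "name": "Bo", "kind": "contractor", "status": "active", "end_date": date(2013, 4, 30)},
    {"emp_id": "E102", "name": "Cy", "kind": "employee", "status": "active", "end_date": None},
    {"emp_id": "E104", "name": "Di", "kind": "employee", "status": "terminated", "end_date": date(2013, 3, 1)},
]

TARGET_ACCOUNTS = {
    "E100": {"enabled": True},
    "E101": {"enabled": True},
    "E103": {"enabled": True},   # no HR record at all: an orphan account
    "E104": {"enabled": False},  # already deactivated, nothing to do
}


def should_have_access(record, today):
    """Active in HR and not past a scheduled termination date."""
    expired = record["end_date"] is not None and record["end_date"] < today
    return record["status"] == "active" and not expired


def reconcile(hr_records, target_accounts, today):
    """Return the ordered list of (action, account id) to apply to the target."""
    actions = []
    hr_ids = set()
    for rec in hr_records:
        hr_ids.add(rec["emp_id"])
        acct = target_accounts.get(rec["emp_id"])
        wanted = should_have_access(rec, today)
        if wanted and acct is None:
            actions.append(("create", rec["emp_id"]))        # new HR record
        elif wanted and not acct["enabled"]:
            actions.append(("enable", rec["emp_id"]))        # rehire / extension
        elif not wanted and acct is not None and acct["enabled"]:
            actions.append(("deactivate", rec["emp_id"]))    # termination date passed
    # Accounts the HR system does not know about should not stay enabled.
    for acct_id, acct in target_accounts.items():
        if acct_id not in hr_ids and acct["enabled"]:
            actions.append(("deactivate-orphan", acct_id))
    return actions


def apply_actions(target_accounts, actions):
    """Apply a plan to a copy of the account table and return the copy."""
    accounts = {k: dict(v) for k, v in target_accounts.items()}
    for action, acct_id in actions:
        if action == "create":
            accounts[acct_id] = {"enabled": True}
        elif action == "enable":
            accounts[acct_id]["enabled"] = True
        else:
            accounts[acct_id]["enabled"] = False
    return accounts


def plan_for(today_iso):
    """Plan for the sample data as of an ISO date, e.g. '2013-05-14'."""
    return reconcile(HR_RECORDS, TARGET_ACCOUNTS, date.fromisoformat(today_iso))
```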

Privileged Accounts Management

• Grant administrators only the access rights required for their jobs
• Base those rights on established and controlled policy
  – Policy-based delegation of elevated access privileges
  – Secure the process of requesting, approving and issuing access to those accounts
    • critical application-to-application (A2A) access
    • application-to-database (A2D)
    • separation of duties for privileged access
  – Manage policy, rights and activities performed through privileged access

Privileged Accounts Management

48% of data breaches were caused by privileged misuse
– Verizon, Data Breach Investigations Report

“Shared superuser accounts — typically system-defined in operating systems, databases, network devices and elsewhere — present significant risks when the passwords are routinely shared by multiple users”
– Gartner, MarketScope for Shared-Account/Software-Account Password Management

75% of responding DBAs reported that “Our organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in the databases”
– Oracle DBA Survey

Synchronized Identities Model

• Multiple identity models or systems are synchronized
• An authoritative identity source is built from multiple identity sources
• The identities are stored in a reference directory, such as LDAP
• Synchronization
  – Changes to identities in the authoritative directory are propagated to the reference directory
  – Access rights are then updated

Proxied Authentication

• Uses a middle-tier server for authentication

Three types
1. An application user, or an application, authenticates itself with the middle-tier server.
   – Client identities can be maintained all the way through to the database.
2. The client's identity and database password are passed through the middle-tier server to the database server for authentication.
3. The client, that is, a global user, is authenticated by the middle-tier server, and passes either a Distinguished Name (DN)* or a Certificate through the middle tier for retrieving the client's user name.

*DN is a global name in lieu of the password of the user being proxied

-- Oracle example: a global user identified by an LDAP distinguished name rather than a password
CREATE USER jeff IDENTIFIED GLOBALLY AS 'CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us';
-- Allow the middle-tier account scott to connect on jeff's behalf, presenting jeff's DN
ALTER USER jeff GRANT CONNECT THROUGH scott AUTHENTICATED USING DISTINGUISHED NAME;

ENTERPRISE IDENTITY MANAGEMENT – THE EXTENDED ENTERPRISE

The Extended Enterprise

• In the emerging “extended enterprise”, business function workflows often extend beyond the boundaries of the enterprise
• The extended enterprise’s security practices must treat internal and external users in the same manner

Identity Federation

• The technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains
• Identity federation goal: enable users of one domain to securely and seamlessly access data or systems of another domain without the need for redundant user administration.
• Scenarios
  – User controlled – user-centric
  – Enterprise controlled – B2B

Identity Federation Goals

• Identity portability achieved in a non-proprietary, standards-based manner
• Cross-domain, web-based
  – single sign-on
  – user account provisioning
  – entitlement management
  – user attribute exchange
• Automatic use cases
  – user-to-user
  – user-to-application
  – application-to-application

Federation Types

• Identity-based Federation
  – Only the SSO functionality of SAML is required, and the identity is registered in both organizations. If Joe is registered with the IdP and wishes a resource on an SP in another organization, then that same identity will be registered at the SP. The identity of the Principal is carried in the <subject> of the <assertion> header.
• Attribute-based Federation
  – Similar to Identity-based Federation, but the type of session and the access rights the user has on the SP are based on attribute information transported in the SAML assertion. While the user name can be used for auditing purposes, it is not used for access management purposes. An example is using a Role attribute, for example "HR Member".
  – Attributes are carried in the <AttributeStatement> of a SAML assertion.

Attribute Based Access Control (ABAC) is used by Grid systems, in which the relationship between users and resources is ad hoc.
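The two federation types above differ in what the SP consults after the assertion arrives. The Python below is an added example (not from the slides) that parses a constructed SAML assertion carrying a Subject and an AttributeStatement, then makes an identity-based decision against an SP account registry and an attribute-based decision against a Role/Department policy, recording the user name for audit only. The assertion, account registry and policy are constructed; signature, audience and validity-period checks that precede this in a real SP are omitted.

```python
"""Identity-based vs attribute-based decisions from one SAML assertion.

Added example, not from the slides. SAMPLE_ASSERTION, SP_ACCOUNTS and
ABAC_POLICY are constructed.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_c0ffee" Version="2.0"
    IssueInstant="2013-05-14T12:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject><saml:NameID>joe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>HR Member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Benefits</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Identity-based federation: the same principal name is registered on both sides.
SP_ACCOUNTS = {"joe": {"local_id": 1001}}

# Attribute-based policy: resource -> attribute name -> acceptable values.
# Every listed attribute must match; resources not listed are denied.
ABAC_POLICY = {
    "/hr/payroll": {"Role": {"HR Member", "Payroll Admin"}},
    "/hr/benefits": {"Role": {"HR Member"}, "Department": {"Benefits"}},
    "/handbook": {},
}


def parse_assertion(xml_text):
    """Return (subject NameID, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return subject, attrs


def identity_based_decision(subject):
    """Identity-based federation: access follows the registered principal."""
    return subject in SP_ACCOUNTS


def attribute_based_decision(attrs, resource):
    """Attribute-based federation: access follows the asserted attributes."""
    required = ABAC_POLICY.get(resource)
    if required is None:
        return False
    return all(set(attrs.get(name, ())) & allowed
               for name, allowed in required.items())


def authorize(xml_text, resource, audit_log):
    """ABAC decision for one request; the user name is kept for audit only."""
    subject, attrs = parse_assertion(xml_text)
    granted = attribute_based_decision(attrs, resource)
    audit_log.append((subject, resource, "GRANT" if granted else "DENY"))
    return granted
```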

SSO in a Federation

• A process that is used across multiple IT systems and organizations to authenticate access to a resource for an individual or system
• A user's single authentication ticket, or token, is trusted across multiple IT systems and/or even organizations.
• SSO relates to authentication only and does not include authorization.

Federation Termination

Defederation is the process of terminating the validity of a federated identity with either an IdP or an SP.

Both the IdP and the SP should notify each other of defederation. However, it appears there is not a structured or standardized method for defederation.

The distinction must also be made between terminating a federated session versus terminating a federation relationship altogether.

Identity Federation Solution Providers

Radiant Logic: RadiantOne Federated Identity Platform

Virtual Directory Server (VDS)
VDS extracts identity and context information out of various application and data silos. It re-maps the underlying sources and presents the identity data in customized views.

Identity Correlation and Synchronization Server (ICS)
Identifies relationships between identities represented in heterogeneous data sources. ICS builds a common identity out of multiple systems to create a unified view of identity data, eliminating user overlaps.

Cloud Federation Service (CFS)
Provides the RadiantOne suite with a complete identity provider (IdP), an authentication module which verifies a security token once and then uses it for each system it needs to access for on-premise and cloud-based applications, enabling single sign-on for users.

Identity Federation Solution Providers

Ping Identity: PingFederate
Outbound and inbound solutions for single sign-on, federated identity management, and mobile identity security. Tier 1 SSO extends employee, customer and partner identities across domains without passwords, using standard identity protocols (SAML, WS-Fed, OpenID). PingFederate translates customer and partner standard tokens into local tokens. For outbound use cases, PingFederate authenticates user credentials, regardless of how they authenticate, and translates them into standard tokens.

PingOne Identity as a Service
PingFederate can be deployed in conjunction with PingOne Cloud Access Services for faster and more flexible employee access to SaaS applications.

Identity Federation Solution Providers

OneLogin
OneLogin focuses primarily on companies that operate in the cloud and integrates with cloud apps using SAML, WS-Federation, OpenID and web services integration.

The company's cloud-based IAM market now includes 700 enterprise customers in 35 countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.

OneLogin has continued on a path of innovation and growth, including:
• First iPad app for identity management
• First Federated Cloud Search IAM product that enables secure, real-time search across public cloud applications such as Box, Google Apps, Salesforce, Yammer and Zendesk
• Pre-integration with 2,800 cloud apps, more than any other IAM vendor
• Open Source SAML Toolkits, now used by over 70 SaaS vendors and over 30 app vendors to make their apps more secure

Identity Federation Solution Providers

PasswordBank Technologies Inc.: PasswordBank Federation
• Federated Single Sign-On allows a user to log in once and then access all authorized cloud and on-premise services across Mac, Linux and Windows, without the need for a password at each service.
• Enables the Enterprise to maintain full and centralized control over access to all applications of the organization.
  – Two-factor strong authentication
  – Account provisioning and deprovisioning
  – Centralized audit repository
• PasswordBank IdentityBroker allows identity-related information to be shared securely between the Enterprise, Service Providers and Identity Providers (cloud and on-premise applications).

Identity as a Service

• Authentication infrastructure hosted by a third party
• SSO in the cloud
• IDaaS for enterprises’ SaaS applications
• A cloud IDaaS service provider may
  – Securely manage cloud identities for SaaS applications
  – Maintain federated trusts
  – Manage account provisioning/deprovisioning
  – Host applications
  – Provide subscribers with role-based access to specific applications
  – Provide entire virtualized desktops through a secure portal
  – Provide identity auditing

Stateless Identity

• Just-in-time identity data and services received from authoritative domains
• Similar to Windows Azure Access Control Services and carried outside the enterprise
• Once authorizations are configured, a user coming to an application via ACS arrives at the application “entrance” with not only an authentication token, but also a set of authorization claims attached to the token

Authentication Service

• Open API – Not limited to LDAP and AD
• Called by both internal and external apps
• Performs identification, authentication, and attribute delivery of all users under enterprise control

Provisioning Service

• Open API for account synchronization among internal, SaaS, and partner apps
  – Called by both internal and external apps
  – Supports deprovisioning
  – Enables provisioning workflows loosely coupled with internal directory and database infrastructure
  – Available connectors for many enterprise systems and apps

SAML to Token Service

A client obtains a SAML 2.0 bearer assertion and makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns an access token. The client uses the token in an API call to the Resource Server to obtain data.

1. Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task) requests access to Software as a Service (SaaS) protected resources from an OAuth client application.
2. The client application obtains a SAML 2.0 bearer assertion from a local Identity Provider (IdP), for example PingFederate.
3. The client makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns the access token.
4. The client application adds the access token to its API call to the Resource Server. The Resource Server returns the requested data to the client.
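The four steps above, modelled end to end as an added example (not PingFederate's code and not from the slides): the IdP, the OAuth authorization server (AS) and the resource server are in-process objects, the bearer assertion is a signed JSON stand-in for a SAML 2.0 assertion (HMAC in place of XML-DSig), and the grant type is the one RFC 7522 defines for this exchange. The AS enforces what the slide calls "validates the assertion": signature, audience, validity window and one-time use. Endpoint names and the key are constructed.

```python
"""Model of the SAML-bearer-assertion-to-access-token flow.

Added example, not from the slides. Names, key and data are constructed;
the HMAC tag stands in for the IdP's XML signature over the assertion.
"""
import base64
import hashlib
import hmac
import json
import secrets

SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
IDP_ISSUER = "https://idp.example.org/"              # assumed IdP name
AS_TOKEN_ENDPOINT = "https://as.example.com/as/token"  # assumed AS audience
IDP_SIGNING_KEY = b"constructed-idp-key"              # shared with the AS in this model


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_bearer_assertion(subject, audience, now, lifetime=300):
    """Step 2: the local IdP issues a short-lived assertion addressed to the AS."""
    body = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
            "nbf": now, "exp": now + lifetime, "id": secrets.token_hex(8)}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(IDP_SIGNING_KEY, raw, hashlib.sha256).digest()
    return b64url_encode(raw) + "." + b64url_encode(tag)


class AuthorizationServer:
    def __init__(self, audience, idp_key):
        self.audience = audience
        self.idp_key = idp_key
        self.used_assertion_ids = set()   # a bearer assertion is good once
        self.tokens = {}                  # access token -> {"sub", "exp"}

    def token_endpoint(self, form, now):
        """Step 3: validate the assertion and mint an access token."""
        if form.get("grant_type") != SAML_BEARER_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        try:
            raw_b64, tag_b64 = form["assertion"].split(".")
            raw, tag = b64url_decode(raw_b64), b64url_decode(tag_b64)
        except (KeyError, ValueError):
            return 400, {"error": "invalid_request"}
        expected = hmac.new(self.idp_key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return 400, {"error": "invalid_grant", "detail": "bad signature"}
        body = json.loads(raw)
        if body.get("aud") != self.audience:
            return 400, {"error": "invalid_grant", "detail": "wrong audience"}
        if not body["nbf"] <= now < body["exp"]:
            return 400, {"error": "invalid_grant", "detail": "not within validity"}
        if body["id"] in self.used_assertion_ids:
            return 400, {"error": "invalid_grant", "detail": "assertion replayed"}
        self.used_assertion_ids.add(body["id"])
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"sub": body["sub"], "exp": now + 3600}
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

    def subject_for(self, token, now):
        entry = self.tokens.get(token)
        return entry["sub"] if entry and now < entry["exp"] else None


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_data(self, headers, now):
        """Step 4: serve the API call only for a live bearer token."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, None
        sub = self.auth_server.subject_for(auth[len("Bearer "):], now)
        if sub is None:
            return 401, None
        return 200, {"owner": sub, "records": ["constructed record"]}


def run_flow(subject, now):
    """Steps 1-4 end to end; returns (token status, API status, API body)."""
    auth_server = AuthorizationServer(AS_TOKEN_ENDPOINT, IDP_SIGNING_KEY)
    resource_server = ResourceServer(auth_server)
    assertion = idp_issue_bearer_assertion(subject, AS_TOKEN_ENDPOINT, now)
    status, resp = auth_server.token_endpoint(
        {"grant_type": SAML_BEARER_GRANT, "assertion": assertion}, now)
    if status != 200:
        return status, None, resp
    api_status, data = resource_server.get_data(
        {"Authorization": "Bearer " + resp["access_token"]}, now)
    return status, api_status, data
```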

Identity Discovery Problem

A user interacting with a service provider wants to access restricted content on a site within a federation:

1. The user, via web browser, connects to the target service provider and requests to view restricted content.
2. The service provider receives this request, and needs to know information about the person.
3. In the federated world, this means that the user needs to be sent to their home organization's identity provider, which will "vouch" for that person and pass across information about them to the resource provider.
4. The service provider "discovers" which is the user's home institution.
5. The service provider redirects the user to their home institution's identity provider.
6. The user authenticates at their identity provider (IdP), which responds to the service provider (SP), letting them know that this user authenticated successfully, and often providing some information about that user.
7. The service provider receives this information, and then either grants or denies access based upon the information it received.

Q: How does the SP figure out which is the user’s “home” IdP?

Identity Discovery Solutions

A user interacting with a SP wants to access restricted content on a site within a federation.

Solution Options

1. Avoid Discovery (IdP-initiated SSO)
Each institution can configure a page (usually their existing library portal page) to list all resources available to their users along with links to these resources. These links are constructed such that they send the user
   1. to that institution's identity provider*. After the user has successfully authenticated,
   2. directly onto that resource. Thus, the service provider never has to "discover" which institution the user is from, since the first time they see the user the user has already authenticated.

*But suppose the user starts on the site where the target content is located?

Identity Discovery Solutions

A user interacting with a SP wants to access restricted content on a site within a federation.

Solution Options

2. Client-less Discovery (SP-Initiated SSO)
The SP asks the user to manually tell them which is their home organization. This method of discovery comes in two forms:
   1. The user tells the service provider directly; or
   2. The SP sends the user to a centrally provided service; the user tells this service.*

*OMG the user has to do this manually every time? Really?

Identity Discovery Solutions

A user interacting with a SP wants to access restricted content on a site within a federation:

Solution Options

3. Client-mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
   1. The user's client tells the service provider where the person is from; or
   2. The user's client is the identity provider; or
   3. The user's client proxies the identity provider.

Enterprise Cloud Identity & Access Management Providers

• Security and risk professionals see IAM as a cost center and prefer not to build out or expand IAM capabilities
• Cost-effective, SaaS-based IAM solutions that complement on-premises ones are available

Client-Mediated Discovery

The client is configured to tell the SP what the user’s home organization is.

1. The user's client tells the service provider where the person is from
   – Enhanced client or proxy (user’s browser plugin)*
   – Plugin “listens” for WAYF requests from SP
   – Automatically answers
2. The user’s client is the Identity provider (self-issued identity);
3. The client sends this request on to the user's identity provider (it proxies it), receives the response, and in turn sends this response back to the service provider.**

*SAML 2 Specification for ECP
**The SP never needs to know who the IdP is

WAYF

• Where Are You From
  – You must answer that question when you log into a web-based service using WAYF login.
  – WAYF login is a Single Sign-On system* which permits using one single login to access several web-based services.
    • Creates connections between the login systems at the connected institutions and external web-based services.
    • Ensures that users consent to have information about them passed on to the web-based services.
  – WAYF login does not store any personally identifiable data.

*Provided by the Danish government in collaboration with many identity and service providers and institutions

Authorization Service

Central authorization repository
– Authorization model information used to provide complex access controls based on data or information or policies including user attributes, user roles/groups, actions taken, access channels, time, resources requested, external data and business rules
– Policies that are stored in an IAM policy store

Frameworks
– Spring Security
  • Access control framework; released under an Apache 2.0 license
  • Used to secure numerous demanding environments including government agencies, military applications and central banks.
– Seam Framework
  • Programming model with a Security API (an optional Seam feature) that provides authentication and authorization features for securing access to domain and web page resources, components, and component methods
  • Can be used to display/hide web page content based on user privileges
  • Includes a comprehensive authorization framework, supporting user roles, persistent and rule-based permissions, and a pluggable permission resolver for easily implementing customized security logic.

Enterprise Cloud Identity & Access Management Providers

Intel Cloud SSO
• Standards-based identity as a service (IDaaS) solution
• Context-aware Strong Authentication
  – invokes mobile or hardware-assisted 2-factor authentication based on the target app, network, time of day, mobile browser and other parameters.
• Connects Identity Stores
  – Authenticates, provisions/de-provisions user access to cloud systems from inside or outside the corporate firewall, leveraging directory services including Active Directory, LDAP, Salesforce.com, or Intel Cloud SSO identity stores.

Enterprise Cloud Identity & Access Management Providers

Okta Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support

• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.

*May limit usefulness for large clients

Enterprise Cloud Identity & Access Management Providers

Symplified Cloud Identity and Access Management
• One of the longest-standing in the cloud IAM market
• Architecturally stable via its Identity Router customer-premises equipment infrastructure
• Can be deployed as a software or hardware appliance, or as a cloud connector
• Broad protocol and endpoint support
• Partners with Symantec’s VIP service for strong authentication

• CSC is reseller and provides system integration
• Does not support implicit or just-in-time provisioning
• Dashboards and reporting are fairly immature
• No workflow designer — only an implicit workflow for access request management and approvals
• By design, no support for hierarchies of multi-tenancy, which may limit its usefulness at large clients

Enterprise Cloud Identity & Access Management Providers

Covisint Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support

• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.

*May limit usefulness for large clients

ENTERPRISE IDENTITY – COMPLIANCE and OPERATIONAL CONSIDERATIONS

Identity Compliance and Privacy

• A user signs in and out of Identity Provider (IdP) systems or security token services (STS) via explicit messages or implicitly via a request
• The issued tokens may either represent the principal's primary identity or some pseudonym appropriate for the scope
• The IdP or STS issues messages to interested and authorized recipients.
• Principals are registered with the attribute/pseudonym services, and attributes and pseudonyms are added and used.
• Authorized services can query attribute/pseudonym services using the provided identities to obtain authorized information about the identity.
• Such queries can potentially be anonymous, which means that the party requesting the information has an opaque token and is not aware of the real identity of the object of the query

Name Mapping and Linking

• In a federated environment, with identity information and other assertions passing through a network between systems, protecting the user’s privacy becomes paramount.
• With SSO, it is possible to track the user across several SPs.
• Pseudonyms provide a way to obfuscate the identity of the user across SPs.
• When the IdP delivers the assertions to the SP, the use of pseudonyms makes it possible to have a different user ID for the same user at each SP
• Persistent Pseudonym – the SP will see the same pseudonym each time the user accesses the SP.
• Transient Pseudonym – the SP is presented with a different pseudonym each time a user gains access to the SP.
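The persistent and transient pseudonyms described above, as an added example (not from the slides) of how an IdP can issue them: the persistent value is an HMAC over the SP entity ID and the local user ID under an IdP-held key, so the same user gets a stable identifier at each SP but a different one at every SP, and only the IdP can map either kind back to the account. The key, user and SP names are constructed.

```python
"""Persistent and transient pseudonyms as an IdP would issue and resolve them.

Added example, not from the slides. The key and the names in the tests are
constructed.
"""
import base64
import hashlib
import hmac
import secrets


class PseudonymService:
    def __init__(self, key):
        self.key = key                 # IdP-held secret; never shared with SPs
        self.persistent_map = {}       # (sp entity id, pseudonym) -> local user id
        self.transient_map = {}        # transient pseudonym -> (sp entity id, user id)

    def persistent(self, user_id, sp_entity_id):
        """Same value on every visit of this user to this SP, different per SP."""
        msg = f"{sp_entity_id}\x00{user_id}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()[:16]
        pseudonym = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        self.persistent_map[(sp_entity_id, pseudonym)] = user_id
        return pseudonym

    def transient(self, user_id, sp_entity_id):
        """Fresh random value on every visit; the IdP remembers it for the session."""
        pseudonym = "_" + secrets.token_hex(16)
        self.transient_map[pseudonym] = (sp_entity_id, user_id)
        return pseudonym

    def resolve(self, pseudonym, sp_entity_id):
        """Map a pseudonym presented by an SP back to the local account, or None."""
        if pseudonym in self.transient_map:
            sp, user_id = self.transient_map[pseudonym]
            return user_id if sp == sp_entity_id else None
        return self.persistent_map.get((sp_entity_id, pseudonym))


def linkable_across_sps(service, user_id, sp_a, sp_b):
    """True if two SPs would see the same identifier for the user (they should not)."""
    return service.persistent(user_id, sp_a) == service.persistent(user_id, sp_b)
```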

Single Logoff Operations

• When the user selects logoff in an application, two potential options must be offered.
  1. Does the user want to log off from this specific application, maintaining the current SSO session, or
  2. Does the user want to end their SSO session, closing all individual application sessions?
• Solution for #2
  – SP communicates the logoff request to the IdP. The IdP, based on its session store and information from the metadata, issues a logoff request to all SPs for which an active session is present.
  – When the SP receives a logout request, it will close the current session and notify the application, allowing the application to perform required cleanup.

Session Timeout Operations

• With SSO, the user is using the same login for several applications, potentially across several systems
• Managing SSO session timeouts by each application is inefficient
• With Single Log Off, applications can, through the IdP, centrally manage a user’s idle time
• Consolidating session timeouts and establishing a consistent session timeout period is another policy that must be considered when a federation forms.
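The single logoff options on the previous slide and the centrally managed idle timeout above share one piece of state, the IdP's session store. The Python below is an added example (not from the slides) of that store: application-only logoff keeps the SSO session, single logoff ends it and yields the logout requests the IdP would send to every other SP with an active session (looked up from SP metadata), and the idle-timeout sweep reuses the same path. The SP metadata, names and timeout value are constructed.

```python
"""IdP session store with single logoff and a federation-wide idle timeout.

Added example, not from the slides. LogoutRequest delivery is modelled as
(SP entity ID, SP logout endpoint, SP session index) tuples the IdP would
send; SP_METADATA and IDLE_TIMEOUT_SECONDS are constructed.
"""
import secrets

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed federation-wide policy


class IdentityProvider:
    def __init__(self, sp_metadata):
        self.sp_metadata = sp_metadata   # SP entity ID -> single logout endpoint
        self.sessions = {}               # SSO session ID -> session record

    def login(self, user, now):
        """Start an SSO session after the user authenticates at the IdP."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "last_activity": now, "sps": {}}
        return sid

    def sp_login(self, sid, sp_entity_id, now):
        """Record that the SSO session was used to sign in at an SP."""
        if sp_entity_id not in self.sp_metadata:
            raise KeyError(f"unknown SP {sp_entity_id}")
        session = self.sessions[sid]
        session["last_activity"] = now
        index = secrets.token_hex(8)          # SP session index for later logout
        session["sps"][sp_entity_id] = index
        return index

    def touch(self, sid, now):
        """Any SP-reported activity refreshes the central idle timer."""
        self.sessions[sid]["last_activity"] = now

    def application_logoff(self, sid, sp_entity_id):
        """Option 1: leave that application only; the SSO session survives."""
        self.sessions[sid]["sps"].pop(sp_entity_id, None)
        return sid in self.sessions

    def single_logoff(self, sid, initiated_by):
        """Option 2: end the SSO session; return the LogoutRequests for other SPs."""
        session = self.sessions.pop(sid)
        return [(sp, self.sp_metadata[sp], index)
                for sp, index in session["sps"].items() if sp != initiated_by]

    def expire_idle(self, now, timeout=IDLE_TIMEOUT_SECONDS):
        """Central idle timeout: sessions idle too long are logged off everywhere."""
        expired = [sid for sid, s in self.sessions.items()
                   if now - s["last_activity"] > timeout]
        return {sid: self.single_logoff(sid, initiated_by=None) for sid in expired}


SP_METADATA = {
    "https://hr.example.com/": "https://hr.example.com/saml/slo",
    "https://crm.example.com/": "https://crm.example.com/saml/slo",
}
```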

Conclusion

Enterprise Identity Management has matured with the expansion of established standards and interoperability approaches. The growing number of enterprise applications accessed by internal employees in collaboration with sales partners, distribution partners, customers, and other business channels.

Enterprise IT executives with limited development, deployment, and infrastructure budgets are differentiating strategic, proprietary systems from utilities that are now widely available outside the enterprise firewalls. Many enterprise strategies include integrating identity federation into their IT vision, strategy, infrastructure, and application support models.

CIOs also recognize the growing importance of understanding the whole spectrum of identity management capabilities, including how to handle identity-based Web services. Implementing identity federations is now feasible and increasingly mandated by business partners, affiliates, and customers. With the growing number of cloud and access management solutions, strategic partnerships with solution providers and consultants will be central to a successful outcome.