March 2004 © 2004 IBM Corporation
Integrated Identity Management
Jeff Curie, Chief Strategist, Identity Management
Leveraging knowledge of people to create business value
Identity Management in the Security Model
Resource Protection: Protect computers and network
• Know the connected devices
• Prevent malicious network access
• Defend against viruses
• Respond to attacks
Control: Protect applications and data
• Know the authorized users
• Control what users can see and do
• Secure transactions and data
• Make security transparent to users
Policy Assurance: Protect privacy and reputation
• Support regulatory compliance
• Enforce consistent policies
• Provide integrated audit trail
• Manage security risks
Security Control Layer Industry Statistics
“It costs $400 per year to manually manage a single user in a large financial corporation.”
“Insider security lapses are costing organizations an average of about $250,000 per incident.”
“81% of the likely source of attack is from disgruntled employees.”
“Up to 60% of the access profiles in companies are no longer valid and, in high turnover industries, the percentage can go up to 80-90%.”
“Automated management of B2B processes and increased collaborative capabilities will soon become necessities in most organizations. Simple data exchange with partners and customers is not enough.”
Sources:
- Chris Christiansen
- David Yokelson
- International Security Forum Report
- FBI/CSI Survey July 2001
- Computer Security Issues
There are Teeth in the New Regulations
Eli Lilly Settles FTC Charges Concerning Security Breach
Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service
Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy. (FTC Press Release)
Allstate agrees to $1M settlement for privacy violations in California
By Associated Press, March 19, 2003
Allstate Insurance Co. agreed to pay a $1 million fine as part of a settlement with the California Department of Motor Vehicles, officials said yesterday.
Softbank Offers Compensation Over Leak of Personal Data
Executives to Forgo Part of Pay
2004, Associated Press
Victoria’s Secret Settles Privacy Case
Company to Provide Restitution to Consumers for Web Site Breach
IDC 2003 “Black Book”: “Regulatory compliance #1 driver for increased security spend in 2004”
Security Management Process Complexity
[Diagram] User Change → Request for Access Generated → Policy & Role Examined → Approval Routing → IT InBox → Administrators Create Accounts → Users with Accounts
Elapsed turn-on time: up to 7 days per user
Account turn-off performance: 30-60% of accounts are invalid
FTE User Admin only handles 300-500 users
40% of Helpdesk spent on Password Resets
Why Clients Chose Identity Management
Common Pains Addressed by Integrated Identity Management
Our security administration and support costs are too high
Single sign-on and unified user experience is a priority for our executives
Security for in-house built applications is inadequate and expensive
We need to limit access to sensitive or private information in our systems
Compliance with regulations and audit requirements drive us to make changes
We can't keep track of all the users that can access our systems
Identity information is spread across multiple stores
We want to get our house in order to prepare to participate in Web Services
Integrated Identity Management Building Blocks
Leveraging Knowledge of People and Processes to Create Business Value
[Diagram] Identity Data Infrastructure (User & Resource Information): Identity Integration, Directory Server. Identity Applications (Users & Applications): User Provisioning, Access Control, Privacy Control. Federated Identity Management spans both layers.
Start Where You Must, Expand Over Time
[Diagram: Identity Ecosystem] Establish Authoritative Identity Information → Control User and Privilege Information → Enforce Access Controls and Data Disclosure
Identity Is the Basis of the Control Layer
Information about People: Employees, Contractors, Partners, Customers
Information about Access: User Account, Privileges, Credentials
Today, identity data is fragmented and incomplete. But identity data is the basis for:
• Access decisions
• Self-service
• Authorization assignment
• Personalization
[Diagram] Users and their identity data spread across Web Apps, In-house Apps, Operating Systems, Legacy Apps, Transaction Processing, Data Stores, Security Systems and Directories
Common Pains Addressed by Identity Integration
We need to improve the quality of our organization-wide identity data
We need to synchronize data between stores like databases, Peoplesoft, SAP, Microsoft AD and Lotus Notes
We need to reduce the number of people trying to maintain the same data
We need a common store of identity data
We need more feeds into our LDAP directories
We need to aggregate data from multiple sources into one
We need to migrate data to new applications
[Roadmap] Integration, Directory, Provision, Access, Privacy
Establishing Authoritative Identity
Customer Challenge: Out-of-sync data elements require synchronization
Customer Challenge: Accurately retain multiple corporate identity sources at minimum cost
Customer Challenge: Accelerate deployment of high-ROI Identity Management solutions
[Diagram] Authoritative Identity Sources for Division A, Division B and Division C, plus User Mobile Phone Numbers and User Cost Center, integrated into a single Authoritative Identity Source spanning Users, Data and Systems
Common Pains Addressed by User Provisioning
We need self-service to reduce/avoid costs in the help desk
We need to see exactly who has what rights
We need a console that can turn off departing users immediately
We need to automate the process of turning people on and off to systems
We need a central system to keep accurate records of all changes to access rights
User Provisioning Business Purpose
Access Control Challenges
– Security: Accurate and timely privilege assignment based on “Need to Know”
– Security: Accurate and timely off boarding
– Cost: Scaling administrative staff to match provisioning activity
– Cost: Scaling help desk staff to match password reset request load
– Regulatory/Controls: Proving you did it right
[Diagram] User accesses Resource (Data, Action); Security Administrator assigns User Privileges
Tivoli Identity Manager
[Diagram] Identity change requested (from HR Systems and Identity Stores) → Approvals gathered → Access policy evaluated → Accounts updated on Applications, Operating Systems and Databases; Detect and correct local privilege settings
Industry’s most comprehensive list of supported agents, and toolkit to create more
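The provisioning flow on this slide (identity change requested, approvals gathered, access policy evaluated, accounts updated) together with the step that detects and corrects local privilege settings, as an added Python example. This is not IBM's or Tivoli Identity Manager's code: the role policy, the `APPROVAL_REQUIRED` set, the `approver` callback, and the users and target systems are all constructed assumptions. It also exercises the off-boarding and "who has what rights" points from the earlier provisioning slides, since a terminated user's lingering accounts and a locally granted privilege both show up as revocations in the same reconciliation pass.

```python
"""Added example (not IBM's or Tivoli Identity Manager's code): a minimal
provisioning engine that follows the slide's flow and reconciles local
privilege settings. Policy, roles, systems and users are constructed."""
from dataclasses import dataclass, field

# Constructed access policy: authoritative role -> {target system: entitlements}
POLICY = {
    "engineer": {"ldap": {"user"}, "git": {"developer"}},
    "finance": {"ldap": {"user"}, "erp": {"ap_clerk"}},
    "terminated": {},            # off-boarding: nothing is desired anywhere
}
# Constructed assumption: systems whose entitlements need an approval first
APPROVAL_REQUIRED = {"erp"}


@dataclass
class Identity:
    uid: str
    role: str                    # comes from the authoritative (HR) source


@dataclass
class Outcome:
    desired: dict                # approved entitlements per system
    actions: list = field(default_factory=list)   # (verb, system, entitlement)
    audit: list = field(default_factory=list)     # central record of each change


def evaluate_policy(identity):
    """Access policy evaluated: derive the desired entitlements from the role."""
    return {system: set(ents) for system, ents in POLICY.get(identity.role, {}).items()}


def gather_approvals(identity, desired, approver):
    """Approvals gathered: drop systems for which approver(uid, system) returns False."""
    return {system: ents for system, ents in desired.items()
            if system not in APPROVAL_REQUIRED or approver(identity.uid, system)}


def reconcile(identity, actual, approver):
    """Accounts updated: diff approved entitlements against what each system holds.

    `actual` is {system: entitlements} as read back by that system's agent.
    Anything held but not desired is revoked, which catches privileges granted
    locally and accounts that outlived the user; an account with nothing
    desired is disabled. Every action is written to the audit list."""
    desired = gather_approvals(identity, evaluate_policy(identity), approver)
    out = Outcome(desired=desired)
    for system in sorted(set(desired) | set(actual)):
        want, have = desired.get(system, set()), actual.get(system, set())
        out.actions += [("grant", system, e) for e in sorted(want - have)]
        out.actions += [("revoke", system, e) for e in sorted(have - want)]
        if have and not want:
            out.actions.append(("disable_account", system, None))
    out.audit = [{"uid": identity.uid, "role": identity.role, "action": a}
                 for a in out.actions]
    return out


if __name__ == "__main__":
    always_approve = lambda uid, system: True
    # Constructed agent read-back: a git admin right granted outside the policy
    alice = reconcile(Identity("alice", "engineer"),
                      {"ldap": {"user"}, "git": {"developer", "admin"}}, always_approve)
    print(alice.actions)         # [('revoke', 'git', 'admin')]
    bob = reconcile(Identity("bob", "terminated"),
                    {"ldap": {"user"}, "erp": {"ap_clerk"}}, always_approve)
    print(bob.actions)
```

Running `reconcile` periodically against agent read-backs is what turns the slide's "30-60% of accounts are invalid" figure into a measurable backlog: every `revoke` or `disable_account` action that appears without a matching identity change is an account or privilege that drifted from policy.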
IBM and Cisco: Teamed to Reduce Operating Costs
[Diagram] Tivoli Identity Manager, fed by Identity Stores and HR Systems, provisions Applications, Operating Systems and Databases as well as CiscoSecure ACS for the Corporate Network (Cisco 7500 Router)
Comprehensive security spanning network, systems and application infrastructure
From your most trusted partners
Common Pains Addressed by Access Control
We need to reduce help desk costs for our web sites
We need Single Sign On for employees, partners, and suppliers
We need better and cheaper security for in-house applications
We need security for our cross-business unit portal
We need to consolidate multiple access control and authorization solutions
We want a standard module for all our developers to leverage for new and updated applications including web services
We are failing security audits
We need to close security back doors into our operating systems
Tivoli Access Manager
Reusable security component for new systems
Session-level access decisions across multiple system types
Unified access policies across systems
Single sign-on experience in web space
[Diagram] Access Manager in front of MQ, Web App, App Server and Unix System
Enforce – who can come in and what they can do
WebSphere Portal Ecosystem: Controlling privileges in dependent systems
• Provisioning Policies
• Workflow
• Audit trails
[Diagram] Identity Manager (fed by Corporate HR Systems and Business Partner/Employee Directories; Agents; Account Control) and Access Manager (Authorization Store) in front of the Portal Server's Content and Administration, Enterprise Resources and Home Grown applications
Pain Points Addressed by Privacy Management
We need to demonstrate compliance to industry (HIPAA, GLBA, Calif. SB 1386) or country (Safe Harbor, EU Data Protection Directive, Australian Privacy Act, Japan Privacy Act) privacy regulations without costly audits and manual procedures
We need to control disclosure of sensitive data (such as social security numbers, health records, or credit card information) without having to re-write our applications
We need to build and manage privacy rules across our enterprise applications
Controls based on groups or roles are sometimes not enough to determine appropriate access; we need to determine access based on business purpose or by “minimum need to know”
Privacy Business Purpose
Privacy Management considers data owner:
– Choices (e.g. opt in to marketing email)
– Attributes (age > 13, country of residence)
– Other factors (time of day, etc.)
Privacy Management authorizes “release of data for a business purpose”:
– “read for the purpose of fulfilling an order”
– “write for purpose of registering political party affiliation”
– “delete for purpose of removing from preferred physician list”
[Diagram] Data Requester → Disclosure of Resource for a Business Purpose → Data Owner
How Is Privacy Management Different?
Disclosure Control
– While a user may be authorized to log in to an application, they may not be able to see certain data.
– You can apply policy to a data set BEFORE it is returned to the application (and the user).
– Audit the “return path for data”
Access Controls: Who are you? What groups do you belong to? Are you allowed to access this resource? Audit: who logged in when.
Disclosure Controls: What data did you see/use? For what business purpose? Did the data subject agree? Audit: what data was disclosed, to whom, why, and was it compliant to policy.
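Purpose-based disclosure control as described on this slide and the previous one (data owner choices, attributes such as age and country of residence, time of day, and business purposes such as "read for the purpose of fulfilling an order"), as an added Python example. It is not IBM's or Tivoli Privacy Manager's code; the `RULES` table, the `DataOwner` and `Request` records, the hour-of-day check and the sample record are constructed assumptions. The policy is applied before the record reaches the application, fields outside the stated purpose are withheld (minimum need to know), and each decision is appended to an audit log recording what was disclosed, to whom, why, and whether it was compliant.

```python
"""Added example (not IBM's or Tivoli Privacy Manager's code): purpose-based
disclosure control that checks the data owner's choices, attributes and the
time of day before data is returned, then audits the return path.
Rules, owners, requests and records are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class DataOwner:
    owner_id: str
    age: int
    country: str
    choices: frozenset           # purposes the owner opted in to, e.g. "marketing email"


@dataclass
class Request:
    requester: str               # the application or user asking for data
    owner_id: str
    operation: str               # read / write / delete
    purpose: str                 # business purpose stated by the requester
    fields: tuple                # data elements the application asked for


# Constructed disclosure rules keyed by (operation, business purpose). Each rule
# names the fields the purpose covers and any data-owner conditions attached.
RULES = {
    ("read", "fulfilling an order"):
        {"fields": {"name", "address", "order_history"}},
    ("read", "marketing email"):
        {"fields": {"email"}, "opt_in": "marketing email", "min_age": 13},
    ("write", "registering political party affiliation"):
        {"fields": {"party"}, "opt_in": "political affiliation", "countries": {"US"}},
    ("delete", "removing from preferred physician list"):
        {"fields": {"preferred_physician"}, "hours": (8, 18)},   # hour of day, 24h
}

AUDIT_LOG = []                   # the "return path for data" audit trail


def owner_checks(rule, owner, hour):
    """Reasons the owner's choices, attributes or the time of day block the purpose."""
    reasons = []
    if "opt_in" in rule and rule["opt_in"] not in owner.choices:
        reasons.append("data owner has not opted in")
    if "min_age" in rule and owner.age < rule["min_age"]:
        reasons.append("data owner below minimum age")
    if "countries" in rule and owner.country not in rule["countries"]:
        reasons.append("country of residence not permitted")
    if "hours" in rule and not rule["hours"][0] <= hour <= rule["hours"][1]:
        reasons.append("outside permitted hours")
    return reasons


def disclose(req, owner, record, hour):
    """Apply the policy to the data set BEFORE it is returned to the application.

    Returns only the fields the stated purpose covers; fields outside the purpose
    are withheld and recorded, and the decision is audited with what was
    disclosed, to whom, for which purpose, and whether it was compliant."""
    rule = RULES.get((req.operation, req.purpose))
    reasons = (["no rule for this operation and purpose"] if rule is None
               else owner_checks(rule, owner, hour))
    covered = set() if rule is None else rule["fields"]
    released = ({} if reasons
                else {f: record[f] for f in req.fields if f in covered and f in record})
    AUDIT_LOG.append({
        "requester": req.requester, "owner": owner.owner_id,
        "operation": req.operation, "purpose": req.purpose,
        "disclosed": sorted(released),
        "withheld": sorted(set(req.fields) - set(released)),
        "compliant": not reasons, "reasons": reasons,
    })
    return released


if __name__ == "__main__":
    # Constructed data owner and record
    alice = DataOwner("alice", 34, "US", frozenset({"marketing email"}))
    record = {"name": "Alice", "address": "1 Main St", "email": "alice@example.com"}
    req = Request("orders-app", "alice", "read", "fulfilling an order",
                  ("name", "address", "email"))
    print(disclose(req, alice, record, hour=10))   # email is withheld
    print(AUDIT_LOG[-1])
```

The point of the split between `owner_checks` and the field filter is the one the slide makes: the order application is a legitimate, authenticated requester and still does not get the e-mail address, because that field is not covered by the purpose it stated, and the audit entry shows exactly which fields were released and which were withheld.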
Combining the Identity Ecosystem
[Diagram] Identity Integration synchronizes the identity stores (NOS, White Pages, Charge Centers, Telephony, HR, LOB, Partner, Directory, eMail Directory); User Provisioning delivers Identity-Driven User Accounts; Access Control delivers Identity-Driven Access and Disclosure Control (Users, Accounts, Controls)
Integrate – Information about users
Administer – Changes in users and authorities
Enforce – who can come in and what they can do
IBM’s Integrated Identity Management Solution
Leveraging Knowledge of People and Processes to Create Business Value
[Diagram] Identity Data Infrastructure (User & Resource Information): IBM Directory Integrator, IBM Directory Server. Identity Applications (Users & Applications): Tivoli Identity Manager, Tivoli Access Manager, Tivoli Privacy Manager. Federated Identity Management spans both layers.
How do you get started?
Visit http://www.ibm.com/software/itsecurity/en/web10 to download informative whitepapers or view additional webcasts on IBM Security & IT Management Solutions
Contact your IBM sales specialist or IBM Business Partner, or call 1-800-IBM-7777 with priority code 104AK002 to discuss how IBM can assist you with your identity management needs.