Identity & Access Management [PDF]

Author / Uploaded: Loca

Why is Identity and Access Management required?

IAM (Enterprise Identity and Access Management) ►

IAM is a complex process consisting of various policies, procedures, activities, and technologies that require the coordination of many companywide groups such as human resources and IT. Fundamentally, IAM attempts to address three important questions:



• Who has access to what information?
• Is the access appropriate for the job being performed?
• Is the access and activity monitored, logged, and reported appropriately?

Who has access to what information? ►

A robust identity and access management system will help a company not only to manage digital identities, but to manage the access to resources, applications, and information these identities require as well.

Is the access appropriate for the job being performed? ►

This element takes on two facets. First, is this access correct and defined appropriately to support a specific job function? Second, does access to a specific resource conflict with other access rights, thus posing a potential segregation of duties problem?

Is the access and activity monitored, logged, and reported appropriately? ►

In addition to benefiting the user through efficiency gains, IAM processes should be designed in a manner that supports regulatory compliance. One of the larger regulatory realities under Sarbanes-Oxley and other regulations is that access rights must be defined, documented, monitored, logged, and reported appropriately.

Identity Management (IdM) ►

The term refers to the entire set of processes and technologies for maintaining and updating digital identities. Identity lifecycle management includes identity synchronization, provisioning, de-provisioning, and the ongoing management of user attributes, credentials and entitlements. It manages identity’s lifecycle through a combination of processes, organizational structure, and enabling technologies.

Access Management (AM) ►

Access management refers to the processes and technologies used to control and monitor network access. Access management features, such as authentication, authorization, trust and security auditing, are part and parcel of the top ID management systems for both on-premises and cloud-based systems. It primarily focuses on authentication and authorization.


Need of IAM ►

Secure user access plays a key role in the exchange of data and information.



In addition, electronic data is becoming ever more valuable for most companies.



Modern IAM solutions allow administering users and their access rights flexibly and effectively, enabling multiple ways of cooperation.  



To meet current security requirements and react quickly when required, companies need to identify and consolidate these data sources and define a data lifecycle.

Need of IAM ►

Keeping the required flow of business data going while simultaneously managing its access has always required administrative attention.



The business IT environment is ever evolving, and the difficulties have only become greater with recent disruptive trends like bring-your-own-device (BYOD), cloud computing, mobile apps and an increasingly mobile workforce.



A common problem is that privileges are granted as needed when employee duties change but the access level escalation is not revoked when it is no longer required.

Need of IAM ►

Privilege creep creates security risk in two different ways. An employee with privileges beyond what is warranted may access applications and data in an unauthorized and potentially unsafe manner.  



If an intruder gains access to the account of a user with excessive privileges, he may automatically be able to do more harm. Data loss or theft can result from either scenario.



In other words, privilege creep makes things much easier for an attacker who manages to compromise an over-privileged employee identity. Poor identity and access management also often leads to individuals retaining privileges after they are no longer employees.
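As an added example (not code from the original slides) of acting on the three questions above and on privilege creep, the following Python access review compares an HR identity feed with an account inventory and reports orphaned accounts, accounts whose owner has left, entitlements not justified by the owner's current role, and segregation-of-duties conflicts. The role model, the SoD rule and all identities and accounts are constructed for the illustration.

```python
"""Access review: privilege creep, orphaned accounts and SoD conflicts.
Added example; roles, SoD rules and identity/account data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Identity:
    uid: str
    status: str   # "active" or "terminated", as delivered by the HR feed
    role: str     # current job role, used to judge whether access is appropriate


@dataclass
class Account:
    name: str
    owner: Optional[str]    # identity uid the account was correlated to; None if unmapped
    entitlements: Set[str]


@dataclass
class Finding:
    kind: str      # orphaned | terminated_owner | privilege_creep | sod_conflict
    subject: str   # account name, or identity uid for SoD conflicts
    detail: str


def review_access(identities: List[Identity], accounts: List[Account],
                  role_entitlements: Dict[str, Set[str]],
                  sod_rules: List[Tuple[str, str]]) -> List[Finding]:
    """Answer 'who has access to what?' and 'is it appropriate for the job?'."""
    findings: List[Finding] = []
    by_uid = {i.uid: i for i in identities}
    held: Dict[str, Set[str]] = {}   # entitlements per identity, across all its accounts
    for acct in accounts:
        if acct.owner is None or acct.owner not in by_uid:
            # No identity behind the account, so nobody is accountable for it.
            findings.append(Finding("orphaned", acct.name, "no correlated identity"))
            continue
        ident = by_uid[acct.owner]
        if ident.status != "active":
            # A leaver whose account was never de-provisioned.
            findings.append(Finding("terminated_owner", acct.name,
                                    f"owner {ident.uid} is {ident.status}"))
            continue
        allowed = role_entitlements.get(ident.role, set())
        for ent in sorted(acct.entitlements - allowed):
            # Privilege creep: access kept from an earlier duty or granted ad hoc.
            findings.append(Finding("privilege_creep", acct.name,
                                    f"{ent} is not justified by role {ident.role}"))
        held.setdefault(ident.uid, set()).update(acct.entitlements)
    for uid, ents in sorted(held.items()):
        for a, b in sod_rules:
            if a in ents and b in ents:   # toxic combination held by one person
                findings.append(Finding("sod_conflict", uid, f"holds both {a} and {b}"))
    return findings


# Constructed role model and one SoD rule: whoever creates an invoice must not
# also be able to approve its payment.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"erp:invoice:create", "erp:invoice:read"},
    "treasury": {"erp:payment:approve", "erp:payment:read"},
    "helpdesk": {"ad:password:reset", "ticketing:read"},
}
SOD_RULES = [("erp:invoice:create", "erp:payment:approve")]


def sample_review() -> List[Finding]:
    """Run the review over a constructed HR feed and account inventory."""
    identities = [
        Identity("u100", "active", "accounts_payable"),
        Identity("u200", "active", "treasury"),
        Identity("u300", "terminated", "helpdesk"),
        Identity("u400", "active", "helpdesk"),   # moved here from a sysadmin role
    ]
    accounts = [
        Account("alice.erp", "u100", {"erp:invoice:create", "erp:invoice:read"}),
        Account("bob.erp", "u200", {"erp:payment:approve", "erp:payment:read",
                                    "erp:invoice:create"}),
        Account("carol.hd", "u300", {"ad:password:reset"}),
        Account("dave.hd", "u400", {"ad:password:reset", "ticketing:read",
                                    "ad:user:delete"}),
        Account("svc_backup", None, {"ad:user:create"}),
    ]
    return review_access(identities, accounts, ROLE_ENTITLEMENTS, SOD_RULES)
```

Each finding names the account or identity to act on, so the output can feed an access-recertification ticket or a de-provisioning job directly.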

Use Case: 1 ►

The Challenge



A large payments services company provides fast, convenient ways to send and receive money around the world, via ATMs and kiosks, in addition to operating more than half a million agent locations in 200 countries.



To meet the fast-growing needs of its identity and access management (IAM) efforts at optimal cost, the company asked for a secure IAM solution to be built that would sunset its legacy in-house provisioning solutions, migrate more than 600 applications, and automate application onboarding, lifecycle event management and access reviews.

Use Case: 1 ►

Approach



We implemented a file-based system to correlate a vast number of accounts to target identities. We maintained dedicated service identities for mapping service accounts and restricted the number of accounts on each. Our custom implementation approach introduced utilities to create new application custom objects, replacing inefficient, manually created objects. Finally, we developed a single platform for user onboarding, request management, provisioning and certification. Our robust framework also accelerated application onboarding.

Use case : 2 ►

The Problem



In 2019 the Arnold Arboretum of Harvard University decided that they needed to move all their files (images, PDFs, etc.) off of the scattered locations in which they were stored and into a central repository where everyone could access them much more easily. One major need was to provide varying levels of access to the central repository depending on people’s roles at the Arboretum. The solution chosen was a digital asset management software called Asset Bank. The Arboretum then reached out to the Identity & Access Management Team (IAM) to integrate Asset Bank with HarvardKey.

Use case : 2 ►

The solution



First, Victoria Lin, the Senior Database Administrator at the Arnold Arboretum reached out to their new software vendor. Asset Bank confirmed that they could support a Single Sign On integration and could also use Harvard’s groups to provide access to the various digital assets stored within the system.



Victoria talked through the requirements with Jane Hill, Director of Identity and Access Management Services, and the Office of the General Counsel to confirm the data to be shared was acceptable under existing policies. Finally the Arboretum staff, the IAM team and Asset Bank personnel worked together to finalize the integration. When the Asset Bank system launches, the Arboretum staff will simply log in with their HarvardKey.

Use case : 2 ►

The response sent from HarvardKey to the Asset Bank application will map back to their correct level of access for items stored in the repository.



The vital element for this implementation was to be able to map specific users into groups that could then be used to assign them to the right level of access within Asset Bank.



The IAM system being used to achieve that is the Grouper tool. Daily, the other IAM systems feed data about Harvard users and their affiliations into Grouper. Grouper reads these data points and adds people into org-based groups, known as reference groups. So the reference groups are automatically updated whenever people’s data changes.

Use case : 2 ►

The Result



15,000 items have already been migrated into Asset Bank and many more will be added in the coming months. Using HarvardKey not only provides the right access to the right people but it also provides the additional reassurance of having two-step verification as part of the authentication process.

Five Elements of Security ►

• Authentication
• Authorization
• AAA Services
• Auditing
• Accountability

Authentication ►

The process of verifying or testing that the claimed identity is valid is authentication.



The most common form of authentication is using a password (this includes the password variations of PINs and passphrases).



Authentication verifies the identity of the subject by comparing one or more factors against the database of valid identities (that is, user accounts).



Identification and authentication are always used together as a single two-step process. Providing an identity is the first step and providing the authentication factor(s) is the second step. Without both, a subject cannot gain access to a system—neither element alone is useful in terms of security.

Authorization ►

Once a subject is authenticated, access must be authorized.



The process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.



If the specific action is allowed, the subject is authorized. If the specific action is not allowed, the subject is not authorized.



Authorization has a wide range of variations between all or nothing for each object within the environment.

Authorization ►

A user may be able to read a file but not delete it, print a document but not alter the print queue, or log on to a system but not access any resources.



Authorization is usually defined using one of the concepts of access control, such as discretionary access control (DAC), mandatory access control (MAC), or role-based access control (RBAC).

AAA Services ►

You may have heard of the concept of AAA services. The three As in this acronym refer to authentication, authorization, and accounting (or sometimes auditing).



Authentication: proving that you are that identity.

Authorization: defining the allows and denials of resource and object access for a specific identity.

Auditing: recording a log of the events and activities related to the system and subjects.

Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

Although AAA is often referenced in relation to authentication systems, it is in fact a foundation concept of all forms of security, as without any one of these five elements a security mechanism would be incomplete.

Auditing ►

Auditing, or monitoring, is the programmatic means by which a subject’s actions are tracked and recorded for holding the subject accountable for their actions while authenticated on a system.



It is also the process by which unauthorized or abnormal activities are detected on a system.



Auditing is recording activities of a subject and its objects as well as recording the activities of core system functions that maintain the operating environment and the security mechanisms.



Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis.

Accountability ►

An organization’s security policy can be properly enforced only if accountability is maintained.



You can maintain security only if subjects are held accountable for their actions. Effective accountability relies on the capability to prove a subject’s identity and track their activities.



Accountability is established by linking a human to the activities of an online identity through the security services and mechanisms of auditing, authorization, authentication, and identification. Thus, human accountability is ultimately dependent on the strength of the authentication process.



With only a password as authentication, there is significant room for doubt. Passwords are the least secure form of authentication, with dozens of different methods available to compromise them. 

Key concepts of Identity and Access Management ►

To create a secure environment, you need to account for the following components of an Identity and Access Management solution:



User identity, authentication, and authorization service: Enables applications deployed to the cloud to externalize the authentication of users to a range of different identity providers.



Multifactor authentication: Combats identity theft by adding an additional level of authentication for application users. 

Key concepts of Identity and Access Management ►

Directory services: Hosts the user profiles and associated credentials that are used to access applications. 



Reporting: Provides a user-centric view of access to resources or a resource centric view of access by users. 



Audit and compliance: Validates implemented controls against an organization's security policy, industry compliance, and risk policies and reports deviations.



User access management: Enables cloud providers to manage user identities in cloud-based platforms, applications, and services.

What IAM terms should I know? ►

Biometric authentication: A security process for authenticating users that relies upon the user’s unique characteristics. Biometric authentication technologies include fingerprint sensors, iris and retina scanning, and facial recognition. 



Context-aware network access control: Context-aware network access control is a policy-based method of granting access to network resources according to the current context of the user seeking access. For example, a user attempting to authenticate from an IP address that hasn’t been whitelisted would be blocked. 



Credential: An identifier employed by the user to gain access to a network such as the user’s password, public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris scan). 



De-provisioning: The process of removing an identity from an ID repository and terminating access privileges. 



Digital identity: The ID itself, including the description of the user and his/her/its access privileges. (“Its” because an endpoint, such as a laptop or smartphone, can have its own digital identity.)  



Entitlement: The set of attributes that specify the access rights and privileges of an authenticated security principal. 



Identity as a Service (IDaaS): Cloud-based IDaaS offers identity and access management functionality to an organization’s systems that reside on-premises and/or in the cloud.



Identity lifecycle management: Identity synchronization: The process of ensuring that multiple identity stores—say, the result of an acquisition— contain consistent data for a given digital ID. 



Lightweight Directory Access Protocol (LDAP): LDAP is an open-standards-based protocol for managing and accessing a distributed directory service, such as Microsoft’s AD.



Multi-factor authentication (MFA): MFA is when more than just a single factor, such as a user name and password, is required for authentication to a network or system. At least one additional step is also required, such as receiving a code sent via SMS to a smartphone, inserting a smart card or USB stick, or satisfying a biometric authentication requirement, such as a fingerprint scan. 



Password reset: In this context, it’s a feature of an ID management system that allows users to re-establish their own passwords, relieving the administrators of the job and cutting support calls. The reset application is often accessed by the user through a browser. The application asks for a secret word or a set of questions to verify the user’s identity. 



Privileged account management:  This term refers to managing and auditing accounts and data access based on the privileges of the user. In general terms, because of his or her job or function, a privileged user has been granted administrative access to systems. A privileged user, for example, would be able set up and delete user accounts and roles. 



Provisioning: The process of creating identities, defining their access privileges and adding them to an ID repository. 



Risk-based authentication (RBA): Risk-based authentication dynamically adjusts authentication requirements based on the user’s situation at the moment authentication is attempted. For example, when users attempt to authenticate from a geographic location or IP address not previously associated with them, those users may face additional authentication requirements. 



Security principal: A digital identity with one or more credentials that can be authenticated and authorized to interact with the network.  



Single sign-on (SSO): A type of access control for multiple related but separate systems. With a single username and password, a user can access a system or systems without using different credentials.



User behavior analytics (UBA): UBA technologies examine patterns of user behavior and automatically apply algorithms and analysis to detect important anomalies that may indicate potential security threats. UBA differs from other security technologies, which focus on tracking devices or security events. UBA is also sometimes grouped with entity behavior analytics and known as UEBA. 

Uniting Identity and Access Management



Identity and Access Management (IAM) is the process of managing who has access to what information over time.



This cross-functional activity involves the creation of distinct identities for individuals and systems, as well as the association of system and application-level accounts to these identities.



IAM processes are used to initiate, capture, record, and manage the user identities and related access permissions to the organization’s proprietary information.

Business Challenges ►

1. An increasingly distributed workforce 



One way organizations can recruit and retain the best talent is to remove the constraints of geographic location and offer a flexible work environment.



A remote workforce allows businesses to boost productivity while keeping expenses in check as well as untethering employees from a traditional office setting. However, with employees scattered all over a country or even the world, enterprise IT teams face a much more daunting challenge: maintaining a consistent experience for employees connecting to corporate resources without sacrificing security.



2. Distributed applications



With the growth of cloud-based and Software as a Service (SaaS) applications, users now have the power to log in to critical business apps like Salesforce, Office365, Concur, and more anytime, from any place, using any device. However, with the increase of distributed applications comes an increase in the complexity of managing user identities for those applications.



3. Productive provisioning 



Without a centralized IAM system, IT staff must provision access manually. The longer it takes for a user to gain access to crucial business applications, the less productive that user will be. On the flip side, failing to revoke the access rights of employees who have left the organization or transferred to different departments can have serious security consequences. To close this window of exposure and risk, IT staff must de-provision access to corporate data as quickly as possible.  



4. Bring your own device (BYOD) 



To manage or not to manage—there really is no choice between the two for today’s enterprises. Employees, contractors, partners, and others are bringing in personal devices and connecting to the corporate network for professional and personal reasons. The challenge with BYOD is not whether outside devices are brought into the enterprise network, but whether IT can react quickly enough to protect the organization’s business assets—without disrupting employee productivity and while offering freedom of choice. Nearly every company has some sort of BYOD policy that allows users to access secure resources from their own devices.



5. Password problems 



The growth of cloud-based applications means that employees must remember an increasing number of passwords for applications that may cross domains and use numerous different authentication and attribute-sharing standards and protocols. User frustration can mount when an employee spends more and more time managing the resulting lists of passwords which, for some applications, may require changing every 30 days. Plus, when employees have trouble with their passwords, they most often contact IT staff for help, which can quickly and repeatedly drain important resources.  



6. Regulatory compliance 



Compliance and corporate governance concerns continue to be major drivers of IAM spending. For example, much of the onus to provide the corporate governance data required by Sarbanes-Oxley regulations falls on the IT department. Ensuring support for processes such as determining access privileges for specific employees, tracking management approvals for expanded access, and documenting who has accessed what data and when they did it can go a long way to easing the burden of regulatory compliance and ensuring a smooth audit process.

IAM Strategy Framework

Cost of IAM Over Time

• Higher initial cost of implementing and deploying an I&AM solution compared to maintaining existing processes and tools.
• However, over a period of time:
  • Maintaining existing tools for managing identities will increase in cost.
  • The deployment of I&AM will reduce costs.

Business Drivers of IAM

We can help organizations enable their business for growth and bring digital identities and access rights under control by deploying an IAM solution.

Reduced Information Security Risk ►

A key driver to successful IAM implementation is the improved risk posture that comes from the implementation of better identity and access controls. By knowing who has access to what, and how access is directly relevant to a particular job or function, IAM improves the strength of the organization’s overall control environment.

Reduced IT Operating and Development Costs ►

Ironically, the proliferation of automated systems can negatively impact worker efficiency due to the different sign-on mechanisms used. As a result, workers must remember or carry a variety of credentials that change frequently. For example, a typical employee may have a username and password for their desktop, a different username and password to gain access to other systems, several more usernames and passwords for different desktop and browser applications, and a personal identification number (i.e., PIN) with a one-time use password for remote access.

Improved Operating Efficiencies and Transparency ►

Having a well-defined process for managing access to information can greatly enhance a company’s operating efficiency. Many times, organizations struggle with getting users the access they require to perform their job functions. For instance, requests are forwarded to various members of the IT or administration team who may not know what access or information a user is requesting or has a business need to obtain. Additionally, without a defined process, requests may go unfulfilled or be performed incorrectly, resulting in additional work on the part of the IT or administration team.

IAM vendors

• Atos (Evidian)
• CA Technologies
• Centrify
• Covisint
• ForgeRock
• IBM Security Identity and Access Assurance
• i-Sprint Innovations
• Micro Focus
• Microsoft Azure Active Directory
• Okta
• OneLogin
• Optimal IdM
• Oracle Identity Cloud Service
• Ping
• SecureAuth

Introduction To LDAP



The Lightweight Directory Access Protocol (LDAP) is an open industry standard that has evolved to meet the need for a standard way of accessing directory information.



LDAP defines a standard method for accessing and updating information in a directory.



LDAP has gained wide acceptance as the directory access method of the Internet and is therefore also becoming strategic within corporate intranets.



It is being supported by a growing number of software vendors and is being incorporated into a growing number of applications.

Architecture



Distributed applications might interact with computers on the same local area network, within a corporate intranet, within extranets linking up partners and suppliers, or anywhere on the worldwide Internet.



Information describing the various users, applications, files, printers, and other resources accessible from a network is often collected into a special database that is sometimes called a directory.

Directories ►

A directory is a listing of information about objects arranged in some order that gives details about each object.



Common examples are a city telephone directory and a library card catalog. For a telephone directory, the objects listed are people; the names are arranged alphabetically, and the details given about each person are address and telephone number.

Directory versus Database  ►

A directory is often described as a database, but it is a specialized database that has characteristics that set it apart from general-purpose relational databases.



One special characteristic of directories is that they are accessed (read or searched) much more often than they are updated (written).



Because directories are meant to store relatively static information and are optimized for that purpose, they are not appropriate for storing information that changes rapidly.

Directory versus Database  ►

For example, the number of jobs currently in a print queue probably should not be stored in the directory entry for a printer because that information would have to be updated frequently to be accurate.



Instead, the directory entry for the printer can contain the network address of a print server. The print server can be queried to get the current queue length if desired. The information in the directory (the print server address) is static, whereas the number of jobs in the print queue is dynamic. 

Directory versus Database  ►

Another difference between directories and general-purpose relational databases is that most directory implementations still do not support transactions.



For example, a directory specialized for customer contact information might be limited to storing only personal information such as names, addresses, and phone numbers. If a directory is extensible, it can be configured to store a variety of types of information making it more useful to a variety of programs.

Distributed Directories

Advantages of using a Directory

Directory Components

LDAP defines operations for accessing and modifying directory entries such as:



• Binding and unbinding
• Searching for entries meeting user-specified criteria
• Adding an entry
• Deleting an entry
• Modifying an entry
• Modifying the distinguished name or relative distinguished name of an entry (move)
• Comparing an entry

The Informational Model

LDAP Attribute

LDIF ►

LDAP supports the LDAP Data Interchange Format (LDIF) that can be seen as a convenient, yet necessary, data management mechanism.



Example: basic form of an LDIF entry

dn: <distinguished name>
<attribute type>: <attribute value>
<attribute type>: <attribute value>
...

An entry for an organization:

dn: o=ibm.com
objectclass: top
objectclass: organization
o: ibm.com
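As an added example (not code from the slides or from any LDAP product), the following Python reads and writes the LDIF form shown above: it unfolds continuation lines, decodes base64 ("::") values, skips comments and the version header, and when writing applies the rule that a value that is non-ASCII or starts with a space, colon or "<" must be base64-encoded. The first sample entry is the slide's o=ibm.com entry; the second person entry is constructed.

```python
"""Minimal LDIF reader/writer for entries like the o=ibm.com example.
Added example, not from the slides; the second sample entry is constructed."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # attribute type (lower-cased) -> values

# Constructed sample: the slide's organization entry plus a person entry that
# exercises a folded (continued) line and a base64-encoded "::" value.
SAMPLE_LDIF = (
    "version: 1\n"
    "# organization entry from the slide\n"
    "dn: o=ibm.com\n"
    "objectclass: top\n"
    "objectclass: organization\n"
    "o: ibm.com\n"
    "\n"
    "dn: cn=Example Person,o=ibm.com\n"
    "objectclass: top\n"
    "objectclass: person\n"
    "cn: Example Person\n"
    "sn: Person\n"
    "description: a long value that is folded\n"
    "  across two lines\n"
    "l:: " + base64.b64encode("Zürich".encode("utf-8")).decode("ascii") + "\n"
)


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into a list of attribute dictionaries."""
    # Unfold first: a line starting with one space continues the previous line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:        # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if ":" not in line:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, rest = line.split(":", 1)
        attr = attr.strip().lower()
        if attr == "version" and not current:
            continue                    # "version: 1" header, not an attribute
        if not current and attr != "dn":
            raise ValueError("an LDIF entry must start with a dn line")
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries


def _needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING rule: ASCII only, no leading space/colon/'<',
    no trailing space and no NUL, CR or LF; anything else is base64-encoded."""
    if not value.isascii():
        return True
    if value[:1] in (" ", ":", "<") or value.endswith(" "):
        return True
    return any(ch in value for ch in "\0\r\n")


def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF, dn first, encoding unsafe values."""
    records = []
    for entry in entries:
        lines = []
        for attr in ["dn"] + [a for a in entry if a != "dn"]:
            for value in entry[attr]:
                if _needs_base64(value):
                    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                    lines.append(f"{attr}:: {encoded}")
                else:
                    lines.append(f"{attr}: {value}")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"
```

Values referencing a file URL ("attr:< file:///...") are deliberately not resolved here; a production importer should treat such references with the same care as any file read on behalf of an untrusted input.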

The Naming Model

Directory Security



Authentication: Assurance that the opposite party (machine or person) really is who he/she/it claims to be. 



Integrity: Assurance that the information that arrives is really the same as what was sent.



Confidentiality: Protection of information disclosure by means of data encryption to those who are not intended to receive it. 



Authorization: Assurance that a party is really allowed to do what he/she/it is requesting to do. This is basically achieved by assigning access controls, like read, write, or delete, to user IDs or common names.



• No authentication
• Basic authentication
• SASL
• SSL and TLS

Replication



Replication is a technique used by directory servers to improve performance, availability, and reliability. The replication process keeps the data in multiple directory servers synchronized.

Benefits

• Redundancy of information - Replicas back up the content of their supplier servers.
• Faster searches - Search requests can be spread among several different servers, instead of a single server. This improves the response time for the request completion.
• Security and content filtering - Replicas can contain subsets of the data in a supplier server.

Replication Topologies ►

• Simple replication
• Cascading replication
• Peer-to-peer replication
• Gateway replication

Simple Replication ►

The basic relationship in replication is that of a master server and its replica server. The master server can contain a directory or a subtree of a directory.

Cascading Replication ►

A master server replicates to a set of read-only (forwarding) servers that in turn replicate to other servers. Such a topology off-loads replication work from the master server.

Peer-to-Peer Replication  ►

In this topology several master servers replicate to each other, each accepting client updates; this is referred to as peer replication. Peer replication can improve performance, availability, and reliability.

Gateway Replication  ►

A gateway server must be a master server, that is, writable. It acts as a peer server within its own replication site. That is, it can receive and replicate client updates and receive updates from the other peer-master servers within the replication site.