SlideShare uma empresa Scribd logo

OWASP Identity Manegement

Flávio Silva
Flávio Silva
1 de 32
Baixar para ler offline
Identity Management Basics Derek Browne, CISSP, ISSAP Derek.Browne@Emergis.com OWASP May 9, 2007 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
Agenda 1. Identity Management Overview 2. Concepts 3. Approach to Identity & Access Management 4. Example Scenarios 5. Product Demonstrations…hopefully… OWASP 2
Identity Management Flavours Single Sign On is a goal … not a product Web application integration -- Web SSO Enterprise SSO (eSSO) involves corporate desktop application Some use a server -- TSE, tn3270/5250, SAP, Oracle forms, etc Some authenticate locally -- acrobat protected files IdM is different than Access Management One involves who you are and how that is recorded The other involved the policies around how you access resources Federation of identities across multiple jurisdictions SAML, SXIP, Identity 2.0, OASIS Passport (HAHA), Kerberos, Liberty OWASP 3
Identity Management Overview Defined: Central infrastructure to manage users, roles, and access to resources Concept of “identity” contains all user attributes Provisioning capabilities Technology ( connectors ) Approvals Workflow Management Features: Identity provisioning among integrated directories Self-registration and management Delegation of approvals and workflows Password reset capability Benefits: Meet regulatory & audit requirements around controlled access to resources Save costs through efficient workflows for provisioning and approval Asset (business) owners in control, rather than technology group OWASP 4
Identity Management Integration Integrates with: Enterprise single-sign-on (and related strong authentication) Access Management systems Role Engineering / Management systems Integration Risks: Focus on technology may distract from importance of roles and processes Too many roles (or exceptions) may result if access modeling and identity modeling are not well-planned Benefits may not be realized quickly if project scope is not managed Not respecting impact on business and applications may have adverse effects on buy-in and acceptance Ineffective processes and workflows may prevent cost savings from being realized Lack of proper knowledge transfer results in a system that the organization cannot effectively manage OWASP 5
Identity & Access Management Methodology 1. Inventory: gather information about users, access requirements, and applications & data 2. Create: future state roadmap, associating user groups with access controls, and designing operational support and workflow processes 3. Deploy: begin assigning access to systems and data using new processes and workflows 4. Optimize: deploy automated and delegated processes only after steady state has been achieved 5. Report: leverage investment to satisfy reporting requirements for legislation and internal controls OWASP 6 75 percent of deployment effort will be spent on people & process
Agenda 1. Identity Management Overview 2. Concepts 3. Approach to Identity & Access Management 4. Example Scenarios 5. Product Demonstrations OWASP 7
Identity & Access Management Basics Access Management Access to data or applications is defined by Business policies (segregation of duties) Security policies Industry regulations and customer requirements Access permissions are mapped to roles and rules to be used when managing identities Identity Management Map roles and rules to specific users to allow appropriate access Process to manage and track access to systems andTools exist to facilitate data the mapping and Provisioning ongoing management Workflow of roles & identities Auditability Single Sign-on & Strong Authentication Single sign-on allows access to all resources – strong authentication is required OWASP 8
Identity & Access Management Systems 1. User connects to Web server 2. Web server has a connector or “Agent” An interface to the Access Manager ‘plug-ins’ or APIs 3. Access Manager is Policy Enforcement Point: “PEP” Agent High-volulme system to make decisions on access requests from the Web server Must be high-availability PMP 4. Identity Manager is the Policy Management Point: PEP “PMP” Central management of all identity information from various sources Able to define processes and workflows to manage, maintain, and audit access to resources. OWASP 9
Identity Management Framework Directory services repository is the most critical component, and is the primary data store for user- ID and profile information. Provisioning provides a role- based approach to end-to- end user lifecycle management Authentication –leverage existing systems including Active Directory, Enterprise Single Sign-on, and RSA tokens. Access Management – leverage existing access manager infrastructure OWASP 10 Leverage existing technologies and processes
Role Based Access Control Functional roles & organization as defined by HR Create and manage within “role engineering” tool ROLE Business Role Hierarchy Permissions Scenarios Stored and managed Tasks in directory Work profiles Constraints “Ned Flanders” er Us Resource Approver Privileges OWASP 11
Role Engineering – Process RBAC is widely supported and solves the Privilege management problem better than DAC or MAC, etc. but development of the Role Hierarchy is manual and utilities are few and not all are effective. The role engineering process… Discovers Orphaned accounts, privileges, roles Merges overlapping roles Breaks apart overly broad roles: multiple jobs done by the same organization? Defines Role constraints that come from permission constraints Creates role hierarchies: junior roles with common bases …and provides the benefits of… Cleanup and streamline privileges and group definitions Essential for ongoing privilege management Assists with & documents compliance with policies OWASP 12
Role Engineering – Creating Roles Functional Decomposition Matter of pulling apart the existing processes and relationships between resources and users and their jobs Understanding the interactions that constraints that exist on permissions “Scenario-Driven” Models the usage of the system overall Goal is to establish RBAC from concrete Role Hierarchies OWASP 13 “bottom-up” approach
Role Engineering – Process Each IdM tool integrates a set of features to assist Bridgestream (SmartRoles) Manages dynamic approval processes based on context Identify & Model New and relationships Scenarios Does this by assuming the job of managing roles…all Define Scenario roles Permissions & Defines Approval Policies to control relationships Constraints Eurekify (Sage) Further Refine Can provide Query and Discovery functions – Scenario Model preliminary review of privilege landscape Provides audit and compliance reporting on business Define Tasks and roles Work Profiles xoRET Initial Attempt at tool for scenario based role Define Roles and engineering Role Hierarchy Ultimately R.E. has so many human factors that there are key manual efforts required OWASP 14
Logging & Monitoring is Critical OWASP 15
OWASP 16
OWASP 17
Agenda 1. Identity Management Overview 2. Concepts 3. Approach 4. Example Scenarios 5. Product Demonstrations OWASP 18
Applying a Methodology Implement Develop Discover Harvest Validate Pilot Refine Tool Workflow •Where is role •Identity •Obtain •Validate •Business- •Limited roll- •Iterative or identity Management information against oriented out of pilot process information tool (or from existing “master” approach applications currently equivalent) repositories (SAP) data •Add more kept? •Consult IS, •Apply granularity to •Evaluate •Active •Eliminate HR, and “coarse” “roles” •What are the needs and Directory, conflicts business roles data assets technology SiteMinder, stakeholders (regulated •Result: to protect? LDAP, SAP •Complete vs. non-reg) “fine- •Integration missing •Create grained” •Who owns with existing •Result: information provisioning •Pilot group Role Based the data? systems “raw” data as & admin chosen Access collected by •Result is workflows based on Control •Who uses •Achieve the tool “coarse” risk or the data? “quick wins” roles priority The actual process will not be linear… OWASP 19
Agenda 1. Identity Management Overview 2. Concepts 3. Approach 4. Example Scenarios 5. Product Demonstrations OWASP 20
Typical Environments OWASP 21
Enterprise Single Sign-on OWASP 22
Enterprise Single Sign-on with IdM OWASP 23
Access Management OWASP 24
Access Management with IdM OWASP 25
Integrated Identity & Access Management IdM Without Context OWASP 26
SAML Primary concern is Complexity Built by committee – but so was IPSec Motivated backers Seasoned backers Synchronized clocks for validation Multitude of Trust relationships A trusted third party resolves this but not mandatory OWASP 27
SAML Data Flow Sun 2007 OWASP 28 http://developers.sun.com/identity/reference/techart/sso.html
Options - What are the Choices Key Vendors in this Competitive Analysis is area include (no being prepared now ranking) … Criteria being defined… Federation Sun Audit capability Oracle Encryption capability Computer Associates Workflow flexibility BMC Software Novell Passlogix Imprivata RSA Many others… OWASP 29
Agenda 1. Introductions and Objectives 2. Concepts 3. Approach to Identity & Access Management 4. Example Scenarios 5. Product Demonstration…hopefully… OWASP 30
Links as of June 1, 2007 Sun http://www.sun.com/download/index.jsp?cat=Identit y%20Management&tab=3 Oracle http://www.oracle.com/technology/products/id_mgmt /index.html SXIP http://www.sxip.com http://identity20.com OWASP 31
Derek Browne, CISSP, ISSAP derek.browne@emergis.com OWASP 32

Recomendados

Oracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing RolesOracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing Roleskmundy
 
What's New in Novell Identity Manager 4.0
What's New in Novell Identity Manager 4.0What's New in Novell Identity Manager 4.0
What's New in Novell Identity Manager 4.0Novell
 
Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0debbanerjee
 
21st Century SOA
21st Century SOA21st Century SOA
21st Century SOABob Rhubart
 
Excelencia Oracle Practice
Excelencia Oracle PracticeExcelencia Oracle Practice
Excelencia Oracle PracticeRajesh Ramanathan
 
How eBMS can help you
How eBMS can help youHow eBMS can help you
How eBMS can help youBert Myburgh
 
Case Study: ABS OAM
Case Study: ABS OAMCase Study: ABS OAM
Case Study: ABS OAMjayallen77
 
Sql Server 2012 Reporting-Services is Now a SharePoint Service Application
Sql Server 2012 Reporting-Services is Now a SharePoint Service ApplicationSql Server 2012 Reporting-Services is Now a SharePoint Service Application
Sql Server 2012 Reporting-Services is Now a SharePoint Service ApplicationInnoTech
 

Recomendados

Oracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing RolesOracle Fusion Applications Security - Designing Roles
Oracle Fusion Applications Security - Designing Roleskmundy
 
What's New in Novell Identity Manager 4.0
What's New in Novell Identity Manager 4.0What's New in Novell Identity Manager 4.0
What's New in Novell Identity Manager 4.0Novell
 
Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0Df2012 securing information_assets_in_saa_s_clouds_3_0
Df2012 securing information_assets_in_saa_s_clouds_3_0debbanerjee
 
21st Century SOA
21st Century SOA21st Century SOA
21st Century SOABob Rhubart
 
Excelencia Oracle Practice
Excelencia Oracle PracticeExcelencia Oracle Practice
Excelencia Oracle PracticeRajesh Ramanathan
 
How eBMS can help you
How eBMS can help youHow eBMS can help you
How eBMS can help youBert Myburgh
 
Case Study: ABS OAM
Case Study: ABS OAMCase Study: ABS OAM
Case Study: ABS OAMjayallen77
 
Sql Server 2012 Reporting-Services is Now a SharePoint Service Application
Sql Server 2012 Reporting-Services is Now a SharePoint Service ApplicationSql Server 2012 Reporting-Services is Now a SharePoint Service Application
Sql Server 2012 Reporting-Services is Now a SharePoint Service ApplicationInnoTech
 
Дамир Тенишев Exigen Services Business Processes Storehouse
Дамир Тенишев Exigen Services Business Processes StorehouseДамир Тенишев Exigen Services Business Processes Storehouse
Дамир Тенишев Exigen Services Business Processes StorehouseТранслируем.бел
 
Application Compatibility Planning Service
Application Compatibility Planning ServiceApplication Compatibility Planning Service
Application Compatibility Planning ServiceChristopherSilver
 
Hitachi ID Solutions Supporting HIPAA Compliance
Hitachi ID Solutions Supporting HIPAA ComplianceHitachi ID Solutions Supporting HIPAA Compliance
Hitachi ID Solutions Supporting HIPAA ComplianceHitachi ID Systems, Inc.
 
Oracle - Programatica2010
Oracle - Programatica2010Oracle - Programatica2010
Oracle - Programatica2010Agora Group
 
2001 09 ma,ma b2 b process integration tutorial
2001 09 ma,ma b2 b process integration tutorial2001 09 ma,ma b2 b process integration tutorial
2001 09 ma,ma b2 b process integration tutorialMike Marin
 
Understanding Oracle ADF and its role in Oracle Fusion Middleware
Understanding Oracle ADF and its role in Oracle Fusion MiddlewareUnderstanding Oracle ADF and its role in Oracle Fusion Middleware
Understanding Oracle ADF and its role in Oracle Fusion MiddlewareRefundation
 
Sun2 oracle avea's identity management platform transformation
Sun2 oracle avea's identity management platform transformationSun2 oracle avea's identity management platform transformation
Sun2 oracle avea's identity management platform transformationOracleIDM
 
ORACLE FUSION - IBANK
ORACLE FUSION - IBANKORACLE FUSION - IBANK
ORACLE FUSION - IBANKibankuk
 
02 Ms Online Identity Session 1
02 Ms Online Identity Session 102 Ms Online Identity Session 1
02 Ms Online Identity Session 1Sivadon Chaisiri
 
LeverX IQ DMS Overview - SAP DMS Simplified
LeverX IQ DMS Overview - SAP DMS SimplifiedLeverX IQ DMS Overview - SAP DMS Simplified
LeverX IQ DMS Overview - SAP DMS SimplifiedEric Stajda
 
Oracel ADF Introduction
Oracel ADF IntroductionOracel ADF Introduction
Oracel ADF IntroductionHojjat Abedie
 
SAP Netweaver BPM #SITANK 2011
SAP Netweaver BPM #SITANK 2011SAP Netweaver BPM #SITANK 2011
SAP Netweaver BPM #SITANK 2011Abdulbasit Gulsen
 
Biz case-keynote-final copy
Biz case-keynote-final copyBiz case-keynote-final copy
Biz case-keynote-final copyOracleIDM
 
HCLT Brochure: E-Discovery and Document Review Solutions
HCLT Brochure: E-Discovery and Document Review SolutionsHCLT Brochure: E-Discovery and Document Review Solutions
HCLT Brochure: E-Discovery and Document Review SolutionsHCL Technologies
 
Aras Vision and Roadmap with Aras Innovator PLM Software
Aras Vision and Roadmap with Aras Innovator PLM SoftwareAras Vision and Roadmap with Aras Innovator PLM Software
Aras Vision and Roadmap with Aras Innovator PLM SoftwareAras
 
How governance drives your information and security architecture
How governance drives your information and security architectureHow governance drives your information and security architecture
How governance drives your information and security architectureRandy Williams
 
CARA User Interface for Oracle WebCenter
CARA User Interface for Oracle WebCenterCARA User Interface for Oracle WebCenter
CARA User Interface for Oracle WebCentercara4oraclewebcenter
 
Aras Custom Business Process Management
Aras Custom Business Process ManagementAras Custom Business Process Management
Aras Custom Business Process ManagementAras
 
Ca partner day - qualità servizi - roma 1 di 2
Ca partner day - qualità servizi - roma 1 di 2Ca partner day - qualità servizi - roma 1 di 2
Ca partner day - qualità servizi - roma 1 di 2CA Technologies Italia
 
Microsoft Service Manager 2010
Microsoft Service Manager 2010Microsoft Service Manager 2010
Microsoft Service Manager 2010C/D/H Technology Consultants
 
SANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements ServerSANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements ServerOracleIDM
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ KiranKiran Kumar
 

Mais conteúdo relacionado

Mais procurados

Дамир Тенишев Exigen Services Business Processes Storehouse
Дамир Тенишев Exigen Services Business Processes StorehouseДамир Тенишев Exigen Services Business Processes Storehouse
Дамир Тенишев Exigen Services Business Processes StorehouseТранслируем.бел
 
Application Compatibility Planning Service
Application Compatibility Planning ServiceApplication Compatibility Planning Service
Application Compatibility Planning ServiceChristopherSilver
 
Hitachi ID Solutions Supporting HIPAA Compliance
Hitachi ID Solutions Supporting HIPAA ComplianceHitachi ID Solutions Supporting HIPAA Compliance
Hitachi ID Solutions Supporting HIPAA ComplianceHitachi ID Systems, Inc.
 
Oracle - Programatica2010
Oracle - Programatica2010Oracle - Programatica2010
Oracle - Programatica2010Agora Group
 
2001 09 ma,ma b2 b process integration tutorial
2001 09 ma,ma b2 b process integration tutorial2001 09 ma,ma b2 b process integration tutorial
2001 09 ma,ma b2 b process integration tutorialMike Marin
 
Understanding Oracle ADF and its role in Oracle Fusion Middleware
Understanding Oracle ADF and its role in Oracle Fusion MiddlewareUnderstanding Oracle ADF and its role in Oracle Fusion Middleware
Understanding Oracle ADF and its role in Oracle Fusion MiddlewareRefundation
 
Sun2 oracle avea's identity management platform transformation
Sun2 oracle avea's identity management platform transformationSun2 oracle avea's identity management platform transformation
Sun2 oracle avea's identity management platform transformationOracleIDM
 
ORACLE FUSION - IBANK
ORACLE FUSION - IBANKORACLE FUSION - IBANK
ORACLE FUSION - IBANKibankuk
 
02 Ms Online Identity Session 1
02 Ms Online Identity Session 102 Ms Online Identity Session 1
02 Ms Online Identity Session 1Sivadon Chaisiri
 
LeverX IQ DMS Overview - SAP DMS Simplified
LeverX IQ DMS Overview - SAP DMS SimplifiedLeverX IQ DMS Overview - SAP DMS Simplified
LeverX IQ DMS Overview - SAP DMS SimplifiedEric Stajda
 
Oracel ADF Introduction
Oracel ADF IntroductionOracel ADF Introduction
Oracel ADF IntroductionHojjat Abedie
 
SAP Netweaver BPM #SITANK 2011
SAP Netweaver BPM #SITANK 2011SAP Netweaver BPM #SITANK 2011
SAP Netweaver BPM #SITANK 2011Abdulbasit Gulsen
 
Biz case-keynote-final copy
Biz case-keynote-final copyBiz case-keynote-final copy
Biz case-keynote-final copyOracleIDM
 
HCLT Brochure: E-Discovery and Document Review Solutions
HCLT Brochure: E-Discovery and Document Review SolutionsHCLT Brochure: E-Discovery and Document Review Solutions
HCLT Brochure: E-Discovery and Document Review SolutionsHCL Technologies
 
Aras Vision and Roadmap with Aras Innovator PLM Software
Aras Vision and Roadmap with Aras Innovator PLM SoftwareAras Vision and Roadmap with Aras Innovator PLM Software
Aras Vision and Roadmap with Aras Innovator PLM SoftwareAras
 
How governance drives your information and security architecture
How governance drives your information and security architectureHow governance drives your information and security architecture
How governance drives your information and security architectureRandy Williams
 
CARA User Interface for Oracle WebCenter
CARA User Interface for Oracle WebCenterCARA User Interface for Oracle WebCenter
CARA User Interface for Oracle WebCentercara4oraclewebcenter
 
Aras Custom Business Process Management
Aras Custom Business Process ManagementAras Custom Business Process Management
Aras Custom Business Process ManagementAras
 
Ca partner day - qualità servizi - roma 1 di 2
Ca partner day - qualità servizi - roma 1 di 2Ca partner day - qualità servizi - roma 1 di 2
Ca partner day - qualità servizi - roma 1 di 2CA Technologies Italia
 

Mais procurados (20)

Дамир Тенишев Exigen Services Business Processes Storehouse
Дамир Тенишев Exigen Services Business Processes StorehouseДамир Тенишев Exigen Services Business Processes Storehouse
Дамир Тенишев Exigen Services Business Processes Storehouse
 
Application Compatibility Planning Service
Application Compatibility Planning ServiceApplication Compatibility Planning Service
Application Compatibility Planning Service
 
Hitachi ID Solutions Supporting HIPAA Compliance
Hitachi ID Solutions Supporting HIPAA ComplianceHitachi ID Solutions Supporting HIPAA Compliance
Hitachi ID Solutions Supporting HIPAA Compliance
 
Oracle - Programatica2010
Oracle - Programatica2010Oracle - Programatica2010
Oracle - Programatica2010
 
2001 09 ma,ma b2 b process integration tutorial
2001 09 ma,ma b2 b process integration tutorial2001 09 ma,ma b2 b process integration tutorial
2001 09 ma,ma b2 b process integration tutorial
 
Understanding Oracle ADF and its role in Oracle Fusion Middleware
Understanding Oracle ADF and its role in Oracle Fusion MiddlewareUnderstanding Oracle ADF and its role in Oracle Fusion Middleware
Understanding Oracle ADF and its role in Oracle Fusion Middleware
 
Sun2 oracle avea's identity management platform transformation
Sun2 oracle avea's identity management platform transformationSun2 oracle avea's identity management platform transformation
Sun2 oracle avea's identity management platform transformation
 
ORACLE FUSION - IBANK
ORACLE FUSION - IBANKORACLE FUSION - IBANK
ORACLE FUSION - IBANK
 
02 Ms Online Identity Session 1
02 Ms Online Identity Session 102 Ms Online Identity Session 1
02 Ms Online Identity Session 1
 
LeverX IQ DMS Overview - SAP DMS Simplified
LeverX IQ DMS Overview - SAP DMS SimplifiedLeverX IQ DMS Overview - SAP DMS Simplified
LeverX IQ DMS Overview - SAP DMS Simplified
 
Oracel ADF Introduction
Oracel ADF IntroductionOracel ADF Introduction
Oracel ADF Introduction
 
SAP Netweaver BPM #SITANK 2011
SAP Netweaver BPM #SITANK 2011SAP Netweaver BPM #SITANK 2011
SAP Netweaver BPM #SITANK 2011
 
Biz case-keynote-final copy
Biz case-keynote-final copyBiz case-keynote-final copy
Biz case-keynote-final copy
 
HCLT Brochure: E-Discovery and Document Review Solutions
HCLT Brochure: E-Discovery and Document Review SolutionsHCLT Brochure: E-Discovery and Document Review Solutions
HCLT Brochure: E-Discovery and Document Review Solutions
 
Aras Vision and Roadmap with Aras Innovator PLM Software
Aras Vision and Roadmap with Aras Innovator PLM SoftwareAras Vision and Roadmap with Aras Innovator PLM Software
Aras Vision and Roadmap with Aras Innovator PLM Software
 
How governance drives your information and security architecture
How governance drives your information and security architectureHow governance drives your information and security architecture
How governance drives your information and security architecture
 
CARA User Interface for Oracle WebCenter
CARA User Interface for Oracle WebCenterCARA User Interface for Oracle WebCenter
CARA User Interface for Oracle WebCenter
 
Aras Custom Business Process Management
Aras Custom Business Process ManagementAras Custom Business Process Management
Aras Custom Business Process Management
 
Ca partner day - qualità servizi - roma 1 di 2
Ca partner day - qualità servizi - roma 1 di 2Ca partner day - qualità servizi - roma 1 di 2
Ca partner day - qualità servizi - roma 1 di 2
 
Microsoft Service Manager 2010
Microsoft Service Manager 2010Microsoft Service Manager 2010
Microsoft Service Manager 2010
 

Semelhante a OWASP Identity Manegement

SANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements ServerSANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements ServerOracleIDM
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ KiranKiran Kumar
 
EasySOA: A New Approach to SOA
EasySOA: A New Approach to SOAEasySOA: A New Approach to SOA
EasySOA: A New Approach to SOANuxeo
 
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...Subbu Devulapalli
 
Integrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity ManagerIntegrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity ManagerNovell
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerProlifics
 
Sun java-access-manager-siebel-80-final
Sun java-access-manager-siebel-80-finalSun java-access-manager-siebel-80-final
Sun java-access-manager-siebel-80-finalSal Marcus
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureBob Rhubart
 
Building a database security program
Building a database security programBuilding a database security program
Building a database security programmatt_presson
 
Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1OracleIDM
 
20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet SiteNicola_Milone
 
Lecture 2 - SOA
Lecture 2 - SOALecture 2 - SOA
Lecture 2 - SOAphanleson
 
Workware systems company presentation web aug 11
Workware systems company presentation web aug 11Workware systems company presentation web aug 11
Workware systems company presentation web aug 11deppster
 
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...TransWare AG
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Serviceguest536dd0e
 
Übersicht Cloud Control - EM 12c
Übersicht Cloud Control - EM 12cÜbersicht Cloud Control - EM 12c
Übersicht Cloud Control - EM 12cVolker Linz
 
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010Oracle BH
 
Collaborate 2012 - the never ending road of project management presentation c...
Collaborate 2012 - the never ending road of project management presentation c...Collaborate 2012 - the never ending road of project management presentation c...
Collaborate 2012 - the never ending road of project management presentation c...Chain Sys Corporation
 

Semelhante a OWASP Identity Manegement (20)

SANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements ServerSANS Institute Product Review: Oracle Entitlements Server
SANS Institute Product Review: Oracle Entitlements Server
 
IDM Resume _ Kiran
IDM Resume _ KiranIDM Resume _ Kiran
IDM Resume _ Kiran
 
EasySOA: A New Approach to SOA
EasySOA: A New Approach to SOAEasySOA: A New Approach to SOA
EasySOA: A New Approach to SOA
 
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...
 
Integrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity ManagerIntegrating Novell Access Governance Suite with Novell Identity Manager
Integrating Novell Access Governance Suite with Novell Identity Manager
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
 
Sun java-access-manager-siebel-80-final
Sun java-access-manager-siebel-80-finalSun java-access-manager-siebel-80-final
Sun java-access-manager-siebel-80-final
 
Oim Poc1.0
Oim Poc1.0Oim Poc1.0
Oim Poc1.0
 
Oracle Cloud Reference Architecture
Oracle Cloud Reference ArchitectureOracle Cloud Reference Architecture
Oracle Cloud Reference Architecture
 
kowsalyamanickam_resume_OIM
kowsalyamanickam_resume_OIMkowsalyamanickam_resume_OIM
kowsalyamanickam_resume_OIM
 
Building a database security program
Building a database security programBuilding a database security program
Building a database security program
 
Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1Platform approach-series-building a-roadmap-finalv1
Platform approach-series-building a-roadmap-finalv1
 
20111012 Sap Datasheet Site
20111012 Sap Datasheet Site20111012 Sap Datasheet Site
20111012 Sap Datasheet Site
 
Lecture 2 - SOA
Lecture 2 - SOALecture 2 - SOA
Lecture 2 - SOA
 
Workware systems company presentation web aug 11
Workware systems company presentation web aug 11Workware systems company presentation web aug 11
Workware systems company presentation web aug 11
 
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...Profiling for SAP - Compliance Management, Access Control and Segregation of ...
Profiling for SAP - Compliance Management, Access Control and Segregation of ...
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Übersicht Cloud Control - EM 12c
Übersicht Cloud Control - EM 12cÜbersicht Cloud Control - EM 12c
Übersicht Cloud Control - EM 12c
 
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
Oracle tech fmw-02-soa-suite-11g-neum-15.04.2010
 
Collaborate 2012 - the never ending road of project management presentation c...
Collaborate 2012 - the never ending road of project management presentation c...Collaborate 2012 - the never ending road of project management presentation c...
Collaborate 2012 - the never ending road of project management presentation c...
 

OWASP Identity Manegement

  • 1. Identity Management Basics Derek Browne, CISSP, ISSAP Derek.Browne@Emergis.com OWASP May 9, 2007 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org
  • 2. Agenda 1. Identity Management Overview 2. Concepts 3. Approach to Identity & Access Management 4. Example Scenarios 5. Product Demonstrations…hopefully… OWASP 2
  • 3. Identity Management Flavours Single Sign On is a goal … not a product Web application integration -- Web SSO Enterprise SSO (eSSO) involves corporate desktop application Some use a server -- TSE, tn3270/5250, SAP, Oracle forms, etc Some authenticate locally -- acrobat protected files IdM is different than Access Management One involves who you are and how that is recorded The other involved the policies around how you access resources Federation of identities across multiple jurisdictions SAML, SXIP, Identity 2.0, OASIS Passport (HAHA), Kerberos, Liberty OWASP 3
  • 4. Identity Management Overview Defined: Central infrastructure to manage users, roles, and access to resources Concept of “identity” contains all user attributes Provisioning capabilities Technology ( connectors ) Approvals Workflow Management Features: Identity provisioning among integrated directories Self-registration and management Delegation of approvals and workflows Password reset capability Benefits: Meet regulatory & audit requirements around controlled access to resources Save costs through efficient workflows for provisioning and approval Asset (business) owners in control, rather than technology group OWASP 4
  • 5. Identity Management Integration Integrates with: Enterprise single-sign-on (and related strong authentication) Access Management systems Role Engineering / Management systems Integration Risks: Focus on technology may distract from importance of roles and processes Too many roles (or exceptions) may result if access modeling and identity modeling are not well-planned Benefits may not be realized quickly if project scope is not managed Not respecting impact on business and applications may have adverse effects on buy-in and acceptance Ineffective processes and workflows may prevent cost savings from being realized Lack of proper knowledge transfer results in a system that the organization cannot effectively manage OWASP 5
  • 6. Identity & Access Management Methodology 1. Inventory: gather information about users, access requirements, and applications & data 2. Create: future state roadmap, associating user groups with access controls, and designing operational support and workflow processes 3. Deploy: begin assigning access to systems and data using new processes and workflows 4. Optimize: deploy automated and delegated processes only after steady state has been achieved 5. Report: leverage investment to satisfy reporting requirements for legislation and internal controls OWASP 6 75 percent of deployment effort will be spent on people & process
  • 7. Agenda 1. Identity Management Overview 2. Concepts 3. Approach to Identity & Access Management 4. Example Scenarios 5. Product Demonstrations OWASP 7
  • 8. Identity & Access Management Basics Access Management Access to data or applications is defined by Business policies (segregation of duties) Security policies Industry regulations and customer requirements Access permissions are mapped to roles and rules to be used when managing identities Identity Management Map roles and rules to specific users to allow appropriate access Process to manage and track access to systems andTools exist to facilitate data the mapping and Provisioning ongoing management Workflow of roles & identities Auditability Single Sign-on & Strong Authentication Single sign-on allows access to all resources – strong authentication is required OWASP 8
  • 9. Identity & Access Management Systems 1. User connects to Web server 2. Web server has a connector or “Agent” An interface to the Access Manager ‘plug-ins’ or APIs 3. Access Manager is Policy Enforcement Point: “PEP” Agent High-volulme system to make decisions on access requests from the Web server Must be high-availability PMP 4. Identity Manager is the Policy Management Point: PEP “PMP” Central management of all identity information from various sources Able to define processes and workflows to manage, maintain, and audit access to resources. OWASP 9
  • 10. Identity Management Framework Directory services repository is the most critical component, and is the primary data store for user- ID and profile information. Provisioning provides a role- based approach to end-to- end user lifecycle management Authentication –leverage existing systems including Active Directory, Enterprise Single Sign-on, and RSA tokens. Access Management – leverage existing access manager infrastructure OWASP 10 Leverage existing technologies and processes
  • 11. Role Based Access Control Functional roles & organization as defined by HR Create and manage within “role engineering” tool ROLE Business Role Hierarchy Permissions Scenarios Stored and managed Tasks in directory Work profiles Constraints “Ned Flanders” er Us Resource Approver Privileges OWASP 11
  • 12. Role Engineering – Process RBAC is widely supported and solves the Privilege management problem better than DAC or MAC, etc. but development of the Role Hierarchy is manual and utilities are few and not all are effective. The role engineering process… Discovers Orphaned accounts, privileges, roles Merges overlapping roles Breaks apart overly broad roles: multiple jobs done by the same organization? Defines Role constraints that come from permission constraints Creates role hierarchies: junior roles with common bases …and provides the benefits of… Cleanup and streamline privileges and group definitions Essential for ongoing privilege management Assists with & documents compliance with policies OWASP 12
  • 13. Role Engineering – Creating Roles Functional Decomposition Matter of pulling apart the existing processes and relationships between resources and users and their jobs Understanding the interactions that constraints that exist on permissions “Scenario-Driven” Models the usage of the system overall Goal is to establish RBAC from concrete Role Hierarchies OWASP 13 “bottom-up” approach
  • 14. Role Engineering – Process Each IdM tool integrates a set of features to assist Bridgestream (SmartRoles) Manages dynamic approval processes based on context Identify & Model New and relationships Scenarios Does this by assuming the job of managing roles…all Define Scenario roles Permissions & Defines Approval Policies to control relationships Constraints Eurekify (Sage) Further Refine Can provide Query and Discovery functions – Scenario Model preliminary review of privilege landscape Provides audit and compliance reporting on business Define Tasks and roles Work Profiles xoRET Initial Attempt at tool for scenario based role Define Roles and engineering Role Hierarchy Ultimately R.E. has so many human factors that there are key manual efforts required OWASP 14
  • 15. Logging & Monitoring is Critical OWASP 15
  • 16. OWASP 16
  • 17. OWASP 17
  • 18. Agenda 1. Identity Management Overview 2. Concepts 3. Approach 4. Example Scenarios 5. Product Demonstrations OWASP 18
  • 19. Applying a Methodology Implement Develop Discover Harvest Validate Pilot Refine Tool Workflow •Where is role •Identity •Obtain •Validate •Business- •Limited roll- •Iterative or identity Management information against oriented out of pilot process information tool (or from existing “master” approach applications currently equivalent) repositories (SAP) data •Add more kept? •Consult IS, •Apply granularity to •Evaluate •Active •Eliminate HR, and “coarse” “roles” •What are the needs and Directory, conflicts business roles data assets technology SiteMinder, stakeholders (regulated •Result: to protect? LDAP, SAP •Complete vs. non-reg) “fine- •Integration missing •Create grained” •Who owns with existing •Result: information provisioning •Pilot group Role Based the data? systems “raw” data as & admin chosen Access collected by •Result is workflows based on Control •Who uses •Achieve the tool “coarse” risk or the data? “quick wins” roles priority The actual process will not be linear… OWASP 19
  • 20. Agenda 1. Identity Management Overview 2. Concepts 3. Approach 4. Example Scenarios 5. Product Demonstrations OWASP 20
  • 23. Enterprise Single Sign-on with IdM OWASP 23
  • 24. Access Management OWASP 24
  • 25. Access Management with IdM OWASP 25
  • 26. Integrated Identity & Access Management IdM Without Context OWASP 26
  • 27. SAML Primary concern is Complexity Built by committee – but so was IPSec Motivated backers Seasoned backers Synchronized clocks for validation Multitude of Trust relationships A trusted third party resolves this but not mandatory OWASP 27
  • 28. SAML Data Flow Sun 2007 OWASP 28 http://developers.sun.com/identity/reference/techart/sso.html
  • 29. Options - What are the Choices Key Vendors in this Competitive Analysis is area include (no being prepared now ranking) … Criteria being defined… Federation Sun Audit capability Oracle Encryption capability Computer Associates Workflow flexibility BMC Software Novell Passlogix Imprivata RSA Many others… OWASP 29
  • 30. Agenda 1. Introductions and Objectives 2. Concepts 3. Approach to Identity & Access Management 4. Example Scenarios 5. Product Demonstration…hopefully… OWASP 30
  • 31. Links as of June 1, 2007 Sun http://www.sun.com/download/index.jsp?cat=Identit y%20Management&tab=3 Oracle http://www.oracle.com/technology/products/id_mgmt /index.html SXIP http://www.sxip.com http://identity20.com OWASP 31
  • 32. Derek Browne, CISSP, ISSAP derek.browne@emergis.com OWASP 32