Identity and Access Management 101

Crash course in the fundamentals of identity and access management.

Published in: Technology
1. IDENTITY AND ACCESS MANAGEMENT 101
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
2. Agenda
• The Good, The Bad, & The Ugly
• Terminology
• Employee Lifecycle
• Step-by-Step
• Looking Ahead
• Resources
3. The Good, The Bad, & The Ugly
• Good
  – Saves time
  – Improves accuracy and consistency
• Bad
  – RIDICULOUSLY complex
  – Never enough money/resources
• Ugly
  – When everything works, you’ll be the hero
  – If (when) something breaks, you’ll wish you’d saved up more sick days
4. How Many Acronyms Does It Take…
• IdM = Identity Management
  – Manage the accounts
• FIdM = Federated Identity Management
  – Manage identity across autonomous domains
• IAM = Identity & Access Management
  – Manage what the accounts can access
5. More Alphabet Soup
• LDAP – Lightweight Directory Access Protocol
• RBAC – Role Based Access Control
• SSO – Single Sign-On
• Federation – SAML, SAML 2.0, WS-Federation, Liberty Alliance
6. Provisioning & Deprovisioning
• Provisioning
  – IT giveth…
• Deprovisioning
  – … and IT taketh away
• You need to track everything you provision if you ever expect to deprovision it.
  – Computers, phones, badges, app access, software licenses, etc.
• Your auditors will LOVE you for this!
7. 3-Phase Employee Lifecycle
• #1 – Hire
  – Autoprovision birthright entitlements, based on role (bear with me…)
• #2 – Transition
  – New access replaces old access, right?
• #3 – Termination
  – Deprovision, stat!
• #4 – Other?
  – On Leave (medical, sabbatical, etc.)
  – Terminated with Access
8. Step One: The Sit-Down
• Meet with HR
  – HR system is the system of record
  – Workforce members = employees + non-employees (decision time!)
• Discuss roles
  – Dazzle them with your knowledge of RBAC
  – Remember that employee lifecycle slide?
• How will you determine birthright access?
  – Department + Job Code
  – Step back, take a look at current employees, and execute the smell test
• Identify the processes you want to automate
  – Notification of hire/change/termination
  – Account creation/deletion (in connected systems, NOT system of record)
  – Access modification
  – Internal expenses (e.g., mobile devices)
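One way to turn the birthright rules and lifecycle events from the last two slides into provisioning decisions, as an added example that is not part of the deck: a small Python reconciler that diffs the HR system of record against the entitlements tracked for an identity and produces the grants and revokes to push to connected systems. The (Department, Job Code) table, the HRRecord fields and the handling of the on-leave case are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Birthright entitlements keyed by (Department, Job Code). Constructed sample data;
# the real table is the output of the HR sit-down described on the slide.
BIRTHRIGHT = {
    ("Finance", "FIN-ANALYST"): {"vpn", "erp-reporting"},
    ("Finance", "FIN-MANAGER"): {"vpn", "erp-reporting", "erp-approve"},
    ("Engineering", "ENG-DEV"): {"vpn", "git", "ci"},
}
BASELINE = {"email"}  # every active workforce member gets this regardless of role


@dataclass
class HRRecord:
    """One row from the system of record (assumed shape)."""
    employee_id: str
    status: str        # "active", "leave" or "terminated"
    department: str
    job_code: str


@dataclass
class Plan:
    """Changes to push to connected systems, never to the system of record."""
    grant: set = field(default_factory=set)
    revoke: set = field(default_factory=set)
    disable_account: bool = False


def birthright(rec: HRRecord) -> set:
    """Target entitlements for a record. An unmapped role is a data-quality
    problem to surface, not something to silently provision around."""
    key = (rec.department, rec.job_code)
    if key not in BIRTHRIGHT:
        raise LookupError(f"no birthright rule for {key}")
    return BASELINE | BIRTHRIGHT[key]


def plan_changes(rec: HRRecord, current: set) -> Plan:
    """Diff the HR record against the entitlements tracked for the identity.

    hire / transition: target replaces current, so old role access is revoked
    termination:       everything ever provisioned is revoked, account disabled
    leave:             account disabled, entitlements kept for return (assumed policy)
    """
    if rec.status == "terminated":
        return Plan(revoke=set(current), disable_account=True)
    if rec.status == "leave":
        return Plan(disable_account=True)
    target = birthright(rec)
    return Plan(grant=target - current, revoke=current - target)
```

The revoke set on termination is only as complete as the tracking of what was provisioned, which is the point of the previous slide.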
9. Step Two: The Data Must Flow
• Identify integration points
  – Authentication Stores
    • LDAP Directories
    • Local Databases
  – Commercial Apps
  – Homegrown Apps
• Internal vs. External
  – Fewest # auth/auth stores possible
  – External = federation
• How are changes initiated?
  – Transactional vs. batch
• Conceptual diagram of your IAM infrastructure
(slide image: http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634)
10. Step Three: Integrate
• Define integration requirements
  – PMO FTW!
• Take a technical inventory
  – What do you have?
  – What do you need?
  – What can you get rid of?
• Start eating the elephant
  – HR -> Identity Store
  – Identity Store -> Active Directory
  – Identity Store -> [other LDAP directory]
  – Identity Store -> [email]
  – Identity Store -> [that one app that everyone in the company uses]
(slide image: http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html)
11. Intermission: Let’s Talk Tech
• Components
  – Identity Store / Vault / Repository (not the system of record)
  – LDAP Directory
  – Entitlements Manager
  – Web Access Manager (+ Certificate Manager)
  – Password Manager
• Vendors
  – CA Identity Manager
  – IBM / Tivoli Identity Manager
  – Microsoft Forefront Identity Manager
  – Novell Identity Manager
  – Oracle Identity Manager / Sun LDAP
  – RSA / Courion
    • RSA = Access Manager & FIdM
    • Courion = Provisioning & Passwords
• Open Source
  – OpenIAM
  – OpenDS Directory Server
  – OpenSSO
  – Shibboleth (SSO)
  – Gluu
12. Pictures, or It Didn’t Happen
[Architecture diagram; components shown: System of Record, Email, Other LDAP, Identity Provider, LDAP Server, User-Facing Apps, Databases, Password Manager, Entitlements Manager, Web Access Manager]
13. Step Four: Communication
• Document the $#!% out of your IAM infrastructure
  – Every single integration point
  – Link the tech to business processes
• Review documentation with…
  – Human Resources
  – LAN Support
  – System Owners
  – Application Developers
  – Production / Change Control
  – IT Leadership
• Link IAM systems to Change Control system
  – Notification of ANY and ALL changes
  – Want to break IAM? Change a connected system without testing integration points!
14. Step Five: Audit
• Trust, but verify
• Things to audit
  – Segregation of duties
  – Access changes (esp. administrative & sensitive data)
  – Accounts for terminated users (reconcile with HR)
  – Share access
• Security Information and Event Management (SIEM)
  – Failed login attempts
  – Attempts to access restricted data
  – Privilege changes / escalation
• Automate your auditing toolset
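The reconciliation and SIEM checks on this slide, as an added example that is not the deck's code: Python that flags enabled accounts whose HR record is terminated (or that have no HR owner at all), accounts holding both sides of a segregation-of-duties conflict, and users over a failed-login threshold or with a privilege change in a log extract. The account snapshot, HR statuses, conflict pair and log lines are constructed sample data, and the log line format is an assumption.

```python
import re
from collections import Counter

# Identity store snapshot: account -> (employee id or None, enabled?, entitlements). Constructed.
ACCOUNTS = {
    "jdoe":   ("e1", True,  {"email", "erp-approve", "erp-pay"}),
    "asmith": ("e2", True,  {"email", "vpn"}),
    "bkim":   ("e3", False, {"email"}),
    "svc01":  (None, True,  {"vpn"}),  # no HR owner at all
}
HR_STATUS = {"e1": "active", "e2": "terminated", "e3": "terminated"}  # constructed HR feed
TOXIC_PAIRS = [("erp-approve", "erp-pay")]  # constructed segregation-of-duties rule

def terminated_with_access() -> list:
    """Enabled accounts whose HR record is terminated, or that have no HR record.
    Disabled accounts are already deprovisioned and are not reported."""
    return sorted(acct for acct, (emp, enabled, _) in ACCOUNTS.items()
                  if enabled and (emp is None or HR_STATUS.get(emp) == "terminated"))

def sod_violations() -> list:
    """Accounts holding both entitlements of any toxic pair."""
    return sorted(acct for acct, (_, _, ents) in ACCOUNTS.items()
                  if any(a in ents and b in ents for a, b in TOXIC_PAIRS))

# Assumed SIEM export format: "<timestamp> <kind> <result> user=<name> ...". Constructed lines.
LOG = """\
2013-03-01T08:00:01 auth FAIL user=asmith src=10.0.0.5
2013-03-01T08:00:04 auth FAIL user=asmith src=10.0.0.5
2013-03-01T08:00:09 auth FAIL user=asmith src=10.0.0.5
2013-03-01T08:02:30 priv ADD user=jdoe group=DomainAdmins
2013-03-01T08:03:00 auth FAIL user=jdoe src=10.0.0.7
this line is garbage and must not break the audit
"""
LINE = re.compile(r"^\S+ (?P<kind>auth|priv) (?P<result>\S+) user=(?P<user>\S+)")

def review_log(text: str, fail_threshold: int = 3) -> tuple:
    """Return (users at/over the failed-login threshold, users with a privilege change)."""
    fails, priv = Counter(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the audit
        if m["kind"] == "auth" and m["result"] == "FAIL":
            fails[m["user"]] += 1
        elif m["kind"] == "priv":
            priv.append(m["user"])
    return {u for u, n in fails.items() if n >= fail_threshold}, priv
```

In the sample data the terminated user who still has an enabled account is also the one racking up failed logins, which is the "Terminated with Access" case from the lifecycle slide showing up in two different audits at once.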
15. Destined to Fail
• Most IAM projects fail. Why?
  – Lack of executive sponsorship
  – Project teams try to do too much at once
  – Referring to IAM as a ‘project’ in the first place
• Mark Dixon’s Ten Best Practices for Identity Management Implementation
  – Set strategy
  – Secure sponsorship
  – Plan quick wins
  – Select project leadership
  – Define business processes
  – Select implementation team
  – Gain commitment from support resources
  – Provide proper infrastructure
  – Assure data quality
  – Conduct post-production turnover
  http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity
16. Questions to Start Asking Now
• Who’s going to support all this?
• How can I enforce change control for IAM integration points?
• How am I going to manage passwords?
  – Single Sign-On
  – Password Synchronization
• How am I going to manage non-employees?
  – Consultants
  – Contractors
  – Interns
• How am I going to manage RBAC exceptions and segregation of duties?
  – Pareto Principle (80/20 rule)
• Identity in the Cloud?
  – Yeah, I said cloud. Drink ‘em if you got ‘em!
17. Resources
• Vendors
  – Let them know you’re digging into IAM solutions & they’ll call you.
• LinkedIn Groups
  – Identity and Access Management
    • http://www.linkedin.com/groups?gid=66476
  – Identity Management Specialists
    • http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311
• Working Groups
  – EDUCAUSE (http://www.educause.edu/iam)
  – InCommon (http://www.incommon.org/iamonline/)
18. More Resources
• Internet2 Middleware Initiative
  – http://www.internet2.edu/middleware/index.cfm
  – MACE (Middleware Architecture Committee for Education)
  – Shibboleth Federated Single Sign-On Software
  – Grouper
  – Comanage: Collaborative Organization Management
  – MACE-Dir(ectories)
  – MACE-paccman (Privilege and Access Management)
• Open Source
  – OpenDS - http://www.opends.org/
  – OpenSSO - http://java.net/projects/opensso/
  – Shibboleth - http://shibboleth.internet2.edu/
  – Gluu - http://www.gluu.org/
19. Even More Resources
• IdM vs. IAM
  – http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html
• Gartner Identity and Access Management Summit
  – http://www.gartner.com/technology/summits/na/identity-access/
• Gartner – Why There Are No IAM Magic Quadrants
  – http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/
• AWS Identity and Access Management
  – http://aws.amazon.com/iam/
• Worst Practices: Three Big Identity and Access Management Mistakes
  – http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes
• Wikipedia
  – http://en.wikipedia.org/wiki/Identity_management
  – http://en.wikipedia.org/wiki/Identity_access_management
  – http://en.wikipedia.org/wiki/Federated_identity_management
20. Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com
contact@jacadis.com