Crash course in the fundamentals of identity and access management.

1. IDENTITY AND ACCESS MANAGEMENT 101
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis

2. Agenda
•
•
•
•
•
•
The Good, The Bad, & The Ugly
Terminology
Employee Lifecycle
Step-by-Step
Looking Ahead
Resources

3. The Good, The Bad, & The Ugly
• Good
– Saves time
– Improves accuracy and consistency
• Bad
– RIDICULOUSLY complex
– Never enough money/resources
• Ugly
– When everything works, you’ll be the hero
– If (when) something breaks, you’ll wish you’d saved up more sick days

4. How Many Acronyms Does It Take…
• IdM = Identity Management
– Manage the accounts
• FIdM = Federated Identity Managment
– Manage identity across autonomous domains
• IAM = Identity & Access Management
– Manage what the accounts can access

5. More Alphabet Soup
• LDAP – Lightweight Directory Access Protocol
• RBAC – Role Based Access Control
• SSO – Single Sign-On
• Federation
– SAML, SAML 2.0, WS-Federation, Liberty Alliance

6. Provisioning & Deprovisioning
• Provisioning
– IT giveth…
• Deprovisioning
– … and IT taketh away
• You need to track everything you provision if you ever expect
to deprovision it.
– Computers, phones, badges, app access, software licenses, etc.
• Your auditors will LOVE you for this!

7. 3-Phase Employee Lifecycle
• #1 – Hire
– Autoprovision birthright entitlements, based on role (bear with me…)
• #2 – Transition
– New access replaces old access, right?
• #3 – Termination
– Deprovision, stat!
• #4 – Other?
– On Leave (medical, sabbatical, etc.)
– Terminated with Access

8. Step One: The Sit-Down
•
Meet with HR
–
–
•
Discuss roles
–
–
•
Dazzle them with your knowledge of RBAC
Remember that employee lifecycle slide?
How will you determine birthright access?
–
–
•
HR system is the system of record
Workforce members = employees + non-employees (decision time!)
Department + Job Code
Step back, take a look at current employees, and execute the smell test
Identify the processes you want to automate
–
–
–
–
Notification of hire/change/termination
Account creation/deletion (in connected systems, NOT system of record)
Access modification
Internal expenses (e.g., mobile devices)

9. Step Two: The Data Must Flow
•
Identify integration points
– Authentication Stores
• LDAP Directories
• Local Databases
– Commercial Apps
– Homegrown Apps
•
Internal vs. External
– Fewest # auth/auth stores possible
– External = federation
•
http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634
How are changes initiated?
– Transactional vs. batch
•
Conceptual diagram of your IAM infrastructure

10. Step Three: Integrate
• Define integration requirements
– PMO FTW!
• Take a technical inventory
– What do you have?
– What do you need?
– What can you get rid of?
• Start eating the elephant
–
–
–
–
–
HR -> Identity Store
Identity Store -> Active Directory
http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html
Identify Store -> [other LDAP directory]
Identity Store -> [email]
Identity Store -> [that one app that everyone in the company uses]

11. Intermission: Let’s Talk Tech
•
Components
–
–
–
–
–
Identity Store / Vault / Repository (not the system of record)
LDAP Directory
Entitlements Manager
Web Access Manager (+ Certificate Manager)
Password Manager
Vendors
•
•
•
•
•
•
CA Identity Manager
IBM / Tivoli Identity Manager
Microsoft Forefront Identity Manager
Novell Identity Manager
Oracle Identity Manager / Sun LDAP
RSA / Courion
• RSA = Access Manager & FIdM
• Courion = Provisioning & Passwords
Open Source
•
•
•
•
•
OpenIAM
OpenDS Directory Server
OpenSSO
Shibboleth (SSO)
Gluu

12. Pictures, or It Didn’t Happen
System of Record
Email
Other LDAP
Identity Provider
LDAP Server
User-Facing Apps
Databases
Password Manager
Entitlements Manager
Web Access Manager

13. Step Four: Communcation
•
Document the $#!% out of your IAM infrastructure
– Every single integration point
– Link the tech to business processes
•
Review documentation with…
–
–
–
–
–
–
•
Human Resources
LAN Support
System Owners
Application Developers
Production / Change Control
IT Leadership
Link IAM systems to Change Control system
– Notification of ANY and ALL changes
– Want to break IAM? Change a connected system without testing integration points!

14. Step Five: Audit
•
Trust, but verify
•
Things to audit
–
–
–
–
•
Segregation of duties
Access changes (esp. adminstrative & sensitive data)
Accounts for terminated users (reconcile with HR)
Share access
Security Information and Event Management (SIEM)
– Failed login attempts
– Attempts to access restricted data
– Privilege changes / escalation
•
Automate your auditing toolset

15. Destined to Fail
•
Most IAM projects fail. Why?
–
–
–
•
Lack of executive sponsorship
Project teams try to do too much at once
Referring to IAM is a ‘project’ in the first place
Mark Dixon’s Ten Best Practices for Identity Management Implementation
–
–
–
–
–
–
–
–
–
–
Set strategy
Secure sponsorship
Plan quick wins
Select project leadership
Define business processes
Select implementation team
Gain commitment from support resources
Provide proper infrastructure
Assure data quality
Conduct post-production turnover
http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity

16. Questions to Start Asking Now
•
Who’s going to support all this?
•
How can I enforce change control for IAM integration points?
•
How am I going to manage passwords?
–
–
•
How am I going to manage non-employees?
–
–
–
•
Consultants
Contractors
Interns
How am I going to manage RBAC exceptions and segregation of duties?
–
•
Single Sign-On
Password Synchronization
Pareto Principle (80/20 rule)
Identity in the Cloud?
–
Yeah, I said cloud. Drink ‘em if you got ‘em!

17. Resources
• Vendors
– Let them know you’re digging into IAM solutions & they’ll call you.
• LinkedIn Groups
– Identity and Access Management
• http://www.linkedin.com/groups?gid=66476
– Identity Management Specialists
• http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311
• Working Groups
– EDUCAUSE (http://www.educause.edu/iam)
– InCommon (http://www.incommon.org/iamonline/)

18. More Resources
• Internet2 Middleware Initiative
–
–
–
–
–
–
–
http://www.internet2.edu/middleware/index.cfm
MACE (Middleware Architecture Committee for Education)
Shibboleth Federated Single Sign-On Software
Grouper
Comanage: Collaborative Organization Management
MACE-Dir(ectories)
MACE-paccman (Privilege and Access Management)
• Open Source
–
–
–
–
OpenDS - http://www.opends.org/
OpenSSO - http://java.net/projects/opensso/
Shibboleth - http://shibboleth.internet2.edu/
Gluu - http://www.gluu.org/

19. Even More Resources
•
IdM vs. IAM
–
•
Gartner Identity and Access Management Summit
–
•
http://aws.amazon.com/iam/
Worst Practices: Three Big Identity and Access Management Mistakes
–
•
http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/
AWS Identity and Access Management
–
•
http://www.gartner.com/technology/summits/na/identity-access/
Gartner – Why There Are No IAM Magic Quadrants
–
•
http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html
http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes
Wikipedia
–
–
–
http://en.wikipedia.org/wiki/Identity_management
http://en.wikipedia.org/wiki/Identity_access_management
http://en.wikipedia.org/wiki/Federated_identity_management

20. Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com
contact@jacadis.com