
Identity management for ensuring control over access to data



Presentation Transcript


  1. Identity management for ensuring control over access to data. Uroš Majcen, MRI d.o.o.

  2. The talk will be in Slovenian, the slides in English
  • Why?
  • Translation: the source material is in English
  • Terminology: kept in English for accuracy and easier understanding

  3. Defining Identity Management
  • Novell defines identity management as something that "allows you to integrate, manage and control your distributed identity information, so you can securely deliver the right resources to the right people—anytime, anywhere."
  • Microsoft defines identity management as combining "processes, technologies and policies to manage digital identities, and specify how they are used to access resources."

  4. Defining Identity Management
  • End user: "The organization knows who I am and what my role is, and based on that information, automates my access to resources. This enables my ability to get to what I need and to do my job in a timely fashion."
  • Administrator: "Plus, the organization is able to effectively operate such a solution, so that monitoring, audit and reporting are easily accomplished."

  5. Basic Technology
  • Identity: the "digital" data that identifies who the users on a computer network are
  • Directory: in order to find and share resources on a network, a directory is required. Otherwise, how can you find things?
  • Credential: the "ticket" issued by the directory's authentication service to grant the user access to resources. Based on authentication and authorization (covered later)
  • Active Directory (AD): Microsoft's directory service. Covered in more detail later
  • Meta-directory: a large framework solution designed to deliver a comprehensive set of identity management capabilities. Often involves password synchronization
  • Access, authentication, and authorization: access is the combination of authentication and authorization
    • First I need to know you are who you say you are: authentication
    • Then I need to know you are allowed to access what you are trying to access: authorization

  6. Basic Technology
  • Password synchronization: a software solution that keeps a user's many passwords and logins consistent across systems (usually requires quite a bit of management and IT intervention). Note that it propagates one password everywhere, so the weakest connected system determines the strength of all of them
  • Provisioning: automatically managing what resources a user can have access to
  • Single sign-on: reducing the number of passwords you have to manage
  • Federation: a trusted relationship between two independent bodies; it implies managing identities and access from outside your organization
  • Unix: a computing platform. Leading vendors include Sun, HP, and IBM
  • Linux: a Unix-like operating system that is open source. Major vendors include Red Hat and SuSE. The software is free; the value-add offerings are not

  7. The End User Perspective
  • Authentication services
  • Access management
  • Single sign-on / reduced sign-on
  • Password management
  • Provisioning
  • Federation
  • Meta-directory

  8. Identity and Access Management in the Real World
  • Access: the ability to do something
  • Authentication: confirming that you are who you say you are
  • Authorization: confirming that you have permission to do what you are trying to do
  In short: the organization knows who you are and, based on that information, gives you the ability to get or do certain things.

  9. A Complex Space (diagram; only its labels survive in the transcript)
  • Access Management (real-time enforcement): Authenticate, Authorize, Alarm/Alerting
  • Identity Management (administration): Administer
  • Capabilities shown: Authentication Services, Enterprise Reduced Sign-On, Identity Admin, NAC, Password Management, Audit/Compliance, User Provisioning, Role Matrix Management, Accounting (ITSM), Metadirectory, Enterprise Access Management, Federated Identity Management
  • Managed targets: Applications, Databases, Directories, Physical Resources, Security Systems, Operating Systems

  10. Breaking Identity and Access Management Down: Authentication Services
  • Verifying that you are who you say you are
  • Issues a credential or ticket
  • Relevant to security and compliance
  • This is what Active Directory does for Windows
  • Other directories do it for other systems
  • Companies often run multiple directories: from 15 to 80 in large companies

  11. Breaking Identity and Access Management Down: Single Sign-on
  • One username and password gives you access to everything you need
  • Streamlines management of the authentication credential or ticket
  • This is what Active Directory achieves for Windows
  • In a heterogeneous enterprise the best we can hope for is reduced sign-on

  12. Breaking Identity and Access Management Down: Access Management
  • Ensuring that users have access to the resources they need
  • Usually covers the extranet or intranet through a Web browser
  • Active Directory can deliver this for .NET applications
  • But there is a lot more than .NET out there

  13. Breaking Identity and Access Management Down: Audit/Compliance
  • Tracking who did what, when, where, and how
  • Log and summarize significant authentication and authorization events and changes to identity objects
  • Critical to compliance and security
  • Active Directory does not do a good job of this on its own

  14. Breaking Identity and Access Management Down: Password Management
  • Simply managing passwords
  • Often means enabling end users to help themselves (self-service reset)
  • Sometimes means password synchronization
  • Can deliver: increased productivity; reduced operational costs
  • Password resets account for 40% of helpdesk calls (source: IDC)

  15. Breaking Identity and Access Management Down: User Provisioning
  • The ability to create and delete users
  • Managing the lifecycle of a user identity: joiners, movers and leavers
  • Many organizations do this manually but want to automate
  • Can help with: compliance; reduced operational costs

  16. Breaking Identity and Access Management Down: Role Management
  • The management of collections of permissions, which are defined by roles
  • Ensures that everyone has the right permissions
  • A major component of compliance: regulates who has rights and gives control over authorizations
  • Active Directory uses roles and groups but has limited management capabilities

  17. Breaking Identity and Access Management Down: Federation
  • Granting access, authentication, and authorization beyond internal network boundaries, between distinct organizations that have established a trusted relationship
  • Similar to access management, but from one company to another
  • Active Directory has it built in through ADFS, which integrates directly with .NET applications but not with Java/J2EE ones

  18. Breaking Identity and Access Management Down: Meta Directory
  • Synchronizes identity information from one store to another
  • Often includes many of the other identity management capabilities
  • MIIS (Microsoft Identity Integration Server) is an example of a meta directory
  • Usually very complex
  • Requires significant additional management and maintenance
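Slides 15 (user provisioning) and 18 (meta-directory synchronization) describe one underlying mechanism: an authoritative source is compared with a target store and the differences are applied as create, change and disable operations, each of which is logged. The Python below is added here to show that reconciliation concretely; it is not code from the presentation, from MIIS or from any vendor product. The HR feed, the role matrix and the directory contents are constructed sample data, and the joiner/mover/leaver rules are assumptions chosen to illustrate the lifecycle.

```python
"""Reconcile an authoritative HR feed against a target directory (added example).

Joiners are created, movers get their group membership corrected, leavers are
disabled rather than deleted so that audit trails and file ownership survive.
Every action is recorded as an audit event.
"""
from dataclasses import dataclass, field

# Hypothetical role matrix: HR job code -> the groups an account should hold.
ROLE_MATRIX = {
    "FIN-ANALYST": {"finance-ro", "vpn-users"},
    "FIN-MANAGER": {"finance-ro", "finance-rw", "vpn-users"},
    "IT-ADMIN": {"vpn-users", "unix-admins"},
}


@dataclass
class Account:
    uid: str
    groups: set = field(default_factory=set)
    enabled: bool = True


def reconcile(hr_feed, directory):
    """Return (new directory state, audit log) for one synchronization run.

    hr_feed:   {uid: job_code} for every currently active employee.
    directory: {uid: Account}, the current state of the target store.
    Neither input is modified; a new state is returned.
    """
    audit = []  # (action, uid, detail) tuples
    state = {uid: Account(a.uid, set(a.groups), a.enabled) for uid, a in directory.items()}

    for uid, job in hr_feed.items():
        wanted = ROLE_MATRIX.get(job)
        if wanted is None:
            # Fail closed: an unknown job code gets no access and is flagged for a human.
            audit.append(("SKIP", uid, f"unknown job code {job}"))
            continue
        acct = state.get(uid)
        if acct is None:                                   # joiner
            state[uid] = Account(uid, set(wanted))
            audit.append(("CREATE", uid, f"groups={sorted(wanted)}"))
            continue
        if not acct.enabled:                               # rehire
            acct.enabled = True
            audit.append(("ENABLE", uid, "present in HR feed again"))
        added, removed = wanted - acct.groups, acct.groups - wanted
        if added or removed:                               # mover
            acct.groups = set(wanted)
            audit.append(("MOVE", uid, f"+{sorted(added)} -{sorted(removed)}"))

    for uid, acct in state.items():
        if uid not in hr_feed and acct.enabled:            # leaver
            acct.enabled = False
            acct.groups = set()  # strip every authorization immediately, keep the object
            audit.append(("DISABLE", uid, "absent from HR feed"))

    return state, audit


def demo():
    """Constructed sample run covering a joiner, a mover, a leaver, a rehire and an unknown code."""
    hr = {"asmith": "FIN-MANAGER", "bjones": "IT-ADMIN", "cnew": "FIN-ANALYST",
          "frehire": "IT-ADMIN", "dodd": "CEO"}
    directory = {
        "asmith": Account("asmith", {"finance-ro", "vpn-users"}),    # promoted: mover
        "bjones": Account("bjones", {"vpn-users", "unix-admins"}),   # unchanged
        "eleft": Account("eleft", {"finance-rw"}),                   # not in HR: leaver
        "frehire": Account("frehire", set(), enabled=False),         # disabled earlier: rehire
    }
    return reconcile(hr, directory)


if __name__ == "__main__":
    _, log = demo()
    for action, uid, detail in log:
        print(f"{action:8} {uid:10} {detail}")
```

The two choices worth copying are the fail-closed handling of an unrecognized job code (skip and log, never map to a default role) and disabling leavers instead of deleting them, which removes their authorizations at once while keeping the object for audit.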

  19. Improve Efficiency
  • Automate identity administration: provisioning; self-service password management
  • Consolidate directories and identities into Active Directory
  • Achieve single sign-on
  • Build on existing investments

  20. Enhance Security
  • Extend the security of AD to non-Windows systems and applications
  • Enforce uniform security policies across the enterprise
  • Control and delegate elevated and least-privileged accounts
  • Establish strong authentication

  21. Achieve Compliance
  • "Prove" compliance through audit, reporting, and alerting tools
  • Assess identity and access management policies
  • Implement and enforce a strong password policy and authentication
  • Automate account management through codeless provisioning and role-based administration
  • Leverage the compliance of Active Directory for non-Windows systems and applications

  22. The Challenge of Authentication
  • Windows = true single sign-on, but only to Windows systems and resources
  • Non-Windows applications each require separate IDs and passwords
  • Who tracks users?
  • Password management nightmares: users write them down; constant resets are a burden on IT
  • Stronger policy means more support calls: complexity, length, expiration interval

  23. A Typical Environment (diagram; labels recovered from the transcript: one Windows/AD domain alongside several Unix systems, Applications and Mainframes)

  24. Heterogeneity = Complexity
  • The average company has 31 separate directories (3)
  • The average user in a 10,000-employee organization has 14 separate passwords (2)
  • A recent survey conducted by RSA Security indicates that 9 out of 10 respondents are frustrated with how many user IDs and passwords they have to manage (1)
  • 58% of companies take more than 24 hours to de-provision employees (3)
  Sources:
  (1) "Reduced Sign-on", Burton Group Reference Architecture Technical Position, September 6, 2006
  (2) International Data Group
  (3) "Dealing with Directories: Fewer Fuels Faster and More Efficient Operations", Aberdeen Research Brief, June 2007

  25. The Result?
  • Security suffers
  • Compliance is difficult
  • Everything is inefficient

  26.–27. Authentication and Access Management (title-only slides)

  28. Single Sign-on

  29. Password Management

  30.–36. Provisioning (title-only slides)

  37. Federation • From Windows to .NET • What about Java?

  38. Meta-directory: Directory Synchronization

  39. The Organizational Perspective
  • Audit
  • Compliance
  • Reporting

  40. What Can You Do About It?
  • Nothing
  • Add more infrastructure
  • Address issues individually
  • Call Quest!

  41. The Challenge of Heterogeneity
  • Compliance/security: NIS (the Unix Network Information Service, which by default serves its maps, password hashes included, to any host that knows the domain name); multiple IDs/logins
  • Heterogeneity = complexity: many directories; many authentication mechanisms; many "points" of audit
  • Expensive, cumbersome, inefficient

  42. My Proposal: Get to One
  • One sign-on
  • One point of management
  • One solution

  43. What Does Get to One Bring?
  • Increased security: leverage secure Microsoft tools (Active Directory and Group Policy) for non-Windows systems
  • Enhanced compliance: extend the compliance of Microsoft tools (i.e. AD) to Unix, Linux and Java
  • ROI: leverage existing tools for the rest of the enterprise
  • Consolidation: one tool, process and staff for all systems
  • Simplification: no additional infrastructure

  44. Active Directory as the Foundation
  • Authentication
  • Access
  • Single sign-on
  • Federation
  • But only for Windows systems. What about Unix, Linux, Java, etc.?

  45. Active Directory 15 minutes

  46. Intro to Active Directory
  • In a networked Windows environment, Active Directory is the directory service required to manage users, groups, and computers and to offer secure access to network resources.
  • Active Directory is an integrated component of Windows Server.

  47. Intro to Active Directory (cont.)
  • If an organization does not have Active Directory, or it fails or is otherwise unavailable, maintaining a networked Windows infrastructure is not possible: domain logons and access to domain resources stop working.
  • Therefore, Active Directory is critical:
    • Must be available 24x7x365
    • Must be up and running 100% of the time

  48. What Is Active Directory?
  Active Directory:
  • Organizes objects such as computers, printers, applications, and shared data sources in a directory
  • Provides attribute information on these objects: resources (printers, etc.); services (e-mail, etc.); people (users and groups, accounts)
  • Controls access to the domain, which houses the objects
  • Sets security on the objects

  49. How Windows Does it . . .

  50. Gaining Access (diagram; labels recovered from the transcript)
  • User vsmithers presents Username, Password and receives a Token
  • The Token is presented to File Server, IIS/WebServer, Exchange and Questionnaire.com; each replies Access Granted
  • Footer: Inform, Secure, Organize, Access
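The flow on this slide (username and password in, one token out, the same token presented to each resource server) is the pattern behind single sign-on (slide 11) and behind the access = authentication + authorization split of slide 8. The Python below is an added example of that pattern; it is not the presentation's code and it is not Kerberos, only a toy with the same shape. A single authentication service checks a PBKDF2 password hash and issues an HMAC-signed token carrying the user's groups and an expiry; each resource server verifies signature and expiry (authentication) and then checks group membership (authorization). The user record, the shared signing key and the resource-to-group policy are constructed for the example.

```python
"""Single sign-on with a signed token, as an added illustration of the slide's flow."""
import base64
import hashlib
import hmac
import json
import time

# Constructed user store: PBKDF2 password hashes, never plaintext passwords.
# One static salt keeps the example short; real systems use a random salt per user.
SALT = b"constructed-example-salt"


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "vsmithers": {"pw": hash_password("correct horse battery"),
                  "groups": ["staff", "finance-ro"]},
}

# Hypothetical signing key shared by the authentication service and the resource
# servers that trust it; this shared trust is what the directory provides.
SIGNING_KEY = b"constructed-directory-signing-key"
TOKEN_LIFETIME = 600  # seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode())


def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def authenticate(user, password, now=None):
    """Authentication service: verify the password and return a signed token, or None."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    candidate = hash_password(password)  # hash even for unknown users: no timing leak of existence
    if rec is None or not hmac.compare_digest(rec["pw"], candidate):
        return None
    claims = {"sub": user, "groups": rec["groups"], "exp": now + TOKEN_LIFETIME}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(_sign(body))


def verify(token, now=None):
    """Resource-server side: accept the token only if signature and expiry check out."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # tampered or forged
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None  # expired ticket: the user must authenticate again
    return claims


# Authorization policy (hypothetical): the group each resource requires.
RESOURCES = {
    "File Server": "staff",
    "IIS/WebServer": "staff",
    "Exchange": "staff",
    "Finance DB": "finance-rw",
}


def access(resource, token, now=None):
    """Access = authentication (valid token) + authorization (group membership)."""
    claims = verify(token, now)
    if claims is None:
        return "Access Denied: authentication failed"
    needed = RESOURCES[resource]
    if needed not in claims["groups"]:
        return f"Access Denied: {claims['sub']} is not in {needed}"
    return f"Access Granted: {claims['sub']} -> {resource}"


def forge_groups(token, extra_group):
    """What an attacker who can edit the token body but lacks the key would produce."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["groups"].append(extra_group)
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64


if __name__ == "__main__":
    tok = authenticate("vsmithers", "correct horse battery")
    for res in RESOURCES:
        print(access(res, tok))
    print(access("Finance DB", forge_groups(tok, "finance-rw")))
```

Three resource servers accept the same token without ever seeing the password, which is the single sign-on property; the forged token is rejected because the group list is covered by the signature, and an expired token is rejected even though its signature is valid, which is why real ticket systems bind lifetimes into the credential.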
