
Identity & Access Management

Identity & Access Management. Presenter: Mike Davis Mike.davis@va.gov (760) 632-0294 January 09, 2007. Definitions.





Presentation Transcript


  1. Identity & Access Management
     Presenter: Mike Davis, Mike.davis@va.gov, (760) 632-0294
     January 09, 2007

  2. Definitions
     • IdM: Identity management (IdM) is comprised of the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities within a legal and policy context. - Burton Group, 2003
     • IAM: Identity and access management (IAM) is comprised of the set of services to include authentication, user provisioning (UP), password management, role matrix management, enterprise single sign-on, enterprise access management, federation, virtual and metadirectory services, and auditing. - Gartner

  3. More Definitions
     • Provisioning: Provisioning of user access control credentials refers to the creation, maintenance, correlation, synchronization and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes. Provisioning software may include one or more of the following processes: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. Provisioning is typically a subsystem or function of an identity management system that is particularly useful within organizations where users may be represented by multiple user objects on multiple systems. - EDE IPT
     • The process of managing attributes and accounts within the scope of a defined business process or interaction. Provisioning an account or service may involve the creation, modification, deletion, suspension or restoration of a defined set of accounts or attributes. - OASIS SPML

  4. Yet More Definitions
     • Single Sign-on (SSO): Any user authentication system permitting users to access multiple data sources through a single point of entry. Part of an integrated access management framework.
     • At present, there is no “universal” definition of SSO, no agreement on whether it is really possible and no understanding of what is considered true SSO. - PistolStar

  5. Identity Mgt Attributes DRAFT (1 of 2)

  6. More Identity Mgt Attributes DRAFT (2 of 2)

  7. Access Mgt Attributes DRAFT
     Sources: OneVA Identity Management IPT, December 19, 2005; OneVA Enterprise Identity Management White Paper, v1.3, October 12, 2006

  8. Authentication Services
     • Centralized authentication services reduce complexity
     • PIV (HSPD-12, NIST FIPS PUB 201)
     • MS NAS (AD Kerberos)
     • Applications should accept a trusted third-party credential…applications do not authenticate users directly
     • Kerberos, X.509, SAML
     • CCOW
     • Security token services (STS)
     • SSO is intrinsic
     • SSO is now expected
     • SSO is now technically feasible

  9. WS-Trust scenario
     • A client sends a SOAP message (Request) to a SOAP-based application server.
     • The original client request is intercepted at a SOAP gateway and redirected (based on policy) to the IP/STS.
     • The SOAP gateway and STS will use WS-Trust messages to enable interoperable processing of the more fundamental WS-Security protected SOAP message sent between the client and the service.
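The trusted-third-party pattern of slides 8 and 9, as an added simulation that is not part of the presentation: a gateway intercepts a request, consults policy, has the STS authenticate the caller and issue a signed token scoped to one service, and the application accepts only that token. The signing key, identity store, policy and service URN are constructed demo values; the token format is a simplified HMAC-signed claims set standing in for a WS-Trust issued token.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the presentation): key shared between the
# STS and the relying service, the identity store the STS checks, gateway policy.
STS_KEY = b"demo-sts-signing-key"
IDENTITY_STORE = {"mdavis": "correct horse battery staple"}
POLICY = {"urn:example:patient-lookup": "requires-sts-token"}

def sts_issue(credential, applies_to, now=None, ttl=300):
    """IP/STS: authenticate the caller, then issue a token bound to one service (AppliesTo)."""
    user, secret = credential
    if user not in IDENTITY_STORE or not hmac.compare_digest(IDENTITY_STORE[user], secret):
        return None
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "aud": applies_to, "iat": now, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def service_validate(token, expected_aud, now=None):
    """Relying service: trusts the STS signature, audience and expiry; never sees the secret."""
    if not token or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    good = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, good):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["aud"] != expected_aud or claims["exp"] <= now:
        return None
    return claims["sub"]

def service_handle(msg, now=None):
    """Application endpoint: authorizes solely on the validated STS token."""
    sub = service_validate(msg.get("security_token"), msg["to"], now)
    return {"status": 200, "body": f"hello {sub}"} if sub else {"status": 401, "body": "no trusted token"}

def gateway(msg, now=None):
    """SOAP gateway: intercept, apply policy, redirect to the STS, forward the protected message."""
    fwd = {k: v for k, v in msg.items() if k != "credential"}  # the credential stops at the STS
    if POLICY.get(msg["to"]) == "requires-sts-token":
        token = sts_issue(msg.get("credential", ("", "")), msg["to"], now)
        if token is None:
            return {"status": 401, "body": "STS rejected credential"}
        fwd["security_token"] = token
    return service_handle(fwd, now)
```

Calling `service_handle` directly with no token returns 401, which is the point of the pattern: the application has no password check of its own to bypass.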

  10. IDM…Whose Identity is It?
     • VHA Problem Statement: How does the security IdM portion of IAM fit with the traditional ownership of IdM, which is controlled by administrative, demographic, payroll and HR functions?
     • Solution: Standards are needed for IdM and for IAM: consistent vocabularies, and clear differentiation of the roles and ownership of identity data used for different purposes. The Oracle Identity Governance Framework is setting the initial definitions in this area prior to vetting in a standards organization (TBD).
     • Identity Governance Framework: http://www.oracle.com/technology/tech/standards/idm/igf/index.html

  11. IAM Technology Viewpoint Implications
     Assertions
     • IAM (PIV) transforms future SOA security infrastructures
     • Centralization reduces the complexity of authn/authz administration
     • Web Services provide the key underlying standards/technology
     • Application security (end-to-end) replaces the castle-and-moat paradigm
     • SSO is assumed/expected
     • Projects will use existing/closed solutions to avoid risk
     • Projects will not be able to adapt to the coming centralized infrastructure
     • Project schedules will limit time to innovate in security
     • Security will continue to lag
     Obstacles
     • Lack of a consistent approach (different goals, views, vendors)
     • Immature/incomplete industry technology; few solutions
     • Developer experience/confidence in solutions…resistance to change
     Advice
     • Implement/innovate/adopt:
       • SOA architecture
       • CCOW, Kerberos SSO/TTP authn
       • HL7 RBAC/OASIS XACML
     • Implement Web Services
     • Manage globally, enforce locally
     • Pilot a SOA Security Application
