Managing Enterprise Identity and Access in 2013
IT Directors
May 14, 2013 Allyn McGillicuddy and Melvin Vaughan

AGENDA
• The Changing Landscape for Identity and Access Management
• Enterprise Identity – Foundational Concepts
• Enterprise Identity Operations Management
• Managing Identity in the Extended Enterprise
  – Identity Federation
  – Identity as a Service
• Identity Management Compliance and Operations Considerations

IT Directors Community of Practice

Changing Landscape for Enterprise Identity and Access Management
– In the extended enterprise, business workflow is not confined within the company’s infrastructure
  • SaaS vendors
  • Cloud-based services
– People outside the enterprise are accessing the company’s infrastructure
  • Customers
  • Business allies
  • Contractors and temporary workers
  • Service providers
– How does this affect the threat landscape?


Today’s Threat Landscape
High-profile sharing applications represent a lower than expected threat volume.
– Social networking, video, and file sharing applications represent
  • 25% of the applications,
  • 20% of the bandwidth, but only
  • 0.4% of the threat logs, primarily exploits
– This is not to say these applications are low risk
– The volume is low when compared to the volume and frequency of use, and to the threats found in the other applications
Source: Palo Alto Networks, Application Usage and Threat Report, 10th Edition, which summarizes network traffic assessments performed on more than 3,000 networks, encompassing 1,395 applications, 12.6 petabytes of bandwidth, 5,307 unique threats and 264 million threat logs.


Exploits Target High-value Business Applications and Assets
– Crunchy on the outside:
  • Exploits are bypassing the “crunchy” perimeter security and targeting enterprises’ most valued assets – their “tender” business applications.
– Tender on the inside:
  • Out of 1,395 applications found, 10 were responsible for 97% of all exploit logs observed
  • 9 of them are business critical applications.


Custom/unknown Applications and Malware have a Low Incidence Rate, but Pose the Greatest Risk
– While small in volume, unknown/custom traffic is high in risk, exemplifying the 80%-20% rule
– The highest volume of malware logs (55%) was found in custom or unknown UDP traffic
– Yet it represented only 2% of all bandwidth
Conclusion: high-value assets are in need of added levels of security


Access Methods are Evolving
[Figure: user selection of access method, with an analogy to ATM networks. Stages shown: a separate password for each application; a separate password for each IdP*; and an open question (?) for what comes next.]
*IdP = Identity Provider
Shared standards are evolving for identity, authentication, and authorization.


Enterprise Identity
• So what is enterprise identity?
• Identity is a set of attributes that describes a profile of an individual, business organization, or software entity.
• The set of attributes for an individual, for example, could include
  – driver's license
  – social security number
  – travel preferences
  – medical history
  – financial data
  – etc.


ENTERPRISE IDENTITY
FOUNDATIONAL CONCEPTS

Identity Management Roles
[Figure: identity management roles. Service providers (SP); Identity Providers (IdP); Individuals* with multiple identity profiles (healthcare profile, employee profile, investor profile, social profile, business profile). Design goals shown: equal and interoperable identity providers; control over ownership and disclosure; manage privacy and preferences.]
*A person, a business, a software entity


Evolution of Identity Networks

Organizations can maintain their own customer/employee data while sharing identity data with partners based on their business objectives and customer preferences.


IdM Nomenclature - Identification
• Identification: comparing presented credentials to a set of attributes that describes a profile of an individual, business organization, or software entity


IdM Nomenclature - Authentication
• Authentication: confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person or software program. Authentication often involves verifying the validity of at least one form of identification.


IdM Nomenclature - Authentication
• Authentication Attributes
  – What you have
  – What you know
  – What you are
  – Where you are
  – Combinations
    • 2-factor, 3-factor authentication
    • Hybrid
    • Mutual authentication


Cross-Domain Authentication
Two or more user directory domains within the same enterprise are implicitly connected by two-way, transitive trusts. Authentication requests made from one domain to another are successfully routed in order to provide a seamless coexistence of resources across domains. Users gain access to resources in other domains after first being authenticated in their “home” domain.

MS Active Directory Federation Services (ADFS): Two or more systems use tokens to exchange credentials. ADFS employs the MS claims-based access control and authorization model.

SAML: OASIS-based, browser-oriented, XML-based standard for exchanging authentication credentials over the Internet.

WS-Trust: OASIS-based standard that employs web services to exchange security tokens across domains. This can be used for security key exchange. WS-Trust fails to address some requirements of federation (e.g. privacy).


IdM Nomenclature - Authorization
• Authorization: the process of managing access to resources and access rights or privileges, using access control rules to decide whether access requests from already authenticated requesters shall be approved (granted) or disapproved (rejected).


IdM Nomenclature – Logon/Login
• Logon Process
  1. Presenting the credentials required to obtain access to a computer system or other restricted area
  2. The process by which individual access to a computer system or network is controlled by evaluating the presented identity and credentials


IdM Nomenclature - Accounting
• Accounting: managing information about the relationship of users and the resources they are/are not permitted to access, including
  • access history
  • account control
  • access audits
• Employs mechanisms to
  • synchronize users
  • access rules or constraints
  • manage/review/report on access to system and/or cloud-enabled resources


Assertion Query

• The “A” in SAML is Assertion – Security Assertion Markup Language

– An assertion is simply 1 or more statements

– An assertion query is a request


```xml
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ForceAuthn="true"
    AssertionConsumerServiceURL="http://www.example.com/"
    AttributeConsumingServiceIndex="0"
    ProviderName="string"
    ID="abe567de6"
    Version="2.0"
    IssueInstant="2005-01-31T12:00:00Z"
    Destination="http://www.example.com/"
    Consent="http://www.example.com/">
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      [email protected]
    </saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>
```

In this example, a SAML assertion is being requested pertaining to the supplied subject ([email protected]).
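As an added example (not from the deck), the Python below builds a request with the same attributes as the one above and then performs the checks an IdP should run on a received AuthnRequest: the Destination must be its own endpoint, the AssertionConsumerServiceURL must be one registered for that SP, and IssueInstant must be fresh. The URLs and the subject address are constructed placeholders.

```python
import secrets
import xml.etree.ElementTree as ET  # not hardened against entity expansion; use defusedxml in production
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(acs_url, idp_sso_url, subject_email, now=None):
    """SP side: return the XML text of a samlp:AuthnRequest like the one on the slide."""
    now = now or datetime.now(timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        # xs:ID must be unique and must not start with a digit; 128 random bits
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": now.strftime(TIME_FMT),
        "Destination": idp_sso_url,              # the IdP endpoint this request is meant for
        "AssertionConsumerServiceURL": acs_url,  # where the IdP should deliver the assertion
        "ForceAuthn": "true",                    # require fresh authentication, as on the slide
    })
    subject = ET.SubElement(req, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": EMAIL_FMT})
    name_id.text = subject_email
    return ET.tostring(req, encoding="unicode")


def validate_authn_request(xml_text, my_sso_url, registered_acs_urls,
                           now=None, max_age=timedelta(minutes=5)):
    """IdP side: return (True, subject) for an acceptable request, else (False, reason)."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "root element is not samlp:AuthnRequest"
    if root.get("Version") != "2.0":
        return False, "unsupported SAML version"
    if not root.get("ID"):
        return False, "missing ID (needed for InResponseTo correlation)"
    # Destination ties the request to one IdP endpoint; a request captured for another
    # IdP must not be accepted here.
    if root.get("Destination") != my_sso_url:
        return False, "Destination does not match this IdP endpoint"
    # Only deliver assertions to ACS URLs registered in the SP's metadata; honouring an
    # arbitrary URL from the request would hand the assertion to whoever supplied it.
    if root.get("AssertionConsumerServiceURL") not in registered_acs_urls:
        return False, "AssertionConsumerServiceURL is not registered for this SP"
    try:
        issued = datetime.strptime(root.get("IssueInstant", ""), TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "missing or malformed IssueInstant"
    if issued > now + timedelta(minutes=1) or now - issued > max_age:
        return False, "IssueInstant outside the accepted window"
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    return True, subject
```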

Attribute Definitions
• User Attributes – Each piece of identifying information about a user
  – Users have identity attributes, each of which may be stored on one or more target systems.
  – The individual claiming an attribute may only grant selective access to its information
• Attributing party – Trusts that the claim of an attribute (such as name, location, role as an employee, or age) is both
  • Correct
  • Associated with the person or thing presenting the attribute.
• Contextual identity – Digital identity is better understood as a particular viewpoint within a mutually-agreed relationship than as an objective property.


ENTERPRISE IDENTITY MANAGEMENT
OPERATIONS MANAGEMENT

Automatic Provisioning
• Process to grant users access to data repositories or grant authorization to systems, network applications and databases based on a unique user identity.
• Creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes
• Examples
  – Process to monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
  – Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
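An added example (not from the deck) of the two provisioning cases above, written in Python as a reconciliation between a constructed HR feed and a constructed directory. It goes one step beyond the slide: an enabled account that has no HR record at all is treated as an orphan and disabled too.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class HrRecord:
    """One row of the authoritative HR feed (constructed stand-in for the HR database)."""
    employee_id: str
    email: str
    department: str
    kind: str                           # "employee" or "contractor"
    termination: Optional[date] = None  # scheduled end date, if any


@dataclass
class Account:
    """A user object in a downstream directory or application."""
    employee_id: str
    email: str
    groups: set = field(default_factory=set)
    enabled: bool = True


def reconcile(hr_feed, directory, today):
    """Drive the directory from the HR feed. Mutates `directory` (employee_id -> Account)
    and returns the (action, employee_id) pairs taken, for the audit log."""
    actions = []
    for rec in hr_feed:
        expired = rec.termination is not None and rec.termination < today
        acct = directory.get(rec.employee_id)
        if acct is None:
            if expired:
                continue  # never create an account for a record already past its end date
            directory[rec.employee_id] = Account(rec.employee_id, rec.email, {rec.department})
            actions.append(("create", rec.employee_id))
        elif expired and acct.enabled:
            # Deactivate rather than delete: keeps the audit trail and blocks reuse of the ID.
            acct.enabled = False
            acct.groups.clear()  # strip entitlements too, not only the login
            actions.append(("disable", rec.employee_id))
    # Beyond the slide's two cases: an enabled account with no HR record (manual creation,
    # missed termination) is an orphan and is disabled as well.
    hr_ids = {rec.employee_id for rec in hr_feed}
    for emp_id, acct in directory.items():
        if emp_id not in hr_ids and acct.enabled:
            acct.enabled = False
            acct.groups.clear()
            actions.append(("disable-orphan", emp_id))
    return actions
```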


Privileged Accounts Management
• Grant administrators only the access rights required for their jobs
• Base those rights on established and controlled policy
  – Policy-based delegation of elevated access privileges
  – Secure the process of requesting, approving and issuing access to those accounts
    • critical application-to-application (A2A) access
    • application-to-database (A2D) access
    • separation of duties for privileged access
  – Manage policy, rights and activities performed through privileged access


Privileged Accounts Management
48% of data breaches were caused by privileged misuse. - Verizon, Data Breach Investigations Report

“Shared superuser accounts — typically system-defined in operating systems, databases, network devices and elsewhere — present significant risks when the passwords are routinely shared by multiple users” - Gartner, MarketScope for Shared-Account/Software-Account Password Management

75% of responding DBAs reported that “Our organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in the databases” - Oracle DBA Survey


Synchronized Identities Model
• Multiple identity models or systems are synchronized
• An authoritative identity source is built from multiple identity sources
• The identities are stored in a reference directory, such as LDAP
• Synchronization
  – Changes to identities in the authoritative directory are propagated to the reference directory
  – Access rights are then updated


Proxied Authentication
• Uses a middle-tier server for authentication. Three types:
  1. An application user, or an application, authenticates itself with the middle-tier server.
     – Client identities can be maintained all the way through to the database.
  2. The client's identity and database password are passed through the middle-tier server to the database server for authentication.
  3. The client, that is, a global user, is authenticated by the middle-tier server, and passes either a Distinguished Name (DN)* or a Certificate through the middle tier for retrieving the client's user name.
*DN is a global name in lieu of the password of the user being proxied

Oracle example of type 3: the global user jeff is identified by its directory DN, and the proxy user scott is allowed to connect on jeff's behalf, presenting jeff's distinguished name rather than a password:

```sql
-- global (enterprise) user identified by its directory DN instead of a password
CREATE USER jeff IDENTIFIED GLOBALLY AS 'CN=jeff,OU=americas,O=oracle,L=redwoodshores,ST=ca,C=us';
-- allow the middle tier (proxy user scott) to connect as jeff,
-- authenticating the proxied user by distinguished name
ALTER USER jeff GRANT CONNECT THROUGH scott AUTHENTICATED USING DISTINGUISHED NAME;
```

ENTERPRISE IDENTITY MANAGEMENT
THE EXTENDED ENTERPRISE

The Extended Enterprise
• In the emerging “extended enterprise”, business function workflows often extend beyond the boundaries of the enterprise
• The extended enterprise’s security practices must treat internal and external users in the same manner


Identity Federation
• The technologies, standards and use-cases which serve to enable the portability of identity information across otherwise autonomous security domains
• Identity federation goal: enable users of one domain to securely and seamlessly access data or systems of another domain without the need for redundant user administration.
• Scenarios
  – User controlled
  – User-centric
  – Enterprise controlled
  – B2B


Identity Federation Goals
• Identity portability achieved in a non-proprietary, standards-based manner
• Cross-domain, web-based
  – single sign-on
  – user account provisioning
  – entitlement management
  – user attribute exchange
• Automatic use cases
  – user-to-user
  – user-to-application
  – application-to-application


Federation Types
• Identity-based Federation
  – Only the SSO functionality of SAML is required, and the identity must be registered in both organizations. If Joe is registered with the IdP and wishes to use a resource on an SP in another organization, then that same identity will be registered at the SP. The identity of the Principal is carried in the <Subject> element of the <Assertion>.
• Attribute-based Federation
  – Similar to Identity-based Federation, but the type of session and the access rights the user has on the SP are based on attribute information transported in the SAML assertion. While the user name can be used for auditing purposes, it is not used for access management purposes. An example is using a Role attribute, for example, "HR Member".
  – Attributes are carried in the <AttributeStatement> of a SAML assertion. Attribute Based Access Control (ABAC) is used by Grid Systems, in which the relationship between users and resources is ad hoc.


SSO in a Federation

• A process that is used across multiple IT systems and organizations to authenticate access to a resource for an individual or system

• A user's single authentication ticket, or token, is trusted across multiple IT systems and/or even organizations.

• SSO relates to authentication, only, and does not include authorization.


Federation Termination
Defederation is the process of terminating the validity of a federated identity with either an IdP or an SP.

Both the IdP and the SP should notify each other of defederation. However, it appears there is not a structured or standardized method for defederation.

The distinction must also be made between terminating a federated session versus terminating a federation relationship altogether.


Identity Federation Solution Providers
Radiant Logic: RadiantOne Federated Identity Platform

Virtual Directory Server (VDS)
VDS extracts identity and context information out of various application and data silos. It re-maps the underlying sources and presents the identity data in customized views.

Identity Correlation and Synchronization Server (ICS)
Identifies relationships between identities represented in heterogeneous data sources. ICS builds a common identity out of multiple systems to create a unified view of identity data, eliminating user overlaps.

Cloud Federation Service (CFS)
Provides the RadiantOne suite with a complete identity provider (IdP), an authentication module which verifies a security token once and then uses it for each system it needs to access for on-premise and cloud-based applications, enabling single sign-on for users.


Identity Federation Solution Providers
Ping Identity

PingFederate
Outbound and inbound solutions for single sign-on, federated identity management and mobile identity security. Tier 1 SSO extends employee, customer and partner identities across domains without passwords, using standard identity protocols (SAML, WS-Fed, OpenID). PingFederate translates customer and partner standard tokens into local tokens. For outbound use cases, PingFederate authenticates user credentials, regardless of how they authenticate, and translates them into standard tokens.

PingOne Identity as a Service
PingFederate can be deployed in conjunction with PingOne Cloud Access Services for faster and more flexible employee access to SaaS applications.


Identity Federation Solution Providers
OneLogin
OneLogin focuses primarily on companies that operate in the cloud and integrates with cloud apps using SAML, WS-Federation, OpenID and web services integration.
The company's cloud-based IAM customer base now includes 700 enterprise customers in 35 countries, including AAA, Gensler, Netflix, News International, Pandora, Steelcase and PBS.
OneLogin has continued on a path of innovation and growth, including:
• First iPad app for identity management
• First Federated Cloud Search IAM product that enables secure, real-time search across public cloud applications such as Box, Google Apps, Salesforce, Yammer and Zendesk
• Pre-integration with 2,800 cloud apps, more than any other IAM vendor
• Open Source SAML Toolkits, now used by over 70 SaaS vendors and over 30 app vendors to make their apps more secure


Identity Federation Solution Providers
PasswordBank Technologies Inc.: PasswordBank Federation
• Federated Single Sign-On allows a user to log in once and then access all authorized cloud and on-premise services across Mac, Linux and Windows, without the need for a password at each service.
• Enables the Enterprise to maintain full and centralized control over access to all applications of the organization.
  – Two-factor strong authentication
  – Account provisioning and deprovisioning
  – Centralized audit repository
• PasswordBank IdentityBroker allows identity-related information to be shared securely between the Enterprise, Service Providers and Identity Providers (cloud and on-premise applications).


Identity as a Service
• Authentication infrastructure hosted by a third party
• SSO in the cloud
• IDaaS for enterprises’ SaaS applications
• A cloud IDaaS service provider may
  – Securely manage cloud identities for SaaS applications
  – Maintain federated trusts
  – Manage account provisioning/deprovisioning
  – Host applications
  – Provide subscribers with role-based access to specific applications
  – Provide entire virtualized desktops through a secure portal
  – Provide identity auditing


Stateless Identity
• Just-in-time identity data and services received from authoritative domains
• Similar to Windows Azure Access Control Services (ACS) and carried outside the enterprise
• Once authorizations are configured, a user coming to an application via ACS arrives at the application “entrance” with not only an authentication token, but also a set of authorization claims attached to the token


Authentication Service
• Open API
  – Not limited to LDAP and AD
• Called by both internal and external apps
• Performs identification, authentication, and attribute delivery of all users under enterprise control


Provisioning Service
• Open API for account synchronization among internal, SaaS, and partner apps
  – Called by both internal and external apps
  – Supports deprovisioning
  – Enables provisioning workflows loosely coupled with internal directory and database infrastructure
  – Available connectors for many enterprise systems and apps


SAML to Token Service
A client obtains a SAML 2.0 bearer assertion and makes an HTTP request to the PingFederate OAuth Authorization Server (AS) to exchange the SAML assertion for an access token. The AS validates the assertion and returns an access token. The client uses the token in an API call to the Resource Server to obtain data.
1. Some user-initiated or client-initiated event (for example, a mobile application or a scheduled task) requests access to Software as a Service (SaaS) protected resources from an OAuth client application.
2. The client application obtains a SAML 2.0 bearer assertion from a local Identity Provider (IdP), for example, PingFederate.
3. The client makes an HTTP request to the PingFederate OAuth AS to exchange the SAML assertion for an access token. The AS validates the assertion and returns the access token.
4. The client application adds the access token to its API call to the Resource Server. The Resource Server returns the requested data to the client.
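Added example, not PingFederate's code: the four steps above as one in-process exchange in Python, with the IdP, the authorization server (AS) and the resource server as constructed stand-ins. The grant type is the one RFC 7522 defines for SAML 2.0 bearer assertions; an HMAC over the assertion bytes stands in for the XML signature an IdP would produce, and every endpoint and key is a placeholder.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed deployment values (placeholders, not real endpoints).
IDP_ISSUER = "https://idp.example.com/idp"
AS_TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"  # also the assertion's Audience
IDP_SIGNING_KEY = secrets.token_bytes(32)  # HMAC key standing in for the IdP signing certificate


def _ts(dt):
    return dt.strftime(TIME_FMT)


def _parse_ts(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def idp_issue_bearer_assertion(subject, now, lifetime=timedelta(minutes=5)):
    """Step 2: the local IdP issues a short-lived bearer assertion addressed to the AS."""
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ISSUER
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", {"Method": BEARER_CM})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now), "NotOnOrAfter": _ts(now + lifetime)})
    aud = ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience")
    aud.text = AS_TOKEN_ENDPOINT
    xml = ET.tostring(a)
    mac = hmac.new(IDP_SIGNING_KEY, xml, hashlib.sha256).digest()  # stand-in for ds:Signature
    return xml + mac


def client_token_request(signed_assertion):
    """Step 3, client side: the form body POSTed to the AS token endpoint."""
    assertion_b64 = base64.urlsafe_b64encode(signed_assertion).decode().rstrip("=")
    return urlencode({"grant_type": SAML2_BEARER_GRANT, "assertion": assertion_b64})


ISSUED_TOKENS = {}           # AS token store: access_token -> subject (in-memory stand-in)
SEEN_ASSERTION_IDS = set()   # a bearer assertion is good for one exchange only


def as_token_endpoint(form_body, now):
    """Step 3, AS side: validate the bearer assertion and return (http_status, json_dict)."""
    def fail(why):
        return 400, {"error": "invalid_grant", "error_description": why}

    form = parse_qs(form_body)
    if form.get("grant_type") != [SAML2_BEARER_GRANT] or "assertion" not in form:
        return 400, {"error": "invalid_request"}
    raw = form["assertion"][0]
    try:
        blob = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    except ValueError:
        return fail("assertion is not base64url")
    xml, mac = blob[:-32], blob[-32:]
    # Signature first: nothing inside an unverified assertion can be trusted.
    if not hmac.compare_digest(mac, hmac.new(IDP_SIGNING_KEY, xml, hashlib.sha256).digest()):
        return fail("bad signature")
    a = ET.fromstring(xml)
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ISSUER:
        return fail("untrusted issuer")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        return fail("assertion expired or not yet valid")
    if AS_TOKEN_ENDPOINT not in [e.text for e in a.iter(f"{{{SAML}}}Audience")]:
        return fail("audience does not include this AS")  # issued for some other recipient
    if not any(c.get("Method") == BEARER_CM for c in a.iter(f"{{{SAML}}}SubjectConfirmation")):
        return fail("no bearer subject confirmation")
    if a.get("ID") in SEEN_ASSERTION_IDS:
        return fail("assertion replayed")
    SEEN_ASSERTION_IDS.add(a.get("ID"))
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_server(authorization_header):
    """Step 4: the Resource Server accepts only tokens the AS issued."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token not in ISSUED_TOKENS:
        return 401, None
    return 200, {"subject": ISSUED_TOKENS[token], "data": "constructed payload"}
```

The token store has no expiry of its own here; a real AS would also enforce `expires_in` on lookups.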

Identity Discovery Problem
A user interacting with a service provider wants to access restricted content on a site within a federation:
1. The user, via web browser, connects to the target service provider and requests to view restricted content.
2. The service provider receives this request, and needs to know information about the person.
3. In the federated world, this means that the user needs to be sent to their home organization's identity provider, which will "vouch" for that person and pass across information about them to the resource provider.
4. The service provider "discovers" which is the user's home institution.
5. The service provider redirects the user to their home institution's identity provider.
6. The user authenticates at their identity provider (IdP), which responds to the service provider (SP), letting it know that this user authenticated successfully, and often providing some information about that user.
7. The service provider receives this information, and then either grants or denies access based upon the information it received.
Q: How does the SP figure out which is the user’s “home” IdP?


Identity Discovery Solutions
A user interacting with an SP wants to access restricted content on a site within a federation.
Solution Options
1. Avoid Discovery (IdP-initiated SSO)
Each institution can configure a page (usually their existing library portal page) to list all resources available to their users along with links to these resources. These links are constructed such that they send the user
  1. to that institution's identity provider*; after the user has successfully authenticated,
  2. directly onto that resource.
Thus, the service provider never has to “discover” which institution the user is from, since the first time they see the user, the user has already authenticated.

*But suppose the user starts on the site where the target content is located?

Identity Discovery Solutions
A user interacting with an SP wants to access restricted content on a site within a federation.
Solution Options
2. Client-less Discovery (SP-initiated SSO)
The SP asks the user to manually tell it which is their home organization. This method of discovery comes in two forms:
  1. The user tells the service provider directly; or
  2. The SP sends the user to a centrally provided service; the user tells this service.

*OMG the user has to do this manually every time? Really?

Identity Discovery Solutions
A user interacting with an SP wants to access restricted content on a site within a federation:
Solution Options
3. Client-mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
  1. The user's client tells the service provider where the person is from; or
  2. The user's client is the identity provider; or
  3. The user's client proxies the identity provider.


Enterprise Cloud Identity & Access Management Providers
• Security and risk professionals see IAM as a cost center and
• Prefer not to build out or expand IAM capabilities
• Cost-effective, SaaS-based IAM solutions that complement on-premises ones are available


Client-Mediated Discovery
The client is configured to tell the SP what the user’s home organization is.
1. The user's client tells the service provider where the person is from
   – Enhanced client or proxy (user’s browser plugin)*
   – Plugin “listens” for WAYF requests from the SP
   – Automatically answers
2. The user’s client is the Identity Provider (self-issued identity);
3. The client sends the request on to the user's identity provider (it proxies it), receives the response, and in turn sends this response back to the service provider.**

*SAML 2 Specification for ECP
**The SP never needs to know who the IdP is

WAYF
• Where Are You From
  – You must answer that question when you log into a web-based service using WAYF login.
  – WAYF login is a Single Sign-On system* which permits using one single login to access several web-based services.
    • Creates connections between the login systems at the connected institutions and external web-based services.
    • Ensures that users consent to have information about them passed on to the web-based services.
  – WAYF login does not store any personally identifiable data.

*Provided by the Danish government in collaboration with many identity and service providers and institutions

Authorization Service
• Central authorization repository
  – Authorization model information used to provide complex access controls based on data, information or policies, including user attributes, user roles/groups, actions taken, access channels, time, resources requested, external data and business rules
  – Policies that are stored in an IAM policy store
• Frameworks
  – Spring Security
    • Access control framework; released under an Apache 2.0 license
    • Used to secure numerous demanding environments including government agencies, military applications and central banks.
  – Seam Framework
    • Programming model with a Security API (an optional Seam feature) that provides authentication and authorization features for securing access to domain and web page resources, components, and component methods
    • Can be used to display/hide web page content based on user privileges
    • Includes a comprehensive authorization framework, supporting user roles, persistent and rule-based permissions, and a pluggable permission resolver for easily implementing customized security logic.


Enterprise Cloud Identity & Access Management Providers
Intel Cloud SSO
• Standards-based identity as a service (IDaaS) solution
• Context-aware Strong Authentication
  – Invokes mobile or hardware-assisted 2-factor authentication based on the target app, network, time of day, mobile browser and other parameters.
• Connects Identity Stores
  – Authenticates and provisions/de-provisions user access to cloud systems from inside or outside the corporate firewall, leveraging directory services including Active Directory, LDAP, Salesforce.com, or Intel Cloud SSO identity stores.


Enterprise Cloud Identity & Access Management Providers
Okta Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support.
• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.

*May limit usefulness for large clients

Enterprise Cloud Identity & Access Management Providers
Symplified Cloud Identity and Access Management
• One of the longest-standing in the cloud IAM market
• Architecturally stable via its Identity Router customer-premises equipment infrastructure
• Can be deployed as a software or hardware appliance, or as a cloud connector
• Broad protocol and endpoint support
• Partners with Symantec’s VIP service for strong authentication
• CSC is a reseller and provides system integration
• Does not support implicit or just-in-time provisioning
• Dashboards and reporting are fairly immature
• No workflow designer — only an implicit workflow for access request management and approvals
• By design, no support for hierarchies of multi-tenancy, which may limit its usefulness at large clients

Enterprise Cloud Identity & Access Management Providers
Covisint Cloud Identity and Access Management
• Access control to SaaS applications
• User account provisioning for SaaS and in-house applications
• User access recertification
• User repositories supported
• Multitenancy & protection of personally identifiable information
• Auditing and reporting
• Strong authentication support.
• Good integration with strong authenticators & broad SaaS application support
• Runs on Amazon Web Services under the covers
• Many pre-integrated SaaS business applications
• Extensively supports Integrated Windows Authentication (IWA)
• Supports inbound SAML for identity provider (IdP) proxying*
• No support for disabling users automatically after a period of inactivity, or for attestation.

*May limit usefulness for large clients

ENTERPRISE IDENTITY
COMPLIANCE and OPERATIONAL CONSIDERATIONS

Identity Compliance and Privacy
• A user signs in and out of Identity Provider (IdP) systems or security token services (STS) via explicit messages or implicitly via a request
• The issued tokens may either represent the principal's primary identity or some pseudonym appropriate for the scope
• The IdP or STS issues messages to interested and authorized recipients.
• Principals are registered with the attribute/pseudonym services, and attributes and pseudonyms are added and used.
• Authorized services can query attribute/pseudonym services using the provided identities to obtain authorized information about the identity.
• Such queries can potentially be anonymous, which means that the party requesting the information has an opaque token and is not aware of the real identity of the object of the query


Name Mapping and Linking
• In a federated environment, with identity information and other assertions passing through a network between systems, protecting the user’s privacy becomes paramount.
• With SSO, it is possible to track the user across several SPs.
• Pseudonyms provide a way to obfuscate the identity of the user across SPs.
• When the IdP delivers the assertions to the SP, the use of pseudonyms makes it possible to have a different user ID for the same user at each SP
• Persistent Pseudonym - the SP will see the same pseudonym each time the user accesses the SP.
• Transient Pseudonym - the SP is presented with a different pseudonym each time a user gains access to the SP.
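Added example (not from the deck) of how an IdP can issue the two kinds of pseudonym in Python: persistent ones derived with a keyed hash over (SP, user), so each SP sees a stable value that no other SP can link to it, and transient ones drawn at random per session. The SP entity IDs and the IdP secret are constructed; the two NameID format URIs are the SAML 2.0 ones.

```python
import hashlib
import hmac
import secrets

PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


class PseudonymService:
    """IdP-side issuance and resolution of per-SP pseudonyms (constructed example)."""

    def __init__(self, idp_secret=None):
        # The secret stays at the IdP; without it no SP can link pseudonyms across SPs.
        self._secret = idp_secret or secrets.token_bytes(32)
        self._persistent = {}  # (sp_entity_id, pseudonym) -> local user id
        self._transient = {}   # pseudonym -> (sp_entity_id, local user id), lives one session

    def persistent(self, sp_entity_id, user_id):
        """Same user + same SP -> same value every time; different SP -> unrelated value."""
        msg = sp_entity_id.encode() + b"\x00" + user_id.encode()
        p = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        self._persistent[(sp_entity_id, p)] = user_id
        return p

    def transient(self, sp_entity_id, user_id):
        """Fresh random value per login; the SP cannot even link two visits by one user."""
        p = "_" + secrets.token_urlsafe(24)
        self._transient[p] = (sp_entity_id, user_id)
        return p

    def resolve(self, sp_entity_id, pseudonym):
        """Map a pseudonym named by an SP (e.g. in a LogoutRequest) back to the local user.
        Scoped to the SP, so one SP cannot look up another SP's pseudonyms."""
        user = self._persistent.get((sp_entity_id, pseudonym))
        if user is not None:
            return user
        entry = self._transient.get(pseudonym)
        if entry is not None and entry[0] == sp_entity_id:
            return entry[1]
        return None

    def end_session(self, pseudonym):
        """Transient pseudonyms stop resolving once the session that issued them ends."""
        self._transient.pop(pseudonym, None)


def name_id(pseudonym, persistent):
    """Format and value for the <saml:NameID> the IdP places in the assertion's Subject."""
    return {"Format": PERSISTENT_FMT if persistent else TRANSIENT_FMT, "value": pseudonym}
```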


Single Logoff Operations
• When the user selects logoff in an application, two potential options must be offered.
  1. Does the user want to log off from this specific application, maintaining the current SSO session, or
  2. Does the user want to end their SSO session, closing all individual application sessions?
• Solution for #2
  – The SP communicates the logoff request to the IdP. The IdP, based on its session store and information from the metadata, issues a logoff request to all SPs for which an active session is present.
  – When an SP receives a logout request, it will close the current session and notify the application, allowing the application to perform required cleanup.


Session Timeout Operations
• With SSO, the user is using the same login for several applications, potentially across several systems
• Managing SSO session timeouts by each application is inefficient
• With Single Log Off, applications can, through the IdP, centrally manage a user’s idle time
• Consolidating session timeouts and establishing a consistent session timeout period is another policy that must be considered when a federation forms.
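Added example (not from the deck) covering both the single logoff and the session timeout slides: an IdP session store in Python that fans a logoff out to every SP with an active session, tracks idle time once at the IdP, and expires sessions under one federation-wide timeout. The SP objects and entity IDs are constructed stand-ins; a real IdP would send SAML LogoutRequest messages to each SP's logout endpoint taken from metadata rather than call a method.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class ServiceProvider:
    """An SP with its own application sessions (constructed stand-in for a real SP)."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.app_sessions = {}  # user -> application state
        self.cleanup_log = []   # what the application was told to clean up

    def handle_logout_request(self, user):
        """What the IdP's LogoutRequest triggers: close the local session, notify the app."""
        state = self.app_sessions.pop(user, None)
        if state is not None:
            self.cleanup_log.append((user, state))
        return state is not None


@dataclass
class SsoSession:
    user: str
    last_activity: datetime
    sps: set = field(default_factory=set)  # entity IDs with an active app session


class IdentityProvider:
    """IdP session store: one SSO session per login, fanned out to many SPs."""

    def __init__(self, sps, idle_timeout=timedelta(minutes=30)):
        self.sps = sps                  # entity_id -> ServiceProvider (the "metadata")
        self.idle_timeout = idle_timeout
        self.sessions = {}              # session_id -> SsoSession

    def login(self, session_id, user, now):
        self.sessions[session_id] = SsoSession(user, now)

    def sso(self, session_id, sp_entity_id, now):
        """SP-initiated SSO on an existing session. Returns the user, or None when the
        session has gone idle (then every SP is logged out, not only this one)."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if now - s.last_activity > self.idle_timeout:
            self._terminate(session_id)
            return None
        s.last_activity = now          # idle time tracked here, once, not per application
        s.sps.add(sp_entity_id)
        self.sps[sp_entity_id].app_sessions[s.user] = {"since": now}
        return s.user

    def logout(self, session_id, from_sp, whole_sso_session):
        """Option 1 (whole_sso_session=False): leave only `from_sp`, keep SSO alive.
        Option 2 (True): end the SSO session and send a LogoutRequest to every SP
        that still holds a session. Returns the SPs whose sessions were closed."""
        s = self.sessions.get(session_id)
        if s is None:
            return []
        if not whole_sso_session:
            s.sps.discard(from_sp)
            self.sps[from_sp].handle_logout_request(s.user)
            return [from_sp]
        return self._terminate(session_id)

    def _terminate(self, session_id):
        s = self.sessions.pop(session_id)
        notified = []
        for entity_id in sorted(s.sps):   # "all SPs for which an active session is present"
            self.sps[entity_id].handle_logout_request(s.user)
            notified.append(entity_id)
        return notified

    def expire_idle(self, now):
        """Central sweep: one consistent timeout policy for the whole federation."""
        idle = [sid for sid, s in self.sessions.items() if now - s.last_activity > self.idle_timeout]
        return {sid: self._terminate(sid) for sid in idle}
```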


Conclusion
Enterprise Identity Management has matured with the expansion of established standards and interoperability approaches. The growing number of enterprise applications accessed by internal employees in collaboration with sales and distribution partners, customers, and other business channels requires new strategies to manage enterprise confidentiality, data security, and privacy. To address these challenges, Enterprise IT executives with limited development, deployment, and infrastructure budgets are differentiating strategic, proprietary systems from utilities that are now widely available outside the enterprise firewalls. Many enterprise strategies include integrating identity federation into their IT vision, strategy, infrastructure, and application support models. Chief Information Officers also recognize the growing importance of understanding the spectrum of identity management capabilities, including how to handle identity-based Web services. Identity federation is now feasible and increasingly required by business partners, affiliates, and customers. With the growing number of cloud and access management solutions, strategic partnerships with solution providers and consultants will be central to a successful outcome.