Document 237566

Agenda
What is IAM
IAM Components
Why IAM
IAM Marketplace
IAM Implementation
Identity and Access
Management
By Dave Yip
david.yip@arialgroup.com
? Copyright 2005 Arialgroup.
All rights reserved.
2
IAM for Single Application
What is Identity and Access
Management IAM ?
Role Management
Authorization
Biometric?
Smart ID Card?
Digital Certificate?
Administrator
Role
Store
User Management
Session Management
User
Store
Password Management
User
Authentication
User
Appl
Data
Application Functions
User
Directory?
3
Single Sign-On?
? Copyright 2005 Arialgroup.
All rights reserved.
4
? Copyright 2005 Arialgroup.
All rights reserved.
1
When # of applications increases
IAM Architecture
Administrator
Administrator
5
? Copyright 2005 Arialgroup.
All rights reserved.
6
Does not have IAM
Policy Management
Role
Store
Policy
Store
User
Store
User Management
Role Management
Provisioning Data Synchronization
User
Authorization RBAC
User
SSO Authentication Password Services
User
Application
Session Management
Role
Data
User
Data
Application
Role
Data
User
Data
..
Application
Role
Data
User
Data
Password Management
? Copyright 2005 Arialgroup.
All rights reserved.
Has IAM
Identity & Access Management
7
? Copyright 2005 Arialgroup.
All rights reserved.
8
? Copyright 2005 Arialgroup.
All rights reserved.
2
The Goal of IAM
Agenda
Providing the right people with the right
access at the right time.
What is IAM
IAM Components
Why IAM
IAM Marketplace
IAM Implementation
Protect resources by preventing
unauthorized accesses.
9
? Copyright 2005 Arialgroup.
All rights reserved.
IAM Components
IAM Components
Role-based
Rule-based
Attribute-based
Remote Authorization
User
User
User
User Management
Central User Repository
Delegated Admin
Role Management
Provisioning
Password Mgmt
Self-service
Directory
Data Synchronization
Meta-directory
Virtual directory
Administrator
Administrator
Identity Management
11
? Copyright 2005 Arialgroup.
All rights reserved.
12
Policy Management
Role
Store
Policy
Store
User
Store
User Management
Role Management
Provisioning Data Synchronization
Single Sign-On
Session Management
Passwords
Authentication Levels
Application
Session Management
Authorization RBAC
Authorization
SSO Authentication Password Services
Access Management
Authentication
? Copyright 2005 Arialgroup.
All rights reserved.
10
Role
Data
User
Data
Application
Role
Data
User
Data
..
Application
Role
Data
User
Data
Password Management
? Copyright 2005 Arialgroup.
All rights reserved.
3
Other IAM Terms
Agenda
Identity Management IdM or IM
Identity and Access Management
I&AM
Authentication, Authorization,
Accounting and Administration AAA
Extranet Access Management EAM
Portal and personalization Part of
IAM?
13
? Copyright 2005 Arialgroup.
All rights reserved.
What is IAM
IAM Components
Why IAM
IAM Marketplace
IAM Implementation
14
Drivers behind IAM
? Copyright 2005 Arialgroup.
All rights reserved.
IAM Benefits
Convergence of Information Technologies.
Business Benefits
Standards based
Service Oriented Architecture
Agility to respond to changes and opportunities
Capability to drive more revenue from existing relationships
Streamlined processes
Enable user access changes from days to hours
Empower business users and user administrators
Increase in Identities.
Customers, Suppliers, Contractors, Mergers & Acquisitions,
Outsourcing, Globalization
Increase in Business Delivery Channels.
LAN, WAN, Dial-up, Extranet, Internet, Wireless, etc.
Security and Audit Benefits
Rising costs and complexities of identity
management
Need to improve information security
Consistent, automated policy enforcement
Enhanced audit ability
Compliance with regulations
Reduce security administration efforts
Better protected resources
Regulatory Compliance (e.g. SOX, BS 7799)
More opened network, higher skilled intruders, etc.
15
? Copyright 2005 Arialgroup.
All rights reserved.
16
? Copyright 2005 Arialgroup.
All rights reserved.
4
IAM Benefits
Agenda
User Benefits
Higher usability and satisfaction
Self-service for common tasks
Faster, better from organization
What is IAM
IAM Components
Why IAM
IAM Marketplace
IAM Implementation
IT Benefits
Centralized security architecture
Delegated administration
Lower support costs
Faster application development
Agile IT infrastructure
Improved correctness of user information
? Copyright 2005 Arialgroup.
All rights reserved.
17
18
IAM Marketplace
Convergence Trend
Internet Security Stages of Adoption
Growth
BMC acquired Calendra
CA acquired Netegrity
This Year (2004)
Last Year (2003)
Growth
Netegrity acquired Business Layers
Protect
Enable
Anti -Virus
Encryption
Firewall
VPN
Content Filtering
Authentication
Intrusion Detection
Authorization
Authentication
HP acquired Baltimore s SelectAccess and
TrueLogica
IBM acquired Access 360
Sun acquired Waveset
Anti -Virus
Encryption
Firewall
VPN
Content Filtering
Intrusion Detection
Authorization
PKI
PKI
Pioneering
19
Maturing
? Copyright 2005 Arialgroup.
All rights reserved.
? Copyright 2005 Arialgroup.
All rights reserved.
Pioneering
Maturing
20
? Copyright 2005 Arialgroup.
All rights reserved.
5
Access Management
User Management
Client side vs. Server side
Web-based vs. non Web-based (or Legacy)
Role-based and Rule-based
Agent based vs. Proxy based
Session Management approach
21
? Copyright 2005 Arialgroup.
All rights reserved.
Agent vs. Agentless
Event driven vs. Pulling
With or without image of user data
Programming language used for
customization
Provisioning vs. data synchronization
22
Directory and Meta-Directory
IAM Standards
X.500 vs. LDAPv3
Meta-Directory vs. Virtual Directory
Directory Replication
Database engine vs. Native
23
? Copyright 2005 Arialgroup.
All rights reserved.
? Copyright 2005 Arialgroup.
All rights reserved.
Authentication Kerberos, SASL
Authorization XACML, RBAC99
Directory Service DSML, LDAPv3, LDUP
Provisioning SPML
Federated security SAML, Liberty Alliance
Supporting standards TCP/IP, HTTP, XML,
PKI, SSL, Web Service Security, X509v3,
XrML, etc.
24
? Copyright 2005 Arialgroup.
All rights reserved.
6
Agenda
What is IAM
IAM Components
Why IAM
IAM Marketplace
IAM Implementation
25
? Copyright 2005 Arialgroup.
All rights reserved.
High-level IAM Building Blocks
Strong
Authentication
Single
Sign-On
User
Management
Role
Management
Provisioning
? Copyright 2005 Arialgroup.
All rights reserved.
IAM can be divided into two categories: Identity Management and
Access Management.
Access Management comprises Authentication, Single Sign-On,
Session Management, Password Services, Authorization.
User Management comprises user self-service, delegated
administration, user/role management, provisioning, data
synchronization and password management.
IAM has clear benefits in terms of cost savings, services
enablement, reduce risks and productivity improvement.
Recent trend shows a product convergence in the IAM
marketplace.
IAM has become practical and doable today, but selecting the
right product mix could be challenging
Users and Vendors alike are recommended to choose skilled
personnel to participate in IAM implementation projects.
Many stakeholders requires good communication skills
Change of administration approach could be political
Data correctness, ownership and privacy
Need people with skills from both world of IT
infrastructure and system development
Never underestimate the time required to do testing
Never neglect IT requirements (e.g. operational,
deployment, high availability, etc.)
Watch out software compatibility
Customers not only want a resolution to a problem but
also want an answer why the proposed solution is a
better one
? Copyright 2005 Arialgroup.
All rights reserved.
Data
Synchronization
Summary
IAM Implementation
27
Federated
Security
Windows
Single Sign-On
Enterprise
Directory
26
Role-based
Authorization
28
? Copyright 2005 Arialgroup.
All rights reserved.
7