Identity Management Basics



                 Derek Browne, CISSP, ISSAP
                 Derek.Browne@Emergis.com



OWASP
May 9, 2007

                 Copyright © The OWASP Foundation
                 Permission is granted to copy, distribute and/or modify this document
                 under the terms of the OWASP License.




                 The OWASP Foundation
                 http://www.owasp.org
Agenda


         1. Identity Management Overview
         2. Concepts
         3. Approach to Identity & Access Management
         4. Example Scenarios
         5. Product Demonstrations…hopefully…




                                                OWASP   2
Identity Management Flavours
 Single Sign On is a goal … not a product

 Web application integration -- Web SSO

 Enterprise SSO (eSSO) involves corporate desktop applications
     Some use a server -- TSE, tn3270/5250, SAP, Oracle Forms, etc.
     Some authenticate locally -- Acrobat protected files

 IdM is different from Access Management
     One involves who you are and how that is recorded
     The other involves the policies around how you access resources

 Federation of identities across multiple jurisdictions
     SAML, SXIP, Identity 2.0, OASIS
     Passport (HAHA), Kerberos, Liberty

Identity Management Overview
Defined:
   Central infrastructure to manage users, roles, and access to
   resources
   Concept of “identity” contains all user attributes
   Provisioning capabilities
      Technology (connectors)
      Approvals Workflow Management
Features:
   Identity provisioning among integrated directories
   Self-registration and management
   Delegation of approvals and workflows
   Password reset capability


Benefits:
   Meet regulatory & audit requirements around controlled access to
   resources
   Save costs through efficient workflows for provisioning and
   approval
   Asset (business) owners in control, rather than technology group
Identity Management Integration
 Integrates with:
   Enterprise single-sign-on (and related strong authentication)
   Access Management systems
   Role Engineering / Management systems


 Integration Risks:
   Focus on technology may distract from importance of roles and
   processes
   Too many roles (or exceptions) may result if access modeling and
   identity modeling are not well-planned
   Benefits may not be realized quickly if project scope is not managed
   Not respecting impact on business and applications may have adverse
   effects on buy-in and acceptance
   Ineffective processes and workflows may prevent cost savings from
   being realized
   Lack of proper knowledge transfer results in a system that the
   organization cannot effectively manage

Identity & Access Management Methodology
1. Inventory: gather information
   about users, access
   requirements, and applications
   & data

2. Create: future state roadmap,
   associating user groups with
   access controls, and designing
   operational support and
   workflow processes

3. Deploy: begin assigning access
   to systems and data using new
   processes and workflows

4. Optimize: deploy automated
   and delegated processes only
   after steady state has been
   achieved

5. Report: leverage investment
   to satisfy reporting
   requirements for legislation
   and internal controls

75 percent of deployment effort will be spent on people & process
Identity & Access Management Basics
Access Management
  Access to data or applications is defined by
     Business policies (segregation of duties)
     Security policies
     Industry regulations and customer requirements
  Access permissions are mapped to roles and rules to be used
  when managing identities
Identity Management
  Map roles and rules to specific users to allow appropriate access
  Process to manage and track access to systems and data
     Provisioning
     Workflow
     Auditability
  Tools exist to facilitate the mapping and ongoing management of
  roles & identities
Single Sign-on & Strong Authentication
  Single sign-on allows access to all resources – strong
  authentication is required

Identity & Access Management Systems
1. User connects to Web server
2. Web server has a connector or “Agent”
     An interface to the Access Manager
     ‘plug-ins’ or APIs
3. Access Manager is the Policy Enforcement Point: “PEP”
     High-volume system to make decisions on access requests from the
     Web server
     Must be high-availability
4. Identity Manager is the Policy Management Point: “PMP”
     Central management of all identity information from various sources
     Able to define processes and workflows to manage, maintain, and
     audit access to resources.

[Diagram: Agent, PEP, PMP]

Identity Management Framework
Directory services repository is the most critical component, and is the
primary data store for user-ID and profile information.

Provisioning provides a role-based approach to end-to-end user lifecycle
management.

Authentication – leverage existing systems including Active Directory,
Enterprise Single Sign-on, and RSA tokens.

Access Management – leverage existing access manager infrastructure.

Leverage existing technologies and processes
Role Based Access Control

[Diagram: ROLE at the centre, surrounded by: Functional roles & organization
as defined by HR; Create and manage within “role engineering” tool; Stored
and managed in directory; Business Role Hierarchy; Permissions, Scenarios,
Tasks, Work profiles, Constraints; User (“Ned Flanders”), Resource, Approver,
Privileges]

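As an added illustration of the roles, hierarchy and constraints in the diagram above (not code from the deck or from any product), this Python model shows a role hierarchy feeding a PEP-style access decision, with a segregation-of-duties constraint enforced at assignment time. All role, user and resource names are constructed.

```python
"""Minimal RBAC decision logic: a ROLE carries Permissions and Constraints,
sits in a Business Role Hierarchy, and a User is assigned a Role.
Added example with constructed sample data, not code from any product."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (resource, action), e.g. ("invoice", "approve")


@dataclass
class RolePolicy:
    # role -> permissions granted directly to that role
    permissions: Dict[str, Set[Permission]] = field(default_factory=dict)
    # senior role -> junior roles it inherits from (the role hierarchy)
    parents: Dict[str, Set[str]] = field(default_factory=dict)
    # segregation-of-duties constraint: role pairs one user may never hold together
    exclusive: Set[FrozenSet[str]] = field(default_factory=set)

    def effective_roles(self, roles: Set[str]) -> Set[str]:
        """Held roles plus every junior role reachable through the hierarchy."""
        seen: Set[str] = set()
        stack = list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents.get(role, set()))
        return seen

    def effective_permissions(self, roles: Set[str]) -> Set[Permission]:
        """Union of the permissions of all effective roles."""
        result: Set[Permission] = set()
        for role in self.effective_roles(roles):
            result |= self.permissions.get(role, set())
        return result

    def sod_violations(self, roles: Set[str]) -> Set[FrozenSet[str]]:
        """Exclusive pairs that would be held at once, inherited roles included."""
        held = self.effective_roles(roles)
        return {pair for pair in self.exclusive if pair <= held}


class PolicyEnforcementPoint:
    """The PEP of the systems slide: answers access requests relayed by the web
    agent, using identity data (user -> roles) maintained on the PMP side."""

    def __init__(self, policy: RolePolicy):
        self.policy = policy
        self.assignments: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        """Identity-management side: refuse an assignment that breaks SoD."""
        proposed = self.assignments.get(user, set()) | {role}
        violations = self.policy.sod_violations(proposed)
        if violations:
            raise ValueError(f"SoD violation for {user}: {sorted(map(sorted, violations))}")
        self.assignments[user] = proposed

    def decide(self, user: str, resource: str, action: str) -> bool:
        """Access-management side: permit only if an effective role grants it."""
        roles = self.assignments.get(user, set())
        return (resource, action) in self.policy.effective_permissions(roles)


def build_demo() -> PolicyEnforcementPoint:
    """Constructed sample policy for a small finance department."""
    policy = RolePolicy(
        permissions={
            "employee": {("timesheet", "submit")},
            "ap_clerk": {("invoice", "create")},
            "ap_approver": {("invoice", "approve")},
            "finance_manager": {("ledger", "close")},
        },
        parents={
            "ap_clerk": {"employee"},
            "ap_approver": {"employee"},
            "finance_manager": {"ap_approver"},  # inherits approve and submit
        },
        # whoever creates an invoice must not be able to approve it
        exclusive={frozenset({"ap_clerk", "ap_approver"})},
    )
    pep = PolicyEnforcementPoint(policy)
    pep.assign("ned", "ap_clerk")
    pep.assign("maude", "finance_manager")
    return pep


if __name__ == "__main__":
    print(build_demo().decide("ned", "invoice", "create"))  # True
```

Because SoD is evaluated over effective roles, giving the finance manager an `ap_clerk` role is refused even though the conflicting `ap_approver` role is only inherited.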
Role Engineering – Process

   RBAC is widely supported and solves the privilege management problem
   better than DAC or MAC, but development of the Role Hierarchy is manual;
   utilities are few and not all are effective.

The role engineering process…
      Discovers Orphaned accounts, privileges, roles
      Merges overlapping roles
      Breaks apart overly broad roles: multiple jobs done by the same
      organization?
      Defines Role constraints that come from permission constraints
      Creates role hierarchies: junior roles with common bases

…and provides the benefits of…
      Cleanup and streamline privileges and group definitions
      Essential for ongoing privilege management
      Assists with & documents compliance with policies


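An added worked example (not from the deck or any vendor tool) of the role engineering steps just listed, run over a constructed harvest of account entitlements: it finds orphaned accounts and privileges, merges identical entitlement sets into candidate roles, factors out a common base as the junior role, and flags candidates broad enough to be several jobs.

```python
"""Toy role-mining pass over harvested access data: orphans, overlapping
roles, overly broad roles and a common-base junior role. Added example with
constructed sample data; not code from the deck or from any product."""
from collections import defaultdict
from typing import Dict, FrozenSet, Set

# Constructed "raw" harvest: account -> entitlements collected from target systems
HARVEST: Dict[str, Set[str]] = {
    "ned":     {"mail", "vpn", "ap:invoice.create"},
    "maude":   {"mail", "vpn", "ap:invoice.create"},
    "todd":    {"mail", "vpn", "ap:invoice.approve"},
    "rod":     {"mail", "vpn", "ap:invoice.approve"},
    "homer":   {"mail", "vpn", "ap:invoice.create", "ap:invoice.approve", "ledger:close"},
    "svc_old": {"mail", "ledger:close"},  # no HR record behind it
}
# Constructed HR feed of active employees (the "master" data to validate against)
HR_ACTIVE: Set[str] = {"ned", "maude", "todd", "rod", "homer"}
# Constructed catalogue of every entitlement defined on the target systems
CATALOGUE: Set[str] = set().union(*HARVEST.values()) | {"ap:vendor.delete"}


def orphaned_accounts(harvest: Dict[str, Set[str]], hr_active: Set[str]) -> Set[str]:
    """Accounts that hold entitlements but match no HR identity."""
    return {acct for acct in harvest if acct not in hr_active}


def orphaned_privileges(harvest: Dict[str, Set[str]], hr_active: Set[str],
                        catalogue: Set[str]) -> Set[str]:
    """Entitlements defined on the systems but held by no active employee."""
    in_use: Set[str] = set()
    for acct, ents in harvest.items():
        if acct in hr_active:
            in_use |= ents
    return catalogue - in_use


def merge_overlapping(harvest: Dict[str, Set[str]],
                      hr_active: Set[str]) -> Dict[FrozenSet[str], Set[str]]:
    """Active accounts with identical entitlement sets collapse into one candidate role."""
    roles: Dict[FrozenSet[str], Set[str]] = defaultdict(set)
    for acct, ents in harvest.items():
        if acct in hr_active:
            roles[frozenset(ents)].add(acct)
    return dict(roles)


def common_base(roles: Dict[FrozenSet[str], Set[str]]) -> FrozenSet[str]:
    """Entitlements every candidate role shares: the junior role at the hierarchy's base."""
    if not roles:
        return frozenset()
    return frozenset.intersection(*roles)


def overly_broad(roles: Dict[FrozenSet[str], Set[str]], base: FrozenSet[str]) -> Set[FrozenSet[str]]:
    """Candidate roles that fully contain two or more other non-base candidate
    roles: one person doing several jobs, to be broken apart rather than kept."""
    broad: Set[FrozenSet[str]] = set()
    for role in roles:
        contained = [other for other in roles
                     if other != role and other - base and other < role]
        if len(contained) >= 2:
            broad.add(role)
    return broad


def mine(harvest=HARVEST, hr_active=HR_ACTIVE, catalogue=CATALOGUE) -> dict:
    """Run the whole pass; candidate roles are reported with the base factored out."""
    roles = merge_overlapping(harvest, hr_active)
    base = common_base(roles)
    return {
        "orphaned_accounts": orphaned_accounts(harvest, hr_active),
        "orphaned_privileges": orphaned_privileges(harvest, hr_active, catalogue),
        "base_role": base,
        "candidate_roles": {role - base: members for role, members in roles.items()},
        "overly_broad": overly_broad(roles, base),
    }


if __name__ == "__main__":
    for key, value in mine().items():
        print(f"{key}: {value}")
```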
Role Engineering – Creating Roles
 Functional Decomposition
   A matter of pulling apart the existing processes and relationships
   between resources, users and their jobs
   Understanding the interactions and constraints that exist on
   permissions

 “Scenario-Driven”
   Models the usage of the system overall
   Goal is to establish RBAC from concrete Role Hierarchies
   A “bottom-up” approach

Role Engineering – Process
 Each IdM tool integrates a set of features to assist

 Bridgestream (SmartRoles)
     Manages dynamic approval processes based on context and relationships
     Does this by assuming the job of managing roles…all roles
     Defines Approval Policies to control relationships

 Eurekify (Sage)
     Can provide Query and Discovery functions – preliminary review of
     privilege landscape
     Provides audit and compliance reporting on business roles

 xoRET
     Initial attempt at a tool for scenario-based role engineering

 Ultimately R.E. has so many human factors that there are key manual
 efforts required

 Scenario-driven process steps (sidebar):
     Identify & Model New Scenarios
     Define Scenario Permissions & Constraints
     Further Refine Scenario Model
     Define Tasks and Work Profiles
     Define Roles and Role Hierarchy

Logging & Monitoring is Critical

Applying a Methodology

Discover
  • Where is role or identity information currently kept?
  • What are the data assets to protect?
  • Who owns the data?
  • Who uses the data?

Implement Tool
  • Identity Management tool (or equivalent)
  • Evaluate needs and technology
  • Integration with existing systems
  • Achieve “quick wins”

Harvest
  • Obtain information from existing repositories
  • Active Directory, SiteMinder, LDAP, SAP
  • Result: “raw” data as collected by the tool

Validate
  • Validate against “master” (SAP) data
  • Eliminate conflicts
  • Complete missing information
  • Result is “coarse” roles

Develop Workflow
  • Business-oriented approach
  • Consult IS, HR, and business stakeholders
  • Create provisioning & admin workflows

Pilot
  • Limited roll-out of pilot applications
  • Apply “coarse” roles (regulated vs. non-reg)
  • Pilot group chosen based on risk or priority

Refine
  • Iterative process
  • Add more granularity to “roles”
  • Result: “fine-grained” Role Based Access Control

The actual process will not be linear…

Typical Environments

Enterprise Single Sign-on

Enterprise Single Sign-on with IdM

Access Management

Access Management with IdM

Integrated Identity & Access Management
IdM Without Context

SAML

 Primary concern is Complexity
   Built by committee – but so was IPSec
   Motivated backers
   Seasoned backers
 Synchronized clocks for validation
 Multitude of Trust relationships
   A trusted third party resolves this, but is not mandatory

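The synchronized-clocks point in practice, as an added example (not from the deck): validating a SAML 2.0 assertion's Conditions window and audience with a skew allowance. The assertion and hostnames are constructed, and signature verification, which must come first, is left out.

```python
"""Checking a SAML 2.0 assertion's validity window and audience with a
clock-skew allowance. Added example: the assertion is constructed (not a
captured exchange), the hostnames are placeholders, and signature
verification, which must precede this check, is out of scope here."""
from datetime import datetime, timedelta
from typing import List
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion fragment with a five-minute validity window
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2007-05-09T14:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2007-05-09T14:00:00Z"
                   NotOnOrAfter="2007-05-09T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/sso</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SP_AUDIENCE = "https://sp.example.test/sso"  # the service provider's own entity ID


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z; fromisoformat needs +00:00 before 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def clock(hhmmss: str) -> datetime:
    """Helper for demos and tests: a UTC instant on the assertion's issue date."""
    return parse_saml_time(f"2007-05-09T{hhmmss}Z")


def check_conditions(xml_text: str, expected_audience: str, now: datetime,
                     skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return the reasons to reject the assertion; an empty list means accept.

    The window is widened by `skew` at both ends so IdP and SP clocks that
    differ by less than the allowance do not cause spurious rejections, while
    anything further off is still refused."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return ["no Conditions element"]
    problems: List[str] = []
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        problems.append("not yet valid (NotBefore)")
    if not_on_or_after is None:
        problems.append("no NotOnOrAfter: unbounded lifetime")
    elif now - skew >= parse_saml_time(not_on_or_after):
        problems.append("expired (NotOnOrAfter)")
    # An assertion not addressed to this SP is rejected, as is one with no audience at all
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text}
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    print(check_conditions(ASSERTION, SP_AUDIENCE, clock("14:02:00")))  # []
    print(check_conditions(ASSERTION, SP_AUDIENCE, clock("14:07:00")))  # ['expired (NotOnOrAfter)']
```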
SAML Data Flow

[Diagram: Sun 2007, http://developers.sun.com/identity/reference/techart/sso.html]

Options - What are the Choices

 Key Vendors in this area include (no ranking) …
    Sun
    Oracle
    Computer Associates
    BMC Software
    Novell
    Passlogix
    Imprivata
    RSA
    Many others…

 Competitive Analysis is being prepared now
    Criteria being defined…
       Federation
       Audit capability
       Encryption capability
       Workflow flexibility

Links as of June 1, 2007

 Sun
    http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3

 Oracle
    http://www.oracle.com/technology/products/id_mgmt/index.html

 SXIP
    http://www.sxip.com
    http://identity20.com

Derek Browne, CISSP, ISSAP

derek.browne@emergis.com
