Identity Management Basics

Derek Browne, CISSP, ISSAP

Derek.Browne@Emergis.com

OWASP
May 9, 2007

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation

http://www.owasp.org
Agenda

1. Identity Management Overview

2. Concepts
3. Approach to Identity & Access Management
4. Example Scenarios
5. Product Demonstrations…hopefully…

OWASP 2
Identity Management Flavours
ƒ Single Sign On is a goal … not a product

ƒ Web application integration -- Web SSO

ƒ Enterprise SSO (eSSO) involves corporate desktop application

ƒ Some use a server -- TSE, tn3270/5250, SAP, Oracle forms, etc
ƒ Some authenticate locally -- acrobat protected files

ƒ IdM is different than Access Management

ƒ One involves who you are and how that is recorded
ƒ The other involved the policies around how you access resources

ƒ Federation of identities across multiple jurisdictions

ƒ SAML, SXIP, Identity 2.0, OASIS
ƒ Passport (HAHA), Kerberos, Liberty

OWASP 3
Identity Management Overview
Defined:
ƒ Central infrastructure to manage users, roles, and access to
resources
ƒ Concept of “identity” contains all user attributes
ƒ Provisioning capabilities
ƒ Technology ( connectors )
ƒ Approvals Workflow Management
Features:
ƒ Identity provisioning among integrated directories
ƒ Self-registration and management
ƒ Delegation of approvals and workflows
ƒ Password reset capability

Benefits:
ƒ Meet regulatory & audit requirements around controlled access to
resources
ƒ Save costs through efficient workflows for provisioning and
approval
ƒ Asset (business) owners in control, rather than technology group
OWASP 4
Identity Management
Integration
Integrates with:
ƒ Enterprise single-sign-on (and related strong authentication)
ƒ Access Management systems
ƒ Role Engineering / Management systems

Integration Risks:
ƒ Focus on technology may distract from importance of roles and
processes
ƒ Too many roles (or exceptions) may result if access modeling and
identity modeling are not well-planned
ƒ Benefits may not be realized quickly if project scope is not managed
ƒ Not respecting impact on business and applications may have adverse
effects on buy-in and acceptance
ƒ Ineffective processes and workflows may prevent cost savings from
being realized
ƒ Lack of proper knowledge transfer results in a system that the
organization cannot effectively manage

OWASP 5
Identity & Access Management
Methodology
1. Inventory: gather information
about users, access
requirements, and applications
& data

2. Create: future state roadmap,

associating user groups with
access controls, and designing
operational support and
workflow processes

3. Deploy: begin assigning access

to systems and data using new
processes and workflows

4. Optimize: deploy automated

and delegated processes only
after steady state has been
achieved

5. Report: leverage investment

to satisfy reporting
requirements for legislation
and internal controls

OWASP 6
75 percent of deployment effort will be spent on people & process
Agenda

1. Identity Management Overview

2. Concepts
3. Approach to Identity & Access Management
4. Example Scenarios
5. Product Demonstrations

OWASP 7
Identity & Access Management
Basics
Access Management
ƒ Access to data or applications is defined by
ƒ Business policies (segregation of duties)
ƒ Security policies
ƒ Industry regulations and customer requirements
ƒ Access permissions are mapped to roles and rules to be used
when managing identities
Identity Management
ƒ Map roles and rules to specific users to allow appropriate access
ƒ Process to manage and track access to systems andTools
data
exist to facilitate
the mapping and
ƒ Provisioning ongoing management
ƒ Workflow of roles & identities

ƒ Auditability
Single Sign-on & Strong Authentication
ƒ Single sign-on allows access to all resources – strong
authentication is required
OWASP 8
 Identity & Access Management
Systems
1. User connects to Web server
2. Web server has a connector
or “Agent”
ƒ An interface to the Access Manager
ƒ ‘plug-ins’ or APIs
3. Access Manager is Policy
Enforcement Point: “PEP” Agent

ƒ High-volulme system to make

decisions on access requests from the
Web server
ƒ Must be high-availability PMP

4. Identity Manager is the

Policy Management Point: PEP

“PMP”
ƒ Central management of all identity
information from various sources
ƒ Able to define processes and
workflows to manage, maintain, and
audit access to resources.
OWASP 9
Identity Management
Framework
ƒ Directory services repository
is the most critical
component, and is the
primary data store for user-
ID and profile information.

ƒ Provisioning provides a role-

based approach to end-to-
end user lifecycle
management

ƒ Authentication –leverage
existing systems including
Active Directory, Enterprise
Single Sign-on, and RSA
tokens.

ƒ Access Management –
leverage existing access
manager infrastructure

OWASP 10
Leverage existing technologies and processes
Role Based Access Control
Functional roles
& organization
as defined by
HR
Create and manage
within “role
engineering” tool

ROLE
Business
Role
Hierarchy
Permissions
Scenarios
Stored and managed Tasks
in directory
Work profiles
Constraints

“Ned Flanders” er
Us
Resource

Approver Privileges

OWASP 11
Role Engineering – Process

ƒ RBAC is widely supported and solves the Privilege

management problem better than DAC or MAC, etc. but
development of the Role Hierarchy is manual and utilities are
few and not all are effective.

The role engineering process…

 Discovers Orphaned accounts, privileges, roles
 Merges overlapping roles
 Breaks apart overly broad roles: multiple jobs done by the same
organization?
 Defines Role constraints that come from permission constraints
 Creates role hierarchies: junior roles with common bases

…and provides the benefits of…

 Cleanup and streamline privileges and group definitions
 Essential for ongoing privilege management
 Assists with & documents compliance with policies

OWASP 12
Role Engineering – Creating
Roles
ƒ Functional Decomposition
ƒ Matter of pulling apart the existing
processes and relationships
between resources and users and
their jobs
ƒ Understanding the interactions that
constraints that exist on
permissions

ƒ “Scenario-Driven”
ƒ Models the usage of the system
overall
ƒ Goal is to establish RBAC from
concrete Role Hierarchies

OWASP 13
“bottom-up” approach
Role Engineering – Process
ƒ Each IdM tool integrates a set of features to assist

ƒ Bridgestream (SmartRoles)
ƒ Manages dynamic approval processes based on context Identify & Model New
and relationships Scenarios
ƒ Does this by assuming the job of managing roles…all
Define Scenario
roles Permissions &
ƒ Defines Approval Policies to control relationships Constraints

ƒ Eurekify (Sage) Further Refine

 Can provide Query and Discovery functions – Scenario Model
preliminary review of privilege landscape
 Provides audit and compliance reporting on business Define Tasks and
roles Work Profiles
ƒ xoRET
ƒ Initial Attempt at tool for scenario based role Define Roles and
engineering Role Hierarchy

ƒ Ultimately R.E. has so many human factors that there

are key manual efforts required

OWASP 14
Logging & Monitoring is Critical

OWASP 15
OWASP 16
OWASP 17
Agenda

1. Identity Management Overview

2. Concepts
3. Approach
4. Example Scenarios
5. Product Demonstrations

OWASP 18
Applying a Methodology

Implement Develop
Discover Harvest Validate Pilot Refine
Tool Workflow

•Where is role •Identity •Obtain •Validate •Business- •Limited roll- •Iterative

or identity Management information against oriented out of pilot process
information tool (or from existing “master” approach applications
currently equivalent) repositories (SAP) data •Add more
kept? •Consult IS, •Apply granularity to
•Evaluate •Active •Eliminate HR, and “coarse” “roles”
•What are the needs and Directory, conflicts business roles
data assets technology SiteMinder, stakeholders (regulated •Result:
to protect? LDAP, SAP •Complete vs. non-reg) “fine-
•Integration missing •Create grained”
•Who owns with existing •Result: information provisioning •Pilot group Role Based
the data? systems “raw” data as & admin chosen Access
collected by •Result is workflows based on Control
•Who uses •Achieve the tool “coarse” risk or
the data? “quick wins” roles priority

The actual process will not be linear…

OWASP 19
Agenda

1. Identity Management Overview

2. Concepts
3. Approach
4. Example Scenarios
5. Product Demonstrations

OWASP 20
Typical Environments

OWASP 21
Enterprise Single Sign-on

OWASP 22
Enterprise Single Sign-on with IdM

OWASP 23
Access Management

OWASP 24
Access Management with IdM

OWASP 25
 Integrated Identity & Access
Management
IdM
Without
Context

OWASP 26
SAML

Primary concern is Complexity

Built by committee – but so was IPSec
Motivated backers
Seasoned backers
Synchronized clocks for validation
Multitude of Trust relationships
A trusted third party resolves this but not mandatory

OWASP 27
 SAML Data Flow

Sun 2007 OWASP 28

http://developers.sun.com/identity/reference/techart/sso.html
Options - What are the Choices

Key Vendors in this Competitive Analysis is

area include (no being prepared now
ranking) … Criteria being defined…
ƒ Federation
Sun
ƒ Audit capability
Oracle
ƒ Encryption capability
Computer Associates ƒ Workflow flexibility
BMC Software
Novell
Passlogix
Imprivata
RSA
Many others… OWASP 29
Agenda

1. Introductions and Objectives

2. Concepts
3. Approach to Identity & Access Management
4. Example Scenarios
5. Product Demonstration…hopefully…

OWASP 30
Links as of June 1, 2007

Sun
http://www.sun.com/download/index.jsp?cat=Identit
y%20Management&tab=3

Oracle
http://www.oracle.com/technology/products/id_mgmt
/index.html

SXIP
http://www.sxip.com
http://identity20.com

OWASP 31
Derek Browne, CISSP, ISSAP

derek.browne@emergis.com

OWASP 32