Best of Breed. Future-Proof Your Business with IdM 2.0
Identity Management for the 21st Century IT Mission

Presented by:
• Paul Grassi: VP of Federal Programs, Sila Solutions Group
• Jim Rice: VP of Federal, Layer 7
• Wade Ellery: Director of Sales and Business Development, Radiant Logic
• Gerry Gebel: President, Axiomatics Americas
• Phil McQuitty: Director of Systems Engineering, SailPoint
• Stephanie McVitty: Account Manager, Compsec

Wednesday, October 23, 2013
Key Discussion Areas
• Today’s Challenges
• History: How Did We Get Here?
• The Evolution of Access Control
• Building Blocks for Agile Access
• Creating a Framework for Success
• The Ideal ABAC Process
• Use Case Deep Dive
• Next Steps: Are You ABAC-Ready?
Today’s Challenges
How Did We Get Here?
• We keep trying to solve a legacy problem with a legacy solution
• Made authorization an IT solution, not a business solution
• Bogged down with stovepipes, multiple policies, and poorly defined infrastructure
• Focused on the door – not the data
• Yet, we’ve done some amazing things
We have made great progress! Industry deserves credit. Examples of NSTIC/IDESG, NIST 800-162 Draft, FICAM AAES work; focus on attributes and confidence scores.
The Evolution of Access Control
From a legacy problem with a legacy solution, to a legacy problem with a better solution, to a future-proofed business solution:
• IBAC → ACL → RBAC → eRBAC: local policy, proprietary enforcement, technical
• ABAC: fine grained, attribute-driven
• PBAC: reusable policy, context aware, externalized, standards based, business driven, non-technical
Building Blocks for Agile Access
Inputs that feed agile access decisions:
• Federated Identity
• Federated Attributes
• Environment Context
• Resource Attributes
• Action
• Reusable Policy
ABAC Framework
Cross-cutting processes:
• Policy lifecycle management
• Business process engineering and optimization
• Programmatic and technical management
Pillars:
• Portability, confidence, and trusted attributes
• Access anywhere: mobility / cloud
• Lifecycle, governance and risk
• Mission agility
Layer 7 Overview
Layer 7 API Gateways provide API access control for the new “open” enterprise, sitting between the enterprise’s applications & data and:
• Outside partners / divisions
• External developers
• Mobile apps
• Cloud services
• Other things
Enterprises Are Exposing More Connectivity & Security
Challenges for the open enterprise:
• Protection of applications exposed over the internet
• Reuse of information shared across departments, partners, mobile & cloud
• Ease of integration: reconciling disparate identity, data types, standards, services
• Federated & delegated security
• Performance optimization (caching, protocol compression, …)
• Brokering cloud services
• Proxy connections to social, cloud, notification services that enterprises can control
• Cloud interactions
• Central governance of policies and security
Exposure points shown on the slide: mobile / tablet apps; web platform integration; open APIs for the developer channel; private cloud annexes (Savvis or datacenter); cloud services; over-the-top TV and media (Xbox Live and Smart TV); real-time partner integration; login/password.
This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/public.
Layer 7 Policy Approach
Components:
• API Integration Gateway
• API Service Manager
• API Identity & Access Broker
• API Developer Portal
Capabilities shown: health tracking; workflow; performance; global staging; developer enrollment; API docs; forums; API explorer; rankings; quotas; plans; analytics; reporting; config migration; patch management; policy migration; throttling; prioritization; caching; routing; traffic control; transformation; security (composition, authentication, single sign-on, API keys, entitlements); token service; OAuth 1.x; OAuth 2.0; OpenID Connect.
Layer 7 ABAC Reference Implementation
RadiantOne Architecture
• Acting as an abstraction layer, RadiantOne creates attribute-rich global user profiles spanning multiple identity silos and serves them to consumers.
• Aggregation, correlation, transformation, and normalization of the user identity provides the foundation for Attribute Based Access Control.
RadiantOne Key Capabilities
Source silos (example identity: Andrew Fuller):
• Active Directory: employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], …=234, title=Sales, VP
• LDAP Directory: uid=AFuller, title=Vice Pres. Sales, givenName=Andrew, sn=Fuller, departmentNumber=234
• HR Database: EmployeeID=509-34-5855, ClearanceLevel=1, Region=PA, UserID=EMP_Andrew_Fuller, DeptID=Sales234
Correlation rules/logic. An existing single unique identifier is not required.
Correlated Identity Virtual View:
employeeNumber=2, samAccountName=Andrew_Fuller, objectClass=user, mail: [email protected], uid=AFuller, title=VP Sales, ClearanceLevel=1, Region=PA, memberOf=Sales, nDepartment=Sales
Dynamic Groups Virtual View (computed attribute):
cn=Sales, objectClass=group, member=Andrew_Fuller
Based on identities that have: ClearanceLevel=1, nTitle=VP Sales, Region=PA
Normalized Attribute Values (Federated Identity / Attribute Server):
• Attribute nDepartment, values: Accounting, Administration, Business Development, Distribution, Marketing, Production, Research, Sales, Shipping
• Attribute nTitle, values: CEO, CIO, CISO, VP Sales, VP Marketing, …
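The slide above shows three silos that describe the same person under different keys and different spellings, a correlated virtual view, normalized nTitle/nDepartment values, and a group computed from attribute predicates. The following Python is an added illustration of that pipeline and is not RadiantOne code: Andrew Fuller's values are taken from the slide, while the correlation rules, the normalization tables and the second identity (Beth Ng) are constructed for the example.

```python
"""Correlate one person's records across three identity silos, compute
normalized attributes and derive a dynamic group, in the style of the
RadiantOne slide. Added illustration, not RadiantOne code: the correlation
rules, the normalization tables and the second identity (Beth Ng) are
constructed; Andrew Fuller's values come from the slide."""

# Source silos (constructed sample data; no single shared identifier exists).
HR_DB = [
    {"EmployeeID": "509-34-5855", "ClearanceLevel": "1", "Region": "PA",
     "UserID": "EMP_Andrew_Fuller", "DeptID": "Sales234"},
    {"EmployeeID": "123-45-6789", "ClearanceLevel": "2", "Region": "NY",
     "UserID": "EMP_Beth_Ng", "DeptID": "Acct100"},
]
LDAP = [
    {"uid": "AFuller", "title": "Vice Pres. Sales", "givenName": "Andrew",
     "sn": "Fuller", "departmentNumber": "234"},
    {"uid": "BNg", "title": "Staff Accountant", "givenName": "Beth",
     "sn": "Ng", "departmentNumber": "100"},
]
AD = [
    {"employeeNumber": "2", "sAMAccountName": "Andrew_Fuller",
     "objectClass": "user", "title": "Sales, VP"},
    {"employeeNumber": "7", "sAMAccountName": "Beth_Ng",
     "objectClass": "user", "title": "Accountant"},
]

# Normalization tables (constructed): every source spelling maps to one
# canonical value, so a policy only ever tests nTitle / nDepartment.
TITLE_MAP = {"vp sales": "VP Sales", "sales, vp": "VP Sales",
             "vice pres. sales": "VP Sales",
             "accountant": "Accountant", "staff accountant": "Accountant"}
DEPT_MAP = {"234": "Sales", "sales234": "Sales", "sales": "Sales",
            "100": "Accounting", "acct100": "Accounting"}


def normalize(table, raw):
    """Look up a canonical value; unknown spellings are passed through
    unchanged so they stay visible in the profile for data-quality review."""
    return table.get(raw.strip().lower(), raw)


def correlate(hr_db, ldap, ad):
    """Build global profiles keyed on a derived join key:
       AD sAMAccountName == HR UserID without its 'EMP_' prefix
       AD sAMAccountName == LDAP givenName + '_' + sn
    so no silo needs to carry one common unique identifier."""
    profiles = {r["sAMAccountName"]: dict(r) for r in ad}
    for r in hr_db:
        key = r["UserID"][4:] if r["UserID"].startswith("EMP_") else r["UserID"]
        if key in profiles:
            profiles[key].update(r)
    for r in ldap:
        key = f'{r["givenName"]}_{r["sn"]}'
        if key in profiles:
            profiles[key]["uid"] = r["uid"]
            profiles[key]["ldapTitle"] = r["title"]
    # Computed attributes. A title that normalizes differently in AD and
    # LDAP is flagged rather than silently resolved.
    for p in profiles.values():
        p["nTitle"] = normalize(TITLE_MAP, p["title"])
        p["nDepartment"] = normalize(DEPT_MAP, p.get("DeptID", ""))
        ldap_norm = normalize(TITLE_MAP, p.get("ldapTitle", p["title"]))
        p["titleConflict"] = ldap_norm != p["nTitle"]
    return profiles


def dynamic_group(profiles, cn, **criteria):
    """Virtual group whose membership is computed from attribute predicates,
    e.g. dynamic_group(profiles, "Sales", ClearanceLevel="1",
    nTitle="VP Sales", Region="PA") -> member == ["Andrew_Fuller"]."""
    members = sorted(k for k, p in profiles.items()
                     if all(p.get(a) == v for a, v in criteria.items()))
    return {"cn": cn, "objectClass": "group", "member": members}
```

The point of the titleConflict flag is that correlation is where silent data-quality errors turn into wrong access decisions: if two silos disagree about a person's title after normalization, a downstream PDP that keys on nTitle should not be trusted until the conflict is reviewed.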
Axiomatics Architecture
• Manage: Policy Administration Point (PAP)
• Decide: Policy Decision Point (PDP)
• Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
• Enforce: Policy Enforcement Point (PEP)
Authorization at Any Layer
Anywhere Authorization Architecture
SailPoint Architecture
SailPoint ICAM Solutions, on a Unified Governance Platform with an Open Connectivity Foundation:
• Identity Warehouse
• Role Model, Policy Model, Risk Model, Workflow
• Access Request & Provisioning
• Password Management
• Compliance Management
• Single Sign-On
• Identity Analytics
• Security & Activity
Integrations: service desk integration, resource connectors, provisioning integration, cloud SaaS
Entitlement Giving Attributes
Entitlement-giving attributes are sourced from HR data and the security directory and flow to systems and targets.
Business process management around those attributes: ownership, relationships, modeling, review process, change process, audit process.
The Business Process of IAM Data Management
Entitlement-giving attributes flow from HR data and the security directory to systems and targets; Identity & Access Governance wraps them with:
• Ownership & responsibility
• Change control
• Versioning
• History
• Verification & review
• Analytics & reporting
Benefits of Our Solution
Operational and business benefits:
• Simple change management: easy to deploy new policy without underlying changes to application infrastructure.
• Maximum efficiency and flexibility
• Range of deployment options: deploy for performance and architectural needs while maintaining 100% conformance with open standards.
• Simple and effective management
• Cost effective
• Scalable
• Interoperable
• Business-friendly management: policy management and insight available to all levels of the organization.
• Increased access to information: eliminate time-consuming and confusing processes to gain access to information.
• Increased security and compliance
The Ideal Process
Access barriers are removed so users can get their jobs done more efficiently.
High Level Use Cases
• Patient can manage record from authorized personal devices; opts in and authorizes PCP and staff to view
• Doctor can read from office computer; can write to entire record
• Claims coordinator can only view appointment information
• Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs
• Nurse can “break the glass” to access location-agnostic information
• Receptionist trained in HIPAA data protection can only view services performed
• Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt in
Conceptual Architecture
Components shown: AuthN Services; Secure Gateway; EHR Systems; Federated Identity Virtualization; Policy Administration; Policy Server; Governance; Attribute Sources (NPI Registry, Patients, Hospital, R&D, Insurance); Provider View, R&D View, Insurance View and Patient View onto the EHR.
Patient Use Case
• Patient attempts to update personal EHR to add blood pressure (BP) information and opt in to share info with doctor.
• The gateway intercepts the request and checks request validity.
• Check if authorized: verify patient access using a registered device; verify the patient is accessing their own record. Request/receive the required attributes (EHR owner, authorized devices) from the attribute sources: patient EHR preferences/metadata, signed opt-in forms, list of registered devices.
• Permit: allows patient access to the EHR system; the patient updates BP and authorizes the doctor to access information.
Doctor Use Case
• Doctor attempts to update patient EHR from office computer (hospital network EHR).
• The gateway intercepts the request and checks request validity.
• Check if authorized: check access is from an office computer; verify patient opt-in. Request/receive the required attributes (EHR owner, authorized devices) from the attribute sources: patient EHR preferences/metadata, signed opt-in forms, list of signed opt-in forms.
• Permit: allows doctor access to patient EHR.
Remaining Use Cases
Columns on the slide: Use Case | Request | Layer 7 / Axiomatics | Radiant Logic | EHR

Nurse
  Request: rheumatology nurse requests access to patient EHR
  Layer 7 / Axiomatics:
  • Checks request location/validity
  • Checks PDP for authorization
  • Validates nurse/patient relationship
  • Allows access to specific attributes of patient EHR
  Radiant Logic: provide nurse and patient attributes to PDP
  EHR: allows nurse access to read patient rheumatology attributes of EHR; write diagnostics

“Break Glass”
  Request: nurse requests access to patient cardiac information when patient shows heart attack symptoms
  Layer 7 / Axiomatics:
  • Checks request validity
  • Checks PDP for authorization
  • Validates environmental attributes from hospital
  • Validates nurse/patient relationship
  Radiant Logic: provide hospital, nurse and patient attributes to PDP
  EHR: allows nurse access to read rheumatology and cardiac attributes of EHR, write diagnostics

Reception
  Request: reception requests access to patient services to prepare bill
  Layer 7 / Axiomatics:
  • Checks request location/validity
  • Checks PDP for authorization
  • Validates employee HIPAA training
  • Validates employee/patient relationship
  Radiant Logic: provide employee and patient attributes to PDP
  EHR: allows help desk access only to services performed

Insurance
  Request: insurance claims processor requests access to patient EHR
  Layer 7 / Axiomatics:
  • Checks request location/validity
  • Checks PDP for authorization
  • Validates processor employment with insurance company
  • Validates covered incident
  • Validates insurance/patient relationship
  Radiant Logic: provide processor, patient, and insurance attributes to PDP
  EHR: allows claims processor access only to covered incident information

Research & Development
  Request: cardiovascular research center requests access to all cardiology patient data
  Layer 7 / Axiomatics:
  • Authenticates R&D server
  • Checks PDP for authorization
  • Validates research center and scope
  • Provides SQL PEP to filter result set and return anonymous data
  Radiant Logic: provide employee and research center attributes to PDP
  EHR: allows employee access only to anonymized data pertaining to research center scope
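The patient, doctor, nurse, “break glass” and reception rows above all follow one shape: the gateway validates the request, the PDP evaluates attribute predicates against data the PIP supplies, and the EHR enforces the outcome. The Python below is an added illustration of that decision logic as a deny-by-default PDP; it is not code from Layer 7, Axiomatics, Radiant Logic or SailPoint, and the attribute names, the PIP records, the subjects and the rule wording are constructed from the slide text.

```python
"""Deny-by-default policy decision point (PDP) for the EHR use cases on the
slides: patient, doctor, nurse (including "break the glass") and reception.
Added illustration in plain Python, not vendor code; attribute names, PIP
records and rule wording are constructed from the slide text."""
from dataclasses import dataclass, field

# Policy Information Point data (constructed). A real deployment would pull
# these from the virtual directory, the EHR metadata store and the hospital.
PIP = {
    "subjects": {
        "pat42":   {"role": "patient", "devices": {"phone-7A"}},
        "drJones": {"role": "doctor"},
        "rnSmith": {"role": "nurse", "unit": "rheumatology",
                    "assigned_patients": {"pat42"}},
        "recLee":  {"role": "reception", "hipaa_trained": True},
        "recNew":  {"role": "reception", "hipaa_trained": False},
    },
    "records": {
        "pat42": {"owner": "pat42", "opt_in": {"drJones"}},
        "pat43": {"owner": "pat43", "opt_in": set()},
    },
}

NURSE_WRITE_SECTIONS = {"demographics", "symptoms", "vitals", "diagnostics"}


@dataclass
class Request:
    subject: str
    action: str              # "read" or "write"
    patient: str             # whose record is being accessed
    section: str             # e.g. "rheumatology", "cardiac", "services"
    device: str = ""         # device the request came from
    location: str = ""       # "office", "ward", "home", ...
    env: dict = field(default_factory=dict)  # environment attributes
                                             # supplied by the hospital


@dataclass(frozen=True)
class Decision:
    effect: str              # "Permit" or "Deny"
    reason: str
    obligations: tuple = ()  # what the PEP must do when enforcing a Permit


def decide(req: Request) -> Decision:
    subj = PIP["subjects"].get(req.subject)
    rec = PIP["records"].get(req.patient)
    if subj is None or rec is None:
        return Decision("Deny", "unknown subject or record")
    role = subj["role"]

    if role == "patient":
        # Own record only, and only from a registered personal device.
        if rec["owner"] == req.subject and req.device in subj["devices"]:
            return Decision("Permit", "patient on registered device")
        return Decision("Deny", "own record from a registered device only")

    if role == "doctor":
        # Office computer plus the patient's signed opt-in for this doctor.
        if req.location == "office" and req.subject in rec["opt_in"]:
            return Decision("Permit", "opted-in doctor from office computer")
        return Decision("Deny", "doctor needs office location and opt-in")

    if role == "nurse":
        if req.patient not in subj["assigned_patients"]:
            return Decision("Deny", "no nurse/patient relationship")
        # Break the glass: a cardiac alert raised by the hospital (an
        # environment attribute, not something the nurse asserts) widens
        # read access to cardiac data and obliges the PEP to log it.
        if (req.action == "read" and req.section == "cardiac"
                and req.env.get("hospital_alert") == "cardiac"):
            return Decision("Permit", "break-glass read under cardiac alert",
                            obligations=("log_break_glass_event",))
        if req.action == "read" and req.section == subj["unit"]:
            return Decision("Permit", "nurse read within own unit")
        if req.action == "write" and req.section in NURSE_WRITE_SECTIONS:
            return Decision("Permit", "nurse write of clinical intake data")
        return Decision("Deny", "section outside nurse scope")

    if role == "reception":
        if (subj["hipaa_trained"] and req.action == "read"
                and req.section == "services"):
            return Decision("Permit", "HIPAA-trained reception viewing services")
        return Decision("Deny", "reception limited to services performed")

    return Decision("Deny", "no applicable rule")
```

Two design choices carry over to real deployments: the break-glass path keys on an environment attribute that the hospital supplies rather than on a flag the requester sets, and it returns an obligation so the PEP cannot honour the Permit without producing the audit record the governance slide later relies on.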
Governance Use Case
Health Care Systems Attribute and Policy Governance
Entitlement-giving attributes from Functional Application #1 and Functional Application #2 pass through ownership & responsibility, change control, provision, verification & review, and analytics. Identities, certified entitlements & risk scores would be used at the PIP and PDP (Axiomatics Policy Server, Axiomatics Policy Auditor) to make smarter decisions.
Considerations
• Target applications: establish governance that requires new acquisitions (build or buy) to support interoperability standards. Offer transition plans or alternative access enforcement mechanisms for legacy applications.
• Policy lifecycle: governance is key, especially if offered as an enterprise service. Use tools to determine if applications can leverage pre-existing policies. Don’t forget that attribute lifecycle is important in managing policy lifecycle.
• Deployment models: a centralized enterprise service is preferred, especially if attributes and natural language policy (NLP) apply across organizations. Governance and policy authoring services allow consumers more control.
• Audit and application owner control: link natural language policy to digital policy. It is difficult to show the traditional ‘who has access to what’. Need to involve audit and compliance organizations in all phases.
• Business process changes: access request and workflow provisioning will be impacted. Need to communicate access restrictions effectively. Need workflow for redress of incorrect attribute values.
• Privacy: explore the usage of zero-knowledge assertions to protect user attributes, yet effectively assist policy evaluation.
Are You Ready?
• Establish governance
• Choose your standards
• Determine your attributes and metadata
• Determine your authoritative sources
• Create a taxonomy and data dictionary
• Understand your business processes
• Determine the business model
• Decide who will own policy/policy management
• Coordinate with stakeholders across the organization, including audit/compliance, privacy, and security operations
• Track performance
Questions?

Contact Us
• Paul Grassi, VP of Federal Programs, [email protected], 703.740.1193
• Jim Rice, VP of Federal, [email protected]
• Wade Ellery, Director of Sales and Business Development, [email protected]
• Gerry Gebel, President, Axiomatics Americas, [email protected]
• Phil McQuitty, Director of Systems Engineering, [email protected]