Identity and access management for portals
Identity and Access Management for Portals
Christopher Ehrsam
Senior Security Consultant, Prolifics
September 14, 2010
Portal Security Needs
• A portal is a collection of disparate systems integrated “at the glass” into a seamless front-end user experience.
• Individual systems brought together in this way typically have several pre-existing, separate security models.
• With tighter integration, system security becomes an issue. Single sign-on is critical to maintaining the seamless end-user experience the portal provides.
• Rights management is also a greater issue in portals. Every user must be checked for access to critical systems at the role or individual level. Without proper security systems this greatly increases administrative overhead, and manual administrative processes lead to errors, which reduce overall security.
Basic WebSphere and Portal Security Strategies
Securing WebSphere and Portal Applications
[Diagram, built up over three slides: three tiers to secure, WebSphere Application Server, Portal Server and Standalone Applications (homegrown and more), each carrying its own Managed Security box]
Managed Security covers:
• User Provisioning
• Authentication
• Authorization
Per-tier mechanisms labelled on the diagram: common directory, credential vault, J2EE security; application-based security, app server security.
Advanced Security Strategies
Evolving your Security Strategy
[Roadmap diagram: five steps from basic to advanced, in the order the rest of the deck follows]
1) Basic WebSphere & Portal Security
2) Centralize Access
3) Manage Identities across the Enterprise
4) Audit, Reporting and Compliance
5) Secure the Total System – from SOA to Portal
Centralize Access
(section divider: the roadmap slide repeated, with this step as the current one)
Centralizing Security with Tivoli Access Manager
[Diagram: the same three tiers (WebSphere Application Server, Portal Server, Standalone Applications: homegrown and more), each still with its Managed Security box, now fronted by a single Tivoli Access Manager layer]
Controlling Access to Standalone Applications
Figure 1. Unified, Policy-Based Security for the Web
BEFORE
• Too many passwords to remember
• Multiple admins with multiple access control tools
• User and access control information everywhere
(each application, J2EE and otherwise, keeps its own security policy, user & group info and audit data)
AFTER (Access Manager Security Services)
• Web single sign-on
• Single admin or delegated admins with a single tool
• User and security info centralized / understandable
(single user registry, unified policy, centralized audit)
Legend: security policy; user & group info; audit
Controlling Access to WebSphere Portal Server
[Diagram: browser requests pass through WebSEAL to WebSphere Portal (its security layer and portlets), on to WebSphere Application Server (its security layer) and the backing data store / application; WebSEAL consults the Policy Server, which holds the ACLs and user definitions]
• Tight integration; higher security
• Sharing user info in LDAP; Web SSO
• Access control to portlets and page groups
• Portlets can use Access Manager for fine-grained access control
• Access Manager GSO service snaps in as the WPS credential vault
Layers of Authorization
[Diagram: WebSEAL in front of a web server and WebSphere Portal on WAS, with the portlets and the back-end resources they reach]
• A: Web URL layer. TAM controls access.
• B: Portlet layer. Customer choice (TAM or Portal control).
• C: Business logic layer. TAM’s Java and .NET support.
Tivoli Access Manager Features
• Single Sign-On
  • To back-end applications: Basic Authentication; Forms-Based Authentication; TAI (WebSphere); LTPA (Lotus applications)
  • From portlets: the WebSphere Portal Credential Vault stores user IDs and passwords for back-end systems, and can be integrated with the TAM GSO Lockbox
  • From the Windows operating system (NTLM, SPNEGO/Kerberos)
  • From another WebSEAL server: Cross-Domain SSO; eCommunity SSO
  • From another source: SAML assertions; Extensible SSO Interface; Tivoli Federated Identity Manager for full cross-domain value
• Provide authorization services, with integrated security for WebSphere, Domino, .NET, BEA WLS, Siebel, mySAP, PeopleSoft, . . .
• Deliver robust management tools
  • Centralized, browser-based, delegated administration
  • Support for multiple registries (Tivoli Directory Server, Sun ONE, Novell, Domino, AD)
  • Single protected object namespace (for multiple, heterogeneous resources)
  • Comprehensive, policy-based audit
• Ensure high availability and scalability (via replication/caching/load balancing)
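The two preceding slides describe one protected object namespace with ACLs, evaluated at three layers (A: web URL, B: portlet, C: business logic). The following is an added example, not from the deck and not Tivoli Access Manager code: it models a hierarchical namespace in which an object without its own ACL inherits the nearest ancestor's (an assumed rule for this illustration), and runs a request through the three layers so that the first denying layer wins. The paths, permission letters, groups and users are constructed.

```python
"""Layered, policy-based authorization in front of a portal (constructed example).

Models one hierarchical protected object namespace carrying ACLs, evaluated at
three layers: A (web URL), B (portlet), C (business logic). Namespace layout,
permission letters, groups and users are made up; this is not TAM configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Toy permission codes (constructed, not TAM's permission letters)
READ, EXEC, ADMIN = "r", "x", "a"

ACL = Dict[str, Set[str]]  # group name -> permissions granted


@dataclass
class ProtectedObjectSpace:
    """Hierarchical namespace. An object without its own ACL inherits the ACL of
    its nearest ancestor (assumed inheritance rule for this example)."""
    acls: Dict[str, ACL] = field(default_factory=dict)

    def attach_acl(self, path: str, acl: ACL) -> None:
        self.acls[path.rstrip("/") or "/"] = acl

    def effective_acl(self, path: str) -> ACL:
        parts = [p for p in path.split("/") if p]
        # Walk from the most specific node up to the root; stop at the first explicit ACL.
        for depth in range(len(parts), -1, -1):
            node = "/" + "/".join(parts[:depth])
            if node in self.acls:
                return self.acls[node]
        return {}  # nothing attached anywhere: deny by default

    def permits(self, groups: Set[str], path: str, perm: str) -> bool:
        acl = self.effective_acl(path)
        return any(perm in acl.get(g, set()) for g in groups)


def build_demo_space() -> ProtectedObjectSpace:
    """Constructed namespace: URL subtree for layer A, portlet subtree for layers B and C."""
    pos = ProtectedObjectSpace()
    # Root: security administrators only; everything inherits this unless overridden.
    pos.attach_acl("/", {"sec-admin": {READ, EXEC, ADMIN}})
    # Layer A objects: the URL space published through the reverse proxy.
    pos.attach_acl("/WebSEAL/portal", {"employees": {READ}, "partners": {READ},
                                       "sec-admin": {READ, EXEC, ADMIN}})
    pos.attach_acl("/WebSEAL/portal/admin", {"sec-admin": {READ, EXEC, ADMIN}})
    # Layer B/C objects: portlets and the operations inside them.
    pos.attach_acl("/Portal/portlets/news", {"employees": {READ, EXEC}, "partners": {READ, EXEC}})
    pos.attach_acl("/Portal/portlets/payroll", {"payroll": {READ, EXEC},
                                                "sec-admin": {READ, EXEC, ADMIN}})
    pos.attach_acl("/Portal/portlets/payroll/approve", {"payroll-managers": {READ, EXEC},
                                                        "sec-admin": {READ, EXEC, ADMIN}})
    return pos


def authorize(pos: ProtectedObjectSpace, groups: Set[str],
              url: str, portlet: str, action: str) -> Tuple[bool, str]:
    """Evaluate the three layers in order; the first layer that denies wins.
    Returns (allowed, layer that made the decision)."""
    # Layer A: the web URL, checked at the proxy before the portal sees the request.
    if not pos.permits(groups, url, READ):
        return False, "A:url"
    # Layer B: the portlet. The slide leaves this to TAM or Portal; modelled via the namespace here.
    if not pos.permits(groups, f"/Portal/portlets/{portlet}", READ):
        return False, "B:portlet"
    # Layer C: the operation inside the portlet's business logic.
    if not pos.permits(groups, f"/Portal/portlets/{portlet}/{action}", EXEC):
        return False, "C:business-logic"
    return True, "allowed"


if __name__ == "__main__":
    space = build_demo_space()
    for who, groups, url, portlet, action in [
        ("alice (employees, payroll)", {"employees", "payroll"}, "/WebSEAL/portal/wps/myportal", "payroll", "view"),
        ("alice approving", {"employees", "payroll"}, "/WebSEAL/portal/wps/myportal", "payroll", "approve"),
        ("bob (partners)", {"partners"}, "/WebSEAL/portal/wps/myportal", "payroll", "view"),
        ("guest", {"guests"}, "/WebSEAL/portal/wps/myportal", "news", "view"),
    ]:
        print(who, "->", authorize(space, groups, url, portlet, action))
```

Because each layer is checked independently, a URL that the proxy allows does not imply that the portlet or its operations are reachable; the deeper ACL on the approve operation restricts a group that the parent portlet ACL admits.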
Controlling Access to Desktop and Enterprise Applications
Tivoli Access Manager for Enterprise Single Sign-On
Manage Identities across the Enterprise
(section divider: the roadmap slide repeated, with this step as the current one)
The Core Process Issues of Identity Management
• Provisioning
  • Is every user account on every resource valid?
  • Is user access configured correctly to every resource?
  • And does it stay that way?
• Productivity
  • Are users efficiently gaining access to valid resources?
• Access
  • Are access policies and data disclosure rules implemented consistently across every application, data source and operating system?
• Audit
  • Can I prove all of this to the auditor, for all users, systems and operational information?
Introducing Tivoli Identity Manager for User Provisioning
• Centrally and quickly validate all user access: reconcile user access with security policy
• Efficiently set up appropriate user access: workflow-based provisioning
• Automatically detect and correct inappropriate changes to user access: ‘closed-loop’ policy management
• Single login across IT resources: Web, Enterprise, Service-Oriented Architecture (SOA)
• Self-service for password resets and account updates: Web-based password management
Tivoli Identity Manager (TIM)
[Diagram: an identity change (add/del/mod) arrives from HR systems / identity stores; TIM gathers approvals, evaluates the access policy and updates accounts on the managed systems (operating systems, applications, databases). Accounts on 70 different types of systems are managed, plus in-house systems and portals.]
Role-Based Provisioning in TIM
[Diagram: an identity carries static roles and dynamic roles; a provisioning policy maps roles to entitlements, and the workflow engine (external links, custom scripts, human approvals, RFI, life-cycle definition, email) processes each change via the connector for the target system (AD, RACF, SAP)]
• Identity driven: automatic assignment based on current identity attributes (an identity change detected by Directory Integrator)
• Request driven: manual assignment based on a user request to change (identity change via self-service)
• Reconciliation: detect local changes (entitlement changes made directly in AD, RACF or SAP) and compare them against policy; notify the administrator, roll back the change, or suspend the account if the change is out of policy
Example roles shown on the diagram: Corporate, Accounting, Payroll, Sales, East, West, Information Technology, Security, Database, Distributed Systems
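The reconciliation loop above (detect local changes, compare against policy, then notify, roll back or suspend) is the part of role-based provisioning that keeps access from drifting. The following is an added example, not from the deck and not TIM's data model or API: a provisioning policy maps roles to entitlements per system, roles are derived both statically (assigned) and dynamically (from a department attribute), and accounts discovered on the targets are compared with what policy expects. Roles, systems, entitlements, identities and the discovered accounts are all constructed; the "provision" action for missing entitlements is an addition beyond the three actions the slide names.

```python
"""Closed-loop reconciliation against a role-based provisioning policy (constructed example).

Compares accounts discovered on target systems with what the policy says each
identity should hold, and assigns one of the slide's actions to each deviation
(notify, roll back, suspend) plus "provision" for entitlements that policy grants
but the account lacks. Nothing here is TIM's schema; all data is made up.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    system: str
    uid: str
    owner: Optional[str]           # identity the account is linked to; None = orphan
    entitlements: FrozenSet[str]


# Provisioning policy: role -> system -> entitlements the role grants (constructed)
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "accounting": {"SAP": {"FI_VIEW"}, "AD": {"Domain Users", "Finance-Share"}},
    "payroll":    {"SAP": {"HR_PAY"},  "AD": {"Domain Users"}},
    "it-dba":     {"AD": {"Domain Users", "DBA-Ops"}, "RACF": {"DB2ADMIN"}},
}
# Entitlements whose unauthorised presence is rolled back rather than only reported
PRIVILEGED = {"DBA-Ops", "DB2ADMIN", "HR_PAY"}

# Identities: static roles were assigned by request; dynamic roles come from attributes
IDENTITIES: Dict[str, Dict[str, object]] = {
    "alice": {"dept": "Accounting", "static_roles": set()},
    "bob":   {"dept": "IT",         "static_roles": {"it-dba"}},
    "carol": {"dept": "Accounting", "static_roles": {"payroll"}},
}


def dynamic_roles(attrs: Dict[str, object]) -> Set[str]:
    """Identity-driven assignment: the department attribute implies a role."""
    return {"accounting"} if attrs["dept"] == "Accounting" else set()


def expected_entitlements(identity: str) -> Dict[str, Set[str]]:
    """Union of what every static and dynamic role grants, keyed by system."""
    attrs = IDENTITIES[identity]
    expected: Dict[str, Set[str]] = {}
    for role in set(attrs["static_roles"]) | dynamic_roles(attrs):
        for system, ents in POLICY.get(role, {}).items():
            expected.setdefault(system, set()).update(ents)
    return expected


def reconcile(discovered: List[Account]) -> List[Tuple[Account, str, str]]:
    """Return (account, finding, action) for every account that deviates from policy."""
    findings: List[Tuple[Account, str, str]] = []
    for acct in discovered:
        # An account with no owning identity cannot be checked against any role: suspend it.
        if acct.owner is None or acct.owner not in IDENTITIES:
            findings.append((acct, "orphan account (no owning identity)", "suspend"))
            continue
        allowed = expected_entitlements(acct.owner).get(acct.system, set())
        extra = set(acct.entitlements) - allowed
        if extra:
            # Local change granted something policy does not: privileged extras are rolled
            # back, anything else is reported to the administrator.
            action = "roll back" if extra & PRIVILEGED else "notify"
            findings.append((acct, f"out-of-policy entitlements: {sorted(extra)}", action))
        missing = allowed - set(acct.entitlements)
        if missing:
            findings.append((acct, f"entitlements missing under policy: {sorted(missing)}", "provision"))
    return findings


# Accounts "discovered" on the targets (constructed sample, one deviation per case)
DISCOVERED = [
    Account("AD",   "alice", "alice", frozenset({"Domain Users", "Finance-Share"})),          # in policy
    Account("AD",   "bob",   "bob",   frozenset({"Domain Users", "DBA-Ops", "Finance-Share"})),  # extra, not privileged
    Account("SAP",  "carol", "carol", frozenset({"HR_PAY", "FI_VIEW"})),                     # payroll + accounting: in policy
    Account("RACF", "dave",  None,    frozenset({"DB2ADMIN"})),                               # orphan
    Account("SAP",  "alice", "alice", frozenset({"FI_VIEW", "HR_PAY"})),                     # extra privileged entitlement
    Account("AD",   "carol", "carol", frozenset()),                                           # under-provisioned
]


if __name__ == "__main__":
    for acct, finding, action in reconcile(DISCOVERED):
        print(f"{acct.system}/{acct.uid}: {finding} -> {action}")
```

Running the block lists four findings: the orphan RACF account is suspended, the privileged HR_PAY entitlement alice gained directly in SAP is rolled back, bob's extra file-share membership is only reported, and carol's empty AD account is queued for provisioning; the two accounts that match policy produce nothing.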
Identity Management across the Enterprise
• Standalone applications: agentless adapters; API to implement custom adapters
• Application server: provisions the LDAP
• Portal: provisions the LDAP used by TAM and Portal; can provision apps behind portlets that use the Portal credential store or the TAM GSO lockbox
• Tivoli Directory Integrator (TDI, IDI) synchronizes back-end user repositories; also works as a virtual directory layer for the TAM EAI interface
• Desktop and enterprise applications: provisions TAM ESSO
[Diagram: the three tiers (WebSphere Application Server, Portal Server, Standalone Applications: homegrown and more) with their Managed Security boxes, fronted by Tivoli Access Manager, with Tivoli Identity Manager supplying user IDs to all of them]
Architecture
[Diagram, zones from left to right: INTERNET | DMZ | INTRANET. A browser on the Internet reaches the WebSEAL proxy in the DMZ; WebSEAL forwards to the Portal Server and other targets on the intranet and consults the TAMeb Policy Server and LDAP (Tivoli Access Manager for e-business, TAMeb); Tivoli Identity Manager sits on the intranet alongside them]
Portal Authentication Example
Audit, Reporting and Compliance
(section divider: the roadmap slide repeated, with this step as the current one)
Regulatory Mandates Require Compliance Solutions: Corporate Governance, Privacy, Cyber Crime and Critical Infrastructure

| Regulation | Scope | Security Requirements |
|---|---|---|
| Sarbanes-Oxley Act | All U.S. public companies; major globals also impacted | Internal control and audit requirements aided by Identity Management |
| HIPAA | Healthcare providers, insurers, clearinghouses | Requires customer notification, security and privacy safeguards |
| 21 CFR Part 11 | FDA-regulated companies (20% of US spend) choosing to file electronically | Security requirements for protecting data and access if the company files electronically |
| Basel II | Required by EU banks; larger US & Japanese banks will follow | Operational risk management clause requires security and identity management investments |
| Gramm-Leach-Bliley Act | US financial institutions | Financial institutions must: 1) securely store personal financial information (PFI); 2) give consumers opt-out |
Tivoli Access Manager Provides a Common Audit and Reporting Service (CARS)
[Screenshots: General Authorization Event report and Event Details report]
Out of the box reports:
• Audit Event History by User
• Failed Authentication History
• Locked Account History
• User Password Change History
• Server Availability Report
• Most Active Accessors Report
• Authorization Event History by Action
• Security Server Audit Event History
• Resource Access By Accessor Report
• etc.
Tivoli Identity Manager Provides Reporting, Alerts and Workflow to Enforce Security Policy
Out-of-the-Box Reports Documenting the Corporate Security Policy

| Type of Report | Description |
|---|---|
| Individual Accounts | List all accounts that belong to a specific person, OrgUnit or whole system |
| Accounts by Role | List all accounts of people in a specific role |
| Accounts on Service | Details of accounts that exist on a specific service (person, account, account status, etc.) |
| Policies Governing a Role | Shows all of the policies (and related resources) that pertain to a specific role |
| Entitlement by Individual | Show a list of all entitlements that belong to a specific individual |
| Performed Provisioning Actions | All provisioning actions that meet specific criteria, such as add/mod/del/suspend/restore, filtered by date, status, service, user, etc. |
| Provisioning actions performed by individual | List of provisioning actions performed by an individual (add/mod/delete, etc.), filtered by date, status, service, user, etc. |
| Approvals/Rejections | List activities approved or rejected, filtered by approver, date, resource, status, etc. |
| Pending Approvals | List all pending approvals, filtered by approver, date, resource, status, etc. |
| Suspended Accounts | List all accounts that have been suspended; filter by userid, username, service, date |
| Suspended People | List all users that have been suspended; filter by user, OU, date |
| Services | List all services; filter by resource name, service type, owner, OU |
| Policies | List all policies; filter by name, wildcard |
| ACI | List all ACIs; filter by name, context, object, scope, OU |
| Reconciliation Stats | # accounts processed, # orphans, # accounts, # accounts w/ policy violations, # accounts modified, # accounts deprovisioned, # accounts suspended, etc. |
| Non-compliant accounts | List all non-compliant accounts and reason; filter by service |
Audit Logs and Tracking
TAM ESSO captures logs for:
• Login / logoff
• Password changes
• Second-factor authentication
• Failed login ….
• Customizable events
Sample timeline shown on the slide:
6:00 Jack Bower logs in to CTU
6:13 President Logan arrives at EMC
6:27 Lisa Ascot logs off from TIM server
6:39 Data Server in LA goes down!!
6:44 John Abruzzi changes his password
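The event types listed here (login/logoff, password changes, failed logins) are what the CARS reports two slides earlier summarise: Failed Authentication History, Locked Account History, Most Active Accessors, Resource Access by Accessor. The following is an added example, not from the deck and not the CARS schema or TAM's lockout configuration: it parses a constructed key=value audit log and derives those four reports, including a lockout rule (three failures within ten minutes, invented for the example) so that a brute-force burst against one account shows up as a lock record while two isolated failures do not.

```python
"""Deriving audit reports from authentication/authorization events (constructed example).

The log layout, users, addresses and the lockout rule are invented for this
illustration; they are not the CARS event schema or TAM's lockout settings.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 3                 # failures ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... within this window lock the account (assumed rule)

# Constructed sample: one timestamp then key=value pairs per line
SAMPLE_AUDIT = """\
2010-09-14T06:00:12Z event=authn outcome=success user=jbauer src=10.0.0.5 server=webseal1
2010-09-14T06:02:40Z event=authz outcome=success user=jbauer src=10.0.0.5 object=/WebSEAL/portal/wps/myportal
2010-09-14T06:05:01Z event=authn outcome=failure user=lascot src=198.51.100.7 server=webseal1
2010-09-14T06:05:30Z event=authn outcome=failure user=lascot src=198.51.100.7 server=webseal1
2010-09-14T06:06:02Z event=authn outcome=failure user=lascot src=198.51.100.7 server=webseal1
2010-09-14T06:06:45Z event=authn outcome=failure user=lascot src=198.51.100.7 server=webseal1
2010-09-14T06:20:00Z event=authn outcome=failure user=jabruzzi src=10.0.0.9 server=webseal2
2010-09-14T06:44:10Z event=pwdchange outcome=success user=jabruzzi src=10.0.0.9 server=webseal2
2010-09-14T06:50:00Z event=authz outcome=denied user=lascot src=198.51.100.7 object=/WebSEAL/portal/admin
2010-09-14T06:51:00Z event=authn outcome=failure user=jabruzzi src=10.0.0.9 server=webseal2
"""

Event = Dict[str, object]


def parse_audit(text: str) -> List[Event]:
    """Turn each non-empty line into a dict; 'ts' is a datetime, everything else a string."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev: Event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def failed_authentication_history(events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Failed Authentication History: (time, user, source) for every failed login."""
    return [(e["ts"], e["user"], e["src"]) for e in events
            if e.get("event") == "authn" and e.get("outcome") == "failure"]


def locked_account_history(events: List[Event]) -> List[Tuple[datetime, str]]:
    """Locked Account History: a user whose failures reach the threshold inside the
    window is locked. A success clears the counter, and so does a lock, so one
    burst produces exactly one record."""
    locks: List[Tuple[datetime, str]] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.get("event") != "authn":
            continue
        user = str(e["user"])
        if e["outcome"] == "success":
            recent[user].clear()
            continue
        window = [t for t in recent[user] if e["ts"] - t <= LOCKOUT_WINDOW]
        window.append(e["ts"])
        if len(window) >= LOCKOUT_THRESHOLD:
            locks.append((e["ts"], user))
            window = []
        recent[user] = window
    return locks


def most_active_accessors(events: List[Event], top_n: int = 3) -> List[Tuple[str, int]]:
    """Most Active Accessors: users ranked by number of audit events of any kind."""
    return Counter(str(e["user"]) for e in events).most_common(top_n)


def resource_access_by_accessor(events: List[Event]) -> Dict[str, Counter]:
    """Resource Access by Accessor: per user, how often each (object, outcome) occurred."""
    access: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.get("event") == "authz":
            access[str(e["user"])][(e["object"], e["outcome"])] += 1
    return dict(access)


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    print("failed logins:", failed_authentication_history(evs))
    print("locks:", locked_account_history(evs))
    print("most active:", most_active_accessors(evs))
    print("resource access:", resource_access_by_accessor(evs))
```

In the sample, lascot's four failures in under two minutes produce one lock record at the third failure, while jabruzzi's two failures half an hour apart stay below the threshold; the same lascot account is then the most active accessor and the only one with a denied authorization against the admin URL, which is the kind of correlation the report set is meant to make visible.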
Secure the Total System – from SOA to Portal
(section divider: the roadmap slide repeated, with this step as the current one)
Portal…an onramp to SOA
[Diagram of the SOA stack, bottom to top: Enterprise Data (Customers, Employees, Partners, Products); Enterprise Applications (Enterprise Resource Planning (ERP), Sales Force Automation (ERP), Call Center (CRM), Legacy Application) and External Applications (Tax, Health, Credit, Commerce Partners); Service-Oriented Architecture Foundation (Messaging & Brokering Services, Information & Content Services, Portal Services, Shared Business Services), with Service-Oriented Development of Applications and Composite Application & Service Management alongside; Portal Applications at the top (Employee Portal, Customer Self-Service, Collaborative Workspace, Corporate Extranet, Executive Dashboard, Partner Portal)]
SOA Security Solution - DataPower XS40
• XML/SOAP Firewall - Filter on any content, metadata or network variables
• Data Validation - Approve incoming/outgoing XML and SOAP at wire speed
• Field-Level XML Security - Encrypt and sign individual message fields, non-repudiation
• XML Web Services Access Control - SAML, LDAP, RADIUS, etc.
• Multi-Step & XML/SOAP Routing - Sophisticated multi-stage pipeline
• Web Services Management - Web services proxy, SLM
• Transport Layer Flexibility - SSL acceleration, WebSphere MQ
• Service Virtualization - Mask back-end resources
• Configuration & Administration - Ease of use, integration for management
[Diagram: a Web Services Requestor on the Internet passes through an IP firewall and the XS40 XML Security Gateway before reaching the Web Services Application Server and a Legacy Application Server]
In Conclusion
IBM endorses Prolifics to provide these Security Solutions…
• Overall reduction in IT administration costs
• Ability to manage increasing amounts of risk, mobile workforce, high turnover, …
• Support for meeting regulations and compliance
• Ability to respond to business changes quickly and with flexibility
[Diagram: the three tiers (WebSphere Application Server, Portal Server, Standalone Applications: homegrown and more) with their Managed Security boxes, fronted by Tivoli Access Manager and DataPower, with Tivoli Identity Manager supplying user IDs]
Questions?
Contact: Christopher Ehrsam, Senior Security Architect
Email: [email protected]
Interested in finding out more information about Prolifics’ Security Services and IBM Security software?
Contact: Prolifics Customer Relationship Management
Email: [email protected]
(800) 675-5419 or (212) 267-7722