SlideShare ist ein Scribd-Unternehmen logo
1 von 20
Downloaden Sie, um offline zu lesen
IDENTITY AND ACCESS MANAGEMENT 101
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
Agenda
•
•
•
•
•
•

The Good, The Bad, & The Ugly
Terminology
Employee Lifecycle
Step-by-Step
Looking Ahead
Resources
The Good, The Bad, & The Ugly
• Good
– Saves time
– Improves accuracy and consistency

• Bad
– RIDICULOUSLY complex
– Never enough money/resources

• Ugly
– When everything works, you’ll be the hero
– If (when) something breaks, you’ll wish you’d saved up more sick days
How Many Acronyms Does It Take…
• IdM = Identity Management
– Manage the accounts

• FIdM = Federated Identity Managment
– Manage identity across autonomous domains

• IAM = Identity & Access Management
– Manage what the accounts can access
More Alphabet Soup
• LDAP – Lightweight Directory Access Protocol
• RBAC – Role Based Access Control
• SSO – Single Sign-On

• Federation
– SAML, SAML 2.0, WS-Federation, Liberty Alliance
Provisioning & Deprovisioning
• Provisioning
– IT giveth…

• Deprovisioning
– … and IT taketh away

• You need to track everything you provision if you ever expect
to deprovision it.
– Computers, phones, badges, app access, software licenses, etc.

• Your auditors will LOVE you for this!
3-Phase Employee Lifecycle
• #1 – Hire
– Autoprovision birthright entitlements, based on role (bear with me…)

• #2 – Transition
– New access replaces old access, right?

• #3 – Termination
– Deprovision, stat!

• #4 – Other?
– On Leave (medical, sabbatical, etc.)
– Terminated with Access
Step One: The Sit-Down
•

Meet with HR
–
–

•

Discuss roles
–
–

•

Dazzle them with your knowledge of RBAC
Remember that employee lifecycle slide?

How will you determine birthright access?
–
–

•

HR system is the system of record
Workforce members = employees + non-employees (decision time!)

Department + Job Code
Step back, take a look at current employees, and execute the smell test

Identify the processes you want to automate
–
–
–
–

Notification of hire/change/termination
Account creation/deletion (in connected systems, NOT system of record)
Access modification
Internal expenses (e.g., mobile devices)
Step Two: The Data Must Flow
•

Identify integration points
– Authentication Stores
• LDAP Directories
• Local Databases

– Commercial Apps
– Homegrown Apps

•

Internal vs. External
– Fewest # auth/auth stores possible
– External = federation

•

http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634

How are changes initiated?
– Transactional vs. batch

•

Conceptual diagram of your IAM infrastructure
Step Three: Integrate
• Define integration requirements
– PMO FTW!

• Take a technical inventory
– What do you have?
– What do you need?
– What can you get rid of?

• Start eating the elephant
–
–
–
–
–

HR -> Identity Store
Identity Store -> Active Directory
http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html
Identify Store -> [other LDAP directory]
Identity Store -> [email]
Identity Store -> [that one app that everyone in the company uses]
Intermission: Let’s Talk Tech
•

Components
–
–
–
–
–

Identity Store / Vault / Repository (not the system of record)
LDAP Directory
Entitlements Manager
Web Access Manager (+ Certificate Manager)
Password Manager

Vendors
•
•
•
•
•
•

CA Identity Manager
IBM / Tivoli Identity Manager
Microsoft Forefront Identity Manager
Novell Identity Manager
Oracle Identity Manager / Sun LDAP
RSA / Courion
• RSA = Access Manager & FIdM
• Courion = Provisioning & Passwords

Open Source
•
•
•
•
•

OpenIAM
OpenDS Directory Server
OpenSSO
Shibboleth (SSO)
Gluu
Pictures, or It Didn’t Happen

System of Record

Email

Other LDAP

Identity Provider

LDAP Server

User-Facing Apps

Databases
Password Manager

Entitlements Manager

Web Access Manager
Step Four: Communcation
•

Document the $#!% out of your IAM infrastructure
– Every single integration point
– Link the tech to business processes

•

Review documentation with…
–
–
–
–
–
–

•

Human Resources
LAN Support
System Owners
Application Developers
Production / Change Control
IT Leadership

Link IAM systems to Change Control system
– Notification of ANY and ALL changes
– Want to break IAM? Change a connected system without testing integration points!
Step Five: Audit
•

Trust, but verify

•

Things to audit
–
–
–
–

•

Segregation of duties
Access changes (esp. adminstrative & sensitive data)
Accounts for terminated users (reconcile with HR)
Share access

Security Information and Event Management (SIEM)
– Failed login attempts
– Attempts to access restricted data
– Privilege changes / escalation

•

Automate your auditing toolset
Destined to Fail
•

Most IAM projects fail. Why?
–
–
–

•

Lack of executive sponsorship
Project teams try to do too much at once
Referring to IAM is a ‘project’ in the first place

Mark Dixon’s Ten Best Practices for Identity Management Implementation
–
–
–
–
–
–
–
–
–
–

Set strategy
Secure sponsorship
Plan quick wins
Select project leadership
Define business processes
Select implementation team
Gain commitment from support resources
Provide proper infrastructure
Assure data quality
Conduct post-production turnover
http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity
Questions to Start Asking Now
•

Who’s going to support all this?

•

How can I enforce change control for IAM integration points?

•

How am I going to manage passwords?
–
–

•

How am I going to manage non-employees?
–
–
–

•

Consultants
Contractors
Interns

How am I going to manage RBAC exceptions and segregation of duties?
–

•

Single Sign-On
Password Synchronization

Pareto Principle (80/20 rule)

Identity in the Cloud?
–

Yeah, I said cloud. Drink ‘em if you got ‘em!
Resources
• Vendors
– Let them know you’re digging into IAM solutions & they’ll call you.

• LinkedIn Groups
– Identity and Access Management
• http://www.linkedin.com/groups?gid=66476

– Identity Management Specialists
• http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311

• Working Groups
– EDUCAUSE (http://www.educause.edu/iam)
– InCommon (http://www.incommon.org/iamonline/)
More Resources
• Internet2 Middleware Initiative
–
–
–
–
–
–
–

http://www.internet2.edu/middleware/index.cfm
MACE (Middleware Architecture Committee for Education)
Shibboleth Federated Single Sign-On Software
Grouper
Comanage: Collaborative Organization Management
MACE-Dir(ectories)
MACE-paccman (Privilege and Access Management)

• Open Source
–
–
–
–

OpenDS - http://www.opends.org/
OpenSSO - http://java.net/projects/opensso/
Shibboleth - http://shibboleth.internet2.edu/
Gluu - http://www.gluu.org/
Even More Resources
•

IdM vs. IAM
–

•

Gartner Identity and Access Management Summit
–

•

http://aws.amazon.com/iam/

Worst Practices: Three Big Identity and Access Management Mistakes
–

•

http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/

AWS Identity and Access Management
–

•

http://www.gartner.com/technology/summits/na/identity-access/

Gartner – Why There Are No IAM Magic Quadrants
–

•

http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html

http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes

Wikipedia
–
–
–

http://en.wikipedia.org/wiki/Identity_management
http://en.wikipedia.org/wiki/Identity_access_management
http://en.wikipedia.org/wiki/Federated_identity_management
Questions?
Jerod Brennen, CISSP
CTO & Principal Security Consultant, Jacadis
LinkedIn: http://www.linkedin.com/in/slandail
Twitter: https://twitter.com/slandail
http://www.jacadis.com
contact@jacadis.com

Más contenido relacionado

Was ist angesagt?

Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Aujas
 
Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101OneLogin
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM MaturityJerod Brennen
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMJerod Brennen
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access ManagementSam Bowne
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management StrategyNetIQ
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access managementPiyush Jain
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsEryk Budi Pratama
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsAlain Huet
 
Building a Customer Identity and Access Management (CIAM) Solution
Building a Customer Identity and Access Management (CIAM) SolutionBuilding a Customer Identity and Access Management (CIAM) Solution
Building a Customer Identity and Access Management (CIAM) SolutionWSO2
 
Enterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesEnterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesWSO2
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)Jack Forbes
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT Center
 

Was ist angesagt? (20)

Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016Identity and Access Management Playbook CISO Platform 2016
Identity and Access Management Playbook CISO Platform 2016
 
Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM Maturity
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
Building an Effective Identity Management Strategy
Building an Effective Identity Management StrategyBuilding an Effective Identity Management Strategy
Building an Effective Identity Management Strategy
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
 
Identity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOpsIdentity & Access Management for Securing DevOps
Identity & Access Management for Securing DevOps
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Identity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling conceptsIdentity and Access Management - Data modeling concepts
Identity and Access Management - Data modeling concepts
 
Building a Customer Identity and Access Management (CIAM) Solution
Building a Customer Identity and Access Management (CIAM) SolutionBuilding a Customer Identity and Access Management (CIAM) Solution
Building a Customer Identity and Access Management (CIAM) Solution
 
Enterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use CasesEnterprise Identity and Access Management Use Cases
Enterprise Identity and Access Management Use Cases
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Identity and Access Management (IAM)
Identity and Access Management (IAM)Identity and Access Management (IAM)
Identity and Access Management (IAM)
 
Security audit
Security auditSecurity audit
Security audit
 
Intel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management JourneyIntel IT's Identity and Access Management Journey
Intel IT's Identity and Access Management Journey
 

Ähnlich wie Identity and Access Management 101

TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To BasicsJoel Cardella
 
The Future of integrated Identity and Access Management
The Future of integrated Identity and Access ManagementThe Future of integrated Identity and Access Management
The Future of integrated Identity and Access ManagementZoho Corporation
 
Securing your esi_piedmont
Securing your esi_piedmontSecuring your esi_piedmont
Securing your esi_piedmontscm24
 
Identity & Access Management
 Project Challenges and Recovery
Identity & Access Management
 Project Challenges and RecoveryIdentity & Access Management
 Project Challenges and Recovery
Identity & Access Management
 Project Challenges and RecoveryHanno Ekdahl
 
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital TransformationWSO2
 
Reducing the Chance of an Office 365 Security Breach
Reducing the Chance of an Office 365 Security BreachReducing the Chance of an Office 365 Security Breach
Reducing the Chance of an Office 365 Security BreachQuest
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsCprime
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
Office 365 Security - MacGyver, Ninja or Swat team
Office 365 Security -  MacGyver, Ninja or Swat teamOffice 365 Security -  MacGyver, Ninja or Swat team
Office 365 Security - MacGyver, Ninja or Swat teamAntonioMaio2
 
Information security in office 365 a shared responsibility - antonio maio
Information security in office 365   a shared responsibility - antonio maioInformation security in office 365   a shared responsibility - antonio maio
Information security in office 365 a shared responsibility - antonio maioAntonioMaio2
 
Getting to Know Enterprise Content Management (ECM) and How It Can Help You
Getting to Know Enterprise Content Management (ECM) and How It Can Help YouGetting to Know Enterprise Content Management (ECM) and How It Can Help You
Getting to Know Enterprise Content Management (ECM) and How It Can Help YouInnoTech
 
SharePoint 2013 ECM & Methodology
SharePoint 2013 ECM & Methodology SharePoint 2013 ECM & Methodology
SharePoint 2013 ECM & Methodology Sonny Thai
 
Shadow IT Risk and Reward
Shadow IT Risk and RewardShadow IT Risk and Reward
Shadow IT Risk and RewardChris Haddad
 
Mitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory EnvironmentMitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory EnvironmentQuest
 
How to Deliver Closed-Loop Compliance
How to Deliver Closed-Loop ComplianceHow to Deliver Closed-Loop Compliance
How to Deliver Closed-Loop ComplianceForgeRock
 
The Keys To A Successful Identity And Access Management Program: How Does You...
The Keys To A Successful Identity And Access Management Program: How Does You...The Keys To A Successful Identity And Access Management Program: How Does You...
The Keys To A Successful Identity And Access Management Program: How Does You...Dell World
 
Implementing security and controls in people soft best practices - may 2017
Implementing security and controls in people soft   best practices - may 2017Implementing security and controls in people soft   best practices - may 2017
Implementing security and controls in people soft best practices - may 2017Smart ERP Solutions, Inc.
 
Transforming IT - ITaaS Onboarding
Transforming IT - ITaaS   OnboardingTransforming IT - ITaaS   Onboarding
Transforming IT - ITaaS OnboardingJerry Jermann
 
The “Other” 5 Things You Need to Care About in Active Directory
The “Other” 5 Things You Need to Care About in Active DirectoryThe “Other” 5 Things You Need to Care About in Active Directory
The “Other” 5 Things You Need to Care About in Active DirectoryScriptLogic
 

Ähnlich wie Identity and Access Management 101 (20)

TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
The Future of integrated Identity and Access Management
The Future of integrated Identity and Access ManagementThe Future of integrated Identity and Access Management
The Future of integrated Identity and Access Management
 
Securing your esi_piedmont
Securing your esi_piedmontSecuring your esi_piedmont
Securing your esi_piedmont
 
Identity & Access Management
 Project Challenges and Recovery
Identity & Access Management
 Project Challenges and RecoveryIdentity & Access Management
 Project Challenges and Recovery
Identity & Access Management
 Project Challenges and Recovery
 
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
[WSO2Con EU 2017] IAM: Catalyst for Digital Transformation
 
Reducing the Chance of an Office 365 Security Breach
Reducing the Chance of an Office 365 Security BreachReducing the Chance of an Office 365 Security Breach
Reducing the Chance of an Office 365 Security Breach
 
The What, Why, and How of DevSecOps
The What, Why, and How of DevSecOpsThe What, Why, and How of DevSecOps
The What, Why, and How of DevSecOps
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Office 365 Security - MacGyver, Ninja or Swat team
Office 365 Security -  MacGyver, Ninja or Swat teamOffice 365 Security -  MacGyver, Ninja or Swat team
Office 365 Security - MacGyver, Ninja or Swat team
 
Information security in office 365 a shared responsibility - antonio maio
Information security in office 365   a shared responsibility - antonio maioInformation security in office 365   a shared responsibility - antonio maio
Information security in office 365 a shared responsibility - antonio maio
 
Getting to Know Enterprise Content Management (ECM) and How It Can Help You
Getting to Know Enterprise Content Management (ECM) and How It Can Help YouGetting to Know Enterprise Content Management (ECM) and How It Can Help You
Getting to Know Enterprise Content Management (ECM) and How It Can Help You
 
SharePoint 2013 ECM & Methodology
SharePoint 2013 ECM & Methodology SharePoint 2013 ECM & Methodology
SharePoint 2013 ECM & Methodology
 
Shadow IT Risk and Reward
Shadow IT Risk and RewardShadow IT Risk and Reward
Shadow IT Risk and Reward
 
Mitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory EnvironmentMitigating Risk in a Complex Hybrid Directory Environment
Mitigating Risk in a Complex Hybrid Directory Environment
 
How to Deliver Closed-Loop Compliance
How to Deliver Closed-Loop ComplianceHow to Deliver Closed-Loop Compliance
How to Deliver Closed-Loop Compliance
 
The Keys To A Successful Identity And Access Management Program: How Does You...
The Keys To A Successful Identity And Access Management Program: How Does You...The Keys To A Successful Identity And Access Management Program: How Does You...
The Keys To A Successful Identity And Access Management Program: How Does You...
 
Implementing security and controls in people soft best practices - may 2017
Implementing security and controls in people soft   best practices - may 2017Implementing security and controls in people soft   best practices - may 2017
Implementing security and controls in people soft best practices - may 2017
 
Transforming IT - ITaaS Onboarding
Transforming IT - ITaaS   OnboardingTransforming IT - ITaaS   Onboarding
Transforming IT - ITaaS Onboarding
 
The “Other” 5 Things You Need to Care About in Active Directory
The “Other” 5 Things You Need to Care About in Active DirectoryThe “Other” 5 Things You Need to Care About in Active Directory
The “Other” 5 Things You Need to Care About in Active Directory
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 

Mehr von Jerod Brennen

Embedding Security in the SDLC
Embedding Security in the SDLCEmbedding Security in the SDLC
Embedding Security in the SDLCJerod Brennen
 
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Jerod Brennen
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTFJerod Brennen
 
Assess all the things
Assess all the thingsAssess all the things
Assess all the thingsJerod Brennen
 
What you need to know about OSINT
What you need to know about OSINTWhat you need to know about OSINT
What you need to know about OSINTJerod Brennen
 
Running Your Apps Through the "Gauntlt"
Running Your Apps Through the "Gauntlt"Running Your Apps Through the "Gauntlt"
Running Your Apps Through the "Gauntlt"Jerod Brennen
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Jerod Brennen
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development processJerod Brennen
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101Jerod Brennen
 

Mehr von Jerod Brennen (13)

Embedding Security in the SDLC
Embedding Security in the SDLCEmbedding Security in the SDLC
Embedding Security in the SDLC
 
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
Stealing Domain Admin (or How I Learned to Stop Worrying and Love the CSSF)
 
Automating Security Testing with the OWTF
Automating Security Testing with the OWTFAutomating Security Testing with the OWTF
Automating Security Testing with the OWTF
 
Assess all the things
Assess all the thingsAssess all the things
Assess all the things
 
What you need to know about OSINT
What you need to know about OSINTWhat you need to know about OSINT
What you need to know about OSINT
 
Running Your Apps Through the "Gauntlt"
Running Your Apps Through the "Gauntlt"Running Your Apps Through the "Gauntlt"
Running Your Apps Through the "Gauntlt"
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
 
Integrating security into the application development process
Integrating security into the application development processIntegrating security into the application development process
Integrating security into the application development process
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit Gap
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
 

Último

GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Libraryshyamraj55
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applicationsnooralam814309
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 

Último (20)

GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 

Identity and Access Management 101

  • 1. IDENTITY AND ACCESS MANAGEMENT 101 Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis
  • 2. Agenda • • • • • • The Good, The Bad, & The Ugly Terminology Employee Lifecycle Step-by-Step Looking Ahead Resources
  • 3. The Good, The Bad, & The Ugly • Good – Saves time – Improves accuracy and consistency • Bad – RIDICULOUSLY complex – Never enough money/resources • Ugly – When everything works, you’ll be the hero – If (when) something breaks, you’ll wish you’d saved up more sick days
  • 4. How Many Acronyms Does It Take… • IdM = Identity Management – Manage the accounts • FIdM = Federated Identity Managment – Manage identity across autonomous domains • IAM = Identity & Access Management – Manage what the accounts can access
  • 5. More Alphabet Soup • LDAP – Lightweight Directory Access Protocol • RBAC – Role Based Access Control • SSO – Single Sign-On • Federation – SAML, SAML 2.0, WS-Federation, Liberty Alliance
  • 6. Provisioning & Deprovisioning • Provisioning – IT giveth… • Deprovisioning – … and IT taketh away • You need to track everything you provision if you ever expect to deprovision it. – Computers, phones, badges, app access, software licenses, etc. • Your auditors will LOVE you for this!
  • 7. 3-Phase Employee Lifecycle • #1 – Hire – Autoprovision birthright entitlements, based on role (bear with me…) • #2 – Transition – New access replaces old access, right? • #3 – Termination – Deprovision, stat! • #4 – Other? – On Leave (medical, sabbatical, etc.) – Terminated with Access
  • 8. Step One: The Sit-Down • Meet with HR – – • Discuss roles – – • Dazzle them with your knowledge of RBAC Remember that employee lifecycle slide? How will you determine birthright access? – – • HR system is the system of record Workforce members = employees + non-employees (decision time!) Department + Job Code Step back, take a look at current employees, and execute the smell test Identify the processes you want to automate – – – – Notification of hire/change/termination Account creation/deletion (in connected systems, NOT system of record) Access modification Internal expenses (e.g., mobile devices)
  • 9. Step Two: The Data Must Flow • Identify integration points – Authentication Stores • LDAP Directories • Local Databases – Commercial Apps – Homegrown Apps • Internal vs. External – Fewest # auth/auth stores possible – External = federation • http://www.brickshelf.com/cgi-bin/gallery.cgi?i=2703634 How are changes initiated? – Transactional vs. batch • Conceptual diagram of your IAM infrastructure
  • 10. Step Three: Integrate • Define integration requirements – PMO FTW! • Take a technical inventory – What do you have? – What do you need? – What can you get rid of? • Start eating the elephant – – – – – HR -> Identity Store Identity Store -> Active Directory http://dst121.blogspot.com/2009/10/how-to-eat-elephant.html Identify Store -> [other LDAP directory] Identity Store -> [email] Identity Store -> [that one app that everyone in the company uses]
  • 11. Intermission: Let’s Talk Tech • Components – – – – – Identity Store / Vault / Repository (not the system of record) LDAP Directory Entitlements Manager Web Access Manager (+ Certificate Manager) Password Manager Vendors • • • • • • CA Identity Manager IBM / Tivoli Identity Manager Microsoft Forefront Identity Manager Novell Identity Manager Oracle Identity Manager / Sun LDAP RSA / Courion • RSA = Access Manager & FIdM • Courion = Provisioning & Passwords Open Source • • • • • OpenIAM OpenDS Directory Server OpenSSO Shibboleth (SSO) Gluu
  • 12. Pictures, or It Didn’t Happen System of Record Email Other LDAP Identity Provider LDAP Server User-Facing Apps Databases Password Manager Entitlements Manager Web Access Manager
  • 13. Step Four: Communcation • Document the $#!% out of your IAM infrastructure – Every single integration point – Link the tech to business processes • Review documentation with… – – – – – – • Human Resources LAN Support System Owners Application Developers Production / Change Control IT Leadership Link IAM systems to Change Control system – Notification of ANY and ALL changes – Want to break IAM? Change a connected system without testing integration points!
  • 14. Step Five: Audit • Trust, but verify • Things to audit – – – – • Segregation of duties Access changes (esp. adminstrative & sensitive data) Accounts for terminated users (reconcile with HR) Share access Security Information and Event Management (SIEM) – Failed login attempts – Attempts to access restricted data – Privilege changes / escalation • Automate your auditing toolset
  • 15. Destined to Fail • Most IAM projects fail. Why? – – – • Lack of executive sponsorship Project teams try to do too much at once Referring to IAM is a ‘project’ in the first place Mark Dixon’s Ten Best Practices for Identity Management Implementation – – – – – – – – – – Set strategy Secure sponsorship Plan quick wins Select project leadership Define business processes Select implementation team Gain commitment from support resources Provide proper infrastructure Assure data quality Conduct post-production turnover http://blogs.oracle.com/identity/entry/ten_best_practices_for_identity
  • 16. Questions to Start Asking Now • Who’s going to support all this? • How can I enforce change control for IAM integration points? • How am I going to manage passwords? – – • How am I going to manage non-employees? – – – • Consultants Contractors Interns How am I going to manage RBAC exceptions and segregation of duties? – • Single Sign-On Password Synchronization Pareto Principle (80/20 rule) Identity in the Cloud? – Yeah, I said cloud. Drink ‘em if you got ‘em!
  • 17. Resources • Vendors – Let them know you’re digging into IAM solutions & they’ll call you. • LinkedIn Groups – Identity and Access Management • http://www.linkedin.com/groups?gid=66476 – Identity Management Specialists • http://www.linkedin.com/groups/Identity-Management-Specialists-Group-41311 • Working Groups – EDUCAUSE (http://www.educause.edu/iam) – InCommon (http://www.incommon.org/iamonline/)
  • 18. More Resources • Internet2 Middleware Initiative – – – – – – – http://www.internet2.edu/middleware/index.cfm MACE (Middleware Architecture Committee for Education) Shibboleth Federated Single Sign-On Software Grouper Comanage: Collaborative Organization Management MACE-Dir(ectories) MACE-paccman (Privilege and Access Management) • Open Source – – – – OpenDS - http://www.opends.org/ OpenSSO - http://java.net/projects/opensso/ Shibboleth - http://shibboleth.internet2.edu/ Gluu - http://www.gluu.org/
  • 19. Even More Resources • IdM vs. IAM – • Gartner Identity and Access Management Summit – • http://aws.amazon.com/iam/ Worst Practices: Three Big Identity and Access Management Mistakes – • http://blogs.gartner.com/earl-perkins/2009/08/23/why-there-are-no-iam-magic-quadrants-resisting-the-inevitable/ AWS Identity and Access Management – • http://www.gartner.com/technology/summits/na/identity-access/ Gartner – Why There Are No IAM Magic Quadrants – • http://idm-thoughtplace.blogspot.com/2009/09/idm-vs-iam.html http://searchsecurity.techtarget.com/tip/Worst-Practices-Three-big-identity-and-access-management-mistakes Wikipedia – – – http://en.wikipedia.org/wiki/Identity_management http://en.wikipedia.org/wiki/Identity_access_management http://en.wikipedia.org/wiki/Federated_identity_management
  • 20. Questions? Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis LinkedIn: http://www.linkedin.com/in/slandail Twitter: https://twitter.com/slandail http://www.jacadis.com contact@jacadis.com