2. Stay connected to Allidm
Find us on Facebook:
http://www.facebook.com/allidm
Follow us on Twitter:
http://twitter.com/aidy_idm
Look for us on LinkedIn:
http://www.linkedin.com/allidm
Visit our blog:
http://www.allidm.com/blog
3. Disclaimer and Acknowledgments
The contents here are created as my own personal endeavor and
thus do not reflect any official stance of any Identity and
Access Management vendor on any particular technology.
4. Contact Us
In this presentation we'll talk about some useful topics that
you can use no matter which identity and access management
solution or product you are working on.
If you know one that makes a big difference, please tell us so
we can include it in the future.
aidy.allidm@gmail.com
5. What’s Identity?
Origin
1560–70; from Late Latin identitās, equivalent to Latin ident-
(idem) "repeatedly, again and again", earlier *idem et idem
(idem, neuter of īdem "the same", + et "and") + -itās "-ity"
Definition
The distinguishing character or personality of an individual:
individuality.
The set of behavioral or personal characteristics by which an
individual is recognizable as a member of a group
6. Identity
An identity in an identity management system is used
to establish an identity record with attributes.
An identity is typically defined by a combination of
generic attributes, such as first name, last name,
address, etc., and one or more specific attributes
that are meaningful to the organization maintaining
the identity details.
7. What’s Identity Management?
According to Wikipedia, the definition is:
Identity management (IdM) describes the management of
individual identities, their authentication, authorization, roles,
and privileges/permissions within or across system and
enterprise boundaries with the goal of increasing security and
productivity while decreasing cost, downtime, and repetitive
tasks.
“Identity Management" and "Identity and Access
Management " (or IAM) are terms that are used
interchangeably under the title of Identity management.
8. Identity and Access Management
The growing number of web-enabled applications and
the changing roles of different user communities
create challenges for the modern enterprise.
These challenges include:
controlling access to network resources
maintaining the consistency of user identity between
different applications
making new applications easy to manage.
9. Why Is Identity and Access
Management a Problem?
Companies typically develop and implement network
applications in individual projects without a common
user information repository.
Each application is deployed with its own provisioning and
identity-management interfaces, and with its own security
systems.
Identity information and security policies are distributed across
many applications, and repositories are controlled by a variety of
internal and external groups.
Administration redundancies can result in inconsistent identity
data across the enterprise, increased operating costs, and an ad
hoc security strategy.
10. Why Is Identity and Access
Management a Problem?
Environments with disparate sources of identity information
have different approaches for organizing user entries, security
practices, access control, and other essential aspects of
information architecture.
Enterprises with affiliate business and consumer relationships
potentially have user populations that reach into the tens or
hundreds of millions.
When new applications are deployed without a common identity
infrastructure, security decisions are often made in an ad hoc
manner by developers and system administrators.
Inconsistent processes for account deactivation.
11. Why Is Identity and Access
Management a Problem?
Duplication of identity infrastructure functions across
multiple applications, and ad hoc security decisions, contribute
to operational inefficiencies across the enterprise.
This duplication of effort increases costs, delays time to
market, and reduces revenues.
12. Why Identity Management?
The number of identities continues to grow.
Identity inside the company
Identity with other partners
Identity on the cloud
Evolution to client/server applications and the
Internet has dramatically increased the number of
identities we have to remember.
13. Multiple Identities
An Identity Management solution needs to cover one or all of the
following identity types for a person:
Single Identity
Multiple Identities
In a university, a person might be a staff member and a student at the
same time.
Service or Batch Identities
Identities used to run some nightly process or any other automated
process.
Cloud Identity
14. Why an IAM Solution?
Improve user productivity
Reduce high support costs
Remediate compromised security
Find compliance deficiencies
Decrease corporate dissatisfaction
15. IAM Solutions on Enterprise
An identity management solution is typically
integrated with the following systems, each with its own
purpose and access requirements:
Windows Systems
Unix
Linux
Macintosh
Legacy Systems
16. IAM Solutions on Enterprise
These systems may also run different applications:
Enterprise applications
SAP
PeopleSoft
Databases
Oracle
DB2
SQL Server
Sybase
Other Desktop or Web based applications
Home-grown applications
Custom built by outside developers
17. IAM Solutions
The identity problem is not resolved with only one solution or
product; when it is implemented, the enterprise usually needs to
use a combination of them.
IAM solutions might include:
Directory Services
To manage the account attributes and organization structure
Access Management
Single Sign On
To manage the Authentication and Authorization for users
Identity Life-cycle Management
To manage Account Provisioning & De-provisioning
Role Management
To manage RBAC
19. IAM Holes
Password Management
Users have to remember so many darn passwords.
Orphan Accounts
From a compliance standpoint, orphan accounts are a
major concern, since orphan accounts mean that ex-employees
and former contractors or suppliers still have legitimate
credentials and access to internal systems.
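Orphan-account detection as an added example (not from the presentation): it reconciles a constructed HR feed with constructed account lists from two applications, flags accounts whose owner is missing from HR or left more than a grace period ago, skips known service identities, and also reports accounts whose attributes drifted from HR. All names, ids and logins are made up.

```python
from datetime import date

# Constructed sample data (not from any real system): an authoritative HR feed
# keyed by employee id, and the account lists pulled from two applications.
HR_FEED = {
    "e1001": {"name": "Ana Ruiz", "status": "active", "left": None},
    "e1002": {"name": "Bo Chen", "status": "terminated", "left": date(2012, 1, 15)},
    "e1003": {"name": "Cy Dale", "status": "active", "left": None},
}
APP_ACCOUNTS = {
    "erp": [
        {"login": "aruiz", "owner": "e1001", "name": "Ana Ruiz"},
        {"login": "bchen", "owner": "e1002", "name": "Bo Chen"},
        {"login": "nightly_batch", "owner": None, "name": "Batch job"},
    ],
    "crm": [
        {"login": "ana.ruiz", "owner": "e1001", "name": "Ana R."},
        {"login": "old_contractor", "owner": "c0400", "name": "Former vendor"},
        {"login": "cdale", "owner": "e1003", "name": "Cy Dale"},
    ],
}
# Known service/batch identities; reviewed separately, not treated as orphans.
SERVICE_ACCOUNTS = {"nightly_batch"}


def reconcile(hr, apps, service_accounts, today, grace_days=7):
    """Return (app, login, finding) tuples for accounts that need attention."""
    findings = []
    for app, accounts in apps.items():
        for acct in accounts:
            login, owner = acct["login"], acct["owner"]
            if login in service_accounts:
                continue
            record = hr.get(owner) if owner else None
            if record is None:
                # No authoritative owner at all: classic orphan (unknown or ex-contractor id)
                findings.append((app, login, "orphan: no owner in HR feed"))
            elif record["status"] == "terminated":
                # Owner left; allow a short grace period for de-provisioning to run
                age = (today - record["left"]).days
                if age > grace_days:
                    findings.append((app, login, f"orphan: owner left {age} days ago"))
            elif record["name"] != acct["name"]:
                # Owner is fine, but the account's identity data drifted from HR
                findings.append((app, login, "inconsistent: name differs from HR"))
    return findings


def report(today_iso):
    """Run the reconciliation as of a given day (ISO date string)."""
    return reconcile(HR_FEED, APP_ACCOUNTS, SERVICE_ACCOUNTS, date.fromisoformat(today_iso))
```

Running `report("2012-03-01")` yields three findings: the terminated owner's ERP account, the CRM account with no HR owner, and the CRM account whose name disagrees with HR.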
20. IAM Challenges
Dealing with multiple identities
Dealing with orphan accounts
Managing a lot of manual tasks
Business Processes not well defined
Expectation to make the IdM a data synchronization engine for
application data
Getting all stakeholders to share a common view of the area, so
that they come together and discuss the issues
Lack of leadership and support from sponsors
Deploying too many IdM technologies in a short time period
Lack of consistent architectural vision
21. Industry Standards
Some standards used to implement IAM solutions are:
Security Assertion Markup Language (SAML)
Liberty Alliance Identity Web Services Framework (ID-WSF)
Service Provisioning Markup Language (SPML)
Directory Services Markup Language (DSML)
OASIS eXtensible Access Control Markup Language (XACML)
Lightweight Directory Access Protocol (LDAP)
OAuth
Simple Cloud Identity Management (SCIM)
22. Industry Standards
SAML
Defining and maintaining a standard, XML-based
framework for creating and exchanging security
information between online partners
http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=security
ID-WSF
http://projectliberty.org/resources/specifications.php/?f=resources/specifications.php
23. Industry Standards
SPML
Providing an XML framework for managing the provisioning and
allocation of identity information and system resources within
and between organizations
http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=provision
DSML
A specification that adds support for querying and modifying
directories.
http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=dsml
24. Industry Standards
OAuth
An open protocol to allow secure API authorization in a simple
and standard method from desktop and web applications
http://oauth.net/
SCIM
Designed to make managing user identity in cloud based
applications and services easier. The specification suite seeks to
build upon experience with existing schemas and deployments,
placing specific emphasis on simplicity of development and
integration, while applying existing authentication,
authorization, and privacy models.
http://www.simplecloud.info/
25. Road map
IAM solutions are implemented in phases and are
usually a multi-year project.