IBM Security Identity & Access Manager

© 2014 IBM Corporation
IBM Security Systems
1© 2014 IBM Corporation
IBM Security Identity & Access Manager
Product Overview
Henrik Nelin Certified Security IT-Architect
henrik.nelin@se.ibm.com
January 2015

© 2014 IBM Corporation2
2
Agenda
 Overview IBM Security IAM
 IBM Security Identity Manager
 IBM Security Privileged Identity
Manager
 IBM Security Identity Governance
 IBM Security Access Manager
 IBM Security IAM Cloud
IBM Security Framework

Part of IBM’s comprehensive portfolio of security products

Identity and Access Management (IAM)
Securing extended enterprise with Threat-aware Identity and Access Management
Deliver
actionable identity intelligence
Safeguard
mobile, cloud and social access
Simplify
cloud integrations and identity
silos
Prevent
advanced
insider threats
• Validate “who is who”
especially when users connect from
outside the enterprise
• Proactively enforce access
policies on web, social and mobile
collaboration channels
• Manage and audit privileged
access across the enterprise
• Defend applications and data
against unauthorized access
• Provide federated access to enable
secure online business collaboration
• Unify “Universe of Identities”
for efficient directory management
• Streamline identity management across all
security domains
• Manage and monitor user entitlements
and activities with security intelligence
4

IBM Identity Management Product
IBM Security Identity Manager (ISIM)

Addressing Customer Challenges
IBM Identity Management
Manage users and their access rights
• Securely enroll, manage and terminate user
profiles and access rights throughout lifecycle
• Flag expired accounts and role conflicts
Streamline user access to protected
resources
• Reduce costs and improve user productivity with
password management and single sign-on
• Support strong authentication devices for extra
security
Safeguard access in Cloud / SaaS
environments
• Monitor shared and privileged accounts to
manage risk
• Secure user single sign-on in cloud
environments
Address regulatory mandates
• Produce audit reports to demonstrate
compliance with security regulations
• Monitor, identify and correct security violations

Identity Manager automates, audits, and remediates user access
rights across your IT infrastructure
Identity Manager
Identity
change
(add/del/mod)
HR Systems/
Identity Stores
Approvals
gathered
Accounts
updated
Accounts on 70+ different
types of systems managed.
Plus, In-House Systems &
portals
Databases
Operating
Systems
DatabasesDatabases
Operating
Systems
Operating
Systems
ApplicationsApplications
Networks &
Physical Access
Access
policy
evaluated
Detect and correct local privilege settings
Cost
Complexity
Compliance
Reduce Costs
• Self-service
password reset
• Automated user
provisioning
• Self-service
access request
Manage
Complexity
• Consistent
security policy
• Quickly integrate
new users & apps
Address
Compliance
• Closed-loop
provisioning
• Access rights
audit & reports
• Know the people behind
the accounts and why they
have the access they do
• Fix non-compliant accounts
• Automate user privileges
lifecycle across entire IT
infrastructure
• Match your workflow processes

IBM Security Systems | Technical Sales Enablement
Identity Service Center UI
 Request Access
 View Access
 Approvals -
Manage Activities
 The launch page
for all Identity
activities
8

Identity Service Center for business users: Access Request

Simplified policy, workflow, and configuration reduces setup time
 Wizards helps users build:
• Approval workflows
• Request for Information
Nodes
• Email Nodes
• Adoption Policies
• Recertification Policies
• Identity Feeds
• Service Definitions
 No need for programming or
scripting for simple configuration
options
• Defaults to “simple”
configuration
• Toggle to “advanced”
option to meet complex
needs

Centralized password management - enhances security and reduces help
desk costs
 Customer Challenge:
• High Help Desk costs to support employee
forgotten password requests
• Need to expire passwords regularly and
enforce password format for security
• Account breach may raise awareness of
weaknesses
 SIM solution:
• Self-service password management across all
systems
- Apply targeted or global password rules
- Verify compliance with target systems
• Password synchronization
- Propagate and intercept
• Challenge/response questions for forgotten
user ids and/or passwords
- User or site defined questions
- Email notification
• Integration with SAM E-SSO
- Desktop password reset/unlock at Windows
logon prompt
- Provisioning user access to SAM E-SSO

Account reconciliation – enforcing access policy
 Customer Challenge:
• When employees leave or change jobs, their
application and system accounts are not
terminated
• Dormant and “orphan” accounts result in higher
license costs, and expose organization to
security breaches
• Compliance audit failure could result
 IBM Solution:
• SIM can automatically reconcile “known good”
SIM users to accounts on target applications
and systems.
• Orphan accounts are recognized and can be
automatically suspended.
 Benefit: accounts available only for valid users –
lower IT admin costs, improved security
Managed
Endpoint
(accounts)
SIM
Reconciliation
User repository
with approved privileges

Access recertification - facilitates compliance
Customer challenge
• Compliance – ensuring account access remains updated and valid
IBM Security Identity Governance capabilities
• Attestation: Provides an access validation process to those who can responsibly and
accurately make that decision
• 3 types of recertification policies to validate continued need for resources
- Account recertification policies
• Account recertification policies target accounts on specific services
- Access recertification policies
• Access recertification policies target specific accesses (in decipherable terms, i.e. AD group
UK3g8saleww_R = sales pipeline portlet)
- User recertification policies
• A type of certification process that combines recertification of a user's role, account and group
membership into
a single activity

Identity Management On-the-Go!
Identity Manager Mobile
 Native Android and iPhone
app/interface
 Allows business managers to review
and approve employee requests
• also view history/status
 Supports password change, forgotten
password reset
(with challenge/ response)
 Support for OAuth authentication
for Android and iOS applications

Adapter portfolio: integration breadth and depth to achieve rapid value
Applications & Messaging
Blackberry Ent. Server
Cognos
Command line-based
applications
Documentum eServer
Google Apps
LDAP-based applications
Lotus Notes/Domino
Microsoft Lync
Microsoft Office365
Microsoft Sharepoint
Novell eDirectory
Novell Groupwise
Oracle E-Business Suite
Oracle PeopleTools
Rational Clearquest
Rational Jazz Server
Remedy
Salesforce.com
SAP GRC
SAP Netweaver
SAP AS Java
DB2/UDB
Oracle
MS SQL Server
Sybase
CA Top Secret
CA ACF2
Cisco UCM
Desktop Password
Reset Assistant
Entrust PKI
IBM Security Access Mgr.
IBM Security Access
Manager for ESSO
RACF zOS
RSA Authentication Mgr.
HP-UX
IBM AIX
IBM i/OS
Red Hat Linux
Solaris
Suse Linux
Windows Local
Approva BizRights
Citrix Pwd Mgr
Cryptovision PKI
ActivIdentity
Lawson
SecurIT R-Man
JD Edwards
Epic
Meditech
Tandem
BMC Remedy
Zimbra Mail
• Quickly integrate with
home-grown applications
• Easy wizard-driven
templates reduces
development time by 75%
• Requires fewer specialized
skills
Siebel
Windows AD/
Exchange
Fast, adaptable tooling for
custom Adapters
Broad Support for Prepackaged Adapters
Deep support, beyond a ‘check box’, for critical infrastructure and business applications
Applications and Messaging
Partner
Offered
Integrations
Databases
Operating SystemsAuthentication
and Security
Application adapter
Host adapter
Requires local adapter

Cognos-based reporting system facilitates audit requirements
 Full Cognos Reporting capabilities included
• Report Administration
- Report scheduling
- Distribution via email (PDF) and URL
• Report customization
• Web-based Report Viewer
• Dashboards
16

Identity Management
IBM Security Privileged Identity Manager (PIM)

IBM Security Privileged Identity Manager
Centrally manage, audit and control shared identities across the enterprise
Key release highlights
 Control shared access to sensitive user IDs
– Check-in / check-out using secure credential vault
 Track usage of shared identities
– Provide accountability
 Automated password management
– Automated checkout of IDs, hide password from
requesting employee, automate password reset to
eliminate password theft
 Request, approve and re-validate privileged access
– Reduce risk, enhance compliance
 Optional Privileged Session Recorder
– Visual recording of privileged user activities with on
demand search and playback of stored recordings
 Optional Application ID governance
– Replace hardcoded and clear text embedded credentials
IBM security solution
 Privileged Identity Management (PIM) solution providing
complete identity management and enterprise single sign-on
capabilities for privileged users
Prevent advanced
insider threats
Databases
Admin
ID
Credential
VaultPrivileged
Session
Recorder
Pwd
PIM for Apps
IBM Security
Privileged Identity Manager

Identity Management
IBM Security Identity Governance (ISIG)

Challenges with Identity Governance today …
Roles
Groups
Accounts
Actual
Usage
Business
Need
Risk
Privileges
The Problem: “Identity explosion” across the enterprise increasing
security risks, insider threats, and audit exposures
 Difficult to tie business activities to enterprise risk
 Auditors are unable to review access risk
and compliance without a lot of help from IT
 Business users lack insight that help them to
properly certify user accesses and entitlements
 Ongoing, automated controls to ensure continued compliance
– Multiple point tools to make it difficult to tie compliance processes to
governance and user provisioning activities

IBM Security Identity Governance and Administration solution:
offers integrated governance and user lifecycle management
IBM Security Identity Governance and Administration
 SIM collects entitlement data from managed resources
 SIG allows business to certify access rights, model roles, manage SoD
 SIM performs write-back to target systems for closed-loop fulfillment
IBM SIG

22
22
Identity and Access
Management
Access
Management
Safeguard
mobile, cloud and social access

23
Helping achieve secure transactions and risk-based enforcement
Safeguarding mobile,
cloud and social access
Consumer / Employee
Applications
Manage consistent
security policies
Consumers
Employees
BYOD
Security Team Application
Team
DataApplications
On/Off-premise
Resources
Cloud Mobile
Internet
Threat-aware application access across multiple channels
Strong Authentication, SSO, session management for secure B2E, B2B and
B2C use cases
Context-based access and stronger assurance for transactions from partners
and consumers
Transparently enforce security access policies for web and mobile
applications
Enforce security access polices without modifying the applications
Access Management
23

24
ISAM for Web and ISAM for Mobile Packages
ISAM for Web
• Layer 7 Load Balancer
• Web Threat Protection
ISAM for Mobile
• Context based access control
• Device registration/fingerprinting
• Multi-factor Authentication
• API Protection (OAuth)
• Web Reverse Proxy
• Policy Server
• Embedded LDAP
• Distributed Session Cache
ISAM Appliance
• Base Services

25
SSO
Enterprise
Applications/Data
User accesses data from inside
the corporate network1
User is only asked for Userid and
Password to authenticate2
Corporate Network
User accesses confidential data from
outside the corporate network3
User is asked for Userid /Password and
OTP based on risk score4 Outside the Corporate NetworkStrong
Authentication
 Built-in Risk scoring engine using user attributes and real-time context (e.g. Risk Scoring and Access policy based on Device
registration, Geo-political location, IP reputation, etc. )
 Support mobile authentication with built-in One-Time Password (OTP) and ability to integrate with 3rd party strong authentication
vendors, as needed. Example of supported OTPs are MAC OTP (email & SMS), HMAC OTP (TOTP & HOTP using client
generators like Google Authenticator), RSA SecurID Soft and Hard tokens
 Offer Software Development Kit (SDK) to integrate with 3rd party authentication factors and collect additional contextual attributes
from the device and user session
ISAM for Mobile
Stronger identity assurance for high risk access
25

Identity Management
IBM Security Identity & Access Management Cloud

IAM Cloud Service – Capabilities overview
•Bluemix
Securing infrastructure
& workloads
Secure usage of
business applications
Secure service
composition & apps
Manage cloud administration & workload access
Integrate identity & access into services & apps
Enable employees to connect securely to SaaS
• Protect applications and workloads
in private Cloud stacks (e.g. FIM)
• Deploy in VMware based on-prem clouds today; add
support for additional hypervisors and cloud platforms
• Support for applications to invoke service API’s on
behalf of a user
• Integration with cloud platforms (i.e. BlueMix) to
externalize identity from applications
• Provide Web and Federated SSO (i.e. SAML) to both
on/off-premises applications
• Provide self-service and portal based
experience/access for enterprise, business and
personal applications
IaaS
SaaS
PaaS
27

Integration

Identity enriched security intelligence:
 QRadar Device Support Module for
Identity Manager (including PIM vault
functions)
• Centrally reports in QRadar, the activities of
the SIM admin users
 Collect identity attribute info from SIM
registry. Use data in conjunction with log
events and network flow data in rules to
provide “identity context aware’ security
intelligence
• Map SIM identities and groups to activities
in QRadar-monitored applications. Help
correlate enterprise-wide user activities.
Generated reports can assist with SIM user
recertification or role planning
 User ID Mappings: multiple user ids from
systems are mapped to a common ID, i.e.
SKumar and SureshKumar are the same
person - for comprehensive activity
correlation
Identity
Repository
Security Identity
Manager
Databases
Operating
Systems
DatabasesDatabases
Operating
Systems
Operating
Systems
ApplicationsApplications
Networks &
Physical Access
SIM and QRadar Integration
• Identity mapping data
and user attributes
• SIM Server logs
• Application logs

30
Implementing identity and access management can address these
challenges and drive positive results
IT
Business
Decreases risk of internal fraud, data leak,
or operational outage
Streamline Compliance costs by providing
automated compliance reports
Can reduce the time to onboard and de-
provision identities from weeks to minutes
Can significantly reduce Help Desk costs
resulting from password reset calls
Improves end-user experience with Web-
based business applications by enabling
such activities such as single sign-on

31
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

IBM Security Identity & Access Manager

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie IBM Security Identity & Access Manager

Ähnlich wie IBM Security Identity & Access Manager (20)

Mehr von IBM Sverige

Mehr von IBM Sverige (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

IBM Security Identity & Access Manager