Identity and Access Management: a Functional Model - PowerPoint PPT Presentation

Loading...

PPT – Identity and Access Management: a Functional Model PowerPoint presentation | free to view - id: 710adf-YmZmY



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Identity and Access Management: a Functional Model

Description:

Title: Identity and Access Management Model: A Functional Approach Author: Keith D. Hazelton Last modified by: Keith Hazelton Created Date: 1/31/2005 6:32:03 PM – PowerPoint PPT presentation

Number of Views:376
Avg rating:3.0/5.0
Slides: 99
Provided by: Keit1169
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Identity and Access Management: a Functional Model


1
Identity and Access Managementa Functional Model
  • http//arch.doit.wisc.edu/keith/camp/
  • iamintro-050627-01.ppt
  • Keith Hazelton (hazelton_at_doit.wisc.edu)
  • Sr. IT Architect, University of Wisconsin-Madison
  • Internet2 MACE
  • CAMP Integration, Denver, June 27, 2005

2
Topics
  • What is Identity and Access Management (IAM)?
  • The IAM Stone Age
  • A better vision for IAM
  • Basic IAM functions mapped to NMI/MACE components
  • Integration as a theme

3
Identity and Access Management(IAM) defined
  • What is Identity Management?
  • Identity management is the set of business
    processes, and a supporting infrastructure, for
    the creation, maintenance, and use of digital
    identities. The Burton Group (a research firm
    specializing in IT infrastructure for the
    enterprise)
  • Identity Management in this sense is often called
    Identity and Access Management (IAM)
  • What problems do Identity and Access Management
    address?

4
IAM is
  • Hi! Im Lisa. (Identity)
  • and heres my NetID / password to prove it.
  • (Authentication)
  • I want to do some E-Reserves reading.
  • (Authorization ? Allowing Lisa to use
    the services for which shes authorized)
  • And I want to change my grade in last semesters
    Physics course.
  • (Authorization ? Preventing her from doing
    things shes not supposed to do)

5
IAM is also
  • New hire, Assistant Professor Alice
  • Department wants to give her an email account
    before her appointment begins so they can get her
    off to a running start
  • How does she get into our system and get set up
    with the accounts and services appropriate to
    faculty?

6
What questions are common to these scenarios?
  • Are the people using these services who they
    claim to be?
  • Are they a member of our campus community?
  • Have they been given permission?
  • Is their privacy being protected?
  • Policy/process issues lurk nearby

7
The IAM Stone Age
  • List of functions
  • AuthN Authenticate principals (people, servers)
    seeking access to a service or resource
  • Log Track access to services/resources

8
The IAM Stone Age
  • Every application for itself in performing these
    functions
  • User list, credentials, if youre on the list,
    youre in (AuthN is authorization (AuthZ)
  • As Hobbes might say Stone age IAM nasty,
    brutish short on features

9
Vision of a better way to do IAM
  • IAM as a middleware layer at the service of any
    number of applications
  • Requires an expanded set of basic functions
  • Reflect Track changes to institutional data from
    changes in Systems of Record (SoR) other IdM
    components
  • Join Establish maintain person identity across
    SoR

10
Your Digital Identity and The Join
  • The collection of bits of identity information
    about you in all the relevant IT systems at your
    institution
  • For any given person in your community, do you
    know which entry in each systems data store
    carry bits of their identity?
  • If more than one system can create a person
    record, you have identity fragmentation

11
The pivotal concept of IAM The Join
  • Identity fragmentation cure 1 The Join
  • Use business logic to
  • Establish which records correspond to the same
    person
  • Maintain that identity join in the face of
    changes to data in collected systems

12
Identity Information Access
  • Some direct from the Enterprise Directory via
    reflection from SoR
  • Other bits need to be made reachable by
    identifier crosswalks

Registry ID Sys A ID Sys B ID Sys C ID Sys D ID
3a104e59 fsmith32 86443 freds 864164
8c2f916d abecker1 45209 amyb 752731
13
Identity Information Reachability
Registry ID Sys A ID Sys B ID Sys C ID Sys D ID
3a104e59 fsmith32 86443 freds 864164
8c2f916d abecker1 45209 amyb 752731
  • In System B, to get info from System D
  • Lookup Sys D ID in identifier crosswalk
  • Use whatever means Sys D provides to access info
  • For new apps, leverage join by carrying Registry
    ID as a foreign key--even if not in crosswalk

14
Identity Information Reachability
Registry ID Sys A ID Sys B ID Sys C ID Sys D ID
3a104e59 fsmith32 86443 freds 864164
8c2f916d abecker1 45209 amyb 752731
  • Key to reachability is less about technology,
    more about shared practice across system owners

15
Identity Fragmentation Cure 2
  • When you cant integrate, federate
  • Federated Identity Access Management
  • Rely on the Identity Management infrastructure of
    one or more institutions or units
  • To authenticate and pass authorization-related
    information to service providers or resource
    hosts
  • Via institution-to-provider agreements
  • Facilitated by common membership in a federation
    (like InCommon)
  • Shibboleth is a way to move the authNZ info
    between parties

16
Vision of a better way to do IAM
  • More in the expanded set of basic functions
  • Credential issue digital credentials to people
    in the community
  • Mng. Affil. Manage affiliation and group
    information
  • Mng. Priv. Manage privileges and permissions at
    system and resource level

17
Managing Roles PrivilegesThe Internet2 way
  • Role-Based Access Control (RBAC) model
  • Users are placed into groups
  • Privileges are assigned to groups
  • Groups can be arranged into hierarchies to
    effectively bestow privileges
  • Signet manages privileges
  • Grouper manages, well, groups

Grouper
Signet
18
Vision of a better way to do IAM
  • More in the expanded set of basic functions
  • Provision Push IAM info out to systems and
    services as required
  • Relay Make access control / authorization
    information available to services and resources
    at run time
  • AuthZ Make the allow deny decision independent
    of AuthN

19
Basic IAM functions mapped to theNMI / MACE
components
Enterprise Directory
Systems of Record
Stdnt
Registry
LDAP
  • Reflect

HR
  • Join

Other
  • Credential

20
Basic IAM functions mapped to theNMI / MACE
components
Apps / Resources
Enterprise Directory
  • AuthN

Systems of Record
  • AuthN
  • Log
  • Reflect
  • Provision
  • Join

WebISO
  • Credential
  • AuthZ
  • Mng.
  • Affil.
  • Mng.
  • Priv.
  • Relay
  • Log

Grouper
Signet
Shibboleth
21
Alternative packaging of basic IdM
Apps / Resources
Enterprise Directory
  • AuthN

Systems of Record
  • AuthN
  • Log
  • Reflect
  • Provision
  • Join

Kerberos
  • Credential
  • AuthZ

LDAP
  • Mng.
  • Affil.
  • Relay
  • Log

Directory Plug-ins
22
Alternative packaging of basic IdM functions
Single System of Record as Enterprise Directory
Student -HR Info System
Registry
LDAP
  • "Join"
  • Reflect
  • Credential

23
Single SoR as Enterprise Directory
  • Who owns the system?
  • Do they see themselves as running shared
    infrastructure?
  • Will any external populations ever become
    internal?
  • What if hospital negotiates a deal?
  • Stress-test alternative packaging by thinking
    through the list of basic IdM functions

24
IAM functions
Reflect Data of interest
Join Identity across SoR
Credential NetID, other
Manage Affil/Groups AuthZ info
Manage Privileges More AuthZ info
Provision Gen. AuthNZ info into app space
Relay AuthZ info to app on request
Authenticate Identity claim
Authorize access decision (allow/deny)
Log usage for audit, accounting,

25
From Construction to Integration
  • Construction
  • Raw materials into systems
  • Integration
  • Subsystems into whole systems
  • Multiple systems into ecosystems
  • Were all moving from construction to integration
  • Lets review state of middleware systems
    readiness for integration

26
Next-up integration services
  • Message queuing (pub-sub, point-to-point)
  • Workflow (business process orchestration)
  • Policy info mgmt
  • Policy decision point
  • Service Oriented Architecture (SOA) as current
    buzz-word for the overall vision
  • The vision will outlast the name

27
Middleware -- Application Integration
  • ERPs
  • SAKAI
  • uPortal

28
IAM and Application Integration
29
Inter-institutional integration
  • Virtual Organization (VOs)
  • Federations
  • League of Federations
  • The Interfederation Interoperability Working
    Group (IIWG). yes, its real

30
Q A
31
Exceedingly Brief Intro to Shibboleth
Federations
  • Tom Barton, University of Chicago

32
Mike Neumans Issues
  1. Walk-ins
  2. Administrative permits denies (whitelist,
    blacklist, any individually granted or revoked
    access)
  3. Multiple IdPs within a single campus

33
Alternatives to IP Address Based Access
Restriction
  • User-based access restriction
  • Each service provider manages credentials for all
    of its users
  • One big credential database of all users used by
    all service providers
  • Each user has a home organization whose
    credential database can, by magic, be used by
    each service provider
  • ???

34
Federated Identities
  • Federated identities is option C on previous
    slide
  • A hierarchical approach to decompose the problem
    into manageable pieces
  • Analogous to the problem that IAM addresses, and
    rests upon IAM infrastructure
  • Federating technology is the magic part of
    option C
  • Identity federation (noun) is a set of service
    providers, identity providers, and other context
    in which the magic happens

35
Federating Technologies
  • SAML implementations
  • Security Assertion Markup Language
  • Shibboleth
  • Bodington/Guanxi
  • AthensIM
  • SourceID
  • SAMUEL
  • MS ADFS
  • Other proprietary
  • Liberty Identity Federation implementations
  • SourceID
  • Lasso
  • Proprietary
  • Others
  • MS Inter-Forest Trust

36
Shibboleth
Athenticate at home org Authorize at resource
without knowing users identity
37
Shibboleth Underpinnings
  • Elements of shibboleth infrastructure must
    identify and authenticate each other
  • Home org or Identity Provider (IdP) pieces
  • Resource or Service Provider (SP) pieces
  • Attribute assertions about authenticated
    principals are sent from IdPs to SPs
  • For it all to work, IdPs and SPs must agree about
    which attributes and values are tossed around,
    and their semantics

38
Federation Value Proposition
  • Set of cooperating IdPs and SPs forms a community
    needing agreement on
  • Trust Fabric
  • X.509 certs
  • IdP and SP identifiers other metadata
  • Community standard for attribute semantics
  • Community standards for IdP and SP operational
    practices
  • Strength of authentication
  • Confidentiality
  • For N IdPs and M SPs, which is easier?
  • NM agreements
  • NM agreements

39
Federations
  • Might support trust fabric maintenance
  • Operate a metadata distribution service
  • Might be the locus for attribute standards
  • Might be the locus for minimum but sufficient
    IdP and SP operational practice standards
  • Are not a party to the transactions between IdPs
    and SPs
  • Are not involved with entitling access to
    resources

40
The Research and EducationFederation Space
Indiana
Slippery slope - Med Centers, etc
41
(No Transcript)
42
As for Lisa
  • Sez who?
  • What Lisas username and password are?
  • What she should be able to do?
  • What she should be prevented from doing?
  • Scaling to the other 40,000 just like her on
    campus

43
As for Professor Alice
  • What accounts and services should faculty members
    be given?
  • At what point in the hiring process should these
    be activated?
  • Methods need to scale to 20,000 faculty and staff
  • In all of these, a full IAM infrastructure would
    provide the technical part of a solution

44
Policy issues re credential function NetID
  • When to assign, activate (as early as possible)
  • Who gets them? Applicants? Prospects?
  • Guest NetIDs (temporary, identity-less)
  • Reassignment (never except)
  • Who can handle them? Argument for WebISO.

45
Basic IAM functions mapped to theNMI / MACE
components
Apps / Resources
Enterprise Directory
  • AuthN

Systems of Record
  • AuthN
  • Log
  • Reflect
  • Provision
  • Join

WebISO
  • Credential
  • AuthZ
  • Mng.
  • Affil.
  • Mng.
  • Priv.
  • Deliver
  • Log

Grouper
Signet
Shibboleth
46
IAM functions big pictures
Manage Grps
Log
AuthZ
Reflect
Provide/run-time
Join
Credential
Manage Privs
Provide/provision
(AuthN)
47
Topics
  • What is Identity Management (IdM)?
  • The IdM Stone Age
  • A better vision for IdM
  • An aside on the value of affiliation / group /
    privilege management services
  • Basic IdM functions mapped to NMI/MACE components
  • Demands on IT and how IdM services help

48
  • What is Identity Management (IdM)?
  • Identity management is the set of business
    processes, and a supporting infrastructure, for
    the creation, maintenance, and use of digital
    identities. The Burton Group (a research firm
    specializing in IT infrastructure for the
    enterprise)
  • Identity Management in this sense is sometimes
    called Identity and Access Management
  • What problems does Identity Management solve?

49
Identity Management is
  • Hi! Im Lisa. (Identity)
  • and heres my NetID / password to prove it.
  • (Authentication)
  • I want to open the Portal to check my email.
  • (Authorization ? Allowing Lisa to use
    the services for which shes authorized)
  • And I want to change my grade in last semesters
    Physics course.
  • (Authorization ? Preventing her from doing
    things shes not supposed to do)

50
Identity Management is also
  • New hire, Assistant Professor Alice
  • Department wants to give her an email account
    before her appointment begins so they can get her
    off to a running start
  • How does she get into our system and get set up
    with the accounts and services appropriate to
    faculty?

51
What questions are common to these scenarios?
  • Are the people using these services who they
    claim to be?
  • Are they a member of our campus community?
  • Have they been given permission?
  • Is their privacy being protected?

52
As for Lisa
  • Sez who?
  • What Lisas username and password are?
  • What she should be able to do?
  • What she should be prevented from doing?
  • Scaling to the other 40,000 just like her on
    campus

53
As for Professor Alice
  • What accounts and services should faculty members
    be given?
  • At what point in the hiring process should these
    be activated?
  • Methods need to scale to 20,000 faculty and staff

54
The IdM Stone Age
  • List of functions
  • AuthN Authenticate principals (people, servers)
    seeking access to a service or resource
  • Log Track access to services/resources

55
The IdM Stone Age
  • Every application for itself in performing these
    functions
  • User list, credentials, if youre on the list,
    youre in (AuthN is authorization (AuthZ)
  • As Hobbes might say Stone age IdM nasty,
    brutish short on features

56
Vision of a better way to do IdM
  • IdM as a middleware layer at the service of any
    number of applications
  • Requires an expanded set of basic functions
  • Reflect Track changes to institutional data from
    changes in Systems of Record (SoR) other IdM
    components
  • Join Establish maintain person identity across
    SoR

57
Your Digital Identity and The Join
  • The collection of bits of identity information
    about you in all the relevant IT systems at your
    institution
  • For any given person in your community, do you
    know which entry in each systems data store
    carry bits of their identity?
  • If more than one system can create a person
    record, you have identity fragmentation

58
The pivotal concept of IdM The Join
  • Identity fragmentation cure 1 The Join
  • Use business logic to
  • Establish which records correspond to the same
    person
  • Maintain that identity join in the face of
    changes to data in collected systems
  • Once cross-system identity is forged, assign a
    unique person identifier (often a registry ID)

59
Identity Fragmentation Cure 2
  • When you cant integrate, federate
  • Federated Identity Management means
  • Relying on the Identity Management infrastructure
    of one or more institutions or units
  • To authenticate and pass authorization-related
    information to service providers or resource
    hosting institutions or enterprises
  • Via institution-to-provider agreements
  • Facilitated by common membership in a federation
    (like InCommon)

60
Vision of a better way to do IdM
  • More in the expanded set of basic functions
  • Credential issue digital credentials to people
    in the community
  • Mng. Affil. Manage affiliation and group
    information
  • Mng. Priv. Manage privileges and permissions at
    system and resource level
  • Provision Push IdM info out to systems and
    services as required
  • Deliver Make access control / authorization
    information available to services and resources
    at run time
  • AuthZ Make the allow deny decision independent
    of AuthN

61
Policy issues re credential function NetID
  • When to assign, activate (as early as possible)
  • Who gets them? Applicants? Prospects?
  • Guest NetIDs (temporary, identity-less)
  • Reassignment (never except)
  • Who can handle them? Argument for WebISO.

62
A closer look at managing affiliations, groups
and privileges
  • How does this help the harried IT staff?

63
Authorization, the early years
  • IdM value realized only when access to services
    information enabled
  • Authorization support is the keystone
  • Crude beginnings If you can log in, you get it
    all
  • Call to serve non-traditional audiences breaks
    this model
  • Applicants
  • Collaborative program students

64
Authorization, the early years
  • First refinement on Log in, get it all
  • Add service flags to the enterprise directory as
    additional identity information
  • Lisa Eligible for email
  • Fred Eligible for student health services
  • Sam Enrolled in Molecular Biology 432
  • The horrendous scaling problem

65
Authorization, the early years
  • Bringing in groups to deal with the scaling
    problem
  • Here groups are being used to carry affiliations
    or roles

66
  • Thanks to jbarkley_at_nist.gov

67

68

69

70
Groups and affiliation management software?
  • Middleware Architecture Committee for Education
    (MACE) in Internet2 sponsoring the Grouper
    project
  • Infrastructure at University of Chicago
  • User interface at Bristol University in UK
  • upport from NSF Middleware Initiative (NMI)
  • http//middleware.internet2.edu/dir/groups

71
Role- and Privilege-based AuthZ
  • Privileges are what you can do
  • Roles are who you are, which can be the used for
    policy-based privileges
  • Both are viable, complementary for authorization

72
Roles (cf. eduPersonIsMemberOf)
  • Inter-realm, specific privileges vary in
    different contexts
  • e.g. Instructor can submit grades at one
  • site, readonly at another
  • Eligibilility (can have) instead of authorization
    (can do)
  • e.g. Faculty/Staff /Students get free email
  • from specific provider

73
Privileges (cf. eduPersonEntitlement)
  • Permissions should be same across service
    providers
  • Service providers do not need to know rules
    behind authorization
  • e.g. Building access regardless of why -- has
  • office in building, taking class in
    building,
  • authorized by building manager

74
Privilege Management Feature Summary
By authority of the Dean grantor
principal investigators role (group)
who have completed training prerequisite
can approve purchases function
in the School of Medicine scope
for research projects up to 100,000 limits
until January 1, 2006 condition
75
Privilege Management software?
  • Project Signet of Internet2 MACE
  • Development based at Stanford
  • upport from NSF Middleware Initiative
  • http//middleware.internet2.edu/signet

76
Basic IdM functions mapped to theNMI / MACE
components
Enterprise Directory
Systems of Record
Stdnt
Registry
LDAP
  • Reflect

HR
  • Join

Other
  • Credential

77
A successful enterprise directoryattracts data
  • People start to see the value in reflecting data
    there
  • App. owners start asking to put person-level
    specifics
  • Service config
  • Customization
  • Personalization
  • What about non-person data?
  • Why do we never see data warehouse and
    directory in the same book or white paper?

78
Basic IdM functions mapped to theNMI / MACE
components
Apps / Resources
Enterprise Directory
  • AuthN

Systems of Record
  • AuthN
  • Log
  • Reflect
  • Provision
  • Join

WebISO
  • Credential
  • AuthZ
  • Mng.
  • Affil.
  • Mng.
  • Priv.
  • Deliver
  • Log

Grouper
Signet
Shibboleth
79
Provisioning
Apps / Resources
Enterprise Directory
  • AuthN

Systems of Record
  • AuthN
  • Log
  • Reflect
  • Provision
  • Join

WebISO
  • Credential
  • AuthZ
  • Mng.
  • Affil.
  • Mng.
  • Priv.
  • Deliver
  • Log

Grouper
Signet
Shibboleth
80
Two modes of app/IdM integration
  • Domesticated applications
  • Provide them the full set of IdM functions
  • Applications with attitude (comes in the box)
  • Meet them more than halfway by provisioning

81
Provisioning
  • Getting identity information where it needs to be
  • For Apps with Attitude, this often means
    exporting reformatted information to them in a
    form they understand
  • Using either App-provided APIs or tricks to write
    to their internal store
  • Change happens, so this is an ongoing process

82
Provisioning Service Pluses
  • Provisioning decisions governed by runtime
    configuration, not buried in code somewhere
  • Single engine for all consumers has obvious
    economy
  • Config is basis for healing consumers with broken
    reflection
  • Config could be basis of change management
    compare as is provisioning rule to a what if rule

83
Same IdM functions, different packaging
  • Your IdM infrastructure (existing or planned) may
    have different boxes lines
  • But somewhere, somehow this set of IdM functions
    is getting done
  • Gives us all a way to compare our solutions by
    looking at various packagings of the IdM functions

84
IdM functions
Reflect Data of interest
Join Identity across SoR
Credential NetID, other
Manage Affil/Groups AuthZ info
Manage Privileges More AuthZ info
Provision For apps w attitude
Deliver Get AuthZ info to app
Authenticate Check identity claim
Authorize Make allow/deny decision
Log Track usage for audit

85
What is IT being asked to do?
  • Automatic creation and deletion of computer
    accounts
  • Personnel records access for legal compliance
  • One stop for university services (portal)
    integrated with course management systems

86
What else is IT being asked to do?
  • Student record access for life
  • Submission and/or maintenance of information
    online
  • Privacy protection

87
More on the To Do list
  • Stay in compliance with a growing list of policy
    mandates
  • Increase the level of security protections in the
    face of a steady stream of new threats

88
More on the To Do list
  • Serve new populations (alumni, applicants,)
  • More requests for new services and new
    combinations of services
  • Increased interest in eBusiness
  • There is an Identity Management aspect to each
    and every one of these items

89
How full IdM layer helps
  • Improves scalability IdM process automation
  • Reduces complexity of IT ecosystem
  • Complexity as friction (wasted resources)
  • Improved user experience
  • Functional specialization App developer can
    concentrate on app-specific functionality

90
Q A
Reflect Data of interest
Join Identity across SoR
Credential NetID, other
Manage Affil/Groups AuthZ info
Manage Privileges More AuthZ info
Provision For apps w attitude
Deliver Get AuthZ info to app
Authenticate Check identity claim
Authorize Make allow/deny decision
Log Track usage for audit

91
Appendix IdM and the rise of policy concerns
  • New systems and applications have come in two
    primary ways
  • A campus unit approaches a central IT group to
    build a new application
  • Some Request for Proposal (RFP) process leads to
    a new system

92
1) A campus unit approaches a Central IT group to
build a new application
  • If the IT group encountered policy issues
  • It had no standard place to turn for answers
  • Technologists either made policy decisions
  • Or they referred the issue back to the requestor
  • Or, sometimes, the project stalled

93
2) RFP process leads to purchase of a new system
  • If the new system affected business process
    and/or policies
  • The campus struggled to create a forum to address
    the issues
  • Or the effect was not noticed until after go-live
  • Or implementors did their best to work around the
    problems
  • Or, sometimes, the project stalled

94
Responding to requestsA new approach at
UW-Madison
  • Campus leaders are defining new ways of
    channeling and responding to requests
  • Groups like the AuthNZ Coordinating Team (ACT)
    anticipate policy issues and sort through the
    concerns
  • They route findings and recommendations to the
    CIO office
  • The CIO Office take the issue to an appropriate
    campus body

95

96
Responding to requestsA new approach
  • The Identity Management Leadership Group (IMLG)
    will provide leadership on IdM issues when
    responding to
  • Submission and/or maintenance of information
    online
  • Privacy protection
  • Increased compliance demands
  • Increased security threats

97
Why a new group?
  • Technology is now more robust and services are
    considered foundational to the institution
  • Broader scope, e.g., new populations
  • New policy issues and more of them
  • Need for flexibility and quick turn-around time

98
One key resource to help you start building the
IdM infrastructure
  • Enterprise Directory Implementation Roadmap
  • http//www.nmi-edit.org/roadmap/
    directories.html
  • Parallel project planning paths
  • Technology/Architecture
  • Policy/Management
About PowerShow.com