
d7cdb832529fc70c53cacf04e39829f2.ppt

  • Number of slides: 24

Integrated Identity Management
Leveraging knowledge of people to create business value
Jeff Curie, Chief Strategist, Identity Management
March 2004
© 2004 IBM Corporation

Identity Management in the Security Model

Resource Protection: protect computers and network
• Know the connected devices
• Prevent malicious network access
• Defend against viruses
• Respond to attacks

Control: protect applications and data
• Know the authorized users
• Control what users can see and do
• Secure transactions and data
• Make security transparent to users

Policy Assurance: protect privacy and reputation
• Support regulatory compliance
• Enforce consistent policies
• Provide integrated audit trail
• Manage security risks

Security Control Layer: Industry Statistics
• "Up to 60% of the access profiles in companies are no longer valid and, in high turnover industries, the percentage can go up to 80-90%." - Christiansen
• "Automated management of B2B processes and increased collaborative capabilities will soon become necessities in most organizations. Simple data exchange with partners and customers is not enough." - David Yokelson
• "It costs $400 per year to manually manage a single user in a large financial corporation." - International Security Forum Report
• "Insider security lapses are costing organizations an average of about $250,000 per incident." - FBI/CSI Survey July 2001
• "81% of the likely source of attack is from disgruntled employees." - Computer Security Issues

There are Teeth in the New Regulations
• Eli Lilly Settles FTC Charges Concerning Security Breach. Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service. "Eli Lilly and Company (Lilly) has agreed to settle Federal Trade Commission charges regarding the unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly will take appropriate security measures to protect consumers' privacy." (FTC Press Release)
• Allstate agrees to $1M settlement for privacy violations in California. By Associated Press: "Allstate Insurance Co. agreed to pay a $1 million fine as part of a settlement with the California Department of Motor Vehicles, officials said yesterday."
• March 19, 2003: Victoria's Secret Settles Privacy Case. Company to Provide Restitution to Consumers for Web Site Breach.
• Softbank Offers Compensation Over Leak of Personal Data. Executives to Forgo Part of Pay. (2004, Associated Press)
• "Regulatory compliance #1 driver for increased security spend in 2004" - IDC 2003 "Black Book"

Security Management Process Complexity
Diagram: User Change → Request for Access Generated → Approval Routing → Policy & Role Examined → IT In-Box → Administrators Create Accounts → Users with Accounts
• Elapsed turn-on time: up to 7 days per user
• Account turn-off performance: 30-60% of accounts are invalid
• One FTE user administrator only handles 300-500 users
• 40% of help desk effort is spent on password resets

Why Clients Chose Identity Management
Common Pains Addressed by Integrated Identity Management
• Our security administration and support costs are too high
• Single sign-on and a unified user experience is a priority for our executives
• Security for in-house built applications is inadequate and expensive
• We need to limit access to sensitive or private information in our systems
• Compliance with regulations and audit requirements drives us to make changes
• We can't keep track of all the users that can access our systems
• Identity information is spread across multiple stores
• We want to get our house in order to prepare to participate in Web Services

Integrated Identity Management Building Blocks
Diagram (layers, top to bottom):
• Federated Identity Management
• Identity Applications (Users & Applications): User Provisioning, Access Control, Privacy Control
• Identity Data Infrastructure (User & Resource Information): Directory Server, Identity Integration
Leveraging Knowledge of People and Processes to Create Business Value

Identity Ecosystem
Diagram labels: User Information and Control; Privilege; Establish Authoritative Identity Information; Enforce Access Controls and Data Disclosure
Start Where You Must, Expand Over Time

Identity Is the Basis of the Control Layer
Today, identity data is fragmented and incomplete. But identity data is the basis for:
• Access decisions
• Self-service
• Authorization assignment
• Personalization
Diagram: Information about People (Users: Employees, Contractors, Partners, Customers); Information about Access (User Account Privileges, Credentials); Data Stores (Web Apps, Operating Systems, Legacy Apps, In-house Apps, Directories, Security Systems, Transaction Processing)

Common Pains Addressed by Identity Integration
• We need to improve the quality of our organization-wide identity data
• We need to synchronize data between stores like databases, PeopleSoft, SAP, Microsoft AD and Lotus Notes
• We need to reduce the number of people trying to maintain the same data
• We need a common store of identity data
• We need more feeds into our LDAP directories
• We need to aggregate data from multiple sources into one
• We need to migrate data to new applications

Establishing Authoritative Identity
• Customer Challenge: Out-of-sync data elements require synchronization
• Customer Challenge: Accurately retain multiple corporate identity sources at minimum cost
• Customer Challenge: Accelerate deployment of high-ROI Identity Management solutions
Diagram: Authoritative Identity Source Integration; Authoritative Identity Source for Division A, Division B and Division C; attributes shown: User Cost Center, User Mobile Phone Numbers; Integrate → Users, Data, Systems
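The two slides above describe the integration problem in words only: several stores hold overlapping attributes for the same person, one store is authoritative for each attribute (the cost center from one division's source, the mobile number from another), and the rest must be brought into line. The following is an added example, not code from the deck or from IBM Directory Integrator. It merges one person's records from several constructed sources into a single record using a per-attribute authority order, reports every store whose value disagrees with the authoritative one, and lists the writes an integration job would push back. The source names (`hr`, `div_a_dir`, `div_b_dir`, `mail_dir`), the `AUTHORITY` table and the sample values are all assumptions made for the example.

```python
"""Attribute-level authoritative identity merge (added example)."""
from dataclasses import dataclass, field

# Hypothetical authority order per attribute: the first listed source that carries
# the attribute is authoritative; every other source is expected to follow it.
AUTHORITY = {
    "cost_center": ["hr", "div_a_dir", "div_b_dir"],
    "mobile": ["div_b_dir", "div_a_dir", "hr"],
    "email": ["mail_dir", "hr"],
    "status": ["hr"],
}


@dataclass
class MergeResult:
    uid: str
    record: dict                                   # the merged ("golden") record
    conflicts: list = field(default_factory=list)  # (source, attr, stale value, authoritative value)
    missing: list = field(default_factory=list)    # attributes no source could supply


def merge_identity(uid, sources):
    """sources: {source_name: {attr: value}} holding one person's data per store."""
    result = MergeResult(uid=uid, record={"uid": uid})
    for attr, order in AUTHORITY.items():
        winner = next(((s, sources[s][attr]) for s in order
                       if s in sources and attr in sources[s]), None)
        if winner is None:
            result.missing.append(attr)
            continue
        src, value = winner
        result.record[attr] = value
        # Any non-authoritative store holding a different value is out of sync.
        for other, rec in sources.items():
            if other != src and attr in rec and rec[attr] != value:
                result.conflicts.append((other, attr, rec[attr], value))
    return result


def sync_actions(result):
    """Turn conflicts into the writes an integration job would push to each store."""
    return [f"set {store}.{attr} for {result.uid}: {stale!r} -> {good!r}"
            for store, attr, stale, good in result.conflicts]


SAMPLE_SOURCES = {  # constructed sample data, not from any real directory
    "hr":        {"cost_center": "CC-4100", "status": "active", "email": "jdoe@example.test"},
    "div_a_dir": {"cost_center": "CC-3900", "mobile": "+1-555-0100"},
    "div_b_dir": {"mobile": "+1-555-0199"},
    "mail_dir":  {"email": "j.doe@example.test"},
}

if __name__ == "__main__":
    merged = merge_identity("u123", SAMPLE_SOURCES)
    print(merged.record)
    for action in sync_actions(merged):
        print(action)
```

The `missing` list matters in practice: an attribute that no source supplies should surface as a data-quality finding rather than silently becoming an empty value in the common store.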

Common Pains Addressed by User Provisioning
• We need self-service to reduce/avoid costs in the help desk
• We need to see exactly who has what rights
• We need a console that can turn off departing users immediately
• We need to automate the process of turning people on and off to systems
• We need a central system to keep accurate records of all changes to access rights

User Provisioning Business Purpose
Diagram: User Provisioning Data (User, Action, Resource); User Accesses; Privileges; Security Administrator
Access Control Challenges:
• Security: Accurate and timely privilege assignment based on "Need to Know"
• Security: Accurate and timely off-boarding
• Cost: Scaling administrative staff to match provisioning activity
• Cost: Scaling help desk staff to match password reset request load
• Regulatory/Controls: Proving you did it right

Tivoli Identity Manager
Diagram: Identity change requested → Access policy evaluated → Approvals gathered → Accounts updated; Detect and correct local privilege settings
Connected systems: HR Systems, Operating Systems, Databases, Identity Stores, Applications
Industry's most comprehensive list of supported agents, and toolkit to create more
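The provisioning slides above give the lifecycle as four boxes (change requested, policy evaluated, approvals gathered, accounts updated) plus a reconciliation step that detects and corrects local privilege settings, and the earlier pain points ask for immediate turn-off of leavers and a central record of every change. The following is an added example, not Tivoli Identity Manager code, that implements that lifecycle against in-memory target systems: a department-to-entitlement policy, an approval gate for privileged entitlements, a central audit list, and a reconciliation pass that removes orphan accounts and leavers' accounts and strips privileges added outside the system. The `POLICY` and `NEEDS_APPROVAL` tables, the target names `erp` and `unix`, and the identities in `run_demo` are constructed for the example.

```python
"""Policy-driven provisioning with reconciliation (added example, not Tivoli code)."""
from dataclasses import dataclass, field

# Hypothetical access policy: department -> target system -> entitlements.
POLICY = {
    "finance": {"erp": {"gl_read"}, "unix": {"users"}},
    "it":      {"unix": {"users", "wheel"}},
}
# Entitlements that need an approval before they are granted (hypothetical).
NEEDS_APPROVAL = {("unix", "wheel")}


@dataclass
class Identity:
    uid: str
    department: str
    status: str = "active"          # "active" or "terminated"


@dataclass
class ProvisioningSystem:
    identities: dict                              # uid -> Identity (fed from HR)
    targets: dict = field(default_factory=dict)   # target -> {uid: set(entitlements)}
    audit: list = field(default_factory=list)     # (target, uid, before, after, reason)

    def desired_state(self, ident):
        """Access policy evaluation: what this identity should hold on each target."""
        if ident.status != "active":
            return {}                             # leavers hold nothing anywhere
        return {t: set(e) for t, e in POLICY.get(ident.department, {}).items()}

    def request_change(self, uid, approvals=frozenset()):
        """Change requested -> policy evaluated -> approvals gathered -> accounts updated.
        Returns the entitlements still waiting for an approval."""
        ident = self.identities[uid]
        desired = self.desired_state(ident)
        pending = []
        for target, ents in desired.items():
            granted = set()
            for ent in sorted(ents):
                if (target, ent) in NEEDS_APPROVAL and (target, ent) not in approvals:
                    pending.append((target, ent))
                else:
                    granted.add(ent)
            self._set(target, uid, granted, "policy")
        # Targets the policy no longer names (every target for a leaver) are removed.
        for target in list(self.targets):
            if target not in desired and uid in self.targets[target]:
                self._set(target, uid, None, "deprovision")
        return pending

    def _set(self, target, uid, ents, reason):
        """Update one account and record the change in the central audit list."""
        accounts = self.targets.setdefault(target, {})
        before = accounts.get(uid)
        if ents is None:
            accounts.pop(uid, None)
        else:
            accounts[uid] = set(ents)
        if before != ents:
            self.audit.append((target, uid, before, ents, reason))

    def reconcile(self):
        """Detect and correct local privilege settings that drifted from policy."""
        findings = []
        for target, accounts in self.targets.items():
            for uid, ents in list(accounts.items()):
                ident = self.identities.get(uid)
                if ident is None:                 # account with no identity behind it
                    findings.append(("orphan", target, uid))
                    self._set(target, uid, None, "reconcile")
                    continue
                wanted = self.desired_state(ident).get(target)
                if wanted is None:                # leaver, or target not in policy
                    kind = "leaver" if ident.status != "active" else "unexpected"
                    findings.append((kind, target, uid))
                    self._set(target, uid, None, "reconcile")
                elif ents - wanted:               # privileges added locally
                    findings.append(("drift", target, uid, frozenset(ents - wanted)))
                    self._set(target, uid, ents & wanted, "reconcile")
        return findings


def run_demo():
    """Constructed scenario: two joiners, one pending approval, then drift, an orphan and a leaver."""
    ps = ProvisioningSystem(identities={
        "alice": Identity("alice", "finance"),
        "bob": Identity("bob", "it"),
    })
    ps.request_change("alice")
    pending = ps.request_change("bob")                    # "wheel" waits for approval
    ps.request_change("bob", approvals={("unix", "wheel")})
    ps.targets["unix"]["bob"].add("root")                 # simulated local change outside the system
    ps.targets["erp"]["ghost"] = {"gl_read"}              # simulated account with no HR identity
    ps.identities["alice"].status = "terminated"          # HR feed says alice has left
    findings = ps.reconcile()
    return ps, pending, findings
```

Reconciliation only ever removes what policy does not grant; it never adds an entitlement that is still waiting for approval, which keeps the approval gate meaningful. The audit list records the before and after state of every account change with its reason, which is the "proving you did it right" evidence the earlier slide asks for.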

IBM and Cisco: Teamed to Reduce Operating Costs
Comprehensive security spanning network, systems and application infrastructure
Diagram: HR Systems → Tivoli Identity Manager → Identity Stores, Applications, Databases, Operating Systems, Cisco Secure ACS; Cisco 7500 Router; Corporate Network
From your most trusted partners

Common Pains Addressed by Access Control
• We need to reduce help desk costs for our web sites
• We need Single Sign On for employees, partners, and suppliers
• We need better and cheaper security for in-house applications
• We need security for our cross-business unit portal
• We need to consolidate multiple access control and authorization solutions
• We want a standard module for all our developers to leverage for new and updated applications, including web services
• We are failing security audits
• We need to close security back doors into our operating systems

Tivoli Access Manager
• Reusable security component for new systems
• Session-level access decisions across multiple system types
• Unified access policies across systems
• Single sign-on experience in web space
Diagram: Access Manager in front of Unix System, App Server, Web App, MQ. Enforce – who can come in and what they can do

WebSphere Portal Ecosystem: Controlling privileges in dependent systems
Diagram:
• CONTENT: Enterprise Resources, Portal Server, Content, Home Grown Content, Agents; Access Manager with Access Manager Authorization Store
• Directories: Corporate HR Systems; Business Partner/Employee Directories
• ADMINISTRATION: Identity Manager Account Control (Provisioning Policies, Workflow, Audit trails)

Pain Points Addressed by Privacy Management
• We need to demonstrate compliance with industry (HIPAA, GLBA, California SB 1386) or country (Safe Harbor, EU Data Protection Directive, Australian Privacy Act, Japan Privacy Act) privacy regulations without costly audits and manual procedures
• We need to control disclosure of sensitive data (such as social security numbers, health records, or credit card information) without having to rewrite our applications
• We need to build and manage privacy rules across our enterprise applications
• Controls based on groups or roles are sometimes not enough to determine appropriate access; we need to determine access based on business purpose or by "minimum need to know"

Privacy Business Purpose
Diagram: Data Owner → Business Purpose → Disclosure → Data Requester; Resource
• Privacy Management considers the data owner's:
  – Choices (e.g. opt in to marketing email)
  – Attributes (age > 13, country of residence)
  – Other factors (time of day, etc.)
• Privacy Management authorizes "release of data for a business purpose":
  – "read for the purpose of fulfilling an order"
  – "write for the purpose of registering political party affiliation"
  – "delete for the purpose of removing from preferred physician list"

How Is Privacy Management Different?
Access Controls:
• Who are you?
• What groups do you belong to?
• Are you allowed to access this resource?
• Audit: who logged in when.
Disclosure Controls:
• What data did you see/use?
• For what business purpose?
• Did the data subject agree?
• Audit: what data was disclosed, to whom, why, and was it compliant with policy.
Disclosure Control:
• While a user may be authorized to log in to an application, they may not be able to see certain data.
• You can apply policy to a data set BEFORE it is returned to the application (and the user).
• Audit the "return path for data".
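The two privacy slides above describe disclosure control as a filter on the return path: the requester has already passed access control, but each field is released only for a stated business purpose, subject to the data owner's choices (an opt-in) and attributes (age over 13), and the audit records what was disclosed, to whom, why, and whether it was compliant. The following is an added example, not Tivoli Privacy Manager code or its policy format, showing that filter over a constructed result set. The purposes `fulfil_order`, `marketing` and `age_check`, the `DISCLOSURE_POLICY` table and the sample records are assumptions made for the example.

```python
"""Purpose-based disclosure control on the data return path (added example)."""
from dataclasses import dataclass, field


def opted_in(flag):
    """Condition: the data owner has given this opt-in choice."""
    return lambda subject: flag in subject.get("consents", set())


# Hypothetical disclosure policy (not a Tivoli Privacy Manager policy format):
# business purpose -> fields that may be released; None = unconditional,
# otherwise a predicate over the data owner's record (choices, attributes).
DISCLOSURE_POLICY = {
    "fulfil_order": {"name": None, "address": None, "email": None},
    "marketing":    {"name": opted_in("marketing_email"), "email": opted_in("marketing_email")},
    "age_check":    {"age": lambda subject: subject.get("age", 0) > 13},
}


@dataclass
class AuditEntry:
    requester: str       # who received the data
    purpose: str         # why it was requested
    subject_id: str      # whose data
    disclosed: tuple     # fields released
    withheld: tuple      # fields stripped before return
    compliant: bool      # False when the purpose is unknown to policy


@dataclass
class DisclosureFilter:
    policy: dict
    audit: list = field(default_factory=list)

    def disclose(self, records, requester, purpose):
        """Apply the policy to a result set BEFORE it reaches the application."""
        allowed = self.policy.get(purpose)
        released = []
        for rec in records:
            present = {k for k in rec if k != "id"}
            if allowed is None:          # purpose not in policy: release nothing, flag it
                self.audit.append(AuditEntry(requester, purpose, rec["id"],
                                             (), tuple(sorted(present)), False))
                continue
            ok = {k for k, cond in allowed.items()
                  if k in rec and (cond is None or cond(rec))}
            self.audit.append(AuditEntry(requester, purpose, rec["id"],
                                         tuple(sorted(ok)), tuple(sorted(present - ok)), True))
            if ok:                       # owners with nothing releasable drop out entirely
                released.append({"id": rec["id"], **{k: rec[k] for k in sorted(ok)}})
        return released


SAMPLE_RECORDS = [  # constructed data subjects; values are placeholders
    {"id": "c1", "name": "Ada", "address": "1 Main St", "email": "ada@example.test",
     "age": 34, "ssn": "000-00-0000", "consents": {"marketing_email"}},
    {"id": "c2", "name": "Ben", "address": "2 Main St", "email": "ben@example.test",
     "age": 12, "ssn": "000-00-0001", "consents": set()},
]

if __name__ == "__main__":
    f = DisclosureFilter(DISCLOSURE_POLICY)
    print(f.disclose(SAMPLE_RECORDS, "order-service", "fulfil_order"))
    print(f.disclose(SAMPLE_RECORDS, "campaign-service", "marketing"))
    for entry in f.audit:
        print(entry)
```

Two properties are worth noting: the policy is an allow list, so a field such as `ssn` that no purpose names is never released regardless of who asks, and a purpose the policy does not know yields an empty result plus a non-compliant audit entry rather than falling back to the requester's general access rights.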

Combining the Identity Ecosystem
Diagram:
• Provision – Identity-Driven User Accounts (User Provisioning). Administer: changes in users and authorities. Users / Accounts
• Integrate – Information about users: LOB, Partner Directory, HR, Charge Centers, e-Mail Directory, NOS, White Pages, Telephony (Identity Integration: Synchronize Identity Stores)
• Enforce – who can come in and what they can do (Controls): Access Control, Identity-Driven Access and Disclosure Control

IBM's Integrated Identity Management Solution
Diagram (layers, top to bottom):
• Federated Identity Management
• Identity Applications (Users & Applications): Tivoli Identity Manager, Tivoli Access Manager, Tivoli Privacy Manager
• Identity Data Infrastructure (User & Resource Information): IBM Directory Server, IBM Directory Integrator
Leveraging Knowledge of People and Processes to Create Business Value

How do you get started?
• Visit http://www.ibm.com/software/itsecurity/en/web10 to download informative whitepapers or view additional webcasts on IBM Security & IT Management Solutions
• Contact your IBM sales specialist or IBM Business Partner, or call 1-800-IBM-7777 with priority code 104AK002 to discuss how IBM can assist you with your identity management needs.