Archive for September, 2006

Identity-centric NAC
Thursday, September 21st, 2006
I’m presenting later today at the New York Tech-Security conference on identity-centric NAC. This follows the same theme as my remarks at Digital ID World. You can download the slides here. Comments welcome as usual.

Digital ID World Final Thoughts
Friday, September 15th, 2006
Well, that was an interesting three days with a fair amount of typing. Hopefully the session notes were helpful to everyone. There is some good analysis of specific sessions over at Phil Windley’s blog. In all, I thought the conference was well done, and it was interesting to discuss the nascent blurring of the NAC and identity spaces. The hot topic of the conference was not NAC, though, but rather the user-centric identity efforts from Microsoft, Higgins, and others.
These initiatives, if you are unfamiliar with them, promise to simplify the user experience of sharing identity information on the Internet. Through a visual representation, users choose the identity profile they wish to share with a given site and can control what information is presented. These identity profiles can either be self-asserted or signed by an identity provider. Think of it as a signed version of your web browser’s auto-fill feature, with a selector in advance of submitting the data.
There were a couple of presentations on the enterprise applications of this functionality, and most of the conversations were clothed in the trappings of Web 2.0 virtues like user-centricity and distributed workflow. I saw no immediate killer applications. Interestingly, the most compelling reason to imagine that this functionality will reach the enterprise is that consumers will like the user experience at home and will ask for it at work. What, then, will user-centric identity mean in an enterprise networking context?
These systems seem to be very much like a PKI at their heart. Identities are signed and can be presented without a challenge/response to some authority each time. This is good, and if it can be extended to include information within the signed identity about the role and attributes of the user, then network access decisions can be made without consulting a user directory. Of course, role changes, revocation, and other intricacies threaten the simplicity of the system, but the overall idea of embedding more information in a certificate is not particularly new. If these user-centric efforts produce something substantially easier to deploy and use, then a signed identity throughout the enterprise is possible and could significantly change network identity management.
Technorati Tags: Digital ID World, higgins, Identity 2.0, Infocards
DIDW: How NAC is Integrating with Identity Management
Wednesday, September 13th, 2006
Here are notes on the second NAC session.
Eric Norlin, Moderator
NAC guys started using identity in their messaging; he wanted to find out why.
Introductions:
Applied Identity
Juniper
Forescout
Apere
TNT
What do you do:
Applied Identity: Application security is further along, so we’re doing identity based access control in the network
Juniper: In the NAC business. Genesis was the acquisitions of Netscreen and Neoteris. SSL VPNs being used for access control. As these technologies evolved throughout the enterprise we looked at policy frameworks
Forescout: Definitely NAC. Clientless approach and discovery, also do ranking abilities, also provide role-based capabilities, provides integration with identity players.
Apere: Bringing Identity and Access Control together. Miniature Tivoli in a box. Medium enterprises don’t have identity management. We wanted to put a version of that in a box.
TNT: Identity is confusing for enterprises, at the network layer no one did this. We bring a clear vision of what assets are doing and who they are interacting with. We now have access control on top of that to define what folks are allowed to do.
Eric: Identity Management at the Network layer and Identity Management at the Application layer, you seem to be going between the two. What are customers doing from you?
Applied Identity: Control is something we provide, second driver is compliance SOX, etc. Third driver is consolidation of defense in depth from disjointed layers to more coordinated layers. One place for security policy. Deployment cases. 1: Guest worker access (employee, contractor, etc.)
Juniper: First is notion of identity at the user level, then also non-managed devices and controlling what they are able to access, then what rights do they have. The reality of enterprise endpoints, customers tend to want a holistic view across all forms of access.
Forescout: Agrees as far as drivers. One thing to add, depending on market (i.e. Federal may have a different focus). In the enterprise, we see mostly orchestration to provide one management platform for things already in place. I.e. How can I be sure that the AV is all in place. In federal market, more compliance.
Apere: Too many products in the market, what can we do to help this? Did interviews in 2002 talking to customers. Three key issues we heard were: 1. Business enablement, 2. IP protection, 3. Compliance. 90% of customers we talk to have more than 10 identity stores (7 ADs, a couple of LDAPs, etc.; these systems don’t talk well with one another). Focused on the medium enterprise.
Eric: How is TNT changing based on changes in market?
TNT: Lots of disjointed functions deployed across enterprises. Regulatory pressures are forcing directory discipline. Need controls and visibility after authentication. Fighting attacks at the edge or data center alone is not enough. Need to go to every machine in the network [SJC: This seems architecturally questionable, but perhaps we have different definitions for these terms]
Eric: Security happens when you do Identity well. Why call yourself an Identity company and not just a networking company?
Applied Identity: Wanted a strong association with Identity. Noise level got excessive in the overall security space. Static ACL tables are very error prone.
Juniper: We aren’t an identity management company. What used to be controlling access based on who is evolving into other vectors like device type, etc. We see a huge guest worker opportunity.
Eric: The metaphor seems to be changing. Instead of bigger firewalls and more techniques to protect the network, is this change in metaphor happening?
Forescout: Yes, we are a NAC vendor and are not doing Identity but we see the linkages between the two.
Apere: We launched product two months ago. Biggest problem was analysts are identity or security focused. This highlights the problem. In customers, the networking guy cares about security but the application guy cares about identity. An application guy and the network IT manager don’t play well with one another. We want to make a comprehensive solution that includes both security and identity.
Eric: What is the value of managing Identity at the network layer?
TNT: The balance of power in the enterprise is shifting towards the identity folks since they speak the business language. This power is taken from the networking guy. These trends are causing some of these metaphor changes. By talking about the infrastructure in Identity terms it allows the networking guys to speak the language of the business.
Missed the last 15 minutes.
Technorati Tags: Digital ID World, identity, NAC
DIDW: Higgins Framework
Wednesday, September 13th, 2006
Came in a bit late…
Trends:
Productivity is achieved through the integration of people with business process
Need to preserve privacy
Information about individuals is growing in different silos
New framework for IdM that is user-centric
Enables dynamic, automatic capture of people information from disparate information repositories
Facilitate integration with diverse identity management systems
Ease management of identity, profile, reputation and relationship…
IdM has poor tooling for developers. Higgins uses only one API and has plugins to CardSpace, OpenID, RSS, XRI, LDAP, etc. Other connectors can be written since this is open source
For end users, they get consistent user experience using visual “i-cards”, Privacy-enabled claims to share only what is needed (and protect private information)
They also get personal information “link and sync” services
- remembers passwords, fills in forms
- links and syncs your info across silos
- gives you more control over your personal data
End users get an Identity Metasystem
- Identity attribute service to federate this information between multiple systems and silos
They also get privacy and move from attributes to claims. Attribute is bank balance = $100K, claim is bank balance is > 20K. [SJC: Claims seem far more privacy friendly]
For enterprises they get integrated identity, profile, reputation, and relationship information across and among complex enterprises.
Enterprises also get privacy there as well. Give users the ability to control more of their info. Employee satisfaction.
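Added example, not code from the original posts or from the Higgins project: a small Python sketch of two ideas on this page, the signed identity carrying roles so that a network enforcement point can decide without a directory lookup (from the Digital ID World Final Thoughts post) and the attribute-to-claim step just above, where the provider asserts “balance over 20K” rather than the balance itself. The user record, roles, VLAN numbers and key are constructed; an HMAC stands in for the PKI signature a real identity provider would use; the expiry and revocation list are the hooks for the role-change and revocation problems the post mentions.

```python
import hashlib
import hmac
import json

# Constructed demo key. It stands in for the identity provider's signing key;
# a real deployment would use an asymmetric (PKI) signature so that the
# network enforcement point verifies with a public key and holds no secret.
IDP_KEY = b"constructed-demo-key-not-for-production"

# Constructed directory record: everything the identity provider knows.
USER_RECORD = {
    "user": "alice",
    "roles": ["employee", "manager"],
    "bank_balance": 100_000,
}

# Constructed network policy: which VLAN each recognised role lands in.
ROLE_VLAN = {"manager": 20, "employee": 30}
GUEST_VLAN = 99


def derive_claims(record):
    """Turn raw attributes into minimal-disclosure claims.

    The relying party learns 'balance is over 20K', never the balance itself,
    plus the roles it needs for the access decision.
    """
    return {
        "subject": record["user"],
        "roles": sorted(record["roles"]),
        "balance_over_20k": record["bank_balance"] > 20_000,
    }


def _canonical(payload):
    # Deterministic serialisation so signer and verifier hash the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(record, issued_at, ttl_seconds=3600, key=IDP_KEY):
    """Identity provider: sign derived claims together with an expiry and a token id."""
    claims = derive_claims(record)
    claims["exp"] = issued_at + ttl_seconds
    # The token id lets a revocation list name this token when a role changes.
    claims["jti"] = hashlib.sha256(f"{record['user']}:{issued_at}".encode()).hexdigest()[:16]
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_token(token, now, revoked=frozenset(), key=IDP_KEY):
    """Enforcement point: accept the claims only if the signature holds, the
    token is unexpired and its id is not on the revocation list.
    No directory lookup is needed on the happy path."""
    claims, sig = token["claims"], token["sig"]
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if now >= claims["exp"]:
        return None
    if claims["jti"] in revoked:
        return None
    return claims


def network_access_decision(token, now, revoked=frozenset()):
    """Map verified roles to a VLAN; anything unverifiable lands in the guest VLAN."""
    claims = verify_token(token, now, revoked)
    if claims is None:
        return {"allow": False, "vlan": GUEST_VLAN, "reason": "invalid, expired or revoked token"}
    for role in ("manager", "employee"):  # most privileged recognised role wins
        if role in claims["roles"]:
            return {"allow": True, "vlan": ROLE_VLAN[role], "reason": f"role:{role}"}
    return {"allow": False, "vlan": GUEST_VLAN, "reason": "no recognised role"}


if __name__ == "__main__":
    token = issue_token(USER_RECORD, issued_at=1_000)
    print("claims presented:", token["claims"])
    print("fresh token:", network_access_decision(token, now=1_500))
    print("after expiry:", network_access_decision(token, now=10_000))
    print("after revocation:", network_access_decision(token, now=1_500, revoked={token["claims"]["jti"]}))
```

The enforcement point never sees `bank_balance`, and a token altered after signing (say, a promoted role) fails `hmac.compare_digest` and drops to the guest VLAN. The revocation set is the one piece of state that still has to be distributed to enforcement points; that is exactly the simplicity cost the post warns about.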
Implementation. Targets for 1.0
Packages for RPM and Debian: Suse, Red Hat, Debian, Ubuntu
OSX
Windows
Eclipse plugins
Protocols: WS-*, OpenID-H, LDAP, RSS-H
Language bindings
Java, C (core components)
PHP, Python, Ruby (relying party enablement)
Industry Collaboration
Higgins enables Interoperability, Privacy, and a user-centric foundation
Moderation Portion Begins
Phil Becker – moderator
Q: How is this related to eclipse?
A: Started out looking for tooling for identity information and the core data mapping information, CardSpace as a back end. Then started to look at various platforms and how to get CardSpace to work on multiple OSs.
Phil: So you have the developer framework / plugins, open source client piece, and service layer.
Q: Does this achieve CardSpace compatibility? Or CardSpace + extra stuff.
A: Yes, same user experience.
Q: Are there still obstacles on the IP front now that MS has opened up things from an IP front?
A: The MS announcement was great, but there are still some possible IP obstacles.
Q, Audience: What is version 1.0? How do you go from release to getting in front of the end user.
A: We’re working with the platform vendors, good cooperation from Linux folks, we’ll release the CardSpace equivalent client but also the underlying libraries to make your own version of this thing.
Q, Audience: We have 5,000 applications built around identity being in a corporate directory. If we want to move this directory out of the way to put some smarter federation-enabled service in between the app and the directory. What does the enterprise do here?
A: Working to implement plugins for Higgins, allowing consistent view-pulling this information together.
Q, Audience: Trusted chips are on PC motherboards now, how are you going to use them?
A: TPM is definitely something we want to use to acquire data. It would be a context provider like other systems. Token server could also store keys there as well.
Q: IAM, ISVs are both vying for the same customers but things are challenging because you need to pick one IAM vendor which locks you in. Or I could build in a SAML based middleware layer. What I hope is that Higgins gives a path to abstract things from a given IAM, ISV vendor. Does this seem reasonable?
A: It does exactly what you are describing. App developers have to code to specific LDAP, AD, etc. to do authentication. If the app developer supports higgins, then plugins can map this functionality to nearly anything.
Q: What about Jazz in Java?
A: Yes there will be a Jazz module.
Q: Developers may not support it as they don’t do exactly what they want?
A: We think of cardspace as an application we need to support. The best way to test frameworks is to run apps from the top all the way through to see how it works. Testing 2-3 different apps for the 1.0 release. You might also imagine identity management systems based on this technology. Novell is building on top of Higgins, etc.
Q: After 5 years, Liberty is very agnostic and does a lot of what are you trying to do. Why are you reinventing the wheel?
A: This is apples and oranges. Liberty is specifications and protocols, higgins is code and APIs. We plan to work closely with Liberty and WS-*. Higgins plans to reuse Liberty stuff to the extent they can but they are market driven.
Q: Every new app has a user database. Is higgins a good thing for them to use instead of doing their own user management?
A: Yes, use Higgins and the job is easier.
Technorati Tags: identity, Identity 2.0, Infocards, higgins
DIDW: Understanding CardSpace in the Enterprise
Wednesday, September 13th, 2006
Patrick Harding, Ping Identity
Discuss where CardSpace might work in Enterprise.
Assumption that this will be very helpful in the consumer space.
Federation inside the enterprise is growing. The protocols are mostly over: SAML 2.0 and WS-Federation
Enterprise Federation hubs have enabled 5-10 spokes
Common Enterprise scenarios are : employee SSO to ASP’s, Business partner SSO to enterprise Apps, ASP’s and portals integrating 3rd party services
What is CardSpace
CardSpace is the new identity initiative in Vista: secure visual metaphor for managing identity information
In the enterprise context, it is the digital equivalent of your employee badge
Today federation is passive without user control, using IdP and SP with trust via SAML 2.0 Web SSO Profiles, etc.
Microsoft CardSpace, Higgins, and SAML 2.0 ECP allow active federation. This allows the user to be involved and opens up new use cases.
Why CardSpace?
- Self-asserted identity information
- Standard Identity and Authentication UI Metaphor
- User can control the flow of information
Scenario 1: Mixing Privacy Domains
Allows federation between work accounts and semi-personal accounts (like 401K accounts)
Scenario 2: IdP Selection / Discovery
Often an employee arrives at a service provider and needs to identify themselves to a 3rd party. I.e. going to your cell phone company and identifying yourself as an employee of a company for specific plans. SAML 2.0 can do this today but not particularly well. Cardspace enables user control into this process.
Scenario 3: Reduce Phishing Risks
Web for authentication is easy to spoof, cardspace can provide a graphically distinct authentication mechanism.
Scenario 4: Strong Authentication
Employees are required to leverage alternate stronger forms of authentication
CardSpace enables a standard UI metaphor for all auth mechanisms
[SJC: These scenarios seem a bit thin, and certainly none represents a killer app to drive adoption. Most of these problems can be solved other ways, as the presenter is indicating]
Scenario 5: Role Management
Employees can choose what role they wish to be when accessing an application. Accessing an HR app as a manager, vs an employee, etc.. Simplifies temporary delegation.
[SJC: This is cool though, IT guy logging in as a user, vs. as an admin]
Ashish, Ping Identity
Demo:
Business relationship between enterprise and sales force, webex, 401k, etc.
Not blogging demo, very hard to take notes on this.
Kim Cameron, Microsoft
- Enterprises are consumer facing
- Many enterprises have relationships with individuals and small businesses
- These are often not central to consumers’ lives, but are still important when important
Think of analysts who have a website and a password, if you are asked to read something you don’t know the password to the site. You don’t normally go there, but when you want to go there, you really want to go there.
Information Card Strengths
Fast acquisition
Intermittent relationships
Risk reduction – anti phishing and information minimalization
With the proliferation of identity pollution there is a concomitant tendency for legislation to affix financial cost to those catastrophes.
With infocard technology you don’t need to store a bunch of information, just the profile. The provider doesn’t need to store the information [SJC: But why wouldn't they? What is their motivation if they gain an economic advantage from having the information]
We don’t yet know all the best practices around infocards but we have some good ideas around how this will work.
Let’s assume more folks start using information cards. If large Internet sites enable billions of users, there might be increased pressure to adopt information cards for external relationships. Does it make sense for your enterprise to do something different than what enterprise employees might expect (especially in this age of de-perimeterization)?
The Identity metasystem model
The identity provider, the user, and the relying party all are able to trust one another but the user stays involved.
The model of “create a user” is broken and makes no sense. Yet this is what happened in the old domain based model. This gets really unpleasant when there are multiple domains. Federation model implied that these multiple domains could create trust relationships
Then you wind up in this meshed enterprise model which isn’t just several domains but large numbers of domains.
Empowering Users to address this problem
Achieving access control while granting access has been really really hard.
Conclusion was to disappear the user from any involvement – including the business units
General solutions require increasingly complex policies
I believe in an alternate approach – make it easy enough that users can grant their own access – albeit under adult supervision
Trust is local, and contextual. The resource owner makes the trust decision, though he might delegate. Still a matter of them controlling the access. The business units should be able to make these decisions, not IT which has been impossible as it is too hard. Information Cards can make this much easier.
Conclusions:
Simplification and visualization allow us to devolve control to the owners of resources
Give the benefits of a single user experience at home and in the enterprise.
Technorati Tags: Digital ID World, identity, Infocards
DIDW: An Identity-Based Approach to Network Access Control
Wednesday, September 13th, 2006
Special thanks to Roy Chua for taking notes on this session, which I participated in on Tuesday.
Panel
ESG
- Jon Oltsik – introducing
ConSentry – Jeff Prince
- Secure internal LAN, not rip replace
- Full user visibility and mitigation
- Here – identity key to their closing of business
Sanjay Uppal – CEO of Caymas
- Identity control appliances
- Have been doing for some time now
- How it all comes together, two important categories coming together
Sean Convery – CTO of Identity Engines
- Network identity management platform
- User is center of identity in enterprise
- Bring user directories to the network – to make meaningful decisions
- Works with new devices as well as existing equipment
Paul Sangster – Chief standards officer at Symantec
- Security and integrity protection for enterprises
- Co-chair of TNC group
- Working on NAC open standards
Definition of Network Identity
Paul Sangster
- establishing set of attributes with regard to things on network
- From NIC card to laptop to human
- And authorized to get on network
- Identity – ties into integrity and event management
Sean Convery
- Network ID used to be MAC and IP addresses
- Talked about spreadsheets and IP = user
- Mobility has made MAC and IP more difficult
- Seeing prevalence of user-centric identity
- From simple auth to 802.1X
Sanjay
- Practical and then future
- 2-factor, client certs – one aspect
- Other aspect – integrity of device – combination of multiple ID
- Practical – integrity of device
- User – username, password, token
- Future – combination of two
Jeff Prince
- Knowing users and machines connecting to network
- Trick (as Sean put) – bind users to IP and MAC
- How to make user-readable, and location-based – bob, using machine X in office 12
- Location is important as well
Cisco and MSFT were invited to participate but declined
Jon: implementation is difficult
Many supplicants, devices, EAP strategies
What to help people ease into solution
Jeff Prince
- Been in networking long time
- Things that become pervasive on network – easy to deploy, cost effective, high performance
- Cisco NAC – good vision, impossible to implement
- ConSentry want to execute that vision – e.g. rip out L2 switches
Sean Convery
- Cisco not quick to release NAC specifications
- Seeing lots of interest in preserving infrastructure built out
- Seeing disparity in making enforcement technologies
- From enterprise – deploying 6, 8, 10 different things – hard
- Need central authoring and policy point
- Trying to put all eggs in one technology basket is troublesome long term
- Particularly due to lack of standards
Paul Sangster
- See difficulty in deploying – e.g. AV, desktop FWs – people turning it off
- IT needs centralized point of control – and when joining, want to make sure that the machine is healthy and to do so periodically
- Customers tell them this is very difficult but customers don’t want to take the wrong step – don’t want to step up until see long term future of space
Sanjay Raja
- Agree that Cisco and MSFT is not open enough
- Don’t agree with vision of NAC – network admission control
- Customers are asking, after you get admitted, where can you go
- Shouldn’t be limited to just network, but applications as well
- NAC should be access control done in the network, as opposed to, to the network
Jon: who supports TNC, and why hasn’t everyone in audience heard of it
Paul Sangster
- Communication – Cisco and MSFT have large PR budget and voices
- TNC – many large companies, focused message is hard
Jeff Prince
- Biggest frustration – CSCO not member
- Own 80% not adhere to standard, neuter standard
- User community put pressure on CSCO to join
- Best way is to drive standards between endpoint and network
Sean Convery
- Not failure of TNC
- But failure of any architecture for NAC overall
- Have had problems deploying NAC framework at Cisco
- Customers are coming and saying NAC with AV, and firewall and .dat files are good
- Want to know who’s coming on network first, and then along with everything else
Sanjay Uppal
- Agreed, how to integrate client with network
- Should have defined protocol for not 802.1X but others
- Captive portal and web-based login first, and then do bells and whistles
- Need an open supplicant
Jon: trying to rally around the open supplicant
- MSFT, CSCO, Juniper – proprietary – how to drive open supplicants
- Good grassroots support to date – www.enterprisestrategygroup.com
Question from audience:
- Why won’t people stay with MSFT and CSCO and wait until they are done rolling out
Sanjay Uppal
- Most of their customers (e.g. Hormel), waiting for Longhorn or CSCO, a lot to ask for from people with problems today
- Already have problems with identity theft and guest users
- Products on panel will solve that today and don’t have to wait till giants learn to dance
- For entire infrastructure though, advice is to wait
Paul Sangster
- Normal enterprise risk analysis decision
- Lots of data on cost for enterprise for not being able to enforce decisions about posture (worms, malware etc)
- Don’t want to make bad decision, need future proofing
- Nature of attacks over last 12 months, more focused on enterprises
- Without integrity checking, lots of enterprises have user auth, nothing to stop malware
- Need to have no malware stealing credentials
Sean Convery
- Agree that solving acute problems today
- Biggest people deploying our product have short-term access problems
- When talking about NAC and are people ready to deploy NAC
- NAC is AAA
- Dialing into POP over SLIP – using AAA NAC back then
- Principal reason we exist – authenticate people on network
- Repository of user identity and not treated as a critical resource on network
- AAA down – lose VPN and wireless
- Moving forward, how do you authorize users to get on network
Sanjay Uppal
- On aspects of what customers should do from a practical standpoint
- Non-employees getting on network – biggest risk
- Yesterday – SLIP connection – had today, but need combination of identity of user and device as well (e.g. folks in India and Philippines doing contract programming)
Jon:
- How much marketing money CSCO has? Lots
Audience: where’s the vision for centralizing policies throughout the company. Don’t have the people – geeks on parade. Don’t want to call someone to make change in some device. How to go to a central policy store to make these changes enterprise-wide.
Jon – paraphrase – centralized policy instead of policy everywhere
Sean:
- Think we have won’t have centralized policy today, and may never, but some day
- Trying to embrace standards around this area – e.g. XACML around that, SOAP-based interface
- Work on networking problems first, and then start doing it for the applications-side, assert it to the future
Jeff:
- See solution boiling down to three basic components:
  o End point, control piece in switching infrastructure, and IdM infrastructure
  o Defining standards – is critical
- Today, ConSentry built controller behind the switches, can’t rip and replace everything
- As people do switch replacement, will see it coming in
- Announced secure switch, embeds full function into wire-speed switch
Sanjay Uppal
- From enterprise, have concern about adding more layers
- Don’t want new policy in AD, RADIUS etc
- There are standards for asking about Identity – not rich, but can work
- No standard way to ask for policy yet
- Also need standards to federate health
- Once standards set – one place to set policy to get management policy (not appliance), and enforcement can be switch or not, think appliance is still important, need client piece as well for integrity
Paul Sangster
- Centralized place for policies
- Everyone has that, but then you still end up with many centralized stores
- Need MetaDirectory
- Need a PDP that can talk to other PDPs or network
- Can express PDP in some form and push it out (e.g. XACML)
Jon:
- See standards – e.g. Federation, users have to drive big vendors on TCG and 802.1X
- Will have more IP devices, no vendor at all, including CSCO, MSFT, that will give us what we need
Audience:
Qn: focus on LAN and enterprise network, WiFi LANs, services networks etc
Federated model with common security model, tying in all the items, e.g. DS_69 on DSL forum, is important. Standards from wide area, to LAN to core etc.
Is there integrated architecture, for LAN, WAN, Service Provider etc?
Paul Sangster
- Don’t want different infrastructure for all – how to come up with extensible portion across all networks
- Access points for WiFi to talk to RADIUS
- Maybe not needed for LAN over cable
- Backends need common infrastructure – TNC identity all common areas
- Have laid down protocols for bottom layer for some areas already
- Pushing that TNC can cover it all as a high-level infrastructure
Sean Convery
- When we say appliance, means different things to different people
- Goal of IDE is to work with different types of devices
- E.g. FW, switch etc
- Aggregation to get all these things talking
- RADIUS got us on 99% of access decision today
- Some disagreement – position – rich decision made in one place is good, but also want consistent set of entitlements in terms of what you’re allowed on
- But can only do that with standards – so there is limitation
- Even insertion of a device everywhere is close to rip and replace
Sanjay Uppal
- NAC is not limited to LAN
- Disagreement – their device can check local area network and wide area
- Perimeter is disappearing but they are appearing elsewhere
- It is not just LAN, but also where users are coming in from
Jeff Prince
- No reason why they can’t span LAN and WAN
- Once solve problems for LAN, then can solve problems for WAN and other places as well
Audience – TNT
- Practitioners here – don’t wait. Even TCG/TNC will take time
- There are problems now, and people are buying equipment that the vendors are buying
- Forward thinking folks don’t care and will solve the problem now
- ‘Who is buying the stuff now’
- What position, what problem solving
Jeff:
- Customers are driven by compliance – PCI compliance in 3 weeks
- Passed audit within 3 weeks
- Regulated folks – HIPAA, PCI, SOX – folks with corporate assets on LAN
- Prove have clamped data need now
- Compliance is not done yet (still real today)
Sanjay:
- 1. There is a compliance push out there
- No one is making be-all and end-all of compliance solution
- Have one, pass all, no compliance in a box today
- Can implement these much quicker
- 2. Business enablement – e.g. outsourcing, make sure people only get access to specific areas. Not security value-prop, but business value-prop
- 3. Risk management – ID theft, laptops getting stolen, CIOs want to lock down sensitive information, criminal or other records
- Identity-based NAC to deal with that
Sean:
- Biggest problem – contractors, guests, visitors – that we are solving right now
- Keeps customer excited longer term
- Flexibility of policy
- Organizations have directories all over – really useful information – meaningful access decision
- E.g. Library at university that wanted low QoS for overdue customers
Paul:
- Apply political approach
- He is a standards person
- TNC – no standard, but people have standards-compliant products?
- Going out and taking RADIUS and using it
- Using EAP and if doing 802.1X, already have it
- TLS, IPsec, doing standards over
- Have to have a common way do the same thing, protocol standards already exist
Jon: 7 minutes left – Lightning Round
Audience: so, who is the buyer?
Jeff:
- Security is champion, but the network ops guy is the one buying
Sanjay:
- Security guy signoff – app guy if app resource, or networking guy if network resource
Sean:
- network and security guys
Paul:
- same
Papa Gino’s – audience, Chris Cahalin, Network Manager
Qn: $ spent towards unified standards is $ saved
- TPM already exists on laptops – March 2005 – have been using it
- Facilitates business
- Backs TCG
- Extends end-point analysis, can you trust the response you’re getting
- In deployment today
- Appreciates open standards
Jon: closing thoughts
Paul:
- too many NAC, tell vendors that want one open solution, can start today
- Built on things already deployed
Sean:
- Can start today
- Things that you can do that don’t require TPM or OTP
- User names and passwords insufficient is not reason
- Diagnostics etc are more significant
Sanjay:
- Enterprises with business problem today – they have solution
- Audience in IdM space – combination will get there
Jeff:
- Clear alternatives to CSCO
- Get to secure LAN today with them
- Give them opportunity and show value
DIDW: One Identity at XL – A Success Story
Wednesday, September 13th, 2006
Thomas Dunbar – CSO, XL Global Services
Publicly traded as XL
Parent of a group of Insurance, Reinsurance & Financial Products
$58B in assets
www.xlcapital.com
Founded in 1986 as an offshore insurance company with 50 employees when it started, but there have been a ton of mergers and acquisitions, each of which had separate naming schemes.
Had 17 IT organizations, wanted consolidation, then shared services, then one IT.
Needed to support the business:
- Organic growth
- Business unit managers: support new services
Identity issues
- No governance model
- No standards
- No technical or application architectures
- 250 Domino applications
- many exchange organizations
- 6 Notes domains
- no common naming standard
- over 40 email domains
- dozens of customer applications requiring authentication
Data – Multiple repositories of user ID
User Experience – Had to logon to 10-12 applications per day
Org Culture – Global user base increases complexity
Applications – Big gaps in security and compliance. 3000 applications, now down to 600 with goals to reduce further.
XL Key business objectives and requirements
- One company without borders
- Increased security – password standards, deprovisioning people
- SARBOX – rights and privileges
- Increase user satisfaction and productivity – reduce logons, improve IT perception
- Cost measurement / management – Better admin and infrastructure
- Infrastructure Responsive to New business requirements – building block technology with no throwaway work.
Selling IdM at XL
Security, Productivity, User Experience were how we sold it. Sold as a phased approach with investment occurring over time.
Phase 1: Build an identity management foundation
- create a common identity
- establish its authoritative source
- develop a common directory
- identify your authorizations
Phase 2: Build a directory exchange broker (meta directory)
Phase 3: Enable web and windows apps with simplified sign-on
Phase 4: Develop enterprise directory services solution
Single identity store for all XL employees and non-employees and brokers and partners etc.
Phase 5: Develop enterprise simplified Sign-on (round two after phase 3)
Phase 6: RBAC and Federated IdM
- Advice, don’t start here, build credibility and momentum first
- Roles are complex, not starting there
Roadmap Development Approach
- Risk Avoidance – smaller projects, use proven products
- Rapid Value Realization – immediate value and results
- Pragmatism – use existing skills and technology base
- Cost Containment –
In 2004, initial account provisioning was created. PeopleSoft is our authoritative source. Feeds into AD, Exchange, ClearTrust, Lotus Notes
Using ClearTrust, linked this into Plumtree, Domino and other web apps
XL Initial success
134 Apps SSO overnight
86.4 User Sat
Help desk calls reduced 20%
New account provisioning within 5 days before new hire start date
Accounts easily deprovisioned
One common lifelong Identity
Established framework easily leveraged
In 2005, brought in more apps, more ClearTrust deployment, etc. This continued through 2006. Other businesses like HR started leveraging the identity infrastructure to provide more applications.
Bringing in Oracle CoreID in 2006, better simplified sign-on, extranet portal / ClearTrust integration
2007 plans – Develop approval workflow for user access, delegated admin for power users to manage other users’ rights, improve rights management and provisioning
Post IdM – Auth is AD (consultants and employees) – RSA SecurID for remote access, RSA single sign-on manager
Authorization – AD, EDS and AD/AM, RSA ClearTrust, custom applications
Administration – MIIS, Oracle Virtual Directory Engine, Oracle CoreID
Auditing – MIIS, ClearTrust, AD form repository
Missing pieces – User lifecycle management (2007), Federation system (2008), Role-based access control (2008) (Doing some policies with GPO in AD/AM but looking to do more)
Formula for success – Plan ahead, don’t go it alone, detail the benefits, build momentum, communicate
- Develop a strategy
- Sell but don’t oversell
- Demonstrate business value
- Highlight security and compliance gaps
- Seek industry experts
- Form partnerships
- Goal: SSO
- Sell the ability to lower operation costs and improve user experience, focus on phased approach
- Sell better security through better managed passwords
- Don’t start too big (enterprise provisioning) or complex (RBAC)
- Build credibility and gain momentum through low risk / high value tactical components
- Use a building block mentality
- demonstrate how each piece fits into the company’s long term strategy
- Continuously sell, sell, sell
- Demonstrate success
Technorati Tags: Digital ID World, identity
DIDW: Network Access Control Case Studies
Tuesday, September 12th, 2006
Jeff Williams, California State Association of Counties -
Nonprofit advocate for California’s 58 counties.
Represent before lawmakers, agencies and federal government, counties range from 1200 to 10 million people.
Multiple constituencies: Legislators, employees, counties, residents. All want high degree of service and integrity. Very keen on knowing who has access to our network.
State government entities are the 2nd most often targeted in attacks (behind financial services) – Open and easily accessible information is often part of our mission.
Wanted to protect servers and applications from unknown users
Grant appropriate access to specified users/machines
Reporting and auditing for state compliance
IT must be responsive with limited staff
Integrity and credibility of CSAC at risk
Risk to counties’ agenda and well-being
Solution considerations:
Firewalls – identity blind, no machine auth, limited auditing, complex config
Chose instead – identity management and network access control appliance and software
Deployed TNT: Simple implementation, met objectives, unalterable user and computer identity into network traffic, grant or deny access to specific information resources based on identities. Simple tool to configure, set policies, and report all activity. It was installed in one day.
Really liked the reporting capabilities. See status at a glance
Results:
- Identity enabled infrastructure provided full view of user and endpoint behavior
- Led to rapid, straightforward and effective access control policy decision
- Protected the critical state information records from data breaches
- Ensured confidentiality of communication within state government and counties
- Provided full audit to address regulations
Q&A:
What is the scale of this deployment?
We represent the counties from a legislative standpoint but they didn’t deploy this. We deployed this for our employees only.
** Second Case Study
Roman Lessnow (sp) – Security Manager Wellstar (Atlanta, GA)
600,000 customers
10,000 employees
Five hospitals
Urgent care centers
etc.
Implemented Information Technology Infrastructure Library (ITIL)
Very small IT staff, wanted network plug and play, granular access control, transparent user experience
We use LDAP, needs to work with that. Novell eDirectory, moving to LDAP
Environment:
Windows, Linux, HPUX, 475 devices with SSH/Telnet, also looking to control devices, pumps, monitors and other SSH or telnet supported devices for vendor access
Wanted authorization based. More access internally than remote. Needed to set the policy directly and enforce it on the engines within the device.
Easy management: Vendor logs in to update one of their devices onsite, we want to check that their system is clean before they are granted access.
View log data, etc.
Chose Caymas appliance. Policies can be updated in real time, users cannot view / discover unauthorized resources, full log and audit, no user training required.
We provide the vendor access, meet the requirements of our mobile employees, deal with a heterogeneous environment, etc.
Can do policies via LDAP or locally on the box.
Technorati Tags: Digital ID World, identity, NAC
DIDW: Using Virtual Directories for Compliance
Tuesday, September 12th, 2006
Jeff Anderson – Fifth Third Bank
Came into session a bit late…
Challenges:
- Regulatory issues, Sarbox, etc.
- Financial services specific issues, Patriot Act, Financial Modernization Act
- Identity silos are more than just enterprise directory and AD. Silos for me are every place that provides identity services (databases, applications etc.). This also includes third party services
Solution overview:
- IDM stack that we deployed: at top are the applications themselves, perhaps they are silos themselves but they need to access others. Below that is the application access layer (SOA, directory connectors, etc.). Below that is the enterprise directory (LDAP) and the virtual directory. Below that is the provisioning system
- Enterprise directory is Sun, virtual directory is Radiant
- Directory hardware, use Sun hardware on E25Ks. Since it is virtual, we don’t need to specify that this is the only source.
- Each of the three tier 1 data centers has an instance of this sun hardware.
- Virtual directory services sit on the same hardware as the LDAP store.
- Virtual directory overview: At top is virtual directory engine (core). Below that you have RDBMS connectors to application directories and databases.
- What it means to us: Virtual directory allows us to abstract the data. This allows the applications to ask one place for data without needing to understand the back end. 4 use cases:
- Directory Joins – virtual directories can join two objects into one logical system
- Protocol masking / external joins – two examples to discuss later. This has more to do with what happens when the back end system isn’t a directory but we want to use it like a directory.
- Schema transformation – legacy systems have naming inconsistencies. Virt directory allows us to make them consistent
- External data masking – when dealing with security controls we can access systems without fine grained access control by allowing the virtual directory to enforce what you are able to see.
Synchronization vs. Virtualization
- Synchronize when source of authority was unstable, unresponsive, etc.
- Virtualization for everything else.
It doesn’t matter when you move or access the data. What matters in virtualization is that you choose a product that lets you switch between the two when you need to. What happens when the back end directory changes? These are important questions to ask your vendor.
What did we do at the bank?
Identity management programs were selected to be early users of the virtual system: B2B single sign-on was the first.
Big diagram of transaction, download slides to see in detail.
ClearTrust was deployed prior to the identity management effort and was the first customer of the identity service.
Why not just move the data??? Why deploy virtual directory?
Three reasons:
- Time – lots have to change to move an identity store
- Cost – startup costs are high
- Regulatory Controls – If you are leaving the data in the system you have now, it has already gone through the controls. If you move the data, you have renewed requirements for audit. If you pass audit now, leave the data where it is and save yourself cost.
When you deploy a directory you’ll define the view, this is the data store, this is how you access it, the access rules, etc. Four things happen: bind request comes from SSO. Searches the entitlements to see if it is a valid user. Search for requested user. Binds as user checking the credentials.
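To make the four use cases (join, protocol masking, schema transformation, data masking) and the four-step SSO bind concrete, here is an added toy virtual directory in Python. It is not Fifth Third’s, Radiant’s or ClearTrust’s code; the two back ends, the users, the attribute names and the entitlement table are all constructed for the demo.

```python
"""Toy virtual directory: joins an LDAP-like store with an HR table,
maps legacy attribute names to one schema, masks attributes per requester,
and runs the four-step bind flow from the session notes. Constructed demo."""
import hashlib
import hmac
import sqlite3

# Back end 1: LDAP-like store keyed by uid (constructed sample entry).
LDAP_STORE = {
    "jdoe": {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@example.test",
             "userPassword": hashlib.sha256(b"correct horse").hexdigest()},
}

# Back end 2: an RDBMS table that is not a directory (protocol masking:
# the virtual directory makes it answer like one).
DB = sqlite3.connect(":memory:", check_same_thread=False)
DB.execute("CREATE TABLE hr (emp_id TEXT, dept TEXT, ssn TEXT)")
DB.execute("INSERT INTO hr VALUES ('jdoe', 'Treasury', '123-45-6789')")

# Schema transformation: legacy names -> one consistent virtual schema.
SCHEMA_MAP = {"cn": "displayName", "dept": "department"}

# External data masking: attributes each requesting system may see.
ENTITLEMENTS = {
    "sso-service": {"displayName", "mail", "department"},
    "hr-app": {"displayName", "mail", "department", "ssn"},
}

def directory_join(uid):
    """Join the LDAP entry and the HR row into one logical object."""
    entry = LDAP_STORE.get(uid)
    if entry is None:
        return None
    joined = {k: v for k, v in entry.items() if k != "userPassword"}
    row = DB.execute("SELECT dept, ssn FROM hr WHERE emp_id = ?", (uid,)).fetchone()
    if row:
        joined["dept"], joined["ssn"] = row
    return {SCHEMA_MAP.get(k, k): v for k, v in joined.items()}

def virtual_search(requester, uid):
    """Search via the virtual directory; unentitled attributes are masked."""
    allowed = ENTITLEMENTS.get(requester)
    if allowed is None:
        raise PermissionError("unknown requester")
    obj = directory_join(uid)
    if obj is None:
        return None
    return {k: v for k, v in obj.items() if k == "uid" or k in allowed}

def sso_bind(requester, uid, password):
    """Step 1: bind request from SSO. Step 2: entitlement check on the
    requester. Step 3: search for the user. Step 4: bind as the user."""
    if requester not in ENTITLEMENTS:
        return False
    if virtual_search(requester, uid) is None:
        return False
    stored = LDAP_STORE[uid]["userPassword"]
    return hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), stored)
```

The SSO service sees `department` (joined from the HR table under its new name) but never `ssn`, which is the masking the notes describe.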
ClearTrust for cross-silo authentication is made easier by virtual directory. I.e. using WebSphere for J2EE apps, need to secure the app. The app is secured through ClearTrust. Challenge is when the employees don’t exist in the external directory store. WebSphere doesn’t let you split what you do for console logins vs. anything else.
Lessons learned:
- Virtualization of the identity to leave it where the data resides is a powerful tool that avoids regulatory issues. Any approved data source can be used for SSO, for example.
- Remove application sequencing dependencies: since you don’t need to move identity stores, that is different than application work. No mid silo applications with a need to do things at the same time. The time different apps operate can be decoupled.
- Real-time access instead of synchronization is possible with low overhead. No large hit in access times.
Technorati Tags: Digital ID World, identity
DIDW: The Impact of URL-based Identity
Tuesday, September 12th, 2006
Moderator Joris Evers – CNET
Johannes Ernst – NetMesh Inc. (JE2)
Created original LID URL-based identity scheme. URLs can point to things. Make something simple that can be easily implemented
David Accordan (sp) – Verisign
Brought into this from an OpenID perspective and thinks URL-based schemes make it easy to represent yourself online.
Brad ?? – Six Apart – wanted users to roam around and perform identity. Developed OpenID
Drummond Reed – Cordance
Chair of XRI – can be used as user centric identity. Worked on i-names
Dick Hardt – Sxip Identity
Produced Sxip protocol to provide unique identifier to a site, and across sites. Saw some of the OpenID stuff and thought that information could be linked to make the info more portable.
JE2 – Lots of smart people, lots of things that aren’t going to go away anytime soon. URL folks, WS* folks, Liberty folks, etc. Need to reconcile these worlds in order for any value to be received. LID, OpenID, and SXIP are all coming together from a protocol standpoint.
JE – Is this really a sea change?
DH – Lots of convergence work from SXIP being brought into OpenID 2.0
DR – Yes lots of convergence, a year ago we would have had four different stories.
JE – For an enterprise, where will they see the most benefit?
DH – Your traditional enterprise won’t adopt this right away. Early adopters have very acute pain. Where it might make sense is how to integrate with their own end users. A bit early for enterprises.
JE – Favorite case study for URL based identity
B? – Having to remember passwords for dozens of sites is a pain. Now with OpenID he can use one sign-in for his wiki and get into another set of wikis. Concerns around educating users that it can be secure.
DA – Since they are easy to implement, there can be a wide range of security at their identity provider vs. your identity being in a large silo. You can setup your controls in one place.
JE2 – Sarbanes compliance will not come from OpenID. 2 places it helps. First, interacting with blogger-type folks. Second, within the enterprise, the early adopters can use this. Homepages for employees at a company, very easy to extend that url to identify a user with that same URL.
DA – users understand URLs which makes URL based identity more obvious.
B? – Bootstrapping identity on the Internet can’t be done with PKI.
DR – Clickable identity but you wanted to control the spam you receive in the case of Blogs.
JE – How do you tie this in with existing enterprise identity systems
DH – Identifier is designed to be expressed outside the enterprise. You can map the URL for OpenID to your internal directory store
JE2 – Lots of users in enterprises with data owned by the enterprise. Good links between the data the company owns and the data that the user owns (i.e. IM handles, cell phone numbers, etc.) This lets the users decide who can see what data and they can update it.
JE – What do I need to deploy this in enterprises?
DH – OpenID 2.0 is still under design.
B? – OpenID 1.1 is out and should be upward compatible. All livejournal blogs have this now.
JE2 – Each company represented on panel has their own tech but much of it is interoperable.
DA – Bounty program to encourage development of OpenID 1.1.
JE – Ease of implementation is mature enough or not?
JE2 – We have deployed them today.
B? – No enterprise work yet because no one has needed it yet.
JE2 – Open source licenses are quite liberal within Apache Heraldry License.
DA – OpenID can fit in with the Higgins framework.
DH – Possibilities to work with liberty as well. Lots of different libraries for programming languages are done or underway.
B? – Approach where you get to decide how to authenticate to us is good. We’ll hang our data onto whatever ID you provide.
DR – If you are in an enterprise looking at this, watch for expectations of users to increase around using OpenID. Folks like the way this works.
JE2 – Pieces of technology stack are missing. Nothing prevents a site from setting up and spamming identities. No reputation is in place.
DA – Because there is no way to mandate reputation it allows business models around providing this since authentication comes first. No requirement to trust one meta provider.
B? – All email that is out there has no identity association
JE – How do you make the world better in the next 5 years? Where is your business?
DH – I see user centric identity will enable apps that we haven’t dreamed of in five years. Lots of things that you can do in real life that you can’t do on the net. Evolution from web as static pages to web as applications was one evolution, this will extend beyond that and create richer applications. How do I make money? That’s a good question.
DR – Business is in the services, in the applications that enable the services. Applications that this enables will change your business.
B? – I don’t care about biz, I want the web to suck less.
DA – Infrastructure needs to be built out, once you have it then the new apps can be built. [SJC: If you build it, they will come?]
JE2 – Goal of our business is to help enterprises make things work in this world.
Question – Rakesh from Sun – This user centric stuff is interesting, identity touches everything. NAC will be interesting. How do you take it from being server centric to being network enabled? Users can set up an identity 2.0 representation of themselves and define what they share. This all should work with the current model through linkages.
DH – You’ve touched on an area of disagreement. Sxip’s view is that for most things the user can decide what to push to a server. Others have a view of a profile that they set access control. That is problematic as each request is contextual based on what is being asked.
DR – This will not displace the enterprise identity constructs that are being used today. It is about empowering the users to represent themselves on the network in a way that they control.
My session is next, so I stopped taking notes here. More Q&A occurred.
Technorati Tags: Digital ID World, identity