Presentation is loading. Please wait.

Presentation is loading. Please wait.

User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT.

Similar presentations


Presentation on theme: "User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT."— Presentation transcript:

1 User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT

2 2 Thesis Trustworthy authentication and authorization are important Moving the authentication and authorization functions out of applications will allow rapid deployment of desirable new technologies The services needed are largely available today, and will be complete within 18 months The work must now shift to the applications and business processes

3 3 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

4 4 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

5 5 What are the Problems? External: granting & removing access through auditable processes Internal/external: accountability using access records Internal/external: maintaining trustworthiness of tokens or credentials Internal: reducing the cost of implementing new security methods Internal: navigating University applications may be too complicated for users

6 6 Contexts Network: for access control security Enterprise applications: for integrity of business functions Divisional and school applications: for consistency and ease of management User experience: to reduce complexity

7 7 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

8 8 Industry Trends in User Authentication Defining clear business rules for identity creation and lifecycle management Requiring stronger passwords Requiring multi-factor authentication for high-value transactions Requiring trustworthy administrative processes

9 9 Business Rules for Identity Lifecycle Management Document the necessary and sufficient conditions for identity creation Define the lifecycle and the authorizations granted and revoked at each transition Grant authorizations in keeping with business goals and to minimize risks Log and audit the management processes

10 10 Stronger Passwords Password cracking technology is advancing beyond our ability to remember passwords Because attacks are automated, risks are greater and defenses must be stronger Passwords must become longer and more complex. Likely future minimum will be 8 characters with more syntax requirements Implementation requires new IdM system

11 11 Multi-Factor Authentication Factors: something you … –Know (passwords) –Have (swipe card, USB token) –Are (thumbprint, handprint, retinal pattern) –Do (typing pattern, walking gait) How many factors are needed to be POSITIVE that the attempted access is by the real person? –What is the risk of being wrong? –What is the inconvenience? –Who will decide?

12 12 The Importance of Trustworthiness Federal guidelines for electronic signature stress the security and trustworthiness of token distribution Federated authentication between security realms is based upon trust in our authentication assertions, a portion of which is trust in the management of tokens. Our practices for identification, distribution and management of authentication tokens must be judged trustworthy Policies on protection of tokens must be enforced Trust is a contract with legal implications

13 13 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

14 14 NUIT Plan Single identity for each person Four network-wide authentication services but only one and one-half authorization services Workflow-based management of identities and access control Federated authentication with others Smartcards, USB tokens, etc. A key step: remove authentication from applications and place it in the surrounding service environment

15 15 Single Identity (NetID) Why? –Tied to authoritative sources –Single token allows rapid action to allow, modify, or revoke access or permissions –Common authentication infrastructure simplifies user experience (portal, SSO) What about aggregated risk? –Use multi-factor authentication selectively –Educate users – it’s not just now

16 16 Four Services LDAP 3.x: authentication and authorization attributes MSFT Active Directory: authentication and some authorization attributes MIT Kerberos 5: authentication Web SSO: authentication and coarse- grained access control through LDAP authorization attributes

17 17 Web SSO (Single Sign-On) More correctly: Web Access Management Presents a challenge for an authentication token and caches the resulting level of authentication in a session cookie Extension: access policies are used to describe the authentication level needed for each URL

18 18 Web Access Mgmt

19 19 Timeline* * This timeline is for illustrative purposes only and should not be used in planning – please consult with an experienced professional. The views expressed are those of the author and not those of NUIT. No warranty expressed or implied. YMMV. All bets are off.

20 20 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

21 21 How Should Applications Prepare? Move user authentication into the Web server – application invocation implies successful authentication Use identity management workflow to control access to the application Use attributes for coarse-grained access control Optional: Define institutional roles that can drive coarse-grained (and fine-grained) access control Optional: Employ first-access provisioning to simplify management of application user profiles

22 22 Authenticating at the Web Server Applications must give up internal passwords and programming logic to check NetID passwords Moving this function to the Web server level allows new functions (Web SSO) to be deployed without wide-spread effects If the application is invoked, then the user was successfully authenticated

23 23 Approve Access Through IdM The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application. Using IdM-based workflow to request, authorize, approve and grant access can support this easily. The IdM system can enforce business rules subject to entitlements granted.

24 24 Remove Access Through IdM What business rules are appropriate (or required) when an identity changes status? –Move between departments –Move between divisions/schools –Graduation, withdrawal, no registration –Termination Possible actions: –Continue services indefinitely or for a defined number of days –Suspend access and (a) notify individual, and/or (b) notify supervisor, and/or (c) notify service manager –Suspend without notices

25 25 Coarse-Grained Access Control Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page. –Role: “faculty”, “employee” –Entitlement: “access to HRIS” Session environment can also be used –IP address –Level of authentication

26 26 Fine-Grained Access Control Fine-grained access control is based upon user profile information unique to the application or interpreted by the application at execution time. –“Can view salaries” –“Can change salaries” –“Can authorize checks up to $100,000” Fine-grained access controls could be determined from institutional roles – or not –Examples: “department assistant” implies “Can view salaries” “Can administer grant funds within department”

27 27 Coarse vs. Fine Controls

28 28 First-Access Provisioning Avoid provisioning user profiles within the application until the user attempts access –Eliminate unnecessary local user profiles Recognizing no user profile exists: –Invoke an IdM workflow to request access –Create a place-holder profile and allow limited access by default –Automatically create a profile from attribute information (institutional roles) Result: savings in administrative time

29 29 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

30 30 1. Typical “silo” application

31 31 2. Convert to NetID authentication

32 32 3. Move authentication to Web server

33 33 4. Web Access Management (SSO)

34 34 5. Coarse-grained authorization

35 35 6. Request access using IdM workflow

36 36 7. Institutional roles drive provisioning

37 37 Step 8

38 38 9. Smart card authentication

39 39 Agenda What are the Problems? Industry Trends in User Authentication What is NUIT Planning? How Should Application Administrators and Planners Prepare? Transitions Wrap-up

40 40 Wrap-Up Seek to free the application from any particular authentication technology IdM workflow can govern the approval process, provide audit controls, and flag the user’s identity for other business rules First-access provisioning saves time and effort for the application administrator “Just as secure, with just as much control, just using different tools”

41 41 Questions? Q A &


Download ppt "User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT."

Similar presentations


Ads by Google