Presentation on theme: "Identity & Access Management. Presenter: Mike Davis, (760) 632-0294, January 09, 2007." — Presentation transcript:
Slide 1: Identity & Access Management
Presenter: Mike Davis, Mike.firstname.lastname@example.org, (760) 632-0294
January 09, 2007
Slide 2: Definitions
IdM: Identity management (IdM) comprises the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities within a legal and policy context. - Burton Group, 2003
IAM: Identity and access management (IAM) comprises the set of services that includes authentication, user provisioning (UP), password management, role matrix management, enterprise single sign-on, enterprise access management, federation, virtual and metadirectory services, and auditing. - Gartner
Slide 3: More Definitions
Provisioning: Provisioning of user access control credentials refers to the creation, maintenance, correlation, synchronization and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to an automated or interactive business process. Provisioning software may include one or more of the following processes: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. Provisioning is typically a subsystem or function of an identity management system; it is particularly useful within organizations where users may be represented by multiple user objects on multiple systems. - EDE IPT
A second definition: the process of managing attributes and accounts within the scope of a defined business process or interaction. Provisioning an account or service may involve the creation, modification, deletion, suspension or restoration of a defined set of accounts or attributes. - OASIS SPML
Slide 4: Yet More Definitions
Single sign-on (SSO): Any user authentication system permitting users to access multiple data sources through a single point of entry; part of an integrated access management framework. At present there is no universal definition of SSO, no agreement on whether it is really possible, and no understanding of what is considered true SSO. - PistolStar
Slide 5: Identity Mgt Attributes (1 of 2)
Slide 6: More Identity Mgt Attributes (2 of 2)
Slide 7: Access Mgt Attributes
Sources: OneVA Identity Management IPT, December 19, 2005; OneVA Enterprise Identity Management White Paper, v1.3, October 12, 2006
Slide 8: Authentication Services
Centralized authentication services reduce complexity
– PIV (HSPD-12, NIST FIPS PUB 201)
– MS NAS (AD Kerberos)
Applications should accept a trusted third-party credential; applications do not authenticate users directly
– Kerberos, X.509, SAML
– CCOW
– Security token services (STS)
SSO is intrinsic
– SSO is now expected
– SSO is now technically feasible
Slide 9: WS-Trust scenario
A client sends a SOAP message (Request) to a SOAP-based application server. The original client request is intercepted at a SOAP gateway and redirected (based on policy) to the IP/STS. The SOAP gateway and the STS use WS-Trust messages to enable interoperable processing of the more fundamental WS-Security-protected SOAP message sent between the client and the service.
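The gateway/STS exchange on this slide, together with the slide 8 principle that the application accepts a trusted third-party credential instead of authenticating the user itself, as an added Python sketch that is not part of the presentation. The function names, the user "mdavis", the service URN and the shared HMAC key are assumptions; HMAC over a JSON claim set stands in for the XML signatures and SOAP envelopes real WS-Trust uses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust anchor shared by the IP/STS and the application service;
# in WS-Trust this would be the STS signing certificate the service trusts.
STS_KEY = b"constructed-shared-secret-between-sts-and-service"
TOKEN_LIFETIME = 300  # seconds a token stays valid (assumed policy value)


def sts_issue(rst: dict, now: float) -> dict:
    """IP/STS: answer a RequestSecurityToken (RST) with a signed token (RSTR)."""
    if rst["principal"] != "mdavis":          # constructed directory of known users
        raise PermissionError("unknown principal")
    claims = {"sub": rst["principal"], "aud": rst["applies_to"],
              "exp": now + TOKEN_LIFETIME, "roles": ["clinician"]}
    body = base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"token": body + "." + sig}        # RequestSecurityTokenResponse


def service_verify(token: str, expected_aud: str, now: float) -> dict:
    """Application service: trust the STS signature, never the raw client identity."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.b64decode(body))
    if claims["aud"] != expected_aud:           # token minted for another service
        raise ValueError("wrong audience")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def service_handle(request: dict, now: float) -> dict:
    """The SOAP application server: accepts only token-bearing requests."""
    claims = service_verify(request["token"], request["service"], now)
    return {"status": "ok", "sub": claims["sub"], "roles": claims["roles"]}


def gateway(request: dict, now: float) -> dict:
    """SOAP gateway: intercept the client request, obtain a token from the STS
    (policy here: every request to the service needs one), then forward it."""
    rst = {"principal": request["user"], "applies_to": request["service"]}
    rstr = sts_issue(rst, now)
    return service_handle(dict(request, token=rstr["token"]), now)


if __name__ == "__main__":
    print(gateway({"user": "mdavis", "service": "urn:example:patient-lookup"}, time.time()))
```

The service never sees a password: a forged, expired or misdirected token is rejected by the signature, expiry and audience checks, which is what lets the application delegate authentication entirely to the STS.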
Slide 10: IDM…Whose Identity Is It?
VHA problem statement: How does the security (IdM) portion of IAM fit with the traditional ownership of IdM, which is controlled by administrative, demographic, payroll and HR functions?
Solution: Standards are needed for IdM and for IAM: consistent vocabularies, and clear differentiation of the role and ownership of identity data used for different purposes. The Oracle Identity Governance Framework is setting the initial definitions in this area prior to vetting in a standards organization (TBD).
Identity Governance Framework: http://www.oracle.com/technology/tech/standards/idm/igf/index.html
Slide 11: IAM Technology Viewpoint
Assertions:
– IAM (PIV) transforms future SOA security infrastructures
– Centralization reduces complexity of authn/authz administration
– Web Services provide the key underlying standards/technology
– Application security (end-to-end) replaces the castle-and-moat paradigm
– SSO is assumed/expected
Obstacles:
– Lack of consistent approach (different goals, views, vendors)
– Immature/incomplete industry technology, few solutions
– Developer experience/confidence in solutions…resistance to change
Implications:
– Projects will use existing/closed solutions to avoid risk
– Projects will not be able to adapt to the coming centralized infrastructure
– Project schedules will limit time to innovate in security
– Security will continue to lag
Advice (implement/innovate/adopt):
– SOA Architecture
– CCOW
– Kerberos SSO/TTP Authn
– HL7 RBAC/ASIS XACML
– Implement Web Services
– Manage globally, enforce locally
– Pilot a SOA Security Application