Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.


Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org

IdM – The Missing Link (part 1)
Avi Douglen, CISSP
Douglen@hotmail.com
6/9/2009


Agenda
- Background
- Why IdM Goes WRONG
- What IdM CAN Do
- What IdM USUALLY Does
- What IdM SHOULD Do

BACKGROUND

Some Random IdM Statistics
The numbers are very clear…

Some Random IdM Statistics
- Time to implement enterprise IdM:
  - Vendors: < 6 months
  - Real world: 2-3 years AT LEAST

Some Random IdM Statistics
- Cost to implement enterprise IdM:
  - Vendors: < $100K
  - Real world: $2-3 million AT LEAST

Some Random IdM Statistics
- Savings from IdM implementation
  - ~ $2.5 million yearly
  - 75% of IT user administration costs
  - > $8 million

Some Random IdM Statistics
- Success rate for IdM projects
  - 10-15% Success
  - < 5% Success
  - > 60% Still pending (not yet complete, maybe never will be…)
  - Vendors: > 85% Successful implementations

Some Random IdM Statistics
Okay, the numbers are not THAT clear…

Background - Definitions
- Identification – Who are you?
- Authentication – Prove it!
- Authorization – What can you do?

Background - Definitions
- Digital Identity – A set of claims made by one subject about itself in relation to a given system
- IdM systems deal mostly with enterprise-centric identity systems
  - Not so much user-centric identity

Background – Definition(s) of IdM
- IdM – Identity Management
  - Manages identity silos for all systems
  - Provides single view of shared user directory
  - Provisioned identities
  - Delegated authentication

Background – Definition(s) of IdM
- IAM – Identity and Access Management
  - Second generation of IdM
  - Very limited Access Control
    - Not granular or application-sensitive
    - Usually at system level
  - Sometimes provides minimal RBAC features

Background – Definition(s) of IdM
“Identity management is… the set of business processes, and a supporting infrastructure, that provides identity-based access control to systems and resources in accordance with established policies” - Burton Group

Sample IdM Vendors
- Microsoft
  - AD / ADFS
  - MIIS
  - ILM
- IBM
  - Tivoli Directory Server
  - Tivoli Identity Manager
  - Tivoli Access Manager
- Novell
  - Identity Manager
  - Access Manager
- EMC / RSA
- Oracle
  - Too many products to mention…
- CA
  - Even more…
- Sun
- BMC
- Numerous niche start-ups…

WHY IDM GOES WRONG

Challenges - Political
- Lack of leadership and support from sponsors
- Getting all stakeholders to have a common view
- Data ownership quibbles
- Expectation to make IdM a data synchronization engine for application data
- Defining an appropriate business process
- Overlooking change management – expecting everybody to go through the self-learning process

Challenges - Technical
- Lack of definition of the post-production phase
- Lack of focus on integration testing
- Lack of consistent architectural vision
- Expectations for "over-automation"
- Deploying too many IdM technologies in too short a time
- Niche applications – no “best-of-breed” suite
- Lack of requirements coverage – e.g. CSAC

Security Risks
- Single point of failure
  - AKA Break one, break all
- Platform vulnerabilities
- Integration flaws
- Rogue developers
- Over-reliance on automation

WHAT IDM CAN DO

Some IdM Services
- Identity repository
- Directory services
- Provisioning
- Password synchronization
- Workflow automation
- User information self-service
- Management of lost passwords
- Self-service password reset
- Delegated administration
- Policy-based access control
- Enterprise/Legacy single sign-on (SSO)
- Web single sign-on (WebSSO)
- Metadata replication / Synchronization
- Directory virtualization (Virtual directory)
- Role-based access control (RBAC)
- Federation

WHAT IDM USUALLY DOES

Top 3 Drivers for IdM
1. Regulatory Compliance
2. Lowered Administration Costs
3. Better user experience
4. Security?

Most Common Features
- Password reset
- Password consolidation and management
- Single Sign-on (SSO)
- Provisioning
- Compliance reporting
- Change request workflow
- System level access control (RBAC)

Missing Security Benefits
Where did “Security” go??

WHAT IDM SHOULD DO

Possible Security Benefits
- Immediate de-provisioning
  - And re-provisioning
- Enterprise wide Password Policy
- Security policy enforcement

Missing Security Features
- Separation of Duties
- Granularity of authorization
- Scalable application administration
- Application audit trail

QUESTIONS?
DOUGLEN@HOTMAIL.COM

