Building and Implementing An Identity Management Roadmap
John Taylor, Manager, IT Security & Service Continuity
Phil Hall, Security Consultant
Apologies: Russell McClimont, IT Security Services Manager, eCommerce Security

Presentation Overview
- Strategic overview
- Architectural building blocks and identity management overview
- Creating the identity management roadmap
- Business requirements, principles/blueprint and technical positions
- Project implementation
- A couple of examples

Architectural Building Blocks (slide diagram removed from the transcript)

Information Security Framework (slide diagram removed from the transcript)

Identity Management – Strategic Overview (slide diagram removed from the transcript)

Identity Management – Strategic Overview: Business Issues Faced
- High administration cost
- Inefficient management of user repositories
- Numerous authentication points
- Various passwords
- Disconnect between external- and internal-facing systems for user access
- Security built within each application


Identity Management – Strategic Overview: Direction
- Move towards reduced sign-on by linking web-based protocols through Tivoli Access Manager, with Tivoli Identity Manager covering ‘legacy’ and non-web-based systems.
- Centralised user management through corporate Meta Directory services.
- User self-registration and ‘access’ management for the majority of the environment through Tivoli Identity Manager.
- Centralised authentication and authorisation services that leverage existing investments.
- Workflow management through Tivoli Identity Manager.

Establishing an Identity Management Roadmap (slide diagram removed from the transcript)

Key Components – Overview
- Must have a formal identity management architecture. The roadmap is a migration strategy for realising this architecture.
- Clearly define what identity management is and is not.
- Essential to ‘ring-fence’ the architecture and roadmap.
- Directories: always a tricky area to address.
- Vendors have a view that suits their product suite.
- A discrete set of related services.
- Business objectives and/or issues that identity management services will address.
- Investment in a set of complementary technologies that are consistent with the overall IT architecture/strategy. Minimise duplication!
- Four key components, these are….

Principles & Blueprints
- Identity management guiding principles
  - E.g. “Provisioning of IT access will be based on a mix of automatic provisioning of basic services and self-service registration”
  - Limited in number, no more than 20
  - Must complement general IT principles and security principles
- Architecture blueprints
  - Reflect guiding principles
  - Models of identity management architecture
  - Describe the identity management architecture in terms of discrete, yet related, services
  - Products are not referred to; keep it generic

Technical Positions & Migration Strategy
- Technical choices and decisions
  - Describe identity management services in terms of a series of possible options and the chosen technology/solution
  - A series of technical positions based on “fitness for purpose”
- Migration strategy
  - Describes the activities essential to achieving the identity management architecture
  - Describes each activity in terms of its relationship with other activities and time… but it is not a project plan!
  - Activities are grouped together to form work streams
  - Must consider external factors, e.g. other projects
  - Should demonstrate a timely return on investment
  - Maximise strategic direction, minimise use of tactical solutions
  - Consider budgets and resource levels/experience

Getting Support from the Business
- Map identity management services to business objectives
- Link to IT and security architectures
- Demonstrate a structured approach to architecture and roadmap development… we know what we are doing!
  - Document business objectives, issues and requirements
  - Baseline ‘as is’ and perform gap analysis
  - Document principles, blueprints, technical positions and migration strategy
- Demonstrate value in the short term and at regular intervals thereafter
  - Simple high-impact solutions, e.g. integrated login, password synchronisation
  - Integrate individual solutions to provide a comprehensive infrastructure
  - Simplify delivery of a critical IT project using an identity management service

Map business objective to identity management service (slide diagram removed from the transcript)

Map the identity management product to the identity management service and business requirement (slide diagram removed from the transcript)

Identity Management Implementation Flow (slide diagram removed from the transcript)

Example 1: Migration of ‘Existing’ WAM System
- IAG acquired CGU in … (year not present in the transcript).
- IAG had an existing web access management system using Directory Smart as the underlying architecture.
- CGU had installed Access Manager.
- Gap analysis process against roadmap requirements.
- Chose to migrate Directory Smart to Access Manager.

Requirements
- Complete delivery by December.
- Maintain client self-help and single sign-on functionality as provided by Directory Smart.
- Ongoing new integration activities to be performed with Access Manager.
- Compliance with IT security architectural principles and strategy.

Issues
- Develop a migration strategy for 40+ applications.
- Architectural differences: proxy vs. agent based.
- Avoiding additional authentication points.
- Introducing a new administration tool to the help desk.
- Maintaining existing Q&A functionality.

Achievements
- Phase 1 is complete: Access Manager is being used to handle the gatekeeper service for all applications.
- Automated account provisioning for intranet clients, supplied by the HR source (SAP) through IDI connectors.
- Password reset service provided by Identity Manager.
- Access Manager providing the authentication service to the Identity Manager interface.

Integrated Single Sign-On Process (slide diagram; components: ITAM WebSEAL, ITAM IDS, DSmart, DSMART IDS, endpoint application)
1. Initial request (client to WebSEAL)
2. Post (credentials)
3. Authentication (WebSEAL against ITAM IDS)
4. Check user; extract password
5. WebSEAL session ID and credentials cached
6. Request forwarded with iv_user and tagged password attribute (WebSEAL to DSmart)
7. Check user (DSmart against DSMART IDS)
8. Post DS cookie, caller URL etc.
9. Post cookie
10. Request with client cookie to the endpoint application
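The flow above hinges on the endpoint application trusting the identity header (iv_user) that the reverse proxy sets after authenticating the user. The following is an added simulation of that exchange, not IAG's or Tivoli's code: a proxy that authenticates, discards any identity headers the client sent, and forwards with the user identity plus a proxy-only signature, and an endpoint that accepts the identity only when the signature checks out. The header names, the junction secret and the user store are constructed assumptions.

```python
"""Reverse-proxy SSO simulation: the proxy authenticates, the endpoint
trusts the asserted identity only if it provably came through the proxy.
Constructed example; header names, secret and user store are assumptions."""
import hashlib
import hmac
import secrets

# Constructed user store: username -> hash of password (plain sha256 for
# brevity; a real directory would use a salted, slow password hash).
USER_STORE = {"jdoe": hashlib.sha256(b"correct horse").hexdigest()}

# Assumed secret shared only by the proxy and the endpoint ("junction").
JUNCTION_SECRET = b"constructed-junction-secret"

def sign_identity(user):
    """Proxy-side proof that it, not the client, asserted this user."""
    return hmac.new(JUNCTION_SECRET, user.encode(), hashlib.sha256).hexdigest()

def authenticate(username, password):
    stored = USER_STORE.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)

def proxy_forward(request, sessions):
    """Steps 1-6 of the slide: authenticate (or reuse a cached session),
    then forward with iv-user set by the proxy. Returns 401 on failure."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Never trust identity headers supplied by the client: strip them.
    for h in ("iv-user", "x-junction-sig"):
        headers.pop(h, None)
    sid = request.get("session")
    if sid in sessions:                         # step 10: cached session
        user = sessions[sid]
    else:                                       # steps 2-5: fresh login
        creds = request.get("credentials")
        if not creds or not authenticate(*creds):
            return {"status": 401}
        user = creds[0]
        sid = secrets.token_hex(16)
        sessions[sid] = user
    headers["iv-user"] = user
    headers["x-junction-sig"] = sign_identity(user)
    return {"status": 200, "session": sid,
            "forwarded": {"headers": headers, "path": request["path"]}}

def endpoint_handle(request):
    """Endpoint application: accept iv-user only with a valid proxy signature,
    so a request that bypassed the proxy cannot pick its own identity."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    user = headers.get("iv-user")
    sig = headers.get("x-junction-sig")
    if not user or not sig or not hmac.compare_digest(sig, sign_identity(user)):
        return {"status": 403, "body": "identity assertion did not come via proxy"}
    return {"status": 200, "body": f"hello {user}"}
```

Network-level controls (the endpoint listening only to the proxy, or mutual TLS on the junction) do the same job as the signature here; the point is that the endpoint must have some way to know the identity header was set by the proxy rather than by whoever sent the request.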

Example 2: TIM Password Synchronisation – Requirements
- Deliver same sign-on services for non-web applications
- Support for core system repositories: ACF2, RACF, TAM IDS and various Windows domain controllers (AD, 2000, NT)
- Reduce help desk workload by simplifying password management
- Reduce risk of exposure by strengthening and standardising password policies

Issues
- Impact of password policy change: bringing endpoint systems into line, and the client educational process
- Scalability of the domain account synchronisation solution: local agents or agent server
- Limitations of the RACF agent

Achievements
- Reduced password reset tasks for the help desk
- Stronger password policy for core systems
- Consolidation of three separate passwords into one: domain, intranet and mainframe
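Consolidating three passwords into one only works if the synchronised password is accepted by every endpoint, which is why bringing endpoint policies into line is listed as an issue. The following added example (not the project's or Tivoli's code) derives the strictest common policy from a set of endpoint constraints and pushes a change only when every endpoint would accept it, so a user is never left with different passwords on different systems. The endpoint limits are constructed for illustration and are not the real ACF2, RACF or Active Directory rules.

```python
"""Password-synchronisation policy check. Endpoint constraints below are
constructed assumptions, not the actual limits of any named product."""
import re
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Endpoint:
    name: str
    min_len: int
    max_len: int
    allowed: Optional[str] = None   # accepted characters; None = any printable
    classes: int = 1                # lower/upper/digit classes required

# Constructed endpoints: a mainframe-style target with a short maximum and a
# restricted character set, a domain and an intranet directory.
ENDPOINTS = [
    Endpoint("mainframe", 6, 8, allowed=string.ascii_letters + string.digits + "@#$", classes=2),
    Endpoint("ad-domain", 8, 127, classes=3),
    Endpoint("intranet-ldap", 8, 64, classes=2),
]

def effective_policy(endpoints: List[Endpoint]) -> Dict[str, int]:
    """Strictest common policy: longest minimum, shortest maximum, most classes.
    This is what the enterprise-wide standard must be for sync to succeed."""
    return {
        "min_len": max(e.min_len for e in endpoints),
        "max_len": min(e.max_len for e in endpoints),
        "classes": max(e.classes for e in endpoints),
    }

def violations(password: str, ep: Endpoint) -> List[str]:
    """Reasons a single endpoint would reject the password (empty = accepted)."""
    problems = []
    if len(password) < ep.min_len:
        problems.append("too short")
    if len(password) > ep.max_len:
        problems.append("too long")
    if ep.allowed and not re.fullmatch(f"[{re.escape(ep.allowed)}]+", password):
        problems.append("disallowed character")
    present = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    if present < ep.classes:
        problems.append(f"needs {ep.classes} character classes")
    return problems

def synchronise(password: str, endpoints: List[Endpoint]) -> Dict[str, object]:
    """Validate against every endpoint first; push to all or to none."""
    rejected = {e.name: v for e in endpoints if (v := violations(password, e))}
    if rejected:
        return {"pushed": [], "rejected": rejected}
    # In a real deployment this is where each agent would be driven.
    return {"pushed": [e.name for e in endpoints], "rejected": {}}
```

With these constructed limits the effective policy collapses to exactly eight characters with three classes; that is the kind of result that drives the "client educational process" mentioned on the slide, because the standard ends up tighter than any single endpoint's own rule.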

TIM Password Synchronisation and Provisioning Architecture (slide diagram; only the labels survive)
- ITIM agents: RACF agent (RACF), ACF2 agent (ACF2), NT agent (5 Windows NT SAM domains), W2003 agent (Windows 2003 AD), TAM agent (TAM Directory)
- User-facing flows: password change, set Q&A, TSC password reset, lost password
- Synchronisation flows: password sync, reverse password sync, IDI sync to the OID Directory and SAP Directory
- Provisioning driven by HR feeds

Next Steps
- Phase two of the TAM migration exercise: applications ported from Directory Smart
- SPNEGO: integrated sign-on for Active Directory clients
- Roll out the password synchronisation service to the organisation
- Roll out the account provisioning service to the organisation
- Rationalising disparate source HR feeds through IDI/TIM
- Association of existing ‘un-owned’ accounts to an enterprise identity: reduce the number of orphans
- Automated provisioning and termination cycle for basic access…..
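The HR-feed-driven provisioning achievement and the orphan-reduction and termination-cycle next steps are one reconciliation problem: compare the authoritative HR source with the accounts that exist on each endpoint. The following added example (not the project's or Tivoli's code) does that reconciliation over a constructed HR feed and account list: it links un-owned accounts to an identity where an email address matches, flags accounts that belong to nobody as orphans, lists terminated staff who still hold accounts, and lists active staff missing basic access. Field names, the CSV layout and the set of systems counted as basic access are assumptions.

```python
"""Reconcile an HR feed against endpoint accounts. Constructed example: the
feed, the accounts, the column names and BASIC_ACCESS are assumptions."""
import csv
import io
from typing import Dict, List, Optional, Tuple

# Constructed HR feed: status A = active, T = terminated.
HR_FEED = """employee_id,name,email,status
1001,Jane Doe,jane.doe@example.com,A
1002,Bob Smith,bob.smith@example.com,T
1003,Ann Lee,ann.lee@example.com,A
1004,Raj Patel,raj.patel@example.com,A
"""

# Constructed endpoint accounts: (system, account, owner employee_id, email).
# Owner None means the account carries no link to an enterprise identity.
ACCOUNTS: List[Tuple[str, str, Optional[str], Optional[str]]] = [
    ("AD", "jdoe", "1001", "jane.doe@example.com"),
    ("RACF", "BSMITH", "1002", None),
    ("AD", "alee", None, "ann.lee@example.com"),   # un-owned but linkable
    ("AD", "svc_backup", None, None),               # true orphan
]

# Systems every active employee is expected to have (basic access).
BASIC_ACCESS = {"AD"}

def parse_hr_feed(text: str) -> Dict[str, dict]:
    """employee_id -> row; the feed is the authoritative identity source."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(hr: Dict[str, dict], accounts) -> Dict[str, list]:
    by_email = {row["email"].lower(): eid for eid, row in hr.items()}
    link, orphans, terminate = [], [], []
    owned = {}   # employee_id -> set of systems with an account
    for system, account, owner, email in accounts:
        if owner is None and email and email.lower() in by_email:
            owner = by_email[email.lower()]          # associate to identity
            link.append((system, account, owner))
        if owner is None or owner not in hr:
            orphans.append((system, account))        # nobody in HR owns it
            continue
        owned.setdefault(owner, set()).add(system)
        if hr[owner]["status"] == "T":
            terminate.append((system, account))      # leaver still has access
    provision = [(system, eid) for eid, row in hr.items() if row["status"] == "A"
                 for system in sorted(BASIC_ACCESS - owned.get(eid, set()))]
    return {"link": link, "orphans": orphans,
            "terminate": terminate, "provision": provision}

def run() -> Dict[str, list]:
    return reconcile(parse_hr_feed(HR_FEED), ACCOUNTS)

if __name__ == "__main__":
    for action, items in run().items():
        print(action, items)
```

Running this on a schedule, with the four output lists turned into workflow tasks, is the automated provisioning and termination cycle the last bullet refers to; the orphan list is what remains after every account that can be tied to an identity has been linked.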