Enterprise IT Identity & Access Management

Introduction to IAM Buyer's Guide

Yale Li — Tue, 01 Apr 2008 14:00:00 GMT

“Our vision for security is to create a world where there is greater trust — where people and organizations can use a range of devices to be more reliably and securely connected to the information, services and people that matter most to them.” - Bill Gates, Chairman, Microsoft

“As a CIO, I strive to ensure productive, secure, cost effective solutions that help our users realize their potential. Identity and Access Management is the foundation for any solution that I provide to our users.” - Ron Markezich, VP, Microsoft

Thank you for visiting my weblog. Please scroll down because I'll keep the Introduction page at top.

Audiences: CIOs, CSOs, IT Directors/Managers, Enterprise/IT Architects, IT Pros, PMs, Consultants, IAM Product Vendors, Developers

Purpose: To share my personal view and experience on how Identity & Access Management (IAM, also referred as IdM or IdA) should be done in enterprise IT B2E (Business to Employees) environment (up to half million seats and one million nodes globally). Unlike most other IAM Internet sites, I do not sell products or services. I see IAM from a buyer's angle rather than from a seller's angle. My goal is to purely share information and benefit other enterprise IT divisions / departments to improve security, increase productivity, minimize cost, and satisfy regulatory compliance in long term. Hopefully, this will also set an IT requirements bar for IAM product vendors.

Yale Li, PMP, CISSP, ITIL, CCNA, MCSE+I, MCSD, MCDBA, MCNE, CLP, CWSE, CLSE, CNP, CCP, ASE

Disclaimer: All opinions posted here are those of the author and are in no way intended to represent the opinions of author's employer. This posting is provided "AS IS" with no warranties, and confers no rights. Use of included code samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Major IAM Vendors

Yale Li — Tue, 01 Apr 2008 14:00:00 GMT

Vendor selection is critical in IT business. I still remember an old story when I joint big blue family last Century: a wise advice was spread among IT decision makers globally: “You will never be fired if you buy from IBM”.

It had worked for a long while. Then, people got fired. Finally, you can not buy PCs from IBM because they are sold to Lenovo. Despite of the result, this phenomenon reflects an enterprise strategy: go with the industry and market leader.

In currently IAM industry and market, a question is “who is the leader?”. My answer is none because no single vendor can provide a complete end to end IAM solution. Near a hundred IAM vendors are fighting a war to become the leader. Mergers and acquisitions happen frequently.

Before you invest on IAM projects, you should be aware of major IAM product vendors. Just like buying a car, you will have more choices if you know all major auto makers. I have gathered most major IAM vendors in following list (in alphabetic order):

A10 Networks - http://www.a10networks.com

Abridean (bought by nCiper) - http://www.abridean.com
ActivIdentity (renamed from ActivCard) - http://www.actividentity.com
Alacris (bought by Microsoft) - http://www.microsoft.com/windowsserversystem/clm
Aladdin - http://www.aladdin.com
ASG - http://www.asg.com
Authentify - http://www.authentify.com
Avatier - http://www.avatier.com
Axalto (see Gemalto) - http://www.axalto.com
Bayshore - http://www.bayshore.com
BEA - http://www.bea.com
Beta Systems - http://www2.betasystems.com/en
BHOLD - http://www.bholdcompany.com
BindView (bought by Symantec) - http://www.bindview.com
BMC - http://www.bmc.com
BNX Systems - http://www.bnx.com
Bridgestream - http://www.bridgestream.com
CA - http://www.ca.com/

Centrify - http://www.centrify.com/

Citrix - http://www.citrix.com
Courion - http://www.courion.com
Credentica - http://www.credentica.com
Datapower (bought by IBM) - http://www.datapower.com
Digital Persona - http://www.digitalpersona.com
Enatel - http://www.enatel.com
Entegrity - http://www.entegrity.com
Entrust - http://www.entrust.com
Epok - http://www.epokinc.com
Eurekify - http://www.eurekify.com
Evidian - http://www.evidian.com

Fastpass - http://www.fastpasscorp.com

Fischer Int’l - http://www.fischerinternational.com
Gemplus (see Gemalto) - http://www.gemplus.com

Gemalto (merger of Gemplus and Axalto) - http://www.gemalto.com
GlobalSign - http://www.globalsign.com

HID - http://www.hidcorp.com

HP - http://www.hp.com

IBM - http://www.ibm.com

Identity Engines - http://www.idengines.com
Imanami - http://www.imanami.com
Imprivata - http://www.imprivata.com
Indala - http://www.indala.com
Jericho Sys Juniper - http://www.jerichosystems.com

LogicTrends - http://www.logictrends.com

Maxware - http://www.maxware.com
Microsoft - http://www.microsoft.com

Mirapoint - www.mirapoint.com

M-Tech - www.mtechit.com

nCipher - http://www.ncipher.com
NetIQ - http://www.netiq.com
NetPro - http://www.netpro.com
NeuStar - http://www.neustar.biz
Novell - http://www.novell.com
Oblix (bought by Oracle) - http://www.oracle.com/oblix
OctetString (bought by Oracle) - http://www.oracle.com/octetstring
Omnikey - http://www.omnikey.com
Oracle - http://www.oracle.com
OSM - http://www.cosuser.com
Paramount Defenses - http://www.paramountdefenses.com

Passlogix - http://www.passlogix.com
Persistent Sys. - http://www.Persistent.com
Philips - http://www.philips.com
Ping Identity - http://www.persistentsys.com
Proginet - http://www.proginet.com
Protocom (bought by ActivIdentity) - http://www.protocom.com
Quest - http://www.quest.com
Radiant Logic - http://www.radiantlogic.com
Red Hat - http://www.redhat.com
RSA Security (bought by EMC) - http://www.rsasecurity.com
SafeStone - http://www.safestone.com
Secured Services - http://www.secured-services.com
Securent - http://www.securent.net

SecurIT - http://www.securIT.biz
Sentillion - http://www.Sentillion.com
Siemens - http://www.siemens.com
Sun - http://www.sun.com
Sxip - http://www.sxip.com
Symantec - http://www.symantec.com
SymLabs - http://www.symlabs.com

Thor (bought by Oracle) - http://www.thortechnologies.com
Trustgenix (bought by HP) - http://www.trustgenix.com
Valicert - http://www.valicert.com

VASCO - http://www.vasco.com
Veridicom - http://www.veridicom.com
Voelcker - http://www.voelcker.com
ZeroKnowledge - http://www.zeroknowledge.com

I understand it is not practical to review every product of every vendor through an individual effort. In order to rate vendors fairly, I encourage you to join the community and post your comment if you have experience with any vendors and their products.

RSA 2007 Conference Take Aways

Yale Li — Sat, 10 Feb 2007 04:00:00 GMT

There was no much exciting news at RSA2007. I think I need to write a few things down here or otherwise I will no longer remember them:

- Information Centric Security: The information is the king. However, the king can not live in a castle all the time. You, as a security professional, should be a knight to protect the king no matter where the king goes. How: add security controls to data in addition to network (for example, use Rights Management Server to protect data in addition to IPSec).

- User Centric Identity: Identity and Access Management is all about enabling people to do business more efficiently and securely. It will be supported by solutions such as Strong Authentication, Identity Lifecycle Management, Federation Services etc. You will see that more and more dedicated security companies merged into bigger business companies as a trend.

Following is a link to photo taken for Bill Gates' last RSA conference keynote speech with his successor Craig Mundie. Identity is one of three major area in their security strategy (the content in this blog is a kind of input to that vision). The other two are Network and Protection.

http://blogs.technet.com/photos/yaleli/picture633509.aspx

Review - Microsoft CLM Certificate Lifecycle Manager Beta 2

Yale Li — Wed, 25 Oct 2006 13:00:00 GMT

I reviewed CLM Beta 1 half year ago and rated it low. Now, CLM Beta 2 is ready for prime time and I'm going to deploy it in production environment. I've seen a lot of improvements in Beta 2 so many cons in Beta 1 are removed. Base CSP Smart Card support is a huge for me. For smart card PIN distribution to users, CLM provide 3 - 4 ways:

- User Provided: The admin or user will provide the initial PIN at the time of enrollment

- Random: Nobody knows the initial PIN; Users will need to do self service PIN unblock to get the initial PIN.

- Server Distributed: CLM will print the initial PIN on a hard copy of user letter; This simulates bank ATM PIN distribution; A template is provided with many configurable variables for letter customization.

- Custom Distributed: This allows you to program custom API if above ways don't work for you.

Pros:

- Microsoft Base CSP Smart Card support

- Custome API to enhance CLM functionalities

- Format (Initialize) smart card

- HSM support for agent key protection

- SQL 2005 support

- Turn key system and no coding is required

- Can manage both smart cards (including USB tokens) and certificates

- Feature rich self service Web UI

- Built-in work flow engine to handle approval and notification

- Flexable policies

- Temp smart card

- Easy installation

Cons:

- In multiple forest environment, each forest needs its own CLM and SQL database.

- Granting permission is tedious work

- CLM Client and .NET Framework 2.0 are required on client PC for self service.

Overall Rating:

8 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

Review - ADFS v1 & Preview - ADFS v2

Yale Li — Wed, 25 Oct 2006 13:00:00 GMT

Active Directory Federation Service (ADFS) is a component of Active Directory released as part of Windows Server 2003 R2. ADFS v1 can be used in various B2B/B2E/B2C Web Single Sign On and Identity Federation scenarios.

Pros:

- Enable Federated SSO between organizations

- Enable Extranet SSO within the same corporate environment

- Support either password and client cert/smart card logon

- AD and ADAM intergration

- Easy installation (ADFS-A, ADFS-R, ADFS-Proxy, ADSF-Web Agent)

Cons:

- NT Token based and Claims based web app support only

- Requires Windows Server R2 and ADFS web agent installation on IIS web server

- Everyone with machine join rights can setup ADFS Account server and Resource server (corporate may lose controll without security policy)

- No CardSpace support

Overall Rating:

8 out of 10

(0-2: fail to work, 3-5: work in demo/test environment, 6-8: work in production environment, 9-10: excellent quality, great value, highly recommended)

ADFS v2, to be released in Longhorn Server timeframe, will add support for:

- Rich client web service apps

- Windows CardSpace

- Others (undecided yet, such as manageability, SAML 2.0 support, brokered authentication ...)

IAM in TwC

Yale Li — Sat, 10 Jun 2006 03:00:00 GMT

I attended 2006 Microsoft EE & TwC Forum recently and tried to find out if there is any relationship between IAM and TwC. It is interesting that TwC (Trustworthy Computing) has Identity and Access Control as a grand child.

At top level, TwC has four children, referred as 4 pillars:

1. Security

2. Privacy

3. Reliability

4. Business Practices

At next level, the Security pillar in TwC has three children, known as 3 elements:

1. Fundamentals

2. Threat and Vulnerability Mitigation

3. Identity and Access Control

Finally, IAC (Identity and Access Control) itself has 3 parts:

1. Trustworthy Identity: Strong Authentication and Credential Management (http://download.microsoft.com/download/9/e/2/9e206d8a-37a2-4c17-a6df-ef1e82ce37f4/TrustworthyID.doc)

2. Access Policy Management: Authorizing for Access (http://download.microsoft.com/download/e/e/4/ee4eb053-31bf-4180-96a5-91866e43ee6c/AccessPolicyMgt.doc)

3. Information Protection (http://download.microsoft.com/download/2/b/d/2bdcaef5-865f-46f0-a555-cb6ce5c6bd0e/information_protection.doc)

The forum content (such as Microsoft's 10 year authentication and authorization strategies) may be confidential and not available for public yet. But above docs should provide you enough readings about IAM in TwC.

IAM Strategy

Yale Li — Thu, 08 Jun 2006 10:00:00 GMT

IAM is a combination of processes, technologies, and policies enabled by software to manage digital identities in their lifecycle and specify how they are used to access resources. IAM is a superset of AAA (Authentication, Authorization, Auditing)*. Here are some general strategies for enterprise to consider:

Obtain executive sponsorship because IAM is an important part of information security
Understand your business and define processes first
Automate provisioning process
Offer self services to employees
Buy: Directory Servers, Meta Directories, Virtual directory servers, Administration products (directory and PKI management tools, and provisioning products)
Build: Access Layer, Workflow Processes
Architect: Integrates above compoments and processes together, takes forethought and skill (may not need all components at first)
Lay out requirements and business logics as much as possible before starting integration
Before signing a contract with any vendor, check out references and foster a good partner relationship

*Note: Gartner and Forrester have 4 A's with additional Administration. Auditing is also referred as Audit or Accounting or Accountability.

How to Reduce TCO of Identity & Access Management

Yale Li — Wed, 07 Jun 2006 10:00:00 GMT

Identity & Access Management is an expensive investment in IT. Here are some tips to reduce Total Cost of Ownership:

Follow the rule of economy of scale - If more people use the same solution, the unit cost of the solution will decrease. Therefore, you should always search and use the most popular out of shelf IAM solution in the market place first. Your own custom built solution should be the last resource only when no other commercial solutions are available or they can not meet your needs.
Automate repeating manual tasks - Labor time is always expensive than machine time. You should identify the repeating manual IAM tasks and automate them as much as possible. Most of those tasks can be done by scripting. Technet Script Center is a good resource for Microsoft solutions such as Active Directory: http://www.microsoft.com/technet/scriptcenter/default.mspx. I'll provide more IAM script in Sample Code category in the future.
Outsource your IAM operations - If your company's IT team is based in North America or Europe, you should definitely consider outsourcing IAM Tier 1 or Tier 2 support to offshore, such as India or China. The cost could be reduced to 1/8th for US companies. It will also help to outsource IAM Tier 3 and Architecture/Integration work to larger IT service companies such as Microsoft*, IBM and HP.

In TCO, hardware is the smallest portion, support is the largest portion, and software is in the middle. Currently, Microsoft MIIS is the lowest cost solution for identity lifecycle management service and Microsoft CA is the lowest cost solution for certificate service.

*Note: Microsoft has a new IT service offering called Microsoft Managed Solutions. This is different from Microsoft Consulting Service.

Authentication Strategy

Yale Li — Tue, 06 Jun 2006 10:00:00 GMT

Authentication is the procedure through which a user or a device or a service (or application) provides sufficient credentials to satisfy access requirements to another service, application, or system.

User Authentication Strategy:

· Prepare and plan for Strong User Authentication

· Educate line of business application owners to use standard OS and directory protocol authentication and avoid application custom authentication.

· Use PKI product for digital certificate service and RMS product for license servic

· Keep Password logon as temporary authentication method for problematic road warriors

· Use Kerberos V5 as authentication protocol

· Use Smartcard/PIN two factor authentication, and evaluate USB Tokens, Wireless Smart Card, Biometrics, TPM authentication

Application/Service Authentication Strategy:

· Use Managed Password (strong password and changed by application itself), Hash, or Software Token for system account

· Evaluate TPM as long term solution for application/service authentication

Device Authentication Strategy:

· Use EAP-TLS machine cert in conjunction with user smart card cert for wireless LAN access

· Use Windows Vista (with Network Access Protection feature at server side) for wireless Corpnet LAN connection

· Use Windows Mobile 2005 (with software cert authentication) for wireless phone device email synchronization

· Evaluate TPM as long term solution for device authentication

Authorization Strategy

Yale Li — Mon, 05 Jun 2006 10:00:00 GMT

Authorization (or establishment or entitlement) defines a user's (or process') rights and permissions to a resource. After a user (or process) is authenticated, authorization determines what that user can do to the resource.

Here are some authorization strategies to improve security:

By default, grant users no rights and permissions
Grant users least privileged rights and permissions on "need to know" basis
Push authorization processes from upper/applications layers to lower/OS layers as much as possible
Prepare or plan Role-Based authorization
Move from manual authorization management processes to automated authorization management processes with next generation IAM role/group management products

Please be aware of that Role-Base authorization will be a subset of Claim-Based authorization in long term.