Enterprise IT Identity & Access Management : 2. Strategy

IAM in TwC

Yale Li — Sat, 10 Jun 2006 03:00:00 GMT

I attended 2006 Microsoft EE & TwC Forum recently and tried to find out if there is any relationship between IAM and TwC. It is interesting that TwC (Trustworthy Computing) has Identity and Access Control as a grand child.

At top level, TwC has four children, referred as 4 pillars:

1. Security

2. Privacy

3. Reliability

4. Business Practices

At next level, the Security pillar in TwC has three children, known as 3 elements:

1. Fundamentals

2. Threat and Vulnerability Mitigation

3. Identity and Access Control

Finally, IAC (Identity and Access Control) itself has 3 parts:

1. Trustworthy Identity: Strong Authentication and Credential Management (http://download.microsoft.com/download/9/e/2/9e206d8a-37a2-4c17-a6df-ef1e82ce37f4/TrustworthyID.doc)

2. Access Policy Management: Authorizing for Access (http://download.microsoft.com/download/e/e/4/ee4eb053-31bf-4180-96a5-91866e43ee6c/AccessPolicyMgt.doc)

3. Information Protection (http://download.microsoft.com/download/2/b/d/2bdcaef5-865f-46f0-a555-cb6ce5c6bd0e/information_protection.doc)

The forum content (such as Microsoft's 10 year authentication and authorization strategies) may be confidential and not available for public yet. But above docs should provide you enough readings about IAM in TwC.

IAM Strategy

Yale Li — Thu, 08 Jun 2006 10:00:00 GMT

IAM is a combination of processes, technologies, and policies enabled by software to manage digital identities in their lifecycle and specify how they are used to access resources. IAM is a superset of AAA (Authentication, Authorization, Auditing)*. Here are some general strategies for enterprise to consider:

Obtain executive sponsorship because IAM is an important part of information security
Understand your business and define processes first
Automate provisioning process
Offer self services to employees
Buy: Directory Servers, Meta Directories, Virtual directory servers, Administration products (directory and PKI management tools, and provisioning products)
Build: Access Layer, Workflow Processes
Architect: Integrates above compoments and processes together, takes forethought and skill (may not need all components at first)
Lay out requirements and business logics as much as possible before starting integration
Before signing a contract with any vendor, check out references and foster a good partner relationship

*Note: Gartner and Forrester have 4 A's with additional Administration. Auditing is also referred as Audit or Accounting or Accountability.

Authentication Strategy

Yale Li — Tue, 06 Jun 2006 10:00:00 GMT

Authentication is the procedure through which a user or a device or a service (or application) provides sufficient credentials to satisfy access requirements to another service, application, or system.

User Authentication Strategy:

· Prepare and plan for Strong User Authentication

· Educate line of business application owners to use standard OS and directory protocol authentication and avoid application custom authentication.

· Use PKI product for digital certificate service and RMS product for license servic

· Keep Password logon as temporary authentication method for problematic road warriors

· Use Kerberos V5 as authentication protocol

· Use Smartcard/PIN two factor authentication, and evaluate USB Tokens, Wireless Smart Card, Biometrics, TPM authentication

Application/Service Authentication Strategy:

· Use Managed Password (strong password and changed by application itself), Hash, or Software Token for system account

· Evaluate TPM as long term solution for application/service authentication

Device Authentication Strategy:

· Use EAP-TLS machine cert in conjunction with user smart card cert for wireless LAN access

· Use Windows Vista (with Network Access Protection feature at server side) for wireless Corpnet LAN connection

· Use Windows Mobile 2005 (with software cert authentication) for wireless phone device email synchronization

· Evaluate TPM as long term solution for device authentication

Authorization Strategy

Yale Li — Mon, 05 Jun 2006 10:00:00 GMT

Authorization (or establishment or entitlement) defines a user's (or process') rights and permissions to a resource. After a user (or process) is authenticated, authorization determines what that user can do to the resource.

Here are some authorization strategies to improve security:

By default, grant users no rights and permissions
Grant users least privileged rights and permissions on "need to know" basis
Push authorization processes from upper/applications layers to lower/OS layers as much as possible
Prepare or plan Role-Based authorization
Move from manual authorization management processes to automated authorization management processes with next generation IAM role/group management products

Please be aware of that Role-Base authorization will be a subset of Claim-Based authorization in long term.

Auditing Strategy

Yale Li — Sun, 04 Jun 2006 10:00:00 GMT

Auditing (also referred as Audit or Accounting or Accountability) ensures that the activities associated with user access are logged for monitoring, regulatory and investigative purposes.

Auditing Strategies for IAM to be compliance:

Identify regulations you company must be compliance: such as SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), Basel II.
Assess current compliance baseline and perform gap analysis
Implement IAM controls and compare with industry standards and best practices, such as ISO 17799
Measure, test, remediate, and demonstrate your IAM controls
Ensure IAM audit logs are secure and scalable
Get IAM reporting tools that meet auditor's needs

Usually, enterprise IT should have a dedicated governance/audit team (or professionals) to provide compliance guidelines. If not, you should consult with external audit professional service.

Systems Management Stategy

Yale Li — Fri, 17 Mar 2006 15:00:00 GMT

Digital identities includes not only people but also devices, such as machine account and machine certificate, and applications (or software services). Therefore, there is a small overlapped area between systems management and IAM. Although systems management is another big area in IT, you should have a good understanding of systems management in order to figure out where the common area should be organized into.

Major Systems Management Goals:

- Asset and Inventory Management

- Configuration Management

- Remote Control

- Health Monitoring

- Software Provision and Distribution

- Software License Metering

Software Provision and Distribution is most like the area which an IAM system can also take care by using AD GPO or provisioning tool. The strategy is to treat systems management as an exteranl dependancy, just like how HR system is treated as an external dependancy.