Вы находитесь на странице: 1из 33

Information Security or Identity and Access Management

Tom Barton, University of Chicago Christopher Misra, University of Massachusetts

April 2013

Session Abstract
Information security shares a complex and interrelated space with identity and access management. IAM forms the basis for many of the other security controls we deploy; however, often there are gaps in understanding or even adversarial relationships between the responsible parties. This session will discuss and explore approaches to solving this problem.

April 2013

Security Professionals

Introduction
Our discipline has slowly matured from chasing bots to implementing controls as part of a program
ISO 27002, NIST 800-53, etc

Identity and Access Management has matured on a parallel path from password changes to complex business systems
Shibboleth, Grouper

The intersection of these spaces does not always harmonize (yet)


April 2013 Security Professionals 3

Common Goals
Security services traditionally focus on preventing badness
protective, defensive and reactive tools and techniques.

Middleware provide infrastructure services that enhance security


identification, authentication, and authorization.

A comprehensive security architecture is necessary to align these services to meet an organization's security needs. We are trying to solve many of the same problems

April 2013

Security Professionals

Current Threat Environment


We have not solved all (or even most) of our information security problems
And we should all remain gainfully employed for a long time doing so.

However, the environment continues to change.


Everyone wants their own application, local or hosted Those who operate these applications frequently do not have a strong security background Assignment of privilege is decentralized and often poorly managed Audit of privilege is limited except in the highest visibility applications
April 2013 Security Professionals 5

IAM as an Information Security Control


Who provisions access to your critical applications?
By hand? How secure are those provisioning applications? Can you locate and parse the logs and audit trails?

Applications and authentication services generate a lot of logs


Can you find these logs? Can you correlate across these disparate applications and authentication logs? Can you further correlate these applications against network-centric data sources?
April 2013 Security Professionals 6

Data Release and Cloud-based Applications


Has your campus defined data owners for sensitive data elements or workflows?
Who can approve the release of student data to a cloud based service?

Is there a catalog defining the System of Record for these data? Does Information Security have any engagement and/or approval authority in the process?

April 2013

Security Professionals

Opinion time
Security and Middleware staff need to be engaged with IAM design and implementations
Working with them now may both prevent bad things and even facilitate good things We are probably trying to solve some of the same problems IAM is just another control

Educating our community about the drivers is in our collective interest


Preventing data leakage from poorly managed applications and authorizations

April 2013

Security Professionals

Case Study: University of Massachusetts


Organizational Structure

Operational Practices
Where we are effective Challenges

April 2013

Security Professionals

UMass: IAM and Organization Structures


Information Security reports directly to my Associate CIO role
Security program rollout, Incident response, Forensics, Firewalls, etc.

Identity Management is spread across two groups; Enterprise Services (ES) and Administrative Computing (ACSO)
ES also reports to me, but in a different role.

ACSO is responsible for our PeopleSoft instance which holds all person and account SoR data ES is responsible for Kerberos, LDAP, RADIUS, Shibboleth deployment and operations
April 2013 Security Professionals 10

UMass: Operational Practices


Our accounts and groups provisioning data are written in PeopleTools and stored in Peoplesoft (oracle DB) Provisioning occurs via a RESTful transport from a DB view (along with triggers) Provisioning code is PERL based and interacts with applications and services using Service Handlers Service Handlers manage passwords, LDAP objects, account provisioning and deprovisioning
Often run by the service owners directly

April 2013

Security Professionals

11

UMass: Service Provisioning


Reconcile LDAP-enabled Services System of Record SAM authnz LDAP View(s) Provisioning Provision (LDAP)

Provision (LDAP) Authn/z (LDAP)


1:1

LDAP SQL Krb

kadmin
Fixed vocabulary overwrite (from SoR) Batch-processed (T)

Kerberos

State

State vocabulary Transaction-oriented (<<t)

Action

Service-specific provision/rectify Service-defined time interval (t_s)

Service

Proposed Service Provisioning Summer 2006 Version 1.0 Office of Information Technolgies Classification: Restricted 21 April 2006

April 2013

Security Professionals

12

UMass: Authentication as an Audit artifact


Using this data-driven provisioning approach permits audit artifact creation through log
All provisioning actions have a system of record

All LDAP and RADIUS logs are directed to our SIEM (Qradar) Shibboleth logs (extensively), but parsing those logs is not for the faint of heart

April 2013

Security Professionals

13

UMass: Approaches to bridge the gap


Given the distributed nature of my organization, I use the following approach to ensure alignment between InfoSec and IAM
Authentication and authorization system architecture changes require Information Security approval Data release for cloud-services requires data owner and Information Security approval Information Technology procurement requires information security approval

The compliance responsibility fall to InfoSec, the operations fall to Enterprise Services
I am concerned as to how long this approach will scale.
April 2013 Security Professionals 14

UMass: Challenges
Web application authentication log analysis is exceptionally challenging (still)
The more complex and multi-tiered the application, the longer it takes. We still need my ES staff to explain how it all works Load balancers make the problem worse Gain some redundancy, lose some fidelity

The compliance burden on InfoSec has grown exponentially in the last 2 years.
Aside from the issues here, PCI-DSS, ITAR/EAR, TCP approvals, IRB reviews, etc.

April 2013

Security Professionals

15

Topics requiring more discussion


Federations need to be understood in the context of operational security needs
How aware are security staff of current federation activities on your campus? See recent eduRoam discussions

IAM is yet another technology in our security toolkits


Integrating business processes with security requirements Authentication and authorization are a necessary, but insufficient, condition for secure applications

April 2013

Security Professionals

16

Topics requiring more discussion


Audit and log correlation will allow us to maintain situational awareness
In our increasingly complex environments Additional abstraction layers is rendering many traditional detective techniques less effective Orchestrating logs across systems provides visibility that many of us dont currently have

Privilege management
Assignment of authorizations places more of our data at risk of disclosure A next step in incident handling

April 2013

Security Professionals

17

Case Study: University of Chicago


Organizational strategy IAM picture An access management service is a Good Thing! Why you need Identity Assurance

Me
Senior Director & CISO reporting to CIO Internet2 middleware leadership Grouper InCommon Federation Technical Advisory Committee Identity Assurance Framework

April 2013

Security Professionals

18

Sr Dir Architecture, Integration & Security CISO


IdM & Integration
Identifiers & Integration

IT Security & Compliance


Incident Response & Outreach

Architecture

Technical Architecture

Domain Architects

Authentication & Access Management

Validation Services

Enterprise Information Architecture Bursar & Financial Services Systems & Network Engineering

Data Stewardship Council

Online Directory

eCommerce Technical Support Firewalls & Network Access Control Library, Campus & Student Life Security Professionals

De/ Provisioning

ID Cards & OneCard Platform April 2013

19

Security strategies need all three pieces


Data Usage Request process
Architecture flywheels Data Stewardship Council (DSC) IAM Business Analyst supports process IT Security kicked it off with DSC data classification

Network access
Role-based: IT Security using IAM services

Identity Assurance
InCommon Silver: IAM + IT Security MFA: IAM + IT Security

Technical Architecture
Participation by Domain Leads in all areas Run by Architecture Almost all reviews have IT Security & IAM aspects
April 2013 Security Professionals 20

IAM highlights
Real-time integration with Medical Center IAM
Unified authentication across all services

Delegation
Credentials (accounts, ID Cards) Groups for access management

De/Provisioning
Campus, cloud

Accounts are (almost) never deactivated


Weve sufficiently mitigated the risk with access management instead

April 2013

Security Professionals

21

Employees BSD Divisions Schools Departments Affiliates End users Grouper UI CNet UI idm WS CAT-HR, TAG, CCI UIs

UCMC HR

UCMC IdM

LMS iExpense

UCHAD ProdShop

BSDAD

idxlt WS

Identity SoR
CNetID, ChicagoID UChicago Card MCDB Grouper

uuidm WS UC LDAP OneCard Platform

adlocal

ad.u.e

UCAD forest Apps RADIUS Apps shibboleth Carding, Door access feeds

Apps

Grouper WS

UC Payroll

Gargoyle

Griffin

Lab School

FAS

Library

information flow authentication trust


April 2013 Security Professionals

IdM Funtional Architecture v6 June 2012


22

Why have an access management strategy?


Lower cost and time to deliver a new service Simplify and make consistent by using the same group or role in many places
Physics 101 Course Group

Email Group Wiki Access Lab Reservations

23

April 2013

Security Professionals

Additional benefits of access management


Empower the right people to manage access. Take central IT out of the loop. See who can access what, with a report rather than a fire drill

24

April 2013

Security Professionals

Access management stages: authorization > authentication


1. Start out using a single user attribute, affiliation, in LDAP or Active Directory. This lets services implement simple access policies.
Affiliation
student faculty staff guest
25

Service

Staff portal

April 2013

Security Professionals

Access management stages: authorization > authentication


2. Enrich & centralize access management with groups determined from systems of record Courses, financial accounts, departments Define service-specific access policies in the centralized access management system
Math Faculty Group can access Math Faculty Resources

26

April 2013

Security Professionals

Access management stages: authorization > authentication 3. Get central IT out of the loop
Distributed management Exceptions Departmental applications
Math Faculty Group Math Support Group

+
27

can access

Math Faculty Resources

April 2013

Security Professionals

Access management stages: authorization > authentication


4. Increase integration of access management
Direct integration with applications using web services SOAP/REST/ESB Roles & privileges to support applications more deeply
For Math Department, while John works there
HR Admin Role

28

April 2013

Security Professionals

UChicago VPN simple delegation example


eligible
vpn:authorized Core Business Systems

staff student postdoc IRB

IdM system

denied
closure locked

IRB Office

IT Security Team

Different groups, different authorities VPN only uses vpn:authorized


29

April 2012

Are your credentials good enough to protect access to sensitive data?


What standard do you use to know? NIST Levels of Assurance 1 4 InCommon Bronze and Silver Specifications written for US Higher Eds Approved by US government for access to federal agency services Approved by International Grid Trust Federation for access to national & international HPC
30

Getting Past Passwords


Passwords are bad and will get worse. We know!

Strategy and choices 1. Use stronger credentials where you can 2. Improve passwords until you no longer need them
Bronze satisfactory password management Silver good password management or stronger creds
31

InCommon Silver at UChicago


Audit of IAM processes & systems underway

Users opt-in
Picture ID at ID Card Office Annual password reset Password at least 12 characters (passphrases coming) Register cell phone or external email Password lockout applies

PIs, unit heads may ask their users to opt-in

32

Questions?

April 2013

Security Professionals

33