
Information Security or Identity and Access Management

Tom Barton, University of Chicago
Christopher Misra, University of Massachusetts

April 2013

Session Abstract
Information security shares a complex and interrelated space with identity and access management. IAM forms the basis for many of the other security controls we deploy; however, often there are gaps in understanding or even adversarial relationships between the responsible parties. This session will discuss and explore approaches to solving this problem.


Security Professionals

Our discipline has slowly matured from chasing bots to implementing controls as part of a program
ISO 27002, NIST 800-53, etc.

Identity and Access Management has matured on a parallel path from password changes to complex business systems
Shibboleth, Grouper

The intersection of these spaces does not always harmonize (yet)


Common Goals
Security services traditionally focus on preventing badness
protective, defensive and reactive tools and techniques.

Middleware provides infrastructure services that enhance security:

identification, authentication, and authorization.

A comprehensive security architecture is necessary to align these services to meet an organization's security needs.
We are trying to solve many of the same problems.


Current Threat Environment

We have not solved all (or even most) of our information security problems
And we should all remain gainfully employed for a long time doing so.

However, the environment continues to change.

Everyone wants their own application, local or hosted
Those who operate these applications frequently do not have a strong security background
Assignment of privilege is decentralized and often poorly managed
Audit of privilege is limited except in the highest visibility applications

IAM as an Information Security Control

Who provisions access to your critical applications?
By hand? How secure are those provisioning applications?
Can you locate and parse the logs and audit trails?

Applications and authentication services generate a lot of logs

Can you find these logs?
Can you correlate across these disparate applications and authentication logs?
Can you further correlate these applications against network-centric data sources?

Data Release and Cloud-based Applications

Has your campus defined data owners for sensitive data elements or workflows?
Who can approve the release of student data to a cloud based service?

Is there a catalog defining the System of Record for these data?
Does Information Security have any engagement and/or approval authority in the process?


Opinion time
Security and Middleware staff need to be engaged with IAM design and implementations
Working with them now may both prevent bad things and even facilitate good things
We are probably trying to solve some of the same problems
IAM is just another control

Educating our community about the drivers is in our collective interest

Preventing data leakage from poorly managed applications and authorizations


Case Study: University of Massachusetts

Organizational Structure

Operational Practices
Where we are effective
Challenges


UMass: IAM and Organization Structures

Information Security reports directly to my Associate CIO role
Security program rollout, Incident response, Forensics, Firewalls, etc.

Identity Management is spread across two groups; Enterprise Services (ES) and Administrative Computing (ACSO)
ES also reports to me, but in a different role.

ACSO is responsible for our PeopleSoft instance which holds all person and account SoR data
ES is responsible for Kerberos, LDAP, RADIUS, Shibboleth deployment and operations

UMass: Operational Practices

Our accounts and groups provisioning data are written in PeopleTools and stored in PeopleSoft (Oracle DB)
Provisioning occurs via a RESTful transport from a DB view (along with triggers)
Provisioning code is Perl based and interacts with applications and services using Service Handlers
Service Handlers manage passwords, LDAP objects, account provisioning and deprovisioning
Often run by the service owners directly



UMass: Service Provisioning

[Diagram: UMass service provisioning. Labels on the slide: System of Record, LDAP View(s), Provisioning, Provision (LDAP), Authn/z (LDAP), LDAP-enabled Services, Reconcile, SAM authnz. Three provisioning modes are labelled:
Fixed vocabulary overwrite (from SoR), batch-processed (T)
State vocabulary, transaction-oriented (<<t)
Service-specific provision/rectify, service-defined time interval (t_s)
Source shown on the slide: Proposed Service Provisioning, Summer 2006, Version 1.0, Office of Information Technologies, Classification: Restricted, 21 April 2006]



UMass: Authentication as an Audit artifact

Using this data-driven provisioning approach permits audit artifact creation through logging
All provisioning actions have a system of record

All LDAP and RADIUS logs are directed to our SIEM (QRadar)
Shibboleth logs (extensively), but parsing those logs is not for the faint of heart
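The provisioning diagram above and the two points on this slide describe one control: a service's account state is reconciled against a system-of-record view, SoR-owned attributes are overwritten, and every provisioning action is recorded so it can be traced back to its SoR. The following is an added example of that reconcile step in Python; it is not UMass's Perl provisioning code. The SoR view rows, the service's current entries, and the attribute names (SOR_ATTRS standing in for the "fixed vocabulary") are constructed for the demonstration.

```python
"""Reconcile an LDAP-enabled service against a system-of-record (SoR) view.

Added example, not UMass's Perl provisioning code. The SoR view rows, the
service's current entries and the attribute names are constructed; SOR_ATTRS
plays the role of the fixed vocabulary the SoR overwrites, and every action is
returned as an audit record so each change traces back to its system of record.
"""

# Constructed rows, as a DB view over the SoR might expose them.
SOR_VIEW = [
    {"uid": "jdoe",   "affiliation": "staff",   "dept": "ES",   "status": "active"},
    {"uid": "asmith", "affiliation": "student", "dept": "MATH", "status": "active"},
    {"uid": "rlee",   "affiliation": "staff",   "dept": "IS",   "status": "inactive"},
]

# Constructed current state of one LDAP-enabled service. "ghost" has no SoR
# record at all (an orphan account) and jdoe's dept is stale.
SERVICE_STATE = {
    "jdoe":  {"affiliation": "staff", "dept": "ACSO", "mailQuota": "5G"},
    "rlee":  {"affiliation": "staff", "dept": "IS",   "mailQuota": "5G"},
    "ghost": {"affiliation": "staff", "dept": "X",    "mailQuota": "5G"},
}

# Attributes owned by the SoR: always overwritten, never edited locally.
# Anything else (mailQuota here) is service-local state and is left alone.
SOR_ATTRS = ("affiliation", "dept")


def reconcile(sor_rows, service_state):
    """Return (new_state, audit_actions) for one service.

    Only active SoR rows are desired; entries with no active SoR row are
    deprovisioned, which also catches orphan accounts the SoR never knew.
    The input state is copied, not mutated.
    """
    desired = {r["uid"]: r for r in sor_rows if r["status"] == "active"}
    new_state = {uid: dict(attrs) for uid, attrs in service_state.items()}
    actions = []

    for uid, row in desired.items():
        if uid not in new_state:
            new_state[uid] = {a: row[a] for a in SOR_ATTRS}
            actions.append({"action": "provision", "uid": uid, "source": "SoR"})
            continue
        for attr in SOR_ATTRS:
            old = new_state[uid].get(attr)
            if old != row[attr]:
                new_state[uid][attr] = row[attr]
                actions.append({"action": "overwrite", "uid": uid, "attr": attr,
                                "old": old, "new": row[attr], "source": "SoR"})

    for uid in list(new_state):
        if uid not in desired:
            del new_state[uid]
            actions.append({"action": "deprovision", "uid": uid, "source": "SoR"})

    return new_state, actions


if __name__ == "__main__":
    state, audit = reconcile(SOR_VIEW, SERVICE_STATE)
    for rec in audit:
        print(rec)
    print(state)
```

On the constructed data the run yields four audit records: jdoe's dept is overwritten from the SoR, asmith is provisioned, rlee is deprovisioned because the SoR marks the record inactive, and the orphan "ghost" entry is deprovisioned because no SoR row exists for it; jdoe's service-local mailQuota survives untouched.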



UMass: Approaches to bridge the gap

Given the distributed nature of my organization, I use the following approach to ensure alignment between InfoSec and IAM
Authentication and authorization system architecture changes require Information Security approval
Data release for cloud services requires data owner and Information Security approval
Information Technology procurement requires Information Security approval

The compliance responsibility falls to InfoSec; the operations fall to Enterprise Services.
I am concerned as to how long this approach will scale.

UMass: Challenges
Web application authentication log analysis is exceptionally challenging (still)
The more complex and multi-tiered the application, the longer it takes
We still need my ES staff to explain how it all works
Load balancers make the problem worse
Gain some redundancy, lose some fidelity

The compliance burden on InfoSec has grown exponentially in the last 2 years.
Aside from the issues here, PCI-DSS, ITAR/EAR, TCP approvals, IRB reviews, etc.



Topics requiring more discussion

Federations need to be understood in the context of operational security needs
How aware are security staff of current federation activities on your campus?
See recent eduroam discussions

IAM is yet another technology in our security toolkits

Integrating business processes with security requirements
Authentication and authorization are a necessary, but insufficient, condition for secure applications



Topics requiring more discussion

Audit and log correlation will allow us to maintain situational awareness
In our increasingly complex environments
Additional abstraction layers are rendering many traditional detective techniques less effective
Orchestrating logs across systems provides visibility that many of us don't currently have
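The questions on the "IAM as an Information Security Control" slide (can you find the logs, correlate application logs with authentication logs, and correlate those against network-centric sources) and the point above about orchestrating logs across systems come down to one correlation step. Here is an added example of that step in Python; it is not the UMass SIEM configuration. The three log excerpts are constructed in one illustrative "timestamp source key=value ..." format; real Shibboleth, LDAP, RADIUS and application logs each need their own parser, but once records are normalised the correlation by user and time window is the same.

```python
"""Correlate application access events against authentication and network
events, keyed by user and time window.

Added example, not the UMass SIEM configuration. All log lines below are
constructed in one illustrative format; real Shibboleth, LDAP, RADIUS and
application logs each need their own parser, but the correlation is the same
once records are normalised into dicts.
"""
from datetime import datetime, timedelta

# Constructed authentication events (what the IdP, LDAP and RADIUS would log).
AUTH_LOG = """\
2013-04-15T09:00:01 shibboleth user=jdoe result=success ip=10.1.2.3
2013-04-15T09:00:05 radius user=jdoe result=success ip=10.1.2.3
2013-04-15T09:02:10 ldap user=asmith result=failure ip=10.1.9.9
"""

# Constructed application events from a hypothetical HR portal.
APP_LOG = """\
2013-04-15T09:00:30 hrportal user=jdoe action=view_record id=4711 ip=10.1.2.3
2013-04-15T09:03:00 hrportal user=asmith action=view_record id=4712 ip=10.1.9.9
2013-04-15T11:00:00 hrportal user=jdoe action=export id=4711 ip=192.0.2.50
"""

# Constructed network-centric events (VPN session starts).
NET_LOG = """\
2013-04-15T08:55:00 vpn user=jdoe event=session_start ip=10.1.2.3
"""


def parse(text):
    """Normalise 'timestamp source k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "source": source}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def vpn_ips(net_events):
    """Map user -> set of IPs seen starting a VPN session."""
    seen = {}
    for e in net_events:
        if e["source"] == "vpn" and e.get("event") == "session_start":
            seen.setdefault(e["user"], set()).add(e["ip"])
    return seen


def correlate(app_events, auth_events, net_events, window=timedelta(minutes=60)):
    """Return findings: app events with no successful authentication by the
    same user within the window, or whose source IP differs from the
    authenticating IP. Each finding notes whether VPN data knows the IP."""
    successes = [a for a in auth_events if a.get("result") == "success"]
    on_vpn = vpn_ips(net_events)
    findings = []
    for app in app_events:
        prior = [a for a in successes
                 if a["user"] == app["user"]
                 and timedelta(0) <= app["ts"] - a["ts"] <= window]
        net = ("ip seen in VPN data" if app["ip"] in on_vpn.get(app["user"], set())
               else "ip not seen in VPN data")
        if not prior:
            findings.append((app["user"], app["ts"],
                             "no successful authentication within window; " + net))
            continue
        latest = max(prior, key=lambda a: a["ts"])
        if latest.get("ip") != app.get("ip"):
            findings.append((app["user"], app["ts"],
                             "source IP differs from authenticating IP; " + net))
    return findings


def run():
    """Correlate the constructed excerpts; returns the list of findings."""
    return correlate(parse(APP_LOG), parse(AUTH_LOG), parse(NET_LOG))


if __name__ == "__main__":
    for user, ts, why in run():
        print(f"{ts.isoformat()} {user}: {why}")
```

On the constructed data, jdoe's 09:00:30 access is backed by a Shibboleth success from the same IP a few seconds earlier and produces nothing; asmith's access follows only a failed LDAP bind, and jdoe's 11:00 export from an address never seen in the VPN data has no authentication within the hour. Both are the kind of record an analyst wants the SIEM to surface rather than reconstruct by hand.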

Privilege management
Assignment of authorizations places more of our data at risk of disclosure
A next step in incident handling



Case Study: University of Chicago

Organizational strategy
IAM picture
An access management service is a Good Thing!
Why you need Identity Assurance

Senior Director & CISO reporting to CIO
Internet2 middleware leadership
Grouper
InCommon Federation Technical Advisory Committee
Identity Assurance Framework



[Organization chart, UChicago, as laid out on the slide: Sr Dir Architecture, Integration & Security / CISO. Columns: IdM & Integration (Identifiers & Integration; Authentication & Access Management; Online Directory; De/Provisioning; ID Cards & OneCard Platform); IT Security & Compliance (Incident Response & Outreach; Validation Services; eCommerce Technical Support; Firewalls & Network Access Control); Technical Architecture (Domain Architects: Enterprise Information Architecture; Bursar & Financial Services; Systems & Network Engineering; Library, Campus & Student Life); Data Stewardship Council.]


Security strategies need all three pieces

Data Usage Request process
Architecture flywheels
Data Stewardship Council (DSC)
IAM Business Analyst supports process
IT Security kicked it off with DSC data classification

Network access
Role-based: IT Security using IAM services

Identity Assurance
InCommon Silver: IAM + IT Security
MFA: IAM + IT Security

Technical Architecture
Participation by Domain Leads in all areas
Run by Architecture
Almost all reviews have IT Security & IAM aspects

IAM highlights
Real-time integration with Medical Center IAM
Unified authentication across all services

Credentials (accounts, ID Cards)
Groups for access management

Campus, cloud

Accounts are (almost) never deactivated

We've sufficiently mitigated the risk with access management instead



[Diagram: IdM Functional Architecture v6, June 2012. Labels on the slide, grouped loosely: populations (Employees, BSD, Divisions, Schools, Departments, Affiliates, End users); user interfaces (Grouper UI, CNet UI, idm WS, CAT-HR, TAG, CCI UIs); Identity SoR (CNetID, ChicagoID, UChicago Card, MCDB, Grouper); services (uuidm WS, idxlt WS, Grouper WS, UC LDAP, OneCard Platform, UCAD forest, RADIUS, shibboleth); consuming applications and feeds (LMS, iExpense, UCHAD, ProdShop, Apps, Carding, Door access feeds, UC Payroll, Lab School). Legend: information flow, authentication, trust.]


Why have an access management strategy?

Lower cost and time to deliver a new service
Simplify and make consistent by using the same group or role in many places
[Diagram: one Physics 101 Course Group reused for the Email Group, Wiki Access and Lab Reservations]



Additional benefits of access management

Empower the right people to manage access.
Take central IT out of the loop.
See who can access what, with a report rather than a fire drill.



Access management stages: authorization > authentication

1. Start out using a single user attribute, affiliation, in LDAP or Active Directory. This lets services implement simple access policies.
[Diagram: affiliation values student, faculty, staff, guest; example service: Staff portal]


Access management stages: authorization > authentication

2. Enrich & centralize access management with groups determined from systems of record
Courses, financial accounts, departments
Define service-specific access policies in the centralized access management system
[Diagram: Math Faculty Group can access Math Faculty Resources]



Access management stages: authorization > authentication

3. Get central IT out of the loop
Distributed management
Exceptions
Departmental applications
[Diagram: Math Faculty Group and Math Support Group can access Math Faculty Resources]


Access management stages: authorization > authentication

4. Increase integration of access management
Direct integration with applications using web services (SOAP/REST/ESB)
Roles & privileges to support applications more deeply
[Diagram: HR Admin Role for the Math Department, held while John works there]



UChicago VPN simple delegation example

[Diagram: the vpn:authorized group (closure locked) in the IdM system; member groups staff, student and postdoc from Core Business Systems, and IRB from the IRB Office; the IT Security Team is shown alongside.]

Different groups, different authorities
VPN only uses vpn:authorized
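The four access management stages and the VPN example above describe one model: reference groups fed from systems of record, groups delegated to other authorities, composite service groups that a service checks exclusively, and reports that answer "who can access what". The block below is an added Python example of that model; it is not Grouper or UChicago's IdM code. Group names follow the slides; the users, the manager identities (sor-feed, irb-office, it-security) and the SoR feeds are constructed. It also shows the point from the IAM highlights slide that accounts need not be deactivated when access is managed through group membership: dropping jdoe from the SoR feed for staff removes VPN access without touching the account.

```python
"""Group-based access management with delegated authority.

Added example; not Grouper or UChicago's IdM code. Reference groups (staff,
student, postdoc) are overwritten from the system of record, the irb group
is managed by the IRB Office, and the composite vpn:authorized group is owned
by IT Security and is the only group the VPN checks. Users and manager
identities are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    managers: set                                   # who may edit direct members
    members: set = field(default_factory=set)       # direct members
    includes: list = field(default_factory=list)    # groups whose members also count


class AccessManager:
    def __init__(self):
        self.groups = {}

    def define(self, name, managers, includes=()):
        self.groups[name] = Group(name, set(managers), includes=list(includes))

    def load_from_sor(self, name, members):
        """SoR feed: fixed vocabulary, direct membership is overwritten."""
        self.groups[name].members = set(members)

    def _check(self, actor, name):
        if actor not in self.groups[name].managers:
            raise PermissionError(f"{actor} may not manage {name}")

    def add_member(self, actor, name, user):
        """Delegated change: only a manager of the group may add to it."""
        self._check(actor, name)
        self.groups[name].members.add(user)

    def remove_member(self, actor, name, user):
        self._check(actor, name)
        self.groups[name].members.discard(user)

    def effective_members(self, name, _seen=None):
        """Direct members plus members of included groups (recursive, cycle-safe)."""
        if _seen is None:
            _seen = set()
        if name in _seen:
            return set()
        _seen.add(name)
        g = self.groups[name]
        result = set(g.members)
        for inc in g.includes:
            result |= self.effective_members(inc, _seen)
        return result

    def is_member(self, name, user):
        return user in self.effective_members(name)

    def access_report(self, user):
        """'Who can access what' as a report rather than a fire drill."""
        return {n for n in self.groups if self.is_member(n, user)}


def build():
    """Constructed setup mirroring the slide's group names."""
    am = AccessManager()
    for ref in ("staff", "student", "postdoc"):
        am.define(ref, managers={"sor-feed"})
    am.define("irb", managers={"irb-office"})
    am.define("vpn:authorized", managers={"it-security"},
              includes=["staff", "student", "postdoc", "irb"])
    am.load_from_sor("staff", ["jdoe", "asmith"])
    am.load_from_sor("student", ["bwong"])
    am.load_from_sor("postdoc", [])
    return am


def vpn_allows(am, user):
    """The VPN consults exactly one group and nothing else."""
    return am.is_member("vpn:authorized", user)


if __name__ == "__main__":
    am = build()
    am.add_member("irb-office", "irb", "extern1")   # IRB Office adds a researcher
    print(sorted(am.effective_members("vpn:authorized")))
    am.load_from_sor("staff", ["asmith"])            # SoR feed: jdoe leaves staff
    print(vpn_allows(am, "jdoe"), am.access_report("asmith"))
```

The IRB Office can grant VPN access to its researcher only by managing the irb group it owns; an attempt by the same office to edit vpn:authorized directly is refused, which is what "different groups, different authorities" means in practice.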



Are your credentials good enough to protect access to sensitive data?

What standard do you use to know?
NIST Levels of Assurance 1-4
InCommon Bronze and Silver
Specifications written for US Higher Eds
Approved by US government for access to federal agency services
Approved by International Grid Trust Federation for access to national & international HPC

Getting Past Passwords

Passwords are bad and will get worse. We know!

Strategy and choices
1. Use stronger credentials where you can
2. Improve passwords until you no longer need them
Bronze: satisfactory password management
Silver: good password management or stronger creds

InCommon Silver at UChicago

Audit of IAM processes & systems underway

Users opt-in
Picture ID at ID Card Office
Annual password reset
Password at least 12 characters (passphrases coming)
Register cell phone or external email
Password lockout applies

PIs, unit heads may ask their users to opt-in


