Seminar: Identity federation, from theoretical concepts to case studies of concrete implementations. Nagib Aouini, Head of IAM Division
Geneva, 27.11.2014
Organised by
AGENDA
Context / needs / customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / questions and answers – 15 min
CURRENT CUSTOMER NEEDS
■ Allow secure access to B2B applications based on SharePoint 2013 for all employees, business partners and contractors (maximum 100’000 users).
■ Simplify the registration and on-boarding process for business partners and employees without adding heavy administration tasks for business and IT admins (access right management).
■ Provide the best user experience for end users in terms of access, registration and collaboration.
■ Identify each user and audit all access to sensitive documents using a unique identifier that is strongly linked to the physical person.
■ Deliver the best performance for the B2B application and support peak demand during specific events.
BUSINESS DRIVERS
■ Business facilitation
■ Improve security & risk management
- Strong authentication to protect sensitive assets
- Enforce the access control policy
- Timely revocation of inactive accounts
- Impose policies and improve audit capability
■ Regulatory compliance
- Loi fédérale du 19 juin 1992 (LPD), the Swiss Federal Act on Data Protection
- Company audit policy and compliance report
■ Reduce operational costs
- Align technology in both data centres (use of F5)
- Reduce management and security costs
- Cut development costs by using standard protocols (SAML2, OAuth, WS-Fed …)
■ Improve user experience (with SSO and federated SSO)
- Integrate partners (top sponsors)
- Integrate new business applications within time-to-market (SaaS apps, on-premises apps using SAML SSO)
BUSINESS CHALLENGES
Project business team: How do we manage this massive number of users in terms of registration and access rights? We are only 5 people!
IT security officer: I will not let 100’000 users access my network without identifying them in a secure way! Today our LAN is not open to the worldwide Internet.
IT system administrator: How many system administrators do we need to manage that many servers (required for SharePoint 2013)? Do we need to manage a lot of firewall rules for SAML?
Help desk and support: I don’t want to receive calls or tickets for people working outside our company. I’m supposed to handle requests only for employees!
Head of IT: Are you sure that SAML is the right choice? Will it make application integration faster in the future? Does it enable SSO to SaaS platforms? It costs a lot, no?
AGENDA
Context / needs / customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / questions and answers – 15 min
HOW CAN FEDERATED IDENTITY AND SSO SOLVE THESE CHALLENGES?
Federated identity & SSO benefits: better user experience, simplified access, secure access, easier integration.
- Simplify the user’s navigation
- A single authentication service
- No more passwords: tokens are passed around instead
- Use of the SAML standard, which crosses network boundaries
Authentication: verifying that a user, device, or service (such as an application provided on a network server) is the entity that it claims to be.
Authorisation: determining which actions an authenticated entity is authorised to perform on the network.
WHAT IS FEDERATED IDENTITY MANAGEMENT?
Identity management deals with identifying individuals in a system and controlling access to the resources in that system.
- Identity Provider (IdP): the entity performing authentication
- Service Provider (SP): the entity allowing authorised access to resources
IDENTIFICATION AND AUTHENTICATION: CLASSIC VS. SAML-BASED
Figure: in the classic model, each application (App 1, App 2) performs its own authentication and its own authorisation in front of its functionalities and data. In the SAML-based model, authentication is performed once by the IdP (backed by Active Directory) and each application, as an SP, only performs authorisation on the SAMLv2 claims it receives.
IDENTITY FEDERATION OVERVIEW
Figure: a directory, an SSO service and digital resources; the Service Provider (SP), the Identity Provider (IdP) and an IdP discovery service.
TRUST BETWEEN IDP AND SP
■ Asymmetric cryptography (key pair)
- The receiver’s public key (known to the sender) is used for encryption
− The sender must be able to verify the authenticity of that public key!
- The receiver’s private key (the receiver’s secret) is used for decryption
- The two keys of the pair (private and public) are generated at the same time
- Also known as “public-key cryptography”
The message exchange between an IdP and an SP that trust each other follows the same pattern.
Figure: on the IdP side the message is signed and passed through the encryption algorithm with the SP public key; on the SP side the decryption algorithm uses the SP private key.
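As an added example, not code from the deck or from ELCA, the Go program below shows the key-pair operations the slide describes between an IdP and an SP: the IdP signs the assertion with its private key and the SP verifies it with the IdP public key it has been configured to trust (a signature made under any other key, or over a modified assertion, is rejected); the IdP wraps a symmetric session key with the SP public key and only the SP private key can unwrap it. In-memory key generation, the assertion bytes and the session key are constructed for the demo; SAML metadata exchange and the XML-DSig encoding are assumed to happen around these primitives.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one federation participant with its own key pair. Only the public
// half is ever handed to the peer (in real deployments through SAML metadata).
type Party struct {
	Name string
	Key  *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair (in memory for the demo;
// production keys live in an HSM or a certificate store).
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: k}, nil
}

// Sign is the IdP step: hash the assertion and sign the digest with the IdP private key.
func Sign(idp *Party, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPSS(rand.Reader, idp.Key, crypto.SHA256, digest[:], nil)
}

// Verify is the SP step: the SP only accepts assertions whose signature checks
// out under the IdP public key it has been configured to trust.
func Verify(trustedIdP *rsa.PublicKey, assertion, sig []byte) bool {
	digest := sha256.Sum256(assertion)
	return rsa.VerifyPSS(trustedIdP, crypto.SHA256, digest[:], sig, nil) == nil
}

// WrapKeyForSP encrypts a symmetric session key with the SP public key (RSA-OAEP).
// SAML encrypts the assertion body with a symmetric key and wraps that key for
// the SP, which is why a short key, not the whole assertion, goes through RSA.
func WrapKeyForSP(spPub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, sessionKey, nil)
}

// UnwrapKeyAtSP recovers the session key; it needs the SP private key.
func UnwrapKeyAtSP(sp *Party, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, sp.Key, wrapped, nil)
}

func main() {
	idp, _ := NewParty("IdP")
	sp, _ := NewParty("SP")

	// Constructed assertion bytes standing in for the canonicalised SAML XML.
	assertion := []byte(`<saml:Assertion>loginID=A3478372</saml:Assertion>`)
	sig, _ := Sign(idp, assertion)

	fmt.Println("genuine assertion accepted:", Verify(&idp.Key.PublicKey, assertion, sig))
	tampered := []byte(`<saml:Assertion>loginID=A3478373</saml:Assertion>`)
	fmt.Println("tampered assertion accepted:", Verify(&idp.Key.PublicKey, tampered, sig))
	// A signature checked under a key the SP does not trust (here the SP's own) must fail.
	fmt.Println("untrusted key accepted:", Verify(&sp.Key.PublicKey, assertion, sig))

	sessionKey := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key
	wrapped, _ := WrapKeyForSP(&sp.Key.PublicKey, sessionKey)
	recovered, err := UnwrapKeyAtSP(sp, wrapped)
	fmt.Println("SP recovers session key:", err == nil && string(recovered) == string(sessionKey))
	_, err = UnwrapKeyAtSP(idp, wrapped)
	fmt.Println("IdP can unwrap the SP key:", err == nil)
}
```

The two directions are deliberately separate: signing proves to the SP who issued the token, wrapping keeps the assertion contents readable only by the SP, and the slide's warning about verifying the authenticity of the peer's public key is exactly what the `trustedIdP` parameter stands for.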
SAML TOKEN
A SAML token carries pieces of information about the user (name, age, location, …) and can contain more information than a Windows Kerberos token.
Figure: client application A obtains a token from the identity provider (ADFS) (step 1) and presents it to external application B (step 2).
Sample assertion:
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="loginID" AttributeNamespace="http://...">
      <saml:AttributeValue>A3478372</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://...">
      <saml:AttributeValue>Bob</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="employeeType" AttributeNamespace="http://...">
      <saml:AttributeValue>internal</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>
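As an added example (not part of the deck), the Go program below is the SP-side consumer of the assertion shown above: it parses the attribute statement into a claims map, checks that a Signature element is present and that the loginID claim the B2B application keys on exists, and rejects an unsigned copy. The sample assertion is a constructed copy of the slide’s, with the elided AttributeNamespace replaced by a placeholder URI; verifying the XML signature itself is left to the SAML stack.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// sampleAssertion is a constructed copy of the slide's token; the elided
// AttributeNamespace ("http://...") is replaced with a placeholder URI.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="loginID" AttributeNamespace="http://claims.example.invalid">
      <saml:AttributeValue>A3478372</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="name" AttributeNamespace="http://claims.example.invalid">
      <saml:AttributeValue>Bob</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="employeeType" AttributeNamespace="http://claims.example.invalid">
      <saml:AttributeValue>internal</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />
</saml:Assertion>`

// unsignedAssertion is the same token with the Signature element removed.
var unsignedAssertion = strings.Replace(sampleAssertion,
	`<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" />`, "", 1)

// Assertion mirrors only the parts of the token this SP consumes. The root
// element must be Assertion in the SAML 1.0 assertion namespace.
type Assertion struct {
	XMLName    xml.Name    `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
	Signature  *Signature  `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
}

type Attribute struct {
	Name      string   `xml:"AttributeName,attr"`
	Namespace string   `xml:"AttributeNamespace,attr"`
	Values    []string `xml:"AttributeValue"`
}

// Signature only records that the element was present; validating the XML
// signature itself (digest, reference, certificate chain) is the job of the
// SAML stack, not of this parser.
type Signature struct {
	Raw string `xml:",innerxml"`
}

func ParseAssertion(data []byte) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(data, &a); err != nil {
		return nil, err
	}
	return &a, nil
}

// Claims flattens the attribute statement into name -> first value.
func Claims(a *Assertion) map[string]string {
	out := make(map[string]string, len(a.Attributes))
	for _, attr := range a.Attributes {
		if len(attr.Values) > 0 {
			out[attr.Name] = attr.Values[0]
		}
	}
	return out
}

// CheckAssertion applies the SP's minimum acceptance rules: the token must carry
// a signature element and the loginID claim that the B2B application keys on.
func CheckAssertion(a *Assertion) error {
	if a.Signature == nil {
		return errors.New("assertion is not signed")
	}
	if Claims(a)["loginID"] == "" {
		return errors.New("assertion carries no loginID claim")
	}
	return nil
}

func main() {
	for _, token := range []string{sampleAssertion, unsignedAssertion} {
		a, err := ParseAssertion([]byte(token))
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("claims=%v check=%v\n", Claims(a), CheckAssertion(a))
	}
}
```

Keying the local identity on loginID rather than on the name claim is what makes the later unique-ID and provisioning slides work: Bob can be renamed without losing his history, and two Bobs never collide.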
FEDERATED SSO FLOW
Figure: the client application requests a protected page from the Service Provider (GET /app1), is redirected (302) to the IdP with GET /saml2/SAMLRequest, authenticates there, and the SAML response is posted back to the Service Provider (POST /saml/); the slide numbers the exchange from 1 to 7.
SSO WITH OPENID PROVIDER AND SOCIAL NETWORK
Figure: the client application requests GET /default.aspx, is sent to the social identity provider (GET /openid/auth), and comes back with an OpenID token that the application accepts.
FEDERATION MODELS – PEER-TO-PEER
Figure: the company LAN hosts its own IDP and the service providers SP x and SP y; each external identity provider (IDP 1, IDP 2, IDP 3) has its own trust link with the SP.
IDENTITY FEDERATION WITH A “HUB” SAML ARCHITECTURE
Figure: a HUB in the data centre sits between the service providers (SP 1 fronting App A, App B and App C; SP 2 fronting App X; SP 3 fronting App Y; and App Z) and the identity providers (IDP HQ, IDP W, IDP X, IDP Y, IDP Z). Other applications, such as SaaS (cloud) and partners’ applications, attach to the hub in the same way.
PARTNER CATEGORIZATION
- Not mandatory; makes business easier; «low» level of trust
- Essential for business; several services used; «medium» level of trust
- Essential for strategy; advanced SLA; sensitive applications; «high» level of trust
ACCOUNT AND ACCESS MANAGEMENT
■ Account provisioning
- Transient (no need to map the federated user to an existing account)
- Just-in-time (JIT) provisioning (needs a mapping ID)
- Directory synchronisation (via CRM or a regular export / import)
■ Access management
- Generic partner account
- Establish roles among the partner’s users
- Each partner’s user has their own account
Figure: example account names partner-gen-user, part-t1-user, part-t2-user, part-t3-user, part-t4-user.
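As an added example (not code from the deck or from ELCA), the Go program below implements the three provisioning options above on the SP side, using the loginID claim from the SAML token as the mapping ID: a transient login keeps no local account, just-in-time creates the local account on first login and reuses it afterwards, and directory synchronisation only accepts accounts that the CRM export created beforehand. The account store, the sp-0001 style local IDs and the claim set are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// ProvisioningMode is one of the three options on the slide.
type ProvisioningMode int

const (
	Transient     ProvisioningMode = iota // session only, no local account
	JustInTime                            // create the local account on first login, keyed by a mapping ID
	DirectorySync                         // account must already exist (CRM sync / export-import)
)

// Account is the SP-side record.
type Account struct {
	LocalID   string // SP-internal identifier (constructed sp-NNNN format)
	MappingID string // federated identifier from the token (the loginID claim)
	Email     string
}

// Outcome tells the application what the login produced.
type Outcome struct {
	Account *Account // nil in transient mode
	Created bool     // true when JIT created the account during this login
}

// Store holds local accounts keyed by mapping ID.
type Store struct {
	accounts map[string]*Account
	nextID   int
}

func NewStore() *Store { return &Store{accounts: map[string]*Account{}, nextID: 1} }

func (s *Store) add(mappingID, email string) *Account {
	acct := &Account{LocalID: fmt.Sprintf("sp-%04d", s.nextID), MappingID: mappingID, Email: email}
	s.nextID++
	s.accounts[mappingID] = acct
	return acct
}

// Preload is the directory-synchronisation path: the CRM export or import job
// creates the account before the user ever logs in.
func (s *Store) Preload(mappingID, email string) *Account { return s.add(mappingID, email) }

// Resolve is called by the SP after the assertion has been validated; claims is
// the flattened attribute statement (e.g. loginID, name, employeeType).
func (s *Store) Resolve(mode ProvisioningMode, claims map[string]string) (Outcome, error) {
	if mode == Transient {
		// Nothing is persisted: authorisation must work from the claims alone.
		return Outcome{}, nil
	}
	mappingID := claims["loginID"]
	if mappingID == "" {
		return Outcome{}, errors.New("token carries no mapping ID (loginID)")
	}
	if acct, ok := s.accounts[mappingID]; ok {
		return Outcome{Account: acct}, nil
	}
	if mode == DirectorySync {
		return Outcome{}, fmt.Errorf("no account for %s: wait for the next directory synchronisation", mappingID)
	}
	return Outcome{Account: s.add(mappingID, claims["email"]), Created: true}, nil
}

func main() {
	// Constructed claim set standing in for the parsed SAML token.
	claims := map[string]string{"loginID": "A3478372", "name": "Bob", "employeeType": "internal"}
	s := NewStore()
	for _, mode := range []ProvisioningMode{Transient, DirectorySync, JustInTime, JustInTime} {
		out, err := s.Resolve(mode, claims)
		label := "none"
		if out.Account != nil {
			label = out.Account.LocalID
		}
		fmt.Printf("mode=%d account=%s created=%v err=%v\n", mode, label, out.Created, err)
	}
}
```

The mode choice is a trust decision as much as a technical one: JIT lets a partner’s IdP populate the SP’s account store, so it fits the higher-trust partner categories, while directory synchronisation keeps the customer’s CRM as the only source of new accounts.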
WHY DO WE NEED A UNIQUE ID
■ Ability to uniquely identify a user (or application, machine, service, …) in the IT environment, for audit purposes for example
■ No need to manage a matching table per application between the ID and the physical user
■ It is a mandatory prerequisite for internal SSO and external identity federation
■ The ID must be kept and archived even after the employee has left the company. It must never be reassigned to any other employee, to avoid the risk of someone inheriting the former holder’s access rights.
FEDERATED IDENTITY CHECKLIST
- Partners identified: categorisation, reliability, auditability, confidentiality
- Federation technology
- Unique identifier
- User data reliability
- Rules and regulations documented
- Audit
- Service providers: federation token consumer, SLA / availability
- Identity providers: federation token issuer, strong authentication
- IAM processes
LEGAL AND CONTRACTUAL CONSTRAINTS
■ Identity authenticity
- Depends on the partner trust level
- Defines constraints on which service is accessed
■ Confidentiality vs. auditability
- Audit: track user activity
- Confidentiality: hide user identity
- The need (tracking) and the constraint (confidentiality) have to be reconciled
FEDERATED SSO EXAMPLE
- Multi-organisation collaboration is common
- Accounts are generally maintained by one organisation
- Grant access to externally authenticated users
Figure: the Customer and the Business Partner sign a business agreement; the partner authenticates its user, who then accesses the customer’s resources.
We don’t need to maintain or create external accounts for those users, as the Customer trusts the Partner!
FEDERATED IDENTITY MANAGEMENT: EXAMPLE
Figure: a central directory, synchronised from the CRM or contacts, feeds the authentication services; the user receives SAML tokens, opens a session and gets access to the applications (Exchange, HR database, SAP, databases); federated partners reach the same applications through the federated IAM over a trust relationship.
AGENDA
Context / needs / customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / questions and answers – 15 min
ELCA APPROACH: DEFENSE IN DEPTH
Figure: a secure CDN in front of the Internet; an F5 Big-IP in each data centre (DC 1 & 2, DC3, DC4); the B2B app with its IAM & security stack (ADFS, external AD, 2FA) in test and prod, and the internal IAM & security stack (ADFS, internal AD, 2FA) acting as SAML IdP.
Use cases covered: (1) employee from the LAN, (2) employee from the Internet, (3) federated partner from the LAN, (4) non-federated partner from the Internet, (5) federated partner from the Internet.
DEFENSE IN DEPTH APPROACH
Security mechanisms per layer (source: Microsoft defense in depth approach):
- HTML/HTTP inspection, input validation checks, secured custom code, sanitisation
- OS hardening with BPA / security templates, IIS hardening, HIDS
- Strong authentication, RBAC model, security policy, encryption at rest / in transit, audit, access control
- Secured equipment rack, physically controlled access, secure facilities, RFI/EMI shielding, geographical site location
- Network device access control lists, IPsec encryption, NIDS, firewall
Products and controls: Secure CDN; F5-ASM; 2FA; web password; F5-APM; SIEM (Splunk); CheckPoint; IPS (ISS); VPN IPsec; Best Practice Analyzer; WSUS; Symantec / McAfee; DataCenter1: ISO 27002; DataCenter2: ISO 20000 / ITIL.
NETWORK DEFENSE: NETWORK SEGMENTATION
Figure: front end, middle end and back end tiers, with App 1 prod, App 2 test and App 2 prod kept in separate segments.
TRACK USER ACTIVITY: UNIQUE ID
Identity sources: employees, contacts, Active Directory and others …
- The unique ID is independent of the first name and last name of the user
- The unique ID is generated according to a specific algorithm
- Internal and external users log in to the B2B applications with their email address, but the logs track them using their unique ID
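As an added example (not the deck’s or ELCA’s code), the Go program below is a small registry applying the rules above together with those from the WHY DO WE NEED A UNIQUE ID slide: the ID contains nothing derived from the user’s name, the same person always gets the same ID back, a deprovisioned ID is archived and never reissued, old IDs stay resolvable for audit, and the access-log line carries the unique ID rather than the login email. The ID format (an A prefix and a counter starting at a constructed seed that resembles the slide’s A3478372) and the sample addresses are assumptions; the deck does not give the generation algorithm.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Registry issues opaque unique IDs and guarantees they are never reassigned.
// The ID format (letter prefix plus a zero-padded counter) is an assumption;
// the deck only says that a "specific algorithm" is used.
type Registry struct {
	next     int
	active   map[string]string // login email -> unique ID (current holders only)
	owner    map[string]string // unique ID -> email it was issued to (kept for ever)
	archived map[string]bool   // unique IDs whose holder has left
}

func NewRegistry() *Registry {
	return &Registry{next: 3478372, active: map[string]string{}, owner: map[string]string{}, archived: map[string]bool{}}
}

func (r *Registry) newID() string {
	id := fmt.Sprintf("A%07d", r.next)
	r.next++
	return id
}

// Enroll returns the ID already bound to the email or issues a fresh one.
// Names never enter the ID, so a renamed user or a namesake never collides.
func (r *Registry) Enroll(email string) string {
	email = strings.ToLower(email)
	if id, ok := r.active[email]; ok {
		return id
	}
	id := r.newID()
	r.active[email] = id
	r.owner[id] = email
	return id
}

// Deprovision archives the ID: the binding is kept so old log lines stay
// attributable, but the ID can never be handed to another person.
func (r *Registry) Deprovision(email string) (string, error) {
	email = strings.ToLower(email)
	id, ok := r.active[email]
	if !ok {
		return "", errors.New("unknown user")
	}
	delete(r.active, email)
	r.archived[id] = true
	return id, nil
}

// ResolveID maps an ID found in a log line back to the person it belonged to,
// whether or not that person is still active.
func (r *Registry) ResolveID(id string) (email string, archived bool, ok bool) {
	email, ok = r.owner[id]
	return email, r.archived[id], ok
}

// AuditLine builds the access-log entry: the user logged in with an email
// address, but the log records only the unique ID.
func (r *Registry) AuditLine(email, site, action string) (string, error) {
	id, ok := r.active[strings.ToLower(email)]
	if !ok {
		return "", fmt.Errorf("no active unique ID for %s", email)
	}
	return fmt.Sprintf("uid=%s site=%s action=%s", id, site, action), nil
}

func main() {
	r := NewRegistry()
	email := "mary.c@partner-x.example" // constructed address
	id := r.Enroll(email)
	line, _ := r.AuditLine("Mary.C@partner-x.example", "A", "download")
	fmt.Println(id, line)
	r.Deprovision(email)
	fmt.Println("re-enrolled as", r.Enroll(email), "(the old ID stays archived)")
}
```

Because the log never contains the email, the confidentiality requirement from the legal constraints slide is met at the log level, while `ResolveID` keeps the auditability requirement satisfied for whoever is authorised to look the ID up.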
SIMPLIFY ACCESS RIGHT MANAGEMENT: ATTRIBUTE-BASED ACCESS CONTROL
Figure: users reach the B2B application over the Internet carrying their attributes: Name: Mary C, Org: X, Fct: Audit, Loc: CH; Name: Paul B, Org: Y, Fct: Marketing, Loc: BR; Name: Marc A, Org: Z, Fct: Accommodation, Loc: UK. Access rights per site are derived from these attributes: Site A: read, write, download, create users; Site B: read, write, approve, create users; Site C: read, update, delete.
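As an added example (not code from the deck), the Go program below evaluates the three users on the slide against an attribute-based policy for sites A, B and C: every decision is made from Org, Fct and Loc, so adding a partner user never requires a per-user entry, and anything not matched by a rule is denied. The rules themselves (which function may write, who may create users, and so on) and the set of trusted organisations are constructed for the demo; the deck shows the attributes and the per-site actions but not the mapping between them.

```go
package main

import "fmt"

// Subject carries the attributes delivered in the SAML token (the slide's
// Name / Org / Fct / Loc).
type Subject struct {
	Name, Org, Fct, Loc string
}

// Request is the action a user attempts on one of the B2B sites.
type Request struct {
	Site, Action string
}

// Rule grants one (site, action) when the predicate over the subject's
// attributes holds. There is no per-user entry anywhere.
type Rule struct {
	Site, Action string
	Allow        func(Subject) bool
}

// trustedOrgs and the policy below are constructed for the demo; the deck
// shows the attributes and the per-site actions but not the mapping.
var trustedOrgs = map[string]bool{"X": true, "Y": true, "Z": true}

func fromTrustedOrg(s Subject) bool { return trustedOrgs[s.Org] }
func isAuditor(s Subject) bool      { return s.Fct == "Audit" }

var policy = []Rule{
	// Site A: read, write, download, create users
	{"A", "Read", fromTrustedOrg},
	{"A", "Write", func(s Subject) bool { return s.Fct == "Audit" || s.Fct == "Marketing" }},
	{"A", "Download", isAuditor},
	{"A", "Create users", func(s Subject) bool { return isAuditor(s) && s.Loc == "CH" }},
	// Site B: read, write, approve, create users
	{"B", "Read", fromTrustedOrg},
	{"B", "Write", func(s Subject) bool { return s.Org == "Y" }},
	{"B", "Approve", func(s Subject) bool { return isAuditor(s) && s.Org == "X" }},
	{"B", "Create users", func(s Subject) bool { return isAuditor(s) && s.Loc == "CH" }},
	// Site C: read, update, delete
	{"C", "Read", fromTrustedOrg},
	{"C", "Update", func(s Subject) bool { return s.Org == "Z" }},
	{"C", "Delete", func(s Subject) bool { return s.Org == "Z" && isAuditor(s) }},
}

// Decide is deny-by-default: only a matching rule whose predicate is true grants.
func Decide(rules []Rule, s Subject, r Request) bool {
	for _, rule := range rules {
		if rule.Site == r.Site && rule.Action == r.Action && rule.Allow(s) {
			return true
		}
	}
	return false
}

// Permissions lists every action a subject may perform on a site.
func Permissions(rules []Rule, s Subject, site string) []string {
	var out []string
	for _, rule := range rules {
		if rule.Site == site && rule.Allow(s) {
			out = append(out, rule.Action)
		}
	}
	return out
}

func main() {
	users := []Subject{
		{"Mary C", "X", "Audit", "CH"},
		{"Paul B", "Y", "Marketing", "BR"},
		{"Marc A", "Z", "Accommodation", "UK"},
	}
	for _, u := range users {
		for _, site := range []string{"A", "B", "C"} {
			fmt.Printf("%-8s site %s: %v\n", u.Name, site, Permissions(policy, u, site))
		}
	}
}
```

The attributes only carry authority because they arrive inside a signed assertion from a trusted IdP; the policy should therefore consume claims that the SP has already validated, never values the user can edit.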
AGENDA
Context / needs / customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / questions and answers – 15 min
OUR IAM METHODOLOGY
ORGANISATION CHART
- Steering committee (sponsor, head of technology, security officer). Responsibilities: decide on major options, ensure alignment with corporate and business strategies, communicate.
- Project sponsor board (B2B project representatives, IT representatives, security representatives). Responsibilities: provide information, challenge deliverables and proposed solutions, validate deliverables and proposed solutions.
- Project team (ELCA consultants and technical experts, ELCA project manager N. Aouini, E-Xpert Solutions F5 experts, other providers). Responsibilities: gather and analyse information, propose solutions and evaluate options, produce deliverables, manage the mission.
PROJECT PLAN
Figure: timeline over months M1 to M12 with four phases: Phase 0: Analyze, Phase 1: Implement, Phase 2: Deploy & Run, Phase 3: Roll-out.
Legend: kick-off meeting, steering committees (S1 to S4), workshops, weekly status.
Workshops: WS#1 Identity federation, WS#2 Strong authentication, WS#3 IAM processes, WS#4 AuthZ models.
Milestones: security architecture concept; F5-APM setup finished.
AGENDA
Context / needs / customer challenges – 5 min
Federation vision (concepts, benefits, needs) – 15 min
ELCA security architecture – 15 min
Project strategy – 5 min
Lessons learned / ELCA security services / questions and answers – 15 min
BENEFITS OF FEDERATED SSO
- Access to the platform is available worldwide, using the best technology to provide high performance, strong security and a high-quality user experience.
- Support for standard authentication methods (SAML2) and a simplified on-boarding process for trusted partners.
- Reduced overall management cost of registration and of troubleshooting user access, since the process is completely automated (based on CRM synchronisation).
- Ability to control access to sensitive assets using 2FA coupled with SAML2 SSO (step-up authentication possible).
- Track and audit user activity using a secure unique identifier linked to a single person while respecting privacy.
RECOMMENDATIONS #1
■ Document the identity and access management (IAM) plan: understand what the business wants in terms of requirements, how it will be operated (insourced or outsourced?), who is responsible for which pieces and how they function.
■ Produce fast results: achieve some quick, low-cost results.
■ Address high-risk areas early: security issues are often the primary business concern (start with SSO and strong authentication); this also allows easier security auditing.
■ Increase integration between directory, security and application services with a SAML identity provider.
■ Improve capabilities that promote the ease and efficiency of finding organisational data.
■ Precise management of identity entitlements and of the modification or termination of system access rights through provisioning and de-provisioning mechanisms.
RECOMMENDATIONS #2
■ Assess existing systems for accreditation and adherence to industry standards to smooth the SAML migration.
■ Use a standard set of security protocols (SAML, OAuth).
■ Rationalise, synchronise and, where appropriate, reduce the number of directory services and identity information repositories.
■ Reduce identity duplication and combine capabilities:
- to simplify the overall infrastructure
- choose a unique identifier for internal and external users
- reduce management / administration efforts
- enable a greater degree of single sign-on across the business systems
- allow easier security auditing
■ Manage identity entitlements of system access rights through provisioning and de-provisioning mechanisms.
WHY CHOOSE OUR SOLUTION
ELCA has proven expertise to be your IAM partner:
■ Proven IAM expertise
■ Ability to deliver on time
■ Quality of deliverables
■ Business focus first
■ Knowledge of customer needs
■ Team working with customer representatives
■ Innovation and cutting-edge solutions
■ Security focus in mind
■ Efficiency
■ Neutral integrator
■ Customisation
■ Your local IAM partner
ELCA ARCHITECTURE
Figure: authoritative sources (HR, external) feed a metadirectory that is synchronised through IAM connectors with AD + Exchange, the enterprise platform and other apps; access management runs the approver / user / ID admin workflows, self-service, dashboard and reports; partners are federated with SAML claims, alongside the employee, contractor and stakeholder populations; auditors and application auditors rely on log collection for access intelligence.
ELCA IAM SUCCESS STORIES
- For a large humanitarian worldwide organisation (9’000 users, 20’000 partners)
- For an insurance company (2’000 users, 20’000 brokers)
- For an international sports organisation (500 users, 100’000 partners worldwide)
Lausanne I Zürich I Bern I Genf I London I Paris I Ho Chi Minh City
Thank you for your attention
For further information please contact:
Nagib Aouini, Head of division Identity & [email protected]