Archive for the ‘Service Models’ Category

Attribute Based Access Control (ABAC) – The Next Big Piece of the Puzzle

Tuesday, May 24th, 2011

Identity Management is a very important part of today’s responsive IT environment. For about the last dozen years we have all been working diligently to connect each of our disparate systems and provision everything that we could get our connectors attached to. Identity Management continues to be a huge issue for many organizations. How does a large multi-national company maintain the tens of thousands of identities that access its systems each day? Or how does a medium-sized company with a leanly staffed IT department maintain its internal identities and also manage the B2B relationships and the system accesses that come along with them?

But now that we have identities provisioned and access granted to the key systems, what do we do with all of that great information we have been gathering about the users? We grant and/or deny access to services with it. As a result we moved into the realm of role-based access control. When a user had a change of role within an organization we reflected that in their digital identity. From there we might provision a change to a downstream system or application that changes their access to an application or other data source. This approach gave us a much more dynamic environment that reacted to the ever-changing roles within an organization, but it still had one big issue: the application’s security needed to be tightly integrated with the system of record, whether that be Active Directory, Oracle or some other authoritative system. This approach is very costly and time consuming, especially in today’s dynamic IT environment.

Through Identity Management we effectively made Identity as a Service (IDaaS) available to be consumed by the disparate systems in the enterprise. Access management has accomplished the same thing for authentication. But authorization has continued to be largely the burden of the application itself. This is where Attribute Based Access Control (ABAC) and the XACML standard become part of the complete security picture. ABAC effectively takes the burden of authorization away from the application and provides it as a service within the organization, to be consumed by any application or data source that needs protection. XACML makes this idea a reality by providing a standard by which the different components can effectively speak the same language for authorization services.

An ABAC deployment has several advantages, including dynamic access to critical data based on an individual’s attributes instead of a preset ACL or provisioned access. Access is evaluated at the time of request and either granted or denied based on the requester’s attributes. This is particularly advantageous in a federated environment, where the owner of the system may not own the identity that is requesting the resource. It is not the job of the authorization service to establish the identity; that is handled by the identity and authentication services. It is simply the job of the authorization service to determine whether the authenticated identity is granted access to the protected resource, based on a policy that is interpreted at the time of the request.

There are a number of components that make up an ABAC solution. These components include, but are not limited to, a Policy Decision Service (PDS), also known as a Policy Decision Point (PDP); a Policy Enforcement Point (PEP); and an Attribute Service (AS), also known as a Policy Information Point (PIP). When implemented according to standards, these components may be provided by a single vendor or chosen across multiple vendors based on best-in-class technology. There are a number of vendors that provide these services, including, but not limited to: Axiomatics, Bitkoo, Oracle, CA, Jericho Systems, Vordel, Cisco, Siemens, Epok, Layer 7, Quest, Pericore, NextLabs and IBM. Each of these vendors, and others, provides standards-based (XACML) solutions that allow application developers to concentrate on implementing the business logic of the application while the authorization is handled externally.

While the level of integration with the application, and with the back-end systems and data sources, varies across the vendors, it is clear that a large step has been taken with ABAC and XACML toward Authorization as a Service. While there is still some work to be done (some of which is very clearly addressed in the XACML 3.0 specification), this is a solution that is ready for wide adoption. I think it can be confidently stated that Attribute Based Access Control is truly the next big piece of the puzzle for many service-hungry IT environments.

As always, questions, comments or concerns?  Feel free to reach out to us at IDMWorks.

Security & Cloud Computing

Monday, May 23rd, 2011

A study of North American and European cloud computing service providers was recently completed by CA Technologies and the Ponemon Institute. The study covered Public, Private and Hybrid (combined Private and Public) cloud services. Most of the service providers believe their biggest selling points are the ‘lower cost and relative speed’ of services, in line with SaaS (Software as a Service) and IaaS (Infrastructure as a Service) offerings. Of note is that the biggest concern is the lack of security in the cloud and within the applicable services. Per the study, providers on average spend less than 10% of their resources on security, and most have no dedicated security personnel, leaving the onus for cloud security on the customer!

The areas of security that the vendors/providers did not deem critical were those of compliance and regulation; these sat at the bottom of each list with very low percentages (15% or less deployed by cloud vendors/providers). The prime examples being:

  • Single sign-on
  • Data loss prevention
  • Correlation or event management
  • Access governance systems
  • Encryption for wireless communication

Perhaps the most telling and worrisome quote regarding this practice:

“The majority of cloud providers believe it is their customer’s responsibility to secure the cloud and not their responsibility. They also say their systems and applications are not always evaluated for security threats prior to deployment to customers.”

So if security is the responsibility of the customer and areas such as User Provisioning, Access Management and Data Loss Prevention are on the bottom of the heap as priorities, customers need to be wary.

Going Cloud this year?  Give us at IDMWorks a shout and let’s talk security first.

Private Cloud Identity Management Considerations

Sunday, February 20th, 2011

The most natural evolution for many enterprises in their migration from traditional enterprise IT to a cloud model is the Private Cloud. One of the significant advantages of a private cloud model is the level of control and the level of security that it can offer IT organizations over their own cloud infrastructure. Traditional Enterprise IdM relies on tight integration and heavy customization. The cloud’s model of sharing resources makes tight coupling a non-starter.

The cloud model instead needs an identity management infrastructure with the following characteristics:

  1. Service Oriented – so that applications can take advantage of reusable shared components supported by your IT organization using SaaS (Software as a Service).
  2. Standards Oriented – so that your services can work seamlessly with other applications on premise and off premise (SAML, SPML, XACML, OpenID, etc.).
  3. Loosely Coupled – so that you can build and deploy services by leveraging existing ones using PaaS (Platform as a Service).
  4. Interoperable – so that your services work seamlessly with your traditional infrastructure without introducing any deployment risks, using IaaS (Infrastructure as a Service).

In a private cloud, your IT has to worry about sustaining compliance and keeping compliance costs down. In a public cloud, on the other hand, service providers have a significantly higher bar when it comes to compliance. Audit standards like SAS 70 are applicable to public cloud service providers. Sustainable compliance demands automation. So technologies like Identity and Access Governance are necessary to meet complex demands of compliance such as attestation and access governance.

Self Service is also critical in private cloud scenarios. Self service can keep administrative overhead costs down. Delegated Administration is also necessary in private clouds so that central IT can delegate control of identity management for departments to departmental owners. Technologies like Identity Administration can help with self service provisioning, password reset and in enforcing delegated administration.

Questions? Feel free to reach out to us at IDMWorks.

Macintosh SSO via PasswordBank

Sunday, February 20th, 2011

I recently had the opportunity to participate with PasswordBank (PB) at a Proof of Concept (POC) demonstration for a company in Chicago. The company was interested in seeing how the PB SSO product would integrate with their Macintosh Users. Most of the senior company officers were Mac users and the ability of the PB SSO product to work with the Mac was the focus of the POC.

The PasswordBank Server was pre-configured by PB in the Amazon Cloud prior to the POC. This is the same installation/configuration that would be done on a bare-metal server onsite. Installation is rather straightforward and requires only a couple of hours. The entire server/database combination can be set up on a single server from a single DVD. The server is CentOS based, and the DVD includes the PB software as well as a MySQL database.

Access to the PasswordBank WebSSO requires the use of a browser plug-in.  In the case of the POC, the new Safari plug-in was used. Safari was the browser of choice for this customer.

Two methods of cloud-based server configuration were discussed. The first was a single server in the cloud with no local presence; all traffic would have to be enabled to the cloud server in order for SSO to work. The second method, known as the hybrid, used a password router to intercept traffic inside the firewall and route the SSO traffic to the cloud server. This router, also known as an Identity Server, would reside on any IIS server along with whatever web services were running in IIS. For this POC the single cloud server was used.

The Safari plug-in is managed through the extensions settings for Safari.

Settings include the check box to enable the server and the URL for the PB Server. The second setting is used for the hybrid mode where the Identity Server/Password Router would be setup.

Application configuration is very simple. Once the application URL has been entered (LinkedIn in this case), the PB extension will attempt to capture the login information as it is entered.

Note that the PasswordBank banner is shown. That is the indication that the password capture process is happening. Once you enter your userid and password they will be captured and the banner will not show again. Your credentials are now stored for future use. Should your password expire, the PB extension will detect this and offer the means to update the credentials. The next time you go to LinkedIn the PB extension will provide the credentials.

Should you not wish to have credentials entered automatically the PB extension can be paused for a particular application.

  • Credentials can always be modified for each application individually without having to access the application.
  • Credentials can also be deleted by a user for an application. This would cause the PB extension to ask for credentials again the next time the user accessed the application.

Applications are created by users who have Administrative rights to create applications. They do this by accessing the application one time. Once created, any user may access the application and have SSO for that application. Applications are named after the Title value of the web page, but this is readily changed should the title not accurately reflect the application (we had a few in the POC where the title was simply “Login”). The administrative UI provides the ability to customize the applications in many ways. Applications accessed via PB can be granted to a user or group, and user stores can be internal or external (e.g. Active Directory).

User access to the PasswordBank server is via User Certificate. Administrative users generate certs for users, and users have the means to retrieve them via web or to have them emailed to themselves. Once a cert is installed in the OS X Keychain, Safari will request the cert when the extension is accessed via the dedicated PB icon (rightmost icon shown below).

Hint: If you click on Always Allow then you will not be asked this for any future access.

This is a very simple, yet flexible, means to provide SSO functions within Safari on a Macintosh. Should your Mac users be Firefox-based, a similar plug-in is available. PasswordBank has an OS X Client in the works that would extend single sign-on to the OS level, similar to what it already provides for Windows XP, Windows 7 and Linux Desktop Operating Systems. These clients integrate at the OS login to provide Single Sign-On for the entire user experience.

As usual let us at IDMWorks know if you have questions or comments.

Externalizing Authorization from Applications using Oracle Entitlements Server

Sunday, February 20th, 2011

Organizations can build better security with added IT agility for private clouds by externalizing authorization from applications using Oracle Entitlements Server.

Typically in a private cloud scenario you might have a data center with a hardware grid hosting a middleware platform so let’s take the next step:

  1. You have the departmental application owners building their own custom applications using the set of shared services available through the framework. Application developers can then use Oracle’s Platform Security Services as the single security framework for both Oracle and third-party environments, externalizing Authorization Controls from the Application into XACML policies and decreasing application development, administration, and maintenance costs.
  2. The application is deployed to the runtime environment.
  3. Enterprise IT defines policies and services, so you have a centralized infrastructure to enforce your security policies throughout the organization. With Oracle Entitlements Server, IT then centralizes enforcement of consistent policies throughout the infrastructure.
  4. Once the application is deployed, end users can access the applications. The application, in conjunction with Oracle Entitlements Server security modules, enforces fine-grained security policies in the app (so you can restrict access to sensitive application functions by user entitlements).

If security mandates evolve or policies change, the application doesn’t need to be recoded. The new policies can be enforced across all applications using the OES infrastructure.
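As an added illustration (not code from Oracle Entitlements Server or any of the XACML vendors named in the ABAC post above), the Python below sketches the PEP/PDP/PIP separation that post describes and the point made here that a policy change needs no application recode: the same `pep_authorize` call yields a different decision once the policy set is swapped. The users, attributes, resource names and policy rules are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed attribute store standing in for the Attribute Service / PIP
# (in practice a directory or HR system); every value here is made up.
ATTRIBUTE_STORE = {
    "alice": {"department": "finance", "clearance": 2, "status": "active"},
    "bob":   {"department": "sales",   "clearance": 1, "status": "active"},
    "carol": {"department": "finance", "clearance": 3, "status": "terminated"},
}

def pip_lookup(subject_id: str) -> Dict:
    """Policy Information Point: resolve the requester's attributes at request time."""
    return ATTRIBUTE_STORE.get(subject_id, {})   # unknown subject -> no attributes

@dataclass
class Rule:
    effect: str                          # "Permit" or "Deny", as in XACML
    applies: Callable[[Dict], bool]      # target/condition over the request context

def policy_v1() -> List[Rule]:
    """Finance reporting policy: active finance staff may read finance resources."""
    return [
        Rule("Deny",   lambda c: c["subject"].get("status") != "active"),
        Rule("Permit", lambda c: c["subject"].get("department") == "finance"
                                 and c["action"] == "read"
                                 and c["resource"].startswith("finance/")),
    ]

def policy_v2() -> List[Rule]:
    """Revised mandate: restricted finance data additionally needs clearance 3."""
    return policy_v1() + [
        Rule("Deny", lambda c: c["resource"].startswith("finance/restricted/")
                               and c["subject"].get("clearance", 0) < 3),
    ]

def pdp_decide(rules: List[Rule], ctx: Dict) -> str:
    """Policy Decision Point using XACML's deny-overrides combining algorithm."""
    decision = "NotApplicable"
    for rule in rules:
        if rule.applies(ctx):
            if rule.effect == "Deny":
                return "Deny"            # any matching Deny wins, whatever its position
            decision = "Permit"
    return decision

def pep_authorize(rules: List[Rule], subject_id: str, resource: str, action: str) -> bool:
    """Policy Enforcement Point inside the application: it only builds the request and
    enforces the answer. Anything other than an explicit Permit (including
    NotApplicable for a subject no rule covers) is refused."""
    ctx = {"subject": pip_lookup(subject_id), "resource": resource, "action": action}
    return pdp_decide(rules, ctx) == "Permit"

if __name__ == "__main__":
    req = ("alice", "finance/restricted/forecast.xlsx", "read")
    # Same application call under two policy versions: the decision changes, the code does not.
    print("v1:", pep_authorize(policy_v1(), *req))                              # True
    print("v2:", pep_authorize(policy_v2(), *req))                              # False
    print("bob:", pep_authorize(policy_v1(), "bob", "finance/reports", "read"))     # False (NotApplicable)
    print("carol:", pep_authorize(policy_v1(), "carol", "finance/reports", "read")) # False (Deny)
```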

Questions, comments concerns?  Ask away at IDMWorks.

Cloud Layering through IaaS, PaaS & SaaS

Friday, February 18th, 2011

We have beaten the Public vs. Private Cloud advantages subject to death here on this blog.

So today’s subject will be an explanation of the various layers of Cloud offerings available.

A cloud-based offering can be provided at different levels and with different service models.

1) Infrastructure as a Service (IaaS) – A very basic, low-level infrastructure of servers with operating systems can be provided; Amazon EC2 is probably the most widely known example.

2) Platform as a Service (PaaS) – Offering more structure and composable components gives us “Platform as a Service” such as the Google App Engine or Salesforce’s Force.com.

3) Software as a Service (SaaS) – The highest level offering is a full application, “Software as a Service” such as Oracle’s “On Demand” offerings or Salesforce.com.

But be warned: the higher the level of the cloud offering, the less the “customer” of the cloud has to do or build, but the more constrained they are. It’s a trade-off between effort and flexibility.

Furthermore, as you move from IaaS to PaaS and finally to SaaS, you get fewer controls and less visibility into what the service provider offers. Many service providers may not implement standards, which can make interoperability and integration challenging.

Questions? Feel free to reach out to us at IDMWorks here.

PasswordBank ESSO, Private Cloud and IDaaS

Tuesday, December 21st, 2010

I wanted to point out a neat Enterprise Single Sign-On (ESSO) tool (and a few other offerings) we’ve seen from PasswordBank. For those with a Passlogix (now Oracle) v-GO ESSO implementation that don’t want to go the Oracle route, I might recommend checking out the PasswordBank Enterprise Single Sign-on solution. I have seen the Passlogix tool in action quite a bit over the years and have implemented the Citrix Password Manager for XenApp SSO to do the same, and had interesting results with both. To bottom line this, ESSO is one of the easier Identity and Access Management streams to implement cleanly and efficiently. Now that Oracle has snatched up Passlogix to complete its IdM Empire, I have had quite a few inquiries as to competing products. While I can respect the juggernaut that is Oracle (as I am a fan of many of their products), I can also understand and empathize when a customer doesn’t wish to continue down the Larry Ellison expressway for all of its needs. It is similar to me spreading out my technophile leanings to include a MS OS on my HP laptop, an Apple iPad, a Verizon MiFi and a Blackberry smart phone using AT&T. I do this partly because I don’t believe in putting all of my eggs in one software basket and partly to broaden my technological fingerprint. So when I get that from clients looking to diversify their IDM stack to include both varied vendors and best of breed, I start to take an inventory of the players, landscape and potential.

Now back to the ESSO discussion.  Without going overboard here I recommend taking a look at the PasswordBank product.  They have a range of applications but in this I want to talk ESSO.  The PasswordBank ESSO solution can be deployed on Windows, Linux and Mac Desktop Operating Systems which covers pretty much the gamut these days.  This is the biggest differentiator I see from PasswordBank as I am hard pressed to find a vendor with both Linux and Mac OS ESSO in one handy little package.  As would be expected the PasswordBank application has SSPR (Self Service Password Reset) a standard for ESSO.  Interestingly enough the PasswordBank folks also have a Private Cloud service that hooks into the ESSO solution and feeds into the Identity as a Service (IDaaS) model.

I have scheduled a demo with the PasswordBank team and will report back with my findings shortly. Until then, let us know if you have had experience with the PasswordBank application by sounding off below, and look for a thorough review from the IDMWorks team in the near future. Also, feel free to reach out and contact us if you want the in-depth report we will generate once we complete our review.