IBM Tivoli Security for SA Government IBM Software Group Jan Claus Julicher
IBM Software Group
IBM Tivoli Security for SA Government
Jan Claus Julicher, Senior Security Specialist, [email protected]
© 2007 IBM Corporation, IBM Software Group | Tivoli software

IBM’s security management vision and strategy: Preemptive, comprehensive security and compliance offerings
ASSESS the overall security and compliance status of business infrastructure
WATCH internal and external behaviors; address aberrations and violations
ACCESS of business systems and information to ensure integrity and compliance
DEFEND against potential security threats and business risks
(Diagram: Watch, Assess, Access and Defend arranged around Manage)

Tivoli Identity & Access Manager (TIAM)

Identity and Access Management Business Drivers
– SECURE MY ENVIRONMENT!!!
– Automate and audit starter/mover/leaver process
– Single ID & Password
– Internet Banking Principles – delegated administration and self-service
– Strong Audit Control – purge of invalid accounts, reporting
– PW Reset Automation and Self-Service

Manual Provisioning
Organizations use slow and inconsistent processes to provision user access rights.
(Diagram stages: Request for Access Generated, User Change, Policy & Role Examined, Approval Routing, IT InBox, Administrators Create Accounts, Users with Accounts)
Elapsed turn-on time: up to 12 days per user
Account turn-off performance: 30-60% of accounts are invalid
1 FTE user admin only handles 300-500 users

Increase speed and efficiency of security management processes with Tivoli Identity Manager
• Manage changes in minutes, not days
• Reduce errors
• Free valuable administrators for more productive work
• Support scalable business processes
(Diagram: Identity change (add/del/mod) → Approvals gathered → Access policy evaluated → Accounts updated → Detect and correct local privilege settings)
Accounts on 70 different types of systems managed, plus in-house systems & portals: Applications, Databases, Operating Systems, HR Systems/Identity Stores, Networks & Physical Access

The TIM Provisioning Model
(Diagram: User → Role → Provisioning Policy → Service (Resource); the policy can also set attributes (attr))
Users assigned to roles based on responsibilities
Role members are provisioned to resource(s) via a Provisioning Policy
Provisioning Policies can also define attributes for a user

Reconciliation Compares “What Is” to “What Should Be”
(Diagram: User → Role → Provisioning Policy → Service (Resource))
Policy enforced during reconciliation (i.e. permissions on resource)
• TIM can “roll back” unauthorized changes made by local admin
Reconciliation identifies orphan accounts
• Adopted, suspended, restored or de-provisioned

Delegated Administration Reduces Admin Overhead
The “Virtual” Enterprise: User & Privilege Information
“Junior” administrators (e.g. Sales, Marketing and Finance Workgroup Administrators) can control people and attributes
Can restrict internal TIM resources
• Services, Provisioning Policies, Reports, etc

Self Service Reduces Help Desk Calls
Users may service all of their own attributes (address, title, etc)
Challenge response for password reset
Changes can be reviewed and approved through workflow
Password Pickup
Cross-platform password sync for TIM services
Reverse password sync for Windows and/or Access Manager users
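The provisioning chain and the reconciliation behaviour from the slides above, as an added example that is not IBM's code: roles map to services through provisioning policies, and reconcile() compares the accounts actually found on a service ("what is") against that policy ("what should be") and emits the adopt, suspend, roll back, de-provision and provision actions the slides list. All users, roles, policies, attribute names and account data are constructed samples.

```python
"""Reconciliation of "what is" against "what should be".

Added example, not IBM's code: a small model of the TIM provisioning
chain (user -> role -> provisioning policy -> service) plus a reconcile()
that reads the accounts present on a service and returns corrective
actions. Every user, role, policy and account below is a constructed sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: str
    roles: frozenset
    aliases: frozenset = frozenset()   # other account ids this person owns (adoption rule)


@dataclass(frozen=True)
class ProvisioningPolicy:
    role: str
    service: str
    attrs: tuple = ()    # (attribute, required value) pairs the policy enforces


def desired_state(users, policies):
    """'What should be': {service: {uid: {attr: value}}} derived from role membership."""
    desired = {}
    for user in users:
        for pol in policies:
            if pol.role in user.roles:
                acct = desired.setdefault(pol.service, {}).setdefault(user.uid, {})
                acct.update(dict(pol.attrs))
    return desired


def reconcile(users, policies, service, actual):
    """Compare the accounts read from `service` with policy and return actions.

    actual: {account_id: {attr: value}} as a reconciliation run would read them.
    """
    desired = desired_state(users, policies).get(service, {})
    owner_of = {}                                   # account id -> uid (adoption rule)
    for user in users:
        owner_of[user.uid] = user.uid
        for alias in user.aliases:
            owner_of[alias] = user.uid
    actions = []
    for account, attrs in actual.items():
        owner = owner_of.get(account)
        if owner is None:                           # orphan: nobody claims it
            actions.append(("suspend", account, "orphan account, no owner matches adoption rule"))
            continue
        if owner != account:                        # orphan that the adoption rule resolves
            actions.append(("adopt", account, f"assigned to {owner}"))
        if owner not in desired:                    # owner has no role entitling this service
            actions.append(("deprovision", account, f"{owner} has no role entitling {service}"))
            continue
        for attr, required in desired[owner].items():   # enforce policy-defined attributes
            if attrs.get(attr) != required:
                actions.append(("rollback", account, f"{attr}: {attrs.get(attr)!r} -> {required!r}"))
    owned = {owner_of.get(a) for a in actual}
    for uid in desired:                             # entitled but no account yet
        if uid not in owned:
            actions.append(("provision", uid, f"entitled to {service} but has no account"))
    return actions


# Constructed sample organisation
USERS = [
    User("alice", frozenset({"dba"})),
    User("bob", frozenset({"sales"})),
    User("carol", frozenset({"finance"})),
    User("mike.bonfire", frozenset({"dba"}), aliases=frozenset({"mbonfire"})),
]
POLICIES = [
    ProvisioningPolicy("dba", "oracle-prod", (("profile", "DBA_PROFILE"),)),
    ProvisioningPolicy("finance", "payroll-app", (("group", "payroll_users"),)),
    ProvisioningPolicy("sales", "crm"),
]
# Constructed "what is": accounts found on each service during a reconciliation run
ACTUAL = {
    "payroll-app": {"carol": {"group": "payroll_users"},
                    "mbonfire": {"group": "payroll_admins"},   # a DBA holding a payroll account
                    "bob": {"group": "payroll_users"},          # sales, not entitled
                    "svc_old": {}},                             # nobody owns this one
    "oracle-prod": {"alice": {"profile": "DEFAULT"},            # local admin changed the profile
                    "mike.bonfire": {"profile": "DBA_PROFILE"}},
    "crm": {},                                                  # bob is entitled but missing
}


def reconcile_all():
    """Run reconciliation for every service in ACTUAL; returns {service: actions}."""
    return {svc: reconcile(USERS, POLICIES, svc, accts) for svc, accts in ACTUAL.items()}


if __name__ == "__main__":
    for svc, actions in reconcile_all().items():
        for action, target, why in actions:
            print(f"{svc:12} {action:12} {target:14} {why}")
```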
Access Management Problems
Time & Money: User frustration and complaints due to password and security complexity. Employees locked out, interrupting work and revenue-producing activity. High password-related user support costs.
Security: Weakened security due to poor password selection and management. Difficulty in securing critical applications. Difficulty of integrating advanced authentication for applications.
Regulatory: Need to prevent public access to private data (HIPAA, GLBA) and track and report on all access (SOX).

IBM Tivoli Access Manager for Enterprise SSO
IBM Tivoli Access Manager for ESSO is a powerful solution for web and legacy single sign-on and Windows-based self-service password reset.
Key Features
IBM Tivoli Access Manager for Enterprise Single Sign-On is our core enterprise SSO solution
The Desktop Password Reset Adapter enables end users to reset their Windows password, directly from their locked workstation
The Authentication Adapter allows organizations to use any combination of tokens, smart cards, biometrics and passwords to control access to their applications
The Provisioning Adapter enables system administrators to directly distribute usernames and passwords to TAM for ESSO
The Kiosk Adapter provides automated termination of inactive sessions and application shutdown for Kiosks or shared workstation users

Tivoli Access Mgr. for Enterprise Single Sign-On (Benefits)
Simplifies the end user experience by eliminating the need to remember and manage usernames and passwords.
Enhances security by eliminating poor end-user password behavior.
Reduces help desk costs by lowering the number of password reset calls.
Deploys without requiring modification to target systems, platforms or applications - delivers quick time to value!
Advances identity management, compliance and authentication initiatives.

IBM Tivoli Access Manager for e-business
IBM Tivoli Access Manager is an award-winning, policy-based, access control security solution for e-business and enterprise applications, featuring Web-based single sign-on and distributed Web-based administration.
Key Features
Delivers unified authentication and authorization access to diverse Web-based applications within the entire enterprise
Supports flexible single sign-on to Web, Microsoft, telnet and mainframe application environments
Achieves rapid and scalable deployment of Web applications, with standards-based support for Java 2 Enterprise Edition (J2EE) applications
Offers design flexibility through a highly scalable proxy architecture and/or easy-to-install Web server plug-ins, rule- and role-based access control, support for leading user registries & platforms, and advanced APIs for further customized security
Common Criteria certified

What does TAMeB do?
Tivoli Access Manager lets you create a secure domain(s) where all communication is protected from unauthorized access and undetected corruption.
Tivoli Access Manager processes a client/access request in the following manner:
1. Proves who the client is using authentication.
2. Acquires rights in the form of authorization credentials.
3. Performs an authorization decision that is based on these credentials.
Using the authorization decision (yes or no), either the resource requested is returned to the user or an error message can be sent with access denied.

TAMeB & TAM-ESSO
TAMeB (scope: Internet, extranet, intranet): SSO and strong authentication to back-end Web applications protected behind WebSEAL.
TAMESSO (scope: intranet): SSO and strong authentication to desktop-based applications (including TAMeB) via desktop / kiosk. You get SSO from desktop to TAMeB to back-end Web apps.
TAMeB and TAMESSO share the same directory: the same user is defined one time to TAMeB and TAMESSO.
(Diagram components: Extranet User, Internet External User, Internet (External) Firewall, Enterprise (Internal) Firewall, LDAP, TAMeB proxies and/or plug-ins, TAMESSO enabled desktops, Trusted Network, Load Balancer, Web Servers, TAMeB Proxies, Internal Users, TAM Policy Server)

Why IBM Tivoli Identity and Access Manager?
Integration with Tivoli Security and NetCool portfolio
Out-of-the-box adapters – widest platform support
Tivoli Directory Integrator
Tivoli Directory Server
All necessary components included and supported by IBM (Database, AppServer, LDAP, etc)
Powerful but easy to use workflow
Standards-based – HTTP/HTTPS, SSL, DSML, DAML, JNDI, XML etc

What is TSIEM? Tivoli Security Information and Event Manager

IBM SIEM is…
Tivoli Compliance Insight Manager (TCIM)
Log Collection and Management with Raw Logs
Compliance Reporting
Privileged user monitoring with behavioral anomaly detection
Tivoli Security Operations Manager (TSOM)
Event Correlation with Alerting and Notification
Dashboard that supports and assists with investigation
A platform for Incident Response and Management

Comprehensive Security Should Address Both Threats and Access
1. “IT Security”: Primarily address security threats. Look at, correlate and alert on events generated by your perimeter security devices.
2.
“Line of Business Security”: Look at audit events generated by your apps, databases and security devices. Primarily address user security:
– Who can come in?
– What can they do?
– Can I easily prove it to an auditor?

Tivoli Security Operations Manager (TSOM)

The problem we solve….

IBM Tivoli Security Operations Manager 4.1
The TSOM application (previously GuardedNet neuSECURE, MicroMuse NetCool neuSECURE) has been re-branded as part of IBM Tivoli’s security product line, as IBM Tivoli Security Operations Manager.
GuardedNet released neuSECURE in 2001
MicroMuse acquired GuardedNet in August 2005
IBM acquired Micromuse in Dec. 2005
New name is reflective of the product’s role as the core platform for an enterprise or service provider Security Operations Center (SOC).
Supports both real-time correlation and incident management needs (SEM) and internal policy monitoring and regulatory compliance reporting (SIM).

Security Operations Challenges
Operational Efficiency - Too much data, too many formats, complex processes
Resource Constraints – Making the most of fixed resources – people, hardware, software
Business Risk - Managing the ripple effect of security breaches to the business
Regulatory Compliance – Support for regulatory and policy initiatives
IT Process Optimization - Cross-silo information sharing (NOC, SOC, Help Desk)

Single SIM Interface for Heterogeneous Point Solutions
Heterogeneous collection & correlation threat analysis
Vendor-specific configuration & control of point solutions, i.e. Firewall-1, Site Protector
(Diagram: Routers, Applications, Servers, Antivirus, Firewall, Network IDS and Host IDS feed vendor-specific point solutions; a Configuration & Control Product sits alongside Security Information Management (SIM))

Business Relevant Incident Recognition
> Database for historical analysis
> Dashboard for real-time view
> Action: e.g. email/ticket/script
“TSOM automates the aggregation and correlation process. It mitigates false positives and alerts my team to real threats in a timely manner. The product is more or less what I would have designed and built myself, given four years and a pool of developers.” – Jeff Hartley, Cox Communications

TSOM Architecture

Event Collection (EAM)

Event Correlation

Result

Results - Consolidated View via Main Dashboard
(Dashboard panels: Event Class, Domain, Frequency)

Results - Centralised Reporting
Powerful Reporting Engine: Leveraging the power of TSOM’s complete set of reports and report templates provides a comprehensive view of your security posture over time. (140 standard reports +)

Tivoli Compliance Insight Manager (TCIM)

How do you Capture, Comprehend and Communicate your security data?
(Chart axes: activity over time)
The Problems We Help to Solve (Capture, Comprehend, Communicate)
“I need to provide reports to my auditors and regulators”
“My staff lacks the time, expertise, and desire to scan logs”
“I need to store logs for forensics”
“I need to prove that I have effective IT security controls”
“I’m concerned about privileged actions”
“I have no idea which logs to collect or how”

Capture: Enterprise Log Management
Capabilities:
Secure, reliable log capture from any platform
Auto collection of syslogs
Full support for native log collection
Store in an efficient, compressed depot
Access data when needed
Search across all logs
Reports to prove complete collection
Benefits:
Reduce costs by automating and centralizing collection
Save time by decreasing the length of audits
Implementation time: plug and play.

Log Continuity Report
Instant proof to auditors and regulators that your log management program is complete and continuous.

Investigate: Depot Investigation Tool
Information at your fingertips, with easy to use search

Comprehend: Sophisticated Log Interpretation and Correlation
Capabilities:
W7 normalization
Interpret EVERY log (Syslog and native logs) into English
Compare billions of log entries to baseline policy
Benefits:
Interpret and monitor all logs with fewer and less expensive resources
More quickly detect and solve security problems
Out of the box log normalization!

Comprehend: How do I make sense of all this?

Comprehend: Translate Logs into English - TCIM’s W7 Methodology
1. Who did
2. What type of action on
3. What file/data
4. When did he do it and
5. Where from
6. Where
7. Where to
TCIM does the hard work, so you don’t have to!!

Compliance Dashboard
Logs after W7 – Billions of log files summarized on one overview graphic!

W7 Eventlist
Note!: Mike Bonfire, a DBA, is reading the payroll

Communicate: Full Audit and Compliance Reporting
Capabilities:
Hundreds of reports
Compliance modules
Real-time alerts
Custom reports
Benefits:
Reduce length and effort required for audits
Reports in an instant, thereby saving time
Reduce risk of insider threat: Info protection, Change control, User management

Compliance Modules
Regulation-specific modules with tailored reports to jumpstart your compliance efforts – saving you staff time and reducing audit costs

Operational Change Control Report
See a summary of all the operational changes made by different groups

Event List
Zoom in on all the actions that the IT admin did on the financial server and see the creation of the user account Chin055
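The W7 translation and the baseline comparison from the Comprehend slides, as an added example that is not TCIM's code: two constructed raw log layouts (a database audit trail and a Windows-style security log) are normalized into the seven W7 fields, and every event is checked against a constructed baseline of expected (group, action, data class) combinations, so a DBA reading the payroll is flagged the way the eventlist note above describes. The log formats, the HR lookup, the event-id mapping and the policy rules are all assumptions.

```python
"""W7 normalization of raw logs and comparison with a baseline policy.

Added example, not TCIM's code. The raw formats, HR lookup, baseline
rules and log lines below are constructed samples.
"""
import re
from dataclasses import dataclass


@dataclass
class W7Event:
    who: str          # person behind the platform account
    group: str        # business group, derived from "who" via the HR lookup
    what: str         # type of action
    on_what: str      # file / data acted on
    when: str
    where_from: str   # terminal or host the action came from
    where: str        # platform that logged the event
    where_to: str     # destination of the action


# Constructed HR lookup: platform account -> (full name, business group)
IDENTITY = {
    "MBONFIRE": ("Mike Bonfire", "DBA"),
    "JSMITH": ("Jane Smith", "PAYROLL_CLERK"),
    "ITADMIN": ("IT Admin", "IT_ADMIN"),
}
# Constructed raw layouts: a database audit trail and a Windows-style security log
ORACLE_RE = re.compile(
    r"^(?P<when>\S+ \S+) (?P<host>\S+) ORA_AUDIT user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) terminal=(?P<term>\S+)$")
WIN_RE = re.compile(
    r"^(?P<when>\S+ \S+) (?P<host>\S+) SECURITY EventID=(?P<eid>\d+) "
    r"Caller=(?P<user>\S+) Target=(?P<target>\S+) Domain=(?P<dom>\S+)$")
DB_ACTIONS = {"SELECT": "read", "UPDATE": "modify", "DELETE": "delete"}
WIN_EVENTS = {"624": "create user account", "630": "delete user account"}  # ids used by the sample


def normalize(line):
    """Translate one raw line into a W7Event; None if no parser recognises it."""
    m = ORACLE_RE.match(line)
    if m:
        name, group = IDENTITY.get(m["user"], (m["user"], "UNKNOWN"))
        return W7Event(name, group, DB_ACTIONS.get(m["action"], m["action"].lower()),
                       m["obj"], m["when"], m["term"], m["host"], m["host"])
    m = WIN_RE.match(line)
    if m:
        name, group = IDENTITY.get(m["user"], (m["user"], "UNKNOWN"))
        return W7Event(name, group, WIN_EVENTS.get(m["eid"], f"event {m['eid']}"),
                       f"account {m['target']}", m["when"], m["host"], m["host"], m["dom"])
    return None


def classify(on_what):
    """Map the 'on what' field to the data class the baseline policy is written in."""
    if on_what.startswith("HR.PAYROLL"):
        return "payroll"
    if on_what.startswith("account "):
        return "user-accounts"
    return "db-schema"


# Constructed baseline: (group, action, data class) combinations that are expected
BASELINE = {
    ("DBA", "read", "db-schema"), ("DBA", "modify", "db-schema"),
    ("PAYROLL_CLERK", "read", "payroll"),
    ("IT_ADMIN", "create user account", "user-accounts"),
}


def review(lines):
    """Build the W7 eventlist: one (status, English sentence) row per raw line."""
    rows = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            rows.append(("unparsed", line))          # still counts: collection must be complete
            continue
        key = (ev.group, ev.what, classify(ev.on_what))
        status = "in policy" if key in BASELINE else "ATTENTION"
        rows.append((status, f"{ev.who} ({ev.group}) did {ev.what} on {ev.on_what} "
                             f"from {ev.where_from} on {ev.where} at {ev.when}"))
    return rows


SAMPLE_LOGS = [   # constructed raw lines
    "2007-11-05 09:14:02 db01 ORA_AUDIT user=MBONFIRE action=SELECT object=HR.PAYROLL terminal=wks-77",
    "2007-11-05 09:15:30 db01 ORA_AUDIT user=MBONFIRE action=UPDATE object=SALES.ORDERS terminal=wks-77",
    "2007-11-05 09:20:45 finsrv01 SECURITY EventID=624 Caller=ITADMIN Target=chin055 Domain=CORP",
    "2007-11-05 09:21:00 db01 ORA_AUDIT user=JSMITH action=SELECT object=HR.PAYROLL terminal=wks-12",
    "<14>Nov  5 09:22:00 fw01 kernel: unrelated line",   # no parser for this layout
]

if __name__ == "__main__":
    for status, text in review(SAMPLE_LOGS):
        print(f"{status:10} {text}")
```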
Event Detail
An Event Detail Report: even drill down into that specific event and see all the event details, and we can even go to the raw log-file

The IBM Tivoli SIEM Solution Deployment
Event Sources: Applications, Databases, Mainframe, Operating Systems, IDS & IPS, Firewalls
Points of Presence: Collectors, SYSLOG NG, Retrieve Log-files, TSOM EAMs, Third party integration
IBM Tivoli SIEM Install: TCIM Server, TSOM CMS Server
Output: Compliance Dashboard, Reports, Operational Dashboard, alerts

Questions?

Architectural Overview - TSOM
CMS (Central Management System): AIX, Linux or Solaris; Database DB2 or Oracle; TSOM UI Java App
EAM (Event Aggregation Module): AIX, Linux or Solaris; regional EAMs for Asia, South America, North America and Europe
Lower tier: SIM, Windows Servers, NIDS/NIPS, Universal Collection Module (UCM), Syslog/Cisco IDS, Firewalls, Unix Servers, Check Point OPSEC/SNMP/Syslog, Syslog

What is TELM? Tivoli Event Log Manager

Tivoli Event Log Management (TELM) 1.0 PRPQ
Why TELM?
Response to competitive pressure from Log Management solutions (LogLogic, SenSage)
Customers may need Log Management first to quickly check a box, but if competitors get in at this layer, it will be harder to upsell to full SIEM capabilities
What is TELM 1.1?
TCIM 8.5 Enterprise Server, with limited report usage, specially priced to compete
It is not feature-reduced TCIM – the customer is limited to specific reports by the paper TELM license only
It is a PRPQ, and requires special approvals
TELM v2.0 will be a future sellable component of TSIEM 2.0 as a growth path for TELM 1.1 customers
Available from February 22, 2008

TSOM - Supports over 200 event & log sources, including:
Firewalls: Check Point Firewall-1, Cisco PIX, CyberGuard, Fortinet FortiGate, GNATBox, Juniper (Netscreen), Linux IP Tables, Lucent Brick, Microsoft ISA Server, Nortel Switched Firewall, Stonesoft's StoneGate, Secure Computing's Sidewinder, Symantec's Enterprise Firewall, SonicWALL, Sun SunScreen
Vulnerability Assessment: Nessus, Vigilante, ISS Internet Scanner, QualysGuard, Foundstone, eEye Retina, REM, SPI Dynamics WebInspect, nCircle IP360, Harris STAT, Tenable Lightning
Routers/Switches: Cisco Routers, Cisco Catalyst Switches, Cisco RCMD, Foundry Switches, F5 Big IP, 3-DNS, Juniper JunOS, TACACS / TACACS+, Nortel Ethernet Routing Switch 5500, 8300, 8600, 400 series, Extreme Networks
Policy Compliance: Vericept
Network Intrusion Detect/Prevention: McAfee Intrushield, Sourcefire Network Sensor, Sourcefire RNA, Juniper IDP, ISS RealSecure, ISS Proventia G, M, ISS BlackICE Sentry, Cisco Secure IDS, SNORT IDS, Enterasys Dragon, Nortel Threat Protection System (TPS), Intrusion's SecureNetPro, Mirage Networks, NFR NID, Symantec ManHunt, ForeScout ActiveScout, QRadar, Top Layer Attack Mitigator, Labrea TarPit, IP Angel, Lancope StealthWatch, Tipping Point UnityOne, NDS, Arbor Networks PeakflowX, Mazu Networks
Host-based Intrusion Detect/Prevention: Type80 SMA_RT (zOS-Mainframe RACF), PowerTech (iSeries-AS/400), Cisco CSA, NFR HID, IBM Netcool SSMs, Sana, Snare, Symantec Intruder Alert (ITA), Sygate Secure Enterprise, Tripwire, ISS Server Sensor, McAfee Entercept
VPN: Juniper SSL VPN, Nortel VPN Router (Contivity), Check Point, Cisco IOS VPN, Cisco VPN 3000, Juniper VPN, Nortel VPN Gateway (SSL VPN)
Applications: Apache, Microsoft IIS, IBM WebSphere, Oracle, Lotus Domino, SAP R3, IBM DB2 (coming soon)
Access and Identity Management: Oracle Identity Management (Oblix), Cisco ACS, IBM Tivoli Access Manager, IBM Tivoli Identity Manager, CA eTrust Access, CA eTrust Secure Proxy Server, CA eTrust Siteminder (Netegrity), RSA SecurID, RADIUS
Operating Systems: Solaris (Sun)*, AIX (IBM), RedHat Linux, SuSE Linux, HP/UX, Microsoft Windows Event Log (W2K3 DHCP, W2K DHCP, IIS), Microsoft SNMP Trap Sender, Nokia IPSO, Novell NetWare, OpenBSD, Tru64, Tripp Lite UPS
Logs, Logging Platforms: Monitorware, SYSLOG, KiwiSyslog, zOS-Mainframe IDS
Antivirus: CipherTrust IronMail, McAfee VirusScan, Norton AntiVirus (Symantec), McAfee ePO, Trend Micro InterScan
Application Security: Blue Coat Proxy, Nortel ITM (Intelligent Traffic Mgmt), Teros APS, Sentryware Hive, IBM DataPower (coming soon), Sun Java System Directory Server
Wireless Security: AirMagnet, AirDefense
Management Systems TSOM escalates to: IBM Netcool (Micromuse), IBM/Tivoli Enterprise Console, Cisco Information Center, Remedy ARS, HP OpenView, CA Unicenter
Management Systems that are a source of events into TSOM: Check Point Provider-1, CiscoWorks, IBM Netcool (Micromuse), ISS SiteProtector, Juniper Global Pro (Netscreen), Juniper NSM (Netscreen), Tripwire Manager, Intrusion, Inc. SecureNet Manager, McAfee ePO, Nortel Defense Center, Sourcefire Defense Center, Q1 QRadar Mgmt Server
Discovery Tools: Lumeta IPSonar, NMAP

TELM 1.1 Capabilities
The Management Console to set up the necessary event sources
Through the Depot Investigation tool, you can access the following:
Log Management Dashboard
Log Collect History Report
Log Continuity Report
Log Retrieval
Depot Investigation to create ad hoc reports of raw data in the Depot
Configuration tools
Events by type: Summary of audited event types
Daily verification
Failed system operations: List of failed operator and configuration commands
Failed system services: List of system processes that ended with a security error condition
Logon failure summary: Summary of logon failures
Restarts: List of system starts and restarts
Users: List of users
Detailed investigation
Administration: List of administrative actions
Logon history by user: List of platforms/users with logon events
Platform history: List of all platforms with events

IBM Security Management Strategy
The TSOM offering is part of the broader ITSM Compliance initiative where Security Threats and Security Information monitoring capabilities are reconciled in real-time in support of IT and Business Controls
TSOM replaces Tivoli Risk Manager in 2006 & 2007 (has already replaced Netcool for Security Management - NfSM)
(Diagram: Netcool for Security Management, GuardedNet neuSECURE and Tivoli Risk Manager converge into IBM Tivoli Security Operations Manager (TSOM))

Thank you
Questions?
TSOM Customers (Netcool/NeuSecure Customers)

Automatic provisioning
With IBM Tivoli Identity Manager, each step in the provisioning process can be done as efficiently as possible.
Request – The request is typically received as a Web form.
Approval – IBM Tivoli Identity Manager sends e-mail to the appropriate approver(s). The list of requests pending approval is also available through the Web interface. If an approver does not respond within a set time, IBM Tivoli Identity Manager can forward the request for approval to the approver's backup.
Activation – Using adapters, IBM Tivoli Identity Manager can provision accounts to most services.
Notification – IBM Tivoli Identity Manager sends e-mail to the requester.

Workflows and policies
Approvals in IBM Tivoli Identity Manager are created using workflows. A workflow represents the steps that are required by the business before an account can be activated.

Escalating requests
If an approver does not respond within a preset time frame, the workflow can specify that the request will be escalated to a different approver. This ensures that even when managers are out of the office, the work will still get done.

Separation of duties
Separation of duties is one of the principles of security. This principle states that sensitive operations should require more than one approval. This is because fraud is a lot less likely when it requires collusion between multiple parties. IBM Tivoli Identity Manager allows for separation of duties in workflows.
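The request, approval, activation and notification steps with backup escalation and separation of duties from the slides above, as an added example that is not IBM Tivoli Identity Manager's code: every approval step must be approved before the account is activated, an approver who misses the preset time frame is replaced by the backup, and hours on a simulated clock stand in for real timestamps. The approvers, services and the check that a requester cannot approve their own request (or sign off twice) are assumptions added here, not rules the slides state.

```python
"""Approval workflow with backup escalation and separation of duties.

Added example, not IBM's code. Approvers, timeouts and the self-approval
check are constructed assumptions; hours on a simulated clock replace
real timestamps.
"""
from dataclasses import dataclass


@dataclass
class ApprovalStep:
    approver: str       # primary approver for this step
    backup: str         # receives the request if the approver times out
    timeout_hours: int  # preset time frame before escalation


@dataclass
class Request:
    requester: str
    account: str
    service: str
    steps: list         # every step must approve (separation of duties)
    submitted_at: int = 0


def decide_step(step, responses, submitted_at, trail):
    """Return (who, decision) for one step, escalating to the backup on timeout.

    responses: {approver: (decision, hour_answered)}; a late answer counts as none.
    """
    deadline = submitted_at + step.timeout_hours
    for who in (step.approver, step.backup):
        resp = responses.get(who)
        if resp is not None and resp[1] <= deadline:
            return who, resp[0]
        trail.append(f"no answer from {who} by hour {deadline}")
        deadline += step.timeout_hours      # the backup gets a fresh window
    return None, None


def run_workflow(req, responses):
    """Walk every step of the workflow; returns (status, audit trail)."""
    trail = [f"request: {req.requester} asks for {req.account} on {req.service}"]
    deciders = []
    for step in req.steps:
        who, decision = decide_step(step, responses, req.submitted_at, trail)
        if who is None:
            trail.append("request still pending approval")
            return "pending", trail
        if who == req.requester or who in deciders:     # added assumption: no self/double approval
            trail.append(f"separation of duties violated by {who}; request rejected")
            return "rejected", trail
        deciders.append(who)
        trail.append(f"{who}: {decision}")
        if decision != "approve":
            trail.append(f"{req.requester} notified of rejection")
            return "rejected", trail
    trail.append(f"{len(deciders)} approvals gathered; {req.account} activated on {req.service}")
    trail.append(f"{req.requester} notified")
    return "activated", trail


# Constructed request: a manager and the data owner must both approve, 48h each
PAYROLL_ACCESS = Request(
    requester="chin055", account="chin055", service="payroll-app",
    steps=[ApprovalStep("mgr.lee", "mgr.park", 48),
           ApprovalStep("owner.finance", "owner.deputy", 48)])


def scenario_escalation():
    """Manager approves; the data owner is away and the backup approves in the escalated window."""
    return run_workflow(PAYROLL_ACCESS, {"mgr.lee": ("approve", 5), "owner.deputy": ("approve", 70)})


def scenario_rejection():
    """One rejection is enough: all approvers must agree for the account to be created."""
    return run_workflow(PAYROLL_ACCESS, {"mgr.lee": ("approve", 5), "owner.finance": ("reject", 10)})


def scenario_pending():
    """Neither the owner nor the backup answers: the request stays open."""
    return run_workflow(PAYROLL_ACCESS, {"mgr.lee": ("approve", 5)})


def scenario_self_approval():
    """A requester who is also an approver cannot approve their own account."""
    req = Request("mgr.lee", "mgr.lee", "payroll-app", PAYROLL_ACCESS.steps)
    return run_workflow(req, {"mgr.lee": ("approve", 1), "owner.finance": ("approve", 2)})


if __name__ == "__main__":
    for scenario in (scenario_escalation, scenario_rejection, scenario_pending, scenario_self_approval):
        status, trail = scenario()
        print(f"{scenario.__name__}: {status}")
        for line in trail:
            print("   ", line)
```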
If approval is required from multiple people, then by default they all have to approve the creation of new accounts.

Policies
IBM Tivoli Identity Manager supports various kinds of policies to control account provisioning. The following policy types are supported:
Identity Policies – determine the user ID that a user will have in provisioned accounts
Provisioning Policies – determine which services a role is entitled to
Service Selection Policies – extend provisioning policies by allowing more sophisticated processing using JavaScript
Password Policies – determine which passwords will be allowed

TIM architecture
IBM Tivoli Identity Manager uses three different middleware products.
IBM WebSphere Application Server provides the user interface and application framework.
IBM Tivoli Directory Server stores user information. Alternatively, IBM Tivoli Identity Manager can use Sun ONE Directory Server.
IBM DB2 stores auditing information. Alternatively, IBM Tivoli Identity Manager can use Oracle or Microsoft SQL Server 2000.

WebSphere application server
IBM WebSphere Application Server provides the user interface and application framework for IBM Tivoli Identity Manager. It allows users and administrators to access IBM Tivoli Identity Manager using a Web browser.

Configuring Services for Provisioning
IBM Tivoli Identity Manager adapters communicate with Identity Manager and manage the accounts for their service. From the perspective of Identity Manager, the adapters provide an interface to add and remove accounts.
From the perspective of the service, the adapter functions as a virtual administrator that adds and removes accounts.

Tivoli Directory Server
IBM Tivoli Identity Manager uses a Lightweight Directory Access Protocol (LDAP) directory to store most of its configuration. The LDAP Directory Server, typically IBM Tivoli Directory Server, can sit on a separate machine or on the Identity Manager computer. Identity Manager communicates with the directory server using LDAP and may use SSL (Secure Sockets Layer).

TDI adapters
IBM Tivoli Directory Integrator allows implementers to develop new adapters by defining AssemblyLines to create, modify, and destroy accounts.

IBM Tivoli Directory Integrator
Synchronize data across multiple repositories
Overview: Enables synchronization, transformation and migration of generic and identity data across heterogeneous systems, helping organizations maintain consistent and trusted data across multiple resources.
Events Connectors Assembly Line LDIF File Directory RDBMS Parsers Highlights Transforms, moves and synchronizes generic as well as identity data residing in heterogeneous directories, databases, files, collaborative systems and applications, with real-time automated updates to the authoritative data source Helps accelerate deployment of IBM Tivoli® security management software such as IBM Tivoli Identity Manager, IBM Tivoli Access Manager and IBM Tivoli Federated Identity Manager, and other IBM infrastructure software, including IBM Tivoli Change and Configuration Management Database (CCMDB), IBM Tivoli Service Request Manager, IBM WebSphere®, IBM Lotus® Domino® and IBM Lotus Connections middleware Provides an intuitive graphical user interface for development, deployment and maintenance of synchronization rules, as well as a scalable, Web-based operations monitoring administrative management console Provides an open synchronization architecture that supports multivendor IT infrastructures with ease of use, ease of deployment, and rapid time to value, while flexibly scaling from small to very large deployments Supports a broad set of platforms, including IBM AIX®, IBM System z™, Microsoft® Windows®, UNIX® and Linux® environments TIP14022-USEN-00 70 IBM Tivoli Identity Manager © 2007 IBM Corporation IBM Software Group | Tivoli software Tivoli Directory Integrator v6.1.2 People & Identity Events Assembly Line RDBMS What’s new! 
Original TDI offering is now called Identity Edition Synchronize all instances of identity data and other data across enterprise to the authoritative source, which increases accuracy & decreases administrative costs Connectors MQ Web Service Parsers New TDI offering (introduced April 2008) is called General Purpose Edition New edition allows customers to utilize TDI for general purpose data integration Restricted license Ts & Cs prevent identity usage Now offered with Processor Value Unit pricing metric Extensive data integration capabilities Powerful data transformation including access to JavaScript and Java APIs at transformation time Reusable integration solutions Configuration Editor allows quick configuration and deployment of new connections 71 IBM Tivoli Identity Manager Business Benefits Tivoli Directory Integrator provides batch and real-time synchronization between multiple disparate identity or generic data sources so that enterprises can establish an authoritative data infrastructure for data integration Flexibility to handle varied data with a wide array of available connectors, including files, RDBMS, JMS/MQ, HTTP, Web Services, LDAP and custom JavaScript and Java connectors Open, Java-based architecture supports all major platforms, leveraging existing infrastructure investments © 2007 IBM Corporation IBM Software Group | Tivoli software Usage Examples Identity Edition TDI IE is to be used when the primary business requirement is moving, copying, transforming or synchronizing information about users (people) between two or more systems The following are examples of such usage: The customer has information about employees in both Microsoft Active Directory and Lotus Domino. The requirement is that certain information managed in Lotus Domino is automatically propagated to Active Directory. The customer has information about employees in an LDAPv3 compliant directory and RACF. Furthermore, they have information about external users in a DB2 database. 
  The business need is to provide a common repository of users that will be used to authenticate and authorize both internal and external users in an Internet-facing WebSphere Portal application. TDI is used to read information from LDAP, RACF and DB2, and to maintain all of these users in a new LDAP directory that Portal uses to authenticate users.

General Purpose Edition
TDI GPE can be used for any purpose where information about users is not the primary business requirement. Examples of such usage:
• The customer needs to transform data in flat files and update records in a DB2 database.
• The customer regularly needs to scan a database for changes and call a Web Service, or send a message to an ESB.
• The customer needs to monitor an ESB for certain messages, and then perform operations on databases or other targets that TDI supports.
• The customer needs to move tickets between helpdesk systems. This example illustrates how identity data can be a secondary, supplementary requirement and therefore fall inside the usage scope of TDI GPE: the customer uses Remedy in a business unit and needs to drive certain tickets into Rational ClearQuest. In that process, information about the ticket owner, located in an LDAP directory, is added to the ticket that is inserted into ClearQuest.
• The customer needs to add information about people to RFID events. TDI GPE is used to read RFID events from WebSphere Premises Server. The events contain location information that can be correlated to individuals, for whom more information is held in the SAP HR system. TDI GPE looks up that information, adds it to the RFID event data, and drives the aggregated data into DB2 for Alphablox analysis.
Simplify: industry-leading agentless adapters accelerate time to value
(Diagram: adapter families arranged from low to high integration complexity.)
Design characteristics of the adapters:
• Secure
• Bi-directional
• Firewall friendly
• Network friendly

Authentication & Security: IBM RACF z/OS*, IBM Tivoli Access Manager, CA ACF2, CA Top Secret, Entrust PKI*, RSA ACE/Server*, CA SiteMinder, Oracle NetPoint, Cisco ACS*
Relational Database: IBM DB2/UDB, Informix Dynamic Server, Oracle, Microsoft SQL Server 2000, Sybase, and RDBMS-based applications
Operating Systems: HP/Compaq Tru64 Unix, HP-UX, HP-UX NIS, IBM AIX, IBM AS/400*, OpenVMS*, Red Hat Enterprise Linux, Sun Solaris, Sun Solaris NIS, SuSE Linux Enterprise Server, Windows Active Directory, Windows Local (2000, 2003, XP)
Applications & Messaging: Amdocs ClarifyCRM*, EMC Documentum*, Lotus Notes/Domino, Windows Exchange 2000/2003, Novell eDirectory (NDS), Novell GroupWise, Oracle E-Business Suite, PeopleSoft (PeopleTools), SAP Enterprise Portal 6, SAP R/3, Siebel, Peregrine Service Center, Remedy, IBM Rational ClearCase
Also: LDAP-based applications, command line-based applications*, and Universal Provisioning for manual applications
* Requires local adapter

TDI Simplifies Integration with Existing Environments
(Diagram: an authoritative identity feed passes through Directory Integrator event handlers and Assembly Lines into the TIM Server, which keeps its data in LDAP and a database and reaches target systems through agents, including custom agents. TDI covers bulk loading of user information and ongoing synchronization of data between the directory and other sources. TDI is included with TIM, but not required.)

Java APIs Integrate with Existing Systems
(Diagram: Identity Manager exposed through Java APIs to a provisioning front-end application; to portals for account management, password synchronization, provisioning requests and approvals; to IVR systems for password resets; and to help desk systems for opening and closing tickets.)
Tivoli Identity Manager Demonstration
(Diagram: an HR portal supplies an HR feed, loaded with TDI, into IBM Tivoli Identity Manager; an IT portal and an extranet offer self-registration and self-care; a workflow overview ties the scenarios together.)

Backup slides

IBM Tivoli Directory Integrator – Identity Edition
IBM Tivoli Directory Integrator – Identity Edition provides batch and real-time synchronization between identity data sources so that enterprises can establish an authoritative, up-to-date identity data infrastructure.
(Diagram: events and connectors (LDIF file, directory, RDBMS) feeding an Assembly Line through parsers.)
Key features
On Demand Data Infrastructure for Security
– Build a metadirectory or identity data warehouse, or provision directly into existing systems, with one tool and one skill set to manage
– Open, Java-based architecture supports all major platforms, thereby leveraging existing infrastructure investments
– Applications can run TDI synchronizations remotely and asynchronously
– Excellent Web services support, including rich XML, DSML and SPML parsing
Authoritative Infrastructure for Identity Management
– A wide array of available connectors, including the use of TIM agents as TDI connectors
– Synchronize all instances of identity data and other data across the enterprise to the authoritative source, which increases accuracy and decreases administrative costs
– Configuration Editor allows quick configuration and deployment of new connections
– Administrative management console simplifies monitoring of TDI, unifying complex deployments into a single, customizable view with monitoring and remediation for high availability
Highly Manageable Metadirectory Connections
– Reusable integration solutions
– Enhanced failover capabilities for high availability, and Assembly Line pooling for bandwidth management

Analysts Affirm IBM Leadership
(Chart: Gartner, TIM product leadership.)

Demo Detailed Architecture
(Architecture diagram only.)

Integrated Identity Management Pyramid
Each layer of the pyramid, with the benefit the slide attaches to it:
• Self-Regulating Access Controls Across Organizations – Competitive advantage: extend security automation to business partners
• Access Control Policy Automation – Productivity: enforce security policies proactively
• Distributed Administration – Scale: support a large, distributed user base
• Access Request Audit Trails – Compliance: ease support of audits
• Access Request Approval Process Automation – Productivity: speed accurate account creation
• Orphan Account Control – Risk: eliminate backdoor access
• Password Management – ROI: cut helpdesk costs by 40%
• Connectors to Access Control Systems – Fundamental: administer web and legacy environments consistently
• Data Integration Layer – Integration: meta view of enterprise data assets
• Access Controlled Systems – Security: consistent authentication and authorisation to all resources

The TIM components
• TIM Server handles most operations: provisioning, workflow, self-service and admin operations
• LDAP stores all person and account information
• Database mainly stores audit information
• Agents perform operations on the target system
• Web Server provides the admin and self-service interfaces
(Diagram: User → Web Server → TIM Server, which uses LDAP and DB and drives Agent(s).)

© 2007 IBM Corporation