Establishing an Identity Management Infrastructure at IAG

Building and
Implementing An Identity
Management Roadmap
John Taylor
Manager, IT Security & Service Continuity
Phil Hall
Security Consultant
Apologies : Russell McClimont
IT Security Services Manager, eCommerce Security
Presentation Overview
• Strategic Overview
• Architectural building blocks and identity management overview
• Creating the identity management roadmap
• Business requirements, principles/blueprint and technical positions
• Project implementation
• A couple of examples
Architectural Building Blocks
• Removed
Information Security Framework
• Removed
Identity Management – Strategic Overview
• Removed
Identity Management – Strategic Overview
Business Issues Faced
• High administration cost
• Inefficient management of user repositories
• Numerous authentication points
• Various passwords
• Disconnect between external and internal facing systems for user access
• Security built within each application
Identity Management – Strategic Overview
• Removed
Identity Management – Strategic Overview
Direction
• Move towards reduced sign-on through the linkage of web-based protocols (Tivoli Access Manager) and Tivoli Identity Manager (‘legacy’ and non-web-based systems).
• Centralised user management through corporate Meta Directory services.
• User self-registration and ‘access’ management for the majority of the environment through the use of Tivoli Identity Manager.
• Centralised authentication and authorisation services to leverage off existing investments.
• Workflow management through Tivoli Identity Manager.
Establishing an Identity Management Roadmap
• Removed
Key Components - Overview
• Must have a formal identity management architecture. The roadmap is a migration strategy for realising this architecture
• Clearly define what identity management is and is not
• Essential to ‘ring-fence’ architecture and roadmap
• Directories – always a tricky area to address
• Vendors have a view that suits their product suite
• A discrete set of related services
• Business objectives and/or issues that identity management services will address
• Investment in a set of complementary technologies that are consistent with the overall IT architecture/strategy. Minimise duplication!
• Four key components, these are….
Principles & Blueprints
• Identity Management guiding principles
  – E.g. “Provisioning of IT access will be based on a mix of automatic provisioning of basic services and self-service registration”
  – Limited in number, no more than 20
  – Must complement general IT principles and security principles
• Architecture blueprints
  – Reflect guiding principles
  – Models of identity management architecture
  – Describe identity management architecture in terms of discrete, yet related services
  – Products are not referred to; keep it generic
Technical Positions & Migration Strategy
• Technical choices and decisions
  – Describe identity management services in terms of a series of possible options and the chosen technology/solution
  – A series of technical positions based on “fitness for purpose”
• Migration strategy
  – Describes activities essential to achieving the identity management architecture
  – Describes each activity in terms of its relationship with other activities and time, but it is not a project plan!
  – Activities are grouped together to form work streams
  – Must consider external factors, e.g. other projects
  – Should demonstrate a timely return on investment
  – Maximise strategic direction, minimise use of tactical solutions
  – Consider budgets and resource levels/experience
Getting Support from the Business
• Map identity management services to business objectives
  – Link to IT and Security architectures
  – Demonstrate a structured approach to architecture and roadmap development… we know what we are doing!
  – Document business objectives, issues and requirements
  – Baseline ‘as is’ and perform gap analysis
  – Document principles, blueprints, technical positions and migration strategy
• Demonstrate value in the short term and at regular intervals thereafter
  – Simple high-impact solutions, e.g. integrated login, password synchronisation
  – Integrate individual solutions to provide a comprehensive infrastructure
  – Simplify delivery of a critical IT project using an identity management service
• Removed
Map business objective to identity management service
Map the identity management product to the identity management service – business requirement.
• Removed
Identity Management Implementation Flow
• Removed
Migration of ‘Existing’ WAM System
• IAG acquired CGU in 2002.
• IAG had an existing web access management system using Directory Smart as the underlying architecture. CGU had installed Access Manager.
• Gap analysis process against roadmap requirements.
• Chose to migrate Directory Smart to Access Manager.
Requirements
• Complete delivery by December 2004.
• Maintain client self-help and single sign-on functionality as provided by Directory Smart.
• Ongoing new integration activities to be performed with Access Manager.
• Compliance with IT Security architectural principles and strategy.
Issues
• Develop a migration strategy for 40+ applications.
• Architectural differences – proxy vs agent based.
• Avoiding additional authentication points.
• Introducing a new administration tool to the help desk.
• Maintaining existing Q&A functionality.
Achievements
• Phase 1 is complete – Access Manager is being used to handle the gatekeeper service for all applications.
• Automated account provisioning for intranet clients supplied from the HR source (SAP) through IDI connectors.
• Password reset service provided by Identity Manager.
• Access Manager providing the authentication service to the Identity Manager interface.
Integrated Single Sign-On Process
Diagram (integrated single sign-on): components shown are the client, ITAM WebSEAL with its ITAM IDS directory, and the DSmart Endpoint Application with its DSMART IDS directory. Numbered steps on the diagram:
1. Initial request
2. Post
3. Authentication
4. Check user. Extract pwd (ITAM IDS)
5. WebSEAL session ID & creds cached
6. Request + iv_user, tag pwd attribute (to the DSmart Endpoint Application)
7. Check user (DSMART IDS)
8. Post DS cookie & caller url etc.
9. Post cookie
10. Request with client cookie
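The flow above is worth modelling, because the security of the design rests on one property: the Directory Smart endpoint accepts the identity asserted in the iv_user header only when the request really arrived through the WebSEAL junction. The following is an added example, not IAG's or IBM's code; it plays the two roles with in-memory directories (standing in for ITAM IDS and DSMART IDS), an HMAC over the junction headers standing in for whatever junction trust mechanism is actually configured, and constructed user records. Header names, the secret and the users are all assumptions for the example. It also shows the failure mode the design must rule out: a client that bypasses the proxy and sets iv_user itself gets no DS cookie.

```python
"""Toy model of the integrated single sign-on flow on the slide above.
Added example, not IAG's or IBM's code. Directories, header names and the
junction secret are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed ITAM IDS: login password plus the tagged attribute that holds
# the user's Directory Smart password (what step 4, "extract pwd", reads).
ITAM_IDS = {"jsmith": {"password": "correct horse", "tag_pwd": "legacy-pw-1"}}
# Constructed DSmart IDS: the endpoint's own record of the same user.
DSMART_IDS = {"jsmith": "legacy-pw-1"}
# Constructed secret shared by proxy and endpoint across the junction. The
# endpoint trusts iv_user only when this signature verifies, so a client
# that skips the proxy cannot assert an identity just by adding the header.
JUNCTION_KEY = b"constructed-junction-secret"


def junction_signature(headers):
    """HMAC over the identity headers; stands in for junction trust."""
    msg = f"{headers.get('iv_user', '')}|{headers.get('tag_pwd', '')}".encode()
    return hmac.new(JUNCTION_KEY, msg, hashlib.sha256).hexdigest()


class Proxy:
    """WebSEAL role: steps 1 to 6 of the diagram."""

    def __init__(self):
        self.sessions = {}  # session id -> cached (user, tag_pwd)

    def authenticate(self, user, password):
        """Steps 2 to 5: verify posted credentials against ITAM IDS, cache them."""
        entry = ITAM_IDS.get(user)
        if entry is None or not hmac.compare_digest(entry["password"], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, entry["tag_pwd"])
        return sid

    def forward(self, sid, endpoint):
        """Step 6: add iv_user and the tagged password, sign, pass to the endpoint."""
        if sid not in self.sessions:
            return {"status": 401, "ds_cookie": None}
        user, tag_pwd = self.sessions[sid]
        headers = {"iv_user": user, "tag_pwd": tag_pwd}
        headers["x_junction_sig"] = junction_signature(headers)
        return endpoint.handle(headers)


class DSmartEndpoint:
    """Directory Smart endpoint role: steps 7 to 10."""

    def __init__(self):
        self.cookies = {}  # DS cookie -> user

    def handle(self, headers):
        sig = headers.get("x_junction_sig", "")
        if not hmac.compare_digest(sig, junction_signature(headers)):
            return {"status": 401, "ds_cookie": None}  # did not come via the junction
        user = headers["iv_user"]
        # Step 7: check the user in DSMART IDS with the tagged password.
        if not hmac.compare_digest(DSMART_IDS.get(user, ""), headers["tag_pwd"]):
            return {"status": 401, "ds_cookie": None}
        # Step 8: issue the DS cookie the client presents on later requests.
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = user
        return {"status": 200, "ds_cookie": cookie}

    def request_with_cookie(self, cookie):
        """Step 10: a later request carrying the client cookie."""
        return self.cookies.get(cookie)


def single_sign_on(user, password):
    """Run the whole flow; returns (status, user the endpoint sees at step 10)."""
    proxy, endpoint = Proxy(), DSmartEndpoint()
    sid = proxy.authenticate(user, password)
    if sid is None:
        return 401, None
    reply = proxy.forward(sid, endpoint)
    return reply["status"], endpoint.request_with_cookie(reply["ds_cookie"])


def forged_direct_request(user):
    """A client that bypasses the proxy and sets iv_user itself is refused."""
    return DSmartEndpoint().handle({"iv_user": user, "tag_pwd": "guess"})["status"]


if __name__ == "__main__":
    print(single_sign_on("jsmith", "correct horse"))  # (200, 'jsmith')
    print(forged_direct_request("jsmith"))             # 401
```

The two user directories still hold different passwords for the same person, which is exactly the "various passwords" issue listed earlier; the tagged attribute lets WebSEAL bridge them without the user seeing a second prompt, and the password synchronisation work later in the deck is what eventually removes the duplicate.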
TIM Password Synchronisation
Requirements
• Deliver same sign-on services for non-web applications
• Support for core system repositories – ACF2, RACF, TAM IDS & various Windows domain controllers (AD, 2000, NT)
• Reduce help desk workload by simplifying password management
• Reduce risk of exposure by strengthening and standardising password policies
Issues
• Impact of password policy change – bringing endpoint systems into line, & client education process
• Scalability of domain account synchronisation solution – local agents or agent server
• Limitations of RACF agent
Achievements
• Reduced password reset tasks for the help desk
• Stronger password policy for core systems
• Consolidation of three separate passwords to one – domain, intranet & mainframe.
Diagram (TIM password synchronisation): components shown are TSC Password Reset, ITIM, the RACF Agent and ACF2 Agent (to RACF and ACF2), the NT Agent (Windows NT SAM, 5 domains), the W2003 Agent (Windows 2003 AD), the TAM Agent (TAM Directory) and IDI Sync (HR Feed, SAP Directory, OID Directory). Labelled flows are Password Sync, Reverse PW sync (from Windows 2003 AD and the TAM Directory) and Password Change.
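The "Issues" slide points at the practical problem of pushing one password to RACF, ACF2, NT SAM, Active Directory and the TAM directory at once: each endpoint accepts a different length range and character set, so the policy enforced at the reset point has to be the intersection of all of them, or a change lands on some targets and fails on others and the user is back to several passwords. The following is an added example, not IAG's or Tivoli's code; the per-endpoint constraints are constructed for illustration and are neither vendor documentation nor IAG's actual policy. It computes the effective policy and checks a candidate password against every endpoint before synchronisation is attempted.

```python
"""Effective password policy across synchronisation endpoints.
Added example, not IAG's or Tivoli's code; endpoint constraints are
constructed for illustration only."""
import re
import string
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EndpointPolicy:
    name: str
    min_len: int
    max_len: int
    allowed: str          # regex class of characters the endpoint accepts
    case_sensitive: bool  # False: the endpoint folds case before storing


# Constructed constraints (illustrative values, not vendor documentation).
ENDPOINTS = [
    EndpointPolicy("RACF", 6, 8, r"[A-Za-z0-9@#$]", False),
    EndpointPolicy("ACF2", 6, 8, r"[A-Za-z0-9@#$]", False),
    EndpointPolicy("NT SAM", 6, 14, r"[\x21-\x7e]", True),
    EndpointPolicy("AD", 7, 127, r"[\x21-\x7e]", True),
    EndpointPolicy("TAM", 8, 64, r"[\x21-\x7e]", True),
]

PRINTABLE = string.digits + string.ascii_letters + string.punctuation


def violations(password: str, policy: EndpointPolicy) -> List[str]:
    """Reasons `policy` would reject `password`; empty list means accepted."""
    reasons = []
    if len(password) < policy.min_len:
        reasons.append(f"shorter than {policy.min_len}")
    if len(password) > policy.max_len:
        reasons.append(f"longer than {policy.max_len}")
    bad = sorted({c for c in password if not re.fullmatch(policy.allowed, c)})
    if bad:
        reasons.append("disallowed characters: " + "".join(bad))
    return reasons


def effective_policy(endpoints=ENDPOINTS) -> Dict[str, object]:
    """Intersection of all endpoint policies: what the reset point must enforce."""
    common = [c for c in PRINTABLE
              if all(re.fullmatch(p.allowed, c) for p in endpoints)]
    return {
        "min_len": max(p.min_len for p in endpoints),
        "max_len": min(p.max_len for p in endpoints),
        "allowed": "".join(common),
        # If any endpoint folds case, mixed case adds no strength on that target.
        "case_sensitive": all(p.case_sensitive for p in endpoints),
    }


def check_sync(password: str, endpoints=ENDPOINTS) -> Dict[str, List[str]]:
    """Endpoint name -> rejection reasons; an empty dict means safe to synchronise."""
    result = {}
    for p in endpoints:
        v = violations(password, p)
        if v:
            result[p.name] = v
    return result


if __name__ == "__main__":
    print(effective_policy())
    print(check_sync("Tr0ub4d0"))        # {} : accepted everywhere
    print(check_sync("Tr0ub4d0r&3"))     # rejected by RACF and ACF2
```

With these constructed values the intersection collapses to exactly eight characters from a reduced character set, which is the kind of result that forces the "bringing endpoint systems into line" decision on the slide: either the mainframe limits are raised, or the whole organisation inherits them.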
Next Steps
• Phase two of the TAM migration exercise – applications ported from Directory Smart
• SPNEGO – integrated sign-on for Active Directory clients
• Roll out password synchronisation service to the organisation
• Rollout of account provisioning service to the organisation
• Rationalising disparate source HR feeds through IDI/TIM
• Association of existing ‘un-owned’ accounts to an enterprise identity – reduce the number of orphans
• Automated provisioning & termination cycle for basic access…
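The last two next steps, associating un-owned accounts with an enterprise identity and automating the provisioning and termination cycle, are both instances of reconciling endpoint account lists against the authoritative HR feed. The following is an added example, not IAG's or Tivoli's code; it assumes an HR extract (the SAP feed on the slides) carrying employee id, name and status, and per-endpoint account lists that record an owner's employee id where one is known. The employee ids, names and accounts are constructed for the example. It produces the four action lists an identity manager would act on, and a simple naming heuristic that proposes an owner for orphaned accounts for a human to confirm.

```python
"""Reconcile endpoint accounts against the HR feed.
Added example, not IAG's or Tivoli's code; all identifiers and the two
sample feeds are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    emp_id: str
    name: str      # "Initial Surname" form, as in the constructed feed
    status: str    # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    endpoint: str
    username: str
    emp_id: Optional[str]  # None: the endpoint holds no owner for this account


# Constructed HR feed (stand-in for the SAP extract via IDI).
HR_FEED = [
    Person("E1001", "J Smith", "active"),
    Person("E1002", "A Jones", "terminated"),
    Person("E1003", "P Lee", "active"),
]

# Constructed endpoint account lists.
ACCOUNTS = [
    Account("AD", "jsmith", "E1001"),
    Account("RACF", "JSMITH1", "E1001"),
    Account("AD", "ajones", "E1002"),       # owner terminated: disable
    Account("RACF", "OPS42", None),         # orphan with no obvious owner
    Account("RACF", "PLEE", None),          # orphan that a heuristic can link
    Account("AD", "svc_batch", "E9999"),    # owner id unknown to HR
]

# Endpoints every active person receives automatically ("basic services").
BASIC_SERVICES = ["AD"]


def suggest_owner(username: str, people: List[Person]) -> Optional[str]:
    """Propose an owner for an orphan from an initial+surname naming convention."""
    key = username.lower()
    for p in people:
        first, _, last = p.name.partition(" ")
        if key == (first[:1] + last).lower():
            return p.emp_id
    return None


def reconcile(people: List[Person], accounts: List[Account]) -> Dict[str, List[Tuple]]:
    """Return provision / disable / orphan / unknown_owner action lists."""
    by_id = {p.emp_id: p for p in people}
    owned = {(a.endpoint, a.emp_id) for a in accounts if a.emp_id}
    actions = {"provision": [], "disable": [], "orphan": [], "unknown_owner": []}
    for a in accounts:
        if a.emp_id is None:
            # Termination cannot reach an account nobody owns: record it with a
            # proposed owner (or None) so it can be associated or removed.
            actions["orphan"].append((a.endpoint, a.username, suggest_owner(a.username, people)))
        elif a.emp_id not in by_id:
            actions["unknown_owner"].append((a.endpoint, a.username, a.emp_id))
        elif by_id[a.emp_id].status == "terminated":
            actions["disable"].append((a.endpoint, a.username))
    # Provisioning side: every active person gets the basic services.
    for p in people:
        if p.status == "active":
            for ep in BASIC_SERVICES:
                if (ep, p.emp_id) not in owned:
                    actions["provision"].append((ep, p.emp_id))
    return actions


if __name__ == "__main__":
    for kind, items in reconcile(HR_FEED, ACCOUNTS).items():
        print(kind, items)
```

The orphan list is the one that matters most for risk: an account with no owner is never disabled by a termination event, so the association step is what makes the automated termination cycle complete rather than merely convenient.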