
Hardening Network Security

Last Updated 2/3/2009 3:43:04 PM


Abstract
In this chapter from "Hardening Network Security," you'll get a step-by-step plan that you can use to build an identity management solution in your environment, including tips on identity management drivers and liabilities, building an identity management foundation, enforcing corporate access control policies, and managing identities through workflow and audit processes.



Identity management, the management of digital identities, is a critical measure for long-term security. Specifically, it refers to controlling the digital representation of users across an organization. Issues ranging from legal and regulatory forces to business requirements are driving your business toward an identity management solution. In most cases, this means adopting an identity management system to coordinate the management of the digital identities that define users on virtually every electronic system you use.

In the past, you've managed identities with point solutions. For example, when you build or buy a new application, you construct a new access management element and yet another new digital identity for your users. While most of these access management structures can be designed to be rather secure by themselves, they generally do not remain autonomous for long. They end up providing a piece of a larger solution, being accessed in ways that were not originally planned for, and possibly being replaced by a different application or system altogether. Meanwhile, the users of these systems have multiple identities defined in multiple systems across your organization, making it difficult to determine the sum of each user's access among your information systems. Today, your organization cannot afford to manage identities in this manner.

Identity management is designed to address this issue and may be able to provide your organization with a more favorable course of action. This chapter gives you a step-by-step plan that you can use to build an identity management solution in your environment.


UNDERSTAND IDENTITY MANAGEMENT DRIVERS

The adoption of identity management systems is driven in different organizations by different needs. Different aspects of identity management solve different issues, and each organization has different needs. The first step in leveraging identity management systems to provide increased security is to understand what the business drivers are for your specific organization. For example, your organization may need to manage the identities for internal employees to improve your organization's security posture. Or, you may be looking for a method to manage the identities of your customers across multiple applications.

Identity management can mean a number of different things to a number of different organizations. Organizations such as casinos may use identity management to spot individuals who have been blacklisted from among the hundreds of thousands of people who are allowed to pass through their doors on a daily basis. Identity management systems have even been used to track fish in large aquariums to determine which ones are eating the others.

While there are many examples of what identity management could mean to an organization, this chapter looks at the most common requirements and analyzes the approaches that could be used to implement them. The most prevalent business drivers for identity management in corporations are liability and cost, time savings, and security.

Determine Identity Management Liability Drivers

A liability is an obligation or debt. It's often explained as the possibility of increased indebtedness. For example, if your organization does not follow standard safety procedures, it may be liable if employees are injured on the job. This liability may mean large monetary expenditures. Business liability can often be reduced by making changes in safety and security practices. Liability drivers are of two major types: external and internal. External liability drivers are laws or regulations that affect your specific industry. If laws are followed, a business's liability is reduced. Examples of an external liability would be legislation such as HIPAA (Health Insurance Portability and Accountability Act of 1996) or SOX (Sarbanes-Oxley Act of 2002). An internal liability driver is one that the organization chooses to address on its own, without an external mandate. For example, an internal liability driver might be the threat posed by former employees. The ability to promptly identify and remove ex-employees' access to computer resources reduces the liability of those IDs being used maliciously.

Identify External Liability Issues to Resolve with Identity Management
How information security and privacy laws and regulations will affect the way you manage information is not yet clear. However, you should be knowledgeable of these laws and strive toward compliance. Laws and regulations are starting to focus on defining what should be common business best practices. Because business practices today tend to be coupled with electronic systems, new laws may mean modifications to those systems. For example, accounting has not been done by hand and on paper for a number of years now. As a result, controlling who has electronic access to accounting systems has taken the place of controlling who has access to a written ledger.

HEADS UP!

No law or pending legislation identifies the specific product or technology you must implement to be compliant. There are, however, vendors who say that you have to implement their technology to be compliant with a piece of legislation. This is simply not true. The laws and regulations focus on a particular point that needs to be addressed or a particular result that needs to occur. Some technologies will make it easier to facilitate that outcome, but you should never buy into the mindset that a technology by itself will make your environment compliant with a law or regulation. In the words of one of the security industry's thought leaders, Bruce Schneier, "Security is a process, not a product."

Recognize Laws that Do Not Specify Product Compliance Solutions
While laws and regulations don't specify the exact hardware or software product that is needed for compliance, they do outline, at a minimum, what your business practices and processes should be. Because business practices have a number of interdependencies with technology, you may need to modify your technology implementations to align the business with the laws and regulations.

The recent wave of corporate scandals has highlighted the need for accountability. Specifically, organizations should be able to identify responsibility for actions that could affect the financial statements of the organization, whether the actions involve technology or not. This does not mean that new laws requiring accountability for financial statement information require identity management solutions, regardless of what a vendor may suggest or insist in their presentation. However, organizations must be able to provide some level of assurance that they can determine what affects the systems involved in processing financial information. In a majority of the corporate accounting scandals publicly discussed, the perpetrators have been identified. These individuals, for lack of a better term, were "trusted insiders" and could have accomplished their frauds even if a technical solution were in place. Identity management will not prevent dishonest people from doing dishonest things. Identity management may reduce the likelihood of an opportunist taking advantage of the system and may increase accountability.

Understand Current Legislation
Because laws and regulations are written by politicians and lawyers, they require interpretation to identify the business and/or technological perspective. The interpretations of legislation throughout this section focus on potential technical liabilities that you may need to address. You should seek the same kind of interpretation for other laws and regulations, both those currently in force and those that may be ratified in the future. Examples of other laws and regulations that may affect your organization are the European Data Protection Directive, the Gramm-Leach-Bliley Act (GLBA), and the U.S. Patriot Act.

It is a good idea not to interpret the technical impacts of laws and regulations in a vacuum but rather to educate yourself as to what the potential technical impacts of a law or regulation could be on your organization. Generally, the best way to do this is to locate a subscription service that gives you information on how these regulations are evolving and what their immediate and future impact will be on IT. (Two such subscription services are SANS PrivacyBits and SANS AuditBits, both of which can be accessed at http://www.sans.org/newsletters/.) Additionally, your corporate counsel can generally offer valuable insight as to how these regulations can directly impact your specific organization.

Reviewing the different aspects of external liability sources will convince you that it is important to offer a method to effectively manage who has the capability to do what to information within your environment. With this in mind, consider two acts that may affect the management of digital identities (both carbon-based and noncarbon-based users) within your environment: the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act. The following are examples of their impact on identity management:
  • HIPAA privacy directives Define and direct who is permitted to access, view, and disclose what patient information. It poses questions such as these: Does a claims processor need to be able to view the entire medical history of a patient? What if the claims processor has multiple roles within a healthcare organization? How is the digital identity of a claims processor limited specifically to the information that they need to see for the specific role that they are performing?
  • HIPAA security directives Address requirements for the audit of information access, including information on what is accessed and by whom. Auditing is one of the primary aspects that are needed to establish accountability for who has access and who has the ability to access what information.
  • Sarbanes-Oxley Act Defines financial-based controls. It requires organizations to assess the effectiveness of their internal controls, which are those policies and procedures (both technical and nontechnical) that control the management of financial information. The management of identities that access financial systems is one such control.
Identify Internal Liability Issues to Resolve with Identity Management
Internal liability may share some of the same themes as external liability. Whereas external issues are items that impact all organizations within an industry or that fit a particular corporate profile, internal issues focus specifically on your organization. For example, an employee who has left your organization could pose a threat to your organization if they still have dial-in access to your network. While there might not be any specific fines that could be imposed on the organization if this occurs, there is a threat to the organization in that unauthorized access to the environment can be attained. The inability to properly manage identities affects not only current employees and their access but also individuals who no longer need access to the current environment.

Determine Identity Management Cost- and Time-Saving Drivers

Identity management can mean cost and time savings. Cost savings can result from reduced user administration overhead. Additional service offerings can affect the bottom line.

Increased customer satisfaction due to a better overall user experience with current and new systems can mean increased sales. Solving the problem of password resets can provide both benefits (cost- and time-saving drivers). No matter where in the world you ask, one of the top calls to any corporate help desk is for password resets. Password resets are required when users forget their passwords. Password resets consume the time (and possibly money) of both users and the personnel actually resetting the password. If users can reset their own passwords in a secure fashion, the time and frustration usually associated with password resets can be minimized. Fewer people are required to maintain the same service levels of the help desk, and users have a better experience because they neither have to wait nor be embarrassed by admitting to others that they forgot a password. An organization may find that this increases customer loyalty and possibly maintains a competitive edge.

NOTE: Setting up self-help password resets requires collecting unique, private information from customers, to authenticate them if they attempt to reset their password. The best time to collect this information is during enrollment, because users rarely modify their personal information after they establish an account. During enrollment, allow users to choose their own confirmation questions and answers, and to choose multiple questions. This enables you to avoid posing generic questions that everyone can answer, like "What is your favorite color?" or "Where were you born?" Using these "conversational questions" increases the risk that an adversary might figure out a password, because a user might unwittingly relay their password reset information in a general conversation. Allowing users to create their own questions and answers reduces this risk significantly. Caution and train users to understand that the answers they provide for the questions hold the same value as a password. Therefore, as an administrator, you should confirm that these answers are not retained in an insecure format, like clear text in a database.
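The note above says reset answers must be treated like passwords: enrolled in multiples, chosen by the user rather than from a generic list, and never stored in clear text. The following is an added example of what that storage looks like in practice; it is not code from the chapter. It assumes PBKDF2-HMAC-SHA256 with a per-answer random salt (the iteration count and the list of rejected generic questions are assumptions), normalizes answers before hashing so that harmless typing differences still verify, and compares digests in constant time.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed derivation parameters; the chapter does not specify any.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Generic questions the chapter warns against; rejected at enrollment (assumed list).
GENERIC_QUESTIONS = {"what is your favorite color?", "where were you born?"}


def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'Rosebud ' and 'rosebud' verify the same."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return a record holding only the salt and PBKDF2 digest, never the answer."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def enroll(questions_and_answers: list, minimum: int = 3) -> list:
    """Store user-chosen questions with hashed answers; require several of them."""
    if len(questions_and_answers) < minimum:
        raise ValueError(f"at least {minimum} questions are required")
    records = []
    for question, answer in questions_and_answers:
        if normalize_answer(question) in GENERIC_QUESTIONS:
            raise ValueError(f"generic question not allowed: {question!r}")
        if len(normalize_answer(answer)) < 3:
            raise ValueError("answer too short")
        records.append({"question": question, **hash_answer(answer)})
    return records


def verify_answer(record: dict, answer: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(expected, actual)


def verify_reset(records: list, supplied: dict) -> bool:
    """Every enrolled question must be answered correctly before a reset proceeds.

    All records are checked even after a failure, so the caller cannot learn
    from response time which question was answered wrongly.
    """
    results = [verify_answer(r, supplied.get(r["question"], "")) for r in records]
    return all(results)


if __name__ == "__main__":
    # Constructed enrollment data for a demonstration run.
    stored = enroll([
        ("Name of my first boat", "Rosebud"),
        ("Street I grew up on", "Elm Street"),
        ("First concert I attended", "The Who"),
    ])
    print("stored record (no answer present):", stored[0])
    print("reset allowed:", verify_reset(stored, {
        "Name of my first boat": "rosebud",
        "Street I grew up on": "ELM  STREET",
        "First concert I attended": "the who",
    }))
```

The stored records contain the question text, a salt and a digest, so a database dump does not yield the answers; an attacker who obtains the table still has to brute-force each answer at the full PBKDF2 cost.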

Another benefit of an identity management solution that can bring forth cost and/or time savings in your environment is the ability to efficiently and quickly set up user access to systems and services. Setting up a user's accounts and providing them with appropriate resource access to information systems should not take multiple hours or days, but it often does when multiple unmanaged, unique systems are present. The potential for loss of business also exists because IT cannot quickly cater to user requests. User requests, and access to systems, may be the result of both employee and customer requirements. The easier you can make the customer login experience (including their password management experience), the more they may use the application and the more referrals you may receive from them.

These factors alone (decrease in support personnel required to service customers, the capability for users to support themselves, and the ability to efficiently set up users to use a service) are very significant when considering the political landscape of using IT more efficiently. While all of these points may not be tangible, they do lead to competitive advantages.

Determine Identity Management Security Drivers

Identity management has many different interpretations; however, all of them are focused on the age-old issue of user management. In the world of identity management, key points need to be determined long before a technological solution is introduced. One such point is the identification of which resources users require access to. You must define the directories that currently include both internal and external resources, perhaps Internet-facing data stores. Another key point is the ability to determine exactly what each unique user can access.

From a security perspective, it is also important to define the user's role on the network and how that translates to applications and data stores. You should be able to identify who has access to what on which system. Given a user ID, you should be able to determine which applications the user has access to and what roles within those applications the user has. This is a rather easy task if your organization has a limited number of systems that users can access, but the task is almost impossible in larger organizations. For example, if your organization is small and its users access the network operating system (NOS), one or two applications that are specific to their jobs, and maybe a human resources (HR) system, identity management can be pretty straightforward. In fact, in some cases, it might even be done manually with rather decent results. However, most users within a typical large organization have in excess of 16 different identities that actually represent them across the enterprise. In situations like this, it is very inefficient and often cost prohibitive to attempt to manually manage users with all of their various system accesses. This is the exact problem that identity management solutions are meant to solve.

The second thought from a security perspective is that you should be able to identify who has access to what on which system. This is different from the problem presented earlier in this section. In that example, you were interested in identifying what a user can do. Here, your concern is how to identify, for each resource, who can access it and what they can do with it. While this may seem fairly straightforward and something that should be offered on virtually any application or system, it's often not easy to obtain. In addition, other critical information about the user, the data, and the level of access is also difficult to determine from a multisystem perspective. You should, for example, be able to answer the following questions:
  • Does this person need access to this system?
  • Is this person still an employee?
  • If this person is an employee, are they in a role that requires this access?
  • If they got this access because they required it, do they still require it now? (In other words, have they been promoted, demoted, transferred, or otherwise moved into another role that no longer requires this access?)
  • Does the access they require to one system actually contradict access that they may have to another system? (In other words, if a user has access to part of an accounts payable system, does that access also then give them access to an accounts receivable system?)
These questions are only a few of those that you must answer as you move toward an identity management solution.
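The two views the section describes (given a user ID, what can they reach; given a resource, who can reach it) and the review questions listed above can be answered mechanically once per-system account exports are correlated against the HR roster. The following is an added example of that correlation and review, not code from the chapter. The roster, account exports, role-to-entitlement policy and separation-of-duties rule are all constructed sample data, and the assumption that every system export carries an owner employee ID is the simplification that makes correlation possible; in practice that mapping is the hard part the chapter's "directory and correlation capabilities" refer to.

```python
from collections import defaultdict

# Constructed sample data (not taken from the chapter).
# HR roster: the authoritative answer to "is this person still an employee?"
HR_ROSTER = {
    "e1001": {"name": "Alice", "status": "active", "role": "ap_clerk"},
    "e1002": {"name": "Bob", "status": "terminated", "role": "sysadmin"},
    "e1003": {"name": "Carol", "status": "active", "role": "ar_clerk"},
    "e1004": {"name": "Dan", "status": "active", "role": "engineer"},
}

# Account exports per system: (account name, owner employee id or None, entitlements).
# Account names differ from system to system, so correlation is done on the owner id.
SYSTEM_ACCOUNTS = {
    "nos": [
        ("alice", "e1001", {"login"}),
        ("bob", "e1002", {"login", "domain_admin"}),
        ("carol", "e1003", {"login"}),
        ("dan", "e1004", {"login"}),
        ("svc_backup", None, {"login"}),
    ],
    "erp": [
        ("ALICE", "e1001", {"ap_post"}),
        ("CAROL", "e1003", {"ar_post", "ap_post"}),
        ("DJONES", "e1004", {"ap_post"}),
    ],
}

# Assumed policy: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {("nos", "login"), ("erp", "ap_post")},
    "ar_clerk": {("nos", "login"), ("erp", "ar_post")},
    "engineer": {("nos", "login")},
    "sysadmin": {("nos", "login"), ("nos", "domain_admin")},
}

# Entitlement pairs one person must not hold together (accounts payable vs. receivable).
SOD_CONFLICTS = [(("erp", "ap_post"), ("erp", "ar_post"))]


def correlate(system_accounts):
    """Map employee id -> {(system, entitlement)}; also collect accounts with no owner."""
    by_person = defaultdict(set)
    orphans = []
    for system, accounts in system_accounts.items():
        for account, owner, entitlements in accounts:
            if owner is None:
                orphans.append((system, account))
                continue
            for ent in entitlements:
                by_person[owner].add((system, ent))
    return dict(by_person), orphans


def access_to(system, entitlement, by_person):
    """Resource view: which employee ids hold this entitlement on this system."""
    return {pid for pid, ents in by_person.items() if (system, entitlement) in ents}


def review(hr, system_accounts, role_entitlements, sod_conflicts):
    """Apply the section's review questions; return sorted (kind, subject, detail) findings."""
    by_person, orphans = correlate(system_accounts)
    findings = [("orphan_account", f"{s}/{a}", "no owner in HR roster") for s, a in orphans]
    for pid, ents in by_person.items():
        person = hr.get(pid)
        if person is None:
            findings.append(("unknown_owner", pid, "owner id not in HR roster"))
            continue
        if person["status"] != "active":
            held = ", ".join(sorted(f"{s}/{e}" for s, e in ents))
            findings.append(("terminated_with_access", pid, held))
            continue
        excess = ents - role_entitlements.get(person["role"], set())
        for s, e in sorted(excess):
            findings.append(("excess_for_role", pid, f"{s}/{e} not needed by role {person['role']}"))
        for a, b in sod_conflicts:
            if a in ents and b in ents:
                findings.append(("sod_conflict", pid, f"{a[0]}/{a[1]} with {b[0]}/{b[1]}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in review(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_ENTITLEMENTS, SOD_CONFLICTS):
        print(f"{kind:24} {subject:16} {detail}")
```

On the sample data the review surfaces each case the questions above ask about: a service account nobody owns, a terminated administrator whose accounts were never removed, an engineer with a posting right his role does not need, and a clerk who can both post payables and receivables.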


ESTABLISH AN IDENTITY MANAGEMENT FOUNDATION

Very rarely is the number of applications available to users reduced. Most likely, more applications will be added in the future, and you must be able to manage the identities of users of those applications.

Every application has its "own" method of identifying users and controlling access management, but the goal of identity management is to be able to centrally control all aspects of an individual's identity across all systems. In addition to current systems, you must be able to control the identities for new applications, platforms, and systems as they are added, and to extend identity management to apply to new customers and partners. The first step is to build the foundation on which identity management can be constructed.

Adopt a Standards-Based Directory Service

While it is difficult to predict the future, you should attempt to adopt standards that can be used in the future. When implementing a new application, use a standard directory service like an X.500 directory. Implementing an X.500-type directory or some other standard by itself will not give you identity management. However, as you progress down the path of implementing an identity management solution, having a standards-based directory service will give you the leverage and flexibility you may need to do the best job of building a centralized directory. Additionally, having a standard directory as your identity management underpinning will help prevent you from being locked into a vendor that uses a proprietary directory store, like a modified database. X.500 directories are compatible with each other; vendor-modified database solutions do not carry the same guarantee.

NOTE: A number of other standards are emerging and being used in the identity management arena. It is important that you monitor these standards and understand what impact they may have on your environment. Standards like the Security Assertion Markup Language (SAML) and Service Provisioning Markup Language (SPML) have been designed to promote interoperability between independent identity systems. Information on standards that affect the identity management space can be found by clicking the Standards button under the Industry Resources menu on the left side of the Digital Identity World web page located at http://www.digitalidworld.com/.

Match Identity Management Solutions with Organizational Needs

You may not be able to find an identity management solution that meets all of your needs. Standards for identity management are still being developed. Vendors have matured based on different roadmaps. As a result, product vendors have not yet integrated all of the elements of their solutions. Additionally, sometimes organizations will require a more flexible solution than any vendor offers. This is a maturing market and no vendor does everything well.

Identify Organizational Identity Management Needs
If you cannot identify the problems that identity management can solve for you, you will be implementing a solution that targets tasks and objectives that vendors and project managers know will be successful, rather than a solution that solves your specific requirements.

CAUTION:
This approach of providing solutions to perceived problems rather than to real ones is widespread. If this is your organization's traditional approach, stop now and ask the question, do we really have a problem that identity management can solve?

To identify your requirements, start with identity issues of which you are already aware. Most organizations have internal issues with regard to effectively managing the identities of their employees. Do you? If so, then this is a good place to start. Customer-facing applications or external applications also require management of identities. If you can manage customer data, you can leverage the information across multiple applications. It is possible that your external applications may be the area in most need of identity management in your organization.

Identity management can mean different things to management, vendors, and implementers. To obtain a solution that matches your needs, you need to provide a detailed assessment of the problem you are trying to solve. Armed with this detail, the steps that you need to take and the components necessary for a solution can be more easily found. The alternative is also true. The more vague your understanding and expression of need is, the more useless your identity management solution will be.

The following table provides examples of four possible primary needs and the type of product that you should try to acquire for each primary need:

  • Primary need: Find out which users have access to what systems and what their user IDs are across those systems.
    Recommended product: Look for a product that has strong directory and correlation capabilities.

  • Primary need: Password synchronization. (Make passwords for user applications, platforms, or systems the same so that users have only one password to remember.)
    Recommended product: After you review what the password requirements are for each of the systems, review the requirements for your environment and determine if it will be acceptable to force users to one location to make a password change or if users will need the ability to change their password in any location and have that change propagated to the rest of the applications, platforms, and systems. If you are looking to do the former, you will be able to use a system that uses agent or agentless technologies. (Agent vs. agentless is defined later in this chapter.) If you are looking for users to be able to change their password in any one location, you will need to look at a product, at least in part, that supports agent technology.

  • Primary need: Set up and remove users in your environment as they come and go. (Provisioning and de-provisioning)
    Recommended product: Look for a product that has "hooks," or the ability to interface with the applications, platforms, and systems that are needed by users in your environment. All of the top-tier identity management products will offer hooks into common application suites (like Windows Active Directory, SAP, and PeopleSoft); however, there is often a need to interface with custom applications. Because most environments have a number of custom applications, you will need to understand how the product that you select will interface with those custom applications. For example, some products offer an SDK (software development kit) for you to program interfaces as needed, others will offer small applications that will allow you to "build" a connector to interface with a custom application, others will have professional services that will design agents for you, and others will work with third-party middleware to interface with your custom applications. The decision as to which is the best for your environment will depend on the resources that you have available to you, the programming experience that you have in house, and how many custom applications you will need to interface with.

  • Primary need: Implement an entire identity management strategy using a single product or suite of products.
    Recommended product: Look for a product that has the capability to fulfill directory services, provision users, service users, workflow, and the like while taking into account all the preexisting technologies within your environment and how they will be impacted. For this type of identity management implementation, a suite product will always work better than a "best-of-breed" product selection.
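The password synchronization row says to review the password requirements of each system first. The reason is that a synchronized password must satisfy every target system at once, and the combined rule set can turn out to be unsatisfiable (a legacy host capped at eight characters beside a web application demanding ten). The following added example, not code from the chapter, intersects a set of per-system policies into the strictest common policy, checks that such a password can exist at all, and reports per system why a candidate was rejected. The policy fields and the three sample systems are constructed for illustration, not taken from any vendor product.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints one system enforces on a password (assumed shape, not a vendor format)."""
    min_length: int
    max_length: int
    required_classes: frozenset = frozenset()   # subset of CLASS_SETS keys
    forbidden_chars: frozenset = frozenset()


CLASS_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed example: a directory, an ERP package and a legacy host with very different rules.
SYSTEM_POLICIES = {
    "nos": PasswordPolicy(8, 64, frozenset({"lower", "upper", "digit"})),
    "erp": PasswordPolicy(10, 40, frozenset({"digit", "symbol"}), frozenset("'\"\\")),
    "legacy_host": PasswordPolicy(6, 8, frozenset(), frozenset("@#")),
}


def common_policy(policies):
    """Intersect policies: a synchronized password must satisfy every system it is pushed to."""
    values = list(policies.values())
    return PasswordPolicy(
        min_length=max(p.min_length for p in values),
        max_length=min(p.max_length for p in values),
        required_classes=frozenset().union(*(p.required_classes for p in values)),
        forbidden_chars=frozenset().union(*(p.forbidden_chars for p in values)),
    )


def is_feasible(policy):
    """No synchronized password can exist when the length bounds cross."""
    return policy.min_length <= policy.max_length


def violations(password, policy):
    """List the rules a candidate breaks under one policy (empty list means acceptable)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    for cls in sorted(policy.required_classes):
        if not (set(password) & CLASS_SETS[cls]):
            problems.append(f"missing {cls}")
    bad = sorted(set(password) & policy.forbidden_chars)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    return problems


def check_sync_candidate(password, policies):
    """Per-system verdict, so the help desk can say which system rejected the password."""
    return {name: violations(password, pol) for name, pol in policies.items()}


if __name__ == "__main__":
    merged = common_policy(SYSTEM_POLICIES)
    print("combined policy feasible:", is_feasible(merged), merged)
    for system, problems in check_sync_candidate("Tr0ub4dor&3", SYSTEM_POLICIES).items():
        print(f"{system:12} {'ok' if not problems else '; '.join(problems)}")
```

Run against all three sample systems the combined policy is infeasible (minimum 10, maximum 8), which is exactly the finding that should come out of the requirements review before a product is chosen: either the legacy host is excluded from synchronization, or its password rules are changed.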


While there are many interpretations as to what identity management is, the only meaningful definition is the one that solves your problems with managing identities.

After you assess your organization's needs, match each one with an aspect or aspects of identity management. If users are burdened by large numbers of passwords that they must update frequently, implementing password synchronization across the environment may be the solution. If accountability for financial information is the issue, then being able to audit what users have access to what systems is important.

HEADS UP!

Identity management vendor solutions are maturing in different ways depending on vendor history, direction, growth, and customer demands. Your organization is also growing and may find new needs for identity management. It is possible that you may outgrow the vendor solution that appears to fit your needs today. Before locking yourself into a single vendor's identity management solution, be aware that different vendor solutions may not work seamlessly with others. Look for flexibility in product design and the use of standards that may make integrating with other products in the future easier. When evaluating products, consider your possible future needs, the vendor's track record and projected future abilities, and the flexibility of the solution.

Match Identity Management Needs to Vendor Solutions
Once you have identified your needs, you must determine if a specific vendor can fulfill them. This is not as simple as it seems. For example, every vendor of identity management products, from the mom and pop shops to the most sophisticated product companies in the world, provides a solution that can work with the authentication process and identity objects used in the most prevalent NOS. Additionally, most vendors' products can interoperate with major third-party software packages like PeopleSoft, SAP, and the like. While the requirements for managing identities embedded in these systems are of major concern to you, and their successful management will be the base elements for your first identity management wins within your environment, they are not the only integration issues you will have to address. It is the "other systems" that can become major impediments to successful identity management projects.

You need to determine what these systems are, and what percentage of your total identity management needs they represent. It may be that homegrown applications that serve a majority of your business and applications started out on someone's workstation as a proof of concept. It may be that they now control a major portion of your supply chain. Look for systems that manage the mission-critical aspects of your organization and ensure that the proposed identity management solution will work with them.

Mature vendors and mature vendor products may prove to be invaluable in providing solutions that address the integration of less-well-known products and those unique to your organization. A vendor's custom interfaces or product application programming interfaces (APIs) might easily be adopted by your organization. Alternatively, vendors may have a team that is involved with building interfaces for homegrown, non-standards-based directories. Either option means that you are more likely to get a stronger identity management solution in the long term. While your unique or less-well-known applications may not be your primary focus as you seek a product to solve your identity management needs, and the results of managing the identities specific to these programs may not be realized for quite some time, it is very important that the vendor demonstrate to you that it has the ability to integrate with those programs and provide the flexibility that your environment requires.

Prepare to Implement an Identity Management Solution

Implementing an identity management solution is an enterprise-wide initiative. In order for it to succeed, you must properly prepare your organization. You must enlist the support of stakeholders, and accurately forecast cost and effort.

Enlist Support of All Stakeholders
When an identity management solution is implemented, it has an impact on the entire enterprise. Additionally, identity management implementations require commitments from multiple parts of the organization for their continued success. This means that you need to obtain buy-in from a large number of groups and departments within your organization.

Application, platform, and systems administrators and developers should be educated early in the process. They need to have an understanding and see the benefits of an identity management solution, not only because their current roles may be affected by the implementation, but also because future developments have to take the identity management solution into account.

One of the best ways to enlist support is to educate stakeholders as to what the benefits will be to each of the stakeholders. For example, if you are speaking with a system administrator, ask them how much time they spend administering users or running user reports for auditors. With the implementation of an identity management solution, their administration of users could be significantly reduced. In turn, they could spend the time that they would normally spend on administrating users more productively doing other systems administration. Additionally, an identity management solution could reduce the time that they need to prepare for audits from days to hours.

If you are enlisting the support of business units or call center management, you could relay to them that an identity management solution could make a new hire productive in a day as opposed to the week that it takes to set up users now.

If you are enlisting the support of an executive, you could inform them that you will be able to provide reports in rather short order that outline exactly who has access to what systems and prove that employees do not have access to any more applications, platforms, and systems than what they need to get their job done. This is something that cannot normally be done with any degree of confidence without an identity management solution.

If you are enlisting the support of a help desk manager, you could share how an identity management system could reduce their call wait times by allowing passwords to be reset automatically.

Every stakeholder in an identity management project needs to see a personal benefit in order for them to commit to the project. Once you identify what problem you want your identity management solution to solve, you will then determine who the stakeholders are.

You will not succeed if executive management does not support the identity management solution. Executive management not only can deliver the support of downstream staff to the initiative but also can maintain that support over the extended time required to implement an identity management solution. Identity management is a journey, not a destination. If executive management does not back your identity management solution, it can easily cause the solution to fail by continuing to support autonomous solutions.

One way to gain the cooperation and backing of executives is to provide them with both the potential cost savings and ROI possible with identity management solutions and the redundant costs of providing identity management solutions that are unique to every application.

As a centralized identity management solution becomes more pervasive, the autonomous operation of applications, platforms, and systems is less of an option. The time to enlist support from those who are responsible for these items is before the identity management solution requires them to change the way they do business. Everyone needs to be in agreement from a corporate perspective with regard to the goals and direction of identity management. Obtain this support and you will have less departmental or group resistance to using a corporate identity management solution for future initiatives. The bottom line is that executive management as well as their subordinates need to realize that if they continue to support building identity management into applications on a one-by-one basis, they will continue to incur redundant costs by rebuilding solutions and will decrease the level of security and ROI because of the increased complexity of managing these solutions.

Correctly Forecast Identity Management Implementation Costs and Effort
Identity management products will not provide the entire identity management solution, so use the 80/20 rule to forecast cost and effort. Solutions are only about 20 percent product and product capabilities and about 80 percent backend consultative work. Understand that this work also includes internal resources. This also means that a purchase price of well under $1 million can swell to a multimillion-dollar investment. This is a fact that product vendors rarely divulge, because their compensation is traditionally based on the sale of the product.

Of the 80 percent of consultative work that is required for a successful implementation, approximately 30 percent of that should be done prior to actually purchasing a product. This may seem excessive at face value; however, in reality, it is probably a little low. Identity management offers the ability to incorporate the management of multiple, widely dispersed directories. There are, however, many different ways that each of those directories is managed, developed, and used. To centrally manage all of those dispersed directories, you must become familiar with how they are utilized today. You have to know how users are set up and retired, how they are administered, what requirements the groups may have with regard to their directories, and who is actually in the directory (employees, customers, etc.). You must know this prior to selecting and purchasing an identity management product.

In addition, you need to know how current directory structures rely on other directories, what processes exist for documenting what is done to the directory (is there workflow that determines how users are set up, or is there a unique validation step that is used for user validation?), and if there are any aspects as to the history of the directory and how it evolved that make it unique. In sum, you have to have a firm understanding of your current environment prior to selecting an enterprise identity management solution.

NOTE: The 80/20 rule also holds true for the costs of implementing an identity management solution. Initial product cost will vary depending on the size and scope of your implementation. Typical product pricing is in the $250,000–$750,000 range. Apply the 80/20 rule to forecast the actual cost to implement the product. It is not uncommon for an enterprise identity management solution to be a multimillion-dollar initiative.

