Benefits and Risks of a Single Identity - IBM Connect 2017

Uploaded by gabriella-davis, posted 19-Mar-2017 (category: Technology)

February 2017

Benefits and Risks of a Single Identity

Gabriella Davis, Technical Director - IBM Lifetime Champion

The Turtle Partnership

DEV-1078

IBM Connect 2017 Conference

Who Am I?

Admin of all things and especially quite complicated things where the fun is

Working with security, health checks, single sign on, design and deployment of IBM technologies and things that they talk to

Stubborn and relentless problem solver

Lives in London about half of the time. gabriella@turtlepartnership.com, twitter: gabturtle

Awarded the first IBM Lifetime Achievement Award for Collaboration Solutions

Roadmap For This Session

✤ What is single identity and why would I care?

✤ What technologies are available to me?

✤ What needs to be in place for single identity to work well

✤ The risks of single identity in an IOT and online world

What Do We Mean By Single Identity?

• Identity Management

• I am an individual but one that is part of this group

• I take my individuality into different systems

• I take information about me across different systems

• This is the difference between federation and single sign on

Things have gotten a bit more complicated than that..

Multiple systems and standards including SAML, OpenID, OAuth and Facebook Login. Users require logins across personal, consumer, and enterprise systems.

Diagram: Individual / Identities Across Systems / Attributes Within Systems

An individual will have separate identities across different systems, where some attributes are shared such as email or name and others might be system specific. As the user moves between systems their individual identity remains the same.

Why Is Having A Single Identity Valuable?

Preferences: how I use the system, how I prefer to work with it, what parts of it I prefer to see / engage with

Behaviour & History: what I do, what I have interacted with in the past, what I reuse or repeat

Patterns: spotting ways in which I reuse or repeat in order to present information to me that I might not be aware of, or highlight information that the pattern says I should be interested in

Being Present: just because I’m using system A doesn’t mean someone in system B can’t find and interact with me. I have one identity if signed onto multiple systems.

Key Components of Single Identity

Authentication

Authentication is critical to ensure that Gab Davis in System A is the same as Gab Davis in System B, and that the information that goes with that ‘Gab Davis’ is correct.

✤ Hello - have you met my friend?

✤ Is trust transferable?

Trust

Once you create a way in, the security level of the whole chain becomes that of its lowest entry point.

✤ Access rights

✤ Identity data such as name or email

✤ System specific attributes such as your favourite drink

Attributes

Example of a system specific attribute (favourite drink): Sparkling Wine Flute, White Wine Glass, Standard Wine Glass, Light Red Wine Glass, Bold Red Wine Glass

Common Authentication Technologies

FEDERATION

OAUTH

OPENID

IWA

Password Synchronisation - This ISN’T Single Identity

Synchronising passwords across different systems

Diagram: Password Synchronisation Tool pushing the same password to Sametime LDAP, Connections LDAP and Traveler Authentication

You’re not the same person, you’re just using the same password

Single LDAP Source - This Kind-Of Is, At Its Most Basic

Authenticating against a single password in a single place

Diagram: Sametime, Network Login, Connections and Mail all authenticating against one LDAP Password

Technically you are the same person as you authenticate using the same identity but that’s it, there is no other information being held or exchanged.

This Is Closer - but not quite: IWA/Kerberos/SPNEGO

✤ The single authentication to Windows has granted access to other systems using the same identity

Steps:

1. User logs into Windows
2. Active Directory generates a token
3. User tries to access a website
4. Browser sends the IWA token to the web server along with the user name
5. The web server contacts Active Directory to validate the token and retrieve the user’s name

Federated Login Is Single Identity - Security Assertion Markup Language

✤ Simple SAML Steps

1. User attempts to log in to a website
2. User is redirected to the identity provider
3. Identity provider requests authentication or (if the user is already logged in) returns credentials
4. User is redirected back to the original site with a SAML assertion attached
5. Original site uses its SAML service provider to confirm the SAML assertion and grant access
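What the service provider has to do in steps 4 and 5 is more than "confirm the assertion": even with a valid IdP signature, the SP must check who the assertion is for, when it is valid, where it was delivered and whether it answers a request the SP actually sent. The following is an added example (not code from the slides or from any IBM product) of those SP-side checks; it assumes the XML signature has already been verified by an XML-DSig library (that part is not implemented here), and the entity IDs, URLs and the assertion itself are constructed for the example.

```python
# Added example (not from the slides): the checks a SAML Service Provider must
# make on an assertion once the IdP's XML signature has been verified by an
# XML-DSig library (signature verification is assumed done and is not shown).
# Entity IDs, URLs and the sample assertion are constructed.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: one IdP asserting one user to one SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2017-02-20T10:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>gdavis@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42"
          Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2017-02-20T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-02-20T09:59:00Z" NotOnOrAfter="2017-02-20T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>gdavis@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ServiceProvider:
    def __init__(self, entity_id, acs_url, trusted_issuer, clock_skew=timedelta(seconds=60)):
        self.entity_id = entity_id            # our own entity ID: the Audience we expect
        self.acs_url = acs_url                # the only place assertions may be delivered to
        self.trusted_issuer = trusted_issuer  # the one IdP we federated with
        self.skew = clock_skew
        self.outstanding_requests = set()     # AuthnRequest IDs we sent (step 2) and have not consumed
        self.seen_assertion_ids = set()       # assertion IDs already accepted (replay protection)

    def validate(self, assertion_xml, now):
        """Return the asserted identity, or raise ValueError naming the check that failed."""
        root = ET.fromstring(assertion_xml)
        if root.findtext("saml:Issuer", namespaces=NS) != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        audiences = [a.text for a in root.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            raise ValueError("assertion not addressed to this SP")
        cond = root.find("saml:Conditions", NS)
        if now + self.skew < parse_ts(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if now - self.skew >= parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != self.acs_url:
            raise ValueError("wrong recipient")
        assertion_id = root.get("ID")
        if assertion_id in self.seen_assertion_ids:
            raise ValueError("assertion replayed")
        if scd.get("InResponseTo") not in self.outstanding_requests:
            raise ValueError("InResponseTo does not match a request we sent")
        self.seen_assertion_ids.add(assertion_id)
        self.outstanding_requests.discard(scd.get("InResponseTo"))
        attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                 for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
        return {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
                "attributes": attrs}


def fresh_sp(entity_id="https://sp.example.com/metadata"):
    sp = ServiceProvider(entity_id, "https://sp.example.com/saml/acs",
                         "https://idp.example.com/adfs/services/trust")
    sp.outstanding_requests.add("_req42")   # step 2: we redirected the user with this request ID
    return sp


def failure(fn):
    try:
        fn()
    except ValueError as exc:
        return str(exc)
    return None


def run_demo():
    """Run the checks on the constructed assertion; returns the outcome of each case."""
    sp = fresh_sp()
    good = sp.validate(SAMPLE_ASSERTION, parse_ts("2017-02-20T10:01:00Z"))
    return {
        "name_id": good["name_id"],
        "mail": good["attributes"]["mail"],
        "replay": failure(lambda: sp.validate(SAMPLE_ASSERTION, parse_ts("2017-02-20T10:01:00Z"))),
        "expired": failure(lambda: fresh_sp().validate(SAMPLE_ASSERTION, parse_ts("2017-02-20T10:06:00Z"))),
        "wrong_audience": failure(lambda: fresh_sp("https://other.example.com/metadata")
                                  .validate(SAMPLE_ASSERTION, parse_ts("2017-02-20T10:01:00Z"))),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The order of the checks matters only for the error reported; what matters for security is that every one of them runs, because an assertion that is correctly signed but meant for another SP, already used, or unsolicited is exactly how a trusted IdP becomes the "lowest entry point" the Trust slide warns about.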

SAML - Federated Single Identity


✤ IdP - Identity Provider (SSO)

✤ ADFS (Active Directory Federation Services)

✤ can be combined with IWA

✤ TFIM (Tivoli Federated Identity Manager)

✤ SP - Service Provider

✤ IBM Domino (web federated login)

✤ IBM SmartCloud

✤ IBM Notes (requires ID Vault) (notes federated login)

SAML Behaviour

✤ IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions

✤ Assertions have three roles

✤ Authentication

✤ Authorisation

✤ Retrieving Attributes

✤ Many kinds of authentication methods are supported depending on your chosen IdP

✤ Once initially federated no subsequent password or credentials are passed

Federation For Social Systems OAuth / OpenID / Facebook Login!

OpenID is identity federation. OAuth is authorisation. OpenID is built on OAuth.

Simplified OAuth Process

1. User asks Facebook (the consumer) to post on their activity stream
2. Facebook goes to Connections (the service provider) and asks for permission to post
3. The service provider gives the consumer a secret key to give to the user and a URL for the user to click on
4. The user clicks on the URL and authenticates with the service provider
5. The service provider, satisfied the secret key is good, will now allow the consumer access to its services

IBM Products As SAML Service Providers

✤ Verse on premises and cloud

✤ Domino

✤ Notes - both on premises and Smartcloud

✤ Connections

✤ WebSphere

Preparation For Federation

Directories and Data: Identity, Location, History, Systems

Identity

✤ Directories that are well constructed and maintained

✤ names

✤ data

✤ accounts

✤ Tie directories together with a common key

Systems

✤ Authorisation

✤ Access Levels

✤ Data Security

✤ Identifying shared attributes

✤ Configuring custom attributes in LDAP and the IdP
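"Tie directories together with a common key" and "identifying shared attributes" are the preparation steps that get skipped most often, and the symptom shows up later as an IdP asserting a name or email that one of the service providers does not recognise. The following is an added example, not code from the slides or from any IBM product, of doing that reconciliation before federation: it joins the user records of several systems on a common key, reports shared attributes whose values disagree, identities that exist in only some systems, records with no key at all, and which attributes are system specific. The sample records, the system names and the choice of employeeNumber as the common key are constructed assumptions.

```python
# Added example (not from the slides): joining the user records of several
# directories on a common key before federating them, so that shared attributes
# which disagree between systems are found before an IdP starts asserting them.
# Records, system names and the common key are constructed assumptions.
COMMON_KEY = "employeeNumber"
SHARED_ATTRIBUTES = ("mail", "displayName")   # attributes the slides describe as shared

# Constructed sample records, one list per system.
DIRECTORIES = {
    "ActiveDirectory": [
        {"employeeNumber": "1001", "sAMAccountName": "gdavis", "mail": "gdavis@example.com", "displayName": "Gab Davis"},
        {"employeeNumber": "1002", "sAMAccountName": "jsmith", "mail": "jsmith@example.com", "displayName": "John Smith"},
        {"sAMAccountName": "aperez", "mail": "aperez@example.com", "displayName": "Ana Perez"},
    ],
    "Domino": [
        {"employeeNumber": "1001", "notesName": "CN=Gab Davis/O=Turtle", "mail": "GDavis@Example.com", "displayName": "Gab Davis"},
        {"employeeNumber": "1002", "notesName": "CN=John Smith/O=Turtle", "mail": "john.smith@example.com", "displayName": "John Smith"},
    ],
    "Connections": [
        {"employeeNumber": "1001", "favouriteDrink": "Sparkling wine", "mail": "gdavis@example.com", "displayName": "Gabriella Davis"},
    ],
}


def normalise(value):
    """Compare case- and whitespace-insensitively: mail and names are routinely cased differently per system."""
    return " ".join(str(value).split()).lower()


def reconcile(directories, common_key=COMMON_KEY, shared=SHARED_ATTRIBUTES):
    """Join records across systems on the common key and report what federation would trip over."""
    by_key, missing_key, system_specific = {}, [], {}
    for system, records in directories.items():
        for rec in records:
            # anything that is neither the key nor a shared attribute stays with its system
            system_specific.setdefault(system, set()).update(
                k for k in rec if k != common_key and k not in shared)
            key = rec.get(common_key)
            if not key:                      # cannot be tied to anything without the common key
                missing_key.append((system, rec.get("mail", "<no mail>")))
                continue
            by_key.setdefault(key, {})[system] = rec
    conflicts, partial = [], []
    for key, per_system in by_key.items():
        absent = sorted(set(directories) - set(per_system))
        if absent:                           # identity exists in some systems only
            partial.append((key, absent))
        for attr in shared:
            raw = {s: r[attr] for s, r in per_system.items() if attr in r}
            if len({normalise(v) for v in raw.values()}) > 1:
                conflicts.append((key, attr, raw))
    return {"identities": len(by_key), "conflicts": conflicts, "partial": partial,
            "missing_key": missing_key,
            "system_specific": {s: sorted(a) for s, a in system_specific.items()}}


if __name__ == "__main__":
    report = reconcile(DIRECTORIES)
    print(f"{report['identities']} identities tied together by {COMMON_KEY}")
    for key, attr, values in report["conflicts"]:
        print(f"conflict on {attr} for {key}: {values}")
    for key, absent in report["partial"]:
        print(f"{key} is missing from: {', '.join(absent)}")
    for system, mail in report["missing_key"]:
        print(f"{system}: {mail} has no {COMMON_KEY}")
```

With the constructed data the report flags the displayName that Connections holds differently for 1001, the two different mail addresses held for 1002, the fact that 1002 has no Connections record, and the Active Directory account with no employeeNumber; the case-only difference in Domino's mail value is deliberately not reported. Every one of these has to be decided (which system is authoritative, which attributes the IdP will assert) before the custom attributes are configured in LDAP and the IdP.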

Location

✤ Different behaviour in different locations

✤ Locations define data

✤ Why are you here? What is your role?

History

✤ What have you done before

✤ Patterns of behaviour

✤ Suggestions based on history, location and identity

Risks

Personas

✤ Do you want to tie everything together?

✤ Do you have the same persona everywhere?

✤ Is the language you use, your opinions, your political views common everywhere, and something you want to share?

Federation

✤ Once all systems are integrated all systems are vulnerable

✤ You are only as protected as your least secure password / authentication model

✤ Understand what services or service providers you have authorised, what information they hold, what their privacy policies are and what their security policies are

✤ Make sure users understand they have to logout

OAuth/OpenID

✤ Theft of credentials

✤ Excessive access and data rights

✤ Theft of data

✤ Brute force guessing of credentials

✤ URL redirects or interceptions through incomplete URL requests

✤ Token interceptions

✤ Puts the user in control - this is not a bad thing
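The redirect and token interception risks in this list come down to a few checks that the service provider and the consumer each have to make in the Simplified OAuth Process above: the provider must only send a code to a redirect URL registered for that consumer, a code must be single use and short lived, and the consumer must only accept a callback for a flow it started. The following is an added example, not code from the slides or from any IBM product, that models the consumer / service-provider exchange as an OAuth 2.0 authorization-code flow (a generalisation of the slides' flow, which uses the older consumer / service-provider terms) with those checks in place. The client IDs, secret, URLs and user are constructed for the example.

```python
# Added example (not from the slides): the consumer / service-provider exchange
# modelled as an OAuth 2.0 authorization-code flow, with the provider- and
# consumer-side checks that address the redirect and token interception risks.
# Client IDs, the secret, URLs and the user are constructed.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 60      # seconds an authorization code stays valid
TOKEN_LIFETIME = 3600   # token expiration policy, as the summary recommends


def query_dict(url_or_query):
    q = urlparse(url_or_query).query if "?" in url_or_query else url_or_query
    return {k: v[0] for k, v in parse_qs(q).items()}


class ServiceProvider:
    """The system whose data is requested (Connections in the slides)."""

    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}

    def register_client(self, client_id, secret, redirect_uris):
        self.clients[client_id] = {"secret": secret, "redirect_uris": set(redirect_uris)}

    def authorize(self, authorize_url, user, now=None):
        """Steps 2-4: the user has authenticated here; validate the request, issue a one-time code."""
        q = query_dict(authorize_url)
        client = self.clients.get(q.get("client_id"))
        if client is None:
            raise PermissionError("unknown client")
        # Exact match only: prefix or substring matching is what lets a foreign host receive the code.
        if q.get("redirect_uri") not in client["redirect_uris"]:
            raise PermissionError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "user": user, "scope": q.get("scope", ""),
                            "expires": (now or time.time()) + CODE_LIFETIME, "used": False}
        # Echo the consumer's state unchanged so it can tie the callback to its own request.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Step 5: exchange the code for a token, bound to the same client and redirect_uri."""
        now = now or time.time()
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        rec = self.codes.get(code)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("code was not issued to this client")
        if rec["redirect_uri"] != redirect_uri:
            raise PermissionError("redirect_uri differs from the authorization request")
        if rec["used"] or now > rec["expires"]:
            raise PermissionError("code expired or already used")
        rec["used"] = True
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": rec["user"], "scope": rec["scope"], "expires": now + TOKEN_LIFETIME}
        return tok


class Consumer:
    """The application acting on the user's behalf (Facebook in the slides)."""

    def __init__(self, client_id, secret, redirect_uri, provider):
        self.client_id, self.secret, self.redirect_uri, self.provider = client_id, secret, redirect_uri, provider
        self.pending_states = set()

    def start(self, scope):
        """Step 1: build the authorization URL the user is sent to, carrying a fresh state value."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://provider.example.com/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client_id,
             "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def finish(self, callback_url):
        """Handle the redirect back: reject callbacks for flows this consumer never started."""
        q = query_dict(callback_url)
        if q.get("state") not in self.pending_states:
            raise PermissionError("state does not match a flow we started")
        self.pending_states.discard(q["state"])
        return self.provider.token(self.client_id, self.secret, q["code"], self.redirect_uri)


def denied(fn):
    try:
        fn()
    except PermissionError as exc:
        return str(exc)
    return None


def run_demo():
    """Run the happy path and three rejected variants; returns the outcome of each."""
    sp = ServiceProvider()
    sp.register_client("facebook-app", "s3cret", ["https://consumer.example.com/callback"])
    consumer = Consumer("facebook-app", "s3cret", "https://consumer.example.com/callback", sp)
    callback = sp.authorize(consumer.start("activities:write"), user="gdavis")
    token = consumer.finish(callback)
    # A request whose redirect_uri points at a look-alike host that is not registered.
    lookalike = consumer.start("activities:write").replace(
        "consumer.example.com%2Fcallback", "consumer.example.com.invalid%2Fcallback")
    return {
        "scope": sp.tokens[token]["scope"],
        "user": sp.tokens[token]["user"],
        "code_reuse": denied(lambda: sp.token("facebook-app", "s3cret", query_dict(callback)["code"],
                                              "https://consumer.example.com/callback")),
        "bad_redirect": denied(lambda: sp.authorize(lookalike, user="gdavis")),
        "forged_state": denied(lambda: consumer.finish(callback.split("&state=")[0] + "&state=forged")),
    }
```

The happy path issues a token scoped to exactly what the user approved; the three rejected cases are the ones the risk list names: a second use of the same code, an authorization request whose redirect URL is not the registered one, and a callback carrying a state the consumer never issued. The token and code lifetimes are the "security policies such as token expiration" the summary asks you to define.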

IOT & Identity

Internet Of Things

✤ A physical device with embedded internet connectivity and “always on” status

✤ The beauty of IOT devices is that they are integrated into your life

✤ there’s no individual authentication

✤ They know everything they need to know simply because of their placement or setup

✤ Their true value is in learning about those things we discussed earlier, preferences, behaviour, patterns

Risks With IOT

✤ Physical devices may now come with built in connectivity as an added feature

✤ Companies who didn’t deploy them for that feature may also not have security policies in place to disable or limit it

✤ Risk assessment happens too late

Risks With IoT

✤ Privacy

✤ Safety

✤ Data Bleed

✤ Additional operational expenses

Summary

Prepare

✤ Have a good directory and define security policies such as token expiration

✤ Protect At Every Point Of Entry

✤ You don’t put a value on the information but someone else will

✤ Your identity has value

✤ Train users to log out, clean caches and understand what multi system access means

✤ Include risk assessment for IoT in any hardware purchasing and deployment

Lots of Good

✤ More passwords and stronger passwords don’t lead to better security

✤ Avoiding passwords entirely but authenticating based on existing information can be more secure

✤ Users are more likely to engage with systems that have fewer barriers to entry

✤ The more systems know about us, how we work and what we need the better they can serve us

✤ There are enormous volumes of data being produced across systems that can be used to save time, cost and effort

Questions?

Notices and disclaimers

Copyright © 2017 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Notices and disclaimers continued

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.