CIS13: The Good, the Bad, and the Government: Wrangling Attributes in the State of Texas
DESCRIPTION
Wendy Nather, Research Director, Enterprise Security Practice, 451 Research
At first, "identities" just meant employees, and then they meant customers and partners. Then the cloud came along, and all hell broke loose. But it's always been a lot more complicated in government due to the intersection of roles, context, legal requirements, public information and privacy rights, and a dynamic environment. This is a real-life case study of the migration from a custom-written, ten-year-old, single sign-on portal with around 60 applications to a COTS IAM product. Thirty minutes can't do it justice, but it'll be enough to bring some of the pain.
TRANSCRIPT
The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas
Wendy Nather @451wendy Research Director, Enterprise Security Practice
The backdrop
Custom-written single sign-on portal (10+ years old)
Provides SSO for ~60-75 apps
External user base of ~50,000
Internal user base of ~800
The challenge: drag it kicking and screaming into some part of the 21st century
Other complicating factors
Family Educational Rights and Privacy Act (FERPA) compliance
~1300 school districts
~8,000 campuses
~20 regional educational service centers (ESCs)
Other partners/stakeholders: other Texas state agencies, higher education, contractors of all kinds, nonprofits, educators, certification bodies … roughly 2500 different organizations
Multiple roles and contexts
TEA employee of some division or cost center, at some position level
Contractors pretending to be TEA employees
Personnel at ESCs, districts, campuses
Administrators, educators, auditors, researchers
People using different applications in different capacities on behalf of multiple organizations
Differing levels of delegation, both organizational and legal
Getting a clue
Professor Plum
  killing
    in the kitchen
      with a lead pipe
      with a candlestick
    in the library
      with a lead pipe
      with a rope
  being killed
    in the kitchen
      with a lead pipe
      with a rope
    in the library
      with a lead pipe
      with a candlestick
Context plus governance = …
Identity authority: who you are
+ Access authority: why you should have access
= Entitlements: what you may access
Example
Workflow example
(Diagram: TEA, ESC, District1, District2, User, two App owners, Delegate)
Constraints
Can't be full federation due to compliance requirements
Principle of least privilege means scoping down wherever possible
Separation of duties requires discrete roles and entitlements
And remember …
Most of the users don't really want to be there.
They are not at all technical.
And you can't fire them.
Moral of the story
Need to be granular with identity, authorization and entitlements for risk and compliance management
Be careful with RBAC – keep it out of your code
IAM is not a project, it's an ongoing journey
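As an added example (not from the talk or the agency's portal), the "identity authority + access authority = entitlements" model and the advice to keep RBAC out of your code, in Python: a user's affiliations are their contexts, the policy lives in a data table rather than in application code, an entitlement is computed only for the organization the user is currently acting on behalf of, and separation of duties is checked across every context the user holds. Application names, organization codes, roles and policy rows are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Affiliation:
    org_id: str    # district/ESC/agency code (constructed values)
    org_type: str  # "district", "esc" or "tea"
    role: str      # "educator", "admin" or "auditor"

@dataclass
class User:
    user_id: str
    affiliations: List[Affiliation] = field(default_factory=list)

# Policy table (hypothetical apps and rules): (app, org_type, role) -> set of
# (action, scope_kind). It is data, so role logic stays out of application code.
POLICY = {
    ("student_records", "district", "educator"): {("read", "own_org")},
    ("student_records", "district", "admin"): {("read", "own_org"), ("write", "own_org")},
    ("student_records", "tea", "auditor"): {("read", "all")},
    ("grant_reports", "district", "admin"): {("submit", "own_org")},
    ("grant_reports", "tea", "auditor"): {("approve", "all")},
}

# Separation of duties: actions one person must never hold together for an app.
SOD_CONFLICTS = {("grant_reports", "submit", "approve")}

def entitlements(user: User, app: str, acting_for: str) -> Set[Tuple[str, str]]:
    """Entitlements for `user` in `app` while acting on behalf of org `acting_for`.
    Only the affiliation for that organization is evaluated, so a user with several
    contexts gets just the scope of the one they selected (least privilege);
    "own_org" scopes resolve to that organization's id, "all" to "*"."""
    granted = set()
    for aff in user.affiliations:
        if aff.org_id != acting_for:
            continue
        for action, scope_kind in POLICY.get((app, aff.org_type, aff.role), set()):
            granted.add((action, "*" if scope_kind == "all" else aff.org_id))
    return granted

def sod_violations(user: User, app: str) -> Set[Tuple[str, str]]:
    """Conflicting actions reachable through any of the user's contexts, not just
    the active one: submitting in one capacity and approving in another is still
    a separation-of-duties failure."""
    reachable = set()
    for aff in user.affiliations:
        reachable |= {a for a, _ in POLICY.get((app, aff.org_type, aff.role), set())}
    return {(a, b) for p, a, b in SOD_CONFLICTS if p == app and {a, b} <= reachable}
```

A user who is an educator at one district, an admin at another and an auditor at the agency gets only the selected district's scope when acting for it, while the SoD check flags that the admin and auditor contexts together reach both submit and approve.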
Questions? Comments? [email protected]