Identity Management for the 21st Century IT Mission

Please download to get full document.

View again

All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
  The 21st century mission is dependent on providing secure and agile access to information across an increasing range of stakeholders, both internal and external to your agency. This comes amidst evolving IT missions, budget challenges, a complete IT compliance landscape and an increased need for rapidly deployable and flexible solutions. This webinar explores integrated identity management solutions and real life use case examples. Presented By • Stephanie McVitty - Account Manager, Compsec • Paul Grassi - Vice President of Federal Programs, Sila Solutions Group • Jim Rice - Vice President of Federal, Layer 7 • Dieter Schuller - VP of Sales, Radiant Logic • Phil McQuitty - Director of Systems Engineering, Sailpoint • Gerry Gebel - President, Axiomatics Americas
Related documents
  • 1. Identity Management for the 21st Century IT Mission Presented By: • Paul Grassi: VP of Federal Programs, Sila Solutions Group • Jim Rice: VP of Federal, Layer 7 • Dieter Schuller: VP of Business Development, Radiant Logic • Gerry Gebel: President, Axiomatics Americas • Phil McQuitty: Director of Systems Engineering, SailPoint • Stephanie McVitty: Account Manager, Compsec Wednesday: August 14, 2013
  • 2. • Today’s Challenges • History: How Did We Get Here? • The Evolution of Access Control • Building Blocks for Agile Access • Creating a Framework for Success • The Ideal ABAC Process • Use Case Deep Dive • Next Steps: Are You ABAC-Ready? Key Discussion Areas 2
  • 3. Today’s Challenges 3
  • 4. • We keep trying to solve a legacy problem with a legacy solution • Made authorization an IT solution, not a business solution • Bogged down with stovepipes, multiple policies, and poorly defined infrastructure • Focused on the door – not the data We have made great progress! Industry deserves credit. Examples of NSTIC/IDESG, NIST 800-162 Draft, FICAM AAES work; focus on attributes and confidence scores • Yet, we’ve done some amazing things How Did We Get Here? 4
  • 6. Action Reusable Policy Agile Access Decisions Agile Access Decisions Federated Identity Federated Attributes Environment Context Resource Attributes Building Blocks for Agile Access 6
  • 7. PROGRAMMATIC AND TECHNICAL MANAGEMENT Portability, Confidence, and Trusted Attributes Access Anywhere Mobility/ Cloud Lifecycle, Governance and Risk Mission Agility ABAC Framework 7
  • 8. Layer 7 Overview 8 Applications & Data Enterprise … Outside Partners / Divisions External Developers Mobile Apps Cloud Services Other Things Layer 7 API Gateways Provide API Access Control for the New “Open” Enterprise
  • 9. Enterprises are Exposing More Connectivity & Security Challenges for Open Enterprise: • Protection of applications exposed over internet • Reuse of information shared across departments, partners, mobile & Cloud • Ease of integration: reconciling disparate identity, data types, standards, services • Federated & Delegated Security • Performance optimization (caching, protocol compression, …) • Brokering cloud services • Proxy connections to social, cloud, notification services that enterprises can control • Cloud interactions • Central governance of policies and security Mobile / Tablet Apps Web Platform Integration Open APIs for Developer Channel Private Cloud Annexes (Savvis or Datacenter) Cloud Services Over the Top TV and Media (Xbox Live and Smart TV) Real-time Partner Integration Login Password This new open, extended enterprise is a hybrid enterprise because it blends inside/outside as well as private/pubic 9
  • 10. Layer 7 Policy Approach API Integration Gateway API Service Manager API Identity & Access Broker API Developer Portal Health Tracking Workflow Performance Global Staging Developer Enrollment API Docs Forums API Explorer RankingsQuotas Plans AnalyticsReporting Config Migration Patch Management Policy Migration Throttling Prioritization Caching Routing Traffic ControlTransformation Security Composition Authentication Single Sign OnAPI KeysEntitlements Token Service OAuth 1.x OAuth 2.0 OpenID Connect 10
  • 11. Layer 7 ABAC Reference Implementation 11
  • 12. RadiantOne Architecture • A Federated Identity Service through Model-Driven Virtualization • Provides all functions of a complete AAES service • Abstraction layer • Platform consists of advanced Virtual Directory Server (VDS), Identity Correlation and Synchronization (ICS), and Cloud Federation Service (CFS) 12
  • 13. RadiantOne Key Capabilities LDAP Directory Active Directory HR Database employeeNumber=2 samAcountName=Andrew_Fuller objectClass=user mail: uid=AFuller title=VP Sales ClearanceLevel=1 Region=PA memberOf=Sales Correlated Identity Virtual View employeeNumber=2 samAccountName=Andrew_Fuller objectClass=user mail: departmentNumber=234 uid=AFuller title=VP Sales givenName=Andrew sn=Fuller departmentNumber=234 EmployeeID=509-34-5855 ClearanceLevel=1 Region=PA UserID=EMP_Andrew_Fuller DeptID=Sales234 cn=Sales objectClass=group member=Andrew_Fuller **Based on identities that have: • ClearanceLevel=1 • title=VP Sales • Region=PA Dynamic Groups Virtual View User Lookup Attribute Server 13
  • 14. Manage Policy Administration Point Decide Policy Decision Point Support Policy Information Point Policy Retrieval Point Enforce Policy Enforcement Point Axiomatics Architecture 14
  • 15. Authorization at Any Layer 15
  • 16. Anywhere Authorization Architecture 16
  • 17. SailPoint Architecture Service Desk Integration Resource Connectors Provisioning Integration Security & Activity Unified Governance Platform Open Connectivity Foundation Cloud SaaS Role Model Policy Model Identity Warehouse Risk Model Workflow Password Management Compliance Management Single Sign-On Identity Analytics SailPoint ICAM Solutions Access Request & Provisioning 17
  • 18. Entitlement Giving Attributes HR Data Security Directory Attributes Ownership Relationships Modeling Review Process Change Process Audit Process System System Target Target BUSINESS PROCESS MANAGEMENT Entitlement Giving Attributes 18
  • 19. Ownership & Responsibility Change Control Versioning History Verification & Review Analytics & Reporting Identity & Access Governance The Business Process of IAM Data Management Entitlement Giving Attributes… HR Data Security Directory Attributes System System Target Target Entitlement Giving Attributes 19
  • 20. Benefits Policy management and insight available to all levels of the organization. Simple Change Management Maximum Efficiency and Flexibility Range of Deployment Options Simple and Effective Management Cost Effective Scalable Interoperable Business- Friendly Management Increased Access to Information Deploy for performance and architectural needs while maintaining 100% conformance with open standards Easy to deploy new policy without underlying changes to application infrastructure. Eliminate time consuming and confusing processes to gain access to information. Benefits of Our Solution Increased Security and Compliance Operational Business 20
  • 21. Access barriers are removed so users can get their jobs done more efficiently. The Ideal Process 21
  • 22. High Level Use Cases Patient can manage record from authorized personal devices Doctor can read from office computer Opts-in and authorizes PCP and staff to view Claims coordinator can only view appointment information Doctor can write to entire record Nurse can read information pertaining to location; can only write demographic info, symptoms, and vital signs Receptionist trained in HIPAA data protection can only view services performed Research organization can only read anonymized cardiac clinical data from hospitals and patients that opt-in 1 3 2 4 5 6 Nurse can “break the glass” to access location agnostic information 22
  • 23. AuthN Services Secure Gateway Conceptual Architecture EHR Systems FederatedIdentityVirtualization Policy Administration R&D Insurance Governance ProviderViewR&DViewInsuranceViewPatientView NPI Registry Patients Attribute Sources Policy Server Hospital 23
  • 24. Intercepts the request Patient Use Case Attempts to update personal EHR to add blood pressure (BP) information and opt-in to share info with doctor Allows Patient Access to EHR System Patient EHR Preferences /Metadata Signed Opt- In Forms Permit Check request validity Verify patient access using registered device Verify accessing own record Request/receive required attributes (EHR owner, authorized devices) List of registered devices Check if authorized Update BP Authorize doctor to access information 1 2 4 3 24
  • 25. Doctor Use Case Attempts to update patient EHR from office computer Intercepts the request Allows doctor access to patient EHR Patient EHR Preferences /Metadata Signed Opt- In Forms Permit Check access from office computer Check if authorized Verify patient opt-in List of signed opt-in forms Hospital Network EHR Check request validity 1 2 Request/receive required attributes (EHR owner, authorized devices) 3 4 25
  • 26. Remaining Use Cases Use Case Request Layer 7 Axiomatics Radiant Logic EHR Nurse Rheumatology nurse requests access to patient EHR •Checks request location/validity •Checks PDP for authorization •Validates nurse/patient relationship •Allows access to specific attributes of patient EHR Provide nurse and patient attributes to PDP Allows nurse access to read patient rheumatology attributes of EHR; write diagnostics “Break Glass” Nurse requests access to patient cardiac information when patient shows heart attack symptoms •Checks request validity •Checks PDP for authorization •Validates environmental attributes from hospital •Validates nurse/patient relationship Provide Hospital, Nurse and Patient attributes to PDP Allows Nurse access to read Rheumatology and Cardiac attributes of EHR, write diagnostics Reception Reception requests access to patient services to prepare bill •Checks request location/validity •Checks PDP for authorization •Validates employee HIPAA training •Validates employee/patient relationship Provide employee and patient attributes to PDP Allows help desk access only to services performed Insurance Insurance claims processor requests access to patient EHR •Checks request location/validity •Checks PDP for authorization •Validate processor employment with insurance company •Validate covered incident •Validate insurance/patient relationship Provide processor, patient, and insurance attributes to PDP Allows claims processor access only to covered incident information Research & Development Cardiovascular research center requests access to all cardiology patient data •Authenticates R&D server •Checks PDP for authorization •Validate research center and scope •Provides SQL PEP to filter result set and return anonymous data Provide employee and research center attributes to PDP Allows employee access only to anonymized data pertaining to research center scope 26
  • 27. Health Care Systems Attribute and Policy Governance Entitlement Giving Attributes Functional Application #1 Functional Application #2 doc doc Ownership & Responsibility Change Control Provision Verification & Review Analytics Identities, certified entitlements & risk scores would be used at the PIP and PDP to make smarter decisions Axiomatics Policy Server Axiomatics Policy Auditor Governance Use Case 27
  • 28. • Establish Governance • Choose your standards • Determine your attributes and metadata • Determine your authoritative sources • Create a taxonomy and data dictionary • Understand your business processes • Determine the business model • Decide who will own policy/policy management • Coordinate with stakeholders across organization, including audit/compliance, privacy, and security operations • Track performance Are You Ready? 28
  • 29. Questions? 29
  • Related Search
    We Need Your Support
    Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

    Thanks to everyone for your continued support.

    No, Thanks