IBM Security Systems

Identity and Access Management solutions family
www.ibm.com/security

Juan Paulo Cabezas, IBM Security Systems Architect
jcabezas@cl.ibm.com

© 2012, 2014 IBM Corporation
Agenda

Introduction
IBM Security Access Manager
Federated Identity Manager
IBM Security Directory Integrator
IBM Security Identity Manager
Questions


INTRODUCTION
IBM provides security solutions through a broad framework

Intelligence

Integration

Expertise

* Using the IBM Security Framework: http://www.redbooks.ibm.com/abstracts/sg248100.html?Open


IBM Provides Threat-Aware Identity and Access Management

Capabilities to help organizations secure enterprise identity as a new perimeter

Safeguard mobile, cloud and social interactions
• Validate “who is who” when users connect from outside the enterprise
• Enforce proactive access policies on cloud, social and mobile collaboration channels

Prevent insider threat and identity fraud
• Manage shared access inside the enterprise
• Defend applications and access against targeted web attacks and vulnerabilities

Deliver intelligent identity and access assurance
• Enable identity management for the line of business
• Enhance user activity monitoring and security intelligence across security domains

Simplify identity silos and cloud integrations
• Provide visibility into all available identities within the enterprise
• Unify “Universe of Identities” for security management
IBM IAM Vision


IBM IAM Vision – Our Capabilities Mapping

Products placed on the vision diagram:
• QRadar Security Intelligence
• Access Manager
• Security Policy Manager
• Privileged Identity Manager
• Identity Manager
• ESSO
• Federated Identity Manager
• Directory Server
• Directory Integrator


Summary of IBM capabilities

Safeguard mobile, cloud and social access
• Access Manager for Mobile
• Access Manager for Web

Prevent advanced insider threats
• Privileged Identity Manager
• Access Manager for ESSO

Simplify cloud integrations and identity silos
• Federated Identity Manager
• Directory Integrator & Server

Deliver actionable identity intelligence
• Identity Manager
• Identity and Access Assurance


IBM SECURITY ACCESS MANAGER
IBM Security Access Management family

IBM Security Access Manager for Web (Web Access)
• Integrated secure user access and session management, and web content protection, in a hardware or virtual appliance form factor.
• Enhanced web access management capabilities with native 64-bit support, ease of deployment and integration
• Hardware appliance (Access Manager Proxy 5100) supports standalone deployments and/or integration with external LDAP and policy servers
• Web Application Firewall module with integrated SSL (reverse proxy)
• Provides a front-end load balancer

IBM Security Access Manager for Mobile (Risk-based Access, Federated Access)
• Enhanced federation capabilities and built-in risk engine for context-based access control.
• OTP authentication support via e-mail and mobile phone
• New UI for SaaS and Cloud SSO setup
• Native integration with Google Apps, Salesforce.com, Office 365 and Workday for rapid enablement and access control.
• Support for standards such as OAuth, OpenID and SAML, among others.
IBM Security Access Manager 8.0 - Innovative and Differentiating IAM Capabilities

Empowering clients to more easily deliver end-to-end security solutions to mitigate the risks associated with a diverse set of Web, Mobile and Cloud applications

1. Embedded Threat Protection for Web & Mobile
   Tolly Group evaluation validates that ISAM for Web is able to effectively protect against 100% of OWASP Top 10 web application risks while maintaining high performance and scalability

2. Integrated Security Intelligence
   As the centralized policy enforcement point for all Web-based access, ISAM generates actionable events for QRadar SIEM that enable clients to stay ahead of threats and demonstrate regulatory compliance

3. Protection from High Risk Mobile Devices
   Out-of-the-box consumption of Trusteer Mobile SDK and Secure Browser context data enables users to create comprehensive access policies that include fraud and malware detection without modifying applications

4. Built-in Identity Assurance for IBM Worklight
   Built-in support to seamlessly authenticate and authorize users of Worklight developed mobile applications and provide additional value-add with context based access enforcement

5. Modular Access Management Platform
   Consolidated platform allows both Web and Mobile capabilities to be licensed as needed, including flexible deployment options with both physical and virtual appliance form factors
Simplify the Creation of Mobile-Centric Security Policies

Streamlined user experience enables rapid deployment of complex access policies

Enhanced:
• IBM SAM for Mobile offers a new easy-to-use visual editor for creating reusable multi-factor authentication policies
  - Out-of-the-box multi-factor authentication policies including TOTP, HOTP, etc.
  - Create custom auth policies
• Extensible policy information points (PIPs) make it easier to include external data as part of context-based access (CBA) decisions
  - REST (XML/JSON)
  - JavaScript
  - JDBC and LDAP
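As an added illustration (not part of the deck and not the ISAM for Mobile policy engine), the following Python sketches how a context-based access decision consumes attributes from policy information points: three small PIPs stand in for the REST, JDBC and LDAP sources named above, risk rules score the enriched request context, and thresholds map the score to permit, step-up or deny. The attribute names, weights, thresholds, the sample feeds and the `failing_pip` helper are all assumptions made for this example.

```python
"""Context-based access (CBA) decision fed by pluggable policy information points.

Added illustration, not the ISAM for Mobile policy engine: the PIP interface,
attribute names, risk weights and thresholds are assumptions for this example.
"""

# Constructed stand-ins for the external sources a PIP would query
# (a REST reputation feed, a JDBC device table, an LDAP group lookup).
IP_REPUTATION_FEED = {"203.0.113.7": "malicious", "198.51.100.20": "clean"}
REGISTERED_DEVICES = {"alice": {"dev-1"}, "bob": {"dev-9"}}
LDAP_GROUPS = {"alice": {"finance", "staff"}, "bob": {"staff"}}


# A PIP is any callable: request context in, dict of extra attributes out.
def ip_reputation_pip(ctx):
    return {"ipReputation": IP_REPUTATION_FEED.get(ctx.get("ip"), "unknown")}


def device_pip(ctx):
    known = REGISTERED_DEVICES.get(ctx.get("user"), set())
    return {"deviceRegistered": ctx.get("deviceId") in known}


def ldap_group_pip(ctx):
    return {"groups": LDAP_GROUPS.get(ctx.get("user"), set())}


def failing_pip(ctx):
    """Simulates an unreachable attribute source (assumed helper for the demo)."""
    raise ConnectionError("reputation feed unreachable")


DEFAULT_PIPS = (ip_reputation_pip, device_pip, ldap_group_pip)

# Risk rules: (reason, predicate over the enriched context, weight).
# Missing attributes take the risky default, so a failed PIP never lowers the score.
RISK_RULES = (
    ("ip reputation malicious", lambda c: c.get("ipReputation", "unknown") == "malicious", 100),
    ("ip reputation unknown", lambda c: c.get("ipReputation", "unknown") == "unknown", 30),
    ("device not registered", lambda c: not c.get("deviceRegistered", False), 30),
    ("high-value transaction", lambda c: c.get("amount", 0) > 1000, 25),  # from request payload
)
STEP_UP_THRESHOLD = 30   # at or above: demand a second factor (e.g. an OTP)
DENY_THRESHOLD = 80      # at or above: refuse outright

# Resource rule: access under a path prefix requires an LDAP-sourced group.
RESOURCE_GROUPS = {"/finance/": "finance"}


def enrich(ctx, pips=DEFAULT_PIPS):
    """Run every PIP; a PIP that fails contributes nothing (fail closed via defaults)."""
    enriched = dict(ctx)
    for pip in pips:
        try:
            enriched.update(pip(enriched))
        except Exception:
            pass
    return enriched


def evaluate(ctx, pips=DEFAULT_PIPS):
    """Return (decision, score, reasons) for one request context."""
    c = enrich(ctx, pips)
    reasons = [name for name, pred, _ in RISK_RULES if pred(c)]
    score = sum(weight for _, pred, weight in RISK_RULES if pred(c))
    for prefix, group in RESOURCE_GROUPS.items():
        if c.get("resource", "").startswith(prefix) and group not in c.get("groups", set()):
            return "deny", score, reasons + [f"not in group {group} required for {prefix}"]
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step-up", score, reasons
    return "permit", score, reasons


if __name__ == "__main__":
    request = {"user": "alice", "ip": "192.0.2.1", "deviceId": "dev-1",
               "resource": "/home", "amount": 5000}
    print(evaluate(request))
```

The fail-closed behaviour is the point to notice: when a PIP is unreachable, the missing attribute falls back to its risky default (unknown reputation, unregistered device), so an outage in an attribute source raises the score toward step-up rather than silently permitting.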
More Rapidly Respond to Emerging Threats & Security Requirements

Appliance form factor enables faster time to value with intuitive user experience and consistent policy enforcement across multiple applications & channels

IBM Security Access Manager
• User-centric GUI for authoring comprehensive risk based policies that can be attached to multiple applications
• SDK to integrate with 3rd party authentication vendors to leverage your existing investment
• Highly scalable virtual and HW appliances reduce TCO of solution
Additional Authentication Mechanisms (ISAM for Mobile)

• Knowledge question authentication (e.g., “What is your favorite color?”)
• End User Agreement mechanism, can be inserted into an authentication flow.


ISAM Registry Enhancements: Embedded Registry & Federated Registry

• Embedded registry will be supported in a clustered HA environment (8.0.0.4)
• Embedded registry can be used for storing metadata and keep user records in remote directories
• No schema or ISAM metadata (aka secAuthority=Default) needs to be stored on any federated registry
• Enables native support for Microsoft Active Directory with no schema updates!
• New ‘Basic’ User type introduced that doesn’t require the user to be ‘imported’ and/or have a secUser LDAP object.

Diagram: clients reach the applications through the ISAM for Web proxy on the ISAM appliance. The appliance holds the ISAM Registry (embedded registry, which can include all metadata, user & group data); the ISAM metadata can also be on an external registry such as IBM Directory + ISAM Registry, Active Directory or Oracle Directory.
Scenarios 3 & 6: Context Based Access Control + Web Application Firewall

Production deployment – Mixed physical and virtual appliances

Diagram: three zones (Untrusted, DMZ, Application). The application zone holds the ISDS Directory Server and the DB2 Runtime Database; Web and Mobile appliances in the DMZ provide Policy Server, Load Balancer, Distributed Session Cache, Content Protection, Authentication Services, Reverse Proxy, Context/Risk Based Access and OAuth Authorisation Server, in front of the Web and Mobile applications.

Development and test environment – “All in one” virtual appliances

Diagram: a single Web/Mobile appliance provides Content Protection, Reverse Proxy, Policy Server, Distributed Session Cache, Internal LDAP, Internal Runtime Database, Authentication Services, Context/Risk Based Access and OAuth Authorisation Server.


WAF : Custom Responses

(screenshots) Custom action / Default action


WAF : Auditing

Logging can be sent to:
1) File
2) Remote Azn server
3) Remote syslog server


Access Manager: Current Scenario to Product Mapping (1 of 2)

Scenario – Product(s)

1. Coarse-grained web & mobile authorization – ISAM for Web
   Providing the ability to secure access to resources at the URL level based on the user and their group memberships.

2. Authentication Services: out-of-the-box 2-factor authentication – ISAM for Mobile
   Providing out-of-the-box strong authentication mechanisms and context-enabled authentication policy. Different forms of one-time password delivered via SMS or e-mail, and non-delivery types like HMAC OTP (HOTP & TOTP).

3. Mobile device registration, SSO and revocation – ISAM for Mobile
   Removes the need for mobile devices to store the primary credentials (userid/pwd) or even use them on the device, and allows the user to revoke the registered device if it’s lost or stolen.

4. Context-based access control and risk-based access – ISAM for Mobile
   Scenarios that require authorization decisions based on context that comes from the transaction, environment, resource and action. Context can take many forms, for example: geolocation-aware device, IP reputation of the connecting device, transaction details located in the request’s payload, Trusteer’s Mobile SDK data (e.g., is there malware on the mobile device) & several other sources including 3rd party business applications.

5. Browser-based Federated Single Sign-on – Federated Identity Manager
   Providing standards-based federated SSO capabilities. Protocols like SAML2, WS-Federation, OpenID 1.0/2.0, etc.

6. Web Application Firewall – ISAM for Web
   When enabled provides protection against OWASP top 10 attacks and several others.
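The HMAC-based one-time passwords named on the policy slide (TOTP, HOTP) and in scenario 2 above (the non-delivery HOTP & TOTP types) are standardized in RFC 4226 and RFC 6238. The Python below is an added example, not ISAM code: it shows how both codes are generated and how a server verifies them, with a look-ahead window and replay rejection for HOTP and clock-skew tolerance for TOTP. The secret is the published RFC test secret, constructed here as test input.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and verification.

Added example, not ISAM product code: it shows how the "non-delivery"
one-time-password types listed on the slides (HMAC OTP: HOTP & TOTP) are
computed and how a verifier accepts them without allowing replay.
"""
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Constructed test input: a real deployment provisions a random secret per user.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP = HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, digestmod)


def verify_hotp(secret, code, last_counter, look_ahead=10, digits=6):
    """Check a submitted HOTP against a look-ahead window of counters.

    Counters up to and including last_counter were already used, so they are
    rejected (replay protection). Returns the matching counter, which the
    caller must persist as the new last_counter, or None if nothing matched.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def verify_totp(secret, code, for_time=None, step=30, digits=6, skew=1):
    """Accept the current time step plus/minus `skew` steps to tolerate clock drift."""
    if for_time is None:
        for_time = time.time()
    base = int(for_time // step)
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(base - skew, base + skew + 1)
    )


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP now:", totp(RFC_SECRET))
```

Two verifier details matter in practice: the HOTP look-ahead window lets a token that was pressed a few times without being used resynchronize, while still refusing any counter already accepted; and `hmac.compare_digest` keeps the comparison constant-time, so a wrong guess takes as long as a right one.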
Access Manager: Current Scenario to Product Mapping (2 of 2)

Scenario – Product(s)

7. API Protection / OAuth support – ISAM for Mobile, Federated Identity Manager
   OAuth 2.0 delegated authorization policy management. Can be used for integration with Facebook and LinkedIn.

8. Identity / Token mediation – Federated Identity Manager
   Support for WS-Trust XML token exchange, issue and validation using a security token service. Most commonly used in scenarios where enterprise service buses (Message Broker / DataPower) are leveraged to connect program-to-program communication that requires validation and transformation of token types to connect the different endpoints.

9. Securing hybrid mobile applications – ISAM for Mobile
   Hybrid mobile applications display a mix of native interfaces and web interfaces, allowing for dynamic rich web content to be returned.

10. Securing Worklight mobile applications – ISAM for Mobile
    Securing applications that are built on the Worklight mobile development platform.

11. B2C User self-care – Federated Identity Manager
    Enabling the user to self-enroll, reset their password, and self un-enroll.


Authentication with third parties


FEDERATED IDENTITY MANAGER
Federated Identity Manager: Enabling user access to a wide variety of apps including cloud, SaaS and web services
Simplify cloud integrations and identity silos

Diagram: External IdPs and Enterprise IdPs on one side, Enterprise Applications and Cloud Applications on the other, linked through Federated Identity Management under an IT Administrator; On Premise Cloud Stacks and Off Premise Cloud Stacks.

• Consumer Federation and SSO with support for standard protocols like SAML, OAuth, OpenID, WS-Trust
• Built-in B2C self service and authentication for scalability & flexible integration to improve identity assurance
• Ease of deployment and integration to support rapid Cloud, SaaS and application-level federation
• Cross platform SSO with built-in Security Token Service (STS) that transforms between inbound and outbound security tokens like SAML, Kerberos, LTPA
IBM SECURITY DIRECTORY INTEGRATOR
Key Features
Simplify cloud integrations and identity silos

IBM Security Directory Server and Integrator
Federated Directory Services: White Pages, User Management, Search, Federate, Cache, Virtualize

• Universal directory to transform identity silos and to support “virtual directory”-like deployments
• Scalable directory backbone leveraging existing infrastructure for enterprise-wide Identity and Access Management
• Simplified sourcing of identities and attributes in Cloud for enterprise applications, Cloud/SaaS integrations
• Intelligent White Pages search with social networking feature to enable intuitive identity store browsing
• In-depth user insight with out of the box reports and IBM SIEM QRadar integration


“Untangle” identity silos to support business growth and increase efficiency
Simplify cloud integrations and identity silos

• Migrate or co-exist
• Selective “writes” of changes to the original source
• Join multiple directories
• Federate authentication back to original source
• Enrich with data from other sources
• SCIM REST interface for LDAP server

Federated Directory Server is a directory integration solution for distributed authentication and data consolidation
Directory – What’s New
Simplify cloud integrations and identity silos

NEW
• Faster integration to support on-boarding of users into IBM Security Access Manager (ISAM) for both single and multiple directory environments
• Enhanced support for user on-boarding to Cloud applications and SCIM-enabled targets through the SCIM connector
• Greater ease of use and navigability through the new integrated LDAP browser
• In-depth user insight with the new QRadar connector, LDAP group connector and Cognos based reporting features
• Increased security with support for Pass-through Authentication in “secure” mode
• Other new features like support for SDS client on LE Linux, and enhanced ADSync utility
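The SCIM interface named on this slide and the previous one (SCIM REST interface for the LDAP server, SCIM connector for user on-boarding) moves identities between a SCIM client and a directory, so the connector must map RFC 7643 User attributes onto LDAP attributes and emit well-formed LDIF. The Python below is an added example, not Directory Integrator's SCIM connector; the base DN, the inetOrgPerson mapping and the sample user are assumptions.

```python
"""Map a SCIM 2.0 User (RFC 7643 core schema) onto an LDAP inetOrgPerson entry
and render it as LDIF (RFC 2849).

Added example, not IBM Security Directory Integrator's SCIM connector: it shows
the attribute mapping and the escaping such a connector has to get right.
Base DN, attribute choices and the sample user are assumptions.
"""
import base64
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# SCIM attribute path -> LDAP attribute (inetOrgPerson, RFC 2798); assumed mapping
SIMPLE_MAP = {
    ("userName",): "uid",
    ("name", "givenName"): "givenName",
    ("name", "familyName"): "sn",
    ("name", "formatted"): "cn",
    ("displayName",): "displayName",
    ("title",): "title",
}
# SCIM multi-valued complex attribute -> LDAP attribute ('value' sub-attribute is used)
MULTI_MAP = {"emails": "mail", "phoneNumbers": "telephoneNumber"}

# Constructed sample resource in the style of the RFC 7643 examples.
SAMPLE_SCIM_USER = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "name": {"givenName": "Barbara", "familyName": "Jensen", "formatted": "Barbara Jensen"},
    "emails": [{"value": "babs@example.org", "type": "home"},
               {"value": "bjensen@example.com", "type": "work", "primary": True}],
    "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}],
    "active": True,
})


def _lookup(obj, path):
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _values(items):
    """'value' sub-attributes of a multi-valued attribute, primary first, deduplicated."""
    ordered = [i["value"] for i in items if i.get("primary")] + \
              [i["value"] for i in items if not i.get("primary")]
    return list(dict.fromkeys(ordered))


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def scim_to_ldap(scim_json, base_dn):
    """Return (dn, attributes) for the LDAP entry corresponding to a SCIM User."""
    user = json.loads(scim_json)
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    if not user.get("userName"):
        raise ValueError("userName is required: it becomes the RDN")
    entry = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
    for path, ldap_attr in SIMPLE_MAP.items():
        value = _lookup(user, path)
        if value:
            entry[ldap_attr] = [value]
    for scim_attr, ldap_attr in MULTI_MAP.items():
        values = _values(user.get(scim_attr, []))
        if values:
            entry[ldap_attr] = values
    # 'person' makes sn and cn mandatory; fall back to userName if name is absent
    entry.setdefault("sn", [user["userName"]])
    entry.setdefault("cn", [user["userName"]])
    # 'active' is deliberately not mapped: directories model disablement differently
    # (e.g. Active Directory's userAccountControl), so that part is target-specific.
    dn = f"uid={escape_rdn_value(user['userName'])},{base_dn}"
    return dn, entry


def ldif_value(attr, value):
    """One LDIF line; values that are not SAFE-STRINGs (RFC 2849) are base64 encoded."""
    safe = value.isascii() and not any(c in value for c in "\x00\r\n") \
        and not value.startswith((" ", ":", "<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(dn, entry):
    lines = [ldif_value("dn", dn)]
    for attr, values in entry.items():
        lines.extend(ldif_value(attr, v) for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dn, entry = scim_to_ldap(SAMPLE_SCIM_USER, "ou=people,dc=example,dc=com")
    print(to_ldif(dn, entry))
```

The two escaping steps are where real connectors go wrong: a userName containing a comma or leading space would otherwise produce a malformed DN, and a non-ASCII display name written as a bare LDIF value would be rejected or mangled by the importer, so both are handled explicitly.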
