User Provisioning: High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors
161 pages
English


Description

User provisioning refers to the creation, maintenance and deactivation of user objects and user attributes, as they exist in one or more systems, directories or applications, in response to automated or interactive business processes. User provisioning software may include one or more of the following processes: change propagation, self service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers or other recipients of a service. Services may include electronic mail, inclusion in a published user directory, access to a database, access to a network or mainframe, etc. User provisioning is a type of identity management software, particularly useful within organizations, where users may be represented by multiple objects on multiple systems.


This book is your ultimate resource for User Provisioning. Here you will find the most up-to-date information, analysis, background and everything you need to know.


In easy to read chapters, with extensive references and links to get you to know all there is to know about User Provisioning right away, covering: User provisioning software, BoKS (software), CAPTCHA, Central Authentication Service, Enigform, Local Security Authority Subsystem Service, PassWindow, Radiator RADIUS server, ReCAPTCHA, Security Accounts Manager, Identity management, Windows CardSpace, CCSO Nameserver, Certification on demand, Common Indexing Protocol, Credential, Digital identity, Directory information tree, Directory System Agent, Electronic authentication, Federated identity, Federated identity management, Federated Naming Service, Future of Identity in the Information Society, Group (computing), Identity access management, Identity as a service, Identity assurance, Identity Assurance Framework, Identity change, Identity Governance Framework, Identity intelligence, Identity management system, Identity Management Theory, Identity metasystem, Identity score, Information Card, Information Card Foundation, Liberty Alliance, Scott Mitic, Mobile identity management, Mobile signature, Mobile Signature Roaming, Multi-master replication, Novell Storage Manager, Online identity management, Oracle Identity Management, Organizational Unit, Password management, Password manager, Privacy, Privacy-enhancing technologies, Profiling practices, Service Provisioning Markup Language, Syncope (software), Trombinoscope, User profile, White pages schema, Athens (access and identity management service), Courion Corporation, Forefront Identity Manager, FreeIPA, Hitachi ID Systems, IBM Tivoli Access Manager, IBM Tivoli Identity Manager, Imprivata, Microsoft Identity Integration Server, Novell Identity Manager, OpenPTK, Optimal IdM, Password synchronization, Self-service password reset


This book explains in-depth the real drivers and workings of User Provisioning. It reduces the risk of your technology, time and resources investment decisions by enabling you to compare your understanding of User Provisioning with the objectivity of experienced professionals.

Information

Publication date: 24 October 2012
Number of reads: 0
EAN13: 9781743048863
Language: English
File size: 4 MB

Legal information: rental price per page €0.1598. This information is given for guidance only, in accordance with the legislation in force.

Excerpt

Topic relevant selected content from the highest rated entries, typeset, printed and shipped.
Combine the advantages of up-to-date and in-depth knowledge with the convenience of printed books.
A portion of the proceeds of each book will be donated to the Wikimedia Foundation to support their mission: to empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.
The content within this book was generated collaboratively by volunteers. Please be advised that nothing found here has necessarily been reviewed by people with the expertise required to provide you with complete, accurate or reliable information. Some information in this book may be misleading or simply wrong. The publisher does not guarantee the validity of the information found here. If you need specific advice (for example, medical, legal, financial, or risk management) please seek a professional who is licensed or knowledgeable in that area.
Sources, licenses and contributors of the articles and images are listed in the section entitled "References". Parts of the books may be licensed under the GNU Free Documentation License. A copy of this license is included in the section entitled "GNU Free Documentation License".
All used third-party trademarks belong to their respective owners.
Contents

Articles
User provisioning software (p. 1)
BoKS (software) (p. 4)
CAPTCHA (p. 7)
Central Authentication Service (p. 12)
Enigform (p. 13)
Local Security Authority Subsystem Service (p. 14)
PassWindow (p. 15)
Radiator RADIUS server (p. 16)
reCAPTCHA (p. 17)
Security Accounts Manager (p. 20)
Identity management (p. 21)
Windows CardSpace (p. 27)
CCSO Nameserver (p. 30)
Certification on demand (p. 32)
Common Indexing Protocol (p. 32)
Credential (p. 33)
Digital identity (p. 37)
Directory information tree (p. 41)
Directory System Agent (p. 42)
Electronic authentication (p. 43)
Federated identity (p. 45)
Federated identity management (p. 45)
Federated Naming Service (p. 47)
Future of Identity in the Information Society (p. 47)
Group (computing) (p. 49)
Identity access management (p. 50)
Identity as a service (p. 52)
Identity assurance (p. 53)
Identity Assurance Framework (p. 55)
Identity change (p. 58)
Identity Governance Framework (p. 59)
Identity intelligence (p. 61)
Identity management system (p. 62)
Identity Management Theory (p. 65)
Identity metasystem (p. 66)
Identity score (p. 69)
Information Card (p. 73)
Information Card Foundation (p. 79)
Liberty Alliance (p. 80)
Scott Mitic (p. 84)
Mobile identity management (p. 85)
Mobile signature (p. 87)
Mobile Signature Roaming (p. 89)
Multi-master replication (p. 90)
Novell Storage Manager (p. 93)
Online identity management (p. 94)
Oracle Identity Management (p. 96)
Organizational Unit (p. 99)
Password management (p. 100)
Password manager (p. 100)
Privacy (p. 102)
Privacy-enhancing technologies (p. 112)
Profiling practices (p. 116)
Service Provisioning Markup Language (p. 121)
Syncope (software) (p. 124)
Trombinoscope (p. 126)
User profile (p. 127)
White pages schema (p. 127)
Athens (access and identity management service) (p. 128)
Courion Corporation (p. 131)
Forefront Identity Manager (p. 134)
FreeIPA (p. 135)
Hitachi ID Systems (p. 136)
IBM Tivoli Access Manager (p. 137)
IBM Tivoli Identity Manager (p. 138)
Imprivata (p. 138)
Microsoft Identity Integration Server (p. 139)
Novell Identity Manager (p. 143)
OpenPTK (p. 145)
Optimal IdM (p. 146)
Password synchronization (p. 148)
Self-service password reset (p. 149)

References
Article Sources and Contributors (p. 152)
Image Sources, Licenses and Contributors (p. 156)

Article Licenses
License (p. 157)
User provisioning software

User provisioning software is software intended to help organizations more quickly, cheaply, reliably and securely manage information about users on multiple systems and applications. It is a type of identity management system.
Background: Systems, Applications and Users

People are represented by user objects or login accounts on different systems and applications. Examples of systems and applications include:
- LDAP directories.
- Microsoft Active Directory and Novell eDirectory.
- Operating systems such as Linux, Unix, Solaris, AIX, HP-UX and Windows Server.
- Mainframe security products such as RACF, CA ACF/2 and CA TopSecret.
- ERP applications such as SAP R/3, PeopleSoft, JD Edwards, Lawson Financials and Oracle eBusiness Suite.
- E-mail systems such as Microsoft Exchange and Lotus Notes.
- Databases such as Oracle, Microsoft SQL Server, IBM DB2 and MySQL.
- A variety of other custom or vertical-market systems and applications.

User objects generally consist of:
- A unique identifier.
- A description of the person who has been assigned the user object, principally their name.
- Contact information for that person, such as their e-mail address, phone numbers, mailing address, etc.
- Organizational information about that person, such as the ID of their manager, their department or their location.
- A password and/or other authentication factors.

Note that users need not be able to log in to a system or application. The user object may be a record in an HR application or an entry in a phone book system, which the user cannot log into but which nonetheless represents the user.

User objects are generally connected to other parts of a system or application through security entitlements. On most systems, this is done by placing a user into one or more security groups, where users of each group are granted some security rights.
User Lifecycle Processes
Organizations implement business processes to create, manage and delete user objects on their systems and applications:

Onboarding:
- Represents the steps taken when a new employee is hired, a contractor starts work, or a customer or partner is granted access to systems.
- This term alludes to the process of loading passengers onto a commercial airliner.

Management:
- Users are dynamic: they change names, addresses, responsibilities and more.
- Changes experienced by users in the physical world must be reflected by user objects on systems and applications.

Support:
- Users sometimes experience problems with systems and applications. They may forget their password or require new security entitlements, for example.
- User support means changing data about users on systems and applications, resetting user passwords and so on, to resolve user problems.

Deactivation:
- Users have a finite lifespan and normally an even shorter relationship with an organization where a system or application is managed.
- When users leave (termination, resignation, retirement, end of contract, end of customer relationship, etc.), their access to systems and applications should likewise be deactivated.

Incidentally, the term lifecycle does not imply that users who have been deactivated will necessarily be onboarded again. However, this does happen. For example, employees may leave a company and be re-hired later, or contractors may end their contract only to be hired as employees.
User Provisioning Systems

User provisioning systems are intended to help organizations streamline user lifecycle processes so that updates to user objects on their systems and applications can be made:
- More quickly, so users don't have to wait for changes.
- More efficiently, to reduce the cost of managing systems and applications in response to user lifecycle events.
- More securely, to reduce the risk of system compromise due to user objects that have outlived their usefulness, due to inappropriate security entitlements and due to easily guessed or otherwise compromised passwords.
User Provisioning Processes

A user provisioning system may implement one or more processes to achieve the aforementioned goals. These processes may include:
- Auto-provisioning. For example:
  - Monitor an HR application and automatically create new users on other systems and applications when new employee records appear in the HR database.
- Auto-deactivation. For example:
  - Monitor an HR application and automatically deactivate user objects on other systems and applications when an employee record either disappears or is marked as inactive in the HR database.
  - Automatically deactivate user objects for users, such as contractors, whose scheduled termination date has passed.
- Identity synchronization. For example:
  - When changes in a user's e-mail address are detected on a mail system, automatically update the same user's e-mail address on other systems.
  - When changes in a user's name, phone number or mailing address are detected on an HR system, automatically update the same user's e-mail address on other systems.
- Self-service profile changes. For example:
  - Allow users to update their own contact information.
- Self-service access requests. For example:
  - Allow users to request access to systems and applications.
- Delegated access requests. For example:
  - Allow managers to request access to systems and applications on behalf of their direct subordinates.
- Authorization workflow. For example:
  - Ask business stakeholders to review and either approve or reject proposed changes to user profiles or access rights.
- Access certification. For example:
  - Periodically ask managers to verify that their direct subordinates (a) are still employed with the organization and (b) still report to them.
  - Periodically ask data or application owners to verify the list of users with access to their data or application.
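The auto-provisioning, auto-deactivation and identity-synchronization processes above all reduce to one reconciliation: compare the authoritative HR feed with the accounts on a target system and emit the differences as actions. The following is an added example, not code from the book; the HR records, account data, field names and the run date are all constructed, and the contractor end-date rule treats a date strictly before today as "passed".

```python
"""Reconcile an HR feed against a target system's accounts (added example,
not from the book): derives auto-provisioning, auto-deactivation and
identity-synchronization actions from constructed HR and account data."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    email: str
    active: bool                  # False when HR marks the person inactive
    end_date: date | None = None  # scheduled termination date (contractors)

@dataclass
class Account:
    employee_id: str
    name: str
    email: str
    enabled: bool

def reconcile(hr: list[HrRecord], accounts: list[Account], today: date) -> list[tuple]:
    """Return (action, employee_id, detail) tuples, sorted by employee id."""
    hr_by_id = {r.employee_id: r for r in hr}
    acct_by_id = {a.employee_id: a for a in accounts}
    actions: list[tuple] = []
    for eid, rec in hr_by_id.items():
        expired = rec.end_date is not None and rec.end_date < today
        should_exist = rec.active and not expired
        acct = acct_by_id.get(eid)
        if acct is None:
            if should_exist:  # auto-provisioning: HR record with no account yet
                actions.append(("create", eid, {"name": rec.name, "email": rec.email}))
            continue
        if not should_exist:  # auto-deactivation: inactive or past end date
            if acct.enabled:
                actions.append(("deactivate", eid, "inactive" if not rec.active else "end_date passed"))
            continue
        # identity synchronization: propagate attributes that changed in HR
        changed = {f: getattr(rec, f) for f in ("name", "email")
                   if getattr(rec, f) != getattr(acct, f)}
        if changed:
            actions.append(("update", eid, changed))
        if not acct.enabled:  # re-hire: account exists but was deactivated earlier
            actions.append(("enable", eid, "re-hired"))
    for eid, acct in acct_by_id.items():  # account whose HR record disappeared
        if eid not in hr_by_id and acct.enabled:
            actions.append(("deactivate", eid, "no HR record"))
    return sorted(actions, key=lambda a: (a[1], a[0]))

# Constructed sample data; the run date is the book's publication date.
TODAY = date(2012, 10, 24)
HR = [
    HrRecord("e100", "Alice Smith", "alice@example.test", True),
    HrRecord("e101", "Bob Jones", "bob.jones@example.test", True),  # e-mail changed
    HrRecord("e102", "Carol White", "carol@example.test", False),   # marked inactive
    HrRecord("c200", "Dan Contractor", "dan@example.test", True, date(2012, 9, 30)),
    HrRecord("e103", "Eve New", "eve@example.test", True),          # new hire
]
ACCOUNTS = [
    Account("e100", "Alice Smith", "alice@example.test", True),
    Account("e101", "Bob Jones", "bob@example.test", True),
    Account("e102", "Carol White", "carol@example.test", True),
    Account("c200", "Dan Contractor", "dan@example.test", True),
    Account("x999", "Orphan Account", "orphan@example.test", True),  # not in HR
]

if __name__ == "__main__":
    for action in reconcile(HR, ACCOUNTS, TODAY):
        print(action)
```

The orphaned account x999 is the case the text's "more securely" goal is about: an object with no owner in the authoritative source that would otherwise outlive its usefulness.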
User Provisioning System Components

A user provisioning system must, in general, include some or all of the following components:
- Connectors, to read information about users from integrated systems and applications and to send updates (e.g., create new user, delete user, modify user information) back to those systems and applications.
- An internal database that tracks user objects and other data from integrated systems and applications.
- An auto-discovery system, which populates the internal database using the connectors.
- A user interface where users can review the contents of the internal database, make change requests, approve or reject proposed changes, etc.
- A workflow engine, used primarily to invite users to review and either approve or reject changes.
- A policy engine, which evaluates both current user information and proposed changes to see if they meet corporate rules and regulations.
- A reporting engine, which helps organizations extract information from the internal database.
References
[1] Casassa Mont, Marco; Baldwin, Adrian; Shiu, Simon (2009), Identity Analytics - "User Provisioning" Case Study: Using Modelling and Simulation for Policy Decision Support, p. 49. http://www.hpl.hp.com/techreports/2009/HPL-2009-57.html
[2] Hommel, Wolfgang; Schiffers, Michael (2005), Supporting Virtual Organization Lifecycle Management by Dynamic Federated User Provisioning, p. 12. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.84.6068&rep=rep1&type=pdf
[3] Becker, M; Drew, M (2005), "Overcoming the challenges in deploying user provisioning/identity access management backbone", BT Technology Journal 23(4): 71–79, 2006, doi:10.1007/s10550-006-0009-x. http://www.springerlink.com/content/b54rx62855483632/
[4] Witty, Roberta J (2003), The Identity and Access Management Market Landscape, p. 11. http://www85.homepage.villanova.edu/timothy.ay/DIT2160/IdMgt/the_identity_an.pdf
[5] Sodhi, Gavenraj (2004), User provisioning with SPML, pp. 86–96. http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6VJC-4BXN4BK-9&_user=10&_coverDate=03%2F31%2F2004&_rdoc=1&_fmt=high&_orig=search&_sort=d&_docanchor=&view=c&_searchStrId=1194442730&_rerunOrigin=scholar.google&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=01a0ef109fcca0c8e7f70e0045f20ddb

External links
[6] User provisioning best practices (free white paper published by Hitachi ID Systems, Inc.; no registration required): http://identity-manager.hitachi-id.com/docs/user-provisioning-best-practices.html
[7] User Provisioning and downstream provisioning from any application or system in your network: http://www.tools4ever.com/solutions/autoprovisioning/
[8] User provisioning software - Identity Management Frequently asked questions: http://www.geneous.com/faq_access_and_identity_management_solutions.html
BoKS (software)

BoKS
Developer(s): FoxT
Stable release: 6.5.4
Operating system: Cross-platform
Type: computer security
License: Proprietary
Website: www.foxt.com [1]
In computer security, BoKS is a proprietary product for the centralized management of user authentication and authorization (role-based access control). The name is an abbreviation for the Swedish "Behörighet- och KontrollSystem", which translates as "Legitimacy and Control System". Its full name is "BoKS Access Control for Servers". BoKS was originally designed for use on Unix systems, but has recently been ported to Windows as well. [2]

The product's key features include:
- Centrally defined access policies for user access to Unix, Linux and Windows servers.
- Real-time provisioning of security policies from a web interface or the command line.
- Wide range of configuration options, including various levels of security for specific (groups of) servers.
- Custom version of OpenSSH which allows fine-grained access control for SSH subsystems such as SFTP, SCP, X11 forwarding and tunneling.
- Extensible beyond the initial set of supported protocols through the use of Pluggable Authentication Modules.
- Provides tools for proactive security monitoring.
- Allows for interoperability with directory services such as NIS+ and LDAP.
Operation

A basic BoKS infrastructure consists of one master server, one or more replica servers and any number of client (server or desktop) systems. All communications between these hosts are encrypted and take place over a reserved set of TCP/IP ports.
- The master server runs the main database and the web interface. Any changes made to accounts, security policies and access routes are all made on the master server.
- Replica servers contain a copy of the database, which is asynchronously updated. Replicas handle most of the authentication and authorization requests sent by servers and desktops. Replicas can also be promoted to master server for the purpose of disaster recovery.

On the server, no modifications to the operating system are required when the agent is installed. The BoKS daemons run alongside all the other processes, while certain key components of the environment are exchanged to enable BoKS security. For example, on modern UNIX/Linux platforms (e.g. Solaris, HP-UX, AIX and Linux) PAM is reconfigured to hand off authentication and authorization requests to the local BoKS daemons, which then communicate with a replica over the network. On older versions of AIX (4.x, 5.0, 5.1, 5.2) and HP-UX 10.x (now all end of life) that are not fully PAM compliant, one usually opts to replace the actual daemons (such as OpenSSH, telnet and ftp) with the FoxT versions, which automatically hand over these requests. A similar plug-in approach is used for the BoKS Windows Server agent (e.g. in Server 2008 the BoKS agent is installed as a credential provider).
Once a user attempts to log in to a server OS, the daemon in question will ask a BoKS replica to verify the provided user name and password (or other authenticator, see later). If these are found to match, BoKS will perform a second check to see whether the user is actually allowed to log in to this particular server, at this time and using this access method. If this second check is passed, the user is handed back to the login process to conclude the session in the usual fashion.

A common implementation assumes that enterprise (or service provider) provisioning workflow approval of identity occurs elsewhere. Typically user IDs and business groups reside in corporate databases (Active Directory or LDAP), identity or role managers, and data feeds. BoKS becomes an enforcement and compliance reporting engine.

The BoKS configuration may be modified in a number of ways:
- Through the BoKS web interface.
- From the Unix command line.
- Automatic user and group updates from Active Directory and LDAP synchronization.
- Integration with role or identity managers through APIs.
- By dumping the BoKS database, which is then manually edited and restored (not recommended). [3]
- Early versions of BoKS could be configured using a Tivoli/Plus module.
Terminology

The following terms are frequently used in the management of a BoKS infrastructure.

host: Any system on the network, be it master, replica, client (server agent) or non-BoKS host.
host group: A logical grouping of hosts.
user account: A combination of a username plus its intended target host or host group.
access route: One specific security authorization, assigned to a user account or a user class, providing a specific linkage to a host or host group.
user class: A role description assigning a set of access routes to a user account.
access method: A communications protocol, such as telnet, ftp and SSH. Also includes su and suexec.
program group: A logical grouping of commands to be executed through suexec, which can be used in an access route.

A few notes:
- A unique user account is identified by the combination of its user name and the host or host group for which it has been defined. Multiple occurrences of a user name are allowed, as long as they are defined for different hosts or host groups. One common example is the Unix root user account, which is always defined on the host level. Examples of user accounts: server1:root, SOLARIS:peter, ORACLE:patrick.
- A user account may have multiple user classes assigned to it. This allows one user account to perform work that is officially split across different departments. For example, SOLARIS:peter may have both the user classes "SolarisThirdLine" and "BackupManagement".
- A host can be part of any number of host groups. This allows for fine-grained control over the provisioning of user accounts to specific servers. For example, server1 may be part of host groups SOLARIS, ORACLE and BACKUPEXEC, thus receiving all user accounts defined for those groups.
- Access routes can be assigned both to individual users and to user classes. Thus one can allow server1:root to log in only to the console of server1, while allowing SOLARIS:peter SSH access to all servers in host group SOLARIS.
- The term "BoKS client" is being replaced in FoxT literature, website and documentation with the more common market term "Server Agent".
Supported protocols

BoKS supports the following protocols: serial and network port login (UNIX/Linux), console login (UNIX/Linux and Windows), su, suexec (UNIX/Linux equivalent to sudo), boksrunas (Windows equivalent to runas), secure RDP (Windows), secure telnet (UNIX/Linux), XDM and SSH (UNIX/Linux and Windows). The SSH protocol may be sub-defined and further split into ssh_sh (shell), ssh_exec (remote command execution), ssh_scp (SCP only), ssh_sftp (SFTP only), ssh_x11 (X11 forwarding), ssh_rfwd (remote port forwarding), ssh_fwd (local port forwarding) and ssh* (all of the above). Older non-secure protocols (rlogin, rsh, rexec, ftp, rex, telnet) are also supported for legacy purposes, but more typically are set up as banned across your server estate for compliance reasons. Support for PC-NFS has been deprecated.

Each protocol definition (defined in an access route) can be configured to change or require multiple factors of authentication:
- all: use password authentication
- all: use X.509 certificate authentication
- all: use one-time password authentication such as SecurID or Safeword
- for su: use the user's own password to transition to a privileged account
- for suexec: optionally keystroke-log the session
- for SSH protocols: SSH keys generated by BoKS, or re-use of existing distributed SSH keys

A typical use case might be server support staff being challenged by a SecurID request to log in on a server console in the computer room, and using a PKI token on their own PC in their normal work area. It's possible to plug other protocols into BoKS, though this will require some customization. It's easiest if the software in question has support for Pluggable Authentication Modules, as there is a standard BoKS module for PAM.
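The terminology notes and the protocol list above describe enough of the model (host groups, scope:username accounts, user classes, access routes with ssh* sub-definitions, banned legacy methods) to work the second login check through. The following is an added example, not FoxT's code or the book's; the host groups, accounts and routes are the constructed ones from the notes, the matching rules are this model's assumptions (host-level account wins over group-level; host groups are searched in definition order; ssh* matches by shell-style glob), and time-of-day restrictions are not modelled.

```python
"""Evaluate BoKS-style access routes (added example, not FoxT's code or the
book's): hosts, host groups, "scope:username" accounts, user classes and
access routes, used for the second login check described above."""
from __future__ import annotations
from fnmatch import fnmatchcase

# Constructed host groups: group name -> member hosts.
HOST_GROUPS = {
    "SOLARIS": {"server1", "server2"},
    "ORACLE": {"server1"},
    "BACKUPEXEC": {"server1", "backup1"},
}
# User classes: name -> access routes (access method pattern, host or host group).
# "ssh*" covers the SSH sub-definitions such as ssh_sh and ssh_sftp.
USER_CLASSES = {
    "SolarisThirdLine": [("ssh*", "SOLARIS"), ("su", "SOLARIS")],
    "BackupManagement": [("ssh_sftp", "BACKUPEXEC")],
}
# Accounts: "scope:username" -> assigned user classes and direct routes.
ACCOUNTS = {
    "SOLARIS:peter": {"classes": ("SolarisThirdLine", "BackupManagement"), "routes": []},
    "server1:root": {"classes": (), "routes": [("console", "server1")]},
    "ORACLE:patrick": {"classes": (), "routes": [("ssh_sh", "ORACLE")]},
}
# Legacy clear-text protocols banned across the estate for compliance.
BANNED_METHODS = {"rlogin", "rsh", "rexec", "ftp", "rex", "telnet"}

def hosts_in(target: str) -> set[str]:
    """Resolve a route target (host group or single host) to a set of hosts."""
    return set(HOST_GROUPS.get(target, {target}))

def resolve_account(username: str, host: str) -> str | None:
    """Host-level definition wins; otherwise the first host group (in definition
    order, an assumption of this model) containing the host that defines the user."""
    if f"{host}:{username}" in ACCOUNTS:
        return f"{host}:{username}"
    for group, members in HOST_GROUPS.items():
        if host in members and f"{group}:{username}" in ACCOUNTS:
            return f"{group}:{username}"
    return None

def routes_for(account: str) -> list[tuple[str, str]]:
    """Direct routes plus those inherited from each assigned user class."""
    acct = ACCOUNTS[account]
    routes = list(acct["routes"])
    for cls in acct["classes"]:
        routes.extend(USER_CLASSES[cls])
    return routes

def authorize(username: str, host: str, method: str) -> tuple[bool, str]:
    """Second check, run after a replica has already verified the credential."""
    if method in BANNED_METHODS:
        return False, f"{method} is banned across the estate"
    account = resolve_account(username, host)
    if account is None:
        return False, f"no account for {username} on {host}"
    for pattern, target in routes_for(account):
        if fnmatchcase(method, pattern) and host in hosts_in(target):
            return True, f"{account} via route ({pattern}, {target})"
    return False, f"{account} has no route for {method} to {host}"

if __name__ == "__main__":
    for attempt in [
        ("peter", "server2", "ssh_sftp"),  # allowed via the ssh* route of SolarisThirdLine
        ("peter", "backup1", "ssh_sftp"),  # denied: no peter account scoped to backup1
        ("root", "server1", "ssh_sh"),     # denied: root may only use the console
        ("peter", "server1", "telnet"),    # denied: banned legacy protocol
    ]:
        print(attempt, authorize(*attempt))
```

The backup1 case is the point of the first terminology note: BackupManagement grants a route to BACKUPEXEC, but peter's account is defined for SOLARIS only, so no account exists on backup1 and the route never comes into play.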
History

Over the years the BoKS family of products has changed names and vendors a few times via product acquisition. It originated as BoKS UnixControl at DynaSoft in Sweden, after which it was sold by Security Dynamics, then RSA Security (known as Keon), and latterly by TFS Technology (known as UnixControl or ServerControl). The company changed its name in 2004 to Fox Technologies Inc, and uses the sales/marketing label FoxT. The individual agent solutions are sold as "BoKS Access Control for Servers", "BoKS Access Control for Desktops" and "BoKS Access Control for Applications". Over the years the product has been sold under OEM licenses by other server vendors (HP, Sun) with alternate product names.