user authentication for enterprise applications november 16, 2005 tom board, nuit
TRANSCRIPT
User Authentication for Enterprise Applications
November 16, 2005Tom Board, NUIT
2
Thesis• Trustworthy authentication and authorization are
important• Moving the authentication and authorization
functions out of applications will allow rapid deployment of desirable new technologies
• The services needed are largely available today, and will be complete within 18 months
• The work must now shift to the applications and business processes
3
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
4
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
5
What are the Problems?• External: granting & removing access through
auditable processes• Internal/external: accountability using access
records• Internal/external: maintaining trustworthiness of
tokens or credentials• Internal: reducing the cost of implementing new
security methods• Internal: navigating University applications may
be too complicated for users
6
Contexts
• Network: for access control security
• Enterprise applications: for integrity of business functions
• Divisional and school applications: for consistency and ease of management
• User experience: to reduce complexity
7
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
8
Industry Trends in User Authentication
• Defining clear business rules for identity creation and lifecycle management
• Requiring stronger passwords
• Requiring multi-factor authentication for high-value transactions
• Requiring trustworthy administrative processes
9
Business Rules for Identity Lifecycle Management
• Document the necessary and sufficient conditions for identity creation
• Define the lifecycle and the authorizations granted and revoked at each transition
• Grant authorizations in keeping with business goals and to minimize risks
• Log and audit the management processes
10
Stronger Passwords• Password cracking technology is advancing
beyond our ability to remember passwords• Because attacks are automated, risks are
greater and defenses must be stronger• Passwords must become longer and more
complex.• Likely future minimum will be 8 characters with
more syntax requirements• Implementation requires new IdM system
11
Multi-Factor Authentication• Factors: something you …
– Know (passwords)– Have (swipe card, USB token)– Are (thumbprint, handprint, retinal pattern)– Do (typing pattern, walking gait)
• How many factors are needed to be POSITIVE that the attempted access is by the real person?– What is the risk of being wrong?– What is the inconvenience?– Who will decide?
12
The Importance of Trustworthiness• Federal guidelines for electronic signature stress the
security and trustworthiness of token distribution• Federated authentication between security realms is
based upon trust in our authentication assertions, a portion of which is trust in the management of tokens.
• Our practices for identification, distribution and management of authentication tokens must be judged trustworthy
• Policies on protection of tokens must be enforced• Trust is a contract with legal implications
13
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
14
NUIT Plan• Single identity for each person• Four network-wide authentication services but
only one and one-half authorization services• Workflow-based management of identities and
access control• Federated authentication with others• Smartcards, USB tokens, etc.• A key step: remove authentication from
applications and place it in the surrounding service environment
15
Single Identity (NetID)• Why?
– Tied to authoritative sources– Single token allows rapid action to allow,
modify, or revoke access or permissions– Common authentication infrastructure
simplifies user experience (portal, SSO)
• What about aggregated risk?– Use multi-factor authentication selectively– Educate users – it’s not just e-mail now
16
Four Services
• LDAP 3.x: authentication and authorization attributes
• MSFT Active Directory: authentication and some authorization attributes
• MIT Kerberos 5: authentication
• Web SSO: authentication and coarse-grained access control through LDAP authorization attributes
17
Web SSO (Single Sign-On)
• More correctly: Web Access Management
• Presents a challenge for an authentication token and caches the resulting level of authentication in a session cookie
• Extension: access policies are used to describe the authentication level needed for each URL
18Web Access Mgmt
W e b s e rve r"s him "
0 app.no r thwe s te rn.e du /*1 app.no r thwe s te rn.e du /re po r ts /*2 app.no r thwe s te rn.e du /m o dify/*3 app.no r thwe s te rn.e du /m o dify/bankac c o unts /*
W AM P o lic ie s
W AMs e rve r
c he c k c o o kie
c hal le nge
1 = p as s w o r d
2 = p h y s ic a l to k en
3 = s u p er v is o r p h y s ic a l to k en
C he c k U R L po lic ie s
Applic at io n
c ookie
W e b Se rve r
app.no r thwe s te rn.e du / ....
19Timeline*
* This timeline is for illustrative purposes only and should not be used in planning – please consult with an experienced professional. The views expressed are those of the author and not those of NUIT. No warranty expressed or implied. YMMV. All bets are off.
2006 2007Task Jan-Mar Apr-Jun Jul-Sep Oct-Dec Jan-Mar Apr-Jun Jul-Sep
Ph ase 1
S ign contrac tsH RIS 8.9 Im plem enta tion
Im plem ent W A MD eploy W A M
P repare S N A PP repare B us iness R ules
P repare feedsIns ta ll IdM
IdM process feedsP ara lle l opera tions
C utover to IdMS E S 8.9 Im plem enta tion
Financial S ystem Im plem ntatio n
20
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
21
How Should Applications Prepare?
• Move user authentication into the Web server – application invocation implies successful authentication
• Use identity management workflow to control access to the application
• Use attributes for coarse-grained access control• Optional: Define institutional roles that can drive
coarse-grained (and fine-grained) access control• Optional: Employ first-access provisioning to
simplify management of application user profiles
22
Authenticating at the Web Server
• Applications must give up internal passwords and programming logic to check NetID passwords
• Moving this function to the Web server level allows new functions (Web SSO) to be deployed without wide-spread effects
• If the application is invoked, then the user was successfully authenticated
23
Approve Access Through IdM
• The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application.
• Using IdM-based workflow to request, authorize, approve and grant access can support this easily.
• The IdM system can enforce business rules subject to entitlements granted.
24
Remove Access Through IdM• What business rules are appropriate (or
required) when an identity changes status?– Move between departments– Move between divisions/schools– Graduation, withdrawal, no registration– Termination
• Possible actions:– Continue services indefinitely or for a defined number
of days– Suspend access and (a) notify individual, and/or (b)
notify supervisor, and/or (c) notify service manager– Suspend without notices
25
Coarse-Grained Access Control
• Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page.– Role: “faculty”, “employee”– Entitlement: “access to HRIS”
• Session environment can also be used– IP address– Level of authentication
26
Fine-Grained Access Control• Fine-grained access control is based upon user
profile information unique to the application or interpreted by the application at execution time.– “Can view salaries”– “Can change salaries”– “Can authorize checks up to $100,000”
• Fine-grained access controls could be determined from institutional roles – or not– Examples: “department assistant” implies
• “Can view salaries”• “Can administer grant funds within department”
27Coarse vs. Fine Controls
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio n
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
A d min is t ra to r
A u th o rity
Acc
ess
Con
trol
Lay
erC o a rs e -G ra ine d
C o ntro lsF ine -G ra ine dC o ntro ls
28
First-Access Provisioning• Avoid provisioning user profiles within the
application until the user attempts access– Eliminate unnecessary local user profiles
• Recognizing no user profile exists:– Invoke an IdM workflow to request access– Create a place-holder profile and allow limited access
by default– Automatically create a profile from attribute
information (institutional roles)
• Result: savings in administrative time
29
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
301. Typical “silo” application
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
A p p lic atio n
A d min is t ra to r
E -m ail &w o rk flo w
Aut
hent
icat
ion
& A
utho
riza
tion
ID &
Rol
eM
aint
enan
ce
312. Convert to NetID authentication
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio n
A d min is t ra to r
E -m ail &w o rk flo w
Aut
hent
icat
ion
& A
utho
riza
tion
ID &
Rol
eM
aint
enan
ce
A u th o rity
323. Move authentication to Web server
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A d min is t ra to r
E -m ail &w o rk flo w
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
ID &
Rol
eM
aint
enan
ce
334. Web Access Management (SSO)
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
A d min is t ra to r
E -m ail &w o rk flo w
c ookie
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
ID &
Rol
eM
aint
enan
ce
345. Coarse-grained authorization
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
A d min is t ra to r
E -m ail &w o rk flo w
c ookie
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
ID &
Rol
eM
aint
enan
ce
356. Request access using IdM workflow
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
A d min is t ra to r
E -m ail &w o rk flo w
c ookie
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
ID &
Rol
eM
aint
enan
ce
367. Institutional roles drive provisioning
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
Ro le e n g in e
A d min is t ra to r
E -m ail &w o rk flo w
c ookie
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
37Step
8
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
Ro le e n g in e
A d min is t ra to r
E -m ail &w o rk flo w
c ookie
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
Fir
st-a
cces
spr
ovis
ioni
ng
389. Smart card authentication
U s e rp ro file s
D a ta b a s e
Ses
sion
set
-up
Pro
cess
ing
LD A P Re g is t ry
Id e n t ity M a n a g e me n tS y s te m
A p p lic atio nW e b S e rv e r
A c c e s s p o lic yd a ta b a s e
W e b S S O
A c c e s s Co n t ro lS y s te m
Ro le e n g in e
A d min is t ra to r
E -m ail &w o rk flo w
c ookie
A u th o rity
Aut
hent
icat
ion
Aut
hori
zati
on
Fir
st-a
cces
spr
ovis
ioni
ng
S m a rt c a rd
C a rdm a na ge m e nt
39
Agenda
• What are the Problems?
• Industry Trends in User Authentication
• What is NUIT Planning?
• How Should Application Administrators and Planners Prepare?
• Transitions
• Wrap-up
40
Wrap-Up• Seek to free the application from any
particular authentication technology• IdM workflow can govern the approval
process, provide audit controls, and flag the user’s identity for other business rules
• First-access provisioning saves time and effort for the application administrator
• “Just as secure, with just as much control, just using different tools”
41
Questions?
QA&