Identity management capabilities

Today's security infrastructure is identity driven. Secure business applications ask two key questions: who are you, and what can you access? IBM offers a complete solution for identity management across the enterprise. This topic describes the identity management capabilities provided by WebSphere Application Server in conjunction with other WebSphere products and Tivoli.

For an identity management primer, refer to the identity management white paper, Help improve security and lower costs with repeatable identity management solutions. The paper describes the:

As described later, the IBM portfolio supports the following identity management capabilities.

  • Offer single sign on for your users' convenience

  • Control access to Web applications

  • Administer identities

  • Provision users

  • Federate disparate sources of identity data

  • Provide standard directory services to applications

  • Use strong authentication

  • Control and manage access to Web applications, Web services, and your Service Oriented Architecture (SOA)

  • Ensure regulatory compliance

  • Secure your business portal

  • Provide instance based access control for business rules

  • Secure work flows containing people interactions

  • Secure integration with other business applications

  • Government solutions

Products that work in conjunction with WAS to provide a full range of identity management capabilities include, but are not limited to:

Offer single sign on for your users' convenience

With WebSphere Application Server, Web users can authenticate once when accessing Web resources across multiple application servers. Choices for securely negotiating and authenticating HTTP requests for secured resources include a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO), or using Tivoli Access Manager WebSEAL or the Tivoli Access Manager plug-in for Web servers as reverse proxy servers to provide access management and single sign-on (SSO) capability. See Implementing single sign-on to minimize Web user authentications for details.

Add Tivoli Access Manager for e-business to achieve Web SSO and secure session management across e-communities, to securely extend your business processes to business partners and business affiliates. You can enable a flexible SSO to Web-based applications that can span multiple sites or domains with a range of SSO options, to help eliminate help-desk calls and other security problems associated with multiple passwords. By integrating with other SSO providers (such as Kerberos from a Microsoft domain logon, and client/server SSO solutions) Access Manager goes beyond 'reduced sign-on' to help implement a single authentication for the user across all system interactions.

Upgrade to Tivoli Federated Identity Manager to achieve standardized cross-domain SSO. The product supports a number of SSO federated identity and Web Services security standards, including Liberty Alliance specifications, SAML, WS-Federation, WS-Security and WS-Trust. This enables the company or the provider to interoperate and get SSO benefits from partners who implement any of these standards. Single Sign On (SSO) simplifies sign on for third-party users who typically have a primary relationship with their home organization. A federated business model enables a company to obtain trusted information about a third-party identity (such as customer, supplier, or a client employee) from that user's home organization without having to create, enroll, or manage a new account.

Reduce help-desk calls and other security problems associated with multiple passwords, using Tivoli Access Manager for e-business. Achieve a flexible SSO to Web-based applications that can span multiple sites or domains with a range of SSO options. By integrating with other SSO providers (such as Kerberos from a Microsoft domain logon, and client/server SSO solutions) Access Manager goes beyond 'reduced sign-on' to help implement a single authentication for the user across all system interactions.

Enhance the user experience and reduce help desk costs, with one less password to remember. Use Tivoli Access Manager for e-business to achieve Microsoft desktop single sign on. Windows users can be automatically authenticated to applications protected by Access Manager for e-business.

Improve end-user experience through Single Sign On (SSO) implemented by Tivoli Federated Identity Manager.

Reduce administrative cost by delivering rapid enrollment and personalized access to end-users at their convenience with integrated self-care. The Tivoli Access Manager for e-business Self-Registration capability enables end-users to quickly self-enroll to the Enterprise Web environment without requiring manual intervention or lengthy procedures.

Administer identities

WebSphere Application Server provides fine-grained administration.

Use these products in conjunction with WAS for additional capabilities.

Achieve centralized administration of both access control and data protection policies across mainframe and distributed servers with Tivoli Access Manager for Business Integration. An authorized administrator can perform Web-based administration remotely without visiting a system or deploying a special administration client.

Define and manage a centralized authentication, access, and audit policy for a broad range of business initiatives with Tivoli Access Manager for e-business. Initiatives include employee, customer and partner portals, CRM systems, e-procurement, cross-company single sign-on (SSO) projects, and outsourcing projects.

Manage users and groups, including dynamic and nested groups. Achieve dynamic group support with Tivoli Access Manager for e-business. An upper limit on static groups makes dynamic groups the only option in some cases, while dynamic groups may be preferred in other environments. The product integrates with existing data management environments.

Use Tivoli Access Manager for e-business to achieve integrated security management for critical WebSphere applications leveraging IMS, CICS and DB2 transactions on mainframe and non-mainframe platforms.

Reduce administrative cost by delivering rapid enrollment and personalized access to end-users at their convenience with integrated self-care. The Tivoli Access Manager for e-business Self-Registration capability enables end-users to quickly self-enroll to the Enterprise Web environment without requiring manual intervention or lengthy procedures.

Use the Web Portal Manager of Tivoli Access Manager for Operating Systems for easier, graphically based management.

Access Control Lists (ACLs) help you pro-actively prevent security breaches across your enterprise, using Tivoli Access Manager for Operating Systems.

Scale to tens of millions of entries, as well as groups of hundreds of thousands of members with Tivoli Directory Server.

Enhance directory security with the password strength features of Tivoli Directory Server. Enable the pre-expiration of passwords, the definition of password rules, maintenance of password history, and a failed-attempt count, in correlation with ACL protection.
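The four password controls named above (password rules, password history, pre-expiration, and a failed-attempt count with lockout) are illustrated by the following added example. It is not Tivoli Directory Server code, and the limits, status keywords, and hashing scheme are constructed assumptions chosen to show how the controls interact during a bind attempt.

```python
"""Directory-style password policy: rules, history, expiry warning, failed-attempt lockout.

Added illustration, not Tivoli Directory Server code. Every limit below is an assumed value.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import os
import re


@dataclass
class PasswordPolicy:
    min_length: int = 10
    min_char_classes: int = 3                     # of: lowercase, uppercase, digit, symbol
    history_size: int = 5                         # reuse of the last N passwords is refused
    max_age: timedelta = timedelta(days=90)
    warn_before: timedelta = timedelta(days=14)   # pre-expiration warning window
    max_failed: int = 5
    lockout: timedelta = timedelta(minutes=30)


@dataclass
class Account:
    uid: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # password hashes, newest last
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def _hash(account: Account, password: str) -> bytes:
    # Slow, salted hash; a real directory applies its own configured storage scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, 100_000)


def rule_violations(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Return the list of rules the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy.min_char_classes:
        problems.append("too_few_character_classes")
    if account.uid.lower() in candidate.lower():
        problems.append("contains_user_id")
    if _hash(account, candidate) in account.history[-policy.history_size:]:
        problems.append("reused_from_history")
    return problems


def set_password(policy: PasswordPolicy, account: Account, candidate: str, now: datetime) -> list:
    """Apply the rules; on success record the new hash, trim the history, reset the age clock."""
    problems = rule_violations(policy, account, candidate)
    if problems:
        return problems
    account.history.append(_hash(account, candidate))
    del account.history[:-policy.history_size]
    account.password_set_at = now
    return []


def authenticate(policy: PasswordPolicy, account: Account, attempt: str, now: datetime) -> str:
    """Bind attempt with lockout and expiry handling; returns a status keyword."""
    if account.locked_until and now < account.locked_until:
        return "locked"
    account.locked_until = None
    if not account.history or _hash(account, attempt) != account.history[-1]:
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed:
            account.locked_until = now + policy.lockout   # lock the account, not the whole directory
            account.failed_attempts = 0
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    age = now - account.password_set_at
    if age > policy.max_age:
        return "expired"            # the user must change the password before access is granted
    if age > policy.max_age - policy.warn_before:
        return "ok_expiring_soon"   # pre-expiration warning to the client
    return "ok"
```

Note that the lockout counter is reset only on a successful bind, and the lock has an expiry so that an attacker cannot permanently deny service to a user by supplying wrong passwords.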

Manage organizations and entities. Lower overhead costs by automatically managing accounts, credentials, and access rights throughout the user life cycle with workflow provided by Tivoli Identity Manager.

Reduce help-desk costs and ease the burden of daily administration on help-desk and IT staff with the self-service interfaces of Tivoli Identity Manager. Enable users to perform password resets, password synchronization, and modification to personal information without administrative intervention.

Use Tivoli Identity Manager to cut elapsed turn-on time for new accounts; improve productivity by allowing end users to rapidly reset and synchronize their own passwords; and decrease errors by automating user submission and approval requests.

Take advantage of the various products' APIs to integrate and customize your identity management solution.

Provision users

Use these products in conjunction with WAS for additional capabilities.

Quickly connect users to appropriate resources while reducing administration workload, with Tivoli Identity Manager. Its embedded provisioning engine and universal integration tools automate the implementation of administrative requests on the environment, and provide universal connectors for extending the management model to support new and custom environments.

Demonstrate enforcement of internal controls to auditors and eliminate orphan or over-privileged accounts. Use Tivoli Identity Manager closed-loop user provisioning to detect and correct discrepancies between approved account access and local privileges.

Implement and modify provisioning policies more quickly and accurately. Use Tivoli Identity Manager to simulate the impact of provisioning policy on user accounts before committing changes.

Centralize the definition of users and provisioning of user services with the centralized administration of Tivoli Identity Manager. Role and rule-based delegated administration enables grouping of users according to business needs and delegation of administrative privileges along organizational and geographical boundaries.

Tivoli Identity Manager provisioning is integrated with access and identity. Access to Web applications and other applications can be determined by one user profile. The product interacts directly with users and with two external types of systems: identity sources and access control mechanisms. The identity systems deliver authoritative information about the users that need accounts. The provisioning system communicates directly with access control systems to create accounts, supply user information and passwords and define the entitlements of the account.
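The closed-loop provisioning cycle described in the preceding paragraphs (derive approved access from roles and policy, compare it with what the access control system actually holds, correct orphan and over-privileged accounts, and simulate a policy change before committing it) is shown end to end in the following added example. It is not Tivoli Identity Manager code; the identity feed, provisioning policy and target-system account dump are constructed sample data.

```python
"""Closed-loop provisioning: approved access vs. local privileges, with policy simulation.

Added illustration, not Tivoli Identity Manager code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed authoritative identity feed (for example from an HR system): uid -> roles.
IDENTITY_FEED: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"finance", "manager"}),
    "bob": frozenset({"finance"}),
    "carol": frozenset({"engineering"}),
}

# Constructed provisioning policy: role -> entitlements that role grants on the target system.
POLICY: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"ledger_read"}),
    "manager": frozenset({"ledger_approve"}),
    "engineering": frozenset({"repo_write"}),
}

# Constructed dump of what the access control system actually holds.
TARGET_ACCOUNTS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"ledger_read", "ledger_approve", "repo_write"}),  # one extra entitlement
    "bob": frozenset({"ledger_read"}),
    "dave": frozenset({"ledger_read"}),                                   # no identity behind it
    # carol has no account at all
}


def approved_access(feed, policy) -> Dict[str, FrozenSet[str]]:
    """Derive the entitlements each identity should hold from its roles and the policy."""
    return {uid: frozenset().union(*(policy.get(r, frozenset()) for r in roles))
            for uid, roles in feed.items()}


@dataclass(frozen=True)
class Discrepancy:
    uid: str
    kind: str                      # orphan | missing_account | over_privileged | under_privileged
    entitlements: FrozenSet[str]


def reconcile(approved, actual) -> List[Discrepancy]:
    """Detect every difference between approved access and the target system's local privileges."""
    found = []
    for uid in sorted(set(approved) | set(actual)):
        want, have = approved.get(uid), actual.get(uid)
        if want is None:
            found.append(Discrepancy(uid, "orphan", have))
        elif have is None:
            found.append(Discrepancy(uid, "missing_account", want))
        else:
            if have - want:
                found.append(Discrepancy(uid, "over_privileged", frozenset(have - want)))
            if want - have:
                found.append(Discrepancy(uid, "under_privileged", frozenset(want - have)))
    return found


def remediate(actual, discrepancies) -> Dict[str, FrozenSet[str]]:
    """Correct the target system so that it matches approved access (closing the loop)."""
    fixed = dict(actual)
    for d in discrepancies:
        if d.kind == "orphan":
            fixed.pop(d.uid, None)
        elif d.kind == "missing_account":
            fixed[d.uid] = d.entitlements
        elif d.kind == "over_privileged":
            fixed[d.uid] = fixed[d.uid] - d.entitlements
        elif d.kind == "under_privileged":
            fixed[d.uid] = fixed[d.uid] | d.entitlements
    return fixed


def simulate_policy_change(feed, policy, new_policy) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Preview who gains or loses entitlements under a policy change, without committing it."""
    before, after = approved_access(feed, policy), approved_access(feed, new_policy)
    impact = {}
    for uid in feed:
        gained, lost = after[uid] - before[uid], before[uid] - after[uid]
        if gained or lost:
            impact[uid] = {"gained": gained, "lost": lost}
    return impact
```

In a real deployment the discrepancy list would first be routed through an approval workflow rather than remediated blindly; what matters for audit purposes is that every difference between approved and actual access is detected and recorded.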

Pair Tivoli Identity Manager with WebSphere Process Server to achieve identity-based workflow. Streamlined automated workflow can decrease errors and inconsistency in business processes. Intelligent approval routing automates the submission and approval processes for access requests and changes to user information.

Federate disparate sources of identity data

Federated identity is a technology for brokering identities between companies or business units. Federated identity management is the set of business agreements, technical agreements and policy agreements that enable companies to partner to lower their overall identity management costs and improve user experience. It leverages the concept of a portable identity - the idea that your identity is not bound to a specific credential - to simplify the administration of users in a federated business relationship. Federation simplifies integration because there is a common way to share identities between companies and manage user sessions. Identity Federation services within a Service Oriented Architecture (SOA) ensure that users have simplified access and single sign on to the composite application environment.

Use these products in conjunction with WAS for additional capabilities.

Use Tivoli Access Manager for e-business to provide first-point-of-contact and session management that typically are prerequisites to federation with IBM Tivoli Federated Identity Manager.

Connect to disparate data sources with Tivoli Directory Integrator as an enterprise directory.

Ensure data availability and maximize server response time by using Tivoli Directory Server to achieve single-master multiple replication, multiple-master replication, cascaded, gateway and partial replication.

Simplify the administration and the lifecycle management of user identities and obtain a simple, loosely-coupled model for managing identity and access to resources that span companies or security domains with the open standards and specifications support of Tivoli Federated Identity Manager, including Liberty, SAML, WS-Federation, WS-Security and WS-Trust. It works with standards-based, off-the-shelf products.

Reduce administration and provisioning costs related to managing identities for third-party users, with Tivoli Federated Identity Manager. Rather than having to enroll third-party users into a company's internal identity systems, federated identity management enables IT service providers to offload the cost of user administration to their business partner companies. Because the business partner company acts like an identity provider, the service provider does not have to take on the burden of user administration costs such as user enrollment, account management, password management, password reset, help desk, or customer care costs.

Simplify integration with a common way to share identities between companies and manage user sessions. Tivoli Federated Identity Manager facilitates "straight through processing" techniques because the identity provider does not have to replicate or stage business processes on behalf of a service provider. By employing Tivoli Access Manager for e-business (included with FIM), FIM is able to provide integrated session management, significantly facilitating inter-company transactions. With a federated identity model, identity providers have an opportunity to streamline inter-company transactions, thereby reducing costs, and simplifying integration.

Obtain great flexibility for synchronization, using Tivoli Directory Integrator.

Simplify integration between your company and your partners' Web sites and business applications, including simplified session management with Tivoli Federated Identity Manager.

Provide standard directory services to applications

WebSphere Application Server supports a variety of registry and repository choices, including Lightweight Directory Access Protocol (LDAP) directories. See Select a user registry .

Use these products in conjunction with WAS for additional capabilities.

Obtain rapid time to value and save development costs with Tivoli Access Manager for Business Integration for application-level data protection for WebSphere MQ-based applications. Implement comprehensive security without writing complex security code, or modifying or recompiling existing applications.

Store credentials in Novell eDirectory with Tivoli Access Manager for Business Integration.

Achieve integration with over 70 ISV offerings with Tivoli Access Manager for e-business. Offerings include Siebel CRM, SAP, PeopleSoft and Portal solutions from WebSphere, Plumtree, and others. Enterprises benefit from a common security model (authentication, access control, Single Sign On and audit) across the e-business, ISV and legacy applications. This reduces costly integrations and delivers rapid time to value in solution deployment because enterprises can standardize on a single identity and access management platform.

Deploy the security architecture of your choice due to the multiple directory support of Tivoli Access Manager for e-business.

Synchronize and exchange information between applications or directory sources with Tivoli Directory Integrator.

Manage data across a variety of repositories providing the consistent directory infrastructure needed for a wide variety of applications, including security and provisioning, with Tivoli Directory Integrator.

Leverage existing investments in directory and identity repositories, platforms, and operating systems with Tivoli Directory Integrator.

Avoid the time-consuming design of schemata, which can slow the deployment of the LDAP directory. Tivoli Directory Server provides comprehensive, extensible, and dynamically updatable schema.

Manage users and groups, including dynamic and nested groups. Achieve dynamic group support with Tivoli Access Manager for e-business. An upper limit on static groups makes dynamic groups the only option in some cases, while dynamic groups may be preferred in other environments. The product integrates with existing data management environments.

Use Tivoli Access Manager for e-business to achieve integrated security management for critical WebSphere applications leveraging IMS, CICS and DB2 transactions on mainframe and non-mainframe platforms.

Reduce administrative cost by delivering rapid enrollment and personalized access to end-users at their convenience with integrated self-care. The Tivoli Access Manager for e-business Self-Registration capability enables end-users to quickly self-enroll to the Enterprise Web environment without requiring manual intervention or lengthy procedures.

Use strong authentication

Control and manage access to Web applications, Web services, and Service Oriented Architecture

WebSphere Application Server provides a solid base for protecting Web applications and Web services in a Service Oriented Architecture. See Securing Web services applications using JAX-RPC at the message level .

Use these products in conjunction with WAS for additional capabilities.

Web applications

Leverage a common security policy model for Web applications with Tivoli Access Manager for e-business.

Achieve highly secure e-business with Tivoli Access Manager for e-business, which provides flexible deployment that supports proxies, plug-ins, and agents.

Enhance application and database security with Tivoli Access Manager for Operating Systems. It restricts the ability to switch user IDs, prevents deliberate or accidental loss of application data and tampering with log files, and prevents unauthorized assumption of application administrative IDs.

Eliminate many user-access problems, while still using the standard UNIX authentication mechanisms, with Tivoli Access Manager for Operating Systems. Login Policy Enforcement tracks the UNIX login process and applies policies that prevent unauthorized access, such as the number of permitted failed login attempts before the user is locked out.

Ensure application speed and user experience are not impeded by access control decision speed with the multi-threaded architecture enabled by Tivoli Access Manager for Operating Systems.

Prevent password theft with Tivoli Access Manager for Operating Systems.

Ensure security and consistent policy on your most sensitive systems with the centralized control and local autonomy provided by Tivoli Identity Manager.

Defend against the top security threat that enterprises face: misbehavior by internal users and employees with Tivoli Access Manager for Operating Systems.

Ramp up quickly to effective security with Tivoli Access Manager for Operating Systems. Fast Track Policy Modules are pre-written, customizable, best-practice policies.

Achieve centralized administration of security policy across the enterprise with Tivoli Access Manager for Operating Systems.

Create the authoritative data spaces needed to expose only trustworthy data to advanced software applications such as Web services, with Tivoli Directory Integrator.

Authorization services also help application developers use standard development tools such as Eclipse or Rational by providing standards-based API interfaces.

Web services

Integrate seamlessly with a wide variety of repositories and technologies, and enable integration with new and existing Web Services in the enterprise, through the standards and Web Services support of Tivoli Directory Integrator.

Extend the reach of the directory to web services with Tivoli Directory Server. Expose the directory and deliver it to web services through XML coding. An enterprise's customers could, for example, make changes to directory data such as phone numbers or street addresses themselves over the Internet rather than calling in to customer service.

Simplify administration of security in cross-enterprise business processes by delivering "security as services" with Tivoli Federated Identity Manager.

Simplify the administration and the lifecycle management of user identities and obtain a simple, loosely-coupled model for managing identity and access to resources that span companies or security domains with the open standards and specifications support of Tivoli Federated Identity Manager, including Liberty, SAML, WS-Federation, WS-Security and WS-Trust.

SOA

SOA Management: Securing Web Services discusses the challenges of security in a Service Oriented Architecture (SOA). The security environment is still disjointedly hard wired into organizational silos segmented into network security, perimeter security, desktop security, server security and application security. Point solutions solve a partial need but they don't work in unison. Hence, they can't appreciably lower system risk, improve platform integrity, or mitigate the risk of broadening access. SOA adoption introduces new and unforeseen challenges with security integration, identity and security management.

  • Multiple Application Platforms (WebSphere, Microsoft or SAP)

  • Multiple Security Domains (internal, external, business unit silos, extranet)

  • Multiple Security Credentials (Kerberos, SAML, WS-Security, RACF)

  • Multiple Protocols (SOAP, HTTP/S, JMS, MQ)

  • Lack of "thread of identity" across the services context

Composite Applications must deal with the challenges of independent security and identity silos. The security solution needs to secure end user interactions as well as service interactions (application to application). Security management needs to provide unified customer views for the composite application. The "thread" of user identity needs to be preserved end to end for auditing and compliance purposes.

Deliver policy-based integrated security management for SOA Web Services with Tivoli Federated Identity Manager.

Authorization services provided by Tivoli products in the Tivoli identity management solution ensure that SOA components can apply consistent authorization policies for Web, HTTP, and Java resources, Web Services, SOAP (WSDL resources), MQ (Queues and Queue Managers) and even core infrastructure platforms such as UNIX and Linux Servers.

Authorization services in an SOA ensure that a common authorization abstraction model enables application platforms such as WebSphere, MS .NET, BEA and SAP to apply fine-grained authorization for these resource types.

Tivoli Access Manager for e-business implements a centralized policy service for SOA elements enabling business owners to delegate authorization decisions to a Policy server deployed in the SOA environment.

As SOA transactions originate across various channels and protocols it is important to have the centralized session management service of Tivoli Access Manager for e-business to enable various SOA components to have a "common view" of the current user session, for single sign on, single sign off, auditing and reporting, and so on.

Ensure regulatory compliance

Use these products in conjunction with WAS for additional capabilities.

Demonstrate specific compliance with the defined security policy with Tivoli Access Manager for Business Integration, by using its message-level audit function and audit record generation.

Maintain confidentiality of message data and allow for verification of data integrity with Tivoli Access Manager for Business Integration. Securing messages both while they are being processed by WebSphere MQ and while they travel from system to system reduces exposure of data from internal employees or vendors. It can be used as part of a HIPAA compliance solution.

Obtain a central point for reporting on security events and sample reports with Tivoli Access Manager for e-business. An audit and reporting service collects audit data from multiple enforcement points, as well as from other platforms and security applications.

Achieve easier, extended auditing and reporting capabilities with Tivoli Access Manager for e-business. Audit records are written in standard XML format. An information-gathering tool allows secure, centralized collection and reporting of audit, log, statistics, and similar data across the extended enterprise.

Tivoli Access Manager for Operating Systems combines full-fledged intrusion prevention—host-based firewall, application and platform protection, user tracking and controls—with robust auditing and compliance checking.

Obtain mainframe-class security and auditing in a lightweight, easy-to-use product with Tivoli Access Manager for Operating Systems.

Document compliance with government regulations, corporate policy and other security mandates using the persistent universal auditing of Tivoli Access Manager for Operating Systems.

Obtain extended auditing capabilities with Tivoli Access Manager for Operating Systems. Configurable audit events can track sensitive access attempts, provide security-related information on user activity, and can send events to a centralized event management console. Verify access policy through secure logging of security events.

Improve business compliance by helping to reduce security exposure with Tivoli Federated Identity Manager.

Address policy compliance needs, using Tivoli Identity Manager to produce centralized reports on security policy, access rights, and audit events to quickly respond to internal audits and regulatory mandates.

Quickly produce reports for internal audits and for ensuring regulatory compliance, with Tivoli Identity Manager auditing and reporting mechanisms.

Enforce privacy policies across your IT infrastructure with Tivoli Privacy Manager for e-business.

Monitor access to personal information and generate detailed audit logs with Tivoli Privacy Manager for e-business.

Automatically generate reports detailing compliance to corporate policies with Tivoli Privacy Manager for e-business.

Help privacy officers, legal counsel and IT staff work together to build privacy rules that integrate policy into practices, so that policies can be authored without knowledge of IT systems. This is provided by Tivoli Privacy Manager for e-business.

Update policies in the future with minimal impact to the environment, using Tivoli Privacy Manager for e-business. Monitor and record users' privacy preferences on a separate system from individual applications. You can author one policy and deploy it everywhere there are monitored systems, as a cost-effective alternative to modifying or rewriting existing applications in order to incorporate preferences across applications.

Comply with internal audits and regulatory reviews with Tivoli Privacy Manager for e-business. It generates enterprise-wide reports showing policies deployed, enforcement locations and audit trails that detail the management of personal information according to privacy policies.

Control policies, storage locations, audit logs, preferences and consent across the enterprise with Tivoli Privacy Manager for e-business.

Rapidly develop and customize e-business monitors for applications, middleware data repositories and other systems that persistently store privacy-sensitive information with Tivoli Privacy Manager for e-business. Monitors for LDAP and Siebel 7 are included to allow monitoring, enforcement and auditing for LDAP and Siebel 7 applications.

Use Tivoli Security Compliance Manager to automate scans of servers and desktop systems, which can help reduce the cost and time associated with manual security checks.

Provide detailed reports to security officers and compliance auditors so they can take the appropriate steps to make individual systems and departments compliant, with Tivoli Security Compliance Manager.

Improve business operations and increase efficiencies through automation and centralization with Tivoli Security Compliance Manager.

Mediate security policy violations and risks using Tivoli Security Compliance Manager in conjunction with Tivoli automated security management tools.

Automate compliance tasks, monitor correspondence, reduce human error, and tame compliance costs with Tivoli Security Compliance Manager.

Use Tivoli Security Compliance Manager to ensure consistent security audits across the organization, reducing human error.

Reduce the cost and time associated with manual security checks, using the automated scans of server and desktop systems with Tivoli Security Compliance Manager.

Identify software security vulnerabilities prior to costly damage being inflicted by security incidents, using the security vulnerability scans of Tivoli Security Compliance Manager.

Quickly produce reports for audits and for ensuring regulatory compliance with the reporting mechanisms of Tivoli Security Compliance Manager.

Manage and secure your business environments from your existing hardware and operating system platforms with Tivoli Access Manager for e-business.

Secure your business portal

Use Portal in conjunction with WAS to satisfy customers, reduce service costs, and enable customer profiles.

  • Portal includes personalization features to be able to respond to end users based on identity (and things derived from identity, such as group memberships and user profile attribute values) and context using rules.

  • Portal has its own access control for protecting Portal resources (pages and portlets) that are not visible in a securable way in a URL. This access control is based on user identity and group memberships.

  • Portal has a basic user interface for user self-registration and self-care after creation. It also features basic User and Group administration interfaces, not intended to replace the management interfaces of the directory server, or to be as function-rich as TIM.

Provide instance based access control for business rules

Use these products in conjunction with WAS for additional capabilities.

Enact rules-enabled authorization checks with WebSphere Process Server. Its rules technology for conditions enables administrators to create rules depending on the role of an invoker, for example. Although it currently does not allow for checking on role and subject information specifically, developers can use a workaround. A Java code snippet can be used to retrieve this information and feed it into the rule condition.

Dramatically improve both how quickly your applications are deployed and how quickly they adapt, achieving rules based authorization with Tivoli Access Manager for e-business. Change access-influencing policy parameters without having to rewrite and recompile applications.
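The two preceding paragraphs describe authorization decisions that depend both on the role of the invoker and on the specific business object instance, with the policy parameters kept outside application code so they can change without a rebuild. The following added example shows one way to structure such instance-based, rule-driven checks; it is not WebSphere Process Server or Tivoli Access Manager code, and the purchase-order object, rule keys and limits are constructed for illustration.

```python
"""Instance-based authorization from rules held as data.

Added illustration, not WebSphere Process Server or Tivoli Access Manager code.
The rule vocabulary (any_role, states, max_amount, ...) is an assumption made for this example.
"""
import copy
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Subject:
    uid: str
    roles: frozenset


@dataclass
class PurchaseOrder:          # constructed business object
    po_id: str
    owner: str
    amount: float
    state: str = "draft"


# Constructed policy written as data, so the approval limit or role names can be changed
# without touching application code. Every condition listed in a rule must hold for it to apply.
RULES: List[Dict[str, Any]] = [
    {"name": "owner_edits_draft", "action": "edit",
     "any_role": ["clerk", "manager"], "states": ["draft"], "must_be_owner": True},
    {"name": "manager_approves_small", "action": "approve",
     "any_role": ["manager"], "states": ["submitted"], "max_amount": 10_000,
     "must_not_be_owner": True},                      # separation of duties
    {"name": "director_approves_any", "action": "approve",
     "any_role": ["director"], "states": ["submitted"], "must_not_be_owner": True},
]


def rule_applies(rule: Dict[str, Any], subject: Subject, action: str, po: PurchaseOrder) -> bool:
    """Evaluate one rule against the invoker and the concrete instance it is acting on."""
    if rule["action"] != action:
        return False
    if "any_role" in rule and not subject.roles & set(rule["any_role"]):
        return False
    if "states" in rule and po.state not in rule["states"]:
        return False
    if rule.get("must_be_owner") and po.owner != subject.uid:
        return False
    if rule.get("must_not_be_owner") and po.owner == subject.uid:
        return False
    if "max_amount" in rule and po.amount > rule["max_amount"]:
        return False
    return True


def authorize(rules, subject: Subject, action: str, po: PurchaseOrder) -> Tuple[bool, str]:
    """Default deny: the first rule whose conditions all hold grants the action."""
    for rule in rules:
        if rule_applies(rule, subject, action, po):
            return True, rule["name"]
    return False, "no_matching_rule"


def with_limit(rules, rule_name: str, new_limit: float):
    """Return a copy of the policy with one rule's amount limit changed: a policy edit, not a code change."""
    updated = copy.deepcopy(rules)
    for rule in updated:
        if rule["name"] == rule_name:
            rule["max_amount"] = new_limit
    return updated
```

Because the decision is made per instance (owner, amount, state) rather than per URL or per role alone, a manager who submitted an order cannot approve it, and the same manager is refused on an order above the configured limit until the policy, not the application, is changed.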

Reduce administrative costs with Tivoli Identity Manager. Role and rule-based delegated administration enables grouping of users according to business needs and delegation of administrative privileges along organizational and geographical boundaries.

Streamlined automated workflow can decrease errors and inconsistency in business processes. Tivoli Identity Manager automates the submission and approval processes for access requests and changes to user information.

Secure work flows containing people interactions

The staff resolution capabilities of WebSphere Process Choreographer, part of WebSphere Process Server, provide role-based staff assignment and are compatible with various directory services.

Secure integration with other business applications

Use these products in conjunction with WAS for additional capabilities.

Leverage your J2EE investment and enable applications to be managed as part of a consistent, policy-driven strategy with Tivoli Access Manager for e-business. The product supports J2EE, Java 2 and JAAS environments, with no plug-in required, no proprietary coding needed and no pre- or post-compile necessary.

Use Tivoli Federated Identity Manager to expand the business reach of service providers creating revenue generating opportunities.

For information about Identity and Privacy Strategies Methodologies and Best Practices, see the related information link below:


Related information
http://www.burtongroup.com/research_consulting/doc.aspx?cid=739