1 / 41

User Authentication for Enterprise Applications

User Authentication for Enterprise Applications. November 16, 2005 Tom Board, NUIT. Thesis. Trustworthy authentication and authorization are important Moving the authentication and authorization functions out of applications will allow rapid deployment of desirable new technologies

alden
Download Presentation

User Authentication for Enterprise Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. User Authentication for Enterprise Applications November 16, 2005 Tom Board, NUIT

  2. Thesis • Trustworthy authentication and authorization are important • Moving the authentication and authorization functions out of applications will allow rapid deployment of desirable new technologies • The services needed are largely available today, and will be complete within 18 months • The work must now shift to the applications and business processes

  3. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  4. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  5. What are the Problems? • External: granting & removing access through auditable processes • Internal/external: accountability using access records • Internal/external: maintaining trustworthiness of tokens or credentials • Internal: reducing the cost of implementing new security methods • Internal: navigating University applications may be too complicated for users

  6. Contexts • Network: for access control security • Enterprise applications: for integrity of business functions • Divisional and school applications: for consistency and ease of management • User experience: to reduce complexity

  7. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  8. Industry Trends in User Authentication • Defining clear business rules for identity creation and lifecycle management • Requiring stronger passwords • Requiring multi-factor authentication for high-value transactions • Requiring trustworthy administrative processes

  9. Business Rules for Identity Lifecycle Management • Document the necessary and sufficient conditions for identity creation • Define the lifecycle and the authorizations granted and revoked at each transition • Grant authorizations in keeping with business goals and to minimize risks • Log and audit the management processes

  10. Stronger Passwords • Password cracking technology is advancing beyond our ability to remember passwords • Because attacks are automated, risks are greater and defenses must be stronger • Passwords must become longer and more complex. • Likely future minimum will be 8 characters with more syntax requirements • Implementation requires new IdM system

  11. Multi-Factor Authentication • Factors: something you … • Know (passwords) • Have (swipe card, USB token) • Are (thumbprint, handprint, retinal pattern) • Do (typing pattern, walking gait) • How many factors are needed to be POSITIVE that the attempted access is by the real person? • What is the risk of being wrong? • What is the inconvenience? • Who will decide?

  12. The Importance of Trustworthiness • Federal guidelines for electronic signature stress the security and trustworthiness of token distribution • Federated authentication between security realms is based upon trust in our authentication assertions, a portion of which is trust in the management of tokens. • Our practices for identification, distribution and management of authentication tokens must be judged trustworthy • Policies on protection of tokens must be enforced • Trust is a contract with legal implications

  13. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  14. NUIT Plan • Single identity for each person • Four network-wide authentication services but only one and one-half authorization services • Workflow-based management of identities and access control • Federated authentication with others • Smartcards, USB tokens, etc. • A key step: remove authentication from applications and place it in the surrounding service environment

  15. Single Identity (NetID) • Why? • Tied to authoritative sources • Single token allows rapid action to allow, modify, or revoke access or permissions • Common authentication infrastructure simplifies user experience (portal, SSO) • What about aggregated risk? • Use multi-factor authentication selectively • Educate users – it’s not just e-mail now

  16. Four Services • LDAP 3.x: authentication and authorization attributes • MSFT Active Directory: authentication and some authorization attributes • MIT Kerberos 5: authentication • Web SSO: authentication and coarse-grained access control through LDAP authorization attributes

  17. Web SSO (Single Sign-On) • More correctly: Web Access Management • Presents a challenge for an authentication token and caches the resulting level of authentication in a session cookie • Extension: access policies are used to describe the authentication level needed for each URL

  18. Web Access Mgmt

  19. Timeline* * This timeline is for illustrative purposes only and should not be used in planning – please consult with an experienced professional. The views expressed are those of the author and not those of NUIT. No warranty expressed or implied. YMMV. All bets are off.

  20. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  21. How Should Applications Prepare? • Move user authentication into the Web server – application invocation implies successful authentication • Use identity management workflow to control access to the application • Use attributes for coarse-grained access control • Optional: Define institutional roles that can drive coarse-grained (and fine-grained) access control • Optional: Employ first-access provisioning to simplify management of application user profiles

  22. Authenticating at the Web Server • Applications must give up internal passwords and programming logic to check NetID passwords • Moving this function to the Web server level allows new functions (Web SSO) to be deployed without wide-spread effects • If the application is invoked, then the user was successfully authenticated

  23. Approve Access Through IdM • The Identity Management (IdM) system must know if a NetID has been granted access to an enterprise application. • Using IdM-based workflow to request, authorize, approve and grant access can support this easily. • The IdM system can enforce business rules subject to entitlements granted.

  24. Remove Access Through IdM • What business rules are appropriate (or required) when an identity changes status? • Move between departments • Move between divisions/schools • Graduation, withdrawal, no registration • Termination • Possible actions: • Continue services indefinitely or for a defined number of days • Suspend access and (a) notify individual, and/or (b) notify supervisor, and/or (c) notify service manager • Suspend without notices

  25. Coarse-Grained Access Control • Through Web SSO and access rules, any NetID attribute can be used to allow or deny access to an application Web page. • Role: “faculty”, “employee” • Entitlement: “access to HRIS” • Session environment can also be used • IP address • Level of authentication

  26. Fine-Grained Access Control • Fine-grained access control is based upon user profile information unique to the application or interpreted by the application at execution time. • “Can view salaries” • “Can change salaries” • “Can authorize checks up to $100,000” • Fine-grained access controls could be determined from institutional roles – or not • Examples: “department assistant” implies • “Can view salaries” • “Can administer grant funds within department”

  27. Coarse vs. Fine Controls

  28. First-Access Provisioning • Avoid provisioning user profiles within the application until the user attempts access • Eliminate unnecessary local user profiles • Recognizing no user profile exists: • Invoke an IdM workflow to request access • Create a place-holder profile and allow limited access by default • Automatically create a profile from attribute information (institutional roles) • Result: savings in administrative time

  29. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  30. 1. Typical “silo” application

  31. 2. Convert to NetID authentication

  32. 3. Move authentication to Web server

  33. 4. Web Access Management (SSO)

  34. 5. Coarse-grained authorization

  35. 6. Request access using IdM workflow

  36. 7. Institutional roles drive provisioning

  37. Step 8

  38. 9. Smart card authentication

  39. Agenda • What are the Problems? • Industry Trends in User Authentication • What is NUIT Planning? • How Should Application Administrators and Planners Prepare? • Transitions • Wrap-up

  40. Wrap-Up • Seek to free the application from any particular authentication technology • IdM workflow can govern the approval process, provide audit controls, and flag the user’s identity for other business rules • First-access provisioning saves time and effort for the application administrator • “Just as secure, with just as much control, just using different tools”

  41. Questions? Q & A

More Related