Wendy Nather, Research Director, Enterprise Security Practice, 451 Research
At first, "identities" just meant employees, and then they meant customers and partners. Then the cloud came along, and all hell broke loose.
But it's always been a lot more complicated in government, due to the intersection of roles, context, legal requirements, public information and privacy rights, and a dynamic environment. This is a real-life case study of the migration from a custom-written, ten-year-old single sign-on portal with around 60 applications to a COTS IAM product. Thirty minutes can't do it justice, but it'll be enough to bring some of the pain.
CIS13: The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas
1. The Good, The Bad, and the Government: Wrangling Attributes in the State of Texas
Wendy Nather, @451wendy
Research Director, Enterprise Security Practice
2. The backdrop
Custom-written single sign-on portal (10+ years old)
Provides SSO for ~60-75 apps
External user base of ~50,000
Internal user base of ~800
The challenge: drag it kicking and screaming into some part of the 21st century
3. Other complicating factors
Family Educational Rights and Privacy Act (FERPA) compliance
~1300 school districts
~8,000 campuses
~20 regional educational service centers (ESCs)
Other partners/stakeholders: other Texas state agencies, higher education, contractors of all kinds, nonprofits, educators, certification bodies … roughly 2500 different organizations
4. Multiple roles and contexts
TEA employee of some division or cost center, at some position level
Contractors pretending to be TEA employees
Personnel at ESCs, districts, campuses
Administrators, educators, auditors, researchers
People using different applications in different capacities on behalf of multiple organizations
Differing levels of delegation, both organizational and legal
5. Getting a clue
Professor Plum
  in the kitchen
    with a lead pipe
    with a candlestick
  in the library
    with a lead pipe
    with a rope

6. Getting a clue
Professor Plum
  killing
    in the kitchen
      with a lead pipe
      with a candlestick
  being killed
    in the library
      with a lead pipe
      with a rope

7. Getting a clue
Professor Plum
  killing
    in the kitchen
      with a lead pipe
      with a candlestick
    in the library
      with a lead pipe
      with a rope
  being killed
    in the kitchen
      with a lead pipe
      with a rope
    in the library
      with a lead pipe
      with a candlestick
10. Context plus governance = …
Identity authority: who you are
+ Access authority: why you should have access
= Entitlements: what you may access
12. Workflow example
(diagram; only its labels survive: TEA, ESC, District1, District2, User, App owner, App owner, Delegate)
13-16. Constraints
Can't be full federation due to compliance requirements
Principle of least privilege means scoping down wherever possible
Separation of duties requires discrete roles and entitlements
And remember …
Most of the users don't really want to be there.
They are not at all technical.
And you can't fire them.
17. Moral of the story
Need to be granular with identity, authorization and entitlements for risk and compliance management
Be careful with RBAC: keep it out of your code
IAM is not a project, it's an ongoing journey
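The points made on slides 4, 10, 13 and 17 (one person acting in several capacities for several organizations, identity plus access authority yielding entitlements, least privilege and separation of duties, and keeping the role logic out of application code) can be shown together in one small model. The following is an added example written for this page, not code from the talk or from any TEA system: the scope hierarchy, organization and application names, role names, policy rules and dates are all constructed, and the `PARENT_SCOPE`, `POLICY` and `SOD_CONFLICTS` tables stand in for whatever directory, database or IAM product would hold that data in a real deployment.

```python
# Added illustration, not code from the talk or from any TEA system: scoped role assignments,
# delegation and separation-of-duties checks, with the access policy held as data. Names and dates are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed hierarchy: campus -> district -> education service center (ESC) -> agency.
PARENT_SCOPE: dict[str, str] = {
    "campus:101": "district:1", "campus:102": "district:1", "campus:201": "district:2",
    "district:1": "esc:4", "district:2": "esc:4", "esc:4": "agency:TEA",
}

# Policy as data: (application, action) -> roles permitted. Changing it touches no application code.
POLICY: dict[tuple[str, str], frozenset[str]] = {
    ("records", "read"):  frozenset({"district_admin", "educator", "auditor"}),
    ("records", "write"): frozenset({"district_admin"}),
}

# Separation of duties: role pairs one person must not hold over overlapping scopes.
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({frozenset({"district_admin", "auditor"})})

def scope_covers(granted: str, requested: str) -> bool:
    """True if a role granted at `granted` applies at `requested` (same unit or an ancestor of it)."""
    cur: str | None = requested
    while cur is not None:
        if cur == granted:
            return True
        cur = PARENT_SCOPE.get(cur)
    return False

@dataclass(frozen=True)
class Assignment:
    role: str
    org: str                        # organization on whose behalf the role is exercised
    scope: str                      # narrowest unit the role applies to
    expires: date | None = None     # delegated assignments must carry an expiry
    delegated_by: str | None = None

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires

@dataclass
class Identity:
    user_id: str
    assignments: list[Assignment] = field(default_factory=list)

def entitlements(identity: Identity, app: str, scope: str, today: date) -> set[str]:
    """Who you are + why you should have access (role, scope, expiry) -> what you may access."""
    actions: set[str] = set()
    for a in identity.assignments:
        if not a.active(today) or not scope_covers(a.scope, scope):
            continue
        for (p_app, action), roles in POLICY.items():
            if p_app == app and a.role in roles:
                actions.add(action)
    return actions

def sod_violations(identity: Identity, today: date) -> set[tuple[str, str]]:
    """Conflicting role pairs one identity holds over overlapping scopes."""
    active = [a for a in identity.assignments if a.active(today)]
    found: set[tuple[str, str]] = set()
    for x in active:
        for y in active:
            if x.role >= y.role:        # visit each unordered pair once
                continue
            if frozenset({x.role, y.role}) in SOD_CONFLICTS and (
                    scope_covers(x.scope, y.scope) or scope_covers(y.scope, x.scope)):
                found.add((x.role, y.role))
    return found

def delegate(delegator: Assignment, to: Identity, scope: str, expires: date, by: str) -> Assignment:
    """Delegate a role scoped down: never wider or longer-lived than the source assignment."""
    if not scope_covers(delegator.scope, scope):
        raise PermissionError(f"cannot delegate {delegator.role} beyond {delegator.scope}")
    if delegator.expires is not None and expires > delegator.expires:
        raise PermissionError("delegation cannot outlive the delegator's own assignment")
    granted = Assignment(delegator.role, delegator.org, scope, expires, delegated_by=by)
    to.assignments.append(granted)
    return granted

def demo(today: date = date(2013, 7, 10)) -> dict:
    """Constructed scenario: one person acting for two organizations, a delegation, a SoD clash."""
    pat = Identity("pat", [Assignment("district_admin", "District1", "district:1"),
                           Assignment("educator", "District2", "campus:201")])
    chris = Identity("chris")
    delegate(pat.assignments[0], chris, "campus:101", date(2013, 8, 9), by="pat")
    try:
        delegate(pat.assignments[0], chris, "district:2", date(2013, 8, 9), by="pat")
        overreach = "allowed"
    except PermissionError:
        overreach = "refused"
    pat.assignments.append(Assignment("auditor", "ESC4", "esc:4"))   # creates a SoD conflict
    return {
        "pat_campus101": entitlements(pat, "records", "campus:101", today),
        "pat_campus201": entitlements(pat, "records", "campus:201", today),
        "chris_campus101": entitlements(chris, "records", "campus:101", today),
        "chris_after_expiry": entitlements(chris, "records", "campus:101", date(2013, 9, 1)),
        "overreach": overreach,
        "pat_sod": sod_violations(pat, today),
    }
```

Running `demo()` shows Pat with read and write on campus 101 (as District1's admin) but read only on campus 201 (as a District2 educator), Chris able to act on campus 101 only until the delegation expires, a refused attempt to delegate into District2 that Pat never held, and the district_admin/auditor pairing flagged once Pat is also made an auditor over the whole ESC. Applications only ever call `entitlements`; the roles, their scopes and the conflict pairs live in data that can be changed, audited and reviewed without a release.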