Identity and Access Management (IAM)

Discussion in 'Computer Security' started by itsecgirl, Dec 8, 2005.

  1. itsecgirl

    itsecgirl Guest

    Hi all,

    I'm new to specializing in Identity and Access Management but not new
    to security. I'm curious to see what many of you corporate users are
    using for this space and if you have a solution in place, which one is
    it? If you don't, then I'd like to get feedback on your plans for IAM.
    I'm trying to get a focus group survey on the leading players in this
    space from real development and operations experience.

    I'm currently working with Netegrity SiteMinder (also known as eTrust
    SiteMinder from Computer Associates), IBM Tivoli TIM/TAM, and next
    week, I'll be introduced to Sun's suite. If you're interested in this
    area, please post something here so I can follow up with you. Thanks!



    -just a girl
    itsecgirl, Dec 8, 2005
    #1

  2. "itsecgirl" <> wrote in message
    news:...
    > Hi all,
    >
    > I'm new to specializing in Identity and Access Management but not new
    > to security. I'm curious to see what many of you corporate users are
    > using for this space and if you have a solution in place, which one is
    > it? If you don't, then I'd like to get feedback on your plans for IAM.
    > I'm trying to get a focus group survey on the leading players in this
    > space from real development and operations experience.
    >
    > I'm currently working with Netegrity SiteMinder (also known as eTrust
    > SiteMinder from Computer Associates), IBM Tivoli TIM/TAM, and next
    > week, I'll be introduced to Sun's suite. If you're interested in this
    > area, please post something here so I can follow up with you. Thanks!
    >
    >
    >
    > -just a girl
    >

    Take a look at Sun's Open Source XACML on Sourceforge. In conjunction with
    Public Key Infrastructure it can do the job nicely. See also Signet, a
    project of Internet2.
    Regards,
    Ed
    Edward A. Feustel, Dec 9, 2005
    #2

  3. "Edward A. Feustel" <> writes:
    > Take a look at Sun's Open Source XACML on Sourceforge. In
    > conjunction with Public Key Infrastructure it can do the job
    > nicely. See also Signet, a project of Internet2. Regards, Ed


    one of the issues is PKIs have frequently confused identification
    and authentication. one of the issues was early 90s with work
    on pki x.509 identity digital certificates possibly becoming
    grossly overloaded with personal information.

    later in the mid-90s there were things called relying-party-only
    certificates that were invented because of the privacy and liability
    concerns regarding identity certificates carrying personal information
    http://www.garlic.com/~lynn/subpubkey.html#rpo

    the issue with relying-party-only certificates is that it is trivial
    to demonstrate that they are redundant and superfluous ... aka if all
    the necessary information is really on file and has to be referenced
    for authentication operations ... then the digital certificates can be
    eliminated totally and everything retrieved from the online file.

    there is also the original pk-init draft for kerberos
    http://www.garlic.com/~lynn/subpubkey.html#kerberos

    registering a public key in lieu of password and doing digital
    signature verification instead of password matching. later the pk-init
    draft had the pki-based stuff added. periodically i get email from the
    person claiming responsibility for having pki-based stuff added to the
    pk-init draft, apologizing.

    recent discussion in crypto mailing list regarding applicability of
    pki to email authentication.
    http://www.garlic.com/~lynn/aadsm21.htm#26 X.509 / PKI, PGP, and IBE Secure Email Technologies
    http://www.garlic.com/~lynn/aadsm21.htm#27 X.509 / PKI, PGP, and IBE Secure Email Technologies
    http://www.garlic.com/~lynn/aadsm21.htm#28 X.509 / PKI, PGP, and IBE Secure Email Technologies
    http://www.garlic.com/~lynn/aadsm21.htm#29 X.509 / PKI, PGP, and IBE Secure Email Technologies
    http://www.garlic.com/~lynn/aadsm21.htm#30 X.509 / PKI, PGP, and IBE Secure Email Technologies
    http://www.garlic.com/~lynn/aadsm21.htm#31 X.509 / PKI, PGP, and IBE Secure Email Technologies

    part of this is that operational pki identity business processes were
    originally targeted at first-time communication between complete
    strangers ... where the respective parties had no (other) means of
    directly accessing information about the other party (the letters of
    credit/introduction from the sailing ship days). if you apply that to
    say kerberos operation (allowing somebody to connect to your system)
    ... the implication is that everybody that can present a valid pki
    x.509 identity digital certificate would be allowed access to your
    system ... there wouldn't need to be any predefined vetting or userid
    definition.

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Anne & Lynn Wheeler, Dec 10, 2005
    #3
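
The registered-public-key approach described in the post above (a public key on file in lieu of a password, signature verification instead of password matching), as an added example that is not part of the original thread. The `Registry` type, its method names, the in-memory map standing in for the account file, and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is the relying party's account file: userid -> registered public key.
// (Hypothetical type; no certificate is involved anywhere.)
type Registry struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding one-time challenge per userid
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register records a vetted user's public key where a password hash would go.
func (r *Registry) Register(user string, pub ed25519.PublicKey) { r.keys[user] = pub }

// Challenge issues a fresh nonce, but only for a userid that is already on file.
func (r *Registry) Challenge(user string) ([]byte, error) {
	if _, ok := r.keys[user]; !ok {
		return nil, errors.New("unknown userid")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature with the key on file and consumes the challenge.
func (r *Registry) Verify(user string, sig []byte) bool {
	nonce, ok := r.pending[user]
	if !ok {
		return false
	}
	delete(r.pending, user) // single use: a replayed signature finds no challenge
	return ed25519.Verify(r.keys[user], nonce, sig)
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Register("alice", pub) // constructed sample account
	nonce, _ := reg.Challenge("alice")
	fmt.Println("alice authenticated:", reg.Verify("alice", ed25519.Sign(priv, nonce)))
}
```

Access here depends on the userid having been defined in advance, so a holder of some other valid key pair gets nothing, which is the contrast the post draws with accepting any valid identity certificate.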
  4. itsecgirl

    itsecgirl Guest

    Hi all, thanks for your posts!

    It was interesting to see the old x.509 and PKI discussion. I must say
    I had my share of challenges with that technology but that was more
    than 5 years ago. From my past experience, x.509, PKI, and Kerberos are
    used for authentication; however, do you think companies now need more
    than that? The suite of products I mentioned above covers
    authentication, authorization, and SSO. I'm interested in finding out
    how widely enterprise identity management solutions are used. If you have
    a solution, what product are you using and what are your comments on
    your likes and challenges?
    itsecgirl, Dec 15, 2005
    #4
  5. "itsecgirl" <> wrote in message
    news:...
    > Hi all, thanks for your posts!
    >
    > It was interesting to see the old x.509 and PKI discussion. I must say
    > I had my share of challenges with that technology but that was more
    > than 5 years ago. From my past experience, x.509, PKI, and Kerberos are
    > used for authentication; however, do you think companies now need more
    > than that? The suite of products I mentioned above covers
    > authentication, authorization, and SSO. I'm interested in finding out
    > how widely enterprise identity management solutions are used. If you have
    > a solution, what product are you using and what are your comments on
    > your likes and challenges?
    >

    In a heterogeneous environment, the products will need to interoperate.
    This either means standards or mapping from one group's products to
    those of another.

    Another thing that is needed is a standard API that permits end-user
    programs to make use of the features of the infrastructure to make
    authorization decisions (if each application is an island).

    Finally the infrastructure itself needs to be made (and kept) as threat
    resistant as is demanded by the highest level of security maintained by
    the whole system.

    Auditing of the distributed system and a reasonable way of inspecting the
    audit is also needed.
    Ed
    Edward A. Feustel, Dec 16, 2005
    #5