Identity and Access Management (IAM)

Discussion in 'Computer Security' started by itsecgirl, Dec 8, 2005.

  1. itsecgirl (Guest)

    Hi all,

    I'm new to specializing in Identity and Access Management but not new
    to security. I'm curious to see what many of you corporate users are
    using for this space and if you have a solution in place, which one is
    it? If you don't, then I'd like to get feedback on your plans for IAM.
    I'm trying to get a focus group survey on the leading players in this
    space from real development and operations experience.

    I'm currently working with Netegrity SiteMinder (also known as eTrust
    SiteMinder from Computer Associates), IBM Tivoli TIM/TAM, and next
    week, I'll be introduced to Sun's suite. If you're interested in this
    area, please post something here so I can follow up with you. Thanks!

    -just a girl
    itsecgirl, Dec 8, 2005

  2. Take a look at Sun's Open Source XACML on Sourceforge. In conjunction with
    Public Key Infrastructure
    it can do the job nicely. See also Signet, a project of Internet2.
    Edward A. Feustel, Dec 9, 2005

  3. one of the issues is PKIs have frequently confused identification
    and authentication. one of the issues was in the early 90s with work
    on pki x.509 identity digital certificates possibly becoming
    grossly overloaded with personal information.

    later in the mid-90s there were things called relying-party-only
    certificates that were invented because of the privacy and liability
    concerns regarding identity certificates carrying personal information

    the issue with relying-party-only certificates is that it is trivial
    to demonstrate that they are redundant and superfluous ... aka if all
    the necessary information is really on file and has to be referenced
    for authentication operations ... then the digital certificates can be
    eliminated totally and everything retrieved from the online file.

    there is also the original pk-init draft for kerberos

    registering a public key in lieu of password and doing digital
    signature verification instead of password matching. later the pk-init
    draft had the pki-based stuff added. periodically i get email from the
    person claiming responsibility for having pki-based stuff added to the
    pk-init draft, apologizing.

    recent discussion in crypto mailing list regarding applicability of
    pki to email authentication. X.509 / PKI, PGP, and IBE Secure Email Technologies

    part of this is that operational pki identity business processes were
    originally targeted at first-time communication between complete
    strangers ... where the respective parties had no (other) means of
    directly accessing information about the other party (the letters of
    credit/introduction from the sailing ship days). if you apply that to
    say kerberos operation (allowing somebody to connect to your system)
    .... the implication is that everybody that can present a valid pki
    x.509 identity digital certificate would be allowed access to your
    system ... there wouldn't need to be any predefined vetting or userid
    Anne & Lynn Wheeler, Dec 10, 2005
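    The pk-init idea described in this post (register a public key in lieu of a password, then verify a digital signature instead of matching a password) as an added, self-contained Go example; it is not code from the thread or from any Kerberos implementation. It assumes Ed25519 keys (the original draft predates that algorithm; the mechanism is the same), a constructed principal name, and a simple in-memory registry standing in for the KDC's principal database. The verifier never stores or compares a secret: it holds only public keys and checks a signature over a fresh random challenge, which also defeats replay of a captured signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry stands in for the KDC's principal database. Instead of a password
// (or a password-derived key) it stores each principal's registered public key,
// so a compromise of this store yields nothing usable for impersonation.
type Registry struct {
	keys map[string]ed25519.PublicKey
}

// NewRegistry returns an empty registry (hypothetical helper, not a real API).
func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}}
}

// Register records a principal's public key: the "register a public key in
// lieu of a password" step from the pk-init draft.
func (r *Registry) Register(principal string, pub ed25519.PublicKey) {
	r.keys[principal] = pub
}

// Challenge produces a fresh random nonce. Signing a server-chosen nonce (rather
// than a fixed string) is what stops a recorded signature from being replayed.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Authenticate is the server side: look up the registered key and verify the
// client's signature over the challenge. No password matching takes place.
func (r *Registry) Authenticate(principal string, challenge, sig []byte) error {
	pub, ok := r.keys[principal]
	if !ok {
		return errors.New("unknown principal")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

// SignChallenge is the client side: the private key never leaves the client;
// only the signature over the challenge crosses the wire.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	// Constructed principal and freshly generated key pair for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Register("alice@EXAMPLE.COM", pub)

	nonce, _ := Challenge()
	sig := SignChallenge(priv, nonce)
	fmt.Println("fresh challenge:", reg.Authenticate("alice@EXAMPLE.COM", nonce, sig))

	// A signature captured from an earlier exchange does not verify against a new challenge.
	nonce2, _ := Challenge()
	fmt.Println("replayed signature:", reg.Authenticate("alice@EXAMPLE.COM", nonce2, sig))
}
```

    Note what the registry does not contain: there is no password hash to crack and no shared secret to phish, which is the operational difference the post is pointing at between signature verification and password matching. A real deployment would also bind the challenge to the session (timestamp or transcript hash) so that a signature cannot be relayed to a different server.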
  4. itsecgirl (Guest)

    Hi all, thanks for your posts!

    It was interesting to see the old x.509 and PKI discussion. I must say
    I had my share of challenges with that technology but that was more
    than 5 years ago. From my past experience, x.509, PKI, and Kerberos are
    used for authentication however, do you think companies now need more
    than that? The suite of products I mentioned above covers
    authentication, authorization, and SSO. I'm interested in finding out
    how widely enterprise identity management solutions are used. If you have
    a solution, what product are you using, and what are your comments on
    your likes and challenges?
    itsecgirl, Dec 15, 2005
  5. In a heterogeneous environment, the products will need to interoperate.
    This either means standards or mapping from one group's products to
    those of another.

    Another thing that is needed is a standard API that permits end users
    to make use of the features of the infrastructure to make authorization
    decisions (if each application is an island).

    Finally the infrastructure itself needs to be made (and kept) as threat
    as is demanded by the highest level of security maintained by the whole

    Auditing of the distributed system and a reasonable way of inspecting the
    audit is also needed.
    Edward A. Feustel, Dec 16, 2005