盛骏 Technical Specialist Novell China

Presentation on theme: "盛骏 Technical Specialist Novell China"— Presentation transcript:

1 Identity Management Solutions
盛骏, Technical Specialist, Novell China

2 Agenda: Why identity management; Novell identity management solutions; Novell single sign-on; success stories; Q&A

3 Why identity management: What is IDM?

4 The question: do I need an identity management solution?

5 A few questions: Are there too many passwords to remember across the application systems in your enterprise? As a system administrator, do you spend a great deal of time managing user accounts and access rights?
How long does it take departmental administrators to create accounts for one new user in every application system? Is that work duplicated and inefficient? When an employee leaves the enterprise, can their accounts in every application subsystem be disabled immediately? Is the user's detailed information consistent across all systems? When a new application is added, is there a consistent authentication and authorization framework it can use? How are industry policy and regulatory requirements met? Can the enterprise's application systems be monitored and tracked?

6 What the experts say: In some large enterprises, users must remember more than 20 passwords to access their systems.
30-45% of calls to IT administrators are requests for help with passwords. In most enterprises, creating a user's accounts across all applications takes from several days to several weeks. On average only 73% of internal users and 69% of external users have their accounts disabled promptly when they leave. Building secure access control separately for each application system costs a great deal extra.

7 Today's enterprise environment (diagram): employees, customers, IT administrators, suppliers, partners, mobile users, departed employees; HR system, email, LAN, PABX, finance system, other applications, CRM

8 Today's enterprise environment (diagram): employees, customers, IT administrators, suppliers, partners, mobile users, departed employees; HR system, email, LAN, PABX, finance system, other applications, CRM
How can the number of passwords enterprise users must remember be reduced? How can employees and customers access enterprise systems securely? How can the time needed to create accounts for a new user in each system be shortened? How can departed employees be prevented from continuing to access internal systems? How can employees and customers be sure of reaching the most current information in each enterprise system? How can the cost of managing user accounts be reduced? How can the enterprise's application systems be audited?

9 ISO 17799:2005 extended control point example: managing the user lifecycle, i.e. establishing and removing assets and access rights (account creation, lifecycle management, account closure)
If we take a closer look at Human Resources Security, we realize it highlights the importance of managing users, their identities and their privileges. This boils down to controlling access rights to various information assets (hardware, software and data). This means user lifecycle management from the time the relationship starts between user and company to when the relationship ends (e.g. resignation).

10 Everything becomes simple on an integrated identity platform
An integrated identity foundation gives you: role-based enterprise dashboards and user portals; auditing; user self-service; role-based resource access; an enterprise white pages directory; strong authentication; automated workflow; single sign-on; workflow-driven automated account provisioning; password management; identity-driven Web services; all built on the identity foundation.
This slide is meant to illustrate that once you have a strong identity integration platform in place, you can implement a wide range of identity-driven capabilities and solutions. Think through in advance how to explain how each of these capabilities relies on identities. This is an opportunity to see which of these capabilities matter most to the client. You can make this message more powerful if you do some research in advance to find out what kinds of challenges the organization is facing with each of these capabilities. Use this slide (the identity-driven Web services mention) to make the point that identity applies to any corporate asset (process, application, device) as well as people.
An integrated identity foundation gives you: consistent, up-to-date identity information; consistent application of business and security policies; the ability to manage relationships in a Web services environment.
"Just as one cannot manage what cannot be measured, one cannot secure what cannot be identified. Identity management can and will play a critical role in delivering an effective information security program." Earl Perkins, Meta Group, November 2003
"Moreover, identity management is critical to scaling e-business relationships across larger populations as well as enabling distributed applications to interoperate using secure Web services." Jamie Lewis, The Burton Group, July 2003

11 Identity management defined

12 Novell identity management solutions: how we do it

13 Novell identity and security management solution framework
Capabilities: automated identity and password management; foundational information security management; a unified identity store; a unified access-rights management policy; automated access-rights management; a unified password management policy; a unified system authentication policy; Web application access control management; automated security event and information management / identity auditing; application access control management; a unified audit management policy.
Products: Novell Sentinel/Audit (auditing); Novell IDM (automated identity provisioning); Novell Access Manager; Novell SecureLogin; Novell eDirectory (central identity store); SUSE Linux / other OS.

14 Identity management terminology illustrated
Conclusion: Enterprises will use multiple products to manage the complexity of user authentication and authorization in a heterogeneous environment. Short-term, Enterprise User Administration (EUA) provisioning tools help avoid the cost of adding staff rather than reducing current staff (cost avoidance vs. cost reduction). Over time, however, cost savings can be achieved using less-expensive full-time equivalents (FTEs) for administration activities, as well as by automating the request process where manual intervention is not required. The main impediments to installing EUA/provisioning tools are the lack of documented access roles based on business functionality and weakly defined procedures for handling users' changing roles. Clearly, reorganization places a burden on security administration staff, and a tool that automates even a subset of the mass of changes can help. However, if the rules governing access for a user who moves from one job to another are unclear, no automation tool will help; they will simply highlight the procedural shortcomings the organization must resolve. Enterprises report that the more time they spend in the planning stages of the project, the more successful the implementation. Gartner estimates that the upper threshold of the EUA/provisioning market is approximately 4,000 enterprises worldwide (profit, not-for-profit and government organizations) due to the characteristics of an enterprise that can justify the EUA/provisioning investment. The characteristics are size (4,000 to 5,000 users, $4 billion in revenue), complexity and heterogeneity of the technical environment, and personnel churn. Even if it is free, using an EUA/provisioning product may not make sense if the enterprise's user administration needs are not resource-intensive.

15 Novell Network Before Zero Day Start
In this deployment diagram there is no centralized center for user authentication, authorization and management. When a new application is deployed, it is unclear where its initial personnel data and authorization data should come from, and there is no ready-made user management center to draw on. Likewise, once user data is updated at any one point, there is no guarantee that the data at every other point is updated at the same time, and the most current user information across the whole enterprise deployment cannot be obtained.

16 Zero Day Start Provisioning Dataflow Infrastructure (today)
After identity management has been deployed and identities integrated, there is a clear, centralized user management platform, interconnected by rules with the enterprise portal, the single sign-on service and the enterprise's various internal applications. When a new application is deployed, it only needs to be attached to the "central identity store" to obtain the newest and most complete user identity information, and it can easily connect to and synchronize information with other applications through the identity management server. When employees access the portal, they automatically receive the appropriate usage rights in all new and old applications according to their role.

17 Novell identity management solution architecture (diagram): enterprise portal; employees; Web SSO; customers; suppliers; partners; contractors; HR system; IDM identity management; legacy-application SSO; email system; core identity management services: identity synchronization and provisioning, authentication, authorization and single sign-on, approval workflow, monitoring and auditing; PABX; other applications; finance system; network operating system.

18 Complete user lifecycle management
The main challenge of identity management is how to manage a growing group of users that are constantly changing. New employees, partners, contractors, and customers come on board daily, and they need access to business resources immediately. Users struggle with remembering multiple passwords. New projects require immediate and temporary access rights. Employees change location, so their access and information change. Current users' responsibilities change, and so do their access privilege needs and profile information. Or their relationship ends, and you need to quickly revoke their access completely. It is critical for organizations to be able to streamline user administration throughout the user lifecycle with the organization.
With Nsure Identity Manager, you can: deliver first-day access to essential resources (provisioning); synchronize multiple passwords into a single login (password management); modify or revoke access rights and information instantly as the user's role changes (routine user administration); allow users to manage their own passwords and information; de-provision users when the relationship ends (de-provisioning).
This presentation will focus on the four key identity management capabilities that address all aspects of user lifecycle management: Provisioning; De-Provisioning; Routine User Administration; Deprovisioning.

19 Policy-based access: Who are you? What is your role? Which systems can you access? Your business
If you're a CIO, every decision you make about giving people access to your business resources, every effort you make to deliver services or content to people, is based on identity. You can't deliver resources to people, or effectively control access to those resources, unless you know who they are, how they relate to your business, and what they need from you. But there are just too many systems, too many people, and too many complex roles and relationships to deal with, especially if it's done manually, system by system, person by person. Getting exactly the right information to exactly the right people is a major challenge, especially in diverse, complex organizations.

20 Policy management (diagram): identity; security policy defined one time, applied automatically across all systems, eliminating errors; Your business; employees, partners, B2B, customers; finance, marketing, sales, customer service
That leads us to another major identity-related concern: making sure people have access to the information and resources they need, and nothing else. Granting appropriate access rights can be a complicated, expensive, and mistake-prone process when you're dealing with thousands of people and dozens of different systems. Novell Nsure links all of your applications, databases, and directories, and allows you to centrally store and manage security policies across all those systems. That means you can create security and access policies one time, then automatically apply them to all the systems in your organization. Not only does this save your business the time and expense of creating and maintaining security policies on dozens of different systems, but it also eliminates the kinds of mistakes and omissions that result in access security holes. This kind of centralized, identity-based access control framework means you can finally grant people outside your organization safe, controlled access to your corporate resources, and build more productive, personalized business relationships with customers, partners, and suppliers. And Novell Nsure also offers a number of solutions that leverage your Secure Identity Management framework to control and manage passwords, so you can eliminate the help desk calls and security problems that come when people have to remember multiple usernames and passwords for different systems. With a secure identity management framework in place, you'll never have to worry about ex-employees still having access to random systems weeks or months after they leave your company. It's also very easy to add auditing capabilities to Novell's Nsure framework. These capabilities use the directory to track transactions across many different systems, ensure accuracy, and provide a record.
These auditing capabilities provide an easy, cost-effective way for organizations to comply with industry and government regulations (HIPAA, FDIC, Gramm-Leach-Bliley, and the Data Protection Act are a few examples).

21 Role-based user provisioning. Scenario: a new user joins.
1) A new user record is created in the HR system (or another authoritative data source). 2) Identity Manager captures the user-creation event. 3) Identity Manager then creates an account in each connected system and synchronizes the appropriate information based on the established business rules.
Diagram: HR Manager; Waldo Wilkes; wwilkes; database; CRM; accounting system; Microsoft Exchange; Nsure Identity Manager; Waldo_Wilkes; physical resources.
Role-based User Provisioning: The HR manager enters a record in the HR system for Waldo Wilkes, a new physician at one of the DH&MC hospitals. Nsure Identity Manager steps in and automatically:
- Captures the information and applies DH&MC business rules to create the appropriate name formats and data replication in all connected applications and systems, for example creating the name wwilkes based on the company's naming policy.
- Creates accounts in other applications, which in turn provide authoritative identity information. For example, Microsoft Exchange acts as the authoritative source for addresses. Based on this rule, Microsoft Exchange creates the address and Novell Identity Manager communicates it to all of the other connected systems.
- Transforms data into appropriate formats for each connected system. For example, in PeopleSoft* the phone number format is xxx-xxx-xxxx while the Microsoft Exchange phone number format is (xxx) xxxxxxx. Based on these business rules, Nsure Identity Manager transforms the phone number format to the correct one for each system.
- Responds to this modification by applying the appropriate business rules to update all other applications. For example, Nsure Identity Manager creates a Microsoft Exchange mailbox in the Austin, Texas container, because PeopleSoft, the authoritative source for location information, lists Austin as Waldo Wilkes' work location.

22 Routine user administration. Scenario: a user's information changes.
Remove the user's access to systems as policy requires; automatically provision accounts on the new systems; set passwords on the new systems.
Diagram: internal applications; OA; email system; database-based applications; Nsure Identity Manager; various mobile devices; business systems; internal staff.
Now we move on to the next section of the user lifecycle. This area represents the majority of user administration: the daily administration tasks associated with various events such as users receiving promotions, moving locations, new projects, etc. In this case we focus on the scenario of someone receiving a job promotion. The administration tasks that potentially would need to be performed at a "promotion" event are the following: 1. Remove (de-provision) access to systems; 2. Provision access to new systems; 3. Set passwords on new systems. This slide highlights the automated user administration (provisioning and de-provisioning) processes. This scenario highlights the fact that de-provisioning is not just about when a person leaves the company. The same security risks exist whenever a user changes roles or responsibilities in the organization. Walk through the steps outlined on the slide. In the next slide we will talk about the self-service capabilities that would allow a user to update their own profile information that may have changed as well during a promotion.

23 Automatic de-provisioning. Scenario: automatic removal of an employee account.
1) The user account is deleted in the HR system. 2) The identity store captures the account-deletion event. 3) The identity store automatically disables the account in every system.
Diagram: HR system; OA; faculty/staff member Li Bin; database-based applications; email system; business systems; identity store; various mobile devices.
Capabilities, de-provisioning: Users are immediately de-provisioned when relationships end. It lets IT remove all access to business resources when a user's relationship with the enterprise ends. De-provisioning reduces security risks by preventing former employees, partners, and others from accessing corporate assets. It also saves money by eliminating lingering access to cell phones, phone cards, home Internet connections and other corporate resources. Walk through the steps outlined on the slide.
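The three scenarios above (first-day provisioning, a role change, and de-provisioning) are all the same mechanism: an event from the authoritative HR source is pushed through policy to every connected system. The following is an added illustration, not Novell code; the naming policy, the role-to-system mapping, the system names and the phone formats are assumptions modelled on the slides' Waldo Wilkes example.

```python
import re
from dataclasses import dataclass
# Assumed naming policy from the slide: first initial + surname, lower-case.
def login_name(first: str, last: str) -> str:
    return (first[0] + last).lower()
# Assumed per-system phone formats (the slide's PeopleSoft / Exchange example).
PHONE_FORMAT = {
    "peoplesoft": lambda d: f"{d[:3]}-{d[3:6]}-{d[6:]}",
    "exchange": lambda d: f"({d[:3]}) {d[3:]}",
}
# Assumed role -> connected-systems policy: drives provisioning on join and
# de-provisioning when the role changes or the relationship ends.
ROLE_SYSTEMS = {
    "physician": {"peoplesoft", "exchange", "clinical"},
    "accountant": {"peoplesoft", "exchange", "finance"},
}
ALL_SYSTEMS = {"peoplesoft", "exchange", "clinical", "finance"}

@dataclass
class Account:
    login: str
    attrs: dict
    enabled: bool = True

class IdentityManager:
    """Applies one authoritative HR event (add/modify/delete) to every connected system."""
    def __init__(self):
        self.systems = {s: {} for s in ALL_SYSTEMS}  # system -> {login: Account}

    def handle(self, event: dict) -> str:
        login = login_name(event["first"], event["last"])
        # Relationship ended: the user is entitled to nothing, anywhere.
        wanted = set() if event["op"] == "delete" else ROLE_SYSTEMS[event["role"]]
        digits = re.sub(r"\D", "", event.get("phone", ""))
        for name, accounts in self.systems.items():
            if name not in wanted:
                if login in accounts:          # de-provision rather than leave lingering access
                    accounts[login].enabled = False
                continue
            attrs = {"displayName": f"{event['first']} {event['last']}"}
            if digits:                         # transform to the target system's own format
                attrs["phone"] = PHONE_FORMAT.get(name, lambda d: d)(digits)
            if login in accounts:              # routine change: update and re-enable
                accounts[login].attrs.update(attrs)
                accounts[login].enabled = True
            else:                              # new user: first-day provisioning
                accounts[login] = Account(login, attrs)
        return login

    def access(self, login: str) -> set:
        """Systems where the login currently holds an enabled account."""
        return {s for s, a in self.systems.items() if login in a and a[login].enabled}

def demo() -> dict:
    """Constructed HR events for the slide's sample user; returns access after each step."""
    idm = IdentityManager()
    base = {"first": "Waldo", "last": "Wilkes", "phone": "512 555 0100"}
    idm.handle({"op": "add", "role": "physician", **base})
    joined = idm.access("wwilkes")
    idm.handle({"op": "modify", "role": "accountant", **base})
    moved = idm.access("wwilkes")
    idm.handle({"op": "delete", **base})
    return {"join": joined, "move": moved, "leave": idm.access("wwilkes"),
            "phones": {s: idm.systems[s]["wwilkes"].attrs["phone"] for s in PHONE_FORMAT}}
```

Note that the role change disables the old role's system (clinical) rather than leaving it, which is the point slide 22 makes: de-provisioning applies to every role change, not only to departures.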

24 Integrated approval workflow: approval status can be displayed in the user application interface. Comprehensive workflow capabilities, including: resource provisioning for roles, groups and individuals; delegated administration and proxy mechanisms;
expiry tracking and escalation policies; self-service provisioning; no programming required (Java, scripts, XML, etc.).

25 Identity information services: advanced display of identity attributes, powerful organization charts and an enterprise white pages directory; self-service password management; hierarchical delegated administration.

26 Built-in provisioning reports

27 Designer for Identity Manager
The most powerful visual tool for designing an identity management environment: configure complex systems graphically; simulate configuration scenarios for testing; automatically generate documentation for every configuration detail; reuse repeated configuration modules to reduce deployment time.

28 Novell Identity Manager connectable systems
Databases: IBM DB2, Informix, Microsoft SQL Server, MySQL, Oracle, Sybase, JDBC.
Directories: Critical Path InJoin Directory, IBM Directory Server (SecureWay), iPlanet Directory Server, Microsoft Active Directory, Microsoft Windows NT Domains, Netscape Directory Server, NIS, NIS+, Novell NDS, Novell eDirectory, Oracle Internet Directory, Sun ONE Directory Server, LDAP.
Systems: Microsoft Exchange 2000, 2003, Microsoft Exchange 5.5, Novell GroupWise, Lotus Notes.
Enterprise applications: Baan, Banner, J.D. Edwards, Lawson, Oracle, PeopleSoft, SAP HR, SAP R/3 4.6 and SAP Enterprise Systems (BASIS), SAP Web Application Server 6.20, Siebel.
Enterprise message bus: BEA, IBM WebSphere MQ, Open JMS, JBoss, Sun, TIBCO.
Mainframe: RACF, ACF2, Top Secret. Midrange: OS/400 (AS/400).
Operating systems: Microsoft Windows NT 4.0, Microsoft Windows 2000, 2003, SUSE LINUX, Debian Linux, FreeBSD, Red Hat AS and ES, Red Hat Linux, HP-UX, IBM AIX, Solaris, UNIX files (/etc/passwd).
Other: delimited text, Remedy (for help desk), SOAP, DSML, SPML, Schools Interoperability Framework (SIF).
PBX: Avaya PBX, Cisco, Nortel.
Plus, our connectivity is bi-directional and synchronizes more than just user names. Our systems can be configured to connect any object at the attribute level: true enterprise application integration. Use Novell Composer for even more connectivity.

29 Industry testimonials: Both these studies by IDC and Radicati were done in The Radicati report was published in Nov 2003.

30 Industry testimonials: In January 2006 Novell won InfoWorld's Technology of the Year award for "Best Identity Management Software"
In InfoWorld's 2006 Technology of the Year awards, the Novell Identity Manager identity management solution was selected as "Best Identity Management Software". This is a highly prestigious award; its winners are chosen by a panel of analysts at the InfoWorld Test Center through comparative testing of each vendor's products for innovation, performance and efficiency. InfoWorld said of Novell's identity management: "Powerful graphical workflow, design and configuration tools, an intuitive, easy-to-use user interface, and a solid directory server as its foundation make Novell identity management the most advantaged and most powerful identity management software provider." InfoWorld Magazine, January 2006.
In this recent InfoWorld review, Novell regained our leadership in the identity management market largely because of our recently released workflow capabilities as well as Designer for Identity Manager.

31 Novell identity management summary: integrate and synchronize the accounts in every system that has its own account management, including operating systems, application systems, databases and directory services.
User lifecycle management; powerful password management; role-based access control management; concise policy definition; delegated administration; log auditing and reporting; role-based provisioning workflow; approval workflow; self-service subscription.
Now that you're focused on the right target customer, let's take a closer look at what Identity Manager can do. By integrating and synchronizing user accounts, nobody has more than one identity on the enterprise. This closes potential security holes. It also ensures that users get the appropriate access, throughout their relationship with the organization. With role-based provisioning, Identity Manager automatically provides additional resources or takes them away when an employee's role changes. The add-on provisioning module allows employees to request resources and get approvals through automated workflows. Self-service features save time for the IT staff as well.

32 Novell access control and single sign-on

33 Novell access control architecture

34 Single sign-on without modifying applications: the user authenticates to the access gateway through a Liberty Alliance-compliant identity server; the gateway connects to the application system according to the defined policy;
the user obtains access rights to the application system and single sign-on is completed in the same step; all data transmitted between the gateway and the browser is encrypted.

35 Novell single sign-on architecture

36 Enterprise desktop single sign-on (diagram): application server; client; directory service; SecureLogin obtains the credentials from the directory; authenticates to eDirectory.

37 Enterprise desktop single sign-on (diagram): application server; client workstation; directory; the application is invoked;
the application server requests authentication information; NSL passes the obtained credentials to the application server; access is granted and the user starts working directly.

38 Enterprise desktop application single sign-on: a directory-based, cross-platform secure single sign-on solution, intended mainly for internal employees. It is the SSO solution supporting the most applications on the market today, for example:
almost all Windows logins, as well as Citrix and Telnet environments; client access such as Lotus Notes and Microsoft Outlook; remote access and access systems such as Remote Authentication Dial-In User Service (RADIUS)-compliant routers, including firewall and VPN logins; many other terminal emulators, including Attachmate Extra, Eicon Aviva and IBM Personal Communications, etc. All of this requires only a 7 MB agent installed on the user's Windows machine.

39 Advantages of the Novell solution: comprehensive scalability; high security; low risk; user account integration across systems; platform independence; support for technical standards; a single entry point; a single point of management;
powerful password management; user self-service; no application modification required; non-intrusive integration; flexible and powerful graphical implementation tools that reduce implementation difficulty.

40 Success stories

41 Novell Global Customer List (Partial)

42 Global IdM Customers (partial)
Government: Victorian Government, French Tax Authority, Hong Kong SAR, Macau Government, Ministry of Defence UK, Shenzhen Tax, ComSuper, Michigan State Police.
Telcos: British Telecom, Maxis Communications, Celcom, Telecom NZ, Brazil Telecom.
Manufacturing: MXIC, Philips Electronics, TCL, TRW Automotive.
Insurance: MBF Australia, Allianz Suisse, Standard Life.
Aviation: Star Alliance, Lufthansa, Cathay Pacific.
Banking/Finance: Bank of Montreal, St George Bank, PNC Bank, Sumitomo Mitsui Bank, Bank Mutual, Taishin Bank, ChinaTrust Bank, Cosmos Bank, US Bank, Bank One, M&T Bank, Nan Hai Nong Shin, China Construction Bank, Kbank, TransUnion, GKB.
Others: RadioShack, Coles Myer, Hartford Hospital, Husky, Hewitt Associates, Keppel Corporation, Assumption University, Metrogas.

43 This is Your Open Enterprise™

