Dell Software Solutions For Identity And Access Management . - MeriTalk


Dell Software Solutions for Identity and Access Management in Government
Connected Security for FICAM and SICAM with Dell One Identity Solutions

Abstract

Cybersecurity is the foundation upon which governments provide information technology-based services to users and constituents. Critical to providing a safe and effective cybersecurity infrastructure is identity and access management (IAM): ensuring that users have proper access to the information and applications to which they're entitled, no more, no less.

The federal government's Federal Identity, Credential and Access Management (FICAM) framework defines the required functionality for IAM in U.S. agency and organization infrastructures. A similar framework, State Identity, Credential and Access Management (SICAM), adapts FICAM for state governments.

This paper explains how Dell Software's IAM solutions can help your agency or organization achieve, maintain and prove FICAM or SICAM compliance.

Introduction

The FICAM Roadmap and Implementation Guidance document was first published in 2009, and version 2.0 was released at the end of 2011. The Office of Management and Budget's Memorandum 11-11 requires that agencies align their processes with that document. The State Identity Credential and Access Management (SICAM) Guidance and Roadmap document was published in September 2012 by the National Association of State Chief Information Officers (NASCIO).

It should be noted that these are functional frameworks, and can be applied by local governments as well. Adhering to FICAM is a requirement for all federal agencies and organizations, per the 2011 Office of Management and Budget (OMB) Memorandum 11-11. SICAM is not a mandate, but it has particular significance in that it focuses on interoperability with federal agencies and organizations, something that state and local governments need to account for given reliance on federal funding for specific programs.

[Figure 1. Components of the Federal Identity, Credential and Access Management Framework include identity management, access management, credential management, federation, and auditing and reporting. Panels: identity management (authoritative attribute sources, digital identity lifecycle management); credential management (sponsorship, enrollment, issuance, credential production); access management (resource management, privilege management, policy management; physical access and logical access); auditing and reporting. Access decisions consider identity, attributes, credentials, time, privileges, role, location and status. External parties shown: external agency; state, local or tribal government; business partner; citizen.]

[Figure 2. SICAM framework: the State Identity Credential and Access Management architecture is derived from FICAM, though not fully identical. Panels: identity management (attribute check, on-boarding, authoritative attribute sources, digital identity lifecycle management); credential management (sponsorship, enrollment, issuance, credential production); access management (resource management, privilege management, policy management; physical access and logical access); auditing and reporting. External parties shown: external agency or department; federal, state, local, international or tribal government; business partner; citizen.]

Dell Software solutions for FICAM and SICAM compliance

Meeting the specific requirements of these frameworks is no easy task. Few, if any, government agencies can afford the expense or potential disruption in services that would naturally accompany a complete IAM rebuild.

The Dell One Identity family of IAM solutions easily integrates into existing IAM implementations to provide the features and functionality necessary to become FICAM or SICAM compliant. Dell One Identity covers all components of these frameworks, and is a key part of Dell Software's end-to-end Connected Security hardware, software and services.

The following sections describe the components of the FICAM and SICAM frameworks, and note which Dell Software solutions can help in each area; for more information about those solutions, see Table 1 later in this paper. The component descriptions originate, with minor modifications, from the FICAM Implementation and Guidance Roadmap v2.0.

Identity management

Identity management is the combination of technical systems, policies and processes that create, define, govern and synchronize the ownership, utilization and safeguarding of identity information. The primary goal of identity management is to establish a trustworthy process for assigning attributes to a digital identity, and to connect that identity to an individual.[1] Identity management includes the processes for maintaining and protecting the identity data of an individual over its life cycle. Many of the processes and technologies used to manage a person's identity may also be applied to non-person entities (NPEs) to further security goals within the enterprise.

Dell Software's solutions for identity management include:
Identity Manager
Identity Manager-Active Directory Edition

Access management

Access management is the management and control of the ways in which entities are granted or denied access to resources. The purpose of access management is to ensure that the proper identity verification is made when an individual attempts to access security-sensitive buildings, computer systems or data.[2] It has two areas of operations:
Logical access is the access to an IT network, system, service or application.
Physical access is the access to a physical location such as a building, parking lot, garage or office.

Access management leverages identities, credentials and privileges to determine access to resources by authenticating credentials. After authentication, a decision on whether the user is authorized to access the resource can be made. These processes allow agencies to obtain a level of assurance in the identity of the individual attempting access to meet the following:
Authentication: ensuring that all individuals attempting access are properly validated
Confidentiality: ensuring that all access to information is authorized
Integrity: protecting information from unauthorized creation, modification or deletion
Reliability, maintainability and availability: ensuring that authorized parties are able to access needed information
Non-repudiation: ensuring the accountability of parties when gaining access and performing actions

[1] "Identity Management Task Force Report," National Science and Technology Council (NSTC) Subcommittee on Biometrics and Identity Management, 2008.
[2] FIPS Publication 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors," March 2006.

In addition, access control sets the stage for additional activities outside of the traditional access control paradigm. One corollary to access management is the ability to ensure that all individuals attempting access have a genuine need. This is tied to authentication and authorization, but also to the business rules surrounding the data itself. Privacy is provided by properly ensuring confidentiality, and by refraining from collecting more information than is necessary.

Dell Software's solutions for access management include:
Identity Manager
Quick Connect
Virtual Directory Server
Active Roles
Privileged Password Manager
Privileged Session Manager
Authentication Services
Enterprise Single Sign-on
Cloud Access Manager
Defender

Credential management

A credential is an object that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a person.[3] The credentialing process principles and elements can also be applied for NPE digital identities. However, steps may vary during the credential issuance process (sponsorship, adjudication and so on) based on an organization's security requirements. For examples of NPE credential issuance, please refer to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework, Version 3647–1.6, February 11, 2009.

Credential management supports the lifecycle of the credential itself. In the federal government, examples of credentials are smart cards, private and public cryptographic keys, and digital certificates. The policies around credential management, from identity proofing to issuance to revocation, are fairly mature compared to the other parts of ICAM. The PIV standards[4] and Federal PKI Common Policy are examples of documents that have been in place and that are foundational to agency-specific credential implementations.

Dell Software's solutions for credential management include:
Enterprise Single Sign-on
Defender

Federation

Federation is a trust relationship between discrete digital identity providers that enables a relying party to accept credentials from an external identity provider in order to make access control decisions. Federation provides path discovery and secure access to the credentials needed for authentication, and federated services typically perform security operations at run time using valid NPE credentials. In implementation, federation includes the technology, standards, policies and processes that allow an organization to trust digital identities, identity attributes and credentials created and issued by another organization.

Dell Software's solutions for federation include:
Cloud Access Manager
Quick Connect
Virtual Directory Server

[3] NIST SP 800-63, "Electronic Authentication Guideline," Version 1.0.2, NIST, April 2006.
[4] Federal Information Processing Standards Publication 201 [FIPS 201], NIST SP 800-73,16 etc.

Auditing and reporting

Across the federal government, information systems, including physical access control system (PACS) solutions, are designed and built to comply with specific accountability requirements, which mandate the capability to review and report on various access events within individual applications. Each application administrator (or a designee) is responsible for tracking and reviewing access control events within their applications, and investigating anomalous entries.

The processes for completing this task vary widely across agencies, business units and individuals. Typically, in order to provide contextual audit information in a meaningful manner, resource owners and administrators have to manually correlate transaction event data from multiple sources that may be paper- or technology-based. Auditing and reporting capabilities are highly dependent on technological constraints such as network limitations, application setup, application age and network infrastructure.

In addition, to meet the audit and reporting requirements for all IT resources, PACS solutions must be capable of providing additional reporting services for physical access events within the organization, as defined in the 2009 Interagency Security Committee (ISC) document, "Use of Physical Security Performance Measures."

Dell Software's solutions for auditing and reporting include:
Identity Manager
Change Auditor
InTrust

Descriptions of Dell Software solutions for FICAM and SICAM compliance

Active Roles
Active Roles simplifies the security and protection of Microsoft Active Directory (AD) by providing automated tools to efficiently manage users and groups, as well as Active Directory delegation. Active Roles helps you to overcome Active Directory's native limitations, enabling you to do your job faster. And thanks to Active Roles' modular architecture, you can afford to meet your business requirements today and in the future.

Authentication Services
Integrate Unix, Linux and Mac OS X into Active Directory while extending the compliance and security of AD across your enterprise using Authentication Services, part of the Privileged Access Suite for Unix.

Change Auditor
The Change Auditor solution family audits, alerts and reports on all changes and deletions made to Microsoft Active Directory, Exchange, SharePoint, VMware vCenter, EMC, NetApp, SQL Server, Windows Server and even LDAP queries against Active Directory, all in real time and without enabling native auditing. A central console eliminates the need for multiple IT audit solutions, reducing complexity.

Cloud Access Manager
Cloud Access Manager enables you to deploy and manage enterprise-class applications across your private, public and hybrid clouds. It provides a suite of tools for managing your cloud infrastructure, including the provisioning, management and automation of applications across the leading private and public cloud platforms.

Defender
Defender uses your current identity store within Active Directory to enable two-factor authentication, taking advantage of AD's inherent scalability and security, and eliminating the costs and time involved to set up and maintain proprietary databases. Defender's web-based administration, user self-registration and ZeroIMPACT migration capabilities ease the implementation of two-factor authentication for both administrators and users. In addition, Defender utilizes the full battery life of hardware tokens, typically five to seven years, and offers software tokens that never expire.

Identity Manager
Identity Manager makes it easy to manage user identities, privileges and security across the enterprise. The solution's automated provisioning of all resources simplifies the access management process, helps ensure that each user has only the appropriate access rights, and reduces the burden on IT.

Identity Manager-Active Directory Edition
Identity Manager-Active Directory Edition provides Active Directory self-service group management: your line-of-business employees can fulfill their own Active Directory group management access requests and attestation using a simple, easy-to-deploy and customizable request portal with summary dashboards and detailed reporting. The burden of managing these user access requests is transferred from IT staff to business owners. The solution also offers advanced role-based access control to help you achieve your compliance, security and governance objectives.

Enterprise Single Sign-on
Enterprise Single Sign-on enables your organization to streamline both end-user management and enterprise-wide administration of single sign-on (SSO). It bases application and system user logins on your existing Active Directory identities, so there's no infrastructure for you to manage.

InTrust
InTrust enables you to securely collect, store, report and alert on event log data from your Windows, Unix and Linux systems, ensuring compliance with external regulations, internal policies and security best practices. InTrust helps you gain insight into user activity by auditing user access to critical systems from logon to logoff. It also detects inappropriate or suspicious access-related events in real time.

Privileged Password Manager
Privileged Password Manager empowers you to control the process of granting administrators the credentials necessary to perform their duties. It automates and secures the process, ensuring that when administrators require elevated access for shared and privileged credentials, such as the Unix root password, that access is granted according to established policy. With Privileged Password Manager, you're assured that only appropriate access is granted based on required approvals, that all actions are fully audited and tracked, and that the password is changed immediately upon its return.

Privileged Session Manager
Privileged Session Manager enables you to issue privileged access while meeting auditing and compliance requirements. Privileged Session Manager is deployed on a secure, hardened appliance and allows you to grant access to administrators, remote vendors and high-risk users for a specific period or session, with full recording and replay for auditing and compliance.

Quick Connect
Quick Connect synchronizes identity data (users, groups and supporting data for roles) enterprise-wide to support a unified and intelligent approach to identity and access management. By integrating identities with Active Roles Server, Identity Manager, Password Manager, Active Directory-based tools or enterprise solutions, Quick Connect automates the provisioning process to control user access, reduce errors, save administrative time and lower costs.

Virtual Directory Server
Modify the presentation of data on the fly with Virtual Directory Server, a middleware application that abstracts back-end data from client applications. Virtual Directory Server allows you to easily integrate new applications into your existing identity infrastructure without having to alter directory information. That means your data stays put and in the same format.

Table 1. Dell Software solutions for FICAM and SICAM compliance

Conclusion

FICAM and SICAM provide logical, functionally rooted frameworks for cybersecurity at the federal, state and local levels. FICAM and SICAM guidelines for identity management, access management, credential management, and auditing and reporting are complex but comprehensive. Dell Software can play an important role in helping your organization simplify adherence to these frameworks and improve the security of your physical infrastructure, applications and data.

For more information

Federal ICAM website
FICAM v2.0 Roadmap and Implementation Guidance
State Identity Credential and Access Management (SICAM) Guidance and Roadmap
Dell Connected Security

© 2014 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ("Dell").

Dell, Dell Software, the Dell Software logo and products, as identified in this document, are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology, delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.

If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com
Refer to our Web site for regional and international office information.

TechBrief-IAM-Govt-US-KS-24070
