
Telefonica IT Security Reference Architecture
V2.0

IT Security / Global IT
Telefonica

29.09.2014
Index
01 Objectives and Core Principles
02 Security Framework
03 IT Security Architecture
04 Conclusions
01 Objectives and Core Principles
Rationale

What
o Design of a security baseline that identifies the technologies and best practices to meet the security requirements aligned with the business requirements.
o The goal is to provide confidentiality, integrity, availability, accountability and assurance to IT systems.

Why
o Able to evolve with the organization.
o Support new business initiatives and technology strategies.
o Handle the types of threats that may emerge.
o Able to accommodate many different types of information, applications, and users.

How
o Designing a single enterprise IT security framework.
o Unifying the disparate security resources commonly found in IT environments.
o Supporting the security needs of business solutions (e.g. BSS, Cloud Services).
o Standardizing enablers to meet the government regulations around protecting personal information, payment data, financial records, archives, audit data, etc.
o Establishing criteria and guidelines for tactical global selection processes (business-driven).

DISCOVER, DISRUPT, DELIVER
Common Standards
Design of Architecture support in the principal frameworks for IT Governance and Compliance.

o IT Service Management (ITSM): set of practices for IT service management that focuses on aligning IT services with the needs of business. Strong focus on IT Service Management.
o Control Objectives for Information and related Technology (CobiT): control framework for IT Management and IT Governance. Supporting toolset that allows to bridge the gap between control requirements, technical issues and business risks.
o Telefonica's Corporate Information Security Standard_v4: set of compulsory organization, security controls and criteria to be applied to reduce residual risk to an acceptable level. Strong focus on IT Security.
02 IT Security Reference Architecture
Applying IT Security Processes to IT Assets, consistent with Business Requirements

Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance.

Corporate Information Security Normative

IT SECURITY FRAMEWORK (*)
o IT secure and resilient, cost-effectively: IT SECURITY PROCESSES MAP; IT SECURITY STANDARDS LIBRARY.
o IT capabilities required by Information Security: IT SECURITY REFERENCE ARCHITECTURE, made up of:
  - IT SECURITY SYSTEMS MAP: security systems map defined by the combination of IT Assets and IT Security Processes. Technological mapping per system and OB.
  - FUNCTIONAL ARCHITECTURE: functional description of the components of the high priority security systems. Focus on some systems based on the maturity level and aligned with the strategic plan.
  - USE CASES: description of the design patterns and scenarios where the functional components of the security systems are used.

IT Assets to secure: Information, Workplace, Applications, Base SW & Middleware, Infrastructure.

(*) The IT Security Framework is completed with the IT Security Maturity Assessment.
The IT Security Systems Map is defined by the combination of IT Assets and IT Security Processes

IT Assets to be secured: Information, Workplace, Applications, Base SW & Middleware, Infrastructure.

IT Security Processes Map:
o Governance
o Identity management & Access Control
o Incident & Vulnerability Management
o Workplace Security
o Application Security
o Data Security
o Change & Configuration Management
o Network Security
o Disaster Recovery
Security Systems in the Functional IT Security Architecture

o Governance: GRC; Security Compliance & Dashboard; Security Knowledge Base.
o Identity management & Access Control: Identity Management; Authentication & Authorization; Privileged Users Security.
o Incident & Vulnerability Management: Vulnerability management; Security logs monitoring; Incident Management; Early warning.
o Workplace Security: Endpoint protection; MDM; Secure Mail Gateway; Secure Web Gateway.
o Application Security: SOA Security; SSLDC.
o Data Security: Database Protection; DLP; IRM; PKI.
o Change & Configuration Management: Program changes; Infrastructure changes.
o Network Security: FW-VPN; IPS – IDS; WAF; AntiDDOS; NAC.
o Disaster Recovery: Contingency & Recovery; Backup & Archive.
IT Security Architecture Priorities
To develop further the architecture for systems analysis and selection and for the elaboration of detailed use cases, we identify the following priorities:

Identity management
Looking for:
 Centralized account management.
 Synchronized identity information.
 User Self-Help services.
Benefits:
o Simplify account provisioning and termination.
o Reduce the management overhead of manual handling of user requests and of provisioning multiple data stores.
o Reduce errors; improve security, user experience and user productivity.
o Guarantee the Segregation of Duties.
o Control the security of legacy applications.

Authentication & Authorization
Looking for:
 Simplify authentication and authorization management.
 Centralized access policies.
Benefits:
o Consolidate authentication and access control services.
o Allow multiple types of authentication mechanism.
o Policies updated on the fly for all IT resources immediately.

Privileged Users Security
Looking for:
 Reinforced control of infrastructure administration & critical facilities.
Benefits:
o Limit ADM access to IT resources.
o Control the main DB & OS configuration vulnerabilities.
IT Security Architecture Priorities (continued)

Database Protection
Looking for:
 Improve the Database Security.
Benefits:
o Facilitate audit of sensitive data and critical transactions.

Security Logs Monitoring
Looking for:
 Centralized log management.
 Turn data into useful information.
 Real time alerting.
 Long-term storage of historical data.
Benefits:
o Aggregation of data from many sources.
o Correlation using common attributes and linking events.
o Automated analysis of events and timely reporting.
o Compliance requirements and Forensic Analysis.

SOA Security
Looking for:
 Secure access to internal and external web services.
 Common security components to protect the services.
Benefits:
o Improve the security for both external and internal client access.
o Common security policy development.
o Developing both integration and consolidation activities in a secure way.

Vulnerability Management
Looking for:
 Discover and properly analyse the system vulnerabilities.
Benefits:
o Improve the system performance and the reliability.
o Reduce many incidents, decreasing the time spent within this kind of processes.
Security Systems in the IT Security Architecture

Systems selected for the detailed functional architecture, by process domain:
o Identity management & Access Control: Identity Management; Authentication & Authorization; Privileged Users Security.
o Vulnerability & Incident Management: Vulnerability management; Security logs monitoring; Incident Management; Early warning.
o Application Security: SOA Security; SSLDC.
o Data Security: Database Protection; DLP; IRM; PKI.
o Governance, Workplace Security, Change & Configuration Management, Network Security, Disaster Recovery: no systems listed.

The identified components in the architecture will be further detailed for solution identification and detailed reference design patterns / use cases.
Sourcing strategy

Analysis
o Internal analysis based on the technological map in Telefonica and current contracts.
o External analysis based on market trends and vendor analysis.

Demand Strategy
o Demand is not aggregated globally except for Do-It-Once deployments (TGT).
o Select single solutions where:
 System operation is performed in consolidated DCs
 FS projects with homogeneous providers

Contract Strategy
o Local RFPs on a reduced number of solutions for synergies in knowledge sharing and capability reuse.
o Negotiate and buy directly from manufacturers or from certified local integrators.
o Corrective and evolutive support and maintenance is critical and shall be included into the corresponding RFPs.
Market Solutions – short list

o Identity management & Access Control:
  - Identity Mgmt: ORACLE, CA, IBM
  - Authn & Authz: ORACLE, CA, IBM
  - Privileged Users Security: CA
o Vulnerability & Incident Management:
  - Vulnerability management: HP
  - Security logs monitoring: RSA
  - Incident Management, Early warning: no vendors listed
o Application Security:
  - SOA Security: IBM, AXWAY, ORACLE
  - SSLDC: no vendors listed
o Data Security:
  - Database Protection: IMPERVA, ORACLE
  - DLP, IRM, PKI: no vendors listed
o Governance, Workplace Security, Change & Configuration Management, Network Security, Disaster Recovery: no vendors listed
03 IT Security Functional Architecture
Components in the IT Security Architecture

Identity Management & Access Control
o Identity Management:
  - Identity Administration: Provisioning; Reconciliation.
  - Directory Services: Virtualization; Synchronization.
  - Governance: Role Manager; Workflow & self service; Attestation; Audit & Risk Control.
o Authentication & Authorization Management:
  - Authentication: Federation; User Authentication; Single Sign-On.
  - Authorization: Centralized policy management; Policy Based Access Control; Unified Access Control; Fine-Grained Access Control.
o Privileged Users Security: Shared Account Manager; Fine-grained Access Control; User Activity Reporting.

Database Protection: Access Control; Data Masking; Data Encryption; Data Firewall.

SOA Security: API GATEWAY; SECURITY SERVICES.

Incident & Vulnerability Management
o Security logs monitoring: Threat; Compliance Management; SIEM.
o Vulnerability Management: Vulnerability Scanning.
3.1 IDENTITY MANAGEMENT & ACCESS CONTROL
Components in the IT Security Architecture (3.1 Identity management & Access Control)

Systems: Identity Management; Authentication & Authorization; Privileged Users Security.

o Identity Management:
  - Identity Administration: Provisioning; Reconciliation.
  - Directory Services: Virtualization; Synchronization.
  - Governance: Role Manager; Workflow & self service; Attestation; Audit & Risk Control.
o Authentication & Authorization:
  - Authentication: Federation; User Authentication; Single Sign-On.
  - Authorization: Centralized policy management; Policy Based Access Control; Unified Access Control; Fine-Grained Access Control.
o Privileged Users Security: Shared Account Manager; Fine-grained Access Control; User Activity Reporting.
Identity Management (3.1)

[Diagram: Identity Management reference design. Trusted sources (Active Directory, SAP, HHRR, and other sources not loaded in the trusted source) are read by three blocks: (A) Identity Governance with Role Manager, Role Mining, User Certification/Review, Attestation, Role Lifecycles Management, Risk Management and Reporting; (B) Identity Provisioning with User Self Service, Approval Workflow Engine, Reconciliation Engine, Connectors (R/W), IAM Engine, Request Engine, Synchronization Repository (Rules/Policy/Roles) and Audit DB; (C) Virtual Directory Service with Virtual Directory Engine, Connectors and other directory/repository sources.]

A. Identity Governance
Define and manage roles and automate critical identity-based controls, managing the role lifecycle, providing key identity governance capabilities including auditing, reporting, attestation, certification, and analytics.

B. Identity Provisioning
User provisioning and administration that automates the process of adding, updating, and deleting user accounts from applications and directories, improving regulatory compliance by providing granular reports that attest to who has access to what resources.

C. Virtual Directory Service
Central user repository for Identity Management, providing a scalable, secure, high-performance LDAP data store.
Identity Management (3.1): A. Identity Governance

[Diagram: the same Identity Management reference design, with callouts 1 to 4 on the Identity Governance block.]

1. CERTIFICATION & ATTESTATION
o Ensuring compliance with Access Control Policies, reporting Identity & Access Data to the responsible user.
o Updating target systems based on the results of the certification process.

2. ROLE MINING
o Creation, administration and versioning of roles.
o Role information is synchronized with the Role Lifecycles Management, which defines the rules and conditions to determine whether a user may or may not belong to a certain role.

3. RISK MANAGEMENT
o Compliance & Risk report of gaps, security exceptions and anomalous activity.

4. REPORTING
o Detects violations of the defined roles and conditions.

AUDIT DB
o Provides a historical record of the operations that occur in the Identity Management platform.
Identity Management (3.1): B. Identity Provisioning

[Diagram: the same Identity Management reference design, with callouts 5 to 9 on the Identity Provisioning block.]

5. PROVISIONING
o HHRR: Authority Resource (the authoritative source of identities).
o Self Service Interface: making requests and handling some tasks (password reset, personal information changes, …).

6. APPROVAL & PROVISIONING (Workflow)
o Interacting with the users configured to grant approval for each type of user request.

7. CONNECTORS
o Adapters deployed for each endpoint (Directories, Databases, OSs, Systems, Applications).

8. IAM ENGINE
o Configuration of access control policies using the users and roles information.
o Password Management.
o Self Service Options for Users.
o Customization and Extensibility.

9. RECONCILIATION
o Detecting local changes and attempting to eliminate them.
o Alerting security administrators when such changes are detected.
o Reporting inconsistencies in the systems.
o Detecting changes in the authorized source and releasing them to applications.
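The reconciliation behaviour described in callout 9 (detect local changes, alert administrators, report inconsistencies, push authoritative changes out) can be made concrete with a small engine. The following is an added example written for this page, not code from the Telefonica deck or from any IAM vendor; the accounts and roles are constructed inline, and the policy of what is corrected automatically versus only alerted is an assumption for illustration.

```python
"""Reconciliation between an authoritative source (HHRR) and a target system.

Added example, not part of the Telefonica deck or any vendor product. Data is
constructed inline; the choice of which deltas are corrected automatically and
which only raise alerts is an assumption for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    login: str
    roles: frozenset


@dataclass
class ReconciliationResult:
    orphan_accounts: list = field(default_factory=list)   # on target, not in authority
    missing_accounts: list = field(default_factory=list)  # in authority, not on target
    drifted_roles: dict = field(default_factory=dict)     # login -> (extra, lacking)
    alerts: list = field(default_factory=list)
    actions: list = field(default_factory=list)           # (verb, login, roles)


def reconcile(authority: dict, target: dict) -> ReconciliationResult:
    """Compare the authoritative view with what the target system actually holds.

    authority / target: login -> Account. Rogue local accounts on the target are
    never silently deleted, only alerted (they may be legitimate break-glass or
    service accounts created out of band); role drift on known users is corrected
    back to the authoritative state, and missing accounts are queued for creation.
    """
    res = ReconciliationResult()
    for login, acct in target.items():
        if login not in authority:
            res.orphan_accounts.append(login)
            res.alerts.append(
                f"ALERT orphan account on target: {login} roles={sorted(acct.roles)}")
            continue
        extra = acct.roles - authority[login].roles
        lacking = authority[login].roles - acct.roles
        if extra or lacking:
            res.drifted_roles[login] = (sorted(extra), sorted(lacking))
            if extra:  # a local change granted roles the authority never approved
                res.alerts.append(
                    f"ALERT local change on {login}: unauthorised roles {sorted(extra)}")
                res.actions.append(("revoke", login, sorted(extra)))
            if lacking:  # authority changed, target not yet updated: release the change
                res.actions.append(("grant", login, sorted(lacking)))
    for login in authority:
        if login not in target:
            res.missing_accounts.append(login)
            res.actions.append(("create", login, sorted(authority[login].roles)))
    return res


# Constructed sample data: what HHRR says versus what the billing application holds.
AUTHORITY = {
    "alice": Account("alice", frozenset({"billing_ro"})),
    "bob": Account("bob", frozenset({"billing_ro", "billing_rw"})),
    "carol": Account("carol", frozenset({"helpdesk"})),
}
TARGET = {
    "alice": Account("alice", frozenset({"billing_ro", "billing_admin"})),  # extra role
    "bob": Account("bob", frozenset({"billing_ro"})),                      # lacking role
    "svc_tmp": Account("svc_tmp", frozenset({"billing_admin"})),           # orphan account
}

if __name__ == "__main__":
    result = reconcile(AUTHORITY, TARGET)
    for line in result.alerts:
        print(line)
    for action in result.actions:
        print("ACTION", action)
```

Running it prints two alerts (the orphan `svc_tmp` and Alice's unauthorised `billing_admin`) and three actions (revoke for Alice, grant for Bob, create for Carol); the orphan is reported but left for an administrator, which is the deck's "alerting security administrators" step.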
Identity Management (3.1): C. Virtual Directory Service

[Diagram: the same Identity Management reference design, with callout 10 on the Virtual Directory Service block.]

10. VIRTUAL DIRECTORY
o Directories strategically placed for geographic local distribution.
o Redundant Directories for fault-tolerance and scalability.
o Identity information located in more than one identity store (employees maintained in LDAP while contractors and partners are maintained in other databases).

Looking for:
o Use a virtualization service to logically combine these stores into a single virtual view.
o Use a service to synchronize identity sources, necessary when similar data are stored in more than one directory or database, ensuring that data are kept consistent when changes are made.

CONNECTOR (R/W)
o Federation across heterogeneous data sources.
o Allowing changes to be performed over the data sources.
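The two needs listed under "Looking for" (a single virtual view over several stores, and a synchronization check that keeps data consistent) are shown below in an added example written for this page; it is not the deck's nor any directory product's code. The backend stores are in-memory dicts with different native schemas, the attribute mapping to the virtual schema and the store priority order are assumptions, and the conflict check stands in for what a synchronization service would have to detect.

```python
"""Virtual directory view over several identity stores.

Added example, not the deck's or any vendor's code. It shows (a) one logical
view built by routing lookups to whichever store holds an identity and
normalising attribute names, and (b) a consistency check that reports attribute
conflicts when the same identity exists in more than one store. Stores are
constructed in-memory dicts; the attribute mapping is an assumption.
"""

# Constructed backend stores: employees in an LDAP directory, contractors in a DB.
LDAP_EMPLOYEES = {  # keyed by uid
    "u100": {"uid": "u100", "mail": "ana@example.test", "employeeType": "employee", "ou": "billing"},
    "u101": {"uid": "u101", "mail": "luis@example.test", "employeeType": "employee", "ou": "network"},
}
DB_CONTRACTORS = {  # keyed by contractor_id
    "c200": {"contractor_id": "c200", "email": "ext.pat@partner.test", "company": "PartnerCo", "dept": "billing"},
    # stale duplicate of an employee who used to be a contractor: a sync inconsistency
    "u101": {"contractor_id": "u101", "email": "luis.old@partner.test", "company": "OldCo", "dept": "network"},
}

# (store name, store, native attribute -> virtual attribute, identity kind), in priority order
STORES = [
    ("ldap_employees", LDAP_EMPLOYEES, {"uid": "id", "mail": "email", "ou": "department"}, "employee"),
    ("db_contractors", DB_CONTRACTORS, {"contractor_id": "id", "email": "email", "dept": "department"}, "contractor"),
]


def _normalise(entry, mapping, kind, store_name):
    """Translate a native entry into the virtual schema, tagging its origin."""
    view = {mapping[k]: v for k, v in entry.items() if k in mapping}
    view["kind"] = kind
    view["source"] = store_name
    return view


def lookup(identity_id):
    """Return the first matching entry across stores, in configured priority order."""
    for name, store, mapping, kind in STORES:
        if identity_id in store:
            return _normalise(store[identity_id], mapping, kind, name)
    return None


def search_department(department):
    """One virtual query that fans out to every backend store."""
    hits = []
    for name, store, mapping, kind in STORES:
        for entry in store.values():
            view = _normalise(entry, mapping, kind, name)
            if view.get("department") == department:
                hits.append(view)
    return hits


def find_conflicts():
    """Identities present in more than one store whose shared attributes disagree."""
    seen, conflicts = {}, {}
    for name, store, mapping, kind in STORES:
        for ident, entry in store.items():
            view = _normalise(entry, mapping, kind, name)
            if ident not in seen:
                seen[ident] = view
                continue
            first = seen[ident]
            diffs = {k: (first.get(k), view.get(k))
                     for k in ("email", "department") if first.get(k) != view.get(k)}
            if diffs:
                conflicts[ident] = {"stores": (first["source"], name), "diffs": diffs}
    return conflicts
```

`lookup("u101")` resolves to the LDAP entry because of the priority order, while `find_conflicts()` flags that the same identity carries a different e-mail address in the contractor database, which is exactly the inconsistency a synchronization service has to surface before it can be resolved.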
Identity Management – Mapping to Oracle Technology (3.1)

[Diagram: the Identity Management reference design mapped to Oracle products: (A) Oracle Identity Analytics (OIA) for Identity Governance, with a Certification Engine; (B) Oracle Identity Manager (OIM) for Identity Provisioning, with the Identity Connector Framework (ICF), Request Engine, Access Policies, SOA Suite workflow, ADF user interface and Oracle BI Publisher reporting; (C) Oracle Directory Services (ODS) for the Virtual Directory Service, with Oracle Unified Directory (OUD), Oracle Virtual Directory (OVD) and the Directory Integration Platform (DIP).]

A. ORACLE IDENTITY ANALYTICS (OIA)
Oracle Identity Analytics provides enterprises with the ability to define and manage roles and automate critical identity-based controls.

B. ORACLE IDENTITY MANAGER (OIM)
Oracle Identity Manager is a powerful and flexible enterprise identity management system that automatically manages users' access privileges within enterprise IT resources.

C. ORACLE DIRECTORY SERVICES
Oracle Directory is an LDAP service that provides a single, abstracted view of enterprise directory servers and databases from a variety of vendors. Oracle Directory can serve as a single source of truth in an environment with multiple data sources.
Identity Management – Mapping to Oracle Technology (3.1): A. ORACLE IDENTITY ANALYTICS (OIA)

[Diagram: the same Oracle mapping, with callouts 1 and 2 on the OIA block.]

1. OIA performs the following functions:
o Ensuring user compliance with access control policies by reporting identity access logs.
o Reporting inconsistencies and non-compliant changes in systems.
o Management of role assignments.
o Assignment or modification of user roles by synchronization with the Access Provisioning, which defines rules and conditions for access.
o Establishment of mechanisms for risk reporting and security compliance, for identifying gaps, security exceptions and anomalous activity.

2. CERTIFICATION ENGINE
o Attestation enables users designated as reviewers to be notified of reports they must review. These reports describe provisioned resources of other users. A reviewer can attest to the accuracy of the entitlements by providing a response. The attestation action, along with the response the reviewer provides, any associated comments, and an audit view of the data that the reviewer views and attests to, is tracked and audited to provide a complete trail of accountability.
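The certification engine described above, and the "Certification & Attestation" callout earlier in this section (reviewers attest to entitlements, the response and the data viewed are audited, and target systems are updated from the results), map onto a small campaign object. This is an added example for this page, not Oracle's or the deck's code; the campaign data is constructed, and the audit record fields (a hash of the data the reviewer saw, the decisions, the comment and a timestamp) are an assumed minimal design.

```python
"""Entitlement certification with an audit trail.

Added example, not Oracle's or the deck's code. A campaign asks a designated
reviewer to keep or revoke each entitlement of the users they are responsible
for; every response is appended to an audit log together with a digest of the
data the reviewer saw, and rejected entitlements become revocation tasks (the
"update target systems from certification results" step). All data is constructed.
"""
from datetime import datetime, timezone
import hashlib
import json


class CertificationCampaign:
    def __init__(self, name, reviewer, entitlements):
        self.name = name
        self.reviewer = reviewer
        self.pending = {user: set(res) for user, res in entitlements.items()}
        self.audit_log = []     # append-only record of every attestation
        self.revocations = []   # (user, resource) pairs to push to target systems

    def _snapshot(self, user):
        """Digest of exactly what the reviewer is shown, so the audit view is reproducible."""
        view = {"user": user, "resources": sorted(self.pending[user])}
        return hashlib.sha256(json.dumps(view, sort_keys=True).encode()).hexdigest()

    def attest(self, user, decisions, comment=""):
        """Record the reviewer's decision ('keep' or 'revoke') for every resource of a user.

        A partial or out-of-scope response is rejected rather than silently accepted,
        so an entitlement can never be certified by omission.
        """
        if user not in self.pending:
            raise KeyError(f"{user} is not under review in campaign {self.name}")
        bad = {r: d for r, d in decisions.items() if d not in ("keep", "revoke")}
        if bad:
            raise ValueError(f"invalid decisions: {bad}")
        unknown = set(decisions) - self.pending[user]
        if unknown:
            raise ValueError(f"decision on resources not under review: {sorted(unknown)}")
        undecided = self.pending[user] - set(decisions)
        if undecided:
            raise ValueError(f"missing decision for: {sorted(undecided)}")
        entry = {
            "campaign": self.name,
            "reviewer": self.reviewer,
            "user": user,
            "viewed_data_sha256": self._snapshot(user),
            "decisions": dict(decisions),
            "comment": comment,
            "ts": datetime.now(timezone.utc).isoformat(),
        }
        self.audit_log.append(entry)
        for resource, decision in sorted(decisions.items()):
            if decision == "revoke":
                self.revocations.append((user, resource))
        del self.pending[user]
        return entry

    def outstanding(self):
        """Users whose entitlements have not been attested yet."""
        return sorted(self.pending)


# Constructed campaign: one reviewer certifying two users.
def demo():
    campaign = CertificationCampaign(
        "Q3-billing", "mgr1",
        {"alice": {"billing_app", "billing_db_admin"}, "bob": {"vpn"}})
    campaign.attest("alice", {"billing_app": "keep", "billing_db_admin": "revoke"},
                    "no longer a DBA")
    return campaign


if __name__ == "__main__":
    c = demo()
    print("revocations to apply:", c.revocations)
    print("still outstanding:", c.outstanding())
```

The digest in `viewed_data_sha256` is what lets an auditor later prove which entitlement list the reviewer actually attested to; the revocation list is the input for the provisioning connectors.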
Identity Management – Mapping to Oracle Technology (3.1): B. ORACLE IDENTITY MANAGER (OIM)

[Diagram: the same Oracle mapping, with callouts 3 and 4 on the OIM block.]

3. IDENTITY CONNECTOR FRAMEWORK (ICF)
o Connectors allow OIM to carry out user provisioning or reconciliation operations on target systems.

4. SERVICE ORIENTED ARCHITECTURE SUITE / BUSINESS PROCESS EXECUTION LANGUAGE (SOA SUITE BPEL)
o Oracle SOA transforms complex application integration into agile and re-usable service-based connectivity to speed time to market, respond faster to business requirements, and lower costs.

ORACLE APPLICATION DEVELOPMENT FRAMEWORK (ADF)
o Oracle ADF is an end-to-end Java EE framework that simplifies application development by providing out-of-the-box infrastructure services and a visual and declarative development experience.
Identity Management – Mapping to Oracle Technology (3.1): B. ORACLE IDENTITY MANAGER (OIM) (continued)

[Diagram: the same Oracle mapping, with callouts 5 to 7 on the OIM block.]

5. REQUEST ENGINE
o The request engine splits the request into individual target user and requested operation or entity combinations, and invokes the operational approval for each combination.

6. ORACLE BI PUBLISHER
o Oracle BI Publisher is Oracle's enterprise reporting solution and provides a single reporting environment to author, manage, and deliver all of your reports and business documents.

7. ACCESS POLICIES
o Access policies are a list of user groups and the resources with which users in the group are to be provisioned or deprovisioned.
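Callout 7 defines an access policy as a list of user groups and the resources their members are provisioned with or deprovisioned from. The added example below, written for this page and not Oracle's or the deck's code, evaluates such policies when a user's group membership changes, and goes one step beyond the definition by handling the case a practitioner cares about most: a resource granted through two groups must not be revoked while one of them still applies. The policies and users are constructed, and the "retain while still entitled" rule is an assumption.

```python
"""Access-policy evaluation: group membership -> resources to provision/deprovision.

Added example, not Oracle's or the deck's code. Models an access policy as
"group -> resources its members get" and computes the provisioning delta when a
user's groups change. Policies are constructed; the rule that a resource still
granted by another group is retained is an assumption.
"""

# Constructed policies: group -> resources provisioned to its members.
ACCESS_POLICIES = {
    "billing_staff": {"billing_app", "mail"},
    "billing_admins": {"billing_app", "billing_db_admin", "mail"},
    "network_ops": {"nms_console", "mail", "vpn"},
}


def entitled_resources(groups, policies=ACCESS_POLICIES):
    """Union of the resources granted by every group the user belongs to."""
    resources = set()
    for group in groups:
        resources |= policies.get(group, set())
    return resources


def provisioning_delta(old_groups, new_groups, policies=ACCESS_POLICIES):
    """Resources to provision and deprovision when membership moves from old to new.

    A resource is deprovisioned only when no remaining group still grants it,
    which avoids revoking access the user is still entitled to through another group.
    """
    before = entitled_resources(old_groups, policies)
    after = entitled_resources(new_groups, policies)
    return {"provision": sorted(after - before), "deprovision": sorted(before - after)}


def offboard(groups, policies=ACCESS_POLICIES):
    """Leaving every group deprovisions everything the user held."""
    return provisioning_delta(groups, set(), policies)


if __name__ == "__main__":
    # demotion from billing admin to billing staff: only the admin resource goes
    print(provisioning_delta({"billing_admins"}, {"billing_staff"}))
    # leaving billing while staying in network ops: mail is retained
    print(provisioning_delta({"billing_staff", "network_ops"}, {"network_ops"}))
    print(offboard({"billing_admins", "network_ops"}))
```

The second call in the demo is the interesting one: `mail` is granted by both `billing_staff` and `network_ops`, so leaving billing removes only `billing_app`; a naive per-group revocation would have cut the user's mail access.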
Identity Management – Mapping to Oracle Technology (3.1): C. ORACLE DIRECTORY

[Diagram: the same Oracle mapping, with callout 8 on the Oracle Directory Services block.]

8. ORACLE DIRECTORY SERVICES (ODS) includes:
o Oracle Unified Directory (OUD) is a comprehensive next generation directory service entirely developed in Java. It is fully LDAP v3 compliant, easy to deploy and manage, and has monitoring capabilities that address large deployments with high performance.
o Oracle Virtual Directory (OVD) provides identity aggregation and transformation. It unifies identity data across heterogeneous data sources without consolidating, and re-uses identity data without copying.
o ORACLE DIRECTORY INTEGRATION PLATFORM (DIP): the Oracle Directory Integration Platform enables you to synchronize Oracle Internet Directory data with other data sources. You save time and resources by using Oracle Internet Directory as the central repository for different LDAP-enabled applications and connected directories. Synchronization can be one-way or two-way.
Identity Management – Mapping to CA Technology (3.1)

[Diagram: the Identity Management reference design mapped to CA products: (A) CA GovernanceMinder for Identity Governance, with the GovernanceMinder WorkStation and the GovernanceMinder Portal; (B) CA IdentityMinder for Identity Provisioning, with the Provisioning Directory, CA IdentityMinder Provisioning Server, Connector Server, Provisioning Store, Policy Xpress, WorkPoint Workflow, the Identity Manager application (IDM APP) and the IAM Report Server; a CA Audit DB holds the audit records.]

A. CA GOVERNANCE MINDER
CA Governance Minder is designed to automate identity and access governance processes and provides continuous identity controls. This starts with leveraging a business-friendly role foundation to present information to users in the context that makes sense to them. It also checks security policies and highlights potential access or entitlement violations to business managers during processes such as entitlements certification.

B. CA IDENTITYMINDER
Delivers a unified solution for user provisioning and user management that manages users' identities throughout their entire lifecycle, providing them with timely, appropriate access to applications and data.
Identity Management – Mapping to CA Technology (3.1): A. CA GOVERNANCEMINDER

[Diagram: the same CA mapping, with callout 1 on the CA GovernanceMinder block.]

1. CA GOVERNANCEMINDER PORTAL
o Provides a web-based, business-oriented user interface, as well as back-end services including the analytics engine, workflow service and reporting engine.

CA GOVERNANCEMINDER WORKSTATION
o Designed for role analysts and technical auditors, these tools provide a complete environment for development and maintenance of the role and compliance model.
Identity Management – Mapping to CA Technology

B CA IDENTITYMINDER

2 PROVISIONING SERVER:
o Provides IT logic services including translation between business and IT terminology and mapping users with their target system credentials. It also provides synchronization and reconciliation services to push necessary changes to endpoint systems and identify changes made outside of CA Identity Manager.

3 POLICY XPRESS:
o Creates complex business logic or policies without the need to develop custom code.

4 IDENTITY MANAGER APPLICATION (IDM APP):
o This standards-based J2EE application serves as the user interface and business logic layer. It includes the web user interface, delegated administration framework and workflow, policy evaluation, audit and reporting services.

[Diagram: the same CA mapping diagram, with the Provisioning Server (2), Policy Xpress (3) and IDM APP (4) components highlighted.]
Identity Management – Mapping to CA Technology

B CA IDENTITYMINDER

5 CONNECTOR SERVER:
o A connector acts as a gateway to a native endpoint type system technology.

6 PROVISIONING MANAGER:
o The CA IdentityMinder Provisioning Manager manages the Provisioning Server through a graphical interface. This is used for administrative tasks such as managing Provisioning Server options. In some cases, you may also use the Provisioning Manager to manage certain endpoint attributes, which you cannot manage in the CA IdentityMinder User Console.

7 WORKPOINT WORKFLOW:
o These components enable you to place a CA IdentityMinder task under workflow control, and to modify existing workflow process definitions or create new definitions.

[Diagram: the same CA mapping diagram, with the Connector Server (5), Provisioning Manager (6) and WorkPoint Workflow Engine (7) components highlighted.]
Identity Management – Mapping to CA Technology

B CA IDENTITYMINDER

8 USER STORE/PROVISIONING DIRECTORY:
o CA IdentityMinder uses data sources to connect to databases that store information required to support CA IdentityMinder functionality. These databases can reside in a single physical instance of a database, or in separate instances.
o It is an instance of CA Directory and includes global users, which associate users in the Provisioning Directory with accounts on endpoints such as Microsoft Exchange, Active Directory, and SAP.

9 CA AUDIT DB:
o Provides a historical record of operations that occur in a CA IdentityMinder environment.

10 IAM REPORT SERVER:
o CA IdentityMinder provides reports that you can use to monitor the status of a CA IdentityMinder environment. To use the reports provided with CA IdentityMinder, you install the IAM Report Server, which is included with CA IdentityMinder.

[Diagram: the same CA mapping diagram, with the User Store/Provisioning Directory (8), CA Audit DB (9) and IAM Report Server (10) components highlighted.]
Identity Management – Mapping to IBM Technology

A IDENTITY GOVERNANCE
Identity Management products enable managers to govern and manage users' roles and privileges across the extended enterprise, including in the cloud. These threat-aware solutions deliver intelligent identity and access assurance, controlling and auditing user activity and strengthening access controls. They help organizations achieve more effective governance, prevent insider threats and identity fraud, and achieve regulatory compliance.

B IBM SECURITY IDENTITY AND ACCESS ASSURANCE
This solution helps provide efficient and compliant access for the right people to the right assets at the right time. This preconfigured set of five IBM software products helps administer, protect and monitor user access to online applications and data.

C DIRECTORY SERVICES
Directory Services products provide a foundation for enterprise security and identity visibility that combines performance, global scalability and "government class" security. With deep integration to legacy directory services, they enable organizations to keep what is already in place.

[Diagram: the Identity Management reference architecture with IBM products mapped onto it. A Identity Management = Identity Governance. B Identity Provisioning = IBM Security Identity Manager (ISIM), with IBM Security Directory Integrator providing the connectors and Cognos providing reporting. C Directory Service = IBM Security Virtual Directory. Functional blocks as in the CA diagram: User Reconciliation, Role Mining, User Certification/Review, Attestation, Event Manager, User and Accounts Provisioning Repository, Workflow Engine, Role Lifecycle Management, Business Role Synchronization, Approval Engine, User Request, Repository (Rules/Policy/Roles), Risk Management, Audit DB, Self Service.]
Identity Management – Mapping to IBM Technology

A IDENTITY GOVERNANCE

1 IBM SECURITY IDENTITY MANAGER:
o IBM Security Identity Manager enables organizations to drive effective identity management and governance across the enterprise. This solution helps strengthen regulatory compliance and security by reducing the risk of identity fraud. It automates the creation, modification, recertification and termination of user privileges and supports policy-based password management throughout the user lifecycle.

2 IBM COGNOS ACTIVE REPORT:
o IBM Cognos Active Report provides an interactive analytics experience in a self-contained Cognos Business Intelligence application for browsing and exploring data offline.

[Diagram: the same IBM mapping diagram, with IBM Security Identity Manager (1) and Cognos Reporting (2) highlighted.]
Identity Management – Mapping to IBM Technology

C DIRECTORY SERVICE

3 IBM SECURITY DIRECTORY SERVER:
o It provides a platform for your enterprise security initiatives. This enterprise identity management software uses the Lightweight Directory Access Protocol (LDAP). IBM Security Directory Server provides a trusted identity data infrastructure for authentication.

4 IBM SECURITY DIRECTORY INTEGRATOR:
o It helps you build an authoritative data infrastructure by integrating data from directories, databases, collaborative systems, applications and other data sources.

[Diagram: the same IBM mapping diagram, with IBM Security Directory Server (3) and IBM Security Directory Integrator (4) highlighted.]
Identity Management – Use case
Synchronization with HR authoritative source

Objective

Automate account creation and deletion based on information provided by HR

Description

• Changes in the HR repository, which acts as trusted source, are propagated to the Identity Management system through a connector.

• The changes are committed to the internal Identity Management repository and, depending on the internal rules, provisioning events are triggered.

• Through specific connectors, accounts are created, modified, disabled or deleted in the end repositories.

• User attributes such as organization unit and position are used to create policy rules and to automate the creation of the accounts in the systems.

[Diagram: Trusted Source (HR) → Connector → Identity Provisioning (Users Repository, Workflow Engine) → Provisioning Connectors → App1 Repository ... App N Repository.]
Identity Management – Use case
External users lifecycle

Objective

Manage the external user accounts lifecycle

Description

• External user information is not usually stored in HR systems.

• If there is a repository with external user information, a synchronization process similar to the employee scenario can be deployed.

• In most cases, a workflow is deployed in the Identity Management system. A person in the organization, responsible for the external user, must register the user, and default accounts are generated in the target systems.

• User managers must periodically review the list of their external users and disable the accounts that no longer need to access the organization's systems.

[Diagram: External user repository → Connector → Identity Provisioning (Users Repository, Workflow Engine) → Provisioning Connectors → App1 Repository ... App N Repository.]
Identity Management – Use case
Reconciliation

Objective

Describe the process of reconciliation of users and permissions

Description

• Reconciliation is the process of comparing and synchronizing account information between the target repository and the identity management system.

• Changes that did not originate in the identity management system are detected on the target repository. This typically happens when an administrator makes a change on the target system directly.

• Depending on the connector technology, changes are detected in real time or at scheduled times.

• In the identity management system, events are triggered when these changes are detected. These events can be used only to update the account information stored in the internal identity management repository, or to create provisioning tasks in the same or other target systems.

• Synchronization with the HR authoritative source is an example of this reconciliation process.

[Diagram: Identity Provisioning (Users Repository, Reconciliation Engine, Workflow Engine) connected through a Connector to the App1 Repository and through a Provisioning Connector to the App N Repository; flow steps numbered 1 to 4.]
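The HR synchronization and reconciliation use cases above, as an added Python example that is not part of the original document or of any vendor's product: an in-memory IdM repository, HR-feed-driven joiner/mover/leaver events, and a reconciliation pass that turns out-of-band changes into either a repository update or a provisioning task. Policy rules, application names and all records are constructed for the demo.

```python
"""Added example, not Telefonica's or any vendor's code: HR-driven provisioning
and connector reconciliation against an in-memory IdM repository.  Policy
rules, application names and every record below are constructed for the demo."""

# Policy rules: (organization unit, position) -> applications an active user
# must hold an account in.  Constructed sample values.
POLICY_RULES = {
    ("Finance", "analyst"): {"erp"},
    ("Finance", "manager"): {"erp", "bi"},
    ("IT", "engineer"): {"ldap", "git"},
}


def entitlements(org_unit, position, status):
    """Accounts a user should have according to the policy rules."""
    if status != "active":
        return set()
    return set(POLICY_RULES.get((org_unit, position), set()))


def sync_from_hr(hr_feed, idm_repo):
    """Propagate changes from the HR trusted source into the IdM repository.

    hr_feed:  {employee_id: {"org_unit", "position", "status"}} as delivered by
              the HR connector; status is "active" or "terminated".
    idm_repo: the internal IdM users repository, updated in place; each entry
              keeps an "accounts" set of the applications already provisioned.
    Returns the provisioning events the rules trigger, in a stable order, and
    records them in the repository as if the connectors had executed them.
    """
    events = []
    # Employees that disappeared from the feed are treated as leavers.
    for uid, user in sorted(idm_repo.items()):
        if uid not in hr_feed and user["status"] == "active":
            user["status"] = "terminated"
            events += [("disable", uid, app) for app in sorted(user["accounts"])]
            user["accounts"] = set()
    for uid, rec in sorted(hr_feed.items()):
        user = idm_repo.setdefault(uid, {"accounts": set()})      # new key: joiner
        user.update(org_unit=rec["org_unit"], position=rec["position"],
                    status=rec["status"])
        wanted = entitlements(rec["org_unit"], rec["position"], rec["status"])
        events += [("create", uid, app) for app in sorted(wanted - user["accounts"])]
        events += [("disable", uid, app) for app in sorted(user["accounts"] - wanted)]
        user["accounts"] = wanted
    return events


def reconcile(idm_repo, app, target_accounts):
    """Compare the accounts read from a target repository through its connector
    with what the IdM repository believes it provisioned, and return the
    changes that did not originate in the IdM (made directly on the target).

    target_accounts: {account_id: {"enabled": bool}} as read on the endpoint.
    """
    findings = []
    for acct_id, acct in sorted(target_accounts.items()):
        user = idm_repo.get(acct_id)
        if user is None:
            findings.append(("orphan_account", acct_id, app))     # unknown to IdM
        elif app not in user["accounts"]:
            findings.append(("unmanaged_account", acct_id, app))  # created by an admin
        elif user["status"] == "active" and not acct["enabled"]:
            findings.append(("disabled_on_target", acct_id, app))
    for uid, user in sorted(idm_repo.items()):
        if app in user["accounts"] and uid not in target_accounts:
            findings.append(("deleted_on_target", uid, app))
    return findings


def handle_findings(idm_repo, findings):
    """Turn reconciliation findings into either an update of the internal IdM
    repository (the account is adopted because policy entitles the user to it)
    or a provisioning task for the connector."""
    tasks = []
    for kind, uid, app in findings:
        user = idm_repo.get(uid)
        if kind == "unmanaged_account" and app in entitlements(
                user["org_unit"], user["position"], user["status"]):
            user["accounts"].add(app)            # repository update only
        elif kind == "deleted_on_target":
            tasks.append(("create", uid, app))   # restore what policy requires
        elif kind == "disabled_on_target":
            tasks.append(("enable", uid, app))
        else:
            tasks.append(("disable", uid, app))  # orphan or not entitled
    return tasks
```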
Identity Management – Use case
Workflows for provisioning

Objective

Describe the process of request and approval for managing users and permissions

Description

• The actors in this scenario are the requester, the organizational user manager and the target application owner. Delegation can be implemented for each of these roles in the workflow.

• Based on the attributes and roles of the requester, only a subset of operations can be selected. To guarantee the separation of duties, role constraints must be enforced.

• The user manager approves the request and several provisioning workflows are created depending on the target applications involved.

• Once the owner of the target application has approved the request, the operation is executed through the connector.

• All the approvals can be explicit or implicit. The requests can also be generated automatically when some event is triggered, such as a reconciliation event.

[Diagram: User → Self Service → Request → Identity Provisioning Workflow Engine → User Manager approval → App owner approval → Connector → App1 Repository ... App N Repository.]
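The request and approval workflow above as an added Python example (not part of the original document or of any vendor's product): a role-constrained catalogue, a separation-of-duties check, delegated manager and application-owner approvals, implicit approval for low-risk entitlements, and connector execution only after the owner step. Roles, entitlements, owners and conflict pairs are constructed for the demo.

```python
"""Added example, not Telefonica's or any vendor's code: the provisioning
request/approval workflow as a small state machine.  All roles, entitlements,
owners and separation-of-duties pairs are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Which requester roles may select which entitlement (subset of operations).
CATALOGUE = {
    "employee": {"erp_viewer", "bi_reader"},
    "finance": {"erp_viewer", "bi_reader", "erp_payments", "erp_approver"},
}
# Entitlement pairs that may never be held together (separation of duties).
SOD_CONFLICTS = {frozenset({"erp_payments", "erp_approver"})}
OWNER_OF = {"erp_viewer": "erp_owner", "erp_payments": "erp_owner",
            "erp_approver": "erp_owner", "bi_reader": "bi_owner"}
IMPLICIT_APPROVAL = {"bi_reader"}      # owner approval is implicit for these


@dataclass
class Request:
    requester: str
    beneficiary: str
    entitlement: str
    state: str = "submitted"
    approvals: List[str] = field(default_factory=list)


@dataclass
class ProvisioningWorkflow:
    roles: Dict[str, str]                # user -> role, from the IdM repository
    managers: Dict[str, str]             # user -> organizational user manager
    held: Dict[str, Set[str]]            # user -> entitlements already held
    delegates: Dict[str, str] = field(default_factory=dict)   # approver -> delegate
    connector_log: List[tuple] = field(default_factory=list)  # operations executed

    def selectable(self, requester):
        """Only the subset of operations allowed for the requester's role."""
        return set(CATALOGUE.get(self.roles.get(requester, ""), set()))

    def submit(self, requester, beneficiary, entitlement):
        if entitlement not in self.selectable(requester):
            return Request(requester, beneficiary, entitlement, "rejected:not_selectable")
        current = self.held.setdefault(beneficiary, set())
        if any(frozenset({entitlement, e}) in SOD_CONFLICTS for e in current):
            return Request(requester, beneficiary, entitlement, "rejected:sod_conflict")
        req = Request(requester, beneficiary, entitlement)
        if entitlement in IMPLICIT_APPROVAL:
            req.approvals.append("owner:implicit")
        return req

    def _can_act_as(self, actor, approver):
        return actor == approver or self.delegates.get(approver) == actor

    def approve(self, req, actor):
        """Manager approval first, then application-owner approval (unless it is
        implicit); the connector executes only once the owner step is done."""
        if req.state != "submitted":
            return req.state
        manager = self.managers[req.beneficiary]
        owner = OWNER_OF[req.entitlement]
        if not any(a.startswith("manager:") for a in req.approvals):
            if not self._can_act_as(actor, manager):
                return "pending:manager_approval"
            req.approvals.append(f"manager:{actor}")
        if not any(a.startswith("owner:") for a in req.approvals):
            if not self._can_act_as(actor, owner):
                return "pending:owner_approval"
            req.approvals.append(f"owner:{actor}")
        self.connector_log.append(("grant", req.beneficiary, req.entitlement))
        self.held[req.beneficiary].add(req.entitlement)
        req.state = "provisioned"
        return req.state
```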
Identity Management – Use case
Attestation

Objective

Describe the process of attestation

Description

• Attestation is an ongoing process where managers and designated approvers review who has access to what, to confirm that each user/role has access only to the resources necessary to perform their job function.

• With the Governance module, the reviewers have a 360º view of users' roles and permissions and can recertify them.

• A compliance dashboard is also presented, and it is possible to remediate problems with conflicting roles.

[Diagram: Reviewer → Governance (Attestation) → Identity Provisioning (Workflow Engine) → Provisioning Connectors → App1 Repository ... App N Repository.]
Identity Management – Use case
Application integration in the Identity Mgmt. Platform

Objective

Describe the different scenarios for application integration in the Identity Management Solution

Description

• The ideal scenario is when the application can use an existing corporate user repository that is already integrated in the identity management solution. The application user roles are mapped to attributes or objects in the repository, typically user groups.

• If the application has its own user repository, the identity management platform needs a connector to perform the provisioning and the reconciliation of users. If no standard connector is available, the application must expose an API to provide the required functions to manage the users. A web service is the preferred solution.

• A mix of the previous scenarios is frequent: the application delegates authentication and coarse-grained authorization to the external repository but needs additional information about the user in its internal repository.

[Diagram: three integration patterns. Preferred scenario: Identity Provisioning → Standard Connector → External corporate Repository, used by the Application. Custom connector: Identity Provisioning → Custom Connector → Application API → App User Repository. Standard connector: Identity Provisioning (Workflow Engine) → Standard Connector → App User Repository.]
Identity Management – Use case
Application integration in the Identity Mgmt. Platform (II)

Objective

Describe the different scenarios for application integration in the Identity Management Solution

Description

• Sometimes it is not possible to develop a custom connector, or the development cost is high. In this case only the workflow is integrated in the IdM.

• Administrators manage the users in the application repository, but the request and the approvals are made through the IdM.

• When the request has been approved, a task is generated for the administrator. After the task is completed, the administrator marks it as finished in the IdM.

• As there is no connector, a periodic manual reconciliation is needed to check whether users have been modified directly in the application repository.

[Diagram: User → Self Service → Request → Identity Provisioning Workflow Engine → User Manager approval → App owner approval → Connector → App1 Repository, or Task generation → App Admin → App N Repository.]
Authentication & Authorization – Reference Architecture

A LOCAL SECURITY DOMAIN
Authentication is the module through which a user provides sufficient credentials to gain initial access to an application system or a particular resource.

B AUTHORIZATION
Authorization is the module that determines whether a user is permitted to access a particular resource.

C EXTERNAL SECURITY DOMAIN
Identity federation across security domains: a request made by the user to a web resource in another security domain which does not have the ability to authenticate users of the local domain. Instead, it trusts an identity provider to vouch for user authenticity and pass along an assertion of identity.

[Diagram: End User → Web Server. A Local Security Domain: Directory Services; Identity Access Management; Authentication Service (LDAP, Smart Card, Others) with SSO Token Generation & Validation and Authentication Policies/Rules; Federation Identity Provider. B Authorization: App Server with Security Platform (PEP, PDP); Audit & Risk Control (SEC ADMIN, ROLES, IT AUDIT); Centralized PDP with Attribute Store, PRP, PIP and PAP over Fine-Grained and Coarse-Grained Policies & Rules managed by SEC ADMIN. C External Security Domain: External Domain Authentication, Remote Application, Federation Service Provider, Remote Security Services.]
Authentication & Authorization – Reference Architecture

A LOCAL SECURITY DOMAIN

1
o The user attempts to access an internal protected resource.

2
o The Web Agent checks for the presence of a security token.

3
o The service provider validates the assertion and uses its own local security services to create a session token to be used for further (direct) interaction with the user.
o Token not found: the Agent redirects the user to the authentication service, where the user is prompted to authenticate.

4
o Authentication successful: an SSO token is created and returned.

[Diagram: the same reference architecture, with steps 1 to 4 marked on the End User, the Web Server and the Authentication Service.]
Authentication & Authorization – Reference Architecture

A LOCAL SECURITY DOMAIN

5
o If the user's password needs to be reset or changed, the authentication server redirects the user to a self-service management interface.

6
o Monitor authentication requests to detect unusual behavior: the service logs such data and uses rules to detect unusual occurrences that might indicate fraud, such as users logging in from different locations in a short period of time using the same identity, or the use of many different computers for the same user.

[Diagram: the same reference architecture, with step 5 marked on the Authentication Service and step 6 on Audit & Risk Control.]
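Steps 1 to 6 above as an added, self-contained Python example that is not part of the original document or of any vendor's product: an HMAC-signed SSO token, the web-agent check and redirect, an authentication service with the password self-service redirect, and the two step-6 detection rules run over constructed log records. The token format, the shared key, the directory entries and the URLs are assumptions made for the demo.

```python
"""Added example, not Telefonica's or any vendor's code: the web-agent / SSO
token flow of steps 1-5 and the step-6 detection rules.  The token format,
the shared key, the directory entries and the log records are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
from collections import defaultdict

SSO_KEY = b"constructed-demo-key"   # assumed shared by the authentication service and agents


def generate_sso_token(user, now, ttl=3600, key=SSO_KEY):
    """Step 4: issue an HMAC-signed token carrying the subject and an expiry."""
    payload = json.dumps({"sub": user, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, sig))


def validate_sso_token(token, now, key=SSO_KEY):
    """Return the subject if the token is well formed, authentic and unexpired."""
    try:
        payload, sig = (base64.urlsafe_b64decode(p) for p in token.split(".", 1))
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None                     # forged or altered: signature mismatch
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] > now else None


def web_agent(request, now):
    """Steps 1-3: the agent in front of the protected resource checks the token
    presented with the request; missing or invalid tokens are redirected to the
    authentication service, valid ones are let through with the subject."""
    user = validate_sso_token(request.get("sso_token", ""), now)
    if user is None:
        return {"action": "redirect", "location": "/authn?target=" + request["path"]}
    return {"action": "allow", "user": user}


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def directory_entry(password, must_change=False, salt=b"constructed-salt"):
    """Constructed directory entry holding a salted password hash."""
    return {"salt": salt, "hash": _pw_hash(password, salt), "must_change": must_change}


def authentication_service(user, password, directory, now):
    """Steps 4-5: verify credentials against the directory; users whose password
    must be reset are sent to self-service, the rest receive an SSO token."""
    entry = directory.get(user)
    if entry is None or not hmac.compare_digest(entry["hash"],
                                                _pw_hash(password, entry["salt"])):
        return {"action": "deny"}
    if entry["must_change"]:
        return {"action": "redirect", "location": "/self-service/password"}
    return {"action": "token", "sso_token": generate_sso_token(user, now)}


def detect_unusual_logins(events, window=900, max_hosts=3):
    """Step 6 rules over authentication log records (ts, user, location, host):
    the same identity from two locations within `window` seconds, or one
    identity used from more than `max_hosts` distinct computers."""
    by_user = defaultdict(list)
    for ts, user, location, host in sorted(events):
        by_user[user].append((ts, location, host))
    alerts = []
    for user, rows in sorted(by_user.items()):
        for i, (ts, loc, _) in enumerate(rows):
            elsewhere = [r for r in rows[i + 1:] if r[0] - ts <= window and r[1] != loc]
            if elsewhere:
                alerts.append(("multi_location", user, loc, elsewhere[0][1]))
                break
        hosts = {host for _, _, host in rows}
        if len(hosts) > max_hosts:
            alerts.append(("many_hosts", user, len(hosts)))
    return alerts
```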
Authentication & Authorization – Reference Architecture

B AUTHORIZATION

The XACML standard defines a declarative access control policy language implemented in XML and a processing model describing how to evaluate access requests according to the rules defined in policies.

o PAP - Policy Administration Point
o PDP - Policy Decision Point
o PEP - Policy Enforcement Point
o PIP - Policy Information Point
o PRP - Policy Retrieval Point

[Diagram: the same reference architecture, with the authorization components highlighted: PEP and PDP on the Security Platform, Centralized PDP, Attribute Store, PRP, PIP, PAP, Fine-Grained and Coarse-Grained Policies & Rules.]
Authentication & Authorization – Reference Architecture

B AUTHORIZATION

7
APP SERVER or LEGACY APP:
o Access to protected resources is granted when both authentication and authorization are successful. The App Server can also validate the token based on a digital signature.

PEP:
o Intercepts the user's access request to a resource and makes a decision request to the PDP to obtain the access decision.

PDP:
o The security platforms may or may not provide the ability to make policy-based decisions: they either use an embedded PDP, or leverage a shared or centralized PDP.

8
CENTRALIZED PDP:
o PDPs get policy information from the policy retrieval point (PRP). Policies are retrieved from policy stores.

[Diagram: the same reference architecture, with step 7 marked on the App Server Security Platform (PEP, PDP) and step 8 on the Centralized PDP.]
Authentication & Authorization – Reference Architecture

B AUTHORIZATION

9
PIP:
o PDPs may require additional information, such as user attributes, in order to make access decisions. The policy information point (PIP) provides this sort of information.

10
PRP:
o The authorization service also offers a provider interface that supports multiple authorization schemes (e.g. coarse-grained and fine-grained access control).

11
PAP:
o Auditing is provided in order to track events such as access requests, access decisions, and policy changes. Components such as PDPs and PAPs must log activity that can be reviewed by an auditor or security administrator.

[Diagram: the same reference architecture, with step 9 marked on the PIP, step 10 on the PRP and the Fine-Grained / Coarse-Grained Policies & Rules, and step 11 on the PAP and SEC ADMIN.]
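The XACML components of the three slides above (PAP, PRP, PIP, PDP and PEP, with the audit trail they require) as an added Python example that is not the document's or any vendor's code: each point is a small class, the PDP combines rules with deny-overrides, and anything other than Permit is enforced as a denial by the PEP. The attribute store, the two policies (one coarse-grained role rule, one fine-grained attribute rule) and the resource paths are constructed for the demo.

```python
"""Added example, not Telefonica's, Oracle's or any vendor's code: the XACML
roles of the reference architecture as minimal Python classes.  The attribute
store, policies and resource names are constructed for the demo."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# condition(subject attributes, resource, action) -> bool
Condition = Callable[[Dict[str, str], str, str], bool]


@dataclass
class Rule:
    effect: str              # "Permit" or "Deny"
    condition: Condition


@dataclass
class Policy:
    target: str              # resource prefix the policy applies to
    rules: List[Rule]


class AuditLog:
    """Shared log written by PEP, PDP and PAP, reviewed by IT audit / sec admin."""
    def __init__(self):
        self.events = []

    def record(self, component, event, **details):
        self.events.append({"component": component, "event": event, **details})


class PolicyRetrievalPoint:
    """PRP: the policy store from which the PDP fetches applicable policies."""
    def __init__(self):
        self.policies: List[Policy] = []

    def applicable(self, resource):
        return [p for p in self.policies if resource.startswith(p.target)]


class PolicyInformationPoint:
    """PIP: resolves subject attributes from an attribute store (e.g. a directory)."""
    def __init__(self, attribute_store):
        self.store = attribute_store

    def attributes(self, subject):
        return dict(self.store.get(subject, {}))


class PolicyAdministrationPoint:
    """PAP: the only writer of the policy store; every policy change is audited."""
    def __init__(self, prp, audit):
        self.prp, self.audit = prp, audit

    def add_policy(self, admin, policy):
        self.prp.policies.append(policy)
        self.audit.record("PAP", "policy_change", admin=admin, target=policy.target)


class PolicyDecisionPoint:
    """PDP (embedded or centralized): evaluates applicable rules, deny-overrides."""
    def __init__(self, prp, pip, audit):
        self.prp, self.pip, self.audit = prp, pip, audit

    def decide(self, subject, resource, action):
        attrs = self.pip.attributes(subject)
        effects = {rule.effect
                   for policy in self.prp.applicable(resource)
                   for rule in policy.rules
                   if rule.condition(attrs, resource, action)}
        if "Deny" in effects:
            decision = "Deny"
        elif "Permit" in effects:
            decision = "Permit"
        else:
            decision = "NotApplicable"   # no policy or no matching rule
        self.audit.record("PDP", "access_decision", subject=subject,
                          resource=resource, action=action, decision=decision)
        return decision


class PolicyEnforcementPoint:
    """PEP: intercepts the request, asks the PDP, and grants only on Permit."""
    def __init__(self, pdp, audit):
        self.pdp, self.audit = pdp, audit

    def request(self, subject, resource, action):
        self.audit.record("PEP", "access_request", subject=subject,
                          resource=resource, action=action)
        return self.pdp.decide(subject, resource, action) == "Permit"


def build_demo():
    """Wire the points together with a constructed attribute store and one
    policy holding a coarse-grained role rule and a fine-grained attribute rule."""
    audit = AuditLog()
    prp = PolicyRetrievalPoint()
    pip = PolicyInformationPoint({
        "alice": {"role": "finance", "region": "EMEA"},
        "bob": {"role": "guest", "region": "EMEA"},
    })
    pap = PolicyAdministrationPoint(prp, audit)
    pap.add_policy("secadmin", Policy("/payroll", [
        Rule("Permit", lambda a, r, act: a.get("role") == "finance"),
        Rule("Deny", lambda a, r, act: act == "delete" and a.get("region") != "HQ"),
    ]))
    return PolicyEnforcementPoint(PolicyDecisionPoint(prp, pip, audit), audit), audit
```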
Authentication & Authorization – Reference Architecture

C EXTERNAL SECURITY DOMAIN

12
FEDERATION IDENTITY PROVIDER:
o The user request is forwarded to the local federation identity provider in order to generate a SAML assertion that is trusted by the remote service provider.

13
EXTERNAL DOMAIN:
o The identity provider uses the local identity to establish a remote identity.
o The local identity is mapped to a different identity that is known by the remote domain.
o Once authenticated, the identity provider redirects the request, along with the federated assertion, to the service provider.

[Diagram: the same reference architecture, with step 12 marked on the Federation Identity Provider and step 13 on the External Domain Authentication / Federation Service Provider.]
Authentication & Authorization – Mapping to ORACLE Tech.

A ORACLE ACCESS MANAGER
Oracle Access Manager allows your users to seamlessly gain access to web applications and other IT resources across your enterprise. It provides a centralized and automated single sign-on (SSO) solution, which includes an extensible set of authentication methods and the ability to define workflows around them. It also contains an authorization engine, which grants or denies access to particular resources based on properties of the user requesting access as well as on the environment from which the request is made. Comprehensive policy management, auditing, and integration with other components of your IT infrastructure enrich this core functionality.

[Diagram: the reference architecture with Oracle products mapped onto it. OAM WebGate on the Web Server; Oracle AM Suite / OAM Access Server as the Authentication Service; OAAM (risk) & Audit services; AM Identity Federation as the Federation Identity Provider; OES Server (SM) as PEP/PDP on the App Server; OAM Access Server as Centralized PDP; OES and the OES Console as PAP over the Policies Repository.]
Authentication & Authorization – Mapping to ORACLE Tech.

A ORACLE ACCESS MANAGER

1 OAM WEBGATES:
o A web server plug-in access client analogous to the Sun OpenSSO Enterprise Policy Agent. WebGate intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization.

2 OAM ACCESS SERVER:
o Provides centralized authentication, authorization, and auditing to enable single sign-on and secure access control across enterprise resources.

3 OAAM (RISK) & AUDIT SERVICES:
o Oracle Adaptive Access Manager helps organizations prevent fraud and misuse by strengthening existing authentication flows, evaluating the risk of events as they happen and providing risk-based interdiction mechanisms such as multi-factor out-of-band authentication.

[Diagram: the same Oracle mapping diagram, with OAM WebGate (1), OAM Access Server (2) and OAAM & Audit services (3) highlighted.]
Authentication & Authorization – Mapping to ORACLE Tech.

4 OES SM:
o Standards-based, policy-driven security solution that provides real-time fine-grained authorization in applications.

5 OES CONSOLE:
o Oracle Entitlements Server is a fine-grained authorization product that allows an organization to protect its resources by defining and managing policies that control access to, and usage of, these resources. Access privileges are defined in a policy by specifying who can do what to which resource, when it can be done, and how.

6 OES REPOSITORY:
o Analysis tools for fine-graine.

[Diagram: the same Oracle AM Suite architecture, with callouts 4 (OES SM as application security platform, PEP), 5 (OES Console as PAP) and 6 (OES Repository as PRP).]
Authentication & Authorization – Mapping to ORACLE Tech.

7 AM IDENTITY FEDERATION:
o Oracle Identity Federation (OIF) is a complete, enterprise-level solution for secure identity information exchange between partners. OIF reduces account management for partner identities and lowers the cost of integrations through support of industry federation standards. Oracle Identity Federation protects existing IT investments by integrating with a wide variety of data stores, user directories, authentication providers and applications.

[Diagram: the same Oracle AM Suite architecture, with callout 7 at the External Domain Federation Identity Provider and the AM Identity Federation service provider; OES SM (Centralized) is shown at the centralized PDP position.]
Authentication & Authorization – Mapping to CA Technology

A CA SITEMINDER
CA SiteMinder provides a shared authentication service that can be leveraged across all web-based resources and applications. By centralizing this service, CA SiteMinder offers unparalleled control over what type of authentication method/credential is used to protect a web resource, and how that authentication scheme is deployed and managed.

CA SiteMinder can support custom authentication mechanisms and integration with third-party authentication solutions via the published Authentication API.

C CA SITEMINDER FEDERATION
CA SiteMinder Federation Services extends the web single sign-on experience provided by CA SiteMinder Web access manager (CA SiteMinder WAM) to applications and portals provided internally by other organizational business units, or externally on the internet by partners or application outsourcers.

[Diagram: CA SiteMinder mapped onto the Authentication & Authorization reference architecture. Web Server with SM Agent; End User; Directory Services (Identity Access Management); Authentication Service (LDAP, Smart Card, Others); SM Agent (SSO token generation & authentication, policy validation, rules); Report Database and Audit Database; External Domain Federation Identity Provider; Remote Application; Secure Proxy Server as application security platform (PEP); RiskMinder (audit & risk control, IT Audit roles); CA SiteMinder Federation as service provider; Policy Server as centralized PDP; Attribute Store (PIP); Remote Security Services; Admin User Interface (PAP, policies & rules); Policy Server (PRP); *Axiomatics Reverse Query as partner component for fine-grained policies & rules; Sec Admin roles.]
Authentication & Authorization – Mapping to CA Technology

1 SM AGENT:
o The agent acts as a Policy Enforcement Point (PEP) and also performs the services of authentication management and single sign-on. Agents can also support optional requirements such as securely passing user entitlements to protected business applications. Agents come in several forms and each is tailored to the platform it protects. There are Agents for Web servers, J2EE servers, ERP systems, Proxy servers, and more.

2 SECURE PROXY SERVER:
o The secure proxy server is an optional standalone server component that provides a proxy-based PEP for CA SiteMinder access control on web applications and resources. This component provides a network gateway for the enterprise and supports multiple session schemes that do not rely on traditional cookie-based technology. In addition, it can also support mobile devices, identity federation, and REST-based web services.

[Diagram: the same CA SiteMinder architecture, with callouts 1 (SM Agent at the Web Server and SSO token generation) and 2 (Secure Proxy Server as application security platform, PEP).]
Authentication & Authorization – Mapping to CA Technology

3 CA RISKMINDER:
o CA RiskMinder is a powerful risk-based, adaptive authentication solution that works in real time to evaluate context, calculate a risk score, recommend actions and provide alerts/case management.

4 AUDIT DATABASE:
o Provides a historical record of operations that occur in an Identity Manager environment.

REPORT DATABASE:
o Stores snapshot data, which reflects the current state of objects in CA Identity Manager at the time the snapshot is taken. You can generate reports from this information to view the relationship between objects, such as users and roles.

[Diagram: the same CA SiteMinder architecture, with callouts 3 (RiskMinder, audit & risk control) and 4 (Report Database and Audit Database next to the SM Agent).]
Authentication & Authorization – Mapping to CA Technology

5 POLICY SERVER:
o The Policy Server is the heart of CA SiteMinder and acts as the Policy Decision Point (PDP). The Policy Server authenticates users on behalf of the PEP, evaluates security policies, and makes authorization decisions that are communicated back to the PEP. It also audits each of these events. Additionally, the in-built directory abstraction technology allows multiple user directories and databases to be arbitrarily defined, chained, and mapped for authentication and authorization.

6 ADMIN USER INTERFACE:
o CA SiteMinder is managed by an application-based user interface that provides a centralized Policy Administration Point (PAP); one instance of the Admin UI server can connect to and manage multiple Policy Servers and agents. This interface also supports both restricted delegation for fine-grained control and unlimited delegation to simplify security policy administration.

[Diagram: the same CA SiteMinder architecture, with callouts 5 (Policy Server as centralized PDP and PRP) and 6 (Admin User Interface as PAP).]
Authentication & Authorization – Mapping to CA Technology

7 *PARTNER AXIOMATICS:
o Axiomatics offers a technology platform which is even better suited for multi-dimensional filtering of large data sets to achieve fine-grained authorization: the Axiomatics Reverse Query (ARQ) technology solutions. With this technology added on top of an XACML Policy Decision Point, many different types of special-purpose filters can be offered with no or minimal authorization overhead.

[Diagram: the same CA SiteMinder architecture, with callout 7 at the *Axiomatics Reverse Query component providing fine-grained policies & rules next to the PAP.]
Authentication & Authorization – Mapping to CA Technology

C CA SITEMINDER FEDERATION

8 CA SITEMINDER FEDERATION:
o CA SiteMinder can support identity federation, such that user identity information can be securely shared between two organizations/security domains in order to facilitate single sign-on (SSO). This is achieved through support for a wide variety of open standards-based tokens including SAML, OAuth, OpenID, and WS-Federation.

[Diagram: the same CA SiteMinder architecture, with callout 8 at CA SiteMinder Federation (service provider) and the External Domain Federation Identity Provider.]
Authentication & Authorization – Mapping to IBM Tech.

A IBM SECURITY ACCESS MANAGER FOR WEB
IBM Security Access Manager for Web is an integrated access appliance that provides web access security protection in a modular package. It defends applications and data against targeted web attacks and vulnerabilities.

B TIVOLI FEDERATED IDENTITY MANAGER
IBM Tivoli Federated Identity Manager provides web and federated single sign-on (SSO) to users throughout multiple applications. It uses federated SSO for security-rich information sharing for private, public and hybrid cloud deployments.

[Diagram: IBM products mapped onto the Authentication & Authorization reference architecture. IBM Security Access Manager for Web covers the Web Server, the authentication service (LDAP, Smart Card, Others), SSO token generation & authentication, policy validation and rules, the application security platform (PEP), audit & risk control and the centralized PDP; Tivoli Federated Identity Manager covers the federation service provider and the External Domain Federation Identity Provider; Tivoli Security Policy Manager covers the PAP with fine-grained and coarse-grained policies & rules; Attribute Store (PIP); Remote Security Services; Remote Application; Directory Services; End User; Sec Admin and IT Audit roles.]
Authentication & Authorization – Use case
Web Single Sign-On and coarse-grained authz. with agents

Objective
Describe the Single Sign-On process with Web Access Management platforms that rely on an agent for authentication and authorization

Description
• Web Access Management (WAM) is the name commonly used for the identity management platform that controls access to web resources. One common scenario is the use of agents or plugins in the Web Server.
• The agent acts as a PEP (Policy Enforcement Point). If the user is not authenticated, he is redirected to the Access Management Server. After the user is successfully authenticated, he is sent back to the web resource he was trying to access.
• Until the session expires, the user can access resources protected by the WAM platform without authenticating again.
• Depending on the policy, the user is granted access to the URL he is trying to access. This is usually called coarse-grained access control because once the user has been granted access to the URL, the Web Access Management platform does not limit specific operations.

[Diagram: (1) the Web Browser requests a resource from the Web Server, where a Web Agent / Plugin is installed; (2) the agent consults the Access Management Server, which applies coarse-grained policies & rules; (3) the Access Management Server authenticates the user against the Corporate User Repository.]
Authentication & Authorization – Use case
Web Single Sign-On and coarse-grained authz. with proxy

Objective
Describe the Single Sign-On process with Web Access Management platforms that rely on a reverse proxy configuration

Description
• In this scenario no plugins are used and a reverse proxy architecture is deployed.
• All the web browser requests go through the Access Management Server, which performs the authentication and the authorization of the user.
• The Access Management Server that acts as a reverse proxy is usually placed in the DMZ.
• Sometimes mixed architectures can be deployed. The reverse proxy is mandatory when no agent is available for a particular web server technology.

[Diagram: Web Browser → Access Management Server (reverse proxy applying coarse-grained policies & rules and authenticating against the Corporate User Repository) → Web Server.]
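The agent and reverse-proxy use cases above share the same enforcement logic, shown here as an added example that is not part of the Telefonica deck: the PEP redirects users without a valid session to the Access Management Server, which authenticates against the user repository and mints a signed SSO token, and then applies a coarse-grained URL policy until the session expires. The key, users and URL policy are constructed for the demo.

```python
"""Added example, not from the Telefonica deck: a Web Access Management flow
where the agent (or reverse proxy) is the PEP and the Access Management
Server mints an HMAC-signed SSO token after checking the user repository.
Names, keys and the policy table are constructed for the demo."""
import base64
import binascii
import hashlib
import hmac
import json
import posixpath
import time
from dataclasses import dataclass

# Key shared between the Access Management Server and its PEPs (assumption:
# a real WAM product distributes this through its agent registration).
SERVER_KEY = b"constructed-demo-key"
SESSION_TTL = 3600  # seconds until the SSO session expires

# Coarse-grained policy: URL prefix -> roles allowed. Unlisted URLs are denied.
URL_POLICY = {"/public": {"employee", "partner"}, "/hr": {"hr"}, "/admin": {"admin"}}

# Constructed corporate user repository: user -> (password, roles).
USER_REPOSITORY = {"alice": ("alice-pw", {"employee", "hr"}),
                   "bob": ("bob-pw", {"employee"})}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_sso_token(user, password, now=None):
    """Access Management Server: authenticate and mint a signed SSO token."""
    now = int(time.time()) if now is None else now
    entry = USER_REPOSITORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    claims = {"sub": user, "roles": sorted(entry[1]), "exp": now + SESSION_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def validate_sso_token(token, now=None):
    """Return the claims if the signature is valid and the session has not expired."""
    now = int(time.time()) if now is None else now
    try:
        encoded_payload, encoded_sig = token.split(".")
        payload, sig = _unb64(encoded_payload), _unb64(encoded_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None


@dataclass
class Decision:
    action: str          # "redirect" (go authenticate), "allow" or "deny"
    location: str = ""   # where the PEP sends an unauthenticated user
    user: str = ""


def enforce(url, token, now=None):
    """PEP logic shared by a web-server agent and a reverse proxy."""
    claims = validate_sso_token(token, now) if token else None
    if claims is None:
        # Steps 1-2 of the use case: no valid session, redirect to the server.
        return Decision("redirect", "/login?return=" + url)
    path = posixpath.normpath(url)  # "/public/../hr" must be judged as "/hr"
    for prefix, roles in URL_POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            allowed = bool(roles & set(claims["roles"]))
            return Decision("allow" if allowed else "deny", user=claims["sub"])
    return Decision("deny", user=claims["sub"])  # no policy covers the URL
```

Once the PEP has allowed the URL, nothing here limits what the user does on the page, which is exactly the coarse-grained boundary the use case describes.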
Authentication & Authorization – Use case
Fine-grained access control

Objective
Describe the fine-grained access control scenario vs the coarse-grained access control

Description
• With Web Access Management solutions the URL-based perimeter authorization (coarse-grained) is externalized, but the core application-side authorization is often handled by custom application code.
• Fine-grained access control restricts the operations that a user can perform on a resource based on his attributes (ABAC) or his role (RBAC).
• The externalization of the authorization requires very low latency because a single web access to a single page can generate multiple authorization requests.
• Changes can be made in real time without deploying a new version of the application if changes in the authorization policy must be applied.
• The XACML protocol is used to evaluate access requests according to the rules defined in policies.

[Diagram: the Application sends an XACML Request to the Fine-grained Policy Server, which evaluates fine-grained policies & rules and answers Grant or Deny.]
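The XACML request/decision exchange described above, as an added example that is not from the deck: a minimal PDP that combines RBAC and ABAC rules with deny-overrides, with the application's PEP granting only on an explicit Permit. The attribute store, policy and users are constructed for the demo; a real deployment would exchange XACML XML or JSON over the wire.

```python
"""Added example, not from the deck: a small XACML-style fine-grained PDP.
The PEP inside the application asks the PDP; policies live outside the
application code and are combined with deny-overrides. The attribute store
(PIP), policies and users are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# PIP: subject attributes the PDP can pull in while evaluating (constructed).
SUBJECT_ATTRIBUTES = {
    "alice": {"role": {"hr", "employee"}, "department": "HR"},
    "bob": {"role": {"employee"}, "department": "SALES"},
}


@dataclass
class Request:
    """XACML request context: subject, action, resource and environment."""
    subject: str
    action: str
    resource: Dict[str, str]
    environment: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    effect: str                                 # "Permit" or "Deny"
    condition: Callable[[Request, Dict], bool]  # (request, subject attrs) -> bool


@dataclass
class Policy:
    resource_type: str   # target: the policy applies to this resource type only
    rules: List[Rule]


def evaluate(policy, req, attrs):
    """Deny-overrides rule combining: Deny > Indeterminate > Permit > NotApplicable."""
    outcomes = []
    for rule in policy.rules:
        try:
            if rule.condition(req, attrs):
                outcomes.append(rule.effect)
        except KeyError:
            outcomes.append("Indeterminate")  # a missing attribute never becomes a Permit
    for verdict in ("Deny", "Indeterminate", "Permit"):
        if verdict in outcomes:
            return verdict
    return "NotApplicable"


def decide(req, policies):
    """PDP entry point: combine all applicable policies with deny-overrides."""
    attrs = SUBJECT_ATTRIBUTES.get(req.subject, {})
    outcomes = [evaluate(p, req, attrs) for p in policies
                if p.resource_type == req.resource.get("type")]
    for verdict in ("Deny", "Indeterminate", "Permit"):
        if verdict in outcomes:
            return verdict
    return "NotApplicable"


def pep_allows(req, policies):
    """The application's PEP grants only on an explicit Permit."""
    return decide(req, policies) == "Permit"


# Constructed policy for payroll records, mixing RBAC (role) and ABAC (owner, channel).
PAYROLL_POLICY = Policy("payroll_record", [
    Rule("Permit", lambda r, a: "hr" in a["role"] and r.action in {"read", "update"}),
    Rule("Permit", lambda r, a: r.action == "read" and r.resource["owner"] == r.subject),
    # Segregation of duties: nobody, HR included, edits their own record.
    Rule("Deny", lambda r, a: r.action == "update" and r.resource["owner"] == r.subject),
    # Environment attribute: writes are only allowed from the internal channel.
    Rule("Deny", lambda r, a: r.action != "read" and r.environment.get("channel") == "external"),
])
```

Changing PAYROLL_POLICY changes the decisions immediately, without touching the application that calls pep_allows, which is the point of externalizing fine-grained authorization.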
Authentication & Authorization – Use case
Web Single Sign-On using a Virtual Directory

Objective
Describe the Single Sign-On process when users are in different repositories and a Virtual Directory is used

Description
• Web Access Management solutions usually can authenticate users residing in an LDAP directory server.
• Virtual Directories create an integrated view of multiple data sources without changing their structure. This view is accessible with the LDAP protocol and enables Web Access platforms to use multiple repositories natively without developing special connectors.
• Sometimes the repositories are also LDAP but contain different types of users, such as employees or external users.

[Diagram: (1) the Web Browser requests a resource from the Web Server with a Web Agent / Plugin; (2) the agent consults the Access Management Server, which applies coarse-grained policies & rules; (3) the Access Management Server authenticates against a Virtual Directory that aggregates several User repositories.]
Authentication & Authorization – Use case
Federated Identity single sign-on

Objective
Describe the Single Sign-On when using identity federation

Description
• Identity federation enables users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.
• In this scenario, a Federated Identity Provider (IP) authenticates the user and generates a token (asserts the identity) that is trusted by the service provider (SP). Information on the user attributes can also be shared.
• The flow is similar to the Web SSO use case, but in this case the users belong to a different domain than the service they are trying to access.
• There are some standards to support identity federation, such as SAML, OAuth and OpenID.

[Diagram: Domain 1 hosts the Federated Identity Provider and its User Repository (steps 2 and 3); Domain 2 hosts the Service Provider with a Web Agent / Plugin, accessed by the Web Browser (step 1).]
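The service-provider side of the federation flow above, as an added example that is not from the deck: the Domain 1 identity provider asserts an identity and the Domain 2 service provider accepts it only after checking issuer trust, signature, audience, validity window and replay, then builds a session from the released attributes without creating a local account. Assumptions: the IdP signing key is modelled as a per-partner secret taken from the trust metadata (real SAML uses XML signatures with the IdP's public key); domains, keys and attributes are constructed.

```python
"""Added example, not from the deck: the service-provider side of federated
SSO. The partner IdP asserts an identity; the SP checks issuer trust,
signature, audience, validity window and replay before creating a local
session. Assumption: the IdP's signing key is modelled as a per-partner
secret from the trust metadata; real SAML uses XML signatures with the
IdP's public key. Domains, keys and attributes are constructed."""
import hashlib
import hmac
import json

SP_ENTITY_ID = "https://sp.domain2.example"  # this service provider (constructed)

# Trust metadata exchanged with partner domains (constructed): key and the
# attributes this partner is allowed to release into our sessions.
TRUSTED_IDPS = {
    "https://idp.domain1.example": {"key": b"partner-domain1-key", "attrs": ["mail", "role"]},
}

ASSERTION_MAX_AGE = 300      # seconds an assertion stays acceptable
_seen_assertion_ids = set()  # replay cache (assumption: persisted in production)


def _sign(key, body):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def idp_issue(issuer, key, subject, attrs, assertion_id, now):
    """Domain 1 IdP: after authenticating the user, assert the identity for our SP."""
    body = {"id": assertion_id, "issuer": issuer, "audience": SP_ENTITY_ID,
            "subject": subject, "attrs": attrs, "iat": now,
            "exp": now + ASSERTION_MAX_AGE}
    return {"body": body, "sig": _sign(key, body)}


def sp_consume(assertion, now):
    """Domain 2 SP: validate the token and build a local session, or return None."""
    body, sig = assertion.get("body", {}), assertion.get("sig", "")
    idp = TRUSTED_IDPS.get(body.get("issuer"))
    if idp is None:
        return None                                   # untrusted issuer
    if not hmac.compare_digest(_sign(idp["key"], body), sig):
        return None                                   # tampered or wrongly signed
    if body.get("audience") != SP_ENTITY_ID:
        return None                                   # meant for another SP
    if not (body["iat"] <= now < body["exp"]):
        return None                                   # outside the validity window
    if body["id"] in _seen_assertion_ids:
        return None                                   # replayed assertion
    _seen_assertion_ids.add(body["id"])
    # No local account is created: the federated identity plus the attributes the
    # partner may release become the session, nothing more.
    return {"user": body["subject"], "issuer": body["issuer"],
            "attrs": {k: v for k, v in body["attrs"].items() if k in idp["attrs"]}}
```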
Privileged Users Security – Reference Architecture

Regulates and audits access to the critical servers consistently across platforms:
o Manages privileged user passwords.
o Fine-grained control over privileged users.
o Enforces regulatory compliance requirements - reporting server access policies.
o Enables authentication of UNIX and Linux privileged users from an external repository.
o Hardens the operating system, which reduces external security risks and facilitates operating environment reliability.
o Integrates out of the box with an auditing infrastructure that produces in-depth regulation-specific reports.

[Diagram: OS Access Control platform protecting IT resources (Infrastructure, Applications) used by System Administrators, External Parties and Security Administrators. Components: (1) Shared Account Manager; (2) Fine-grained Access Controls (Authorization Mng., fine-grained policies & rules); (3) External Authentication Module (Authentication Mng., Directory Services); (4) Agents on the protected resources; audit events feed a SIEM.]

1 Provides secure storage and access to privileged user passwords.
2 Hardens the operating system and enforces segregation of duties.
3 Allows UNIX and Linux users to authenticate using an external repository.
4 Agents integrate natively with the operating system to enforce and audit the granular policies.
Privileged Users Security - Mapping to CA Control Minder

Regulates and audits access to the critical servers consistently across platforms:

1 SHARED ACCOUNT MANAGER:
o CA ControlMinder Shared Account Management helps mitigate both internal and external risk by controlling how users access shared privileged accounts with shared password management.

2 FINE GRAIN ACCESS CONTROL
o Fine-grained access controls include the core elements of CA ControlMinder, which are used to harden the operating system and enforce segregation of duties.

3 UNAB UNIX AUTHENTICATION BROKER
o UNIX Authentication Bridge (UNAB) allows UNIX and Linux® users to authenticate using their Active Directory credentials.

4 CONTROLMINDER OS AGENT:
o ControlMinder OS Agents integrate natively with the operating system to enforce and audit the granular policies.

[Diagram: the OS Access Control reference architecture with CA ControlMinder Shared Account Manager (1), CA ControlMinder Fine Grain Access Control (2), CA ControlMinder UNAB Unix Authentication Broker (3) and ControlMinder Agents (4) on the protected IT resources; Directory Services, System Administrators, External Parties, Security Administrators and SIEM as before.]
Privileged user security – Use case
Shared password manager

Objective
Describe the process of managing in a secure way the passwords of privileged accounts in the systems

Description
• The necessity to share privileged accounts among many users makes it difficult to hold people accountable for privileged activity.
• With a shared password management platform it is possible to mitigate both internal and external risk by controlling how users access shared privileged accounts.
• Without needing agents in the platform it is possible to check out and check in passwords for privileged users.
• The user authenticates to the shared password manager platform using his personal login and password and then, based on his role, he can check out the password for an account. No agent is needed to perform this operation, which basically consists in setting a new password for the account.
• When users no longer need the password, they check it in and the password is changed to a random one so nobody can use it.

[Diagram: the User checks out and checks in passwords at the Shared Password Manager, which performs Authn & AuthZ against the Corporate User Repository and the password change on the Target system; the user then logs in to the Target system.]
Privileged user security – Use case
Shared password manager as jumper host

Objective
Describe the process of managing in a secure way the passwords of privileged accounts in the systems using a jumper host

Description
• In this scenario the Shared Password Manager does not give the newly generated password to the user. Instead, the user is logged in automatically to the target system.
• This prevents "over-the-shoulder" password theft and speeds up the process for the password requester.
• The session can be recorded so all the actions made with the privileged account can be tracked and logged.

[Diagram: the User checks out and checks in at the Shared Password Manager (Authn & AuthZ against the Corporate User Repository), which changes the password on the Target system and performs the login there on the user's behalf.]
Privileged user security – Use case
Shared password manager for applications

Objective
Describe the process of managing in a secure way the passwords of privileged accounts for applications

Description
• This scenario resolves the problem of having service account passwords hard-coded in scripts or in configuration files.
• A shared account agent can be used inside a script to replace hard-coded passwords with passwords that can be checked out.
• This simplifies the process of password management for service accounts.

[Diagram: a Script with an Agent checks out the password from the Shared Password Manager (Authn & AuthZ against the Corporate User Repository), which changes the password on the Target system; the script then logs in to the Target system.]
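One implementation of the shared password manager use case and of the script-agent variant for service accounts above, as an added example that is not from the deck or from CA ControlMinder: role-based check-out, exclusive holding of an account for accountability, rotation to a random password on check-in, and an audit trail per personal user. Users, roles, accounts and the simulated target systems are constructed.

```python
"""Added example, not from the deck: a shared password manager with
check-out / check-in and per-user accountability, plus the script-agent
pattern that replaces a hard-coded service-account password. Users, roles,
accounts and the simulated target systems are constructed."""
import secrets
import string
from typing import Callable, Optional

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%+-_"

# Constructed corporate user repository: user -> roles (authentication of the
# personal login is assumed to have happened upstream).
USERS = {"alice": {"dba"}, "bob": {"ops"}, "backup-job": {"batch"}}
# Which roles may check out which privileged account.
CHECKOUT_POLICY = {"root@db01": {"dba"}, "svc_backup@app01": {"ops", "batch"}}


def generate_password(length=24):
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


class SharedPasswordManager:
    def __init__(self, target_systems):
        self.targets = target_systems   # account -> current password on the target (simulated)
        self.holder = {}                # account -> user who currently holds it
        self.audit = []                 # who did what to which account

    def _rotate(self, account):
        # The manager, not the user, sets the password on the target system.
        self.targets[account] = generate_password()
        return self.targets[account]

    def _log(self, event, user, account):
        self.audit.append({"event": event, "user": user, "account": account})

    def checkout(self, user, account) -> Optional[str]:
        allowed_roles = CHECKOUT_POLICY.get(account, set())
        if not USERS.get(user, set()) & allowed_roles:
            self._log("CHECKOUT_DENIED", user, account)
            return None
        if account in self.holder:
            # Exclusive check-out: one accountable person per account at a time.
            self._log("CHECKOUT_BUSY", user, account)
            return None
        self.holder[account] = user
        self._log("CHECKOUT", user, account)
        return self._rotate(account)    # fresh password known only to this user

    def checkin(self, user, account) -> bool:
        if self.holder.get(account) != user:
            self._log("CHECKIN_REJECTED", user, account)
            return False
        del self.holder[account]
        self._rotate(account)           # random again: nobody knows it now
        self._log("CHECKIN", user, account)
        return True

    def who_holds(self, account):
        return self.holder.get(account)


def run_with_checkout(spm, user, account, job: Callable[[str], object]):
    """Script-agent pattern: check out, use the password, always check it back in."""
    password = spm.checkout(user, account)
    if password is None:
        return None
    try:
        return job(password)
    finally:
        spm.checkin(user, account)
```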
Privileged user security – Use case
Fine grained access control

Objective
Describe the process of fine-grained access control in target systems

Description
• To enforce fine-grained access control in server hosts, an agent is deployed in the target systems.
• This agent enforces the policy and restricts what can be done using a privileged account.
• Users should log in to the target machine with their personal account and, depending on their role, can escalate privileges to another account to execute specific actions.
• All actions are audited and referenced to the user that originally logged in to the target machine.
• Users in the target systems are provisioned with the Identity Management Platform.

[Diagram: the Identity Management Platform provisions users on the Target system; the user logs in with a personal user and performs Privilege Escalation under the control of the Agent, which receives its policy from the Policy Manager / Enterprise Admin Server.]
Privileged user security – Use case
Fine grained access control with centralized authentication

Objective
Describe the process of fine-grained access control in target systems that use an external user repository

Description
• This scenario is very similar to the previous one, but in this case the target systems do not use an internal user store.
• Typically an existing Corporate LDAP / Active Directory is used to authenticate the users.
• This simplifies the provisioning task because no new target systems must be managed.

[Diagram: the Identity Management Platform provisions the Corporate User Repository; the user logs in to the Target system with a personal user and performs Privilege Escalation under the control of the Agent, which receives its policy from the Policy Manager / Enterprise Admin Server.]
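The host agent of the two fine-grained privileged-access use cases above, as an added example that is not from the deck or from any vendor agent: personal login against a corporate directory (no local user store), role-based escalation to a privileged account, an allow-list of exact commands per account, and an audit trail that always names the original user. The directory, policy and hosts are constructed.

```python
"""Added example, not from the deck: the host agent of the fine-grained
privileged-access use cases. The user logs in with a personal account
(looked up in the corporate directory), may escalate only to the accounts
and commands the policy allows for his roles, and every action is audited
against the original user. Directory, policy and hosts are constructed."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Corporate directory (constructed): the host has no local user store.
DIRECTORY = {"alice": {"roles": {"dba"}}, "bob": {"roles": {"webops"}}}

# Policy pushed by the Policy Manager / Enterprise Admin Server (constructed):
# role -> target account -> exact commands allowed under that account.
ESCALATION_POLICY = {
    "dba": {"oracle": ["sqlplus / as sysdba", "rman target /"],
            "root": ["systemctl restart oracle"]},
    "webops": {"root": ["systemctl restart nginx",
                        "tail -n 100 /var/log/nginx/error.log"]},
}


@dataclass
class Session:
    personal_user: str                  # who logged in; never changes
    host: str
    effective_account: Optional[str] = None
    audit: List[dict] = field(default_factory=list)

    def log(self, event, **details):
        self.audit.append({"event": event, "user": self.personal_user,
                           "host": self.host, **details})


def login(user, host):
    """Personal login only: an unknown or shared identity gets no session."""
    if user not in DIRECTORY:
        return None
    session = Session(user, host)
    session.log("LOGIN")
    return session


def allowed_commands(session, account):
    commands = []
    for role in DIRECTORY[session.personal_user]["roles"]:
        commands += ESCALATION_POLICY.get(role, {}).get(account, [])
    return [shlex.split(c) for c in commands]


def escalate(session, account):
    """Switch to a privileged account only if some role of the user permits it."""
    if not allowed_commands(session, account):
        session.log("ESCALATION_DENIED", account=account)
        return False
    session.effective_account = account
    session.log("ESCALATION", account=account)
    return True


def run(session, command):
    """Under a privileged account only an exact, token-by-token match is executed."""
    account = session.effective_account or session.personal_user
    if session.effective_account is not None:
        try:
            tokens = shlex.split(command)
        except ValueError:           # unbalanced quoting: refuse rather than guess
            tokens = None
        # Exact token match: "nginx && rm -rf /" or "nginx;" never equals "nginx".
        if tokens not in allowed_commands(session, account):
            session.log("COMMAND_BLOCKED", account=account, command=command)
            return False
    session.log("COMMAND", account=account, command=command)
    return True
```

Every audit entry carries personal_user, so activity done as root or oracle remains attributable to the person who logged in, which is the accountability the use case asks for.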
3.2 Data Base Protection

Database Security – Reference Architecture

1 DB firewall: inspection of SQL commands, blocking commands that are not permitted by firewall rules. Eliminates malicious access (e.g. SQL injection or any clients that attempt commands that have not been previously approved).

2 Access Control:
o Limits operations based on the user's role and rules.
o Limits access to columns and rows based on user and data classification rules and policies.
o Limits DBA access to realms, or portions of the database, in order to support the principle of least privilege.

3 Access Control leverages:
o Identity Management and
o Authentication mechanisms (single factor - user id and password, or multi-factor - tokens and/or certificates).

4 Data Encryption features:
o Persisted Data Encryption.
o Online historical archives & backup media encryption, in order to meet data retention requirements and provide end-to-end data protection.

5 Centralized and remote audit policy management: consolidation of audit data into a secure repository which includes audit policies, access control, audit alerts, and reports.
Auditing Features:
o Logging of transactions.
o Logging of administrative operations.
o Audit data is transmitted to a secure centralized store where reports can be run and alerts triggered.

6 Track and manage database configuration, compare it to pre-defined configuration policies, scan for vulnerabilities based on configuration and patch levels, and provide compliance metrics.

7 Enabling testing of applications, data are extracted from production databases and loaded into staging areas. The database management system includes a masking component in order to transpose actual values into false values while maintaining rules of integrity.

[Diagram: Database Platform with DB Firewall (1); Access Control (2) using roles, rules, data classification and realm partitioning; Authentication (3), single factor or multi factor, against Directory Services; Persisted Data Encryption and Backup Encryption (4); Audit Server with audit trail, audit policies, alerts & reports, audit database and external auditing systems (5); Configuration & Vulnerability Manager (6); Data Masking into a Staging database (7); ADM and USER actors.]
Database Security - Mapping Imperva Technology

1. DATABASE FIREWALL:
o SecureSphere Database Firewall keeps your organization out of the news with data center security that can see all traffic, reduce exposure of unpatched database servers, and stop advanced targeted attacks. Database Firewall helps you avoid expensive breaches by effectively protecting databases from attacks, data loss, and theft.

2. DATABASE USER RIGHTS MANAGEMENT:
o User Rights Management for Databases (URMD) helps you establish an automated database access rights review process to eliminate excessive user rights. It also enables you to demonstrate compliance with regulations such as SOX and PCI DSS. URMD lowers IT labor costs associated with database user access management.

3. *PARTNER VORMETRIC:
o The solution solves security and compliance challenges with data-at-rest encryption, integrated key management, privileged user access control, and security intelligence logging.

4. DATABASE ACTIVITY MONITOR:
o SecureSphere Database Activity Monitor helps you efficiently demonstrate database compliance through automated processes, audit analysis, and customizable reports across heterogeneous database platforms. In addition, SecureSphere accelerates incident response and forensic investigation with centralized management and advanced analytics. Database Activity Monitor helps you pass your database audits and avoid hefty non-compliance fines.

[Diagram: the reference architecture above with Imperva products mapped onto it: (1) SecureSphere Database Firewall, (2) Database User Rights Management, (3) Vormetric for persisted data and backup encryption, (4) Database Activity Monitor on the audit server, plus SecureSphere Management, Database Assessment and Persistent Data Masking.]
Database Security - Mapping Imperva Technology (II)

5. SECURESPHERE MANAGEMENT:
o The MX Management Server unifies the administration, logging, and reporting of multiple SecureSphere gateways. SecureSphere Operations Manager goes one step further, allowing you to centrally manage up to 50 MX Management Servers.

6. DATABASE ASSESSMENT:
o SecureSphere solves this by quickly identifying sensitive data, database vulnerabilities and misconfigurations so that you can prioritize and mitigate them. Database Assessment helps you stay out of the headlines by ensuring that database protection conforms to regulations, best practices, and a company's internal standards.

7. *PARTNER INFORMATICA:
o It helps your IT organization manage access to your most sensitive data. Informatica Persistent Data Masking shields confidential data—such as credit card numbers, addresses, and phone numbers—from unintended exposure by creating realistic, de-identified data that can be shared safely internally or externally.

[Diagram: same Imperva mapping, highlighting (5) SecureSphere Management, (6) Database Assessment in the Configuration & Vulnerability Manager role and (7) Informatica Persistent Data Masking in the Data Masking role.]
Database Security – Mapping Oracle Technology

1. Database firewall:
o A SQL grammar analysis engine that inspects SQL statements going to the database and determines with high accuracy whether to allow, log, alert, substitute, or block the SQL. Oracle Database Firewall supports white list, black list, and exception list based policies.
o Policies can be enforced based upon attributes, including SQL category, time of day, application, user, and IP address.
o Database Firewall events are logged to the Audit Vault Server, enabling reports to span information observed on the network alongside audit data.

2. Database Vault:
o Implement preventive controls on privileged user access to application data.
o Control database access with multifactor policies that are based on built-in factors such as time of day, IP address, application name, and authentication method.

3. Oracle Advanced Security Option (ASO) delivers encryption and data redaction capabilities, vital to protecting sensitive application data. ASO is composed of Transparent Data Encryption (TDE) and Data Redaction, which help prevent unauthorized access to sensitive information at the application layer, in the operating system, on backup media, and within database exports.

4. Audit Vault:
o Consolidates audit data and logs generated by databases, operating systems, directories, file systems, and custom sources into a secure centralized repository.
o Information from the network is combined with detailed audit information for easy compliance reporting and alerting.
o The Audit Vault is the central, highly scalable and secure repository that stores the consolidated audit data as well as event logs generated by the Database Firewall.
o The Audit Vault is the central platform for reporting, alerting, and policy management.

[Diagram: the reference architecture with Oracle products mapped onto it: (1) Oracle Database Firewall, (2) Database Vault for access control and realms, (3) Oracle Advanced Security Option (TDE) for persisted data and backup encryption, (4) Audit Vault Server and Audit Vault database, plus Oracle Key Vault and Data Masking & Subsetting.]
Database Security – Mapping Oracle Technology (II)

5. Data Masking and Subsetting:
o Oracle Data Masking and Subsetting enables entire copies or subsets of application data to be extracted from the database, obfuscated, and shared with partners inside and outside of the business.
o The integrity of the database is preserved, assuring the continuity of the applications.
o Uses a template library and format rules, consistently transforming data in order to maintain referential integrity for applications.

6. Oracle Key Vault:
o Centralizes keys in a secure and robust key management platform.
o Manages key lifecycle stages including creation, rotation, and expiration.
o Audits all access to keys and key lifecycle changes.
o It is optimized for managing Oracle Advanced Security Transparent Data Encryption (TDE) master keys.

[Diagram: same Oracle mapping, highlighting (5) Data Masking & Subsetting in the Data Masking role and (6) Oracle Key Vault alongside ASO/TDE.]
Data Base Security – Use cases: Data base firewall & monitoring

Data Base Firewall & Monitoring
• Monitoring of all the privileged activities, schema changes, creation and modification of accounts, roles and privileges.

• Monitoring of security exceptions such as failed logins and SQL errors and data modification monitoring.

• Monitors database activity in real-time and analyzes database traffic, looking for attacks at the protocol and OS level, as well as
unauthorized SQL activity.

• A baseline of all user activity is established. When users perform unexpected queries or violate access policies, it alerts or blocks the access.

• It can be deployed in the network inline as transparent bridge or sniffing only (monitor mode) or in the host with an agent.

[Diagram: Network deployments: SQL traffic passes through the Database Protection appliance as a transparent bridge in front of the database server host, or the appliance receives a copy of the traffic (sniffing only). Host deployment: a Database Protection agent runs on the database server host.]
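As an added example, not taken from the deck or from any of the vendor products above, the following Python sketch shows the policy logic that the reference architecture's DB firewall, the Oracle Database Firewall mapping and the firewall & monitoring use case describe: an allow list of previously approved statement shapes, attribute rules on SQL category, application, source IP and time of day, and allow/log/alert/block decisions. Every statement, rule, network and application name in it is constructed.

```python
import re
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple

# Normalization: comments are dropped and literals become '?', so that
# 'WHERE id = 5' and 'WHERE id = 7' share one statement fingerprint.
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.DOTALL)
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_INLIST = re.compile(r"\bIN\s*\(\s*(?:\?\s*,\s*)*\?\s*\)", re.IGNORECASE)
_CATEGORY = {"SELECT": "DQL", "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
             "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL", "TRUNCATE": "DDL",
             "GRANT": "DCL", "REVOKE": "DCL"}


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals replaced, IN-lists collapsed,
    whitespace normalized, trailing ';' dropped, case folded."""
    s = _NUMBER.sub("?", _STRING.sub("?", _COMMENT.sub(" ", sql)))
    s = " ".join(s.split()).rstrip(";").strip()
    return _INLIST.sub("IN (?)", s).upper()


def category(fp: str) -> str:
    """SQL category from the leading keyword: DQL, DML, DDL, DCL or OTHER."""
    return _CATEGORY.get(fp.split(" ", 1)[0], "OTHER")


@dataclass(frozen=True)
class Request:
    sql: str
    application: str
    source_ip: str
    at: time


@dataclass(frozen=True)
class Rule:
    """Attribute-based policy: every condition that is set must match."""
    action: str                                  # allow | log | alert | block
    categories: FrozenSet[str] = frozenset()
    applications: FrozenSet[str] = frozenset()
    source_nets: Tuple[str, ...] = ()
    window: Optional[Tuple[time, time]] = None   # inclusive time-of-day span

    def matches(self, req: Request, cat: str) -> bool:
        if self.categories and cat not in self.categories:
            return False
        if self.applications and req.application not in self.applications:
            return False
        if self.source_nets and not any(
                ip_address(req.source_ip) in ip_network(n) for n in self.source_nets):
            return False
        return not self.window or self.window[0] <= req.at <= self.window[1]


class DbFirewall:
    def __init__(self, approved, rules, default: str = "block"):
        self.approved = {fingerprint(s) for s in approved}  # approved statement shapes
        self.rules, self.default = list(rules), default

    def decide(self, req: Request) -> str:
        fp = fingerprint(req.sql)
        cat = category(fp)
        # Attribute rules first, first match wins: an explicit block of DDL from the
        # web tier must override a shape that happens to be on the allow list.
        for rule in self.rules:
            if rule.matches(req, cat):
                return rule.action
        # Otherwise only previously approved statement shapes get through.
        return "allow" if fp in self.approved else self.default


# Constructed allow list (statements observed in learning mode) and constructed rules.
APPROVED = ["SELECT name, balance FROM accounts WHERE customer_id = 42",
            "UPDATE accounts SET balance = 10.5 WHERE id = 7"]
RULES = [
    # Schema changes only from the DBA tool, from the admin network, in the change window.
    Rule("allow", categories=frozenset({"DDL"}), applications=frozenset({"dba-tool"}),
         source_nets=("10.10.0.0/24",), window=(time(22, 0), time(23, 59))),
    Rule("block", categories=frozenset({"DDL", "DCL"})),
    # Night-time batch activity is permitted but logged for the audit trail.
    Rule("log", applications=frozenset({"batch"}), window=(time(0, 0), time(5, 0))),
]
FIREWALL = DbFirewall(APPROVED, RULES)


def demo() -> Dict[str, str]:
    """Constructed requests: the tampered statement has an unapproved shape."""
    web, noon = "web-portal", time(11, 0)
    reqs = {
        "normal": Request("SELECT name, balance FROM accounts WHERE customer_id = 99", web, "10.20.1.5", noon),
        "tampered": Request("SELECT name, balance FROM accounts WHERE customer_id = 42 OR 1=1 --", web, "10.20.1.5", noon),
        "ddl_from_web": Request("DROP TABLE accounts", web, "10.20.1.5", noon),
        "ddl_from_dba": Request("ALTER TABLE accounts ADD COLUMN note VARCHAR(20)", "dba-tool", "10.10.0.7", time(22, 30)),
        "batch_night": Request("UPDATE accounts SET balance = 3 WHERE id = 9", "batch", "10.30.0.2", time(2, 0)),
    }
    return {name: FIREWALL.decide(r) for name, r in reqs.items()}
```

A product firewall would also learn the allow list automatically during a baseline period and emit the "log" and "alert" outcomes to the audit repository; here the decision string is what a caller would act on.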
Data Base Security – Use cases: Data encryption at rest, data masking and data redaction

Data encryption at rest
• Data-at-rest encryption is an important control for blocking unauthorized access to sensitive data using methods that circumvent
the database and access directly the data files in the operating system.

• This prevents attackers from gaining access to sensitive information directly in physical storage.

• This is required for compliance when critical information is stored in the database.

• It can be deployed in the network inline as transparent bridge or sniffing only or in the host with an agent.

Data redaction

• Data redaction is the modification on the fly of sensitive data in database query results prior to display by applications, so that unauthorized users cannot view the sensitive data.

• Data Redaction reduces exposure of sensitive information and helps prevent exploitation of application flaws that may disclose sensitive data in application pages.

Data masking

• With data masking, production data can be safely used for development, testing, or sharing with external development partners.

• Sensitive data is transformed while maintaining referential integrity and replaced with realistic values.

• Helps comply with data privacy regulations such as SOX and PCI.
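An added example, not the deck's or any vendor's code, of the two data-handling controls described above: static data masking for a staging copy that keeps referential integrity across tables (the same keyed transformation is applied to a key wherever it appears, so joins still work), and dynamic data redaction applied to query results before display. The masking key, the customer and order rows and the account numbers are constructed; the HMAC-based digit derivation stands in for a product's format-preserving masking rules.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed masking secret. In a real deployment it lives in a key vault and
# stays on the masking host: whoever holds it can re-mask candidate values and
# compare, so it is as sensitive as the production data itself.
MASK_KEY = b"constructed-demo-masking-key"

FAKE_SURNAMES = ["Garcia", "Rossi", "Schmidt", "Dubois", "Silva", "Novak"]


def _keyed_digits(value: str, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256(MASK_KEY, value || counter).
    Rejection sampling (bytes >= 250 are skipped) keeps every digit uniform."""
    digits: List[str] = []
    counter = 0
    while len(digits) < n:
        msg = value.encode("utf-8") + counter.to_bytes(2, "big")
        for b in hmac.new(MASK_KEY, msg, hashlib.sha256).digest():
            if b < 250:
                digits.append(str(b % 10))
        counter += 1
    return "".join(digits[:n])


def mask_identifier(value: str) -> str:
    """Deterministic, format-preserving substitution: digits become keyed
    digits, letters keyed letters of the same case, separators are kept.
    Equal inputs give equal outputs, so a key stays a key in every table."""
    stream = _keyed_digits(value, 2 * len(value))
    out, k = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(stream[k]); k += 1
        elif ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + int(stream[k:k + 2]) % 26)); k += 2
        else:
            out.append(ch)
    return "".join(out)


def mask_name(value: str) -> str:
    """Realistic but unrelated surname chosen by keyed hash (collisions are
    harmless for a non-key column)."""
    return FAKE_SURNAMES[int(_keyed_digits(value, 4)) % len(FAKE_SURNAMES)]


def mask_table(rows: List[Dict[str, str]], policy: Dict[str, str]) -> List[Dict[str, str]]:
    """policy maps column -> 'identifier' | 'name'; unlisted columns are copied."""
    handlers = {"identifier": mask_identifier, "name": mask_name}
    return [{col: handlers.get(policy.get(col, ""), lambda v: v)(val)
             for col, val in row.items()} for row in rows]


def redact_account(value: str, keep_last_groups: int = 1) -> str:
    """Dynamic redaction for display: every '-'-separated digit group except the
    trailing one(s) is replaced by X's of the same length."""
    groups = value.split("-")
    cut = len(groups) - keep_last_groups
    return "-".join("X" * len(g) if i < cut else g for i, g in enumerate(groups))


def query_for_display(rows: List[Dict[str, str]], role: str) -> List[Dict[str, str]]:
    """Redact the account column unless the caller's role may see full values."""
    if role == "fraud-analyst":
        return rows
    return [dict(r, account=redact_account(r["account"])) for r in rows]


# Constructed production data: two related tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": "C-1001", "surname": "Lopez", "account": "555-346-786-667"},
    {"customer_id": "C-1002", "surname": "Martin", "account": "555-902-114-338"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C-1001", "amount": "120.00"},
    {"order_id": "O-2", "customer_id": "C-1001", "amount": "15.50"},
    {"order_id": "O-3", "customer_id": "C-1002", "amount": "99.90"},
]
POLICY = {"customer_id": "identifier", "surname": "name", "account": "identifier"}


def mask_for_staging() -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Mask both tables; the foreign key gets the same policy in both."""
    return mask_table(CUSTOMERS, POLICY), mask_table(ORDERS, {"customer_id": "identifier"})


def orders_per_customer(customers, orders) -> List[int]:
    """Join check: identical counts before and after masking show that
    referential integrity survived. A KeyError would mean a broken foreign key."""
    counts = {c["customer_id"]: 0 for c in customers}
    for o in orders:
        counts[o["customer_id"]] += 1
    return sorted(counts.values())
```

The staging copy never contains the production values, while the redacted view still comes from the production rows; the two controls protect different consumers and are not interchangeable.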
Data Base Security – Use cases: Data encryption at rest, data masking and data redaction (II)

[Diagram: the three controls applied to one record. Data Redaction: the production value 555-346-786-667 is shown to a restricted application user as XXXX-XXX-XXX-667. Data Encryption at rest: an OS user reading the production data file sees only ciphertext (&&%!hfgc%&%&). Data Masking: the development database copy holds the substituted value 111-222-3333-444, which is what the developer sees.]
3.3 Security Logs Monitoring
Security Logs Monitoring – Reference Architecture

A. Data Sources
IT assets that generate audit events, hosted or not by application servers.
Security infrastructure components that generate audit events based on activity in the environment, either initiated by end users or by security administrators.

B. Audit Manager SIEM
Core component to aggregate, normalize and monitor security events across a broad range of network, security, host, database, and application components, providing security normalization, context, correlation and analytics.

[Diagram: (A) Data Sources (Applications, Infrastructure, SOA Services, Legacy Systems) feed (B) the Audit Manager SIEM (Event Collector, Audit Data Loader, Audit Records, Search Engine, Event Correlation, Report Generator, Incidents, Dashboard), whose consumers are Platform Security Audit Control, IT Security, Information Security & Fraud, Audit Intervention, Security Administrators and the Security Operation Center (SOC).]
Security Logs Monitoring – Reference Architecture (II)

B. Audit Manager SIEM

1. Audit events are stored in a common database (Audit Records), in order to:
o Support a common event taxonomy and record structure, enabling consistency and event correlation.
o Provide the ability to search for events, analyze activity, and generate reports based on events collected.

2. An audit data loading component supports transformation and loading of events from files into the audit database.

3. All events, or a filtered subset of events, can be forwarded to the Information Manager and stored in the database.

4. Correlation Rules describe the logic that is applied to an event or set of events to detect possible security concerns.

5. Security reporting and analysis: generation of reports customized for different consumers.

[Diagram: same reference architecture as above, with (1) Audit Records, (2) Audit Data Loader, (3) Event Collector, (4) Event Correlation and (5) Report Generator and Search Engine highlighted.]
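An added example (not from the deck, ArcSight or RSA) of the two steps the reference architecture above describes: normalizing events from different source formats (a syslog-style sshd line and a Common Event Format line of the kind ArcSight connectors exchange) into one common record structure, then applying a correlation rule to the normalized stream to raise an incident. The log lines, host names, vendor name and IP addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    """Common record structure every source is normalized into."""
    ts: datetime
    source: str        # device or application that reported the event
    category: str      # common taxonomy, e.g. "auth.failure" / "auth.success"
    user: str
    src_ip: str
    severity: int      # 0-10 scale, as used by CEF
    raw: str           # original line, kept for forensics


SSHD = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_sshd(line: str, year: int = 2014) -> Optional[Event]:
    """Syslog-style sshd authentication lines (the timestamp carries no year)."""
    m = SSHD.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    cat = "auth.failure" if m["result"] == "Failed" else "auth.success"
    return Event(ts, m["host"], cat, m["user"], m["ip"], 3 if cat == "auth.failure" else 1, line)


CEF_HEADER = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]


def parse_cef(line: str) -> Optional[Event]:
    """Common Event Format: 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext',
    ext being space-separated key=value pairs; '|' inside header fields is escaped as '\\|'."""
    if not line.startswith("CEF:"):
        return None
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        return None
    header = dict(zip(CEF_HEADER, parts[:7]))
    ext = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S")
    cat = "auth.failure" if ext.get("outcome") == "failure" else "auth.success"
    return Event(ts, ext.get("dvchost", header["product"]), cat,
                 ext.get("suser", "-"), ext.get("src", "-"), int(header["severity"]), line)


def normalize(lines: List[str]) -> List[Event]:
    """Try each parser; lines no parser understands are dropped (a real loader
    would count and quarantine them). Output is time-ordered for correlation."""
    events = [ev for line in lines for ev in [parse_cef(line) or parse_sshd(line)] if ev]
    return sorted(events, key=lambda e: e.ts)


def brute_force_then_success(events: List[Event], threshold: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Correlation rule: at least `threshold` auth.failure events from one source
    IP inside `window`, followed by an auth.success from that IP, counted across
    all reporting systems. Each firing consumes the failures it used."""
    incidents = []
    failures = defaultdict(list)               # src_ip -> timestamps of failures
    for ev in events:                           # events are time-ordered
        if ev.category == "auth.failure":
            failures[ev.src_ip].append(ev.ts)
        elif ev.category == "auth.success":
            recent = [t for t in failures[ev.src_ip] if ev.ts - t <= window]
            if len(recent) >= threshold:
                incidents.append({"src_ip": ev.src_ip, "user": ev.user, "at": ev.ts,
                                  "failures": len(recent), "target": ev.source})
                failures[ev.src_ip].clear()
    return incidents


# Constructed sample lines from two sources: an sshd host and an application that
# emits CEF. The same source IP fails on both, then succeeds on the host.
SAMPLE_LINES = [
    "Sep 29 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 4412 ssh2",
    "Sep 29 10:00:04 web01 sshd[1201]: Failed password for root from 198.51.100.23 port 4413 ssh2",
    "CEF:0|ExampleCorp|PortalAuth|1.0|100|Login failed|5|rt=Sep 29 2014 10:00:09 suser=jdoe src=198.51.100.23 outcome=failure dvchost=portal01",
    "Sep 29 10:00:30 db01 sshd[77]: Accepted password for oracle from 10.0.0.5 port 5001 ssh2",
    "Sep 29 10:01:12 web01 sshd[1201]: Accepted password for root from 198.51.100.23 port 4419 ssh2",
    "some unparseable line that no connector understands",
]


def run_rule(lines: List[str] = SAMPLE_LINES) -> List[Dict]:
    """Normalize the constructed lines and apply the rule; returns the incidents."""
    return brute_force_then_success(normalize(lines))
```

The portal failure only counts because both sources were mapped to the same taxonomy and the same src_ip field first; that is the consistency the common record structure is meant to buy.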
Security Logs Monitoring - Mapping to ArcSight Technology

1. ARCSIGHT SMARTCONNECTORS (AGENTS):
o SmartConnectors, hosted individually, or as part of an ArcSight Connector Appliance, are the interface to the objects on the network that generate correlation-relevant data on the network.
o Intelligently collect, pre-process and manage the transmission of event data to ensure high performance and complete information processing.
o Data is intelligently filtered and aggregated, allowing the agents to boil down millions of security events to the meaningful few that need to be investigated.

2. ARCSIGHT MANAGER:
o This component drives ArcSight's analyses, workflow and services. The ArcSight Manager is portable across a wide variety of operating systems and hardware platforms, and intelligently correlates output from a wide variety of security and security-relevant systems.
o The Manager evaluates and tags the events with network and actor modeling information, and priority levels.

3. CORR ENGINE STORAGE:
o Events are stored in the CORR-Engine's event retention period, where correlation operations take place, then copied daily into archives for long-term storage.
o The CORR-Engine consists of event storage and archiving, and system storage.

[Diagram: the reference architecture's (A) Data Sources and (B) Audit Manager SIEM, here labelled ESM - Enterprise Security Management, with ArcSight components mapped onto it: (1) ArcSight SmartConnectors as Event Collector, (2) ArcSight Manager, (3) CORR Engine Storage as Audit Records, the CORR Engine for Event Correlation, and ArcSight Console, ArcSight Web and Command Center as the Search Engine, Dashboard and reporting interfaces.]
Security Logs Monitoring - Mapping to ArcSight Technology (II)

4. CORR ENGINE:
o The Correlation Optimized Retention and Retrieval (CORR) Engine is a proprietary data storage and retrieval framework that receives and processes events at high rates, and performs high-speed searches.

5. ARCSIGHT CONSOLE:
o ArcSight Console is designed specifically for security analysts, and provides the utmost in flexibility for intuitive administration, rich graphical views and in-depth investigation capabilities.

ARCSIGHT WEB:
o ArcSight Web brings role-relevant security situational awareness to every level in the organization. This secure web-based interface provides dashboard viewing, customized and configurable information views and investigation capability to securely deliver broad user access throughout the distributed enterprise.

ARCSIGHT COMMAND CENTER:
o Provides a streamlined interface for managing users, storage, and event data; monitoring events and running reports; and configuring storage, updating licenses, managing component authentication, and setting up storage notifications.

[Diagram: same ArcSight mapping, highlighting (4) the CORR Engine in the Event Correlation role and (5) ArcSight Console, ArcSight Web and Command Center as the user interfaces.]
Security Logs Monitoring – ArcSight ESM Architecture

1. ARCSIGHT SMARTCONNECTORS
SmartConnectors, hosted individually, or as part of an ArcSight Connector Appliance, are the interface to the objects on the network that generate correlation-relevant data on the network.
o Smart Connectors.
o ArcSight Connector Appliance: a hardware solution that hosts the SmartConnectors you need in a single device with a web-based user interface for centralized management.
o Flex Connector: The FlexConnector framework is a software development kit (SDK) that enables you to create your own SmartConnector tailored to the nodes on your network and their specific event data.
o Forwarding Connector: The Forwarding Connectors forward events between multiple Managers in a hierarchical ESM deployment, and/or to one or more Logger deployments.

2. ARCSIGHT MANAGER
o The SmartConnector sends the aggregated and filtered events to the Manager, where they are evaluated and tagged with network and actor modeling information, and priority levels, then stored in CORR-Engine storage.
o Actors require a separate license.

[Diagram: ArcSight ESM architecture. Data sources feed (1) Smart Connectors, the Connector Appliance, Flex Connectors and Forwarding Connectors, which send events to (2) the ArcSight Manager; the Manager stores them in the CORR Engine (active memory and archive); optional ArcSight Logger, NCM/TRM and Compliance components sit alongside; the user interfaces are ArcSight Console, ArcSight Web and ArcSight Command Center, serving IT Security, Information Security & Fraud, Audit Intervention, Security Administrators and the Security Operation Center (SOC).]
Security Logs Monitoring – ArcSight ESM Architecture (II)

3. CORR ENGINE STORAGE
o The CORR-Engine storage management system consists of two major parts: the active retention period and the archives.
o The Correlation Optimized Retention and Retrieval (CORR) Engine organizes events by date. Events flow into the active retention period, and once a day, events are copied into the archives. The CORR-Engine operates on events available in the active retention period (active "jobs"), and any offline archives that have been activated.
o The archives are a block of storage within the CORR-Engine for saving copies of events. As long as a day's worth of events are active in the retention period, their corresponding archive copy is in an active state, which just means that the original events are still in the retention period's memory. Correlation happens on the original events in the retention period, not on the active archive copy.

4. CORR ENGINE
o Once events have been normalized, prioritized, and their endpoints identified within the network model, they are processed by the correlation engine.
o Events are processed by the correlation engine, where filters, rules, and data monitors connect the dots, find the events of interest, and can initiate immediate response.
o Correlation is a process that discovers the relationships between events, infers the significance of those relationships, prioritizes them, then provides a framework for taking actions.

[Diagram: same ArcSight ESM architecture, highlighting (3) CORR Engine storage (active memory, archive) and (4) the CORR Engine.]
Security Logs Monitoring – ArcSight ESM Architecture (III)

5. USER INTERFACES
o ARCSIGHT CONSOLE: ArcSight Console is designed specifically for security analysts, and provides the utmost in flexibility for intuitive administration, rich graphical views and in-depth investigation capabilities.
o ARCSIGHT WEB: ArcSight Web brings role-relevant security situational awareness to every level in the organization. This secure web-based interface provides dashboard viewing, customized and configurable information views and investigation capability to securely deliver broad user access throughout the distributed enterprise.
o ARCSIGHT COMMAND CENTER: Provides a streamlined interface for managing users, storage, and event data; monitoring events and running reports; and configuring storage, updating licenses, managing component authentication, and setting up storage notifications.

6. ARCSIGHT LOGGER (OPTIONAL)
o ArcSight Logger is an event data storage appliance that is optimized for extremely high event throughput. Logger stores security events onboard in compressed form, but can always retrieve unmodified events on demand for forensics-quality litigation data.
o Logger can be deployed stand-alone to receive events from syslog messages or log files, or to receive events in Common Event Format from SmartConnectors. Logger can forward selected events as syslog messages to ESM.
o Multiple Loggers work together to scale up to support high sustained input rates. Event queries are distributed across a peer network of Loggers.

[Diagram: same ArcSight ESM architecture, highlighting (5) the user interfaces and (6) ArcSight Logger.]
Security Logs Monitoring – ArcSight ESM Architecture (IV)

7. ARCSIGHT NCM/TRM (OPTIONAL)
o ArcSight Network Configuration Manager and Threat Response Manager (NCM/TRM) is an appliance that builds and maintains a detailed understanding of your network's topology, enabling you to centrally manage your network infrastructure and respond instantly, even automatically, to incidents as they occur.

8. ARCSIGHT COMPLIANCE (OPTIONAL)
o The HP Compliance Insight Packages provide a suite of content that delivers log review and security monitoring, based on security compliance and audit best practices.

[Diagram: same ArcSight ESM architecture, highlighting (7) ArcSight NCM/TRM and (8) ArcSight Compliance.]
Security Logs Monitoring - Mapping to RSA Technology

1. WAREHOUSE:
o Hadoop-based (distributed file system, scalable and portable) distributed computing system which collects, manages, and enables advanced analytics and reporting on longer term sets of various security data. The Warehouse can be made up of 3 or more nodes depending on the organization's analytic and resiliency requirements.

ARCHIVER:
o Indexes and compresses log data and sends it to archiving storage. The archiving storage is then optimized for long term data retention through compression, forensic analysis, and compliance reporting.

2. DECODER:
o Captures, parses, and reconstructs all network traffic from Layers 2-7, or log and event data from hundreds of devices.

[Diagram: the reference architecture's (A) Data Sources and (B) Audit Manager SIEM, here labelled RSA Security Analytics, with RSA components mapped onto it: (1) Archiver/Warehouse as Audit Records, (2) Decoder as Event Collector, the Concentrator, the Event Stream Analysis Engine for Event Correlation, and the Analytic Server/Broker for Search, Reports and Dashboard.]
Security Logs Monitoring - Mapping to RSA Technology (II)

3. CONCENTRATOR:
o Indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting.

4. EVENT STREAM ANALYSIS ENGINE:
o Processes large volumes of disparate event data and brings meaning through correlation to the events flowing through your enterprise.

5. ANALYTIC SERVER/BROKER:
o Hosts the web server for reporting, investigation, administration, and other aspects of the analyst's interface. Bridges the multiple real-time data stores held in the various decoder/concentrator pairs throughout the infrastructure. Also enables reporting on data held in the Warehouse and in archived storage.

[Diagram: same RSA mapping, highlighting (3) Concentrator, (4) Event Stream Analysis Engine and (5) Analytic Server/Broker.]
Security Logs Monitoring – RSA SA Architecture

1. LOG COLLECTOR
o The Log Collector service analyzes and collects logs from event sources throughout the IT environment in an organization. The logs and the descriptive content are stored as metadata for use in investigations and reports.
o A Local Collector (LC) is a Log Collector service running on a Log Decoder appliance. The Local Collector sends all collected event data to the Log Decoder service.
o A Virtual Log Collector (VLC) is a Log Collector service running on a stand-alone Virtual Machine. Remote Collectors are optional and they must send the events they collect to a Local Collector. Remote Collector deployment is ideal when you have to collect logs from remote locations.

2. DECODER
o The Decoder captures, parses, and reconstructs all network traffic from Layers 2-7, or log and event data from hundreds of devices.
o Security Analytics supports two types of Decoders:
  o The Decoder captures network data in packet form.
  o The Log Decoder captures log data as events.

3. CONCENTRATOR
o The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting. Concentrators aggregate data from Decoders and other Concentrators.

[Diagram: RSA Security Analytics architecture. Data sources (including SMTP/SNMP/Syslog through a Log Collector Hybrid) feed (1) Virtual Log Collectors and Log Collectors, then (2) Packet Decoders and Log Decoders, then (3) Concentrators and Log Concentrators; a Broker bridges them to the Security Analytics Server (Unified Dashboard, Administration, Investigation, Live, Warehouse, Reporting & Alerting, Incidents); Warehouse (DAC), Archiver, Malware Analysis, Event Stream Analysis (ESA) and IPDB storage sit alongside, serving Security Administrators, IT Security, Information Security & Fraud, Audit Intervention and the Security Operation Center (SOC).]
Security Logs Monitoring – RSA SA Architecture (II)

4. WAREHOUSE
o A Hadoop-based distributed computing system, which collects, manages, and enables analytics and reporting on longer-term sets of security data, for example, months or years. The Warehouse can be made up of three or more nodes depending on the organization's analytic, archiving, and resiliency requirements.

ARCHIVER
o Security Analytics has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs. The archiving storage is then optimized for long term data retention through compression, forensic analysis, and compliance reporting.

5. EVENT STREAM ANALYSIS (ESA)
o The Security Analytics Event Stream Analysis (ESA) appliance provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrator devices. ESA's advanced Event Processing Language allows you to express filtering, aggregation, joins, pattern recognition and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.

6. MALWARE ANALYSIS
o An automated malware analysis processor designed to analyze certain types of file objects to assess the likelihood that a file is malicious.

[Diagram: same RSA SA architecture, highlighting (4) Warehouse and Archiver, (5) ESA and (6) Malware Analysis.]
Security Logs Monitoring – RSA SA Architecture (III)

7. BROKER
o Bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.

8. SECURITY ANALYTICS SERVER
o The web server for reporting, investigation, administration, and other aspects of the analyst's interface. Also enables reporting on data held in the Warehouse.

9. UNIFIED DASHBOARD
o The entry point for all Security Analytics modules, providing a portal into functions of other modules for user convenience.

10. ADMINISTRATION
o The user interface for administering and monitoring appliances, devices, and services. When configured, appliances, devices, and services are available to other Security Analytics modules.

[Diagram: same RSA SA architecture, highlighting (7) Broker, (8) Security Analytics Server, (9) Unified Dashboard and (10) Administration.]
IdM & Access Vulnerability &

Security Logs Monitoring – RSA SA Architecture


Control
Application
Security
Incident Mgt.
Data Security 3.3
11 INVESTIGATION
o Investigation is the application that allows you to analyze the data captured from your network in order to identify possible internal or external threats to your security and IP infrastructure. You can investigate captured data, open query results from other Security Analytics components in an investigation, and import data from other collection sources. Security Analytics Investigation offers three views for data analysis: Navigate, Events, and Malware Analysis.

12 LIVE
o The Live module is the component that manages communication and synchronization between Security Analytics devices and a library of Live content (Live Content Management System).
o Live gathers the best advanced threat intelligence and content in the global security community and brings it directly into the user's security operations center to definitively classify computers associated with botnets, malware, and other malicious exploits. Live aggregates, consolidates, and illuminates only the most pertinent information relevant to an organization on a real-time basis.

13 WAREHOUSE
o The Warehouse module is the user interface for searching and querying Warehouse devices.

14 REPORTING AND ALERTING
o The Reporting and Alerting modules provide the user interface for automated reporting and alerting functions.
o The Alerting module enables you to create and manage Event Stream Analysis rules used to generate alerts. You can also view a summary of the alerts generated in a particular time range.
o The Reporting module enables you to create and manage reports, alerts and charts. You can report and alert on the log and packet data collected and customize the reports and charts to enhance the visual appearance. You can create real-time reports or report on historical data.
o The Reporting module relies on the Reporting Engine to provide data for the reports, alerts and charts.

15 IPDB
o You have the possibility to choose the Internet Protocol Database (IPDB) as the source of your data when generating reports in the RSA Security Analytics Reporting module. The IPDB Extractor service sends data from the IPDB to the Reporting Engine. The IPDB is the repository for both normalized and raw event messages.

Security Logs Monitoring – Use cases 3.3

SIEM use cases: COMPLIANCE and THREAT MANAGEMENT

Critical capabilities:
• Real-Time Monitoring
• Threat Intelligence
• Behaviour profiling
• Data and User Monitoring
• Analytics
• Application Monitoring
• Log Management and reporting

Evolution to Big Data Analytics for security and fraud

Real-Time Monitoring

• Event correlation establishes relationships among messages or events that are generated by devices, systems or applications, based on characteristics such as the source, target, protocol or event type.
• A security event console should provide the real-time presentation of security incidents and events.
• This is important for threat management and for user activity monitoring.

Threat Intelligence

• Integration with data feeds to identify the latest threats, such as botnet and C&C communication detection and IP, URL and domain reputation data.
• Threat intelligence can be used for triage, incident response and threat assessment, increasing the success rate of early breach detection, and as context for enriching alerts and other monitoring data.

Behavior profiling

• Recognition of suspicious behavior and advanced threats by using a learning phase that builds profiles of normal activity for various event categories, such as network flows, user activity and server access.
• The platform analyzes against a baseline the massive volume of log, flow and machine data generated every second to discover anomalies in real time.
• It complements rule-based correlation.
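As an added example (not part of the Telefonica document and not any RSA product code), the three capabilities above applied to a few constructed syslog lines in Python: a correlation rule relates failed and successful logins by source address, a constructed threat-intelligence feed enriches connection events with IP reputation, and a learning phase builds a per-user baseline of usual login sources so that deviations are flagged alongside the rule-based alerts. All hostnames, IP addresses, feed entries and thresholds are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog lines: a learning phase (normal logins) and a monitoring window.
TRAINING_LOGS = [
    "Sep 28 09:00:00 vpn01 sshd[1000]: Accepted password for admin from 10.0.0.5 port 30000 ssh2",
    "Sep 28 09:05:00 vpn01 sshd[1001]: Accepted password for alice from 10.0.0.8 port 30001 ssh2",
]
SAMPLE_LOGS = [
    "Sep 29 10:00:01 vpn01 sshd[2201]: Failed password for admin from 198.51.100.7 port 51000 ssh2",
    "Sep 29 10:00:03 vpn01 sshd[2201]: Failed password for admin from 198.51.100.7 port 51001 ssh2",
    "Sep 29 10:00:05 vpn01 sshd[2201]: Failed password for admin from 198.51.100.7 port 51002 ssh2",
    "Sep 29 10:00:09 vpn01 sshd[2201]: Accepted password for admin from 198.51.100.7 port 51003 ssh2",
    "Sep 29 10:00:20 fw01 kernel: CONNECT src=10.0.0.15 dst=203.0.113.44 dport=6667",
    "Sep 29 10:01:00 vpn01 sshd[2202]: Accepted password for alice from 10.0.0.8 port 40000 ssh2",
]
# Constructed threat-intelligence feed (IP reputation), keyed by IP address.
THREAT_FEED = {"203.0.113.44": "botnet C&C (constructed feed entry)"}

LINE_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
EVENT_PATTERNS = [
    ("auth_fail", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth_ok", re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")),
    ("net_conn", re.compile(r"CONNECT src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")),
]


def parse_line(line):
    """Normalise one syslog line into an event dict (type, source, target, ...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, program, msg = m.groups()
    event = {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host,
             "program": program, "msg": msg, "type": "unknown"}
    for etype, pattern in EVENT_PATTERNS:
        pm = pattern.search(msg)
        if pm:
            event["type"] = etype
            event.update(pm.groupdict())
            break
    return event


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation by source: >= threshold failed logins from one IP followed by a
    success from the same IP inside the window raises one alert."""
    alerts, failures = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] not in ("auth_fail", "auth_ok"):
            continue
        recent = [t for t in failures.get(ev["src"], []) if ev["ts"] - t <= window]
        if ev["type"] == "auth_fail":
            failures[ev["src"]] = recent + [ev["ts"]]
        elif len(recent) >= threshold:
            alerts.append({"rule": "bruteforce_success", "src": ev["src"],
                           "user": ev["user"], "failures": len(recent)})
            failures[ev["src"]] = []
    return alerts


def enrich_with_threat_intel(events, feed=THREAT_FEED):
    """Threat intelligence: flag any event whose source or destination is in the feed."""
    return [{"rule": "threat_intel_match", "ip": ev[field], "context": feed[ev[field]],
             "host": ev["host"]}
            for ev in events for field in ("src", "dst") if ev.get(field) in feed]


def learn_baseline(events):
    """Learning phase: which source addresses each user normally logs in from."""
    baseline = {}
    for ev in events:
        if ev["type"] == "auth_ok":
            baseline.setdefault(ev["user"], set()).add(ev["src"])
    return baseline


def baseline_anomalies(events, baseline):
    """Behaviour profiling: a successful login from a source unseen for that user."""
    return [{"rule": "login_from_new_source", "user": ev["user"], "src": ev["src"]}
            for ev in events
            if ev["type"] == "auth_ok" and ev["src"] not in baseline.get(ev["user"], set())]


def run_pipeline(lines, training_lines):
    events = [e for e in map(parse_line, lines) if e]
    baseline = learn_baseline([e for e in map(parse_line, training_lines) if e])
    return (correlate_bruteforce(events) + enrich_with_threat_intel(events)
            + baseline_anomalies(events, baseline))


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS, TRAINING_LOGS):
        print(alert)
```

On the sample window the pipeline returns three alerts: the brute-force success on vpn01, the firewall connection to the feed-listed address, and the admin login from a source not seen in the learning phase; alice's login from her usual address produces nothing, which is the point of the baseline.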

Data and User Monitoring

• This capability establishes user and data context, and enables data access and activity monitoring.
• Functions include integration with IAM infrastructure to obtain user context and the inclusion of user context in correlation, analytics and reporting.
• Data access monitoring includes databases, file integrity monitoring and also integration with DLP functions.

Application Monitoring

• Integration with packaged applications, and an interface that allows customers to define log formats of unsupported event sources, and the inclusion of application and user context.
• The application log information can be enriched with WAF, web server, middleware and database logs.

Analytics

• Security event analytics are composed of dashboard views, reports and ad hoc query functions to support the investigation of user activity and resource access in order to identify a threat, a breach or the misuse of access rights.
• Big Data enables various capabilities, for instance forensics and the analysis of long-term historical trends. By collecting data on a large scale and analyzing historical trends, you would be able to identify when an attack started and what steps the attacker took to get hold of your systems.

Log management and reporting

• Compliance-oriented deployments are simplified when the SIEM technology includes predefined and modifiable reports for user activity, resource access and model reports for specific regulations.
• Reporting capabilities should include predefined reports, as well as the ability to define ad hoc reports or use third-party reporting tools.
• Log management has become part of the standard of due care for many regulations, but it is important to define the security controls for access, deletion and modification of logs, and also the retention time of logs.
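As an added illustration (not the document's own content and not any vendor's implementation), this Python sketch shows one way to realise the controls the last bullet asks for: an append-only archive in which each record carries the SHA-256 digest of the previous one, so any later modification or deletion of a stored record is detected on verification; a role table that decides who may append, read, verify or purge; and a retention policy that only ever drops whole expired records from the head of the chain, re-anchoring so that the remainder still verifies. The roles, the retention period and the log lines are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64

# Constructed role model: no role may edit or delete an individual record;
# only whole records that have passed the retention period can be purged.
ROLE_PERMISSIONS = {
    "collector": {"append"},
    "analyst": {"read", "verify"},
    "log_admin": {"read", "verify", "purge"},
}


def authorize(role, action):
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"role '{role}' is not allowed to {action} logs")


def record_digest(prev_digest, ts_iso, line):
    """Each record's digest covers the previous digest, so the archive is a hash chain."""
    return hashlib.sha256(f"{prev_digest}|{ts_iso}|{line}".encode()).hexdigest()


class LogArchive:
    """Append-only, hash-chained log archive with a retention policy."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.anchor = GENESIS          # digest the first stored record must link to
        self.records = []              # [{"ts", "line", "prev", "digest"}]

    def append(self, role, ts, line):
        authorize(role, "append")
        prev = self.records[-1]["digest"] if self.records else self.anchor
        rec = {"ts": ts.isoformat(), "line": line, "prev": prev,
               "digest": record_digest(prev, ts.isoformat(), line)}
        self.records.append(rec)
        return rec["digest"]

    def read(self, role):
        authorize(role, "read")
        return [r["line"] for r in self.records]

    def verify(self, role):
        """Return -1 if the chain is intact, otherwise the index of the first bad record."""
        authorize(role, "verify")
        prev = self.anchor
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["digest"] != record_digest(prev, rec["ts"], rec["line"]):
                return i
            prev = rec["digest"]
        return -1

    def purge_expired(self, role, now):
        """Retention: drop records older than the retention period from the head of the
        chain and re-anchor on the last purged digest, so verify() still passes."""
        authorize(role, "purge")
        purged = 0
        while self.records and now - datetime.fromisoformat(self.records[0]["ts"]) > self.retention:
            self.anchor = self.records.pop(0)["digest"]
            purged += 1
        return purged
```

The anchor that survives a purge is the digest of the last discarded record; keeping that value (for example in the retention report) lets an auditor confirm that what was removed was exactly the expired head of the chain and nothing in the middle.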

Security Logs Monitoring – Evolution to Big Data 3.3
[Figure: evolution to Big Data security analytics (source: Gartner). Data sources (Authentication Manager, Policy Manager, IAM, Directory and HR systems, End Point, Servers, Online / Mobile / In-person Channels, Databases, Applications, External Data) feed the existing security systems (Advanced Threat Detection, SIEM, DLP, Fraud Prevention, DAP), whose results flow into Big Data Analytics / Visualization and into Alert and Case Management and Investigations, which return an Accept, Block or Verify decision. SIEM can integrate DLP and LDAP. Three stages are shown, from current to desirable: (1) Enhance Existing Security Systems With Canned Analytics; (2) Combine Data and Correlate Activity Using Custom or Ad Hoc Analytics; (3) External Cyberthreat and Fraud Intelligence.]

Source: Gartner
3.4 Service Oriented Architecture

Security in Service Oriented Architecture 3.4
Main Components

[Figure: SOA main components across the Untrusted Zone / Internet, the DMZ and the Trusted Zone / Internal Network. External Service Consumers reach the API Gateway (1) in the DMZ; the API Gateway forwards to the ESB (2), which connects the Service Providers in the Corporate Application Environment (3) and the Internal Consumers; the Identity Repository (4) supports all of them.]

1 API Gateway: gateway to expose, secure and manage any backend application, infrastructure or network system as an API.
2 Enterprise Service Bus: software model used for designing and implementing communication between mutually interacting software applications in a service-oriented architecture.
3 Corporate Application Environment: applications in J2EE or others.
4 Identity Repository: repository to enforce access control with authentication and authorization mechanisms.
Security in Service Oriented Architecture 3.4
Main Components

[Figure: the same component layout with the security enforcement points marked: SECURITY (5) at the API Gateway in the DMZ, SECURITY (6) at the ESB, and (7) at the Service Providers in the Corporate Application Environment.]

5 Security in API Gateway: security mechanisms MUST be implemented in the API Gateway to protect internal services from external accesses.
6 Security in Enterprise Service Bus: security mechanisms MUST be implemented in the integration ESB but can be less restrictive.
7 Security in Corporate Application Environment: security mechanisms CAN be implemented depending on the service.
Security in Service Oriented Architecture 3.4
Mapping with security products

[Figure: product mapping onto the component layout. API Gateways (a) from IBM (DataPower), Axway or Oracle API Gateway sit in the DMZ between the External Service Consumers and the ESB; Oracle Service Bus (OSB) acts as the ESB, with Oracle Web Services Manager (OWSM) (b) enforcing security at the OSB and at the Service Provider endpoints in the Corporate Application Environment; Identity Management supports the whole layout.]

a API Gateways from IBM, Axway or Oracle placed in the DMZ to protect services from 3rd party consumers.
b Oracle Web Services Manager (OWSM) is part of the Oracle SOA suite. It is a runtime that can be enabled in the Oracle Service Bus (OSB) and in the endpoints.
Security in Service Oriented Architecture – Use case 3.4
Protecting internal access to a service published in OSB

Objective

Protect a service published in the Oracle Service Bus without changing either the internal client or the web service.

Description

• The OWSM agent runtime must be deployed in the client and the server (OSB).
• WS-Security policies are deployed in the client and in the server.
• With a WS-Security Username token policy, a user and password are required to access the service.
• The OWSM Agent in the client modifies the SOAP message to insert the user name and password in the request.
• The OWSM Agent in the OSB validates the username and password and checks the authorization against the IdM infrastructure.
• Other authentication mechanisms can be used, such as X509 Certificates, SAML and Kerberos.

[Figure: Internal Consumer (OWSM Agent) --WS-Security--> OSB (OWSM Agent) --> Web Service; both agents consult the Identity Repository.]
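An added example, not code from the document or from Oracle's OWSM, of the exchange above in Python using only the standard library: the client-side agent inserts a WS-Security UsernameToken in digest form (Base64(SHA-1(nonce + created + password)), as defined by the WSS Username Token Profile) into a SOAP envelope, and the OSB-side agent validates it against a constructed identity repository, rejects stale or replayed nonces, and then checks the user's authorization for the requested service. The SOAP body, user names, passwords and service names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

# Constructed request from the internal consumer, before the client agent touches it.
REQUEST = ('<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
           '<getBalance><account>constructed-0001</account></getBalance>'
           '</soapenv:Body></soapenv:Envelope>' % SOAP)


def password_digest(nonce, created, password):
    """WSS Username Token Profile: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def client_agent_insert_token(envelope_xml, username, password, now=None):
    """Client-side agent: add a wsse:Security header carrying a UsernameToken."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    nonce = os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return ET.tostring(root, encoding="unicode")


class OsbAgent:
    """Server-side agent on the OSB: validates the token against the identity
    repository and checks the user's authorization for the requested service."""

    def __init__(self, identity_repo, authz, max_skew=timedelta(minutes=5)):
        self.repo = identity_repo        # {username: password}, constructed
        self.authz = authz               # {service: {usernames}}, constructed
        self.max_skew = max_skew
        self.seen_nonces = set()         # replay cache; a real agent bounds it by max_skew

    def validate(self, envelope_xml, service, now=None):
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "missing UsernameToken"
        user = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
            return False, "only digest tokens with Nonce and Created are accepted"
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs((now or datetime.now(timezone.utc)) - created_at) > self.max_skew:
            return False, "token outside freshness window"
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        secret = self.repo.get(user)
        # Digest is recomputed even for unknown users so the failure path takes the same time.
        expected = password_digest(base64.b64decode(nonce_b64), created, secret or "")
        if secret is None or not hmac.compare_digest(expected, pw.text or ""):
            return False, "authentication failed"
        self.seen_nonces.add(nonce_b64)
        if user not in self.authz.get(service, set()):
            return False, "not authorized for service"
        return True, user


def demo():
    osb = OsbAgent({"billing-app": "constructed-secret"}, {"AccountService": {"billing-app"}})
    now = datetime(2014, 9, 29, 12, 0, tzinfo=timezone.utc)
    msg = client_agent_insert_token(REQUEST, "billing-app", "constructed-secret", now)
    return osb.validate(msg, "AccountService", now), osb.validate(msg, "AccountService", now)
```

Neither the consumer's business payload nor the web service changes: the client agent only adds a header, and the OSB agent only reads it, which is what lets the policy be applied without touching either side. The digest form is used rather than the clear-text PasswordText variant so that the password itself never travels in the message.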

Security in Service Oriented Architecture – Use case 3.4
Protecting the access to the service in the last mile

Objective

Prevent the web service from being accessed from any source other than the OSB.

Description

• The OWSM agent runtime is also deployed in the web server where the service is running.
• An alternative would be to restrict the communication at network level so that only the OSB is able to connect to the end service.
• WS-Security policies can be enforced in the service without modifying it.
• The OWSM agent in the OSB can perform credential mapping: after a successful invocation from the internal consumer, the OSB can find matching credentials to authenticate to the Web Service.
• It is possible to require different authentication mechanisms at OSB and Web service level (e.g. require an X509 certificate at the OSB layer and a Username token in the web service).

[Figure: Internal Consumer (OWSM Agent) --WS-Security--> OSB (OWSM Agent) --WS-Security--> Web Service (OWSM Agent); a Rogue consumer trying to reach the Web Service directly is blocked; the agents consult the Identity Repository.]
Security in Service Oriented Architecture – Use case 3.4
3rd party consumer accessing an internal service

Objective

Protect the access to an internal service that must be accessed from an external 3rd party.

Description

• The service must be published in an API Gateway placed in the DMZ.
• Transport security (TLS) must be implemented between external consumers and the API Gateway, and also between the API Gateway and the OSB.
• Authentication can be applied at transport level or at message level with WS-Security.
• For digital services, REST with OAuth 2.0 as the authorization protocol is recommended.
• The API Gateway authorizes and controls the access to the service, checking the identity management platform.
• The API Gateway can perform credential mapping when passing the message to the OSB.

[Figure: External Consumer --WS-Security or REST/OAuth 2.0--> API Gateway --WS-Security--> OSB (OWSM Agent) --> Web Service; the gateway and the OSB consult the Identity Repository.]
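An added example (not the document's own, and not any vendor's gateway policy language) of the gateway checks listed above, in Python: the request must arrive over TLS, the OAuth 2.0 bearer token is validated against a constructed introspection store, the token's scope is checked against the route, and the external client identity is mapped to an internal service account before the call is forwarded to the OSB without the external token. The tokens, routes, client ids, the credential map and the X-On-Behalf-Of header name are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2014, 9, 29, 12, 0, tzinfo=timezone.utc)

# Constructed view of what the authorization server reports for each access token.
TOKENS = {
    "tok-partner-a": {"active": True, "client_id": "partner-a", "scope": "accounts.read",
                      "exp": NOW + timedelta(hours=1)},
    "tok-partner-b": {"active": True, "client_id": "partner-b", "scope": "accounts.read accounts.write",
                      "exp": NOW + timedelta(hours=1)},
    "tok-revoked": {"active": False, "client_id": "partner-a", "scope": "accounts.read",
                    "exp": NOW + timedelta(hours=1)},
}
# Constructed route table: external REST resource -> required scope and internal OSB service.
ROUTES = {
    ("GET", "/accounts"): {"scope": "accounts.read", "backend": "osb://AccountService/getAccounts"},
    ("POST", "/accounts"): {"scope": "accounts.write", "backend": "osb://AccountService/createAccount"},
}
# Constructed credential mapping: external client identity -> internal service account
# registered in the identity management platform for the OSB hop.
CREDENTIAL_MAP = {"partner-a": "svc-partner-a", "partner-b": "svc-partner-b"}


class ApiGateway:
    def __init__(self, tokens, routes, credential_map, clock=lambda: NOW):
        self.tokens, self.routes, self.credential_map, self.clock = tokens, routes, credential_map, clock

    @staticmethod
    def deny(status, reason):
        return {"status": status, "error": reason}

    def handle(self, request):
        """Apply the gateway policy to one inbound request and return either a denial
        or the request descriptor that would be forwarded to the OSB."""
        if request.get("scheme") != "https":
            return self.deny(400, "TLS required between external consumer and gateway")
        auth = request.get("headers", {}).get("Authorization", "")
        if not auth.startswith("Bearer "):
            return self.deny(401, "bearer token required")
        token = self.tokens.get(auth[len("Bearer "):])
        if token is None or not token["active"] or token["exp"] <= self.clock():
            return self.deny(401, "invalid_token")
        route = self.routes.get((request["method"], request["path"]))
        if route is None:
            return self.deny(404, "unknown resource")
        if route["scope"] not in token["scope"].split():
            return self.deny(403, "insufficient_scope")
        internal_account = self.credential_map.get(token["client_id"])
        if internal_account is None:
            return self.deny(403, "no internal identity mapped for client")
        # Credential mapping: the external token never crosses into the trusted zone; the
        # OSB hop is authenticated with the mapped service account (TLS to the OSB assumed).
        forwarded_headers = {k: v for k, v in request["headers"].items() if k != "Authorization"}
        forwarded_headers["X-On-Behalf-Of"] = token["client_id"]   # constructed header name
        return {"status": 200,
                "forward": {"backend": route["backend"],
                            "auth": {"type": "WS-Security UsernameToken", "username": internal_account},
                            "headers": forwarded_headers, "body": request.get("body")}}


def demo_requests():
    gw = ApiGateway(TOKENS, ROUTES, CREDENTIAL_MAP)
    base = {"scheme": "https", "headers": {"Authorization": "Bearer tok-partner-a", "Accept": "application/json"}}
    return {
        "ok": gw.handle({**base, "method": "GET", "path": "/accounts"}),
        "scope": gw.handle({**base, "method": "POST", "path": "/accounts", "body": "{}"}),
        "revoked": gw.handle({**base, "headers": {"Authorization": "Bearer tok-revoked"},
                              "method": "GET", "path": "/accounts"}),
        "plain": gw.handle({**base, "scheme": "http", "method": "GET", "path": "/accounts"}),
    }
```

The order of the checks matters for what an external caller can learn: transport and token validity are settled before the route is even looked up, so an unauthenticated consumer cannot probe which resources exist.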

Security in Service Oriented Architecture – Use case 3.4
Identity propagation across Web and Web Service

Objective

Propagate to the end service the identity of the consumer that initiates the transaction.

Description

• In cases where the Web service requires the identity of the user that initiated the transaction, a SAML token should be used.
• Users authenticate in the Web application using their login/password.
• The Web Access Management plugin, which acts as a Policy Enforcement Point (PEP), controls the access to the web application.
• When access has been granted to the application, the OWSM Agent can generate a SAML token to invoke the service in the OSB. The SAML token identifies the original user that was authenticated.
• The OSB invokes the web service including the SAML token in the message.

[Figure: Browser --user credentials--> Web Server (WAM PEP, OWSM Agent) --SAML--> OSB (OWSM Agent) --SAML--> Web Service (OWSM Agent); the Identity Repository backs the WAM PEP and the agents.]
Security in Service Oriented Architecture – Use case 3.4
End to end message protection (encryption/signature)

Objective

Protection of the message content end to end: from the external consumer to the backend service.

Description

• Message-level security must be implemented to protect the information end-to-end.
• WS-Security provides confidentiality, integrity, non-repudiation and authentication services.
• To encrypt the information end-to-end, the client uses the public key of the web service. The message can also be signed using a private key on the client.
• The API Gateway can perform access control with the credentials provided and validate the signature, but cannot access the message content, as it is encrypted with the web service public key.
• The policy installed on the OWSM agent on the server side can extract the encrypted content to be processed by the application.

[Figure: External Consumer --XML-Signature + XML-Encryption--> API Gateway --XML-Signature + XML-Encryption--> OSB (OWSM Agent) --XML-Signature + XML-Encryption--> Web Service (OWSM Agent); the Identity Repository backs the gateway and the agents.]
Security in Service Oriented Architecture – Use case 3.4
Access to external services

Objective

Provide secure and homogeneous access to external services.

Description

• When accessing external services, the security requirements depend on the 3rd party.
• Using the API Gateway, these requirements can be met while offering a homogeneous access mechanism on the internal side.
• On the internal side, a WS-Security authentication policy based on Username token can be applied to control which internal services can contact external services.
• The API Gateway has access to the credentials needed to connect to the remote service.
• After the API Gateway has authenticated the request, it applies a security policy to comply with the 3rd party security requirements.

[Figure: Web Service (OWSM Agent) --> API Gateway --> External Service; the API Gateway consults the Identity Repository.]
4 Conclusions

Security Architecture defines the security design baseline:

o Addressing the security requirements (e.g. authorization, authentication, …).
o Identifying the security technology components to be applied.
o Setting a minimum baseline for those security components.

Next steps include:

Global IT Security Function

o Evolve further the Security Architecture to:
   o Align with the IT Global Architecture Blueprint.
   o Extend with Telefonica Operational context.
   o Apply to specific environments / scenarios (e.g. Full Stack).

OB/TGT Security Function

o Apply the Security Architecture to:
   o Check its applicability based on the criticality of the services / information supported by IT systems.
   o Self-assess and derive a Gap Analysis by matching current security capabilities with the reference security architecture.
   o Identify the main issues and develop the corresponding action plan to progressively converge to the model.
