The goal of access management is to provide and ensure appropriate access to an organization's resources. In terms of an organization's IT resources, it aims to secure access to a set of heterogeneous systems built on a range of modern and established technologies. This task is typically accomplished by offering a set of security services that integrate with the organization's IT infrastructure. The following areas are key components of access management systems:

• Authentication services

There are a variety of technology, organizational, and business reasons why different authentication schemes are used throughout an organization. Access management systems typically offer a range of authentication capabilities to support these needs. After an identity is authenticated, an identity token should be propagated to the IT systems within the organization, rather than re-implementing authentication at multiple points, which is what enables an organization-wide single sign-on (SSO) solution.

• Authorization services

An access management system should allow integration with existing and emerging infrastructure to provide secure and centralized policy management capabilities. Resources need to be discovered and modeled so that policy can be authored against them. This component requires a flexible authorization framework and a range of supported integration points.

• Federated identity services

Organizations are increasingly looking to use strategic relationships with partners and customers. These relationships are often defined at the business level through contracts and agreements. To facilitate the implementation of these commitments, IT systems may be required to interface with systems outside the traditional scope of their environment. Providing a mechanism to federate identities across organizations is a key component of this strategy.

A system that provides federated identity services should propagate identities between organizations in a standards-compliant manner. An important part of federation services is a trust service component that transforms a range of incoming security tokens into formats the receiving systems can consume.

• Audit services

Comprehensive auditing capabilities should be provided by an access management system to support identity and access management governance. The audit records should be consumable by compliance systems so that they can build a holistic record of access to business-critical systems.

Traditionally, access management solutions have provided authentication, authorization, federation, and audit services for web and operating-system based resources. New standards and technologies such as web services, service-oriented architecture (SOA), and cloud initiatives are driving new integration points in the access management space. When these are combined with requirements to implement authorization based on both data-level and context-sensitive attributes, new patterns for access management need to be considered. It is desirable to use existing investments in access management technology to provide true end-to-end and flexible policy management solutions. Authentication and trust services can be used as key components when implementing such policy management solutions.

As an example, consider an organization that has an existing investment in web-based access control systems. A reverse proxy server provides authentication services at the perimeter of the network. In this example, the authentication processing involves significant complexity, so it is highly desirable to re-use this investment if possible. The access management system stores identity information in a proprietary authentication token that can be used for single sign-on with other systems within the organization. The identity token contains identity information and attributes about the identity that can be useful for defining policies. To implement a solution that takes advantage of identity information from the existing access management system, a trust service may be required to transform the identity token into a normalized format that the policy management system can consume, extract identity information from, and apply policy to. After a normalized identity is established, policy can be authored, distributed, and enforced throughout the environment using attributes from the normalized token.

4.2.1 Integration with Tivoli Access Manager for e-business

Organizations are increasingly using web-based technologies to expose business services to customers, employees, and partners. A rapidly evolving web technology landscape makes securing access to these services difficult. Tivoli Access Manager for e-business (TAMeB) helps organizations improve identity and access management governance by providing authentication, authorization, and single sign-on capabilities for web-based resources. Tivoli Access Manager for e-business provides several components that can implement access control at various points within an organization. A common pattern is to implement a defense-in-depth strategy to provide a layered security approach. Access is authorized in the outermost layer of the network, known as the demilitarized zone (DMZ). The Tivoli Access Manager for e-business WebSEAL component provides a reverse proxy that can be used to implement authentication, authorization, and single sign-on in the DMZ. This setup allows users to be authenticated and authorized in line with a centrally defined policy before their requests proceed to applications residing in more protected areas of the network.

As part of the Tivoli Access Manager for e-business authentication process, a credential is built that can contain detailed information about subjects. The credential artifact is used in the authorization process implemented by WebSEAL and can optionally be used by other downstream components to propagate trusted subject information.

Tivoli Security Policy Manager introduces an integration to allow Tivoli Access Manager for e-business credentials and the attributes they contain to be used in policy management. Figure 4-3 shows the flow of the integration:

Figure 4-3 Tivoli Access Manager integration with Tivoli Security Policy Manager

The logical flow to use a Tivoli Access Manager for e-business credential to enforce complex policy is as follows:

1. A user requests a web-based resource, protected by Tivoli Access Manager for e-business WebSEAL, which authenticates the user using the configured authentication mechanism. Upon successful authentication, a credential is constructed that contains a list of relevant attributes about the user. This credential is used to authorize the user based on Tivoli Access Manager for e-business’ authorization policy.

2. If the user is permitted, the request can be passed to the target web resource. In this scenario, Tivoli Access Manager for e-business WebSEAL can be configured to pass along an authentication artifact known as iv-creds, which contains identity information.

3. The security token, in this case iv-cred, is passed to the Tivoli Security Policy Manager Runtime Security Service (RTSS) for processing in one of two ways. It can be converted to a collection of XACML subject attributes (3a) or left in its original format (3b) for use in a Tivoli Security Policy Manager access decision.

a. Process the iv-cred security token to create a collection of XACML subject attributes.

The JACCPlus API extends the Java Authorization Contract for Containers (JACC) API to allow an application to control the context within which the authorization decision is made. It supports parsing an iv-cred token, which the JACCPlus API can process to produce a collection of XACML subject attributes that are then passed to the Tivoli Security Policy Manager policy decision point. Using the JACCPlus API to pass the iv-cred is discussed in 8.1.1, "Tivoli Security Policy Manager authorization API" on page 214.

From a policy authoring point of view, a policy must be authored using the attribute names of the token form that the RTSS actually receives. When JACCPlus is configured to pass attributes to the RTSS as a collection of XACML subject attributes, the policy should be authored using the attribute names as they appear in the Tivoli Access Manager for e-business credential.

b. Process the iv-creds security token as a generic token.

An extension to the JACCPlus API has been implemented to support passing the iv-cred token directly to the RTSS. To enforce policy, the RTSS requires that the iv-cred token be normalized into a standard format. Tivoli Security Policy Manager introduces a new policy information point (PIP) to manage security tokens, called the Security Token Service (STS) PIP. Figure 4-3 on page 101 shows how the RTSS makes use of the STS PIP. The PIP uses WS-Trust to communicate with an STS.

An STS PIP should be configured to use a product that implements a trust service. A trust service provides the ability to convert a number of different security tokens to alternate formats. Tivoli Federated Identity Manager provides a Security Token Service (STS) that can convert the iv-creds token into a format consumable by RTSS for authorization. An RTSS security token PIP should be configured to use the Tivoli Federated Identity Manager Security Token Service (STS) to validate the iv-cred token, map any attributes required, and issue a SAML 1.x token.

SAML requirements: The STS PIP requires that a Security Assertion Markup Language (SAML) 1.x token be returned. Policy can then be authored using the SAML attribute identifiers from the transformed SAML 1.x token.
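The following is an added example, not code from the Redbook or from Tivoli Security Policy Manager, illustrating the token normalization described in the reverse-proxy scenario in 4.2 and the two processing paths (3a and 3b) of the flow above. Because the real iv-creds token is a proprietary encoded structure that only the product can parse, a hand-written dictionary of credential attributes stands in for a decoded token; the trust-service mapping rules (MAPPING) and the SAML attribute namespace (SAML_ATTR_NS) are likewise assumed values chosen for the example, not product defaults. What the example shows is the practical consequence of the two paths: the same "member of group approvers" rule is authored twice, once against the credential's own attribute names (path 3a) and once against the SAML attribute identifiers a trust service would issue (path 3b), and a rule authored for one form silently fails to match the other.

```python
"""Added example: normalising Access Manager credential attributes for policy evaluation.

Assumptions (all constructed for this example):
  * DECODED_IVCRED stands in for a parsed iv-creds token.
  * MAPPING / SAML_ATTR_NS stand in for trust-service attribute-mapping rules.
"""
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed stand-in for a decoded credential; attribute names follow the
# AZN_CRED_* convention used by Access Manager credentials.
DECODED_IVCRED = {
    "AZN_CRED_PRINCIPAL_NAME": ["alice"],
    "AZN_CRED_GROUPS": ["finance", "approvers"],
    "AZN_CRED_AUTH_METHOD": ["forms"],
}

# Assumed trust-service mapping: credential attribute -> SAML attribute name.
SAML_ATTR_NS = "urn:example:tam"
MAPPING = {"AZN_CRED_PRINCIPAL_NAME": "uid", "AZN_CRED_GROUPS": "group"}


def to_xacml_subject_attributes(cred):
    """Path 3a: the credential attribute names become the XACML AttributeIds."""
    return [(name, v) for name, values in cred.items() for v in values]


def to_saml_attributes(cred, mapping):
    """Path 3b: apply the trust-service mapping; unmapped attributes are dropped."""
    return [(SAML_ATTR_NS, saml_name, v)
            for cred_name, saml_name in mapping.items()
            for v in cred.get(cred_name, [])]


def saml_identifiers(saml_attrs):
    """Flatten SAML (namespace, name) pairs into single identifiers for rule matching."""
    return [(f"{ns}#{name}", v) for ns, name, v in saml_attrs]


def build_xacml_request(subject_attrs, resource, action):
    """Build an XACML 2.0 request context carrying the path-3a subject attributes."""
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_CTX}}}Subject", SubjectCategory=ACCESS_SUBJECT)
    for attr_id, value in subject_attrs:
        a = ET.SubElement(subj, f"{{{XACML_CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(a, f"{{{XACML_CTX}}}AttributeValue").text = value
    for tag, attr_id, value in (("Resource", RESOURCE_ID, resource), ("Action", ACTION_ID, action)):
        holder = ET.SubElement(req, f"{{{XACML_CTX}}}{tag}")
        a = ET.SubElement(holder, f"{{{XACML_CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(a, f"{{{XACML_CTX}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def build_saml11_attribute_statement(saml_attrs):
    """Build the SAML 1.x AttributeStatement an STS would issue on path 3b."""
    stmt = ET.Element(f"{{{SAML11}}}AttributeStatement")
    for ns, name, value in saml_attrs:
        a = ET.SubElement(stmt, f"{{{SAML11}}}Attribute", AttributeName=name, AttributeNamespace=ns)
        ET.SubElement(a, f"{{{SAML11}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def rule_matches(rule, attrs):
    """Minimal string-equality rule: every (identifier, value) clause must be present."""
    present = {}
    for ident, value in attrs:
        present.setdefault(ident, set()).add(value)
    return all(want in present.get(ident, set()) for ident, want in rule.items())


# The same business rule ("member of group approvers") authored for each token form.
APPROVER_RULE_3A = {"AZN_CRED_GROUPS": "approvers"}
APPROVER_RULE_3B = {f"{SAML_ATTR_NS}#group": "approvers"}


def compare_paths(cred=DECODED_IVCRED):
    """Evaluate both rules against both attribute forms; the mismatched pair must deny."""
    xacml_attrs = to_xacml_subject_attributes(cred)
    saml_attrs = saml_identifiers(to_saml_attributes(cred, MAPPING))
    return {
        "3a_rule_on_3a_attrs": rule_matches(APPROVER_RULE_3A, xacml_attrs),
        "3a_rule_on_3b_attrs": rule_matches(APPROVER_RULE_3A, saml_attrs),
        "3b_rule_on_3b_attrs": rule_matches(APPROVER_RULE_3B, saml_attrs),
    }


if __name__ == "__main__":
    print(build_xacml_request(to_xacml_subject_attributes(DECODED_IVCRED), "/approvals", "GET"))
    print(build_saml11_attribute_statement(to_saml_attributes(DECODED_IVCRED, MAPPING)))
    print(compare_paths())
```

Note that on path 3b any credential attribute without a mapping rule (here AZN_CRED_AUTH_METHOD) never reaches the policy decision point, so the mapping configured in the trust service, not the credential, bounds what policy can be authored against.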

4.2.2 Integration with other access management systems

Tivoli Security Policy Manager can integrate with virtually any access management system as long as there is a mechanism to propagate identity information. In 4.5, “Trust services” on page 110, we show how this task can be accomplished with a trust service by normalizing authentication tokens from the access management system in question.