
Identity and access management governance is driving organizations to seek end-to-end solutions to manage the full life cycle of identities and their associated entitlements. These initiatives extend to how organizations manage their electronic identities, access to IT systems, and processes. Organizations aim to:

• Manage visibility of IT resources critical to business operations.

Organizations seek to understand which of their IT assets are business-critical and who has access to them.

• Control identity aspects of an IT infrastructure.

After identities and resources are clearly understood, policy-based management systems can be put in place to control which identities can have access to which systems under what circumstances.

• Automate identity-related processes.

Manual IT processes are error prone, difficult to control, and hard to audit effectively. Organizations seek to automate identity-related processes to improve their ability to govern their critical systems and comply with regulations.

Managing identities and the systems they have access to is a challenging task for today's organizations. Keeping track of which identities have access to which systems is complex, especially as an organization grows. To deal with this problem effectively, a structured, automated approach needs to be implemented. Identity management provides a policy-based mechanism to control and monitor provisioned IT entitlements, using a centrally defined policy that is expressed in terms of roles. An identity management system should allow a business to implement modeled business processes for provisioning and for the ongoing management of entitlements, which lets an organization bring strong governance to the entitlement provisioning process.

4.1.1 Integration with identity management

Both identity management and security policy management systems make use of a role-based approach. The roles defined in an identity management system are used to drive the provisioning of IT entitlements, whereas roles in a security policy management system are used to drive policy-based runtime authorization decisions. There is often some overlap between the role definitions required for the identity management system and those required for the security policy management system. There may be a one-to-one mapping between the roles in the two systems, or business logic may need to be applied to transform the set of roles in the identity management system into a role structure that can be applied in the security policy management solution. A tool that can interface with both systems and apply that business logic is required to integrate the two, as shown in Figure 4-1.

Figure 4-1 Integrating identity management roles with security policy management

The flow of information between the two systems consists of three steps:

1. An identity management system typically exposes an interface for retrieving data from its repository. An integration tool needs to provide an Identity Management System (IDMS) connector that can connect to the IDMS and extract the required information, which in this case is role metadata.

2. Business logic may need to be applied to the data retrieved from the IDMS, such as mapping the role definitions in the IDMS to a set of roles useful for a security policy management system. This transformation may select a subset of the IDMS roles, produce a superset of them, consolidate several IDMS roles into one, and so on.

3. A security policy management system typically exposes an interface for adding data to its repository. An integration tool needs to provide a security policy management system connector that can connect to the system and store data in its repository.

4.1.2 Integration with Tivoli Identity Manager

Tivoli Identity Manager is a market-leading, role-based provisioning solution that allows an organization to manage its provisioned entitlements in line with business policy.

The roles defined in Tivoli Identity Manager can be useful when defining policy in Tivoli Security Policy Manager. Consider a scenario where only a subset of the roles defined in Tivoli Identity Manager are appropriate for use in Tivoli Security Policy Manager. Business logic needs to be applied to define which roles should be exported from Tivoli Identity Manager into Tivoli Security Policy Manager.

IBM Tivoli Directory Integrator enables you to integrate data from different repositories in an easy and flexible way. Tivoli Directory Integrator provides a means of connecting to a range of IT systems to collect data, normalize it, and apply logic to transform the data into new forms. It provides a large set of software components, known as connectors, that allow it to interface with a wide range of IT systems.

Tivoli Directory Integrator could be used to map roles between Tivoli Identity Manager and Tivoli Security Policy Manager, as shown in Figure 4-2.

Figure 4-2 Integrating Tivoli Identity Manager with Tivoli Security Policy Manager for importing roles

The integration works as follows:

1. Tivoli Directory Integrator can interface with Tivoli Identity Manager to listen for updates to Tivoli Identity Manager roles through a change log connector.

2. Business logic can be defined in a Tivoli Directory Integrator AssemblyLine to map Tivoli Identity Manager roles to a set of roles appropriate for Tivoli Security Policy Manager.

3. Tivoli Directory Integrator can interface with Tivoli Security Policy Manager using the API discussed in 8.2, “Policy management API” on page 237 to import the new role definitions.
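The following is an added example, not code from this book or from any Tivoli product, illustrating the business-logic step that both 4.1.1 and 4.1.2 describe: change-log events from an identity management system are filtered to the subset of roles relevant for runtime authorization, several provisioning roles are consolidated into one policy role, and the result is written to a policy role repository. The change-log schema, the role names, the mapping table, and the in-memory PolicyRoleStore are all hypothetical stand-ins; a real AssemblyLine would read the change log through a connector and write through the policy management API. The one behaviour worth noticing is that a consolidated policy role is withdrawn only when its last backing IDMS role disappears, which is the mistake a naive one-to-one sync makes.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoleEvent:
    """One entry from an IDMS change log (constructed, hypothetical schema)."""
    op: str            # "add", "modify" or "delete"
    idms_role: str     # role name as defined in the identity management system
    enabled: bool = True


# Hypothetical business logic: which IDMS provisioning roles matter for runtime
# authorization, and the policy role each one maps to.  Several provisioning
# roles may consolidate into a single policy role.  Roles absent from the table
# are provisioning-only and are never exported to the policy manager.
ROLE_MAP = {
    "HR_Payroll_Admin":  "payroll-admin",
    "HR_Payroll_Clerk":  "payroll-user",
    "HR_Benefits_Clerk": "payroll-user",
}


@dataclass
class PolicyRoleStore:
    """Stand-in for the policy manager's role repository.

    roles maps each policy role to the set of IDMS roles currently backing it;
    skipped keeps the events that were ignored, for audit purposes.
    """
    roles: dict = field(default_factory=dict)
    skipped: list = field(default_factory=list)

    def upsert(self, policy_role, idms_role):
        self.roles.setdefault(policy_role, set()).add(idms_role)

    def withdraw(self, policy_role, idms_role):
        backing = self.roles.get(policy_role)
        if backing is None:
            return
        backing.discard(idms_role)
        if not backing:            # last backing IDMS role gone: drop the policy role
            del self.roles[policy_role]


def sync(events, store=None):
    """Apply IDMS change-log events to the policy role store and return it."""
    if store is None:
        store = PolicyRoleStore()
    for ev in events:
        target = ROLE_MAP.get(ev.idms_role)
        if target is None:                          # not relevant to authorization
            store.skipped.append(ev)
            continue
        if ev.op == "delete" or (ev.op == "modify" and not ev.enabled):
            store.withdraw(target, ev.idms_role)
        elif ev.op in ("add", "modify"):
            store.upsert(target, ev.idms_role)
        else:
            raise ValueError(f"unknown change-log operation: {ev.op!r}")
    return store


# Constructed change log for the example.
SAMPLE_EVENTS = [
    RoleEvent("add", "HR_Payroll_Admin"),
    RoleEvent("add", "HR_Payroll_Clerk"),
    RoleEvent("add", "HR_Benefits_Clerk"),
    RoleEvent("add", "Laptop_Standard"),                      # provisioning-only, skipped
    RoleEvent("delete", "HR_Payroll_Clerk"),                  # payroll-user stays, still backed
    RoleEvent("modify", "HR_Payroll_Admin", enabled=False),   # disabled role is withdrawn
]


def policy_roles(events=SAMPLE_EVENTS):
    """Sorted policy role names that exist after applying the events."""
    return sorted(sync(events).roles)


if __name__ == "__main__":
    store = sync(SAMPLE_EVENTS)
    for role, sources in sorted(store.roles.items()):
        print(role, sorted(sources))
    print("skipped:", [e.idms_role for e in store.skipped])
```

Running the sample leaves only payroll-user in the store, backed by HR_Benefits_Clerk alone: deleting HR_Payroll_Clerk did not remove the consolidated role, whereas disabling the sole source of payroll-admin did. The skipped list is what an auditor would want to see when asking why a provisioning role never reached the policy system.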

4.1.3 Integration with other identity management systems

Tivoli Security Policy Manager can use Tivoli Directory Integrator to interface with many different types of external systems. Patterns similar to the one outlined in 4.1.2, “Integration with Tivoli Identity Manager” on page 96 can be used if the identity management vendor provides a public interface that role data can be retrieved from using Tivoli Directory Integrator.