Low-Cost Identity Management

This book is written for security and IT practitioners in end-user enterprises and organisations, in particular the architects responsible for implementing an enterprise-wide Identity and Access Management (IAM) system. It is neither a conceptual treatment of identity (for that we recommend Kim Cameron's well-known Laws of Identity) nor a detailed technical manual for any particular product. It describes, from the authors' own experience, a disciplined and economical architectural approach to implementing IAM inside an enterprise.

In early 2009 we built an IAM system for a large, well-known Australian financial services company using a non-traditional approach. Although that system has not yet reached its intended target state, we have achieved some important results, and we believe our experience will be valuable to other organisations considering something similar. There is little publicly available knowledge about the practice of identity management, so we are glad to contribute ours. Most of what we describe here is what we have actually implemented or verified. Some of it refers to designs we produced to meet our next set of requirements, and some reflects hindsight, that is, how the architecture should have been designed as seen after implementation. We have distilled these insights into an architectural approach we call LIMA.

Our background and experience are mainly in Java technology, so organisations that use Java will probably benefit most from our recommendations, but we firmly believe the general principles apply equally to other technology platforms. As with any advice offered unsolicited, readers should exercise caution. We offer no warranty or guarantee, expressed or implied. Readers must apply common sense and sound design judgement when building solutions on this approach.

Free Download

Download the book for free

Table of Contents

ACKNOWLEDGEMENTS

INTENDED AUDIENCE

COVER ILLUSTRATION

OVERVIEW – CHARACTERISTICS OF LIMA AT A GLANCE

INTRODUCTION

THE MODERN ENTERPRISE – A REALITY CHECK

SO YOU THINK YOU'RE GOING TO CHANGE THE WORLD

WHO'S YOUR SUGAR DADDY? FUNDING MODELS THAT WORK

FIRST THINGS FIRST – OBJECTIVES OF IDENTITY AND ACCESS MANAGEMENT

THE TROUBLE WITH BRAND-NAME PRODUCTS

MISCONCEPTIONS ABOUT SECURITY

AUDITORS, SECURITY AND WORDS OF WISDOM

INTRODUCING LIMA – A DIFFERENT ARCHITECTURE FOR IAM

LOOSE COUPLING – A FIRM FOUNDATION FOR IAM

SNEAK PREVIEW – WHAT A LIMA IMPLEMENTATION LOOKS LIKE

ACCESS MANAGEMENT, LIMA-STYLE

ACCESS MANAGEMENT CONCEPTS

HOW SINGLE SIGN-ON WORKS

THE BEST THINGS IN LIFE (AND IN IAM) ARE FREE

CENTRAL AUTHENTICATION SERVICE AND THE CAS PROTOCOL

SHIBBOLETH'S FEDERATED IDENTITY MODEL

CAS SERVER CONFIGURATION AND THE “TWO-LAYER PROTOCOL ARCHITECTURE”

ENHANCING ACCESS MANAGEMENT FUNCTIONALITY INCREMENTALLY

EXTENSION CASE STUDY 1: LAN SSO INTEGRATION WITH SPNEGO

EXTENSION CASE STUDY 2: TWO-FACTOR AUTHENTICATION WITH SMS ONE-TIME TOKENS

EXTENSION CASE STUDY 3: FEDERATED IDENTITY WITH SAML TOKENS

LIMITS TO THE TWO-LAYER PROTOCOL ARCHITECTURE

MISCELLANEOUS TOPICS IN ACCESS MANAGEMENT

PROTECTING NON-WEB APPLICATIONS

IMPLEMENTING “SINGLE SIGN-OUT”

IAM AND CLOUD COMPUTING

WHAT DO WE DO WITH ACTIVE DIRECTORY?

TAILORING COARSE-GRAINED ACCESS CONTROL

USING CAS TO CENTRALISE ENFORCEMENT OF AUTHORISATION RULES

USING A REVERSE-PROXY DEVICE AS A COMMON INTERCEPTOR

ACCESS MANAGEMENT FOR “PORTAL” APPLICATIONS

IDENTITY MANAGEMENT, LIMA-STYLE

IDENTITY MANAGEMENT CONCEPTS

SEPARATING CHURCH AND STATE – THE ROLES OF DIRECTORY AND DATABASE

DESIGNING THE IAM DIRECTORY

USER UUID – THE ONE RING TO RULE THEM ALL

DECOUPLING AUTHENTICATION, COARSE-GRAINED AND FINE-GRAINED AUTHORISATION REALMS

PERSON UUID – THE ULTIMATE IDENTITY REFERENCE

DATA REPLICATION AND MASTER DATA MANAGEMENT

DESIGNING THE IAM DATABASE

REST EASY WITH REST SERVICES

IAM REST SERVICE INTERFACE AT A GLANCE

AUTOMATED USER PROVISIONING – INVOCATION OF REST SERVICES

USER ADMINISTRATION

IAM, PROTECT THYSELF

PROVISIONING USERS TO DOWNSTREAM SYSTEMS

DESIGNING USER PROVISIONING MESSAGES

IMPLEMENTING LIMA

TRANSITIONING TO THE TARGET STATE

HARMONISING DATA

MANAGING SSO REALMS

MANUAL PROVISIONING

THE BAU OF IAM – A “COOKIE-CUTTER” IMPLEMENTATION

DEVELOPMENT TASKS

PROVISIONING TASKS

CONCLUSION

APPENDIX A – TYPICAL SECURITY REQUIREMENTS FROM AN IAM SYSTEM

APPENDIX B – MAPPING THE LIMA DESIGN TO THE OASIS MODEL OF IAM

APPENDIX C – SPECIAL CASE EXAMPLE 1 (MULTIPLEXING USER IDS)

APPENDIX D – SPECIAL CASE EXAMPLE 2 (RESETTING LAN PASSWORDS)

APPENDIX E – A SAMPLE PHASED ROLL-OUT PLAN
