TRANSCRIPT
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
How to use Identity Management to be MORE productive?
Robert Jones, Identity and RMS Architect
RMS Requires Identity Assurance to ensure security
• Identity Management is core to deploying highly secure applications like RMS
[Diagram: Identity and Access Solutions Framework. Inputs: People, Information, Resources, Business Policies, Workflow, Regulations, Voice, Portals. Credentials and Users & Devices pass through Security (Deny) and Identity (Grant) controls to Permissions & Access with Policies, backed by Security Policies & Auditing and Directory services. Common Services: Federated Identity, Information Protection, Strong Authentication, Identity Lifecycle Management.]
Identity Lifecycle Manager Synchronisation Services
Company (B2E), Partners (B2B), Customers (B2C)
Mobility
Islands of Applications has led to islands of identities
[Chart: number of digital IDs against time, pre-1980s to 2000s: Mainframe, Client Server, Internet, Applications, Business Automation]
What is Identity Management?
• A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.
• Directory Services: repositories for storing and managing accounts, identity information, and security credentials.
• Identity, Access Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance. Authenticated credentials should control access to apps and networked resources based on trust and identity.
• Federation: the processes of projecting your login credentials to gain access to resources not owned and controlled by your domain/organisation.
The ID Lifecycle
• New User: user ID creation, credential issuance, access rights
• Account Changes: promotions, transfers, new privileges, attribute changes
• Password Mgmt: strong passwords, "lost" password, password reset
• Retire User: delete/freeze accounts, delete/freeze entitlements
• Synchronize Identity: extend lifecycle information across all identity stores
• Entitlement Reporting: audit/log any ILM changes, keep track of entitlements
Identity Aggregation
• Data consistency across multiple repositories
• “Agentless” connection to other systems
• Provides attribute-level control
• Manage global address lists (GAL)
• Automate group and DL management
[Diagram: MIIS synchronising identities between Exchange 5.5, Active Directory, Notes, iPlanet and Oracle/SQL]
Available Connectors (MIIS):
● Active Directory & Active Directory Application Mode
● Computer Associates ACF2
● IBM DB2, Lotus Domino 5.x/6.x, Tivoli Directory Server, RACF
● Microsoft SQL 2000, SQL 7
● Novell eDirectory
● Oracle 8i/9i
● Microsoft Exchange 5.5, 2000, 2003
● Microsoft NT 4.x
● Sun/iPlanet/Netscape Directory
● Various flat-file formats: DSML, LDIF, CSV, fixed width
● SAP, PeopleSoft
● CA-ACF2
● CA-TopSecret
● IBM OS/400
Identity Lifecycle Manager Certificate Services
Alacris Acquisition
[Diagram: Identity and access, Secure collaboration, Credential Management, Certificates]
Business Scenarios - Driving use of digital certificates
• Virtual private networks (VPNs) and secure wireless access enable secure and cost-effective network access
• Network access protection (NAP) protects networks from unhealthy PCs
• Encryption with central key archival ensures encrypted content is recoverable
• Strong authentication and smart cards reduce password management costs
CLM Architecture
Logical Architecture: End User, Microsoft CLM Server, Microsoft CAs, Active Directory, SQL Server, E-mail Server, Other Services
Physical Architecture: Microsoft Certificate Authority with the CLM Policy Module and CLM Exit Module; Internet Information Server hosting the CLM Web App with CLM AD Integration; Internet Explorer with the CLM Browser Control and Smart Card Middleware; PKI Features; Policy
Information Protection
Information Protection with Windows Rights Management Services
[Diagram: a firewall perimeter and an access control list perimeter separate authorized users (Yes) from unauthorized users (No); once an authorized user has the information, leakage to unauthorized users is still possible]
Traditional solutions control initial access... RMS addresses ongoing information usage
Safeguard Sensitive Information with RMS
Protect e-mail, documents, and Web content
Secure Intranets (IE w/RMA, Windows RMS)
• Users without Office 2003 can view rights-protected files
• Enforces assigned rights: view, print, export, copy/paste & time-based expiration
Secure Documents (Office 2003 and 2007 (Word, PowerPoint, Excel, InfoPath), SharePoint Server 2007, Windows RMS)
• Control access to sensitive info
• Set access level - view, change, print...
• Determine length of access
• Automatically apply usage policies to document libraries
• Log and audit who has accessed rights-protected information
Secure Emails (Outlook 2003 and 2007, Windows RMS)
• Keep corporate e-mail off the Internet
• Prevent forwarding of confidential information
• Templates to centrally manage policies
Overview of RMS components
RMS Client
• RMS Lockbox
• Client API
• Templates (XML copy)
RMS Server
• Certification
• Licensing
• Templates
Active Directory
• Authentication
• Service Discovery
• Group Membership
SQL Server
• Configuration data
• Logging
• Cache
RMS-enabled Client and Server Applications
Example: Rights-Protected Document - Word, Excel, or PowerPoint 2003 Pro
Publishing License (created when the file is protected)
• Rights info with e-mail addresses - encrypted with the server's public key
• Content Key - encrypted with the server's public key
The Content of the File (text, pictures, metadata, etc.)
• Encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key
End User Licenses (only added to the file after the server licenses a user to open it)
• Content Key (big random number) - encrypted with the user's public key
• Rights for a particular user - encrypted with the user's public key
NOTE: Outlook e-mail EULs are stored in the local user profile directory
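To make the three pieces above concrete, here is an added example (not Microsoft's code and not the real XrML license format) that models the flow in Go: the body is encrypted under a random 128-bit AES content key, the publishing license seals the rights info and content key to the server's public key, and the server issues an end user license only to a user named in the rights info by re-sealing the key to that user's public key. AES-GCM, RSA-OAEP, locally generated RSA key pairs and the names PublishingLicense, EndUserLicense, Protect, IssueEUL and Consume are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed model of the slide's structure (not the real XrML format). PL: rights info plus the content key, sealed to the server's public key.
type PublishingLicense struct {
	Rights    map[string]string // e-mail address -> rights granted, e.g. "view,print"
	SealedKey []byte            // 128-bit content key encrypted with the server's public key
}
// End User License: the content key plus one user's rights, sealed to that user's public key.
type EndUserLicense struct{ Rights string; SealedKey []byte }
// NewKey stands in for the server's and each user's RSA key pair (an assumption; in RMS these
// come from the certification service). seal/open use RSA-OAEP, also an assumption.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func seal(pub *rsa.PublicKey, k []byte) ([]byte, error) { return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil) }
func open(priv *rsa.PrivateKey, b []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, b, nil) }
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// Protect (author side): random 128-bit content key, body encrypted under it (AES-GCM is an
// assumption; the slide says only 128-bit AES) with the nonce prefixed, PL built at the same time.
func Protect(body []byte, rights map[string]string, server *rsa.PublicKey) ([]byte, PublishingLicense, error) {
	key, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	sealed, err := seal(server, key)
	return aead(key).Seal(nonce, nonce, body, nil), PublishingLicense{rights, sealed}, err
}

// IssueEUL (server side): only the server's private key opens the PL, and a EUL is issued
// only to a user named in the rights info, with the key re-sealed to that user's public key.
func IssueEUL(pl PublishingLicense, server *rsa.PrivateKey, email string, user *rsa.PublicKey) (EndUserLicense, error) {
	rights, ok := pl.Rights[email]
	if !ok { return EndUserLicense{}, errors.New("user not named in rights info") }
	key, err := open(server, pl.SealedKey)
	if err != nil { return EndUserLicense{}, err }
	sealed, err := seal(user, key)
	return EndUserLicense{rights, sealed}, err
}

// Consume (client side): open the EUL with the user's private key, then decrypt the body.
func Consume(ct []byte, eul EndUserLicense, user *rsa.PrivateKey) ([]byte, error) {
	key, err := open(user, eul.SealedKey)
	if err != nil || len(ct) < 12 { return nil, errors.New("cannot open EUL or ciphertext too short") }
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}
```

The server never hands out the content key in the clear: a user not named in the rights info gets no EUL, and a EUL sealed to one user's key is useless to another.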
[Diagram: The information lifecycle, with stages Create, Store, Access, Roam, Share and Retire. Labels around the stages: Author, Generate, Annotate, Edit; Archive, Recovery, Delete, Revoke, Expiry; Home, Enterprise, Mobile, Cloud, PC, USB drive, Peer-to-peer; Workflow, Instant messaging, Cloud workspace; Search, Display, Memory, Network, Hard disk, Hosted storage]
SharePoint and RMS
• Documents can be stored encrypted or unencrypted on the server
• Recommendations are:
  • Store documents unencrypted
  • Unencrypted documents can be searched
  • Let SharePoint encrypt documents on retrieval
• Using SharePoint ensures the use and adoption of RMS
• Enhances the SharePoint proposition
• Education of users is still required
What is Microsoft Forefront?
• Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.
[Diagram: Forefront product line covering Edge, Client and Server OS, and Server Applications]
Next steps
• Receive the latest Security news, sign up for the:
  • Microsoft Security Newsletter
  • Microsoft Security Notification Service
• Assess your current IT security environment
  • Download the free Microsoft Security Assessment Tool
• Find all your security resources here http://www.microsoft.com/uk/security/infosec2008
Session Evaluation
• Hand in your session evaluation on your way out
• Win one of 2 Xbox 360® Elites in our free prize draw*
• Winners will be drawn at 3.30 today
• Collect your goody bag, which includes:
  • Windows Vista Business (Upgrade)
  • Forefront Trials
  • Forefront Hands-On Labs
  • Security Resources CD
• I'll be at the back of the room if you have any questions
* Terms and conditions apply, alternative free entry route available.