
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. How to use Identity Management to be MORE productive? Robert Jones, Identity and RMS Architect


Page 1

How to use Identity Management to be MORE productive?

Robert Jones, Identity and RMS Architect

Page 2

RMS Requires Identity Assurance to ensure security

• Identity Management is core to deploying highly secure applications like RMS

Diagram labels: People, Information, Resources, Business Policies, Workflow, Regulations, Email, Voice, Portals, Permissions & Access with Policies, Credentials, Users & Devices, Security (Deny), Identity (Grant), Security Policies & Auditing

Page 3

Identity and Access Solutions Framework

Components: Directory services, Common Services, Federated Identity, Information Protection, Strong Authentication, Identity Lifecycle Management

Page 4

Identity Lifecycle Manager Synchronisation Services

Page 5

Islands of Applications - Has led to islands of identities

Chart: # of Digital IDs (vertical axis) against Time (horizontal axis), from Pre 1980's through the 1980's, 1990's and 2000's. Eras labelled Mainframe, Client Server, Internet Applications, Business Automation; identity populations labelled Company (B2E), Partners (B2B), Customers (B2C), Mobility.

Page 6

What is Identity Management?

• A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.

• Directory Services: Repositories for storing and managing accounts, identity information, and security credentials.

• Identity and Access Lifecycle Management: The processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance. Authenticated credentials should control access to apps and networked resources based on trust and identity.

• Federation: The processes of projecting your login credentials to gain access to resources not owned and controlled by your domain/organisation.

Page 7

The ID Lifecycle

• New User: User ID Creation, Credential Issuance, Access Rights

• Account Changes: Promotions, Transfers, New Privileges, Attribute Changes

• Password Mgmt: Strong Passwords, "Lost" Password, Password Reset

• Retire User: Delete/Freeze Accounts, Delete/Freeze Entitlements

• Synchronize Identity: Extend lifecycle information across all identity stores

• Entitlement Reporting: Audit/log any ILM changes, Keep track of Entitlements

Page 8

Identity Aggregation

• Data consistency across multiple repositories

• “Agentless” connection to other systems

• Provides attribute-level control

• Manage global address lists (GAL)

• Automate group and DL management

Connected systems shown: Exchange 5.5, Active Directory, Notes, iPlanet, Oracle, SQL

Page 9

Available Connectors (MIIS):

● Active Directory & Active Directory Application Mode
● Computer Associates ACF2
● IBM DB2, Lotus Domino 5.x/6.x, Tivoli Directory Server, RACF
● Microsoft SQL 2000, SQL 7
● Novell eDirectory
● Oracle 8i/9i
● Microsoft Exchange 5.5, 2000, 2003
● Microsoft NT 4.x
● Sun/iPlanet/Netscape Directory
● Various flat-file formats: DSML, LDIF, CSV, fixed width
● SAP, PeopleSoft
● CA-ACF2
● CA-TopSecret
● IBM OS/400

Page 10

Identity Lifecycle Manager Certificate Services

Page 11

Alacris Acquisition

Page 12

Diagram labels: Identity and access, Secure collaboration, Credential Management, Certificates

Page 13

Business Scenarios - Driving use of digital certificates

Virtual private networks (VPNs) and secure wireless access enable secure and cost-effective network access

Network access protection (NAP) protects networks from unhealthy PCs

Encryption with central key archival ensures encrypted content is recoverable

Strong authentication and smart cards reduce password management costs

Page 14

CLM Architecture

Logical Architecture: Microsoft CLM Server, Microsoft CAs, End User, and Other Services (SQL Server, Active Directory, E-mail Server)

Physical Architecture: Microsoft Certificate Authority, CLM Policy Module, CLM Exit Module, Internet Explorer, CLM AD Integration, CLM Web App, Internet Information Server, CLM Browser Control, Smart Card Middleware

Page 15

PKI Features

Policy

Page 16

Information Protection

Page 17

Information Protection with Windows Rights Management Services

Diagram: Traditional solutions control initial access. A Firewall Perimeter and an Access Control List Perimeter answer Yes for Authorized Users and No for Unauthorized Users, yet Information Leakage still reaches Unauthorized Users. …RMS addresses ongoing information usage.

Page 18

Safeguard Sensitive Information with RMS: Protect e-mail, documents, and Web content

Secure Intranets (IE w/RMA, Windows RMS)

• Users without Office 2003 can view rights-protected files

• Enforces assigned rights: view, print, export, copy/paste & time-based expiration

Secure Documents (Office 2003 and 2007: Word, PowerPoint, Excel, InfoPath; SharePoint Server 2007; Windows RMS)

• Control access to sensitive info

• Set access level - view, change, print...

• Determine length of access

• Automatically apply usage policies to document libraries

• Log and audit who has accessed rights-protected information

Secure Emails (Outlook 2003 and 2007, Windows RMS)

• Keep corporate e-mail off the Internet

• Prevent forwarding of confidential information

• Templates to centrally manage policies

Page 19

Overview of RMS components

• RMS Client: RMS Lockbox, Client API, Templates (XML Copy)

• RMS Server: Certification, Licensing, Templates

• Active Directory: Authentication, Service Discovery, Group Membership

• SQL Server: Configuration data, Logging, Cache

• RMS-enabled Client and Server Applications

Page 20

Example: Rights-Protected Document - Word, Excel, or PowerPoint 2003 Pro

• Publishing License: Rights Info w/ email addresses + Content Key. Encrypted with the server's public key. Created when the file is protected.

• The Content of the File (Text, Pictures, metadata, etc): Encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key.

• End User Licenses: Content Key (big random number) + Rights for a particular user. Encrypted with the user's public key. Only added to the file after the server licenses a user to open it.

NOTE: Outlook e-mail EULs are stored in the local user profile directory.
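The slide's layout as working code, added here and not taken from the deck or from Microsoft's RMS implementation: a random 128-bit AES content key encrypts the content, the publishing license carries that key and the rights list sealed to the server's public key, and an end user license exists only once the server has checked the requesting address against the rights list. AES-GCM, RSA-OAEP with RSA-2048, the comma-separated rights encoding and the example addresses are assumptions, and the rights list is kept short enough to fit in a single RSA-OAEP block.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"strings"
)

// Protected mirrors the slide: AES-encrypted content plus a publishing license sealed to the server.
type Protected struct {
	Nonce, Ciphertext, PublishingLicense []byte
}
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // size is an assumption
// Protect is the authoring step. GCM is an assumption; the slide says only "128-bit AES".
func Protect(server *rsa.PublicKey, emails []string, content []byte) (*Protected, error) {
	buf := make([]byte, 28) // 16-byte "big random number" content key + 12-byte GCM nonce
	rand.Read(buf)          // crypto/rand is documented never to return a short read
	key, nonce := buf[:16], buf[16:]
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 16 bytes
	gcm, _ := cipher.NewGCM(block)
	pl := append(append([]byte{}, key...), strings.Join(emails, ",")...) // key, then rights list
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, pl, nil)
	if err != nil { return nil, err }
	return &Protected{nonce, gcm.Seal(nil, nonce, content, nil), sealed}, nil
}
// IssueEUL is the server step: open the publishing license, refuse addresses not in the rights list,
// and return the content key sealed to the user's public key, i.e. that user's end user license.
func IssueEUL(server *rsa.PrivateKey, user *rsa.PublicKey, email string, p *Protected) ([]byte, error) {
	pl, err := rsa.DecryptOAEP(sha256.New(), nil, server, p.PublishingLicense, nil)
	if err != nil { return nil, err }
	for _, granted := range strings.Split(string(pl[16:]), ",") {
		if granted == email {
			return rsa.EncryptOAEP(sha256.New(), rand.Reader, user, pl[:16], nil)
		}
	}
	return nil, errors.New("user has no rights to this content")
}
// Open is the client step: unwrap the content key from the user's EUL and decrypt the content.
func Open(user *rsa.PrivateKey, eul []byte, p *Protected) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, user, eul, nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(key) // an EUL that unwraps to a wrong-length key fails here
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, p.Nonce, p.Ciphertext, nil)
}
```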

Pages 21 to 23: no slide text

Page 24

The information lifecycle

Stages: Store, Create, Access, Roam, Share, Retire

Diagram labels: Author, Generate, Annotate, Edit; Archive, Recovery; Delete, Revoke, Expiry; Home, Enterprise, Mobile, Cloud, PC; USB drive, Peer-to-peer, Workflow, Instant messaging, Cloud workspace, E-mail; Search, Print, Display; Memory, Network, Hard disk, USB drive, Hosted storage

Page 25

SharePoint and RMS

• Documents can be stored encrypted or non-encrypted on the server

• Recommendations are:
  • Store documents non-encrypted
  • Non-encrypted documents can be searched
  • Let SharePoint encrypt documents on retrieval

• Using SharePoint ensures the use and adoption of RMS

• Enhances the SharePoint proposition

• Education of users is still required

Page 26

What is Microsoft Forefront?

• Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.

Product areas: Edge, Client and Server OS, Server Applications

Page 27

Next steps

• Receive the latest Security news: sign up for the Microsoft Security Newsletter and the Microsoft Security Notification Service

• Assess your current IT security environment: download the free Microsoft Security Assessment Tool

• Find all your security resources here: http://www.microsoft.com/uk/security/infosec2008

Page 28

Session Evaluation

• Hand in your session evaluation on your way out

• Win one of 2 Xbox 360® Elites in our free prize draw*

• Winners will be drawn at 3.30 today

• Collect your goody bag, which includes: Windows Vista Business (Upgrade), Forefront Trials, Forefront Hands-On Labs, Security Resources CD

• I'll be at the back of the room if you have any questions

* Terms and conditions apply, alternative free entry route available.