
Identity & Access Management: Real World Challenges & Solutions

[Your name], [Your Title], Microsoft Corporation

The Changing Role of IT Professionals

[Slide diagram: timeline from 2000 to 2006.]

2000: Lower TCO
NOS directory
Internet directory
Windows authentication
Meta-directory management

2006: Identity and Access (IDA)
Directory
Identity lifecycle
Information protection
SSO/federation
Strong authentication

IDA drivers: Compliance; Security and Privacy; Operational Efficiency; Business Enablement

Security
Protecting confidential information from improper distribution
Ensuring that only authorized users get network access

Business Enablement
Freeing up IT resources to focus on high business-value work
Creating new ways to connect with customers & partners

Compliance
Provisioning in accordance with company policies
Establishing auditable processes for granting access rights

Operational Efficiency
Automating, reducing and simplifying manual processes
Reducing the complexity of managing many identity stores

IDA Challenges

38% of users recycle passwords; 18% write them down

Helpdesk staff spend 1/3 of the day resetting passwords

Enterprises report forwarding of e-mails among their top three security breaches

On average, users are provisioned in 16 systems and de-provisioned in 10

What's Getting in the Way? Conventional Approaches

Multiple products with separate management, infrastructure, and connectors
Feature overlap across management and core infrastructure

[Slide diagram: User Provisioning, Strong Authentication, Access Management and Federated Identity each ship as a separate product with its own user experiences, infrastructure and connectors, and each duplicates user portals, designers, role management, reporting, a policy model, workflow, a configuration database and a developer model. Every product connects separately to the same identity stores and supported applications: directories, HR systems, ERP systems, databases, audit systems.]

Layers of an IDA solution: Extensibility; IDA Management Capabilities; User and Developer Experiences; Platform Components

Our Approach

Best of breed for Windows that extends to the enterprise

[Slide diagram: the same four layers, filled in with Microsoft products; partners span every layer.]
User & Developer Experiences: Microsoft Office; Windows; Web sites and portals; Visual Studio
IDA Management Capabilities: Identity Lifecycle Manager 2007
Platform Components: Active Directory & Microsoft Identity Integration Server; Active Directory Federation Services; Rights Management Services; Certificate Services
Extensibility: 20+ connectors; WS-*; BizTalk; .NET; Visual Studio; MIIS SDK

Microsoft's Offerings

A comprehensive set of IDA platform technologies and solution scenarios
Complemented by a broad international partner program

Microsoft Solution Focus Areas

Focus on 5 Solution Areas: Directory Services; Federated Identity/SSO; Information Protection; Identity Lifecycle Management; Strong Authentication

Directory Services

Active Directory

An ideal foundation: the world's most widely deployed directory service
Central authority for identity and access information
Full support for stand-alone, scalable LDAP directory operation

[Slide diagram: Active Directory at the hub, serving Windows clients, Windows servers, network devices (VPN & remote access, edge security), network resources (file shares, printers), Windows users, Office and SharePoint, 3rd-party applications, other systems (directories, databases, mainframes, UNIX) and Live Services (federated identity, security token services). The data it supplies to them: configuration, security and quarantine policies, quality of service, account information, privileges, profiles/policies, product and app-specific data, single sign-on, automated deployment.]

In Windows Server 2008

Security
Read-only Domain Controller
Better auditing and tracking functionality
Integration of latest encryption technologies

Standards & Globalization
Federation
Support for the latest standards (IPv6)
Addresses needs of wider audience (Asia)

Reliability
Simpler and more flexible deployment options
Service-based for easier management
Enhanced data integrity

Active Directory Summary

Business Benefits

A single place in the network to store and manage information about users, settings, and their privileges

Enables multiple types of security in your network

Important source of compliance & audit data

Partner Value Add

NetPro & Quest: Advanced directory management tools

Centrify & Quest: Extend AD to non-Windows platforms

Identity Lifecycle Management

[Slide diagram: the identity lifecycle.]

New User: User ID creation; Credential issuance; Entitlements
Change User: Entitlement changes; Promotions; Transfers; New entitlements
Help Desk: "Lost" credentials; Password reset; Self-service password kiosk
Retire User: Delete accounts; Remove entitlements
Reporting: Compliance; Audit; Security

User Experiences Today

Information Workers
Developers: Systems integration; Business rule development; Workflow, provisioning, etc.
IT Professionals: System architecture and deployment; System administration; Governance; Security policy

Day-to-day identity tasks: Resetting passwords and PINs; Managing group and DL membership; Managing resource access; Encoding and automating policy; Managing end user requests

Result: IT overloaded; Information workers frustrated; Inefficient operations

Microsoft Identity Lifecycle Manager 2007: roadmap

Previously: MIIS; CLM Beta
Today: Identity Lifecycle Manager 2007 (Identity synchronization; User provisioning; Certificate & smartcard management)
2H 2008: ILM "2" (Integrated user experiences; Spans user, credential, access and policy management; Built on a common foundation)

ILM "2" components: User management; Access management; Credential management; Policy management; Common platform (connectors, delegation, workflow, logging, web service API)

Identity Lifecycle Manager 2007

Certificate and Smart Card Management
Reduces cost of managing certificate-based credentials
Automates certificate issuance & revocation
Vastly simplifies deployment of smart cards

User Provisioning
Automates the process of on-boarding & off-boarding users
Simplifies compliance through automated IDA enforcement
Enforces consistent credentials across systems

Identity Synchronization
Provides single view of a user across enterprise systems
Keeps identity information consistent across systems
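The "IDA Challenges" slide above gives the number that makes synchronization and provisioning a security problem rather than a convenience: users are provisioned in 16 systems and de-provisioned in 10, so a departed employee keeps live accounts. The reconciliation step a metadirectory performs is shown here as an added example written for this page; it is not ILM or MIIS code. Everything in it is constructed: the Person/Account/Action types, the three systems named AD, CRM and Mainframe, and the sample records in SampleData. The join key is the employee ID that every connector is assumed to attribute its accounts to.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Person is the authoritative HR record; the employee ID is the join key
// the metadirectory uses to correlate accounts across connected systems.
type Person struct {
	ID     string
	Email  string
	Active bool
}

// Account is what a connector reads back from one connected system.
type Account struct {
	System  string
	OwnerID string // employee ID the account is attributed to
	Login   string
	Mail    string
}

// Action is one provisioning or deprovisioning step the engine must run.
type Action struct {
	System  string
	Op      string // "create", "update", "disable" or "orphan"
	OwnerID string
	Login   string
}

// Reconcile compares the HR source of truth with the accounts found in each
// connected system and returns the actions that bring the systems back in
// line: create for missing accounts, update for drifted attributes, disable
// for people HR says have left, orphan for accounts no one in HR owns.
func Reconcile(people []Person, accounts []Account, systems []string) []Action {
	byID := make(map[string]Person, len(people))
	for _, p := range people {
		byID[p.ID] = p
	}
	seen := make(map[string]map[string]bool) // system -> owner IDs present
	for _, s := range systems {
		seen[s] = map[string]bool{}
	}
	var actions []Action
	for _, a := range accounts {
		if seen[a.System] == nil {
			seen[a.System] = map[string]bool{}
		}
		seen[a.System][a.OwnerID] = true
		p, known := byID[a.OwnerID]
		switch {
		case !known:
			actions = append(actions, Action{a.System, "orphan", a.OwnerID, a.Login})
		case !p.Active:
			actions = append(actions, Action{a.System, "disable", a.OwnerID, a.Login})
		case !strings.EqualFold(p.Email, a.Mail):
			actions = append(actions, Action{a.System, "update", a.OwnerID, a.Login})
		}
	}
	for _, s := range systems {
		for _, p := range people {
			if p.Active && !seen[s][p.ID] {
				actions = append(actions, Action{s, "create", p.ID, ""})
			}
		}
	}
	sort.Slice(actions, func(i, j int) bool { // deterministic plan order
		if actions[i].System != actions[j].System {
			return actions[i].System < actions[j].System
		}
		if actions[i].Op != actions[j].Op {
			return actions[i].Op < actions[j].Op
		}
		return actions[i].OwnerID < actions[j].OwnerID
	})
	return actions
}

// CountOps summarises a plan by operation, e.g. to report how many accounts
// of a departed employee are still live before they are disabled.
func CountOps(actions []Action) map[string]int {
	counts := map[string]int{}
	for _, a := range actions {
		counts[a.Op]++
	}
	return counts
}

// SampleData is constructed for this example: three employees (Bob has left)
// and the accounts three connected systems currently hold.
func SampleData() ([]Person, []Account, []string) {
	people := []Person{
		{"e100", "alice@contoso.com", true},
		{"e101", "bob@contoso.com", false},
		{"e102", "carol@contoso.com", true},
	}
	accounts := []Account{
		{"AD", "e100", "alice", "alice@contoso.com"},
		{"AD", "e101", "bob", "bob@contoso.com"},
		{"CRM", "e100", "alice", "alice@oldname.com"}, // stale mail attribute
		{"CRM", "e103", "tempx", "temp@contoso.com"},  // no HR record at all
		{"Mainframe", "e101", "BOB01", "bob@contoso.com"},
	}
	return people, accounts, []string{"AD", "CRM", "Mainframe"}
}

func main() {
	people, accounts, systems := SampleData()
	for _, a := range Reconcile(people, accounts, systems) {
		fmt.Printf("%-9s %-7s %s %s\n", a.System, a.Op, a.OwnerID, a.Login)
	}
}
```

Two design choices matter for security: the plan is driven only from the HR record, so an account the HR feed no longer vouches for is flagged as an orphan rather than silently kept, and "disable" is emitted for every system where a departed user still has an account, which is exactly the 16-versus-10 gap the slide describes.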

Business Benefits

The ability to integrate a wide range of systems and applications into common business processes

Business process automation improves operational efficiency

Focus on automating business rules and processes facilitates compliance enforcement and reporting

Partner Value Add

Dot Net Factory, Omada, & Quest: Extending MIIS & connectors

M-Tech: Support for additional stores

BHOLD: Enterprise roles management

M-Tech & Courion: Password management

Lifecycle Management Summary

Information Protection

The Information Lifecycle

The Need for Information Protection

Legal & Regulatory Compliance
Increasing regulation: SOX, HIPAA, GLBA
Non-compliance can lead to significant legal fees, fines and/or settlements

Image & Credibility
Leaked e-mails can be damaging in many ways
Unintended forwarding of sensitive information can adversely impact the company's image and/or credibility

Financial Costs
Cost of digital leakage per year is measured in $ billions
Loss of revenue, market capitalization, and competitive advantage

The Information Workplace

[Slide diagram: information leaves the enterprise to independent consultants, partner organizations, home, mobile devices and USB drives.]

The flow of information has no boundaries
Information is shared, stored and accessed outside the control of its owner
Host and network security controls aren't the right tools to solve this problem

Solution: Protect the information itself
Retain the policy and protection as the information is 'in motion'

Rights Management Services

How RMS Works

[Slide diagram: an RMS server backed by Active Directory and SQL Server holds the policy; a protected file moves between users, a portal and an archive.]

Steps 1 to 3: protection and policy stay with the file at each hop.
Step 4: a portal stores the file in the clear, with its policy.
Step 5: the portal protects the file on access.
Step 6: an archive stores the file and its policy in the clear.

Rights Management Scenarios
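The point of the diagram above is that the policy travels with the content and an intermediary cannot quietly rewrite it. The mechanism that gives that property is shown here as an added example written for this page, not RMS code: the policy is kept in the clear so portals and archives can read it, but it is bound to the encrypted content as AEAD associated data, so any edit to it fails authentication. The Policy and ProtectedFile types, the AES-GCM construction, the constructed principals and the in-memory content key are all assumptions of the example; in RMS the content key is wrapped to the server and released only after the user is licensed, which the example does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

var (
	ErrTampered = errors.New("protected file: policy or content was altered")
	ErrDenied   = errors.New("protected file: right not granted to principal")
)

// Policy is the usage policy that travels with the file. It stays readable
// in the clear (a portal or archive can index it) but is bound to the
// ciphertext as AEAD associated data, so any change breaks the tag.
type Policy struct {
	Owner  string              `json:"owner"`
	Rights map[string][]string `json:"rights"` // principal -> granted rights
}

// ProtectedFile is the stored form: cleartext policy, nonce, sealed content.
type ProtectedFile struct {
	PolicyJSON []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewContentKey returns a fresh 256-bit content key. Holding it in memory is
// a simplification of the example; the real design wraps it to the server.
func NewContentKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect seals the content under key with the policy as associated data.
func Protect(key []byte, p Policy, plaintext []byte) (*ProtectedFile, error) {
	policyJSON, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ProtectedFile{
		PolicyJSON: policyJSON,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, policyJSON),
	}, nil
}

// Use opens the file for principal only if the authenticated policy grants
// the requested right. Authentication runs first, so the rights decision is
// never made on a policy an intermediary could have rewritten.
func Use(key []byte, f *ProtectedFile, principal, right string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, f.Nonce, f.Ciphertext, f.PolicyJSON)
	if err != nil {
		return nil, ErrTampered // policy bytes or ciphertext were modified
	}
	var p Policy
	if err := json.Unmarshal(f.PolicyJSON, &p); err != nil {
		return nil, ErrTampered
	}
	for _, r := range p.Rights[principal] {
		if r == right {
			return plaintext, nil
		}
	}
	for i := range plaintext { // never hand back content the policy denies
		plaintext[i] = 0
	}
	return nil, ErrDenied
}

func main() {
	key := NewContentKey()
	policy := Policy{Owner: "alice@contoso.com", Rights: map[string][]string{
		"alice@contoso.com": {"view", "edit", "forward"},
		"bob@contoso.com":   {"view"},
	}}
	f, _ := Protect(key, policy, []byte("Q3 forecast: confidential")) // constructed content
	_, err := Use(key, f, "bob@contoso.com", "forward")
	fmt.Println("bob forwarding:", err)
}
```

The order inside Use is the part worth copying: decrypt-and-authenticate first, then decide on rights from the policy that just authenticated. Checking the cleartext policy before opening the file would let a portal that "stores the file in the clear" grant itself rights it never had.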

Interoperability
RMS becomes a claims-aware application to support cross-company information protection
Supports existing SharePoint sites

Manageability
RMS becomes a Windows Server 2008 server role
Enhanced RMS MMC management experience
New RMS health model

Security
BitLocker support

In Windows Server 2008

Business Benefits

Reduces the financial, operational & corporate risk of 'data in motion'

Facilitates compliance with data privacy regulations

Lowers operational costs by protecting content electronically instead of requiring hardcopy protection approaches

The Role of Partners

Liquid Machines: PDF, Blackberry & CAD format support

Workshare: Content filtering & dynamic rights protection

Meridio & K2: Electronic Content Management

Information Protection Summary

Federated Identity/SSO

Scenario 1: Web SSO

[Slide diagram: a single resource realm. Users log in to ADFS, which authenticates against AD or ADAM; Application 1 and Application 2 (IIS 6 web servers) each run an ADFS agent that accepts the resulting token.]

Scenario 2: B2B Federation

[Slide diagram: an account realm and a resource realm, each with its own ADFS server and AD/ADAM store. The account-realm ADFS authenticates the user and issues claims; the resource-realm ADFS trusts those claims and the applications' agents authorize on them.]
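What the B2B scenario above changes is where the trust lives: the resource realm holds no accounts for partner users, only the partner's signing key, and every request arrives as a token it can verify. The exchange is shown here as an added example written for this page, not ADFS code or the WS-Federation wire format: a JSON token signed with ECDSA stands in for the signed SAML assertion, and sts.fabrikam.com, sts.contoso.com, the user names and the "role" claim are constructed. The checks in Validate (trusted issuer, signature, audience, expiry) are the ones any relying party must make regardless of token format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUntrustedIssuer = errors.New("token: issuer is not a federation partner")
	ErrBadSignature    = errors.New("token: signature does not verify")
	ErrWrongAudience   = errors.New("token: not issued for this realm")
	ErrExpired         = errors.New("token: expired")
)

// Token stands in for the signed assertion an account realm's STS issues.
type Token struct {
	Issuer   string            `json:"iss"`
	Audience string            `json:"aud"`
	Subject  string            `json:"sub"`
	Claims   map[string]string `json:"claims"`
	NotAfter int64             `json:"exp"` // Unix seconds
}

// SignedToken is the serialized token plus the issuer's signature over it.
type SignedToken struct {
	Body []byte
	Sig  []byte // ASN.1 ECDSA signature over SHA-256(Body)
}

// AccountSTS is the account realm's security token service.
type AccountSTS struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewAccountSTS(name string) (*AccountSTS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AccountSTS{Name: name, key: key}, nil
}

// PublicKey is exchanged once, out of band, when the partnership is set up.
func (s *AccountSTS) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// Issue mints a token for one of this realm's users, scoped to one partner.
func (s *AccountSTS) Issue(subject, audience string, claims map[string]string, now time.Time, ttl time.Duration) (*SignedToken, error) {
	body, err := json.Marshal(Token{Issuer: s.Name, Audience: audience, Subject: subject, Claims: claims, NotAfter: now.Add(ttl).Unix()})
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h[:])
	if err != nil {
		return nil, err
	}
	return &SignedToken{Body: body, Sig: sig}, nil
}

// ResourceSTS is the resource realm's federation server: no partner accounts,
// only the partners' signing keys.
type ResourceSTS struct {
	Name    string
	Trusted map[string]*ecdsa.PublicKey // issuer name -> signing key
}

func NewResourceSTS(name string) *ResourceSTS {
	return &ResourceSTS{Name: name, Trusted: map[string]*ecdsa.PublicKey{}}
}

// Trust records a partner's key: one-time setup instead of per-user synchronization.
func (r *ResourceSTS) Trust(issuer string, key *ecdsa.PublicKey) { r.Trusted[issuer] = key }

// Validate accepts a token only if its issuer is trusted, the signature verifies
// under that issuer's key, this realm is the audience and it has not expired.
// The issuer name is read from the unverified body only to select the key.
func (r *ResourceSTS) Validate(st *SignedToken, now time.Time) (*Token, error) {
	var t Token
	if err := json.Unmarshal(st.Body, &t); err != nil {
		return nil, ErrBadSignature
	}
	pub, ok := r.Trusted[t.Issuer]
	if !ok {
		return nil, ErrUntrustedIssuer
	}
	h := sha256.Sum256(st.Body)
	if !ecdsa.VerifyASN1(pub, h[:], st.Sig) {
		return nil, ErrBadSignature
	}
	if t.Audience != r.Name {
		return nil, ErrWrongAudience
	}
	if !now.Before(time.Unix(t.NotAfter, 0)) {
		return nil, ErrExpired
	}
	return &t, nil
}

func main() {
	fabrikam, _ := NewAccountSTS("sts.fabrikam.com") // account realm (constructed names)
	contoso := NewResourceSTS("sts.contoso.com")       // resource realm
	contoso.Trust(fabrikam.Name, fabrikam.PublicKey())
	now := time.Now()
	tok, _ := fabrikam.Issue("alice@fabrikam.com", contoso.Name, map[string]string{"role": "purchaser"}, now, 10*time.Minute)
	t, err := contoso.Validate(tok, now)
	fmt.Println(t.Subject, t.Claims["role"], err)
}
```

The audience check is the one most often skipped: without it a token Fabrikam issued for a third partner replays cleanly against Contoso, because the signature is equally valid there.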

Collaboration
RMS becomes a claims-aware application
SharePoint becomes a claims-aware application

Manageability
Simplified deployments via native platform integration
Stronger administrative controls
Better administrator information systems

ADFS 2 (release TBD)
Will use the full WS-* stack (e.g. WS-Federation, WS-Trust)
Active versus passive client-side operation
Security Token Service supporting WS-Trust token operations

In Windows Server 2008

Business Benefits

Enables new models for cross-company single sign-on systems

Facilitates single-sign on across Windows and non-Windows environments

Reduces the risk of unauthorized access by eliminating the need for cross-company synchronization of user and rights information

Partner Value Add

Centrify & Quest: Multi-platform support

Federated Identity/SSO Summary

Strong Authentication

Certificate Services

A full-featured certificate authority that is part of Windows Server
Enables scenarios such as smart cards, IPSec, VPN, e-mail signing & secure wireless networking
Integrates fully with Identity Lifecycle Manager 2007

[Slide diagram: the trusted environment. A Certificate Server publishes certificate templates through Active Directory; client computers, VPN clients and wireless clients enroll, then authenticate to the RAS/VPN server, the IAS/RADIUS server and wireless access points or switches with those certificates.]

Certificate Lifecycle Management in ILM

Single administration point for digital certificates and smart cards
Configurable policy-based workflows for common tasks: enroll/renew/update; recover/card replacement; revoke; retire/disable smart card; issue temporary/duplicate smart card; personalize smart card
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services
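The enroll and revoke workflows listed above only deliver strong authentication if the relying party (the RADIUS or VPN server in the diagram) actually checks three things at logon: the certificate chains to the enterprise CA and is within its validity period, it has not been revoked, and the client proves it holds the matching private key by signing a fresh challenge. That check, with a minimal issuing CA to exercise it, is shown here as an added example written for this page, not Windows Certificate Services or ILM code. The CA type, the in-memory revocation set standing in for a CRL, the "Contoso Issuing CA" name and the user keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrRevoked = errors.New("certificate has been revoked")
	ErrNoProof = errors.New("client did not prove possession of the private key")
)

// CA is a minimal enterprise issuing CA with an in-memory revocation set
// (a stand-in for the CRL a real CA publishes).
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool // serial number -> revoked
	serial  int64
}

// NewUserKey models the key pair generated on a user's smart card.
func NewUserKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func NewCA(name string, now time.Time) (*CA, error) {
	key := NewUserKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key, revoked: map[string]bool{}, serial: 1}, nil
}

// Enroll plays the smart card logon template: a client-auth certificate
// bound to the user's public key, valid for ttl.
func (ca *CA) Enroll(user string, pub *ecdsa.PublicKey, now time.Time, ttl time.Duration) (*x509.Certificate, error) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: user},
		NotBefore: now, NotAfter: now.Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke is what the lifecycle workflow calls for a lost card or a leaver.
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// SignChallenge is the client side: the card signs the server's nonce.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authenticate is the relying party's logon check: chain and validity period,
// then revocation, then proof of possession over this session's challenge.
func (ca *CA) Authenticate(cert *x509.Certificate, challenge, sig []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return "", ErrRevoked
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", ErrNoProof
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, _ := NewCA("Contoso Issuing CA", now) // constructed CA name
	alice := NewUserKey()
	cert, _ := ca.Enroll("alice@contoso.com", &alice.PublicKey, now, 8*time.Hour)
	challenge := []byte("nonce-4711") // the server's per-session nonce
	sig, _ := SignChallenge(alice, challenge)
	fmt.Println(ca.Authenticate(cert, challenge, sig, now))
}
```

A certificate alone is public information; it is the signature over a server-chosen nonce that turns possession of the card into authentication, and the revocation check is what makes the "lost card" workflow above take effect before the certificate expires on its own.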

Security
Leading-edge cryptographic support (CNG)
Improved operational security for Certificate Services
More flexible and secure certificates

Interoperability
Employs latest industry standards

Manageability
Simple and more flexible Certificate Services deployments
Consolidated & globalized management tools
Improved monitoring & reporting framework
Granular control over 3rd-party certificates

In Windows Server 2008

Partner Value Add

Gemalto & Aladdin: Smart cards and tokens

nCipher: Hardware security modules

Business Benefits

Significantly improves the core security of your network

Improves operational efficiency via features such as auto enrollment

Reduces costs via being delivered in the Windows Server operating system

Strong Authentication Summary

Achieving Success

Two Alternatives

Option 1: All at once
Target connecting everything at once
De-prioritize infrastructure, data, and process rationalization

Option 2: Step-wise approach
Start with the directory and metadirectory basics
Create a basic lifecycle solution and then build incrementally on it
Prioritize strong authentication, federation, and information protection

Infrastructure Optimization Model

Basic (22%): Uncoordinated, manual infrastructure; knowledge not captured. Cost center.
Standardized (60%): Managed IT infrastructure with limited automation and knowledge capture. More efficient cost center.
Rationalized (5%): Managed and consolidated IT infrastructure with extensive automation. Business enabler.
Dynamic (3%): Fully automated management; knowledge capture and use automated. Strategic asset.

IDA Optimization Model

Basic (cost center)
Directory: Multiple login points to resources
Lifecycle: No formal lifecycle processes
Info Protection: Physical protection
Federated Identity: Multiple user IDs
Strong Authentication: User IDs and password

Standardized (more efficient cost center)
Directory: A primary directory used to authenticate users to Windows applications
Lifecycle: Directory data & workflow process standardization
Info Protection: Encryption-protected content
Federated Identity: One user ID & password for all extranet applications
Strong Authentication: Strong password policy enforcement

Rationalized (business enabler)
Directory: Employee authentication extended outside the enterprise
Lifecycle: Metadirectory used to keep information synchronized
Info Protection: Enterprise Rights Management (ERM) & mobile devices
Federated Identity: Federated trust used instead of extranet user ID & password
Strong Authentication: Multi-factor authentication used for high-risk scenarios

Dynamic (strategic asset)
Directory: A primary directory used to authenticate users to non-Windows apps
Lifecycle: Identity lifecycles managed via policies & workflow
Info Protection: Policy-based ERM across partners & customers
Federated Identity: Federated trust applied to web services
Strong Authentication: Multi-factor authentication used for all corporate applications & users

Progress Is Incremental

[Slide diagram: the same five rows (Directory, Lifecycle, Information Protection, Strong Authentication, Federated Identity) across the Basic, Standardized, Rationalized and Dynamic stages.]

Summary

Changing The Equation

[Slide chart (IDC data): total IDA spending split into IT staff, software and services, cost against ROI.]

Less spending on specialized infrastructure
Higher end-user productivity
IT staff focused more on business enablement
Lower spending on services

[Slide diagram: product timeline.]

Windows 2000: Active Directory; Windows Certificate Services; Microsoft Metadirectory Server
Windows 2003: Deployability and manageability enhancements; Windows Authorization Manager; Microsoft Identity Integration Server (MIIS); Windows Rights Management Services
Windows 2003 R2: Active Directory Federation Services; Active Directory Application Mode
Windows Vista: Windows Communication Foundation; Windows CardSpace; Improved smart card usability
LHS wave: Identity Lifecycle Manager 2007; ILM "2"; RMS, CS, DS enhancements; ADFS 2

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.