Identity & Access Management: Real World Challenges & Solutions
[Your name], [Your Title], Microsoft Corporation
The Changing Role of IT Professionals
[Timeline figure]
2000 (Lower TCO): NOS Directory, Internet Directory, Authentication, Windows Management, Metadirectory
2006 (IDA: Compliance, Security and Privacy, Operational Efficiency, Business Enablement): Identity Lifecycle, Information Protection, SSO/Federation, Strong Auth, Directory
Security
Protecting confidential information from improper distribution
Ensuring that only authorized users get network access
Business Enablement
Freeing up IT resources to focus on high business-value work
Creating new ways to connect with customers & partners
Compliance
Provisioning in accordance with company policies
Establishing auditable processes for granting access rights
Operational Efficiency
Automating, reducing and simplifying manual processes
Reducing the complexity of managing many identity stores
IDA Challenges
38% of users recycle passwords; 18% write them down
Helpdesk staff spend 1/3 of the day resetting passwords
Enterprises report forwarding of e-mails among their top three security breaches
On average, users are provisioned in 16 systems and de-provisioned in 10
What’s Getting in the Way?
Multiple products with separate management, infrastructure, and connectors
Feature overlap across management and core infrastructure
Conventional Approaches
[Figure] Separate products for User Provisioning, Strong Authentication, Access Management and Federated Identity, each with its own User Experiences, Infrastructure and Connectors layers. Components duplicated across the products: User Portals, Designers, Role Mgmt, Reporting, Policy Model, Workflow, Configuration DB, Dev Model, Identity Stores. Supported Applications: Directories, HR Systems, ERP Systems, Databases, Audit Systems.
Our Approach
Best of breed for Windows that extends to the enterprise
[Figure: layered stack]
User & Developer Experiences: Microsoft Office, Windows, Web Portals, Visual Studio
IDA Management Capabilities: Identity Lifecycle Manager 2007
Platform Components: Active Directory & Microsoft Identity Integration Server; Active Directory Federation Services; Rights Management Services; Certificate Services
Extensibility: 20+ Connectors, WS-*, BizTalk, .NET, Visual Studio, MIIS SDK; Partners
Microsoft’s Offerings
A comprehensive set of IDA platform technologies and solution scenarios
Complemented by a broad international partner program
Focus on 5 Solution Areas
Microsoft Solution Focus Areas: Directory Services; Federated Identity/SSO; Information Protection; Identity Lifecycle Mgmt; Strong Authentication
Active Directory
An ideal foundation: the world’s most widely deployed directory service
Central authority for identity and access information
Full support for stand-alone, scalable LDAP directory operation
[Figure: what Active Directory provides to each consumer]
Windows Clients: Configuration, Security, Quarantine Policies
Windows Servers: Network Resources, File Shares, Printers, Policies
Network Devices: Configuration, Quality of Service, Security Policies, Single Sign-On
Windows Users: Account Information, Privileges, Profiles/Policies, Single Sign-On
Office, SharePoint, …: Product Information, Privileges, Profiles/Policies, Automated deployment
3rd Party Applications: Single Sign-On, Automated deployment, Configuration, App-specific data
Other Systems (Directories, Databases, Mainframes, UNIX): Configuration, Security Policy, VPN & Remote Access, Single Sign-On, Edge Security
Federated Identity (Live Services): Security Token Services, Federation
In Windows Server 2008
Security: Read-Only Domain Controller; Better Auditing and Tracking Functionality; Integration of Latest Encryption Technologies
Standards & Globalization: Support for the latest Standards (IPv6); Addresses Needs of Wider Audience (Asia)
Reliability: Simpler and More Flexible Deployment Options; Service-based for Easier Management; Enhanced Data Integrity
Active Directory Summary
Business Benefits
A single place in the network to store and manage information about users, settings, and their privileges
Enables multiple types of security in your network
Important source of compliance & audit data
Partner Value Add
NetPro & Quest: Advanced directory management tools
Centrify & Quest: Extend AD to non-Windows platforms
Identity Lifecycle Management
[Figure: lifecycle stages around a central Identity]
New User: User ID Creation, Credential Issuance, Entitlements
Change User: Entitlement Changes, Promotions, Transfers, New Entitlements
Help Desk: “Lost” Credentials, Password Reset, New Entitlements, Self-Service Password Kiosk
Retire User: Delete Accounts, Remove Entitlements
Reporting: Compliance, Audit, Security
User Experiences Today
Information Workers
Developers: Systems integration; Business rule development; Workflow, provisioning, etc.
IT Professionals: System architecture and deployment; System administration; Governance; Security policy
Resetting passwords and PINs
Managing group and DL membership
Managing resource access
Encoding and automating policy
Managing end user requests
IT Overloaded
Information Workers Frustrated
Inefficient Operations
Previously: MIIS; CLM Beta
Today: Microsoft Identity Lifecycle Manager 2007 (Identity Synchronization; User Provisioning; Certificate & Smartcard Management)
2H 2008: ILM “2” (Integrated user experiences; Spans user, credential, access and policy management; Built on a common foundation)
ILM “2” components: User Management, Access Management, Credential Management, Policy Management, on a Common Platform (Connectors, Delegation, Workflow, Logging, Web Service API)
Identity Lifecycle Manager
Certificate and Smart Card Management
Reduces cost of managing certificate-based credentials
Automates certificate issuance & revocation
Vastly simplifies deployment of smart cards
User Provisioning
Automates the process of on-boarding & off-boarding users
Simplifies compliance through automated IDA enforcement
Enforces consistent credentials across systems
Identity Synchronization
Provides single view of a user across enterprise systems
Keeps identity information consistent across systems
Identity Lifecycle Manager 2007
Business Benefits
The ability to integrate a wide range of systems and applications into common business processes
Business process automation improves operational efficiency
Focus on automating business rules and processes facilitates compliance enforcement and reporting
Partner Value Add
Dot Net Factory, Omada, & Quest: Extending MIIS & connectors
M-Tech: Support for additional stores
BHOLD: Enterprise roles management
M-Tech & Courion: Password management
Lifecycle Management Summary
The Need for Information Protection
Legal & Regulatory Compliance: Increasing regulation: SOX, HIPAA, GLBA. Non-compliance can lead to significant legal fees, fines and/or settlements.
Image & Credibility: Leaked e-mails can be damaging in many ways. Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility.
Financial Costs: Cost of digital leakage per year is measured in $ billions. Loss of revenue, market capitalization, and competitive advantage.
Rights Management Services
[Figure: The Information Workplace] Information leaves The Enterprise to an Independent Consultant, a Partner Organization, Home, Mobile Devices and a USB Drive, with the RMS Policy shown attached to the information.
The flow of information has no boundaries
Information is shared, stored and accessed outside the control of its owner
Host and network security controls aren’t the right tools to solve this problem
• Solution: Protect the information itself
• Retain the policy and protection as the information is ‘in motion’
Rights Management Scenarios
[Figure: six numbered flows]
1 Protection and policy stay with the file
2 Protection and policy stay with the file
3 Protection and policy stay with the file
4 Policy Portal stores file in the clear
5 Policy Portal protects file on access
6 Policy Archive stores file and policy in the clear
In Windows Server 2008
Interoperability: RMS becomes a Claims-Aware Application to support cross-company information protection; Supports existing SharePoint sites
Manageability: RMS becomes a Windows Server 2008 server role; Enhanced RMS MMC management experience; New RMS health model
Security: BitLocker support
Business Benefits
Reduces the financial, operational & corporate risk of ‘data in motion’
Facilitates compliance with data privacy regulations
Lowers operational costs by protecting content electronically instead of requiring hardcopy protection approaches
The Role of Partners
Liquid Machines: PDF, Blackberry & CAD format support
Workshare: Content filtering & dynamic rights protection
Meridio & K2: Electronic Content Management
Information Protection Summary
Scenario 1: Web SSO
[Figure] Resource Realm: ADFS backed by AD and ADAM; Application 1 and Application 2 (each with an Agent) on IIS 6 Web Servers; the user performs Login to the Resource Realm.
Scenario 2: B2B Federation
[Figure] Account Realm: ADFS backed by AD and ADAM, issuing Claims to the Resource Realm. Resource Realm: ADFS backed by AD and ADAM; Application 1 and Application 2 (each with an Agent) on IIS 6 Web Servers.
In Windows Server 2008
Collaboration: RMS becomes a Claims-Aware Application; SharePoint becomes a Claims-Aware Application
Manageability: Simplified Deployments Via Native Platform Integration; Stronger Administrative Controls; Better Administrator Information Systems
ADFS 2 (Release TBD): Will use the full WS-* stack (ex: WS-Federation, WS-Trust); Active versus passive client-side operation; Security Token Service supporting WS-Trust token operations
Business Benefits
Enables new models for cross-company single sign-on systems
Facilitates single sign-on across Windows and non-Windows environments
Reduces the risk of unauthorized access by eliminating the need for cross-company synchronization of user and rights information
Partner Value Add
Centrify & Quest: Multi-platform support
Federated Identity/SSO Summary
Certificate Services and ILM
A full-featured certificate authority that is part of Windows Server
Enables scenarios such as smart cards, IPSec, VPN, e-mail signing & secure wireless networking
Integrates fully with Identity Lifecycle Manager 2007
[Figure: Trusted Environment] Certificate Server with Active Directory and Certificate Templates; RAS/VPN Server, IAS/RADIUS Server, Wireless AP, Switch; VPN Client, Wireless Client, Client Computer.
Certificate Lifecycle Management in ILM
Single administration point for digital certificates and smart cards
Configurable policy-based workflows for common tasks: Enroll/renew/update; Recover/card replacement; Revoke; Retire/disable smart card; Issue temporary/duplicate smart card; Personalize smart card
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services
In Windows Server 2008
Security: Leading Edge Cryptographic Support (CNG); Improved Operational Security for Certificate Services; More Flexible and Secure Certificates
Interoperability: Employs Latest Industry Standards
Manageability: Simple and More Flexible Certificate Services Deployments; Consolidated & Globalized Management Tools; Improved Monitoring & Reporting Framework; Granular Control over 3rd Party Certificates
Partner Value Add
Gemalto & Aladdin: Smart cards and tokens
nCipher: Hardware security modules
Business Benefits
Significantly improves the core security of your network
Improves operational efficiency via features such as auto enrollment
Reduces costs by being delivered as part of the Windows Server operating system
Strong Authentication Summary
Two Alternatives
Option 1: All at once. Target connecting everything at once; de-prioritize infrastructure, data, and process rationalization.
Option 2: Step-wise approach. Start with the directory and metadirectory basics; create a basic lifecycle solution and then build incrementally on it; prioritize strong authentication, federation, and information protection.
Infrastructure Optimization Model
Basic (22%): Uncoordinated, manual infrastructure; knowledge not captured. Cost Center.
Standardized (60%): Managed IT infrastructure with limited automation and knowledge capture. More Efficient Cost Center.
Rationalized (5%): Managed and consolidated IT infrastructure with extensive automation. Business Enabler.
Dynamic (3%): Fully automated management; knowledge capture and use automated. Strategic Asset.
IDA Optimization Model
Columns: Basic (Cost Center) | Standardized (More Efficient Cost Center) | Rationalized (Business Enabler) | Dynamic (Strategic Asset)
Lifecycle: No Formal Lifecycle Processes | Directory Data & Workflow Process Standardization | Metadirectory Used to Keep Information Synchronized | Identity Lifecycles Managed Via Policies & Workflow
Info Protection: Physical Protection | Encryption-Protected Content | Enterprise Rights Management (ERM) & Mobile devices | Policy-Based ERM Across Partners & Customers
Federated Identity: Multiple User IDs | One User ID & Password For All Extranet Applications | Federated Trust Used Instead of Extranet User ID & Password | Federated Trust Applied To Web Services
Strong Authentication: User IDs and Password | Strong Password Policy enforcement | Multi-Factor Authentication Used For High-Risk Scenarios | Multi-Factor Authentication Used For All Corporate Applications & Users
Directory: Multiple Login Points To Resources | A Primary Directory Used to Authenticate Users To Windows Applications | A Primary Directory Used to Authenticate Users to Non-Windows Apps | Employee Authentication Extended Outside The Enterprise
Progress Is Incremental
[Figure] The same grid, Basic (Cost Center), Standardized (More Efficient Cost Center), Rationalized (Business Enabler) and Dynamic (Strategic Asset), applied to Directory, Lifecycle, Information Protection, Strong Authentication and Federated Identity.
Changing The Equation
[Figure: Total IDA Spending split into IT Staff, S/W and Services, plotted as Cost against ROI; *IDC Data]
Less spending on specialized infrastructure
Higher end-user productivity
IT staff focused more on business enablement
Lower spending on services
[Roadmap figure]
Windows 2000: Active Directory; Windows Certificate Services; Microsoft Metadirectory Server
Windows 2003: Deployability and Manageability Enhancements; Windows Authorization Manager; Microsoft Identity Integration Server (MIIS); Windows Rights Management Services
Windows 2003 R2: Active Directory Federation Services; Active Directory Application Mode
Windows Vista: Windows Communication Foundation; Windows CardSpace; Improved Smart Card Usability
Identity Lifecycle Manager 2007
LHS Wave: ILM “2”; RMS, CS, DS enhancements; ADFS 2
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.