Identity and Access Management
Paula Kiernan
Senior Consultant
Ward Solutions
Session Prerequisites
Hands-on experience with Microsoft Windows Server, Windows management tools, and Active Directory
Basic understanding of network security fundamentals
Basic understanding of directory and security services used in heterogeneous computing environments
Level 200
Session Overview
Overview of Identity and Access Management Concepts
Identity Management
Intranet Access Management
Extranet Access Management
Overview of Identity and Access Management Concepts
Managing Digital Identities: What Are the Challenges?
Challenges to managing digital identities include:
Multiple identity stores
Intranet access management
Extranet access management
What Is Identity and Access Management?
Identity and access management is made up of four areas:
Directory Services
Access Management
Identity Life Cycle Management
Application Integration
How Can Identity and Access Management Reduce Directory Management Effort?
Initiatives that reduce directory management effort include:
Automating provisioning and deprovisioning
Implementing identity aggregation and synchronization
Establishing directory service and security standards
Establishing software development and procurement standards
Reducing TCO
How Can Identity and Access Management Simplify the End User Experience?
Initiatives that simplify the end user experience include:
Consolidating identity stores
Improving password management
Enabling SSO
Improving access for employees, customers, and partners
How Can Identity and Access Management Increase Security?
Initiatives that increase security include:
Establishing security and access policies
Improving password management
Strengthening authentication mechanisms
Establishing security audit policy
Developing identity-aware applications
Understanding Identity and Access Management Technologies
Directory Services: users, attributes, credentials, and groups; Active Directory and Active Directory Application Mode
Identity Life Cycle Management: identity integration, provisioning/deprovisioning, delegated administration, self-service administration, credential and password management
Access Management: authentication, authorization, trust, security auditing
Identity Management
Managing Identities: What Are the Challenges?
Challenges related to managing multiple identity stores include:
Management costs
Employee productivity
Security
Customer service and supply chain integration
Understanding the Identity Life Cycle
1. New User: user ID creation, credential issuance, entitlements
2. Change User: promotions, transfers, entitlement changes
3. Help Desk: password reset, new entitlements
4. Retire User: delete accounts, remove entitlements
Managing Identity Integration
Approaches to managing identity integration among directory stores include:
Manual administration
Custom scripts
Integration services
Identity integration products
Understanding Identity Integration Products and Services
You can implement identity integration by using a number of identity integration products and services:
Identity Integration Feature Pack
Microsoft Identity Integration Server 2003
Services for UNIX
Services for NetWare
Host Integration Server
Active Directory Connector
Active Directory to ADAM Synchronizer
Using the Identity Integration Feature Pack to Manage Identities
IIFP is a free product that provides connections to only the following directories and e-mail applications:
Active Directory for Windows 2000 Server and later
Active Directory Application Mode (ADAM)
GAL synchronization for Exchange 2000 Server and Exchange Server 2003
Using Microsoft Identity Integration Server to Manage Identities
MIIS 2003 provides the following set of features:
Identity aggregation and synchronization
  Support for over 20 repositories
  Provides a single enterprise view of a user
  Uses SQL Server as the information repository
Account provisioning
  Automated account creation/deletion
  Group & distribution list management
  Workflow
  Password management
Understanding Identity Integration Using MIIS
Synchronizes multiple repositories
Agentless connection to other systems
Attribute level control
Manage global address lists
Automate group and DL management
Legend: CS = Connector Space, MA = Management Agent, MV = Metaverse
Diagram: Intranet Active Directory, Lotus Notes, Sun ONE Directory, and Extranet Active Directory each connect to MIIS 2003 through a management agent (MA) and a connector space (CS); the connector spaces feed the shared metaverse (MV)
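The slide's metaverse diagram is easier to reason about with a toy model. The following is an added example, not MIIS code: each connected directory is represented by a connector space holding what its management agent imported, objects are joined to a metaverse entry on a shared anchor attribute (employeeID, an assumed choice), and each attribute is projected using a per-attribute precedence list, which is what "attribute level control" amounts to. The store names match the diagram; all records, attribute names and the precedence rules are constructed for illustration.

```python
"""Toy model of MIIS-style identity aggregation (added example, not MIIS code).

Connector spaces (CS) hold what each management agent (MA) imported.  Objects
with the same anchor (employeeID, an assumed join attribute) are joined to one
metaverse (MV) entry, and each attribute is projected from the highest-precedence
store that supplies a value.  All sample records below are constructed.
"""

# Connector spaces: constructed sample objects keyed by employeeID.
CONNECTOR_SPACES = {
    "Intranet AD": {
        "1001": {"displayName": "Bob Smith", "mail": "bob@corp.example", "title": "Analyst"},
        "1002": {"displayName": "Mary Jones", "mail": "mary@corp.example", "title": "Manager"},
    },
    "Lotus Notes": {
        "1001": {"displayName": "Robert Smith", "mail": "bsmith@notes.example"},
        "1003": {"displayName": "Ann Lee", "mail": "alee@notes.example"},
    },
    "Sun ONE Directory": {
        "1002": {"displayName": "M. Jones", "telephoneNumber": "+1-555-0102"},
        "1003": {"displayName": "Ann Lee", "telephoneNumber": "+1-555-0103"},
        "1004": {"displayName": "Temp Contractor", "telephoneNumber": "+1-555-0104"},
    },
}

# Attribute-level precedence (assumed business rule): first listed store with a value wins.
PRECEDENCE = {
    "displayName": ["Intranet AD", "Sun ONE Directory", "Lotus Notes"],
    "mail": ["Intranet AD", "Lotus Notes"],
    "title": ["Intranet AD"],
    "telephoneNumber": ["Sun ONE Directory"],
}


def build_metaverse(connector_spaces, precedence):
    """Join CS objects on employeeID and project attributes by precedence.

    Returns {employeeID: {attribute: value, "_sources": [store, ...]}}.
    """
    metaverse = {}
    # Join: every CS object sharing an anchor lands on the same MV entry.
    for store, objects in connector_spaces.items():
        for emp_id in objects:
            metaverse.setdefault(emp_id, {"_sources": []})["_sources"].append(store)
    # Project: per attribute, take the value from the first store in precedence order that has one.
    for emp_id, entry in metaverse.items():
        for attr, sources in precedence.items():
            for store in sources:
                value = connector_spaces.get(store, {}).get(emp_id, {}).get(attr)
                if value is not None:
                    entry[attr] = value
                    break
        entry["_sources"].sort()
    return metaverse


def export_to_extranet(metaverse, required=("displayName", "mail")):
    """Export only complete entries to the extranet store; a partial identity is not provisioned."""
    return {
        emp_id: {k: v for k, v in entry.items() if k in required}
        for emp_id, entry in metaverse.items()
        if all(entry.get(k) for k in required)
    }


if __name__ == "__main__":
    mv = build_metaverse(CONNECTOR_SPACES, PRECEDENCE)
    for emp_id, entry in sorted(mv.items()):
        print(emp_id, entry)
    print("extranet export:", export_to_extranet(mv))
```

Two things worth noticing when it runs: Mary's display name comes from Intranet AD even though Sun ONE also supplies one, because precedence decides per attribute rather than per object; and employee 1004, known only to Sun ONE, is never exported to the extranet directory because the metaverse entry lacks a mail attribute, so an incomplete identity does not get an account.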
Implementing Account Provisioning
Typical ways of implementing account provisioning include:
HR-driven provisioning
Web-driven provisioning
Complex workflow provisioning using Microsoft BizTalk Server 2004 orchestration
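HR-driven provisioning is the life-cycle slide turned into an automated feed: each HR event maps onto one of the four stages (new user, change user, help desk, retire user). The following is an added example covering both slides, not MIIS or BizTalk code; the HR events, the department-to-group entitlement rule and the user ID naming convention are all constructed assumptions.

```python
"""Toy HR-driven provisioning engine walking the four identity life-cycle stages
(added example, not MIIS or BizTalk code).  The HR feed is constructed sample
data and the entitlement mapping from department to groups is an assumed rule.
"""
from dataclasses import dataclass, field

# Assumed business rule: groups each department's staff are entitled to.
DEPARTMENT_GROUPS = {
    "Finance": {"AllStaff", "FinanceUsers"},
    "Sales": {"AllStaff", "SalesUsers"},
}
MANAGER_GROUPS = {"Managers"}


@dataclass
class Account:
    user_id: str
    department: str
    is_manager: bool
    groups: set = field(default_factory=set)
    enabled: bool = True
    password_resets: int = 0


def entitled_groups(department, is_manager):
    groups = set(DEPARTMENT_GROUPS.get(department, {"AllStaff"}))
    if is_manager:
        groups |= MANAGER_GROUPS
    return groups


def make_user_id(given, surname, accounts):
    """First initial plus surname (assumed convention), numbered when already taken."""
    base = (given[0] + surname).lower()
    taken = {a.user_id for a in accounts.values()}
    uid, n = base, 1
    while uid in taken:
        n += 1
        uid = f"{base}{n}"
    return uid


def apply_event(accounts, event):
    """Apply one HR event to the account store; returns a one-line log entry."""
    kind, emp = event["type"], event["employeeID"]
    if kind == "hire":                                   # 1. New user
        uid = make_user_id(event["givenName"], event["surname"], accounts)
        acct = Account(uid, event["department"], event.get("isManager", False))
        acct.groups = entitled_groups(acct.department, acct.is_manager)
        accounts[emp] = acct
        return f"created {uid} in {acct.department} with {sorted(acct.groups)}"
    acct = accounts[emp]
    if kind == "change":                                 # 2. Change user
        acct.department = event.get("department", acct.department)
        acct.is_manager = event.get("isManager", acct.is_manager)
        new = entitled_groups(acct.department, acct.is_manager)
        added, removed = new - acct.groups, acct.groups - new
        acct.groups = new        # recompute from the rule, so stale entitlements go, not just new ones added
        return f"{acct.user_id}: +{sorted(added)} -{sorted(removed)}"
    if kind == "password_reset":                         # 3. Help desk
        acct.password_resets += 1
        return f"{acct.user_id}: password reset #{acct.password_resets}"
    if kind == "terminate":                              # 4. Retire user
        acct.enabled = False
        acct.groups = set()                              # deprovision: no lingering access
        return f"{acct.user_id}: disabled, entitlements removed"
    raise ValueError(f"unknown event type {kind}")


HR_FEED = [  # constructed sample events, in the order the HR system emitted them
    {"type": "hire", "employeeID": "1001", "givenName": "Bob", "surname": "Smith", "department": "Sales"},
    {"type": "hire", "employeeID": "1002", "givenName": "Mary", "surname": "Jones", "department": "Finance", "isManager": True},
    {"type": "hire", "employeeID": "1003", "givenName": "Brian", "surname": "Smith", "department": "Finance"},
    {"type": "change", "employeeID": "1001", "department": "Finance"},
    {"type": "password_reset", "employeeID": "1003"},
    {"type": "terminate", "employeeID": "1002"},
]


def run_feed(events):
    accounts = {}
    log = [apply_event(accounts, e) for e in events]
    return accounts, log


if __name__ == "__main__":
    accounts, log = run_feed(HR_FEED)
    print("\n".join(log))
```

The point to take from the "change" branch is that entitlements are recomputed from the rule rather than appended: a transfer from Sales to Finance removes SalesUsers as well as adding FinanceUsers, which is the entitlement creep that manual administration and ad hoc scripts tend to leave behind.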
Managing Passwords
MIIS 2003 provides the ability to manage passwords through:
Help desk reset
Windows-initiated changes
Web-initiated changes
Other system–initiated changes through non-Microsoft software
Identity Management: Best Practices
Train development and support staff
Identify all existing systems or processes that might conflict with identity synchronization
Define all business rules before implementation
Determine service-level agreements
Plan for custom code development
Implement a disaster recovery plan and secure the MIIS service accounts
Intranet Access Management
Intranet Access Management: What Are the Challenges?
Common business challenges related to intranet access management include:
No single sign-on capabilities
A higher number of password reset requests
Multiple, inconsistent approaches to security services
Approaches to Single Sign-on
Approaches to single sign-on, in order of preference, include:
Application integration with Windows security services
Platform integration with Windows directory and security services
Application integration with Windows directory services
Indirect integration through credential mapping
Synchronized accounts and passwords
Implementing Single Sign-on
Approaches to implementing single sign-on include:
Desktop-integrated SSO
Web SSO
Credential mapping, or Enterprise SSO
Using Credential Manager
Credential Manager supports the following types of credentials:
User name and password combinations
X.509 digital certificates
Microsoft Passport credentials
Credential Manager is used to save the user’s credentials automatically and use them for future access to a resource
Understanding Windows Authorization Options
Windows Server 2003 supports a number of authorization mechanisms:
The Windows access control list–based impersonation model
Role-based authorization
ASP.NET authorization
Understanding Windows Server 2003 Authorization Manager
Authorization Manager organizes users into various roles within the application, as shown:
Diagram: users Bob and Mary are mapped in the authorization policy store to roles (Bob = User, Mary = Manager); authorization is checked at the application server, which grants role-based access to resources
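The Authorization Manager policy store is built from operations (what an application actually checks), tasks that bundle operations, roles that bundle tasks, and assignments of users to roles. The following is an added example that models that structure in plain Python; it is not the Authorization Manager API, and the expense application, its operations and the Bob/Mary assignments are constructed to match the slide.

```python
"""Toy model of an Authorization Manager-style policy store (added example, not
the AzMan API).  Operations are the low-level actions an application checks,
tasks bundle operations, roles bundle tasks (and may include other roles), and
principals are assigned to roles.  The expense application is constructed.
"""


class AuthorizationStore:
    def __init__(self):
        self.operations = set()
        self.tasks = {}          # task name -> set of operations
        self.roles = {}          # role name -> {"tasks": set, "includes": set of roles}
        self.assignments = {}    # principal -> set of roles

    def define_operation(self, name):
        self.operations.add(name)

    def define_task(self, name, operations):
        unknown = set(operations) - self.operations
        if unknown:
            raise ValueError(f"undefined operations in task {name}: {sorted(unknown)}")
        self.tasks[name] = set(operations)

    def define_role(self, name, tasks=(), includes=()):
        """A role may include lower roles, so a Manager inherits everything a User can do."""
        self.roles[name] = {"tasks": set(tasks), "includes": set(includes)}

    def assign(self, principal, role):
        if role not in self.roles:
            raise ValueError(f"undefined role {role}")
        self.assignments.setdefault(principal, set()).add(role)

    def operations_for_role(self, role, seen=None):
        """All operations a role grants, following role inclusion without looping on cycles."""
        seen = seen if seen is not None else set()
        if role in seen:
            return set()
        seen.add(role)
        ops = set()
        for task in self.roles[role]["tasks"]:
            ops |= self.tasks[task]
        for inner in self.roles[role]["includes"]:
            ops |= self.operations_for_role(inner, seen)
        return ops

    def access_check(self, principal, operation):
        """Deny by default: unknown principals and operations no role grants both fail."""
        return any(operation in self.operations_for_role(r)
                   for r in self.assignments.get(principal, ()))


def build_expense_store():
    """Policy store for a constructed expense-reporting application."""
    store = AuthorizationStore()
    for op in ("SubmitReport", "ViewOwnReport", "ApproveReport", "ViewAllReports"):
        store.define_operation(op)
    store.define_task("File expenses", ["SubmitReport", "ViewOwnReport"])
    store.define_task("Approve expenses", ["ApproveReport", "ViewAllReports"])
    store.define_role("User", tasks=["File expenses"])
    store.define_role("Manager", tasks=["Approve expenses"], includes=["User"])
    store.assign("Bob", "User")       # Bob = User, as on the slide
    store.assign("Mary", "Manager")   # Mary = Manager
    return store


if __name__ == "__main__":
    store = build_expense_store()
    for who in ("Bob", "Mary", "Eve"):
        for op in sorted(store.operations):
            verdict = "allow" if store.access_check(who, op) else "deny"
            print(f"{who:5} {op:15} {verdict}")
```

The application code only ever asks `access_check(user, operation)`; which users hold which roles lives in the policy store, so promoting Bob to Manager is a change to the store, not to the application, which is the separation the role-based model buys over per-resource ACLs.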
Extranet Access Management
Extranet Access Management: What Are the Challenges?
Challenges related to extranet access management include:
Providing secure sessions over the Web
The need for a robust authentication and access control mechanism
The need for a common security model that includes authentication, Web SSO, authorization, and personalization
Identifying Extranet Considerations
Considerations that may affect your extranet access management approach include:
Virtual Private Network or Web SSO access
Directory service selection
Existing applications
Identity life-cycle management
Password security
Understanding Authentication Methods for Extranet Access
Protocols used for extranet access include:
SSL 3.0 and TLS 1.0
Passport authentication
Digest authentication
Forms-based authentication
Basic authentication
Understanding Authorization Techniques for Extranet Access
Extranet authorization techniques can include the following:
ACL
RBAC
Using Trusts and Shadow Accounts for Extranet Access
Alternatives to using trusts include:
Using shadow accounts
Implementing public key infrastructure trusts
Using qualified subordination
Implementing Security Auditing
Use security auditing to monitor the following services:
Directory services
Authentication
Authorization
The following products and technologies can be used for security auditing and reporting:
Windows Security Event Log
WMI
MOM
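Collecting the Security Event Log is only useful if something reads it against the audit policy. The following is an added example, not part of the presentation: three small detection rules run over constructed, simplified Security log records covering authentication (repeated failed logons) and directory services (account creation and deletion). The event IDs used are the ones the Security log has used since Windows Vista (4625 failed logon, 4624 successful logon, 4720 user account created, 4726 user account deleted), not the Windows Server 2003-era numbers; thresholds and business hours are assumed. A real deployment would pull the records through WMI or MOM rather than embed them.

```python
"""Detection rules over simplified Windows Security Event Log records
(added example, not part of the presentation).  Records are constructed sample
data; event IDs are the Windows Vista-and-later ones.  Thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, ACCOUNT_CREATED, ACCOUNT_DELETED = 4625, 4720, 4726

# Constructed sample records: (timestamp, event ID, subject account, target account or host)
EVENTS = [
    ("2004-06-01 09:00:01", 4624, "bob", "workstation1"),
    ("2004-06-01 09:00:05", 4625, "mary", "workstation1"),
    ("2004-06-01 09:00:07", 4625, "mary", "workstation1"),
    ("2004-06-01 09:00:09", 4625, "mary", "workstation1"),
    ("2004-06-01 09:00:11", 4625, "mary", "workstation1"),
    ("2004-06-01 09:00:13", 4625, "mary", "workstation1"),
    ("2004-06-01 11:30:00", 4720, "helpdesk1", "tempuser7"),
    ("2004-06-01 11:31:00", 4726, "helpdesk1", "tempuser7"),
    ("2004-06-01 23:15:00", 4720, "svc_backup", "newadmin"),
]


def parse(events):
    """Turn the string timestamps into datetimes; everything else passes through."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, subj, tgt)
            for ts, eid, subj, tgt in events]


def repeated_failed_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logons inside a sliding time window."""
    by_user = defaultdict(list)
    for ts, eid, subj, _ in events:
        if eid == FAILED_LOGON:
            by_user[subj].append(ts)
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def short_lived_accounts(events, max_life=timedelta(hours=1)):
    """Accounts created and deleted within max_life: temporary access that should be reviewed."""
    created, flagged = {}, set()
    for ts, eid, subj, tgt in events:
        if eid == ACCOUNT_CREATED:
            created[tgt] = ts
        elif eid == ACCOUNT_DELETED and tgt in created and ts - created[tgt] <= max_life:
            flagged.add(tgt)
    return flagged


def out_of_hours_provisioning(events, start_hour=8, end_hour=18):
    """Account creations outside assumed business hours, with the subject that performed them."""
    return {(subj, tgt) for ts, eid, subj, tgt in events
            if eid == ACCOUNT_CREATED and not start_hour <= ts.hour < end_hour}


def audit(events):
    parsed = parse(events)
    return {
        "failed_logons": repeated_failed_logons(parsed),
        "short_lived_accounts": short_lived_accounts(parsed),
        "out_of_hours_provisioning": out_of_hours_provisioning(parsed),
    }


if __name__ == "__main__":
    for rule, hits in audit(EVENTS).items():
        print(rule, sorted(hits))
```

Each rule keys on the subject as well as the event, which is why the audit policy on the slide covers directory services and authorization alongside authentication: an account created by a service account at night is interesting because of who did it, not just because an account appeared.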
Session Summary
Implementing an identity and access management solution will greatly reduce management effort, simplify the end user experience, and increase overall security
MIIS 2003 can manage identity information, automate provisioning and deprovisioning, and synchronize various types of information among multiple identity store formats
A thorough understanding of authentication and authorization options provides the background needed to effectively secure your network infrastructure
It is important to understand which authentication and authorization protocols are appropriate for extranet access
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance
Questions and Answers
Contact Details
Paula Kiernan
Ward Solutions
www.ward.ie