
Microsoft Services Microsoft Identity Solutions Anthony Witecki, Microsoft Consulting Services.

Presentation on theme: "Microsoft Services Microsoft Identity Solutions Anthony Witecki, Microsoft Consulting Services."— Presentation transcript:

1 Microsoft Services Microsoft Identity Solutions Anthony Witecki, Microsoft Consulting Services

2 Enterprise Identity
An identity is the sole item connecting an individual to a variety of services both on and off premises. In order to be viewed holistically, there need to be two main elements.
4 Pillars of Identity: each pillar needs to be accounted for at each access control layer.
Access Control Layers: brokered at multiple layers in a system; moves from fine-grained access (data and application layer) to coarse-grained access (network and OS layer).

3 The Identity Pillars
Administration
  Single View: Automated Provisioning and De-provisioning; Synchronization; Manual Administration; Self-Service; Entitlement management
  Requests: Manage business identity rules at the enterprise level; Central IdM system brokers requests and approvals; Align business processes to workflows
  Approvals: For coarse-grained access, assign application owners as approvers; For fine-grained access, leverage the RBAC/ABAC/PBAC system in place
Authentication
  Security: Authentication Strength; Multi-Factor Authentication; Authentication Delegation
  Experience: Disjoint Sign On; Global Sign On; Reduced Sign On; Single Sign On
  To Achieve SSO: Central Issuer; Credential Forwarding; Protocol Transition
Authorization
  Abstraction: Authorization hard coded into the app vs. authorization abstracted away from the app
  Coarse-Grained: Similar to locking your front door; Works well at the Network and Operating System layers
  Fine-Grained: Role-Based (define tasks based on your job and group them together); Attribute-Based (application owns the decision based on claims about you); Policy-Based (decision made centrally by the enterprise)
Auditing
  Many Places: Needs to happen at every layer. Network > VPN, SSL VPN, Access Gateway; OS > Servers and clients; Application > App-specific logs / web server logs; Resources > Various
  Many Systems: At the decision maker; At the application; At the entitlement source
  Decentralization: Collect logs from various systems; Normalize the data; Analyze data / Generate reports
Sign-on matrix (figure labels): Single Credential / Multiple Credentials; Single Source / Multiple Sources; DSO, GSO, RSO, SSO

4 Administration: Build an accurate view of the identity
The #1 goal of the administration pillar is to establish that “single view” of an identity. There are many solutions to this when dealing with on-premise identities: Automated Provisioning and De-provisioning; Synchronization; Manual Administration; Self-Service; Entitlement management.
Manage business identity rules at the enterprise level. Use a central identity management system as the request and approval broker. Ensure that your business processes can align to the request and approval workflows.
For coarse-grained access, assign application owners as approvers. For fine-grained access, leverage the RBAC/ABAC/PBAC system in place.

5 Authentication: How much assurance is “enough”?
Authentication Strength: Directory binds; Challenge / Response; Asymmetric Cryptography
Multi-Factor Authentication: Assurance levels; Cost
Authentication Delegation
Disjoint Sign On: Multiple credentials; Multiple authenticators
Global Sign On: Single set of credentials; Multiple authenticators
Reduced Sign On: Single or multiple credentials; Multiple authenticators
Single Sign On: Central token issuer; Credential forwarding; Protocol transition

6 Authorization: Make the best decision possible
Authorization hard-coded into the app: expensive and slow. Abstract authorization away from the app: modularized operations; flexibility.
Role-based: Based on your job function; Define tasks and group them together
Attribute-based: Based on something about you; Application owns the decision and ties attributes to operations; Claims-based access
Coarse-grained: Similar to locking your front door; Works well at the Network and Operating System layers
Policy-based: Externalize the authorization decision; Fits nicely into a SOA-based approach; Centralized
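As an added example (not from the presentation), the following Python shows what "abstracting authorization away from the app" looks like in code: the application asks a central policy decision function, roles group tasks (role-based), claims issued by the identity provider gate specific operations (attribute-based), and the policy tables live outside the application (policy-based). The role names, claim types and operations are constructed sample data.

```python
# Added example: a minimal claims-based policy decision point (PDP).  The
# application never hard-codes "if user in admins": it passes the claims it
# received from the token issuer plus the operation it wants to perform, and
# the decision (and the policy behind it) lives centrally.
from dataclasses import dataclass

# Role-based: a role is a named group of tasks (constructed sample policy).
ROLE_TASKS = {
    "hr-analyst": {"view-person", "view-retirement"},
    "hr-admin": {"view-person", "edit-person", "approve-entitlement"},
}

# Attribute-based: some operations additionally require a claim value.
# Each rule is (operation, claim type, acceptable values) - constructed.
ATTRIBUTE_RULES = [
    ("edit-person", "mfa", {"true"}),                # writes need strong auth
    ("approve-entitlement", "department", {"HR"}),   # approvers must be in HR
]


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def tasks_for_roles(roles):
    """Expand role claims into the set of tasks those roles grant."""
    granted = set()
    for role in roles:
        granted |= ROLE_TASKS.get(role, set())   # unknown roles grant nothing
    return granted


def decide(claims, operation):
    """Central decision: deny by default, permit only when a role grants the
    operation AND every attribute rule for that operation is satisfied."""
    roles = claims.get("role", [])
    if isinstance(roles, str):          # a single role claim may arrive as a string
        roles = [roles]
    if operation not in tasks_for_roles(roles):
        return Decision(False, f"no role grants '{operation}'")
    for op, claim_type, allowed in ATTRIBUTE_RULES:
        if op == operation and claims.get(claim_type) not in allowed:
            return Decision(False, f"claim '{claim_type}' must be one of {sorted(allowed)}")
    return Decision(True, "permitted by role and attribute policy")
```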

7 Auditing: Who did what, when, and how did they get access to it?
Auditing needs to be comprehensive and occur at every layer in the access control model:
Network: VPN, SSL VPN, Access Gateway
Operating System: Servers and potentially clients
Application: App-specific logs and web server logs
Resources
At the decision maker: What was the decision and how was it made?
At the application: What did the identity do?
At the entitlement source: How long did the identity have this attribute?

8 Auditing: Who did what, when, and how did they get access to it?
Ability to illustrate who approved: a new or deleted identity; addition or subtraction of entitlements from an identity; who, or which, identities had access to what service or resource and when (also who approved that access); any changes related to the identity object and associated approval/rejection processes
Ability to show auditors information surrounding an identity's overall lifecycle
Ability to create and provide reports on the above
Collect logs from various systems; Normalize the data; Analyze data / Generate reports
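The "collect, normalize, analyze" step from the two auditing slides, as an added example that is not part of the presentation: log lines from the network, operating system and application layers are parsed into one event schema and joined into the per-identity timeline an auditor asks for. The log lines, their formats and the host names are constructed samples, not real product formats.

```python
# Added example: collect log lines written at three access-control layers
# (network, OS, application), normalize them into one event schema, and build
# the "who did what, when" timeline an auditor asks for.  All log lines and
# formats below are constructed samples, not real product formats.
import re
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_LOGS = {   # constructed: one access event per layer, each in its own format
    "network": ["2014-03-01T08:02:11Z vpn01 session-open user=JDoe src=203.0.113.7"],
    "os": ["03/01/2014 08:03:40 APP01 4624 Logon Account: CORP\\jdoe Type: 10",
           "03/01/2014 08:03:41 APP01 heartbeat ok"],            # noise, skipped
    "application": ['203.0.113.7 - jdoe [01/Mar/2014:08:04:02 +0000] '
                    '"GET /retirement/balance HTTP/1.1" 200'],
}

# One regex and one timestamp format per layer; every pattern yields the same
# named groups, so the rest of the pipeline is format-agnostic.
PATTERNS = {
    "network": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) user=(?P<user>\S+)"),
    "os": re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<action>\d+) .*Account: (?:\w+\\)?(?P<user>\S+)"),
    "application": re.compile(r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<action>[A-Z]+ \S+)'),
}
TIME_FORMATS = {"network": "%Y-%m-%dT%H:%M:%SZ", "os": "%m/%d/%Y %H:%M:%S",
                "application": "%d/%b/%Y:%H:%M:%S %z"}


def normalize(layer, line):
    """Parse one raw line into the common schema, or None if it is not an access event."""
    m = PATTERNS[layer].match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TIME_FORMATS[layer])
    if ts.tzinfo is None:                       # assume UTC where the log omits a zone
        ts = ts.replace(tzinfo=timezone.utc)
    return {"time": ts, "layer": layer, "user": m.group("user").lower(),
            "host": m.groupdict().get("host", "-"), "action": m.group("action")}


def build_timeline(logs):
    """Normalize every line from every layer and order the events by time."""
    events = []
    for layer, lines in logs.items():
        for line in lines:
            event = normalize(layer, line)
            if event:
                events.append(event)
    return sorted(events, key=lambda e: e["time"])


def report_by_user(events):
    """Group the timeline per identity: one line per event, oldest first."""
    report = defaultdict(list)
    for e in events:
        report[e["user"]].append(f"{e['time'].isoformat()} {e['layer']} {e['host']} {e['action']}")
    return dict(report)
```

Case-folding the user name and converting every timestamp to an aware UTC value is what lets the three layers be correlated at all; without that step the same person shows up as three unrelated actors.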

9 What is Microsoft Doing About My Identity Crisis? 15 POINT INSPECTION

10 Implementation Roadmap
Provide customers with a roadmap based on customer goals and technology capabilities; gives an end-state vision with incremental success.
Leverage offerings: Enterprise Identity Management; Enterprise Federated Identity. Some work may require a custom Services engagement; fill in the gap over time with new offerings.

11 Services Offering: Security, Identity & Access Management (SIAM) Secured by

12 Enterprise Deployment Model

13 Case Study in Washington State (diagram labels): PUBLIC Web Application; Federation Server; Public Authentication; Browse / Redirect / Browse; Trust; Identity Provider; Resource Provider; Federation Server; Trust; Enterprise Active Directory; HRMS; Identity Provisioning / De-provisioning; Person Table; Retirement Systems; Constituent Data

14 General Requirements - Authentication
Active Directory used for authentication: can authenticate users in the same forest as the AD FS servers; can authenticate users in trusted forests, but there must be a forest-level two-way trust in place.
Non-Microsoft Identity Providers can be used: only Identity Providers that Microsoft has published a federation step-by-step guide for; partner agreements and paperwork must be in place prior to deployment of the solution; the Home Realm Discovery page will not be customized as part of this engagement.
User authentication over the Internet: forms-based authentication only; certificate-based authentication can be used, but configuring it is outside the scope of this engagement (the customer can configure certificate authentication post-engagement if they wish).

15 General Requirements - Certificates
Customer must supply SSL certificates for the federation service. Each AD FS 2.0 server and AD FS 2.0 proxy server requires an SSL certificate: the same DNS name must be used for the subject name on every cert; each server must have a public/private key pair; each server is not required to use the same certificate, but they can if the issuer allows it.
Can purchase the necessary certificates from a third-party issuing authority: may need to purchase multiple certificates, depending on the issuer’s policies; wildcard or SAN certificates can be used, but are not necessary.
Can issue the certificates from the customer’s Certificate Authority: the issuing CA must be trusted by all clients logging on to the federation service; ideal if your clients are all “managed clients”; not ideal if users are connecting over the internet with non-corporate computers.
Hybrid approach possible: use internally-issued certificates for the internal federation servers; purchase trusted certificates for proxy federation servers.

16 Solution Requirements for Federation: Which Scenarios Apply?
Internal employee access: allow employees to achieve SSO to federated applications when on the network; allow employees to achieve SSO to federated applications when working remotely; the internal organization may be a large, complex multi-forest infrastructure looking to simplify access without trusts.
Sharing applications with another organization: allow partners to use their own accounts for accessing SharePoint 2007; allow partners to use their own accounts for accessing data protected with Active Directory Rights Management Services; increase security by leveraging the partner’s de-provisioning process.
Access applications hosted by another organization: use domain credentials for SSO and access to Office 365 applications; use domain credentials for SSO and access to partner-hosted applications.

17 Application Requirements for Federation
Applications must be claims-aware: .NET applications must use Windows Identity Foundation; non-Microsoft applications must use SAML 2.0 or WS-Federation protocols.
Customer will configure relying party trusts outside of this engagement, except for Office 365, SharePoint 2007, or AD RMS relying parties. Microsoft will not modify existing applications to make them claims-aware.

18 Requirements for Identity Synchronization
Identity repositories must be identified and classified by integrity level.
Identity attributes must be identified and matched to authoritative repositories; this becomes the Metaverse or Metadirectory.
Security and distribution groups must be classified by security level.
User provisioning must be mapped out: What systems are used during the entry and exit processes? What approvals are necessary for each system?
Certificate management requirements must be defined.
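The first two synchronization requirements (repositories classified by integrity level, attributes matched to authoritative repositories) worked through in Python, as an added example that is not part of the presentation or of any Microsoft product: several repositories are joined into one metaverse record, the authoritative repository with the highest integrity level wins each attribute, and values in other systems that disagree are listed for export. The repository names, integrity levels, attribute mapping and records are all constructed.

```python
# Added example: build one metaverse record per person from several identity
# repositories.  Repositories carry an integrity level; for each attribute only
# the repositories classified as authoritative for it are consulted, highest
# integrity first.  All repositories, levels and records are constructed.
INTEGRITY = {"hrms": 3, "ad": 2, "retirement": 1}   # constructed classification

# Constructed: which repositories are authoritative for which attribute.
AUTHORITATIVE = {
    "employee_id": {"hrms"},
    "display_name": {"hrms", "ad"},
    "email": {"ad"},
    "status": {"hrms", "retirement"},
}

REPOSITORIES = {   # constructed sample records, joined on employee_id
    "hrms": [{"employee_id": "100042", "display_name": "Jane Doe", "status": "active"}],
    "ad": [{"employee_id": "100042", "display_name": "Doe, Jane", "email": "jdoe@example.gov"}],
    "retirement": [{"employee_id": "100042", "status": "retired", "email": "old@example.gov"}],
}


def ordered_sources(attr):
    """Authoritative repositories for an attribute, highest integrity level first."""
    return sorted(AUTHORITATIVE[attr], key=lambda repo: -INTEGRITY[repo])


def find_record(repo, employee_id):
    """The repository's record for this person, or None if it holds none."""
    return next((r for r in REPOSITORIES[repo] if r.get("employee_id") == employee_id), None)


def join_identity(employee_id):
    """Return the metaverse record and, per attribute, the repository that supplied it."""
    metaverse, provenance = {}, {}
    for attr in AUTHORITATIVE:
        for repo in ordered_sources(attr):
            rec = find_record(repo, employee_id)
            if rec and attr in rec:
                metaverse[attr], provenance[attr] = rec[attr], repo
                break                      # lower-integrity sources never override
    return metaverse, provenance


def stale_values(employee_id, metaverse):
    """Values held by any repository that disagree with the metaverse; a sync
    engine would export the metaverse value back to these systems."""
    stale = []
    for repo in REPOSITORIES:
        rec = find_record(repo, employee_id) or {}
        for attr, value in rec.items():
            if attr in metaverse and metaverse[attr] != value:
                stale.append((repo, attr, value))
    return sorted(stale)
```

Note that the retirement system's "retired" status loses to HRMS because HRMS has the higher integrity level, and its stale e-mail is flagged even though the retirement system is not authoritative for e-mail at all; both are exactly the questions the "entry and exit processes" bullet asks you to settle before synchronization is switched on.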

19 Questions?
