Identity and Access Management

Presentation transcript:

Identity and Access Management
Paula Kiernan, Senior Consultant, Ward Solutions

Session Prerequisites
- Hands-on experience with Microsoft Windows Server, Windows management tools, and Active Directory
- Basic understanding of network security fundamentals
- Basic understanding of directory and security services used in heterogeneous computing environments
Level 200

Session Overview
- Overview of Identity and Access Management Concepts
- Identity Management
- Intranet Access Management
- Extranet Access Management

Overview of Identity and Access Management Concepts
Agenda: Overview of Identity and Access Management Concepts; Identity Management; Intranet Access Management; Extranet Access Management

Managing Digital Identities: What Are the Challenges?
Challenges to managing digital identities include:
- Multiple identity stores
- Intranet access management
- Extranet access management

What Is Identity and Access Management?
- Identity Life Cycle Management
- Access Management
- Directory Services
- Application Integration

How Can Identity and Access Management Reduce Directory Management Effort?
Initiatives that reduce directory management effort include:
- Automating provisioning and deprovisioning
- Implementing identity aggregation and synchronization
- Establishing directory service and security standards
- Establishing software development and procurement standards
- Reducing TCO

How Can Identity and Access Management Simplify the End User Experience?
Initiatives that simplify the end user experience include:
- Consolidating identity stores
- Improving password management
- Enabling SSO
- Improving access for employees, customers, and partners

How Can Identity and Access Management Increase Security?
Initiatives that increase security include:
- Establishing security and access policies
- Improving password management
- Strengthening authentication mechanisms
- Establishing security audit policy
- Developing identity-aware applications

Understanding Identity and Access Management Technologies
Identity Life Cycle Management:
- Identity Integration
- Provisioning/Deprovisioning
- Delegated Administration
- Self-Service Administration
- Credential and Password Management
Access Management:
- Authentication
- Authorization
- Trust
- Security Auditing
Directory Services:
- Users, Attributes, Credentials, and Groups
- Active Directory
- Active Directory Application Mode

Identity Management
Agenda: Overview of Identity and Access Management Concepts; Identity Management; Intranet Access Management; Extranet Access Management

Managing Identities: What Are the Challenges?
Challenges related to managing multiple identity stores include:
- Management costs
- Employee productivity
- Security
- Customer service and supply chain integration

Understanding the Identity Life Cycle
1. New User: user ID creation, credential issuance, entitlements
2. Change User: promotions, transfers, entitlement changes
3. Help Desk: password reset, new entitlements
4. Retire User: delete accounts, remove entitlements

Managing Identity Integration
Approaches to managing identity integration among directory stores include:
- Manual administration
- Custom scripts
- Integration services
- Identity integration products

Understanding Identity Integration Products and Services
You can implement identity integration by using a number of identity integration products and services:
- Identity Integration Feature Pack
- Microsoft Identity Integration Server 2003
- Services for UNIX
- Services for NetWare
- Host Integration Server
- Active Directory Connector
- Active Directory to ADAM Synchronizer

Using the Identity Integration Feature Pack to Manage Identities
IIFP is a free product that provides connections to only the following directories and e-mail applications:
- Active Directory for Windows 2000 Server and later
- Active Directory Application Mode (ADAM)
- GAL synchronization for Exchange 2000 Server and Exchange Server 2003

Using Microsoft Identity Integration Server to Manage Identities
MIIS 2003 provides the following set of features:
- Identity aggregation and synchronization
  - Support for over 20 repositories
  - Provides a single enterprise view of a user
  - Uses SQL Server as the information repository
- Account provisioning
  - Automated account creation/deletion
  - Group & distribution list management
  - Workflow
- Password management

Understanding Identity Integration Using MIIS
- Synchronizes multiple repositories
- Agentless connection to other systems
- Attribute level control
- Manage global address lists
- Automate group and DL management
[Diagram: MIIS 2003 connected to Intranet Active Directory, Sun ONE Directory, Extranet Active Directory and Lotus Notes; each connected system has a management agent (MA) and a connector space (CS) feeding the metaverse (MV). Legend: CS = Connector Space, MA = Management Agent, MV = Metaverse]

Implementing Account Provisioning
Typical ways of implementing account provisioning include:
- HR-driven provisioning
- Web-driven provisioning
- Complex workflow provisioning using Microsoft BizTalk Server 2004 orchestration
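The three preceding slides (the identity life cycle, MIIS connector spaces and metaverse, and HR-driven provisioning) describe one mechanism: sources are imported into per-source connector spaces, joined on an anchor attribute into a metaverse object, and the directory is then provisioned or deprovisioned from that object. The following is an added example written for this transcript, not MIIS code or any Microsoft sample. The HR records, directory accounts, the PRECEDENCE table and all function names are constructed assumptions; it models attribute-level precedence (HR wins on name, department and status; the directory wins on mail), creates an account for a new active employee, flows a department change, disables and strips entitlements from a terminated one, and reports a directory account that has no HR record behind it.

```python
"""Toy model of MIIS-style identity integration with HR-driven provisioning.

Added illustration only (not MIIS code). The data sets, the PRECEDENCE table and
every function name here are constructed for this example.
"""
import copy

# Constructed sample data. The HR system is authoritative for name, department
# and employment status; the intranet directory is authoritative for mail.
HR_RECORDS = [
    {"employeeID": "1001", "displayName": "Mary Jones", "department": "Finance", "status": "active"},
    {"employeeID": "1002", "displayName": "Bob Smith", "department": "Sales", "status": "active"},
    {"employeeID": "1003", "displayName": "Ann Lee", "department": "Finance", "status": "terminated"},
]
AD_ACCOUNTS = {
    "mjones": {"employeeID": "1001", "mail": "mary@example.test", "department": "Accounts",
               "enabled": True, "groups": ["Finance-RW"]},
    "alee": {"employeeID": "1003", "mail": "ann@example.test", "department": "Finance",
             "enabled": True, "groups": ["Finance-RW", "Payroll"]},
    "xghost": {"employeeID": "9999", "mail": "ghost@example.test", "department": "IT",
               "enabled": True, "groups": ["Domain Admins"]},  # no HR record behind it
}

# Attribute-level precedence: which connected source is allowed to write each attribute.
PRECEDENCE = {"displayName": "HR", "department": "HR", "status": "HR", "mail": "AD"}


def import_to_connector_space(source, records, anchor="employeeID"):
    """Management-agent import: stage each object in the source's own connector
    space, keyed by the join anchor so it can be matched across sources."""
    return {r[anchor]: dict(r, _source=source) for r in records}


def build_metaverse(*connector_spaces):
    """Join connector-space objects on the anchor into one metaverse object per
    person, letting only the precedent source overwrite an attribute."""
    metaverse = {}
    for cs in connector_spaces:
        for anchor, obj in cs.items():
            mv = metaverse.setdefault(anchor, {"connectors": set()})
            mv["connectors"].add(obj["_source"])
            for attr, value in obj.items():
                if attr.startswith("_"):
                    continue
                if PRECEDENCE.get(attr) == obj["_source"] or attr not in mv:
                    mv[attr] = value
    return metaverse


def account_name(display_name):
    """Constructed naming rule: first initial plus surname, lower case."""
    first, last = display_name.lower().split()
    return first[0] + last


def run_sync(hr_records, ad_accounts):
    """One synchronization run: import both sources, join them, then export the
    resulting create/update/disable actions to the directory.
    Returns (metaverse, actions, updated directory); the inputs are not modified."""
    ad = copy.deepcopy(ad_accounts)
    hr_cs = import_to_connector_space("HR", hr_records)
    ad_cs = import_to_connector_space("AD", [dict(v, account=name) for name, v in ad.items()])
    metaverse = build_metaverse(ad_cs, hr_cs)
    actions = []
    for anchor, mv in metaverse.items():
        if "HR" not in mv["connectors"]:
            # Directory account with no authoritative HR record: report it, never guess.
            actions.append(("flag-orphan", mv["account"]))
        elif "AD" not in mv["connectors"]:
            if mv["status"] == "active":  # new user: create the account (provisioning)
                name = account_name(mv["displayName"])
                ad[name] = {"employeeID": anchor, "mail": "", "department": mv["department"],
                            "enabled": True, "groups": []}
                actions.append(("create", name))
        elif mv["status"] == "terminated":
            # Retire user: disable the account and remove entitlements (deprovisioning)
            acct = ad[mv["account"]]
            if acct["enabled"] or acct["groups"]:
                acct["enabled"], acct["groups"] = False, []
                actions.append(("disable", mv["account"]))
        elif ad[mv["account"]]["department"] != mv["department"]:
            # Change user: HR has precedence on department, so flow the new value out
            ad[mv["account"]]["department"] = mv["department"]
            actions.append(("update", mv["account"]))
    return metaverse, actions, ad


if __name__ == "__main__":
    _, acts, directory = run_sync(HR_RECORDS, AD_ACCOUNTS)
    for act in acts:
        print(act)
```

The orphan case is the one worth noticing from an audit standpoint: an enabled, privileged directory account that no authoritative source claims is exactly what a synchronization run should surface rather than silently leave alone or delete.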

Managing Passwords
MIIS 2003 provides the ability to manage passwords through:
- Help desk reset
- Windows-initiated changes
- Web-initiated changes
- Other system-initiated changes through non-Microsoft software

Identity Management: Best Practices
- Define all business rules before implementation
- Determine service-level agreements
- Identify all existing systems or processes that might conflict with identity synchronization
- Train development and support staff
- Plan for custom code development
- Implement a disaster recovery plan and secure the MIIS service accounts

Intranet Access Management
Agenda: Identity and Access Management Concepts; Identity Management; Intranet Access Management; Extranet Access Management

Intranet Access Management: What Are the Challenges?
Common business challenges related to intranet access management include:
- No single sign-on capabilities
- A higher number of password reset requests
- Multiple, inconsistent approaches to security services

Approaches to Single Sign-on
Approaches to single sign-on, in order of preference, include:
1. Application integration with Windows security services
2. Platform integration with Windows directory and security services
3. Application integration with Windows directory services
4. Indirect integration through credential mapping
5. Synchronized accounts and passwords

Implementing Single Sign-on
Approaches to implementing single sign-on include:
- Desktop-integrated SSO
- Web SSO
- Credential mapping, or Enterprise SSO

Using Credential Manager
Credential Manager is used to save the user's credentials automatically and use them for future access to a resource.
Credential Manager supports the following types of credentials:
- User name and password combinations
- X.509 digital certificates
- Microsoft Passport credentials

Understanding Windows Authorization Options
Windows Server 2003 supports a number of authorization mechanisms:
- The Windows access control list-based impersonation model
- Role-based authorization
- ASP.NET authorization

Understanding Windows Server 2003 Authorization Manager
Authorization Manager organizes users into various roles within the application, as shown:
[Diagram: Authorization Policy Store with Mary = Manager and Bob = User; authorization is checked at the application server, giving role-based access to resources]
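The role-based check the diagram shows, worked through in code as an added example for this transcript (it is not the Authorization Manager API or any Microsoft sample). The policy store contents, the 5000 limit in the business rule, and all function names are constructed. It follows the Authorization Manager structure of operations grouped into tasks, tasks grouped into roles, and principals assigned to roles, with the decision made at the application server; it also shows why one assignment change ("Mary is no longer a Manager") is easier to get right than editing every resource's ACL.

```python
"""Role-based authorization in the style of Windows Server 2003 Authorization Manager.

Added illustration, not the Authorization Manager API. The policy store contents,
the amount limit in the business rule, and all function names are constructed.
"""
import copy

# Constructed policy store. Operations are the low-level checks the application
# performs; tasks group operations; roles group tasks; principals are assigned roles.
POLICY_STORE = {
    "operations": {"ReadReport", "ApproveExpense", "EditBudget"},
    "tasks": {
        "ViewReports": {"ReadReport"},
        "ManageBudget": {"ReadReport", "ApproveExpense", "EditBudget"},
    },
    "roles": {
        "User": {"ViewReports"},
        "Manager": {"ViewReports", "ManageBudget"},
    },
    "assignments": {"Mary": {"Manager"}, "Bob": {"User"}},
}

# Constructed business rule: a dynamic condition evaluated together with the
# role check, here a spending limit on expense approvals.
BUSINESS_RULES = {
    "ApproveExpense": lambda ctx: ctx.get("amount", 0) <= 5000,
}


class PolicyError(ValueError):
    """Raised when an application asks about an operation the store does not define."""


def operations_for(store, principal):
    """Expand principal -> roles -> tasks -> operations."""
    ops = set()
    for role in store["assignments"].get(principal, set()):
        for task in store["roles"][role]:
            ops |= store["tasks"][task]
    return ops


def access_check(store, principal, operation, context=None):
    """Authorization check as performed at the application server.
    Denies by default; an undefined operation is a configuration error, not an allow."""
    if operation not in store["operations"]:
        raise PolicyError(f"operation {operation!r} is not defined in the policy store")
    if operation not in operations_for(store, principal):
        return False
    rule = BUSINESS_RULES.get(operation)
    return rule(context or {}) if rule else True


def reassign(store, principal, roles):
    """Change user: a single assignment edit changes every resource decision,
    which is the administrative advantage of roles over per-resource ACL entries."""
    store["assignments"][principal] = set(roles)


def demo():
    """Decisions for Mary before and after she is moved from Manager to User."""
    store = copy.deepcopy(POLICY_STORE)
    before = access_check(store, "Mary", "ApproveExpense", {"amount": 1200})
    over_limit = access_check(store, "Mary", "ApproveExpense", {"amount": 9000})
    reassign(store, "Mary", ["User"])
    after = access_check(store, "Mary", "ApproveExpense", {"amount": 1200})
    return before, over_limit, after


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Raising on an operation the store does not know about, instead of returning False, is deliberate: a silent deny hides a deployment mistake, while an exception at the application server gets the policy store fixed.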

Extranet Access Management
Agenda: Overview of Identity and Access Management; Identity Management; Intranet Access Management; Extranet Access Management

Extranet Access Management: What Are the Challenges?
Challenges related to extranet access management include:
- Providing secure sessions over the Web
- The need for a robust authentication and access control mechanism
- The need for a common security model that includes authentication, Web SSO, authorization, and personalization

Identifying Extranet Considerations
Considerations that may affect your extranet access management approach include:
- Virtual Private Network or Web SSO access
- Directory service selection
- Existing applications
- Identity life-cycle management
- Password security

Understanding Authentication Methods for Extranet Access
Protocols used for extranet access include:
- SSL 3.0 and TLS 1.0
- Passport authentication
- Digest authentication
- Forms-based authentication
- Basic authentication
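Two of the HTTP methods listed, Basic and Digest, differ in what actually travels over the wire, which is why the slide lists SSL/TLS alongside them. The following added example (not from the presentation, not a Microsoft or IIS sample) works both exchanges through: the Basic header is decoded exactly as anyone who can read an unencrypted request would decode it, and the Digest exchange follows RFC 2617 with qop="auth" from challenge to client response to server verification. The realm, user, password, nonce, URI and function names are constructed assumptions.

```python
"""Basic vs. Digest HTTP authentication, worked end to end (RFC 2617, qop="auth").

Added illustration, not from the presentation. REALM, the user, password, nonce
and URI are constructed values; the function names are this example's own.
"""
import base64
import hashlib
import hmac

REALM = "extranet.example.test"  # constructed


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# --- Basic authentication: the password is base64-encoded, not protected ---
def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """What any party that can read the HTTP request recovers when Basic is
    used without SSL/TLS: the user name and the password themselves."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# --- Digest authentication: a hash bound to a server nonce travels instead ---
def digest_challenge(nonce):
    """Server's WWW-Authenticate parameters (the nonce is generated per challenge)."""
    return {"realm": REALM, "nonce": nonce, "qop": "auth"}


def digest_response(user, password, method, uri, challenge, nc="00000001", cnonce="0a4f113b"):
    """Client side: compute the Authorization header fields for the challenge."""
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce, "response": response}


def verify_digest(user_db, method, fields, issued_nonce):
    """Server side: recompute from the stored HA1 (hash of user:realm:password), so
    the clear-text password is never stored; reject a nonce this server did not issue
    and compare in constant time."""
    if fields["nonce"] != issued_nonce or fields["realm"] != REALM:
        return False
    ha1 = user_db.get(fields["username"])
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    expected = md5_hex(f"{ha1}:{fields['nonce']}:{fields['nc']}:{fields['cnonce']}:{fields['qop']}:{ha2}")
    return hmac.compare_digest(expected, fields["response"])


# Constructed server-side store: only HA1 per user, never the password.
USER_DB = {"mary": md5_hex(f"mary:{REALM}:s3cret-pass")}


def exchange(password, nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"):
    """Full round trip: challenge, client response, server verification."""
    challenge = digest_challenge(nonce)
    fields = digest_response("mary", password, "GET", "/reports/", challenge)
    return verify_digest(USER_DB, "GET", fields, nonce)


if __name__ == "__main__":
    print(decode_basic(basic_header("mary", "s3cret-pass")))  # the clear-text pair
    print(exchange("s3cret-pass"), exchange("wrong"))           # True False
```

The practical reading of the slide's list: Basic and Forms-based authentication carry the password itself and are only acceptable inside an SSL/TLS session; Digest avoids sending the password but still needs the server to hold a per-realm hash and to reject nonces it did not issue, which is what verify_digest does.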

Understanding Authorization Techniques for Extranet Access
Extranet authorization techniques can include the following:
- ACL
- RBAC

Using Trusts and Shadow Accounts for Extranet Access
Alternatives to using trusts include:
- Using shadow accounts
- Implementing public key infrastructure trusts
- Using qualified subordination

Implementing Security Auditing
Use security auditing to monitor the following services:
- Directory services
- Authentication
- Authorization
The following products and technologies can be used for security auditing and reporting:
- Windows Security Event Log
- WMI
- MOM
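An added example (not from the presentation and not a MOM rule set) of the kind of check one would run over the Windows Security Event Log to monitor the three services named: authentication (a burst of logon failures for one account), directory services (a user account created by something other than the provisioning service) and authorization (a member added to a privileged group). The CSV layout, the sample lines, PROVISIONING_ACCOUNT, WATCHED_GROUPS and the function names are constructed; the event IDs are the Windows Server 2003 audit IDs 528 (successful logon), 529 (logon failure), 624 (user account created) and 632 (member added to a security-enabled global group).

```python
"""Security-auditing checks over constructed Windows Server 2003 Security log records.

Added illustration, not from the presentation. The CSV layout, the sample lines,
PROVISIONING_ACCOUNT, WATCHED_GROUPS and the function names are constructed; the
event IDs are the Windows Server 2003 audit IDs 528 (successful logon), 529 (logon
failure), 624 (user account created) and 632 (member added to a global group).
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: time, event ID, subject (who acted), target, detail.
SAMPLE_LOG = """\
time,event_id,subject,target,detail
2005-05-10 09:00:05,528,mjones,,WKS01
2005-05-10 09:01:10,529,bsmith,,WKS07
2005-05-10 09:01:12,529,bsmith,,WKS07
2005-05-10 09:01:15,529,bsmith,,WKS07
2005-05-10 09:01:20,529,bsmith,,WKS07
2005-05-10 09:01:25,529,bsmith,,WKS07
2005-05-10 09:15:00,529,mjones,,WKS01
2005-05-10 09:30:00,624,svc-miis,bsmith,DC01
2005-05-10 11:45:00,624,jdoe,tempadmin,DC01
2005-05-10 11:46:00,632,jdoe,Domain Admins,tempadmin
"""

PROVISIONING_ACCOUNT = "svc-miis"   # constructed: the only account expected to create users
WATCHED_GROUPS = {"Domain Admins"}  # constructed watch list


def parse_log(text):
    """Parse the CSV export into event dicts with typed time and event_id."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` logon failures (529) inside any
    sliding window of length `window`; returns {account: peak count}."""
    times = defaultdict(list)
    for e in events:
        if e["event_id"] == 529:
            times[e["subject"]].append(e["time"])
    bursts = {}
    for account, stamps in times.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[account] = best
    return bursts


def unauthorized_creations(events):
    """Account creations (624) not performed by the provisioning service."""
    return [(e["subject"], e["target"]) for e in events
            if e["event_id"] == 624 and e["subject"] != PROVISIONING_ACCOUNT]


def privileged_group_changes(events):
    """Members added (632) to any watched group: (actor, group, member)."""
    return [(e["subject"], e["target"], e["detail"]) for e in events
            if e["event_id"] == 632 and e["target"] in WATCHED_GROUPS]


def audit_report(text):
    events = parse_log(text)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "unauthorized_creations": unauthorized_creations(events),
        "privileged_group_changes": privileged_group_changes(events),
    }


if __name__ == "__main__":
    for name, findings in audit_report(SAMPLE_LOG).items():
        print(name, findings)
```

The creation-by-provisioning-service check is the link back to the identity management half of the session: once provisioning is automated, any 624 event whose subject is not the service account is, by definition, outside the process and worth a ticket.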

Session Summary
- Implementing an identity and access management solution will greatly reduce management effort, simplify the end user experience, and increase overall security
- MIIS 2003 can manage identity information, automate provisioning and deprovisioning, and synchronize various types of information among multiple identity store formats
- A thorough understanding of authentication and authorization options provides the background needed to effectively secure your network infrastructure
- It is important to understand which authentication and authorization protocols are appropriate for extranet access

Next Steps
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Order the Security Guidance Kit: http://www.microsoft.com/security/guidance/order/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance

Questions and Answers

Contact Details
Paula Kiernan, Ward Solutions
paula.kiernan@ward.ie
www.ward.ie