TechNet Architectural Design Series Part 5: Identity and Access Management
Gary Williams & Colin Brown, Microsoft Consulting Services
Session 5: Identity and Access Management
Gary Williams – Identity Management Consultant
Colin Brown – Security Consultant
MCS Talks: Infrastructure Architecture
Agenda
- Introduction to Identity Terminology
- Challenges & Issues
- Identity Environment – Fact Finding
- Identity Solutions: Products, Architecture, Work Packages
- Recommendations
Introduction to Identity Terminology
IDA Terminology
- IDA / IAM / IdM
- Digital Identity
- Credential
- Security Principal
- Authentication
- Identity Store
- Identity Synchronisation
- Identity Integration Services
- Provisioning
- Identity Lifecycle Management
IDA Terminology (continued)
- Entitlement
- Authorisation
- Trust
- Identity Federation
- Security Auditing
- Access Services
- Digital Certificates
- Public Key Infrastructure (PKI)
- Certificate Revocation List (CRL)
- Encryption
Challenges & Issues
[Chart: number of digital IDs over time. Pre-1980s mainframe, 1980s client/server, 1990s Internet, 2000s business automation; application reach widening from the company (B2E) to partners (B2B), customers (B2C) and mobility.]
Islands of applications have led to islands of identities.
Challenges & Issues: Why do Identity Management projects fail?
- Identity ecosystems develop organically
- Fragmented identity infrastructures: one system is added at a time (applications, databases, operating systems), and each system potentially requires a unique identity repository
- Changing organisation perimeter: credentials often do not cross boundaries
- Politics
- Product / skillset knowledge
Setting the scene: What is it we are trying to achieve?
Identity & Access Management: providing the right people with the right access at the right time.
- Identity Store
- Authentication (who I am)
- Authorisation (what can I do)
- Lifecycle Management / Administration
- Monitoring / Audit
Identity Environment – Fact Finding
Identity Environment – Fact Finding: Identity Drivers & Requirements
- Extend reach and range
- Increase scalability
- Lower costs
- Balance centralised vs. distributed management
- More general purpose & reusable
- Product selection must achieve business justification and work against business requirements
- Source of truth (authoritative) repository: the main repository plus a list of the other identity repositories
- Identity flow
Identity Environment – Fact Finding: Information Quality and Operational Procedures
Information quality:
- How and where is identity data created?
- How is it removed, maintained & synchronised?
- How is data creation, deletion or modification validated?
Operational procedures:
- Access rights to all systems
- Hire / fire procedures
- Department or role changes
- Role definition
- Separation of duties (admin controls)
Identity Solutions
Solutions – Identity Products
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- Active Directory Federation Services
- Active Directory Certificate Services
- Active Directory Rights Management Services
- Identity Lifecycle Manager
- Microsoft Partners
Solutions - Example Architecture
Solutions – Planning
- Think strategically, act tactically
- Phased approach
- This is generally not a technical problem: business processes, workflow definition
- An Identity and Access Management solution is a long-term engagement
Solutions – Work Packages IDA Framework
Solutions – White Pages Architectural Overview
Solutions – Provisioning & De-provisioning
Solutions – Password Management
- Reduce credentials to a single password or PIN
- Simplify the user experience
- Reduce helpdesk overhead
- Improve overall security
Solutions – Auditing & Reporting
Record identity-related events, such as:
- Logon / logoff
- Administrative actions
- Object access
in order to be able to:
- Reveal potential security problems
- Ensure user accountability
- Provide evidence
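As an added illustration of what such an audit trail makes possible (this is not code from the original deck), the following Python builds per-user logon sessions, administrative actions and object access from a constructed set of Windows Security-style events, then flags two conditions worth reviewing: an administrative action with no recorded logon session, and a burst of failed logons. The event IDs are the standard Windows Security IDs; the sample events, user names and the failure threshold are constructed for the example.

```python
from collections import defaultdict

# Standard Windows Security event IDs (known values, not taken from the slides):
# 4624 logon, 4634 logoff, 4625 failed logon, 4720 user created,
# 4728 member added to security-enabled global group, 4663 object access.
ADMIN_EVENTS = {4720: "user created", 4728: "added to group"}
OBJECT_ACCESS = 4663

# Constructed sample log: (time, event id, subject user, detail)
EVENTS = [
    ("09:00", 4624, "alice", "logon type 2"),
    ("09:05", 4663, "alice", r"\\fs1\hr\salaries.xlsx"),
    ("09:10", 4728, "alice", "target: Domain Admins, member: bob"),
    ("09:30", 4634, "alice", ""),
    ("10:00", 4625, "bob", "bad password"),
    ("10:00", 4625, "bob", "bad password"),
    ("10:01", 4625, "bob", "bad password"),
    ("10:02", 4625, "bob", "bad password"),
    ("11:00", 4720, "carol", "target: svc-backup"),  # no logon recorded for carol
]

def build_trail(events):
    """Return {user: {"sessions", "admin", "access", "failed"}} from ordered events."""
    trail = defaultdict(lambda: {"sessions": [], "admin": [], "access": [], "failed": 0})
    open_session = {}  # user -> logon time of the currently open session
    for ts, eid, user, detail in events:
        rec = trail[user]
        if eid == 4624:
            open_session[user] = ts
        elif eid == 4634:
            rec["sessions"].append((open_session.pop(user, None), ts))
        elif eid == 4625:
            rec["failed"] += 1
        elif eid in ADMIN_EVENTS:
            # record whether the admin action happened inside a recorded session
            rec["admin"].append((ts, ADMIN_EVENTS[eid], detail, user in open_session))
        elif eid == OBJECT_ACCESS:
            rec["access"].append((ts, detail))
    return dict(trail)

def find_problems(trail, failed_threshold=3):
    """Flag admin actions with no recorded logon and bursts of failed logons."""
    problems = []
    for user, rec in trail.items():
        for ts, action, _detail, in_session in rec["admin"]:
            if not in_session:
                problems.append((user, ts, f"{action} without a recorded logon session"))
        if rec["failed"] >= failed_threshold:
            problems.append((user, None, f"{rec['failed']} failed logons"))
    return problems
```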
Solutions – Profile Management
Capture or create business processes to:
- Define identity profiles
- Associate allowable actions
- Delineate self-service and administrative actions
Solutions – Role Based Access Control
Solutions – Single Sign-On
Provide a single authentication action in order to:
- Reduce user authentication events
- Reduce authentication stores and associated management overhead
Solutions – Directory Consolidation
Reduce the number of identity repositories, and with them:
- Complexity
- Duplication
- Administrative overhead
Solutions – Securing Network Services
Provide a strong authentication mechanism (2-factor authentication) in order to:
- Secure network services
- Provide security services to applications
- Provide higher security assurance
Solutions – Securing Network Services (example architecture)
[Diagram: Root CA with manual publish to the Issuing CAs; registration authorities RA1 and RA2; SQL1 and SQL2 with log shipping and mirroring; load balancing; certificate consumers: Clients, VPN, AD, SSL Web, Exchange, TS1 and TS2.]
Solutions – Protecting Data Wherever It Goes
[Diagram: RMS architecture]
- Workstation
- RMS Server: certification, licensing, templates
- Active Directory: authentication, service discovery, group membership
- SQL Server: configuration data, logging, cache
- MOSS 2007: document libraries with IRM
- Exchange 2007 SP1: pre-licensing, fetching
Recommendations
Goals of an IAM Strategy
- Secure, pervasive, consistent and reliable authentication and authorisation
- Open standards that allow integration across security boundaries
- Reduce the cost of managing identities
- Extend access to applications & files to out-of-office / mobile users
- Improve management and maintenance of user identities
IAM Strategy Recommendations
- Document the IAM infrastructure
- Produce fast results
- Address high-risk areas early
- Increase integration between directory, security and application services
- Improve capabilities that promote finding organisational data
IAM Strategy Recommendations (continued)
- Most IAM projects are bigger than organisations expect
- Not all technologies within IAM provide direct benefits, though all are necessary for the complete framework
- Use the proper justification and benefit statements as part of your deployment
Your potential. Our drive.
Thank you for attending this TechNet Event
Visit the blog at:
Register for the next session, Desktop Deployment, at: