TechNet Architectural Design Series Part 5: Identity and Access Management Gary Williams & Colin Brown Microsoft Consulting Services.
Session 5: Identity and Access Management. Gary Williams – Identity Management Consultant; Colin Brown – Security Consultant. MCS Talks: Infrastructure Architecture.

Agenda: Introduction to Identity Terminology; Challenges & Issues; Identity Environment – Fact Finding; Identity Solutions (Products, Architecture, Work Packages); Recommendations.

Introduction to Identity Terminology

Introduction – IDA Terminology: IDA / IAM / IdM; Digital Identity; Credential; Security Principal; Authentication; Identity Store; Identity Synchronisation; Identity Integration Services; Provisioning; Identity Lifecycle Management.

Introduction – IDA Terminology (continued): Entitlement; Authorisation; Trust; Identity Federation; Security Auditing; Access Services; Digital Certificates; Public Key Infrastructure (PKI); Certificate Revocation List (CRL); Encryption.

Challenges & Issues

[Chart: number of digital IDs over time, pre-1980s through the 2000s. Applications: Mainframe, Client/Server, Internet, Business Automation. Populations: Company (B2E), Partners (B2B), Customers (B2C), Mobility.] Islands of applications have led to islands of identities.

Challenges & Issues – Why do Identity Management projects fail? Identity ecosystems develop organically: fragmented identity infrastructures; one system is added at a time (applications, databases, operating systems); each system potentially requires a unique identity repository. Changing organisation perimeter: credentials often do not cross boundaries. Politics. Product/skillset knowledge.

Setting the scene – What is it we are trying to achieve? Identity & Access Management: providing the right people with the right access at the right time. Identity Store; Authentication (who I am); Authorisation (what can I do); Lifecycle Management / Administration; Monitoring / Audit.

Identity Environment – Fact Finding

Identity Environment – Fact Finding. Identity drivers & requirements: extend reach and range; increase scalability; lower costs; balance centralised vs. distributed management; more general purpose & reusable. Product selection must achieve business justification and work against business requirements. Source of truth (authoritative) repository: main repository & list of other identity repositories; identity flow.

Identity Environment – Fact Finding (continued). Information quality: how and where is identity data created; how is it removed, maintained & synchronised; how is data creation, deletion or modification validated. Operational procedures: access rights to all systems; hire / fire procedures; department or role changes; role definition; separation of duties (admin controls).

Identity Solutions

Solutions – Identity Products: Active Directory Domain Services; Active Directory Lightweight Directory Services; Active Directory Federation Services; Active Directory Certificate Services; Active Directory Rights Management Services; Identity Lifecycle Manager; Microsoft Partners.

Solutions - Example Architecture

Solutions – Planning: think strategically, act tactically; phased approach; this is generally not a technical problem (business processes, workflow definition); an Identity and Access Management solution is a long-term engagement.

Solutions – Work Packages IDA Framework

Solutions – White Pages Architectural Overview

Solutions – Provisioning & De-provisioning

Solutions – Password Management: reduce credentials to a single password or PIN; simplify the user experience; reduce helpdesk overhead; improve overall security.

Solutions – Auditing & Reporting: record identity-related events, such as logon/off, administrative actions and object access, in order to reveal potential security problems, ensure user accountability and provide evidence.
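As an added illustration of the auditing slide (example code, not part of the original presentation): two small detectors run over a constructed log of identity events of the kinds listed above (logon/off, an administrative group change, object access). The event names, timestamps, accounts and the 3-failures-in-5-minutes threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-audit log (not real data): logon/off events,
# one administrative action and one object access, in arrival order.
EVENTS = [
    {"time": "2008-10-01T08:00:05", "event": "logon_failure", "user": "alice", "actor": None, "target": None},
    {"time": "2008-10-01T08:00:20", "event": "logon_failure", "user": "alice", "actor": None, "target": None},
    {"time": "2008-10-01T08:00:40", "event": "logon_failure", "user": "alice", "actor": None, "target": None},
    {"time": "2008-10-01T08:01:10", "event": "logon_success", "user": "alice", "actor": None, "target": None},
    {"time": "2008-10-01T08:02:00", "event": "logon_failure", "user": "carol", "actor": None, "target": None},
    {"time": "2008-10-01T08:02:30", "event": "logon_success", "user": "carol", "actor": None, "target": None},
    {"time": "2008-10-01T08:05:00", "event": "group_member_added", "user": "alice", "actor": "bob", "target": "Domain Admins"},
    {"time": "2008-10-01T08:06:00", "event": "object_access", "user": "alice", "actor": None, "target": "hr-payroll-share"},
]

FAILURE_THRESHOLD = 3          # assumed tuning values for this example
WINDOW = timedelta(minutes=5)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def parse(events):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    return sorted(({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
                  key=lambda e: e["time"])


def failed_then_success(events):
    """Accounts that succeed after >= FAILURE_THRESHOLD failures within WINDOW.

    Returns (user, failure_count, success_time) tuples; the failure history
    is reset after each successful logon so each finding is reported once.
    """
    failures = defaultdict(list)
    findings = []
    for e in parse(events):
        if e["event"] == "logon_failure":
            failures[e["user"]].append(e["time"])
        elif e["event"] == "logon_success":
            recent = [t for t in failures[e["user"]] if e["time"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append((e["user"], len(recent), e["time"].isoformat()))
            failures[e["user"]].clear()
    return findings


def privileged_group_changes(events, approved_actors=frozenset()):
    """Administrative actions adding members to privileged groups, for accountability.

    Any actor not on the approved change list is reported as (actor, member, group).
    """
    return [(e["actor"], e["user"], e["target"]) for e in parse(events)
            if e["event"] == "group_member_added"
            and e["target"] in PRIVILEGED_GROUPS
            and e["actor"] not in approved_actors]
```

Both functions return findings rather than printing them, so the same logic can feed a report or a ticketing step.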

Solutions – Profile Management: capture or create business processes to define identity profiles, associate allowable actions, and delineate self-service and administrative actions.

Solutions – Role Based Access Control

Solutions – Single Sign-On: provide a single authentication action, in order to reduce user authentication events and reduce authentication stores and their associated management overhead.

Solutions – Directory Consolidation: reduce the number of identity repositories, and with them complexity, duplication and administrative overhead.

Solutions – Securing Network Services: provide a strong authentication mechanism; provide 2-factor authentication; in order to secure network services, provide security services to applications and provide higher security assurance.

[Diagram – Solutions – Securing Network Services: Root CA (manual publish) to Issuing CAs; RA1 and RA2; SQL1 and SQL2 with log shipping and mirroring; load balancing; clients consuming VPN, AD, SSL Web, Exchange, TS1 and TS2.]

[Diagram – Solutions – Protecting Data Wherever It Goes: Workstation; RMS Server (certification, licensing, templates); Active Directory (authentication, service discovery, group membership); SQL Server (configuration data, logging, cache); MOSS 2007 document libraries with IRM; Exchange 2007 SP1 pre-licensing and fetching.]

Recommendations

Goals of an IAM Strategy: secure, pervasive, consistent and reliable authentication and authorisation; open standards that allow integration across security boundaries; reduce the cost of managing identities; extend access to applications & files to out-of-office/mobile users; improve management and maintenance of user identities.

IAM Strategy Recommendations: document the IAM infrastructure; produce fast results; address high-risk areas early; increase integration between directory, security and application services; improve capabilities that promote finding organisational data.

IAM Strategy Recommendations (continued): most IAM projects are bigger than organisations expect; not all technologies within IAM provide direct benefits, though all are necessary for the complete framework; use proper justification and benefit statements as part of your deployment.

Your potential. Our drive. Thank you for attending this TechNet Event. Visit the blog and register for the next session, Desktop Deployment.