identity_and_access_management_overview.ppt
Post on 26-Oct-2015
Identity and Access Management: Overview
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.
2
Objectives
Build a good conceptual background to enable later technical discussions of the subject
Overview the problems and opportunities in the field of identity and access management
Introduce terminology
Highlight a possible future direction
3
Session Agenda
Identity Problem of Today
Identity Laws and Metasystem
Components and Terminology
Roadmap
5
Universal Identity?
Internet was built so that communications are anonymous
In-house networks use multiple, often mutually-incompatible, proprietary identity systems
Users are incapable of handling multiple identities
Criminals love to exploit this mess
6
Explosion of IDs
Chart: number of digital IDs against time (pre-1980s, 1980s, 1990s, 2000s), rising through the Mainframe, Client Server, Internet and Business Automation eras
Applications driving the growth: Company (B2E), Partners (B2B), Customers (B2C), Mobility
7
The Disconnected Reality
“Identity Chaos”
Lots of users and systems required to do business
Multiple repositories of identity information; multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing
Diagram: Enterprise Directory surrounded by HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS and another In-House Application, each holding its own authentication, authorization and identity data (some only a subset of the three)
8
Multiple Contexts
Diagram: your COMPANY and your EMPLOYEES; your SUPPLIERS; your PARTNERS; your REMOTE and VIRTUAL EMPLOYEES; your CUSTOMERS
Drivers: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles; process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce
9
Trends Impacting Identity
Increasing threat landscape: identity theft costs banks and credit card issuers $1.2 billion in 1 year; $250 billion lost in 2004 from exposure of confidential info
Maintenance costs dominate IT budget: on average employees need access to 16 apps and systems; companies spend $20-30 per user per year for password resets
Deeper line-of-business automation and integration: one half of all enterprises have SOA under development; web services spending growing 45% CAGR
Rising tide of regulation and compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …; $15.5 billion spend in 2005 on compliance (analyst estimate)
Data sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
10
Pain Points
Business Owner: too expensive to reach new partners, channels; need for control
End User: too many passwords; long waits for access to apps, resources
IT Admin: too many user stores and account admin requests; unsafe sync scripts
Developer: redundant code in each app; rework code too often
Security/Compliance: too many orphaned accounts; limited auditing ability
11
Possible Savings
Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group
Password Management
“Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner
User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group
12
Can We Just Ignore It All?
Today, average corporate user spends 16 minutes a day logging on
A typical home user maintains 12-18 identities
Number of phishing and pharming sites grew over 1600% over the past year
Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
Regulators are becoming stricter about compliance and auditing
Orphaned accounts and identities lead to security problems
Source: Microsoft’s internal research and Anti-phishing Working Group Feb 2005
13
One or Two Solutions?
Better Option:
Build a global, universal, federated identity metasystem
Will take years…
Quicker Option:
Build an in-house, federated identity metasystem based on standards
Federate it to others, system-by-system
But: both solutions could share the same conceptual basis
15
Lessons from Passport
Passport designed to solve two problems
Identity provider for MSN
250M+ users, 1 billion logons per day
Significant success
Identity provider for the Internet
Unsuccessful:
Not trusted “outside context”
Not generic enough
Meant giving up control over identity management
Cannot re-write apps to use a central system
Learning: solution must be different than Passport
16
Idea of an Identity Metasystem
Not an Identity System
Agreement on metadata and protocols, allowing multiple identity providers and brokers
Based on open standards
Supported by multiple technologies and platforms
Adhering to Laws of Identity
With full respect of privacy needs
17
Roles Within Identity Metasystem
Identity Providers
Organisations, governments, even end-users
They provide Identity Claims about a Subject
Name, vehicles allowed to drive, age, etc.
Relying Parties
Online services or sites, doors, etc.
Subjects
Individuals and other bodies that need their identity established
18
Metasystem Players
Relying Parties: require identities
Subjects: individuals and other entities about whom claims are made
Identity Providers: issue identities
19
Identity Metasystem Today
Basically, the set of WS-* Security Guidelines as we have it
Plus
Software that implements the services
Microsoft and many others working on it
Companies that would use it
Still to come, but early adopters exist
End-users that would trust it
Will take time
20
Identity Laws
www.identityblog.com
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
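The three roles from the preceding slides (identity provider, relying party, subject) and laws 1 to 4 can be watched in a single claims exchange. The following is an added example for this transcript, not code from the deck or from any Microsoft or WS-* implementation. The identity provider and relying party names, the subject record and the keys are invented, and a per-issuer HMAC key known to the relying parties that trust that issuer stands in for the XML signatures and certificates a WS-* deployment would use:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: everything one identity provider knows about a subject.
# (Not real people; the issuer, relying party names and keys below are all invented.)
IDP_RECORDS = {
    "alice": {"name": "Alice Example", "age": 34,
              "licence_classes": ["B", "C1"], "address": "1 Sample Street"},
}
# Assumption: a symmetric HMAC key per issuer, shared with the relying parties that
# trust it, stands in for the XML signatures and certificates WS-* would use.
IDP_KEYS = {"licensing-authority.example": b"constructed-idp-signing-key"}
# Relying parties the IdP has agreed to release claims to (law 3: justifiable parties).
REGISTERED_RPS = {"car-rental.example", "cinema.example"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_claims(issuer: str, subject: str, requested: list, audience: str,
                 consent: set, now: Optional[int] = None, ttl: int = 300) -> str:
    """Identity provider side: release only the claims the relying party asked for
    and the subject consented to (laws 1 and 2), bound to that one relying party
    (law 4) and to a short validity window."""
    if audience not in REGISTERED_RPS:
        raise PermissionError(f"{audience} is not a justifiable party for this IdP")
    record = IDP_RECORDS[subject]
    refused = [c for c in requested if c not in consent]
    if refused:
        raise PermissionError(f"subject did not consent to release: {refused}")
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,
        "exp": now + ttl,
        "claims": {c: record[c] for c in requested},   # nothing else leaves the record
    }
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(IDP_KEYS[issuer], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_claims(token: str, expected_audience: str, trusted_issuers: dict,
                  now: Optional[int] = None) -> Optional[dict]:
    """Relying party side: accept the claims only if the signature verifies under a
    trusted issuer's key, the token was issued for us, and it has not expired.
    Returns the claims dict, or None on any failure."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:
        return None                               # unknown or untrusted issuer
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None                               # altered body or forged signature
    if payload.get("aud") != expected_audience:
        return None                               # issued for a different relying party
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload["claims"]


def demo(now: int = 1_700_000_000) -> dict:
    """One exchange: the IdP issues age and licence claims for a car-rental site, which
    accepts them; the same token is refused elsewhere, after expiry, or once altered."""
    token = issue_claims("licensing-authority.example", "alice",
                         ["age", "licence_classes"], "car-rental.example",
                         consent={"age", "licence_classes"}, now=now)
    return {
        "accepted": verify_claims(token, "car-rental.example", IDP_KEYS, now=now),
        "other_rp": verify_claims(token, "cinema.example", IDP_KEYS, now=now),
        "expired": verify_claims(token, "car-rental.example", IDP_KEYS, now=now + 600),
        "tampered": verify_claims("f" + token[1:], "car-rental.example", IDP_KEYS, now=now),
    }


if __name__ == "__main__":
    for outcome, claims in demo().items():
        print(f"{outcome:>9}: {claims}")
```

Two points worth noticing when running it: the subject's address never leaves the identity provider because the relying party did not ask for it, and the relying party's trust is nothing more than the list of issuers whose keys it holds, so a token from anyone else, or one minted for another site, is simply ignored.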
21
Enterprise Applicability
That proposed metasystem would work well inside a corporation
Of course, we need a solution before it becomes a reality
Following the principles seems a good idea while planning immediate solutions
Organic growth likely to lead to an identity metasystem in long term
22
Enterprise Trends
Kerberos is very useful but increasingly it does not span disconnected identity forests and technologies easily
We are moving away from static Groups and traditional ACLs…
Increasingly limited and difficult to manage on large scales
…towards a dynamic combination of:
Role-Based Access Management, and,
Rich Claims Authorization
PKI is still too restrictive, but it is clearly a component of a possible solution
24
What is Identity Management?
Provisioning, Single Sign On, PKI, Strong Authentication, Federation, Directories, Authorization, Secure Remote Access, Password Management, Web Services Security, Auditing & Reporting, Role Management, Digital Rights Management
25
Identity and Access Management
A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials
Directory Services: repositories for storing and managing accounts, identity information, and security credentials
Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance
26
Remember the Chaos?
Diagram (as on slide 7): Enterprise Directory surrounded by HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS and another In-House Application, each holding its own authentication, authorization and identity data
27
Identity Integration
Diagram: an Identity Integration Server sits between the Enterprise Directory and HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, Student Admin and another In-House Application, each still holding its own authentication, authorization and identity data
28
IAM Benefits
Benefits today (Tactical) and benefits to take you forward (Strategic):
Save money and improve operational efficiency
Improved time to deliver applications and service
Enhance Security
Regulatory Compliance and Audit
New ways of working
Improved time to market
Closer Supplier, Customer, Partner and Employee relationships
29
Some Basic Definitions
Authentication (AuthN)
Verification of a subject’s identity by means of relying on a provided claim
Identification is sometimes seen as a preliminary step of authentication
Collection of untrusted (as yet) information about a subject, such as an identity claim
Authorization (AuthZ)
Deciding what actions, rights or privileges the subject can be allowed
Trend towards separation of those two
Or even of all three, if biometrics are used
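The separation of identification, authentication and authorization described above, together with the move from static groups and ACLs towards roles plus rich claims that the Enterprise Trends slide describes, can be shown in one small access path. This is an added example, not code from the deck or from any Microsoft product; the users, passwords, claims, resources and policy rules are all constructed:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (no real users). One fixed salt keeps the sample
# deterministic; a real credential store uses a random salt per user.
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


CREDENTIALS = {                       # what authentication checks against
    "alice": _pw_hash("correct horse"),
    "bob": _pw_hash("battery staple"),
    "carol": _pw_hash("purple monkey"),
}
IDENTITY_CLAIMS = {                   # what authorization reasons over (HR-sourced)
    "alice": {"department": "finance", "status": "active", "cost_centre": "CC-100"},
    "bob": {"department": "finance", "status": "left", "cost_centre": "CC-100"},
    "carol": {"department": "finance", "status": "active", "cost_centre": "CC-200"},
}
RESOURCES = {"finance-ledger": {"cost_centre": "CC-100"}, "intranet": {}}

# Old style: a static ACL maintained by hand. Bob has left, but nobody removed him.
STATIC_ACL = {"finance-ledger": {"alice", "bob"}}

# New style: roles are computed from claims at decision time, permissions hang off
# roles, and a resource may add a claim predicate of its own ("rich claims").
ROLE_RULES = {
    "employee": lambda c: c.get("status") == "active",
    "finance-user": lambda c: c.get("status") == "active" and c.get("department") == "finance",
}
PERMISSIONS = {"finance-ledger": {"read": {"finance-user"}}, "intranet": {"read": {"employee"}}}
CLAIM_CONSTRAINTS = {
    ("finance-ledger", "read"): lambda c, res: c.get("cost_centre") == res["cost_centre"],
}


@dataclass
class Principal:
    subject: str
    claims: dict


def identify(request: dict) -> str:
    """Step 1, identification: collect the subject's identity claim from the request.
    At this point it is only an untrusted string."""
    return request["username"].strip().lower()


def authenticate(claimed_subject: str, password: str) -> Optional[Principal]:
    """Step 2, authentication: verify the claim against the credential store. Yields
    a principal carrying the subject's claims, or None. No access decision is made here."""
    stored = CREDENTIALS.get(claimed_subject)
    if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
        return None
    return Principal(claimed_subject, IDENTITY_CLAIMS.get(claimed_subject, {}))


def roles_for(claims: dict) -> set:
    """Roles are derived from current claims, never stored as static group membership."""
    return {role for role, rule in ROLE_RULES.items() if rule(claims)}


def authorize(principal: Principal, action: str, resource: str) -> bool:
    """Step 3, authorization: decide from roles and claims only, independent of how
    the subject authenticated."""
    allowed_roles = PERMISSIONS.get(resource, {}).get(action, set())
    if not roles_for(principal.claims) & allowed_roles:
        return False
    constraint = CLAIM_CONSTRAINTS.get((resource, action))
    return constraint is None or constraint(principal.claims, RESOURCES[resource])


def static_acl_allows(subject: str, resource: str) -> bool:
    return subject in STATIC_ACL.get(resource, set())


def demo() -> dict:
    """Per login attempt: (static ACL answer, roles-plus-claims answer), or None when
    authentication failed and no authorization question is ever asked."""
    results = {}
    for username, password in [("alice", "correct horse"), ("Bob ", "battery staple"),
                               ("carol", "purple monkey"), ("alice", "wrong")]:
        principal = authenticate(identify({"username": username}), password)
        results[(username.strip(), password)] = None if principal is None else (
            static_acl_allows(principal.subject, "finance-ledger"),
            authorize(principal, "read", "finance-ledger"))
    return results


if __name__ == "__main__":
    for attempt, outcome in demo().items():
        print(attempt, "->", outcome)
```

Bob is the case the slides warn about: his credential still works and the hand-maintained ACL still lists him, so the static path grants access, while the claims path denies him the moment HR marks him as no longer active. Carol shows the other half of "rich claims": she holds the right role but sits in a different cost centre, so the resource's own predicate refuses her.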
30
Components of IAM
Administration
User Management
Password Management
Workflow
Delegation
Access Management
Authentication
Authorization
Identity Management
Account Provisioning
Account Deprovisioning
Synchronisation
Reliable Identity Data
Diagram: Administration, Authorization, Authentication
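How account provisioning, deprovisioning and synchronisation from a reliable identity source fit together, and how the orphaned accounts listed among the pain points come to light, can be shown with a small synchronisation planner. This is an added example, not MIIS or any other product's logic; the HR export, the directory snapshot, the account naming convention and the rules are all assumed for the illustration:

```python
import csv
import io
from typing import List, Tuple

# Constructed sample feeds (not real data). HR is treated as the authoritative source
# of identity data; the directory snapshot is what the sync run finds in the account store.
HR_CSV = """employee_id,name,department,status
1001,Alice Example,finance,active
1002,Bob Example,finance,terminated
1004,Dana Example,engineering,active
"""

DIRECTORY_CSV = """account,employee_id,department,enabled
alice,1001,accounting,true
bob,1002,finance,true
carol,1003,sales,true
svc-backup,,it,true
"""

Action = Tuple[str, str, str]   # (action, account, detail)


def parse_csv(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def account_name_for(full_name: str) -> str:
    """Naming convention assumed for this example: first initial plus surname, lower case."""
    first, _, last = full_name.partition(" ")
    return (first[:1] + last).lower().replace(" ", "")


def plan_sync(hr_rows: List[dict], dir_rows: List[dict]) -> List[Action]:
    """Compare HR (authoritative) with the directory and list the actions a sync run
    would take. The rules are this example's assumptions, not any product's defaults:
      - active employee with no account              -> provision
      - non-active employee whose account is enabled -> disable (deprovision, keep for audit)
      - account attribute differs from HR            -> update from HR
      - account whose employee_id is unknown to HR   -> flag as orphan for review
      - account with no employee_id at all           -> service account, flag for owner review"""
    hr_by_id = {row["employee_id"]: row for row in hr_rows}
    dir_by_id = {row["employee_id"]: row for row in dir_rows if row["employee_id"]}
    actions: List[Action] = []

    for emp_id, hr in hr_by_id.items():
        acct = dir_by_id.get(emp_id)
        if acct is None:
            if hr["status"] == "active":
                actions.append(("provision", account_name_for(hr["name"]), emp_id))
            continue
        if hr["status"] != "active" and acct["enabled"] == "true":
            actions.append(("disable", acct["account"], emp_id))
        if acct["department"] != hr["department"]:
            actions.append(("update", acct["account"], f"department={hr['department']}"))

    for acct in dir_rows:
        if not acct["employee_id"]:
            actions.append(("review-service-account", acct["account"], "no owner recorded"))
        elif acct["employee_id"] not in hr_by_id:
            actions.append(("flag-orphan", acct["account"], acct["employee_id"]))
    return sorted(actions)


def orphaned_accounts(actions: List[Action]) -> List[str]:
    """Accounts the run could not tie back to any HR record."""
    return [account for action, account, _ in actions if action == "flag-orphan"]


if __name__ == "__main__":
    plan = plan_sync(parse_csv(HR_CSV), parse_csv(DIRECTORY_CSV))
    for action, account, detail in plan:
        print(f"{action:<24}{account:<12}{detail}")
    print("orphans:", orphaned_accounts(plan))
```

Orphans are flagged rather than deleted on purpose: an account with no matching HR record may be a data-entry error in either feed, and removing it automatically would turn a reporting problem into an outage. Disabling a leaver's account, by contrast, is safe to automate and is the single step that closes most of the "orphaned accounts" exposure the earlier slides describe.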
33
Microsoft’s Identity Management
PKI / CA
Extended Directory Services
Active Directory & ADAM
Enterprise Single Sign On
Authorization Manager
Active Directory Federation Services
Audit Collection Services
BizTalk
Identity Integration Server
ISA Server
SQL Server Reporting
Services for Unix / Services for Netware
Grouped on the slide under: Directory (Store) Services, Access Management, Identity Lifecycle Management
34
Components of a Microsoft-based IAM
Infrastructure Directory: Active Directory
Application Directory: AD/AM (LDAP)
Lifecycle Management: MIIS
Workflow: BizTalk, Partner Solutions (Ultimus BPM, SAP)
Role-Based Access Control: Authorization Manager or Partner Solutions (ex: OCG, RSA) and traditional approaches
Directory & Password Synchronization: MIIS & Partner solutions
SSO (Intranet): Kerberos/NTLM, Vintela/Centrify
Enterprise SSO (Intranet): Sharepoint ESSO, BizTalk ESSO, HIS ESSO
Strong Authentication: SmartCards, CA/PKI, Partner (eg. RSA – SecurID, MCLMS, WizeKey)
Web SSO: ADFS, Partner (eg. RSA – ClearTrust)
Integration of UNIX/Novell: SFU, SFN, Partner (eg. Vintella/Centrify)
Federation: ADFS
36
Summary
We have reached an “Identity Crisis” both on the intranet and the Internet
Identity Metasystem suggests a unifying way forward
Meanwhile, Identity and Access Management systems need to be built so enterprises can benefit immediately
Microsoft is rapidly becoming a strong provider of IAM technologies and IM vision
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet
37
Special Thanks
This seminar was prepared with the help of:
Oxford Computer Group Ltd
Expertise in Identity and Access Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com
Microsoft, with special thanks to:
Daniel Meyer – thanks for many slides
Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert – Sponsorship
Bas Paumen & NGN - feedback