enterprise mobility (security)

Post on 19-Oct-2014

DESCRIPTION

Achieve full security and control over your mobile devices. Microsoft Services can show you how. Presentation by Martin Kiær, Microsoft Services.

TRANSCRIPT

Page 1: Enterprise Mobility (Security)
Page 2: Enterprise Mobility (Security)

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

Bruce Schneier

American cryptographer, computer security and privacy specialist

Page 3: Enterprise Mobility (Security)

Assess customer goals, challenges, threats, requirements, and technical security maturity.

Establish a common framework and definition of security, and introduce Microsoft solutions and services.

Explore customer requirements and goals, and share Microsoft capabilities

Outline strategic and tactical projects, with business goals and requirements.

Implement appropriate security solutions based on business goals.

Solutions

Page 4: Enterprise Mobility (Security)

Seen this before? (diagram)

Identity lifecycle operations shown: Create, Delete, Attribute, Sync

Identity stores and systems shown: Cloud (O365, Azure, Amazon, Google, etc.), Active Directory, Exchange, Lotus Notes etc., HR (PeopleSoft, SAP, Dynamics), Financials, SharePoint, Sales

Actors shown: Application Owner, Business Manager, Users, IT Helpdesk, Administrator

Page 5: Enterprise Mobility (Security)
Page 6: Enterprise Mobility (Security)

Limited or no use of Active Directory

User provisioning and access management done manually

Minimal enterprise identity and access policy standards

Active Directory for User Authentication and Authorization

Single sign-on to Windows-integrated applications

Active Directory security groups used for user access control

Desktops not managed by group policy

Group policy used to manage desktops for security and settings

Desktops are tightly managed

Centrally managed, automated user account provisioning across systems

Centrally managed, automated access controls across systems

Page 7: Enterprise Mobility (Security)

| Capability | Basic | Standardized | Rationalized | Dynamic |
|---|---|---|---|---|
| Administration | | | | |
| Identity Proliferation | Application Centric, Multiple Enterprise ID Stores | Enterprise ID Store + Application Specific Stores | Virtualized Identity Service | Single Enterprise ID Store |
| Provisioning | Manual, Adhoc | Some custom built scripts / Mostly Manual | Automated Creation in one or more ID stores using COTS; Email Notifications to other system owners | Automated Creation in all ID Stores |
| Deprovisioning | Manual, Adhoc | Some custom built scripts / Mostly Manual | Automated Deprovisioning in one or more ID Stores; Email Notifications to other system owners | Automated deprovisioning in all ID Stores |
| Identity Updates | Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Automated to some identity systems from Authoritative Source | Automated to all identity systems from Authoritative Source plus Self-Service capabilities |
| Synchronization | Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Synchronization among some identity systems, Time-Based | Synchronization amongst all identity systems, Event-Driven |
| Password Management | Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Self-Service Password Reset to central identity system (no synchronization) | Self-Service Password Reset and synchronization to all identity systems |
| Group Management | Manual by Admin, Static | Owner Managed (Delegations), Static | Owner Managed, Self-Service, Approvals | Dynamic/Attribute Based |
| Application Entitlement Management | Application owner specific | Central Service Desk, manual workflow | Central access request service with automated workflow | Dynamic/Attribute Based |
| User Interface | Service Center/Help Desk | Internally Accessible, Manual Updates | Internally Accessible, Self-Service | Externally Accessible |
| Change Control | None | Call Service Desk / Manual Workflow | Call Help Desk / Some Electronic Workflow | Self-Service Request with Electronic Workflow |
| Authentication | | | | |
| Convenience | Multiple IDs, Multiple Credentials, Multiple Prompts | Multiple IDs, Multiple Credentials, Single Prompt per Credential | Multiple IDs, Single Credential | Single ID, Single Credential, Single Prompt (SSO) |
| Source | Application Centric Issuer(s) | Virtual Issuer | Central Issuer | Federated and Central Issuers |
| Protocols | Multiple Protocols, No Standard | Standard set of protocols (no transition, no delegation) | Standardized Protocols with ability to transition (no delegation) | Standardized Protocols with ability for transition and delegation |
| Assurance | Shared Accounts, No Assurance | Personalized Accounts, Password Based | Multi-Factor AuthN | Risk-Based AuthN |
| Authorization | | | | |
| Entitlement Type | Application Centric | Group-Based | Role-Based, Attribute-Based | Policy-Based |
| Access Policies | Written | Enforced per Application/Resource | Centrally Enforced | Centrally Enforced with Attestation |
| Enforcement | API (Handled within Application specific code) | Proxy (Handled outside App) | Agent (applied externally and injected into app), Proprietary | Protocol Based using Industry Standard, non-Proprietary Protocols |
| Audit | | | | |
| Collection | None | Disparate | Synchronized | Central Store |
| Access Logging | No Logging | Basic logs - Network IP, Server Event logs, Web Server logs | Disparate Application-level logging | Common Application Logging Platform |
| Change Logging | None | Request | Request and Change | Request, Approval, Change |
| Alerting | Reactive, No Alerting | Reactive, Some Alerting on Key Systems | Reactive, Alerting across all systems | Alerting and Automatic Remediation |
| Reporting Methodology | Manual, Adhoc | Manual with defined process | Automated Report Generation on Key Systems | Automated Reporting and Generation on all Systems |
| Reporting Types | None | Change/Historical | Attestation | Industry/Regulatory Specific |

Page 8: Enterprise Mobility (Security)


Page 9: Enterprise Mobility (Security)


Page 10: Enterprise Mobility (Security)


Page 11: Enterprise Mobility (Security)

IT can publish access to resources with the Web Application Proxy, based on device awareness and the user's identity.

IT can provide seamless corporate access with DirectAccess and automatic VPN connections.

Users can work from anywhere on their device with access to their corporate resources.

Users can register devices for single sign-on and access to corporate data with Workplace Join.

Users can enroll devices for access to the Company Portal for easy access to corporate applications.

IT can publish Desktop Virtualization (VDI) for access to centralized resources.

Page 12: Enterprise Mobility (Security)

Not Joined | Workplace Joined | Domain Joined

Not Joined: User provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.

Workplace Joined: Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information.

Domain Joined: Domain joined computers are under the full control of IT and can be provided with complete access to corporate information.

Capabilities compared across the three tiers (the per-tier check marks did not survive extraction): Browser session single sign-on; Seamless 2-Factor Auth for web apps; Enterprise apps single sign-on; Desktop Single Sign-On.
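The three tiers above (unknown device gets partial access, registered device gets conditional access once it has authenticated, domain-joined device gets complete access) are a policy that can be written down and tested. The following is an added example, not Microsoft's Workplace Join, AD FS or Web Application Proxy logic: the resource classifications, the tier-to-classification ceilings, the `device_authenticated` flag and the sample requests are constructed assumptions. It also generalizes the slide slightly by treating any tier claim that is not backed by device authentication as an unknown device.

```python
"""Conditional access by device state, following the three tiers on the slide:
Not Joined (partial access), Workplace Joined (conditional access after device
authentication) and Domain Joined (complete access).

Added example, not Microsoft's Workplace Join / AD FS / Web Application Proxy
logic. The resource classifications, the tier-to-classification ceilings and
the sample requests are constructed assumptions for illustration."""
from enum import IntEnum


class DeviceState(IntEnum):
    NOT_JOINED = 0        # user-provided device, "unknown" to IT
    WORKPLACE_JOINED = 1  # registered with Workplace Join, device can authenticate
    DOMAIN_JOINED = 2     # fully managed by IT


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


# Assumed policy: the most sensitive classification each tier may reach.
CEILING = {
    DeviceState.NOT_JOINED: Classification.PUBLIC,           # "partial access"
    DeviceState.WORKPLACE_JOINED: Classification.INTERNAL,   # "conditional access"
    DeviceState.DOMAIN_JOINED: Classification.CONFIDENTIAL,  # "complete access"
}


def effective_state(claimed: DeviceState, device_authenticated: bool) -> DeviceState:
    """A tier above Not Joined only counts when the device actually proved its
    identity (device certificate / machine credential). An unproven claim is
    treated as an unknown device, so a spoofed registration buys nothing."""
    if claimed != DeviceState.NOT_JOINED and not device_authenticated:
        return DeviceState.NOT_JOINED
    return claimed


def decide(claimed: DeviceState, device_authenticated: bool,
           classification: Classification) -> tuple:
    """Return (allowed, reason) for one access request."""
    state = effective_state(claimed, device_authenticated)
    ceiling = CEILING[state]
    if classification <= ceiling:
        return True, f"{state.name}: {classification.name} within {ceiling.name} ceiling"
    return False, f"{state.name}: {classification.name} exceeds {ceiling.name} ceiling"


# Constructed sample requests: (claimed device state, device authenticated, resource class)
SAMPLE_REQUESTS = [
    (DeviceState.NOT_JOINED, False, Classification.PUBLIC),
    (DeviceState.NOT_JOINED, False, Classification.INTERNAL),
    (DeviceState.WORKPLACE_JOINED, True, Classification.INTERNAL),
    (DeviceState.WORKPLACE_JOINED, True, Classification.CONFIDENTIAL),
    (DeviceState.WORKPLACE_JOINED, False, Classification.INTERNAL),  # claims registration, no device auth
    (DeviceState.DOMAIN_JOINED, True, Classification.CONFIDENTIAL),
]


def evaluate(requests=SAMPLE_REQUESTS) -> list:
    """Evaluate each request and return the allow/deny verdicts in order."""
    verdicts = []
    for state, authed, cls in requests:
        allowed, reason = decide(state, authed, cls)
        verdicts.append(allowed)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason}")
    return verdicts


if __name__ == "__main__":
    evaluate()
```

The check that matters in practice is the fifth request: a device that presents as registered but fails device authentication must fall back to the unknown tier, otherwise the "conditional" in conditional access is only a label.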

Page 13: Enterprise Mobility (Security)

Allow users to manage their identity with an easy to use portal, tightly integrated with Office.

Self-service group and distribution list management, including dynamic membership in these groups and distribution lists calculated from the user's attributes.

Users can reset their passwords via Windows logon, significantly reducing help desk burden and costs.

Sync users' identities across directories, including Active Directory, Oracle, SQL Server, IBM DS, and LDAP.

Manage the complete life cycle of certificates and smart cards through integration with Active Directory.

Page 14: Enterprise Mobility (Security)

Built-in workflow for identity management

Automatically synchronize all user information to different directories across the enterprise

Automate the process of on-boarding new users

Real-time de-provisioning from all systems to prevent unauthorized access and information leakage

LDAP

Certificate Management

Page 15: Enterprise Mobility (Security)

Security Platform SAML

Page 16: Enterprise Mobility (Security)

From: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques

http://www.microsoft.com/en-us/download/details.aspx?id=36036

From: Best Practices for Securing Active Directory

http://www.microsoft.com/en-us/download/details.aspx?id=38785

From: The one company that wasn't hacked

http://www.infoworld.com/d/security/the-one-company-wasnt-hacked-194184?source=footer

Page 17: Enterprise Mobility (Security)

How MARS works (diagram)

Components: MARS Server; Admin Account (requester); Admin Group (pre-defined); Domain Groups:

• Managed Servers

• Domain Admin

• Schema Admin

• Top Secret Project

Sequence on the timeline:

1. Request Access (10:00)

2. Auto-Approve (10:00)

3. Access Resource (10:01)

4. Access Resource (3:15)
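The MARS sequence above is a just-in-time model: membership of a pre-defined privileged group is granted on request, auto-approved, and is only meant to exist for a limited window, so the 10:01 access succeeds while a much later attempt is judged against whatever grant is still valid. Below is an added example that replays the four numbered steps; it is not MARS or Microsoft code. The one-hour grant lifetime, the requester name, the date and the outcome of the 3:15 attempt (the slide shows the attempt but not its result) are assumptions made for illustration.

```python
"""Time-bound ("just in time") privileged group membership, following the
MARS sequence on the slide: request access, auto-approve, access the resource
a minute later, then try again hours later.

Added example; not MARS or Microsoft code. The one-hour grant lifetime,
the requester name, the date and the outcome of the 3:15 attempt are
assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GRANT_LIFETIME = timedelta(hours=1)  # assumed; the slide states no duration


@dataclass
class Grant:
    requester: str
    group: str
    approved_at: datetime
    expires_at: datetime


@dataclass
class JitGroupService:
    """Pre-defined privileged groups plus the currently issued time-bound grants."""
    managed_groups: frozenset
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request_access(self, requester: str, group: str, now: datetime) -> Grant:
        """Steps 1-2: request and auto-approve. Only pre-defined groups are eligible."""
        if group not in self.managed_groups:
            raise ValueError(f"{group!r} is not a MARS-managed group")
        grant = Grant(requester, group, now, now + GRANT_LIFETIME)
        self.grants.append(grant)
        self.audit.append(f"{now:%H:%M} GRANT {requester} -> {group} until {grant.expires_at:%H:%M}")
        return grant

    def is_member(self, requester: str, group: str, now: datetime) -> bool:
        """Membership exists only while an unexpired grant covers the request;
        nothing is ever added to the group permanently."""
        return any(
            g.requester == requester and g.group == group
            and g.approved_at <= now < g.expires_at
            for g in self.grants
        )

    def access_resource(self, requester: str, group: str, now: datetime) -> bool:
        """Steps 3-4: resource access is decided against effective membership now."""
        allowed = self.is_member(requester, group, now)
        verdict = "ALLOW" if allowed else "DENY (no unexpired grant)"
        self.audit.append(f"{now:%H:%M} ACCESS {requester} via {group}: {verdict}")
        return allowed

    def expire(self, now: datetime) -> int:
        """Housekeeping: drop grants whose lifetime has passed; returns how many."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)


def walk_slide_timeline():
    """Replay the four numbered steps and return both verdicts plus the audit trail."""
    svc = JitGroupService(frozenset({"Managed Servers", "Domain Admin",
                                     "Schema Admin", "Top Secret Project"}))
    day = datetime(2014, 10, 19)  # constructed date
    at = lambda h, m: day.replace(hour=h, minute=m)
    svc.request_access("admin-requester", "Managed Servers", at(10, 0))            # 1. Request, 2. Auto-Approve (10:00)
    first = svc.access_resource("admin-requester", "Managed Servers", at(10, 1))   # 3. Access Resource (10:01)
    second = svc.access_resource("admin-requester", "Managed Servers", at(15, 15))  # 4. Access Resource (3:15)
    return first, second, svc.audit


if __name__ == "__main__":
    ok, later, trail = walk_slide_timeline()
    print("\n".join(trail))
```

Two design points carry the security value: membership is computed from grants at decision time rather than written into the group (so a forgotten cleanup job cannot leave standing admin rights), and every grant and access decision lands in an audit list that a reviewer can reconcile against the request.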

Page 18: Enterprise Mobility (Security)