
Identity and Access Management: Overview
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all
information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in
File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions”
presentation for acknowledgments.
2

Objectives

Build a good conceptual background to enable later technical discussions of the subject
Overview the problems and opportunities in the field of identity and access management
Introduce terminology
Highlight a possible future direction
3

Session Agenda

Identity Problem of Today
Identity Laws and Metasystem
Components and Terminology
Roadmap
4

Identity Problem of Today
5

Universal Identity?

The Internet was built so that communications are anonymous
In-house networks use multiple, often mutually incompatible, proprietary identity systems
Users are incapable of handling multiple identities
Criminals love to exploit this mess
6

Explosion of IDs

[Chart: number of digital IDs against time. Pre-1980s: Mainframe; 1980s: Client Server; 1990s: Internet Applications; 2000s: Mobility. Each wave adds IDs for the Company (B2E), for Business Partners and Automation (B2B), and for Customers (B2C).]


7

The Disconnected Reality

[Diagram: each system keeps its own authentication, authorization and identity data: HR System, NOS, Lotus Notes Apps, Enterprise Directory, Infra Application, COTS Application, In-House Application, In-House Application.]

"Identity Chaos"
Lots of users and systems required to do business
Multiple repositories of identity information; multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing
8

Multiple Contexts

[Diagram: your COMPANY and your EMPLOYEES at the centre, surrounded by your CUSTOMERS, your SUPPLIERS, your PARTNERS, and your REMOTE and VIRTUAL EMPLOYEES. Drivers shown around them:]
Customer satisfaction & customer intimacy
Cost competitiveness
Reach, personalization
Collaboration
Outsourcing
Faster business cycles; process automation
Value chain
M&A
Mobile/global workforce
Flexible/temp workforce
9

Trends Impacting Identity

Rising Tide of Regulation and Compliance
SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
$15.5 billion spend in 2005 on compliance (analyst estimate)

Deeper Line of Business Automation and Integration
One half of all enterprises have SOA under development
Web services spending growing 45% CAGR

Increasing Threat Landscape
Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
$250 billion lost in 2004 from exposure of confidential info

Maintenance Costs Dominate IT Budget
On average employees need access to 16 apps and systems
Companies spend $20-30 per user per year for PW resets

Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
10

Pain Points

IT Admin: Too many user stores and account admin requests; Unsafe sync scripts
Developer: Redundant code in each app; Rework code too often
End User: Too many passwords; Long waits for access to apps, resources
Security/Compliance: Too many orphaned accounts; Limited auditing ability
Business Owner: Too expensive to reach new partners, channels; Need for control
11

Possible Savings
Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group
Password Management
“Password reset costs range from $51 (best case) to $147 (worst
case) for labor alone.” – Gartner
User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group
12

Can We Just Ignore It All?

Today, the average corporate user spends 16 minutes a day logging on
A typical home user maintains 12-18 identities
Number of phishing and pharming sites grew over 1600% over the past year
Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
Regulators are becoming stricter about compliance and auditing
Orphaned accounts and identities lead to security problems

Source: Microsoft’s internal research and Anti-phishing Working Group Feb 2005
13

One or Two Solutions?

Better Option:
Build a global, universal, federated identity metasystem
Will take years…

Quicker Option:
Build an in-house, federated identity metasystem based on standards
Federate it to others, system-by-system

But: both solutions could share the same conceptual basis
14

Identity Laws and Metasystem
15

Lessons from Passport

Passport was designed to solve two problems
Identity provider for MSN
250M+ users, 1 billion logons per day
Significant success
Identity provider for the Internet
Unsuccessful:
Not trusted “outside context”
Not generic enough
Meant giving up control over identity management
Cannot re-write apps to use a central system

Learning: the solution must be different from Passport
16

Idea of an Identity Metasystem

Not an Identity System
Agreement on metadata and protocols, allowing multiple identity providers and brokers
Based on open standards
Supported by multiple technologies and platforms
Adhering to Laws of Identity
With full respect of privacy needs
17

Roles Within Identity Metasystem

Identity Providers
Organisations, governments, even end-users
They provide Identity Claims about a Subject
Name, vehicles allowed to drive, age, etc.

Relying Parties
Online services or sites, doors, etc.

Subjects
Individuals and other bodies that need their identity established
18

Metasystem Players

Identity Providers: issue identities
Relying Parties: require identities
Subjects: individuals and other entities about whom claims are made
19

Identity Metasystem Today

Basically, the set of WS-* Security Guidelines as we have it
Plus
Software that implements the services
Microsoft and many others working on it
Companies that would use it
Still to come, but early adopters exist
End-users that would trust it
Will take time
20

Identity Laws (www.identityblog.com)

1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
21

Enterprise Applicability

That proposed metasystem would work well inside a corporation
Of course, we need a solution before it becomes a reality
Following the principles seems a good idea while planning immediate solutions
Organic growth is likely to lead to an identity metasystem in the long term
22

Enterprise Trends

Kerberos is very useful but increasingly it does not span disconnected identity forests and technologies easily
We are moving away from static Groups and traditional ACLs…
Increasingly limited and difficult to manage on large scales
…towards a dynamic combination of:
Role-Based Access Management, and,
Rich Claims Authorization
PKI is still too restrictive, but it is clearly a component of a possible solution
23

Components and Terminology
24

What is Identity Management?

[Word cloud of the topics that make up identity management: Password Management, Single Sign On, Secure Remote Access, Federation, Role Management, Web Services Security, Provisioning, Authorization, Auditing & Reporting, Directories, Strong Authentication, PKI, Digital Rights Management.]
25

Identity and Access Management

A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials

Directory Services: Repositories for storing and managing accounts, identity information, and security credentials
Access Management: The process of authenticating credentials and controlling access to networked resources based on trust and identity
Identity Lifecycle Management: The processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance
26

Remember the Chaos?

[Diagram repeated from “The Disconnected Reality”: HR System, NOS, Lotus Notes Apps, Enterprise Directory, Infra Application, COTS Application and two In-House Applications, each with its own authentication, authorization and identity data.]
27

Identity Integration

[Diagram: the same systems as before (HR System, Student Admin, Lotus Notes Apps, Enterprise Directory, Infra Application, COTS Application, In-House Application, In-House Application), each still holding its own authentication, authorization and identity data, now connected through a central Identity Integration Server.]
28

IAM Benefits

Benefits today (Tactical):
Save money and improve operational efficiency
Improved time to deliver applications and service
Enhance Security
Regulatory Compliance and Audit

Benefits to take you forward (Strategic):
New ways of working
Improved time to market
Closer Supplier, Customer, Partner and Employee relationships
29

Some Basic Definitions

Authentication (AuthN)
Verification of a subject’s identity by means of relying on a provided claim
Identification is sometimes seen as a preliminary step of authentication
Collection of untrusted (as yet) information about a subject, such as an identity claim
Authorization (AuthZ)
Deciding what actions, rights or privileges the subject can be allowed

Trend towards separation of those two
Or even of all three, if biometrics are used
30
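The roles defined above (identity provider, relying party, subject), the minimal-disclosure and directed-identity laws, the AuthN/AuthZ separation just given and the claims-based authorization mentioned under Enterprise Trends, as one added Python example. It is not part of the original deck and is not code from any Microsoft product; Python is used only because the deck contains no code of its own. The token format, the shared issuer key ISSUER_KEY (a real identity provider signs with a private key and the relying party checks its certificate), the subject record and the two policy rules are constructed assumptions.

```python
"""Identity-metasystem roles in miniature: an identity provider issues a claims
token about a subject, a relying party verifies it (authentication) and then
decides what the subject may do (authorization).
Added example, not code from the original deck. Token format, issuer key and
sample data are assumptions chosen so it runs with the standard library only."""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a shared secret between IdP and RP stands in for the IdP's signing key.
ISSUER_KEY = b"demo-issuer-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Identity provider --------------------------------------------------
# Constructed sample: everything the IdP knows about the subject "alice".
SUBJECT_DIRECTORY = {
    "alice": {"name": "Alice Example", "age": 34,
              "vehicles": ["car", "motorbike"], "roles": ["finance-approver"]},
}


def issue_token(subject, audience, requested_claims, now=None, ttl=300):
    """Minimal disclosure: release only the claims the relying party asked for,
    and direct the token at that one audience with a short lifetime."""
    now = now or int(time.time())
    record = SUBJECT_DIRECTORY[subject]
    claims = {k: record[k] for k in requested_claims if k in record}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
               "claims": claims}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


# --- Relying party: authentication --------------------------------------
class TokenRejected(Exception):
    pass


def verify_token(token, expected_audience, now=None):
    """Authentication: accept claims only from a token that is intact (signature),
    meant for this relying party (audience) and inside its validity window."""
    now = now or int(time.time())
    try:
        body, sig = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    payload = json.loads(_unb64(body))
    if payload["aud"] != expected_audience:
        raise TokenRejected("token was issued for another relying party")
    if not payload["iat"] <= now < payload["exp"]:
        raise TokenRejected("expired or not yet valid")
    return payload["sub"], payload["claims"]


def is_rejected(token, audience, now):
    """True when the relying party would refuse the token."""
    try:
        verify_token(token, audience, now=now)
        return False
    except TokenRejected:
        return True


# --- Relying party: authorization ---------------------------------------
# Policy is evaluated over claims, not over group membership or a static ACL.
POLICY = {
    "rent-motorbike": lambda c: c.get("age", 0) >= 21 and "motorbike" in c.get("vehicles", []),
    "approve-invoice": lambda c: "finance-approver" in c.get("roles", []),
}


def authorize(claims, action):
    rule = POLICY.get(action)
    return bool(rule and rule(claims))


def demo():
    """A vehicle-rental site asks only for age and vehicles; it never learns
    alice's name or her finance role, so it cannot authorize invoice approval."""
    now = 1_700_000_000
    token = issue_token("alice", "rentals.example", ["age", "vehicles"], now=now)
    sub, claims = verify_token(token, "rentals.example", now=now)
    return {"subject": sub, "claims_released": sorted(claims),
            "rent": authorize(claims, "rent-motorbike"),
            "approve": authorize(claims, "approve-invoice")}


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from it is the separation: the relying party never sees a password or the subject's full record, only the signed claims it asked for, and the authorization decision is a policy over those claims that can change without touching the identity provider. A token meant for another site, a tampered token or an expired one all fail at the authentication step before any policy runs.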

Components of IAM

Administration: User Management, Password Management, Workflow, Delegation
Access Management: Authentication, Authorization
Identity Management: Account Provisioning, Account Deprovisioning, Synchronisation, Reliable Identity Data
31
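The provisioning, deprovisioning and synchronisation components listed above, together with the orphaned-account problem raised earlier in the deck, as an added Python example. It is not part of the deck and is not MIIS code: it reconciles an authoritative HR feed against a directory export and emits the actions an identity lifecycle process would take. The two feeds, the join on employee ID and the action names are constructed assumptions.

```python
"""Identity lifecycle management in miniature: reconcile an authoritative HR feed
against the accounts in a directory and produce provisioning, attribute-sync,
disable and orphan findings.
Added example, not code from the deck or from MIIS; the data and the join rule
(employee ID) are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    department: str
    active: bool          # False once HR has processed the leaver


@dataclass
class DirectoryAccount:
    sam: str
    employee_id: Optional[str]   # None when the account was never tied to a person
    department: str
    enabled: bool


# Constructed sample data: HR is authoritative, the directory has drifted.
HR_FEED = [
    HrRecord("E100", "Alice Example", "Finance", True),
    HrRecord("E101", "Bob Example", "Sales", True),
    HrRecord("E102", "Carol Example", "Engineering", False),  # has left
    HrRecord("E103", "Dan Example", "Finance", True),         # new starter
]
DIRECTORY = [
    DirectoryAccount("alice", "E100", "Finance", True),
    DirectoryAccount("bob", "E101", "Marketing", True),       # stale attribute
    DirectoryAccount("carol", "E102", "Engineering", True),   # leaver still enabled
    DirectoryAccount("svc-backup", None, "IT", True),         # no HR owner: orphaned
]


@dataclass
class Plan:
    provision: List[str] = field(default_factory=list)               # HR IDs with no account
    update: List[Tuple[str, str, str]] = field(default_factory=list)  # (account, attribute, new value)
    disable: List[str] = field(default_factory=list)                 # accounts of leavers still enabled
    orphaned: List[str] = field(default_factory=list)                # accounts with no HR owner


def reconcile(hr_feed, directory):
    """Join directory accounts to HR records on employee ID and derive actions.
    Leavers are disabled rather than deleted so the step is reversible and auditable."""
    hr_by_id = {r.employee_id: r for r in hr_feed}
    plan = Plan()
    joined = set()
    for acct in directory:
        rec = hr_by_id.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            plan.orphaned.append(acct.sam)       # nobody in HR vouches for this account
            continue
        joined.add(rec.employee_id)
        if not rec.active:
            if acct.enabled:
                plan.disable.append(acct.sam)    # deprovisioning lagging behind HR
        elif acct.department != rec.department:
            plan.update.append((acct.sam, "department", rec.department))  # sync from the authoritative source
    for rec in hr_feed:
        if rec.active and rec.employee_id not in joined:
            plan.provision.append(rec.employee_id)  # joiner with no account yet
    return plan


if __name__ == "__main__":
    print(reconcile(HR_FEED, DIRECTORY))
```

Orphaned accounts are reported rather than disabled automatically because some of them are legitimate service accounts; the security gain comes from having an owner recorded for every account, which is what the join on employee ID enforces. Running this on every HR export is the "Reliable Identity Data" component in practice: the directory stops being edited by hand and converges on the authoritative source.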

IAM Architecture
32

Roadmap
33

Microsoft’s Identity Management

Directory (Store) Services: Active Directory & ADAM; Extended Directory Services; Enterprise PKI / CA; Services for Unix / Services for Netware
Access Management: Active Directory Federation Services; Authorization Manager; Single Sign On Services; ISA Server
Identity Lifecycle Management: Identity Integration Server; BizTalk; Audit Collection Services; SQL Server Reporting
34

Components of a Microsoft-based IAM

Infrastructure Directory: Active Directory
Application Directory: AD/AM (LDAP)
Lifecycle Management: MIIS
Workflow: BizTalk, Partner Solutions (Ultimus BPM, SAP)
Role-Based Access Control: Authorization Manager or Partner Solutions (ex: OCG, RSA) and traditional approaches
Directory & Password Synchronization: MIIS & Partner solutions
SSO (Intranet): Kerberos/NTLM, Vintela/Centrify
Enterprise SSO (Intranet): Sharepoint ESSO, BizTalk ESSO, HIS ESSO
Strong Authentication: SmartCards, CA/PKI, Partner (eg. RSA – SecurID, MCLMS, WizeKey)
Web SSO: ADFS, Partner (eg. RSA – ClearTrust)
Integration of UNIX/Novell: SFU, SFN, Partner (eg. Vintela/Centrify)
Federation: ADFS
35

Summary
36

Summary

We have reached an “Identity Crisis” both on the intranet and the Internet
Identity Metasystem suggests a unifying way forward
Meanwhile, Identity and Access Management systems need to be built so enterprises can benefit immediately
Microsoft is rapidly becoming a strong provider of IAM technologies and IM vision
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet
37

Special Thanks
This seminar was prepared with the help of:

Oxford Computer Group Ltd
Expertise in Identity and Access Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com

Microsoft, with special thanks to:
Daniel Meyer – thanks for many slides
Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert – Sponsorship
Bas Paumen & NGN - feedback
38

Appendix
39

Identity Management Platform

[Layered diagram built up over slides 40 to 53: first the generic layers and their boxes, then the Microsoft or partner product mapped onto each layer.]

Directory Services: User Management, Service Management, Network Management, Network Security, Access Control, Infrastructure Management
  Products: Windows Server (Active Directory/ADAM, PKI, AzMan); Quest / Centrify

Extended Directory Services: Desktop IDM Env., Certificate Management, Smartcard Management, Information Rights Mgmt.
  Products: InfoCard; Windows PKI; Alacris; MS RMS Server

Provisioning & Password Management Services: Automated Provisioning, Automated Synch., Password Management
  Products: Microsoft Identity Integration Server

Frontend Services: Self-Service Interface, Enterprise User-Man., Enterprise Role-Man., Auditing & Reporting, IDM Workflow, Policy Management
  Products: IIS, AzMan, Sharepoint, SQL-Server, BizTalk; partners: FastPass, AVAC, bHold, Quest, Ultimus

Access Services: Web SSO, Federated SSO, Unix/Linux SSO, Host SSO, Remote Access, Access Audit&Rep
  Products: Active Directory Federation Server; Quest / Centrify; HIS & ESSO; ISA Server; MOM & ACS
