Identity and Access Management: Overview
Build a good conceptual background to enable later technical discussions of the subject
Survey the problems and opportunities in the field of identity and access management
Introduce terminology
Highlight a possible future direction
Session Agenda
Identity Problem of Today
Identity Laws and Metasystem
Components and Terminology
Roadmap
Identity Problem of Today
Universal Identity?
The Internet was built so that communications are anonymous
In-house networks use multiple, often mutually incompatible, proprietary identity systems
Users are incapable of handling multiple identities
Criminals love to exploit this mess
Explosion of IDs (chart: number of digital IDs and applications plotted against time)
Eras: Pre 1980’s, 1980’s, 1990’s, 2000’s
Platforms: Mainframe, Client Server, Internet
Drivers: Business Automation, Company (B2E), Partners (B2B), Customers (B2C), Mobility
The Disconnected Reality
“Identity Chaos”
Lots of users and systems required to do business
Multiple repositories of identity information; multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing
Increasing Threat Landscape: identity theft costs banks and credit card issuers $1.2 billion in 1 yr; $250 billion lost in 2004 from exposure of confidential info
Maintenance Costs Dominate IT Budget: on average employees need access to 16 apps and systems; companies spend $20-30 per user per year for PW resets
Deeper Line of Business Automation and Integration: one half of all enterprises have SOA under development; web services spending growing 45% CAGR
Rising Tide of Regulation and Compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …; $15.5 billion spend in 2005 on compliance (analyst estimate)
Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group
Password Management
“Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner
User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group
Can We Just Ignore It All?
Today, the average corporate user spends 16 minutes a day logging on
A typical home user maintains 12-18 identities
Number of phishing and pharming sites grew over 1600% over the past year
Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
Regulators are becoming stricter about compliance and auditing
Orphaned accounts and identities lead to security problems
Source: Microsoft’s internal research and Anti-Phishing Working Group, Feb 2005
One or Two Solutions?
Better Option:
Build a global, universal, federated identity metasystem
Will take years…
Quicker Option:
Build an in-house, federated identity metasystem based on standards
Federate it to others, system-by-system
But: both solutions could share the same conceptual basis
Identity Laws and Metasystem
Lessons from Passport
Passport was designed to solve two problems
Identity provider for MSN
250M+ users, 1 billion logons per day
Significant success
Identity provider for the Internet
Meant giving up control over identity management
Cannot re-write apps to use a central system
Learning: the solution must be different from Passport
Idea of an Identity Metasystem
Not an Identity System
Agreement on metadata and protocols, allowing multiple identity providers and brokers
Based on open standards
Supported by multiple technologies and platforms
Adhering to the Laws of Identity
With full respect for privacy needs
Roles Within the Identity Metasystem
Identity Providers
Organisations, governments, even end-users
They provide Identity Claims about a Subject
Name, vehicles allowed to drive, age, etc.
Relying Parties
Online services or sites, doors, etc.
Subjects
Individuals and other bodies that need their identity established
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
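The roles and laws above, as an added worked example that is not part of the original deck: an identity provider issues a signed claim set about a subject only after consent and with minimal disclosure, and a relying party checks issuer and audience before making a separate authorization decision. The names, the HMAC key shared between IdP and RP (standing in for an issuer signature) and the fixed current year are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example: one identity provider (IdP), relying parties (RPs) and a subject.
# An HMAC key shared between IdP and RP stands in for the issuer's signature (assumption).
IDP_KEY = b"constructed-idp-signing-key"
IDP_NAME = "idp.example.test"
# Everything the IdP knows about the subject; most of it must never reach an RP.
SUBJECT = {"email": "alice@example.test", "name": "Alice Example", "birth_year": 1980}
CURRENT_YEAR = 2006  # fixed so the example is deterministic

def derive_claims(record, requested, rp_id):
    """Minimal disclosure (Law 2): release only the claims the RP asked for, derived
    where possible ("over_18" instead of a birth year), plus a directed identifier
    (Law 4) that is different at every relying party."""
    claims = {}
    for name in requested:
        if name == "over_18":
            claims[name] = CURRENT_YEAR - record["birth_year"] >= 18
        elif name in record:
            claims[name] = record[name]
    pairwise = f"{record['email']}|{rp_id}".encode()
    claims["sub"] = hashlib.sha256(pairwise).hexdigest()[:16]
    return claims

def issue_token(record, requested, rp_id, consented):
    """IdP side: the subject must consent (Law 1) before a signed claim set is issued."""
    if not consented:
        raise PermissionError("subject did not consent to release these claims")
    payload = {"iss": IDP_NAME, "aud": rp_id, "claims": derive_claims(record, requested, rp_id)}
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()

def rp_accept(body, sig, rp_id, trusted_issuers):
    """RP side (authentication): verify the signature, the issuer (Law 3, justifiable
    parties) and that the token was directed at this RP; return the claims or None."""
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(body)
    if payload["iss"] not in trusted_issuers or payload["aud"] != rp_id:
        return None
    return payload["claims"]

def authorize_purchase(claims):
    """RP side (authorization), kept separate from authentication: decide from claims only."""
    return claims is not None and claims.get("over_18") is True
```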
Enterprise Applicability
That proposed metasystem would work well inside a corporation
Of course, we need a solution before it becomes a reality
Following the principles seems a good idea while planning immediate solutions
Organic growth is likely to lead to an identity metasystem in the long term
Enterprise Trends
Kerberos is very useful but increasingly it does not span disconnected identity forests and technologies easily
We are moving away from static Groups and traditional ACLs…
Increasingly limited and difficult to manage on large scales
…towards a dynamic combination of:
PKI is still too restrictive, but it is clearly a component of a possible solution
Components and Terminology
What is Identity Management?
Provisioning, Single Sign On, PKI, Strong Authentication, Federation, Directories, Authorization, Secure Remote Access, Password Management, Web Services Security, Auditing & Reporting, Role Management, Digital Rights Management
Identity and Access Management
A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials
Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
Directory Services: repositories for storing and managing accounts, identity information, and security credentials
Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance
Remember the Chaos? (diagram: each system holds its own authentication, authorization and identity data, independent of the Enterprise Directory)
Systems shown: Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS, In-House Application
Identity Integration (diagram: the same systems, each still with its own authentication, authorization and identity data, now connected through an Identity Integration Server to the Enterprise Directory)
Systems shown: HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, Student Admin, In-House Application, Identity Integration Server, Enterprise Directory
IAM Benefits
Benefits today (Tactical):
Save money and improve operational efficiency
Improved time to deliver applications and service
Enhance Security
Regulatory Compliance and Audit
Benefits to take you forward (Strategic):
New ways of working
Improved time to market
Closer Supplier, Customer, Partner and Employee relationships
Some Basic Definitions
Authentication (AuthN)
Verification of a subject’s identity by relying on a provided claim
Identification is sometimes seen as a preliminary step of authentication
Collection of untrusted (as yet) information about a subject, such as an identity claim
Authorization (AuthZ)
Deciding what actions, rights or privileges the subject can be allowed
Trend towards separation of those two
Or even of all three, if biometrics are used
Components of IAM
Administration
User Management
Password Management
Workflow
Delegation
Access Management
Authentication
Authorization
Identity Management
Account Provisioning
Account Deprovisioning
Synchronisation
Reliable Identity Data
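How the synchronisation, provisioning and deprovisioning components work together against the orphaned-account problem raised earlier, as an added example that is not from the deck: an authoritative HR feed is reconciled against directory accounts to find leavers still enabled, accounts with no owner, stale attributes and joiners without an account. The records, logins and field names are constructed.

```python
# Constructed sample data: an HR system as the authoritative source of identity,
# and a directory/application account store that should mirror it.
HR_RECORDS = [
    {"employee_id": "E1001", "name": "Alice Example", "dept": "Finance", "status": "active"},
    {"employee_id": "E1002", "name": "Bob Example", "dept": "IT", "status": "active"},
    {"employee_id": "E1003", "name": "Carol Example", "dept": "Sales", "status": "terminated"},
    {"employee_id": "E1004", "name": "Dave Example", "dept": "IT", "status": "active"},
]
DIRECTORY_ACCOUNTS = [
    {"login": "alice", "employee_id": "E1001", "enabled": True, "dept": "Finance"},
    {"login": "carol", "employee_id": "E1003", "enabled": True, "dept": "Sales"},  # leaver, still enabled
    {"login": "svc-backup", "employee_id": None, "enabled": True, "dept": None},    # no owner in HR
    {"login": "bob", "employee_id": "E1002", "enabled": True, "dept": "Helpdesk"},  # stale attribute
]

def reconcile(hr_records, accounts):
    """Compare the authoritative HR feed with the account store and return the
    actions an identity integration step would take:
      disable   - accounts whose owner is no longer active (deprovisioning)
      sync      - attributes where the directory disagrees with HR (HR wins)
      provision - active employees with no account yet (joiners)
      review    - accounts with no owner in HR at all (orphans needing an owner)"""
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    linked = set()
    actions = {"disable": [], "sync": [], "provision": [], "review": []}
    for acct in accounts:
        owner = hr_by_id.get(acct["employee_id"])
        if owner is None:
            actions["review"].append(acct["login"])
            continue
        linked.add(owner["employee_id"])
        if owner["status"] != "active":
            if acct["enabled"]:
                actions["disable"].append(acct["login"])
        elif acct["dept"] != owner["dept"]:
            actions["sync"].append((acct["login"], "dept", owner["dept"]))
    for emp_id, record in hr_by_id.items():
        if record["status"] == "active" and emp_id not in linked:
            actions["provision"].append(emp_id)
    return actions
```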
Components of a Microsoft-based IAM
Infrastructure Directory: Active Directory
Role-Based Access Control: Authorization Manager or Partner Solutions (ex: OCG, RSA) and traditional approaches
Integration of UNIX/Novell: SFU, SFN, Partner (eg. Vintela/Centrify)
Federation: ADFS
Summary
We have reached an “Identity Crisis” both on the intranet and the Internet
The Identity Metasystem suggests a unifying way forward
Meanwhile, Identity and Access Management systems need to be built so enterprises can benefit immediately
Microsoft is rapidly becoming a strong provider of IAM technologies and IM vision