TechNet Architectural Design Series Part 5: Identity and Access Management

TechNet Architectural Design SeriesPart 5: Identity and Access Management

Gary Williams & Colin BrownMicrosoft Consulting Services

Live Meeting Information...

Feedback Panel

Questions & Answers

Blog - http://blogs.technet.com/MCSTalks

Session 5: Identity and Access Management Gary Williams – Identity Management ConsultantColin Brown – Security Consultant

MCS Talks Infrastructure Architecture

Agenda

Introduction to Identity TerminologyChallenges & IssuesIdentity Environment – Fact FindingIdentity Solutions

ProductsArchitectureWork Packages

Recommendations

Introduction to Identity Terminology

IDA / IAM / IdMDigital IdentityCredentialSecurity PrincipalAuthenticationIdentity StoreIdentity SynchronisationIdentity Integration ServicesProvisioningIdentity Lifecycle Management

Introduction IDA Terminology

EntitlementAuthorisationTrustIdentity FederationSecurity AuditingAccess ServicesDigital CertificatesPublic Key Infrastructure (PKI)Certificate Revocation List (CRL)Encryption

Introduction IDA Terminology

Challenges & Issues

Pre 1980’s 1980’s 1990’s 2000’s

# ofDigital IDs

Time

Applicatio

ns

Mainframe

Client Server

Internet

BusinessAutomation

Company(B2E)

Partners(B2B)

Customers(B2C)

Mobility

Islands Of Applications Has lead to islands of identities

Identity ecosystems develop organicallyFragmented identity infrastructures

One system is added at a timeApplications, Databases, Operating Systems

Each system potentially requires a unique identity repositoryChanging organisation perimeter

Credentials often do not cross boundariesPoliticsProduct/skillset knowledge

Challenges & IssuesWhy do Identity Management projects fail?

Identity & Access Management :

Providing the right people with the right access at the right time

Identity Store

Authentication

Authorisation

Who I am

What can I do

Lifecycle Management /Administration

Monitoring/Audit

COMPLIANCE!

Setting the sceneWhat is it we are trying to achieve?

Identity Environment – Fact Finding

Identity Drivers & requirementsExtend reach and rangeIncrease scalabilityLowering costsBalance centralised vs. distributed managementMore general purpose & reusableProduct selection must achieve

Business justificationWork against business requirements

Source of truth (authoritative) repositoryMain repository & list of other identity repositories

Identity Flow

Identity Environment – Fact Finding

Information QualityHow and where is identity data createdHow is it removed, maintained & synchronisedHow is data creation, deletion or modification validated

Operational ProceduresAccess rights to all systemsHire / Fire proceduresDepartment or role changesRole definition Separation of duties (admin controls)

Identity Environment – Fact Finding

Identity Solutions

Solutions – Identity Products

Active Directory Domain Services

Active Directory Lightweight Directory Services

Active Directory Federation Services

Active Directory Certificate Services

Active Directory Rights Management Services

Identity Lifecycle Manager

Microsoft Partners

Solutions - Example Architecture

Solutions – Planning

Think strategically act tacticallyPhased approach

This is generally not a technical problemBusiness processesWorkflow definition

An Identity and Access Management solution is a long term engagement

Solutions – Work PackagesIDA FrameworkWhite Pages

Provisioning/De-provisioning

Password Management

Auditing & Reporting

Profile Management

Role Based Access

Single Sign-On

Directory Consolidation

Securing Network Services

Protecting Data Wherever it goes

Solutions – White PagesArchitectural Overview

Solutions – Provisioning & De-provisioning

Solutions – Provisioning & De-provisioning

Reduce credentials to a single password or PIN Simplify the user experienceReduce helpdesk overheadImprove overall security

Solutions – Password Management

Record identity related events, such as:Logon/offAdministrative actionsObject accessIn order to be able to:

Reveal potential security problemsEnsure user accountabilityProvide evidence

Solutions – Auditing & Reporting

Capture or create business process to Define identity profiles Associate allowable actionsDelineate self-service and administrative actions

Solutions – Profile Management

Solutions – Role Based Access Control

Provide a single authentication actionIn order to

Reduce user authentication eventsReduce authentication stores and associated management overhead

Solutions – Single Sign-On

Reduce the number of identity repositoriesComplexityDuplicationAdministrative overhead

Solutions – Directory Consolidation

Provide a strong authentication mechanismProvide 2 factor authenticationIn order to

Secure network servicesProvide security services to applicationsProvide higher security assurance

Solutions – Securing Network Services

SQL1 SQL2

Root CA

Manual Publish

Issuing CA’s

RA1 RA2

Clients

VPN AD

SSL Web Exchange

TS1 TS2

Log ShippingMirroring

Load Balancing

Solutions – Securing Network Services

Workstation

RMS Server• Certification• Licensing• Templates

Active Directory• Authentication• Service Discovery• Group Membership

SQL Server• Configuration data• Logging • Cache

MOSS 2007• Document

Libraries with IRM

Exchange 2007 SP1• Pre-licensing

Fetching

Solutions – Protecting Data Wherever It Goes

Recommendations

Goals of an IAM Strategy

Secure, pervasive, consistent and reliable authentication and authorisationOpen standards that allow integration across security boundaries.Reduce cost of managing identitiesExtending access to applications & files to out of office/mobile usersImprove management and maintenance of user identities.

IAM Strategy Recommendations

Document IAM infrastructure.Produce fast resultsAddress high risk areas earlyIncrease integration between directory, security and application servicesImprove capabilities that promote finding organisational data

IAM Strategy Recommendations

Most IAM projects are bigger than organisations expectNot all technologies within IAM provide direct benefits though all are necessary for the complete frameworkUse the proper justification and benefit statements as part of your deployment

Thank you for attending this TechNet Event

Visit the blog at:http://blogs.technet.com/mcstalks

Register for the next session, Desktop Deployment, at:http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032390854&Culture=en-GB