TechNet Architectural Design Series Part 5: Identity and Access Management
Gary Williams (Identity Management Consultant) and Colin Brown (Security Consultant), Microsoft Consulting Services
MCS Talks: Infrastructure Architecture, Session 5

Transcript of the session slides.
Agenda
- Introduction to identity terminology
- Challenges and issues
- Identity environment fact finding
- Identity solutions: products, architecture, work packages
- Recommendations

Introduction: IDA terminology
- IDA / IAM / IdM
- Digital identity
- Credential
- Security principal
- Authentication
- Identity store
- Identity synchronisation
- Identity integration services
- Provisioning
- Identity lifecycle management

Introduction: IDA terminology (continued)
- Entitlement
- Authorisation
- Trust
- Identity federation
- Security auditing
- Access services
- Digital certificates
- Public Key Infrastructure (PKI)
- Certificate Revocation List (CRL)
- Encryption

Challenges and issues

Islands of applications (chart: number of digital IDs against time). As applications moved from mainframe (pre-1980s) to client/server (1980s), the Internet (1990s) and business automation (2000s), the population served widened from the company (B2E) to partners (B2B), customers (B2C) and mobile users, and the number of digital IDs per person grew with each step. Islands of applications have led to islands of identities.

Challenges and issues
- Identity ecosystems develop organically: one system is added at a time (applications, databases, operating systems)
- Fragmented identity infrastructures: each system potentially requires its own identity repository
- Changing organisation perimeter: credentials often do not cross boundaries
- Politics
- Product and skillset knowledge

Why do Identity Management projects fail?

Setting the scene: what is it we are trying to achieve?
Identity and Access Management: providing the right people with the right access at the right time.
- Identity store
- Authentication (who I am)
- Authorisation (what can I do)
- Lifecycle management / administration
- Monitoring / audit
Identity environment fact finding

Identity drivers and requirements
- Extend reach and range
- Increase scalability
- Lower costs
- Balance centralised vs. distributed management
- More general-purpose and reusable
- Product selection must achieve business justification and work against business requirements

Identity flow
- Source of truth (authoritative) repository
- Main repository, and a list of the other identity repositories it feeds

Information quality
- How and where is identity data created?
- How is it removed, maintained and synchronised?
- How is data creation, deletion or modification validated?

Operational procedures
- Access rights to all systems
- Hire / fire procedures
- Department or role changes
- Role definition
- Separation of duties (admin controls)

Identity solutions

Identity products
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- Active Directory Federation Services
- Active Directory Certificate Services
- Active Directory Rights Management Services
- Identity Lifecycle Manager
- Microsoft partner solutions

Example architecture (diagram)

Planning
- Think strategically, act tactically: a phased approach
- This is generally not a technical problem: business processes and workflow definition
- An Identity and Access Management solution is a long-term engagement

Work packages: IDA framework (diagram)

White pages architectural overview (diagram)

Provisioning and de-provisioning (diagram)

Password management
- Reduce credentials to a single password or PIN
- In order to: simplify the user experience, reduce helpdesk overhead, improve overall security

Auditing and reporting
- Record identity-related events, such as logon/logoff, administrative actions and object access
- In order to: reveal potential security problems, ensure user accountability, provide evidence

Profile management
- Capture or create business processes to define identity profiles, associate allowable actions, and delineate self-service from administrative actions

Role based access control (diagram)

Single sign-on
- Provide a single authentication action
- In order to: reduce user authentication events; reduce the number of authentication stores and their associated management overhead

Directory consolidation
- Reduce the number of identity repositories, and with them complexity, duplication and administrative overhead

Securing network services
- Provide a strong authentication mechanism: two-factor authentication
- In order to: secure network services, provide security services to applications, provide higher security assurance

Securing network services: PKI architecture (diagram). A root CA whose certificate and CRL are published manually to the issuing CAs; registration authorities RA1 and RA2; the CA database on SQL1 and SQL2 with log shipping and mirroring; load balancing in front of the issuing CAs; certificate consumers are clients, VPN, Active Directory, SSL web servers, Exchange and the terminal servers TS1 and TS2. With manual publishing, the root's CRL has to be re-issued and published before the current one expires, or every certificate chained to that root fails revocation checking.

Protecting data wherever it goes: RMS architecture (diagram). A workstation talks to the RMS server (certification, licensing, templates); Active Directory provides authentication, service discovery and group membership; SQL Server holds configuration data, logging and the cache; MOSS 2007 document libraries use IRM; Exchange 2007 SP1 does pre-licensing and fetching.

Recommendations

Goals of an IAM strategy
- Secure, pervasive, consistent and reliable authentication and authorisation
- Open standards that allow integration across security boundaries
- Reduce the cost of managing identities
- Extend access to applications and files to out-of-office and mobile users
- Improve management and maintenance of user identities

IAM strategy recommendations
- Document the IAM infrastructure
- Produce fast results: address high-risk areas early
- Increase integration between directory, security and application services
- Improve capabilities that promote finding organisational data

IAM strategy recommendations (continued)
- Most IAM projects are bigger than organisations expect
- Not all technologies within IAM provide direct benefits, though all are necessary for the complete framework
- Use the proper justification and benefit statements as part of your deployment
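The fact-finding questions under "Identity flow", "Information quality" and "Operational procedures" (where identity data is created, how deletion is validated, hire/fire, department changes) are what the "Provisioning and de-provisioning" work package has to automate. The Python below is an added example, not code from the deck or from Identity Lifecycle Manager: it treats a constructed HR feed as the authoritative source, reconciles it against a constructed directory snapshot, and plans the provisioning actions. Leavers and orphans are disabled rather than deleted, and a guardrail refuses to run if a broken feed would disable most of the directory. All employee IDs, names and departments are invented.

```python
"""Added example: plan provisioning actions from an authoritative HR feed.
Not from the TechNet deck; all identities below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    employee_id: str   # immutable anchor attribute; never key on name or e-mail
    name: str
    department: str
    status: str        # "active" or "terminated" as reported by HR


# Constructed HR feed (the source of truth) and a constructed directory snapshot.
HR_FEED = [
    Identity("E1001", "Alice Example", "Finance", "active"),
    Identity("E1002", "Bob Example", "Sales", "active"),       # moved from IT
    Identity("E1003", "Carol Example", "IT", "terminated"),    # leaver
    Identity("E1004", "Dan Example", "HR", "active"),          # joiner
]
DIRECTORY = {
    "E1001": {"name": "Alice Example", "department": "Finance", "enabled": True},
    "E1002": {"name": "Bob Example", "department": "IT", "enabled": True},
    "E1003": {"name": "Carol Example", "department": "IT", "enabled": True},
    "E9999": {"name": "Orphan Account", "department": "Sales", "enabled": True},  # no HR record
}


def plan_sync(hr_feed, directory):
    """Return sorted (action, employee_id, detail) tuples that bring the
    directory in line with HR. Accounts are disabled, not deleted, so audit
    history and ACL references to the SID survive."""
    actions = []
    seen = set()
    for person in hr_feed:
        seen.add(person.employee_id)
        entry = directory.get(person.employee_id)
        if person.status == "terminated":
            if entry is not None and entry["enabled"]:
                actions.append(("disable", person.employee_id, "leaver"))
            continue
        if entry is None:
            actions.append(("create", person.employee_id, person.department))
            continue
        if not entry["enabled"]:
            actions.append(("enable", person.employee_id, "rehire"))
        if entry["department"] != person.department:
            actions.append(("move", person.employee_id,
                            f"{entry['department']}->{person.department}"))
    # Anything enabled in the directory that HR does not know about is an orphan.
    for emp_id, entry in directory.items():
        if emp_id not in seen and entry["enabled"]:
            actions.append(("disable", emp_id, "no authoritative record"))
    return sorted(actions)  # deterministic order so the plan can be reviewed and diffed


def check_guardrail(actions, directory, max_disable_fraction=0.5):
    """Validation step from the 'Information quality' slide: an empty or
    truncated HR export must not deprovision the organisation. Raises if
    the plan would disable more than max_disable_fraction of enabled accounts."""
    disables = sum(1 for action in actions if action[0] == "disable")
    enabled = sum(1 for entry in directory.values() if entry["enabled"])
    if enabled and disables / enabled > max_disable_fraction:
        raise RuntimeError(f"refusing sync: {disables}/{enabled} accounts would be disabled")
    return actions


if __name__ == "__main__":
    for action in check_guardrail(plan_sync(HR_FEED, DIRECTORY), DIRECTORY):
        print(action)
```

The guardrail threshold is an assumption for the example; in practice it is tuned to the organisation's normal churn and the sync is held for a human decision when it trips.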
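The "Role definition" and "Separation of duties (admin controls)" items under operational procedures, and the "Profile management" and "Role based access control" work packages, describe the same control: permissions are attached to roles, roles to people, and some role combinations are forbidden. The following Python is an added example written for this page, not the deck's or any Microsoft product's code. The roles, permissions, conflict pairs and users are constructed; the self-service versus administrative split is modelled by a naming convention, which is an assumption of the example.

```python
"""Added example: role-based access control with a separation-of-duties check.
Not from the TechNet deck; roles, permissions and users are constructed."""

# Role -> set of permissions. "own_profile" permissions are self-service;
# everything else is an administrative action that should be approved and audited.
ROLES = {
    "employee":        {"read:own_profile", "update:own_profile"},
    "ap_clerk":        {"create:invoice", "read:invoice"},
    "ap_approver":     {"approve:invoice", "read:invoice"},
    "directory_admin": {"create:user", "reset:password", "read:audit_log"},
    "auditor":         {"read:audit_log", "read:invoice"},
}

# Pairs of roles one person must never hold at the same time (constructed policy).
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),      # raise and approve the same invoice
    frozenset({"directory_admin", "auditor"}),   # audit one's own administrative actions
}

# Constructed user -> roles assignment.
USERS = {
    "alice": {"employee", "ap_clerk"},
    "bob":   {"employee", "ap_approver"},
    "carol": {"employee", "directory_admin"},
}


def permissions_for(roles):
    """Union of the permissions granted by a set of roles; rejects undefined roles
    so a typo in an assignment fails closed instead of silently granting nothing."""
    unknown = set(roles) - set(ROLES)
    if unknown:
        raise KeyError(f"undefined roles: {sorted(unknown)}")
    return set().union(*(ROLES[role] for role in roles))


def sod_violations(roles):
    """Conflict pairs fully contained in the given role set, as sorted tuples."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def assign_role(users, user, role):
    """Add a role to a user only if the result violates no SoD constraint.
    Mutates `users` and returns the user's new role set."""
    proposed = users.get(user, set()) | {role}
    permissions_for(proposed)  # raises on an undefined role
    violations = sod_violations(proposed)
    if violations:
        raise PermissionError(
            f"{user}: adding {role!r} would violate separation of duties {violations}")
    users[user] = proposed
    return proposed


def is_authorized(users, user, permission):
    """Authorisation decision: does any of the user's roles grant the permission?"""
    return permission in permissions_for(users.get(user, set()))


def is_self_service(permission):
    """Delineate self-service from administrative actions (naming convention assumed)."""
    return permission.endswith(":own_profile")


if __name__ == "__main__":
    print(is_authorized(USERS, "alice", "create:invoice"))      # True
    print(is_authorized(USERS, "alice", "approve:invoice"))     # False
    try:
        assign_role(dict(USERS), "alice", "ap_approver")
    except PermissionError as err:
        print(err)
```

The check runs at assignment time, which is the cheap place to enforce it; a periodic `sod_violations` sweep over every user catches assignments that arrived by another route, such as a group added directly in the directory.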
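The "Auditing and reporting" work package records logon/logoff, administrative actions and object access so that problems are revealed, users are accountable and evidence exists. What that looks like once the events are collected is shown by the added Python below, which is not from the deck: it runs three detections over a constructed log and produces a per-user activity count as the accountability trail. The event IDs are the real Windows Security log IDs (4624 logon, 4625 failed logon, 4634 logoff, 4663 object access, 4719 audit policy changed, 4720 user created, 4728/4732 member added to a group), but the CSV layout is a simplification assumed for the example, not the Windows event schema, and the user, host and file names are invented.

```python
"""Added example: detections and an accountability summary over identity audit
events. Not from the TechNet deck; the log below is constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified CSV form. For 4625 the constructed
# "subject" column carries the account whose logon failed.
SAMPLE_LOG = r"""time,event_id,subject,target,detail
2024-03-01T08:00:00,4624,alice,-,Logon Type 2
2024-03-01T09:10:00,4720,dave,tmp-admin,User account created
2024-03-01T09:11:30,4728,dave,tmp-admin,Added to Domain Admins
2024-03-01T09:12:00,4719,dave,-,System audit policy changed
2024-03-01T10:00:00,4625,svc-backup,-,Bad password
2024-03-01T10:00:05,4625,svc-backup,-,Bad password
2024-03-01T10:00:10,4625,svc-backup,-,Bad password
2024-03-01T10:00:20,4624,svc-backup,-,Logon Type 3
2024-03-01T11:00:00,4663,alice,\\fs1\payroll\salaries.xlsx,ReadData
2024-03-01T17:00:00,4634,alice,-,Logoff
"""


def parse_events(text):
    """Parse the CSV into dicts with a datetime and an integer event ID."""
    events = list(csv.DictReader(io.StringIO(text)))
    for event in events:
        event["time"] = datetime.fromisoformat(event["time"])
        event["event_id"] = int(event["event_id"])
    return events


def find_privilege_self_provisioning(events, window=timedelta(minutes=15)):
    """An admin creates an account and adds it to a group shortly afterwards:
    legitimate onboarding looks like this too, so it is a review item, not proof."""
    created = {}  # (subject, target) -> time of the 4720
    findings = []
    for event in events:
        key = (event["subject"], event["target"])
        if event["event_id"] == 4720:
            created[key] = event["time"]
        elif event["event_id"] in (4728, 4732) and key in created \
                and event["time"] - created[key] <= window:
            findings.append((event["time"], "account created and made privileged by same admin",
                             event["subject"], f"{event['target']}: {event['detail']}"))
    return findings


def find_audit_tampering(events):
    """Changing the audit policy is itself an administrative action that weakens evidence."""
    return [(event["time"], "audit policy changed", event["subject"], event["detail"])
            for event in events if event["event_id"] == 4719]


def find_password_guessing(events, threshold=3, window=timedelta(minutes=5)):
    """Successful logon preceded by `threshold` failures inside `window`."""
    failures = defaultdict(list)
    findings = []
    for event in events:
        account = event["subject"]
        if event["event_id"] == 4625:
            failures[account].append(event["time"])
        elif event["event_id"] == 4624:
            recent = [t for t in failures[account] if event["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append((event["time"], "logon success after repeated failures",
                                 account, f"{len(recent)} failures in {window}"))
            failures[account].clear()
    return findings


def review(text):
    """All findings as (time, rule, subject, detail), in time order."""
    events = parse_events(text)
    return sorted(find_privilege_self_provisioning(events)
                  + find_audit_tampering(events)
                  + find_password_guessing(events))


def accountability_summary(text):
    """Events per subject: the 'who did what' trail the slide calls evidence."""
    counts = defaultdict(int)
    for event in parse_events(text):
        counts[event["subject"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
    print(accountability_summary(SAMPLE_LOG))
```

The windows and the failure threshold are assumptions for the example. The 4719 rule is the one to get right first: if the audit policy can be changed without that change being collected somewhere the administrator cannot reach, the other two detections have no evidence to run on.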
Thank you for attending this TechNet event.
Visit the blog at:
Register for the next session, Desktop Deployment, at: