TechNet Architectural Design Series Part 5: Identity and Access Management

Post on 25-Feb-2016


TechNet Architectural Design Series, Part 5: Identity and Access Management

Gary Williams & Colin Brown, Microsoft Consulting Services

Live Meeting Information...

Feedback Panel

Questions & Answers

Blog - http://blogs.technet.com/MCSTalks

Session 5: Identity and Access Management
- Gary Williams – Identity Management Consultant
- Colin Brown – Security Consultant

MCS Talks Infrastructure Architecture

Agenda

- Introduction to Identity Terminology
- Challenges & Issues
- Identity Environment – Fact Finding
- Identity Solutions
  - Products
  - Architecture
  - Work Packages

Recommendations

Introduction to Identity Terminology

- IDA / IAM / IdM
- Digital Identity
- Credential
- Security Principal
- Authentication
- Identity Store
- Identity Synchronisation
- Identity Integration Services
- Provisioning
- Identity Lifecycle Management

Introduction IDA Terminology

- Entitlement
- Authorisation
- Trust
- Identity Federation
- Security Auditing
- Access Services
- Digital Certificates
- Public Key Infrastructure (PKI)
- Certificate Revocation List (CRL)
- Encryption

Introduction IDA Terminology

Challenges & Issues

[Chart: number of digital IDs and applications plotted against time, from pre-1980s through the 1980s, 1990s and 2000s, as platforms move from Mainframe to Client Server to Internet, and identity scope grows from Business Automation to Company (B2E), Partners (B2B), Customers (B2C) and Mobility]

Islands of applications has led to islands of identities

- Identity ecosystems develop organically
- Fragmented identity infrastructures
  - One system is added at a time
  - Applications, databases, operating systems
  - Each system potentially requires a unique identity repository
- Changing organisation perimeter
  - Credentials often do not cross boundaries
- Politics
- Product/skillset knowledge

Challenges & Issues: Why do Identity Management projects fail?

[Diagram: Identity & Access Management – providing the right people with the right access at the right time. Components: Identity Store, Authentication (who I am), Authorisation (what can I do), Lifecycle Management / Administration, Monitoring / Audit; all framed by COMPLIANCE!]

Setting the scene: What is it we are trying to achieve?

Identity Environment – Fact Finding

Identity drivers & requirements
- Extend reach and range
- Increase scalability
- Lower costs
- Balance centralised vs. distributed management
- More general purpose & reusable
- Product selection must achieve:
  - Business justification
  - Work against business requirements

Source of truth (authoritative) repository
- Main repository & list of other identity repositories
- Identity flow

Identity Flow

Identity Environment – Fact Finding

Information quality
- How and where is identity data created
- How is it removed, maintained & synchronised
- How is data creation, deletion or modification validated

Operational procedures
- Access rights to all systems
- Hire / fire procedures
- Department or role changes
- Role definition
- Separation of duties (admin controls)

Identity Environment – Fact Finding

Identity Solutions

Solutions – Identity Products

Active Directory Domain Services

Active Directory Lightweight Directory Services

Active Directory Federation Services

Active Directory Certificate Services

Active Directory Rights Management Services

Identity Lifecycle Manager

Microsoft Partners

Solutions - Example Architecture

Solutions – Planning

- Think strategically, act tactically
- Phased approach
- This is generally not a technical problem
  - Business processes
  - Workflow definition

An Identity and Access Management solution is a long term engagement

Solutions – Work Packages

IDA Framework

White Pages

Provisioning/De-provisioning

Password Management

Auditing & Reporting

Profile Management

Role Based Access

Single Sign-On

Directory Consolidation

Securing Network Services

Protecting Data Wherever it goes

Solutions – White Pages: Architectural Overview

Solutions – Provisioning & De-provisioning

Solutions – Provisioning & De-provisioning
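Provisioning and de-provisioning only work when the directory is reconciled against the authoritative (source-of-truth) repository the fact-finding section asks you to identify. The following added example, which is not part of the original presentation, reconciles a constructed HR feed against a constructed directory and produces the joiner, role-change, leaver and orphan actions; leavers are disabled rather than deleted so that audit evidence about the account is retained.

```python
"""Reconcile an authoritative HR feed against a directory (constructed sample data)."""

# Constructed sample of the authoritative (source-of-truth) HR repository.
HR_FEED = [
    {"employee_id": "E100", "name": "Ann Adams", "status": "active", "role": "finance"},
    {"employee_id": "E200", "name": "Bob Brown", "status": "active", "role": "engineering"},
    {"employee_id": "E300", "name": "Cy Chen", "status": "leaver", "role": "finance"},
]

# Constructed sample of the downstream directory, keyed by employee_id.
DIRECTORY = {
    "E200": {"name": "Bob Brown", "enabled": True, "role": "support"},
    "E300": {"name": "Cy Chen", "enabled": True, "role": "finance"},
    "E400": {"name": "Dee Dunn", "enabled": True, "role": "engineering"},
}


def plan_changes(hr_feed, directory):
    """Return ordered (action, employee_id, detail) tuples.

    Rules: create accounts for active joiners, re-enable rehires, update the
    role on department/role change, disable leavers (never delete straight
    away, so evidence is retained) and flag directory accounts that the
    authoritative source does not know about for review.
    """
    actions = []
    seen = set()
    for person in hr_feed:
        eid = person["employee_id"]
        seen.add(eid)
        entry = directory.get(eid)
        if person["status"] == "active":
            if entry is None:
                actions.append(("create", eid, person["role"]))
                continue
            if not entry["enabled"]:
                actions.append(("enable", eid, "rehire"))
            if entry["role"] != person["role"]:
                actions.append(("update_role", eid, f"{entry['role']}->{person['role']}"))
        elif entry is not None and entry["enabled"]:
            # Any non-active status (leaver, suspended) disables the account.
            actions.append(("disable", eid, person["status"]))
    # Orphans: accounts with no owner in the source of truth are a classic
    # island-of-identity symptom and need a human decision, not auto-deletion.
    for eid in sorted(directory):
        if eid not in seen:
            actions.append(("review_orphan", eid, "not in authoritative source"))
    return actions


if __name__ == "__main__":
    for action in plan_changes(HR_FEED, DIRECTORY):
        print(action)
```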

- Reduce credentials to a single password or PIN
- Simplify the user experience
- Reduce helpdesk overhead
- Improve overall security

Solutions – Password Management

Record identity related events, such as:
- Logon/off
- Administrative actions
- Object access

In order to be able to:
- Reveal potential security problems
- Ensure user accountability
- Provide evidence

Solutions – Auditing & Reporting
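To show what the three goals above look like in practice, here is an added example (not from the original presentation) that runs over a constructed audit trail of logon/off, administrative-action and object-access events. It builds a per-user activity summary for accountability and evidence, and raises findings where an action cannot be tied to a recorded logon or where an administrative action comes from an account outside the assumed admin set; the line format and the `ADMINS` set are assumptions, not a real product's log format.

```python
"""Review a constructed identity audit trail for accountability gaps."""
import re
from collections import defaultdict

# Constructed sample audit trail, one event per line; not real product output.
AUDIT_LOG = """\
2016-02-25T08:01:10 LOGON user=alice src=10.0.0.5
2016-02-25T08:05:42 OBJECT_ACCESS user=alice object=fs1/finance/q4.xlsx
2016-02-25T08:30:00 ADMIN_ACTION user=bob detail=group_add:DomainAdmins:carol
2016-02-25T09:12:03 OBJECT_ACCESS user=carol object=fs1/hr/payroll.csv
2016-02-25T09:15:00 ADMIN_ACTION user=alice detail=password_reset:dave
2016-02-25T17:02:11 LOGOFF user=alice
"""

# Assumed set of accounts that are entitled to perform administrative actions.
ADMINS = {"bob"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)(?: (?P<rest>.*))?$")


def parse_events(text):
    """Parse lines into dicts; unparseable lines are skipped rather than guessed."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def audit(text, admins):
    """Return (per-user event counts, findings) for an audit trail.

    Findings are (timestamp, user, description) tuples: an action with no
    recorded logon cannot be attributed to a session, and an administrative
    action by a non-admin account is a separation-of-duties problem.
    """
    summary = defaultdict(lambda: defaultdict(int))
    logged_on = set()
    findings = []
    for ev in parse_events(text):
        user, kind = ev["user"], ev["event"]
        summary[user][kind] += 1
        if kind == "LOGON":
            logged_on.add(user)
        elif kind == "LOGOFF":
            logged_on.discard(user)
        else:
            if user not in logged_on:
                findings.append((ev["ts"], user, f"{kind} without a recorded logon"))
            if kind == "ADMIN_ACTION" and user not in admins:
                findings.append((ev["ts"], user, f"administrative action by non-admin: {ev['rest']}"))
    return {u: dict(c) for u, c in summary.items()}, findings


if __name__ == "__main__":
    counts, found = audit(AUDIT_LOG, ADMINS)
    print(counts)
    for f in found:
        print(*f)
```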

Capture or create business process to:
- Define identity profiles
- Associate allowable actions
- Delineate self-service and administrative actions

Solutions – Profile Management

Solutions – Role Based Access Control

Provide a single authentication action, in order to:
- Reduce user authentication events
- Reduce authentication stores and associated management overhead

Solutions – Single Sign-On

Reduce the number of identity repositories, and with them:
- Complexity
- Duplication
- Administrative overhead

Solutions – Directory Consolidation

Provide a strong authentication mechanism (2-factor authentication), in order to:
- Secure network services
- Provide security services to applications
- Provide higher security assurance

Solutions – Securing Network Services

[Diagram: PKI and secured network services – a Root CA with manual publishing to the Issuing CAs; registration authorities RA1 and RA2; SQL1 and SQL2 with log shipping/mirroring; TS1 and TS2 behind load balancing; clients consuming VPN, AD, SSL web and Exchange services]

Solutions – Securing Network Services

[Diagram: Rights Management Services architecture – Workstation; RMS Server (certification, licensing, templates); Active Directory (authentication, service discovery, group membership); SQL Server (configuration data, logging, cache); MOSS 2007 (document libraries with IRM); Exchange 2007 SP1 (pre-licensing, fetching)]

Solutions – Protecting Data Wherever It Goes

Recommendations

Goals of an IAM Strategy

- Secure, pervasive, consistent and reliable authentication and authorisation
- Open standards that allow integration across security boundaries
- Reduce the cost of managing identities
- Extend access to applications & files to out-of-office/mobile users
- Improve management and maintenance of user identities

IAM Strategy Recommendations

- Document the IAM infrastructure
- Produce fast results
- Address high-risk areas early
- Increase integration between directory, security and application services
- Improve capabilities that promote finding organisational data

IAM Strategy Recommendations

- Most IAM projects are bigger than organisations expect
- Not all technologies within IAM provide direct benefits, though all are necessary for the complete framework
- Use the proper justification and benefit statements as part of your deployment

Thank you for attending this TechNet Event

Visit the blog at: http://blogs.technet.com/mcstalks

Register for the next session, Desktop Deployment, at: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032390854&Culture=en-GB