Strong Authentication Strong Authentication with Identity Lifecycle with Identity Lifecycle ManagerManager

Strong Authentication Strong Authentication with Identity Lifecycle with Identity Lifecycle ManagerManagerJohn WeigeltJohn WeigeltNational Technology OfficerNational Technology OfficerMicrosoft CanadaMicrosoft Canada

Hugh LindleyHugh LindleyVP, Identity AssuranceVP, Identity AssuranceAvaleris Inc.Avaleris Inc.

Identity at the CenterIdentity at the Center

SecuritySecurity

BusinessBusinessEnablementEnablement

OperationalOperationalEfficiencyEfficiency

ComplianceCompliance

Ensuring that only authorized users get network Ensuring that only authorized users get network accessaccess

Protecting confidential information from improper Protecting confidential information from improper distributiondistributionFreeing up IT resources to focus on high business-Freeing up IT resources to focus on high business-value workvalue work

Creating new ways to connect with customers & Creating new ways to connect with customers & partnerspartners

Provisioning in accordance with company policiesProvisioning in accordance with company policies

Establishing auditable processes for granting access Establishing auditable processes for granting access rightsrights

Automating, reducing and simplifying manual Automating, reducing and simplifying manual processesprocesses

Reducing the complexity of managing many identity Reducing the complexity of managing many identity storesstores

IDA ChallengesIDA Challenges

ExtensibilitExtensibilityy

20+ Connectors20+ Connectors WS-*WS-*

PlatformPlatformComponentsComponents

Workflow Foundation Windows ServicesWorkflow Foundation Windows Services

Active Directory Domain & Directory ServicesActive Directory Domain & Directory Services

Active DirectoryActive DirectoryFederation ServicesFederation Services

Rights ManagementRights ManagementServicesServices

CertificateCertificateServicesServices

MicrosoftMicrosoftOfficeOffice WindowsWindows WebWeb

SitesSites.Net &.Net &

Visual StudioVisual Studio

User andUser andDeveloperDeveloper

ExperiencesExperiences

Identity Lifecycle ManagerIdentity Lifecycle ManagerIDAIDA

ManagementManagement

Microsoft’s IDA OfferingsMicrosoft’s IDA Offerings

DirectoryDirectoryServicesServices

StrongStrongAuthenticationAuthentication

FederatedFederatedIdentity/SSOIdentity/SSO

InformationInformationProtectionProtection

IdentityIdentityLifecycle MgmtLifecycle Mgmt

Microsoft SolutionMicrosoft SolutionFocus AreasFocus Areas

ExtensibiliExtensibilityty

20+ Connectors20+ Connectors WS-*WS-*

PlatformPlatformComponentsComponents

Workflow Foundation Windows ServicesWorkflow Foundation Windows Services

Active Directory Domain & Directory ServicesActive Directory Domain & Directory Services

Active DirectoryActive DirectoryFederation ServicesFederation Services

Rights ManagementRights ManagementServicesServices

CertificateCertificateServicesServices

MicrosoftMicrosoftOfficeOffice WindowsWindows WebWeb

SitesSites.Net &.Net &

Visual StudioVisual Studio

User andUser andDeveloperDeveloper

ExperiencesExperiences

Identity Lifecycle ManagerIdentity Lifecycle Manager IDAIDAManagementManagement

Focused on 5 Solution AreasFocused on 5 Solution Areas

MIISMIIS

CLM BetaCLM Beta

PreviouslyPreviously TodayToday

Microsoft IdentityMicrosoft IdentityLifecycle Manager 2007Lifecycle Manager 2007

2H 20082H 2008

MetadirectoryMetadirectory

Certificate ManagementCertificate Management

User ProvisioningUser Provisioning

Empowers PeopleEmpowers People

IT Control with Less EffortIT Control with Less Effort

Increases Operational EfficiencyIncreases Operational Efficiency

ILM “2”ILM “2”

User User ManagementManagement

AccessAccessManagementManagement

Credential Credential ManagementManagement

Common PlatformCommon PlatformConnectorsConnectorsDelegationDelegationWorkflowWorkflow

Web Service APIWeb Service APILoggingLogging

PolicyPolicyManagementManagement

Identity Lifecycle ManagerIdentity Lifecycle Manager

Microsoft ILM 2007Microsoft ILM 2007Brings together metadirectory, certificate & smart card lifecycle Brings together metadirectory, certificate & smart card lifecycle management, and user provisioning across Windows and enterprise management, and user provisioning across Windows and enterprise systems into a single packaged offering.systems into a single packaged offering.

User ProvisioningUser ProvisioningAutomates the process of on-boarding and off-boarding usersAutomates the process of on-boarding and off-boarding usersSimplifies compliance through automated IDA enforcementSimplifies compliance through automated IDA enforcementEnforces consistent credentials across systemsEnforces consistent credentials across systems

Certificate and Smart Card ManagementCertificate and Smart Card ManagementReduces cost of managing certificate-based credentialsReduces cost of managing certificate-based credentialsAutomates workflow-driven certificate issuance and revocationAutomates workflow-driven certificate issuance and revocationVastly simplifies deployment of smart cardsVastly simplifies deployment of smart cards

Identity SynchronizationIdentity SynchronizationProvides single view of a user across enterprise systemsProvides single view of a user across enterprise systemsAutomatically keeps identity information across systems consistentAutomatically keeps identity information across systems consistent

Hugh Lindley, CISSPHugh Lindley, CISSPVP, Identity AssuranceVP, Identity AssuranceAvaleris Inc.Avaleris Inc.

hugh.lindley@avaleris.comhugh.lindley@avaleris.com(613) 237-9695 ext 235(613) 237-9695 ext 235

Company ProfileCompany Profile

Microsoft Identity & Access (IDA) Systems Integration PartnerMicrosoft Identity & Access (IDA) Systems Integration Partner

Global provider of Identity Assurance professional services & Global provider of Identity Assurance professional services & solutionssolutions

Incorporated by founders of Alacris -- the original developer of Incorporated by founders of Alacris -- the original developer of idNexusidNexus

Predecessor to Microsoft Certificate Lifecycle Manager (CLM)Predecessor to Microsoft Certificate Lifecycle Manager (CLM)

Acquired by Microsoft in late 2005 -- now integrated with Microsoft ILM Acquired by Microsoft in late 2005 -- now integrated with Microsoft ILM 20072007

Successfully deployed in over 25 global clients in North America & Successfully deployed in over 25 global clients in North America & EuropeEurope

Value Avaleris ProvidesValue Avaleris Provides

Heritage of client success & proven solution approach in Identity Heritage of client success & proven solution approach in Identity AssuranceAssurance

Understanding of the management & implementation challengesUnderstanding of the management & implementation challenges

Depth of technical expertise in Microsoft IDA productsDepth of technical expertise in Microsoft IDA products

About AvalerisAbout Avaleris

AgendaAgendaThe business case for Multi-Factor AuthenticationThe business case for Multi-Factor Authentication

Typical ILM 2007 deployment scenariosTypical ILM 2007 deployment scenarios

Smart card deployment scenario walkthroughSmart card deployment scenario walkthrough

ILM 2007 demonstrationILM 2007 demonstration

Share best practices & lessons learnedShare best practices & lessons learned

Identify additional resourcesIdentify additional resources

Business DriversBusiness Drivers

CanadaCanada

GSP and MITSGSP and MITS

Federal Accountability ActFederal Accountability Act

PIPEDA, FIPA, MFIPPAPIPEDA, FIPA, MFIPPA

Bill 198 - ICOFRBill 198 - ICOFR

InternationalInternational

HSPD-12 / FIPS 201HSPD-12 / FIPS 201

Sarbanes-OxleySarbanes-Oxley

HIPAAHIPAA

Gramm-Leach-BlileyGramm-Leach-Bliley

Basel IIBasel II

EU - Data Protection DirectiveEU - Data Protection Directive

EU - Qualified Certificates & SignaturesEU - Qualified Certificates & Signatures

FFIECFFIEC

Security and Risk ManagementSecurity and Risk Management

Privacy and Information ProtectionPrivacy and Information Protection

Auditability and AccountabilityAuditability and Accountability

Effective deployment and lifecycle Effective deployment and lifecycle management of MFAmanagement of MFA

Simplifying user authenticationSimplifying user authentication

Increased efficiency of helpdesk Increased efficiency of helpdesk staffstaff

Regulatory ComplianceRegulatory Compliance Increased IT Security &Increased IT Security &Operational EfficienciesOperational Efficiencies

Implementation ChallengesImplementation ChallengesLifecycle Management of Smart Cards and CertificatesLifecycle Management of Smart Cards and Certificates

Smart card personalization and customizationSmart card personalization and customization

Dealing with lost, stolen or forgotten smart cards Dealing with lost, stolen or forgotten smart cards

Deployment of smart card middlewareDeployment of smart card middleware

Multi-channel authenticationMulti-channel authentication

Alignment of management and security practicesAlignment of management and security practices

High number of distributed sites and locationsHigh number of distributed sites and locations

Leveraging existing IT infrastructureLeveraging existing IT infrastructure

Integration with other IDA solution componentsIntegration with other IDA solution components

Minimizing help-desk workloadMinimizing help-desk workload

ILM 2007 FunctionalityILM 2007 FunctionalitySmart Card / Certificate Lifecycle ManagementSmart Card / Certificate Lifecycle Management

Single administration point for digital certificates and smart cardsSingle administration point for digital certificates and smart cards

Configurable policy-based workflows for common tasksConfigurable policy-based workflows for common tasks

Enroll / renew / updateEnroll / renew / update

Recover / card replacementRecover / card replacement

RevokeRevoke

Retire / disable smart cardRetire / disable smart card

Issue temporary / duplicate smart cardIssue temporary / duplicate smart card

Personalize smart cardPersonalize smart card

Detailed auditing and reportingDetailed auditing and reporting

Support for centralized, decentralized and self-service scenariosSupport for centralized, decentralized and self-service scenarios

Tightly integrated with Active DirectoryTightly integrated with Active Directory

Smart Cards in the Public Smart Cards in the Public SectorSectorU.S. Federal GovernmentU.S. Federal Government

HSPD-12 / FIPS 201-- issued fall of 2004HSPD-12 / FIPS 201-- issued fall of 2004

Goal: Goal: Establish a common identification standard for Establish a common identification standard for all federal all federal government employees and contractorsgovernment employees and contractors

Personal Identity Verification (PIV) – I (Oct 2005):Personal Identity Verification (PIV) – I (Oct 2005):

Identity validation & credential issuance processIdentity validation & credential issuance process

Personal Identity Verification (PIV) - I I (Oct 2006):Personal Identity Verification (PIV) - I I (Oct 2006):

Ability to issue FIPS 201 compliant smart cardAbility to issue FIPS 201 compliant smart card

Most departments / agencies have met initial FIPS 201 Most departments / agencies have met initial FIPS 201 milestones and are working towards production milestones and are working towards production implementationsimplementations

Growing interest in broader public & private sectorsGrowing interest in broader public & private sectors

Deployment ScenariosDeployment ScenariosSmart Card AuthenticationSmart Card Authentication

Secure Email (S/MIME)Secure Email (S/MIME)

Secure Remote Access (VPN)Secure Remote Access (VPN)

Wireless LAN AuthenticationWireless LAN Authentication

File and Hard Drive EncryptionFile and Hard Drive Encryption

Secure Web ApplicationsSecure Web Applications

Distributed Certificate EnrollmentDistributed Certificate Enrollment

Document SigningDocument Signing

Deployment ScenariosDeployment ScenariosSmart Card AuthenticationSmart Card Authentication

Secure Email (S/MIME)Secure Email (S/MIME)

Secure Remote Access (VPN)Secure Remote Access (VPN)

Wireless LAN AuthenticationWireless LAN Authentication

File and Hard Drive EncryptionFile and Hard Drive Encryption

Secure Web ApplicationsSecure Web Applications

Distributed Certificate EnrollmentDistributed Certificate Enrollment

Document SigningDocument Signing

Smart Card DeploymentSmart Card DeploymentRequirement:Requirement:

Two-factor authenticationTwo-factor authentication

Smart card based network loginSmart card based network login

Verification of Employee ID before card issuanceVerification of Employee ID before card issuance

Address smart card management issuesAddress smart card management issues

100’s – 10,000’s of users100’s – 10,000’s of users

Smart Card DeploymentSmart Card DeploymentDeployment Considerations:Deployment Considerations:

1.1. Registration and Issuance ProcessRegistration and Issuance Process

2.2. Choice of Smart Card PlatformChoice of Smart Card Platform

3.3. Lifecycle Management of the Smart CardsLifecycle Management of the Smart Cards

4.4. Middleware Deployment (if not Base CSP)Middleware Deployment (if not Base CSP)

MicrosoftMicrosoftCertificateCertificateLifecycle Lifecycle ManagerManager

Microsoft CAsMicrosoft CAs

End UserEnd User

Physical ArchitecturePhysical Architecture

SQLSQLADAD

E-mailE-mail CLM Policy ModuleCLM Policy Module

CLM Exit ModuleCLM Exit Module

Internet ExplorerInternet Explorer

CLM Browser ControlCLM Browser Control

CLM AD IntegrationCLM AD Integration

CLM Web AppCLM Web App

Internet Information ServerInternet Information Server

Component ArchitectureComponent Architecture

Microsoft Certificate AuthorityMicrosoft Certificate Authority

Smart Card MiddlewareSmart Card Middleware

ILM 2007 ArchitectureILM 2007 Architecture

ILM 2007 ArchitectureILM 2007 ArchitectureInclude policies for each taskInclude policies for each taskthat might be performedthat might be performed

Additional profile data includedAdditional profile data includedfor smart card managementfor smart card management

Can include templates issued Can include templates issued from more than one CAfrom more than one CA

Profile Templates include oneProfile Templates include oneor more certificate managedor more certificate managedas a single entityas a single entity

Policy updates managedPolicy updates managedon a per user basis by Active on a per user basis by Active Directory (AD) groupsDirectory (AD) groups

Contains necessary informationContains necessary informationto enforce policy across multiple to enforce policy across multiple certificates, users, and groupscertificates, users, and groups

Stored in AD and availableStored in AD and availableacross the forestacross the forest

Certificate Template(s)Certificate Template(s)

Management PoliciesManagement Policies

Profile TemplatesProfile Templates

EnrollmentEnrollmentWork flowWork flow

Self-ServiceSelf-ServiceDataData

CollectionCollection

RecoveryRecoveryWork flowWork flow

Self-ServiceSelf-ServiceDataData

CollectionCollection

Etc.,Etc.,Work flowWork flow

Self-ServiceSelf-ServiceDataData

CollectionCollection

Smart Card InformationSmart Card Information(if needed)(if needed)

Smart Card DeploymentSmart Card DeploymentDuplicateDuplicate

EnrollEnroll

Online UpdateOnline Update

Replace PolicyReplace Policy

Recover on BehalfRecover on Behalf

Renew PolicyRenew Policy

Reinstate PolicyReinstate Policy

Disable PolicyDisable Policy

Retire PolicyRetire Policy

Temporary CardsTemporary Cards

UnblockUnblock

Enroll PolicyEnroll PolicySome questions to answer:Some questions to answer:

What level of assurance are you trying to achieve?What level of assurance are you trying to achieve?

Are you giving the end-user the ability to self-service? Are you giving the end-user the ability to self-service?

Are you using enrollment agents? Are you using enrollment agents?

Are you collecting comments? Are you collecting comments?

How many approvals do you require? How many approvals do you require?

Who can initiate the request? Who can initiate the request?

Who can approve the request?Who can approve the request?

What types of data will you be collecting? What types of data will you be collecting?

Are you using one-time secrets for registration? Are you using one-time secrets for registration?

Are you printing smart cards or documentation during enrollment? Are you printing smart cards or documentation during enrollment?

Enroll

ManagersManagers

End UsersEnd Users

Help DeskHelp Desk

Initiate Enroll

User is Enrolled

Approve

Employee ID

OTPLogin and Enter OTP

Certificate is copied to the Smart Card.

Verify Employee

ID

Generate One-Time Passwords

Enroll PolicyEnroll Policy

Smart Card DeploymentSmart Card DeploymentDuplicateDuplicate

EnrollEnroll

Online UpdateOnline Update

Replace PolicyReplace Policy

Recover on BehalfRecover on Behalf

Renew PolicyRenew Policy

Reinstate PolicyReinstate Policy

Disable PolicyDisable Policy

Retire PolicyRetire Policy

Temporary CardsTemporary Cards

UnblockUnblock

Smart Card Enrollment Policy andSmart Card Enrollment Policy andSmart Card IssuanceSmart Card Issuance

Benefits of ILM 2007 Benefits of ILM 2007 ApproachApproachTwo Factor AuthenticationTwo Factor Authentication

Reduced cost and complexityReduced cost and complexity

Flexible policy driven workflow model Flexible policy driven workflow model

Integrated Identity Lifecycle Management (certs, Integrated Identity Lifecycle Management (certs, SC, etc)SC, etc)

Supports a range of smart card platformsSupports a range of smart card platforms

Less custom development effort requiredLess custom development effort required

Leverages existing infrastructureLeverages existing infrastructure

Lessons LearnedLessons LearnedBusinessBusiness

Proceed in phased approach Proceed in phased approach to realize success earlyto realize success early

Align issuance process with Align issuance process with management and security management and security policy policy

Use risk assessments to Use risk assessments to identify high-sensitivity identify high-sensitivity systemssystems

Determine your required level Determine your required level of assuranceof assurance

Map access control workflow Map access control workflow and optimize where possibleand optimize where possible

TechnicalTechnical

Understand the Smart Card Understand the Smart Card Lifecycle Management Lifecycle Management ChallengeChallenge

Map out optimal deployment Map out optimal deployment scenarioscenario

CentralizedCentralized

DecentralizedDecentralized

Self-ServiceSelf-Service

Select a smart card & Select a smart card & middleware strategymiddleware strategy

Deal with temporary card Deal with temporary card issuanceissuance

Leverage existing Leverage existing infrastructure where practicalinfrastructure where practical

ILM 2007 ResourcesILM 2007 ResourcesMicrosoft ILM 2007 Website - Microsoft ILM 2007 Website - www.microsoft.com/ilm www.microsoft.com/ilm

DatasheetsDatasheets

WhitepapersWhitepapers

Flash DemoFlash Demo

Avaleris Website - Avaleris Website - www.avaleris.comwww.avaleris.com

Identity Assurance SolutionsIdentity Assurance Solutions

ILM 2007 Service OfferingsILM 2007 Service Offerings

Whitepapers & technical informationWhitepapers & technical information

Avaleris ILM 2007 Lunch & Learn SeriesAvaleris ILM 2007 Lunch & Learn Series

Closer look at ILM 2007 within context of your specific Closer look at ILM 2007 within context of your specific requirementsrequirements

Map out next steps towards ILM 2007 Proof of Concept PilotMap out next steps towards ILM 2007 Proof of Concept Pilot

Contact Avaleris representative for schedule of upcoming Contact Avaleris representative for schedule of upcoming sessionssessions

Avaleris ContactsAvaleris ContactsHugh Lindley, CISSPHugh Lindley, CISSP

VP, Identity AssuranceVP, Identity Assurance hugh.lindley@avaleris.comhugh.lindley@avaleris.com (613) 237-9795 ext 235(613) 237-9795 ext 235

Anita BurwashAnita Burwash VP, SalesVP, Sales anita.burwash@avaleris.comanita.burwash@avaleris.com (613) 237-9695 ext 221(613) 237-9695 ext 221