Date posted: 17-Jan-2016
Strong Authentication with Identity Lifecycle Manager
John Weigelt, National Technology Officer, Microsoft Canada
Hugh Lindley, VP, Identity Assurance, Avaleris Inc.
Identity at the Center
Security
  Ensuring that only authorized users get network access
  Protecting confidential information from improper distribution
Business Enablement
  Creating new ways to connect with customers & partners
Operational Efficiency
  Freeing up IT resources to focus on high business-value work
  Automating, reducing and simplifying manual processes
  Reducing the complexity of managing many identity stores
Compliance
  Provisioning in accordance with company policies
  Establishing auditable processes for granting access rights
IDA Challenges
(slide shows the Microsoft IDA platform stack, repeated on the next slide)

Microsoft's IDA Offerings
Focused on 5 Solution Areas:
  Directory Services
  Strong Authentication
  Federated Identity/SSO
  Information Protection
  Identity Lifecycle Mgmt
Platform stack (diagram):
  Extensibility: 20+ connectors; WS-*
  Platform components: Workflow Foundation; Windows Services
  Active Directory Domain & Directory Services; Active Directory Federation Services; Rights Management Services; Certificate Services
  User and developer experiences: Microsoft Office; Windows; web sites; .NET & Visual Studio
  IDA Management: Identity Lifecycle Manager
Identity Lifecycle Manager
Previously: MIIS (metadirectory) and CLM Beta
Today: Microsoft Identity Lifecycle Manager 2007
  Metadirectory
  Certificate Management
  User Provisioning
2H 2008: ILM "2"
  User Management
  Access Management
  Credential Management
  Policy Management
  Common Platform: Connectors, Delegation, Workflow, Web Service API, Logging
Empowers people; IT control with less effort; increases operational efficiency
Microsoft ILM 2007
Brings together metadirectory, certificate & smart card lifecycle management, and user provisioning across Windows and enterprise systems into a single packaged offering.
User Provisioning
  Automates the process of on-boarding and off-boarding users
  Simplifies compliance through automated IDA enforcement
  Enforces consistent credentials across systems
Certificate and Smart Card Management
  Reduces the cost of managing certificate-based credentials
  Automates workflow-driven certificate issuance and revocation
  Vastly simplifies deployment of smart cards
Identity Synchronization
  Provides a single view of a user across enterprise systems
  Automatically keeps identity information across systems consistent
About Avaleris
Hugh Lindley, CISSP, VP, Identity Assurance, Avaleris Inc.
[email protected], (613) 237-9695 ext 235
Company Profile
  Microsoft Identity & Access (IDA) Systems Integration Partner
  Global provider of Identity Assurance professional services & solutions
  Incorporated by the founders of Alacris, the original developer of idNexus, the predecessor to Microsoft Certificate Lifecycle Manager (CLM); Alacris was acquired by Microsoft in late 2005 and idNexus is now integrated with Microsoft ILM 2007
  Successfully deployed at over 25 global clients in North America & Europe
Value Avaleris Provides
  Heritage of client success & proven solution approach in Identity Assurance
  Understanding of the management & implementation challenges
  Depth of technical expertise in Microsoft IDA products
Agenda
  The business case for Multi-Factor Authentication
  Typical ILM 2007 deployment scenarios
  Smart card deployment scenario walkthrough
  ILM 2007 demonstration
  Share best practices & lessons learned
  Identify additional resources
Business Drivers
Canada
  GSP and MITS
  Federal Accountability Act
  PIPEDA, FIPA, MFIPPA
  Bill 198 - ICOFR
International
  HSPD-12 / FIPS 201
  Sarbanes-Oxley
  HIPAA
  Gramm-Leach-Bliley
  Basel II
  EU Data Protection Directive
  EU Qualified Certificates & Signatures
  FFIEC
Regulatory Compliance
  Security and Risk Management
  Privacy and Information Protection
  Auditability and Accountability
Increased IT Security & Operational Efficiencies
  Effective deployment and lifecycle management of MFA
  Simplifying user authentication
  Increased efficiency of help desk staff
Implementation Challenges
Lifecycle Management of Smart Cards and Certificates
  Smart card personalization and customization
  Dealing with lost, stolen or forgotten smart cards
  Deployment of smart card middleware
  Multi-channel authentication
  Alignment of management and security practices
  High number of distributed sites and locations
  Leveraging existing IT infrastructure
  Integration with other IDA solution components
  Minimizing help desk workload
ILM 2007 Functionality
Smart Card / Certificate Lifecycle Management
  Single administration point for digital certificates and smart cards
  Configurable policy-based workflows for common tasks:
    Enroll / renew / update
    Recover / card replacement
    Revoke
    Retire / disable smart card
    Issue temporary / duplicate smart card
    Personalize smart card
  Detailed auditing and reporting
  Support for centralized, decentralized and self-service scenarios
  Tightly integrated with Active Directory
Smart Cards in the Public Sector
U.S. Federal Government
  HSPD-12 (issued August 2004) / FIPS 201 (published February 2005)
  Goal: establish a common identification standard for all federal government employees and contractors
  Personal Identity Verification (PIV) I (October 2005): identity validation & credential issuance process
  Personal Identity Verification (PIV) II (October 2006): ability to issue FIPS 201 compliant smart cards
  Most departments / agencies have met the initial FIPS 201 milestones and are working towards production implementations
Growing interest in the broader public & private sectors
Deployment Scenarios
  Smart Card Authentication
  Secure Email (S/MIME)
  Secure Remote Access (VPN)
  Wireless LAN Authentication
  File and Hard Drive Encryption
  Secure Web Applications
  Distributed Certificate Enrollment
  Document Signing
Smart Card Deployment
Requirement:
  Two-factor authentication
  Smart card based network login
  Verification of Employee ID before card issuance
  Address smart card management issues
  100s to 10,000s of users
Deployment Considerations:
1. Registration and Issuance Process
2. Choice of Smart Card Platform
3. Lifecycle Management of the Smart Cards
4. Middleware Deployment (if the card is not supported by the Microsoft Base Smart Card CSP)
ILM 2007 Architecture
Physical Architecture (diagram): End User; Microsoft Certificate Lifecycle Manager; Microsoft CAs; SQL; AD; E-mail
Component Architecture (diagram):
  Client: Internet Explorer with the CLM Browser Control; Smart Card Middleware
  Server: CLM Web App on Internet Information Server; CLM AD Integration
  Microsoft Certificate Authority with the CLM Policy Module and CLM Exit Module
ILM 2007 Architecture
Profile Templates
  Include one or more certificate templates managed as a single entity
  Can include templates issued from more than one CA
  Include management policies for each task that might be performed (enrollment workflow, recovery workflow, etc.), each with its own self-service data collection
  Additional profile data included for smart card management (smart card information, if needed)
  Contain the necessary information to enforce policy across multiple certificates, users, and groups
  Policy updates managed on a per-user basis by Active Directory (AD) groups
  Stored in AD and available across the forest
(diagram: Certificate Template(s), Management Policies, Profile Templates)
Smart Card Deployment
Management policies in the profile template: Enroll, Duplicate, Online Update, Replace, Recover on Behalf, Renew, Reinstate, Disable, Retire, Temporary Cards, Unblock
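The management policies listed above, and the workflow tasks on the ILM 2007 Functionality slide, amount to a state machine over a card and the certificates on it. The following is an added example (not ILM 2007's own code or API) that models that machine: each policy names the roles allowed to initiate it and the card states it may start from, certificate status follows the card (hold on disable, revoke on retire, supersede on renew), a temporary card suspends the primary rather than retiring it, and every attempt, including denials, is written to an audit trail. The role names, state names and transition table are assumptions chosen for illustration.

```python
# Added example: smart card / certificate lifecycle as a role-gated state machine.
# Roles, states and the POLICIES table are illustrative assumptions, not ILM's.
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    UNASSIGNED = "unassigned"   # blank stock, not yet issued to anyone
    ACTIVE = "active"
    DISABLED = "disabled"       # suspended: certificates on hold, card can be reinstated
    RETIRED = "retired"         # terminal: certificates revoked


@dataclass
class Cert:
    template: str
    serial: int
    status: str = "valid"       # valid | hold | revoked


@dataclass
class Card:
    card_id: str
    holder: str
    state: State = State.UNASSIGNED
    certs: list = field(default_factory=list)
    pin_tries_left: int = 3
    temporary: bool = False


# policy -> (roles allowed to initiate it, states it may start from, resulting state)
POLICIES = {
    "enroll":        ({"manager", "enrollment_agent"}, {State.UNASSIGNED}, State.ACTIVE),
    "temporary":     ({"helpdesk"},                    {State.UNASSIGNED}, State.ACTIVE),
    "renew":         ({"user"},                        {State.ACTIVE},     State.ACTIVE),
    "online_update": ({"user"},                        {State.ACTIVE},     State.ACTIVE),
    "unblock":       ({"helpdesk"},                    {State.ACTIVE},     State.ACTIVE),
    "disable":       ({"helpdesk", "manager"},         {State.ACTIVE},     State.DISABLED),
    "reinstate":     ({"helpdesk"},                    {State.DISABLED},   State.ACTIVE),
    "retire":        ({"helpdesk", "manager"},         {State.ACTIVE, State.DISABLED}, State.RETIRED),
}
ISSUING_POLICIES = {"enroll", "temporary", "renew", "online_update"}


class Lifecycle:
    def __init__(self, templates):
        self.templates = templates   # certificate templates in the profile template
        self.audit = []              # (policy, actor, role, card_id, outcome), denials included
        self._serial = 1000

    def _issue(self, card):
        """Write one certificate per template; anything already on the card is superseded."""
        for c in card.certs:
            c.status = "revoked"
        for t in self.templates:
            self._serial += 1
            card.certs.append(Cert(t, self._serial))

    def apply(self, policy, actor, role, card):
        roles, from_states, to_state = POLICIES[policy]
        if role not in roles:
            self.audit.append((policy, actor, role, card.card_id, "denied: role"))
            raise PermissionError(f"{role} may not initiate {policy}")
        if card.state not in from_states:
            self.audit.append((policy, actor, role, card.card_id, "denied: state"))
            raise ValueError(f"{policy} is not allowed from state {card.state.value}")
        if policy in ISSUING_POLICIES:
            self._issue(card)
        elif policy == "unblock":
            card.pin_tries_left = 3          # PIN reset after too many wrong entries
        elif policy == "disable":
            for c in card.certs:
                c.status = "hold"            # reversible, unlike revocation
        elif policy == "reinstate":
            for c in card.certs:
                if c.status == "hold":
                    c.status = "valid"
        elif policy == "retire":
            for c in card.certs:
                c.status = "revoked"
        card.state = to_state
        self.audit.append((policy, actor, role, card.card_id, "ok"))
        return card

    def issue_temporary(self, primary, blank, actor, role):
        """Forgotten or lost card: suspend the primary and issue a blank card as a temporary."""
        self.apply("disable", actor, role, primary)
        blank.holder = primary.holder
        blank.temporary = True
        return self.apply("temporary", actor, role, blank)
```

The point of separating "disable" (certificates on hold) from "retire" (certificates revoked) is the forgotten-card case: the primary card can be reinstated when it turns up, while a card reported stolen goes straight to retire, and the audit trail records who did what either way.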
Enroll Policy
Some questions to answer:
  What level of assurance are you trying to achieve?
  Are you giving the end user the ability to self-service?
  Are you using enrollment agents?
  Are you collecting comments?
  How many approvals do you require?
  Who can initiate the request?
  Who can approve the request?
  What types of data will you be collecting?
  Are you using one-time secrets for registration?
  Are you printing smart cards or documentation during enrollment?
Enroll Policy (workflow diagram; lanes: Managers, End Users, Help Desk)
  Initiate Enroll
  Verify Employee ID
  Approve
  Generate One-Time Passwords
  Login and Enter OTP
  Certificate is copied to the Smart Card
  User is Enrolled
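The enroll policy questions and the workflow above (initiate, verify the employee ID, approve, hand out a one-time password, user logs in and redeems it, certificates land on the card) are shown here as an added example, not ILM 2007's own code or API. It also models the profile-template points from the architecture slides: a profile template bundles certificate templates that may come from more than one CA, and its policy names which groups may initiate and approve. Assumptions, chosen for illustration: managers initiate, help desk verifies the employee ID and approves, two distinct approvals are required, the initiator may not approve their own request, only a hash of the one-time password is stored, it expires after 24 hours and locks after three wrong entries. The directory, group names, template and CA names are constructed.

```python
# Added example: a policy-driven enrollment request with approvals and a
# one-time secret. Group, template and CA names are constructed assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


class PolicyViolation(Exception):
    """An action attempted outside what the enroll policy allows."""


@dataclass(frozen=True)
class ProfileTemplate:
    name: str
    cert_templates: tuple           # (certificate template, issuing CA); may span several CAs
    initiator_groups: frozenset     # AD groups that may initiate the request
    approver_groups: frozenset      # AD groups that may verify the employee and approve
    approvals_required: int
    otp_ttl: timedelta = timedelta(hours=24)
    otp_max_attempts: int = 3


@dataclass
class EnrollRequest:
    profile: ProfileTemplate
    subject: str                    # user whose card is being enrolled
    initiator: str
    state: str = "initiated"
    approvals: set = field(default_factory=set)
    otp_hash: Optional[bytes] = None    # only a hash of the one-time secret is stored
    otp_expires: Optional[datetime] = None
    otp_attempts: int = 0
    issued: list = field(default_factory=list)


def _in_groups(user, groups, directory):
    """directory maps user -> set of group names (a constructed stand-in for AD)."""
    return bool(directory.get(user, set()) & groups)


def initiate(profile, subject, initiator, directory):
    if not _in_groups(initiator, profile.initiator_groups, directory):
        raise PolicyViolation(f"{initiator} may not initiate {profile.name}")
    return EnrollRequest(profile=profile, subject=subject, initiator=initiator)


def verify_and_approve(req, approver, employee_id_presented, employee_id_on_record, directory):
    """Help-desk step: check the presented employee ID against the record, then approve."""
    if req.state != "initiated":
        raise PolicyViolation(f"cannot approve a request in state {req.state}")
    if not _in_groups(approver, req.profile.approver_groups, directory):
        raise PolicyViolation(f"{approver} is not an approver")
    if approver == req.initiator:
        raise PolicyViolation("initiator may not approve their own request")
    if not hmac.compare_digest(employee_id_presented, employee_id_on_record):
        raise PolicyViolation("employee ID does not match the record")
    req.approvals.add(approver)     # a set: one person cannot count as two approvals
    if len(req.approvals) >= req.profile.approvals_required:
        req.state = "approved"


def issue_one_time_password(req, now):
    """Returns the secret to hand to the user out of band; the request keeps only its hash."""
    if req.state != "approved":
        raise PolicyViolation("one-time password requires an approved request")
    otp = secrets.token_hex(4)      # 8 hex characters, e.g. printed on a slip
    req.otp_hash = hashlib.sha256(otp.encode()).digest()
    req.otp_expires = now + req.profile.otp_ttl
    req.state = "awaiting_user"
    return otp


def complete_enrollment(req, user, otp, now, next_serial):
    """User logs in with the OTP; on success one certificate per template goes to the card."""
    if req.state != "awaiting_user" or user != req.subject:
        raise PolicyViolation("no pending enrollment for this user")
    if now > req.otp_expires:
        req.state = "expired"
        raise PolicyViolation("one-time password expired")
    req.otp_attempts += 1
    if not hmac.compare_digest(hashlib.sha256(otp.encode()).digest(), req.otp_hash):
        if req.otp_attempts >= req.profile.otp_max_attempts:
            req.state = "locked"    # help desk must re-issue
        raise PolicyViolation("one-time password rejected")
    req.otp_hash = None             # single use
    for template, ca in req.profile.cert_templates:
        req.issued.append({"template": template, "ca": ca, "serial": next_serial()})
    req.state = "enrolled"
    return req.issued


# Constructed directory, profile template and clock for a stand-alone run.
DIRECTORY = {"alice": {"Managers"}, "bob": {"HelpDesk"}, "carol": {"HelpDesk"}, "dave": set()}
LOGON_PROFILE = ProfileTemplate(
    name="Employee Smart Card",
    cert_templates=(("SmartcardLogon", "CorpIssuingCA1"), ("SecureEmail", "CorpIssuingCA2")),
    initiator_groups=frozenset({"Managers"}),
    approver_groups=frozenset({"HelpDesk"}),
    approvals_required=2,
)
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def run_demo():
    """Happy path for dave's card: alice initiates, bob and carol approve, dave redeems the OTP."""
    serials = iter(range(1000, 1100))
    req = initiate(LOGON_PROFILE, "dave", "alice", DIRECTORY)
    verify_and_approve(req, "bob", "E-4711", "E-4711", DIRECTORY)
    verify_and_approve(req, "carol", "E-4711", "E-4711", DIRECTORY)
    otp = issue_one_time_password(req, DEMO_NOW)
    complete_enrollment(req, "dave", otp, DEMO_NOW + timedelta(minutes=5), lambda: next(serials))
    return req
```

Two design choices carry the assurance level: the one-time password is generated from `secrets`, stored only as a hash and invalidated on first use, so a database read does not yield a usable registration secret; and approval is a set keyed by approver with a separation-of-duties check, so the "how many approvals" answer cannot be satisfied by one person clicking twice or by the manager who opened the request.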
Smart Card Enrollment Policy and Smart Card Issuance
Benefits of the ILM 2007 Approach
Two Factor Authentication
  Reduced cost and complexity
  Flexible policy-driven workflow model
  Integrated Identity Lifecycle Management (certificates, smart cards, etc.)
  Supports a range of smart card platforms
  Less custom development effort required
  Leverages existing infrastructure
Lessons Learned
Business
  Proceed in a phased approach to realize success early
  Align the issuance process with management and security policy
  Use risk assessments to identify high-sensitivity systems
  Determine your required level of assurance
  Map the access control workflow and optimize where possible
Technical
  Understand the smart card lifecycle management challenge
  Map out the optimal deployment scenario: centralized, decentralized or self-service
  Select a smart card & middleware strategy
  Deal with temporary card issuance
  Leverage existing infrastructure where practical
ILM 2007 Resources
Microsoft ILM 2007 Website - www.microsoft.com/ilm
  Datasheets
  Whitepapers
  Flash Demo
Avaleris Website - www.avaleris.com
  Identity Assurance Solutions
  ILM 2007 Service Offerings
  Whitepapers & technical information
Avaleris ILM 2007 Lunch & Learn Series
  Closer look at ILM 2007 within the context of your specific requirements
  Map out next steps towards an ILM 2007 Proof of Concept Pilot
  Contact your Avaleris representative for the schedule of upcoming sessions
Avaleris Contacts
Hugh Lindley, CISSP, VP, Identity Assurance, [email protected], (613) 237-9795 ext 235
Anita Burwash, VP, Sales, [email protected], (613) 237-9695 ext 221