Posted on 21-Dec-2015

Identity and Access Management: Overview

Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
[email protected]
www.projectbotticelli.co.uk

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.

Objectives

Build a good conceptual background to enable later technical discussions of the subject
Overview the problems and opportunities in the field of identity and access management
Introduce terminology
Highlight a possible future direction

Session Agenda

Identity Problem of Today
Identity Laws and Metasystem
Components and Terminology
Roadmap

Identity Problem of Today

Universal Identity?

The Internet was built so that communications are anonymous
In-house networks use multiple, often mutually incompatible, proprietary identity systems
Users are incapable of handling multiple identities
Criminals love to exploit this mess

Explosion of IDs

Chart: number of digital IDs against time, rising from the pre-1980s through the 1980s, 1990s and 2000s. Platform eras: Mainframe, Client Server, Internet, Mobility. Application eras: Business Automation, Company (B2E), Partners (B2B), Customers (B2C).

The Disconnected Reality

“Identity Chaos”

Lots of users and systems required to do business
Multiple repositories of identity information; multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing

Diagram: Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application and NOS, each carrying its own Authentication, Authorization and Identity Data (some only Authentication, some only Authorization and Identity Data), with no link between them.

Multiple Contexts

Your COMPANY and your EMPLOYEES: M&A; mobile/global workforce; flexible/temp workforce
Your SUPPLIERS and your PARTNERS: collaboration; outsourcing; faster business cycles, process automation; value chain
Your CUSTOMERS: customer satisfaction and customer intimacy; cost competitiveness; reach, personalization
Your REMOTE and VIRTUAL EMPLOYEES

Trends Impacting Identity

Increasing Threat Landscape: identity theft costs banks and credit card issuers $1.2 billion in one year; $250 billion lost in 2004 from exposure of confidential information
Maintenance Costs Dominate IT Budget: on average employees need access to 16 apps and systems; companies spend $20-30 per user per year on password resets
Deeper Line-of-Business Automation and Integration: one half of all enterprises have SOA under development; web services spending growing at 45% CAGR
Rising Tide of Regulation and Compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, ...; $15.5 billion spent in 2005 on compliance (analyst estimate)

Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice

Pain Points

Business Owner: too expensive to reach new partners, channels; need for control
End User: too many passwords; long waits for access to apps, resources
IT Admin: too many user stores and account admin requests; unsafe sync scripts
Developer: redundant code in each app; rework code too often
Security/Compliance: too many orphaned accounts; limited auditing ability

Possible Savings

Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group

Password Management
“Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” - Gartner

User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group

Can We Just Ignore It All?

Today, the average corporate user spends 16 minutes a day logging on
A typical home user maintains 12-18 identities
The number of phishing and pharming sites grew over 1600% over the past year
Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
Regulators are becoming stricter about compliance and auditing
Orphaned accounts and identities lead to security problems

Source: Microsoft’s internal research and Anti-Phishing Working Group, Feb 2005

One or Two Solutions?

Better Option:
Build a global, universal, federated identity metasystem
Will take years...

Quicker Option:
Build an in-house, federated identity metasystem based on standards
Federate it to others, system-by-system

But: both solutions could share the same conceptual basis

Identity Laws and Metasystem

Lessons from Passport

Passport was designed to solve two problems

Identity provider for MSN
250M+ users, 1 billion logons per day
Significant success

Identity provider for the Internet
Unsuccessful: not trusted “outside context”
Not generic enough
Meant giving up control over identity management
Cannot re-write apps to use a central system

Learning: the solution must be different from Passport

Idea of an Identity Metasystem

Not an Identity System
Agreement on metadata and protocols, allowing multiple identity providers and brokers
Based on open standards
Supported by multiple technologies and platforms
Adhering to the Laws of Identity
With full respect for privacy needs

Roles Within the Identity Metasystem

Identity Providers
Organisations, governments, even end-users
They provide Identity Claims about a Subject
Name, vehicles allowed to drive, age, etc.

Relying Parties
Online services or sites, doors, etc.

Subjects
Individuals and other bodies that need their identity established

Metasystem Players

Relying Parties: require identities
Subjects: individuals and other entities about whom claims are made
Identity Providers: issue identities
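The exchange between the three players above, as an added worked example that is not part of the original deck: a toy identity provider issues a token of claims about a subject, directed at one named relying party, and the relying party verifies issuer, signature, audience and validity window before it trusts a single claim. The directory contents, the issuer and relying-party names, the shared HMAC key (standing in for the identity provider's signing key pair) and the derived over_18 claim are all constructed for illustration; no real product or wire format is implied.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample directory held by the identity provider (not real data).
SUBJECTS = {
    "alice": {"name": "Alice Example", "date_of_birth": "1984-03-07", "licence_classes": ["B", "A1"]},
    "bob": {"name": "Bob Example", "date_of_birth": "2010-11-23", "licence_classes": []},
}

# Constructed shared secret. A real metasystem would use the IdP's signing
# key pair; an HMAC keeps this example self-contained.
IDP_KEY = b"example-idp-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues claims about a subject, directed at one named relying party."""

    def __init__(self, name: str, key: bytes, directory: dict):
        self.name, self.key, self.directory = name, key, directory

    def issue(self, subject: str, audience: str, requested: list, now: int) -> str:
        record = self.directory[subject]
        claims = {}
        for claim in requested:
            if claim == "over_18":
                # Minimal disclosure: the RP gets a yes/no answer, not the birth date.
                born = datetime.strptime(record["date_of_birth"], "%Y-%m-%d").date()
                today = datetime.fromtimestamp(now, tz=timezone.utc).date()
                age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
                claims[claim] = age >= 18
            elif claim in record:
                claims[claim] = record[claim]
            # Claims the IdP cannot vouch for are omitted, never invented.
        payload = {"iss": self.name, "sub": subject, "aud": audience,
                   "iat": now, "exp": now + 300, "claims": claims}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class RelyingParty:
    """Consumes claims from a fixed set of trusted identity providers."""

    def __init__(self, name: str, trusted: dict):
        self.name, self.trusted = name, trusted  # issuer name -> verification key

    def accept(self, token: str, now: int) -> dict:
        body, _, sig = token.partition(".")
        try:
            payload = json.loads(_unb64(body))
        except ValueError:
            payload = None
        if not isinstance(payload, dict):
            raise ValueError("malformed token")
        # Nothing in the payload is trusted until the signature has been checked.
        key = self.trusted.get(payload.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")
        if payload.get("aud") != self.name:
            raise ValueError("token directed at another party")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("token expired or not yet valid")
        return payload["claims"]


def _outcome(rp: RelyingParty, token: str, now: int) -> str:
    try:
        rp.accept(token, now)
        return "accepted"
    except ValueError as err:
        return str(err)


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """IdP -> subject -> RP flow, including the failures an RP must catch."""
    idp = IdentityProvider("dmv.example", IDP_KEY, SUBJECTS)
    gate = RelyingParty("parking-gate.example", {"dmv.example": IDP_KEY})
    shop = RelyingParty("shop.example", {"dmv.example": IDP_KEY})
    out = {}
    token = idp.issue("alice", "parking-gate.example", ["name", "over_18"], now)
    out["alice"] = gate.accept(token, now)
    token_bob = idp.issue("bob", "parking-gate.example", ["over_18"], now)
    out["bob"] = gate.accept(token_bob, now)
    # The subject edits the claim but cannot re-sign the body.
    body, _, sig = token_bob.partition(".")
    forged = json.loads(_unb64(body))
    forged["claims"]["over_18"] = True
    out["tampered"] = _outcome(gate, _b64(json.dumps(forged, sort_keys=True).encode()) + "." + sig, now)
    # Directed identity: a token issued for the gate is useless at the shop.
    out["wrong_audience"] = _outcome(shop, token, now)
    out["expired"] = _outcome(gate, token, now + 3600)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The order of checks in accept is deliberate: the issuer is looked up only to select a key, the signature is verified before any field is acted on, and audience and time window are checked last, so a valid token stolen from one relying party cannot be replayed at another.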

Identity Metasystem Today

Basically, the set of WS-* security specifications as we have them

Plus
Software that implements the services: Microsoft and many others working on it
Companies that would use it: still to come, but early adopters exist
End-users that would trust it: will take time

Identity Laws (www.identityblog.com)

1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts

Enterprise Applicability

That proposed metasystem would work well inside a corporation
Of course, we need a solution before it becomes a reality
Following the principles seems a good idea while planning immediate solutions
Organic growth is likely to lead to an identity metasystem in the long term

Enterprise Trends

Kerberos is very useful, but increasingly it does not span disconnected identity forests and technologies easily
We are moving away from static Groups and traditional ACLs...
Increasingly limited and difficult to manage on large scales
...towards a dynamic combination of:
Role-Based Access Management, and
Rich Claims Authorization
PKI is still too restrictive, but it is clearly a component of a possible solution
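To make the “dynamic combination” concrete, here is an added example (not from the original deck) of an authorization decision computed from roles and claims rather than from per-object ACLs. The operation/task/role layering loosely follows the structure Authorization Manager uses, but the policy store, scopes, claim names, business rules and sample subjects are all constructed for this illustration.

```python
# Constructed policy store, modelled loosely on the operation -> task -> role
# layering of Authorization Manager. All names and rules are illustrative.
OPERATIONS = {"read_invoice", "create_invoice", "approve_invoice", "delete_invoice"}

TASKS = {
    "ViewInvoices": {"read_invoice"},
    "EnterInvoices": {"read_invoice", "create_invoice"},
    "ApproveInvoices": {"read_invoice", "approve_invoice"},
}

ROLES = {
    "Clerk": {"EnterInvoices"},
    "Approver": {"ApproveInvoices"},
    "Auditor": {"ViewInvoices"},
}


# Role membership is computed from claims at decision time, not read from a
# static group. These predicates are the "rich claims" half of the policy.
def claim_eq(name, value):
    return lambda c: c.get(name) == value


def claim_ge(name, value):
    return lambda c: c.get(name, 0) >= value


def claim_has(name, value):
    return lambda c: value in c.get(name, ())


def all_of(*preds):
    return lambda c: all(p(c) for p in preds)


# Scope -> list of (role, rule that grants the role). The scopes here are two
# ledgers; in a directory-backed system they might be OUs or applications.
ASSIGNMENTS = {
    "AccountsPayable": [
        ("Clerk", claim_eq("department", "AccountsPayable")),
        ("Approver", all_of(claim_eq("department", "AccountsPayable"), claim_ge("grade", 5))),
        ("Auditor", claim_has("groups", "InternalAudit")),
    ],
    "AccountsReceivable": [
        ("Auditor", claim_has("groups", "InternalAudit")),
    ],
}

# Operation-level business rules that look at the resource as well as the
# subject: an approver may not exceed their limit or approve their own entry.
BUSINESS_RULES = {
    "approve_invoice": lambda c, r: (
        r.get("amount", 0) <= c.get("approval_limit", 0)
        and r.get("created_by") != c.get("sub")),
}


def roles_for(claims: dict, scope: str) -> set:
    return {role for role, rule in ASSIGNMENTS.get(scope, []) if rule(claims)}


def operations_for(roles: set) -> set:
    ops = set()
    for role in roles:
        for task in ROLES.get(role, ()):
            ops |= TASKS.get(task, set())
    return ops


def is_authorized(claims: dict, operation: str, scope: str, resource: dict = None) -> bool:
    """AuthZ decision from claims and policy; no per-resource ACL is consulted."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    if operation not in operations_for(roles_for(claims, scope)):
        return False
    rule = BUSINESS_RULES.get(operation)
    return rule(claims, resource or {}) if rule else True


# Constructed claim sets, as an identity provider or directory might supply them.
CAROL = {"sub": "carol", "department": "AccountsPayable", "grade": 4, "groups": ["AP-Staff"], "approval_limit": 0}
DAVE = {"sub": "dave", "department": "AccountsPayable", "grade": 6, "groups": ["AP-Staff"], "approval_limit": 10000}
ERIN = {"sub": "erin", "department": "Audit", "grade": 7, "groups": ["InternalAudit"]}
INVOICE = {"id": "INV-1", "amount": 7500, "created_by": "carol"}
OTHER_INVOICE = {"id": "INV-2", "amount": 7500, "created_by": "frank"}
BIG_INVOICE = {"id": "INV-3", "amount": 25000, "created_by": "frank"}


def promoted(claims: dict) -> dict:
    """HR raises a grade and limit; the new entitlement follows with no ACL edit."""
    return dict(claims, grade=5, approval_limit=10000)


if __name__ == "__main__":
    print(sorted(roles_for(DAVE, "AccountsPayable")))
    print(is_authorized(promoted(CAROL), "approve_invoice", "AccountsPayable", OTHER_INVOICE))
```

Contrast with the static approach: with ACLs, Carol's promotion would mean re-permissioning every invoice object or adding her to a group that someone must later remember to remove. Here the HR-sourced grade claim changes the decision on the next evaluation, and the separation-of-duty rule still stops her approving her own invoice.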

Components and Terminology

What is Identity Management?

Provisioning
Single Sign On
PKI
Strong Authentication
Federation
Directories
Authorization
Secure Remote Access
Password Management
Web Services Security
Auditing & Reporting
Role Management
Digital Rights Management

Identity and Access Management

A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials

Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
Directory Services: repositories for storing and managing accounts, identity information, and security credentials
Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance

Remember the Chaos?

Diagram, as before: Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application and NOS, each with its own Authentication, Authorization and Identity Data.

Identity Integration

Diagram: an Identity Integration Server sits between the Enterprise Directory and the connected systems (HR System, Infra Application, Lotus Notes Apps, In-House Applications, COTS Application, Student Admin), each of which still holds its own Authentication, Authorization and Identity Data; identity data now flows through the integration server instead of being maintained separately in each.
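An added example, not from the original deck, of what the identity integration server in the diagram above does on each run: join records from the authoritative HR source to directory accounts on employeeID, flow attributes according to a precedence rule, provision accounts for new hires, disable (not delete) the accounts of leavers, and report the orphaned accounts the pain-point slide warned about. The HR feed, directory contents and naming rule are constructed; the code is a simplified model of a metadirectory, not MIIS.

```python
import copy

# Constructed authoritative HR feed (not real data). HR is the source of truth
# for who is employed and in which department.
HR_RECORDS = [
    {"employeeID": "1001", "givenName": "Alice", "sn": "Example", "department": "Finance", "status": "active"},
    {"employeeID": "1002", "givenName": "Bob", "sn": "Example", "department": "Sales", "status": "terminated"},
    {"employeeID": "1003", "givenName": "Carol", "sn": "New", "department": "Engineering", "status": "active"},
]

# Constructed connected directory, keyed by account name.
DIRECTORY = {
    "aexample": {"employeeID": "1001", "department": "Accounting", "enabled": True},
    "bexample": {"employeeID": "1002", "department": "Sales", "enabled": True},
    "zstale": {"employeeID": "9999", "department": "IT", "enabled": True},
    "svc_backup": {"employeeID": None, "department": None, "enabled": True},
}

# Attribute flow: which connected source wins for each metaverse attribute.
FLOW_PRECEDENCE = {"department": "hr"}


def account_name(given: str, surname: str, existing: set) -> str:
    """First initial + surname, with a numeric suffix if the name is taken."""
    base = (given[:1] + surname).lower()
    name, n = base, 1
    while name in existing:
        n += 1
        name = f"{base}{n}"
    return name


def synchronize(hr_records: list, directory: dict) -> dict:
    """One sync run: join on employeeID, flow attributes, provision, deprovision."""
    accounts = copy.deepcopy(directory)  # never mutate the caller's view
    actions = []
    # Join rule: employeeID is the anchor on both sides. Accounts without one
    # (service accounts) are outside this rule and need their own owner review.
    by_employee = {a["employeeID"]: name for name, a in accounts.items() if a["employeeID"] is not None}
    seen = set()
    for rec in hr_records:
        eid = rec["employeeID"]
        seen.add(eid)
        name = by_employee.get(eid)
        if rec["status"] != "active":
            # Deprovision by disabling, not deleting: keeps the audit trail intact.
            if name and accounts[name]["enabled"]:
                accounts[name]["enabled"] = False
                actions.append(("disable", name))
            continue
        if name is None:
            name = account_name(rec["givenName"], rec["sn"], set(accounts))
            accounts[name] = {"employeeID": eid, "department": None, "enabled": True}
            actions.append(("provision", name))
        for attr, source in FLOW_PRECEDENCE.items():
            if source == "hr" and accounts[name][attr] != rec[attr]:
                actions.append(("update", name, attr, accounts[name][attr], rec[attr]))
                accounts[name][attr] = rec[attr]
    # Orphans: joined accounts whose employee no longer appears in HR at all.
    orphans = sorted(name for eid, name in by_employee.items() if eid not in seen)
    return {"accounts": accounts, "actions": actions, "orphans": orphans}


if __name__ == "__main__":
    run = synchronize(HR_RECORDS, DIRECTORY)
    for action in run["actions"]:
        print(action)
    print("orphans:", run["orphans"])
```

Two design points matter in practice: leavers are disabled rather than deleted so that ownership of their data and audit history survives, and an orphan is reported rather than silently removed, because a directory account with no HR record may be a contractor, a test account or a compromise, and only a human can tell which.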

IAM Benefits

Benefits today (Tactical)
Save money and improve operational efficiency
Improved time to deliver applications and service
Enhance Security
Regulatory Compliance and Audit

Benefits to take you forward (Strategic)
New ways of working
Improved time to market
Closer Supplier, Customer, Partner and Employee relationships

Some Basic Definitions

Authentication (AuthN)
Verification of a subject’s identity by means of relying on a provided claim
Identification is sometimes seen as a preliminary step of authentication
Collection of untrusted (as yet) information about a subject, such as an identity claim

Authorization (AuthZ)
Deciding what actions, rights or privileges the subject can be allowed

Trend towards separation of those two
Or even of all three, if biometrics are used

Components of IAM

Administration
User Management
Password Management
Workflow
Delegation

Access Management
Authentication
Authorization

Identity Management
Account Provisioning
Account Deprovisioning
Synchronisation
Reliable Identity Data

IAM Architecture

Roadmap

Microsoft’s Identity Management

Diagram grouping products under Directory (Store) Services, Access Management and Identity Lifecycle Management: PKI / CA, Extended Directory Services, Active Directory & ADAM, Enterprise Single Sign On, Authorization Manager, Active Directory Federation Services, Audit Collection Services, BizTalk, Identity Integration Server, ISA Server, SQL Server Reporting Services, Services for Unix / Services for Netware.

Components of a Microsoft-based IAM

Infrastructure Directory: Active Directory
Application Directory: AD/AM (LDAP)
Lifecycle Management: MIIS
Workflow: BizTalk, Partner Solutions (Ultimus BPM, SAP)
Role-Based Access Control: Authorization Manager or Partner Solutions (ex: OCG, RSA) and traditional approaches
Directory & Password Synchronization: MIIS & Partner solutions
SSO (Intranet): Kerberos/NTLM, Vintela/Centrify
Enterprise SSO (Intranet): SharePoint ESSO, BizTalk ESSO, HIS ESSO
Strong Authentication: SmartCards, CA/PKI, Partner (eg. RSA SecurID, Alacris, WizeKey)
Web SSO: ADFS, Partner (eg. RSA ClearTrust)
Integration of UNIX/Novell: SFU, SFN, Partner (eg. Vintela/Centrify)
Federation: ADFS

Summary

We have reached an “Identity Crisis” both on the intranet and the Internet
The Identity Metasystem suggests a unifying way forward
Meanwhile, Identity and Access Management systems need to be built so enterprises can benefit immediately
Microsoft is rapidly becoming a strong provider of IAM technologies and IM vision

www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet

Special Thanks

This seminar was prepared with the help of:

Oxford Computer Group Ltd
Expertise in Identity and Access Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com

Microsoft, with special thanks to:
Daniel Meyer - thanks for many slides
Steven Adler, Ronny Bjones, Olga Londer - planning and reviewing
Philippe Lemmens, Detlef Eckert - sponsorship
Bas Paumen & NGN - feedback