Identity Lifecycle Management - Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd


Post on 19-Dec-2015


TRANSCRIPT

  • Slide 1: Identity Lifecycle Management
    Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd. rafal@projectbotticelli.co.uk, www.projectbotticelli.co.uk. Copyright 2006 Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the Comments field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the Introductions presentation for acknowledgments.
  • Slide 2: Objectives
    - Introduce Microsoft Identity Integration Server and related products and technologies
    - Explain the processes involved in lifecycle management
  • Slide 3: Session Agenda
    - Functionality of Microsoft Identity Integration Server
    - Scenarios and Applications of MIIS
    - A Few Tips on MIIS
  • Slide 4: Microsoft's Identity Management (product map)
    - Products shown: PKI / CA, Extended Directory Services, Active Directory & ADAM, Enterprise Single Sign On, Authorization Manager, Active Directory Federation Services, Audit Collection Services, BizTalk, Identity Integration Server, ISA Server, SQL Server, Reporting Services, Services for Unix / Services for Netware
    - The diagram groups them under three areas: Directory (Store) Services, Access Management, Identity Lifecycle Management
  • Slide 5: Functionality of Microsoft Identity Integration Server (section title)
  • Slide 6: What is MIIS?
    - A rock-solid synchronization engine for identity information
    - Software that ensures consistency of identity data across repositories
    - MIIS makes it radically easier to design, deploy and manage a metadirectory across an enterprise of any size
  • Slide 7: IIFP - Identity Integration Feature Pack for Windows Server 2003
    - A subset of MIIS functionality, available free of charge as a download
    - Synchronisation with only the following stores: Active Directory, ADAM, Exchange 2000/2003 Server
  • Slide 8: MIIS: Identity Lifecycle Management
    - New User: user ID creation, credential issuance, access rights
    - Account Changes: promotions, transfers, new privileges, attribute changes
    - Password Management: strong passwords, lost password, password reset
    - Retire User: delete/freeze accounts, delete/freeze entitlements
  • Slide 9: MIIS Capabilities & Benefits
    - Key capabilities: identity synchronization; provisioning & deprovisioning; password management; agentless connection to heterogeneous systems
    - Key benefits: easy to deploy; easy to translate business rules into MIIS; easy to build a solution over time; robust and scalable; low cost
    - (Diagram: state-based identity data connected to LDAP, SQL, NOS and LOB apps)
  • Slide 10: Metadirectory Concept
    - Represents all identity information from all connected data sources
    - Through a mechanism of rules, allows even the most intricate relationships to be maintained between seemingly incompatible identity management systems
    - The heart of the MIIS system
  • Slide 11: LDAP Scenario
    - (Diagram: HR, AD and Email connected through MIIS; functions shown: Join/Leave, Provisioning, RBAC)
    - Example: University of West England: 40,000 students; 8,000 new students each year; provisioned into 4 systems (including AD, Exchange, NT, HR); immediate savings of 50k/year
  • Slide 12: Password Scenario
    - (Diagram: AD, LDAP and Email connected through MIIS; functions shown: Join/Leave, Provisioning, RBAC, Portal, Self-service/helpdesk, ID data/passwords; password paths shown: user change captured by PCNS, helpdesk reset, user reset, web applications)
    - Example: Elsevier: passwords managed across AD, Lotus Notes, Sun ONE
  • Slide 13: Portal Scenario
    - (Diagram: Portals and a Web Application backed by ADAM; HR, AD, LDAP and Email connected through MIIS; functions shown: Join/Leave, Provisioning, RBAC, Portal, Self-service/helpdesk, ID data/passwords)
  • Slide 14: Most Typical Implementations
    - White Pages
    - Directory Synchronization
    - Identity Administration / Self Service
  • Slide 15: MIIS Terms
    - Connected Data Source (CD): any source and/or destination containing identity data
    - Management Agent (MA): facilitates the communication between the CD and the CS and MV
    - Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
    - Metaverse (MV): central (SQL) store of identity information
    - Matching CS entries to a single MV entry is called a join
    - (Diagram: CD - MA - CS - MV, with the MA, CS and MV inside MIIS)
  • Slide 16: MIIS Concepts
    - MV entries are linked to CS entries through: projection; provisioning a connector; joining
    - CS entries represent objects in Connected Data Sources
    - Synchronization is between MV and CS
    - Staging is from CD to CS
    - Export is from CS to CD
    - (Diagram: Connected Data Sources (User, Notes, Oracle, SQL, SAP) - Connector Space (CS) - Metaverse (MV))
    - Let's zoom in on what MIIS does
  • Slide 17: MIIS Sequence of Events
    1. Oracle HR database staged and projected
    2. Provision and export to SQL-based approval system
    3. Manager approval app causes import and delta synchronization
    4. Sun One and Notes connectors provisioned and exported
    (Diagram: same CD / CS / MV layout as slide 16)
  • Slide 18: Object Creation
    1) HR MA imports new user object
    2) Project new user
    3) Create new connector
    4) Set anchor value
    5) Set other initial values
    6) Export attribute flow
    7) Normal MA export run (creates object in CD)
    (Diagram: the HR CD person object is staged into the CS and projected into an MV person object; the provision step in the MV rules extension creates the connector in the target CS)
  • Slide 19: Object Deletion
    Note: deprovision does not necessarily mean delete.
    1) HR MA imports user object with status = terminated
    2) Object deletion rule applies: the connector filter (status=terminated) is satisfied, the CS object becomes a disconnector and the MV object is deleted
    3) and 4) Deprovision, in the MA rules extension: each remaining connector is either made a normal disconnector, made an explicit disconnector, or deleted; a custom extension can implement either outcome
    5) MA export deletes the CD object
    Disconnector cleanup follows.
  • Slide 20: Scenarios and Applications of MIIS (section title)
  • Slide 21: Identity Lifecycle Management with MIIS
    - Password Management
    - Identity Provisioning
    - Synchronisation
    - Audit
    - Compliance Assurance
    - Role Management (for Role-based Access Management)
  • Slide 22: Password Synchronization
    - (Diagram: a password change made at Ctrl-Alt-Del on the source system is captured on the AD Domain Controller by PCNS (PCNSFlt.DLL); the encrypted password is sent to MIIS, which issues password resets to the target systems through the AD MA and each MA's password extension)
  • Slide 23: Password Management
    - Initial password set versus password management
    - Passwords are write-only
    - Scope of password management
    - Security groups
    - Events and password history
    - Developing custom applications: WMI
    - (Diagram: helpdesk web app and self-serve clients; MIIS connected to NT4, Lotus Notes, AD, Sun ONE, AD/ADAM, Novell eDirectory)
  • Slide 24: MIIS Password Management (application-based sign-on)
    1. User changes password using the password management web app
    2. Password management app finds matching accounts in MIIS
    3. Passwords updated
    4. User signs on to the app
    (Diagram: Infrastructure Directory (AD), ADAM, 3rd-party LDAP, LOB4 and LOB5 connected through MIIS)
  • Slide 25: Provisioning
    - Identity can be sourced from a number of directories through management agents (MAs): database, LDAP, file-based
    - Whenever a Metaverse object is changed, Provision methods run; this is code in a Metaverse rule DLL
    - If not catered for by an existing management agent, you can customise it to suit the most unusual provisioning needs
    - Deprovisioning is those operations that occur at the end of an identity life cycle (deletion, disabling)
  • Slide 26: Synchronisation: MIIS Out-of-the-Box Connectivity
    - NT 4; Exchange 5.5; Lotus Notes; SQL Server; Oracle; Informix and dBase; IBM RACF; IBM DB2; Novell eDirectory; PeopleSoft; SAP
    - Partner (extensible) Management Agents (NEW!); other systems to follow
    - Active Directory / Exchange; Active Directory Application Mode (ADAM); SunOne Directory (iPlanet); IBM Tivoli Directory Server (SecureWay)
    - DSML 2.0; LDAP Directory Interchange Format (LDIF); Delimited Text; Fixed-Width Text; Attribute-Value Pair Text
  • Slide 27: Audit and Compliance
    - Regulatory requirements: SarbOx, Data Protection Directive/Act, Freedom of Information Acts, HIPAA
    - Arguably, we have to monitor the directories, not MIIS's claims. As this is very difficult today, here is an interim suggestion:
      1. Centralise all tracked identity information on an MIIS metadirectory
      2. Audit MIIS events
      3. Code bespoke rules
      4. Obtain existing compliance-checking code (e.g. OCG)
      5. Use Microsoft Audit Collection Service (ACS) for ensuring the integrity of the audit
    - ACS plans to ship with the next version of Microsoft Operations Manager
  • Slide 28: Audit Collection Services: Architectural Overview
    - (Diagram: security logs from monitored clients and monitored servers, where events are subject to tampering, are forwarded via WMI to a SQL-based collector, where events are under the control of auditors; consumers shown are real-time intrusion detection, forensic analysis, a management system and applications)
  • Slide 29: Additional Security Benefit
    - Through analysis of the MIIS audit (for example, using Microsoft Operations Manager) you can detect unusual and unexpected operations
    - This can become a basis for building an element of your automated Intrusion Detection System (IDS)
    - Please refer to Holistic Security seminar, Part 2, available on www.microsoft.com/itsshowtime fo
