Identity and Access Management
Business Ready Security Solutions
Karl Bjarne Westbye, Security & Management, Microsoft
24 March 2010
Business Needs and IT Challenges

Business needs (agility and flexibility):
- Provide secure access to applications from anywhere
- Simplify the user experience for collaboration
- Provide seamless movement between applications
- Reduce the cost of account management

IT challenges (IT needs control):
- Multiple locations and devices
- Difficulty in extending business resources
- Disparate systems to manage
- Complex account lifecycle management
Current Situation
- Time- and labor-intensive processes
- Different sign-on requirements for applications
- Password resets and access requests handled through the help desk
- Multiple identities and limited sign-on help
- Remote access solution with separate identities
- Contoso managing Fabrikam accounts; Fabrikam managing Contoso accounts
Business Ready Security
Help securely enable business by managing risk and empowering people
- Protect everywhere, access anywhere
- Identity
- Simplify the security experience, manage compliance
- Highly secure and interoperable platform
- Integrate and extend security across the enterprise
From: Block, Cost, Siloed. To: Enable, Value, Seamless.
Business Ready Security Solutions
- Secure Messaging
- Secure Collaboration
- Secure Endpoint
- Information Protection
- Identity and Access Management
- Active Directory Federation Services
Identity and Access Management
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
- PROTECT everywhere, ACCESS anywhere: provide more secure, always-on access; enable access from virtually any device
- INTEGRATE and EXTEND security: control access across organizations; provide standards-based interoperability
- SIMPLIFY security, MANAGE compliance: extend powerful self-service capabilities to users; automate and simplify management tasks
Provide More Secure, Anywhere Access

DirectAccess
- Empower business: seamless and more secure access; simplified, always-on access
- Empower IT: policy-based network access; ability to manage machines anywhere

Consolidated secure portal
- Empower business: consolidated secure portal to simplify remote access to resources; simplified sign-on
- Empower IT: policy-based resource access

Access from any device
- Empower business: access from virtually any device
- Empower IT: policy-based restricted access
Simplify Identity Management
Governed self-service and automation
- Empower business: self-service profile, credential, and group management; password and PIN reset from Windows login; group management from within Microsoft Office; single identity across heterogeneous applications
- Empower IT: end-to-end, workflow-driven user provisioning; policy-controlled self-service capabilities; automatic, attribute-based group membership for simplified resource access
Source: Windows identity management tools move closer to completion. TechTarget, November 2008. http://searchwinit.techtarget.com/news/article/0,289142,sid1_gci1337386,00.html
Business Ready Security: The Road Ahead
(Roadmap slide: Platform, Protection & Access, Solutions, Management; Active Directory Domain Services; DirectAccess. Subject to change.)
Technology Drilldown
The Microsoft Solution for Identity and Access Management
- Protect everywhere, access anywhere: access to on-premises and cloud services; user provisioning; strong authentication
- Integrate and extend security: standards-based, interoperable identity sharing; support for heterogeneous environments
- Simplify security, manage compliance: self-service capabilities in Microsoft Office and Microsoft Windows; compliance management
Secure and Seamless Access
- Integrated SSL VPN capabilities for both managed and non-managed clients
- Simplified remote access for non-Windows, down-level, or non-trusted endpoints
- DirectAccess in Microsoft Windows Server 2008 R2, together with Forefront Unified Access Gateway (UAG) 2010, enables more secure, seamless, always-on access to messaging and applications from Microsoft Windows 7 clients
- UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure
(Diagram: mobile, partner (non-managed), home/kiosk and managed employee clients reach the data center/corporate network over the Internet via Layer 3 VPN, HTTPS (443) or DirectAccess; UAG applies authentication and policy (SmartCard, RADIUS, LDAP) in front of Terminal Services/Remote Desktop, Citrix, CRM, IBM, SAP, Oracle and non-web, legacy and down-level applications.)
DirectAccess
- Seamless access without VPN
- Always on
- Manage out
- Access policies
- Protected transactions
Consolidated Secure Portal
- Single point of entry to share and publish applications
- Locate applications without tracking site addresses
- Embed the Forefront UAG portal as a Web Part inside the enterprise portal
- Same user experience for remote users
- A remote user can be allowed access to corporate applications and shared folders without direct access to internal resources
- A business partner has limited access to the corporate network; UAG allows access only to those applications for which users have permissions
Policy-Based Granular Access
- Out-of-the-box support for more than 70 variables of detection, including antivirus, anti-malware, and personal firewall
- Easy-to-configure graphical interface to simplify management of endpoint detection policies
- Extended GUI for manual editing of policies
- Uses Windows Shell Scripting to create any policy and inspect for any client-side variable
- Example: e-mail attachment forwarding
Network Access Protection
- Health state validation against the health requirement policies
- Health policy compliance with health requirement policies
- Limited access for non-compliant computers until the updates and configuration changes are complete

Flow:
1. The remote user sends a request to access the corporate network.
2. UAG verifies the endpoint against the NAP policy held on the policy servers (health policies, e.g. patch level, AV signature version).
3. If the endpoint complies (policy compliant), it is allowed access to the corporate network.
4. If the endpoint does not comply (not policy compliant), it is redirected to the restricted network and its remediation servers (e.g. WSUS) for updates.
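The health check in step 2 and the allow/redirect decision in steps 3 and 4, as an added illustration (not Microsoft NAP or UAG code): policy thresholds, remediation targets and the three endpoint statements of health are constructed for this example; the check names follow the slide.

```python
"""Endpoint health evaluation against a NAP-style health requirement policy."""
from datetime import date

# Assumed health requirement policy (constructed values for this example).
HEALTH_POLICY = {
    "min_patch_level": (6, 1, 7600, 20),   # constructed build/patch tuple
    "min_av_signature": (1, 75, 800),      # constructed AV signature version
    "max_av_signature_age_days": 3,
    "firewall_required": True,
}
REMEDIATION = {  # restricted-network server a non-compliant client is steered to
    "patch_level": "WSUS",
    "av_signature": "AV signature update server",
    "firewall": "firewall configuration via policy",
}

def parse_version(text):
    """'1.75.800' -> (1, 75, 800); a non-numeric part raises instead of guessing."""
    return tuple(int(part) for part in text.strip().split("."))

def evaluate_health(soh, policy=HEALTH_POLICY, today=date(2010, 3, 24)):
    """Return (decision, failed_checks) for one statement of health (soh)."""
    failures = []
    if parse_version(soh["patch_level"]) < policy["min_patch_level"]:
        failures.append("patch_level")
    sig_current = parse_version(soh["av_signature"]) >= policy["min_av_signature"]
    sig_age = (today - date.fromisoformat(soh["av_signature_date"])).days
    if not sig_current or sig_age > policy["max_av_signature_age_days"]:
        failures.append("av_signature")
    # A missing firewall claim counts as non-compliant, never as compliant.
    if policy["firewall_required"] and not soh.get("firewall_enabled", False):
        failures.append("firewall")
    if not failures:
        return "corporate_network", []
    return "restricted_network", failures

def remediation_plan(failed_checks):
    """Map each failed check to the remediation server on the restricted network."""
    return {check: REMEDIATION[check] for check in failed_checks}

# Constructed statements of health for three endpoints.
ENDPOINTS = {
    "managed-laptop": {"patch_level": "6.1.7600.20", "av_signature": "1.75.812",
                       "av_signature_date": "2010-03-23", "firewall_enabled": True},
    "stale-av": {"patch_level": "6.1.7600.20", "av_signature": "1.75.812",
                 "av_signature_date": "2010-03-10", "firewall_enabled": True},
    "kiosk": {"patch_level": "6.0.6001.18000", "av_signature": "1.70.100",
              "av_signature_date": "2010-03-23"},
}
```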
SIMPLIFY security, MANAGE compliance
Identity Management: User Provisioning
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronize all user information to different directories across the enterprise
- Automates the process of on-boarding users
(Diagram: the HR system feeds FIM; the user enrollment workflow obtains manager approval; FIM then provisions the user on all allowed systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.)
Identity Management: User De-provisioning
- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
(Diagram: the HR system triggers FIM and the de-provisioning workflow; the user is de-provisioned or disabled on all systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.)
Strong Authentication: Certificate Authority
- Increase access security beyond username-and-password solutions
- Streamline deployment by enrolling user and computer certificates without user intervention
- Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
- Enhance remote access security through certificates with Network Access Protection
- Stronger authentication through certificates for administrative access and management
(Diagram: an authentication request is sent by the HR system; a FIM policy triggers a request for FIM Certificate Management (CM) to issue a certificate or SmartCard; FIM CM requests certificate creation from Active Directory Certificate Services (AD CS), with user enrollment from AD; the certificate is issued to the user and written to either the machine or the smart card; the end user, presenting user ID and password plus the SmartCard, is then validated using multifactor authentication.)
Strong Authentication: SmartCard
- Secure and appropriate access to corporate resources by deploying and managing strong two-factor authentication, encryption, and signing services to users via certificates and smart cards
- Integrates the enterprise's heterogeneous identity infrastructure and strong authentication systems
- Strong authentication and authorization for remote access
- Differentiated access based on authentication method(s)
(Diagram: the end user provides two-factor authentication (SmartCard plus PIN) to Forefront UAG; AD DS validates the authentication credentials; the user is allowed access to the resources behind Forefront TMG, AD DS and third-party apps and gets access to the allowed applications. This is just an example of secure authentication for remote users; it also applies to internal users.)
Forefront Identity Manager 2010 Architecture
- Solutions: group management, user management, credential management, policy management, custom
- FIM client experiences: Outlook, Windows, custom
- FIM Service and Portal: FIM Service (delegation and permissions; AuthN, AuthZ and action workflows; app DB) and FIM Portal
- ILM Sync (sync DB, adapters) and ILM-CM (ILM-CM portal, request processor, ILM-CM DB, cert mgmt)
- Identity and data stores: directories, applications, databases, e-mail systems
Identity Synchronization and Consistency
Identity synchronization across multiple directories (identity data aggregation)
Attribute ownership: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone
Each connected system (HR system, LDAP, Active Directory/Exchange, SQL Server DB) holds its own givenname, sn, title, mail, employeeid and telephone values for the same person, and they disagree:
- Sammy Dearling, employeeid 008
- Samara Darling, employeeid 007
- Sam Dearing, Intern, employeeid 007
- Samantha Dearing, Coordinator, someone@example.com, employeeid 007, telephone 555-0129
FIM aggregates them into one record: givenname Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeid 007, telephone 555-0129.
Identity Synchronization and Consistency
Identity consistency across multiple directories (identity data brokering / convergence)
Attribute ownership: FirstName, LastName, EmployeeID, Title, E-Mail, Telephone
FIM holds the converged record (givenname Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeid 007, telephone 555-0129) and brokers it back to the HR system, SQL Server DB, Active Directory/Exchange and LDAP, whose records still read Samantha Dearing 007; Samara Darling, Coordinator, 007; Sam Dearing, Intern, someone@example.com, 007; and (LDAP) Sammy Dearling, 007, 555-0129.
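The aggregation and convergence on the two slides above, as an added example that is not FIM's sync engine: every attribute gets an ordered list of owning sources, the aggregated record takes each attribute from the first owner that has a value, and the convergence step reports what each system still has to change. The records are constructed from the slide's sample values; the owner assignment is an assumption, since the slide names the attributes but not every owner.

```python
"""Attribute-precedence merge of one identity across connected directories."""

# Assumed precedence: HR owns name, id and title; AD/Exchange owns mail;
# LDAP owns telephone, with HR as fallback when LDAP has no value.
PRECEDENCE = {
    "givenname": ["HR System"], "sn": ["HR System"], "employeeid": ["HR System"],
    "title": ["HR System"], "mail": ["Active Directory/Exchange"],
    "telephone": ["LDAP", "HR System"],
}
SOURCES = {  # constructed connected-directory records, keyed by employeeid
    "HR System": {"007": {"givenname": "Samantha", "sn": "Dearing", "title": "Coordinator",
                          "employeeid": "007", "telephone": "555-0129"}},
    "Active Directory/Exchange": {"007": {"givenname": "Samara", "sn": "Darling",
                                          "employeeid": "007", "mail": "someone@example.com"}},
    "SQL Server DB": {"007": {"givenname": "Sam", "sn": "Dearing", "title": "Intern",
                              "employeeid": "007"}},
    "LDAP": {"008": {"givenname": "Sammy", "sn": "Dearling", "employeeid": "008"}},
}

def aggregate(employeeid, sources=SOURCES, precedence=PRECEDENCE):
    """Build the single aggregated record by attribute precedence."""
    merged = {}
    for attr, owners in precedence.items():
        for owner in owners:
            value = sources[owner].get(employeeid, {}).get(attr)
            if value:  # the first owner holding a non-empty value wins
                merged[attr] = value
                break
    return merged

def convergence_changes(employeeid, sources=SOURCES, precedence=PRECEDENCE):
    """Per system, the attributes that differ from the aggregated record.
    A system with no record joined on employeeid (here LDAP, which only
    knows 008) is reported as unjoined rather than silently written to."""
    merged = aggregate(employeeid, sources, precedence)
    changes, unjoined = {}, []
    for system, records in sources.items():
        if employeeid not in records:
            unjoined.append(system)
            continue
        diff = {a: v for a, v in merged.items() if records[employeeid].get(a) != v}
        if diff:
            changes[system] = diff
    return merged, changes, unjoined
```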
Group Management
- Self-service group and distribution list management with the FIM 2010 Web portal
- Office integration allows users to manage group membership from within Microsoft Office Outlook for maximum productivity
- Enables users to use Outlook to manage approvals while they are offline
- Automatically adds users to either group based on their employee type at the time they are provisioned to Active Directory
- Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on users' attributes
(Screenshots: FIM Add-in for Outlook; SharePoint-based management console)
Advanced Group Management
- Integrates with Exchange and Outlook
- Manages distribution and security groups
- Self-service group management
- Criteria-based group membership
- Integrated approval
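The provisioning and de-provisioning workflow from the identity management slides and the criteria-based group membership from the two group management slides, as one added example that is not FIM 2010 code: an HR record is provisioned to the allowed systems only after manager approval, group membership is calculated from the employee type and recalculated when it changes, and de-provisioning disables the account on every system and drops every membership. The target systems follow the slide diagram; the group names and criteria are assumed.

```python
"""Approval-gated provisioning, criteria-based groups and full de-provisioning."""

TARGET_SYSTEMS = ("Active Directory", "Lotus Domino", "LDAP", "SQL Server", "Oracle DB")

# Criteria-based groups: membership is a predicate over user attributes (assumed).
GROUP_CRITERIA = {
    "All-Staff":    lambda u: u["employeetype"] in ("FTE", "Contractor"),
    "FTE-Benefits": lambda u: u["employeetype"] == "FTE",
    "Contractors":  lambda u: u["employeetype"] == "Contractor",
}

class IdentityStore:
    def __init__(self):
        self.accounts = {s: {} for s in TARGET_SYSTEMS}  # system -> {employeeid: enabled}
        self.groups = {g: set() for g in GROUP_CRITERIA}

    def calculated_groups(self, user):
        return {g for g, matches in GROUP_CRITERIA.items() if matches(user)}

    def provision(self, user, allowed_systems, manager_approved):
        """Manager approval first; then accounts on allowed systems only; then groups."""
        if not manager_approved:
            return "pending approval"
        unknown = set(allowed_systems) - set(TARGET_SYSTEMS)
        if unknown:  # refuse rather than provision to a system with no connector
            raise ValueError(f"no connector for {sorted(unknown)}")
        for system in allowed_systems:
            self.accounts[system][user["employeeid"]] = True
        self.recalculate_groups(user)
        return "provisioned"

    def recalculate_groups(self, user):
        """Dynamic membership: join groups now matched, leave groups no longer matched."""
        wanted = self.calculated_groups(user)
        for name, members in self.groups.items():
            if name in wanted:
                members.add(user["employeeid"])
            else:
                members.discard(user["employeeid"])
        return wanted

    def deprovision(self, employeeid):
        """Disable on every system holding the account and remove all memberships."""
        for accounts in self.accounts.values():
            if employeeid in accounts:
                accounts[employeeid] = False
        for members in self.groups.values():
            members.discard(employeeid)
        return self.active_systems(employeeid)  # [] means nothing is left enabled

    def active_systems(self, employeeid):
        return sorted(s for s, a in self.accounts.items() if a.get(employeeid))
```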
My portal in FIM
Approval in Outlook
Workflow: create user
Workflow Management
- Enables IT to quickly define, automate, and enforce identity management policies
- IT can use the integrated workflow in the approval/rejection process
- Automatic notifications for request approvals or rejections
Management Policy Rules
- SharePoint-based console for policy authoring, enforcement, and auditing
- Create rules governing users and groups using easy-to-use menu-driven controls
- Helps organizations integrate policies across the enterprise
Self-Service Password Management
- Enables users to reset their own passwords through both Windows logon and the FIM password reset portal
- Controls help desk costs by enabling end users to manage certain parts of their own identities
- Improves security and compliance with minimal errors while managing multiple identities and passwords
(Diagram: the end user requests a password reset from the Windows logon, where FIM capabilities are integrated; the FIM server randomly selects a number of questions; after the reset, passwords are updated on Active Directory, Oracle, SQL Server, IBM DS and LDAP.)
Manage Compliance
Active Directory Federation Services
Policy and identity management:
- Enterprise policy enforcement for external partners and vendors to prevent unauthorized access
- Granular authorization policy enables IT to define what parts of an application a user has access to based on identity, role, endpoint profile, and device compliance (health state)
- Maintains identity across multiple systems in the enterprise
- Offers real-time / automated off-boarding of users to prevent unauthorized access to information
- Stores information on requests, approvals, and other identity management tasks
- Centralized reporting and alerting with the UAG management console
- Endpoint integrity checking through Network Access Protection and UAG
- Post-session endpoint cache cleanup to help prevent information leaks
Forefront Identity Manager
Powerful self-service capabilities and automation for IT professionals
Comprehensive protection, integrated security, simplified management:
- Strong authentication
- User provisioning
- Identity synchronization
- Extensible workflows
- Password synchronization across heterogeneous systems
- Self-service management
- Credential lifecycle management
- Identity and access management via SharePoint Server
More information
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.