Identity and Access Management Strategy and Solution
Agenda Business Needs Microsoft’s Strategy Customer Scenarios Solution Accelerators IdM Roadmap Next Steps
Business Needs ExtendedEnterprise Integrate Partners in Supply Chain Integrate Partners in Supply Chain Connect with Customers Connect with Customers Empower the information workers Empower the information workers Improve Security Reduce number of userid/password Reduce number of userid/password Reduce De-provisioning risks Reduce De-provisioning risks Enforce policies and improve audit capability Enforce policies and improve audit capability Regulatory Compliance HIPAA HIPAA Sarbanes Oxley Act Sarbanes Oxley Act Gramm-Leach-Bliley Gramm-Leach-Bliley Reduce Operational Costs Provide self-service capability Provide self-service capability Decrease IT Security and Management Costs Decrease IT Security and Management Costs Lower application development costs Lower application development costs
Consider the facts Too Many User Repositories Enterprises have 68 internal and 12 external account stores 75% of internal users and 38% of external users are in multiple stores Inefficient Account Provisioning/De-Provisioning User management consumes 34% of the total time IT spends on IdM Users gets provisioned in 16 systems and de-provisioned in 10. Impact on User Productivity On average IT is managing access to 73 unique applications requiring user access. Average user spends 16 minutes a day for logins SSO increases user productivity by 15% and efficiency by 18% Increasing IT Operational costs 45% of all help desk calls are for p/w resets 15% of users will call help desk for p/w reset Organisations are managing on average 46 suppliers, spending over 1380 hours managing changes to access privilege. Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002, MSFT Internal
IAM Adoption Drivers Reduce Identity Related Operational Costs Reduce help desk costs for user management and password resets Reduce cost of provisioning and de-provisioning customers Reduce the cost of managing multiple user-repositories E-Business Enablement Increase efficiency with supply chain with partner integration Improve customer experience Employee portal/personalisation Reduce Risk of Unauthorised Access Auditing and reporting Rapid revocation of access Enforcement of security and privacy policy across the enterprise Comply with Regulatory Compliances Sarbannes-Oxley Act GLB Act HIPAA
IAM Solution Requirements Directory Services Brings multiple data stores together to form a single digital identity. It includes security and profile information. Provisioning How identities are created, modified and retired using taking advantage of user information in the directory infrastructure. Authentication Proving an identity to a network application or resource. This includes user-id/password log-ons and public key certificates. Authorisation Determine the entitlements of the digital identity once it is authorised for access and action performance. Privacy Provide precise control of access rights and privileges, digital information is secured and privacy is protected. Applications Ultimate consumers of digital identity and the enforcers of the entitlements derived from the identity. Active Directory & Microsoft Identity Integration Server Security Services in Windows Server 2003 Role Based Access Control in Windows Server 2003 Active Directory & Microsoft Identity Integration Server Microsoft Applications
Key Solution Scenarios Business to Enterprise Business to Business Business to Consumer Required level of authorisation security Elimination of multiple sign-ins for all client platforms Synchronisation of digital identity across multiple platforms Application integration and business process automation across multiple platforms Access to host based systems and management of digital assets located on other platforms Secure management of information assets Active Directory MIIS Biztalk Server 2004 Host Integration Server Unix, Netware & Mac Services Establish and maintain trust between separate but trusted business partners Federate systems with a single trust relationship to provide a seamless authentication and authorisation experience Active Directory Windows Server 2003 Oblix and OpenNetwork partner products Extend information systems and applications to consumer Outsource consumer authorisation tasks but still maintain control of authorisation Integration with a system or platform that is not supported by a Microsoft product Active Directory Windows Server 2003 Microsoft.NET Passport Oblix and OpenNetwork
Microsoft IAM Architecture AD/AM Web apps.NET Passport Web users Users Windows based Infrastructure Directory Services Opportunity Active Directory Sale: Required level of authorisation security Extend information systems and applications to consumer Outsource consumer authorisation tasks but still maintain control of authorisation
Microsoft IAM Architecture AD/AM Web apps.NET Passport Web users Windows based Infrastructure Multi-Platform Integration Opportunity BizTalk/HIS/Platform Services Synchronisation of digital identity across multiple platforms Application integration and business process automation across multiple platforms Access to host based systems and management of digital assets located on other platforms LegacySystems Novell Unix/Linux BizTalkHISSFU/SFN Users
Microsoft IAM Architecture AD/AM Web apps.NET Passport Web users Windows based Infrastructure Role/Workflow Opportunity MIIS/Trusted Partner Sale: Elimination of multiple sign-ins for all client platforms Establish and maintain trust between separate but trusted business partners Federate systems with a single trust relationship to provide a seamless authentication and authorisation experience Integration with a system or platform that is not supported by a Microsoft product XML iPlanet Databases XML iPlanet Databases NT Domains Novell Lotus Others MIIS Users
Microsoft IAM Product Mapping Directory Services Access Management Authentication Authorization Provisioning Identity Interoperability Account Provisioning Password Management Application Provisioning/Workflow Policy Management Password Synchronization Web Single Sign On Privacy -Active Directory -MIIS -Windows Server -MIIS -BizTalk -Group Policy -MIIS -Partners -Windows Rights Management
Consulting Opportunity Willingness to Use Non-Product Vendor Consulting On a scale of 1 to 5, where 1 is low willingness and 5 is high willingness Key Takeaways Participants are most willing to use non- product vendor consulting for assessment capabilities, followed by design capabilities Assess Design Staff Augmentation Implementation Post—Implementation Support Source: 2002 Gartner IAM Final Report 21 Executive Interviews with: Large Enterprises (over 5000 employees) 3 Verticals (Financial, Healthcare and Manufacturing)
Opportunity Summary Provisioning Applications with Education and Service Gartner study showed that enterprises span a continuum in understanding and implementation of IAM enterprise solutions, associated best practices, and relative ROIs Service providers (SPs) that can assist enterprises to architect and implement the IAM “solution road map” and help prioritise and assemble the puzzle pieces offer a great value proposition Role-based provisioning Workflow Directory strategies Vendors who can assemble the full solution suite will become market leaders User provisioning solutions will perform all user account and privilege management functionality for both internal and external users for web and non-web applications EAM solutions will perform the real-time enforcement of privileges for the user SPs need to help their clients understand the business value of implementing these EAM solutions: increasing end user productivity, increase focus on business process, and decrease focus on cumbersome IT processes Source: 2002 Gartner IAM Final Report
IdM Solution Accelerator Planning and Implementation Guide Scenarios – Implementation focus Identity aggregation and integrity (multi-systems) Provisioning and de-provisioning Web portal self-provisioning Delegated administration Web SSO SAP integration UNIX workstation Kerberos integration Technologies Directory Certificate Authority Kerberos (Windows and UNIX) 3 rd party Web Single Sign On (OpenNetwork, Oblix)
MS QuickStart Program: Overview
Program Goal Rapidly move customers through evaluation and early planning into product purchase and end-to-end implementation services Deploy Microsoft software faster Integrate sales and services Predictable partner engagement
MS QuickStart Program Suite of packaged consulting offerings Powerful combination of 3 elements: 1.Service packaging Fixed price, length, scope simplifies sale High value start leads to larger sales 2.Microsoft service delivered by partners Microsoft best practices and involvement Subject matter expert partners prime 3.Detailed, prescriptive content Deliver higher value at lower risk Allows more customer face time
Customer Solution Roadmap Evaluate Phase Pre-sales coordination of sales and services Microsoft Solutions Framework Common Disciplines & Shared Focus Microsoft Operations Framework Plan Build Deploy Operate Customer ready implementation roadmap Implement Phase MSF / MOF MS QuickStart Plan services accelerate implementation
MS QuickStart Evaluate Phase Goal: Convince customer to purchase product and consulting to deploy Support the Server Solutions Campaign Use one or more offerings as needed: Idm Briefing Architecture Design Session Proof of Concept Workshop Technical environment and business needs mapped to MS solution
Customer Value Focused and timely delivery Rigorous schedule avoids scope creep Low cost, high value starting point Predictable results Well-documented deliverables help customer champion solution internally Risk assessment flags costly obstacles early Best practices Experience from many other customers Early planning decisions greatly impact later deployment
Partner Value Easy to sell entry-point services Leverage Microsoft brand and IP Coordinate with MS sales Profitable engagements Low cost of sale Detailed materials lower cost of delivery Good margins in fixed price Demonstrate value High value, low risk entry-point service Up sell customer on larger engagement
Microsoft Value MS QuickStart speeds deployments Customer satisfaction = license renewal Predictable way to engage partners Defined expectations and results Joint selling opportunities Clear role for MS Services Develop and package IP early in product lifecycle Support partners in delivery
Consultant Resource Kit Consultant Delivery Guide How to structure the engagement Deliverable Template Starting point for customer deliverable Pre-written text key to timely delivery Consultant Template Guide Topic-by-topic guide matching deliverable template Consultant guide, examples, and resources Resource Planning Guide Team members and meeting schedule Training Video of lead author explaining how to deliver
Microsoft IAM Roadmap Longhorn Wave MIIS 3.0 Active Directory Application Mode 2004 XML Web Services Specifications Jupiter TrustBridge 2003
Summary Identity management essential part of business strategy Highly leveraged – simultaneously increase security and productivity while reducing costs Competitive advantage - quickly enable new scenarios, business opportunities Microsoft and partners deliver complete solution Get more from investment in Active Directory Cross-platform capable
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.