Strong Authentication with Identity Lifecycle Manager
John Weigelt, National Technology Officer, Microsoft Canada
Hugh Lindley, VP, Identity Assurance, Avaleris Inc.

Identity at the Center

IDA Challenges
Four areas: Security, Business Enablement, Operational Efficiency, Compliance
- Ensuring that only authorized users get network access
- Protecting confidential information from improper distribution
- Freeing up IT resources to focus on high business-value work
- Creating new ways to connect with customers & partners
- Provisioning in accordance with company policies
- Establishing auditable processes for granting access rights
- Automating, reducing and simplifying manual processes
- Reducing the complexity of managing many identity stores

Microsoft's IDA Offerings
- IDA Management: Identity Lifecycle Manager
- Extensibility: 20+ Connectors, WS-*
- Platform Components: Workflow Foundation
- Windows Services: Active Directory Domain & Directory Services, Active Directory Federation Services, Rights Management Services, Certificate Services
- User and Developer Experiences: Microsoft Office, Windows, Web Sites, .Net & Visual Studio

Microsoft Solution Focus Areas
Focused on 5 Solution Areas:
- Directory Services
- Strong Authentication
- Federated Identity/SSO
- Information Protection
- Identity Lifecycle Mgmt
(Shown over the same layered stack as the previous slide: Identity Lifecycle Manager for IDA Management; Extensibility with 20+ Connectors and WS-*; Workflow Foundation as platform component; the Windows Services of Active Directory Domain & Directory Services, Active Directory Federation Services, Rights Management Services and Certificate Services; and the User and Developer Experiences of Microsoft Office, Windows, Web Sites, .Net & Visual Studio.)

Identity Lifecycle Manager
- Previously: MIIS; CLM Beta
- Today: Microsoft Identity Lifecycle Manager 2007 (Metadirectory, Certificate Management, User Provisioning)
- H 2008: ILM "2" (User Management, Access Management, Credential Management) on a Common Platform (Connectors, Delegation, Workflow, Web Service API, Logging, Policy Management)
- Empowers People; IT Control with Less Effort; Increases Operational Efficiency

Microsoft ILM 2007
Brings together metadirectory, certificate & smart card lifecycle management, and user provisioning across Windows and enterprise systems into a single packaged offering.
User Provisioning
- Automates the process of on-boarding and off-boarding users
- Simplifies compliance through automated IDA enforcement
- Enforces consistent credentials across systems
Certificate and Smart Card Management
- Reduces cost of managing certificate-based credentials
- Automates workflow-driven certificate issuance and revocation
- Vastly simplifies deployment of smart cards
Identity Synchronization
- Provides single view of a user across enterprise systems
- Automatically keeps identity information across systems consistent

Partner Title
Hugh Lindley, CISSP, VP, Identity Assurance, Avaleris Inc., (613) ext 235

About Avaleris
Company Profile
- Microsoft Identity & Access (IDA) Systems Integration Partner
- Global provider of Identity Assurance professional services & solutions
- Incorporated by founders of Alacris, the original developer of idNexus, predecessor to Microsoft Certificate Lifecycle Manager (CLM); acquired by Microsoft in late now integrated with Microsoft ILM 2007
- Successfully deployed in over 25 global clients in North America & Europe
Value Avaleris Provides
- Heritage of client success & proven solution approach in Identity Assurance
- Understanding of the management & implementation challenges
- Depth of technical expertise in Microsoft IDA products

Agenda
- The business case for Multi-Factor Authentication
- Typical ILM 2007 deployment scenarios
- Smart card deployment scenario walkthrough
- ILM 2007 demonstration
- Share best practices & lessons learned
- Identify additional resources

Business Drivers
Canada: GSP and MITS; Federal Accountability Act; PIPEDA, FIPA, MFIPPA; Bill ICOFR
International: HSPD-12 / FIPS 201; Sarbanes-Oxley; HIPAA; Gramm-Leach-Bliley; Basel II; EU Data Protection Directive; EU Qualified Certificates & Signatures; FFIEC
Regulatory Compliance
- Security and Risk Management
- Privacy and Information Protection
- Auditability and Accountability
Increased IT Security & Operational Efficiencies
- Effective deployment and lifecycle management of MFA
- Simplifying user authentication
- Increased efficiency of helpdesk staff

Implementation Challenges
- Lifecycle management of smart cards and certificates
- Smart card personalization and customization
- Dealing with lost, stolen or forgotten smart cards
- Deployment of smart card middleware
- Multi-channel authentication
- Alignment of management and security practices
- High number of distributed sites and locations
- Leveraging existing IT infrastructure
- Integration with other IDA solution components
- Minimizing help-desk workload

ILM 2007 Functionality
Smart Card / Certificate Lifecycle Management
- Single administration point for digital certificates and smart cards
- Configurable policy-based workflows for common tasks:
  - Enroll / renew / update
  - Recover / card replacement
  - Revoke
  - Retire / disable smart card
  - Issue temporary / duplicate smart card
  - Personalize smart card
- Detailed auditing and reporting
- Support for centralized, decentralized and self-service scenarios
- Tightly integrated with Active Directory

Smart Cards in the Public Sector
U.S. Federal Government
- HSPD-12 / FIPS issued fall of 2004
- Goal: establish a common identification standard for all federal government employees and contractors
- Personal Identity Verification (PIV) I (Oct 2005): identity validation & credential issuance process
- Personal Identity Verification (PIV) II (Oct 2006): ability to issue FIPS 201 compliant smart cards
- Most departments / agencies have met initial FIPS 201 milestones and are working towards production implementations
- Growing interest in broader public & private sectors

Deployment Scenarios
- Smart Card Authentication
- Secure (S/MIME)
- Secure Remote Access (VPN)
- Wireless LAN Authentication
- File and Hard Drive Encryption
- Secure Web Applications
- Distributed Certificate Enrollment
- Document Signing

Smart Card Deployment
Requirement:
- Two-factor authentication
- Smart card based network login
- Verification of Employee ID before card issuance
- Address smart card management issues
- 100's to 10,000's of users

Smart Card Deployment
Deployment Considerations:
1. Registration and Issuance Process
2. Choice of Smart Card Platform
3. Lifecycle Management of the Smart Cards
4. Middleware Deployment (if not Base CSP)

ILM 2007 Architecture
Physical Architecture: Microsoft CAs, SQL, AD, Microsoft Certificate Lifecycle Manager, End User
Component Architecture:
- Microsoft Certificate Authority with CLM Policy Module and CLM Exit Module
- CLM AD Integration
- CLM Web App on Internet Information Server
- Internet Explorer with CLM Browser Control
- Smart Card Middleware

Profile Templates
- A profile template includes one or more certificate templates managed as a single entity
- Can include templates issued from more than one CA
- Includes management policies for each task that might be performed (Enrollment, Recovery, etc.), each with its workflow, self-service setting and data collection
- Additional profile data included for smart card management (smart card information, if needed)
- Policy updates managed on a per-user basis by Active Directory (AD) groups
- Contains the information necessary to enforce policy across multiple certificates, users, and groups
- Stored in AD and available across the forest

Smart Card Deployment: management policies
Enroll, Duplicate, Online Update, Replace, Recover on Behalf, Renew, Reinstate, Disable, Retire, Temporary Cards, Unblock

Enroll Policy
Some questions to answer:
- What level of assurance are you trying to achieve?
- Are you giving the end-user the ability to self-service?
- Are you using enrollment agents?
- Are you collecting comments?
- How many approvals do you require?
- Who can initiate the request?
- Who can approve the request?
- What types of data will you be collecting?
- Are you using one-time secrets for registration?
- Are you printing smart cards or documentation during enrollment?
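As an added example (not ILM 2007 or CLM code, and not the product's API), a hypothetical Python model of the ideas from the Profile Templates and Enroll Policy slides: a management policy names the AD groups that may initiate and approve a request, how many distinct approvals it needs, and whether a one-time registration secret is collected before the task executes. Group and user names are constructed.

```python
# Hypothetical CLM-style management policy model (constructed, not the CLM API).
import secrets
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ManagementPolicy:
    name: str                      # task, e.g. "Enroll", "Recover", "Retire"
    initiators: frozenset          # AD groups allowed to start a request
    approvers: frozenset           # AD groups allowed to approve it
    approvals_required: int        # distinct approvals needed before execution
    one_time_secret: bool = False  # collect a registration secret at execution

@dataclass
class Request:
    policy: ManagementPolicy
    subject: str                   # user the certificate / card is for
    approvals: set = field(default_factory=set)
    secret: str = ""
    state: str = "pending"

def initiate(policy, subject, initiator_groups):
    """Start a request; only members of the policy's initiator groups may."""
    if not policy.initiators & initiator_groups:
        raise PermissionError(f"{policy.name}: initiator not permitted")
    req = Request(policy, subject)
    if policy.one_time_secret:
        req.secret = secrets.token_hex(4)   # handed to the user out of band
    return req

def approve(req, approver, approver_groups):
    """Record one approval; the same approver is counted only once."""
    if req.state != "pending":
        raise ValueError("request is not pending")
    if not req.policy.approvers & approver_groups:
        raise PermissionError(f"{req.policy.name}: approver not permitted")
    req.approvals.add(approver)
    if len(req.approvals) >= req.policy.approvals_required:
        req.state = "approved"
    return req.state

def execute(req, presented_secret=""):
    """Perform the task (issue / recover / retire) once fully approved."""
    if req.state != "approved":
        raise ValueError("request is not approved")
    if req.policy.one_time_secret and not secrets.compare_digest(presented_secret, req.secret):
        raise PermissionError("one-time secret mismatch")
    req.state = "executed"
    return req.state
```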

Enroll Policy

Demo: Smart Card Enrollment Policy and Smart Card Issuance

Benefits of ILM 2007 Approach
- Two Factor Authentication
- Reduced cost and complexity
- Flexible policy driven workflow model
- Integrated Identity Lifecycle Management (certs, SC, etc.)
- Supports a range of smart card platforms
- Less custom development effort required
- Leverages existing infrastructure

Lessons Learned
Business
- Proceed in a phased approach to realize success early
- Align issuance process with management and security policy
- Use risk assessments to identify high-sensitivity systems
- Determine your required level of assurance
- Map access control workflow and optimize where possible
Technical
- Understand the Smart Card Lifecycle Management challenge
- Map out optimal deployment scenario: Centralized / Decentralized / Self-Service
- Select a smart card & middleware strategy
- Deal with temporary card issuance
- Leverage existing infrastructure where practical

ILM 2007 Resources
Microsoft ILM 2007 Website: Datasheets, Whitepapers, Flash Demo
Avaleris Website: Identity Assurance Solutions, ILM 2007 Service Offerings, Whitepapers & technical information
Avaleris ILM 2007 Lunch & Learn Series
- Closer look at ILM 2007 within the context of your specific requirements
- Map out next steps towards ILM 2007: Proof of Concept, Pilot
- Contact an Avaleris representative for the schedule of upcoming sessions

Avaleris Contacts
Hugh Lindley, CISSP, VP, Identity Assurance, (613) ext 235
Anita Burwash, VP, Sales, (613) ext 221