Identity and Access Management: Overview


1 Identity and Access Management: Overview
Rafal Lukawiecki Strategic Consultant, Project Botticelli Ltd Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.

2 Objectives
- Build a good conceptual background to enable later technical discussions of the subject
- Overview the problems and opportunities in the field of identity and access management
- Introduce terminology
- Highlight a possible future direction

3 Session Agenda
- Identity Problem of Today
- Identity Laws and Metasystem
- Components and Terminology
- Roadmap

4 Identity Problem of Today

5 Universal Identity?
- The Internet was built so that communications are anonymous
- In-house networks use multiple, often mutually incompatible, proprietary identity systems
- Users are incapable of handling multiple identities
- Criminals love to exploit this mess

6 Explosion of IDs
(Chart: number of digital IDs rising over time, from the mainframe before the 1980s through client/server in the 1980s and applications and the Internet in the 1990s to business automation and mobility in the 2000s; identities spread from the company (B2E) to partners (B2B) and customers (B2C).)

7 The Disconnected Reality
(Diagram: an HR system, NOS, Lotus Notes apps, enterprise directory, infrastructure application, COTS application and two in-house applications, each carrying its own authentication, authorization and identity data.)
"Identity Chaos":
- Lots of users and systems required to do business
- Multiple repositories of identity information; multiple user IDs, multiple passwords
- Decentralized management, ad hoc data sharing

8 Multiple Contexts
(Diagram: your company and your employees at the centre, surrounded by your suppliers, your customers, your partners, and your remote and virtual employees.)
Drivers: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce

9 Trends Impacting Identity
- Rising tide of regulation and compliance: SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …; $15.5 billion spend in 2005 on compliance (analyst estimate)
- Deeper line-of-business automation and integration: one half of all enterprises have SOA under development; Web services spending growing at 45% CAGR
- Increasing threat landscape: identity theft costs banks and credit card issuers $1.2 billion in one year; $250 billion lost in 2004 from exposure of confidential information
Speaker notes: AMR Research: $15.5 billion will be spent on compliance programs in 2005. Sarbanes-Oxley (SOX) accounts for 40%, or $6.2 billion; Health Insurance Portability and Accountability Act (HIPAA) spending is expected to exceed $3.7 billion and account for 24% of total spending. Spending for compliance is shifting from people to software: to date the majority of the compliance budget (2/3) has gone to auditors, but companies are looking to change the mix towards software in the hope of lowering their overall compliance budgets. 50% of enterprises have SOA under development or will begin a project within the next 12 months. The DOJ estimates corporations lost $250 billion as a result of loss of confidential information. According to research by SafeNet, Inc., 47% of enterprise users have 5 or more passwords to remember and 23% have 9 or more; 45% of users have to change their passwords 5 or more times per year and 30% have to change them 7 or more times per year. Immediate ROI for deploying SSO solutions: the US Postal Service average user had to remember passwords to do their job; after deploying an SSO solution they experienced an 80% reduction in password-related help desk calls, from 30,000 to 5,000 per month. Maintenance costs dominate the IT budget: on average employees need access to 16 apps and systems, and companies spend $20-30 per user per year on password resets. Data sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice.

10 Pain Points
- IT Admin: too many user stores and account admin requests; unsafe sync scripts
- Developer: redundant code in each app; rework code too often
- End User: too many passwords; long waits for access to apps and resources
- Security/Compliance: too many orphaned accounts; limited auditing ability
- Business Owner: too expensive to reach new partners and channels; need for control

11 Possible Savings
- Directory Synchronization: "Improved updating of user data: $185 per user/year"; "Improved list management: $800 per list" (Giga Information Group)
- Password Management: "Password reset costs range from $51 (best case) to $147 (worst case) for labor alone." (Gartner)
- User Provisioning: "Improved IT efficiency: $70,000 per year per 1,000 managed users"; "Reduced help desk costs: $75 per user per year"

12 Can We Just Ignore It All?
- Today, the average corporate user spends 16 minutes a day logging on
- A typical home user maintains identities
- The number of phishing and pharming sites grew over 1600% over the past year
- Corporate IT operations manage an average of 73 applications and 46 suppliers, often with individual directories
- Regulators are becoming stricter about compliance and auditing
- Orphaned accounts and identities lead to security problems
Source: Microsoft's internal research and the Anti-Phishing Working Group, Feb 2005

13 One or Two Solutions?
- Better option: build a global, universal, federated identity metasystem. Will take years…
- Quicker option: build an in-house, federated identity metasystem based on standards, then federate it to others, system by system
- But: both solutions could share the same conceptual basis

14 Identity Laws and Metasystem

15 Lessons from Passport
Passport was designed to solve two problems:
- Identity provider for MSN: 250M+ users, 1 billion logons per day. A significant success.
- Identity provider for the Internet: unsuccessful. It was not trusted "outside context", not generic enough, meant giving up control over identity management, and applications cannot be rewritten to use a central system.
Learning: the solution must be different from Passport.

16 Idea of an Identity Metasystem
- Not an identity system: an agreement on metadata and protocols, allowing multiple identity providers and brokers
- Based on open standards
- Supported by multiple technologies and platforms
- Adhering to the Laws of Identity
- With full respect of privacy needs

17 Roles Within Identity Metasystem
- Identity Providers: organisations, governments, even end-users. They provide identity claims about a subject: name, vehicles allowed to drive, age, etc.
- Relying Parties: online services or sites, doors, etc.
- Subjects: individuals and other bodies that need their identity established

18 Metasystem Players
- Identity Providers: issue identities
- Relying Parties: require identities
- Subjects: individuals and other entities about whom claims are made

19 Identity Metasystem Today
- Basically, the set of WS-* Security guidelines as we have it
- Plus software that implements the services: Microsoft and many others are working on it
- Companies that would use it: still to come, but early adopters exist
- End-users that would trust it: will take time

20 Identity Laws (www.identityblog.com)
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts

21 Enterprise Applicability
- The proposed metasystem would work well inside a corporation
- Of course, we need a solution before it becomes a reality
- Following the principles seems a good idea while planning immediate solutions
- Organic growth is likely to lead to an identity metasystem in the long term

22 Enterprise Trends
- Kerberos is very useful, but increasingly it does not span disconnected identity forests and technologies easily
- We are moving away from static groups and traditional ACLs, which are increasingly limited and difficult to manage at large scale, towards a dynamic combination of role-based access management and rich claims authorization
- PKI is still too restrictive, but it is clearly a component of a possible solution
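The three roles on slides 17 and 18, the separation of authentication from authorization, and the move from static groups to claims-based authorization described on this slide can be shown end to end in one small exchange. The script below is an added example written for this page; it is not code from the presentation, from Microsoft, or from any WS-* implementation. The issuer names, subject records, policies and the use of HMAC-SHA256 with a key shared between the identity provider and the relying party (standing in for the XML signature a real security token would carry) are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Hypothetical identity provider: issues signed claims about subjects."""

    # Derived claims answer a question without disclosing the attribute
    # behind it ("over 18" rather than the age itself).
    DERIVED = {"over_18": lambda rec: rec["age"] >= 18}

    def __init__(self, issuer, key, subjects):
        self.issuer, self.key, self.subjects = issuer, key, subjects

    def issue(self, subject, audience, requested, ttl=300, now=None):
        now = int(time.time() if now is None else now)
        rec = self.subjects[subject]
        claims = {}
        for name in requested:  # minimal disclosure: only what was asked for
            if name in self.DERIVED:
                claims[name] = self.DERIVED[name](rec)
            elif name in rec:
                claims[name] = rec[name]
        body = {"iss": self.issuer, "sub": subject, "aud": audience,
                "iat": now, "exp": now + ttl, "claims": claims}
        payload = _b64url(json.dumps(body, sort_keys=True,
                                     separators=(",", ":")).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64url(sig)


class RelyingParty:
    """Hypothetical relying party: authorizes from claims, not group lists."""

    def __init__(self, name, trusted_issuers, policies):
        self.name = name
        self.trusted = trusted_issuers  # issuer -> verification key
        self.policies = policies        # action -> predicate over claims

    def verify(self, token, now=None):
        """Authentication: return the claims only if the token checks out."""
        now = time.time() if now is None else now
        payload, sig = token.split(".", 1)
        body = json.loads(_b64url_decode(payload))  # untrusted until verified
        key = self.trusted.get(body.get("iss"))
        if key is None:
            raise ValueError("issuer not trusted")  # justifiable parties
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("signature invalid")
        if body.get("aud") != self.name:
            raise ValueError("token directed at another party")  # directed identity
        if now >= body["exp"]:
            raise ValueError("token expired")
        return body["claims"]

    def authorize(self, token, action, now=None):
        """Authorization: a separate decision taken over verified claims."""
        try:
            claims = self.verify(token, now)
        except ValueError:
            return False
        rule = self.policies.get(action)
        return bool(rule and rule(claims))


# Constructed sample data (assumptions; not real people, keys or services).
IDP_KEY = b"shared-secret-between-idp-and-bar"
idp = IdentityProvider("https://idp.example", IDP_KEY, {
    "alice": {"name": "Alice", "age": 34, "licence_classes": ["B", "C"]},
    "bob": {"name": "Bob", "age": 16, "licence_classes": []},
})
rogue = IdentityProvider("https://rogue.example", b"rogue-key", {
    "alice": {"name": "Alice", "age": 99, "licence_classes": ["C"]},
})
bar = RelyingParty("bar.example", {"https://idp.example": IDP_KEY}, {
    "enter_bar": lambda c: c.get("over_18") is True,
    "drive_van": lambda c: "C" in c.get("licence_classes", []),
})


def demo(now=1_000_000):
    """Run the exchange and return each outcome keyed by scenario."""
    t_alice = idp.issue("alice", "bar.example", ["over_18", "licence_classes"], now=now)
    t_bob = idp.issue("bob", "bar.example", ["over_18"], now=now)
    t_shop = idp.issue("alice", "shop.example", ["over_18"], now=now)
    t_rogue = rogue.issue("alice", "bar.example", ["over_18"], now=now)
    spliced = t_bob.split(".")[0] + "." + t_alice.split(".")[1]  # payload swap
    return {
        "alice_enters": bar.authorize(t_alice, "enter_bar", now),
        "alice_drives": bar.authorize(t_alice, "drive_van", now),
        "bob_enters": bar.authorize(t_bob, "enter_bar", now),
        "age_not_disclosed": "age" not in bar.verify(t_alice, now),
        "wrong_audience": bar.authorize(t_shop, "enter_bar", now),
        "untrusted_issuer": bar.authorize(t_rogue, "enter_bar", now),
        "tampered": bar.authorize(spliced, "enter_bar", now),
        "expired": bar.authorize(t_alice, "enter_bar", now + 3600),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18} {outcome}")
```

The relying party makes four checks before it trusts anything in the token (issuer is one it chose to trust, signature verifies, token was directed at this party, token has not expired) and only then decides access from the claims, so an authorization rule such as "holds a class C licence" needs no group membership to be maintained. Because the bar asked for an over-18 claim rather than an age, it never learns how old Alice is, which is the minimal-disclosure law in practice.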

23 Components and Terminology

24 What is Identity Management?
Single Sign On; Password Management; Secure Remote Access; Federation; Role Management; Web Services Security; Provisioning; Auditing & Reporting; Directories; Authorization; Digital Rights Management; Strong Authentication; PKI

25 Identity and Access Management
A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials:
- Directory Services: repositories for storing and managing accounts, identity information, and security credentials
- Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
- Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance

26 Remember the Chaos?
(Diagram repeated from slide 7: the HR system, NOS, Lotus Notes apps, enterprise directory, infrastructure application, COTS application and two in-house applications, each with its own authentication, authorization and identity data.)

27 Identity Integration Server
(Diagram: the same systems as on slide 26, with a Student Admin system in place of the NOS. Each still holds its own authentication, authorization and identity data, but an Identity Integration Server now sits at the centre beside the Enterprise Directory, linking the systems' identity data.)

28 IAM Benefits
Benefits today (tactical):
- Save money and improve operational efficiency
- Improved time to deliver applications and services
- Enhanced security
- Regulatory compliance and audit
Benefits to take you forward (strategic):
- New ways of working
- Improved time to market
- Closer supplier, customer, partner and employee relationships

29 Some Basic Definitions
- Authentication (AuthN): verification of a subject's identity by relying on a provided claim
- Identification is sometimes seen as a preliminary step of authentication: the collection of (as yet untrusted) information about a subject, such as an identity claim
- Authorization (AuthZ): deciding what actions, rights or privileges the subject can be allowed
- Trend towards separation of those two, or even of all three if biometrics are used

30 Components of IAM
All built around reliable identity data:
- Administration: user management, password management, workflow, delegation
- Access Management: authentication, authorization
- Identity Management: account provisioning, account deprovisioning, synchronisation
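The identity management pieces on this slide (provisioning, deprovisioning, synchronisation) and the join that the Identity Integration Server on slide 27 performs both come down to reconciling an authoritative source against each connected directory. The script below is an added example written for this page, not MIIS code or anything from the presentation; the HR export, the directory attribute names (sAMAccountName, employeeID, displayName, department), the approved-accounts list and the one-way attribute flow are assumptions chosen to resemble a small Active Directory dump.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions): an HR export, which is the
# authoritative source of who works here, and a dump of directory accounts.
HR_FEED = [
    {"employee_id": "1001", "name": "Alice Example", "dept": "Finance", "status": "active"},
    {"employee_id": "1002", "name": "Bob Example", "dept": "IT", "status": "terminated"},
    {"employee_id": "1003", "name": "Carol Example", "dept": "Sales", "status": "active"},
    {"employee_id": "1004", "name": "Eve Example", "dept": "HR", "status": "terminated"},
]
DIRECTORY = [
    {"sAMAccountName": "alice", "employeeID": "1001", "displayName": "Alice Example",
     "department": "Accounts", "enabled": True},
    {"sAMAccountName": "bob", "employeeID": "1002", "displayName": "Bob Example",
     "department": "IT", "enabled": True},
    {"sAMAccountName": "eve", "employeeID": "1004", "displayName": "Eve Example",
     "department": "HR", "enabled": False},
    {"sAMAccountName": "dave", "employeeID": "9999", "displayName": "Dave Example",
     "department": "Sales", "enabled": True},
    {"sAMAccountName": "svc-old", "employeeID": "", "displayName": "Old Service",
     "department": "", "enabled": True},
    {"sAMAccountName": "svc-backup", "employeeID": "", "displayName": "Backup Service",
     "department": "IT", "enabled": True},
]
# Non-person accounts with a documented owner; everything else must map to HR.
APPROVED_NON_HR = frozenset({"svc-backup"})
# Attribute flow is one way, HR -> directory: HR has precedence, so a sync
# can never write a stale directory value back over the authoritative record.
ATTR_MAP = {"name": "displayName", "dept": "department"}


@dataclass
class Plan:
    create: list = field(default_factory=list)    # employee IDs needing accounts
    update: list = field(default_factory=list)    # (account, {attr: new value})
    disable: list = field(default_factory=list)   # leavers still enabled
    orphan: list = field(default_factory=list)    # accounts with no owner in HR


def reconcile(hr_feed, directory, approved=frozenset()):
    """Join HR (authoritative) to the directory on employee ID and plan actions."""
    hr_by_id = {r["employee_id"]: r for r in hr_feed}
    dir_by_id = {a["employeeID"]: a for a in directory if a["employeeID"]}
    plan = Plan()
    # Pass 1: every HR record drives exactly one account state.
    for emp_id, rec in sorted(hr_by_id.items()):
        acct = dir_by_id.get(emp_id)
        if rec["status"] != "active":
            if acct is not None and acct["enabled"]:
                plan.disable.append(acct["sAMAccountName"])
            continue
        if acct is None:
            plan.create.append(emp_id)
            continue
        changes = {dst: rec[src] for src, dst in ATTR_MAP.items()
                   if acct.get(dst) != rec[src]}
        if not acct["enabled"]:
            changes["enabled"] = True  # re-hire: HR says active again
        if changes:
            plan.update.append((acct["sAMAccountName"], changes))
    # Pass 2: any account that no HR record vouches for is orphaned.
    for acct in directory:
        name = acct["sAMAccountName"]
        if name not in approved and acct["employeeID"] not in hr_by_id:
            plan.orphan.append(name)
    return plan


if __name__ == "__main__":
    result = reconcile(HR_FEED, DIRECTORY, APPROVED_NON_HR)
    for action in ("create", "update", "disable", "orphan"):
        print(f"{action:8} {getattr(result, action)}")
```

The orphaned accounts that slides 10 and 12 list as a pain point fall out of the second pass: any enabled account that neither HR nor the approved list vouches for is reported, whether it carries a stale employee ID or none at all. The plan is kept separate from applying it so that disables can be reviewed, given a grace period and logged for audit before anything in the directory changes.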

31 IAM Architecture

32 Roadmap

33 Microsoft's Identity Management
(The slide arranges the products under three columns: Lifecycle Management, Directory (Store) Services and Access Management.)
Active Directory & ADAM; Active Directory Federation Services; Identity Integration Server; Extended Directory Services; Authorization Manager; BizTalk; PKI / CA; Enterprise Single Sign On; Audit Collection Services; Services for Unix / Services for Netware; ISA Server; SQL Server Reporting

34 Components of a Microsoft-based IAM
- Infrastructure Directory: Active Directory
- Application Directory: AD/AM (LDAP)
- Lifecycle Management: MIIS
- Workflow: BizTalk, partner solutions (Ultimus BPM, SAP)
- Role-Based Access Control: Authorization Manager or partner solutions (e.g. OCG, RSA) and traditional approaches
- Directory & Password Synchronization: MIIS & partner solutions
- SSO (Intranet): Kerberos/NTLM, Vintela/Centrify
- Enterprise SSO (Intranet): SharePoint ESSO, BizTalk ESSO, HIS ESSO
- Strong Authentication: smart cards, CA/PKI, partners (e.g. RSA SecurID, MCLMS, WizeKey)
- Web SSO: ADFS, partners (e.g. RSA ClearTrust)
- Integration of UNIX/Novell: SFU, SFN, partners (e.g. Vintela/Centrify)
- Federation: ADFS

35 Summary

36 Summary
- We have reached an "identity crisis" both on the intranet and on the Internet
- The Identity Metasystem suggests a unifying way forward
- Meanwhile, Identity and Access Management systems need to be built so enterprises can benefit immediately
- Microsoft is rapidly becoming a strong provider of IAM technologies and IM vision

37 Special Thanks
This seminar was prepared with the help of:
- Oxford Computer Group Ltd: expertise in Identity and Access Management (Microsoft Partner); IT service delivery and training
- Microsoft, with special thanks to: Daniel Meyer (thanks for many slides); Steven Adler, Ronny Bjones, Olga Londer (planning and reviewing); Philippe Lemmens, Detlef Eckert (sponsorship); Bas Paumen & NGN (feedback)

