Identity and Access Management
Paula Kiernan, Senior Consultant, Ward Solutions
Session Prerequisites
- Hands-on experience with Microsoft Windows Server, Windows management tools, and Active Directory
- Basic understanding of network security fundamentals
- Basic understanding of directory and security services used in heterogeneous computing environments
Level 200
Session Overview
- Overview of Identity and Access Management Concepts
- Identity Management
- Intranet Access Management
- Extranet Access Management
Overview of Identity and Access Management Concepts
Managing Digital Identities: What Are the Challenges?
Challenges to managing digital identities include:
- Multiple identity stores
- Intranet access management
- Extranet access management
What Is Identity and Access Management?
Identity and access management covers four areas:
- Identity Life Cycle Management
- Access Management
- Directory Services
- Application Integration
How Can Identity and Access Management Reduce Directory Management Effort?
Initiatives that reduce directory management effort include:
- Automating provisioning and deprovisioning
- Implementing identity aggregation and synchronization
- Establishing directory service and security standards
- Establishing software development and procurement standards
- Reducing TCO (total cost of ownership)
How Can Identity and Access Management Simplify the End User Experience?
Initiatives that simplify the end user experience include:
- Consolidating identity stores
- Improving password management
- Enabling SSO
- Improving access for employees, customers, and partners
How Can Identity and Access Management Increase Security?
Initiatives that increase security include:
- Establishing security and access policies
- Improving password management
- Strengthening authentication mechanisms
- Establishing a security audit policy
- Developing identity-aware applications
Understanding Identity and Access Management Technologies
Identity Life Cycle Management:
- Identity Integration
- Provisioning/Deprovisioning
- Delegated Administration
- Self-Service Administration
- Credential and Password Management
Access Management:
- Authentication
- Authorization
- Trust
- Security Auditing
Directory Services:
- Users, Attributes, Credentials, and Groups
- Active Directory
- Active Directory Application Mode (ADAM)
Identity Management
Managing Identities: What Are the Challenges?
Challenges related to managing multiple identity stores include:
- Management costs
- Employee productivity
- Security
- Customer service and supply chain integration
Understanding the Identity Life Cycle
1. New User: user ID creation, credential issuance, entitlements
2. Change User: promotions, transfers, entitlement changes
3. Help Desk: password reset, new entitlements
4. Retire User: delete accounts, remove entitlements
Managing Identity Integration
Approaches to managing identity integration among directory stores include:
- Manual administration
- Custom scripts
- Integration services
- Identity integration products
Understanding Identity Integration Products and Services
You can implement identity integration by using a number of identity integration products and services:
- Identity Integration Feature Pack
- Microsoft Identity Integration Server 2003
- Services for UNIX
- Services for NetWare
- Host Integration Server
- Active Directory Connector
- Active Directory to ADAM Synchronizer
Using the Identity Integration Feature Pack to Manage Identities
IIFP is a free product that provides connections to only the following directories and applications:
- Active Directory for Windows 2000 Server and later
- Active Directory Application Mode (ADAM)
- GAL (global address list) synchronization for Exchange 2000 Server and Exchange Server 2003
Using Microsoft Identity Integration Server to Manage Identities
MIIS 2003 provides the following set of features:
- Identity aggregation and synchronization
  - Support for over 20 repositories
  - Provides a single enterprise view of a user
  - Uses SQL Server as the information repository
- Account provisioning
  - Automated account creation/deletion
  - Group and distribution list management
  - Workflow
- Password management
Understanding Identity Integration Using MIIS
MIIS 2003:
- Synchronizes multiple repositories
- Agentless connection to other systems
- Attribute-level control
- Manages global address lists
- Automates group and DL (distribution list) management
Diagram: MIIS 2003 sits in the centre and holds the metaverse (MV). Each connected system (Intranet Active Directory, Sun ONE Directory, Extranet Active Directory, Lotus Notes) is attached through a management agent (MA) that feeds its own connector space (CS). Legend: CS = Connector Space, MA = Management Agent, MV = Metaverse.
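To make the MA / CS / MV relationship in the diagram concrete, here is an added toy model of the flow (illustration only, not MIIS code): each management agent imports into its own connector space, connector-space objects are joined to a metaverse object on an anchor attribute, and attribute flow into the metaverse follows a per-attribute precedence list. The anchor name "employeeID", the precedence lists and all records are constructed sample data.

```python
# Added illustration (not MIIS code): toy model of the slide's MA/CS/MV flow.
# MAs import into their connector spaces, CS objects join a metaverse object on
# an anchor, and attribute flow follows per-attribute precedence (sample data).
from dataclasses import dataclass, field
@dataclass
class ManagementAgent:
    name: str                                            # connected system
    connector_space: dict = field(default_factory=dict)  # anchor -> attributes
    def import_records(self, records):      # staging import into this MA's CS
        for rec in records:
            self.connector_space[rec["employeeID"]] = dict(rec)

class Metaverse:
    def __init__(self, precedence):
        self.precedence = precedence        # attribute -> [MA names, best first]
        self.objects = {}                   # anchor -> aggregated attributes

    def synchronize(self, agents):
        """Join CS objects to MV objects on employeeID; per attribute, the first
        MA in precedence order holding a non-empty value wins (empties fall through)."""
        for anchor in {a for ma in agents for a in ma.connector_space}:
            mv = self.objects.setdefault(anchor, {"employeeID": anchor, "sources": set()})
            by_ma = {ma.name: ma.connector_space[anchor]
                     for ma in agents if anchor in ma.connector_space}
            mv["sources"] |= set(by_ma)
            for attr, order in self.precedence.items():
                for ma_name in order:
                    if by_ma.get(ma_name, {}).get(attr):
                        mv[attr] = by_ma[ma_name][attr]
                        break
        return self.objects

    def provisioning_targets(self, anchor, agents):
        """Systems lacking this user, i.e. where export would provision an account."""
        return [ma.name for ma in agents if anchor not in ma.connector_space]

def run_sample():
    ad, sun = ManagementAgent("Intranet AD"), ManagementAgent("Sun ONE Directory")
    notes, extranet = ManagementAgent("Lotus Notes"), ManagementAgent("Extranet AD")
    ad.import_records([{"employeeID": "1001", "displayName": "Mary Smith",
                        "mail": "mary@corp.example", "title": ""}])
    sun.import_records([{"employeeID": "1001", "displayName": "M. Smith",
                         "mail": "", "title": "Manager"}])
    notes.import_records([{"employeeID": "1002", "displayName": "Bob Jones",
                           "mail": "bob@notes.example", "title": "User"}])
    agents = [ad, sun, notes, extranet]
    mv = Metaverse({"displayName": ["Intranet AD", "Sun ONE Directory", "Lotus Notes"],
                    "mail": ["Sun ONE Directory", "Intranet AD", "Lotus Notes"],
                    "title": ["Intranet AD", "Sun ONE Directory", "Lotus Notes"]})
    objects = mv.synchronize(agents)
    return objects, {a: mv.provisioning_targets(a, agents) for a in objects}
```

Running run_sample() shows the single enterprise view: Mary's title comes from Sun ONE because the Intranet AD value is empty, and the returned targets list the systems where provisioning would create her account.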
Implementing Account Provisioning
Typical ways of implementing account provisioning include:
- HR-driven provisioning
- Web-driven provisioning
- Complex workflow provisioning using Microsoft BizTalk Server 2004 orchestration
Managing Passwords
MIIS 2003 provides the ability to manage passwords through:
- Help desk reset
- Windows-initiated changes
- Web-initiated changes
- Other system-initiated changes through non-Microsoft software
Identity Management: Best Practices
- Define all business rules before implementation
- Determine service-level agreements
- Identify all existing systems or processes that might conflict with identity synchronization
- Train development and support staff
- Plan for custom code development
- Implement a disaster recovery plan and secure the MIIS service accounts
Intranet Access Management
Intranet Access Management: What Are the Challenges?
Common business challenges related to intranet access management include:
- No single sign-on capabilities
- A higher number of password reset requests
- Multiple, inconsistent approaches to security services
Approaches to Single Sign-on
Approaches to single sign-on, in order of preference, are:
1. Application integration with Windows security services
2. Platform integration with Windows directory and security services
3. Application integration with Windows directory services
4. Indirect integration through credential mapping
5. Synchronized accounts and passwords
Implementing Single Sign-on
Approaches to implementing single sign-on include:
- Desktop-integrated SSO
- Web SSO
- Credential mapping, or Enterprise SSO
Using Credential Manager
Credential Manager is used to save the user's credentials automatically and use them for future access to a resource. Credential Manager supports the following types of credentials:
- User name and password combinations
- X.509 digital certificates
- Microsoft Passport credentials
Understanding Windows Authorization Options
Windows Server 2003 supports a number of authorization mechanisms:
- The Windows access control list-based impersonation model
- Role-based authorization
- ASP.NET authorization
Understanding Windows Server 2003 Authorization Manager
Authorization Manager organizes users into various roles within the application. In the slide's diagram, the authorization policy store holds the role assignments (Mary = Manager, Bob = User); authorization is checked at the application server, which then grants role-based access to resources.
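An added illustration (not Authorization Manager code) of the shape the slide describes: operations are grouped into tasks, tasks into roles, roles are assigned to users, and the application server runs the access check on each request, recording every decision so the security-auditing slide later in the deck has something to report on. All operation, task, role and user names beyond Mary and Bob are constructed.

```python
# Added illustration (not Authorization Manager code): a toy policy store in the
# AzMan shape the slide describes. Operations group into tasks, tasks into roles,
# roles are assigned to users, and the application server runs the access check
# per request. All operation, task, role and user names are constructed.
from collections import namedtuple
Decision = namedtuple("Decision", "user operation role allowed")

class PolicyStore:
    def __init__(self, operations, tasks, roles, assignments):
        self.operations = operations    # operation name -> numeric id
        self.tasks = tasks              # task name -> (op ids, nested task names)
        self.roles = roles              # role name -> task names
        self.assignments = assignments  # user -> role names
        self.audit = []                 # every decision, for audit reporting

    def _ops_in_task(self, task, seen=None):
        """Flatten a task and its nested tasks into the operation ids it grants."""
        seen = set() if seen is None else seen
        if task in seen:                # guard against a task-definition cycle
            return set()
        seen.add(task)
        ops, children = self.tasks[task]
        return set(ops).union(*(self._ops_in_task(c, seen) for c in children))

    def access_check(self, user, operation):
        """True if any role assigned to user grants the operation; unknown users
        and unknown operations are denied. Every decision is audited."""
        op_id = self.operations.get(operation)
        for role in sorted(self.assignments.get(user, ())):
            granted = set().union(*(self._ops_in_task(t) for t in self.roles[role]))
            if op_id is not None and op_id in granted:
                self.audit.append(Decision(user, operation, role, True))
                return True
        self.audit.append(Decision(user, operation, None, False))
        return False

def build_sample_store():
    """Policy store for the slide: Mary = Manager, Bob = User."""
    return PolicyStore(
        operations={"SubmitExpense": 1, "ApproveExpense": 2, "ViewReports": 3},
        tasks={"Submit expense": ([1], []),
               "Approve expense": ([2, 3], []),
               "Manage team expenses": ([], ["Submit expense", "Approve expense"])},
        roles={"User": ["Submit expense"], "Manager": ["Manage team expenses"]},
        assignments={"Mary": {"Manager"}, "Bob": {"User"}},
    )

def denied_attempts(store):
    """Audit report: the denied decisions an auditor would review first."""
    return [d for d in store.audit if not d.allowed]
```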
Extranet Access Management
Extranet Access Management: What Are the Challenges?
Challenges related to extranet access management include:
- Providing secure sessions over the Web
- The need for a robust authentication and access control mechanism
- The need for a common security model that includes authentication, Web SSO, authorization, and personalization
Identifying Extranet Considerations
Considerations that may affect your extranet access management approach include:
- Virtual Private Network or Web SSO access
- Directory service selection
- Existing applications
- Identity life-cycle management
- Password security
Understanding Authentication Methods for Extranet Access
Protocols used for extranet access include:
- SSL 3.0 and TLS 1.0
- Passport authentication
- Digest authentication
- Forms-based authentication
- Basic authentication
Understanding Authorization Techniques for Extranet Access
Extranet authorization techniques can include the following:
- ACL (access control list) based authorization
- RBAC (role-based access control)
Using Trusts and Shadow Accounts for Extranet Access
Alternatives to using trusts include:
- Using shadow accounts
- Implementing public key infrastructure trusts
- Using qualified subordination
Implementing Security Auditing
Use security auditing to monitor the following services:
- Directory services
- Authentication
- Authorization
The following products and technologies can be used for security auditing and reporting:
- Windows Security Event Log
- WMI
- MOM
Session Summary
- Implementing an identity and access management solution will greatly reduce management effort, simplify the end user experience, and increase overall security
- MIIS 2003 can manage identity information, automate provisioning and deprovisioning, and synchronize various types of information among multiple identity store formats
- A thorough understanding of authentication and authorization options provides the background needed to effectively secure your network infrastructure
- It is important to understand which authentication and authorization protocols are appropriate for extranet access
Next Steps
- Find additional security training events:
- Sign up for security communications: default.mspx
- Order the Security Guidance Kit: default.mspx
- Get additional security tools and content:
Questions and Answers
Contact Details
Paula Kiernan, Ward Solutions
paula.kiernan@ward.ie
www.ward.ie