Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity and Access Management - Futures and Roadmap Andreas Luther Group Program Management Identity and Access - MIIS Microsoft Corporation.

Published byJuniper Abraham Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity and Access Management - Futures and Roadmap Andreas Luther Group Program Management Identity and Access - MIIS Microsoft Corporation."— Presentation transcript:

1 Identity and Access Management - Futures and Roadmap Andreas Luther Group Program Management Identity and Access - MIIS Microsoft Corporation

2 Situation Increasingly connected systems Connections span technical, org boundaries Distinctions blur - customer, partner, employee, intranet, Internet Demand for business process integration Clear business drivers around security, cost efficiency, regulatory compliance Issues around policy, compliance, reporting Rapid rise of threats to online safety Phishing, pharming, phraud Concerns over privacy, tracking

3 Technology Areas Connectors Integration with non-Windows integrated applications and systems Identity and Access Platform User Experience Logon & credentials Self-service Developer Experience Directory APIs Access APIs Integration APIs IT Pro Experience Management Delegated admin Integration Services Process automation Process control Directory Services Distributedpublication Access Services AuthenticationAuthorizationAudit Credential management

4 Microsoft’s Strategy Add native support for interoperable federated identity to Active Directory using web services Build on Microsoft Identity Integration Server as platform for process-driven management of identities and entitlements Evolve and refine Active Directory directory services

5 What is a Digital Identity? A set of claims one subject makes about another Many identities for many uses Required for transactions in real world and online

6 Active Directory Federation Services Federated web single sign on WS-Federation Passive Requestor Profile Support SAML token, claims as SAML assertions Integrated with Windows SSO Support Windows Integrated Security and native claims-based identity Transform claims into SIDs for Windows apps Enable web apps to natively consume claims Authorization Manager integration Delivered in Windows Server 2003 R2

7 Process-driven management of identities and entitlements

8 MIIS Roadmap Extending MA Reach and password capabilities MIIS 2003 SP1 Q4/CY04 Additional MAs MA SDK Password Extensions Password synchronization Extending MA Reach - Ongoing Oob deliverables – starting June 05 Additional MAs Improving password management capabilities MIIS 2003 SP2 Q2/CY06 End-user self-service password reset Process Integration Services MIIS - Gemini Codeless provisioning Entitlement reporting Self-service platform Additional MAs Tools to simplify MIIS deployments MIIS 2003 ResKit 2 Q4/CY04 Provisioning Wizard Workflow sample app

9 MIIS Roadmap Extending MA Reach and password capabilities MIIS 2003 SP1 Q4/CY04 Additional MAs MA SDK Password Extensions Password synchronization Extending MA Reach - Ongoing Oob deliverables – starting June 05 Additional MAs Improving password management capabilities MIIS 2003 SP2 Q2/CY06 End-user self-service password reset Tools to simplify MIIS deployments MIIS 2003 ResKit 2 Q4/CY04 Provisioning Wizard Workflow sample app Process Integration Services MIIS - Gemini Codeless provisioning Entitlement reporting Self-service platform Additional MAs

10 MIIS 2003 – Oob MA Deliverables Mainframe MAs RACF: June 05 ACF2, TS: Fall 05 ERP MAs SAP, PeopleSoft: Fall 05 Generic LDAP MA Considered for Gemini release

11 MIIS Roadmap Extending MA Reach and password capabilities MIIS 2003 SP1 Q4/CY04 Additional MAs MA SDK Password Extensions Password synchronization Extending MA Reach - Ongoing Oob deliverables – starting June 05 Additional MAs Improving password management capabilities MIIS 2003 SP2 Q2/CY06 End-user self-service password reset Tools to simplify MIIS deployments MIIS 2003 ResKit 2 Q4/CY04 Provisioning Wizard Workflow sample app Process Integration Services MIIS - Gemini Codeless provisioning Entitlement reporting Self-service platform Additional MAs

12 MIIS 2003 SP2 Password Self Service Reset Problem: Users forget passwords Downtime reduces employee productivity High help desk costs associated with reset requests Solution: Password self service reset enables employees to reset forgotten passwords Self Service Password Reset planned for MIIS SP2 Leverages MIIS System connectivity Account management User Registration Proactive enrollment or help desk can force users to enroll when password is forgotten Q&A authentication configuration is very flexible to accommodate different organizations security requirement Q&A can be exposed to Help Desk to authenticate callers Significant update to web applications shipped with MIIS 2003 Working with Speech Server team to enable phone password reset

13 MIIS Roadmap Extending MA Reach and password capabilities MIIS 2003 SP1 Q4/CY04 Additional MAs MA SDK Password Extensions Password synchronization Extending MA Reach - Ongoing Oob deliverables – starting June 05 Additional MAs Improving password management capabilities MIIS 2003 SP2 Q2/CY06 End-user self-service password reset Tools to simplify MIIS deployments MIIS 2003 ResKit 2 Q4/CY04 Provisioning Wizard Workflow sample app Process Integration Services MIIS - Gemini Codeless provisioning Entitlement reporting Self-service platform Additional MAs

14 Process-driven management of identities and entitlements

15 Identity and Access Platform - Technology Areas Connectors Integration with non-Windows integrated applications and systems Identity and Access Platform User Experience Logon & credentials Self-service Developer Experience Directory APIs Access APIs Integration APIs IT Pro Experience Management Delegated admin Integration Services Process automation Process control Directory Services Distributedpublication Access Services AuthenticationAuthorizationAudit Strong credentials

16 Integration Services - Business Drivers and Requirements Strengthen security Enforcement of “Least User Access” as required by SOAX, HIPAA etc. Automated de-provisioning of accounts and entitlements Central auditing Increasing operational efficiency Automation: Provisioning and de-provisioning based on business rules Self-service applications to empower business owners to make entitlement decisions Online business enablement Self-service applications for user registration and account management Regulatory requirements Workflow to model controls State based identity management system to enforce use of controls and compliance Central auditing allows tracking of in- and out of compliance situations

17 Example: Resource Access in Windows Policy is de-centralized No single store to lookup relationships between Users, resources and access control policies Administration is de-centralized No reporting capabilities Token

18 Abstract Model Digital subjects, resources and access policies share lifecycle management characteristics Need to be authored and provisioned, incl. process Changes managed from authoritative source and enforced Need to have owner Relationships have to be managed and enforced Access Policy Guard Resource Guard Digital Actor Guard

19 Requirements for Process Integration Service Provisioning and lifecycle management of digital subjects Provisioning and lifecycle management of resources File shares, SharePoint sites Provisioning and lifecycle management of access control policies ACLs, SharePoint access rights, web services Workflow to model compliance controls Enforce compliance and flag out-of-compliance situations Central auditing system Audit all aspects of provisioning and lifecycle management (state auditing) Trigger actions (workflows) if out-of-compliance situations are found Integrate with forensic auditing systems (ACS, MOM) Complete set of APIs for any aspects of entitlement provisioning and process integration service configuration

20 MIIS Evolves into Process Integration Services Digital actors, resources and policies are all identities State-based Metadirectory is the right approach Discovery of identities through Management Agents Aggregation of identity information in central store Use business rules to manage relationships between identities Periodically validate compliance of relationships by comparing existing relationships with model through synchronization Enforce compliance through synchronization Audit all relationship changes MIIS 2003 has the right architecture Future versions will add workflow, business rules authoring, control authoring and auditing

21 Metadirectory Access Control Configuration - Revised HR Policy AResource A Policy A: All members of Sales role R Provision Bob: Sales Resource configuration: Use Policy A

22 Metadirectory Access Control Configuration - Revised HR Policy AResource A Policy A: All members of Sales role: R Provision Bob: Sales Resource configuration: Use Policy A Provision Lori: Marketing Web Service

23 Benefits of this Model Centralized management of digital subjects, resources and policies Data driven Application driven (Self-Service or delegated) Heterogeneous environments Workflow allows modeling of controls Compliance validation and enforcement State in Metadirectory is authoritative If administrator adds Sally to ACL on \\movies, Metadirectory resets ACL and triggers warning \\movies Use of controls Centralized auditing and reporting

24 Auditing and Reporting All operations create audit entries Including approval steps in workflows Reports answer the following questions: Who had access to \\movies on 6/2/05 and why? \\movies Bob, member of sales role Who had access to \\movies on 6/5/05 and why? \\movies Bob, member of sales role Lori, because Bob approved request What resource did Lori have access to on 6/5/05 and why? \\movies\\movies, because Bob approved request \\movies What resources were protected by policy A on 6/5/05? \\movies What resources can be accessed by Sales members? \\movies

25 MIIS Gemini Add core functionality required for Process Integration Services Rich workflow Centralized auditing Self-service application platform with integrated workflow and auditing Computed attributes Entitlement management based on organizational roles Expose new functionalities to IT Pros and end users Identity manager console for declarative entitlement management Self-service applications Expose self-service application interfaces for ISVs and corporate developers

26 Gemini Provisioning Features Integrated Toolset to Manage the Lifecycle of Digital Identities and Entitlements Declarative Provisioning UI to define rules when and where entitlements are created plus templates how they are created No more coding required Self-Service Platform Web service interfaces to build self-service applications E.g., account requests, entitlement requests, password resets, group membership request Tight integration with VS to develop Self-Service apps Application MV Group Management Improvements Multi-forest, computed groups, Autogroup Unified workflow model Declarative provisioning, self-service apps, existing synchronization framework and group management need workflow Single model to manage workflows

27 Gemini Provisioning Features Integrated Toolset to Manage the Lifecycle of Digital Identities and Entitlements Ready to use “Out of the Box Self-Service Applications” Only minimal configuration required Entitlement manager, Autouser, Autogroup Auditing / compliance checking All provisioning operations are audited (requests, approvals, changes in CD) Un-authorized changes in CD can be detected and audited; workflow can be kicked off Resource and policy management

28 Gemini Workflow Example Approved? ReceiveDelegation Requestapproval CreateAccount Request No Yes No Escalate Yes NotifyOthers Delegation SendNotification Approved? CreateAccountSendNotification More Processes

29 The Evolution of Directory Services

30 Active Directory Broad usage 86% of US, 57% of enterprises >500 PCs worldwide running Active Directory * Performance at scale Scale out: 1000+ servers Scale up: deployments at 20M+ users Flexibility: AD and ADAM Centralized or distributed physical deployment Centralized or distributed logical management Shared across applications or dedicated to a specific application Interop: Unix/Linux SSO via Vintela, Centrify * Source: Microsoft internal survey, spring 2005

31 Domain Mode Windows Server 2003 R2 Unix compatibility schema ADMT v3 (web download) Longhorn Server Read-only DC: reduced physical security requirements, simplified manageability Restartable AD: reduce DC reboots DC on Server Core: minimize surface area DC/Domain Admin role separation

32 Application Mode Windows Server 2003 ADAM download LDAP-only mode of Active Directory with independent configuration Identical performance at scale Windows Server 2003 R2 ADAM included in OS distribution One-way AD-to-ADAM sync: eliminate need for MIIS (or IIFP) in simple scenarios Longhorn Server: same as R2

33 The Next Generation of Digital Identity

34 Threats to Online Safety The Internet was built without a way to know who and what you are connecting to Everyone offering Internet service has come up with workaround – a patchwork of one-offs Inadvertently taught people to be phished Greater use and greater value attract professional international criminal fringe Understand and exploit weaknesses in patchwork Phishing and pharming at 1000% CAGR

35 From Patchwork to Fabric Little agreement on what identity layer is, or how it should be run Digital identity related to contexts Partial success in specific domains (SSL, Kerberos) Enterprises, governments, verticals prefer one-offs to loss of control Individual is also a key player No simplistic solution is realistic Consider cross cultural, international issues Diverse needs of players means need to integrate multiple constituent technologies

36 “The Laws of Identity” 1. User control and consent 2. Minimal disclosure for a defined use 3. Justifiable parties 4. Directional identity 5. Pluralism of operators and technologies 6. Human integration 7. Consistent experience across contexts Join the discussion at www.identityblog.com

37 Identity Metasystem We need a unifying “Identity metasystem” Protect applications from identity complexities Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations Not first time we’ve seen this in computing Abstract display services made possible through device drivers Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet- invented wireless protocols

38 Metasystem Characteristics Requirements for the Identity Metasystem NegotiationDriven Encapsulation ClaimsTransformation UserExperience Enable participants to negotiate technical policy requirements Technology-agnostic way to exchange policies and claims Trusted way to change one set of claims into another regardless of format Consistent user interface across multiple systems and technologies

39 WS-Trust, WS-MetadataExchange WS-* Metasystem Architecture Security Token Service Kerberos WS-SecurityPolicy SAML Security Token Service WS-SecurityPolicy … ID Provider x509 ID Provider Subject Relying Party Identity Selector

40 Microsoft Support for Identity Metasystem “Indigo” Runtime for building distributed applications supporting identity metasystem “InfoCard” Identity selector for Windows to visualize user’s digital identity Active Directory Infrastructure for identity and access “InfoCard”“Indigo” Active Directory WS-* End-UsersDevelopers IT Organizations

41 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Identity and Access Management - Futures and Roadmap Andreas Luther Group Program Management Identity and Access - MIIS Microsoft Corporation."

Similar presentations

InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.

InfoCard and the Identity Metasystem Kim Cameron, Chief Architect of Identity Microsoft.
Microsoft Forefront Identity Manager 2010

Microsoft Forefront Identity Manager 2010
Microsoft Identity Solutions

Microsoft Identity Solutions
Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft

Windows CardSpace and the Identity Metasystem Glen Gordon Developer Evangelist, Microsoft
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
DEV392: Extending SharePoint Products And Technologies Through Web Parts And ASP.NET Clint Covington, Program Manager Data And Developer Services - Office.

DEV392: Extending SharePoint Products And Technologies Through Web Parts And ASP.NET Clint Covington, Program Manager Data And Developer Services - Office.
Virtual techdays INDIA │ 18-20 august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –

Virtual techdays INDIA │ august 2010 Managing Active Directory Using Microsoft Forefront Identity Manager: Amol R Bhandarkar │ Tech Specialist –
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
Identity Management with Microsoft Identity Integration Server.

Identity Management with Microsoft Identity Integration Server.
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Identity and Access Management

Identity and Access Management
Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.

Access and Identity Management for Enterprise Portals Rohit Gupta Director, Identity Management Product Management Oracle Corporation.
Managing LOB Applications by Using System Center Operations Manager Published: March 2007.

Managing LOB Applications by Using System Center Operations Manager Published: March 2007.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Understanding Active Directory

Understanding Active Directory
Account Reset Console Delegated and secure self password resets Joe Vachon Sales Engineer.

Account Reset Console Delegated and secure self password resets Joe Vachon Sales Engineer.
© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Automates Infrastructure Outsourcing.
Microsoft Identity and Access Solutions Market Trends and Futures

Microsoft Identity and Access Solutions Market Trends and Futures
Empower Enterprise Mobility Jasbir Gill Azure Mobility.

Empower Enterprise Mobility Jasbir Gill Azure Mobility.
Identity and Access Management Business Ready Security Solutions.

Identity and Access Management Business Ready Security Solutions.

Similar presentations

Ads by Google