Published by Richard Holmes. Modified over 9 years ago.
Slide 1: February 24th, 9am-11am
Part 1: Preventing the “Big Lebowski”
  Justin Stanton, Stuart Ami (Interlink Group, LLC)
Part 2: Windows Focused Identity Administration
  Ron Clarkson (NetIQ Corporation)
Slide 2: Agenda
- Introduction
- Business Drivers
- EIM Components
- Is EIM Right For You?
- Implementation Strategies
- Snapshot of a Solution
- Administration Overview
- NetIQ Identity Administration Capabilities
- Extending Beyond Windows with MIIS
- Summary
- Demo
Slide 3: February 24th, 9am-11am
Preventing the “Big Lebowski”
Justin Stanton, Stuart Ami (Interlink Group, LLC)
Slide 4: Topics
- Overview
- Business Drivers
- EIM Components
- Is EIM Right For You?
- Implementation Strategies
- Snapshot of a Solution
Slide 5: What is Identity Management?
The strategy of employing processes and technologies to manage information about the identity of users and to control access to company resources.
Slide 6: Identity Chaos
- Absence of Federated Directories
- Federation, n.: “the technology and business processes necessary for the interconnecting of users, applications, and systems.”
(Diagram: unconnected identity stores, each marked with a question mark.)
Slide 7: Identity Chaos (continued)
- Proprietary Identity Stores
- Proprietary Administration
- Proprietary User Provisioning
- Proprietary User Access Control
Slide 8: Identity Lifecycle
- Account Creation (Provisioning)
- Account Maintenance
- Account Revocation (De-provisioning)
(Lifecycle diagram: Provisioning, Maintenance, De-provisioning.)
Slide 9: Account Creation
- Rising support costs
- Increased complexity
- External vs. internal
(Lifecycle diagram: Provisioning, Maintenance, De-provisioning.)
Slide 10: Account Maintenance
- Rising costs to support
- 45% of total help desk calls are password resets [1]
- 11% of all employees will experience an access right issue every month [2]
- Often the result of configuration errors made during account creation
[1], [2]: META Group research conducted on companies with over $500 million in annual revenue.
(Lifecycle diagram: Provisioning, Maintenance, De-provisioning.)
Slide 11: Account Revocation
- Costs and risks on the rise
- Unclear “scope of access”
- Inability to react can lead to increased vulnerability
(Lifecycle diagram: Provisioning, Maintenance, De-provisioning.)
Slide 12: Identity Lifecycle Business Risks (yep, there’s more!)
- Lower productivity: the average time to complete a user provisioning request is 6 to 29 hours! [1]
- Duplicate and conflicting user information: on average, internal user information is stored in 22 different identity stores and external user data is stored in 6 different identity data stores [2]
- Lack of information security
- Difficulty in meeting regulatory compliance
[1], [2]: META Group research conducted on companies with over $500 million in annual revenue.
Slide 13: Identity Management Components
Slide 14: (Component diagram)
- Federation
- Authentication
- Password Mgmt
- Directories
- Authorization
- Self-Service
- Single Sign On
- Provisioning
Slide 15: Directory Services
- “Foundation” of an Identity Management solution
- Stores digital identity information, policies, and user credentials
- Interacts directly with all other EIM components
- LDAP is the emerging directory standard
- Does not necessarily store ALL identity attributes
Slide 16: Meta-directory Services
- Provides a unified view of a user’s digital identity
- Integration and synchronization of digital identity data
- Facilitates bi-directional flow of information between the directory and identity store(s)
- Processes the unidirectional flow of data coming from authoritative sources and transfers that data to the EIM system
Slide 17: Federation
- Interface between directory services and application authentication/authorization
- Trust relationships provide a way to authenticate digital identities among autonomous organizations
- Forest trusts, shadow accounts, and PKI trusts
Slide 18: Authentication
- Proving a user is who they claim to be
- Single Factor Authentication
- Multi-Factor Authentication
- Identifying Credentials: Smartcards, Biometrics, Proximity
Slide 19: Authorization
- Determines access permissions to services, resources, and applications
- Role-Based Access
- Can be based on a company’s organizational model
Slide 20: Administration
- Centralized Administration
- Delegated Administration
Slide 21: Provisioning
- Lifecycle of a digital identity
- Role-based access can ease administration
- Don’t forget de-provisioning and re-provisioning!
Slide 22: Password Management
- Synchronize passwords across multiple systems
- User self-service functionality
- Reduces burden on help desk
Slide 23: Self-Service
- Empowers users to manage aspects of their own digital identity
- Reduces risk associated with password sharing
- Reduces administrative costs and burden on help desk
Slide 24: Single Sign-On (SSO)
- Single point of authentication
- Automates access to authorized services, applications, and resources
- Eliminates the security headaches and vulnerabilities associated with multiple IDs/passwords
- Best if used with Multi-Factor Authentication
Slide 25: Is Identity Management Right For You?
Slide 26: Any of these sound familiar?
- Users have more than six username and password combinations?
- Turnaround time to provision an account for new employees is > 1 day?
- Turnaround time to revoke a terminated user’s account and permissions is > 1 day?
- Access to critical resources cannot be restricted?
- Access to critical resources cannot be audited or monitored?
- CFO needs Sarbanes-Oxley compliance measures?
- HIPAA compliance becoming a real concern?
Slide 27: Interested in ROI?
- Potential savings of $4,395,081.60 per year [1]
- Gartner estimates that a 300% ROI over three years can be earned for a company with 10,000 employees implementing a provisioning solution for 12 applications [2]
[1]: META Group research conducted on 420 companies with over $500 million in annual revenue.
[2]: Gartner Group research on companies with over 10,000 employees.
Your actual mileage may vary.
Slide 28: Implementation Strategies
- Executive-level buy-in and commitment is essential
- Clearly define business objectives
- Take a comprehensive approach to design: Top-Down, Bottom-Up
- Prioritize tasks by: Aggregation, Consolidation, Integration
- Involve ALL stakeholders!
Slide 29: Lessons Learned (Continued)
- Balance “wish” with “risk”
- Identify requirements before the vendor selection phase
- Have vendors provide a proof of concept in YOUR environment
- Take a “phased” approach to implementation
- Implement the most business-critical applications last
Slide 30: EIM Solution Snapshot: Single Sign-on / Authentication
(Diagram: smart card logon using Microsoft Certificate Services against Active Directory; the resulting security token, e.g. a Kerberos ticket, provides single sign-on to Email, LOB App 1, LOB App 2 and Intranet Applications.)
Slide 31: EIM Solution Snapshot: Re-provisioning / Authorization
(Diagram: the Metadirectory (MIIS) sits between Active Directory, Email, LOB App 1, LOB App 2 and Intranet Applications, with Policy applied to the changes it propagates.)
Scenario 1: Add his last name, “Lebowski”
- Add SN “Lebowski” in the authoritative source
- Propagated by MIIS: added last name “Lebowski” / update last name “Lebowski” in each connected system
Scenario 2: Promoted from janitor to cashier
- Remove user from Janitor Group
- Add user to Cashier Group
- Update attributes to reflect new position: “Cashier”
Slide 32: The Total Solution
- Microsoft provides the cross-platform infrastructure: MIIS
- Interlink provides the integration and professional services
- What about an administrative interface? …allow me to introduce NetIQ!
Slide 33: February 24th, 9am-11am
Windows Focused Identity Administration
By Ron Clarkson
Slide 34: Topics
- Administration Overview
- NetIQ Identity Administration Capabilities
- Extending Beyond Windows with MIIS
- Summary
- Demo
Slide 35: February 24th, 9am-11am
Administration Overview
Slide 36: What Is Identity Administration?
- Identity Administration ensures that authoritative data stores ARE authoritative!
- Hard to achieve IdM ROI without proper identity administration
- For Windows focused organizations, AD administration is the most critical piece of identity administration
Slide 37: What Are The Challenges?
Challenge                 | NetIQ Approach
Content Accuracy          | Un-bypassable content policy enforcement
Restricting Data Access   | Role based security; secure delegation of tasks
Auditing of Changes       | Centralized auditing of AD changes
Cost Effective User Admin | Automation and Self Service
Slide 38: Why Is It Important?
Challenge                 | Importance
Content Accuracy          | Need truly authoritative data stores
Restricting Data Access   | Lower security risk
Auditing of Changes       | Regulatory compliance
Cost Effective User Admin | Do more with less
Slide 39: How Do We Do It? Task Appropriate Directory Access
LAYERED SECURITY ARCHITECTURE
- Desktop Management / Group Policy Admin: offline access for sensitive tasks that can impact the entire enterprise environment if performed online.
- AD Architect / Security Admin: native access for auditing and management of the Active Directory security model and similar tasks that require a high level of privilege.
- Departmental Admin / Help Desk Admin: protected access for tasks that require low levels of privilege, and high levels of auditing, automation and extensibility.
Slide 40: February 24th, 9am-11am
NetIQ Identity Administration Capabilities
Slide 41: Challenge: Keep Content Accurate
Goals:
- Make sure account management activities comply with appropriate policies
Challenges:
- Content control (data validation policies, etc.)
- Content consistency
- Contextual control (not only what, but when)
Slide 42: Challenge: Secure Delegation
Goals:
- Delegate out day-to-day administration tasks without giving away the keys to the kingdom
Challenges:
- Defining roles & responsibilities
- Delivering appropriate capabilities
- Providing easy admin interfaces to “delegates”
- Avoiding power escalation (identity theft, etc.)
- Delegating certain aspects of tasks is difficult
- Undelegation is even more challenging
Slide 43: Challenge: Centralize Auditing
Goals:
- Capture all account management activities (Who did what to whom or what, and when?)
Challenges:
- Enforcement of audits
- Capturing & centralizing activities in a multi-master environment
- AD security audit log conciseness & interpretation
- Completeness of audit
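The slide above frames auditing as "who did what to whom, and when" across a multi-master directory. The following is an added example, not code from the presentation, NetIQ or Microsoft: it takes constructed audit records from three domain controllers in an assumed pipe-separated layout (not a real event-log format), merges them into one de-duplicated timeline, and then reconciles the directory's current group memberships against that timeline so that a membership no logged change explains stands out as an audit gap. Account names, group names and timestamps are all constructed.

```python
"""Toy central audit pipeline for account-management changes.

Constructed example, not NetIQ or Microsoft code and not a real event-log
format. Records written by several domain controllers (a multi-master
environment) are normalised into one timeline that answers "who did what
to whom, and when", and the directory's current state is reconciled
against that timeline to surface memberships no logged change explains.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str    # who
    action: str   # did what
    target: str   # to whom (or what)
    detail: str   # the value involved
    source: str   # which DC recorded it


# Constructed sample records: source|timestamp|actor|action|target|detail.
RAW_RECORDS = [
    "DC01|2005-02-24T09:05:00Z|CONTOSO\\helpdesk1|reset_password|jdoe|",
    "DC02|2005-02-24T09:04:30Z|CONTOSO\\hr_sync|set_attribute|jlebowski|sn=Lebowski",
    "DC03|2005-02-24T09:06:10Z|CONTOSO\\deptadmin|add_member|jlebowski|group=Cashiers",
    "DC02|2005-02-24T09:04:30Z|CONTOSO\\hr_sync|set_attribute|jlebowski|sn=Lebowski",  # replicated copy
    "DC01|2005-02-24T09:07:00Z|CONTOSO\\deptadmin|remove_member|jlebowski|group=Janitors",
]


def parse_record(line: str) -> AuditEvent:
    source, ts, actor, action, target, detail = line.split("|", 5)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return AuditEvent(when, actor, action, target, detail, source)


def centralize(lines: Iterable[str]) -> list:
    """Merge every DC's records into one ordered timeline; the same change
    reported by two DCs through replication is kept once."""
    seen, events = set(), []
    for line in lines:
        ev = parse_record(line)
        key = (ev.when, ev.actor, ev.action, ev.target, ev.detail)
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return sorted(events, key=lambda e: e.when)


def describe(ev: AuditEvent) -> str:
    """Who did what to whom, and when, as one line."""
    return f"{ev.when:%Y-%m-%d %H:%M:%S} {ev.actor} {ev.action} {ev.target} {ev.detail}".rstrip()


# Constructed snapshot of current group memberships in the directory.
CURRENT_MEMBERSHIPS = {
    "jlebowski": {"Cashiers", "Domain Users"},
    "jdoe": {"Domain Users", "Domain Admins"},  # no audited change added this
}


def unexplained_memberships(events, memberships, baseline=frozenset({"Domain Users"})):
    """Completeness check: each non-baseline membership should trace back to
    an add_member event. Anything that does not is an audit gap to investigate
    (a change made outside the audited path, or before auditing began)."""
    explained = {(e.target, e.detail.split("=", 1)[1]) for e in events if e.action == "add_member"}
    return [(user, g) for user, groups in memberships.items()
            for g in sorted(groups - baseline) if (user, g) not in explained]


if __name__ == "__main__":
    timeline = centralize(RAW_RECORDS)
    for ev in timeline:
        print(describe(ev))
    print("unexplained:", unexplained_memberships(timeline, CURRENT_MEMBERSHIPS))
```

The reconciliation step is what turns a log into an audit: a privileged membership with no corresponding recorded change is exactly the "completeness" problem the slide lists, whichever of the DCs the change was originally made on.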
Slide 44: Challenge: Automation of Repetitive Tasks
Goals:
- Enable provisioning and deprovisioning through automation
Challenges:
- Automation of tasks isn’t possible natively: home directory, home shares, mailbox creation, group membership adds/deletes, distribution list adds/deletes
- Difficult to delegate some of these rights natively without giving away the keys to the kingdom
Slide 45: Directory & Resource Administrator
The What:
- Enforce Policies
- Secure Delegation
- Centralized Auditing
- Automate Tasks
The Why:
- Keep AD content accurate
- Offload tasks to help desk
- Know who accessed what, when
- Reduce repetitive work
Slide 46: Challenge: End User Self Service
Goal:
- Enable end users to manage their own information where possible
Challenges:
- No native web interface to expose AD attributes about personal information
- No interface to unlock accounts or reset passwords
- Ability to log in to reset a password when unable to access one’s own account
Slide 47: Secure Password Administrator Module
The What:
- Password Resets & Unlocks
- Password Synchronization
- Self Service for NT and Windows
The Why:
- Reduces calls to help desk
- Keeps accounts in sync
- Prevents account hijacking
Slide 48: Challenge: Role Based Security
Goals:
- Simple & sustainable permissions set-up & management within Active Directory
Challenges:
- Defining appropriate permissions templates for various job functions or roles
- Applying permissions to Active Directory in a repeatable way
- Updating “roles” over time
- Documentation of role definitions & applications
(Diagram: Analysis & Remediation, Permissions Administration, Permissions Implementation.)
Slide 49: Directory Security Administrator
The What:
- Native ACL Administration
- Role Based Security
- Permissions Search
The Why:
- Manage within Active Directory
- Easier privilege management
- See who can do what
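Slides 48 and 49 describe permissions templates per job function, applying them repeatably, and a permissions search that answers "who can do what". The following is an added example, not NetIQ's Directory Security Administrator and not a real Active Directory API: roles are modelled as templates of rights, assignments bind a principal and a role to an OU scope, effective rights are derived from them, and a constructed snapshot of ACEs actually present on an object is reconciled against the roles so that unexplained grants (the "analysis and remediation" step) are reported. Role names, right names, principals and DNs are assumptions for this example.

```python
"""Toy role-based delegation model for Active Directory-style permissions.

Constructed example; this is not NetIQ's Directory Security Administrator
nor any real AD API. Roles are permission templates (job function -> set of
rights), assignments bind a role to a principal over a scope (an OU), the
effective rights on an object are computed from those assignments, and the
ACEs actually present in the directory are reconciled against them so that
drift can be found and remediated.
"""
from collections import defaultdict

# Permission templates per job function (names and rights assumed for this example).
ROLE_TEMPLATES = {
    "HelpDesk": {"reset_password", "unlock_account"},
    "DeptAdmin": {"reset_password", "unlock_account", "modify_group_membership"},
    "SecurityAdmin": {"modify_acl", "read_audit"},
}

# Role assignments: (principal, role, scope). A scope is an OU or domain DN.
ASSIGNMENTS = [
    ("CONTOSO\\helpdesk-team", "HelpDesk", "OU=Sales,DC=contoso,DC=com"),
    ("CONTOSO\\helpdesk-team", "HelpDesk", "OU=Finance,DC=contoso,DC=com"),
    ("CONTOSO\\sales-admins", "DeptAdmin", "OU=Sales,DC=contoso,DC=com"),
    ("CONTOSO\\sec-team", "SecurityAdmin", "DC=contoso,DC=com"),
]


def in_scope(obj_dn: str, scope_dn: str) -> bool:
    """An object is inside a scope when the scope DN is the tail of its DN."""
    return obj_dn == scope_dn or obj_dn.endswith("," + scope_dn)


def effective_rights(obj_dn, assignments=ASSIGNMENTS, templates=ROLE_TEMPLATES):
    """principal -> rights on obj_dn, derived only from role assignments.
    Updating a template changes every assignment of that role at once,
    which is what keeps the roles sustainable over time."""
    rights = defaultdict(set)
    for principal, role, scope in assignments:
        if in_scope(obj_dn, scope):
            rights[principal] |= templates[role]
    return dict(rights)


def who_can(right, obj_dn, assignments=ASSIGNMENTS, templates=ROLE_TEMPLATES):
    """Permissions search: which principals hold `right` on obj_dn."""
    return sorted(p for p, rs in effective_rights(obj_dn, assignments, templates).items()
                  if right in rs)


# Constructed snapshot of ACEs actually present on one object in the directory.
LIVE_ACES = {
    "CN=Jeff Lebowski,OU=Sales,DC=contoso,DC=com": {
        ("CONTOSO\\helpdesk-team", "reset_password"),
        ("CONTOSO\\helpdesk-team", "unlock_account"),
        ("CONTOSO\\sales-admins", "reset_password"),
        ("CONTOSO\\sales-admins", "unlock_account"),
        ("CONTOSO\\sales-admins", "modify_group_membership"),
        ("CONTOSO\\sec-team", "modify_acl"),
        ("CONTOSO\\sec-team", "read_audit"),
        ("CONTOSO\\old-contractor", "reset_password"),  # no role grants this
    }
}


def drift(live_aces, assignments=ASSIGNMENTS, templates=ROLE_TEMPLATES):
    """Analysis step: ACEs no role explains (extra, remediation candidates)
    and role rights the directory is missing (missing, to be re-applied)."""
    extra, missing = [], []
    for obj_dn, aces in live_aces.items():
        expected = {(p, r) for p, rs in effective_rights(obj_dn, assignments, templates).items()
                    for r in rs}
        extra.extend(sorted(aces - expected))
        missing.extend(sorted(expected - aces))
    return extra, missing


if __name__ == "__main__":
    jeff = "CN=Jeff Lebowski,OU=Sales,DC=contoso,DC=com"
    print("can reset Jeff's password:", who_can("reset_password", jeff))
    extra, missing = drift(LIVE_ACES)
    print("unexplained ACEs:", extra)
    print("missing ACEs:", missing)
```

Keeping the role definitions as the single source of truth is what makes "undelegation" tractable: removing an assignment and re-running the drift check shows exactly which ACEs must be stripped, and a stale ACE left behind by a departed contractor shows up as drift rather than going unnoticed.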
Slide 50: February 24th, 9am-11am
Extending Beyond Windows with MIIS
Slide 51: What is MIIS?
Microsoft Identity Integration Server IS…
- Two-way synchronization infrastructure
- Connects AD to AD or AD to cross-platform systems
- Vision is to facilitate IdM for Windows Focused Orgs
- Current focus is to provide cross-platform password synch
Microsoft Identity Integration Server IS NOT…
- Authentication Directory (that’s still AD)
- User Administration
- Password Self Service
- Content Enforcement
- Role Based Security
Slide 52: How MIIS Works
- Metaverse: uneditable store of authoritative directory attributes
- Connector Space: contains stateful directory info
- Management Agents: synchronization across directories
- Connected Directories: AD, LDAP, SunONE, Oracle, text file, etc.
- MIIS Store (SQL Server)
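Slide 52 names the moving parts (connected directories, connector spaces, management agents, an uneditable metaverse) and slide 31 shows them at work: a surname flows from the authoritative source to every connected system, and a promotion moves the user from the Janitor group to the Cashier group. The following is an added example that plays both through in a toy sync engine; it is not Microsoft's MIIS, not Interlink's integration code, and the directory names, attribute names, anchor values and the title-to-group policy are assumptions for the example.

```python
"""Toy metadirectory in the MIIS style: connected directories, connector
spaces, management agents, a metaverse, and a role policy.

Constructed example, not Microsoft's MIIS or Interlink's integration code;
directory names, attribute names and the title-to-group policy are assumed.
It plays through the "Lebowski" re-provisioning slide: the authoritative HR
system records the surname "Lebowski" and the new title "Cashier"; one sync
cycle flows the surname to every connected system and the policy moves the
user from the Janitors group to the Cashiers group in AD.
"""
from dataclasses import dataclass, field


@dataclass
class ConnectedDirectory:
    """A connected directory together with its connector space, the staged
    copy of its objects that the management agent imports and exports."""
    name: str
    objects: dict = field(default_factory=dict)          # anchor -> attributes (the live store)
    connector_space: dict = field(default_factory=dict)  # anchor -> staged attributes

    def import_to_cs(self):
        """Management agent import: stage the directory's current state."""
        self.connector_space = {a: dict(attrs) for a, attrs in self.objects.items()}

    def export_from_cs(self):
        """Management agent export: write staged values back, reporting changes."""
        changes = []
        for anchor, staged in self.connector_space.items():
            live = self.objects.setdefault(anchor, {})
            for attr, value in staged.items():
                if live.get(attr) != value:
                    changes.append((self.name, anchor, attr, value))
                    live[attr] = value
        return changes


# Attribute precedence: which connected directories are authoritative for a
# metaverse attribute, in order. HR is the authoritative source for identity data.
PRECEDENCE = {"sn": ["HR", "AD"], "title": ["HR"]}

# Role policy: job title -> the one role group the user should hold in AD.
ROLE_GROUPS = {"Janitor": "Janitors", "Cashier": "Cashiers"}


def synchronize(directories):
    """One sync cycle. The metaverse is rebuilt from the connector spaces by
    precedence rather than edited directly (it is the read-only, authoritative
    view), then projected back out to every connector space and exported."""
    by_name = {d.name: d for d in directories}
    for d in directories:
        d.import_to_cs()

    metaverse = {}
    anchors = {a for d in directories for a in d.connector_space}
    for anchor in anchors:
        view = {}
        for attr, sources in PRECEDENCE.items():
            for src in sources:
                value = by_name.get(src, ConnectedDirectory(src)).connector_space.get(anchor, {}).get(attr)
                if value:  # first authoritative source with a value wins
                    view[attr] = value
                    break
        metaverse[anchor] = view

    for anchor, view in metaverse.items():
        for d in directories:
            staged = d.connector_space.setdefault(anchor, {})
            if "sn" in view:
                staged["sn"] = view["sn"]
            if d.name == "AD" and "title" in view:
                staged["title"] = view["title"]
                # Re-provisioning policy: drop every role group, add the one the title maps to.
                groups = set(staged.get("memberOf", ())) - set(ROLE_GROUPS.values())
                if view["title"] in ROLE_GROUPS:
                    groups.add(ROLE_GROUPS[view["title"]])
                staged["memberOf"] = frozenset(groups)

    changes = []
    for d in directories:
        changes.extend(d.export_from_cs())
    return metaverse, changes


def lebowski_scenario():
    """Constructed state before the sync: HR already carries the new data."""
    hr = ConnectedDirectory("HR", {"1001": {"sn": "Lebowski", "title": "Cashier"}})
    ad = ConnectedDirectory("AD", {"1001": {"sn": "", "title": "Janitor",
                                            "memberOf": {"Janitors", "Domain Users"}}})
    email = ConnectedDirectory("Email", {"1001": {"sn": ""}})
    metaverse, changes = synchronize([hr, ad, email])
    return ad, email, metaverse, changes


if __name__ == "__main__":
    ad, email, metaverse, changes = lebowski_scenario()
    print("metaverse:", metaverse)
    for change in changes:
        print("exported:", change)
```

Two design points carry over from the slide: the metaverse is never written to directly, only recomputed from the connector spaces under the precedence rules, so a local edit in a non-authoritative system is overwritten on the next cycle; and the group change is derived from the job title rather than made by hand, which is what makes de-provisioning the old role automatic when the title changes.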
Slide 53: The Total Solution: NetIQ, MIIS, Interlink
- NetIQ provides the administrative interface
- MIIS provides the cross-platform infrastructure
- Interlink provides the integration
Example: Cross-Platform Password Self Service
1. NetIQ provides the front-end authorization interface
2. MIIS provides password synch beyond Windows
3. Interlink provides solution integration/customization
4. User gets a single web interface to update passwords
Slide 54: February 24th, 9am-11am
Summary
Slide 55: Summary
- User Provisioning is the Holy Grail
- Identity Management is a critical & necessary step
- Can’t do ID Mgmt without an ID administration process: enforce content policies, enable self service, automate provisioning tasks, delegate tasks and implement role based security
- Interlink, Microsoft, and NetIQ provide the complete solution for the Windows Focused Organization
Slide 56: February 24th, 9am-11am
Demo