Amol Bhandarkar Technology Solution Professional – IDA | Microsoft [email protected].
Identity & Access Management
Amol Bhandarkar, Technology Solution Professional – IDA | [email protected]
Agenda
Identity & Access Management
ILM 2 High level architecture
ILM 2 Features
Demo of ILM 2
Intelligent Application Gateway
AD Rights Management Service
Identity & Access Management
Identity-Based Access
Network Access: Identity-oriented edge access, e.g. NAP
Remote Access: Access resources remotely, e.g. SSL VPN
App Access: SSO, Web/Enterprise/Host Access, Federation
Info Access: Drive Encryption, ILP, Rights Management
Identity Infrastructure (Identity & Credentials Infrastructure): Directory (Identity/Credentials), Infocards, Meta/Virtual Directory, Basic Policy
Identity & Access Management:
Compliance and Audit: Monitoring, reporting, auditing of identity-based access activity
Identity & Credential Management: User provisioning, Certificate & Smartcard Management, User self-service
Policy Management: Identity policy, user/role-based access policy, federation policy, Delegation
Access Management: Group Management, Federation/Trust Management, Entitlements, RBAC
Microsoft Identity Lifecycle Manager: ILM 2 High Level Architecture
Capabilities: Identity Synchronization; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Support for 3rd Party CAs; Codeless Provisioning; Group & DL Management; Workflow and Policy
Management areas: User Management; Group Management; Credential Management; Policy Management
Common Platform: Workflow; Connectors; Logging; Web Service API; Synchronization
Identity Lifecycle Manager "2" Features
Credential Management: Heterogeneous certificate management with 3rd party CAs; Management of multiple credential types, including One Time Passwords; Self-service password reset integrated with Windows logon
Group Management: Rich Office-based self-service group management tools; Offline approvals through Office; Automated group and distribution list updates
User Management: Integrated provisioning of identities, credentials, and resources; Automated, codeless user provisioning and de-provisioning; Self-service profile management
Policy Management: SharePoint-based console for policy authoring, enforcement & auditing; Extensible WS-* APIs and Windows Workflow Foundation workflows; Heterogeneous identity synchronization and consistency
End User Scenarios (Example Scenario / ILM "2" Advantages)
Credential Management. Example scenario: Self-service smart card provisioning. Advantages: Integration with Windows logon; No need to call help desk; Faster time to resolution
Group Management. Example scenario: User requests to join secure distribution list for new product development. Advantages: Request process through Office; No waiting for help desk; Faster time to resolution
User Management. Example scenario: User changes their cell phone number. Advantages: Automatic updating of business applications; No need to call help desk; Faster time to resolution
Policy Management. Example scenario: CFO gives final approval for new user to access in-scope SOX app. Advantages: Automatic routing of multiple approvals; Approval process through Office; Audit trail of approvals
IT Administrator Scenarios (Example Scenario / ILM "2" Advantages)
Credential Management. Example scenario: Create workflow to automatically issue passwords and smart cards to new users. Advantages: Generation and delivery of initial one-time use password; Integration of smart card enrollment with provisioning
Group Management. Example scenario: Design policy to automatically create departmental security groups. Advantages: Automatic management of group membership; Secure access to departmental resources, with audit trail
User Management. Example scenario: Automatically provision new employees with identity, mailbox, and credentials. Advantages: Automatic policy enforcement across systems; Management of role changes & retirements
Policy Management. Example scenario: Author policy to require HR approval for job title change. Advantages: Centralized management; Automatic policy enforcement across systems
ILM "2" in Action
Diagram labels: ILM "2" Portal (Policy Management, Credential Management, User Management, Group Management); AuthN & AuthZ Workflows; Action Workflow; App DB; Sync DB
Connected systems and consumers: Directories; Databases; LOB Applications; Custom and Self-Service integration; ISV Partner Solutions; Windows Log On; IT Departments
ILM "2" In Action: HR-driven provisioning of a new employee
1. New user added in HR app
2. Sync receives request (Management Agents, Sync DB)
3. ILM manages manager and dept head approvals
4. Once approved, changes committed to ILM app store
5. ILM sends welcome and confirmation e-mails
6. ILM synchronizes updates with external identity stores (Identity Stores)
ILM "2" In Action: Self-service smart card provisioning
Diagram labels: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; App DB; Sync DB; Management Agents; Identity Stores
The request passes through the same pipeline as HR-driven provisioning (new user added in HR app; Sync receives request; ILM manages manager and dept head approvals; once approved, changes committed to ILM app store; ILM sends welcome and confirmation e-mails; ILM syncs to external identity stores), with a Delegation & Permissions check: does the user have permission to add a user to ILM?
1. Approval workflows
2. Card created & printed
3. Certificates requested
4. Self-service notification and One Time Password sent to end user
5. End user downloads certificates onto smart card
ILM "2" In Action: Self-service password management
Diagram labels: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; App DB; Sync DB; Management Agents; Identity Stores; Request Processor
1. User forgets password; requests password reset at Windows logon and answers Q/A
2. ILM receives XML (Request Processor)
3. Does user have permission to reset password? ILM validates Q/A response from user
4. Changes committed to ILM app store
5. ILM makes WMI call to reset password in AD
6. ILM syncs new password to external identity stores
Identity Management DEMO
INTELLIGENT APPLICATION GATEWAY
Supports all Applications with SSL VPN: Web, Client/Server, File Access; Microsoft (SharePoint, Exchange, Dynamics); In-house developed; Third-party, e.g. Citrix, IBM, Lotus, SAP, PeopleSoft…
Designed for Managed and Unmanaged Users & Devices: Automatic detection of user system, software and configuration; Access policies according to device "security state"; Delete temporary files and data traces from unmanaged devices
Drives Productivity with Application Intelligence: Apply policy at granular application feature levels; Dynamically control application data for desired functionality; Single Sign-on with multiple directories, protocols and formats; Fully customizable portal and user interface
Intelligent Application Gateway 2007
The IAG provides SSL-based application access and protection with endpoint security management, enabling granular access control and deep content inspection from a broad range of devices and locations to line-of-business, intranet, and client/server resources.
Control Access: Secure, browser-based access to corporate applications and data from more locations and more devices
Safeguard Information: Comprehensive policy enforcement helps drive compliance with legal and business guidelines for using sensitive data
Protect Assets: Ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks
Intelligent Application Gateway: Secure Application Access
Intelligent Application Gateway™
Diagram labels: External Firewall; Port 443; Laptops; Active Directory; ISA Server; SQL Server; File Shares; IIS; Exchange Server; SharePoint Server; Custom Applications; Intranet
Control: Single sign-on to multiple and custom directories; Portal defined by user identity; Native AD integration with strong and two-factor authentication
Protect: Policy-driven intranet access with ACL-level controls; Web application firewall with app-specific content, command, and URL filtering; 'Restricted zones' definitions for URLs; File upload / download control, .EXE identification; Positive and negative-logic filtering rules
Safeguard: Comprehensive monitoring and logging; Session termination & inactivity timeouts; Endpoint compliance check and clean-up; Endpoint policy-defined micro-portal
Intelligent Application Gateway™: Customizable Enterprise Security
Diagram labels: External Firewall; Port 443; Partners; Web; Active Directory; LDAP; Oracle; Exchange Server; SharePoint Server; IBM / Lotus; SAP
SSL VPN connectivity and endpoint security verification
Control: Flexible configuration and context-sensitive portal based on endpoint state & user identity; Support for multiple simultaneous portal configurations; Web application firewall with positive and negative logic learns and adapts to new apps
Protect: Per-application policy and comprehensive authentication / authorization mechanisms; Application Optimizer Toolkit lets IT admins / app developers build customized security; Endpoint session control, monitoring and state cleanup
Safeguard: Granular policy enforcement; Extensive monitoring and logging
RIGHTS MANAGEMENT SERVICES (AD RMS)
Framework for Data Governance: Technology, Policy, People, Process
Information Lifespan:
Collection: Online; From 3rd Party; In Person
Storage: Structured Databases; Unstructured Data; Backup
Usage: In Applications; Shared with Third Parties; By Employees, Marketers; Electronic Devices
Retention/Destruction: Archive; Destruction
The Information Workplace
The flow of information has no boundaries: information is shared, stored and accessed outside the control of its owner (Independent Consultant, Partner Organization, Home, Mobile Devices, USB Drive).
Traditional solutions protect initial access … but not usage
Firewall Perimeter and Access Control List Perimeter: Authorized Users (Yes), Unauthorized Users (No)
Information Leakage to Unauthorized Users
Today's policy expression … lacks enforcement tools
Microsoft's Approach to Information Protection: Active Directory Rights Management Services (AD RMS)
Persistent Protection = Data Encryption + Policy Enforcement (Access Permissions, Use Right Permissions)
Provides identity-based protection for sensitive data
Controls access to information across the information lifecycle
Allows only authorized access based on trusted identity
Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted with 128 bit encryption
Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
How does RMS work?
Participants: Information Author; The Recipient; RMS Server (with SQL Server and Active Directory)
1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
3. Author distributes the file
4. Recipient clicks the file to open; the application calls the RMS server, which validates the user and issues a "use license"
5. Application renders the file and enforces rights
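To make the five steps concrete, here is an added toy model of the flow (example code written for this page, not Microsoft's code and not the AD RMS license format). It assumes simplified stand-ins: the client licensor certificate (CLC) is a per-author secret the server can recompute, asymmetric sealing is replaced by a SHA-256 keystream standing in for the slide's 128-bit encryption, and the "directory" is a constructed dict of user credentials.

```python
import hashlib, hmac, json, os

def _xor_stream(key, nonce, data):
    # Stand-in for AES-128 content encryption: SHA-256 counter-mode keystream (toy only).
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)
def seal(key, data):                 # encrypt under key with a fresh nonce
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, data)
def unseal(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])
def _sign(key, body):                # integrity tag over a license body
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()

class RmsServer:
    def __init__(self, directory):   # directory: constructed stand-in for AD, user -> credential
        self.key, self.directory = os.urandom(16), directory
    def client_licensor_cert(self, author):          # step 1: CLC as a per-author secret
        return hmac.new(self.key, author.encode(), "sha256").digest()
    def use_license(self, user, credential, lic):    # step 4: validate user, issue use license
        clc = self.client_licensor_cert(lic["body"]["author"])   # server can recompute the CLC
        if not hmac.compare_digest(_sign(clc, lic["body"]), lic["sig"]):
            raise PermissionError("publishing license tampered")
        if not hmac.compare_digest(self.directory.get(user, b""), credential):
            raise PermissionError("identity not validated")
        rights = lic["body"]["rights"].get(user)
        if not rights:
            raise PermissionError("no rights granted to " + user)
        content_key = unseal(clc, bytes.fromhex(lic["body"]["sealed_key"]))
        return {"rights": rights, "sealed_key": seal(credential, content_key).hex()}

def publish(author, clc, plaintext, rights):         # step 2: publishing license + encrypted file
    content_key = os.urandom(16)                     # 128-bit content key, as on the slide
    body = {"author": author, "rights": rights, "sealed_key": seal(clc, content_key).hex()}
    return {"license": {"body": body, "sig": _sign(clc, body)},
            "cipher": seal(content_key, plaintext).hex()}
def render(credential, use_lic, protected, action):  # step 5: enforce rights before decrypting
    if action not in use_lic["rights"]:
        raise PermissionError(action + " not permitted by use license")
    content_key = unseal(credential, bytes.fromhex(use_lic["sealed_key"]))
    return unseal(content_key, bytes.fromhex(protected["cipher"])).decode()
def try_open(server, user, credential, protected, action):   # recipient side; step 3 is distribution
    try:
        lic = server.use_license(user, credential, protected["license"])
        return render(credential, lic, protected, action)
    except PermissionError as e:
        return "DENIED: " + str(e)
```

The server never sees the file itself, only the publishing license, and the recipient never learns the content key except inside a use license sealed to their own credential.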
Live Trial: RMS
References
Identity Lifecycle Manager 2: www.microsoft.com/ilm2, technet.microsoft.com/ilm
Intelligent Application Gateway: www.microsoft.com/iag, http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687299.aspx
AD Rights Management Services: www.microsoft.com/rms
Feedback / QnA
Your Feedback is Important! Please take a few moments to fill out our online feedback form. For detailed feedback, use the form at
http://www.connectwithlife.co.in/vtd/helpdesk.aspx
Or email us at [email protected]
Use the Question Manager on LiveMeeting to ask your questions now!
Contact
Email [email protected]
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.