Amol Bhandarkar Technology Solution Professional – IDA | Microsoft [email protected].


Page 1

Identity & Access Management

Amol Bhandarkar, Technology Solution Professional – IDA | Microsoft, [email protected]

Page 2

Agenda

• Identity & Access Management
• ILM 2 high-level architecture
• ILM 2 features
• Demo of ILM 2
• Intelligent Application Gateway
• AD Rights Management Services

Page 3

Identity & Access Management

Identity-Based Access
• Network Access: identity-oriented edge access, e.g. NAP
• Remote Access: access resources remotely, e.g. SSL VPN
• App Access: SSO; Web/Ent/Host access; Federation
• Info Access: drive encryption, ILP, Rights Management

Identity & Access Management
• Compliance and Audit: monitoring, reporting and auditing of identity-based access activity
• Identity & Credential Management: user provisioning, certificate & smartcard management, user self-service
• Policy Management: identity policy, user/role-based access policy, federation policy, delegation
• Access Management: group management, federation/trust management, entitlements, RBAC

Identity Infrastructure
• Identity & Credentials Infrastructure: directory (identity/credentials), Infocards, meta/virtual directory, basic policy

Page 4

Microsoft Identity Lifecycle Manager

Capabilities: Identity Synchronization; User Provisioning; Certificate and Smartcard Management; Office Integration for Self-Service; Support for 3rd Party CAs; Codeless Provisioning; Group & DL Management; Workflow and Policy

Management areas: User Management; Group Management; Credential Management; Policy Management

Common Platform: Workflow; Connectors; Logging; Web Service API; Synchronization

Page 5

ILM 2 High Level Architecture

Page 6

Identity Lifecycle Manager "2" Features

Credential Management
• Heterogeneous certificate management with 3rd party CAs
• Management of multiple credential types, including one-time passwords
• Self-service password reset integrated with Windows logon

Group Management
• Rich Office-based self-service group management tools
• Offline approvals through Office
• Automated group and distribution list updates

User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, codeless user provisioning and de-provisioning
• Self-service profile management

Policy Management
• SharePoint-based console for policy authoring, enforcement & auditing
• Extensible WS-* APIs and Windows Workflow Foundation workflows
• Heterogeneous identity synchronization and consistency

Page 7

End User Scenarios (example scenario and ILM "2" advantages, by management area)

Credential Management
• Example scenario: self-service smart card provisioning
• ILM "2" advantages: integration with Windows logon; no need to call help desk; faster time to resolution

Group Management
• Example scenario: user requests to join secure distribution list for new product development
• ILM "2" advantages: request process through Office; no waiting for help desk; faster time to resolution

User Management
• Example scenario: user changes their cell phone number
• ILM "2" advantages: automatic updating of business applications; no need to call help desk; faster time to resolution

Policy Management
• Example scenario: CFO gives final approval for new user to access in-scope SOX app
• ILM "2" advantages: automatic routing of multiple approvals; approval process through Office; audit trail of approvals

Page 8

IT Administrator Scenarios (example scenario and ILM "2" advantages, by management area)

Credential Management
• Example scenario: create workflow to automatically issue passwords and smart cards to new users
• ILM "2" advantages: generation and delivery of initial one-time use password; integration of smart card enrollment with provisioning

Group Management
• Example scenario: design policy to automatically create departmental security groups
• ILM "2" advantages: automatic management of group membership; secure access to departmental resources, with audit trail

User Management
• Example scenario: automatically provision new employees with identity, mailbox, and credentials
• ILM "2" advantages: automatic policy enforcement across systems; management of role changes & retirements

Policy Management
• Example scenario: author policy to require HR approval for job title change
• ILM "2" advantages: centralized management; automatic policy enforcement across systems

Page 9

ILM "2" in Action

Diagram elements: ILM "2" Portal (Policy Management, Credential Management, User Management, Group Management); Self-Service integration; Windows Log On; IT Departments; ISV Partner Solutions; LOB Applications; Directories; Databases; Custom

Page 10

ILM "2" In Action: HR-driven provisioning of a new employee

Diagram layers: AuthN & AuthZ Workflows; Action Workflow; App DB; Sync DB; Management Agents; Identity Stores

1. New user added in HR app
2. Sync receives request (through the Management Agents and Sync DB)
3. ILM manages manager and dept head approvals
4. Once approved, changes committed to ILM app store
5. ILM sends welcome and confirmation e-mails
6. ILM synchronizes updates with external identity stores

Page 11

ILM "2" In Action: Self-service smart card provisioning

Diagram layers: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; App DB; Sync DB; Management Agents; Identity Stores

Provisioning flow (as on the previous slide, now with the delegation check):
1. New user added in HR app
2. Sync receives request
3. Does user have permission to add user to ILM?
4. ILM manages manager and dept head approvals
5. Once approved, changes committed to ILM app store
6. ILM sends welcome and confirmation e-mails
7. ILM syncs to external identity stores

Smart card flow:
1. Approval workflows
2. Card created & printed
3. Certificates requested
4. Self-service notification and One Time Password sent to end user
5. End user downloads certificates onto smart card

Page 12

ILM "2" In Action: Self-service password management

Diagram layers: AuthN & AuthZ Workflows; Delegation & Permissions; Action Workflow; App DB; Sync DB; Management Agents; Identity Stores; Request Processor

1. User forgets password; requests password reset at Windows logon and answers Q/A
2. ILM receives XML (Request Processor)
3. Does user have permission to reset password?
4. ILM validates Q/A response from user
5. Changes committed to ILM app store
6. ILM makes WMI call to reset password in AD
7. ILM syncs new password to external identity stores

Page 13

Identity Management

DEMO

Page 14

INTELLIGENT APPLICATION GATEWAY

Page 15

Intelligent Application Gateway 2007

Supports all applications with SSL VPN
• Web, client/server, file access
• Microsoft: SharePoint, Exchange, Dynamics
• In-house developed
• Third-party, e.g. Citrix, IBM, Lotus, SAP, PeopleSoft…

Designed for managed and unmanaged users & devices
• Automatic detection of user system, software and configuration
• Access policies according to device "security state"
• Delete temporary files and data traces from unmanaged devices

Drives productivity with application intelligence
• Apply policy at granular application feature levels
• Dynamically control application data for desired functionality
• Single sign-on with multiple directories, protocols and formats
• Fully customizable portal and user interface

Page 16

Intelligent Application Gateway

The IAG provides SSL-based application access and protection with endpoint security management, enabling granular access control and deep content inspection from a broad range of devices and locations to line-of-business, intranet, and client/server resources.

• Control Access: secure, browser-based access to corporate applications and data from more locations and more devices
• Protect Assets: ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks
• Safeguard Information: comprehensive policy enforcement helps drive compliance with legal and business guidelines for using sensitive data

Page 17

Secure Application Access

Diagram elements: Laptops; External Firewall; Port 443; Intelligent Application Gateway™; ISA Server; Active Directory; SQL Server; File Shares; IIS; Exchange Server; SharePoint Server; Custom Applications; Intranet

Control
• Single sign-on to multiple and custom directories
• Portal defined by user identity
• Native AD integration with strong and two-factor authentication

Protect
• Policy-driven intranet access with ACL-level controls
• Web application firewall with app-specific content, command, and URL filtering
• 'Restricted zones' definitions for URLs
• File upload / download control; .EXE identification
• Positive and negative-logic filtering rules

Safeguard
• Comprehensive monitoring and logging
• Session termination & inactivity timeouts
• Endpoint compliance check and clean-up
• Endpoint policy-defined micro-portal

Page 18

Customizable Enterprise Security

Diagram elements: Partners; Web; External Firewall; Port 443; Intelligent Application Gateway™; Active Directory; LDAP; Oracle; Exchange Server; SharePoint Server; IBM / Lotus; SAP

Control
• SSL VPN connectivity and endpoint security verification

Protect
• Flexible configuration and context-sensitive portal based on endpoint state & user identity
• Support for multiple simultaneous portal configurations
• Web application firewall with positive and negative logic learns and adapts to new apps

Safeguard
• Per-application policy and comprehensive authentication / authorization mechanisms
• Application Optimizer Toolkit lets IT admins / app developers build customized security
• Endpoint session control, monitoring and state cleanup

Granular policy enforcement; extensive monitoring and logging

Page 19

RIGHTS MANAGEMENT SERVICES (AD RMS)

Page 20

Framework for Data Governance

Information lifespan
• Collection: in person; online; from 3rd party
• Storage: structured databases; unstructured data; backup
• Usage: in applications; by employees, marketers; electronic devices; shared with third parties
• Retention/Destruction: archive; destruction

Framework dimensions: Technology; Policy; People; Process

Page 21

The Information Workplace

Diagram elements: Independent Consultant; Partner Organization; Home; Mobile Devices; USB Drive

The flow of information has no boundaries. Information is shared, stored and accessed outside the control of its owner.

Page 22

Traditional solutions protect initial access … but not usage

Diagram elements: Firewall Perimeter; Access Control List Perimeter; Authorized Users (Yes); Unauthorized Users (No); Information Leakage to Unauthorized Users

Page 23

Today's policy expression … lacks enforcement tools

Page 24

Microsoft's Approach to Information Protection: Active Directory Rights Management Services (AD RMS)

Persistent Protection = Data Encryption + Policy Enforcement:
• Access Permissions
• Use Right Permissions

• Provides identity-based protection for sensitive data
• Controls access to information across the information lifecycle
• Allows only authorized access based on trusted identity
• Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content, and documents are encrypted with 128-bit encryption
• Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

Page 25

How does RMS work?

Parties: Information Author; The Recipient; RMS Server (backed by SQL Server and Active Directory)

1. Author receives a client licensor certificate the first time they rights-protect information
2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
3. Author distributes file
4. Recipient clicks file to open; the application calls the RMS server, which validates the user and issues a "use license"
5. Application renders file and enforces rights
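An added example, not from the deck, that models steps 1 to 5 above in Python: a per-author HMAC secret stands in for the client licensor certificate and its key pair, a SHA-256 keystream stands in for the 128-bit cipher, and every name (RmsServer, protect, open_protected, enforce) is assumed. It shows why the server, not the recipient, decides whether a use license is issued, and what the application must still enforce afterwards.

```python
import hashlib, hmac, json, os

def _xor_stream(key, data):
    """Toy SHA-256 counter-mode keystream; stands in for the 128-bit cipher, it is not real AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _mac(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), "sha256").hexdigest()

class RmsServer:
    def __init__(self, users):
        # Assumed server model: a root key plus the directory (Active Directory stand-in).
        self.root, self.users = os.urandom(32), set(users)
    def _clc_secret(self, author):
        # Per-author secret derived from the root key; stands in for the CLC key pair.
        return hmac.new(self.root, author.encode(), "sha256").digest()
    def issue_clc(self, author):
        # Step 1: client licensor certificate, issued the first time the author protects content.
        if author not in self.users: raise PermissionError("unknown author")
        return {"author": author, "secret": self._clc_secret(author)}
    def issue_use_license(self, user, pub_license, now):
        # Step 4: check the publishing license, the user and the expiry, then release key and rights.
        body = {k: v for k, v in pub_license.items() if k != "mac"}
        secret = self._clc_secret(body["author"])
        if not hmac.compare_digest(_mac(secret, body), pub_license["mac"]):
            raise PermissionError("publishing license has been tampered with")
        if user not in self.users or user not in body["rights"]:
            raise PermissionError(f"{user} is not granted rights to this content")
        if now > body["expires"]: raise PermissionError("content has expired")
        key = _xor_stream(secret, bytes.fromhex(body["wrapped_key"]))
        return {"user": user, "rights": body["rights"][user], "key": key}

def protect(clc, plaintext, rights, expires):
    # Step 2, offline on the author's machine: a fresh content key encrypts the file; the wrapped
    # key, per-user rights and expiry travel in a MAC'd publishing license beside the ciphertext.
    key = os.urandom(32)
    body = {"author": clc["author"], "rights": rights, "expires": expires,
            "wrapped_key": _xor_stream(clc["secret"], key).hex()}
    return {**body, "mac": _mac(clc["secret"], body)}, _xor_stream(key, plaintext)

def open_protected(server, user, pub_license, ciphertext, now):
    # Steps 4 and 5: the recipient's application asks for a use license, then decrypts.
    ul = server.issue_use_license(user, pub_license, now)
    return _xor_stream(ul["key"], ciphertext), ul["rights"]

def enforce(rights, action):
    # Step 5: the application allows only actions named in the use license (e.g. view but not print).
    return action in rights
```

Protection travels with the file: a recipient who is not named in the publishing license, who alters it, or who opens it after expiry gets no key at all, and a recipient with "view" only still cannot print.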

Page 26

Live Trial - RMS

Page 27

References

• Identity Lifecycle Manager 2: www.microsoft.com/ilm2, technet.microsoft.com/ilm
• Intelligent Application Gateway: www.microsoft.com/iag, http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687299.aspx
• AD Rights Management Services: www.microsoft.com/rms

Page 28

Feedback / QnA

Your feedback is important! Please take a few moments to fill out our online feedback form. For detailed feedback, use the form at http://www.connectwithlife.co.in/vtd/helpdesk.aspx or email us at [email protected]

Use the Question Manager on LiveMeeting to ask your questions now!

Page 29

Contact

Email [email protected]

Page 30

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.