Transcript of: Identity and Access Management (slide deck; posted 19-Dec-2015, Category: Documents)
Identity and Access Management
Agenda
• Introduction
• What is IdM?
• Active Directory – what is new in Windows Server 2003?
• ADAM – easing the pain of AD
• Enterprise Single Sign On
• Federated Identity Management
Business Needs
Extended Enterprise
• Integrate Partners in Supply Chain
• Connect with Customers
• Empower the information workers
Improve Security
• Reduce number of userid/password
• Reduce De-provisioning risks
• Enforce policies and improve audit capability
Regulatory Compliance
• HIPAA
• Sarbanes Oxley Act
• Gramm-Leach-Bliley
Reduce Operational Costs
• Provide self-service capability
• Decrease IT Security and Management Costs
• Lower application development costs
Consider the facts
Too Many User Repositories
• Enterprises have 68 internal and 12 external account stores
• 75% of internal users and 38% of external users are in multiple stores
Inefficient Account Provisioning/De-Provisioning
• User management consumes 34% of the total time IT spends on IdM
• Users get provisioned in 16 systems and de-provisioned in 10.
Impact on User Productivity
• On average IT is managing access to 73 unique applications requiring user access.
• Average user spends 16 minutes a day for logins
• SSO increases user productivity by 15% and efficiency by 18%
Increasing IT Operational costs
• 45% of all help desk calls are for p/w resets
• 15% of users will call help desk for p/w reset
• Organisations are managing on average 46 suppliers, spending over 1380 hours managing changes to access privilege.
Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002, MSFT Internal
IAM Adoption Drivers
Reduce Identity Related Operational Costs
• Reduce help desk costs for user management and password resets
• Reduce cost of provisioning and de-provisioning customers
• Reduce the cost of managing multiple user-repositories
E-Business Enablement
• Increase supply chain efficiency with partner integration
• Improve customer experience
• Employee portal/personalisation
Reduce Risk of Unauthorised Access
• Auditing and reporting
• Rapid revocation of access
• Enforcement of security and privacy policy across the enterprise
Comply with Regulations
• Sarbanes-Oxley Act
• GLB Act
• HIPAA
IAM Solution Requirements
• Directory Services: Brings multiple data stores together to form a single digital identity. It includes security and profile information.
• Provisioning: How identities are created, modified and retired, taking advantage of user information in the directory infrastructure.
• Authentication: Proving an identity to a network application or resource. This includes user-id/password log-ons and public key certificates.
• Authorisation: Determine the entitlements of the digital identity, once it is authenticated, for access and the actions it may perform.
• Privacy: Provide precise control of access rights and privileges so that digital information is secured and privacy is protected.
• Applications: Ultimate consumers of digital identity and the enforcers of the entitlements derived from the identity.
Active Directory & Microsoft Identity Integration Server
• Microsoft Identity Integration Server
• Security Services in Windows Server 2003
• Role Based Access Control in Windows Server 2003
• Active Directory & Microsoft Identity Integration Server
• Microsoft Applications
Key Solution Scenarios
Business to Enterprise
• Required level of authorisation security
• Elimination of multiple sign-ins for all client platforms
• Synchronisation of digital identity across multiple platforms
• Application integration and business process automation across multiple platforms
• Access to host based systems and management of digital assets located on other platforms
• Secure management of information assets
Products: Active Directory; MIIS; BizTalk Server 2004; Host Integration Server; Unix, Netware & Mac Services
Business to Business
• Establish and maintain trust between separate but trusted business partners
• Federate systems with a single trust relationship to provide a seamless authentication and authorisation experience
Products: Active Directory; Windows Server 2003; Oblix and OpenNetwork partner products
Business to Consumer
• Extend information systems and applications to consumer
• Outsource consumer authorisation tasks but still maintain control of authorisation
• Integration with a system or platform that is not supported by a Microsoft product
Products: Active Directory; Windows Server 2003; Microsoft .NET Passport; Oblix and OpenNetwork
What is new in ADS for Windows Server 2003?
Active Directory Architecture
Active Directory organizes information hierarchically to ease network use and management
[Diagram: Root with the containers Users, Machines, Applications and Devices; Marketing and Personnel sit under Users. Legend: container, object]
Active Directory Architecture
• Directory objects have attributes
• Objects and attributes are protected by ACLs
[Diagram: the same hierarchy (Root; Users with Marketing and Personnel; Machines; Applications; Devices) with an example object: Name: Bob Jones, Email: [email protected], Phone: 555-1234, SSN: 456-78-9101]
Active Directory Architecture
Active Directory supports multi-master replication for flexibility, high-availability and performance
[Diagram: a Top-level Domain with domain controllers DC1 to DC6 spread over a North America site and a Europe site; changes such as "Change Room# to 6/2110" and "Add User: Bill" are made on one DC and replicated to the others]
Simplifies Management
Active Directory organizes users and network resources hierarchically to simplify management
[Diagram: Root; Users with Marketing and Personnel; Machines; Applications; Devices. Examples: "Give 'Personnel' Members the HR Application", "Color Printer in Building 6", "Delegate Management Tasks to Office Admins"]
Strengthens Security
Active Directory provides Internet-ready security services to protect data while facilitating access
[Diagram: Root; Users with Marketing and Extranet; Machines; Applications; Devices. Example: "Restrict Access Rights of Extranet Users". Security services shown: Kerberos, X.509, Smart Card, PKI Certificates]
Extends Interoperability
Active Directory provides a platform for integrating and extending systems through open interfaces, connectors and synchronization mechanisms
[Diagram: Root; Users with Finance and Personnel; Machines; Applications; Devices. Examples: "Policy: Give Personnel access to 'Change Salary' Menu Options", "Policy: Give Finance more bandwidth at the end of the month", "Application: Exchange mailbox information"]
Active Directory – A Focal Point for: Manageability, Security, Interoperability
• Windows Users: Account info, Privileges, Profiles, Policy
• Windows Clients: Mgmt profile, Network info, Policy
• Windows Servers: Mgmt profile, Network info, Services, Printers, File shares, Policy
• Applications: Server config, Single Sign-On, App-specific directory info, Policy
• Network Devices: Configuration, QoS policy, Security policy
• Internet / Firewall Services: Configuration, Security Policy, VPN policy
• Other Directories: White pages, E-Commerce
• Other NOS: User registry, Security, Policy
• E-Mail Servers: Mailbox info, Address book
Windows Active Directory
Well-known New Features
• LVR replication
• Improved ISTG
• Domain rename
• Cross-forest trust
• Universal Group Caching
• Install from Media
• No-GC-Full-Sync for PAS schema extensions
• SID History migration delegation
• Concurrent LDAP binds
• Manual trigger of online defrag
• DNS in app partitions
• Single instance store
• Update logon timestamp attribute
• Kerberos KDC version
• User password on INetOrgPerson
• DC rename with netdom
• Auth manager can store auth policies
• Selective authentication cross-forest
• Dynamic aux classes
• User to INetOrgPerson change
• Schema de-/reactivation
• Basic and query based groups
Areas of ADS Changes
• Deployment
• Security
• Replication
• Backup / Restore
• Time Service
• Migration - ADMT
Deployment - Redirected Users and Computers Containers
• CN=Users and CN=Computers have object class "container"
  • No GPO, no managed container
• Down level APIs and shell move objects into these containers by default
  • "net user", "net group", "netdom /add" with no OU
  • Computer properties – domain membership
• Additional administrative work needed to move objects
• Use "redirusr.exe" and "redircmp.exe" from Windows 2003 Resource Kit
• Caveats
  • Windows 2003 domain functional level required
  • Exchange 2000 domainprep fails
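The following PowerShell is an added example, not part of the deck: it reports which containers new user and computer objects currently land in, checks the functional-level caveat above, and wraps the redirusr.exe / redircmp.exe redirect behind an existence check on the target OUs. It assumes the RSAT ActiveDirectory module, that the two tools are on the PATH, and that the OUs exist; the OU distinguished names are placeholders.

```powershell
# Added example (not from the deck): report the default containers for new users and
# computers and, optionally, redirect them to managed OUs.
# Assumptions: RSAT ActiveDirectory module, redirusr.exe / redircmp.exe on the PATH,
# target OUs already created. OU names shown are placeholders.
Import-Module ActiveDirectory

function Get-DefaultContainerReport {
    # UsersContainer / ComputersContainer are read from the domain's wellKnownObjects
    # attribute, which is exactly what redirusr.exe and redircmp.exe rewrite.
    $domain = Get-ADDomain
    [pscustomobject]@{
        Domain                   = $domain.DNSRoot
        UsersContainer           = $domain.UsersContainer
        ComputersContainer       = $domain.ComputersContainer
        # CN=Users / CN=Computers are plain "container" objects: no GPO can be linked to
        # them, so objects created by "net user" or "netdom /add" stay unmanaged there.
        UsersUnmanaged           = ($domain.UsersContainer -like 'CN=Users,*')
        ComputersUnmanaged       = ($domain.ComputersContainer -like 'CN=Computers,*')
        # The redirect needs Windows Server 2003 domain functional level or higher.
        FunctionalLevelSupported = (@('Windows2000Domain', 'Windows2003InterimDomain') -notcontains [string]$domain.DomainMode)
    }
}

function Set-DefaultContainerRedirect {
    param(
        [Parameter(Mandatory)][string]$UsersOU,      # placeholder, e.g. 'OU=New Users,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$ComputersOU   # placeholder, e.g. 'OU=New Computers,DC=corp,DC=example'
    )
    if (-not (Get-DefaultContainerReport).FunctionalLevelSupported) {
        throw 'Domain functional level must be Windows Server 2003 or higher'
    }
    # Fail closed: both OUs must exist, otherwise new objects would be pointed at nothing.
    foreach ($ou in @($UsersOU, $ComputersOU)) {
        try { $null = Get-ADOrganizationalUnit -Identity $ou }
        catch { throw "Target OU not found: $ou" }
    }
    & redirusr.exe $UsersOU
    & redircmp.exe $ComputersOU
    Get-DefaultContainerReport
}

Get-DefaultContainerReport | Format-List
```

Run Get-DefaultContainerReport before and after the redirect; the two *Unmanaged flags should flip to False once new objects are created in OUs that Group Policy can target.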
Deployment - Property Sets
• Property set: Collection of attributes that can be managed together as one set
  • Granting permissions
  • Example: "Public Information Set", includes attributes like department, manager and surname
• Base schema defines list of property sets
  • Windows 2000: Base schema property sets could not be changed
  • Windows 2003: Attributes can be removed from base property sets and moved to self-defined property sets
  • Attributes can still only be a member of a single property set
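Because an ACE that grants "Read/Write Public Information" says nothing about which attributes that covers, reviewing delegated permissions means resolving the property set. The PowerShell below is an added example, not from the deck: it looks up the controlAccessRight object for a property set and then lists every schema attribute whose attributeSecurityGUID matches it. It assumes the RSAT ActiveDirectory module and read access to the Configuration and Schema partitions.

```powershell
# Added example (not from the deck): resolve a property set to the attributes it covers.
# Assumptions: RSAT ActiveDirectory module; read access to the Configuration/Schema NCs.
Import-Module ActiveDirectory

function Get-PropertySetMember {
    param([Parameter(Mandatory)][string]$DisplayName)   # e.g. 'Public Information'

    $rootDse = Get-ADRootDSE
    # Property sets are controlAccessRight objects under CN=Extended-Rights whose
    # validAccesses is 48 (read property + write property).
    $set = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(validAccesses=48)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $set) { throw "No property set named '$DisplayName'" }

    # An attribute belongs to the set when its attributeSecurityGUID equals the set's
    # rightsGuid. attributeSecurityGUID is an octet string, so the GUID bytes are
    # LDAP-escaped as \xx pairs for the filter.
    $guid    = [guid]$set.rightsGuid
    $escaped = ($guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet |
        Sort-Object lDAPDisplayName |
        Select-Object @{ n = 'PropertySet';     e = { $DisplayName } },
                      lDAPDisplayName,
                      @{ n = 'InGlobalCatalog'; e = { [bool]$_.isMemberOfPartialAttributeSet } }
}

# The set the deck uses as its example.
Get-PropertySetMember -DisplayName 'Public Information' | Format-Table -AutoSize
```

Since Windows Server 2003 lets an attribute be moved between sets, this list is what to re-run after any schema change: an attribute moved into a set silently widens every ACE that already references that set.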
Deployment - KCC
• KCC changes in Windows 2003
  • Bridgehead server load balancing
  • ADLB (Active Directory Load Balancing tool)
Deployment - Lingering Objects Improvements
• Windows 2000 Server
  • Lingering object was revived when replicated
• Windows 2000 SP3 and Windows Server 2003
  • If "Strict Replication Consistency" reg key is set, source DC is "quarantined"
  • New Windows Server 2003 forest always has reg key set
• Windows Server 2003 DC ALWAYS quarantines replication source if replication has not succeeded for more than tombstone lifetime
  • Independent from "Strict Replication Consistency" reg key
  • Independent from lingering object detection
  • Can be overridden with repadmin or registry key
  • Make sure that you run the tool to bulk-delete lingering objects first
Deployment - New Replication Latency Event
• Event ID 1864
• Helps finding domain controllers that have not replicated within
  • 8 hours
  • 1 week
  • 1 month
  • 2 months
  • > TSL / number of days
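The two slides above describe the same failure mode from two sides: a partner that has not replicated for longer than the tombstone lifetime will be quarantined, and Event ID 1864 buckets partners by how stale they are. The PowerShell below is an added example, not from the deck, that computes the same ladder from replication metadata, reads the forest's tombstone lifetime, and reports the "Strict Replication Consistency" registry value. It assumes the RSAT ActiveDirectory module and that the registry check runs on the DC itself.

```powershell
# Added example (not from the deck): bucket replication partners the way Event ID 1864 does
# and show whether this DC would quarantine the source.
# Assumptions: RSAT ActiveDirectory module; the registry check runs locally on a DC.
Import-Module ActiveDirectory

function Get-ReplicationLatencyReport {
    param([string]$Target = $env:COMPUTERNAME)

    $rootDse = Get-ADRootDSE -Server $Target
    # tombstoneLifetime is stored on the Directory Service object; when the attribute is
    # absent the 60-day default applies (forests created before Windows Server 2003 SP1).
    $dsObj = Get-ADObject -Server $Target -Properties tombstoneLifetime `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $tsl = if ($dsObj.tombstoneLifetime) { [int]$dsObj.tombstoneLifetime } else { 60 }

    $now = Get-Date
    foreach ($p in Get-ADReplicationPartnerMetadata -Target $Target -Scope Server) {
        $age = $now - $p.LastReplicationSuccess
        # Same ladder as Event ID 1864: 8 hours, 1 week, 1 month, 2 months, > TSL.
        $bucket = switch ($age) {
            { $_.TotalDays  -gt $tsl } { "> TSL ($tsl days)"; break }
            { $_.TotalDays  -gt 60 }   { '> 2 months';        break }
            { $_.TotalDays  -gt 30 }   { '> 1 month';         break }
            { $_.TotalDays  -gt 7 }    { '> 1 week';          break }
            { $_.TotalHours -gt 8 }    { '> 8 hours';         break }
            default                    { 'ok' }
        }
        [pscustomobject]@{
            Partition       = $p.Partition
            Partner         = $p.Partner
            LastSuccess     = $p.LastReplicationSuccess
            Failures        = $p.ConsecutiveReplicationFailures
            Latency         = $bucket
            # A 2003+ DC refuses a source that is past TSL regardless of the registry key;
            # lingering objects on that source have to be removed before replication is forced.
            WouldQuarantine = ($age.TotalDays -gt $tsl)
        }
    }
}

function Get-StrictReplicationConsistency {
    # The registry value the deck refers to: 1 = quarantine sources that send lingering objects.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v = Get-ItemProperty -Path $key -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue
    [bool]($v.'Strict Replication Consistency')
}

Get-ReplicationLatencyReport | Format-Table -AutoSize
"Strict Replication Consistency enabled: $(Get-StrictReplicationConsistency)"
```

Any row with WouldQuarantine set to True is a partner that must be cleaned of lingering objects first, exactly the ordering the slide insists on; forcing replication through with repadmin or the registry override before that step re-introduces the objects the quarantine was protecting against.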
Replication - Performance Improvements
• New compression algorithm
  • Trades CPU for network traffic
  • ~20% CPU performance improvements
  • Fully backwards compatible
  • Can be disabled via registry key
    • DC then reverts to Windows 2000 compression algorithm
• Best Practice
  • Use new compression algorithm to reduce load on Bridgehead Servers
  • Only revert to Windows 2000 algorithm in very slow network conditions (64 KBit and lower)
Replication - Enhanced Tools for Replication HealthCheck
• Run against multiple DCs
• Make changes on multiple DCs
• Examples
  • Check all Bridgehead servers
  • Check replication latency forest wide
  • Replication summary
  • Dump summary to csv file
  • Disable inbound replication on all DCs
Replication Improvements
• Un-GC operation improved
  • Removing GC NCs took a long time in Windows 2000
    • KCC only deleted 500 objects / pass
    • Resulted in 2,000 objects / hour
  • Windows 2003
    • KCC removes objects as fast as it can
    • Back-ported to Windows 2000 SP4
Deployment – Force Removal
• Some DC issues are hard to troubleshoot
• Re-installing AD in Windows 2000 means re-installing Windows 2000
  • Including all applications, shares etc.
• Windows 2003 has "force removal"
  • Removes AD even if server cannot communicate over the network
  • Ignores any service failures on local machine
  • Standalone server after demotion
  • No automatic server metadata clean-up
    • Needs to be performed manually
  • Back-ported to Windows 2000 SP4
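Because a forced removal leaves the demoted DC's metadata in the Configuration partition, the forest keeps treating a machine that no longer exists as a replication partner. The PowerShell below is an added example, not from the deck: it compares every nTDSDSA object under CN=Sites with the DCs that still answer as domain controllers and lists the leftovers that have to be removed by hand. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest; a domain the caller cannot query will show up as false positives.

```powershell
# Added example (not from the deck): find NTDS Settings objects with no live DC behind them,
# i.e. the metadata a forced demotion leaves for manual clean-up.
# Assumptions: RSAT ActiveDirectory module; read access to all domains in the forest.
Import-Module ActiveDirectory

function Get-OrphanedDCMetadata {
    $forest = Get-ADForest
    $cfgNC  = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext

    # NTDS Settings DNs of every DC that is still registered in some domain of the forest.
    $liveSettings = foreach ($d in $forest.Domains) {
        (Get-ADDomainController -Filter * -Server $d).NTDSSettingsObjectDN
    }

    # Every nTDSDSA object under CN=Sites is a DC as far as the replication topology is concerned.
    $allSettings = Get-ADObject -Server $forest.RootDomain -SearchBase "CN=Sites,$cfgNC" `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties whenChanged

    foreach ($s in $allSettings) {
        if ($liveSettings -notcontains $s.DistinguishedName) {
            # DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
            $serverDN = ($s.DistinguishedName -split ',', 2)[1]
            $siteRdn  = (($serverDN -split ',', 3)[2] -split ',')[0]
            [pscustomobject]@{
                ServerObject = $serverDN
                Site         = $siteRdn -replace '^CN='
                LastChanged  = $s.whenChanged
                Action       = 'orphaned: remove with ntdsutil metadata cleanup (manual step)'
            }
        }
    }
}

Get-OrphanedDCMetadata | Format-Table -AutoSize
```

The check is worth scheduling rather than running once: a stale server object keeps its replication connections and, until it is removed, the KCC will keep trying to build topology around a host that can no longer be authenticated.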
Deployment – Password Resets
• Administrator initiated password resets lead to users not being able to logon
  • Admin selected password not recognized when user tries to change password again
• Solution: Single object replication
  • When DC chains authentication request to PDC and password has changed, PDC replicates user object to DC
  • Password now updated on DC
Account Lockout Admin Enhancements
• ACCTINFO.DLL: Allows administrators to reset user account password on a DC in the user's site
• LOCKOUTSTATUS.EXE: Displays bad password count and lockout status across all DCs in a domain.
• Both utilities in Windows Server 2003 Resource Kit.
• Password Policy + AL Recommendations
  • Environments can be secure without enabling AL
  • Recommendations for AL + Domain P/W settings
  • Key Problem: Setting Bad P/W threshold too low.
ACCTINFO Property Page – Shipped in Windows Server 2003 ResKit
F1: ACCTINFO tab in AD Users & Computers snap-in
F2: Domain Password Policy
F3: User's computer name used to change p/w on a DC in the same AD site
LOCKOUTSTATUS.EXE – Shipped in Windows 2003 ResKit
F1: Runs as standalone utility or extension to ACCTINFO. Shows bad p/w count and time across all DCs in the domain
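LOCKOUTSTATUS.EXE has to ask every DC because badPwdCount, badPasswordTime and lockoutTime are not replicated. The PowerShell below is an added example, not from the deck, doing the same per-DC query and pairing it with a read of the domain lockout policy. It assumes the RSAT ActiveDirectory module and a domain account that can read user attributes on each DC; the account name is a placeholder, and the "under 10" review threshold is the example's own assumption, not a number the deck gives.

```powershell
# Added example (not from the deck): per-DC lockout status, the way LOCKOUTSTATUS.EXE shows it,
# plus a review of the lockout policy the deck warns about.
# Assumptions: RSAT ActiveDirectory module; read access on every DC. 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function ConvertFrom-FileTimeOrNull([long]$Value) {
    # Non-replicated timestamps are 0 when the event never happened on that DC.
    if ($Value -gt 0) { [datetime]::FromFileTime($Value) } else { $null }
}

function Get-LockoutStatus {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        try {
            # badPwdCount / badPasswordTime / lockoutTime are maintained locally on each DC;
            # the PDC emulator holds the aggregate because failures are chained to it.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, lockoutTime, lastLogon
            [pscustomobject]@{
                DC          = $dc.HostName
                Site        = $dc.Site
                IsPdc       = ($dc.OperationMasterRoles -contains 'PDCEmulator')
                BadPwdCount = $u.badPwdCount
                LastBadPwd  = ConvertFrom-FileTimeOrNull $u.badPasswordTime
                LockedSince = ConvertFrom-FileTimeOrNull $u.lockoutTime
                LastLogon   = ConvertFrom-FileTimeOrNull $u.lastLogon
            }
        } catch {
            [pscustomobject]@{
                DC = $dc.HostName; Site = $dc.Site; IsPdc = $null
                BadPwdCount = 'unreachable'; LastBadPwd = $null; LockedSince = $null; LastLogon = $null
            }
        }
    }
}

function Test-LockoutThreshold {
    # The deck's key problem is a bad-password threshold set too low: every failed attempt then
    # becomes a cheap way to lock colleagues out. The "under 10" cut-off is this example's own
    # review assumption, not a value from the deck.
    $pol = Get-ADDefaultDomainPasswordPolicy
    $warn = if ($pol.LockoutThreshold -gt 0 -and $pol.LockoutThreshold -lt 10) {
        'threshold low: accounts can be locked out by a handful of failed attempts'
    } else { $null }
    [pscustomobject]@{
        LockoutThreshold  = $pol.LockoutThreshold          # 0 = account lockout disabled
        LockoutDuration   = $pol.LockoutDuration
        ObservationWindow = $pol.LockoutObservationWindow
        MinPasswordLength = $pol.MinPasswordLength
        ReviewWarning     = $warn
    }
}

Get-LockoutStatus -SamAccountName 'jdoe' | Format-Table -AutoSize
Test-LockoutThreshold
```

Reading the output: the DC whose BadPwdCount rises while the others stay flat is the one authenticating the failing client, which is what the F3 note above (changing the password on a DC in the user's own site) is meant to line up with.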
Security - Quotas
• Users or services can create a large number of objects in AD
  • "Create Child" permission on any container
  • E.g. DNS records, print queues, workstations
• Security concern: Denial of Service attack, run DC out of disk space
• Solution: Quotas
  • Goal: Users can only create x objects
  • Objects owned by a user count, not all objects ever created
  • Efficient to protect from disk space attacks
  • Delegated users who can create security principals (users, inetOrgPersons) still need to be fully trusted
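The PowerShell below is an added example, not from the deck, showing the three operations an administrator needs for the quota mitigation described above: a per-principal quota, the partition-wide default, and a read-out of who currently owns the most objects. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the attribute layout of the CN=NTDS Quotas container (msDS-QuotaControl objects with msDS-QuotaTrustee and msDS-QuotaAmount; msDS-DefaultQuota and the constructed msDS-TopQuotaUsage on the container itself); the trustee and limits are placeholders.

```powershell
# Added example (not from the deck): set and inspect directory quotas.
# Assumptions: RSAT ActiveDirectory module; Domain Admin rights; trustee/limit values are placeholders.
Import-Module ActiveDirectory

function Set-DirectoryQuota {
    param(
        [Parameter(Mandatory)][string]$Trustee,   # user or group, e.g. 'CORP\Workstation Joiners' (placeholder)
        [Parameter(Mandatory)][int]$Limit,
        [string]$PartitionDN = (Get-ADDomain).DistinguishedName
    )
    # A quota is an msDS-QuotaControl object under CN=NTDS Quotas; the trustee is stored as a SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] -ArgumentList $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    $name = ($Trustee -replace '[\\/]', '_') + ' quota'
    New-ADObject -Name $name -Type 'msDS-QuotaControl' -Path "CN=NTDS Quotas,$PartitionDN" `
        -OtherAttributes @{ 'msDS-QuotaTrustee' = $sidBytes; 'msDS-QuotaAmount' = $Limit }
}

function Set-DefaultDirectoryQuota {
    param([Parameter(Mandatory)][int]$Limit,
          [string]$PartitionDN = (Get-ADDomain).DistinguishedName)
    # msDS-DefaultQuota covers every principal without an explicit quota (-1 = unlimited, the default).
    # Only principals that are not Domain Admins / Enterprise Admins are subject to quotas at all.
    Set-ADObject -Identity "CN=NTDS Quotas,$PartitionDN" -Replace @{ 'msDS-DefaultQuota' = $Limit }
}

function Get-TopQuotaUsage {
    param([string]$PartitionDN = (Get-ADDomain).DistinguishedName)
    # msDS-TopQuotaUsage is constructed on read: one XML fragment per heavy owner. Tombstones are
    # counted too, so deleting objects does not free quota until garbage collection runs.
    $c = Get-ADObject -Identity "CN=NTDS Quotas,$PartitionDN" -Properties 'msDS-TopQuotaUsage'
    foreach ($x in $c.'msDS-TopQuotaUsage') {
        $u   = ([xml]$x).MS_DS_TOP_QUOTA_USAGE
        $sid = New-Object System.Security.Principal.SecurityIdentifier($u.ownerSID)
        $acct = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{
            Owner      = $acct
            Partition  = $u.partitionDN
            Used       = [int]$u.quotaUsed
            Live       = [int]$u.liveCount
            Tombstoned = [int]$u.tombstoneCount
        }
    }
}

# Typical use (values are placeholders): a tight default, a larger explicit quota for the
# group that is delegated workstation joins, then a look at who is close to the line.
# Set-DefaultDirectoryQuota -Limit 10
# Set-DirectoryQuota -Trustee 'CORP\Workstation Joiners' -Limit 500
Get-TopQuotaUsage | Sort-Object Used -Descending | Format-Table -AutoSize
```

The last bullet of the slide still applies after all of this: a quota caps how many objects a delegated principal can own, not what those objects can do, so anyone allowed to create users or inetOrgPersons is creating security principals and needs to be trusted accordingly.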
Security - Auditing
• Windows 2000 auditing hard
  • Auditing disabled by default
  • Single SACL on domain root
• Fresh install Windows 2003 enables auditing by default
  • Goals: Accountability of changes
  • Non-goal: Security breaches and hacks
  • Dedicated SACLs on DS objects
    • Replication
    • DSRM password reset can be audited
Other Security Improvements
• Anonymous queries restricted to RootDSE only
• AdminSDHolder extended
  • AdminSDHolder has place-holder ACL for administrative accounts
  • Extended to all built-in and well-known groups in Windows 2003
    • Examples: Account Operators, Server Operators etc.
    • Exceptions: Users and Domain Users
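The auditing slide and the AdminSDHolder slide meet on one object: AdminSDHolder's DACL is copied onto every protected account, and its SACL is where a dedicated audit entry (rather than the old single SACL on the domain root) catches changes to that template. The PowerShell below is an added example, not from the deck: it dumps both ACLs of AdminSDHolder, flags whether writes to it are audited, and lists the accounts and groups currently marked as protected. It assumes the RSAT ActiveDirectory module, the AD: drive it provides, and the privilege to read SACLs.

```powershell
# Added example (not from the deck): review AdminSDHolder's DACL and SACL and list protected accounts.
# Assumptions: RSAT ActiveDirectory module (AD: drive); SeSecurityPrivilege to read SACLs.
Import-Module ActiveDirectory

function Get-AdminSDHolderReport {
    $dn  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn" -Audit

    # DACL: SDProp stamps these ACEs onto every protected account, so an unexpected trustee
    # with write rights here is effectively an administrator of all administrators.
    $dacl = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Kind      = 'Access'
            Type      = $ace.AccessControlType
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
    # SACL: the dedicated audit rules Windows 2003 places on DS objects; without a write audit
    # entry here a change to the template leaves no record in the Security log.
    $sacl = foreach ($ace in $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        [pscustomobject]@{
            Kind      = 'Audit'
            Type      = $ace.AuditFlags
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
    [pscustomobject]@{
        Object        = $dn
        Owner         = $acl.Owner
        Dacl          = $dacl
        Sacl          = $sacl
        WritesAudited = [bool]($sacl | Where-Object { $_.Rights -match 'Write|GenericAll' })
    }
}

function Get-ProtectedAccount {
    # SDProp marks the users and groups it covers with adminCount=1. The list should match the
    # membership of the built-in/well-known admin groups; a stale adminCount=1 on an account that
    # left those groups keeps the protected ACL in place and inheritance disabled.
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
        -Properties sAMAccountName |
        Select-Object sAMAccountName, objectClass, DistinguishedName
}

$report = Get-AdminSDHolderReport
"Writes to AdminSDHolder audited: $($report.WritesAudited)"
$report.Dacl + $report.Sacl | Format-Table Kind, Type, Trustee, Rights, Inherited -AutoSize
Get-ProtectedAccount | Format-Table -AutoSize
```

The DACL listing is the one to baseline and diff over time; the slide's extension of protection to Account Operators, Server Operators and the other well-known groups means any trustee added to this template reaches all of them at once.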
Time Service
• Windows 2003 uses NTP protocol
  • More robust and flexible protocol
  • Higher accuracy
  • Easy to customize
  • Higher sync frequency vs. network traffic
  • Use Group Policy
Migration - ADMT
• Profile Migration in ADD mode while user is logged on to workstation
• ADMT agent results added to migration log
• Any attributes not part of the base schema excluded by default
  • ADMT queries schema for extensions at first run
  • Schema extensions added to the system attribute list
  • Can be removed manually from the list
  • Example: Exchange 2000 schema extensions
• NetBIOS-less support
Microsoft IAM Roadmap
[Timeline slide; items shown: 2003, 2004, Longhorn Wave, MIIS 3.0, Active Directory Application Mode, XML Web Services Specifications (WS-Security working group within OASIS), Jupiter, TrustBridge]
Summary
• Identity management essential part of business strategy
• Highly leveraged – simultaneously increase security and productivity while reducing costs
• Competitive advantage - quickly enable new scenarios, business opportunities
• Microsoft and partners deliver complete solution
  • Get more from investment in Active Directory
  • Cross-platform capable
Next Steps
• Assign an owner
• Develop a vision and strategy
• Start small with focus on ROI
• Leverage Solution Accelerators
  • Planning
  • Implementation
• Establish policy
  • New applications must leverage infrastructure sign-on
• Engage MCS and/or Partners
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.