Identity and Access Management - Futures and Roadmap

Andreas Luther
Group Program Management, Identity and Access - MIIS
Microsoft Corporation

Situation

- Increasingly connected systems
  - Connections span technical and organizational boundaries
  - Distinctions blur: customer, partner, employee, intranet, Internet
- Demand for business process integration
  - Clear business drivers around security, cost efficiency, regulatory compliance
  - Issues around policy, compliance, reporting
- Rapid rise of threats to online safety
  - Phishing, pharming, phraud
  - Concerns over privacy, tracking

Technology Areas

Identity and Access Platform
- Connectors: Integration with non-Windows integrated applications and systems
- User Experience: Logon & credentials; Self-service
- Developer Experience: Directory APIs, Access APIs, Integration APIs
- IT Pro Experience: Management, Delegated admin
- Integration Services: Process automation, Process control
- Directory Services: Distributed publication
- Access Services: Authentication, Authorization, Audit, Credential management

Microsoft's Strategy

- Add native support for interoperable federated identity to Active Directory using web services
- Build on Microsoft Identity Integration Server as the platform for process-driven management of identities and entitlements
- Evolve and refine Active Directory directory services

What is a Digital Identity?

- A set of claims one subject makes about another
- Many identities for many uses
- Required for transactions in the real world and online

Active Directory Federation Services

- Federated web single sign-on
  - WS-Federation Passive Requestor Profile
  - Support SAML token, claims as SAML assertions
- Integrated with Windows SSO
  - Support Windows Integrated Security and native claims-based identity
  - Transform claims into SIDs for Windows apps
- Enable web apps to natively consume claims
  - Authorization Manager integration
- Delivered in Windows Server 2003 R2

Process-driven management of identities and entitlements

MIIS Roadmap

- Extending MA reach and password capabilities: MIIS 2003 SP1, Q4/CY04
  - Additional MAs, MA SDK
  - Password extensions, password synchronization
- Extending MA reach: ongoing OOB deliverables, starting June 05
  - Additional MAs
- Improving password management capabilities: MIIS 2003 SP2, Q2/CY06
  - End-user self-service password reset
- Process Integration Services: MIIS "Gemini"
  - Codeless provisioning, entitlement reporting
  - Self-service platform, additional MAs
- Tools to simplify MIIS deployments: MIIS 2003 ResKit 2, Q4/CY04
  - Provisioning Wizard
  - Workflow sample app


MIIS 2003 - OOB MA Deliverables

- Mainframe MAs
  - RACF: June 05
  - ACF2, TS: Fall 05
- ERP MAs
  - SAP, PeopleSoft: Fall 05
- Generic LDAP MA
  - Considered for Gemini release


MIIS 2003 SP2 Password Self Service Reset

- Problem: Users forget passwords
  - Downtime reduces employee productivity
  - High help desk costs associated with reset requests
- Solution: Password self service reset enables employees to reset forgotten passwords
- Self Service Password Reset planned for MIIS SP2
  - Leverages MIIS: system connectivity, account management
- User registration
  - Proactive enrollment, or help desk can force users to enroll when a password is forgotten
  - Q&A authentication configuration is very flexible to accommodate different organizations' security requirements
  - Q&A can be exposed to Help Desk to authenticate callers
- Significant update to web applications shipped with MIIS 2003
- Working with Speech Server team to enable phone password reset


Process-driven management of identities and entitlements

Identity and Access Platform - Technology Areas

Identity and Access Platform
- Connectors: Integration with non-Windows integrated applications and systems
- User Experience: Logon & credentials; Self-service
- Developer Experience: Directory APIs, Access APIs, Integration APIs
- IT Pro Experience: Management, Delegated admin
- Integration Services: Process automation, Process control
- Directory Services: Distributed publication
- Access Services: Authentication, Authorization, Audit, Strong credentials

Integration Services - Business Drivers and Requirements

- Strengthen security
  - Enforcement of "Least User Access" as required by SOX, HIPAA etc.
  - Automated de-provisioning of accounts and entitlements
  - Central auditing
- Increasing operational efficiency
  - Automation: provisioning and de-provisioning based on business rules
  - Self-service applications to empower business owners to make entitlement decisions
- Online business enablement
  - Self-service applications for user registration and account management
- Regulatory requirements
  - Workflow to model controls
  - State-based identity management system to enforce use of controls and compliance
  - Central auditing allows tracking of in- and out-of-compliance situations

Example: Resource Access in Windows

- Policy is de-centralized
  - No single store to look up relationships between users, resources and access control policies
- Administration is de-centralized
  - No reporting capabilities

[Diagram: only the label "Token" survives extraction]

Abstract Model

- Digital subjects, resources and access policies share lifecycle management characteristics
  - Need to be authored and provisioned, incl. process
  - Changes managed from authoritative source and enforced
  - Need to have an owner
  - Relationships have to be managed and enforced

[Diagram: Access Policy, Resource and Digital Actor, each behind its own Guard]

Requirements for Process Integration Service

- Provisioning and lifecycle management of digital subjects
- Provisioning and lifecycle management of resources
  - File shares, SharePoint sites
- Provisioning and lifecycle management of access control policies
  - ACLs, SharePoint access rights, web services
- Workflow to model compliance controls
  - Enforce compliance and flag out-of-compliance situations
- Central auditing system
  - Audit all aspects of provisioning and lifecycle management (state auditing)
  - Trigger actions (workflows) if out-of-compliance situations are found
  - Integrate with forensic auditing systems (ACS, MOM)
- Complete set of APIs for all aspects of entitlement provisioning and process integration service configuration

MIIS Evolves into Process Integration Services

- Digital actors, resources and policies are all identities
- State-based metadirectory is the right approach
  - Discovery of identities through Management Agents
  - Aggregation of identity information in a central store
  - Use business rules to manage relationships between identities
  - Periodically validate compliance of relationships by comparing existing relationships with the model through synchronization
  - Enforce compliance through synchronization
  - Audit all relationship changes
- MIIS 2003 has the right architecture
- Future versions will add workflow, business rules authoring, control authoring and auditing

Access Control Configuration - Revised

[Diagram, shown in two builds. Labels recovered: HR feeds the Metadirectory; Policy A: All members of Sales role: R; Resource A configuration: Use Policy A; Provision Bob: Sales. The second build adds Provision Lori: Marketing, a Workflow, and two Web Service boxes.]

Benefits of this Model

- Centralized management of digital subjects, resources and policies
  - Data driven
  - Application driven (self-service or delegated)
  - Heterogeneous environments
- Workflow allows modeling of controls
- Compliance validation and enforcement
  - State in Metadirectory is authoritative
  - If an administrator adds Sally to the ACL on \\movies, the Metadirectory resets the ACL and triggers a warning
  - Use of controls
- Centralized auditing and reporting

Auditing and Reporting

- All operations create audit entries
  - Including approval steps in workflows
- Reports answer the following questions:
  - Who had access to \\movies on 6/2/05 and why? Bob, member of Sales role
  - Who had access to \\movies on 6/5/05 and why? Bob, member of Sales role; Lori, because Bob approved request
  - What resource did Lori have access to on 6/5/05 and why? \\movies, because Bob approved request
  - What resources were protected by policy A on 6/5/05? \\movies
  - What resources can be accessed by Sales members? \\movies
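The compliance-enforcement and reporting behaviour described on the "Benefits of this Model" and "Auditing and Reporting" slides, as an added Python model (not Microsoft's or MIIS code): a state-based metadirectory whose policies, role memberships and approved requests are authoritative, a synchronization step that resets an out-of-band ACL entry (Sally) and flags it, and report queries that answer the slides' questions for \\movies. The provisioning dates, the ISO date format and the class and method names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MOVIES = r"\\movies"  # the file share used on the slides; dates below are ISO strings, which sort chronologically

@dataclass
class Grant:
    """A one-off entitlement approved through workflow rather than derived from a policy."""
    subject: str
    resource: str
    right: str
    reason: str
    start: str

@dataclass
class Metadirectory:
    roles: Dict[str, Dict[str, str]] = field(default_factory=dict)      # role -> {subject: member since}
    policies: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # policy -> (role, right)
    resources: Dict[str, str] = field(default_factory=dict)             # resource -> policy
    grants: List[Grant] = field(default_factory=list)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)     # (when, event, detail)

    def _log(self, when: str, event: str, detail: str) -> None:
        self.audit.append((when, event, detail))  # every operation creates an audit entry

    def provision(self, subject: str, role: str, when: str) -> None:
        self.roles.setdefault(role, {})[subject] = when
        self._log(when, "provision", f"{subject}: {role}")

    def approve(self, approver: str, subject: str, resource: str, right: str, when: str) -> None:
        self.grants.append(Grant(subject, resource, right, f"{approver} approved request", when))
        self._log(when, "approval", f"{approver} approved {subject} -> {resource} ({right})")

    def model_acl(self, resource: str, when: str) -> Dict[str, Tuple[str, str]]:
        """Authoritative ACL for `resource` on date `when`: subject -> (right, reason)."""
        role, right = self.policies[self.resources[resource]]
        acl = {s: (right, f"member of {role} role")
               for s, since in self.roles.get(role, {}).items() if since <= when}
        for g in self.grants:  # approved requests layer on top of the policy
            if g.resource == resource and g.start <= when:
                acl[g.subject] = (g.right, g.reason)
        return acl

    def synchronize(self, resource: str, live_acl: Dict[str, str], when: str):
        """Compare the connected system's ACL with the model; the model wins. Returns (corrected ACL, warnings)."""
        expected = {s: r for s, (r, _) in self.model_acl(resource, when).items()}
        warnings = []
        for subject, right in live_acl.items():
            if expected.get(subject) != right:  # added out of band, or wrong right: reset and flag
                msg = f"unauthorized ACE {subject}:{right} on {resource} removed"
                warnings.append(msg)
                self._log(when, "out-of-compliance", msg)
        for subject in expected.keys() - live_acl.keys():  # model entries missing from the live ACL
            self._log(when, "enforce", f"{subject} restored on {resource}")
        return dict(expected), warnings

    # Reports answering the questions posed on the "Auditing and Reporting" slide.
    def who_had_access(self, resource: str, when: str) -> List[Tuple[str, str]]:
        return sorted((s, why) for s, (_, why) in self.model_acl(resource, when).items())

    def resources_for(self, subject: str, when: str) -> List[Tuple[str, str]]:
        return sorted((res, self.model_acl(res, when)[subject][1])
                      for res in self.resources if subject in self.model_acl(res, when))

    def resources_protected_by(self, policy: str) -> List[str]:
        return sorted(res for res, pol in self.resources.items() if pol == policy)

    def resources_for_role(self, role: str) -> List[str]:
        return sorted(res for res, pol in self.resources.items() if self.policies[pol][0] == role)

def build_demo() -> Metadirectory:
    """Constructed data from the slides: Policy A gives Sales R on MOVIES; Bob is Sales; Lori was approved by Bob."""
    md = Metadirectory()
    md.policies["Policy A"] = ("Sales", "R")
    md.resources[MOVIES] = "Policy A"
    md.provision("Bob", "Sales", "2005-06-01")            # assumed date
    md.provision("Lori", "Marketing", "2005-06-03")       # assumed date
    md.approve("Bob", "Lori", MOVIES, "R", "2005-06-04")  # assumed date
    return md

def demo_drift():
    """An administrator added Sally directly to the share ACL; synchronization resets it and warns."""
    return build_demo().synchronize(MOVIES, {"Bob": "R", "Lori": "R", "Sally": "R"}, "2005-06-06")
```

Because the ACL is recomputed from the model rather than patched, a removed policy or an expired membership is enforced on the next synchronization without any per-ACE bookkeeping.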

MIIS Gemini

- Add core functionality required for Process Integration Services
  - Rich workflow
  - Centralized auditing
  - Self-service application platform with integrated workflow and auditing
  - Computed attributes
  - Entitlement management based on organizational roles
- Expose new functionality to IT Pros and end users
  - Identity manager console for declarative entitlement management
  - Self-service applications
- Expose self-service application interfaces for ISVs and corporate developers

Gemini Provisioning Features - Integrated Toolset to Manage the Lifecycle of Digital Identities and Entitlements

- Declarative provisioning
  - UI to define rules for when and where entitlements are created, plus templates for how they are created
  - No more coding required
- Self-service platform
  - Web service interfaces to build self-service applications, e.g. account requests, entitlement requests, password resets, group membership requests
  - Tight integration with VS to develop self-service apps
  - Application MV
- Group management improvements
  - Multi-forest, computed groups, Autogroup
- Unified workflow model
  - Declarative provisioning, self-service apps, the existing synchronization framework and group management all need workflow
  - Single model to manage workflows

Gemini Provisioning Features - Integrated Toolset to Manage the Lifecycle of Digital Identities and Entitlements (continued)

- Ready to use "out of the box self-service applications"
  - Only minimal configuration required
  - Entitlement manager, Autouser, Autogroup
- Auditing / compliance checking
  - All provisioning operations are audited (requests, approvals, changes in CD)
  - Unauthorized changes in CD can be detected and audited; workflow can be kicked off
- Resource and policy management

Gemini Workflow Example

[Flowchart; node labels recovered from the slide: Request, Receive Delegation, Request approval, Approved? (Yes/No), Escalate, Notify Others, Delegation, Create Account, Send Notification, More Processes. The arrow layout is not recoverable.]

The Evolution of Directory Services

Active Directory
- Broad usage
  - 86% of US, 57% of enterprises >500 PCs worldwide running Active Directory *
- Performance at scale
  - Scale out: 1000+ servers
  - Scale up: deployments at 20M+ users
- Flexibility: AD and ADAM
  - Centralized or distributed physical deployment
  - Centralized or distributed logical management
  - Shared across applications or dedicated to a specific application
- Interop: Unix/Linux SSO via Vintela, Centrify

* Source: Microsoft internal survey, spring 2005

Domain Mode

- Windows Server 2003 R2
  - Unix compatibility schema
  - ADMT v3 (web download)
- Longhorn Server
  - Read-only DC: reduced physical security requirements, simplified manageability
  - Restartable AD: reduce DC reboots
  - DC on Server Core: minimize surface area
  - DC/Domain Admin role separation

Application Mode

- Windows Server 2003 ADAM download
  - LDAP-only mode of Active Directory with independent configuration
  - Identical performance at scale
- Windows Server 2003 R2
  - ADAM included in OS distribution
  - One-way AD-to-ADAM sync: eliminates the need for MIIS (or IIFP) in simple scenarios
- Longhorn Server: same as R2

The Next Generation of Digital Identity

Threats to Online Safety

- The Internet was built without a way to know who and what you are connecting to
- Everyone offering Internet service has come up with a workaround: a patchwork of one-offs
  - Inadvertently taught people to be phished
- Greater use and greater value attract a professional international criminal fringe
  - Understand and exploit weaknesses in the patchwork
  - Phishing and pharming at 1000% CAGR

From Patchwork to Fabric

- Little agreement on what the identity layer is, or how it should be run
  - Digital identity related to contexts
  - Partial success in specific domains (SSL, Kerberos)
- Enterprises, governments, verticals prefer one-offs to loss of control
- Individual is also a key player
- No simplistic solution is realistic
  - Consider cross-cultural, international issues
  - Diverse needs of players mean multiple constituent technologies must be integrated

"The Laws of Identity"

1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Join the discussion at www.identityblog.com

Identity Metasystem

- We need a unifying "identity metasystem"
  - Protect applications from identity complexities
  - Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations
- Not the first time we've seen this in computing
  - Abstract display services made possible through device drivers
  - Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocols

Metasystem Characteristics - Requirements for the Identity Metasystem

- Negotiation driven: Enable participants to negotiate technical policy requirements
- Encapsulation: Technology-agnostic way to exchange policies and claims
- Claims transformation: Trusted way to change one set of claims into another regardless of format
- User experience: Consistent user interface across multiple systems and technologies

WS-Trust, WS-MetadataExchange

WS-* Metasystem Architecture

[Diagram; labels recovered: Subject with Identity Selector; ID Providers (Security Token Service, WS-SecurityPolicy; token types Kerberos, SAML, x509); Relying Parties (WS-SecurityPolicy).]

Microsoft Support for Identity Metasystem

- "Indigo": Runtime for building distributed applications supporting the identity metasystem
- "InfoCard": Identity selector for Windows to visualize the user's digital identity
- Active Directory: Infrastructure for identity and access

[Diagram labels: "InfoCard", "Indigo", Active Directory, WS-*, End-Users, Developers, IT Organizations]

© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.