Identity and Access Management - Futures and Roadmap
Andreas Luther
Group Program Management
Identity and Access - MIIS
Microsoft Corporation

Situation
Increasingly connected systems
Connections span technical, org boundaries
Distinctions blur - customer, partner, employee, intranet, Internet
Demand for business process integration
Clear business drivers around security, cost efficiency, regulatory compliance
Issues around policy, compliance, reporting
Rapid rise of threats to online safety
Phishing, pharming, phraud
Concerns over privacy, tracking

Technology Areas
Connectors: Integration with non-Windows integrated applications and systems
Identity and Access Platform
User Experience: Logon & credentials; Self-service
Developer Experience: Directory APIs; Access APIs; Integration APIs
IT Pro Experience: Management; Delegated admin
Integration Services: Process automation; Process control
Directory Services: Distributed publication
Access Services: Authentication; Authorization; Audit; Credential management

Microsoft’s Strategy
Add native support for interoperable federated identity to Active Directory using web services
Build on Microsoft Identity Integration Server as platform for process-driven management of identities and entitlements
Evolve and refine Active Directory directory services

What is a Digital Identity?
A set of claims one subject makes about another
Many identities for many uses
Required for transactions in real world and online

Active Directory Federation Services
Federated web single sign on
WS-Federation Passive Requestor Profile
Support SAML token, claims as SAML assertions
Integrated with Windows SSO
Support Windows Integrated Security and native claims-based identity
Transform claims into SIDs for Windows apps
Enable web apps to natively consume claims
Authorization Manager integration
Delivered in Windows Server 2003 R2

Process-driven management of identities and entitlements
MIIS Roadmap
Extending MA reach and password capabilities - MIIS 2003 SP1 (Q4/CY04): Additional MAs; MA SDK; Password extensions; Password synchronization
Extending MA reach - ongoing OOB deliverables (starting June 05): Additional MAs
Improving password management capabilities - MIIS 2003 SP2 (Q2/CY06): End-user self-service password reset
Process Integration Services - MIIS "Gemini": Codeless provisioning; Entitlement reporting; Self-service platform; Additional MAs
Tools to simplify MIIS deployments - MIIS 2003 ResKit 2 (Q4/CY04): Provisioning Wizard; Workflow sample app
MIIS 2003 – OOB MA Deliverables
Mainframe MAs: RACF: June 05; ACF2, TS: Fall 05
ERP MAs: SAP, PeopleSoft: Fall 05
Generic LDAP MA: Considered for Gemini release
MIIS 2003 SP2 Password Self Service Reset
Problem: Users forget passwords
Downtime reduces employee productivity
High help desk costs associated with reset requests
Solution: Password self service reset enables employees to reset forgotten passwords
Self Service Password Reset planned for MIIS SP2
Leverages MIIS: System connectivity; Account management
User Registration: Proactive enrollment, or help desk can force users to enroll when password is forgotten
Q&A authentication configuration is very flexible to accommodate different organizations’ security requirements
Q&A can be exposed to Help Desk to authenticate callers
Significant update to web applications shipped with MIIS 2003
Working with Speech Server team to enable phone password reset
Process-driven management of identities and entitlements

Identity and Access Platform - Technology Areas
Connectors: Integration with non-Windows integrated applications and systems
Identity and Access Platform
User Experience: Logon & credentials; Self-service
Developer Experience: Directory APIs; Access APIs; Integration APIs
IT Pro Experience: Management; Delegated admin
Integration Services: Process automation; Process control
Directory Services: Distributed publication
Access Services: Authentication; Authorization; Audit; Strong credentials

Integration Services - Business Drivers and Requirements
Strengthen security: Enforcement of “Least User Access” as required by SOX, HIPAA etc.; Automated de-provisioning of accounts and entitlements; Central auditing
Increasing operational efficiency: Automation: provisioning and de-provisioning based on business rules; Self-service applications to empower business owners to make entitlement decisions
Online business enablement: Self-service applications for user registration and account management
Regulatory requirements: Workflow to model controls; State based identity management system to enforce use of controls and compliance; Central auditing allows tracking of in- and out-of-compliance situations

Example: Resource Access in Windows
Policy is de-centralized: No single store to look up relationships between users, resources and access control policies
Administration is de-centralized: No reporting capabilities
[Diagram of resource access in Windows; only the label "Token" survives]
Abstract Model
Digital subjects, resources and access policies share lifecycle management characteristics
Need to be authored and provisioned, incl. process
Changes managed from authoritative source and enforced
Need to have owner
Relationships have to be managed and enforced
[Diagram: Digital Actor, Resource and Access Policy, each fronted by a Guard]
Requirements for Process Integration Service
Provisioning and lifecycle management of digital subjects
Provisioning and lifecycle management of resources: File shares, SharePoint sites
Provisioning and lifecycle management of access control policies: ACLs, SharePoint access rights, web services
Workflow to model compliance controls
Enforce compliance and flag out-of-compliance situations
Central auditing system: Audit all aspects of provisioning and lifecycle management (state auditing)
Trigger actions (workflows) if out-of-compliance situations are found
Integrate with forensic auditing systems (ACS, MOM)
Complete set of APIs for all aspects of entitlement provisioning and process integration service configuration

MIIS Evolves into Process Integration Services
Digital actors, resources and policies are all identities
State-based Metadirectory is the right approach
Discovery of identities through Management Agents
Aggregation of identity information in central store
Use business rules to manage relationships between identities
Periodically validate compliance of relationships by comparing existing relationships with model through synchronization
Enforce compliance through synchronization
Audit all relationship changes
MIIS 2003 has the right architecture
Future versions will add workflow, business rules authoring, control authoring and auditing
Access Control Configuration - Revised
[Diagram, first step: HR feeds the Metadirectory. Policy A: All members of Sales role: R. Resource A configuration: Use Policy A. Provision Bob: Sales.]
[Diagram, second step: additionally Provision Lori: Marketing via Workflow; Web Services connect the Metadirectory to Policy A and Resource A.]
Benefits of this Model
Centralized management of digital subjects, resources and policies
Data driven
Application driven (Self-Service or delegated)
Heterogeneous environments
Workflow allows modeling of controls
Compliance validation and enforcement: State in Metadirectory is authoritative
If administrator adds Sally to ACL on \\movies, Metadirectory resets ACL and triggers warning
Use of controls
Centralized auditing and reporting

Auditing and Reporting
All operations create audit entries, including approval steps in workflows
Reports answer the following questions:
Who had access to \\movies on 6/2/05 and why? Bob, member of Sales role
Who had access to \\movies on 6/5/05 and why? Bob, member of Sales role; Lori, because Bob approved request
What resource did Lori have access to on 6/5/05 and why? \\movies, because Bob approved request
What resources were protected by Policy A on 6/5/05? \\movies
What resources can be accessed by Sales members? \\movies
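The state-based compliance model from the "MIIS Evolves", "Benefits of this Model" and "Auditing and Reporting" slides, written out as an added Python example (not code from the deck or from MIIS): the metadirectory holds the authoritative state (roles, Policy A, Bob's approval of Lori's request), synchronization compares the connected directory's ACL on \\movies against it, resets Sally's out-of-band entry with a warning, audits every change, and the same model answers the slide's "who had access and why" questions. All sample data is constructed, including the June 3 approval date, which the slides do not state.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data following the slide's \\movies scenario. The
# metadirectory is authoritative: roles, policies and approved requests
# live here; the ACL in the connected directory is derived state.
MOVIES = r"\\movies"
ROLES = {"Bob": "Sales", "Lori": "Marketing"}
POLICIES = {"Policy A": {"role": "Sales", "right": "R"}}   # Sales members get Read
RESOURCES = {MOVIES: "Policy A"}                            # resource -> governing policy
JUNE_2, JUNE_5 = date(2005, 6, 2), date(2005, 6, 5)


@dataclass(frozen=True)
class Approval:
    """A workflow-approved exception to policy (an entitlement request)."""
    user: str
    resource: str
    right: str
    approver: str
    granted: date


# The slide says Lori had access on 6/5/05 but not on 6/2/05 because Bob
# approved her request; the exact grant date is constructed for this example.
APPROVALS = [Approval("Lori", MOVIES, "R", "Bob", date(2005, 6, 3))]


@dataclass(frozen=True)
class AuditEntry:
    when: date
    action: str      # "grant", "revoke" or "warning"
    user: str
    resource: str
    reason: str


def expected_access(resource: str, on: date) -> dict[str, str]:
    """Derive who should hold access to `resource` on `on`, and why, from the model."""
    policy = POLICIES[RESOURCES[resource]]
    access = {user: f"member of {policy['role']} role"
              for user, role in ROLES.items() if role == policy["role"]}
    for a in APPROVALS:
        if a.resource == resource and a.granted <= on:
            access.setdefault(a.user, f"because {a.approver} approved request")
    return access


def synchronize(resource: str, actual_acl: set[str], on: date):
    """Compare the connected directory's ACL with the model; reset drift and
    audit every change. Returns (enforced_acl, audit_entries)."""
    expected = expected_access(resource, on)
    audit: list[AuditEntry] = []
    # Entries the model does not justify were changed out-of-band, e.g. an
    # administrator adding Sally to the ACL directly: revoke and raise a warning.
    for user in sorted(actual_acl - set(expected)):
        audit.append(AuditEntry(on, "warning", user, resource,
                                "out-of-compliance: ACL entry not in metadirectory"))
        audit.append(AuditEntry(on, "revoke", user, resource, "reset to model state"))
    # Entries the model requires but the ACL lacks are provisioned.
    for user in sorted(set(expected) - actual_acl):
        audit.append(AuditEntry(on, "grant", user, resource, expected[user]))
    return set(expected), audit


def who_had_access(resource: str, on: date) -> list[tuple[str, str]]:
    """Report: who had access to `resource` on `on`, and why."""
    return sorted(expected_access(resource, on).items())


def resources_for_role(role: str) -> list[str]:
    """Report: what resources can members of `role` access?"""
    return sorted(r for r, p in RESOURCES.items() if POLICIES[p]["role"] == role)


if __name__ == "__main__":
    print(who_had_access(MOVIES, JUNE_2))   # Bob only
    print(who_had_access(MOVIES, JUNE_5))   # Bob (Sales) and Lori (Bob approved)
    acl, log = synchronize(MOVIES, {"Bob", "Lori", "Sally"}, JUNE_5)
    print(acl)                              # Sally removed: {'Bob', 'Lori'}
    for entry in log:
        print(entry)
```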
MIIS Gemini
Add core functionality required for Process Integration Services
Rich workflow
Centralized auditing
Self-service application platform with integrated workflow and auditing
Computed attributes
Entitlement management based on organizational roles
Expose new functionalities to IT Pros and end users
Identity manager console for declarative entitlement management
Self-service applications
Expose self-service application interfaces for ISVs and corporate developers

Gemini Provisioning Features
Integrated Toolset to Manage the Lifecycle of Digital Identities and Entitlements
Declarative Provisioning: UI to define rules for when and where entitlements are created, plus templates for how they are created; No more coding required
Self-Service Platform: Web service interfaces to build self-service applications
E.g., account requests, entitlement requests, password resets, group membership requests
Tight integration with VS to develop Self-Service apps
Application MV
Group Management Improvements: Multi-forest, computed groups, Autogroup
Unified workflow model: Declarative provisioning, self-service apps, existing synchronization framework and group management need workflow; Single model to manage workflows

Gemini Provisioning Features
Integrated Toolset to Manage the Lifecycle of Digital Identities and Entitlements
Ready to use “Out of the Box Self-Service Applications”
Only minimal configuration required: Entitlement manager, Autouser, Autogroup
Auditing / compliance checking: All provisioning operations are audited (requests, approvals, changes in CD); Unauthorized changes in CD can be detected and audited; workflow can be kicked off
Resource and policy management
Gemini Workflow Example
[Flowchart: Request -> Receive Delegation -> Request approval -> Approved? Yes: Create Account -> Send Notification. No: Escalate -> Approved? Yes: Create Account -> Send Notification; No: Notify Others -> Delegation. Further branches labeled "More Processes".]
Active Directory
Broad usage: 86% of US, 57% of enterprises >500 PCs worldwide running Active Directory *
Performance at scale: Scale out: 1000+ servers; Scale up: deployments at 20M+ users
Flexibility: AD and ADAM: Centralized or distributed physical deployment; Centralized or distributed logical management; Shared across applications or dedicated to a specific application
Interop: Unix/Linux SSO via Vintela, Centrify
* Source: Microsoft internal survey, spring 2005

Domain Mode
Windows Server 2003 R2: Unix compatibility schema; ADMT v3 (web download)
Longhorn Server: Read-only DC: reduced physical security requirements, simplified manageability
Restartable AD: reduce DC reboots
DC on Server Core: minimize surface area
DC/Domain Admin role separation

Application Mode
Windows Server 2003 ADAM download: LDAP-only mode of Active Directory with independent configuration
Identical performance at scale
Windows Server 2003 R2: ADAM included in OS distribution
One-way AD-to-ADAM sync: eliminate need for MIIS (or IIFP) in simple scenarios
Longhorn Server: same as R2
Threats to Online Safety
The Internet was built without a way to know who and what you are connecting to
Everyone offering Internet service has come up with a workaround – a patchwork of one-offs
Inadvertently taught people to be phished
Greater use and greater value attract professional international criminal fringe
Understand and exploit weaknesses in patchwork
Phishing and pharming at 1000% CAGR

From Patchwork to Fabric
Little agreement on what identity layer is, or how it should be run
Digital identity related to contexts
Partial success in specific domains (SSL, Kerberos)
Enterprises, governments, verticals prefer one-offs to loss of control
Individual is also a key player
No simplistic solution is realistic
Consider cross cultural, international issues
Diverse needs of players means need to integrate multiple constituent technologies
“The Laws of Identity”
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Join the discussion at www.identityblog.com
Identity Metasystem
We need a unifying “Identity metasystem”
Protect applications from identity complexities
Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations
Not first time we’ve seen this in computing
Abstract display services made possible through device drivers
Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocols
Metasystem Characteristics - Requirements for the Identity Metasystem
Negotiation Driven: Enable participants to negotiate technical policy requirements
Encapsulation: Technology-agnostic way to exchange policies and claims
Claims Transformation: Trusted way to change one set of claims into another regardless of format
User Experience: Consistent user interface across multiple systems and technologies
WS-* Metasystem Architecture
[Diagram: the Subject, using an Identity Selector, obtains tokens from ID Providers (Kerberos, SAML, x509, …), each exposing a Security Token Service described by WS-SecurityPolicy, and presents them to Relying Parties; the parties interact via WS-Trust and WS-MetadataExchange.]
Microsoft Support for Identity Metasystem
“Indigo”: Runtime for building distributed applications supporting identity metasystem
“InfoCard”: Identity selector for Windows to visualize user’s digital identity
Active Directory: Infrastructure for identity and access
[Diagram: “InfoCard”, “Indigo” and Active Directory, connected through WS-*, serving End-Users, Developers and IT Organizations]