Identity and Access Management:

Overview
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
[email protected]
www.projectbotticelli.co.uk

Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all
information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in
File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions”
presentation for acknowledgments.
2

Objectives

Build a good conceptual background to enable

later technical discussions of the subject
Overview the problems and opportunities in the
field of identity and access management
Introduce terminology
Highlight a possible future direction
3

Session Agenda

Identity Problem of Today

Identity Laws and Metasystem
Components and Terminology
Roadmap
4

Identity Problem of
Today
5

Universal Identity?

Internet was build so that communications are

anonymous
In-house networks use multiple, often mutually-
incompatible, proprietary identity systems
Users are incapable of handling multiple
identities
Criminals love to exploit this mess
6

Explosion of IDs
Business Partners
# of Automation (B2B)
Digital IDs
Company
(B2E)

Customers
(B2C)

Mobility

ns
it o Internet
lica
p p
A
Client Server

Mainframe

Time

Pre 1980’s 1980’s 1990’s 2000’s

7

The Disconnected Reality

•Authenticati
•
on
Authorizatio HR
•
nIdentity
Data
System
•Authenticati
•
on
Authorizatio
•Identity
n
NOS
Data
•Authenticati
•Authorizatio
on Lotus
•Identity
n
Data
Notes Apps
Enterprise Directory
•Authenticati
•
on
Authorizatio Infra
•
nIdentity
Data
Application
•Authenticati
•
on
Authorizatio COTS
•Identity
n
Data
Application
•Authenticati
•Authorizatio
on In-House
•Identity
n
Data
Application
•Authenticati
•
on
Authorizatio In-House
•
nIdentity
Data
Application
“Identity Chaos”
Lots of users and systems required to do business
Multiple repositories of identity information; Multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing
8

Multiple Contexts
Customer satisfaction & customer intimacy
Cost competitiveness
Reach, personalization

Your CUSTOMERS Your SUPPLIERS

Collaboration
Outsourcing
Faster business cycles;
process automation
Value chain

Your COMPANY and

your EMPLOYEES

M&A
Mobile/global workforce
Flexible/temp workforce

Your REMOTE and Your PARTNERS

VIRTUAL EMPLOYEES
9

Trends Impacting Identity

Rising Tide of Regulation and Compliance
SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
$15.5 billion spend in 2005 on compliance (analyst estimate)

Deeper Line of Business Automation and

Integration
One half of all enterprises have SOA under development
Web services spending growing 45% CAGR

Increasing Threat Landscape

Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
$250 billion lost in 2004 from exposure of confidential info

Maintenance Costs Dominate IT Budget

On average employees need access to 16 apps and systems
Companies spend $20-30 per user per year for PW resets

Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department. of Justice
10

Pain Points

Security/ Business
IT Admin Developer End User
Compliance Owner
Too many user stores and Redundant Too many Too many Too expensive to
account admin requests
code in each orphaned reach new
Unsafe sync scripts passwords accounts partners, channels
app
Long waits for Limited auditing Need for control
Rework code access to ability
too often
apps,
resources
11

Possible Savings
Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group
Password Management
“Password reset costs range from $51 (best case) to $147 (worst
case) for labor alone.” – Gartner
User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group
12

Can We Just Ignore It All?

Today, average corporate user spends 16 minutes a day

logging on
A typical home user maintains 12-18 identities
Number of phishing and pharming sites grew over
1600% over the past year
Corporate IT Ops manage an average of 73 applications
and 46 suppliers, often with individual directories
Regulators are becoming stricter about compliance and
auditing
Orphaned accounts and identities lead to security
problems

Source: Microsoft’s internal research and Anti-phishing Working Group Feb 2005
13

One or Two Solutions?

Better Option:
Build a global, universal, federated identity metasystem
Will take years…

Quicker Option:
Build an in-house, federated identity metasystem based on
standards
Federate it to others, system-by-system

But: both solutions could share the same conceptual

basis
14

Identity Laws and

Metasystem
15

Lessons from Passport

Passport designed to solve two problems

Identity provider for MSN
250M+ users, 1 billion logons per day
Significant success
Identity provider for the Internet
Unsuccessful:
Not trusted “outside context”
Not generic enough
Meant giving up control over identity management
Cannot re-write apps to use a central system

Learning: solution must be different than

Passport
16

Idea of an Identity Metasystem

Not an Identity System

Agreement on metadata and protocols, allowing
multiple identity providers and brokers
Based on open standards
Supported by multiple technologies and
platforms
Adhering to Laws of Identity
With full respect of privacy needs
17

Roles Within Identity Metasystem

Identity Providers
Organisations, governments, even end-users
They provide Identity Claims about a Subject
Name, vehicles allowed to drive, age, etc.

Relying Parties
Online services or sites, doors, etc.
Subjects
Individuals and other bodies that need its identity
established
18

Metasystem Players

Identity
Providers
Issue identities

Relying Parties
Require identities

Subjects
Individuals and other
entities about whom
claims are made
19

Identity Metasystem Today

Basically, the set of WS-* Security Guidelines as

we have it
Plus
Software that implements the services
Microsoft and many others working on it
Companies that would use it
Still to come, but early adopters exist
End-users that would trust it
Will take time
20

Identity Lawswww.identityblog.com

1. User Control and Consent

2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
21

Enterprise Applicability

That proposed metasystem would work well

inside a corporation
Of course, we need a solution before it becomes
a reality
Following the principles seems a good idea
while planning immediate solutions
Organic growth likely to lead to an identity
metasystem in long term
22

Enterprise Trends

Kerberos is very useful but increasingly it does not span

disconnected identity forests and technologies easily
We are moving away from static Groups and traditional
ACLs…
Increasingly limited and difficult to manage on large scales
…towards a dynamic combination of:
Role-Based Access Management, and,
Rich Claims Authorization
PKI is still too restrictive, but it is clearly a component of
a possible solution
23

Components and
Terminology
24

What is Identity Management?

e Sign
ss w ord Sing l
Pa ent On Secure Remote
g e m Fede
Mana ratio
n Access

Role
Manageme
nt
Web Services Provisionin
g
Security

Authorization d it in g&
Au ing
p o rt
Re
t or ies
c
g Dire
Digital Stron tion
Rights he nti ca
Management Aut PKI
25

Identity and Access Management

Directory Repositories for storing and managing

accounts, identity information, and
Services security credentials

A system of procedures, policies and

technologies
Access to manage
The process the credentials
of authenticating lifecycle and
controlling access to networked resources
and entitlements
Management based on trust andof electronic
identity

credentials
Identity The processes used to create and delete
Lifecycle accounts, manage account and entitlement
Management changes, and track policy compliance
26

Remember the Chaos?

•Authenticati
•Authorizatio
on HR
•Identity
n
Data
System
•Authenticati
•Authorizatio
on
•Identity
n
NOS
Data
•Authenticati
•Authorizatio
on Lotus
•Identity
n
Data
Notes Apps
Enterprise Directory
•Authenticati
•Authorizatio
on Infra
•Identity
n
Data
Application
•Authenticati
•Authorizatio
on COTS
•Identity
n
Data
Application
•Authenticati
•Authorizatio
on In-House
•Identity
n
Data
Application
•Authenticati
•Authorizatio
on In-House
•Identity
n
Data
Application
27

Identity Integration
•Authenticati
•
on
Authorizatio HR
•
nIdentity
Data
System

Identity Integration Server

•Authenticati
•
on
Authorizatio
Student
•Identity
n
Data
Admin
•Authenticati
•Authorizatio
on Lotus
Enterprise Directory •Identity
n Notes Apps
Data
•Authenticati
•
on
Authorizatio Infra
•
nIdentity
Data
Application
•Authenticati
•
on
Authorizatio COTS
•Identity
n
Data
Application
•Authenticati
•Authorizatio
on In-House
•Identity
n
Data
Application
•Authenticati
•
on
Authorizatio In-House
•
nIdentity
Data
Application
28

IAM Benefits

Benefits today Benefits to take

(Tactical) you forward
(Strategic)
Save money and improve operational
efficiency New ways of working

Improved time to deliver applications

and service
Improved time to market
Enhance Security
Closer Supplier, Customer,
Partner and Employee
Regulatory Compliance and Audit relationships
29

Some Basic Definitions

Authentication (AuthN)
Verification of a subject’s identity by means of relying on a
provided claim
Identification is sometimes seen as a preliminary step of
authentication
Collection of untrusted (as yet) information about a subject, such as
an identity claim
Authorization (AuthZ)
Deciding what actions, rights or privileges can the subject be
allowed

Trend towards separation of those two

Or even of all three, if biometrics are used
30

Components of IAM

Administration
User Management
Password Management
Workflow
Delegation
Access Management

Authentication
Administration
Authorization
Authentication
Authorization
Identity Management
Account Provisioning
Account Deprovisioning
Synchronisation Reliable Identity Data
31

IAM Architecture
32

Roadmap
33

Microsoft’s Identity Management

Directory (Store) Access Identity
Services Management Lifecycle
Management

Active Active Directory Identity Integration

Directory & ADAM Federation Services Server

Extended Directory Authorization

BizTalk
Services Manager

Enterprise Audit Collection

PKI / CA
Single Sign On Services

Services for Unix / ISA SQL Server

Services for Netware Server Reporting
34

Components of a Microsoft-based IAM

Infrastructure Directory Active Directory

Application Directory AD/AM (LDAP)

Lifecycle Management MIIS
Workflow BizTalk, Partner Solutions (Ultimus BPM, SAP)
Role-Based Access Control Authorization Manager or Partner Solutions
(ex: OCG, RSA) and traditional approaches
Directory & Password MIIS & Partner solutions
Synchronization
SSO (Intranet) Kerberos/NTLM, Vintela/Centrify
Enterprise SSO (Intranet) Sharepoint ESSO, BizTalk ESSO, HIS ESSO
Strong Authentication SmartCards, CA/PKI, Partner (eg. RSA – SecurID,
MCLMS, WizeKey)
Web SSO ADFS, Partner (eg. RSA – ClearTrust)
Integration of UNIX/Novell SFU, SFN, Partner (eg. Vintella/Centrify)
Federation ADFS
35

Summary
36

Summary

We have reached an “Identity Crisis” both on the

intranet and the Internet
Identity Metasystem suggests a unifying way
forward
Meanwhile, Identity and Access Management
systems need to be built so enterprises can
benefit immediately
Microsoft is rapidly becoming a strong provider
of IAM technologies and IM vision
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet
37

Special Thanks
This seminar was prepared with the help of:

Oxford Computer Group Ltd

Expertise in Identity and Access
Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com

Microsoft, with special thanks to:

Daniel Meyer – thanks for many
slides
Steven Adler, Ronny Bjones, Olga
Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert –
Sponsorship
Bas Paumen & NGN - feedback
38

Appendix
39

Identity Management Platform

Directory
ServicesUser Service Network
Management Managemen Management
t
Network Access Infrastructu
Security Control re
Managemen
t
40

Identity Management Platform

Frontend Services
Self-Service Enterprise Enterprise
Interface User-Man. Role-Man.

Auditing & IDM Policy

Reporting Workflow Managemen
t
Provisioning
Services
Automated Automated Password
Provisioning Synch. Managemen
t

Directory
ServicesUser Service Network
Management Managemen Management
t
Network Access Infrastructu
Security Control re
Managemen
t
41

Identity Management Platform

Access Services Frontend Services

Web Self-Service Enterprise Enterprise
SSO Interface User-Man. Role-Man.

Federated Auditing & IDM Policy

SSO Reporting Workflow Managemen
t
Unix/Linux Provisioning
SSO Services
Automated Automated Password
Provisioning Synch. Managemen
Host t
SSO
Directory
Remote ServicesUser Service Network
Access Management Managemen Management
t
Access Network Access Infrastructu
Audit&Rep Security Control re
Managemen
t
42

Identity Management Platform

Frontend Services
Access Services
Web Self-Service Enterprise Enterprise
SSO Interface User-Man. Role-Man.

Auditing & IDM Policy

Federated Reporting Workflow Managemen
SSO t
Provisioning
Unix/Linux
Services
Automated Automated Password
SSO
Provisioning Synch. Managemen
t
Host
SSO
Directory
ServicesUser Service Network
Remote
Access Management Managemen Management
t
Network Access Infrastructu
Access Security Control re
Audit&Rep Managemen
Extended Directory Services t
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
43

Identity Management Platform

Frontend Services
Access Services
Web Self-Service Enterprise Enterprise
SSO Interface User-Man. Role-Man.

Auditing & IDM Policy

Federated Reporting Workflow Managemen
SSO t
Provisioning
Unix/Linux
Services
Automated Automated Password
SSO
Provisioning Synch. Managemen
t
Host
SSO
Directory
Services User Service Network
Remote Windows Server
Access Management Management Management
(Active Directory/ADAM, Quest /
Network
PKI, Access
AzMan) Centrify
Infrastructure
Access Security Control Management
Audit&Rep

Extended Directory Services

Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
44

Identity Management Platform

Frontend Services
Access Services
Web Self-Service Enterprise Enterprise
SSO Interface User-Man. Role-Man.

Auditing & IDM Policy

Federated Reporting Workflow Managemen
SSO t
Provisioning & Password Management Services
Unix/Linux
Services
Automated Automated Password
SSO
Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
Host
SSO
Directory
ServicesUser Service Network
Remote Windows Server
Access Management Managemen Management
(Active Directory/ADAM,
t Quest
Network Access
PKI, AzMan) /
Infrastructu
Access Security Control re
Audit&Rep Centri
Managemen
t fy
Extended Directory Services
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
45

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Unix/Linux
Services
Automated Automated Password
SSO
Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
Host
SSO
Directory
ServicesUser Service Network
Remote Windows Server
Access Management Managemen Management
(Active Directory/ADAM,
t Quest
Network Access
PKI, AzMan) /
Infrastructu
Access Security Control re
Audit&Rep Centri
Managemen
t fy
Extended Directory Services
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
46

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Quest Services
Automated Automated Password
/Centrify Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
Host
SSO
Directory
ServicesUser Service Network
Remote Windows Server
Access Management Managemen Management
(Active Directory/ADAM,
t Quest
Network Access
PKI, AzMan) /
Infrastructu
Access Security Control re
Audit&Rep Centri
Managemen
t fy
Extended Directory Services
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
47

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Quest Services
Automated Automated Password
/Centrify Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
HIS & ESSO
Directory
ISA ServicesUser Service Network
Server ManagementWindows Server
Managemen Management
(Active Directory/ADAM,
t Quest
Network Access
PKI, AzMan) /
Infrastructu
Access Security Control re
Audit&Rep Centri
Managemen
t fy
Extended Directory Services
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
48

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Quest Services
Automated Automated Password
/Centrify Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
HIS & ESSO
Directory
ISA ServicesUser Service Network
Server ManagementWindows Server
Managemen Management
(Active Directory/ADAM,
t Quest
MOM
Network Access
PKI, AzMan) /
Infrastructu
Security Control re
& ACS Centri
Managemen
t fy
Extended Directory Services
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
49

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Quest Services
Automated Automated Password
/Centrify Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
HIS & ESSO
Directory
ISA ServicesUser Service Network
Server ManagementWindows Server
Managemen Management
(Active Directory/ADAM,
t Quest
MOM
Network Access
PKI, AzMan) /
Infrastructu
Security Control re
& ACS Centri
Managemen
t fy
Extended Directory Services
Info
Card Certificate Smardcard Information
Management Managemen Rights
t Mgmt.
50

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Quest Services
Automated Automated Password
/Centrify Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
HIS & ESSO
Directory
ISA ServicesUser Service Network
Server ManagementWindows Server
Managemen Management
(Active Directory/ADAM,
t Quest
MOM
Network Access
PKI, AzMan) /
Infrastructu
Security Control re
& ACS Centri
Managemen
t fy
Info Extended Directory Services
Card Windows MS RMS
PKI Alacris Server
51

Identity Management Platform

Access Services Frontend Services

IIS
Active AzMan
Directory Sharepoint
Federation SQL-Server BizTalk
Server
Provisioning & Password Management Services
Quest
/Centrify Microsoft Identity Integration
HIS/ESSO Server
ISA Directory
Server Services
Windows Server
(Active Directory/ADAM, Quest
MOM /
PKI, AzMan)
& ACS Centri
fy
Info Extended Directory Services
Card Windows MS RMS
PKI Alacris Server
52

Identity Management Platform

Access Services Frontend Services

FastPass
Active AVAC
Directory bHold
Federation Quest Ultimus
Server
Provisioning & Password Management Services
Quest
/Centrify Microsoft Identity Integration
HIS/ESSO Server
ISA Directory
Server Services
Windows Server
(Active Directory/ADAM, Quest
MOM /
PKI, AzMan)
& ACS Centri
fy
Info Extended Directory Services
Card Windows MS RMS
PKI Alacris Server
53

Identity Management Platform

Frontend Services
Access Services
Self-Service Enterprise Enterprise
Active Interface User-Man. Role-Man.
Directory
Auditing & IDM Policy
Federation
Reporting Workflow Managemen
Server t
Provisioning & Password Management Services
Quest Services
Automated Automated Password
/Centrify Microsoft Identity
Provisioning Synch. Integration
Managemen
Server t
HIS & ESSO
Directory
ServicesUser Service Network
Remote Windows Server
Access Management Managemen Management
(Active Directory/ADAM,
t Quest
Network Access
PKI, AzMan) /
Infrastructu
Access Security Control re
Audit&Rep Centri
Managemen
t fy
Extended Directory Services
Desktop
IDM Env. Certificate Smardcard Information
Management Managemen Rights
t Mgmt.