What Is Identity and Access Management?

Identity and Access Management
Paula Kiernan
Senior Consultant
Ward Solutions
Session Prerequisites
Hands-on experience with Microsoft Windows Server,
Windows management tools, and Active Directory
Basic understanding of network security fundamentals
Basic understanding of directory and security services
used in heterogeneous computing environments
Level 200
Session Overview
Overview of Identity and Access Management Concepts
Identity Management
Intranet Access Management
Extranet Access Management
Overview of Identity and Access Management Concepts
Managing Digital Identities: What Are the Challenges?
Challenges to managing digital identities include:
Multiple identity stores
Intranet access management
Extranet access management
What Is Identity and Access Management?
Identity and access management brings together four areas:
Identity life cycle management
Access management
Directory services
Application integration
How Can Identity and Access Management Reduce Directory Management Effort?
Initiatives that reduce directory management effort include:
Automating provisioning and deprovisioning
Implementing identity aggregation and synchronization
Establishing directory service and security standards
Establishing software development and procurement standards
Reducing total cost of ownership (TCO)
How Can Identity and Access Management Simplify the End User Experience?
Initiatives that simplify the end user experience include:
Consolidating identity stores
Improving password management
Enabling SSO
Improving access for employees, customers, and partners
How Can Identity and Access Management Increase Security?
Initiatives that increase security include:
Establishing security and access policies
Improving password management
Strengthening authentication mechanisms
Establishing security audit policy
Developing identity-aware applications
Understanding Identity and Access Management Technologies
Identity life cycle management: identity integration; provisioning/deprovisioning; delegated administration; self-service administration; credential and password management
Access management: authentication; authorization; trust; security auditing
Directory services: users, attributes, credentials, and groups, held in Active Directory or Active Directory Application Mode
Identity Management
Managing Identities: What Are the Challenges?
Challenges related to managing multiple identity
stores include:
Management costs
Employee productivity
Security
Customer service and supply chain integration
Understanding the Identity Life Cycle
1. New User
-User ID creation
-Credential issuance
-Entitlements
2. Change User
-Promotions
-Transfers
-Entitlement changes
3. Help Desk
-Password reset
-New entitlements
4. Retire User
-Delete accounts
-Remove entitlements
Managing Identity Integration
Approaches to managing identity integration among
directory stores include:
Manual administration
Custom scripts
Integration services
Identity integration products
Understanding Identity Integration Products and Services
You can implement identity integration by using a number of identity integration products and services:
Identity Integration Feature Pack
Microsoft Identity Integration Server 2003
Services for UNIX
Services for NetWare
Host Integration Server
Active Directory Connector
Active Directory to ADAM Synchronizer
Using the Identity Integration Feature Pack to Manage Identities
IIFP is a free product that provides connections only to the following directories and e-mail applications:
Active Directory for Windows 2000 Server and later
Active Directory Application Mode (ADAM)
GAL synchronization for Exchange 2000 Server and Exchange Server 2003
Using Microsoft Identity Integration Server to Manage Identities
MIIS 2003 provides the following set of features:
Identity aggregation and synchronization
Support for over 20 repositories
Provides a single enterprise view of a user
Uses SQL Server as the information repository
Account provisioning
Automated account creation/deletion
Group & distribution list management
Workflow
Password management
Understanding Identity Integration Using MIIS
[Diagram: MIIS 2003 at the centre, connected through a management agent (MA) and connector space (CS) to each of Intranet Active Directory, Extranet Active Directory, Sun ONE Directory, and Lotus Notes, with all objects joined in the metaverse (MV). Legend: CS=Connector Space, MV=Metaverse, MA=Management Agent.]
Synchronizes multiple repositories
Agentless connection to other systems
Attribute level control
Manage global address lists
Automate group and DL management
Implementing Account Provisioning
Typical ways of implementing account provisioning
include:
HR-driven provisioning
Web-driven provisioning
Complex workflow provisioning using Microsoft BizTalk Server 2004 orchestration
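The identity life cycle, the MIIS connector space / metaverse model and HR-driven provisioning described on the preceding slides can be seen working together in one small engine. The Python below is an added example written for this page; it is not code from the deck and not MIIS itself. It assumes three constructed sources (an HR feed, Active Directory and Lotus Notes), a join on an invented employeeID attribute, an invented precedence table, and invented group names for entitlements.

```python
"""Identity aggregation, synchronization and HR-driven provisioning.

Added example; not code from the deck and not MIIS. Each source has a
connector space (CS); the management agent (MA) logic joins CS objects into
the metaverse (MV) on employeeID and flows attributes by precedence; the HR
record's status then drives provisioning and deprovisioning of a target
directory. All records, attribute names and group names are constructed.
"""

# Attribute precedence: the first listed source that supplies a value wins.
PRECEDENCE = {
    "displayName": ["hr", "ad"],
    "department": ["hr"],
    "mail": ["notes", "ad"],
    "status": ["hr"],
}

# Constructed connector-space contents, keyed by the join attribute (employeeID).
CONNECTOR_SPACES = {
    "hr": {
        "1001": {"displayName": "Mary Byrne", "department": "Finance", "status": "active"},
        "1002": {"displayName": "Bob Walsh", "department": "Sales", "status": "terminated"},
        "1003": {"displayName": "Ann Lee", "department": "Sales", "status": "active"},
    },
    "ad": {
        "1001": {"displayName": "M. Byrne", "mail": "mary@corp.example"},
        "1002": {"displayName": "Bob Walsh", "mail": "bob@corp.example"},
    },
    "notes": {"1001": {"mail": "mary.byrne@notes.example"}},
}

# Constructed state of the target directory before the sync run.
INITIAL_TARGET = {
    "1001": {"enabled": True, "displayName": "M. Byrne", "groups": {"GL-Staff"}},
    "1002": {"enabled": True, "displayName": "Bob Walsh", "groups": {"GL-Sales", "GL-Staff"}},
}

# Entitlements granted by department; anything outside the set is removed on update.
ENTITLEMENTS = {"Finance": {"GL-Finance", "GL-Staff"}, "Sales": {"GL-Sales", "GL-Staff"}}


def build_metaverse(spaces):
    """Join CS objects on employeeID and flow each attribute from the winning source."""
    mv = {}
    for emp in sorted(set().union(*(cs.keys() for cs in spaces.values()))):
        rec = {}
        for attr, order in PRECEDENCE.items():
            for source in order:
                val = spaces.get(source, {}).get(emp, {}).get(attr)
                if val is not None:
                    rec[attr] = val
                    break
        mv[emp] = rec
    return mv


def provision(mv, target):
    """Export the MV to the target directory. Returns a list of (action, employeeID).

    Active users are created or brought in line with their entitlements; terminated
    users are disabled and stripped of entitlements (deletion can follow a retention
    period). A second run over unchanged input produces no actions.
    """
    actions = []
    for emp, rec in mv.items():
        obj = target.get(emp)
        if rec.get("status") != "active":
            if obj and obj["enabled"]:
                obj["enabled"] = False
                obj["groups"] = set()
                actions.append(("deprovision", emp))
            continue
        wanted = ENTITLEMENTS.get(rec.get("department"), set())
        if obj is None:
            target[emp] = {"enabled": True, "displayName": rec["displayName"], "groups": set(wanted)}
            actions.append(("create", emp))
        elif obj["groups"] != wanted or obj["displayName"] != rec["displayName"] or not obj["enabled"]:
            obj.update(enabled=True, displayName=rec["displayName"], groups=set(wanted))
            actions.append(("update", emp))
    return actions


def run_sync(spaces=CONNECTOR_SPACES, target=None):
    """One full synchronization cycle; returns (metaverse, actions, resulting target)."""
    target = {k: dict(v, groups=set(v["groups"])) for k, v in (target or INITIAL_TARGET).items()}
    mv = build_metaverse(spaces)
    return mv, provision(mv, target), target
```

Running `run_sync()` updates Mary (HR wins the display name, Finance adds GL-Finance), deprovisions Bob (HR says terminated, so his groups are emptied before any later deletion) and creates Ann. Feeding the resulting target back in yields no actions, which is the property a sync engine needs so that repeated runs are safe.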
Managing Passwords
MIIS 2003 provides the ability to manage passwords through:
Help desk reset
Windows-initiated changes
Web-initiated changes
Other system–initiated changes through non-Microsoft software
Identity Management: Best Practices
Define all business rules before implementation
Determine service-level agreements
Identify all existing systems or processes that might conflict with identity synchronization
Train development and support staff
Plan for custom code development
Implement a disaster recovery plan and secure the MIIS service accounts
Intranet Access Management
Intranet Access Management: What Are the Challenges?
Common business challenges related to intranet
access management include:
No single sign-on capabilities
A higher number of password reset requests
Multiple, inconsistent approaches to security services
Approaches to Single Sign-on
Approaches to single sign-on, in order of preference, include:
Application integration with Windows security services
Platform integration with Windows directory and security services
Application integration with Windows directory services
Indirect integration through credential mapping
Synchronized accounts and passwords
Implementing Single Sign-on
Approaches to implementing single sign-on include:
Desktop-integrated SSO
Web SSO
Credential mapping, or Enterprise SSO
Using Credential Manager
Credential Manager is used to save the user's credentials automatically and use them for future access to a resource
Credential Manager supports the following types of credentials:
User name and password combinations
X.509 digital certificates
Microsoft Passport credentials
Understanding Windows Authorization Options
Windows Server 2003 supports a number of authorization mechanisms:
The Windows access control list–based impersonation model
Role-based authorization
ASP.NET authorization
Understanding Windows Server 2003 Authorization Manager
Authorization Manager organizes users into various roles within the application, as shown:
[Diagram: an Authorization Policy Store defines Mary = Manager and Bob = User; authorization is checked at the application server, which grants role-based access to resources.]
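The Authorization Manager model on the slide (a policy store of roles checked at the application server rather than an ACL on the resource) is worth seeing as code. The Python below is an added example for this page, not the deck's code and not the Windows Authorization Manager API. It assumes an invented application with invented operations, tasks and roles, and it keeps the structure AzMan uses: operations are the fine-grained checks an application makes, tasks group operations, roles are granted tasks and may include other roles, and users are assigned roles.

```python
"""Role-based authorization in the Authorization Manager style.

Added example; not the deck's code and not the Windows AzMan API. Deny by
default: an unknown user, an unknown operation or a missing grant all fail.
Application, operation, task, role and user names are constructed.
"""

POLICY_STORE = {
    "application": "ExpenseApp",          # constructed application name
    "operations": {"ReadReport", "SubmitExpense", "ApproveExpense", "EditBudget"},
    "tasks": {
        "FileExpenses": {"ReadReport", "SubmitExpense"},
        "ApproveExpenses": {"ReadReport", "ApproveExpense"},
        "ManageBudget": {"EditBudget"},
    },
    "roles": {
        # a role lists the tasks it grants and, optionally, roles it includes
        "User": {"tasks": {"FileExpenses"}, "includes": set()},
        "Manager": {"tasks": {"ApproveExpenses", "ManageBudget"}, "includes": {"User"}},
    },
    "assignments": {"Mary": {"Manager"}, "Bob": {"User"}},
}


def effective_operations(store, role, seen=None):
    """Flatten a role (and the roles it includes) into the set of permitted operations."""
    seen = seen or set()
    if role in seen:            # guard against a cycle in the role definitions
        return set()
    seen.add(role)
    spec = store["roles"].get(role)
    if spec is None:
        return set()
    ops = set()
    for task in spec["tasks"]:
        ops |= store["tasks"].get(task, set())
    for inner in spec["includes"]:
        ops |= effective_operations(store, inner, seen)
    return ops


def access_check(store, user, operation):
    """The check the application server makes before touching a resource."""
    if operation not in store["operations"]:
        return False
    for role in store["assignments"].get(user, set()):
        if operation in effective_operations(store, role):
            return True
    return False


def audit_matrix(store):
    """Return {user: sorted permitted operations}, the report an auditor asks for."""
    return {u: sorted(op for op in store["operations"] if access_check(store, u, op))
            for u in store["assignments"]}
```

Mary, as Manager, inherits everything a User can do plus approval and budget operations; Bob can file expenses but not approve them; a user with no assignment, or an operation the store never defined, is always refused.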
Extranet Access Management
Extranet Access Management: What Are the Challenges?
Challenges related to extranet access management include:
Providing secure sessions over the Web
The need for a robust authentication and access control mechanism
The need for a common security model that includes authentication, Web SSO, authorization, and personalization
Identifying Extranet Considerations
Considerations that may affect your extranet access management approach include:
Virtual Private Network or Web SSO access
Directory service selection
Existing applications
Identity life-cycle management
Password security
Understanding Authentication Methods for Extranet Access
Protocols used for extranet access include:
SSL 3.0 and TLS 1.0 (both have since been deprecated, by RFC 7568 and RFC 8996; new deployments should require TLS 1.2 or later)
Passport authentication
Digest authentication
Forms-based authentication
Basic authentication (the password is sent Base64-encoded, not encrypted, so use it only inside an SSL/TLS session)
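The difference between Basic and Digest authentication is easiest to see with both sides of the exchange in code. The Python below is an added example for this page, not from the deck: it shows what an eavesdropper recovers from a Basic header sent outside SSL/TLS, and then the RFC 2617 Digest exchange with qop=auth (server challenge, client response, server verification with a replay check). The realm, user name and password are constructed, and the nonce is treated as single-use for simplicity.

```python
"""Basic versus Digest authentication for extranet access.

Added example, not from the deck. Basic carries the password Base64-encoded;
Digest sends MD5(HA1:nonce:nc:cnonce:qop:HA2), bound to realm, nonce, method
and URI. Realm, user and password are constructed values.
"""
import base64
import hashlib
import secrets

REALM = "extranet.example"                 # constructed realm
USERS = {"partner1": "Tr0ub4dor&3"}        # constructed credential store (plaintext for the demo)


def basic_header(user, password):
    """Client side of Basic: the whole secret, merely encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header):
    """What an eavesdropper gets from a Basic header sent outside SSL/TLS."""
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_challenge():
    """Server side: the WWW-Authenticate challenge with a fresh, unpredictable nonce."""
    return {"realm": REALM, "nonce": secrets.token_hex(16), "qop": "auth"}


def digest_response(challenge, user, password, method, uri, nc="00000001", cnonce=None):
    """Client side: RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = md5hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    response = md5hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def digest_verify(challenge, auth, method, uri, used_nonces):
    """Server side: recompute from the stored password and compare in constant time.

    Rejects a nonce that was not issued or has already been used (replay), a URI
    or realm that does not match the request, and an unknown user. The nonce is
    single-use here; a production server would track the nc counter instead.
    """
    if auth["nonce"] != challenge["nonce"] or auth["nonce"] in used_nonces:
        return False
    if auth["uri"] != uri or auth["realm"] != challenge["realm"]:
        return False
    password = USERS.get(auth["username"])
    if password is None:
        return False
    expected = digest_response(challenge, auth["username"], password, method, uri,
                               auth["nc"], auth["cnonce"])["response"]
    if not secrets.compare_digest(expected, auth["response"]):
        return False
    used_nonces.add(auth["nonce"])
    return True
```

Digest never puts the password on the wire and a captured response cannot be replayed against a new nonce or reused for another URI or method, but it still rests on MD5 and on the server holding a reversible or plaintext HA1, which is why the slide pairs every extranet scheme with SSL/TLS rather than relying on the scheme alone.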
Understanding Authorization Techniques for Extranet Access
Extranet authorization techniques can include the following:
Access control lists (ACLs)
Role-based access control (RBAC)
Using Trusts and Shadow Accounts for Extranet Access
Alternatives to using trusts include:
Using shadow accounts
Implementing public key infrastructure trusts
Using qualified subordination
Implementing Security Auditing
Use security auditing to monitor the following services:
Directory services
Authentication
Authorization
The following products and technologies can be used for security auditing and reporting:
Windows Security Event Log
Windows Management Instrumentation (WMI)
Microsoft Operations Manager (MOM)
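The slide says to audit directory services, authentication and authorization; the Python below is an added example for this page (not from the deck) of what a reviewer would actually run over the Windows Security Event Log to do that. The log lines are constructed to resemble a Windows Server 2003 security log exported as CSV and use the event IDs of that era: 529 (logon failure, unknown user name or bad password), 528 (successful logon), 624 (user account created), 630 (user account deleted), 632 and 636 (member added to a security-enabled global or local group). The column layout, host names and accounts are invented.

```python
"""Detections over Windows Security Event Log records.

Added example, not from the deck. SAMPLE_LOG is a constructed CSV export in
the Windows Server 2003 event-ID scheme. The three detections map to the
services the slide says to audit: authentication (529 bursts), directory
services (accounts created and deleted quickly) and authorization (members
added to privileged groups).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
time,event_id,subject,target,group,source
2004-05-12 09:00:01,529,bob,-,-,WS17
2004-05-12 09:00:04,529,mary,-,-,WS17
2004-05-12 09:00:06,529,ann,-,-,WS17
2004-05-12 09:00:09,529,dave,-,-,WS17
2004-05-12 09:00:12,529,eve,-,-,WS17
2004-05-12 09:00:15,528,svc_backup,-,-,WS17
2004-05-12 09:30:00,624,helpdesk1,tmpadmin,-,DC01
2004-05-12 09:31:10,632,helpdesk1,tmpadmin,Domain Admins,DC01
2004-05-12 09:45:00,630,helpdesk1,tmpadmin,-,DC01
2004-05-12 10:00:00,529,bob,-,-,WS03
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def parse(text):
    """Parse the CSV export into dicts with typed time and event_id fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
    return rows


def failed_logon_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """Authentication: at least `threshold` 529 events from one source within `window`.
    Reports the distinct accounts tried, so a password spray (many accounts, one
    source) is distinguishable from a brute force against a single account."""
    by_source = defaultdict(list)
    for r in rows:
        if r["event_id"] == 529:
            by_source[r["source"]].append(r)
    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, sorted({e["subject"] for e in evs[start:end + 1]})))
                break
    return alerts


def short_lived_accounts(rows, max_age=timedelta(hours=1)):
    """Directory services: an account created (624) and deleted (630) within `max_age`,
    the pattern of a temporary account used and removed to leave little trace."""
    created, alerts = {}, []
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["event_id"] == 624:
            created[r["target"]] = r
        elif r["event_id"] == 630 and r["target"] in created:
            c = created.pop(r["target"])
            if r["time"] - c["time"] <= max_age:
                alerts.append((r["target"], c["subject"], r["subject"]))
    return alerts


def privileged_group_changes(rows):
    """Authorization: any member added to a privileged group (632/636)."""
    return [(r["target"], r["group"], r["subject"]) for r in rows
            if r["event_id"] in (632, 636) and r["group"] in PRIVILEGED_GROUPS]


def run_detections(text=SAMPLE_LOG):
    """Run all three detections over a log export and return their findings."""
    rows = parse(text)
    return {"failed_logon_bursts": failed_logon_bursts(rows),
            "short_lived_accounts": short_lived_accounts(rows),
            "privileged_group_changes": privileged_group_changes(rows)}
```

On the sample, the five failures from WS17 against five different accounts in eleven seconds surface as a spray, and the tmpadmin account that helpdesk1 created, placed in Domain Admins and deleted fifteen minutes later trips both the short-lived-account and the privileged-group detections; the lone failure from WS03 is below threshold and stays quiet.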
Session Summary
Implementing an identity and access management solution will greatly reduce management effort, simplify the end user experience, and increase overall security
MIIS 2003 can manage identity information, automate provisioning and deprovisioning, and synchronize various types of information among multiple identity store formats
A thorough understanding of authentication and authorization options provides the background needed to effectively secure your network infrastructure
It is important to understand which authentication and authorization protocols are appropriate for extranet access
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.mspx
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Order the Security Guidance Kit:
http://www.microsoft.com/security/guidance/order/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance
Questions and Answers
Contact Details
Paula Kiernan
Ward Solutions
paula.kiernan@ward.ie
www.ward.ie