Identity Management
John Weigelt, National Technology Officer, Microsoft Canada
30th and 31st May 2007, Chateau Laurier, Ottawa

Outline
- The Power of Identity
- Unleashing the Power of Identity
- Technical Strategy
- Roadmap
- Summary

What is Identity Management?
A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.
- Directory Services: repositories for storing and managing accounts, identity information, and security credentials.
- Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity.
- Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance.

The Power of Identity
- Empowering communication and collaboration: connecting, interacting with, anywhere access, extending the enterprise, connected systems
- What identity enables: know who you are; prove a record of interaction; grant appropriate access; protect confidential information

Identity Facts
Too many user repositories
- Enterprises have 68 internal and 12 external account directories
- 75% of internal users and 38% of external users are in multiple stores
Increasing IT operational costs
- 45% of all help desk calls are for password resets
- Organizations are managing on average 46 suppliers, spending over 1380 hours managing changes to access privilege
Inefficient account provisioning/de-provisioning
- User management consumes 34% of the total time IT spends on IdM
- User accounts get created in 16 systems and deleted in 10
Impact on user productivity
- On average IT is managing access to 73 unique applications requiring user access
- The average user spends 16 minutes a day on logins
- SSO increases user productivity by 15% and efficiency by 18%
Source: META Group research conducted on behalf of PricewaterhouseCoopers, June 2002; MSFT internal

IDA Challenges
- Compliance: provisioning in accordance with company policies; establishing auditable processes for granting access rights
- Security: ensuring that only authorized users get network access; protecting confidential information from improper distribution
- Business Enablement: creating new ways to connect with customers and partners
- Operational Efficiency: freeing up IT resources to focus on high business-value work; automating, reducing and simplifying manual processes; reducing the complexity of managing many identity stores

Connected Identity
- Partners, customers and Internet services connected through the Identity Metasystem and the WS-* Web Services Architecture
- Extending the reach of applications
- Extending the reach of information workers

Authentication Spectrum
- Mechanisms: Domain Login, X-Forest Trust, Federation, Identity Metasystem, Web Self-Asserted Login
- Scenarios: eAuthentication, Employee Network Access, eID, Cross Program Authentication, Interjurisdictional Authentication, Business Extranet, Citizen Service Delivery
- Products: Domain/Directory Services, SQL, CardSpace, ERM, CRM, LDAP, ADFS, X.500, Certificate

Piecemeal Approaches
- Separate stacks for User Provisioning, Strong Authentication, Web Access Management and Federated Identity, each with its own user experiences, infrastructure and connectors
- Connectors into directories, HR systems, ERP systems, databases, identity stores, supported applications and audit systems
- Different user portals, designers, role management, reporting, policy models, workflow, configuration databases and development models
- Multiple products with separate management, infrastructure, and connectors
- Feature overlap across management and core infrastructure

Microsoft's Offerings
- User and Developer Experiences: Microsoft Office, Windows, .NET & Visual Studio, Web Sites
- IDA Management: Identity Lifecycle Manager, Certificate Services, Rights Management Services, Active Directory Federation Services, Active Directory Domain & Directory Services
- Platform Components: Workflow Foundation, 20+ Connectors, Windows Services, WS-* Extensibility
- Best of breed for Windows that extends to the enterprise

Five Solution Scenarios (Microsoft Solution Focus Areas)
Built on the same user and developer experiences, IDA management products and platform components:
- Directory Services
- Information Protection
- Strong Authentication
- Federated Identity/SSO
- Identity Lifecycle Management

Federated Single Sign-on
Extending trust across domains (G2G, G2B). Elements: user account/credentials, security token (e.g. a Kerberos ticket), Active Directory, ADFS, intranet applications, Exchange, Web service collaboration.

Department A user accessing a WS-Security application that requires XRML:
1. ADFS creates an XRML token
2. Signs it with the department's private key
3. Sends it back to the user
4. The user accesses the external department with the token

Department A user accessing a WS-Security application in Jurisdiction B that requires SAML:
1. ADFS creates a SAML token
2. Signs it with the department's private key
3. Sends the token back to the user
4. The user accesses Jurisdiction B using the token

Password Fatigue
Have we been conditioned to be phished?

Phishing & Phraud
[Chart: New Phishing Sites by Month, December 2004 to December 2005; monthly counts range from 1,707 to 7,197. Source: http://www.antiphishing.org]

What is a digital identity?
- A set of claims someone makes about me
- Claims are packaged as security tokens
- Many identities for many uses
- Useful to distinguish from profiles

Identity is Matched to Context
- In context: bank card at ATM; government ID at border check; coffee card at coffee stand; MSN Passport at HotMail
- Out of context: coffee card at border check
- Maybe out of context: government ID at ATM; SSN as student ID; MSN Passport at eBay

The Laws of Identity (an industry dialog)
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Join the discussion at www.identityblog.com

Identity Metasystem
Participants: individuals, businesses, governments, identity providers, reputation services, anonymous identities, code and devices.
Metasystem players:
- Identity Providers: issue identities
- Relying Parties: require identities
- Subjects: individuals and other entities about whom claims are made

Roles of the Identity Selector
- Relying Party (RP): requires identities
- Identity Provider (IP): issues identities
- Subject: individual or other entity about whom claims are made
- Identity Selector (IS): displays digital identities (cards) from IPs, gets requirements from the RP, and lets the user select the card to be presented to the RP
"User controls and consents for the release of user's identity" (Laws of Identity #1)

Windows CardSpace
- Protects users from phishing and phraud attacks
- Simple, consistent user experience
- Replaces usernames and passwords with strong tokens
- Support for two-factor authentication
- Standards!! Built on WS-* Web Services Protocols
- Can be supported by websites on any technology and platform
- Tokens are cryptographically strong

Private Desktop
- Runs under a separate desktop and restricted account
- Isolates "InfoCard" from the Windows desktop
- Deters hacking attempts by user-mode processes

"InfoCard" cards
- Richard's Card: stored locally; assertions about me; not corroborated
- Woodgrove Bank: provided by banks, government, clubs, etc.; stored at the STS; metadata only

CardSpace Demo
- IE7
- Vista
- Windows XP with WinFX

Built on Open Web Services Protocols
An industry-wide activity

Benefits of Participating
- Bet on the "playing field", not some particular solution
- Increased reach: the claims transformer enables new relationships
- Increased flexibility: policy and claims-transformation "knobs and levers" enable a wide variety of relationships
- Easy to add support for new technology
- Simple, safe user experience

More Information on IDA
Learn more about Identity Lifecycle Management:
- ILM 2007 Home Page: www.microsoft.com/ILM
- ILM 2007 Identity Lifecycle Solutions: www.microsoft.com/ILM
- ILM 2007 Evaluation Edition: www.microsoft.com/ILM
Learn about Microsoft Identity and Access (IDA):
- IDA Solutions Home Page: www.microsoft.com/IDA
Work with Microsoft IDA Partners:
- IDA Partners: www.microsoft.com/IDA

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
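The Federated Single Sign-on flow and the "claims packaged as a security token" idea from the deck, worked as an added example that is not part of the original presentation or of ADFS/CardSpace: Department A's issuer signs a claims token with its private key, and the relying party in Jurisdiction B accepts the claims only after checking the signature, the audience and the expiry. The JSON token layout, the ECDSA P-256 key, the field names and the "richard" / "Jurisdiction B" / role values are assumptions standing in for a real SAML or XRML token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Token is the set of claims Department A packages about a subject for one relying party.
type Token struct {
	Subject  string            `json:"sub"`
	Audience string            `json:"aud"`
	Expires  int64             `json:"exp"`
	Claims   map[string]string `json:"claims"`
}

var DepartmentKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // Department A's signing key pair (hypothetical)

// Issue is the ADFS step: serialise the claims and sign their SHA-256 digest with the private key.
func Issue(priv *ecdsa.PrivateKey, t Token) ([]byte, []byte, error) {
	payload, _ := json.Marshal(t) // cannot fail for this struct
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return payload, sig, err
}

// Verify is the Jurisdiction B step: trust the claims only if the signature checks under the
// department's public key and the token is addressed to this relying party and not expired.
func Verify(pub *ecdsa.PublicKey, payload, sig []byte, audience string, now time.Time) (Token, error) {
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return Token{}, fmt.Errorf("signature invalid: not issued by the trusted department")
	}
	var t Token
	if err := json.Unmarshal(payload, &t); err != nil {
		return Token{}, err
	}
	if t.Audience != audience || now.Unix() >= t.Expires {
		return Token{}, fmt.Errorf("token not addressed to %q, or expired", audience)
	}
	return t, nil
}

func main() {
	payload, sig, _ := Issue(DepartmentKey, Token{"richard", "Jurisdiction B", time.Now().Add(time.Hour).Unix(), map[string]string{"role": "clerk"}})
	_, err := Verify(&DepartmentKey.PublicKey, payload, sig, "Jurisdiction B", time.Now())
	fmt.Println("Jurisdiction B accepted the token:", err == nil)
}
```

A token replayed against a different relying party, or with an altered claim, fails the audience or signature check even though it was genuinely issued by the department.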