
Strong Authentication with Identity Lifecycle Manager
Presentation Transcript


  1. Strong Authentication with Identity Lifecycle Manager John Weigelt National Technology Officer Microsoft Canada Hugh Lindley VP, Identity Assurance Avaleris Inc.

  2. Identity and Access: Identity at the Center (diagram; labels: Regulations, IT Controls, Business Policy, Security, Business Process; Interact, Inform, Decisions, Collaboration)

  3. IDA Challenges
  Compliance
  • Provisioning in accordance with company policies
  • Establishing auditable processes for granting access rights
  Security
  • Ensuring that only authorized users get network access
  • Protecting confidential information from improper distribution
  Business Enablement
  • Freeing up IT resources to focus on high business-value work
  • Creating new ways to connect with customers & partners
  Operational Efficiency
  • Automating, reducing and simplifying manual processes
  • Reducing the complexity of managing many identity stores

  4. Microsoft's IDA Offerings (diagram)
  • User and Developer Experiences: Microsoft Office, Windows, Web Sites, .NET & Visual Studio
  • IDA Management: Identity Lifecycle Manager
  • Platform Components: Active Directory Federation Services, Certificate Services, Rights Management Services, Active Directory Domain & Directory Services
  • Extensibility: Workflow Foundation, Windows Services, 20+ Connectors, WS-*

  5. Microsoft Solution Focus Areas: Focused on 5 Solution Areas (same offerings diagram as slide 4)
  • Directory Services
  • Information Protection
  • Strong Authentication
  • Federated Identity / SSO
  • Identity Lifecycle Management

  6. Identity Lifecycle Manager (timeline diagram: Previously / Today / 2H 2008)
  • Previously: MIIS, CLM
  • Today: Microsoft Identity Lifecycle Manager 2007 (metadirectory, certificate management, user provisioning)
  • 2H 2008: ILM "2" (Beta): common platform (connectors, delegation, workflow, Web service API, logging), user management, access management, credential management, policy management
  • Empowers people; IT control with less effort; increases operational efficiency

  7. Microsoft ILM 2007
  • Brings together metadirectory, certificate & smart card lifecycle management, and user provisioning across Windows and enterprise systems into a single packaged offering.
  • Identity Synchronization: provides a single view of a user across enterprise systems; automatically keeps identity information across systems consistent
  • Certificate and Smart Card Management: reduces the cost of managing certificate-based credentials; automates workflow-driven certificate issuance and revocation; vastly simplifies deployment of smart cards
  • User Provisioning: automates the process of on-boarding and off-boarding users; simplifies compliance through automated IDA enforcement; enforces consistent credentials across systems

  8. Partner: Hugh Lindley, CISSP, VP, Identity Assurance, Avaleris Inc. hugh.lindley@avaleris.com (613) 237-9695 ext 235

  9. About Avaleris
  Company Profile
  • Microsoft Identity & Access (IDA) Systems Integration Partner
  • Global provider of Identity Assurance professional services & solutions
  • Incorporated by founders of Alacris, the original developer of idNexus (predecessor to Microsoft Certificate Lifecycle Manager (CLM); acquired by Microsoft in late 2005 and now integrated with Microsoft ILM 2007)
  • Successfully deployed in over 25 global clients in North America & Europe
  Value Avaleris Provides
  • Heritage of client success & proven solution approach in Identity Assurance
  • Understanding of the management & implementation challenges
  • Depth of technical expertise in Microsoft IDA products

  10. Agenda • The business case for Multi-Factor Authentication • Typical ILM 2007 deployment scenarios • Smart card deployment scenario walkthrough • ILM 2007 demonstration • Share best practices & lessons learned • Identify additional resources

  11. Business Drivers
  Regulatory Compliance
  • Canada: GSP and MITS; Federal Accountability Act; PIPEDA, FIPA, MFIPPA; Bill 198 (ICOFR)
  • International: HSPD-12 / FIPS 201; Sarbanes-Oxley; HIPAA; Gramm-Leach-Bliley; Basel II; EU Data Protection Directive; EU Qualified Certificates & Signatures; FFIEC
  • Security and Risk Management
  • Privacy and Information Protection
  • Auditability and Accountability
  Increased IT Security & Operational Efficiencies
  • Effective deployment and lifecycle management of MFA
  • Simplifying user authentication
  • Increased efficiency of helpdesk staff

  12. Implementation Challenges • Lifecycle Management of Smart Cards and Certificates • Smart card personalization and customization • Dealing with lost, stolen or forgotten smart cards • Deployment of smart card middleware • Multi-channel authentication • Alignment of management and security practices • High number of distributed sites and locations • Leveraging existing IT infrastructure • Integration with other IDA solution components • Minimizing help-desk workload

  13. ILM 2007 Functionality: Smart Card / Certificate Lifecycle Management
  • Single administration point for digital certificates and smart cards
  • Configurable policy-based workflows for common tasks: enroll / renew / update; recover / card replacement; revoke; retire / disable smart card; issue temporary / duplicate smart card; personalize smart card
  • Detailed auditing and reporting
  • Support for centralized, decentralized and self-service scenarios
  • Tightly integrated with Active Directory

  14. Smart Cards in the Public Sector
  • U.S. Federal Government
  • HSPD-12 issued August 2004; FIPS 201 published February 2005
  • Goal: Establish a common identification standard for all federal government employees and contractors
  • Personal Identity Verification (PIV) - I (Oct 2005): Identity validation & credential issuance process
  • Personal Identity Verification (PIV) - II (Oct 2006): Ability to issue FIPS 201 compliant smart cards
  • Most departments / agencies have met initial FIPS 201 milestones and are working towards production implementations
  • Growing interest in broader public & private sectors

  15. Deployment Scenarios • Smart Card Authentication • Secure Email (S/MIME) • Secure Remote Access (VPN) • Wireless LAN Authentication • File and Hard Drive Encryption • Secure Web Applications • Distributed Certificate Enrollment • Document Signing

  17. Smart Card Deployment Requirement: • Two-factor authentication • Smart card based network login • Verification of Employee ID before card issuance • Address smart card management issues • Hundreds to tens of thousands of users

  18. Smart Card Deployment Deployment Considerations: • Registration and Issuance Process • Choice of Smart Card Platform • Lifecycle Management of the Smart Cards • Middleware Deployment (not needed where the Windows smart card Base CSP with a vendor card minidriver is used)

  19. ILM 2007 Architecture (physical / component diagram)
  • Microsoft Certificate Authority (one or more Microsoft CAs) running the CLM Policy Module and CLM Exit Module
  • Microsoft Certificate Lifecycle Manager server: CLM Web App on Internet Information Server, CLM AD Integration, SQL database, e-mail notification
  • Active Directory
  • End user: Internet Explorer with the CLM Browser Control and smart card middleware

  20. ILM 2007 Architecture: Profile Templates
  • A profile template includes one or more certificate templates managed as a single entity; it can include templates issued from more than one CA
  • Includes management policies for each task that might be performed (enrollment, recovery, etc.), each with its own workflow, self-service and data-collection settings
  • Additional profile data is included for smart card management (smart card information, if needed)
  • Contains the information necessary to enforce policy across multiple certificates, users and groups; policy updates are managed on a per-user basis by Active Directory (AD) groups
  • Stored in AD and available across the forest

  21. Smart Card Deployment • Duplicate • Enroll • Online Update • Replace Policy • Recover on Behalf • Renew Policy • Reinstate Policy • Disable Policy • Retire Policy • Temporary Cards • Unblock

  22. Enroll Policy Some questions to answer: • What level of assurance are you trying to achieve? • Are you giving the end-user the ability to self-service? • Are you using enrollment agents? • Are you collecting comments? • How many approvals do you require? • Who can initiate the request? • Who can approve the request? • What types of data will you be collecting? • Are you using one-time secrets for registration? • Are you printing smart cards or documentation during enrollment?
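The requirement on slide 17 (verify the employee before issuance), the profile-template policies on slide 20, the lifecycle operations on slide 21 and the enroll-policy questions on slide 22 are easier to reason about when written as rules that a program checks. The following is an added illustration, not ILM 2007 code or its API: a toy model in which the policy answers (who may initiate, who may approve, how many approvals, self-service, a one-time registration secret) are data, each enrollment request carries its approvals, and card-state transitions are only allowed if a transition table permits them. All class, function and group names are hypothetical, the separation-of-duties rule (an initiator cannot approve their own request) is an assumption added here, and the walkthrough input is constructed.

```python
"""Toy model of policy-driven smart card enrollment and lifecycle.
Added illustration only; not ILM 2007 code. Names are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Card states and the transitions a management policy may permit. "blocked"
# is the PIN-locked state that Unblock clears; "retired" is terminal.
ALLOWED_TRANSITIONS: dict[str, set[str]] = {
    "requested": {"active"},                      # Enroll: issuance completes
    "active": {"blocked", "disabled", "retired"},
    "blocked": {"active"},                        # Unblock
    "disabled": {"active", "retired"},            # Reinstate / Retire
    "retired": set(),
}

class PolicyViolation(Exception):
    """Raised when a request or transition breaks the configured policy."""

@dataclass(frozen=True)
class EnrollPolicy:
    """Answers to the enroll-policy questions, expressed as data."""
    initiator_groups: frozenset[str]   # e.g. enrollment agents
    approver_groups: frozenset[str]
    approvals_required: int
    self_service: bool = False         # may the subject start their own request?
    one_time_secret: bool = True       # must the subject present a registration secret?

@dataclass
class EnrollRequest:
    subject: str
    initiator: str
    state: str = "requested"
    approvals: set[str] = field(default_factory=set)
    salt: bytes = b""
    secret_hash: bytes = b""           # only a salted hash is stored, never the secret

def _hash_secret(salt: bytes, secret: str) -> bytes:
    return hashlib.sha256(salt + secret.encode()).digest()

def start_enrollment(policy: EnrollPolicy, subject: str, initiator: str,
                     initiator_groups: set[str]) -> tuple[EnrollRequest, str]:
    """Open a request. Returns it with the one-time secret to hand to the
    subject out of band (empty string when the policy does not use one)."""
    is_self = policy.self_service and initiator == subject
    if not (is_self or initiator_groups & policy.initiator_groups):
        raise PolicyViolation(f"{initiator} may not initiate enrollment")
    req = EnrollRequest(subject=subject, initiator=initiator)
    secret = ""
    if policy.one_time_secret:
        secret = secrets.token_urlsafe(12)
        req.salt = secrets.token_bytes(16)
        req.secret_hash = _hash_secret(req.salt, secret)
    return req, secret

def approve(policy: EnrollPolicy, req: EnrollRequest, approver: str,
            approver_groups: set[str]) -> int:
    """Record one approval; return the distinct approval count.
    Assumed separation-of-duties rule: the initiator cannot approve."""
    if req.state != "requested":
        raise PolicyViolation("request is not awaiting approval")
    if approver == req.initiator:
        raise PolicyViolation("initiator cannot approve their own request")
    if not approver_groups & policy.approver_groups:
        raise PolicyViolation(f"{approver} is not in an approver group")
    req.approvals.add(approver)        # a set: repeat approvals are not double-counted
    return len(req.approvals)

def issue_card(policy: EnrollPolicy, req: EnrollRequest, presented_secret: str = "") -> str:
    """Complete enrollment once approvals and (optionally) the secret check out."""
    if len(req.approvals) < policy.approvals_required:
        raise PolicyViolation(f"{len(req.approvals)} of {policy.approvals_required} approvals")
    if policy.one_time_secret and not hmac.compare_digest(
            _hash_secret(req.salt, presented_secret), req.secret_hash):
        raise PolicyViolation("registration secret does not match")
    req.secret_hash = b""              # single use: the secret cannot be replayed
    return transition(req, "active")

def transition(req: EnrollRequest, new_state: str) -> str:
    """Apply a lifecycle transition only if the table permits it."""
    if new_state not in ALLOWED_TRANSITIONS.get(req.state, set()):
        raise PolicyViolation(f"{req.state} -> {new_state} is not permitted")
    req.state = new_state
    return req.state

def violates(action, *args) -> bool:
    # True if the action is refused by policy (useful for audits and tests).
    try:
        action(*args)
    except PolicyViolation:
        return True
    return False

if __name__ == "__main__":
    # Constructed walkthrough: self-service request, two approvals, issuance.
    policy = EnrollPolicy(frozenset({"CardAgents"}), frozenset({"CardApprovers"}), 2,
                          self_service=True)
    req, secret = start_enrollment(policy, "alice", "alice", set())
    approve(policy, req, "bob", {"CardApprovers"})
    print("one approval enough?", not violates(issue_card, policy, req, secret))
    approve(policy, req, "carol", {"CardApprovers"})
    print("issued:", issue_card(policy, req, secret))
    print(transition(req, "blocked"), transition(req, "active"), transition(req, "retired"))
```

The two checks that matter operationally are that the registration secret is compared in constant time against a salted hash and discarded after one use, and that the transition table, not the caller, decides whether a retired card can come back (it cannot). In a real deployment the policy object corresponds to what slide 20 describes being stored in AD and resolved through group membership.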

  23. Enroll Policy

  25. Demo: Smart Card Enrollment Policy and Smart Card Issuance

  26. Benefits of ILM 2007 Approach • Two-factor authentication • Reduced cost and complexity • Flexible policy-driven workflow model • Integrated identity lifecycle management (certificates, smart cards, etc.) • Supports a range of smart card platforms • Less custom development effort required • Leverages existing infrastructure

  27. Lessons Learned
  Business
  • Proceed in a phased approach to realize success early
  • Align the issuance process with management and security policy
  • Use risk assessments to identify high-sensitivity systems
  • Determine your required level of assurance
  • Map the access control workflow and optimize where possible
  Technical
  • Understand the smart card lifecycle management challenge
  • Map out the optimal deployment scenario: centralized, decentralized or self-service
  • Select a smart card & middleware strategy
  • Deal with temporary card issuance
  • Leverage existing infrastructure where practical

  28. ILM 2007 Resources • Microsoft ILM 2007 Website - www.microsoft.com/ilm • Datasheets • Whitepapers • Flash Demo • Avaleris Website - www.avaleris.com • Identity Assurance Solutions • ILM 2007 Service Offerings • Whitepapers & technical information • Avaleris ILM 2007 Lunch & Learn Series • Closer look at ILM 2007 within context of your specific requirements • Map out next steps towards ILM 2007 Proof of Concept Pilot • Contact Avaleris representative for schedule of upcoming sessions

  29. Avaleris Contacts • Hugh Lindley, CISSP • VP, Identity Assurance • hugh.lindley@avaleris.com • (613) 237-9795 ext 235 • Anita Burwash • VP, Sales • anita.burwash@avaleris.com • (613) 237-9695 ext 221