
Identity Management Secure Connected Infrastructure

Identity Management Secure Connected Infrastructure. Julius Davies, Principal Systems Engineer, Microsoft Security Solutions, Feb 4th, 2003. Agenda: Identity Management and Secure Connected Infrastructure; The Microsoft Identity Management Strategy; Roadmap; Next Steps. Components of SCI.


Presentation Transcript


  1. Identity Management / Secure Connected Infrastructure. Julius Davies, Principal Systems Engineer, Microsoft Security Solutions, Feb 4th, 2003

  2. Agenda • Identity Management and Secure Connected Infrastructure • The Microsoft Identity Management Strategy • Roadmap • Next Steps

  3. Components Of SCI
     Identity Management
     • Directory Services (AD & MMS)
     • Authentication (Credential Mgmt, Protocols, Federation)
     • Authorization (ACLs and Roles)
     • Policy-based management (GP and GPMC)
     Secure Network Connectivity
     • Secure Internet connectivity (MSA & ISA)
     • Secure remote access (VPN, IAS)
     • Secure wireless networks (PKI + 802.1x)
     Security Management & Operations
     • Tools (MBSA, MSUS)
     • Guidance (MOC, PAGs, Security Best Practices)
     • Services (MSQS, PSS, & professional services)

  4. Secure Connected Infrastructure Overview
     [Diagram: the three pillars Secure Network Connectivity, Integrated Identity Management and Security Management and Operations, drawn over a network of Firewall, VPN Gateway, Wireless LAN, LAN, Active Directory, a Non-AD Directory, a UNIX Application, Exchange, SQL Server, File Sharing and Web Services]
     Lower Cost of Security
     • Integrated infrastructure solution
     • Centralized management of network resources
     • Fewer identities and directories to manage
     • Interoperability with other platforms
     Reduced Security Risk
     • Prescriptive guidance
     • Internet protection via firewall and content filtering
     • Security tools and services
     • Security patch management infrastructure

  5. Why Identity Management: User Perspective
     [Diagram: one user holding a separate account/credential for each of email, VPN, File Share, Web Service, Internet B2B, Mainframe and UNIX App]
     The Problem
     • Too many credentials
     • Which one for which app
     • Multiple logons
     The Business Impact
     • Increases risk of compromise
     • Reduced productivity
     • Increased helpdesk expenses

  6. Why Identity Management: IT Perspective
     [Diagram: a separate account directory behind each of email, VPN, File Share, Web Service, Internet B2B, Mainframe and UNIX App]
     The Problem
     • Provisioning new accounts
     • Password management
     • Auditing user activity
     • De-provisioning users
     • Managing non-employee access
     The Business Impact
     • People intensive
     • Delayed access for new hires
     • Risk of unauthorized access
     • No single view of the user

  7. A bit of history… or, how the Microsoft Identity Management vision has morphed over time…

  8. Identity Management, Circa 1997
     [Diagram: Active Directory at the center, serving a portal application and a generic app via single sign-on (LDAP, Kerberos), fed by automated provisioning from an HR/ERP application, publishing a Whitepages/GAL, under centralized management, and providing policy-based admin and single sign-on for Windows-based resources]
     • “Enterprise directory” + “NOS directory”
     • Repository of consolidated information
     • Centralized management, provisioning
     • Single sign-on
     • Data re-used by many applications

  9. Where We Are Today
     [Diagram: centralized management is non-existent; the portal application runs on eDirectory (LDAP), the generic LDAP-based app on iPlanet, the HR/ERP app on a database with a generic dump into an iPlanet Whitepages (LDAP), and Outlook/Exchange (MAPI) on Active Directory, which provides policy & SSO for Windows only; synchronization between them is ad hoc]
     • Directories deployed per-app; little re-use
     • Provisioning, sync are ad hoc

  10. How Did We Get Here? • Political factors • Lack of coordination between business units; In a large org, app owner may be unaware of central DS deployment • Central schema closely guarded, bureaucratic process for update, why not just deploy own? • App owner wants full accountability, wants to own DS servers • “I don’t want to unleash my corporate developers on my domain controllers.”

  11. How Did We Get Here? • Technical factors • Data may only be interesting to one app; no reason to put in central directory • Data may be unsuited for broad replication (volatile or relatively large) • DS-enabled app usually sold with preferred DS in mind • Customers much more likely to use vendor’s preferred DS for support reasons • App may want data stored locally for performance; avoid network roundtrips

  12. How Did We Get Here? • Active Directory factors • AD not as easy to set up as some competitor directories because of its NOS capabilities/role • Active Directory may not yet be deployed; corporate developers and ISVs not going to wait!

  13-16. What Could Be Better? (built up over four slides)
     [Diagram: the same per-app landscape as slide 9, now with IBM SecureWay alongside eDirectory, iPlanet, a database and Active Directory, which still provides policy & SSO for Windows and Outlook/Exchange only; no centralized management]
     • No central management
     • Data shared between apps becomes inconsistent
     • Multiple user IDs and passwords
     • Multiple dissimilar implementations requiring dissimilar skill sets

  17. Microsoft Strategy: a CompleteDirectory Services Solution

  18. The Solution
     [Diagram: Active Directory as the Infrastructure Directory at the center, with MMS 3.0 providing metadirectory access and sync to a 3rd-party DS, a UDDI Web Service DS, application directories (App DS, AD/AM), DS-enabled apps, an HR/ERP app and a database; the whole is labelled “centralized identity management”]
     • Integrated product suite for full range of usage scenarios

  19. Drill Down
     [Same diagram as slide 18, highlighting the infrastructure directory]
     • The infrastructure directory role

  20. AD As Infrastructure Directory: Role of the Infrastructure Directory
     • Centralized authentication
       • Avoid proliferation of user IDs and passwords
       • Supports multiple protocols (Kerberos, NTLM, Smartcard, “LDAP”)
     • Store for data shared between apps, or data to be globally distributed
       • Small, relatively unchanging schema
       • Examples: address book-type information; service publication/discovery

  21. Drill Down
     [Same diagram as slide 18, here labelled MMS 2003 rather than MMS 3.0, highlighting the metadirectory]
     • The metadirectory role

  22. MMS As Metadirectory: The Role of Metadirectory
     • Classic metadirectory
       • To enable a holistic view of Identity Management
       • Get data (such as telephone numbers) from an authoritative source and sync it to the directories where it is needed
     • As a programmable platform for
       • Centralized Identity Management solutions
       • Provisioning identity
       • Complex workflow-driven provisioning with BizTalk
     • For data aggregation between forests
       • Merged global address list across forests
       • Find printers from remote forests

  23. The Different Categories of Provisioning
     [Diagram: the attributes Title, Tel No. and Email flow from a source system through the MMS engine to the target systems; the three categories are drawn as tiers, with a business provisioning application and IT provisioning workflow layered on top of MMS]
     • Simple Provisioning
       • Raw MMS
       • No code
       • MMS only
     • IT Provisioning / Workflow
       • MMS
       • MA coding
       • Possibly BizTalk Orchestration
     • Business Provisioning
       • 3rd parties: Business Layers & Waveset
       • Business & IT
       • Complex rules and workflow
       • Reporting
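The two slides above (22 and 23) describe a metadirectory pass in words: join objects from several sources on an anchor, flow each attribute from its authoritative source, provision what is new and, per slide 6, de-provision what has gone. The following PowerShell is an added example of that logic on constructed data; it is not MMS code and not part of the presentation. The HR and AD snapshots, the anchor attribute (employeeID) and the decision that HR owns title/telephone while AD owns mail are all assumptions. It goes slightly beyond the slide by also flagging enabled accounts that have no HR counterpart, since those are exactly the orphans a "no single view of the user" environment accumulates.

```powershell
# Added example (not from the presentation): one metadirectory-style sync pass.
# All data is constructed; attribute ownership and the anchor are assumptions.

# HR is authoritative for title, telephone number and employment status.
$hrSnapshot = @(
    @{ employeeID = '1001'; displayName = 'Ada Lovelace'; title = 'Engineer';  telephoneNumber = '+1 555 0101'; status = 'active' }
    @{ employeeID = '1002'; displayName = 'Grace Hopper'; title = 'Architect'; telephoneNumber = '+1 555 0102'; status = 'active' }
    @{ employeeID = '1003'; displayName = 'Alan Turing';  title = 'Analyst';   telephoneNumber = '+1 555 0103'; status = 'terminated' }
)
# Active Directory is authoritative for mail; everything else flows in from HR.
$adSnapshot = @(
    @{ employeeID = '1001'; sAMAccountName = 'alovelace'; title = 'Engineer';   telephoneNumber = '+1 555 0199'; mail = 'alovelace@example.com'; enabled = $true }
    @{ employeeID = '1003'; sAMAccountName = 'aturing';   title = 'Analyst';    telephoneNumber = '+1 555 0103'; mail = 'aturing@example.com';   enabled = $true }
    @{ employeeID = '1004'; sAMAccountName = 'contract7'; title = 'Contractor'; telephoneNumber = '';            mail = 'contract7@example.com'; enabled = $true }
)

function Invoke-SyncPass {
    param([hashtable[]]$Hr, [hashtable[]]$Ad)
    $hrOwned = 'title', 'telephoneNumber'          # attribute flow HR -> AD

    # Persistent join on the anchor attribute.
    $adByAnchor = @{}
    foreach ($a in $Ad) { $adByAnchor[$a.employeeID] = $a }
    $hrAnchors = @{}
    foreach ($h in $Hr) { $hrAnchors[$h.employeeID] = $true }

    $plan = New-Object System.Collections.Generic.List[object]
    foreach ($h in $Hr) {
        $joined = $adByAnchor[$h.employeeID]
        if ($h.status -ne 'active') {
            # Leaver: disable rather than delete, so the SID and the audit trail survive.
            if ($joined -and $joined.enabled) {
                $plan.Add([pscustomobject]@{ Action = 'Disable'; Anchor = $h.employeeID; Changes = @{ enabled = $false } })
            }
            continue
        }
        if (-not $joined) {
            # New hire with no AD object yet: simple provisioning from the HR attributes.
            $plan.Add([pscustomobject]@{ Action = 'Provision'; Anchor = $h.employeeID
                Changes = @{ displayName = $h.displayName; title = $h.title; telephoneNumber = $h.telephoneNumber } })
            continue
        }
        # Existing, joined object: flow only the attributes HR owns, only when they differ.
        $delta = @{}
        foreach ($attr in $hrOwned) {
            if ($joined[$attr] -ne $h[$attr]) { $delta[$attr] = $h[$attr] }
        }
        if ($delta.Count -gt 0) {
            $plan.Add([pscustomobject]@{ Action = 'Update'; Anchor = $h.employeeID; Changes = $delta })
        }
    }
    # Enabled AD accounts with no HR counterpart are surfaced for review instead of
    # being left live; an automated pass must not silently keep unknown access.
    foreach ($a in $Ad) {
        if ($a.enabled -and -not $hrAnchors.ContainsKey($a.employeeID)) {
            $plan.Add([pscustomobject]@{ Action = 'ReviewOrphan'; Anchor = $a.employeeID; Changes = @{} })
        }
    }
    return $plan
}

foreach ($step in Invoke-SyncPass -Hr $hrSnapshot -Ad $adSnapshot) {
    $changes = ($step.Changes.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join ', '
    '{0,-12} {1}  {2}' -f $step.Action, $step.Anchor, $changes
}
```

On the constructed snapshots the pass yields one Update (1001's telephone number, because HR wins for that attribute), one Provision (1002), one Disable (1003, terminated in HR but still enabled in AD) and one ReviewOrphan (1004, enabled in AD with no HR record). A real management agent would turn the returned plan into LDAP modifications; the point here is that the join and the ownership rules, not the connector, decide what changes.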

  24. Password Management
     [Diagram: a web application with two entry points, Administrator “Set P/W” and Self-Service “Change P/W”, calling a core web service that reaches the connected directories through MMS, its SQL store and the Management Agents]
     • Set / Change Password capability:
       • iPlanet, AD, NT4, NDS, Notes
       • Complete list TBD
     • Performed “out of band” with MMS data flows
     • Core function delivered as a web service
     • Web application provided to support:
       • Admin P/W set
       • Self-service P/W change
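The slide separates an administrator "Set" from a self-service "Change" without saying why they are different operations. Against AD or AD/AM (today's AD LDS) the difference is visible on the wire: a reset is a single Replace of unicodePwd and needs reset rights, while a change is a Delete of the old value plus an Add of the new one in one Modify, which the directory only accepts if the old password is correct. The PowerShell below is an added example using System.DirectoryServices.Protocols; it is not the password web service from the slide and not part of the presentation. The host name, DNs, passwords and the use of LDAPS on port 636 are assumptions, and it assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the presentation): admin "Set" vs self-service "Change"
# of a password over LDAPS. Host, DNs and passwords below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Opens an LDAPS session. AD and AD/AM refuse unicodePwd modifications over
# cleartext LDAP, so SSL is not optional here.
function New-LdapsConnection {
    param([string]$Server, [int]$Port = 636, [pscredential]$Credential)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    if ($Credential) {
        # Simple bind with the user's own DN: the only option for AD/AM users,
        # which are not Windows security principals (slide 29).
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Bind($Credential.GetNetworkCredential())
    } else {
        # Current Windows identity, an AD principal, which AD/AM also accepts (slide 35).
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
    }
    return $conn
}

# Administrator "Set" (reset): one Replace of unicodePwd. The directory does not
# check the old password, so the caller needs reset rights on the object and this
# path must sit behind the administrator's own strong authentication.
function Set-UserPassword {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection, [string]$UserDn, [string]$NewPassword)
    $mod = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
    $mod.Name      = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    # unicodePwd is the UTF-16LE encoding of the password wrapped in double quotes.
    [void]$mod.Add([System.Text.Encoding]::Unicode.GetBytes('"' + $NewPassword + '"'))
    $req = [System.DirectoryServices.Protocols.ModifyRequest]::new()
    $req.DistinguishedName = $UserDn
    [void]$req.Modifications.Add($mod)
    [void]$Connection.SendRequest($req)    # throws DirectoryOperationException if refused
}

# Self-service "Change": Delete the old value and Add the new one in a single
# Modify. The directory verifies the old password itself, so the user needs no
# reset privilege and a hijacked session cannot rotate the password without it.
function Update-OwnPassword {
    param([System.DirectoryServices.Protocols.LdapConnection]$Connection, [string]$UserDn, [string]$OldPassword, [string]$NewPassword)
    $req = [System.DirectoryServices.Protocols.ModifyRequest]::new()
    $req.DistinguishedName = $UserDn
    foreach ($pair in @(@('Delete', $OldPassword), @('Add', $NewPassword))) {
        $mod = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
        $mod.Name      = 'unicodePwd'
        $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]$pair[0]
        [void]$mod.Add([System.Text.Encoding]::Unicode.GetBytes('"' + $pair[1] + '"'))
        [void]$req.Modifications.Add($mod)
    }
    [void]$Connection.SendRequest($req)    # constraint violation if the old password is wrong
}

# Usage (assumed values): the helpdesk resets over its Windows identity, then the
# user binds with the temporary password and changes it to one nobody else saw.
$userDn = 'CN=alice,OU=Users,O=Portal'
$admin  = New-LdapsConnection -Server 'adam.example.com'
Set-UserPassword -Connection $admin -UserDn $userDn -NewPassword 'Temp-2003-Reset!'
$admin.Dispose()

$cred = [pscredential]::new($userDn, (ConvertTo-SecureString 'Temp-2003-Reset!' -AsPlainText -Force))
$user = New-LdapsConnection -Server 'adam.example.com' -Credential $cred
Update-OwnPassword -Connection $user -UserDn $userDn -OldPassword 'Temp-2003-Reset!' -NewPassword 'long passphrase the helpdesk never saw'
$user.Dispose()
```

The practical consequence for a password web service like the one on the slide is that only the "Set" entry point needs a privileged identity; the "Change" entry point can run entirely as the end user, which is the least-privilege split the slide's two boxes imply.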

  25. Password Sync: P-Synch – MMS Integration
     [Diagram: MMS, with its SQL store and persistent join data, feeding the user’s account information into M-Tech’s P-Synch engine, which reaches the connected systems through its own interfaces]
     • Full password sync: use an ISV, e.g. M-Tech’s P-Synch
     • MMS used to capture the user’s account information (persistent join data)
     • P-Synch engine interfaces to the target systems

  26. MMS As Metadirectory: Why MMS 2003 is Significant
     • Simplified deployment and operations for core scenarios
     • Transparency in design, deployment, ops
       • Data lineage, preview mode, statistics/logging
     • Leverage familiar, existing technology
       • XML for rules, config, import/export
       • Visual Studio .NET for extension development
       • Familiar SQL Server 2000 store
     • Programming platform for “Identity Management” solutions

  27. Drill Down
     [Same diagram as slide 18, highlighting the application directories (App DS, AD/AM)]
     • The application directory role

  28. Introducing: AD/AM, Active Directory in Application Mode
     [Diagram: side by side, the NOS Active Directory process (LSASS hosting the DSA with its LDAP, KDC, Lanman, MAPI and REPL interfaces, plus the SAM, FRS and DNS dependencies) and AD/AM (DSAMAIN hosting the same DSA with only LDAP and REPL: traditional AD minus the legacy pieces)]
     • Same code as Active Directory
     • Programming model, admin tools virtually identical to infrastructure AD; familiarity means skill sets easily transferable

  29. Introducing: AD/AM • New capabilities • Simple install and setup (no DCPROMO) • Restart or reinstall without reboot • Multiple instances on single machine • Each instance with own schema • X.500-style O=, C= naming • For developers: runs on Windows XP • Same as AD in every other way except • No locator via DNS SRV records • Users, groups in AD/AM are not Windows security principals

  30. AD/AM Usage Scenarios • App-specific local directory • Supporting legacy applications • Programmatic LDAP access to MMS 2003 • Extranet Access Management (EAM)

  31. AD/AM Usage Scenarios 1. App-Specific Local Directory
     [Diagram: a client talks to a web portal server; the server stores and retrieves data in its local AD/AM and authenticates the client against the infrastructure Active Directory]
     • Example: web portal with personalization
     • Store personalization info in AD/AM
     • Use AD for authentication

  32. AD/AM Usage Scenarios 1. App-Specific Local Directory (continued)
     [Diagram: two web portal servers, each with its own AD/AM instance replicating with the other, both authenticating clients against the infrastructure Active Directory]
     • Multi-master replication with site topology; same functionality as AD
     • App can independently determine schedule, topology of AD/AM instance

  33. AD/AM Usage Scenarios 1. App-Specific Local Directory (continued)
     [Diagram: as slide 31, with an optional MMS between the AD/AM instance and the infrastructure Active Directory]
     • MMS optional, for provisioning
       • Provision objects in AD/AM as objects are added/removed from infrastructure AD
       • Publish select data from AD/AM objects into infrastructure AD

  34. AD/AM Usage Scenarios 4. Extranet Access Management
     [Diagram: web clients reach web servers fronted by an EAM policy server; the policy server authenticates users with an LDAP bind (authN) against AD/AM and keeps a separate LDAP “admin connection” (search, update) to it for policy storage]
     • EAM solutions can use AD/AM
       • Netegrity SiteMinder, OpenNetwork DirectorySmart, Oblix NetPoint, etc.
     • “Pseudo-authentication” via LDAP bind calls
     • Policy storage
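"Pseudo-authentication via LDAP bind" is exactly what the slide says and nothing more: the EAM server looks the user up over its admin connection, then proves the password by binding as that user. Two details decide whether that is an authentication or a hole, and the slide leaves them implicit: an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many servers answer with success, and a login name pasted into a search filter can rewrite the filter. The PowerShell below is an added example, not code from any EAM product and not part of the presentation; it uses System.DirectoryServices.Protocols against AD/AM (today's AD LDS). The host, search base, login attribute and port 636 are assumptions. The bind is done on a fresh connection because bind state is per connection and the admin connection must keep its own identity.

```powershell
# Added example (not from the presentation): EAM-style LDAP bind authentication
# against AD/AM, with the checks a bind-based login needs. Host, base and
# attribute names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Returns $true only if the login name matches exactly one user under $SearchBase
# and a fresh LDAP simple bind as that user's DN succeeds over LDAPS.
function Test-LdapCredential {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [Parameter(Mandatory)][string]$SearchBase,         # assumption, e.g. 'OU=Users,O=Portal'
        [string]$LoginAttribute = 'userPrincipalName',     # assumption: what the portal asks the user for
        [Parameter(Mandatory)][string]$LoginName,
        [Parameter(Mandatory)][string]$Password,
        [pscredential]$ServiceCredential                   # identity of the "admin connection"; omit for the current Windows identity
    )
    # 1. Refuse empty passwords before touching the wire: a DN with an empty
    #    password is an unauthenticated bind and "success" would mean nothing.
    if ([string]::IsNullOrWhiteSpace($Password)) { return $false }

    # 2. Escape the login name per RFC 4515 so "*" or ")(cn=admin" cannot rewrite the filter.
    $escaped = $LoginName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $filter  = "(&(objectClass=user)($LoginAttribute=$escaped))"

    $id = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)

    # 3. Resolve the DN over the service ("admin") connection, the only one that searches.
    $admin = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $admin.SessionOptions.SecureSocketLayer = $true
    $admin.SessionOptions.ProtocolVersion   = 3
    try {
        if ($ServiceCredential) {
            $admin.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $admin.Bind($ServiceCredential.GetNetworkCredential())
        } else {
            $admin.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $admin.Bind()
        }
        $search = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $SearchBase, $filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('distinguishedName'))
        $result = [System.DirectoryServices.Protocols.SearchResponse]$admin.SendRequest($search)
        # Exactly one entry or nothing: zero is an unknown user; two or more is an
        # ambiguous, possibly attacker-planted, account and must not "pick the first".
        if ($result.Entries.Count -ne 1) { return $false }
        $userDn = $result.Entries[0].DistinguishedName
    } finally {
        $admin.Dispose()
    }

    # 4. The "pseudo-authentication": a simple bind as the user on a new connection,
    #    over TLS so the password is not sent in the clear.
    $user = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $user.SessionOptions.SecureSocketLayer = $true
    $user.SessionOptions.ProtocolVersion   = 3
    $user.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    try {
        $user.Bind([System.Net.NetworkCredential]::new($userDn, $Password))
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return $false     # invalidCredentials (result code 49) or an account restriction
    } finally {
        $user.Dispose()
    }
}

# Usage (assumed host and base; $suppliedPassword comes from the login form):
# Test-LdapCredential -Server 'adam.example.com' -SearchBase 'OU=Users,O=Portal' -LoginName 'alice@portal.example.com' -Password $suppliedPassword
```

A bind-based login also tells the caller nothing about lockout or password age; those policies live in the directory (or, for AD/AM users, in whatever the application enforces), which is why the slide positions this as pseudo-authentication rather than a replacement for the infrastructure directory's Kerberos logon.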

  35. What AD/AM is Not • Not usable by Exchange 2000 • Exchange requires security principals • Exchange requires MAPI protocol • Factoring application and infrastructure data part of philosophy for next generation Exchange • Not a Windows logon server • Not a KDC (although can Kerberos authenticate if passing credentials of AD-based user) • AD/AM does not diminish the need for infrastructure Active Directory

  36. Identity Management Technology Roadmap
     • XML Web Services Specifications
       • Broad set of specifications to enable federation of Web Services
       • In collaboration with IBM, Verisign, etc.
       • WS-Security working group within OASIS
       • Kerberos, X.509v3, SAML and XrML “security tokens”
     • Windows Server 2003 – April 2003
       • Cross-forest trust – intranet federation
       • Native support for Passport authentication
       • Integrated role-based access control
       • Web Services integration (.NET Framework and UDDI)
     • MMS 2003 – 1st half 2003
       • Directory integration & synchronization
       • Account provisioning
       • Password management
       • Single view of a user across the enterprise
     • Active Directory Application Mode – 2H 2003
       • Enables AD to be deployed as a “simple” LDAP directory
       • Used for application-specific user information
     • “Jupiter” (e-business server) – Q4 2003
       • SSO through adapters to enterprise applications
     • Passport Federation Support – H2 2003
       • Authentication authority for consumer web services
       • Federation support in 2003 based on Web Services
     • “TrustBridge” – TBD
       • Based on WS-Security for identity interoperability
       • True federated single sign-on (no duplicated or mapped IDs)
       • Web security runtime to enable federated applications

  37. Future Solution Offerings
     [Diagram: a stack of identity management layers, Directory Services, Authentication, User Management, Access Management and Identity Management Processes, with Windows Single Sign-On, Web SSO / EAM and Enterprise Reduced Sign-on drawn across them]
     • Web Single Sign-On / Enterprise Reduced Sign-On
       • Partnering with OpenNetworks, Oblix, BMC
       • Works in a heterogeneous environment
       • Consulting required for implementation
       • Aligned with Windows Server 2003 launch

  38. Summary
     • Standardize on a single directory technology
       • Consolidate LDAP directories with Active Directory
       • Use AD with integrated security for Windows SSO
       • Use AD/AM for application-specific user information
     • Use Kerberos for interoperability
       • Industry-standard protocol for authentication
       • Native protocol used by Windows servers and clients
       • Used by many UNIX-based applications
     • Use MMS to simplify Identity Management
       • Directory integration and synchronization
       • Enabler for provisioning
       • Enabler for password management
       • Single view of the user across the enterprise
     • Plan for Federated Identity Management
       • Utilize Web services standards (XML, SOAP, UDDI)
       • Get familiar with WS-Security
       • “TrustBridge” will enable secure identity federation

  39. Next Steps
     • Call to action
       • MMS 2003 Release Candidate CD
         • Walkthroughs for key scenarios: Classic Metadirectory, Simple Provisioning, Multi-forest AD, Group/DL Management and Password Set/Reset
         • CD-based MMS Planning and Deployment Workshop
         • Will be available via MSDN Universal Subscriber Downloads
       • Windows Server 2003 Release (MSO’s)
     • Web resources:
       • http://www.microsoft.com/mms
       • http://www.microsoft.com/activedirectory
     • Metadirectory Services User Group:
       • http://groups.yahoo.com/group/MMSUG/
     • Analysts:
       • Gartner, Burton Group, IDC, Meta Group
