
Identity Management at Microsoft

Identity Management at Microsoft. Alan Stone ANZ IT Director Microsoft Corporation. Our definition.





Presentation Transcript


  1. Identity Management at Microsoft
  Alan Stone, ANZ IT Director, Microsoft Corporation

  2. Our definition
  Identity and Access Management is a set of processes enabled by software to manage the lifecycle of identities, as well as the security and privacy policies that govern how the identities can be used to access IT resources.

  3. Identity Management Service
  The Service guarantees the privacy, consistency and fidelity of all identities in the Identity Systems (enterprise) through secured access while ensuring regulatory compliance.
  Microsoft IT approaches Identity Management as an end-to-end service
  • Identity Management (IdM) is tied to the AD and is core to ensuring a secure, private and controlled environment. This is a key focus area for Sarbanes-Oxley compliance.

  4. Microsoft IT and IdM
  • Identity Management in Microsoft is similar to your experience
    • Provisioning and Lifecycle Management
    • Secure Access Management
    • Password Management
    • Enterprise Directory Management
    • Governance and Compliance
  • Manageability challenges similar to customers
    • How to ensure security and enforce least privilege while still providing necessary access
    • Need to centrally manage a federated (multi-forest) environment
  • Value of Microsoft IT
    • Highly effective partnership with Windows Product Group
    • IT driving solid business requirements into AD, MIIS teams from real-world experiences

  5. The Identity Management Lifecycle
  • New User
    • User ID Creation
    • Credential Issuance
    • Account Provisioned
    • Access Assignments
  • Account Changes
    • Promotions
    • Transfers
    • New Privileges
    • Attribute Changes
  • Departing User
    • De-provision Account
    • Remove Entitlements
  • Synchronize Identity
    • Extend lifecycle information across all identity stores
  • Entitlement Reporting
    • Audit/log any changes
    • Keep track of Entitlements

  6. Microsoft IT User Provisioning and Lifecycle
  • Microsoft IT Guidelines
    • Clearly define the authoritative source for all user attributes
    • Clearly define and document processes and policies
    • HR is the authority on who works at Microsoft and on Address Book information (Manager, Phone number)
    • IT is the authority on network account name, mailbox, remote access
  • Increase IT efficiency through automation
    • Consistency checking automated
    • Terminations fully automated
    • Creation partially automated today, full automation coming
    • Automated Address Book Updates - from HR systems, through AD to Exchange
    • Automated Provisioning of some entitlements – OWA, RAS, etc.
  • Microsoft Identity Integration Server (MIIS) provides the foundation for all Identity automation

  7. How Does Identity Flow in MIIS?
  [Diagram: a metadirectory with two Connector Namespaces (HR Database; AD and Messaging) feeding a shared Metaverse Namespace. The HR record for "Suzan Fine" carries Full Name, Title and Employee #; the AD record for "Sue Fine" carries Name, Post Office Location and Employee #; both records carry Employee #. Attribute flows between the connector spaces and the Metaverse are numbered 1 through 5.]

  8. Access is a privilege, not a right!
  • Microsoft IT Guidelines
    • Investigate adopting the most restrictive policies and implement them company-wide
    • Build a Policy Management strategy
    • Post all user policies centrally
    • Build a Policy Education and Awareness campaign
    • Microsoft focuses on Business Code of Conduct, Security Basics, Diversity
  • Principle of Least Privilege Authorization
    • Role-based access based on the minimum access needed
    • Used to lock down Intellectual Property (IP) like source code, HR systems
    • MIIS Solution coming – calculated security group creation and management

  9. Elevated Access Management
  • Elevated Access = Administrative Account
    • Any access above and beyond regular user access
    • Includes Read, Read/Write, Full Admin Control
    • Access level based on the individual's role and responsibility
  • Alternate Account created for better auditing and reporting
    • Has limited privileges (no email, no RAS)
    • Terminated automatically when the user account is terminated
  • Requires:
    • Two-factor authentication
    • Director approval and re-justification every 6 months
    • Annual Security and Compliance training
    • Pledge to abide by policies every 6 months

  10. Password Management Guidelines
  • Microsoft IT Password Policy
    • NO non-expiring passwords – users, service or administrative accounts
    • Strong and complex passwords are required, including local Admin accounts
    • Password cannot be serial, synchronized, nor have been used previously
    • Group Policy used to enforce security policies in all Forests
  • Password Delivery Process
    • Must prove identity
    • Securely delivered only to the user or manager
    • Acquisitions are challenging
  • Password Reset Cost
    • Expensive - #1 Helpdesk support call, but it is secure
    • Testing MIIS Self Service Password Reset Application today

  11. Enterprise Directory Management
  • Manage Active Directory Infrastructure Content
    • Forests, Domains, Trusts, Organizational Units, Schema, Group Policy Objects, Group Management
  • Microsoft IT Guidelines
    • Clearly document the process and timeframes for users
    • Use InfoPath Forms for requests
    • Strong workflow with approvals required
    • Emergency process requires requesting Director approval
  • Deployments
    • Plan, Plan, Plan
    • Always phased, with clear roll-back plans
    • Change Control Board notified
  • Goal is to maintain Active Directory stability!

  12. Microsoft IT Governance
  • Governance is the centralized body used to integrate and manage the policies and processes for regulatory compliance
  • Regulatory Compliance is rapidly becoming mission critical
    • Impacts Privacy, Security, Investor Confidence, Revenue
    • Examples: EU Fair Information Act, EU Data Protection Directive, US HIPAA, US Sarbanes-Oxley Act, etc.
  • It is all about Managing Access
    • IT manages access to and provides support for financial systems, and is therefore heavily involved in the Sarbanes-Oxley Act

  13. Microsoft IT Guidelines - Governance
  • Governance - Step by Step
    • What's key to your business? It's all about securing your Intellectual Property
    • Document, Document, Document!
    • Develop your audit plans
      • Must show evidence!
    • Perform Audit
      • Report successes and failures to Management
      • Failures – remediate and audit again
    • Management Sign-off
      • Required for Internal and External Auditors
  • Governance Guidelines
    • Automate everywhere possible
    • Build applications with auditing and reporting capabilities
    • Review documentation regularly
    • Make Operations Managers accountable

  14. Microsoft IT Governance Controls
  • Manage Elevated Access
    • Ensure Roles and Responsibilities correspond to the access granted to Users and Applications
  • Enforce Security and Privacy Policy
    • Use Active Directory settings and Group Policy deployment
    • Closely monitor requests that expose Identity data
  • Manage Account Lifecycle
    • Ensure Accounts are terminated on time
    • When Roles change – access changes
  • Integrate Workflow and Consistency
    • Ensure regulatory compliance is a key decision factor in workflow
    • Forces compliance requirements into application development
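An added audit script, not part of the original presentation, that turns two of the controls above into an evidence report: the slide 10 rule that no user, service or administrative account may have a non-expiring password, and the slide 14 control that accounts are terminated on time. It assumes the RSAT ActiveDirectory PowerShell module, forest-wide read access, and assumed values for the inactivity window and output path.

```powershell
# Added audit script (not from the original slides): sweeps every domain in
# the current forest for two policy violations the presentation calls out:
#   1. enabled accounts whose password never expires (slide 10 policy)
#   2. enabled accounts with no logon in the last $InactiveDays days, i.e.
#      candidates that should already have been de-provisioned (slide 14)
# Assumes the RSAT ActiveDirectory module and a reader with forest-wide
# read access. $InactiveDays and $ReportPath are assumed defaults.
param(
    [int]    $InactiveDays = 90,
    [string] $ReportPath   = ".\idm-audit-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory

$findings = foreach ($domain in (Get-ADForest).Domains) {
    # Non-expiring passwords on any enabled account: user, service or admin
    Get-ADUser -Server $domain `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet |
        ForEach-Object {
            [pscustomobject]@{
                Domain  = $domain
                Account = $_.SamAccountName
                Finding = 'PasswordNeverExpires'
                Detail  = "Password last set $($_.PasswordLastSet)"
            }
        }

    # Enabled accounts nobody has used recently: lifecycle gap candidates
    Search-ADAccount -Server $domain -UsersOnly -AccountInactive `
        -TimeSpan ([timespan]::FromDays($InactiveDays)) |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{
                Domain  = $domain
                Account = $_.SamAccountName
                Finding = "InactiveOver${InactiveDays}Days"
                Detail  = "Last logon $($_.LastLogonDate)"
            }
        }
}

# Write the evidence file auditors ask for, then summarise per domain/finding
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Domain, Finding | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize
```

Each row names the domain, the account and the rule it violates, so the CSV can be attached as evidence and re-run after remediation to show the failure count dropping.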

  15. For More Information
  Identity Management and MIIS
  • Microsoft Identity & Access Management: http://microsoft.com/IdM
  • IT Identity Management Whitepaper: http://microsoft.com/technet/itsolutions
  • Webcast: IT Identity Management via MIIS 2003: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032250107
  • Microsoft Identity Integration Server 2003: http://microsoft.com/MIIS
  • IT Showcase: How Microsoft does IT: http://www.microsoft.com/itshowcase/
  Active Directory and GPO
  • Microsoft Active Directory: http://microsoft.com/ActiveDirectory
  • Microsoft Group Policy Management: http://microsoft.com/windowsserver2003/gpmc
  • GPMC, Troubleshooting Guide, Best Practices Documents: http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx

  16. For More Information
  Microsoft and Sarbanes-Oxley
  • Microsoft Office Solution Accelerator for Sarbanes-Oxley: http://www.microsoft.com/presspass/newsroom/office/factsheets/OASXFS.asp
  • Microsoft and Partner Resources to Reduce Risk, Increase Productivity Around Sarbanes-Oxley Compliance: http://www.microsoft.com/business/productivity/collaboration/sox/default.mspx
  • The Sarbanes-Oxley Information Portal: http://www.sarbanes-oxley.com
  • COSO – Guidelines on Establishing Internal Controls to Achieve Objectives, Including Reliable Financial Reporting: http://www.coso.org

  17. © 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

  18. Sarbanes-Oxley Act Overview
  • Sarbanes-Oxley Act (SOX) impacts all publicly traded corporations
    • Fraud and Collusion - requires quarterly certification by Executive Management that significant changes and deficiencies are disclosed
    • Access to Financial Reporting – requires yearly certification by both Executive Management and the External Auditor that controls are effective
  • Sarbanes-Oxley Act signed into law on July 30, 2002
    • Radically changes corporate governance and reporting obligations of publicly traded companies, and significantly increases personal accountability for organizations' officers, auditors, securities analysts and legal counsel
    • Purpose is to restore investor and stockholder confidence
    • Fundamental change in how Audit Committees, management and auditors carry out responsibilities and interact

  19. Microsoft SOX Program Organization
  • Executive Sponsors (2): "Ultimate Owner and Decision Maker"
  • Steering Committee (20): "Remove Resource Barriers"
  • Project Management Office & Core Team (8): "Day to Day Approach and Activities"
  • Subcycle and Regional leads (business, functional & regional sponsors) (100): "Owners and Setting Direction for the Business Cycles"
  • Sub-cycle Location Owners and local controllers (200): "Local Project Mgrs. to execute activities at a Location"
  • Transaction Teams (600): "On the Ground Documentation and Testing Teams"
  • Assurance: PwC, Internal Audit, External audit

  20. So what can you expect?
  • Prepare now! Compliance requirements are coming your way!
  • Requirements shift - auditors are learning about IT
  • Plan to invest in change - time, resources, technology
