Identity & Access Management

Presentation Transcript


  1. Identity & Access Management
  Amol Bhandarkar, Technology Solution Professional – IDA | Microsoft
  amolrb@microsoft.com

  2. Agenda
  • Identity & Access Management
  • ILM 2 High level architecture
  • ILM 2 Features
  • Demo of ILM 2
  • Intelligent Application Gateway
  • AD Rights Management Service

  3. Identity & Access Management
  Compliance and Audit: monitoring, reporting, auditing of identity-based access activity
  Policy Management: identity policy, user/role-based access policy, federation policy, delegation
  Access Management: group management, federation/trust management, entitlements, RBAC
  Identity & Credential Management: user provisioning, certificate & smartcard management, user self-service
  Identity-Based Access:
  • Info Access: drive encryption, ILP, rights management
  • Remote Access: access resources remotely, e.g. SSL VPN
  • Network Access: identity-oriented edge access, e.g. NAP
  • App Access: SSO, Web/Ent/Host access, federation
  Identity Infrastructure (Identity & Credentials Infrastructure): directory for identity/credentials, Infocards, meta/virtual directory, basic policy

  4. Microsoft Identity Lifecycle Manager
  Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization
  Capability areas: User Management, Credential Management, Group Management, Policy Management
  Diagram labels: Identity Synchronization, User Provisioning, Codeless Provisioning, Certificate and Smartcard Management, Support for 3rd Party CAs, Group & DL Management, Office Integration for Self-Service, Workflow and Policy

  5. ILM 2 High Level Architecture

  6. Identity Lifecycle Manager "2" Features
  Policy Management
  • SharePoint-based console for policy authoring, enforcement & auditing
  • Extensible WS-* APIs and Windows Workflow Foundation workflows
  • Heterogeneous identity synchronization and consistency
  Credential Management
  • Heterogeneous certificate management with 3rd party CAs
  • Management of multiple credential types, including One Time Passwords
  • Self-service password reset integrated with Windows logon
  User Management
  • Integrated provisioning of identities, credentials, and resources
  • Automated, codeless user provisioning and de-provisioning
  • Self-service profile management
  Group Management
  • Rich Office-based self-service group management tools
  • Offline approvals through Office
  • Automated group and distribution list updates

  7. End User Scenarios
  Policy Management
  • Example scenario: CFO gives final approval for new user to access in-scope SOX app
  • ILM "2" advantages: automatic routing of multiple approvals; approval process through Office; audit trail of approvals
  Credential Management
  • Example scenario: self-service smart card provisioning
  • ILM "2" advantages: integration with Windows logon; no need to call help desk; faster time to resolution
  User Management
  • Example scenario: user changes their cell phone number
  • ILM "2" advantages: automatic updating of business applications; no need to call help desk; faster time to resolution
  Group Management
  • Example scenario: user requests to join secure distribution list for new product development
  • ILM "2" advantages: request process through Office; no waiting for help desk; faster time to resolution

  8. IT Administrator Scenarios
  Policy Management
  • Example scenario: author policy to require HR approval for job title change
  • ILM "2" advantages: centralized management; automatic policy enforcement across systems
  Credential Management
  • Example scenario: create workflow to automatically issue passwords and smart cards to new users
  • ILM "2" advantages: generation and delivery of initial one-time use password; integration of smart card enrollment with provisioning
  User Management
  • Example scenario: automatically provision new employees with identity, mailbox, and credentials
  • ILM "2" advantages: automatic policy enforcement across systems; management of role changes & retirements
  Group Management
  • Example scenario: design policy to automatically create departmental security groups
  • ILM "2" advantages: automatic management of group membership; secure access to departmental resources, with audit trail

  9. ILM "2" in Action
  ILM "2" Portal: Policy Management, Credential Management, User Management, Group Management
  Connected systems: Databases, Directories, LOB Applications, Windows Log On, Self-Service integration, Custom ISV Partner Solutions, IT Departments

  10. ILM "2" In Action: HR-driven provisioning of a new employee
  • New user added in HR app; Sync receives request (Sync DB, Management Agents)
  • AuthN & AuthZ; ILM manages manager and dept head approvals (workflows)
  • Once approved, changes committed to ILM app store (App DB)
  • ILM sends welcome and confirmation e-mails (action workflow)
  • ILM synchronizes updates with external identity stores (Sync DB, Management Agents, Identity Stores)

  11. ILM "2" In Action: Self-service smart card provisioning
  • New user added in HR app; Sync receives request (Sync DB, Management Agents)
  • Delegation & Permissions: does the user have permission to add a user to ILM? (AuthN & AuthZ)
  • ILM manages manager and dept head approvals (approval workflows)
  • Once approved, changes committed to ILM app store (App DB)
  • ILM sends welcome and confirmation e-mails; self-service notification and One Time Password sent to end user
  • Certificates requested; card created & printed; end user downloads certificates onto smart card
  • ILM syncs to external identity stores (Sync DB, Management Agents, Action Workflow, Identity Stores)

  12. ILM "2" In Action: Self-service password management
  • User forgets password; requests password reset at Windows logon and answers Q/A
  • ILM receives XML (Request Processor)
  • Delegation & Permissions: does the user have permission to reset the password? (AuthN & AuthZ)
  • ILM validates Q/A response from user
  • ILM makes WMI call to reset password in AD (action workflow)
  • Changes committed to ILM app store (App DB)
  • ILM syncs new password to external identity stores (Sync DB, Management Agents, Identity Stores)
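The self-service reset flow on this slide (permission check, Q/A validation, reset in the directory, commit to the app store, sync to external stores) as an added worked example. This is not ILM code: in-memory dicts stand in for AD, the ILM app store and the external identity stores, and the salted-hash answer storage and all-or-nothing comparison are this example's own design choices, chosen so that the service never stores plaintext answers and never reveals which answer was wrong.

```python
"""Self-service password reset gate modelled on the slide's flow.

Constructed example, not ILM code. The directory, app store and external
stores are plain dicts; the class names and methods are this example's own.
"""
import hashlib
import hmac
import os


def normalize(answer: str) -> str:
    """Answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.split()).casefold()


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored answers are useless if the store leaks."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class ResetService:
    def __init__(self):
        self.directory = {}          # user -> password (stands in for AD)
        self.external_stores = {}    # store name -> {user: password}
        self.app_store = []          # committed change / audit records (ILM app store)
        self.reset_enabled = set()   # Delegation & Permissions: who may self-reset
        self.qa = {}                 # user -> list of (salt, answer hash)

    def register(self, user, password, answers, stores):
        """Enrolment: seed the directory, the external stores and the Q/A profile."""
        self.directory[user] = password
        for name in stores:
            self.external_stores.setdefault(name, {})[user] = password
        self.qa[user] = []
        for answer in answers:
            salt = os.urandom(16)
            self.qa[user].append((salt, hash_answer(answer, salt)))
        self.reset_enabled.add(user)

    def validate_answers(self, user, answers) -> bool:
        """All-or-nothing check: every stored answer is compared in constant time and
        only the overall result is returned, so no per-question oracle exists."""
        stored = self.qa.get(user, [])
        if len(answers) != len(stored):
            return False
        ok = True
        for (salt, expected), given in zip(stored, answers):
            ok &= hmac.compare_digest(expected, hash_answer(given, salt))
        return ok

    def reset_password(self, user, answers, new_password) -> str:
        """The slide's sequence: permission -> Q/A -> reset -> commit -> sync."""
        if user not in self.reset_enabled:
            self.app_store.append(("reset-denied", user, "no permission"))
            return "denied"
        if not self.validate_answers(user, answers):
            self.app_store.append(("reset-denied", user, "qa-failed"))
            return "denied"
        self.directory[user] = new_password                 # the WMI call into AD on the slide
        self.app_store.append(("reset-committed", user))    # commit to the ILM app store
        for store in self.external_stores.values():         # sync to external identity stores
            if user in store:
                store[user] = new_password
        return "reset"


if __name__ == "__main__":
    svc = ResetService()
    svc.register("jdoe", "Old!1", ["Rex", "Springfield"], ["hr-app", "lob-db"])
    print(svc.reset_password("jdoe", ["rex ", "SPRINGFIELD"], "New!2"))
    print(svc.reset_password("jdoe", ["rex", "shelbyville"], "Nope!3"))
```

Every denial is recorded in the app store before returning, which gives the compliance-and-audit layer from slide 3 something to report on; a real deployment would also rate-limit attempts per user.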

  13. DEMO Identity Management

  14. Intelligent Application Gateway

  15. Intelligent Application Gateway 2007
  • Supports all Applications with SSL VPN
    • Web, Client/Server, File Access
    • Microsoft: SharePoint, Exchange, Dynamics
    • In-house developed
    • Third-party, e.g. Citrix, IBM, Lotus, SAP, PeopleSoft…
  • Designed for Managed and Unmanaged Users & Devices
    • Automatic detection of user system, software and configuration
    • Access policies according to device "security state"
    • Delete temporary files and data traces from unmanaged devices
  • Drives Productivity with Application Intelligence
    • Apply policy at granular application feature levels
    • Dynamically control application data for desired functionality
    • Single Sign-on with multiple directories, protocols and formats
    • Fully customizable portal and user interface

  16. Intelligent Application Gateway
  Control Access: secure, browser-based access to corporate applications and data from more locations and more devices
  Protect Assets: ensure the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks
  Safeguard Information: comprehensive policy enforcement helps drive compliance with legal and business guidelines for using sensitive data
  The IAG provides SSL-based application access and protection with endpoint security management, enabling granular access control and deep content inspection from a broad range of devices and locations to line-of-business, intranet, and client/server resources.

  17. Secure Application Access (Control / Protect / Safeguard)
  Diagram components: Mobile Devices, Laptops, Kiosks; External Firewall; Intelligent Application Gateway™ (Port 443); ISA Server, IIS; Data Resources: SQL Server, Active Directory, File Shares, Custom Applications, Intranet, SharePoint Server, Exchange Server
  • Native AD integration w/ strong and two-factor authentication
  • Single sign-on to multiple and custom directories
  • Endpoint policy-defined micro-portal; portal defined by user identity
  • Policy-driven intranet access with ACL-level controls
  • Endpoint compliance check and clean-up
  • Session termination & inactivity timeouts
  • File upload / download control; .EXE identification
  • Web application firewall w/ app-specific content, command, and URL filtering
  • 'Restricted zones' definitions for URLs
  • Positive and negative-logic filtering rules
  • Comprehensive monitoring and logging

  18. Customizable Enterprise Security (Control / Protect / Safeguard)
  Diagram components: Employees, Partners, Vendors; External Firewall; Intelligent Application Gateway™ (Port 443); applications: Web, LDAP, Oracle, IBM / Lotus, SAP, Third-party, MS apps, SharePoint Server, Exchange Server, Active Directory
  • Application Optimizer Toolkit lets IT admins / app developers build customized security
  • Web application firewall with positive and negative logic learns and adapts to new apps
  • Support for multiple simultaneous portal configurations
  • SSL VPN connectivity and endpoint security verification
  • Flexible configuration and context-sensitive portal based on endpoint state & user identity
  • Endpoint session control, monitoring and state cleanup
  • Granular policy enforcement
  • Per-application policy and comprehensive authentication / authorization mechanisms
  • Extensive monitoring and logging

  19. Rights Management Services (AD RMS)

  20. Framework for Data Governance
  Pillars: Policy, Process, People, Technology
  Information lifespan: Collection, Storage, Usage, Retention/Destruction
  Diagram labels (where data lives and flows): Structured, Databases, In Applications, Unstructured Data, In Person, Archive, By Employees, Marketers, Online, Electronic Devices, Shared with Third Parties, From 3rd Party, Backup, Destruction

  21. The Information Workplace
  Diagram labels: Home, USB Drive, Mobile Devices, Independent Consultant, Partner Organization
  The flow of information has no boundaries. Information is shared, stored and accessed outside the control of its owner.

  22. Traditional solutions protect initial access … but not usage
  Diagram labels: Firewall Perimeter, Access Control List Perimeter, Authorized Users (Yes), Unauthorized Users (No), Information Leakage

  23. Today’s policy expression… …lacks enforcement tools

  24. Microsoft's Approach to Information Protection: Active Directory Rights Management Services (AD RMS)
  Data Encryption + Persistent Protection + Policy Enforcement (Access Permissions, Use Right Permissions)
  • Provides identity-based protection for sensitive data
  • Controls access to information across the information lifecycle
  • Allows only authorized access based on trusted identity
  • Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted with 128 bit encryption
  • Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery

  25. How does RMS work?
  Diagram components: RMS Server, Active Directory, SQL Server; Information Author; The Recipient
    1. Author receives a client licensor certificate the first time they rights-protect information
    2. Author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file
    3. Author distributes the file
    4. Recipient clicks the file to open; the application calls the RMS server, which validates the user and issues a "use license"
    5. Application renders the file and enforces the rights
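The five-step exchange on this slide, carried through as an added worked example. This is not Microsoft or AD RMS code: a SHA-256 counter-mode XOR stream stands in for the content encryption, HMACs stand in for license signatures, and per-principal shared secrets stand in for the client licensor certificate and the recipient's certificate; the real protocol uses RSA keys and XrML licenses. The point the model preserves is the one that makes protection persistent: the content key travels only inside licenses, the server re-wraps it per recipient together with just that recipient's rights, and an outsider holding the file and its publishing license gets nothing.

```python
"""Model of the AD RMS publish / use-license flow described on the slide.

Constructed example, not Microsoft code. The RmsServer, publish and
open_protected names are this example's own.
"""
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode. Stand-in only, not AD RMS crypto."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sign(key: bytes, payload: dict) -> str:
    """HMAC over canonical JSON; stands in for the signature on a license."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict) -> bool:
    unsigned = {k: v for k, v in payload.items() if k != "sig"}
    return hmac.compare_digest(sign(key, unsigned), payload["sig"])


class RmsServer:
    """The RMS server with its directory of principals (AD / SQL Server on the slide)."""

    def __init__(self):
        self.wrap_key = os.urandom(32)   # stands in for the server's RSA key pair
        self.principals = {}             # user -> key shared with that user's client

    def enroll(self, user: str) -> dict:
        """Step 1: a client licensor certificate for the author (and a certificate for
        each recipient). Toy limitation: wrap_key is symmetric, so a client holding it
        could unwrap a content key; the real protocol hands out only a public key."""
        self.principals[user] = os.urandom(32)
        return {"user": user, "user_key": self.principals[user], "server_wrap_key": self.wrap_key}

    def issue_use_license(self, user: str, pub_license: dict) -> dict:
        """Step 4: check the publishing license and the user, then re-wrap the content
        key for that user together with only the rights granted to them."""
        author_key = self.principals.get(pub_license["author"])
        if author_key is None or not verify(author_key, pub_license):
            raise ValueError("publishing license is not signed by a known author")
        rights = pub_license["rights"].get(user)
        if not rights:
            raise PermissionError(f"{user} has no rights to this content")
        content_key = keystream_xor(self.wrap_key, bytes.fromhex(pub_license["wrapped_key"]))
        use_license = {
            "user": user,
            "rights": sorted(rights),
            "wrapped_key": keystream_xor(self.principals[user], content_key).hex(),
        }
        use_license["sig"] = sign(self.wrap_key, use_license)
        return use_license


def publish(clc: dict, plaintext: bytes, rights: dict):
    """Step 2: the author's application encrypts the file under a fresh content key
    and builds a publishing license carrying the rights and the wrapped key."""
    content_key = os.urandom(32)
    pub_license = {
        "author": clc["user"],
        "rights": {u: sorted(r) for u, r in rights.items()},
        "wrapped_key": keystream_xor(clc["server_wrap_key"], content_key).hex(),
    }
    pub_license["sig"] = sign(clc["user_key"], pub_license)
    return pub_license, keystream_xor(content_key, plaintext)


def open_protected(cert: dict, use_license: dict, ciphertext: bytes):
    """Step 5: the recipient's application unwraps the key and returns the content
    together with the rights it must enforce (view, print, edit ...)."""
    if use_license["user"] != cert["user"] or not verify(cert["server_wrap_key"], use_license):
        raise PermissionError("use license is not valid for this user")
    content_key = keystream_xor(cert["user_key"], bytes.fromhex(use_license["wrapped_key"]))
    return keystream_xor(content_key, ciphertext), use_license["rights"]


def demo():
    """Walks steps 1 to 5 for one author, one authorized reader and one outsider."""
    server = RmsServer()
    author, alice = server.enroll("author"), server.enroll("alice")
    server.enroll("mallory")
    pub_license, ciphertext = publish(author, b"Q3 forecast: confidential", {"alice": ["view"]})
    # Step 3: the file and its publishing license travel together; the ciphertext alone is useless.
    use_license = server.issue_use_license("alice", pub_license)
    text, rights = open_protected(alice, use_license, ciphertext)
    try:
        server.issue_use_license("mallory", pub_license)
        denied = False
    except PermissionError:
        denied = True
    return text, rights, denied


if __name__ == "__main__":
    print(demo())
```

Because the publishing license is signed with the author's key, a recipient who edits the rights list in the license (say, to add "edit") no longer gets a use license at all; the enforcement point stays with the server, not with whoever holds the file.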

  26. Live Trial: RMS

  27. References
  • Identity Lifecycle Manager 2
    • www.microsoft.com/ilm2
    • technet.microsoft.com/ilm
  • Intelligent Application Gateway
    • www.microsoft.com/iag
    • http://technet.microsoft.com/en-us/forefront/edgesecurity/bb687299.aspx
  • AD Rights Management Services
    • www.microsoft.com/rms

  28. Feedback / Q&A
  • Your feedback is important! Please take a few moments to fill out our online feedback form. For detailed feedback, use the form at http://www.connectwithlife.co.in/vtd/helpdesk.aspx or email us at vtd@microsoft.com
  • Use the Question Manager on LiveMeeting to ask your questions now!

  29. Contact
  • Email address: amolrb@microsoft.com
