
Identity Management at Microsoft

Alan Stone

ANZ IT Director

Microsoft Corporation

Our definition

Identity and Access Management is a set of processes enabled by software to manage the lifecycle of identities, as well as the security and privacy policies that govern how the identities can be used to access IT resources.

Identity Management Service

The Service guarantees the privacy, consistency and fidelity of all identities in the Identity Systems (enterprise) through secured access while ensuring regulatory compliance.

Microsoft IT approaches Identity Management as an end-to-end service

  • Identity Management (IdM) is tied to the AD and is core to ensuring a secure, private and controlled environment. This is a key focus area for Sarbanes-Oxley compliance.
Microsoft IT and IdM
  • Identity Management in Microsoft similar to your experience
    • Provisioning and Lifecycle Management
    • Secure Access Management
    • Password Management
    • Enterprise Directory Management
    • Governance and Compliance
  • Manageability challenges similar to customers
    • How to ensure security, enforce least privilege while still providing necessary access
    • Need to centrally manage a federated (multi-forest) environment
  • Value of Microsoft IT
    • Highly effective partnership with Windows Product Group
      • IT driving solid business requirements into AD, MIIS teams from real-world experiences
The Identity Management Lifecycle
  • New User
    • User ID Creation
    • Credential Issuance
    • Account Provisioned
    • Access Assignments
  • Account Changes
    • Promotions
    • Transfers
    • New Privileges
    • Attribute Changes
  • Departing User
    • De-provision Account
    • Remove Entitlements
  • Synchronize Identity
    • Extend lifecycle information across all identity stores
    • Entitlement Reporting
    • Audit/log any changes
    • Keep track of Entitlements
Microsoft IT User Provisioning and Lifecycle
  • Microsoft IT Guidelines
    • Clearly define authoritative source for all user attributes
    • Clearly define and document processes and policies
      • HR is authority of who works at Microsoft, of Address Book information (Manager, Phone number)
      • IT is authority of network account name, mailbox, remote access
  • Increase IT efficiency through automation
    • Consistency checking automated
    • Terminations fully automated
    • Creation partially automated today, full automation coming
    • Automated Address Book Updates - from HR systems, through AD to Exchange
    • Automated Provisioning of some entitlements – OWA, RAS, etc.
  • Microsoft Identity Integration Server (MIIS) provides foundation for all Identity automation
How Does Identity Flow in MIIS?

[Diagram: the Metadirectory, with its Connector Namespace and Metaverse Namespace, linking the HR Database (Full Name, Title, Employee #) with AD and Messaging (Name, Post Office, Location, Employee #) for the sample identity "Suzan Fine" / "Sue Fine", in numbered steps 1 to 5.]


Access is a privilege, not a right!
  • Microsoft IT Guidelines
    • Investigate adopting most restrictive policies and implement company-wide
    • Build a Policy Management strategy
      • Post all user policies centrally
      • Build a Policy Education and Awareness campaign
      • Microsoft focuses on Business Code of Conduct, Security Basics, Diversity
    • Principle of Least Privilege Authorization
      • Role-based access based on minimum access needed
      • Used to lock-down Intellectual Property (IP) like source code, HR systems
      • MIIS Solution coming – calculated security group creation and management
Elevated Access Management
  • Elevated Access = Administrative Account
    • Any access above and beyond regular user access
      • Includes Read, Read/Write, Full Admin Control
    • Access level based on individual’s role and responsibility
    • Alternate Account created for better auditing, reporting
      • Has limited privileges (no email, no RAS)
      • Terminated automatically when user account terminated
    • Requires:
      • Two-factor authentication
      • Director approval and re-justification every 6 months
      • Annual Security and Compliance training
      • Pledge to abide by policies every 6 months
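
The consistency checks described under User Provisioning and Lifecycle and Elevated Access Management can be expressed as a small audit over account records. This is an added example, not code from the presentation or from Microsoft IT's tooling. The field names and sample records are constructed, and "every 6 months" is approximated as 183 days.

```python
from datetime import date, timedelta

# Assumption: "re-justification every 6 months" approximated as 183 days.
REJUSTIFY_EVERY = timedelta(days=183)

# Constructed sample data. Field names are hypothetical, not an MIIS or AD schema.
HR_ACTIVE = {"1001", "1002"}  # employee numbers HR (the authority) reports as employed
ACCOUNTS = [
    {"name": "sfine", "emp": "1001", "kind": "user", "enabled": True},
    {"name": "sfine-adm", "emp": "1001", "kind": "elevated", "enabled": True,
     "two_factor": True, "mailbox": False, "approved": date(2004, 1, 10)},
    {"name": "jdoe", "emp": "1003", "kind": "user", "enabled": True},
    {"name": "jdoe-adm", "emp": "1003", "kind": "elevated", "enabled": True,
     "two_factor": False, "mailbox": True, "approved": date(2004, 5, 1)},
    {"name": "old", "emp": "1004", "kind": "user", "enabled": False},
]

def audit(accounts, hr_active, today):
    """Return sorted (account, finding) pairs for accounts that break the stated rules."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already de-provisioned, nothing to check
        # HR is the authority on who works here: any enabled account (regular
        # or alternate) whose owner is not in HR should have been terminated.
        if a["emp"] not in hr_active:
            findings.append((a["name"], "owner not in HR: terminate"))
        if a["kind"] == "elevated":
            # Alternate accounts carry limited privileges (no email, no RAS).
            if a.get("mailbox") or a.get("ras"):
                findings.append((a["name"], "elevated account has email or RAS"))
            if not a.get("two_factor"):
                findings.append((a["name"], "no two-factor authentication"))
            if today - a["approved"] > REJUSTIFY_EVERY:
                findings.append((a["name"], "director re-justification overdue"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, HR_ACTIVE, date(2004, 8, 1)):
        print(f"{name}: {finding}")
```
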
Password Management Guidelines
  • Microsoft IT Password Policy
    • NO Non-expiring Passwords – users, service or administrative accounts
    • Strong and complex passwords are required, including local Admin accounts
    • Password cannot be serial, synchronized nor have been used previously
    • Group Policy used to enforce security policies in all Forests
  • Password Delivery Process
    • Must prove identity
    • Securely delivered only to user or manager
    • Acquisitions challenging
  • Password Reset Cost
    • Expensive - #1 Helpdesk support call but is secure
  • Testing MIIS Self Service Password Reset Application today
Enterprise Directory Management
  • Manage Active Directory Infrastructure Content
    • Forests, Domains, Trusts, Organizational Units, Schema, Group Policy Objects, Group Management
  • Microsoft IT Guidelines
    • Clearly document process, timeframes for users
    • Use InfoPath Forms for requests
    • Strong Workflow with approvals required
      • Emergency process requires Director approval of the request
    • Deployments
      • Plan, Plan, Plan
      • Always phased with clear roll-back plans
      • Change Control Board notified
  • Goal is to maintain Active Directory Stability!
Microsoft IT Governance
  • Governance is the centralized body used to integrate and manage the policies and processes for regulatory compliance
  • Regulatory Compliance is rapidly becoming mission critical
    • Impacts Privacy, Security, Investor Confidence, Revenue
    • Examples: EU Fair Information Act, EU Data Protection Directive, US HIPAA, US Sarbanes-Oxley Act, etc.
  • It is all about Managing Access
    • IT manages access to and provides support for financial systems, therefore is heavily involved in Sarbanes-Oxley Act
Microsoft IT Guidelines - Governance
  • Governance - Step by Step
    • What’s key to your business? It’s all about securing your Intellectual Property
    • Document, Document, Document!
    • Develop your audit plans
      • Must show evidence!
    • Perform Audit
      • Report successes and failures to Management
      • Failures – remediate and audit again
    • Management Sign-off
      • Required for Internal and External Auditors
  • Governance Guidelines
    • Automate everywhere possible
    • Build Applications with auditing and reporting capabilities
    • Review documentation regularly
    • Make Operations Managers accountable
Microsoft IT Governance Controls
  • Manage Elevated Access
    • Ensure Roles and Responsibilities correspond to access granted for Users and Applications
  • Enforce Security and Privacy Policy
    • Use Active Directory settings and Group Policy deployment
    • Closely monitor requests that expose Identity data
  • Manage Account Lifecycle
    • Ensure Accounts terminated on time
    • When Roles change – access changes
  • Integrate Workflow and Consistency
    • Ensure regulatory compliance is a key decision factor in workflow
    • Forces compliance requirements into application development
For More Information

Identity Management and MIIS

Microsoft Identity & Access Management

  • http://microsoft.com/IdM

IT Identity Management Whitepaper

  • http://microsoft.com/technet/itsolutions

Webcast: IT Identity Management via MIIS 2003

  • http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032250107

Microsoft Identity Integration Server 2003

  • http://microsoft.com/MIIS

IT Showcase: How Microsoft does IT

  • http://www.microsoft.com/itshowcase/

Active Directory and GPO

Microsoft Active Directory

  • http://microsoft.com/ActiveDirectory

Microsoft Group Policy Management

  • http://microsoft.com/windowsserver2003/gpmc

GPMC, Troubleshooting Guide, Best Practices Documents

  • http://www.microsoft.com/windowsserver2003/technologies/management/grouppolicy/default.mspx
For More Information

Microsoft and Sarbanes-Oxley

Microsoft Office Solution Accelerator for Sarbanes-Oxley

  • http://www.microsoft.com/presspass/newsroom/office/factsheets/OASXFS.asp

Microsoft and Partner Resources to Reduce Risk, Increase Productivity Around Sarbanes-Oxley Compliance

  • http://www.microsoft.com/business/productivity/collaboration/sox/default.mspx

The Sarbanes-Oxley Information Portal

  • http://www.sarbanes-oxley.com

COSO – Guidelines on Establishing Internal Controls to Achieve Objectives, Including Reliable Financial Reporting

  • http://www.coso.org

© 2003-2004 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Sarbanes-Oxley Act Overview
  • Sarbanes-Oxley Act (SOX) impacts all publicly traded corporations
    • Fraud and Collusion - requires quarterly certification by Exec Management that significant changes & deficiencies are disclosed
    • Access to Financial Reporting – requires yearly certification by both Exec Management and External Auditor that controls are effective.
  • Sarbanes-Oxley Act signed into law on July 30, 2002
    • Radically changes corporate governance and reporting obligations of publicly traded companies, and significantly increases personal accountability for organizations’ officers, auditors, securities analysts and legal counsel
    • Purpose is to restore investor and stockholder confidence
    • Fundamental change in how Audit Committees, management and auditors carry out responsibilities and interact
Microsoft SOX Program Organization
  • Executive Sponsors (2): “Ultimate Owner and Decision Maker”
  • Steering Committee (20): “Remove Resource Barriers”
  • Project Management Office & Core Team (8): “Day to Day Approach and Activities”
  • Subcycle and Regional leads (business, functional & regional sponsors) (100): “Owners and Setting Direction for the Business Cycles”
  • Sub-cycle Location Owners and local controllers (200): “Local Project Mgrs. to execute activities at a Location”
  • Transaction Teams (600): “On the Ground Documentation and Testing Teams”
  • Also shown: PwC, Internal Audit, External Audit


So what can you expect?
  • Prepare Now! Compliance requirements are coming your way!
  • Requirements shift - Auditors are learning about IT
  • Plan to Invest in Change - Time, resources, technology