Enterprise Mobility (Security)
Achieve full security and control over your mobile devices. Microsoft Services can show you how. Presentation by Martin Kiær, Microsoft Services.

Published in Technology

Transcript

  • 1. “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” (Bruce Schneier, American cryptographer, computer security and privacy specialist)
  • 2. Solutions. Establish a common framework and definition of security, and introduce Microsoft solutions and services. Explore customer requirements and goals, and share Microsoft capabilities. Assess customer goals, challenges, threats, requirements, and technical security maturity. Outline strategic and tactical projects, with business goals and requirements. Implement appropriate security solutions based on business goals.
  • 3. Seen this before? (Diagram of identity sprawl: Users; Cloud services such as O365, Azure, Amazon, Google, etc. with Create/Delete flows; Attribute Sync from HR systems (PeopleSoft, SAP, Dynamics); Financials; Active Directory; SharePoint; Exchange, Lotus Notes etc.; with Application Owner, IT Helpdesk, Administrator, Business Manager, Sales and SharePoint Administrator roles each touching the stores directly.)
  • 4. Identity and desktop management maturity. Basic: limited or no use of Active Directory; user provisioning and access management done manually; minimal enterprise identity and access policy standards; desktops not managed by group policy. Standardized: Active Directory for user authentication and authorization; single sign-on to Windows-integrated applications; Active Directory security groups used for user access control; group policy used to manage desktops for security and settings. Advanced: desktops are tightly managed; centrally managed, automated user account provisioning across systems; centrally managed, automated access controls across systems.
  • 5. Capability Basic Standardized Rationalized Dynamic Virtualized Identity Service Single Enterprise ID Store Application Centric, Multiple Enterprise ID Stores Enterprise ID Store + Application Specific Stores Provisioning Manual, Adhoc Some custom built scripts / Mostly Manual Deprovisioning Manual, Adhoc Some custom built scripts / Mostly Manual Identity Updates Manually performed by Service Desk Manually performed by Service Desk Automated to some identity systems in some identity systems in all identity systems from Authoritative Source Automated to all identity systems from Authoritative Source plus Self-Service capabilities Synchronization Manually performed by Service Desk Manually performed by Service Desk Synchronization among some identity in some identity systems in all identity systems systems, Time-Based Synchronization amongst all identity systems, Event-Driven Self-Service Password Reset and synchronization to all identity systems Change Control Manually performed by Service Desk Manually performed by Service Desk Self-Service Password Reset to central in some identity systems in all identity systems identity system (no synchronization) Owner Managed (Delegations), Owner Managed, Self-Service, Manual by Admin, Static Static Approvals Central Service Desk, manual Central access request service with Application owner specific workflow automated workflow Internally Accessible, Manual Service Center/Help Desk Updates Internally Accessible, Self-Service Call Help Desk / Some Electronic None Call Service Desk / Manual Workflow Workflow Convenience Multiple IDs, Multiple Credentials, Multiple Prompts Multiple IDs, Multiple Credentials, Single Prompt per Credential Multiple IDs, Single Credential Single ID, Single Credential, Single Prompt (SSO) Source Application Centric Issuer(s) Virtual Issuer Central Issuer Federated and Central Issuers Protocols Multiple Protocols, No Standard Standardized Protocols with ability to transition (no delegation) 
Standardized Protocols with ability for transition and delegation Assurance Entitlement Type Shared Accounts, No Assurance Application Centric Standard set of protocols (no transition, no delegation) Personalized Accounts, Password Based Group-Based Multi-Factor AuthN Role-Based, Attribute-Based Risk-Based AuthN Policy-Based Access Policies Written Enforced per Application/Resource Centrally Enforced Centrally Enforced with Attestation Enforcement Collection API (Handled within Application specific code) None Protocol Based using Industry Standard, non-Proprierary Protocols Central Store Access Logging No Logging Agent (applied externally and injected Proxy (Handled outside App) into app), Proprietary Disparate Synchronized Basic logs - Network IP, Server Event logs, Web Server logs Disparate Application-level logging Change Logging None Request and Change Request, Approval, Change Alerting Reactive, No Alerting Request Reactive, Some Alerting on Key Systems Reporting Methodology Reporting Types Manual, Adhoc None Manual with defined process Change/Historical Reactive, Alerting across all systems Automated Report Generation on Key Systems Attestation Alerting and Automatic Remediation Automated Reporting and Generation on all Systems Industry/Regulatory Specific Identity Proliferation Administration Password Management Group Management Application Entitlement Management User Interface Authentication Authorization Audit Automated Creation in one or more ID stores using COTS Email Notifications to other system owners Automated Creation in all ID Stores Automated Deprovisioning in one or more ID Stores Email Notifications to other system Automated deprovisioning in all ID owners Stores Dynamic/Attribute Based Dynamic/Attribute Based Externally Accessible Self-Service Request with Electronic Workflow Common Application Logging Platform
  • 9. Users can enroll devices for access to the Company Portal for easy access to corporate applications. IT can publish Desktop Virtualization (VDI) for access to centralized resources. Users can work from anywhere on their device with access to their corporate resources. IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity. Users can register devices for single sign-on and access to corporate data with Workplace Join. IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
  • 10. Not Joined: user-provided devices are “unknown” and IT has no control; partial access may be provided to corporate information (browser session single sign-on; seamless 2-factor auth for web apps). Workplace Joined: registered devices are “known” and device authentication allows IT to provide conditional access to corporate information (enterprise apps single sign-on). Domain Joined: domain-joined computers are under the full control of IT and can be provided with complete access to corporate information (desktop single sign-on).
  • 11. Manage the complete life cycle of certificates and smart cards through integration with Active Directory. Self-service group and distribution list management, including dynamic membership calculation for these groups and distribution lists, is based on the user's attributes. Users can reset their passwords via Windows logon, significantly reducing help desk burden and costs. Sync users' identities across directories, including Active Directory, Oracle, SQL Server, IBM DS, and LDAP. Allow users to manage their identity with an easy-to-use portal, tightly integrated with Office.
  • 12. Automate the process of on-boarding new users. Real-time de-provisioning from all systems to prevent unauthorized access and information leakage. LDAP. Certificate management. Built-in workflow for identity management. Automatically synchronize all user information to different directories across the enterprise.
  • 13. Security Platform SAML
  • 14. Sources: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, http://www.microsoft.com/en-us/download/details.aspx?id=36036; Best Practices for Securing Active Directory, http://www.microsoft.com/en-us/download/details.aspx?id=38785; The one company that wasn't hacked, http://www.infoworld.com/d/security/the-one-company-wasnt-hacked-194184?source=footer
  • 15. How MARS works (timeline diagram, 9:00 to 3:00, centred on the MARS Server). 1. Request Access (10:00). 2. Auto-Approve (10:00). 3. Access Resource (10:01). 4. Access Resource (3:15). Actors: Admin Account (requester); Admin Group (pre-defined). Domain Groups: Managed Servers; Domain Admin; Schema Admin; Top Secret Project.
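The slide shows the MARS flow only as a timeline; the model below is an added example (not Microsoft's MARS code) of a just-in-time admin service that auto-approves requests for pre-defined groups and enforces a time-boxed membership. The four-hour grant window and the outcome of step 4 are assumptions: the slide does not state them, and here the 3:15 access falls outside the window and is refused.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample policy: groups that may be requested through the JIT
# service, named after the slide's "Domain Groups" box.
ELIGIBLE_GROUPS = {"Managed Servers", "Domain Admin", "Schema Admin",
                   "Top Secret Project"}


@dataclass
class Grant:
    requester: str
    group: str
    granted_at: datetime
    expires_at: datetime


@dataclass
class JitAccessService:
    """Hypothetical MARS-style server: time-boxed group membership."""
    ttl: timedelta = timedelta(hours=4)  # assumed window, not on the slide
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (time, event, who, group)

    def request_access(self, requester, group, now):
        # Steps 1 and 2: request plus auto-approve, pre-defined groups only.
        if group not in ELIGIBLE_GROUPS:
            self.audit.append((now, "DENY-REQUEST", requester, group))
            return None
        grant = Grant(requester, group, now, now + self.ttl)
        self.grants.append(grant)
        self.audit.append((now, "APPROVE", requester, group))
        return grant

    def is_member(self, requester, group, now):
        # Membership exists only while an unexpired grant covers 'now'.
        return any(g.requester == requester and g.group == group
                   and g.granted_at <= now < g.expires_at
                   for g in self.grants)

    def access_resource(self, requester, group, now):
        # Steps 3 and 4: every access decision is recorded for review.
        allowed = self.is_member(requester, group, now)
        self.audit.append((now, "ALLOW" if allowed else "DENY",
                           requester, group))
        return allowed

    def expire(self, now):
        """Drop lapsed grants, as the server would do on a timer."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)


def run_slide_timeline():
    """Replay the slide's clock: 10:00 request, 10:01 access, 3:15 access."""
    day = datetime(2014, 1, 1)  # constructed date

    def at(hour, minute=0):
        return day + timedelta(hours=hour, minutes=minute)

    svc = JitAccessService()
    unlisted = svc.request_access("alice-adm", "Enterprise Admins", at(9))
    svc.request_access("alice-adm", "Managed Servers", at(10))
    first = svc.access_resource("alice-adm", "Managed Servers", at(10, 1))
    later = svc.access_resource("alice-adm", "Managed Servers", at(15, 15))
    removed = svc.expire(at(15, 15))
    return {"unlisted_request": unlisted, "access_10_01": first,
            "access_15_15": later, "expired": removed, "audit": svc.audit}
```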