Extending Identity & Access Management. Mike Barry, Enterprise Relationship Manager; Bill Tompkins, Sales Engineer
  • Thank you for attending our presentation this afternoon on Identity and Access Management
  • The agenda for this session is
  • What do we mean by “culture?” What’s the difference between strategic and tactical?
  • With perimeter security we can keep malicious attackers out of the overall environment, and by using access security we can opt to provide regulated access to resources instead of the entire environment; based on granular policy settings we can restrict certain local resources as well, providing a strict, secure remote access policy.
  • Enable access from anywhere. AAC allows you to extend secure access to devices that are not standard or corporate-issued. By using granular access, and only allowing users to utilize what they need, we can also prevent downtime of resources. Administrators typically meet or exceed security policies by using Advanced Access Control.
  • Customers want: their connecting endpoints to be trusted and secure; end users to have a consistent access experience, regardless of whether the user is inside or outside the network; to leverage a secure, hardened appliance in the DMZ; a centralized management point for all of their resources; and lastly, control over how information can be used or accessed. Challenges customers face with solutions in the market today: limited access from behind the firewall (e.g. IPSec VPNs); an increasing number of mobile users leveraging small form factor devices; the need for access to information from anywhere, anytime to stay competitive (kiosk, home, etc.); and the combination of slow bandwidth & limited usability, which often leaves users frustrated.
  • The way these two parts of AAC are deployed is as follows: the Citrix Access Gateway resides in your DMZ and provides secure communication via SSL, and works in conjunction with the Advanced Access Control server, which is placed securely on your internal network. The Advanced Access Control server also provides centralized administration, management and policy-based access control.
  • New features in AAC 4.2: enhanced authentication support (AD, LDAP, RADIUS, RSA SecurID and SafeWord by Secure Computing); client consolidation (one new client instead of two separate clients); simplified access to published Presentation Server apps (applications are now accessible from the NAVUI page).
  • Administrative features include: Access Suite Console administration for the majority of appliance settings and configuration. Some basic settings are still configured with the Access Gateway Admin Console, and I don’t know if that will be addressed in the future. This is very similar to the way basic settings of a Presentation Server are configured at the server level while farm settings are configured elsewhere. Extended License Server support: licenses for the Access Gateway and AAC are now maintained by the Citrix License Server. Extended endpoint scan capability: endpoint scans are used to control access to and availability of the logon page itself as well as the secured resources. The continuous scan engine controls the SSL VPN tunnel sessions running to the appliance.
  • We are going to show you a brief architectural overview of the different components and where they fit into your environment.
  • The Access Gateway appliance replaces Secure Gateway in the DMZ. Customers should use the Access Gateway if they need: Customers should use the Access Gateway Enterprise to get the above benefits, plus advanced SmartAccess™ to Presentation Server applications.
  • As you can see, the traffic initiated at the client is secured via SSL on port 443. The Access Gateway terminates all traffic and re-initiates a new TCP/IP conversation to the original internal resource. Operating in this manner (like a smart reverse proxy) allows only one trusted resource from the DMZ to traverse your interior network, instead of the real client-initiated TCP packets.
  • It is possible to use a 3rd party load balancer, like the Citrix NetScaler 9000 series Load Balancer, in order to implement a fully redundant deployment of Citrix Advanced Access Control.
  • Now, moving on to the next product we are going to talk about: Citrix Password Manager.
  • Password Manager is a software-based enterprise single sign-on solution that provides a single sign-on to Windows, Web and host-based (or mainframe) applications, by utilizing a lightweight agent that runs against a central database or repository and syncs automatically without any user intervention.
  • Administrators are starting to see users with too many passwords as a risk: since people can’t remember all the passwords needed to function productively, some of those passwords are being written down. The simple task of resetting a password actually costs money; we’ll come back to that one in a minute. As the array of applications gets wider, and the information in those applications gets more and more valuable, the requirement for passwords to secure applications becomes more prevalent. The complexity and cost associated with integrating these applications into existing authentication systems is staggering.
  • As the need for password-protected applications rises, the number of passwords needed rises as well. The average user has 18 passwords (found in a Gartner study). Prompting for passwords can disrupt a good flow of thought. 20 minutes is the average time to get a password reset (found in a Gartner study).
  • Key points: all of these top IT initiatives have a single component in common: they all deal with gaining access. Plan for and address access, and you simplify the solution to each one of these challenges.
  • Gartner states that our own users create an insecure password environment by using sticky notes and spreadsheets, and also by not changing their passwords often enough.
  • When you’re audited, these are some of the things a security auditor will be looking for: password complexity policies; locking the account after a specified number of failed attempts; auditing per application; users able to log in to a critical application via a different user’s credentials. These are all things that Password Manager can assist with.
  • Know these statistics to determine how much password-reset calls to the help desk are costing your customers.
  • Numerous backend authentication systems. How many backend authentication systems do you have currently? Are you trying to consolidate? Potential pitfalls with data owners giving up control.
  • Customers have choices and can try to meet these challenges with other solutions, but these often produce less desirable results.
  • Users authenticate once with a single password (primary network logon), and Password Manager authenticates the user to all other password-protected applications.
  • In this example, the Intelligent Agent Response responds to a logon request, as indicated by the red boxes around the “Login” and “Password” fields. Then the user is prompted with “Would you like Password Manager to remember the logon information for this Web application?” If the user selects “Yes”, the “Enter your logon information below” screen will appear. After completing the “Username” and “Password” fields and clicking “Finish”, the application has been single sign-on enabled by the end user in two simple steps—no scripting and no programming. In many Password Manager deployments, the administrator will single sign-on enable the core enterprise applications (ERP, CRM, etc.) and provide end users with the ability to single sign-on enable their own applications. This functionality is especially useful when small user populations access Web applications from business partners (e.g., online literature fulfillment, market analyst web sites, supplier web sites, etc.).
  • Password Manager is a software-based enterprise single sign-on solution that provides a single sign-on to Windows, Web and host-based (or mainframe) applications, by utilizing a lightweight agent that runs against a central database or repository and syncs automatically without any user intervention.

    1. Extending Identity & Access Management – Mike Barry, Enterprise Relationship Manager; Bill Tompkins, Sales Engineer
    2. Agenda
       • Part I – Overview of NYS Identity & Access Management
       • Benefits Across Organizations
       • Benefits Within an Organization
       • Part II – Citrix Advanced Access Control
       • Extends and Secures NYS Access Infrastructure
       • Part III – Citrix Password Manager
       • Facilitates single sign-on, thus limiting complexity
    3. Benefits Across Organizations
       • Facilitate cross-agency collaboration and data sharing by “eliminating the need for complex, cumbersome bi-lateral data sharing agreements”
       • Improve productivity by “increasing access to external information resources”
    4. Benefits Within an Organization
       • “Simplify process for establishing users, granting and revoking access to electronic resources” – as the agencies’ requirements expand
       • “Reduce the number of separate user IDs and passwords for users, thereby enhancing security” – by leveraging password management/SSO utilities
       • “Enable the organization to securely access external resources owned by another member of the federation” – to facilitate user access from outside the enterprise
    5. Citrix Delivers Access Security
       • Perimeter Security: establishes a barrier to keep malicious attacks from affecting the productivity of the organization
       • Access Security: provides regulated access only to the business resources users need to perform their duties
    6. Secure Access Challenges
       • Anywhere access to business applications and data
       • Expanding access to more users and device types cost-effectively
       • Prevent downtime and business loss from security breaches
       • Meet or exceed security, privacy and regulatory concerns
       (Diagram of device types: Mobile PDA, Kiosks, Partner Machine, Corporate Laptop, Home Computer)
    7. The Customer Problems
       • Endpoint security, identification, and integrity validation
       • Centralized access control to all IT resources
       • Hardened appliance
       • Control over how information and applications can be used
       • Consistent user experience (bandwidth, latency, device idiosyncrasies)
       • Cannot access from behind firewalls
       • Access from widely varying devices
       • Minimize re-authentication on re-connect
       • Need access to all internal IT resources
       (Diagram: Internet-side devices – Mobile PDA, Home Computer, Partners, Corporate Laptop – pass through a firewall to the Access Gateway and Advanced Access Control, then through a second firewall to File Servers, Web or App Servers, CPS Applications, Email Servers, Desktops & Phones and Local Users)
    8. Product Components: Access Gateway + Advanced Access Control
       Access Gateway:
       • Hardened appliance in DMZ
       • Enables end-to-end secure communication via SSL
       • Authentication point
       • Enforces policies generated by Advanced Access Control
       Advanced Access Control:
       • Deployed in a secured network
       • Deployed on Windows Server platform
       • Centralizes administration, management & policy-based access control
       • Centralized reporting and auditing
       • Manages endpoint analysis and client delivery
       • Extends access to more devices and scenarios
       • Advanced policy engine with action control
    9. Advanced Access Control 4.2 New Features
       • End User Features
         • Enhanced authentication support
           • Appliance integration allows several authenticators to be used
           • Active Directory, LDAP (such as Novell eDirectory), RADIUS, RSA SecurID, Secure Computing SafeWord
         • Client consolidation and improved end-user experience
           • Secure Access Client replaces ActiveX Gateway Client and Advanced Gateway Client from previous versions
           • All clients are downloaded on an as-needed basis
         • Simplified access to published applications
           • Published applications are accessible from the Navigation UI page
    10. Advanced Access Control 4.2 New Features
       • Administrative Features
         • Access Suite Console administration of appliance
           • Majority of appliance settings are configured within Access Suite Console
           • Only basic appliance settings are configured within Access Gateway Admin Console
         • Extended Citrix License Server support
           • Licenses for appliance are maintained on Citrix License Server
           • Advanced Access Control acquires a license for the user when connecting through the appliance
         • Extended Endpoint Scan Functionality
           • Standard scans control access to login page and resources
           • Continuous scans control VPN tunnel session to appliance
    11. Advanced Access Control Architecture Overview
    12. Access Gateway with Advanced Access Control 4.2
       (Diagram: Internet-side devices – Mobile PDA, Partner computer, Home computer, Corporate Laptop, Kiosks – pass through a firewall to the Citrix Access Gateway Appliance, then through a second firewall to the Advanced Access Control Server Farm, File Servers, Web or App Servers, Presentation Server Applications, E-mail Servers, IP Phones and Local Users)
    13. Advanced Access Control 4.2 Proof of Concept Deployment
       (Diagram: Client Device sends SSL / port 443 traffic through a firewall to the Access Gateway; the Access Gateway sends SSL / port 443 traffic through a second firewall to Advanced Access Control, File Servers, Web/App Servers, Presentation Server, E-mail Servers and IP PBX)
    14. Advanced Access Control 4.2 Production (Fully Redundant) Deployment
       (Diagram: Endpoint Device on the Internet; DMZ with NetScaler Load-Balancer and multiple Access Gateways; Protected Network with Advanced Access Control Servers, Database Cluster, optional Access Center Agent Services, optional Indexing Services, and Enterprise Resource Servers – Exchange/Notes, File Shares, Web Servers, MPS)
    15. Citrix Password Manager
    16. What is Citrix Password Manager? (Product Overview)
       • Software-based enterprise single sign-on solution
       • Provides a single logon to Windows, Web, and host-based applications
       • Lightweight agent runs against central database; users automatically synchronize
       • … and is really easy to deploy and use
    17. Business Challenges
    18. Overview of Business Challenges
       • Passwords are potential security breaches
       • High help desk costs for password resets
       • Growing number of password-protected applications
       • Complex integration required to consolidate numerous backend authentication systems
    19. Growing Number of Password-Protected Applications
       • The average user has 18 accounts (Gartner*)
       • Constant authentication prompts disrupt work, and multiple passwords are difficult to remember
       • Average call to help desk for a password reset takes 20 minutes (Gartner*)
       *Source: Five Business Drivers of Identity and Access Management. Gartner, 31 October 2003
    20. Top IT initiatives have one thing in common: Access
       • Regulatory Compliance
       • Wireless Mobility
       • Teleworking
       • Mergers & Acquisitions
       • IT Centralization
       • Business Continuity
       • Branch Office Expansion
       • Partner Commerce
       Source: Gartner, IDC, META, Forrester, CFO Magazine, Business Week, 2004
    21. IT Security Breaches
       • Users create own insecure password management schemes: sticky notes, text files, spreadsheets
       • Infrequent password changes
       • De-provisioning users to disable access
       Source: Management Update: The Future of Enterprise Security. Gartner, 15 September 2004
    22. Security Audits are Top of Mind
       Security Audit Observations* | Password Manager helps meet requirement?
       Application passwords do not meet minimum complexity criteria | Yes
       Applications unable to lock application access after reaching maximum failed logon attempts | Yes
       Detailed audit trails of application access, logon attempts, and change-password events not available on a per-application basis | Yes
       Users log in to critical applications using other users’ credentials | Yes
       *Abstract of an actual security audit conducted by a major auditing company. Information provided by Knowlity, Citrix Silver Solution Advisor in San Juan, Puerto Rico.
    23. High Help Desk Costs
       • “Each time an end-user calls the help desk, it costs the organization $25-$50.” – Forrester
       • “30 percent of all calls to the help desk are for password resets.” – Gartner Group
       • “The average end-user calls the help desk four times per year for password resets.” – Gartner Group
       • “Businesses spend $200 per year per person on password management.” – Forrester
    24. Numerous Backend Authentication Systems
       • How many backend authentication systems do you have?
         • Apps: Windows, Web, host-based applications
         • Directories: Active Directory, LDAP, eDirectory, Tivoli Directory Server, etc.
       • Directory consolidation projects are frequently unsuccessful
         • Data owners unwilling to relinquish control
         • Not all apps can talk to a single directory
    25. How Do Customers Address these Challenges without Citrix? (Internal and Partner Use Only)
       Compromises without an ESSO solution:
       • Web SSO – Works for Web applications only. Most users still need to manage passwords for Windows and host-based applications.
       • Do nothing – Users continue to manage passwords on sticky notes, spreadsheets, text files, or notebooks, decreasing IT security.
       • Strong authentication – Two or more authentication factors increase security, but users must still manually manage multiple passwords, decreasing user productivity.
       • Password synchronization – Users remember a single logon, but the common password across applications is the least strong. Hackers only need to discover a single password to access all resources directly.
       • Script-based Enterprise Single Sign-on (ESSO) – Scripts are version-specific and require continual maintenance. Software costs are the “tip of the iceberg” with respect to implementation costs.
    26. How Does It Work?
       One primary logon (Smart Card, Biometric, Token) through Citrix Password Manager gives access to any application: Windows, Web, Host.
    27. Intelligent Agent Response – automatically respond to end-user password-related events
       • End users can SSO-enable applications
         • e.g., business partner web sites
       • Change password requests – generate new passwords without user intervention
       • Supports Windows, Web, host-based applications
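The two points above (slide 25: a synchronized password is only as strong as the most restrictive application's policy; slide 27: on a change-password event the agent generates the new password itself) as an added, constructed illustration. This is not Citrix code; the three application policies and the hypothetical vault are made up for the example.

```python
"""Added illustration (not Citrix code): password synchronization versus
an ESSO-style agent that holds one random secret per application."""
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Per-application password rules (constructed sample values)."""
    min_len: int
    max_len: int
    allow_symbols: bool
    allow_upper: bool

    def alphabet(self) -> str:
        chars = string.ascii_lowercase + string.digits
        if self.allow_upper:
            chars += string.ascii_uppercase
        if self.allow_symbols:
            chars += string.punctuation
        return chars

    def entropy_bits(self, length: int) -> float:
        """Entropy of a uniformly random password of the given length."""
        return length * math.log2(len(self.alphabet()))


def synchronized_policy(policies) -> PasswordPolicy:
    """Password synchronization: one password must satisfy every app, so the
    effective policy is the intersection, i.e. the most restrictive rules."""
    policies = list(policies)
    sync = PasswordPolicy(
        min_len=max(p.min_len for p in policies),
        max_len=min(p.max_len for p in policies),
        allow_symbols=all(p.allow_symbols for p in policies),
        allow_upper=all(p.allow_upper for p in policies),
    )
    if sync.min_len > sync.max_len:  # edge case: policies contradict each other
        raise ValueError("no single password satisfies every application")
    return sync


def generate_password(policy: PasswordPolicy) -> str:
    """What the agent does on a change-password event: a fresh random
    secret at the longest length the application accepts."""
    alphabet = policy.alphabet()
    return "".join(secrets.choice(alphabet) for _ in range(policy.max_len))


# Constructed sample: a host/mainframe app capped at 8 lowercase alphanumerics,
# a Windows domain and a partner web site with stronger rules.
APPS = {
    "mainframe": PasswordPolicy(6, 8, allow_symbols=False, allow_upper=False),
    "windows":   PasswordPolicy(8, 64, allow_symbols=True, allow_upper=True),
    "partner":   PasswordPolicy(8, 32, allow_symbols=True, allow_upper=True),
}


def compare_strength() -> dict:
    """Per app: (bits under password sync, bits with a per-app ESSO secret)."""
    sync = synchronized_policy(APPS.values())
    sync_bits = sync.entropy_bits(sync.max_len)
    return {name: (round(sync_bits, 1), round(p.entropy_bits(p.max_len), 1))
            for name, p in APPS.items()}


def rotate_all(vault: dict) -> dict:
    """Handle change-password events for every app without user intervention:
    each app gets its own new secret, so one exposed password opens only one app."""
    return {name: generate_password(APPS[name]) for name in vault}


if __name__ == "__main__":
    for name, (sync_bits, esso_bits) in compare_strength().items():
        print(f"{name:10s} sync={sync_bits:6.1f} bits  esso={esso_bits:6.1f} bits")
    print(len(set(rotate_all(dict.fromkeys(APPS)).values())), "distinct secrets")
```

Under synchronization every application ends up with the mainframe's 8-character lowercase alphanumeric password (about 41 bits), while the per-app secrets keep each application's full policy.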
    28. (Screenshot: logon form with username smithj and masked password fields, captured by the agent)
    29. What is Citrix Password Manager? (Product Overview)
       • Software-based enterprise single sign-on solution
       • Provides a single logon to Windows, Web, and host-based applications
       • Lightweight agent runs against central database; users automatically synchronize
       • … and is really easy to deploy and use
    30. Wrap Up – Questions?