Special Thanks
This seminar was prepared with the help of:
Oxford Computer Group Ltd
Expertise in Identity and Access
Management (Microsoft Partner)
IT Service Delivery and Training
www.oxfordcomputergroup.com
Microsoft, with special thanks to:
Daniel Meyer – thanks for many
slides
Steven Adler, Ronny Bjones, Olga
Londer – planning and reviewing
Philippe Lemmens, Detlef Eckert
– Sponsorship
Bas Paumen & NGN - feedback
Welcome!
Our Objectives:
Clarify the complex field of identity and access management
Start a discussion about IAM in the community, so that the solutions
and products are no longer “Best Kept Secrets”
Show you how to better realise value and optimise costs of dealing
with identities
Outline the future
Our Plan:
One overview session – concepts and ideas
Three specialised sessions - technology
Logistics
You will receive a paper evaluation form. Please
complete it as your feedback is very important to
us.
You can also contact Matjaz at v-matper@microsoft.com
All PowerPoint presentations will be available for
download.
Please ask questions at any time you wish.
Additionally, I will be available to take questions
after my last session today.
Objectives
Build a good conceptual background to enable
later technical discussions of the subject
Overview the problems and opportunities in the
field of identity and access management
Introduce terminology
Highlight a possible future direction
Universal Identity?
The Internet was built so that communications are
anonymous
In-house networks use multiple, often mutually-
incompatible, proprietary identity systems
Users are incapable of handling multiple
identities
Criminals love to exploit this mess
Explosion of IDs
(Chart: number of digital IDs against time, from pre-1980s through the 2000s, growing with each wave.)
Technology waves: Mainframe, Client Server, Internet
Scope waves: Business Automation, Company (B2E), Partners (B2B), Customers (B2C), Mobility
The Disconnected Reality
“Identity Chaos”
Lots of users and systems required to do business
Multiple repositories of identity information; multiple user IDs, multiple passwords
Decentralized management, ad hoc data sharing
(Diagram: Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS and a second In-House Application, each with its own Authentication, Authorization and Identity Data.)
Multiple Contexts
(Diagram: the parties an organisation must deal with, and the business drivers pushing identity across them.)
Parties: your COMPANY and your EMPLOYEES; your SUPPLIERS; your PARTNERS; your REMOTE and VIRTUAL EMPLOYEES; your CUSTOMERS
Drivers: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce
Trends Impacting Identity
Increasing Threat Landscape
Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
$250 billion lost in 2004 from exposure of confidential info
Maintenance Costs Dominate IT Budget
On average employees need access to 16 apps and systems
Companies spend $20-30 per user per year for PW resets
Deeper Line of Business Automation and Integration
One half of all enterprises have SOA under development
Web services spending growing 45% CAGR
Rising Tide of Regulation and Compliance
SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
$15.5 billion spend in 2005 on compliance (analyst estimate)
Data Sources: Gartner, AMR Research, IDC, eMarketer, U.S. Department of Justice
Pain Points
(Diagram: pain points arranged around five stakeholders: Business Owner, End User, IT Admin, Developer and Security/Compliance.)
Too expensive to reach new partners, channels
Need for control
Too many passwords
Long waits for access to apps, resources
Too many user stores and account admin requests
Unsafe sync scripts
Redundant code in each app
Rework code too often
Too many orphaned accounts
Limited auditing ability
Possible Savings
Directory Synchronization
“Improved updating of user data: $185 per user/year”
“Improved list management: $800 per list”
- Giga Information Group
Password Management
“Password reset costs range from $51 (best case) to $147 (worst
case) for labor alone.” – Gartner
User Provisioning
“Improved IT efficiency: $70,000 per year per 1,000 managed users”
“Reduced help desk costs: $75 per user per year”
- Giga Information Group
Is This Going to Scale?
Today, average corporate user spends 16 minutes a day
logging on
A typical home user maintains 12-18 identities
Number of phishing and pharming sites grew over
1600% over the past year
Corporate IT Ops manage an average of 73 applications
and 46 suppliers, often with individual directories
Regulators are becoming stricter about compliance and
auditing
Orphaned accounts and identities lead to security
problems
Source: Microsoft’s internal research and Anti-phishing Working Group Feb 2005
One or Two Solutions?
Better Option:
Build a global, universal, federated identity metasystem
Will take years…
Quicker Option:
Build an in-house, federated identity metasystem based on
standards
Federate it to others, system-by-system
But: both solutions could share the same conceptual
basis
Lessons from Passport
Passport designed to solve two
problems
Identity provider for MSN
250M+ users, 1 billion logons per day
Significant success
Identity provider for the Internet
Unsuccessful:
Not trusted “outside context”
Not generic enough
Meant giving up control over identity management
Cannot re-write apps to use a central system
Learning: the solution must be different
from Passport
Idea of an Identity Metasystem
Not an Identity System
Agreement on metadata and protocols, allowing
multiple identity providers and brokers
Based on open standards
Supported by multiple technologies and
platforms
Adhering to Laws of Identity
With full respect of privacy needs
Roles Within Identity Metasystem
Identity Providers
Organisations, governments, even end-users
They provide Identity Claims about a Subject
Name, vehicles allowed to drive, age, etc.
Relying Parties
Online services or sites, doors, etc.
Subjects
Individuals and other entities whose identity needs to be
established
Identity Metasystem Today
Basically, the WS-* security specifications as they stand
today (WS-Security, WS-Trust, WS-SecurityPolicy, WS-MetadataExchange)
Plus
Software that implements the services
Microsoft and many others working on it
Companies that would use it
Still to come, but early adopters exist
End-users that would trust it
Will take time
Identity Laws
www.identityblog.com
1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
Enterprise Applicability
That proposed metasystem would work well
inside a corporation
But, it will be 5-7 years at least before the beginning
of adoption!
Of course, we need a solution before it becomes
a reality
Following the principles seems a good idea
while planning immediate solutions
Organic growth likely to lead to an identity
metasystem in long term
Enterprise Trends
Kerberos can no longer easily span disconnected
identity forests and technologies
We are moving away from Groups and traditional
ACLs…
Increasingly limited and difficult to manage on large scales
…towards a combination of:
Role-Based Access Management, and,
Rich Claims Authorization
PKI is still too restrictive, but it is clearly a component of
a possible solution
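The three slides above (the metasystem roles of Identity Provider, Relying Party and Subject; the Laws of Identity; and the move from groups and ACLs towards claims-based authorization) can be shown end to end in code. The following is an added example written for this page, not code from the seminar or from any Microsoft product. It stands in a shared HMAC-SHA256 key for the identity provider's signing key (a real metasystem token such as a SAML assertion issued over WS-Trust would carry an XML signature verified against the IdP's certificate), and the issuer URL, relying-party URL, user store and policy are all assumed, constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed: the IdP's signing key, keyed by its (assumed) issuer URL. A relying
# party only ever accepts tokens from issuers it has a trust relationship with.
TRUSTED_ISSUERS = {"https://idp.example.corp": b"idp-signing-key-demo"}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, body: str) -> str:
    return b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def idp_issue_token(issuer, key, subject, audience, requested, directory, now, ttl=300):
    """Identity provider: the subject has authenticated against the IdP's own
    directory; issue only the claims the relying party asked for (minimal
    disclosure). 'age_over_18' is derived here, so the age itself never leaves."""
    record = directory[subject]
    claims = {}
    for name in requested:
        if name == "age_over_18":
            claims[name] = record["age"] >= 18
        elif name in record and name != "age":
            claims[name] = record[name]
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "claims": claims}
    body = b64(json.dumps(payload, sort_keys=True).encode())
    return body + "." + sign(key, body)


def rp_verify_token(token, expected_audience, now, trusted=TRUSTED_ISSUERS):
    """Relying party: trusted issuer (justifiable parties), intact signature,
    directed at this RP (directed identity), and inside its validity window."""
    body, sig = token.rsplit(".", 1)
    payload = json.loads(unb64(body))
    key = trusted.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(sig, sign(key, body)):
        raise ValueError("bad signature")
    if payload.get("aud") != expected_audience:
        raise ValueError("token not directed at this relying party")
    if not payload["iat"] <= now < payload["exp"]:
        raise ValueError("token outside its validity window")
    return payload


def rp_authorize(payload, action, policy):
    """Claims-based authorization: the policy names the claim values an action
    needs, instead of checking a directory group or an ACL entry."""
    claims = payload["claims"]
    return all(claims.get(k) == v for k, v in policy[action].items())


def run_demo():
    now = 1_700_000_000                  # fixed clock keeps the run reproducible
    issuer = "https://idp.example.corp"
    rp = "https://orders.example.corp"    # assumed relying-party identifier
    directory = {                         # constructed IdP user store
        "alice": {"name": "Alice Example", "age": 34, "role": "purchasing"},
        "bob": {"name": "Bob Example", "age": 17, "role": "purchasing"},
    }
    policy = {"approve_order": {"role": "purchasing", "age_over_18": True}}
    wanted = ["name", "role", "age_over_18"]
    key = TRUSTED_ISSUERS[issuer]
    out = {}
    token = idp_issue_token(issuer, key, "alice", rp, wanted, directory, now)
    payload = rp_verify_token(token, rp, now)
    out["alice_claims"] = payload["claims"]
    out["alice_approve"] = rp_authorize(payload, "approve_order", policy)
    bob_token = idp_issue_token(issuer, key, "bob", rp, wanted, directory, now)
    out["bob_approve"] = rp_authorize(rp_verify_token(bob_token, rp, now), "approve_order", policy)
    # Token minted for another relying party must be refused by this one.
    other = idp_issue_token(issuer, key, "alice", "https://other.example.corp", wanted, directory, now)
    try:
        rp_verify_token(other, rp, now)
    except ValueError as err:
        out["wrong_audience"] = str(err)
    # Self-issued token from an issuer this RP has no trust relationship with.
    rogue = idp_issue_token("https://rogue.example", b"rogue-key", "alice", rp, wanted, directory, now)
    try:
        rp_verify_token(rogue, rp, now)
    except ValueError as err:
        out["rogue_issuer"] = str(err)
    # Editing a claim after issuance (bob promoting himself) breaks the signature.
    body, sig = bob_token.rsplit(".", 1)
    edited = json.loads(unb64(body))
    edited["claims"]["age_over_18"] = True
    try:
        rp_verify_token(b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig, rp, now)
    except ValueError as err:
        out["tampered"] = str(err)
    return out
```

Note what the relying party never sees: Alice's actual age, and any notion of which directory group she belongs to. The authorization decision depends only on claims the IdP vouched for, which is what lets the same relying party accept subjects from several identity providers without an ACL or group per provider.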
Identity and Access Management
A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials. Its three pillars:
Directory Services: repositories for storing and managing accounts, identity information, and security credentials
Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance
Remember the Chaos?
(The “Identity Chaos” diagram again: Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS and a second In-House Application, each with its own Authentication, Authorization and Identity Data.)
IAM Benefits
Benefits today (Tactical):
Save money and improve operational efficiency
Improved time to deliver applications and service
Enhance Security
Regulatory Compliance and Audit
Benefits to take you forward (Strategic):
New ways of working
Improved time to market
Closer Supplier, Customer, Partner and Employee relationships
Some Basic Definitions
Authentication (AuthN)
Verification of a subject’s identity by checking the claim (credential) the
subject presents
Identification is sometimes seen as a preliminary step of
authentication:
the collection of as-yet-untrusted information about a subject, such
as an identity claim
Authorization (AuthZ)
Deciding which actions, rights or privileges the subject is
allowed
Trend towards separating authentication from authorization
Or even all three, if biometrics are used: a biometric system first identifies
(a one-to-many match against enrolled templates) and then verifies (one-to-one),
so identification becomes a step in its own right
Components of IAM
(Diagram: three component groups, with Administration, Authentication and Authorization as the recurring functions.)
Administration: User Management; Password Management; Workflow
Access Management: Authentication; Authorization
Identity Management: Account Provisioning; Account Deprovisioning; Synchronisation; Reliable Identity Data
Microsoft’s Identity Management
(Diagram: Microsoft products laid over the three pillars Directory (Store) Services, Access Management and Identity Lifecycle Management.)
Products shown: PKI / CA; Extended Directory Services; Active Directory & ADAM; Enterprise Single Sign On; Authorization Manager; Active Directory Federation Services; Audit Collection Services; BizTalk; Identity Integration Server; ISA Server; SQL Server Reporting; Services for Unix / Services for Netware
Components of a Microsoft-based IAM
Infrastructure Directory: Active Directory
Application Directory: ADAM (LDAP)
Lifecycle Management: MIIS
Workflow: BizTalk, Partner Solutions (Ultimus BPM, SAP)
Role-Based Access Control: Authorization Manager or Partner Solutions (ex: OCG, RSA) and traditional approaches
Directory & Password Synchronization: MIIS & Partner solutions
SSO (Intranet): Kerberos/NTLM, Vintela/Centrify
Enterprise SSO (Intranet): SharePoint ESSO, BizTalk ESSO, HIS ESSO
Strong Authentication: SmartCards, CA/PKI, Partner (eg. RSA SecurID, Alacris, WizeKey)
Web SSO: ADFS, Partner (eg. RSA ClearTrust)
Integration of UNIX/Novell: SFU, SFN, Partner (eg. Vintela/Centrify)
Federation: ADFS
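The Identity Management components listed a few slides back (Account Provisioning, Account Deprovisioning, Synchronisation, Reliable Identity Data) and the Directory & Password Synchronization row above describe one reconciliation loop: compare the directory against an authoritative source and work out what to create, update and disable. The following is an added example written for this page, not code from the seminar, MIIS or any other product named here. The HR feed, the directory accounts, the join rule (HR employee_id equals the directory employeeID attribute) and the service-account naming convention are all constructed assumptions.

```python
# Constructed sample data (not from the deck). HR is the authoritative source
# for people; the directory holds the accounts. Attribute names are assumed.
HR_RECORDS = [
    {"employee_id": "E100", "name": "Alice Example", "dept": "Purchasing", "status": "active"},
    {"employee_id": "E101", "name": "Bob Example", "dept": "Finance", "status": "active"},
    {"employee_id": "E102", "name": "Carol Example", "dept": "Sales", "status": "terminated"},
    {"employee_id": "E103", "name": "Dan Example", "dept": "IT", "status": "active"},
]
DIRECTORY_ACCOUNTS = [
    {"sam": "alice", "employeeID": "E100", "department": "Purchasing", "enabled": True},
    {"sam": "bob", "employeeID": "E101", "department": "Sales", "enabled": True},    # dept out of date
    {"sam": "carol", "employeeID": "E102", "department": "Sales", "enabled": True},  # has left, still enabled
    {"sam": "eve", "employeeID": "E999", "department": "IT", "enabled": True},       # no HR record: orphan
    {"sam": "svc-backup", "employeeID": None, "department": "IT", "enabled": True},  # service account
]


def reconcile(hr_records, accounts, exempt_prefix="svc-"):
    """Compare the directory with the authoritative HR feed and return the
    changes a provisioning run would make. Nothing is applied here; the plan
    is what an operator (or an audit) would review before the sync runs."""
    by_id = {r["employee_id"]: r for r in hr_records}
    active_ids = {eid for eid, r in by_id.items() if r["status"] == "active"}
    joined = set()
    plan = {"provision": [], "disable": [], "update": [], "orphan": []}
    for acct in accounts:
        if acct["sam"].startswith(exempt_prefix):
            continue                         # service accounts are owned outside HR
        record = by_id.get(acct["employeeID"])
        if record is None:
            plan["orphan"].append(acct["sam"])   # no authoritative owner at all
            continue
        joined.add(record["employee_id"])
        if record["status"] != "active":
            if acct["enabled"]:
                plan["disable"].append(acct["sam"])   # leaver, deprovision first
        elif acct["department"] != record["dept"]:
            plan["update"].append((acct["sam"], "department", record["dept"]))
    plan["provision"] = sorted(active_ids - joined)   # active people with no account
    return plan


if __name__ == "__main__":
    for kind, items in reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS).items():
        print(f"{kind}: {items}")
```

Two points a practitioner would want from this. Orphans (an account whose join key matches nothing authoritative) are reported separately from leavers, because the right response differs: a leaver is disabled on the HR signal, while an orphan needs an owner found or the account removed, and the pain-point and "Is This Going to Scale?" slides both flag orphaned accounts as the security problem. And the exemption for service accounts is explicit in the code, so that a reviewer can see exactly which accounts the HR feed does not govern rather than discovering it from accounts that silently never get disabled.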
Summary
We have reached an “Identity Crisis” both on the
intranet and the Internet
Identity Metasystem suggests a unifying way
forward
Meanwhile, Identity and Access Management
systems need to be built so enterprises can
benefit immediately
Microsoft is rapidly becoming a strong provider
of IAM technologies and IM vision
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet