How to use Identity Management to be MORE productive?
Robert Jones, Identity and RMS Architect
RMS Requires Identity Assurance to ensure security
• Identity Management is core to deploying highly secure applications like RMS
[Diagram: Security (Deny) and Identity (Grant) applied to Users & Devices, Permissions & Access with Policies, Credentials, Security Policies & Auditing, and Identity and Access Workflow; driven by Regulations and Business Policies; resources shown are Voice, People, Business Process, Portals, Email, Information and Collaboration]
Identity and Access Solutions Framework
[Diagram: Common Services, Identity Lifecycle Management, Strong Authentication, Information Protection, Federated Identity, Directory Services]
Islands of Applications - has led to islands of identities
[Chart: # of Digital IDs against Time (pre-1980s, 1980s, 1990s, 2000s), with the eras Mainframe, Client Server, Internet and Mobility, the rise of Business Automation Applications, and the identity populations Company (B2E), Partners (B2B) and Customers (B2C)]
What is Identity Management?
• A system of procedures and policies to manage the lifecycle and entitlements of electronic credentials.
[Diagram: Directory Services, Identity and Access Lifecycle Management, Federation]
The ID Lifecycle
• New User
  • User ID Creation
  • Credential Issuance
  • Access Rights
• Account Changes
  • Promotions
  • Transfers
  • New Privileges
  • Attribute Changes
• Password Mgmt
  • Strong Passwords
  • “Lost” Password
  • Password Reset
• Synchronize Identity
  • Extend lifecycle information across all identity stores
• Entitlement Reporting
  • Audit/log any ILM changes
  • Keep track of Entitlements
• Retire User
  • Delete/Freeze Accounts
  • Delete/Freeze Entitlements
Identity Aggregation
• Data consistency across multiple repositories
• “Agentless” connection to other systems
• Provides attribute-level control
• Manage global address lists (GAL)
• Automate group and DL management
[Diagram: connected systems Active Directory, Exchange 5.5, iPlanet, Notes, SQL, Oracle]
Available Connectors (MIIS):
• Active Directory & Active Directory Application Mode
• Computer Associates ACF2
• IBM DB2, Lotus Domino 5.x/6.x, Tivoli Directory Server, RACF
• Microsoft SQL 2000, SQL 7
• Novell eDirectory
• Oracle 8i/9i
• Microsoft Exchange 5.5, 2000, 2003
• Microsoft NT 4.x
• Sun/iPlanet/Netscape Directory
• Various flat-file formats: DSML, LDIF, CSV, fixed width
• SAP, PeopleSoft
• CA-ACF2
• CA-TopSecret
• IBM OS/400
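As an added illustration of the attribute-level control and change auditing described on the Identity Aggregation slide (this is example code written for this page, not code from the presentation or from MIIS), the following Go program joins records from three hypothetical connected systems on an employee ID, applies per-attribute precedence so that only the authoritative system can set a given attribute, and logs every change it applies to the aggregated view. The system names, attribute names, precedence rules and sample records are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// SourceRecord is one entry exported by a connected system (AD, HR database, mail system, ...).
type SourceRecord struct {
	System string            // hypothetical connector name, e.g. "HR"
	Attrs  map[string]string // attribute values as exported by that system
}

// Identity is the aggregated view of one person across all stores.
type Identity map[string]string

// AuditEntry logs one attribute change applied to the aggregated view, so that
// every lifecycle change can later be reported on and audited.
type AuditEntry struct {
	ID, Attr, Old, New, Source string
}

// Aggregate joins records from several stores on joinAttr and applies
// attribute-level precedence: precedence[attr] lists the systems allowed to
// supply that attribute, most authoritative first. A system not in the list
// never sets the attribute; attributes without a precedence entry accept the
// first value seen. Records lacking the join key cannot be joined and are skipped.
func Aggregate(records []SourceRecord, joinAttr string, precedence map[string][]string) (map[string]Identity, []AuditEntry) {
	rankOf := func(attr, system string) (int, bool) {
		systems, constrained := precedence[attr]
		if !constrained {
			return len(precedence) + 1, true // unconstrained: any system, first value wins
		}
		for i, s := range systems {
			if s == system {
				return i, true
			}
		}
		return 0, false // this system is not authoritative for attr
	}
	out := map[string]Identity{}
	winner := map[string]map[string]int{} // id -> attr -> rank of the value currently held
	var audit []AuditEntry
	for _, rec := range records {
		id := rec.Attrs[joinAttr]
		if id == "" {
			continue
		}
		if _, seen := out[id]; !seen {
			out[id] = Identity{joinAttr: id}
			winner[id] = map[string]int{}
		}
		for _, attr := range sortedKeys(rec.Attrs) { // deterministic audit order
			if attr == joinAttr {
				continue
			}
			rank, allowed := rankOf(attr, rec.System)
			if !allowed {
				continue
			}
			if cur, held := winner[id][attr]; held && cur <= rank {
				continue // current value comes from an equally or more authoritative source
			}
			old, val := out[id][attr], rec.Attrs[attr]
			winner[id][attr] = rank
			if old != val {
				out[id][attr] = val
				audit = append(audit, AuditEntry{id, attr, old, val, rec.System})
			}
		}
	}
	return out, audit
}

func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SampleRun aggregates constructed records from three hypothetical systems.
func SampleRun() (map[string]Identity, []AuditEntry) {
	records := []SourceRecord{
		{"HR", map[string]string{"employeeID": "1001", "displayName": "Alice Smith", "title": "Engineer", "mail": "alice@hr-legacy.example", "status": "active"}},
		{"AD", map[string]string{"employeeID": "1001", "displayName": "A. Smith", "mail": "asmith@example.com"}},
		{"Exchange", map[string]string{"employeeID": "1001", "mail": "alice.smith@example.com"}},
		{"AD", map[string]string{"displayName": "Orphan Account"}}, // no join key: cannot be aggregated
	}
	precedence := map[string][]string{
		"displayName": {"HR", "AD"},       // HR is authoritative for names
		"mail":        {"Exchange", "AD"}, // the mail system wins for addresses; HR may not set it
	}
	return Aggregate(records, "employeeID", precedence)
}

func main() {
	ids, audit := SampleRun()
	fmt.Println("aggregated:", ids["1001"])
	for _, a := range audit {
		fmt.Printf("audit: %s.%s %q -> %q (from %s)\n", a.ID, a.Attr, a.Old, a.New, a.Source)
	}
}
```

The precedence table is what gives the "attribute-level control" the slide mentions: HR's stale legacy mail address is ignored because HR is not listed for `mail`, while its display name beats the abbreviated one in AD. The audit slice is the raw material for the "audit/log any ILM changes" item on the lifecycle slide.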
Credential Management
[Diagram: Certificates, Identity and access, Secure collaboration]
Business Scenarios - Driving use of digital certificates
• Strong authentication and smart cards reduce password management costs
• Encryption with central key archival ensures encrypted content is recoverable
• Network access protection (NAP) protects networks from unhealthy PCs
• Virtual private networks (VPNs) and secure wireless access enable secure and cost-effective network access
CLM Architecture
[Diagram, logical and physical architecture. Components: Microsoft Certificate Authority / Microsoft CAs with the CLM Policy Module and CLM Exit Module; Microsoft CLM Server with the CLM Web App on Internet Information Server, CLM AD Integration and SQL Server; Active Directory; E-mail Server and other services; the End User with Internet Explorer, the CLM Browser Control and Smart Card Middleware]
Information Protection with Windows Rights Management Services
[Diagram: traditional solutions control initial access. The firewall perimeter and the access control list say No to unauthorized users and Yes to authorized users, but information leakage by authorized users is not controlled. RMS addresses ongoing information usage.]
Safeguard Sensitive Information with RMS
Protect e-mail, documents, and Web content
Secure Emails (Outlook 2003 and 2007, Windows RMS)
• Keep corporate e-mail off the Internet
• Prevent forwarding of confidential information
• Templates to centrally manage policies
Secure Documents (Office 2003 and 2007 (Word, PowerPoint, Excel, InfoPath), SharePoint Server 2007, Windows RMS)
• Control access to sensitive info
• Set access level - view, change, print...
• Determine length of access
• Automatically apply usage policies to document libraries
• Log and audit who has accessed rights-protected information
Secure Intranets (IE w/RMA, Windows RMS)
• Users without Office 2003 can view rights-protected files
• Enforces assigned rights: view, print, export, copy/paste & time-based expiration
Overview of RMS components
• Active Directory
  • Authentication
  • Service Discovery
  • Group Membership
• SQL Server
  • Configuration data
  • Logging
  • Cache
• RMS Client
  • RMS Lockbox
  • Client API
  • Templates (XML Copy)
• RMS Server
  • Certification
  • Licensing
  • Templates
• RMS-enabled Client and Server Applications
Example: Rights-Protected Document - Word, Excel, or PowerPoint 2003 Pro
[Diagram of the protected file's layout]
• Publishing License - created when the file is protected
  • Rights Info w/ email addresses and the Content Key (big random number), encrypted with the server’s public key
• End User Licenses - only added to the file after the server licenses a user to open it
  • Rights for a particular user and the Content Key, encrypted with the user’s public key
• The Content of the File (Text, Pictures, metadata, etc) - encrypted with the Content Key, a cryptographically secure 128-bit AES symmetric encryption key
NOTE: Outlook E-mail EULs are stored in the local user profile directory
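To make the license structure on this slide concrete, here is an added Go example (written for this page; it is not code from the presentation or from Windows RMS) that models a rights-protected file the way the slide describes it: a random 128-bit AES content key encrypts the content, the publishing license carries that key sealed to the server's public key, and an end user license carrying the key sealed to the user's public key is added only after the server licenses that user. RSA-OAEP and AES-GCM are this example's choices of primitives, and the user names, key sizes, OAEP label and document text are all constructed. The point it demonstrates is the one the slide makes: nothing in the file lets a user who holds no end user license recover the content key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

var oaepLabel = []byte("rms-content-key") // OAEP label chosen for this example

// PublishingLicense is created when the file is protected: rights info plus the content
// key sealed to the server's public key, so only the licensing server can recover it.
type PublishingLicense struct {
	Rights       map[string][]string // user e-mail -> rights granted
	KeyForServer []byte
}

// EndUserLicense is added to the file only after the server licenses a user; it holds
// the user's rights and the content key sealed to that user's public key.
type EndUserLicense struct {
	Rights     []string
	KeyForUser []byte
}

// ProtectedDoc models the rights-protected file: AES-GCM encrypted content plus licenses.
type ProtectedDoc struct {
	Nonce, Ciphertext []byte
	PL                PublishingLicense
	EULs              map[string]EndUserLicense // keyed by user e-mail
}

// gcmFor builds AES-GCM for a 16-byte key; neither constructor can fail for that size.
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect encrypts the content with a fresh random 128-bit AES key and seals that key to
// the server with RSA-OAEP; the plaintext content key is never stored in the file.
func Protect(plain []byte, rights map[string][]string, server *rsa.PublicKey) (*ProtectedDoc, error) {
	buf := make([]byte, 16+12) // 128-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:16], buf[16:]
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, server, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &ProtectedDoc{Nonce: nonce, Ciphertext: gcmFor(key).Seal(nil, nonce, plain, nil),
		PL: PublishingLicense{Rights: rights, KeyForServer: sealed}, EULs: map[string]EndUserLicense{}}, nil
}

// IssueEUL is the licensing server's step: it alone can unseal the content key, it refuses
// users the publishing license does not name, and it re-seals the key to the user's public key.
func IssueEUL(doc *ProtectedDoc, server *rsa.PrivateKey, user string, userPub *rsa.PublicKey) error {
	rights, ok := doc.PL.Rights[user]
	if !ok {
		return fmt.Errorf("publishing license grants no rights to %s", user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, server, doc.PL.KeyForServer, oaepLabel)
	if err != nil {
		return err
	}
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, key, oaepLabel)
	if err != nil {
		return err
	}
	doc.EULs[user] = EndUserLicense{Rights: rights, KeyForUser: sealed}
	return nil
}

// Open is the client's step: recover the content key from the user's own EUL with the
// user's private key, then decrypt. Without an EUL the content stays opaque.
func Open(doc *ProtectedDoc, user string, userPriv *rsa.PrivateKey) ([]byte, []string, error) {
	eul, ok := doc.EULs[user]
	if !ok {
		return nil, nil, fmt.Errorf("no end user license for %s", user)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, userPriv, eul.KeyForUser, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	plain, err := gcmFor(key).Open(nil, doc.Nonce, doc.Ciphertext, nil)
	return plain, eul.Rights, err
}

// Demo runs the flow with constructed keys and content: alice is named in the publishing
// license, bob is not. It returns what alice reads, her rights, and the error bob received.
func Demo() (string, []string, error) {
	server, _ := rsa.GenerateKey(rand.Reader, 2048)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc, err := Protect([]byte("Q3 forecast: confidential"),
		map[string][]string{"alice@example.com": {"view", "edit"}}, &server.PublicKey)
	if err != nil {
		return "", nil, err
	}
	if err := IssueEUL(doc, server, "alice@example.com", &alice.PublicKey); err != nil {
		return "", nil, err
	}
	// bob is refused before any key material is touched, so no key pair is needed for him.
	bobErr := IssueEUL(doc, server, "bob@example.com", &alice.PublicKey)
	text, rights, err := Open(doc, "alice@example.com", alice)
	if err != nil {
		return "", nil, err
	}
	return string(text), rights, bobErr
}

func main() {
	text, rights, bobErr := Demo()
	fmt.Printf("alice reads %q with rights %v; bob's request: %v\n", text, rights, bobErr)
}
```

Two design points carry over to the real product: the server, not the author, is the only party that can turn a publishing license into an end user license, which is why the server's private key and its licensing logs are the control points; and the rights list travels inside the EUL sealed to the user, so the client application enforces view/edit/print on a document it can only decrypt because it was licensed.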
The information lifecycle
[Diagram: stages Author, Generate, Annotate, Edit, Display, Search, Print, Archive, Recovery, Delete, Revoke and Expiry; locations and channels Hard disk, Memory, Network, Hosted storage, USB drive, E-mail, Instant messaging, Peer-to-peer, Workflow, Home, Enterprise, Mobile, PC, Cloud and Cloud workspace]
SharePoint and RMS
• Documents can be stored encrypted or non-encrypted on the server
• Recommendations are:
  • Store documents non-encrypted
  • Non-encrypted documents can be searched
  • Let SharePoint encrypt documents on retrieval
• Using SharePoint ensures the use and adoption of RMS
• Enhances the SharePoint proposition
• Education of users is still required
What is Microsoft Forefront?
• Microsoft Forefront is a comprehensive line of business security products providing greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis.
[Diagram: product areas Client and Server OS, Server Applications, Edge]
Next steps
• Receive the latest Security news, sign up for the:
  • Microsoft Security Newsletter
  • Microsoft Security Notification Service
• Assess your current IT security environment
  • Download the free Microsoft Security Assessment Tool
• Find all your security resources here: http://www.microsoft.com/uk/security/infosec2008
Session Evaluation
• Hand in your session evaluation on your way out
• Win one of 2 Xbox 360® Elites in our free prize draw*
• Winners will be drawn at 3.30 today
• Collect your goody bag, which includes:
  • Windows Vista Business (Upgrade)
  • Forefront Trials
  • Forefront Hands-On Labs
  • Security Resources CD
• I’ll be at the back of the room if you have any questions
* Terms and conditions apply, alternative free entry route available.