290 likes | 475 Views
Strong Authentication with Identity Lifecycle Manager. John Weigelt National Technology Officer Microsoft Canada Hugh Lindley VP, Identity Assurance Avaleris Inc. Identity and Access. Regulations. IT Controls. Business Policy. Security. Business Process. Interact. Inform. Decisions.
E N D
Strong Authentication with Identity Lifecycle Manager John Weigelt National Technology Officer Microsoft Canada Hugh Lindley VP, Identity Assurance Avaleris Inc.
Identity and Access Regulations IT Controls Business Policy Security Business Process Interact Inform Decisions Collaboration Identity at the Center
IDA Challenges Compliance • Provisioning in accordance with company policies • Establishing auditable processes for granting access rights Security • Ensuring that only authorized users get network access • Protecting confidential information from improper distribution Business Enablement • Freeing up IT resources to focus on high business-value work • Creating new ways to connect with customers & partners OperationalEfficiency • Automating, reducing and simplifying manual processes • Reducing the complexity of managing many identity stores
User andDeveloperExperiences MicrosoftOffice Windows WebSites .Net & Visual Studio IDAManagement Identity Lifecycle Manager PlatformComponents Active DirectoryFederation Services CertificateServices Rights ManagementServices Active Directory Domain & Directory Services Workflow Foundation Windows Services 20+ Connectors Extensibility WS-* Microsoft’s IDA Offerings
User andDeveloperExperiences MicrosoftOffice Windows WebSites .Net & Visual Studio IDAManagement Identity Lifecycle Manager PlatformComponents Active DirectoryFederation Services CertificateServices Rights ManagementServices Active Directory Domain & Directory Services 20+ Connectors Extensibility WS-* Workflow Foundation Windows Services Focused on 5 Solution Areas Microsoft SolutionFocus Areas DirectoryServices InformationProtection StrongAuthentication FederatedIdentity/SSO IdentityLifecycle Mgmt
MIIS CLM Beta Identity Lifecycle Manager Today 2H 2008 Previously Common Platform Connectors Delegation Workflow Web Service API Logging User Management Access Management Microsoft IdentityLifecycle Manager 2007 ILM “2” Credential Management Policy Management • Metadirectory • Certificate Management • User Provisioning • Empowers People • IT Control with Less Effort • Increases Operational Efficiency
Microsoft ILM 2007 • Brings together metadirectory, certificate & smart card lifecycle management, and user provisioning across Windows and enterprise systems into a single packaged offering. • Identity Synchronization • Provides single view of a user across enterprise systems • Automatically keeps identity information across systems consistent • Certificate and Smart Card Management • Reduces cost of managing certificate-based credentials • Automates workflow-driven certificate issuance and revocation • Vastly simplifies deployment of smart cards • User Provisioning • Automates the process of on-boarding and off-boarding users • Simplifies compliance through automated IDA enforcement • Enforces consistent credentials across systems
Partner Title Hugh Lindley, CISSPVP, Identity Assurance Avaleris Inc. hugh.lindley@avaleris.com (613) 237-9695 ext 235
About Avaleris Company Profile • Microsoft Identity & Access (IDA) Systems Integration Partner • Global provider of Identity Assurance professional services & solutions • Incorporated by founders of Alacris -- the original developer of idNexus • Predecessor to Microsoft Certificate Lifecycle Manager (CLM) • Acquired by Microsoft in late 2005 -- now integrated with Microsoft ILM 2007 • Successfully deployed in over 25 global clients in North America & Europe Value Avaleris Provides • Heritage of client success & proven solution approach in Identity Assurance • Understanding of the management & implementation challenges • Depth of technical expertise in Microsoft IDA products
Agenda • The business case for Multi-Factor Authentication • Typical ILM 2007 deployment scenarios • Smart card deployment scenario walkthrough • ILM 2007 demonstration • Share best practices & lessons learned • Identify additional resources
Canada GSP and MITS Federal Accountability Act PIPEDA, FIPA, MFIPPA Bill 198 - ICOFR International HSPD-12 / FIPS 201 Sarbanes-Oxley HIPAA Gramm-Leach-Bliley Basel II EU - Data Protection Directive EU - Qualified Certificates & Signatures FFIEC Business Drivers Increased IT Security & Operational Efficiencies Regulatory Compliance Security and Risk Management Privacy and Information Protection Auditability and Accountability Effective deployment and lifecycle management of MFA Simplifying user authentication Increased efficiency of helpdesk staff
Implementation Challenges • Lifecycle Management of Smart Cards and Certificates • Smart card personalization and customization • Dealing with lost, stolen or forgotten smart cards • Deployment of smart card middleware • Multi-channel authentication • Alignment of management and security practices • High number of distributed sites and locations • Leveraging existing IT infrastructure • Integration with other IDA solution components • Minimizing help-desk workload
ILM 2007 Functionality Smart Card / Certificate Lifecycle Management • Single administration point for digital certificates and smart cards • Configurable policy-based workflows for common tasks • Enroll / renew / update • Recover / card replacement • Revoke • Retire / disable smart card • Issue temporary / duplicate smart card • Personalize smart card • Detailed auditing and reporting • Support for centralized, decentralized and self-service scenarios • Tightly integrated with Active Directory
Smart Cards in the Public Sector • U.S. Federal Government • HSPD-12 / FIPS 201-- issued fall of 2004 • Goal: Establish a common identification standard for all federal government employees and contractors • Personal Identity Verification (PIV) – I (Oct 2005): • Identity validation & credential issuance process • Personal Identity Verification (PIV) - I I (Oct 2006): • Ability to issue FIPS 201 compliant smart card • Most departments / agencies have met initial FIPS 201 milestones and are working towards production implementations • Growing interest in broader public & private sectors
Deployment Scenarios • Smart Card Authentication • Secure Email (S/MIME) • Secure Remote Access (VPN) • Wireless LAN Authentication • File and Hard Drive Encryption • Secure Web Applications • Distributed Certificate Enrollment • Document Signing
Deployment Scenarios • Smart Card Authentication • Secure Email (S/MIME) • Secure Remote Access (VPN) • Wireless LAN Authentication • File and Hard Drive Encryption • Secure Web Applications • Distributed Certificate Enrollment • Document Signing
Smart Card Deployment Requirement: • Two-factor authentication • Smart card based network login • Verification of Employee ID before card issuance • Address smart card management issues • 100’s – 10,000’s of users
Smart Card Deployment Deployment Considerations: • Registration and Issuance Process • Choice of Smart Card Platform • Lifecycle Management of the Smart Cards • Middleware Deployment (if not Base CSP)
Physical Architecture Component Architecture E-mail SQL Microsoft Certificate Authority AD CLM Policy Module Microsoft CAs CLM Exit Module MicrosoftCertificate Lifecycle Manager CLM AD Integration CLM Web App Internet Information Server Internet Explorer End User CLM Browser Control Smart Card Middleware ILM 2007 Architecture
Profile Templates Certificate Template(s) Management Policies EnrollmentWork flowSelf-ServiceDataCollection RecoveryWork flowSelf-ServiceDataCollection Etc.,Work flowSelf-ServiceDataCollection Smart Card Information(if needed) ILM 2007 Architecture Include policies for each taskthat might be performed Additional profile data includedfor smart card management Can include templates issued from more than one CA Profile Templates include oneor more certificate managedas a single entity Policy updates managedon a per user basis by Active Directory (AD) groups Contains necessary informationto enforce policy across multiple certificates, users, and groups Stored in AD and availableacross the forest
Smart Card Deployment • Duplicate • Enroll • Online Update • Replace Policy • Recover on Behalf • Renew Policy • Reinstate Policy • Disable Policy • Retire Policy • Temporary Cards • Unblock
Enroll Policy Some questions to answer: • What level of assurance are you trying to achieve? • Are you giving the end-user the ability to self-service? • Are you using enrollment agents? • Are you collecting comments? • How many approvals do you require? • Who can initiate the request? • Who can approve the request? • What types of data will you be collecting? • Are you using one-time secrets for registration? • Are you printing smart cards or documentation during enrollment?
Smart Card Deployment • Duplicate • Enroll • Online Update • Replace Policy • Recover on Behalf • Renew Policy • Reinstate Policy • Disable Policy • Retire Policy • Temporary Cards • Unblock
Demo Title Smart Card Enrollment Policy and Smart Card Issuance
Benefits of ILM 2007 Approach • Two Factor Authentication • Reduced cost and complexity • Flexible policy driven workflow model • Integrated Identity Lifecycle Management (certs, SC, etc) • Supports a range of smart card platforms • Less custom development effort required • Leverages existing infrastructure
Business Proceed in phased approach to realize success early Align issuance process with management and security policy Use risk assessments to identify high-sensitivity systems Determine your required level of assurance Map access control workflow and optimize where possible Technical Understand the Smart Card Lifecycle Management Challenge Map out optimal deployment scenario Centralized Decentralized Self-Service Select a smart card & middleware strategy Deal with temporary card issuance Leverage existing infrastructure where practical Lessons Learned
ILM 2007 Resources • Microsoft ILM 2007 Website - www.microsoft.com/ilm • Datasheets • Whitepapers • Flash Demo • Avaleris Website - www.avaleris.com • Identity Assurance Solutions • ILM 2007 Service Offerings • Whitepapers & technical information • Avaleris ILM 2007 Lunch & Learn Series • Closer look at ILM 2007 within context of your specific requirements • Map out next steps towards ILM 2007 Proof of Concept Pilot • Contact Avaleris representative for schedule of upcoming sessions
Avaleris Contacts • Hugh Lindley, CISSP • VP, Identity Assurance • hugh.lindley@avaleris.com • (613) 237-9795 ext 235 • Anita Burwash • VP, Sales • anita.burwash@avaleris.com • (613) 237-9695 ext 221