Identity and Access Management

The document discusses identity and access management and the need for a universal identity system. It describes the current problem of multiple incompatible identity systems and the challenges of managing digital identities. It proposes the idea of an identity metasystem based on open standards to help address these issues.

Identity and Access Management: Overview
2

Identity Problem of Today


3

Universal Identity?

• The Internet was built so that communications are anonymous
• In-house networks use multiple, often mutually-incompatible, proprietary identity systems
• Users are incapable of handling multiple identities
• Criminals love to exploit this mess
4

Explosion of IDs

[Chart: number of digital IDs against time. Time axis: Pre 1980’s, 1980’s, 1990’s, 2000’s. Technology waves labelled, in order: Mainframe, Client Server, Internet Applications, Mobility. Growing identity populations: Company (B2E), Customers (B2C), Business Partners / Automation (B2B).]
5

The Disconnected Reality

[Diagram: eight separate systems, each with its own Authentication, Authorization and Identity Data: HR System, NOS, Lotus Notes Apps, Enterprise Directory, Infra Application, COTS Application, and two In-House Applications.]

“Identity Chaos”
• Lots of users and systems required to do business
• Multiple repositories of identity information; multiple user IDs, multiple passwords
• Decentralized management, ad hoc data sharing
6

Multiple Contexts

[Diagram: Your COMPANY and your EMPLOYEES at the centre, surrounded by Your CUSTOMERS, Your SUPPLIERS, Your PARTNERS, and Your REMOTE and VIRTUAL EMPLOYEES. Drivers shown around them:]
• Customer satisfaction & customer intimacy; cost competitiveness; reach, personalization
• Collaboration; outsourcing; faster business cycles, process automation; value chain
• M&A; mobile/global workforce; flexible/temp workforce
7

Trends Impacting Identity

Rising Tide of Regulation and Compliance
• SOX, HIPAA, GLB, Basel II, 21 CFR Part 11, …
• $15.5 billion spend in 2005 on compliance (analyst estimate)

Deeper Line of Business Automation and Integration
• One half of all enterprises have SOA under development
• Web services spending growing 45% CAGR

Increasing Threat Landscape
• Identity theft costs banks and credit card issuers $1.2 billion in 1 yr
• $250 billion lost in 2004 from exposure of confidential info

Maintenance Costs Dominate IT Budget
• On average employees need access to 16 apps and systems
• Companies spend $20-30 per user per year for PW resets
8

Pain Points

[Table, one column per stakeholder:]
• IT Admin: too many user stores and account admin requests; unsafe sync scripts
• Developer: redundant code in each app; rework code too often
• End User: too many passwords; long waits for access to apps, resources
• Security/Compliance: too many orphaned accounts; limited auditing ability
• Business Owner: too expensive to reach new partners, channels; need for control
9

Possible Savings

Directory Synchronization
• “Improved updating of user data: $185 per user/year”
• “Improved list management: $800 per list”
  - Giga Information Group
Password Management
• “Password reset costs range from $51 (best case) to $147 (worst case) for labor alone.” – Gartner
User Provisioning
• “Improved IT efficiency: $70,000 per year per 1,000 managed users”
• “Reduced help desk costs: $75 per user per year”
  - Giga Information Group
10

Is This Going to Scale?

• Today, the average corporate user spends 16 minutes a day logging on
• A typical home user maintains 12-18 identities
• The number of phishing and pharming sites grew over 1600% over the past year
• Corporate IT Ops manage an average of 73 applications and 46 suppliers, often with individual directories
• Regulators are becoming stricter about compliance and auditing
• Orphaned accounts and identities lead to security problems
11

One or Two Solutions?

Better Option:
• Build a global, universal, federated identity metasystem
• Will take years…

Quicker Option:
• Build an in-house, federated identity metasystem based on standards
• Federate it to others, system-by-system

But: both solutions could share the same conceptual basis
12

Identity Laws and Metasystem


13

Lessons from Passport

Passport was designed to solve two problems:
• Identity provider for MSN
  • 250M+ users, 1 billion logons per day
  • Significant success
• Identity provider for the Internet
  • Unsuccessful:
    • Not trusted “outside context”
    • Not generic enough
    • Meant giving up control over identity management
    • Cannot re-write apps to use a central system

Learning: the solution must be different from Passport
14

Idea of an Identity Metasystem

Not an Identity System
• Agreement on metadata and protocols, allowing multiple identity providers and brokers
• Based on open standards
• Supported by multiple technologies and platforms
• Adhering to the Laws of Identity
• With full respect of privacy needs
15

Roles Within Identity Metasystem

Identity Providers
• Organisations, governments, even end-users
• They provide Identity Claims about a Subject
  • Name, vehicles allowed to drive, age, etc.

Relying Parties
• Online services or sites, doors, etc.

Subjects
• Individuals and other bodies that need their identity established
16

Metasystem Players

Identity Providers
• Issue identities

Relying Parties
• Require identities

Subjects
• Individuals and other entities about whom claims are made
17

Identity Metasystem Today

Basically, the set of WS-* Security Guidelines as we have it
Plus:
• Software that implements the services
  • Microsoft and many others working on it
• Companies that would use it
  • Still to come, but early adopters exist
• End-users that would trust it
  • Will take time
18

Identity Laws

1. User Control and Consent
2. Minimal Disclosure for a Constrained Use
3. Justifiable Parties
4. Directed Identity
5. Pluralism of Operators and Technologies
6. Human Integration
7. Consistent Experience Across Contexts
19
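The three metasystem roles (Identity Provider, Relying Party, Subject) and the first four laws, as an added example that is not part of the original deck: the identity provider issues claims about a subject addressed to one named relying party, the subject releases only the claims it has consented to, and the relying party checks issuer, signature, audience and expiry before trusting anything. The HMAC-signed JSON token, the shared key, the record store and the names (idp.example, shop.example, alice) are constructed assumptions standing in for a real WS-*/SAML token and a real trust relationship.

```python
"""Added example (not from the original slides): identity-metasystem roles.
The token format is a constructed HMAC-signed JSON blob, not WS-* or SAML."""
import hashlib
import hmac
import json
import time

# Constructed sample: what the identity provider knows about one subject.
IDP_RECORDS = {
    "alice": {"name": "Alice Example", "age": 34,
              "licence_classes": ["B"], "home_address": "sample-only"},
}


class IdentityProvider:
    """Issues claims about a subject, addressed to one relying party."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def issue(self, subject, audience, requested_claims, ttl=300, now=None):
        record = IDP_RECORDS[subject]
        now = time.time() if now is None else now
        # Law 2 (minimal disclosure): only the claims this relying party asked for.
        claims = {c: record[c] for c in requested_claims if c in record}
        # Laws 3 and 4: the token names its issuer and is directed at one audience.
        body = {"iss": self.name, "sub": subject, "aud": audience,
                "exp": now + ttl, "claims": claims}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class Subject:
    """Law 1 (user control and consent): the user decides what is released."""

    def __init__(self, consented):
        self.consented = set(consented)

    def release(self, token):
        claims = json.loads(token["payload"])["claims"]
        if set(claims) - self.consented:
            raise PermissionError("subject has not consented to all requested claims")
        return token


class RelyingParty:
    """Accepts claims only from trusted issuers, and only tokens meant for it."""

    def __init__(self, name, trusted_issuers):
        self.name = name
        self.trusted = trusted_issuers  # issuer name -> verification key

    def accept(self, token, now=None):
        body = json.loads(token["payload"])
        key = self.trusted.get(body.get("iss"))
        if key is None:
            return False, "untrusted issuer"
        expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad signature"
        if body.get("aud") != self.name:
            return False, "token issued for a different party"
        now = time.time() if now is None else now
        if body["exp"] < now:
            return False, "expired"
        return True, body["claims"]


def scenario(now=1_700_000_000.0):
    """Run the happy path and four failure modes; returns the outcomes."""
    key = b"constructed-shared-key"
    idp = IdentityProvider("idp.example", key)
    shop = RelyingParty("shop.example", {"idp.example": key})
    alice = Subject(consented={"age", "name"})
    results = {}
    good = idp.issue("alice", "shop.example", ["age"], now=now)
    results["ok"] = shop.accept(alice.release(good), now=now)
    # Over-disclosure: the RP asks for more than the subject agreed to release.
    wide = idp.issue("alice", "shop.example", ["age", "home_address"], now=now)
    try:
        alice.release(wide)
        results["consent"] = "released"
    except PermissionError:
        results["consent"] = "refused"
    # Replay to another relying party: the audience check rejects it.
    other = RelyingParty("other.example", {"idp.example": key})
    results["wrong_audience"] = other.accept(good, now=now)
    # Tampered claim value: the signature no longer matches.
    forged = {"payload": good["payload"].replace(b'"age": 34', b'"age": 99'),
              "sig": good["sig"]}
    results["tampered"] = shop.accept(forged, now=now)
    # Stale token presented an hour later.
    results["expired"] = shop.accept(good, now=now + 3600)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The audience field is what makes the identity "directed": the same claims signed for shop.example are worthless to other.example, which is the check a relying party most often forgets.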

Enterprise Applicability

• That proposed metasystem would work well inside a corporation
• But, it will be 5-7 years at least before the beginning of adoption!
• Of course, we need a solution before it becomes a reality
• Following the principles seems a good idea while planning immediate solutions
• Organic growth likely to lead to an identity metasystem in long term
20

Enterprise Trends

• Kerberos can no longer easily span disconnected identity forests and technologies
• We are moving away from Groups and traditional ACLs…
  • Increasingly limited and difficult to manage on large scales
• …towards a combination of:
  • Role-Based Access Management, and,
  • Rich Claims Authorization
• PKI is still too restrictive, but it is clearly a component of a possible solution
21

Components and Terminology


22

What is Identity Management?

[Word cloud of identity management topics: Password Management, Single Sign On, Secure Remote Access, Federation, Role Management, Web Services Security, Provisioning, Authorization, Auditing & Reporting, Directories, Strong Authentication, Digital Rights Management, PKI.]
23

Identity and Access Management

A system of procedures, policies and technologies to manage the lifecycle and entitlements of electronic credentials.

• Directory Services: repositories for storing and managing accounts, identity information, and security credentials
• Access Management: the process of authenticating credentials and controlling access to networked resources based on trust and identity
• Identity Lifecycle Management: the processes used to create and delete accounts, manage account and entitlement changes, and track policy compliance
24

Remember the Chaos?

[Diagram repeated from “The Disconnected Reality”: HR System, NOS, Lotus Notes Apps, Enterprise Directory, Infra Application, COTS Application and two In-House Applications, each with its own Authentication, Authorization and Identity Data.]
25

Identity Integration

[Diagram: the same systems (HR System, Student Admin, Lotus Notes Apps, Infra Application, COTS Application and two In-House Applications), each still with its own Authentication, Authorization and Identity Data, now connected through an Identity Integration Server to the Enterprise Directory.]
26

IAM Benefits

Benefits today (Tactical)
• Save money and improve operational efficiency
• Improved time to deliver applications and service
• Enhance Security
• Regulatory Compliance and Audit

Benefits to take you forward (Strategic)
• New ways of working
• Improved time to market
• Closer Supplier, Customer, Partner and Employee relationships
27

Some Basic Definitions

Authentication (AuthN)
• Verification of a subject’s identity by means of relying on a provided claim
• Identification is sometimes seen as a preliminary step of authentication
  • Collection of (as yet) untrusted information about a subject, such as an identity claim
Authorization (AuthZ)
• Deciding what actions, rights or privileges the subject can be allowed

Trend towards separation of those two
• Or even of all three, if biometrics are used
28
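The separation of AuthN from AuthZ above, together with the move from group ACLs towards roles plus rich claims from the Enterprise Trends slide, as an added example that is not part of the original deck: authentication verifies a credential and hands back only an identity (a set of claims), and two independent authorization functions then decide on that identity, one with a traditional per-resource group ACL and one with role permissions gated by a department claim. The user store, the PBKDF2 hashing, the groups, roles, resources and the users bob and carol are constructed sample data.

```python
"""Added example (not from the original slides): authentication kept separate
from authorization, and a group-ACL check beside a role + claims policy.
Users, groups, roles and resources are constructed sample data."""
import hashlib
import hmac
import secrets

# ---- Authentication (AuthN): verify a credential and return an identity ----
USER_STORE = {}  # constructed user store; passwords kept as salted PBKDF2 hashes


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user, password, groups, roles, department):
    salt = secrets.token_bytes(16)
    USER_STORE[user] = {"salt": salt, "hash": _pw_hash(password, salt),
                        "groups": set(groups), "roles": set(roles),
                        "department": department}


def authenticate(user, password):
    """Returns an identity (claims) on success, None on failure; no AuthZ here."""
    rec = USER_STORE.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"]):
        return None
    return {"sub": user, "groups": rec["groups"], "roles": rec["roles"],
            "department": rec["department"]}


# ---- Authorization (AuthZ), traditional: per-resource ACL of groups ----
ACL = {"payroll-db": {"read": {"finance-staff"}, "write": {"finance-managers"}}}


def authorize_by_group(identity, resource, action):
    return bool(identity["groups"] & ACL.get(resource, {}).get(action, set()))


# ---- Authorization (AuthZ), role-based plus rich claims ----
ROLE_PERMISSIONS = {
    "finance-clerk": {("payroll-db", "read")},
    "finance-manager": {("payroll-db", "read"), ("payroll-db", "write")},
}
# Claim constraints a subject must satisfy in addition to holding a role.
RESOURCE_CLAIMS = {"payroll-db": {"department": "finance"}}


def authorize_by_role_and_claims(identity, resource, action):
    has_role = any((resource, action) in ROLE_PERMISSIONS.get(r, set())
                   for r in identity["roles"])
    if not has_role:
        return False
    required = RESOURCE_CLAIMS.get(resource, {})
    return all(identity.get(k) == v for k, v in required.items())


def scenario():
    """Constructed: Carol was a finance manager, then transferred to Sales.
    HR updated her department claim, but nobody removed her from the group."""
    USER_STORE.clear()
    register("bob", "bob-sample-pw", groups=["finance-staff"],
             roles=["finance-clerk"], department="finance")
    register("carol", "carol-sample-pw", groups=["finance-managers"],
             roles=["finance-manager"], department="sales")
    results = {"bad_password": authenticate("bob", "wrong")}
    bob = authenticate("bob", "bob-sample-pw")
    carol = authenticate("carol", "carol-sample-pw")
    results["bob_read_group"] = authorize_by_group(bob, "payroll-db", "read")
    results["bob_read_claims"] = authorize_by_role_and_claims(bob, "payroll-db", "read")
    results["bob_write_claims"] = authorize_by_role_and_claims(bob, "payroll-db", "write")
    # The stale group still grants Carol write access; the claims policy does not.
    results["carol_write_group"] = authorize_by_group(carol, "payroll-db", "write")
    results["carol_write_claims"] = authorize_by_role_and_claims(carol, "payroll-db", "write")
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of the Carol case is that a group membership is a second copy of the fact "Carol works in finance", maintained by hand in every application, while the claim is sourced from the authoritative record once and the decision follows it automatically.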

Components of IAM

[Diagram of IAM components:]
• Administration: User Management, Password Management, Workflow
• Access Management: Authentication, Authorization
• Identity Management: Account Provisioning, Account Deprovisioning, Synchronisation
• Reliable Identity Data
29
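The provisioning, deprovisioning and synchronisation components above, and the Identity Integration Server that joins the disconnected systems to the enterprise directory, as an added example that is not part of the original deck: one reconciliation pass that treats HR as the authoritative source, joins each connected system's accounts to it on that system's own foreign key, and emits the actions a lifecycle engine would carry out, including the orphaned accounts the earlier slides call out as a security problem. The HR records, the two connected systems (nos, crm-app) and their schemas are constructed sample data.

```python
"""Added example (not from the original slides): a reconciliation pass of the
kind an identity integration server performs. HR is the authoritative source;
the network OS and an application each keep their own account store.
All records are constructed sample data."""

# Authoritative identity data: one record per employee from HR.
HR_RECORDS = [
    {"emp_id": "1001", "name": "Alice Example", "status": "active", "dept": "finance"},
    {"emp_id": "1002", "name": "Bob Example", "status": "terminated", "dept": "sales"},
    {"emp_id": "1003", "name": "Carol Example", "status": "active", "dept": "it"},
]

# Two connected systems, each with its own schema and its own idea of the user.
CONNECTED_SYSTEMS = {
    "nos": {
        "key": "emp_id",
        "accounts": [
            {"login": "alice", "emp_id": "1001", "dept": "finance"},
            {"login": "bob", "emp_id": "1002", "dept": "sales"},
            {"login": "tmp_contractor", "emp_id": None, "dept": "ops"},
        ],
    },
    "crm-app": {
        "key": "hr_ref",
        "accounts": [
            {"user": "alice@corp.example", "hr_ref": "1001", "dept": "accounting"},
            {"user": "dave@corp.example", "hr_ref": "1099", "dept": "sales"},
        ],
    },
}


def reconcile(hr_records, systems):
    """Join each system's accounts to HR on its foreign key and emit actions:
    provision, deprovision, sync (attribute drift) or orphan (no HR record)."""
    hr_by_id = {r["emp_id"]: r for r in hr_records}
    actions = []
    for system, spec in systems.items():
        seen = set()
        for acct in spec["accounts"]:
            ref = acct.get(spec["key"])
            hr = hr_by_id.get(ref)
            if hr is None:
                # Account with no authoritative owner: the orphaned-account problem.
                actions.append((system, "orphan", acct))
                continue
            seen.add(ref)
            if hr["status"] != "active":
                # Leaver still has an account: deprovision before anything else.
                actions.append((system, "deprovision", acct))
            elif acct.get("dept") != hr["dept"]:
                # Attribute drift: push the authoritative value down.
                actions.append((system, "sync", {**acct, "dept": hr["dept"]}))
        for emp_id, hr in hr_by_id.items():
            if hr["status"] == "active" and emp_id not in seen:
                actions.append((system, "provision", hr))
    return actions


def summarize(actions):
    """Count actions per (system, type); the shape of a compliance report."""
    counts = {}
    for system, kind, _ in actions:
        counts[(system, kind)] = counts.get((system, kind), 0) + 1
    return counts


if __name__ == "__main__":
    for system, kind, payload in reconcile(HR_RECORDS, CONNECTED_SYSTEMS):
        print(f"{system:8} {kind:12} {payload}")
```

On the sample data the pass deprovisions Bob from the NOS, flags the contractor account and dave@corp.example as orphans (no HR owner at all), corrects Alice's department in the CRM and provisions Carol into both systems; the orphan list is the one a security team should review by hand rather than auto-delete, since a legitimate service account looks exactly like an orphan to a join on employee ID.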

IAM Architecture
30

Roadmap
31

Microsoft’s Identity Management

[Table, one column per area:]
Directory (Store) Services
• Active Directory & ADAM
• Extended Directory Services
• Enterprise Single Sign On
• Services for Unix / Services for Netware

Access Management
• Active Directory Federation Services
• Authorization Manager
• PKI / CA
• ISA Server

Identity Lifecycle Management
• Identity Integration Server
• BizTalk
• Audit Collection Services
• SQL Server Reporting
32

Components of a Microsoft-based IAM

• Infrastructure Directory: Active Directory
• Application Directory: AD/AM (LDAP)
• Lifecycle Management: MIIS
• Workflow: BizTalk, Partner Solutions (Ultimus BPM, SAP)
• Role-Based Access Control: Authorization Manager or Partner Solutions (e.g. OCG, RSA) and traditional approaches
• Directory & Password Synchronization: MIIS & Partner solutions
• SSO (Intranet): Kerberos/NTLM, Vintela/Centrify
• Enterprise SSO (Intranet): Sharepoint ESSO, BizTalk ESSO, HIS ESSO
• Strong Authentication: SmartCards, CA/PKI, Partner (e.g. RSA – SecurID, Alacris, WizeKey)
• Web SSO: ADFS, Partner (e.g. RSA – ClearTrust)
• Integration of UNIX/Novell: SFU, SFN, Partner (e.g. Vintela/Centrify)
• Federation: ADFS
