Identity and Access Management (IAM)
Identity Management
Identity and Access Management (IAM): the foundation for the cloud
4/5/2017 8:25 PM
What is an identity?
“An identity is a set of claims that one party makes about another party in the context of an established relationship.”
Examples of identifiers and credentials: Username, Password, Passport, One-time password (OTP), Badge, Smart card, Biometrics
Profile attributes: Name | Address | Telephone | Mobile | Fax | Building | Room
Speaker notes: A person is granted a set of privileges based on their role. The person is then given an identifier that will be associated with their role. The strength of the identifier will determine the strength of the forensic evidence in an investigation.
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
The evolution of identities
“The client/server era started a growth of digital identities that continues with the cloud.”
Diagram (number of identities over time, Pre-1980 | 1980 | 1990 | 2000): Mainframe, Client/Server, Internet, PKI, Identity management, One ID and password, Enterprise SSO, Web SSO, Strong authentication, Federation, Mobility, The cloud
Speaker notes: In the early days IT was very simple: you had one domain that didn't interact with other domains, and for the users that logged on to that domain the biggest privilege they were granted was what they could see or what they could print. That evolved into portable clients: users could take data, in relatively large volumes, away from the physical protection of the entity, and they also required remote connectivity, but that was generally done by private line. The evolution of the Internet has data coming and going from many sources to many devices, with IP spread across the Internet.
The evolution of users
The definition of a user has changed since the 80s, and so have the number and complexity of digital identities.
Diagram (number of identities over time, Pre-1980 | 1980 | 1990 | 2000): Employee, Consultants, Contractors, Outsourcing, Offshoring, Partners, Suppliers, Customers, Citizens, Mobile users, Web SSO, Mobility, The cloud
The evolution of IT functions and services
Diagram axes: Internal / External; Past / Today / Future
The traditional boundaries of an organization change when IT functions and services are no longer constrained by the traditional models.
Headaches for the user
Managing identities: a growing number of identities with different user IDs and passwords, or different authentication tokens to manage; forgotten passwords.
Access to services: ordering access is often cumbersome; once ordered, there is poor insight into its status; different processes for different systems and applications; it takes too long.
Working in the cloud: access to cloud services requires the ability to manage new relationships with external service providers; often the relationship with a third party is based on e-mail and limited to trusting an e-mail address.
Consolidate the identity
Security domains: Physical security, Network security, Application security, Document security
Credentials: One-time password (OTP), ID and password, Smart cards, Certificates
Value analysis of identity management
Monetary values: direct monetary values, indirect monetary values
Non-monetary values
Return on Investment (ROI), Sponsorship & communication, Measurable goals, Value-based approach
An analysis of the value of an IDM solution creates sponsorship, defines measurable goals and prioritizes activities.
Why a Microsoft-based IAM solution?
Microsoft offers an integrated solution focused on business value.
Leverage existing investments in key infrastructure such as Active Directory.
A smoother and more capable infrastructure that can deliver value faster than competitors.
A large partner network that can extend the value and the possibilities.
Easier to find competence, and a short learning curve.
Focus moves from infrastructure/technology to solving the business's needs.
A complete IAM solution
Edgile, Inc. 4/5/2017
Business-aligned identity management: Ease of Doing Business, Improved processes, Effective compliance, Connect with the cloud, Security
Model: Internal and external users... with business functions and roles... are granted access to... internal and external services (External users, External systems & apps, Users, Roles, Systems & apps).
Microsoft and partner identity solutions: Single Sign-On, IAM processes, Compliance reporting, Enterprise roles, Universal badge, Self-service, Federation, User access revalidation, Public key / smart card management
Lifespan of a User / Identity
Constant change, driven by: HR | Procurement | Business Units | IT | Legal
Events: New Hire, Summer Interns, Professional Services Contract, Staffing Contract, Participation in a Team, Expansion of Roles, Promotions, Change Jobs, Changing Locations, Employment Change at Third Party, Employment Change at Service Provider, Change in Relationships, Change in Partnership, New Business Relationship, New Customer, New Services, Office Closure, Contracts End, Termination of Employment
Lifecycle stages: Employment; New relationships; Access to services in order to do the work; Termination
Integrated processes
Identity management is ultimately about business processes.
Processes that meet in the identity system: Access Request & Approval Processes, Business Relationship Processes, Human Resource Processes, Security & Compliance Processes, Procurement Processes, Provisioning Processes, with Integration and Workflow tying them together.
Integrating Provisioning
Feeding processes: Access Request and Approval Processes, Procurement Processes, Human Resource Processes, Security and Compliance Processes, Business Relationship Processes, Provisioning Processes (Integration, Workflow)
Identity Process Management capability: HR driven, Self-service component, Policy driven (who can access what and why), Authorization based, Transactional auditing (who authorized what), Cross platform, Role based, Exception-based component, Audited and reported
Integrated provisioning targets: Identity Stores, Content Stores, Enterprise Apps, Web Apps, SaaS/Cloud Services (managed systems and directories)
Evolution of Identity Manager (Zoomit, MMS, MIIS, ILM, FIM)
Common platform: User Management, Group Management, Workflow, Connectors, Logging, Web Service API, Synchronization, Credential Management, Policy Management
Speaker notes: The journey we have been on for more than a decade… Microsoft has been in IDA for over 10 years. Began with our investments in AD. Brought meta-directory into the mainstream with MIIS. With ILM 2007 we converged the metadirectory and user provisioning with management of strong credentials, areas that have traditionally and needlessly been separate implementations. With Forefront Identity Manager 2010 we bring solutions to manage identities, credentials, and identity-based access policies across heterogeneous environments.
Capabilities: Office Integration for Self-Service, Password sync / reset, Codeless Provisioning, Group & DL Management, Workflow and Policy, Identity Synchronization, User Provisioning, Certificate and Smartcard Management
Identity management: the identity system must be extensible
Model: People have roles with business functions; roles are used to grant access to systems and applications. External people and external systems and applications are included through the IAM services: Federation service, Process for external access, Process for external provisioning.
The IAM services provide the functions the business uses to order, track, manage and validate entitlements to the right roles and systems.
The identity system must be extensible to support cloud services effectively.
Identity Management tasks
Provisioning, Deprovisioning, Synchronization, Self-Service Profile Management, Self-Service Group Management, Self-Service Password Management, Certificate and Smart Card Management
One of the most common challenges in managing identity is the provisioning and subsequent deprovisioning of new accounts in existing data sources; common data sources include LDAP directory services and databases. As technology evolves, so do the requirements placed upon it – nowadays, modern solutions must also consider self-service interaction as well as automated provisioning. FIM can help to solve the following common problems:
Provisioning: Identities need to be created automatically in one or more directories or data sources based on the identity appearing in an authoritative source like Human Resources (HR). E.g. automatically create an Active Directory account, Exchange mailbox, LDAP user account, and record in the users table in a custom SQL database, shortly after HR enters information for a new employee.
Deprovisioning: Identities need to be removed or disabled from one or more data sources once a qualifying event (transfer, promotion, leave, termination) occurs. E.g. promptly after HR enters someone's termination information, automatically disable their AD account, hide their mailbox, delete their LDAP accounts, and update a status flag on a record in a custom SQL database.
Synchronization: Attribute data corresponding to the identity must be synchronized from an authoritative source to all other subscribing data sources to enforce consistency. E.g. HR personnel update job titles and department names, then the updated data flows to the corporate directory (AD), LDAP and phone book.
Self-service Profile Management: Users require the ability to update personal profile information like preferred name, address, and telephone number, and this information needs to be kept consistent across all subscribers. E.g. users and managers update their cell phone numbers and preferred first names, then the updated data flows to the corporate directory (AD), LDAP and phone book.
Self-service Group Management: Many users require the ability to request membership in security groups or e-mail distribution lists. Selected users may need the ability to request the creation of new security groups or e-mail distribution list objects and manage them across their lifecycle; conversely, administrators need a process for delegating access control back to the data owners.
Self-service Password Management: Users require the ability to change their password and have it synchronized across all subscribing data sources, as well as to enroll for password reset in the event they forget their password. E.g. upon returning from vacation a user has forgotten his/her password and needs to reset it without calling the helpdesk.
Identity Synchronization and Consistency: identity synchronization across multiple directories
Attribute ownership (which connected system is authoritative for which attribute): FirstName | LastName | EmployeeID | Title | E-Mail | Telephone
Values held by each connected system before synchronization, and the record FIM aggregates from them (slide diagram):
System                    | givenName | sn       | title       | mail                | employeeID | telephone
HR System                 | Samantha  | Dearing  |             |                     | 007        |
SQL Server DB             | Samantha  | Darling  | Coordinator |                     | 007        |
Active Directory/Exchange | Sam       | Dearing  | Intern      | someone@example.com | 007        |
LDAP                      | Sammy     | Dearling |             |                     | 007        | 555-0129
FIM (aggregated)          | Samantha  | Dearing  | Coordinator | someone@example.com | 007        | 555-0129
Identity Data Aggregation: Organizations can also use FIM to synchronize e-mail address lists that are maintained by heterogeneous e-mail systems, such as Microsoft Exchange Server 2000, Exchange Server 2007, and Lotus Notes. Organizations that have multiple Active Directory Domain Services and Exchange forests can use FIM to build a single address book. This increases the value of identity integration by simplifying collaboration as well as increasing IT control.
Note: FIM 2010 provides a simplified single sign-on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems. The policy-based management system of FIM manages users' identity lifecycle and protects corporate assets against misuse as users move between roles or leave the organization.
http://www.microsoft.com/forefront/identitymanager/en/us/features.aspx
http://download.microsoft.com/download/3/2/A/32A7B77A-7D3A-4D24-ACE7-5AA3A908B95E/Understanding%20FIM%202010.docx
Identity Synchronization and Consistency: identity consistency across multiple directories
Same attribute ownership and connected systems as on the previous slide. The values that differ from the aggregated FIM record (Sam, Sammy, Darling, Dearling, Intern, a stray "Bob", and the empty title, mail and telephone fields) are marked "Incorrect or Missing Information". After the outbound flow, every connected system (HR System, SQL Server DB, Active Directory / Exchange, LDAP) holds the same values: givenName Samantha | sn Dearing | title Coordinator | mail someone@example.com | employeeID 007 | telephone 555-0129.
Identity Data Brokering (Convergence): Combining identity data across multiple directories and systems yields automated account reconciliation and consistency management for user accounts, credentials, and attributes. This means organizations with many different directories and other data repositories, such as an HR application, can use Forefront Identity Manager to synchronize user accounts across systems.
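The two synchronization slides above, together with the provisioning and deprovisioning tasks listed earlier, can be worked through in a few lines. The following is an added example and not FIM's code: it joins the four connected systems on employeeID, applies a per-attribute precedence order (an assumption read off the slide: HR owns the names and employeeID, SQL the title, Active Directory the mail address, LDAP the telephone), skips empty values so a lower-precedence system can fill a gap, computes the outbound deltas that flag each system's incorrect or missing values, and plans provision/disable actions from a constructed HR feed.

```python
"""Added example (not Forefront Identity Manager code): a minimal metaverse with
per-attribute precedence, inbound aggregation from several connected systems,
outbound reconciliation, and HR-driven provisioning/deprovisioning.
All records below are constructed to match the values on the slide."""

JOIN_ATTR = "employeeID"

# Attribute ownership, highest precedence first. Assumption read off the slide:
# HR owns names and employeeID, SQL the title, AD the mail address, LDAP the phone.
PRECEDENCE = {
    "givenName":  ["HR", "SQL", "AD", "LDAP"],
    "sn":         ["HR", "SQL", "AD", "LDAP"],
    "employeeID": ["HR", "SQL", "AD", "LDAP"],
    "title":      ["SQL", "HR", "AD", "LDAP"],
    "mail":       ["AD", "HR", "SQL", "LDAP"],
    "telephone":  ["LDAP", "HR", "SQL", "AD"],
}

# Constructed connector-space contents, one record per system for employee 007.
CONNECTED = {
    "HR":   [{"givenName": "Samantha", "sn": "Dearing", "employeeID": "007", "status": "active"}],
    "SQL":  [{"givenName": "Samantha", "sn": "Darling", "title": "Coordinator", "employeeID": "007"}],
    "AD":   [{"givenName": "Sam", "sn": "Dearing", "title": "Intern",
              "mail": "someone@example.com", "employeeID": "007"}],
    "LDAP": [{"givenName": "Sammy", "sn": "Dearling", "employeeID": "007", "telephone": "555-0129"}],
}


def aggregate(connected=CONNECTED, precedence=PRECEDENCE):
    """Join records on employeeID and pick, per attribute, the value from the
    highest-precedence system that actually holds a non-empty value."""
    by_id = {}
    for system, records in connected.items():
        for rec in records:
            by_id.setdefault(rec[JOIN_ATTR], {})[system] = rec
    metaverse = {}
    for emp_id, sources in by_id.items():
        mv = {}
        for attr, order in precedence.items():
            for system in order:
                value = sources.get(system, {}).get(attr)
                if value:  # an empty or missing value never wins precedence
                    mv[attr] = value
                    break
        metaverse[emp_id] = mv
    return metaverse


def export_deltas(metaverse, connected=CONNECTED):
    """Outbound flow: per system, the attributes whose stored value differs from
    the metaverse (the 'incorrect or missing information' on the slide)."""
    deltas = {}
    for system, records in connected.items():
        for rec in records:
            mv = metaverse[rec[JOIN_ATTR]]
            changes = {a: v for a, v in mv.items() if rec.get(a) != v}
            if changes:
                deltas.setdefault(system, {})[rec[JOIN_ATTR]] = changes
    return deltas


def plan_lifecycle(hr_records, ad_accounts):
    """Provisioning/deprovisioning driven by the authoritative HR feed: active
    people without an AD account get provisioned; terminated people with an
    enabled account get disabled (not deleted, so the audit trail survives)."""
    actions = []
    for rec in hr_records:
        acct = ad_accounts.get(rec["employeeID"])
        if rec["status"] == "active" and acct is None:
            actions.append(("provision", rec["employeeID"]))
        elif rec["status"] == "terminated" and acct and acct["enabled"]:
            actions.append(("disable", rec["employeeID"]))
    return actions


if __name__ == "__main__":
    mv = aggregate()
    print(mv["007"])
    print(export_deltas(mv))
```

Running the block prints the aggregated record from the slide (Samantha / Dearing / Coordinator / someone@example.com / 007 / 555-0129) followed by what each system would have to change; the deltas for AD, for instance, are the given name, the title and the missing telephone.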
Connecting to systems
Synchronisation Rules
Connecting and attribute flow
Examples of management agents
Microsoft Active Directory, AD LDS; Microsoft Exchange; Microsoft SQL Server; SAP; IBM DB2, RACF, Tivoli Directory Server, Notes; CA ACF2, Top Secret; Oracle; Novell eDirectory; Sun Directory Server; LDAP, DSML, XML, CSV; Extensible Management Agent (SOA, web services); many ISV partner management agents; open-source management agents
Forefront Identity Manager Portal Overview
Creating Users
User Self Service
User Self Service Users by default can perform self service on themselves, create groups (that expire after a period of time), and view the white pages
Group Management
Purpose: Distribution, Security
Membership: Manual (owners adding/removing members, or users requesting membership subject to an approval policy), Manager, Criteria-based
Scope: Universal, Global, Domain Local
Group Membership Types
Who can get in to the group?
Filter Builder for Groups
Workflow example
End User Experience - Portal
Joining a Group via Outlook
Password Reset – User Interface
QA Gate
Reset Password
Self-Service Password Management: simplify security, manage compliance
Enables users to reset their own passwords through both Windows logon and the FIM password reset portal.
Controls helpdesk costs by enabling end users to manage certain parts of their own identities.
Improves security and compliance with minimal errors while managing multiple identities and passwords.
Diagram: End User → "User requests password reset" → FIM Server → "Passwords updated" in Active Directory, Oracle, SQL Server, IBM DS and LDAP. FIM capabilities integrated with Windows logon. The QA gate randomly selects a number of questions.
FIM 2010 makes it possible for users to manage their own credential information. It allows users to change and reset their passwords without depending on helpdesk support, and it takes care of password synchronization with back-end systems. FIM 2010 has configurable question-and-answer authentication gates and includes extensibility to build additional types of gates—for instance, a smart card gate or a gate that requires a user to enter a code sent to a mobile phone. The enrollment process for authentication gates can be configured to ensure that all users in an organization enroll—for instance, requiring registration at logon.
For example, when users want to change their password, they change it through a password management application that verifies the current user's credential information. If it matches, the new password is updated in FIM. FIM then replicates the new password to all relevant applications, database servers, and directories.
http://www.microsoft.com/forefront/identitymanager/en/us/features.aspx
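The question-and-answer gate described above comes down to three decisions: what to store at enrollment, how to pick the questions for a given attempt, and when to stop accepting attempts. The block below is an added example written for this page, not FIM's gate implementation; it stores only a per-answer salt and PBKDF2 hash, normalizes answers before hashing, selects a random subset of the registered questions for each challenge (the selection size, hash rounds and lockout threshold are assumed values), checks every answer without an early exit, and locks the gate after repeated failures.

```python
"""Added example, not FIM's own code: a question-and-answer reset gate that
keeps only salted PBKDF2 hashes of the answers, challenges the user with a
random subset of the registered questions and locks after repeated failures."""
import hashlib
import hmac
import random
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: tune to the deployment's hardware


def normalize(answer):
    """Fold case and whitespace so 'Main St.' and 'main  st.' compare equal."""
    return " ".join(answer.strip().lower().split())


def enroll(questions_and_answers):
    """Registration: keep a per-answer salt and hash, never the plaintext answer."""
    enrollment = {}
    for question, answer in questions_and_answers.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
        enrollment[question] = (salt, digest)
    return enrollment


class QaGate:
    MAX_FAILURES = 3  # assumption: after this many failed attempts the helpdesk must unlock

    def __init__(self, enrollment, questions_per_challenge=2, rng=None):
        if questions_per_challenge > len(enrollment):
            raise ValueError("not enough registered questions")
        self.enrollment = enrollment
        self.count = questions_per_challenge
        self.rng = rng or random.SystemRandom()  # unpredictable selection in production
        self.failures = 0
        self.pending = []

    @property
    def locked(self):
        return self.failures >= self.MAX_FAILURES

    def challenge(self):
        """Randomly select the questions for this attempt and return them."""
        self.pending = self.rng.sample(sorted(self.enrollment), self.count)
        return list(self.pending)

    def verify(self, answers):
        """Every selected question must be answered correctly. All answers are
        checked (no early exit) so timing does not reveal which one was wrong;
        the caller only learns pass/fail, and one challenge allows one attempt."""
        if self.locked or not self.pending:
            return False
        correct = 0
        for question in self.pending:
            salt, expected = self.enrollment[question]
            given = normalize(answers.get(question, ""))
            digest = hashlib.pbkdf2_hmac("sha256", given.encode(), salt, PBKDF2_ROUNDS)
            correct += hmac.compare_digest(digest, expected)
        self.pending = []
        if correct == self.count:
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    gate = QaGate(enroll({"First pet": "Fluffy", "First street": "Main St.", "Colour": "Blue"}))
    asked = gate.challenge()
    print("asked:", asked)
    print("reset allowed:", gate.verify({q: "wrong" for q in asked}))
```

The `rng` parameter exists so the selection can be made deterministic in tests; production code keeps the default `SystemRandom`. A real gate would also persist the failure counter per user rather than in memory, so that a lockout survives a restart.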
Connect with the cloud (business-aligned identity management)
Problem statement
Authentication (AuthN): verify the user's identity. User ID: "Who are you?" Password: "Prove that you are who you claim to be."
Authorization (AuthZ): decide which functions should be available to the user. User profile: "What kind of user are you?" (e.g. group membership, role)
Problem statement
For an application to perform AuthN and AuthZ, the following is needed: user ID, password, profile (group membership, AD attributes…) … where are these stored?
AuthN & AuthZ for the cloud
Two options for storing user ID, password and profile:
In the cloud: copy AuthN/AuthZ info from on-premise stores to a repository in the cloud using Forefront Identity Manager; BPOS apps will query the repository in the cloud for AuthN/AuthZ info when users log on.
"On premise" / "Private cloud/onsite": keep the data on-site and send AuthN/AuthZ info for a specific user to the application only when that user logs on (ADFS v2/federation).
Option 1: AuthN/AuthZ data in the cloud
BPOS includes a tool (ILM/FIM based) for copying AuthN/AuthZ info from the on-premise AD forest to the cloud.
Diagram: On-premise AD holds the local accounts (User1, Seller; User2, HR Mngr; User3, HelpDesk OP; User4, Finance Cntr); the BPOS Sync Tool copies them to BPOS, where a copy of the local accounts is stored in the cloud. Data is synced every 3 hours, in one direction only (on-premise → cloud).
Option 2: AuthN/AuthZ data on-premise only
Requires a federated trust relationship between the on-premise identity store and the Microsoft Federation Gateway.
Diagram: On-premise AD holds the local accounts (User1, Seller; User2, HR Mngr; User3, HelpDesk OP; User4, Finance Cntr) behind ADFS 2.0; a federated trust relationship (X.509 certificates exchanged) links ADFS 2.0 to the Microsoft Federation Gateway (MS FG) and BPOS. When a user logs on, a token with username and profile info is sent to the BPOS app.
No need to create a copy of on-premise AuthN/AuthZ info: the trust relationship allows BPOS applications to delegate the task of authenticating users to on-premise AD. No copy of local accounts!
Option 2: Federation/ADFS
Business: ability to move seamlessly between applications using a single identity; collaboration across organizations.
IT: no need to manage external accounts; simplified and flexible claims-based federation; common authentication controls for building custom applications.
Diagram: ON-PREMISES ACTIVE DIRECTORY FEDERATION SERVICES ↔ (WS-* and SAML 2.0) ↔ EXTERNAL PARTNER
Background: Collaborating across organizational boundaries—an increasing requirement due to economic forces that are driving companies to outsource more while involving partners and customers more deeply in business processes—requires establishing "trust" between IT environments. In essence, if you want to share sensitive information, then your identity on one network needs to be represented on the other. Otherwise, people outside your firewall will either not be able to view it, or you would have to remove all data restrictions when you forward it—obviously, a compliance violation.
Talking points: End users need consistent, persistent identity and credentials that can flow between organizations and eliminate the need for multiple user accounts, passwords, group memberships, and other IT overhead. With Windows Server 2008 R2 Active Directory Federation Services 2.0 (formerly code named "Geneva"), a single identity can be "federated" from one organization to the other, leveraging "claims" which describe identity attributes and can be used to drive application and other system behaviors. The end result is that a single user needs only a single account (in the parent organization) and password (or smartcard), and all other access and usage policies—wherever the user is allowed to log in and whatever applications are used—are assigned by IT. When the partner or other external organization configures the federation (trust) with your company, they can assign whatever access privileges are needed without having to create a whole new identity / password / policy. They simply accept your "claim" of who you are, and allow you access. This works for both on-premise and in-the-cloud services / networks / applications, and enables a richer collaboration experience without the hassles normally associated with sharing sensitive information—because all policies are identity-based. One identity to rule them all!
Additional information: BEST INNOVATION – European Identity award at EIC 2009. "Geneva (ADFS) project one of the most significant enhancements for future use and dissemination of the Identity Federation" - Kuppinger Cole, European Identity Conference 2009 (EIC). In the category "Best innovation", the award went to the OpenSSO initiative, founded and supported by Sun Microsystems. Their project, OpenSSO Fedlet has provided a lean solution for the Identity Federation. Another award goes to the companies Yubico and AXSionics for their respective innovations in the area of strong authentication, which provide easier solutions for use on the internet and in the context of user-centric identity management. Another award in that category went to Microsoft for their Geneva project, in which federation becomes part of user containers – in the view of Kuppinger Cole, one of the most significant enhancements for future use and dissemination of the Identity Federation.
Source: http://www.id-conf.com/blog/2009/05/07/awards-for-outstanding-identity-management-projects/
Option 2: ADFS / Single Sign On
Diagram: Corporate User authenticates to AD DS and obtains a security token (e.g., a Kerberos ticket); AD FS issues the federation token used by Exchange, SharePoint, a Web App, Cloud Services and a Partner's claims-aware application.
FIM provides the internal data quality needed to build claims from AD/SQL etc.
AD FS creates a SAML token, signs it with the company's private key and sends it back to the user; access to the application is supplied with the token.
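The "option 2" exchange on the last three slides can be reduced to two parties: a federation server that authenticates against the on-premise directory and issues a signed claims token, and a cloud application that holds no copy of the accounts and trusts only the issuer's key exchanged when the federation was set up. The block below is an added example written for this page, not AD FS or BPOS code. It keeps to the Python standard library, so HMAC-SHA256 with that exchanged key stands in for the RSA signature and X.509 certificate the slide describes; the issuer name, audience name, token lifetime and the directory contents are constructed. The relying party checks the signature before trusting any claim, then the issuer, audience and validity window, and derives authorization from the role claim alone.

```python
"""Added example, not AD FS or BPOS code: federated AuthN/AuthZ in miniature.
Accounts stay on-premise; the cloud application receives a signed claims token
and trusts the issuer's key instead of holding a copy of the directory.
HMAC-SHA256 stands in for the RSA signature/X.509 certificate of the slide."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def directory_entry(password, roles):
    """On-premise account record: salted PBKDF2 hash plus profile (roles)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "roles": list(roles),
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)}


class FederationServer:
    """Stands in for AD FS 2.0: AuthN happens here, against the local accounts."""

    def __init__(self, issuer, signing_key, directory):
        self.issuer, self.key, self.directory = issuer, signing_key, directory

    def issue_token(self, username, password, audience, now, ttl=300):
        entry = self.directory.get(username)
        if entry is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 50_000)
        if not hmac.compare_digest(digest, entry["pw_hash"]):
            return None
        claims = {"iss": self.issuer, "aud": audience, "sub": username,
                  "roles": entry["roles"], "nbf": now, "exp": now + ttl}
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        sig = b64url(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class RelyingParty:
    """Stands in for the claims-aware cloud application (BPOS on the slide)."""

    def __init__(self, audience, trusted_issuers):
        self.audience = audience
        self.trusted = trusted_issuers  # issuer name -> verification key from the trust setup

    def validate(self, token, now):
        """Return the claims if signature, issuer, audience and validity window all
        check out, otherwise None. Only 'iss' is read before the signature is
        verified, and only to select the key it is verified with."""
        try:
            body, sig = token.split(".")
            claims = json.loads(b64url_decode(body))
        except ValueError:  # malformed base64 or JSON, wrong number of segments
            return None
        if not isinstance(claims, dict):
            return None
        key = self.trusted.get(claims.get("iss"))
        if key is None:
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        if claims.get("aud") != self.audience:
            return None
        if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
            return None
        return claims

    def authorize(self, token, required_role, now):
        """AuthZ from the profile claim: no directory lookup in the cloud."""
        claims = self.validate(token, now)
        return bool(claims) and required_role in claims.get("roles", [])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed: exchanged at trust setup
    adfs = FederationServer("https://sts.corp.example", key,
                            {"User1": directory_entry("s3cret", ["Seller"])})
    app = RelyingParty("bpos-app", {"https://sts.corp.example": key})
    token = adfs.issue_token("User1", "s3cret", "bpos-app", now=1_000_000)
    print("Seller may enter:", app.authorize(token, "Seller", now=1_000_010))
```

The audience check is what stops a token issued for one cloud application from being replayed against another that trusts the same issuer, and the validity window is what limits the damage of a captured token; both are checked only after the signature, since an unsigned claim is just text.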
Extending the solution
Forefront Identity Manager 2010 (data quality, roles, claims)
ADFS 2.0 (federation on-site/cloud), WebSSO
Unified Access Gateway 2010 (access policies, support for other authentication mechanisms): BankID/eID, SMS tokens, OATH OTP, certificates / smart cards / USB dongles etc., RSA tokens etc.
Summary
Effective internal identity management creates great value for the organization and is the foundation for consuming cloud services in a secure and cost-effective way.
Identity management is ultimately about business processes.
Microsoft and partners offer a complete, market-leading IDM solution that is cost-effective.
“Microsoft's entry into the market is transformational in both the pricing and deployment models”