
Identity Lifecycle Management
Rafał Łukawiecki, Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk
Copyright 2006 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties. This presentation is based on work of many authors from Microsoft, Oxford Computer Group and other companies. Please see the “Introductions” presentation for acknowledgments.


2 Objectives
• Introduce Microsoft Identity Integration Server and related products and technologies
• Explain the processes involved in lifecycle management


3 Session Agenda
• Functionality of Microsoft Identity Integration Server
• Scenarios and Applications of MIIS
• A Few Tips on MIIS


4 Microsoft’s Identity Management
(Diagram with three pillars: Directory (Store) Services, Access Management, Identity Lifecycle Management. Products shown across the pillars: Active Directory & ADAM, Active Directory Federation Services, Identity Integration Server, Extended Directory Services, Authorization Manager, BizTalk, PKI / CA, Enterprise Single Sign On, Audit Collection Services, Services for Unix / Services for Netware, ISA Server, SQL Server Reporting.)


5 Functionality of Microsoft Identity Integration Server


6 What is MIIS?
MIIS is…
• A rock-solid synchronization engine for identity information
• Software that ensures consistency of identity data across repositories
• MIIS makes it radically easier to design, deploy and manage a metadirectory across an enterprise of any size


7 IIFP – Identity Integration Feature Pack for Windows Server 2003
• Subset of MIIS functionality, available free of charge as a download
• Synchronisation with only the following stores: Active Directory, ADAM, Exchange 2000/2003 Server


8 MIIS: Identity Lifecycle Management
(Lifecycle diagram)
• New User: user ID creation, credential issuance, access rights
• Password Mgmt: strong passwords, “lost” password, password reset
• Account Changes: promotions, transfers, new privileges, attribute changes
• Retire User: delete/freeze accounts, delete/freeze entitlements


9 MIIS Capabilities & Benefits
Key capabilities:
• Identity Synchronization
• Provisioning & Deprovisioning
• NOS Password Management
• “Agentless” connection to heterogeneous systems (LDAP, SQL, LOB apps, identity data)
Key benefits:
• Easy to deploy
• Easy to translate business rules into MIIS
• Easy to build the solution over time
• Robust and scalable
• Low cost
• State based


10 Metadirectory Concept
• Represents all identity information from all connected data sources
• Through a mechanism of rules, allows even the most intricate relationships to be maintained between seemingly incompatible identity management systems
• The “heart” of the MIIS system


11 Scenario – Join/Leave
(Diagram: HR feeds MIIS; join/leave provisioning with RBAC into AD, Email and LDAP)
Example: University of West England
• 40,000 students
• 8,000 new students each year
• Provisioned into 4 systems (including AD, Exchange, NT, HR)
• Immediate savings of £50k/year


12 Scenario – Password
(Diagram: web applications and a portal provide self-service/helpdesk password management (user reset?, user change, helpdesk reset); join/leave provisioning and RBAC; PCNS feeds password changes into MIIS; MIIS holds ID data/passwords and synchronises to AD, Email and LDAP)
Example: Elsevier
• Passwords managed across AD, Lotus Notes, Sun ONE


13 Scenario – Portal
(Diagram: join/leave provisioning; a web application backed by ADAM and LDAP; RBAC; a portal with self-service/helpdesk; MIIS holds ID data/passwords and synchronises between AD, portals, email and HR)


14 Most Typical Implementations
• White Pages
• Directory Synchronization
• Identity Administration / Self Service


15 MIIS Terms
• Connected Data Source (CD): any source and/or destination containing identity data
• Management Agent (MA): facilitates the communication between CD, CS and MV
• Connector Space (CS): staging area (SQL) for inbound or outbound synchronized attributes
• Metaverse (MV): central (SQL) store of identity information
Matching CS entries to a single MV entry is called “join”


16 MIIS Concepts
• MV entries are linked to CS entries through: projection, provisioning a connector, joining
• CS entries represent objects in Connected Data Sources
• Synchronization is between MV and CS
• Staging is from CD to CS
• Export is from CS to CD
(Diagram, “Let’s zoom in on what MIIS does”: Connected Data Sources (SAP, User, SQL, Oracle, Notes) ↔ Connector Space (CS) ↔ Metaverse (MV))


17 MIIS Sequence Of Events
1. Oracle HR database staged and projected
2. Provision and export to SQL-based approval system
3. Manager approval app causes import and delta synchronization
4. Sun One and Notes connectors provisioned and exported
(Diagram: Connected Data Sources (SAP, User, Oracle, SQL, Notes) → Connector Space (CS) → Metaverse (MV))


18 Object Creation
1) HR MA imports the new user object into the HR connector space (Person object)
2) Project the new user into the Metaverse (MV Person object)
3) Provision step (Metaverse rules extension): create a new connector in the target CS
4) Set the anchor value
5) Set other initial values
6) Export attribute flow
7) Normal MA export run creates the object in the CD


19 Object Deletion
Note: Deprovision does not necessarily mean delete
1) HR MA imports the user object with status = “terminated” (HR connector space Person object)
2) Object deletion rule applies: the connector filter “status=terminated” is satisfied, the HR CS object becomes a disconnector, and the MV Person object is deleted
3) For each remaining connector, the MA rules extension’s Deprovision (custom extension) chooses one of: delete object, make explicit disconnector, make normal disconnector
4) Disconnector cleanup
5) MA export deletes the CD object (only where “delete object” was chosen)


20 Scenarios and Applications of MIIS


21 Identity Lifecycle Management with MIIS
• Password Management
• Identity Provisioning
• Synchronisation
• Audit
• Compliance Assurance
• Role Management (for Role-based Access Management)


22 Password Synchronization
(Diagram: a user resets the password with Ctrl-Alt-Del on the source system; the AD domain controller’s password filter PCNSFlt.DLL hands the password reset to PCNS, which sends the encrypted password to MIIS; the AD MA receives it and the Password Extension of each target MA writes it to the target systems.)


23 Password Management
• Initial password set versus password management
• Passwords are write-only
• Scope of password management
• Security groups
• Events and password history
• Developing custom applications
(Diagram: a Helpdesk Web App and a Self-serve Web App talk to MIIS over WMI; MIIS manages passwords in NT 4, AD, ADAM, Lotus Notes, Sun ONE and Novell eDirectory)


24 Password Management
1. User signs on to an application (application-based sign-on)
2. User changes the password using the password management web app
3. Password management app finds the matching accounts in MIIS
4. Passwords updated in the connected directories
(Diagram: Infrastructure Directory (AD), LOB 4 (ADAM), LOB 5 (3rd party LDAP), MIIS)
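As an added example (not code from the slides, the presenter or Microsoft), the following C# shows steps 3 and 4 above the way the helpdesk or self-service web app of slide 23 would do them through the MIIS 2003 WMI provider. The WMI namespace, the MIIS_CSObject class, its MaName, DN and MVGuid properties and its SetPassword method are written from the editor's recollection of the MIIS SDK and are assumptions to check there; the password policy and the "source" management agent name are also assumed.

```csharp
// Added example, not from the slides: "find matching accounts in MIIS, then update
// passwords" (slide 24, steps 3 and 4) through the MIIS 2003 WMI provider.
// Assumptions: WMI namespace root\MicrosoftIdentityIntegrationServer, class
// MIIS_CSObject with MaName, DN and MVGuid properties and a SetPassword method
// that returns the string "success" (all as recalled from the MIIS SDK).
using System;
using System.Collections.Generic;
using System.Management;

namespace Example.PasswordManagement
{
    public static class MiisPasswordSetter
    {
        private const string MiisScope = @"\\.\root\MicrosoftIdentityIntegrationServer"; // assumed

        // Minimal "strong password" gate (slide 8). The web app, not MIIS, is the place
        // to refuse a weak password: SetPassword is write-only and the targets apply
        // their own native policies only after the value has already been pushed.
        public static bool MeetsPolicy(string pwd)
        {
            if (pwd == null || pwd.Length < 12) return false;
            bool upper = false, lower = false, digit = false, other = false;
            foreach (char c in pwd)
            {
                if (char.IsUpper(c)) upper = true;
                else if (char.IsLower(c)) lower = true;
                else if (char.IsDigit(c)) digit = true;
                else other = true;
            }
            return upper && lower && digit && other;
        }

        // Sets newPassword on every connected account joined to the same metaverse
        // object as the account the user signed on with (sourceMaName/sourceDn).
        // Returns the names of the MAs on which the set succeeded.
        public static List<string> SetPasswordForUser(string sourceMaName, string sourceDn, string newPassword)
        {
            if (!MeetsPolicy(newPassword))
                throw new ArgumentException("password does not meet policy");

            var scope = new ManagementScope(MiisScope);
            scope.Connect();

            // Step 3: the CS object the user authenticated against -> its MV object.
            string mvGuid = null;
            string q1 = string.Format("SELECT * FROM MIIS_CSObject WHERE MaName = '{0}' AND DN = '{1}'",
                                      Wql(sourceMaName), Wql(sourceDn));
            using (var s = new ManagementObjectSearcher(scope, new ObjectQuery(q1)))
            {
                foreach (ManagementObject cs in s.Get())
                {
                    mvGuid = cs["MVGuid"] as string;
                    break;
                }
            }
            if (string.IsNullOrEmpty(mvGuid))
                throw new InvalidOperationException("account is not joined to a metaverse object; nothing to synchronise");

            // Every CS object joined to that MV object is a "matching account".
            var updated = new List<string>();
            string q2 = string.Format("SELECT * FROM MIIS_CSObject WHERE MVGuid = '{0}'", Wql(mvGuid));
            using (var s = new ManagementObjectSearcher(scope, new ObjectQuery(q2)))
            {
                foreach (ManagementObject cs in s.Get())
                {
                    string maName = cs["MaName"] as string;
                    // Step 4: passwords are write-only (slide 23); the old value is never read
                    // or returned. Never log newPassword; record only the per-MA outcome.
                    string result = cs.InvokeMethod("SetPassword", new object[] { newPassword }) as string;
                    if (string.Equals(result, "success", StringComparison.OrdinalIgnoreCase))
                        updated.Add(maName);
                    else
                        Console.Error.WriteLine("SetPassword on {0} for {1}: {2}", maName, cs["DN"], result);
                }
            }
            return updated;
        }

        // WQL string literals use backslash escaping for quotes and backslashes.
        private static string Wql(string s)
        {
            return s.Replace("\\", "\\\\").Replace("'", "\\'");
        }
    }
}
```

The identity the web app runs as must be allowed to set passwords by the MIIS security groups of slide 33 (as the editor recalls, the MIISPasswordSet group); run the app under a dedicated account in that group only, not as the MIIS service account. The caller is expected to have completed step 1 (authenticating the user) before this code runs, and the returned list lets the UI tell the user which systems did not take the new password.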


25 Provisioning
• Identity can be sourced from a number of directories through management agents (MAs): database, LDAP, file-based
• Whenever a Metaverse object is changed, Provision methods run; this is code in a Metaverse rules extension DLL
• If a need is not catered for by an existing management agent, you can customise it to suit the most unusual provisioning needs
• Deprovisioning is the set of operations that occur at the end of an identity life cycle (deletion, disabling)
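As an added example (not code from the slides, the presenter or Microsoft), the following C# shows what the provisioning and deprovisioning code referred to here and on slides 18 and 19 looks like when written as MIIS 2003 rules extensions against the Microsoft.MetadirectoryServices API. It is written from the editor's recollection of that API; the management agent names ("HR MA", "AD MA"), the target OU, the Metaverse attribute names (accountName, displayName, status) and the policy of disabling rather than deleting are assumptions, and the interface member signatures should be checked against the MIIS 2003 SDK before the DLL is built.

```csharp
// Added example, not from the slides: MIIS 2003 rules extensions for the
// object-creation (slide 18) and object-deletion (slide 19) sequences.
// Assumptions: MA names, OU, attribute names, and the API shape as recalled
// from the MIIS 2003 SDK (Microsoft.MetadirectoryServices).
using System;
using Microsoft.MetadirectoryServices;

namespace Example.MiisRules
{
    // Metaverse rules extension. Provision runs every time an MV object changes
    // (slide 25), so it must be idempotent and reason from current state only.
    public class MVExtension : IMVSynchronization
    {
        private const string HrMaName = "HR MA";                       // assumed
        private const string AdMaName = "AD MA";                       // assumed
        private const string UsersOu  = "OU=Users,DC=contoso,DC=com";  // assumed
        private const long UF_ACCOUNTDISABLE = 0x0002;                 // userAccountControl bits
        private const long UF_NORMAL_ACCOUNT = 0x0200;

        public void Initialize() { }
        public void Terminate() { }

        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != "person") return;

            ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];
            bool active = mventry["status"].IsPresent && mventry["status"].Value == "active";

            if (adMa.Connectors.Count == 0)
            {
                // Steps 3-5 of slide 18: create the connector, set the anchor/DN, then the
                // initial values that export attribute flow does not carry.
                if (!active || !mventry["accountName"].IsPresent) return;

                CSEntry csentry = adMa.Connectors.StartNewConnector("user");
                csentry.DN = adMa.EscapeDNComponent("CN=" + mventry["displayName"].Value)
                                 .Concat(UsersOu);
                csentry["sAMAccountName"].Value = mventry["accountName"].Value;
                // Create the account disabled; it is enabled once a password has been set.
                csentry["userAccountControl"].IntegerValue = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE;
                csentry.CommitNewConnector();
            }
            else if (!active)
            {
                // "Freeze" (slide 8): HR still holds the person but not as active
                // (e.g. on leave), so disable the AD account without deleting anything.
                CSEntry csentry = adMa.Connectors.ByIndex[0];
                csentry["userAccountControl"].IntegerValue |= UF_ACCOUNTDISABLE;
            }
        }

        // Code equivalent of the declarative MV object deletion rule of slide 19:
        // the MV object goes away when its HR connector is disconnected.
        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            return csentry.MA.Name == HrMaName;
        }
    }

    // MA rules extension for the AD MA. Deprovision runs for each AD connector whose
    // MV object has just been deleted (slide 19, step 3) and decides its fate.
    public class AdMaExtension : IMASynchronization
    {
        private const long UF_ACCOUNTDISABLE = 0x0002;

        public void Initialize() { }
        public void Terminate() { }

        public DeprovisionAction Deprovision(CSEntry csentry)
        {
            if (csentry.ObjectType == "user")
            {
                // Deprovision does not necessarily mean delete: disable the account and keep
                // it as an explicit disconnector, so a later re-hire with the same name is
                // not silently re-joined to the old account and its old entitlements.
                csentry["userAccountControl"].IntegerValue |= UF_ACCOUNTDISABLE;
                return DeprovisionAction.ExplicitDisconnect;
            }
            // Other object types are removed by the next export run (slide 19, step 5).
            return DeprovisionAction.Delete;
        }

        // The members below are configured declaratively in this example; the engine
        // only calls them if the MA configuration points them at a rules extension.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

The two classes are compiled into DLLs placed in the MIIS Extensions folder and named in the Metaverse designer and in the AD MA's rules extension settings respectively. The deliberate choices are that Provision creates accounts disabled, so an export run can never produce a live account with no password, and that Deprovision disables and disconnects instead of deleting, which keeps the SID and audit trail for the forensic and compliance uses of slides 27 and 28; whether a disabled account may also have its attribute changes exported from within Deprovision is part of the API behaviour assumed above and should be confirmed in the SDK.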


26 Synchronisation: MIIS Out-of-the-Box Connectivity
• NT 4
• Exchange 5.5
• Lotus Notes
• SQL Server
• Oracle
• IBM RACF
• IBM DB2
• Novell eDirectory
• Partner (Extensible) Management Agents (NEW!)
• Other systems to follow
• Active Directory / Exchange
• Active Directory Application Mode (ADAM)
• SunOne Directory (iPlanet)
• IBM Tivoli Directory Server (SecureWay)
• DSML 2.0
• LDAP Directory Interchange Format (LDIF)
• Delimited Text
• Fixed-Width Text
• Attribute-Value Pair Text


27 Audit and Compliance
Regulatory requirements: SarbOx, Data Protection Directive/Act, Freedom of Information Acts, HIPAA…
Arguably, we have to monitor the directories, not MIIS claims. As this is very difficult today, here is an interim suggestion:
1. Centralise all tracked identity information on an MIIS metadirectory
2. Audit MIIS events
3. Code bespoke rules
4. Obtain existing compliance checking code (e.g. OCG)
5. Use Microsoft Audit Collection Service (ACS) for ensuring the integrity of the audit – ACS plans to ship with the next version of Microsoft Operations Manager


28 Additional Security Benefit
• Through analysis of the MIIS audit (for example, using Microsoft Operations Manager) you can detect unusual and unexpected operations
• This can become a basis for building an element of your automated Intrusion Detection System (IDS)
• Please refer to the “Holistic Security” seminar, Part 2, available on www.microsoft.com/itsshowtime for more information on IDS and Active Security


29 Audit Collection Services Architectural Overview
(Diagram: monitored clients and monitored servers forward security logs, WMI and application logs to a Collector, which stores them in SQL; a Management System provides real-time intrusion detection and forensic analysis. Events still on the monitored hosts are subject to tampering; events in the collector’s SQL store are under the control of auditors.)


30 A Few Tips on MIIS (Refer to course 2731 on MIIS for more)


31 Guidelines for Securing the MIIS 2003 Environment
• Use strong passwords
• Ensure that only trusted people have access
• Institute checks and balances
• Encrypt sensitive data; use secure network connections
• Provide appropriate training
• Use Windows authentication on SQL Servers
• Implement RAID and UPS on SQL Servers
• If using a remote SQL Server, change the TCP/IP port (this only reduces exposure to casual scanning; it is not a substitute for an encrypted, firewalled connection)
• Install MIIS 2003 and SQL Server behind a firewall
• Keep software patches up to date


32 Encryption Keys
Password information is encrypted:
• Connection passwords
• Passwords waiting to be synchronized
• Newly created passwords (not yet provisioned)
Key sets should be backed up to a safe place
miiskmu allows backup/restore of keys, re-encryption with a new key, and key abandonment
If a new key is created, old keys are scrubbed


33 Security Groups and Access Control Lists
• Limit access to specific users and groups
• Monitor group membership and access control lists
If a security breach occurs:
1. Back up the MIIS database and the encryption keys
2. Change the MIIS service account credentials
3. Delete the existing MIIS security groups
4. Run MIIS setup and use the new security credentials
5. Obtain and deploy new connection credentials for the connected data sources; de-activate the old credentials


34 Maintain a Warm Standby Server
(Diagram: an active MIIS server and a warm standby, both using the domain service account and groups authenticated by the domain controller, share a clustered SQL Server; when the active server fails (X), MIISActivate.exe is run on the standby to make it the active server.)


35 Backup and Restore
• SQL Server backup includes data, configuration and extensions
• Encryption keys and the MAData folder must be backed up separately
• There are two approaches to restoring on a clean machine: restore then install, or install then restore
• When restoring onto an existing installation, run miisactivate to restore the extensions reliably


36 Summary


37 MIIS Success & References
• 250+ large customers since the launch (which was in Aug 2003)
• 28 different countries (NA, EMEA, APAC, LATAM)
• 25 different verticals (Gov’t, Finance, Education, .com)
• 20,000+ downloads of the feature pack
• 10,000+ downloads of the evaluation version
• User group of more than 1,500 users


38 Summary
• At the heart of Identity Lifecycle Management lies a strong metadirectory server: MIIS
• Main functions deal with provisioning, password management, and identity synchronisation
• Additional benefits include the ability to audit and ensure regulatory compliance
www.microsoft.com/idm & www.microsoft.com/itsshowtime & www.microsoft.com/technet


39 Special Thanks
This seminar was prepared with the help of:
• Oxford Computer Group Ltd – expertise in Identity and Access Management (Microsoft Partner); IT Service Delivery and Training; www.oxfordcomputergroup.com
• Microsoft, with special thanks to: Daniel Meyer – thanks for many slides; Steven Adler, Ronny Bjones, Olga Londer – planning and reviewing; Philippe Lemmens, Detlef Eckert – sponsorship; Bas Paumen & NGN – feedback