Strong Authentication with Identity Lifecycle Manager John Weigelt

Strong Authentication with Identity Lifecycle Manager
John Weigelt, National Technology Officer, Microsoft Canada
Hugh Lindley, VP, Identity Assurance, Avaleris Inc.

Identity at the Center

IDA Challenges
- Compliance: provisioning in accordance with company policies; establishing auditable processes for granting access rights
- Security: ensuring that only authorized users get network access; protecting confidential information from improper distribution
- Business Enablement: freeing up IT resources to focus on high business-value work; creating new ways to connect with customers & partners
- Operational Efficiency: automating, reducing and simplifying manual processes; reducing the complexity of managing many identity stores

Microsoft’s IDA Offerings (layered diagram)
- User and Developer Experiences: Microsoft Office, Windows, .Net & Visual Studio, Web Sites
- IDA Management: Identity Lifecycle Manager, Certificate Services, Rights Management Services, Active Directory Federation Services, 20+ Connectors
- Platform Components: Active Directory Domain & Directory Services, Workflow Foundation, Windows Services, WS-* Extensibility

Focused on 5 Solution Areas (the same diagram with Microsoft’s solution focus areas overlaid)
- Directory Services
- Information Protection
- Strong Authentication
- Federated Identity/SSO
- Identity Lifecycle Mgmt

Identity Lifecycle Manager: roadmap
- Previously: MIIS (metadirectory) and CLM (certificate management)
- Today: Microsoft Identity Lifecycle Manager 2007 - metadirectory, certificate management, user provisioning
- 2H 2008 (beta): ILM "2" - policy management, credential management, user management and access management on a common platform (connectors, delegation, workflow, web service API, logging)
- Themes: empowers people; IT control with less effort; increases operational efficiency

Microsoft ILM 2007
Brings together metadirectory, certificate & smart card lifecycle management, and user provisioning across Windows and enterprise systems into a single packaged offering.
- Identity Synchronization: provides a single view of a user across enterprise systems; automatically keeps identity information across systems consistent
- Certificate and Smart Card Management: reduces the cost of managing certificate-based credentials; automates workflow-driven certificate issuance and revocation; vastly simplifies deployment of smart cards
- User Provisioning: automates the process of on-boarding and off-boarding users; simplifies compliance through automated IDA enforcement; enforces consistent credentials across systems

Hugh Lindley, CISSP
VP, Identity Assurance, Avaleris Inc.
hugh.lindley@avaleris.com
(613) 237-9695 ext 235

About Avaleris
- Company Profile
  - Microsoft Identity & Access (IDA) Systems Integration Partner
  - Global provider of Identity Assurance professional services & solutions
  - Incorporated by founders of Alacris, the original developer of idNexus, the predecessor to Microsoft Certificate Lifecycle Manager (CLM); acquired by Microsoft in late 2005 and now integrated with Microsoft ILM 2007
  - Successfully deployed in over 25 global clients in North America & Europe
- Value Avaleris Provides
  - Heritage of client success & proven solution approach in Identity Assurance
  - Understanding of the management & implementation challenges
  - Depth of technical expertise in Microsoft IDA products

Agenda
- The business case for Multi-Factor Authentication
- Typical ILM 2007 deployment scenarios
- Smart card deployment scenario walkthrough
- ILM 2007 demonstration
- Share best practices & lessons learned
- Identify additional resources

Business Drivers
- Regulatory Compliance
  - Canada: GSP and MITS; Federal Accountability Act; PIPEDA, FIPA, MFIPPA; Bill 198 - ICOFR
  - International: HSPD-12 / FIPS 201; Sarbanes-Oxley; HIPAA; Gramm-Leach-Bliley; Basel II; EU Data Protection Directive; EU Qualified Certificates & Signatures; FFIEC
- Increased IT Security & Operational Efficiencies
  - Security and risk management
  - Privacy and information protection
  - Auditability and accountability
  - Effective deployment and lifecycle management of MFA
  - Simplifying user authentication
  - Increased efficiency of helpdesk staff

Implementation Challenges
- Lifecycle management of smart cards and certificates
- Smart card personalization and customization
- Dealing with lost, stolen or forgotten smart cards
- Deployment of smart card middleware
- Multi-channel authentication
- Alignment of management and security practices
- High number of distributed sites and locations
- Leveraging existing IT infrastructure
- Integration with other IDA solution components
- Minimizing help-desk workload

ILM 2007 Functionality: Smart Card / Certificate Lifecycle Management
- Single administration point for digital certificates and smart cards
- Configurable policy-based workflows for common tasks: enroll / renew / update; recover / card replacement; revoke; retire / disable smart card; issue temporary / duplicate smart card; personalize smart card
- Detailed auditing and reporting
- Support for centralized, decentralized and self-service scenarios
- Tightly integrated with Active Directory

Smart Cards in the Public Sector
- U.S. Federal Government: HSPD-12 / FIPS 201, issued fall of 2004
  - Goal: establish a common identification standard for all federal government employees and contractors
  - Personal Identity Verification (PIV) I (Oct 2005): identity validation & credential issuance process
  - Personal Identity Verification (PIV) II (Oct 2006): ability to issue FIPS 201 compliant smart cards
  - Most departments / agencies have met initial FIPS 201 milestones and are working towards production implementations
- Growing interest in broader public & private sectors

Deployment Scenarios
- Smart card authentication
- Secure email (S/MIME)
- Secure remote access (VPN)
- Wireless LAN authentication
- File and hard drive encryption
- Secure web applications
- Distributed certificate enrollment
- Document signing

Smart Card Deployment: Requirement
- Two-factor authentication
- Smart card based network login
- Verification of Employee ID before card issuance
- Address smart card management issues
- 100’s - 10,000’s of users

Smart Card Deployment: Considerations
1. Registration and issuance process
2. Choice of smart card platform
3. Lifecycle management of the smart cards
4. Middleware deployment (if not Base CSP)

ILM 2007 Architecture: physical and component view
- Microsoft Certificate Authority (one or more Microsoft CAs) with the CLM Policy Module and CLM Exit Module
- Microsoft Certificate Lifecycle Manager server: CLM Web App on Internet Information Server, CLM AD Integration
- Back-end dependencies: Active Directory, SQL, E-mail
- End user: Internet Explorer with the CLM Browser Control and smart card middleware

ILM 2007 Architecture: Profile Templates
A profile template bundles certificate template(s) with the management policies for each task that might be performed (enrollment workflow, recovery workflow, etc., each with its self-service and data-collection settings) and, if needed, smart card information.
- Profile templates include one or more certificates managed as a single entity
- Can include templates issued from more than one CA
- Include policies for each task that might be performed
- Additional profile data included for smart card management
- Contain the information needed to enforce policy across multiple certificates, users, and groups
- Policy updates are managed on a per-user basis by Active Directory (AD) groups
- Stored in AD and available across the forest

Smart Card Deployment: management policies in a profile template
- Enroll
- Duplicate
- Online Update
- Replace Policy
- Recover on Behalf
- Renew Policy
- Reinstate Policy
- Disable Policy
- Retire Policy
- Temporary Cards
- Unblock

Enroll Policy: some questions to answer
- What level of assurance are you trying to achieve?
- Are you giving the end-user the ability to self-service?
- Are you using enrollment agents?
- Are you collecting comments?
- How many approvals do you require?
- Who can initiate the request?
- Who can approve the request?
- What types of data will you be collecting?
- Are you using one-time secrets for registration?
- Are you printing smart cards or documentation during enrollment?
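The ILM 2007 functionality, profile-template and management-policy slides above, and the Enroll Policy questions just listed, describe a policy-driven enrollment workflow only as a set of knobs: who may initiate, who may approve, how many approvals, whether a one-time registration secret is used, what data is collected. The Python below is an added illustration written for this page; it is not ILM 2007 or CLM code and does not use their API. It models one profile template (certificates on a card managed as a unit plus its enroll policy) and walks a card request through initiation, approval, one-time-secret verification and issuance. Every class, field, group and user name is an assumption, as is the separation-of-duties rule that neither the card holder nor the initiator may approve the request, which the slides do not state.

```python
# Policy-driven smart card enrollment as a small state machine. Constructed example for this
# page, not ILM 2007 / CLM code or its API; every class, field, group and user name is assumed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

class PolicyViolation(Exception): pass

@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset              # AD group memberships

@dataclass(frozen=True)
class ProfileTemplate:
    name: str
    certificate_templates: tuple   # certificates managed as one unit on the card
    initiator_groups: frozenset    # enrollment agents who may open a request for someone
    approver_groups: frozenset     # who may approve it
    required_approvals: int        # distinct approvers needed
    allow_self_service: bool       # may the card holder open their own request?
    require_one_time_secret: bool  # registration secret checked before issuance
    collected_fields: tuple        # registration data the request must carry

class EnrollRequest:
    def __init__(self, profile, target, initiator, data):
        is_agent = bool(profile.initiator_groups & initiator.groups)
        is_self = initiator == target and profile.allow_self_service
        if not (is_agent or is_self) or not all(data.get(f) for f in profile.collected_fields):
            raise PolicyViolation(f"{initiator.name}: wrong initiator or incomplete registration data")
        self.profile, self.target, self.initiator = profile, target, initiator
        self.approvals, self.secret_verified, self._digest = set(), False, b""
        self.state = "APPROVED" if profile.required_approvals == 0 else "PENDING_APPROVAL"

    def approve(self, approver):
        if (self.state != "PENDING_APPROVAL" or not (self.profile.approver_groups & approver.groups)
                or approver in (self.target, self.initiator)):   # no self-approval
            raise PolicyViolation(f"{approver.name} may not approve this request now")
        self.approvals.add(approver.name)   # a set: the same officer counts once
        if len(self.approvals) >= self.profile.required_approvals:
            self.state = "APPROVED"
        return len(self.approvals)

    def issue_one_time_secret(self):
        if self.state != "APPROVED" or not self.profile.require_one_time_secret:
            raise PolicyViolation("no one-time secret is due in this state")
        secret = secrets.token_hex(4)
        self._digest = hashlib.sha256(secret.encode()).digest()   # only the hash is kept
        return secret   # handed to the user out of band

    def verify_one_time_secret(self, presented):
        if self.state != "APPROVED" or not self._digest:
            return False
        if not hmac.compare_digest(hashlib.sha256(presented.encode()).digest(), self._digest):
            return False
        self._digest = b""   # single use: a replay fails
        self.secret_verified = True
        return True

    def issue_card(self, serial):
        if self.state != "APPROVED":
            raise PolicyViolation(f"cannot issue in state {self.state}")
        if self.profile.require_one_time_secret and not self.secret_verified:
            raise PolicyViolation("one-time secret not verified")
        self.state = "ISSUED"
        return {"serial": serial, "holder": self.target.name, "approved_by": sorted(self.approvals),
                "certificates": list(self.profile.certificate_templates)}

# Constructed sample data: one profile template and four principals.
PROFILE = ProfileTemplate("Employee Smart Card", ("Smartcard Logon", "S/MIME Signing"),
                          frozenset({"Enrollment Agents"}), frozenset({"Security Officers"}),
                          2, False, True, ("employee_id",))
ALICE = Principal("alice", frozenset({"Domain Users"}))
AGENT = Principal("helpdesk1", frozenset({"Enrollment Agents"}))
OFFICER1, OFFICER2 = (Principal(n, frozenset({"Security Officers"})) for n in ("so1", "so2"))

def blocked(fn):
    try:
        fn()
        return False
    except PolicyViolation:
        return True

def run_demo():
    data = {"employee_id": "E-1001"}
    r = {"self_service_blocked": blocked(lambda: EnrollRequest(PROFILE, ALICE, ALICE, data))}
    req = EnrollRequest(PROFILE, ALICE, AGENT, data)
    r["self_approval_blocked"] = blocked(lambda: req.approve(ALICE))
    req.approve(OFFICER1)
    r["approvals_after_repeat"] = req.approve(OFFICER1)
    req.approve(OFFICER2)
    r["issue_before_secret_blocked"] = blocked(lambda: req.issue_card("SC-0001"))
    secret = req.issue_one_time_secret()
    r["wrong_secret"] = req.verify_one_time_secret("not-the-secret")
    r["right_secret"] = req.verify_one_time_secret(secret)
    r["replayed_secret"] = req.verify_one_time_secret(secret)
    r["card"] = req.issue_card("SC-0001")
    return r
```

`run_demo()` exercises the refusals a practitioner would want a policy engine to enforce: with self-service off the card holder cannot open her own request, an enrollment agent can, the subject cannot approve, a repeated approval by the same officer counts once, issuance is refused until the registration secret is verified, and that secret is held only as a hash, compared in constant time, and accepted exactly once.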

Enroll Policy


Smart Card Enrollment Policy and Smart Card Issuance

Benefits of ILM 2007 Approach
- Two-factor authentication
- Reduced cost and complexity
- Flexible policy-driven workflow model
- Integrated identity lifecycle management (certs, SC, etc.)
- Supports a range of smart card platforms
- Less custom development effort required
- Leverages existing infrastructure

Lessons Learned
- Business
  - Proceed in a phased approach to realize success early
  - Understand the smart card lifecycle management challenge
  - Align the issuance process with management and security policy
  - Map out the optimal deployment scenario
  - Use risk assessments to identify high-sensitivity systems
  - Determine your required level of assurance
- Technical
  - Map the access control workflow and optimize where possible: centralized, decentralized, self-service
  - Select a smart card & middleware strategy
  - Deal with temporary card issuance
  - Leverage existing infrastructure where practical

ILM 2007 Resources
- Microsoft ILM 2007 Website - www.microsoft.com/ilm: datasheets, whitepapers, Flash demo
- Avaleris Website - www.avaleris.com: Identity Assurance solutions, ILM 2007 service offerings, whitepapers & technical information
- Avaleris ILM 2007 Lunch & Learn Series: a closer look at ILM 2007 within the context of your specific requirements; map out next steps towards an ILM 2007 proof of concept / pilot; contact an Avaleris representative for the schedule of upcoming sessions

Avaleris Contacts
- Hugh Lindley, CISSP, VP, Identity Assurance: hugh.lindley@avaleris.com, (613) 237-9795 ext 235
- Anita Burwash, VP, Sales: anita.burwash@avaleris.com, (613) 237-9695 ext 221