Part 1: Preventing the Big Lebowski
Justin Stanton, Stuart Ami, Interlink Group, LLC
Part 2: Windows Focused Identity Administration
Ron Clarkson, NetIQ Corporation
2. Agenda
- Introduction
- Business Drivers
- EIM Components
- Is EIM Right For You?
- Implementation Strategies
- Snapshot of a Solution
- Administration Overview
- NetIQ Identity Administration Capabilities
- Extending Beyond Windows with MIIS
- Summary
- Demo
3. Preventing the Big Lebowski
Justin Stanton, Stuart Ami, Interlink Group, LLC
4. Topics
- Overview
- Business Drivers
- EIM Components
- Is EIM Right For You?
- Implementation Strategies
- Snapshot of a Solution
5. What is Identity Management?
- The strategy of employing processes and technologies to manage information about the identity of users and control access to company resources
6. Identity Chaos
- Absence of Federated Directories
Federation, n.: the technology and business processes necessary for interconnecting users, applications, and systems.
(Diagram of disconnected identity stores omitted)
7. Identity Chaos (continued)
- Proprietary Identity Stores
- Proprietary Administration
- Proprietary User Provisioning
- Proprietary User Access Control
8. Identity Lifecycle
- Account Creation (Provisioning)
- Account Maintenance
- Account Revocation (De-provisioning)
9. Account Creation
- Rising support costs
- Increased complexity
- External vs. internal
10. Account Maintenance
- Rising costs to support
- 45% of total help desk calls are password resets [1]
- 11% of all employees will experience an access right issue every month [2]
- Often the result of configuration errors made during account creation
[1][2] META Group research conducted on companies with over $500 million in annual revenue
11. Account Revocation
- Costs and risks on the rise
- Unclear scope of access
- Inability to react can lead to increased
vulnerability
12. Identity Lifecycle Business Risks (yep, there's more!)
- Lower productivity
- Avg. time to complete a user provisioning request is 6 to 29 hours! [1]
- Duplicate and conflicting user information
- On average, internal user information is stored in 22 different identity stores and external user data is stored in 6 different identity data stores [2]
- Lack of information security
- Difficulty in meeting regulatory compliance
[1][2] META Group research conducted on companies with over $500 million in annual revenue
13. Identity Management Components
14. (No Transcript; diagram slide)
15. Directory Services
- Foundation of an Identity Management solution
- Stores digital identity information, policies, and user credentials
- Interacts directly with all other EIM components
- LDAP: emerging directory standard
- Does not necessarily store ALL identity attributes
16. Meta-directory Services
- Provides a unified view of a user's digital identity
- Integration and synchronization of digital identity data
- Facilitates bi-directional flow of information between directory and identity store(s)
- Processes unidirectional flow of data coming from authoritative sources and transfers data to the EIM system
17. Federation
- Interface between directory services and application authentication/authorization
- Trust relationships provide a way to authenticate digital identities among autonomous organizations
- Forest trusts, shadow accounts, and PKI trusts
18. Authentication
- Proving a user is who they claim to be
- Single Factor Authentication
- Multi-Factor Authentication
- Identifying Credentials
- Smartcards
- Biometrics
- Proximity
19. Authorization
- Determines access permissions to services, resources, and applications
- Role-Based Access
- Can be based on a company's organizational model
20. Administration
- Centralized Administration
- Delegated Administration
21. Provisioning
- Lifecycle of a digital identity
- Role-based access can ease administration
- Don't forget de-provisioning and re-provisioning!
22. Password Management
- Synchronize passwords across multiple systems
- User self-service functionality
- Reduces burden on help desk
23. Self-Service
- Empowers users to manage aspects of their own digital identity
- Reduces risk associated with password sharing
- Reduces administrative costs and burden on help desk
24. Single Sign-On (SSO)
- Single point of authentication
- Automates access to authorized services, applications, and resources
- Eliminates the security headaches and vulnerabilities associated with multiple IDs/passwords
- Best if used with Multi-Factor Authentication
25. Is Identity Management Right For You?
26. Any of these sound familiar?
- Users have more than six username and password combinations?
- Turnaround time to provision an account for new employees is > 1 day?
- Turnaround time to revoke a terminated user's account and permissions is > 1 day?
- Access to critical resources cannot be restricted?
- Access to critical resources cannot be audited or monitored?
- CFO needs Sarbanes-Oxley compliance measures?
- HIPAA compliance becoming a real concern?
27. Interested in ROI?
- Potential savings of $4,395,081.60 per year [1]
- Gartner estimates that a 300% ROI over three years can be earned for a company with 10,000 employees implementing a provisioning solution for 12 applications [2]
[1] META Group research conducted on 420 companies with over $500 million in annual revenue
[2] Gartner Group research on companies over 10,000 employees
Your actual mileage may vary
28. Implementation Strategies
- Executive-level buy-in and commitment is essential
- Clearly define business objectives
- Take a comprehensive approach to design
  - Top Down
  - Bottom Up
- Prioritize tasks by
  - Aggregation
  - Consolidation
  - Integration
- Involve ALL stakeholders!
29. Lessons Learned (Continued)
- Balance wish with risk
- Identify requirements before vendor selection phase
- Have vendors provide a proof of concept in YOUR environment
- Take a phased approach to implementation
- Implement most business-critical applications last
30. EIM Solution Snapshot: Single Sign-on / Authentication
Security Token (e.g. Kerberos Ticket)
Smart card using Microsoft Certificate Services
31. EIM Solution Snapshot: Re-provisioning / Authorization
- Add his last name, Lebowski
- Promoted from janitor to cashier
  - Remove user from Janitor Group
  - Add user to Cashier Group
Diagram flow: "Add SN Lebowski" -> Policy -> "Update last name Lebowski"; Policy -> "Update attributes to reflect new position: Cashier"
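The re-provisioning flow on this slide, written out as an added example that is not part of the original deck: a small Python policy engine takes an authoritative HR change, updates the directory attribute, swaps group membership according to a role-to-group table, and records every action in an audit trail. It also handles the de-provisioning case the earlier slides warn about. The role-to-group mapping, the account fields and the sample records are constructed for the example.

```python
"""Added example (not from the slides): a minimal policy-driven
re-provisioning engine in the spirit of the 'Lebowski' snapshot.
Attribute changes from an authoritative source (here: constructed HR
records) become directory updates and group-membership changes, and
every action is written to an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> group policy. Constructed for the example; role and group names are assumptions.
ROLE_GROUPS = {
    "Janitor": {"Janitor Group"},
    "Cashier": {"Cashier Group"},
}


@dataclass
class Account:
    uid: str
    sn: str
    title: str
    groups: set = field(default_factory=set)
    enabled: bool = True


@dataclass
class AuditRecord:
    actor: str      # who
    action: str     # did what
    target: str     # to whom
    detail: str
    when: str       # and when


def apply_hr_change(account, hr_record, actor="provisioning-policy", audit=None):
    """Apply one authoritative HR record to an account and return the actions taken.

    Flow is unidirectional: HR is authoritative for sn and title, so the
    directory side never writes those values back."""
    if audit is None:
        audit = []
    actions = []

    def log(action, detail):
        audit.append(AuditRecord(actor, action, account.uid, detail,
                                 datetime.now(timezone.utc).isoformat()))
        actions.append(action)

    if hr_record.get("status") == "terminated":
        # De-provisioning: disable and strip every group, not just the role-derived ones.
        if account.enabled:
            account.enabled = False
            log("disable", "account disabled on termination")
        for g in sorted(account.groups):
            account.groups.discard(g)
            log("group-remove", g)
        return actions

    if "sn" in hr_record and hr_record["sn"] != account.sn:
        old = account.sn
        account.sn = hr_record["sn"]
        log("update-sn", f"{old!r} -> {account.sn!r}")

    if "title" in hr_record and hr_record["title"] != account.title:
        old_groups = ROLE_GROUPS.get(account.title, set())
        new_groups = ROLE_GROUPS.get(hr_record["title"], set())
        # Remove before add so the user never holds both roles' rights at once.
        for g in sorted(old_groups - new_groups):
            if g in account.groups:
                account.groups.discard(g)
                log("group-remove", g)
        for g in sorted(new_groups - old_groups):
            if g not in account.groups:
                account.groups.add(g)
                log("group-add", g)
        old = account.title
        account.title = hr_record["title"]
        log("update-title", f"{old!r} -> {account.title!r}")
    return actions


def lebowski_demo():
    """Walk the slide's scenario: add the last name, promote janitor -> cashier, then terminate."""
    audit = []
    acct = Account(uid="jlebowski", sn="", title="Janitor", groups={"Janitor Group", "All Staff"})
    apply_hr_change(acct, {"sn": "Lebowski", "title": "Cashier"}, audit=audit)
    promoted = (acct.sn, acct.title, sorted(acct.groups))
    apply_hr_change(acct, {"status": "terminated"}, audit=audit)
    return promoted, acct.enabled, sorted(acct.groups), [(r.action, r.detail) for r in audit]
```

A second run with the same HR record produces no actions, which is what makes the policy safe to re-run on every synchronization pass; de-provisioning removes all groups rather than only the role's, because leftover ad hoc memberships are exactly the "unclear scope of access" problem from the Account Revocation slide.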
32. The Total Solution
- Microsoft provides the x-platform infrastructure: MIIS
- Interlink provides the integration and professional services
- What about an administrative interface? Allow me to introduce NetIQ!
33. Windows Focused Identity Administration
By Ron Clarkson
34. Topics
- Administration Overview
- NetIQ Identity Administration Capabilities
- Extending Beyond Windows with MIIS
- Summary
- Demo
35. (No Transcript)
36. What Is Identity Administration?
- Identity Administration ensures that authoritative data stores ARE!
- Hard to achieve IdM ROI without proper identity administration
- For Windows focused organizations, AD administration is the most critical piece of identity administration
37. What Are The Challenges?
38. Why Is It Important?
39. How Do We Do It? Task Appropriate Directory Access
Layered security architecture (diagram):
- Native access for auditing and management of the Active Directory security model and similar tasks that require a high level of privilege.
- Protected access for tasks that require low levels of privilege, and high levels of auditing, automation and extensibility.
- Offline access for sensitive tasks that can impact the entire enterprise environment if performed online.
Administrator roles shown on the diagram: AD Architect / Security Admin; Desktop Management / Group Policy Admin; Departmental Admin / Help Desk Admin.
40. NetIQ Identity Administration Capabilities
41. Challenge: Keep Content Accurate
- Goals
  - Make sure account management activities comply with appropriate policies
- Challenges
  - Content control (data validation policies, etc.)
  - Content consistency
  - Contextual control (not only what, but when)
42. Challenge: Secure Delegation
- Goals
  - Delegate out day-to-day administration tasks without giving away the keys to the kingdom
- Challenges
  - Defining roles and responsibilities
  - Delivering appropriate capabilities
  - Providing easy admin interfaces to delegates
  - Avoiding power escalation (identity theft, etc.)
  - Delegating certain aspects/tasks is difficult
  - Undelegation is even more challenging
43. Challenge: Centralize Auditing
- Goals
  - Capture all account management activities (Who did what to whom or what, and when?)
- Challenges
  - Enforcement of audits
  - Capturing and centralizing activities in a multi-master environment
  - AD security audit log conciseness and interpretation
  - Completeness of audit
44. Challenge: Automation of Repetitive Tasks
- Goals
  - Enable provisioning and deprovisioning through automation
- Challenges
  - Automation of tasks isn't possible natively
    - Home directory
    - Home shares
    - Mailbox creation
    - Group membership adds/deletes
    - Distribution list adds/deletes
  - Difficult to delegate some of these rights natively without giving away the keys to the kingdom
45. Directory Resource Administrator
- The What
  - Enforce Policies
  - Secure Delegation
  - Centralized Auditing
  - Automate Tasks
- The Why
  - Keep AD content accurate
  - Offload tasks to help desk
  - Know who accessed what, when
  - Reduce repetitive work
46. Challenge: End User Self Service
- Goal
  - Task end users to manage own information where possible
- Challenges
  - No native web interface to expose AD attributes about personal information
  - No interface to unlock accounts, reset passwords
  - Ability to log in to reset password when unable to access own account
47. Secure Password Administrator Module
- The What
  - Password Resets and Unlocks
  - Password Synchronization
  - Self Service for NT and Windows
- The Why
  - Reduces calls to help desk
  - Keeps accounts in sync
  - Prevent account hijacking
48. Challenge: Role Based Security
- Goals
  - Simple, sustainable permissions setup and management within Active Directory
- Challenges
  - Defining appropriate permissions templates for various job functions or roles
  - Applying permissions to Active Directory in a repeatable way
  - Updating roles over time
  - Documentation of role definitions and applications
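The Secure Delegation and Role Based Security challenges above, illustrated by an added Python example that is not NetIQ's code and does not model its product. Rights are computed from role assignments at check time rather than stamped into ACLs, so undelegation is a single removal with nothing left behind; a protected-group rule keeps a delegate from modifying privileged groups (the "keys to the kingdom"); and every decision is audited as who did what to whom and when. The role templates, OU names and group names are constructed.

```python
"""Added example (not NetIQ code): role-based delegation of directory
administration tasks. Permissions are derived from role assignments on
every check, so revoking an assignment revokes everything it granted."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role templates: the operations each job function may perform. Constructed.
ROLE_TEMPLATES = {
    "HelpDesk": {"reset-password", "unlock-account"},
    "DeptAdmin": {"reset-password", "unlock-account", "create-user", "modify-group-membership"},
}
# Groups never modified through delegation; these need native admin access (slide 39's top layer).
PROTECTED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators"}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str   # OU distinguished name; the role covers this OU and everything beneath it


class DelegationModel:
    def __init__(self):
        self.assignments = set()
        self.audit = []   # who did what to whom, and when

    def _log(self, actor, action, target, detail):
        self.audit.append({"who": actor, "what": action, "whom": target, "detail": detail,
                           "when": datetime.now(timezone.utc).isoformat()})

    @staticmethod
    def _in_scope(target_dn, scope):
        # Subtree test on DNs: equal, or target ends with ",<scope>" (the comma
        # prevents OU=NotStaff from matching a scope of OU=Staff).
        t, s = target_dn.lower(), scope.lower()
        return t == s or t.endswith("," + s)

    def delegate(self, by, principal, role, scope):
        if role not in ROLE_TEMPLATES:
            raise ValueError(f"unknown role {role!r}")
        self.assignments.add(Assignment(principal, role, scope))
        self._log(by, "delegate", principal, f"{role} over {scope}")

    def undelegate(self, by, principal, role=None):
        """Remove the principal's assignments (optionally just one role).
        Rights are derived from assignments, so nothing else needs cleanup."""
        doomed = {a for a in self.assignments
                  if a.principal == principal and role in (None, a.role)}
        self.assignments -= doomed
        self._log(by, "undelegate", principal, f"{len(doomed)} assignment(s) removed")
        return len(doomed)

    def effective(self, principal, target_dn):
        """Operation -> roles granting it, for this principal on this target."""
        grants = {}
        for a in self.assignments:
            if a.principal == principal and self._in_scope(target_dn, a.scope):
                for op in ROLE_TEMPLATES[a.role]:
                    grants.setdefault(op, set()).add(a.role)
        return grants

    def check(self, principal, op, target_dn, group=None):
        """Decide and audit one attempted operation. Returns (allowed, reason)."""
        grants = self.effective(principal, target_dn)
        if op == "modify-group-membership" and group in PROTECTED_GROUPS:
            decision = (False, f"group {group!r} is protected; requires native admin access")
        elif op in grants:
            decision = (True, "allowed by role(s) " + ", ".join(sorted(grants[op])))
        else:
            decision = (False, f"no role grants {op} on {target_dn}")
        self._log(principal, op, target_dn if group is None else f"{group} via {target_dn}",
                  "ALLOW" if decision[0] else "DENY: " + decision[1])
        return decision
```

Because `check` consults the current assignments instead of cached rights, an undelegated help desk operator loses access on the next call, which is the property the slide's "undelegation" bullet says is hard to get from native ACLs alone. The protected-group rule is evaluated before any role grant, so no template can be edited into a path around it.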
49. Directory Security Administrator
- The What
  - Native ACL Administration
  - Role Based Security
  - Permissions Search
- The Why
  - Manage within Active Directory
  - Easier privilege management
  - See who can do what
50. Extending Beyond Windows with MIIS
51. What is MIIS?
- Microsoft Identity Integration Server IS:
  - Two-way synchronization infrastructure
  - Connects AD to AD or AD to X-platform
  - Vision is to facilitate IdM for Windows Focused Orgs
  - Current focus is to provide X-platform password synch
- Microsoft Identity Integration Server IS NOT:
  - Authentication Directory (That's still AD)
  - User Administration
  - Password Self Service
  - Content Enforcement
  - Role Based Security
52. How MIIS Works
- Metaverse
  - Uneditable store of authoritative directory attributes
- Connector Space
  - Contains stateful directory info
- Management Agents
  - Synchronization across directories
- Connected Directories
  - AD, LDAP, SunONE
  - Oracle, text file, etc.
MIIS Store (SQL Server)
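The meta-directory behaviour described on the Meta-directory Services slide and the MIIS components listed here, as an added Python example that is not Microsoft's or NetIQ's code and does not reproduce MIIS internals. It uses the same vocabulary (metaverse, connector space, management agent, connected directory): each agent imports its connected directory into a connector space, objects are joined on employeeID, and an attribute-precedence table decides which source may set each metaverse attribute, so authoritative data flows one way while the rest flows both ways. The precedence table, directory names and sample records are constructed.

```python
"""Added example (not Microsoft or NetIQ code): a toy meta-directory.
The metaverse is never edited by hand; every value comes from a
management agent and only the highest-precedence source wins."""
from copy import deepcopy

# Authoritative source order per attribute (first entry wins). Constructed policy.
PRECEDENCE = {
    "sn": ["HR", "AD"],
    "givenName": ["HR", "AD"],
    "department": ["HR"],
    "sAMAccountName": ["AD"],
    "mail": ["AD"],
}


class ManagementAgent:
    """Moves data between one connected directory and the metaverse."""

    def __init__(self, name, directory):
        self.name = name                # connected directory name, e.g. "HR" or "AD"
        self.directory = directory      # dict: employeeID -> attribute dict
        self.connector_space = {}       # stateful staging copy of the directory's objects

    def import_objects(self):
        """Inbound staging: copy the connected directory into the connector space."""
        self.connector_space = deepcopy(self.directory)

    def export_objects(self, metaverse):
        """Outbound flow: write metaverse values for attributes this directory does not own.
        Returns the (employeeID, attribute, value) triples actually changed."""
        changed = []
        for emp_id, cs_obj in self.connector_space.items():
            mv_obj = metaverse.get(emp_id)
            if mv_obj is None:
                continue                                  # not joined to a metaverse object
            for attr, value in mv_obj.items():
                if attr == "employeeID":
                    continue
                if PRECEDENCE.get(attr, [None])[0] == self.name:
                    continue                              # we are authoritative: never overwrite
                if cs_obj.get(attr) != value:
                    cs_obj[attr] = value
                    self.directory[emp_id][attr] = value
                    changed.append((emp_id, attr, value))
        return changed


def synchronize(agents):
    """Build the metaverse from all connector spaces, joining on employeeID."""
    by_name = {a.name: a for a in agents}
    metaverse = {}
    for agent in agents:
        for emp_id in agent.connector_space:
            metaverse.setdefault(emp_id, {"employeeID": emp_id})
    for emp_id, mv_obj in metaverse.items():
        for attr, sources in PRECEDENCE.items():
            for src in sources:                           # highest-precedence source wins
                cs_obj = by_name[src].connector_space.get(emp_id) if src in by_name else None
                if cs_obj is not None and attr in cs_obj:
                    mv_obj[attr] = cs_obj[attr]
                    break
    return metaverse


def run_cycle(agents):
    """One import / synchronize / export cycle. Returns the metaverse and per-agent changes."""
    for agent in agents:
        agent.import_objects()
    metaverse = synchronize(agents)
    return metaverse, {agent.name: agent.export_objects(metaverse) for agent in agents}


def demo():
    """Constructed sample: HR is authoritative for names and department, AD for logon data.
    Employee 1002 exists only in HR, so nothing is exported to AD for that person."""
    hr = {
        "1001": {"givenName": "Jeffrey", "sn": "Lebowski", "department": "Facilities"},
        "1002": {"givenName": "Walter", "sn": "Sobchak", "department": "Security"},
    }
    ad = {
        "1001": {"sAMAccountName": "jlebowski", "mail": "jlebowski@example.test",
                 "givenName": "Jeff", "sn": "Lebowsky"},
    }
    agents = [ManagementAgent("HR", hr), ManagementAgent("AD", ad)]
    metaverse, changes = run_cycle(agents)
    return metaverse, changes, ad
```

Running `demo()` corrects the misspelled surname in AD from HR's value and copies the logon name and mail address back to HR, while a second cycle over the same data changes nothing. Creating a new AD object for an HR-only employee is a provisioning rule rather than a flow rule and is deliberately not modelled here.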
53. The Total Solution: NetIQ, MIIS, Interlink
- NetIQ provides the administrative interface
- MIIS provides the X-platform infrastructure
- Interlink provides the integration
- Example: X-Platform Password Self Service
  - NetIQ provides front end authorization interface
  - MIIS provides password synch beyond Windows
  - Interlink provides solution integration/customization
  - User gets single web interface to update passwords
54. (No Transcript)
55. Summary
- User Provisioning is the Holy Grail
- Identity Management is a critical, necessary step
- Can't do ID Mgmt without an ID administration process
  - Enforce content policies
  - Enable self service
  - Automate provisioning tasks
  - Delegate tasks and implement role based security
- Interlink, Microsoft, and NetIQ provide the complete solution for the Windows Focused Organization