Part 1: Preventing the Big Lebowski Justin Stanton, Stuart Ami from Interlink Group, LLC Part 2: Win - PowerPoint PPT Presentation

1
Part 1: Preventing the Big Lebowski
Justin Stanton, Stuart Ami from Interlink Group, LLC
Part 2: Windows Focused Identity Administration
Ron Clarkson from NetIQ Corporation
2
Agenda
  • Introduction
  • Business Drivers
  • EIM Components
  • Is EIM Right For You?
  • Implementation Strategies
  • Snapshot of a Solution
  • Administration Overview
  • NetIQ Identity Administration Capabilities
  • Extending Beyond Windows with MIIS
  • Summary
  • Demo

3
Preventing the Big Lebowski
Justin Stanton, Stuart Ami, Interlink Group, LLC
4
Topics
  • Overview
  • Business Drivers
  • EIM Components
  • Is EIM Right For You?
  • Implementation Strategies
  • Snapshot of a Solution

5
What is Identity Management?
  • The strategy of employing process and
    technologies to manage information about the
    identity of users and control access to company
    resources

6
Identity Chaos
  • Absence of Federated Directories

Federation, n.: the technology and business processes necessary for the interconnecting of users, applications, and systems.
7
Identity Chaos (continued)
  • Proprietary Identity Stores
  • Proprietary Administration
  • Proprietary User Provisioning
  • Proprietary User Access Control

8
Identity Lifecycle
  • Account Creation (Provisioning)
  • Account Maintenance
  • Account Revocation (De-provisioning)

9
Account Creation
  • Rising support costs
  • Increased complexity
  • External vs. internal

10
Account Maintenance
  • Rising costs to support
  • 45% of total help desk calls are password resets¹
  • 11% of all employees will experience an access right issue every month²
  • Often the result of configuration errors made
    during account creation

¹ ² META Group research conducted on companies with over $500 million in annual revenue
11
Account Revocation
  • Costs and risks on the rise
  • Unclear scope of access
  • Inability to react can lead to increased
    vulnerability

12
Identity Lifecycle Business Risks (yep, there's more!)
  • Lower productivity
  • Avg. time to complete a user provisioning request is 6 to 29 hours!¹
  • Duplicate and conflicting user information
  • On average, internal user information is stored in 22 different identity stores and external user data is stored in 6 different identity data stores²
  • Lack of information security
  • Difficulty in meeting regulatory compliance

¹ ² META Group research conducted on companies with over $500 million in annual revenue
13
Identity Management Components
15
Directory Services
  • Foundation of an Identity Management solution
  • Stores digital identity information, policies,
    and user credentials
  • Interacts directly with all other EIM components
  • LDAP - emerging directory standard
  • Does not necessarily store ALL identity
    attributes

16
Meta-directory Services
  • Provides a unified view of a user's digital identity
  • Integration and synchronization of digital
    identity data
  • Facilitates bi-directional flow of information
    between directory and identity store(s)
  • Processes unidirectional flow of data coming from
    authoritative sources and transfers data to the
    EIM system

17
Federation
  • Interface between directory services and
    application authentication/authorization
  • Trust relationships provide a way to authenticate
    digital identities among autonomous organizations
  • Forest trusts, shadow accounts, and PKI trusts

18
Authentication
  • Proving a user is who they claim to be
  • Single Factor Authentication
  • Multi-Factor Authentication
  • Identifying Credentials
  • Smartcards
  • Biometrics
  • Proximity

19
Authorization
  • Determines access permissions to services,
    resources, and applications
  • Role-Based Access
  • Can be based on a company's organizational model

20
Administration
  • Centralized Administration
  • Delegated Administration

21
Provisioning
  • Lifecycle of a digital identity
  • Role-based access can ease administration
  • Don't forget de-provisioning and re-provisioning!

22
Password Management
  • Synchronize passwords across multiple systems
  • User self-service functionality
  • Reduces burden on help desk

23
Self-Service
  • Empowers users to manage aspects of their own
    digital identity
  • Reduces risk associated with password sharing
  • Reduces administrative costs and burden on help
    desk

24
Single Sign-On (SSO)
  • Single point of authentication
  • Automates access to authorized services,
    applications, and resources
  • Eliminates the security headaches and
    vulnerabilities associated with multiple
    IDs/passwords
  • Best if used with Multi-Factor Authentication

25
Is Identity Management Right For You?
26
Any of these sound familiar?
  • Users have more than six username and password combinations?
  • Turnaround time to provision an account for new employees is > 1 day?
  • Turnaround time to revoke a terminated user's account and permissions is > 1 day?
  • Access to critical resources cannot be restricted?
  • Access to critical resources cannot be audited or monitored?
  • CFO needs Sarbanes-Oxley compliance measures?
  • HIPAA compliance becoming a real concern?

27
Interested in ROI?
  • Potential savings of $4,395,081.60 per year¹
  • Gartner estimates that a 300% ROI over three years can be earned for a company with 10,000 employees implementing a provisioning solution for 12 applications²

¹ META Group research conducted on 420 companies with over $500 million in annual revenue
² Gartner Group research on companies over 10,000 employees
Your actual mileage may vary
28
Implementation Strategies
  • Executive Level buy-in and commitment is
    essential
  • Clearly define business objectives
  • Take a comprehensive approach to design
      • Top Down
      • Bottom Up
  • Prioritize tasks by
      • Aggregation
      • Consolidation
      • Integration
  • Involve ALL stakeholders!

29
Lessons Learned (Continued)
  • Balance wish with risk
  • Identify requirements before vendor selection
    phase
  • Have vendors provide a proof of concept in YOUR
    environment
  • Take a phased approach to implementation
  • Implement most business-critical applications
    last

30
EIM Solution Snapshot: Single Sign-on / Authentication
(diagram: smart card using Microsoft Certificate Services; security token, e.g. Kerberos ticket)
31
EIM Solution Snapshot: Re-provisioning / Authorization
  • Add his last name, Lebowski
  • Promoted from janitor to cashier
  • Remove user from Janitor Group
  • Add user to Cashier Group

(diagram: the change "Added last name Lebowski" passes through Policy as "Add SN Lebowski" / "Update last name Lebowski"; the promotion passes through Policy as "Update attributes to reflect new position: Cashier")
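The re-provisioning flow on this slide, written out as a small policy engine (an added example, not Interlink or NetIQ code): an authoritative HR change arrives, and the policy, not an administrator, derives the attribute update and the group membership swap. The role-to-group table, the operation names and the `Account` shape are assumptions made for the illustration; it also covers the de-provisioning case the earlier slides insist on.

```python
from dataclasses import dataclass, field

# Assumed policy: each job title maps to exactly one security group, so a
# promotion means leaving the old role's group and joining the new one.
ROLE_GROUPS = {"Janitor": "Janitor Group", "Cashier": "Cashier Group"}

@dataclass
class Account:
    """Directory-side view of a user (think of an AD account)."""
    sam: str
    sn: str = ""
    title: str = ""
    groups: set = field(default_factory=set)
    enabled: bool = True

def reprovision(account: Account, hr_record: dict) -> list:
    """Apply an authoritative HR record to the account and return the ordered
    directory operations the policy produced (empty when already in sync)."""
    ops = []
    if hr_record.get("terminated"):
        # De-provisioning: disable first, then strip every entitlement.
        if account.enabled:
            account.enabled = False
            ops.append(("disable", account.sam))
        for group in sorted(account.groups):
            ops.append(("remove_group", group))
        account.groups.clear()
        return ops
    # Attribute flow from the authoritative source ("Add SN Lebowski").
    if hr_record.get("sn") and hr_record["sn"] != account.sn:
        account.sn = hr_record["sn"]
        ops.append(("update", "sn", account.sn))
    # Role change: the policy, not the admin, decides group membership.
    new_title = hr_record.get("title", account.title)
    if new_title not in ROLE_GROUPS:
        raise ValueError(f"no role policy for title {new_title!r}")
    wanted = {ROLE_GROUPS[new_title]}
    for group in sorted(account.groups - wanted):
        ops.append(("remove_group", group))
    for group in sorted(wanted - account.groups):
        ops.append(("add_group", group))
    account.groups, account.title = wanted, new_title
    return ops

# Constructed sample: Jeff starts as a janitor with no last name on file.
def promote_jeff() -> tuple:
    jeff = Account(sam="jeff", title="Janitor", groups={"Janitor Group"})
    return jeff, reprovision(jeff, {"sn": "Lebowski", "title": "Cashier"})
```

Running the same HR record twice yields no operations, which is what makes the flow safe to re-run from a scheduled synchronization.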
32
The Total Solution
  • Microsoft provides the x-platform infrastructure
    MIIS
  • Interlink provides the integration and
    professional services
  • What about an administrative interface?

Allow me to introduce NetIQ!
33
Windows Focused Identity Administration
By Ron Clarkson

34
Topics
  • Administration Overview
  • NetIQ Identity Administration Capabilities
  • Extending Beyond Windows with MIIS
  • Summary
  • Demo

35
Administration Overview

36
What Is Identity Administration?
  • Identity Administration ensures that
    authoritative data stores ARE!
  • Hard to achieve IdM ROI without proper identity
    administration
  • For Windows focused organizations AD
    administration most critical piece of identity
    administration

37
What Are The Challenges?
38
Why Is It Important?
39
How Do We Do It? Task-Appropriate Directory Access
Layered security architecture:
  • Native access for auditing and management of the Active Directory security model and similar tasks that require a high level of privilege.
  • Protected access for tasks that require low levels of privilege, and high levels of auditing, automation and extensibility.
  • Offline access for sensitive tasks that can impact the entire enterprise environment if performed online.
Roles shown: AD Architect / Security Admin; Desktop Management / Group Policy Admin; Departmental Admin / Help Desk Admin.
40
NetIQ Identity Administration Capabilities
41
Challenge: Keep Content Accurate
  • Goals
      • Make sure account management activities comply with appropriate policies
  • Challenges
      • Content control (data validation policies, etc.)
      • Content consistency
      • Contextual control (not only what, but when)

42
Challenge: Secure Delegation
  • Goals
      • Delegate out day-to-day administration tasks without giving away the keys to the kingdom
  • Challenges
      • Defining roles & responsibilities
      • Delivering appropriate capabilities
      • Providing easy admin interfaces to delegates
      • Avoiding power escalation (identity theft, etc.)
      • Delegating certain aspects & tasks is difficult
      • Undelegation is even more challenging

43
Challenge: Centralize Auditing
  • Goals
      • Capture all account management activities (Who did what to whom or what, and when?)
  • Challenges
      • Enforcement of audits
      • Capturing & centralizing activities in a multi-master environment
      • AD security audit log conciseness & interpretation
      • Completeness of audit

44
Challenge: Automation of Repetitive Tasks
  • Goals
      • Enable provisioning and deprovisioning through automation
  • Challenges
      • Automation of tasks isn't possible natively
          • Home directory
          • Home shares
          • Mailbox creation
          • Group membership adds/deletes
          • Distribution list adds/deletes
      • Difficult to delegate some of these rights natively without giving away the keys to the kingdom

45
Directory Resource Administrator
  • The What
      • Enforce Policies
      • Secure Delegation
      • Centralized Auditing
      • Automate Tasks
  • The Why
      • Keep AD content accurate
      • Offload tasks to help desk
      • Know who accessed what, when
      • Reduce repetitive work

46
Challenge: End User Self Service
  • Goal
      • Task end users to manage own information where possible
  • Challenges
      • No native web interface to expose AD attributes about personal information
      • No interface to unlock accounts, reset passwords
      • Ability to log in to reset password when unable to access own account

47
Secure Password Administrator Module
  • The What
      • Password Resets & Unlocks
      • Password Synchronization
      • Self Service for NT and Windows
  • The Why
      • Reduces calls to help desk
      • Keeps accounts in synch
      • Prevent account hijacking

48
Challenge: Role Based Security
  • Goals
      • Simple & sustainable permissions set up & management within Active Directory
  • Challenges
      • Defining appropriate permissions templates for various job functions or roles
      • Applying permissions to Active Directory in a repeatable way
      • Updating roles over time
      • Documentation of role definitions & applications

49
Directory Security Administrator
  • The What
      • Native ACL Administration
      • Role Based Security
      • Permissions Search
  • The Why
      • Manage within Active Directory
      • Easier privilege management
      • See who can do what

50
Extending Beyond Windows with MIIS

51
What is MIIS?
  • Microsoft Identity Integration Server IS
      • Two-way synchronization infrastructure
      • Connects AD to AD or AD to X-platform
      • Vision is to facilitate IdM for Win Focused Orgs
      • Current focus is to provide X-platform password synch
  • Microsoft Identity Integration Server IS NOT
      • Authentication Directory (That's still AD)
      • User Administration
      • Password Self Service
      • Content Enforcement
      • Role Based Security

52
How MIIS Works
  • Metaverse
      • Uneditable store of authoritative directory attributes
  • Connector Space
      • Contains stateful directory info
  • Management Agents
      • Synchronization across dirs
  • Connected Directories
      • AD, LDAP, SunONE
      • Oracle, Txt file, etc.

(diagram: MIIS Store (SQL Server))
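To make the slide's four moving parts concrete, here is a deliberately simplified sync cycle in the same shape (an added example, not Microsoft's MIIS code): management agents import connected-directory records into per-directory connector spaces, objects are joined on an employee ID and projected into a metaverse that keeps only the authoritative value of each attribute, and an export step computes what each connected directory must change. The two directories, the attribute names, the precedence table and the sample records are all constructed for the illustration; it goes one step past the slide by showing a record that exists only in HR being provisioned into AD.

```python
# Assumed attribute-flow precedence: per metaverse attribute, the connected
# directories in order of authority (the first that supplies a value wins).
PRECEDENCE = {"sn": ["HR", "AD"], "title": ["HR", "AD"], "mail": ["AD"]}

def import_to_connector_space(records):
    """Management-agent import: stage a connected directory's records in its
    connector space, keyed by the join attribute employeeID."""
    return {rec["employeeID"]: dict(rec) for rec in records}

def synchronise(connector_spaces):
    """Join connector-space objects on employeeID and project them into the
    metaverse, which holds only the authoritative value of each attribute."""
    metaverse = {}
    for emp in set().union(*connector_spaces.values()):
        mv = {"employeeID": emp}
        for attr, sources in PRECEDENCE.items():
            for src in sources:
                val = connector_spaces.get(src, {}).get(emp, {}).get(attr)
                if val:  # None or "" means this directory does not supply it
                    mv[attr] = val
                    break
        metaverse[emp] = mv
    return metaverse

def export_deltas(metaverse, connector_spaces):
    """Export step: per connected directory, the (employeeID, attribute, old,
    new) changes needed so that it matches the metaverse."""
    deltas = {name: [] for name in connector_spaces}
    for name, cs in connector_spaces.items():
        for emp, mv in sorted(metaverse.items()):
            current = cs.get(emp, {})  # {} means: object not yet provisioned
            for attr, val in mv.items():
                if attr != "employeeID" and current.get(attr) != val:
                    deltas[name].append((emp, attr, current.get(attr), val))
    return deltas

# Constructed sample: HR is authoritative for name and title, AD owns mail;
# employee 1002 is a new hire that AD has not seen yet.
HR = [{"employeeID": "1001", "sn": "Lebowski", "title": "Cashier"},
      {"employeeID": "1002", "sn": "Sobchak", "title": "Janitor"}]
AD = [{"employeeID": "1001", "sn": "", "title": "Janitor", "mail": "jeff@example.com"}]

def run_sample():
    """One sync cycle over the constructed directories: (metaverse, deltas)."""
    spaces = {"HR": import_to_connector_space(HR), "AD": import_to_connector_space(AD)}
    mv = synchronise(spaces)
    return mv, export_deltas(mv, spaces)
```

The metaverse is never written to directly, which is the "uneditable store" property from the slide: it is recomputed from the connector spaces on every cycle.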
53
The Total Solution: NetIQ, MIIS, Interlink
  • NetIQ provides the administrative interface
  • MIIS provides the X-platform infrastructure
  • Interlink provides the integration
  • Example: X-Platform Password Self Service
      • NetIQ provides front end authorization interface
      • MIIS provides password synch beyond Windows
      • Interlink provides solution integration/customization
      • User gets single web interface to update passwords

54
Summary

55
Summary
  • User Provisioning is the Holy Grail
  • Identity Management is a critical & necessary step
  • Can't do ID Mgmt without ID administration process
      • Enforce content policies
      • Enable self service
      • Automate provisioning tasks
      • Delegate tasks and implement role based security
  • Interlink, Microsoft, and NetIQ provide the complete solution for the Windows Focused Organization

56
Demo