Identity and Access Identity and Access Management beyond Management beyond OrganisationsOrganisations

Detlef EckertDetlef EckertChief Security Advisor Chief Security Advisor Microsoft Europe, Middle East, and AfricaMicrosoft Europe, Middle East, and Africa

What is Identity Management?What is Identity Management?Example Definition for Identity Management:Example Definition for Identity Management:

A system of procedures and policies enabled by software to A system of procedures and policies enabled by software to manage the lifecycle and entitlements of manage the lifecycle and entitlements of digital credentialsdigital credentials..

IP-Address

Username /PW

Biometrics

Smartcards

Passport

Picture

Identity

Name, Address, Telephone, Mobile, Fax, Building, Room number, …

Exponential Growth of IDsExponential Growth of IDsThrough separated islands of identitiesThrough separated islands of identities

Pre 1980’sPre 1980’s 1980’s1980’s 1990’s1990’s 2000’s2000’s

# ofDigital IDs

Time

Applicatio

ns

MainframeMainframe

Client ServerClient Server

InternetInternet

BusinessBusinessAutomationAutomation

CompanyCompany(B2E)(B2E)

PartnersPartners(B2B)(B2B)

CustomersCustomers(B2C)(B2C)

MobilityMobility

Your COMPANY andyour EMPLOYEES

Your SUPPLIERS

Your PARTNERSYour REMOTE andVIRTUAL EMPLOYEES

Your CUSTOMERS

Customer satisfaction & customer intimacyCost competitivenessReach, personalization

CollaborationOutsourcingFaster business cycles; process automationValue chain

M&AMobile/global workforceFlexible/temp workforce

Orgs Have To Extend AccessOrgs Have To Extend Access

Through a Service Oriented ArchitectureConnected SystemsConnected Systems

Application to Application

Rich Interactions- Office- Real time

Communications- Live Meeting

Rich ClientDevices & Apps

Web Browsers

WebService

WebService

WebService

WebService

Web Server

InternetOrganization PartnerWeb

ServiceWeb

Service

The Business DriversThe Business Drivers

IdentityManagement

ReduceCosts

ImproveService &

Productivity

ImproveSecurity

AssureCompliance

RemoteAccess

StrongAuthN

Role-basedAccess

ProtectSystems

DRM

SOX

Basel II

HIPAA

DS …

Help-Desk

Centralize

AutomateProcesses

Pre-AuditChecks

DelegatedAdmin

SelfService

SingleSign-On

Federation

SinglePassword

In-SynchData

What is Identity and Access What is Identity and Access Management?Management?

�������������� ��� ��� ���������� ������������������ ��� ��� ���������� ����������� ������������� ���� �������������� ������������� ���� ����������������������� �� ��������� � ������������������ �� ��������� � ��

����� �������� ������������������������ �������� ������������������������� ������ � �������� �������������� �������� ������ � �������� �������������� �������� ����������� �����

���� �������������������������� ������ ������ �������������������������� ������ ���������� �������� ��������������� ������������� �������� ��������������� ������� � ����� ������������� �������������� � ����� ������������� ����������������������������������

Directory Services

Access Management

Identity Lifecycle

Management

A system of technologies, procedures and A system of technologies, procedures and policies enabling management of the policies enabling management of the lifecycle and entitlements of electronic lifecycle and entitlements of electronic

identities.identities.

““The Laws of Identity”The Laws of Identity”

1.1. User control and consentUser control and consent

2.2. Minimal disclosure for a defined useMinimal disclosure for a defined use

3.3. Justifiable partiesJustifiable parties

4.4. Directional identityDirectional identity

5.5. Pluralism of operators and technologiesPluralism of operators and technologies

6.6. Human integrationHuman integration

7.7. Consistent experience across contextsConsistent experience across contexts

Join the discussion atJoin the discussion at www.identityblog.comwww.identityblog.com

Identity Identity MetasystemMetasystem

We need a unifying “Identity We need a unifying “Identity metasystemmetasystem””Protect applications from identity complexitiesProtect applications from identity complexitiesAllow digital identity to be loosely coupled: multiple Allow digital identity to be loosely coupled: multiple operators, technologies, and implementationsoperators, technologies, and implementations

Not first time we’ve seen this in computingNot first time we’ve seen this in computingEmergence of TCP/IP unified Ethernet, Token Ring, Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the notFrame Relay, X.25, even the not--yetyet--invented wireless invented wireless protocolsprotocols

Identity MetasystemIdentity Metasystem

Consistent way to use multiple identity systemsConsistent way to use multiple identity systemsRemove friction without requiring everyone agree on Remove friction without requiring everyone agree on one identity technology for everythingone identity technology for everythingLeverage current successesLeverage current successesEnable us to move from past to futureEnable us to move from past to future

Four key characteristicsFour key characteristicsNegotiationNegotiationEncapsulating protocolEncapsulating protocolClaims transformationClaims transformationConsistent user experienceConsistent user experience

An Identity Metasystem An Identity Metasystem ArchitectureArchitecture

Global industry developed protocols that Global industry developed protocols that enable an identity metasystem: WSenable an identity metasystem: WS--* * Web ServicesWeb Services

Encapsulating protocol and claims Encapsulating protocol and claims transformation: WStransformation: WS--TrustTrustNegotiation: WSNegotiation: WS--MetadataExchangeMetadataExchange and and WSWS--SecurityPolicySecurityPolicy

Only technology we know of specifically Only technology we know of specifically designed to satisfy requirements of an designed to satisfy requirements of an identity metasystemidentity metasystem

Metasystem PlayersMetasystem Players

Relying PartiesRelying PartiesRequire identitiesRequire identities

SubjectsSubjectsIndividuals and other Individuals and other entities about whom entities about whom

claims are madeclaims are made

Identity ProvidersIdentity ProvidersIssue identitiesIssue identities

WS-Trust, WS-MetadataExchange

WSWS--* Metasystem Architecture* Metasystem Architecture

SecurityTokenServer

Kerberos

WS-SecurityPolicy

SAML

SecurityTokenServer

WS-SecurityPolicy

…

ID ProviderID Provider

X.509

ID ProviderID Provider

SubjectSubject

Relying PartyRelying Party Relying PartyRelying Party

Identity Selector

Microsoft Support for Microsoft Support for Identity Identity MetasystemMetasystemWindows CommunicationWindows CommunicationFoundationFoundation

Runtime for building Runtime for building applsapplssupporting identity supporting identity metasystemmetasystem

““InfoCardInfoCard””Identity selector for Windows to Identity selector for Windows to visualize user’s digital identity; visualize user’s digital identity; ships with ships with WinFXWinFX

Active DirectoryActive DirectoryInfrastructure services for Infrastructure services for identity and accessidentity and access

“InfoCard” WinCF

Active Directory

WS-*

EndEnd--UsersUsers DevelopersDevelopers

IT OrganizationsIT Organizations

eID cards Country VieweID cards Country View

Rollout:Rollout: Austria, Bahrain, Belgium, Brunei, Austria, Bahrain, Belgium, Brunei, China/HongKong/Macao, Denmark (SW), China/HongKong/Macao, Denmark (SW), Estonia, Finland, Italy, Japan, Malaysia,, Estonia, Finland, Italy, Japan, Malaysia,, Spain, Sweden, Thailand, Spain, Sweden, Thailand, Plans and Pilots:Plans and Pilots: Czech Republic, France Czech Republic, France (advanced on Health Cards), Germany (advanced on Health Cards), Germany (like France), Greece, Gulf States, Israel, (like France), Greece, Gulf States, Israel, Netherlands, Portugal, Singapore, Netherlands, Portugal, Singapore, Slovakia, Slovenia, South Africa, UKSlovakia, Slovenia, South Africa, UK=> Near Future: 100 millions of citizens => Near Future: 100 millions of citizens worldwide will have government issued worldwide will have government issued Smart CardsSmart Cards

The Big Picture of eID CardsThe Big Picture of eID CardsElectronic ID cards are becoming more commonplace in Electronic ID cards are becoming more commonplace in advancing economy and security sensitive worldadvancing economy and security sensitive world

Most governments around the world are planning or will be issuinMost governments around the world are planning or will be issuing g smartcards to citizens in next 3smartcards to citizens in next 3--5 years5 years

Most countries want to stimulate the eEconomyMost countries want to stimulate the eEconomyHowever, it is difficult for governments to drive commercial However, it is difficult for governments to drive commercial application usage of smartcardsapplication usage of smartcardsMost governments do not want to be in the software businessMost governments do not want to be in the software business

Health Cards are driven by cost savingsHealth Cards are driven by cost savingsPrivacy, security and efficiency demandsPrivacy, security and efficiency demands

In several countries Legal framework for electronic In several countries Legal framework for electronic signatures is in placesignatures is in place

(in the EU: eSignature, eInvoice, eProcurements Directives)(in the EU: eSignature, eInvoice, eProcurements Directives)

eID is a natural solution component to common problems eID is a natural solution component to common problems such as phishing, online identity verification, etc.such as phishing, online identity verification, etc.

Trustworthy Identity ScenariosTrustworthy Identity Scenarios

Woodgrove Bank

Nicholas

Smartcard +Reader / PIN pad

WebBanking

WindowsDomainLogon

Dial Corp

Government eIDMSN SmartcardBank Smartcard…

Government Tax Agency

AbbyEmail, IM, …eID Issuance

NameAddress Submit/sign form …

Summary: Current eID issuesSummary: Current eID issuesGovernment issued eID cards solve the Government issued eID cards solve the ‘chicken and egg’ problem of open PKI‘chicken and egg’ problem of open PKIContactless cards vs contact cardsContactless cards vs contact cardsBiometric Security (and Privacy)Biometric Security (and Privacy)Mandatory rollMandatory roll--out vs optional offer vs market out vs optional offer vs market driven approachdriven approachManaging a national PKI a challenge: Costs, Managing a national PKI a challenge: Costs, Reliability, Security, Privacy.Reliability, Security, Privacy.Citizens will have more than one Smart Card Citizens will have more than one Smart Card (Health Cards, Credit/Debit Cards, eID cards, (Health Cards, Credit/Debit Cards, eID cards, ... ): raising the question of multi... ): raising the question of multi--application application cardscardsData FormatData Format

Legal Recognition of eID internationally Legal Recognition of eID internationally