
Identity and Access Management beyond Organisations

Detlef Eckert, Chief Security Advisor, Microsoft Europe, Middle East, and Africa

What is Identity Management?

Example definition for Identity Management:

A system of procedures and policies enabled by software to manage the lifecycle and entitlements of digital credentials.

(Diagram) Identity at the centre, surrounded by the identifiers and attributes associated with it: IP-Address, Username / PW, Biometrics, Smartcards, Passport, Picture; Name, Address, Telephone, Mobile, Fax, Building, Room number, …

Exponential Growth of IDs
Through separated islands of identities

(Chart: # of Digital IDs against Time, from Pre 1980’s through the 1980’s, 1990’s and 2000’s. Applications by era: Mainframe, Client Server, Internet. Scope of use: Business Automation, Company (B2E), Partners (B2B), Customers (B2C), Mobility.)

Orgs Have To Extend Access

(Diagram) Your COMPANY and your EMPLOYEES, extending access to: Your SUPPLIERS; Your PARTNERS; Your REMOTE and VIRTUAL EMPLOYEES; Your CUSTOMERS.

Drivers shown: Customer satisfaction & customer intimacy; Cost competitiveness; Reach, personalization; Collaboration; Outsourcing; Faster business cycles, process automation; Value chain; M&A; Mobile/global workforce; Flexible/temp workforce.

Connected Systems
Through a Service Oriented Architecture

(Diagram) Application to Application; Rich Interactions (Office, Real time Communications, Live Meeting); Rich Client Devices & Apps; Web Browsers; Web Services; Web Server; Internet; Organization; Partner Web Service.

The Business Drivers

(Diagram) Identity Management at the centre, with four business drivers: Reduce Costs; Improve Service & Productivity; Improve Security; Assure Compliance.

Surrounding items, in the order shown: Remote Access, Strong AuthN, Role-based Access, Protect Systems, DRM, SOX, Basel II, HIPAA, DS …, Help-Desk, Centralize, Automate Processes, Pre-Audit Checks, Delegated Admin, Self Service, Single Sign-On, Federation, Single Password, In-Synch Data.

What is Identity and Access Management?


(Diagram) Directory Services; Access Management; Identity Lifecycle Management.

A system of technologies, procedures and policies enabling management of the lifecycle and entitlements of electronic identities.

“The Laws of Identity”

1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Join the discussion at www.identityblog.com

Identity Metasystem

We need a unifying “Identity metasystem”:
• Protect applications from identity complexities
• Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations

This is not the first time we’ve seen this in computing: the emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocols.

Identity Metasystem

• Consistent way to use multiple identity systems
• Remove friction without requiring everyone to agree on one identity technology for everything
• Leverage current successes
• Enable us to move from past to future

Four key characteristics:
• Negotiation
• Encapsulating protocol
• Claims transformation
• Consistent user experience

An Identity Metasystem Architecture

• Global industry developed protocols that enable an identity metasystem: WS-* Web Services
• Encapsulating protocol and claims transformation: WS-Trust
• Negotiation: WS-MetadataExchange and WS-SecurityPolicy
• Only technology we know of specifically designed to satisfy the requirements of an identity metasystem

Metasystem Players

• Relying Parties: require identities
• Subjects: individuals and other entities about whom claims are made
• Identity Providers: issue identities

(Diagram) WS-Trust, WS-MetadataExchange

WS-* Metasystem Architecture

(Diagram) Subject with Identity Selector; two ID Providers, each with a Security Token Server; two Relying Parties. Protocol and token labels shown: Kerberos, SAML, X.509, WS-SecurityPolicy.
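The following is an added example and is not from this presentation, from Microsoft, or from any WS-* implementation. It simulates in Python the exchange the Laws of Identity and the metasystem slides describe: the relying party publishes the claims it needs (negotiation), the identity selector picks a card from a trusted issuer and requests only those claims (minimal disclosure, law 2), the security token server issues a token scoped to that one relying party (directional identity, law 4) and transforms a raw attribute into a derived claim (claims transformation), and the relying party verifies the token before trusting any claim. All names, keys and subject data are constructed; an HMAC stands in for the XML signature a real STS would use, and the fixed clock keeps the run reproducible.

```python
import hashlib
import hmac
import json
from datetime import date

IDP_KEY = b"constructed-idp-signing-key"      # constructed; stands in for the STS's X.509 signing key
IDP_NAME = "https://idp.example/sts"           # hypothetical identity provider (security token server)
RP_NAME = "https://shop.example/checkout"      # hypothetical relying party
NOW = 1_704_067_200                            # fixed clock, 2024-01-01T00:00:00Z, for reproducibility
TODAY = date(2024, 1, 1)                       # same instant, for the age derivation

# Constructed subject attributes held by the identity provider.
IDP_DIRECTORY = {
    "alice": {"givenname": "Alice", "email": "alice@example.org", "birthdate": date(1990, 5, 17)},
}

# Negotiation: the relying party's published policy (the role WS-SecurityPolicy /
# WS-MetadataExchange play in the WS-* design): which claims it needs, from whom.
RP_POLICY = {"audience": RP_NAME, "required_claims": ["email", "over18"], "trusted_issuers": [IDP_NAME]}

# The subject's cards, as an identity selector would hold them: issuer and claims each can assert.
CARDS = {
    "work-card": {"issuer": IDP_NAME, "claims": ["givenname", "email", "over18"]},
    "forum-card": {"issuer": "https://forum.example/sts", "claims": ["nickname"]},
}


def _sign(body):
    """HMAC over a canonical JSON encoding of the token body (stand-in for an XML signature)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


def select_card(policy, cards):
    """Identity selector: the first card whose issuer the RP trusts and which covers the required claims."""
    for name, card in cards.items():
        if card["issuer"] in policy["trusted_issuers"] and set(policy["required_claims"]) <= set(card["claims"]):
            return name
    return None


def issue_token(subject, requested_claims, audience):
    """Security token server: issue a signed token carrying only the requested claims for one audience.

    Claims transformation: the birthdate is never released; the STS derives the boolean
    'over18' claim from it, so the relying party learns only what its policy asked for.
    """
    attrs = IDP_DIRECTORY[subject]
    claims = {}
    for name in requested_claims:
        if name == "over18":
            bd = attrs["birthdate"]
            age = TODAY.year - bd.year - ((TODAY.month, TODAY.day) < (bd.month, bd.day))
            claims[name] = age >= 18
        elif name in attrs and name != "birthdate":
            claims[name] = attrs[name]
        else:
            raise ValueError(f"cannot assert claim {name!r}")
    body = {"issuer": IDP_NAME, "audience": audience, "claims": claims,
            "issued_at": NOW, "expires_at": NOW + 300}
    return {"body": body, "signature": _sign(body)}


def verify_token(token, policy, now=NOW):
    """Relying party checks: signature, trusted issuer, audience, validity window, required claims."""
    body = token["body"]
    if not hmac.compare_digest(_sign(body), token["signature"]):
        return None, "bad signature"
    if body["issuer"] not in policy["trusted_issuers"]:
        return None, "untrusted issuer"
    if body["audience"] != policy["audience"]:          # directional identity: token is bound to one RP
        return None, "token not issued for this relying party"
    if not body["issued_at"] <= now < body["expires_at"]:
        return None, "token expired or not yet valid"
    missing = [c for c in policy["required_claims"] if c not in body["claims"]]
    if missing:
        return None, f"missing claims: {missing}"
    return body["claims"], "ok"


def run_exchange(subject="alice", policy=RP_POLICY):
    """Whole flow: select a card, obtain a token from its issuer, present it to the relying party."""
    card = select_card(policy, CARDS)
    if card is None:
        return None, "no card satisfies policy"
    token = issue_token(subject, policy["required_claims"], policy["audience"])
    return verify_token(token, policy)


if __name__ == "__main__":
    print(run_exchange())   # ({'email': 'alice@example.org', 'over18': True}, 'ok')
```

Two points the slides state are visible in the run: the relying party never sees the birthdate, only the derived claim it asked for, and a token issued for one relying party is rejected by another because the audience is part of the signed body.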

Microsoft Support for Identity Metasystem

• Windows Communication Foundation: runtime for building applications supporting the identity metasystem
• “InfoCard”: identity selector for Windows to visualize the user’s digital identity; ships with WinFX
• Active Directory: infrastructure services for identity and access

(Diagram) “InfoCard”, WinCF, Active Directory, built on WS-*; audiences: End-Users, Developers, IT Organizations.

eID cards Country View

Rollout: Austria, Bahrain, Belgium, Brunei, China/HongKong/Macao, Denmark (SW), Estonia, Finland, Italy, Japan, Malaysia, Spain, Sweden, Thailand.

Plans and Pilots: Czech Republic, France (advanced on Health Cards), Germany (like France), Greece, Gulf States, Israel, Netherlands, Portugal, Singapore, Slovakia, Slovenia, South Africa, UK.

=> Near Future: 100 million citizens worldwide will have government-issued Smart Cards.

The Big Picture of eID Cards

• Electronic ID cards are becoming more commonplace in an advancing economy and a security-sensitive world
• Most governments around the world are planning or will be issuing smartcards to citizens in the next 3-5 years
• Most countries want to stimulate the eEconomy. However, it is difficult for governments to drive commercial application usage of smartcards; most governments do not want to be in the software business
• Health Cards are driven by cost savings and by privacy, security and efficiency demands
• In several countries a legal framework for electronic signatures is in place (in the EU: eSignature, eInvoice, eProcurement Directives)
• eID is a natural solution component to common problems such as phishing, online identity verification, etc.

Trustworthy Identity Scenarios

(Diagram) Actors: Nicholas, Abby. Parties: Woodgrove Bank, Dial Corp, Government Tax Agency. Credentials: Smartcard + Reader / PIN pad; Government eID, MSN Smartcard, Bank Smartcard, …. Uses shown: Web Banking, Windows Domain Logon, Email, IM, …, eID Issuance, Name / Address / Submit/sign form ….

Summary: Current eID issues

• Government-issued eID cards solve the ‘chicken and egg’ problem of open PKI
• Contactless cards vs contact cards
• Biometric Security (and Privacy)
• Mandatory roll-out vs optional offer vs market-driven approach
• Managing a national PKI is a challenge: Costs, Reliability, Security, Privacy
• Citizens will have more than one Smart Card (Health Cards, Credit/Debit Cards, eID cards, ...): raising the question of multi-application cards
• Data Format
• Legal Recognition of eID internationally