“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
Bruce Schneier, American cryptographer, computer security and privacy specialist
Assess customer goals, challenges, threats, requirements, and technical security maturity.
Establish a common framework and definition of security, and introduce Microsoft solutions and services.
Explore customer requirements and goals, and share Microsoft capabilities.
Outline strategic and tactical projects, with business goals and requirements.
Implement appropriate security solutions based on business goals.
Solutions
Seen this before?
[Diagram: identity sprawl across an enterprise. Operations shown: Create, Delete, Attribute, Sync. Actors: Application Owner, Business Manager, Users, IT Helpdesk, Administrator. Identity stores and systems: Cloud (O365, Azure, Amazon, Google, etc.), Active Directory, Exchange / Lotus Notes etc., HR (PeopleSoft, SAP, Dynamics), Financials, SharePoint, Sales.]
Limited or no use of Active Directory
User provisioning and access management done manually
Minimal enterprise identity and access policy standards
Active Directory for User Authentication and Authorization
Single sign-on to Windows-integrated applications
Active Directory security groups used for user access control
Desktops not managed by group policy
Group policy used to manage desktops for security and settings
Desktops are tightly managed
Centrally managed, automated user account provisioning across systems
Centrally managed, automated access controls across systems
Capability | Basic | Standardized | Rationalized | Dynamic

Administration
Identity Proliferation | Application Centric, Multiple Enterprise ID Stores | Enterprise ID Store + Application Specific Stores | Virtualized Identity Service | Single Enterprise ID Store
Provisioning | Manual, Ad hoc | Some custom built scripts / Mostly Manual | Automated Creation in one or more ID stores using COTS, Email Notifications to other system owners | Automated Creation in all ID Stores
Deprovisioning | Manual, Ad hoc | Some custom built scripts / Mostly Manual | Automated Deprovisioning in one or more ID Stores, Email Notifications to other system owners | Automated Deprovisioning in all ID Stores
Identity Updates | Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Automated to some identity systems from Authoritative Source | Automated to all identity systems from Authoritative Source plus Self-Service capabilities
Synchronization | Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Synchronization among some identity systems, Time-Based | Synchronization among all identity systems, Event-Driven
Password Management | Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Self-Service Password Reset to central identity system (no synchronization) | Self-Service Password Reset and synchronization to all identity systems
Group Management | Manual by Admin, Static | Owner Managed (Delegations), Static | Owner Managed, Self-Service, Approvals | Dynamic/Attribute Based
Application Entitlement Management | Application owner specific | Central Service Desk, manual workflow | Central access request service with automated workflow | Dynamic/Attribute Based
User Interface | Service Center/Help Desk | Internally Accessible, Manual Updates | Internally Accessible, Self-Service | Externally Accessible
Change Control | None | Call Service Desk / Manual Workflow | Call Help Desk / Some Electronic Workflow | Self-Service Request with Electronic Workflow

Authentication
Convenience | Multiple IDs, Multiple Credentials, Multiple Prompts | Multiple IDs, Multiple Credentials, Single Prompt per Credential | Multiple IDs, Single Credential | Single ID, Single Credential, Single Prompt (SSO)
Source | Application Centric Issuer(s) | Virtual Issuer | Central Issuer | Federated and Central Issuers
Protocols | Multiple Protocols, No Standard | Standard set of protocols (no transition, no delegation) | Standardized Protocols with ability to transition (no delegation) | Standardized Protocols with ability for transition and delegation
Assurance | Shared Accounts, No Assurance | Personalized Accounts, Password Based | Multi-Factor AuthN | Risk-Based AuthN

Authorization
Entitlement Type | Application Centric | Group-Based | Role-Based, Attribute-Based | Policy-Based
Access Policies | Written | Enforced per Application/Resource | Centrally Enforced | Centrally Enforced with Attestation
Enforcement | API (Handled within Application specific code) | Proxy (Handled outside App) | Agent (applied externally and injected into app), Proprietary | Protocol Based using Industry Standard, non-Proprietary Protocols

Audit
Collection | None | Disparate | Synchronized | Central Store
Access Logging | No Logging | Basic logs - Network IP, Server Event logs, Web Server logs | Disparate Application-level logging | Common Application Logging Platform
Change Logging | None | Request | Request and Change | Request, Approval, Change
Alerting | Reactive, No Alerting | Reactive, Some Alerting on Key Systems | Reactive, Alerting across all systems | Alerting and Automatic Remediation
Reporting Methodology | Manual, Ad hoc | Manual with defined process | Automated Report Generation on Key Systems | Automated Reporting and Generation on all Systems
Reporting Types | None | Change/Historical | Attestation | Industry/Regulatory Specific
IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
Users can work from anywhere on their device with access to their corporate resources.
Users can register devices for single sign-on and access to corporate data with Workplace Join.
Users can enroll devices for access to the Company Portal for easy access to corporate applications.
IT can publish Desktop Virtualization (VDI) for access to centralized resources.
Not Joined: User provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.
Workplace Joined: Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information.
Domain Joined: Domain joined computers are under the full control of IT and can be provided with complete access to corporate information.
Browser session single sign-on
Seamless 2-Factor Auth for web apps
Enterprise apps single sign-on
Desktop Single Sign-On
Allow users to manage their identity with an easy-to-use portal, tightly integrated with Office.
Self-service group and distribution list management, including dynamic membership calculation in these groups and distribution lists, is based on the user's attributes.
Users can reset their passwords via Windows logon, significantly reducing help desk burden and costs.
Sync user identities across directories, including Active Directory, Oracle, SQL Server, IBM DS, and LDAP.
Manage the complete life cycle of certificates and smart cards through integration with Active Directory.
Built-in workflow for identity management.
Automatically synchronize all user information to different directories across the enterprise.
Automate the process of on-boarding new users.
Real-time de-provisioning from all systems to prevent unauthorized access and information leakage.
[Diagram: integration points of the identity platform: LDAP, Certificate Management, Security Platform, SAML.]
From: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques (http://www.microsoft.com/en-us/download/details.aspx?id=36036)
From: Best Practices for Securing Active Directory (http://www.microsoft.com/en-us/download/details.aspx?id=38785)
From: The one company that wasn't hacked (http://www.infoworld.com/d/security/the-one-company-wasnt-hacked-194184?source=footer)
How MARS works
[Diagram: MARS Server mediating between an Admin Account (requester) and a pre-defined Admin Group, with managed Domain Groups: Managed Servers, Domain Admin, Schema Admin, Top Secret Project. Timeline from 9:00 to 3:00 with these steps:]
1. Request Access (10:00)
2. Auto-Approve (10:00)
3. Access Resource (10:01)
4. Access Resource (3:15)
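The four-step flow above, as an added example that is not part of the original deck or of MARS itself: a minimal model of auto-approved, time-bound admin group membership, where resource access is re-checked against the grant's expiry at access time rather than at approval time. The 4-hour expiry window, the account name and the date are assumptions; the deck does not state the real window.

```python
"""Added example (not from the original deck): time-bound admin group
membership in the style of the MARS request / auto-approve / access flow.
Assumption: every approved grant expires after GRANT_TTL (4 hours here)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Pre-defined groups a requester may ask for (group names from the deck).
ELIGIBLE_GROUPS = {"Managed Servers", "Domain Admin", "Schema Admin", "Top Secret Project"}
GRANT_TTL = timedelta(hours=4)  # assumed expiry window, not stated on the page


@dataclass
class Grant:
    account: str
    group: str
    approved_at: datetime
    expires_at: datetime


@dataclass
class MarsServer:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (time, account, group, outcome)

    def request_access(self, account, group, now):
        """Steps 1 and 2: request a group and auto-approve it with an expiry."""
        if group not in ELIGIBLE_GROUPS:
            self.audit.append((now, account, group, "denied: group not eligible"))
            return None
        grant = Grant(account, group, now, now + GRANT_TTL)
        self.grants.append(grant)
        self.audit.append((now, account, group, "approved"))
        return grant

    def is_member(self, account, group, now):
        """Membership holds only while an unexpired grant exists for the account."""
        return any(g.account == account and g.group == group
                   and g.approved_at <= now < g.expires_at
                   for g in self.grants)

    def access_resource(self, account, group, now):
        """Steps 3 and 4: the resource check happens at access time, so a
        grant that was valid at 10:01 no longer authorises access once expired."""
        ok = self.is_member(account, group, now)
        self.audit.append((now, account, group, "access ok" if ok else "access denied: no active grant"))
        return ok


def demo():
    """Replays the deck's timeline: approve at 10:00, access at 10:01 and 3:15 PM."""
    srv = MarsServer()
    day = datetime(2024, 1, 15)  # constructed date
    srv.request_access("admin1", "Domain Admin", day + timedelta(hours=10))
    at_1001 = srv.access_resource("admin1", "Domain Admin", day + timedelta(hours=10, minutes=1))
    at_1515 = srv.access_resource("admin1", "Domain Admin", day + timedelta(hours=15, minutes=15))
    return at_1001, at_1515
```

With a 4-hour window the 10:01 access succeeds and the 3:15 PM access is refused, and every decision is recorded in the audit list for later review.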