Effective identity and access management involves several interdependent technologies and processes. These elements combine to maintain a unified view of identities in an organization and use them effectively. The main topics for discussion in identity and access management include directory services, identity life-cycle management, access management, and how applications should integrate with the infrastructure.
Note: This chapter provides an overview of each of these topics and the remaining chapters examine the processes and services within each topic in much more detail. For an overview of these topics, read this chapter. For a more rigorous, technical treatment, read Chapters 4 through 7.
Many identity and access management technologies and solutions have evolved independently in response to specific tactical problems. Organizations, analysts, vendors, and systems integrators have increasingly come to recognize that these technologies and business problems are all interdependent, resulting in a single category that is simply described as "identity and access management."
To visualize this interdependency, Microsoft created the Identity and Access Management Framework, a graphical depiction of the services and processes involved in identity and access management.
The following figure shows the main components of the Microsoft Identity and Access Management Framework:
This chapter establishes each of these framework topics and introduces the technologies, services, and processes that support each of them.
Pervasive elements of the Microsoft Identity and Access Management Framework include the governing business, security, and privacy policies that embody the specific requirements of an organization. These elements help define the business assumptions, rules, standards, and constraints that control how technologies and processes should be applied to meet business objectives. For example, security policies are broad and far-reaching, influencing all aspects of identity and access management.
Directory services provide the foundation of any identity and access management infrastructure. Directory services provide a single source of authoritative digital identity information. Such information can include security information, such as passwords and X.509 certificate mappings, as well as user profile information in the form of user attributes that include addresses, telephone numbers, office space, titles, and department names.
Microsoft recommends identifying a minimal number of directories that become the trusted digital identity store(s) for your organization. This reduction offers immediate returns and provides a solid base on which to integrate all other components.
Directory Services in Microsoft Technologies
Microsoft started supporting directory services on the Microsoft Windows platform when Windows NT 3.1 was introduced. Current directory services from Microsoft include:
The Microsoft Active Directory directory service, which is an integral part of Windows 2000 Server and Windows Server™ 2003.
Active Directory Application Mode (ADAM).
For more information on Microsoft directory services, see Chapter 4, "Directory Services" later in this paper.
Identity Life-Cycle Management
There are several related processes for managing users, their entitlements, and their credentials. These processes include:
Identity integration services, including aggregation and synchronization.
Provisioning, including the management of related processes that occur before, during, and after provisioning (often called "workflow").
Delegated administration, such as account management by partner staff.
Self-service administration, such as user-initiated entitlement requests.
Credential and password management, including end-user password change and Helpdesk password resets.
Deprovisioning, including the deactivation or deletion of an account.
Identity Integration Services
Identity integration services are typically needed when an organization has multiple directories or identity stores. Since each of these directories contains a subset of all the information about a user, identity integration services can help by creating an aggregate view of the information from all the identity stores.
Identity integration services create this aggregate view by pulling identity information from a variety of authoritative sources, such as existing directories, Human Resources (HR) and accounting applications, e-mail directories, and various databases. All the identity information that the identity integration services bring together populates a single database or metaverse — a single global, integrated view of all combined objects aggregated from identity information in multiple connected data sources.
With this central database of information, rules can be applied to the data that control the flow during import and export operations. The ability to have rule-based import and export data flows allows for the implementation of identity synchronization and even provisioning. Since this synchronization and provisioning can be automated through programmatic rules, identity integration services allow the organization to reduce costs associated with the management of identity data and limit errors introduced by human administration.
A key component of identity and access management is how digital identities are created. The provisioning process provides a powerful tool that takes advantage of user information contained in the organization's directory infrastructure to speed up the granting and revoking of user accounts and entitlements for information resources. These resources can include e-mail, telephone service, HR applications, line-of-business (LOB) and functional applications, intranet and extranet access, and Helpdesk services.
Automating the processes that create digital identities can reduce costs and increase productivity dramatically. For example, when a new employee joins the organization, the provisioning system can reduce the time required to obtain user accounts and access rights from over a week to a few hours. Automated provisioning also eliminates much of the time managers spend processing associated paperwork, as well as the time that finance, human resources, and IT personnel spend approving and implementing the requests.
Workflow is a requirement of most provisioning processes. Requests for resources are entered online, routed in a predetermined path to reviewers and approvers, and then finally to the person or system that creates the user account. Requests and electronic copies of supporting materials are automatically routed to each participant in the process. Processes are applied consistently and completely across all departments, with each piece of information entered only once. A complete audit trail is available regarding who granted approval and when it was granted. Automatically monitored workflows notify a higher-level manager or administrator if review or approval actions are not completed in a timely fashion.
Workflow is also helpful within some delegated administration and self-service processes — for example, routing requests for approval.
The typical administration model involves a small group of trusted individuals who have the ability to manage all aspects of an identity store. These administrators create and delete users, set and reset passwords, and can set all user attributes.
However, there are often good business reasons for not having a single central group of administrators manage all aspects of user identity. In the case of partner accounts in an extranet directory, the preferred method is for the owning organization to delegate administration of the accounts to an administrator in the partner organization. The partner administrator assumes responsibility for all of the accounts for their own employees. This arrangement makes sense from an administrative standpoint, since the partner has a better idea of when users need to be created or deleted and requests for assistance are processed locally.
Delegated administration can also occur within an organization, where trusted individuals within different departments manage a subset of an organization's identity store.
For typical users such as employees, there are many user attributes that are not security related; an organization may consider allowing users to modify such attributes. For example, users may be allowed to change their cell phone number. However, self-service administration should have suitable constraints, such as enforcing naming conventions and validity checking.
Since credentials are the "keys" to authentication and authorization, they have special management needs and should have strict security considerations for all related processes. Credentials need to be provisioned, they need to be administered (such as revoking a certificate or resetting a password), and users need self-service capabilities (such as changing their passwords). The mechanism for receiving a credential should be closely scrutinized (for example, receiving a smart card in person by showing identification, or receiving a reset password through an encrypted, direct channel).
A specific subset of credential management is called password management. Authentication using username and password combinations is still the most widely used technique in today's networks and applications. Different techniques are available for managing password information across heterogeneous environments.
One aspect of password management covers the use of technologies to automatically propagate password information from one system to another. This propagation allows a user to use the same password to log on to multiple systems, which can reduce the possibility of forgotten passwords and the associated Helpdesk calls that forgotten passwords generate. With consistent passwords between platforms and applications, there is typically a requirement to centralize password change and Helpdesk password reset operations through common interfaces.
Password propagation should only be considered once the security characteristics of each participating system are fully understood. For example, a UNIX environment that uses Telnet and sends passwords in plaintext over the network should not have the same password as an Active Directory account used to complete sensitive, business-critical transactions.
Deprovisioning is another key function of identity life-cycle management. Deprovisioning ensures that accounts are systematically disabled or deleted and entitlements are revoked when employees leave the organization. Good security practice recommends that accounts be disabled quickly (to prevent possible attacks by disgruntled ex-employees) but not deleted until after a suitable time has elapsed, in case it becomes necessary to re-enable (or rename and reassign) the account. Disabling accounts (rather than deleting) is also helpful for some organizations that need to ensure certain identity attributes such as account name are unique and not reused within a time period that meets policy requirements.
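As an added illustration (not code from Microsoft or MIIS), the following Python sketch joins identity records from three constructed sources into a single metaverse view using per-attribute precedence rules, then runs an export flow that provisions active people, disables leavers immediately and deletes them only after a retention window while keeping retired account names out of reuse. The sources, attribute names, the 90-day retention period and the naming convention are all assumptions made for the example.

```python
"""Toy 'metaverse': aggregate identity records from several connected sources under attribute
precedence rules, then drive provisioning and deprovisioning from that view. Added illustration,
not MIIS code; every record below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed records from three connected data sources, keyed by employee ID (the join anchor).
HR = {
    "1001": {"givenName": "Ana", "sn": "Ruiz", "department": "Finance", "status": "active"},
    "1002": {"givenName": "Ben", "sn": "Osei", "department": "Finance", "status": "active"},
    "1003": {"givenName": "Cy", "sn": "Lam", "department": "Eng", "status": "terminated"},
}
MAIL = {"1001": {"mail": "ana.ruiz@example.com"}, "1003": {"mail": "cy.lam@example.com"}}
PHONE = {"1001": {"telephoneNumber": "+1 555 0101"}, "1002": {"telephoneNumber": "+1 555 0102"}}
SOURCES = {"HR": HR, "MAIL": MAIL, "PHONE": PHONE}
# Import rules: which sources may supply each attribute, in precedence order (HR owns names/status).
PRECEDENCE = {
    "givenName": ["HR"], "sn": ["HR"], "department": ["HR"], "status": ["HR"],
    "mail": ["MAIL", "HR"], "telephoneNumber": ["PHONE", "HR"],
}
RETENTION_DAYS = 90  # assumption: disabled accounts are kept this long before deletion

def build_metaverse():
    """Join every source on the anchor and apply precedence, giving one object per person."""
    metaverse = {}
    for emp in sorted(set().union(*(src.keys() for src in SOURCES.values()))):
        obj = {"employeeID": emp}
        for attr, order in PRECEDENCE.items():
            for src in order:
                if attr in SOURCES[src].get(emp, {}):
                    obj[attr] = SOURCES[src][emp][attr]
                    break
        metaverse[emp] = obj
    return metaverse

@dataclass
class Account:  # constructed stand-in for a directory account
    name: str
    enabled: bool = True
    disabled_on: "date | None" = None

def unique_name(obj, directory, reserved):
    """Apply the naming convention; never reuse a live name or one retired within the policy window."""
    base = (obj["givenName"][0] + obj["sn"]).lower()
    taken = {a.name for a in directory.values()} | reserved
    name, n = base, 1
    while name in taken:
        n += 1
        name = f"{base}{n}"
    return name

def sync_directory(metaverse, directory, reserved, today):
    """Export rules: provision active people, disable leavers at once, delete only after retention."""
    actions = []  # doubles as an audit trail of what changed and when
    for emp, obj in metaverse.items():
        acct = directory.get(emp)
        if obj.get("status") == "active":
            if acct is None:
                directory[emp] = Account(unique_name(obj, directory, reserved))
                actions.append(("provision", emp, directory[emp].name))
            elif not acct.enabled:  # returning employee: re-enable rather than recreate
                acct.enabled, acct.disabled_on = True, None
                actions.append(("reenable", emp, acct.name))
        elif acct is not None:
            if acct.enabled:
                acct.enabled, acct.disabled_on = False, today
                actions.append(("disable", emp, acct.name))
            elif today - acct.disabled_on >= timedelta(days=RETENTION_DAYS):
                reserved.add(acct.name)  # keep the retired name out of circulation
                del directory[emp]
                actions.append(("delete", emp, acct.name))
    return actions

def run_demo(start=date(2024, 1, 10)):
    """Two runs RETENTION_DAYS apart, against a directory that already holds the leaver's account."""
    directory, reserved = {"1003": Account("clam")}, set()
    first = sync_directory(build_metaverse(), directory, reserved, start)
    second = sync_directory(build_metaverse(), directory, reserved, start + timedelta(days=RETENTION_DAYS))
    return first, second, directory, reserved
```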
Identity Life-Cycle Management in Microsoft Technologies
Microsoft technologies for identity life-cycle management include:
Active Directory, including the Active Directory Users and Groups Microsoft Management Console (MMC) and built-in delegation of administration capabilities.
Microsoft Identity Integration Server 2003, Enterprise Edition (MIIS 2003), which includes the following specific capabilities:
Password propagation and Web interfaces for password reset and change.
The Identity Integration Feature Pack for Microsoft Windows Server Active Directory.
Self-service and automatic X.509 certificate enrollment.
Services for UNIX 3.5 (SFU 3.5).
Services for NetWare.
Windows Credential Manager.
For more information on identity life-cycle management with Microsoft technologies, see Chapter 5, "Identity Life-Cycle Management," later in this paper.
Access management involves controlling user access to resources, whether using authentication to identify a user, credential mapping to relate digital identities to each other, or authorization to check user identity against resource permissions. Additional access management topics discuss implementing federation and trusts to extend access, and auditing to track and record what users are doing.
Authentication is the process of proving the digital identity of a user or object to a network, application, or resource. Once authenticated, users can access resources based on their entitlements through the process of authorization.
Authentication techniques range from a simple logon based on user identification and password information (something you know), through biometrics (something distinguishing about you), to more powerful security mechanisms such as tokens, digital certificates, and smart cards (something you have). High security environments may require a multi-factor authentication process that combines, for example, something you know (such as a password) with either a distinguishing feature (such as a fingerprint) or something you have (such as a smart card).
In an e-business environment, users may access multiple applications spanning many Web servers within a single site or across multiple sites. Effective identity and access management strategies deploy authentication services to simplify the user experience and reduce administration overhead. For these reasons, authentication services must support heterogeneous environments.
Examples of authentication techniques include:
User names and passwords
Personal identification numbers (PINs)
X.509 digital certificates
Biometrics (for example, fingerprint or iris scans)
Comparing Strong and Weak Authentication Techniques
Authentication techniques can range from simple ones where users provide passwords directly to applications or hosts to much more complicated ones that use advanced cryptographic mechanisms to protect user credentials against potentially malicious applications and hosts.
Providing a plaintext password (that is, one that is not encrypted in any way) to an application or host is considered the weakest authentication technique because of the danger of interception of the authentication sequence. Also, if the user authenticates to a malicious host, the owner of that host has all the necessary information to act as that user anywhere on the network. If you think of a password as a secret, then it is not much of a secret if the user must tell every computer on the network what the secret is.
Stronger authentication techniques protect the authentication credentials so that the host or resource to which the user authenticates does not know what the secret actually is. Typically, this is done by cryptographically signing data with the secret password that is known only to the user and a trusted third party (such as an Active Directory domain controller). A computer authenticates the user by presenting the signed data to the trusted third party. The third party then compares the signature to what it knows about the user and advises the computer whether it believes the user is who they say they are. Such a mechanism helps keep passwords as true secrets.
Single Sign On
An important part of any authentication discussion is the concept of single sign on (SSO). SSO at the application level involves establishing a "session" between the client and server that allows the user to keep using the application without providing a password every time they take an action within the application.
The same kind of idea can be extended to a set of applications available on the network. To implement SSO amongst different applications, sessions can be established between the client, a trusted third party on the network, and various server applications and network resources. The session is represented in many implementations by a ticket or cookie which is best thought of as a substitute credential for the user. Instead of requiring the user to provide their credential during authentication, the ticket or cookie is sent to the server and accepted as proof of the user's identity.
The end result is that the user only has to sign on once before using many applications — thus providing a single sign on experience.
Note: Only in very unusual circumstances is it considered appropriate for an authentication mechanism to force the user to repeatedly provide authentication credentials. Applications, on the other hand, may sometimes prompt for credentials before performing a particularly sensitive operation.
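To make the contrast with handing a plaintext password to every host concrete, here is an added Python example (not Windows, Kerberos or any Microsoft code) of the pattern described above: the client answers a fresh challenge with an HMAC computed from its secret, the trusted third party verifies it and issues a signed session token, and that token is exchanged for per-service tickets so the user signs on once and no service ever sees the secret. The user name, password, keys, token layout and 8-hour lifetime are constructed for the example.

```python
"""Challenge-response authentication through a trusted third party, plus a ticket-based
single sign on session. Added teaching example, not Windows or Kerberos code; the users,
passwords, keys and the token layout are constructed."""
import hashlib, hmac, os, time

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (hex), so field boundaries cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.hexdigest().encode()

class TrustedThirdParty:
    """Knows each user's secret and shares a separate key with each service (constructed data)."""
    def __init__(self):
        self.user_secrets = {"ana": hashlib.sha256(b"correct horse battery staple").digest()}
        self.service_keys = {"mail": os.urandom(32), "expenses": os.urandom(32)}
        self.session_key = os.urandom(32)  # signs the SSO session tokens it issues
        self.challenges = {}

    def challenge(self, user: str) -> bytes:
        self.challenges[user] = os.urandom(16)  # fresh nonce: a replayed response will not verify
        return self.challenges[user]

    def authenticate(self, user: str, response: bytes):
        """Verify the signed challenge; on success issue a session token, the substitute credential."""
        chal, secret = self.challenges.pop(user, None), self.user_secrets.get(user)
        if chal is None or secret is None or not hmac.compare_digest(mac(secret, user.encode(), chal), response):
            return None
        token = b"|".join([user.encode(), str(int(time.time()) + 8 * 3600).encode()])
        return token + b"|" + mac(self.session_key, token)

    def service_ticket(self, session: bytes, service: str):
        """Exchange a valid session token for a ticket to one service; no password is asked for again."""
        user, expiry, sig = session.split(b"|")
        if not hmac.compare_digest(mac(self.session_key, user + b"|" + expiry), sig):
            return None
        if int(expiry) < time.time() or service not in self.service_keys:
            return None
        body = b"|".join([user, service.encode(), expiry])
        return body + b"|" + mac(self.service_keys[service], body)

class Client:
    """Holds the password-derived secret and never transmits it, only signed challenges."""
    def __init__(self, user: str, password: str):
        self.user, self.session = user, None
        self.secret = hashlib.sha256(password.encode()).digest()

    def sign_on(self, ttp: TrustedThirdParty) -> bool:
        chal = ttp.challenge(self.user)
        self.session = ttp.authenticate(self.user, mac(self.secret, self.user.encode(), chal))
        return self.session is not None

class Service:
    """Verifies tickets with its own shared key. Unlike a host handed a plaintext password,
    it never learns anything that would let it act as the user elsewhere on the network."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def accept(self, ticket: bytes):
        """Return the authenticated user name, or None if the ticket is invalid or not for this service."""
        if not ticket:
            return None
        user, service, expiry, sig = ticket.split(b"|")
        if service.decode() != self.name or int(expiry) < time.time():
            return None
        body = b"|".join([user, service, expiry])
        return user.decode() if hmac.compare_digest(mac(self.key, body), sig) else None

def demo():
    """Sign on once, then reach two services with tickets derived from that single session."""
    ttp = TrustedThirdParty()
    services = [Service(n, ttp.service_keys[n]) for n in ("mail", "expenses")]
    ana = Client("ana", "correct horse battery staple")
    if not ana.sign_on(ttp):
        return None
    return [svc.accept(ttp.service_ticket(ana.session, svc.name)) for svc in services]
```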
Authentication in Microsoft Technologies
Microsoft Windows Server 2003 Active Directory provides integral support for a range of authentication methods, including:
Public key infrastructure (PKI)-based authentication
The Kerberos version 5 authentication protocol
X.509 certificate mapping
Windows NT LAN Manager (NTLM) challenge/response
Extensible Authentication Protocol (EAP)
Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 encryption
Support for smart cards with X.509 certificates
Windows Server 2003 Internet Information Services 6.0 (IIS) supports all of the above in addition to the following:
Applications can call authentication methods through application programming interfaces (APIs) such as the Security Support Provider Interface (SSPI), which includes Secure Protocol Negotiation (SPNEGO).
Windows XP includes integrated authentication for workstation log on and resource access, Internet Explorer for integrated authentication to Web sites, and Credential Manager for managing the passwords, digital certificates, and Passports used for authentication.
Authorization is the process of determining whether a digital identity is allowed to perform a requested action. Authorization occurs after authentication, and maps attributes associated with the digital identity (such as group memberships) to access permissions on resources to identify which resources the digital identity can access.
Access Control Lists
Different platforms use different mechanisms for storing authorization information. The most common authorization mechanism is known as an access control list (ACL), which is a list of digital identities along with a set of actions that they may perform on the resource (also known as permissions).
Actions are typically defined relative to the type of object the ACL protects. For example, a printer might allow actions such as "print" or "delete job" while a file might allow actions such as "read" and "write."
Operating systems that support large numbers of users typically support security groups, which constitute a special type of digital identity. Using security groups reduces the management complexity of dealing with thousands of users in a large network.
Security groups simplify management because an ACL can have a few entries specifying which groups have a specific level of access to an object. With careful group design, the ACL should be relatively static. You can easily change authorization policy for many objects at a time by manipulating the members of a group maintained by a centralized authority, such as a directory. Nesting groups within each other increases the flexibility of the group model for managing authorization.
Many applications use the term role to refer to a user classification. For example, a "Manager" role could be used to refer to all members of a security group called "Finance Managers," who as members of this group would automatically be granted the entitlements to network resources this role provides.
Roles can also be based on dynamic, run-time decisions that provide more flexibility, such as authorization in an expense report application. This application may have approval actions that only authorized users (or principals) holding the "Approving Manager" role can perform. However, before allowing an expense to be approved, the system queries the directory to determine whether the submitter's "Manager" attribute matches the name of the person approving the expense. Such business-driven logic is almost impossible to configure with ACL-type mechanisms.
Roles can be defined either globally, such as by group memberships in a directory, or with application code that determines role membership based on a dynamic query. There are even combinations of both types, such as an application that locally defines a role called "Managers" to include the members of both the global groups "HR Managers" and "Engineering Managers."
There are advantages to each of these methods. A well-designed roles mechanism provides application developers with the flexibility to choose among them for the correct fit.
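The following added Python example (not Windows ACL or Authorization Manager code) evaluates an ACL over nested security groups with deny entries taking precedence, then layers on the dynamic "Approving Manager" check from the expense report scenario, which compares the submitter's Manager attribute in the directory with the would-be approver. The users, groups, ACL entries and expense report are constructed.

```python
"""ACL evaluation over nested security groups, plus a dynamic role check that an ACL cannot
express. Added illustration, not Windows ACL or Authorization Manager code; the users, groups,
ACL entries and expense report are constructed."""

# Constructed directory: users carry a "manager" attribute; groups may contain other groups.
USERS = {"ana": {"manager": "ben"}, "ben": {"manager": "dee"},
         "dee": {"manager": None}, "eli": {"manager": "dee"}}
GROUPS = {
    "Finance Managers": {"ben", "dee"},
    "Engineering Managers": {"eli"},
    "Managers": {"Finance Managers", "Engineering Managers"},  # nested: members are groups
    "Finance Staff": {"ana", "Finance Managers"},              # mixes a user and a nested group
}

def expand_group(name, seen=None):
    """All users in a group, following nested groups; `seen` stops a membership cycle looping."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in GROUPS.get(name, ()):
        users |= expand_group(member, seen) if member in GROUPS else {member}
    return users

def principals_of(user):
    """Every identity an ACL entry could name for this user: the user plus each group containing it."""
    return {user} | {g for g in GROUPS if user in expand_group(g)}

# ACL entries: (principal, "allow" or "deny", actions). Naming groups rather than users keeps the
# ACL static; authorization policy then changes by editing group membership in the directory.
ACL = {
    "expense-report-42": [
        ("Finance Staff", "allow", {"read"}),
        ("Managers", "allow", {"read", "approve"}),
        ("eli", "deny", {"approve"}),
    ],
}
REPORTS = {"expense-report-42": {"submitter": "ana"}}  # constructed application data

def acl_allows(user, resource, action):
    """Static check: a matching deny entry wins; otherwise any matching allow entry grants the action."""
    ids = principals_of(user)
    matches = [e for e in ACL.get(resource, []) if e[0] in ids and action in e[2]]
    if any(e[1] == "deny" for e in matches):
        return False
    return any(e[1] == "allow" for e in matches)

def may_approve(user, resource):
    """Dynamic "Approving Manager" role: must pass the ACL *and* be the submitter's manager
    according to the directory, a rule the ACL alone cannot express."""
    if not acl_allows(user, resource, "approve"):
        return False
    submitter = REPORTS[resource]["submitter"]
    return USERS[submitter]["manager"] == user
```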
Authorization in Microsoft Technologies
Windows Server 2003 provides integral support for a range of authorization methods. Microsoft authorization technologies and supporting components include:
Access control lists (ACL)
Role-based access control through Windows Authorization Manager
IIS 6.0 URL authorization
For more information on Microsoft authorization technologies, see the "Authorization" section in Chapter 6, "Access Management" later in this paper.
The concept of trust is becoming more important as organizations continue to share resources with their business partners. The ability to establish trust between independently administered systems is crucial for IT systems to support the required level of data exchange. Trust enables secure authentication and authorization of digital identities between autonomous information systems with less management overhead.
The mechanisms of trust are complicated because there are many tasks that must happen between independent organizations to make the authentication and subsequent authorization processes useful. The trusting organization needs to have a secure mechanism to communicate with the trusted organization. Once the trusting organization has authenticated the foreign digital identity, it must incorporate the entitlement information about that foreign account into the authorization process within the trusting organization.
A federation is a special kind of trust relationship established beyond internal network boundaries between distinct organizations. Federation enables the secure authentication and authorization of digital identities between autonomous information systems based on the principle of trust. For example, a user from company A can use information available at company B because there is a federated trust relationship between the two companies.
Note: Federation includes the implementation of evolving specifications, such as WS-Federation, an initiative headed by Microsoft and IBM for standardizing the way companies share user and machine identities among disparate authentication and authorization systems spread across organizational boundaries. For more information on WS-Federation, see Web Services Federation Language on Microsoft.com at: http://msdn2.microsoft.com/en-us/library/ms951236.
Federation is an attempt to remove the requirement for management of accounts in more than one place. In federation, a user from one organization can authenticate directly to a resource managed by another organization using his or her normal network account. This idea is popular because it can remove the requirement (or at least make the requirements much easier to meet) for administration of many different accounts.
Consider an organization that does business with one hundred different partners. The alternative to federation would be for the organization to use a delegated administration interface to manage accounts on one hundred different partner extranets. Through this example, it should be obvious that techniques such as delegated administration do not scale to highly connected business environments. The ability to federate digital identities reliably and securely is essential for advancing business opportunities.
Trust in Microsoft Technologies
Microsoft Windows provides support for trust through the following technologies:
External trusts in Windows NT 4.0 and Windows 2000 Server.
Cross-forest trusts in Windows Server 2003.
The Kerberos version 5 authentication protocol.
Auditing provides a means to monitor access management events and changes to directory objects. Security auditing is typically used to monitor for the occurrence of problems and security breaches.
Security Auditing in Microsoft Technologies
Microsoft Windows provides a security event log for recording interesting security events such as:
Changes to directory objects.
Microsoft Operations Manager (MOM) 2000 can consolidate event logs in an environment and provide useful auditing reports.
General purpose business applications are the ultimate consumers of identity and access information. Accordingly, they should be integrated with the identity and access management platform. Applications typically integrate with the authentication and authorization components of the framework through APIs. Applications that fail to integrate add complexity to the environment, increasing management costs and often creating new attack surfaces, which in turn lead to security vulnerabilities.
Integrating applications may require a large amount of effort, but this integration process can deliver a high return on investment (ROI). If an application has its own authentication system, the only way an organization can fully integrate the application into the authentication process is to redesign it to work with the platform. Therefore, to ensure application compatibility with the identity and access management framework, the organization's Software Development Life Cycle (SDLC) methodology must include clear standards on how applications must use the authentication and authorization functionality of the standard platform.
For more information on application integration using Microsoft technologies, see Chapter 7, "Applications" later in this paper.
The following figure lists all of the processes and services in the Microsoft Identity and Access Management Framework.