Gov Identity Mgmt Presentation


  • 7/30/2019 Gov Identity Mgmt Presentation

    Slide 1/42

    Industry Solutions Director, Microsoft WW Public Sector

    Slide 2/42

    Agenda

    Megatrends and Government Challenges
    Identity Management
    Summary of Benefits
    Case Studies: Identity Management at Work
    Appendix: U-Prove Technology

    Slide 3/42

    Today governments are facing a number of megatrends and challenges

    Improving Staff Productivity
    Increasing Operational Efficiency
    Working Collaboratively and Taking Advantage of Shared Services
    Leveraging the Power of Technology
    Caring for the Environment
    Delivering Social Care
    Improving Customer (Citizen and Business) Service Delivery
    Improving Compliance and Accountability
    Raising Standards in Education
    Sustaining the Local Economy
    Continuous Cost Reduction
    More Efficient and Greener IT Infrastructure
    Increased Citizen Interaction

    Slide 4/42

    eGovernment Identity Management Solutions Address a Number of these Challenges

    Identity Management solutions create digital identities for citizens and
    enterprises, manage their lifecycle, and provide services for user
    identification, authentication, and authorization across borders and
    across multiple identity systems.

    Efficient and secure delivery of e-services
    Seamless user experience across boundaries
    Simplified management
    Application development efficiency

    Improving Staff Productivity
    Increasing Operational Efficiency
    Working Collaboratively and Taking Advantage of Shared Services
    Leveraging the Power of Technology
    Caring for the Environment
    Delivering Social Care
    Improving Customer (Citizen and Business) Service Delivery
    Improving Compliance and Accountability
    Raising Standards in Education
    Sustaining the Local Economy

    Slide 5/42

    Identity Management Key Benefits

    IT can centrally manage access to applications and data, regardless of location
    Authentication method independence across applications
    More efficient application of security policy
    Open interfaces between the eID infrastructure and the consuming applications or cloud services
    Developers can externalize authentication / authorization
    Faster, nimbler development of services (Win. Identity Foundation)
    Secure eIDs enable eGov services delivery, while reducing cost and fraud
    Support for multiple authentication methods and security levels of access to government services
    Privacy, minimum ID disclosure
    ID Federation across agencies, including cloud/hosted services
    Single Sign On (SSO) experience across borders, platforms and authentication methods
    Federated access rights on documents posted on extranets

    Slide 6/42

    Current Situation: Time and labor intensive process

    Password reset and access requests handled through help desk
    Agency X is managing Agency Y accounts
    Agency Y is managing Agency X accounts
    Multiple identities and limited sign-on help
    Different sign-on requirements for applications
    Remote access solution w/ separate identities

    Slide 7/42

    Identity and Access Management: Simple and easy

    Always-on access built into platform
    More secure, simplified access across agencies
    Agency X IDs are used in the cloud
    Single identity across resources

    Slide 8/42

    Key Government Challenges

    Improving Staff Productivity
    Increasing Operational Efficiency
    Working Collaboratively and Taking Advantage of Shared Services
    Leveraging the Power of Technology
    Caring for the Environment
    Delivering Social Care
    Improving Customer (Citizen and Business) Service Delivery
    Improving Compliance and Accountability
    Raising Standards in Education
    Sustaining the Local Economy

    Desktop Productivity Software
    Data Warehousing
    Collaboration & Content Mgmt
    Customer Rel. Management
    Application Integration
    Mail
    Server Operating System
    Mobile Operating System
    Desktop Operating System
    Unified Communication
    Integrated Development Environment
    Enterprise Res. Planning
    Systems Management
    Identity & Access Mgmt
    Security Workflow

    Slide 9/42

    Identity Management with Partners
    Example of Solution Area with Partner Solutions

    Office
    Dynamics ERP, Dynamics CRM, BizTalk, Exchange
    Windows Server
    Windows Mobile, Windows Client
    Unified Communication
    Visual Studio
    MOSS
    SQL Server, System Ctr., AD/ADFS, Forefront, .NET Framework
    Microsoft Consulting / Partner Solutions

    Solution Component
    Optional Component

    Slide 10/42

    Identity Management with Partners
    Example of Solution Area with Architecture mapping
    With Products owned/needed

    Office
    Dynamics ERP, Dynamics CRM, BizTalk, Exchange
    Windows Server
    Windows Mobile, Windows Client
    Unified Communication
    Visual Studio
    MOSS
    SQL Server, System Ctr., AD/ADFS, Forefront, .NET Framework
    Microsoft Consulting / Partner Solutions

    Solution Component
    Optional Component
    You already own these products
    Products needed to complete this solution

    Solution Detail
    Forefront Identity Manager
    Unified Access Gateway
    Windows CardSpace
    Windows Identity Foundation
    Rights Mgmt Services CAL or part of ECAL
    Windows 7 includes Smartcard Minidriver concept, and Windows Biometric Framework (WBF)
    Active Directory Federation Services (ADFS) 2.0

    Slide 11/42

    Identity Management Solution Area

    Slide 12/42

    Some definitions

    Term: Meaning
    Authentication: Prove that you are eligible for a particular online service (not necessarily revealing your full identity)
    Authorization: What are your access rights or access levels
    Federated Identity: Trusting on-line users based on some other entity's proof of authentication
    Claims-based access: Authorization by means of claims (attributes). E.g. Surname = Jiricek; Age>18 = Yes
    Minimal Disclosure of Personal Information: Reveal the minimal needed set of claims during authentication & authorization
    PII: Personal Identifiable Information

    Slide 13/42

    Requirements of Identity in eGovernment Services

    Reduce Cost of e-Service Delivery
      Identity as a Shared Service
      Reuse existing IdP infrastructures
      Remove unnecessary overhead

    Improve Security and Trust
      Jointly defined ID assurance levels
      Identity across organiz. boundaries
      Dynamic, claims-based access

    Simplify Handling of Identity
      Across on-premise and cloud
      Flexible for architecture changes
      Agnostic to authentication methods

    Improve User Centricity / Uptake
      Users in control of personal data
      Minimal disclosure of personal data
      Consistent User Experience

    Slide 14/42

    Secure identity on-line as an enabler

    Lower Risk Transactions: Less assurance required
    Higher Risk Transactions: More assurance required
    Beyond a certain point, a high level of identity assurance is necessary to complete a transaction

    Slide 15/42

    e-Identity 1.0 Concept

    Diagram: End User (Browser) -- Service Provider (Web Application, ID Mgmt, Local User Directory)
    1. Require credentials
    2. Enter credentials
    4. Grant/deny access

    Identity and Access Management are built into each web service
    User experience is application specific
    PII disclosure follows data in local directory

    Slide 16/42

    Identity Metasystem Concept (Vendor and technology neutral)

    Diagram: End User (Browser) -- Identity Provider (Claims Provider) -- Relying Party (Web Application, Service Provider)
    Establish trust between the Service Provider and the Identity Provider
    1. Require claims
    4. Send claims
    5. Grant/deny access

    Takes user directory and authentication out of the application
    Makes Identity Provider a shared service
    Delivers consistent user experience
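The exchange on this slide (steps 1, 4 and 5, plus the trust established beforehand between Service Provider and Identity Provider) and the definitions on slide 12 (federated identity, claims-based access, minimal disclosure), as an added Python example that is not part of the presentation and not any Microsoft product's code. An HMAC over a JSON body stands in for the XML signature of a real SAML / WS-Federation token; the issuer names, the relying-party URL, the key and the user directory are all constructed for the demo. The point a relying party should take from it: it never sees the birth date, only the answer to the claim it asked for, and it refuses tokens that are unsigned by a trusted IdP, addressed to another party, or expired.

```python
# Added example (not from the presentation or Microsoft): a minimal
# claims-based exchange between an Identity Provider (IdP) and a Relying
# Party (RP). HMAC stands in for the XML signature of a real SAML/WS-Fed
# token; all names, keys and users are constructed for the demo.
import base64
import hashlib
import hmac
import json
from datetime import date, datetime, timezone


class TokenRejected(Exception):
    """Raised by the relying party when a token fails verification."""

# Constructed sample directory: the IdP holds more attributes than any
# single relying party needs to see.
USER_DIRECTORY = {
    "jiricek": {"Surname": "Jiricek", "GivenName": "Jan", "DateOfBirth": "1975-04-02"},
    "minor":   {"Surname": "Novak",   "GivenName": "Eva", "DateOfBirth": "2000-01-01"},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _age(dob_iso: str, now: int) -> int:
    dob = date.fromisoformat(dob_iso)
    today = datetime.fromtimestamp(now, tz=timezone.utc).date()
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def _derive(attrs: dict, claim_type: str, now: int):
    """Minimal disclosure: answer the yes/no question 'Age>18' instead of
    releasing the date of birth it is computed from."""
    if claim_type == "Age>18":
        return "Yes" if _age(attrs["DateOfBirth"], now) >= 18 else "No"
    return attrs.get(claim_type)

def issue_token(issuer, key, user_id, audience, requested_claims, now, ttl=300):
    """IdP side (step 4, 'Send claims'): a signed token carrying only the
    claim types the relying party's policy asked for."""
    attrs = USER_DIRECTORY[user_id]
    claims = {c: _derive(attrs, c, now) for c in requested_claims}
    body = {"iss": issuer, "aud": audience, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, trusted_issuers, audience, now):
    """RP side: the token must come from an IdP the RP established trust
    with, carry a valid signature, be addressed to this RP and be unexpired.
    Returns the claims, or raises TokenRejected."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        signature = _unb64(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(body, dict) or not isinstance(body.get("claims"), dict):
        raise TokenRejected("malformed token")
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise TokenRejected("issuer not trusted")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenRejected("bad signature")
    if body.get("aud") != audience:
        raise TokenRejected("token issued for another relying party")
    if not isinstance(body.get("exp"), int) or body["exp"] <= now:
        raise TokenRejected("token expired")
    return body["claims"]

def authorize(claims, policy):
    """Step 5: claims-based decision; policy maps claim type -> required value."""
    return all(claims.get(k) == v for k, v in policy.items())

def decide(token, trusted_issuers, audience, policy, now):
    """Complete relying-party path: verify, then authorize. Returns the decision
    with the rejection reason, which is what the RP should log."""
    try:
        claims = verify_token(token, trusted_issuers, audience, now)
    except TokenRejected as err:
        return f"denied: {err}"
    return "granted" if authorize(claims, policy) else "denied: policy not satisfied"

def demo(now=1_300_000_000):
    """Walks the slide's exchange for one constructed user; returns the decision."""
    idp_key = b"constructed-demo-key-not-for-production"
    trusted = {"AgencyX-IdP": idp_key}           # trust established out of band
    rp = "https://services.example.gov/benefit"  # hypothetical relying party
    policy = {"Age>18": "Yes"}                   # step 1: 'Require claims'
    token = issue_token("AgencyX-IdP", idp_key, "jiricek", rp, list(policy), now)
    return decide(token, trusted, rp, policy, now)
```

`demo()` returns `granted` for the constructed adult user. Every `decide()` rejection names its reason (untrusted issuer, bad signature, wrong audience, expiry, malformed token, or policy not met), and the order of checks matters: the issuer is looked up before the signature is checked because the key to verify with is the trust relationship itself.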

    Slide 17/42

    How Identity Metasystem Contributes

    Policy objectives        | Identity Federation                                         | Claims-based Access
    Reducing Cost            | Identity = shared service                                   | Less cost for developers
    User Centricity          | Consistent user experience                                  | Minimal disclosure of personal information
    Security & Trust         | Common Identity Assurance levels                            | Dynamic effect of identity attributes (claims)
    Simplicity & Flexibility | ID externalized from applications, agnostic to IdPs / authN | Same for on-premise and cloud

    Slide 18/42

    Microsoft Identity and Access Management Building Blocks

    Self-service / automation of administration, workflows, password reset, and group management
    Secure remote access for employees, partners and contractors on managed / unmanaged PCs and mobile devices.
    Externalize identity logic from applications for a more secure, flexible and interoperable identity model based on claims.
    Repository for identities to centrally configure and administer system, user, and application settings.
    Standards-based platform for federated access and single sign-on to applications on-premise, in the cloud, and cross-organizations
    Secure remote access with Windows 7 PCs to organizational resources without VPN, just over the Internet
    Access Control Service: Integrates single sign-on and centralized authorization into your web applications. Supports most of the common federation standards.

    Slide 19/42

    Evolution of Microsoft Identity Manager

    Identity Synchronization
    User Provisioning
    Certificate and Smartcard Management
    Office Integration for Self-Service
    Support for 3rd Party CAs
    Extensible authentication (OTP...)
    Group & DL Management
    Workflow and Policy

    User Management
    Group Management
    Credential Management
    Policy Management
    Common Platform: Workflow, Connectors, Logging, Web Service API, Synchronization

    Slide 20/42

    Positioning FIM 2010 to BDMs (non-technical)

    Slide 21/42

    Forefront Unified Access Gateway (UAG)

    Slide 22/42

    Newsflash: SharePoint 2010 is Claims-enabled

    Diagram: Gov Employee or Citizen (Browser) -- Access -- SharePoint 2010 On-Premise (same for SharePoint 2010 Online, coming H1 CY11) -- Set trust -- External Id. Provider (ADFS 2.0, SAML 2.0 / WS-Fed) -- Authenticate
    Note: OpenID needs claims transformation

    Security Design principle                | Benefit
    Passwords not synchronized to cloud      | Addresses password security concern
    Federating with Enterprise identity mgmt | Enterprises retain their credential policy; Enterprise 2-factor authN possible
    Dynamic authentication                   | Instant mapping of user attributes

    Slide 23/42

    Integrated scenarios: Office 365 Identity options

    1. Microsoft Online IDs (cloud-based only)
    2. Microsoft Online IDs + DirSync (synch'd with on-premise)
    3. Federated IDs + DirSync: True Single Sign-On

    Diagram labels, Government Agency side: AD, Active Directory Federation Server 2.0, MS Online Directory Sync, Administrator, End user
    Diagram labels, Microsoft Office 365 Services side: Identity platform, Provisioning platform, Authentication platform (IdP), Federation Gateway, Trust, IdP, Directory Store, Admin Portal, Lync Online, SharePoint Online, Exchange Online

    Slide 24/42

    Federated & Claims-Based Access to Azure Services (Cloud) - Using Access Control Service

    Diagram: End user (Browser) -- Authenticate -- Access Control Service -- Get access! -- Cloud Application, Service Bus

    Benefits:
    Externalizes handling Identity and Access from Azure apps (less work for the developers)
    Acts as Trust gateway between multiple customers and apps for easy administration
    Interoperates with many federation standards / Identity Providers
    Low cost but valuable service for Azure developers

    Slide 25/42

    AppFabric Access Control Service 2.0 - Interoperability

    Ref: Samples and Documentation on http://acs.codeplex.com/
    Intro session on http://channel9.msdn.com
    http://channel9.msdn.com/shows/Identity/Introducing-the-New-Features-of-the-August-Labs-Release-of-the-Access-Control-Service/

    Slide 26/42

    Customer Case Studies

    Slide 27/42

    UK Government Gateway
    www.gateway.gov.uk

    Uses Identity federation to allow other departments to authenticate, offering protocols
      WS-Federation
      Liberty Alliance
      SAML 1.1 and SAML 2.0

    Supports multiple levels of identity assurance via
      Pin activated password
      X.509 Certificates
      Chip&Pin cards
      One-Time Password (OTP)

    Slide 28/42

    UK Ministry of Defence Federating with UK Gateway

    Customer Profile
    Customer: Ministry of Defence, UK
    Segment: Central Government
    Seats: 320,000 personnel incl. 40,000 reservists. Approx 10,000 of them are remote users

    Customer Challenge
    10,000 of their orphaned users without online access to Line of Business applics.
    E.g. field users' expense claims took weeks to send and process on paper forms
    Identified 20 routine HR applications as a priority for secure remote access to save operating costs.

    Solution
    Used UK Govt Gateway for Chip&PIN authentication, MS Intelligent Apps Gway (IAG) for secure remote access, Internet Security and Acceleration Server (ISA), Identity Lifecycle Manager 2007 etc.
    Identity & Access custom solution by Capgemini, EDS, Gemalto, Avaleris, MCS

    Customer Results/Benefits
    Remote worker expense claims settled in 24 Hours instead of days or weeks
    Saves taxpayers Many Millions of Pounds in 10 yrs
    Secure access via One-Time Passwords (OTP)
    Integrates well with other Oracle based applications
    Consolidates multiple forms of Digital Identity

    http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000003478

    Slide 29/42

    Regional Government of Biscay (Spain): Identity Solution for the Citizen Service Platform

    Customer Profile
    Customer: Regional Government of Biscay (Spain)
    Segment: Local and Regional Government
    Project: Citizen Service Platform (Largest Implementation to Date)

    Customer Challenge
    Political: realize a ground-breaking project building on broadband access provided to the population in the region
    Regulatory: Compliance with 2007 law requiring online public services by 2010 using diverse citizen eIDs.
    IT: rationalize and update the technology platforms in usage across the 100+ city-halls.

    Solution
    Identity Semantics Suite: An identity management layer enabling government to use existing eIDs from other authorities for authentication and transactional services.
    Admin. Compliance Suite: Meet administrative law requirements such as signing and long-term archiving.

    Customer Results/Benefits
    Transparent management of identity and authentication services using own and 3rd party eIDs.
    Enable transactional services and Compliance with the 2010 legal deadline.
    Citizen-centric approach facilitates access to citizen services as well as the use of the platform by civil servants.

    Slide 30/42

    Vancouver Coastal Health: Seamless Collaboration
    http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000007158

    Customer Profile
    The Province of British Columbia, Canada, provides public services, such as healthcare, education, and transportation, to the residents of British Columbia. Vancouver Coastal Health is one of the health agencies in British Columbia.
    Segment: Health and Social Services

    Customer Challenge
    Multiple health agencies and hospitals needed secure access to patient health records, stored in the provincial systems. Traditionally, that would involve creating and maintaining new user accounts with access rights for authorized personnel.

    Solution
    The Province decided to implement a shared service eHealth Viewer, based on Windows Identity Foundation infrastructure.
    Authorization managed by claims-based access and federation with employees' home Active Directory Federation Services 2.0.

    Customer Results/Benefits
    Solved the problem taking advantage of existing AD credentials
    Only one user account management process
    Dynamic access rights, immediate update effect
    System open for broader federation with other health organizations

    Slide 31/42

    Identity Demo: Fraunhofer Fokus U-Prove PoC

    Fraunhofer Fokus video (March 2010), 4 min, medium resolution
    mms://msvcatalog-2.wmod.llnwd.net/a2249/e1/ds/us/CMG_US/CMG_Microsoft/2f237e0a-1142-4940-9292-a3f3e1f74460.wmv

    Slide 32/42

    Identity Management Partner Solutions (Examples of International IdM Solution Partners)

    WISeKey: Semantics Suite for Citizen Service Platform covers the full identity and compliance lifecycle: identify, access, sign, encrypt, validate, timestamp, and archive. www.wisekey.com/en/solutions/gov/csp
    Gemalto: Solutions for smartcards, tokens, and secure documents. Started in EMEA, now a global player. www.gemalto.com
    Omada: Identity Manager Solution enhancing FIM 2010 functionality, also SharePoint secure access, Role based engine. www.omada.net
    Quest: One Identity Solution, enhancing FIM 2010 and ADFS. Broad range of infrastructure solutions, multi-platform vendor. www.quest.com
    L-1: End-to-end Driver License and National ID card issuance solutions. Majority market shares in USA and Russia, expanding globally. www.l1id.com
    Indusa Global: ICAO ePassport (with biometrics), Border control based on biometric identification, secure eIDs. www.indusaglobal.com

    Slide 33/42

    Identity Management is Based on Familiar Microsoft Products [that you already own under EA]

    Primary products: Windows Server & Certificate Services; AD DS or AD LDS; AD FS 2.0; Forefront Identity Manager; Unified Access Gateway; SQL Server for large scale eID implementations; Windows Identity Foundation
    Attached products: Forefront Protection Suite; System Center; CardSpace
    Optional products: SharePoint Server (Resource and Policy mgmt)

    Slide 34/42

    Summary: Identity Management

    Microsoft, together with solutions partners, delivers Identity Management solutions that:
    Enable citizens, businesses, and employees to securely access information they need to be more productive
    Integrate with the existing infrastructure and accelerate application development
    Are able to dynamically adapt to changing needs, threats, and legal requirements

    Slide 35/42

    Next Steps

    Meeting to discuss how to best fit the Identity Management solution to your needs
    Engage Microsoft to perform a Planning and Architecture Design Session (ADS)
    Build the business case for an Identity Management solution
    Deploy Solution

    Slide 36/42

    Identity Management for SW Architects

    Microsoft IAM Platform entry point on MSDN: Blogs, videos, webcasts, whitepapers
    http://msdn.microsoft.com/en-us/security/aa570351.aspx
    Geneva Team Blog on MSDN: good summary of external content - link

    Windows Azure AppFabric Access Control Service
    All AppFabric overview: http://www.microsoft.com/windowsazure/appfabric/
    Access Control Service video on MSDN Channel9
    Access Control Service sample code: http://acs.codeplex.com/

    Identity Developer Training Kit downloadable pack (March 2010 update): Contains a set of hands-on labs, documents and references that will help you to learn how to take advantage of Microsoft's latest identity and access control developer's products and services.
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3e315fa-94e2-4028-99cb-904369f177c0

    Identity Developer Step-By-Step Claims Based Access: Explains how claims-based access works in common scenarios:
    http://blogs.msdn.com/vbertocci/archive/2009/05/15/more-details-about-the-identity-developer-training-kit.aspx

    Other links on the slide:
    http://blogs.msdn.com/card/archive/2009/11/18/windows-identity-foundation-wif-rtm-announced.aspx
    http://channel9.msdn.com/shows/Identity/Introducing-the-New-Features-of-the-August-Labs-Release-of-the-Access-Control-Service/
    http://www.wisekey.com/en/solutions/gov/csp

    Slide 37/42

    Privacy By Design - U-Prove Technology Appendix

    Slide 38/42

    Increased Privacy Concerns - Minimize PII Disclosure

    PII = Personal Identifiable Information

    Slide 39/42

    Existing standards, but some risks remain...

    Information Cards / Identity Selector: http://xml.coverpages.org/IMI-Standard.html
    www.projectliberty.org
    http://www.fokus.fraunhofer.de/de/fokus_testbeds/secure_eidentity-lab/projekte/u_prove/index.html

    Slide 40/42

    Identity Metasystem Using U-Prove Technology

    Diagram: Client -- STS (Identity Provider) -- Relying Party; user-centric trust; IP, IP
    A. Token request
    B. Token response
    1. Request access
    2. Policy
    3. Token

    Slide 41/42

    U-Prove Technology Released
    www.microsoft.com/uprove
    http://www.microsoft.com/U-Prove

    Slide 42/42

    Thank you
    [email protected]