My quest to bring Best Practices to Identity Management especially with Microsoft FIM / ILM

Tuesday, June 2, 2009

To PKI or not to PKI?

When should one implement a Public Key Infrastructure and when should one not? Obviously we implement a PKI to solve a problem, usually around security, enabling secure communications with a web server, multi-factor authentication, encryption. A PKI solution can be very versatile, but it comes at a price in setup and maintenance. But what alternatives do we have? Let's examine each problem in turn

Problem: Enable secure web transactions (SSL)
  PKI difficulties: certs expire without warning anyone
  Alternatives: none

Problem: Secure network communications (IPSEC)
  PKI difficulties: Need to issue certificates to all client computers (can use AutoEnroll GPO)
  Alternatives: none

Problem: Multi-factor authentication for wireless networks using 802.1X
  PKI difficulties: Need to issue certificates to all client computers or smart cards to all users
  Alternatives: RADIUS with One Time Password tokens
  Benefits of the alternative: With Quest Defender issuing and maintaining OTP tokens is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone.

Problem: Multi-factor authentication (certificates, smart cards)
  PKI difficulties: Need to issue smart cards to all users (can be time consuming); need special hardware
  Alternatives: One Time Password tokens
  Benefits of the alternative: With Quest Defender issuing and maintaining OTP tokens is very easy. Defender is much easier than standing up a PKI and issuing smart cards to everyone. Can work even on computers without a smart card reader.

Problem: Encryption of files (EFS)
  PKI difficulties: Need to issue smart cards to all users (can be time consuming)
  Alternatives: AD Rights Management Services
  Benefits of the alternative: Enrollment of users is transparent; new users can be given permissions by adding them to groups without having to re-encrypt the files. No need to renew certificates. Restrictions are enforced after the file is opened. It allows you to assign rights and permissions to other people on documents (open, save, edit, print, cut and paste) and emails (forward, cut and paste).

Problem: Enabling users (internal and/or external) to use your code without getting scary warnings (signing code modules, macros, ActiveX controls etc.)
  PKI difficulties: Need to issue/buy certificates for developers
  Alternatives: none

Problem: Signing emails
  PKI difficulties: Need to issue certificates (whether on smart cards or not) to all users
  Alternatives: PGP (web of trust)

Problem: Encrypting emails
  PKI difficulties: Need to issue certificates (whether on smart cards or not) to all users
  Alternatives: AD Rights Management Services or PGP (web of trust)
  Benefits of the alternative: With AD RMS enrollment of users is transparent. Restrictions are enforced after the file is opened. It allows you to assign rights and permissions to other people on documents (open, save, edit, print, cut and paste) and emails (forward, cut and paste).

In short, you need certificates for SSL, IPSEC, code signing and signing emails. Whether you build your own PKI or buy certificates for them is another question. For SSL and code signing you can get away with buying your certs, and should if your web site and/or code is for the public (although if you need enough of them you may want to look at setting up a subordinate CA under a public CA; that way you control the certs but they are issued through a trusted root CA, and your customers don't get those confidence-inspiring messages asking whether to trust you or not). For IPSEC and signing emails you should implement your own PKI in order to save the cost of buying so many certs.
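The table's first difficulty, certs expiring without warning anyone, is the easiest one to remove. As an added example (not from the original post), this PowerShell check lists certificates in a machine store that expire within a warning window and exits non-zero so a scheduled task or monitoring agent can alert on it; the store path and the 30-day window are assumptions.

```powershell
# Added example (not from the original post). Reports certificates in a local
# store that expire within $WarnDays. Store path and window are assumptions.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',   # assumed: store to check
    [int]$WarnDays = 30                             # assumed: warning window
)

$now    = Get-Date
$cutoff = $now.AddDays($WarnDays)

# Only certs with a private key are ones this machine serves or authenticates
# with (SSL, IPsec, EFS); CA and peer certs in the store are just trusted copies.
$expiring = Get-ChildItem -Path $StorePath |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -le $cutoff } |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } },
        @{ Name = 'Expired';  Expression = { $_.NotAfter -lt $now } }

if ($expiring) {
    Write-Warning "$(@($expiring).Count) certificate(s) in $StorePath expire within $WarnDays days"
    $expiring | Format-Table -AutoSize | Out-String | Write-Output
    # Non-zero exit code lets Task Scheduler or a monitoring agent raise an alert
    exit 1
}

Write-Output "No certificates in $StorePath expire within $WarnDays days."
exit 0
```

The same check pointed at Cert:\CurrentUser\My covers user certificates such as those issued for email signing or smart card logon.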

If you need to implement signing of emails along with multi-factor authentication, then it makes sense to take advantage of the versatility of certificates on smart cards, and to implement the Certificate Management component (CLM) of ILM 2007 to ease many of the challenges of issuing and managing smart cards.

However, if multi-factor authentication and encryption are your main goals, you may want to take a look at one time password tokens with Defender and Microsoft's AD Rights Management Services (AD RMS) respectively. Both present easier and perhaps cheaper alternatives that also add capabilities: Defender adds the capability to use multi-factor authentication on machines without smart card readers, and AD RMS adds the capability to restrict what users can do with content even after they decrypt it.


Friday, May 15, 2009

The Business Impact of Identity and Access Management with Forefront Identity Manager 2010

Brad and I are going to cover the value of the whole Identity Management Stack from Microsoft and a few additional pieces from partners.

When:
Thursday, May 28th

Where:
Webinar/Online
(Live Meeting links will be sent to all registrants)

Presenters:
David Lundell – Microsoft MVP for ILM, Ensynch Practice Director
Brad Turner – Microsoft MVP for ILM, Ensynch Sr. Technical Architect
Time:
9am-10am Pacific/Arizona
10am-11am Mountain
11am-12pm Central
12pm-1pm Eastern

Webinar: The Business Impact of Identity and Access Management with Forefront Identity Manager 2010 (formerly ILM "2")

You're invited to attend an informational webinar showcasing the business benefits associated with Identity and Access Management with the newly named Microsoft Forefront Identity Manager 2010 (formerly ILM "2").

This webinar is designed for Business and Technology Decision-makers interested in reducing operational costs while increasing security, compliance and overall operational efficiency. If you're interested in how Identity and Access Management solutions can impact business results, this webinar is for you.
Ensynch is proud of our world-class Identity and Access Management practice, boasting 3 Microsoft MVPs (out of only a handful world-wide). This team’s efforts have earned Ensynch back-to-back Microsoft Worldwide Partner Awards for Identity Management in 2007 and 2006. Take advantage of this opportunity to learn from their vast enterprise and mid-market experience in incorporating Best Practices to deliver heightened business results.

Agenda:
The Business Value of Microsoft's Identity Management Stack

  • Evaluate the business challenges, the cost and the opportunities for savings with Identity Management
    • IDA with Forefront Identity Manager 2010 (ILM 2)
    • Maintaining existing ILM 2007 deployments
  • Strong Authentication
    • Certificate Services
    • Quest Defender
  • Sharing with Partners and Customers
  • Active Directory Federation Services / Geneva
    • Reducing the need to provision accounts for partners
    • Speedier disabling of access for partner/customer accounts
    • Implications for cloud based applications
  • Information Protection (now that you're sharing your documents, how do you protect them)
  • Active Directory Rights Management Services
    • Add-ons


Wednesday, March 25, 2009

New Certificate and Identity Blogger on the Loose

Marc Mac Donnell has just launched his blog at http://assurancesinidentity.blogspot.com/, called it Assurances in Identity, and has posted links to the CLM API documentation and a case study about some work he did with MCS UK and CapGemini.

I look forward to many more posts from Marc about some of the wizardry and tricks in managing certificates and identities.


Saturday, August 16, 2008

IDM in pop culture

Some days I am amazed at how deeply the identity management concepts have penetrated into popular culture:

"Mr Big Stuff, who do you think you are?" clearly relates to an authentication issue or authorization issue.

"Won't Get Fooled Again" by The Who is clearly making a reference to a Certificate Revocation List: now that I have revoked your certificate, you won't be authenticated again.

One area where pop culture is still shockingly uninformed and still needs help is asset protection. I guess the authors of many forlorn love songs wish they could have used Rights Management Services and issued a use license that did not contain the permission to "Steal my heart" or "Break my heart."


Monday, June 16, 2008

Tech Ed -- Lotsa Buzz ILM 2 and CLM

On Tuesday Bob Muglia made a big announcement -- ILM 2 Beta 3 has been released. While the beta install on Microsoft Connect is 64-bit only, you can download the 32-bit Virtual PC image. At the ILM 2 booth at Tech Ed the Microsoft ILM Product Group and I were handing them out like crazy.

Thanks to Nima for inviting me to participate at the booth.

The best session I went to was by Candy Stark from MS IT. She presented on the smart card deployment at MSFT using CLM.
