2. “If you think technology can solve your security
problems, then you don't understand the
problems and you don't understand the
technology.”
Bruce Schneier
American cryptographer, computer security and privacy specialist
3. Solutions
- Establish a common framework and definition of security, and introduce Microsoft solutions and services.
- Explore customer requirements and goals, and share Microsoft capabilities.
- Assess customer goals, challenges, threats, requirements, and technical security maturity.
- Outline strategic and tactical projects, with business goals and requirements.
- Implement appropriate security solutions based on business goals.
4. Seen this before?
Diagram (not reproduced) of the typical identity silos and the manual, person-to-person create/delete and attribute-sync flows between them:
- Users, created and deleted separately in each system
- Cloud services: O365, Azure, Amazon, Google, etc.
- HR systems (PeopleSoft, SAP, Dynamics) and Financials, with attribute sync between them
- Application owner, IT Helpdesk administrator, business manager, Sales
- Active Directory, SharePoint administrator, Exchange, Lotus Notes, etc.
6. Identity and desktop management maturity, from least to most mature (left to right):
- Identity and access: Limited or no use of Active Directory; user provisioning and access management done manually; minimal enterprise identity and access policy standards → Active Directory for user authentication and authorization; single sign-on to Windows-integrated applications; Active Directory security groups used for user access control → Centrally managed, automated user account provisioning across systems; centrally managed, automated access controls across systems.
- Desktops: Desktops not managed by group policy → Group policy used to manage desktops for security and settings → Desktops are tightly managed.
7. Identity and access management maturity model. Each row reads Capability: Basic | Standardized | Rationalized | Dynamic.

Identity Proliferation: Application Centric, Multiple Enterprise ID Stores | Enterprise ID Store + Application Specific Stores | Single Enterprise ID Store | Virtualized Identity Service

Administration
- Provisioning: Manual, Ad hoc | Some custom built scripts / Mostly Manual | Automated Creation in one or more ID stores using COTS; Email Notifications to other system owners | Automated Creation in all ID Stores
- Deprovisioning: Manual, Ad hoc | Some custom built scripts / Mostly Manual | Automated Deprovisioning in one or more ID Stores; Email Notifications to other system owners | Automated Deprovisioning in all ID Stores
- Identity Updates: Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Automated to some identity systems from Authoritative Source | Automated to all identity systems from Authoritative Source plus Self-Service capabilities
- Synchronization: Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Synchronization among some identity systems, Time-Based | Synchronization amongst all identity systems, Event-Driven

Password Management
- Change Control: Manually performed by Service Desk in some identity systems | Manually performed by Service Desk in all identity systems | Self-Service Password Reset to central identity system (no synchronization) | Self-Service Password Reset and synchronization to all identity systems

Group Management: Manual by Admin, Static | Owner Managed (Delegations), Static | Owner Managed, Self-Service, Static | Dynamic/Attribute Based

Application Entitlement Management
- Approvals: Central Service Desk, manual | Application owner specific workflow | Central access request service with automated workflow | Dynamic/Attribute Based
- Updates: None | Call Service Desk / Manual Workflow | Call Help Desk / Some Electronic Workflow | Self-Service Request with Electronic Workflow

User Interface: Internally Accessible, Manual Service Center/Help Desk | Internally Accessible, Self-Service | Externally Accessible |

Authentication
- Convenience: Multiple IDs, Multiple Credentials, Multiple Prompts | Multiple IDs, Multiple Credentials, Single Prompt per Credential | Multiple IDs, Single Credential | Single ID, Single Credential, Single Prompt (SSO)
- Source: Application Centric Issuer(s) | Central Issuer | Federated and Central Issuers | Virtual Issuer
- Protocols: Multiple Protocols, No Standard | Standard set of protocols (no transition, no delegation) | Standardized Protocols with ability to transition (no delegation) | Standardized Protocols with ability for transition and delegation
- Assurance: Shared Accounts, No Assurance | Personalized Accounts, Password Based | Multi-Factor AuthN | Risk-Based AuthN

Authorization
- Entitlement Type: Application Centric | Group-Based | Role-Based, Attribute-Based | Policy-Based
- Access Policies: Written | Enforced per Application/Resource | Centrally Enforced | Centrally Enforced with Attestation
- Enforcement: API (handled within application-specific code) | Agent (applied externally and injected into app), Proprietary | Proxy (handled outside app) | Protocol Based using industry-standard, non-proprietary protocols

Audit
- Collection: None | Disparate | Synchronized | Central Store
- Access Logging: No Logging | Basic logs: network IP, server event logs, web server logs | Disparate application-level logging | Common Application Logging Platform
- Change Logging: None | Request | Request and Change | Request, Approval, Change
- Alerting: Reactive, No Alerting | Reactive, Some Alerting on Key Systems | Reactive, Alerting across all systems | Alerting and Automatic Remediation
- Reporting Methodology: Manual, Ad hoc | Manual with defined process | Automated Report Generation on Key Systems | Automated Reporting and Generation on all Systems
- Reporting Types: None | Change/Historical | Attestation | Industry/Regulatory Specific
11. Device and access scenarios
- Users can enroll devices for access to the Company Portal for easy access to corporate applications.
- IT can publish Desktop Virtualization (VDI) for access to centralized resources.
- Users can work from anywhere on their device with access to their corporate resources.
- IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.
- Users can register devices for single sign-on and access to corporate data with Workplace Join.
- IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
12. Device join state and the access it allows
- Not Joined: user-provided devices are "unknown" and IT has no control. Partial access may be provided to corporate information.
- Workplace Joined: registered devices are "known", and device authentication allows IT to provide conditional access to corporate information.
- Domain Joined: domain-joined computers are under the full control of IT and can be provided with complete access to corporate information.
Sign-on capabilities shown across these states, from Not Joined to Domain Joined: browser session single sign-on; seamless 2-factor auth for web apps; enterprise apps single sign-on; desktop single sign-on.
13. Identity management capabilities
- Manage the complete life cycle of certificates and smart cards through integration with Active Directory.
- Self-service group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on the user's attributes.
- Users can reset their passwords via Windows logon, significantly reducing help desk burden and costs.
- Sync user identity across directories, including Active Directory, Oracle, SQL Server, IBM DS, and LDAP.
- Allow users to manage their identity with an easy-to-use portal, tightly integrated with Office.
14. Identity lifecycle automation
- Automate the process of on-boarding new users.
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage.
- LDAP
- Certificate Management
- Built-in workflow for identity management.
- Automatically synchronize all user information to different directories across the enterprise.
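The "Dynamic" column of the maturity model on slide 7 (automated provisioning and deprovisioning in all ID stores from an authoritative source, attribute-based group membership) and the on-boarding and real-time de-provisioning points on slides 13 and 14 describe a reconciliation loop. The following is an added example written for this page, not code from the deck or from any Microsoft product: it treats an HR feed as the authoritative source, derives group membership from user attributes, and computes the provision, deprovision and group-change actions each target store needs. The HR records, the store contents and the group rules are constructed sample data.

```python
"""Added example: authoritative-source reconciliation with attribute-based groups.
All records, store names and group rules below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    """One row from the authoritative source (the HR system on slide 4)."""
    user_id: str
    department: str
    status: str  # "active" or "terminated"


# Hypothetical dynamic-group rules: group name -> predicate over the HR record.
GROUP_RULES = {
    "Sales-Users": lambda r: r.department == "Sales",
    "Finance-Users": lambda r: r.department == "Finance",
    "All-Employees": lambda r: r.status == "active",
}


def expected_groups(rec):
    """Attribute-based membership; a terminated user is entitled to nothing."""
    if rec.status != "active":
        return set()
    return {name for name, rule in GROUP_RULES.items() if rule(rec)}


def reconcile(hr_records, target_stores):
    """Compare every target store against the authoritative source.

    target_stores: {store_name: {user_id: set_of_groups}}.
    Returns (store, action, user_id, detail) tuples in deterministic order so the
    output can be reviewed or replayed as a change log (Audit rows on slide 7).
    """
    hr_by_id = {r.user_id: r for r in hr_records}
    actions = []
    for store, accounts in sorted(target_stores.items()):
        # Orphans: accounts with no active authoritative record are removed first,
        # which is the "information leakage" case slide 14 warns about.
        for uid in sorted(accounts):
            rec = hr_by_id.get(uid)
            if rec is None or rec.status != "active":
                actions.append((store, "deprovision", uid, ""))
        # Active people are created if missing, otherwise their groups are corrected.
        for rec in sorted(hr_records, key=lambda r: r.user_id):
            if rec.status != "active":
                continue
            want = expected_groups(rec)
            if rec.user_id not in accounts:
                actions.append((store, "provision", rec.user_id, ",".join(sorted(want))))
                continue
            have = accounts[rec.user_id]
            for g in sorted(want - have):
                actions.append((store, "add_to_group", rec.user_id, g))
            for g in sorted(have - want):
                actions.append((store, "remove_from_group", rec.user_id, g))
    return actions


# Constructed sample input: one HR feed and two target stores that have drifted.
SAMPLE_HR = [
    HrRecord("alice", "Sales", "active"),
    HrRecord("bob", "Finance", "terminated"),   # left the company, still in AD
    HrRecord("carol", "Finance", "active"),     # new hire, not yet provisioned
]
SAMPLE_STORES = {
    "ActiveDirectory": {"alice": {"All-Employees"}, "bob": {"Finance-Users", "All-Employees"}},
    "SharePoint": {"alice": {"Sales-Users"}, "dave": set()},  # dave: no HR record at all
}


def run_sample():
    return reconcile(SAMPLE_HR, SAMPLE_STORES)


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

Running the sample deprovisions bob (terminated) and dave (unknown to HR), provisions carol into both stores with the groups her department entitles her to, and adds the groups alice is missing in each store. In a real deployment the same function would be triggered by HR events rather than on a schedule, which is the time-based versus event-driven distinction in the Synchronization row of the table.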
16. From: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques
http://www.microsoft.com/en-us/download/details.aspx?id=36036
From: Best Practices for Securing Active Directory
http://www.microsoft.com/en-us/download/details.aspx?id=38785
From: The one company that wasn't hacked
http://www.infoworld.com/d/security/the-one-company-wasnt-hacked-194184?source=footer
17. How MARS works
Diagram of a time-boxed request for admin group membership (the clock-face timeline residue is omitted):
1. Request Access (10:00): the admin account (requester) asks the MARS server for membership in a pre-defined admin group.
2. Auto-Approve (10:00): the MARS server approves the request against the pre-defined admin group.
3. Access Resource (10:01): the requester accesses the resource as a member of that group.
4. Access Resource (3:15): a later access attempt, after the timeline shown.
Domain groups managed this way: Managed Servers, Domain Admin, Schema Admin, Top Secret Project.
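The sequence on slide 17 is a just-in-time elevation flow: membership in a protected group is granted on request, auto-approved against a pre-defined eligibility list, and checked at access time. The following is an added example for this page, not the MARS tool or any Microsoft code: a small broker that records time-bounded grants and an audit trail. The eligibility table, the four-hour limit, and the reading of the 3:15 access attempt as one that happens after the grant has expired are assumptions made here; the slide itself only shows the timestamps.

```python
"""Added example: a minimal just-in-time admin-access broker modelled on the
slide-17 flow. Accounts, eligibility and durations are constructed assumptions."""
from datetime import datetime, timedelta

# Groups named on the slide. Membership is never permanent; it is granted per request.
PROTECTED_GROUPS = {"Managed Servers", "Domain Admin", "Schema Admin", "Top Secret Project"}

# Hypothetical pre-defined eligibility: which admin account may request which group.
ELIGIBILITY = {
    "adm-alice": {"Managed Servers", "Top Secret Project"},
    "adm-bob": {"Managed Servers"},
}


class JitBroker:
    def __init__(self, max_duration=timedelta(hours=4)):
        self.max_duration = max_duration
        self.grants = {}  # (account, group) -> expiry datetime
        self.audit = []   # (time, account, group, decision, expiry); every decision is logged

    def request_access(self, account, group, now, duration=timedelta(hours=4)):
        """Steps 1 and 2: request, then auto-approve only if pre-authorised."""
        if group not in PROTECTED_GROUPS:
            raise ValueError(f"unknown group: {group}")
        duration = min(duration, self.max_duration)  # caller cannot extend the cap
        if group in ELIGIBILITY.get(account, set()):
            expiry = now + duration
            self.grants[(account, group)] = expiry
            self.audit.append((now, account, group, "auto-approved", expiry))
            return True
        self.audit.append((now, account, group, "denied", None))
        return False

    def is_member(self, account, group, now):
        """Membership is time-bounded; an expired grant is purged when checked."""
        expiry = self.grants.get((account, group))
        if expiry is None:
            return False
        if now >= expiry:
            del self.grants[(account, group)]
            self.audit.append((now, account, group, "expired", expiry))
            return False
        return True

    def access_resource(self, account, group, now):
        """Steps 3 and 4: the resource checks group membership at access time."""
        allowed = self.is_member(account, group, now)
        decision = "access-granted" if allowed else "access-denied"
        self.audit.append((now, account, group, decision, None))
        return allowed


def walkthrough():
    """Replays the slide's timeline with a constructed date; returns decisions and audit log."""
    def t(hour, minute):
        return datetime(2014, 1, 1, hour, minute)

    broker = JitBroker()
    results = {
        "request_10_00": broker.request_access("adm-alice", "Managed Servers", t(10, 0)),
        "access_10_01": broker.access_resource("adm-alice", "Managed Servers", t(10, 1)),
        "access_15_15": broker.access_resource("adm-alice", "Managed Servers", t(15, 15)),
        # Not on the eligibility list: the request is refused and logged, never escalated.
        "bob_domain_admin": broker.request_access("adm-bob", "Domain Admin", t(10, 0)),
    }
    return results, broker.audit


if __name__ == "__main__":
    decisions, log = walkthrough()
    print(decisions)
    for entry in log:
        print(entry)
```

The point a practitioner should take from this is that the standing membership of Domain Admin or Schema Admin is empty: an attacker who steals an admin account's credential (the pass-the-hash scenario cited on slide 16) obtains only the right to ask, and only for groups the account was pre-authorised for, with every request, grant and expiry written to the audit trail.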