The Four Pillars of Identity

Identity Management in the Age of Hybrid IT

Published: January 2013

Contributors:
Gayana Bagdasaryan, Microsoft
Thomas W. Shinder, M.D, Microsoft
Ken St. Cyr, Microsoft
Heath Aubin, Microsoft
Brjann Brekkan, Microsoft
Gary Verster, Microsoft
Bruce Wittenberg, Microsoft

For the latest information, see


This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2013 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, BitLocker, Hyper-V, SharePoint, Windows PowerShell, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Table of Contents

Defining Identity and Identity Infrastructure

Importance of Identity

Identity Can Empower Your Users

Identity Enables You to Take Control

Identity Enables You to Plan for the Future

The Impact of Identity

Industry Trends

Explosive Data Growth

Proliferation of Devices

Budgetary Concerns

Other IT Constraints

Access Control Challenges

Secure Access for a Wide Array of Devices

High Availability

Role Based Access Control

Customer and Partner Access to Data

Infrastructure Management Challenges

How to Adapt Current Identity Infrastructures to Work with Cloud Scenarios

On-boarding Large Numbers of Users

Handling Mergers and Acquisitions

Reduce the Impact on Expanding Users and Groups

Security Challenges

Rapid Response

Protecting While Extending

Centralize and Standardize

Report and Audit

Four Pillars of Identity

Administration

Identity Provisioning

Change Control

Entitlements

Authentication

Authentication strength

Authentication delegation

End-user experience

Authorization

Coarse-Grained Authorization

Fine-Grained Authorization

Implementing Authorization Schemes

Auditing

Trace Logging versus Identity Logging

Alerting

Governance Reporting

Data Collection

Summary

Defining Identity and Identity Infrastructure

The purpose of this document is to define and provide detailed conceptual information on the four fundamental pillars of identity that can be useful in creating a strategic direction for an identity infrastructure in your organization. Based on our knowledge and expertise, we at Microsoft believe that a strong, healthy, and flexible identity infrastructure must consist of processes, technologies, and policies that are derived from these four pillars. It is also our purpose to explore key industry trends related to identity and access management and how you may apply them in your designs.

An identity infrastructure is a collection of processes, technologies, and policies for managing digital identities and controlling how identities can be used to access resources. The industry formerly thought of identity only in terms of users. It wasn’t until recently that thinking shifted to consider device identity equally important. Currently there is a consensus that anything and everything that tries to enter a corporate environment from an external location, in other words, from outside of corporate protection boundaries, must have an identity associated with it. Identity is a concept that spans an entire environment, from infrastructure to applications and services, and back to the users and devices that try to gain access to these applications and services.

Another important aspect of defining identity revolves around the issues of on-premises versus cloud computing. More and more, customers are maintaining traditional IT environments with identity on premises and at the same time starting to venture into setting up and developing applications in private and public clouds, or adopting third-party cloud services. How do we unify identity across these different approaches, manage cloud identities synchronized with on-premises identities, foster a hybrid environment, and ensure that access control is maintained? And while we’re at it, what is the definition of a hybrid identity? Right now various organizations have their own definition of what identity in a hybrid environment means, since the need always differs from customer to customer and varies greatly from implementation to implementation.

Importance of Identity

Having a strong yet flexible identity story in your environment can make or break your business. It can either be a hindrance that keeps your organization from being flexible and cloud-ready, or it can make your organization nimble and adaptive to increasing user loads and facilitate your transition to the cloud.

The importance of identity is highlighted by the following:

  • Identity Can Empower Your Users
  • Identity Enables You to Take Control
  • Identity Enables You to Plan for the Future

Identity Can Empower Your Users

When you empower your users by providing them with self-service identity management capabilities, the cost of managing the identities can be reduced dramatically. For example, a new project is created and the project owner needs to share information and access to the project site with team members. With a robust identity management solution, the project owner can create the necessary security or email groups without engaging the helpdesk or IT support. It makes your employees more agile and satisfied. But you must remember to put the proper access controls in place.

Identity Enables You to Take Control

You can use identity to take control of the access management infrastructure of all the resources within your organizational boundaries. There are thousands of applications and each application has a different security model. With the proper identity story, you can unify access control across all those applications, saving a lot of time while still remaining aware of potential dangers.

For example, a rogue administrator might attempt to gain access to an application or a service within your environment. With a strong identity management architecture and design, you will be able to prevent or minimize the damage from such an event.

Identity Enables You to Plan for the Future

You want to move an in-house service to the cloud. But how can you move it into the cloud when all its data is in an on-premises database? Do you also move the database into the cloud? How do you keep the data in sync between on premises and the cloud? You need to be able to define identity in a way that allows you to plan for the future of Hybrid IT.

The Impact of Identity

The following are some of the trends and challenges that Microsoft engineers encounter every day and that drive us to develop strong and flexible identity infrastructure solutions. Our constant goal is to provide our customers an identity story that can expand and grow with these trends and challenges.

Industry Trends

There are several industry trends that force us to reconsider our thinking around identity. These trends include:

  • Explosive Data Growth
  • Proliferation of Devices
  • Budgetary Concerns
  • Other IT Constraints

Explosive Data Growth

As we become more connected while binding cloud and on-premises applications and services or connecting with partners and external organizations, there’s an avalanche of data that we must consume. It is not just identity data, but business, process, and analytics data. Once it is all assembled, we need to maintain access control to this data, keep it meaningful, and make sure that redaction occurs. Coincident with explosive data growth is the growing number of identities that will need to access large sets of heterogeneous data. A single user account defined by pre-defined group memberships is unlikely to provide the rich and robust set of access control decisions that will be required.

Proliferation of Devices

Consider the current popularity of the “bring your own device” scenarios. In years past, customers were not allowed to bring smartphones and tablets to the infrastructures that we built because these devices were not managed by corporate IT and therefore could not be trusted on the protected corporate network. Yet now we are encouraging our customers and users to use their own devices. We need to define and manage an identity story for all these different devices. We need to make authentication and authorization decisions based on the device type. We need to determine what level of granularity should be required, and we need to determine what changes need to be made at the level of network access devices, server access controls, and application access controls.

Budgetary Concerns

Corporate IT is always expected to do more with less. If we can enable you to spend less money on identity and infrastructure, in other words, provide you with processes and tools that just work, we consequently enable you to invest more time and effort on your company mission, on growing your business, and on growing the careers of your company’s employees.

Other IT Constraints

The following numbers represent the way in which IT departments in most companies organize their expenses:

  • 66% of all funds are spent on running the existing capabilities, in other words, keeping the lights on
  • 20% of all funds are spent on growing the existing capabilities and making them more mature
  • 14% of all funds are spent on transforming their environments, in other words, introducing new capabilities into an environment

Therefore, when a new capability (an application or a service) comes along, if we expect to spend some of that 14% on building a new identity and access control system on top of their infrastructure to support this application or service, we probably will not be providing that customer with the capabilities they need in order to overcome current IT constraints. They will instead plug whatever application or service they have or need into their existing identity story.

Access Control Challenges

Cloud computing and its variants, such as Hybrid IT, introduce a number of access control challenges that are either new or recast traditional issues in order to ensure that access is secure. These include:

  • Secure Access for a Wide Array of Devices
  • High Availability
  • Role Based Access Control
  • Customer and Partner Access to Data

Secure Access for a Wide Array of Devices

One of the primary access control challenges is enabling secure access for users with various managed and unmanaged devices. When a new user with his variety of devices is introduced to an on-premises environment, there is a great need to ensure that this user’s devices are trusted. When thinking about enabling device access for applications and services, there are multiple factors that comprise the trust level for a device, such as whether the device is managed versus unmanaged, has current anti-virus signatures, or is located in a specific place. Access control decisions in the future must consider the totality of the computing environment of the client device.

High Availability

High availability requirements can wreak havoc on access control. When building an identity management and access control solution, you need to consider what level of availability is required and how to manage that availability. Do you use completely redundant hardware, or do you forsake hardware redundancy for cloud-based software resiliency? You need to consider what level of tolerance you are willing to accept for a service outage. If you depend on third-party identity providers, you need to know what their historical levels of availability have been, as well as their mean time between failures and mean time to restore service.

Role Based Access Control

Role-based access control is increasingly necessary in a complex identity management environment. There can be both organizational role-based access control (RBAC) models and application-specific RBAC models.

With organizational models, the roles are aligned to the hierarchy of an organization. In an application-based RBAC model, the roles are application-specific and align to specific functionality inside the application. There can be a mixture of both, where application roles map to organizational roles. Another aspect to consider when we think of RBAC is managing not just the roles of users, but also the roles of the devices since they also have identities associated with them.

User-based roles can be tied to a multiplicity of attributes. Some of these include:

  • What team is that user on at this time?
  • What division of the company?
  • What projects is the user working on?
  • Is the user part of the management team or is he or she non-management?
  • What is the level of trust that the company has for that user?

Similarly, device identity can be defined in a number of ways:

  • What operating system is the device running?
  • What is the device’s patch level?
  • Is the device on a private or public network?
  • What networks has the device been historically connected to?
  • Is the device a single user or multi-user device?
  • Does the device have a history of compromise?
  • What is the device’s degree of portability?
  • Is the device encrypted?
  • Does the device require a strong password to access the system?

All of these attributes and more can be used to determine user and device access.
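As an added illustration (not code from the white paper), the following Python evaluates an access decision the way this section describes: organizational roles derived from user attributes, application roles mapped onto them (the mixed model), and a device trust score built from the device attributes listed above. The role names, trust scales, weights and thresholds are all assumed for the example.

```python
from dataclasses import dataclass

@dataclass
class User:
    division: str
    teams: set
    is_management: bool
    trust_level: int        # company's trust in this user, 0..3 (assumed scale)

@dataclass
class Device:
    managed: bool           # managed versus unmanaged
    encrypted: bool
    strong_password: bool
    days_since_patch: int   # patch level
    on_private_network: bool
    multi_user: bool        # single-user or multi-user device
    compromised_before: bool

def device_trust(d: Device) -> int:
    """Score a device on the attributes the text lists (assumed weights)."""
    score = 2 * int(d.managed) + int(d.encrypted) + int(d.strong_password)
    score += 1 if d.days_since_patch <= 30 else 0
    score += 1 if d.on_private_network else 0
    score += 0 if d.multi_user else 1
    score -= 2 if d.compromised_before else 0   # history of compromise lowers trust
    return max(score, 0)

def org_roles(u: User) -> set:
    """Organizational RBAC: roles follow the org hierarchy (division, team, management)."""
    roles = {"division:" + u.division} | {"team:" + t for t in u.teams}
    if u.is_management:
        roles.add("management")
    return roles

# Application roles mapped onto organizational roles (assumed names). Each entry:
# (org roles that must ALL be held, minimum user trust, minimum device trust score).
APP_ROLES = {
    "finance-app:approver": ({"management", "division:finance"}, 2, 5),
    "finance-app:viewer": ({"division:finance"}, 1, 2),
}

def decide(u: User, d: Device, app_role: str) -> tuple:
    """Return (allowed, reason): user roles and trust first, then device trust."""
    required, min_user_trust, min_device_trust = APP_ROLES[app_role]
    missing = required - org_roles(u)
    if missing:
        return False, "missing org roles: " + ", ".join(sorted(missing))
    if u.trust_level < min_user_trust:
        return False, "user trust %d below %d" % (u.trust_level, min_user_trust)
    trust = device_trust(d)
    if trust < min_device_trust:
        return False, "device trust %d below %d" % (trust, min_device_trust)
    return True, "granted"
```

The same user is denied on a previously compromised, unmanaged tablet but granted on a managed, encrypted laptop, which is the device-aware decision the text calls for.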

Customer and Partner Access to Data

Why is external-facing identity infrastructure, or in other words, allowing customers and partners who are not within your organization to access applications and services within your environment, a challenge? Because most organizations build their applications for internal use only.

For example, a company might deploy a SharePoint site on premises with the intention that only the internal, corporate users will be granted access to it. However, all too often they find that suddenly they need to onboard a partner and share their SharePoint site or some other network application with someone from outside the organization. The problem quickly becomes apparent that the application or the site was not written for inter-organization collaboration. It was written to authenticate users against an internal database that is specific to this application or site.

This means you need to consider the following:

  • How will you inject external identities into an internal application or into an internal process?
  • Will you federate your two private identity repositories or just mirror accounts?
  • Do you need to create dedicated accounts in your organization that you then have to manage?
  • Do you want to create a partition in your identity infrastructure that your partners can manage?
  • Do you want to create a dedicated identity infrastructure to support the single application?
  • Do you have a process or a mechanism in place in the event that you have tens or hundreds of partners that need to be on-boarded?
  • Do you want to migrate your application to a cloud service, and how will each organization map corporate accounts to a third-party identity provider?

These are just a few of the options you might have to consider.

Infrastructure Management Challenges

Identity management challenges include new and evolving requirements based on a sea of changes in the quickly evolving computing landscape. These include:

  • How to adapt current identity infrastructures to work with cloud scenarios
  • On-boarding large numbers of users
  • Handling mergers and acquisitions
  • Reduce the impact on expanding users and groups

How to Adapt Current Identity Infrastructures to Work with Cloud Scenarios

Identity management related issues have been seen as a potential deployment blocker for moving applications into the cloud. Not only do you have to move the application, but you often have to move the identities and the identity infrastructure as well. This introduces issues with keeping the data in sync and ensuring that the same entitlements and access controls are applied across on-premises and the cloud.

This introduces several important questions to answer when architecting an identity management solution for cloud applications:

  • Should you make your applications transparent both on and off premises as a service?
  • If you have an application that is 100% on-premises, how do you move it to the cloud in order to make it more available or to take some of the load off of your infrastructure?
  • What happens if your identity infrastructure is still fully on premises, but your applications are now in the cloud?
  • Have you established a way to connect your identity infrastructure and those applications?
  • Will you use established connectivity mechanisms such as site-to-site VPN?
  • Does the cloud service provider enable a dedicated link between your cloud service and your on-premises identity infrastructure?
  • Will you need to assess if there is some out-of-band mechanism for synchronizing identities or perhaps a combination of in- and out-of-band solutions?

These are some of the more important issues that you will need to consider when assessing identity management requirements in a cloud application scenario.