Gestión de Identidad Presente y Futuro 3/23/2017 1:22 AM Gestión de Identidad Presente y Futuro © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Agenda Plataforma de Gestión de Identidad Partners Productos Evolución 3/23/2017 1:22 AM Agenda Plataforma de Gestión de Identidad Partners Productos Windows Server 2003 R2 MIIS Evolución Metasistema de Gestión de Identidad Identity Management Platform Partner echosystem Products Windows Server 2003 R2 MIIS Roadmap © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Plataforma de Gestión de Identidad 3/23/2017 1:22 AM Plataforma de Gestión de Identidad Gestión del Ciclo de Vida Servicios de Frontend Servicios de Acceso Gestión de Acceso Servicios de Aprovisionamiento Servicios de Directorio Servicios de Directorio © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Plataforma de Gestión de Identidad 3/23/2017 1:22 AM Plataforma de Gestión de Identidad Servicios de Frontend Servicios de Acceso Sharepoint AzMan SQL-Server BizTalk IIS Active Directory Federation Server Quest /Centrify Servicios de Aprovisionamiento Microsoft Identity Integration Server HIS & Biztalk ISA Server Servicios de Directorio Active Directory ADAM, Kerberos Quest / Centrify AzMan MOM & ACS © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Microsoft Identity Integration Server 3/23/2017 1:22 AM Partners Comprar Servicios de Acceso Servicios de FrontEnd FastPass Active Directory Federation Server bHold, BMC AVAC Quest Ultimus / K2 Mission Control Servicios de Aprovisionamiento Quest /Centrify Microsoft Identity Integration Server HIS/ESSO RSA ISA Server Servicios de Directorio Active Directory ADAM, Kerberos Quest / Centrify AzMan MOM & ACS Quest Info Card Servicios de Directorio Extendidos Windows PKI MS Alacris RMS Server © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Microsoft Identity Integration Server 2003 3/23/2017 1:22 AM Productos Windows Server 2003 R2 Directorio Activo ADAM ADFS Microsoft Identity Integration Server 2003 Key concept: integration. We’ve been presenting some complicated slides with many concepts and characteristics related to Identity Management, but we want to point out that many of those characteristics are provided by only one product, Windows Server 2003 R2, that includes some of the required technologies. We’ll talk later on about the evolution, but se start talking about it with the R2 version. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Aplicaciones de terceros Productos: Directorio Activo Base para la Gestión de Identidad 3/23/2017 1:22 AM Informacion de cuentas Privilegios Perfiles Politicas Single Sign-On Usuarios deWindows Recursos de red Recursos compartidos Impresoras Politicas Servidores Windows Configuración Seguridad Quarentena Politicas Clientes Windows Configuración QoS Políticas de Seguridad Single Sign-On Dispositivos de Red Información de producto Privilegios Perfiles Politicas Implementacion automatizada Productos Microsoft Eficiencia operativa Seguridad mejorada Mejoras en Productividad Interoperabilidad Directorio Activo Directorios Bases de Datos Mainframes UNIX Otros Sistemas Configuración Política de seguridad VPN y Acceso Remoto Cuerentena Single Sign-On Servicios de Firewall Single Sign-On Implementación automatizada Configuración Data especifica de directorio Aplicaciones de terceros Base para la gestión de usuarios y recursos de red Autoridad central para la seguridad de redes y aplicaciones Punto de integración para la unificación de servicios © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

El Rol de Directorio Activo… 3/23/2017 1:22 AM El Rol de Directorio Activo… Repositorio central de usuarios, servidores y puestos Permite identificar de forma unívoca a cualquier persona de la organización Establece políticas de seguridad, validación y autorización Gestión de Identidad Automatiza el bloqueo de sistemas Windows Refuerza el uso de contraseñas y credenciales fuertes Punto central y homogéneo de administración Seguridad We are talking about The Role of AD… Active Directory plays three important roles in any organization (pick one bullet from each) Increase IT Operational Efficiency by: Increasing the efficiency of managing Windows by up to 30% (and we’ll talk about that in the next few slides) Reducing the number of directories and passwords Centrally managing Windows servers & desktops AD helps you strengthen security by enabling you to do things like: Automate the lockdown of Windows systems Enforce the user of strong passwords & credentials More easily manage access to network resources 3. Improving employee productivity by: Enabling end users to find people, applications and resources faster Empowering employees with rich collaboration capabilities; and, Providing single sign-on to integrated applications and resources NEXT SLIDE Permite gestión uno a muchos de usuarios y máquinas Automatiza el forzado de políticas Implementación eficiente de configuraciones estándar para grupos de usuarios y máquinas Gestión de Configuración © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Productos: MIIS Gestión del Ciclo de Vida Integración y Sincronización de Directorios Vista unificada del usuario Sincronización a nivel de propiedades Gestión del Ciclo de Vida Altas y bajas de usuarios Cambios en las cuentas: promociones, transferencias, etc Establecimiento de valores iniciales Gestión de Contraseñas Establecimiento inicial de contraseñas Sincronización de contraseñas Aplicaciones para gestión centralizada Facilidad de Despliegue Sistema sin Agentes Modo de Vista Previa

Componentes Connector Metaverse Space Directorios Conectados MA iPlanet Oracle SQL Exchange 5.5 MA Usuario MA MA Connector Space Metaverse MA Directorios Conectados

MIIS: Repositorios Soportados 3/23/2017 1:22 AM MIIS: Repositorios Soportados Directorio Activo y ADAM Microsoft SQL 2000, SQL 7 Oracle 8i/9i Lotus Domino 5.x/6.x Novell eDirectory Microsoft Exchange 5.5, 2000, 2003 Microsoft NT 4.x Sun/iPlanet/Netscape Directory Ficheros: DSML, LDIF, CSV, atributo – valor… MIIS 2003 RACF SAP / Peoplesoft www.microsoft.com/miis IBM DB2, IBM Directory Server Extensible conectivity, MA SDK y MA Packaging Tool MIIS 2003 SP1 http://www.miisexperts.org/DeveloperVerse.html mySQL Generic Database Open LDAP Contar aquí también la evolución de MIIS www.miisexperts.org MySQL OpenLDAP Genérico BBDD En desarrollo Computer Associates ACF2, Top Secret LDAP Genérico © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

MIIS: Configuración

MIIS: Configuración

Productos: ADAM Flexibilidad para aplicaciones y administradores Misma tecnología que Directorio Activo, limitada al modo LDAP Esquema y topología independiente, aunque puede sincronizarse con Directorio Activo Escenarios de uso: Directorio de aplicación Directorio de extranet When an organization or developer needs to store identity-related information that is application specific or requires local control of their data, they can benefit from a new mode of Active Directory called Active Directory Application Mode (ADAM). ADAM solves many of the issues that result when deploying applications that need the structure of a directory but are not well-suited for the Active Directory environment because of one or more of the following requirements: Storing personalization data Storing data that needs frequent updating Supporting directory-enabled applications that require aggregation of profile data from multiple forests or a different organization such as OU structure Enabling directory migration © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Federación de Identidades Procesos y Tecnología basada en Estándares Proyección de la Identidad del usuario desde un logon único Autenticación Distribuida y autorización basada en notificaciones Más allá de los límites (de seguridad, departamentales, organizacionales o de plataforma)

Productos: ADFS Extender el Acceso 3/23/2017 1:22 AM Productos: ADFS Extender el Acceso A. Datum Account Forest Trey Research Resource Forest Federation Trust © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Evolución Unificar los servicios 3/23/2017 1:22 AM Evolución Unificar los servicios Certificate Services ADFS IIFP RMS Authorization Manager Servicios de Directorio Today, Microsoft offers a range of identity and access products, many of which grew organically: Active Directory provides domain and directory services Windows Certificate Services provides strong credentials Active Directory Federation Services provides federated identity Identity Integration Feature Pack (a version of MIIS) provides metadirectory and provisioning services Authorization Manager provides role-based access control Rights Management Services provides information rights protection Since these products grew organically, they do not share a consistent deployment model, architecture, or administrative console. As such, the effort required to deploy, integrate, and manage these products is significant. We believe customers need a single unified identity and access infrastructure – a single installation for a broad set of capabilities, a unified policy model that spans across applications, and one place to administer it all. As we bring all of these technologies together, which starts in Windows Server “Longhorn,” we’ll make it much easier for customers to use these services and generate a great deal of synergy. For example, establishing trust in a federated identity relationship requires the use of certificates. By having both a certificate authority and federation services in the same unified platform, we can make it vastly simpler for customers to manage federated relationships. The certificate issuance, renew, and revocation process can be completely seamless and automated by the platform. Another example is the benefit of having information rights protection and federation in the same platform. Protecting documents and files that travel across organizational boundaries today requires the installation of software at all endpoints to enforce the information rights policy. With an ability to share and exchange identity information across organizational boundaries, through the use of federated identity, protecting documents or information that is shared with affiliates, customers, or partners is vastly simplified and achievable. In addition to these synergies, there’s also the benefit of skill re-use. Today, there’s a fair amount of expertise required to deploy each of these capabilities, and that expertise is typically locked up in a small group of individuals. By rationalizing these services and streamlining, you create re-usable skills across your IT organization that can more efficiently deploy and manage the infrastructure. Our customers stand to derive great business value as we unify these capabilities in Active Directory. Arquitectura, política y gestión unificada © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Metasistema de Gestión de Identidad 3/23/2017 1:22 AM Metasistema de Gestión de Identidad GRAN BAZAR Aceptamos © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Las Leyes de Identidad www.identityblog.com User control and consent 3/23/2017 1:22 AM Las Leyes de Identidad User control and consent Minimal disclosure for a defined use Justifiable parties Directional identity Pluralism of operators and technologies Human integration Consistent experience across contexts www.identityblog.com User Control and Consent: Identity systems must only reveal information identifying a user with the user's consent. Minimal Disclosure for a Constrained Use: The identity system must disclose the least identifying information possible, as this is the most stable, long-term solution. Justifiable Parties: Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship. Directed Identity: A universal identity system must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. Pluralism of Operators and Technologies: A universal identity solution must utilize and enable the interoperation of multiple identity technologies run by multiple identity providers. Human Integration: Identity systems must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. Consistent Experience Across Contexts: The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Nomenclatura GRAN BAZAR Aceptamos Relying Party Subject Security Policy Validated Token Aceptamos Identity Selector “Managed” Card Identity Provider © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Arquitectura del Metasistema WS-* ID Provider Relying Party ID Provider Relying Party Kerberos SAML X.509 … Security Token Server WS-SecurityPolicy Security Token Server WS-SecurityPolicy WS-Trust, WS-MetadataExchange Identity Selector Subject

InfoCard Abstracción de la identidad digital Para gestión de colecciones de notificaciones Para gestión de claves Basado en la representación de tarjetas físicas Self-issued cards: firmadas por el usuario “Managed cards” firmadas por una autoridad externa Implementado como subsistema de seguridad Interfaz protegido Técnicas Anti-spoofing Almacenamiento encriptado

Infocard

Más Información… Contacto: Mónica Fernández Referencias: 3/23/2017 1:22 AM Más Información… Contacto: Mónica Fernández monicf@microsoft.com 913919442 Referencias: Gestión de identidad: http://www.microsoft.com/windowsserversystem/overview/benefits/access/default.mspx Windows Server 2003 R2: http://www.microsoft.com/windowsserver2003/default.mspx Microsoft Identity Integration Server: http://www.microsoft.com/windowsserversystem/miis2003/default.mspx © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.