Chapter 8. Planning Authorization and Information Protection Options
In this chapter, we will explore the various functions for authorization and information protection when building a solid hybrid Access Management solution. Furthermore, in this chapter you will get to know risk-based Access Control and the future functionality of Windows Server 2016. The following topics will be covered in this chapter:
Designing and applying risk-based Access Control
Delivering authentication and authorization improvements with Windows Server 2016
Enabling advanced application Access Control
Getting in touch with information protection
How authorization and information protection reporting works
Designing and applying risk-based Access Control
In the first section of this chapter, we will discuss both the design and the information required for applying risk-based Access Control. The main actors in this story are your AD FS and WAP infrastructure, which will help you to integrate such a solution into your environment. Obviously, there are many other technologies in the field, but we want to focus on the native components that are already in place with the use of an identity bridge. This gives you the opportunity to provide an efficient and flexible solution for risk-based Access Control. We will divide this section into the following topics to provide a better understanding:
Managing device registration
Managing authentication and authorization
The magic of claims rules for application access
The main focus will be on how to support a risk matrix, like the following simple example:
Note
The terms of the matrix (HBI, MBI, and LBI) define the business impact:
HBI stands for High Business...
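The following is an added example, not taken from the book, of how the risk matrix above can be expressed with AD FS issuance authorization and additional authentication rules on Windows Server 2012 R2 or later. The mapping of HBI, MBI, and LBI to conditions is an assumption for illustration (the book's own matrix is not reproduced here), and the relying party names and the group SID are placeholders; the claim types used are the standard AD FS device registration, network location, authentication method, and group SID claims.

```powershell
# Added example (not from the book): AD FS claims rules for an assumed risk matrix.
# Assumed policy for the three business impact levels:
#   LBI: any authenticated user may access the application
#   MBI: a registered (workplace-joined) device OR a request from inside the corporate network
#   HBI: registered device AND multi-factor authentication AND membership of an allowed group
# Relying party display names and the group SID below are placeholders.

$permit = 'http://schemas.microsoft.com/authorization/claims/permit'
$isRegisteredDevice = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$insideCorpNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$authnMethods = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
$mfaMethod = 'http://schemas.microsoft.com/claims/multipleauthn'
$groupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$hbiGroupSid = 'S-1-5-21-PLACEHOLDER-1234'   # replace with the SID of the HBI-approved group

# LBI: the built-in "permit all" authorization rule template.
$lbiRules = @"
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "$permit", Value = "true");
"@

# MBI: two independent rules; either one issues the permit claim.
$mbiRules = @"
@RuleName = "MBI: registered device"
c:[Type == "$isRegisteredDevice", Value == "true"]
=> issue(Type = "$permit", Value = "true");

@RuleName = "MBI: inside corporate network"
c:[Type == "$insideCorpNet", Value == "true"]
=> issue(Type = "$permit", Value = "true");
"@

# HBI: first force MFA for every request to this relying party (additional authentication
# rule), then authorize only when device, MFA and group conditions hold together.
$hbiMfaRule = @"
@RuleName = "HBI: always require MFA"
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "$mfaMethod");
"@

$hbiRules = @"
@RuleName = "HBI: registered device, MFA and approved group"
c1:[Type == "$isRegisteredDevice", Value == "true"]
&& c2:[Type == "$authnMethods", Value == "$mfaMethod"]
&& c3:[Type == "$groupSid", Value == "$hbiGroupSid"]
=> issue(Type = "$permit", Value = "true");
"@

# Apply the rule sets to the relying party trusts (names are placeholders).
Set-AdfsRelyingPartyTrust -TargetName 'LBI Intranet Portal' -IssuanceAuthorizationRules $lbiRules
Set-AdfsRelyingPartyTrust -TargetName 'MBI Project Portal'  -IssuanceAuthorizationRules $mbiRules
Set-AdfsRelyingPartyTrust -TargetName 'HBI Finance App' `
    -AdditionalAuthenticationRules $hbiMfaRule `
    -IssuanceAuthorizationRules $hbiRules

# Verify what was stored before testing with a real sign-in.
(Get-AdfsRelyingPartyTrust -Name 'HBI Finance App') |
    Select-Object Name, AdditionalAuthenticationRules, IssuanceAuthorizationRules | Format-List
```

Note that the HBI authorization rule only succeeds if MFA was actually performed, which is why the additional authentication rule is set on the same relying party; without it the authnmethodsreferences claim never carries the multipleauthn value and every HBI request is denied. The device claim requires Device Registration Service to be enabled, which is covered under "Managing device registration".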
Delivering authentication and authorization improvements with Windows Server 2016
For Microsoft and its hybrid vision for AD FS, Windows Server 2016 plays a key role in the whole IAM strategy. It's critical to the overall success of Azure Stack and hybrid identity. This brings us to the new feature sets of AD FS 4.0, which you can include in your design considerations. Additionally, we will provide more in-depth insights in a later chapter dedicated to the new features of Windows Server 2016.
AD FS provides the following extensions to the identity and access management framework:
Comprehensive Authentication, supporting multiple stores with additional security controls for MFA
Enhanced Conditional Access, supporting MDM capabilities for conditional Access Control
Modern applications - REST-based services support with OAuth
Enhanced sign-in experience - a rich and flexible set of customization options, in particular per relying party
Simplified deployment...
Enabling advanced application Access Control
In the following section, we will provide you with some design ideas to include in your on-premises identity management system in preparation for advanced application Access Control. We are often asked by our customers how they can manage access to applications both on-premises and in the cloud, for example, SaaS.
For this reason, we will use the capabilities of MIM 2016 or earlier to provide the complex group-building scenarios on-premises. The groups are commonly based on roles derived from the contract or contracts of an employee. These can be business or application (technical) roles. Other models, such as User | Role | Permission or User | Enterprise Role(s) | Application Role(s) | Permissions, are also representative examples of models that provide the correct permissions to a user account.
We can also use the contract to define the representation of an employee in different repositories or applications with a special type of...
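As an added example (not from the book, and not MIM code), the following PowerShell shows the User | Enterprise Role(s) | Application Role(s) | Permissions model resolved from an employee's contracts down to the groups an identity manager would provision. All role names, group names, contracts, and the user principal name are constructed sample data; expired contracts are deliberately included to show that they must not contribute roles.

```powershell
# Added example (not from the book): resolving contracts through enterprise roles and
# application roles into effective permissions and the groups to provision.
# Every name below is constructed sample data.

# Enterprise (business) roles map to application (technical) roles.
$EnterpriseRoles = @{
    'Sales Manager' = @('CRM.Manager', 'Expense.Approver')
    'Sales Rep'     = @('CRM.User', 'Expense.Submitter')
    'Contractor'    = @('CRM.User')
}

# Application roles map to the group that carries them and the permissions they grant.
$ApplicationRoles = @{
    'CRM.Manager'       = @{ Group = 'APP-CRM-Managers';  Permissions = @('crm:read', 'crm:write', 'crm:export') }
    'CRM.User'          = @{ Group = 'APP-CRM-Users';     Permissions = @('crm:read', 'crm:write') }
    'Expense.Approver'  = @{ Group = 'APP-EXP-Approvers'; Permissions = @('exp:read', 'exp:approve') }
    'Expense.Submitter' = @{ Group = 'APP-EXP-Users';     Permissions = @('exp:read', 'exp:submit') }
}

function Resolve-EmployeeAccess {
    param(
        [Parameter(Mandatory)] [string]      $UserPrincipalName,
        # Each contract carries the enterprise roles derived from it and a validity end date.
        [Parameter(Mandatory)] [hashtable[]] $Contracts,
        [datetime] $AsOf = (Get-Date)
    )
    $appRoles = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($contract in $Contracts) {
        # An expired contract must not grant anything, regardless of what it once carried.
        if ($contract.ValidTo -lt $AsOf) { continue }
        foreach ($er in $contract.EnterpriseRoles) {
            if (-not $EnterpriseRoles.ContainsKey($er)) { throw "Unknown enterprise role '$er' on contract $($contract.Id)" }
            foreach ($ar in $EnterpriseRoles[$er]) { [void]$appRoles.Add($ar) }
        }
    }
    $groups = [System.Collections.Generic.HashSet[string]]::new()
    $perms  = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($ar in $appRoles) {
        $def = $ApplicationRoles[$ar]
        if (-not $def) { throw "Application role '$ar' has no definition" }
        [void]$groups.Add($def.Group)
        foreach ($p in $def.Permissions) { [void]$perms.Add($p) }
    }
    [pscustomobject]@{
        User             = $UserPrincipalName
        ApplicationRoles = @($appRoles | Sort-Object)
        GroupsToProvision = @($groups | Sort-Object)
        Permissions      = @($perms | Sort-Object)
    }
}

# Constructed sample: one active contract and one expired management contract.
$contracts = @(
    @{ Id = 'C-1001'; EnterpriseRoles = @('Sales Rep');     ValidTo = [datetime]'2030-12-31' },
    @{ Id = 'C-0999'; EnterpriseRoles = @('Sales Manager'); ValidTo = [datetime]'2015-06-30' }
)
Resolve-EmployeeAccess -UserPrincipalName 'jdoe@contoso.example' -Contracts $contracts | Format-List
```

With this input the expired manager contract contributes nothing, so only the CRM user and expense submitter groups are provisioned; those group memberships are what later surface as group SID claims in AD FS and can be used in the authorization rules of the previous section.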
Getting in touch with information protection
In the following section, we will dive into advanced Access Control for information protection solutions.
There was an interesting presentation by Dan Plastina, a product manager at Microsoft, which asked a very important question: 'Why do you seek to protect information?' The following answers were given in an actual survey:
96% - Reduce leakage of data shared with others (B2B collaboration)
94% - Partitioning of sensitive data from unauthorized users
89% - Preventing malicious employees from leaking secrets
87% - Meeting compliance requirements
Exactly because of these needs, we need to think about an information protection strategy in our solution design in order to provide the following:
Persistent protection level independent from your storage solution
Permit all companies to authenticate and to enforce authorization policies
Provide tracking and compliance with powerful logging for reporting, including end user use/abuse tracking...
How does authorization and information protection reporting work?
For authorization, and especially for Azure RMS, there is a rich set of reporting capabilities. The full set of reports requires an Azure AD Premium license. The reports are shown in the following manner:
With the hybrid reporting agent installed on your MIM infrastructure, you can view all the details from your Azure AD and your local identity management infrastructure.
Another important feature in the usage of Azure RMS is the Azure RMS tracking website. On this website you can track the usage of your RMS-protected and shared information around the globe. You also get the capability to revoke permissions for a specific document. The Azure RMS tracking feature looks like the following figure:
Note
Practical note
For privacy considerations, organizations are able to disable the track feature if desired.
If you need to revoke permissions on a specific file, you can just select the option to revoke the permissions. You provide...
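The tracking site and the Azure RMS usage logs support the end user use/abuse tracking listed earlier among the goals of an information protection strategy. The following is an added example, not from the book and not Microsoft's tooling, of a simple review over usage log entries. The column names follow the Azure RMS usage log fields, but the records are constructed sample data, and the two thresholds are assumptions to be tuned per environment.

```powershell
# Added example (not from the book): flag users whose RMS license activity looks unusual.
# Field names follow the Azure RMS usage log; the rows are constructed sample data.
$sampleLog = @'
date,time,request-type,user-id,result,content-id,owner-email,c-ip
2016-03-01,08:01:10,AcquireLicense,alice@contoso.example,Success,{doc-1},bob@contoso.example,10.1.1.5
2016-03-01,08:03:42,AcquireLicense,alice@contoso.example,Success,{doc-2},bob@contoso.example,10.1.1.5
2016-03-01,08:04:09,AcquireLicense,alice@contoso.example,Success,{doc-3},carol@contoso.example,10.1.1.5
2016-03-01,08:04:55,AcquireLicense,alice@contoso.example,Success,{doc-4},carol@contoso.example,10.1.1.5
2016-03-01,08:05:30,AcquireLicense,alice@contoso.example,Success,{doc-5},dave@contoso.example,10.1.1.5
2016-03-01,09:10:00,AcquireLicense,bob@contoso.example,AccessDenied,{doc-9},carol@contoso.example,203.0.113.7
2016-03-01,09:10:20,AcquireLicense,bob@contoso.example,AccessDenied,{doc-9},carol@contoso.example,203.0.113.7
2016-03-01,09:11:02,AcquireLicense,bob@contoso.example,AccessDenied,{doc-10},carol@contoso.example,203.0.113.7
2016-03-01,09:30:00,AcquireTemplates,bob@contoso.example,Success,,,203.0.113.7
2016-03-01,10:00:00,AcquireLicense,carol@contoso.example,Success,{doc-1},bob@contoso.example,10.1.2.8
'@

function Find-RmsUsageAnomalies {
    param(
        [Parameter(Mandatory)] [string] $LogText,
        # Assumed thresholds: more distinct protected documents than this in the window,
        # or more denied license requests than this, produces a finding.
        [int] $MaxDistinctDocuments = 3,
        [int] $MaxDenials = 2
    )
    $rows = $LogText | ConvertFrom-Csv
    # Only license acquisitions represent an attempt to open protected content.
    $licenseRows = $rows | Where-Object { $_.'request-type' -eq 'AcquireLicense' }

    $findings = foreach ($g in ($licenseRows | Group-Object 'user-id')) {
        $distinctDocs = @($g.Group | Select-Object -ExpandProperty 'content-id' -Unique).Count
        $denied       = @($g.Group | Where-Object { $_.result -ne 'Success' }).Count
        $sources      = @($g.Group | Select-Object -ExpandProperty 'c-ip' -Unique) -join ', '
        $reasons = @()
        if ($distinctDocs -gt $MaxDistinctDocuments) { $reasons += "opened $distinctDocs distinct protected documents" }
        if ($denied -gt $MaxDenials)                 { $reasons += "$denied denied license requests" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User              = $g.Name
                DistinctDocuments = $distinctDocs
                Denied            = $denied
                SourceIPs         = $sources
                Reasons           = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Find-RmsUsageAnomalies -LogText $sampleLog | Format-Table -AutoSize
```

On the constructed data this reports alice (five distinct documents from three different owners in a few minutes) and bob (three denied requests from an external address), while carol's single successful access produces no finding. A result for a user is a prompt to look at the tracking site for the affected documents and, if warranted, to use the revoke option described above.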
In this chapter, we talked about the design of a hybrid access management solution, focusing on the key aspects of authorization and information protection. With this information, you can now apply the required design principles to a risk-based Access Control and information protection strategy, including Azure RMS and the future Windows Server 2016 system. In the next chapter, we will start to implement our own solution. We will focus on the synchronization and federation functionality, group management, and the activation of the MFA.