Reducing PKI deployment time and costs

Post on 08-Jan-2017

Transcript of Reducing PKI deployment time and costs

Automating PKI with Active Directory Integration

GlobalSign Webinar

Reducing PKI deployment time and costs

WHAT YOU WILL LEARN TODAY

1 Challenges of on-premise CAs

2 What is AEG?

3 Use cases

4 Business benefits

Identity for Everything™

Our PKI & IAM experience and technology to build high volume, high scale identity management solutions for the billions of devices, people and things

THE PROBLEMS WE SOLVE

Reduce costs and time to deploy enterprise PKI

Manage high volumes of Identities for IoT/IoE

Manage Certificate-related risk (Compliance, expirations etc.)

Reduce time to deploy IAM solutions from months to weeks

The challenges with an on-premise CA

ELEMENTS TO CONSIDER

Multiple teams: Implementation, Infrastructure, Cybersecurity, Technical Support…

Implementation timeframe: 3-4 months

Documentation: Approval & maintenance

Software & Hardware cost: OS, virtualization, CA servers, CRL/OCSP, storage, HSMs, load balancers

Compliance: Writing and maintaining CP/CPS, industry-specific regulations

EFFORT & COST ESTIMATE

Total = USD 800K – 1 Million for a 5 year Project!

The Solution - Automation + Cloud

TWO TYPES OF END USERS

Enterprise/Corporate Users: Part of organization’s domain

Citizens/Customers (‘IOT’): Not part of any domain

DIFFERENT SOLUTIONS

Corporate Users: Auto Enrolment Gateway (AEG)

Citizens/Customers: IOT use cases via APIs

For Corporate Users

AUTO ENROLLMENT GATEWAY

• AEG is a ‘connector’ between Windows Active Directory and GlobalSign’s world-class Cloud CA infrastructure

• Allows organizations to ‘automatically’ provision, re-issue and manage their certificates for all Windows domain-connected users and computers at a fraction of the cost!

Active Directory + AEG + GlobalSign Cloud CA

OVERVIEW…

[Diagram labels: Active Directory Domain, AEG, Enterprise Environment]

ANOTHER VIEW

MULTIPLE FORESTS – MULTIPLE DOMAIN(S)

[Diagram labels: AEG Server; AD – Domain # 1 and AD – Domain # 2, each with ENDPOINTS (Workstation, Routers, Server, Users); TRUST]

SUPPORTED TEMPLATES

• Workstation Authentication
• Web Server
• User
• Smartcard Logon / Smartcard User
• Kerberos Authentication
• Key Recovery Agent
• Domain Controller / Domain Controller Authentication
• Administrator
• Many more ….

CERTIFICATE ENROLMENT OPTIONS

AUTOMATIC ENROLLMENT FOR DOMAIN-JOINED ENDPOINTS

Certificate is automatically installed or user is prompted to install

2-step process

Auto-enrollment is controlled by ACLs

MANUAL ENROLLMENT FOR DOMAIN-JOINED ENDPOINTS

User has to manually go through the steps to get a cert from the Microsoft MMC certificates snap-in

5-step process

MANUAL ENROLLMENT PAGE FOR NON-DOMAIN ENDPOINTS

Can be made available to anyone with a non-domain-joined machine

Option to enter a CSR or enroll a SCEP-compatible device

All orders need to be approved by the admin

KEY USE CASES

• S/MIME: Digitally Sign and Encrypt Emails
• Key Archival and Recovery
• Smart Card Logon
• User Authentication
• Machine Authentication
• Domain Controller Authentication
• Digital Signature for PDF & MS Office documents
• SSL
• Encrypted File System (EFS)

WHO IS AEG FOR?

Mid to large enterprises running a Windows environment and utilizing Active Directory

Organizations requiring strong digital certificate-based 2FA (and optionally tokens) to replace weak passwords

Organizations with mission-critical PKI operations requiring 7 X 24 service availability

Organizations looking to reduce their TCO around PKI deployments

BENEFITS

SOLUTION BENEFITS

• Zero client footprint
• Supports a variety of use cases
• Supports Private and Public certificate types
• Reduces the risk associated with in-house PKI operations
• Enterprises retain control of users and policies
• Minimizes total cost for PKI deployments
• Developed by ex-Microsoft Crypto team

BUSINESS BENEFITS

Cost savings

Time savings

Customer Satisfaction

Comprehensive PKI portfolio

GET IN TOUCH

www.globalsign.com
