Business Ready Security: Exploring the Identity and Access Management Solution
Brjann Brekkan, Sr. Technical Product Manager, Microsoft Corporation
SESSION CODE: SIA321
Across on-premises & cloud
Business Ready Security: Help securely enable business by managing risk and empowering people
Integrate and extend security across the enterprise
From Block, Cost, Siloed to Enable, Value, Seamless
Simplify the security experience, manage compliance
Protect everywhere, access anywhere
Highly Secure & Interoperable Platform
Identity
Current Situation: Time and labor intensive process
• Password reset and access requests handled through help desk
• Contoso managing Fabrikam accounts
• Multiple identities and limited sign-on help
• Different sign-on requirements for applications
• Remote access solution with separate identities
• Fabrikam managing Contoso accounts
Business Ready Security Solutions
• Identity and Access Management
• Secure Messaging
• Secure Endpoint
• Secure Collaboration
• Information Protection
Identity and Access Management
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
• Provide more secure, always-on access
• Enable access from virtually any device
• Extend powerful self-service capabilities to users
• Automate and simplify management tasks
PROTECT everywhere ACCESS anywhere
INTEGRATE and EXTEND security
SIMPLIFY security, MANAGE compliance
• Control access across organizations
• Provide standards-based interoperability
Empower Business
• Self-service profile, credential, and group management
• Password and PIN reset from Windows login
• Group management from within Microsoft Office
• Single identity across heterogeneous applications
Empower IT
• End-to-end, workflow-driven user provisioning
• Policy-controlled self-service capabilities
• Automatic, attribute-based group membership for simplified resource access
GOVERNED SELF-SERVICE AND AUTOMATION
Simplify Identity Management
“With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations.”
René Chevremont, Head of Access Management, Banque de Luxembourg
Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006579/
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
Identity Management: User provisioning
Figure: an HR system feeds FIM; the FIM workflow routes user enrollment to the manager for approval, and the user is provisioned to the connected systems (Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB) and to FIM CM.
“With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution.”
Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/
Identity Synchronization and Consistency: Identity synchronization across multiple directories
Figure: identity data aggregation. The HR system, LDAP, Active Directory/Exchange and a SQL Server database each hold a record (givenName, sn, title, mail, employeeID, telephone) for the same person, with inconsistent values: "Sammy Dearling" (employeeID 008), "Samara Darling" (007), "Sam Dearing, Intern" (007) and "Samantha Dearing, Coordinator, 555-0129" (007). Identity Manager aggregates them into one identity: Samantha Dearing, employeeID 007, title Coordinator, telephone 555-0129.
Attribute Ownership: FirstName/LastName, EmployeeID, Title, Telephone
Identity Synchronization and Consistency: Identity consistency across multiple directories
Attribute Ownership: FirstName/LastName, EmployeeID, Title, Telephone
Figure: identity data brokering (convergence). Starting from the same inconsistent records ("Sammy Dearling", "Samara Darling", "Sam Dearing, Intern", "Bob Dearing, Coordinator, 555-0129", all employeeID 007), Identity Manager writes the converged values (Samantha Dearing, employeeID 007, Coordinator, 555-0129) back to the HR system, LDAP, Active Directory/Exchange and the SQL Server database according to the attribute ownership rules.
Certificate and Smart Card Management
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
“We’re confident that we have a security infrastructure that will help protect … our customers’ data while logging every user action, for a more flexible and adaptive IT infrastructure.”
Thomas Pfeifer, Solution Engineer, T-Systems
Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006605/
Figure: certificate issuance flow across the HR system, FIM, FIM CM and Active Directory Certificate Services (AD CS):
• User enrollment and authentication request sent by HR system
• FIM policy triggers request for FIM CM to issue certificate or SmartCard
• FIM Certificate Management (CM) requests certificate creation from AD CS
• Certificate is issued to user and written to either machine or smart card
The end user receives the certificate on the machine or on a SmartCard.
Group Management
Figure: SharePoint-based management console and FIM add-in for Outlook.
• Self-service group and distribution list management with the FIM 2010 Web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes
Advanced Group Management
• Self-service group management
• Integrated approval
• Integrates with Exchange and Outlook
• Manages distribution and security groups
• Criteria-based group membership
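The two synchronization slides and the criteria-based group bullet above describe the same mechanism from two sides: each attribute of the converged identity has one authoritative source (attribute ownership), convergence writes that value back to every directory, and group membership is then calculated from the attributes instead of being assigned by hand. The following is an added example that models that mechanism in Python; it is not FIM code. The source names, the precedence order, the group criteria and the sample records are all constructed for the example, and the records are joined on employeeID as in the slide.

```python
"""Identity aggregation, convergence and criteria-based group membership.

Added example, not FIM's own code. Source names, precedence order, group
criteria and sample records are constructed; records join on employeeID.
"""

# Constructed sample data: four connected systems holding inconsistent
# records for the same person.
CONNECTED_SOURCES = {
    "HR": {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007",
           "title": "Coordinator", "employeeType": "Employee"},
    "AD": {"givenName": "Sam", "sn": "Dearing", "employeeID": "007",
           "title": "Intern", "mail": "sdearing@example.invalid"},
    "LDAP": {"givenName": "Samara", "sn": "Darling", "employeeID": "007",
             "telephone": "555-0129"},
    "SQL": {"givenName": "Sammy", "sn": "Dearling", "employeeID": "007",
            "telephone": "555-0100"},
}

# Attribute ownership (constructed): for each attribute, the sources allowed
# to supply it, highest precedence first. A source not listed for an
# attribute can never contribute it, so the stale title held in AD cannot
# overwrite the value that HR owns.
PRECEDENCE = {
    "givenName": ["HR", "AD"],
    "sn": ["HR", "AD"],
    "employeeID": ["HR"],
    "employeeType": ["HR"],
    "title": ["HR"],
    "mail": ["AD"],
    "telephone": ["LDAP", "SQL"],
}

# Criteria-based groups (constructed): membership is a predicate over the
# converged identity and is recalculated whenever attributes change.
GROUP_CRITERIA = {
    "All Employees": lambda u: u.get("employeeType") == "Employee",
    "Coordinators": lambda u: u.get("title") == "Coordinator",
    "Interns": lambda u: u.get("title") == "Intern",
}


def aggregate(sources, precedence):
    """Build the converged identity: for every owned attribute take the
    first non-empty value in precedence order (the import attribute flow)."""
    converged = {}
    for attr, owners in precedence.items():
        for owner in owners:
            value = sources.get(owner, {}).get(attr)
            if value:
                converged[attr] = value
                break
    return converged


def export_changes(converged, sources):
    """Compute what convergence writes back (the export attribute flow):
    for each source, the attributes it already carries whose value differs
    from the converged one. Attributes a source does not hold are left alone."""
    changes = {}
    for name, record in sources.items():
        diff = {attr: converged[attr] for attr in record
                if attr in converged and record[attr] != converged[attr]}
        if diff:
            changes[name] = diff
    return changes


def calculate_groups(converged, criteria):
    """Return the sorted list of criteria-based groups the identity satisfies."""
    return sorted(name for name, rule in criteria.items() if rule(converged))


if __name__ == "__main__":
    identity = aggregate(CONNECTED_SOURCES, PRECEDENCE)
    print("converged:", identity)
    print("export flows:", export_changes(identity, CONNECTED_SOURCES))
    print("groups:", calculate_groups(identity, GROUP_CRITERIA))
```

Run as a script, the converged identity is Samantha Dearing, 007, Coordinator, 555-0129; HR needs no export because it is authoritative for everything it holds, while AD, LDAP and SQL each receive only the attributes that differ. Because the converged title is Coordinator, the user lands in "Coordinators" and not in "Interns" even though AD still said Intern before convergence, which is exactly why ownership has to be decided per attribute rather than per system.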
Workflow Management
• Enables IT to quickly define, automate, and enforce identity management policies
• IT can use the integrated workflow in the approval/rejection process
• Automatic notifications for request approvals or rejections
Self-Service Password Management
• Enables users to reset their own passwords through both Windows logon and FIM password reset portal
• Controls helpdesk costs by enabling end users to manage certain parts of their own identities
• Improves security and compliance with minimal errors while managing multiple identities and passwords
Figure: the end user requests a password reset; the FIM server updates the password in Active Directory, Oracle, SQL Server, IBM DS and LDAP.
Demo: Synchronization and Provisioning. Defining attribute flows: Trey Engineering has decided to automate HR process.
Secure and Seamless Access
• Integrated SSL VPN capabilities for both managed and non-managed clients
• Simplified remote access by non-Windows, down-level, or non-trusted endpoints
• UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure
Figure: managed employees connect over DirectAccess; non-managed employees and partners (home/kiosk, mobile) connect over HTTPS (443) or a layer 3 VPN across the Internet to the data center/corporate network, reaching Terminal Services/Remote Desktop/Citrix, CRM, IBM, SAP, Oracle and non-web, legacy and down-level applications over HTTPS/HTTP. Authentication and policy: SmartCard, RADIUS, LDAP, ….
Demo: Providing Secure Access. Woodgrove Bank is setting up process for managers to create contractors; providing contractors with secure remote access to corporate resources.
Provide More Secure, Anywhere Access
SSL VPN
Empower Business
• Consolidated secure portal to simplify remote access to resources
• Simplified sign-on
Empower IT
• Policy-based resource access
DirectAccess
Empower Business
• Seamless and more secure access
• Simplified, always-on access
Empower IT
• Policy-based network access
• Ability to manage machines anywhere
SSL VPN (non-managed devices)
Empower Business
• Access from virtually any device
Empower IT
• Policy-based restricted access
“We will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners.”
Armand Martin, Enterprise Architect, Security, Dow Corning
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006589/
Extend Access Across Organizations
Empower Business
• Ability to move seamlessly between applications using a single identity
• Collaboration across organizations
Empower IT
• No need to manage external accounts
• Simplified and flexible claims-based federation
• Common authentication controls for building custom applications
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
− Support the sharing of rights-protected messages between organizations
− Improved support for Microsoft SharePoint Server as a claims-aware application
Active Directory Federation Services
Figure: Trey Research (account forest, AD DS and AD FS) and Woodgrove Bank (resource forest, AD DS and AD FS, a SharePoint Server farm, Exchange 2010 and AD RMS) are joined by a federation trust with business partners. Flow: the user requests application access and is redirected to the Security Token Service (STS); the user account/credentials are authenticated and a security token carrying claims is returned; the claims are posted to the application.
• Implements a single user access model with native single sign on (SSO) and easier federation to on-premise and cloud services
• Helps provide consistent security with a single user access model externalized from applications
• Based on open, industry standard protocols for interoperability
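The federation flow on the AD FS slide (redirect to the STS, authentication, token and claims, post claims) is worth seeing end to end, because every step that makes it safe is a check the resource side performs before it trusts a single claim. The following is an added example in Python, not AD FS code: it plays both partners of the federation trust and the claims-aware application, and shows why a token from an issuer outside the trust, an expired token, a token issued for a different relying party, or a tampered token is rejected, and why the resource partner never needs an account for the external user. The token is signed with HMAC-SHA256 over a constructed shared secret in place of the X.509 signatures real federation servers use; issuer names, the audience, claim types, transformation rules and users are all constructed.

```python
"""Claims-based federation between an account partner and a resource partner.

Added example, not AD FS code. HMAC over a constructed shared secret stands in
for X.509 token signing; every issuer, audience, claim type, rule and user
below is constructed for the example.
"""
import base64
import hashlib
import hmac
import json


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AccountPartnerSTS:
    """Trey Research (account forest): knows its own users, issues tokens."""

    def __init__(self, issuer, signing_key, users):
        self.issuer, self.key, self.users = issuer, signing_key, users

    def issue(self, username, audience, now, lifetime=300):
        # The user has already authenticated to this STS (e.g. with a Kerberos
        # ticket from AD DS); the token carries the resulting claims.
        user = self.users[username]
        claims = {"iss": self.issuer, "aud": audience, "exp": now + lifetime,
                  "upn": user["upn"], "groups": user["groups"]}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + sig


class ResourcePartnerFederation:
    """Woodgrove Bank (resource forest): federation trust + transformation rules."""

    def __init__(self, relying_party, trusted_issuers, group_to_role):
        self.relying_party = relying_party
        self.trusted_issuers = trusted_issuers   # issuer -> verification key
        self.group_to_role = group_to_role       # claim transformation rules

    def validate(self, token, now):
        """Return transformed claims, or raise PermissionError."""
        payload, sig = token.rsplit(".", 1)
        claims = json.loads(_unb64(payload))
        # The issuer name only selects which trusted key to verify with;
        # nothing else in the token is believed until the signature checks.
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            raise PermissionError("issuer not in federation trust")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("signature check failed")
        if claims.get("aud") != self.relying_party:
            raise PermissionError("token issued for a different relying party")
        if claims.get("exp", 0) <= now:
            raise PermissionError("token expired")
        return self.transform(claims)

    def transform(self, incoming):
        """Pass the UPN through; map partner groups to local application roles."""
        roles = [role for group, role in self.group_to_role.items()
                 if group in incoming.get("groups", [])]
        return {"upn": incoming["upn"], "roles": roles}


def authorize(federation, token, required_role, now):
    """Claims-aware application: grant only if the transformed claims carry the role."""
    try:
        claims = federation.validate(token, now)
    except PermissionError as err:
        return "denied: " + str(err)
    if required_role not in claims["roles"]:
        return "denied: missing role " + required_role
    return "granted to " + claims["upn"]


# Constructed deployment: one account partner inside the trust, one STS outside it.
SHARED_KEY = b"constructed-federation-trust-secret"
TREY_STS = AccountPartnerSTS(
    "urn:trey-research:sts", SHARED_KEY,
    {"alice": {"upn": "alice@trey.example", "groups": ["Project-Managers"]},
     "bob": {"upn": "bob@trey.example", "groups": []}})
UNTRUSTED_STS = AccountPartnerSTS(
    "urn:other-org:sts", b"some-other-key",
    {"carol": {"upn": "carol@other.example", "groups": ["Project-Managers"]}})
WOODGROVE = ResourcePartnerFederation(
    "urn:woodgrove:sharepoint",
    {"urn:trey-research:sts": SHARED_KEY},
    {"Project-Managers": "SharePoint-Contributor"})

if __name__ == "__main__":
    token = TREY_STS.issue("alice", "urn:woodgrove:sharepoint", now=1000)
    print(authorize(WOODGROVE, token, "SharePoint-Contributor", now=1100))
```

Woodgrove holds no account for alice; her access rests entirely on the trust relationship with Trey's STS and on the transformation rule that turns Trey's "Project-Managers" group into the local "SharePoint-Contributor" role. The order of checks in validate matters: the issuer name is used only to pick a verification key, and no claim in the token, including the audience and expiry, is acted upon until the signature has been verified against that trusted key.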
Single Sign On Extended to Collaboration
• Shared identity with partners and cloud services
• Boost cross-organizational efficiency
− Share rights-protected messages
− Improved support for SharePoint as a claims-aware application
Figure: a corporate user holding a security token (e.g., Kerberos ticket) from AD DS reaches AD FS, which provides single sign on to an internal claims-aware application, to a partner’s Exchange and SharePoint, and to claims-aware apps in cloud services through federation with service providers.
Federated Identity: SSO to hosted services with standards based federation
Call to Action:
• Provide additional services offering heterogeneous federation extending on-premises AD to services
• Organization with AD has integrated federation
Figure: a federation service in the customer data center federates with a federation service in the cloud datacenter.
Identity and Access Management: Integrated across on-premises to cloud
Figure: the HR system and other user data stores feed FIM (self service, workflow), which provisions AD DS attributes (phone, title, department, manager, group), the Exchange GAL and distribution lists, SharePoint profiles and access, SAP and other apps, and SQL Server roles and client lists. Users authenticate with Windows Integrated/Kerberos/AD FS, and AD FS 2.0 issues WS-* and SAML claims to partner claims-aware applications and to claims-aware applications in cloud services.
Demo: Extending IAM to partners for cross organizational collaboration. Configuring claims across organizations; HR driven data modifies access to partner network.
Identity and Access Management
• Seamless access to resources on-premises or in the cloud
• Extending AD: accessing partner resources
• Customer ID is used in the cloud
• Single identity across resources
Related Content
• SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
• SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
• SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
• SIA304 | Identity and Access Management: Windows Identity Foundation Overview
• SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
• SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
• SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
• SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
• SIA319 | Microsoft Forefront Identity Manager 2010: In Production*
• SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
• SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
• SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager*
• SIA06-INT | Identity and Access Management Solution Demos
• SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
• SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
• Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
* Brjann presenting
Track Resources
Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
Resources
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
Complete an evaluation on CommNet and enter to win!
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
JUNE 7-10, 2010 | NEW ORLEANS, LA