Iam

Date posted: 18-Nov-2014
Uploaded by: microsoft-norge-as

Transcript
Page 1: Iam

Identity and Access Management

Rune Lystad ([email protected]), Enterprise Solution Manager

Business Ready Security Solutions

Page 2: Iam

Current Situation: Time and labor intensive process

• Password reset and access requests handled through help desk

• Contoso managing Fabrikam accounts; Fabrikam managing Contoso accounts

• Multiple identities and limited sign-on help

• Different sign-on requirements for applications

• Separate remote access solution with separate identities

Page 3: Iam

Identity and Access Management Strategy

Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device

PROTECT everywhere, ACCESS anywhere

INTEGRATE and EXTEND security

SIMPLIFY security, MANAGE compliance

• Provide more secure, always-on access

• Enable access from virtually any device

• Extend powerful self-service capabilities to users

• Automate and simplify management tasks

• Control access across organizations

• Provide standards-based interoperability

Page 4: Iam

Business Ready Security Solutions

Information Protection

Identity and Access Management

Secure Messaging, Secure Endpoint, Secure Collaboration

Page 5: Iam

Identity and Access Management

Secure Messaging, Secure Endpoint, Secure Collaboration

Active Directory® Federation Services

Information Protection

Business Ready Security Solutions

Page 6: Iam

PROTECT Everywhere, ACCESS Anywhere

Page 7: Iam

Windows DirectAccess

• Provides seamless, always-on, secure connectivity to on-premises and remote users

• Eliminates the need to connect explicitly to the corporate network while remote

• Facilitates more secure, end-to-end communication and collaboration

• Uses a policy-based network access approach

• Enables IT to easily service, secure, update, and provision mobile machines, whether they are inside or outside the network

Diagram: DirectAccess Client; Internet; Internet Servers; DirectAccess Server; Intranet; Corporate Resources; Internal traffic; Internet traffic

Page 8: Iam

DirectAccess in Windows 7

Diagram: IPv6 Devices; IPv4 Devices; WinSrv 2008R2 DirectAccess Role; Windows 7 Client; Native IPv6 with IPSec; IPv6 Transition Services; Supports variety of remote network protocols; IT desktop management (AD Group Policy, NAP, software updates); Internet

Page 9: Iam

INTEGRATE and EXTEND security

Page 10: Iam

Active Directory Federation Services

• Shared identity with partner organizations and cloud services

• Boost cross-organizational efficiency and communication with more secure access

− Support the sharing of rights-protected messages between organizations

Diagram: Firma A Account Forest; Firma B Resource Forest; AD DS and AD FS in each forest; AD RMS; SharePoint Server Farm; Business Partners; Federation Trust; Application Access; Redirect to Security Token Service (STS); Authentication; Token and claims; Post claims; User Account/Credentials; Security Token

Page 11: Iam

Single Sign On with Extended Collaboration

• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services

• Helps provide consistent security with a single user access model externalized from applications

Security Token (e.g., Kerberos Ticket)

• AD FS creates SAML token

• Signs it with company’s private key

• Sends it back to the user

• Access supplied with the token

Diagram: Corporate User; AD DS; AD FS; Partner; Exchange; SharePoint; Web App; Claims-Aware Application; Cloud Services
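The token flow on this slide and the previous one (redirect to the STS, authenticate, sign the claims with the company's private key, present the token to the claims-aware application) is condensed below into an added example that is not part of the original deck and is not AD FS code. The names `STS`, `RelyingParty`, `Issue`, `Verify` and `Authorize`, the `firma-a`/`firma-b` URLs and the user directory are all constructed for the example; a JSON payload signed with Ed25519 stands in for the XML-DSig-signed SAML token AD FS actually issues. The point it shows is the trust boundary: only the STS holds the private key, the relying party holds only the STS public key and name, and it checks signature, issuer, audience and expiry before it reads a single claim.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims stands in for the claims of an AD FS SAML token (constructed: JSON signed with Ed25519, not XML-DSig).
type Claims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`
	Subject  string   `json:"sub"`
	Groups   []string `json:"groups"`
	Expires  int64    `json:"exp"`
}

// STS models the account forest's Security Token Service; only it holds the private key.
type STS struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	users map[string][]string // constructed directory: user name -> group memberships
}

func NewSTS(name string, users map[string][]string) *STS {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable randomness: refuse to sign anything
	}
	return &STS{Name: name, Pub: pub, priv: priv, users: users}
}

// Issue authenticates the user (presence in the directory) and signs the claims; the token is "payload.signature", both base64url.
func (s *STS) Issue(user, audience string, now time.Time, ttl time.Duration) (string, error) {
	groups, ok := s.users[user]
	if !ok {
		return "", errors.New("authentication failed")
	}
	payload, _ := json.Marshal(Claims{Issuer: s.Name, Audience: audience, Subject: user, Groups: groups, Expires: now.Add(ttl).Unix()}) // cannot fail for this plain struct
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(s.priv, payload)), nil
}

// RelyingParty is the claims-aware application in the resource forest; the federation trust gives it only the STS name and public key.
type RelyingParty struct {
	Name, TrustedIssuer, RequiredGroup string
	TrustedKey                         ed25519.PublicKey
}

// Verify checks the signature before reading any claim, then issuer, audience and expiry; a failed check yields no claims at all.
func (rp *RelyingParty) Verify(token string, now time.Time) (*Claims, error) {
	p, s, found := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	if !found || err1 != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	if !ed25519.Verify(rp.TrustedKey, payload, sig) {
		return nil, errors.New("signature does not verify under the trusted key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case c.Issuer != rp.TrustedIssuer:
		return nil, errors.New("untrusted issuer")
	case c.Audience != rp.Name:
		return nil, errors.New("token was issued for a different application")
	case !now.Before(time.Unix(c.Expires, 0)):
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Authorize applies the application's own policy to verified claims only.
func (rp *RelyingParty) Authorize(token string, now time.Time) (bool, error) {
	c, err := rp.Verify(token, now)
	if err != nil {
		return false, err
	}
	for _, g := range c.Groups {
		if g == rp.RequiredGroup {
			return true, nil
		}
	}
	return false, errors.New("subject is not in the required group")
}

func main() {
	sts := NewSTS("https://sts.firma-a.example", map[string][]string{"alice": {"Sales"}})
	rp := &RelyingParty{Name: "https://sharepoint.firma-b.example", TrustedIssuer: sts.Name, RequiredGroup: "Sales", TrustedKey: sts.Pub}
	tok, _ := sts.Issue("alice", rp.Name, time.Now(), time.Hour)
	fmt.Println(rp.Authorize(tok, time.Now()))
}
```

The audience check is the one most often skipped in home-grown relying parties: without it a token issued for one application is accepted by every other application that trusts the same STS, which is exactly the cross-application replay a federation trust is supposed to rule out.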

Page 12: Iam

SIMPLIFY security, MANAGE compliance

Page 13: Iam

Identity Lifecycle Management

Create: Provision user; Provision credentials; Provision resources

Change: Role changes; Phone # or title change; Password and PIN reset; Resource requests

Retire: De-provision identities; Revoke credentials; De-provision resources

Policy Management: Policy enforcement; Approvals and notifications; Audit trails

Help Desk: “Lost” Credentials; Password Reset; New Entitlements

Page 14: Iam

Forefront Identity Manager in Action

Diagram: FIM Portal; Policy Management; Credential Management; User Management; Group Management; Directories; Databases; LOB Applications; Custom; Self-Service integration; Windows Log On; ISV Partner Solutions; IT Departments

Page 15: Iam

Identity Management: User provisioning

• Policy-based identity lifecycle management system

• Built-in workflow for identity management

• Automatically synchronizes all user information to different directories across the enterprise

• Automates the process of on-boarding users

Flow: User Enrollment → Approval → User provisioned on all allowed systems

Diagram: HR System; FIM Workflow Manager; Active Directory; Lotus Domino; LDAP; SQL Server; Oracle DB; FIM CM

Page 16: Iam

Identity Management: User de-provisioning

• Automated user de-provisioning

• Built-in workflow for identity management

• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage

Flow: User de-provisioned → User de-provisioned or disabled on all systems

Diagram: HR System; FIM Workflow; Active Directory; Lotus Domino; LDAP; SQL Server; Oracle DB; FIM CM
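The create/retire lifecycle of the Identity Lifecycle Management slide and the provisioning and de-provisioning flows of the two slides above are modelled below in an added example that is not part of the original deck and is not FIM code. `Lifecycle`, `Connector`, `Provision`, `Deprovision` and `Orphans` are names chosen for the example; the HR source and the target systems are in-memory maps standing in for the HR system, Active Directory and SQL Server connectors in the diagram. Beyond what the slides state, it adds the check a practitioner wants after the fact: `Orphans` lists enabled accounts that no authoritative HR record backs, which is the standing access that real-time de-provisioning exists to prevent.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is a user's state in one connected system (constructed model).
type Account struct {
	Enabled bool
	Groups  []string
}

// Connector reads and writes one target system; FIM's management agents talk
// to AD, LDAP, SQL and so on, here each target is simply a map.
type Connector struct {
	Name     string
	Accounts map[string]*Account
}

// AuditEntry is one line of the audit trail the lifecycle keeps.
type AuditEntry struct {
	When         time.Time
	System, User string
	Action       string
}

// Lifecycle synchronizes an authoritative HR source (user -> groups) into
// every target and records each change it makes.
type Lifecycle struct {
	HR      map[string][]string
	Targets []*Connector
	Audit   []AuditEntry
}

func (l *Lifecycle) record(now time.Time, system, user, action string) {
	l.Audit = append(l.Audit, AuditEntry{When: now, System: system, User: user, Action: action})
}

// Provision creates or updates the user in every target from the HR record;
// a user the HR source does not know is never provisioned.
func (l *Lifecycle) Provision(user string, now time.Time) error {
	groups, ok := l.HR[user]
	if !ok {
		return fmt.Errorf("provision %q: no authoritative HR record", user)
	}
	for _, t := range l.Targets {
		action := "update"
		if _, exists := t.Accounts[user]; !exists {
			action = "create"
		}
		t.Accounts[user] = &Account{Enabled: true, Groups: append([]string(nil), groups...)}
		l.record(now, t.Name, user, action)
	}
	return nil
}

// Deprovision disables the user everywhere at once and strips group
// memberships; deleting the object can follow later, after a retention period.
func (l *Lifecycle) Deprovision(user string, now time.Time) {
	delete(l.HR, user)
	for _, t := range l.Targets {
		if a, exists := t.Accounts[user]; exists && a.Enabled {
			a.Enabled, a.Groups = false, nil
			l.record(now, t.Name, user, "disable")
		}
	}
}

// Orphans returns, per target, the enabled accounts that no HR record backs.
func (l *Lifecycle) Orphans() map[string][]string {
	out := map[string][]string{}
	for _, t := range l.Targets {
		for user, a := range t.Accounts {
			if _, ok := l.HR[user]; a.Enabled && !ok {
				out[t.Name] = append(out[t.Name], user)
			}
		}
		sort.Strings(out[t.Name])
	}
	return out
}

func main() {
	// Constructed targets: a stale service account already exists in AD with no HR record.
	ad := &Connector{Name: "Active Directory", Accounts: map[string]*Account{"svc_old": {Enabled: true}}}
	db := &Connector{Name: "SQL Server", Accounts: map[string]*Account{}}
	l := &Lifecycle{HR: map[string][]string{"alice": {"Sales"}}, Targets: []*Connector{ad, db}}
	now := time.Now()
	_ = l.Provision("alice", now)
	l.Deprovision("alice", now)
	fmt.Println(l.Orphans(), len(l.Audit))
}
```

Disabling rather than deleting on de-provision keeps the audit trail and group history intact for forensics while removing access immediately; the orphan report is what catches accounts that were created outside the lifecycle and so never had an HR record to retire.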

Page 17: Iam

SharePoint-Based Management Console

Add-in for Office

Self Service Group Management

• Self-service group and distribution list management with the FIM 2010 Web portal

• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity

• Enables users to use Outlook to manage approvals while they are offline

• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory

• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes

Page 18: Iam

Self-Service Password Management

• Enables users to reset their own passwords through both Windows logon and the FIM password reset portal

• Controls helpdesk costs by enabling end users to manage certain parts of their own identities

• Improves security and compliance with minimal errors while managing multiple identities and passwords

• FIM capabilities integrated with Windows logon

• Randomly selects a number of questions

Flow: End User → User requests password reset → FIM Server → Password updates → Active Directory, Oracle, SQL Server, Notes, LDAP

Reset Password

Page 19: Iam

Summary

Learn more at www.microsoft.com/forefront

PROTECT everywhere, ACCESS anywhere

INTEGRATE and EXTEND security

SIMPLIFY security, MANAGE compliance

Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device

• Provide more secure, always-on access

• Enable access from virtually any device

• Extend powerful self-service capabilities to users

• Automate and simplify management tasks

• Control access across organizations

• Provide standards-based interoperability

Page 20: Iam

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

