
Business Ready Security: Exploring the Identity and Access Management Solution


Presentation Transcript


  1. SESSION CODE: SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution | Brjann Brekkan, Sr. Technical Product Manager, Microsoft Corporation

  2. Business Ready Security: Help securely enable business by managing risk and empowering people
     • Protect everywhere, access anywhere
     • Integrate and extend security across the enterprise
     • Simplify the security experience, manage compliance
     (Diagram: Identity, Access, Protection and Management, across on-premises & cloud, on a Highly Secure & Interoperable Platform. From → to: Block → Enable, Cost → Value, Siloed → Seamless)

  3. Current Situation: time and labor intensive process
     • Multiple identities and limited sign-on help
     • Password reset and access requests handled through help desk
     • Different sign-on requirements for applications
     • Remote access solution with separate identities
     (Diagram: on-premises Contoso, remote employees and partner Fabrikam; Contoso managing Fabrikam accounts and Fabrikam managing Contoso accounts)

  4. Business Ready Security Solutions: Secure Messaging, Secure Collaboration, Secure Endpoint, Information Protection, Identity and Access Management

  5. Identity and Access Management: Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
     Pillars: PROTECT everywhere, ACCESS anywhere, INTEGRATE and EXTEND security, SIMPLIFY security and MANAGE compliance
     • Provide more secure, always-on access
     • Enable access from virtually any device
     • Control access across organizations
     • Provide standards-based interoperability
     • Extend powerful self-service capabilities to users
     • Automate and simplify management tasks

  6. Simplify Identity Management: governed self-service and automation
     • Empower Business
       • Self-service profile, credential, and group management
       • Password and PIN reset from Windows login
       • Group management from within Microsoft Office
       • Single identity across heterogeneous applications
     • Empower IT
       • End-to-end, workflow-driven user provisioning
       • Policy-controlled self-service capabilities
       • Automatic, attribute-based group membership for simplified resource access
     (Diagram: Identity Management, Credential Management, Group Management)
     “With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations.” René Chevremont, Head of Access Management, Banque de Luxembourg. Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006579/

  7. Identity Management: user provisioning
     • Policy-based identity lifecycle management system
     • Built-in workflow for identity management
     • Automatically synchronize all user information to different directories across the enterprise
     • Automates the process of on-boarding users
     (Diagram: user enrollment in the HR System → FIM → workflow → approval by the manager → user provisioned to Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM)
     “With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution.” Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company. Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/

  8. Identity Synchronization and Consistency: identity synchronization across multiple directories (identity data aggregation)
     Attribute ownership: the HR System owns FirstName, LastName and EmployeeID; the SQL Server DB owns Title; Active Directory/Exchange owns E-Mail; LDAP owns Telephone.
     • HR System: givenName Samantha, sn Dearing, employeeID 007 (title, mail and telephone not set)
     • SQL Server DB: givenName Samara, sn Darling, title Coordinator, employeeID 007
     • Active Directory/Exchange: givenName Sam, sn Dearing, title Intern, mail someone@example.com, employeeID 007
     • LDAP: givenName Sammy, sn Dearling, employeeID 008, telephone 555-0129
     • Identity Manager (aggregated record): givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129

  9. Identity Synchronization and Consistency: identity consistency across multiple directories (identity data brokering, or convergence)
     The Identity Manager holds the aggregated record (givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129) and flows it back to every connected directory, so incorrect or missing information in the SQL Server DB (Samara, Darling), Active Directory/Exchange (Sam, Intern) and LDAP (Sammy, Dearling, employeeID 008) is replaced by the owning source's value.
     • HR System: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129
     • SQL Server DB: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129
     • Active Directory/Exchange: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129
     • LDAP: givenName Samantha, sn Dearing, title Coordinator, mail someone@example.com, employeeID 007, telephone 555-0129
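A minimal model of the attribute-ownership synchronization shown on slides 8 and 9, added here as an illustration (it is not code from the deck or from FIM): each connected directory contributes a record, an ownership table decides which source is authoritative for each attribute, and the converged record is diffed against every directory to find what must be written back. The source names, records and ownership table below are constructed for the example.

```python
# Added example, not from the deck: attribute ownership (precedence) based
# aggregation followed by convergence, as sketched on slides 8 and 9.

# Constructed sample records, one per connected directory (slide 8).
SOURCES = {
    "HR System":     {"givenName": "Samantha", "sn": "Dearing", "employeeID": "007"},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
                      "employeeID": "007"},
    "AD/Exchange":   {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                      "mail": "someone@example.com", "employeeID": "007"},
    "LDAP":          {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008",
                      "telephone": "555-0129"},
}

# Attribute ownership: for each attribute, the sources allowed to set it, in
# precedence order. The first listed source that holds a value wins; a
# directory not listed for an attribute can never overwrite it.
OWNERSHIP = {
    "givenName":  ["HR System"],
    "sn":         ["HR System"],
    "employeeID": ["HR System"],
    "title":      ["SQL Server DB"],
    "mail":       ["AD/Exchange"],
    "telephone":  ["LDAP"],
}


def aggregate(sources, ownership):
    """Build the aggregated (metaverse) record: one value per attribute,
    taken from the highest-precedence owner that supplies a non-empty value."""
    record = {}
    for attr, owners in ownership.items():
        for owner in owners:
            value = sources.get(owner, {}).get(attr)
            if value:
                record[attr] = value
                break
    return record


def converge(sources, record):
    """Return, per directory, the attributes that differ from the aggregated
    record and so must be written back (slide 9 flows every attribute to
    every directory, which this simplified model mirrors)."""
    fixes = {}
    for name, data in sources.items():
        diff = {a: v for a, v in record.items() if data.get(a) != v}
        if diff:
            fixes[name] = diff
    return fixes
```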

  10. Certificate and Smart Card Management
     • Increase access security beyond username and password solutions
     • Streamline deployment by enrolling user and computer certificates without user intervention
     • Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
     • Enhance remote access security through certificates with Network Access Protection
     • Stronger authentication through certificates for administrative access and management
     (Diagram, with End User, HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS) and SmartCard: user enrollment and authentication request sent by the HR System; FIM policy triggers a request for FIM CM to issue a certificate or SmartCard; FIM Certificate Management (CM) requests certificate creation from AD CS; the certificate is issued to the user and written to either the machine or the smart card)
     “We’re confident that we have a security infrastructure that will help protect … our customers’ data while logging every user action, for a more flexible and adaptive IT infrastructure.” Thomas Pfeifer, Solution Engineer, T-Systems. Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006605/

  11. Group Management
     • Self-service group and distribution list management with the FIM 2010 Web portal
     • Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
     • Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
     • Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on the user’s attributes
     (Screenshots: FIM Add-in for Outlook; SharePoint-based management console)

  12. Advanced Group Management
     • Integrates with Exchange and Outlook
     • Manages distribution and security groups
     (Diagram: self-service group management, criteria-based group membership, integrated approval)

  13. Workflow Management
     • Enables IT to quickly define, automate, and enforce identity management policies
     • IT can use the integrated workflow in the approval/rejection process
     • Automatic notifications for request approvals or rejections

  14. Self-Service Password Management
     • Enables users to reset their own passwords through both Windows logon and the FIM password reset portal
     • Controls helpdesk costs by enabling end users to manage certain parts of their own identities
     • Improves security and compliance with minimal errors while managing multiple identities and passwords
     (Diagram: the end user requests a password reset → FIM Server → passwords updated in Active Directory, Oracle, SQL Server and IBM DS LDAP)

  15. Demo: Synchronization and Provisioning. Defining attribute flows; Trey Engineering has decided to automate the HR process.

  16. Secure and Seamless Access
     • Integrated SSL VPN capabilities for both managed and non-managed clients
     • Simplified remote access by non-Windows, down-level, or non-trusted endpoints
     • UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure
     (Diagram: Internet clients, i.e. mobile, home/kiosk, employees/partners on non-managed devices and employees on managed devices, reach the data center/corporate network over HTTPS (443), HTTP, Layer 3 VPN or DirectAccess; authentication and policy via SmartCard, RADIUS, LDAP, etc.; published resources include Terminal Services, Remote Desktop, Citrix, CRM, IBM, SAP, Oracle and non-Web, legacy and down-level applications)

  17. Demo: Providing Secure Access. Woodgrove Bank is setting up a process for managers to create contractors, and providing contractors with secure remote access to corporate resources.

  18. Provide More Secure, Anywhere Access
     • Trusted clients, DirectAccess: Empower Business with seamless and more secure access and simplified, always-on access; Empower IT with policy-based network access and the ability to manage machines anywhere
     • Trusted clients, SSL VPN: Empower Business with a consolidated secure portal to simplify remote access to resources and simplified sign-on; Empower IT with policy-based resource access
     • Untrusted clients, SSL VPN: Empower Business with access from virtually any device; Empower IT with policy-based restricted access

  19. Extend Access Across Organizations
     • Empower Business
       • Ability to move seamlessly between applications using a single identity
       • Collaboration across organizations
     • Empower IT
       • No need to manage external accounts
       • Simplified and flexible claims-based federation
       • Common authentication controls for building custom applications
     (Diagram: on-premises Active Directory and Federation Services connected to partners and external users/customers over WS-* and SAML 2.0)
     “We will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners.” Armand Martin, Enterprise Architect, Security, Dow Corning. Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006589/

  20. Active Directory Federation Services
     • Shared identity with partner organizations and cloud services
     • Boost cross-organizational efficiency and communication with more secure access
     • Support the sharing of rights-protected messages between organizations
     • Improved support for Microsoft SharePoint Server as a claims-aware application
     (Diagram: Trey Research account forest and Woodgrove Bank resource forest joined by a federation trust, each with AD FS and AD DS; the resource forest also hosts AD RMS, Exchange 2010 and a SharePoint Server farm. Flow: the user authenticates with their account credentials, is redirected to the Security Token Service (STS), receives a security token carrying claims, and posts the claims to the application for access)

  21. Cloud Services Single Sign On: extended to collaboration
     • Implements a single user access model with native single sign on (SSO) and easier federation to on-premises and cloud services
     • Helps provide consistent security with a single user access model externalized from applications
     • Based on open, industry standard protocols for interoperability
     (Diagram: a corporate user in AD DS obtains a security token (e.g., a Kerberos ticket) from AD FS and uses it for Exchange, SharePoint, an internal app and claims-aware applications, including a partner’s claims-aware application)
     • Shared identity with partners and cloud services
     • Boost cross-organizational efficiency
     • Share rights-protected messages
     • Improved support for SharePoint as a claims-aware application
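A simplified model of the slide 20 and 21 token flow, added here as an illustration and not code from the deck or from AD FS: the account partner's STS signs a token carrying claims, and the resource partner's federation service accepts it only when the signature matches the key established by the federation trust, the audience is its own relying party and the token has not expired. Real AD FS uses X.509-signed SAML or WS-Federation tokens; the HMAC key, partner names and claim names here are constructed placeholders.

```python
# Added example, not from the deck: a signed claims token crossing a
# federation trust between an account partner and a resource partner.
import hashlib
import hmac
import json


def issue_token(key, issuer, audience, claims, now, lifetime=300):
    """Account-partner STS: bind the claims to issuer, audience and an
    expiry time, then sign the whole payload with the trust key."""
    body = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def accept_token(trusts, my_audience, token, now):
    """Resource-partner federation service: look up the issuer in the
    configured federation trusts, verify the signature with that partner's
    key, then check audience and expiry. Returns the claims on success and
    raises ValueError otherwise, so nothing is trusted before verification."""
    body = json.loads(token["payload"])
    key = trusts.get(body.get("iss"))
    if key is None:
        raise ValueError("no federation trust with issuer")
    expected = hmac.new(key, token["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature does not match the trusted partner key")
    if body.get("aud") != my_audience:
        raise ValueError("token was not issued for this relying party")
    if body.get("exp", 0) <= now:
        raise ValueError("token expired")
    return body["claims"]


# Constructed placeholders: the trust key and partner/relying-party names.
TRUST_KEY = b"constructed-federation-trust-key"
TRUSTS = {"Trey Research": TRUST_KEY}          # account partners we trust
RELYING_PARTY = "Woodgrove Bank SharePoint"    # our own application


def demo(now=1_000_000):
    """End to end: Trey Research issues, Woodgrove Bank accepts."""
    tok = issue_token(TRUST_KEY, "Trey Research", RELYING_PARTY,
                      {"name": "sample.user", "employeeType": "Contractor"}, now)
    return accept_token(TRUSTS, RELYING_PARTY, tok, now + 10)
```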

  22. Federation with service providers
     • Call to Action: provide additional services offering heterogeneous federation, extending on-premises AD to services
     • An organization with AD has integrated federation
     (Diagram: Customer Data Center Federation Service and Cloud Datacenter Federation Service; SSO to hosted services with standards based federation; federated identity)

  23. Identity and Access Management: integrated across on-premises to cloud
     (Diagram: AD DS, AD FS 2.0 and FIM at the center; Windows Integrated/Kerberos/ADFS to partners; WS-* and SAML claims to cloud services and claims-aware applications; workflow, self service and SharePoint profiles and access; HR System, SAP and other apps, SQL Server and other user data stores; Exchange GAL & DL; attributes such as phone, title, department, manager, group, role and client list)

  24. Demo: Extending IAM to partners for cross organizational collaboration. Configuring claims across organizations; HR driven data modifies access to the partner network.

  25. Identity and Access Management: single identity across resources
     • Customer ID is used in the cloud
     • Seamless access to resources on-premises or in the cloud
     • Extending AD to access partner resources
     (Diagram: employees, remote employees and partners connected to on-premises Active Directory and Federation Services over WS-* and SAML 2.0)

  26. Related Content (* Brjann presenting)
     • SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
     • SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
     • SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
     • SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
     • SIA304 | Identity and Access Management: Windows Identity Foundation Overview
     • SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
     • SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
     • SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
     • SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
     • SIA319 | Microsoft Forefront Identity Manager 2010: In Production *
     • SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
     • SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
     • SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager *
     • SIA06-INT | Identity and Access Management Solution Demos
     • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
     • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
     • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution *

  27. Track Resources
     • Learn more about our solutions: http://www.microsoft.com/forefront
     • Try our products: http://www.microsoft.com/forefront/trial

  28. Resources
     • Learning: Sessions On-Demand & Community (www.microsoft.com/teched); Microsoft Certification & Training Resources (www.microsoft.com/learning)
     • Resources for IT Professionals: http://microsoft.com/technet
     • Resources for Developers: http://microsoft.com/msdn

  29. Complete an evaluation on CommNet and enter to win!

  30. Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

  31. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
