Business Ready Security: Exploring the Identity and Access Management Solution. Brjann Brekkan, Sr. Technical Product Manager, Microsoft Corporation. Session code: SIA321

Mar 29, 2015

Page 1: Brjann Brekkan Sr. Technical Product Manager Microsoft Corporation SESSION CODE: SIA321.


Page 2:

Business Ready Security: help securely enable business by managing risk and empowering people, across on-premises and cloud.

[Figure: the shift the approach aims for, from Block, Cost and Siloed to Enable, Value and Seamless, resting on three pillars over a highly secure and interoperable platform with Identity at its base:]

• Protect everywhere, access anywhere

• Integrate and extend security across the enterprise

• Simplify the security experience, manage compliance

Page 3:

Current situation: a time- and labor-intensive process

• Password reset and access requests handled through the help desk

• Multiple identities and limited sign-on help

• Different sign-on requirements for applications

• Remote access solution with separate identities

• Contoso managing Fabrikam accounts, and Fabrikam managing Contoso accounts

Page 4:

Business Ready Security Solutions

[Figure: the solution areas, with Identity and Access Management at the center]

• Identity and Access Management

• Secure Messaging

• Secure Endpoint

• Secure Collaboration

• Information Protection

Page 5:

Identity and Access Management

Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device.

PROTECT everywhere, ACCESS anywhere; INTEGRATE and EXTEND security; SIMPLIFY security, MANAGE compliance

• Provide more secure, always-on access

• Enable access from virtually any device

• Extend powerful self-service capabilities to users

• Automate and simplify management tasks

• Control access across organizations

• Provide standards-based interoperability

Page 6:

Simplify Identity Management: governed self-service and automation

Empower Business

• Self-service profile, credential, and group management

• Password and PIN reset from Windows login

• Group management from within Microsoft Office

• Single identity across heterogeneous applications

Empower IT

• End-to-end, workflow-driven user provisioning

• Policy-controlled self-service capabilities

• Automatic, attribute-based group membership for simplified resource access

“With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations.”

René Chevremont, Head of Access Management, Banque de Luxembourg

Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006579/

Page 7:

Identity Management: user provisioning

• Policy-based identity lifecycle management system

• Built-in workflow for identity management

• Automatically synchronizes all user information to the different directories across the enterprise

• Automates the process of on-boarding users

[Figure: provisioning flow. The HR system feeds FIM; a FIM workflow sends the user enrollment to the manager for approval; once approved, the user is provisioned to the connected systems (Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB) and to FIM CM.]

“With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution.”

Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company

Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/

Page 8:

Identity Synchronization and Consistency: identity synchronization across multiple directories

[Figure: identity data aggregation. Identity Manager connects to the HR system, an LDAP directory, Active Directory/Exchange and a SQL Server database. Each holds a partial and mutually inconsistent record for the same person over the attributes givenName, sn, title, mail, employeeID and telephone:]

• Sammy Dearling, employeeID 008

• Samara Darling, employeeID 007

• Sam Dearing, Intern, employeeID 007

• Samantha Dearing, Coordinator, employeeID 007, [email protected], telephone 555-0129

Aggregated identity data: Samantha Dearing, employeeID 007, Coordinator, [email protected], 555-0129

Attribute ownership (each attribute has one authoritative source): First Name/Last Name, Employee ID, Title, E-Mail, Telephone

Page 9:

Identity Synchronization and Consistency: identity consistency across multiple directories

Attribute ownership: First Name/Last Name, Employee ID, Title, E-Mail, Telephone

[Figure: identity data brokering (convergence). Identity Manager takes the inconsistent records held by the HR system, LDAP, Active Directory/Exchange and SQL Server (Sammy Dearling, 007; Samara Darling, 007; Sam Dearing, Intern, 007; Bob Dearing, 007, Coordinator, 555-0129) and writes the owning system's value of each attribute back to every directory, so that all of them end up holding the same record: Samantha Dearing, Coordinator, employeeID 007, [email protected], telephone 555-0129.]
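The aggregation and convergence step the two slides above describe, as an added example that is not part of the deck and is not FIM code: four connected systems hold inconsistent records for one person, each attribute has a ranked list of authoritative sources, and the code computes the join, the winning value per attribute and the delta each system must receive. The system names, precedence rules, export lists and records are constructed for the example; a row that exists only outside the anchor system is reported as an orphan rather than provisioned.

```python
"""Model of attribute ownership and convergence from the identity-
synchronization slides. Added example; not code from the deck or FIM.
Four connected systems hold inconsistent records for one person; each
attribute has a ranked list of authoritative sources; records are joined
on an anchor attribute, the winning value per attribute is written to a
central (metaverse) record, and the delta each system must receive is
computed. All system names, rules and records are constructed."""

JOIN_KEY = "employeeID"
ANCHOR_SYSTEM = "HR"   # assumption: only HR may bring a new identity into existence

# Attribute precedence: the first listed system that supplies a value wins.
PRECEDENCE = {
    "givenName": ["HR", "AD", "LDAP", "SQL"],
    "sn":        ["HR", "AD", "LDAP", "SQL"],
    "title":     ["HR", "AD"],
    "mail":      ["AD"],            # the mail system owns e-mail
    "telephone": ["SQL", "AD"],     # the phone directory owns telephone
}

# Attributes each connected system receives on export.
EXPORT_ATTRS = {
    "HR":   ["givenName", "sn", "title", "mail", "telephone"],
    "LDAP": ["givenName", "sn", "mail", "telephone"],
    "AD":   ["givenName", "sn", "title", "mail", "telephone"],
    "SQL":  ["givenName", "sn", "telephone"],
}

# Constructed sample data in the spirit of the slide: four views of one
# employee, plus a SQL row (008) with no counterpart in HR.
SOURCE_RECORDS = {
    "HR":   [{"employeeID": "007", "givenName": "Samantha", "sn": "Dearing",
              "title": "Coordinator"}],
    "LDAP": [{"employeeID": "007", "givenName": "Samara", "sn": "Darling"}],
    "AD":   [{"employeeID": "007", "givenName": "Sam", "sn": "Dearing",
              "title": "Intern", "mail": "samantha.dearing@contoso.example"}],
    "SQL":  [{"employeeID": "007", "givenName": "Sammy", "sn": "Dearling",
              "telephone": "555-0129"},
             {"employeeID": "008", "givenName": "Sammy", "sn": "Dearling"}],
}


def join_records(source_records, join_key=JOIN_KEY):
    """Group every source record by its join key: {key: {system: record}}."""
    joined = {}
    for system, records in source_records.items():
        for rec in records:
            key = rec.get(join_key)
            if not key:
                raise ValueError(f"{system} record lacks {join_key}: {rec!r}")
            joined.setdefault(key, {})[system] = rec
    return joined


def converge(views, precedence=PRECEDENCE):
    """Choose one value per attribute from the joined views by precedence.
    An attribute none of its owners supplies stays absent rather than guessed."""
    record = {}
    for attr, sources in precedence.items():
        for system in sources:
            value = views.get(system, {}).get(attr)
            if value:
                record[attr] = value
                break
    return record


def synchronize(source_records=SOURCE_RECORDS, anchor=ANCHOR_SYSTEM):
    """Return (metaverse, deltas, orphans).

    metaverse: converged record per join key
    deltas:    {system: {key: {attr: new_value}}}, what each system must be sent
    orphans:   join keys seen only outside the anchor system; reported, not
               provisioned, so a stray row cannot create an identity"""
    metaverse, deltas, orphans = {}, {}, []
    for key, views in join_records(source_records).items():
        if anchor not in views:
            orphans.append(key)
            continue
        record = converge(views)
        record[JOIN_KEY] = key
        metaverse[key] = record
        for system, attrs in EXPORT_ATTRS.items():
            current = views.get(system)
            if current is None:
                continue   # no object there yet; that is provisioning, not sync
            changes = {a: record[a] for a in attrs
                       if a in record and current.get(a) != record[a]}
            if changes:
                deltas.setdefault(system, {})[key] = changes
    return metaverse, deltas, orphans


if __name__ == "__main__":
    metaverse, deltas, orphans = synchronize()
    for key, rec in metaverse.items():
        print("converged", key, rec)
    for system, per_key in deltas.items():
        print("export to", system, per_key)
    print("orphans (present outside HR only):", orphans)
```

The precedence table is the part worth getting right in a real deployment: whichever system is first in a list can overwrite that attribute everywhere else, so a writable connector to a low-trust source (a self-service phone directory, say) must never be ranked above HR for name, title or employee ID.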

Page 10:

Certificate and Smart Card Management

• Increase access security beyond username and password solutions

• Streamline deployment by enrolling user and computer certificates without user intervention

• Simplify certificate and smart card management using Forefront Identity Manager (FIM)

• Enhance remote access security through certificates with Network Access Protection

• Stronger authentication through certificates for administrative access and management

[Figure: certificate issuance flow between the HR system, FIM, FIM CM, Active Directory Certificate Services (AD CS) and the end user]

• User enrollment and authentication request sent by the HR system

• FIM policy triggers a request for FIM CM to issue a certificate or smart card

• FIM Certificate Management (CM) requests certificate creation from AD CS

• Certificate is issued to the end user and written to either the machine or the smart card

“We’re confident that we have a security infrastructure that will help protect … our customers’ data while logging every user action, for a more flexible and adaptive IT infrastructure.”

Thomas Pfeifer, Solution Engineer, T-Systems

Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006605/

Page 11:

Group Management

• Self-service group and distribution list management with the FIM 2010 Web portal (SharePoint-based management console)

• Office integration allows users to manage group membership from within Microsoft Office Outlook® (FIM Add-in for Outlook) for maximum productivity

• Automatically add users to the appropriate group, based on their employee type, at the time they are provisioned to Active Directory

• Group and distribution list management, including dynamic membership calculation for these groups and distribution lists based on users’ attributes

Page 12:

Advanced Group Management

• Self-service group management

• Integrated approval

• Integrates with Exchange and Outlook

• Manages distribution and security groups

• Criteria-based group membership
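Criteria-based membership, as an added example that is not from the deck and not FIM code: a group's members are whoever currently satisfies its criteria over user attributes, so re-evaluating after an HR-driven change yields exactly the adds and removes the directory needs. The users, groups, attribute names and criteria are constructed; the enabled-account check and the deliberately check-free reporting group are design choices of the example.

```python
"""Criteria-based group membership as described on the group-management
slides. Added example; not code from the deck or FIM. A group's members
are whoever currently satisfies its criteria over user attributes, so an
HR-driven attribute change produces the adds and removes that must be
applied to the directory. Users, groups and criteria are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Criterion:
    attribute: str
    op: str          # one of "eq", "ne", "in", "startswith"
    value: object

    def matches(self, user):
        actual = user.get(self.attribute)
        if actual is None:
            return False   # a missing attribute never satisfies a criterion, even "ne"
        if self.op == "eq":
            return actual == self.value
        if self.op == "ne":
            return actual != self.value
        if self.op == "in":
            return actual in self.value
        if self.op == "startswith":
            return str(actual).startswith(self.value)
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class CriteriaGroup:
    name: str
    criteria: tuple                                # every criterion must hold
    members: set = field(default_factory=set)      # membership as currently in the directory

    def evaluate(self, users):
        """Compute who should be a member right now."""
        return {uid for uid, attrs in users.items()
                if all(c.matches(attrs) for c in self.criteria)}

    def apply(self, users):
        """Bring stored membership in line with the criteria; return (adds, removes)."""
        wanted = self.evaluate(users)
        adds, removes = wanted - self.members, self.members - wanted
        self.members = wanted
        return adds, removes


# Constructed sample directory; svc-backup deliberately has no department.
USERS = {
    "sdearing":   {"employeeType": "FullTime",   "department": "Finance",     "accountEnabled": True},
    "pgrant":     {"employeeType": "Contractor", "department": "Finance",     "accountEnabled": True},
    "jlee":       {"employeeType": "FullTime",   "department": "Engineering", "accountEnabled": True},
    "mnoor":      {"employeeType": "Contractor", "department": "Engineering", "accountEnabled": True},
    "svc-backup": {"employeeType": "Service",    "accountEnabled": True},
}


def build_groups():
    enabled = Criterion("accountEnabled", "eq", True)
    return {
        "All-FTE": CriteriaGroup("All-FTE", (enabled, Criterion("employeeType", "eq", "FullTime"))),
        "Finance-Staff": CriteriaGroup("Finance-Staff", (
            enabled,
            Criterion("department", "eq", "Finance"),
            Criterion("employeeType", "in", ("FullTime", "Contractor")))),
        # Disabled contractors stay listed here on purpose: the group is
        # used for reporting, not access, so it carries no enabled check.
        "Contractors": CriteriaGroup("Contractors", (Criterion("employeeType", "eq", "Contractor"),)),
    }


def run_scenario(users=USERS):
    """Populate the groups, then replay two HR-driven changes and return
    (membership before, {group: (adds, removes)} after)."""
    users = {uid: dict(attrs) for uid, attrs in users.items()}   # work on a copy
    groups = build_groups()
    for group in groups.values():
        group.apply(users)                 # initial population, as at provisioning time
    before = {name: set(g.members) for name, g in groups.items()}
    users["pgrant"]["employeeType"] = "FullTime"   # contractor hired as an employee
    users["jlee"]["accountEnabled"] = False        # employee leaves; access must drop everywhere
    changes = {name: g.apply(users) for name, g in groups.items()}
    return before, changes


if __name__ == "__main__":
    before, changes = run_scenario()
    for name in before:
        adds, removes = changes[name]
        print(f"{name}: was {sorted(before[name])}, add {sorted(adds)}, remove {sorted(removes)}")
```

Two details matter for a security group as opposed to a distribution list: a missing attribute must fail the criterion rather than silently pass a "not equal" test, and any group that grants access should carry the enabled-account criterion so that a leaver is removed on the next evaluation without anyone remembering to do it.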

Page 13:

Workflow Management

• Enables IT to quickly define, automate, and enforce identity management policies

• IT can use the integrated workflow in the approval/rejection process

• Automatic notifications for request approvals or rejections

Page 14:

Self-Service Password Management

• Enables users to reset their own passwords through both the Windows logon screen and the FIM password reset portal

• Controls helpdesk costs by enabling end users to manage certain parts of their own identities

• Improves security and compliance with minimal errors while managing multiple identities and passwords

[Figure: the end user requests a password reset; the FIM server then updates the password in each connected directory (Active Directory, Oracle, SQL Server, IBM DS, LDAP).]

Page 15:

Demo: Synchronization and Provisioning. Defining attribute flows; Trey Engineering has decided to automate its HR process.

Page 16:

Secure and Seamless Access

• Integrated SSL VPN capabilities for both managed and non-managed clients

• Simplified remote access by non-Windows, down-level, or non-trusted endpoints

• UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure

[Figure: access paths from the Internet into the data center/corporate network. Managed employee machines: DirectAccess. Employees and partners on non-managed machines (home/kiosk) and mobile devices: HTTPS (443) to a Layer 3 VPN, or HTTPS/HTTP to Terminal Services, Remote Desktop or Citrix. Authentication and policy: smart card, RADIUS, LDAP and others. Back-end targets: CRM, IBM, SAP, Oracle, non-web, legacy and down-level applications.]

Page 17:

Demo: Providing Secure Access. Woodgrove Bank is setting up a process for managers to create contractors, and providing contractors with secure remote access to corporate resources.

Page 18:

Provide More Secure, Anywhere Access

[Figure: three columns; the column labels read DirectAccess, SSL VPN and SSL VPN]

Empower Business

• Consolidated secure portal to simplify remote access to resources

• Simplified sign-on

Empower IT

• Policy-based resource access

Empower Business

• Seamless and more secure access

• Simplified, always-on access

Empower IT

• Policy-based network access

• Ability to manage machines anywhere

Empower Business

• Access from virtually any device

Empower IT

• Policy-based restricted access

Page 19:

Extend Access Across Organizations

Empower Business

• Ability to move seamlessly between applications using a single identity

• Collaboration across organizations

Empower IT

• No need to manage external accounts

• Simplified and flexible claims-based federation

• Common authentication controls for building custom applications

“We will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners.”

Armand Martin, Enterprise Architect, Security, Dow Corning

Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006589/

Page 20:

Active Directory Federation Services

• Shared identity with partner organizations and cloud services

• Boost cross-organizational efficiency and communication with more secure access

− Support the sharing of rights-protected messages between organizations

− Improved support for Microsoft SharePoint Server as a claims-aware application

[Figure: federation between the Trey Research account forest (AD DS, AD FS) and the Woodgrove Bank resource forest (AD DS, AD FS, AD RMS, a SharePoint Server farm and Exchange 2010), linked by a federation trust. A business partner’s user requests application access at Woodgrove Bank and is redirected to the security token service (STS); the user authenticates with the user account and credentials held in the Trey Research account forest, receives a security token carrying claims, and posts the claims to the Woodgrove Bank application.]
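The exchange in the figure above, as an added example that is not from the deck and is not AD FS: the account partner's STS authenticates the user against its own directory, turns attributes and group memberships into claims under issuance rules, and signs a token for the resource partner's application; the resource partner validates the token under the federation trust and authorizes from the claims alone, never holding an account for the partner user. The trust is modelled as a shared HMAC key, an assumption standing in for the X.509-signed SAML/WS-Federation tokens a real AD FS deployment issues; the issuer and audience URNs, users, key and issuance rules are constructed.

```python
"""Stripped-down model of the claims flow on the federation slides.
Added example; not code from the deck and not AD FS. The account
partner's security token service (STS) authenticates a user against its
own directory, turns attributes and group memberships into claims under
issuance rules, and signs a token for the resource partner's relying
party. The resource partner trusts the token because of the federation
trust, modelled here as a shared HMAC key (an assumption standing in for
the X.509-signed SAML/WS-Federation tokens real AD FS issues), validates
it, and authorizes from the claims without holding an account for the
partner user. Users, keys, names and rules are constructed."""
import base64
import hashlib
import hmac
import json
import time

# --- Account partner (Trey Research): directory and STS -------------------
TREY_DIRECTORY = {   # constructed; plaintext passwords only because this is a model
    "alice": {"password": "correct horse", "mail": "alice@treyresearch.example",
              "groups": ["Research-Staff", "Woodgrove-Project"]},
    "bob":   {"password": "battery staple", "mail": "bob@treyresearch.example",
              "groups": ["Research-Staff"]},
}
FEDERATION_KEY = b"key-exchanged-when-the-trust-was-set-up"   # constructed
STS_ISSUER = "urn:trey:sts"


def issuance_rules(username, user):
    """Claim issuance rules: pass name and e-mail through, map one group to a
    role the resource partner understands, and drop every other group."""
    roles = ["ProjectContributor"] if "Woodgrove-Project" in user["groups"] else []
    return {"name": username, "mail": user["mail"], "role": roles}


def sign_token(payload, key):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def sts_issue_token(username, password, audience, now=None, lifetime=600):
    """Authenticate at the account partner; on success issue a signed,
    audience-bound, short-lived token."""
    user = TREY_DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None                       # authentication failed; nothing leaves the STS
    now = time.time() if now is None else now
    payload = {"iss": STS_ISSUER, "aud": audience, "iat": now, "exp": now + lifetime,
               "claims": issuance_rules(username, user)}
    return sign_token(payload, FEDERATION_KEY)


# --- Resource partner (Woodgrove Bank): relying party ---------------------
TRUSTED_ISSUERS = {STS_ISSUER: FEDERATION_KEY}   # the federation trust
APP_AUDIENCE = "urn:woodgrove:projectportal"


def validate_token(token, now=None):
    """Return the claims if the token is authentic, meant for this app and
    unexpired; otherwise None."""
    try:
        body, mac = token.split(".")
        payload = json.loads(base64.urlsafe_b64decode(body))
    except Exception:
        return None
    if not isinstance(payload, dict):
        return None
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None                       # issuer is not a federation partner
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                       # forged or tampered token
    if payload.get("aud") != APP_AUDIENCE:
        return None                       # issued for a different application
    now = time.time() if now is None else now
    if now >= payload.get("exp", 0):
        return None                       # expired; blocks replay of old tokens
    return payload.get("claims")


def authorize(token, now=None):
    """Access decision made purely from claims; no Woodgrove account exists for the user."""
    claims = validate_token(token, now)
    if claims is None:
        return "deny: invalid token"
    if "ProjectContributor" in claims.get("role", []):
        return f"allow: {claims['mail']}"
    return f"deny: {claims['mail']} has no project role"


if __name__ == "__main__":
    token = sts_issue_token("alice", "correct horse", APP_AUDIENCE)
    print(authorize(token))
    print(authorize(sts_issue_token("bob", "battery staple", APP_AUDIENCE)))
```

The token format is deliberately minimal; what carries over to a real deployment is the order and completeness of the relying party's checks (trusted issuer, signature under the trust, audience, lifetime) and the fact that the issuance rules decide which of the partner's groups become claims at all. Leaving the audience check out would let a token issued for one Woodgrove application be replayed against another.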

Page 21:

Single Sign-On extended to collaboration

• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services

• Helps provide consistent security with a single user access model externalized from applications

• Based on open, industry-standard protocols for interoperability

• Shared identity with partners and cloud services

• Boost cross-organizational efficiency

− Share rights-protected messages

− Improved support for SharePoint as a claims-aware application

[Figure: a corporate user authenticates to AD DS and holds a security token (e.g., a Kerberos ticket); AD FS turns it into claims accepted by Exchange, SharePoint, an internal claims-aware application, a partner’s claims-aware application and claims-aware apps in cloud services.]

Page 22:

Federated Identity: federation with service providers

SSO to hosted services with standards-based federation

[Figure: a federation service in the customer data center federated with a federation service in the cloud datacenter.]

Call to action:

• Provide additional services offering heterogeneous federation, extending on-premises AD to services

• An organization with AD has integrated federation

Page 23:

Identity and Access Management integrated across on-premises to cloud

[Figure: the HR system and other user data stores feed FIM (self-service, workflow). FIM populates AD DS (phone, title, department, manager, group), which drives the Exchange GAL and distribution lists, SharePoint profiles and access, and SAP and other applications, all authenticated with Windows Integrated/Kerberos/AD FS. AD FS 2.0 issues WS-* and SAML claims to partner claims-aware applications and to claims-aware applications in cloud services; a SQL Server database supplies role and client-list data.]

Page 24:

Demo: Extending IAM to partners for cross-organizational collaboration. Configuring claims across organizations; HR-driven data modifies access to the partner network.

Page 25:

Identity and Access Management

• Seamless access to resources on-premises or in the cloud

• Extending AD to access partner resources

• Customer ID is used in the cloud

• Single identity across resources

Page 26:

Related Content

• SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation

• SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0

• SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown

• SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure

• SIA304 | Identity and Access Management: Windows Identity Foundation Overview

• SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove

• SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin

• SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT

• SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM

• SIA319 | Microsoft Forefront Identity Manager 2010: In Production*

• SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager

• SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0

• SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager*

• SIA06-INT | Identity and Access Management Solution Demos

• SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview

• SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory

• Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

* Brjann presenting

Page 27:

Track Resources

Learn more about our solutions: http://www.microsoft.com/forefront

Try our products: http://www.microsoft.com/forefront/trial

Page 28:

Resources

• Sessions On-Demand & Community: www.microsoft.com/teched

• Microsoft Certification & Training Resources (Learning): www.microsoft.com/learning

• Resources for IT Professionals: http://microsoft.com/technet

• Resources for Developers: http://microsoft.com/msdn

Page 29:

Complete an evaluation on CommNet and enter to win!

Page 30:

Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st

http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

Page 31:

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 32:

JUNE 7-10, 2010 | NEW ORLEANS, LA