Identity Management and Access Control
Nov 30, 2014
Business Ready Security Solutions
• Identity and Access Management
• Information Protection
• Secure Messaging
• Secure Endpoint
• Secure Collaboration
• Active Directory® Federation Services
Identity Lifecycle Management
Create: provision user, provision credentials, provision resources
Change: role changes; phone number or title change; password and PIN reset; resource requests
Retire: de-provision identities, revoke credentials, de-provision resources
Policy management across the whole lifecycle: policy enforcement, approvals and notifications, audit trails
Help desk load today: "lost" credentials, password reset, new entitlements
Today: Management Burden Is On IT
Developers: complex to develop custom applications; forced to develop business rules; challenge to learn different development models; hard to integrate systems
IT professionals: difficult to manage siloed identities; overloaded with help desk service requests; manually managing accounts and permissions; poor tools for managing user credentials
Information workers: call the help desk for password and access requests; wait for days or weeks for access; wait for IT to implement business policies
Result: greater complexity, wrong contexts, wrong people, higher costs
Aligning Experiences With The Right People
What is managed: users, access credentials, policy; operations on each: add, update, revoke, audit
Audiences: information workers, IT professionals, developers
Business-facing concerns: business rules & policy, permissions, group & role membership, distribution lists, passwords & PINs
IT concerns: architecture, deployment, system administration, governance, security, system & application integration & development
FIM 2010 Solution Areas
Credential Management
• Manage multiple credential types (passwords, certificates, smart cards)
• Self-service password reset integrated with Windows logon
• Support for multiple & partner reset gates (Q/A, smart card, speech, custom)
Group Management
• Delegated & self-service group and distribution list management
• Information worker self-service experiences through Office and SharePoint
• Automated group and distribution list updates
User Management
• Integrated provisioning of identities, credentials, and resources
• Automated, codeless user provisioning and de-provisioning
• Self-service and admin profile management
Policy Management
• Visual, natural-language process authoring & editing
• Extensible workflows through Windows Workflow Foundation
• Integrates with System Center for monitoring and control
Forefront Identity Manager in Action (architecture diagram)
FIM Portal: Policy Management, Credential Management, User Management, Group Management
Connected experiences: Windows log on, self-service integration, IT departments, ISV partner solutions, custom and LOB applications
Directories: Active Directory, Lotus Domino, LDAP
Databases: SQL Server, Oracle DB
Identity Management: User provisioning
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
Flow (diagram): HR System → FIM workflow → user enrollment → approval (manager) → user provisioned on all allowed systems, including FIM CM for credentials
Identity Management: User de-provisioning
• Automated user de-provisioning
• Built-in workflow for identity management
• Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Flow (diagram): HR System → FIM workflow → user de-provisioned → user de-provisioned or disabled on all systems: Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM
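The provisioning and de-provisioning flow on the two slides above (HR event, policy, workflow with an approval step, action on every connected system), as an added example written for this page; it is not FIM's own code. It also covers the approval step from the policy-management scenarios later in the deck (HR or CFO approval before access is granted) and adds the check a practitioner wants after a de-provisioning run: an orphan report of enabled accounts that have no active HR owner. The system names, the entitlement and approval policy, and the employee records are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class HrRecord:
    employee_id: str
    given_name: str
    sn: str
    department: str
    status: str  # "active" or "terminated"


@dataclass
class ConnectedSystem:
    """Stand-in for a management agent to one target (AD, Exchange, a LOB app)."""
    name: str
    accounts: dict = field(default_factory=dict)  # employee_id -> {"enabled": bool, ...}

    def provision(self, rec):
        self.accounts[rec.employee_id] = {"enabled": True, "sn": rec.sn}

    def disable(self, employee_id):
        self.accounts[employee_id]["enabled"] = False


class LifecycleEngine:
    def __init__(self, systems, entitlements, needs_approval, approver):
        self.systems = {s.name: s for s in systems}
        self.entitlements = entitlements      # HrRecord -> list of system names
        self.needs_approval = needs_approval  # (HrRecord, system name) -> bool
        self.approver = approver              # (HrRecord, system name) -> bool
        self.audit = []                       # every decision, for the audit trail

    def process(self, rec):
        """Entry point for an HR change event (joiner, mover or leaver)."""
        return self.deprovision(rec) if rec.status == "terminated" else self.provision(rec)

    def provision(self, rec):
        outcome = {}
        for name in self.entitlements(rec):
            if self.needs_approval(rec, name) and not self.approver(rec, name):
                outcome[name] = "denied"
            else:
                self.systems[name].provision(rec)
                outcome[name] = "provisioned"
            self.audit.append(("provision", rec.employee_id, name, outcome[name]))
        return outcome

    def deprovision(self, rec):
        """Disable the leaver in EVERY system that holds an account for them, not
        only those current policy entitles them to: accounts granted by hand or
        under an old role are exactly the ones a policy-only pass would miss."""
        outcome = {}
        for name, system in self.systems.items():
            if rec.employee_id in system.accounts:
                system.disable(rec.employee_id)
                outcome[name] = "disabled"
                self.audit.append(("disable", rec.employee_id, name, "disabled"))
        return outcome

    def orphans(self, hr_records):
        """Enabled accounts whose owner has no active HR record: the post-run check."""
        active = {r.employee_id for r in hr_records if r.status == "active"}
        return sorted((name, eid) for name, system in self.systems.items()
                      for eid, acct in system.accounts.items()
                      if acct["enabled"] and eid not in active)


def demo():
    """Constructed scenario: two Finance joiners, one leaver, one stray DB account."""
    systems = [ConnectedSystem(n) for n in
               ("Active Directory", "Exchange", "Finance App", "Oracle DB")]
    oracle = systems[3]
    oracle.accounts["009"] = {"enabled": True, "sn": "Unknown"}  # DBA-created, no HR record
    oracle.accounts["007"] = {"enabled": True, "sn": "Dearing"}  # out-of-policy grant

    def entitlements(rec):
        base = ["Active Directory", "Exchange"]
        return base + ["Finance App"] if rec.department == "Finance" else base

    # Assumed policy: the SOX-scoped finance application needs an explicit
    # approval (the CFO step in the deck); the approver has signed off on 007 only.
    def needs_approval(rec, name):
        return name == "Finance App"

    def approver(rec, name):
        return rec.employee_id in {"007"}

    engine = LifecycleEngine(systems, entitlements, needs_approval, approver)
    hr = [HrRecord("007", "Samantha", "Dearing", "Finance", "active"),
          HrRecord("008", "Sammy", "Dearling", "Finance", "active")]
    joiners = {r.employee_id: engine.process(r) for r in hr}

    hr[0] = HrRecord("007", "Samantha", "Dearing", "Finance", "terminated")  # leaver event
    leaver = engine.process(hr[0])
    return joiners, leaver, engine.orphans(hr), engine.audit


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The leaver's out-of-policy Oracle account is disabled along with the entitled ones because de-provisioning walks every connector rather than the entitlement list, and the orphan report still surfaces the DBA-created account 009, which no HR event will ever touch. The denied Finance App request for 008 lands in the audit list with the same shape as the grants, which is what makes the trail reviewable.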
Identity Synchronization and Consistency: identity synchronization across multiple directories
Connected systems: HR System, LDAP, Active Directory / Exchange, SQL Server DB; attributes compared: givenName, sn, title, mail, employeeID, telephone
Before aggregation the systems hold four divergent records for the same person:
• Sammy Dearling, employeeID 008
• Samara Darling, employeeID 007
• Sam Dearing, title Intern, employeeID 007
• Samantha Dearing, employeeID 007, title Coordinator, telephone 555-0129
Identity data aggregation in FIM yields one record: Samantha Dearing, employeeID 007, title Coordinator, telephone 555-0129
Identity Synchronization and Consistency: identity consistency across multiple directories
Attribute ownership: for each of FirstName, LastName, EmployeeID, Title and Telephone one connected system is authoritative, and only its value is brokered to the others
Connected systems: HR System, LDAP, Active Directory / Exchange, SQL Server DB
Before brokering: Sammy Dearling, 007; Samara Darling, 007; Sam Dearing, Intern, 007; Bob Dearing, Coordinator, 007, 555-0129
Identity data brokering (convergence): every connected system ends up holding Samantha Dearing, employeeID 007, title Coordinator, telephone 555-0129
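The aggregation and convergence shown on the two slides above, as an added example written for this page (it is a model, not FIM's synchronization engine). It joins connector records on employeeID, builds one identity using per-attribute precedence (the slide's attribute ownership), and computes the export back to each joined system. The sample records and their assignment to sources, the mail value and the precedence table are constructed assumptions. One edge case the slides gloss over is handled explicitly: the record carrying employeeID 008 does not join and is reported as a disconnector instead of being merged on a name resemblance, because merging on a guess would push one person's attributes into another person's accounts.

```python
from collections import defaultdict

ATTRIBUTES = ("givenName", "sn", "title", "mail", "employeeID", "telephone")
JOIN_ATTRIBUTE = "employeeID"   # the anchor records are joined on

# Constructed sample data: one person as held by four connected systems. The
# system names follow the slide; which record sits in which system, and the
# mail value, are assumptions made for this example.
SOURCES = {
    "HR System":   {"givenName": "Samantha", "sn": "Dearing", "title": "Coordinator",
                    "employeeID": "007"},
    "LDAP":        {"givenName": "Samara", "sn": "Darling", "employeeID": "007"},
    "AD/Exchange": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                    "employeeID": "007", "telephone": "555-0129",
                    "mail": "sdearing@example.com"},
    "SQL Server":  {"givenName": "Sammy", "sn": "Dearling", "employeeID": "008"},
}

# Attribute ownership (assumed): for each attribute, the systems allowed to
# assert it, most authoritative first. The first listed system that holds a
# value wins; a system not listed can never overwrite that attribute.
PRECEDENCE = {
    "givenName":  ["HR System", "AD/Exchange", "LDAP"],
    "sn":         ["HR System", "AD/Exchange", "LDAP"],
    "title":      ["HR System"],
    "employeeID": ["HR System"],
    "mail":       ["AD/Exchange"],
    "telephone":  ["AD/Exchange", "HR System"],
}


def join(sources):
    """Group connector records into metaverse objects by the join attribute.
    A record whose anchor matches no other system stays a disconnector: it is
    reported for review, never merged on a name-similarity guess."""
    groups = defaultdict(dict)
    for system, rec in sources.items():
        groups[rec.get(JOIN_ATTRIBUTE)][system] = rec
    joined = {anchor: members for anchor, members in groups.items() if len(members) > 1}
    disconnectors = sorted((system, anchor) for anchor, members in groups.items()
                           if len(members) == 1 for system in members)
    return joined, disconnectors


def aggregate(members, precedence=PRECEDENCE):
    """Import flow: build the single authoritative identity from joined members."""
    identity = {}
    for attr in ATTRIBUTES:
        for system in precedence.get(attr, ()):
            value = members.get(system, {}).get(attr)
            if value:
                identity[attr] = value
                break
    return identity


def converge(identity, members):
    """Export flow: push the authoritative values back to every joined system.
    Returns, per system, the attributes that change as (old, new) pairs so the
    run can be reviewed before it is committed."""
    changes = {}
    for system, rec in members.items():
        diff = {a: (rec.get(a), v) for a, v in identity.items() if rec.get(a) != v}
        if diff:
            changes[system] = diff
            rec.update(identity)
    return changes


def synchronize(sources=SOURCES, precedence=PRECEDENCE):
    """One full sync cycle over copies of the connector records."""
    sources = {system: dict(rec) for system, rec in sources.items()}
    joined, disconnectors = join(sources)
    identities, changes = {}, {}
    for anchor, members in joined.items():
        identities[anchor] = aggregate(members, precedence)
        changes.update(converge(identities[anchor], members))
    return identities, changes, disconnectors


if __name__ == "__main__":
    ids, chg, disc = synchronize()
    print("identities:", ids)
    print("pending export changes:", chg)
    print("unjoined (needs review):", disc)
```

The change map is what the sync operator reviews before the export run is committed: per system, which stored value is about to be replaced by which. The "Intern" title in AD/Exchange is overwritten by HR's "Coordinator" because HR alone owns title; had AD/Exchange been listed first for that attribute, a stale directory value would have flowed back into the authoritative source and, through group rules built on title, into access decisions.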
Customizable Identity Portal: how you extend FIM 2010
SharePoint-based identity portal for management and self-service
• Add your own portal pages or web parts
• Build new custom solutions
• Expose new attributes to manage by extending the FIM schema
• Choose a SharePoint theme to customize look and feel
Password Reset and Synchronization (diagram)
FIM 2010 password synchronization between Active Directory (the user's Windows machine logon) and the connected systems iPlanet, the finance application and the finance portal; example user: MELISSA
Strong Authentication: Certificate Authority
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and smart card management using Forefront Identity Manager (FIM)
Enrollment flow (HR System, FIM, FIM CM, Active Directory Certificate Services (AD CS), end user):
1. User enrollment and authentication request sent by the HR system
2. FIM policy triggers a request for FIM CM to issue a certificate or smart card
3. User is validated using multi-factor authentication
4. FIM Certificate Management (CM) requests certificate creation from AD CS
5. Certificate is issued to the user and written to either the machine or the smart card
End user credentials shown: user ID and password, smart card
Certificate Lifecycle Management
• Single administration point for digital certificates and smart cards
• Configurable policy-based workflows for common tasks: enroll/renew/update, recover/card replacement, revoke, retire/disable smart card, issue temporary/duplicate smart card, personalize smart card
• Detailed auditing and reporting
• Support for both centralized and self-service scenarios
• Integration with existing infrastructure investments: Windows Active Directory, Windows Certificate Services
End User Scenarios
Solution area | Example scenario | FIM 2010 advantages
Group Management | User asks to join a secure distribution list for new product development | Request process through Office; no waiting for help desk; faster time to resolution
User Management | User changes cell phone number | Automatic updating of business applications; no need to call help desk; faster time to resolution
Policy Management | CFO gives final approval for a new user to access an app with an associated SOX compliance requirement | Automatic routing of multiple approvals; approval process through Office; audit trail of approvals
Credential Management | Self-service smart card provisioning & management | Integration with Windows logon; no need to call help desk; faster time to resolution
IT Administrator Scenarios
Solution area | Example scenario | FIM 2010 advantages
Group Management | Design policy to automatically create departmental security groups | Automatic management of group membership; secure access to departmental resources, with audit trail
User Management | Automatically provision new employees with identity, mailbox, and credentials | Centralized management; automatic policy enforcement across systems
Policy Management | Author policy to require HR approval for a job title change | Automatic policy enforcement across systems; management of role changes & retirements
Credential Management | Create workflow to automatically issue passwords and smart cards to new users | Generation and delivery of an initial one-time-use password; integration of smart card & certificate enrollment with provisioning
Summary: FIM 2010
Software for policy-based management of identities, credentials, and resources across heterogeneous environments
Increases security and compliance: integrates identity, credential, and access management; rich permissions and delegation model; enables system auditing and compliance
Empowers people: provides self-service tools; SharePoint admin console to manage identities; greater productivity through faster time to resolution
Delivers agility and efficiency: reduces costs through automation and self-service; maximizes existing investments in identity infrastructure; integrates with familiar developer tools to enable new scenarios
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
BACKUP SLIDES