2. Business Ready Security Solutions
Secure Messaging
Secure Endpoint
Secure Collaboration
Information Protection
Identity and Access Management
3. Business Ready Security Solutions
Secure Messaging
Secure Endpoint
Secure Collaboration
Information Protection
Identity and Access Management (Active Directory® Federation Services)
6. Identity Lifecycle Management
New: Entitlements
Change: Role changes; Phone # or title change; Password and PIN reset; Resource requests
Retire: De-provision identities; Revoke credentials; De-provision resources
Policy Management: Policy enforcement; Approvals and notifications; Audit trails
7. Today: Management Burden Is On IT
IT Professionals: Difficult to manage siloed identities; Overloaded with help desk service requests; Manually managing accounts and permissions; Poor tools for managing user credentials
Information Workers: Call help desk for password and access requests; Wait for days or weeks for access; Wait for IT to implement business policies
Developers: Complex to develop custom applications; Forced to develop business rules; Challenge to learn different development models; Hard to integrate systems
Result: Greater Complexity; Wrong Contexts; Wrong People; Higher Costs
8. Aligning Experiences With The Right People
IT Professionals: Architecture; Deployment; System administration; Governance; Security
Information Workers: Add/Update Users; Access; Credentials; Business rules & policy; Permissions; Group & role membership; Distribution lists; Passwords & PINs; Policy; Revoke; Audit
Developers: System & application integration & development
9. FIM 2010 Solution Areas
User Management: Integrated provisioning of identities, credentials, and resources; Automated, codeless user provisioning and de-provisioning; Self-service and admin profile management
Credential Management: Manage multiple credential types (passwords, certificates, smart cards); Self-service password reset integrated with Windows logon; Support for multiple & partner reset gates (Q&A, smart card, speech, custom)
Group Management: Delegated & self-service group and distribution list management; Information worker self-service experiences through Office and SharePoint; Automated group and distribution list updates
Policy Management: Visual, natural language process authoring & editing; Extensible workflows through Windows Workflow Foundation; Integrates with System Center for monitoring and control
10. Forefront Identity Manager in Action
FIM Portal: Policy Management; Credential Management; User Management; Group Management
Connected to: Databases; Directories; LOB Applications; Windows Log On; Self-Service integration; Custom ISV Partner Solutions; IT Departments
14. Automates the process of on-boarding users
Flow: HR System -> FIM -> Workflow (User Enrollment; Approval by Manager) -> User provisioned on all allowed systems
Target systems: Active Directory; Lotus Domino; LDAP; SQL Server; Oracle DB; FIM CM
17. Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Flow: HR System -> FIM -> Workflow -> User de-provisioned or disabled on all systems
Target systems: Active Directory; Lotus Domino; LDAP; SQL Server; Oracle DB; FIM CM
18. Identity Synchronization and Consistency: Identity synchronization across multiple directories (Identity Data Aggregation)
Attribute Ownership: FirstName, LastName, EmployeeID owned by HR System; Title owned by SQL Server DB; E-Mail owned by Active Directory/Exchange; Telephone owned by LDAP

Attribute    HR System   SQL Server DB   Active Directory/Exchange   LDAP       FIM (aggregated)
givenName    Samantha    Samara          Sam                         Sammy      Samantha
sn           Dearing     Darling         Dearing                     Dearling   Dearing
title        (none)      Coordinator     Intern                      (none)     Coordinator
mail         (none)      (none)          someone@example.com         (none)     someone@example.com
employeeID   007         007             007                         008        007
telephone    (none)      (none)          (none)                      555-0129   555-0129
19. Identity Synchronization and Consistency: Identity consistency across multiple directories (Identity Data Brokering / Convergence)
Attribute Ownership as on slide 18. Incorrect or missing information in each connected system is replaced by the owning system's value, so after convergence HR System, SQL Server DB, Active Directory/Exchange and LDAP all hold the same record as FIM:

Attribute    Before (per system)                          After (all systems)
givenName    Samantha / Samara / Sam / Sammy              Samantha
sn           Dearing / Darling / Dearing / Dearling       Dearing
title        (none) / Coordinator / Intern / (none)       Coordinator
mail         (none) / (none) / someone@example.com / (none)   someone@example.com
employeeID   007 / 007 / 007 / 007                        007
telephone    (none) / (none) / (none) / 555-0129          555-0129
20. Customizable Identity Portal
SharePoint-based Identity Portal for Management and Self Service
How you extend it: Add your own portal pages or web parts; Build new custom solutions; Expose new attributes to manage by extending the FIM schema; Choose a SharePoint theme to customize look and feel
21. Password Reset And Synchronization
Diagram: Melissa (Windows machine) -> FIM 2010 -> password synchronization to Active Directory; iPlanet; Finance application; Finance portal
23. Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
Actors: End User; HR System; FIM; FIM Certificate Management (CM); Active Directory Certificate Services (AD CS); SmartCard
1. User Enrollment and Authentication request sent by HR System
2. User is validated using multi-factor authentication (User ID and Password plus a second factor)
3. FIM policy triggers request for FIM CM to issue certificate or SmartCard
4. FIM CM requests certificate creation from AD CS
5. Certificate is issued to user and written to either machine or smart card
24. Certificate Lifecycle Management
Single administration point for digital certificates and smart cards
Configurable policy-based workflows for common tasks: Enroll/renew/update; Recover/card replacement; Revoke; Retire/disable smart card; Issue temporary/duplicate smart card; Personalize smart card
Detailed auditing and reporting
Support for both centralized and self-service scenarios
Integration with existing infrastructure investments: Windows Active Directory; Windows Certificate Services
25. End User Scenarios (Example Scenario -> FIM 2010 Advantages)
Policy Management: CFO gives final approval for new user to access app with associated SOX compliance requirement -> Automatic routing of multiple approvals; Approval process through Office; Audit trail of approvals
User Management: User changes cell phone number -> Automatic updating of business applications; No need to call help desk; Faster time to resolution
Group Management: User asks to join secure distribution list for new product development -> Request process through Office; No waiting for help desk; Faster time to resolution
Credential Management: Self-service smart card provisioning & management -> Integration with Windows logon; No need to call help desk; Faster time to resolution
26. IT Administrator Scenarios (Example Scenario -> FIM 2010 Advantages)
Policy Management: Author policy to require HR approval for job title change -> Centralized management; Automatic policy enforcement across systems
User Management: Automatically provision new employees with identity, mailbox, and credentials -> Automatic policy enforcement across systems; Management of role changes & retirements
Group Management: Design policy to automatically create departmental security groups -> Automatic management of group membership; Secure access to departmental resources, with audit trail
Credential Management: Create workflow to automatically issue passwords and smart cards to new users -> Generation and delivery of initial one-time use password; Integration of smart card & cert enrollment with provisioning
27. Summary: FIM 2010
Software for policy-based management of identities, credentials, and resources across heterogeneous environments
Empowers People: Provides self-service tools; SharePoint admin console to manage identities; Greater productivity through faster time to resolution
Delivers Agility and Efficiency: Reduces costs through automation and self-service; Maximizes existing investments in identity infrastructure; Integrates with familiar developer tools to enable new scenarios
Increases Security and Compliance: Integrates identity, credential, and access management; Rich permissions and delegation model; Enables system auditing and compliance
There are six (6) core solutions that make up Business Ready Security. Each one delivers an integrated, identity-based platform that helps organizations reduce IT costs while enabling new capabilities:

Secure Messaging: Enable secure business communication from virtually anywhere and on any device, while preventing unauthorized use of confidential information.

Secure Collaboration: Enable secure business collaboration from virtually anywhere and on any device, while preventing unauthorized use of confidential information.

Secure Endpoint: Protect client and server operating systems from emerging threats and information loss, while enabling secure access from virtually anywhere and any device.

Information Protection: Discover, protect, and manage confidential data throughout your business with a comprehensive solution integrated with the computing platform and applications.

Identity and Access Management: Enable secure, seamless access to on-premise and cloud infrastructure and applications from any location or device.

Integrated Security: Protect information and infrastructure across your business through a comprehensive solution that is easier to manage and control.
How do customers think about IDA management? What are the scenarios they are solving for? The lifecycle of identities, credentials and access from hire to retire… Customers are asking us for comprehensive solutions that span identities, credentials, and resources across the enterprise.
One reason IdM projects fail is that the burden is always on IT to get management tasks done. Why is the state of the art failing to deliver? Today's offerings are…

Very narrow in their view of the problem. Identity management is not about dropping another expensive box into IT. They fail to empower the right people at the right time with the right tools and information.

Siloed, with separate applications for identity, access and credential management. This drives complexity and cost.

Lacking an end-to-end view of IDA across the enterprise, because of the lack of integration and the lack of comprehensive scope.

Result… IT is overloaded and cannot become a strategic asset. End users are not empowered. Developers don't have an identity platform or tools to build on…

Detail…

Challenges for users: This slide sets the stage for exploring the present state of identity management in a typical large enterprise through the lens of a new employee or partner coming into the enterprise. New users, businesses, and partners are not productive from day one because they do not have access to the right resources, due to a lack of identity management processes. When you think about all of the business processes, IT infrastructure, IT services, and IT processes that are required to bring that new employee, contractor or partner into the enterprise, you need to: enable them to be productive in a secure and efficient manner right from day one; manage their needs over their entire lifecycle within the enterprise; manage de-provisioning when they choose to leave or the contract ends; and manage identity across the enterprise.

Challenges for IT professionals: They lack a unified view of identity across the enterprise. They are unable to automate systems and have to provision access in an ad-hoc manner, which drives up cost and increases risk. We also have a set of challenges, needs, or domains of the enterprise that are separate for the specific end users, but then it's all about managing identity across the enterprise.
In any large enterprise, many business applications that contain identity information have to be synchronized, monitored, maintained, reported on, and audited. Since they are responsible for managing these processes and domains, IT Pros should: be experts in all the business processes so they can respond to the demands of individual users; maintain the architecture and infrastructure of the enterprise; merge multiple applications, systems, and processes securely in mergers and acquisitions; manage all the governance and security associated with these systems and processes; handle everyday challenges, such as creating and deleting user accounts; and manage provisioning and de-provisioning.

One of the big challenges we have in identity management is that when new employees join, they are provisioned in an average of 16 applications. When those employees leave, they are only de-provisioned in about 10 applications. Over time, this creates significant numbers of personal accounts that, from an identity management standpoint, represent risks and security gaps because these systems are siloed, manual, and not integrated. This is the burden that the modern enterprise is dealing with today, so developers are brought in to stitch together these process applications and systems, at great cost. When all these systems are not working perfectly they get in the way of IWs being productive in driving business. With changing compliance requirements, it's difficult to cater to the needs of IWs and users effectively.

Challenges for developers: They are unable to integrate security and policies into their applications, which leads to complexity and dissatisfaction. They must maintain provisioning, de-provisioning and identity management themselves, so the current state forces developers to use tools that are application-platform specific, which limits their ability to develop identity-aware applications that can serve the needs of the organization.
With automated user provisioning through Forefront Identity Manager, IT can automatically grant and update rights to resources and business applications according to the user's profile. It becomes easy to provision a user's identity to only those resources and applications the user is supposed to work with, and to prevent unauthorized use.

Organizations using Forefront Identity Manager can define policies that automatically create user accounts, mailboxes, and group memberships in real time so that new employees are productive immediately. When a user changes roles within an organization, Forefront Identity Manager automatically makes the necessary changes in heterogeneous target systems to add and remove access rights. For example, if a user moves from a role in sales to a role in marketing, Forefront Identity Manager can remove them from sales-specific groups and add them to marketing-specific groups to deliver the appropriate access permissions to perform their job function.
With Forefront Identity Manager (FIM), organizations can define automatic policy enforcement for removing user accounts, mailboxes, and group memberships in real time, which minimizes the risk of information leakage from unauthorized access to resources and confidential information. With FIM, de-provisioning for users leaving the enterprise also becomes centralized and less complicated, which makes it easier to ensure complete de-provisioning and to handle future compliance audits.

For example, if a user leaves the organization, the HR system forwards a de-provisioning request to FIM. FIM follows the approval workflow. With the manager's approval, FIM automatically removes all rights, account information, mailboxes, and memberships from all relevant applications, groups, and directories.
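The hire/change/retire logic described in the provisioning and de-provisioning notes above, as an added example that is not part of the deck and not FIM's own policy engine. The point it makes: if the set of accounts and group memberships a person should hold is a pure function of their HR record, then a role change is applied as the difference between old and new entitlements, a departure leaves the empty set, and any account in a connected system whose owner is not an active HR record is an orphan of the kind the "16 provisioned, 10 de-provisioned" statistic describes. The policy rules, the system names and the HR records (Melissa's name, employee ID and department are taken from the animation notes later on this page) are constructed for the illustration.

```python
"""Policy-driven provisioning, role change and de-provisioning (constructed).

Added illustration; not FIM code. Entitlement rules below are assumptions
standing in for a real provisioning policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HRRecord:
    """Minimal HR feed record, the authoritative source for identity."""
    employee_id: str
    name: str
    department: str
    title: str
    employee_type: str      # "Full Time" or "Contractor" (constructed values)
    status: str = "Active"  # "Active" or "Terminated"


def entitlements(rec):
    """Desired (system, entitlement) pairs for a record; terminated -> none.

    Constructed policy: everyone active gets an AD account and a departmental
    group; full-time staff also get a mailbox, the FTE group and a smart card;
    Finance staff get a Finance application account.
    """
    if rec.status != "Active":
        return frozenset()
    wanted = {("AD", "account"), ("AD", f"group:{rec.department}")}
    if rec.employee_type == "Full Time":
        wanted |= {("Exchange", "mailbox"), ("AD", "group:FTE"), ("FIM CM", "smartcard")}
    if rec.department == "Finance":
        wanted.add(("Finance App", "account"))
    return frozenset(wanted)


def plan(current, rec):
    """Changes to apply to reach the desired state from the current one.

    `current` is the set of (system, entitlement) pairs the user holds now.
    Both adds and removes come from the same rule, so a role change and a
    termination are handled by the same code path as a new hire.
    """
    desired = entitlements(rec)
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


def orphaned_accounts(connected_accounts, hr_records):
    """Accounts whose owner is not an active HR record.

    connected_accounts: {system_name: {employee_id, ...}} as read back from
    each connected system. Anything returned here is a de-provisioning gap.
    """
    active = {r.employee_id for r in hr_records if r.status == "Active"}
    return sorted((system, eid)
                  for system, ids in connected_accounts.items()
                  for eid in ids if eid not in active)


if __name__ == "__main__":
    melissa = HRRecord("122145", "Melissa Meyers", "Finance", "Analyst", "Full Time")
    print("first day:", plan(frozenset(), melissa))
    moved = HRRecord("122145", "Melissa Meyers", "Marketing", "Analyst", "Full Time")
    print("role change:", plan(entitlements(melissa), moved))
    gone = HRRecord("122145", "Melissa Meyers", "Marketing", "Analyst",
                    "Full Time", status="Terminated")
    print("departure:", plan(entitlements(moved), gone))
    # Constructed reconciliation input: one account survived de-provisioning.
    print("orphans:", orphaned_accounts({"AD": {"122145"}, "Oracle DB": {"122145"}}, [gone]))
```

Running the module prints the three plans in order; the departure plan removes every entitlement the role-change state still held, and the reconciliation pass lists the accounts that would remain if a connected system had not applied the removal.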
Organizations can also use FIM to synchronize e-mail address lists that are maintained by heterogeneous e-mail systems, such as Microsoft Exchange Server 2000, Exchange Server 2007, and Lotus Notes. Organizations that have multiple Active Directory Domain Services and Exchange forests can use FIM to build a single address book. This increases the value of identity integration by simplifying collaboration as well as increasing IT control.

Note: FIM 2010 provides a simplified single sign-on experience through its identity synchronization capabilities, delivering the ability to synchronize passwords across heterogeneous systems. The policy-based management system of FIM manages users' identity lifecycle and protects corporate assets against misuse as users move between roles or leave the organization.

http://www.microsoft.com/forefront/identitymanager/en/us/features.aspx
http://download.microsoft.com/download/3/2/A/32A7B77A-7D3A-4D24-ACE7-5AA3A908B95E/Understanding%20FIM%202010.docx
Combining identity data across multiple directories and systems yields automated account reconciliation and consistency management for user accounts, credentials, and attributes. This means organizations with many different directories and other data repositories, such as an HR application, can use Forefront Identity Manager to synchronize user accounts across systems.
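The attribute-ownership synchronization shown on slides 18 and 19 and summarized in the paragraph above, as an added example that is not part of the deck and does not use FIM's synchronization service. Each attribute has exactly one authoritative connected system; aggregation builds the central record by taking every attribute from its owner and records where other systems disagree, and brokering then writes the converged record back to every connected system, producing a change log so the push is auditable. The four system names, the owner table and the sample values are constructed to reproduce the slide's data; the function names are assumptions.

```python
"""Attribute-level identity aggregation and brokering (constructed example).

Added illustration of the 'attribute ownership' idea; not FIM's API.
"""

# Which connected system is authoritative for which attribute (from the slide).
ATTRIBUTE_OWNER = {
    "givenName": "HR System",
    "sn": "HR System",
    "employeeID": "HR System",
    "title": "SQL Server DB",
    "mail": "Active Directory/Exchange",
    "telephone": "LDAP",
}

# Constructed snapshot of the connected systems before synchronization,
# reproducing the inconsistent values on slide 18. None = attribute missing.
CONNECTED_SYSTEMS = {
    "HR System": {"givenName": "Samantha", "sn": "Dearing", "title": None,
                  "mail": None, "employeeID": "007", "telephone": None},
    "SQL Server DB": {"givenName": "Samara", "sn": "Darling", "title": "Coordinator",
                      "mail": None, "employeeID": "007", "telephone": None},
    "Active Directory/Exchange": {"givenName": "Sam", "sn": "Dearing", "title": "Intern",
                                  "mail": "someone@example.com", "employeeID": "007",
                                  "telephone": None},
    "LDAP": {"givenName": "Sammy", "sn": "Dearling", "title": None, "mail": None,
             "employeeID": "008", "telephone": "555-0129"},
}


def aggregate(systems, owners):
    """Build the converged record: each attribute comes from its owning system.

    Returns (record, issues). An issue is logged when the owner has no value
    (a gap only the owner can fill) or when a non-owner disagrees with the
    owner (drift that brokering will overwrite).
    """
    record = {}
    issues = []
    for attr, owner in owners.items():
        value = systems[owner].get(attr)
        if value is None:
            issues.append(f"{attr}: owner {owner} has no value")
            continue
        record[attr] = value
        for name, data in systems.items():
            if name != owner and data.get(attr) not in (None, value):
                issues.append(f"{attr}: {name} has {data[attr]!r}, owner {owner} has {value!r}")
    return record, issues


def broker(systems, record):
    """Write the converged record to every connected system (convergence).

    Updates `systems` in place and returns (system, attribute, old, new)
    tuples for every value that changed, i.e. an audit trail of the push.
    """
    changes = []
    for name, data in systems.items():
        for attr, value in record.items():
            if data.get(attr) != value:
                changes.append((name, attr, data.get(attr), value))
                data[attr] = value
    return changes


def synchronize(systems=CONNECTED_SYSTEMS, owners=ATTRIBUTE_OWNER):
    """One aggregate-then-broker cycle on a copy of the connected systems.

    Returns (record, issues, changes, systems_after).
    """
    working = {name: dict(data) for name, data in systems.items()}
    record, issues = aggregate(working, owners)
    changes = broker(working, record)
    return record, issues, changes, working


if __name__ == "__main__":
    record, issues, changes, after = synchronize()
    print("converged record:", record)
    for issue in issues:
        print("drift:", issue)
    for system, attr, old, new in changes:
        print(f"{system}: {attr} {old!r} -> {new!r}")
```

Note that the LDAP employeeID of 008 is treated as drift and overwritten with the HR value, because HR owns that attribute; a real deployment would route such a conflict to a reviewer rather than silently correcting it when the owner's own value might be the stale one.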
Key points we want to illustrate: Melissa is a new employee starting her first day of work at Contoso. She sits down in her assigned office to begin her work, which is heavily dependent on LOB applications and on being "plugged in" to key DLs. Rather than calling the help desk to get access, groups, etc., Melissa's accounts and mailbox are automatically provisioned and available at first login, due to preconfigured rules in FIM 2010. She is automatically granted access to the LOB apps relevant to her role. She is dynamically added to key DLs.

Animation flow:

Data flows in from the HR system. Would like a file to pass from HR to FIM 2010 with information on the new hire, like Name = Melissa Meyers, Employee ID = 122145, Dept = Finance, Title = Analyst, Employee Type = Full Time.

Data flows to each of the target systems. For Exchange a mailbox is created. I want icons to travel along the arrow to represent the data passed to Exchange as well as the mailbox created. Her email address should be filled in as mmeyers@contoso.com.

For AD, a password is assigned and sent to her manager. She is also given membership in the "Finance," "New Hire" and "FTE" groups in AD. I want icons to travel along the arrow to represent the data passed to AD as well as the password and new groups created.

A smart card is also provisioned for remote access and for her to access the finance app.

For the other accounts show the data passing along the arrows. Show only her name, employee ID, and department being passed to iPlanet, and show her name, ID, and Employee Type passing to the mainframe.
Active Directory Certificate Services (AD CS) provides an integrated public key infrastructure that enables the secure exchange of information. With strong security and easy administration across the Internet, extranets, intranets, and applications, AD CS provides customizable services for issuing and managing the certificates used in software security systems employing public key technologies.

Benefits:
Increase access security with better security than username and password solutions, and verify the validity of certificates using the Online Certificate Status Protocol (OCSP).
Reduce cost of ownership by taking advantage of Active Directory integration for enrollment, storage, and revocation processes.
Simplify certificate management using a single information store that comes from full integration with Microsoft Management Console.
Streamline deployment by enrolling user and computer certificates without user intervention.

Enrollment flow:
1. Client retrieves certificate policy from Active Directory.
2. Client submits certificate request to Certificate Server based on policy.
3. Certificate Server retrieves user information from Active Directory.
4. Certificate Server returns signed digital certificate to the client.
Some example scenarios for each pillar, for end users. These are examples and non-exhaustive.

Policy Management: Approvals integrated in Outlook. The right person, in this case the CFO, can easily approve access within their scope of responsibilities and within agreed-upon company policies.

Credential Management: In addition to PW and PIN reset integrated with Windows, end users can provision their own smart cards through an easy-to-use self-service interface. One example of how this could be configured: FIM can send the user a one-time use password that the user could use with FIM to bring the right certificates down to their smart card.

User Management: Manage own identity profile. In this case end users could be given permission to manage their mobile phone number. This makes it easy for other end users to find one another, especially in cases where workers work remotely and operate using mobile phones frequently. Of course, other attributes could also be delegated to end users to manage.

Group Management: Create and manage approvals for group membership in Office. End users can make requests to join groups, or create their own groups, from a button in the Outlook ribbon.
Exemplary but non-exhaustive list of scenarios for IT professionals…

Policy Management: IT can use UI tools to generate policies to enforce required business approvals. Example: The policy is that a GM must approve VPN access for non-employees (e.g., contractors). ILM will not grant VPN access to a contractor until they have received the required approval from the GM.

Credential Management: As part of the policy to provision new users, the issuance of multiple types of credentials can be easily incorporated.

User Management: User provisioning policy. Example: All FTEs should receive an AD account, an Exchange mailbox, membership in the "FTE" security group, and a smart card.

Group Management: Dynamic groups. FIM can create security groups or DLs based on attributes such as what department someone is in. In this case FIM would automatically create and populate a group for each department in a company.