Slide 1: Identity and Access Management
Business Ready Security Solutions
Rune Lystad, runel@microsoft.com, Enterprise Solution Manager

Slide 2: Current Situation: Time and labor intensive process
- Multiple identities and limited sign-on help
- Password reset and access requests handled through the help desk
- Different sign-on requirements for applications
- Separate remote access solution with separate identities
Diagram: On-premises (Contoso); Employees (remote); Partners (Fabrikam). Contoso managing Fabrikam accounts; Fabrikam managing Contoso accounts.

Slide 3: Identity and Access Management Strategy
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device.
Pillars: PROTECT everywhere, ACCESS anywhere; INTEGRATE and EXTEND security; SIMPLIFY security, MANAGE compliance.
- Provide more secure, always-on access
- Enable access from virtually any device
- Extend powerful self-service capabilities to users
- Automate and simplify management tasks
- Control access across organizations
- Provide standards-based interoperability

Slide 4: Business Ready Security Solutions
Secure Messaging; Secure Endpoint; Secure Collaboration; Information Protection; Identity and Access Management

Slide 5: Business Ready Security Solutions
Secure Messaging; Secure Endpoint; Secure Collaboration; Information Protection; Identity and Access Management: Active Directory® Federation Services

Slide 6: PROTECT Everywhere, ACCESS Anywhere

Slide 7: Windows DirectAccess
- Provides seamless, always-on, secure connectivity to on-premises and remote users
- Eliminates the need to connect explicitly to the corporate network while remote
- Facilitates more secure, end-to-end communication and collaboration
- Uses a policy-based network access approach
- Enables IT to easily service, secure, update, and provision mobile machines, whether they are inside or outside the network
Diagram: DirectAccess Client on the Internet; DirectAccess Server between Internet and Intranet; internal traffic to Corporate Resources; Internet traffic to Internet Servers.

Slide 8: DirectAccess in Windows 7
Diagram: Windows 7 Client, across the Internet, to the WinSrv 2008 R2 DirectAccess Role; native IPv6 with IPsec to IPv6 devices; IPv6 Transition Services for IPv4 devices; IT desktop management (AD Group Policy, NAP, software updates); supports a variety of remote network protocols.

Slide 9: INTEGRATE and EXTEND security

Slide 10: Active Directory Federation Services
- Shared identity with partner organizations and cloud services
- Boost cross-organizational efficiency and communication with more secure access
- Support the sharing of rights-protected messages between organizations
Diagram: Company A (Account Forest: AD DS, AD FS) and Company B (Resource Forest: AD DS, AD FS, AD RMS, SharePoint Server Farm) linked by a Federation Trust. Labels: User Account/Credentials; Authentication; Security Token; Redirect to Security Token Service (STS); Post claims; Application Access; Business Partners; Token and claims.

Slide 11: Single Sign On with Extended Collaboration
Cloud Services
- Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
- Helps provide consistent security with a single user access model externalized from applications
Diagram: Corporate User with a Security Token (e.g., Kerberos Ticket); AD FS backed by AD DS; Exchange, SharePoint, Web App, Claims-Aware Application; Partner.
Token flow:
- AD FS creates SAML token
- Signs it with company's private key
- Sends it back to the user
- Access supplied with the token
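The four-step token flow on this slide, as an added example that is not part of the deck: a minimal STS that signs a claims document with its private key, and the claims-aware application's checks (signature against the trusted STS key, then issuer, audience and expiry) before any access is granted. The claim names, the JSON encoding and the RSA key are assumptions standing in for the SAML assertion and the AD FS signing certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Claims is a constructed stand-in for the SAML assertion AD FS issues; the
// field names are assumptions, not the AD FS schema.
type Claims struct {
	Issuer   string `json:"iss"`
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

type Token struct{ Payload, Signature []byte } // what the STS sends back to the user

// Issue is the STS side: sign the claims with the company's private key (RSA PKCS#1 v1.5, SHA-256).
func Issue(stsKey *rsa.PrivateKey, c Claims) (Token, error) {
	payload, _ := json.Marshal(c) // a struct of scalar fields cannot fail to marshal
	d := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, stsKey, crypto.SHA256, d[:])
	return Token{payload, sig}, err
}

// Verify is the claims-aware application side: signature against the trusted STS
// public key first, then issuer, audience and expiry. Any failure grants nothing.
func Verify(stsPub *rsa.PublicKey, t Token, issuer, audience string, now time.Time) (Claims, error) {
	d := sha256.Sum256(t.Payload)
	if rsa.VerifyPKCS1v15(stsPub, crypto.SHA256, d[:], t.Signature) != nil {
		return Claims{}, errors.New("signature invalid: not issued by the trusted STS")
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Issuer != issuer || c.Audience != audience {
		return Claims{}, errors.New("token not from this STS or not meant for this application")
	}
	if now.Unix() >= c.Expires {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}
```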
Slide 12: SIMPLIFY security, MANAGE compliance

Slide 13: Identity Lifecycle Management
Create: provision user; provision credentials; provision resources.
Change: role changes; phone # or title change; password and PIN reset; resource requests.
Retire: de-provision identities; revoke credentials; de-provision resources.
Help Desk: "lost" credentials; password reset; new entitlements.
Policy Management: policy enforcement; approvals and notifications; audit trails.

Slide 14: Forefront Identity Manager in Action
FIM Portal: Policy Management; Credential Management; User Management; Group Management.
Connected to: Databases; LOB Applications; Directories; Windows Log On; Self-Service integration; Custom; ISV Partner Solutions; IT Departments.

Slide 15: Identity Management: User provisioning
- Policy-based identity lifecycle management system
- Built-in workflow for identity management
- Automatically synchronizes all user information to different directories across the enterprise
- Automates the process of on-boarding users
Diagram: HR System; FIM workflow (User Enrollment, Manager Approval); target systems Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM. User provisioned on all allowed systems.

Slide 16: Identity Management: User de-provisioning
- Automated user de-provisioning
- Built-in workflow for identity management
- Real-time de-provisioning from all systems to prevent unauthorized access and information leakage
Diagram: HR System; FIM workflow (User de-provisioned); target systems Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB, FIM CM. User de-provisioned or disabled on all systems.

Slide 17: Self Service Group Management
- Self-service group and distribution list management with the FIM 2010 Web portal
- Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
- Enables users to use Outlook to manage approvals while they are offline
- Automatically adds users to the appropriate group based on their employee type at the time they are provisioned to Active Directory
- Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on the user's attributes
Add-in for Office; SharePoint-Based Management Console.
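The provisioning, de-provisioning and dynamic group membership behaviour described on slides 15 to 17, as an added example (not FIM code): one reconciliation pass that treats the HR system as the source of truth and emits the actions each connected system needs. System names, employee types and group names are constructed assumptions.

```go
package main

// HRRecord is one identity from the HR system, the authoritative source (constructed values).
type HRRecord struct {
	ID, EmployeeType string
	Active           bool
}

type Action struct{ System, Kind, ID, Group string } // Kind: "provision", "add-to-group" or "disable"

// groupForType is the dynamic-membership rule: membership follows the employee type
// attribute ("FTE" and "Contractor" are assumed values) instead of manual requests.
func groupForType(employeeType string) string {
	if employeeType == "FTE" {
		return "All-Employees"
	}
	return "All-Contractors"
}

// Reconcile compares HR (source of truth) with the accounts each connected system
// reports: active HR identities missing from a system are provisioned (in Active
// Directory also added to their type-based group), and accounts held for someone HR
// marks inactive or does not know are disabled everywhere, closing access on exit.
func Reconcile(hr []HRRecord, systems map[string]map[string]bool) []Action {
	active := map[string]HRRecord{}
	for _, r := range hr {
		if r.Active {
			active[r.ID] = r
		}
	}
	var actions []Action
	for sys, accounts := range systems {
		for id := range accounts {
			if _, known := active[id]; !known {
				actions = append(actions, Action{System: sys, Kind: "disable", ID: id})
			}
		}
		for id, r := range active {
			if accounts[id] {
				continue // already provisioned here
			}
			actions = append(actions, Action{System: sys, Kind: "provision", ID: id})
			if sys == "Active Directory" {
				actions = append(actions, Action{sys, "add-to-group", id, groupForType(r.EmployeeType)})
			}
		}
	}
	return actions
}
```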
Slide 18: Self-Service Password Management
- Enables users to reset their own passwords through both Windows logon and the FIM password reset portal
- Controls helpdesk costs by enabling end users to manage certain parts of their own identities
- Improves security and compliance with minimal errors while managing multiple identities and passwords
Diagram: End User requests password reset (Reset Password); FIM Server; password updates to Active Directory, Oracle, SQL Server, Notes, LDAP.
- FIM capabilities integrated with Windows logon
- Randomly selects a number of questions

Slide 19: Summary
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device.
Pillars: PROTECT everywhere, ACCESS anywhere; INTEGRATE and EXTEND security; SIMPLIFY security, MANAGE compliance.
- Provide more secure, always-on access
- Enable access from virtually any device
- Extend powerful self-service capabilities to users
- Automate and simplify management tasks
- Control access across organizations
- Provide standards-based interoperability
Learn more at www.microsoft.com/forefront

Slide 20: © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.