Fred Delombaerde, Lead Program Manager, Microsoft Corporation
Joe Schulman, Program Manager, Microsoft Corporation
Session Code: SIA308
Identity Lifecycle Manager "2" is now Forefront Identity Manager 2010

Agenda
- Why are we in this space?
- Product overview and value proposition
- Provisioning users
- Credential management
- Transitioning roles
- De-provisioning
- Summary

Session outcomes
- See how FIM can reduce your cost by maintaining policy compliance
- See FIM as a viable way to automate provisioning and de-provisioning of users
- See how to reduce costs for managing passwords

Why are we in this space?
IT Professionals respond to the business: architecture & deployment, system administration, governance & security, managing permissions, creating & deleting user accounts, policy implementation & enforcement.
Information Workers respond to users: call the help desk for password and access requests, wait up to weeks for access, define business policies.
Developers: business rule development, custom application development, systems integration.
Result: wrong people, wrong contexts, greater complexity, higher cost.

Diagram labels (IT Professionals, Information Workers, Developers): Users, Access, Credentials, Policy, Architecture, Deployment, Business rules & policy, System administration, Permissions, Governance, Group & role membership, Security, Distribution lists, System & application integration & development, Passwords & PINs.

FIM 2010 Solution Areas
User Management
- Automated, codeless user provisioning
- Enables integration of user, device, and service management
- Self-service and admin profile management
Credential Management
- Manage multiple credential types (passwords, certificates, smart cards)
- Integrated with Windows logon (registration & reset)
- Support for multiple & partner reset gates (Q/A, smart card, speech, custom)
Access Management
- Delegated & self-service group and distribution list management
- Information worker self-service experiences through Office and SharePoint
- Dynamic groups/roles & distribution lists
Policy Management
- Visual, natural language process authoring & editing
- Extensible workflows through Windows Workflow Foundation
- Integrates with System Center for monitoring and control

Introducing Litware
- 25K employees
- 8000 security and distribution groups
- Extensive use of AD for access control decisions
- Multiple AD forests due to acquisitions
- Using a custom HR application
- Proliferation of line of business applications

IT Provisioning at Litware
End-to-End Provisioning at Litware
(diagram slides; titles only)

Provisioning issues at Litware
- Maintenance of custom provisioning scripts is costly and error prone
- IT Pro centric scripts do not encompass business unit needs
- Custom scripts enforce business logic
- "Soft costs": user productivity
- 'Provisioned' users frequently lack access to business critical apps and DLs
- Litware has dozens of connected systems requiring provisioning
- Process compliance is nearly an impossibility
- Inflexible process increases costs as the organization grows

Litware's Requirements
- New employees need to be provisioned for business critical applications to enable productivity within a day
- A central HR system is authoritative for bootstrapping user data
- Every employee has an AD account and mailbox
- Each business unit has its own portals and apps
- Every employee is a member of the manager's required DLs as well as business specific DLs

Scenario Overview: New User
Melissa Meyers has just been hired into Litware as a new employee in Finance. As a new employee, Melissa will need to be provisioned into key business critical applications so that she can be effective at her job.
Today vs. With FIM
- Today: Custom scripts tie together disparate identity systems
  With FIM: ILM automates provisioning to all business critical applications
- Today: Inefficient processes lead to a long period without access to critical applications
  With FIM: Provisioning to applications takes place within hours, not days or weeks
- Today: Custom process prone to errors, leading to loss of productivity
  With FIM: Access to applications is done in the context of defined policy

Provisioning with FIM 2010: First day at work with FIM 2010
Joe Schulman, Program Manager, Microsoft Corporation

Password reset issues at Litware
- Help desk costs are soaring due to password reset requests
- IT Pro centric scripts do not encompass business unit needs

Litware's Requirements
- Employees must be able to perform a self-service password reset
- Help desk costs must drop dramatically
- User training costs must be held at bay

Scenario Overview: Password Reset
Jill is one of the many external contractors in her company. She does not log in to the corporate network very often. As a result, she nearly always forgets her password and must reset it prior to accessing the corporate network.
Today vs. With FIM
- Today: Jill needs to call the help desk to reset her password
  With FIM: Jill is able to reset her password without connecting to the corporate network
- Today: The company incurs a significant cost in managing credentials for contractors like Jill
  With FIM: The company maintains a centralized set of policies and common tools for credential management for employees and contractors
- Today: The company needs to maintain different tools for managing the credentials of employees and contractors
  With FIM: Employees can reset their credentials directly from the Windows logon screen

Transition of Roles at Litware

Transitioning issues at Litware
All of the same issues as the initial provisioning:
- Maintenance of custom provisioning scripts is costly and error prone
- IT Pro centric scripts do not encompass business unit needs
- Custom scripts enforce business logic
- "Soft costs": user productivity
- 'Provisioned' users frequently lack access to business critical apps and DLs
- Litware has dozens of connected systems requiring provisioning
- Process compliance is nearly an impossibility
- Inflexible process increases costs as the organization grows

- No automated de-provisioning of access to existing apps!
- Access to newly required apps is completely manual
- Inflexible process increases costs as the organization grows

Litware's Requirements
- Transitioning employees need to be provisioned for business critical applications to enable productivity within a day
- Access to existing resources must be evaluated and removed if required within a day

Scenario Overview: Transition
Melissa is transitioning jobs. The HR system must reflect Melissa's new role as well as update her management chain. She must be granted access to team portals and LOB applications. Access to her old team's portals and LOB applications must be revoked. In order to function at full capacity, she must then also be added to key DLs so she is included on all key communications.
Today vs. With FIM
- Today: Melissa's LOB applications are not provisioned or de-provisioned automatically on role change
  With FIM: Melissa is dynamically added to business critical DLs
- Today: She must request access to new resources and retains access to some which are no longer relevant
  With FIM: She automatically loses access to the LOB apps from her previous role
- Today: Her domain change process is tedious and long running, causing intermittent outages of key services such as mail
  With FIM: She automatically gets access to the new team portal and loses access to the previous team portal

Transitioning Roles with FIM 2010: Employee changing roles
Joe Schulman, Program Manager, Microsoft Corporation

De-provisioning at Litware

De-provisioning issues at Litware
- No automated de-provisioning of access to existing apps!
- Lingering access to applications and resources represents a real security threat!
- Inflexible process increases costs as the organization grows

Litware's Requirements
- Employees leaving the organization need to have their access to resources and applications de-provisioned within a day
- A historical record of de-provisioned employees and their access must be maintained

Scenario Overview: Employee de-provision
Melissa has made it to VP level but is leaving Litware to pursue new opportunities. She is currently granted access to business critical data at Litware that, if leaked, could significantly damage Litware's business.
Today vs. With FIM
- Today: Melissa's LOB applications are not de-provisioned automatically on role change
  With FIM: Melissa's access to all business applications and resources is automatically revoked
- Today: Auditing of historical data for compliance is tedious and error prone
  With FIM: A historical audit trail of Melissa's data and access permissions is maintained
- Today: Tracking down all access points is costly and error prone
  With FIM: Connected systems are automatically de-provisioned in accordance with policy

De-provisioning with FIM 2010: De-provisioning
Joe Schulman, Program Manager, Microsoft Corporation

Summary
FIM 2010 helps reduce provisioning costs by streamlining the process while maintaining a state of policy compliance and focusing on the information worker.

Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- www.microsoft.com/learning: Microsoft Certification & Training Resources
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers

Related Content
Breakout Sessions
• SIA307 ILM "2": Reducing Help Desk Costs through Self Service with Examples from Microsoft IT
• SIA308 ILM "2": Reducing Cost of Provisioning and Credential Management
• SIA310 Rethinking Certificate Workflows with Microsoft Identity Lifecycle Manager "2"
Interactive Theater Sessions
• SIA04-TLC ILM "2" Demo: Auditing and Reporting
Hands-on Labs
• SIA06-HOL ILM "2": Core Concepts
• SIA07-HOL ILM "2": Customization
• SIA08-HOL ILM "2": Configuring Self-Service Password Reset
• SIA09-HOL ILM "2": Provisioning Active Directory Users and Group Management

Identity Management Community Blogs
- Joe's Identity Management Extensibility: http://blogs.msdn.com/imex
- Bobby and Nima's blog: http://blogs.technet.com/doittoit/
- Brjann's Identity Management: http://blogs.technet.com/identitymanagement/
- TechNet Forum: http://social.technet.microsoft.com/Forums/enUS/identitylifecyclemanager/threads

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Business Ready Security
Help securely enable business by managing risk and empowering people
Identity: Highly Secure & Interoperable Platform
From: Block, Cost, Siloed
To: Enable, Value, Seamless