Help securely enable business by managing risk and empowering people

Identity: Highly Secure & Interoperable Platform Across on-premises & cloud
from: Block, Cost, Siloed
to: Enable, Value, Seamless
Today's identity challenges
• Different sign-on requirements for applications
• Password reset and access requests handled through help desk
• Multiple identities and limited sign-on help
• Contoso managing Fabrikam accounts; Fabrikam managing Contoso accounts
• Remote access solution w/ separate identities

Business Ready Security solution areas: Secure Messaging, Secure Collaboration, Information Protection, Identity and Access Management, Secure Endpoint

Identity and Access Management
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
PROTECT everywhere, ACCESS anywhere
• Provide more secure, always-on access
• Enable access from virtually any device
INTEGRATE and EXTEND security
• Control access across organizations
• Provide standards-based interoperability
SIMPLIFY security, MANAGE compliance
• Extend powerful self-service capabilities to users
• Automate and simplify management tasks

GOVERNED SELF-SERVICE AND AUTOMATION
Empower Business
• Self-service profile, credential, and group management
• Password and PIN reset from Windows login
• Group management from within Microsoft Office
• Single identity across heterogeneous applications
Empower IT
• End-to-end, workflow-driven user provisioning
• Policy-controlled self-service capabilities
• Automatic, attribute-based group membership for simplified resource access

"With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations." René Chevremont, Head of Access Management, Banque de Luxembourg
Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006579/

User provisioning with FIM
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
[Diagram: user enrollment in the HR System flows into FIM, where a workflow obtains the manager's approval; the user is then provisioned to Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and FIM CM.]

"With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution." Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/

Identity Data Aggregation and Identity Data Brokering (Convergence)
[Diagram: attribute ownership is split across systems: the HR System owns FirstName, LastName and EmployeeID; the SQL Server DB owns Title; Active Directory/Exchange owns E-Mail; LDAP owns Telephone. Before convergence each store holds its own inconsistent copy of the same user (givenName/sn variants Samantha Dearing, Samara Darling, Sam Dearing, Sammy Dearling; title Coordinator vs. Intern; employeeID 007 vs. 008). After FIM aggregates the attributes and brokers them back out, every store carries the authoritative values: givenName Samantha, sn Dearing, title Coordinator, mail [email protected], employeeID 007, telephone 555-0129.]

Certificate and SmartCard management with FIM Certificate Management (CM)
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
[Diagram: a user enrollment/creation request is sent by the HR System to FIM; FIM policy triggers a request for FIM CM to issue a certificate; FIM CM requests the certificate from Active Directory Certificate Services (AD CS); the certificate is issued to the user and written to either the machine or the smart card, which the end user then presents for authentication.]

"We're confident that we have a security infrastructure that will help protect … our customers' data while logging every user action, for a more flexible and adaptive IT infrastructure." Thomas Pfeifer, Solution Engineer, T-Systems
Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006605/

Group and distribution list management
• Self-service group and distribution list management with the FIM 2010 Web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user's attributes
[Diagram: FIM Add-in for Outlook and SharePoint-based management console, providing self-service group management, criteria-based group membership and integrated approval.]
• Integrates with Exchange and Outlook
• Manages distribution and security groups

Policy and workflow
• Enables IT to quickly define, automate, and enforce identity management policies
• IT can use the integrated workflow in the approval/rejection process
• Automatic notifications for request approvals or rejections

Self-service password reset
• Enables users to reset their own passwords through both Windows logon and FIM password reset portal
• Controls helpdesk costs by enabling end users to manage certain parts of their own identities
• Improves security and compliance with minimal errors while managing multiple identities and passwords
[Diagram: the end user requests a password reset; the FIM Server updates the password in Active Directory, Oracle, SQL Server, IBM DS and LDAP.]

Remote access with UAG 2010
• Integrated SSL VPN capabilities for both managed and non-managed clients
• Simplified remote access by non-Windows, down-level, or non-trusted endpoints
• UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure
[Diagram: mobile, home/kiosk and non-managed employee/partner endpoints reach the data center/corporate network over the Internet via HTTPS (443), Layer 3 VPN or DirectAccess (managed employees); authentication and policy use SmartCard, RADIUS, LDAP and similar; published resources include Terminal Services, Remote Desktop, Citrix, CRM, IBM, SAP, Oracle and non-web, legacy, down-level applications.]

DIRECT ACCESS
Empower Business
• Seamless and more secure access
• Simplified, always-on access
Empower IT
• Policy-based network access
• Ability to manage machines anywhere

Secure portal
Empower Business
• Consolidated secure portal to simplify remote access to resources
• Simplified sign-on
Empower IT
• Policy-based resource access

SSL VPN
Empower Business
• Access from virtually any device
Empower IT
• Policy-based restricted access

Federation
Empower Business
• Ability to move seamlessly between applications using a single identity
• Collaboration across organizations
Empower IT
• No need to manage external accounts
• Simplified and flexible claims-based federation
• Common authentication controls for building custom applications

"We will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners." Armand Martin, Enterprise Architect, Security, Dow Corning
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006589/

Federated collaboration with AD FS
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
− Support the sharing of rights-protected messages between organizations
− Improved support for Microsoft SharePoint Server as a claims-aware application
[Diagram: Trey Research account forest (AD DS, AD FS) and Woodgrove Bank resource forest (AD FS, AD DS, AD RMS, Exchange 2010, SharePoint Server farm) joined by a federation trust. A business partner user presents account credentials, is redirected to the Security Token Service (STS), receives a security token, posts claims to the application and is granted access.]

Claims-based access
• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premise and cloud services
• Helps provide consistent security with a single user access model externalized from applications
• Based on open, industry standard protocols for interoperability
[Diagram: a corporate user obtains a security token (e.g., Kerberos ticket) from AD DS and claims from AD FS, and uses them against Exchange, SharePoint, an internal app and claims-aware apps; the same model extends to a partner claims-aware application and to cloud services in a cloud datacenter.]
• Shared identity with partners and cloud services
• Boost cross-organizational efficiency
− Share rights-protected messages
− Improved support for SharePoint as a claims-aware application

End-to-end identity flow
[Diagram: the HR System feeds FIM (self service, workflow, role, client list), which aggregates other user data stores (SQL Server, AD DS) and attributes such as phone, title, department, manager and group. Users authenticate with Windows Integrated/Kerberos/AD FS claims to claims-aware applications (Exchange GAL & DL, SharePoint profiles and access, SAP and other apps); AD FS 2.0 issues WS-* and SAML claims to cloud services, where the customer ID is used in the cloud.]

Related sessions
SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production *
SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager *
SIA06-INT | Identity and Access Management Solution Demos
SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

Learn more about our solutions: http://www.microsoft.com/forefront
Try our products: http://www.microsoft.com/forefront/trial
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.