Help securely enable business by managing risk and empowering people Identity Highly Secure & Interoperable Platform Across on-premises & cloud from: Block Cost Siloed to: Enable Value Seamless.

• Different sign-on requirements for applications
• Password reset and access requests handled through help desk
• Multiple identities and limited sign-on help
• Contoso managing Fabrikam accounts
• Remote access solution w/ separate identities
• Fabrikam managing Contoso accounts
• Secure Messaging
• Secure Collaboration
• Information Protection
• Identity and Access Management
• Secure Endpoint
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device

PROTECT everywhere, ACCESS anywhere
• Provide more secure, always-on access
• Enable access from virtually any device

INTEGRATE and EXTEND security
• Control access across organizations
• Provide standards-based interoperability

SIMPLIFY security, MANAGE compliance
• Extend powerful self-service capabilities to users
• Automate and simplify management tasks
GOVERNED SELF-SERVICE AND AUTOMATION

Empower Business
• Self-service profile, credential, and group management
• Password and PIN reset from Windows login
• Group management from within Microsoft Office
• Single identity across heterogeneous applications

Empower IT
• End-to-end, workflow-driven user provisioning
• Policy-controlled self-service capabilities
• Automatic, attribute-based group membership for simplified resource access

“With Forefront Identity Manager and Active Directory, we have the comprehensive identity and access management solution that we need to support our banking operations.”
René Chevremont, Head of Access Management, Banque de Luxembourg
Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006579/
• Policy-based identity lifecycle management system
• Built-in workflow for identity management
• Automatically synchronize all user information to different directories across the enterprise
• Automates the process of on-boarding users
[Diagram: user provisioning flow. User enrollment in the HR System starts a FIM workflow with an approval step; FIM then provisions the user to Active Directory, Lotus Domino, LDAP, SQL Server and Oracle DB.]

“With Forefront Identity Manager, we are able to streamline tactical processes, while at the same time provide strategic business value through a cohesive identity and access management solution.”
Scott Weir, IT Manager–Desktop Architecture, First American Title Insurance Company
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006604/
[Diagram: attribute ownership. Each connected system is authoritative for different attributes of the same identity: the HR System owns FirstName, LastName and EmployeeID; the SQL Server DB owns Title; Active Directory/Exchange owns E-Mail; LDAP owns Telephone. Every system carries the attributes givenName, sn, title, mail, employeeID and telephone.]

[Diagram: identity data aggregation. Before synchronization each system holds its own inconsistent copy of the record: givenName/sn variants Samantha Dearing, Samara Darling, Sam Dearing and Sammy Dearling; title Coordinator, Identity Manager or Intern; employeeID 007 in most systems but 008 in one; telephone 555-0129 held only where LDAP owns it.]

[Diagram: identity data brokering (convergence). FIM takes each attribute from the system that owns it and propagates that value to the other systems, so that all copies converge on one consistent record (employeeID 007, telephone 555-0129).]
• Increase access security beyond username and password solutions
• Streamline deployment by enrolling user and computer certificates without user intervention
• Simplify certificate and SmartCard management using Forefront Identity Manager (FIM)
• Enhance remote access security through certificates with Network Access Protection
• Stronger authentication through certificates for administrative access and management
[Diagram: certificate and smart card enrollment flow. A user enrollment creation and authentication request is sent by the HR System; a FIM policy triggers a request for FIM CM to issue a certificate or SmartCard; FIM Certificate Management (CM) requests the certificate from Active Directory Certificate Services (AD CS); the certificate is issued to the user and written to either the machine or the smart card.]

“We’re confident that we have a security infrastructure that will help protect … our customers’ data while logging every user action, for a more flexible and adaptive IT infrastructure.”
Thomas Pfeifer, Solution Engineer, T-Systems
Source: http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000006605/
• Self-service group and distribution list management with the FIM 2010 Web portal
• Office integration allows users to manage group membership from within Microsoft Office Outlook® for maximum productivity
• Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory
• Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes

FIM Add-in for Outlook
• Integrates with Exchange and Outlook
• Manages distribution and security groups

SharePoint-Based Management Console
• Self-service group management
• Criteria-based group membership
• Integrated approval

• Enables IT to quickly define, automate, and enforce identity management policies
• IT can use the integrated workflow in the approval/rejection process
• Automatic notifications for request approvals or rejections

• Enables users to reset their own passwords through both Windows logon and FIM password reset portal
• Controls helpdesk costs by enabling end users to manage certain parts of their own identities
• Improves security and compliance with minimal errors while managing multiple identities and passwords

[Diagram: self-service password reset. The end user requests a password reset; the FIM Server resets the password and the updated password is synchronized to Active Directory, Oracle, SQL Server and IBM DS LDAP.]
• Integrated SSL VPN capabilities for both managed and non-managed clients
• Simplified remote access by non-Windows, down-level, or non-trusted endpoints
• UAG 2010 extends the benefits of DirectAccess to down-level servers and applications across your infrastructure

[Diagram: remote access through UAG 2010. Employees and partners on non-managed devices (mobile, home/kiosk) reach the data center/corporate network over the Internet via HTTPS (443) or a Layer 3 VPN; employees on managed devices use DirectAccess. UAG applies authentication and policy (SmartCard, RADIUS, LDAP, …) before brokering access to Terminal Services, Remote Desktop, Citrix, CRM, IBM/SAP/Oracle, and non-web, legacy and down-level applications.]
DIRECT ACCESS
Empower Business
• Seamless and more secure access
• Simplified, always-on access
Empower IT
• Policy-based network access
• Ability to manage machines anywhere

Empower Business
• Consolidated secure portal to simplify remote access to resources
• Simplified sign-on
Empower IT
• Policy-based resource access

SSL VPN
Empower Business
• Access from virtually any device
Empower IT
• Policy-based restricted access

Empower Business
• Ability to move seamlessly between applications using a single identity
• Collaboration across organizations
Empower IT
• No need to manage external accounts
• Simplified and flexible claims-based federation
• Common authentication controls for building custom applications
“We will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners.”
Armand Martin, Enterprise Architect, Security, Dow Corning
Source: http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000006589/
• Shared identity with partner organizations and cloud services
• Boost cross-organizational efficiency and communication with more secure access
− Support the sharing of rights-protected messages between organizations
− Improved support for Microsoft SharePoint Server as a claims-aware application

[Diagram: cross-organization federation. The Trey Research account forest (AD DS, AD FS) and the Woodgrove Bank resource forest (AD DS, AD FS, AD RMS, Exchange 2010, SharePoint Server farm, application) are joined by a federation trust. A business partner user presents account credentials, is redirected to the Security Token Service (STS), receives a security token, posts claims to the application and is granted access.]
• Implements a single user access model with native single sign-on (SSO) and easier federation to on-premises and cloud services
• Helps provide consistent security with a single user access model externalized from applications
• Based on open, industry standard protocols for interoperability

[Diagram: single user access model. A corporate user obtains a security token (e.g., a Kerberos ticket) from AD DS and AD FS and uses it to reach Exchange, SharePoint, an internal app and a claims-aware app.]
• Shared identity with partners and cloud services
• Boost cross-organizational efficiency
− Share rights-protected messages
− Improved support for SharePoint as a claims-aware application

[Diagram: federated identity across the enterprise, partners and cloud services. FIM aggregates identity data (role, client list, phone, title, department, manager, group) from the HR System, SQL Server, AD DS and other user data stores, with self-service and workflow on top. AD FS 2.0 issues WS-* and SAML claims to a partner claims-aware application and to cloud services in a cloud datacenter, where the customer ID is used; Windows Integrated/Kerberos/ADFS authentication serves internal claims-aware applications, Exchange (GAL & DL), SharePoint (profiles and access), SAP and other apps.]
SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production
* SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
* SIA06-INT | Identity and Access Management Solution Demos
SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Learn more about our solutions:
http://www.microsoft.com/forefront
Try our products:
http://www.microsoft.com/forefront/trial
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st: http://northamerica.msteched.com/registration
You can also register at the North America 2011 kiosk located at registration.
Join us in Atlanta next year.