Identity and Access Management, presented by Microsoft and Atidan

David J. Rosenthal, CEO, Atidan
October 4, 2016
Microsoft MTC New York City

Uploaded by razor-technology-llc, 15 Jan 2017


61 percent of workers mix personal and work tasks on their devices*

>70 percent of network intrusions exploited weak or stolen credentials***

>80 percent of employees admit to using non-approved software-as-a-service (SaaS) applications in their jobs**

* Forrester Research: “BT Futures Report: Info workers will erase boundary between enterprise & consumer technologies,” Feb. 21, 2013
** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
*** Verizon 2013 data breach investigation report

Mobile and cloud: challenging security paradigms

Is it possible to keep up? Is it possible to stay secure?

[Figure: users (employees, business partners, customers), apps, devices and data, set against the threats of data leaks, lost devices, compromised identity and stolen credentials]

Microsoft’s vision

[Figure: employees, business partners and customers; apps, devices, data and users]

Access everything from everywhere. Manage and secure productivity. Integrate with what you have.

Enterprise Mobility Suite

Identity and access management (Microsoft Azure Active Directory Premium): single sign-on to 1000s of cloud and on-premises applications; identity protection with notifications, analysis, recommended remediation, and risk-based conditional access.

Device and app management (Microsoft Intune, System Center Configuration Manager): leverage PC management, MDM, and MAM to protect corporate apps and data on almost any device.

Information protection (Microsoft Azure Rights Management Premium): encryption, identity, and authorization to secure corporate files and email across phones, tablets, and PCs.

Behavior-based threat analytics (Advanced Threat Analytics): identify suspicious activities and advanced threats in near real time with simple, actionable reporting.

The current reality

Identity as the core of enterprise mobility

[Figure: Microsoft Azure Active Directory at the center, providing single sign-on, self-service and simple connection; on-premises Windows Server Active Directory and other directories on one side, SaaS, Azure and public cloud on the other]

• 1 trillion Azure AD authentications since the release of the service
• >80k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 600 M user accounts on Azure AD
• >9 M Azure AD directories
• 86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)

Every Office 365 and Microsoft Azure customer uses Azure Active Directory

Azure Active Directory

Microsoft’s “Identity Management as a Service (IDaaS)” for organizations. Millions of independent identity systems controlled by enterprise and government “tenants.” Information is owned and used by the controlling organization, not by Microsoft.

Born as a cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).

Azure Active Directory: identity at the core of your business

Identity and access management in the cloud

1000s of apps, 1 identity: provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps

Manage access at scale: manage identities and access at scale in the cloud and on-premises

Cloud-powered protection: ensure user and admin accountability with better security and governance

Enable business without borders: stay productive with universal access to every app and collaboration capability

Azure Active Directory Connect and Connect Health

1000s of apps, 1 identity

[Figure: Azure AD Connect, together with MIM, connecting Windows Server Active Directory, HR apps and other directories (PowerShell, SQL (ODBC), LDAP v3, Web Services (SOAP, JAVA, REST)) to Microsoft Azure Active Directory; integrated custom apps, SaaS apps and on-premises web apps published through Azure Active Directory Application Proxy]

• Connect and sync on-premises directories with Azure
• 2500+ pre-integrated popular SaaS apps and self-service integration via templates
• Easily publish on-premises web apps via Application Proxy + custom apps

Microsoft Authenticator: a mobile authenticator application for all platforms

1000s OF APPS, 1 IDENTITY

• Converges the existing Azure Authenticator and all consumer Authenticator applications.
• MFA for any account, enterprise or consumer and 3rd party: push notifications/OTP
• Device registration (workplace join)
• SSO to native mobile apps: certificate-based SSO
• Sign in to a device (Windows Hello), app, or website without a password

Azure Active Directory Domain Services

1000s OF APPS, 1 IDENTITY

Your domain controller as a service: Kerberos, NTLM, LDAP, Group Policy

Lift-and-shift on-premises apps to Azure IaaS

[Figure: on-premises Windows Server Active Directory synchronized through Azure AD Connect to Azure AD; Azure AD Domain Services serving your Azure IaaS workloads/apps inside your virtual network]

Manage your account, apps and groups

Making the lives of users (and IT) easier

Company branded, personalized application Access Panel: http://myapps.microsoft.com (+ iOS and Android mobile apps)

• Self-service password reset
• Application access requests
• Integrated Office 365 app launching

ENABLE BUSINESS WITHOUT BORDERS

Collaborate with partners: B2B collaboration

“We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.” (3000+ partners)

Share without complex configuration or duplicate users
• Partners use their own credentials to access your org
• Users lose access when leaving the partner org
• No external directories
• No per partner federation

You manage access
• You control partner access in your directory: app assignment, group membership, custom attributes

Partners of all sizes
• Bulk invite 1000s at a time
• Partners with Azure Active Directory sign in to accept invite
• Other partners simply sign up to accept invite

ENABLE BUSINESS WITHOUT BORDERS

Enabling anytime, anywhere productivity: Azure Active Directory Join for Windows 10

Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company’s Azure Active Directory

• Enterprise-compliant services
• SSO from the desktop to cloud and on-premises applications with no VPN
• Support for hybrid environments
• MDM auto-enrollment (Intune/MDM auto-enrollment for Windows 10 Azure AD joined devices)

ENABLE BUSINESS WITHOUT BORDERS

Connecting with consumers: Azure Active Directory B2C, consumer identity and access management in the cloud

• Identity management for consumers
• Cross-platform
• Identity experience engine
• Superior economics

“By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability."
- Rafael de los Santos, Head of Digital, Real Madrid

MANAGE ACCESS AT SCALE

Comprehensive identity and access management console for the IT professional managing identities

• Centralized access administration for pre-integrated SaaS apps and other cloud-based apps
• Dynamic groups, device registration, secure business processes with advanced access management capabilities

MANAGE ACCESS AT SCALE

Connect Health

Monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365.

Monitor:
• The Azure AD Connect sync engine health
• ADFS infrastructure health
• On-premises AD DS health

CLOUD-POWERED PROTECTION

Identity-driven security

Conditions: user, app sensitivity, device state, location, risk
Actions: allow access or block access; enforce MFA per user/per app

Notifications, analysis, remediation, risk-based policies: Identity Protection, MFA, Cloud App Discovery, Privileged Identity Management
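An illustrative model of how the conditions above combine into an allow/MFA/block decision. This is an added example, not Azure AD code; the policy names, sign-in fields, risk levels and sample sign-ins are constructed for the illustration.

```python
"""Model of conditions -> actions in risk-based conditional access.

Added example, not Azure AD code: the policy names, the sign-in fields, the
risk levels and the sample sign-ins are constructed. It shows how several
conditions (user risk, app sensitivity, device state, location, sign-in risk)
combine, with the strictest action winning.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class SignIn:
    """Context of one sign-in attempt (all values constructed)."""
    user: str
    app: str
    app_sensitivity: str     # "low" or "high"
    device_compliant: bool   # device state as reported by MDM
    trusted_location: bool   # inside a named corporate network
    sign_in_risk: str        # "none", "low", "medium", "high" (Identity Protection style signal)
    user_risk: str           # same scale; "high" means the credentials are likely compromised


RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignIn], bool]
    action: str              # "block" or "mfa"; "allow" is the default when nothing matches


# Hypothetical tenant policies written as the slide's conditions -> actions
POLICIES: List[Policy] = [
    Policy("block-compromised-users",
           lambda s: RISK[s.user_risk] >= RISK["high"], "block"),
    Policy("block-unmanaged-device-to-sensitive-app",
           lambda s: s.app_sensitivity == "high" and not s.device_compliant, "block"),
    Policy("mfa-on-risky-sign-in",
           lambda s: RISK[s.sign_in_risk] >= RISK["medium"], "mfa"),
    Policy("mfa-outside-trusted-location",
           lambda s: not s.trusted_location, "mfa"),
    Policy("mfa-per-app-sensitive",
           lambda s: s.app_sensitivity == "high", "mfa"),
]


def evaluate(sign_in: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return (decision, names of every matching policy).

    All matches are kept for the audit trail; the strictest action wins
    (block > mfa > allow) so one permissive rule can never override a block.
    """
    matched = [p for p in policies if p.condition(sign_in)]
    names = [p.name for p in matched]
    if any(p.action == "block" for p in matched):
        return "block", names
    if any(p.action == "mfa" for p in matched):
        return "mfa", names
    return "allow", names


# Constructed sign-ins covering allow, MFA and block outcomes
SAMPLE_SIGN_INS = [
    SignIn("alice", "intranet-wiki", "low", True, True, "none", "none"),
    SignIn("alice", "intranet-wiki", "low", True, False, "low", "none"),
    SignIn("bob", "payroll", "high", False, True, "none", "none"),
    SignIn("carol", "payroll", "high", True, True, "medium", "none"),
    SignIn("dave", "intranet-wiki", "low", True, True, "none", "high"),
]


def decisions() -> List[Tuple[str, str, str]]:
    """(user, app, decision) for each sample sign-in, in order."""
    return [(s.user, s.app, evaluate(s)[0]) for s in SAMPLE_SIGN_INS]


if __name__ == "__main__":
    for s in SAMPLE_SIGN_INS:
        decision, why = evaluate(s)
        print(f"{s.user:6} {s.app:14} -> {decision:5} {why}")
```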

CLOUD-POWERED PROTECTION

Azure Active Directory Identity Protection

Identity Protection at its best
• Risk severity calculation
• Remediation recommendations
• Risk-based conditional access automatically protects against suspicious logins and compromised credentials
• Gain insights from a consolidated view of machine learning based threat detection

[Figure: the machine-learning engine consumes leaked credentials, infected devices, configuration vulnerabilities, brute force attacks and suspicious sign-in activities; risk-based policies issue an MFA challenge for risky logins, block attacks and change bad credentials]

CLOUD-POWERED PROTECTION

Azure Active Directory Identity Protection

Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools: apply Microsoft learnings to your existing security tools

[Figure: the Microsoft machine-learning engine (leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities) feeds security/monitoring/reporting solutions through notifications, data extracts/downloads and reporting APIs]

CLOUD-POWERED PROTECTION

Privileged Identity Management

• Discover, restrict, and monitor privileged identities
• Enforce on-demand, just-in-time administrative access when needed
• Use Alert, Audit Reports and Access Review

Administrator roles: Global Administrator, Billing Administrator, Service Administrator, User Administrator, Password Administrator

CLOUD-POWERED PROTECTION

Privileged Identity Management

How time-limited activation of privileged roles works
• Users need to activate their privileges to perform a task
• MFA is enforced during the activation process
• Users will retain their privileges for a pre-configured amount of time
• Alerts inform administrators about out-of-band changes
• Security admins can discover all privileged identities, view audit reports and review everyone who is eligible to activate via access reviews

[Figure: the security admin configures Privileged Identity Management and monitors access reports, audit and alerts; the user passes identity verification (MFA) to activate an admin profile (Billing Admin, Global Admin, Service Admin) or a read-only role]

CLOUD-POWERED PROTECTION

Benefits: Privileged Identity Management

Reduces exposure to attacks targeting admins
• Removes unneeded permanent admin role assignments
• Limits the time a user has admin privileges
• Ensures MFA validation prior to admin role activation

Simplifies delegation and enables least privilege role assignments
• Separates role administration from other tasks
• Adds roles for read-only views of reports and history
• Asks users to review and justify continued need for admin role

Increases visibility and finer-grained control
• Alerts on users who haven’t used their role assignments
• Simplifies reporting on admin activity

CLOUD-POWERED PROTECTION

Microsoft Advanced Threat Analytics

Detect threats fast with behavioral analytics: no need to create rules or policies, deploy agents, or monitor a flood of security reports. The intelligence needed is ready to analyze and is continuously learning.

Adapt as fast as your enemies: ATA continuously learns from the organizational entity behavior (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly evolving enterprise.

Focus on what is important fast using the simple attack timeline: the attack timeline is a clear, efficient, and convenient feed that surfaces the right things on a timeline, giving you the power of perspective on the “who, what, when, and how” of your enterprise. It also provides recommendations for next steps.

Reduce the fatigue of false positives: alerts only happen once suspicious activities are contextually aggregated; not only comparing the entity’s behavior to its own behavior, but also to the profiles of other entities in its interaction path.

CLOUD-POWERED PROTECTION

Introducing Microsoft Cloud App Security

Extending visibility and control to cloud apps
• Create policies for access, activities, and data sharing
• Automatically identify risky activities, abnormal behaviors, and threats
• Prevent data leakage (DLP)
• Minimize risk with automated threat prevention and policy enforcement

Enterprise mobility + security

• Protect your users, devices, and apps: Intune
• Detect problems early with visibility and threat analytics: Advanced Threat Analytics
• Protect your data, everywhere: Azure Rights Management and Secure Islands
• Extend enterprise-grade security to your cloud and SaaS apps: Microsoft Cloud App Security
• Manage identity with hybrid integration to protect application access from identity attacks: Azure Active Directory Identity Protection

Customer stories: transportation, logistics, oil-gas; retail, hospitality and travel; government, banking, insurance; construction, professional services; education, nonprofit; health

Identity and access management in the cloud

• Advanced user lifecycle management
• Low IT overhead
• Monitor your identity bridge
• Cloud-connected seamless authentication experience
• Single sign-on to 1000s pre-integrated apps / your own apps
• Secure remote access to on-premises apps
• SSO to mobile apps
• Support for lift-and-shift to the cloud
• Control access to resources
• Safeguard user authentication
• Respond to advanced threats with risk-based policies and monitoring
• Mitigate administrative risks
• Governance of on-premises and cloud identities
• Ease of use for end users / integration with Office
• Cross-organization collaboration
• Any time, any place productivity with Windows 10
• Support for consumer facing applications


FastTrack for EMS: Deploy it Right

Now included with all EMS services

Microsoft FastTrack for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium.

Azure Active Directory Premium. FastTrack will:
• Get organizational identities to the cloud
• Set up single sign-on for test apps (including Azure Active Directory Application Proxy apps)
• Configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site

Microsoft Intune. FastTrack will:
• Set up users and groups
• Enable management of test devices
• Optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single pane management experience

Azure Rights Management Premium. FastTrack will:
• Retain control of sensitive documents locally and over email
• Automatically protect mail containing privileged information
• Ensure files stored in SharePoint are rights protected

Top ISV solutions in Identity & Access Management

Soha Cloud

Soha’s security service ensures that you can continue to develop, test and deploy applications on public clouds with maximum agility, while giving management the assurance they need. It provides the security missing in public cloud infrastructures.

Key use cases/benefits
• Eliminate VPNs, whitelists, access lists and security groups
• Enable micro-granular access to only the applications users are authorized to use, and nothing else
• Simple to use, easy and fast to deploy
• Lower operating cost and no hardware or network changes required

Availability: Global
Average deal revenue: $5K/quarter

Enterprise Random Password Manager

Lieberman Software proactively mitigates cyber threats that bypass traditional enterprise defenses by delivering automated intrusion remediation in real time. It controls privileged access across data center and cloud assets by continuously changing privileged credentials and SSH keys. Deploy on-premises or as Azure Certified VMs (hybrid or cloud only).

Key use cases/benefits
• Proactive cyber defense
• Simplified compliance
• Next generation privilege management
• Enhanced IT ops security and efficiency

Availability: Global
Average deal revenue: $45K

© 2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Contact us for demonstration, briefing and deployment planning:

[email protected]

1-215-825-5045 x5001

Appendix

Azure Active Directory editions GA feature comparison + Office 365 IAM features

Feature | Free | Basic | Premium | Office 365 apps

Directory as a service | 500,000 object limit | No object limit | No object limit | No object limit for Office 365 user accounts
User/group management (add/update/delete)/user-based provisioning, device registration | Yes | Yes | Yes | Yes
Single sign-on | 10 apps per user (pre-integrated SaaS and developer-integrated apps) | 10 apps per user (free tier + Application Proxy apps) | No limit (free, Basic tiers + Self-Service App Integration templates 1) | 10 apps per user (pre-integrated SaaS and developer-integrated apps)
User-based access management/provisioning | Yes | Yes | Yes |
Self-service password change for cloud users | Yes | Yes | Yes |
Connect (sync engine that extends on-premises directories to Azure Active Directory) | Yes | Yes | Yes |
Security reports/audit | 3 basic reports | 3 basic reports | Advanced security reports | 3 basic reports

Premium + basic features
Group-based access management/provisioning | | Yes | Yes |
Self-service password reset for cloud users | | Yes | Yes | Yes
Company branding (logon pages/access panel customization) | | Yes | Yes | Yes
Application Proxy | | Yes | Yes |
SLA | | Yes | Yes | Yes

Premium features
Self-service group and app management/self-service application additions/dynamic groups | | | Yes |
Self-service password reset/change/account unlock with on-premises write-back | | | Yes |
Advanced usage reporting | | | Yes |
Multi-factor authentication (cloud and on-premises (MFA server)) | | | Yes | Limited, cloud only for Office 365 apps
MIM CAL + MIM server | | | Yes |
Cloud app discovery | | | Yes |
Automated password rollover | | | Yes |
Connect Health | | | Yes |
| Yes | Yes | Yes | Yes
MDM auto-enrollment, self-service BitLocker recovery, additional local administrators to Windows 10 devices via Azure AD Join | | | Yes |

Microsoft enterprise mobility management

Microsoft Intune: mobile device settings management, mobile application management, selective wipe

Microsoft Azure Active Directory Premium + Microsoft Identity Manager: security reports, audit reports, Multi-Factor Authentication; self-service password reset and group management; connection between Active Directory and Azure Active Directory

Microsoft Azure Rights Management Service: information protection, connection to on-premises assets, bring your own key

Challenge: identities live in too many places

[Figure: user identities from multiple repositories (HR system, LDAP, Oracle DB, finance, web apps) feeding Windows Server Active Directory; hybrid identity connectors for LDAP v3, Windows PowerShell, web services (SOAP, Java, REST) and generic SQL via ODBC; Windows Server Active Directory vs. Microsoft Azure Active Directory]

Microsoft’s IAM solution

[Figure: Microsoft Azure Active Directory spanning the Microsoft Cloud, apps in Azure and third-party apps and clouds, and reaching apps on-premises through Microsoft Identity Manager and the AAD App Proxy]

Spans cloud and on-premises

Provides full spectrum of services
• Federation
• Identity management
• Device registration
• User provisioning
• Application access control
• Data protection

Modern identity management system: the combination of Windows Server Active Directory, Microsoft Identity Manager, and Microsoft Azure Active Directory enables better security for today’s hybrid enterprise.

MANAGE EVERYTHING

Introducing Microsoft Identity Manager 2016

Cloud-ready identities: automatic preparation of Active Directory identities for synchronization with Azure Active Directory

Powerful user self-service: password reset with Azure Multi-Factor Authentication; dynamic groups with approvals and redesigned certificate management

Enhanced security: hybrid reporting and privileged access management to protect administrator accounts; support for new security protocols

MANAGE EVERYTHING

Microsoft Identity Manager 2016 features

Cloud-ready identities
• Standardized Active Directory attributes and values
• Partitioned identities for synchronization to the cloud
• Easier-to-deploy reporting connected to Azure Active Directory
• Preparation of user profiles for Microsoft Office 365

Powerful user self-service
• Self-service password reset with Multi-Factor Authentication
• New REST-based APIs for AuthN/AuthZ
• Self-service account unlock
• Certificate management support for multi-forest and modern apps

Enhanced security
• Privileged user and account discovery
• New Windows PowerShell support and REST-based API
• Workflow management: elevated just-in-time administrator access
• Reporting and auditing specific to privileged access management

MANAGE EVERYTHING

IAM evolution: on-premises, hybrid, cloud

• Managed: Microsoft System Center Configuration Manager
• On-premises LOB applications, traditional productivity
• iOS, Android, Windows Phone, BYOD
• Mobile apps, shadow IT SaaS solutions
• Managed: Microsoft Intune connected to System Center Configuration Manager
• On-premises LOB applications, managed SaaS, Office 365 hybrid deployment, Azure Active Directory implementation
• Deployment of cloud-enabled rich clients
• Managed cloud identities with Multi-Factor Authentication
• Managed by EMS: combination of mobile clients (iOS, Android) and cloud-enabled clients (Windows 10)
• Managed SaaS and Office 365 Enterprise, full Azure IAM

Event - Mobility Event-Win 8.x/10

MANAGE EVERYTHING

Architecture: hybrid identity with MIM

[Figure: Microsoft Identity Manager 2016 (MIM) providing IAM for on-premises applications, connected to Microsoft Azure Active Directory through Azure AD Connect and Azure AD App Proxy]

Scenario: self-service password reset

[Figure: a user who has forgotten a password uses the self-service experiences; the user’s identity spans cloud and on-premises applications, with IT in the loop only through the identity system]

Scenario: collapse multi-forest Active Directory into one Active Directory

Microsoft Identity Manager 2016: collapse directories, map multiple identities, transform usernames and other attributes

Scenario: implement privileged access management

[Figure: existing AD forests (WS 2003 or later), existing FIM and existing apps, linked by an existing trust and a separate trust for admin access; Microsoft Identity Manager configured for PAM alongside AD DS in the privileged forest, handling access requests and time-based memberships]

Example from the slide: user PRIV\JenAdmin is the candidate for group “Resource Admins” in domain CORP. On an access request the user is added to CORP\Resource Admins with a time-based membership (refresh after: 60 minutes).
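The following model shows the time-limited activation mechanism behind both the Privileged Identity Management slides (activate with MFA, hold the role for a configured time, alert on out-of-band changes, review unused eligibility) and the MIM PAM scenario above. It is an added example, not Azure AD PIM or MIM PAM code; it reuses the scenario's names (PRIV\JenAdmin, CORP\Resource Admins, 60-minute refresh), while the 30-day review threshold and any other account names are assumptions.

```python
"""Model of just-in-time, time-limited privileged access.

Added example, not Azure AD PIM or MIM PAM code. It models the mechanism the
PIM slides describe (activate with MFA, hold the role for a configured time,
alert on out-of-band changes, review unused eligibility) with the MIM PAM
scenario's names: candidate PRIV\\JenAdmin, group CORP\\Resource Admins,
membership refreshed after 60 minutes. The 30-day review threshold and the
other account names are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

ACTIVATION_WINDOW = timedelta(minutes=60)  # "Refresh after: 60 minutes" on the slide
UNUSED_THRESHOLD = timedelta(days=30)      # assumed access-review window
Key = Tuple[str, str]                       # (user, role)


@dataclass
class Eligibility:
    user: str
    role: str
    last_activated: Optional[datetime] = None  # None: never activated


@dataclass
class PrivilegedAccess:
    eligible: Dict[Key, Eligibility] = field(default_factory=dict)
    active_until: Dict[Key, datetime] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def make_eligible(self, user: str, role: str) -> None:
        """Eligibility replaces a permanent assignment: no privilege until activation."""
        self.eligible[(user, role)] = Eligibility(user, role)
        self.audit.append(f"ELIGIBLE {user} -> {role}")

    def activate(self, user: str, role: str, mfa_verified: bool,
                 justification: str, now: datetime) -> bool:
        """Grant the role for ACTIVATION_WINDOW; MFA and a justification are mandatory."""
        key = (user, role)
        if key not in self.eligible:
            self.audit.append(f"DENY {user} -> {role}: not eligible")
            return False
        if not mfa_verified:
            self.audit.append(f"DENY {user} -> {role}: MFA not verified")
            return False
        if not justification.strip():
            self.audit.append(f"DENY {user} -> {role}: no justification")
            return False
        until = now + ACTIVATION_WINDOW
        self.active_until[key] = until
        self.eligible[key].last_activated = now
        self.audit.append(f"ACTIVATE {user} -> {role} until {until:%H:%M} ({justification})")
        return True

    def is_active(self, user: str, role: str, now: datetime) -> bool:
        """Time-based membership: an expired activation is dropped on the next check."""
        until = self.active_until.get((user, role))
        if until is None:
            return False
        if now >= until:
            del self.active_until[(user, role)]
            self.audit.append(f"EXPIRE {user} -> {role}")
            return False
        return True

    def unused_eligibilities(self, now: datetime) -> List[Key]:
        """Access-review input: eligible users who have not activated within the threshold."""
        return sorted(k for k, e in self.eligible.items()
                      if e.last_activated is None or now - e.last_activated > UNUSED_THRESHOLD)

    def out_of_band_members(self, group_members: Set[str], role: str, now: datetime) -> Set[str]:
        """Alert input: group members that no sanctioned, unexpired activation explains."""
        sanctioned = {u for (u, r) in list(self.active_until)
                      if r == role and self.is_active(u, r, now)}
        return group_members - sanctioned
```

Feeding the directory group's actual membership into out_of_band_members is what turns a permanent or side-channel assignment into an alert; the audit list is the activation history a reviewer would read.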

Deep dive: DirSync, Azure AD, and MIM Sync

• DirSync, Azure Active Directory Sync, FIM Sync (+ Azure Active Directory Connector): superseded by Azure Active Directory Connect
• MIM Sync (+ Azure Active Directory Connector): Azure Active Directory Connect

Deep dive: migrate to Azure Active Directory

Connect and sync on-premises directories with Azure: Azure Active Directory Connect

[Figure: Microsoft Azure Active Directory connected to other directories through PowerShell, LDAP v3, SQL (ODBC) and web services (SOAP, Java, REST)]

Deep dive: IAM in MIM vs. Azure Active Directory

Capability | Azure Active Directory | Microsoft Identity Manager
Password reset/management | YES | YES
Group management | YES, not dynamic | YES
Provisioning, deprovisioning | NO | YES
Certificate management | NO | YES
Role-based access control | NO | YES

Microsoft Identity Manager 2016 is also included with Azure Active Directory Premium, which is part of the Enterprise Mobility Suite.

Microsoft Enterprise Mobility Suite is the most cost-effective way to acquire all included cloud services: Azure Active Directory Premium, Azure Rights Management, and Intune.

Purchasing Microsoft Identity Manager 2016

Licensed on a per-user basis
• Client Access License (CAL): required for each user whose identity is managed
• Windows Server license with active Software Assurance: required to use the Microsoft Identity Manager 2016 server software as a Windows Server add-on
