Private Cloud: Forefront Identity Manager 2010 (Adam Bresson)
Forefront Identity Manager 2010
JOURNEY TO THE CLOUD
FIM 2010 is used for management of AD, the core of your identity in the private cloud
Cloud Security Concerns
• Security is the number 1 concern for cloud adoption
• 75% responded 4 or 5 (on a 1 to 5 scale) *
• Key security issues:
  • Isolation of tenants from each other and from the hosting infrastructure (compute and network layers)
  • Authentication / authorization / auditing of access to cloud services
  • Unauthorized access / DoS due to weak (or mis-)configuration
* Source: IDC Enterprise Panel
Three Pillars
[Diagram: Identity Management Platform resting on three pillars: Authorization, Authentication, Attributes]
To The Cloud!
• Hyper-V uses AD groups natively for delegated administration
• Security configuration driven via Group Policy
• What is an effective way to manage groups?
Typical Cloud ID Journey
[Diagram: Silos (Islands of Identity) → Federated Islands of Identity; pillars: Authorization, Authentication, Attributes]
A Better Journey
[Diagram: Silos (Islands of Identity) → Federated Islands of Identity → Identity Management Platform; pillars: Authorization, Authentication, Attributes]
What is Forefront Identity Manager
[Diagram: FIM 2010 at the centre, connected to directories, LOB applications, databases, phone and AD]
• Self-service integration: FIM Portal, Windows log on
• AD FS login across clouds; integrated login to applications
• Secure the private cloud: manages Active Directory, secure delegation of administration, enables access to the private cloud
• Common identity across clouds
Workflow
[Diagram: attributes flow from the HR System through FIM 2010 into AD and the systems listed below]
HR System record: FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr: Melissa Meyers; EmplID 123
Synchronized identity: FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr: Melissa Meyers; LoginID Tadams; Phone 555-1234; Phone 555-1212; Email [email protected]
Groups: Melissa’s Directs; All in Sales; Sales App Owners
Group membership and user attributes generated
Consuming systems: Exchange; SharePoint; Web Sites; File / Print; Line of Business Apps
Integrated and federated common identity
[Diagram: Private Cloud and Public Cloud (PaaS / SaaS: Windows Azure, Office 365) sharing one common identity]
Private Cloud Enabled Identity
All Microsoft solutions for private cloud leverage a single identity store to authenticate users with Microsoft® Active Directory® across physical and virtual systems.
[Diagram: Active Directory underpins the private cloud stack: Virtualization (Hyper-V™; hardware, presentation and application virtualization via Terminal Services and Microsoft App. Virt.), Network Access Protection, Server and Domain Isolation, Forefront™ Security Solutions, System Center Virtual Machine Manager, Forefront Identity Manager]
Active Directory
  o Single identity store to authenticate users
  o Support across physical and virtual systems
  o Federated identity
Forefront Identity Manager
  o Easy user provisioning
  o Identity synchronization
  o Simplified management of cloud resources
Flow: roles in Hyper-V and System Center → leverage AD groups in roles → manage AD groups in FIM → private cloud self-service, secure and compliant
Solution Example – Enhancing Private Cloud with Identity
• Hyper-V and SC Virtual Machine Manager use roles
• Roles can contain users or groups from AD
• Delegation of datacenter management
• Forefront Identity Manager securely manages membership in AD groups
Solution Example – Enhancing Private Cloud with Identity
• Default role allows access to all operations
• Additional roles with desired rights can be created
• 33 different operations out of the box, grouped under:
  • Hyper-V Service Operations
  • Hyper-V Networks Operations
  • Hyper-V Virtual Machine Operations
Hyper-V Authorization Manager + Common identity in Private Cloud
Virtual Machine Manager + Common identity in Private Cloud
• The Administrator profile: complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
• The Delegated Administrator profile: grants administrative access to a defined set of host groups and library servers
• The Self-Service User profile: administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
• Additional delegation capabilities in the Self-Service Portal
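As an added illustration (not code from the deck or from FIM itself) of the workflow slide's HR-driven attribute and group generation and of the "roles reference AD groups" design in the solution example above, this Python model derives AD attributes and criteria-based groups from HR records, resolves Hyper-V/VMM role membership through those groups, and flags stale memberships for audit; the login-ID rule, the "Sales App Owners" criterion, the role mapping and the second employee are assumptions.

```python
# Added illustration (not FIM's engine or API) of the deck's flow: HR record ->
# synced AD attributes -> criteria-based AD groups -> Hyper-V/VMM roles that
# reference those groups; rules, role mapping and "Pat Lee" are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class HrRecord:
    empl_id: str
    first: str
    last: str
    title: str
    dept: str
    mgr: str  # manager's display name, as on the deck's HR slide

def login_id(rec):
    # Deck shows Terry Adams -> "Tadams"; assumed rule: first initial + last name.
    return rec.first[0].upper() + rec.last.lower()

def sync(hr):
    """Derive AD user attributes and group memberships from HR data alone."""
    users, groups = {}, {}
    for r in hr:
        uid = login_id(r)
        users[uid] = {"FirstName": r.first, "LastName": r.last, "Title": r.title,
                      "Dept": r.dept, "Mgr": r.mgr, "Email": f"{uid}@example.com"}
        wanted = {f"All in {r.dept}", f"{r.mgr.split()[0]}'s Directs"}
        if r.dept == "Sales" and "Manager" in r.title:  # constructed rule
            wanted.add("Sales App Owners")
        for g in wanted:
            groups.setdefault(g, set()).add(uid)
    return users, groups

# Hyper-V / VMM roles reference AD groups, never individual users (constructed).
ROLES = {"Hyper-V Virtual Machine Operations": {"Sales App Owners"},
         "VMM Self-Service User": {"All in Sales"}}

def effective_roles(uid, groups):
    return {r for r, gs in ROLES.items() if any(uid in groups.get(g, set()) for g in gs)}

def audit_drift(ad_groups, expected):
    """Memberships still in AD that current HR data no longer justifies."""
    drift = {}
    for g, members in ad_groups.items():
        extra = members - expected.get(g, set())
        if extra:
            drift[g] = extra
    return drift

HR = [HrRecord("123", "Terry", "Adams", "Sales Manager", "Sales", "Melissa Meyers"),
      HrRecord("124", "Pat", "Lee", "Sales Rep", "Sales", "Terry Adams")]
```

Re-running `sync` after an HR transfer and diffing the old group state against the new one with `audit_drift` shows the memberships that should be withdrawn, with no change to the role definitions themselves.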
Solution Example - Enhancing Private Cloud with Identity
FIM (Helping) with The Cloud
[Diagram: a user submits a request ("Can I have Admin access to the cloud app?"); the approver responds ("Oh, alright then") and approves]
EVERY JOURNEY NEEDS A HISTORY
[Diagram: Silos (Islands of Identity) → Federated Islands of Identity → Identity Management Platform; pillars: Authorization, Authentication, Audit, Attributes]
TO THE CLOUD!
• Using Hyper-V as an infrastructure for the private cloud is great for server optimization, but without an IAM architecture in place it just moves the administrative problems around.
• FIM provides a compliant and well-managed AD. Compliance here means automating changes to access permissions, making sure users have the right access, and reporting.
• Active Directory provides the common identity platform from classic datacenter-hosted systems to the private cloud, and also paves the way to using public cloud resources.
QUESTIONS?