Private cloud forefront identity manager 2010 (adam bresson)


Description: Forefront Identity Manager 2010

Transcript of Private cloud forefront identity manager 2010 (adam bresson)

Page 1: Private cloud   forefront identity manager 2010 (adam bresson)

JOURNEY TO THE CLOUD

FIM 2010 Used for Management of AD the core of your Identity in the Private Cloud

Page 2

Cloud Security Concerns

• Security is the number 1 concern for cloud adoption
  • 75% responded 4 or 5 (on a 1 to 5 scale)*
• Key security issues:
  • Isolation of tenants from each other & hosting infrastructure
    • Compute and network layers
  • Authentication / Authorization / Auditing of access to cloud services
  • Unauthorized access / DoS due to weak (or mis)configuration

* Source: IDC Enterprise Panel

Page 3

Three Pillars

Identity Management Platform

Diagram: three pillars labelled Authorization, Authentication, Attributes

Page 4

To The Cloud!

• Hyper-V uses AD groups natively for delegated administration

• Security configuration driven via Group Policy

• What is an effective way to manage groups?

Page 5

Typical Cloud ID Journey

Silos (Islands of Identity) → Federated Islands of Identity

Diagram: pillars labelled Authorization, Authentication, Attributes

Page 6

A Better Journey

Silos (Islands of Identity) → Federated Islands of Identity → Identity Management Platform

Diagram: pillars labelled Authorization, Authentication, Attributes

Page 7

What is Forefront Identity Manager

• Self-Service integration (FIM Portal)
• Windows Log On
• AD FS login across clouds
• Integrated login to applications
• Secure the Private Cloud: Directories, LOB Applications, Databases
• Manages Active Directory
  - secure delegation of administration
  - enable access to private cloud

Page 8

Common Identity across clouds

Diagram (as laid out on the slide): HR System, Phone and AD feed the FIM 2010 Workflow; group membership and user attributes are generated and pushed out to the connected systems.

• HR System: FirstName Terry, LastName Adams, Title Sales Manager, Dept Sales, Mgr: Melissa Meyers, EmplID 123
• FIM 2010 Workflow: FirstName Terry, LastName Adams, Title Sales Manager, Dept Sales, Mgr: Melissa Meyers, LoginID Tadams, Email [email protected]
• AD / Phone: Firstname Terry, LastName Adams, Phone 555-1234, Phone 555-1212, LoginID Tadams, Email [email protected]
• Groups: Melissa’s Directs, All in Sales, Sales App Owners
• Connected systems: Exchange, SharePoint, Web Sites, File / Print, Line of Business Apps
• Integrated and federated common identity: Office 365, Windows Azure (Public Cloud: PaaS / SaaS), Private Cloud

Page 9

Private Cloud Enabled Identity

All Microsoft solutions for private cloud leverage a single identity store to authenticate users with Microsoft® Active Directory® across physical and virtual systems.

Diagram components: Virtualization (Hyper-V™; Hardware / Presentation / Application; Terminal Services; Microsoft App. Virt.), Network Access Protection, Server and Domain Isolation, Forefront™ Security Solutions, System Center Virtual Machine Manager, Forefront Identity Manager, Active Directory

• Active Directory
  o Single identity store to authenticate users
  o Support across physical and virtual systems
  o Federated Identity
• Forefront Identity Manager
  o Easy user provisioning
  o Identity synchronization
  o Simplified management of cloud resources

Page 10

Solution Example – Enhancing Private Cloud with Identity

Diagram: Roles in Hyper-V and System Center → Leverage AD Groups in roles → Manage AD Groups in FIM → Private Cloud Self Service, secure and compliant

• Hyper-V and SC Virtual Machine Manager use roles
• Roles can contain users or groups from AD
• Delegation of datacenter management
• Forefront Identity Manager securely manages membership in AD groups
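The "Terry Adams" slide and the slide above both hinge on one idea: AD group membership is computed from HR attributes by FIM rather than edited by hand, and the groups then drive Hyper-V / VMM roles. The following added example (my code, not the deck's and not FIM's) models that as criteria-based groups reconciled against a snapshot of current AD membership; the records, group names, the login-ID rule and the Sales App Owners group being workflow-owned are all constructed assumptions.

```python
# Added example, not code from the deck or from FIM: attribute-driven group
# membership in the style of FIM criteria-based groups, reconciled against a
# snapshot of current AD membership. All data and rules are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class HrRecord:
    first: str
    last: str
    dept: str
    manager: str

# Criteria-based groups: membership follows HR attributes, never hand edits.
CRITERIA = {
    "All in Sales": lambda r: r.dept == "Sales",
    "Melissa's Directs": lambda r: r.manager == "Melissa Meyers",
}

def login_id(r: HrRecord) -> str:
    """Constructed naming rule: first initial + last name -> 'Tadams'."""
    return (r.first[0] + r.last).capitalize()

def desired_membership(records):
    """Map each criteria group to the login IDs that qualify right now."""
    return {g: {login_id(r) for r in records if ok(r)} for g, ok in CRITERIA.items()}

def reconcile(desired, current):
    """Actions bringing AD in line with HR. Stale access is removed, not only
    new access added (the deck's compliance point). Groups absent from CRITERIA,
    e.g. Sales App Owners granted by request/approval, are left untouched."""
    actions = []
    for group, want in desired.items():
        have = current.get(group, set())
        actions += [("add", group, u) for u in sorted(want - have)]
        actions += [("remove", group, u) for u in sorted(have - want)]
    return actions

# Constructed feed: Sam moved from Sales to Engineering but is still in the
# Sales group in AD; Pat is a new hire reporting to Terry.
HR = [
    HrRecord("Terry", "Adams", "Sales", "Melissa Meyers"),
    HrRecord("Pat", "Lee", "Sales", "Terry Adams"),
    HrRecord("Sam", "Cho", "Engineering", "Melissa Meyers"),
]
CURRENT_AD = {"All in Sales": {"Tadams", "Scho"}, "Melissa's Directs": {"Tadams"},
              "Sales App Owners": {"Tadams"}}

if __name__ == "__main__":
    for action in reconcile(desired_membership(HR), CURRENT_AD):
        print(*action)
```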

Page 11

Solution Example – Enhancing Private Cloud with Identity

Hyper-V Authorization Manager + Common identity in Private Cloud

• Default role allows access to all operations
• Additional roles with desired rights can be created
• 33 different operations OOB, grouped under:
  • Hyper-V Service Operations
  • Hyper-V Networks Operations
  • Hyper-V Virtual Machine Operations

Page 12

Solution Example – Enhancing Private Cloud with Identity

Virtual Machine Manager + Common identity in Private Cloud

• The Administrator profile: complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
• The Delegated Administrator profile: grants administrative access to a defined set of host groups and library servers
• The Self-Service User profile: administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
• Additional delegation capabilities in Self-Service Portal

Page 13

FIM (Helping) with The Cloud

Diagram: User → Request ("Can I have Admin access to the cloud app?") → Approve ("Oh, alright then")

Page 14

EVERY JOURNEY NEEDS A HISTORY

Silos (Islands of Identity) → Federated Islands of Identity → Identity Management Platform

Diagram: pillars labelled Authorization, Authentication, Audit, Attributes

Page 15

TO THE CLOUD!

• Using Hyper-V as an infrastructure for Private Cloud is great for server optimization, but without an IAM architecture in place this just moves the administrative problems around.

• FIM provides a compliant and well-managed AD. Compliance here means automating changes to access permissions, making sure users have the right access, and reporting on it.

• Active Directory provides the common identity platform from classic datacenter-hosted systems to the private cloud, and also paves the way to using public cloud resources.

Page 16

QUESTIONS?