Microsoft Forefront Identity Manager 2010 Henk Den Baes Technology advisor Microsoft Belux.
Presentation transcript:

Agenda
- What is identity?
- Microsoft's Identity and Access Strategy
- Business Ready Security
  − The business challenges
  − How Forefront Identity Manager (FIM) 2010 addresses the challenges
  − Scenarios
- Summary
- Resources

What is Identity?
Definition from ‘ ’: Identity: the collective aspect of the set of characteristics by which a thing is definitively recognizable or known.
Example definition for Identity Management: a system of procedures and policies, enabled by software, to manage the lifecycle and entitlements of digital credentials.
[Diagram: identity at the centre, surrounded by IP address, username/password, biometrics, smartcards, passport, picture, and attributes such as name, address, telephone, mobile, fax, building, room number, …]

Exponential Growth of IDs
[Chart: number of digital IDs over time. Pre-1980s mainframe, 1980s client/server, 1990s internet, 2000s business automation; applications extend from the company (B2E) to partners (B2B), customers (B2C) and mobility.]

Services as Identities
[Diagram: application-to-application rich interactions (Office, real-time communications, Live Meeting); rich client devices and apps and web browsers reach web servers and chained web services across the internet, the organization and its partners.]

Identity at the Center
- Gartner: companies spend $20-30 per user per year on password resets.
- PC Pitstop user survey: 38% of users recycle old passwords, 18% write them down.
- AMR Research: $15.5B spent in 2005 on compliance with SOX, HIPAA, GLB, …

Business Ready Security
Help securely enable business by managing risk and empowering people.
- Protect everywhere, access anywhere
- Integrate and extend security across the enterprise
- Simplify the security experience, manage compliance
Built on a highly secure and interoperable platform, across on-premises and cloud.
[Diagram: the shift from "Block", "Cost" and "Siloed" to "Enable", "Value" and "Seamless".]

Business Ready Security Solutions
- Identity and Access Management
- Secure Messaging
- Secure Endpoint
- Secure Collaboration
- Information Protection
Foundation: Active Directory® and Active Directory® Federation Services.

Identity and Access Management: IDA Business Drivers
- Reduce costs
- Improve security
- Assure compliance
- Improve service and productivity
[Diagram groups capabilities under these drivers: delegated admin, automate processes, in-sync data, single password, protect system, role-based access, remote access, strong AuthN, single sign-on, self service, federation, centralize help desk, pre-audit checks; IRM; regulations such as SOX, Basel II, HIPAA, DS…]

IDA Optimization Model
Maturity levels: Basic (cost center), Standardized (more efficient cost center), Rationalized (business enabler), Dynamic (strategic asset), assessed across Directory Services, Information Protection and Strong Authentication.
Basic:
- Physical protection of information
- Separate authentication for each application
- Identity store per application
- Basic passwords
- Ad-hoc user provisioning & de-provisioning
Standardized:
- Data protection for local files and folders
- Primary directory for authorization
- Simpler access to core enterprise
- Established access policy
Rationalized:
- Enforceable written policies
- Persistent data protection
- Trust-based federation across organizational boundaries
- Primary id store for heterogeneous enterprise
- Stronger access security for high risk scenarios
- Simpler access to core enterprise
Dynamic:
- Automatic policy application for data protection
- Seamless authentication for web services
- Primary identity store for extended enterprise
- Enterprise-wide strong access security
- Automated digital identity management

Microsoft's Integrated Solutions
[Diagram: delivering TCO in the drive to Dynamic IT, across physical and virtual environments (client, mobile, server, cloud). Layers: Identity Infrastructure (secure platform, username and credentials); Identity and Access (identity-based access, end-to-end access across systems, application, information, network and remote management); Threat Mitigation (comprehensive security for application, endpoint, network, cloud); all on a common platform and infrastructure with simplified and integrated management.]

Identity and Access Management
Enable more secure, identity-based access to applications on-premises and in the cloud, from virtually any location or device.
- Provide more secure, always-on access
- Enable access from virtually any device
- Extend powerful self-service capabilities to users
- Automate and simplify management tasks
- Control access across organizations
- Provide standards-based interoperability
Themes: PROTECT everywhere, ACCESS anywhere, INTEGRATE and EXTEND security, SIMPLIFY security and MANAGE compliance.

Provide More Secure, Anywhere Access
- Empower business: consolidated secure portal to simplify remote access to resources; simplified sign-on. Empower IT: policy-based resource access.
- Empower business: seamless and more secure access; simplified, always-on access. Empower IT: policy-based network access; ability to manage machines anywhere.
- Empower business: access from virtually any device. Empower IT: policy-based restricted access.
Product highlighted: DirectAccess.

Extend Access Across Organizations
"Geneva (ADFS) project is one of the most significant enhancements for future use and dissemination of the Identity Federation." - Kuppinger Cole
Empower business:
- Ability to move seamlessly between applications using a single identity
- Collaboration across organizations
Empower IT:
- No need to manage external accounts
- Simplified and flexible claims-based federation
- Common authentication controls for building custom applications
Source: Awards for Outstanding Identity Management Projects. Kuppinger Cole, May

Simplify Identity Management: Governed Self-Service and Automation
Empower business:
- Self-service profile, credential, and group management
- Password and PIN reset from Windows login
- Group management from within Microsoft Office
- Single identity across heterogeneous applications
Empower IT:
- End-to-end, workflow-driven user provisioning
- Policy-controlled self-service capabilities
- Automatic, attribute-based group membership for simplified resource access
Source: Windows identity management tools move closer to completion. Tech Target, November

Customers' Identity & Access Requirements
An end-to-end integrated stack that has three components:
Identity Infrastructure
- Identity & Credentials Infrastructure: directory (identity/credentials), Infocards, meta/virtual directory, basic policy
Identity & Access Management
- Compliance and Audit: monitoring, reporting, auditing of identity-based access activity
- Identity & Credential Management: user provisioning, certificate & smartcard management, user self-service
- Policy Management: identity policy, user/role-based access policy, federation policy, delegation
- Access Management: group management, federation/trust management, entitlements, RBAC
Identity-Based Access
- Network Access: identity-oriented edge access, e.g. NAP
- Remote Access: access resources remotely, e.g. SSL VPN
- App Access: SSO, web/enterprise/host access, federation
- Info Access: drive encryption, ILP, rights management

Aligning Experiences With The Right People
- Information Workers: permissions, group & role membership, distribution lists, passwords & PINs
- IT Professionals: business rules & policy, architecture, deployment, system administration, governance, security
- Developers: system & application integration, custom application development
[Diagram: users, access, credentials and policy, each subject to add, update, revoke and audit.]

Microsoft's Identity & Access Strategy
Four themes: User Centric, Open & Extensible, Best TCO, Comprehensive Solutions.
[Diagram attributes: rich Office integration, privacy enabled, consistent user experience, service oriented, application platform integration, interoperable, easiest to deploy, broadest ecosystem, simplified licensing, turnkey offerings, on premises and cloud (ADFS), physical and virtual.]

The Changing Role of IT
[Chart: IDA priorities since 2000 move from lower total cost of ownership (TCO) through operational efficiency and security and privacy to compliance and business enablement. Capabilities along the way: network operating system (NOS) directory, Internet directory, Windows management, meta-directory, authentication, access management, identity life cycle, privacy, strong authN & authZ, single sign-on (SSO)/federation, compliance.]

Identity Lifecycle Management Roadmap
Previously: MIIS and CLM (beta), then Microsoft Identity Lifecycle Manager (ILM) 2007: identity synchronization, user provisioning, certificate and smartcard management.
Today: FIM 2010 adds Office integration for self-service, support for 3rd-party CAs, codeless provisioning, group & DL management, workflow and policy.
FIM 2010 components: user management, access management and credential management on a common platform of connectors, delegation, workflow, logging, Web Service API and policy management.

Key Pillars of Forefront Identity Manager
Credential Management
- Heterogeneous certificate management with 3rd-party CAs
- Management of multiple credential types
- Self-service password reset integrated with Windows logon
Group Management
- Rich Office-based self-service group management tools
- Offline approvals through Office
- Automated (dynamically calculated) group and distribution list updates
User Management
- Integrated provisioning of identities, credentials, and resources
- Automated, codeless user provisioning and de-provisioning
- Self-service profile management
Policy Management
- SharePoint-based console for policy authoring, enforcement & auditing
- Extensible WS-* APIs and Windows Workflow Foundation workflows
- Heterogeneous identity synchronization and consistency

Microsoft IDA Management
Increases security and compliance:
- Integrates identity, credential, and access management
- Implements a rich permissions and delegation model
- Enables system auditing and compliance
Empowers people:
- Provides Office-based self-service tools
- SharePoint admin console to manage identities
- Greater productivity through faster time to resolution
Delivers agility and efficiency:
- Reduces costs through automation and self-service
- Maximizes existing investments in identity infrastructure (e.g. OTP…)
- Integrates with familiar developer tools to enable new scenarios

IT Administrator Scenarios
- Policy Management: centralized management; automatic policy enforcement across systems
- User Management: management of role changes & retirements
- Credential Management: generation and delivery of an initial one-time-use password; integration of smart card & certificate enrollment with provisioning
- Group Management: automatic management of group membership; secure access management to departmental resources, with audit trail

Identity Lifecycle Management
- New user: user ID creation, credential / smartcard issuance, entitlements, personalize card
- Change user: entitlement changes, renew/update certificate, promotions, transfers, new entitlements
- Help desk: "lost" credentials, recover / card replacement, issue temp card, password reset, new entitlements
- Retire user: delete accounts, remove entitlements, disable smartcard, e.g. revoke certificates
- Reporting: compliance, audit, security
Cross-cutting: integration, workflow, self-service, password kiosk, identity.

New Employee Scenario
[Diagram: a new record in the HR system feeds FIM 2010; the ILM provisioning policy is applied, with manager approval steps, and the new employee is provisioned into Active Directory, Exchange, the mainframe, iPlanet, the finance application and finance portal, and a smart card is issued.]

Employee Transition Scenario
[Diagram: an HR system change feeds FIM 2010; the provisioning policy is applied and the employee's access moves from the finance application and portal to the marketing application and portal, while the Active Directory, Exchange, mainframe, iPlanet and smart card accounts are retained.]

Separation/Fire Scenario
[Diagram: the HR system termination feeds FIM 2010; the provisioning policy is applied and the user's access to Active Directory, Exchange, the mainframe, iPlanet, the marketing application and portal, and the smart card is de-provisioned.]
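The three scenario diagrams describe one joiner / mover / leaver flow driven from the HR record. The following Python model is an added illustration of that flow, not FIM 2010's own API or code; the department policy table, the system names and the manager-approval gate are constructed from the slides' labels.

```python
"""Toy joiner / mover / leaver engine modelled on the three scenario slides (constructed)."""
from dataclasses import dataclass, field

# Constructed policy table: department -> entitlements granted automatically.
POLICY = {
    "Finance": {"FINANCE APPLICATION", "FINANCE PORTAL"},
    "Marketing": {"MARKETING APPLICATION", "MARKETING PORTAL"},
}
# Baseline systems every active employee is provisioned into (from the diagrams).
BASELINE = {"ACTIVE DIRECTORY", "EXCHANGE", "MAINFRAME", "iPLANET", "SMART CARD"}
# Entitlements that also need the line manager's approval (constructed gate).
NEEDS_APPROVAL = {"FINANCE APPLICATION", "MARKETING APPLICATION"}


@dataclass
class Employee:
    uid: str
    department: str
    manager: str
    active: bool = True                        # False once HR records a separation
    entitlements: set = field(default_factory=set)
    pending: set = field(default_factory=set)  # grants waiting for approval


def desired_entitlements(emp):
    """Attribute-based calculation of what the policy says emp should hold."""
    if not emp.active:
        return set()
    return BASELINE | POLICY.get(emp.department, set())


def apply_policy(emp, audit, approved_by=None):
    """Reconcile held entitlements with the desired set and log every step.
    Removals are unconditional; gated grants wait for the employee's own manager."""
    want = desired_entitlements(emp)
    emp.pending &= want                        # drop requests the change made moot
    for ent in sorted(emp.entitlements - want):
        emp.entitlements.discard(ent)
        audit.append((emp.uid, "REMOVE", ent))
        if ent == "SMART CARD":                # retire step: revoke the certificate
            audit.append((emp.uid, "REVOKE_CERT", ent))
    for ent in sorted(want - emp.entitlements):
        if ent in NEEDS_APPROVAL and approved_by != emp.manager:
            if ent not in emp.pending:         # approval by anyone else is ignored
                emp.pending.add(ent)
                audit.append((emp.uid, "AWAIT_APPROVAL", ent))
        else:
            emp.entitlements.add(ent)
            emp.pending.discard(ent)
            audit.append((emp.uid, "GRANT", ent))
    return emp


def hr_feed(emp, audit, **changes):
    """An HR-system change (new hire, transfer, termination) drives the policy."""
    for attr, value in changes.items():
        setattr(emp, attr, value)
    return apply_policy(emp, audit)


def approve(emp, audit, approver):
    """Manager approval step from the new-employee scenario."""
    return apply_policy(emp, audit, approved_by=approver)
```

The audit list is the trail the slides call for: every grant, removal, pending approval and certificate revocation is recorded with the user it applied to.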

End User Scenarios
- Credential Management: integration with Windows logon; no need to call help desk; faster time to resolution
- Group Management: request process through Office; no waiting for help desk; faster time to resolution
- User Management: automatic updating of business applications; no need to call help desk; faster time to resolution
- Policy Management: automatic routing of multiple approvals; approval process through Office; audit trail of approvals

Integrated Office Experience For Group Management & Password Management At Login

Answer Questions to Authenticate

Set a New Password

Summary
- Identity is core to the people-driven business
- Today the identity life cycle management burden is on IT
- Microsoft's approach: align experiences with the right people
  − Lowers cost
  − Empowers people
  − Provides IT with control with less effort
- How we get there
  − ILM 2007: brings together metadirectory, certificate management, and provisioning across Windows and enterprise systems
  − FIM 2010: extends ILM 2007 with new solutions to manage users, credentials, access, and policy using the tools that IT, users, and developers are most familiar with

Resources
Learn more about Identity Lifecycle Manager
- FIM 2010 Product Page:
- ILM 2007 Product Page: www.microsoft.com/ILM 2007
Learn about Microsoft Identity and Access (IDA)
- IDA Solutions Home Page:
- IDA Partners:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.