Presentation transcript: "Overview of Access and Information Protection" (Microsoft course 10969A, Module 1)
1 Overview of Access and Information Protection
Module 1: Overview of Access and Information Protection
Presentation: 60 minutes. Lab: 30 minutes.
After completing this module, students will be able to:
- Describe Access and Information Protection (AIP) solutions in business.
- Describe Access and Information Protection solutions in the Windows Server 2012 operating system.
- Describe Microsoft Forefront Identity Manager (FIM) 2010.
Required materials
To teach this module, you need the Microsoft Office PowerPoint file 10969A_01.pptx.
Important: We recommend that you use PowerPoint 2007 or a newer version to display the slides for this course. If you use PowerPoint Viewer or an older version of PowerPoint, some features of the slides might not display correctly.
Preparation tasks
To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations.
- Practice performing the labs.
- Work through the Module Review and Takeaways section, and decide how you will use it to reinforce student learning and promote knowledge transfer to on-the-job performance.
As you prepare for this class, it is essential that you complete the labs yourself so that you understand how they work and the concepts each one covers. This will allow you to give meaningful hints to students who get stuck in a lab, and it will help guide your lecture so that you cover the concepts the labs cover.
2 Module Overview
Lesson 1: Introduction to Access and Information Protection Solutions in Business
Lesson 2: Overview of AIP Solutions in Windows Server 2012
Lesson 3: Overview of FIM 2010 R2
Instructor notes: This is an introductory module. Its main purpose is to introduce students to the concepts of identity management and to the related technologies and products. Teach this module as a discussion and a refresher.
3 Lesson 1: Introduction to Access and Information Protection Solutions in Business
Topics: What Is Identity?; What Is Authentication?; What Is Authorization?; Overview of AD DS and Access and Information Protection; The Business Case for Access and Information Protection Control; AIP Management Solutions; Discussion: How Do You Manage Identities in Your Organization?
Instructor notes: Although most of this information should be familiar to students, it is important to set the stage for the role of Active Directory Domain Services (AD DS) and to clarify the terminology, components, and processes associated with AIP.
4 What Is Identity?
Identity: a set of data that uniquely describes a person or an object (sometimes referred to as a subject or entity) and contains information about the subject's relationships to other entities.
- Identities are stored in an identity store known as a directory database.
- In AD DS, identities are called security principals.
- In AD DS, each identity is uniquely represented by its security identifier (SID).
- Identities are used primarily to gain access to resources.
Instructor notes: Define identity. Before you do, ask students for their own definition. After you define identity, discuss identity stores with a focus on AD DS, but also mention other examples of identity stores, such as Active Directory Lightweight Directory Services (AD LDS), Novell eDirectory, and Oracle's directory servers.
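The SID bullet deserves a concrete look at what a SID actually is. The following Python block is an added example, not part of the course material: it parses the textual form S-1-5-21-...-RID, converts it to and from the binary layout that Windows stores in tokens and ACLs, and splits a domain account SID into its domain identifier and relative identifier (RID). The sample SIDs are constructed, and the well-known SID and RID tables are a small subset of the real list.

```python
"""Windows security identifier (SID) parser and serializer.

Added example, not part of the course material. It shows what the string form
S-1-5-21-...-RID encodes, converts it to and from the binary layout Windows
stores in tokens and ACLs, and splits a domain SID from the RID. The sample
SIDs at the bottom are constructed.
"""
import struct

# A handful of well-known SIDs and RIDs (values documented by Microsoft).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}
MAX_SUB_AUTHORITIES = 15  # SID_MAX_SUB_AUTHORITIES in the Windows SDK


def parse_sid(text):
    """Split 'S-R-I-S1-S2-...' into (revision, identifier_authority, [sub_authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(parts[1])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    # The identifier authority is printed in hex (0x...) when it needs more than 32 bits.
    authority = int(parts[2], 16) if parts[2].lower().startswith("0x") else int(parts[2])
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHORITIES or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("bad sub-authority list")
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority
    as a 32-bit little-endian integer."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, with the length checks an ACL parser needs."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    auth_text = "0x%012X" % authority if authority >= 1 << 32 else str(authority)
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in subs])


def describe_sid(text):
    """Label a SID: well-known, or domain SID plus RID for S-1-5-21-... accounts."""
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    _, authority, subs = parse_sid(text)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "-".join(["S-1-5"] + [str(s) for s in subs[:4]])
        rid = subs[4]
        return f"domain {domain}, RID {rid} ({WELL_KNOWN_RIDS.get(rid, 'domain-specific RID')})"
    return "unrecognized SID"


if __name__ == "__main__":
    # Constructed sample value, not taken from any real domain.
    sample = "S-1-5-21-1004336348-1177238915-682003330-500"
    binary = sid_to_bytes(sample)
    print(sample, "->", binary.hex())
    print(bytes_to_sid(binary) == sample)
    print(describe_sid(sample))
    print(describe_sid("S-1-5-32-544"))
```

The RID split is why the same account keeps its identity when renamed: access control entries and group memberships reference the SID, never the name, so the human-readable account name is only a label on top of it.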
5 What Is Authentication?
Authentication is the process that verifies a user's identity by checking credentials. A credential has at least two components: something that identifies the subject (a user name, a certificate) and something that proves the claim (a password, a smart card PIN, a private key).
Two types of authentication:
- Local (interactive) logon: authentication for logon to the local computer.
- Remote (network) logon: authentication for access to resources on another computer.
On a stand-alone computer, users are authenticated against the local Security Accounts Manager (SAM) database, so each computer holds its own set of accounts.
Joining the computer to a domain moves authentication to AD DS: a domain controller verifies the credentials, and the same account works on every domain member.
Instructor notes: Define the authentication process. Use some real-life examples to support and discuss the different types of authentication, such as local and remote. Also discuss authentication on a local computer and describe what it means to join a domain.
6 What Is Authorization?
Authorization is the process that determines whether to grant or deny a user the requested level of access to a resource.
Three components are required for authorization:
- The resource, with its security descriptor (owner and access control list)
- The access request (the operations the caller wants to perform)
- The security token of the caller (its user SID, group SIDs, and privileges)
Windows Server 2012 also introduces Dynamic Access Control (DAC) as a new form of authorization.
Instructor notes: Define authorization. Discuss how the process works, using a shared folder as an example. Briefly mention DAC, but do not go into details.
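To make the three components concrete, here is an added Python example (not from the course) that evaluates a caller's token against a shared folder's DACL the way Windows does, including the deny-before-allow ordering that canonical ACLs rely on. The SIDs, the access-mask bits and the folder ACL are constructed; owner rights, privileges and inheritance propagation are deliberately left out.

```python
"""Simplified Windows access check: a security token against a DACL.

Added example, not course material. It models the three inputs authorization
needs (the resource's ACL, the access request, the caller's token) and the
evaluation rules that matter in practice: ACEs are walked in order, a deny ACE
matching an outstanding right ends the check, allow ACEs accumulate rights
until the whole request is satisfied, a NULL DACL grants everything and an
empty DACL grants nothing. All SIDs and ACLs are constructed.
"""
from dataclasses import dataclass, field

# A tiny subset of the real access-mask bits.
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE
ALLOW, DENY = "allow", "deny"


@dataclass
class Ace:
    kind: str                 # ALLOW or DENY
    sid: str                  # trustee the ACE applies to
    mask: int                 # rights granted or denied
    inherited: bool = False   # came from the parent object


@dataclass
class Token:
    user_sid: str
    group_sids: set = field(default_factory=set)

    def sids(self):
        return {self.user_sid} | self.group_sids


def canonical_order(dacl):
    """Windows tools write explicit deny, explicit allow, inherited deny,
    inherited allow; a DACL saved in another order evaluates differently."""
    rank = {(False, DENY): 0, (False, ALLOW): 1, (True, DENY): 2, (True, ALLOW): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def access_check(token, dacl, requested):
    """True if every bit of `requested` is granted to `token` by `dacl`."""
    if dacl is None:
        return True                 # NULL DACL: no protection at all
    if requested == 0:
        return False
    remaining, trustees = requested, token.sids()
    for ace in dacl:                # order matters: first decisive ACE wins
        if ace.sid not in trustees:
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                    # empty DACL, or some right never granted


def effective_rights(token, dacl):
    """Rights the token would get if it asked for each one individually."""
    return sum(bit for bit in (READ, WRITE, EXECUTE, DELETE)
               if access_check(token, dacl, bit))


def rights_to_str(mask):
    names = ((READ, "R"), (WRITE, "W"), (EXECUTE, "X"), (DELETE, "D"))
    return "".join(n for bit, n in names if mask & bit) or "-"


# Constructed example: a shared folder. Finance may read and write, Bob (in
# Finance) is explicitly denied write, Administrators inherit full control.
FINANCE = "S-1-5-21-1-2-3-2001"
BOB = Token("S-1-5-21-1-2-3-1105", {FINANCE, "S-1-5-11"})
FOLDER_DACL = [
    Ace(DENY, BOB.user_sid, WRITE),
    Ace(ALLOW, FINANCE, READ | WRITE),
    Ace(ALLOW, "S-1-5-32-544", FULL, inherited=True),
]
# The same ACEs with the deny written after the allow: the allow is reached
# first and satisfies a write request, so the deny never fires.
NON_CANONICAL_DACL = [FOLDER_DACL[1], FOLDER_DACL[0], FOLDER_DACL[2]]

if __name__ == "__main__":
    print("Bob effective rights:", rights_to_str(effective_rights(BOB, FOLDER_DACL)))
    print("Bob write (non-canonical):", access_check(BOB, NON_CANONICAL_DACL, WRITE))
    print("Bob write (canonicalized):", access_check(BOB, canonical_order(NON_CANONICAL_DACL), WRITE))
```

The non-canonical case is the one to remember when a script or an API call writes a DACL directly: the ACE order is part of the security decision, not cosmetic.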
7 Overview of AD DS and Access and Information Protection
An AIP infrastructure should:
- Store information about users, groups, computers, and other identities.
- Authenticate an identity. Kerberos authentication in an Active Directory domain provides single sign-on (SSO): users authenticate once and then obtain service tickets for each resource without re-entering credentials.
- Control access.
- Provide an audit trail.
Instructor notes: Discuss the main concepts of Access and Information Protection management.
8 The Business Case for Access and Information Protection Control
AIP offers the following solutions:
- Reduce the information access workload
- Increase operational security
- Enable secure cross-organization collaboration
- Protect intellectual property
Instructor notes: This topic should address the challenges students are likely to face in their own environments. Involve students at the start of the topic to understand some of the challenges around AIP. For example:
- Are students spending a lot of time troubleshooting access issues?
- Are students finding it difficult to collaborate with partners because they have no AIP solution in place?
- How do students send confidential information to others in their company, or to partners?
- How much confidential data is stored in user mailboxes?
9 AIP Management Solutions
Features of AIP management solutions include:
- Maintaining multiple identity stores in an organization
- Determining which identity information is current and authoritative
- Provisioning and deprovisioning user accounts
- Authenticating and authorizing users
- Securing shared information
- Securing collaboration between partners and vendors
- Securing access to, and distribution of, sensitive data
Instructor notes: This is an important topic. Identify the main benefits of having an AIP management solution, explain these main points, and be prepared to discuss them in the discussion that follows.
10 Discussion: How Do You Manage Identities in Your Organization?
- What AIP technologies are you currently running in your organization?
- What business enhancements do your AIP technologies provide?
- What risks does your business currently face that AIP could help to mitigate?
- How can AIP solutions simplify IT operations?
- How do AIP solutions change how people access enterprise resources?
Question: What AIP technologies are you currently running in your organization?
Answer: It starts with the receptionist, who serves as an AIP component: identifying visitors, determining their access requirements, and granting access.
Question: What business enhancements do your AIP technologies provide?
Answer: Possible enhancements include tighter security, the ability to meet compliance requirements, and a reduction in operational overhead by simplifying the management of multiple authentication repositories.
Question: What risks does your business currently face that AIP could help to mitigate?
Answer: Possible risks include the inability to identify who has access to what, inefficient employee termination processes, and authentication repositories with mismatched information.
Question: How can AIP solutions simplify IT operations?
Answer: AIP solutions simplify IT operations by centralizing access management and providing flexible technologies to manage various systems.
11 Discussion: How Do You Manage Identities in Your Organization? (continued)
Question: How do AIP solutions change how people access enterprise resources?
Answer: AIP solutions can provide people with an SSO experience, which lets them access resources in the same way from multiple devices.
12 Lesson 2: Overview of AIP Solutions in Windows Server 2012
Topics: Identity Management in Windows Server 2012; Overview of AD CS; Overview of AD RMS; Overview of AD FS; Overview of AD LDS; Overview of Windows Azure Active Directory; Overview of DAC; Overview of Workplace Join
13 Identity Management in Windows Server 2012
Windows Server 2012 provides several roles and features for AIP management:
- AD CS (Active Directory Certificate Services)
- AD RMS (Active Directory Rights Management Services)
- AD FS (Active Directory Federation Services)
- AD LDS (Active Directory Lightweight Directory Services)
- DAC (Dynamic Access Control)
- Workplace Join (Windows Server 2012 R2)
The server roles work together to provide full AIP functionality.
14 Overview of AD CS
- AD CS provides services for creating, managing, and distributing digital certificates.
- Digital certificates are issued to users and computers and are used to secure communications (for example TLS/SSL, smart card logon, and document signing).
- Certificates can be issued in various ways, for example through Group Policy autoenrollment, the Certificate Enrollment Web Service, or a manual request to the certification authority (CA).
Instructor notes: Introduce Active Directory Certificate Services (AD CS).
15 Overview of AD RMS
Major functional uses of AD RMS include the following:
- Provides business-level encryption of information
- Enforces protection while information is in use (the usage rights travel with the document, not with the share or folder it sits in)
- Allows simple mapping of business classifications to rights policy templates
- Provides offline use without requiring network access for a specified period
- Provides full auditing of access to documents and lets business users change usage rights
Instructor notes: Discuss the key points related to Information Rights Management. Ask students how they protect information within their current environment. They will probably answer "access control lists and permissions"; if they do, ask them what happens when an employee e-mails a confidential document to someone outside the company.
Provide examples of the protection AD RMS offers. For example, an employee wants to send an e-mail to the entire company with highlights of the quarterly results, but does not want that information to be forwarded, copied, or printed.
AD RMS works with rights management-enabled applications such as Microsoft Office and Windows Internet Explorer, and it includes a set of core application programming interfaces (APIs) that developers can use to write their own rights management-enabled applications or to add rights management functionality to existing applications. Mention that students can use AD RMS together with Active Directory Federation Services (AD FS).
The AD RMS cluster is published over SSL (TLS), so it needs a server certificate; this helps students see how the roles fit together. More details on tying roles together are discussed later in this course.
16 Overview of AD FS
AD FS can be summarized as follows:
- AD FS is an identity access solution
- AD FS provides browser-based SSO
- AD FS can interoperate with other SAML 2.0 and WS-* (WS-Federation, WS-Trust) providers
AD FS enhancements in Windows Server 2012 include:
- DAC integration
- Improved installation experience (AD FS is a built-in server role)
- Enhanced Windows PowerShell cmdlets
AD FS enhancements in Windows Server 2012 R2 include:
- Workplace Join
- Multifactor authentication
- Multifactor access control
Instructor notes: Discuss the key points related to federated identity and the benefits of using it, as outlined in the student workbook. Ask students to give examples of where they could use AD FS within their environments. Point out that in a business-to-business scenario, both organizations stay autonomous in managing their respective users and resources: the resource partner trusts tokens signed by the account partner's federation service instead of holding copies of the partner's credentials. Mention that AD FS is tightly integrated with Microsoft SharePoint (web single sign-on authentication) and with the AD RMS component of Windows Server 2012 (content access management between partners), as mentioned in the student workbook. At the end, briefly discuss the new features in Windows Server 2012 and Windows Server 2012 R2.
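The business-to-business point above (both organizations stay autonomous) is easier to see in code. The following Python block is an added example, not part of the course or of AD FS itself: an account partner's federation service issues a signed token carrying claims, and the resource partner's claims-aware application accepts it because it trusts that issuer's signing key, never seeing the partner's passwords. Real AD FS signs SAML or JWT tokens with RSA and expresses issuance rules in its claim rule language; this toy uses an HMAC-signed JSON token and Python callables for pass-through and transform rules. The keys, group DNs, user record and URLs are constructed; the claim type URIs are the standard ones AD FS uses.

```python
"""Federated sign-on: identity provider, relying party and claims rules.

Added example, not course material. A claims-aware application accepts a
signed security token from a partner's federation service because it trusts
that issuer's signing key; it never sees the partner's passwords. AD FS uses
RSA-signed SAML/JWT tokens and a claim-rule pipeline; this toy uses an
HMAC-signed JSON token. Keys, names, group DNs and URLs are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Standard claim type URIs that AD FS uses.
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GROUP = "http://schemas.xmlsoap.org/claims/Group"
CLAIM_ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pass_through(claim_type):
    """AD FS 'pass through an incoming claim' rule; other types are dropped."""
    return lambda claims: [(t, v) for t, v in claims if t == claim_type]


def transform(claim_type, new_type, mapping):
    """AD FS 'transform an incoming claim' rule, e.g. group DN -> role name."""
    return lambda claims: [(new_type, mapping[v]) for t, v in claims
                           if t == claim_type and v in mapping]


class IdentityProvider:
    """Account partner's federation service: signs tokens for its own users."""

    def __init__(self, issuer, signing_key, rules):
        self.issuer, self.key, self.rules = issuer, signing_key, rules

    def issue(self, record, audience, now=None, lifetime=300):
        incoming = [(CLAIM_NAME, record["sAMAccountName"]), (CLAIM_EMAIL, record["mail"])]
        incoming += [(CLAIM_GROUP, g) for g in record["memberOf"]]
        outgoing = [c for rule in self.rules for c in rule(incoming)]
        body = {"iss": self.issuer, "aud": audience,
                "exp": int(now or time.time()) + lifetime, "claims": outgoing}
        payload = b64u(json.dumps(body, sort_keys=True).encode())
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + b64u(tag)


class RelyingParty:
    """Resource partner's claims-aware application: trusts listed issuers only."""

    def __init__(self, audience, trusted_issuers):
        self.audience, self.trusted = audience, trusted_issuers

    def validate(self, token, now=None):
        """Return the claim list, or None when the token must be rejected."""
        try:
            payload, tag = token.split(".")
            body = json.loads(unb64u(payload))
        except ValueError:
            return None
        if not isinstance(body, dict):
            return None
        key = self.trusted.get(body.get("iss"))
        if key is None:
            return None                                   # untrusted issuer
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64u(tag)):
            return None                                   # signature mismatch
        if body.get("aud") != self.audience:
            return None                                   # token for another app
        if body.get("exp", 0) <= (now or time.time()):
            return None                                   # expired
        return [tuple(c) for c in body["claims"]]


def forge(token, extra_claim):
    """Attacker edit: add a claim to the payload, keep the original signature."""
    payload, tag = token.split(".")
    body = json.loads(unb64u(payload))
    body["claims"].append(list(extra_claim))
    return b64u(json.dumps(body, sort_keys=True).encode()) + "." + tag


CONTOSO_KEY = b"constructed-demo-key-not-for-production"
CONTOSO = IdentityProvider("https://sts.contoso.com/adfs/services/trust", CONTOSO_KEY, [
    pass_through(CLAIM_NAME),
    pass_through(CLAIM_EMAIL),
    transform(CLAIM_GROUP, CLAIM_ROLE, {"CN=Sales,OU=Groups,DC=contoso,DC=com": "SalesPartner"}),
])
ADATUM_PORTAL = RelyingParty("https://portal.adatum.com/", {CONTOSO.issuer: CONTOSO_KEY})
SAMPLE_USER = {"sAMAccountName": "jdoe", "mail": "jdoe@contoso.com",
               "memberOf": ["CN=Sales,OU=Groups,DC=contoso,DC=com",
                            "CN=Staff,OU=Groups,DC=contoso,DC=com"]}

if __name__ == "__main__":
    token = CONTOSO.issue(SAMPLE_USER, ADATUM_PORTAL.audience)
    print("valid:", ADATUM_PORTAL.validate(token))
    print("forged:", ADATUM_PORTAL.validate(forge(token, (CLAIM_ROLE, "Admin"))))
```

Note what the transform rule does to the trust boundary: Contoso's raw group DNs never reach A. Datum, only the role names Contoso chose to assert, so each side keeps control of its own directory schema and naming.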
17 Overview of AD LDS
AD LDS:
- Provides a directory service for applications
- Allows data synchronization with AD DS
- Allows storage of application data
- Can run on Windows client operating systems as well as on servers
Instructor notes: Ask students for examples of where they could use AD LDS within their environments. Answers might include web portal applications, customer relationship management systems, Human Resources (HR) databases, or the Microsoft Exchange Server Edge Transport server role.
Mention that if an organization has AD DS and multiple instances of AD LDS, FIM can help maintain and consolidate the directories. FIM is introduced in the next lesson.
Explain that AD LDS is essentially a simplified version of AD DS that supports many AD DS features, such as multimaster replication, application directory partitions, LDAP over SSL access, and the Active Directory Service Interfaces (ADSI) API. Also explain that it does not store Windows security principals such as domain user and computer accounts, and has no domains, global catalog, or Group Policy. In other words, AD LDS gives you all the benefits of having a directory but none of the features for managing resources on a network.
18 Overview of Windows Azure Active Directory
Windows Azure AD (since renamed Azure AD and then Microsoft Entra ID) is a cloud-based service that provides identity management and access control for cloud-based applications.
Windows Azure AD functionality:
- Access control for applications
- Integration with on-premises AD DS
- SSO for cloud-based applications
- Social connections in the enterprise
Instructor notes: Define Windows Azure Active Directory (AD) and its main features and benefits. Do not spend much time on this technology, because another module covers it in more detail.
19 Overview of DAC
DAC is a new security mechanism for resource access control in Windows Server 2012.
DAC uses claims and resource properties, combined in conditional expressions, to control access; access decisions no longer depend on group membership alone.
DAC provides:
- Data classification
- Access control to files
- Auditing of file access
- Optional Rights Management Services protection integration
Instructor notes: Briefly introduce DAC. This technology is discussed in more detail later, so do not go into detail here. It is important that you describe how DAC enhances access management.
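The claims-and-expressions bullet is the part of DAC that changes how access is reasoned about, so here is an added Python example (not from the course and not Windows' own implementation) that evaluates a central access rule over user claims, device claims and file classification properties. The expression form is a small tuple-based AST standing in for the conditional ACE language Windows uses; the combination rule (every rule that targets the resource must allow, and share and NTFS permissions still apply separately) and all claim values are assumptions of this example. It deliberately shows the missing-claim case, which Windows treats as not satisfied.

```python
"""Claims-based access decision in the style of Dynamic Access Control.

Added example, not course material. DAC puts claims in the user and device
tokens and classification properties on the file, then evaluates a conditional
expression over them instead of matching SIDs only. The tuple AST below stands
in for Windows' conditional ACE language; the policy combination rule and all
claim values are assumptions of this example.
"""

# Expression nodes:  ("and", a, b)  ("or", a, b)  ("not", a)
#   ("eq", x, y)            x equals y
#   ("any_of", x, [...])    x is one of the listed values
# x and y are literals or references such as "User.Department",
# "Device.Managed" or "Resource.Sensitivity".
MISSING = object()


def resolve(term, ctx):
    """Look up 'Scope.Attribute' in the token/resource context; literals pass through."""
    if isinstance(term, str) and "." in term:
        scope, name = term.split(".", 1)
        if scope in ctx:
            return ctx[scope].get(name, MISSING)
    return term


def evaluate(expr, ctx):
    """Three-valued evaluation: True, False, or None when a claim is missing.
    Windows treats an unknown result as not satisfied, i.e. access denied."""
    op = expr[0]
    if op == "and":
        left, right = evaluate(expr[1], ctx), evaluate(expr[2], ctx)
        if left is False or right is False:
            return False
        return None if left is None or right is None else True
    if op == "or":
        left, right = evaluate(expr[1], ctx), evaluate(expr[2], ctx)
        if left is True or right is True:
            return True
        return None if left is None or right is None else False
    if op == "not":
        value = evaluate(expr[1], ctx)
        return None if value is None else not value
    x, y = resolve(expr[1], ctx), resolve(expr[2], ctx)
    if x is MISSING or y is MISSING:
        return None
    if op == "eq":
        return x == y
    if op == "any_of":
        return x in y
    raise ValueError(f"unknown operator {op!r}")


def rule_allows(rule, user, device, resource):
    """A central access rule only constrains the resources it targets."""
    ctx = {"User": user, "Device": device, "Resource": resource}
    if evaluate(rule["applies_to"], ctx) is not True:
        return True
    return evaluate(rule["condition"], ctx) is True


def policy_allows(policy, user, device, resource):
    """Central access policy gate (assumed: all targeting rules must allow).
    Share and NTFS permissions must still grant the access on their own."""
    return all(rule_allows(rule, user, device, resource) for rule in policy)


# Constructed policy: Finance files are open only to Finance staff, and highly
# sensitive ones additionally need a clearance claim and a managed device.
FINANCE_RULE = {
    "applies_to": ("eq", "Resource.Department", "Finance"),
    "condition": ("and",
                  ("eq", "User.Department", "Resource.Department"),
                  ("or",
                   ("not", ("eq", "Resource.Sensitivity", "High")),
                   ("and",
                    ("any_of", "User.Clearance", ["High", "TopSecret"]),
                    ("eq", "Device.Managed", True)))),
}
POLICY = [FINANCE_RULE]

ALICE = {"Department": "Finance", "Clearance": "High"}
CAROL = {"Department": "Finance"}             # no clearance claim was issued
MANAGED, BYOD = {"Managed": True}, {"Managed": False}
QUARTERLY = {"Department": "Finance", "Sensitivity": "High"}
MEMO = {"Department": "Finance", "Sensitivity": "Low"}
SALES_DOC = {"Department": "Sales", "Sensitivity": "High"}

if __name__ == "__main__":
    cases = [(ALICE, MANAGED, QUARTERLY, "Alice, managed PC, quarterly report"),
             (ALICE, BYOD, QUARTERLY, "Alice, personal device, quarterly report"),
             (CAROL, MANAGED, QUARTERLY, "Carol (no clearance claim), managed PC, quarterly report"),
             (CAROL, BYOD, MEMO, "Carol, personal device, low-sensitivity memo")]
    for user, device, resource, label in cases:
        print(label, "->", policy_allows(POLICY, user, device, resource))
```

The Carol case is the operational caveat: if the claim is never populated in AD DS (an empty department attribute, a clearance attribute nobody maintains), DAC does not fall back to "allow", it fails closed, and the resulting access denials are usually diagnosed as a permissions problem rather than a data-quality one.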
20 Overview of Workplace Join
- Workplace Join supports the bring-your-own-device (BYOD) concept.
- Users can register their personal devices in your AD DS without domain-joining them.
- Users can use their workplace-joined devices to access company resources with an SSO experience.
- The Device Registration Service (DRS), part of the AD FS role in Windows Server 2012 R2, registers the device and issues it a certificate that AD FS can later use as a second factor.
- At release, Workplace Join is supported only with Windows Server 2012 R2 on Windows 8.1 and iOS-based devices; support for additional client platforms was added in later updates.
Instructor notes: Describe the Workplace Join technology. Be sure to explain the main difference between domain-joined and workplace-joined devices: a workplace-joined device gets a device object and a certificate, not a computer account and Group Policy. Emphasize that this is specific to Windows Server 2012 R2, Windows 8.1, and iOS-based devices.
21 Lesson 3: Overview of FIM 2010 R2
Topics: What Is FIM?; FIM Directory Synchronization; Managing Identities with FIM; Managing Certificates and Smart Cards with FIM; Discussion: Business Scenarios for FIM Usage
Instructor notes: Most students probably will not know much about FIM. Do not go into too much technical detail, because that is not the purpose of this lesson. Focus on explaining the main functionality and give some good business examples of where FIM is appropriate.
22 What Is FIM?
FIM 2010 R2 provides:
- Certificate and smart card management
- Password management
- Automated provisioning
- Directory synchronization
- Metadirectory services and user (de)provisioning
Instructor notes: Define FIM and discuss the main FIM components and functionality.
23 FIM Directory Synchronization
[Diagram: connected data sources (an HR system holding Employee records, AD DS holding User objects, and the FIM Service) are each reached through their own management agent (HR Management Agent, AD Management Agent, FIM Management Agent) into a per-source connector space; the connector-space objects are joined into a single metaverse object of type person in the center.]
Instructor notes: This topic focuses on one of the main FIM functions, identity synchronization. Define and explain the main components involved in that process: connected data source, management agent, connector space, and metaverse.
24 Managing Identities with FIM
User Provisioning:
- SharePoint-based portal
- Automated, codeless user provisioning and deprovisioning
User Management:
- Self-service management
Group Management:
- Rich group management capabilities
- Offline group membership approvals
- Manual, manager-based, and criteria-based group membership
Instructor notes: Discuss some of the past difficulties with automated user provisioning, particularly the custom code and development work that many administrators were not comfortable with.
Codeless provisioning can now simplify a typical corporate process. A common scenario is hiring a new employee: HR creates the employee in the HR database, FIM synchronizes the HR database with AD DS, and the new employee is provisioned in AD DS. The same flow handles the leaver: when HR marks the record as terminated, FIM deprovisions the account, which closes the gap that makes manual termination processes a risk.
Ask students how much time they spend on the following user management tasks:
- Resetting user passwords
- Unlocking user accounts
- Updating user information in AD DS, such as phone numbers and office locations
Group management in FIM focuses on self-service. Ask students how much time and effort IT puts into the following group management tasks:
- Adding members
- Removing members
- Creating new groups
- Verifying membership information (for example, is John in Group123?)
Ask students whether they use dynamic distribution groups. Have them envision how things might improve if most group management were offloaded to users through a self-service portal and the FIM Outlook add-in.
Remember, this is about giving employees tools to be more efficient while enabling administrators to work on more interesting tasks and projects.
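The synchronization components on the FIM Directory Synchronization slide and the hire/leaver flow described in the notes above are the same mechanism seen from two sides, so one added Python example covers both. It is not course material and not FIM code (FIM expresses all of this as synchronization rules, not scripts): a management agent imports each connected data source into its own connector space, objects sharing an employeeID are joined onto one metaverse person (or projected as a new one), attribute-flow precedence decides which source is authoritative for each attribute, and provisioning rules add, update or disable the AD account. The records, attribute names, the account-naming rule and the "review" outcome for AD-only accounts are assumptions of this example.

```python
"""Miniature metadirectory: how FIM joins an HR system to AD DS.

Added example, not course material. A management agent imports each connected
data source into its own connector space, objects sharing an employeeID are
joined onto one metaverse person (otherwise projected as a new one),
attribute-flow precedence decides which source wins per attribute, and
provisioning rules add, update or disable the AD account. Records, attribute
names, the naming rule and the 'review' outcome are assumptions.
"""

# Which source wins for each metaverse attribute when both supply a value.
PRECEDENCE = {
    "givenName": ["HR", "AD"], "sn": ["HR", "AD"], "department": ["HR"],
    "status": ["HR"], "mail": ["AD"],
}
# Connector-space attribute name -> metaverse attribute name (identity if absent).
IMPORT_FLOWS = {
    "HR": {"first_name": "givenName", "last_name": "sn", "dept": "department"},
    "AD": {},
}
JOIN_ATTRIBUTE = "employeeID"


def import_to_connector_space(source, records):
    """Management agent import: stage a source's records under the join anchor."""
    flows = IMPORT_FLOWS[source]
    return {rec[JOIN_ATTRIBUTE]: {flows.get(k, k): v for k, v in rec.items()}
            for rec in records}


def build_metaverse(cs):
    """Join connector-space objects by employeeID, then apply attribute flow."""
    metaverse = {}
    for anchor in sorted(set(cs["HR"]) | set(cs["AD"])):
        person = {JOIN_ATTRIBUTE: anchor,
                  "connectors": [s for s in cs if anchor in cs[s]]}
        for attr, sources in PRECEDENCE.items():
            for src in sources:
                value = cs[src].get(anchor, {}).get(attr)
                if value not in (None, ""):
                    person[attr] = value
                    break
        metaverse[anchor] = person
    return metaverse


def plan_ad_exports(metaverse, ad_cs):
    """Provisioning rules: the changes the AD management agent should export."""
    exports = []
    for anchor, person in metaverse.items():
        if "HR" not in person["connectors"]:
            # AD-only object: FIM would leave it a disconnector. Flag it rather
            # than guess, because unmatched accounts are how leavers linger.
            exports.append(("review", anchor, {"reason": "no HR record"}))
            continue
        wanted = {"givenName": person["givenName"], "sn": person["sn"],
                  "displayName": f"{person['givenName']} {person['sn']}",
                  "department": person["department"],
                  "enabled": person["status"] == "active"}
        ad_obj = ad_cs.get(anchor)
        if ad_obj is None:
            if person["status"] == "active":       # never provision a leaver
                sam = (person["givenName"][0] + person["sn"]).lower()  # assumed naming rule
                exports.append(("add", anchor, {"sAMAccountName": sam, **wanted}))
            continue
        changed = {k: v for k, v in wanted.items() if ad_obj.get(k) != v}
        if changed:
            exports.append(("update", anchor, changed))
    return exports


def synchronize(hr_records, ad_records):
    """Full cycle: import both sources, build the metaverse, plan AD exports."""
    cs = {"HR": import_to_connector_space("HR", hr_records),
          "AD": import_to_connector_space("AD", ad_records)}
    metaverse = build_metaverse(cs)
    return metaverse, plan_ad_exports(metaverse, cs["AD"])


# Constructed sample data: a new hire, a surname change, a leaver, an orphan.
HR_RECORDS = [
    {"employeeID": "1001", "first_name": "Alice", "last_name": "Smith", "dept": "Finance", "status": "active"},
    {"employeeID": "1002", "first_name": "Bob", "last_name": "Jones-Ng", "dept": "Sales", "status": "active"},
    {"employeeID": "1003", "first_name": "Carol", "last_name": "White", "dept": "IT", "status": "terminated"},
]
AD_RECORDS = [
    {"employeeID": "1002", "sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones",
     "displayName": "Bob Jones", "department": "Sales", "mail": "bob.jones@adatum.com", "enabled": True},
    {"employeeID": "1003", "sAMAccountName": "cwhite", "givenName": "Carol", "sn": "White",
     "displayName": "Carol White", "department": "IT", "mail": "carol.white@adatum.com", "enabled": True},
    {"employeeID": "1004", "sAMAccountName": "dgreen", "givenName": "Dan", "sn": "Green",
     "displayName": "Dan Green", "department": "IT", "mail": "dan.green@adatum.com", "enabled": True},
]

if __name__ == "__main__":
    metaverse, exports = synchronize(HR_RECORDS, AD_RECORDS)
    for change in exports:
        print(change)
```

Two design choices carry over to real deployments: the join attribute must be something both systems hold and neither edits casually (an employee number, not a name), and precedence must be declared per attribute, since the HR system is authoritative for who a person is while AD DS is authoritative for the mailbox address it manages.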
25 Managing Certificates and Smart Cards with FIM
FIM Certificate Management (FIM CM) provides full lifecycle management for certificates and smart cards, including:
- Enrollment
- Renewal
- Unblocking
- Disabling
- Suspending
- Updating
Instructor notes: Discuss the capabilities of the FIM CM components. Emphasize that FIM CM has no public key infrastructure (PKI) functionality of its own: it extends an existing AD CS PKI and adds workflows and role-based access control for managing certificates and smart cards.
26 Discussion: Business Scenarios for FIM Usage
- Do you use any identity management solution?
- Do you have a need for identity management?
- In which scenarios are common identities not appropriate?
- What are some real-world examples of using identity management?
Instructor notes: Discuss with students the most common business scenarios for identity management. Use the questions on the slide to open the discussion, but also allow students to ask their own questions. Provide some real-life examples of identity management. For example, HR uses a third-party application to manage employees, and FIM connects that application to AD DS to provision user data. After FIM provisions the user in AD DS, another workflow can begin to issue a smart card. When some of the user's data changes (for example, a last name change), HR staff make the change in the HR application and FIM synchronizes it to AD DS again.
Question: Do you use any identity management solution?
Answer: Answers may vary.
Question: Do you have a need for identity management?
Question: In which scenarios are common identities not appropriate?
Answer: When you have applications or systems whose identities you specifically want to keep separate from your main directory.
Question: What are some real-world examples of using identity management?
Answer: A heterogeneous environment with Microsoft and non-Microsoft directory services, where you want to centralize user provisioning and deprovisioning so that when a user is created in AD DS, the account is automatically provisioned into the other systems.
27 Lab: Choosing an Appropriate Access and Information Protection Management Solution
Exercise 1: Analyze the Lab Scenario and Identify Business Requirements
Exercise 2: Propose a Solution
Logon Information: There are no virtual machines in this lab.
Estimated Time: 30 minutes
Instructor notes: This is a paper/discussion-based lab. Give students some time to read and analyze the scenario, and then start a discussion.
Exercise 1: Analyze the Lab Scenario and Identify Business Requirements. You must analyze the requirements from A. Datum's management listed in the lab scenario.
Exercise 2: Propose a Solution. After you have analyzed and identified the business requirements, propose the products and technologies that can address A. Datum's issues and requirements.
28 Lab Scenario
You are working as a system administrator for A. Datum Corporation. As part of your job, you need to understand how to use AD DS to secure the company's data and infrastructure. Management wants to protect A. Datum's IT infrastructure by using the most secure available methods of authentication and authorization. Currently, A. Datum uses passwords to protect its accounts, but that has proven insecure in some cases.
Management also requests that you prevent unauthorized personnel from reading Microsoft Office documents. Specifically, they want business-critical documents to become inaccessible if they leave the company in any way, such as in e-mail or on a USB flash drive. It is critical that only authorized personnel can access these documents. Management would also like to consider digital signatures on documents.
A. Datum recently partnered with Contoso, Ltd. Contoso needs access to A. Datum's web applications but wants its users to keep using their current AD DS user accounts. The web team at A. Datum has explained that they can make the web applications claims-aware.
29 Lab Scenario (continued)
A. Datum has expressed concern about developer efficiency. Developers currently use a development instance of AD DS and have noted that they are often waiting for IT; instead, they need the ability to manage their own directory service for development. In addition, developers need a technology that helps them separate identity logic from their applications. Developers also use iOS-based devices for testing and development, and they need to access company resources securely from these devices.
HR maintains its own database that contains much of the same information that exists in AD DS. However, some of the information in the HR database conflicts with the information in AD DS; the two should synchronize so that the information is consistent in each database.
Management requests that you determine which Windows Server roles and available AIP solutions address the organization's current issues.
30 Lab Review
There are no review questions for this lab.
31 Module Review and Takeaways
Review Questions
Question: What are the five server roles that support AIP solutions?
Answer: AD DS, AD CS, AD FS, AD RMS, and AD LDS.
Question: What technology can help you simplify and automate user provisioning?
Answer: FIM components.
Question: What server role and technology are required to implement and manage smart cards?
Answer: AD CS and FIM 2010 R2.
Best Practice:
- Clearly define your business requirements.
- Identify which roles and solutions will best meet business needs.
- Thoroughly test the proposed solution before implementing any AIP solution.