Amol Bhandarkar Technology Solution Professional – IDA | Microsoft


Agenda
- Identity & Access Management
- ILM 2 high-level architecture
- ILM 2 features
- Demo of ILM 2
- Intelligent Application Gateway
- AD Rights Management Services

Identity & Access Management

Identity-based access:
- Network access: identity-oriented edge access, e.g. NAP
- Remote access: access resources remotely, e.g. SSL VPN
- App access: SSO, web/enterprise/host access, federation
- Info access: drive encryption, ILP, rights management

Identity infrastructure:
- Identity & credentials infrastructure: directory (identity/credentials), Infocards, meta/virtual directory, basic policy

Identity & access management:
- Compliance and audit: monitoring, reporting and auditing of identity-based access activity
- Identity & credential management: user provisioning, certificate & smart card management, user self-service
- Policy management: identity policy, user/role-based access policy, federation policy, delegation
- Access management: group management, federation/trust management, entitlements, RBAC

Microsoft Identity Lifecycle Manager
- Identity synchronization
- User provisioning
- Certificate and smart card management
- Office integration for self-service
- Support for 3rd-party CAs
- Codeless provisioning
- Group & DL management
- Workflow and policy

Architecture blocks: user management, group management, credential management and policy management, built on a common platform providing workflow, connectors, logging, a web service API and synchronization.

ILM 2 High Level Architecture

Identity Lifecycle Manager "2" Features

Credential management:
- Heterogeneous certificate management with 3rd-party CAs
- Management of multiple credential types, including one-time passwords
- Self-service password reset integrated with Windows logon

Group management:
- Rich Office-based self-service group management tools
- Offline approvals through Office
- Automated group and distribution list updates

User management:
- Integrated provisioning of identities, credentials and resources
- Automated, codeless user provisioning and de-provisioning
- Self-service profile management

Policy management:
- SharePoint-based console for policy authoring, enforcement & auditing
- Extensible WS-* APIs and Windows Workflow Foundation workflows
- Heterogeneous identity synchronization and consistency

End User Scenarios

Credential management:
- Integration with Windows logon
- No need to call help desk
- Faster time to resolution

Group management:
- Request process through Office
- No waiting for help desk
- Faster time to resolution

User management:
- Automatic updating of business applications
- No need to call help desk
- Faster time to resolution

Policy management:
- Automatic routing of multiple approvals
- Approval process through Office
- Audit trail of approvals

IT Administrator Scenarios

Policy management:
- Centralized management
- Automatic policy enforcement across systems

User management:
- Management of role changes & retirements

Credential management:
- Generation and delivery of initial one-time-use password
- Integration of smart card enrollment with provisioning

Group management:
- Automatic management of group membership
- Secure access to departmental resources, with audit trail

ILM "2" in Action

The ILM "2" portal, with its policy, credential, user and group management functions, connects to: directories, databases, LOB applications, custom self-service integration, ISV partner solutions, Windows logon and IT departments.

ILM "2" in Action: HR-driven provisioning of a new employee

Components involved: AuthN & AuthZ, workflows (action workflow), app DB, sync DB, management agents, identity stores.

1. New user added in HR app
2. Sync receives request
3. ILM manages manager and department head approvals
4. Once approved, changes committed to ILM app store
5. ILM sends welcome and confirmation e-mails
6. ILM synchronizes updates with external identity stores

ILM "2" in Action: Self-service smart card provisioning

1. Approval workflows
2. Card created & printed
3. Certificates requested
4. Self-service notification and one-time password sent to end user
5. End user downloads certificates onto smart card

ILM "2" in Action: Self-service password management

Components involved: AuthN & AuthZ, workflows (action workflow), delegation & permissions, request processor, app DB, sync DB, management agents, identity stores.

1. User forgets password
2. User requests password reset at Windows logon and answers Q/A
3. ILM receives XML request
4. Does the user have permission to reset the password?
5. ILM validates the Q/A response from the user
6. Changes committed to ILM app store
7. ILM makes WMI call to reset password in AD
8. ILM syncs new password to external identity stores
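The reset flow on this slide has two gates before anything is written to the directory: an authorization check (is this user entitled to self-service reset?) and validation of the registered Q/A. The model below is an added example written for this page, not ILM code; it assumes a hypothetical policy set (RESET_PERMITTED) in place of ILM's delegation and permissions store, a Directory class in place of the WMI call into AD, and constructed sample users. It shows what the slide does not: answers are stored only as salted PBKDF2 digests, the permission check runs before any answer is examined, all answers are compared in constant time without short-circuiting, and repeated failures lock the user out.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 50_000
MAX_FAILURES = 3

# Hypothetical management policy: users entitled to self-service reset.
# Stands in for ILM's "Delegation & Permissions" check; a real deployment
# would read this from the policy store, not from a constant.
RESET_PERMITTED = {"alice"}


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form so 'Rex ' and 'rex' match."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class RegisteredUser:
    name: str
    answers: dict          # question -> (salt, digest); clear-text answers are never stored
    failed_attempts: int = 0


def register(name: str, qa_pairs) -> RegisteredUser:
    answers = {}
    for question, answer in qa_pairs:
        salt = secrets.token_bytes(16)
        answers[question] = (salt, hash_answer(answer, salt))
    return RegisteredUser(name, answers)


class Directory:
    """Stand-in for the AD reset call (ILM issues it over WMI) plus an audit log."""
    def __init__(self):
        self.passwords = {}
        self.audit = []

    def reset_password(self, user: str, new_password: str):
        self.passwords[user] = new_password
        self.audit.append(("reset", user))


def handle_reset_request(user: RegisteredUser, supplied: dict,
                         new_password: str, directory: Directory) -> str:
    # 1. Authorization first: a user who is not entitled to self-service reset
    #    gets the same answer whatever they submit, so answers are never probed.
    if user.name not in RESET_PERMITTED:
        directory.audit.append(("denied-not-permitted", user.name))
        return "denied"
    if user.failed_attempts >= MAX_FAILURES:
        directory.audit.append(("denied-locked", user.name))
        return "locked"
    # 2. Validate every registered answer. Compare digests in constant time and
    #    do not stop at the first mismatch, so timing does not reveal which one failed.
    all_ok = True
    for question, (salt, digest) in user.answers.items():
        candidate = hash_answer(supplied.get(question, ""), salt)
        all_ok = hmac.compare_digest(candidate, digest) and all_ok
    if not all_ok:
        user.failed_attempts += 1
        directory.audit.append(("denied-wrong-answer", user.name))
        return "denied"
    # 3. Only now commit the change to the directory (the slide's WMI call).
    user.failed_attempts = 0
    directory.reset_password(user.name, new_password)
    return "reset"


def demo():
    # Constructed sample: alice registered two questions at enrollment time.
    alice = register("alice", [("first pet", "Rex"), ("birth city", "Pune")])
    ad = Directory()
    ok = handle_reset_request(alice, {"first pet": "rex ", "birth city": "pune"}, "N3w-Passw0rd!", ad)
    bad = handle_reset_request(alice, {"first pet": "Fido", "birth city": "pune"}, "x", ad)
    return ok, bad, ad.audit


if __name__ == "__main__":
    print(demo())
```

The audit entries mirror the slide's "audit trail" requirement: every denied request is logged with its reason, and the lockout counter only resets after a successful, committed reset.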

Identity Management

INTELLIGENT APPLICATION GATEWAY

Intelligent Application Gateway 2007

Supports all applications with SSL VPN:
- Web, client/server and file access
- Microsoft: SharePoint, Exchange, Dynamics
- In-house developed
- Third-party, e.g. Citrix, IBM, Lotus, SAP, PeopleSoft…

Designed for managed and unmanaged users & devices:
- Automatic detection of user system, software and configuration
- Access policies according to device "security state"
- Deletion of temporary files and data traces from unmanaged devices

Drives productivity with application intelligence:
- Apply policy at granular application feature levels
- Dynamically control application data for desired functionality
- Single sign-on with multiple directories, protocols and formats
- Fully customizable portal and user interface

Intelligent Application Gateway

The IAG provides SSL-based application access and protection with endpoint security management, enabling granular access control and deep content inspection from a broad range of devices and locations to line-of-business, intranet and client/server resources. Its three pillars are: control access, safeguard information, protect assets.
- Secure, browser-based access to corporate applications and data from more locations and more devices
- Comprehensive policy enforcement helps drive compliance with legal and business guidelines for using sensitive data
- Ensures the integrity and safety of network and application infrastructure by blocking malicious traffic and attacks

Secure Application Access

Diagram: laptops reach the Intelligent Application Gateway through the external firewall on port 443; behind it, ISA Server and Active Directory front the intranet (SQL Server, file shares, IIS, Exchange Server, SharePoint Server, custom applications).

Control:
- Single sign-on to multiple and custom directories
- Portal defined by user identity
- Native AD integration with strong and two-factor authentication

Protect:
- Policy-driven intranet access with ACL-level controls
- Web application firewall with app-specific content, command and URL filtering
- "Restricted zones" definitions for URLs
- File upload/download control; .EXE identification
- Positive- and negative-logic filtering rules

Safeguard:
- Comprehensive monitoring and logging
- Session termination & inactivity timeouts
- Endpoint compliance check and clean-up
- Endpoint-policy-defined micro-portal

Customizable Enterprise Security

Diagram: partners reach the Intelligent Application Gateway through the external firewall on port 443; behind it sit LDAP, Active Directory, Oracle, Exchange Server, SharePoint Server, IBM/Lotus, SAP and web applications.

Control:
- SSL VPN connectivity and endpoint security verification

Protect:
- Flexible configuration and context-sensitive portal based on endpoint state & user identity
- Support for multiple simultaneous portal configurations
- Web application firewall with positive and negative logic learns and adapts to new apps

Safeguard:
- Per-application policy and comprehensive authentication/authorization mechanisms
- Application Optimizer Toolkit lets IT admins and app developers build customized security
- Endpoint session control, monitoring and state clean-up

Also: granular policy enforcement; extensive monitoring and logging.

RIGHTS MANAGEMENT SERVICES (AD RMS)

Framework for Data Governance

Information lifespan: collection, storage, usage, retention/destruction (destruction, archive).
- Collection: online, from 3rd party, in person
- Storage: structured databases, unstructured data, backup
- Usage: in applications, shared with third parties, by employees and marketers, on electronic devices

Framework dimensions: technology, policy, people, process.

The Information Workplace
- The flow of information has no boundaries: independent consultants, partner organizations, home, mobile devices, USB drives.
- Information is shared, stored and accessed outside the control of its owner.

Traditional solutions protect initial access, but not usage.

Diagram: a firewall perimeter and an access control list admit authorized users (yes) and reject unauthorized users (no); information leakage to unauthorized users after access is granted is not addressed.

Today's policy expression lacks enforcement tools.

Microsoft's Approach to Information Protection: Active Directory Rights Management Services (AD RMS)

Persistent protection = data encryption + policy enforcement (access permissions, use-right permissions).
- Provides identity-based protection for sensitive data
- Controls access to information across the information lifecycle
- Allows only authorized access based on trusted identity
- Secures transmission and storage of sensitive information wherever it goes: policies are embedded into the content, and documents are encrypted with 128-bit encryption
- Embeds digital usage policies (print, view, edit, expiration, etc.) into the content to help prevent misuse after delivery

How does RMS work?

Participants: information author, recipient, RMS server (backed by SQL Server and Active Directory).

1. The author receives a client licensor certificate the first time they rights-protect information.
2. The author defines a set of usage rights and rules for their file; the application creates a "publishing license" and encrypts the file.
3. The author distributes the file.
4. The recipient clicks the file to open it; the application calls the RMS server, which validates the user and issues a "use license".
5. The application renders the file and enforces the rights.
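The five steps above form a license exchange: the content key never travels in the clear, the rights policy travels with the file, and the server only hands out a use license to an identity the policy names. The code below is an added model of that exchange written for this page; it is not AD RMS code and does not implement the real protocol (XrML licenses, RSA-wrapped keys, AES content encryption). It assumes symmetric stand-ins throughout: a toy XOR stream cipher in place of AES, HMAC in place of the license signature, a per-author client licensor key in place of the certificate, and a dictionary of user keys in place of the directory and rights account certificates. What it does show is why each step exists: a policy edited after publishing fails verification, an identity the policy does not name gets no use license, expired content gets none, and the consuming application refuses actions outside the granted rights.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def xor_crypt(key: bytes, data: bytes) -> bytes:
    # Toy XOR stream cipher keyed by SHA-256(key || block counter). Stands in for
    # the AES content encryption real AD RMS uses; not for real use.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for wrapping and for signing, derived from one secret.
    return hashlib.sha256(label + key).digest()


def sign(key: bytes, body: dict) -> str:
    # HMAC stands in for the signature on an RMS license (assumed model).
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(subkey(key, b"sign"), msg, "sha256").hexdigest()


@dataclass
class ProtectedFile:
    ciphertext: bytes
    publishing_license: dict   # rights policy + wrapped content key; travels with the file


class RmsServer:
    """Stand-in for the RMS server with its directory of known users."""
    def __init__(self, directory: dict):
        self.directory = directory   # user -> user key (stands in for the rights account certificate)
        self.clc_keys = {}           # author -> client licensor key issued in step 1

    def issue_clc(self, author: str) -> dict:                  # step 1
        if author not in self.directory:
            raise PermissionError("unknown author")
        self.clc_keys[author] = secrets.token_bytes(32)
        return {"author": author, "key": self.clc_keys[author]}

    def issue_use_license(self, recipient: str, pl: dict):      # step 4
        clc_key = self.clc_keys.get(pl["author"])
        body = {k: v for k, v in pl.items() if k != "sig"}
        if clc_key is None or not hmac.compare_digest(pl["sig"], sign(clc_key, body)):
            return None                                       # tampered policy or unknown publisher
        if recipient not in self.directory:
            return None                                       # identity cannot be validated
        rights = pl["policy"].get(recipient)
        if not rights or time.time() > pl["expires"]:
            return None                                       # no rights granted, or content expired
        content_key = xor_crypt(subkey(clc_key, b"wrap"), bytes.fromhex(pl["wrapped_key"]))
        # Re-wrap the content key so only this recipient's key can open it.
        rewrapped = xor_crypt(subkey(self.directory[recipient], b"wrap"), content_key)
        return {"user": recipient, "rights": rights, "wrapped_key": rewrapped.hex()}


def publish(clc: dict, plaintext: bytes, policy: dict, ttl_seconds: int) -> ProtectedFile:  # step 2
    # The author can publish offline: the CLC key wraps the content key and signs the policy.
    content_key = secrets.token_bytes(32)
    body = {"author": clc["author"], "policy": policy, "expires": time.time() + ttl_seconds,
            "wrapped_key": xor_crypt(subkey(clc["key"], b"wrap"), content_key).hex()}
    body["sig"] = sign(clc["key"], body)
    return ProtectedFile(xor_crypt(content_key, plaintext), body)


def consume(user: str, user_key: bytes, pf: ProtectedFile, ul, action: str):  # step 5
    # The application renders only if a use license names this user and grants the action.
    if ul is None or ul["user"] != user or action not in ul["rights"]:
        return None
    content_key = xor_crypt(subkey(user_key, b"wrap"), bytes.fromhex(ul["wrapped_key"]))
    return xor_crypt(content_key, pf.ciphertext)


def demo():
    # Constructed sample directory: three users with stand-in keys.
    directory = {u: secrets.token_bytes(32) for u in ("alice", "bob", "carol")}
    server = RmsServer(directory)
    clc = server.issue_clc("alice")                                          # step 1
    pf = publish(clc, b"Q3 forecast: confidential", {"bob": ["view"]}, 3600)  # step 2, then step 3 (distribute)
    ul = server.issue_use_license("bob", pf.publishing_license)             # step 4
    return consume("bob", directory["bob"], pf, ul, "view"), consume("bob", directory["bob"], pf, ul, "print")


if __name__ == "__main__":
    print(demo())
```

Because the policy is signed under the author's client licensor key and the server verifies it before unwrapping anything, adding oneself to the policy inside the file, or forwarding the file to someone the author never named, yields no use license; that is the "usage" control the earlier slide contrasts with perimeter and ACL checks.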

Live Trial: RMS

References
- Identity Lifecycle Manager 2: technet.microsoft.com/ilm
- Intelligent Application Gateway: us/forefront/edgesecurity/bb aspx
- AD Rights Management Services

Feedback / Q&A

Your feedback is important! Please take a few moments to fill out our online feedback form. For detailed feedback, use the form at Or us at Use the Question Manager on LiveMeeting to ask your questions now!

Contact Address

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.