Joe Schulman, Program Manager, Microsoft Corporation; Fred Delombaerde, Lead Program Manager, Microsoft Corporation. Session Code: SIA308.

Presentation transcript:


Identity Lifecycle Manager “2” is now Forefront Identity Manager 2010

Agenda
- Why are we in this space?
- Product overview and value proposition
- Provisioning users
- Credential management
- Transitioning roles
- De-provisioning
- Summary

Session outcomes
- See how FIM can reduce your cost by maintaining policy compliance
- See FIM as a viable way to automate provisioning and de-provisioning of users
- See how to reduce costs for managing passwords

Information Workers
- Call help desk for password and access requests
- Wait up to weeks for access
- Define business policies

Developers
- Business rule development
- Custom application development
- Systems integration

Wrong People; Wrong Contexts; Greater Complexity; Higher Cost

IT Professionals
- Respond to the business
- Respond to users
- Architecture & deployment
- System admin
- Governance & security
- Managing permissions
- Creating & deleting user accounts
- Policy implementation & enforcement

Business rules & policy; Permissions; Group & role membership; Distribution lists; Passwords & PINs; Architecture; Deployment; System administration; Governance; Security; System & application integration & development; Users; Access; Credentials; Policy; IT Professionals; Information Workers; Developers; Add; Update; Revoke; Audit

FIM 2010 Solution Areas

Credential Management
- Manage multiple credential types (passwords, certificates, smart cards)
- Integrated with Windows logon (registration & reset)
- Support for multiple & partner reset gates (Q/A, smart card, speech, custom)

Access Management
- Delegated & self-service group and distribution list management
- Information worker self-service experiences through Office and SharePoint
- Dynamic groups/roles & distribution lists

User Management
- Automated, codeless user provisioning
- Enables integration of user, device, and service management
- Self-service and admin Profile Management

Policy Management
- Visual, natural language process authoring & editing
- Extensible workflows through Windows Workflow Foundation
- Integrates with System Center for monitoring and control

Introducing Litware
- 25K employees
- 8000 Security and distribution groups
- Extensive use of AD for access control decisions
- Multiple AD forests due to acquisitions
- Using a custom HR application
- Proliferation of Line of Business applications

IT Provisioning at Litware

End-to-End Provisioning at Litware

Provisioning issues at Litware
- Maintenance of custom provisioning scripts costly and error prone
- “Soft costs” – user productivity
- ‘Provisioned’ users frequently lack access to business critical apps and DLs
- Litware has dozens of connected systems requiring provisioning
- Process compliance nearly an impossibility
- IT Pro centric scripts do not encompass business unit needs
- Custom scripts enforce business logic
- Inflexible process increases costs as organization grows

Litware’s Requirements
- New employees need to be provisioned for business critical applications to enable productivity within a day
- A central HR system is authoritative for bootstrapping user data
- Every employee has an AD account and mailbox
- Each business unit has its own portals and apps
- Every employee is a member of manager’s required DLs as well as business specific DLs

Scenario Overview – New User

Melissa Meyers has just been hired into Litware as a new employee in Finance. As a new employee, Melissa will need to be provisioned into key business critical applications so that she can be effective at her job.

Today
- Custom scripts tie together disparate identity systems
- Inefficient processes lead to long period without access to critical applications
- Custom process prone to errors leading to loss of productivity

With FIM
- ILM automates provisioning to all business critical applications
- Provisioning to applications takes place within hours, not days or weeks
- Access to applications is done in context of defined policy

Provisioning with FIM 2010

First day at work with FIM 2010 Joe Schulman Program Manager Microsoft Corporation

Password reset issues at Litware
- Help desk costs are soaring due to password reset requests
- IT Pro centric scripts do not encompass business unit needs

Litware’s Requirements
- Employees must be able to perform a self-service password reset
- Help desk costs must drop dramatically
- User training costs must be held at bay

Scenario Overview – Password Reset

Jill is one of the many external contractors in her company. She does not log in to the corporate network very often. As a result, she nearly always forgets her password and must reset it prior to accessing the corporate network.

Today
- Jill needs to call the helpdesk to reset her password
- Company incurs a significant cost in managing credentials for contractors like Jill
- Company needs to maintain different tools for managing the credentials for employees and contractors

With FIM
- Jill is able to reset her password without connecting to the corporate network
- The company maintains a centralized set of policies and common tools for credential management for employees and contractors
- Employees can reset their credentials directly from the Windows logon screen

Transition of Roles at Litware

Transitioning issues at Litware
- All of the same issues as the initial provisioning:
  - Maintenance of custom provisioning scripts costly and error prone
  - IT Pro centric scripts do not encompass business unit needs
  - Custom scripts enforce business logic
  - “Soft costs” – user productivity
  - ‘Provisioned’ users frequently lack access to business critical apps and DLs
  - Litware has dozens of connected systems requiring provisioning
  - Process compliance nearly an impossibility
  - Inflexible process increases costs as organization grows
- No automated de-provisioning of access to existing apps!
- Access to newly required apps completely manual
- Inflexible process increases costs as organization grows

Litware’s Requirements
- Transitioning employees need to be provisioned for business critical applications to enable productivity within a day
- Access to existing resources must be evaluated and removed if required within a day

Scenario Overview – Transition

Melissa is transitioning jobs. The HR system must reflect Melissa’s new role as well as update her management chain. She must be granted access to team portals and LOB applications. Access to her old team’s portals and LOB applications must be revoked. In order to function at full capacity, she must then also be added to key DLs so she is included on all key communications.

Today
- Melissa’s LOB applications are not provisioned or de-provisioned automatically on role change
- She must request access to new resources and retains access to some which are no longer relevant
- Her domain change process is tedious and long running, causing intermittent outages of key services such as mail

With FIM
- Melissa is dynamically added to business critical DLs
- She automatically loses access to the LOB apps from her previous role
- She automatically gets access to the new team portal and loses access to the previous team portal

Transitioning Roles with FIM 2010

Employee changing roles Joe Schulman Program Manager Microsoft Corporation

De-provisioning at Litware

De-provisioning issues at Litware
- No automated de-provisioning of access to existing apps!
- Lingering access to applications and resources represent a real security threat!
- Inflexible process increases costs as organization grows

Litware’s Requirements
- Employees leaving the organization need to have their access to resources and applications de-provisioned within a day
- A historical record of de-provisioned employees and their access must be maintained

Scenario Overview – Employee de-provision

Melissa has made it to VP level but is leaving Litware to pursue new opportunities. She is currently granted access to business critical data at Litware that, if leaked, could significantly damage Litware’s business.

Today
- Melissa’s LOB applications are not de-provisioned automatically on role change
- Auditing of historical data for compliance is tedious and error prone
- Tracking down all access points is costly and error prone

With FIM
- Melissa’s access to all business applications and resources is automatically revoked
- A historical audit trail of Melissa’s data and access permissions is maintained
- Connected systems are automatically de-provisioned in accordance with policy

De-provisioning with FIM 2010

De-provisioning Joe Schulman Program Manager Microsoft Corporation

Summary

FIM 2010 helps reduce provisioning costs by streamlining the process and maintaining a state of policy compliance, while focusing on the information worker.


Related Content

Breakout Sessions
- SIA307 ILM “2”: Reducing Help Desk Costs through Self Service with Examples from Microsoft IT
- SIA308 ILM “2”: Reducing Cost of Provisioning and Credential Management
- SIA310 Rethinking Certificate Workflows with Microsoft Identity Lifecycle Manager "2"

Interactive Theater Sessions
- SIA04-TLC ILM "2" Demo: Auditing and Reporting

Hands-on Labs
- SIA06-HOL ILM "2": Core Concepts
- SIA07-HOL ILM "2": Customization
- SIA08-HOL ILM "2": Configuring Self-Service Password Reset
- SIA09-HOL ILM "2": Provisioning Active Directory Users and Group Management

Identity Management Community Blogs Joe’s Identity Management Extensibility Bobby and Nima’s blog Brjann’s Identity Management TechNet Forum US/identitylifecyclemanager/threads


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Business Ready Security

Help securely enable business by managing risk and empowering people

Highly Secure & Interoperable Platform

- From: Block; to: Enable
- From: Cost; to: Value
- From: Siloed; to: Seamless