Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMEA Jürgen Pfeifer Architect Microsoft EMEA HQ Kevin Sangwell Architect Microsoft EMEA HQ

Published byBrendan Price Modified over 9 years ago

Similar presentations

Presentation on theme: "EMEA Jürgen Pfeifer Architect Microsoft EMEA HQ Kevin Sangwell Architect Microsoft EMEA HQ"— Presentation transcript:

1 EMEA Jürgen Pfeifer Architect Microsoft EMEA HQ http://blogs.msdn.com/juergenp Kevin Sangwell Architect Microsoft EMEA HQ http://blogs.technet.com/sanger SaaS - Implications for your Infrastructure

2 Infrastructure Architecture Principals I.T. Should be seamless to users and the business Infrastructure Applications Access Helpdesk Physical Location

3 SaaS: Replacing Challenges SaaS Provider You Integration Identity Management Data Operations Security Contract Management SLAs Compliance Service Delivery Service Level Management Capacity Management Availability Management IT Continuity Management Financial Management Service Support Helpdesk Training

4 Some people may be after your head Why care? Another username & password! Where is the training? I can’t access the CRM application! Sales Team Um, what CRM application? Helpdesk Lawyers ‘R Us Are we still in compliance with regulations? What about our privacy policies: customer and partner data? CSO

5 Why care? Integration Users: another username, training? Helpdesk: another app, where is 2nd line, what about password resets.. Contractual Lawyers: regulatory compliance Security: privacy - customer data?

6 Integration Infrastructure Integration Identity Management Data Operations Security

7 Integration Infrastructure Integration Identity Management Federated Identity and Access Management Role based access control Data Operations Compliance

8 Federated Identity and Access Management Industry Definition Standards-based technology & IT processes … Distributed identification, authentication & authorization Across boundaries (security, departmental, organizational or platform boundaries) … Without federation Another username & password for users Manual definition of roles and rights in SaaS app User admin in SaaS app = high overhead for you / your business to maintain Provisioning/de-provisioning overhead

9 SaaS Provider Tennant Namespace(s) You Private Namespace Active Directory Federation Services Projects AD Identities to other security realms Federation Server Federation Server Federation Servers Manage: Trust -- Keys Security -- Claims required Privacy -- Claims allowed Audit -- Identities, authorities

10 Security Tokens & Claims Distributed authentication/authorization Secret Key Password Proof of Possession Security tokens assert claims Claims – Statements authorities make about security principals (name, identity, key, group, privilege, capability, etc). SignedX.509 Kerberos XrML SAML

11 Security Token Service Key Distribution Center A security token service issues security tokens STS’s can “swap” tokens as a request crosses security domain boundaries

12 ADFS: How it works Federation Trust

13 ADFS Architecture Active Directory Authenticates users Manages attributes used to populate claims Federation Service (FS) STS Issues security tokens Manages federation trust policy FS Proxy (FS-P) Client proxy for token requests Provides UI for browser clients Web Server SSO Agent Enforces user authentication Creates user authorization context HTTPS LPC/Web Methods Windows Authentication/ LDAP Note: ADFS supports both W2K & W2K3 forests FS & FS-P co-located by default, Can be separate boxes FS, FS-P & SSO agent require IISv6 W2K03 R2 Browser clients only for ADFSv1 (W2K03 R2 release)

14 ADFS Requirements Internet Information Server (IIS) 6.0 ASP.NET Microsoft.NET Framework 2.0 Transport Layer Security and Secure Sockets Layer (TLS/SSL) X.509 certificate (Federation Service only) ADFS requires Active Directory or ADAM Domain controllers must be Windows Server 2003 Service Pack 1 (SP1) Windows Server 2003 R2 Windows 2000 with Service Pack 4 (SP4)

15 Integration Infrastructure Integration Identity Management Federated Identity and Access Management Role based access control Data Operations Compliance

16 Sales Role Role Based Access Control (RBAC) Michal Sales Dept Portal Author on Account Activity pages Document Mgmt Owner for Sales Order Processing documents CRM Manager for Eastern Europe sales teams

17 Role Based Access Control (RBAC) CRM Portal Document Mgmt Author on Account Activity pages Owner for Sales Order Processing documents Manager for Eastern Europe sales teams Sales Role

18 Role Based Access Control (RBAC) CRM Portal Docume nt Mgmt Author on Account Activity pages Owner for Sales Order Processing documents Manager for Eastern Europe sales teams Sales Role SaaS Reader on Sales Order Processing pipeline

19 Role Based Access Control (RBAC) RBAC + Federation approach Configure Federation to transform group claims to SaaS Application SaaS Application Group Member: Managers Cookie: Group: Managers  Authorisation

20 NOT Role Based Access Control Implemented only in SaaS Application Another (external) application in which you need to perform admin Do the business get delegated admin of users inside the SaaS app? How do they include enterprise users in the SaaS app as Federation won't necessarily reveal users in SaaS app?

21 Integration Infrastructure Integration Identity Management Data Operations Security

22 Data Integration LoB apps are typically islands, but need to share data EAI Do you have another application which needs this data? (CRM & Accounting) Is the data used in a workflow? ETL Do you want to do data mining in house? (CRM) How do you get the data into the “Universal Business Management Tool” (Excel)

23 Integration Infrastructure Integration Identity Management Data Operations Security

24 Operations How are helpdesk going to treat the SaaS App? Not involved at all Then how do you measure quality? Ideally add the SaaS Vendor as a 2 nd line in the Trouble Ticketing system Integrate with the enterprise monitoring Helpdesk know of a problem before your users Trending/metrics for decision support:- Is user training needed? Bugs/poor performance or availability: challenge the SaaS provider Helps with SLA measurement Replace text w/drawings

25 Integration Infrastructure Integration Identity Management Data Operations Security

26 Security / Compliance Are you subject to regulations? These extend to the SaaS Provider Industry regulations SoX, ECB, BASEL II, EMV Data Protection EU & USA incompatible Common Criteria to at least EAL 3 on all layers of the SaaS stack – network, OS, application, DB etc.

27 Infrastructure Architecture Visio/stack diagram showing top level integration TBC To be added in v2

28 SaaS Infrastructure Integration Checklist (SiiC) Define and implement an Identity Management strategy Obtain skills in Federation technology and products Create an architecture for operations and data integration which supports SaaS Applications Doing it one by one = quick path to chaos

29 Why care? Integration Users: another username, training? Helpdesk: another app, where is 2nd line, what about password resets.. Contractual Lawyers: regulatory compliance Security: privacy - customer data?

30 Why care? Contractual Operations, operations, operations Data ownership & Compliance Cross-provider integration?

31 Operations, operations, operations Does the provider follow formal operations frameworks? Security accreditations? User training? Ability to turn on/off functionality Can you define when upgrades occur

32 Operations, operations, operations Impact on business continuity Can you make brick-level restores? Is there a charge for this? What Disaster Recovery or Business Continuity level do they offer?

33 Data ownership & Compliance What is “data”? Proving you are still in compliance What reporting is available from the SaaS app? Do you have any internal policies about customers data Microsoft policy for Personally Identifiable Information (PII) = no vendor has access to PII without adopting our policy (legal agreement)

34 Cross-Provider Integration The obvious stuff SOA & WS Does the SaaS provider have public APIs What security technology do they use to allow programmatic access to your data/the app?

35 SaaS “Keep My Job” Checklist Identity Integration RBAC Operations Integration Security Accreditations Contractual SLAs Data Ownership WS Data Access LoB ApplicationTactical Application Data Ownership

36 Summary SaaS = Integration Infrastructure Operations SaaS is similar to outsourcing Contracts SLAs Multiple SaaS applications introduce a new set of complexities we need to address

Download ppt "EMEA Jürgen Pfeifer Architect Microsoft EMEA HQ Kevin Sangwell Architect Microsoft EMEA HQ"

Similar presentations

Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Active Directory Federation Services Architecture Drilldown

Active Directory Federation Services Architecture Drilldown
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
Identity and Access Management

Identity and Access Management
EMEA Kevin Sangwell Architect Microsoft EMEA HQ SaaS - Implications for Enterprise Infrastructures.

EMEA Kevin Sangwell Architect Microsoft EMEA HQ SaaS - Implications for Enterprise Infrastructures.
Greg Pierce| Concerto Cloud Services Which Cloud is Right for Microsoft CRM?

Greg Pierce| Concerto Cloud Services Which Cloud is Right for Microsoft CRM?
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.

Cloud Attributes Business Challenges Influence Your IT Solutions Business to IT Conversation Microsoft is Changing too Supporting System Center In House.
Active Directory Implementation Class 4

Active Directory Implementation Class 4
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

Similar presentations

Ads by Google