Journey to the cloud
1 like835 views
This document discusses identity and access management challenges in cloud computing environments and how Forefront Identity Manager (FIM) can help address them. It notes that security is the top concern for cloud adoption and outlines key security issues related to tenant isolation, authentication, authorization, and auditing of access. It then presents FIM as providing the three pillars of identity management - authentication, authorization, and user attributes. The rest of the document provides examples of how FIM can help enhance identity management in a private cloud, including securely managing group membership and roles for access to virtual machines and delegating administration of resources.
Journey to the cloud
- 1. JOURNEY TO THE CLOUD FIM 2010 Used for Management of AD the core of your Identity in the Private Cloud
- 2. Cloud Security Concerns • Security is the number 1 concern for cloud adoption • 75% responded 4 or 5 (on 1 to 5 scale) * • Key security issues: • Isolation of tenants from each other & hosting infrastructure • Compute and network layers • Authentication / Authorization / Auditing of access to cloud services • Unauthorized access / DoS due to weak (or mis)configuration * Source: IDC Enterprise Panel
- 3. Three Pillars Authentication Authorization Attributes Identity Management Platform
- 5. Typical Cloud ID Journey Authentication Authorization Attributes Federated Islands of Silos Identity (Islands of Identity)
- 6. A Better Journey Authentication Authorization Attributes Federated Islands of Silos Identity Identity Management Platform (Islands of Identity)
- 7. What is Forefront Identity Manager Self-Service integration Windows Log On FIM Portal Manages Active Directory LOB - secure delegation Applications of administration AD FS login across clouds - enable access to private cloud Databases Integrated login to applications Directories Secure the Private Cloud
- 8. Common Identity across clouds Private Cloud HR System FirstName Terry LastName Adams Title Sales Manager FirstName Terry Exchange Dept Sales LastName Adams SharePoint Mgr: Melissa Meyers Title Sales Manager Web EmplID 123 Dept Sales Sites Line of Group membership and user Mgr: Melissa Meyers Business attributes generated Apps File / Print LoginID Tadams Integrated Workflow Phone 555-1212 and federated Email Tadams@litware.com common FIM 2010 identity Public Cloud Groups Melissa’s Directs All in Sales PaaS Phone Sales App Owners SaaS Firstname Terry LastName Adams AD Windows Azure Office 36 Phone 555-1234 Email LoginID Tadams Email tadams@litware.com
- 9. Private Cloud Enabled Identity All Microsoft solutions for private cloud leverage a single identity store to authenticate users with Microsoft® Active Directory® across physical and virtual systems. Active Directory System Center Virtual Forefront Identity Machine Manager Manager o Single identity store to authenticate users Forefront™ Security Solutions o Support across physical and Active Directory virtual systems Virtualization o Federated Identity Hardware Presentation Application Forefront Identity Manager Hyper-V™ Terminal Microsoft o Easy user provisioning Services App. Virt. o Identity synchronization o Simplified management of Network Access Protection cloud resources Server and Domain Isolation
- 10. Solution Example – Enhancing Private Cloud with Identity • Hyper-V and SC Virtual Machine Manager uses roles • Roles can contain users or groups from AD • Delegation of datacenter management • Forefront Identity Manager securely manages membership in AD groups Private Cloud Roles in Leverage AD Manage AD Self Service Hyper-V and Groups in Groups in FIM secure and System Center roles compliant
- 11. Solution Example- Enhancing Private Cloud with Identity Hyper-V Authorization Manager + Common identity in Private Cloud • Default role allows access to all operations • Additional roles with desired rights can be created • 33 different operations OOB grouped under • Hyper-V Service Operations • Hyper-V Networks Operations • Hyper-V Virtual Machine Operations
- 12. Solution Example - Enhancing Private Cloud with Identity Virtual Machine Manager + Common identity in Private Cloud • The Administrator profile • Complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008 • The Delegated Administrator profile • Grants administrative access to a defined set of host groups and library servers • The Self-Service User profile • Administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal • Additional delegation capabilities in Self service portal
- 13. FIM (Helping) with The Cloud Oh, alright then Can I have Admin access to cloud app? Request Approve User
- 14. EVERY JOURNEY NEEDS A HISTORY Authentication Authorization Attributes Audit Federated Islands of Silos Identity Identity Management Platform (Islands of Identity)
- 15. TO THE CLOUD! • Using Hyper-V as an infrastructure for Private Cloud is great for server optimization but, without an IAM architecture in place, this is just moving around the administrative problems • FIM provides a compliant and well managed AD. Compliance here is about automation of changing access permissions, making sure users have the right access, reporting. • Active Directory provides the common identity platform for classic datacenter hosted systems, to private cloud and also paves the way to enabling use of public cloud resources.
- 16. QUESTIONS ?
Editor's Notes
- #2: This is not directly related to Private Cloud - did you find this in private cloud mtrl from marketing then you are good to go. If not then this is for Public cloud.
- #4: the pillar slides are generic to CLoud computing and not specific to Private Cloud so the speaker should make the audience aware of this and that identity is a common platform across private and public cloud
- #8: modifying this slide to reflect private cloud. needs more work and perhaps needs to have builds where the left hand side is shown first to talk about enhancing data in Active directory with classic provisioning and synchronization then add the top level to provide info on how datacenter admin can give application owners a way to manage security groups that they will use inside of the applications they own and are deploying on top of the private cloud. same goes true for datacenter administrators that own the private cloud and want to delegate access to certain admins to have access to part of the private cloud (this is done in the VMM self service portal and it uses security groups in AD)
- #9: moved this slide to kick off transfer from generic cloud discussion to private cloud. ... the final comment from speaker should be .. now lets look at how identity is levereged in managing the private cloud
- #15: In Private cloud you really dont need the .CSV file to issue identities in the cloud app as it is all on-premises and is either AD integrated. Having this link to apps in private cloud that are not AD integrated is fine but dont use just a CSV file .. just say account provisioning
- #16: Great value add for FIM to talk about the need for audit history of datacenter admins having requested new VM's, app owners creating new SG's and approving users access to their applications or provide devs access to their applciations and finally the end users requests for these apps.