Journey to the cloud
1. JOURNEY TO THE CLOUD
FIM 2010 used for management of AD, the core of your identity in the Private Cloud
2. Cloud Security Concerns
• Security is the number 1 concern for cloud adoption
  • 75% responded 4 or 5 (on 1 to 5 scale) *
• Key security issues:
  • Isolation of tenants from each other & hosting infrastructure
    • Compute and network layers
  • Authentication / Authorization / Auditing of access to cloud services
  • Unauthorized access / DoS due to weak (or mis)configuration
* Source: IDC Enterprise Panel
3. Three Pillars
Authentication
Authorization
Attributes
Identity Management Platform
5. Typical Cloud ID Journey
Pillars: Authentication, Authorization, Attributes
Stages: Silos → Islands of Identity → Federated Identity
6. A Better Journey
Pillars: Authentication, Authorization, Attributes
Stages: Silos → Islands of Identity → Federated Identity, built on an Identity Management Platform
7. What is Forefront Identity Manager
Diagram: FIM Portal (self-service, Windows log on) manages Active Directory and integrates LOB applications, databases and directories.
• Secure delegation of administration
• AD FS login across clouds; enable access to private cloud
• Integrated login to applications
• Secure the Private Cloud
8. Common Identity across clouds
Diagram: FIM 2010 flows HR System attributes into Active Directory, generating group membership and user attributes, and provides an integrated, federated common identity (with workflow) to both Private Cloud and Public Cloud applications.
HR System: FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr: Melissa Meyers; EmplID 123
AD (via FIM 2010): FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr: Melissa Meyers; LoginID Tadams; Phone 555-1212; Email Tadams@litware.com
Groups: Melissa’s Directs; All in Sales; Phone Sales App Owners
Private Cloud: Exchange; SharePoint; Web Sites; Line of Business Apps; File / Print
Public Cloud (PaaS / SaaS: Windows Azure, Office 36): Firstname Terry; LastName Adams; Phone 555-1234; Email tadams@litware.com; LoginID Tadams
9. Private Cloud Enabled Identity
All Microsoft solutions for private cloud leverage a single identity store to authenticate users with Microsoft® Active Directory® across physical and virtual systems.
o Single identity store to authenticate users
o Support across physical and virtual systems
o Federated Identity
o Easy user provisioning
o Identity synchronization
o Simplified management of cloud resources
Diagram layers: Hardware; Virtualization (Hyper-V™); Presentation (Terminal Services); Application (Microsoft App. Virt.). Components spanning the layers: Active Directory, System Center Virtual Machine Manager, Forefront Identity Manager, Forefront™ Security Solutions, Network Access Protection, Server and Domain Isolation.
10. Solution Example – Enhancing Private Cloud with Identity
• Hyper-V and SC Virtual Machine Manager use roles
• Roles can contain users or groups from AD
• Delegation of datacenter management
• Forefront Identity Manager securely manages membership in AD groups
Diagram (Private Cloud): Roles in Hyper-V and System Center → Leverage AD Groups in roles → Manage AD Groups in FIM → Self Service, secure and compliant
11. Solution Example - Enhancing Private Cloud with Identity
Hyper-V Authorization Manager + Common identity in Private Cloud
• Default role allows access to all operations
• Additional roles with desired rights can be created
• 33 different operations OOB, grouped under
  • Hyper-V Service Operations
  • Hyper-V Networks Operations
  • Hyper-V Virtual Machine Operations
12. Solution Example - Enhancing Private Cloud with Identity
Virtual Machine Manager + Common identity in Private Cloud
• The Administrator profile
  • Complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
• The Delegated Administrator profile
  • Grants administrative access to a defined set of host groups and library servers
• The Self-Service User profile
  • Administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
• Additional delegation capabilities in Self service portal
13. FIM (Helping) with The Cloud
Cartoon: User: "Can I have Admin access to cloud app?" → Request → Approve → "Oh, alright then"
14. EVERY JOURNEY NEEDS A HISTORY
Pillars: Authentication, Authorization, Attributes, Audit
Stages: Silos → Islands of Identity → Federated Identity, built on an Identity Management Platform
15. TO THE CLOUD!
• Using Hyper-V as an infrastructure for Private Cloud is great for server optimization but, without an IAM architecture in place, this is just moving around the administrative problems
• FIM provides a compliant and well-managed AD. Compliance here is about automation of changing access permissions, making sure users have the right access, and reporting.
• Active Directory provides the common identity platform for classic datacenter hosted systems and private cloud, and also paves the way to enabling use of public cloud resources.
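The request/approve flow of slide 13 with the audit pillar slide 14 adds and the compliance points above, as an added example that is not part of the deck or of FIM; the group-owner approval rule, the event names and the audit record shape are assumptions:

```python
# Added example (not from the deck): self-service request for AD group membership,
# owner approval, and an append-only audit history of every action.
# Group owners, the approval rule and the event names are assumed.
from datetime import datetime, timezone

class AccessRequestWorkflow:
    def __init__(self, group_owners, memberships):
        self.group_owners = group_owners  # AD group -> owner login who approves requests
        self.memberships = memberships    # AD group -> set of member logins
        self.requests = {}                # request id -> state dict
        self.audit = []                   # append-only history of every action
        self._next_id = 1

    def _log(self, event, **fields):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})

    def request(self, requester, group, justification):
        """User asks for membership (e.g. admin access to a cloud app's owner group)."""
        rid, self._next_id = self._next_id, self._next_id + 1
        self.requests[rid] = {"requester": requester, "group": group, "state": "pending"}
        self._log("request", id=rid, requester=requester, group=group, justification=justification)
        return rid

    def decide(self, rid, approver, approve):
        """Only the group owner may decide, never the requester; the attempt is logged either way."""
        req = self.requests[rid]
        if req["state"] != "pending":
            raise ValueError(f"request {rid} already {req['state']}")
        if approver != self.group_owners.get(req["group"]) or approver == req["requester"]:
            self._log("unauthorized_approver", id=rid, approver=approver)
            raise PermissionError(f"{approver} may not approve {req['group']}")
        req["state"] = "approved" if approve else "denied"
        if approve:
            self.memberships.setdefault(req["group"], set()).add(req["requester"])
        self._log(req["state"], id=rid, approver=approver, requester=req["requester"], group=req["group"])
        return req["state"]

    def history(self, group):
        """Who asked for and who granted access to a group: the question an auditor asks."""
        return [e for e in self.audit if e.get("group") == group]
```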
This is not directly related to Private Cloud. Did you find this in private cloud mtrl from marketing? Then you are good to go. If not, then this is for Public cloud.
The pillar slides are generic to Cloud computing and not specific to Private Cloud, so the speaker should make the audience aware of this and that identity is a common platform across private and public cloud.
Modifying this slide to reflect private cloud needs more work and perhaps needs to have builds where the left-hand side is shown first, to talk about enhancing data in Active Directory with classic provisioning and synchronization, then add the top level to provide info on how the datacenter admin can give application owners a way to manage security groups that they will use inside the applications they own and are deploying on top of the private cloud. The same holds true for datacenter administrators that own the private cloud and want to delegate access to certain admins to have access to part of the private cloud (this is done in the VMM self-service portal and it uses security groups in AD).
Moved this slide to kick off the transfer from the generic cloud discussion to private cloud. ... The final comment from the speaker should be: now let's look at how identity is leveraged in managing the private cloud.
In Private cloud you really don't need the .CSV file to issue identities in the cloud app, as it is all on-premises and is either AD integrated. Having this link to apps in private cloud that are not AD integrated is fine, but don't use just a CSV file .. just say account provisioning.
Great value add for FIM to talk about the need for audit history of datacenter admins having requested new VMs, app owners creating new SGs and approving users' access to their applications or providing devs access to their applications, and finally the end users' requests for these apps.