This document discusses using Forefront Identity Manager (FIM) 2010 to manage identity and access for a private cloud.
It notes that security is the top concern for cloud adoption. FIM can help by providing a common identity platform across the private cloud, enabling single sign-on and managing access at the group level.
FIM centralizes identity management and synchronization to Active Directory. This allows for self-service access management, delegation of administration, and integration of on-premises and cloud-based applications and resources using a single identity store.
1. JOURNEY TO THE CLOUD
FIM 2010 used for management of AD, the core of your identity in the private cloud
2. Cloud Security Concerns
• Security is the number 1 concern for cloud adoption
• 75% responded 4 or 5 (on 1 to 5 scale) *
• Key security issues:
• Isolation of tenants from each other & hosting infrastructure
• Compute and network layers
• Authentication / Authorization / Auditing of access to cloud services
• Unauthorized access / DoS due to weak (or mis)configuration
* Source: IDC Enterprise Panel
3. Three Pillars
Diagram: the three pillars (Authentication, Authorization, Attributes) resting on an Identity Management Platform.
5. Typical Cloud ID Journey
Diagram: the journey runs from Silos to Islands of Identity to Federated, measured against the three pillars (Authentication, Authorization, Attributes).
6. A Better Journey
Diagram: the same journey (Silos, Islands of Identity, Federated) against the three pillars, this time built on an Identity Management Platform.
7. What is Forefront Identity Manager
Diagram: the FIM Portal manages Active Directory, which in turn serves Windows Log On, AD FS login across clouds, LOB applications, databases and directories. Callouts:
• Self-service integration
• Secure delegation of administration
• Enable access to private cloud
• Integrated login to applications
• Secure the Private Cloud
8. Common Identity across clouds
Diagram: FIM 2010 generates group membership and user attributes from the HR record and synchronizes them to AD, giving one common identity with integrated and federated login to both the private cloud and the public cloud.
• HR System record: FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr: Melissa Meyers; EmplID 123
• FIM 2010 (integrated workflow): FirstName Terry; LastName Adams; Title Sales Manager; Dept Sales; Mgr: Melissa Meyers; LoginID Tadams; Phone 555-1212; Email Tadams@litware.com; Groups: Melissa’s Directs, All in Sales, Phone Sales App Owners
• AD: Firstname Terry; LastName Adams; Phone 555-1234; LoginID Tadams; Email tadams@litware.com
• Private Cloud: Exchange, SharePoint, Web Sites, Line of Business Apps, File / Print
• Public Cloud: PaaS, SaaS, Windows Azure, Office 36
9. Private Cloud Enabled Identity
All Microsoft solutions for private cloud leverage a single identity store to authenticate users with Microsoft® Active Directory® across physical and virtual systems.
Diagram: Active Directory, System Center Virtual Machine Manager and Forefront Identity Manager sit above a stack of Forefront™ Security Solutions, Active Directory, Forefront Identity Manager, Network Access Protection and Server and Domain Isolation, spanning the Hardware, Virtualization (Hyper-V™), Presentation (Terminal Services) and Application (Microsoft App. Virt.) layers.
o Single identity store to authenticate users
o Support across physical and virtual systems
o Federated Identity
o Easy user provisioning
o Identity synchronization
o Simplified management of cloud resources
10. Solution Example – Enhancing Private Cloud with Identity
• Hyper-V and SC Virtual Machine Manager use roles
• Roles can contain users or groups from AD
• Delegation of datacenter management
• Forefront Identity Manager securely manages membership in AD groups
Diagram (Private Cloud): Roles in Hyper-V and System Center → Leverage AD Groups in roles → Manage AD Groups in FIM → Self Service, secure and compliant
11. Solution Example - Enhancing Private Cloud with Identity
Hyper-V Authorization Manager + Common identity in Private Cloud
• Default role allows access to all operations
• Additional roles with desired rights can be created
• 33 different operations OOB, grouped under
  • Hyper-V Service Operations
  • Hyper-V Networks Operations
  • Hyper-V Virtual Machine Operations
12. Solution Example - Enhancing Private Cloud with Identity
Virtual Machine Manager + Common identity in Private Cloud
• The Administrator profile
  • Complete administrative access to all the hosts, virtual machines, and library servers in VMM 2008
• The Delegated Administrator profile
  • Grants administrative access to a defined set of host groups and library servers
• The Self-Service User profile
  • Administrative access to a defined set of virtual machines through the Web-based Virtual Machine Manager Self-Service Portal
  • Additional delegation capabilities in Self service portal
13. FIM (Helping) with The Cloud
Cartoon: a User asks "Can I have Admin access to the cloud app?"; the request goes through Request → Approve, and the answer comes back "Oh, alright then".
14. EVERY JOURNEY NEEDS A HISTORY
Diagram: the journey (Silos, Islands of Identity, Federated) on an Identity Management Platform, now with a fourth pillar, Audit, beside Authentication, Authorization and Attributes.
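As an added example (not code from the slides, nor from FIM, Hyper-V or VMM), the following Python model ties slides 10 to 14 together: AD group membership is changed only through a request/approve step, Hyper-V-style roles point at AD groups rather than at individual users, the default all-operations role is flagged for review, and every membership change and access decision lands in an audit record. The group names "All in Sales" and "Melissa's Directs" come from slide 8; the role group names, the operation names under slide 11's three categories, and the users hvadmin and mmeyers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Directory:
    """Stand-in for Active Directory: each group maps to its direct members
    (user names or other group names). Nested groups are resolved on lookup."""
    groups: Dict[str, Set[str]]

    def effective_groups(self, user: str) -> Set[str]:
        """All groups the user belongs to, directly or through nesting."""
        found: Set[str] = set()
        frontier = [user]
        while frontier:
            principal = frontier.pop()
            for group, members in self.groups.items():
                if principal in members and group not in found:
                    found.add(group)
                    frontier.append(group)  # a group may itself belong to another group
        return found


@dataclass
class Role:
    """A Hyper-V / VMM style role: the AD groups it contains and the operations it allows."""
    name: str
    groups: Set[str]
    operations: Set[str]


@dataclass
class AccessManager:
    """Request/approve workflow over AD group membership plus an audit trail.
    Constructed model of the slides' pattern, not FIM's own API."""
    directory: Directory
    roles: Dict[str, Role]
    approvers: Set[str]
    pending: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    next_id: int = 1

    def request(self, requester: str, group: str, justification: str) -> int:
        """User asks for membership in an AD group; nothing changes until approval."""
        if group not in self.directory.groups:
            raise KeyError(f"unknown group {group!r}")
        rid = self.next_id
        self.next_id += 1
        self.pending[rid] = (requester, group, justification)
        self.audit.append(f"REQUEST id={rid} user={requester} group={group!r} why={justification!r}")
        return rid

    def approve(self, approver: str, rid: int) -> bool:
        """Only a designated approver other than the requester can apply the change."""
        requester, group, _ = self.pending[rid]
        if approver not in self.approvers or approver == requester:
            self.audit.append(f"REJECTED-APPROVAL id={rid} approver={approver}")
            return False
        self.directory.groups[group].add(requester)  # the one place membership is written
        del self.pending[rid]
        self.audit.append(f"APPROVE id={rid} approver={approver} user={requester} group={group!r}")
        return True

    def is_authorized(self, user: str, operation: str) -> bool:
        """Authorization flows user -> AD groups -> role -> operation, and is audited."""
        member_of = self.directory.effective_groups(user)
        allowed = any(role.groups & member_of and operation in role.operations
                      for role in self.roles.values())
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} user={user} op={operation!r}")
        return allowed


# Operation names are placeholders; only the three category names come from slide 11.
ALL_OPERATIONS: Set[str] = {
    "Hyper-V Service Operations/Reconfigure Service",
    "Hyper-V Networks Operations/Create Virtual Switch",
    "Hyper-V Virtual Machine Operations/Start VM",
    "Hyper-V Virtual Machine Operations/Stop VM",
    "Hyper-V Virtual Machine Operations/Delete VM",
}


def overprivileged_roles(roles: Dict[str, Role], all_operations: Set[str]) -> List[str]:
    """Roles that grant every operation, such as slide 11's default role; these are
    the ones to review rather than hand to everyday operators."""
    return sorted(name for name, role in roles.items() if all_operations <= role.operations)


def build_demo() -> AccessManager:
    """Constructed sample directory and roles (not real tenant data)."""
    directory = Directory(groups={
        "All in Sales": {"tadams", "Melissa's Directs"},
        "Melissa's Directs": {"tadams"},
        "Hyper-V VM Operators": set(),          # membership managed only via request/approve
        "Hyper-V Administrators": {"hvadmin"},  # backs the default, all-operations role
    })
    roles = {
        "Administrator": Role("Administrator", {"Hyper-V Administrators"}, set(ALL_OPERATIONS)),
        "VM Operator": Role("VM Operator", {"Hyper-V VM Operators"},
                            {"Hyper-V Virtual Machine Operations/Start VM",
                             "Hyper-V Virtual Machine Operations/Stop VM"}),
    }
    return AccessManager(directory, roles, approvers={"mmeyers"})


if __name__ == "__main__":
    mgr = build_demo()
    rid = mgr.request("tadams", "Hyper-V VM Operators", "on-call VM restarts")
    mgr.approve("tadams", rid)    # self-approval is rejected
    mgr.approve("mmeyers", rid)   # manager approval applies the change
    mgr.is_authorized("tadams", "Hyper-V Virtual Machine Operations/Start VM")
    print("\n".join(mgr.audit))
```

The design choice worth noting is that `is_authorized` never looks at users directly: roles contain AD groups (slide 10), so adding or removing a person is a single audited group change rather than an edit to every role, and `overprivileged_roles` surfaces any role that still carries the default's unrestricted rights.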
15. TO THE CLOUD!
• Using Hyper-V as an infrastructure for Private Cloud is great for server optimization but, without an IAM architecture in place, this is just moving around the administrative problems.
• FIM provides a compliant and well managed AD. Compliance here is about automation of changing access permissions, making sure users have the right access, and reporting.
• Active Directory provides the common identity platform for classic datacenter hosted systems and for the private cloud, and also paves the way to enabling use of public cloud resources.