Every day most of us take for granted people’s ability to log in, authenticate, and access the data they need. We start to take more notice when people can’t access their data, perhaps remotely over the internet, or when there is a need for companies to share data. Under all of this is an assumed cost of managing and maintaining the identities and access to these resources. The Forefront products in the “Identity and Access Solution” can help save costs through various means, such as reducing help desk calls, and also enable secure access to data from anywhere and even between companies.
The question is: how do all of the Microsoft components fit together to accomplish this? Here is a high-level breakdown of what each of the products in this solution does and some ways they work together:
Forefront Identity Manager (FIM) – I like to think of FIM as your identity management hub. You can reduce your management and support costs through things like automated user group provisioning, user password reset tools, creating automated identity policies, and user self-management of distribution lists/groups. FIM ties in with many third party applications and identity stores to make it even more compelling. Note: FIM just released its final code today. See the RSA announcement which has links to other deeper dive videos.
Active Directory Rights Management Services (ADRMS) – This is an essential component from Microsoft to enable data-centric security and defense in depth in your organization. It runs on top of Windows Server 2008, integrates with your identity to provide specific access, and can also be run in conjunction with RSA’s DLP technology. Essentially, it lets you granularly control who has what access to your files or emails (even outside your organization) and helps prevent data loss.
Forefront Unified Access Gateway (UAG) – This product is essential to enable granular, secure anywhere access to your data. It scales and extends Direct Access (DA) in Windows Server 2008 R2. If you don’t have DA, there are tons of other capabilities to publish various services (such as ADFS) individually, via a single-sign-on portal, or through an SSL VPN. The previous version of UAG was called IAG, and UAG runs on top of TMG.
Active Directory Federation Services (ADFS) 2.0 – This is great to enable seamless data sharing and collaboration between separate organizations, even if the other organization is using something other than Active Directory as their identity store.
Windows Identity Foundation and Windows CardSpace – These are separate developer tools to help your applications have more robust and interoperable authentication and a good user authentication experience.
To complement this post, please check out the video interview I did with Brjann Brekkan on the IAM solution. We chat about the solution for ~6 minutes and for the remaining ~10 minutes give you a demo screencast of some of the interesting scenarios enabled.
You can also download the video in various formats by going to the original post on Edge.
Hi All -
No question about it: Cloud is THE big topic of discussion in IT circles these days. The opportunities, challenges and questions related to cloud are many. Microsoft recently held a cloud computing event at the University of Washington, where we clarified that Microsoft is "all in" when it comes to cloud computing and outlined the company's already long history and tremendous investment in
Of course, many customers have questions about cloud security and privacy. A recent revealed that while 86% of senior business leaders are excited about it, more than 75% believe data safety, security, and privacy are top potential risks of
To this end, Microsoft corporate vice president Scott Charney spoke at the recent RSA security conference, explaining how the company's vision for End to End Trust applies to cloud. In his speech Charney highlighted the importance of identity technologies for cloud
Cloud security is a big, broad topic. But identity is a good place to start the discussion. This is an area where we're "all in," too, with a broad set of investments in identity and access management. Our aim is to help companies achieve more secure, efficient access and collaboration - within the enterprise, across company boundaries and into the cloud.
Key to this strategy is enabling companies to build on their existing identity infrastructure - such as Active Directory (AD) - to cost-effectively give employees security-enhanced access to the applications and information they need to get their jobs done, no matter where the apps, data or employees are.
A first step for companies is to get their identity house in order, meaning streamline the process of assigning identities, creating groups and roles, and implementing the right policies for identity-based access. That's where the newly launched Forefront Identity Manager 2010 (FIM) comes in.
Part of our Business Ready Security strategy, FIM works with AD and provides both workflow tools for IT admins and self-service capabilities for employees to help alleviate much of the cost and effort related to identity and access.
You can read a case study here, for example, about how specialty chemical manufacturer Dow Corning is using FIM and other Forefront solutions to boost employee productivity and collaboration with partners. Another example: First American Title Insurance is using FIM to automate provisioning and access to mostly on-site business systems for its 14,000 employees. And the company also takes advantage of FIM's capabilities to govern access and security of its cloud-based
Once their identity infrastructure is in place, companies can Directory Federation Services 2.0 (ADFS 2.0), a new role in Windows Server® that will be released soon. ADFS 2.0 provides a single point of management for authenticating user "claims" for single sign-on access to applications - whether those apps are on-premises, inside a separate and trusted company, or in the cloud. Businesses such as travel company Hogg Robinson and Quest Software are already using ADFS 2.0 to authenticate and authorize users of their online systems.
Also, using solutions such as Forefront Unified Access Gateway 2010 (UAG), and/or Network Access Protection and Direct Access in Windows Server, companies can more easily give remote workers more secure access, too, based on their identities. (Windows 7 includes built-in support for all.) There's a great white paper on UAG and Direct Access here, and a recent Network World review of UAG here.
Companies will implement these solutions at different points in time and in various combinations, depending on their identity and access needs...and their cloud plans. That's why we focus on helping businesses use the identity and access technologies they've already invested in as they progress toward cloud computing. This is consistent with Microsoft's overall approach to cloud, which assumes companies will use the combination of on-premises and cloud computing that best serves their purposes.
I hope this is a useful overview.
Let us know your thoughts and questions!
Hi all - I'm joining the team of Forefront bloggers here on the Because It's Everybody's Business site. As a senior marketing communications manager on the Core Infrastructure Marketing team, I'll be pitching in with updates, comments and insights about "all things" business security. That includes information related to our Forefront brand of products, but also identity and security technologies within the Windows platform and other Microsoft applications. (In many cases, our Business Ready Security solutions - such as those for secure messaging, secure collaboration, identity and access, information protection and secure endpoint - combine Forefront products with technologies in Windows and in applications like Exchange, SharePoint, Office and others.)
A little background on me: I've been at Microsoft for about four years now, doing marketing for a variety of Server and Tools businesses, including Windows Server, Small Business Server, Windows Home Server, enterprise storage, management and virtualization. One of the great things about my job is that I'm able to regularly interact with customers and partners who are solving their real world challenges with our solutions. I'll do my best to apply what I hear and learn from those interactions here in my posts.
With that in mind, I thought I'd kick my blogging off with a quick overview of how (and why) Del Monte Foods uses our security solutions.
As many know, Del Monte is one of the country's largest and most recognized producers, distributors and marketers of premium food and pet products. Their intellectual property, such as recipes, is their lifeblood. The volume and range of that intellectual property continues to grow, of course, and so do the ways that employees use and share that information. They rely heavily on traditional e-mail, collaboration platforms and, now, presence and instant messaging. Protecting that precious information, while still enabling employee productivity with the latest forms of communication and collaboration, is crucial for Del Monte.
That's where the Forefront Protection Suite comes in. Del Monte uses Forefront to protect Exchange and Office Communications Server messages from spam and malware, to protect documents on Office SharePoint from viruses, and to protect employee PCs from Web-based threats. They have been using the current versions of Forefront for some time, and are in the process of upgrading to several of the newer products now. Del Monte also takes advantage of Active Directory Rights Management Services in Windows Server to better control access and distribution of information.
As a result, Del Monte has more secure email, more secure collaboration between both employees and trusted suppliers, and more secure PCs. Forefront and Windows technologies help them protect their intellectual property and manage risk, while allowing employees to get the job done.
They are also very pleased with the manageability of our solutions. For example, Jonathan Wynn, Manager of Advanced Technology and Collaborative Services, said, “With the Forefront Protection Suite, we expect to save countless hours in administrative overhead. We wouldn’t put anything else for e-mail security on our new Exchange Server machines.”
I hope this summary is helpful. Let me know your thoughts and comments. Until next time...
We all know that spam is more than just an annoyance. It’s a productivity killer and a real security threat that exposes enterprise employees to phishing and online fraud. Symantec recently published some research around the top words used in spam, illustrated below. Microsoft does a tremendous amount of security research, too, such as the Security Intelligence Report, which said that about 8% of spam is phishing, scams and malware.
Interesting (but perhaps not surprising) how the most commonly used words are related to a “call to action” with exclamation marks.
Email is mission critical for most organizations, so spam protection is, too. Did you know that Microsoft offers an efficient, cloud based solution for email protection?
Johnstons of Elgin, which makes cashmere and other fine textiles in northern Scotland, was receiving up to 1 million unwanted e-mail messages a day. The spam clogged data lines, crashed server computers, overwhelmed numerous internal solutions, and diminished employee productivity. Efforts to stem the spam were ineffective, and some proposals were prohibitively expensive. Finally, Johnstons worked with solution provider Adventi Group to implement Forefront Online Protection for Exchange, which routes incoming e-mail messages to the Microsoft global data center network for filtering. The solution, which required no capital expenditure or long-term commitment, virtually eliminated spam instantly. With more reliable incoming and outgoing mail, Johnstons saved three to five hours per week of IT administrative time, and restored employees’ faith in the IT department.
Said Johnstons IT manager Craig Lambourne: “With the difference that Forefront Online Protection for Exchange has made for all of our employees—all the way up to the director level—and the trust and confidence they now have in our systems, I don’t think we would ever cancel it.”
As an alternative or complement to the on-premises Forefront Protection for Exchange, Forefront Online Protection for Exchange includes comprehensive Service Level Agreements (SLAs) that include:
TechNet Edge videographer and fellow blogger David Tesar briefly mentioned First American Title Insurance’s use of Forefront Identity Manager (FIM) in a previous post. The short case study is available here, but David and I also caught up with First American VP of Infrastructure Cameron Cosgrove and IT manager Scott Weir at the RSA Conference earlier this month and shot a video discussion with them. (OK, I actually just arranged the meeting and made sure the camera didn’t fall over.)
Take a look below to hear about:
How FIM helped them have better data centric security
Why they decided to choose FIM over other vendors
How they used FIM to federate identities out into a 3rd party cloud
What the process was like to implement FIM and what they learned
Some tips to help you implement FIM
FIM is available for download and evaluation here.