• Redmond Magazine: ADFS 2.0 Opens Doors to the Cloud

    Jeffrey Schwartz of Redmond Magazine published an in-depth story discussing how the new Active Directory Federation Services 2.0 for Windows Server simplifies secure access to applications and services in the cloud. 

    The article is a good read, providing perspective from a variety of companies – most highly supportive of ADFS 2.0, some slightly critical.  Overall, Schwartz says, “Numerous Windows IT pros and security experts are bullish” on the new technology and what it can do.   In the article, Kevin von Keyserling of Certified Security Solutions does a good job of summing up ADFS 2.0’s benefits:

    "The end user can have the same experience in the cloud as if they were inside their own network; that's one of the advantages or drivers for these large enterprises looking at taking up the Federation Services and extending it. It provides cloud services without having to stop and deal with password resets and credential management, and allows [companies] to focus on the execution of their business strategy versus the day-to-day nuances of dealing with security issues."

    Patrick Harding, CTO of Ping Identity, says "ADFS 2.0 is a big deal because it validates that federated identity management is important; it's going to become a must-have for cloud computing and SaaS computing."

    "The bottom line is we're streamlining how access should work and how things like single sign-on should work from on-premises to the cloud."
    John Chirapurath, Senior Director, Microsoft

    A real-world example of ADFS 2.0 in action (not in the article) is Thomson Reuters' Treasura web service, which helps professional treasurers handle cash and liquidity management, forecasting, payments and compliance.

    Using Windows Identity Foundation (an extension to the Microsoft .NET Framework) and ADFS 2.0, Thomson Reuters was able to provide single sign-on access to Treasura and related software through identity federation with its customers. Customers log on to their own computers once and then navigate to the Treasura site and among Treasura applications without signing in again. Because the customer remains the identity provider, each customer manages and controls its own authentication and access policies just once, on its own network. The Treasura team also provided SSO access to other Thomson Reuters products, including ones built on Sun OpenSSO or other third-party technologies rather than Active Directory.

    Because Windows Identity Foundation lets its application developers add single sign-on with the same familiar Windows development tools, without writing custom authentication code, Thomson Reuters expects to save an average of three months of development time.

    Offering one shared authentication infrastructure also improves security: developers can focus on making applications and services the best they can be, instead of creating an authentication silo in each application that must then be managed (and patched, and audited) separately.

  • Direct Access and UAG Better Together

    DirectAccess (DA) is a game-changing technology for remote access in your company, removing the need for a VPN altogether. Within Microsoft, we've seen great productivity benefits for end users. We surveyed users from our DA pilot and over 87% saw instant productivity gains, for an overall net benefit of roughly one hour per day per user. Furthermore, Microsoft's operations group is saving costs, for example by not having to convert Internet-connected sites to dedicated lines. For more information on the business value of DA and Microsoft's implementation, watch the DirectAccess MSIT video.

    OK, you know you want to implement the DA functionality that comes with Windows Server 2008 R2 and Windows 7. So why would you also want Unified Access Gateway (UAG) along with it?

    As discussed in the video (linked below), here are some of the key reasons you would want to run UAG with DA:

    • Access to IPv4 resources - DirectAccess clients reach the corporate network over IPv6 only. If you have machines inside your corporate environment that cannot run IPv6, or you do not want to put forth the effort to enable the IPv6 stack on them, UAG's NAT64/DNS64 translation lets DA clients reach those IPv4-only hosts anyway. This makes the transition to full access to all internal resources quicker and easier.
    • Scalability - DA by itself has scaling limitations. UAG integrates with Windows Network Load Balancing (NLB), so an array of UAG servers can scale out your DA deployment. Specific scalability numbers have not been released, but are in the works.
    • Central management - one console controls an entire array of UAG servers. There is also a SCOM management pack for UAG to keep monitoring of the product central as well.
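    The IPv4-resource point above rests on DNS64 and NAT64: the DNS64 resolver answers a DirectAccess client's AAAA query for an IPv4-only host with an IPv6 address synthesized from the host's A record, and the NAT64 translator on the gateway maps that address back to IPv4 when the packet arrives. The following Python is an added illustration of that mapping and is not code from UAG or from the original post; it assumes the RFC 6052 /96 embedding and uses the well-known 64:ff9b::/96 prefix and a constructed intranet zone, neither of which comes from the article (a real deployment uses its own prefix).

```python
"""DNS64 AAAA synthesis and NAT64 address mapping (RFC 6052 /96 embedding).

Added example; not the UAG implementation. Prefix and zone are assumptions.
"""
import ipaddress

# Well-known NAT64 prefix from RFC 6052, used here as an example value only.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Reverse mapping done by the NAT64 translator at the gateway.

    Returns None for addresses outside the prefix: those are native IPv6
    destinations and must be routed, not translated.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


# Constructed sample zone standing in for the intranet DNS server.
INTRANET_ZONE = {
    "legacy-fileserver.corp.example": {"A": ["10.1.2.3"]},
    "sharepoint.corp.example": {"A": ["10.1.2.10"], "AAAA": ["2001:db8:1::10"]},
}


def dns64_resolve(name, zone=INTRANET_ZONE, prefix=NAT64_PREFIX):
    """Answer an AAAA query the way a DNS64 resolver does.

    A native AAAA record is returned untouched; synthesis happens only when
    the name has A records but no AAAA record. Unknown names return None.
    """
    records = zone.get(name)
    if records is None:
        return None
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in records.get("A", [])]


if __name__ == "__main__":
    for host in INTRANET_ZONE:
        answers = dns64_resolve(host)
        for a in answers:
            print(f"{host}: AAAA {a} -> NAT64 target {extract_ipv4(a)}")
```

    The check worth keeping in mind for a deployment: a host that already publishes a AAAA record is never translated, so if an IPv4-only server has a stale AAAA record in DNS, DirectAccess clients will try the unreachable native IPv6 address instead of the NAT64 path.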

    To hear more about the business value of UAG with DA, and to learn the technical details of how DA and UAG work, watch the video embedded in the original post.

    A breakdown of which topic is covered at which point in the video is in the original post on TechNet Edge.

  • International Speedway Corporation fuels messaging security with Forefront Online

    International Speedway Corporation (ISC) promotes motorsports events, including NASCAR’s DAYTONA 500. The company operates 13 facilities, representing more than one million grandstand seats and 550 suites. Exceptional customer service for the more than 3.5 million people that attend their events is critical to success.

    ISC relies heavily on email communication via Exchange Server 2007 to respond to customers' needs. "It is not an easy task for us to fill 150,000 grandstand seats at one event, so it is key for us to maintain that customer service relationship," says Brandon McNulty, Senior Director of Technology at ISC. "Email is at the heart of that."

    "Keeping spam off our email system is critical for both maintaining the integrity of our email security and business productivity," explains McNulty. However, spam must be managed intelligently, because the company works with legitimate sponsors whose names and products are often also the subject of spam messages.

    ISC used a third-party service to filter email, but found that spam incidents were steadily on the rise, impacting customer service. In fact, in the final nine months that ISC used the service, the rate of incidents that required intervention from the IT department increased at least four-fold.

    So, ISC took advantage of its Microsoft enterprise license agreement and implemented Forefront Online Protection for Exchange, a hosted service that offers layered protection against spam and malicious software.  Within four weeks, the company completely replaced its third-party service and was using Forefront Online across 1,000 employee computers and monitoring a total of 1,300 email accounts, including aliases.

    Since implementing Forefront Online Protection for Exchange, ISC has reduced the number of spam incidents on its network by at least 25 percent. “Spam isn’t even a concern for us anymore. It doesn’t require human intervention for us to prevent it as it did before,” explains McNulty.

    Instead of manually creating and deleting user accounts, ISC can automatically synchronize its Active Directory and Exchange Server accounts to Forefront Online Protection for Exchange, saving six hours of IT administration time each month.

    Because there is no hardware or software to purchase and manage with the hosted service, ISC is saving money compared to an on-premises solution. “By avoiding hardware costs, licensing costs, and manpower to maintain the infrastructure, our savings are easily more than $120,000,” concludes McNulty.

  • Business reasons to protect SharePoint

    Recently, our Forefront Protection 2010 for SharePoint (FPSP) product was released so I thought I’d take the opportunity to explain, in my own terms, the business value for the product.  I also interviewed Noreen from the product team to get her take on the product as well as give us some demos of FPSP in action (viewable at bottom of this post).

    Defense in Depth 
    Especially considering how important SharePoint is to your business, you should have a defense-in-depth strategy that includes SharePoint. How much employee time or money would your company lose if someone uploaded a virus to SharePoint that brought it down or compromised the data? There are two significant features unique to FPSP that help your defense-in-depth strategy which I'd like to highlight:

    • Multi-Engine Anti-Virus - Scanning with several anti-virus engines gives a higher combined detection rate than any single engine, because each vendor's signatures and heuristics cover a different set of samples at any given moment. Client anti-virus software, including Microsoft's own Forefront Client Security, uses only a single engine. Furthermore, SharePoint stores uploaded documents in its SQL content databases rather than on the file system, so a file-system scanner on the SharePoint server is not where the detection should happen; if you rely only on client anti-malware software and it does detect a virus on the SharePoint server itself, the user experience will more than likely be poor, causing a loss of productive time.
      Side note: multi-engine AV is also available in Forefront Protection 2010 for Exchange.
    • Interoperability with Rights Management Services (RMS) - RMS is an excellent addition to your defense-in-depth strategy, protecting the documents themselves. FPSP retains all of the same protection capabilities for RMS-protected documents, so encrypting a document with RMS does not create a blind spot for malware scanning.

    More control and visibility over your data
    As the amount of data inside your environment keeps growing, the time needed to filter it, or the cost of adding storage capacity, can be significant. FPSP's keyword and file filtering give you control over what type of data you allow on the SharePoint server and provide reporting on what types of files are present. This can save money by avoiding additional storage capacity and can help prevent data leaks. For instance, if you have a publicly accessible SharePoint server in your company, you could enable keyword file filtering to block any file containing the words "confidential" or "internal only", and even specify a threshold for how many times those words must appear before the file is disallowed from being posted.
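    To make the keyword-threshold and file-type filtering concrete, here is an added Python example of the decision logic such a filter applies to an upload. It is not FPSP's code and does not reflect how FPSP configures its rules; the policy values (the two keywords from the paragraph above, a threshold of 3, the blocked extensions and the signature check) and the sample documents are constructed for this illustration. It goes one step beyond the paragraph by also inspecting the file's leading bytes, since an extension-only file-type rule is defeated by renaming an executable.

```python
"""Upload filtering: keyword threshold plus file-type checks.

Added example, not the FPSP implementation. POLICY and SAMPLES are constructed.
"""
import os
import re
from collections import Counter

# Hypothetical policy for this example.
POLICY = {
    "keywords": ["confidential", "internal only"],
    "threshold": 3,  # total keyword hits at which the file is rejected
    "blocked_extensions": {".exe", ".dll", ".scr"},
    # Leading bytes checked against the content, because an extension can be renamed.
    "blocked_signatures": {b"MZ": "Windows PE executable"},
}


def keyword_hits(text, keywords):
    """Case-insensitive count of each keyword or phrase, whole-word matches only.

    Multi-word phrases match across any run of whitespace ("Internal  only").
    """
    counts = Counter()
    for kw in keywords:
        pattern = r"\b" + r"\s+".join(map(re.escape, kw.split())) + r"\b"
        counts[kw] = len(re.findall(pattern, text, flags=re.IGNORECASE))
    return counts


def evaluate_upload(filename, data, policy=POLICY):
    """Return (allowed, reason) for an upload.

    Order matters: content signature first (cheap and not spoofable by renaming),
    then the extension rule, then the keyword threshold over the decoded text.
    """
    for magic, label in policy["blocked_signatures"].items():
        if data.startswith(magic):
            return False, f"content is a {label}"
    ext = os.path.splitext(filename)[1].lower()
    if ext in policy["blocked_extensions"]:
        return False, f"extension {ext} is not permitted"
    text = data.decode("utf-8", errors="ignore")
    hits = keyword_hits(text, policy["keywords"])
    total = sum(hits.values())
    if total >= policy["threshold"]:
        return False, f"{total} sensitive keyword hits (limit {policy['threshold']})"
    return True, "ok"


# Constructed sample uploads.
SAMPLES = {
    "q3-plan.docx": b"CONFIDENTIAL - Internal only. This plan is confidential; internal-only circulation.",
    "press-release.txt": b"Public announcement for confidential-free distribution.",
    "notes.txt": b"MZ\x90\x00 not really a document",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        allowed, reason = evaluate_upload(name, blob)
        print(f"{name}: {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

    Note that "internal-only" with a hyphen does not count toward the "internal only" phrase in this example; whether hyphenated or split variants should count is a policy decision that a real keyword rule has to make explicitly.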

    The interview with Noreen and the FPSP demos are in a video embedded in the original post. To download the video in various formats such as Zune, iPod, WMV, or MP3, please visit the original post.

  • Delighting end users with Forefront UAG and DirectAccess

    At my first 1-on-1 this year with Lee Nackman, the Identity and Security Division's Corporate Vice President, he asked me how something could possibly work.  While on vacation on the east coast, Lee had changed his password for Microsoft's corporate network using Outlook Web Access from a family computer.  When he returned to his home near Redmond a week later he turned on his laptop and, since he hadn't yet been to the office, thought he would need his old (cached on the laptop) password to log in.  Lee was trying to recall the old password when he discovered he was able to log in using the new password.  How, he wondered, had the laptop been able to pick up the new password without having been inside the corporate network?  Lee had experienced one of the benefits of DirectAccess being "always on".  His Windows 7 laptop had, immediately after boot, established connectivity to the corporate network, allowing the use of the new password rather than the old cached password.  Not only was Lee delighted, but security was improved by the rapid invalidation of the old credentials for accessing his laptop.  Lee is one of over 10,000 users inside Microsoft currently enjoying the benefits of DirectAccess deployed using Forefront UAG.

    I'm another of the DirectAccess users inside of Microsoft.  I used to dread receiving requests to approve expense reports and purchase orders while I was out of the office because of the time and "clunkiness" of using VPN to connect to the corporate network.  I admit to it being painful enough that sometimes I made employees wait until I returned to the office to do approvals.  With DirectAccess though I approve them as quickly when I'm on the road as I do when I'm in the office.  I just click on the approval link in an email and am immediately launched into the appropriate intranet site.  There is no need for me to explicitly go run a VPN client and wait to be connected to the corporate network just so I can access the approval site.  The experience is so much better that after using DirectAccess for just a short while I knew I could never go back to using a VPN.

    What I like about Lee's experience in particular is that it really helps demonstrate the core difference between DirectAccess and traditional VPNs.  Where a VPN allows the creation of a temporary bridge from a PC outside of the corporate network to corporate resources, DirectAccess effectively keeps PCs that are part of your corporate network (that is, domain-joined machines) on the corporate network even when they aren't physically connected to it.  From the standpoint of the administrator, you maintain control over the PC (Group Policy changes, patch management, health monitoring, etc.) any time it is connected to the Internet anywhere in the world.  From the end user's standpoint, corporate resources such as SharePoint sites, intranet sites, and file shares are accessible on the road exactly as they are when sitting in the office.  How often does IT have an opportunity to increase control while improving the end user's experience and productivity?  These are usually positioned as conflicting goals, but with DirectAccess there is no conflict.

    One thing I hope to do in this blog is show that security and identity can be business enablers, rather than a tax a business pays to protect their assets.  With DirectAccess, that is easy.