Access & Information Protection


Presentation Transcript


  1. Access & Information Protection Speaker Name Name

  2. Empowering People-centric IT User and Device Management Access and Information Protection Microsoft Virtual Desktop Infrastructure

  3. Today’s challenges
  • Apps: Deploying and managing applications across platforms is difficult.
  • Users: Users expect to be able to work in any location and have access to all their work resources.
  • Devices: The explosion of devices is eroding the standards-based approach to corporate IT.
  • Data: Users need to be productive while maintaining compliance and reducing risk.

  4. People-centric IT
  • Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.
  • Hybrid Identity: Deliver unified application and device management on-premises and in the cloud.
  • Protect your data: Help protect corporate information and manage risk.
  (Diagram: Apps, Data, Devices, Users; Management, Access, Protection.)

  5. Access and Information Protection: Enable users, Hybrid Identity, Protect your data
  • Common identity to access resources on-premises and in the cloud
  • Centralize corporate information for compliance and data protection
  • Policy-based access control to applications and data
  • Simplified registration and enrollment for BYO devices
  • Automatically connect to internal resources when needed
  • Access to company resources is consistent across devices

  6. Enable users
  Challenges:
  • Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.
  • Users want an easy way to access their corporate applications from anywhere.
  • IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.
  Solutions:
  • Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.
  • Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.
  • IT can publish access to corporate resources with conditional access based on the user’s identity, the device they are using, and their location.

  7. Helping IT to enable users
  • Users can enroll devices for access to the Company Portal for easy access to corporate applications.
  • IT can publish Desktop Virtualization (VDI) for access to centralized resources.
  • Users can work from anywhere on their device with access to their corporate resources.
  • IT can publish access to resources with the Web Application Proxy based on device awareness and the user’s identity.
  • IT can provide seamless corporate access with DirectAccess and automatic VPN connections.
  • Users can register devices for single sign-on and access to corporate data with Workplace Join.
  (Diagram: VDI, Session host, RD Gateway, Remote Access, Web Application Proxy, Web Apps, LOB Apps, Files, Active Directory.)

  8. Registering and Enrolling Devices
  • Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
  • Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and the cloud.
  • Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
  • As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device.
  • IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user’s identity.
  • Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services.
  (Diagram: Active Directory, Multi-Factor Authentication, AD FS, Web Application Proxy.)

  9. Publish access to resources with the Web Application Proxy
  • Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps.
  • Use conditional access for granular control over how and where the application can be accessed.
  • Users can access corporate applications and data wherever they are.
  • Active Directory provides the central repository of user identity as well as the device registration information.
  • IT can use the Web Application Proxy to pre-authenticate users and devices with multi-factor authentication through integration with AD FS.
  (Diagram: published applications include AD-integrated Office Forms Based Access, claims and Kerberos web apps, RESTful OAuth apps, and reverse-proxy pass-through for e.g. NTLM and Basic based apps; other cloud based apps and identity stores; AD FS; Mobile Services; Devices; Apps & Data.)

  10. Make corporate data available to users with Work Folders
  • Active Directory discoverability provides users with the Work Folders location.
  • IT can configure a File Server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management.
  • IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android).
  • Users can sync their work data to their devices. Users can register their devices to be able to sync data when IT enforces conditional access.
  • IT can publish access directly through a reverse proxy (such as the Web Application Proxy), or conditional access can be enforced through integration with AD FS.
  (Diagram: Reverse Proxy, Active Directory, AD FS, Devices, File Services, Web Application Proxy, domain joined devices, Apps & Data.)

  11. Effective working with Remote Access
  • Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources.
  • An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.
  • VPN: cannot originate an admin connection from the intranet.
  • With DirectAccess, a user’s PC is automatically connected whenever an Internet connection is present.
  • DirectAccess: connection to the intranet is always active; can originate an admin connection from the intranet.
  (Diagram: VPN, Session host, VDI, Web Apps, Firewall, Files, LOB Apps, DirectAccess.)

  12. Hybrid Identity
  Challenges:
  • Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and in cloud-based platforms.
  • Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.
  Solutions:
  • Users have a single sign-on experience when accessing all resources, regardless of location.
  • Users and IT can leverage their common identity for access to external resources through federation.
  • IT can consistently manage identities across on-premises and cloud-based identity domains.

  13. Active Directory for the cloud
  • Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises.
  • Developers can integrate applications for single sign-on across on-premises and cloud-based applications.
  • Manage Active Directory using Windows PowerShell, use the improved deployment experience and leverage the Active Directory Administrative Center for centralized management.
  • Activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure.
  • Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning.
  (Diagram: Infrastructure Services, Files, Web Apps, LOB Apps, Active Directory.)

  14. Increasing the value in Active Directory Federation Services
  • Organizations can connect to SaaS applications running in Windows Azure, Office 365 and 3rd party providers.
  • Enhancements to AD FS include simplified deployment and management.
  • Organizations can federate with partners and other organizations for seamless access to shared resources.
  • Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration & network location.
  • Users can register their devices to gain access to corporate data and apps and single sign-on through device authentication.
  (Diagram: published applications (Office Forms Based Access, claims & Kerberos web apps, RESTful OAuth apps), SaaS Apps, Active Directory, AD FS, resources in other businesses or identity realms, Web Application Proxy (includes AD FS Proxy), Firewall.)

  15. Single sign-on with device registration
  • Not Joined: User provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.
  • Workplace Joined: Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information.
  • Domain Joined: Domain joined computers are under the full control of IT and can be provided with complete access to corporate information.
  (Diagram also lists: Browser session single sign-on, Seamless 2-Factor Auth for web apps, Enterprise apps single sign-on, Desktop Single Sign-On.)

  16. Managing hybrid cloud identities
  • Developers can build applications that leverage the common identity model.
  • Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365 and non-Microsoft applications.
  • Users are more productive by having a single sign-on to all their resources.
  • IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud based identity.
  • IT can provide users with a common identity across on-premises or cloud-based services leveraging Windows Server Active Directory and Windows Azure Active Directory.
  (Diagram: 3rd party services, Apps in Azure, Active Directory, DirSync, AD FS, Web Apps, LOB Apps, Files.)

  17. Delivering a seamless user authentication experience
  • Multi-Factor Authentication can be configured through Windows Azure.
  • Cloud Authentication (DirSync with password hash sync): User attributes are synchronized using DirSync, including the password hash; authentication is completed against Windows Azure Active Directory.
  • Federated Authentication with Single Sign-On (DirSync and AD FS): User attributes are synchronized using DirSync; authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication.

  18. Windows Azure Active Directory: More than a directory in the cloud
  • Choose among hundreds of popular SaaS apps from a pre-populated application gallery.
  • Sync identity with DirSync or provide SSO with AD FS.
  • Add multi-factor authentication for additional user identity verification.
  • Easily add custom cloud-based apps.
  • Facilitate developers with identity management.
  • Comprehensive identity and access management with a common identity across on-premises and in the cloud.
  (Diagram: Active Directory, LOB Apps, Web Apps, Multi-Factor Authentication, 3rd party services.)

  19. Protect your data
  Challenges:
  • As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.
  • A significant amount of corporate data can only be found locally on user devices.
  • IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.
  Solutions:
  • Users can work on the device of their choice and be able to access all their resources, regardless of location or device.
  • IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.
  • IT can centrally audit and report on information access.

  20. Policy based access to corporate information
  • IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.
  • Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.
  • IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.
  • IT can audit user access to information based on central audit policies.
  (Diagram: Desktop Virtualization, Centralized Data, Devices, RD Gateway, VDI, Session host, Files, Access Policy, LOB Apps, Distributed Data, Web Apps.)

  21. Protecting information with multi-factor authentication
    1. A user attempts to log in or perform an action that is subject to MFA.
    2. When the user authenticates, the application or service performs an MFA call.
    3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app.
    4. The response is returned to the app, which then allows the user to proceed.
    5. IT can configure the type and frequency of the MFA that the user must respond to.
  (Diagram: User, Multi-Factor Authentication, AD FS; application authentication e.g. Active Directory, RADIUS, LDAP, SQL, custom apps.)
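Slides 14, 15 and 21 describe per-application conditional access in which AD FS demands a second factor depending on device registration and network location. As an added example that is not part of the deck, the following PowerShell expresses that policy as AD FS (Windows Server 2012 R2) additional-authentication claim rules; the relying-party name "ClaimsApp-Placeholder" is a placeholder, and it assumes an MFA provider (such as the Windows Azure MFA adapter from slide 8) is already registered with the AD FS farm.

```powershell
# Added example (not from the deck): require MFA in AD FS 2012 R2 when a
# request arrives from outside the corporate network OR from a device that
# is not Workplace Joined. Workplace/domain-joined devices on the intranet
# keep single sign-on without the extra factor (slide 15 trust tiers).
# "ClaimsApp-Placeholder" is a placeholder relying-party trust name.
# Assumes an additional authentication provider is already enabled via
# Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider.

$rpName = "ClaimsApp-Placeholder"

# Claim types AD FS populates: the Web Application Proxy marks extranet
# requests with insidecorporatenetwork=false, and Workplace Join device
# authentication yields isregistereduser=true.
$insideNet  = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$regUser    = "http://schemas.microsoft.com/2012/12/devicecontext/claims/isregistereduser"
$authMethod = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$mfaValue   = "http://schemas.microsoft.com/claims/multipleauthn"

# Issuing the multipleauthn authentication-method claim is what makes AD FS
# run the MFA challenge (slide 21, steps 2 and 3) before releasing a token.
$mfaRules = @"
@RuleName = "MFA for extranet access"
c:[Type == "$insideNet", Value == "false"]
 => issue(Type = "$authMethod", Value = "$mfaValue");

@RuleName = "MFA for unregistered (Not Joined) devices"
NOT EXISTS([Type == "$regUser", Value == "true"])
 => issue(Type = "$authMethod", Value = "$mfaValue");
"@

# Scope the rules to this one relying party (per-application policy, slide 14)
# rather than the global policy, so other apps keep their own requirements.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRules

# Verify what is now enforced for the application.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, AdditionalAuthenticationRules
```

Test the rule set from both an intranet-joined device and an external unregistered device and confirm in the AD FS admin event log that only the latter is challenged.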

  22. Protect data with Dynamic Access Control
  • Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.
  • Automatically identify and classify data based on content. Classification applies as files are created or modified.
  • Centrally manage access control and audit policies from Windows Server Active Directory.
  • Integration with Active Directory Rights Management Services provides automated encryption of documents.
  • File classification, access policies and automated Rights Management work against client distributed data through Work Folders.
  (Diagram: Active Directory, File Services.)

  23. Recap: Access and Information Protection: Enable users, Hybrid Identity, Protect your data
  • Common identity to access resources on-premises and in the cloud
  • Centralize corporate information for compliance and data protection
  • Policy-based access control to applications and data
  • Simplified registration and enrollment for BYO devices
  • Automatically connect to internal resources when needed
  • Access to company resources is consistent across devices

  24. Empowering People-centric IT User and Device Management Access and Information Protection Microsoft Virtual Desktop Infrastructure

  25. People-centric IT
  • http://www.microsoft.com/en-us/server-cloud/cloud-os/pcit.aspx
  • Windows Server 2012 R2: http://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/default.aspx
  • System Center 2012 R2 Configuration Manager and Windows Intune: http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager/default.aspx
  Calls to Action
  • Download trial of Windows Server 2012 R2
  • Set up a Unified Device Management trial: System Center Configuration Manager 2012 R2, Windows Intune
  • Request a Proof-of-Concept