Access & Information Protection


Access information protection

Access & Information Protection

Speaker Name

Name



Empowering People-centric IT

User and Device Management

Access and Information Protection

Microsoft Virtual Desktop Infrastructure



Apps

Today’s challenges

Deploying and managing applications across platforms is difficult.

Devices

Users

Data

Users expect to be able to work in any location and have access to all their work resources.

The explosion of devices is eroding the standards-based approach to corporate IT.

Users need to be productive while maintaining compliance and reducing risk.



People-centric IT

Enable users

Allow users to work on the devices of their choice and provide consistent access to corporate resources.

Hybrid Identity

Deliver unified application and device management on-premises and in the cloud.

Apps

Data

Devices

Users

Protect your data

Help protect corporate information and manage risk.

Management. Access. Protection.



Access and Information Protection

Enable users

Hybrid Identity

Protect your data

Common identity to access resources on-premises and in the cloud

Centralize corporate information for compliance and data protection

Policy-based access control to applications and data

Simplified registration and enrollment for BYO devices

Automatically connect to internal resources when needed

Access to company resources is consistent across devices



Enable users

Challenges

Solutions

Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.

Users want an easy way to access their corporate applications from anywhere.

IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.

Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.

Users can enroll their devices, which provides them with the company portal for consistent access to applications and data, and to manage their devices.

IT can publish access to corporate resources with conditional access based on the user's identity, the device they are using, and their location.



Helping IT to enable users

Users can enroll devices for access to the Company Portal for easy access to corporate applications

IT can publish Desktop Virtualization (VDI) for access to centralized resources

Users can work from anywhere on their device with access to their corporate resources.

VDI

Session host

IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity

RD Gateway

Remote Access

Web Application Proxy

IT can provide seamless corporate access with DirectAccess and automatic VPN connections.

Web Apps

LOB Apps

Files

Users can register devices for single sign-on and access to corporate data with Workplace Join

Active Directory



Registering and Enrolling Devices

Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications

Data from Windows Intune is synced with Configuration Manager, which provides unified management across both on-premises and cloud environments

Active Directory

Multi-Factor Authentication

AD FS

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device

Web Application Proxy

As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device

IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services.

Active Directory



Publish access to resources with the Web Application Proxy

AD Integrated

Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps

Published applications

Use conditional access for granular control over how and where the application can be accessed

Other cloud based apps and identity stores

Active Directory

Office Forms Based Access

Claims & Kerberos web apps

Mobile Services

Restful OAuth apps

AD FS

Devices

Web Application Proxy

Users can access corporate applications and data wherever they are

Active Directory provides the central repository of user identity as well as the device registration information

Apps & Data

Reverse proxy pass through

e.g. NTLM & Basic based apps

IT can use the Web Application Proxy to pre-authenticate users and devices with multi-factor authentication through integration with AD FS

Active Directory



Make corporate data available to users with Work Folders

Active Directory discoverability provides users with their Work Folders location

IT can configure a File Server to provide Work Folder sync shares for each user to store data that syncs to their devices, including integration with Rights Management

IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android)

Reverse Proxy

Active Directory

AD FS

Devices

File Services

Users can sync their work data to their devices.

Users can register their devices to be able to sync data when IT enforces conditional access

Web Application Proxy

IT can publish access directly through a reverse proxy (such as the Web Application Proxy), or conditional access can be enforced through integration with AD FS

Domain joined devices

Apps & Data



Effective working with Remote Access

An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.

  • Cannot originate admin connection from intranet

Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources.

VPN

Session host

VDI

  • Can originate admin connection from intranet

Web Apps

Firewall

With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present.

Files

  • Connection to intranet is always active

LOB Apps

DirectAccess



Hybrid Identity

Challenges

Solutions

Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and in cloud-based platforms.

Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.

Users have a single sign-on experience when accessing all resources, regardless of location.

Users and IT can leverage their common identity for access to external resources through federation.

IT can consistently manage identities across on-premises and cloud-based identity domains.



Active Directory for the cloud

Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises.

Infrastructure Services

Developers can integrate applications for single sign-on across on-premises and cloud-based applications.

Manage Active Directory using Windows PowerShell, use the improved deployment experience and leverage the Active Directory Administrative Center for centralized management

Files

Web Apps

LOB Apps

Active Directory

Activate clients running Office on at least Windows 8 or Windows Server 2012 automatically using existing Active Directory infrastructure.

Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning.



Increasing the value in Active Directory Federation Services

Organizations can connect to SaaS applications running in Windows Azure, Office 365 and 3rd party providers

Enhancements to AD FS include simplified deployment and management

Published applications

SaaS Apps

Office Forms Based Access

Claims & Kerberos web apps

Active Directory

Organizations can federate with partners and other organizations for seamless access to shared resources

Restful OAuth apps

ADFS

AD FS

Resources in other businesses or identity realms

Web Application Proxy

(includes AD FS Proxy)

Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration & network location

Firewall

Users can register their devices to gain access to corporate data and apps and single sign-on through device authentication



Single sign-on with device registration

Not Joined

Workplace Joined

Domain Joined

User provided devices are “unknown” and IT has no control. Partial access may be provided to corporate information.

Registered devices are “known” and device authentication allows IT to provide conditional access to corporate information

Domain joined computers are under the full control of IT and can be provided with complete access to corporate information

Browser session single sign-on

Seamless 2-Factor Auth for web apps

Enterprise apps single sign-on

Desktop Single Sign-On



Managing hybrid cloud identities

Developers can build applications that leverage the common identity model

3rd party services

Apps in Azure

Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365 and non-Microsoft applications

Active Directory

DirSync

ADFS

Web Apps

LOB Apps

Users are more productive by having a single sign-on to all their resources

Files

IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity.

IT can provide users with a common identity across on-premises or cloud-based services leveraging Windows Server Active Directory and Windows Azure Active Directory

Active Directory



Delivering a seamless user authentication experience

Multi-Factor Authentication can be configured through Windows Azure

Cloud Authentication

Active Directory

Active Directory

User attributes are synchronized using DirSync, including the password hash; authentication is completed against Windows Azure Active Directory

DirSync with password hash sync

DirSync

AD FS

Federated Authentication with Single Sign-On

User attributes are synchronized using DirSync; authentication is passed back through federation and completed against Windows Server Active Directory

Active Directory

Active Directory

AD FS provides conditional access to resources, Workplace Join for device registration and integrated Multi-Factor Authentication


Windows Azure Active Directory: More than a directory in the cloud

  • Choose among hundreds of popular SaaS apps from a pre-populated application gallery.

Active Directory

Sync identity with DirSync or provide SSO with AD FS

LOB Apps

Web Apps

Multi-Factor Authentication

Add multi-factor authentication for additional user identity verification

3rd party services

Easily add custom cloud-based apps. Facilitate developers with identity management.

Comprehensive identity and access management with a common identity across on-premises and in the cloud

Active Directory



Protect your data

Challenges

Solutions

Users can work on the device of their choice and be able to access all their resources, regardless of location or device.

IT can enforce a set of central access and audit policies, and be able to protect sensitive information based on the content of the documents.

IT can centrally audit and report on information access.

As users bring their own devices in to use for work, they will also want to access sensitive information and have access to this information locally on the device.

A significant amount of corporate data can only be found locally on user devices.

IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, including maintaining regulatory compliance.



Policy based access to corporate information

IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.

Desktop Virtualization

Centralized Data

Devices

RD Gateway

VDI

Users can access corporate data regardless of device or location with Work Folders for data sync and desktop virtualization for centralized applications.

Session host

Files

Access Policy

LOB Apps

Distributed Data

Web Apps

IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.

IT can audit user access to information based on central audit policies.



Protecting information with multi-factor authentication

1. A user attempts to log in or perform an action that is subject to MFA

2. When the user authenticates, the application or service performs an MFA call

Multi-Factor Authentication

3. The user must respond to the challenge, which can be configured as a text message, a phone call or a mobile app

ADFS

4. The response is returned to the app which then allows the user to proceed

5. IT can configure the type and frequency of the MFA that the user must respond to

Application authentication

e.g. Active Directory, RADIUS, LDAP, SQL, custom apps

User




Protect data with Dynamic Access Control

Active Directory

File Services

Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.

Automatically identify and classify data based on content. Classification applies as files are created or modified.

Centrally manage access control and audit policies from Windows Server Active Directory.

Integration with Active Directory Rights Management Services provides automated encryption of documents.

File classification, access policies and automated Rights Management also apply to client-distributed data through Work Folders.



Recap: Access and Information Protection

Enable users

Hybrid Identity

Protect your data

Common identity to access resources on-premises and in the cloud

Centralize corporate information for compliance and data protection

Policy-based access control to applications and data

Simplified registration and enrollment for BYO devices

Automatically connect to internal resources when needed

Access to company resources is consistent across devices



Empowering People-centric IT

User and Device Management

Access and Information Protection

Microsoft Virtual Desktop Infrastructure


Access information protection

  • People-centric IT

    • http://www.microsoft.com/en-us/server-cloud/cloud-os/pcit.aspx

  • Windows Server 2012 R2

    • http://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/default.aspx

  • System Center 2012 R2 Configuration Manager and Windows Intune

    • http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager/default.aspx

Calls to Action

  • Download trial of Windows Server 2012 R2

  • Set up a Unified Device Management trial

    • System Center Configuration Manager 2012 R2

    • Windows Intune

  • Request a Proof-of-Concept
