Key Challenges

2. Key Challenges Mergers, Supply Chain, Outsourcing, Partnering, Globalization, … Integration Imperative Cloud Computing Compliance++

3. Why the Focus on the Cloud? • The cloud cadence is the fastest way to get users new capabilities – including on-premises • State-of-the-art cloud architectures provide the highest availability and scale with good TCO • Significant innovation occurring on the internet; ensure headroom for your solutions

4. Implications (1/2) • In some ways, nothing new here. Just more challenging… • As predicted, growing need for access while crossing boundaries • Still need to be able to provision, authenticate, and authorize • Still need to track, manage, and report • With high-availability, high-scale, great management, low TCO, … • But increasingly organizations control less of the solution • Applications and developers can be in other organizations and are probably on different or new platforms • Identities and profiles can be external – and need to be “validated” • And the regulatory complexity is growing

5. Implications (2/2) • “Hybrid” is the Norm • Current systems and applications remain critical indefinitely • And you need to be able to integrate with applications in other organizations and with SaaS solutions • Want to be able to deliver applications that are accessible to any device running anywhere

6. Seamless Experiences in a Hybrid World Enterprise’s Partners ID (Potentially not AD) Enterprise’s Customers Consumer ID (Facebook, Google, Live) Verified ID (DMV, banks, credit agencies) Fed Svc Fed Svc Fed Svc Example of Microsoft Services Enterprise HeathVault Office 365 Exchange SharePoint OCS WindowsAzure Apps Markets DS Dir ADFS SQL Azure InTune(device management) App/Service management Sync FIM Sync Identity Management

7. Emerging Technologies That Can Help • Claims-Based Identity • Organizations like RBAC, entitlements, and other policy-driven approaches • The claims model provides a comprehensive foundation to enable these solutions in a distributed, cloud-friendly manner – learn more at http://identityblog.com • The technology generalizes the proven mechanisms found in Kerberos, PKI, SAML, ACLs, RBAC, Entitlements, … • These technologies are embedded in products from MS, IBM, Oracle, Ping as well as many existing and emerging standards • Enables cross-organization collaboration and new scenarios; e.g. distributed delegation; distributed groups and role management; high-scale, capability-based access control; …

8. Why claims allow crossing of boundaries • OED Definitions: • An assertion is a “confident and forceful statement of fact or belief”. • A claim is “an assertion of the truth of something, typically one which is disputed or in doubt”. • Better than: “To state as being the case, without being able to give proof” (TD 0910) • A claim is always spoken by some entity, and the fact that a claim is signed by that entity does not in itself reduce that doubt. • Essence is building an infrastructure in which relying parties can deal with doubt

9. Emerging Technologies That Can Help • Need-to-know Internet: • Internet services operating on behalf of ALL actors assume other services may be rogue and defend themselves • Identity information released is ONLY that required for transaction to complete (proportionality). • Contextual linking should be opt-in by individuals in return for benefits – not done by services or behind their backs • Compliance requirement: Profile information must be isolated from natural identity • Audit requirements should be proportionate to context (e.g. financial transactions, youth sites, search engines) • Audit information should be visible only to auditors and only as required – not weaken overall Internet security and privacy

10. Build minimal disclosure into Identification • Clarify how identifiers relate to minimal disclosure: • Wrong: • Generally, identifiers, and/or attributes will uniquely characterise an entity within a particular context. • Right: • Identity: A representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within a context.

11. Emerging Technologies That Can Help • Cloud directory++ that • Synchronizes with and synergizes with enterprise directory • Shares a logical schema with enterprise and device directories • Is multi-tenant • Is secure (more than lip service!) • Is based on “Privacy By Design” • Privacy of individuals • Privacy of enterprises • Supports “hybrid applications” • E.g. Sharepoint • Shares and supports common policy system

12. Cloud Identity Conceptual Architecture LDAP OpenID WS-Fed WS-Trust SAML OAuth Directory Service Authentication, Claims Transformation Service Management Organization Data Models Synchronization PE PE Filter xForm PE Filter xForm xForm Filter Multi-tenant, Extensible, Secure Identity Store

13. Looking Ahead • Identity Fabric (Look at Windows Azure ACS V2) • Loosely coupled approach built on interoperable protocols and claims-based architecture • Integrated authentication and authorization spanning Servers, cloud hosting environments, private clouds, extranets, and clients • Authorization that enables coordinated, cross-system policies • Seamless Experiences • Borderless collaboration – BYOI SSO, integrated connectivity • Deep integration applications • Integrated device management, group policy Integrated Management Developer Ecosystem Seamless Experiences Core Identity Fabric

14. Looking Ahead • Developer Ecosystem • Standards-based protocols for integration • Great developer assets - Visual Studio and Marketplace integration • Integrated Management • Common management on-premises and in the cloud • Common experience across directories, applications and services • Enhanced self-service Integrated Management Developer Ecosystem Seamless Experiences Core Identity Fabric