Access and Information Protection Product Overview

Andrew McMurray, Technical Evangelist – Windows Infra (@MaccaMSOz)

Transcript of a 24-page slide deck (Microsoft, 2013); posted 20-Jan-2016.

Page 1: Title slide

Access and Information Protection Product Overview. Andrew McMurray, Technical Evangelist – Windows Infra, @MaccaMSOz.

Page 2: Today's challenges

Devices: The explosion of devices is eroding the standards-based approach to corporate IT.

Apps: Deploying and managing applications across platforms is difficult.

Users: Users expect to be able to work in any location and have access to all their work resources.

Data: Users need to be productive while maintaining compliance and reducing risk.

Page 3: People-centric IT (Management. Access. Protection.)

Enable users: Allow users to work on the devices of their choice and provide consistent access to corporate resources.

Hybrid identity: Deliver unified application and device management on-premises and in the cloud.

Protect your data: Help protect corporate information and manage risk.

Page 4: Access and Information Protection

Protect your data: centralize corporate information for compliance and data protection; policy-based access control to applications and data.

Hybrid identity: common identity to access resources on-premises and in the cloud.

Enable users: simplified registration and enrollment for BYO devices; automatic connection to internal resources when needed; consistent access to company resources across devices.

Page 5: Enable users

Challenges:

Users want to use the device of their choice and have access to both their personal and work-related applications, data, and resources.

Users want an easy way to access their corporate applications from anywhere.

IT departments want to empower users to work this way, but they also need to control access to sensitive information and remain in compliance with regulatory policies.

Solutions:

Users can register their devices, which makes them known to IT, who can then use device authentication as part of providing access to corporate resources.

Users can enroll their devices, which provides them with the Company Portal for consistent access to applications and data, and lets IT manage the devices.

IT can publish access to corporate resources with conditional access based on the user's identity, the device they are using, and their location.

Page 6: Helping IT to enable users

IT can publish access to resources with the Web Application Proxy based on device awareness and the user's identity.

IT can provide seamless corporate access with DirectAccess and automatic VPN connections.

IT can publish desktop virtualization (VDI) for access to centralized resources.

Users can work from anywhere on their device with access to their corporate resources.

Users can register devices with Workplace Join for single sign-on and access to corporate data.

Users can enroll devices for access to the Company Portal, for easy access to corporate applications.

[Diagram: remote access through the Web Application Proxy and RD Gateway to web apps, files, LOB apps, and session host / VDI.]

Page 7: Registering and enrolling devices

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.

As part of the registration process, a new device record is created in Active Directory, establishing a link between the user and their device.

Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.

Data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and cloud-managed devices.

IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Multi-Factor Authentication integration with Active Directory Federation Services.

[Diagram: Web Application Proxy in front of AD FS.]

Page 8: Publish access to resources with the Web Application Proxy

Users can access corporate applications and data wherever they are.

IT can use the Web Application Proxy to pre-authenticate users and devices, with multi-factor authentication, through integration with AD FS.

Use conditional access for granular control over how and where the application can be accessed.

Active Directory provides the central repository of user identity as well as the device registration information.

Developers can leverage Windows Azure Mobile Services to integrate and enhance their apps.

[Diagram: devices reach apps and data through the Web Application Proxy. Published applications with AD FS pre-authentication: claims and Kerberos web apps, RESTful OAuth apps, Office forms-based access. Reverse-proxy pass-through for apps that authenticate with NTLM or Basic. AD FS and Active Directory (AD-integrated) sit behind the proxy.]
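The two publishing modes in the diagram above, as an added example that is not part of the deck: the PowerShell an administrator runs on a Windows Server 2012 R2 Web Application Proxy host. The host names (sts.contoso.com, app.contoso.com, legacy.contoso.com), the certificate lookup, the credential and the relying party name "Claims Web App" are assumptions; the relying party must already exist in AD FS, and one certificate valid for all published names is assumed.

```powershell
# Added example (not from the deck): publish one claims-aware app with AD FS
# pre-authentication and one legacy app in pass-through mode on a Windows Server
# 2012 R2 Web Application Proxy. All names below are assumptions.

# 1. Install the role and join the proxy to the federation service (once per WAP host).
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools
# Assumes a single certificate (e.g. *.contoso.com) covering every published name.
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=*.contoso.com*" }).Thumbprint
Install-WebApplicationProxy -FederationServiceName "sts.contoso.com" `
    -FederationServiceTrustCredential (Get-Credential "CONTOSO\adfsadmin") `
    -CertificateThumbprint $thumb

# 2. Claims-aware app: AD FS pre-authentication. Conditional access, device
#    registration checks and MFA are enforced on the AD FS relying party, so an
#    unauthenticated request never reaches the backend.
Add-WebApplicationProxyApplication -Name "Claims Web App" `
    -ExternalPreauthentication ADFS `
    -ExternalUrl "https://app.contoso.com/" `
    -BackendServerUrl "https://app.contoso.com/" `
    -ADFSRelyingPartyName "Claims Web App" `
    -ExternalCertificateThumbprint $thumb
# For a Kerberos (non-claims) backend, add -BackendServerAuthenticationSPN
# "HTTP/app.contoso.com" and configure constrained delegation from the proxy
# computer account to that SPN; AD FS still pre-authenticates at the edge.

# 3. Legacy NTLM/Basic app: pass-through. The proxy only terminates TLS and forwards
#    the request; the backend does its own authentication and none of the AD FS
#    policy applies. Use this only where the backend can withstand anonymous traffic.
Add-WebApplicationProxyApplication -Name "Legacy NTLM App" `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://legacy.contoso.com/" `
    -BackendServerUrl "https://legacy.contoso.com/" `
    -ExternalCertificateThumbprint $thumb

# 4. Review: anything listed as PassThrough is reachable without AD FS pre-authentication.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl -AutoSize
```

The practical check is the last command: the conditional access and multi-factor authentication the slide promises apply only to applications whose ExternalPreauthentication is ADFS. A pass-through entry is an Internet-facing door to the backend's own login, so it should be reviewed and justified in the same way as a firewall rule.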

Page 9: Make corporate data available to users with Work Folders

Users can sync their work data to their devices.

Users can register their devices to be able to sync data when IT enforces conditional access.

IT can publish access directly through a reverse proxy (such as the Web Application Proxy), or conditional access can be enforced through integration with AD FS.

IT can configure a file server to provide Work Folders sync shares for each user to store data that syncs to their devices, including integration with Rights Management.

IT can selectively wipe the corporate data from managed devices (Windows 8.1, Windows Phone 8, iOS, Android).

Active Directory discoverability provides users with their Work Folders location.

[Diagram: devices (including domain-joined devices) reach File Services through a reverse proxy (Web Application Proxy); Active Directory and AD FS provide identity.]
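The file-server side of the slide above, as an added example that is not part of the deck: creating a Work Folders sync share on a Windows Server 2012 R2 file server with the device-side requirements the deck alludes to, and setting the Active Directory attribute that gives users their Work Folders location. The path, group name, server URL and sts.contoso.com are assumptions.

```powershell
# Added example (not from the deck): a Work Folders sync share with device policy
# and AD-based discoverability. Names and paths are assumptions.

Import-Module ActiveDirectory
Install-WindowsFeature FS-SyncShareService -IncludeManagementTools

# One sync share; each member of the group gets a folder under the path. The two
# Require* settings are the device policy the slide refers to: the client must encrypt
# the Work Folders cache and enforce a lock-screen password, otherwise it is refused.
New-SyncShare -Name "WorkFolders" -Path "D:\SyncShares\WorkFolders" `
    -User "CONTOSO\WorkFolders-Users" `
    -RequireEncryption $true `
    -RequirePasswordAutoLock $true

# Discoverability: the client reads the user's msDS-SyncServerUrl attribute first and
# only then falls back to https://workfolders.<email domain>. Pin the URL per user so
# the fallback name is never required.
$url = "https://workfolders.contoso.com"
Get-ADGroupMember "WorkFolders-Users" -Recursive |
    Get-ADUser | ForEach-Object {
        Set-ADUser -Identity $_ -Replace @{ 'msDS-SyncServerUrl' = $url }
    }

# Internet access: when the share is published through Web Application Proxy with AD FS
# pre-authentication, point the sync server at the federation service so the registered
# device and MFA policies apply to sync traffic as well:
# Set-SyncServerSetting -ADFSUrl "https://sts.contoso.com"

# Verify the policy is in force on the share.
Get-SyncShare | Format-List Name, Path, RequireEncryption, RequirePasswordAutoLock
```

The "selective wipe" on the slide is the complement of RequireEncryption: because the client keeps the Work Folders cache encrypted with an enterprise key, revoking that key removes the corporate data without touching the user's own files.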

Page 10: Effective working with Remote Access

DirectAccess: the connection to the intranet is always active, and administrators can originate connections from the intranet to the remote client.

VPN: connections are user-initiated and on demand; administrators cannot originate connections from the intranet to the remote client.

With DirectAccess, a user's PC is automatically connected whenever an Internet connection is present.

Traditional VPNs are user-initiated and provide on-demand connectivity to corporate resources.

An automatic VPN connection provides automated starting of the VPN when a user launches an application that requires access to corporate resources.

[Diagram: remote clients pass through the firewall to web apps, session host, LOB apps, files and VDI.]
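The automatic VPN connection described above, as an added example that is not part of the deck: a Windows 8.1 client profile that brings the tunnel up when a line-of-business application is launched or an intranet name is resolved, with trusted-network detection so it stays down when the device is already inside. The server name, DNS suffix, DNS server address and application path are assumptions, and machine-certificate authentication assumes the device holds a certificate the VPN server trusts.

```powershell
# Added example (not from the deck): application- and DNS-triggered VPN on Windows 8.1.
# All names and addresses are assumptions.

# Profile: IKEv2 with machine-certificate authentication, encryption mandatory,
# split tunneling so only the triggered corporate traffic uses the tunnel.
Add-VpnConnection -Name "Contoso VPN" -ServerAddress "vpn.contoso.com" `
    -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -SplitTunneling -Force

# Trigger 1: launching the LOB application brings the tunnel up.
Add-VpnConnectionTriggerApplication -ConnectionName "Contoso VPN" `
    -ApplicationID "C:\Program Files\Contoso\LobClient.exe" -Force

# Trigger 2: resolving any name under corp.contoso.com brings the tunnel up and
# sends those queries to the internal DNS server only.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "Contoso VPN" `
    -DnsSuffix "corp.contoso.com" -DnsIPAddress "10.0.0.10" -Force

# Trusted network detection: if the machine's connection-specific DNS suffix is the
# corporate one it is already on the intranet and the triggers are suppressed. Without
# this the client would try to build a tunnel to itself from inside the firewall.
Set-VpnConnectionTriggerTrustedNetwork -ConnectionName "Contoso VPN" `
    -DnsSuffix "corp.contoso.com" -Force

# Review what will start the connection.
Get-VpnConnectionTrigger -ConnectionName "Contoso VPN"
```

This keeps the VPN's property from the table above (the client, not the intranet, initiates) while removing the user from the loop; it does not give administrators the manage-out path that DirectAccess provides.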

Page 11: Hybrid identity

Challenges:

Providing users with a common identity when they are accessing resources that are located both on-premises in a corporate environment and in cloud-based platforms.

Managing multiple identities and keeping the information in sync across environments is a drain on IT resources.

Solutions:

Users have a single sign-on experience when accessing all resources, regardless of location.

Users and IT can leverage their common identity for access to external resources through federation.

IT can consistently manage identities across on-premises and cloud-based identity domains.

Page 12: Active Directory for the cloud

Run Active Directory at scale with support for virtualization and rapid deployment through domain controller cloning.

Developers can integrate applications for single sign-on across on-premises and cloud-based applications.

Leverage cloud platforms to run Windows Server Active Directory and Active Directory Federation Services to reduce infrastructure on-premises.

Manage Active Directory using Windows PowerShell, use the improved deployment experience, and leverage the Active Directory Administrative Center for centralized management.

Activate clients running Windows 8 or Windows Server 2012 (and later), and Office on those clients, automatically using the existing Active Directory infrastructure (Active Directory-based activation).

[Diagram: Active Directory serving files, LOB apps and web apps.]

Page 13: Increasing the value in Active Directory Federation Services

Users can register their devices to gain access to corporate data and apps, and single sign-on through device authentication.

Conditional access with multi-factor authentication is provided on a per-application basis, leveraging user identity, device registration and network location.

Organizations can federate with partners and other organizations for seamless access to shared resources.

Organizations can connect to SaaS applications running in Windows Azure, Office 365 and third-party providers.

Enhancements to AD FS include simplified deployment and management.

[Diagram: Active Directory and AD FS behind the firewall; the Web Application Proxy (which includes the AD FS proxy) publishes applications (claims and Kerberos web apps, RESTful OAuth apps, Office forms-based access); federation reaches resources in other businesses or identity realms.]

Page 14: Single sign-on with device registration

Not joined: user-provided devices are "unknown" and IT has no control. Partial access may be provided to corporate information. Capability: browser session single sign-on.

Workplace joined: registered devices are "known", and device authentication allows IT to provide conditional access to corporate information. Capabilities: seamless two-factor authentication for web apps; enterprise apps single sign-on.

Domain joined: domain-joined computers are under the full control of IT and can be provided with complete access to corporate information. Capability: desktop single sign-on.
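The three device states above, expressed as AD FS policy, as an added example that is not part of the deck: enabling the Device Registration Service on a Windows Server 2012 R2 AD FS farm (which needs the 2012 R2 schema) and an issuance authorization policy for one relying party that permits registered devices and anything on the corporate network, so an unknown device from the Internet is denied. The service account, relying party name and URLs are assumptions.

```powershell
# Added example (not from the deck): Workplace Join on AD FS 2012 R2 plus a conditional
# access policy keyed on device registration and network location. Names are assumptions.

# 1. Device Registration Service: creates the RegisteredDevices container in AD, then
#    turns the service on and tells AD FS to perform device authentication.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\adfs-gmsa$'
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 2. Authorization rules in the AD FS claim rule language:
#    - isregistereduser is only present after device authentication (Workplace Join),
#    - insidecorporatenetwork is "true" when the request reached AD FS directly rather
#      than through the Web Application Proxy.
#    A request that issues no permit claim is denied, so unknown devices on the
#    Internet fall through both rules and get nothing.
$authzRules = @'
@RuleName = "Permit registered (Workplace Joined) devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit anything on the corporate network (domain-joined desktops)"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

Add-AdfsRelyingPartyTrust -Name "Claims Web App" `
    -Identifier "https://app.contoso.com/" `
    -WSFedEndpoint "https://app.contoso.com/" `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# 3. Check what Workplace Join wrote: one msDS-Device object per registered device,
#    linked to its owner (the "link between the user and their device" on page 7).
Get-ADObject -Filter 'objectClass -eq "msDS-Device"' -Properties msDS-RegisteredOwner |
    Select-Object Name, msDS-RegisteredOwner
```

The network-location rule relies on the Web Application Proxy being the only external path to AD FS; if the federation service is reachable from the Internet without passing through the proxy, insidecorporatenetwork will be "true" for external requests and the second rule silently grants what the first was meant to gate.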

Page 15: Managing cloud identities

Users get access through accounts in Windows Azure Active Directory to Windows Azure, Office 365 and non-Microsoft applications.

IT can provide users with a common identity across on-premises and cloud-based services, leveraging Windows Server Active Directory and Windows Azure Active Directory.

Users are more productive by having single sign-on to all their resources.

IT can use Active Directory Federation Services to connect with Windows Azure for a consistent cloud-based identity.

Developers can build applications that leverage the common identity model.

[Diagram: on-premises Active Directory (web apps, LOB apps, files) connected to Windows Azure Active Directory through DirSync and AD FS.]

Page 16: Delivering a seamless user authentication experience

Cloud authentication (DirSync with password hash sync): user attributes are synchronized using DirSync, including the password hash, and authentication is completed against Windows Azure Active Directory. Multi-factor authentication can be configured through Windows Azure.

Federated authentication with single sign-on: user attributes are synchronized using DirSync, and authentication is passed back through federation and completed against Windows Server Active Directory. AD FS provides conditional access to resources, Workplace Join for device registration, and integrated multi-factor authentication.

[Diagram: on-premises Active Directory with DirSync and AD FS connecting to Windows Azure Active Directory.]

Page 17: Windows Azure Active Directory: more than a directory in the cloud

Comprehensive identity and access management with a common identity across on-premises and the cloud.

Sync identity from Active Directory with DirSync, or provide single sign-on with AD FS.

Choose among hundreds of popular SaaS apps from a pre-populated application gallery.

Easily add custom cloud-based apps. Facilitate developers with identity management.

Add multi-factor authentication for additional user identity verification.

Page 18: Protect your data

Challenges:

As users bring their own devices to use for work, they will also want to access sensitive information and have it available locally on the device.

A significant amount of corporate data can be found only on user devices.

IT needs to be able to secure, classify, and protect data based on the content it contains, not just where it resides, while maintaining regulatory compliance.

Solutions:

Users can work on the device of their choice and access all their resources, regardless of location or device.

IT can enforce a set of central access and audit policies, and protect sensitive information based on the content of the documents.

IT can centrally audit and report on information access.

Page 19: Policy-based access to corporate information

IT can publish resources using the Web Application Proxy and create business-driven access policies with multi-factor authentication based on the content being accessed.

IT can audit user access to information based on central audit policies.

Users can access corporate data regardless of device or location, with Work Folders for data sync and desktop virtualization for centralized applications.

IT can provide a secure and familiar solution for users to access sensitive corporate data from anywhere with VDI and RemoteApp technologies.

[Diagram: devices reach centralized data (desktop virtualization: session host and VDI, LOB apps, web apps and files, through RD Gateway) and distributed data, both governed by an access policy.]

Page 20: Protecting information with multi-factor authentication

1. A user attempts to log in or perform an action that is subject to MFA.

2. When the user authenticates, the application or service (AD FS, or an application authenticating against Active Directory, RADIUS, LDAP, SQL, or a custom store) performs an MFA call.

3. The user must respond to the challenge, which can be configured as a text message, a phone call, or a mobile app notification.

4. The response is returned to the app, which then allows the user to proceed.

5. IT can configure the type and frequency of the MFA challenge that the user must respond to.
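Step 5 from the AD FS side, as an added example that is not part of the deck: where an AD FS 2012 R2 administrator decides when the MFA call in step 2 is made. The relying party name is an assumption, and the provider name "AzureMfaAdapter" is a placeholder for whatever Get-AdfsAuthenticationProvider reports once the Azure MFA server adapter (or another adapter) has been registered on the farm.

```powershell
# Added example (not from the deck): additional (multi-factor) authentication rules
# in AD FS 2012 R2. Relying party and provider names are assumptions.

# Which additional authentication providers are registered on this farm?
Get-AdfsAuthenticationProvider | Select-Object Name, AdminName

# Make one of them selectable (replace the placeholder with a Name from the list above).
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @("AzureMfaAdapter")

# Frequency/type policy: challenge only when the request comes from outside the corporate
# network AND the device is not Workplace Joined. Inside the network, or from a registered
# device, primary authentication is enough. Issuing the multipleauthn authentication
# method claim is what triggers the MFA call.
$mfaRules = @'
@RuleName = "MFA for unregistered devices outside the corporate network"
EXISTS([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]) &&
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@

# Per-application scope (the "per-application basis" on page 13):
Set-AdfsRelyingPartyTrust -TargetName "Claims Web App" -AdditionalAuthenticationRules $mfaRules

# Global scope, applied to every relying party. Global and per-RP rules are both
# evaluated; a user who matches either set is challenged.
# Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRules

# Confirm what is now in force for the application.
Get-AdfsRelyingPartyTrust -Name "Claims Web App" |
    Select-Object Name, AdditionalAuthenticationRules
```

The rule is deliberately an AND of the two weak signals: a registered device alone does not prove the user is present, and being on the corporate network alone does not prove the device is managed, but a request that is both external and from an unknown device is exactly the case the deck's conditional access is meant to stop without a second factor.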

Page 21: Protect data with Dynamic Access Control

Centrally manage access control and audit policies from Windows Server Active Directory.

Automatically identify and classify data based on content. Classification is applied as files are created or modified.

Integration with Active Directory Rights Management Services provides automated encryption of documents.

Central access and audit policies can be applied across multiple file servers, with near real-time classification and processing of new and modified documents.

File classification, access policies and automated Rights Management also work against data distributed to clients through Work Folders.

[Diagram: File Services and Active Directory.]
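The whole chain on the slide above (claim, classification, central access rule and policy, RMS automation), as an added example that is not part of the deck, on Windows Server 2012 / 2012 R2. Everything named here is an assumption: the "Finance" department value, the D:\Finance path, the "Finance Confidential" marker string and the RMS template name "Contoso Confidential", which must already exist on the AD RMS cluster. Applying the resulting policy to a folder and enabling claims on the KDC are Group Policy / GUI steps noted in comments.

```powershell
# Added example (not from the deck): Dynamic Access Control end to end.
# Domain-side steps run on a domain controller with the AD module; the FSRM steps run
# on the file server. All values are assumptions.

Import-Module ActiveDirectory

# 1. User claim sourced from the AD 'department' attribute. -PassThru returns the object
#    so the generated claim ID (ad://ext/Department:<hex>) can be referenced exactly.
$deptClaim = New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -Enabled $true -PassThru

# 2. Enable the built-in Department resource property (ID Department_MS); file servers
#    pick it up from the global resource property list.
$deptProp = Get-ADResourceProperty -Filter 'DisplayName -eq "Department"'
Set-ADResourceProperty -Identity $deptProp -Enabled $true

# 3. Central access rule. Targets files classified Department=Finance; grants read/execute
#    (0x1200a9) only to authenticated users whose department claim equals the file's
#    classification. Owner, Administrators and SYSTEM keep full control.
$acl = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)" +
       "(XA;;0x1200a9;;;AU;(@USER.$($deptClaim.ID) == @RESOURCE.$($deptProp.ID)))"
New-ADCentralAccessRule -Name "Finance documents: department match" `
    -ResourceCondition "(@RESOURCE.$($deptProp.ID) Any_of {`"Finance`"})" `
    -CurrentAcl $acl

# 4. Policy containing the rule. Deploy it to file servers by GPO (Computer Configuration >
#    Windows Settings > Security Settings > File System > Central Access Policy), then select
#    it on the folder under Advanced Security Settings. Domain controllers need the
#    "KDC support for claims, compound authentication and Kerberos armoring" setting so
#    the department claim is actually issued in the user's ticket.
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" `
    -Members "Finance documents: department match"

# ---- File server (FSRM) ----

# 5. Pull the resource properties, then classify by content: any file under D:\Finance
#    containing the marker string is tagged Department=Finance. The CAR above then follows
#    the tag, not the folder the file happens to be in.
Update-FsrmClassificationPropertyDefinition
New-FsrmClassificationRule -Name "Tag finance documents" `
    -Property "Department_MS" -PropertyValue "Finance" `
    -Namespace @("D:\Finance") `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("Finance Confidential") `
    -ReevaluateProperty Overwrite
Start-FsrmClassification -Confirm:$false

# 6. Automated Rights Management: a continuous file management job that applies the RMS
#    template to every file tagged Finance as soon as the classification is set, so the
#    document stays encrypted when it leaves the server (e.g. via Work Folders).
$isFinance  = New-FsrmFmjCondition -Property "Department_MS" -Condition Equal -Value "Finance"
$rmsProtect = New-FsrmFmjAction -Type Rms -RmsTemplate "Contoso Confidential"
New-FsrmFileManagementJob -Name "Protect finance documents" `
    -Namespace @("D:\Finance") -Condition @($isFinance) -Action $rmsProtect -Continuous
```

Two checks worth doing after deployment: run the Effective Access tab for a user in another department on a tagged file (it should show the claim-based denial, which also exercises the "central audit" story when auditing on the same claims is enabled), and confirm that a file copied out of D:\Finance keeps both its Department_MS tag and its RMS protection, since that is the property that distinguishes content-based control from folder ACLs.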

Page 22: Recap: Access and Information Protection

Protect your data: centralize corporate information for compliance and data protection; policy-based access control to applications and data.

Hybrid identity: common identity to access resources on-premises and in the cloud.

Enable users: simplified registration and enrollment for BYO devices; automatic connection to internal resources when needed; consistent access to company resources across devices.

Page 23: For more information

http://www.microsoft.com/en-us/server-cloud/solutions/access-information-protection.aspx

http://www.microsoft.com/en-us/server-cloud/solutions/user-device-management.aspx

More resources:

System Center 2012 R2 Configuration Manager: http://technet.microsoft.com/en-us/evalcenter/hh667640.aspx?wt.mc_id=TEC_105_1_33

Windows Intune: http://www.microsoft.com/en-us/windows/windowsintune/try-and-buy

Windows Server 2012 R2: http://www.microsoft.com/en-us/server-cloud/windows-server/windows-server-2012-r2.aspx

Page 24: Legal notice

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.