Pre-Con Ed: How to IAM-Enable Your Office 365 Environment
CA World® ’16
IAM for Office 365 Environment
John Zebrowski, Sr. Principal Consultant, CA Technologies
SCX10E
SECURITY
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only
Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Businesses are moving away from the traditional implementation of Microsoft® Office and migrating to the new, cloud-based Office 365™, which offers increased accessibility and significant cost savings. However, the cloud also introduces significant challenges. In this session, we’ll discuss how identity and access management solutions from CA can help enable and protect this environment.
John Zebrowski, CA Technologies, Sr. Principal Consultant
Agenda
1. OFFICE 365 IMPACT
2. SINGLE SIGN ON TO OFFICE 365
3. STRONG AUTHENTICATION FOR OFFICE 365
4. PROVISIONING TO OFFICE 365
The Impact of Office 365
§ Businesses migrating to cloud-based Office 365
§ Adoption rate is fast and accelerating
§ But there are challenges
1 out of 5 corporate employees uses an Office 365 cloud service, up from less than 7% just nine months ago [1]
[1] https://www.skyhighnetworks.com/cloud-security-blog/7-charts-reveal-the-meteoric-rise-of-office-365/
Single Sign On to Office 365
§ Background – As businesses move from client-based Microsoft Office to cloud-based Office 365, they need a simple way for users to access these applications without additional logins.
§ One Option – Office 365 supports ADFS 2.0 claims-based federation, but if this is built with AD, you are forced to accept a “loose coupling” and lose control of the user’s session.
§ The CA Alternative Option – CA SSO can support loose or tight coupling, as needed, and can support single sign-on to hundreds of on-premise and cloud-based applications.
Authentication to Office 365: Process Flow
Step 1: User logs into network and is authenticated by Active Directory.
[Diagram: End User, Workstation, Active Directory]
Authentication to Office 365: Process Flow
Step 2: User clicks link to open Intranet Portal, which is protected by CA SSO.
CA SSO leverages Integrated Windows Authentication to log user into portal.
[Diagram: End User, Workstation, Active Directory, CA Single Sign-On, Intranet Portal]
Authentication to Office 365: Process Flow
Step 3: User clicks link to open Office 365, which is protected by CA SSO.
CA SSO federates user into Office 365 using ADFS.
[Diagram: End User, Workstation, Active Directory, CA Single Sign-On, Intranet Portal, Office 365]
Authentication to Office 365: Process Flow
CA SSO also supports direct access to Office 365.
[Diagram: End User, Workstation, Active Directory, CA Single Sign-On, Office 365]
Authentication to Office 365: Process Flow
Step 1: User would be redirected to CA SSO, which would prompt User to Login.
CA SSO would collect Credentials and Validate them against Active Directory.
[Diagram: End User, Workstation, Active Directory, CA Single Sign-On, Login Page, Office 365]
Authentication to Office 365: Process Flow
Step 2: CA SSO federates user into Office 365.
[Diagram: End User, Workstation, Active Directory, CA Single Sign-On, Office 365]
Summary of CA SSO Support for Office 365
§ Profiles Supported
  – WS-Federation Passive Requestor Profile
  – WS-Federation Active Requestor Profile
§ Use Cases Supported
  – Browser-based SSO to Office 365
  – Thick client-based SSO to Office 365
  – IWA-based SSO to Office 365
§ Browsers Supported
  – Internet Explorer, Safari
What about additional authentication security?
58% of sensitive data stored in the cloud is stored in OFFICE DOCUMENTS [1]
[Chart: Microsoft Excel 29%, Other 23%, Adobe PDF 19%, Microsoft Word 17%, Microsoft PowerPoint 10%, Microsoft Outlook (MSG/PST) 2%]
[1] https://www.skyhighnetworks.com/cloud-security-blog/7-charts-reveal-the-meteoric-rise-of-office-365/
Authentication to Office 365: The Security Risk
Sensitive data stored in Office 365 cloud is protected, in most cases, by a password
Login with User ID & Password
A credential that can be easily cracked, stolen, or given away
[Diagram: End User, Multiple Devices, Active Directory, Intranet Portal, Office 365]
Authentication to Office 365: The Security Solution
But what if you could enhance the password without impacting the user experience?
With CA Advanced Authentication, you can!
[Diagram: End User, Multiple Devices, Active Directory, Intranet Portal, Office 365, CA Advanced Authentication]
Authentication to Office 365: The Security Options
Three Options to enhance the password login process to Office 365
Option 1 – 2FA Credentials
Option 2 – Risk Evaluation
Option 3 – Combination of Both 2FA Credentials and Risk Evaluation
[Diagram: End User, Multiple Devices, Active Directory, Intranet Portal, Office 365]
Authentication to Office 365: The Deployment Options
CA Advanced Authentication can be deployed as standalone solution, or…
[Diagram: End User, Multiple Devices, Active Directory, Intranet Portal, Office 365, CA Advanced Authentication]
It can be deployed with CA Single Sign On!
[Diagram: End User, Multiple Devices, Active Directory, Intranet Portal, Office 365, CA Single Sign-On, CA Advanced Authentication]
Summary of CA AA Support for Office 365
§ Profiles Supported
  – WS-Federation Passive Requestor Profile
  – WS-Federation Active Requestor Profile
§ Use Cases Supported
  – Browser-based SSO to Office 365
  – Thick client-based SSO to Office 365
§ Authentication Mechanisms Supported
  – CA AuthID, CA Mobile OTP, knowledge-based security questions, OATH tokens, out-of-band OTP, and risk-based adaptive authentication.
Provisioning to Office 365
§ User Provisioning – CA Identity Suite can automatically provision and de-provision users and access rights to Office 365 based on changes submitted to it from an Authoritative Source.
§ Identity Governance – CA Identity Suite can certify user access to Office 365 to ensure that only the right people have access to sensitive documents and data.
CA Identity Service
§ SSO to Office 365
  – Profiles Supported
    § WS-Federation Passive Requestor Profile
    § WS-Federation Active Requestor Profile
  – Use Cases Supported
    § Browser-based SSO to Office 365
    § Thick client-based SSO to Office 365
§ Provisioning to Office 365
  – Automated user provisioning and de-provisioning to Office 365
How CA IAM Solutions Work Together
Columns: Product | Out of the Box | Add-On Possibilities (CA AA, CA IDM, CA IDM Service, CA SSO)
CA Single Sign On | Federated SSO to O365
CA Identity Manager | User Provisioning to O365
CA Advanced Auth | Strong Auth to O365
CA Identity Service | SSO & Provisioning to O365
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCX09E | CA SSO: Access Models | 11/14/2016 at 1:00 pm
SCT44T | WAM & Federation: Two Great Tastes that Taste Great Together | 11/16/2016 at 11:30 am
SCX20S | CA SSO & AA Roadmap | 11/17/2016 at 1:45 pm
Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
Questions?
Thank you.
Stay connected at communities.ca.com
Security
For more information on Security, please visit: http://cainc.to/EtfYyw