Planning Cloud & Hybrid Identity with Microsoft Azure (transcript)
AZURE SALES STAR PROGRAM | WWW.CONSALTA.SI | Copyright © Consalta Ltd.

PLANNING CLOUD & HYBRID IDENTITY WITH MICROSOFT AZURE
AZURE SALES STAR PROGRAM IN CEE
IGOR SHASTITKO
FEB 2017
About Consalta
Every business deserves an opportunity to grow! We support IT companies in growing their business in the Cloud. We are the Cloud Business Enablers!
1000+ clients | 200+ onsite engagements | 180+ webinars | 40+ countries | 4.84 rating
IGOR SHASTITKO
Role: Senior Infrastructure/Security Consultant
Work: Microsoft Partners, Microsoft Learning Centers, Microsoft MCS
Background: Computer Science, MCSE/MCT, Geek
Pleasure: Family, Video Blogging, Gadgets & technologies
Azure Sales Star program: Sessions at 10AM (CET)
• Feb 6, 2017: Azure security scenarios - overview of main scenarios for security projects
• Feb 9, 2017: New partner opportunities to plan cloud/hybrid identity projects
• Feb 13, 2017: Fine-tune the details of planning hybrid identity protection
• Feb 16, 2017: Provide a full management experience for hybrid infrastructure
• Feb 20, 2017: Secure mobile users planning: Mobile Device Management (MDM) scenarios comparison
• Feb 23, 2017: Implementing Microsoft Intune for MDM
• Feb 27, 2017: Planning data access & protection in hybrid infrastructure
• Mar 2, 2017: Planning hybrid data protection at the file level
• Mar 6, 2017: Planning Azure infrastructure security
• Mar 9, 2017: Planning Azure infrastructure security: data protection in Azure
Agenda for the following 45 minutes
• Security Discussion & Identity Threats: how to start fast
• Identity Solutions' Stack: carefully identify needs
• Customer Case Study
• What is next: webinars and resources
Security Discussion & Identity Threats
1. The Research | 2. New Ideas | 3. The Gap | 4. The Plan | 5. The Change | 6. The Evaluation
STEP 0: Before we start Hybrid Identity etc.
Defense-in-Depth MUST be implemented for the on-premises infrastructure before any other project
• Start any new security project's discussion with the Defense-in-Depth methodology/strategy
• Cloud (and especially hybrid cloud) solutions are just a reflection of the security of the customer's on-premises infrastructure
• The most common attacks on the cloud start with on-premises breaches
The cyber kill chain: it is mostly about identity
https://www.microsoft.com/security/sir/default.aspx
New threats & security trends in the "Cloud World"
ATTACKS AGAINST CLOUD ADMINISTRATORS & CLOUD IDENTITY
Identity is one of the key breach points of the infrastructure

INFRASTRUCTURE: "IaaS" does not mean secure
• Azure IaaS has the same vulnerabilities as the customer's local infrastructure
• It is not only about protecting VMs/LOB applications; the new infrastructure itself must be protected against modern threats

IDENTITY: the most used practice
• Getting admin access ("gold admin") is the most used attacker practice against organisations
• "Cloud globalisation" of identity systems and accounts makes such a breach more effective

MOBILITY: lost devices, BYOD
• Business requirements demand more mobility from employees
• All confidential data on mobile user devices is a potential loss or disclosure risk
• BYOD/unmanaged devices are a threat to the customer's infrastructure and identity
Identity Solutions' Stack in Microsoft Azure
Quick overview: Cloud/Hybrid Identity Solutions
• "Pure" Cloud Identity: Azure Active Directory
• Cloud Identity for Partners: Azure AD B2B
• Cloud Identity for Customers: Azure AD B2C
• Hybrid Identity: Cloud Identity (Azure AD) + on-premises Active Directory etc.
STEP 1: Determination of Customer needs
The type of Cloud Identity solution required should be selected carefully
• The Customer manages the accounts (create, delete, change password, etc.) and the users are employees of the organization (in some form): skip the next steps and go to the "Pure" Cloud/Hybrid Identity solutions
• Employees of other organizations or individuals who are contractors, partners or users of the Customer's organization: Azure Active Directory B2B
• Users (accounts) of the Customer's public websites for purchases, comments, subscriptions, fans, etc.: Azure Active Directory B2C
STEP 1.1A: Azure AD B2B
MICROSOFT AZURE ACTIVE DIRECTORY B2B
Be wary of promises and the Customer's expectations; it is not a "silver bullet" for interoperability
• Federated relationships with other companies, each with its own Azure AD authentication
• Delegation of authority to access compliant SaaS applications in Azure
STEP 1.1B: Azure AD B2C
MICROSOFT AZURE ACTIVE DIRECTORY B2C
Be wary of promises and the Customer's expectations; it requires a lot of changes in code
• Universal system for authenticating external users for the Customer's cloud/web-based solutions
• Used as THE LIBRARY FOR DEVELOPERS! It cannot be used "as is" for a turnkey solution!
STEP 1.2: "Pure" Cloud/Hybrid Identity
A clear classification of the solution (for yourself and for the Customer) is a very important aspect of the project
• Cloud identities: these are identities that exist solely in the cloud. In the case of Azure AD, they reside specifically in your Azure AD directory.
• Synchronized: these are identities that exist on-premises and in the cloud. Using Azure AD Connect, these users are either created or joined with existing Azure AD accounts.
• Federated: these identities also exist both on-premises and in the cloud and are created or joined with existing Azure AD accounts using Azure AD Connect; the difference is that authentication is delegated to the on-premises federation service (STS, e.g. AD FS) rather than performed by Azure AD.
STEP 2: SELECT THE RIGHT SCENARIO

Scenario: Cloud identities
Pros:
• Easier to manage for a small organization
• Nothing to install on-premises
• No additional hardware needed
• Easily disabled if the user leaves the company
Cons:
• Users will need to sign in when accessing workloads in the cloud
• Passwords may or may not be the same for cloud and on-premises identities

Scenario: Synchronized
Pros:
• The on-premises password authenticates against both the on-premises and the cloud directory
• Easier to manage for small, medium or large organizations
• Users can have single sign-on (SSO) for some resources
• Microsoft's preferred method for synchronization
• Easier to manage
Cons:
• Some customers may be reluctant to synchronize their directories with the cloud due to specific company policy

Scenario: Federated
Pros:
• Users can have single sign-on (SSO)
• If a user is terminated or leaves, the account can be immediately disabled and access revoked
• Supports advanced scenarios that cannot be accomplished with synchronized identities
Cons:
• More steps to set up and configure
• Higher maintenance
• May require additional hardware for the STS infrastructure
• May require additional hardware to install the federation server
• Additional software is required if AD FS is used
• Requires extensive setup for SSO
• Critical point of failure: if the federation server is down, users won't be
STEP 2: SINGLE SIGN-ON SCENARIOS
The most required feature of a Hybrid Identity solution and the KEY differentiator for Federated Identity
STEP 3.1A: Hybrid Identity with Synchronized AD
Main topics for the project
• Azure AD/on-premises Microsoft Active Directory synchronization planning
• A lot of technical parameters to discuss:
  – Single forest, single Azure AD tenant
  – Multiple forests, single Azure AD tenant:
    • separate topologies
    • match users
    • full mesh
    • account-resource forest
  – Multiple Azure AD tenants
  – Account filtering
  – Password sync/write-back, group/device write-back requirements
• HA Microsoft Azure AD Connect infrastructure, staging server
STEP 3.1B: ADs' synchronization scenarios
These have to be discussed: some scenarios do not work
STEP 3.1C: Filtering options
Some Customers really care (F.U.D.) about what will be synchronized with Azure AD
• Group-based: filtering based on a single group can only be configured on initial install using the installation wizard. It is not further covered in this topic.
• Domain-based: this option enables you to select which domains synchronize to Azure AD. It also allows you to add and remove domains from the sync engine configuration if you make changes to your on-premises infrastructure after you installed Azure AD Connect sync.
• Organizational-Unit-based: this filtering option enables you to select which OUs synchronize to Azure AD. This option applies to all object types in the selected OUs.
• Attribute-based: this option allows you to filter objects based on attribute values on the objects. You can also have different filters for different object types.
STEP 3.1D: HW/SW requirements
Please! Please! Make an assessment before setting the customer's expectations
• An Azure subscription or an Azure trial subscription.
• Add and verify the domain you plan to use in Azure AD.
• An Azure AD tenant allows 50k objects by default. When the domain is verified, the limit is increased to 300k objects. For 500k objects, a license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility Suite is required.
• The AD schema version and forest functional level must be Windows Server 2003 or later.
• Domain Controllers must be on Windows Server 2008 (with the latest SP) or later if the password writeback feature is planned.
• Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials.
• Azure AD Connect must be installed on Windows Server 2008 or later.
• If Active Directory Federation Services is being deployed, the servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later.
• If Active Directory Federation Services is being deployed, SSL certificates are needed.
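As an added example (not from the deck and not Microsoft's tooling), the script below previews the assessment the two previous steps call for: it applies the domain, OU and attribute filters described under Step 3.1C to a constructed sample forest and checks the resulting object count against the tenant limits listed under Step 3.1D. AdObject, plan_sync and quota_check are hypothetical names; the sample DNs and the extensionAttribute15 = "NoSync" convention are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AdObject:
    dn: str           # distinguishedName, e.g. CN=Ann,OU=Sales,DC=corp,DC=example
    object_type: str  # "user" or "group"
    attrs: dict = field(default_factory=dict)

    @property
    def domain(self) -> str:
        # The domain name is the DN's DC= components joined with dots.
        return ".".join(p[3:] for p in self.dn.split(",") if p.startswith("DC="))

    def in_ou(self, ou_dn: str) -> bool:
        # An object sits in an OU (or any child OU) when its DN ends with that OU's DN.
        return self.dn.lower().endswith("," + ou_dn.lower())

def plan_sync(objects, domains=None, ous=None, exclude=None):
    """Objects left after the domain, OU and attribute filters from Step 3.1C.
    domains: domain names to synchronize (None = every domain in the forest)
    ous:     OU DNs to synchronize, all object types included (None = every OU)
    exclude: {object_type: predicate(attrs)}; True drops the object, so each
             object type can carry its own attribute filter (group filtering omitted)
    """
    kept = []
    for obj in objects:
        if domains is not None and obj.domain not in domains:
            continue
        if ous is not None and not any(obj.in_ou(ou) for ou in ous):
            continue
        pred = (exclude or {}).get(obj.object_type)
        if pred is None or not pred(obj.attrs):
            kept.append(obj)
    return kept

def quota_check(object_count, domain_verified=False, licensed=False):
    """Tenant object limit from Step 3.1D: 50k by default, 300k once the domain
    is verified, 500k with a qualifying license. Returns (limit, fits)."""
    limit = 500_000 if licensed else 300_000 if domain_verified else 50_000
    return limit, object_count <= limit

# Constructed sample forest: two domains, a Sales OU tree and a service account.
FOREST = [
    AdObject("CN=Ann,OU=Sales,DC=corp,DC=example", "user", {"extensionAttribute15": ""}),
    AdObject("CN=Bob,OU=EMEA,OU=Sales,DC=corp,DC=example", "user", {"extensionAttribute15": ""}),
    AdObject("CN=svc-backup,OU=Sales,DC=corp,DC=example", "user", {"extensionAttribute15": "NoSync"}),
    AdObject("CN=Sales-All,OU=Sales,DC=corp,DC=example", "group", {"mail": "sales@corp.example"}),
    AdObject("CN=Old-Group,OU=Sales,DC=corp,DC=example", "group", {"mail": ""}),
    AdObject("CN=Carl,OU=Sales,DC=lab,DC=example", "user", {"extensionAttribute15": ""}),
]
```

Replacing FOREST with an export of the real directory (for instance from Get-ADObject) gives the customer a concrete list of what would leave the forest, and the object count to hold against the tenant limit, before any commitment is made.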
STEP 3.2A: Federated Identity & Single Sign-On
• Deployment and security planning for AD FS publications
• Planning the deployment of Microsoft Web Application Proxy (web publishing service)
Links:
https://technet.microsoft.com/en-us/library/jj205462.aspx
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-ports
Customer Case Studies
Customer Case Study - MANN+HUMMEL Group
Source: Microsoft Customer Stories
The MANN+HUMMEL Group is a global leader in the design, manufacture, and distribution of liquid and air filter systems.
• The company has grown rapidly by acquisition and by performing well in key global automotive markets.
• It employs more than 15,000 people at approximately 60 locations worldwide and earned revenues of about €2.68 billion (US$3 billion) in 2013.
• MANN+HUMMEL depends on Microsoft Exchange Server 2010 for email messaging and Microsoft SharePoint Server 2013 for collaboration. But it wanted to augment those core capabilities with Microsoft Lync Server 2013 to take advantage of presence, videoconferencing, instant messaging, and desktop sharing.
• The company decided instead to deploy Microsoft Lync Online, a cloud-based version of Lync Server 2013 that is part of Microsoft Office 365, but it didn't know how to authenticate employees in a cloud environment.
Customer Case Study - MANN+HUMMEL Group: SOLUTION
Source: Microsoft Customer Stories
• Microsoft invited MANN+HUMMEL to test its beta release of a new synchronization service called Microsoft Azure Active Directory Sync.
• Azure AD Sync makes it possible for organizations to synchronize multiforest Active Directory environments without needing a full-blown identity management product such as Microsoft Forefront Identity Manager 2010 R2.
• Azure AD Sync makes multiforest and non-Active Directory on-boarding to Azure Active Directory and Office 365 much easier and includes precisely the capabilities that MANN+HUMMEL needs, such as attribute filtering.
Customer Case Study - MANN+HUMMEL Group: BENEFITS
Source: Microsoft Customer Stories
• After deploying Azure AD Sync, which took just two weeks, MANN+HUMMEL was able to instantly turn on Lync Online for thousands of employees.
• Now MANN+HUMMEL is able to synchronize user identities quickly and simply with the cloud, without violating any internal data protection rules.
• With the company’s previous manual process for synchronizing user identities across applications, there were many opportunities for mistakes. With the process automated by Azure AD Sync, MANN+HUMMEL knows that user information is correct across all applications.
• By using the Azure AD Sync multiforest sync capability, MANN+HUMMEL can more easily integrate acquisitions.
What's NEXT?
Azure Sales Star program - Resources
• Check all the sessions and announcements: https://partner.microsoft.com/pl-pl/training/AzureSalesStarProgram#kick_off-session ...and register soon!
• Check our latest thinking on the Azure Sales Star blog: https://partner.microsoft.com/pl-pl/training/azuresalesstarprogram/security-can-be-the-primary-reason-for-cloud-adoption ...and more to come!
Cloud/Hybrid Identity Resources
• Azure Active Directory Proof of Concept Playbook: http://aka.ms/aadpocplaybook
• Microsoft Hybrid Identity Design Considerations Guide: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-hybrid-identity-design-considerations-overview
Brought to you by Consalta
Thank you for your attention!
David Balazic, e: [email protected], m: +386 31 699 622, Skype: davidb-consalta
Samo Kanellopulos, e: [email protected], m: +386 41 781 761, Skype: samok-consalta
Igor Shastitko, e: [email protected], m: +421 949 88 78 36, Skype: iwalker2012