Enterprise Mobility and Security Blog

RSS

STB_Banners_WhatsNext2

Throughout this series I’ve written quite a bit about identity management and its pivotal role in any enterprise mobility strategy. While I don’t want to be too repetitious on this topic, I do think it’s important to continually emphasize its ongoing value.

Any strategy that attempts to enable device usage anywhere with any platform has to give you the tools to set policies about how corporate data is accessed and used. This seemingly simple (but incredibly difficult) process is all based on your infrastructure’s ability to identify the individuals and devices accessing your network. Identity management helps keep your data in the right hands at the right times.

As enterprises continue to consume more and more SaaS offerings (the workforce in an average enterprise uses more than 300 SaaS apps!), IT has to take an active position when it comes to extending identity management to each of these SaaS apps. Today the majority of SaaS apps that are being used are completely unmanaged by IT – and this puts corporate reputation and assets at risk.

When we look at the big trends and challenges the IT industry is facing, identity management is the key element at play in all of them. For example: The device-based consumerization of IT would be impossible if we couldn’t quickly and easily verify and manage a user’s identity and their devices. A move to a cloud-based or hybrid cloud-based IT infrastructure would be impossible if there wasn’t a way to manage access, and compounding that problem, all your carefully gathered data would be worthless if there wasn’t a simple way to identify who should (and should not) be able to access it.

Identity management is an area where Microsoft excels because it is a big part of our DNA as a company. Today, over 90% of businesses around the world (and 95% of the Fortune 1000) use Active Directory for their identity management. We have spent millions of person-hours building and fine tuning software that enables enterprises to expand their on-prem investments to the cloud – and now we have optimized our solutions for device management with Azure Active Directory (you can read about AAD in depth here).

Whenever I get the opportunity to look at the scale and usage of Azure Active Directory I am really impressed. AAD is the premiere Enterprise Identity solution that’s delivered as cloud service. To give you an idea of its scale and power, it is servicing up to 18 billion authentication requests every day. There are 4 million organizations using AAD to manage access to their Microsoft Enterprise services (e.g. Azure, Office 365, EMS, etc.) and it is time to extend AAD’s trusted, reliable functionality to all of the SaaS apps your organization uses.

Considering the massive install base of AD, it is safe to say that the industry would prefer not to reinvent the wheel or manually recreate all of their identities in the cloud. The good news is that this kind of reinvention is unnecessary since this is exactly what Azure Active Directory (AAD) provides in a secure and comprehensive way. AAD combines directory services, advanced identity governance, application access management, and a developer’s identity management platform.  Impressive, right?

Using Azure Active Directory to Set Your Organization Apart

When building your enterprise mobility solution, you want it to deliver a small handful of critical things that I believe you should list as requirements around identity:

  • Integration into your existing infrastructure.
  • Easy syncing of your internal AD identities with 3rd party SaaS apps – and bring them under common management.
  • Easy syncing with your on-prem directories (aka Active Directory).
  • Self-service capabilities like password reset, group management, user profile, management, etc.

These areas are where Azure Active Directory really shines – especially the AAD Premium capabilities that are a part of the Enterprise Mobility Suite.

As noted earlier in this series, one of the key benefits AD has been providing for years is centralized identity management and access control across the enterprise + a great SSO experience for the end-users consuming enterprise services. Now, as organizations use more and more SaaS offerings (e.g. salesforce.com, Office 365, Workday, etc.), a centralized identity management solution is more important than ever. A centralized identity management solution is critical if you want to manage SaaS apps, protect that information from being stored and accessed in those SaaS apps, and provide a SSO experience to end users.

One possible way to deliver this kind of functionality is to federate each user with each and every cloud-based app. The challenge, however, is that not all apps use the same protocols or standards when it comes to identity management. This can make federation a very complex and costly operation. What organizations really need is a hub that can do six key things:

  1. Connect SaaS identities with their on-prem Active Directory users.
  2. Seamlessly connect with a variety of cloud applications.
  3. Integrate with various web protocols.
  4. Scale around the globe to authenticate users in any location, from any device, in a way that integrates simply with their existing identities.
  5. Provide SSO to all these apps for users.
  6. And you do not want to have to do all this integration yourself. That’s why we do it for you.

the most common scenarios that organizations of all sizes will face as they manage identities in the public cloud:

  • Many applications, one identity repository.
  • Managing identities and access to cloud applications.
  • Monitoring and protecting access to enterprise applications.
  • Personalizing access and self-service capabilities.

You need to insist that your mobility partners/vendors provide comprehensive solutions for these four scenarios – and that solution needs to seamlessly connect to the on-prem work where you’ve already invested.

These four areas are places where, I’m proud to say, AAD can consistently deliver at enterprise grade.

Sync & Federation with AAD

AAD allows you to sync with the on-prem Windows Server Active Directory using DirSync combined with either Active Directory Federation Services (ADFS), or, alternatively, with password hash sync. This setup helps to configure SSO and, to make SSO even easier, the most popular cloud apps are already pre-integrated in the application gallery – no matter what kind of public cloud is doing the hosting.

This kind of integration goes way beyond simple compatibility. Remember that, in every scenario, you are in complete control of what is synchronized from AD into AAD. Our services (like Office 365 and the Enterprise Mobility Suite) only need to have the users’ identity and four attributes in AAD. The users’ password is not one of those attributes, thus you can keep all the passwords in your local ID if you so choose

We have already done the work to integrate more than 2,400 of the most popular SaaS apps with AAD, and this fully enables the scenarios described above. We’ve also preconfigured all the parameters needed to federate with these clouds so that an administrator can select the cloud applications their enterprise is already using and configure SSO accordingly. With your identities and apps under control, the Azure Management portal allows for super-efficient management with a section specifically for AAD administration that allows you to take your custom LOB apps (or the ones you’ve bought from a vendor) and enable them for SSO.

Dollars and Cents: The Value of Cloud-based Identity Management

Once you’re operating your identity management solution from the cloud, your ability to manage a growing number of users and SaaS apps from the same console with the same processes becomes an invaluable advantage.

Access isn’t the only element that benefits from a top-tier identity management solution, however. Your ability to govern the creation, publishing, and usage of SaaS apps (which can be used via single sign-on) is a huge productivity booster for both you and your end users.

There’s not an IT team in the world that goes more than a few minutes without thinking about security – and this is something we think a lot about, too. This is why AAD is based on Trustworthy Computing principals and security is a foundational part of its architecture. I recommend reading that site’s information about just how secure that data is. It is really impressive stuff.

This is all delivered through Azure Active Directory Premium (a component of the Enterprise Mobility Suite) and it is an incredibly high quality foundation for any Enterprise Mobility strategy.

When it comes down to authentication and control of corporate resources, not only should your Enterprise Mobility identity solution require the user to correctly authenticate, but that identity solution should also know about all the devices being used to access corporate resources. This is exactly what Domain Join has done for Windows devices over the past 15 years. In our Enterprise Mobility solution we have added what you can think of as a modern Domain Join – what we call Workplace Join. Workplace join enables users to register their personal devices with AAD which allows IT to express policy on both the user and the device.

The “Managed Everything” Model

I previously wrote about the “Managed Everything” approach to infrastructure, and identity plays a crucial role here. Simply put, too many IT teams are saddled with one set of tools for PC management, another set for device management, yet another for server-based computing scenarios, and then something else for identity management.

Common? Yes. Smart? No.

This approach makes a lack of integration/interoperability and compromised agility a foundational part of your infrastructure, and it guarantees a fragmented experience that is more expensive and more difficult to operate. Instead, start with a solution that can manage identity no matter where the person or their hardware travels, and then build around this carefully managed structure.

To get a lot of additional information about Microsoft’s cloud-based identity management solutions, check out this very helpful Hybrid Identity Management site.