Vol. 18, #6 - February 11, 2013 - Issue #916
Cloudy Thinking - Identity Management
This week's newsletter is all about identity management in cloud computing environments. But before we dig into this topic, let's say for a moment that you're working the helpdesk for your organization, and someone phones in saying he's a user and has forgotten his password. How might you try to confirm his identity?
Just wanted to mention that my free ebook Introducing Windows Server 2012 has now been downloaded over half a million times!! If you haven't downloaded it yet you can do so by clicking on the image below:
Reader needs help!
A reader named Jim from Florida asked us to share the following with our community of newsletter readers:
I’ve been struggling to find a method or software to block IP addresses from hackers that are trying a dictionary attack on my 2007 MS Exchange server. I have several clients that also have this issue. The ideal method or software would see that there is more than X amount of connection attempts from the same IP address and then block the connection. If you could post this question out to the community I would appreciate it.
Do any readers of this newsletter have suggestions for how Jim can deal with this issue? Email us at [email protected]
Cloudy Thinking: Identity Management
You can read previous issues in our Cloudy Thinking series here:
- Cloudy Thinking:
- Cloudy Thinking - Sourcing Models:
- Cloudy Thinking - SaaS:
- Cloudy Thinking - Fundamentals:
- Cloudy Thinking - PaaS:
Identity is a collection of information that uniquely defines a user or system. Identity management has to do with provisioning and managing user and system identities so they can be authenticated and authorized for securely accessing resources in a computing environment. Managing identity is also about protecting the information and computing resources of your organization by controlling and auditing who can access them.
The office is getting cloudy
Active Directory is the most commonly used identity management platform in corporate environments and is typically deployed on-premises. But what if some or all of your computing infrastructure is running in the cloud? How can you manage the identity of users who run cloud apps in pools of shared workstations? We'll get to that in a moment, but what if you don't even want your users to run any cloud apps on their machines? How can you prevent them from doing so? And how do you deal with the problem of business units or individual users who sidestep your on-premises identity management system and self-provision cloud apps using their own separately created identities?
That's a difficult problem, yet it's one that many companies currently face. Traditionally IT has tried to lock down the experience of users to prevent them from installing and using unauthorized apps. Technologies for implementing such control can include:
- Mandatory user profiles, especially in terminal server environments
- Group Policy features such as Software Restriction Policies and AppLocker
- Providing users with non-admin accounts
While technologies like these can effectively lock down many aspects of the Windows desktop environment, they generally fail to prevent users from accessing cloud apps like Google Docs on their computers or from running cloud apps on non-Windows devices such as iPads, Android tablets, or smartphones. What can you do to prevent your users from running unauthorized cloud apps on the computers and other devices they use to perform their work?
I would say that there are only two ways of doing this effectively. The first is simply policy: establish a clear company policy against such practices and communicate it clearly, explaining both the reason behind the policy and the consequences users might face should they violate it. Effective policy should always answer two questions: Why do we have this policy? and, What will happen if I don't follow it?
But if that doesn't work (people tend to break rules when they think they can get away with it or when they feel the need to do so is valid) then what else can you do? The second way of preventing your users from running unauthorized cloud apps on their computers and other devices might simply be to provide them with some authorized cloud apps that can meet their perceived needs. In other words, if you don't want your users to go to the cloud, you should bring the cloud to them instead. According to NetworkWorld that's the message that Microsoft has been trying to get out to their customers:
Identity management and Office 365
Let's get back to managing identity in cloud computing environments. Let's say you've got a mix of on-premises Active Directory-based infrastructure and cloud apps such as Office 365 or some custom apps you've deployed to Windows Azure. Can you create a single identity for each user that will allow them to log on to their systems and run locally-installed apps as well as the cloud apps? And what if users already each have two identities, one account in Active Directory and another Office 365 account? Is there any way of merging their identities to make managing them simpler?
The key glue to making both of these scenarios possible is Active Directory Federation Services (AD FS), which can provide secured identity federation and Web single sign-on (SSO) capabilities that allow users to seamlessly access federated Web-based resources without requiring them to log on a second time to these resources. AD FS 2.0 is included in Windows Server 2008 R2 and has been enhanced in Windows Server 2012 with some new capabilities described here:
A roadmap outlining the steps for implementing AD FS to enable users in your Active Directory environment to use SSO to access Office 365 cloud apps can be found here:
If some of your users are already running Office 365 and have two identities (one in Active Directory and a second one in the cloud) then the following thread on the Office 365 Forums might help you understand how to integrate these separate identities for easier management:
See the Tech Briefing section of this newsletter for links to additional information on implementing SSO with AD FS, Office 365 and Windows Azure.
Finally, you can now run Active Directory in the Windows Azure cloud. But that's a topic for a future issue of this newsletter...
Send us feedback
Have you deployed a federated identity (SSO) solution like AD FS in your organization? Got any tips you'd like to share with readers about the pros and cons of doing this? Let us know at [email protected]
Tip of the Week
Are some of your users experiencing slow logons? It could be because of how Group Policy is being applied to those users or their computers. See the following post by Ned Pyle on the Ask The Directory Services Team blog for more info:
Contact me at [email protected] if you have a tip you'd like to share with our readers.
Recommended for Learning
If you've ever had to go through e-discovery as part of litigation or an audit, you'll know that the process is fraught with difficulties and dangers. The following title from CRC Press (Auerbach Publications) can help you prepare for what your company or organization might face:
Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval (CRC Press, 2013) is an up-to-date introduction to properly managing electronically stored information in a way that meets legal and regulatory requirements. The book explains in layman's terms what electronic information is, how it's stored, who's responsible for managing it, how it should be preserved, and especially why you should care about these things. The legal side of this book focusses on the US legal system, and includes an explanation of the Federal Rules of Evidence and a discussion of some of the relevant case law. All in all, a highly readable book that should be required reading for MIS and business decision makers at mid-sized and large organizations.
Here are some other great titles from Auerbach Publications:
The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules
Business Analysis for Business Intelligence
Cyberspace and Cybersecurity
IT Best Practices: Management, Teams, Quality, Performance, and Projects
Quote of the Week
"Don't spend a lot of effort acquiring customers and then just let them walk away."
--Gary Vaynerchuk, bestselling author, journalist, and speaker, as quoted in Ash Maurya's book Running Lean
You can find out more about Gary here:
Until next week,
Note to subscribers: If for some reason you don’t receive your weekly issue of this newsletter, please notify us at [email protected] and we’ll try to troubleshoot things from our end.
Admin Tools We Think You Shouldn't Be Without
Start discovering sensitive data in your file systems in the next 10 minutes with StealthSEEK – it's that simple – download now:
Free Trial: NetWrix Change Reporter Suite, a simple IT infrastructure auditing tool that tracks changes made to all critical IT systems and reports on the "4W detail" – Who changed What, Where and When.
Download a free trial of Remote Support from DameWare and instantly start providing support to thousands of end-users without leaving your desk!
Free download: Altaro Hyper-V Backup. Easy to use, fast, has your back. Free for 2 VMs, forever.
ManageEngine ServiceDesk Plus was selected the winner in the Help Desk category of the WindowsNetworking.com Readers' Choice Awards:
- Microsoft Lync Conference 2013 on February 19-21, 2013 in San Diego, USA
- Microsoft Management Summit on April 8-12, 2013 at the Mandalay Bay in Las Vegas, USA
- Microsoft TechEd North America on June 3-6, 2013 in New Orleans, USA
- Microsoft Worldwide Partner Conference on July 7-11, 2013 in Houston, USA
- NEW! - Microsoft TechEd Africa 2013 on April 16-19, 2013 in Durban, South Africa
Add your event
Contact Michael Vella at [email protected] to get your conference or other event listed in our Events Calendar.
Register for Webcasts
Add your Webcast
PLANNING A WEBCAST you'd like to tell our 100,000 subscribers about? Contact [email protected]
We'll begin with links to some resources on identity management:
AD FS 2.0 Content Map
This TechNet wiki page provides a comprehensive content map for resources on AD FS 2.0:
Office 365 SSO Content Map
This wiki page provides a complete roadmap for Single Sign-On (SSO) content relating to Office 365:
Single-sign-on between on-premise apps, Windows Azure apps and Office 365 services
This post on the Plankytronixx blog on MSDN is a bit old but still provides a good explanation of how SSO is implemented:
Identity (Management) Crisis
Deb Shinder examines how the concept of identity has evolved, why protecting it is important, what identity management solutions currently look like, and how you can choose the right identity management solution for your organization in this four-part series of articles (WindowSecurity.com):
Claims Based Identity: What does it mean to you?
Deb Shinder looks at the concept of claims-based identity and examines solutions like Microsoft AD FS 2.0, Windows Azure, Windows Live ID, Office 365, and SharePoint (WindowSecurity.com):
Next, here's some general stuff on cloud computing:
A Technology Blueprint for the Enterprise of the Future
The Recovery Accountability and Transparency Board makes use of many different flavors of cloud computing (FedTech Magazine):
Best practice for using cloud computing in Europe 2013 (Part 1)
Ricky Magalhaes begins by explaining four principles of good information handling (WindowSecurity.com):
Best practice for using cloud computing in Europe 2013 (Part 2)
Ricky Magalhaes finishes by describing three additional principles of good information handling (WindowSecurity.com):
Are Your Clients Ready To Move To The Cloud?
Robert Peretson demonstrates how managed service providers can help their clients decide whether to migrate their business into the cloud (MSPAnswers.com):
What's New in Windows 8 for Hyper-V Based Cloud Computing
Also be sure to check out this eleven-part series of articles on what’s new in Windows 8 for Hyper-V based cloud computing by Janique Carbone (VirtualizationAdmin.com):
Now on to some other stuff...
Windows Server 2012 home lab preparation
First of a series where we look at setting up a home lab on 2 spare machines in order to run through some Windows Server 2012 scenarios and Labs as part of the online IT Camp that we are putting together (Canadian IT Pro Connection blog on TechNet):
Windows Server 2012 IT Camp – Lab #1
In this lab we look at the Hyper-V role of Windows Server 2012 and we explore "Shared Nothing Live Migration" (Canadian IT Pro Connection blog on TechNet):
Microsoft Windows Server vs Chevy Camaro
Derek Melber discusses some of the good and bad changes happening in the latest versions of Microsoft Windows and Windows Server, and he includes some terrific photos of Chevy Camaros as well (WindowsNetworking.com):
Mobile Printing: Workers Don't Have to Leave Printing Behind
A mobile workforce needs access to all the comforts of the workplace to be truly productive (BizTech Magazine):
We need a good business reason for investing in IT
What is the good business reason behind changing the relationship and role of IT? (Gartner):
What Government Employees Think About Consumer Technology at Work
MeriTalk reveals graying line between professional and personal use of technology (FedTech Magazine):
IT Admins and Security Auditors
Derek Melber discusses the pitfalls of security audits when administrators and auditors do not work well together (WindowSecurity.com):
Building redundancy into your cloud outage strategy
When it comes to the cloud, it’s essential to have an effective strategy in place to prevent outages from impacting your organization. Inside this tip, learn how planned redundancy can help you ensure that your end-users experience little to no downtime in the event of a cloud outage.
Q&A: How to troubleshoot common VDI problems
While VDI can deliver a wide range of benefits, it’s not without its challenges. In this expert Q&A, explore the top VDI problems your peers are experiencing and review essential tips and tricks for eliminating these common pain points.
VM lifecycle management: Beware the immortal VM
While virtual machines do not have the wear and tear nature of physical computers, it doesn’t mean you should keep them around forever. As a result, it’s essential to have an effective VM lifecycle management strategy in place. Find out key tips that can help you avoid out-of-date immortal VMs.
Ready for a vSphere 5.1 upgrade? Depends on your current version
Many IT pros are eager to take advantage of the new features and improvements in VMware vSphere 5.1. However, this upgrade may not be for every IT shop, so it’s important to do your research beforehand. Learn key factors that can help you determine whether or not you’re ready for vSphere 5.1.
This Week's Links We Like. Tips, Hints And Fun Stuff
GOT FUN VIDEOS or other fun links you'd like to recommend? Email us at [email protected]
Driving in snow and ice provides many challenges. These drivers and pedestrians are incredibly lucky!
Meanwhile in Japan: Train plowing through deep snow.
The amazing Mozart Group combine superb musical skills with creative humor, joy and fun:
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.