Specialty chemical manufacturer Dow Corning wanted to consolidate and extend identity management workflows and move toward a more secure, well-managed, and dynamic core IT infrastructure capable of protecting sensitive data as it moves through e-mail and collaboration systems. The IT staff is deploying Microsoft Forefront Identity Manager 2010 to replace custom user-provisioning scripts that could not support an upcoming migration to Microsoft Exchange Server 2007 or additional Active Directory domains. With Forefront Identity Manager 2010, the company expects to increase efficiency through password synchronization and reduce work for help-desk staff. And using Business Ready Security solutions from Microsoft, Dow Corning plans to extend messaging and collaboration beyond the enterprise to business partners, who will also be supported by the identity-based access solution.
Equally owned by the Dow Chemical Company and Corning, Dow Corning is a global chemical manufacturer that boasts more than 7,000 silicone-based products and serves more than 25,000 customers worldwide. More than half of the company’s annual sales, which in 2009 were more than U.S.$5 billion, are outside the United States. Since pioneering the silicone industry in 1943, innovation has been a priority for Dow Corning, which holds more than 4,400 global patents in silicon-based technology. Its products and services are offered under the Dow Corning® and XIAMETER® brands.
“Our intellectual property and commitment to drive innovation through efficient practices are the foundation of our competitive advantage,” says Armand Martin, Enterprise Architect for IT Security Operations at Dow Corning. “Being innovative and having a body of intellectual property is our lifeblood.”
This philosophy also guides the company’s approach to IT. Dow Corning needed to continue safeguarding its vital trade secrets while becoming even more flexible, agile, and efficient. For example, it sought more future-proof and interoperable IT solutions that could be managed, extended, and supported efficiently internally or by IT consultants or other partners. As part of this effort, Dow Corning had deployed Active Directory Rights Management Services to help protect its important data with persistent protection and usage policies. It also decided to migrate from Microsoft Identity Lifecycle Manager 2007—which it was using to consolidate disparate identity management systems and workflows—to Microsoft Forefront Identity Manager 2010 to further automate its security and identity management processes.
Before the implementation of Identity Lifecycle Manager 2007 in mid-2007, an Identity and Access team of two people—Martin and Dow Corning Security Engineer Norman Langston—had relied on its own custom, proprietary scripts to automate security and identity processes. These processes included e-mail account creation; granting Internet access; and provisioning user identities as needed in Active Directory Domain Services, SAP, Oracle and Microsoft SQL Server 2008 data management software, UNIX environments, Microsoft Office SharePoint Server sites, and other systems. With the addition of Identity Lifecycle Manager 2007, the team was able to automate some workflows but had not entirely replaced the custom scripts.
Need for More Flexibility
The custom scripts worked well, but if the Identity and Access team wanted to fix, change, or expand them, it had to do so itself or train each IT consultant or independent software vendor (ISV) that it might hire. When it came to troubleshooting, problems were identified when employees alerted the IT Security Operations staff that they had not been granted access to resources in a timely manner. Then, the Security Operations staff had to log on to various servers to collect log files and examine them to identify the problem. Security Operations staff also reviewed event notification e-mail messages generated by Microsoft System Center Operations Manager 2007, which monitors changes made to Active Directory, to deduce what was wrong and request that the IT Engineering team fix the problem.
Upcoming organizational changes also called for more flexibility and efficiency. Dow Corning planned to add a second Active Directory domain to handle user accounts for its business partners, and the Identity and Access team did not think its proprietary solution could scale to cover a second domain without a lot of extra work.
Need for Faster, More Automated Processes
With Identity Lifecycle Manager 2007, employees still had to manually synchronize their passwords six times a year in various databases, applications, and systems. For a half-dozen or so employees, this meant logging on to more than 100 systems to change passwords, a process that took around an hour. Updated identity and access data from SAP followed a workflow to an Oracle database that was synchronized to Active Directory once a day, and from there to Identity Lifecycle Manager 2007. Dow Corning wanted to investigate boosting efficiency in the future by getting this data faster in order to help identify issues sooner and reduce employees’ productivity downtime.
Need for Improved Compliance in a Collaborative Environment
In addition to using Microsoft products for Identity and Access Management, Dow Corning also relies on several other Microsoft products—Microsoft Forefront Security for Exchange Server, Forefront Online Protection for Exchange, and Forefront Security for SharePoint—to deliver secure messaging and secure collaboration solutions. Together, these solutions help protect vital company data, such as intellectual property, as employees communicate and exchange ideas using e-mail and collaboration sites. In addition, Dow Corning is taking advantage of the interoperability of Active Directory Rights Management Services with Office SharePoint Server 2007 and the Windows Server 2008 operating system to embed usage rights into company data, for an additional layer of protection. This layered approach to information security helps prevent employees from forwarding or copying sensitive data and helps protect this content from security threats when it resides on SharePoint sites or in e-mail messages. Though Dow Corning could already protect data and help control who was accessing it, the company wanted to add the ability to log and audit these actions automatically.
In the summer of 2008, Dow Corning joined the Technology Adoption Program (TAP) and Rapid Deployment Program (RDP) for Microsoft Forefront Identity Manager 2010 to test the synchronization service, workflows, and policies. Microsoft invited Martin and Langston to spend a week at the Microsoft Enterprise Engineering Center (EEC) in Redmond, Washington, where Microsoft IT staff set up a replica of the Dow Corning IT environment to test and demonstrate a beta version of Forefront Identity Manager 2010.
The software offers flexibility and extensibility. For instance, the synchronization engine in Forefront Identity Manager 2010 can coordinate passwords across systems enterprisewide. This way, once Dow Corning fully deploys the product in March 2010, employees will be able to change their passwords just once, in their primary Active Directory Domain Services account. Because Forefront Identity Manager 2010 is implemented on a common set of services—including workflows, delegation, and Web services application programming interfaces (APIs)—Dow Corning, IT consultants, and ISVs will be able to use these services to extend and customize the functionality of the core product. For instance, using the synchronization services in Forefront Identity Manager 2010 with third-party reporting products, Dow Corning will be able to more easily comply with government regulations, such as the Sarbanes-Oxley Act of 2002, by better monitoring how administrators make changes to Active Directory. And, instead of custom scripts, Dow Corning will be able to use Forefront Identity Manager 2010 to automatically provision mailboxes in Microsoft Exchange Server 2007 e-mail messaging and collaboration software and entitlements for Microsoft Office Communications Server according to the business rules it sets for these processes.
Dow Corning plans to connect Forefront Identity Manager 2010 to its SAP system so that the company will receive updated identity and access data almost in real time, instead of once a day.
With Forefront Identity Manager 2010, the IT Security Operations staff will enjoy simplified management through a policy-management console based on Office SharePoint Server that will be part of the company’s March 2010 deployment. With this new management tool, Security Operations staff will have a central location from which to identify failed provisioning requests, make any necessary changes to applicable identity attributes, and resubmit requests—without having to compile server logs and e-mail alerts.
Dow Corning also intends to implement Group Management and other self-service features in Forefront Identity Manager 2010, to enable administrators and employees to create and manage groups—such as e-mail distribution groups in Microsoft Office Outlook messaging and collaboration client and project teams on SharePoint sites—without assistance from IT staff. For example, from within the familiar interface of Office Outlook, employees will be able to use Approve and Reject buttons to manage membership requests, or to add or delete group members. In addition, Dow Corning wants to someday use Forefront Identity Manager 2010 for public key infrastructure (PKI) certificate management, which would enable employees to manage their own certificates without having to call the help desk. The company also plans to create a single address book for both of its Active Directory domains in order to support more efficient communication and collaboration.
When it comes to extending its existing secure messaging and collaboration solutions, the company will be able to use Forefront Identity Manager 2010 to manage identities in TeamRoom, a collaboration platform that Dow Corning created on Microsoft Office SharePoint Server 2007. Currently, the TeamRoom sites are internal-only collaboration sites; but with this new capability, Dow Corning will enable business partners to join.
The company also plans to use Windows Identity Foundation, an extension of the Microsoft .NET Framework that makes it easier for developers to create applications with open, identity-based access capabilities. Specifically, Dow Corning wants to develop a claims-based model that will support complex business-process templates so that it can grant users permission in TeamRoom to do more than just read and edit files. TeamRoom would then interoperate with Forefront Identity Manager 2010 and Active Directory Federation Services 2.0, so Dow Corning will be able to add users to appropriate collaboration groups and roles based on their identity attributes.
To round out the evolution of its secure messaging and secure collaboration solutions, Dow Corning plans to upgrade to Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint, most likely as part of a migration to Microsoft Exchange Server 2010 and Microsoft SharePoint Server 2010. The company is also considering testing Microsoft Forefront Threat Management Gateway to help employees safely and productively use the Internet without worrying about malicious software and other threats.
Dow Corning will use Forefront Identity Manager 2010 to future-proof and simplify its identity and access management processes. The company anticipates time and cost savings as it offers more flexible tools to its IT team and end users, and it expects the Microsoft Forefront products to help support a more secure and consolidated messaging and collaboration environment enterprisewide for improved efficiency.
Support from Microsoft
Martin found participation in the TAP and RDP to be extremely valuable. At the EEC, he and Langston were able to visualize how Forefront Identity Manager 2010 would work in their company’s environment. “Before we even installed it, we were able to see the product in action. Having Microsoft product experts there to help us build it, touch it, and discuss it was a tremendous experience,” says Martin. Throughout the TAP and RDP, Dow Corning gave input on the beta version, some of which was incorporated into the final product. “Unlike our custom scripts, Forefront products come with a community of support and best practices,” Martin continues.
Greater Flexibility to Extend Identity and Access Management Across the Enterprise
Dow Corning will get identity, credential, and access management in a single product. Unlike the company’s custom scripts for user provisioning, Forefront Identity Manager 2010 is supported by Microsoft, third-party vendors, and IT consultants. Martin remarks, “When it comes to maintenance and development of our security infrastructure, the code we wrote was very specific and quite rigid compared to what we get with an off-the-shelf solution. And, with Forefront Identity Manager, we have a community of support that we can take advantage of, now and into the future, whether it’s hiring consultants to extend our solution or sharing best practices with colleagues.”
Martin also appreciates that Forefront Identity Manager 2010 offers new tools that can help make Dow Corning agile enough to handle the rapid pace of business and technology changes while improving efficiency. Says Martin, “After Dow Corning fully deploys Forefront Identity Manager 2010, we will have more granular control over identity and access, so we can start providing users with self-service capabilities and extend secure collaboration to our partners.”
Dow Corning expects these new capabilities, such as those for self-service Group Management, to reduce the need for IT assistance when setting up new accounts. Now that Dow Corning has multiple Active Directory domains, it will be able to use Forefront Identity Manager 2010 to build a single address book, increasing the ease and efficiency of adding more domains in the future. These capabilities will simplify collaboration—employees will be able to find internal and partner contacts in a single address book and easily share scheduling information—and increase IT control. For example, Security Operations staff will be able to delegate the creation of groups and the management of group membership to end users while enforcing policies around group life spans and the number of groups a user can create.
The company plans to extend its PKI certificate infrastructure, as well. Although the cost and IT overhead of managing more complex authentication such as this is often a barrier to adoption, Forefront Identity Manager 2010 can handle both user provisioning and certificate management. So Dow Corning will be able to define a single management flow across both processes to help the company maximize its existing infrastructure investments and improve efficiency.
When Dow Corning connects Forefront Identity Manager 2010 directly to SAP for near real-time synchronization of identity and access data across systems, it will be able to reduce productivity loss. For example, instead of waiting for employees to report that a new account or access has not been granted on schedule, Security Operations staff will know within minutes if there is a problem and can react, preventing hours or days of downtime.
Savings and Simplified Management
Martin reports that Dow Corning is implementing Forefront Identity Manager 2010 to get the synchronization and interoperability needed to strengthen and extend its identity and access infrastructure while simplifying management: “That’s why we’re implementing these tools—integration,” he says. “Soon, we will be able to bring familiar interfaces, such as Outlook, to our employees while offering them self-service identity and access management options.”
With the forthcoming self-service options, Dow Corning expects to see a reduction in help-desk calls and IT support around identity and access management. Requests for group and service accounts are 20 percent of the company’s new-account activity, which should add up to a measurable reduction in the workload for the Security Operations team—and to increased efficiency for the company. With password synchronization alone, Dow Corning expects to greatly reduce help-desk costs.
Martin also points to the policy management console for IT administrators. “With the console for viewing troubleshooting data, I will be able to document how to make a fix and turn it over to a support team more easily. It’s much simpler than chasing down a bunch of log files and e-mail messages,” he says.
Support for Compliance and Secure Messaging and Collaboration
Using Microsoft Forefront products, Exchange Server 2007, Windows Server, and Active Directory, Dow Corning will be able to consolidate identity management and integrated workflows to support more secure messaging and collaboration inside and outside the enterprise. Mark Gandy, Global Cyber Security and Business Intelligence Manager at Dow Corning, says, “With these solutions, we will be able to apply our business rules consistently across our work processes to support innovation and protect intellectual property no matter how or with whom our people work. We’ve got an integrated environment with layered, secure, identity-based access to help us on our journey to a much more dynamic and expressive collaboration environment.” With the addition of Windows Identity Foundation in the future, Dow Corning will be able to update its IT infrastructure for service-oriented architecture and claims-based authorization models.
Dow Corning will also be able to add auditing and reporting to this environment for easier compliance. “Identity-based access and auditing will complement our secure messaging and collaboration solutions,” says Gandy. “We will be able to see who is accessing our data, where they’re sending it, and who they are sharing it with—and our solutions will apply digital rights and log everything to help us with compliance. Our solution software is designed to work together to support this secure environment.”
The automated, policy-driven identity and access management environment will support easier compliance and mailbox provisioning in the greater context of an integrated solution. Gandy concludes, “Using Microsoft Business Ready Security solutions, we are in a position to deliver a secure messaging and secure collaboration environment that is built on a robust identity management infrastructure through Forefront Identity Manager 2010.”
Microsoft Forefront Product Portfolio
Microsoft Forefront is a comprehensive line of business security products that provides greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis. Forefront helps provide protection for the client operating system, application servers, and the network edge.
For more information about the Forefront product portfolio, go to: