Extending Enterprise Security into the Cloud
3 likes719 views
The document discusses the importance of identity and security in cloud computing, highlighting challenges and the need for effective cloud access governance. It emphasizes the role of a consolidated identity in managing access controls, compliance, and dynamic policy enforcement across various cloud environments. Additionally, it introduces solutions like cloud access gateways and federated single sign-on to enhance security and identity management in cloud infrastructures.
Extending Enterprise Security into the Cloud
- 1. Identity and Security in the Age of Cloud Steve Coplan, Analyst L AY E R 7 P R E S E N TAT I O N , M A R C H 1 5 , 2 0 1 0
- 2. Agenda What do we mean by cloud? What control and security issues does cloud present? How do these issues map to current enterprise security architectures? Why does this create the need for cloud access governance? What role does identity play in cloud access governance? Moving from federated SSO to distributed access management 2 Layer 7 Presentation | March 2011
- 3. Defining a Cloud Computing Architecture Dynamic Publicly Pricing Model Accessible Rapid Provisioning & Programmatic Self-Service Mgmt. Interface Multi-Tenancy Automation Virtualization Scalability & Elasticity Technology Enablers Enterpise Security Network Compute Storage Apps Mgmt Apps 3 Layer 7 Presentation | March 2011
- 4. Defining a Cloud Computing Architecture 4 Layer 7 Presentation | March 2011
- 5. What does cloud mean for security? Security Management & GRC Identity/Entity Security Application Security Data Security Host Network Infrastructure Security 5 Layer 7 Presentation | March 2011
- 6. What does this have to do with identity and the cloud? Identity is important because: Compliance requirements invoke identity attributes or definitions, access controls and authentication Identity pivot construct in defining access controls for the cloud • Need to know who you are to describe what you can/can’t do Identity single control construct for multiple resources • SSO functions as a normalized event stream for a user • Cloud Hybridization, Desktop Virtualization, Device Proliferation escalate need for a consolidated identity and abstracted attributes 6 Layer 7 Presentation | March 2011
- 7. What does this have to do with identity and the cloud? Identity in the cloud is important because: Identity is the common point of reference for discontinuous infrastructure Identity is the a key parameter for making sense of visibility Who is the first question from a business context and by extension policy 7 Layer 7 Presentation | March 2011
- 8. Introducing The Cloud Access Gateway 8 Layer 7 Presentation | March 2011
- 9. The Cloud Access Gateway Acts as a proxy between clouds, virtualized data- centers and internal resources Ensures that policies remain consistent and are uniformly enforced by associating policies with the workload Provides dynamic policy enforcement Establishes resource partitioning and data access rights when a session is established Can function as security for the cloud and security for the cloud 9 Layer 7 Presentation | March 2011
- 10. Federated SSO and unified access control 10 Layer 7 Presentation | March 2011
- 11. The Intersection of Cloud and Identity Identity management vendors Cloud service providers are from Mars are from Venus View identity as a middleware View identity as a platform layer or service component View cloud, virtualization View identity as an service and mobile enablement construct Different understanding of the function of identity Identity management vendors still dealing with technical challenges of portable identity Cloud service providers see need for portable identity associated with portable image 11 Layer 7 Presentation | March 2011
- 12. Identity and the Journey to the Cloud Maturity stage Customers Technology Elements Providers Delivery Model Portability Enterprise SSO Identity management Hybrid: On-premise gateways (Identity providers) Authentication vendors (Incumbents, Federation gateways Service Providers venture-funded partners) Federation (SAML, OpenID, Federation hubs (relying parties) OAuth, WS-Fed) Platform vendors SaaS providers Application Access Control Paas Providers Infrastructure Identity Providers Authorization (XACML Paas/SaaS Providers From the cloud Authentication, Cloud Service Providers Provisioning/Governance Identity management SSO, trust services Identity as a Service Cloud access gateways vendors To the cloud Providers Trust brokers Cloud service providers Provisioning User privacy stores In the cloud: Directory in the cloud Architecture Enterprise Embedded middleware Cloud service providers In the cloud -service federation, Cloud service providers Attribute sources PaaS providers image federation Attribute assurance Identity Providers Run-time authentication, authorization and provisioning Trust brokers Identity as a service Cloud federation vendors Incumbents 12 Layer 7 Presentation | March 2011
- 13. Understanding Cloud Adoption Stages of Maturity 13 Layer 7 Presentation | March 2011
- 14. Many Clouds, One identity Federated SSO pushes out an enterprise identity Standards (SAML, OAuth, OpenID) allow applications to consume the identity Access policies mapped back to identity assertion One identity, but many identity assertions based on context How to evaluate at multiple 'cloud edges'? 14 Layer 7 Presentation | March 2011
- 15. Many Clouds, One Identity? Directory in the Cloud 15 Layer 7 Presentation | March 2011
- 16. Many Clouds, One identity Provisioning on the fly (just in time provisioning) addresses synchronization across the enterprise and A application user store Core of identity assertions may be static, but context can be dynamic Spectrum of accounts associated with users: • Long-lived accounts • Ephemeral accounts (project-based, collaboration portals) • Life of the application 16 Layer 7 Presentation | March 2011
- 17. Extending Enterprise Security to the Cloud Pushing out what you Taking what you know want services to know about your users about your users Making services 'identity Looking beyond federated aware' for SaaS, PaaS SSO to distributed access stacks management 17 Layer 7 Presentation | March 2011
- 18. Identity In The Cloud • Q&A Thank You. Questions? steve.coplan@the451group.com 18 Layer 7 Presentation | March 2011
- 19. Extending Enterprise Security Into The Cloud K. Scott Morrison CTO and Chief Architect March 15, 2011
- 20. Identity Is The Basis For True Cloud Governance Mosaic Source: facesofmillions.com 14-mar-2011
- 21. Achieving Compliance Using Security Gateways No Agents Audit API/Serv Service agnostic ice Host Enforce Policies Monitor & Distributed Transaction Report Publish If you sit in the middle, you can do anything
- 22. The Cloud Services Gateway Traditional Hardware Virtual Appliance Appliance Identical Functionality Access Control Audit Monitoring Policy Mgmt Security Token Services (STS) Cope with dynamic perimeter Support incremental adoption
- 23. Taking Identity To A Dynamic Perimeter Private Cloud Systems of Record Public Cloud Existing IAM On-Premise Network
- 24. Security For The Cloud: CloudConnect Securely connect enterprises to the cloud: Leverage existing IAM infrastructure for SaaS SSO Securely integrate with SaaS apps Track usage of SaaS System of Record Existing IAM CloudConnect On Premise Network
- 25. Security in the Cloud: CloudSpan Virtual Gateways Secure applications residing in the cloud: Simple public or private cloud IaaS deployment Your IaaS Cloud Shrinks security perimeter to the application Applications Virtual Automatically coordinates policy on-premise and in CloudSpan Application-Layer the cloud Isolation, Monitoring, & Control Integration with on- premise apps ID-based security for enterprise users and apps both inside or outside the firewall Hardware CloudConnect Instances On Premise Network Gives control back to the enterprise security group
- 26. Security by the Cloud : Cloud Control A complete API management solution Secure Manage Automate Developer Communities Enterprise Datacenter Portal Widget Mobile Apps Social Network Plug-in
- 27. Summary Cloud has perimeters that are dynamic - The security perimeter is actually shrinking to the API/service level Identity is the basic construct for extending corporate policy into the cloud Cloud is making identity portable Policy-based enforcement with strong audit is the basic approach for achieving compliance. This can only be managable if the approach to identity enforcement is consistent, and driven by a central strategy and repository. Layer 7 offers a holistic solution to enterprise identity in the cloud - CloudConnect for extending single sign-on (SSO) to the cloud and integrating cloud with existing applications and data. - CloudSpan virtual gateways for securing applications in the cloud - CloudControl to create automation services in the cloud
- 28. For further information: K. Scott Morrison Chief Technology Officer & Chief Architect Layer 7 Technologies 1100 Melville St, Suite 405 Vancouver, B.C. V6E 4A6 Canada (800) 681-9377 smorrison@layer7tech.com http://www.layer7tech.com March 2011