CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

551 views

Published on

John Tolbert, Fortune 50 Company

An examination of the often complex mix of scalability, interoperability, and security requirements that certain industries face, and what is needed for these types of organizations to be able to fully leverage the benefits of the cloud.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
551
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
18
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

CIS14: Is the Cloud Ready for Enterprise Identity and Security Requirements?

  1. 1. Is The Cloud Ready for Enterprise Security Requirements? John Tolbert
  2. 2. The Cloud A Huge Success Story Rent what you need, rather than buy Simplify data center management Scalable Fast provisioning and de-provisioning
  3. 3. Security Requirements Consumer Privacy Regulatory compliance SOX HIPAA Export regulations
  4. 4. More Security Requirements Intellectual Property Licensing and Collaboration Background and Foreground IP Trade Secret Protection High Security / High Assurance NIST 800-63 Level 3 and 4 authentication Fine-grained access controls Need-to-know
  5. 5. Authorization is like fashion Informal Attire For a Day at The Lake
  6. 6. Admission to certain venues requires formal wear http://upload.wikimedia.org/wikipedia/commons/3/39/MITO_Orchestra_Sinfonica_RAI.jpg
  7. 7. Access Control X OK
  8. 8. Organizations need to collaborate with business partners The cloud is a natural place for collaboration Easy to set up workspaces as needed Identity management can be a combination of federated identities for those with robust IAM infrastructures and cloud-managed identities for business partners without the heavy-duty IAM infrastructures Protecting intellectual property in collaborative environments can be a challenge
  9. 9. Enterprise IAM infrastructure in place LDAP SAML XACML PAP Enterprise IAM Infrastructure SSO XACML PEP XACML PDP The Cloud SaaS IaaS PaaS File Repositories Web Apps Cloud IAM Enterprise Applications SCIM
  10. 10. Evolution of access controls Time IAM Solution Complexity Evolves To Meet Scalability and Granularity Requirements Users Groups RBAC ABAC PBAC
  11. 11. Union of Attribute and Policy Policy Attribute Based Access Control
  12. 12. Policy/Attribute-based access control XACML for consistent attribute-based access control in both the cloud and on-premise infrastructure Profiles for privacy, export controls, intellectual property controls, and data loss prevention Interoperability at the transport layer Can facilitate the migration to Mandatory Access Control (MAC) model
  13. 13. Fine-grained Authorization Subject identity is just one variable in the authorization equation Resources have identities too! Resource attributes must also be evaluated in runtime authorization decisions Subject Resource Environment Action
  14. 14. Fine-grained AuthZ Two major categories of data necessitate two different approaches: Unstructured data: standardized metadata tags on data objects Structured data: policy-based access controls applied via SQL and web application proxies Backend Attribute Exchange: one domain trusts another to provide authoritative attributes for authenticated users
  15. 15. Metadata tagging and AuthZ Create Document Content Analysis Metadata Application XACML PEP XACML PDP By United States Air Force.718 Bot at en.wikipedia [Public domain], from Wikimedia Commons http://upload.wikimedia.org/wikipedia/commons/6/62/1948_Top_Secret_USAF_UFO_extraterrestrial_document.png Read Metadata Class: Top Secret Decision Pass Metadata as Resource Attributes LDAP Subject User Subject Attributes
  16. 16. Policy-based SQL and application proxies LDAP XACML PAP SQL/ XACML PEP XACML PDP Thick Client App DB Web App WAF/XACML PEP DB Certain row/column Results match policies Certain application Actions match policies
  17. 17. Backend Attribute Exchange User authenticates in Domain A Domain B SSO gets attributes from Domain A User receives access in Domain B User requests access to resource in Domain B Assumption: Domain B trusts that Domain A is authoritative for specific attributes about users originating from there. SSO LDAP SAML SSO SSO SAML SSO Web App 1 2 4 3 5 6 7 8 9
  18. 18. Mandatory Access Control Gov't Classification Commercial Analogs Unclassified Public Domain Confidential Confidential Secret Competition Sensitive / Restricted Top Secret Limited Distribution No Read Up No Write Down Bell-LaPadula No Read Down No Write Up Biba Integrity
  19. 19. Compliance Monitoring and Risk Management Standardized authentication and authorization mechanisms for consistent enforcement and reporting Integration with Security Incident and Event Management for real-time alerting Integration with GRC software
  20. 20. Conclusion Is the cloud ready for enterprise security? Yes, some providers offer solutions in most areas described above. Cloud service providers will capture more customers with high security service offerings Resource identities (attributes) are just as important in access control decisions as subject identities

×