How to Implement Cloud Security: The Nuts and Bolts of Novell Cloud Security Service
This session will help you understand what cloud security is and how to implement it in your enterprise. It will discuss the technical aspects of cloud security and how we can help you secure the cloud while ensuring sensitive information always remains behind the firewall.

Transcript

  • 1. How to Implement Novell® Cloud Security Services: Nuts and Bolts. Dale Olds, Distinguished Engineer; Ben Fjeldstet, Sr. Engineer; Tom Cecere, Product Strategy, Novell Cloud Security Service. March 24, 2010
  • 2. Key Takeaways
    • SaaS adoption is projected to increase three-fold to US$14 billion by 2012, according to Gartner.
    • "SaaS sprawl" is causing an IT administration and security nightmare for enterprises.
    • Enforcing consistent policies for internal and cloud applications is key to effective governance.
    • Novell® Cloud Security Service allows organizations to extend their internal policies, roles and workflow and to manage a multi-SaaS environment consistently.
    • Novell is a leading provider of identity and security solutions and has been for over 20 years.
    © Novell, Inc. All rights reserved.
  • 3. Agenda
    • Why Novell® Cloud Security Service (NCSS)?
    • What Is NCSS and How Does It Work?
    • Architecture
    • Deployment Options
  • 4. Creating an IT Administration Nightmare. [Diagram: users, enterprise apps, systems/directory tools and the IT department, each holding its own copy of user data/permissions.] Challenges:
    • Multiple usernames/passwords
    • Multiple identity silos
    • Disparate administration tools
    • Challenge in timely deprovisioning accounts of ex-employees
  • 5. And Concerns Over Security
    • DuPont: “When a sales person leaves the company, it takes 10 days to de-provision their account in SalesForce.com. Until then, the sales person has access to his account. This is a real problem.”
    • International Fragrances & Flavors, at an executive briefing, told us: “We cannot use SaaS until it uses our identity management systems.”
    • “What’s keeping us from getting more large enterprise customers? Trust.” – David Carroll, Salesforce.com evangelist
  • 6. Agenda
    • Why Novell® Cloud Security Service (NCSS)?
    • What Is NCSS and How Does It Work?
    • Architecture
    • Deployment Options
  • 7. How Does NCSS Work? [Diagram: the enterprise user store and Secure Bridge, the Novell Cloud Security Services participant (NCS IdP, AuthN Service, user store) and the relying-party SaaS application, connected over SAML 1, SAML 2 and WS-Fed; user authentication and user access to SaaS resources shown as numbered flows 1-3.] NCSS handles both use cases: a user directly logging into a cloud service, or a user logging into their enterprise system first.
  • 8. NCSS Enterprise Connections with LDAP Identity Stores
    • Secure Bridge Service
      – SSH tunneling services for identity verification for NCSS
      – Audit reporting
    • Secure Bridge Appliance (post 1.0)
      – Identity federation to NCSS
      – SSH tunneling services for audit reporting
    [Diagram: identity store(s) and audit server(s) behind the enterprise firewall, reached through the Secure Bridge.]
  • 9. NCSS Enterprise Connections with Existing AM Solutions
    • Secure Bridge Service
      – SSH tunneling services for audit reporting
    • Access Management Solution Integration
      – Quick-start integration for common identity providers
      – SAML 2.0, POST capabilities required
    [Diagram: identity store(s) and audit server(s) behind the enterprise firewall, with the Secure Bridge alongside the existing access management solution.]
  • 10. NCSS Provider Components
    • Multi-tenant Director
      – Console hosting (Provider Console, Customer Console)
      – Audit collection/reporting
      – Cost accounting collection/reporting
      – Multi-tenant operations management
    • Per-tenant Security Brokers
      – Identity federation
      – Event routing
    [Diagram: the Director (consoles; audit/billing/operations) above Security Brokers for Tenant A, Tenant B and Tenant C, each performing identity federation and event routing.]
  • 11. NCSS SaaS Connections
    • Quick customer on-boarding
    • Per-customer services
      – Identity federation (SAML 2.0)
      – Audit reporting
    • Large supported platform base
      – Java Spring
      – Apache
      – ...
    [Diagram: SaaS connections carrying identity and events across the hoster/MSP firewall.]
  • 12. Agenda
    • Why Novell® Cloud Security Service (NCSS)?
    • What Is NCSS and How Does It Work?
    • Architecture
    • Deployment Options
  • 13. CSS: Identity and Compliance Services System Architecture. [Diagram: CSS Director (Administration, Operations Mgmt); Secure Bridge (Protocol Mapping, Event Distribution, Workflow Initiation); Cloud Security Broker (Authentication, Federation, Attribute Aggregation, Event Distribution, High Availability, Limited Workflow); SaaS/PaaS Services (PivotLink, SharePoint, Google App Engine); connections via SSH tunnel, identity federation protocol and RESTful APIs.]
  • 14. Secure Bridge Services: Protocol Mapping, Event Distribution, Workflow Initiation. [Diagram, Secure Bridge Services stack: LDAP Mapping, HTTP Services Mapping, Event Receptor, Limited Workflow API, Server, Event Distribution, CSB Connection Manager, SSH Tunnel.]
  • 15. CSS Director: Administration, Operations Mgmt. [Diagram, CSS Director stack: Administration (Customer Consoles, Provider Consoles) and Operations Management (CABE, Operations Director, Security Manager, Processors) on HTML/JavaScript/GWT and REST APIs, with a Configuration Distributor and Event Receptor; CSS Core Services (Instance Manager, Event Receptor, Security Broker Communication (REST), Session Manager (clustering), Data Store Mgmt (clustering)); CSS Service Foundation (Apache/Tomcat, Cloud Service Bus, WS*, AXIS, XMLSEC, XALAN, XERCES, JPA (Hibernate), JAX-RS, JMS/CMS, Log4j/cxx); Infrastructure Service Foundation (IaaS Management APIs (cloud vendor), HTTP Stack (Apache), Messaging Stack (ActiveMQ), SQL Database (SQLite), SSH Tunnel).]
  • 16. CSS Director (expanded): Administration, Operations Mgmt. [Diagram, expanded CSS Director stack: the Administration and Operations Management layers detailed as Customer Admin, Identity Services, CSB Registry, Tenant Segregation, CABE Services, Config Query APIs, Cert/Key Distribution, Report Generation, Security Auditor, Configuration Distribution, Event Correlation/Aggregation, Reports (billing, etc.), SB Query APIs, Billing Auditor, Backup/Restore, Event Receptor/Storage, Help Desk, System Monitoring, Service Migration/Upgrade, Billing Processing; HTML/JavaScript/GWT, REST APIs, Configuration Distributor, Event Receptor, CSS Core Services, CSS Service Foundation and Infrastructure Service Foundation as on slide 15.]
  • 17. Cloud Security Broker: Authentication, Federation, Attribute Aggregation, Event Distribution, High Availability, Limited Workflow. [Diagram, CSS Cloud Security Broker stack: Identity (Authentication Methods, Federation Protocols, Attribute Aggregation, Provisioning), Session, Event Distribution (Event Receptor; Event Processors & Services for Audit, Billing and Operations with customer and provider views), High Availability (Monitor/Scale), Workflow (Triggers, Management); CSS Core Services (Instance Manager, Event Receptor, Security Broker Communication (REST), Session Manager (clustering), Data Store Mgmt (clustering)); CSS Service Foundation (Java/Apache, WS*, AXIS, XMLSEC, XALAN, XERCES, JPA (Hibernate), JAX-RS, JMS/CMS, Log4j/cxx); Infrastructure Service Foundation (IaaS Management APIs (cloud vendor), HTTP Stack (Apache), Messaging Stack (ActiveMQ), SQL Database, SSH Tunnel).]
  • 18. Cloud Security Broker (expanded): Authentication, Federation, Attribute Aggregation, Event Distribution, High Availability, Limited Workflow. [Diagram, expanded Cloud Security Broker stack: Authentication Methods (Card Space, LDAP, OAuth, X-509); Federation Protocols (SAML 1.1, SAML 2, WS-*); Attribute Aggregation; User Provision / User De-provision; Session; Event Receptor and Event Processors (Audit, Billing, Operations, Security, Customer); High Availability (CSB Cluster Annexation, CSB Cluster Monitor, Service Health Monitor); Workflow (Director Management); CSS Core Services, CSS Service Foundation and Infrastructure Service Foundation as on slide 17.]
  • 19. [Diagram, Secure Bridge: on the enterprise side, the SB Daemon with Identity Connector, Event Connector and LDAP Mapping against the Enterprise Identity Store; on the SaaS/PaaS side, the SB SaaS Services with AEB Mapping and the CSB; linked by the Identity Federation Protocol and Secure Data Marshaling.]
  • 20. [Diagram, Secure Bridge with Enterprise Console and Audit Store: SB Daemon (Identity Connector, Event Connector, LDAP Mapping) on the enterprise side; SB SaaS Services (AEB Mapping, CSB) on the SaaS/PaaS side; REST API with OAuth; Secure Data Marshaling.]
  • 21. [Diagram, Secure Bridge: enterprise Identity Store and Audit Store with the SB Daemon (Identity Connector, Event Connector, LDAP Mapping); SB SaaS Services (AEB Mapping, CSB) on the SaaS/PaaS side; Identity Federation Protocol, REST API with OAuth, Secure Data Marshaling.]
  • 22. [Diagram, Secure Bridge with Provider Data Store and CSSD: SB Daemon (Identity Connector, Event Connector, LDAP Mapping, REST API) against the enterprise Identity Store and Audit Store; SB SaaS Services (AEB Mapping, Federation, CSB, REST API) on the SaaS/PaaS side; Secure Data Marshaling.]
  • 23. Agenda
    • Why Novell® Cloud Security Service (NCSS)?
    • What Is NCSS and How Does It Work?
    • Architecture
    • Deployment Options
  • 24. NCSS Small Deployment
    • 1 Multi-tenant Director
      – With configuration backup/restore services
    • 1-N customers/tenants, each with:
      – 1 Secure Bridge and
      – 1-2 Security Brokers connecting to 1-20 SaaS applications
    [Diagram: Director (Provider Console, Customer Console, audit collection/reporting, cost accounting collection/reporting, multi-tenant operations); per-tenant customer connections, Security Brokers and SaaS connections for Tenant A, Tenant B, ..., Tenant C.]
  • 25. NCSS Medium Deployment
    • Multi-tenant Director Cluster**
      – 1-8 Directors
    • 1-N tenants, each with:
      – 1 Secure Bridge
      – 1-5 Security Brokers connecting to 1-50 SaaS applications
    [Diagram: Director cluster (Provider Console, Customer Console, audit collection/reporting, cost accounting collection/reporting, multi-tenant operations) with a database cluster; per-tenant customer connections, Security Brokers and SaaS connections for Tenant A, Tenant B, ..., Tenant C.]
    ** Requires clustered DB server deployment
  • 26. NCSS Large Deployment
    • Multi-tenant Director Cluster**
      – 1-5 Directors
        > Console hosting
        > Multi-tenant operations
      – 1-5 Audit Servers
      – 1-5 Billing Servers
    • 50-N tenants, each with:
      – 1 Security Broker
      – 1-5 Security Brokers connecting to 1-100 SaaS applications
    [Diagram: Database Cluster, Director Cluster, Audit Cluster and Cost Accounting Cluster; per-tenant customer connections, Security Brokers and SaaS connections for Tenant A, Tenant B, ..., Tenant C.]
    ** Requires clustered DB server deployment
  • 27. Novell Cloud Security Service (NCSS). [Diagram: Director cluster (Provider Console, Customer Console, audit collection/reporting, cost accounting collection/reporting, multi-tenant operations) with per-tenant Security Brokers (Tenant A, Tenant B, ..., Tenant C); deep connectors to Rackspace internal and App Store apps; surface connectors to external SaaS applications, SSO only; customer-side options: internal LDAP directory only, using the NCSS Secure Bridge; internal identity management system with federation; no user accounts on customer premises; Novell Identity Manager.]
  • 28. Questions and Answers
  • 29. Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
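Slides 7 and 8 describe NCSS as a per-tenant identity provider that verifies each login against the enterprise directory through the Secure Bridge and then federates the user to the SaaS application, which is what closes the deprovisioning gap DuPont complains about on slide 5: an account disabled in the enterprise store can no longer obtain an assertion. The model below is an added illustration, not Novell code; it assumes a constructed user store, an HMAC tag standing in for the SAML XML signature, and made-up tenant key and audience names.

```python
import base64, hashlib, hmac, json, time

def _digest(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed enterprise user store, standing in for the LDAP directory that the
# Secure Bridge reaches over its SSH tunnel; no copy of it lives in the cloud.
ENTERPRISE_USERS = {
    "alice": {"salt": "s1", "pw": _digest("correct horse", "s1"),
              "active": True, "roles": ["sales"]},
}

class SecurityBroker:
    """Per-tenant broker acting as the NCSS IdP: verifies every login against the
    enterprise store and issues a short-lived, audience-bound assertion.
    An HMAC tag stands in (assumption) for a SAML XML signature."""
    def __init__(self, user_store, signing_key):
        self.store, self.key = user_store, signing_key

    def login(self, user, password, audience, ttl=300, now=None):
        rec = self.store.get(user)
        if rec is None or not rec["active"]:
            return None  # unknown, or already deprovisioned in the enterprise directory
        if not hmac.compare_digest(rec["pw"], _digest(password, rec["salt"])):
            return None
        body = {"sub": user, "aud": audience, "roles": rec["roles"],
                "exp": int(now if now is not None else time.time()) + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + tag

class SaasRelyingParty:
    """SaaS application that trusts one broker key: checks signature, audience
    and expiry before accepting the asserted subject."""
    def __init__(self, audience, broker_key):
        self.audience, self.key = audience, broker_key

    def accept(self, assertion, now=None):
        try:
            payload_b64, tag = assertion.split(".")
            payload = base64.urlsafe_b64decode(payload_b64)
        except (ValueError, TypeError):
            return None  # malformed token
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # tampered, or signed by another tenant's broker
        body = json.loads(payload)
        clock = now if now is not None else time.time()
        if body.get("aud") != self.audience or body.get("exp", 0) <= clock:
            return None  # replayed against the wrong SaaS, or expired
        return body["sub"]
```

The `now` parameter exists only so that expiry can be exercised deterministically; a real relying party uses its own clock, and per-tenant keys keep one tenant's broker from minting assertions another tenant's SaaS would accept.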