IdM And The Cloud: Stormy Days Ahead?

Identity Management and the Cloud: Stormy Days Ahead? Nishant Kaushik Architect, Oracle Identity Management

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda
The X’s of Cloud Computing
The Identity Factor
The Identity Platform for the Cloud
Putting it All Together
<Insert Picture Here>

The Allure of Cloud Computing
Pay As You Go
Availability
Flexibility
Time To Value
Simplicity
A New Paradigm Cloud Computing is about the on-demand, elastic and scalable consumption of computing resources.

The Basics of Cloud Computing
It is service-based
It is scalable and elastic
It shares a pool of resources
It is metered by use
It uses internet technologies
Basic Attributes Gartner has said there are 5 basic attributes of a cloud computing model.

The Myths of Cloud Computing
The Cloud Computing model should be viewed as any other utility - a black box that seamlessly presents your information on demand
IT As Utility Pay no attention to how it works under the hood

The Reality of Cloud Computing
SLAs = Inadequate; Usually favoring provider
Transparency = Missing
Standards = Few in practice
Security Concerns = Unresolved
Interoperability = Coming…?
Dig A Little Deeper Cloud Computing lacks some of the characteristics expected of a utility.

The Risks of Cloud Computing
Information Protection Challenges
Governance Models in Jeopardy
Strategic Vulnerability
Mind The Gap IDC survey: 74% rate cloud security issues as “very significant”

Agenda
The Identity Factor

It’s Déjà Vu All Over Again… Who has access? How is the access controlled? What about Privileged Access? Is data encrypted, segregated? Is data located in correct jurisdictions? Am I in compliance with regulations? How are breaches detected? Do I have audit & investigative capability? Can I switch services to another vendor? Cloud Security Challenges

It’s Déjà Vu All Over Again… Who has access? How is the access controlled? What about Privileged Access? Is data encrypted, segregated? Is data located in correct jurisdictions? Am I in compliance with regulations? How are breaches detected? Do I have audit & investigative capability? Can I switch services to another vendor? Cloud Security Challenges Enterprise Security Challenges

Identity – The Key to Enterprise Security
Compliance with business policies & regulations
Make governance sustainable by driving down administration cost & improving service levels
Enables business agility & collaboration
Improved risk management & customer satisfaction
The 3 A’s of Identity are core to the Information Protection challenge
Access Controls Strategic Advantage

Identity – The Key to Enterprise Security
Compliance with business policies & regulations
Make governance sustainable by driving down administration cost & improving service levels
Enables business agility & collaboration
Improved risk management & customer satisfaction
The 3 A’s of Identity are core to the Information Protection challenge
Access Controls Strategic Advantage and Cloud

Considerations for a Move to the Cloud
Single-Sign On for users of enterprise and cloud based assets
Ability to quickly provision and de-provision access to cloud assets
Granular access controls that can be managed externally
Privileged Account Management
Audit capabilities in support of compliance requirements
Standards-based Interfaces

Having Said All That While Cloud Computing is more… … this… …than this… Each evolutionary jump does introduce variables and characteristics that change the game

Cloud computing has “unique attributes that require risk assessment in areas such as data integrity, recovery and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance and auditing,”
Assessing the Security Risks of Cloud Computing, June 2009
What Gartner Is Saying

Enterprise IdM, Interrupted Convention Traditional Enterprise IdM relies on tight integration and heavy customization, with direct access to data stores

Enterprise IdM, Interrupted Convention Disruption Traditional Enterprise IdM relies on tight integration and heavy customization, with direct access to data stores The cloud’s model of sharing resources makes tight coupling a non starter

Enterprise IdM, Interrupted Convention Disruption Traditional Enterprise IdM relies on tight integration and heavy customization, with direct access to data stores Vision Identity infrastructure that seamlessly spans an enterprises internal & cloud environments The cloud’s model of sharing resources makes tight coupling a non starter

Agenda
The Identity Factor

Enter the Identity Services Model
The goal: To provide identity functionality in a consistent, reusable service-oriented model to all applications/services
Identity, access and compliance management functionality implemented as services in a SOA
Promotes loose coupling to ensure long term viability and heterogeneity of business solutions
Applications/Services/Platforms Sharing Services Shared, Reusable Services Service Infrastructure Service 1 Service 2 Service 3 Retail Customer Service Partner Application Employee Portal Cloud Service Identity Services

Cloud Computing Tiered Architecture Software as a Service (SaaS) Platform as a Service (PaaS) Software Infrastructure as a Service (SIaaS) Hardware Infrastructure as a Service (HIaaS) Identity Services Cloud Computing: Transforming IT – Burton Group Report, 2009

Extending Enterprise IdM to the Cloud SaaS PaaS IaaS Enterprise Identity Management Identity Services Platform Adopting the Identity Service Platform allows compliant services to plug into your identity infrastructure

Identity Services Platform for the Cloud
The Identity Services Platform contains the set of identity services needed to extend Enterprise Identity to the cloud
Could be deployed internally or in the cloud itself
Enterprise Identity Providers protected by IGF-style policy controls Identity Assurance Identity Administration Identity Authorization Identity Hub Federated Authentication & User-Centric Identity that spans the enterprise environment and cloud environment Strong User and Access Lifecycle Management (Provisioning/De-Provisioning Capabilities) A Claims-Based Authorization model, coupled with strong XACML-based Entitlement Management A standardized Audit Framework for creating, managing and analyzing audit trails across cloud services Identity Audit Interfaces Identity Services Platform

Identity Assurance
Federated Authentication (including MFA) for high-assurance identity verification
User-Centric Identity Schemes (like OpenID and OAuth) for consumer authentication and lightweight federation
Fraud Prevention
Identity Proofing
Risk Forensics

Identity Administration
User and Role Lifecycle Management
Approval-based Administration
Account Provisioning and De-Provisioning
Change Notification
Credential Management
Centralized Self-Service
Profile and Password Management

Identity Authorization
Policy Definition and Management
Standard-based
Replication and Synchronization of policies
Fine-Grained Policy Enforcement
Support for Distributed, real-time, high performance Policy Enforcement Points
Enforce Separation of Duties policies
Support Claims-based model

Identity Hub
Identity Service that provides access to Identity Data
Support for Virtualization over multiple authoritative sources
Secure storage of Credentials
Privacy Controls with Identity Governance Framework
Declarative Governance Model for how identity data is provided and consumed
Implements the Principle of Least Knowledge and Minimal Disclosure
Support both definitive (date of birth) and derived (over 21) identity data
Attribute declaration
Usage Constraints

Identity Audit
Identity Auditing
Common Audit Framework
Centralized Identity Warehouse
Compliance Reporting
Access Certification Services
Analytics
Preventive and Detective Controls
Mining
Event Correlation
Activity Monitoring

Moving IdM Services into the Cloud Enterprise Identity Management Cloud-based Identity Service Providers Adopting the Identity Service Platform means never having to worry about where your Identity Service is deployed

Many Services already in the Cloud
User Authentication
Identity Proofing based on Public Databases
Identity Risk Assessment
Identity Oracles
User Provisioning

Becoming a Cloud Service Provider Enterprise Identity Management Cloud-based Relying Parties Adopting the Identity Service Platform enables an enterprise to become an Identity SP for other Cloud Services (RPs)

The Cloud Identity Model IAM Service Provider Identity Administration Service Identity Services Platform Identity Hub Service Business Service Provider Consumer Identity Authorization Service Identity Assurance Service Identity Assurance Service Identity Audit Service Identity Services Platform Identity Services Platform
All participants have interoperable identity services
Every participant can be both the service provider and service consumer

Agenda
The Identity Factor

A Path into the Cloud Service Externalization Build A Private Cloud Extend to Hybrid/Public Clouds
Develop your company's security policy toward cloud computing
Implement IdS platform by leveraging standards-based IdM tools
Use private cloud build-out to validate policies, controls & interfaces
Evaluate cloud providers the same way you would internal systems
Insist they be interoperable with your identity services
Put in place detective controls
Define Cloud Security Policy

Oracle Identity Management Can Help Audit & Compliance Manageability Access Management Identity Administration Directory Services
Access Manager
Adaptive Access Manager
Enterprise Single Sign-On
Identity Federation
Entitlements Server
Identity Manager
Role Manager
Internet Directory
Virtual Directory
Identity Management Suite
Enterprise Manager IdM Pack

Build your Identity Services Platform Check out my OpenWorld 2008 session (S298923) on “Building an Identity Services Layer with Oracle Identity Management OIM + OIA + CAF Identity Audit OPSS Interfaces OIM Identity Administration OES + OAAM Identity Authorization OAM + OAAM Identity Assurance OVD + IGF (+ OID, if needed) Identity Hub Implement Using Identity Service

Oracle IdM in the Cloud
Identity Assurance
BT Identity Services includes Managed Fraud and URU Identity Verification Services that relies on OAAM
CUNY provisioning deployment spans Peoplesoft hosted by Cedar-Crestone and other apps in their datacenter
Embry Riddle is provisioning to hosted Microsoft Online
Identity Services
EDS offering the whole Identity Management suite to partners as a hosted/managed service

Unlocking the Potential
Security built right into the platform
Multi-Tenant model spreads the cost of security across
Vendors have incentive to standardize, interoperate
Introduce greater rigor and best practices into business policy and governance
Transforming IT Cloud architecture actually lends itself to a far more robust and reliable security architecture.

To Learn More
Oracle Identity Management
Visit: www.oracle.com/identity
Oracle Cloud Computing
Visit: www.oracle.com/us/technologies/cloud
Continue the Discussion
Blog: blog.talkingidentity.com
Twitter: @ nishantk

While at OpenWorld
EDS Automates Infrastructure Outsourcing Provisioning Processes with Oracle Identity Manager
Monday October 12 | 2:30pm | Marriot Hotel Salon 2
Quantifying the Benefits of Oracle Identity Management at the City of University of New York
Monday October 12 | 4:00pm | Moscone South 308
Benefits and Challenges of Centralized Entitlements
Tuesday October 13 | 11:30am | Marriott Hotel Salon 3
Identity Administration Services and Standards
Thursday October 15 | 9:00am | Marriott Hotel Salon 8

http://blog.talkingidentity.com	191
http://www.ukocn.com	24
http://www.slideshare.net	13
http://static.slidesharecdn.com	4
http://www.linkedin.com	3

IdM And The Cloud: Stormy Days Ahead?

by Nishant Kaushik on Oct 14, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 235

Statistics

IdM And The Cloud: Stormy Days Ahead? — Webinar Transcript