Identity and Access Management Reference Architecture for Cloud Computing


This presentation outlines a comprehensive reference architecture for meeting the secure access and provisioning demands of outsourcing business and technology processes to “the cloud”. The attendee will walk away with a more solid understanding of the identity and access management challenges facing organizations that want to move application and business process support to cloud computing providers, and with a reference architecture that outlines how to build standards-based solutions for each challenge.

John F. Bauer III has over 20 years of Information Technology and Security delivery experience. John is currently the Enterprise Security Architect for Key Bank and has previously held leadership positions at British Petroleum, Cliffs Natural Resources, MTD Products, and National City/PNC Bank. John has spoken previously on the topic of Information Security at CA World, Oracle Open World, Digital ID World and NACHA conferences. John has both a Computer Science degree and an MBA from Case Western Reserve University’s Weatherhead School of Management and is a frequent Adjunct Professor of Network Security at Cuyahoga Community College. John also maintains an active blog: MidwestITSurvival.com.

Published in: Technology, Business

Identity and Access Management Reference Architecture for Cloud Computing

  1. Identity and Access Management Reference Architecture for Cloud Computing. John F. Bauer III, [email_address]
  2. Bio
     - John F. Bauer III
       - Over 20 years of Information Technology and Security delivery experience.
       - Currently the Enterprise Security Architect for Key Bank
     - Previous leadership positions at:
       - British Petroleum
       - Cliffs Natural Resources
       - MTD Products
       - National City/PNC Bank
     - Spoken previously on the topic of Information Security at:
       - CA World
       - Oracle Open World
       - Digital ID World
       - NACHA Security conferences
     - Computer Science degree and MBA from Case Western Reserve University’s Weatherhead School of Management
     - Adjunct Professor on Network Security at Cuyahoga Community College
     - Author: Blog – http://MidwestITSurvival.com
  3. Quote: "Computing may someday be organized as a public utility just as the telephone system is a public utility," Professor John McCarthy said at MIT's centennial celebration in 1961. "Each subscriber needs to pay only for the capacity he actually uses, but he has access to all programming languages characteristic of a very large system ... Certain subscribers might offer service to other subscribers ... The computer utility could become the basis of a new and important industry." (Slide image: Carl B. Stokes Public Utilities Building, Cleveland, Ohio, USA. Completed: 1971.)
  4. Agenda
     - The Hype has Legs: Real Usage of “the Cloud” Growing (SaaS)
     - Need for a Comprehensive IAM Architecture as Part of Secure SaaS Success
     - Business and Technology Architecture
       - User Access and Directories
       - Provisioning
       - Procurement, HR and Legal
       - SSO and Federation
       - Authorization
     - IAM Reference Architecture
     - Architecture Framework Investment Roadmap
     - NOTE: All the content of this presentation is the opinion of the author and not of the author's past or current employers.
  5. Moving to the Cloud
  6. Moving to the Cloud. Sources: Forrester, "The Software Market in … 2011"; Gartner, http://www.gartner.com/it/page.jsp?id=1438813; Ismael Chang Ghalimi, http://itredux.com/2009/10/11/defining-cloud-computing-for-business-users/
  7. Cloud Econ 101. The lower total operating costs afforded by cloud SaaS offerings resonate with IT and business leaders. Booz Allen Senior Associate Gwen Morton and Associate Ted Alford compared the life cycle cost to run 1,000 servers in a managed environment in-house, through a cloud offering from a commercial provider, from a centralized in-house cloud, and in a hybrid of a public and private cloud. Source: Booz Allen, http://www.boozallen.com/insights/insight-detail/42656904
  8. Cloud IAM – There Still Is Time
  9. IAM Cloud Strategy Needed
     - Business Architecture
       - Procurement
       - Legal
       - Human Resources
     - Technology Architecture
       - Access
       - Directory
       - Provisioning
       - Federation
       - Authorization
  10. Business Architecture - Procurement. With just a credit card, any business user can start using SalesForce.com for $15 a month per user without IT involvement. Source: http://www.salesforce.com/crm/editions-pricing.jsp. “What?!?! The sales department signed up for a SaaS CRM service last month?”
  11. Business Architecture - Procurement
     - Get plugged into your procurement life-cycle (Source: http://indirectpurchasing.com/lifecycle.html)
     - Get buy-in to participate in the SaaS selection process
     - Provide RFI/RFP questions around IAM for SaaS
  12. Business Architecture - Legal
     - Educate legal on the need for IAM language in SaaS contracts
     - Get buy-in that IAM language reduces risk and drives down costs
     - Assist with default MSA and other template language
  13. Business Architecture - HR
     - Educate HR on how employees using SaaS affects them
     - Get HR buy-in that SaaS provisioning needs IT participation
     - Do SaaS roles match HR job codes? Do employees get de-provisioned in SaaS when terminated in the HR platform?
  14. IAM Cloud Strategy Needed (section divider, repeating slide 9)
     - Business Architecture
       - Procurement
       - Legal
       - Human Resources
     - Technology Architecture
       - Access
       - Directory
       - Provisioning
       - Federation
       - Authorization
  15. Technology Architecture - Directory
     - Identify a “central” directory for linking user groups to SaaS
     - LDAP-capable technology will integrate most easily with access platforms
  16. Technology Architecture - Access
     - Shift to “externalized access thinking”
     - Invest in access control products
     - Consider vendor products that offer both web access management and federation capabilities
     - Integrate externalized access technology with your “centralized” directory
  17. Technology Architecture - Provisioning
     - Shift to centralized provisioning thinking
     - Identify systems of record by user relationship
     - Invest in enterprise provisioning products
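The two HR questions on slide 13 (do SaaS roles match HR job codes, and are terminated employees de-provisioned in SaaS?) and the "systems of record" point on slide 17 come down to a periodic reconciliation between the HR system of record and each SaaS provider's user export. The following is an added example of that check, not code from the presentation; the HR export format, the SaaS export format, the sample records and the job-code-to-role map are all constructed assumptions for illustration.

```python
"""Reconcile a SaaS provider's user export against the HR system of record.

Added example (not from the presentation). All data below is constructed;
the record layouts and the job-code-to-role map are assumptions.
"""
from dataclasses import dataclass, field

# Constructed HR system-of-record export: employee id, email, status, job code.
HR_EXPORT = [
    {"emp_id": "E100", "email": "alice@example.com", "status": "active", "job_code": "SALES_MGR"},
    {"emp_id": "E101", "email": "bob@example.com", "status": "active", "job_code": "SALES_REP"},
    {"emp_id": "E102", "email": "carol@example.com", "status": "terminated", "job_code": "SALES_REP"},
]

# Constructed SaaS (e.g. CRM) user export: login, enabled flag, application role.
SAAS_EXPORT = [
    {"login": "alice@example.com", "enabled": True, "role": "Manager2"},
    {"login": "Bob@example.com", "enabled": True, "role": "Manager2"},   # role exceeds HR job code
    {"login": "carol@example.com", "enabled": True, "role": "User1"},    # terminated in HR, still enabled
    {"login": "dave@example.com", "enabled": True, "role": "User1"},     # no HR record at all
]

# Assumed mapping from HR job code to the role the SaaS platform should hold.
JOB_CODE_TO_ROLE = {"SALES_MGR": "Manager2", "SALES_REP": "User1"}


@dataclass
class ReconciliationReport:
    deprovision: list = field(default_factory=list)    # terminated in HR, still enabled in SaaS
    orphans: list = field(default_factory=list)        # present in SaaS, unknown to HR
    role_mismatch: list = field(default_factory=list)  # (login, expected_role, actual_role)
    missing: list = field(default_factory=list)        # active in HR, absent from SaaS


def reconcile(hr_records, saas_accounts, job_code_to_role):
    """Compare the SaaS export with HR and return the discrepancies to act on.

    HR is treated as the system of record: any enabled SaaS account without
    an active HR counterpart is flagged, as is any role that does not match
    the role implied by the employee's HR job code.
    """
    report = ReconciliationReport()
    hr_by_email = {r["email"].lower(): r for r in hr_records}
    seen = set()

    for acct in saas_accounts:
        login = acct["login"].lower()          # logins are compared case-insensitively
        seen.add(login)
        hr = hr_by_email.get(login)
        if hr is None:
            report.orphans.append(login)
            continue
        if hr["status"] != "active":
            if acct["enabled"]:
                report.deprovision.append(login)
            continue
        expected = job_code_to_role.get(hr["job_code"])
        if expected is not None and acct["role"] != expected:
            report.role_mismatch.append((login, expected, acct["role"]))

    # Active employees who should have an account but do not appear in the export.
    for email, hr in hr_by_email.items():
        if hr["status"] == "active" and email not in seen:
            report.missing.append(email)
    return report


if __name__ == "__main__":
    result = reconcile(HR_EXPORT, SAAS_EXPORT, JOB_CODE_TO_ROLE)
    print("disable in SaaS :", result.deprovision)
    print("orphan accounts :", result.orphans)
    print("role mismatches :", result.role_mismatch)
    print("missing accounts:", result.missing)
```

The report's `deprovision` and `orphans` lists are the direct answer to the slide's de-provisioning question; the `role_mismatch` list answers the job-code question. In practice the two exports would be pulled on a schedule and the lists fed into the enterprise provisioning product rather than printed.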
  18. Technology Architecture - Federation. Invest in a Federation solution: “Federated Identity Management amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations.” Source: Wikipedia, http://en.wikipedia.org/wiki/Federated_Identity_Management
  19. Technology Architecture - Federation. Your federation approach is driven by your partner relationships.
  20. Technology Architecture - Federation
  21. Technology Architecture - Provisioning. Federation needs users provisioned in SaaS platforms: … but consider extending your identity federation exchange. (Slide compares two provisioning standards: an established standard {heavy weight, complex} and an emerging standard {light weight, unproven}.)
  22. Technology Architecture - Provisioning: … with “Just in Time” provisioning. During the federation exchange, populate attributes with provisioning details:

         <saml:Attribute Name="Fullname">
           <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
             John F. Bauer III
           </saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="AppRole">
           <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
             Manager2
           </saml:AttributeValue>
         </saml:Attribute>
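The slide shows the identity provider side of "Just in Time" provisioning: the assertion carries `Fullname` and `AppRole`. What the SaaS (service provider) side has to do with them is shown in the following added example, which is not code from the presentation. It embeds a constructed assertion fragment that carries the slide's two attributes, assumes the federation software has already verified the signature, issuer, audience and validity window before this code runs, and assumes a small set of roles the application actually defines; the login `jbauer@example.com` and the role list are placeholders.

```python
"""Service-provider side of SAML "Just in Time" provisioning.

Added example, not from the presentation. The assertion is a constructed
fragment; it is assumed to be signature-verified and validated already.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed assertion fragment carrying the two attributes from the slide.
# The NameID value is a placeholder login, not a real address.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jbauer@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Fullname">
      <saml:AttributeValue>John F. Bauer III</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="AppRole">
      <saml:AttributeValue>Manager2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Roles the application defines (assumed). A role the SP does not know is
# rejected rather than created, so the IdP cannot mint privileges by name.
KNOWN_ROLES = {"Manager2", "User1"}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def subject_name_id(assertion_xml):
    """Return the Subject NameID text, or None when absent."""
    root = ET.fromstring(assertion_xml)
    nid = root.find("saml:Subject/saml:NameID", NS)
    return (nid.text or "").strip() if nid is not None else None


def jit_provision(assertion_xml, users):
    """Create or update the local user record from a validated assertion.

    users: dict login -> record, mutated in place and the record returned.
    Raises ValueError when the assertion lacks what provisioning needs, so
    the login fails closed instead of creating a half-provisioned account.
    """
    login = subject_name_id(assertion_xml)
    if not login:
        raise ValueError("assertion has no Subject NameID")
    attrs = extract_attributes(assertion_xml)
    roles = attrs.get("AppRole", [])
    if len(roles) != 1:
        raise ValueError("exactly one AppRole attribute value expected")
    if roles[0] not in KNOWN_ROLES:
        raise ValueError(f"unknown AppRole {roles[0]!r}")
    record = users.setdefault(login, {"login": login})
    record["fullname"] = attrs.get("Fullname", [""])[0]
    record["role"] = roles[0]          # re-asserted on every login, so IdP changes propagate
    record["source"] = "saml-jit"
    return record


if __name__ == "__main__":
    store = {}
    print(jit_provision(ASSERTION, store))
```

Because the role is re-applied from the assertion on every federated login, a role change or removal at the identity provider takes effect at the next login without a separate provisioning call; an account that no longer receives assertions still needs the reconciliation step from the earlier slides to be disabled.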
  23. Technology Architecture - Authorization. Shift to “externalized authorization thinking”. (Slide lists vendors and the established standard.)
  24. Reference Architecture
  25. Roadmap
  26. Questions? John F. Bauer III, [email_address], http://midwestitsurvival.com, http://twitter.com/jfbauer
