Identity and Access Management Reference Architecture for Cloud Computing

Identity and Access Management Reference Architecture for Cloud Computing John F. Bauer III [email_address]

BIO Page
John F. Bauer III
Over 20 years of Information Technology and Security delivery experience.
Currently the Enterprise Security Architect for Key Bank
Previous leadership positions at:
British Petroleum
Cliffs Natural Resources
MTD Products
National City/PNC Bank
Spoken previously on the topic of Information Security at:
CA World
Oracle Open World
Digital ID World
NACHA Security conferences.
Computer Science degree and MBA from Case Western Reserve University’s Weatherhead School of Management
Adjunct Professor on Network Security at Cuyahoga Community College
Author: Blog – http:// MidwestITSurvival.com

Quote "Computing may someday be organized as a public utility just as the telephone system is a public utility," Professor John McCarthy said at MIT's centennial celebration in 1961 . "Each subscriber needs to pay only for the capacity he actually uses, but he has access to all programming languages characteristic of a very large system ... Certain subscribers might offer service to other subscribers ... The computer utility could become the basis of a new and important industry." Page Cleveland, Ohio, USA Carl B. Stokes Public Utilities Building Completed: 1971

Agenda
The Hype has Legs, Real Usage of “the Cloud” Growing (SaaS)
Need for a Comprehensive IAM Architecture as Part of Secure SaaS Success
Business and Technology Architecture
User Access and Directories
Provisioning
Procurement, HR and Legal
SSO and Federation
Authorization
IAM Reference Architecture
Architecture Framework Investment Roadmap
NOTE: All the content of this presentation is the opinion of the author and not the author's past or current employers.
Page

Moving to the Cloud Page

Moving to the Cloud Forrester The Software Market in … 2011 http://www.gartner.com/it/page.jsp?id=1438813 http://itredux.com/2009/10/11/defining-cloud-computing-for-business-users/ Source: Ismael Chang Ghalimi http://itredux.com/2009/10/11/defining-cloud-computing-for-business-users/ Page

Cloud Econ 101 The lower total operating costs afforded by cloud SaaS offerings resonates with IT and business leaders. Booz Allen Senior Associate Gwen Morton and Associate Ted Alford compared the life cycle cost to run 1,000 servers in a managed environment in-house, through a cloud offering from a commercial provider, from a centralized in-house cloud, and a hybrid of a public and private cloud. Source: Booz Allen, http://www.boozallen.com/insights/insight-detail/42656904 Page

Cloud IAM – There still is Time Page

IAM Cloud Strategy Needed
Business Architecture
Procurement
Legal
Human Resources
Technology Architecture
Access
Directory
Provisioning
Federation
Authorization
Page

Business Architecture - Procurement With just a credit card , any business user can start using SalesForce.com for $15 a month per user without IT involvement . Source: http://www.salesforce.com/crm/editions-pricing.jsp “ What?!?! The sales department signed up for a SaaS CRM service last month?” Page

Business Architecture - Procurement
Get plugged into your procurement life-cycle
Source: http://indirectpurchasing.com/lifecycle.html
Get buy-in to participate in the SaaS selection process
Provide RFI/RFP questions around IAM for SaaS
Page

Business Architecture - Legal
Educate legal on the need for IAM language in SaaS contracts
Get buy-in that IAM language reduces risk and drives down costs
Assist with default MSA and other template language
Page

Business Architecture - HR
Educate HR on how employees using SaaS affects them
Get HR buy-in that SaaS provisioning needs IT participation
Do SaaS roles match HR job codes? Do employees get de-provisioned in SaaS when terminated in the HR platform? Page

IAM Cloud Strategy Needed
Business Architecture
Procurement
Legal
Human Resources
Technology Architecture
Access
Directory
Provisioning
Federation
Authorization
Page

Technology Architecture - Directory
Identify a “central” directory for linking user groups to SaaS
LDAP capable technology will integrate most easily with access platforms
Page

Technology Architecture - Access
Shift to “externalized access thinking”
Invest in access control products
Consider vendor products that offer both web access management as well as federation capabilities
Integrate externalized access technology with your “centralized” directory
Page

Technology Architecture - Provisioning
Shift to centralized provisioning thinking
Identify systems of record by user relationship
Invest in enterprise provisioning products
Page Page

Technology Architecture - Federation Invest in a Federation solution: “ Federated Identity Management amounts to having a common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations” Source = Wikipedia, http://en.wikipedia.org/wiki/Federated_Identity_Management Page

Technology Architecture - Federation Federation approach is driven by your partner relationships Page

Technology Architecture - Federation Page

Technology Architecture - Provisioning Federation needs users provisioned in SaaS platforms: … but consider extending your identity federation exchange Established Standard {heavy weight, complex} Emerging Standard {light weight, unproven} Page

… with “Just in Time” provisioning <saml:Attribute Name="Fullname"> <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> John F. Bauer III </saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="AppRole"> <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> Manager2 </saml:AttributeValue> During the federation exchange, populate attributes with provisioning details Technology Architecture - Provisioning Page

Technology Architecture - Authorization Shift to “externalized authorization thinking” Vendors Established Standard Page

Reference Architecture Page

Roadmap Page

Questions? John F. Bauer III [email_address] http://midwestitsurvival.com http://twitter.com/jfbauer Page

Identity and Access Management Reference Architecture for Cloud Computing

by John Bauer on Oct 31, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 245

Statistics

Identity and Access Management Reference Architecture for Cloud Computing — Presentation Transcript