Your SlideShare is downloading. ×
  • Like
  • Save

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Extending Enterprise Security into the Cloud

  • 1,172 views
Published

For years enterprises have invested in identity, privacy and threat protection technologies to guard their information and communication from attack, theft or compromise. The growth in SaaS and IaaS …

For years enterprises have invested in identity, privacy and threat protection technologies to guard their information and communication from attack, theft or compromise. The growth in SaaS and IaaS usage however introduces the need to secure information and communication that spans the enterprise and cloud. This presentation will look at approaches for extending existing enterprise security investments into the cloud without significant cost or complexity.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
1,172
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
2

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Identity and Securityin the Age of CloudSteve Coplan, AnalystL AY E R 7 P R E S E N TAT I O N , M A R C H 1 5 , 2 0 1 0
  • 2. AgendaWhat do we mean by cloud?What control and security issues does cloud present?How do these issues map to current enterprise security architectures?Why does this create the need for cloud access governance?What role does identity play in cloud access governance?Moving from federated SSO to distributed access management2 Layer 7 Presentation | March 2011
  • 3. Defining a Cloud Computing Architecture Dynamic Publicly Pricing Model Accessible Rapid Provisioning & Programmatic Self-Service Mgmt. Interface Multi-Tenancy Automation Virtualization Scalability & Elasticity Technology Enablers Enterpise Security Network Compute Storage Apps Mgmt Apps3 Layer 7 Presentation | March 2011
  • 4. Defining a Cloud Computing Architecture4 Layer 7 Presentation | March 2011
  • 5. What does cloud mean for security? Security Management & GRC Identity/Entity SecurityApplication Security Data Security Host Network Infrastructure Security 5 Layer 7 Presentation | March 2011
  • 6. What does this have to do with identity and the cloud?Identity is important because:  Compliance requirements invoke identity attributes or definitions, access controls and authentication  Identity pivot construct in defining access controls for the cloud • Need to know who you are to describe what you can/can’t do Identity single control construct for multiple resources • SSO functions as a normalized event stream for a user • Cloud Hybridization, Desktop Virtualization, Device Proliferation escalate need for a consolidated identity and abstracted attributes6 Layer 7 Presentation | March 2011
  • 7. What does this have to do with identity and the cloud?Identity in the cloud is important because:  Identity is the common point of reference for discontinuous infrastructure  Identity is the a key parameter for making sense of visibility  Who is the first question from a business context and by extension policy7 Layer 7 Presentation | March 2011
  • 8. Introducing The Cloud Access Gateway8 Layer 7 Presentation | March 2011
  • 9. The Cloud Access Gateway Acts as a proxy between clouds, virtualized data- centers and internal resources Ensures that policies remain consistent and are uniformly enforced by associating policies with the workload Provides dynamic policy enforcement Establishes resource partitioning and data access rights when a session is established Can function as security for the cloud and security for the cloud9 Layer 7 Presentation | March 2011
  • 10. Federated SSO and unified access control10 Layer 7 Presentation | March 2011
  • 11. The Intersection of Cloud and IdentityIdentity management vendors Cloud service providersare from Mars are from Venus View identity as a middleware  View identity as a platform layer or service component View cloud, virtualization  View identity as an service and mobile enablement constructDifferent understanding of the function of identity Identity management vendors still dealing with technical challenges of portable identity Cloud service providers see need for portable identity associated with portable image11 Layer 7 Presentation | March 2011
  • 12. Identity and the Journey to the CloudMaturity stage Customers Technology Elements Providers Delivery ModelPortability Enterprise SSO Identity management Hybrid: On-premise gateways (Identity providers) Authentication vendors (Incumbents, Federation gateways Service Providers venture-funded partners) Federation (SAML, OpenID, Federation hubs (relying parties) OAuth, WS-Fed) Platform vendors SaaS providers Application Access Control Paas ProvidersInfrastructure Identity Providers Authorization (XACML Paas/SaaS Providers From the cloud Authentication, Cloud Service Providers Provisioning/Governance Identity management SSO, trust services Identity as a Service Cloud access gateways vendors To the cloud Providers Trust brokers Cloud service providers Provisioning User privacy stores In the cloud: Directory in the cloudArchitecture Enterprise Embedded middleware Cloud service providers In the cloud -service federation, Cloud service providers Attribute sources PaaS providers image federation Attribute assurance Identity Providers Run-time authentication, authorization and provisioning Trust brokers Identity as a service Cloud federation vendors Incumbents12 Layer 7 Presentation | March 2011
  • 13. Understanding Cloud Adoption Stages of Maturity13 Layer 7 Presentation | March 2011
  • 14. Many Clouds, One identity Federated SSO pushes out an enterprise identity Standards (SAML, OAuth, OpenID) allow applications to consume the identity Access policies mapped back to identity assertion One identity, but many identity assertions based on context How to evaluate at multiple cloud edges?14 Layer 7 Presentation | March 2011
  • 15. Many Clouds, One Identity? Directory in the Cloud15 Layer 7 Presentation | March 2011
  • 16. Many Clouds, One identity  Provisioning on the fly (just in time provisioning) addresses synchronization across the enterprise and A application user store  Core of identity assertions may be static, but context can be dynamic  Spectrum of accounts associated with users: • Long-lived accounts • Ephemeral accounts (project-based, collaboration portals) • Life of the application16 Layer 7 Presentation | March 2011
  • 17. Extending Enterprise Security to the Cloud Pushing out what you Taking what you know want services to know about your users about your users Making services identity Looking beyond federated aware for SaaS, PaaS SSO to distributed access stacks management17 Layer 7 Presentation | March 2011
  • 18. Identity In The Cloud • Q&A Thank You. Questions? steve.coplan@the451group.com18 Layer 7 Presentation | March 2011
  • 19. Extending Enterprise Security Into The Cloud K. Scott Morrison CTO and Chief Architect March 15, 2011
  • 20. Identity Is The Basis For True Cloud Governance Mosaic Source: facesofmillions.com 14-mar-2011
  • 21. Achieving Compliance Using Security Gateways No Agents Audit API/Serv Service agnostic ice Host Enforce Policies Monitor & Distributed Transaction Report Publish If you sit in the middle, you can do anything
  • 22. The Cloud Services Gateway Traditional Hardware Virtual Appliance Appliance Identical Functionality Access Control Audit Monitoring Policy Mgmt Security Token Services (STS)  Cope with dynamic perimeter  Support incremental adoption
  • 23. Taking Identity To A Dynamic Perimeter Private Cloud Systems of Record Public CloudExisting IAM On-Premise Network
  • 24. Security For The Cloud: CloudConnectSecurely connect enterprises to the cloud: Leverage existing IAM infrastructure for SaaS SSO Securely integrate with SaaS apps Track usage of SaaS System of Record Existing IAM CloudConnect On Premise Network
  • 25. Security in the Cloud: CloudSpan Virtual GatewaysSecure applications residing in the cloud: Simple public or private cloud IaaS deployment Your IaaS Cloud Shrinks security perimeter to the application Applications Virtual Automatically coordinates policy on-premise and in CloudSpan Application-Layer the cloud Isolation, Monitoring, & Control Integration with on- premise apps ID-based security for enterprise users and apps both inside or outside the firewall Hardware CloudConnect Instances On Premise Network Gives control back to the enterprise security group
  • 26. Security by the Cloud : Cloud Control A complete API management solution  Secure  Manage  AutomateDeveloper Communities Enterprise Datacenter Portal Widget Mobile Apps Social Network Plug-in
  • 27. Summary Cloud has perimeters that are dynamic - The security perimeter is actually shrinking to the API/service level Identity is the basic construct for extending corporate policy into the cloud Cloud is making identity portable Policy-based enforcement with strong audit is the basic approach for achieving compliance. This can only be managable if the approach to identity enforcement is consistent, and driven by a central strategy and repository. Layer 7 offers a holistic solution to enterprise identity in the cloud - CloudConnect for extending single sign-on (SSO) to the cloud and integrating cloud with existing applications and data. - CloudSpan virtual gateways for securing applications in the cloud - CloudControl to create automation services in the cloud
  • 28. For further information: K. Scott Morrison Chief Technology Officer & Chief Architect Layer 7 Technologies 1100 Melville St, Suite 405 Vancouver, B.C. V6E 4A6 Canada (800) 681-9377 smorrison@layer7tech.com http://www.layer7tech.comMarch 2011