
Common Challenges of Identity Management and Federated Single Sign-On in a SaaS World

This session explores common challenges and solutions associated with Identity and Access Management for SaaS, including topics such as federation vs. form fill for single sign-on, identity lifecycle management best practices, and retaining data when de-provisioning. It also covers what to look for as a SaaS consumer and what to build as a SaaS inventor. Seating is limited and available first come, first served.

For more information, please visit http://cainc.to/Nv2VOe



  1. Common Challenges of Identity Management and Federated Single Sign-On in a SaaS World
     Phil Tidmarsh, Security, CA Technologies, VP, Engineering Services
     Session SCT18T. @CASecurity #CAWorld

  2. Terms of this Presentation
     © 2015 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2015 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA. For Informational Purposes Only.
     (Slide footer: © 2015 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD)

  3. Abstract
     This session explores common challenges and solutions associated with identity and access management for SaaS. We will discuss topics such as single sign-on, federation vs. form fill and identity lifecycle management, including some best practices like retaining data when de-provisioning. It also covers what to look for as a SaaS consumer and what to build as a SaaS inventor.
     Phil Tidmarsh, CA Technologies, Vice President, Engineering Services and acting Product Manager, CA Secure Cloud

  4. Agenda
     1. The conclusion
     2. What's the goal?
     3. Business challenge
     4. Common Identity & Access Management methods
     5. Common Single Sign-On methods
     6. SaaS inventor vs. SaaS adopter

  5. The conclusion…
     SCIM (System for Cross-domain Identity Management): The SCIM standard was created to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary CRUD operations. SCIM is developed under the Internet Engineering Task Force (IETF®).
     SAML (Security Assertion Markup Language): An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS® Security Services Technical Committee.

  6. What's the goal?
     • User experience
     • Time-to-Value
     • Total Cost of Ownership
     • Compliance

  7. Shopping for Cloud Apps

  8. Authentication, Authorisation, State

  9. Cloud App Identity and Access Management (IAM)
     Cloud App Requirements
     • Does it meet the business requirements?
     • Does it deliver the desired user experience?
     • Does it meet our IAM compliance requirements?

  10. Common Identity and Access Management Methods
      • Self service/self registration
        – Does it integrate with Identity Management solutions?
      • Bulk load (CSV)
        – Does it meet real time Identity Management requirements?
      • LDAP (user store)
        – How do we secure this?
      • Just in time
        – Usually available as part of a federated partnership.

  11. Common Identity and Access Management Methods
      • API
        – APIs offer the most preferred method of achieving compliance as they offer real time management of identities; however, they tend to be unique to the app.
        – SCIM is the only standards based approach that enables CRUD based management of users and groups.
        – Non-SCIM SaaS App interfaces require IAM vendors to build and maintain connectors.
      • Therefore SCIM makes the most sense…

  12. Fundamentals of Identity and Access Management
      • In the identity management world, we talk about "JML":
        – Joiners: the action of creating or provisioning an account
        – Movers: accounts whose attributes (role, department, etc.) change
        – Leavers: accounts that are no longer active or de-provisioned

  13. Complete SaaS App Identity Management
      • What happens to data stored in SaaS apps during de-provisioning?
      • Cloud storage, for example:
        – Some cloud storage solutions offer an API to move contents to another user, e.g. based on relationship.
        – Other cloud storage solutions simply purge what is stored.
        – IAM vendors may be able to implement methods to retain data when de-provisioning.
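The three slides above (SCIM as the CRUD API for users and groups, the JML lifecycle, and retaining data when de-provisioning) fit together in one small model. The following is an added example, not CA's code and not a SCIM library: an in-memory SaaS directory whose joiner, mover and leaver operations mirror SCIM's POST, PATCH and deactivation of a user resource, and whose leaver step transfers the departing user's stored objects to the manager recorded on the resource instead of purging them. The schema URNs are the real SCIM 2.0 ones from RFC 7643; the user names, object names, the accepted PATCH paths and the `SaaSDirectory` class itself are constructed for this example.

```python
"""Added example (not CA's code, not a SCIM library): JML lifecycle over
SCIM 2.0-shaped user resources, with data retention on de-provisioning.
Schema URNs are the real SCIM 2.0 ones (RFC 7643); all names are constructed."""
from datetime import datetime, timezone

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# PATCH paths this toy accepts (a real endpoint supports the full RFC 7644
# path grammar). Each entry applies a "replace" value to the resource dict.
PATCHABLE = {
    "name.givenName": lambda u, v: u["name"].__setitem__("givenName", v),
    "name.familyName": lambda u, v: u["name"].__setitem__("familyName", v),
    "department": lambda u, v: u[ENTERPRISE].__setitem__("department", v),
    "manager": lambda u, v: u[ENTERPRISE].__setitem__("manager", {"value": v}),
}


class SaaSDirectory:
    def __init__(self):
        self.users = {}    # user id -> SCIM-style resource dict
        self.objects = {}  # object id -> {"name": ..., "owner": user id or None}
        self.audit = []    # (event, user id, detail) for compliance reporting
        self._seq = 0

    def _new_id(self, prefix):
        self._seq += 1
        return f"{prefix}-{self._seq}"

    @staticmethod
    def _now():
        return datetime.now(timezone.utc).isoformat()

    # Joiner: the equivalent of POST /Users
    def create_user(self, user_name, given, family, department, manager_id=None):
        if any(u["userName"] == user_name for u in self.users.values()):
            raise ValueError(f"userName already exists: {user_name}")  # SCIM: 409 uniqueness
        if manager_id is not None and manager_id not in self.users:
            raise ValueError("unknown manager")
        uid = self._new_id("u")
        self.users[uid] = {
            "schemas": [USER_SCHEMA, ENTERPRISE],
            "id": uid,
            "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "active": True,
            ENTERPRISE: {"department": department,
                         "manager": {"value": manager_id} if manager_id else None},
            "meta": {"created": self._now()},
        }
        self.audit.append(("joiner", uid, user_name))
        return uid

    # Mover: the equivalent of PATCH /Users/{id} with "replace" operations
    def patch_user(self, user_id, operations):
        user = self.users[user_id]
        for op in operations:
            if op.get("op", "").lower() != "replace":
                raise ValueError(f"unsupported op: {op.get('op')}")
            setter = PATCHABLE.get(op.get("path"))
            if setter is None:
                raise ValueError(f"unsupported path: {op.get('path')}")
            if op["path"] == "manager" and op["value"] not in self.users:
                raise ValueError("unknown manager")
            setter(user, op["value"])
            self.audit.append(("mover", user_id, f"{op['path']}={op['value']}"))
        user["meta"]["lastModified"] = self._now()
        return user

    def get_user(self, user_id):
        return self.users[user_id]

    def add_object(self, owner_id, name):
        oid = self._new_id("obj")
        self.objects[oid] = {"name": name, "owner": owner_id}
        return oid

    def objects_owned_by(self, user_id):
        return sorted(o["name"] for o in self.objects.values() if o["owner"] == user_id)

    # Leaver: deactivate rather than DELETE, and hand the user's data to a
    # successor (default: the manager on the resource) so nothing is purged.
    # Objects with no eligible successor are kept with no owner for review.
    def deprovision_user(self, user_id, transfer_to=None):
        user = self.users[user_id]
        if not user["active"]:
            raise ValueError("user already de-provisioned")
        mgr = user[ENTERPRISE].get("manager")
        successor = transfer_to or (mgr["value"] if mgr else None)
        if successor is not None and not self.users.get(successor, {}).get("active"):
            successor = None  # never hand data to a missing or inactive account
        user["active"] = False
        user["meta"]["lastModified"] = self._now()
        moved = orphaned = 0
        for obj in self.objects.values():
            if obj["owner"] == user_id:
                obj["owner"] = successor
                if successor is None:
                    orphaned += 1
                else:
                    moved += 1
        self.audit.append(("leaver", user_id, f"moved={moved} orphaned={orphaned}"))
        return {"moved": moved, "orphaned": orphaned, "successor": successor}
```

The leaver step deliberately sets `active` to false instead of deleting the resource: the account can no longer sign in, the audit trail keeps the identity, and the ownership transfer is recorded. When the manager has already left, the objects are kept with no owner rather than silently destroyed, which is the case the slide's "simply purge what is stored" warning is about.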
  14. But, simply managing accounts isn't enough…
      • An identity can be:
        – Authentication source
        – Authentication method
        – Attributes
        – Group membership
        – Organisation: internal and/or external
        – Device
        – Location
        – Time

  15. Common Single Sign-On Methods
      • Form based authentication (Form Fill)
        – Storing and form filling a username and password is the most basic form of SSO.
        – It lacks flexibility to leverage risk based authentication.
      • Synchronised credentials
        – Slightly more advanced than form based authentication as the username and password are synchronised with a user's corporate credentials.
        – Removes the need to remember/manage multiple usernames and passwords.

  16. Common Single Sign-On Methods
      • Federated Single Sign-On
        – OAuth, OpenID, Simple Web Tokens, JSON Web Tokens, Web Service Specifications, Microsoft Azure® Cloud Services and Windows® Identity Foundation all offer Federated Single Sign-On capabilities but tend to be flexible in the implementation and specification, or less commonly used.
        – SAML (Security Assertion Markup Language) is the most rigid standard and the most commonly adopted by enterprises wishing to enable Federated SSO.
      • Therefore SAML offers the smoothest integration experience.
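What makes SAML "rigid" in the sense the slide means is that the service provider has a fixed checklist to apply to every assertion it receives. The following is an added example, not CA's code and not a SAML library: the relying-party checks an SP applies to a SAML 2.0 assertion after the XML signature has already been verified by a proper XML-DSig library (that verification is represented here by the `signature_valid` flag, because reimplementing it is exactly what an SP should not do). The identity-provider and SP entity IDs, the ACS URL and the sample assertion are constructed; the namespace and bearer-method URNs are the real SAML 2.0 values.

```python
"""Added example (not CA's code, not a SAML library): relying-party checks on
a SAML 2.0 assertion once its signature has been verified elsewhere.
Entity IDs, URLs and the sample assertion are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed configuration for the SP doing the checking.
IDP = "https://idp.example.com/metadata"
SP = "https://app.example.net"
ACS = "https://app.example.net/saml/acs"


def saml_time(value):
    """Parse the UTC xs:dateTime form SAML uses, e.g. 2015-11-18T13:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, sp_entity_id, acs_url, now,
                    signature_valid, skew=timedelta(minutes=3)):
    """Return the reasons to reject the assertion; an empty list means accept."""
    problems = []
    if not signature_valid:
        problems.append("signature not verified")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return problems + ["root element is not saml:Assertion"]
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < saml_time(nb):
            problems.append("assertion not yet valid")
        if noa and now - skew >= saml_time(noa):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("audience mismatch")  # assertion was issued for another SP
    sc = root.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        problems.append("missing bearer subject confirmation")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("recipient is not our ACS URL")
        exp = scd.get("NotOnOrAfter")
        if exp is None or now - skew >= saml_time(exp):
            problems.append("bearer confirmation expired or unbounded")
    if root.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement")  # nothing says the user authenticated
    return problems


# Constructed sample assertion (signature element omitted; see signature_valid).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1"
    Version="2.0" IssueInstant="2015-11-18T13:00:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{ACS}" NotOnOrAfter="2015-11-18T13:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-11-18T12:59:00Z" NotOnOrAfter="2015-11-18T13:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-11-18T12:59:30Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    at = datetime(2015, 11, 18, 13, 1, tzinfo=timezone.utc)
    print(check_assertion(SAMPLE_ASSERTION, IDP, SP, ACS, at, signature_valid=True))
```

Every check is against a value the SP already knows (its own entity ID, its ACS URL, the IdP it configured) or against the clock, which is why a SAML integration is mostly an exchange of metadata rather than custom code; the same list is what a form-fill SSO cannot provide, since the app never learns anything beyond a replayed password.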
  17. For a SaaS Inventor…
      SCIM (System for Cross-domain Identity Management): The SCIM standard was created to simplify user management in the cloud by defining a schema for representing users and groups and a REST API for all the necessary CRUD operations. SCIM is developed under the Internet Engineering Task Force (IETF®).
      SAML (Security Assertion Markup Language): An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS® Security Services Technical Committee.

  18. For a SaaS Adopter…
      Identity: Identity Management Integration. Ensure the SaaS App is supported by your Identity management solution, not just for JML actions but also the implications of those actions. Enable compliance by ensuring you effectively manage identities.
      Access: Standards Based Single Sign-On. Enable a seamless user experience when accessing cloud apps by removing the need to remember usernames and passwords. Enable compliance by making real time authentication and risk decisions.

  19. Successful adoption of Cloud Apps
      Cloud App Requirements
      • Does it meet the business requirements?
      • Does it deliver the desired user experience?
      • Does it meet security/compliance requirements?

  20. Recommended Sessions
      SESSION #   TITLE                                                           DATE/TIME
      SCT03P      The Future of Identity, Access, SaaS and IoT                    Weds. Nov 18 at 1:00 pm
      SCT32T      Privileged Access Management for the Software-Defined Network   Thurs. Nov 19 at 11:30 pm
      SCT25T      Preventing Data Breaches with Risk-Aware Session Management     Thurs. Nov 19 at 3:00 pm

  21. Must See Demos
      DEMO                               PRODUCT(S)          LOCATION
      Protect Against Fraud & Breaches   CA Advanced Auth    Security Theater
      Engage Customers                   CA SSO              Security Theater
      Innovation: IoT Slot Car           CA AA, APIM         Security Theater
      Secure Omni-Channel Access         CA AA, APIM, SSO    Security Theater

  22. Q & A

  23. For More Information
      To learn more, please visit: http://cainc.to/Nv2VOe
      CA World '15