CIS14: Identity Management for the Cloud


Jim Scharf, Amazon

What’s different in providing identity and access management for one of the largest cloud providers, some of the key technology and design decisions made along the way, and how AWS is working to make it even easier to federate with existing social and enterprise identity providers.

Slide transcript:

  1. Identity Management in the AWS Cloud. Jim Scharf, @jim_scharf, 7/22/2014
  2. Introductions: Jim Scharf, General Manager, AWS Identity and Access Management. Joined AWS in 2004.
  3. Agenda. Identity requirements for: Infrastructure Services; Platform Services; Enterprise Applications; Mobile; Internet of Things; Challenges.
  4. AWS Overview
  5. AWS service categories:
     –  Infrastructure (Foundation Services): Regions and Availability Zones; Compute (VMs, Auto-scaling and Load Balancing); Storage (Object, Block and Archive); Networking; Security & Access Control; CDN and Points of Presence
     –  Platform Services: Databases (Relational, NoSQL, Caching); Analytics (Hadoop, Real-time, Data warehouse); App Services (Queuing, Orchestration, App streaming, Transcoding, Email, Search); Deployment & Management (Containers, Dev/ops Tools, Resource Templates, Usage Tracking, Monitoring and Logs); Mobile Services (Identity, Sync, Mobile Analytics, Notifications)
     –  Enterprise Applications: Virtual Desktops; Collaboration and Sharing; Data Workflows
  6. Global Availability: 10 AWS Regions worldwide; 26 Availability Zones; 51 Edge Locations
  7. Infrastructure Services
  8. Last Year @CIS… Discussed things that made AWS Identity and Access Management a bit different from traditional corporate IAM: –  Scale –  Resources –  Customers
  9. AWS Identity and Access Management. 55-min Talk: Two Minute Overview:
  10. The Cloud isn’t an ‘All or Nothing’ Choice. Corporate Data Centers (On-Premises Resources) and Cloud Resources; integration via SAML 2.0.
  11. Identity Federation Partners
  12. Identity Requirements: Infrastructure Services
      –  Identities: IT, DevOps
      –  Scale: 1 – 100+
      –  Identity Providers: Cloud Provider, Corporate
      –  Security Controls: Privileged user controls
      –  Admin/Integration Needs: Federation
  13. Platform Services
  14. Elastic Beanstalk (Application Container); OpsWorks (Application Automation); CloudFormation (Templated Provisioning)
  15. Identity Requirements: Platform Services
      –  Identities: Developers
      –  Scale: 1 – 1,000+
      –  Identity Providers: Cloud Provider, Corporate, Web/Social
      –  Security Controls: Start open, then tighten
      –  Admin/Integration Needs: Simple programming model
  16. Enterprise Applications
  17. Delivering on the promise of desktop virtualization: •  Infrastructure & admin tools •  End user desktop and mobile apps. Fully managed, secure document storage and sharing service for the Enterprise: •  Share documents and folders •  Corporate directory integration •  Set user sharing policies •  Audit logs for document and user activity
  18. Identity Requirements: Enterprise Applications
      –  Identities: Employees
      –  Scale: 10 – 100K+
      –  Identity Providers: Corporate
      –  Security Controls: Enterprise controls, security, audit
      –  Admin/Integration Needs: Federation
  19. Mobile
  20. Powering Popular Mobile Businesses Today: Mobile Startups on AWS; Mobile Apps within Enterprises
  21. Managing Identities Across Devices; Keeping Data in Sync; The Challenge of Multiple Devices
  22. Amazon Cognito: Fully Managed User Identity and Data Synchronization Service. Identity + Synchronization + Security
  23. Amazon Cognito and Identity: Manage unique identities; Supports multiple login providers
  24. Amazon Cognito and Sync: Store app data, preferences & state; Work offline via local data store; Seamlessly sync across devices
  25. Amazon Cognito and Security: Implement security best practices; Safeguard AWS credentials; Set granular access permissions on AWS resources
  26. Fully Integrated AWS Mobile SDK •  No back-end programming required •  Common authentication mechanism across all services •  Automatically handle intermittent network connections •  Cross-platform Support: Android, iOS, Fire OS •  Secure access to global AWS services
  27. Identity Requirements: Mobile Apps (Mobile: Enterprise / Mobile: Consumer)
      –  Identities: Employees / Consumers
      –  Scale: 10 – 100K+ / 1 M – 1B
      –  Identity Providers: Corporate / Web/Social
      –  Security Controls: Enterprise controls, security, audit / Auto per-user isolation
      –  Admin/Integration Needs: Simple programming model, Federation / A few lines of client-side code
  28. Internet of Things
  29. Amazon Cognito for Unauthenticated Identities
      –  Unique Identifier for Your “Things”: “Headless” connected devices can also securely access cloud services.
      –  Save Data to the Cloud: Save app and device data to the cloud and merge them after login.
      –  Guest User Access: Securely access AWS resources and leverage app features without the need to create an account or log in.
      (Diagram: Visitor Preferences, Cognito Store, Guest; EC2, S3, DynamoDB, Kinesis)
  30. Identity Requirements: Internet of Things
      –  Identities: Devices
      –  Scale: 50 B
      –  Identity Providers: Web/Social/Personal?
      –  Security Controls: Varies
      –  Admin/Integration Needs: Class/attribute based controls
  31. Recap
  32. Identities: IT, DevOps; Developers; Employees; Consumers; Devices
  33. (Chart: number of identities, 10^1 to 10^10 on the vertical axis, against time, for IaaS, PaaS, SaaS, Mobile: Enterprise, Mobile: Consumer and IoT)
  34. Identity Providers: AWS; Web/Social; Corporate
  35. Security Controls
  36. Identity Requirements (summary across Infrastructure, Platform, Applications, Mobile: Enterprise, Mobile: Consumer, IoT)
      –  Identities: IT, DevOps | Developers | Employees | Employees | Consumers | Devices
      –  Scale: 1 – 100+ | 1 – 1,000+ | 10 – 100K+ | 10 – 100K+ | 1 M – 1B | 50 B
      –  Identity Providers: Cloud Provider, Corporate | Cloud Provider, Corporate, Web/Social | Corporate | Corporate | Web/Social | Web/Social/Personal?
      –  Security Controls: Privileged user controls | Start open, then tighten | Enterprise controls, security, audit | Enterprise controls, security, audit | Auto per-user isolation | Varies
      –  Admin/Integration Needs: Federation | Simple programming model | Federation | Simple programming model, Federation | A few lines of client-side code | Class/attribute based controls
  37. Challenges •  Billions of identities •  Millions of authentications/second, latencies ~1ms •  Becomes a large scale distributed systems challenge •  Authorizing trillions of resources •  Audit becomes a big data problem •  Global, high-availability system •  Constant tension of security vs. eventual consistency
  38. (no text)
  39. Thank You. For more information: Website: AWS Security Blog: Follow: @AWSIdentity
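Slides 25 and 27 call for granular permissions with automatic per-user isolation for Cognito identities. As an added example (not from the talk or from AWS), the policy below scopes a Cognito identity's DynamoDB access to items whose partition key is its own identity id, using the documented IAM policy variable `${cognito-identity.amazonaws.com:sub}` and the `dynamodb:LeadingKeys` condition key; the table ARN and identity ids are constructed, and `is_allowed` is a small teaching evaluator, not the IAM engine.

```python
# Per-user isolation for Cognito identities, expressed as an IAM policy plus a
# minimal local evaluator so the isolation can be checked offline.
import json

# Documented IAM policy variable: the calling Cognito identity's id.
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def per_user_dynamodb_policy(table_arn: str) -> dict:
    """Allow item access on table_arn only when every partition key in the
    request equals the caller's identity id (dynamodb:LeadingKeys)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": table_arn,
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [COGNITO_SUB]
                }
            },
        }],
    }


def is_allowed(policy: dict, identity_id: str, table_arn: str,
               action: str, leading_keys: list) -> bool:
    """Teaching stand-in for IAM evaluation of the policy shape above:
    substitute the identity id for the policy variable and require that
    all partition keys in the request match it (ForAllValues semantics)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if stmt["Resource"] != table_arn:
            continue
        cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        allowed_keys = [k.replace(COGNITO_SUB, identity_id)
                        for k in cond.get("dynamodb:LeadingKeys", [])]
        if all(k in allowed_keys for k in leading_keys):
            return True
    return False


# Constructed sample: two mobile users sharing one table.
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/UserData"
ALICE = "us-east-1:11111111-aaaa-4bbb-8ccc-000000000001"
BOB = "us-east-1:22222222-aaaa-4bbb-8ccc-000000000002"
POLICY = per_user_dynamodb_policy(TABLE)
POLICY_JSON = json.dumps(POLICY, indent=2)
```

Alice reading her own rows is allowed; the same call against Bob's key, or any action outside the listed three, is denied.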