Building a Strong Foundation for Your Cloud with Identity Management

My Oracle OpenWorld 2010 presentation on building a secure cloud using identity management

Related Books

Free with a 30 day trial from Scribd

See all

Building a Strong Foundation for Your Cloud with Identity Management

  1. Building a Strong Foundation for Your Cloud with Identity Management. Nishant Kaushik, Lead Strategist, Oracle Identity & Access Management
  2. Before We Start. Oracle OpenWorld Latin America 2010, December 7–9, 2010; Oracle OpenWorld Beijing 2010, December 13–16, 2010. Join the conversation on Twitter: #OOW10 #IDM, @NishantK, @OracleIDM
  3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  4. Enterprises are Moving Towards the Cloud. "The future is looking very cloudy. Yes, very cloudy indeed!"
  5. But there are Concerns. 74% rate cloud security issues as "very significant" (Source: IDC). The concerns: Security, Compliance, Control.
  6. Cloud and the Loss of Control. Infrastructure as a Service (IaaS), e.g. Amazon EC2; Platform as a Service (PaaS), e.g. Google App Engine; Software as a Service (SaaS), e.g. Oracle On Demand. Moving from IaaS through PaaS to SaaS, more of the stack is built and provided by the cloud provider and less by the customer, so the customer's control decreases and control by the cloud increases.
  7. But that's Predicated on the Classic Security Approach
  8. An Approach that has become Outdated. Convention: closed perimeter with controlled entry; restricted user base; low frequency of change; stable business processes. Disruption: borderless networks subject to user mobility and asset distribution; business processes are fluid. Vision: adoption of cloud computing changes the equation for the business.
  9. A New Approach to Security: secured by policy, not topology; loosely coupled, services-based; standards-based; rationalized, integrated.
  10. Cloud Risk Assessment for an SME using a Cloud Service. Risk scale: 0-2 low risk, 3-5 medium risk, 6-9 high risk. Source: ENISA report on Cloud Computing – Benefits, risks and recommendations for information security.
  11. Cloud Risk Assessment for an SME using a Cloud Service (same scale and source as slide 10). Medium impact, high probability: vendor/service lock-in; isolation failure; cloud provider malicious insider (abuse of high-privilege roles); management interface compromise (manipulation, availability of infrastructure); legal risks.
  12. Cloud Risk Assessment for an SME using a Cloud Service (same scale and source as slide 10). High impact, high probability: loss of governance; compliance challenges; changes of jurisdiction; data protection risks.
  13. How do we Tame the Monster? "You won't like me when I'm angry!" Image: Incredible Hulk, TM and Copyright 2010 Marvel Comics
  14. Cloud Security Starts with Identity. "The basis of security in a borderless environment, only something that can transcend domain boundaries, like identity, can be!" Image: Yoda, TM and Copyright 2010 Lucasfilm
  15. IdM For The Cloud: Foundational Elements
  16. Extend Enterprise IAM to the Cloud. Enterprise IAM spans both enterprise apps and cloud apps. Core elements: Authentication; Account Lifecycle Management. Extended elements: Claims-based Identity; Authorization Policy Rationalization.
  17. Managing Authentication for the Cloud. Cloud AuthN: for business-critical applications, extend in-house SSO to cloud apps through SAML-based federation. Identity Federation: provide internet identity (e.g. user-centric federation, OpenID, OAuth) AuthN schemes for corporate users to use at non-critical cloud services (like open-source projects, community forums). Privileged Account Management: don't give users direct access to the privileged account for a contracted cloud service; use PAM to track, monitor and control access.
  18. Account Lifecycle Management. Implement provisioning: develop automated provisioning and de-provisioning for cloud services; leverage SPML when available, native APIs if forced to. Implement self-registration and role-based provisioning: roll out self-registration for users to request access through the corporate portal; support role-based provisioning when possible. Integrate access certification processes: attestation processes should identify high-risk cloud services based on management capabilities (no federation = high risk). Automate provisioning with PAM: build assignment of PAM privileges into provisioning processes.
  19. Claims-based Identity. The AuthN token carries claims from Enterprise IAM to the cloud apps. Claims-based provisioning: the federation (SAML) token contains added identity data used by the service to create an account (on first use). Claims-based authorization: the federation (SAML) token contains added identity assertions (attributes, roles) used by the service to make AuthZ decisions.
  20. Authorization Policy Rationalization. Export the AuthZ policies defined in the enterprise Entitlement Management system as an XACML document for import into the cloud service's AuthZ engine. Based on the XACML standard. Must be part of an overall entitlement policy rationalization effort (one policy honored by multiple systems).
  21. IdM For The Cloud: Platform for the Future
  22. Become an Identity Services Provider. An Identity Services Platform exposes standards-based, simple APIs. In-house IdM Service Provider: allows partner SaaS apps and cloud apps to plug into and leverage IAM services exposed by the enterprise customer; secure "IAM Cloud" services SDK via RESTful interfaces; identity and context propagation, claims-based access control. Cloud IdM Service Provider: allows the enterprise to leverage 3rd-party and cloud-based providers of identity services in addition to rolling out their own.
  23. Built on a Vision of Service-Oriented Security. Applications and cloud service providers consume declarative security services: Authorization, Federation, Authentication, Audit, Provisioning, Role Mgmt, Identity Hub. A new architectural approach to building security into applications that leverages two key trends: SOA and application frameworks. The goal: to provide security functionality in a consistent, reusable service-oriented model to all applications/services. Promotes loose coupling to ensure long-term viability and heterogeneity of business solutions.
  24. Security Glue For The Cloud. IAM Service Provider (Identity Services Platform: Identity Hub Service, Identity Administration Service, Identity Assurance Service, Identity Audit Service); Business Service Provider (Identity Services Platform: Identity Authorization Service, Identity Assurance Service); Consumer. All participants have interoperable identity services. Every participant can be both the service provider and the service consumer.
  25. Why Oracle?
  26. @sheeri: "Oracle is not a database company... Oracle is now an adjective, not a noun, as in 'Oracle apps' or 'Oracle middleware'."
  27. Oracle Fusion Middleware
  28. Oracle Identity Management: Oracle + Sun Combination. Three areas, Provisioning & Identity Administration, Access Management and Directory Services, covering: roles-based user provisioning; password management and self service; request and approval; identity governance; analytics; privacy controls; authentication, SSO and fraud prevention; authorization and entitlements; web services security; information rights management; platform security services; identity services for developers; LDAP storage; virtualized identity access.
  29. Oracle Identity Management: Comprehensive and Best-of-Breed. Identity Administration: Identity Manager. Access Management*: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Entitlements Server, Identity Federation, Information Rights Management, Web Services Manager. Directory Services: Directory Server EE, Internet Directory, Virtual Directory. Identity & Access Governance: Identity Analytics, Security Governor. Oracle Platform Security Services. Operational Manageability: Management Pack For Identity Management. *Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet.
  30. Oracle OpenSSO Fedlet: SAML Enablement of SaaS Applications. Identity Provider (OIF, OpenSSO or 3rd party) to SaaS App (.NET Fedlet or Java Fedlet). Oracle OpenSSO Fedlet is a lightweight SP-only implementation of the SAML 2.0 SSO protocols; flexible integration framework; can be used by a SaaS app provider to federation-enable their application; standards-based cross-domain authentication and SSO; standards-based attribute exchange with advanced identity attribute mapping and filtering; multi-tenant.
  31. Oracle Enterprise Single Sign-On Suite Plus: On-the-Go Install of Enterprise Single Sign-On Anytime, Anywhere. Remote ESSO Anywhere client: download, authenticate, validate against the enterprise credential store, access enterprise applications. Access applications from anywhere; faster deployment and version control on the deployment packages; automate updates and rollbacks; reduce overall deployment costs.
  32. Security with Oracle Cloud Platform. Applications: third party, ISV, Oracle. Platform as a Service: shared services (Integration: SOA Suite; Process Mgmt: BPM Suite; Security: Identity Mgmt; User Interaction: WebCenter); Application Grid (WebLogic Server, Coherence, Tuxedo, JRockit); Database Grid (Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security). Infrastructure as a Service: operating systems (Oracle Solaris, Oracle Enterprise Linux); Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86; servers; storage. Cloud Management with Oracle Enterprise Manager: configuration management, lifecycle management, application performance management, application quality management, Ops Center, physical and virtual systems management.
  33. Oracle Platform Security Services (OPSS). Services: Authentication, Authorization, Roles & Entitlements, Auditing, Directory Services, User Provisioning, Policy Store Management, Session Data. Standards-based interfaces; identity store, credential store and policy store providers; backed by Oracle Identity Management (Access Management, Identity Administration, Directory Services). A declarative security framework that optimizes application lifecycle support; standards-based and hot-pluggable with identity management systems; the security platform for Oracle Fusion Middleware and Fusion Apps.
  34. Cloud IdM Success Stories. Identity Assurance: BT Identity Services includes Managed Fraud and URU Identity Verification Services that rely on OAAM. Identity Administration: NetApp is provisioning Oracle CRM OnDemand from an on-premise OIM deployment. Identity Administration: Embry Riddle is provisioning Microsoft Live from an on-premise OIM deployment.
  35. Oracle IAM: Aiming for the Unbreakable Cloud
  36. Addressing the 3 Dimensions of Cloud Identity. Are you leveraging SaaS applications and cloud platforms? IAM for Cloud. Do you need IAM, but don't want to maintain it? IAM as SaaS. Are you building SaaS applications? IAM in PaaS.
  37. IAM for SaaS and Cloud Platforms: providing out-of-the-box support for common cloud platforms and SaaS applications. OIM provisioning connectors for Salesforce, Google Apps, Amazon AWS, Microsoft Live, Oracle OnDemand. OIF federated SSO for Google Apps, Salesforce, Oracle OnDemand. Securing web and cloud services with OWSM: managing the API keys required for AuthN; managing connections. SPML enablement of SaaS applications.
  38. SPML Enablement of SaaS Applications: OIM Provlet. Provisioning system (OIM or 3rd party) to SaaS App (Provlet). OIM Provlet is a lightweight SP-only implementation of the SPML 2.0 provisioning protocol; a web application co-located with the target; can be used by a SaaS app provider to expose standards-based provisioning interfaces; built on the same ICF-based connectors deployed in OIM Server; REST- or SOAP-based web services; multi-tenant.
  39. Provlet Deployment Architecture. Oracle Identity Manager calls the Provlet web app over SPML web services; the Provlet hosts the Connector Framework, a connector bundle (LDAP, AD), App 1 metadata and connector config (e.g. LDAP connector config) for the target App 1.
  40. IAM as SaaS. Client Enterprise 1 and Client Enterprise 2 consume a Cloud IAM service in front of cloud apps. Customers are looking to outsource IAM: they don't want to maintain in-house IAM, and IT staff expertise is a challenge. MSPs are looking to offer IAM as a Service: cost benefits of a shared-service model over hosted instances; maintenance simplicity. Requires many technical features: multi-tenancy (M/T), federation, metering/billing.
  41. Deploying IAM as SaaS: OIM Provisioning Gateway. Oracle Identity Manager at the SP connects to a provisioning gateway at the customer site (gateway DB, Connector Framework, connector bundles, app metadata, connector config), which in turn provisions App 1 and App 2. Deploy the provisioning gateway at a customer site with a single connection back to the IAM service at the SP. Limit the number of firewall holes the SP has to open to one per customer. Limit the number of firewall holes the customer has to open to their IAM SP.
  42. IAM in PaaS. Identity Services serve cloud apps, SaaS apps, partner SaaS apps and IAM providers in a private, public or hybrid cloud. Customers looking to build cloud services: telco clouds and SDPs; trust and federation clouds; consumer services; MSPs that need to manage customer identities across environments. Leverages new IAM infrastructure or an existing IAM system.
  43. IDaaS APIs for OPSS: Service-Oriented Security Optimized for the Cloud. Actors: Cloud Services Administrator, SP System Administrator, Tenant Cloud Service Developer. IDaaS Framework: IDaaS Interfaces (REST) and IDaaS Admin Interfaces (REST, SOAP), built on Oracle Platform Security Services (shared services for access, shared services for identity) and backed by Oracle Identity Management, LDAP and tenant config metadata.
  44. Cloud + Identity-based Security = IT Nirvana. "Well, when we do it, cloud-based defenses can be more robust, scalable and cost-effective. And we'll throw in a business differentiator to boot!" Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel
  45. Questions. Learn more: oracle.com/identity, bit.ly/oracleidm11g. Connect, discuss: @NishantK, blog.talkingidentity.com
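Slide 19 names claims-based provisioning and claims-based authorization but does not show what the SaaS side does with the token. The following is an added example, not code from the deck or from any Oracle product: a SaaS-side handler that parses a constructed SAML 2.0 assertion, checks its validity window and audience, creates the local account on first use from the identity-data claims, and decides an action from the role claims. The attribute names, domains and the POLICY table are assumptions; signature verification of the assertion is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample SAML 2.0 assertion (not a real token): the IdP has added
# identity data (email, department) and role claims to the AuthN token.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2010-12-07T10:00:00Z">
  <saml:Issuer>https://idp.enterprise.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice@enterprise.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-12-07T09:55:00Z" NotOnOrAfter="2010-12-07T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://crm.saas.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@enterprise.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>sales_rep</saml:AttributeValue><saml:AttributeValue>viewer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SaaS-side entitlement policy: resource -> action -> roles allowed.
POLICY = {"opportunity": {"read": {"viewer", "sales_rep", "sales_manager"},
                          "write": {"sales_rep", "sales_manager"},
                          "delete": {"sales_manager"}}}


def _ts(value):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_claims(assertion_xml):
    """Pull subject, validity window, audience and attribute claims out of the assertion."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML),
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "audiences": [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML)],
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML)]
                       for a in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML)},
    }


def conditions_hold(claims, my_entity_id, now_utc):
    """Trust the claims only inside the validity window and only if the token was
    issued for this service (audience check); now_utc is an ISO-8601 UTC string."""
    now = _ts(now_utc)
    return (claims["not_before"] <= now < claims["not_on_or_after"]
            and my_entity_id in claims["audiences"])


def jit_provision(accounts, claims):
    """Claims-based provisioning: create the local account from token data on first use.
    Returns (account, created_now)."""
    subject = claims["subject"]
    if subject in accounts:
        return accounts[subject], False
    attrs = claims["attributes"]
    accounts[subject] = {"email": attrs.get("email", [None])[0],
                         "department": attrs.get("department", [None])[0],
                         "source": "saml-claims"}
    return accounts[subject], True


def authorize(claims, action, resource):
    """Claims-based authorization: decide from the role claims carried in the token."""
    roles = set(claims["attributes"].get("role", []))
    return bool(roles & POLICY.get(resource, {}).get(action, set()))


if __name__ == "__main__":
    claims = parse_claims(SAMPLE_ASSERTION)
    if conditions_hold(claims, "https://crm.saas.example", "2010-12-07T10:00:00Z"):
        account, created = jit_provision({}, claims)
        print(created, account, authorize(claims, "write", "opportunity"))
```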