Building a Strong Foundation for Your Cloud with Identity Management
1. Building a Strong Foundation for Your Cloud with Identity Management
Nishant Kaushik
Lead Strategist, Oracle Identity & Access Management
2. Before We Start
Oracle OpenWorld Latin America 2010: December 7–9, 2010
Oracle OpenWorld Beijing 2010: December 13–16, 2010
Join the conversation on Twitter: #OOW10, #IDM, @NishantK, @OracleIDM
3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
4. Enterprises are Moving Towards the Cloud
“The future is looking very cloudy. Yes, very cloud indeed!”
5. But there are Concerns
74% rate cloud security issues as “very significant” (Source: IDC)
Security, Compliance, Control
6. Cloud and the Loss of Control
Diagram: the share of the stack built by the customer shrinks and the share provided by the cloud grows as you move from Infrastructure (IaaS, e.g. Amazon EC2) through Platform (PaaS, e.g. Google App Engine) to Application (SaaS, e.g. Oracle On Demand); customer control goes from + at IaaS to - at SaaS along the same axis.
8. An Approach that has become Outdated
Convention: Closed Perimeter with Controlled Entry; Restricted User Base; Low Frequency of Change; Stable Business Processes
Disruption: Borderless networks subject to user mobility and asset distribution; Business processes are fluid
Vision: Adoption of cloud computing changes the equation for the business
9. A New Approach to Security
Secured by Policy, not Topology
Loosely coupled, services-based
Standards-based
Rationalized, Integrated
10. Cloud Risk Assessment
For an SME using a Cloud Service
Risk scale: 0-2 Low Risk; 3-5 Medium Risk; 6-9 High Risk
Source: ENISA report on Cloud Computing – Benefits, risks and recommendations for information security
11. Cloud Risk Assessment
For an SME using a Cloud Service
Medium Impact – High Probability
• Vendor/Service Lock-In
• Isolation Failure
• Cloud Provider Malicious Insider (Abuse of High Privilege Roles)
• Management Interface Compromise (Manipulation, Availability of Infrastructure)
• Legal Risks
Source: ENISA report on Cloud Computing – Benefits, risks and recommendations for information security
12. Cloud Risk Assessment
For an SME using a Cloud Service
High Impact – High Probability
• Loss of Governance
• Compliance Challenges
• Changes of Jurisdiction
• Data Protection Risks
Source: ENISA report on Cloud Computing – Benefits, risks and recommendations for information security
13. How do we Tame the Monster?
“You won’t like me when I’m angry!”
Image: Incredible Hulk, TM and Copyright 2010 Marvel Comics
14. Cloud Security Starts with Identity
“The basis of security in a borderless environment, only something that can transcend domain boundaries, like identity, can be!”
Image: Yoda, TM and Copyright 2010 Lucasfilm
16. Extend Enterprise IAM to the Cloud
Diagram: one Enterprise IAM serves both Enterprise Apps and Cloud Apps.
Core: Authentication; Account Lifecycle Management
Extended: Claims-based Identity; Authorization Policy Rationalization
17. Managing Authentication for the Cloud
Federation: for business critical applications, extend in-house SSO to cloud apps through SAML-based federation
User-Centric Identity: provide internet identity (e.g. OpenID, OAuth) AuthN schemes for corporate users to use at non-critical cloud services (like open-source projects, community forums)
Privileged Account Management:
• Don't give users direct access to the privileged account for a contracted cloud service
• Use PAM to track, monitor and control access
18. Account Lifecycle Management
Automate Provisioning: develop automated provisioning & de-provisioning for cloud services. Leverage SPML when available; native APIs if forced to
Implement Self-Registration & Role-based Provisioning: roll out self-registration for users to request access through corporate portal. Support role-based provisioning when possible
Implement Access Certification: attestation processes should identify high-risk cloud services based on management capabilities (No federation = high risk)
Integrate Provisioning with PAM: build assignment of PAM privileges into provisioning processes
19. Claims-based Identity
Diagram: Enterprise IAM issues an AuthN token with claims that Cloud Apps consume.
Claims-based Provisioning: Federation (SAML) token contains added identity data used by service to create an account (on first use)
Claims-based Authorization: Federation (SAML) token contains added identity assertions (attributes, roles) used by service to make AuthZ decisions
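The two claims-based patterns on this slide, worked through as an added example that is not part of the deck: a cloud app reads the attributes and roles from a SAML 2.0 assertion, creates the local account on first use, and makes its AuthZ decision from the asserted roles. The assertion, issuer URL, audience URL and role-to-action table are constructed for illustration; XML signature validation is assumed to be done by the federation layer before this code runs.

```python
# Added example, not from the deck: a cloud app consuming the claims carried
# in a SAML 2.0 assertion for provisioning-on-first-use and role-based AuthZ.
# The assertion, issuer and audience URLs are constructed for illustration;
# XML signature validation is assumed to happen in the federation layer.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUERS = {"https://idp.example.corp/enterprise-iam"}
MY_AUDIENCE = "https://crm.example-saas.test"
# Claims-based AuthZ table: which asserted roles unlock which service actions.
ACTION_ROLES = {"view_report": {"report_viewer", "sales_mgr"}, "approve_discount": {"sales_mgr"}}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.corp/enterprise-iam</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.corp</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://crm.example-saas.test</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.corp</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>sales_rep</saml:AttributeValue>
      <saml:AttributeValue>report_viewer</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_claims(xml_text):
    """Return (subject, {attribute: [values]}); reject tokens not meant for us."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS or audience != MY_AUDIENCE:
        raise ValueError("assertion not issued for this service by a trusted IdP")
    subject = root.findtext(".//saml:NameID", namespaces=NS)
    claims = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", namespaces=NS)]
              for a in root.findall(".//saml:Attribute", namespaces=NS)}
    return subject, claims

def login(accounts, xml_text):
    """Claims-based provisioning: create the local account on first use, and
    refresh its attributes and roles from the claims on every login."""
    subject, claims = parse_claims(xml_text)
    created = subject not in accounts
    accounts[subject] = {"mail": claims["mail"][0], "roles": set(claims.get("role", []))}
    return subject, created

def is_permitted(accounts, subject, action):
    """Claims-based AuthZ: decide from the roles the IdP asserted, not local state."""
    return bool(accounts[subject]["roles"] & ACTION_ROLES.get(action, set()))
```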
20. Authorization Policy Rationalization
Diagram: an XACML document exported from Entitlement Management is imported into the AuthZ Engine of the Cloud Apps.
Export AuthZ policies defined in Enterprise Entitlement Management system to import into Cloud service AuthZ engine
Based on XACML standard
Must be part of overall entitlement policy rationalization effort (one policy honored by multiple systems)
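To make "one policy honored by multiple systems" concrete, here is an added example (not from the deck or any Oracle product) of a cloud service's AuthZ engine evaluating an exported XACML 3.0 policy document. The policy, its rule and attribute ids, and the request shape are constructed; only the string-equal match function and the deny-overrides combining algorithm are implemented, which is enough to show why the same document yields the same decision wherever it is imported.

```python
# Added example, not from the deck: minimal evaluator for an exported XACML 3.0
# policy (constructed) so a cloud AuthZ engine honors the enterprise's policy.
# Supports only string-equal Matches and deny-overrides rule combining.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="crm-discounts"
 Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="contractors-denied" Effect="Deny"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">contractor</AttributeValue>
   <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
    AttributeId="employee-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </Match></AllOf></AnyOf></Target></Rule>
 <Rule RuleId="managers-approve" Effect="Permit"><Target><AnyOf><AllOf>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">sales_mgr</AttributeValue>
   <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
    AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </Match>
  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_discount</AttributeValue>
   <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
    AttributeId="action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </Match></AllOf></AnyOf></Target></Rule>
</Policy>"""

def _match(m, request):
    """One <Match>: string-equal of the literal against any value of the designated attribute."""
    wanted = m.findtext("x:AttributeValue", namespaces=NS)
    d = m.find("x:AttributeDesignator", namespaces=NS)
    return wanted in request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])

def _target_matches(target, request):
    """Empty Target matches everything; otherwise OR over AnyOf, AND over the Matches in an AllOf."""
    anyofs = target.findall("x:AnyOf", namespaces=NS)
    return not anyofs or any(
        all(_match(m, request) for m in allof.findall("x:Match", namespaces=NS))
        for anyof in anyofs for allof in anyof.findall("x:AllOf", namespaces=NS))

def evaluate(policy_xml, request):
    """Deny-overrides: any applicable Deny wins, else Permit if any rule permits, else NotApplicable.
    request is {category: {attribute-id: [values]}}."""
    policy = ET.fromstring(policy_xml)
    effects = [r.get("Effect") for r in policy.findall("x:Rule", namespaces=NS)
               if _target_matches(r.find("x:Target", namespaces=NS), request)]
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
```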
22. Become an Identity Services Provider
Diagram: an Identity Services Platform with standards-based simple APIs fronts an In-house IdM Service Provider and a Cloud IdM Service Provider, and is consumed by Partner SaaS Apps and Cloud Apps.
Allows Partner SaaS Apps and Cloud Apps to plug into and leverage IAM services exposed by the enterprise customer
Secure “IAM Cloud” Services SDK via RESTful Interfaces
Identity & Context Propagation, Claims-based access control
Allows enterprise to leverage 3rd Party and Cloud-based Providers of Identity Services in addition to rolling out their own
23. Built on Vision of Service-Oriented Security
Diagram: Applications and Cloud Service Providers consume Declarative Security Services: Authorization, Federation, Authentication, Audit, Provisioning, Role Mgmt, Identity Hub.
A new architectural approach to building security into applications that leverages two key trends – SOA and Application Frameworks
The goal: to provide security functionality in a consistent, reusable service-oriented model to all applications/services
Promotes loose coupling to ensure long term viability and heterogeneity of business solutions
24. Security Glue For The Cloud
Diagram: each participant runs an Identity Services Platform. The IAM Service Provider exposes Identity Assurance, Identity Audit, Identity Hub and Identity Administration Services; the Business Service Provider exposes Identity Authorization and Identity Assurance Services; the Consumer connects to both.
All participants have interoperable identity services
Every participant can be both the service provider and service consumer
26. @sheeri
“Oracle is not a database company... Oracle is now an adjective, not a noun, as in ‘Oracle apps’ or ‘Oracle middleware’”
28. Oracle Identity Management
Oracle + Sun Combination
Provisioning & Administration: Roles-based User Provisioning; Password Management; Self Service Request & Approval
Identity Access Management: Authentication, SSO & Fraud Prevention; Authorization & Entitlements; Web Services Security; Information Rights Management
Directory Services: LDAP Storage; Virtualized Identity Access
Identity Governance: Analytics; Fraud Prevention; Privacy Controls
Platform Security Services: Identity Services for Developers
29. Oracle Identity Management
Comprehensive and Best-of-Breed
Identity Administration: Identity Manager
Access Management*: Access Manager; Adaptive Access Manager; Enterprise Single Sign-On; Entitlements Server; Identity Federation; Information Rights Management; Web Services Manager
Directory Services: Directory Server EE; Internet Directory; Virtual Directory
Identity & Access Governance: Identity Analytics; Security Governor
Oracle Platform Security Services
Operational Manageability: Management Pack For Identity Management
*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet
30. Oracle OpenSSO Fedlet
SAML Enablement of SaaS Applications
Diagram: Identity Providers (OIF, OpenSSO, 3rd Party) federate to SaaS Apps through a .NET Fedlet or a Java Fedlet.
Oracle OpenSSO Fedlet is a lightweight SP-only implementation of SAML 2.0 SSO protocols
Flexible integration framework
Can be used by a SaaS App Provider to Federation-enable their application
Standards-based cross-domain authentication and SSO
Standards-based attribute exchange with advanced identity attribute mapping and filtering
Multi-Tenant
31. Oracle Enterprise Single Sign-On Suite Plus
On the Go Install of Enterprise Single Sign-On Anytime, Anywhere
Diagram: a remote client downloads ESSO Anywhere, authenticates, is validated against the Enterprise Credential Store, and accesses Enterprise Applications.
Access Applications from Anywhere
Faster Deployment and Version Control on the Deployment Packages
Automate Updates and Rollbacks
Reduce Overall Deployment Costs
32. Security with Oracle Cloud Platform
Applications: Oracle Applications; Third Party ISV Applications
Platform as a Service (Shared Services): Integration: SOA Suite; Process Mgmt: BPM Suite; Security: Identity Mgmt; User Interaction: WebCenter. Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit. Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security
Infrastructure as a Service: Operating Systems: Oracle Solaris, Oracle Enterprise Linux; Oracle VM for SPARC (LDom), Solaris Containers, Oracle VM for x86; Servers (Physical and Virtual); Storage
Cloud Management (Oracle Enterprise Manager): Configuration Mgmt; Lifecycle Management; Application Performance Management; Application Quality Management; Ops Center: Physical and Virtual Systems Management
33. Oracle Platform Security Services (OPSS)
Services: Authentication; Authorization; Roles & Entitlements; Auditing; Directory Services; User Provisioning; Policy Store Management; Session Data
Standards-based Interfaces
Oracle Identity Management: Identity Store, Credential Store, and Policy Store Providers (Access Management, Identity Administration, Directory Services)
Declarative Security Framework optimizes application lifecycle support
Standards-based and Hot-Pluggable with Identity Management Systems
Security Platform for Oracle Fusion Middleware and Fusion Apps
34. Cloud IdM Success Stories
Identity Assurance: BT Identity Services includes Managed Fraud and URU Identity Verification Services that rely on OAAM
Identity Administration: NetApp is provisioning Oracle CRM OnDemand from an on-premise OIM deployment
Identity Administration: Embry Riddle is provisioning Microsoft Live from an on-premise OIM deployment
36. Addressing the 3 Dimensions of Cloud Identity
IAM for Cloud: Are you leveraging SaaS applications and Cloud platforms?
IAM as SaaS: Do you need IAM, but don’t want to maintain it?
IAM in PaaS: Are you building SaaS applications?
37. IAM for SaaS and Cloud Platforms
Providing out-of-the-box support for common Cloud Platforms and SaaS applications
OIM Provisioning Connectors for Salesforce, Google Apps, Amazon AWS, Microsoft Live, Oracle OnDemand
OIF Federated SSO for Google Apps, Salesforce, Oracle OnDemand
Securing Web & Cloud Services with OWSM: Managing API Keys required for AuthN; Managing connections
SPML Enablement of SaaS Applications
38. SPML Enablement of SaaS Applications
Diagram: provisioning systems (OIM, 3rd Party) reach SaaS Apps through an OIM Provlet.
OIM Provlet is a lightweight SP-only implementation of SPML 2.0 provisioning protocol
Web Application co-located with target
Can be used by a SaaS App Provider to expose standards-based provisioning interfaces
Built on same ICF-based connectors deployed in OIM Server
REST or SOAP based Web Services
Multi-Tenant
39. Provlet Deployment Architecture
Diagram: Oracle Identity Manager calls the SPML Web Services exposed by the Provlet Web App, which holds App 1 Metadata and Connector Config (LDAP, AD) and drives a Connector Bundle through the Connector Framework.
40. IAM as SaaS
Diagram: a Cloud IAM service serves Client Enterprise 1, Client Enterprise 2 and Cloud Apps.
Customers are looking to outsource IAM: don't want to maintain in-house IAM; IT Staff expertise is a challenge
MSPs looking to offer IAM as a Service: cost benefits of shared service model over hosted instances; maintenance simplicity
Requires many technical features: M/T, Federation, Metering/Billing
41. Deploying IAM as SaaS
Diagram: an OIM Provisioning Gateway at the customer site holds App Metadata and Connector Config and drives App Connector Bundles (App 1, App 2) through the Connector Framework, with a single connection back to Oracle Identity Manager and its DB at the service provider.
Deploy provisioning gateway at a customer site with a single connection back to the IAM service at the SP
Limit number of firewall holes SP has to open to one per customer
Limit number of firewall holes customer has to open to their IAM SP
42. IAM in PaaS
Diagram: Identity Services in a Private, Public or Hybrid Cloud serve Cloud Apps, SaaS Apps, Partner SaaS Apps and IAM Providers.
Customers looking to build Cloud Services: Telco Clouds and SDPs; Trust and Federation Clouds; Consumer Services
MSPs that need to manage customer identities across environments
Leverages new IAM infrastructure or existing IAM system
43. IDaaS APIs for OPSS
Service-Oriented Security Optimized for the Cloud
Diagram: Cloud SP Services, System Administrators, Tenant Administrators and Cloud Service Developers use the IDaaS Framework, whose IDaaS Interfaces (REST) and IDaaS Admin Interfaces (REST, SOAP) sit on Oracle Platform Security Services (Shared Services for Access, Shared Services for Identity), backed by Oracle Identity Management (LDAP, Tenant Config Metadata).
44. Cloud + Identity-based Security = IT Nirvana
“Well, when we do it, cloud-based defenses can be more robust, scalable and cost-effective. And we’ll throw in business differentiator to boot!”
Image: Iron Man, TM and Copyright 2010 MVLFFLLC and 2010 Marvel